Messaging Products Update – 19.0 Capabilities

The below is a list of the new capabilities brought to our Messaging products for the 19.0 release. 19.0 adds a lot of extra functionality across the board for our messaging products, along with a complete rewrite of the codebase so that future releases and bug fixes can be developed more quickly. For the full release notes please check the individual product updates, available from the customer portal and evaluation sections of our website.

Dependencies

Cobalt (version 1.3 or later) is needed to manage various capabilities in M-Switch 19.0. HSM management depends on Cobalt version 1.4 or later.

M-Switch, M-Store and M-Box depend on M-Vault 19.0.   All of these products are a part of R19.0 with common libraries and so are commonly installed together.

Product Activation 

All of the messaging products now use the new product activation.  Products activation is managed with the Messaging Activation Server (MAS) which provides a Web interface to facilitate managing activation of messaging and other Isode products.   MAS is provided as a tool, but installed as an independent component.   

M-Switch

Product Activation

There are a number of M-Switch features arising from the new product activation:

  • Various product options are encoded in the activation, restricting functionality to M-Switch options purchased.   The options available and any activation time limits are displayed by MConsole.
  • MConsole will correctly display the product name of the M-Switch being used (e.g., M-Switch MIXER, M-Switch Gateway etc).
  • MConsole views are restricted so that only ones relevant to the activated options are shown (e.g,, ACP 127 views will not be shown unless ACP 127 is activated).

Use of Cobalt

A number of functions have been moved from MConsole to Cobalt, which provides a Web general administrator interface.   MConsole is being more focused on M-Switch server configuration and operation.   Capabilities provided by Cobalt in support of M-Switch:

  • User and Role provisioning (replacing Internet Mail View)
  • Special function mailboxes
  • Redirections
  • Standard SMTP distribution lists
  • Military Distribution Lists
  • Profiler Configuration
  • File Transfer by Email (FTBE) account provisioning

Directory and Authentication

A number of enhancements have been made to improve security of authentication.   New configurations will require this improved security and upgrades are expected to switch.

  • Configuration of default M-Vault configuration directory is simplified.
  • Option provided to use a different M-Vault directory for users/operators, defaulting to the configuration directory.
  • M-Switch access to configuration and user directories will always authenticate using SASL SCRAM-SHA-1.  This is particularly important for deployments not using TLS, as it will ensure plain passwords are not sent over a link, while still using hashed passwords in M-Vault.
  • M-Vault directories created by MConsole will always have TLS enabled (where the product activation option allows).
  • Connections from M-Switch to M-Vault will use TLS by default.
  • Three modes can be configured for SMTP and SOM (MConsole) access to M-Switch
    • SCRAM-SHA-1.  This is the default and is a secure option suitable for most configurations.
    • PLAIN.  This option is needed if authentication is done using pass through to Active directory.   This should only be used on systems with TLS.
    • ANY.  When this option is used, SOM/MConsole will use SCRAM-SHA-1.   It is needed for SMTP setups that want to offer additional SASL mechanisms such as CRAM-MD5, which will need plain passwords to be stored in M-Vault.

ACP 127

An extensive set of enhancements had been provided to ACP 127.

  • Extend circuit control from enabled/disable to Enabled (Rx/Tx) / Rx Only / Disabled
  • Enhanced OPSIG support for BRIPES following agreed doc:
    • QRT/QRV.   Supports remote enable/disable, including control from top level of circuit management UI
    • ZES2 automatic handling on receive
    • Service message option to send INT ZBZ
    • Configurable option for reliable circuit to send ZBZ5 to acknowledge receipt of identified message
    • Limiting priority UI use two letter codes, but will still recognize single letter
    • Add CHANNEL CHECK generation and response
  • Option to use “Y” for emergency messages
  • Support for Community Variables (CV) which is a BRASS mechanism to use multiple crypto keys
    • Configuration of CVs available for each destination
    • Display of CVs for queued messages
    • CV Audit Logging
  • Scheduled Broadcasts to support MUs with constrained availability (e.g., Submarines)
    • Periodic Mode with GUI configuration
    • UI to show which messages will be transmitted in which period based on estimated transmission times
    • Scheduled periods at same time each day
    • Explicitly scheduled fixed intervals on specific day
  • Extension to Routing Tree configuration to specify specific channel.   This makes it easier to utilize the ACP 127 RI routing, which is needed in many ACP 127 configurations
  • Improved mapping of CAD/AIG to SMTP
  • Option to turn off message reassembly
  • Improvements to monitoring of circuits using serial links

FAB (Frequency Assignment Broadcast)

A subsystem is provided to support FAB, which is needed for older BRASS systems that do not support ALE. The M-Switch FAB architecture is described in  https://www.isode.com/whitepapers/brass.html. The key points are listed below:

  • A new FAB Server component is provided to run black side and generate the FAB data stream(s).
  • Red/Black separation can be provided by M-Guard
  • The FAB Server can monitor a remote modem for link quality using a new SNR monitoring protocol provided by Icon-5066 3.0.
  • Circuits to support FAB use a new “anonymous” type, reflecting that they are not associated with a specific peer.
  • Support is provided for ARQ (STANAG 5066 COSS) circuits which operate automatically shore side and for direct to modem circuits which require a shore side operator.
  • There is an operator UI for each circuit that enables setting FAB status and controlling acceptance of messages

Profiler and Corrector

  1. Support of TLS for Corrector UI and Manual Profiler
  2. Improved message display, including Security Label
  3. Profile configuration read from directory, which enables Cobalt configuration of Profiler rules

Icon-Topo Support

Isode’s Icon-Topo product automatically updates M-Switch configuration in support of MU Mobility.  M-Switch enhancements made in support of this:

  • Show clearly in MConsole when External MTAs, Routing Tree Entries and Nexus are created by Icon-Topo.
  • Enhance Nexus and Diversion UI to better display Icon-Topo created information.

PKCS#11 HSM Support

PKCS#11 HSM (Hardware Security Module) support is added. This has been tested with HSMs from Nitrokey, Yubico, Gemalto and the SoftHSM software.  HSM support can be enabled and PKCS#11 identities created by Cobalt can be configured and used for all TLS and S/MIME functions in M-Switch.

Miscellaneous

  • Configure Warning Time based on Message Priority.
  • Tool to facilitate log and archive clear out

M-Store

No new features for R19.0.

M-Box

Improved Searching

Message searching is extended with three new capabilities that are exposed in Harrier.

  • Choice to search based on SIC (Subject Indicator Code) which can be used on its own or in conjunction with options to search other parts of the message.
  • Option to filter search based on a choice of one or more message precedences, matching against the action or info precedence as appropriate for the logged in user.
  • Option to filter search based on selected security label.

PKCS#11 HSM Support

PKCS#11 HSM (Hardware Security Module) support is added. This has been tested with HSMs from Nitrokey, Yubico, Gemalto and the SoftHSM software.  This can be used to protect TLS access to M-Box using server identity created by Cobalt.