Messaging Products Update – 19.0 Capabilities

The below is a list of the new capabilities brought to our Messaging products for the 19.0 release. 19.0 adds a lot of extra functionality across the board for our messaging products, along with a complete rewrite of the codebase so that future releases and bug fixes can be developed more quickly. For the full release notes please check the individual product updates, available from the customer portal and evaluation sections of our website.

Dependencies

Cobalt (version 1.3 or later) is needed to manage various capabilities in M-Switch 19.0. 

M-Switch, M-Store and M-Box depend on M-Vault 19.0.   All of these products are a part of R19.0 with common libraries and so are commonly installed together.

Product Activation 

All of the messaging products now use the new product activation. Product activation is managed with the Messaging Activation Server (MAS), which provides a Web interface to facilitate managing activation of messaging and other Isode products. MAS is provided as a tool, but installed as an independent component.

M-Switch

Product Activation

There are a number of M-Switch features arising from the new product activation:

  • Various product options are encoded in the activation, restricting functionality to M-Switch options purchased.   The options available and any activation time limits are displayed by MConsole.
  • MConsole will correctly display the product name of the M-Switch being used (e.g., M-Switch MIXER, M-Switch Gateway etc).
  • MConsole views are restricted so that only ones relevant to the activated options are shown (e.g., ACP 127 views will not be shown unless ACP 127 is activated).

Use of Cobalt

A number of functions have been moved from MConsole to Cobalt, which provides a general Web administrator interface. MConsole is now more focused on M-Switch server configuration and operation. Capabilities provided by Cobalt in support of M-Switch:

  • User and Role provisioning (replacing Internet Mail View)
  • Special function mailboxes
  • Redirections
  • Standard SMTP distribution lists
  • Military Distribution Lists
  • Profiler Configuration
  • File Transfer by Email (FTBE) account provisioning

Directory and Authentication

A number of enhancements have been made to improve security of authentication.   New configurations will require this improved security and upgrades are expected to switch.

  • Configuration of default M-Vault configuration directory is simplified.
  • Option provided to use a different M-Vault directory for users/operators, defaulting to the configuration directory.
  • M-Switch access to configuration and user directories will always authenticate using SASL SCRAM-SHA-1.  This is particularly important for deployments not using TLS, as it will ensure plain passwords are not sent over a link, while still using hashed passwords in M-Vault.
  • M-Vault directories created by MConsole will always have TLS enabled (where the product activation option allows).
  • Connections from M-Switch to M-Vault will use TLS by default.
  • Three modes can be configured for SMTP and SOM (MConsole) access to M-Switch
    • SCRAM-SHA-1.  This is the default and is a secure option suitable for most configurations.
    • PLAIN.  This option is needed if authentication is done using passthrough to Active Directory.   This should only be used on systems with TLS.
    • ANY.  When this option is used, SOM/MConsole will use SCRAM-SHA-1.   It is needed for SMTP setups that want to offer additional SASL mechanisms such as CRAM-MD5, which will need plain passwords to be stored in M-Vault.

ACP 127

An extensive set of enhancements has been provided for ACP 127.

  • Extend circuit control from Enabled/Disabled to Enabled (Rx/Tx) / Rx Only / Disabled
  • Enhanced OPSIG support for BRIPES following agreed doc:
    • QRT/QRV.   Supports remote enable/disable, including control from top level of circuit management UI
    • ZES2 automatic handling on receive
    • Service message option to send INT ZBZ
    • Configurable option for reliable circuit to send ZBZ5 to acknowledge receipt of identified message
    • Limiting priority UI uses two-letter codes, but will still recognize single letters
    • Add CHANNEL CHECK generation and response
  • Option to use “Y” for emergency messages
  • Support for Community Variables (CV) which is a BRASS mechanism to use multiple crypto keys
    • Configuration of CVs available for each destination
    • Display of CVs for queued messages
    • CV Audit Logging
  • Scheduled Broadcasts to support MUs with constrained availability (e.g., Submarines)
    • Periodic Mode with GUI configuration
    • UI to show which messages will be transmitted in which period based on estimated transmission times
    • Scheduled periods at same time each day
    • Explicitly scheduled fixed intervals on specific day
  • Extension to Routing Tree configuration to specify specific channel.   This makes it easier to utilize the ACP 127 RI routing, which is needed in many ACP 127 configurations
  • Improved mapping of CAD/AIG to SMTP
  • Option to turn off message reassembly
  • Improvements to monitoring of circuits using serial links

FAB (Frequency Assignment Broadcast)

A subsystem is provided to support FAB, which is needed for older BRASS systems that do not support ALE. The M-Switch FAB architecture is described in https://www.isode.com/whitepapers/brass.html. The key points are listed below:

  • A new FAB Server component is provided to run black side and generate the FAB data stream(s).
  • Red/Black separation can be provided by M-Guard
  • The FAB Server can monitor a remote modem for link quality using a new SNR monitoring protocol provided by Icon-5066 3.0.
  • Circuits to support FAB use a new “anonymous” type, reflecting that they are not associated with a specific peer.
  • Support is provided for ARQ (STANAG 5066 COSS) circuits which operate automatically shore side and for direct to modem circuits which require a shore side operator.
  • There is an operator UI for each circuit that enables setting FAB status and controlling acceptance of messages

Profiler and Corrector

  1. Support of TLS for Corrector UI and Manual Profiler
  2. Improved message display, including Security Label
  3. Profile configuration read from directory, which enables Cobalt configuration of Profiler rules

Icon-Topo Support

Isode’s Icon-Topo product automatically updates M-Switch configuration in support of MU Mobility.  M-Switch enhancements made in support of this:

  • Show clearly in MConsole when External MTAs, Routing Tree Entries and Nexus are created by Icon-Topo.
  • Enhance Nexus and Diversion UI to better display Icon-Topo created information.

Miscellaneous

  • Configure Warning Time based on Message Priority.
  • Tool to facilitate log and archive clear out

M-Store

No new features for R19.0.

M-Box

Improved Searching

Message searching is extended with three new capabilities that are exposed in Harrier.

  • Choice to search based on SIC (Subject Indicator Code) which can be used on its own or in conjunction with options to search other parts of the message.
  • Option to filter search based on a choice of one or more message precedences, matching against the action or info precedence as appropriate for the logged in user.
  • Option to filter search based on selected security label.

Directory Products Update – 19.0 Capabilities

The below is a list of the new capabilities brought to our Directory products for the 19.0 release. 19.0 adds a lot of extra functionality across the board for our messaging products, along with a complete rewrite of the codebase so that future releases and bug fixes can be developed more quickly. For the full release notes please check the individual product updates, available from the customer portal and evaluation sections of our website.

Dependencies

Use of several new 19.0 features depend on Cobalt 1.3 or later.

M-Vault

Product Activation 

M-Vault uses the new product activation.  Product activation is managed with the Messaging Activation Server (MAS) which provides a Web interface to facilitate managing activation of messaging and other Isode products. MAS is provided as a tool, but installed as an independent component.   

Headless Setup

M-Vault, in conjunction with Cobalt, provides a mechanism to set up a server remotely with a Web interface only. This complements setup on the server using the M-Vault Console GUI.

Password Storage

Password storage format defaults to SCRAM-SHA-1 (hashed). This hash format is preferred as it enables use of SASL SCRAM-SHA-1 authentication which avoids sending plain passwords. Storage of passwords in the plain (previous default) is still allowed but discouraged.
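
Why a SCRAM-SHA-1 hashed entry is enough to authenticate without the password crossing the link (the point made here and in the M-Switch Directory and Authentication list), shown as an added example that is not Isode code. It follows RFC 5802 using the RFC's own sample exchange, skips SASLprep normalization, and all function names are illustrative.

```python
import base64
import hashlib
import hmac
from typing import Optional

# Sample exchange from RFC 5802 section 5 (user "user", password "pencil").
CLIENT_FIRST_BARE = "n=user,r=fyko+d2lbbFgONRv9qkxdawL"
SERVER_FIRST = "r=fyko+d2lbbFgONRv9qkxdawL3rfcNHYJY1ZVvWVs7j,s=QSXCR+Q6sek8bf92,i=4096"
CLIENT_FINAL_NO_PROOF = "c=biws,r=fyko+d2lbbFgONRv9qkxdawL3rfcNHYJY1ZVvWVs7j"
AUTH_MESSAGE = ",".join(
    [CLIENT_FIRST_BARE, SERVER_FIRST, CLIENT_FINAL_NO_PROOF]).encode()
SALT = base64.b64decode("QSXCR+Q6sek8bf92")
ITERATIONS = 4096


def hmac_sha1(key: bytes, msg: bytes) -> bytes:
    return hmac.new(key, msg, hashlib.sha1).digest()


def xor_bytes(a: bytes, b: bytes) -> bytes:
    return bytes(x ^ y for x, y in zip(a, b))


def salted_password(password: str, salt: bytes, iterations: int) -> bytes:
    # RFC 5802 Hi() is PBKDF2-HMAC-SHA1 with a 20-byte output.
    # Assumption: ASCII password, so SASLprep normalization is omitted.
    return hashlib.pbkdf2_hmac("sha1", password.encode("utf-8"), salt, iterations)


def stored_record(password: str, salt: bytes, iterations: int) -> dict:
    """What the directory keeps in place of the plain password."""
    salted = salted_password(password, salt, iterations)
    client_key = hmac_sha1(salted, b"Client Key")
    return {
        "salt": salt,
        "iterations": iterations,
        "stored_key": hashlib.sha1(client_key).digest(),
        "server_key": hmac_sha1(salted, b"Server Key"),
    }


def client_proof(password: str, salt: bytes, iterations: int,
                 auth_message: bytes) -> bytes:
    """Client side: the only password-derived value sent on the wire."""
    client_key = hmac_sha1(salted_password(password, salt, iterations),
                           b"Client Key")
    stored_key = hashlib.sha1(client_key).digest()
    return xor_bytes(client_key, hmac_sha1(stored_key, auth_message))


def server_verify(record: dict, auth_message: bytes,
                  proof: bytes) -> Optional[bytes]:
    """Server side: check the proof using only the stored record.

    Returns the ServerSignature on success (sent back so the client can
    authenticate the server), or None if the proof does not match.
    """
    signature = hmac_sha1(record["stored_key"], auth_message)
    recovered_client_key = xor_bytes(proof, signature)
    candidate = hashlib.sha1(recovered_client_key).digest()
    if not hmac.compare_digest(candidate, record["stored_key"]):
        return None
    return hmac_sha1(record["server_key"], auth_message)


def run_rfc_example():
    """Replay the RFC 5802 exchange; returns (p=, v=) as base64 strings."""
    record = stored_record("pencil", SALT, ITERATIONS)
    proof = client_proof("pencil", SALT, ITERATIONS, AUTH_MESSAGE)
    server_sig = server_verify(record, AUTH_MESSAGE, proof)
    return (base64.b64encode(proof).decode(),
            base64.b64encode(server_sig).decode())


if __name__ == "__main__":
    p, v = run_rfc_example()
    print("client-final p=" + p)
    print("server-final v=" + v)
```

The proof is bound to the nonces in the exchange, so a captured proof cannot be replayed in a later session. A plain-text entry, by contrast, is what mechanisms such as CRAM-MD5 require.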

LDAP/AD Passthrough

An LDAP Passthrough mechanism is added so that M-Vault users can be authenticated over LDAP against an entry in another directory. The key target for this mechanism is where there is a need to manage information in M-Vault, but to authenticate users with password against users provisioned in Microsoft Active Directory.  This is particularly important for Isode applications such as M-Switch, M-Link, and Harrier which utilize directory information not generally held in Active Directory.

Cobalt provides capabilities to manage accounts utilizing LDAP Passthrough.

OAuth Enhancements

A number of enhancements have been made to OAuth, which was introduced in R18.1:

  • OAUTH service has been integrated into the core M-Vault server, which simplifies configuration and improves security.
  • Operation without Client Secret, validating OAUTH Client using TLS Client Authentication.  This improves security and resilience.
  • Allow client authentication using Windows SSO, so that Windows SSO can work for OAUTH Clients.  This enables SSO to be used for Isode’s applications using OAuth.

Sodium Sync

  • Some enhancements to Sodium Sync to improve operation on Windows Server.
  • Option that will improve performance for any remote server with a large round-trip-time. 

M-Guard 1.4 New Capabilities

M-Guard 1.4 is a platform support update release for M-Guard Console and M-Guard Appliance. M-Guard Appliance has been updated to use UEFI instead of BIOS for key system services.

Platform Support

The M-Guard Appliance now supports running on Netgate 6100 and 6100 MAX appliance systems.

M-Guard Appliance on Hyper-V now uses Generation 2 virtual machines.

M-Guard Appliance on VirtualBox now uses EFI.

Use of BIOS for booting is deprecated in favor of UEFI.

Base Operating System Upgraded

The M-Guard Appliance operating system is now powered by FreeBSD 13.1.

Notice

Upgrading earlier installations requires special steps.  Contact Isode support for assistance.

Cobalt 1.3 Release Features

Cobalt 1.3 depends on M-Vault 19.0 or subsequent versions

M-Vault Management Support

  • M-Vault Bootstrap.   Enables operation in conjunction with M-Vault 19.0 to support headless bootstrap.
  • Managing users in M-Vault groups, such as Directory Server Administrators  and Messaging Configuration Read/Write.  This enables Cobalt to control user and operator rights to access M-Vault.
  • AD/LDAP passthrough support
    • Allow users (per domain) to support mandatory or partial passthrough
    • Set and validate passthrough entry for user
    • Identify users in passthrough server that might be added to domain

Messaging Management

  • Profile Editor for supporting and managing M-Switch Profiler.
    • SIC Coverage UI. Provide full list of SICS, showing which addresses each one goes to.   This enables operator to ensure that all SICs are sensibly handled.
  • File Transfer By Email capability is now managed by Cobalt, replacing capability previously in MConsole.
  • For Organizations and Military DLs, enable management of capability functions:
    • Max Message Size
    • Max Line Length (for ACP 127 destinations)
    • Charset Restrictions (for ACP 127 destinations)
    • Allow/block attachments
  • Option to show for a user which DLs the user is in, and give easy addition to other DLs.  This facilitates managing DL membership.

New Views

  • Non-Human Users (Special Users).  Supports accounts with passwords that do not belong to humans, for XMPP, Email or both.
  • View for end users, rather than administrators.  User can:
    • Change password. 
    • See all of own entry and modify  attributes.   The list of modifiable attributes can be configured.
    • See references to entry and email list membership.
  • User Groups, to enable management of directory groups (Distinguished Names).

Cobalt Access Control

  • New Cobalt roles, that can enable selective control of which users can access directory admin controls, and which users can set OAUTH rights and can add OAUTH Clients.  
  • Restrict Password set/change rights, so that only selected Cobalt administrators can do this.

Security Enhancements

  • When deleting a user, remove the password.   This will make it safe for applications searching whole DIT as you can’t authenticate with a deleted user’s account. 
  • Security Clearance can be selected for any role or user, based on a configured catalogue.  This supports key M-Switch and Harrier feature to check clearances. 

Miscellaneous

  • When assigning a new email, search entire DIT for conflicts, not just Cobalt area.   This helps SASL resilience.
  • Can add Photos to Routed UAs and Organizations.  
  • Check References on Delete. Cobalt has a “References” button on user/role form that displays all references of a user/role.  On deleting, references are deleted as well.
  • Tool to check references to users in AD, so that when users in AD are deleted, dangling references can be picked up.
  • Remove default domain concept
  • On deletion of domain in Cobalt, give option to delete all the domain data
  • Option to end all Cobalt logged-in sessions of an operator, to allow an operator to log out from all browsers with a single action
  • There is also an option for an operator with appropriate rights  to end sessions of another Cobalt operator.

Icon-5066 3.0 – New Capabilities

We are thrilled to announce the latest update to our STANAG 5066 server, Icon-5066. With this new release, we’ve incorporated a host of exciting features and enhancements, designed to not only add new functionality to your deployment but also increase the performance of your HF Radio Network.

The below is a list of the changes, and updates that can be found within Icon-5066 v3.0.

ALE Management

This major new feature enables management of ALE configuration independent of ALE implementation and allows easy sharing of configuration between nodes.  This capability is supported for modems where Isode provides ALE support.  Key features:

  • Web configuration of HF Network for each Icon-5066 node.
  • Configuration of Node ALE addressing, with support for 2G, 3G and 4G.
  • Support for fixed frequency (not using ALE for a network)
  • Configuration of HF Frequency list with options for narrowband and wideband
  • Configuration of schedules for use with ALE or fixed frequency.   This enables the frequencies used to be changed at configured times so that appropriate frequencies are used for an ALE network throughout the 24 hour cycle.
  • Import/Export of configuration, to enable easy sharing of configuration between nodes.   Model is that you configure ALE setup on one node and then transfer it to other nodes.

Security

Two important security enhancements are included:

  1. Use of OAuth to control which operators can access Icon-5066.
  2. Support of TLS which includes:
    1. HTTPS Web Access
    2. TLS Support for GCXP to support Modem Proxy (crypto bypass) across a Red/Black boundary
    3. Web configuration of PKI setup of TLS

STANAG 5066 Ed4 Compliance

Icon-5066 is compliant to STANAG 5066 Ed4.   An overview of Ed4 is here.   Detailed Icon-5066 compliance is specified here

Most of these capabilities were in the previous release, but described as STANAG 5066 proposed extensions.   Interoperability has been tested with another Ed4 implementation.

SNR Monitor

A new option is provided to configure Icon-5066 as a modem monitor with a simple TCP monitoring protocol.  This is a general purpose capability, but is specifically targeted to support the ACP 127 FAB (Frequency Assignment Broadcast) capability in M-Switch to enable the FAB broadcast to report on measured link quality using a modem at a remote location. 

New Modem/ALE Support

The following ALE capabilities are added:

  • 3G ALE support for RapidM RM8 and RM10.
  • 4G ALE support for RapidM RM10

A new “Raw TCP” data option, which sends and receives data over simple TCP connection.   This generic capability can be used to exchange data with RapidM RM10 modem.

Management

Support for independent control of multiple STANAG 5066 nodes, so that on a system with multiple nodes, each node can be independently enabled and disabled by the Icon-5066 operator.

Red/Black Driver

A driver is provided for Isode’s Red/Black product to monitor Icon-5066.   Like the Red/Black driver for Isode supported Modems, this driver is distributed with Icon-5066, but will be picked up by a collocated Red/Black server.   It enables a Red/Black operator to enable/disable an Icon-5066 node and to monitor key parameters.

Product Activation

Icon-5066 servers are now controlled by Isode Product Activation.  This control includes:

  • Optional enabling of TLS.  This is helpful for export.
  • Control of the number of nodes available

Successfully Managing HF Radio Networks

With the potential for new technologies to cause interference to traditional communications networks and even space itself at the risk of becoming weaponised, it is important to make sure that you always have a backup plan for your communications ready and waiting.

Should the worst happen and your primary network, typically SatCom, go down you need to ensure that you can still communicate with your forces wherever they are, and that communication needs to be fast,  simple and reliable. It also needs to be suitable for operation within degraded and denied environments.

That’s where HF Radio has a distinct advantage, utilising the ionosphere itself to relay communications and long-range radio signals. If you’re interested you can read more about the benefits of communications over HF Radio and how Isode is developing HF technology here.

When implementing new technologies, one of the challenges you can always expect to face is how you manage them and control how the important systems connect with one another. For HF Radio, that has always been a factor limiting its deployment, how do you ensure that mobile units remain connected to your HF network as they move from one location to the next?

This can now be done by our latest HF Radio enhancement product, Icon Topo. 

Icon Topo is a state of the art, web-based management system for HF Radio networks. The management system allows an operator to monitor and control the location of Mobile Units such as ships or aircraft, ensuring that as they move from one HF Access Point to another they can remain connected to your communications network.

The Icon Topo system allows you to manage your Mobile Units across multiple HF Networks, and plan a connection route for them as they do so, all from an easy forms-based interface. This removes any interruptions to service or downtime from applications as the MU moves across its intended path.

You can read more on Icon Topo here.

Alongside our HF management system, we have also recently developed our Red/Black solution to manage encrypted data over HF networks.

Red/Black is a Web-based server that can provide control and monitoring of different devices and servers. This is intended to complement, not replace, primary device management tools. Red/Black servers can operate in a pair, to monitor and control devices across a secure boundary.

Our Red/Black servers are designed to support HF radio systems through the display and management of communication chains, as seen below. They allow separation of, and passage for encrypted information across restricted networks from a ‘high’ side to a ‘low’ side. 

You can read more about our Red/Black solution here

The above two products give you full oversight over your HF networks so that you can be confident you will retain complete control over what gets to connect to your HF network and how exactly they do it.

If you’d like more information on our HF products, or are interested in a product demo then get in touch with us on sales@isode.com, alternatively you can fill out a contact form on our website and one of our team will get back to you.

Draft, Review & Release

This week we are excited to announce the release of Harrier 3.1 and Cobalt 1.1.

These releases are an important step for our Draft, Review & Release Solution, a capability of particular interest within Military Deployments.

Draft and Release is a process of handling formal military communication; it is vital for scenarios where formal responsibility must be taken for messages sent. For example, military commands sent as messages need to be approved/released by an appropriate senior officer. More information on this can be found in our recently updated whitepaper.

This latest release of Harrier provides a new, simple and intuitive UI for drafters, reviewers, and releasers, making each task straightforward. Also included is a visual workflow, allowing easy tracking of messages.

There will be situations where it makes sense to send directly and to avoid any workflow. Cobalt allows simple control of users who can send directly for selected messages based on SIC and Priority.

Cobalt provides a range of capabilities to support Formal Military Message Handling Systems (MMHS), with capabilities oriented towards the support of systems using Isode’s Harrier, M-Box, and M-Switch products.

Downloads and accompanying release notes can be found in the evaluator and customer sections of the website.

Oracle Java and Isode Products

Some components of release R17.0 are written in Java. You should install any Java dependencies before installing the following components of the Isode packages:

  • Sodium
  • M-Vault Console
  • Log Configuration
  • Isode Service Configuration
  • MConsole
  • M-Link Console
  • Web applications

If you do not require these components then you do not need to install Java.

Oracle has announced that Java updates for commercial customers end after January 2019. See https://www.oracle.com/technetwork/java/java-se-support-roadmap.html.

For R17.0v7 and later, Isode recommends that commercial users of Java who do not wish to purchase support from Oracle use Isode’s “OpenJDK for Isode” package instead. This is available from www.isode.com. It contains a copy of the OpenJDK (see http://jdk.java.net) which has been tested for compatibility with R17.0, and is fully supported for use by Isode applications.

Isode will not be updating versions prior to R17.0 to work with Java 11. Commercial users using these releases will have the following options:

  • Upgrade to R17.0
  • Run with a version of Oracle Java 8 which will, after January 2019, no longer receive updates from Oracle
  • Obtain a suitable commercial license from Oracle for a supported version of Oracle Java 8 (which will receive updates after January 2019)

Isode R17.0 is supported with Oracle Java 8 and Oracle Java 11. A future version of Isode will remove support for Java 8.

After Java 8, the next LTS (Long-Term-Support) version of Oracle Java is Oracle Java 11. Commercial users of Oracle Java 11 are required to purchase a license from Oracle.

Commercial users may purchase extended support for Oracle Java 8 if they wish to deploy it after January 2019.

Icon-5066, Isode’s modem-independent STANAG 5066 server.

We’re pleased to announce the first release of Icon-5066, Isode’s modem-independent STANAG 5066 server.

STANAG 5066 provides a link layer optimized for HF Radio as described in the whitepaper [STANAG 5066: The Standard for Data Applications over HF Radio].

Icon-5066 will connect to one or two HF modems, either through a Crypto box or directly, and provides a single interface to an HF network, which can be shared by multiple applications.  A comprehensive product description of Icon-5066 is available on the Isode website.

Configured using a web interface, Icon-5066 is shipped with three test tools to help partners in testing Icon-5066 deployments:

  1. HF Tool: For running a range of tests to ensure good performance and operation of modem drivers in a range of conditions. It also gives a clear measure of modem performance.
  2. STANAG 5066 Console: Providing STANAG 5066 server discovery, HF operator chat and throughput measurements to peer S5066 Consoles with ARQ and non-ARQ traffic.
  3. MoRaSky: Provides a service equivalent to HF modems connected to Radios and operating over the Ionosphere. It enables sophisticated testing of Icon-5066 and the applications it supports, without use of hardware or Over the Air transmission.

Evaluations of Icon-5066 are available, contact your Account Manager or fill in the evaluation request form for more information.

R17.0 Now Available

R17.0, a major update to Isode’s product set, is now available, from our website, for customers and evaluators. Significant changes include:

  • Harrier for Exchange: Introduced with R16.6 for use with Isode products, our web based messaging client is now available for use with Microsoft Exchange.
  • Every IM domain in M-Link can now be configured to run with an independent directory. This enables support of multi-domain configurations with independent directories for users and groups.
  • Extensive improvements to ACP127 and ACP142 capabilities and management in M-Switch have been made, including a wide range of capabilities aimed specifically at Operators.
  • M-Vault has enhancements to OCSP support and built-in Web user password changing.

A comprehensive list of the new features in R17.0 can be found on the R17.0 Release Page.