In the three months prior to the release of R14.4 we previewed the release features in a series of 28 posts on the Isode Blog. On this page you'll find an overview of those features, together with links to blog posts (where appropriate) which describe those features in more detail. All R14.4 features are fully documented in the product Administration Guides.
If you wish to view all of the blog posts that relate to the R14.4 release, click here. This page looks at:
- Extensions to our Security Policy infrastructure
- M-Link: Security Labels, Clustering, Multi User Chat and Roster Versioning
- M-Box Gateway: Support for Multiple Backends
- M-Switch: File Transfer by Email
- M-Switch: External Internet Mail Conversion
- M-Switch: Support of FLOT and Text Security Label Formats
- M-Vault: Directory Access Control Management GUI (Sodium)
- M-Vault: Conformance
- Sodium: Improved GUI management for Security Labels and Security Clearances
- Directory Synchronization (Sodium Sync)
- M-Switch MIXER: Per Address Mapping and Support for S/MIME & Security Labels
- M-Store X.400: Performance Improvements
- Strong Authentication Management
- Message Audit Database: removing dependencies, management improvements and support of HSQLDB as an option
- Messaging Configuration Management
- Security Label/Clearance/Policy tools
- Web Application Enhancements
- STANAG 5066 Console Improvements
- MConsole: X.400 Mailbox Management Preview
- Changes to X.400 Gateway and Client APIs
- Changes to Directory Client API
Extensions to Isode's Security Policy Infrastructure to include:
- Support for NATO Category Syntaxes (ACP 322) enabling support of NATO and JSP 457 (UK) Security Policy.
- Support for Equivalent Policies.
These enhancements are described in more detail in the Blog Post "Security Policy Enhancements"
Isode also supports the Open XML SPIF format published at xmlspif.org as one of the supported SPIF formats. You can read about this here.
New features include:
- Security Label support as described in Using Security Labels to Control Message Flow in XMPP Services, and XEP-0258 support.
- Additional support for clients supporting the Cross-Domain Collaborative Information Environment (CDCIE) Chat system for security labels, such as TransVerse, including label discovery.
- Support of clustering, to enable a single XMPP service to be operated on multiple servers. This clustering work is the basis for future low bandwidth network support as described in the Isode whitepaper Operating XMPP over Radio and Satellite Networks.
- Permanent MUC (multi-user chat) groups, including directory configuration.
- Improved MUC affiliation capabilities including new roles, in-room management and moderation.
- XEP-0012 (Last Activity) support.
- Ability to restrict transient MUC (multi-user chat) room creation to local users
- XEP-0050 (Ad Hoc Commands) support, including "kick user off" administrator command.
- XEP-0237 "Roster Versioning". This specification, which is expected to become part of the core XMPP protocol at some stage, optimizes client connection by only providing an updated roster if there has been a change since the last connection. This is an important optimization for clients working over slow links. XEP-0237 uses the same techniques to optimize network use as IMAP CONDSTORE (RFC 4551, "IMAP Extension for Conditional STORE Operation or Quick Flag Changes Resynchronization"), which is implemented by M-Box. Isode has been a major contributor and editor of both of these specifications.
Some of these enhancements are described in more detail in the Blog Posts:
- "Security Label Support in M-Link"
- "Support for TransVerse (JFCOM XMPP Client with Security Label support)"
- "M-Link Clustering"
- "New Multi User Chat (MUC) Features in M-Link"
Support for multiple POP3 back-ends, so that a single M-Box Gateway account can access several mailboxes (Yahoo!, Gmail, etc.). These can be mapped to a single inbox, or represented as separate IMAP folders. This capability can be used with M-Box, so that a user can see multiple mailboxes from a single IMAP account.
This enhancement is described in more detail in the Blog Post "M-Box Gateway Support for Multiple Backends"
Support for file transfer by email will be added to M-Switch. Files are picked up and delivered by a special channel. Transfer can use X.400 or Internet mail. This may be used to support directory replication by email, or other applications needing reliable multicast data transfer.
This enhancement is described in more detail in the Blog Post "M-Switch: File Transfer by Email"
A new channel is added to enable message conversion of Internet messages. This allows customers to add advanced message conversion and checking capabilities. Integration is done using a special protocol CCCP (Content Checking and Conversion Protocol).
This enhancement is described in more detail in the Blog Post "CCCP - Supporting External Content Checking and Conversion of Internet Mail in M-Switch"
M-Switch supports FLOT (First Line of Text) security labels and other text formats, including mapping between these formats and conversion to S/MIME ESS Labels.
This enhancement is described in more detail in the Blog Post "FLOT and other Text Format Security Label Support"
A new UI has been provided in Sodium to enable configuration of X.500 identity based access control. The goal is to make it easier to use sophisticated access control.
This enhancement is described in more detail in the Blog Post "M-Vault Directory Access Control Management GUI"
- X.500 Conformance updated to X.500 (2008).
- Support for Approximate Match indexes
This enhancement is described in more detail in the Blog Post "X.500 (2008) Conformance"
In the previous release the GUI capabilities for handling security labels and security clearances meant that in practice you were restricted to either using very simple labels/clearances or loading pre-prepared labels/clearances from files (XML or ASN.1).
We have added a Catalog mechanism, that enables simple GUI selection from a standard list. For a simple security policy, the Catalog would simply be a list of all possible labels or clearances. For a complex security policy, it would be a selection of labels or clearances appropriate for the deployment.
This Catalog mechanism has been added to Sodium. We will add it to other places in future releases (in particular to IMA for User Clearances, and XUXA for Labels). Sodium now has Catalog support defined in templates for the following applications:
M-Link/M-Vault/Third Party Applications
- User Clearance (Security Clearance in a directory entry)
- Security Label as operational attribute in any entry
- DSA Clearance (to control data in the server)
- DSA Label (to control connected users)
- Server (Domain) Clearance (to control messages switched)
- Server (Domain) Label (to control connected users)
- MUC Group Clearance (to control messages switched)
- MUC Group Label (to control group members)
Isode will provide sample Catalogs, along with the sample Security Policies included with R14.4. This will enable easy setup of Security Label capabilities in our products.
A number of features have been added to Sodium Sync, including:
- Easy setup of strong authentication and TLS use over LDAP and LDAPS.
- Integration with the new File Transfer by Email capability in M-Switch
- Ability to synchronize data TO Active Directory, including support for mapping X.400 OR Addresses into the forms required by AD/Exchange.
These enhancements are described in more detail in the Blog Posts:
- Per address mappings. Standard MIXER uses configurable mappings based on parts of the addresses. This enhancement enables use of a directory to handle mappings for individual addresses, based on directory entries holding both addresses. Flexible configuration is provided, to support a range of deployments.
- Support of S/MIME to extract content from inbound messages and to sign outbound messages. S/MIME ESS Security Labels are mapped with X.411 Security Labels.
These enhancements are described in more detail in the Blog Posts:
- "M-Switch MIXER - Per Address Mapping"
- "M-Switch MIXER enhancements to support S/MIME and Security Labels"
Performance and scaling improvements for deployments with very large numbers of messages.
This enhancement is described in more detail in the Blog Post "M-Store X.400 Performance Improvements"
All of Isode's server products and many of our GUIs can use strong authentication. Isode provides a range of management capabilities to handle strong authentication, primarily in Sodium. R14.4 contains a number of enhancements including:
- Improved LDAP Bind configuration in Sodium and Sodium Sync using Strong Authentication and TLS to provide GUI setup of strong authentication configuration.
- GUI configuration of M-Vault Strong Authentication options, including trust anchors and CRL checking using the new infrastructure.
- Enhanced Certificate display and checking.
- Support for userSMIMECertificate.
- Support for SubjectAltName, including: internet mail; domain (dnsName); IP address; OR Address. These can be included in CSRs and displayed in certificates. Consistency between certificate and entry is checked.
- Addition of X.501 Security Clearance to CSR.
- Management of secure identities.
These enhancements are described in more detail in the Blog Posts:
- "Strong Authentication Verification Infrastructure and use in M-Vault"
- "Sodium, Sodium Sync, LDAPS and Strong Authentication"
- "Secure Identity Management"
- "PKI Display and Checking"
- "SubjectAltName Support"
The Audit Database infrastructure has been updated to remove the dependencies on Postgres, so that other databases can be used. Postgres will continue to be supported, and support for other databases will be considered for future releases.
This enhancement is described in more detail in the Blog Post "Audit Database - Switch to full JDBC Operation"
We've also added a way to manage removal of old records from the Audit Database. This is done by the AuditDB Management Daemon (which also takes on the functionality of the existing AuditDB Quarantine Management Daemon).
Support of HSQLDB as an option
We've added HSQLDB support as an alternative Audit Database option to Postgres. HSQLDB is a simple Java JDBC database.
One reason for doing this is to clearly demonstrate and test the database independence of our tools.
The second reason is to provide an easy demo setup. We are bundling HSQLDB with the Isode product set, which makes it easy to set up an Audit Database for demonstration and evaluation purposes. Our experience suggests that the scaling limit of HSQLDB as an Audit Database is around 40,000 records, which means that it is unlikely to be suitable for production use.
- Editing of existing message configuration in MConsole (to replace EMMA System View)
- Address checking over protocol (so that checks are done by the M-Switch server)
These enhancements are described in more detail in the Blog Post "Ongoing work on M-Switch GUI Configuration Management"
We're including a number of command line tools in the release. We've been using these internally, and it has become clear that they will be useful to customers setting up systems using Security Labels. Tools include:
- Label, Clearance and SPIF tools:
- format conversion (between supported ASN.1 and XML formats)
- descriptive dump
- ACDF Tool: Evaluates the ACDF (Access Control Decision Function) to check a label against a clearance under a specific policy
- Security Label & Security Clearance builders: Tools to help correctly build complex Security Labels and Clearances according to a Security Policy
- Catalog Builder: Creates a complete (Label or Clearance) Catalog from a SPIF (Security Policy Information File)
Added support for Message Token Security (in addition to MOAC) to show: message content integrity; message origin authentication; message sequence integrity.
These enhancements are described in more detail in the Blog Post "XUXA (Test & Demo X.400 User Agent) Features"
- Web Applications will be provided as a separate package, reflecting their growing importance. This will include an application server, to simplify installation.
- The Audit Database changes mean that the Message Tracking and Statistics interfaces are now integrated with IMA, and use directory for authentication and user identification.
These enhancements are described in more detail in the Blog Post "Web Application Enhancements"
The STANAG 5066 Console is a GUI tool provided by Isode to help set up and test STANAG 5066 networks over HF, VHF and UHF radio. It also provides service discovery and operator chat. We've made a number of improvements to this GUI to make it easier to use and more flexible.
These enhancements are described in more detail in the Blog Post "STANAG 5066 Console Improvements"
We have also made some improvements in order to do STANAG 5066 benchmarking, and have included these changes. The benchmarking is described in the whitepaper [STANAG 5066 Performance Measurements over HF Radio].
We plan to provide an X.400 Mailbox management capability in MConsole which will give integrated functionality to replace that currently provided by XMSConsole and by User View within EMMA. This project has started and we are shipping the work done so far in R14.4 as a preview.
You can read and see more about the current state of this in the Blog Post "X.400 Mailbox Management Preview"
- X.400 Gateway API available in Java
- X.400 Gateway API adds checks and API control for unsupported critical extensions
- X.400 Gateway API extended in order to better expose the message content. This will be of interest to those handling content types other than IPM or P772, and in particular those needing to access the CMS layers of STANAG 4406 ed 2.
- X.400 Message Token Security (required for AMHS Security) in X.400 Client API
- Handling of OR Address SubjectAltName for Message Origin Authentication checks in X.400 Client API
- In previous releases the Java Client API was implemented as a thin layer over the 'C' API, and provided a similar API. This is convenient for those using both APIs, but means that the Java API is quite low level and of a style that would be expected by a 'C' programmer, and does not take advantage of Java language features. We have added a higher level interface, which will be natural for Java developers, and should reduce development times for those building X.400 applications over our Java X.400 Client API.
Support of Paged Results (DAP and LDAP) from the Directory Client API