This blog describes how to use the Mail receiver adapter to send signed and/or encrypted mails to an email recipient. This feature will be available for customers starting with the 14-April-2019 release. This blog describes the feature in a small sample scenario.
Sending Signed and/or Encrypted Mails in Mail Receiver Adapter
In many Cloud Integration scenarios messages are sent out to one or multiple mail receivers. Starting with the 14-April-2019 release, the mails sent out can not only be encrypted but also signed. This blog describes a small sample scenario.
Configure Key and Certificate in the Keystore
Add or Create Signature Key
To sign the mail, a private key is required in the keystore. Add or create the private key to be used for the signature in the keystore and note down the Alias, as it is required in the Mail receiver channel. To create or import the key in the keystore, open the Keystore Monitor available in the Operations View in the section Manage Security.
Create New Key
If you want to create a new key, in the Keystore Monitor select the Create -> Key Pair action at the top of the monitor. A create dialog appears asking for the Alias to be used for the key and the key-specific attributes. Note down the Alias, as it is required later in the mail receiver channel.
Choose Deploy to add the new key to the keystore.
Upload Existing Key
If you want to upload an existing key, in the Keystore Monitor select the Add -> Key Pair action at the top of the monitor. An upload dialog appears asking for the private key file to upload and the Alias to be used for the private key. Note down the Alias, as it is required later in the mail receiver channel.
Choose Deploy to add the key pair to the keystore.
Add Encryption Certificate
To encrypt the mail, the certificate of the mail receiver is required in the keystore. Add the certificate to be used for the encryption to the keystore and note down the Alias, as it is required later in the configuration of the Mail receiver channel. To import the certificate into the keystore, open the Keystore Monitor available in the Operations View in the section Manage Security.
To upload the certificate, in the Keystore Monitor select the Add -> Certificate action at the top of the monitor. An upload dialog appears asking for the certificate file to upload and the Alias to be used for the certificate. Note down the Alias, as it is required later in the mail receiver channel.
Choose Deploy to add the certificate to the keystore.
Configure the Key and Certificate in the Mail Receiver
To be able to receive signed and encrypted mails in the mail receiver, the respective key and certificate need to be defined there as well.
For decryption, the mail receiver needs the private key belonging to the certificate the mail was encrypted with in the Cloud Integration tenant.
For signature verification, the mail receiver needs the public key (certificate) of the key pair the mail was signed with in the Cloud Integration tenant. This certificate can be downloaded in the Keystore Monitor using the Download action for the Signature Key.
Configure the Integration Flow Sending the Mails
Now we configure the integration flow in the Web UI, Design section. Create an integration flow, connect the sender participant with the start message event and select the adapter you want to use as sender adapter. Alternatively, to keep things simple, you can use a Timer start event to trigger the processing of the integration flow.
The integration flow we configure in this blog uses the Timer start event and sets the payload in a Content Modifier -> Message Body.
For the Timer start event, specify the Run Once option so that the integration flow is processed once after deployment.
Configure the Mail Receiver Channel
To configure the mail receiver channel, connect the End Message event with the Receiver participant and select the Mail adapter.
Make sure that the created mail channel has at least version 1.5, as only with this version sending signed mails is possible.
First, choose the Connection tab in the Mail receiver channel. Configure the mail server in the Address field and configure the Proxy Type, Protection and Authentication as required by your mail server.
Also configure the sender and receiver mail addresses in the Mail Attributes.
In the Security tab, specify that the mail shall be signed and encrypted using the Signature and Encryption Type drop-down. After selecting S/MIME Signature and Encryption, the configuration fields for Signature and Encryption are shown.
Under Signature, specify the Alias of the private key to be used for signing the mail and select the Signature Algorithm. The Alias can either be a fixed alias name or can be read dynamically from a header or property using ${header.alias}. Make sure the alias matches the one configured in the keystore.
Under Encryption, specify the Encryption Algorithm and the Alias of the public key to be used for encrypting the mail. With the 12-May-2019 update the Alias can also be read dynamically from a header or property using ${header.alias}, or from the partner directory using pd:<PartnerID>:<ParameterID>:Binary. Note that you need to use the new mail receiver version 1.6 to be able to set the alias dynamically. Make sure the alias matches the one configured in the keystore.
Note that the message is first signed and afterwards encrypted.
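The sign-then-encrypt order described here, and the matching decrypt-then-verify steps the mail receiver from the section "Configure the Key and Certificate in the Mail Receiver" has to perform, shown as an added example with the OpenSSL command line (not part of the original blog or of Cloud Integration). It assumes `openssl` is installed and constructs two throwaway self-signed identities, "sender" (signing key pair) and "recipient" (encryption certificate), in place of the keystore entries.

```shell
#!/bin/sh
# Added example: S/MIME sign-then-encrypt round trip with OpenSSL.
# Identities and message body are constructed on the fly; nothing here is
# taken from the tenant keystore or the original blog.
set -eu

# Create a self-signed key pair + certificate named $1 (constructed test identity)
make_identity() {
  openssl req -x509 -newkey rsa:2048 -nodes -days 1 -subj "/CN=$1" \
    -keyout "$1.key" -out "$1.crt" >/dev/null 2>&1
}

# Full round trip; prints "ok" when the receiver recovers the original body
smime_roundtrip() {
  work=$(mktemp -d)
  cd "$work"
  make_identity sender      # plays the Signature Key in the keystore
  make_identity recipient   # plays the Encryption Certificate in the keystore
  printf 'Hello from the integration flow\n' > body.txt

  # Sending side, same order as the Mail receiver adapter:
  # 1. sign with the sender's private key
  openssl smime -sign -in body.txt -signer sender.crt -inkey sender.key \
    -out signed.msg 2>/dev/null
  # 2. encrypt the signed message for the recipient's certificate
  openssl smime -encrypt -aes256 -in signed.msg -out encrypted.msg \
    recipient.crt 2>/dev/null

  # Receiving side, reversed order:
  # 1. decrypt with the private key matching the encryption certificate
  openssl smime -decrypt -in encrypted.msg -recip recipient.crt \
    -inkey recipient.key -out decrypted.msg 2>/dev/null
  # 2. verify the signature against the sender's public certificate;
  #    -verify fails (non-zero exit) if the content was tampered with
  openssl smime -verify -in decrypted.msg -CAfile sender.crt \
    -out verified.txt 2>/dev/null

  # S/MIME canonicalises line endings to CRLF, so strip CR before comparing
  if [ "$(tr -d '\r' < verified.txt)" = "$(cat body.txt)" ]; then
    echo ok
  else
    echo mismatch
  fi
}

smime_roundtrip
```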
Deploy the Integration Flow
Now you can deploy the integration flow. You can check if the integration flow was started successfully in the
Manage Integration Content monitor.
Execute the Scenario
Now you can send signed and encrypted mails to mail receivers.