HOWTO: Generating and publishing DKIM keys for SEG

This article applies to:

  • Trustwave SEG 7.3 through 7.5.X
    • (For 8.0 and above, see article Q20841)
  • DKIM functionality

Question:

  • How can I generate and use DKIM keys to sign messages in SEG?
  • What setup is required before creating DKIM signing rules?

Procedure:

The steps in this article provide a suggested way to complete the basic configuration required before you can create rules that use DKIM signing in SEG:

  • Generate an RSA key for use with DKIM.
  • Import the private key into SEG.
  • Create a matching DNS TXT record containing the public key.
  • To sign messages, enable a Content Analysis rule with the action "Apply DKIM Signature."

Many other options are available. A starting place for resources is dkim.org. The Internet RFC that describes the standard for DKIM is RFC 6376.

The instructions assume you have an installation of OpenSSL on a server or workstation. For a Windows version, you could use Shining Light Productions' Win32 OpenSSL.

Generating keys

  1. Open a command window and navigate to the OpenSSL binary folder.
  2. Generate a private key:

    openssl genrsa -out myKey.pem 1024

  3. Create a public key from the private key:

    openssl rsa -in myKey.pem -out myPublicKey.txt -pubout -outform PEM

    You will use the encoded key data (the part between the BEGIN and END lines) to construct the DNS record.

  4. Create a PKCS#8 DER file of the private key for import to SEG:

    openssl pkcs8 -topk8 -in myKey.pem -outform DER -out myKey.der -v1 PBE-SHA1-RC4-128

    • Enter a password when prompted.
    • The -v1 parameter is the algorithm used when encrypting the key. SEG only supports -v1 (or -nocrypt, which is not recommended). For a list of tested algorithms, see Notes below.
  5. Important: Save the DER file in a secure location. If you later restore the configuration on a different system you will need to re-import this file (it is NOT stored in the SEG configuration backup).

Creating the DNS record(s)

A DNS Resource Record is required for each local domain from which you are planning to send DKIM signed messages.

The record name has the form:

selector._domainkey.domain.TLD

where the "selector" is any text, such as a date string (the selector permits versioning of the record if you want to change the key later).

For example:

20140813._domainkey.example.com

The only required content of the record is the p section (the public key data, formatted as "p=data").

  • For example, in Windows DNS Manager, expand the zone for the desired local domain, and then add a resource record of type TEXT.
  • Looking up the record with NSLookup returns the TXT record text, including the p= value you published.

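As an added example (not from the Trustwave article or from SEG itself), the Python below builds the "p=" record text from the PEM produced by the openssl rsa -pubout step and checks that a looked-up TXT record decodes to the same RSA public key, including the case where DNS returns the record as several quoted strings with folding whitespace inside p=. The PEM it uses is constructed around a fake modulus so that the script runs offline; the record layout "v=DKIM1; k=rsa; p=..." follows RFC 6376.

```python
import base64
import re

RSA_OID = bytes.fromhex("06092a864886f70d010101")  # rsaEncryption OID, DER-encoded

def _der(tag, body):
    """Minimal DER TLV encoder (lengths up to 65535)."""
    n = len(body)
    ln = bytes([n]) if n < 128 else (b"\x81" + bytes([n]) if n < 256 else b"\x82" + n.to_bytes(2, "big"))
    return bytes([tag]) + ln + body

def synthetic_pubkey_pem(bits=1024):
    """Constructed stand-in for 'openssl rsa -pubout' output: a structurally
    valid SubjectPublicKeyInfo around a FAKE modulus (demo data, not a real key)."""
    def _int(v):  # DER INTEGER; the extra byte keeps the value positive
        return _der(0x02, v.to_bytes((v.bit_length() + 8) // 8, "big"))
    rsa_pub = _der(0x30, _int((1 << (bits - 1)) | 0x10001) + _int(65537))
    alg = _der(0x30, RSA_OID + b"\x05\x00")
    spki = _der(0x30, alg + _der(0x03, b"\x00" + rsa_pub))
    b64 = base64.b64encode(spki).decode()
    body = "\n".join(b64[i:i + 64] for i in range(0, len(b64), 64))
    return f"-----BEGIN PUBLIC KEY-----\n{body}\n-----END PUBLIC KEY-----\n"

def pem_to_txt_record(pem):
    """Drop the BEGIN/END lines and the line breaks; what remains is the p= data."""
    data = "".join(line.strip() for line in pem.splitlines() if "-----" not in line)
    return f"v=DKIM1; k=rsa; p={data}"

def parse_txt_record(strings):
    """Join the record's quoted strings (DNS splits TXT data over 255 bytes),
    then split tag=value pairs; whitespace inside a value is FWS per RFC 6376."""
    tags = {}
    for part in "".join(strings).split(";"):
        if "=" in part:
            k, v = part.split("=", 1)
            tags[k.strip()] = re.sub(r"\s+", "", v)
    return tags

def check_published_key(strings, pem):
    """True only if the published p= is valid base64 holding an RSA
    SubjectPublicKeyInfo identical to the key exported locally."""
    tags = parse_txt_record(strings)
    if tags.get("v", "DKIM1") != "DKIM1" or tags.get("k", "rsa") != "rsa":
        return False
    try:
        der = base64.b64decode(tags["p"], validate=True)
    except (KeyError, ValueError):  # missing tag, bad alphabet or truncated data
        return False
    local = base64.b64decode(pem_to_txt_record(pem).split("p=", 1)[1])
    return der[:1] == b"\x30" and RSA_OID in der and der == local
```

Feed check_published_key the quoted strings exactly as NSLookup prints them; a False result after a key change usually means the old record is still being served or the p= data was split or truncated when pasted into the zone.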
Importing the key to SEG

In the SEG Configurator, open the properties for the local domain.

  • To import the key, click Import Key and select the DER file you created above. If you encrypted the key, enter the encryption password.
  • In the DKIM Selector field, enter the selector value that you configured as part of the DNS record.

Notes:

  • You can use the same key for all domains.
  • Add a DNS record and local domain information for each local domain where you want to use DKIM to sign outgoing messages.
  • Ensure that DNS and local domain configuration is in place before creating any signing rules for a domain.
  • You must create rules to sign messages.

Key encryption algorithms

  • The following algorithms have been tested for creation of the PKCS#8 DER file (the -v1 parameter):
    • PBE-SHA1-RC4-128
    • PBE-SHA1-3DES
    • PBE-SHA1-2DES
    • PBE-SHA1-RC2-128
    • PBE-SHA1-RC2-40
  • This algorithm is used to encrypt the private key in the DER file. -v1 algorithms are used for interoperability with the Windows key store.
  • This algorithm is not used for signing email messages. Message signing uses the DKIM algorithm you select for the domain (SHA-256 is recommended).

Key Storage and replication

  • DKIM key storage depends on the Windows CNG Key Isolation service to store the keys and provide them to the SEG services. This service should be running on both the Array Manager and processing servers.
  • Keys are transmitted over secure RPC between the Array Manager and node Controller.
  • If you see "failed to update DKIM keys" messages in the Event Log or text logs, verify that the CNG Key Isolation service is running and then restart the Array Manager and Controller services.
