Abstract
This document describes a few common user scenarios and how to configure S/Notify for them.
Installation Test Setup
Scenario
After the installation, you want your users to test S/Notify, but you do not want to break notifications for those users who do not participate in the test or who do not have certificates or keys for encryption available.
Setup
S/Notify Configuration
On the administrative configuration pages of S/Notify
- Leave the Key store file (for S/MIME) or HKP key server (for PGP) location empty
- Leave the Encryption Fallback set to Allow unencrypted notifications
In Jira
- Select Manage apps from the Jira Administration menu
- From the S/Notify section on the left, select User Key Management for the Key store file and HKP key server settings
- From the S/Notify section on the left, select Encryption Settings for the Encryption Fallback settings
In Confluence
- Select Manage apps from the Administrator menu
- Scroll down to the S/Notify section on the left, then select User Key Management for the Key store file and HKP key server settings
- Scroll down to the S/Notify section on the left, select Encryption Settings for the Encryption Fallback settings
In Bitbucket
- Go to the administration page by clicking on the cog wheel in the upper right area
- Scroll down to the S/Notify section, from there select User Key Management for the Key store file and HKP key server settings
- Scroll down to the S/Notify section, from there select Encryption Settings for the Encryption Fallback settings
User Profile
- Users who want to participate in the test can upload their public certificate
In Jira
- Select Profile from the user menu on the top right
- Scroll down to section Email Security
- Hit the edit symbol
- Select which type to upload (S/MIME or PGP), then select the file and upload it
In Confluence
- Select Settings from the user menu on the top right
- From the S/Notify section on the left, select Email Security
- Select which type to upload (S/MIME or PGP), then select the file and upload it
In Bitbucket
- Select Manage Account from the user menu on the top right
- On the left, select Email Security
- Select which type to upload (S/MIME or PGP), then select the file and upload it
Results
S/Notify will immediately start encrypting the notification emails of each user who has provided a valid S/MIME certificate or PGP key. However, users who have not provided a valid S/MIME certificate or PGP key will still receive their notification emails unencrypted due to the Encryption Fallback setting.
Central Key Management Setup
Scenario
You want to enforce encryption of all notification emails, and the S/MIME certificates or PGP keys for all users are centrally available.
Settings
S/Notify Configuration
S/Notify supports several options for centrally managed S/MIME certificates and PGP keys. Choose whichever fits best in your environment.
S/MIME
User S/MIME certificates can be centrally provided
- from a Key store file
- from an LDAP that is configured as the User directory in Jira, Confluence, or Bitbucket
- from any other External LDAP server (not currently available in Bitbucket)
PGP
User PGP keys can be centrally provided
- from a Key store file
- from a Key server – both HKP and LDAP based servers are supported
Both
- Only if you do not want users to be able to provide their own S/MIME certificates or PGP keys, uncheck Allow user certificates and Allow user keys, respectively.
- Set the Encryption Fallback to Do not allow unencrypted notifications - send problem report instead
In Jira
- Select Manage apps from the Jira Administration menu
- From the S/Notify section on the left, select User Key Management to set up the central S/MIME certificate or PGP key management
- From the S/Notify section on the left, select Encryption Settings for the Encryption Fallback settings
In Confluence
- Select Manage apps from the Administrator menu
- Scroll down to the S/Notify section on the left, then select User Key Management to set up the central S/MIME certificate or PGP key management
- Scroll down to the S/Notify section on the left, select Encryption Settings for the Encryption Fallback settings
In Bitbucket
- Go to the administration page by clicking on the cog wheel in the upper right area
- Scroll down to the S/Notify section, then select User Key Management to set up the central S/MIME certificate or PGP key management
- Scroll down to the S/Notify section on the left, select Encryption Settings for the Encryption Fallback settings
User Profile
- Users need not configure anything
Results
S/Notify will immediately start encrypting the notification emails of each user for whom a valid certificate is present in the global keystore. If, for some users, a valid certificate cannot be found, these users will receive an unencrypted email instead, telling them that their original notification message has been discarded for security reasons, because the email could not be encrypted, and asking them to get in contact with their Jira or Confluence administrator.
User Responsibility Setup
Scenario
You want to enforce encryption of all notification emails, but the users should manage their certificates on their own, and/or not all certificates are available in a central keystore. You want the users to provide their certificates, but you do not want to allow unencrypted emails for users who have not provided their certificate.
Settings
S/Notify Configuration
On the administrative configuration pages of S/Notify
- Leave the Global Keystore and Global Keyserver locations empty
- Check Allow user uploads
- Set the Encryption Fallback to Do not allow unencrypted notifications - send problem report instead
In Jira
- Select Manage apps from the Jira Administration menu
- From the S/Notify section on the left, select User Key Management for the Global Keystore and Global Keyserver settings, as well as User override
- From the S/Notify section on the left, select Encryption Settings for the Encryption Fallback settings
In Confluence
- Select Manage apps from the Administrator menu
- Scroll down to the S/Notify section on the left, then select User Key Management for the Global Keystore and Global Keyserver settings, as well as User override
- Scroll down to the S/Notify section on the left, select Encryption Settings for the Encryption Fallback settings
In Bitbucket
- Go to the administration page by clicking on the cog wheel in the upper right area
- Scroll down to the S/Notify section, then from there select User Key Management for the Global Keystore and Global Keyserver settings, as well as User override
- Scroll down to the S/Notify section, then from there select Encryption Settings for the Encryption Fallback settings
User Profile
Users can now upload their public certificate
In Jira
- Select Profile from the user menu on the top right
- Scroll down to section Email Security
- Hit the edit symbol
- Select which type to upload (S/MIME or PGP), then select the file and upload it
In Confluence
- Select Settings from the user menu on the top right
- From the S/Notify section on the left, select Email Security
- Select which type to upload (S/MIME or PGP), then select the file and upload it
In Bitbucket
- Select Manage Account from the user menu on the top right
- On the left, select Email Security
- Select which type to upload (S/MIME or PGP), then select the file and upload it
Results
S/Notify will immediately start encrypting the notification emails of each user who has provided a valid certificate. Users who have not provided a valid certificate will receive an unencrypted email instead, telling them that their original notification message has been discarded for security reasons, because the email could not be encrypted, and asking them to get in contact with their Jira, Confluence or Bitbucket administrator.
Per Project or Per Space Encryption Setup
Scenario
You want encryption only for specific Jira projects or Confluence spaces, or you want to exclude specific Jira projects or Confluence spaces from encryption.
This feature is not yet available in Bitbucket. Please let us know if you are interested in seeing support for per-project encryption in Bitbucket.
Settings
S/Notify Configuration
On the administrative configuration pages of S/Notify
- switch on Allow project / space configuration
- if you want encryption for all but some projects / spaces, switch on Encrypt by default
- if you want encryption for only some projects / spaces and not for all, switch off Encrypt by default
- select if ambiguous emails should be encrypted
- select if other emails should be encrypted
In Jira
- Select Manage apps from the Jira Administration menu
- From the S/Notify section on the left, select Encryption Settings
- Scroll down to Per Project Encryption
- Select Allow project configuration
- Select Encrypt by default if you want encryption for all but some projects, or deselect if you want encryption for only some projects
- Select Encrypt ambiguous, if you want emails that refer to more than one project to be encrypted, or deselect if you want such emails to be left unencrypted
- Select Encrypt other, if you want emails that do not refer to any project to be encrypted, or deselect if you want such emails to be left unencrypted
In Confluence
- Select Manage apps (or Add-ons in earlier versions of Confluence) from the Administrator menu
- From the S/Notify section on the left, select Encryption Settings
- Scroll down to Per Space Encryption
- Select Allow space configuration
- Select Encrypt by default if you want encryption for all but some spaces, or deselect if you want encryption for only some spaces
- Select Encrypt ambiguous, if you want emails that refer to more than one space to be encrypted, or deselect if you want such emails to be left unencrypted
- Select Encrypt other, if you want emails that do not refer to any space to be encrypted, or deselect if you want such emails to be left unencrypted
Project or Space Configuration
On the project or space configuration pages
- Switch encryption on or off as desired
In Jira
- Select Projects from the Jira Administration menu
- Select the project you want to configure by clicking on its name
- From the Project Settings menu on the left, select Email Security
- Depending on the required setup, select or deselect Encrypt emails for this project
- Repeat for additional projects that need to be set up differently from your default setting
In Confluence
- Select Space directory from the Spaces menu at the top
- Select the space you want to configure by clicking on the info symbol on the right of the space name
- From Space Tools tabs, select Apps
- Depending on the required setup, under Email Security, select or deselect Encrypt emails for this space
- Repeat for additional spaces that need to be set up differently from your default setting
Results
S/Notify will check all outgoing emails for references to Jira projects or Confluence spaces. According to the settings for the project or space identified, S/Notify encrypts the email or leaves it unencrypted.
When an email does not refer to a Jira project or a Confluence space, or refers to multiple Jira projects or Confluence spaces with different encryption settings, the email is handled according to the setting for ambiguous emails.
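As an added example (not S/Notify's own code), the following Python model combines the per-project settings from this section with the Encryption Fallback setting from the earlier scenarios, so an administrator can see which notifications would leave in clear text under a given configuration. The field names and sample emails are constructed; it assumes that Encrypt other applies to emails without any project reference, that Encrypt ambiguous applies to emails whose projects have different settings, and that every email is an encryption candidate when project configuration is switched off.

```python
from dataclasses import dataclass, field

ENCRYPTED, REPORT = "encrypted", "problem report instead"
PLAIN_SCOPE, PLAIN_FALLBACK = "plain: project setting", "plain: fallback"

@dataclass
class Settings:  # hypothetical field names mirroring the options on this page
    allow_project_config: bool = True
    encrypt_by_default: bool = True
    encrypt_ambiguous: bool = True
    encrypt_other: bool = True
    allow_unencrypted: bool = False  # the Encryption Fallback choice
    per_project: dict = field(default_factory=dict)  # project key -> bool

def in_scope(s, projects):
    """Decide from the referenced projects whether the email should be encrypted."""
    if not s.allow_project_config:
        return True  # assumption: no per-project rules, so every email qualifies
    if not projects:
        return s.encrypt_other
    choices = {s.per_project.get(p, s.encrypt_by_default) for p in projects}
    # Projects that disagree make the email ambiguous (assumed reading).
    return s.encrypt_ambiguous if len(choices) > 1 else choices.pop()

def outcome(s, projects, has_key):
    """Combine the scope decision with key availability and the fallback."""
    if not in_scope(s, projects):
        return PLAIN_SCOPE
    if has_key:
        return ENCRYPTED
    return PLAIN_FALLBACK if s.allow_unencrypted else REPORT

def plan(s, mails):
    """Map each constructed email subject to what would happen to it."""
    return {subject: outcome(s, projects, has_key)
            for subject, projects, has_key in mails}

# Constructed sample: (subject, referenced project keys, recipient has a key)
MAILS = [
    ("HR-12 updated", ["HR"], True),
    ("HR-13 created", ["HR"], False),
    ("DOCS-4 commented", ["DOCS"], True),
    ("HR-12 linked to DOCS-4", ["HR", "DOCS"], True),
    ("Weekly digest", [], False),
]

if __name__ == "__main__":
    only_hr = Settings(encrypt_by_default=False, encrypt_other=False,
                       per_project={"HR": True})
    for subject, result in plan(only_hr, MAILS).items():
        print(f"{subject:26} -> {result}")
```

Any entry reported as plain is a notification whose content would travel unencrypted, either because its project is excluded or because the fallback allows it.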