
Citigroup Global Transaction Services

CitiDirect Online Banking


Automated File and Report Delivery (AFRD): E-Mail Set Up Guide
April 2005

Proprietary and Confidential


These materials are proprietary and confidential to Citibank, N.A., and are intended for the exclusive use of CitiDirect Online Banking customers. The foregoing statement shall appear on all copies of these materials made by you in whatever form and by whatever means, electronic or mechanical, including photocopying or in any information storage system. In addition, no copy of these materials shall be disclosed to third parties without express written authorization of Citibank, N.A.

Please Note:
The information contained in this section is intended to assist you in establishing the environment and configuration required to successfully use CitiDirect Online Banking Automated File and Report Delivery (AFRD). It provides details on obtaining and installing end-user certificates, configuring the Web server and generating key pairs. Screen shots are provided to aid understanding of the instructions, although the actual screens may differ. We tried to cover some of the more common vendor products. It is not intended to replace information that you should obtain directly from your e-mail vendor, certificate authority of choice, and Web server vendor.

Table Of Contents
Introduction
Overview
    Obtaining Your Personal E-mail Certificate
    Setting up your E-mail Client for S/MIME
    Obtaining the Citigroup Certificate Authority Certificate
Setting Up Your E-mail Client for S/MIME
    Microsoft Outlook 2000
    Microsoft Outlook Express 5.X
    Microsoft Outlook Express 4.0
    Microsoft Outlook 98
    Netscape 4.x (Communicator/Messenger)
    Netscape Communicator/Messenger
    Lotus Notes
Retrieving the Citigroup CA (root) Certificate
    Retrieving the Citigroup CA (root) Certificate Using IE
    Retrieving the Citigroup CA (root) Certificate Using Netscape
File and Report Processing via E-Mail
    Understanding E-Mail Security (S/MIME)
    End-User Certificate Requirements (e-mail)
    General Characteristics of AFRD E-Mail Delivery
    CitiDirect Processing (Sign, Encrypt and Send)
    Client Processing (Verify Signature, Decrypt and View)
    S/MIME E-Mail Support
    E-Mail Programs that do NOT Support S/MIME
    S/MIME Plug-ins for Entrust Enterprise Certificates
AFRD Installation/Requirements Check List
    Client Functionality Requested
    Type A Requirements
    Type B Requirements SMTP S/MIME (e-mail)
    Type C Requirements HTTPS (Web server)
    Type D Requirements HTTPS - SSL Encryption Only (Web server)
Disclaimer

AFRD E-Mail Set Up Guide

Introduction
Automated File and Report Delivery was designed to be secure but flexible, using common standards and tools wherever possible. In most cases you can choose from a number of different Web servers, mail clients, Certificate Authorities (CA), etc., that meet AFRD requirements. Because of this, it is impossible to fully document, in detail, the installation and configuration of every workable scenario. This guide defines requirements, lists solutions that have been tested by Citibank, and offers other suggestions. In addition, it provides details around the certificate process for popular e-mail programs and the setup and creation of certificates for approved Web servers. These details are only intended as a useful reference and in no way are meant to replace the product-specific documentation that you should consult to best accomplish the required activities. Please refer to the Automated File and Report Delivery Configuration and Installation Guide as prerequisite reading before proceeding with this guide.

Overview
Obtaining Your Personal E-mail Certificate
CitiDirect Online Banking supports any X.509v3-compliant Personal / E-mail certificate issued by a standard Certificate Authority (CA), such as VeriSign or Thawte. Moreover, if you have your own Certificate Server installed, such as Microsoft Certificate Server or Netscape Certificate Server, CitiDirect Online Banking will also honor the certificates it issues. Although we do not require a specific certificate from a specific CA, Citibank strongly recommends that you deal with a reputable CA with auditable policies and procedures on certificate issuance and administration. Please refer to the Digital Certificate Summary grid in the Configuration and Installation Guide for general requirements and the general end-user experience in obtaining and installing digital certificates. Once you obtain your certificate you will need to import it into your e-mail desktop personal computer (PC) and ensure that your e-mail program is properly set up. Please use these instructions solely as a reference for what needs to occur; follow your product's specific documentation on how best to accomplish this activity.

Setting up your E-mail Client for S/MIME


What follows is a step-by-step process of what needs to be done to enable some of the more popular e-mail programs for S/MIME. Although the following instructions are considered accurate (as of the date of this document), Citibank strongly suggests that you follow your product's specific user guides to configure your e-mail program for S/MIME.

Complete instructions and screen shots are included, as an example, for Microsoft Outlook 2000. More of an overview and guidelines are provided for the other e-mail programs.

Obtaining the Citigroup Certificate Authority Certificate


The last process in this section provides instructions for obtaining the Citigroup CA Certificate. This is required for AFRD e-mail delivery and must also be imported into your e-mail client.

Setting Up Your E-mail Client for S/MIME


Microsoft Outlook 2000
These instructions apply specifically to Microsoft Outlook 2000 on Microsoft Windows 2000. One way to get a digital certificate is to use a wizard in Outlook 2000. Select Tools, then Options from the pull-down menu. This will open up the Options dialog box. Select the Security tab. Select the Get a Digital ID button.

Selecting this button (Get a Digital ID) will launch your browser and display a Web page hosted by Microsoft with links to several Certificate Authorities. Pick a CA and follow their instructions on obtaining a personal/e-mail digital certificate. During the certificate retrieval process, you will be asked to install the certificate in the browser/e-mail client of your choosing, in this case Microsoft Outlook 2000. Click the Install button. The following steps illustrate the entire process, using VeriSign as a typical CA. The actual experience will vary according to the CA you have selected.

Select the VeriSign Link.

Go to Products and Services

Select Secure Messaging under Retail Services

For illustration purposes, we will Try a Digital ID Free for 60 Days.

Enroll Now for a Class 1 Digital ID

Complete the application.

For the Cryptographic Service Provider Name: select Microsoft Strong Encryption Encoder.

Since these digital certificates are tied to an individual e-mail address, confirm that the address is correct. This completes the application process. VeriSign will send an e-mail confirmation.

A second e-mail, Quick Installation Instructions, provides your Digital ID PIN and the URL to get your certificate.

Go to the URL provided, enter PIN, and click Submit. This installs the certificate in your browser.

In your browser, go to Tools, Internet Options, Content, and Certificates. From this screen you can view the certificate by highlighting it and selecting View.

Select Advanced and click on the Details tab for further information.

Or you can:

Press the Export button. You have a choice to export your certificate with or without the Private Key. If you need to export your certificate so that you can import it into your mail client, choose that option.

Note: If both your browser and mail client are Microsoft products, this should not be necessary. The illustration below shows you Exporting only your Public Key. This will be needed later, as it must be uploaded to CitiDirect Online Banking (S/MIME) Administration Service Class for you to be able to use Automated File and Report Delivery.

CitiDirect Online Banking only needs the Public Key.

Save the key to an easily remembered file on your PC.

If you do need to install the entire certificate (Public and Private Keys) on your e-mail client, these alternative screens will be shown:

Select Strong Encryption. Your Private Key requires a Password. Type and Confirm.

Click Finish, then OK.

The alternative screen for Exporting with the Private Key is shown.

If you need to import your certificate into Outlook, go to Outlook, Tools, Options, Security, and click the Import/Export button. Browse to your certificate file, enter the password you created when exporting it, and give the certificate a name. Click OK.

To confirm or change the setup of your certificate and e-mail, open Outlook. From the Tools menu, click Options and then select the Security tab. The following screen appears:

Click the Setup Secure E-mail button under the Secure e-mail section. The Change Security Settings dialog displays.

Outlook 2000 views your certificates, determines which ones are valid for e-mail encryption and digital signatures, and chooses a certificate for each. If the certificates that Outlook selects are not the ones you want to use, you can change the default selections. Click the Choose button in the Encryption Certificate section to select a certificate for e-mail encryption.

Note: CitiDirect Online Banking requires that the Encryption Certificate displayed here matches the certificate that was uploaded to CitiDirect during the e-mail Delivery setup. If the certificates do not match, use the dropdown menu to select the appropriate certificate and click OK.

Note: You may want to change other settings on this page if you plan on using S/MIME to SEND mail to other individuals. Since you will not be sending S/MIME mail to CitiDirect, these choices should reflect your personal preferences.

Click OK to close the Change Security Settings dialog box and return to the Options dialog box. Click Apply, and then click OK to close the Options dialog box.

Validating an E-mail Message Signature


For Outlook 2000, you can validate the signature of a message by clicking on the certificate icon in the upper right-hand corner. Clicking on the red certificate icon will open a window detailing the signature that was used to sign the message. Ensure that the signature states that it was signed by CitiDirect Online Banking.

Microsoft Outlook Express 5.X


Here are the steps needed to configure Outlook Express to read S/MIME Secure Mail messages. From the Tools menu, click Accounts, and then click the Mail tab. Select your mail account, and click the Properties button. Click the Security tab to display security-related properties for your mail account. In the Signing certificate area, click Select. The Select Default Account Digital ID dialog box appears. Click the certificate you would like to use. Outlook Express recognizes only those certificates for S/MIME use that include your e-mail address in the certificate's Subject field.

Note: CitiDirect requires that the Encryption Certificate displayed here matches the certificate that was uploaded to CitiDirect during the e-mail Delivery setup.

Note: You may want to change other settings on this page if you plan on using S/MIME to SEND mail to other individuals. Since you will not be sending S/MIME mail to CitiDirect, this choice should reflect your personal preferences.

Click Apply, and then click OK to close the Select Default Account Digital ID dialog box. Click OK to close the Properties dialog box for your mail account. Click Close to close the Internet Accounts dialog box.

Microsoft Outlook Express 4.0


The next screen you will see is the option to install the certificate in the browser/e-mail client you want to use. In this case, Microsoft Outlook Express 5.X. Click the Install button. On the Tools menu, click Accounts. Click the Mail tab, click the mail account in which you want to use a digital ID, and then click Properties. On the Security tab, click the "Use a digital ID when sending secure messages from <email address>" check box to select it, and then click Digital ID.

Note: CitiDirect requires that the Encryption Certificate displayed here matches the certificate that was uploaded to CitiDirect during the e-mail Delivery setup. If the certificates do not match, use the dropdowns to select the appropriate certificate and select OK.

Note: You may want to change other settings on this page if you plan on using S/MIME to SEND mail to other individuals. Since you will not be sending S/MIME mail to CitiDirect, this choice should reflect your personal preferences.

Click the appropriate certificate, click OK, and then click Close.

Note: If you do not have CitiDirect's (the sender's) certificate (Public Key) imported into your address book, Outlook Express displays the following security warning message: "The certificate used to sign this message is either not listed in your Address Book or marked as not trusted by you. Continue to open this message?" If you have the sender's Public Key imported into your address book and the certificate is marked as Not Trusted By Me, Outlook Express displays the following security warning message: "You do not trust the certificate used to sign this message. Continue to open this message?"

Microsoft Outlook 98
The next screen you will see is the option to install the certificate in the browser/e-mail client you want to use. In this case, Microsoft Outlook 98. Click the 'Install' button.

To import a downloaded Digital ID into your address book for Outlook 98: Open "Contacts" from Outlook '98 (click on the Contacts icon). Add CitiDirect (** need exact e-mail address here ****) to your contact list. Select the Certificates tab in the Contact window. Click on the "Import" button. Locate the Digital ID you downloaded from CitiDirect and click the Open button. Click on "Save and close".

Note: CitiDirect requires that the Encryption Certificate matches the certificate that was uploaded to CitiDirect during the e-mail delivery setup. If the certificates do not match, make the appropriate changes using the supplied User Interface and select OK.

Note: You may want to change other settings on this page if you plan on using S/MIME to SEND mail to other individuals. Since you will not be sending S/MIME mail to CitiDirect, this choice should reflect your personal preferences.

Netscape 4.x (Communicator/Messenger)


What follows are instructions for getting a Digital ID for sending/receiving secure messages (S/MIME) and installing it in Netscape 4.X. Please refer to the following site for more information on using S/MIME with Netscape Messenger: http://www.verisign.com/smime/guide/nsemail.html

To get a digital certificate, you must first decide which CA (Certificate Authority) you would like to use. If you follow the Security, Certificates, Yours, Get a Certificate option within Netscape, you will be taken to a page where you can pick from a predefined list of Certificate Authorities. Pick a CA and follow its enrollment instructions for personal/e-mail certificates. Towards the end of the process you will be prompted by Netscape to generate a Private Key. For Netscape Communicator you will be asked to generate your Private Key for the certificate request. The following screen will appear.

Click OK to Continue. The next screen will require you to enter your password to access your private keystore.

If you have recently installed Netscape on your system or have never used any of Netscape's security features, you may be asked to create and set up a Netscape Communicator password. Citibank highly recommends taking this action. By doing so, you effectively prevent any individual other than yourself from managing, importing or exporting digital certificates on your machine. This password also restricts other individuals from sitting down at your machine and signing e-mail messages with your digital ID.

Note: Be sure to remember your Communicator password. This is a Netscape function, included with Communicator for your security. If you forget your password, you will not have access to manage, deploy or use your digital ID. There is nothing your CA and/or Netscape can do in the event that this happens, and ANY digital certificates you may have will be rendered useless.

The Authentication Phase is carried out by your CA. Depending on the type of certificate you are requesting, this process might be quite simple or rather complex.

After you complete the enrollment process explained in the above steps, depending on your CA and the type of certificate you requested, they will either e-mail you that your certificate is available or send you some form of postal mail. Irrespective of the mode of delivery, the message will contain specific information on how you can pick up your Digital ID. This mailing usually includes such items as a URL you can use to get your Digital ID along with some form of PIN number. Go to the URL included in the e-mail and complete the certificate retrieval process. Note: since you will be installing your Digital ID in Netscape, you must go to the pickup page using Netscape Communicator. This causes the Digital ID to be installed in your browser, in turn allowing the Netscape Messenger client to locate it.

The Retrieval Phase consists of getting your certificate for use. For e-mail certificates, most CAs will notify you of your certificate's availability using e-mail. For other certificate types (server, for example), some certificate authorities use e-mail, others may use the postal service. Irrespective of the method of communication, most will provide you with a URL where you can retrieve your certificate online. Follow your CA's instructions for retrieving your certificate. If you retrieve your certificate using Netscape (Communicator/Messenger), a series of windows will be displayed requesting that you name and save your certificate.

Select OK to continue.

You may want to select the Save As button to keep a copy of your personal certificate for backup purposes. Click Continue. This completes the certificate retrieval process.

To verify that your Digital ID has been successfully installed in Netscape Communicator, click on the Security tab at the top of the browser window. Under Certificates, click Yours. Your named certificate should be displayed. Your e-mail client is now ready to receive S/MIME messages.

Netscape Communicator/Messenger
To ensure security and privacy, Netscape Messenger provides encryption (scrambling) and digital signing (authentication) of e-mail messages. Messenger's privacy features comply with the Secure Multipurpose Internet Mail Extensions (S/MIME) standard. The S/MIME standard allows Messenger to send and receive encrypted messages and authenticate received messages. Using the S/MIME standard, Messenger also provides features that detect message tampering.

To enable Messenger with S/MIME, follow these instructions: Click the Security tab at the top of the Communicator window. Select Messenger from the pop-up window's left pane. In the field requesting which certificate to use for signing and encrypting (Certificate for your Signed and Encrypted Messages:), select your newly created certificate.

Note: CitiDirect requires that the Encryption Certificate displayed here matches the certificate that was uploaded to CitiDirect during the e-mail Delivery setup. If the certificates do not match, use the dropdowns to select the appropriate certificate and select OK.

Note: You may want to change other settings on this page if you plan on using S/MIME to SEND mail to other individuals. Since you will not be sending S/MIME mail to CitiDirect, these choices should reflect your personal preferences.

Click OK and close the Security window.

Lotus Notes
You can import Internet certificates into your Notes User ID. You can also export Internet certificates from your Notes User ID. Importing Internet certificates allows you to use them for SSL client authentication, and for encrypted and signed S/MIME messages. For example, if you are using a Netscape browser that is compliant with Public Key Cryptographic Standard #12 (PKCS #12), and have Internet certificates and keys (in compliance with PKCS #12) accessible from your local machine, you can import them into your Notes User ID file. On the same note, if you have Internet certificates and keys (in compliance with PKCS #12) in your Notes User ID file, you can export them to a file on your local machine and then import them to use with a Netscape browser.

To import Internet certificates into your User ID file:
1. Choose File - Tools - User ID.
2. Enter your Notes password.
3. Click "More Options" and click "Import Internet Certificates."
4. Select the file that contains the certificates in the "Specify PKCS12 File Containing the Internet Certificates" dialog box and then click Open.
5. If the file is password protected, enter the password when prompted.
6. Click "Accept All" in the "Accept Internet Certificates" dialog box to accept the certificates and any Private Keys in the file.
7. Enter your Notes password.

Note: To check that your certificates were imported into your ID file, choose File - Tools - User ID and click Certificates. You cannot import invalid certificates, or incomplete certificate chains.

Retrieving the Citigroup CA (root) Certificate


This certificate is only required when the delivery method is e-mail. It allows you to automatically trust all certificates signed by Citibank. You can retrieve Citigroup's Certificate Authority (CA) Certificate by accessing Citibank's Web site at the following location:

https://digitalcertificate.citigroup.com/cda-cgi/clientcgi?action=start
Note: If you use one of the e-mail programs provided by Microsoft (Outlook, Express), you are required to access the above site using Microsoft IE. If you are using Netscape Messenger to receive your e-mail, you must access the site using the Netscape browser.

Instructions begin on the next page.

Retrieving the Citigroup CA (root) Certificate Using IE:

Click on the link to retrieve the Citigroup Certificate Authority (CA) certificate.

The next screen will prompt you for a name for this CA. Enter something like the following: Citigroup CA, and select FINISH. The window will close and Citibank's CA certificate will have been installed in your browser's local keystore.

Retrieving the Citigroup CA (root) Certificate Using Netscape:

Click on the link to retrieve the Citigroup Certificate Authority (CA) certificate. Using a Netscape browser, a series of dialogs will appear.

File and Report Processing via E-Mail


Understanding E-Mail Security (S/MIME)
An Internet mail message consists of a message header, which contains sender and recipient information, and an optional message body. The message body can contain plain text or contain multiple body parts or file attachments as defined by the MIME standard. MIME [1] defines a standard mechanism for incorporating multiple message types in a single e-mail message. However, it does not define how to secure the message body. S/MIME provides the required security extensions that let MIME entities encapsulate security objects, such as digital signatures and encrypted messages. Through these extensions, the privacy and integrity of your e-mail can be guaranteed.

[1] MIME is defined in Request for Comments (RFC) 2045 through 2049. It defines how a message body can contain data types other than flat ASCII.

While the actual risk or likelihood of interception is relatively low, without S/MIME, someone along a message's journey could conceivably intercept one or more of these chunks of plain text and read at least part, if not all, of your message. To use a traditional postal analogy, this is similar to sending a postcard, where anyone who encounters that card along its way can read, and perhaps even modify, the message you write on the back of the card. Moreover, someone could write a postcard and forge your name and address on it, making their message appear to have come from you. Given the sensitive nature of the information being transferred to CitiDirect, protecting the message during transit is of utmost importance.

To ensure the privacy and integrity of the data transmitted from CitiDirect to you, CitiDirect has chosen to utilize the S/MIME (Secure Multipurpose Internet Mail Extension) standard [2]. S/MIME was designed to add security to e-mail messages in MIME format. The S/MIME standard was chosen since it has established itself as the de-facto standard for e-mail security within the industry. Moreover, S/MIME relies on state-of-the-art Public Key cryptography and is supported in most of the popular e-mail programs on the market today. Popular e-mail programs (including Microsoft Outlook Express and Outlook 2000, as well as Netscape Communicator/Messenger) not only support S/MIME but actually interoperate with each other. This decision enables us to apply a full set of security functions to e-mail. These functions include:
Confidentiality - provided by the use of 128-bit DES strong encryption;
Integrity - provided by the use of SHA-1 Digital Signatures;
Authentication - provided by the use of X.509 Digital Certificates;
Proof of a transaction or 'Non-Repudiation' as defined by the Public Key Infrastructure (PKI).

End-User Certificate Requirements (e-mail)


Given that S/MIME relies on PKI, you will need to acquire a Personal E-mail Certificate (X.509) from an independent Certifying Authority (CA). Two of the most popular certificate authorities are:
http://www.verisign.com/
http://www.thawte.com/

CitiDirect recommends using S/MIME with the following symmetric encryption algorithms:
- Triple DES (more correctly DES EDE3 in CBC mode) using a 168-bit key
- RC2 encryption in CBC mode using a 128-bit key

You will also need to obtain another certificate for each end-user, which will allow you to automatically trust all certificates signed by Citibank. This certificate, Citigroup's (Citibank) CA certificate, is obtained by accessing Citibank's Web site at the following location:
https://digitalcertificate.citigroup.com/cda-cgi/clientcgi?action=start

Note: If you are using Netscape Messenger to receive your e-mail, you must access the site above using the Netscape browser. If you would like to use Microsoft's e-mail programs (Outlook, Express), you are required to access the above site using Microsoft IE.

[2] S/MIME 3.0 became an Internet Engineering Task Force (IETF) approved standard in June 1999. Please refer to Requests for Comments (RFCs) 2632 through 2634 for further details on this standard.
Additional details on obtaining and installing this certificate can be found in the Setup Details section of this Installation and Configuration Guide, but the Web site will also guide you through the process.

General Characteristics of AFRD E-Mail Delivery


Only one e-mail address may be specified for each automated e-mail delivery schedule. Our mail server imposes a file size limitation of 25 MB. Due to its nature, e-mail delivery is NOT GUARANTEED. CitiDirect will know only whether it has successfully submitted the e-mail to the mail system processor (SMTP server) for delivery. CitiDirect will not know whether the e-mail subsequently reached its intended recipient. You may apply different processing controls to your e-mail activities. For example, you may configure your e-mail servers to reject e-mails with attachments that are greater than a certain size, or you may defer delivery of e-mails with such attachments. You also may require administrative procedures to accept receipt of e-mails from a restricted list of domains outside of the company, etc.

CitiDirect Processing (Sign, Encrypt and Send)


To guarantee message privacy, CitiDirect Online Banking will encrypt all mail using the Triple DES algorithm (symmetric cipher) and a randomly generated secret key (generated per message). CitiDirect will then apply a one-way hash (SHA-1) to the encrypted data to obtain a checksum of the data. CitiDirect will then apply a Digital Signature to the message by encrypting the checksum (using an asymmetric cipher) with its own Private Key. The session key is then encrypted using the recipient's Public Key so that it can be retrieved by you as the recipient. All of these objects/structures are then assembled into an e-mail message and sent using SMTP (e-mail protocol) to the recipient's e-mail address.

Client Processing (Verify Signature, Decrypt and View)


For you to decrypt and verify the integrity of the message, you must have obtained the root CA certificate of Citibank. Please refer to the section entitled Setup Details for more information on how to obtain it. Assuming you have an S/MIME-aware e-mail program, when the e-mail arrives in your inbox, the following steps are performed:

1. You receive a warning message stating that the message is encrypted. Depending on the e-mail program, you may have to select some option to continue processing the message.
2. The session key information (protecting the message) is decrypted using your Private (secret) Key.
3. The message signature is validated using the Public Key of Citibank (and/or CitiDirect Online Banking's Public Key, which was previously obtained).
4. The message is decrypted for viewing/processing.
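The sign-encrypt-send flow described under CitiDirect Processing, and client steps 2 to 4 above, as an added Go example that is not CitiDirect's own code: a per-message 3DES-CBC session key, a SHA-1 checksum of the ciphertext signed with the sender's RSA private key, and the session key wrapped with the recipient's RSA public key. The key pairs and message text are constructed for the demo, and PKCS#1 v1.5 is assumed for the RSA signing and key wrapping, since the guide does not name the RSA padding scheme.

```go
package main
import (
	"bytes"
	"crypto"
	"crypto/cipher"
	"crypto/des"
	"crypto/rand"
	"crypto/rsa"
	"crypto/sha1"
	"errors"
)
type Envelope struct{ IV, Ciphertext, Signature, WrappedKey []byte } // what CitiDirect assembles into one e-mail
func NewKey() *rsa.PrivateKey { k, _ := rsa.GenerateKey(rand.Reader, 2048); return k } // constructed demo key pair

// Seal is "Sign, Encrypt and Send": 3DES-CBC under a per-message key, SHA-1 over the
// ciphertext signed with the sender's private key, session key wrapped for the recipient.
func Seal(msg []byte, sender *rsa.PrivateKey, recipient *rsa.PublicKey) (*Envelope, error) {
	buf := make([]byte, 24+des.BlockSize) // 168-bit 3DES key followed by the CBC IV
	rand.Read(buf)                        // crypto/rand.Read never returns an error in current Go
	blk, _ := des.NewTripleDESCipher(buf[:24])  // cannot fail: key is exactly 24 bytes
	n := des.BlockSize - len(msg)%des.BlockSize // PKCS#7 padding, always 1..8 bytes
	ct := append(append([]byte{}, msg...), bytes.Repeat([]byte{byte(n)}, n)...)
	cipher.NewCBCEncrypter(blk, buf[24:]).CryptBlocks(ct, ct)
	digest := sha1.Sum(ct)
	sig, errS := rsa.SignPKCS1v15(rand.Reader, sender, crypto.SHA1, digest[:])
	wrapped, errW := rsa.EncryptPKCS1v15(rand.Reader, recipient, buf[:24])
	if errS != nil || errW != nil {
		return nil, errors.Join(errS, errW)
	}
	return &Envelope{IV: buf[24:], Ciphertext: ct, Signature: sig, WrappedKey: wrapped}, nil
}

// Open follows the guide's client steps 2-4: unwrap the session key with your private key,
// validate the signature with Citibank's public key, and only then decrypt the message.
func Open(e *Envelope, recipient *rsa.PrivateKey, sender *rsa.PublicKey) ([]byte, error) {
	key, errU := rsa.DecryptPKCS1v15(rand.Reader, recipient, e.WrappedKey)
	if d := sha1.Sum(e.Ciphertext); rsa.VerifyPKCS1v15(sender, crypto.SHA1, d[:], e.Signature) != nil {
		return nil, errors.New("signature invalid: altered in transit or not from the expected sender")
	}
	blk, errK := des.NewTripleDESCipher(key)
	if errU != nil || errK != nil || len(e.IV) != des.BlockSize || len(e.Ciphertext) == 0 || len(e.Ciphertext)%des.BlockSize != 0 {
		return nil, errors.New("cannot unwrap session key or ciphertext is malformed")
	}
	pt := make([]byte, len(e.Ciphertext))
	cipher.NewCBCDecrypter(blk, e.IV).CryptBlocks(pt, e.Ciphertext)
	if n := int(pt[len(pt)-1]); n >= 1 && n <= des.BlockSize && n <= len(pt) {
		return pt[:len(pt)-n], nil // strip PKCS#7 padding
	}
	return nil, errors.New("bad padding")
}
```

A mail client that only shows *.p7m attachments (see below) is effectively stopping before step 2 of Open; the signature check here is what turns a message altered in transit into an error rather than garbled plaintext.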

If your e-mail program displays only two file attachments with the extension *.p7m and/or *.pls, then your e-mail program either does not support S/MIME or has not been properly configured. Please check your e-mail product's installation and configuration documentation for enabling S/MIME functionality.

S/MIME E-Mail Support


The following table highlights those e-mail programs that support S/MIME and should function properly with CitiDirect Online Banking's Automated File and Report Delivery Service.

E-mail Program                                  CitiDirect Tested   Comments
Microsoft Outlook 98                            NO                  Requires security patch
Microsoft Outlook Express 5.X                   YES                 Windows version only (not on the Mac)
Microsoft Outlook 2000                          YES                 Supports S/MIME
Microsoft Outlook Mac version 8.21 or greater   NO                  Supports S/MIME
Microsoft Outlook Express 4.X                   NO                  Supports S/MIME
Netscape Communicator 4.x                       YES                 WinTel version only, but NOT version 6.X
Novell GroupWise 6.0                            NO                  Supports S/MIME
Eudora Pro                                      YES                 Requires plug-in (Entrust) (Mac supported)

For instructions on importing a certificate into the various e-mail programs, please refer to your e-mail user's guide. Instructions for some popular e-mail programs can be found in a later section of this document.

E-Mail Programs that do NOT Support S/MIME


The following table illustrates some popular e-mail programs that either do not function properly for AFRD, or do not support the S/MIME standard.
Program                              Comments
Microsoft Outlook Express            All Mac versions are NOT supported
MS Exchange Client (all versions)    NOT supported
Netscape Communicator                Versions prior to 4.X are NOT supported; on WinTel, version 6.0 is NOT supported; all other platforms are NOT supported

One vendor that supports various e-mail systems is Baltimore Technologies, found at: http://www.baltimore.com/securityapplications/mailsecure/index.html. Baltimore Technologies' MailSecure S/MIME enables the following e-mail programs:

Microsoft Exchange
Microsoft Outlook
Lotus Notes
Qualcomm Eudora

Please note that this information is presented here solely as a point of reference. Other commercial e-mail plug-in providers exist. You may choose which e-mail plug-in (if any) you require, based on your corporate security policies and procedures.


S/MIME Plug-ins for Entrust Enterprise Certificates


The Entrust Entelligence E-mail Plug-in (currently called Entrust Express), along with Entrust Entelligence 6.0, can be used with a variety of e-mail applications such as Microsoft Exchange, Microsoft Outlook, and Lotus Notes. It can be obtained through Citigroup or from the Entrust Web site located at: http://www.entrust.com/entelligence/email/index.htm. Please note that if you are required (and/or prefer) to use Entrust Enterprise certificates to secure your e-mail communication, the Entrust Express e-mail plug-in must also be used with your e-mail program, regardless of whether or not the program supports S/MIME natively.

AFRD Installation/Requirements Check List

Client Functionality Requested

Scheduled Reports to Browser                       Type A
Scheduled Reports via E-mail                       Type B
Scheduled Reports via HTTPS                        Type C
Reports via HTTPS (SSL Encryption Only)            Type D
Scheduled Export File(s) via E-mail                Type B
Scheduled Export File(s) via HTTPS                 Type C
Scheduled Import File(s) via HTTPS                 Type C
Export File(s) via HTTPS (SSL Encryption Only)     Type D

Type A Requirements
No special requirements; covered by in-session SSL.

Type B Requirements

SMTP S/MIME (e-mail)

Digital Certificate (Web cert for end-user)
    X.509 compliant
    Triple DES (DES EDE3 in CBC) using 168-bit key
    RC2 encryption in CBC mode using 128-bit key

S/MIME Aware E-mail Client such as:
    Microsoft Outlook Express 5.X (Windows version only)
    Microsoft Outlook 2000
    Netscape Communicator 4.X (WinTel version only, but not version 6.X)

Mail Server that supports native S/MIME such as:
    Exchange
    HP OpenMail configured for IMAP or POP3 (not MAPI)

Type C Requirements

HTTPS (Web server)

Install a Web Server (if one is not already available)
    Microsoft IIS Version 4.X and above
    Netscape/iPlanet Web Server Version 4.X and above
    Apache HTTP Server (plus OpenSSL or mod_ssl) Version 1.3 and above

Enable Secure Sockets Layer (SSL) (if not already enabled)
    Minimum encryption strength is 128-bit (1024-bit session keys)
    Activate SSL security (on folder or root level)
    Other SSL configuration requirements

Create a user account for the exclusive use of CitiDirect
    GET functionality must be enabled for file Import
    PUT functionality must be enabled for file Export

Dedicated Internet connection, minimum T1 (1.54 Mbps)
HTTPS connection on Port 443 for GET & PUT

Acquire Digital Certificate from a Certificate Authority (CA)
    Certificate must be an SSL Server Certificate on the Citibank approved list (see appendix)
    Must support 128-bit encryption, 1024-bit session keys

Create a CitiDirect user (User ID and Password) on your Web server
    Citibank recommends that the password be at least 6 characters in length and changed frequently
    NOTE: when you change this password, please ensure that it is changed in CitiDirect (Delivery Options Library) as well, in order to avoid scheduled job failures
    NOTE: you will provide this information to Citibank during the definition phase of the Delivery Method (File Delivery scheduling process)

Establish Access Rights for this CitiDirect User
    For Export, write (PUT) authorization is required
    For Import, read (GET) authorization is required
    Ensure that access is given to the appropriate directory location(s)
    Ensure that the assigned directories are restricted from any/all other users
    If there will be multiple Import Files, ensure that the HTTP LIST command is also enabled for the specified directory and user

Minimum Configuration Parameters for SSL v3 Cipher Suite
    RC4 or RC5 symmetric algorithm with 128-bit cipher strength
    RSA Public Key Algorithm with 1024-bit key strength
    SHA1 Message Authentication Hash / Digest Algorithm
    NOTE: CitiDirect supported SSLv3 ciphers include: RC4 with MD5; RC2 with MD5; Triple DES with MD5

End-User Software and Certificate Requirements
    PKCS-7 standard
    Entrust Entelligence 6.0 software (can be obtained from Citibank)
    Ports to be opened if through Citigroup: 389 to check certificates against our directory services; 709 to send certificates to our CA; and 829 to renew the certificate
    Use Entelligence to retrieve the enterprise certificate from Citigroup

Type D Requirements HTTPS - SSL Encryption Only (Web server)


The requirements are exactly the same as those documented for Type C, except that there are no end-user software or certificate requirements. A customer can elect to have data files and reports delivered through an encrypted SSL session without additional encryption of the file and/or report itself.

This security method is named None with SSL and can be configured within the Delivery Options table found online in CitiDirect. Currently, this applies to files and reports delivered from CitiDirect AFRD to the customer. Payment files originating from the client for import into CitiDirect require file encryption.


When the New Certificate Authority window displays, click NEXT to continue.


Another window will appear explaining the role of a Certificate Authority. Click Next to continue.


Another window displays where you can view (via More Info) Citibank's Public Key information. Select More Info for certificate details. When complete, select NEXT to continue.


After selecting NEXT, the above window appears, where you MUST select at least the option for using the Citibank CA to certify e-mail users, since Citibank will be sending you files signed using our Public Key.


Depending on your comfort level, please choose the appropriate option above and select NEXT.


The next screen will prompt you for a name for this CA. Please enter something like the following: Citigroup CA, and select FINISH. The window will close and Citibank's CA will have been installed in your browser's local keystore.


Disclaimer
The authoritative and official text of this CitiDirect Online Banking documentation shall be in the English language as used in the United States of America. Any translation of any CitiDirect documentation from English to another language is done solely for the convenience of the reader, and any inconsistencies, or inaccuracies between the English text and that translation shall be resolved in favor of the English text. These materials are proprietary and confidential to Citibank, N.A., and are intended for the exclusive use of CitiDirect Online Banking customers. The foregoing statement shall appear on all copies of these materials made by you in whatever form and by whatever means, electronic or mechanical, including photocopying or in any information storage system. In addition, no copy of these materials shall be disclosed to third parties without express written authorization of Citibank, N.A. Customer shall be solely responsible for the use of any User identifications, passwords and authentication codes that may be provided to it, from time to time, in connection with CitiDirect Online Banking (collectively, "User IDs"). Customer agrees to keep all User IDs strictly confidential at all times. Customer shall immediately cease use of CitiDirect Online Banking if it receives notification from Citibank, or otherwise becomes aware of, or suspects, a technical failure or security breach. Customer shall immediately notify Citibank if it becomes aware of, or suspects, a technical failure or security breach.
April 2005. © 2005 Citibank, N.A. All rights reserved. CITIBANK, CITIDIRECT, WORLDLINK, CITIGROUP, and the Umbrella Device are trademarks and service marks of Citicorp or its affiliates and are used and registered throughout the world. Adobe, Acrobat, Reader are either registered trademarks or trademarks of Adobe Systems Incorporated in the United States and/or other countries. Actuate is a registered trademark of Actuate Corporation. Microsoft, Outlook and Windows are either registered trademarks or trademarks of Microsoft Corporation in the United States and/or other countries. VeriSign and Thawte are registered trademarks of VeriSign in the United States and/or other countries. All other brands, products, and service names mentioned are trademarks or registered trademarks of their respective owners.
