Voltage Securemail Server: Installation Guide

Voltage SecureMail Server
Version 7.3
Installation Guide
Document Release Date October 2020

Software Release Date October 2020
Legal notices
Warranty
The only warranties for Micro Focus products and services are set forth in the express warranty statements accompanying such products
and services. Nothing herein should be construed as constituting an additional warranty. Micro Focus shall not be liable for technical or
editorial errors or omissions contained herein.
The information contained herein is subject to change without notice.
Restricted rights legend
Confidential computer software. Valid license from Micro Focus required for possession, use or copying. Consistent with FAR 12.211 and
12.212, Commercial Computer Software, Computer Software Documentation, and Technical Data for Commercial Items are licensed to the
U.S. Government under vendor's standard commercial license.
Copyright notice
© Copyright 2020 Micro Focus or one of its affiliates
Trademark notices
Microsoft® and Windows® are U.S. registered trademarks of Microsoft Corporation.
Red Hat Enterprise Linux is distributed under the GNU General Public License.
Python is licensed by Python Software Foundation (PSF, see http://www.python.org/psf/).
Boost C++ Libraries are distributed under the Boost Software License, Version 1.0.
SQLite is licensed by Hwaci.
Libxml2 and Libcurl are distributed under the MIT License through the Open Source Initiative OSI.
Struts and Apache Jakarta ORO are distributed under the Apache Software License, Version 1.1.
log4cxx, Castor, Jetty, MyFaces, Tomahawk, Xerces, Jasper, JSP Standard Tag Library, Apache log4j, Tomcat, Axis Web Services Framework, xalan and Apache Jakarta Commons are
licensed under the Apache License Version 2.0.
libiconv, GNU Privacy Guard, and TinyMCE are distributed under the GNU Lesser General Public License, Version 2.0.
GNU Multiple Precision Arithmetic Library (GMP) is distributed under the GNU Lesser General Public License, Version 3, and is available at http://www.gmplib.org/.
CentOS and GNU libstdc and libgcc are distributed under the GNU General Public License, Version 2.0.
zlib is licensed by Jean-loup Gailly and Mark Adler.
Windows Template Library (WTL), the Windows Installer XML (WiX), and HTML Parser are distributed under the Common Public License Version 1.0 through the Open Source
Initiative OSI.
spc_email_isvalid function is licensed through the Secure Programming Cookbook for C and C++.
Gecko SDX also known as XULRunner SDK and Mozilla NSS are licensed under the Mozilla Public License 1.0.
JavaService and Yahoo UI Library are distributed under Berkeley Software Distribution (BSD) through the Open Source Initiative OSI.
Django Web Application Framework is licensed by the Django Software Foundation and individual contributors.
FreeMarker is licensed by the Visigoth Software Society.
Bouncy Castle JCE Provider is licensed by the Legion Of The Bouncy Castle (http://www.bouncycastle.org).
JavaBean Activation Framework, JavaMail, and Java Runtime Environment (JRE) are licensed under the Sun Microsystems, Inc. Binary Code License Agreement.
Simple Logging Facade for Java (SLF4J) is distributed under the X License or the X11 License, which is a simple, permissive non-copyleft free software license.
Prototype JavaScript Framework is distributed under the X License or the X11 License, which is a simple, permissive non-copyleft free software license.
Scriptaculous is distributed under an open source license by Thomas Fuchs.
Open SSL is licensed by the OpenSSL Project.
cx_Oracle is licensed by Anthony Tuininga and Computronix (Canada) LTD.
pysqlite is distributed as a public domain project created by D. Richard Hipp.
lighttpd distributed under an open source license by Jan Kneschke.
FastCGI is distributed under an open source license by Open Market, Inc.
BIRT is licensed by Eclipse Public License, Version 1.0.
Jersey and JSR311 are licensed under Common Development and Distribution License (CDDL) Version 1.1.
ASM is licensed by INRIA, France Telecom.
Some Voltage products include software developed by the Visigoth Software Society (http://www.visigoths.org/).
Crypt::X509 is licensed by Mike Jackson (mj@sci.fi). Copyright 2001-2002 Norbert Klasen, DAASI Int’l GmbH under Artistic License.
Convert::ASN1 is licensed by Graham Barr (gbarr@cpan.org) under Artistic License.
Digest::SHA::PurePerl is licensed by Mark Shelor under Artistic License.
VOMS::Lite::PEMHelper is licensed by Mike Jones (mike.jones@manchester.ac.uk) under Artistic License.
Contents
Chapter 1 Planning a Voltage SecureMail Deployment . . . . . . . . . . . . . . . . . . . . . . . . . . . . 1-1

Voltage SecureMail Components . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . 1-4
Understanding the Software Installation Process . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . 1-5
Linux . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . 1-6
Windows . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . 1-7
Client to Server Communication . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . 1-7
Deployment Options . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . 1-8
One Linux Server . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . 1-9
One Linux Server and One Windows Server . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . 1-9
Multiple Linux Servers and One Windows Server . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . 1-11
Multiple Linux Servers and Multiple Windows Servers . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . 1-12
Network Configuration Settings . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . 1-14
IP Address Requirements . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . 1-14
IP Address Requirements for a Stand-Alone Deployment . . . . . . . . . . . . . . . . . . . . . . . . . . . 1-14
IP Address Requirements for a Distributed Deployment . . . . . . . . . . . . . . . . . . . . . . . . . . . . 1-14
Planning for Network Integration . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . 1-15
Connections Between Voltage SecureMail Servers and the Internet . . . . . . . . . . . . . . . . 1-15
Connections from the Management Console to the Voltage SecureMail Servers . . . . 1-15
Remote Connections to Voltage SecureMail . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . 1-15
Connection to LDAP Server . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . 1-16
Lookup Addresses in LDAP for ZDM . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . 1-16
Upgrading Voltage SecureMail Server . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . 1-16
Additional Documentation . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . 1-16
Chapter 2 Installing Voltage SecureMail Server on Linux . . . . . . . . . . . . . . . . . . . . . . . . . . 2-1
Installing the Voltage SecureMail Software . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . 2-1
Configuring the Software . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . 2-2
The IP Addresses and Gateway Page . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . 2-3
The Hostname and DNS Page . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . 2-3
The Enter Account Information for Upgrades Page . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . 2-4
The Deployment Model Page . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . 2-5
The Appliance Role Page . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . 2-5
The Administrative IP Address Page . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . 2-6
The Management Console Password Page . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . 2-6
Understanding the Voltage SecureMail Appliance Menu . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . 2-7
Using the Voltage SecureMail Appliance Menu . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . 2-7
Chapter 3 Installing Voltage SecureMail Server on Windows . . . . . . . . . . . . . . . . . . . . . . . 3-1
Installing the MariaDB Database Software . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . 3-1
iii CONFIDENTIAL
Installing the Management Console . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . 3-3
Installing the Voltage SecureMail Server . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . 3-4
Starting the Voltage SecureMail Services . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . 3-7
Troubleshooting . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . 3-8
Chapter 4 Understanding the Management Console. . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . 4-1
Logging into the Management Console . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . 4-1
Restricting Management Console Remote Access . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . 4-2
Chapter 5 Upgrading from a Previous Version . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . 5-1
Upgrading SecureMail . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . 5-3
Back Up Your Voltage SecureMail Configuration . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . 5-3
Upgrade MariaDB (Windows) . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . 5-5
Upgrade the Management Console Software . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . 5-6
Windows . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . 5-6
Linux . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . 5-6
Upgrade the Voltage SecureMail Server Software . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . 5-7
Windows . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . 5-7
Linux . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . 5-7
Restoring Your System From a Backup . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . 5-8
Verify the Active Directory Domain Name . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . 5-9
Update All Clusters . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . 5-9
Upgrading a Linux Appliance with the Upgrade Script . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . 5-11
Chapter 6 Troubleshooting . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . 6-1
Voltage SecureMail Services Do Not Start . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . 6-1
Management Console Does Not Display . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . 6-2
Tuning JVM Memory on Windows . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . 6-2
Client to Server Communication Errors . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . 6-3
CONFIDENTIAL iv
1 Planning a Voltage SecureMail Deployment
Voltage SecureMail offers a variety of deployment options to satisfy your secure
communication requirements. You can deploy a system that does not use any client software or
you can deploy a secure end-to-end channel that extends all the way to each user’s desktop.
• In a clientless solution, users send outbound mail as usual. The Voltage SecureMail
Gateway automatically encrypts messages based on a policy that you specify. Recipients
receive encrypted messages in their inbox. Each message includes instructions for
posting the message to a secure website, where the recipient authenticates his or her
identity and reads the secure messages. External users can go to the same website to
reply securely. The Gateway can decrypt the replies bound for the internal users, so they
do not need to install a client.
• In an end-to-end solution, users in your organization can send and receive secure
messages using their desktop email tool or mobile email apps. Messages can be
automatically encrypted based on a policy that you specify, or users can specifically
choose to send a message securely using the Voltage SecureMail Encryption Client.
They can read their secure messages in the same way as they read any message.
Recipients outside your organization use the secure website that is available for the
clientless solution to read messages sent securely from within your organization.
In all cases, the identity of recipients is authenticated before they can read secure messages.
You can configure one or more authentication methods using a web-based console.
1-1 CONFIDENTIAL
Voltage SecureMail Server Installation Guide Version 7.3
Figure 1-1 shows a simplified example of a clientless solution.
Figure 1-1 Encrypted Message Flow for a Clientless Solution
In this example, the message flows as follows:
1. A user sends a message in the usual manner.
2. The mail server routes the message through the Voltage SecureMail Server/Gateway.
3. The Gateway checks the message header and, depending on the security policy,
encrypts the message before sending it on to the recipient.
4. The recipient clicks a link, and is connected to the Voltage SecureMail Server for identity
authentication.
5. The recipient reads the decrypted message.
1-2 CONFIDENTIAL
Figure 1-2 shows a simplified example of an end-to-end solution. Using the Voltage SecureMail
Encryption Client a message is sent securely to an external recipient from inside your
organization.
Figure 1-2 Encrypted Message Flow For an End-to-End Solution
In this example, the message flow is as follows:
1. The user sends a secure message to an external recipient using the Voltage SecureMail
Encryption Client.
2. The mail server delivers the secure message to the recipient.
3. The recipient opens the message, which provides a link to a web page served by the
Voltage SecureMail Server. This web page authenticates the identity of the recipient,
and then decrypts the message.
The Voltage SecureMail software provides all of the services needed for generating keys used
for encryption and decryption, configuring identity authentication methods, setting up
automatic policy-based message encryption, and managing a secure website used for sending
and reading encrypted messages.
1-3 CONFIDENTIAL
Voltage SecureMail Server Installation Guide Version 7.3 Voltage SecureMail Components
Voltage SecureMail Components
The Voltage SecureMail software consists of the following components:
• Voltage SecureMail Server: You can install one or more Voltage SecureMail Servers on
Linux-compatible hardware or on Windows servers. The Server includes the following
services:
• IBE Key Management Service: Manages the authentication methods used to verify
the identity of email senders and recipients, and generates private keys for
authenticated users.
• ZDM Service: Controls the Zero Download Messenger, which serves web pages that
allow users to read and compose secure messages without downloading any
Voltage SecureMail software.
• Voltage SecureMail Gateway: Provides the means to automatically encrypt or decrypt

email for secure communication beyond the corporate firewall. The Gateway is a
Sendmail mail filter (milter). You can only install the Voltage SecureMail Gateway on
Linux-compatible hardware. Note that the Gateway can be deployed on the same Linux
machine as the Voltage SecureMail Server.
• Voltage SecureMail Management Console: Provides configuration and administration of

the Voltage SecureMail Server services, including event logs and reporting. You can
install the Management Console on a Windows server or on Linux-compatible hardware.
Note that if you install multiple Management Consoles, only one can be running at a
time.
1-4 CONFIDENTIAL
Voltage SecureMail Server Installation Guide Version 7.3 Understanding the Software Installation Process
Figure 1-3 shows an overview of these Voltage SecureMail components.
Figure 1-3 Overview of the Voltage SecureMail Components and Message Flow
This diagram shows the Management Console serving as a central point of control,
communicating with the Voltage SecureMail Server and the Gateway. It also shows the
following example of a message flow in a clientless solution:
1. An internal user sends a message to an external recipient.
2. The mail server routes the message to the Gateway.
3. The Gateway encrypts the message and routes it to the recipient.
4. The recipient opens the message, which provides access to a web page served by the
ZDM service. The IBE service authenticates the identity of the recipient, and then
decrypts the message.
Understanding the Software Installation Process
Before you begin, you should have a good understanding of the mail flow for your domain, including
the approximate average and peak volume of messages. This information is important in estimating
the number of machines required. The successful installation of the Voltage SecureMail components
depends on the number of machines and which operating system is running on each machine in
your deployment.
1-5 CONFIDENTIAL
Linux
On Linux-compatible hardware, you install a single ISO image that contains both Centos 7 and
all Voltage SecureMail components. The ISO image also contains the MariaDB software and the
Mail Transfer Agent (Sendmail). Both of these are automatically installed and configured. The
machine becomes a dedicated Voltage SecureMail Appliance after installation is complete.
Installing the software on Linux-compatible hardware typically takes about 20 minutes.

CAUTION: The installation process formats the hard drive of the server and installs all
needed software. Any existing data is lost.
Before you start installing the Voltage SecureMail Appliance, make sure that your hardware
meets the following requirements:
• At least 3 GHz x86 64-bit architecture processor, with 8 CPU cores
• 8 GB RAM
• 80 GB disk space (recommended minimum size; actual space required depends on

logging levels and volume of data logged)
• Ability to load an ISO image containing the operating system, such as a physical or
virtual CD-ROM drive.
• If you are installing on hardware, use a CD drive (internal or external).
• If you are installing on a VM, use a real or virtual CD-ROM or a mounted ISO image.
• 1G Ethernet Network Interface Card (NIC)
The following hardware is supported:
• All hardware compatible with RedHat Enterprise Linux 7.0 64-bit (see https://
hardware.redhat.com/ for a complete list)
The following virtual server is also supported:
• VMware vSphere Hypervisor (ESXi) 6.0

NOTE: Versions of VMware ESXi prior to 6.0 might work correctly, but only
version 6.0 has been validated.
After installation, a setup wizard guides you through the process of configuring each
component, and then you can control each component using the Appliance Menu. If you are
installing the software for the first time on a single Linux-compatible machine, all of the
information you need is in the Voltage SecureMail Quick Start Guide.
1-6 CONFIDENTIAL
Windows
You must be logged in as a member of the administrators group in order to install the software.
On a Windows server, you install each component from its own executable file. You must also
download and install the MariaDB software. After the components are installed, you control
them from the Services window of the Windows Administrative Tools.
Installing and configuring the software on a Windows server typically takes about 40 minutes.
You must install the software on one of the following versions of the Windows Server:
• Windows Server 2008 R2, installed on a 64-bit OS
• Windows Server 2012 R2, installed on a 64-bit OS
• Windows Server 2016, installed on a 64-bit OS
• Windows Server 2019, installed on a 64-bit OS
Your system must meet the following minimum specifications:
• 2 GHz CPU
• 2 GB RAM
• 30 GB disk space
The following virtual server is also supported:
• VMware vSphere ESXi 5.5, 6.0 and 6.5
In addition to the Voltage SecureMail software, you must also install MariaDB version 10.2.12. A
64-bit version is available for installation on Windows Server 2008, 2012, 2016 or 2019.
If you are planning to use Microsoft Exchange with Active Directory, Voltage SecureMail Server
supports Microsoft Exchange 2010 SP2, Exchange 2013, Exchange 2016 and Exchange
2019.
Client to Server Communication

Beginning with version 6.3 of Voltage SecureMail Server, communication to the server from
Voltage SecureMail clients (Voltage Encryption Client and Voltage SecureMail Mobile apps)
must use TLS 1.2 by default. Some older versions of Windows OS do not support TLS 1.2 and
some older browsers do not use TLS 1.2 by default. The best practice is to upgrade user
software to versions that support TLS 1.2. You can force the server to use less secure
communication protocols using an advance setting. Contact Micro Focus Voltage Support for
assistance with this option.
1-7 CONFIDENTIAL
Voltage SecureMail Server Installation Guide Version 7.3 Deployment Options
Deployment Options
In planning your deployment, use the following guidelines to determine how many machines of
each type you need:
Organization Requirements Deployment Type Deployment Details


Light mail flow 
All components on one Linux See “One Linux Server” on page
machine 1-9

No need for Windows Active
Directory authentication

Light mail flow 
One combined Voltage See “One Linux Server and One
SecureMail Server/Management Windows Server” on page 1-9

Native Windows authentication Console on Windows
required

One Gateway on Linux

Moderate to heavy mail flow 
One combined Voltage See “Multiple Linux Servers and
SecureMail Server/Management One Windows Server” on page 1-

Native Windows authentication Console on Windows 11
required

One or more Voltage

Load balancing required SecureMail Servers on Linux

Prefer using Linux machines 
One or more Gateways on Linux

Heavy mail flow 
One Management Console See “Multiple Linux Servers and
(Windows or Linux) Multiple Windows Servers” on

Native Windows authentication page 1-12
required 
One or more Voltage
SecureMail Servers on Windows

Load balancing required

(optional) Voltage SecureMail

Multiple Windows and Linux Servers on Linux
machines available

One or more Gateways on Linux
The following restrictions apply to the deployment options:
• If you want to use the Gateway you must install Voltage SecureMail Server on at least
one Linux appliance.
• If you expect a large amount of mail traffic to be read using the ZDM Service, you should
install multiple Appliances on Linux.
• If you want to use Windows to authenticate the identity of senders or recipients, you
must install at least one Voltage SecureMail Server on Windows.
If you want to use Active Directory user authentication and you will use a Linux or mobile IBE
server, you must have at least one Trusted LDAP Server Certificate imported. If you do not,
then the Active Directory user authentication method will only be enabled on Windows for non-
Mobile requests. On a Linux or mobile IBE server, all user email addresses are processed as
1-8 CONFIDENTIAL
non-matches by the Active Directory user authentication method and fall through to the next
method in the User Authentication table unless a valid Trusted LDAP Server Certificate is
specified. For more information on configuring an Active Directory user authentication method
and importing Trusted LDAP Server Certificates, see the Voltage SecureMail Management
Console Administrator Guide.
One Linux Server

You can deploy all of the Voltage SecureMail software on a single Linux server. All components
are installed on this stand-alone Linux server, which must be located in your DMZ in order to
interact with machines outside your internal network.
Figure 1-1 on page 1-2 shows the path of a message that is encrypted at the Gateway. If you
are planning this type of deployment, see the Voltage SecureMail Quick Start Guide.
One Linux Server and One Windows Server

Use this configuration if you require Active Directory authentication and you only want to use
one Linux server.
• Install both the Management Console and the Voltage SecureMail Server software on a
Windows server, which resides in your internal network.
• Install the Voltage SecureMail Server software (which includes the Gateway) on Linux-
compatible hardware.
Figure 1-4 shows the path of a message in which an external recipient replies to a secure
message sent by an internal sender. The external user accesses the original message through
the ZDM, and the reply is also sent securely. The internal user (who originated the message) is
authenticated using Active Directory.
1-9 CONFIDENTIAL
Figure 1-4 Deployment with One Linux Server and One Windows Server
The reply to a secure message might go through the following path:
1. The external user logs into the ZDM (hosted on the Voltage SecureMail Server) to read
and reply to a secure message.
2. The ZDM encrypts the reply and delivers it to the internal mail server.
3. The mail server delivers the encrypted message to the recipient.
4. The client requests a key when the internal user opens the message.
5. The server communicates with the Active Directory system to authenticate the user.
6. The server grants the key to the client.
The recipient can now read the decrypted message on the machine on which the client is
installed.
1-10 CONFIDENTIAL
If you are planning this type of deployment, see Chapter 2, “Installing Voltage SecureMail
Server on Linux” for instructions on installing the Gateway and the Voltage SecureMail Server
software on Linux. See Chapter 3, “Installing Voltage SecureMail Server on Windows” for
instructions on installing the Voltage SecureMail Server and the Management Console on
Windows.
NOTE: When installing the Voltage SecureMail Software on Linux, be sure to choose
Distributed as the deployment type and Front-End Services as the Appliance role. See “The
Deployment Model Page” on page 2-5 and “The Appliance Role Page” on page 2-5 for
details.
Multiple Linux Servers and One Windows Server

Use this configuration if you require Active Directory authentication and you need multiple
servers for either load balancing or failover. Figure 1-5 shows the path of a message that is
similar to that shown in Figure 1-4, but with a configuration in which a load balancer shares
traffic among two servers in the DMZ.
Figure 1-5 Deployment with Multiple Linux Servers and One Windows Server
1-11 CONFIDENTIAL
In this diagram, an external recipient replies to a secure message sent by an internal sender.
The external user accesses the original message through the ZDM, after being directed by the
load balancer to one of the servers that hosts the ZDM. As before, the internal user (who
originated the message) is authenticated using Active Directory.
The reply to a secure message might go through the following path:
1. The external user browses to the ZDM page, and is directed to the load balancer.
2. The load balancer directs the user to one of the machines that is hosting the ZDM,
where the user can read and reply to a secure message.
3. The ZDM encrypts the reply and delivers it to the internal mail server.
4. The mail server delivers the encrypted message to the recipient.
5. The client requests a key when the internal user opens the message.
6. The server communicates with the Active Directory system to authenticate the user.
7. The server grants the key to the client.
The recipient can now read the decrypted message on the machine on which the client is
installed.
Server on Linux” and Chapter 3, “Installing Voltage SecureMail Server on Windows” for
instructions.
details.
Multiple Linux Servers and Multiple Windows Servers

Use this configuration for a deployment that includes heavy mail flow. A dedicated
Management Console pushes information to all Voltage SecureMail machines and receives
database updates. This configuration can be scaled to accommodate changes in the mail flow,
or to add new clusters of machines that are in different geographical locations. Figure 1-6
shows the relationship of the components in this configuration.
1-12 CONFIDENTIAL
Figure 1-6 Deployment with Multiple Linux and Windows Servers
Server on Linux” for instructions on installing the Voltage SecureMail Server on Linux. See
Chapter 3, “Installing Voltage SecureMail Server on Windows” for instructions on installing the
Voltage SecureMail Server and the Management Console on separate Windows machines.
details.
1-13 CONFIDENTIAL
Voltage SecureMail Server Installation Guide Version 7.3 Network Configuration Settings
Network Configuration Settings
IP Address Requirements
The IP address requirements depend on the configuration of your installation. In the Setup
Wizard for Linux, you can choose to configure the Appliance as a stand-alone Appliance or as a
distributed Appliance that is part of a cluster. If you are using Windows, your deployment is
likely to be distributed, since the Gateway can only be installed on Linux.
IP Address Requirements for a Stand-Alone Deployment

In a stand-alone deployment, you configure a single Linux server to run the Management
Console, the Gateway and the Voltage SecureMail Server. This configuration requires at least
one valid IP address. You can use the same IP address for both the Voltage SecureMail software
and the default Sendmail MTA. You can also optionally configure the Sendmail MTA to listen
on more than one IP address. The hostname for the Public Parameters that the Key
Management Service uses is voltage-pp-0000.<your_domain>. Additionally, you can use a
different name as a user-facing host name. In this case, each tenant requires two IP addresses
for the Voltage SecureMail software.
IP Address Requirements for a Distributed Deployment

In a distributed deployment, you configure the Voltage SecureMail software on multiple
machines. Each machine is part of a cluster and runs either the Management Console, the
Voltage SecureMail Server (including the Gateway for a Linux-compatible machine), or both. In
a distributed deployment, when you set configuration options using the Management Console,
that machine communicates with other hosts in the cluster to push configuration data and
retrieve logs.
If you are configuring a machine to run the Management Console component, you need only
one IP address. If you are configuring a machine to run the Voltage SecureMail Server
component, you need at least two IP addresses: one IP address for the Management Console to
use for communicating with the Voltage SecureMail Servers and one for the Voltage SecureMail
Servers to host the Public Parameters. If you want to use a more readable name as the user-
facing host name, you need a third IP address for this. Finally, if you configure multiple clusters,
it is possible that you need a separate IP address for inter-cluster communication.
1-14 CONFIDENTIAL
Voltage SecureMail Server Installation Guide Version 7.3 Network Configuration Settings
Planning for Network Integration

To configure the Voltage SecureMail software to allow external communication, you must
enable the firewall settings before or during the installation.
Connections Between Voltage SecureMail Servers and the Internet

Enable the following ports for communication from each Voltage SecureMail Server to the
Internet:
• Port 443 to anywhere for public parameter retrieval / Multi-cluster ZDM Proxy
• Port 123 to NTP servers(s) (optional)
• Port 25 if the Gateway is the last hop for email
Enable the following ports for communication from the Internet to the Voltage SecureMail
Servers:
• Port 443 for ZDM / Multi-cluster ZDM Proxy
• Port 25 if the Voltage SecureMail Server is published as the MX server
Connections from the Management Console to the Voltage SecureMail Servers

Enable the following port for communication from the Management Console to the Voltage
SecureMail Servers:
• Port 443 for data service, a component of the Management Console.

NOTE: No ports are required for communication from the Voltage SecureMail Servers
to the Management Console.
Enable the following port for communication between multiple Voltage SecureMail Servers:
• Port 3306 for MariaDB database access, including data replication (optional)
• Port 443 for communication between hosts in the same cluster
Remote Connections to Voltage SecureMail

To connect to a Linux server remotely, use port 10022 for SSH.
To connect to a Windows server remotely, use port 3389 for Remote Desktop.
1-15 CONFIDENTIAL
Voltage SecureMail Server Installation Guide Version 7.3 Upgrading Voltage SecureMail Server
Connection to LDAP Server

If you plan to use Active Directory for authentication, make sure the AD server has either port
3268 (Management Console on Windows) or port 3269 (Management Console on Linux or
Mobile-enabled IBE server) accessible for communication with the server hosting the
Management Console. Use port 3268 if you are deploying an IBE server running on Windows
with native AD authentication For more information, see the Voltage SecureMail Management
Console help.
Lookup Addresses in LDAP for ZDM

If you are using the Recipient Verification feature, the Voltage SecureMail Appliance must be
able to connect to the server. Open port 389 in the firewall between the Voltage SecureMail
Appliance and the LDAP server.
Upgrading Voltage SecureMail Server
For Windows-based servers, you can upgrade to Version 7.3 from Version 6.0 or later. For
Linux-based servers with Voltage SecureMail versions prior to 6.3, you must first upgrade to
version 6.3.x before restoring a backup on a new install of version 7.0. See Chapter 5,
“Upgrading from a Previous Version” for details. If you are upgrading from a version prior to 6.0,
contact Micro Focus Voltage Support for assistance.
Additional Documentation
The following manuals provide more information on configuring Voltage SecureMail:
• Voltage SecureMail Management Console Administrator Guide: Contains information on

using the Management Console to configure settings for the Voltage SecureMail Servers
and the Gateway.
• Voltage SecureMail Appliance Administrator Guide: Contains information about using

the Voltage SecureMail Appliance menu to check the status of the Appliance, configure
monitoring and network settings, set the date and time, and shutdown or reboot the
Appliance. In addition, this manual describes both how to configure SNMP monitoring
on the Appliance and how to configure the Appliance to decrypt secure messages for
archiving.
1-16 CONFIDENTIAL
2 Installing Voltage SecureMail Server on
Linux
This chapter describes how to install Version 7.3 of the Voltage SecureMail software on Linux-
compatible hardware. Installation creates a dedicated Voltage SecureMail Appliance that can
be configured to serve as one or more of the following components:
• Voltage SecureMail Management Console
• Voltage SecureMail Server
• Voltage SecureMail Gateway
Installing the Voltage SecureMail Software
If you are deploying a multiple server configuration, install the Voltage SecureMail ISO on each
Linux-compatible machine. If your deployment includes Windows servers, see Chapter 3,
“Installing Voltage SecureMail Server on Windows” for instructions.
CAUTION: Installing the Voltage SecureMail Appliance from disk reformats the hard drive of
the machine on which you install. This deletes all data and the operating system. There is no
way to recover deleted data or software once the installation begins.
Before installing the Voltage SecureMail software, make sure that the hardware time is set
correctly on the machine. An incorrect hardware time can cause Sendmail errors on the server.
Set the correct time from the BIOS.
To install the Voltage SecureMail software:
1. Insert the a CD with the Voltage SecureMail ISO into the CD-ROM drive and boot up the
system.
2. Mount the Voltage SecureMail ISO.
When the installation is complete, the system automatically reboots and starts the
services. Numerous system startup messages are displayed, and the licensing
agreement displays.
3. To accept the licensing agreement and continue, ensure that I Agree is highlighted, and
then press Enter.
2-1 CONFIDENTIAL
Voltage SecureMail Server Installation Guide Version 7.3 Configuring the Software
When the installation process completes, the machine is configured as a Voltage SecureMail
Appliance. The next step is to configure the Appliance settings using the Setup Wizard, as
described in the following section.
Configuring the Software
After you install the Voltage SecureMail Appliance and accept the licensing agreement, the
Setup Wizard displays. The Setup Wizard takes you through the steps to configure your basic
network settings and to enable access to the Management Console. The first steps allow you to
select a timezone and change the passwords for the admin and root users.
To begin the configuration process:
1. On the Welcome page, highlight Continue and then press Enter.
2. Use the ARROW keys to move up or down the list of time zones. Highlight the correct
timezone to select it.
3. Press the TAB key to move to the Next button at the bottom of the screen. Leave the
System Clock Uses UTC field blank unless you set system clock time in the BIOS to
UTC.
4. Press Enter.
The Appliance Passwords page displays.
5. On the ‘admin’ Password line, type a new password for the admin user and then press
the Tab key.
Passwords must be at least eight characters in length and include at least one number.
Your passwords serve as a security check to protect your Voltage SecureMail Appliance.
Therefore, it is important to choose passwords that are not easily guessed.
The password you enter is checked against a system dictionary and a set of rules for
identifying poor choices. It is recommended that you choose a password that is at least
eight characters long and a mixture of upper and lower case letters, and numbers.
6. On the Confirm Password line, type the admin password again to confirm it.
7. Press the Tab key.
8. On the ‘root’ Password line, type a new password for the root user and then press the
Tab key.
9. On the Confirm Password line, type the root password again to confirm it.
10. Press the Tab key to highlight Next and then press Enter.
2-2 CONFIDENTIAL
The IP Addresses & Gateway page displays.
The IP Addresses and Gateway Page

The Voltage SecureMail appliance uses IP aliasing to configure local IP addresses. The number
of IP addresses that you need depends on the type of deployment, as well as the role of the
appliance you are configuring.
To configure the IP Addresses & Gateway page:
1. Enter the IP address associated with the hostname for this machine, and then press the
Tab key.
NOTE: If you are configuring this Appliance as a stand-alone Management Console of
a distributed environment, or as a stand-alone Appliance that includes both the
Management Console and Voltage SecureMail Server software on a single machine,
you only need to enter one IP address. If you are configuring this Appliance as a
Voltage SecureMail Server managed by a separate Management Console, you need
to enter two IP addresses.
2. Enter a second IP address if you are using more than one IP address, and then press the
Tab key.
3. Enter the Netmask address, and then press the Tab key.
4. Enter the Default Router IP address and then press the Tab key.
5. With Next highlighted, press Enter.
The Hostname & DNS page displays.
The Hostname and DNS Page

1. Enter the hostname associated with the first IP address that you entered on the
Hostname & IP Addresses page, and then press the TAB key.
IMPORTANT: It is best to enter the hostname in this format: voltage-pp-
0000.<domain>. For example: voltage-pp-0000.example.com.
2. Determine whether you need to use an Active Directory Server to authenticate

Management Console Administrators:
• If you do not need this capability, continue to Step 3
• If you need this capability, complete the following steps:
i. Verify that a certificate for using LDAP over TLS is available on your Active
Directory Server.
2-3 CONFIDENTIAL
This certificate is used for authentication between the Active Directory Server
and the Management Console. If your Active Directory Server does not already
have this type of certificate installed, see the Microsoft Knowledge base article at
http://support.microsoft.com/kb/321051 or the Active Directory Certificate
Services Step-by-Step Guide (http://go.microsoft.com/?linkid=9645085) for
instructions.
ii. Type the IP address of the DNS server that contains the Active Directory server
locator records (NS record of the AD domain) in the Primary Nameserver IP
field, and then press the TAB key.
iii. Proceed to Step 4.
3. Type the IP address of your Primary Nameserver, and then press the TAB key.
4. If you are using a Secondary Name Server, type the IP address for the Secondary
Nameserver, and then press the TAB key. If you are only using one Nameserver, press
the TAB key to bypass the line.
5. With Next highlighted, press ENTER.
A list of the settings that you entered is displayed at the top of the Summary page.
Review the entries to ensure that they are correct. If anything is incorrect, return to the
appropriate page to fix it.
6. When you are sure that the entries are correct, make sure that Next is highlighted, press
ENTER.
A progress bar displays briefly, and then the Enter Account Information for Upgrades page
displays.
The Enter Account Information for Upgrades Page

Micro Focus Voltage provides an upgrade server that lets you use an option on the Appliance
menu to automatically upgrade from 7.0 to new versions of the software. See Chapter 5,
“Upgrading from a Previous Version,” for details about upgrading your software.
NOTE: Automatic upgrades from versions prior to 7.0 is not supported.
If the appliance has Internet access, it can access the upgrade repository if you supply the
correct authentication credentials.
To configure the authentication credentials that enable access to the upgrade repository, enter
the Account and Password information supplied by Micro Focus Voltage Support, then use the
Tab key to highlight Next and press Enter.
The Deployment Model page displays.
2-4 CONFIDENTIAL
The Deployment Model Page

The Voltage SecureMail appliance can be deployed in either a single-box environment or in a
distributed environment. The services to initialize depend on how the appliance is to be
deployed.
1. Use the ARROW keys to select the type of deployment that you are configuring. Select
one of the following:
• Stand-alone: Your deployment consists of only one appliance machine. In a single-

box deployment, the appliance is configured to run both the Management Console
and the Voltage SecureMail Server, which handles the IBE Key Management Server,
Zero Download Messenger, and Gateway Services. If you choose this option, you can
use the Voltage SecureMail Quick Start Guide.
• Distributed: Your deployment consists of more than one appliance. When you select
a distributed deployment, you can choose to configure the Appliance to run the
Management Console, or to run the Voltage SecureMail Server. For more
information, see “The Appliance Role Page” on page 2-5.
2. Press the Tab key to highlight Next and then press Enter.
If you chose to configure the Appliance for a stand-alone deployment, the Management
Console Password page displays. Skip the next section and continue with the
instructions in“The Management Console Password Page” on page 2-6.
If you chose to configure the Appliance for a distributed configuration, the Appliance
Role page displays. Continue with the instructions in the following section, “The
Appliance Role Page”.
The Appliance Role Page

When you choose a distributed deployment, the Appliance Role page is displayed. From this
page you choose a role for the current Appliance in your configuration.
1. Use the Arrow keys to select one of the following:
• Voltage SecureMail Management Console: Configures the Appliance to run the

Management Console. No front-end services run on the Management Console if you
choose this configuration. The Management Console communicates with other hosts
in the cluster to push configuration data and retrieve logs.
• Voltage SecureMail Server: This configures the Appliance to run as a server that
includes IBE Key Management services, ZDM services, and Gateway services.
2. Use the Tab key to highlight Next and then press Enter.
2-5 CONFIDENTIAL
If you chose Management Console, the wizard configures the Appliance as a

Management Console deployment and the Management Console Password page
displays. For instructions, see “The Management Console Password Page” on page 2-6.
If you chose Voltage SecureMail Server, the wizard configures the Appliance as a
distributed deployment and the Administrative IP Address page displays. See the
following section, “The Administrative IP Address Page” for instructions.
The Administrative IP Address Page

On the Administrative IP Address page, you select one of the IP addresses that you entered
on the Hostnames and IP Addresses page.
1. Use the Arrow keys to select the IP address that you want the Management Console to
use to contact the Appliance.
2. Press the Tab key until Next is highlighted and then press Enter.
The Done page displays a message that you have successfully configured the
Appliance. The Host Registration IP and Registration Key are displayed. Write these
down.
3. Press Enter to exit to the Appliance Menu.
Since you did not configure a Management Console machine, the Management
Console Password Page is not displayed. Skip the following section and continue with
“Using the Voltage SecureMail Appliance Menu” on page 2-7.
The Management Console Password Page

You use the Management Console to configure your system. You only need to change the
password on a machine that has been initialized as a stand alone installation or as a distributed
Management Console machine. Since the cluster hosts do not run the Management Console,
you do not need to follow this procedure on those machines.
1. On the ‘admin’ Password line, type a new password for the Management Console admin
user and then press the Tab key.
Passwords must be at least eight characters in length and include at least one number.
Your passwords serve as a security check to protect your Voltage SecureMail Appliance.
Therefore, it is important to choose passwords that are not easily guessed.
2. On the Confirm Password line, type the Management Console admin password again to
confirm it.
3. Press the Tab key to highlight Next and press Enter.
2-6 CONFIDENTIAL
Voltage SecureMail Server Installation Guide Version 7.3 Understanding the Voltage SecureMail Appliance Menu
The wizard configures the firewall. The Done window displays a message that you have
successfully configured the Voltage SecureMail Appliance and the URL that you can use
to log into the Management Console.
4. Write down the URL and press Enter to exit the wizard.
The Voltage SecureMail Appliance Main Menu is displayed. “Understanding the

Voltage SecureMail Appliance Menu” describes using the Appliance menus.
The next step is to log into the Management Console. For instructions, see Chapter 4,
“Understanding the Management Console”.
Understanding the Voltage SecureMail Appliance Menu
When you complete the Configuration Wizard, the Voltage SecureMail Appliance Menu
displays. Use this menu to configure, shut down or reboot the Appliance.
Use the admin username to perform all administrator functions on the Appliance. If you log in
with the root user name, the shell prompt displays instead of the Appliance Menu. Use the root
username only if you are troubleshooting with the help of a Micro Focus Voltage
representative. Treat both the admin and root passwords with the highest level of security.
Using the Voltage SecureMail Appliance Menu

To connect to the Appliance menu remotely, you can SSH into port 10022. Set the character
set translation on your SSH client (such as PuTTY) to UTF-8.
To choose a Voltage SecureMail Appliance Menu option:
1. Use the up or down arrow to highlight the menu option that you want to select.
or
Type the letter for the menu option that you want to select.
2. Press Enter.
or
Use the Tab key to highlight OK and then press Enter.
You can also perform the following actions using function keys:
• From a secondary menu, Press F12 to return to the Main Menu or to return to the
previous menu.
• Press F9 to exit the Appliance Menu and go to the command line.
2-7 CONFIDENTIAL
Voltage SecureMail Server Installation Guide Version 7.3 Understanding the Voltage SecureMail Appliance Menu
• Press F8 to exit the Appliance Menu and log out of the server.
For additional information about using the Voltage SecureMail Appliance menu, see the
Voltage SecureMail Appliance Administrator Guide.
2-8 CONFIDENTIAL
3 Installing Voltage SecureMail Server on
Windows
This chapter describes how to install the following Voltage SecureMail components on a
Windows server:
• Voltage SecureMail Server consists of the IBE Key Management Service, MariaDB, and
ZDM Service.
• Voltage SecureMail Management Console allows you to configure and administer your
system. This component stores configuration, logging and runtime information in a
MariaDB database
NOTE: The Voltage SecureMail Gateway in not supported on a Windows machine.
You must install it as a component of a Linux Appliance. See “Installing Voltage
SecureMail Server on Linux” on page 2-1for details.
See “Voltage SecureMail Components” on page 1-4 for more information about these
components.
You must be logged in as a member of the administrators group in order to install the software.
You can install both components on the same server or you can install each component on a
separate server. You can also create a cluster that includes multiple Voltage SecureMail Servers,
which can be used for load-balancing purposes. A cluster is a logically grouped set of hosts that
run the Voltage SecureMail Server services. Clusters also contain resources such as email
servers that are shared by the hosts within a cluster.
You must install the MariaDB software before you install these components on a Windows
server. The following MariaDB file is available at the same location as the Voltage SecureMail
software:
• 64-bit OS: mariadb-10.2.12-winx64.msi
Installing the MariaDB Database Software
You must install the MariaDB 10.2.12 software on each server that runs the Voltage SecureMail
Server software or the Management Console software. These servers must not be running the
MySQL database software.
To install the MariaDB software:
1. Double-click the following file to start the Setup Wizard for the MariaDB software:
3-1 CONFIDENTIAL
Voltage SecureMail Server Installation Guide Version 7.3 Installing the MariaDB Database Software
• 64-bit OS: mariadb-10.2.12-winx64.msi
These files are available at the same location as the Voltage SecureMail software.
2. Click Run to start the Setup Wizard, then click Next.
3. Accept the license agreement by clicking the acceptance check box, then click Next.
4. On the Custom Setup screen, click Next to accept the default settings.
5. On the Default instance property screen you have the option to set the root password.
If you want to set the root password now, enter and confirm it. Make note of the
password as you will need it when you install the Micro Focus Voltage software.
Otherwise, uncheck Modify password for database user ‘root’. You will have the option
to set the root password when you install the Voltage SecureMail software.
6. Check Use UTF8 as default server's character set and leave Create an anonymous
account unchecked, then click Next.
7. On the Default instance property screen, click Next to accept the default settings.
8. Choose whether to select the Enable the Feedback plugin and submit anonymous
usage information check box, then click Next.
9. On the Ready to install MariaDB 10.2 screen, click Install.
10. Click Finish to exit the installation wizard.
11. Open the my.ini file in a text editor. The file is in the following location:
C:\Program Files\MariaDB 10.2\data
12. Add the following lines under [mysqld] in the my.ini file:
max_allowed_packet=100M
innodb_file_per_table
innodb_data_file_path=ibdata1:10M:autoextend:max:20G
13. Save the my.ini file.
14. Navigate to Control Panel > Administrative Tools > Services.
15. Right-click the MySQL (MariaDB database server) service and choose Properties.
CAUTION: Do not change the name of the service. The Voltage SecureMail software
will not work correctly unless the service name is MySQL.
16. Click the Log On tab and choose Local System Account, then click OK.
A message indicates that you must restart the service for the change to take effect.
3-2 CONFIDENTIAL
Voltage SecureMail Server Installation Guide Version 7.3 Installing the Management Console
17. Right-click the MySQL (MariaDB database server) service and click Restart.
18. Add the following value to the PATH environment variable:
C:\Program Files\MariaDB 10.2\bin
To verify that you have installed the MariaDB software:
1. From the Windows Start menu, navigate to All Programs > MariaDB 10.2 > MySQL
Client (MariaDB 10.2).
The MySQL Client (MariaDB 10.2) command window opens.
2. Enter the following command:
mysql -u root.
3. Enter the root password if you have set one, or press Enter if no password is set.
Information about the MariaDB displays, followed by the MariaDB command prompt.
4. Enter the following command:
show databases;
The database information displays, which indicates that the MariaDB installation is complete,
and you can proceed to the following sections for instructions on installing the Voltage
SecureMail software.
Installing the Management Console
The services that run on the Management Console are the Voltage SecureMail Management
Data Service and the Voltage SecureMail Management Server. Install the Management Console
on a single Windows server that you want to use to configure and administer the Voltage
SecureMail Servers.
To install the Management Console:
1. Double-click the vsmgmt-<version-build_number>.exe file to start the

Management Console installation.
2. Click Next to begin the installation process.
3. In the License Agreement page, review the license and click I Agree to accept the
terms of the license agreement.
4. The User Settings page prompts you for the current MariaDB root password and allows
you to change the password.
3-3 CONFIDENTIAL
Voltage SecureMail Server Installation Guide Version 7.3 Installing the Voltage SecureMail Server
• Enter the current password if set. If you do not want to change the password, click
Next.
• If you did not set a password during the installation of MariaDB and do not want to
set a root password, leave all fields blank and click Next. You will be prompted to
confirm the action.
• To change or set a password, enter current password if set, select Modify root
password, enter new password, and confirm. Click Next.
NOTE: The password cannot include special characters. If the password includes
invalid characters, you are prompted to enter a different password.
If you leave the New password and Confirm password fields blank, you will remove
the current password. You will be prompted to confirm the action.
5. In the Choose Install Location page, do one of the following:
• Click Install to accept the default installation location.
• In the Destination Folder field, enter the directory location where you would like the
server installed and then click Install.
6. When the installation is finished, click Finish.
The Management Console installation is complete, and you can proceed to the next section to
install the Voltage SecureMail Server.
Installing the Voltage SecureMail Server
The service that runs on a Voltage SecureMail Server is the Voltage SecureMail Server IBE
Server service. If you have a multiple-server configuration, install the Voltage SecureMail Server
on all of the hosts in your cluster.
NOTE: If you are installing a standalone Management Console on a Windows server, proceed
to the instructions in “Starting the Voltage SecureMail Services” on page 3-7 for that server
only.
To install a Voltage SecureMail Server:
1. In the Windows Services window, stop and disable the Internet Information Server (IIS).
NOTE: IIS and the Voltage SecureMail server software cannot run simultaneously on
the same machine. Do not restart IIS while the Voltage SecureMail server software is
running. Make sure that the IIS service is disabled so that it does not start
automatically when the server is rebooted. This also stops WWW Publishing service
and the SMTP service.
3-4 CONFIDENTIAL
2. Double-click the vsibe-<version-build_number>.exe file to start the IBE server

installation program.
5. The User Settings page prompts you for the current MariaDB root password and allows
you to change the password.
• Enter the current password if set. If you do not want to change the password, click
Next.
• If you did not set a password during the installation of MariaDB and do not want to
set a root password, leave all fields blank and click Next. You will be prompted to
confirm the action.
• To change or set a password, enter current password if set, select Modify root
password, enter new password, and confirm. Click Next.
NOTE: The password cannot include special characters. If the password includes
invalid characters, you are prompted to enter a different password.
If you leave the New password and Confirm password fields blank, you will remove
the current password. You will be prompted to confirm the action.
6. In the Choose Install Location page, do one of the following:
• Click Install to accept the default installation location.
• In the Destination Folder field, enter the directory location where you would like the
server installed and then click Install.
7. When the installation is finished, do one of the following:
• If this is a new installation and you are not upgrading from a previous version, verify
that the Create registration password (new installs only) check box is selected,
and then click Finish.
The registration password for the management server displays in a Command

Prompt window. Write this password down, or copy it to a new document to save it,
then press any key to close the window.
• If you are upgrading from a previous version, verify that the Create registration
password (new installs only) check box is cleared, and then click Finish.
3-5 CONFIDENTIAL
8. If one or more Voltage SecureMail Servers are on a different machine than the
Management Console, you must edit the server.conf file on the machines running
Voltage SecureMail Servers. This step is required to enable communication with the
Management Console.
NOTE: You do not need to perform this step if the Management Console and the
Voltage SecureMail Server are running on the same machine.
To edit the server.conf file:
1. On each machine hosting a Voltage SecureMail Server, open the server.conf file using
Notepad or another text editor. The file is in one of the following locations, depending
on your server:
— 32-bit OS:
C:\Program Files\Voltage Security\Voltage IBE Server\etc\server.conf
— 64-bit OS:
C:\Program Files (x86)\Voltage Security\Voltage IBE Server\etc\server.conf
Note that these are the default installation paths. If you entered a different location in
the Destination Folder field in Step 6, use that location.
2. Add the following line to the server.conf file:

mgmt.ip=<IP Address>
Where <IP Address> is an IP address on the Voltage SecureMail Server machine that
communicates with the Management Console. The Data Service and Management
Console will make requests to the SecureMail Server using this IP address. This can be
any IP on the machine, other than the one used for the public parameters (voltage-pp-
0000.<domain>). See “IP Address Requirements” on page 1-14 for additional
information about IP address requirements.
3. Save the file and exit the text editor.
The Voltage SecureMail Server installation is complete, and you can proceed to the following
section for instructions on how to start the Voltage SecureMail services.
3-6 CONFIDENTIAL
Voltage SecureMail Server Installation Guide Version 7.3 Starting the Voltage SecureMail Services
Starting the Voltage SecureMail Services
The Voltage SecureMail IBE Server, Voltage SecureMail Management Server and Voltage
SecureMail Management Data Service all run as services on your Windows servers. These
services are set to automatically start when the system is rebooted. You can also start the
services manually. After the services are started, you can configure the system using the
Management Console.
NOTE: The MySQL (MariaDB database server) service, which starts automatically when it is
installed, must be running before any of the Voltage SecureMail services can start. Stopping
this service stops all Voltage SecureMail servers, which must be restarted manually.
To start the Voltage SecureMail IBE Server service on the host machines:
1. From the Windows Start menu, go to Control Panel> Administrative Tools> Services.
2. Right-click Voltage IBE Server and select Start from the menu.
To start the Voltage SecureMail Management Data Service and the Voltage SecureMail
Management Server service on the machine hosting the Management Console:
1. From the Windows Start menu, go to Control Panel> Administrative Tools> Services.
2. Right-click Voltage Management Server and choose Start from the menu.
3. Right-click Voltage Management Data Service and choose Start from the menu.
4. (Optional) If you want to add or change the root password:
a. Open a command prompt.
b. Navigate to the \etc\mysql directory of the install location you used in “Installing the
Management Console” on page 3-3. The default locations are:
— 32-bit OS:
C:\Program Files\Voltage Security\Voltage IBE Server\etc\server.conf
— 64-bit OS:
C:\Program Files (x86)\Voltage Security\Voltage IBE Server\etc\server.conf
c. Run the following command:

change_db_conn
d. At the prompt that asks for the current password, enter the password, or if a
password has never been set, press Enter.
e. At the next prompt, enter the new password and a confirmation of that new
password.
3-7 CONFIDENTIAL
Voltage SecureMail Server Installation Guide Version 7.3 Troubleshooting
After the Voltage SecureMail services are all started, you can log into the Management Console
by opening a browser and going to the following location:
http://localhost:8080/console
NOTE: The Management Console might not be available immediately after starting the
Voltage SecureMail services. If you cannot access it, try again a few minutes later.
Log in with Username admin and Password voltage123
If you installed the Voltage SecureMail Server and the Management Console on the same
machine, the Voltage SecureMail Setup Assistant begins.
Troubleshooting
You might experience errors or failures if you did not install the MariaDB software exactly as
specified in “Installing the MariaDB Database Software” on page 3-1.
See Chapter 6, “Troubleshooting” for solutions to common installation issues.
3-8 CONFIDENTIAL
4 Understanding the Management Console
You configure the Voltage SecureMail Server and the Gateway using the Management Console
graphical interface, which runs in a web browser. Because the Voltage SecureMail Appliance
does not have a web browser installed, you must connect from a separate machine that has a
web browser installed.
The first time you log into the Management Console, you are directed through a setup wizard.
After finishing the wizard, you can configure the settings to allow access to the Management
Console from only the machines that you specify. By default, access to the Management
Console is allowed on all machines.
Logging into the Management Console

To log into the Management Console:
1. Open a web browser and, in the address field, type:

https://<DNS name>:8443/console
This is the URL that you wrote down in step four of “The Management Console
Password Page” on page 2-6.
If you have not set up a DNS entry for the IP address yet, you can use the IP address.
Use the first IP address that you entered on the IP Addresses and Gateway page
described in, “The IP Addresses and Gateway Page” on page 2-3. Use the following
format:
https://<IP address>:8443/console
2. Log in using the admin username and the password that you entered in “The
Management Console Password Page” on page 2-6.
3. Complete the on-screen directions in the Setup assistant. Your Voltage SecureMail
Server is now configured. Optionally, continue with “Restricting Management Console
Remote Access” on page 4-1.
Restricting Management Console Remote Access

To restrict remote access to specific machines:
1. In the Management Console, click the Administration tab.
2. Click the Enable Remote Access check box.
4-1 CONFIDENTIAL
The Remote Access IP Networks field displays the list of IP networks that have been
given access to the Management Console.
3. In the Enter as IP Address/Netmask text box, enter an IP address and a netmask to

identify one or more machines from which administrative logins are accepted.
The following are examples of IP address and netmask entries:
• To allow everyone:
IP Address: 127.0.0.1
Netmask: 0.0.0.0
• To allow any machine on 172.16 class b network:

IP Address: 172.16.0.0
Netmask: 255.255.0.0
• To allow only the machine with IP address, 172.16.5.14:

IP Address: 172.16.5.14
Netmask: 255.255.255.255
4. Click Add, and then click Save.
5. On the machine for which you allowed access, open a browser and enter one of the
following URLs using the DNS name or the IP address to access the Management
Console:
https://<DNS name>:8443/console
or
https://<IPaddress>:8443/console
Note the letter “s” in “https”.
Log into the Management Console and follow the steps in the setup assistant.
For additional information about the Management Console, see the Voltage SecureMail
Appliance Administrator Guide.
4-2 CONFIDENTIAL
5 Upgrading from a Previous Version
For Windows-based servers, you can upgrade to Version 7.3 from Version 6.0 or later. For
Linux-based servers with Voltage SecureMail versions prior to 6.3, you must first upgrade to
version 6.3.x before restoring a backup on a new install of Version 7.3.
Use the checklist in Table 5-1 to make sure that you perform all of the required upgrade tasks
for each server, starting with the version you are currently running and continuing through
each version until you install Version 7.3. If you are upgrading from a version below 6.0, contact
Micro Focus Voltage Support for instructions.
Table 5-1 Upgrade Checklist
Upgrade On Each Server... For Windows: Use File... See...
6.0 to 6.1  Back Up Your Voltage SecureMail N/A page 5-4

or 6.1.1 Configuration
 Upgrade MariaDB (Windows) mariadb-10.0.26-win32.msi page 5-5

OR
mariadb-10.0.26-win64.msi
 Upgrade the Management Console vsmgmt-6.1.0.-r<build_number>.exe page 5-6

Software
 Upgrade the Voltage SecureMail Server vsibe-6.1.0-r<build_number>.exe page 5-7

Software
 Verify the Active Directory Domain N/A page 5-9

Name
 Update All Clusters N/A page 5-10
 Back Up Your Voltage SecureMail N/A page 5-4

Configuration
5-1 CONFIDENTIAL
6.1 or 6.1.1  Back Up Your Voltage SecureMail N/A

to 6.3 Configuration
 Upgrade MariaDB (Windows) mariadb-10.0.28-win64.msi
 Upgrade the Management Console vsmgmt-6.3.0.-r<build_number>.exe

Software
 Upgrade the Voltage SecureMail Server vsibe-6.3.0-r<build_number>.exe

Software
 Verify the Active Directory Domain N/A

Name
 Update All Clusters N/A
 Back Up Your Voltage SecureMail N/A

Configuration
6.3 to 6.4  Back Up Your Voltage SecureMail N/A

Configuration

Software

Software

Name

Configuration

Configuration

Software

Software

Name

Configuration
5-2 CONFIDENTIAL
Voltage SecureMail Server Installation Guide Version 7.3 Upgrading SecureMail

Configuration

Software

Software

Name

Configuration
Upgrading SecureMail
Follow these steps to upgrade to Version 7.3 of the Voltage SecureMail Server:
1. If you have been using a Voltage SecureMail configuration in a production environment,

create a backup of your existing configuration for disaster recovery purposes. See “Back
Up Your Voltage SecureMail Configuration” on page 5-4 for instructions.
2. Upgrade the MariaDB version if needed. See “Upgrade MariaDB (Windows)” on page 5-
5 for instructions.
3. Upgrade the Management Console software. See “Upgrade the Management Console
Software” on page 5-6 for instructions.
4. Upgrade the Voltage SecureMail Server software. See “Upgrade the Voltage SecureMail
Server Software” on page 5-7 for instructions.
5. If you are using Mobile Edition and Active Directory, log into the Management Console
and verify the server domain is specified, and not the server name. See “Verify the Active
Directory Domain Name” on page 5-9 for instructions.
6. Log into the Management Console and update all clusters. See “Update All Clusters” on
page 5-10 for instructions.
7. (Optional) If the hosts in your configuration are located in the same geographical region
but assigned to different clusters, move them to a single cluster. This step simplifies the
configuration while retaining the redundancy that was previously available only in a
multi-cluster configuration. See “Update All Clusters” on page 5-10 for instructions.
5-3 CONFIDENTIAL
8. Back up your configuration, using the same procedure you used in Step 1.
CAUTION: After you install the update, you will not be able to restore backups
created from earlier versions. Be sure you make a backup right after you complete
the upgrade.
Back Up Your Voltage SecureMail Configuration

Before upgrading, and again after you complete the upgrade, create a backup of your existing
configuration for disaster recovery purposes. The following procedure backs up the
configuration, including the district information, SSL certificate configuration, authentication
methods, identity data used by the enrollment service, and ZDM settings.
To back up your configuration:
1. Stop the Voltage SecureMail Management Data Service.
• On a Windows server, open Services in the Windows Control Panel Administrative

Tools group, then stop the Voltage SecureMail Management Data Service.
• On a Linux Appliance, log in as root, then execute the following command:
service vsdata stop
2. Log into the Management Console.
3. Click the Administration tab, and then click the Backup & Restore tab.
4. Click Create a New Backup.
5. Select System Recovery Backup from the Backup Type list.
6. Enter a password in the Password text box.
The export password must be at least 8 characters and contain both a letter and a
number.
7. Re-enter the password in the Re-enter Password text box.
8. Click Backup.
9. Save the file to the local disk.
A message indicating that the backup file was successfully created is displayed.
10. Select Identity Data Backup from the Backup Type list.
11. Click Add Tenants.
5-4 CONFIDENTIAL
12. Select the check box at the top left corner of the table to select all tenants, and then click
Select.
13. Enter a password.
The export password must be at least 8 characters and contain both a letter and a
number.
14. Re-enter the password in the Re-enter Password field.
15. Click Backup.
16. Save the file to the local disk.
A message indicating that the backup file was successfully created is displayed.
17. Restart the Voltage SecureMail Data Service (from either the Windows Services panel
or the Appliance menu).
18. As a precaution, copy both backup files to a different computer as well.
Upgrade MariaDB (Windows)

To upgrade to Voltage SecureMail, you must first upgrade the database software to MariaDB to
the required version (10.2.12).
NOTE: MariaDB upgrade is performed automatically when you upgrade a Linux Appliance.
To upgrade to the MariaDB software on a Windows server:
1. Stop the Voltage SecureMail Services:
a. From the Windows Start menu, navigate to Control Panel> Administrative Tools>
Services.
b. Right-click Voltage Management Data Service and choose Stop from the menu.
c. Right-click Voltage Management Server and choose Stop from the menu.
d. Right-click Voltage IBE Server and choose Stop from the menu.
e. Right-click the MySQL service and choose Stop from the menu.
2. Double-click the following file to start the Setup Wizard for the MariaDB software:
• 64-bit OS: mariadb-10.2.xx-winx64.msi
This file is available at the same location as the Voltage SecureMail software.
3. Click Run to start the Setup Wizard, then click Next.
5-5 CONFIDENTIAL
4. On the Ready to Install MariaDB 10.2 screen, click Install.

NOTE: If you did not stop the services as instructed in Step 1, you are prompted to
stop the services.
5. On the screen that indicates a successful installation, click Finish.
6. Navigate to Control Panel > Administrative Tools Group > Services and restart the
MySQL service.
NOTE: Do not change the name of the service. The Voltage SecureMail software will
not work correctly unless the service name is MySQL.
To verify that the upgrade succeeded, open a Windows command prompt as Administrator,
and enter the following command:
mysql -u root
The response provides a welcome to MariaDB message confirming the upgrade was successful.
Upgrade the Management Console Software

The Management Console runs in a web browser and enables you to configure and administer
the Voltage SecureMail services. You manage all servers or hosts from a single Management
Console. Determine whether your Management Console runs on a Windows Server or a Linux
Appliance, then follow the appropriate procedure.
NOTE: If there are a few hundred thousand events on the existing server, the upgrade can
take up to 10 minutes. If there are a few million events, the upgrade can take several hours.
You can check the number of events in the Overview section of the Home page in the
Management Console. Micro Focus Voltage recommends deleting events before upgrading.
Windows
The services that run on the Management Console machine are the Voltage SecureMail
Management Data Service and the Voltage SecureMail Management Server. Before you begin
the upgrade, you can delete existing events by running delete_events.bat, located in the
C:\Program Files\Voltage Security\Voltage Management Server\bin directory. See “Backing Up
and Purging Events” in the Voltage SecureMail Management Console Administrator Guide for
details.
To upgrade the Management Console on the Windows server:
1. Double-click the vsmgmt-<version-build_number>.exe file to start the Management

Console installation. See Table 5-1 on page 5-1 for the name of the file.
3. On the License Agreement page, review the license and click I Agree to accept the
5-6 CONFIDENTIAL
4. When the installation is complete, click Finish.

NOTE: The installer may require a reboot if any applications were running from the
installation directory during the install.
Linux
Before you begin the upgrade, you can delete existing events by running /opt/vsmgmt/bin/
delete_events. See “Backing Up and Purging Events” in the Voltage SecureMail
Management Console Administrator Guide for details.
To manually upgrade the Management Console software on a Linux Appliance:
1. Create a backup of your existing configuration. See “Back Up Your Voltage SecureMail
Configuration” on page 5-4.
NOTE: Only backups from versions 6.3.X and later can be restored to Version 7.3.
If you are restoring from a version prior to 6.3, upgrade to 6.3 and back up your
system.
2. Install Voltage SecureMail 7.1 as described as in “Upgrading a Linux Appliance with the
Upgrade Script” on page 5-11.
3. Restore your system backup as described in “Restoring Your System From a Backup” on
page 5-8.
Upgrade the Voltage SecureMail Server Software

If you have a multiple-server configuration, upgrade the Voltage SecureMail Server on all of the
hosts.
Windows
To upgrade the Voltage SecureMail Server software on a Windows server:
1. Double-click the vsibe-<version-build_number>.exe file to start the IBE server

installation program. See Table 5-1 on page 5-1for the name of the file.
NOTE: The installer may require a reboot if any applications were running from the
installation directory during the install.
Linux
To manually upgrade the Voltage SecureMail Server software on a Linux Appliance:
5-7 CONFIDENTIAL
To manually upgrade the Management Console software on a Linux Appliance:
1. Create a backup of your existing configuration. See “Back Up Your Voltage SecureMail
2. Install Voltage SecureMail 7.1 as described as in “Upgrading a Linux Appliance with the
Upgrade Script” on page 5-11.
3. Restore your system backup as described in “Restoring Your System From a Backup” on
page 5-8.
Restoring Your System From a Backup

To restore your system from a backup:
1. Go to the Administration > Backup and Restore page on the Management Console,
then click Restore from a previous backup. This starts the Restore Wizard.
2. Choose the type of restore that you want to perform from the drop-down list. The type
of restore you select depends on the type of backup you selected when creating the
backup file. In this case, you should be restoring a System Recovery Backup.
• Service Data Backup: Backs up the application state of one or more selected
tenants. The Service Data Backup includes:
— Configuration data for each tenant, such as, the tenant name, domain, brand and
certificates.
— Services configuration for each tenant, such as, ZDM, Client, Gateway and
Enrollment Server configurations.
• Identity Data Backup: Backs up the identity data of one or more selected tenants.
The identity data includes the PKI keys for the Gateway Service and username and
passwords for the Enrollment Service.
• System Recovery Backup: Backs up the entire state of the system including all
tenant, service and system deployment configurations.
3. In the Upload Backup File field, click Browse to navigate to the file.
NOTE: If the file is not accessible from the Management Console machine, move the
file to an accessible location using a tool such as WinSCP. When using WinSCP, the
default port (22) does not work and you must connect on port 10022
4. Enter the password that you entered when you created the backup file in the Password
field.
5. Click Validate Password and Upload. When the file has been successfully uploaded,
the following message is displayed:
5-8 CONFIDENTIAL
"Validated backup file created Day Month Date Time Year"
6. Click Next when the file has finished successfully uploading.
7. Select the Tenants that you want to restore. If you want to overwrite current tenant
information with the information in the backup file, select Restore Tenant Details.
8. Click Next.
9. Select the services that you want to restore.
10. Click Next.
11. Click Finish to confirm the restore options that you selected, or click Back to change
your selections.
12. Click OK to confirm that you want to restore. When the file is successfully restored, you
are returned to the Backup and Restore page where the following message displays:
Successfully restored Service Data Backup.
Verify the Active Directory Domain Name

Using the server domain allows Active Directory to be bound to the domain without needing to
specify the name of the domain controller. This is important if you intend to install Voltage
SecureMail Mobile Edition for use with Active Directory.
To verify that the server domain name is specified:
1. Open the Management Console in a web browser.
The URL is http://localhost:8080/console for a Windows server and https://<DNS

name>:8443/console for a Linux appliance, which is the URL that you wrote down in
step four of “The Management Console Password Page” on page 2-6.
2. Enter the administrator Username and Password.
3. Click the System tab. If there are multiple clusters, click the plus icon (+) next to name of
the cluster in the table, click the plus icon (+) next to Resources, and then click Active
Directory.
The Active Directory Details page displays.
4. In the Active Directory Domain text box, verify that the domain displays. If the server
name displays, enter the domain.
5. Click Save and Exit.
5-9 CONFIDENTIAL
Update All Clusters

To update all clusters:
1. Open the Management Console in a web browser.
The URL is http://localhost:8080/console for a Windows server and

https://<DNS name>:8443/console for a Linux appliance, which is the URL that you
wrote down in step four of “The Management Console Password Page” on page 2-6.
2. Enter the administrator Username and Password.
3. Click the System tab, and then click Update Cluster for any existing cluster.
When you update the cluster, the database information is updated.
4. (Optional) If the hosts in your configuration are located in the same geographical region
but assigned to different clusters, and you want to move them to a single cluster, use the
following procedure:
a. Click the host name on the System tab to display the Host Details page.
b. If the host that runs on the same server as the Management Console uses the local
IP address of 127.0.0.1 as the Management IP Address, click that host, then enter a
new IP address. If you want to reuse an IP address, you can specify a port number in
the Management Port field.
This is needed because 127.0.0.1 cannot be the Management IP Address for a host
if there are any other hosts in the same cluster. Note that you do not need to enter a
password on this page because the software reuses the secure connection that is
already established.
c. If you updated the IP address or port number, click Register.
d. In the Move Host to Cluster list, select a new cluster for the host, then click Move.
The System tab displays, showing the host assigned to the new cluster.
e. Click Save and Exit to return to the System Configuration page.
f. (Optional) If you have removed all of the hosts from a particular cluster, click the
associated Delete link to remove the cluster from the system.
g. Click Update All Clusters.
Note that if a cluster no longer has any associated hosts, an error message displays
to let you know that the cluster cannot be updated because it has no hosts.
5. Back up your updated configuration. See “Back Up Your Voltage SecureMail

5-10 CONFIDENTIAL
Voltage SecureMail Server Installation Guide Version 7.3 Upgrading a Linux Appliance with the Upgrade Script
See Chapter 6, “Troubleshooting” for solutions to common upgrade issues.
Upgrading a Linux Appliance with the Upgrade Script
You can use a manual upgrade script to upgrade SecureMail Version 7.0 version to Version 7.1.
Before using upgrade script, you need to execute a helper script. Contact your Micro Focus
Voltage Customer Representative to receive the script.
IMPORTANT: You cannot use an upgrade script to upgrade to version 7.0 and later. Version
7.0 and later requires a fresh install and system restore from your previous 6.X version.
Table 5-2 Upgrade Scripts
To use the upgrade script to upgrade to Version: You must be upgrading from Version:
6.1 6.0
6.3 6.1
6.4 6.3
7.1 7.0
7.2 7.1
7.3 7.2
To use the helper script:
1. Log into the Appliance as root. A command prompt displays.
2. Copy the helper script into the /tmp directory on the appliance
3. Run the helper script:

# cd /tmp
# sh helperscript.sh
To use the manual upgrade script:
1. Edit the /etc/hosts file to include an incorrect IP address (such as 0.0.0.0) for
updates.voltage.com, similar to the following line:
0.0.0.0 updates.voltage.com
2. Log into the Appliance as root. A command prompt displays.
3. Copy the patch script into the /tmp directory on the server.
4. Run the patch script:

# cd /tmp
# sh voltage-manual-patch-7.X.XXXXX.sh
5-11 CONFIDENTIAL
Voltage SecureMail Server Installation Guide Version 7.3 Upgrading a Linux Appliance with the Upgrade Script
5. Enter ‘y’ to begin the upgrade process.

NOTE: After the upgrade process completes, log into the appliance as admin before
applying the next patch.
5-12 CONFIDENTIAL
6 Troubleshooting
You might experience errors or failures if you did not install or upgrade the MariaDB software
exactly as specified.
You can use the Windows Event Viewer to check for possible silent failures or errors that
occurred during the installation. To open the Event Viewer, click the Windows Start menu and
navigate to Administrative Tools > Event Viewer.
Voltage SecureMail Services Do Not Start

The Voltage SecureMail services might not start if they cannot communicate with the MariaDB
software. To confirm that this is the issue, look in the log file for the following exception:
Unable to connect to voltagemgmt
MariaDB was installed in a non-default location
If you installed the MariaDB software in non-default location, follow these instructions to enable
Voltage SecureMail software to communicate with it:
1. Stop all Voltage SecureMail services.
2. Add the MariaDB install directory to the PATH environment variable:

<Installation_Location>\MariaDB 10.2\bin
3. Open the voltage_settings.bat file for editing. The file is in one of the following locations:
• 32-bit OS:
C:\Program Files\Voltage Security\Voltage Management Server\etc\mysql
• 64-bit OS:
C:\Program Files (x86)\Voltage Security\Voltage Management Server
\etc\mysql
4. Change the “Set this to MySQL install directory” section to specify the correct install
path for the MariaDB software:
"SET MYSQL_DIR=<Install_Location>\MariaDB 10.2"
5. Open a Windows command prompt, and run the following command:
• 32-bit OS:
C:\Program Files\Voltage Security\
Voltage Management Server\etc\mysql\setup_db.bat
6-1 CONFIDENTIAL
• 64-bit OS:
C:\Program Files (x86)\Voltage Security
\Voltage Management Server\etc\mysql\setup_db.bat
This creates the required Voltage SecureMail databases.
6. Repeat steps 3, 4 and 5 to set the MariaDB installation location for the IBE server if the
IBE server is installed on the same machine.
7. Start all Voltage SecureMail services.
Management Console Does Not Display

If you did not modify the my.ini file, as described in page 3-2 of the “Installing the MariaDB
Database Software” section on page 3-2 (for a new installation), or in “Upgrade MariaDB
(Windows)” on page?5-5 (for an upgrade), the Management Console does not display. To
verify that this is the issue, look for the following exceptions in the log file:
Caused by: java.sql.SQLNonTransientConnectionException: Could not send
query: Connection reset by peer: socket write error
org.mariadb.jdbc.internal.SQLExceptionMapper.get(SQLExceptionMapper.ja
va:136)
org.mariadb.jdbc.internal.SQLExceptionMapper.throwException(SQLExcepti
onMapper.java:106)
org.mariadb.jdbc.MySQLStatement.executeQueryEpilog(MySQLStatement.java
:268
If you see these messages, add the following lines to the my.ini file under [mysqld], and then
restart the database and Voltage SecureMail services:
max_allowed_packet=100M
innodb_file_per_table
innodb_data_file_path=ibdata1:10M:autoextend:max:20G
Tuning JVM Memory on Windows

If you experience problems that could be the result insufficient memory allocated for JVM, you
can use the VSServiceTool.bat utility to increase the Java memory pool size. This utility can
be run for Voltage Management Server, Voltage Management Data Service, and Voltage IBE
Server.
To increase the memory allocation:
1. For the Voltage IBE Server, from the command prompt, enter:
cd c:\Program Files (x86)\Voltage Security\Voltage IBE Server\bin
For the Voltage Management Server or Voltage Data Management Service, from the
command prompt, enter:
cd c:\Program Files (x86)\Voltage Security\Voltage Management
Server\bin
6-2 CONFIDENTIAL
2. Run the one of the commands below depending on the server or service for which you
want increase memory.
For the Voltage IDE Server:
VSServiceTool.bat "Voltage IBE Server"
For the Voltage Management Server or Voltage Data Management Service:
VSServiceTool.bat "Voltage Management Server"
VSServiceTool.bat "Voltage Management Data Service"
3. Click the Java tab.
CAUTION: Do not make any other changes in vsservice without direction from Micro
Focus Voltage Support.
4. Change the Initial memory pool and Maximum memory pool values as needed. Do
not allocate more than 1024 MB to the maximum memory pool.
5. Click OK.
6. Restart the service you have changed.
Client to Server Communication Errors

Beginning with version 6.3 of Voltage SecureMail Server, communication to the server from
SecureMail clients (Voltage Encryption Client and Voltage SecureMail Mobile apps) must use
TLS 1.2 by default. Some older versions of Windows OS do not support TLS 1.2 and some older
browsers do not use TLS 1.2 by default. The best practice is to upgrade user software to
6-3 CONFIDENTIAL
versions that support TLS 1.2. You can force the server to use less secure communication
protocols using an advance setting. Contact Micro Focus Voltage Support for assistance with
this option.
If you have client users on Windows 7 with latest update or Windows Server 2008 R2, and they
are unable to download keys, there is a patch to Windows 7 that enables TLS 1.1 and TLS 1.2
as a default secure protocols in WinHTTP.
Please apply the patch located at https://support.microsoft.com/en-us/kb/3140245.
6-4 CONFIDENTIAL

Voltage Securemail Server: Installation Guide

Uploaded by

Document Information

Original Title

Copyright

Available Formats

Share this document

Share or Embed Document

Sharing Options

Did you find this document useful?

Is this content inappropriate?

Copyright:

Available Formats

Voltage Securemail Server: Installation Guide

Uploaded by

Copyright:

Available Formats

Voltage SecureMail Server

Document Release Date October 2020

The information contained herein is subject to change without notice.

Restricted rights legend

© Copyright 2020 Micro Focus or one of its affiliates

Chapter 1 Planning a Voltage SecureMail Deployment . . . . . . . . . . . . . . . . . . . . . . . . . . . . 1-1

Figure 1-1 shows a simplified example of a clientless solution.

Figure 1-1 Encrypted Message Flow for a Clientless Solution

In this example, the message flows as follows:

1. A user sends a message in the usual manner.

5. The recipient reads the decrypted message.

Figure 1-2 Encrypted Message Flow For an End-to-End Solution

In this example, the message flow is as follows:

2. The mail server delivers the secure message to the recipient.

4. The recipient reads the decrypted message.

Voltage SecureMail Components

The Voltage SecureMail software consists of the following components:

• Voltage SecureMail Gateway: Provides the means to automatically encrypt or decrypt

• Voltage SecureMail Management Console: Provides configuration and administration of

Figure 1-3 shows an overview of these Voltage SecureMail components.

1. An internal user sends a message to an external recipient.

2. The mail server routes the message to the Gateway.

3. The Gateway encrypts the message and routes it to the recipient.

5. The recipient reads the decrypted message.

Understanding the Software Installation Process

Installing the software on Linux-compatible hardware typically takes about 20 minutes.

• At least 3 GHz x86 64-bit architecture processor, with 8 CPU cores

• 80 GB disk space (recommended minimum size; actual space required depends on

• If you are installing on hardware, use a CD drive (internal or external).

• 1G Ethernet Network Interface Card (NIC)

The following hardware is supported:

The following virtual server is also supported:

• VMware vSphere Hypervisor (ESXi) 6.0

• Windows Server 2008 R2, installed on a 64-bit OS

• Windows Server 2012 R2, installed on a 64-bit OS

• Windows Server 2016, installed on a 64-bit OS

• Windows Server 2019, installed on a 64-bit OS

Your system must meet the following minimum specifications:

The following virtual server is also supported:

• VMware vSphere ESXi 5.5, 6.0 and 6.5

Client to Server Communication

Organization Requirements Deployment Type Deployment Details

The following restrictions apply to the deployment options:

One Linux Server

One Linux Server and One Windows Server

The reply to a secure message might go through the following path:

3. The mail server delivers the encrypted message to the recipient.

6. The server grants the key to the client.

Multiple Linux Servers and One Windows Server

The reply to a secure message might go through the following path:

4. The mail server delivers the encrypted message to the recipient.

7. The server grants the key to the client.

Multiple Linux Servers and Multiple Windows Servers

Figure 1-6 Deployment with Multiple Linux and Windows Servers

Network Configuration Settings

IP Address Requirements for a Stand-Alone Deployment

IP Address Requirements for a Distributed Deployment

Planning for Network Integration

Connections Between Voltage SecureMail Servers and the Internet

• Port 123 to NTP servers(s) (optional)

• Port 25 if the Gateway is the last hop for email

• Port 443 for ZDM / Multi-cluster ZDM Proxy

• Port 25 if the Voltage SecureMail Server is published as the MX server