Messaging Products Update – 19.0 Capabilities

Below is a list of the new capabilities in our Messaging products for the 19.0 release. 19.0 adds a lot of extra functionality across our messaging products, along with a complete rewrite of the codebase so that future releases and bug fixes can be developed more quickly. For the full release notes, please check the individual product updates, available from the customer portal and evaluation sections of our website.

Dependencies

Cobalt (version 1.3 or later) is needed to manage various capabilities in M-Switch 19.0. HSM management depends on Cobalt version 1.4 or later.

M-Switch, M-Store and M-Box depend on M-Vault 19.0.   All of these products are a part of R19.0 with common libraries and so are commonly installed together.

Product Activation 

All of the messaging products now use the new product activation. Product activation is managed with the Messaging Activation Server (MAS), which provides a Web interface to facilitate managing activation of messaging and other Isode products. MAS is provided as a tool, but installed as an independent component.

M-Switch

Product Activation

There are a number of M-Switch features arising from the new product activation:

  • Various product options are encoded in the activation, restricting functionality to M-Switch options purchased.   The options available and any activation time limits are displayed by MConsole.
  • MConsole will correctly display the product name of the M-Switch being used (e.g., M-Switch MIXER, M-Switch Gateway etc).
  • MConsole views are restricted so that only ones relevant to the activated options are shown (e.g., ACP 127 views will not be shown unless ACP 127 is activated).

Use of Cobalt

A number of functions have been moved from MConsole to Cobalt, which provides a general Web administrator interface. MConsole is now more focused on M-Switch server configuration and operation. Capabilities provided by Cobalt in support of M-Switch:

  • User and Role provisioning (replacing Internet Mail View)
  • Special function mailboxes
  • Redirections
  • Standard SMTP distribution lists
  • Military Distribution Lists
  • Profiler Configuration
  • File Transfer by Email (FTBE) account provisioning

Directory and Authentication

A number of enhancements have been made to improve the security of authentication. New configurations will require this improved security, and upgraded systems are expected to switch to it.

  • Configuration of default M-Vault configuration directory is simplified.
  • Option provided to use a different M-Vault directory for users/operators, defaulting to the configuration directory.
  • M-Switch access to configuration and user directories will always authenticate using SASL SCRAM-SHA-1.  This is particularly important for deployments not using TLS, as it will ensure plain passwords are not sent over a link, while still using hashed passwords in M-Vault.
  • M-Vault directories created by MConsole will always have TLS enabled (where the product activation option allows).
  • Connections from M-Switch to M-Vault will use TLS by default.
  • Three modes can be configured for SMTP and SOM (MConsole) access to M-Switch
    • SCRAM-SHA-1.  This is the default and is a secure option suitable for most configurations.
    • PLAIN.  This option is needed if authentication is done using pass-through to Active Directory.   This should only be used on systems with TLS.
    • ANY.  When this option is used, SOM/MConsole will use SCRAM-SHA-1.   It is needed for SMTP setups that want to offer additional SASL mechanisms such as CRAM-MD5, which will need plain passwords to be stored in M-Vault.
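
The property described above (no plain password on the link, only hashed credentials in the directory) can be seen by running the SCRAM-SHA-1 arithmetic from RFC 5802. This is an added example, not Isode code; the record layout and function names are illustrative assumptions and do not represent M-Vault's storage format.

```python
import base64, hashlib, hmac

def _hmac(key, msg):
    return hmac.new(key, msg, hashlib.sha1).digest()

def _xor(a, b):
    return bytes(x ^ y for x, y in zip(a, b))

def provision(password, salt, iterations):
    """Server-side record: derived keys only, the password is not kept.
    SASLprep normalisation is skipped (assumes an ASCII password)."""
    salted = hashlib.pbkdf2_hmac("sha1", password.encode(), salt, iterations)
    client_key = _hmac(salted, b"Client Key")
    return {"salt": salt, "iterations": iterations,
            "stored_key": hashlib.sha1(client_key).digest(),
            "server_key": _hmac(salted, b"Server Key")}

def client_proof(password, salt, iterations, auth_message):
    """Client side: the only password-derived value sent on the link."""
    salted = hashlib.pbkdf2_hmac("sha1", password.encode(), salt, iterations)
    client_key = _hmac(salted, b"Client Key")
    stored_key = hashlib.sha1(client_key).digest()
    return _xor(client_key, _hmac(stored_key, auth_message))

def server_verify(record, auth_message, proof):
    """Recover ClientKey from the proof and compare its hash to StoredKey."""
    client_key = _xor(proof, _hmac(record["stored_key"], auth_message))
    ok = hmac.compare_digest(hashlib.sha1(client_key).digest(), record["stored_key"])
    server_signature = _hmac(record["server_key"], auth_message)
    return ok, (server_signature if ok else b"")

# Messages from the RFC 5802 section 5 example (user "user", password "pencil").
CLIENT_FIRST_BARE = "n=user,r=fyko+d2lbbFgONRv9qkxdawL"
SERVER_FIRST = "r=fyko+d2lbbFgONRv9qkxdawL3rfcNHYJY1ZVvWVs7j,s=QSXCR+Q6sek8bf92,i=4096"
CLIENT_FINAL_NO_PROOF = "c=biws,r=fyko+d2lbbFgONRv9qkxdawL3rfcNHYJY1ZVvWVs7j"
AUTH_MESSAGE = ",".join([CLIENT_FIRST_BARE, SERVER_FIRST, CLIENT_FINAL_NO_PROOF]).encode()
SALT = base64.b64decode("QSXCR+Q6sek8bf92")

def run_exchange(password="pencil"):
    record = provision("pencil", SALT, 4096)   # what the directory holds
    proof = client_proof(password, SALT, 4096, AUTH_MESSAGE)
    ok, server_sig = server_verify(record, AUTH_MESSAGE, proof)
    return base64.b64encode(proof).decode(), ok, base64.b64encode(server_sig).decode()

if __name__ == "__main__":
    print(run_exchange())            # correct password: proof accepted
    print(run_exchange("pencil2"))   # wrong password: proof rejected
```

CRAM-MD5, by contrast, keys its HMAC with the password itself, which is why offering it under the ANY mode means plain passwords have to be stored in the directory.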

ACP 127

An extensive set of enhancements has been made to ACP 127.

  • Extend circuit control from Enabled/Disabled to Enabled (Rx/Tx) / Rx Only / Disabled
  • Enhanced OPSIG support for BRIPES following agreed doc:
    • QRT/QRV.   Supports remote enable/disable, including control from top level of circuit management UI
    • ZES2 automatic handling on receive
    • Service message option to send INT ZBZ
    • Configurable option for reliable circuit to send ZBZ5 to acknowledge receipt of identified message
    • Limiting priority UI uses two-letter codes, but will still recognize single-letter codes
    • Add CHANNEL CHECK generation and response
  • Option to use “Y” for emergency messages
  • Support for Community Variables (CV) which is a BRASS mechanism to use multiple crypto keys
    • Configuration of CVs available for each destination
    • Display of CVs for queued messages
    • CV Audit Logging
  • Scheduled Broadcasts to support MUs with constrained availability (e.g., Submarines)
    • Periodic Mode with GUI configuration
    • UI to show which messages will be transmitted in which period based on estimated transmission times
    • Scheduled periods at same time each day
    • Explicitly scheduled fixed intervals on specific day
  • Extension to Routing Tree configuration to specify specific channel.   This makes it easier to utilize the ACP 127 RI routing, which is needed in many ACP 127 configurations
  • Improved mapping of CAD/AIG to SMTP
  • Option to turn off message reassembly
  • Improvements to monitoring of circuits using serial links

FAB (Frequency Assignment Broadcast)

A subsystem is provided to support FAB, which is needed for older BRASS systems that do not support ALE. The M-Switch FAB architecture is described in  https://www.isode.com/whitepapers/brass.html. The key points are listed below:

  • A new FAB Server component is provided to run black side and generate the FAB data stream(s).
  • Red/Black separation can be provided by M-Guard
  • The FAB Server can monitor a remote modem for link quality using a new SNR monitoring protocol provided by Icon-5066 3.0.
  • Circuits to support FAB use a new “anonymous” type, reflecting that they are not associated with a specific peer.
  • Support is provided for ARQ (STANAG 5066 COSS) circuits which operate automatically shore side and for direct to modem circuits which require a shore side operator.
  • There is an operator UI for each circuit that enables setting FAB status and controlling acceptance of messages

Profiler and Corrector

  1. Support of TLS for Corrector UI and Manual Profiler
  2. Improved message display, including Security Label
  3. Profile configuration read from directory, which enables Cobalt configuration of Profiler rules

Icon-Topo Support

Isode’s Icon-Topo product automatically updates M-Switch configuration in support of MU Mobility.  M-Switch enhancements made in support of this:

  • Show clearly in MConsole when External MTAs, Routing Tree Entries and Nexus are created by Icon-Topo.
  • Enhance Nexus and Diversion UI to better display Icon-Topo created information.

PKCS#11 HSM Support

PKCS#11 HSM (Hardware Security Module) support is added. This has been tested with HSMs from Nitrokey, Yubico, Gemalto and the SoftHSM software.  HSM support can be enabled and PKCS#11 identities created by Cobalt can be configured and used for all TLS and S/MIME functions in M-Switch.

Miscellaneous

  • Configure Warning Time based on Message Priority.
  • Tool to facilitate log and archive clear out

M-Store

No new features for R19.0.

M-Box

Improved Searching

Message searching is extended with three new capabilities that are exposed in Harrier.

  • Choice to search based on SIC (Subject Indicator Code) which can be used on its own or in conjunction with options to search other parts of the message.
  • Option to filter search based on a choice of one or more message precedences, matching against the action or info precedence as appropriate for the logged in user.
  • Option to filter search based on selected security label.

PKCS#11 HSM Support

PKCS#11 HSM (Hardware Security Module) support is added. This has been tested with HSMs from Nitrokey, Yubico, Gemalto and the SoftHSM software.  This can be used to protect TLS access to M-Box using server identity created by Cobalt.

Draft & Release for Military Messaging: An Open, Online Approach

In military communications, messages are frequently sent to organizations (e.g., a Command) rather than to an individual or to a role.

The receiving organization will process the message using a Profiler, which looks at meta-information (such as a Subject Indicator Code “SIC”) in the message in order to dispatch it to the appropriate recipient. This process of examination and dispatch is known as draft and release and is, today, mostly done using a mix of paper and online systems. A number of deployments have sought to introduce entirely online systems for draft and release but the approaches used in those deployments all have weaknesses.

In a new whitepaper on the Isode website, “Open Online Draft & Release”, Isode proposes a new open standards based approach to online draft and release, combining the best practices of existing systems with capabilities for message review which can be used independent of draft and release.

Happy Birthday M-Switch

Today we’ve been reminded, by LinkedIn, that one of our core products turns 23 this week. Happy Birthday M-Switch!

The first deployment of M-Switch, then simply called the Message Transfer Agent, was to British Telecom. Since then it has evolved into a range of Isode products, including:

  • M-Switch SMTP; an SMTP Message Switch.
  • M-Switch X.400; an X.400 Message Transfer Agent (MTA)
  • M-Switch MIXER; a message switch, providing conversion between X.400 and Internet email according to the MIXER specifications.
  • M-Switch ACP127 gateway provides mapping between STANAG 4406 and text messaging protocols such as ACP127.
  • M-Switch ACP145 gateway, provides STANAG 4406 message signing and verification.

As well as these core server products we also now offer add-ons to extend M-Switch, such as M-Switch Encryption to add message encryption and decryption capabilities (using S/MIME for SMTP messages and STANAG 4406 Encryption for X.400 messages) as well as an add-on to enable security label mapping & conversion.

Although it has been joined by many other core server products since 1992, products based on M-Switch, under the direction of the messaging team headed by Ian Reissmann, remain a vital part of our business, accounting for over 50% of our new product sales over the last 3 years.

Our commitment to the continued development of the M-Switch family means that it’ll be celebrating many more birthdays in the future.

New Whitepaper: Isode’s Solution for BRASS

HF Radio is an important naval communication channel for ‘beyond line of sight’ (BLOS) communication. BRASS (Broadcast and Ship to Shore) is an approach used by Navies, particularly those of NATO countries, to communicate between ships and shore using HF.

In a new whitepaper (Isode’s Solution for BRASS) we give an overview of BRASS and describe our strategy and solution for this area. The whitepaper looks at how our products can support the protocols and interoperability for currently deployed BRASS systems and move them forward to state of the art capabilities that can extend the services offered over BRASS.

R16.3: Multi-Master Directory, XMPP Archive/Search & ACP127 support

We’re pleased to announce the availability of Isode’s latest release, R16.3, which can be downloaded now from our website. R16.3 is a major Isode release which adds new capabilities across the entire Isode product range, including:

M-Vault

We’ve introduced a multi-master capability to M-Vault, complementing the single-master approach to replication defined in the X.500 protocols around which M-Vault was developed. M-Vault is the first directory to offer both multi-master and X.500.

M-Link

M-Link gains a new Archive Server for archive of all messages (including 1:1 chat, MUC and PubSub). XMPP clients can access archives using Message Archive Management (MAM) as defined in XEP-0313. M-Link also gains three new web applications:

  1. Message Archive Management, allowing browser-based access to information in the archive.
  2. Statistics, a lightweight monitoring alternative to the M-Link Console GUI.
  3. Forms Discovery and Publishing, for end-user publishing and display of FDP forms.

M-Link Statistics Web App

M-Switch

We’ve added gateway support for text based organisational message protocols, which we’re collectively describing as ACP127. The first release of this capability supports ACP127 and DOI 103S, a popular US variant, and enables conversion with STANAG 4406 (compliant to STANAG 4406 Annex D) and SMTP (following the MMHS over SMTP extensions).

In addition we’ve made extensive improvements to MConsole and M-Link Console to support the new M-Switch and M-Link family capabilities. For a full run-down of new capabilities in R16.3, please see the Product Release page. We’ll be publishing further blog posts over the coming weeks focusing on some of the new R16.3 capabilities.

M-Switch ACP127 Gateway to STANAG 4406 and MMHS over SMTP

ACP127 is an older military messaging protocol, which remains in widespread use along with a number of similar protocols such as DOI 103 and ACP 128. Isode’s M-Switch already provides full server side support for STANAG 4406, ACP 145 and MMHS over SMTP. We’ve now added support for ACP127 and selected related protocols to the M-Switch product enabling gateway connections between SMTP and STANAG 4406 services and ACP127 systems.

Product information is available on the M-Switch ACP127 product page.