Modifying the signatory of a security policy

Before they are deployed on user stations with the signatory certificate, security policies are signed by a policy signatory. This guarantees the authenticity and integrity of policies.

For more information, refer to the section Downloading and signing a security policy.

Apply the following procedure to modify the signatory of a policy, e.g. if the signatory's signature is compromised or if the signatory leaves the company.

The following conditions are required:

If you are using Microsoft’s public key infrastructure solution, for information on how to obtain the certificate for a security policy signatory account, see Creating a SDS Enterprise security policy signatory account.

During the transition between two signatories, you must install a .p7b file containing the certificate of the old signatory and the certificate of the new signatory on the user stations. This operation must be performed before redeploying the policy signed by the new signatory. Therefore, the SDS Enterprise agent considers both certificates as being valid signatories of the policy.

  1. Generate an admin_policy.p7b file containing both certificates concerned. For example you can use the export function in the Windows certificate manager.

  2. On the user stations, install the admin_policy.p7b file in the installation folder C:\Programmes\Arkoon\Security BOX.

The .p7b file overwrites any .cer signatory certificate already present in the same folder.

Once the admin_policy.p7b file installed on the user stations, apply the following steps to deploy the policy:

  1. Place the admin_policy.cer certificate of the new signatory in the installation folder C:\Programmes\Arkoon\Security BOX of the users, in the same location as the .p7b file and the certificate of the old signatory. The old certificate is overwritten by the new one.

  2. Apply the procedure for updating a policy via a distribution point as described in the Updating the security policy on SDS Enterprise agents section.

  3. Inform the users that they must accept the signatory change in the warning message displayed when logging back onto their SDS Enterprise account.

  4. Once all users have accepted the new signatory, delete the .p7b file of the SDS Enterprise installation folder to ensure the old signatory is no longer considered as valid.

If a user refuses the new signatory, the policy is still updated and he/she can use the product. In this case, the warning message is displayed again during the next logging onto the user's SDS Enterprise account.

In the properties of the SDS Enterprise agent on user stations, you can view the certificate of the policy signatory:

  1. Right-click on the SDS Enterprise icon SDS Enterprise icon in the Windows system tray.

  2. Select Properties.

  3. In the Configuration tab, double-click on the Keyring icon.

  4. Display the Policy signatory tab. If the signatory changes, the tab is updated automatically when the user accepts the change in the warning message displayed when logging onto the SDS Enterprise account.

  5. Click on Details to display all the information of the certificate.