Message Archiver Overview
The Message Archiver feature provides a basic IM compliance solution. This feature allows your system to comply with regulations that require logging of all instant messaging traffic in your company. Many industries require that instant messages adhere to the same regulatory compliance guidelines as for all other business records. To comply with these regulations, your system must log and archive all business records, and archived records must be retrievable.
The Message Archiver feature provides support for instant messaging (IM) compliance by collecting data for the following IM activities in single-cluster, intercluster, or federated network configurations. This includes point-to-point messages and various forms of group chat.
This feature requires that you deploy an external database specifically for this feature.
Encrypted Database for Message Archiver
For added security, you can enable an encrypted database for the Message Archiver. When this option is enabled, the IM and Presence Service encrypts IMs before archiving them in the external database. With this option, all data in the database is encrypted such that even a database administrator will be unable to read archived IMs, unless they possess the encryption key.
The encryption key can be downloaded from the IM and Presence Service and used in conjunction with whatever tool you use to view data in order to decrypt archived data.
For intercluster networks, you can enable encryption for the local cluster and any intercluster peers from a single IM and Presence Service cluster. The cluster on which you enable encryption becomes the master cluster, which controls the encryption key for its remote slave clusters. You can download the encryption key from the IM and Presence Service interface, but you must use the encryption password that was entered in the master cluster.
Encryption Standards
To ensure that archived data is not compromised, this feature uses three keys: a symmetric encryption key, along with an asymmetric public-private key pair.
- Encryption key—This 256-bit symmetric key is generated and stored internally by the IM and Presence Service, which uses this key to encrypt IM compliance data before archiving the data in the compliance database. For intercluster networks, the master cluster syncs its encryption key to the remote slave clusters so that the entire intercluster network is using the same encryption key, which is controlled from the master cluster.
You must download this key from the IM and Presence Service and use it with your data viewer to be able to decrypt archived IMs. When you download this key, the key is encrypted with the public key from the public-private key pair. You can later decrypt the encryption key with the private key.
- Public-Private key pair—You must generate this asymmetric key pair in an approved key generation tool (for example, OpenSSL) and use it to encrypt the encryption key in the IM and Presence Service and then decrypt the encryption key with your data viewing tool. The public-private key pair secures the encryption key while in transit from the IM and Presence Service to your data viewing tool (for example, Splunk).
The encryption password is hashed with SHA2 and then encrypted with AES 256. Instant messages are encrypted with the AES 256 algorithm.
Intercluster Network Encryption
The following conditions apply for intercluster peer networks:
- An intercluster peer network can have only a single master cluster or encryption errors will result. The master cluster uses the Cisco Intercluster Sync Agent to sync encryption-related information (for example, the encryption password and encryption key) to remote peer clusters, which become slave clusters of the master cluster.
- Once you enable Message Archiver encryption within a local cluster, that cluster becomes a master cluster.
- If you checked the Enable Encryption in Remote Clusters check box, the remote peer clusters become slave clusters of the master cluster following the next intercluster sync, provided the Message Archiver is configured on all nodes in the remote cluster with Microsoft SQL Server as the compliance database. If this is true, the Cisco Intercluster Sync Agent syncs encryption-related information, including the password and encryption key, to the remote cluster.
- If the remote cluster does not have the Message Archiver configured on all nodes with a Microsoft SQL Server compliance database, encryption will not become enabled. However, if you later configure the Message Archiver on all nodes with a Microsoft SQL Server compliance database, encryption will be enabled automatically in the remote cluster following the next intercluster sync.
- If you configure a master cluster with the Enable Encryption on Remote Clusters option selected and subsequently add an intercluster peer, the peer cluster becomes a slave cluster automatically following the next intercluster sync. Encryption will be enabled on the slave provided the Message Archiver is configured on all nodes with a Microsoft SQL Server external database.
- If you have an intercluster peer relationship between an 11.5(1)SU5 master cluster that has Message Archiver encryption enabled for remote clusters, and a peer cluster that does not support encryption (for example, 11.5(1)SU4), the peer cluster will not have encryption enabled, even if it has a Microsoft SQL Server compliance database. However, once the peer cluster upgrades to 11.5(1)SU5, the encryption settings will be applied following the intercluster sync.
- Cisco recommends that you deploy a single external database per cluster for the Message Archiver.
Process Flow for Encryption
The following table highlights the process flow for enabling encryption and for viewing encrypted data from the database. The flow lists each step and the interface on which that step is completed.
Step | IM and Presence Service Master Cluster | Key Generation Tool (e.g., OpenSSL) | Data Viewing Tool
---|---|---|---
Step 1 | The administrator configures encryption for the intercluster network. The master cluster syncs encryption settings across the intercluster network. Archived data is now encrypted. | |
Step 2 | | The administrator generates a public-private key pair for securing the encryption key. |
Step 3 | The administrator downloads the encryption key from the IM and Presence Service. During the download, the public key encrypts the encryption key. | |
Step 4 | | | The administrator uses the private key to decrypt the encryption key.
Step 5 | | | The encryption key decrypts compliance data. Authorized personnel can view archived compliance data.
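The following script is an added example, not code from Cisco or the IM and Presence Service; it models the three-key scheme from Encryption Standards and the five steps in the table above with OpenSSL as the key generation tool, so that the hand-off from service to data viewer can be followed end to end. Everything the page leaves unspecified is an assumption here: RSA-2048 with OAEP for the public-private key pair, AES-256-CBC with a per-record IV for the archive, SHA-256 as the SHA-2 variant for the password, and all file names and the sample IM are constructed. In the real service the 256-bit encryption key is generated internally; `gen_encryption_key` only stands in for it.

```shell
#!/bin/sh
# Added example, not Cisco's code: models Message Archiver key handling with
# OpenSSL so the three keys and the five-step flow can be followed end to end.
# Assumptions (not stated on the page): RSA-2048 with OAEP for the key pair,
# AES-256-CBC with a random IV for the archive, SHA-256 as the SHA-2 variant;
# every file name and sample message below is constructed for the demo.
set -eu

WORK="${WORK:-$(mktemp -d)}"

# Stand-in for the 256-bit symmetric encryption key that the IM and Presence
# Service generates and keeps internally (written as 64 hex characters).
gen_encryption_key() {
  openssl rand -hex 32 > "$WORK/encryption_key.hex"
}

# Step 2: generate the public-private key pair in the key generation tool.
gen_keypair() {
  openssl genpkey -algorithm RSA -pkeyopt rsa_keygen_bits:2048 \
    -out "$WORK/private.pem" 2>/dev/null
  openssl pkey -in "$WORK/private.pem" -pubout -out "$WORK/public.pem"
}

# Step 1 (archive side): an IM is AES-256 encrypted with the encryption key
# before it is written to the compliance database. A fresh IV per record is
# stored next to the ciphertext.
archive_im() {
  msg="$1"; out="$2"
  iv=$(openssl rand -hex 16)
  printf '%s' "$iv" > "$out.iv"
  printf '%s' "$msg" | openssl enc -aes-256-cbc \
    -K "$(cat "$WORK/encryption_key.hex")" -iv "$iv" -out "$out"
}

# The encryption password is hashed with SHA-2 (SHA-256 assumed) ...
hash_password() {
  printf '%s' "$1" | openssl dgst -sha256 | sed 's/^.*= //'
}

# ... and the digest is then AES-256 encrypted like any other archived record.
protect_password() {
  archive_im "$(hash_password "$1")" "$WORK/password.enc"
}

# Step 3: the download wraps the encryption key with the public key, so the
# file that leaves the service is unreadable without the matching private key.
download_encryption_key() {
  openssl pkeyutl -encrypt -pubin -inkey "$WORK/public.pem" \
    -pkeyopt rsa_padding_mode:oaep \
    -in "$WORK/encryption_key.hex" -out "$WORK/encryption_key.wrapped"
}

# Step 4: the data viewing side unwraps the encryption key with the private key.
unwrap_encryption_key() {
  openssl pkeyutl -decrypt -inkey "$WORK/private.pem" \
    -pkeyopt rsa_padding_mode:oaep -in "$WORK/encryption_key.wrapped"
}

# Step 5: decrypt an archived record with the unwrapped encryption key.
read_archived_im() {
  openssl enc -d -aes-256-cbc -K "$(unwrap_encryption_key)" \
    -iv "$(cat "$1.iv")" -in "$1"
}

# Check that the wrapped download is not the raw key: someone holding only the
# database and the downloaded file (a DBA, for instance) cannot decrypt IMs.
wrapped_key_is_opaque() {
  ! cmp -s "$WORK/encryption_key.hex" "$WORK/encryption_key.wrapped"
}

# Run the whole flow on one constructed IM and print the recovered plaintext.
demo() {
  gen_encryption_key
  gen_keypair
  protect_password "constructed-demo-password"
  archive_im "10:02 alice->bob: please confirm the trade ticket" "$WORK/im1.enc"
  download_encryption_key
  read_archived_im "$WORK/im1.enc"
}
```

Running `demo` prints the sample IM back only after the key has made the round trip through the public-key wrap and private-key unwrap; `wrapped_key_is_opaque` is the check to keep in mind when reviewing where the downloaded key file and the private key are stored, since the private key is what turns the download back into the database key.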