PDF Creation Date: August 4, 2008 Document Security User Guide for Acrobat 9.0 and Adobe Reader 9.0 Acrobat® and Adobe® Reader® Version 9.0...
Adobe Systems Incorporated. Please note that the content in this guide is protected under copyright law even if it is not distributed with software that includes an end user license agreement.
Contents
Getting Started
1.1 What’s in this Guide?
1.2 Who Should Read This Guide?
1.3 How Should You Use This Guide?
1.4 Roadmap to Security Documentation
Getting and Using Your Digital ID
2.1 Digital ID Basics
2.1.1 What is a Digital ID?
2.1.2 Digital ID Storage Mechanisms
2.1.3 Registering a Digital ID for Use in Acrobat...
Acrobat 8 Family of Products Security Feature User Guide
3.2.4 Searching for Digital ID Certificates
3.3 Certificate Trust Settings
3.3.1 Setting Certificate Trust
3.3.2 Setting Certificate Policy Restrictions
3.3.3 Using Certificates for Certificate Security (Encryption)
3.4 Using Directory Servers to Add Trusted Identities
3.4.1 Manually Configuring a Directory Server
3.4.2 Editing Directory Servers Details
3.4.3 Deleting a Directory Server...
8.3 Setting JavaScript Options
8.3.1 High Privilege JavaScript Defined
8.3.2 JavaScript and Certified Documents
8.4 Adobe Trusted Identity Updates
8.5 Working with Attachments
8.5.1 Default Behavior: Black and White Lists...
9.2.3.4 Importing Timestamp Server Settings
9.2.3.5 Importing Directory Server Settings
9.2.3.6 Importing Adobe LiveCycle Rights Management Server Settings
9.2.3.7 Importing Roaming ID Account Settings
9.2.3.8 Importing a Trust Anchor and Setting Trust
10 Glossary of Security Terms
Administrators: This document describes how to configure and use the application user interface. Because system administrators may be responsible for deploying and supporting the Adobe Acrobat family of products (including Adobe Reader) in document security workflows, leverage this guide to help your clients use the product correctly and effectively.
Many of the application’s registry settings can be accessed and manipulated via JavaScript.
Note: The most recent document versions may be found online at http://www.adobe.com/devnet/acrobat/.
A guide to the documentation in the Adobe Acrobat SDK. Roadmap Acrobat and PDF Library API Reference Developers A description of the APIs for Acrobat and Adobe Reader® plug-ins, as well as for PDF Library applications. JavaScript for Acrobat API Reference Developers A listing of the Acrobat JavaScript APIs.
Getting and Using Your Digital ID
A digital ID is like a driver’s license or passport or other “certified by some entity” paper identification. It proves your identity to people and institutions that you communicate with electronically. These IDs are a critical component of digital signatures and certificate security.
Network sharing: Certificates can be stored on a central server. The Trusted Identity Manager can be used to search for certificates on LDAP directory servers. Adobe applications provide tools for configuring and managing directory servers. For details, see “Using Directory Servers to Add Trusted Identities”...
Windows Certificate Store. Import Import Import Import Contains: Certificate and public key only .apf Adobe Profile Files (Legacy): Not used after Acrobat 5. Files can be Import Import Import Import upgraded by double clicking them. Export Contains: Digital ID (public and private keys) 2.1.3 Registering a Digital ID for Use in Acrobat...
Figure 3 Add Digital ID dialog
.apf Digital IDs no longer supported
Older application versions use a deprecated digital ID format with an .apf extension. .apf is not supported in 9.0.
Generic ID Operations
Adobe Reader (Windows): Edit > Preferences > Identity
Adobe Reader (Macintosh): Adobe Reader > Preferences > Identity
2. Configure the identity details. These details will appear in your signature appearance when you sign with a self-signed digital ID.
1. Choose Advanced (Acrobat) or Document (Reader) > Security Settings.
2. Select Digital IDs in the left-hand tree (Figure 2.2.1).
3.
Windows Digital IDs
PKCS#11 Modules and Tokens
2.2.4 Customizing a Digital ID Name
You can personalize a digital ID by providing a user-friendly name. This name appears in the ID drop-down list in workflows where you are asked to select an ID.
Left hand panel: The certificate chain.
Bottom area: A description of the certificate, path validity statement, path validation time, and ...
Note: In enterprise settings, you may be instructed by your administrator to get a digital ID from a specific location or to customize Acrobat or Adobe Reader to work with software supplied by your organization. To find a digital ID file: 1.
9. Review the digital ID list and choose Finish.
2.3.3 Adding and Removing Digital ID Files from the File List
Adobe Acrobat and Adobe Reader only allow deletion of user-created self-signed digital IDs created with those applications. A file can have one or more IDs.
Figure 10 Digital ID files: Password configuration
2.3.5 Changing a PKCS#12 File’s Password Timeout
Passwords and password time-outs can only be set for PKCS#12 IDs. Since a file can contain multiple IDs, passwords and time-outs are configured at the file level rather than for individual IDs.
Figure 11 Digital ID files: Timeout settings
2.3.6 Logging in to PKCS#12 Files
The digital ID Login feature provides access to the IDs in a particular file. Login behavior is dependent on the user-specified password timeout feature.
These files should always be backed up. On Windows XP, the default location is C:\Documents and Settings\<username>\Application Data\Adobe\<application name>\<version>\Security\
Windows Certificate Store: (Windows only) Stores the ID in the Windows Certificate Store where it ...
Figure 13 Digital ID: Configuration
6. Configure the digital ID. The dialog is prepopulated if the Identity preferences have been previously configured:
Tip: If you use non-Roman characters, choose Enable Unicode Support before continuing.
Figure 14 Digital ID: PKCS#12 location and password
2.3.8 Deleting a PKCS#12 Digital ID
Adobe Acrobat and Adobe Reader only allow deletion of user-created, self-signed digital IDs created by them. The methodology for deleting other types of IDs varies with the type of ID.
The Windows store makes these IDs available to other Windows applications such as Acrobat and Adobe Reader. When an ID in the Windows store is registered with the application, it appears in the Security Settings Console.
server rather than being distributed to each individual. Deployment and management therefore occur in one location rather than on numerous client machines. Depending on how the system is configured, users identify themselves (authenticate) to the server either with a username and password, Windows single sign-on, or by some third-party method such as ArcotID.
Digital IDs can reside on hardware such as a smart card or token with a USB interface. In these cases, the card is inserted into a smart card reader or the token is inserted directly into a USB port. Adobe products can be configured to look for and use IDs on these devices by adding the device’s module (software driver)
3. Highlight PKCS#11 Modules and Tokens.
Figure 18 PKCS#11 Security Settings menu items
4. Choose Add Module.
5. Browse to the device driver. On Windows, this could likely be C:\Windows\system32\<some .
PKCS#11 workflows vary by the device supplier. For example, additional passwords or PINs may or may not be required. The login interface may be provided by the Adobe application or by the device supplier. To log in to a device: 1.
Managing Certificate Trust and Trusted Identities
As described in “What is a Digital ID?” on page 10, a digital ID consists of two main parts: a certificate with a public key and a private key. Participants in signing and certificate security workflows need to exchange the public part (the certificate) of their digital ID.
The Acrobat family of products provides tools for selecting and interacting with the certificates of document recipients you trust. For example, Acrobat’s user interface prompts authors to select one or more recipients when applying certificate security.
each other. It is also possible to create a group from any number of contacts so that security can be applied to all group members with a single action.
124.
3.2.3 Importing a Certificate From a File
Acrobat and Adobe Reader can export certificates to a file so that they can be shared as needed. To import certificates, follow the instructions described in “Migrating and Sharing Security Settings” on page 112.
Search button will NOT appear. The list of search servers in the Directories drop-down list is populated through three mechanisms: The default server settings that ship with Adobe Acrobat and Adobe Reader. The Windows Certificate Store if the user has turned on this option.
Figure 26 Digital IDs: Searching for certificates
To search for a certificate so that you can add one or more people to your trusted identities list:
1.
Figure 27 Searching for document recipients
3.3 Certificate Trust Settings
Contacts in the trusted identities list should be associated with one or more certificates. Those certificates’ trust settings may be individually configured.
1. Do one of the following:
If you already have the certificate:
   1. Choose Advanced (Acrobat) or Document (Adobe Reader) > Manage Trusted Identities.
   2. Choose Certificates in the Display drop down list.
   3. Select the certificate.
   4. Choose Edit Trust.
2. On the Trust tab, select the trust options. In enterprise settings, an administrator should tell you which trust settings to use.
Note: During an import action, recipients of the distributed trust anchor may be able to inherit its trust settings.
Embedded high privilege JavaScript: Trusts embedded scripts. Certificate settings do not override application-level settings, so even if JavaScript is enabled for a particular certificate, it may not execute unless the application’s preferences allow it.
Businesses often use a centrally managed certificate repository such as an LDAP directory server. Directory servers are capable of returning X.509 public key certificates. These servers are searchable so that you can easily expand your list of trusted identities. Both Adobe Acrobat and Adobe Reader for Windows ship with default servers: Versions 7.x:...
Figure 32 Digital ID Directory servers: Server list
3.4.1 Manually Configuring a Directory Server
Some companies store employee digital ID certificates on a networked LDAP server. To access those certificates, add the server to the list of directories used to locate those IDs.
Figure 33 Digital ID Directory servers: Setting server details
3.4.2 Editing Directory Servers Details
Directory server details can be changed at any time.
To edit directory server information:
1.
3.4.4 Specifying a Default Directory Server
A default server may be specified so that it is always used when searching for digital IDs.
To set a default directory server:
1.
Figure 35 Contacts: Viewing details
3. Choose Details.
Figure 36 Edit Contact dialog
4. Edit the details.
5. Choose OK.
3.5.2 Emailing Certificate or Contact Data
You can export certificate and contact data via email directly from the Trusted Identity Manager.
3.5.4 Associating a Certificate with a Contact
A certificate is usually already associated with a contact. However, in certain cases the two may need to be reassociated:
Someone has provided you with new contact information.
Note: The certificate list is populated with the currently associated certificate and any unassociated certificates for the current contact. In other words, the list does not display all of a contact’s certificates; it displays only those that have no contact association.
Figure 39 Contacts: Deleting
Deleting a Certificate
To delete a certificate:
1. Choose Advanced (Acrobat) or Document (Reader) > Manage Trusted Identities.
2.
Security is often added to documents to limit viewing, editing, printing, and other features to only those users that have the required password, a digital ID, or access to an Adobe LiveCycle Rights Management Server. Acrobat’s default security methods not only protect document content from unauthorized access, but also allow users to specify encryption levels and permission settings.
Table 5 Security method pros and cons
Method Pros Cons Password Backward-compatible to Acrobat 3.0 for certain encryption levels. Protection depends on password strength. Simple and easily understood. Anyone who knows the password Share documents by sharing the password.
Note: Password security is unavailable if your administrator has configured your application to operate in FIPS mode.
Certificate security: The user selects what document components to encrypt and then chooses the ...
128-bit RC4 is compatible with Acrobat 6.0 and later as well as other non-Adobe and Adobe PDF clients such as Ghostscript® and Apple Preview® that have not implemented AES. RC4 has a smaller file size by about 32 bytes per stream.
Adobe products enforce permissions restrictions. However, not all third-party products fully support and respect these permissions. Encryption and therefore document access would likely not be impaired, but Adobe cannot guarantee that individual permissions settings will remain functional. Recipients using such third-party products might be able to bypass some of your restrictions.
2. Changes Allowed: Limits page-level editing, commenting, and form field interaction.
None: Prevents users from changing the document, including filling in signature and form fields. ...
Figure 44 Security methods for batch processing
4.2 Changing and Viewing Security Settings
While anyone who can open a document can view its security methods, only those with permission can change those methods.
Figure 46 Document security settings: Certificate security
Figure 47 Document security settings: ALCRMS security
4.2.2 Viewing Document Restrictions
In addition to the encryption and permissions settings enforced by the document’s security method, a document may be subject to additional restrictions if it is signed or certified.
Figure 48 Document Property dialog
4.2.3 Viewing Security Settings in a Browser
To view document security settings in a Web browser:
1. Click on the lock icon in the left-hand pane.
2.
Note: New settings do not appear in the user interface until the document is closed and reopened.
3. If the document is password protected, enter the document password.
4.
User policies: User policies are created and applied by anyone. User password and certificate policies are stored locally while Adobe LiveCycle Rights Management Server policies are stored on the server. Policy authors can edit and delete the policies they create.
4.3.1 Creating Security Policies with Policy Manager
Policies can be created ahead of time or during the course of creating new security settings. When the Security Settings Console appears, simply choose Save these settings as a policy and enter a policy name and optional description (Figure...
1. Choose Advanced > Security > Secure this Document.
2. Highlight a policy.
3. Choose Apply to Document.
4. Save the document.
Tip: If a policy has been designated as a “favorite,” a star appears next to the selected policy. All favorites appear in the security menu (Figure 53).
4. Change the policy’s settings as described in one of the following sections:
Chapter 5, “Password Security”
Chapter 6, “Certificate Security”
Chapter 7, “LiveCycle Rights Management Server Security” ...
To delete a security policy:
1. Choose Advanced > Security > Manage Security Policies (Figure 50).
2. Choose a security policy.
3. Choose Delete.
4. Choose Yes at the confirmation dialog.
5.
Embed file attachments in security envelopes for secure transit.
1. Choose Advanced > Security > Create Security Envelope.
2. Choose Add File To Send.
3. Browse to the documents you want to attach and choose Open. Select any PDFs in the list that you don’t want to include and choose Remove Selected Files.
Password Security
Acrobat users can perform any task in this section. Adobe Reader users can only view encrypted documents and cannot encrypt them for others. Password security provides a simple method for sharing encrypted documents by sharing passwords. Like all security methods, password security can enforce document restrictions on operations such as opening, printing, and editing.
Tip: If the document has both types of passwords, it can be opened with either password. The document open password and permissions password cannot be identical.
At a high level, adding password security includes specifying encryption settings, creating a Document Open password (if needed), creating a Permissions password (if needed), specifying permissions settings, and saving the document...
1. Compatibility: The compatibility options determine what encryption options will be available. Compatibility with earlier versions of Acrobat may mean all document contents will have to be encrypted.
Tip: Adobe recommends that permission passwords and document open password always be used together. The permissions password is used to change permissions and is NOT needed to gain access to the features the author is permitting. Thus, holders of the permissions password are essentially “owners”...
11. Choose OK.
12. Reenter the Document Open and/or Permissions passwords (if any) when asked to confirm it and choose OK.
13. Choose Finish.
5.1.2 Creating Password Security for One-Time Use
Use this method if you:
Need to make the document backward-compatible to Acrobat 3.0.
Adobe products enforce permissions restrictions. However, not all third-party products fully support and respect these permissions. Encryption and therefore document access would likely not be impaired, but Adobe cannot guarantee that individual permissions settings will remain functional. Recipients using such third-party products might be able to bypass some of your restrictions.
2. Changes Allowed: Limits page-level editing, commenting, and form field interaction.
None: Prevents users from changing the document, including filling in signature and form fields. ...
5.2 Opening a Password-Protected Document
You must know the Document Open or Permissions password to open the document.
To open a password protected document:
1. Open the document.
2.
5.5 Password Recovery
Caution: There is no way to recover a lost password from a document. Keep a backup copy that is not password-protected.
Certificate Security
Acrobat users can perform any task in this section. Adobe Reader users can only view encrypted documents and not encrypt them for others. If you share documents that require high security, you may need certificate security. Businesses use certificate security because a public key infrastructure (PKI) enables central management by an administrator.
6.1 Setting up the Certificate Security Environment
If you’re going to use certificate security, consider doing the following:
Configuring Acrobat to use certificates in the Windows Certificate store as well as those in the Acrobat ...
Figure 62 Windows integration
The Windows Certificate Store will now appear in the Search for Recipients dialog’s directory list. The dialog can be invoked from two locations:
From a certificate security workflow: Set the encryption settings, choose Next, and then choose ...
Figure 63 Choosing a certificate for encryption
6.2 Working with Groups of Contacts
Contacts can be added to a group so that all group members can easily share a predefined set of permissions and restrictions.
3. Add or remove a contact:
Adding a contact: Choose Add, select a contact from the contact list, and choose OK twice.
Removing a contact: Select a contact, choose Remove, and choose OK. ...
1. Choose Advanced > Security > Manage Security Policies.
2. Choose New.
3. Select Use public key certificates.
4. Choose Next.
5. Enter a policy name and optional description.
Figure 66 Security policy: General settings
6.
128-bit RC4: Compatible with Acrobat 6.0 and later as well as other non-Adobe and Adobe PDF clients such as Ghostscript and Apple Preview that have not implemented AES. RC4 has a smaller file size by about 32 bytes per stream.
Control or Shift keys.
2. Choose Permissions.
3. When an alert appears stating that non-Adobe products may not respect these settings, choose OK.
4. Check Restrict printing and editing of the document and security settings.
1. Printing Allowed:
None: Prohibits printing.
Low Resolution: Limits printing to 150-dpi resolution. Printing may be slower because each page is printed as a bitmapped image. This option is only available if a high encryption level (Acrobat 5 or Acrobat 6) is selected.
Adobe products enforce permissions restrictions. However, not all third-party products fully support and respect these permissions. Encryption and therefore document access would likely not be impaired, but Adobe cannot guarantee that individual permissions settings will remain functional. Recipients using such third-party products might be able to bypass some of your restrictions.
5. Choose the encryption algorithm:
128-bit RC4: Compatible with Acrobat 6.0 and later as well as other non-Adobe and Adobe PDF clients such as Ghostscript and Apple Preview that have not implemented AES. RC4 has a smaller file size by about 32 bytes per stream.
Figure 70 Choosing a digital ID for certificate security
8. If you have more than one digital ID, choose the digital ID persistence level.
Ask me which digital ID to use next time ...
Control or Shift keys.
2. Choose Permissions.
3. When an alert appears stating that non-Adobe products may not respect these settings, choose OK.
4. Check Restrict printing and editing of the document and security settings.
2. Changes Allowed: Limits page-level editing, commenting, and form field interaction.
None: Prevents users from changing the document, including filling in signature and form fields. ...
1. Configure certificate security as described in “Creating Certificate Security Settings” on page 78. When you are prompted to add document recipients to the recipient list, choose Search.
2.
Figure 73 Opening an encrypted document: With certificate security...
LiveCycle Rights Management Server Security
Adobe LiveCycle Rights Management Server (ALCRMS) security is only available to users with access to an Adobe LiveCycle Rights Management Server.
Tip: This document provides a cursory overview of the ALCRMS features. For information on configuring your application to use an Adobe LiveCycle Rights Management Server, log in to the server and use the help system.
7.1.1 Importing ALCRMS Settings from an FDF file
Adobe LiveCycle Rights Management Server settings can be distributed via FDF files. Both users and administrators can import and export server settings in the same way as timestamp and directory server information is imported and exported.
7.1.4 Managing your ALCRMS Account
To manage your ALCRMS Account:
1. Choose Advanced > Security > Adobe LiveCycle Rights Management > Manage My Account.
2. If prompted, enter a username and password and choose OK.
3. Manage your account as described in the Adobe LiveCycle Rights Management Help documentation.
1. Choose Advanced > Security > Manage Security Policies.
2. Highlight a policy.
3. Choose Apply to Document.
7.2.3 Refreshing the Security Policy List
To refresh the list of available ALCRMS policies:
1. Choose Advanced > Security > Adobe LiveCycle Rights Management > Refresh Security Policies.
Synchronizing a document for offline use allows you to get the latest version so that you can access it when you are not connected to the network.
To synchronize a document:
1. Choose Advanced > Security > Adobe LiveCycle Rights Management > Synchronize for Offline.
2. If prompted, enter a username and password and choose OK.
External Content and Document Security
Document access to internal and external content such as the Internet, attachments, and embedded multimedia represents a security risk. Users should configure their application so that it operates at an acceptable risk level. In enterprise settings, administrators should either preconfigure client installations or distribute instructions for setting up the application correctly.
Add Folder Path: If you have a large number of files that you trust, specify an entire directory.
Add Host: Enter the name of the root URL only. For example, enter www.adobe.com but not www.adobe.com/products. To only allow higher privileges for files accessed from secure connections, select the option for Secure Connections Only (https:).
8.1.2 Changes in FDF Behavior
FDF files are data exchange files. Like acrobatsecurity files, they help you move certificate, server, and other data from one machine to another. This data transfer usually involves some mechanism such as data injection into a PDF form field, installing files, executing a script, and so on.
8.1.4 Make Privileged Folder Locations Recursive

You can extend privileged locations to be recursive by configuring a registry setting. For details, refer to the Security Administration Guide for Acrobat 9.0 and Adobe Reader 9.0.

8.2 Controlling Multimedia

The Acrobat family of products has a notion of trusted documents and other documents (documents that have not been trusted).
Configuring Multimedia Trust Preferences

If your multimedia trust preferences result in a prompt asking whether you want to play multimedia, the Manage Trust for Multimedia Content dialog will offer various options that may allow you to trust the document.
Setting JavaScript Options

your system. Participants in certification workflows should consider the source of the document and the security of the workflow before enabling dynamic content. Whether dynamic content executes in certified documents based on the Trusted Document or Other Document settings depends on two items under your control:
You can configure a certified document to use the trusted document settings on a per-certificate basis ...
To block or allow execution of all JavaScript from the tool bar:
1. Choose one of the following:
   Acrobat and Adobe Reader (Windows): Edit > Preferences > JavaScript
   Acrobat and Adobe Reader (Macintosh): (Application) > Preferences > JavaScript
...
8.4 Adobe Trusted Identity Updates

In order to facilitate workflows that use certificates, Adobe occasionally sends new certificates configured as trust anchors to application users. These certificates allow you to validate signatures that are signed with certificates that chain up to those trusted certificates. In other words, you can validate those signatures without the extra steps of trusting each signer’s certificate or manually configuring another...
Default Behavior: Black and White Lists

Be aware of dangerous file types and how the application manages those types. Adobe applications maintain Black Lists and White Lists which control application behavior.
Table 4 Default prohibited file types

Extension  Description
.ade       Access Project Extension (Microsoft)
.adp       Access Project (Microsoft)
.app       Executable Application
.asp       Active Server Page
.bas       BASIC Source Code...
Table 4 Default prohibited file types

Extension  Description
.mad       Access Module Shortcut (Microsoft)
.maf       Access (Microsoft)
.mag       Access Diagram Shortcut (Microsoft)
.mam       Access Macro Shortcut (Microsoft)
.maq...
Table 4 Default prohibited file types

Extension  Description
.sit       Compressed archive of Mac files (Stuffit)
.tar       Tape Archive file
.tgz       UNIX Tar file Gzipped
.tmp...
Figure 85 Launch Attachment dialog

8.5.3 Resetting the Black and White Lists

Because the registry list could grow over time and users do not have direct access to the lists through the user interface, resetting the list to its original state may result in the highest level of security.
8.6 Controlling Access to Referenced Files and XObjects

Your application can inform you when a PDF file is attempting to access external content identified as a stream object by flags as specified in the PDF Reference.
8.7.1 Turning Internet Access Off and On

To block or allow all Web sites:
1. Choose Edit > Preferences (Windows) or Acrobat > Preferences (Macintosh).
2.
To configure Internet resource access on a per-URL basis, add specific Web sites to the black and white lists:
1. Choose Edit > Preferences (Windows) or Acrobat (or Adobe Reader) > Preferences (Macintosh).
2. Select Trust Manager in the Categories panel.
ID data, trust, server details, signing preferences, and so on. Settings can only be exported from Acrobat but settings can be imported by both Acrobat and Adobe Reader.

9.1.1 Exporting Security Settings to a File

Settings can only be exported from Acrobat.
10. Sign and save the file. If you don’t know how to certify a file, refer to the Digital Signatures User Guide.

9.1.2 Importing Security Settings from a File

Settings can be imported by both Acrobat and Adobe Reader.

To import security settings:...
Acrobat Family of Products Migrating and Sharing Security Settings Security Feature User Guide

1. Choose Advanced > Security > Import Security Settings.
2. Browse to an .acrobatsecuritysettings file.
3. Choose Open.
4. acrobatsecuritysettings files must be certified and are therefore signed. You can verify the signer’s identity by choosing the Signature Properties in the Document Message Bar and reviewing the signer’s details.
9.2 Sharing Settings & Certificates with FDF

Acrobat and Adobe Reader support the use of FDF files to exchange data between the Acrobat family of client and server products. FDF files use a .fdf extension, and like .pdf, it is registered by Adobe so that the...
FDF features:
Import and export of digital ID certificates.
Import and export of server settings for an Adobe LiveCycle Rights Management Server, LDAP directory servers, roaming credential servers, and timestamp servers.
Creation by a user (through the application) or by a server programmatically.
FDF Files and Security

“Exporting Your Certificate” on page 121
“Emailing Your Certificate” on page 122
“Saving Your Digital ID Certificate to a File” on page 123
...
Table 5 Rules for opening a PDF via FDF

Action          location  location     8.x behavior  9.x behavior
Data injection  server    Application  Allowed       Allowed if: PDF makes EFS POST/GET and FDF sends ...
When Acrobat exports a certificate, it automatically exports other selected certificates in that certificate’s chain and includes them in the FDF file.
1. Choose Advanced (Acrobat) or Document (Adobe Reader) > Manage Trusted Identities.
2. Choose Certificates in the Display drop-down list.
Figure 99 Selecting a certificate chain for export

6. Choose Export.
7. Choose one of the following:
   Email the data to someone: Emailing the data automatically creates an FDF file that other Adobe product users can easily import.
   Save the exported data to a file: Acrobat FDF Data Exchange. FDF is a format recognized by the ...
When distributing a trusted root in a signed file that the FDF recipient can validate, set the certificate trust level:
1. Choose Advanced (Acrobat) or Document (Adobe Reader) > Manage Trusted Identities.
2. Choose Certificates in the Display drop-down list.
To email a digital ID certificate:
1. Choose Advanced (Acrobat) or Document (Adobe Reader) > Security Settings.
2. Select Digital IDs in the left-hand tree.
3. Highlight an ID in the list on the right. If you have more than one, choose the one that is appropriate for the usage context.
Certificate Message Syntax - PKCS#7: Save the file as a PKCS7 file. Use this format when the data will be imported into a non-Adobe store such as the Macintosh key store or Windows Certificate Store.
7. Choose Next.
When you request digital ID information from someone, the application automatically attaches to the email an FDF file containing your contact information and certificate.

To request a certificate from someone:
1. Choose Advanced (Acrobat) or Document (Adobe Reader) > Manage Trusted Identities.
2. Choose Request Contact.
Figure 103 Emailing a certificate request
3.
Save, and then choose OK. Tell the intended recipient(s) where to find the file.

9.2.2.7 Emailing Server Details

Adobe LiveCycle Rights Management Server, directory server, roaming credential server, and timestamp server details can be exported to an FDF file for distribution to one or more people. Server information sent via an email resides in an attached FDF file.
12. Choose Finish.

9.2.2.8 Exporting Server Details

Adobe LiveCycle Rights Management Server, directory server, roaming ID, and timestamp server details can be exported to an FDF file for distribution to one or more people. Server information can be written to a file and saved to any location.
ID so that it can be added to their trusted identities list. One way someone can get your ID is to request it in an email. To request your certificate, a user will simply choose Advanced (Acrobat) or Document (Adobe Reader) > Manage Trusted Identities and then choose Request Contact. Acrobat automatically attaches an FDF file with their public certificate to an email that requests your digital ID.
Importing Application Settings with FDF Files

To respond to an email digital ID request:
1. Double click the attached FDF file.
2. Choose Email your Certificate.
Figure 109 Emailing your certificate
3.
To add someone’s certificate to your list of trusted identities:
1. Click on the FDF file or from Acrobat or Adobe Reader choose File > Open. The digital ID certificate may be sent directly from Acrobat as an email attachment or may reside in a networked directory.
To add multiple certificates to the trusted identities list all at once:
1. Click on the FDF file or from Acrobat or Adobe Reader choose File > Open. The digital ID certificate may be sent directly from Acrobat as an email attachment or may reside in a networked directory.
Figure 113 Importing multiple certificates

2. If the FDF file is signed, the signature can be validated, AND a trust level has been specified by the sender, check or uncheck Accept the level of Trust specified by the signer for all Contacts in this file.
1. Locate the FDF file: find the file in an email or on the local file system and double click on it. The FDF can also be imported through the Security Settings Console by choosing Advanced (Acrobat) or Document (Adobe Reader) > Security Settings, selecting Time Stamp Servers in the left-hand list, and choosing Import.
If No is selected, a default timestamp server must be set before timestamps can be used. To set a default timestamp server, choose Advanced (Acrobat) or Document (Adobe Reader) > Security Settings > Time Stamp Servers, select a server, and choose Set Default.
1. Locate the FDF file: find the file in an email or on the local file system and double click on it. The FDF can also be imported through the Security Settings Console by choosing Advanced (Acrobat) or Document (Adobe Reader) > Security Settings, selecting Directory Servers in the left-hand list, and choosing Import.
1. Locate the FDF file: find the file in an email or on the local file system and double click on it. The FDF can also be imported through the Security Settings Console by choosing Advanced (Acrobat) or Document (Adobe Reader) > Security Settings, selecting Adobe LiveCycle Rights Management Servers in the left-hand list, and choosing Import.
4. Choose OK.
5. Choose Import.
6. If you do not already have a default Adobe LiveCycle Rights Management Server, a dialog appears asking whether or not you want to make this your default server. Choose Yes or No.
7. Choose OK.
Figure 120 Importing roaming ID server settings

3. Choose Import.
4. Verify the roaming ID account name and server URL.
Figure 121 Roaming ID server name and URL
5.
Click on the FDF file. It may be an email attachment or a file on a network or your local system.
In Acrobat or Adobe Reader choose File > Open, browse to the FDF file, and choose Open.
...
Note: During an import action, recipients of the distributed trust anchor may be able to inherit its trust settings. Once you’ve verified the sender, you usually want to accept these settings so you can use the certificate the way the sender intended.
application environment be configured correctly. For details, see “Setting JavaScript Options” on page 101.
Privileged system operations (networking, printing, file access, etc.): Some operations ...
See PKCS#7.
.pfx: See PKCS#12.
Adobe Profile Files: Adobe's legacy certificate format not used after Acrobat 5. The certificates are stored in .apf files. This format is not supported as of version 9.0.
ALCRMS: Adobe LiveCycle Rights Management Server.
approval signature: A signature used to indicate approval of, or consent on, the document terms.
An Adobe security partner that has joined the Adobe CDS program to provide CDS digital IDs to end users and organizations. As of Acrobat 6, Adobe Reader and Acrobat trust CDS digital IDs and are able to validate signatures that use GeoTrust digital IDs, without requiring any special application configuration.
If you double click on a .p7c file it will be viewed by a Windows application.
Policy Server: As of Acrobat 9, Adobe Policy Server is renamed to Adobe LiveCycle Rights Management Server.
privileged context: A context in which you have the right to do something that’s normally restricted. Such a right (or privilege) could be granted by executing a method in a specific way (through the console or batch process), by some PDF property, or because the document was signed by someone you trust.