Sun Java System Calendar Server 6 2005Q1 Administration Guide
Chapter 8
Configuring SSL
Calendar Server supports the Secure Sockets Layer (SSL) protocol to encrypt data between calendar client end users and Calendar Server. To support SSL, Calendar Server uses the SSL libraries of Netscape Security Services (NSS), which Sun Java System Messaging Server also uses.
You can configure Calendar Server in the ics.conf file to encrypt only the Calendar Server login and password, or to encrypt the entire calendar session.
This chapter covers the following topics.
Configuring SSL for Calendar Server
To configure SSL for Calendar Server, perform the following steps.
Creating an SSL Certificate Database
To implement SSL for Calendar Server, you need a certificate database. The certificate database must define a certificate authority (CA) and the certificate for Calendar Server.
Mozilla Tools
This release includes the following Mozilla tools.
- Certificate Database Tool (certutil), which creates and manages the certificate database. For more information, see the following website.
http://mozilla.org/projects/security/pki/nss/tools/certutil.html
- Security Module Database Tool (modutil), which displays information about the available security modules. For more information, see the following website.
http://mozilla.org/projects/security/pki/nss/tools/modutil.html
These utilities are available in the following directory.
/opt/SUNWics5/cal/lib
Alternatively, you can download the latest version from the website.
Library Path Variable
Before using the Mozilla tools, set the LD_LIBRARY_PATH variable correctly. For example:
setenv LD_LIBRARY_PATH /opt/SUNWics5/cal/lib
Example Files and Directories
The examples in this chapter use the following files and directories.
- sslPasswordFile is a text file that contains the certificate database password. This file is used by the certutil utility, not by Calendar Server. Create sslPasswordFile in the following directory.
/etc/opt/SUNWics5/config
- /etc/passwd provides entropy for random number generation. That is, this directory is used to generate diverse and unique seeds that help the random number generator produce truly random results.
To Create a Certificate Database
- Log in as superuser (root).
- Specify the certificate database password for certutil in /etc/opt/SUNWics5/config/sslPasswordFile. For example:
# echo 'password' > /etc/opt/SUNWics5/config/sslPasswordFile
where password is your specific password.
- Create the certificate database alias directory. For example:
# cd /var/opt/SUNWics5
# mkdir alias
- Go to the bin directory and create the certificate database (cert7.db) and key database (key3.db). For example:
# cd /opt/SUNWics5/cal/bin
# ./certutil -N -d /var/opt/SUNWics5/alias \
    -f /etc/opt/SUNWics5/config/sslPasswordFile
- Generate a default self-signed root certificate authority certificate. For example:
# ./certutil -S -n SampleRootCA -x -t "CTu,CTu,CTu" \
    -s "CN=My Sample Root CA, O=sesta.com" -m 25000 \
    -d /var/opt/SUNWics5/alias \
    -f /etc/opt/SUNWics5/config/sslPasswordFile \
    -z /etc/passwd
- Generate a certificate for the host. For example:
# ./certutil -S -n SampleSSLServerCert -c SampleRootCA -t "u,u,u" \
    -s "CN=hostname.sesta.com, O=sesta.com" -m 25001 \
    -o /var/opt/SUNWics5/alias/SampleSSLServer.crt \
    -d /var/opt/SUNWics5/alias -f /etc/opt/SUNWics5/config/sslPasswordFile \
    -z /etc/passwd
where hostname.sesta.com is the server host name.
- Validate the certificates. For example:
# ./certutil -V -u V -n SampleRootCA -d /var/opt/SUNWics5/alias
# ./certutil -V -u V -n SampleSSLServerCert -d /var/opt/SUNWics5/alias
- List the certificates. For example:
# ./certutil -L -d /var/opt/SUNWics5/alias
# ./certutil -L -n SampleSSLServerCert -d /var/opt/SUNWics5/alias
- Use modutil to list the available security modules (secmod.db). For example:
# ./modutil -list -dbdir /var/opt/SUNWics5/alias
- Change the owner of the alias files to icsuser and icsgroup (or to the user and group ID under which Calendar Server will run). For example:
# find /var/opt/SUNWics5/alias -exec chown icsuser {} \;
# find /var/opt/SUNWics5/alias -exec chgrp icsgroup {} \;
Requesting and Importing a Certificate From a Root Certificate Authority (CA)
The following steps generate a certificate request, submit it to a Public Key Infrastructure (PKI) website, and then import the resulting certificate.
To Request and Import a Certificate From a Root Certificate Authority
- Log in as superuser (root).
- Go to the bin directory.
# cd /opt/SUNWics5/cal/bin
- Use certutil to create a certificate request based on the certificate authority or Public Key Infrastructure (PKI) website. For example:
# ./certutil -R -s "CN=hostname.sesta.com, OU=hostname / SSL Web Server, O=Sesta, C=US" \
    -p "408-555-1234" -o hostnameCert.req -g 1024 \
    -d /var/opt/SUNWics5/alias \
    -f /etc/opt/SUNWics5/config/sslPasswordFile \
    -z /etc/passwd -a
where hostname.sesta.com is the host name.
- Request a test certificate for the SSL web server from the certificate authority or Public Key Infrastructure (PKI) website. Copy the contents of the hostnameCert.req file and paste them into the certificate request.
When the certificate has been signed and is available for pickup, the administrator is notified.
- Copy the certificate authority certificate chain and the SSL server certificate into text files.
- Import the CA certificate chain into the certificate database to establish the chain of trust. For example:
# ./certutil -A -n "GTE CyberTrust Root" -t "TCu,TCu,TCuw" \
    -d /var/opt/SUNWics5/alias -a -i /export/wspace/Certificates/CA_Certificate_1.txt \
    -f /etc/opt/SUNWics5/config/sslPasswordFile
# ./certutil -A -n "Sesta TEST Root CA" -t "TCu,TCu,TCuw" \
    -d /var/opt/SUNWics5/alias -a -i /export/wspace/Certificates/CA_Certificate_2.txt \
    -f /etc/opt/SUNWics5/config/sslPasswordFile
- Import the signed SSL server certificate.
# ./certutil -A -n "hostname SSL Server Test Cert" -t "u,u,u" \
    -d /var/opt/SUNWics5/alias -a -i /export/wspace/Certificates/SSL_Server_Certificate.txt \
    -f /etc/opt/SUNWics5/config/sslPasswordFile
- List the certificates in the certificate database.
# ./certutil -L -d /var/opt/SUNWics5/alias
- Configure the SSL server nickname in the ics.conf file to be the signed SSL server certificate.
Example: "hostname SSL Server Test Cert"
Note: The host name in the service.http.calendarhostname and service.http.ssl.sourceurl parameters in the ics.conf file must match the host name in the SSL certificate (in case the system has several aliases).
Example: calendar.sesta.com
Configuring SSL Parameters in the ics.conf File
To implement SSL for Calendar Server, you must set specific parameters in the ics.conf file. If any of the parameters listed in Table 8-1 are not in the ics.conf file, add them to the file and specify their values. Because ics.conf is read only at system startup (when start-cal is run), new values do not take effect until Calendar Server is restarted. For details about these SSL parameters, see SSL Configuration.
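The host name requirement for service.http.calendarhostname and service.http.ssl.sourceurl can be checked with a short script. This is an added example, not part of the original guide: the function names are hypothetical, the sample configuration is constructed, and the script assumes ics.conf uses parameter = "value" lines with "!" starting a comment line.

```sh
# Added example, not from the original guide. Assumes ics.conf holds
# parameter = "value" lines and that "!" starts a comment line.

# Print the last value assigned to parameter $2 in ics.conf file $1.
ics_param() {
    awk -v key="$2" '
        /^[ \t]*!/ { next }
        {
            i = index($0, "="); if (i == 0) next
            k = substr($0, 1, i - 1); v = substr($0, i + 1)
            gsub(/[ \t]/, "", k)
            sub(/^[ \t]*"?/, "", v); sub(/"?[ \t]*$/, "", v)
            if (k == key) val = v
        }
        END { print val }' "$1"
}

# Reduce a URL such as https://host:443/path to its lower-cased host part.
url_host() {
    printf '%s\n' "$1" | sed -e 's#^[A-Za-z][A-Za-z0-9+.-]*://##' -e 's#[:/].*$##' | tr 'A-Z' 'a-z'
}

# Extract the lower-cased CN from a subject string like "CN=host, O=org".
subject_cn() {
    printf '%s\n' "$1" | sed -n 's/^.*CN=\([^,"]*\).*$/\1/p' | tr 'A-Z' 'a-z'
}

# Return 0 only if both ics.conf host names equal the certificate CN.
check_ssl_hostnames() {   # usage: check_ssl_hostnames <ics.conf> <subject>
    want=$(subject_cn "$2"); rc=0
    cal=$(ics_param "$1" service.http.calendarhostname | tr 'A-Z' 'a-z')
    src=$(url_host "$(ics_param "$1" service.http.ssl.sourceurl)")
    for have in "$cal" "$src"; do
        if [ -z "$want" ] || [ "$have" != "$want" ]; then
            echo "MISMATCH: ics.conf has '$have', certificate CN is '$want'" >&2; rc=1
        fi
    done
    return "$rc"
}

# Constructed sample configuration (not from a real system).
sample=$(mktemp); trap 'rm -f "$sample"' EXIT
cat > "$sample" <<'EOF'
! constructed sample
service.http.calendarhostname = "calendar.sesta.com"
service.http.ssl.sourceurl = "https://calendar.sesta.com:443"
service.http.ssl.port = "443"
EOF
check_ssl_hostnames "$sample" "CN=calendar.sesta.com, O=sesta.com" && echo "host names match"
```

On a live system, pass the real ics.conf path and the Subject line that certutil -L -n prints for the server certificate nickname.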
Troubleshooting SSL
First, back up the certificate database regularly in case an unrecoverable problem occurs. If you have a problem with SSL, check the following.
Checking the cshttpd Process
SSL requires the Calendar Server cshttpd process to be running. To check whether cshttpd is running, use the following command.
# ps -ef | grep cshttpd
Verifying Certificates
To list the certificates in the certificate database and check their validity dates, use the following command.
# ./certutil -L -d /var/opt/SUNWics5/alias
Reviewing the Calendar Server Log Files
Check the Calendar Server log files for SSL errors. For more information, see Using Calendar Server Log Files.
Connecting to the SSL Port
Use a browser and the following URL to connect to the SSL port.
https://server-name:ssl-port-number
where:
server-name is the name of the server on which Calendar Server is running.
ssl-port-number is the SSL port number specified by the service.http.ssl.port parameter in the ics.conf file. The default is 443.