This chapter describes how to configure Sun Java System Messaging Server 6.3 for SSL and the Solaris Cryptographic Framework (SCF). This is a three-step process where you configure Messaging Server for SSL (optional), configure the Solaris Cryptographic Framework, then configure Messaging Server to use SCF.
The Solaris Cryptographic Framework (SCF) provides a common store of algorithms and PKCS#11 libraries to handle cryptographic requirements. The PKCS#11 libraries are implemented according to the cryptography standard created by RSA Security Inc., PKCS#11 Cryptographic Token Interface (Cryptoki). See Chapter 8, Introduction to the Solaris Cryptographic Framework, in Oracle Solaris Security for Developers Guide for more information. The Solaris Cryptographic Framework is available in the Solaris 10 Operating System and Solaris Express releases.A PKCS#11 module (also called a cryptographic module or a cryptographic service provider) manages cryptographic services such as encryption and decryption through the PKCS#11 interface. PKCS#11 modules can be thought of as drivers for cryptographic devices that can be implemented in either software or hardware. A PKCS#11 module always has one or more slots, which can be implemented as physical hardware slots in some form of physical reader (for example, for smart cards) or as conceptual software slots. Each slot for a PKCS#11 module can in turn contain a token, which is the hardware or software device that actually provides cryptographic services and optionally stores certificates and keys. A hardware token is a PKCS#11 token implemented in physical devices, such as hardware accelerators and smart cards. A software token is a PKCS#11 token implemented entirely in software.Messaging Server is configured to use the NSS built-in soft token for its cryptographic needs. Any PKCS#11 module that supports PKCS#11 can be used with NSS libraries, so the Solaris Cryptographic Framework can be used as the cryptographic service provider for Messaging Server.
This section describes the procedures you use to create the secmod, key3, and cert8 databases, obtain a certificate, and install the certificate for the NSS built-in soft token. Completing such procedures enables SSL on your Messaging Server deployment.
If you already have a Messaging Server deployment configured for SSL, skip this section and proceed to "Configuring Individual Messaging Processes for SSL".
The pk12util command is the primary mechanism for managing certificates. It allows you to generate a certificate request, add a certificate to the certificate database, list certificates in the certificate database, and so on. The pk12util command, like all Messaging Server commands, runs as mailsrv. Thus, even if you execute pk12util as root, it executes as the Messaging Server user. The pk12util utility is located in the MessagingServer_home/bin directory, where MessagingServer_home is the location of the Messaging Server installation, by default /opt/sun/comms/messaging64.
For detailed information about the pk12util command, type:
MessagingServer_home/bin/pk12util --help
The following procedure generates secmod, key3, and cert8 databases, and also creates the sslpassword.conf file. By default, certificates are generated in the MessagingServer_home/config directory.You can also specify the location and prefix of the certificate databases by using the following local.ssldbprefix configuration parameter.The Messaging Server user (for example, mailsrv) should be able to read and write to local.ssldbpath.
To create the certificate database and add certificate/key pairs:
Change directories to the Messaging Server sbin directory.
cd MessagingServer_home/bin
Run the following command:
pk12util generate-certDB
This utility prompts you for a password to protect the keys and certificates in the certificate database.
Choose the Certificate Database password. (The password is not echoed on the screen.)
Confirm the Certificate Database password. (The password is not echoed on the screen.)
Confirm that the required databases and the sslpassword.conf file were created.
# ls -lrt ../config/*.db ../config/sslpassword.conf -rw------- 1 mailsrv mail 32768 Nov 16 04:40 ../config/secmod.db -rw------- 1 mailsrv mail 65536 Nov 16 04:40 ../config/cert8.db -rw------- 1 mailsrv mail 32768 Nov 16 04:40 ../config/key3.db -rw-r----- 1 mailsrv mail 36 Nov 16 04:40 ../config/sslpassword.conf # cat ../config/sslpassword.conf Internal (Software) Token:12345678
By default, the pk12util command creates a self-signed-certificate with the nickname Server-Cert. You can either remove this or use the self-signed-certificate.
The following example shows how to remove this default self-signed-certificate:
pk12util remove-cert -W MessagingServer_home/config/sslpassword Server-Cert
Request a CA-signed server certificate.
To the pk12util request-cert command, specify the cert request to be in ASCII format (the default is binary). The resulting certificate request is a PKCS#10 certificate request in Privacy Enhanced Mail (PEM) format. PEM is format specified by RFCs 1421 through 1424 (RFC 1421) and used to represent a base64-encoded certificate request in US-ASCII characters.
For example:
# echo "12345678" > MessagingServer_home/config/sslpassword
Note:
This is the same password you used to generate the certificate database.
pk12util request-cert -W MessagingServer_home/config/sslpassword
--name "foobar.siroe.com" --org "Development" --org-unit "Comms" --city
Santaclara --state California --country us -F ascii -o /tmp/MyCertRequest
The content of the Certificate Signing Request (CSR) looks similar to this:
# cat /tmp/MyCertRequest -----BEGIN NEW CERTIFICATE REQUEST----- MIIBvzCCASgCAQAwfzELMAkGA1UEBhMCdXMxEzARBgNVBAgTCkNhbGlmb3JuaWEx EzARBgNVBAcTClNhbnRhY2xhcmExDjAMBgNVBAsTBWNvbW1zMRQwEgYDVQQKEwtE ZXZlbG9wbWVudDEgMB4GA1UEAxMXYmlvdGl0ZS5yZWQuaXBsYW5ldC5jb20wgZ8w DQYJKoZIhvcNAQEBBQADgY0AMIGJAoGBALFCDfmu1uYFy3DtHAo/kJUFqXF6utq2 ga+Tow2PNEyuX+70SqyZ0vFwiL8di9b1mLMHLp3WBDPmXjVfNkANHk6Q38RlfyzT 7iYpvhi6+4OVthzC65FaqwnEEiodZ7z7yx8vRhj4lVxeoNJpJexGr1MHuYr8tobe ljgEmrLP17aNAgMBAAGgADANBgkqhkiG9w0BAQQFAAOBgQANzqjEwcnnmdXjo/KH buolHi1hNEYoDsXWIlTi78xkH+7gtfCPkymFzTy5mS58PzAqyWm81MZKXj39C+Eq DOCJmZYRt3lG6wo0M8nMoQLHsVSHfGZxOyppupzYsmVfszhczr0EEHJP66itDPW2 /jHGRbhXfeJNhKsisscd/YYkEQ==
Transmit the CSR to your Certificate Authority, according to its procedures.
The process for obtaining your Certificate Authority certificate differs depending on the certificate authority you use. Some commercial CAs provide a web site that enables you to automatically download the certificate. Other CAs email the certificate to you upon request. After you have sent your request, you must wait for the CA to respond with your certificate.
Save the certificate you receive back from the Certificate Authority.
You should back up your certificates in a safe location. If you ever lose the certificates, you can reinstall them by using your backup file. You can save the certificates as text files. The PKCS#11 certificate in PEM format looks similar to the following:
-----BEGIN CERTIFICATE----- MIIDmTCCAwKgAwIBAgIBZjANBgkqhkiG9w0BAQQFADCBhjELMAkGA1UEBhMCVVMx EzARBgNVBAgTCkNhbGlmb3JuaWExDzANBgNVBAoTBlNTRS1TVzEPMA0GA1UECxMG UG9ydGFsMRgwFgYDVQQDEw9WZWVyYSBOYXRhcmFqYW4xJjAkBgkqhkiG9w0BCQEW F3ZlZXJhLm5hdGFyYWphbkBzdW4uY29tMB4XDTA2MTExNjA3MDIyN1oXDTA3MTEx NjA3MDIyN1owfzELMAkGA1UEBhMCdXMxEzARBgNVBAgTCkNhbGlmb3JuaWExEzAR BgNVBAcTClNhbnRhY2xhcmExFDASBgNVBAoTC0RldmVsb3BtZW50MQ4wDAYDVQQL EwVjb21tczEgMB4GA1UEAxMXYmlvdGl0ZS5yZWQuaXBsYW5ldC5jb20wgZ8wDQYJ KoZIhvcNAQEBBQADgY0AMIGJAoGBALFCDfmu1uYFy3DtHAo/kJUFqXF6utq2ga+T ow2PNEyuX+70SqyZ0vFwiL8di9b1mLMHLp3WBDPmXjVfNkANHk6Q38RlfyzT7iYp vhi6+4OVthzC65FaqwnEEiodZ7z7yx8vRhj4lVxeoNJpJexGr1MHuYr8tobeljgE mrLP17aNAgMBAAGjggEbMIIBFzAJBgNVHRMEAjAAMDUGCWCGSAGG+EIBDQQoFiZT dW5PTkUtUFRTIFBvcnRhbDogT3BlblNTTCBDZXJ0aWZpY2F0ZTAdBgNVHQ4EFgQU wkhhgKwbt1P8SXrRHpesVuhel0gwgbMGA1UdIwSBqzCBqIAUIALOde3lgiZiUwXo PTiN/YaJKoihgYykgYkwgYYxCzAJBgNVBAYTAlVTMRMwEQYDVQQIEwpDYWxpZm9y bmlhMQ8wDQYDVQQKEwZTU0UtU1cxDzANBgNVBAsTBlBvcnRhbDEYMBYGA1UEAxMP VmVlcmEgTmF0YXJhamFuMSYwJAYJKoZIhvcNAQkBFhd2ZWVyYS5uYXRhcmFqYW5A c3VuLmNvbYIBADANBgkqhkiG9w0BAQQFAAOBgQAdsOxEygD/Rbj4NWHhTrAZcn2B mWv40MFS1oAgJSMc5BPTBGHcSnnLEh0ZApFLfWknVro4ubW3mb5ByaHoR3sOsxAO 4705avDUgX2g+4V80ef2CVOo5AoZRNMgVMt4Ju3D1PDZsDWQstbfV3PTeMyAzy/7 NZh1+adCuh8J+Rhl4Q== -----END CERTIFICATE-----
Follow the same steps described previously to obtain additional certificates.
To add certificates to the NSS software token:
Save the signed certificate into a temporary location, for example:
/tmp/caissuedFirstCert
For this example, a second signed certificate was also obtained using the previous procedure and saved as the following:
/tmp/caissuedSecondCert
Install the CA-signed server certificates.
pk12util add-cert -W MessagingServer_home/config/sslpassword Server-Cert /tmp/caissuedFirstCert pk12util add-cert -W MessagingServer_home/config/sslpassword SolCrypto-Framework /tmp/caissuedSecondCert
Repeat Steps 1 and 2 for other certificates you have obtained.
Verify that the certificates have been successfully installed.
pk12util list-certs -W MessagingServer_home/config/sslpassword
...
2 certificates found
This section describes the procedures you use to configure the various Messaging Server processes for SSL.
To configure the MMP for SSL:
Set the SSL certificate nickname.
Edit the ImapProxyAService.cfg and PopProxyAService.cfg files as follows, modifying the line default:SSLCertNickNames to "Server-Cert".
# cd MessagingServer_home/data/config
ImapProxyAService.cfg: default:SSLCertNicknames "Server-Cert"
PopProxyAService.cfg: default:SSLCertNicknames "Server-Cert"
To enable SSL and IMAP, edit the ImapProxyAService.cfg file and uncomment the relevant SSL settings.
A sample ImapProxyAService.cfg file resembles the following:
# SSL configuration
#
# Enable SSL from client to MMP with this:
default:SSLEnable yes
default:SSLPorts 993
default:SSLCertNicknames Server-Cert
# Password File for SSL server keys:
default:SSLKeyPasswdFile Messaging_Server_Root/config/sslpassword.conf
# Where SSL session cache, secmod, cert, and key files are located:
default:SSLCacheDir Messaging_Server_Root/config
# Customizable SSL security module database file name:
default:SSLSecmodFile secmod.db
# Customizable SSL cert7.db and key3.db file prefixes:
default:SSLCertPrefix ""
default:SSLKeyPrefix ""
# Use SSL on this port when talking to the back-end server (0 = do not use SSL)
default:SSLBacksidePort 993
default:ServiceList /opt/SUNWmsgsr/lib/ImapProxyAService@1143|1993
/opt/SUNWmsgsr/lib/PopProxyAService@1110|1995
To enable SSL and POP, edit the PopProxyAService.cfg file and uncomment the relevant SSL settings.
Edit the AService.cfg file. For SSL and POP, add |1995 after the 1110 in the ServiceList setting. For SSL and IMAP, add |1993 after 1143.
The AService.cfg file should resemble the following:
default:ServiceList /opt/SUNWmsgsr/lib/ImapProxyAService@1143|1993 /opt/SUNWmsgsr/lib/PopProxyAService@1110|1995
To configure IMAP for SSL:
Use the configutil command to set the following configuration parameters to enable SSL:
configutil -o service.imap.enablesslport -v yes configutil -o service.imap.enable -v 1 configutil -o service.imap.sslport -v 993 configutil -o service.imap.sslusessl -v yes
Use the configutil command to set the SSL certificate nickname:
configutil -o encryption.rsa.nssslpersonalityssl -v "Server-Cert"
To configure POP for SSL:
Use the configutil command to set the following configuration parameters to enable SSL:
configutil -o service.pop.enable -v 1 configutil -o service.pop.enablesslport -v yes configutil -o service.pop.sslport -v 995 configutil -o service.pop.sslusessl -v yes
Use the configutil command to set the SSL certificate nickname:
configutil -o encryption.rsa.nssslpersonalityssl -v "Server-Cert"
To configure HTTP for SSL:
Use the configutil command to set the following configuration parameters to enable SSL:
configutil -o service.http.enable -v 1 configutil -o service.http.enablesslport -v yes configutil -o service.http.sslport -v 443 configutil -o service.http.sslusessl -v yes
Use the configutil command to set the SSL certificate nickname:
configutil -o encryption.rsa.nssslpersonalityssl -v "Server-Cert"
To configure SMTP for SSL:
Use the configutil command to set the SSL certificate nickname:
configutil -o encryption.rsa.nssslpersonalityssl -v "Server-Cert"
To enable SSL encryption for outgoing messages, modify the channel definitions to include the TLS channel options such as maytls, musttls, and so on.
Uncomment the TLS_PORT entry (in the dispatcher.cnf file located in the MessagingServer_home/config directory) if you want to support SSL on an alternate port.
port 465TLS_PORT=465
Note:
You can also use a per-service configuration setting for the SSL certificate nicknames. The configuration parameters, which have the same meaning (that is, the nickname) and override the encryption.rsa.sslpersonalityssl setting, are:local.imta.sslnicknames (for the SMTP and Submit Servers)
local.imap.sslnicknames (for the IMAP Server)
local.pop.sslnicknames (for the POP Server)
local.http.sslnicknames (for the HTTP Server)
To verify the SSL configuration:
Use the netstat command to verify that the service is running.
netstat -an | grep service.service.sslport
where service is a keyword mmp, imap, pop, http, or smtp.
Check for errors in the Messaging Server log files.
Log files are located in the MessagingServer_home/log directories. For example, check the imap log to ensure that there are no SSL initialization errors (ASockSSL_Init errors).
Because the Solaris Cryptographic Framework software token contains private information, you use the pktool(1) command to set a password on the token. This command initializes the user's default keystore by logging in to the system as the application owner (the Messaging Server user).
Running the pktool setpin command initializes the soft token data store in the $HOME/.sunw/pkcs11_softtoken/ directory. These files are created to be accessible only to the owner, to protect their contents. This also means that you must perform the initialization as the same user that is used to run Messaging Server (that is, mailsrv), so this user has access to the right data store.
To set up the SCF software token pin:
Become the mailsrv user.
su mailsrv
Run the id command.
id uid=207023(mailsrv) gid=6(mail)
Run the pktool command.
pktool setpin
Create the new passphrase. (The passphrase is not echoed on the screen.)
You use this passphrase to import the certificate/key pair into the SCF token.
Reenter the passphrase. (The passphrase is not echoed on the screen.)
You are notified that the passphrase is changed.
Change to the /export/mailsrv directory.
cd /export/mailsrv
Check permissions.
ls -alrR ..: total 6 drwx------ 3 mailsrv mail 512 Nov 16 17:21 .sunw drwxr-xr-x 4 root sys 512 Oct 31 12:31 .. drwxrwxrwx 3 root root 512 Nov 16 17:21 . ../.sunw: total 6 drwx------ 4 mailsrv mail 512 Nov 16 17:21 pkcs11_softtoken drwxrwxrwx 3 root root 512 Nov 16 17:21 .. drwx------ 3 mailsrv mail 512 Nov 16 17:21 . ../.sunw/pkcs11_softtoken: total 10 drwx------ 2 mailsrv mail 512 Nov 16 17:21 public drwx------ 2 mailsrv mail 512 Nov 16 17:21 private -rw------- 1 mailsrv mail 103 Nov 16 17:21 objstore_info drwx------ 3 mailsrv mail 512 Nov 16 17:21 .. drwx------ 4 mailsrv mail 512 Nov 16 17:21 . ../.sunw/pkcs11_softtoken/public: total 4 drwx------ 4 mailsrv mail 512 Nov 16 17:21 .. drwx------ 2 mailsrv mail 512 Nov 16 17:21 . ../.sunw/pkcs11_softtoken/private: total 4 drwx------ 4 mailsrv mail 512 Nov 16 17:21 .. drwx------ 2 mailsrv mail 512 Nov 16 17:21 .
The cryptoadm utility displays cryptographic provider information for a system, configures the mechanisms for each provider, and installs or uninstalls a cryptographic provider. The Solaris Cryptographic Framework supports three types of providers: a user-level provider (a PKCS#11 shared library), a kernel provider (a loadable kernel software module), and a kernel hardware provider (a cryptographic hardware device). The cryptoadm utility provides subcommands to enable and disable the metaslot's features, list metaslot's configuration, and also configure the metaslot's mechanisms policy.
To administer the Cryptographic Framework:
You can list all the service providers and their cryptographic mechanisms in the Solaris Cryptographic Framework by running the cryptoadm list -m command. Verify that ncp and pkcs11_softtoken.so are available as cryptographic providers. Because NCP is a kernel provider, pkcs11_kernel.so should appear before pkcs11_softtoken.so in the output.
Following is a partial output of this command.
# cryptoadm list -m User-level providers: ===================== Provider: /usr/lib/security/$ISA/pkcs11_kernel.so Mechanisms: CKM_DSA CKM_RSA_X_509 CKM_RSA_PKCS Provider: /usr/lib/security/$ISA/pkcs11_softtoken.so Mechanisms: CKM_DES_CBC CKM_DES_CBC_PAD CKM_DES_ECB CKM_DES_KEY_GEN [.... so on ...] CKM_DSA CKM_DSA_SHA1 CKM_DSA_KEY_PAIR_GEN [.... so on ...] CKM_TLS_MASTER_KEY_DERIVE_DH CKM_SSL3_KEY_AND_MAC_DERIVE CKM_TLS_KEY_AND_MAC_DERIVE CKM_TLS_PRF Kernel software providers: ========================== des: CKM_DES_ECB,CKM_DES_CBC,CKM_DES3_ECB,CKM_DES3_CBC aes: CKM_AES_ECB,CKM_AES_CBC,CKM_AES_CTR [.... so on ...] sha1: CKM_SHA_1,CKM_SHA_1_HMAC,CKM_SHA_1_HMAC_GENERAL md5: CKM_MD5,CKM_MD5_HMAC,CKM_MD5_HMAC_GENERAL rsa:CKM_RSA_PKCS,CKM_RSA_X_509,CKM_MD5_RSA_PKCS,CKM_SHA1_RSA_PKCS,CKM_SHA256_RSA_PKCS, CKM_SHA384_RSA_PKCS,CKM_SHA512_RSA_PKCS swrand: No mechanisms presented. Kernel hardware providers: ========================== ncp/0: CKM_DSA,CKM_RSA_X_509,CKM_RSA_PKCS
Disable the use of the following user-level mechanisms, forcing them to be performed by the NCP.
# cryptoadm disable provider=/usr/lib/security/'$ISA'/pkcs11_softtoken.so \ mechanism=CKM_SSL3_PRE_MASTER_KEY_GEN,\ CKM_SSL3_MASTER_KEY_DERIVE,CKM_SSL3_KEY_AND_MAC_DERIVE,CKM_SSL3_MASTER_KEY_DERIVE_DH,\ CKM_SSL3_MD5_MAC,CKM_SSL3_SHA1_MAC
Verify that the user-level mechanisms are disabled.
# cryptoadm list -p provider=/usr/lib/security/'$ISA'/pkcs11_softtoken.so /usr/lib/security/$ISA/pkcs11_softtoken.so: all mechanisms are enabled, except CKM_SSL3_SHA1_MAC,CKM_SSL3_MD5_MAC,CKM_SSL3_MASTER_KEY_DERIVE_DH,CKM_SSL3_KEY_AND_MAC_DERIVE, CKM_SSL3_MASTER_KEY_DERIVE,CKM_SSL3_PRE_MASTER_KEY_GEN. random is enabled.
NSS uses secmod.db to keep track of the PKCS#11 modules available. You can use the security Module Database Tool modutil, a CLI that comes with NSS to manage PKCS#11 module information within secmod.db files. The Security Module Database Tool enables you to add and delete PKCS#11 modules, change passwords, set defaults, list module contents, and enable or disable slots. The modutil CLI is bundled with the Messaging Server software and is located in the MessagingServer_home/bin directory. This example assumes that you are running modutil from the MessagingServer_Home/lib directory and cert8.db, secmod.db, and key3.db are located under the config directory, that is MessagingServer_home/config.
List all the available PKCS#11 modules.
Using modutil, you can list all the available PKCS#11 modules. By default, NSS has an internal PKCS#11 module.
modutil -dbdir ../config -nocertdb -list
Using database directory ../config...
Listing of PKCS #11 Modules
-----------------------------------------------------------
1. NSS Internal PKCS #11 Module
slots: 2 slots attached
status: loaded
slot: NSS Internal Cryptographic Services
token: NSS Generic Crypto Services
slot: NSS User Private Key and Certificate Services
token: NSS Certificate DB
List the contents of the default NSS soft token.
The file sslpassword contains the password to the Certificate Database.
pk12util list-certs -W MessagingServer_home/config/sslpassword
Alias Valid from Expires on Self-signed?Issued by Issued to
Server-Cert 2006/11/15 23:02 2007/11/15 23:02 n
CN=CA,OU=test,O=authority,ST=California,C=US
CN=foobar.siroe.com,OU=comms,O=Dev,L=Santaclara,ST=California,C=us
SolCrypto-Framework 2006/11/16 00:14 2007/11/16 00:14 n
CN=CA,OU=test,O=authority,ST=California,C=US
CN=SCF,OU=comms,O=Dev,L=Santaclara,ST=California,C=us
2 certificates found
Messaging Server is configured to use the NSS built-in soft token for its cryptographic needs, which employs PKCS#11 to access cryptography. You can modify the Messaging Server configuration to use the User-Level Cryptographic Framework of the Solaris Cryptographic Framework, out of the box, by linking to the /usr/lib/libpkcs11.so library to get direct access to the PKCS#11 functionality. That is, you register the Solaris Cryptographic Framework as a PKCS#11 module.
To administer the Cryptographic Framework as a service provider:
Register the /usr/lib/libpkcs11.so PKCS#11 library with the Messaging Server software and enable the slot named Sun Metaslot.
modutil -dbdir ../config/ -nocertdb -add "Solaris Crypto Framework" -libfile /usr/lib/libpkcs11.so -mechanisms RSA WARNING: Performing this operation while the browser is running could cause corruption of your security databases. If the browser is currently running, you should exit browser before continuing this operation. Type 'q <enter>' to abort, or <enter> to continue: Using database directory ../config... Module "Solaris crypto Framework" added to database.
Continue with "Enabling the Slot Named Sun Metaslot".
To enable the slot named Sun Metaslot:
Run the following modutil command.
modutil -dbdir ../config/ -nocertdb -disable "Solaris Crypto Framework" WARNING: Performing this operation while the browser is running could cause corruption of your security databases. If the browser is currently running, you should exit browser before continuing this operation. Type 'q <enter>' to abort, or <enter> to continue: Using database directory ../config... Slot "Sun Metaslot" disabled. Slot "ncp/0 Crypto Accel Asym 1.0" disabled.
Run the following modutil command.
modutil -dbdir ../config/ -nocertdb -enable "Solaris Crypto Framework" -slot "Sun Metaslot" WARNING: Performing this operation while the browser is running could cause corruption of your security databases. If the browser is currently running, you should exit browser before continuing this operation. Type 'q <enter>' to abort, or <enter> to continue: Using database directory ../config... Slot "Sun Metaslot" enabled.
Run the following modutil command to verify that the Solaris Crypto Framework is successfully added.
modutil -dbdir ../config/ -nocertdb -list
Using database directory ../config...
Listing of PKCS #11 Modules
-----------------------------------------------------------
1. NSS Internal PKCS #11 Module
slots: 2 slots attached
status: loaded
slot: NSS Internal Cryptographic Services
token: NSS Generic Crypto Services
slot: NSS User Private Key and Certificate Services
token: NSS Certificate DB
2. Solaris crypto Framework
library name: /usr/lib/libpkcs11.so
slots: 2 slots attached
status: loaded
slot: Sun Metaslot
token: Sun Metaslot
slot: ncp/0 Crypto Accel Asym 1.0
token: ncp/0 Crypto Accel Asym 1.0
-----------------------------------------------------------
This task describes how to export the certificate/key pairs from the NSS soft token (as PKCS#12 formatted files) to be imported in to the SCF software token. The following shows how to export two certificates found in the internal token.
To export the certificate/key pairs from the NSS soft token:
Choose the PKCS#12 file password and copy it to a file called /tmp/pkcs12password.
# echo "pkcspassword" > /tmp/pkcs12password
Run the following commands to export the two certificates found in the Internal Token in to PKCS#12 formatted files.
pk12util export-cert -W MessagingServer_home/config/sslpassword -o /tmp/Server-Certpk12 -O /tmp/pkcs12password Server-Cert
# file /tmp/Server-Certpk12
/tmp/Server-Certpk12: data
Continue with "Importing the Key/Certificate Pairs to the Sun Metaslot (SCF)".
To import the key/certificate pairs to the SCF:
Run the following pk12util command.
$ pk12util -i /tmp/Server-Certpk12 -d ../config/ -h "Sun Metaslot"
Enter Password or Pin for "Sun Metaslot":
{ This is the same password you entered, when running pktool setpin )
Enter password for PKCS12 file:
{PKCSpassword : password used to export certificates from the Internal Software Token }
pk12util: PKCS12 IMPORT SUCCESSFUL
Run the following pk12util command.
$ pk12util -i /tmp/SCFpk12 -d ../config/ -h "Sun Metaslot"
Enter Password or Pin for "Sun Metaslot":
{ This is the same password you entered, when running pktool setpin )
Enter password for PKCS12 file:
{PKCSpassword : password used to export certificates from the Internal Software Token }
pk12util: PKCS12 IMPORT SUCCESSFUL
Continue with "Verifying the Successful Importation of the Certificate/Key Pairs".
Use this task to verify that the certificate/key pairs were successfully imported to the token. You must be logged in as mailsrv (that is, the Messaging Server user).
To verify that the certificate/key pairs were successfully imported:
Run the following certutil command.
$ certutil -L -d ../config/ -h "Sun Metaslot" Enter Password or Pin for "Sun Metaslot": ( This is the same password you entered, when running pktool setpin. ) Sun Metaslot:Server-Cert u,u,u Sun Metaslot:SolCrypto-Framework u,u,u
Run the following certutil command.
$ certutil -K -d ../config/ -h "Sun Metaslot" Enter Password or Pin for "Sun Metaslot": ( This is the same password you entered, when running pktool setpin. ) <0> Server-Cert <1> SolCrypto-Framework
Proceed to the next section to configure Messaging Server.
This section describes the procedures you use to configure the various Messaging Server processes to use the external token.
To configure Messaging Server processes to use the external token:
Configure MMP by editing the ImapProxyAService.cfg and PopProxyAService.cfg files as follows.
# cd MessagingServer_home/data/config
ImapProxyAService.cfg: default:SSLCertNicknames "Sun Metaslot:Server-Cert"
PopProxyAService.cfg: default:SSLCertNicknames "Sun Metaslot:Server-Cert"
Configure the IMAP server by setting the following configuration parameters to use the external token.
configutil -o encryption.rsa.nssslpersonalityssl -v "Sun Metaslot:Server-Cert"
OR
configutil -o local.imap.sslnicknames -v "Sun Metaslot:Server-Cert"
Configure the POP server by setting the following configuration parameters to use the external token.
configutil -o encryption.rsa.nssslpersonalityssl -v "Sun Metaslot:Server-Cert"
OR
configutil -o local.pop.sslnicknames -v "Sun Metaslot:Server-Cert"
Configure the HTTP server by setting the following configuration parameters to use the external token.
configutil -o encryption.rsa.nssslpersonalityssl -v "Sun Metaslot:Server-Cert"
OR
configutil -o local.http.sslnicknames -v "Sun Metaslot:Server-Cert"
Configure the SMTP server by setting the following configuration parameters to use the external token.
Use the configutil command to set the SSL certificate nickname:
configutil -o encryption.rsa.nssslpersonalityssl -v "Sun Metaslot:Server-Cert"
OR
configutil -o local.imta.sslnicknames -v "Sun Metaslot:Server-Cert"
Note:
As shown previously, you can also use a per-service configuration setting for the SSL certificate nicknames. The configuration parameters, which have the same meaning (that is, the nickname) and override the encryption.rsa.sslpersonalityssl setting, are:local.imta.sslnicknames (for the SMTP and Submit Servers)
local.imap.sslnicknames (for the IMAP Server)
local.pop.sslnicknames (for the POP Server)
local.http.sslnicknames (for the HTTP Server)
Save the "Sun Metaslot" password in to the sslpassword.conf file.
The "Sun Metaslot" is protected by a password. The server prompts for a password every time it starts up. Instead of entering the password every time, Messaging Server reads the password from the sslpassword.conf file located in the MessagingServer_home/config directory. Edit this file as follows.
# cat MessagingServer_home/data/config/sslpassword.conf
Sun Metaslot:secret( "secret" : This is the same password you entered, when running pktool setpin )
This task explains how to restart the Messaging Server services, check for errors, and verify the operational SCF environment.
To start and debug Messaging Server services:
Restart the Messaging Server services.
# MessagingServer_home/bin/start-msg
Connecting to watcher ...
Launching watcher ... 27351
Starting ens server ... 27352
Starting store server .... 27353
Checking store server status .... ready
Starting imap server .... 27354
Starting pop server .... 27355
Starting http server .... 27356
Starting sched server ... 27357
Starting dispatcher server .... 27359
Starting job_controller server .... 27365
Ensure that there are no SSL_init errors in the log files, and no ASockSSL_init errors in any of the tcp_smpt, default, imap, pop, and http log files.
You see something like the following when there is a problem.
http:[31/Nov/2006:11:36:21 -0800] biotite httpd[27356]: General Error: SSLinitialization error: ASockSSL_Init: couldn't open slot Metaslot (-8127) imap:[31/Nov/2006:11:36:20 -0800] biotite imapd[27354]: General Error: SSLinitialization error: ASockSSL_Init: couldn't open slot Metaslot (-8127) pop:[31/Nov/2006:11:36:21 -0800] biotite popd[27355]: General Error:SSL initialization error: ASockSSL_Init: couldn't open slot Metaslot (-8127) tcp_smtp_server.log-0J8000L01MGM3Z00:[31/Nov/2006:11:36:22 -0800] biotite [27363]: General Error:SSL initialization error: ASockSSL_Init: couldn't open slot Metaslot (-8127) tcp_smtp_server.log-0J8000L03MGM3Z00:[31/Nov/2006:11:36:22 -0800] biotite [27364]: General Error:SSL initialization error: ASockSSL_Init: couldn't open slot Metaslot (-8127)
Verify that the SSL ports are listening.
# netstat -an | grep 995 *.995 *.* 0 0 49152 0 LISTEN # netstat -an | grep 443 *.443 *.* 0 0 49152 0 LISTEN # netstat -an | grep 465 *.465 *.* 0 0 49152 0 LISTEN
Once the application is operational on the Solaris Cryptographic Framework, use the kstat command to display the number of RSA public key decryptions performed using NCP since the last system boot.
The number of RSA public key decryptions are shown as the rsapublic value in the kstat output. An incremental and a positive increase in the value of rsapublic shows that NCP is operational.
# kstat -n ncp0 | grep rsa rsprivate Xrsapublic X
In this output:
rsaprivate -- Total number of jobs submitted to the device for RSA private key operations.
rsapublic -- Total number of jobs submitted to the device for RSA public key operations.
By using a browser to connect to the HTTP SSL port and log in, you see how the count increases. For example:
<Log in to https://host1.red.example.com> # kstat -n ncp0 | grep rsa rsaprivate 35 rsapublic 146 # kstat -n ncp0 | grep rsa rsaprivate 38 rsapublic 149