
Sun ONE Calendar Server 6.0 Administrator's Guide

Chapter 9
Using SSL With Calendar Server

Sun ONE Calendar Server 6.0 supports the Secure Sockets Layer (SSL) protocol to encrypt data between calendar client end users and Calendar Server. To support SSL, Calendar Server uses SSL libraries from Netscape Security Services (NSS), which are also used by Sun ONE Messaging Server.

You can configure Calendar Server in the ics.conf file to encrypt only the Calendar Server login and password or an entire calendar session.

This chapter describes these topics:

 


Configuring SSL for Calendar Server

Calendar Server SSL configuration is “self-contained” and does not require the Delegated Administrator.

To configure SSL for Calendar Server, follow these steps:

 

Create the SSL Certificate Database

An SSL implementation for Calendar Server requires a certificate database. The certificate database must define a Certificate Authority (CA) and certificates for Calendar Server.

Mozilla Tools

This release includes the following Mozilla tools:

These utilities are available in the following directory:

/opt/SUNWics5/cal/bin

 

Library Path Variable

Before you use the Mozilla tools, set your LD_LIBRARY_PATH variable appropriately. For example:

setenv LD_LIBRARY_PATH /opt/SUNWics5/cal/lib

Example Files and Directories

The examples in this chapter use these files and directories:

 

To create a certificate database

  1. Log in as or become superuser (root).

  2. Specify the certificate database password for certutil in /etc/opt/SUNWics5/config/sslPasswordFile. For example:

     # echo "password" > /etc/opt/SUNWics5/config/sslPasswordFile

     where password is your specific password.

  3. Create the certificate database alias directory. For example:

     # cd /var/opt/SUNWics5
     # mkdir alias

  4. Move to the bin directory and generate the certificate database (cert7.db) and key database (key3.db). For example:

     # cd /opt/SUNWics5/cal/bin
     # ./certutil -N -d /var/opt/SUNWics5/alias \
         -f /etc/opt/SUNWics5/config/sslPasswordFile

  5. Generate a default self-signed root Certificate Authority certificate. For example:

     # ./certutil -S -n SampleRootCA -x -t "CTu,CTu,CTu" \
         -s "CN=My Sample Root CA, O=sesta.com" -m 25000 \
         -o /var/opt/SUNWics5/alias/SampleRootCA.crt \
         -d /var/opt/SUNWics5/alias \
         -f /etc/opt/SUNWics5/config/sslPasswordFile -z /etc/passwd

  6. Generate a certificate for the host. For example:

     # ./certutil -S -n SampleSSLServerCert -c SampleRootCA -t "u,u,u" \
         -s "CN=hostname.sesta.com, O=sesta.com" -m 25001 \
         -o /var/opt/SUNWics5/alias/SampleSSLServer.crt \
         -d /var/opt/SUNWics5/alias -f /etc/opt/SUNWics5/config/sslPasswordFile \
         -z /etc/passwd

     where hostname.sesta.com is the server host name.

  7. Validate the certificates. For example:

     # ./certutil -V -u V -n SampleRootCA -d /var/opt/SUNWics5/alias
     # ./certutil -V -u V -n SampleSSLServerCert -d /var/opt/SUNWics5/alias

  8. List the certificates. For example:

     # ./certutil -L -d /var/opt/SUNWics5/alias
     # ./certutil -L -n SampleSSLServerCert -d /var/opt/SUNWics5/alias

  9. Use modutil to list the available security modules (secmod.db). For example:

     # ./modutil -list -dbdir /var/opt/SUNWics5/alias

  10. Change the owner and group of the alias directory and its contents to icsuser and icsgroup (or the user and group identity under which Calendar Server will run). For example:

     # find /var/opt/SUNWics5/alias -exec chown icsuser {} \;
     # find /var/opt/SUNWics5/alias -exec chgrp icsgroup {} \;
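The following script is an added example and is not part of the Sun ONE documentation. It checks the result of the procedure above: that sslPasswordFile, which holds the certificate database password in clear text, is readable only by its owner, and that the alias directory and the databases created in it (cert7.db, key3.db, and the secmod.db that modutil lists) are owned by the identity Calendar Server runs under. The default paths and the icsuser name are the chapter's example values; the function names are this example's own.

```shell
#!/bin/sh
# Added example (not part of the Sun ONE documentation): sanity checks
# for the certificate database created by the procedure above.
# Defaults are the chapter's example paths; the checks themselves use
# only ls, awk and test so they run on Solaris or Linux.

# Return 0 if FILE exists and only its owner can read it (mode rw-------
# or r--------), so the clear-text certutil password is not exposed.
password_file_is_private() {
    mode=$(ls -ld "$1" 2>/dev/null | cut -c2-10)
    [ -n "$mode" ] || return 1
    case "$mode" in
        rw-------|r--------) return 0 ;;
        *) return 1 ;;
    esac
}

# Return 0 if PATH is owned by USER (owner is the third field of ls -ld).
owned_by() {
    owner=$(ls -ld "$1" 2>/dev/null | awk '{ print $3 }')
    [ -n "$owner" ] && [ "$owner" = "$2" ]
}

# Return 0 if DIR holds the NSS databases that certutil -N creates
# (cert7.db, key3.db) plus the security module database secmod.db that
# modutil lists, and the directory and all three files are owned by USER.
alias_dir_ok() {
    dir=$1
    user=$2
    [ -d "$dir" ] || { echo "missing directory $dir" >&2; return 1; }
    for db in cert7.db key3.db secmod.db; do
        [ -f "$dir/$db" ] || { echo "missing $dir/$db" >&2; return 1; }
        owned_by "$dir/$db" "$user" || { echo "$dir/$db is not owned by $user" >&2; return 1; }
    done
    owned_by "$dir" "$user" || { echo "$dir is not owned by $user" >&2; return 1; }
}

# Run all checks. Arguments: alias directory, password file, run-as user;
# each defaults to the value used in the chapter's examples.
ssl_db_check() {
    alias_dir=${1:-/var/opt/SUNWics5/alias}
    pwfile=${2:-/etc/opt/SUNWics5/config/sslPasswordFile}
    user=${3:-icsuser}
    rc=0
    if password_file_is_private "$pwfile"; then
        echo "ok: $pwfile is readable by its owner only"
    else
        echo "FAIL: $pwfile is missing or readable by group/others (use chmod 600)" >&2
        rc=1
    fi
    if alias_dir_ok "$alias_dir" "$user"; then
        echo "ok: $alias_dir and its databases are owned by $user"
    else
        rc=1
    fi
    return $rc
}

# When run as a script with arguments, perform the check; with no
# arguments the file can be sourced to use the functions above.
[ $# -gt 0 ] && ssl_db_check "$@"
```

Run it as root after step 10, for example `sh ssl_db_check.sh /var/opt/SUNWics5/alias /etc/opt/SUNWics5/config/sslPasswordFile icsuser`; a non-zero exit status means one of the checks failed and the reason was printed to standard error.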

 

Request and Import a Certificate From a Root Certificate Authority (CA)

The following steps generate a certificate request, submit it to the Public Key Infrastructure (PKI) Web site, and then import the certificate.

To request and import a certificate from a root Certificate Authority

  1. Log in as or become superuser (root).

  2. Move to the bin directory:

     # cd /opt/SUNWics5/cal/bin

  3. Use certutil to generate a Certificate Request to submit to the Certificate Authority or Public Key Infrastructure (PKI) Web site. For example:

     # ./certutil -R -s "CN=hostname.sesta.com, OU=hostname / SSL Web Server, O=Sesta, C=US" \
         -p "408-555-1234" -o hostnameCert.req -g 1024 \
         -d /var/opt/SUNWics5/alias \
         -f /etc/opt/SUNWics5/config/sslPasswordFile \
         -z /etc/passwd -a

     where hostname.sesta.com is the host name.

  4. Request a test certificate for an SSL web server from the Certificate Authority or Public Key Infrastructure (PKI) Web site. Copy and paste the contents of the hostnameCert.req file into the Certificate Request. You will be notified when your certificate is signed and can be picked up.

  5. Copy the Certificate Authority Certificate Chain and SSL server certificate into text files.

  6. Import the Certificate Authority Certificate Chain into the certificate database to establish a Chain of Authority. For example:

     # ./certutil -A -n "GTE CyberTrust Root" -t "TCu,TCu,TCuw" \
         -d /var/opt/SUNWics5/alias -a -i /export/wspace/Certificates/CA_Certificate_1.txt \
         -f /etc/opt/SUNWics5/config/sslPasswordFile

     # ./certutil -A -n "Sesta TEST Root CA" -t "TCu,TCu,TCuw" \
         -d /var/opt/SUNWics5/alias -a -i /export/wspace/Certificates/CA_Certificate_2.txt \
         -f /etc/opt/SUNWics5/config/sslPasswordFile

  7. Import the signed SSL server certificate:

     # ./certutil -A -n "hostname SSL Server Test Cert" -t "u,u,u" \
         -d /var/opt/SUNWics5/alias -a -i /export/wspace/Certificates/SSL_Server_Certificate.txt \
         -f /etc/opt/SUNWics5/config/sslPasswordFile

  8. List the certificates in the certificate database:

     # ./certutil -L -d /var/opt/SUNWics5/alias

  9. Set the SSL Server Nickname in the ics.conf file (the encryption.rsa.nssslpersonalityssl parameter) to the nickname of the signed SSL server certificate. For example: "hostname SSL Server Test Cert".

Note: The host name in the service.http.calendarhostname and service.http.ssl.sourceurl parameters in the ics.conf file should match the host name on the SSL certificate (in case your system has several aliases). For example: calendar.sesta.com

Configure SSL Parameters in the ics.conf File

To implement SSL with Calendar Server, you must set specific parameters in the ics.conf file. This section describes:

 

SSL Configuration Parameters

Code Example 9-1 shows the SSL configuration parameters. If any of these parameters are not in the ics.conf file, add them to the file. After you set these parameters, restart Calendar Server for the values to take effect. For a description of these SSL parameters, see "SSL Configuration".

Code Example 9-1  SSL Configuration Parameters for Calendar Server

service.http.ssl.cachedir = "."
service.http.ssl.cachesize = "10000"
service.http.ssl.certdb.password = "password"
service.http.ssl.certdb.path = "/var/opt/SUNWics5/alias"
service.http.ssl.port.enable = "yes"
service.http.ssl.port = "443"
service.http.ssl.securelogin = "yes"
service.http.ssl.securesession = "yes"

! Set localhost to the name of your local host.

! Set the port number (default: 443) to the SSL port you are using.

service.http.ssl.sourceurl = "https://localhost:443"

service.http.ssl.ssl2.ciphers = ""
service.http.ssl.ssl2.sessiontimeout = "0"
service.http.ssl.ssl3.ciphers = "rsa_rc4_40_md5,rsa_rc2_40_md5,rsa_des_sha,rsa_rc4_128_md5,rsa_3des_sha"
service.http.ssl.ssl3.sessiontimeout = "0"
service.http.ssl.usessl = "yes"
encryption.rsa.nssslactivation = "on"
encryption.rsa.nssslpersonalityssl = "SampleSSLServerCert"
encryption.rsa.nsssltoken = "internal"
service.http.tmpdir = "/var/opt/SUNWics5/tmp"
service.http.uidir.path = "html"

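The following script is an added example, not part of the Sun ONE documentation. It reads an ics.conf and checks the parameters of Code Example 9-1 for the mistakes this chapter warns about: usessl and port.enable not set to "yes", sourceurl left at localhost or not using https, a sourceurl port that disagrees with service.http.ssl.port, an empty certificate nickname, and a relative certdb.path. It also reports which of the two encryption modes described under "Encryption of Calendar Server Login or Entire Calendar Session" is in effect (securesession versus securelogin only). The parameter names are the chapter's; the function names, the constructed test file, and the warning about the 40-bit rsa_*_40_* suites (export-strength ciphers, a fact not stated on this page) are this example's own.

```shell
#!/bin/sh
# Added example (not part of the Sun ONE documentation): checks the SSL
# parameters in an ics.conf against the settings shown in Code Example 9-1.
# It uses only sh and awk; parameter names are the ones in the chapter.

# Print the value of KEY from FILE. ics.conf lines look like
#   key = "value"
# and lines starting with '!' are comments. Prints nothing if KEY is absent.
conf_get() {
    awk -v key="$2" '
        /^[ \t]*!/ { next }                       # comment line
        {
            i = index($0, "=")
            if (i == 0) next
            k = substr($0, 1, i - 1); gsub(/[ \t]/, "", k)
            if (k != key) next
            v = substr($0, i + 1)
            gsub(/^[ \t]+|[ \t]+$/, "", v)       # trim blanks
            gsub(/^"|"$/, "", v)                  # strip the quotes
            print v
            exit
        }' "$1"
}

# Print the port of an https:// URL (443 when none is given); fail if the
# URL does not use https.
url_port() {
    rest=${1#https://}
    [ "$rest" != "$1" ] || return 1
    hostport=${rest%%/*}
    case "$hostport" in
        *:*) echo "${hostport##*:}" ;;
        *)   echo 443 ;;
    esac
}

# Check FILE. Returns 0 when every required setting is present and
# consistent; prints FAIL for problems and WARN for settings worth a look.
ssl_conf_check() {
    f=$1
    rc=0
    for key in service.http.ssl.usessl service.http.ssl.port.enable; do
        [ "$(conf_get "$f" "$key")" = "yes" ] || { echo "FAIL: $key is not \"yes\""; rc=1; }
    done

    # Which of the two encryption modes the chapter describes is in effect?
    login=$(conf_get "$f" service.http.ssl.securelogin)
    session=$(conf_get "$f" service.http.ssl.securesession)
    if [ "$session" = "yes" ]; then
        echo "INFO: entire calendar session is encrypted"
    elif [ "$login" = "yes" ]; then
        echo "WARN: only the login and password are encrypted; the rest of the session is not"
    else
        echo "FAIL: neither securelogin nor securesession is \"yes\""; rc=1
    fi

    # sourceurl must be https and agree with the SSL port and real host name.
    port=$(conf_get "$f" service.http.ssl.port)
    url=$(conf_get "$f" service.http.ssl.sourceurl)
    if uport=$(url_port "$url"); then
        [ "$uport" = "$port" ] || { echo "FAIL: sourceurl port $uport differs from service.http.ssl.port $port"; rc=1; }
    else
        echo "FAIL: service.http.ssl.sourceurl must start with https://"; rc=1
    fi
    case "$url" in
        *://localhost*) echo "WARN: sourceurl still says localhost; use the host name on the certificate" ;;
    esac

    [ -n "$(conf_get "$f" encryption.rsa.nssslpersonalityssl)" ] \
        || { echo "FAIL: encryption.rsa.nssslpersonalityssl (certificate nickname) is empty"; rc=1; }
    case "$(conf_get "$f" service.http.ssl.certdb.path)" in
        /*) ;;
        *)  echo "FAIL: service.http.ssl.certdb.path must be an absolute path"; rc=1 ;;
    esac

    # Cipher settings: Code Example 9-1 leaves the SSL2 list empty, and the
    # rsa_*_40_* suites in its SSL3 list are 40-bit export ciphers.
    ssl2=$(conf_get "$f" service.http.ssl.ssl2.ciphers)
    [ -z "$ssl2" ] || echo "WARN: service.http.ssl.ssl2.ciphers is \"$ssl2\"; Code Example 9-1 leaves it empty"
    case "$(conf_get "$f" service.http.ssl.ssl3.ciphers)" in
        *_40_*) echo "WARN: 40-bit export cipher suites are in service.http.ssl.ssl3.ciphers" ;;
    esac
    return $rc
}

# When run as a script, check the ics.conf given as the first argument.
[ $# -gt 0 ] && ssl_conf_check "$1"
```

Run it against the live file before restarting Calendar Server, for example `sh ssl_conf_check.sh /etc/opt/SUNWics5/config/ics.conf`; FAIL lines give a non-zero exit status, WARN lines do not.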
 


Caution

Remote administration is not enabled for Calendar Server. Do not change the service.admin.port parameter, because it is already set to its required value by Calendar Server. Otherwise, the csadmind process might not run properly.


Encryption of Calendar Server Login or Entire Calendar Session

You can configure Calendar Server to encrypt only the Calendar Server login and password or an entire calendar session by setting the following parameters:

 


Troubleshooting SSL

First, always back up your certificate database on a regular basis in case unrecoverable problems occur. If you have problems with SSL, here are some things to consider:

 

Checking for the cshttpd Process

SSL requires the Calendar Server cshttpd process to be running. To determine if cshttpd is running, use this command on Solaris systems:

# ps -ef | grep cshttpd

Verifying Certificates

To list the certificates in the certificate database and check their validity dates, use this command on Solaris systems:

# ./certutil -L -d /var/opt/SUNWics5/alias

Reviewing Calendar Server Log Files

Check the Calendar Server log files for any SSL errors. For more information see "Monitoring Calendar Server Log Files".

Connecting to the SSL Port

Connect to the SSL port using a browser and the following URL:

https://server-name:ssl-port-number

where:

server-name is the name of the server where Calendar Server is running.

ssl-port-number is the SSL port number as specified by the service.http.ssl.port parameter in the ics.conf file. The default is 443.





Copyright 2003 Sun Microsystems, Inc. All rights reserved.