Sun Java System Messaging Server 6.3 Administration Guide

7.2.3 Certificate-Based Client Authentication

The MMP can use a certificate mapping file (certmap.conf) to match a client’s certificate to the correct user in the Users/Groups Directory Server.

In order to use certificate-based client authentication, you must also enable SSL encryption as described in 7.2.2 Encryption (SSL) Option.

You also have to configure a store administrator. You can use the mail administrator, but it is recommended that you create a unique user ID, such as mmpstore for this purpose so that you can set permissions as needed.

Note that the MMP does not support certmap plug-ins. Instead, the MMP accepts enhanced DNComps and FilterComps property value entries in the certmap.conf file. These enhanced format entries use the form:

mapname:DNComps FROMATTR=TOATTRmapname:FilterComps FROMATTR=TOATTR

So that a FROMATTR value in a certificate’s subjectDN can be used to form an LDAP query with the TOATTR=value element. For example, a certificate with a subjectDN of “cn=Pilar Lorca, ou=pilar,” could be mapped to an LDAP query of “(uid=pilar)” with the line:

mapname:FilterComps ou=uid

ProcedureTo Enable Certificate-based Authentication for Your IMAP or POP Service

  1. Decide on the user ID you intend to use as store administrator.

    While you can use the mail administrator for this purpose, it is recommended that you create a unique user ID for store administrator (for example, mmpstore).

  2. Make sure that SSL encryption is (or will be) enabled as described in 7.2.2 Encryption (SSL) Option.

  3. Configure the MMP to use certificate-based client authentication by specifying the location of the certmap.conf file in your configuration files.

  4. Install at least one trusted CA certificate, as described in To Install Certificates of Trusted CAs