Chapter 8 Configuring SSL

Calendar Server supports the Secure Sockets Layer (SSL) protocol to encrypt data between calendar client end users and Calendar Server. To support SSL, Calendar Server uses SSL libraries from Netscape Security Services (NSS), which are also used by Sun Java System Messaging Server.

You can configure Calendar Server in the ics.conf file to encrypt only the Calendar Server login and password or an entire calendar session.

This chapter is covers the three tasks necessary to configure SSL and troubleshooting:

• Configuring SSL for Calendar Server

  • To Create a Certificate Database

  • To Request and Import a Certificate from a Root Certificate Authority

  • To Configure SSL Parameters in the ics.conf File

• Troubleshooting SSL

Calendar Server does not support client-based SSL authentication.

Configuring SSL for Calendar Server

To Create a Certificate Database

An SSL implementation for Calendar Server requires a certificate database. The certificate database must define a Certificate Authority (CA) and certificates for Calendar Server. This section contains conceptual and task information:

Before You Begin

Before you create the certificate database, familiarize yourself with the following:

• Mozilla Tools — This release includes the following Mozilla tools:

  • Certificate Database Tool (certutil) to create and manage the certificate database. For information, refer to the following Web site:

    http://mozilla.org/projects/security/pki/
            nss/tools/certutil.html

    ---

    Tip –

    Familiarize yourself with the tool syntax before attempting to generate your certificate database.

    ---

  • Security Module Database Tool (modutil) to display information about available security modules. For information, refer to the following Web site:

    http://mozilla.org/projects/security/pki/
            nss/tools/modutil.html

    These utilities are available in the following directory:

    /opt/SUNWics5/cal/lib

    or download the most recent version from the Web site.

• Library Path Variable — Before you use the Mozilla tools, set your LD_LIBRARY_PATH variable appropriately. For example:

  setenv LD_LIBRARY_PATH /opt/SUNWics5/cal/lib

• Example Files and Directories — The examples in this chapter use these files and directories:

  • alias is a directory that contains the certificate database. Create the alias directory in the following directory:

    /var/opt/SUNWics5

    Also, make sure you backup the alias directory regularly.

  • sslPasswordFile is a text file that contains the certificate database password. This file is used by the certutil utility but not by Calendar Server. Create sslPasswordFile in the following directory:

    /etc/opt/SUNWics5/config

  • /etc/passwd introduces entropy for random number generation, that is, this directory is used to generate varied and unique seeds that help ensure truly random results from the random number generator.

1. Log in as or become superuser (root).

2. Specify the certificate database password for certutil in /etc/opt/SUNWics5/config/sslPasswordFile. For example:

   # echo "password" /etc/opt/SUNWics5/config/sslPasswordFile

   where password is your specific password.

3. Create the certificate database alias directory. For example:

   # cd /var/opt/SUNWics5 # mkdir alias

4. Move to the bin directory and generate the certificate database (cert8.db) and key database (key3.db). For example:

   # cd /opt/SUNWics5/cal/bin # ./certutil -N -d /var/opt/SUNWics5/alias -f /etc/opt/SUNWics5/config/sslPasswordFile

   ---

   Note –

   For this and other times when you must run the certutil utility, follow the examples exactly, or consult the certutil help page to understand the syntax.

   For example, in this case, do not run the utility with the -N option without also specifying the -d /file information.

   ---

5. Generate a default self-signed root Certificate Authority certificate. For example:

   # ./certutil -S -n SampleRootCA -x -t "CTu,CTu,CTu" -s "CN=My Sample Root CA, O=sesta.com" -m 25000 -o /var/opt/SUNWics5/alias/SampleRootCA.crt -d /var/opt/SUNWics5/alias -f /etc/opt/SUNWics5/config/sslPasswordFile -z /etc/passwd

6. Generate a certificate for the host. For example:

   # ./certutil -S -n SampleSSLServerCert -c SampleRootCA -t "u,u,u" -s "CN=hostname.sesta.com, O=sesta.com" -m 25001 -o /var/opt/SUNWics5/alias/SampleSSLServer.crt -d /var/opt/SUNWics5/alias -f /etc/opt/SUNWics5/config/sslPasswordFile -z /etc/passwd

   where hostname.sesta.com is the server host name.

7. Validate the certificates. For example:

   # ./certutil -V -u V -n SampleRootCA -d /var/opt/SUNWics5/alias # ./certutil -V -u V -n SampleSSLServerCert -d /var/opt/SUNWics5/alias

8. List the certificates. For example:

   # ./certutil -L -d /var/opt/SUNWics5/alias # ./certutil -L -n SampleSSLServerCert -d /var/opt/SUNWics5/alias

9. Use modutil to list the available security modules (secmod.db). For example:

   # ./modutil -list -dbdir /var/opt/SUNWics5/alias

10. Change the owner of the alias file to icsuser and icsgroup (or the user and group identity under which Calendar Server will run). For example:

    # find /var/opt/SUNWics5/alias -exec chown icsuser {}; # find /var/opt/SUNWics5/alias -exec chgrp icsgroup {};

To Request and Import a Certificate from a Root Certificate Authority

The following steps tell you how to generate a certificate request, submit it to the Public Key Infrastructure (PKI) Web site, and then import the certificate.

1. Log in as or become superuser (root).

2. Move to the bin directory:

   # cd /opt/SUNWics5/cal/bin

3. Use certutil to generate a Certificate Request based on the Certificate Authority or Public Key Infrastructure (PKI) Web site. For example:

   # ./certutil -R -s "CN=hostname.sesta.com, OU=hostname/ SSL Web Server, O=Sesta, C=US" -p "408-555-1234" -o hostnameCert.req -g 1024 -d /var/opt/SUNWics5/alias -f /etc/opt/SUNWics5/config/sslPasswordFile -z /etc/passwd -a

   where “hostname.sesta.com” is the host name.

4. Request an test certificate for an SSL web server from the Certificate Authority or Public Key Infrastructure (PKI) Web site. Copy and paste the contents from the hostnameCert.req file into the Certificate Request.

   You will be notified by when your certificate is signed and can be picked up.

5. Copy the Certificate Authority Certificate Chain and SSL server certificate into text files.

6. Import the Certificate Authority Certificate Chain into the certificate database to establish a Chain of Authority. For example:

   # ./certutil -A -n "GTE CyberTrust Root" -t "TCu,TCu,TCuw" -d /var/opt/SUNWics5/alias -a -i /export/wspace/Certificates/CA_Certificate_1.txt -f /etc/opt/SUNWics5/config/sslPasswordFile # ./certutil -A -n "Sesta TEST Root CA" -t "TCu,TCu,TCuw" -d /var/opt/SUNWics5/alias -a -i /export/wspace/Certificates/CA_Certificate_2.txt -f /etc/opt/SUNWics5/config/sslPasswordFile

7. Import the signed SSL server certificate:

   # ./certutil -A -n "hostname SSL Server Test Cert" -t "u,u,u" -d /var/opt/SUNWics5/alias -a -i /export/wspace/Certificates/SSL_Server_Certificate.txt -f /etc/opt/SUNWics5/config/sslPasswordFile

8. List the certificates in the certificate database:

   # ./certutil -L -d /var/opt/SUNWics5/alias

9. Configure the SSL Server Nickname in the ics.conf file to be the signed SSL server certificate, For example: “hostname SSL Server Test Cert”.

   Note The host name for the service.http.calendarhostname and service.http.ssl.sourceurl parameters in the ics.conf file should match the host name on the SSL certificate (in case your system has several aliases). For example: calendar.sesta.com

To Configure SSL Parameters in the ics.conf File

To implement SSL with Calendar Server, you must set specific parameters in the ics.conf file. If any of the parameters listed in the following table are not in the ics.conf file, add them to the file with the value specified. Since the ics.conf is read only at system startup (when start-cal is issued), the new values will not take effect until the Calendar Server is restarted. For a description of these SSL parameters, see SSL Configuration.

1. Log in as an administrator with permission to change the configuration.

2. Change to the /etc/opt/SUNWics5/cal/config directory.

3. Save your old ics.conf file by copying and renaming it.

4. Edit one or more of the parameters as shown in the following table:

   Parameter	Value
   encryption.rsa.nssslactivation	“on”
   encryption.rsa.nssslpersonalityssl	“SampleSSLServerCert”
   encryption.rsa.nsssltoken	“internal”
   service.http.tmpdir	“/var/opt/SUNWics5/tmp”
   service.http.uidir.path	“html”
   service.http.ssl.cachedir	“.”
   service.http.ssl.cachesize	“10000”
   service.http.ssl.certdb.password	" "(Supply an appropriate password)
   service.http.ssl.certdb.path	“/var/opt/SUNWics5/alias”
   service.http.ssl.port.enable	“yes”
   service.http.ssl.port	"443" (Default SSL port) Note – Not on port "80", which is the HTTP default port.
   service.http.securesession	"yes" (Entire session encrypted)
   service.http.ssl.sourceurl	“https”//localhost:port” (Supply the name of your local host, and the service.http.ssl.port value.)
   service.http.ssl.ssl2.ciphers	““
   service.http.ssl.ssl2.sessiontimeout	“0”
   service.http.ssl.ssl3.ciphers	"rsa_red_40_md5, rsa_rc2_40_md5, rsa_des_sha, rsa_rc4_128_md5, rsa_3des_sha"
   service.http.ssl.ssl3.sessiontimeout	“0”
   service.http.sslusessl	“yes”

5. Save the file as ics.conf.

6. Restart Calendar Server for the changes to take effect.

   cal_svr_base/SUNWics5/cal/sbin/start-cal

Troubleshooting SSL

First, always backup your certificate database on a regular basis in case unrecoverable problems occur. If you have problems with SSL, here are some things to consider:

• Checking for the cshttpd Process

• Verifying Certificates

• Reviewing Calendar Server Log Files

• Connecting to the SSL Port

• Making cshttpd Stop Listening on the Regular HTTP Port

Checking for the cshttpd Process

SSL requires the Calendar Server cshttpd process to be running. To determine if cshttpd is running, use this command:

# ps -ef | grep cshttpd

Verifying Certificates

To list the certificates in the certificate database and checking their validity dates, use this command:

# ./certutil -L -d /var/opt/SUNWics5/alias

Reviewing Calendar Server Log Files

Check the Calendar Server log files for any SSL errors. For more information see Using Calendar Server Log Files.

Connecting to the SSL Port

Connect to the SSL port using a browser and the following URL:

https://server-name:ssl-port-number

where:

server-name is the name of the server where Calendar Server is running.

ssl-port-number is the SSL port number as specified by the service.http.ssl.port parameter in the ics.conf file. The default is 443.

Making cshttpd Stop Listening on the Regular HTTP Port

HTTP and HTTPS listen on different ports (443 for SSL, and 80 for HTTP), so you will never have both listening to the same port. Currently, there is no way to tell cshttpd to stop listening to the regular HTTP port. However, an administrator can change the service.http.port to an undisclosed number.

Do not set service.http.enable ="no" in an attempt to prevent cshttpd from listening to HTTP. Doing so would cause HTTPS to fail also. Both service.http.enable and service.http.ssl.port.enable must be set to "yes" for SSL to be configured properly.