Deployment Example: Sun Java System Communications Services for Access Anywhere (EdgeMail)

4.6 Installing and Configuring Portal Server

Follow the installation instructions in the product installation guide to install Remote Access Pack Core and Mobile Access.

Procedure: To Install Portal Server

Steps
  1. Run the Java ES installer with the silent install file for Portal Server:


    /var/bits/Java_es/Solaris_sparc/installer -nodisplay -noconsole -state PortalServerStateFile
    
  2. If the runtime userID for Portal Server is not root, you must change ownership of its related directories with the following commands:


    # chown -R userID \
      AccessManagerPath /var/AccessManagerPath /etc/AccessManagerPath \
      PortalServerPath /var/PortalServerPath /etc/PortalServerPath
    # chgrp -R usergroup \
      AccessManagerPath /var/AccessManagerPath /etc/AccessManagerPath \
      PortalServerPath /var/PortalServerPath /etc/PortalServerPath
    
  3. Change gateway.user from noaccess to userID.

Procedure: To Configure the Provider Channels

Steps
  1. To configure the mail provider, copy the following files from phys-bedge1-1 or phys-bedge3-1, and edit them as needed to use the local hostname and the dc=example,dc=com base DN.


    /var/opt/SUNWps/instance/portal/web-apps/jsp/default/launchCompose.jsp
    /var/opt/SUNWps/instance/portal/web-apps/jsp/default/launchInbox.jsp
    /var/opt/SUNWps/instance/portal/web-apps/jsp/default/launchFolder.jsp
    /var/opt/SUNWps/instance/portal/web-apps/jsp/default/mail/doNewInbox.jsp
    /var/opt/SUNWps/instance/portal/web-apps/jsp/default/mail/doInboxCont.jsp
    /var/opt/SUNWps/instance/portal/web-apps/jsp/default/mail/doInboxStart.jsp
    /var/opt/SUNWps/instance/portal/web-apps/jsp/default/mail/getfolders.jsp
    /var/opt/SUNWps/instance/portal/web-apps/jsp/default/mail/getnewmsgs.jsp
    /var/opt/SUNWps/instance/portal/web-apps/jsp/default/mail/getnewmsg.jsp
    /var/opt/SUNWps/instance/portal/web-apps/jsp/default/mail/aml/getnewmsgs.jsp
    /var/opt/SUNWps/instance/portal/web-apps/jsp/default/mail/aml/getnewmsg.jsp
    /var/opt/SUNWps/instance/portal/web-apps/jsp/default/mail/aml/delete.jsp
    /var/opt/SUNWps/instance/portal/web-apps/jsp/default/mail/aml/menu.jsp
    /var/opt/SUNWps/instance/portal/web-apps/jsp/default/mail/aml/moveMsg.jsp
    /var/opt/SUNWps/instance/portal/web-apps/jsp/default/mail/aml/doNewFd.jsp
    /var/opt/SUNWps/instance/portal/web-apps/jsp/default/mail/aml/folders.jsp
    /var/opt/SUNWps/instance/portal/web-apps/jsp/default/mail/aml/getfolders.jsp
    /var/opt/SUNWps/instance/portal/web-apps/jsp/default/mail/aml/message.jsp
    /var/opt/SUNWps/instance/portal/web-apps/jsp/default/mail/aml/newFd.jsp
    /var/opt/SUNWps/instance/portal/web-apps/jsp/default/mail/aml/typeMsg.jsp
    /var/opt/SUNWps/instance/portal/web-apps/jsp/default/mail/aml/compose.jsp
    /etc/opt/SUNWps/desktop/default/MailProvider/aml/display-summary.template
    /etc/opt/SUNWps/desktop/default/MailProvider/aml/display.template
  2. To configure the calendar provider, copy and edit the following files in the same way:


    /var/opt/SUNWps/instance/portal/web-apps/jsp/default/cal/sun-one/aml/event.jsp
    /var/opt/SUNWps/instance/portal/web-apps/jsp/default/cal/sun-one/aml/task.jsp
    /var/opt/SUNWps/instance/portal/web-apps/jsp/default/cal/sun-one/aml/dayview.jsp
  3. To configure the LDAP look-up channel:

    1. Copy ldaplookupprovider.jar from PortalPath/web-src/WEB-INF/lib/ of phys-bedgeN-1.us into /var/opt/SUNWps/instance/portal/web-apps/WEB-INF/lib and PortalPath/web-src/WEB-INF/lib/.

    2. Copy countryAccessCodes.properties, countryShortDial.properties, ldapab.properties, ldapab_en.properties, wireless.properties from PortalPath/web-src/WEB-INF/classes/ of phys-bedgeN-1.us into /var/opt/SUNWps/instance/portal/web-apps/WEB-INF/classes/ and PortalPath/web-src/WEB-INF/classes/.

    3. Copy launchLDAPABook.jsp from PortalPath/web-src/jsp/default/ of phys-bedgeN-1.us into /var/opt/SUNWps/instance/portal/web-apps/jsp/default/ and PortalPath/web-src/jsp/default/.

    4. Copy compose.jsp, doSearch.jsp, search.jsp from PortalPath/web-src/jsp/default/ldapab/aml of phys-bedgeN-1.us into /var/opt/SUNWps/instance/portal/web-apps/jsp/default/ldapab/aml and PortalPath/web-src/jsp/default/ldapab/aml.

    5. Copy compose.jsp, doSearch.jsp, search.jsp from PortalPath/web-src/jsp/default/ldapab/wml of phys-bedgeN-1.us into /var/opt/SUNWps/instance/portal/web-apps/jsp/default/ldapab/wml and PortalPath/web-src/jsp/default/ldapab/wml.

    6. Add /var/opt/SUNWps/instance/portal/web-apps/WEB-INF/classes to the classpath of the web server.

    7. Modify the value of the PropertyDirectory baseURL attribute in /opt/SUNWps/web-src/WEB-INF/classes/wireless.properties accordingly.

Procedure: To Configure the Single Sign-On (SSO) Adapter

Steps
  1. Log on to amconsole as admin and configure the SSO templates:

     1. Select the "Service Configuration" tab.
     2. Select SSO Adapter on the right panel.
     3. Configure the SSO template for each provider.
  2. Update the SSO adapter template for the mail provider, SUN-ONE-MAIL. (Note: in edge 2, the mail provider is configured to use proxy auth and only one mail server existed. The configuration may differ if proxy auth is not used or if more than one mail server exists in edge 3.)

     * Click the "Edit Properties..." link of SUN-ONE-MAIL under the section "SSO Adapter Templates".
     * Update the following properties accordingly:
         o enableProxyAuth
         o proxyAdminUid
         o proxyAdminPassword
  3. Create the SSO adapter template for the address book provider, SUN-ONE-ADDRESS-BOOK. (Note: in edge 2, the address book provider is configured to use proxy auth and only one mail server existed. The configuration may differ if proxy auth is not used or if more than one mail server exists in edge 3.)

     * Click the "NEW" button under the section "SSO Adapter Templates".
     * Enter "SUN-ONE-ADDRESS-BOOK" into the Name field.
     * Select "[SUN-ONE-ADDRESS-BOOK]" from the "Existing Template" selection list.
     * Click OK to create a copy of the "SUN-ONE-ADDRESS-BOOK" template.
     * Once the template has been created, update the following template properties accordingly:
         o host e.g. edge-ds1.us.example.com
         o port e.g. 389
         o pabSearchBase e.g. ou=people,o=example.com,o=esmi,o=pab
         o userSearchBase e.g. ou=people,o=example.com,o=esmi
         o aid
         o adminPassword
         o imapHost e.g. edge-mail1.us.example.com
         o imapPort e.g. 443
         o clientPort e.g. 80
         o enableProxyAuth (set to true to enable proxy auth)
         o proxyAdminUid (if proxy auth is to be enabled)
         o proxyAdminPassword (if proxy auth is to be enabled)
  4. Update the SSO adapter template for the calendar provider, SUN-ONE-CALENDAR. (Note: in edge 2, the calendar provider is configured to use proxy auth and only one calendar server existed. The configuration may differ if proxy auth is not used or if more than one calendar server exists in edge 3.)

     * Click the "Edit Properties..." link of SUN-ONE-CALENDAR under the section "SSO Adapter Templates".
     * Update the following properties accordingly:
         o enableProxyAuth (set to true to enable proxy auth)
         o proxyAdminUid (if proxy auth is to be enabled)
         o proxyAdminPassword (if proxy auth is to be enabled)
  5. Configure the SSO Adapter Configuration at the top organization level:

     1. Select the "Identity Management" tab.
     2. Select "Services" from the "View" drop-down list on the right panel.
     3. Select "SSO Adapter" from the Services list on the right panel.

  6. Configure the SSO adapter configuration for the mail provider, SunOneMail. (Note: in edge 2, only one mail server existed. The configuration may differ if more than one mail server exists in edge 3.)

     * Click the "Edit Properties..." link of SunOneMail on the left panel.
     * Update the following properties:
         o host e.g. edge-mail1.us.example.com
         o port e.g. 143
         o smtpServer e.g. edge-mail1.us.example.com
         o clientPort e.g. 80
         o smtpPort e.g. 25
  7. Configure the SSO adapter configuration for the calendar provider, SunOneCalendar. (Note: in edge 2, only one calendar server existed. The configuration may differ if more than one calendar server exists in edge 3.)

     * Click the "Edit Properties..." link of SunOneCalendar on the left panel.
     * Update the following properties:
         o host e.g. edge-cal1.us.example.com
         o port e.g. 143
         o clientPort e.g. 80
  8. Disable the authentication-less (anonymous) portal:

     * Log on to amconsole.
     * Select the "Service Configuration" tab.
     * Select Portal Desktop under Portal Server Configuration.
     * Check the Disable radio button under Authentication-less Portal Desktop Configuration.
  9. Set up the user profile for MAP application access at or after user loading (note: this may already be covered by user profile loading). Add the following object classes to the pre-selected users (see /apps/dirserv/shared/bin/wirelessUserProvision.sh):

     * sunmobileappmailperson
     * sunmobileappcalendarperson
     * sunssoadapterperson
     * sunportaldesktopperson
     * sunmobileappabperson
     * sunportalgatewayaccessservice

4.6.1 Remote Access Pack

Modify AMConfig.properties; refer to the AMConfig.properties of phys-edge-1. The software is installed on the edge-fe-n machines.

Follow the installation instructions in the product installation guide to install the Remote Access Pack and to perform its post-installation configuration.

Enable notification and disable polling between IS and the gateway, and apply the other system tuning:

- update platform.conf.default

- update AMConfig*.properties (refer to /var/opt/SUNWam/config/AMConfig*.properties of edge-fe6)

- update the gateway script (refer to /apps/SUNWps/bin/gateway.sh of edge-fe6)

Procedure: To Request an SSL Certificate

The following example is for messaging; substitute appropriate parameters as necessary. Note that certificate names can be anything because they are just nicknames. For example, if you call mail-amer.example.com “Server-Cert”, then “Server-Cert” needs to be in your configuration files. Common certutil commands:


    # certutil -L -d .                       (list all certificates in the database in the current directory)
    # certutil -L -d . -n certificateName    (show one certificate by nickname)
    # certutil -D -d . -n Server-Cert        (delete a certificate by nickname)
Steps
  1. Create a certificate directory for setting up the certificates (where app_id = mail, cal, etc.):


    # mkdir -p /usr/local/cert/SunPKI/app_id
    # cd /usr/local/cert/SunPKI/app_id
  2. Create sslpassword.conf that contains the correct password in the following format:


    Internal (Software) Token:password
  3. Create the PW file, which holds only the password (the token prefix is stripped off):


    # sed s/'^.*:'// sslpassword.conf > PW
  4. Create an empty certificate database:


    # certutil -N -d . -f ./PW
  5. Generate the request for a new PKI certificate, for example:


    # certutil -R -d . -s "CN=mail-amer.example.com, OU=messaging server/SSL Server,O=Example Corp." \
       -p 3032722269 -o ./cert_req.mail-amer -f ./PW -z /etc/passwd -a
  6. Order a new PKI certificate on your certificate server and retrieve it according to your corporate policy. Save the certificate in a file.

  7. Copy the certificate chain from your certificate server and save it to a file as well.

  8. Import all the certificates. The following commands assume that copies of the certificate chain files are in the parent directory and the certificate received for mail is in the current directory (the password file is the PW file created in step 3):


    # certutil -A -n "ABC Trusted Root" -t "TCu,TCu,TCuw" -d . -a -i ../ABC_chain.cert -f ./PW
    # certutil -A -n "Example Corp Root CA - ABC Corporation" -t "C,," -d . -a -i ../Example_Corp.cert -f ./PW
    # certutil -A -n "Example Corp CA (Class B) - Example Corp" -t "C,," -d . -a -i ../Example_Corp_cB.cert -f ./PW
    # certutil -A -n "Server-Cert" -t "u,u,u" -d . -a -i ./mail.cert -f ./PW
  9. List each certificate and document its expiration date:


    # certutil -L -d . -n "ABC Trusted Root"

    Expirations related to mail-amer.example.com:
       ABC Trusted Root:       Not After: Thu Feb 23 23:59:00 2007
       Example Corp CA ABC:    Not After: Thu Feb 23 23:59:00 2007
       Example Corp Class B:   Not After: Fri Nov 13 19:23:10 2009
       mail-amer.example.com:  Not After: Tue May 18 19:34:36 2010
       cal-amer.example.com:   Not After: Tue May 18 19:24:21 2010

    Based on the output above, at a minimum you will need to replace or renew the ABC Trusted Root and Example Corp CA ABC certificates in Feb 2007.

  10. Copy the certificates to their final destination on each front-end mail node:


    # cp *.db /opt/SUNWmsgsr/config

    Tar up the cert directory from the d1/fe node on which you generated the certs and copy (scp) the same certs to all fe/d1 nodes. This includes the cert8.db, key3.db and secmod.db files. Extract the tar file within the /usr/local/cert subdirectory, and from there copy all certs to /opt/SUNWmsgsr/config and verify the permissions (600, mailsrv:mailsrv).

    Verify that the password in sslpassword.conf matches the PW used during cert generation and replace it if necessary:

    # cat /opt/SUNWmsgsr/config/sslpassword.conf

    This should show a single line with the password at the end and no spaces after the ":":  Internal (Software) Token:password
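The following Python script is an added example, not part of the original document: it performs the permission and ownership check this step asks for by hand, and validates the single-line format of sslpassword.conf from step 2. The file names (cert8.db, key3.db, secmod.db, sslpassword.conf), the 600 mode and the mailsrv:mailsrv owner come from the step; the function names, the audit_config_dir wrapper and the sample records (uid/gid 1001 standing in for mailsrv) are assumptions made here.

```python
"""Audit the NSS certificate store copied to /opt/SUNWmsgsr/config.

Added example, not part of the original deployment document. The required
file names, the 600 mode and the mailsrv:mailsrv owner come from the step
above; everything else (function names, sample records) is assumed here.
"""
import grp
import os
import pwd
import re
import stat

# Files the step says must be present. key3.db holds the private key and
# sslpassword.conf holds its cleartext password, so mode 600 matters.
REQUIRED_FILES = ("cert8.db", "key3.db", "secmod.db", "sslpassword.conf")
EXPECTED_MODE = 0o600
CONFIG_DIR = "/opt/SUNWmsgsr/config"

# sslpassword.conf must be exactly: token name, colon, password, with no
# whitespace after the colon.
_PASSWORD_LINE = re.compile(r"^Internal \(Software\) Token:\S+$")


def sslpassword_line_ok(contents):
    """True if `contents` is exactly one well-formed token:password line."""
    lines = contents.splitlines()
    return len(lines) == 1 and _PASSWORD_LINE.match(lines[0]) is not None


def audit_entries(entries, expected_uid, expected_gid, required=REQUIRED_FILES):
    """Check (name, st_mode, uid, gid) records against the expected state.

    Returns a sorted list of (file name, problem) tuples; an empty list means
    every required file is present with mode 600 and the expected owner.
    """
    seen = {name: (mode, uid, gid) for name, mode, uid, gid in entries}
    problems = []
    for name in required:
        if name not in seen:
            problems.append((name, "missing"))
            continue
        mode, uid, gid = seen[name]
        perm = stat.S_IMODE(mode)  # strip the file-type bits
        if perm != EXPECTED_MODE:
            problems.append((name, "mode %04o, expected %04o" % (perm, EXPECTED_MODE)))
        if uid != expected_uid:
            problems.append((name, "uid %d, expected %d" % (uid, expected_uid)))
        if gid != expected_gid:
            problems.append((name, "gid %d, expected %d" % (gid, expected_gid)))
    return sorted(problems)


def audit_config_dir(config_dir=CONFIG_DIR, owner="mailsrv", group="mailsrv"):
    """Stat the real directory on a mail node and run the same checks."""
    expected_uid = pwd.getpwnam(owner).pw_uid
    expected_gid = grp.getgrnam(group).gr_gid
    entries = []
    for name in REQUIRED_FILES:
        try:
            st = os.stat(os.path.join(config_dir, name))
        except FileNotFoundError:
            continue  # reported as "missing" by audit_entries
        entries.append((name, st.st_mode, st.st_uid, st.st_gid))
    problems = audit_entries(entries, expected_uid, expected_gid)
    pw_path = os.path.join(config_dir, "sslpassword.conf")
    if os.path.exists(pw_path):
        with open(pw_path) as fh:
            if not sslpassword_line_ok(fh.read()):
                problems.append(("sslpassword.conf", "malformed token:password line"))
    return problems


if __name__ == "__main__":
    # Constructed sample records (uid/gid 1001 stands in for mailsrv).
    sample = [
        ("cert8.db", 0o100600, 1001, 1001),
        ("key3.db", 0o100644, 1001, 1001),   # world-readable private key db
        ("secmod.db", 0o100600, 0, 1001),    # still owned by root after the copy
    ]
    for name, problem in audit_entries(sample, 1001, 1001):
        print("%-20s %s" % (name, problem))
```

Run audit_config_dir() as root on each node after the copy; anything it returns is a file that would either expose the key database or be unreadable by the mailsrv process.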
    
  11. Copy the same mail certificates to the web server for mail filter use if it needs to listen on SSL ports (443 or 444):

    1. For web server certificates, go into /opt/SUNWwbsvr/alias.

    2. In the web server config directory, create the file password.conf (same permissions as the db files). Its format is, assuming the real password for the mail certificate databases is "something": internal:something

    3. In the web server config directory, edit magnus.conf and change Security to on.

    4. In the web server config directory, edit server.xml and add or modify listen ports as needed. On Nauticus, server.xml should use the hostname rather than the mail VIP; on Foundry sites, the mail VIP should be used.

    5. Restart the web server.

  12. If using Nauticus, complete this step (for the mail and cal certificates):


    # pk12util -d . -o /var/tmp/mail_pkcs12.out -n Server-Cert
    # openssl pkcs12 -in /var/tmp/mail_pkcs12.out -out /var/tmp/mail_key.pem
    # rm /var/tmp/mail_pkcs12.out

    Provide mail_key.pem to GIS for import into Nauticus.
  13. Restart the mail services so that the certificates are used. Verify that SSL is working by connecting with the openssl program, for example:


    From a Foundry front end:   ./openssl s_client -connect mail-amer.example.com:993

    From a Nauticus front end:  ./openssl s_client -connect d1-sfbay-01.example.com:993

    Also check the logs for any messages relating to SSL issues.
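The following Python script is an added example serving step 9 and step 13; it is not part of the original document. It parses the summarised certutil -L listing shown in step 9 (and the "Not After :" line certutil prints for a single nickname) to flag certificates expiring within a chosen window, and it replaces the s_client eyeball check in step 13 with a connection that enforces chain and hostname verification. The sample listing is copied from step 9; the function names, the date-window parameters and the optional cafile argument (a PEM copy of the corporate chain) are assumptions made here.

```python
"""Certificate expiry audit and verified TLS connection check.

Added example, not part of the original deployment document. It parses the
summarised `certutil -L` listing shown in step 9 (lines of the form
"<nickname>:  Not After: <date>"; the "Not After : <date>" line printed by
`certutil -L -d . -n <nick>` itself is accepted too) and performs the step 13
connection test with chain and hostname verification enforced.
"""
import re
import socket
import ssl
from datetime import datetime, timedelta, timezone

# Constructed sample: the listing from step 9, verbatim.
SAMPLE_LISTING = """\
Expirations related to mail-amer.example.com:
ABC Trusted Root:       Not After: Thu Feb 23 23:59:00 2007
Example Corp CA ABC:    Not After: Thu Feb 23 23:59:00 2007
Example Corp Class B:   Not After: Fri Nov 13 19:23:10 2009
mail-amer.example.com:  Not After: Tue May 18 19:34:36 2010
cal-amer.example.com:   Not After: Tue May 18 19:24:21 2010
"""

_NOT_AFTER = re.compile(
    r"^\s*(?:(?P<name>[^:]+?)\s*:\s+)?Not After\s*:\s*"
    r"(?P<date>[A-Z][a-z]{2} [A-Z][a-z]{2}\s+\d{1,2} \d{2}:\d{2}:\d{2} \d{4})"
)
_DATE_FMT = "%a %b %d %H:%M:%S %Y"  # ctime-style date used by certutil


def parse_expirations(listing):
    """Map each nickname in a certutil-style listing to its expiry datetime."""
    found = {}
    for line in listing.splitlines():
        m = _NOT_AFTER.match(line)
        if m is None:
            continue  # headers such as "Expirations related to ..." are skipped
        name = (m.group("name") or "(unnamed)").strip()
        found[name] = datetime.strptime(m.group("date"), _DATE_FMT)
    return found


def expiring_within(listing, days, today):
    """Nicknames that expire on or before `today` + `days` (today as YYYY-MM-DD)."""
    limit = datetime.strptime(today, "%Y-%m-%d") + timedelta(days=days)
    return sorted(n for n, exp in parse_expirations(listing).items() if exp <= limit)


def check_tls_endpoint(host, port, cafile=None, timeout=10.0):
    """Connect like `openssl s_client -connect host:port`, but fail unless the
    chain validates (against `cafile`, or the system store) and the name matches.

    Returns the verified leaf's subject, expiry and protocol; raises
    ssl.SSLCertVerificationError on a bad chain or a name mismatch.
    """
    ctx = ssl.create_default_context(cafile=cafile)
    with socket.create_connection((host, port), timeout=timeout) as sock:
        with ctx.wrap_socket(sock, server_hostname=host) as tls:
            cert = tls.getpeercert()
            proto = tls.version()
    not_after = datetime.fromtimestamp(ssl.cert_time_to_seconds(cert["notAfter"]), tz=timezone.utc)
    subject = {k: v for rdn in cert["subject"] for k, v in rdn}
    return {
        "subject": subject,
        "not_after": not_after,
        "days_left": (not_after - datetime.now(timezone.utc)).days,
        "protocol": proto,
    }


if __name__ == "__main__":
    import sys
    # Which of the step 9 certificates need renewing within 90 days of 2006-12-01?
    for name in expiring_within(SAMPLE_LISTING, 90, "2006-12-01"):
        print("renew soon:", name)
    if len(sys.argv) == 3:  # e.g. mail-amer.example.com 993
        print(check_tls_endpoint(sys.argv[1], int(sys.argv[2])))
```

Port 993 (IMAPS) negotiates TLS immediately, so the check works as-is; a verification failure there means the imported chain or the Server-Cert nickname in the configuration is wrong, which s_client would report only as a warning in its output.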
    

Procedure: To Install an SSL Certificate

Steps
  1. Install the certificate:


    # PortalPath/SUNWps/bin/certadmin -n default
  2. Select 4) Install Certificate From Certificate Authority (CA) on the certificate administration menu.

  3. Provide server-cert (or whatever certificate name is to be used) as the certificate name, and the certificate file saved in “Order a Certificate From a CA.”

  4. Restart the gateway.

Procedure: Setting Up the Gateway Redirector

Steps
  1. Install and configure a web server that listens on port 80 under the gateway DNS name. From edge-fe6, copy /apps/SUNWwbsvr/docs/index.html to WebServerPath/docs/ and /apps/SUNWwbsvr/docs/en/index.html to WebServerPath/docs/en/.

  2. Modify the URL in index.html accordingly.

Procedure: Setting Up Load Balancing

Step

    Modify /etc/mail/submit.cf and change MTAHost to relay all e-mail through the dedicated MTA VIP:


    D{MTAHost}[10.1.82.194]