Deployment Example: Sun Java System Communications Services for Access Anywhere (EdgeMail)

Procedure: To Request an SSL Certificate

The following example is for messaging; substitute the appropriate parameters as necessary. Note that certificate names can be anything because they are just nicknames. For example, if you call the certificate for mail-amer.example.com “Server-Cert”, then “Server-Cert” is the name that must appear in your configuration files.

Common certutil commands (the leading # is the root shell prompt):


# certutil -L -d .                       (list all certificates in the database in the current directory)
# certutil -L -d . -n certificateName    (show one certificate, including its Not Before/Not After dates)
# certutil -D -d . -n Server-Cert        (delete the certificate with the nickname Server-Cert)
Steps
  1. Create a certificate directory in which to set up the certificates:


    # mkdir -p /usr/local/cert/SunPKI/app_id (where app_id = mail, cal, etc.)
    # cd /usr/local/cert/SunPKI/app_id
  2. Create sslpassword.conf containing the certificate database password, in the following format (the token name, a colon, then the password with no space after the colon):


    Internal (Software) Token:password
  3. Create the PW file. It holds the password alone, extracted from sslpassword.conf, and is what certutil reads through -f in the later steps. The sed expression strips everything up to the first colon, so a password that itself contains a colon is preserved. Both files hold the database password, so keep them readable by root only:


    # sed 's/^[^:]*://' sslpassword.conf > PW
  4. Create an empty certificate database:


    # certutil -N -d . -f ./PW
  5. Generate the request for a new PKI certificate. -s is the subject DN, -p a contact phone number recorded in the request, -z any file used to seed the random number generator, -o the output file and -a selects ASCII (PEM) output. For example:


    # certutil -R -d . -s "CN=mail-amer.example.com, OU=messaging server/SSL Server,O=Example Corp." \
       -p 3032722269 -o ./cert_req.mail-amer -f ./PW -z /etc/passwd -a
  6. Order a new PKI certificate on your certificate server and retrieve it according to your corporate policy. Save the certificate in a file.

  7. Copy the certificate chain from your certificate server and save it to a file as well.

  8. Import all the certificates. The following commands assume that copies of the certificate chain files are in the parent directory and the certificate received for mail is in the current directory. The trust flags mark the CA certificates as trusted issuers (C for SSL servers, T for SSL clients) and the server certificate as ours (u), whose private key is in this database. The -f file is the same PW file created in step 3:


    # certutil -A -n "ABC Trusted Root" -t "TCu,TCu,TCuw" -d . -a -i ../ABC_chain.cert -f ./PW
    # certutil -A -n "Example Corp Root CA - ABC Corporation" -t "C,," -d . -a -i ../Example_Corp.cert -f ./PW
    # certutil -A -n "Example Corp CA (Class B) - Example Corp" -t "C,," -d . -a -i ../Example_Corp_cB.cert -f ./PW
    # certutil -A -n "Server-Cert" -t "u,u,u" -d . -a -i ./mail.cert -f ./PW
  9. List each certificate and document its expiration date. Run the following for every nickname in the database and record the "Not After" value it prints:


    # certutil -L -d . -n "ABC Trusted Root"

    Recorded this way, the expirations related to mail-amer.example.com are, for example:

       ABC Trusted Root:       Not After: Thu Feb 23 23:59:00 2007
       Example Corp CA ABC:    Not After: Thu Feb 23 23:59:00 2007
       Example Corp Class B:   Not After: Fri Nov 13 19:23:10 2009
       mail-amer.example.com:  Not After: Tue May 18 19:34:36 2010
       cal-amer.example.com:   Not After: Tue May 18 19:24:21 2010

    Per the output above, at a minimum the ABC Trusted Root and Example Corp CA ABC certificates must be replaced or renewed by February 2007. A server certificate that chains to an expired CA certificate fails validation even if the server certificate itself is still valid.

  10. Copy the certificates to their final destination on each front-end mail node:


    # cp *.db /opt/SUNWmsgsr/config

    Tar up the cert directory from the d1/fe node on which you generated the certificates and copy (scp) the same certificates to all fe/d1 nodes. This includes the cert8.db, key3.db and secmod.db files; key3.db contains the private key, so transfer it only over scp and do not leave copies on shared filesystems. Extract the tar file within the /usr/local/cert subdirectory, and from there copy all certificates to /opt/SUNWmsgsr/config and verify the permissions (600, mailsrv:mailsrv).

    Verify that the password in sslpassword.conf is the PW used during certificate generation, and replace it if necessary:

    # cat /opt/SUNWmsgsr/config/sslpassword.conf
    Internal (Software) Token:password

    The file should contain a single line with the PW at the end and no spaces after the ":".
    
  11. Copy the same mail certificates to the web server for mail filter use if it needs to listen on SSL ports (443 or 444):

    1. Web server certificates go in: /opt/SUNWwbsvr/alias

    2. Under the web server config directory create the file password.conf (same permissions as the db files). Its format, assuming the real password for the mail certificate databases is "something", is: internal:something

    3. Edit the file magnus.conf under the web server config directory and set Security to on.

    4. Edit the file server.xml under the web server config directory and add or modify listen ports as needed. On Nauticus, server.xml should use the hostname rather than the mail VIP; on Foundry sites the mail VIP should be used.

    5. Restart webserver.

  12. If using Nauticus, complete this step (for the mail and cal certificates). pk12util exports the certificate and its private key from the NSS database as a PKCS#12 file (it prompts for the database password and an export password); openssl then converts that file to PEM (it prompts for the export password and a PEM pass phrase). The resulting mail_key.pem contains the private key, so treat it like key3.db:


    pk12util -d . -o /var/tmp/mail_pkcs12.out  -n Server-Cert
    
    openssl pkcs12 -in /var/tmp/mail_pkcs12.out -out /var/tmp/mail_key.pem
    rm /var/tmp/mail_pkcs12.out
    
    # Provide mail_key.pem to GIS for import into Nauticus, then remove the local copy.
  13. Restart the mail services so that the certificates are used. Verify that SSL is working by connecting with the openssl program:


        e.g. from the Foundry front end:   ./openssl s_client -connect mail-amer.example.com:993
    
        e.g. from the Nauticus front end:  ./openssl s_client -connect d1-sfbay-01.example.com:993
     
    
        The output shows the certificate chain the server presents; check that the subject is the expected server name and that the issuers match the chain imported in step 8. Without the CA in openssl's trust store the verify return code will be non-zero even when the chain is correct, so pass the chain file with -CAfile to confirm it verifies. Also check the logs for any messages relating to issues with SSL.
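The whole procedure above, steps 1 to 5 and 8 to 10, wrapped into shell functions, plus the two checks it asks for: the sslpassword.conf format check from step 10 and an expiry report over the dates recorded in step 9. This is an added example and not code from the original page or from Sun; the function names, the CERTDIR default, the use of umask 077 for the password and database files, and the certutil summary embedded as sample input are all assumptions. The functions that run certutil need NSS installed; the checks are plain sh, sed and date.

```shell
#!/bin/sh
# Added example (not from the original page). Assumed names: CERTDIR, PWFILE,
# all function names, and the constructed SAMPLE_LISTING below.
set -u

CERTDIR=${CERTDIR:-/usr/local/cert/SunPKI/mail}   # assumed default, app_id=mail
PWFILE=./PW

# Steps 1-4: directory, PW derived from sslpassword.conf, empty NSS database.
# umask 077 keeps PW and the *.db files (key3.db holds the private key) private.
init_certdb() {
    umask 077
    mkdir -p "$CERTDIR" && cd "$CERTDIR" || return 1
    check_sslpassword_conf sslpassword.conf || { echo "bad sslpassword.conf" >&2; return 1; }
    sed 's/^[^:]*://' sslpassword.conf > "$PWFILE"    # everything after the first ':'
    certutil -N -d . -f "$PWFILE"
}

# Step 5: certificate request for a server name. -z just needs any file as a seed.
request_cert() {  # $1 = server FQDN, $2 = output file
    certutil -R -d . -s "CN=$1, OU=messaging server/SSL Server, O=Example Corp." \
        -o "$2" -f "$PWFILE" -z /etc/passwd -a
}

# Step 8: CA certificates get issuer trust (C), the server cert is ours (u).
import_ca()     { certutil -A -d . -n "$1" -t "C,," -a -i "$2" -f "$PWFILE"; }
import_server() { certutil -A -d . -n "Server-Cert" -t "u,u,u" -a -i "$1" -f "$PWFILE"; }

# Step 9 helper: the Not After date of one nickname, as certutil prints it.
cert_not_after() {  # $1 = db dir, $2 = nickname
    certutil -L -d "$1" -n "$2" | sed -n 's/.*Not After *: *//p'
}

# Step 10 check: exactly one line "Internal (Software) Token:<password>",
# no whitespace after the colon. Returns 0 when the file is well formed.
check_sslpassword_conf() {
    [ "$(awk 'END { print NR }' "$1")" -eq 1 ] &&
    grep -Eq '^Internal \(Software\) Token:[^[:space:]]+$' "$1"
}

# "Thu Feb 23 23:59:00 2007" (certutil's format) -> epoch seconds. The weekday
# is dropped before parsing so a wrong weekday cannot shift the date.
to_epoch() {
    set -- $1
    case $2 in
        Jan) m=01;; Feb) m=02;; Mar) m=03;; Apr) m=04;; May) m=05;; Jun) m=06;;
        Jul) m=07;; Aug) m=08;; Sep) m=09;; Oct) m=10;; Nov) m=11;; Dec) m=12;;
        *) return 1;;
    esac
    iso=$(printf '%s-%s-%02d %s' "$5" "$m" "$3" "$4")
    if date --version >/dev/null 2>&1; then date -d "$iso" +%s            # GNU date
    else date -j -f '%Y-%m-%d %H:%M:%S' "$iso" +%s; fi                   # BSD date
}

# Whole days from $2 (default: now) until Not After $1; negative means expired.
days_until() {
    exp=$(to_epoch "$1") || return 1
    if [ -n "${2:-}" ]; then ref=$(to_epoch "$2") || return 1; else ref=$(date +%s); fi
    echo $(( (exp - ref) / 86400 ))
}

# Step 9 report: reads "nickname: Not After: <date>" lines on stdin and prints
# the nicknames expiring within $1 days of reference date $2 (default: now).
expiring_within() {
    while IFS= read -r line; do
        case $line in *"Not After"*) ;; *) continue;; esac
        name=${line%%:*}
        when=${line#*Not After}; when=${when#*:}
        d=$(days_until "$when" "${2:-}") || continue
        if [ "$d" -le "$1" ]; then printf '%s (%s days)\n' "$name" "$d"; fi
    done
}

# Constructed sample in the summary format used in step 9 (not real certutil output).
SAMPLE_LISTING='ABC Trusted Root:       Not After: Thu Feb 23 23:59:00 2007
Example Corp CA ABC:    Not After: Thu Feb 23 23:59:00 2007
Example Corp Class B:   Not After: Fri Nov 13 19:23:10 2009
mail-amer.example.com:  Not After: Tue May 18 19:34:36 2010
cal-amer.example.com:   Not After: Tue May 18 19:24:21 2010'

renew_soon() {  # $1 = days ahead, $2 = reference date (optional)
    printf '%s\n' "$SAMPLE_LISTING" | expiring_within "$1" "${2:-}"
}

# Usage: sh thisfile.sh report ['Thu Feb 01 00:00:00 2007']
if [ "${1:-}" = "report" ]; then renew_soon 90 "${2:-}"; fi
```

On a real node, replace SAMPLE_LISTING with the output of cert_not_after for each nickname (for n in "ABC Trusted Root" "Server-Cert" ...; do printf '%s: Not After: %s\n' "$n" "$(cert_not_after . "$n")"; done | expiring_within 90) and run it from cron; a CA certificate in the chain that reports a negative day count breaks the server certificate's validation even when Server-Cert itself is still within its dates.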