Sun Java System Calendar Server 6 2005Q1 Administration Guide
Chapter 8
Configuring SSL
Calendar Server supports the Secure Sockets Layer (SSL) protocol to encrypt data between calendar client end users and Calendar Server. To support SSL, Calendar Server uses the SSL libraries of Netscape Security Services (NSS), which Sun Java System Messaging Server also uses.
In the ics.conf file, you can configure Calendar Server to encrypt only the Calendar Server login and password, or to encrypt the entire calendar session.
This chapter describes the following topics:
Configuring SSL for Calendar Server
To configure SSL for Calendar Server, perform the following steps:
Creating an SSL Certificate Database
An SSL implementation for Calendar Server requires a certificate database. The certificate database must define a Certificate Authority (CA) and a certificate for Calendar Server.
Mozilla Tools
This release includes the following Mozilla tools:
- Certificate Database Tool (certutil), used to create and manage the certificate database. For more information, see the following web site:
http://mozilla.org/projects/security/pki/nss/tools/certutil.html
- Security Module Database Tool (modutil), used to display information about the available security modules. For more information, see the following web site:
http://mozilla.org/projects/security/pki/nss/tools/modutil.html
These utilities are located in the following directory:
/opt/SUNWics5/cal/lib
Or download the latest version from the web site.
Library Path Variable
Before using the Mozilla tools, set your LD_LIBRARY_PATH variable appropriately. For example:
setenv LD_LIBRARY_PATH /opt/SUNWics5/cal/lib
Example Files and Directories
The examples in this chapter use the following files and directories:
Creating a Certificate Database
- Log in as or become superuser (root).
- Specify the certificate database password for certutil in /etc/opt/SUNWics5/config/sslPasswordFile. For example:
# echo 'password' > /etc/opt/SUNWics5/config/sslPasswordFile
where password is your specific password.
- Create the certificate database alias directory. For example:
# cd /var/opt/SUNWics5
# mkdir alias
- Go to the bin directory and generate the certificate database (cert7.db) and key database (key3.db). For example:
# cd /opt/SUNWics5/cal/bin
# ./certutil -N -d /var/opt/SUNWics5/alias \
    -f /etc/opt/SUNWics5/config/sslPasswordFile
Note: When you must run the certutil utility, follow the example exactly, or consult the certutil help page to understand the syntax.
For example, in this case, do not run the utility with the -N option without specifying the -d /file information.
- Generate a default self-signed root Certificate Authority certificate. For example:
# ./certutil -S -n SampleRootCA -x -t "CTu,CTu,CTu" \
    -s "CN=My Sample Root CA, O=sesta.com" -m 25000 \
    -o /var/opt/SUNWics5/alias/SampleRootCA.crt \
    -d /var/opt/SUNWics5/alias \
    -f /etc/opt/SUNWics5/config/sslPasswordFile -z /etc/passwd
- Generate a certificate for the host. For example:
# ./certutil -S -n SampleSSLServerCert -c SampleRootCA -t "u,u,u" \
    -s "CN=hostname.sesta.com, O=sesta.com" -m 25001 \
    -o /var/opt/SUNWics5/alias/SampleSSLServer.crt \
    -d /var/opt/SUNWics5/alias -f /etc/opt/SUNWics5/config/sslPasswordFile \
    -z /etc/passwd
where hostname.sesta.com is the server host name.
- Validate the certificates. For example:
# ./certutil -V -u V -n SampleRootCA -d /var/opt/SUNWics5/alias
# ./certutil -V -u V -n SampleSSLServerCert -d /var/opt/SUNWics5/alias
- List the certificates. For example:
# ./certutil -L -d /var/opt/SUNWics5/alias
# ./certutil -L -n SampleSSLServerCert -d /var/opt/SUNWics5/alias
- Use modutil to list the available security modules (secmod.db). For example:
# ./modutil -list -dbdir /var/opt/SUNWics5/alias
- Change the owner of the alias files to icsuser and icsgroup (or the user and group identity under which Calendar Server will run). For example:
# find /var/opt/SUNWics5/alias -exec chown icsuser {} \;
# find /var/opt/SUNWics5/alias -exec chgrp icsgroup {} \;
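A post-setup check for the procedure above, as an added example that is not part of the original guide: it confirms that the three NSS database files exist in the alias directory and that neither they nor the password file grant any access to "other" users. The function name audit_ssl_store and the no-access-for-others policy are assumptions of this sketch.

```shell
#!/bin/sh
# Added example (not from the guide). audit_ssl_store is a hypothetical helper;
# the "no permission bits for other users" policy is an assumption.

# usage: audit_ssl_store ALIAS_DIR PASSWORD_FILE
# Prints one finding per line; returns 0 only when there are no findings.
audit_ssl_store() {
    alias_dir=$1 pw_file=$2 findings=0

    # The databases the guide names: cert7.db, key3.db and secmod.db.
    for db in cert7.db key3.db secmod.db; do
        if [ ! -f "$alias_dir/$db" ]; then
            echo "MISSING $alias_dir/$db"
            findings=$((findings + 1))
        fi
    done

    if [ ! -f "$pw_file" ]; then
        echo "MISSING $pw_file"
        findings=$((findings + 1))
    fi

    # Any read, write or execute bit for "other" exposes the key database
    # or the plaintext database password to every local account.
    open=$(find "$alias_dir" "$pw_file" \
        \( -perm -004 -o -perm -002 -o -perm -001 \) -print 2>/dev/null)
    if [ -n "$open" ]; then
        printf '%s\n' "$open" | sed 's/^/OPEN-TO-OTHERS /'
        findings=$((findings + 1))
    fi

    [ "$findings" -eq 0 ]
}

# Run against the guide's paths only when invoked with "--run".
if [ "${1:-}" = "--run" ]; then
    audit_ssl_store /var/opt/SUNWics5/alias /etc/opt/SUNWics5/config/sslPasswordFile
fi
```

A password file written by root with echo inherits the current umask, so it is the entry most likely to be reported.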
Requesting and Importing a Certificate from a Root Certificate Authority (CA)
The following steps generate a certificate request, submit it to a Public Key Infrastructure (PKI) web site, and then import the certificate.
Requesting and Importing a Certificate from a Root Certificate Authority
- Log in as or become superuser (root).
- Go to the bin directory:
# cd /opt/SUNWics5/cal/bin
- Use certutil to generate a certificate request based on the Certificate Authority or Public Key Infrastructure (PKI) web site. For example:
# ./certutil -R -s "CN=hostname.sesta.com, OU=hostname / SSL Web Server, O=Sesta, C=US" -p "408-555-1234" -o hostnameCert.req -g 1024 \
    -d /var/opt/SUNWics5/alias \
    -f /etc/opt/SUNWics5/config/sslPasswordFile \
    -z /etc/passwd -a
where hostname.sesta.com is the host name.
- Request a test certificate for the SSL Web server from the Certificate Authority or Public Key Infrastructure (PKI) web site. Copy the contents of the hostnameCert.req file and paste them into the certificate request.
You will be notified when your certificate is signed and available.
- Copy the Certificate Authority certificate chain and the SSL server certificate into text files.
- Import the Certificate Authority certificate chain into the certificate database to establish the chain of authority. For example:
# ./certutil -A -n "GTE CyberTrust Root" -t "TCu,TCu,TCuw" \
    -d /var/opt/SUNWics5/alias -a -i /export/wspace/Certificates/CA_Certificate_1.txt \
    -f /etc/opt/SUNWics5/config/sslPasswordFile
# ./certutil -A -n "Sesta TEST Root CA" -t "TCu,TCu,TCuw" \
    -d /var/opt/SUNWics5/alias -a -i /export/wspace/Certificates/CA_Certificate_2.txt \
    -f /etc/opt/SUNWics5/config/sslPasswordFile
- Import the signed SSL server certificate:
# ./certutil -A -n "hostname SSL Server Test Cert" -t "u,u,u" \
    -d /var/opt/SUNWics5/alias -a -i /export/wspace/Certificates/SSL_Server_Certificate.txt \
    -f /etc/opt/SUNWics5/config/sslPasswordFile
- List the certificates in the certificate database:
# ./certutil -L -d /var/opt/SUNWics5/alias
- In the ics.conf file, configure the SSL server nickname to be the signed SSL server certificate, for example: "hostname SSL Server Test Cert".
Note: The host name used for the service.http.calendarhostname and service.http.ssl.sourceurl parameters in the ics.conf file should match the host name on the SSL certificate (in case your system has several aliases). For example: calendar.sesta.com
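The host-name match that the note above asks for, as an added example that is not part of the original guide: it reads the two parameters from ics.conf and compares them with the CN of the certificate subject. The function names and the name = "value" line layout assumed for ics.conf are assumptions, and the sample file is constructed.

```shell
#!/bin/sh
# Added example (not from the guide). Function names are hypothetical and the
# 'name = "value"' line layout of ics.conf is an assumption of this sketch.

# Print the value of one parameter; the last uncommented setting wins.
ics_param() {  # usage: ics_param FILE NAME
    name=$(printf '%s' "$2" | sed 's/\./\\./g')
    sed -n "s/^[[:space:]]*${name}[[:space:]]*=[[:space:]]*\"\{0,1\}\([^\"]*\)\"\{0,1\}[[:space:]]*\$/\1/p" "$1" | tail -n 1
}

# Reduce a bare host or a URL (https://host:port/path) to a lowercase host.
host_of() {
    printf '%s\n' "$1" |
        sed -e 's|^[A-Za-z][A-Za-z0-9+.-]*://||' -e 's|[/:].*$||' |
        tr '[:upper:]' '[:lower:]'
}

# Extract the CN from a subject such as "CN=hostname.sesta.com, O=sesta.com".
cn_of() {
    printf '%s\n' "$1" | sed -n 's/^.*CN=\([^,]*\).*$/\1/p' | tr '[:upper:]' '[:lower:]'
}

# Return 0 when both parameters name the host in the certificate subject.
check_ics_hostnames() {  # usage: check_ics_hostnames ICS_CONF SUBJECT
    cn=$(cn_of "$2")
    [ -n "$cn" ] || { echo "no CN in subject: $2"; return 2; }
    rc=0
    for p in service.http.calendarhostname service.http.ssl.sourceurl; do
        h=$(host_of "$(ics_param "$1" "$p")")
        if [ "$h" != "$cn" ]; then
            echo "MISMATCH $p: '$h' is not certificate CN '$cn'"
            rc=1
        fi
    done
    return $rc
}

# Constructed sample: an alias in ics.conf, the real host name in the certificate.
sample=$(mktemp)
cat > "$sample" <<'EOF'
service.http.calendarhostname = "calendar.sesta.com"
service.http.ssl.sourceurl = "https://calendar.sesta.com:443"
service.http.ssl.port = "443"
EOF
check_ics_hostnames "$sample" "CN=hostname.sesta.com, O=sesta.com" || true
rm -f "$sample"
```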
Configuring SSL Parameters in the ics.conf File
To implement SSL with Calendar Server, you must set specific parameters in the ics.conf file. If any of the parameters listed in Table 8-1 are not in the ics.conf file, add them to the file and specify their values. Because ics.conf is read only when the system starts up (when start-cal is issued), the new values take effect only after Calendar Server is restarted. For descriptions of these SSL parameters, see "SSL Configuration".
Troubleshooting SSL
First, back up your certificate database regularly, in case an unrecoverable problem occurs. If you have a problem with SSL, here are some things to consider:
Checking the cshttpd Process
SSL requires the Calendar Server cshttpd process to be running. To determine whether cshttpd is running, use the following command:
# ps -ef | grep cshttpd
Verifying Certificates
To list the certificates in the certificate database and check their valid dates, use the following command:
# ./certutil -L -d /var/opt/SUNWics5/alias
Reviewing Calendar Server Log Files
Check the Calendar Server log files for any SSL errors. For more information, see Using Calendar Server Log Files.
Connecting to the SSL Port
Connect to the SSL port using a browser and the following URL:
https://server-name:ssl-port-number
where:
server-name is the name of the server where Calendar Server is running.
ssl-port-number is the SSL port number specified by the service.http.ssl.port parameter in the ics.conf file. The default is 443.