Sun Java System Calendar Server 6 2005Q1 Administration Guide

Chapter 8
Configuring SSL

Calendar Server supports the Secure Sockets Layer (SSL) protocol to encrypt data between calendar client end users and Calendar Server. To support SSL, Calendar Server uses the SSL libraries of Netscape Security Services (NSS), which Sun Java System Messaging Server also uses.

You can configure Calendar Server in the ics.conf file to encrypt only the Calendar Server login and password, or to encrypt the entire calendar session.

This chapter describes the following topics:


Note

Calendar Server does not support client-based SSL authentication.



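Configuring SSL for Calendar Server

To configure SSL for Calendar Server, perform the following steps:

Creating an SSL Certificate Database

The SSL implementation for Calendar Server requires a certificate database. The certificate database must define the Certificate Authority (CA) and the certificate used for Calendar Server.

Mozilla Tools

This release includes the following Mozilla tools:

These utilities are located in the following directory:

/opt/SUNWics5/cal/lib

Or download the latest version from the web site.

Library Path Variable

Before using the Mozilla tools, set your LD_LIBRARY_PATH variable appropriately. For example:

setenv LD_LIBRARY_PATH /opt/SUNWics5/cal/lib

Example Files and Directories

The examples in this chapter use the following files and directories:

To Create a Certificate Database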

  1. Log in as or become superuser (root).

  2. Specify the certificate database password for certutil in /etc/opt/SUNWics5/config/sslPasswordFile. For example:

     # echo 'password' > /etc/opt/SUNWics5/config/sslPasswordFile

     where password is your specific password.

  3. Create the certificate database alias directory. For example:

     # cd /var/opt/SUNWics5
     # mkdir alias

  4. Go to the bin directory and generate the certificate database (cert7.db) and the key database (key3.db). For example:

     # cd /opt/SUNWics5/cal/bin
     # ./certutil -N -d /var/opt/SUNWics5/alias \
         -f /etc/opt/SUNWics5/config/sslPasswordFile

     Note

     When you must run the certutil utility, follow the example exactly, or consult the certutil help page to understand the syntax.

     For example, in this case, do not run the utility with the -N option without also specifying the -d /file information.

  5. Generate a default self-signed root Certificate Authority certificate. For example:

     # ./certutil -S -n SampleRootCA -x -t "CTu,CTu,CTu" \
         -s "CN=My Sample Root CA, O=sesta.com" -m 25000 \
         -o /var/opt/SUNWics5/alias/SampleRootCA.crt \
         -d /var/opt/SUNWics5/alias \
         -f /etc/opt/SUNWics5/config/sslPasswordFile \
         -z /etc/passwd

  6. Generate a certificate for the host. For example:

     # ./certutil -S -n SampleSSLServerCert -c SampleRootCA -t "u,u,u" \
         -s "CN=hostname.sesta.com, O=sesta.com" -m 25001 \
         -o /var/opt/SUNWics5/alias/SampleSSLServer.crt \
         -d /var/opt/SUNWics5/alias \
         -f /etc/opt/SUNWics5/config/sslPasswordFile \
         -z /etc/passwd

     where hostname.sesta.com is the server host name.

  7. Validate the certificates. For example:

     # ./certutil -V -u V -n SampleRootCA -d /var/opt/SUNWics5/alias
     # ./certutil -V -u V -n SampleSSLServerCert -d /var/opt/SUNWics5/alias

  8. List the certificates. For example:

     # ./certutil -L -d /var/opt/SUNWics5/alias
     # ./certutil -L -n SampleSSLServerCert -d /var/opt/SUNWics5/alias

  9. Use modutil to list the available security modules (secmod.db). For example:

     # ./modutil -list -dbdir /var/opt/SUNWics5/alias

  10. Change the owner of the alias files to icsuser and icsgroup (or to the user and group identity that Calendar Server will run as). For example:

     # find /var/opt/SUNWics5/alias -exec chown icsuser {} \;
     # find /var/opt/SUNWics5/alias -exec chgrp icsgroup {} \;

Requesting and Importing a Certificate from a Root Certificate Authority (CA)

The following steps generate a certificate request, submit it to a Public Key Infrastructure (PKI) web site, and then import the certificate.

To Request and Import a Certificate from a Root Certificate Authority

  1. Log in as or become superuser (root).

  2. Go to the bin directory:

     # cd /opt/SUNWics5/cal/bin

  3. Use certutil to generate a certificate request based on the Certificate Authority or Public Key Infrastructure (PKI) web site. For example:

     # ./certutil -R \
         -s "CN=hostname.sesta.com, OU=hostname / SSL Web Server, O=Sesta, C=US" \
         -p "408-555-1234" -o hostnameCert.req -g 1024 \
         -d /var/opt/SUNWics5/alias \
         -f /etc/opt/SUNWics5/config/sslPasswordFile \
         -z /etc/passwd -a

     where hostname.sesta.com is the host name.

  4. Request a test certificate for the SSL web server from the Certificate Authority or Public Key Infrastructure (PKI) web site. Copy the contents of the hostnameCert.req file and paste them into the certificate request.

     You will be notified when your certificate has been signed and is available.

  5. Copy the Certificate Authority certificate chain and the SSL server certificate into text files.

  6. Import the Certificate Authority certificate chain into the certificate database to establish the authority chain. For example:

     # ./certutil -A -n "GTE CyberTrust Root" -t "TCu,TCu,TCuw" \
         -d /var/opt/SUNWics5/alias -a \
         -i /export/wspace/Certificates/CA_Certificate_1.txt \
         -f /etc/opt/SUNWics5/config/sslPasswordFile

     # ./certutil -A -n "Sesta TEST Root CA" -t "TCu,TCu,TCuw" \
         -d /var/opt/SUNWics5/alias -a \
         -i /export/wspace/Certificates/CA_Certificate_2.txt \
         -f /etc/opt/SUNWics5/config/sslPasswordFile

  7. Import the signed SSL server certificate:

     # ./certutil -A -n "hostname SSL Server Test Cert" -t "u,u,u" \
         -d /var/opt/SUNWics5/alias -a \
         -i /export/wspace/Certificates/SSL_Server_Certificate.txt \
         -f /etc/opt/SUNWics5/config/sslPasswordFile

  8. List the certificates in the certificate database:

     # ./certutil -L -d /var/opt/SUNWics5/alias

  9. In the ics.conf file, configure the SSL server nickname to be the signed SSL server certificate, for example: "hostname SSL Server Test Cert".

     Note

     The host name used for the service.http.calendarhostname and service.http.ssl.sourceurl parameters in the ics.conf file should match the host name on the SSL certificate (in case your system has several aliases). For example: calendar.sesta.com

Configuring SSL Parameters in the ics.conf File

To implement SSL with Calendar Server, you must set specific parameters in the ics.conf file. If any of the parameters listed in Table 8-1 are missing from the ics.conf file, add them to the file and specify their values. Because ics.conf is read only when the system starts (when start-cal is issued), new values take effect only after Calendar Server is restarted. For descriptions of these SSL parameters, see "SSL Configuration".

Table 8-1 ics.conf Parameters Required to Configure SSL

Parameter                               Value
encryption.rsa.nssslactivation          "on"
encryption.rsa.nssslpersonalityssl      "SampleSSLServerCert"
encryption.rsa.nsssltoken               "internal"
service.http.tmpdir                     "/var/opt/SUNWics5/tmp"
service.http.uidir.path                 "html"
service.http.ssl.cachedir               "."
service.http.ssl.cachesize              "10000"
service.http.ssl.certdb.password        "anypassword" (provide the appropriate password)
service.http.ssl.certdb.path            "/var/opt/SUNWics5/alias"
service.http.ssl.port.enable            "yes"
service.http.ssl.port                   "443" (default port)
service.http.ssl.securelogin            "yes" (login and password are encrypted)
service.http.securesession              "yes" (the entire session is encrypted)
service.http.ssl.sourceurl              "https://localhost:port" (provide the name of your local host and the service.http.ssl.port value)
service.http.ssl.ssl2.ciphers           ""
service.http.ssl.ssl2.sessiontimeout    "0"
service.http.ssl.ssl3.ciphers           "rsa_rc4_40_md5,rsa_rc2_40_md5,rsa_des_sha,rsa_rc4_128_md5,rsa_3des_sha"
service.http.ssl.ssl3.sessiontimeout    "0"
service.http.sslusessl                  "yes"


Note

You can configure Calendar Server to encrypt only the Calendar Server login and password, or to encrypt the entire calendar session, by setting the following parameters: service.http.ssl.securelogin and service.http.ssl.securesession.

If you want to encrypt both the login and the session, you must specify "yes" as the value of both parameters.
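The Table 8-1 settings, the login/session note above and the host name note in the previous procedure can be checked against a deployed ics.conf. The following Python audit is an added example, not code from the Sun guide; the ics.conf line syntax (name = "value", with ! starting a comment), the sample values and the weak-cipher check are assumptions that go beyond the page.

```python
import re
from urllib.parse import urlsplit

# Constructed sample; assumed ics.conf syntax: name = "value", "!" starts a comment.
SAMPLE_ICS_CONF = """\
! SSL section (constructed for this example)
encryption.rsa.nssslactivation = "on"
service.http.calendarhostname = "calendar.sesta.com"
service.http.ssl.port.enable = "yes"
service.http.ssl.port = "443"
service.http.ssl.securelogin = "yes"
service.http.securesession = "no"
service.http.ssl.sourceurl = "https://cal01.sesta.com:8443"
service.http.ssl.ssl3.ciphers = "rsa_rc4_40_md5,rsa_des_sha,rsa_rc4_128_md5,rsa_3des_sha"
service.http.sslusessl = "yes"
"""
# Switches that Table 8-1 sets to turn SSL on.
REQUIRED = {"encryption.rsa.nssslactivation": "on", "service.http.ssl.port.enable": "yes",
            "service.http.sslusessl": "yes"}
LINE = re.compile(r'^\s*([\w.]+)\s*=\s*"(.*)"\s*$')

def parse_ics_conf(text):
    """Return {name: value}; comment lines never match, a later duplicate wins (assumption)."""
    return {m.group(1): m.group(2) for m in map(LINE.match, text.splitlines()) if m}

def audit_ssl(conf):
    """Return findings for the SSL parameters this chapter configures."""
    findings = []
    for name, want in REQUIRED.items():
        if conf.get(name) != want:
            findings.append(f"{name} is {conf.get(name)!r}, expected {want!r}")
    url = urlsplit(conf.get("service.http.ssl.sourceurl", ""))
    port = url.netloc.rpartition(":")[2] if ":" in url.netloc else "443"  # https default
    if url.scheme != "https" or port != conf.get("service.http.ssl.port"):
        findings.append("sourceurl scheme/port does not match service.http.ssl.port")
    if url.hostname != (conf.get("service.http.calendarhostname") or "").lower():
        findings.append("sourceurl host differs from service.http.calendarhostname")
    # The chapter spells the session parameter two ways; accept either spelling.
    session = conf.get("service.http.ssl.securesession",
                       conf.get("service.http.securesession"))
    if (conf.get("service.http.ssl.securelogin"), session) != ("yes", "yes"):
        findings.append("login and session are not both encrypted")
    weak = [c.strip() for c in conf.get("service.http.ssl.ssl3.ciphers", "").split(",")
            if "_40_" in c or c.strip() == "rsa_des_sha"]
    if weak:
        findings.append("export-grade or single-DES ciphers enabled: " + ",".join(weak))
    return findings

if __name__ == "__main__":
    print("\n".join(audit_ssl(parse_ics_conf(SAMPLE_ICS_CONF))))
```

Run it against a copy of the real ics.conf by passing the file's text to parse_ics_conf; an empty list means every check passed.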



Troubleshooting SSL

First, back up your certificate database regularly in case an unrecoverable problem occurs. If you have a problem with SSL, here are some things to consider:

Checking the cshttpd Process

SSL requires that the Calendar Server cshttpd process is running. To determine whether cshttpd is running, use the following command:

# ps -ef | grep cshttpd

Verifying Certificates

To list the certificates in the certificate database and check their validity dates, use the following command:

# ./certutil -L -d /var/opt/SUNWics5/alias

Reviewing the Calendar Server Log Files

Check the Calendar Server log files for any SSL errors. For more information, see Using Calendar Server Log Files.

Connecting to the SSL Port

Use a browser and the following URL to connect to the SSL port:

https://server-name:ssl-port-number

where:

server-name is the name of the server on which Calendar Server is running.

ssl-port-number is the SSL port number specified by the service.http.ssl.port parameter in the ics.conf file. The default is 443.





Part No: 819-1479. Copyright 2005 Sun Microsystems, Inc. All rights reserved.