Setting Up SIMS with SSL

Since SSL provides encryption at the level of the network connection, different ports are used for secure and non-secure communications. Port 993 is the default port for secure IMAP4 connections; port 995 is the default port for secure POP3 connections.


Note - Mail read by the client from IMAP/POP over Secure Socket is encrypted. That is, both the message being read and the authentication exchange are encrypted. Mail sent by the client to IMTA is not encrypted at this time.

SIMS supports SSL version 3.0. SIMS also supports the ability to create a local Root Certificate Authority (CA), and to create server credentials signed by that CA. The following instructions outline the steps needed to accomplish this. SIMS is also able to use server credentials signed by an external Root CA. Please contact a Sun Support representative for more information regarding this feature.

To set up SIMS with SSL, you must

Create a Root Certification Authority
Create a Key Pair and Certificate for Your Mail Server
Install the Certificate and Key Package on the Machine Running SIMS

 

To Create a Root Certification Authority

  1. Create the local root CA user, skirca.
  You can use User Manager to create users. You will need to be able to log in as skirca, so be sure to specify a login shell and password for the new user.

Note - The username must be skirca.
  2. Set up the FNS naming context on each machine that will use security tools.
  a. As root, run /usr/http/bin/setup_fns
  This script selects FILES as the naming service and sets up the naming context for all the users and the host. For example:

    # <install_root>/usr/http/bin/setup_fns
    Setting up FNS Naming context...
    Done
    #

  b. You will need to run setup_fns on each host where you will use SSL certificates (at least the local root CA machine and the machine running SIMS).
  3. Create a local root certification authority (CA).
  a. You will need to log in as skirca.
  b. Run /usr/bin/create_rootca.
  c. You will be prompted for a Distinguished Name (DN) for the local root CA.
  We suggest that the cn (common name), o (organization), st (state), and c (country code) be chosen as the minimum attribute set of the root CA's DN.

    #
    # Distinguished Name:
    #

    Enter Distinguished Name (e.g. "o=SUN, c=US")
    or q[uit]: cn=rootca, o=ABCD, st=california, c=us

  d. You will next be prompted for the name of a directory in which the key package and certificate will be stored.
  You may wish to locate this new directory in the home directory of the skirca user. You must specify an absolute pathname, i.e., the pathname must begin with a /.

    #
    # Directory for Storing RootCA Credentials:
    #
    Enter directory pathname under which the key package and
    certificate will be stored, or q[uit].
    Directory name ? /home/skirca/rootca-creds

    keypkg: Generating RSA key pair for user "CN=ROOTCA, O=ABCD,
    ST=CALIFORNIA, C=US"

  e. You will next be prompted, twice, for the password you wish to use for the local root CA key package.

    keypkg: Enter your NEW key package password: <enter password>
    keypkg: Reenter your NEW key package password: <re-enter password>
    keypkg: Key package generation succeeded
    certify: Certificates issued:11, certificates available:1009

  f. You will next be asked if you want to store the root CA credentials in the naming service. Answer in the affirmative and follow the remaining instructions.

    #
    #  Do you want to store RootCA creds in the naming service[y/n]: y

    # Storing the RootCA creds in the naming serive
    # You need to enter the root password
    Password: <enter-root-password>
    skistore: keypkg /home/skirca/rootca-creds/keypkgs/skirca.KEYPKG
    successfully stored
    skistore: certificate /home/skirca/rootca-creds/certs/skirca.CERT
    successfully stored
    skistore: Operation Completed

    #
    # The Rootca creds are stored in the naming service


 

To Create a Key Pair and Certificate for Your Mail Server

  1. Log in as skirca on the local root CA machine.
  2. Create a directory where you can store key packages and certificates.
  The skirca user must be able to write to this directory:

    $ mkdir /home/skirca/server-creds

  3. Find the IP address of the SIMS host for which you would like to create a certificate.
  You can use ypmatch <hostname> hosts if you are using NIS, or nslookup <hostname> if you are using DNS. For example:

    $ ypmatch bob hosts
    121.131.141.5 bob

  Run /usr/http/bin/setup_creds <certs_directory> <ip_address_of_server>
  For example, if your output directory is /home/skirca/server-creds/ and the IP address of the mail server is 121.131.141.5:

    $ <install_root>/usr/http/bin/setup_creds /home/skirca/server-creds 121.131.141.5
    Creating Public/Private key pairs and certificates
    for your server...
    Enter Host Name on which you run the server:
    (Hit return to use localhost)
  4. You will be asked to enter the following information about the server for which you are creating a certificate:
  hostname - Enter only the host name of the machine running SIMS. For example, bob.
  domain name - Enter the domain name of the SIMS host. For example, ABCD.com.
  Distinguished Name Suffix - Enter the DN information without the cn (common name) attribute. The fully qualified domain name (the hostname plus the domain name you entered) will be used for the common name field.
  certificate password - Enter a password twice for this server's key. You will need this password when you install the key package and certificate on the mail server.


Note - You are creating a password for this key pair and certificate; it is different from the local root key password.
  5. You will be asked to enter the local root key password (the password for the local root CA key pair).
  Once you have entered this, the key package for the mail server will be generated and a certificate will be created.
  6. The certificate will be stored in the file
  <certs_directory>/certs/<ip_address>.CERT
  For example, /home/skirca/server-creds/certs/121.131.141.5.CERT

 

To Install the Certificate and Key Package on the SIMS Host

You will need to transport the output directory you used with setup_creds to the SIMS host (if it is not the same as the local root CA machine), and copy it to a permanent location on that machine.

  1. Transport the directory on floppy disk or any other transportable medium.
  You may want to create a directory on the mail server where you can store the credential directories for many servers. For example, a directory named /var/sims/SSL/ may contain directories such as host1_pkg/, host2_pkg/, etc., one for each host for which you create a certificate.
  2. Log in as root on the mail server.
  3. You must have set up the FNS naming context on the mail server machine. See "To Create a Key Pair and Certificate for Your Mail Server" on page 273.
  4. Run the install_certs command.
  The syntax is:

    /usr/http/bin/install_certs -p <certs_directory> -i <ip_address> <inetmail_uid>

  where:
  certs_directory - Is the directory containing the key package and certificates that were created on the local root CA machine.
  ip_address - Is the IP address of the server. This field is optional; if you do not specify anything, the default IP of the machine will be used.
  inetmail_uid - Enter the uid of the inetmail user on your system.
  For example:

    # <install_root>/usr/http/bin/install_certs -p /var/sims/SSL/bob_creds/ -i 121.131.141.5 9870
    /usr/bin/skistore: certificate /var/sims/SSL/bob_creds/certs/skirca.CERT successfully stored
    /usr/bin/skistore: keypkg /var/sims/SSL/bob_creds/keypkgs/129.146.114.74.KEYPKG successfully stored
    /usr/bin/skistore: certificate /var/sims/SSL/bob_creds/certs/129.146.114.74.CERT successfully stored
    /usr/bin/skistore: Operation Completed
    /usr/bin/skilogin: Enter host key package password:


Note - Take special care to ensure that the numeric UID value is specified properly for the install_certs command. This value should be the numeric user id of the "inetmail" user. For example:

    # id inetmail
    uid=72(inetmail) gid=6(mail)

    # /usr/http/bin/install_certs -p /var/sims/SSL/bob_creds -i 121.131.141.5 72

See the syntax for install_certs above.
  5. You will be prompted for the certificate password you used when you created the key package.
  Once you have completed these steps, you have a working environment for running SSL with SIMS.
  6. Verify that the SSL ports are listening.
  a. Stop and start im.server, or reboot the system.

    # /opt/SUNWmail/admin/sbin/im.server stop
    # /opt/SUNWmail/admin/sbin/im.server start

  b. Enter the following commands to verify SSL port operation:

    # netstat -a -n | grep 993 | grep LISTEN
    *.993 *.* 0 0 0 0 LISTEN
    # netstat -a -n | grep 995 | grep LISTEN
    *.995 *.* 0 0 0 0 LISTEN

  If you do not receive this output, the SSL ports are not listening and SSL is not operational.
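As an added example for the install and verification steps above (this is not code from the SIMS manual), the shell functions below resolve the numeric inetmail UID that install_certs expects and check netstat output for the 993 and 995 listeners. The command paths are the ones the manual shows; the id and netstat lines the functions are fed are constructed samples.

```shell
#!/bin/sh
# Added example, not part of the SIMS manual.  Helpers for the install_certs
# and port-verification steps.  Command paths are the ones the manual shows;
# the "id" and netstat lines fed to these functions are constructed samples.

# Pull the numeric uid out of "id <user>" output such as
#   uid=72(inetmail) gid=6(mail)
# Prints the uid, or nothing when the line carries none.
uid_from_id_output() {
    printf '%s\n' "$1" | sed -n 's/^uid=\([0-9][0-9]*\)(.*/\1/p'
}

# Resolve the inetmail uid on the live system.  install_certs wants the
# number, not the name, so refuse anything that is not purely numeric.
inetmail_uid() {
    out=$(id inetmail 2>/dev/null) || return 1
    uid=$(uid_from_id_output "$out")
    case "$uid" in
        ''|*[!0-9]*) return 1 ;;
    esac
    printf '%s\n' "$uid"
}

# Given "netstat -a -n" output, print the SSL ports (993 IMAPS, 995 POP3S)
# that are not in LISTEN state.  Returns 0 only when both are listening.
missing_ssl_ports() {
    missing=""
    for port in 993 995; do
        if ! printf '%s\n' "$1" | grep "\.${port} " | grep -q LISTEN; then
            missing="$missing $port"
        fi
    done
    printf '%s\n' "${missing# }"
    [ -z "$missing" ]
}

# Install the credentials for one server, restart im.server and confirm
# the secure ports came up.  Run as root on the SIMS host.
install_and_verify() {
    creds_dir=$1
    ip=$2
    uid=$(inetmail_uid) || { echo "inetmail uid not found or not numeric" >&2; return 1; }
    /usr/http/bin/install_certs -p "$creds_dir" -i "$ip" "$uid" || return 1
    /opt/SUNWmail/admin/sbin/im.server stop
    /opt/SUNWmail/admin/sbin/im.server start
    missing_ssl_ports "$(netstat -a -n)"
}
```

A non-zero return from install_and_verify, together with the port numbers it prints, tells you which listener did not come up after the restart.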



Copyright © 1999 Sun Microsystems, Inc. All Rights Reserved.