Oracle® Communications Calendar Server Security Guide
Release 7.0.5

E54936-01

6 Configuring Client Authentication

Starting with version 7 Update 2, Oracle Communications Calendar Server (also known as Calendar Server 7 and formerly known as Oracle Communications Calendar Server for CALDAV Clients) supports certificate-based authentication. In certificate-based authentication, clients request access to a protected resource, such as the Calendar Server. The server presents its certificate to the client, which the client verifies. If the verification succeeds, the client then sends its certificate to the server and the server verifies the client's credentials. As long as the client's credentials are verified, the server grants access to the protected resource.

Topics:

Overview of Setting Up Certificate Authentication

Setting up certificate authentication for Calendar Server involves the following high-level steps:

  1. Obtaining your certificates from a Certificate Authority (CA), or setting up your own CA for testing purposes

  2. Enabling SSL and client authentication for a listener

  3. Generating a certificate request and importing it into GlassFish Server

  4. Creating an SSL client

  5. Configuring Calendar Server

  6. Testing the certificate authentication

  7. Installing the client certificate for use by Connector for Outlook

Setting Up Your Certificate Authority (CA)

Note:

In a production environment, you would not set up your own Certificate Authority and generate certificates with it, as is described in this section. You would most likely purchase certificates from a commercial Certificate Authority, such as VeriSign. This section is purely for test purposes.

  1. If you haven't done so already, download the OpenSSL toolkit from the OpenSSL website at:

    http://www.openssl.org

    You use the openssl command to perform a variety of cryptographic functions.

  2. Create directories to hold your certificate authority (CA) keys, your server keys, and your client keys.

    For example, you could use directories called ssl/ca, ssl/server, and ssl/client.

    cd /var/tmp
    mkdir -p ssl/ca ssl/client ssl/server
    
  3. Use the openssl command to create a private key and certificate request for your own CA.

    For example:

    openssl req -new -newkey rsa:2048 -nodes -out ssl/ca/ca.csr -keyout ssl/ca/ca.key
    Generating a 2048 bit RSA private key
    ...................................................................................+++
    ................................+++
    writing new private key to 'ssl/ca/ca.key'
    -----
    You are about to be asked to enter information that will be incorporated
    into your certificate request.
    What you are about to enter is what is called a Distinguished Name or a DN.
    There are quite a few fields but you can leave some blank
    For some fields there will be a default value,
    If you enter '.', the field will be left blank.
    -----
    Country Name (2 letter code) [AU]: US
    State or Province Name (full name) [Some-State]: CA
    Locality Name (eg, city) []: Santa Clara
    Organization Name (eg, company) [Internet Widgits Pty Ltd]: Siroe
    Organizational Unit Name (eg, section) []: Corporate
    Common Name (eg, YOUR name) []: Sam Smith
    Email Address []:sam.smith@example.com
    Please enter the following 'extra' attributes
    to be sent with your certificate request
    A challenge password []:
    An optional company name []:
    Create your CA's self-signed certificate. The validity period in this example is one year (-days 365); increase the number of days if you want a longer-lived CA certificate.

    openssl x509 -trustout -signkey ssl/ca/ca.key -days 365 -req -in ssl/ca/ca.csr -out ssl/ca/ca.pem
    Signature ok
    subject=/C=US/ST=CA/L=Santa Clara/O=Siroe/OU=Corporate/CN=Sam Smith/emailAddress=sam.smith@example.com
    Getting Private key
    
  4. Copy the ca.pem file to ca.crt and edit the copy so that the PEM header and footer strings "TRUSTED CERTIFICATE" read "CERTIFICATE".

    You can then import your CA certificate into your trusted root certificate store.

  5. Create a file to hold your CA's serial numbers. This file starts with the number 2. For example:

    echo "02" > ssl/ca/ca.srl
    

Enabling SSL and Client Authentication for a Listener

For this step, refer to "How to Enable SSL and Client Authentication for a Listener in Oracle GlassFish Server" at: https://wikis.oracle.com/display/CommSuite/How+to+Set+Up+Certificate-based+Authentication+for+Convergence#HowtoSetUpCertificate-basedAuthenticationforConvergence-HowtoEnableSSLandClientAuthenticationforaListenerinOracleGlassFishServer

Generating a Certificate Request and Importing It into GlassFish Server

  1. Use the certutil command to generate a certificate request.

    For example:

    cd /opt/SUNWappserver/lib
    ./certutil -R -s "CN=host1.example.com, OU=Corporate, O=Siroe, L=Santa Clara, ST=CA, C=US" -o /var/tmp/ssl/server/host1.csr -d /opt/SUNWappserver/domains/domain1/config -a
    Use the previously created CA to sign this certificate request. For example:

    cd /var/tmp
    openssl x509 -CA ssl/ca/ca.pem -CAkey ssl/ca/ca.key -CAserial ssl/ca/ca.srl -req -in ssl/server/host1.csr -out ssl/server/host1.crt -days 365
    
  2. Import your signed server certificate into your server NSS keystore.

    For example:

    cd /opt/SUNWappserver/lib
    ./certutil -A -n "TestSSLCert" -t "p,p,p" -d /opt/SUNWappserver/domains/domain1/config -i /var/tmp/ssl/server/host1.crt 
    
  3. Import your CA certificate into your server NSS keystore.

    For example:

    ./certutil -A -n "TestCACert" -t "T,c,c" -d /opt/SUNWappserver/domains/domain1/config -i /var/tmp/ssl/ca/ca.crt
    

    The next step is necessary to use SSL client authentication.

  4. Modify the HTTPS listener, typically http-listener-2, to use your TestSSLCert; that is, change its certificate nickname from s1as to TestSSLCert.

  5. Add the following line to the http-listener-2 property list to use the fallback feature if client authentication fails. If you do not want fallback, change want to need. With want, the server requests a client certificate but completes the TLS handshake even if the client presents none; with need, the handshake fails unless the client presents a certificate.

    <property name="com.sun.grizzly.ssl.auth" value="want"/>
    

Creating an SSL Client

  1. Use the openssl command to create a client certificate request.

    The specified email address must be for an existing LDAP user in the Directory Server. For example:

    cd /var/tmp
    openssl req -new -newkey rsa:2048 -nodes -out ssl/client/samsmith.req -keyout ssl/client/samsmith.key
    Generating a 2048 bit RSA private key
    ....................................................................................................................+++
    ....................+++
    writing new private key to 'ssl/client/samsmith.key'
    -----
    You are about to be asked to enter information that will be incorporated
    into your certificate request.
    What you are about to enter is what is called a Distinguished Name or a DN.
    There are quite a few fields but you can leave some blank
    For some fields there will be a default value,
    If you enter '.', the field will be left blank.
    -----
    Country Name (2 letter code) [AU]: US
    State or Province Name (full name) [Some-State]: CA
    Locality Name (eg, city) []: Santa Clara
    Organization Name (eg, company) [Internet Widgits Pty Ltd]: Siroe
    Organizational Unit Name (eg, section) []: Corporate
    Common Name (eg, YOUR name) []:Sam Smith
    Email Address []:sam.smith@example.com
    Please enter the following 'extra' attributes
    to be sent with your certificate request
    A challenge password []:
    An optional company name []:       
    
  2. Use the openssl command to have the CA sign the client certificate.

    openssl x509 -CA ssl/ca/ca.pem -CAkey ssl/ca/ca.key -CAserial ssl/ca/ca.srl -req -in ssl/client/samsmith.req -out ssl/client/samsmith.pem -days 365
    Signature ok
    subject=/C=US/ST=CA/L=Santa Clara/O=Siroe/OU=Corporate/CN=Sam Smith/emailAddress=sam.smith@example.com
    Getting CA Private Key
    Use the openssl command to generate a PKCS12 file containing your client certificate and its private key. For example:

    openssl pkcs12 -export -clcerts -in ssl/client/samsmith.pem -inkey ssl/client/samsmith.key -out ssl/client/samsmith.p12 -name "sam_smith_cert"
    Enter Export Password:
    Verifying - Enter Export Password:
    
  3. Import the PKCS12 file into your web browser to use as your client certificate.

  4. Repeat the preceding steps as often as required.

Configuring Calendar Server

  1. Decide how you want to configure certificate authentication. The Calendar Server configuration parameters to enable Certificate Authentication are:

    • davcore.auth.cert.enable (default is false)

    • davcore.auth.cert.fallback (default is true)

  2. Use the davadmin command to configure the parameters that enable certificate authentication.

    For example:

    davadmin config modify -u admin -o davcore.auth.cert.enable -v true
    

    If you want to use certificate authentication exclusively, disable the fallback option by setting the davcore.auth.cert.fallback parameter to false. Otherwise, you can use the standard login mechanism if certificate authentication fails. The fallback option has meaning only if certificate authentication is enabled.

  3. Set up the certmap.conf file to map the subject in the client certificate to an LDAP user. The IssuerDN of a mapping must match the issuer DN that appears in the client certificates it is meant to handle; client certificates from any other issuer fall through to the default mapping.

    For example:

    certmap=default,testca
    default.IssuerDN=default
     
    testca.IssuerDN=CN=TestCA,OU=Corporate,O=Siroe,L=Santa Clara,ST=CA,C=US
    testca.DNComps=
    testca.FilterComps=emailaddress=mail
    testca.VerifyCert=off
    

    For more information, see the topic about certificates at:

    https://wikis.oracle.com/display/CommSuite/How+to+Set+Up+Certificate-based+Authentication+for+Convergence

  4. Restart GlassFish Server.
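The mapping that certmap.conf performs, as an added illustration written for this guide's example (a simplified model, not Calendar Server's own code): it assumes IssuerDN selects the mapping by matching the client certificate's issuer DN, that an empty DNComps means the search runs from the directory's base, and that each FilterComps entry names a certificate subject attribute and the LDAP attribute it is matched against. Filter values are escaped so that a subject attribute cannot alter the shape of the LDAP search.

```python
import re
# Constructed certmap.conf mirroring the mapping shown above (this is not the product's own parser).
CERTMAP_CONF = """\
certmap=default,testca
default.IssuerDN=default
testca.IssuerDN=CN=TestCA,OU=Corporate,O=Siroe,L=Santa Clara,ST=CA,C=US
testca.DNComps=
testca.FilterComps=emailaddress=mail
testca.VerifyCert=off
"""

def parse_certmap(text):
    """Return {mapping name: {option (lower-cased): value}}."""
    maps = {}
    for line in filter(None, (ln.strip() for ln in text.splitlines())):
        key, _, value = line.partition("=")  # first '=' only: DN values themselves contain '='
        if key.strip() == "certmap":
            maps.update({name.strip(): {} for name in value.split(",")})
        else:
            name, _, option = key.strip().partition(".")
            maps.setdefault(name, {})[option.lower()] = value.strip()
    return maps

def parse_dn(dn):
    """'CN=x,OU=y,...' -> [(attr lower-cased, value)]; commas inside values must be escaped."""
    return [(a.strip().lower(), v.strip())
            for a, _, v in (rdn.partition("=") for rdn in re.split(r"(?<!\\),", dn))]

def select_mapping(maps, issuer_dn):
    """The mapping whose IssuerDN equals the certificate's issuer (case-insensitive), else default."""
    norm = lambda dn: [(a, v.lower()) for a, v in parse_dn(dn)]
    for name, opts in maps.items():
        if name != "default" and norm(opts.get("issuerdn", "")) == norm(issuer_dn):
            return name, opts
    return "default", maps.get("default", {})

def escape_filter_value(value):
    """RFC 4515 escaping: a subject containing '*', '(' or ')' cannot reshape the search filter."""
    return "".join("\\%02x" % ord(c) if c in "*()\\\x00" else c for c in value)

def build_filter(opts, subject_dn):
    """FilterComps 'certattr=ldapattr,...' -> LDAP equality terms over the subject (AND-ed if several)."""
    subject = dict(parse_dn(subject_dn))
    comps = [c.partition("=") for c in filter(None, opts.get("filtercomps", "").split(","))]
    terms = ["(%s=%s)" % (ldap.strip(), escape_filter_value(subject[cert.strip().lower()]))
             for cert, _, ldap in comps]  # KeyError here means the subject lacks a listed attribute
    if not terms:  # simplification: a mapping without FilterComps is treated as unmappable here
        raise ValueError("mapping has no FilterComps; certificate cannot be mapped to a user")
    return terms[0] if len(terms) == 1 else "(&%s)" % "".join(terms)
```

For the client certificate created earlier, select_mapping picks testca and build_filter yields (mail=sam.smith@example.com), which is the search Calendar Server must run against the Directory Server to find the user.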

Testing Certificate Authentication

  1. In a browser in which the client certificate has been installed, connect to the Calendar Server SSL port.

    For example:

    https://host1.example.com:8181/davserver/browse/home/samsmith/
    

    If certificate authentication is working properly, a pop-up dialog prompts you to select the certificate to use.

  2. Click OK.

    You should see the Calendar Server browser page if certificate authentication is working properly.

  3. Check the errors.0 log file for a message similar to the following, which indicates that certificate authentication is taking place.

    INFO    [2011-06-10T10:44:15.623-0700] <...X509CertificateLoginModule.login> Performing certificate authentication with these details:
    ...
    

Installing the Client Certificate in Connector for Microsoft Outlook

To use certificate authentication to Calendar Server with Connector for Microsoft Outlook, import the client certificate by using Internet Explorer. This makes the certificate available to Connector for Outlook. See the topic on certificate-based authentication for more information at:

https://wikis.oracle.com/display/CommSuite/Certificate+based+Authentication+for+Connector+for+Microsoft+Outlook+7.3+Update+1