Hi guys
Recently I've been configuring James in a Kubernetes deployment. When it comes to adding certificates for James IMAP/SMTP, I found that the configuration requires an extra step, which is not convenient for general users:

In a virtual machine environment:

1. James
   - Generate, request certificates (in crt + key format)
   - Use keytool to create a .jks keystore file
   - Add the .jks file to the config folder path.
   Reference link: https://james.apache.org/server/3/config-ssl-tls.html

2. Other mailing apps (Postfix, Zimbra, Mailu, ...):
   - Generate, request certificates (in crt + key format)
   - Add both files to the designated folder path.
   Reference links:
   - Postfix: https://www.ssldragon.com/blog/install-an-ssl-certificate-on-postfix/
   - Zimbra: https://www.thesslstore.com/knowledgebase/ssl-install/install-ssl-certificate-zimbra-mail-server/

In a Kubernetes environment (I'm using cert-manager <https://cert-manager.io/docs/> to request and issue LE certificates):

Kubernetes manages certificates in crt + key format in kind: Secret

    apiVersion: v1
    kind: Secret
    metadata:
      name: secret-tls
    type: kubernetes.io/tls
    data:
      # the data is abbreviated in this example
      tls.crt: |
        MIIC2DCCAcCgAwIBAgIBATANBgkqh ...
      tls.key: |
        MIIEpgIBAAKCAQEA7yn3bRHQ5FHMQ ...

Other apps immediately benefit from this approach; they can simply add the cert by requesting the Kubernetes secret:

    secret:
      items:
        - key: tls.crt
          path: cert.pem
        - key: tls.key
          path: key.pem
      secretName: mail-example-com-letsencrypt-ssl

https://vadosware.io/post/serving-email-on-kubernetes-with-mailu/
https://www.tauceti.blog/posts/run-postfix-in-kubernetes/#requesting-tls-certificate

On the contrary, James users (me) are struggling with SSL because of the JKS format. The configuration is do-able but complicated for general users:
- Extract the private key from tls.key
- Extract the issued certificates from kind: CertificateRequest
- Use openssl to create a KeyStore in PKCS12.
- Use keytool to convert it to JKS
- Add the .jks file to the config folder path.

https://kubernetes.io/docs/tasks/tls/managing-tls-in-a-cluster/#download-the-certificate-and-use-it
https://kubernetes.io/docs/reference/kubectl/jsonpath/

Conclusion: With Kubernetes and containers having become virtually synonymous with cloud-native development, Apache James needs to adapt quickly and catch up with others. The JKS keystore is an old topic but I'm bringing this back because the change is necessary.

Regards,
Duc Nguyen
DevOps Engineer
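The Secret-to-JKS conversion the post walks through, as an added example script (not from the post or the James project); it assumes kubectl, openssl, keytool and GNU base64 are on PATH, and the secret name, namespace, alias and output paths are placeholders:

```shell
#!/bin/sh
# Added example, not from the original post or the James project: turn a
# kubernetes.io/tls Secret into the JKS keystore James expects.
# Assumes kubectl, openssl, keytool and GNU base64 on PATH; the secret,
# namespace, alias and paths used below are placeholders.
set -eu

# Dump tls.crt and tls.key of a kubernetes.io/tls Secret as PEM files.
# cert-manager stores the full chain (leaf + intermediates) in tls.crt.
#   $1 secret name   $2 namespace   $3 output directory
secret_to_pem() {
  kubectl get secret "$1" -n "$2" -o jsonpath='{.data.tls\.crt}' | base64 -d > "$3/tls.crt"
  kubectl get secret "$1" -n "$2" -o jsonpath='{.data.tls\.key}' | base64 -d > "$3/tls.key"
  chmod 600 "$3/tls.key"   # private key material: owner-only
}

# Wrap PEM cert chain + key into PKCS12, then convert it to JKS for James.
#   $1 cert PEM   $2 key PEM   $3 output keystore   $4 password   $5 alias
pem_to_jks() {
  p12="$3.p12"
  # With a chain file on -in, the cert matching the key becomes the entry
  # and the remaining certs are stored as its chain.
  openssl pkcs12 -export -in "$1" -inkey "$2" -name "$5" \
    -out "$p12" -passout "pass:$4"
  keytool -importkeystore -noprompt \
    -srckeystore "$p12" -srcstoretype PKCS12 -srcstorepass "$4" \
    -destkeystore "$3" -deststoretype JKS -deststorepass "$4"
  rm -f "$p12"            # drop the intermediate PKCS12 copy of the key
  chmod 600 "$3"
}

# Check the alias is a PrivateKeyEntry; a TrustedCertEntry cannot serve TLS.
#   $1 keystore   $2 password   $3 alias ; returns 0 when the key is present
jks_has_key() {
  keytool -list -keystore "$1" -storepass "$2" -alias "$3" 2>/dev/null \
    | grep -q PrivateKeyEntry
}

# Usage: sh secret-to-jks.sh mail-example-com-letsencrypt-ssl default /opt/james/conf
# JKS_PASSWORD must match the keystore password in James' tls configuration.
if [ -n "${1:-}" ]; then
  secret_to_pem "$1" "$2" "$3"
  pem_to_jks "$3/tls.crt" "$3/tls.key" "$3/keystore" "$JKS_PASSWORD" james
  jks_has_key "$3/keystore" "$JKS_PASSWORD" james
  echo "keystore written to $3/keystore"
fi
```

Run it from a CronJob or init container so a renewed cert-manager Secret is re-wrapped before James starts; the keystore password stays in an environment variable rather than on the command line of the kubectl step.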