Date: 2003-12-17T12:28:29 Editor: 63.116.136.130 <> Wiki: Apache James Wiki Page: James/UsingSSL URL: http://wiki.apache.org/james/James/UsingSSL
fixed wiki syntax
Change Log:
------------------------------------------------------------------------------
@@ -56,53 +56,53 @@ ---- In config.xml, setup a different service for ssl/tls, using port 465 (just duplicate the existing entry for the smtpserver service, change the name to smtpserver-tls and change the entries as shown below): -{{{ -{{{ <smtpserver-tls enabled="true"> }}} -{{{ <!-- port 465 is the well-known/IANA registered port for SMTPS --> }}} -{{{ <port>465</port> }}} -{{{ <useTLS>true</useTLS> }}} -{{{ ... }}} -{{{ </smtpserver-tls> }}} - }}} +{{{ +<smtpserver-tls enabled="true"> + <!-- port 465 is the well-known/IANA registered port for SMTPS --> + <port>465</port> + <useTLS>true</useTLS> + ... +</smtpserver-tls> +}}} ---- Enable the ssl factory section of <server-sockets> (shared with POP3S), replacing the <file> with the appropriate certificate keystore address and setting the correct password. -{{{ -{{{ <factory name="ssl" }}} -{{{ class="org.apache.avalon.cornerstone.blocks.sockets.TLSServerSocketFactory"> }}} -{{{ <keystore> }}} -{{{ <file>'''conf/keystore'''</file> }}} -{{{ <password>'''secret'''</password> }}} -{{{ <type>JKS</type> }}} -{{{ <protocol>TLS</protocol> }}} -{{{ <algorithm>SunX509</algorithm> }}} -{{{ <authenticate-client>false</authenticate-client> }}} -{{{ </keystore> }}} -{{{ </factory> }}} - }}} +{{{ +<factory name="ssl" + class="org.apache.avalon.cornerstone.blocks.sockets.TLSServerSocketFactory"> + <keystore> + <file>conf/keystore</file> + <password>secret</password> + <type>JKS</type> + <protocol>TLS</protocol> + <algorithm>SunX509</algorithm> + <authenticate-client>false</authenticate-client> + </keystore> +</factory> +}}} ---- The smtpserver-tls service must be declared in assembly.xml (just duplicate the existing entry for the smtpserver service and change the name to smtpserver-tls): -{{{ -{{{ <block name="smtpserver-tls" class="org.apache.james.smtpserver.SMTPServer" > }}} -{{{ <provide name="James" role="org.apache.mailet.MailetContext"/> }}} -{{{ <provide name="mailstore" role="org.apache.james.services.MailStore"/> }}} 
-{{{ <provide name="users-store" role="org.apache.james.services.UsersStore"/> }}} -{{{ <provide name="sockets" }}} -{{{ role="org.apache.avalon.cornerstone.services.sockets.SocketManager"/> }}} -{{{ <provide name="connections" }}} -{{{ role="org.apache.avalon.cornerstone.services.connection.ConnectionManager"/> }}} -{{{ <provide name="James" role="org.apache.james.services.MailServer"/> }}} -{{{ <provide name="thread-manager" }}} -{{{ role="org.apache.avalon.cornerstone.services.threads.ThreadManager" /> }}} -{{{ </block> }}} - }}} +{{{ +<block name="smtpserver-tls" class="org.apache.james.smtpserver.SMTPServer"> + <provide name="James" role="org.apache.mailet.MailetContext"/> + <provide name="mailstore" role="org.apache.james.services.MailStore"/> + <provide name="users-store" role="org.apache.james.services.UsersStore"/> + <provide name="sockets" + role="org.apache.avalon.cornerstone.services.sockets.SocketManager"/> + <provide name="connections" + role="org.apache.avalon.cornerstone.services.connection.ConnectionManager"/> + <provide name="James" role="org.apache.james.services.MailServer"/> + <provide name="thread-manager" + role="org.apache.avalon.cornerstone.services.threads.ThreadManager" /> +</block> +}}} ---- Also add this to environment.xml to get log files (set the log-level as appropriate) (just duplicate the existing entry for the smtpserver category and change the name to smtpserver-tls): -{{{ -{{{ <category name="smtpserver-tls" log-level="DEBUG"> }}} -{{{ <log-target id-ref="smtpserver-target"/> }}} -{{{ </category> }}} - }}} +{{{ +<category name="smtpserver-tls" log-level="DEBUG"> + <log-target id-ref="smtpserver-target"/> +</category> +}}} In this example the log target is shared with smtpserver. ---- 
@@ -113,39 +113,39 @@ ---- In config.xml, setup a different service for ssl/tls, using port 995 (just duplicate the existing entry for the pop3server service, change the name to pop3server-tls and change the entries as shown below): -{{{ -{{{ <pop3server-tls enabled="true"> }}} -{{{ <!-- port 995 is the well-known/IANA registered port for POP3S ie over SSL/TLS --> }}} -{{{ <port>995</port> }}} -{{{ <useTLS>true</useTLS> }}} -{{{ ... }}} -{{{ </pop3server-tls> }}} - }}} +{{{ +<pop3server-tls enabled="true"> +<!-- port 995 is the well-known/IANA registered port for POP3S ie over SSL/TLS --> + <port>995</port> + <useTLS>true</useTLS> + ... +</pop3server-tls> +}}} ---- Enable the ssl factory section of <server-sockets>, shared with SMTPS (see the SMTPS example above). ---- The pop3server-tls service must be declared in assembly.xml (just duplicate the existing entry for the pop3server service and change the name to pop3server-tls): -{{{ -{{{ <block name="pop3server-tls" class="org.apache.james.smtpserver.SMTPServer" > }}} -{{{ <provide name="mailstore" role="org.apache.james.services.MailStore"/> }}} -{{{ <provide name="users-store" role="org.apache.james.services.UsersStore"/> }}} -{{{ <provide name="sockets" }}} -{{{ role="org.apache.avalon.cornerstone.services.sockets.SocketManager"/> }}} -{{{ <provide name="connections" }}} -{{{ role="org.apache.avalon.cornerstone.services.connection.ConnectionManager"/> }}} -{{{ <provide name="James" role="org.apache.james.services.MailServer"/> }}} -{{{ <provide name="thread-manager" }}} -{{{ role="org.apache.avalon.cornerstone.services.threads.ThreadManager" /> }}} -{{{ </block> }}} - }}} +{{{ +<block name="pop3server-tls" class="org.apache.james.smtpserver.SMTPServer" > + <provide name="mailstore" role="org.apache.james.services.MailStore"/> + <provide name="users-store" role="org.apache.james.services.UsersStore"/> + <provide name="sockets" + role="org.apache.avalon.cornerstone.services.sockets.SocketManager"/> + <provide 
name="connections" + role="org.apache.avalon.cornerstone.services.connection.ConnectionManager"/> + <provide name="James" role="org.apache.james.services.MailServer"/> + <provide name="thread-manager" + role="org.apache.avalon.cornerstone.services.threads.ThreadManager" /> +</block> +}}} ---- Also add this to environment.xml to get log files (set the log-level as appropriate) (just duplicate the existing entry for the pop3server category and change the name to pop3server-tls): -{{{ -{{{ <category name="pop3server-tls" log-level="DEBUG"> }}} -{{{ <log-target id-ref="pop3server-target"/> }}} -{{{ </category> }}} - }}} +{{{ +<category name="pop3server-tls" log-level="DEBUG"> + <log-target id-ref="pop3server-target"/> +</category> +}}} In this example the log target is shared with pop3server. ---- 
@@ -159,16 +159,18 @@ == Preparing the Certificate Keystore == -(Adapted from the Tomcat 4.1 documentation) +(Adapted from the Tomcat 4.1 documentation) -James currently operates only on JKS format keystores. This is Java's standard "Java KeyStore" format, and is the format created by the keytool command-line utility. This tool is included in the JDK. +James currently operates only on JKS format keystores. This is Java's standard "Java KeyStore" format, and is the format created by the keytool command-line utility. This tool is included in the JDK. -To import an existing certificate into a JKS keystore, please read the documentation (in your JDK documentation package) about keytool. +To import an existing certificate into a JKS keystore, please read the documentation (in your JDK documentation package) about keytool. To create a new keystore from scratch, containing a ''single self-signed Certificate'', execute the following from a terminal command line: - <code>keytool -genkey -alias james -keyalg RSA -keystore <your_keystore_filename></code> -{{{ }}} +{{{ +keytool -genkey -alias james -keyalg RSA -keystore <your_keystore_filename> +}}} + (The RSA algorithm should be preferred as a secure algorithm, and this also ensures general compatibility with other servers and components.) As a suggested standard, create the keystore in the james/conf directory (the same containing sqlResources.xml), with a name like <code>james.keystore</code>. Any name and location though is fine, as long as is the same as in the <file> of the ssl factory section of <server-sockets> in config.xml. @@ -189,7 +191,7 @@ == Installing a Certificate from a Certificate Authority == -(Adapted from the Tomcat 4.1 documentation) +(Adapted from the Tomcat 4.1 documentation) To obstain and install a Certificate from a Certificate Authority (like verisign.com, thawte.com or trustcenter.de) you should have read the previous section and then follow these instructions: 
@@ -198,13 +200,14 @@ In order to obtain a Certificate from the Certificate Authority of your choice you have to create a so called Certificate Signing Request (CSR). That CSR will be used by the Certificate Authority to create a Certificate that will identify your James server as "secure". To create a CSR follow these steps: Create a local Certificate as described in the previous section. -{{{ }}} -The CSR is then created with: -{{{ }}} - <code>keytool -certreq -keyalg RSA -alias james -file certreq.csr -keystore <your_keystore_filename></code> -{{{ }}} + +The CSR is then created with: +{{{ +keytool -certreq -keyalg RSA -alias james \ + -file certreq.csr -keystore <your_keystore_filename> +}}} Now you have a file called certreq.csr. The file is encoded in PEM format. You can submit it to the Certificate Authority (look at the documentation of the Certificate Authority website on how to do this). In return you get a Certificate. -{{{ }}} + === Importing the Certificate === Now that you have your Certificate you can import it into you local keystore. First of all you may have to import a so called Chain Certificate or Root Certificate into your keystore (the major Certificate Authorities are already in place, so it's unlikely that you will need to perform this step). After that you can procede with importing your Certificate. 
@@ -216,12 +219,17 @@ For Trustcenter.de go to: http://www.trustcenter.de/certservices/cacerts/en/en.htm#server For Thawte.com go to: http://www.thawte.com/certs/trustmap.html (seems no longer valid) -Import the Chain Certificate into you keystore -{{{ }}} - <code>keytool -import -alias root -keystore <your_keystore_filename> -trustcacerts -file <filename_of_the_chain_certificate></code> +Import the Chain Certificate into you keystore +{{{ +keytool -import -alias root -keystore <your_keystore_filename> \ + -trustcacerts -file <filename_of_the_chain_certificate> +}}} ==== Importing the requested Cerificate ==== -And finally import your new Certificate (It must be in X509 format): -{{{ }}} - <code>keytool -import -alias james -keystore <your_keystore_filename> -trustcacerts -file <your_certificate_filename></code> +And finally import your new Certificate (It must be in X509 format): + +{{{ +keytool -import -alias james -keystore <your_keystore_filename> \ + -trustcacerts -file <your_certificate_filename> +}}}
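Review bot: In the SMTPS hunk (@@ -56,53) the rewritten ssl factory block drops the `'''` emphasis that the old lines put around `conf/keystore` and `secret`, so nothing now marks `<password>secret</password>` as a placeholder; readers copying the block as-is will ship a well-known keystore password in config.xml. Suggest a sentence before the block saying that `<file>` and `<password>` must be replaced with the real keystore path and the password chosen when the keystore was created (the same one given to keytool), and that config.xml should be readable only by the account James runs as, since the keystore password sits in it in clear text.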
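Review bot: In the POP3S hunk (@@ -113,39) the new `<block name="pop3server-tls" class="org.apache.james.smtpserver.SMTPServer" >` keeps the SMTP server class from the old lines, which contradicts the surrounding instruction to "duplicate the existing entry for the pop3server service": a duplicated pop3server block would carry the POP3 server class, and an SMTP block bound to port 995 will not speak POP3. Suggest changing `class` to whatever the existing `pop3server` block in assembly.xml uses. While here, "ie over SSL/TLS" in the comment reads better as "i.e. over SSL/TLS", and the `<!-- port 995 ... -->` line is flush left while the rest of the element is indented.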
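Review bot: In the keystore hunk (@@ -159,16) the `keytool -genkey -alias james -keyalg RSA -keystore <your_keystore_filename>` line gives no `-keysize`, so the key length falls back to keytool's default; suggest adding `-keysize 2048` (and a `-validity` in days) so the example produces a key of a stated, adequate length instead of whatever the installed JDK defaults to. The hunk also says "as long as is the same as in the <file>", which should read "as long as it is the same as", and in the trailing context of the next hunk (@@ -189,7) "obstain" should be "obtain".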
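Review bot: In the CSR hunk (@@ -198,13) the unchanged text has two typos that this syntax pass could pick up: "import it into you local keystore" should be "your local keystore", and "you can procede with importing" should be "proceed". It would also help to say, next to "Now you have a file called certreq.csr", that the CSR contains only the public key and identity and that the private key never leaves the keystore, so the reader knows what is safe to send to the CA.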
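Review bot: In the chain-certificate hunk (@@ -216,12) the `keytool -import -alias root -keystore <your_keystore_filename> -trustcacerts -file <filename_of_the_chain_certificate>` step adds a new trust anchor to the keystore, but the text gives no hint to check it; suggest a sentence telling the reader to compare the fingerprint keytool prints at the "Trust this certificate?" prompt against the one published by the CA before answering yes, especially since the Thawte link in the same hunk is already marked "seems no longer valid". Also "into you keystore" should be "your keystore", and the heading `==== Importing the requested Cerificate ====` should read "Certificate".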