Sslpassword or sslpassword.conf

Silly question could be.
Before creating a self-signed certificate, I see a file named sslpassword.conf.
# more sslpassword.conf
Internal (Software) Token:password
The admin guide of Messaging 2005 Q4 says:
To Create Self-signed Certificates (P. 639):
Specify the certificate database password for certutil in
/opt/SUNWmsgsr/config/sslpassword. For example:
# echo "password" > /opt/SUNWmsgsr/config/sslpassword
Should we create another file sslpassword for setting SSL? Or can we skip this step since sslpassword.conf already exists?

Neither.
You must put your password in the file, sslpassword.conf, where the word, "password" is now.

Similar Messages

  • Wildcard Certificate use in Sun Java System Messaging Server (IMAPs/POPs)

    I'm trying to use a wildcard certificate acquired from GlobalSign and am having problems getting
    it (properly) into the cert database.
    I tried using certutil, and that didn't seem to work at all, it would list without user cert status:
    rmorneau+root@mmp1:/var/opt/SUNWmsgsr/config# /opt/SUNWmsgsr/sbin/certutil -L -d .
    GlobalSign-Ext-CA CT,c,
    *.xxxxxxxxxxx.edu ,,
    I had some success using msgcert and pk12util, but after importing it in, then seeing that it did
    have user cert status, after a quick restart of Messaging (IMAP/POP), SSL quit for IMAP and kicked all
    my IMAPs users out temporarily (until I put the original cert8.db and key3.db back).
    -------- ImapProxy_20101115.log----
    20101115 135531 ImapProxyAService.cfg (id 2590) SSL negotiation failed for IP XXX.XXX.X.XXX: Cannot connect: SSL is disabled. (-12268)
    pop.xxxxxxxxx.edu u,u,u
    GlobalSign-Ext-CA CT,c,
    *.xxxxxxxxxxx.edu u,u,u
    I truly appreciate any help on this matter.
    -Bob

    2. Does the certificate nickname in NSS match the configured certificate nickname in the product?
    I'm not sure, but I'll try that the next time I try this... will probably be late at night where I won't be interrupting IMAPs and POPs
    Makes sense. Prior to release 7 update 4, the servers have to be shut down before modifying certificate databases. As of 7 update 4 you can do a one-time migration to the cert9.db/key4.db format that should allow certificates to be updated without taking the servers offline.
    This was in the log just before the other log entry that I showed before.
    20101115 135440 ImapProxyAService.cfg ASockSSL_Init: couldn't find cert imap.xxxxxxxxx.edu (-8174)
    This is the key line from the log. The server is looking for a certificate with the NSS certificate nickname of 'imap.xxxxxxxxx.edu' and is not finding that certificate so issue 2 is likely the problem.
    Yes, this was it. Oversight on my part, forgot they had to match and could not be a form of just domainname.edu or *domainname.edu.
    You either need to modify the default:SSLCertNicknames setting to match the nickname of the new certificate, or install the new certificate using the existing certificate nickname of 'imap.xxxxxxxxx.edu'
    I modified the default:SSLCertNicknames setting.
    Thank you CNewman very much for all your help.
    And, for those trolling for an answer with more detail via an Internet search (that is, if Oracle doesn't screw up these forums for anon searches)::::
    With the private key in hand (not password protected), I used 'openssl' to get it into a pkcs12 type file:
    (It is best to do this as root and not as sudo root as you might run into problems if your host
    does not have root power to write to your home dir on the/a NFS share.... you will get "unable to write 'random state'".)
    root@mmp1:/var/opt/SUNWmsgsr/config/GlobalSign-certs-new# /usr/sfw/bin/openssl pkcs12 -export \
    -in ket-wildcard-cert.pem -inkey private.key -out cert.pkcs12 -name xxxxxxxxx.edu
    Enter Export Password:
    Verifying - Enter Export Password:
    Where "private.key" is the key file, and "ket-wildcard-cert.pem" is the (pem format) cert from our cert provider,
    and cert.pkcs12 is our cert file that will be imported into the database, and xxxxxxxxx.edu is whatever you (nick)name your cert
    in the database
    (I think you could use a password protected private key if you have that password.. I don't.)
    Next, I used 'msgcert' to import the pkcs12 cert file into the database (I'm sure there is a way
    to use certutil or even pk12util to do the same, but I'm on Sun Messenger 6.3 at this time, so that's what I used.
    If someone would like to elaborate for those....?):
    (It is best, when using 'msgcert', to do it where your mailsrv user has some privs.. I took my pkcs12 cert and moved into /tmp.)
    root@mmp1:/tmp# /opt/SUNWmsgsr/sbin/msgcert import-cert cert.pkcs12
    Enter the PKCS#12 file password: (blank)
    Enter the certificate database password: (token password in sslpassword.conf)
    Make sure your (wildcard) cert nickname matches what you have in
    ImapProxyAService.cfg and PopProxyAService.cfg at the "default:SSLCertNicknames" field.
    Edit if need be.
    root@mmp1:/var/opt/SUNWmsgsr/config# /opt/SUNWmsgsr/sbin/certutil -L -d .
    GlobalSign-Ext-CA CT,c,
    xxxxxxxxx.edu u,u,u
    root@mmp1:/var/opt/SUNWmsgsr/config# grep default:SSLCertNicknames *AService.cfg
    ImapProxyAService.cfg:default:SSLCertNicknames xxxxxxxxx.edu
    PopProxyAService.cfg:default:SSLCertNicknames xxxxxxxxx.edu
    Then, of course, restart the msg service(s).
    /opt/SUNWmsgsr/sbin/stop-msg
    /opt/SUNWmsgsr/sbin/start-msg
    Edited by: 810750 on Nov 18, 2010 8:08 AM
    Edited by: 810750 on Nov 18, 2010 8:11 AM
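
The thread above came down to the nickname in default:SSLCertNicknames not matching any certificate with user cert status in the NSS database. The script below is an added example, not code from the posters or the product, that makes that comparison mechanical; the function names and sample data are constructed, and it assumes the setting holds a single nickname.

```sh
#!/bin/sh
# Added example: cross-check the nickname a proxy service is configured to use
# against the certificates actually present in the NSS database.
# The sample data is constructed. On a live host, feed it instead with:
#   LISTING=$(/opt/SUNWmsgsr/sbin/certutil -L -d .)
#   CFG=$(cat ImapProxyAService.cfg)

# Print the trust column certutil -L shows for one nickname.
# The match is exact and case-sensitive. Nicknames may contain spaces,
# so the trust flags are taken from the last whitespace-separated field.
nss_trust() {   # $1 = certutil -L output, $2 = nickname
    printf '%s\n' "$1" | awk -v want="$2" '
        NF >= 2 {
            trust = $NF
            nick = $0
            sub(/[ \t]+[^ \t]+[ \t]*$/, "", nick)   # strip the trust column
            sub(/^[ \t]+/, "", nick)                # strip leading indent
            if (nick == want) { print trust; found = 1; exit }
        }
        END { if (!found) exit 1 }'
}

# Print the nickname a *AService.cfg file asks for (empty if not set).
cfg_nickname() {   # $1 = contents of the cfg file
    printf '%s\n' "$1" | awk '
        $1 == "default:SSLCertNicknames" && NF >= 2 {
            sub(/^[ \t]*[^ \t]+[ \t]+/, "")
            sub(/[ \t]+$/, "")
            print
            exit
        }'
}

# Classify one service: ok | missing | no-key | unset
check_service() {   # $1 = certutil -L output, $2 = cfg contents
    nick=$(cfg_nickname "$2")
    if [ -z "$nick" ]; then echo unset; return 0; fi
    if trust=$(nss_trust "$1" "$nick"); then
        # A "u" in the first (SSL) trust field is the user cert status the
        # post refers to: the database also holds the matching private key.
        case "${trust%%,*}" in
            *u*) echo ok ;;
            *)   echo no-key ;;
        esac
    else
        echo missing
    fi
}

# Constructed sample data, modelled on the listings quoted in the post.
LISTING_OK='GlobalSign-Ext-CA CT,c,
example.edu u,u,u'
LISTING_NOKEY='GlobalSign-Ext-CA CT,c,
*.example.edu ,,'
CFG_OLD='default:SSLCertNicknames imap.example.edu'
CFG_NEW='default:SSLCertNicknames example.edu'
CFG_WILD='default:SSLCertNicknames *.example.edu'

echo "cfg still names the old cert: $(check_service "$LISTING_OK" "$CFG_OLD")"
echo "cfg updated to new nickname:  $(check_service "$LISTING_OK" "$CFG_NEW")"
echo "cert imported without key:    $(check_service "$LISTING_NOKEY" "$CFG_WILD")"
```

A result of "missing" corresponds to the "couldn't find cert" log line quoted in the thread, and "no-key" to the listing that showed ",," instead of "u,u,u".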

  • IP confusion in Convergence

    Hello,
    I just completed a single-host installation of CommSuite 7 (on Solaris 10 x86) and I seem to have put myself into a bind (nothing new there!).
    I have customers that need access to my server from behind firewalls with immutable configurations (e.g., they'll allow connections on standard ports such as 80, 443, 143, 993, etc., but not on non-standard ports, e.g. 8080, etc.). In an effort to make all of the services that I wanted to expose available to those users, I created a second logical interface on the system and bound to that IP for various services.
    Specifically, I have two hostnames for this system, colder.domain.com on the physical interface (e1000g0) and mail.domain.com on the logical interface (e1000g0:8).
    I configured the listeners in Glassfish, for both ports 80 & 443, to only listen on colder's IP. For Messaging Server, I used configutil to set service.listenaddr to mail's IP.
    At this point, things are mostly working:
    1. I can connect via POP, POPS, IMAP, & IMAPS to mail, can login, and can see the messages in my inbox. I can also connect via HTTP & HTTPS to mail and see the "WMAP service active." message.
    2. I can connect via HTTPS to all of the webapps on Glassfish (i.e., /da, /im, /rest, /commcli, /imps, /searchui, & /iwc).
    3. I can connect to Calendar Server on the default port (3080 - I figured users would only access this through Convergence).
    However, there is one problem.
    While I can connect to Convergence and login as a provisioned user, upon login I am greeted with the message "The mail service is not available. Please try again later." The following appears in the iwc.log when I log into iwc:
    PROXY_MAIL: INFO from com.sun.comms.client.web.services.sun.MailServiceProxy  Thread httpSSLWorkerThread-443-2 at 2010-04-12 10:31:08,846 - Performing Sun Mail Authentication
    ADDRESS_BOOK: INFO from com.sun.comms.client.ab.coresrv.DBHandler  Thread httpSSLWorkerThread-443-0 at 2010-04-12 10:31:08,854 - Got DBPluginMap
    PROXY_MAIL: ERROR from com.sun.comms.client.web.services.sun.MailServiceProxy  Thread httpSSLWorkerThread-443-2 at 2010-04-12 10:31:08,863 - cookies not present from MS response
    PROXY_MAIL: INFO from com.sun.comms.client.web.services.sun.MailServiceProxy  Thread httpSSLWorkerThread-443-3 at 2010-04-12 10:31:08,865 - Performing Sun Mail Authentication
    PROXY_MAIL: ERROR from com.sun.comms.client.web.services.sun.MailServiceProxy  Thread httpSSLWorkerThread-443-3 at 2010-04-12 10:31:08,880 - cookies not present from MS response
    PROXY_CAL: INFO from com.sun.comms.client.web.services.sun.CalendarServiceProxy  Thread httpSSLWorkerThread-443-2 at 2010-04-12 10:31:08,972 - Performing Sun calendar Authentication
    PROXY_MAIL: INFO from com.sun.comms.client.web.services.sun.MailServiceProxy  Thread httpSSLWorkerThread-443-3 at 2010-04-12 10:31:09,041 - Performing Sun Mail Authentication
    PROXY_MAIL: ERROR from com.sun.comms.client.web.services.sun.MailServiceProxy  Thread httpSSLWorkerThread-443-3 at 2010-04-12 10:31:09,050 - cookies not present from MS response
    Here are some of the pertinent iwc configuration properties:
    mail.enable = true
    mail.enablessl = false
    mail.host = mail.domain.com
    mail.port = 80
    mail.proxyadminid = admin
    mail.proxyadminpwd = ***removed***
    When I first added my test user, his LDAP entry included the attribute value mailHost: colder.domain.com, so my first thought was that it should instead be mailHost: mail.domain.com. I made that change, but then I saw the error message "The mail server unexpectedly closed the connection" in Convergence, and lots of imap log messages that said "get_imap_response: timed out reading from backend server". So I switched the mailHost back to colder.
    The http log seems to indicate that indeed, it is trying to connect via IMAP to the wrong server:
    [12/Apr/2010:10:42:45 -0500] colder httpd[10365]: General Error: IMAP connection to colder.domain.com:143 failed: Connection refused
    [12/Apr/2010:10:42:45 -0500] colder httpd[10365]: General Error: Failed to connect to imap server on colder.domain.com
    [12/Apr/2010:10:42:45 -0500] colder httpd[10365]: General Warning: Couldn't login testuser on IMAP server: Mail server unavailable. Administrator, check server log for details.
    Am I missing something obvious? Any suggestions as to what to check next?
    Thanks,
    Bill

    OK, the last tidbit in the latter link had a rather cryptic description of what needed to be done, and I was able to figure it out. So that it is captured for posterity for the next person who googles for "Convert a PKCS12 certificate into JKS format", here's what I did:
    1. Used pk12util to export my key & certificate from an existing web server key/certificate database:
    # pk12util -o myCert.p12 -n Server-Cert \
    -d /opt/SUNWappserver/domains/domain1/config \
    -K myPassword -W myPassword
    2. Used the KeyTool class included with App Server (*not* the keytool utility included with the JRE!) to convert the pkcs12 file into a JKS keystore:
    # java -classpath /opt/SUNWappserver/lib/appserv-rt.jar \
    com.sun.enterprise.security.KeyTool \
    -pkcs12 -pkcsFile myCert.p12 -pkcsKeyStorePass myPassword \
    -pkcsKeyPass myPassword \
    -jksFile /etc/opt/SUNWiim/default/config/server-keystore.jks \
    -jksKeyStorePass myPassword
    3. Used "keytool -list" to verify that my certificate was indeed now included in my new server-keystore.jks.
    4. Imported my CA certificate chain certs into the keystore:
    # keytool -importcert -trustcacerts \
    -alias 'utnAddTrustAB' \
    -file UTNAddTrustServer_CA.crt \
    -keystore /etc/opt/SUNWiim/default/config/server-keystore.jks \
    -storepass myPassword -storetype JKS
    # keytool -importcert -trustcacerts \
    -alias 'NetSolCA' \
    -file NetworkSolutions_CA.crt \
    -keystore /etc/opt/SUNWiim/default/config/server-keystore.jks \
    -storepass myPassword -storetype JKS
    5. Ran "keytool -list" again, and it now shows two "trustedCertEntry" certificates and one "PrivateKeyEntry" certificate (the one from my pkcs12 file).
    6. Added these lines to the end of the iim.conf file:
    ! SSL Configuration
    iim_server.sslkeystore = "/etc/opt/SUNWiim/default/config/server-keystore.jks"
    iim_server.keystorepasswordfile = "/etc/opt/SUNWiim/default/config/sslpassword.conf"
    iim_server.requiressl = "true"
    iim_server.trust_all_cert = "false"
    After performing these steps, I fired up the server, the SMF log file has a line that indicates that SSL has been initialized (using JKS), and I am able to connect my Pidgin IM client to the server with my test user and the "Require SSL/TLS" option enabled, and it works!
    Shane, thanks again for your excellent support. It's good to know that even though your paychecks have a different company name on the top, we as your customers continue to receive the same top-notch support we've become accustomed to over the years.
    Bill
    P.S. Feel free to show that last kudo to your boss when you ask him for your next raise. ;-)
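
Steps 3 and 5 of the post above verify the keystore by reading "keytool -list" output. The script below is an added example, not part of the post, that turns that reading into a check: an alias listed only as trustedCertEntry carries a certificate but no private key, so a server cannot use it as its own identity. The function names and the sample listing are constructed.

```sh
#!/bin/sh
# Added example: confirm that a JKS keystore holds a private key under the
# alias the server is expected to present.
# On a live host: LISTING=$(keytool -list -v -keystore server-keystore.jks)

# Print the "Entry type" recorded for one alias in keytool -list -v output.
jks_entry_type() {   # $1 = keytool listing, $2 = alias
    printf '%s\n' "$1" | awk -v want="$2" '
        /^Alias name: / { alias = substr($0, 13); next }
        /^Entry type: / && alias == want { print substr($0, 13); found = 1; exit }
        END { if (!found) exit 1 }'
}

# List every alias whose entry carries a private key.
jks_key_aliases() {   # $1 = keytool listing
    printf '%s\n' "$1" | awk '
        /^Alias name: / { alias = substr($0, 13); next }
        /^Entry type: PrivateKeyEntry/ { print alias }'
}

# Classify the alias a server is meant to use: usable | cert-only | absent
check_server_alias() {   # $1 = keytool listing, $2 = alias
    if etype=$(jks_entry_type "$1" "$2"); then
        case "$etype" in
            PrivateKeyEntry) echo usable ;;
            *)               echo cert-only ;;
        esac
    else
        echo absent
    fi
}

# Constructed sample listing with the mix of entries step 5 describes,
# plus one server name that was imported as a certificate only.
KEYSTORE_LISTING='Keystore type: jks
Keystore provider: SUN

Your keystore contains 3 entries

Alias name: server-cert
Creation date: Apr 12, 2010
Entry type: PrivateKeyEntry

Alias name: netsolca
Creation date: Apr 12, 2010
Entry type: trustedCertEntry

Alias name: im.example.edu
Creation date: Apr 15, 2010
Entry type: trustedCertEntry'

echo "server-cert:      $(check_server_alias "$KEYSTORE_LISTING" server-cert)"
echo "im.example.edu:   $(check_server_alias "$KEYSTORE_LISTING" im.example.edu)"
echo "mail.example.edu: $(check_server_alias "$KEYSTORE_LISTING" mail.example.edu)"
echo "aliases with a private key: $(jks_key_aliases "$KEYSTORE_LISTING")"
```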

  • Getting error when trying to enable ssl over pop3

    We are using SunOne Messaging Server v5.2 on Solaris 9
    We followed the below steps:
    1. Create a trust database password for "Internal (Software) Token"
    2. Obtain a certificate
    3. Install the certificate along with CA certificate.
    4. The certificate is installed with the name "Server_Cert" and is shown as trusted in the "Certificate Management"
    5. configured ssl over pop3 using configutil
    6. stop and start the services.
    The Configutil changes made are as below:
    nsserversecurity = on
    encryption.rsa.nssslactivation = on
    encryption.rsa.nssslpersonalityssl = Server_Cert
    encryption.rsa.nsssltoken = "Internal (Software)"
    service.pop.enablesslport = yes
    service.pop.sslport = 995
    We saved the below in the sslpassword.conf:
    Internal (Software) Token:mypassword
    After restarting the services, pop3 over ssl is not working. We also checked "netstat -an -P tcp | grep 995" and it shows nothing.
    The logs are showing the below error:
    "[22/Apr/2006:15:46:58 -0300] mail popd[26352]: General Error: SSL initialization error: Didn't find certificate Server_Cert (-8157)"
    Please advise a solution for the same. I am unable to figure out the problem.
    Your help will be highly appreciated.
    Regards
    Ehab

    Hi,
    have you checked whether the cert is in the certsdb using certutil?
    thanks
    ndrb

  • Certificate Based Authentication and SSL

    To whom it may concern,
    I have installed SJES on Solaris 9 x386 (intel version). Everything is running fine, the mails are also coming and going.
    Now, I need Certificate based authentication and SSL. I have downloaded versign.com trial certificate and have installed it successfully in the Messaging Server Console -- > Manage Certificates. The certificate is also visible in its tab.
    Next, I followed the documentation and enabled ssl by using ./configutil utility. And also restarted the server.
    I am running my Messenger express (http) like this :
    http://testing.xyz.com:8100
    (I am using port 8100 for http access to mails). After restarting the mail server, I tried :
    https://testing.xyz.com:8100 also,
    http://testing.xyz.com:443 also,
    https://testing.xyz.com:443 also,
    but I cannot see the login page of the mail server. I tried all the above-mentioned URLs and they just gave the error "the connection was refused when attempting to contact testing.xyz.com". I CAN ONLY SEE THE LOGIN PAGE WHEN I WRITE THE OLD HTTP ADDRESS: i.e. http://testing.xyz.com:8100
    And I also checked the logs and the server is having no problem in starting and there is not a single word regarding SSL enabling in the logs.
    Please help me out, it's really a strange behaviour. I am using SunONE Messaging Server 6.0.
    Thanking you,
    Farhan Ahmed,
    System Engineer
    Dubai, UAE.

    Dear jay,
    I am pasting a line from imap and http logs ... I don't know what this error means and how to resolve it.
    [29/Dec/2004:14:42:45 +0100] testing imapd[888]: General Error: SSL initialization error: ASockSSL_Init: couldn't find cert Server-Cert (-8183)
    Strange thing is that my certificate name is lowercase server-cert and also I can see in the GUI console the certificate name as lowercase and I have also set this parameter encryption.rsa.nssslpersonalityssl = server-cert (all lowercase), but the error in the log tells it as "Server-Cert" !!!! though it is "server-cert"
    I got this line from the http log:
    [29/Dec/2004:14:42:47 +0100] testing httpd[894]: General Error: SSL initialization error: ASockSSL_Init: couldn't find cert Server-Cert (-8183)
    I haven't missed the sslpassword.conf file step. I have placed the same password which I provided while generating the certificate request in the GUI.
    Help me out with what these errors mean and how to resolve them. I have also copied the cert7.db and key3.db to /opt/SUNWms*/config directory from the /var/opt/mps/serverroot/alias
    Thanking you,
    Farhan Ahmed,
    System Engineer,
    Dubai Internet City, Dubai, UAE.

  • Msgcert syntax

    msg-serv 6.3-4.01 (built Aug 3 2007; 32bit)
    I am attempting to request and install a new cert using msgcert on a 6.3 msg instance. I have used msgcert to generate self signed certs and understand
    the basics of how it works.
    I did not need to use msgcert the first time around on this instance as I had done so on a 6.2 instance and I was able to move the db files over
    to the 6.3 instance for a still valid cert.
    Now, however I am faced with figuring out the syntax of msgcert ( which I assume is the only mechanism for cert req as well as install on a 6.3 instance ?)
    I am requesting the Cert with the following syntax:
    (which seems to work fine, no errors)
    ./msgcert request-cert -W sslpassword.conf name mail.education.ucsb.edu org "University of California Santa Barbara" org-unit GGSE city "Santa Barbara" state California country US -F ascii -o /msg/config/test-cert.req
    But contents of test-cert.req reads accordingly:
    Certificate request generated by Messaging Server Instance:
    Common Name: mail.education.ucsb.edu
    Email: (not specified)
    Phone: (not specified)
    Organization: University of California Santa Barbara
    State: California
    Country: US
    -----BEGIN NEW CERTIFICATE REQUEST-----
    -----END NEW CERTIFICATE REQUEST-----
    My concern is that it is lacking the Org Unit and there is no email nor phone specified (perhaps these two are not necessary). Past experience has indicated that if you do not get the syntax of a cert req just right the signed cert will not be compatible.
    Is there some clearer documentation on the use of msgcert? Am I missing something? I do not see much in the forum nor a wiki page on its use.
    -john

    goubeaux wrote:
    I am uploading the CSR request file via web, eg paste into web interface. This has not been an issue in past times though.
    I cut/pasted the certificate you provided into the following website and it decoded properly:
    http://www.redkestrel.co.uk/cgi/decodeCSR.pl
    Are you just cut/pasting the following?
    -----BEGIN NEW CERTIFICATE REQUEST-----
    -----END NEW CERTIFICATE REQUEST-----
    Regards,
    Shane.

  • Problems after patch 120230-08

    I have installed that patch and I encountered a lot of problems. I'll start with the most important: SSL imap, pop3 doesn't work. After upgrade I noticed that my ssl certification is out of date so I tried to recreate it
    /opt/sun/messaging/sbin/certutil -N -d /opt/sun/messaging/config -f /opt/sun/messaging/config/sslpassword.conf
    /opt/sun/messaging/sbin/certutil -S -n SampleRootCA -x -t "CTu,CTu,CTu" -s "CN=Sample Root CA, O=Sample.pl" -m 25000 -o /opt/sun/messaging/config/SampleRootCa.crt -d /opt/sun/messaging/config -f /opt/sun/messaging/config/sslpassword.conf -z /etc/passwd
    /opt/sun/messaging/sbin/certutil -S -n Server-Cert -c SampleRootCA -t "u,u,u" -s "CN=sun.workgroup.Sample.pl, o=Sample.pl" -m 25001 -o /opt/sun/messaging/config/SampleSSLServer.crt -d /opt/sun/messaging/config -f /opt/sun/messaging/config/sslpassword.conf -z /etc/passwd
    /opt/sun/messaging/sbin/certutil -V -u V -n SampleRootCA -d /opt/sun/messaging/config
    /opt/sun/messaging/sbin/certutil -V -u V -n Server-Cert -d /opt/sun/messaging/config
    /opt/sun/messaging/sbin/certutil -L -d /opt/sun/messaging/config/
    /opt/sun/messaging/sbin/certutil -L -n Server-Cert -d /opt/sun/messaging/config/
    /opt/sun/messaging/sbin/modutil -list -dbdir /opt/sun/messaging/config/
    chown mailsrv:mail /opt/sun/messaging/config/key3.db
    chown mailsrv:mail /opt/sun/messaging/config/cert8.db
    Did all those steps (where Sample = my company name) and every result from those commands was as before. Checked configutil:
    service.imap.allowanonymouslogin = no
    service.imap.banner = "%h %p service (%P %V)"
    service.imap.enable = 1
    service.imap.enablesslport = yes
    service.imap.idletimeout = 30
    service.imap.maxsessions = 4000
    service.imap.maxthreads = 250
    service.imap.numprocesses = 1
    service.imap.plaintextmincipher = 0
    service.imap.port = 143
    service.imap.sslcachesize = 0
    service.imap.sslport = 993
    service.imap.sslusessl = yes
    Everything seems fine. I checked my old configutil entries and it turned out almost all 'encryption' entries aren't there. So I added those
    encryption.nscertfile = config/cert8.db
    encryption.nskeyfile = config/key3.db
    encryption.nsssl3 = on
    encryption.nsssl3ciphers = "rsa_rc4_40_md5,rsa_rc2_40_md5,rsa_des_sha,rsa_rc4_128_md5,rsa_3des_sha"
    encryption.rsa.nssslpersonalityssl = Server-Cert
    But every time I added them I had:
    /opt/sun/messaging/lib/configutil -o encryption.nsssl3ciphers -v rsa_rc4_40_md5,rsa_rc2_40_md5,rsa_des_sha,rsa_rc4_128_md5,rsa_3des_sha
    OK SET
    WARNING: unrecognized option encryption.nsssl3ciphers has been set
    So I wonder what's up, what changed between versions. It was supposed to be a quick fix but it wasn't :/
    My version:
    Sun Java(tm) System Messaging Server 6.3-0.08 (built Jun 8 2006)
    libimta.so 6.3-0.08 (built 08:28:13, Jun 8 2006)
    Linux workgroup.sample.pl 2.6.12-1.1381_FC3smp #1 SMP Fri Oct 21 04:03:26 EDT 2005 i686 i686 i386 GNU/Linux
    Any help will be appreciated :/

    I've solved the problem myself. Turns out there were few sslpassword files.
    sslpassword file had just: mypassword
    while
    sslpassword.conf had Internal (Software) Token:mypassword
    seems the LEGIT one is just plain password in sslpassword file. Then it all works fine. Hopefully this will save some time to some ppl.
    Cheers
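
This thread and the question at the top of the page both involve two files with different layouts: sslpassword.conf holding "Internal (Software) Token:password" and sslpassword holding only the password. The script below is an added example, not from any poster or from the product, that reports a file's layout, whether it still contains the literal placeholder word "password", and whether anyone but the owner can access it, without printing the secret; the function names and sample contents are constructed.

```sh
#!/bin/sh
# Added example: inspect an NSS password file without ever echoing the secret.
TOKEN_PREFIX='Internal (Software) Token:'

# Print only the secret part of the first line. Used for comparisons inside
# command substitutions, never written to the terminal by this script.
pwfile_secret() {   # $1 = path
    first=$(head -n 1 "$1")
    printf '%s' "${first#"$TOKEN_PREFIX"}"
}

# Print "<layout> <value> <perms>":
#   layout: token (prefixed with the token name) | plain (password only)
#   value:  set | placeholder (still the literal word "password") | empty
#   perms:  private (owner only) | exposed (group or other has any access)
pwfile_report() {   # $1 = path
    first=$(head -n 1 "$1")
    case "$first" in
        "$TOKEN_PREFIX"*) layout=token ;;
        *)                layout=plain ;;
    esac
    case "$(pwfile_secret "$1")" in
        "")       value=empty ;;
        password) value=placeholder ;;
        *)        value=set ;;
    esac
    # Characters 5-10 of the ls mode string are the group and other bits.
    if [ "$(ls -ld "$1" | cut -c5-10)" = "------" ]; then
        perms=private
    else
        perms=exposed
    fi
    echo "$layout $value $perms"
}

# Succeed when two password files carry the same secret, whatever their layout.
same_secret() {   # $1, $2 = paths
    [ "$(pwfile_secret "$1")" = "$(pwfile_secret "$2")" ]
}

# Constructed demonstration files in a scratch directory.
demo_dir=$(mktemp -d)
printf '%s\n' 'Internal (Software) Token:password' > "$demo_dir/sslpassword.conf"
printf '%s\n' 'Constructed-Sample-1' > "$demo_dir/sslpassword"
chmod 644 "$demo_dir/sslpassword.conf"
chmod 600 "$demo_dir/sslpassword"

echo "sslpassword.conf: $(pwfile_report "$demo_dir/sslpassword.conf")"
echo "sslpassword:      $(pwfile_report "$demo_dir/sslpassword")"
if same_secret "$demo_dir/sslpassword.conf" "$demo_dir/sslpassword"; then
    echo "both files carry the same password"
else
    echo "the two files disagree on the password"
fi
rm -rf "$demo_dir"
```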

  • Server cannot be connected over ssl

    Installed self-signed certificate on the Messaging Server. And started up the messaging server with ssl.
    "netstat" shows port 993 is idle. But seems cannot connect to it.
    The messaging server was running on a standalone machine, not network connective.
    Does ssl require connections over the network?
    Thanks!

    Installed self-signed certificate on the Messaging
    Server. And started up the messaging server with ssl.
    "started the messaging server with ssl". Means what?
    Did you make the configutil settings to turn any of the ssl functions on?
    Did you edit the sslpassword.conf file to add the password for the certificate database?
    Did you make a typo? The default name of the cert is "Server-Cert". "server-cert" is not the same, as it's case sensitive.
    Did you examine any of the logs and see errors on the restart?
    I don't even know what version Messaging you're running. Frankly, you've a whole bunch of homework to do before I can be much help.
    jay
    >
    >
    "netstat " shows port 993 is idle. But seems cannot
    connect to it .
    The messaging server was running on a standalone
    machine, not network connective.
    Does ssl require connections over the network?
    Thanks!

  • Problems with Instant messaging 8.2 and SSL

    I'm trying to configure an instant messaging 8.2 with ssl but when I restart the IM the mux starts without ssl
    I don't have any idea what the problem with the configuration is and I don't know if Instant messaging 8.2 supports ssl
    I use the same cert database that I used for the application server and smtp
    Can I configure ssl only for the Mux and not for the server?
    this is the configuration in the iim.conf for the mux
    iim_mux.usessl=on
    iim_mux.secconfigdir=/opt/sun/comms/im/config (I also tried this parameter with the value /etc/opt/SUNWiim/default/config but it did not work)
    !iim_mux.keydbprefix=https-example.com-www-
    !iim_mux.certdbprefix=https-example.com-www-
    iim_mux.secmodfile=secmod.db
    iim_mux.certnickname=portal.example.com
    iim_mux.keystorepasswordfile=/opt/sun/comms/im/config/sslpassword.conf (I also tried with the value "sslpassword.conf")
    Edited by: user9979971 on Jun 30, 2011 9:32 AM

    Instant Messaging 7.3+ no longer supports SSL through the Multiplexor using NSS-based certificates, however you can now migrate the existing certificates from NSS store to JKS using the migratecert utility. Alternatively you can enable TLS on server which provides end to end encryption
    HTH,
    Swetha

  • TLS fails - no cipher suites in common

    When I enable TLS on the instant messaging server, I can't connect to it using TLS. I am using a self signed cert. Do I need to put the certificate authority in the JKS?
    steve
    Version
    [15 Apr 2010 13:46:00,927] INFO xmppd [main] Starting XMPP Server: Version 8.0
    Patch: 139893-02
    iim.conf
    ! tls configuration
    iim_server.sslkeystore=/etc/opt/SUNWiim/default/config/im.jks
    iim_server.keystorepasswordfile=/etc/opt/SUNWiim/default/config/sslpassword.conf
    iim_server.requiressl=false
    iim_server.trust_all_cert=true
    iim_server.certnickname=im.uwo.ca
    # keytool -list -V -keystore im.jks
    Enter keystore password: Mu51cdi3
    Keystore type: jks
    Keystore provider: SUN
    Your keystore contains 1 entry
    Alias name: im.uwo.ca
    Creation date: Apr 15, 2010
    Entry type: trustedCertEntry
    Owner: [email protected], CN=im.uwo.ca, OU=ITS, O=The University of Western Ontario, L=London, ST=Ontario, C=CA
    Issuer: [email protected], CN=UWO Certificate Authority, OU=Information Technology Services, O=The University of Western Ontario, L=London, ST=Ontario, C=CA
    Serial number: 13a
    Valid from: Thu Apr 15 09:05:42 EDT 2010 until: Fri Apr 15 09:05:42 EDT 2011
    Certificate fingerprints:
    MD5: FB:21:99:37:29:45:8C:B6:B1:55:0B:61:5B:93:28:FE
    SHA1: 4D:3B:24:72:D5:CB:2D:AA:D7:7F:6B:E6:3B:F1:DB:31:5F:64:FB:6B
    [15 Apr 2010 13:46:55,767] DEBUG xmppd [default-iim_server-worker 2] last read count 51
    [15 Apr 2010 13:46:55,770] DEBUG xmppd.xfer [default-iim_server-worker 2] [null] Received:<starttls xmlns='urn:ietf:params:xml:ns:xmpp-tls' xml:lang='en'/>
    [15 Apr 2010 13:46:55,770] DEBUG xmppd [default-iim_server-worker 2] [ClientPacketDispatcher] StartTLS Packet detected
    [15 Apr 2010 13:46:55,771] DEBUG xmppd [default-iim_server-worker 2] Session[null] Starting TLS nego : false, null
    [15 Apr 2010 13:46:55,776] DEBUG xmppd [default-iim_server-worker 2] [SecureByteChannel] TLS started for channel id : 2 com.iplanet.im.server.io.MuxChannel@107108e
    [15 Apr 2010 13:46:55,776] DEBUG xmppd [default-iim_server-worker 2] last read count 0
    [15 Apr 2010 13:46:55,776] DEBUG xmppd [default-iim_server-worker 2] Session[null] processed input
    [15 Apr 2010 13:46:55,776] DEBUG xmppd [default-iim_server-worker 2] ConnectedStreamEndPoint finished process()
    [15 Apr 2010 13:46:55,777] DEBUG xmppd [default-iim_server-worker 2] ConnectedStreamEndPoint started process()
    [15 Apr 2010 13:46:55,777] DEBUG xmppd [default-iim_server-worker 2] ConnectedStreamEndPoint[null] processing input
    [15 Apr 2010 13:46:55,777] DEBUG xmppd [default-iim_server-worker 2] last read count 0
    [15 Apr 2010 13:46:55,777] DEBUG xmppd [default-iim_server-worker 2] Session[null] processed input
    [15 Apr 2010 13:46:55,777] DEBUG xmppd [default-iim_server-worker 2] ConnectedStreamEndPoint finished process()
    [15 Apr 2010 13:46:55,782] DEBUG xmppd [default-iim_server-worker 0] ConnectedStreamEndPoint started process()
    [15 Apr 2010 13:46:55,782] DEBUG xmppd [default-iim_server-worker 0] ConnectedStreamEndPoint[null] processing input
    [15 Apr 2010 13:46:55,782] DEBUG xmppd [default-iim_server-worker 0] last read count 90
    [15 Apr 2010 13:46:55,783] DEBUG xmppd [default-iim_server-worker 0] Session[null] processed input
    [15 Apr 2010 13:46:55,784] DEBUG xmppd [default-iim_server-worker 0] ConnectedStreamEndPoint finished process()
    [15 Apr 2010 13:46:55,784] DEBUG xmppd [default-iim_server-worker 0] ConnectedStreamEndPoint started process()
    [15 Apr 2010 13:46:55,784] DEBUG xmppd [default-iim_server-worker 0] ConnectedStreamEndPoint[null] processing input
    [15 Apr 2010 13:46:55,784] DEBUG xmppd [default-iim_server-worker 0] last read count 0
    [15 Apr 2010 13:46:55,789] DEBUG xmppd [default-iim_server-worker 2] sslEngine closed
    java.io.EOFException: sslEngine closed
    at com.iplanet.im.common.ssl.SecureServerByteChannel.handleResult(SecureServerByteChannel.java:338)
    at com.iplanet.im.common.ssl.SecureServerByteChannel.write(SecureServerByteChannel.java:244)
    at com.iplanet.im.common.ssl.SecureServerByteChannel.handleHandshakeResult(SecureServerByteChannel.java:404)
    at com.iplanet.im.common.ssl.SecureServerByteChannel.access$300(SecureServerByteChannel.java:27)
    at com.iplanet.im.common.ssl.SecureServerByteChannel$2.run(SecureServerByteChannel.java:391)
    at org.netbeans.lib.collab.util.Worker.run(Worker.java:244)
    at java.lang.Thread.run(Thread.java:619)
    [15 Apr 2010 13:46:55,792] DEBUG xmppd [default-iim_server-worker 2] [hsep]removing xmlns from packet ...
    [15 Apr 2010 13:46:55,793] DEBUG xmppd [default-iim_server-worker 0] Sending CMD_CLOSE for channel: 2
    [15 Apr 2010 13:46:55,793] INFO xmppd [default-iim_server-worker 0] MuxChannel.close() Server Closing client for channel : 2,null
    [15 Apr 2010 13:46:55,794] DEBUG xmppd [default-iim_server-worker 0] Session[null] outbound status changed from opened to disconnected
    [15 Apr 2010 13:46:55,794] DEBUG xmppd [default-iim_server-worker 0] Session[null] inbound status changed from opened to disconnected
    [15 Apr 2010 13:46:55,794] INFO xmppd [default-iim_server-worker 0] session.close() nullcloseStream false
    [15 Apr 2010 13:46:55,794] DEBUG xmppd [default-iim_server-worker 0] [CSEP]null closeImpl
    [15 Apr 2010 13:46:55,794] DEBUG xmppd [default-iim_server-worker 0] [CSEP] null closeSASLProvider
    [15 Apr 2010 13:46:55,794] DEBUG xmppd [default-iim_server-worker 0] Session[null] closed
    [15 Apr 2010 13:46:55,794] DEBUG xmppd [default-iim_server-worker 0] Removed connectionId : gz5im1.its.uwo.pri:7, this
    : jid : nullcom.iplanet.im.server.ConnectedStreamEndPoint@1198ff2 , jid : null
    [15 Apr 2010 13:46:55,794] DEBUG xmppd [default-iim_server-worker 0] Session[null] leaveAllGroupChats
    [15 Apr 2010 13:46:55,795] DEBUG xmppd [default-iim_server-worker 0] RouterEndPoint[null [18452466]] removed all listen
    ers. STAT:numEndPointListener=0
    [15 Apr 2010 13:46:55,795] DEBUG xmppd [default-iim_server-worker 0] no cipher suites in common
    org.jabberstudio.jso.StreamException: no cipher suites in common
    at net.outer_planes.jso.AbstractStream.process(AbstractStream.java:1179)
    at com.iplanet.im.server.ConnectedStreamEndPoint.process(ConnectedStreamEndPoint.java:356)
    at com.iplanet.im.server.ConnectedStreamEndPoint.dataAvailable(ConnectedStreamEndPoint.java:312)
    at com.iplanet.im.server.io.MuxChannel$MuxReadRunnable.run(MuxChannel.java:452)
    at org.netbeans.lib.collab.util.Worker.run(Worker.java:244)
    at java.lang.Thread.run(Thread.java:619)
    [15 Apr 2010 13:46:55,797] DEBUG xmppd [default-iim_server-worker 0] ConnectedStreamEndPoint finished process()

    [email protected] wrote:
    When I enable TLS on the instant messaging server, I can't connect to it using TLS.
    What client are you using to connect to the IM Server and what platform is it running on?
    I am using a self signed cert. Do I need to put the certificate authority in the JKS?
    Not as far as I can tell.
    I used the self-signed cert from Messaging Server (./msgcert generate-certDB) and the steps provided at http://forums.sun.com/thread.jspa?messageID=10971294#10971294 and TLS worked fine with the same version as you are running.
    I was testing with Pidgin 2.6.2 on Ubuntu 9.10.
    Do you see:
    [16 Apr 2010 16:13:03,421] INFO  xmppd [main] SSL initialized - using JKS
    The keytool output from my test system is below:
    bash-3.00# keytool -list -V -keystore server-keystore.jks
    Enter keystore password:  password
    Keystore type: jks
    Keystore provider: SUN
    Your keystore contains 1 entry
    Alias name: server-cert
    Creation date: 16/04/2010
    Entry type: keyEntry
    Certificate chain length: 1
    Certificate[1]:
    Owner: CN=mumble.aus.sun.com
    Issuer: CN=mumble.aus.sun.com
    Serial number: 90509a40
    Valid from: Wed Mar 24 16:01:17 EST 2010 until: Thu Jun 24 15:01:17 EST 2010
    Certificate fingerprints:
             MD5:  8C:8D:67:03:2C:4C:64:B6:73:45:94:36:FA:D6:CE:4C
             SHA1: B8:3E:F3:F0:D9:0C:B9:16:2F:82:3A:22:C6:1D:62:B3:90:18:02:34
    *******************************************
    Regards,
    Shane.

  • JES5: Calendar cannot start ssl

    I'm using JES5 and update patch for calendar.
    Please help me.
    # showrev -p |grep 121657
    Patch: 121657-15 Obsoletes: 117706-08, 116577-36 Requires: Incompatibles: Packages: SUNWics5, SUNWica5
    Patch: 121657-18 Obsoletes: 117706-08, 116577-43 Requires: Incompatibles: Packages: SUNWics5, SUNWica5
    Patch: 121657-19 Obsoletes: 117706-08, 116577-43 Requires: Incompatibles: Packages: SUNWics5, SUNWica5
    # certutil -L -d /var/opt/SUNWics5/alias
    Server-Cert CTu,Cu,Cu
    DEMO_CERT u,u,u
    # cat /etc/opt/SUNWics5/config/sslpassword.conf
    Internal (Software) Token:password
    # tail http.log
    [28/Feb/2008:14:01:06 +0700] mail cshttpd[7486]: General Error: http_ssl_init(): SSL initialization failed
    [28/Feb/2008:14:01:08 +0700] mail cshttpd[7486]: General Notice: cshttpd is ready
    # ics.conf #
    encryption.rsa.nssslactivation "on"
    encryption.rsa.nssslpersonalityssl "DEMO_CERT"
    encryption.rsa.nsssltoken "internal"
    service.http.tmpdir "/var/opt/SUNWics5/tmp"
    service.http.uidir.path "html"
    service.http.ssl.cachedir "."
    service.http.ssl.cachesize "10000"
    service.http.ssl.certdb.password "password"
    service.http.ssl.certdb.path "/var/opt/SUNWics5/alias"
    service.http.ssl.port.enable "yes"
    service.http.ssl.port "8443"
    service.http.ssl.securelogin "yes"
    service.http.securesession "yes"
    service.http.ssl.sourceurl "https://mail.demo.com:8443"
    service.http.ssl.ssl2.ciphers ""
    service.http.ssl.ssl2.sessiontimeout "0"
    service.http.ssl.ssl3.ciphers "rsa_rc4_40_md5,rsa_rc2_40_md5,rsa_des_sha,rsa_rc4_128_md5,rsa_3des_sha"
    service.http.ssl.ssl3.sessiontimeout "0"
    service.http.sslusessl "yes"

    truss result if using the certutil command to create the database and generate a self-signed certificate:
    14390/1: stat("/var/opt/SUNWics5/alias/cert8.db", 0xFFBFD440) = 0
    14390/1: open("/var/opt/SUNWics5/alias/cert8.db", O_RDONLY) = 23
    14390/1: fcntl(23, F_SETFD, 0x00000001) = 0
    14390/1: read(23, "\00615 a\0\0\002\0\010E1".., 260) = 260
    14390/1: lseek(23, 16384, SEEK_SET) = 16384
    14390/1: read(23, "\006 ?F7 ?F4 ?E3 ?A8 ? o".., 16384) = 16384
    14390/1: stat("/var/opt/SUNWics5/alias/key3.db", 0xFFBFD500) = 0
    14390/1: open("/var/opt/SUNWics5/alias/key3.db", O_RDONLY) = 24
    14390/1: fcntl(24, F_SETFD, 0x00000001) = 0
    14390/1: read(24, "\00615 a\0\0\002\0\010E1".., 260) = 260
    14390/1: lseek(24, 8192, SEEK_SET) = 8192
    14390/1: read(24, "\00E1FF91FF81FED1FDD1FCF".., 8192) = 8192
    14390/1: stat("/var/opt/SUNWics5/alias/libnssckbi.so", 0xFFBFD2A8) = 0
    14390/1: resolvepath("/var/opt/SUNWics5/alias/libnssckbi.so", "/var/opt/SUNWics5/alias/libnssckbi.so",
    1023) = 37
    14390/1: open("/var/opt/SUNWics5/alias/libnssckbi.so", O_RDONLY) = 25
    14390/1: mmap(0x00010000, 8192, PROT_READ|PROT_EXEC, MAP_PRIVATE|MAP_ALIGN, 25, 0) = 0xFC510000
    14390/1: mmap(0x00010000, 376832, PROT_NONE, MAP_PRIVATE|MAP_NORESERVE|MAP_ANON|MAP_ALIGN, -1, 0) = 0xF
    9020000
    14390/1: mmap(0xF9020000, 105120, PROT_READ|PROT_EXEC, MAP_PRIVATE|MAP_FIXED|MAP_TEXT, 25, 0) = 0xF9020
    000
    14390/1: mmap(0xF9048000, 209505, PROT_READ|PROT_WRITE|PROT_EXEC, MAP_PRIVATE|MAP_FIXED|MAP_INITDATA, 2
    5, 98304) = 0xF9048000
    14390/1: mmap(0xF9020000, 105120, PROT_READ|PROT_EXEC, MAP_PRIVATE|MAP_FIXED|MAP_TEXT, 25, 0) = 0xF9020
    000
    14390/1: mmap(0xF9048000, 209505, PROT_READ|PROT_WRITE|PROT_EXEC, MAP_PRIVATE|MAP_FIXED|MAP_INITDATA, 2
    5, 98304) = 0xF9048000
    14390/1: munmap(0xF903A000, 57344) = 0
    14390/1: memcntl(0xF9020000, 39140, MC_ADVISE, MADV_WILLNEED, 0, 0) = 0
    14390/1: close(25) = 0
    14390/1: stat("/opt/SUNWics5/cal/lib/libc.so.1", 0xFFBFD178) Err#2 ENOENT
    14390/1: munmap(0xFC510000, 8192) = 0
    14390/1: brk(0x003A0850) = 0
    14390/1: brk(0x003B2850) = 0
    14390/1: open("/var/opt/SUNWics5/alias/sslpassword.conf", O_RDONLY) = 25
    14390/1: read(25, " I n t e r n a l ( S o".., 255) = 35
    14390/1: close(25) = 0
    14390/1: lseek(23, 32768, SEEK_SET) = 32768
    14390/1: read(23, "\0\b ?C9 ? t ? ; = = = -".., 16384) = 16384
    14390/1: lseek(24, 16384, SEEK_SET) = 16384
    14390/1: read(24, "\0\b1F801CBE1C >19 |18FC".., 8192) = 8192
    14390/1: time() = 1204346872
    14390/1: getpid() = 14390 [14378]
    14390/1: fstat(3, 0xFFBFCFFC) = 0
    14390/1: lseek(3, 0, SEEK_END) = 123610
    Workaround after copy *.db of messaging server to /opt/SUNWics5/cal/config.
    cert8.db, key3.db and secmod.db create and generate self-signed certificate from msgcert command.
    I don't know why SSL does not work if I generate the certificate with the certutil command of Calendar.
    But Calendar SSL works if I create and generate the certificate with the msgcert command of Messaging.
    1. copy *.db from messaging to calendar directory
    2. chown icsuser:icsgroup *.db
    3. configure ssl parameters in the ics.conf file
    4. restart calendar service
    Regards,
    Chai.

  • Multiplexor ssl

    Hi,
    I have one machine with pop multiplexor installed (messaging 6.1), and I want to set up pop with ssl.
    I did the following:
    1) I installed a certificate using the console.
    2) cd msg_svr_base/config
    ln -s /var/mps/serverroot/alias/admin-serv-instance-cert8.db cert8.db
    ln -s /var/mps/serverroot/alias/admin-serv-instance-key3.db key3.db
    3) I edited the PopProxyAService.cfg file and uncommented
    the relevant SSL settings like the manual said.
    4) I edited the AService.cfg file and added |995 after the 110 in the ServiceList setting.
    5) start-msg mmp
    but I can start the ssl service.
    I looked at the log files and I get the following.
    20040618 183334 /opt/SUNWmsgsr/config/PopProxyAService.cfg ASockSSL_Init: PK11 auth failed to Server-Cert
    20040618 183334 /opt/SUNWmsgsr/config/PopProxyAService.cfg Messaging Multiplexor (Sun Java(tm) System Messaging Server 6.1 (built Apr 28 2004)) started
    Any idea of what could be the problem?

    Sorry to open this old case again, but I'm having the same problem. But all the things said above seems to be OK...
    each time I start the mmp, I get this in the logs (pop and imap) :
    20061020 110740 /opt/SUNWmsgsr/config/PopProxyAService.cfg ASockSSL_Init: PK11 auth failed to server-cert-test
    20061020 110740 /opt/SUNWmsgsr/config/PopProxyAService.cfg Messaging Multiplexor (Sun Java(tm) System Messaging Server 6.2-7.04 (built Aug 17 2006)) started
    server-cert-test is in the right DB, which is a link to /var/opt/mps/serverroot/alias :
    :/var/opt/SUNWmsgsr/config # ls -l *.db
    lrwxrwxrwx 1 root root 49 Oct 19 15:43 cert8.db -> /var/opt/mps/serverroot/alias/msg-config-cert8.db
    lrwxrwxrwx 1 root root 48 Oct 19 15:44 key3.db -> /var/opt/mps/serverroot/alias/msg-config-key3.db
    -rw------- 1 mailsrv mail 32768 Oct 19 17:40 secmod.db
    # /opt/SUNWmsgsr/sbin/certutil -L -d /var/opt/SUNWmsgsr/config/
    VeriSign Trial Secure Server Test CA CT,,
    server-cert-test u,u,u
    my-server-cert CTu,Cu,Cu
    my-ca-cert CTu,Cu,Cu
    The sslpassword.conf in /var/opt/SUNWmsgsr/config is like :
    # cat sslpassword.conf
    Internal (Software) Token:mypass
    I'm about to open a case to the support team, but I'm checking here in case someone would have a hint...
    # /opt/SUNWmsgsr/sbin/imsimta version
    Sun Java(tm) System Messaging Server 6.2-7.04 (built Aug 17 2006)
    libimta.so 6.2-7.04 (built 12:30:11, Aug 17 2006)
    SunOS z1-mmp..domain.com 5.10 Generic_118833-20 sun4v sparc SUNW,Sun-Fire-T200
    This MMP is running in a Solaris 10 zone.
    Thanks.

  • Cs 6.3 fails to create certificate authority

    I did the single host deployment:
    http://docs.sun.com/source/820-0086/index.html
    and now, I'm trying to follow the steps in chapter 7:
    http://docs.sun.com/app/docs/doc/819-4654/6n6prj535?a=view
    portal#pwd
    /etc/opt/SUNWics5/config
    portal#more doMakeCert8AndKey3
    #!/bin/sh
    LD_LIBRARY_PATH=/opt/SUNWics5/cal/lib
    export LD_LIBRARY_PATH
    cd /opt/SUNWics5/cal/sbin
    ./certutil -N -d /etc/opt/SUNWics5/config -f /etc/opt/SUNWics5/config/sslpassword.conf
    portal#more doCreateCA
    #!/bin/sh
    LD_LIBRARY_PATH=/opt/SUNWics5/cal/lib
    export LD_LIBRARY_PATH
    rm tempcert*
    cd /opt/SUNWics5/cal/sbin
    ./certutil -S -n SampleRootCA -x -t "CTu, CTu, CTu" -s "CN=My Sample Root CA, O=sesta.com" -m 25000 -o /etc/opt/SUNWics5/config/SampleRootCA.crt -d /etc/opt/SUNWics5/config -f /etc/opt/SUNWics5/config/sslpassword.conf -z /etc/passwd
    portal#./doMakeCert8AndKey3
    portal#./doCreateCA
    tempcert*: No such file or directory
    Generating key. This may take a few moments...
    certutil: unable to decode trust string: Certificate extension not found.
    portal#
    I just can't see what I typed in incorrectly - or which step I did wrong.

    I had to take spaces out of the "cTu, cTu, cTu" part then it worked.
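
The trust-string failure resolved above, as an added example that is not part of the original thread: a shell check that catches spaces in a certutil `-t` argument before certutil sees them. The function names are hypothetical, and the accepted flag letters (p, P, c, C, T, u, w) and the three-field form are assumptions taken from the NSS certutil documentation.

```shell
#!/bin/sh
# Added example: validate a certutil -t trust string before running certutil.
# Allowed letters are an assumption from the NSS certutil documentation;
# adjust the set for the NSS version you run.

# Prints the trust string with whitespace removed and returns 0 when the
# result is well formed; prints a diagnostic to stderr and returns 1 otherwise.
normalize_trust() {
    raw=$1
    # Spaces after the commas are the failure reported in the thread.
    clean=$(printf '%s' "$raw" | tr -d ' \t')
    # Documented form: three fields (SSL, S/MIME, object signing), two commas.
    commas=$(printf '%s' "$clean" | tr -cd ',' | wc -c | tr -d ' ')
    if [ "$commas" -ne 2 ]; then
        echo "trust string needs 3 comma-separated fields: '$raw'" >&2
        return 1
    fi
    case $clean in
        *[!pPcCTuw,]*)
            echo "unknown trust flag in '$raw'" >&2
            return 1 ;;
    esac
    printf '%s\n' "$clean"
}

# Returns 0 only if the string can be passed to certutil unchanged.
trust_is_safe() {
    fixed=$(normalize_trust "$1" 2>/dev/null) || return 1
    [ "$fixed" = "$1" ]
}
```

Calling `trust_is_safe "$TRUST" || exit 1` at the top of a wrapper script such as doCreateCA stops the run before the key is generated.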

  • Can't find ssl cert db

    We installed a cert from our local Cert Server using the Manage Certificates tab in the Messaging Console. Everything seemed to go ok. However, I get the following messages in the imap and http log files:
    imap:[22/Aug/2006:13:52:23 -0700] k240 imapd[6941]: General Information: Not initializing SSL: no certificate installed
    http:[22/Aug/2006:13:48:57 -0700] k240 httpd[6903]: General Information: Not initializing SSL: no certificate installed
    I was following an earlier thread in this forum to solve this and it seemed to indicate that I should be able to find the cert8.db file. That file is nowhere on the system, even though the console sees a valid cert.
    Is it held in the LDAP server somewhere?
    Am I not supposed to have config/cert8db and config/key3.db files?
    Thanks

    Since you don't give your version or os, I have to guess.
    Assuming 6.2 and Solaris.
    Console will place your msg-name-cert8.db and key files in
    /var/opt/mps/serverroot/alias
    directory.
    Messaging expects to see it in
    /opt/.SUNWmsgsr/config
    copy the files over.
    Don't forget to edit the sslpassword.conf file to include the cert db password.
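
One way to check the two points from the reply above (database files where the server looks for them, and a cert DB password entry in sslpassword.conf) before restarting the service, as an added example that is not the product's own tooling. Function names and return codes are hypothetical; the file names and the `Internal (Software) Token:` line format are the ones quoted on this page.

```shell
#!/bin/sh
# Added example: pre-flight check of an NSS certificate directory.
# Function names and return codes are hypothetical.

TOKEN_DEFAULT='Internal (Software) Token'

# 0 = cert8.db, key3.db and secmod.db are present and readable by the
# current user (symlinks are followed), 1 = at least one is not.
check_db_files() {
    dir=$1
    rc=0
    for db in cert8.db key3.db secmod.db; do
        if [ ! -r "$dir/$db" ]; then
            echo "missing or unreadable: $dir/$db" >&2
            rc=1
        fi
    done
    return $rc
}

# 0 = usable entry, 1 = file unreadable, 2 = no line for the token,
# 3 = empty password, 4 = file readable by group or others.
check_password_file() {
    file=$1
    token=${2:-$TOKEN_DEFAULT}
    [ -r "$file" ] || { echo "cannot read $file" >&2; return 1; }
    # Each line is "<token name>:<password>"; match the token name literally.
    line=$(awk -v t="$token:" 'index($0, t) == 1 { print; exit }' "$file")
    [ -n "$line" ] || { echo "no entry for '$token' in $file" >&2; return 2; }
    pw=${line#"$token:"}
    [ -n "$pw" ] || { echo "empty password in $file" >&2; return 3; }
    # Mode string from ls: character 5 is group read, character 8 is other read.
    mode=$(ls -ldL "$file" | cut -c1-10)
    case $mode in
        ????r*|???????r*)
            echo "$file is readable by group or others ($mode)" >&2
            return 4 ;;
    esac
    return 0
}

# Run both checks for one configuration directory.
preflight() {
    check_db_files "$1" && check_password_file "$1/sslpassword.conf"
}
```

Run it as the service account (mailsrv or icsuser in the threads above), since a file that root can read may still be unreadable to the server process.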

  • Activate SSL with OpenSSL Self-Signed Cert

    Dear Expert,
    Anyone can give me guidance on how to activate and create ssl cert in Java IM using openssl self-signed cert.
    thanks

    Here is how I make it work. Some of the tips are from jay in this forum.
    Instant Messaging with SSL
    Let say I have Messaging, Directory, IM server in 1 box.
    Let's create a cert
    # cd /etc/opt/SUNWiim/default/config/
    a) Sun [TM] ONE Messaging Server 6.1 and Sun [TM] ONE Directory Server 5.2 were installed from JES2 on the same box
    b) The server_root directory for Directory Server is the default: /var/opt/mps/serverroot
    c) The server_root directory for Messaging Server is also the default: /opt/SUNWmsgsr
    1. Login to the console and do a Certificate Request
    a) cd /var/opt/mps/serverroot
    b) ./startconsole &
    c) Login to the main console as "cn=Directory Manager"
    d) Select and open the "Messaging Server" console
    e) Highlight the tab called "Tasks" at the top
    f) Select "Manage Certificates"
    g) Console will ask for a password for the security database. Please enter a password twice and make sure that you remember it. This will create the following two files under "/var/opt/mps/serverroot/alias" directory:
    -rw------- 1 mailsrv other 65536 Aug 12 13:57 msg-config-cert8.db
    -rw------- 1 mailsrv other 32768 Aug 12 13:57 msg-config-key3.db
    NOTE: Please make sure that:
    - either the owner of the files is the messaging server user ( mailsrv in this case ),
    - or the permission is appropriate for the mail server user to at least read it.
    h) Once you reach the "Manage Certificate" window, please make a "Certificate Request" by filling in the appropriate questions
    i) Once you are done, you get a CSR , which looks something like this:
    Please maintain and preserve this CSR , since you will be sending it to the Certificate Authority ( CA ) so they can issue you a Certificate
    # openssl genrsa -des3 -out ca.key 4096
    # openssl req -new -x509 -days 3650 -key ca.key -out ca.crt
    # openssl x509 -req -days 3650 -in file.csr -CA ca.crt -CAkey ca.key -set_serial 01 -out server-cert.crt
    # cp -p /var/opt/mps/serverroot/alias/msg-config-key3.db key3.db
    # cp -p /var/opt/mps/serverroot/alias/msg-config-cert8.db cert8.db
    # cp -p /var/opt/mps/serverroot/alias/secmod.db .
    # cat sslpassword.conf
    Internal (Software) Token:password
    # cat /etc/opt/SUNWiim/default/config/iim.conf
    iim.comm.modules = "iim_server,iim_mux,iim_wd"
    iim.smtpserver = "www.esuria.com.bn"
    iim.instancedir = "/opt/SUNWiim"
    iim.instancevardir = "/var/opt/SUNWiim/default"
    iim.user = "root"
    iim.group = "root"
    iim.config.version = "1.1"
    iim_ldap.host = "www.esuria.com.bn:389"
    iim_ldap.searchbase = "o=esuria.com.bn,dc=esuria,dc=com,dc=bn"
    iim_ldap.loginfilter = "(&(objectclass=inetorgperson)(uid={0}))"
    iim_ldap.usergroupbyidsearchfilter = "(|(&(objectclass=groupofuniquenames)(dn={0}))(&(objectclass=inetorgperson)(uid={0})))"
    iim_ldap.usergroupbynamesearchfilter = "(|(&(objectclass=groupofuniquenames)(cn={0}))(&(objectclass=inetorgperson)(cn={0})))"
    iim_ldap.allowwildcardinuid = "False"
    iim_ldap.userclass = "inetOrgPerson"
    iim_ldap.groupclass = "groupOfUniqueNames"
    iim_ldap.groupbrowsefilter = "(objectclass=groupofuniquenames)"
    iim_ldap.searchlimit = "40"
    iim_ldap.userdisplay = "cn"
    iim_ldap.groupdisplay = "cn"
    iim_ldap.useruidattr = "uid"
    iim_ldap.groupmemberattr = "uniquemember"
    iim_ldap.usermailattr = "mail"
    iim_ldap.resynctime = "720"
    iim_ldap.usergroupbinddn = "cn=Directory Manager"
    iim_ldap.usergroupbindcred = "password"
    iim_ldap.useidentityadmin = "false"
    iim.log.iim_server.severity = "INFO"
    iim.log.iim_mux.severity = "ERROR"
    iim.log.iim_wd.severity = "ERROR"
    iim_server.domainname = "esuria.com.bn"
    iim_server.useport = "True"
    iim_server.port = "5269"
    iim_server.usesslport = "False"
    iim_server.sslport = "5223"
    iim_server.enable = "True"
    iim_server.clienttimeout = "15"
    iim_server.usesso = "0"
    iim.policy.modules = "iim_ldap"
    iim.userprops.store = "file"
    iim_mux.listenport = "www.esuria.com.bn:5222"
    iim_mux.serverport = "www.esuria.com.bn:45222"
    iim_mux.enable = "true"
    iim_mux.numinstances = "2"
    iim_mux.maxthreads = "10"
    iim_mux.maxsessions = "1000"
    iim_mux.usessl = "on"
    iim_mux.secconfigdir = "/etc/opt/SUNWiim/default/config"
    iim_mux.keydbprefix =
    iim_mux.certdbprefix =
    iim_mux.secmodfile = "secmod.db"
    iim_mux.certnickname = "server-cert"
    iim_mux.keystorepasswordfile = "sslpassword.conf"
    iim_wd.enable = "true"
    iim_wd.period = "300"
    iim_wd.maxRetries = "10"
    - open http://www.esuria.com.bn/im/en/im.jnlp
    - click More Detail and enable Use SSL
