Ciphermail Gateway EJBCA integration guide



Similar documents
SolarWinds Technical Reference

Ciphermail for BlackBerry Quick Start Guide

Document Classification: Public Document Name: SAPO Trust Centre - Generating a SSL CSR for IIS with SAN Document Reference:

Ciphermail Gateway PDF Encryption Setup Guide

Ciphermail Gateway Separate Front-end and Back-end Configuration Guide

White Paper. Installation and Configuration of Fabasoft Folio IMAP Service. Fabasoft Folio 2015 Update Rollup 3

EJBCA with GemSAFE Toolbox Part2 Sign. and Encrypt

CAC/PIV PKI Solution Installation Survey & Checklist

Ciphermail S/MIME Setup Guide

Integrating EJBCA and OpenSSO

SSL Configuration on Weblogic Oracle FLEXCUBE Universal Banking Release [August] [2014]

Djigzo S/MIME setup guide

CipherMail Gateway Upgrade Guide

Exchange 2010 PKI Configuration Guide

Ciphermail Gateway Web LDAP Authentication Guide

Configuring IBM WebSphere Application Server 7 for Secure Sockets Layer and Client-Certificate Authentication on SAS 9.3 Enterprise BI Server Web

NSi Mobile Installation Guide. Version 6.2

Junio SSL WebLogic Oracle. Guía de Instalación. Junio, SSL WebLogic Oracle Guía de Instalación CONFIDENCIAL Página 1 de 19

Deploying EMC Documentum WDK Applications with IBM WebSEAL as a Reverse Proxy

CHAPTER 7 SSL CONFIGURATION AND TESTING

Using CertAgent to Obtain Domain Controller and Smart Card Logon Certificates for Active Directory Authentication

F-Secure Messaging Security Gateway. Deployment Guide

Setting Up SSL on IIS6 for MEGA Advisor

Copyright 2013, 3CX Ltd.

Exchange Reporter Plus SSL Configuration Guide

Customer Tips. Xerox Network Scanning HTTP/HTTPS Configuration using Microsoft IIS. for the user. Purpose. Background

Central Configuration Using File Server

Iowa Immunization Registry Information System (IRIS) Web Services Data Exchange Setup. Version 1.1 Last Updated: April 14, 2014

Ciphermail for Android Quick Start Guide

Installing BIRT Analytics 4.4

Introduction to Mobile Access Gateway Installation

Unifying Information Security. Implementing TLS on the CLEARSWIFT SECURE Gateway

OrgChart Now SSL Certificate Installation. OfficeWork Software LLC

EJBCA with GemSAFE Toolbox Part1 Workstation Logon

Setup Corporate (Microsoft Exchange) . This tutorial will walk you through the steps of setting up your corporate account.

Authentication in XenMobile 8.6 with a Focus on Client Certificate Authentication

Installing Digital Certificates for Server Authentication SSL on. BEA WebLogic 8.1

Secure Messaging Server Console... 2

To install and configure SSL support on Tomcat 6, you need to follow these simple steps. For more information, read the rest of this HOW-TO.

Installation and Configuration Guide

Chapter 2 Editor s Note:

Sun Access Manager CAC Authentication Deployment Configuration Guide

CA Performance Center

RoomWizard Synchronization Software Manual Installation Instructions

How to Configure Certificate Based Authentication for WorxMail and XenMobile 10

Installation valid SSL certificate

Clearswift Information Governance

X.509 Certificate Generator User Manual

Configuring SSL in OBIEE 11g

Scenarios for Setting Up SSL Certificates for View

Managing Software and Configurations

Mobile Device Management Version 8. Last updated:

How to Connect SSTP VPN from Windows Server 2008/Vista to Vigor2950

ISY994 Series Network Security Configuration Guide Requires firmware version Requires Java 1.7+

DESLock+ Basic Setup Guide Version 1.20, rev: June 9th 2014

SonicOS Enhanced 3.2 LDAP Integration with Microsoft Active Directory and Novell edirectory Support

App Orchestration 2.5

Integrated SSL Scanning

Using EMC Unisphere in a Web Browsing Environment: Browser and Security Settings to Improve the Experience

Managing the SSL Certificate for the ESRS HTTPS Listener Service Technical Notes P/N REV A01 January 14, 2011

Contents Notice to Users

Sophos UTM Web Application Firewall for Microsoft Exchange connectivity

Installing and Configuring a Server Certificate for use by MailSite Fusion with TLS/SSL A guide for MailSite Administrators

Web Remote Access. User Guide

Configuring Secure Socket Layer (SSL) for use with BPM 7.5.x

Certificate technology on Pulse Secure Access

HELP DOCUMENTATION SSRPM WEB INTERFACE GUIDE

Requirements Collax Security Gateway Collax Business Server or Collax Platform Server including Collax SSL VPN module

Certificate technology on Junos Pulse Secure Access

IIS 6.0SSL Certificate Deployment Guide

(n)code Solutions CA A DIVISION OF GUJARAT NARMADA VALLEY FERTILIZERS COMPANY LIMITED P ROCEDURE F OR D OWNLOADING

How to generate SSL certificates for use with a KVM box & XViewer with XCA v0.9.3

ez Agent Administrator s Guide

Oracle Communications Cartridge Feature Specification for Broadsoft Broadworks Enterprise Services

What s New in Propalms VPN 3.5?

2 Downloading Access Manager 3.1 SP4 IR1

Enable SSL for Apollo 2015

Product Manual. MDM On Premise Installation Version 8.1. Last Updated: 06/07/15

Title: How to set up SSL between CA SiteMinder Web Access Manager - SiteMinder Policy Server and Active Directory (AD)

MadCap Software. Upgrading Guide. Pulse

Installing an SSL Certificate Provided by a Certificate Authority (CA) on the vwlan Appliance

Lepide Active Directory Self Service. Installation Guide. Lepide Active Directory Self Service Tool. Lepide Software Private Limited Page 1

The IceWarp SSL Certificate Process

SSL Considerations for CAS: Planning, Management, and Troubleshooting. Marvin Addison Middleware Services Virginia Tech October 13, 2010

HTTPS Configuration for SAP Connector

IceWarp SSL Certificate Process

CA Unified Infrastructure Management Server

TECHNICAL NOTE Stormshield Network Firewall AUTOMATIC BACKUPS. Document version: 1.0 Reference: snentno_autobackup

Configuring TLS Security for Cloudera Manager

Installation Guide. SafeNet Authentication Service

Novell Identity Manager

EJBCA with GemSAFE Toolbox Part3 SSL

Click Studios. Passwordstate. High Availability Installation Instructions

How to Configure an Initial Installation of the VMware ESXi Hypervisor

ENABLING SINGLE SIGN-ON FOR EMC DOCUMENTUM WDK-BASED APPLICATIONS USING IBM WEBSEAL ON AIX

BEA Weblogic Guide to Installing Root Certificates, Generating CSR and Installing SSL Certificate

StreamServe Encryption and Authentication

Technical Brief ActiveSync Configuration for WatchGuard SSL 100

Astaro Security Gateway V8. Remote Access via L2TP over IPSec Configuring ASG and Client

Using Internet or Windows Explorer to Upload Your Site

Transcription:

CIPHERMAIL EMAIL ENCRYPTION Ciphermail Gateway EJBCA integration guide June 17, 2014, Rev: 5460

Copyright 2011-2014, ciphermail.com.

CONTENTS CONTENTS Contents 1 Introduction 3 2 Configure Ciphermail 3 3 Configure EJBCA 5 3.1 Certificate Profile........................... 5 3.2 End Entity Profile........................... 5 4 Finish 6 A EJBCA certificate request handler configuration 8 2

2 CONFIGURE CIPHERMAIL 1 Introduction This guide explains how to configure a Ciphermail gateway to make the gateway request certificates from an external EJBCA server. EJBCA (http:// ejbca.org/) is a widely used, flexible, enterprise Java based open source CA server. Ciphermail contains basic CA functionality. If however more advanced CA functionality is required, for example add constraints to the issued certificates, EJBCA is advised. Note: this guide assumes that a Ciphermail gateway and an EJBCA server have already been setup and that the EJBCA server is setup to accept incoming connections to the Web Service Interface. 2 Configure Ciphermail To configure Ciphermail for EJBCA support, the EJBCA certificate request handler should be configured. All the default certificate request handlers are defined in the spring configuration file found in the folder where Ciphermail is installed 1 : conf/spring/certificate-request-handlers.xml. The ejbcacertificaterequesthandlersettings bean specifies the EJBCA specific settings and should be configured (see Appendix A for the default configuration). The following properties can be set: enabled Set to true if the EJBCA certificate request handler should be enabled (it s disabled by default). webserviceurl The webserviceurl is the URL of the EJBCA server web service. The URL should typically be of the form: https://host:8443/ejbca/ejbcaws/ejbcaws where HOST should be replaced by the real host name or the IP address of the EJBCA server 2. keystorefile EJBCA requires that the web service client is authenticated with a client side certificate. The keystorefile should be set to the path to the file containing the administration certificate. 1 For the Virtual Appliance and the Deb and RPM packages, the default folder is /usr/share/djigzo 2 Since EJBCA requires client side authentication, the webserviceurl should always be accessed over HTTPS. 3

2 CONFIGURE CIPHERMAIL Note: With a default EJBCA installation, the administration certificate is stored in EJBCA_HOME/p12/superadmin.p12. The file superadmin.p12 should be copied to a location accessible by Ciphermail. keystorepassword The password of the keystorefile. Note: With a default EJBCA installation, the password for the superadmin.p12 file is ejbca keystoretype The type of the keystorefile (PKCS12, JKS or some other key store type supported by Java). If keystoretype is not set, the key store type is based on the filename extension of the key store file 3. skipcertificatecheck The web service connection to the EJBCA server is protected with TLS/SSL. By default the connection to the EJBCA server is only setup if the SSL certificate used by the EJBCA server is trusted by the Ciphermail server (see truststorefile). To disable checking the web service SSL certificate, set skipcertificatecheck to true. Note: Only set skipcertificatecheck to true for testing purposes or when the SSL web service certificate cannot be imported for some reason and the connection between the Ciphermail gateway and EJBCA server is fully trusted. truststorefile The path to the key store with the trusted issuer of the web service SSL certificate. If not set, the default Java system trust store will be used. To completely skip all server certificate checks, set skipcertificatecheck to true. Note: In a default EJBCA installation, the trusted certificate is stored in EJBCA_HOME/p12/truststore.jks. The file truststore.jks should be copied to a location accessible by Ciphermail. truststorepassword The password of the truststorefile. Note: In a default EJBCA installation, the password for the truststore.jks file is changeit truststoretype The type of the truststorefile. See keystoretype for more information. 3.pfx and.p12 are opened as PKCS12 and jks and a file without an extension is opened as JKS 4

3 CONFIGURE EJBCA disablecncheck By default, when the TLS/SSL connection is setup, a check is done to see whether the SSL certificate of the EJBCA server is issued to the hostname (or IP) address of the webserviceurl. If the hostname from the SSL certificate does not match the hostname of the webserviceurl, the TLS/SSL connection is terminated. If the certificate is issued to a different hostname than the hostname of the webserviceurl, the hostname check can be disabled by setting disablecncheck to true. CAName This should be set to the name of the Certificate Authority (CA) used for the issued certificates. endentityprofilename This should be set to the name of the End Entity Profile used for the issued certificates. certificateprofilename This should be set to the name of the Certificate Profile used for the issued certificates. defaultuserpassword By default EJBCA will generate a password for every new user. If for some reason a static password must be used, set the default- UserPassword to the password selected for new users. 3 Configure EJBCA To issue S/MIME certificates, certain Certificate Profile and End Entity Profile settings must be specified. 3.1 Certificate Profile The default (fixed) ENDUSER certificate profile can be used since it contains all the relevant settings. If another certificate profile should be used instead of the ENDUSER profile, the following profile settings are required: Key Usage If the key usage extension is checked, either no key usages should be selected (which implies that the key can be used for all purposes) or Digital Signature and Key encipherment should be selected 4. Extended Key Usage If the extended key usage extension is checked, make sure that either Any Extended Key Usage or Email Protection is checked. 3.2 End Entity Profile Subject DN Attributes Certain Subject DN Attributes should be added to the End Entity Profile: Organization, givenname, surname and emailaddress. 4 Digital Signature is required for a certificate valid for digital signing and Key encipherment is required for a certificate valid for encryption. 5

4 FINISH Other subject attributes The RFC 822 Name should be added to Other subject attributes and Use entity e-mail field should be enabled. See figure 1 for an example of the relevant End Entity Profile settings. Figure 1: EJBCA End Entity Profile 4 Finish After the EJBCA settings have been changed, the Ciphermail gateway should be restarted. After a restart, the administrator can select the EJBCA certificate request handler (see figure 2). 6

4 FINISH Figure 2: EJBCA certificate request handler 7

A EJBCA CERTIFICATE REQUEST HANDLER CONFIGURATION A EJBCA certificate request handler configuration EJBCA certificate request handler settings <bean id="ejbcacertificaterequesthandlersettings" class="mitm.common.security.ca.handlers.ejbca.staticejbcacertificaterequesthandlersettings"> set enabled to true to use the EJBCA request handler <property name="enabled" value="false" /> The URL of the EJBA web service <property name="webserviceurl" value="https://192.168.178.113:8443/ejbca/ejbcaws/ejbcaws" /> The path to the Admin certificate key store (.p12 or.pfx) <property name="keystorefile" value="/home/martijn/temp/superadmin.p12"/> The password of the Admin certificate key store <property name="keystorepassword" value="ejbca"/> The type of the key store file (JKS, PKCS12 etc.). Leave empty to 'guess' type based on file extension <property name="keystoretype" value="pkcs12"/> If true, no server certificate trust check will be done (i.e., all certificates are accepted) <property name="skipcertificatecheck" value="false" /> The path the key store with the trusted issuer(s). This should be the store containing the root of the EJBCA server certificate. If not set, the default Java system trust store will be used. To completely skip all server certificate checks, set skipcertificatecheck to true. <property name="truststorefile" value="/home/martijn/temp/truststore.jks"/> The password of the trust store <property name="truststorepassword" value="changeit"/> The type of the trust store file (JKS, PKCS12 etc.). Leave empty to 'guess' type based on file extension <property name="truststoretype" value="jks"/> If true, the CN of the certificate is not checked if it's equal to the domain name of the webserviceurl <property name="disablecncheck" value="true" /> The EJBCA CA to use <property name="caname" value="adminca1" /> The EJBCA end entity profile to use <property name="endentityprofilename" value="test" /> The EJBCA certificate profile to use <property name="certificateprofilename" value="enduser" /> The default password for newly requested certificates. Note: Only set this if password is required and not automatically generated by EJBCA <property name="defaultuserpassword" value="changethis!" /> </bean> 8

2026 © DocPlayer.net Privacy Policy | Terms of Service | Feedback  | Do Not Sell My Personal Information