Ciphermail Gateway Separate Front-end and Back-end Configuration Guide

Similar documents
Unifying Information Security. Implementing TLS on the CLEARSWIFT SECURE Gateway

Browser-based Support Console

CipherMail Gateway Upgrade Guide

Iowa Immunization Registry Information System (IRIS) Web Services Data Exchange Setup. Version 1.1 Last Updated: April 14, 2014

EventTracker Windows syslog User Guide

Application Note AN1502

Basic Exchange Setup Guide

How-to-Guide: SAP Web Dispatcher for Fiori Applications

Managing the SSL Certificate for the ESRS HTTPS Listener Service Technical Notes P/N REV A01 January 14, 2011

Clearswift Information Governance

CA and SSL Certificates

TECHNICAL NOTE Stormshield Network Firewall AUTOMATIC BACKUPS. Document version: 1.0 Reference: snentno_autobackup

IIS 6.0SSL Certificate Deployment Guide

Ciphermail Gateway EJBCA integration guide

White Paper. Installation and Configuration of Fabasoft Folio IMAP Service. Fabasoft Folio 2015 Update Rollup 3

Scenarios for Setting Up SSL Certificates for View

HP Device Manager 4.7

Creating a Free Trusted SSL Cert with StartSSL for use with Synctuary

Configuring TLS Security for Cloudera Manager

Basic Exchange Setup Guide

Ciphermail Gateway Web LDAP Authentication Guide

To enable https for appliance

Installing BIRT Analytics 4.4

SSL Interception on Proxy SG

Installing Dspace 1.8 on Ubuntu 12.04

Using Client Side SSL Certificate Authentication on the WebMux

Configuring Secure Socket Layer and Client-Certificate Authentication on SAS 9.3 Enterprise BI Server Systems That Use Oracle WebLogic 10.

Replacing vcenter Server 4.0 Certificates VMware vsphere 4.0

Load Balancing. Outlook Web Access. Web Mail Using Equalizer

Device Log Export ENGLISH

CipherMail Gateway Installation Guide

e-cert (Server) User Guide For Apache Web Server

Implementing PCoIP Proxy as a Security Server/Access Point Alternative

If you prefer to use your own SSH client, configure NG Admin with the path to the executable:

How to: Install an SSL certificate

Immotec Systems, Inc. SQL Server 2005 Installation Document

F-Secure Messaging Security Gateway. Deployment Guide

This section describes how to use SSL Certificates with SOA Gateway running on Linux.

Install MS SQL Server 2012 Express Edition

Laboratory Exercises VI: SSL/TLS - Configuring Apache Server

LoadMaster SSL Certificate Quickstart Guide

Sun Java System Web Server 6.1 Using Self-Signed OpenSSL Certificate. Brent Wagner, Seeds of Genius October 2007

An Information System

An Oracle White Paper September Oracle WebLogic Server 12c on Microsoft Windows Azure

F-SECURE MESSAGING SECURITY GATEWAY

CA Nimsoft Unified Management Portal

Encrypted Connections

Apache, SSL and Digital Signatures Using FreeBSD

QuickStart Guide for Managing Mobile Devices. Version 9.2

S/MIME on Good for Enterprise MS Online Certificate Status Protocol. Installation and Configuration Notes. Updated: October 08, 2014

SecuritySpy Setting Up SecuritySpy Over SSL

Knowledge Base Article: Article 218 Revision 2 How to connect BAI to a Remote SQL Server Database?

HOWTO. Configure Nginx for SSL with DoD CAC Authentication on CentOS 6.3. Joshua Penton Geocent, LLC

Creating Certificate Authorities and self-signed SSL certificates

CERTIFICATE-BASED SINGLE SIGN-ON FOR EMC MY DOCUMENTUM FOR MICROSOFT OUTLOOK USING CA SITEMINDER

EMC Data Protection Search

JAMF Software Server Installation Guide for Linux. Version 8.6

Cassandra Installation over Ubuntu 1. Installing VMware player:

USER GUIDE. Lightweight Directory Access Protocol (LDAP) Schoolwires Centricity

SQL Server 2008 and SSL Secure Connection

How to Secure a Groove Manager Web Site

Compiled By: Chris Presland v th September. Revision History Phil Underwood v1.1

WHITE PAPER Citrix Secure Gateway Startup Guide

Oracle Mobile Security Suite Workshop. Installation

École des Ponts Paristech DSI. Installing OpenVPN

White Paper. Fabasoft on Linux Cluster Support. Fabasoft Folio 2015 Update Rollup 2

CLEARSWIFT SECURE Web Gateway HTTPS/SSL decryption

VPN (OpenVPN) Setting Guide. Johnny

ENABLING RPC OVER HTTPS CONNECTIONS TO M-FILES SERVER

Generating and Installing SSL Certificates on the Cisco ISA500

SolarWinds Technical Reference

IMF Tune Quarantine & Reporting Running SQL behind a Firewall. WinDeveloper Software Ltd.

Using LDAP for User Authentication

IUCLID 5 Guidance and Support

NSi Mobile Installation Guide. Version 6.2

Junio SSL WebLogic Oracle. Guía de Instalación. Junio, SSL WebLogic Oracle Guía de Instalación CONFIDENCIAL Página 1 de 19

Using Self Certified SSL Certificates. Paul Fisher. Quest Software. Systems Consultant. Desktop Virtualisation Group

Mondopad v1.6. Quick Start

Network Configuration Settings

HP LaserJet Pro Devices Installing 2048 bit SSL certificates

Training module 2 Installing VMware View

Apache Security with SSL Using Ubuntu

Cisco SSL Encryption Utility

Installing the SSL Client for Linux

SOLR INSTALLATION & CONFIGURATION GUIDE FOR USE IN THE NTER SYSTEM

Dialogic 4000 Media Gateway Series as a Survivable Branch Appliance for Microsoft Lync Server 2010

Set up a Home Secure Global Desktop Enterprise Edition Remote Access Server

How-to-Guide: Apache as Reverse Proxy for Fiori Applications

PROTECTING DATA IN TRANSIT WITH ENCRYPTION IN M-FILES

How To Enable A Websphere To Communicate With Ssl On An Ipad From Aaya One X Portal On A Pc Or Macbook Or Ipad (For Acedo) On A Network With A Password Protected (

Solr Bridge Search Installation Guide

Zeroshell: VPN Host-to-Lan

Configuring Global Protect SSL VPN with a user-defined port

ISY994 Series Network Security Configuration Guide Requires firmware version Requires Java 1.7+

Install and Configure an Open Source Identity Server Lab

LDAP User Guide PowerSchool Premier 5.1 Student Information System

StreamServe Persuasion SP5 StreamStudio

Setting Up CAS with Ofbiz 5

Obtaining SSL Certificates for VMware View Servers

Transcription:

CIPHERMAIL EMAIL ENCRYPTION Ciphermail Gateway Separate Front-end and Back-end Configuration Guide June 19, 2014, Rev: 8975

Copyright 2010-2014, ciphermail.com.

CONTENTS CONTENTS Contents 1 Introduction 3 2 Back-end 3 2.1 SSL certificate............................ 3 2.2 Configure SOAP........................... 4 3 Front-end 5 3.1 Specify back-end server....................... 5 3.2 Trust the SSL certificate....................... 5 2

2 BACK-END 1 Introduction This guide will explain how to configure the Ciphermail gateway to work with a separate front-end and back-end. This guide does not explain how to setup a Ciphermail gateway (see the installation guide for installation instructions). This guide assumes that Ciphermail is installed on Ubuntu. For installations on other systems, some of the instructions might be different. Note: currently, the back-end does not have any notion of roles. Once an external user has successfully authenticated, the external user is allowed to access all SOAP services. Future versions of Ciphermail will add support for roles on the back-end. This guide assumes that the following IP addresses are used for the front-end and back-end server: Front-end: 192.168.178.71 Back-end: 192.168.178.72 Note: commands that should be executed by the user, are shown on lines starting with a $ sign (the $ sign is not part of the command to execute). You can directly copy and paste the commands to the command line. 2 Back-end SOAP is being used to communicate between the front-end and back-end. To protect the SOAP connection against sniffing and spoofing, the connection should be protected with TLS. A SSL certificate should therefore be available which is valid for the IP address (or domain name) of the back-end server. The following part will explain how to make a self signed SSL certificate with openssl. This part can be skipped if a valid SSL certificate is already available. 2.1 SSL certificate A SSL certificate valid for the back-end IP address (or domain name if the back-end server has a domain name) will be created using openssl in the directory of the Ciphermail server. In the last step, openssl asks for some user input like country, city etc. Only the common name is required. The common name should be equal to the IP address of the back-end server (in this case 192.168.178.72). Alternatively instead of using an IP address, the domain name can be used. Create SSL certificate: $ cd /usr/share/djigzo $ sudo mkdir ssl $ cd ssl $ sudo sh -c "openssl genrsa 2048 > ssl-soap.key" 3

2.2 Configure SOAP 2 BACK-END $ sudo sh -c "openssl req -new -x509 -nodes -sha1 -days 365 \ -key ssl-soap.key > ssl-soap.cert" Note: make sure that the common name is the correct IP address or domain name. If not, the SSL connection cannot be established. Create pfx file The generated key and certificate should be stored in a password protected pfx file. Use djigzo (without the quotes) for the pfx password 1. $ sudo openssl pkcs12 -export -inkey ssl-soap.key \ -in ssl-soap.cert -out ssl-soap.pfx The pfx file should be owned by user djigzo and only readable by owner. $ sudo chown djigzo:djigzo ssl-soap.pfx $ sudo chmod go-r ssl-soap.pfx The generated key should be removed for safety reasons as it s no longer needed. $ sudo rm ssl-soap.key 2.2 Configure SOAP Set the IP address, port and protocol The IP address, port and protocol of the SOAP server are specified in the Ciphermail main properties file. The soap.server properties in the properties file /etc/djigzo/djigzo.properties should be changed to make the Ciphermail backend bind to the external IP address. protected.system.soap.server.protocol=https protected.system.soap.server.bind=192.168.178.72 protected.system.soap.server.port=9001 Note: the bind address should be set to the IP address of the back-end server 2. Change default SOAP password Because the SOAP interface will be made available to external users, it s advised to change the default soap password. The soap password is specified in the main Ciphermail properties file /etc/djigzo/djigzo.properties. The soap password can be changed by modifying the property "protected.system.soap.password". 1 if a different password is used, make sure that the password specified in the soap configuration file soap.xml matches the pfx password. 2 The reason the IP address should be specified, is that the WSDL of the SOAP services will specify the actual IP address of SOAP service. The address should therefore be equal to the IP address of the server itself because the server will handle SOAP. 4

3 FRONT-END Note: the new soap password should also be set on the front-end (this will be explained in the front-end section). Allow access to port 9001 If a local firewall is running, for example ufw, the firewall should be opened to allow incoming connections to port 9001. For ufw this can be done using the following command: $ sudo ufw allow 9001/tcp Note: for added safety, access to port 9001 should only be allowed from the front-end server IP. Restart Ciphermail Ciphermail should be restarted to make sure the new settings are being used. $ sudo /etc/init.d/djigzo restart 3 Front-end 3.1 Specify back-end server The front-end web application should be setup to connect to the remote Ciphermail back-end. The following settings should be added to the Tomcat default configuration file /etc/default/tomcat6. JAVA_OPTS="$JAVA_OPTS -Ddjigzo.ws.server.host=192.168.178.72" JAVA_OPTS="$JAVA_OPTS -Ddjigzo.ws.server.port=9001" JAVA_OPTS="$JAVA_OPTS -Ddjigzo.ws.server.protocol=https" JAVA_OPTS="$JAVA_OPTS -Dsoap.password=****" Note: The host IP address should be replaced with the IP address of the back-end server and the soap password (****) should be replaced with the soap password used by the back-end. 3.2 Trust the SSL certificate If a self signed SSL certificate is used, or an SSL certificate is used which is not by default trusted, the self signed SSL certificate or the root that issued the certificate should be trusted by Tomcat. The following steps assume that the SSL certificate used is a self signed certificate which was generated using the steps specified in the previous section. If an existing SSL certificate issued by a non-trusted root is used, some of the following steps should be modified to match the root certificate used. 5

3.2 Trust the SSL certificate 3 FRONT-END Copy the self signed SSL certificate The self signed certificate should be copied from the back-end server to the front-end server. $ scp djigzo-admin@192.168.178.72:/usr/share/djigzo/ssl/ssl-soap.cert. Trust the self signed SSL certificate By copying the self signed SSL certificate to the local ca certificate store, the certificate will be trusted. $ sudo mv ssl-soap.cert /usr/local/share/ca-certificates/djigzo-ssl-soap.crt $ sudo /usr/sbin/update-ca-certificates Note: if djigzo-ssl-soap.crt was already stored in the ca certificates store, use the -f flag (update-ca-certificates -f ) to force an update. Restart Tomcat Tomcat should be restarted to make sure the new settings are being used. sudo /etc/init.d/tomcat6 restart 6

2026 © DocPlayer.net Privacy Policy | Terms of Service | Feedback  | Do Not Sell My Personal Information