SSL/TLS support in Calendar Server 5.1.1?
After reviewing the documentation and searching Sun's site, I can't seem to find anything that even suggests that it is possible to SSL-enable the Calendar Server's web server. This is pretty disheartening.
If this is indeed impossible (at least currently), has anyone else thought about how to shore up the security of at least the Calendar Express web login?
I'm also curious if any Sun folks monitor these forums...
I also wonder if adding SSL/TLS support is in the works.
Thanks for any help!
_Khalid
Sys Admin
I know ;-)...plus if you have more than 1 calendar server, you can seamlessly load balance. Believe me, I was hooked when I started using pound.
-Bruno
We're using stunnel, which seems to provide similar results to pound (though pound looks like it's probably a better approach). Unless pound is looking through the pages and rewriting text, you'll still need to do two things:
1) in ics.conf, set ui.base.url to the https: url, e.g.
ui.base.url = "https://moltar.rutgers.edu:1025"
2) in bin/html/en/default.html, insert code to redirect people to the https: version from the login page. The problem is that when a session times out, the system sends them back to the login page. But it doesn't pay attention to ui.base.url. It will send them to the non-https version of the login page. Somewhere near the beginning of default.html I did it right before
function getArgs() {
if (!location.search) return null
add the following:
if ((location.port != 1025) && (!location.search)) {
location.replace('https://moltar.rutgers.edu:1025/');
}
Obviously you'll need to use your own port number and URL. Note that this will only redirect a default login page. It doesn't do anything for more complex calls to default.html. (I have limited it because of previous bad experiences.)
Thanks to the last poster, I edited my ics.conf file.
ui.base.url = "https://calendar.mydomain.com"
I didn't actually need to edit any of the JavaScript in the HTML pages. Now, I have Pound successfully proxying the calendar server over SSL. Oh yes, I'm running v5.1.1.
If any Sun folks are reading, this would be great stuff to add to the documentation. Sorry, but I can't resist the temptation to reference Whitfield Diffie's (Sun's Chief Security Officer) quote at http://wwws.sun.com/software/security/
Thanks for everyone's input.
_Khalid
I tried the suggestion of using pound. But after the calendar login page is presented, the URL turns to the back-end server (calendar) and presents me the calendar login page another time; and this time I am in HTTP, not HTTPS.
My pound.cfg
ListenHTTPS xxx.xxx.xxx.xxx,9810 /var/host/etc/cert.pem
UrlGroup ".*"
BackEnd 127.0.0.1,8810,1
EndGroup
What's wrong?
Thank you,
Roger
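
The symptom reported in this thread (a login or session-timeout redirect that drops from the HTTPS proxy to the plain-HTTP back end) can be checked mechanically on captured responses. The following is an added example, not part of any post above and not Sun's or pound's code; the host name, the response objects and the function name findDowngrades are constructed for illustration, and only the ports 9810 and 8810 come from the pound.cfg above.

```javascript
// Added example: flag responses that send a browser from the HTTPS proxy
// back to plain HTTP. Host name and sample responses are constructed.
const PUBLIC_ORIGIN = 'https://calendar.example.com:9810'; // assumed front-end URL

// Return a list of findings for one response seen through the proxy.
// Assumes header names have already been lower-cased by the capture tool.
function findDowngrades(response, publicOrigin = PUBLIC_ORIGIN) {
  const findings = [];
  const expected = new URL(publicOrigin);

  // 1. Redirects: Location must resolve to the HTTPS front end.
  const location = response.headers['location'];
  if (location) {
    const target = new URL(location, publicOrigin); // resolves relative URLs
    if (target.protocol !== 'https:') {
      findings.push(`redirect leaves HTTPS: ${target.href}`);
    } else if (target.host !== expected.host) {
      findings.push(`redirect leaves the proxy: ${target.href}`);
    }
  }

  // 2. Page content: absolute http:// URLs (links, form actions, or script
  //    redirects such as location.replace) bypass the proxy as well.
  const absoluteHttp = /\bhttp:\/\/[^\s"'<>)]+/gi;
  for (const url of (response.body || '').match(absoluteHttp) || []) {
    findings.push(`body references plain HTTP: ${url}`);
  }
  return findings;
}

// Constructed samples: a session-timeout redirect that points at the
// back-end port, and a login page that uses only relative URLs.
const timedOut = {
  status: 302,
  headers: { location: 'http://calendar.example.com:8810/' },
  body: '',
};
const loginPage = {
  status: 200,
  headers: {},
  body: '<form action="/" method="post"></form>',
};

console.log(findDowngrades(timedOut));
console.log(findDowngrades(loginPage));
```

The body check is deliberately broad, so DOCTYPE or namespace URLs that start with http:// will also be listed and can be ignored when reviewing the findings.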