Cert move JES6.2 > JES6.3

Has anyone had any luck moving a cert issued to a 6.2 msg-instance to a 6.3 instance ?

I attempted to move the files involved, eg:

cert8.db key3.db secmod.db sslpassword.conf to the 6.3 instance but with NO luck. msgcert shows the cert installed but services fail to start with ssl.

Documentation (6.3) indicates a cert can be exported and re-imported, but as 6.2 does not include the "msgcert" utility I am not altogether sure that moving the cert with certutil is worth the trouble?

-john

By goubeauxa at 2007-11-27 9:56:09
# 1

Hi,

I don't see any reason why you shouldn't be able to just transfer the certdb files across - they are the same format and lots of people are upgrading from 6.2->6.3 and not changing their existing certificates.

Have you checked that the permissions on the files are correct?

As an example these are the permissions on my 6.3 certificate files:

bash-3.00# ls -la sslpassword.conf *.db
-rw-1 mailsrv mail 65536 Jun 13 11:15 cert8.db
-rw-1 mailsrv mail 32768 Jun 13 11:15 key3.db
-rw-1 mailsrv mail 32768 Jun 13 11:15 secmod.db
-rw-r--1 mailsrv mail 34 Jun 13 11:15 sslpassword.conf

What error do you get when you try and start with ssl in the imap/http logs?

What do you get as output when you run the command:

./msgcert list-certs

Make sure that the configutil parameter encryption.rsa.nssslpersonalityssl correlates with the certificate name from the previous command.

It's entirely possible you are hitting an SSL issue that isn't related to the database but is related to not setting some other messaging parameter correctly.

What you could do is move the 6.2 cert database across, run the ./msgcert generate-certDB command to get a new self-signed database into place, get SSL working and then put the 6.2 db files into place. That way at least you know the only difference is the database itself.

Regards,

Shane.

shane_hjortha at 2007-7-13 0:26:16
# 2

Thanks Shane,

Yes, it looks like you are correct in that my configutil parameters are not set properly:

destination 6.3 ver

encryption.rsa.nssslpersonalityssl = Server-Cert

source 6.2 ver

encryption.rsa.nssslpersonalityssl = server-cert

I am also curious why my 6.2 ver has many configutil parameters for "encryption" which I don't recall having set. This version had a properly requested cert signed by a CA, and my 6.3 version (which has a self signed cert) has only:

encryption.rsa.nssslpersonalityssl = Server-Cert

When I move the cert db files over from the 6.2 version's cert to the 6.3 server do I need to manually set all these configutil params? Were these set in 6.2 when I generated the db? If I remember right I used the console to generate the db and request the cert, then I moved it in place on the 6.2 version; this must be the source of all these settings?

bash-3.00# ./configutil | grep encryption
encryption.createtimestamp = 20070203072843Z
encryption.creatorsname = "cn=directory manager"
encryption.fortezza.createtimestamp = 20070203072843Z
encryption.fortezza.creatorsname = "cn=directory manager"
encryption.fortezza.modifiersname = "cn=directory manager"
encryption.fortezza.modifytimestamp = 20070203072843Z
encryption.fortezza.nssslactivation = off
encryption.fortezza.objectclass = top
encryption.modifiersname = "cn=directory manager"
encryption.modifytimestamp = 20070203072843Z
encryption.nsssl2 = off
encryption.nsssl3 = on
encryption.nsssl3ciphers = rsa_rc4_40_md5
encryption.nsssl3sessiontimeout = 0
encryption.nssslclientauth = 0
encryption.nssslsessiontimeout = 0
encryption.objectclass = top
encryption.rsa.createtimestamp = 20070203072843Z
encryption.rsa.creatorsname = "cn=directory manager"
encryption.rsa.modifiersname = "cn=msg-config,cn=sun one messaging suite,cn=server group,cn=kady-amd.education.ucsb.edu,ou=education.ucsb.edu,o=netscaperoot"
encryption.rsa.modifytimestamp = 20070307031810Z
encryption.rsa.nssslactivation = on
encryption.rsa.nssslpersonalityssl = server-cert
encryption.rsa.nsssltoken = internal
encryption.rsa.objectclass = top

goubeauxa at 2007-7-13 0:26:16
# 3

Hi,

> Yes, it looks like you are correct in that my
> configutil parameters are not set properly:
>
> destination 6.3 ver
> encryption.rsa.nssslpersonalityssl = Server-Cert
>
> source 6.2 ver
> encryption.rsa.nssslpersonalityssl = server-cert

This is a good start - and a pretty common issue.

> I am also curious why my 6.2 ver has many configutil
> parameters for "encryption" which I don't recall
> having set. This version had a properly requested
> cert signed by a CA and
> my 6.3 version (which has a self signed cert) has
> only:
> encryption.rsa.nssslpersonalityssl = Server-Cert

If you read through the comm-suite-5 release notes for messaging server you will see that almost all of the encryption settings are obsolete, removed or renamed. That is why you need to set much less with regards to encryption.

> When I move the cert db files over from the 6.2
> version's cert to the 6.3 server do I need to
> manually set all these configutil params?

No. I come back to my original question of whether you can get SSL working with the certificate database created by the "./msgcert generate-certDB" command. The other type of configutil parameters I was referring to was things such as:

./configutil -o service.imap.sslusessl -v yes

./configutil -o service.imap.enablesslport -v yes

Once you have enabled these settings, restart messaging server, and check the imap log file to see if there are any SSL related errors. That should help guide you as to the cause of your problem.

Regards,

Shane.

shane_hjortha at 2007-7-13 0:26:16
# 4

Thanks,

Yes, after correcting the syntax to:

encryption.rsa.nssslpersonalityssl = server-cert

The services accepted the Cert.

All of the other default configutil values were fine.

The addition of msgcert in 6.3 and the ease of adding a self signed cert is really a nice feature as well, which btw was working all along.

-john

goubeauxa at 2007-7-13 0:26:16
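
Added example, not part of the thread or of the product's own tooling: the failure discussed above came down to encryption.rsa.nssslpersonalityssl not matching the certificate nickname exactly, letter case included. The sketch below checks a configured value against a `certutil -L` style listing; the sample listing, the function names and the paths in the comments are constructed for illustration.

```shell
#!/bin/sh
# Compare the configured SSL personality with the nicknames stored in the
# certificate database. The comparison is exact and case-sensitive.

# Constructed sample of a `certutil -L -d <certdb-dir>` listing (not from the thread).
SAMPLE_LISTING='
Certificate Nickname                                         Trust Attributes
                                                             SSL,S/MIME,JAR/XPI

server-cert                                                  u,u,u
Example Root CA                                              CT,,
'

# Print one nickname per line: keep only lines that end in a trust-flag
# triple (e.g. "u,u,u" or "CT,,") and strip that column, so nicknames that
# contain spaces survive intact and header lines are ignored.
list_nicknames() {
    sed -n -E 's/^(.*[^[:space:]])[[:space:]]+[A-Za-z]*,[A-Za-z]*,[A-Za-z]*[[:space:]]*$/\1/p'
}

# check_personality CONFIGURED   (certificate listing on stdin)
# Prints "match", "case-mismatch:<nickname in db>" or "missing".
check_personality() {
    nicknames=$(list_nicknames)
    # Exact, whole-line, fixed-string comparison.
    if printf '%s\n' "$nicknames" | grep -Fxq -- "$1"; then
        echo "match"
        return 0
    fi
    # Same name apart from letter case: the situation reported in the thread.
    near=$(printf '%s\n' "$nicknames" | grep -Fxi -- "$1" | head -n 1)
    if [ -n "$near" ]; then
        echo "case-mismatch:$near"
        return 1
    fi
    echo "missing"
    return 2
}

# Demo on the constructed listing.
echo "Server-Cert -> $(printf '%s\n' "$SAMPLE_LISTING" | check_personality Server-Cert)"
echo "server-cert -> $(printf '%s\n' "$SAMPLE_LISTING" | check_personality server-cert)"

# On a real host (placeholder path; assumes configutil -o prints the value):
#   certutil -L -d <certdb-dir> | \
#       check_personality "$(./configutil -o encryption.rsa.nssslpersonalityssl)"
```

A "case-mismatch" result means the database files moved across intact and only the configured nickname needs to be changed to the value shown.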