|
|
| (19 intermediate revisions by one other user not shown) |
| Line 1: |
Line 1: |
| {{WIP}}
| | #REDIRECT [[Client_Cert_Auth_using_X.509_certificates]] |
| | |
| __TOC__
| |
| | |
| ==Single Sign On==
| |
| | |
| '''SPNEGO'''
| |
| The SPNEGO SSO feature allows AD domain users to enter their Zimbra mailbox without having to re-authenticate themselves to Zimbra by entering their Zimbra credentials.
| |
| * [http://www.zimbra.com/docs/ne/latest/administration_guide/wwhelp/wwhimpl/js/html/wwhelp.htm#href=NE_Admin_Guide_7_0.Appendix%20B%20Configuring%20SPNEGO%20Single%20Sign-On%20for%20ZCS.html SPNEGO Configuration]
| |
| * For ZCO, ensure that the Store Password HKEY is diabled
| |
| HKEY_LOCAL_MACHINE\SOFTWARE\Zimbra\StorePassword = 0
| |
| | |
| '''SMIME'''
| |
| | |
| | |
| ==Certificates==
| |
| | |
| '''2-way SSL (mutual authentication) using X.509 certificates'''
| |
| | |
| Two-way SSL authentication, also commonly referred to as SSL mutual authentication, is the combination of server and client authentication. The authentication that is occurring is mutual, or two-way, because the server is authenticating itself to the client, and the client is authenticating itself to the server.
| |
| | |
| For a server authenticating itself to the client, the client must trust the CA who signed the server's certificate.
| |
| | |
| For a client authenticating itself to the server, the server must trust the CA who signed the client's certificate.
| |
| | |
| '''Note:''' Steps and examples used below are mainly for QA and dev environment.
| |
| | |
| ---
| |
| 1. Create a Certificate Authority (CA) Certificate
| |
| ---
| |
| 1. First, we create a 1024-bit private key to use when creating our CA.
| |
| mkdir /tmp/cert; cd /tmp/cert
| |
| openssl genrsa -des3 -out ca.key 1024
| |
| | |
| The pass phrase will be requested whenever you use this certificate for anything, so make sure you remember it. This will create a file called /tmp/cert/ca.key, containing our certificate authority private key.
| |
| | |
| 2. Next, we create a master certificate based on this key, to use when signing other certificates:
| |
| openssl req -config /opt/zimbra/openssl/ssl/openssl.cnf -new -x509 -days 1001 -key ca.key -out ca.cer
| |
| | |
| This will create our CA certificate and store it as /tmp/cert/ca.cer
| |
