Gautam-Notes: Difference between revisions

{{WIP}}
#REDIRECT [[Client_Cert_Auth_using_X.509_certificates]]
 
__TOC__
 
==Single Sign On==
 
'''SPNEGO'''
The SPNEGO SSO feature allows AD domain users to enter their Zimbra mailbox without having to re-authenticate themselves to Zimbra by entering their Zimbra credentials.
* [http://www.zimbra.com/docs/ne/latest/administration_guide/wwhelp/wwhimpl/js/html/wwhelp.htm#href=NE_Admin_Guide_7_0.Appendix%20B%20Configuring%20SPNEGO%20Single%20Sign-On%20for%20ZCS.html SPNEGO Configuration]
* For ZCO, ensure that the Store Password HKEY is disabled
  HKEY_LOCAL_MACHINE\SOFTWARE\Zimbra\StorePassword = 0
 
'''SMIME'''
 
 
==Certificates==
 
'''2-way SSL (mutual authentication) using X.509 certificates'''
 
Two-way SSL authentication, also commonly referred to as SSL mutual authentication, is the combination of server and client authentication.  The authentication that is occurring is mutual, or two-way, because the server is authenticating itself to the client, and the client is authenticating itself to the server.
 
For a server authenticating itself to the client, the client must trust the CA who signed the server's certificate.
 
For a client authenticating itself to the server, the server must trust the CA who signed the client's certificate.
 
'''Note:''' The steps and examples below are intended mainly for QA and dev environments.
 
 
'''1. Create a Certificate Authority (CA) Certificate'''
 
A. First, we create a 1024-bit private key to use when creating our CA.
  mkdir /tmp/cert; cd /tmp/cert
  /opt/zimbra/openssl/bin/openssl genrsa -des3 -out ca.key 2048
 
The pass phrase will be requested whenever you use this certificate for anything, so make sure you remember it. This will create a file called /tmp/cert/ca.key, containing our certificate authority private key.
 
B. Next, we create a master certificate based on this key, to use when signing other certificates:
  /opt/zimbra/openssl/bin/openssl req -config /opt/zimbra/openssl/ssl/openssl.cnf -new -x509 -days 1001 -key ca.key -out ca.cer
 
This will create our CA certificate and store it as /tmp/cert/ca.cer
 
C. Create and sign (self-sign) a certificate from a certificate request. This command expects an existing request file ca.csr; the ca.crt it produces is the CA certificate used to sign client requests in step 2.
  /opt/zimbra/openssl/bin/openssl x509 -req -days 365 -in ca.csr -out ca.crt -signkey ca.key
 
 
'''2. Create a Client Certificate'''
 
A. Create a private key
  /opt/zimbra/openssl/bin/openssl genrsa -out user1.key 2048
 
B. Create a certificate request
'''Note:''' the most important information is the Email Address.  It must be the email address of the Zimbra user.
  /opt/zimbra/openssl/bin/openssl req -new -key user1.key -out user1.csr
 
C. Sign the user certificate request using the CA created in step 1 and create the user certificate. Note that <code>openssl ca</code> uses the CA directory, serial file and index.txt configured in openssl.cnf, so those must exist before this command will run.
  /opt/zimbra/openssl/bin/openssl ca -in user1.csr -cert ca.crt -keyfile ca.key -out user1.crt -policy policy_anything
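The following script is an added example, not part of this wiki page, that carries steps 1 and 2 through end to end and then shows the trust check described in the mutual-authentication explanation above: a client certificate is accepted only if it chains to a CA the server trusts, even when an untrusted CA issues a certificate carrying the same e-mail address. It assumes a plain <code>openssl</code> on PATH (the page uses /opt/zimbra/openssl/bin/openssl), signs with <code>openssl x509 -req -CA ...</code> instead of <code>openssl ca</code> so no CA database is needed, and leaves the CA key unencrypted so it runs unattended; the CA names, user names and e-mail address are constructed for the demo.

```shell
#!/bin/sh
# Added example (not from the wiki page): build a throwaway CA, issue a client
# certificate whose subject carries the Zimbra user's e-mail address, and run
# the trust check a server performs on a presented client certificate.
# Assumes a plain `openssl` on PATH. Signing uses `openssl x509 -req -CA ...`
# rather than `openssl ca`, so no index.txt/serial CA database is required.
set -e

WORK="${WORK:-$(mktemp -d)}"

# make_ca <name> : 2048-bit CA key plus a self-signed CA certificate.
# Demo only: the page's -des3 pass-phrase protection is dropped so the
# script needs no interactive input.
make_ca() {
    name="$1"
    openssl genrsa -out "$WORK/$name.key" 2048 2>/dev/null
    openssl req -new -x509 -days 365 -key "$WORK/$name.key" \
        -subj "/CN=$name demo CA" -out "$WORK/$name.crt" 2>/dev/null
}

# issue_client <ca> <user> <email> : client key, a CSR whose subject carries
# the user's e-mail address (the field Zimbra maps to the account), and a
# certificate signed by the named CA.
issue_client() {
    ca="$1"; user="$2"; email="$3"
    openssl genrsa -out "$WORK/$user.key" 2048 2>/dev/null
    openssl req -new -key "$WORK/$user.key" \
        -subj "/CN=$user/emailAddress=$email" -out "$WORK/$user.csr" 2>/dev/null
    openssl x509 -req -days 365 -in "$WORK/$user.csr" \
        -CA "$WORK/$ca.crt" -CAkey "$WORK/$ca.key" -CAcreateserial \
        -out "$WORK/$user.crt" 2>/dev/null
}

# cert_email <user> : the e-mail address embedded in the client certificate
cert_email() {
    openssl x509 -in "$WORK/$1.crt" -noout -email
}

# verify_client <ca> <user> : exit 0 if a server trusting <ca> would accept
# the user's certificate, non-zero otherwise
verify_client() {
    openssl verify -CAfile "$WORK/$1.crt" "$WORK/$2.crt" >/dev/null 2>&1
}

make_ca zimbra-ca
make_ca other-ca                                  # a CA the server does NOT trust
issue_client zimbra-ca user1 user1@example.com     # constructed demo user
issue_client other-ca mallory user1@example.com    # same e-mail, untrusted issuer

echo "user1 certificate e-mail: $(cert_email user1)"
verify_client zimbra-ca user1   && echo "user1: accepted (chains to trusted CA)"
verify_client zimbra-ca mallory || echo "mallory: rejected (issuer not trusted)"
```

The second client certificate shows why the e-mail address alone is never enough: the server must verify the chain against the CA it has been configured to trust (the ca.crt from step 1) before it maps the certificate's e-mail address to a Zimbra account.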
 
'''3. Import the Client Certificate into Web Browsers'''

Latest revision as of 12:12, 20 March 2015
