Configuring SSL for the email engine
Here are a few tips to set up your secure email:
- SSL is an open standard that Netscape Communications developed to establish and protect web communications and prevent the interception of critical information such as credit card numbers.
- By default, the Email Engine does not use SSL. You must configure the Email Engine to use SSL.
For more information, see Configuring incoming mailboxes and Configuring outgoing mailboxes. Email Engine does not support Transport Layer Security (TLS). However, Email Engine uses JavaMail, which supports the use of TLS parameters. Therefore, you can use TLS with Email Engine.
For more information, see Does the Remedy ARS Email engine support TLS (Transport Layer Security) on the BMC Community site.
The following image shows a digitally signed email message that uses SSL:
To configure SSL for Email Engine
- Set up a local CA or search for a CA to use with your mail server.
  You must decide whether to use a commercial CA (for example, VeriSign) or a CA created in-house. Most Windows system administrators can set up a CA on a Windows server.
  The primary difference between a commercial and an in-house CA is that a "cert" (certificate) issued by a commercial CA (such as VeriSign) is trusted far and wide, while a cert issued by an in-house CA is not trusted by anyone outside the organization.
- In Microsoft Exchange System Manager (used by a Microsoft Exchange system administrator only), open the properties for the Internet Message Access Protocol (IMAP) virtual server:
  - Use the Certificate Wizard to generate a cert request.
    For the detailed procedure, see To generate a Certificate Signing Request (CSR) for a Microsoft Exchange server.
  - Submit the cert request to the CA.
    The procedures required to submit and receive a cert from a CA vary depending on the CA. For more information, see To create a CA certificate from a CSR.
  - Use the Certificate Wizard to install the cert received from the CA.
    For more information, see To add an SSL certificate to a Microsoft Exchange server.
- Make sure that email users obtain their own certificate:
  - The CA generates a personal certificate that users will use for signing and encrypting their email messages. With a local CA, you can retrieve and install the cert by using a browser.
    The following image gives you information about selecting a cert to use with your IMAP account:
  - In the email client, open the Properties dialog for your IMAP account and select the new cert to use for signing and encrypting email messages.
    If you have configured the certs correctly, you can exchange certificates so that the communications are secure.
  - Send email messages that are signed but not encrypted between the two users.
    The following image shows a signed email message:
    Outlook Express provides the facility to sign and encrypt messages. The email client automatically notices the signed message and stores the certificate so that it can be used to encrypt further messages exchanged between the users.
To generate a Certificate Signing Request (CSR) for a Microsoft Exchange server
- In Microsoft Exchange System Manager, expand Servers > serverName > Protocols > IMAP4, and select Default IMAP4 Virtual Console.
  The same procedure applies to POP3 and SMTP.
- In the Default IMAP4 Virtual Server Properties dialog box, click the Access tab, and then click Certificate.
- On the Web Server Certificate Wizard:
  - On the first page, click Next.
  - On the Server Certificate page:
    If you have not yet created an SSL certificate for your web server, select Create a new certificate, and click Next.
    If you already have an SSL certificate for your web server, select Assign an existing certificate, and click Next. A list of the existing SSL certificates installed on your web server is displayed. Select the appropriate certificate and generate a CA from the CSR.
  - On the Name and Security Settings page:
    - Enter a unique name for the certificate.
    - Select 1024 as the bit length. (1024 is the value this procedure was written for; public CAs now require a minimum RSA key length of 2048 bits, so confirm your CA's current minimum before generating the request.)
    - Click Next.
    If you plan to install the trial certificate from VeriSign, do not select the Server Gated Cryptography (SGC) certificate check box. For more information about SGC, see your CA documentation on SSL algorithms.
  - On the Organization Information page, select an Organization > Organizational Unit, and click Next.
  - On the Your Site's Common Name page, enter the common name for your site.
    You can access the Microsoft Exchange server with this common name. This name is also used to configure SSL on Outlook Express.
    Do not enter an IP address as the common name; otherwise, the CA will not create the SSL certificate.
  - On the Geographical Information page, select the appropriate Country/Region, State/province, and City/locality, and click Next.
  - On the Certificate Request File Name page, enter the absolute path and file name for the CSR (for example, certreq.txt), and click Next.
    Make sure that you provide a location that is easy to remember and access.
  - On the Request File Summary page, verify the information you provided, and click Next if the information is accurate. Otherwise, click Back to go to the appropriate pages and change the values.
  - Click Finish to complete the process and close the wizard.
To create a CA certificate from a CSR
- Open a browser and go to https://www.verisign.com/prod/srv/trial/step1.html.
- Enter the information required to create the trial SSL certificate.
- When prompted for the CSR, copy the contents of the certreq.txt file into the appropriate text area.
- After completing the steps, a certificate is generated and sent to the email address that you entered in your information form.
- Open a new file in a text editor and copy the following content from the email you received from the commercial CA (for example, VeriSign):
  -----BEGIN CERTIFICATE-----
  <Encoded data>
  ...
  -----END CERTIFICATE-----
  Make sure that you do not select blank lines or spaces before BEGIN CERTIFICATE and after END CERTIFICATE.
- Save the file with the .cer extension; for example, web.cer.
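The step above depends on the saved file containing exactly one clean PEM block. The following Python script is an added example, not part of the BMC documentation or the Email Engine: it extracts the certificate block from whatever was pasted from the CA's email, discards surrounding text and whitespace, verifies that the body is valid base64 whose decoded form begins with the ASN.1 SEQUENCE tag (0x30) that every DER certificate starts with, and rewrites the block in canonical form. The input `SAMPLE_PASTE` is constructed; its base64 body is a tiny DER SEQUENCE, not a real certificate.

```python
# Added example (not from the original documentation): clean and validate the
# certificate text pasted from the CA's email before saving it as web.cer.
# It enforces the caveat in the step above: nothing but the PEM block may
# survive, with no stray blank lines or spaces around the BEGIN/END markers,
# and the body must decode as base64 to DER (which always starts with the
# ASN.1 SEQUENCE tag 0x30). The sample input below is constructed; its base64
# body is a five-byte DER SEQUENCE, not a real certificate.
import base64
import binascii
import re

BEGIN = "-----BEGIN CERTIFICATE-----"
END = "-----END CERTIFICATE-----"

# Constructed "email paste": leading blank lines, indentation and trailing
# spaces on the marker line, and mail-client text around the block.
SAMPLE_PASTE = """

Your certificate is below.
   -----BEGIN CERTIFICATE-----   
MAMC
AQE=
-----END CERTIFICATE-----
Thanks,
CA Support
"""


class PemError(ValueError):
    """Raised when the pasted text does not contain one well-formed block."""


def extract_pem_block(text: str) -> str:
    """Return a clean PEM block: markers on their own lines, base64 body
    re-wrapped at 64 columns, no surrounding whitespace or extra text."""
    blocks = re.findall(
        r"-----BEGIN CERTIFICATE-----(.*?)-----END CERTIFICATE-----", text, re.S
    )
    if len(blocks) != 1:
        raise PemError("expected exactly one certificate block, found %d" % len(blocks))
    # Drop all whitespace inside the body; the CA's line breaks are not significant.
    body = re.sub(r"\s+", "", blocks[0])
    if not body:
        raise PemError("certificate block is empty")
    try:
        der = base64.b64decode(body, validate=True)
    except binascii.Error as exc:
        raise PemError("certificate body is not valid base64: %s" % exc)
    if not der or der[0] != 0x30:
        raise PemError("decoded data does not start with an ASN.1 SEQUENCE tag")
    wrapped = "\n".join(body[i:i + 64] for i in range(0, len(body), 64))
    return "%s\n%s\n%s\n" % (BEGIN, wrapped, END)


def save_cer_file(text: str, path: str) -> int:
    """Write the cleaned block to 'path' (for example web.cer) with LF line
    endings; returns the length of the decoded DER data."""
    block = extract_pem_block(text)
    with open(path, "w", newline="\n") as handle:
        handle.write(block)
    body_lines = block.split("\n")[1:-2]  # lines between the two markers
    return len(base64.b64decode("".join(body_lines)))


if __name__ == "__main__":
    print(extract_pem_block(SAMPLE_PASTE), end="")
```

Run the script on the text saved from the CA email; a `PemError` means the paste needs to be redone rather than saved as is. The SEQUENCE-tag check catches the common mistake of pasting the CA's email text instead of the encoded block, since plain text never base64-decodes to something starting with 0x30.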
To add an SSL certificate to a Microsoft Exchange server
- In Microsoft Exchange System Manager, expand Servers > serverName > Protocols > IMAP4, and select Default IMAP4 Virtual Console.
- In the Default IMAP4 Virtual Server Properties dialog box, click the Access tab, and then click Certificate.
- On the Web Server Certificate Wizard:
  - On the first page, click Next.
  - On the Pending Certificate Request page, select Process the pending request and install the certificate, and click Next.
  - On the Process a Pending Request page, enter the absolute path and file name that you provided when creating the CSR, and click Next.
To enable SSL communication on a Microsoft Exchange server
- In Microsoft Exchange System Manager, expand Servers > serverName > Protocols > IMAP4, and select Default IMAP4 Virtual Console.
- In the Default IMAP4 Virtual Server Properties dialog box, click the Access tab, and then click Communication.
- In the Security dialog box, select Require secure channel, and then click OK.
If you plan to install the trial certificate from VeriSign, do not select Require 128-bit encryption.
To set up Microsoft Outlook Express and Email Engine
To use IMAPS (IMAP over SSL) for Outlook Express, open a browser and go to http://www.verisign.com/products-services/security-services/ssl/buy-ssl-certificates/free-trial/test-root-ca/trialcainstall.html.
Follow the prompts on the screen and install the test root CA on the computer where you want to configure Outlook Express.
When prompted to enter the IMAP server address, you must provide the "common name" that you entered while creating the CSR. If you provide any other value or an IP address, the following message is displayed: CN does not match with passed value.
To configure Email Engine to use SSL, run the following command to import the test root CA certificate into the keystore:
<javaHome>\bin\keytool -import -alias "testroot" -keystore <javaHome>\lib\security\cacerts -file <certFilePath>/testroot.cer
The javaHome is the directory where the JRE (not the JDK) is installed.
Find the appropriate keystore path before entering the command. Email Engine uses the location where the Oracle Java Runtime Environment (Oracle JRE) is installed as the keystore path.
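The "CN does not match with passed value" message above comes from server-identity checking: after the TLS handshake, the client compares the host name it was asked to connect to against the names in the server certificate, and a literal IP address is never compared against the common name. The following Python script is an added example, not code from BMC or from JavaMail, that reproduces that matching rule so the behaviour can be seen offline. `SAMPLE_PEER_CERT` is a constructed dictionary in the shape that Python's `ssl.SSLSocket.getpeercert()` returns, with `mail.example.com` standing in for the common name entered in the CSR wizard; no real server or certificate is involved. (In JavaMail this check is governed by the `mail.imap.ssl.checkserveridentity` property; the trust side of the same handshake is what the keytool import above provides, and `keytool -list -alias testroot -keystore <javaHome>\lib\security\cacerts` confirms that the import took effect.)

```python
# Added example (not from the original documentation): a stand-alone
# reproduction of the host-name check behind "CN does not match with passed
# value". The certificate below is a constructed dictionary in the shape that
# ssl.SSLSocket.getpeercert() returns; it is not a real certificate.
import ipaddress

# "mail.example.com" plays the role of the common name entered in the CSR.
SAMPLE_PEER_CERT = {
    "subject": ((("countryName", "US"),),
                (("organizationName", "Example Corp"),),
                (("commonName", "mail.example.com"),)),
    "subjectAltName": (("DNS", "mail.example.com"),
                       ("DNS", "*.mail.example.com")),
}


def _dns_name_matches(pattern: str, hostname: str) -> bool:
    """Case-insensitive DNS match; a single leading '*.' wildcard covers
    exactly one label (the rule browsers and mail clients apply)."""
    pattern = pattern.lower().rstrip(".")
    hostname = hostname.lower().rstrip(".")
    if not pattern.startswith("*."):
        return pattern == hostname
    suffix = pattern[2:]
    head, sep, tail = hostname.partition(".")
    return sep == "." and tail == suffix and head != "" and "*" not in head


def cert_names(peercert: dict) -> list:
    """DNS names the certificate is valid for: subjectAltName DNS entries
    first, then the subject commonName as the legacy fallback."""
    names = [value for kind, value in peercert.get("subjectAltName", ())
             if kind == "DNS"]
    for rdn in peercert.get("subject", ()):
        for key, value in rdn:
            if key == "commonName":
                names.append(value)
    return names


def hostname_matches(peercert: dict, requested: str) -> bool:
    """True if 'requested' (the value typed as the IMAP server address) is
    covered by the certificate. A literal IP address is compared only with
    subjectAltName 'IP Address' entries, never with the CN, which is why
    entering an IP address for a CN-only certificate fails."""
    try:
        ip = ipaddress.ip_address(requested)
    except ValueError:
        ip = None
    if ip is not None:
        return any(kind == "IP Address" and ipaddress.ip_address(value) == ip
                   for kind, value in peercert.get("subjectAltName", ()))
    return any(_dns_name_matches(name, requested) for name in cert_names(peercert))


def check_server_name(peercert: dict, requested: str) -> str:
    """Return the client's verdict as a message string."""
    if hostname_matches(peercert, requested):
        return "OK: %s matches the server certificate" % requested
    return "CN does not match with passed value: %s" % requested


if __name__ == "__main__":
    for candidate in ("mail.example.com", "MAIL.EXAMPLE.COM",
                      "imap.mail.example.com", "192.0.2.10", "exchange01"):
        print(check_server_name(SAMPLE_PEER_CERT, candidate))
```

Running the script shows the common name and its wildcard sub-names accepted, while the IP address and the bare NetBIOS-style host name are rejected with the same message the documentation quotes; the fix is always to enter the certificate's common name as the server address, not to weaken the check.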