Configuring Messaging Server and Solaris Cryptographic Framework

9 Configuring Messaging Server and Solaris Cryptographic Framework

This chapter describes how to configure Sun Java System Messaging Server 6.3 for SSL and the Solaris Cryptographic Framework (SCF). This is a three-step process where you configure Messaging Server for SSL (optional), configure the Solaris Cryptographic Framework, then configure Messaging Server to use SCF.

About the Solaris Cryptographic Framework

The Solaris Cryptographic Framework (SCF) provides a common store of algorithms and PKCS#11 libraries to handle cryptographic requirements. The PKCS#11 libraries are implemented according to the cryptography standard created by RSA Security Inc., PKCS#11 Cryptographic Token Interface (Cryptoki). See Chapter 8, Introduction to the Solaris Cryptographic Framework, in Oracle Solaris Security for Developers Guide for more information. The Solaris Cryptographic Framework is available in the Solaris 10 Operating System and Solaris Express releases.A PKCS#11 module (also called a cryptographic module or a cryptographic service provider) manages cryptographic services such as encryption and decryption through the PKCS#11 interface. PKCS#11 modules can be thought of as drivers for cryptographic devices that can be implemented in either software or hardware. A PKCS#11 module always has one or more slots, which can be implemented as physical hardware slots in some form of physical reader (for example, for smart cards) or as conceptual software slots. Each slot for a PKCS#11 module can in turn contain a token, which is the hardware or software device that actually provides cryptographic services and optionally stores certificates and keys. A hardware token is a PKCS#11 token implemented in physical devices, such as hardware accelerators and smart cards. A software token is a PKCS#11 token implemented entirely in software.Messaging Server is configured to use the NSS built-in soft token for its cryptographic needs. Any PKCS#11 module that supports PKCS#11 can be used with NSS libraries, so the Solaris Cryptographic Framework can be used as the cryptographic service provider for Messaging Server.

Configuring Messaging Server for SSL

This section describes the procedures you use to create the secmod, key3, and cert8 databases, obtain a certificate, and install the certificate for the NSS built-in soft token. Completing such procedures enables SSL on your Messaging Server deployment.

If you already have a Messaging Server deployment configured for SSL, skip this section and proceed to "Configuring Individual Messaging Processes for SSL".

About the pk12util Command

The pk12util command is the primary mechanism for managing certificates. It allows you to generate a certificate request, add a certificate to the certificate database, list certificates in the certificate database, and so on. The pk12util command, like all Messaging Server commands, runs as mailsrv. Thus, even if you execute pk12util as root, it executes as the Messaging Server user. The pk12util utility is located in the MessagingServer_home/bin directory, where MessagingServer_home is the location of the Messaging Server installation, by default /opt/sun/comms/messaging64.

For detailed information about the pk12util command, type:

MessagingServer_home/bin/pk12util --help

Creating the Certificate Database and Add Certificate/Key Pairs

The following procedure generates secmod, key3, and cert8 databases, and also creates the sslpassword.conf file. By default, certificates are generated in the MessagingServer_home/config directory.You can also specify the location and prefix of the certificate databases by using the following local.ssldbprefix configuration parameter.The Messaging Server user (for example, mailsrv) should be able to read and write to local.ssldbpath.

To create the certificate database and add certificate/key pairs:

Change directories to the Messaging Server bin directory.
```
cd MessagingServer_home/bin
```
Run the following command:
```
pk12util generate-certDB
```
This utility prompts you for a password to protect the keys and certificates in the certificate database.
Choose the Certificate Database password. (The password is not echoed on the screen.)
Confirm the Certificate Database password. (The password is not echoed on the screen.)

Confirm that the required databases and the sslpassword.conf file were created.

# ls -lrt ../config/*.db ../config/sslpassword.conf
-rw-------   1 mailsrv  mail       32768 Nov 16 04:40 ../config/secmod.db
-rw-------   1 mailsrv  mail       65536 Nov 16 04:40 ../config/cert8.db
-rw-------   1 mailsrv  mail       32768 Nov 16 04:40 ../config/key3.db
-rw-r-----   1 mailsrv  mail          36 Nov 16 04:40 ../config/sslpassword.conf
# cat ../config/sslpassword.conf
Internal (Software) Token:12345678

Obtaining a Certificate

By default, the pk12util command creates a self-signed-certificate with the nickname Server-Cert. You can either remove this or use the self-signed-certificate.

The following example shows how to remove this default self-signed-certificate:

pk12util remove-cert -W MessagingServer_home/config/sslpassword Server-Cert

Request a CA-signed server certificate.

To the pk12util request-cert command, specify the cert request to be in ASCII format (the default is binary). The resulting certificate request is a PKCS#10 certificate request in Privacy Enhanced Mail (PEM) format. PEM is format specified by RFCs 1421 through 1424 (RFC 1421) and used to represent a base64-encoded certificate request in US-ASCII characters.

For example:

# echo "12345678" > MessagingServer_home/config/sslpassword

Note:

This is the same password you used to generate the certificate database.

pk12util request-cert  -W MessagingServer_home/config/sslpassword
--name "foobar.siroe.com" --org "Development" --org-unit "Comms" --city
Santaclara --state California --country us -F ascii -o /tmp/MyCertRequest

The content of the Certificate Signing Request (CSR) looks similar to this:

# cat /tmp/MyCertRequest
-----BEGIN NEW CERTIFICATE REQUEST-----
MIIBvzCCASgCAQAwfzELMAkGA1UEBhMCdXMxEzARBgNVBAgTCkNhbGlmb3JuaWEx
EzARBgNVBAcTClNhbnRhY2xhcmExDjAMBgNVBAsTBWNvbW1zMRQwEgYDVQQKEwtE
ZXZlbG9wbWVudDEgMB4GA1UEAxMXYmlvdGl0ZS5yZWQuaXBsYW5ldC5jb20wgZ8w
DQYJKoZIhvcNAQEBBQADgY0AMIGJAoGBALFCDfmu1uYFy3DtHAo/kJUFqXF6utq2
ga+Tow2PNEyuX+70SqyZ0vFwiL8di9b1mLMHLp3WBDPmXjVfNkANHk6Q38RlfyzT
7iYpvhi6+4OVthzC65FaqwnEEiodZ7z7yx8vRhj4lVxeoNJpJexGr1MHuYr8tobe
ljgEmrLP17aNAgMBAAGgADANBgkqhkiG9w0BAQQFAAOBgQANzqjEwcnnmdXjo/KH
buolHi1hNEYoDsXWIlTi78xkH+7gtfCPkymFzTy5mS58PzAqyWm81MZKXj39C+Eq
DOCJmZYRt3lG6wo0M8nMoQLHsVSHfGZxOyppupzYsmVfszhczr0EEHJP66itDPW2
/jHGRbhXfeJNhKsisscd/YYkEQ==

Transmit the CSR to your Certificate Authority, according to its procedures.

The process for obtaining your Certificate Authority certificate differs depending on the certificate authority you use. Some commercial CAs provide a web site that enables you to automatically download the certificate. Other CAs email the certificate to you upon request. After you have sent your request, you must wait for the CA to respond with your certificate.

Save the certificate you receive back from the Certificate Authority.

You should back up your certificates in a safe location. If you ever lose the certificates, you can reinstall them by using your backup file. You can save the certificates as text files. The PKCS#11 certificate in PEM format looks similar to the following:

Follow the same steps described previously to obtain additional certificates.

Adding Certificates to the NSS Software Token

To add certificates to the NSS software token:

Save the signed certificate into a temporary location, for example:
```
/tmp/caissuedFirstCert
```
For this example, a second signed certificate was also obtained using the previous procedure and saved as the following:
```
/tmp/caissuedSecondCert
```

Install the CA-signed server certificates.

pk12util add-cert -W MessagingServer_home/config/sslpassword Server-Cert /tmp/caissuedFirstCert
pk12util add-cert -W MessagingServer_home/config/sslpassword SolCrypto-Framework /tmp/caissuedSecondCert

Repeat Steps 1 and 2 for other certificates you have obtained.

Verify that the certificates have been successfully installed.

pk12util list-certs -W MessagingServer_home/config/sslpassword
...
2 certificates found

Listing the Default NSS Certificates

For newer certificate formats (cert9.db and pkcs11.txt), to list the default NSS certificates, you need to first add the libnssckbi.so default certificate library to the configuration.

To list the default built-in certificates:

Change directories to the Messaging Server's configuration directory.
```
cd /opt/sun/comms/messaging64/config
```
Run the following command to add the libnssckbi.so default certificate library to the configuration directory:
```
modutil -dbdir sql:. -add "NSS certificates" -libfile /opt/sun/comms/messaging64/lib/libnssckbi.so
```
Run the following command to list the default NSS certificates:
```
certutil -L -d sql:. -h "NSS certificates" 
```

Configuring Individual Messaging Processes for SSL

This section describes the procedures you use to configure the various Messaging Server processes for SSL.

Configuring MMP for SSL

To configure the MMP for SSL:

Set the SSL certificate nickname.

Edit the ImapProxyAService.cfg and PopProxyAService.cfg files as follows, modifying the line default:SSLCertNickNames to "Server-Cert".
```
# cd MessagingServer_home/data/config
ImapProxyAService.cfg: default:SSLCertNicknames "Server-Cert"
PopProxyAService.cfg: default:SSLCertNicknames "Server-Cert"
```

To enable SSL and IMAP, edit the ImapProxyAService.cfg file and uncomment the relevant SSL settings.

A sample ImapProxyAService.cfg file resembles the following:

# SSL configuration
#
#  Enable SSL from client to MMP with this:
default:SSLEnable         yes
default:SSLPorts         993
default:SSLCertNicknames  Server-Cert
#  Password File for SSL server keys:
default:SSLKeyPasswdFile Messaging_Server_Root/config/sslpassword.conf
#  Where SSL session cache, secmod, cert, and key files are located:
default:SSLCacheDir      Messaging_Server_Root/config
#  Customizable SSL security module database file name:
default:SSLSecmodFile     secmod.db
#  Customizable SSL cert7.db and key3.db file prefixes:
default:SSLCertPrefix     ""
default:SSLKeyPrefix      ""
#  Use SSL on this port when talking to the back-end server (0 = do not use SSL)
default:SSLBacksidePort   993
default:ServiceList  /opt/sun/comms/messaging64/lib/ImapProxyAService@1143|1993
/opt/sun/comms/messaging64/lib/PopProxyAService@1110|1995

To enable SSL and POP, edit the PopProxyAService.cfg file and uncomment the relevant SSL settings.
Edit the AService.cfg file. For SSL and POP, add |1995 after the 1110 in the ServiceList setting. For SSL and IMAP, add |1993 after 1143.

The AService.cfg file should resemble the following:
```
default:ServiceList  /opt/sun/comms/messaging64/lib/ImapProxyAService@1143|1993
/opt/sun/comms/messaging64/lib/PopProxyAService@1110|1995
```

Configuring IMAP for SSL

To configure IMAP for SSL:

Use the configutil command to set the following configuration parameters to enable SSL:

configutil -o service.imap.enablesslport -v yes
configutil -o service.imap.enable -v 1
configutil -o service.imap.sslport -v 993
configutil -o service.imap.sslusessl -v yes

Use the configutil command to set the SSL certificate nickname:

configutil -o encryption.rsa.nssslpersonalityssl -v "Server-Cert"

Configuring POP for SSL

To configure POP for SSL:

Use the configutil command to set the following configuration parameters to enable SSL:

configutil -o service.pop.enable -v 1
configutil -o service.pop.enablesslport -v yes
configutil -o service.pop.sslport -v 995
configutil -o service.pop.sslusessl -v yes

Use the configutil command to set the SSL certificate nickname:

configutil -o encryption.rsa.nssslpersonalityssl -v "Server-Cert"

Configuring HTTP for SSL

To configure HTTP for SSL:

Use the configutil command to set the following configuration parameters to enable SSL:

configutil -o service.http.enable -v 1
configutil -o service.http.enablesslport -v yes
configutil -o service.http.sslport -v 443
configutil -o service.http.sslusessl -v yes

Use the configutil command to set the SSL certificate nickname:

configutil -o encryption.rsa.nssslpersonalityssl -v "Server-Cert"

Configuring SMTP for SSL

To configure SMTP for SSL:

Use the configutil command to set the SSL certificate nickname:

configutil -o encryption.rsa.nssslpersonalityssl -v "Server-Cert"

To enable SSL encryption for outgoing messages, modify the channel definitions to include the TLS channel options such as maytls, musttls, and so on.
Uncomment the TLS_PORT entry (in the dispatcher.cnf file located in the MessagingServer_home/config directory) if you want to support SSL on an alternate port.
```
port 465TLS_PORT=465
```

Note:

You can also use a per-service configuration setting for the SSL certificate nicknames. The configuration parameters, which have the same meaning (that is, the nickname) and override the encryption.rsa.sslpersonalityssl setting, are:

local.imta.sslnicknames (for the SMTP and Submit Servers)
local.imap.sslnicknames (for the IMAP Server)
local.pop.sslnicknames (for the POP Server)
local.http.sslnicknames (for the HTTP Server)

Verifying the SSL Configuration

To verify the SSL configuration:

Use the netstat command to verify that the service is running.
```
netstat -an | grep service.service.sslport
```
where service is a keyword mmp, imap, pop, http, or smtp.
Check for errors in the Messaging Server log files.

Log files are located in the MessagingServer_home/log directories. For example, check the imap log to ensure that there are no SSL initialization errors (ASockSSL_Init errors).

Configuring the Solaris Cryptographic Framework (SCF)

Because the Solaris Cryptographic Framework software token contains private information, you use the pktool(1) command to set a password on the token. This command initializes the user's default keystore by logging in to the system as the application owner (the Messaging Server user).

Setting Up the SCF Software Token Pin

Running the pktool setpin command initializes the soft token data store in the $HOME/.sunw/pkcs11_softtoken/ directory. These files are created to be accessible only to the owner, to protect their contents. This also means that you must perform the initialization as the same user that is used to run Messaging Server (that is, mailsrv), so this user has access to the right data store.

To set up the SCF software token pin:

Become the mailsrv user.
```
su mailsrv
```
Run the id command.
```
id
uid=207023(mailsrv) gid=6(mail)
```
Run the pktool command.
```
pktool setpin
```
Create the new passphrase. (The passphrase is not echoed on the screen.)

You use this passphrase to import the certificate/key pair into the SCF token.
Reenter the passphrase. (The passphrase is not echoed on the screen.)

You are notified that the passphrase is changed.
Change to the /export/mailsrv directory.
```
cd /export/mailsrv
```

Check permissions.

ls -alrR
..:
total 6
drwx------   3 mailsrv  mail         512 Nov 16 17:21 .sunw
drwxr-xr-x   4 root     sys          512 Oct 31 12:31 ..
drwxrwxrwx   3 root     root         512 Nov 16 17:21 .

../.sunw:
total 6
drwx------   4 mailsrv  mail         512 Nov 16 17:21 pkcs11_softtoken
drwxrwxrwx   3 root     root         512 Nov 16 17:21 ..
drwx------   3 mailsrv  mail         512 Nov 16 17:21 .

../.sunw/pkcs11_softtoken:
total 10
drwx------   2 mailsrv  mail         512 Nov 16 17:21 public
drwx------   2 mailsrv  mail         512 Nov 16 17:21 private
-rw-------   1 mailsrv  mail         103 Nov 16 17:21 objstore_info
drwx------   3 mailsrv  mail         512 Nov 16 17:21 ..
drwx------   4 mailsrv  mail         512 Nov 16 17:21 .

../.sunw/pkcs11_softtoken/public:
total 4
drwx------   4 mailsrv  mail         512 Nov 16 17:21 ..
drwx------   2 mailsrv  mail         512 Nov 16 17:21 .

../.sunw/pkcs11_softtoken/private:
total 4
drwx------   4 mailsrv  mail         512 Nov 16 17:21 ..
drwx------   2 mailsrv  mail         512 Nov 16 17:21 .

Administering the Cryptographic Framework by Using cryptoadm

The cryptoadm utility displays cryptographic provider information for a system, configures the mechanisms for each provider, and installs or uninstalls a cryptographic provider. The Solaris Cryptographic Framework supports three types of providers: a user-level provider (a PKCS#11 shared library), a kernel provider (a loadable kernel software module), and a kernel hardware provider (a cryptographic hardware device). The cryptoadm utility provides subcommands to enable and disable the metaslot's features, list metaslot's configuration, and also configure the metaslot's mechanisms policy.

To administer the Cryptographic Framework:

You can list all the service providers and their cryptographic mechanisms in the Solaris Cryptographic Framework by running the cryptoadm list -m command. Verify that ncp and pkcs11_softtoken.so are available as cryptographic providers. Because NCP is a kernel provider, pkcs11_kernel.so should appear before pkcs11_softtoken.so in the output.

Following is a partial output of this command.

# cryptoadm list -m
User-level providers:
=====================
Provider: /usr/lib/security/$ISA/pkcs11_kernel.so
Mechanisms:
CKM_DSA
CKM_RSA_X_509
CKM_RSA_PKCS
 
Provider: /usr/lib/security/$ISA/pkcs11_softtoken.so
Mechanisms:
CKM_DES_CBC
CKM_DES_CBC_PAD
CKM_DES_ECB
CKM_DES_KEY_GEN
[.... so on ...]
CKM_DSA
CKM_DSA_SHA1
CKM_DSA_KEY_PAIR_GEN
[.... so on ...]
CKM_TLS_MASTER_KEY_DERIVE_DH
CKM_SSL3_KEY_AND_MAC_DERIVE
CKM_TLS_KEY_AND_MAC_DERIVE
CKM_TLS_PRF
 
Kernel software providers:
==========================
des: CKM_DES_ECB,CKM_DES_CBC,CKM_DES3_ECB,CKM_DES3_CBC
aes: CKM_AES_ECB,CKM_AES_CBC,CKM_AES_CTR
[.... so on ...]
sha1: CKM_SHA_1,CKM_SHA_1_HMAC,CKM_SHA_1_HMAC_GENERAL
md5: CKM_MD5,CKM_MD5_HMAC,CKM_MD5_HMAC_GENERAL
rsa:CKM_RSA_PKCS,CKM_RSA_X_509,CKM_MD5_RSA_PKCS,CKM_SHA1_RSA_PKCS,CKM_SHA256_RSA_PKCS,
CKM_SHA384_RSA_PKCS,CKM_SHA512_RSA_PKCS
swrand: No mechanisms presented.
 
Kernel hardware providers:
==========================
ncp/0: CKM_DSA,CKM_RSA_X_509,CKM_RSA_PKCS

Disable the use of the following user-level mechanisms, forcing them to be performed by the NCP.

# cryptoadm disable provider=/usr/lib/security/'$ISA'/pkcs11_softtoken.so \
mechanism=CKM_SSL3_PRE_MASTER_KEY_GEN,\
CKM_SSL3_MASTER_KEY_DERIVE,CKM_SSL3_KEY_AND_MAC_DERIVE,CKM_SSL3_MASTER_KEY_DERIVE_DH,\
CKM_SSL3_MD5_MAC,CKM_SSL3_SHA1_MAC

Verify that the user-level mechanisms are disabled.

# cryptoadm list -p provider=/usr/lib/security/'$ISA'/pkcs11_softtoken.so
/usr/lib/security/$ISA/pkcs11_softtoken.so: all mechanisms are enabled,
except CKM_SSL3_SHA1_MAC,CKM_SSL3_MD5_MAC,CKM_SSL3_MASTER_KEY_DERIVE_DH,CKM_SSL3_KEY_AND_MAC_DERIVE,
CKM_SSL3_MASTER_KEY_DERIVE,CKM_SSL3_PRE_MASTER_KEY_GEN. random is enabled.

Configuring the SCF Provider

NSS uses secmod.db to keep track of the PKCS#11 modules available. You can use the security Module Database Tool modutil, a CLI that comes with NSS to manage PKCS#11 module information within secmod.db files. The Security Module Database Tool enables you to add and delete PKCS#11 modules, change passwords, set defaults, list module contents, and enable or disable slots. The modutil CLI is bundled with the Messaging Server software and is located in the MessagingServer_home/bin directory. This example assumes that you are running modutil from the MessagingServer_Home/lib directory and cert8.db, secmod.db, and key3.db are located under the config directory, that is MessagingServer_home/config.

List all the available PKCS#11 modules.

Using modutil, you can list all the available PKCS#11 modules. By default, NSS has an internal PKCS#11 module.

modutil -dbdir ../config -nocertdb -list
Using database directory ../config...
Listing of PKCS #11 Modules
-----------------------------------------------------------
  1. NSS Internal PKCS #11 Module
     slots: 2 slots attached
     status: loaded
 
     slot: NSS Internal Cryptographic Services
     token: NSS Generic Crypto Services
 
     slot: NSS User Private Key and Certificate Services
     token: NSS Certificate DB

List the contents of the default NSS soft token.

The file sslpassword contains the password to the Certificate Database.

pk12util list-certs -W MessagingServer_home/config/sslpassword
Alias Valid from Expires on Self-signed?Issued by Issued to
Server-Cert           2006/11/15 23:02     2007/11/15 23:02   n
CN=CA,OU=test,O=authority,ST=California,C=US
CN=foobar.siroe.com,OU=comms,O=Dev,L=Santaclara,ST=California,C=us
SolCrypto-Framework  2006/11/16 00:14  2007/11/16 00:14        n
CN=CA,OU=test,O=authority,ST=California,C=US
CN=SCF,OU=comms,O=Dev,L=Santaclara,ST=California,C=us
2 certificates found

Adding the Solaris Cryptographic Framework as a Service Provider

Messaging Server is configured to use the NSS built-in soft token for its cryptographic needs, which employs PKCS#11 to access cryptography. You can modify the Messaging Server configuration to use the User-Level Cryptographic Framework of the Solaris Cryptographic Framework, out of the box, by linking to the /usr/lib/libpkcs11.so library to get direct access to the PKCS#11 functionality. That is, you register the Solaris Cryptographic Framework as a PKCS#11 module.

To administer the Cryptographic Framework as a service provider:

Register the /usr/lib/libpkcs11.so PKCS#11 library with the Messaging Server software and enable the slot named Sun Metaslot.

modutil -dbdir ../config/ -nocertdb -add "Solaris Crypto Framework" -libfile
/usr/lib/libpkcs11.so -mechanisms RSA
WARNING: Performing this operation while the browser is running could cause corruption
of your security databases. If the browser is currently running,
you should exit browser before continuing this operation. Type 'q <enter>' to abort,
or <enter> to continue:
 
Using database directory ../config...
 
Module "Solaris crypto Framework" added to database.

Continue with "Enabling the Slot Named Sun Metaslot".

Enabling the Slot Named Sun Metaslot

To enable the slot named Sun Metaslot:

Run the following modutil command.

modutil -dbdir ../config/ -nocertdb -disable "Solaris Crypto Framework"

WARNING: Performing this operation while the browser is running
could cause corruption of your security databases.
If the browser is currently running,
you should exit browser before continuing this operation.
Type 'q <enter>' to abort, or <enter> to continue:
Using database directory ../config...
 
Slot "Sun Metaslot" disabled.
Slot "ncp/0 Crypto Accel Asym 1.0" disabled.

Run the following modutil command.

modutil -dbdir ../config/ -nocertdb -enable "Solaris Crypto Framework" -slot "Sun Metaslot"
WARNING: Performing this operation while the browser is running
could cause corruption of your security databases.
If the browser is currently running,
you should exit browser before continuing this operation.
Type 'q <enter>' to abort, or <enter> to continue:
 
Using database directory ../config...
Slot "Sun Metaslot" enabled.

Run the following modutil command to verify that the Solaris Crypto Framework is successfully added.

modutil -dbdir ../config/ -nocertdb -list
Using database directory ../config...
 
Listing of PKCS #11 Modules
-----------------------------------------------------------
  1. NSS Internal PKCS #11 Module
 
     slots: 2 slots attached
     status: loaded
 
     slot: NSS Internal Cryptographic Services
     token: NSS Generic Crypto Services
 
     slot: NSS User Private Key and Certificate Services
     token: NSS Certificate DB
 
  2. Solaris crypto Framework
 
     library name: /usr/lib/libpkcs11.so
 
     slots: 2 slots attached
     status: loaded
 
     slot: Sun Metaslot
     token: Sun Metaslot
 
     slot: ncp/0 Crypto Accel Asym 1.0
     token: ncp/0 Crypto Accel Asym 1.0
-----------------------------------------------------------

Exporting the Certificate/Key Pairs From the NSS Soft Token

This task describes how to export the certificate/key pairs from the NSS soft token (as PKCS#12 formatted files) to be imported in to the SCF software token. The following shows how to export two certificates found in the internal token.

To export the certificate/key pairs from the NSS soft token:

Choose the PKCS#12 file password and copy it to a file called /tmp/pkcs12password.
```
# echo "pkcspassword" > /tmp/pkcs12password
```

Run the following commands to export the two certificates found in the Internal Token in to PKCS#12 formatted files.

pk12util export-cert -W MessagingServer_home/config/sslpassword -o /tmp/Server-Certpk12 -O /tmp/pkcs12password Server-Cert

# file /tmp/Server-Certpk12

/tmp/Server-Certpk12:   data

Continue with "Importing the Key/Certificate Pairs to the Sun Metaslot (SCF)".

Importing the Key/Certificate Pairs to the Sun Metaslot (SCF)

To import the key/certificate pairs to the SCF:

Run the following pk12util command.

$ pk12util -i /tmp/Server-Certpk12 -d ../config/ -h "Sun Metaslot"
Enter Password or Pin for "Sun Metaslot":
{ This is the same password you entered, when running pktool setpin )
Enter password for PKCS12 file:
{PKCSpassword : password used to export certificates from the Internal Software Token }
pk12util: PKCS12 IMPORT SUCCESSFUL

Run the following pk12util command.

$  pk12util -i /tmp/SCFpk12 -d ../config/ -h "Sun Metaslot"
Enter Password or Pin for "Sun Metaslot":
{ This is the same password you entered, when running pktool setpin )
Enter password for PKCS12 file:
{PKCSpassword : password used to export certificates from the Internal Software Token }
pk12util: PKCS12 IMPORT SUCCESSFUL

Continue with "Verifying the Successful Importation of the Certificate/Key Pairs".

Verifying the Successful Importation of the Certificate/Key Pairs

Use this task to verify that the certificate/key pairs were successfully imported to the token. You must be logged in as mailsrv (that is, the Messaging Server user).

To verify that the certificate/key pairs were successfully imported:

Run the following certutil command.

$ certutil -L -d ../config/ -h "Sun Metaslot"
Enter Password or Pin for "Sun Metaslot":
( This is the same password you entered, when running pktool setpin. )
Sun Metaslot:Server-Cert                                       u,u,u
Sun Metaslot:SolCrypto-Framework                               u,u,u

Run the following certutil command.

$ certutil -K -d ../config/ -h "Sun Metaslot"
Enter Password or Pin for "Sun Metaslot":
( This is the same password you entered, when running pktool setpin. )
<0> Server-Cert
<1> SolCrypto-Framework

Proceed to the next section to configure Messaging Server.

Configuring Messaging Server to Use the External Token

This section describes the procedures you use to configure the various Messaging Server processes to use the external token.

Configuring Messaging Server Processes to Use the External Token

To configure Messaging Server processes to use the external token:

Configure MMP by editing the ImapProxyAService.cfg and PopProxyAService.cfg files as follows.

# cd MessagingServer_home/data/config
ImapProxyAService.cfg: default:SSLCertNicknames  "Sun Metaslot:Server-Cert"
PopProxyAService.cfg:  default:SSLCertNicknames   "Sun Metaslot:Server-Cert"

Configure the IMAP server by setting the following configuration parameters to use the external token.

configutil -o encryption.rsa.nssslpersonalityssl -v "Sun Metaslot:Server-Cert"

configutil -o local.imap.sslnicknames -v "Sun Metaslot:Server-Cert"

Configure the POP server by setting the following configuration parameters to use the external token.

configutil -o encryption.rsa.nssslpersonalityssl -v "Sun Metaslot:Server-Cert"

configutil -o local.pop.sslnicknames -v "Sun Metaslot:Server-Cert"

Configure the HTTP server by setting the following configuration parameters to use the external token.

configutil -o encryption.rsa.nssslpersonalityssl -v "Sun Metaslot:Server-Cert"

configutil -o local.http.sslnicknames -v "Sun Metaslot:Server-Cert"

Configure the SMTP server by setting the following configuration parameters to use the external token.

Use the configutil command to set the SSL certificate nickname:
```
configutil -o encryption.rsa.nssslpersonalityssl -v "Sun Metaslot:Server-Cert"
```
OR
```
configutil -o local.imta.sslnicknames -v "Sun Metaslot:Server-Cert"
```
Note:

As shown previously, you can also use a per-service configuration setting for the SSL certificate nicknames. The configuration parameters, which have the same meaning (that is, the nickname) and override the encryption.rsa.sslpersonalityssl setting, are:
- local.imta.sslnicknames (for the SMTP and Submit Servers)
- local.imap.sslnicknames (for the IMAP Server)
- local.pop.sslnicknames (for the POP Server)
- local.http.sslnicknames (for the HTTP Server)
Save the "Sun Metaslot" password in to the sslpassword.conf file.

The "Sun Metaslot" is protected by a password. The server prompts for a password every time it starts up. Instead of entering the password every time, Messaging Server reads the password from the sslpassword.conf file located in the MessagingServer_home/config directory. Edit this file as follows.
```
# cat MessagingServer_home/data/config/sslpassword.conf
Sun Metaslot:secret( "secret" : This is the same password you entered, when running pktool setpin )
```

Starting and Debuging Messaging Server Services

This task explains how to restart the Messaging Server services, check for errors, and verify the operational SCF environment.

To start and debug Messaging Server services:

Restart the Messaging Server services.

# MessagingServer_home/bin/start-msg
Connecting to watcher ...
Launching watcher ... 27351
Starting ens server ... 27352
Starting store server .... 27353
Checking store server status .... ready
Starting imap server .... 27354
Starting pop server .... 27355
Starting http server .... 27356
Starting sched server ... 27357
Starting dispatcher server .... 27359
Starting job_controller server .... 27365

Ensure that there are no SSL_init errors in the log files, and no ASockSSL_init errors in any of the tcp_smpt, default, imap, pop, and http log files.

You see something like the following when there is a problem.

http:[31/Nov/2006:11:36:21 -0800]
biotite httpd[27356]: General Error: SSLinitialization error:
ASockSSL_Init: couldn't open slot Metaslot (-8127)
imap:[31/Nov/2006:11:36:20 -0800]
biotite imapd[27354]: General Error: SSLinitialization error:
ASockSSL_Init: couldn't open slot Metaslot (-8127)
pop:[31/Nov/2006:11:36:21 -0800]
biotite popd[27355]: General Error:SSL initialization error:
ASockSSL_Init: couldn't open slot Metaslot (-8127)
tcp_smtp_server.log-0J8000L01MGM3Z00:[31/Nov/2006:11:36:22 -0800]
biotite [27363]: General Error:SSL initialization error:
ASockSSL_Init: couldn't open slot Metaslot (-8127)
tcp_smtp_server.log-0J8000L03MGM3Z00:[31/Nov/2006:11:36:22 -0800]
biotite [27364]: General Error:SSL initialization error:
ASockSSL_Init: couldn't open slot Metaslot (-8127)

Verify that the SSL ports are listening.

# netstat -an | grep 995
  *.995                *.*              0      0 49152      0 LISTEN
# netstat -an | grep 443  
*.443                *.*                0      0 49152      0 LISTEN
# netstat -an | grep 465  
*.465                *.*                0      0 49152      0 LISTEN

Once the application is operational on the Solaris Cryptographic Framework, use the kstat command to display the number of RSA public key decryptions performed using NCP since the last system boot.

The number of RSA public key decryptions are shown as the rsapublic value in the kstat output. An incremental and a positive increase in the value of rsapublic shows that NCP is operational.
```
# kstat -n ncp0 | grep rsa
rsprivate                      Xrsapublic                      X
```
In this output:
- rsaprivate -- Total number of jobs submitted to the device for RSA private key operations.
- rsapublic -- Total number of jobs submitted to the device for RSA public key operations.
By using a browser to connect to the HTTP SSL port and log in, you see how the count increases. For example:
```
<Log in to https://host1.red.example.com>
# kstat -n ncp0 | grep rsa
rsaprivate		   35       rsapublic 	   146
# kstat -n ncp0 | grep rsa
rsaprivate	   38       rsapublic 	   149
```