Netmail Archive 5.x
Netmail Archive 6.x
For organizations wishing to access Netmail Search over SSL without getting a certificate warning, it is possible to configure Search to use a trusted certificate.
If you don't have the certificate and need to generate a new request:
1. Download openssl for Windows from https://code.google.com/p/openssl-for-windows/downloads/detail?name=openssl-0.9.8k_WIN32.zip and unpack to a convenient folder.
2. Copy the openssl.cnf file to the openssl bin directory.
3. From the openssl bin directory, open a command prompt with elevated privileges.
4. Using the Fully Qualified Domain Name (FQDN) for which you will request the certificate, run the following command:
openssl genrsa -des3 -out <NameOfYourCertificate>.key 2048
- This command will generate a .key file that will be used in the next step. Do not lose the .key file, as it is needed throughout this process.
- You will be prompted to enter a passphrase. Make sure that you do not lose or forget it.
5. At the same command prompt, run the following command:
openssl req -new -key <NameOfYourCertificate>.key -out <NameOfYourCertificate>.csr -config openssl.cnf
- This will create a .csr file that you will send to a CA, such as Entrust or GoDaddy.
- You will be prompted for the key file passphrase and for location information (country, state, city, organization name, organizational unit (e.g., IT), and common name). Note that the common name is the FQDN for which you are requesting the certificate, e.g., search.yourdomain.com.
- Create a challenge password and keep it safe; your CA may request it.
6. Send the .csr file to your CA requesting a certificate in PEM format, often called Apache.
Once in possession of a certificate in PEM format (.cer/.crt):
7. Once you receive the certificate file (.cer/.crt) from your CA, copy and paste it to the openssl bin directory; the .key file generated in Step 4 must also be in the bin folder.
8. From the openssl bin directory, open a command prompt with elevated privileges and run the following command:
openssl pkcs12 -export -in <NameOfYourCertificate>.cer -inkey <NameOfYourCertificate>.key -out keystore.p12 -name jetty -CAfile <NameOfYourBundle>.cer -caname root
- This command will generate a file called keystore.p12. You will be prompted to enter an export password.
Do not lose the export password or you will not be able to access Netmail Search!
Once in possession of a certificate in PKCS12 format (.p12/.pfx):
9. On a machine configured with Java version 6+ (a.k.a. Java 1.6 or more recent), copy and paste the keystore.p12 file to the Java bin folder; the default location is C:\Program Files (x86)\Java\jre6\bin.
10. From the java bin folder, open a command prompt with elevated privileges and run the following command:
keytool -importkeystore -deststorepass <export password> -destkeypass <keyfile passphrase> -destkeystore jexcon_keystore.jks -srckeystore keystore.p12 -srcstoretype PKCS12 -srcstorepass <export password> -alias jetty
- This command will generate a file called jexcon_keystore.jks.
- Copy and paste jexcon_keystore.jks to the Remote Provider folder, whose default location is C:\Program Files (x86)\Messaging Architects\RemoteProvider.
If the certificate was not generated using the command in Step 8, then the alias in the certificate may be different from 'jetty'. To find the right alias to use, run this command:
keytool -list -keystore <CertificateFile> -storetype PKCS12
The very first word in the entry is the alias.
11. Locate the jetty-ssl.xml file in the Remote Provider folder and create a backup.
12. After creating the backup, edit the jetty-ssl.xml file to be able to connect to the proper keystore path (the jetty-ssl.xml file is also located in the Remote Provider folder):
- Change the two lines referencing C:\Program Files (x86)\Messaging Architects\RemoteProvider\keystore to C:\Program Files (x86)\Messaging Architects\RemoteProvider\jexcon_keystore.jks.
- Change the port to the one you want to access via SSL.
- Ensure that the passwords for the keyStorePassword, keyManagerPassword, and trustStorePassword parameters are the same as those you entered when you created the keystore.
13. In the xgwxmlv.cfg file (also located in the Remote Provider folder), modify the provider.ssl parameter so that its value is set to true (provider.ssl=true).
14. Restart the Netmail AWA Remote Provider service.
Assuming you have the hostname configured in DNS, it should now be possible to access Netmail Search via https://<FQDN>:8443. To change the port that Netmail Search is listening on, follow the instructions in "How to change the ports used by Netmail Archive / Netmail Search".
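A pre-flight check to run before Step 8, added here as an example and not part of the vendor's procedure: the PowerShell script below, run from the openssl bin directory, confirms that the certificate returned by the CA matches the private key from Step 4 (and, optionally, the CSR from Step 5) and that its common name is the FQDN. The parameter names (KeyFile, CertFile, Fqdn, CsrFile) are hypothetical; the check assumes an RSA key, as generated in Step 4.

```powershell
# Added example, not part of the vendor procedure. Run from the openssl bin
# directory before Step 8. Parameter names are hypothetical; pass your own files.
param(
    [Parameter(Mandatory = $true)] [string] $KeyFile,   # .key from Step 4
    [Parameter(Mandatory = $true)] [string] $CertFile,  # PEM .cer/.crt from the CA
    [Parameter(Mandatory = $true)] [string] $Fqdn,      # e.g. search.yourdomain.com
    [string] $CsrFile                                   # optional .csr from Step 5
)

$openssl = Join-Path (Get-Location) 'openssl.exe'
if (-not (Test-Path $openssl)) { throw "openssl.exe not found in $(Get-Location)" }

function Get-Modulus {
    param([string[]] $OpensslArgs)
    # openssl prints one "Modulus=<hex>" line; a passphrase prompt goes to the console.
    $line = & $openssl @OpensslArgs -noout -modulus | Where-Object { $_ -like 'Modulus=*' }
    if ($LASTEXITCODE -ne 0 -or -not $line) {
        throw "openssl $($OpensslArgs -join ' ') failed (is the file in PEM format?)"
    }
    return [string]$line
}

# 1. The certificate must carry the public half of the key generated in Step 4.
$keyMod  = Get-Modulus -OpensslArgs 'rsa', '-in', $KeyFile
$certMod = Get-Modulus -OpensslArgs 'x509', '-in', $CertFile
if ($keyMod -ne $certMod) { throw "$CertFile does not match $KeyFile" }

# 2. Optional: the CSR that was sent to the CA came from the same key.
if ($CsrFile) {
    $csrMod = Get-Modulus -OpensslArgs 'req', '-in', $CsrFile
    if ($csrMod -ne $keyMod) { throw "$CsrFile was not generated from $KeyFile" }
}

# 3. Compare the common name with the FQDN requested in Step 5.
$info    = & $openssl x509 -in $CertFile -noout -subject -enddate
$subject = $info | Where-Object { $_ -like 'subject=*' }
$cnMatch = [regex]::Match([string]$subject, 'CN\s*=\s*([^/,]+)')
if (-not $cnMatch.Success) { throw "No common name found in: $subject" }
$cn = $cnMatch.Groups[1].Value.Trim()
if ($cn -ne $Fqdn) { Write-Warning "Certificate CN '$cn' is not '$Fqdn'" }

Write-Host "OK: key and certificate$(if ($CsrFile) { ' and CSR' }) match; CN=$cn"
$info | Where-Object { $_ -like 'notAfter=*' } | Write-Host
```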