Configuring Scalix on https Ubuntu Gutsy

From Scalix Wiki
Jump to: navigation, search

Important Note

Please note that these manual installation instructions should only be used on Ubuntu distributions, such as Ubuntu Gutsy Gibbon 7.10 server, the distribution the document was written for. If you install Scalix on an unsupported platform, this invalidates your ability to receive Scalix support. Thank you for your understanding and compliance.

This document might be inaccurate and under construction. Do not trust this document.

Configuring Scalix on https on Ubuntu 7.10 Server (Gutsy Gibbon)

As Ubuntu 7.10 is an unsupported platform there is currently no manual describing the configuration of Clamav (an advanced anti-virus solution) to be used with Scalix. As I managed to get Scalix it up and running and I already documented and shared this with the community (here), I thought it would be useful to share my experiences on making the Scalix web applications accessible via https configuration as well.

So below you'll find a how-to that describes the configuration of Apache and Tomcat to make the Scalix web applications available via https on a Ubuntu 7.10 server.

Scalix comes with a few web applications like SWA (Saclix Web Access, the web mail client), the SAC (Scalix Administration Console, the administration panel) and SMWC (Scalix Mobile Web Client, the web client for smartphones, pda's and other mobile devices). To make sure your connection to these application is secure, you should make them accessible via https.

I used several sources of information on the web. I listed the ones I can remember at the end of the document under Sources.

Applicable Environments

These Installation instructions have been tested with

  • Scalix CE 11.3.0
  • Ubuntu 7.10 Server (Gutsy Gibbon)

They might not apply unmodified to any other version of Scalix or Ubuntu.

Enable mod_ssl for Apache

Apache2 comes with a module called mod_ssl, this is the so-called SSL encryption module for the Apache web server. This makes it possible to secure the http traffic from and towards Apache by SSL encryption. To activate this module, use this command:

sudo a2enmod ssl

Configure certificate

To set up your secured server, you'll have to use the public key cryptography method to create a public and private key pair. In most cases, you send your certificate request (including your public key), a proof of your (company's) identity, and (of course) a payment to a Certificate Authority (CA), like Verisign. The CA verifies the certificate request and your identity, and then sends back a certificate for your secure server.

Alternatively, for example if you're using your server privately, you can create your own self-signed certificate. Note, However, self-signed certificates are not automatically accepted by a user's browser. Users are prompted by the browser to accept the certificate and create the secure connection.

Once you have a self-signed certificate or a signed certificate from the CA of your choice, you need to install it on your secure server.

Generate Certificate Signing Request (CSR)

To generate the Certificate Signing Request (CSR), you should create your own key. Use the following command from a to create the key:

sudo openssl genrsa -des3 -out server.key 1024

Now you'll be asked to enter a passphrase twice. For best security, it should at least contain eight characters, include numbers and/or special characters and not be based on a dictionary word. Remember your passphrase to be case-sensitive!

You can also run your ssl-secured web server without a passphrase. This is convenient because you then you won't need to enter the passphrase every time you (re)start your secure web server. On the other hand it is less secure and therefor it's not recommended. To create a CSR without a passphrase, omit the -des3 parameter in the command while creating the key, like this:

sudo openssl genrsa -out server.key 1024

Now you have created a key, you can create a CSR, do this by running the following command:

sudo openssl req -new -key server.key -out server.csr

If applicable it will ask you to enter the passphrase. Next, it will prompt you to enter Company Name, Site Name, Email Id, etc. Once you enter all these details, your CSR will be created and it will be stored in the server.csr file. If you want to create a CA-signed certificate, you can submit this CSR file to a CA for processing. The CA will use this CSR file and issue the certificate.

As soon as you receive the signed certificate continue with installing the certificate. If you're planning to use a self-signed certificate, continue with the next step.

Create self-signed certificate

If you're willing to create a self-signed certificate using this CSR, please use the following command to sign the certificate:

sudo openssl x509 -req -days 365 -in server.csr -signkey server.key -out server.crt

If applicable it will ask you to enter the passphrase again. Next, your certificate will be created and it will be stored in the server.crt file.

Install certificate

You should install the key file server.key and certificate file server.crt or the certificate file issued by your CA by running following commands:

sudo cp server.crt /etc/ssl/certs
sudo cp server.key /etc/ssl/private

Configure Apache SSL support

As the the default Apache configuration on Ubuntu does not support SSL, you'll have to change the (default) Apache configuration file /etc/apache2/sites-available/default. Add the following lines to this file, in the VirtualHost section, under the DocumentRoot line:

SSLEngine on

SSLOptions +FakeBasicAuth +ExportCertData +StrictRequire

SSLCertificateFile /etc/ssl/certs/server.crt
SSLCertificateKeyFile /etc/ssl/private/server.key

Restart Apache and check configuration

Afterwards restart apache using:

sudo /etc/init.d/apache2 restart

If applicable, you should enter the passphrase when you start your secured web server.

Now check if no errors pop up. This can easily be done by the command:

tail -400 /var/log/apache2/error.log

If there's something wrong, have a look at the log files and look for the exact error message and fix the problem. If everything is all right, then you're done: congratulations!

Now you should be able to reach the Scalix web applications over https:


The author

The origin for this document was written by Max Wiertz. As a Scalix newbie, I invested a lot of work in getting Scalix together with https to work for me on Ubuntu. I felt like sharing this with all of you, so you can probably take advantage of it.

If you have any questions, remarks, comments or suggestions regarding this document, do not hesitate to contact me by e-mail: mailto:max_DOT_wiertz_AT_gmail_DOT_com.