IMSMO2 - Setting up HTTPS over TLS
I haven't written anything for a long time; too busy. I'll split this one into several parts.
Domino used to have its own CA that could issue certificates, but it did not support TLS, and TLS is now a must. For a while IBM bundled IBM HTTP Server (i.e. Apache) to get TLS support. Now IBM has finally shipped a new keyring tool, so a certificate created with OpenSSL can be loaded into the Domino keyring.
1. Download and install the following software
- Microsoft Visual C++ 2010 SP1 : https://www.microsoft.com/zh-TW/download/details.aspx?id=13523
- OpenSSL 32bit : https://slproweb.com/products/Win32OpenSSL.html
- KyrTool : https://www-945.ibm.com/support/fixcentral/swg/selectFixes?parent=ibm%7ELotus&product=ibm/Lotus/Lotus+Domino&release=9.0.1.2&platform=All&function=fixId&fixids=KYRTool_9x_ClientServer&includeSupersedes=0&source=fc
Extract KyrTool into c:\kyrtool
Assume Lotus Notes / Domino Administrator is installed in c:\Program Files (x86)\IBM\Notes
Assume OpenSSL is installed in c:\openssl-win32\bin
Assume the certificates will be kept in c:\cert; create that folder yourself
Open cmd
set OPENSSL_CONF=C:\OpenSSL-Win32\bin\openssl.cfg
cd c:\openssl-win32\bin
Create the CSR
openssl req -new -sha256 -key c:\cert\server.key -out c:\cert\server.csr
Create the self-signed cert
openssl x509 -req -days 3650 -sha256 -in c:\cert\server.csr -signkey c:\cert\server.key -out c:\cert\server.pem
The CSR command prompts for the following details (most important: the Common Name must be identical to the server name users type into the browser)
Country Name (2 letter code) [AU]:HK
State or Province Name (full name) [Some-State]:Hong Kong
Locality Name (eg, city) []:Hong Kong
Organization Name (eg, company) [Internet Widgits Pty Ltd]:ABC
Organizational Unit Name (eg, section) []:IT
Common Name (e.g. server FQDN or YOUR name) []:server.abc.com
Email Address []:[e-mail address removed]
Create the keyring file
cd "c:\Program Files (x86)\IBM\Notes"
c:\kyrtool\w32\kyrtool =notes.ini create -k c:\cert\keyring.kyr -p password
Copy the contents of the two files, the private key and the self-signed certificate (c:\cert\server.key and c:\cert\server.pem), into c:\cert\server.txt, key first
Here is an example
-----BEGIN RSA PRIVATE KEY-----
MIIJKAIBAAKCAgEAr9uZYZ1BrraxW1AdM1ecexiD2uaPxNKjS2p2p9pygUc/vU2d
rrqjj3tAybdkNEFcwQLY/eIZcEowHmhH0b9Ut5EOsMMxkB4vUHg6gWmse64wr2qx
[Many lines removed]
7Rw9zpLxTJmbd3iWW3+ZVHhpudYZrDE8NbaaiGMbfyfQBnSH1XbDHSveTxLOY3fo
+d9lePMThdnmme6b1v8X4sCuDKrFjoV5Veo4Qq8I+099hu3tTRq2zGpNPsg=
-----END RSA PRIVATE KEY-----
-----BEGIN CERTIFICATE-----
MIIEyjCCArICCQDa3d9OQUIsWzANBgkqhkiG9w0BAQsFADAnMSUwIwYDVQQDDBx1
bHRyYXZpb2xldC5zd2cudXNtYS5pYm0uY29tMB4XDTE0MTAwODE4MzQ0NloXDTI0
[Many lines removed]
qddsfWubEwoMYKevnV8u9EFp7f0RONGqp93iU9O5jYPdrcB+RryT7bwErDTQKjua
ZAcuoKnUrnXiGIiq/dkXg2Umaf9Quewz0ow7BrCW
-----END CERTIFICATE-----
Check the certificate contents (this also confirms the private key matches the certificate)
cd "c:\Program Files (x86)\IBM\Notes"
kyrtool =notes.ini verify c:\cert\server.txt
Import the certificate into the keyring
cd "c:\Program Files (x86)\IBM\Notes"
kyrtool =notes.ini import all -k c:\cert\keyring.kyr -i c:\cert\server.txt
Copy the two files (keyring.kyr and keyring.sth) into the data folder of the Lotus Domino server (the SERVER !!!!!) and rename them keyfile.kyr and keyfile.sth (the default names in the Domino server configuration)
C:\Program Files\IBM\Domino\data
Open Lotus Domino Administrator, open the server document and enable the SSL port (Ports -> Internet Ports -> Web -> SSL port status)
Restart the HTTP task
Done !!
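The whole procedure above as one cmd batch file. This is an added example, not a script from the original post or from IBM: it assumes the same locations the post assumes (c:\openssl-win32\bin, c:\kyrtool\w32, c:\Program Files (x86)\IBM\Notes, c:\cert), uses placeholder values for the host name, organisation fields and keyring password, generates the private key with openssl genrsa (a step the post takes for granted), answers the CSR prompts with -subj instead of interactively, and goes one step beyond the post by adding a subjectAltName extension, because current browsers match the host name against the SAN rather than the Common Name. That kyrtool sets a non-zero exit code on failure is also an assumption.

```batch
@echo off
REM Added example, not from the original post. Assumes the install paths the post uses;
REM FQDN, the -subj fields and KYR_PASSWORD are placeholders to be changed.
setlocal

set FQDN=server.abc.com
set CERTDIR=c:\cert
set KYR_PASSWORD=CHANGE-ME
set OPENSSL_CONF=c:\openssl-win32\bin\openssl.cfg
set PATH=c:\openssl-win32\bin;c:\kyrtool\w32;%PATH%

if not exist "%CERTDIR%" mkdir "%CERTDIR%"

REM 1. Private key. The post assumes server.key already exists; 4096-bit RSA is this example's choice.
openssl genrsa -out "%CERTDIR%\server.key" 4096
if errorlevel 1 goto :fail

REM 2. CSR. -subj supplies the answers the post enters at the prompts; the CN must be the
REM    host name users type into the browser.
openssl req -new -sha256 -key "%CERTDIR%\server.key" -out "%CERTDIR%\server.csr" ^
    -subj "/C=HK/ST=Hong Kong/L=Hong Kong/O=ABC/OU=IT/CN=%FQDN%"
if errorlevel 1 goto :fail

REM 3. Self-signed certificate, 10 years, SHA-256. Beyond the post: a subjectAltName extension
REM    is added from a one-line extension file, since browsers validate the SAN, not the CN.
echo subjectAltName=DNS:%FQDN%> "%CERTDIR%\san.ext"
openssl x509 -req -days 3650 -sha256 -in "%CERTDIR%\server.csr" -signkey "%CERTDIR%\server.key" ^
    -extfile "%CERTDIR%\san.ext" -out "%CERTDIR%\server.pem"
if errorlevel 1 goto :fail

REM 4. kyrtool reads one text file holding the private key followed by the certificate;
REM    copy /b concatenates them instead of pasting by hand as the post does.
copy /b "%CERTDIR%\server.key" + "%CERTDIR%\server.pem" "%CERTDIR%\server.txt" >nul

REM 5. Create the keyring, verify that the key matches the certificate, then import.
REM    kyrtool is run from the Notes program directory so that =notes.ini resolves.
REM    The errorlevel checks assume kyrtool returns non-zero on failure.
cd /d "c:\Program Files (x86)\IBM\Notes"
kyrtool =notes.ini create -k "%CERTDIR%\keyring.kyr" -p %KYR_PASSWORD%
if errorlevel 1 goto :fail
kyrtool =notes.ini verify "%CERTDIR%\server.txt"
if errorlevel 1 goto :fail
kyrtool =notes.ini import all -k "%CERTDIR%\keyring.kyr" -i "%CERTDIR%\server.txt"
if errorlevel 1 goto :fail

REM 6. Show subject, SAN and validity so they can be checked before the keyring is copied
REM    to the Domino server's data folder as keyfile.kyr / keyfile.sth.
openssl x509 -in "%CERTDIR%\server.pem" -noout -text | findstr /C:"Subject:" /C:"DNS:" /C:"Not After"
echo Done. Copy %CERTDIR%\keyring.kyr and %CERTDIR%\keyring.sth to the Domino data folder as keyfile.kyr and keyfile.sth.
goto :eof

:fail
echo A step failed; see the message above.
exit /b 1
```

Run it from a cmd prompt after the three packages are installed. The findstr output at the end should show the Common Name, the DNS entry and the expiry date you expect; only then copy keyring.kyr and keyring.sth to the Domino server and enable the SSL port as described above.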
Reference: https://www-10.lotus.com/ldd/dominowiki.nsf/dx/Self-signed_SHA-2_with_OpenSSL_and_kyrtool