IMSMO2 - Setting up HTTPS over TLS

Haven't written for a long time, been very busy, so I'll split this into several parts.

Domino used to have a CA that could issue certificates, but it did not support TLS, and TLS is now a must. For a while IBM supplied IBM HTTP Server (that is, Apache) to get TLS support; now IBM has finally shipped a new keyring tool that can import certificates created with OpenSSL.


1. Download and install the following software

Unzip kyrtool into c:\kyrtool

Assume Lotus Notes / Domino Administrator is installed in c:\Program Files (x86)\IBM\Notes

Assume OpenSSL is installed in c:\openssl-win32\bin

Assume the certificates will be kept under c:\cert; create that folder yourself


Open cmd

set OPENSSL_CONF=C:\OpenSSL-Win32\bin\openssl.cfg

cd c:\openssl-win32\bin


openssl genrsa -out c:\cert\server.key 4096

openssl req -new -sha256 -key c:\cert\server.key -out c:\cert\server.csr


Create a self-signed cert

openssl x509 -req -days 3650 -sha256 -in c:\cert\server.csr -signkey c:\cert\server.key -out c:\cert\server.pem


Enter the following information at the prompts (most important: the Common Name must be exactly the server name users will type in)

Country Name (2 letter code) [AU]:HK
State or Province Name (full name) [Some-State]:Hong Kong
Locality Name (eg, city) []:Hong Kong
Organization Name (eg, company) [Internet Widgits Pty Ltd]:ABC
Organizational Unit Name (eg, section) []:IT
Common Name (e.g. server FQDN or YOUR name) []:server.abc.com
Email Address []:


Create the keyring file

cd "c:\Program Files (x86)\IBM\Notes"

c:\kyrtool\w32\kyrtool =notes.ini create -k c:\cert\keyring.kyr -p password


Copy the contents of the two files (c:\cert\server.pem and c:\cert\server.csr) into c:\cert\server.txt

Here is an example

-----BEGIN RSA PRIVATE KEY-----
MIIJKAIBAAKCAgEAr9uZYZ1BrraxW1AdM1ecexiD2uaPxNKjS2p2p9pygUc/vU2d
rrqjj3tAybdkNEFcwQLY/eIZcEowHmhH0b9Ut5EOsMMxkB4vUHg6gWmse64wr2qx
[Many lines removed]
7Rw9zpLxTJmbd3iWW3+ZVHhpudYZrDE8NbaaiGMbfyfQBnSH1XbDHSveTxLOY3fo
+d9lePMThdnmme6b1v8X4sCuDKrFjoV5Veo4Qq8I+099hu3tTRq2zGpNPsg=
-----END RSA PRIVATE KEY-----
-----BEGIN CERTIFICATE-----
MIIEyjCCArICCQDa3d9OQUIsWzANBgkqhkiG9w0BAQsFADAnMSUwIwYDVQQDDBx1
bHRyYXZpb2xldC5zd2cudXNtYS5pYm0uY29tMB4XDTE0MTAwODE4MzQ0NloXDTI0
[Many lines removed]
qddsfWubEwoMYKevnV8u9EFp7f0RONGqp93iU9O5jYPdrcB+RryT7bwErDTQKjua
ZAcuoKnUrnXiGIiq/dkXg2Umaf9Quewz0ow7BrCW
-----END CERTIFICATE-----


Check the certificate contents

cd "c:\Program Files (x86)\IBM\Notes"
kyrtool =notes.ini verify c:\cert\cert.txt
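As an added example (not from the original post, and not the kyrtool from the reference), a POSIX shell script that builds the same key + certificate text file with openssl and checks it before import: the private key matches the certificate, the Common Name equals the server name, and the signature is SHA-256. It assumes openssl is on PATH and uses a temporary directory instead of c:\cert.

```bash
#!/usr/bin/env bash
# Added example, not from the original post. Builds the combined key+cert text
# file the post feeds to "kyrtool import" and sanity-checks it before import.
# Assumes: openssl on PATH; a writable directory passed in instead of c:\cert.
set -u

# Generate an RSA key and a self-signed SHA-256 cert for CN=$1 into dir $2,
# then concatenate key + cert into $2/server.txt (the layout the post shows).
make_demo_bundle() {
  local cn="$1" dir="$2"
  openssl genrsa -out "$dir/server.key" 2048 2>/dev/null
  openssl req -new -sha256 -key "$dir/server.key" \
    -subj "/C=HK/ST=Hong Kong/L=Hong Kong/O=ABC/OU=IT/CN=$cn" \
    -out "$dir/server.csr" 2>/dev/null
  openssl x509 -req -days 3650 -sha256 -in "$dir/server.csr" \
    -signkey "$dir/server.key" -out "$dir/server.pem" 2>/dev/null
  cat "$dir/server.key" "$dir/server.pem" > "$dir/server.txt"
}

# check_bundle FILE EXPECTED_CN: returns 0 only if FILE holds a private key plus
# a certificate whose public key matches that key, whose CN equals EXPECTED_CN,
# and which is signed with SHA-256. Non-zero return codes name the failure.
check_bundle() {
  local file="$1" want_cn="$2" key cert pub_from_key pub_from_cert subject cn
  key=$(awk '/-----BEGIN .*PRIVATE KEY-----/,/-----END .*PRIVATE KEY-----/' "$file")
  cert=$(awk '/-----BEGIN CERTIFICATE-----/,/-----END CERTIFICATE-----/' "$file")
  [ -n "$key" ] && [ -n "$cert" ] || { echo "missing key or cert block"; return 1; }
  # The cert must carry the public half of the bundled private key.
  # "|| true" keeps a parse failure from aborting under set -e; -n catches it.
  pub_from_key=$(printf '%s\n' "$key" | openssl pkey -pubout 2>/dev/null) || true
  pub_from_cert=$(printf '%s\n' "$cert" | openssl x509 -noout -pubkey 2>/dev/null) || true
  [ -n "$pub_from_key" ] && [ "$pub_from_key" = "$pub_from_cert" ] \
    || { echo "private key does not match certificate"; return 2; }
  # CN must equal the host name clients will type (the post's main warning).
  subject=$(printf '%s\n' "$cert" | openssl x509 -noout -subject -nameopt RFC2253)
  cn=$(printf '%s\n' "$subject" | sed -n 's/.*CN=\([^,]*\).*/\1/p')
  [ "$cn" = "$want_cn" ] || { echo "CN '$cn' != expected '$want_cn'"; return 3; }
  # Signed with -sha256, so the signature algorithm must be SHA-256.
  printf '%s\n' "$cert" | openssl x509 -noout -text | grep -q 'sha256WithRSAEncryption' \
    || { echo "certificate is not SHA-256 signed"; return 4; }
  echo "bundle OK for CN=$cn"
}
```

Run `check_bundle` on the concatenated text file right before `kyrtool import`; a mismatched key or a wrong CN is much cheaper to catch here than after the HTTP task has been restarted.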


Import the certificate into the keyring

cd "c:\Program Files (x86)\IBM\Notes"

kyrtool =notes.ini import all -k c:\cert\keyring.kyr -i c:\cert\cert.txt


Copy the files (keyring.kyr and keyring.sth) into the data folder of Lotus Domino (the Server!!!!!) and rename them keyfile.kyr and keyfile.sth (the default names in the Lotus Domino configuration)

C:\Program Files\IBM\Domino\data


Open Lotus Domino Administrator, open the Server document, and enable the SSL port (Ports -> Internet Ports -> Web -> SSL port status)


Restart the HTTP task

Done!!

Reference: https://www-10.lotus.com/ldd/dominowiki.nsf/dx/Self-signed_SHA-2_with_OpenSSL_and_kyrtool
