Bare Metal Project - Java (HISP only)
Table of Contents
Preface
This document is a starting-point, from which a production HISP can be derived. It is not meant to be a final solution for real-world scenarios. It documents the fastest and simplest way to launch a operational instance using the Java reference implementation.
It is strongly advised and encouraged to back the reference implementation with a tested and proven enterprise mail server. Please review the various deployment models and configurations with your architect and decide which best suits your needs. This should also involve input from you security officer to evaluate things such as HIPAA compliance.
The bare metal install is not HIPAA compliant.
Assumptions
- Assumed that the user is root or has sudo privileges.
- Assumed that the HISP already has MX and related DNS records set up.
For a reference on creating certificates and trust anchors using the tool provided in the Java reference implementation, please see TBD.
Obtain and Install the Assembly
Steps for obtaining and installing the pre-compiled assembly.
General
Install required tools.
sudo apt-get update sudo apt-get install unzip sudo apt-get install ant
Install Java
Install Sun Java 6 JDK. By default it is not included in the shipped repository, and needs to be added manually. After installing, need to update java-alternatives to use the newly installed Java version instead of shipped version.
Note: For Ubuntu 10.10 Maverick, the add-apt-repository command is not available. Instead, uncomment the canonical repository in the /etc/apt/sources.list and follow the remainder of the steps.
sudo add-apt-repository "deb http://archive.canonical.com/ lucid partner" sudo apt-get update sudo apt-get install sun-java6-jdk sudo update-java-alternatives -s java-6-sun export JAVA_HOME=/usr/lib/jvm/java-6-sun echo "export JAVA_HOME=$JAVA_HOME" >> ~/.bashrc
Note: It is okay to ignore the "no alternative" error messages displayed after running the update-java-alternatives command.
Java Cryptographic Extensions (manual step)
Download the Java Cryptographic Extensions.
Follow the steps below to unzip the resulting files, and place the jar files in $JAVA_HOME/jre/lib/security (or for OS X, $JAVA_HOME/lib/security).
Note: The jar files in zip may be older than the ones found in your JDK. You must replace the files in your JDK regardless of data. JDKs by default are not package with the strong encryption policy jars.
unzip jce_policy-1_4_2.zip* sudo cp jce/local_policy.jar $JAVA_HOME/jre/lib/security sudo cp jce/US_export_policy.jar $JAVA_HOME/jre/lib/security rm -rf jce*
Obtain the Assembly
Obtain the 1.2 from the Maven Central repository:
wget -U DirectFetch/1.0 http://repo2.maven.org/maven2/org/nhind/direct-project-stock/1.2/direct-project-stock-1.2.tar.gz
Note: The central maven repository is sensitive to certain IP ranges and may block access. This is especially true for many many EC2 instances. Use repository below as an alternate location if cannot access the central maven repository. Also note that the custom agent specified above gets around a block on certain wget versions.
wget https://oss.sonatype.org/content/repositories/releases/org/nhind/direct-project-stock/1.2/direct-project-stock-1.2.tar.gz
Extract James and Tomcat
Extract the Apache James mail server with security agent, and Apache Tomcat with configuration service.
tar xvfz DirectGateway-1.2.tar.gz export DIRECT_HOME=`pwd`/direct echo "export DIRECT_HOME=$DIRECT_HOME" >> ~/.bashrc
Run Tomcat
Run Apache Tomcat and start the configuration service.
cd $DIRECT_HOME/apache-tomcat-6.0.32 sh bin/startup.sh
Note: Give this step a minute or two to start the server before continuing to the next step.
Configure James (manual step)
- Log into [1] with username: admin and password: adm1nD1r3ct
- Click New Domain.
- Enter the Domain Name and Postmaster E-Mail Address for the domain this HISP will be handling.
- Choose ENABLED as the status.
- Click the Anchors tab.
- Import trust anchors.
- Choose ENABLED as the status.
- Click Cancel and click Go To Certificates.
- Import certificates.
- Choose ENABLED as the status.
- Click Cancel and click Go To Settings.
- Add setting key: PrivateStoreType with value: WS
- Add setting key: AnchorStoreType with value: WS
- Add setting key: PublicStoreType with value: DNS,WS
- Add setting key: MDNAutoResponse with value: true
Tell James the domain this HISP will be handling by replacing my.domain.com with your domain.
cd $DIRECT_HOME/james-2.3.2 sh bin/setdomain.sh my.domain.com
Run James
Start the Apache James mail server with security trust agent.
cd $DIRECT_HOME/james-2.3.2 sudo -E sh bin/run.sh > james.log 2>&1 &
Create James users (manual step)
Create users that will be using the Apache James mail server.
telnet localhost 4555 > root > root > adduser username password > quit
Recommended Next Steps
Following are optional, but recommended, next steps to secure your environment.
Secure Configuration Service Port (8081)
To secure the configuration service, it is recommended to limit access to port 8081 to localhost and/or a local subnet.
Secure Configuration Service Password
To further protect the configuration service, or if port 8081 must remain public, it is recommended to change the default password.
cp $DIRECT_HOME/apache-tomcat-6.0.29/webapps/config-ui/WEB-INF/config-servlet.xml $DIRECT_HOME/apache-tomcat-6.0.29/webapps/config-ui/WEB-INF/config-servlet.xml.orig sed -i "s/adm1nD1r3ct/your_new_password/g" $DIRECT_HOME/apache-tomcat-6.0.29/webapps/config-ui/WEB-INF/config-servlet.xml sh bin/shutdown.sh sh bin/startup.sh