Bare Metal Project - Java (HISP only) - CentOS x86-64

From Direct Project
This page documents the bare metal install of the Java reference implementation from a pre-compiled assembly (no source) on the CentOS 5.5 x86-64. For a source install, see Bare Metal Project - Java (source).

Preface

This document is a starting point from which a production HISP can be derived. It is not meant to be a final solution for real-world scenarios. It documents the fastest and simplest way to launch an operational instance using the Java reference implementation.

It is strongly advised and encouraged to back the reference implementation with a tested and proven enterprise mail server. Please review the various deployment models and configurations with your architect and decide which best suits your needs. This should also involve input from your security officer to evaluate things such as HIPAA compliance.

The bare metal install is not HIPAA compliant.

Assumptions

  1. Assumed that the user is root or has sudo privileges.
  2. Assumed that the HISP already has MX and related DNS records set up.
  3. The unzip command is installed and available.


For a reference on creating certificates and trust anchors using the tool provided in the Java reference implementation, please see TBD.

Obtain and Install the Assembly

Steps for obtaining and installing the pre-compiled assembly.

Install Java

Install the Sun Java 6 JDK. It is not included in the repositories shipped with CentOS, so it must be added manually.

  1. Go to the Sun/Oracle download page and hit the Download JDK button under the Java Platform Standard Edition for JDK 6 Update 22.
  2. On the next page, select Linux 64 from the drop-down selector and hit the Continue button.
  3. Download the file labeled jdk-6u22-linux-x64-rpm.bin


After changing to the directory containing the download, make the installer executable and run it:

chmod 755 jdk-6u22-linux-x64-rpm.bin
sudo ./jdk-6u22-linux-x64-rpm.bin


Change alternatives

After installing, update the Java alternatives so the system uses the newly installed JDK instead of the shipped version. Start by registering alternatives for the new java commands installed above:
sudo alternatives --install /usr/bin/java java /usr/java/jdk1.6.0_22/bin/java 100
sudo alternatives --install /usr/bin/jar jar /usr/java/jdk1.6.0_22/bin/jar 100
sudo alternatives --install /usr/bin/javac javac /usr/java/jdk1.6.0_22/bin/javac 100

Continue by selecting the new alternative for each command:

sudo alternatives --config java
sudo alternatives --config jar
sudo alternatives --config javac

Finally set the JAVA_HOME environment variable for the new JDK

export JAVA_HOME=/usr/java/jdk1.6.0_22
echo "export JAVA_HOME=$JAVA_HOME" >> ~/.bashrc

Java Cryptographic Extensions

Download and install the Java Cryptographic Extensions.
Unzip the resulting files, and place the jar files in $JAVA_HOME/jre/lib/security.

The jar files in the zip may be older than the ones found in your JDK. You must replace the files in your JDK regardless of their date: JDKs by default are not packaged with the strong encryption policy jars.
unzip jce_policy-1_4_2.zip*
sudo cp jce/local_policy.jar $JAVA_HOME/jre/lib/security
sudo cp jce/US_export_policy.jar $JAVA_HOME/jre/lib/security
rm -rf jce*
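As an added check that is not part of the original page: a small shell script that confirms the two policy jars named above were actually copied into the JDK and are byte-identical to the ones unzipped from the JCE download (a copy skipped because the JDK's jar looked newer shows up as a mismatch). The jar names are the ones the page installs; the directories are arguments whose defaults assume JAVA_HOME as set above.

```shell
#!/bin/sh
# Added example (not from the Direct Project page): verify the strong-encryption
# JCE policy jars really replaced the JDK's default ones. File names are the ones
# the page installs; directories are arguments with defaults based on JAVA_HOME.

POLICY_JARS="local_policy.jar US_export_policy.jar"

# Return 0 when both policy jars are present and readable in DIR ($1), 1
# otherwise (listing the missing ones on stdout).
check_jce_policy_jars() {
    jce_dir="${1:-$JAVA_HOME/jre/lib/security}"
    jce_missing=0
    for jar in $POLICY_JARS; do
        if [ ! -r "$jce_dir/$jar" ]; then
            echo "missing: $jce_dir/$jar"
            jce_missing=1
        fi
    done
    return "$jce_missing"
}

# Return 0 only if each policy jar in SRC ($1, the unzipped jce/ directory) is
# byte-identical to the copy in DEST ($2, the JDK security directory). cksum is
# used for the comparison because it is part of coreutils and always present.
check_jce_jars_match() {
    jce_src="$1"
    jce_dest="${2:-$JAVA_HOME/jre/lib/security}"
    for jar in $POLICY_JARS; do
        if [ ! -r "$jce_dest/$jar" ] ||
           [ "$(cksum < "$jce_src/$jar")" != "$(cksum < "$jce_dest/$jar")" ]; then
            echo "differs or missing: $jce_dest/$jar"
            return 1
        fi
    done
    return 0
}
```

Run it after the copy step and before deleting the unzipped jce/ directory, for example `check_jce_policy_jars && check_jce_jars_match jce`; a non-zero exit means the JDK is still running with the default, limited policy.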

Obtain the Assembly

Obtain the pre-built assembly from the Sonatype repository or the google code repository downloads page.
wget https://oss.sonatype.org/content/repositories/snapshots/org/nhind/direct-project-stock/1.0-SNAPSHOT/direct-project-stock-1.0-SNAPSHOT.tar.gz

or

wget http://nhin-d.googlecode.com/files/DirectGateway-M1.tar.gz

Extract James and Tomcat

Extract the Apache James mail server with security agent, and Apache Tomcat with configuration service.
tar xvfz DirectGateway-M1.tar.gz
export DIRECT_HOME=`pwd`/direct
echo "export DIRECT_HOME=$DIRECT_HOME" >> ~/.bashrc

Enable the configuration port

Open port 8081 in the firewall. Note that this rule accepts connections to 8081 from any source address; see Recommended Next Steps below for restricting it to localhost or a local subnet.
sudo iptables -I INPUT -p tcp --dport 8081 -j ACCEPT
sudo service iptables save

Disable sendmail

Disable the default sendmail service
sudo service sendmail stop
sudo chkconfig sendmail off

Run Tomcat

Run Apache Tomcat and start the configuration service.
cd $DIRECT_HOME/apache-tomcat-6.0.29
sh bin/startup.sh

Note: Give this step a minute or two to start the server before continuing to the next step.

Configure James (manual step)

  1. Log into [1] with username admin and password adm1nD1r3ct.
  2. Click New Domain.
    1. Enter the Domain Name and Postmaster E-Mail Address for the domain this HISP will be handling.
    2. Choose ENABLED as the status.
  3. Click the Anchors tab.
    1. Import trust anchors.
    2. Choose ENABLED as the status.
  4. Click Cancel and click Go To Certificates.
    1. Import certificates.
    2. Choose ENABLED as the status.
  5. Click Cancel and click Go To Settings.
    1. Add setting key:PrivateStoreType with value:WS
    2. Add setting key:AnchorStoreType with value:WS
    3. Add setting key:PublicStoreType with value:DNS,WS
    4. Add setting key:MDNAutoResponse with value:true


Tell James the domain this HISP will be handling by replacing my.domain.com with your domain.

cd $DIRECT_HOME/james-2.3.2
sh bin/setdomain.sh my.domain.com

Run James

Start the Apache James mail server with security trust agent.
cd $DIRECT_HOME/james-2.3.2
sudo -E sh bin/run.sh > james.log 2>&1 &

Create James users (manual step)

Create users that will be using the Apache James mail server.
telnet localhost 4555
> root
> root
> adduser username password
> quit


Recommended Next Steps

Following are optional, but recommended, next steps to secure your environment.

Secure Configuration Service Port (8081)

To secure the configuration service, it is recommended to limit access to port 8081 to localhost and/or a local subnet.
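One way to do this, as an added example that is not part of the original page: replace the open "accept 8081 from anywhere" rule added earlier with rules that accept 8081 only from the loopback interface and one trusted subnet, and drop everything else. The subnet 192.168.1.0/24 is a placeholder; the script validates whatever subnet you pass and prints the iptables commands rather than executing them, so they can be reviewed before being run.

```shell
#!/bin/sh
# Added example (not from the Direct Project page): firewall rules that accept
# port 8081 only from the loopback interface and one trusted subnet, and drop
# everything else. 192.168.1.0/24 is a placeholder; use your management subnet.
# The rules are printed rather than executed so they can be reviewed first.

CONFIG_PORT=8081

# Return 0 if $1 is a dotted-quad IPv4 network in CIDR form, 1 otherwise.
# Rejecting malformed input keeps a typo from becoming a rule that matches
# nothing (or, worse, a DROP with no matching ACCEPT in front of it).
is_ipv4_cidr() {
    case "$1" in
        */*) ;;
        *) return 1 ;;
    esac
    cidr_addr="${1%/*}"
    cidr_prefix="${1#*/}"
    case "$cidr_addr" in
        ''|*[!0-9.]*) return 1 ;;
    esac
    case "$cidr_prefix" in
        ''|*[!0-9]*) return 1 ;;
    esac
    [ "$cidr_prefix" -le 32 ] || return 1
    cidr_oldifs="$IFS"
    IFS=.
    set -- $cidr_addr
    IFS="$cidr_oldifs"
    [ $# -eq 4 ] || return 1
    for octet in "$@"; do
        case "$octet" in
            ''|*[!0-9]*) return 1 ;;
        esac
        [ "$octet" -le 255 ] || return 1
    done
    return 0
}

# Print the iptables commands for trusted subnet $1. The first command removes
# the open rule added earlier on this page; the others are inserted at the top
# of INPUT so they are evaluated before any existing ACCEPT rule.
config_port_rules() {
    subnet="${1:-192.168.1.0/24}"
    is_ipv4_cidr "$subnet" || { echo "invalid subnet: $subnet" >&2; return 1; }
    cat <<EOF
iptables -D INPUT -p tcp --dport $CONFIG_PORT -j ACCEPT 2>/dev/null || true
iptables -I INPUT 1 -p tcp --dport $CONFIG_PORT -i lo -j ACCEPT
iptables -I INPUT 2 -p tcp --dport $CONFIG_PORT -s $subnet -j ACCEPT
iptables -I INPUT 3 -p tcp --dport $CONFIG_PORT -j DROP
service iptables save
EOF
}
```

Review the output of `config_port_rules 10.0.0.0/8` (or your own subnet), then run it as root, for example by piping it into `sudo sh`. If only localhost access is needed, drop the `-s $subnet` line and the configuration UI stays reachable from the HISP host itself.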

Secure Configuration Service Password

To further protect the configuration service, or if port 8081 must remain public, it is recommended to change the default password.
cp $DIRECT_HOME/apache-tomcat-6.0.29/webapps/config-ui/WEB-INF/config-servlet.xml $DIRECT_HOME/apache-tomcat-6.0.29/webapps/config-ui/WEB-INF/config-servlet.xml.orig
sed -i "s/adm1nD1r3ct/your_new_password/g" $DIRECT_HOME/apache-tomcat-6.0.29/webapps/config-ui/WEB-INF/config-servlet.xml
cd $DIRECT_HOME/apache-tomcat-6.0.29
sh bin/shutdown.sh
sh bin/startup.sh
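The sed substitution above breaks if the new password contains a character sed treats specially (`/`, `&` or `\`), and it gives no sign whether the replacement actually happened. As an added example that is not part of the original page, the following script escapes both sides of the substitution and verifies the result. The file path and the default password adm1nD1r3ct are the page's own; the new password is whatever you pass as the third argument.

```shell
#!/bin/sh
# Added example (not from the Direct Project page): change the configuration
# service password with the same sed substitution the page uses, but with the
# old and new values escaped so a password containing '/', '&' or '\' does not
# break the expression, and with a check that the replacement really happened.

# Escape a literal string for the pattern side of sed s/.../.../ .
sed_escape_pattern() {
    printf '%s' "$1" | sed 's,[][\\/.*^$],\\&,g'
}

# Escape a literal string for the replacement side of sed s/.../.../ .
sed_escape_replacement() {
    printf '%s' "$1" | sed 's,[/&\\],\\&,g'
}

# Replace OLD ($2) with NEW ($3) in FILE ($1), keeping a FILE.orig backup as the
# page does. Return 0 only if OLD is gone and NEW is present afterwards, so a
# silent no-op (for example, the default was already changed) is reported.
set_config_password() {
    cfg_file="$1"
    cfg_old="$2"
    cfg_new="$3"
    cp "$cfg_file" "$cfg_file.orig"
    sed -i "s/$(sed_escape_pattern "$cfg_old")/$(sed_escape_replacement "$cfg_new")/g" "$cfg_file"
    if grep -qF -- "$cfg_old" "$cfg_file"; then
        echo "old password still present in $cfg_file" >&2
        return 1
    fi
    grep -qF -- "$cfg_new" "$cfg_file"
}
```

Typical use is `set_config_password $DIRECT_HOME/apache-tomcat-6.0.29/webapps/config-ui/WEB-INF/config-servlet.xml adm1nD1r3ct 'your_new_password'`, followed by the Tomcat shutdown and startup shown above; pick a password that is not a dictionary word, since port 8081 may be reachable from the network.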