steffen: server/doc/technical kdablogo.eps, NONE, 1.1 Makefile, 1.4, 1.5 intro.sgml, 1.5, 1.6 kolabserver.sgml, 1.6, 1.7 openssl.sgml, 1.5, 1.6
cvs at intevation.de
cvs at intevation.de
Tue Aug 17 02:46:06 CEST 2004
Author: steffen
Update of /kolabrepository/server/doc/technical
In directory doto:/tmp/cvs-serv11984
Modified Files:
Makefile intro.sgml kolabserver.sgml openssl.sgml
Added Files:
kdablogo.eps
Log Message:
started updating tech manual
--- NEW FILE: kdablogo.eps ---
%!PS-Adobe-3.0 EPSF-3.0
%%Creator: (ImageMagick)
%%Title: (kdablogo-neu-klein.eps)
%%CreationDate: (Fri Aug 9 12:20:10 2002)
%%BoundingBox: 0 0 371 108
%%DocumentData: Clean7Bit
%%LanguageLevel: 1
%%Pages: 1
%%EndComments
%%BeginDefaults
%%EndDefaults
%%BeginProlog
%
% Display a color image. The image is displayed in color on
% Postscript viewers or printers that support color, otherwise
% it is displayed as grayscale.
%
[...3578 lines suppressed...]
ffffffffffffffffffffffffffffffffffffffffffffffffffffffffffffffffffffffff
ffffffffffffffffffffffffffffffffffffffffffffffffffffffffffffffffffffffff
ffffffffffffffffffffffffffffffffffffffffffffffffffffffffffffffffffffffff
ffffffffffffffffffffffffffffffffffffffffffffffffffffffffffffffffffffffff
ffffffffffffffffffffffffffffffffffffffffffffffffffffffffffffffffffffffff
ffffffffffffffffffffffffffffffffffffffffffffffffffffffffffffffffffffffff
ffffffffffffffffffffffffffffffffffffffffffffffffffffffffffffffffffffffff
ffffffffffffffffffffffffffffffffffffffffffffffffffffffffffffffffffffffff
ffffffffffffffffffffffffffffffffffffffffffffffffffffffffffffffffffffffff
ffffffffffffffffffffffffffffffffffffffffffffffffffffffffffffffffffffffff
ffffffffffffffffffffffffffffffffffffffffffffffffffffffffffffffffffffffff
ffffffffffffffffffffffffffffffffffffffffffffffffffffffffffffffffffffffff
ffffffffffffffffffffffffffffffffffffffffffffffffffffffffffffffffffffffff
ffffffffffffffffffffffffffffffffffffffffffffffffffffffffffffffffffffffff
ffffffffffffffffffffffffffffffffffffffffffffffffffffffffffffffffffffffff
end
%%PageTrailer
%%Trailer
%%EOF
Index: Makefile
===================================================================
RCS file: /kolabrepository/server/doc/technical/Makefile,v
retrieving revision 1.4
retrieving revision 1.5
diff -u -d -r1.4 -r1.5
--- Makefile 21 Mar 2003 17:08:32 -0000 1.4
+++ Makefile 17 Aug 2004 00:46:04 -0000 1.5
@@ -7,6 +7,9 @@
DEST= kolabserver
SHELL= /bin/bash
SGML_SRC= kolabserver.sgml
+DEP_SGML= apache.sgml cyrus.sgml intro.sgml kolab.sgml monit.sgml openssl.sgml proftpd.sgml \
+ appendix.sgml extensions.sgml kolabserver.sgml ldap.sgml \
+ openpkg.sgml postfix.sgml sasl.sgml
HTML_DST= html/index.html
PS_DST= $(NAME).ps
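Review bot: DEP_SGML is a hand-maintained list that already repeats kolabserver.sgml, the file SGML_SRC names, and it will silently go stale the next time a chapter file is added or dropped (the intro.sgml hunk in this same commit comments the ProFTPD entry out, so the chapter set still looks to be in flux). Deriving it from the directory keeps the dependency edges honest: `DEP_SGML:= $(filter-out $(SGML_SRC),$(wildcard *.sgml))`. The list is wired into the $(NAME).ps and $(NAME).rtf rules in the second hunk; $(NAME).pdf inherits it transitively through $(NAME).ps, but whatever rule builds HTML_DST lies outside both hunks and presumably needs the same prerequisite.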
@@ -39,13 +42,13 @@
's/SRC=\"kolab\.gif\"/SRC=\"kolab.png\"/g' > /tmp/123.html
#grep -l kolab.gif $(DEST)/*.html | xargs cp /tmp/123.html
-$(NAME).ps: $(SGML_SRC)
+$(NAME).ps: $(SGML_SRC) $(DEP_SGML)
$(PS_CMD) $(SGML_SRC)
$(NAME).pdf: $(SGML_SRC) $(NAME).ps
ps2pdf $(NAME).ps
-$(NAME).rtf: $(SGML_SRC)
+$(NAME).rtf: $(SGML_SRC) $(DEP_SGML)
$(RTF_CMD) $(SGML_SRC)
clean:
Index: intro.sgml
===================================================================
RCS file: /kolabrepository/server/doc/technical/intro.sgml,v
retrieving revision 1.5
retrieving revision 1.6
diff -u -d -r1.5 -r1.6
--- intro.sgml 20 Feb 2003 16:27:16 -0000 1.5
+++ intro.sgml 17 Aug 2004 00:46:04 -0000 1.6
@@ -15,29 +15,35 @@
<orderedlist>
<listitem><para> <ulink URL="http://asg.web.cmu.edu/cyrus/imapd/">
Carnegie Mellon University Cyrus IMAP Daemon </ulink> (with Cyrus Sieve) version
-2.1.11
+2.2.6
</para></listitem>
<listitem><para> <ulink URL="http://asg.web.cmu.edu/cyrus/sasl/">
Carnegie Mellon University Cyrus Simple Authentication and Security Layer (SASL)
-</ulink> version 2.1.10
- (SASL 2.1+ is needed by Cyrus IMAP Daemon version 2.1+) </para></listitem>
+</ulink> version 2.1.18 </para></listitem>
<listitem><para> <ulink URL="http://www.sleepycat.com">
-Berkeley DB </ulink> version 4.1.25
+Berkeley DB </ulink> version 4.2.52.2
(DB is needed by Cyrus IMAP Daemon and Postfix) </para></listitem>
<listitem><para> <ulink URL="http://www.openssl.org"> OpenSSL </ulink> version
-0.9.7
-(OpenSSL 0.9.4+ is needed by Cyrus IMAP Daemon version 2.1+) </para></listitem>
+0.9.7d </para></listitem>
<listitem><para> <ulink URL="http://www.openldap.org"> OpenLDAP </ulink>
-version 2.1.12 </para></listitem>
+version 2.2.14 </para></listitem>
<listitem><para> <ulink URL="http://www.postfix.org">
-Postfix </ulink> version 2.0.3 with TLS extensions version 0.8.11a
+Postfix </ulink> version 2.1.4
</para></listitem>
+<!-- FIXME: Do we use this at all anymore?
<listitem><para> <ulink URL="http://www.proftpd.org">
ProFTP Daemon </ulink> version 1.2.8rc1 </para></listitem>
+-->
<listitem><para> <ulink URL="http://www.apache.org">
-Apache Webserver </ulink> version 1.3.27 </para></listitem>
-<listitem><para> <ulink URL="http://www.tildeslash.com/monit/">
-Monit </ulink> version 3.1 </para></listitem>
+Apache Webserver </ulink> version 1.3.31 </para></listitem>
+<listitem><para> <ulink URL="http://www.php.net">
+PHP Hypertext Preprocessor</ulink> version 4.3.8 </para></listitem>
+<listitem><para> <ulink URL="http://www.perl.org/">
+Perl Interpreter</ulink> version 5.8.4 </para></listitem>
+<listitem><para> <ulink URL="http://www.ijs.si/software/amavisd/">
+Amavisd-new</ulink> version 20030616p10 </para></listitem>
+<listitem><para> <ulink URL="http://www.clamav.net/">
+Clam Antivirus</ulink> version 0.74 </para></listitem>
</orderedlist>
<para> Key features that lead to the Cyrus IMAP daemon for Kolab: </para>
@@ -120,10 +126,18 @@
specification. Note that the relevant Kolab server software is
provided by the OpenPKG system which will be described in the next chapter.
</para>
+<para>Kolab1</para>
<itemizedlist>
<listitem><para> Hardware: Dual Pentium II, 256 MB
</para></listitem>
<listitem><para> Software: Debian Sid/Sarge Testing/Unstable </para></listitem>
<listitem><para> Kernel: 2.4.18 SMP </para></listitem>
+</itemizedlist>
+<para>Kolab2</para>
+<itemizedlist>
+<listitem><para> Hardware: VIA Nehemia C3 1GHz CPU, 512 MB
+</para></listitem>
+<listitem><para> Software: Various, including Debian and SuSE 9.0 </para></listitem>
+<listitem><para> Kernel: 2.4.21 </para></listitem>
</itemizedlist>
</chapter>
Index: kolabserver.sgml
===================================================================
RCS file: /kolabrepository/server/doc/technical/kolabserver.sgml,v
retrieving revision 1.6
retrieving revision 1.7
diff -u -d -r1.6 -r1.7
--- kolabserver.sgml 12 Mar 2004 10:15:34 -0000 1.6
+++ kolabserver.sgml 17 Aug 2004 00:46:04 -0000 1.7
@@ -14,6 +14,7 @@
<!entity chapter-appendix SYSTEM "appendix.sgml">
<!ENTITY erfrakon SYSTEM "erfrakon.eps" NDATA EPS>
<!ENTITY kolab SYSTEM "kolab.eps" NDATA EPS>
+<!ENTITY kdab SYSTEM "kdablogo.eps" NDATA EPS>
]>
<book>
@@ -21,14 +22,15 @@
<title>Kolab Server</title>
<subtitle>Technical Description</subtitle>
<authorgroup>
+<corpauthor><inlinegraphic entityref="kdab"
+fileref="kdablogo" scale="50"></inlinegraphic> </corpauthor>
<corpauthor><inlinegraphic entityref="erfrakon"
fileref="erfrakon"></inlinegraphic> </corpauthor>
<othercredit>
+<othername> Klarälvdalens Datakonsult AB </othername>
+<othername> http://www.klaralvdalens-datakonsult.se </othername>
+<othername> email: info at klaralcdalens-datakonsult.se </othername>
<othername> Erlewein, Frank, Konold & Partner </othername>
-<othername> Beratende Ingenieure und Physiker </othername>
-<othername> Nobelstr. 15 </othername>
-<othername> 70569 Stuttgart </othername>
-<othername> Germany </othername>
<othername> http://www.erfrakon.de </othername>
<othername> email: info at erfrakon.de </othername>
</othercredit>
@@ -58,6 +60,10 @@
</revision>
<revision>
<revnumber>1.0.x</revnumber>
+<date>CVS</date>
+</revision>
+<revision>
+<revnumber>pre-2.0</revnumber>
<date>CVS</date>
</revision>
</revhistory>
Index: openssl.sgml
===================================================================
RCS file: /kolabrepository/server/doc/technical/openssl.sgml,v
retrieving revision 1.5
retrieving revision 1.6
diff -u -d -r1.5 -r1.6
--- openssl.sgml 21 Feb 2003 09:06:25 -0000 1.5
+++ openssl.sgml 17 Aug 2004 00:46:04 -0000 1.6
@@ -2,14 +2,15 @@
<para> OpenSSL certificates are required at several services on the Kolab server.
As you install the kolab RPM (see next chapter) the bootstrapping procedure of the Kolab
-server automatically creates certificates that can be used with the Kolab server. Three keys are
-provided by the bootstrapping procedure:
+server offers to automatically create a certificate authority and certificates that can
+be used with the Kolab server. The certificate authority's files are kept in /kolab/etc/kolab/ca.
+Three keys are provided by the bootstrapping procedure:
</para>
<itemizedlist>
<listitem><para> /kolab/etc/kolab/cert.pem </para></listitem>
<listitem><para> /kolab/etc/kolab/key.pem </para></listitem>
-<listitem><para> /kolab/etc/kolab/CAcert.pem </para></listitem>
+<listitem><para> /kolab/etc/kolab/ca/cacert.pem </para></listitem>
</itemizedlist>
<para> It you want to use your own keys feel free to do so. Of course you should check with the
@@ -27,7 +28,7 @@
/kolab/etc/apache/apache.conf:
...
-SSLCACertificateFile /kolab/etc/kolab/CAcert.pem
+SSLCACertificateFile /kolab/etc/kolab/cert.pem <= FIXME: ?
...
SSLCertificateFile /kolab/etc/kolab/cert.pem
SSLCertificateKeyFile /kolab/etc/kolab/key.pem
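Review bot: The Apache snippet now points SSLCACertificateFile at /kolab/etc/kolab/cert.pem, the server's own certificate, while the list above says the CA certificate lives at /kolab/etc/kolab/ca/cacert.pem, and the Postfix snippet in the next hunk keeps the old /kolab/etc/kolab/CAcert.pem path. Both lines carry a `<= FIXME: ?` marker, so the document currently gives three different locations for the same file, and a reader who copies the snippets would configure verification against the wrong trust anchor. Unless the bootstrap really writes CA files at those paths, both should name the new location: `SSLCACertificateFile /kolab/etc/kolab/ca/cacert.pem` and `smtpd_tls_CAfile = /kolab/etc/kolab/ca/cacert.pem`.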
@@ -35,7 +36,7 @@
/kolab/etc/postfix/main.cf:
...
-smtpd_tls_CAfile = /kolab/etc/kolab/CAcert.pem
+smtpd_tls_CAfile = /kolab/etc/kolab/CAcert.pem <= FIXME: ?
smtpd_tls_cert_file = /kolab/etc/kolab/cert.pem
smtpd_tls_key_file = /kolab/etc/kolab/key.pem
...
@@ -48,55 +49,287 @@
</para>
<para> The kolab bootstrapping procedure creates the certificates using the following script
-(it is called <filename>kolab_sslcert.sh</filename>) :
+(it is called <filename>kolab_ca.sh</filename>) :
</para>
<screen>
-#!/bin/sh
+#!@l_prefix@/lib/openpkg/bash
+##
+## Copyright (c) 2004 Klaraelvdalens Datakonsult AB
+## Written by Steffen Hansen <steffen at klaralvdalens-datakonsult.se>
+##
+## CA management script that is heavily inspired by Tim Hudson's
+## CA.sh script from the openssl distribution
-echo "Generating kolab's SSL/TLS certificates"
+PREFIX=/kolab
-PWD=`pwd`
-TMPDIR="@@@kolab_prefix@@@/etc/kolab/tmp"
-mkdir $TMPDIR
-mkdir -p $TMPDIR/demoCA/private/
-mkdir -p $TMPDIR/demoCA/newcerts
-mkdir -p $TMPDIR/demoCA/certs
-mkdir -p $TMPDIR/demoCA/crl
-cd $TMPDIR
-touch demoCA/index.txt
-echo "01" > demoCA/serial
+DAYS="-days 3650"
+REQ="$PREFIX/bin/openssl req"
+CA="$PREFIX/bin/openssl ca"
+VERIFY="$PREFIX/bin/openssl verify"
+X509="$PREFIX/bin/openssl x509"
+RSA="$PREFIX/bin/openssl rsa"
+GENRSA="$PREFIX/bin/openssl genrsa"
-echo -n "generate self-signed CA ... "
- echo -e ".\n.\n.\n.\n.\n`hostname`\n.\n" | \
- @@@kolab_prefix@@@/bin/openssl req -new -x509 -nodes \
- -keyout demoCA/private/cakey.pem \
- -out demoCA/cacert.pem -days 3650 2>/dev/null
-echo "done"
+CATOP=$PREFIX/etc/kolab/ca
+CAKEY=cakey.pem
+CACERT=cacert.pem
-echo -n "generate certificate and sign request ... "
- echo -e ".\n.\n.\n.\n.\nkolab\n.\n\n\n" | \
- @@@kolab_prefix@@@/bin/openssl req -new -nodes \
- -keyout key.pem -out newreq.pem \
- -days 3650 2>/dev/null
- cat newreq.pem key.pem > new.pem
-echo "done"
+# Make sure not to create world readable files
+umask 0077
-echo -n "sign certificate with newly created CA ... "
-echo -e "y\ny\n" | @@@kolab_prefix@@@/bin/openssl ca \
- -policy policy_anything \
- -out cert.pem -infiles new.pem 2>/dev/null 1>&2
-sleep 2
-echo "done"
+cd @l_prefix@/etc/kolab
-cp demoCA/cacert.pem @@@kolab_prefix@@@/etc/kolab/CAcert.pem
-cp key.pem @@@kolab_prefix@@@/etc/kolab/key.pem
-cp cert.pem @@@kolab_prefix@@@/etc/kolab/cert.pem
-cd $PWD
-rm -rf $TMPDIR
-
-echo "New certificates have been installed under \
- @@@kolab_prefix@@@/etc/kolab/"
+# Config
+function createconf() {
+local DNAME=$1
+echo "Using dn $hostname"
+#if [ ! -d "$PREFIX/etc/kolab/ca" ]; then
+# mkdir $PREFIX/etc/kolab/ca
+#fi
+export OPENSSL_CONF=$PREFIX/etc/kolab/kolab-ssl.cnf
+cat > ${OPENSSL_CONF} <<EOF
+[ req ]
+distinguished_name = req_distinguished_name
+default_bits = 1024
+prompt = no
+x509_extensions = v3_req
+attributes = req_attributes
+
+string_mask = nombstr
+
+[ req_attributes ]
+
+[ req_distinguished_name ]
+#C =
+#ST =
+#L =
+#O =
+#OU =
+#CN =
+#emailAddress =
+$DNAME
+
+[ v3_req ]
+basicConstraints = CA:TRUE
+
+[ ca ]
+default_ca = CA_kolab
+
+[ CA_kolab ]
+dir = $CATOP
+certs = \$dir/certs # Where the issued certs are kept
+crl_dir = \$dir/crl # Where the issued crl are kept
+database = \$dir/index.txt # database index file.
+unique_subject = no # Set to 'no' to allow creation of
+ # several ctificates with same subject.
+new_certs_dir = \$dir/newcerts # default place for new certs.
+
+certificate = \$dir/cacert.pem # The CA certificate
+serial = \$dir/serial # The current serial number
+#crlnumber = \$dir/crlnumber # the current crl number
+ # must be commented out to leave a V1 CRL
+crl = \$dir/crl.pem # The current CRL
+private_key = \$dir/private/cakey.pem# The private key
+RANDFILE = \$dir/private/.rand # private random number file
+
+x509_extensions = usr_cert # The extentions to add to the cert
+# Comment out the following two lines for the "traditional"
+# (and highly broken) format.
+name_opt = ca_default # Subject Name options
+cert_opt = ca_default # Certificate field options
+
+# Extension copying option: use with caution.
+# copy_extensions = copy
+
+# Extensions to add to a CRL. Note: Netscape communicator chokes on V2 CRLs
+# so this is commented out by default to leave a V1 CRL.
+# crlnumber must also be commented out to leave a V1 CRL.
+# crl_extensions = crl_ext
+
+default_days = 3650 # how long to certify for
+default_crl_days= 30 # how long before next CRL
+default_md = md5 # which md to use.
+preserve = no # keep passed DN ordering
+
+# For the 'anything' policy
+# At this point in time, you must list all acceptable 'object'
+# types.
+[ policy_anything ]
+commonName = supplied
+
+[ usr_cert ]
+
+# These extensions are added when 'ca' signs a request.
+
+# This goes against PKIX guidelines but some CAs do it and some software
+# requires this to avoid interpreting an end user certificate as a CA.
+
+basicConstraints=CA:FALSE
+
+# Here are some examples of the usage of nsCertType. If it is omitted
+# the certificate can be used for anything *except* object signing.
+
+# This is OK for an SSL server.
+# nsCertType = server
+
+# For an object signing certificate this would be used.
+# nsCertType = objsign
+
+# For normal client use this is typical
+# nsCertType = client, email
+
+# and for everything including object signing:
+# nsCertType = client, email, objsign
+
+# This is typical in keyUsage for a client certificate.
+# keyUsage = nonRepudiation, digitalSignature, keyEncipherment
+
+# This will be displayed in Netscape's comment listbox.
+nsComment = "OpenSSL Generated Certificate"
+
+# PKIX recommendations harmless if included in all certificates.
+subjectKeyIdentifier=hash
+authorityKeyIdentifier=keyid,issuer:always
+
+EOF
+}
+
+function readinput() {
+ local p=$1
+ local d=$2
+ read -ep "$p [$d]: " value
+ if [ -z "$value" ]; then
+ value="$d"
+ fi
+}
+
+appname=$0
+while [ $# -gt 0 ]; do
+case $1 in
+-h|-help|--help)
+ echo "Usage: $appname {-newca hostname [organization organizational-unit]|-newreq hostname [keyfile] [certfile]|-sign [filename]|-verify [filename]|-help}"
+ ;;
+-newca)
+ if [ ! -f ${CATOP}/serial ]; then
+ # create the directory hierarchy
+ mkdir ${CATOP}
+ mkdir ${CATOP}/certs
+ mkdir ${CATOP}/crl
+ mkdir ${CATOP}/newcerts
+ mkdir ${CATOP}/private
+ echo "01" > ${CATOP}/serial
+ touch ${CATOP}/index.txt
+ fi
+ if [ ! -f ${CATOP}/private/$CAKEY ]; then
+ cn=$2
+ shift
+ if [ -n "$2" ]; then
+ o=$2
+ shift
+ else
+ readinput "Enter organization name" "Kolab"
+ o=$value
+ fi
+ if [ -n "$2" ]; then
+ ou=$2
+ shift
+ else
+ readinput "Enter organizational unit" "Test-CA"
+ ou=$value
+ fi
+ shift
+ echo "Using subject O=$o,OU=$ou,CN=$cn";
+ createconf "O=$o
+OU=$ou
+CN=$cn"
+
+ echo "CA certificate filename (or enter to create)"
+ read FILE
+
+ # ask user for existing CA certificate
+ if [ "$FILE" ]; then
+ cp $FILE ${CATOP}/private/$CAKEY
+ RET=$?
+ else
+ echo "Making CA certificate ..."
+ $REQ -new -x509 -keyout ${CATOP}/private/$CAKEY \
+ -out ${CATOP}/$CACERT $DAYS
+ RET=$?
+ fi
+ fi
+ ;;
+-newkey)
+ # create a new priv. key
+ createconf "CN=$2"
+ keyfile=key.pem
+ if [ -n "$3" ]; then
+ keyfile=$3
+ fi
+ shift 2
+ echo "secret"|$GENRSA -des3 -passout fd:0 -out .tmp.pass.key 1024
+ echo "secret"|$RSA -passin fd:0 -in .tmp.pass.key -out $keyfile
+ rm .tmp.pass.key
+ ;;
+-newreq)
+ # create a certificate request
+ createconf "CN=$2"
+ reqfile=newreq.pem
+ if [ -n "$3" ]; then
+ keyfile=$3
+ fi
+ if [ -n "$4" ]; then
+ reqfile=$4
+ fi
+ shift 3
+ $REQ -new -nodes -key ${keyfile} -out ${reqfile} $DAYS
+ RET=$?
+ echo "Request is in $reqfile and private key is in $keyfile"
+ ;;
+-sign|-signreq)
+ createconf
+ infile=newreq.pem
+ outfile=newcert.pem
+ if [ -n "$2" ]; then
+ infile=$2
+ fi
+ if [ -n "$3" ]; then
+ outfile=$3
+ fi
+ shift 2
+ $CA -policy policy_anything -out ${outfile} -infiles ${infile}
+ RET=$?
+ #cat ${outfile}
+ echo "Signed certificate is in ${outfile}"
+ ;;
+-verify)
+ createconf
+ shift
+ if [ -z "$1" ]; then
+ $VERIFY -CAfile $CATOP/$CACERT newcert.pem
+ RET=$?
+ else
+ for j
+ do
+ $VERIFY -CAfile $CATOP/$CACERT $j
+ if [ $? != 0 ]; then
+ RET=$?
+ fi
+ done
+ fi
+ exit 0
+ ;;
+*)
+ echo "Unknown arg $i";
+ exit 1
+ ;;
+esac
+shift
+done
+
+cd -
+
+exit $RET
</screen>
</chapter>
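Review bot: In the -verify branch the test `if [ $? != 0 ]; then RET=$?` assigns the exit code of `[` itself (always 0 at that point) rather than of openssl verify, and the branch then runs `exit 0` unconditionally, so the script reports success even when a certificate fails to chain to the CA; `$VERIFY -CAfile $CATOP/$CACERT $j || RET=$?` together with dropping that `exit 0` in favour of the final `exit $RET` would make the result usable, and the fix belongs in the shipped kolab_ca.sh as well as in this listing. RET is also never initialised, so when no action sets it `exit $RET` expands to a bare `exit` and the script's status reflects the preceding `cd -`, not the work done. The generated config signs with `default_md = md5` and requests `default_bits = 1024`, both below current minimums (sha256 and 2048 bits), and the -newkey branch's detour through a des3-encrypted temporary key with the literal pass phrase "secret" adds nothing over `$GENRSA -out $keyfile 1024` under the umask the script already sets. Smaller points: createconf echoes `$hostname`, which is never set (the value meant is `$DNAME`), and the "CA certificate filename" prompt copies the supplied file into `${CATOP}/private/$CAKEY` and never produces `$CACERT`, so importing an existing CA cannot work as described. The usage text omits the -newkey action that the case statement accepts.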