
Google smtp server certificate for IBM ELM mail notifications


sreenath v (78680) | asked Jun 15 '20, 9:26 a.m.

Hi,

I want to configure email notifications with IBM ELM and Gmail. So from where can I download the SMTP certificate for Google and import it into IBM ELM?

4 answers



Ian Barnard (2.3k714) | answered Jun 15 '20, 10:41 a.m.
FORUM ADMINISTRATOR / FORUM MODERATOR / JAZZ DEVELOPER
edited Jun 15 '20, 10:52 a.m.
Hi

If you're using a default Liberty installation then Liberty isn't configured with a trust store, so it will reject Google's (or anyone else's) SSL certificate, i.e. all outgoing SSL connection attempts will fail.

One way to fix this for a specific site would be to download the site's certificate and put it in the Liberty keystore - I've not tried this method but it should be possible. An example of how to download the SSL cert is here https://security.stackexchange.com/questions/70528/how-to-get-ssl-certificate-of-a-mail-server or here https://serverfault.com/questions/131627/how-to-inspect-remote-smtp-servers-tls-certificate#131628, and then you'll have to convert the key to JKS format using openssl and then use the JRE keytool to import the key into the ibm-keystore.

A more general way to fix this for 6.x is to add a trust store (based, in this example, on the JRE cacerts trust store) into the Liberty server.xml (<JazzInstallationFolder>/server/liberty/servers/clm/server.xml).

There may be other ways of fixing this, but example steps are:
1. Copy <JazzInstallationFolder>/server/jre/lib/security/cacerts to <JazzInstallationFolder>/server/liberty/servers/clm/resources/security (just to make it easier to reference)
2. Change the default SSL settings to add this key store as a trustStoreRef by editing server.xml from this:
<ssl id="defaultSSLConfig" keyStoreRef="defaultKeyStore" sslProtocol="SSL" enabledCiphers="TLS_ECDHE_ECDSA_WITH_AES_128_CBC_SHA256 TLS_ECDHE_RSA_WITH_AES_128_CBC_SHA256 TLS_RSA_WITH_AES_128_CBC_SHA256 TLS_ECDHE_ECDSA_WITH_AES_128_CBC_SHA TLS_ECDHE_RSA_WITH_AES_128_CBC_SHA TLS_RSA_WITH_AES_128_CBC_SHA TLS_DHE_RSA_WITH_AES_128_CBC_SHA TLS_DHE_RSA_WITH_AES_128_CBC_SHA256"/>

<keyStore id="defaultKeyStore" location="ibm-team-ssl.keystore" type="JCEKS" password="{xor}Nj0ycis6PjI="/>
To this (the new parts are the trustStoreRef attribute and the defaultTrustStore keyStore element):
<ssl id="defaultSSLConfig" keyStoreRef="defaultKeyStore" trustStoreRef="defaultTrustStore" sslProtocol="SSL" enabledCiphers="TLS_ECDHE_ECDSA_WITH_AES_128_CBC_SHA256 TLS_ECDHE_RSA_WITH_AES_128_CBC_SHA256 TLS_RSA_WITH_AES_128_CBC_SHA256 TLS_ECDHE_ECDSA_WITH_AES_128_CBC_SHA TLS_ECDHE_RSA_WITH_AES_128_CBC_SHA TLS_RSA_WITH_AES_128_CBC_SHA TLS_DHE_RSA_WITH_AES_128_CBC_SHA TLS_DHE_RSA_WITH_AES_128_CBC_SHA256"/>

<keyStore id="defaultTrustStore" location="cacerts" type="JKS" password="changeit" />

<keyStore id="defaultKeyStore" location="ibm-team-ssl.keystore" type="JCEKS" password="{xor}Nj0ycis6PjI="/>
NOTE: this uses the default JRE trust store password 'changeit' as shipped in the Jazz JRE - it's probably a good idea to change this if you want to make the trust store harder to interfere with.

This manual change should no longer be needed when installing 7.0.1 (see https://jazz.net/jazz/web/projects/Jazz%20Foundation#action=com.ibm.team.workitem.viewWorkItem&id=505608), and this is also planned to be resolved in 7.0.0 iFix003 (see https://jazz.net/jazz/web/projects/Rational%20Team%20Concert#action=com.ibm.team.workitem.viewWorkItem&id=508417) - these use a slightly different method which works with the newer versions of Liberty in 7.0+.

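The per-site approach described in the answer above (download the SMTP server's certificate, then import it into the trust store with keytool), written out as an added example script; it is not code from the thread or from IBM. It assumes the thread's defaults (smtp.gmail.com, port 587 with STARTTLS, a JKS trust store named cacerts with the password changeit) and takes them from environment variables so they can be overridden. The openssl and keytool steps only run when the script is invoked with the argument import; the sample s_client output embedded in the script is constructed for offline checking and its certificate bodies are placeholders, not real certificates.

```shell
#!/bin/sh
# Added example (not from the forum thread): fetch the certificate chain an
# SMTP server presents over STARTTLS with openssl, split it into PEM files,
# and import it into a JKS trust store with keytool. Host, port, trust-store
# path and password are assumptions taken from the thread's defaults.
SMTP_HOST="${SMTP_HOST:-smtp.gmail.com}"
SMTP_PORT="${SMTP_PORT:-587}"
TRUST_STORE="${TRUST_STORE:-cacerts}"   # e.g. .../servers/clm/resources/security/cacerts
TRUST_PASS="${TRUST_PASS:-changeit}"    # default JRE cacerts password; change it in production

# Talk to the server, upgrade to TLS with STARTTLS and dump the whole chain.
fetch_smtp_chain() {
  openssl s_client -connect "$1:$2" -starttls smtp -servername "$1" -showcerts \
    </dev/null 2>/dev/null
}

# Count how many PEM certificate blocks the s_client output on stdin contains.
count_certs() {
  grep -c -- '-----BEGIN CERTIFICATE-----'
}

# Keep only the first (leaf) certificate block from stdin.
extract_leaf_cert() {
  sed -n '/-----BEGIN CERTIFICATE-----/,/-----END CERTIFICATE-----/p' \
    | sed -n '1,/-----END CERTIFICATE-----/p'
}

# Write each certificate block from stdin to <dir>/cert<N>.pem (cert1 = leaf).
split_chain() {
  awk -v dir="$1" '
    /-----BEGIN CERTIFICATE-----/ { n++; f = dir "/cert" n ".pem" }
    f != ""                       { print > f }
    /-----END CERTIFICATE-----/   { close(f); f = "" }
  '
}

# keytool reads PEM directly, so a certificate needs no openssl conversion
# before import; one alias per chain element, prefixed with the host name.
import_dir_into_trust_store() {
  for f in "$1"/cert*.pem; do
    [ -f "$f" ] || continue
    alias="$SMTP_HOST-$(basename "$f" .pem)"
    keytool -importcert -noprompt -trustcacerts \
      -keystore "$TRUST_STORE" -storetype JKS -storepass "$TRUST_PASS" \
      -alias "$alias" -file "$f"
  done
}

# Constructed s_client-style output for offline checking of the parsing
# functions; the base64 bodies are placeholders, not real certificates.
sample_s_client_output() {
  cat <<'EOF'
CONNECTED(00000003)
---
Certificate chain
 0 s:CN = smtp.example.test
   i:CN = Example Intermediate CA (constructed)
-----BEGIN CERTIFICATE-----
LEAFCERTPLACEHOLDERLINE1
LEAFCERTPLACEHOLDERLINE2
-----END CERTIFICATE-----
 1 s:CN = Example Intermediate CA (constructed)
   i:CN = Example Root CA (constructed)
-----BEGIN CERTIFICATE-----
INTERMEDIATEPLACEHOLDER
-----END CERTIFICATE-----
---
Server certificate
subject=CN = smtp.example.test
EOF
}

main() {
  workdir=$(mktemp -d)
  fetch_smtp_chain "$SMTP_HOST" "$SMTP_PORT" > "$workdir/chain.txt"
  n=$(count_certs < "$workdir/chain.txt") \
    || { echo "no certificate received from $SMTP_HOST:$SMTP_PORT" >&2; exit 1; }
  echo "received $n certificate(s) from $SMTP_HOST:$SMTP_PORT"
  split_chain "$workdir" < "$workdir/chain.txt"
  import_dir_into_trust_store "$workdir"
  # Show what now sits in the trust store for this host.
  keytool -list -keystore "$TRUST_STORE" -storepass "$TRUST_PASS" | grep -i "$SMTP_HOST"
  rm -rf "$workdir"
}

# Only touch the network and the trust store when explicitly asked.
if [ "${1:-}" = "import" ]; then
  main
fi
```

Run it as `TRUST_STORE=/path/to/cacerts sh import-smtp-cert.sh import` after the Liberty server has been stopped. Importing the whole chain rather than only the leaf means the trust store keeps working when the mail provider rotates its leaf certificate, as long as the issuing CA stays the same; importing the leaf alone ties you to that one certificate's lifetime, which is why the general cacerts-based trust store in the answer above is the lower-maintenance option.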

Comments
sreenath v commented Jun 15 '20, 12:27 p.m. | edited Jun 15 '20, 12:39 p.m.

<ssl id="defaultSSLConfig" keyStoreRef="defaultKeyStore" trustStoreRef="defaultTrustStore" sslProtocol="SSL" enabledCiphers="TLS_ECDHE_ECDSA_WITH_AES_128_CBC_SHA256 TLS_ECDHE_RSA_WITH_AES_128_CBC_SHA256 TLS_RSA_WITH_AES_128_CBC_SHA256 TLS_ECDHE_ECDSA_WITH_AES_128_CBC_SHA TLS_ECDHE_RSA_WITH_AES_128_CBC_SHA TLS_RSA_WITH_AES_128_CBC_SHA TLS_DHE_RSA_WITH_AES_128_CBC_SHA TLS_DHE_RSA_WITH_AES_128_CBC_SHA256"/>
    <keyStore id="defaultTrustStore" location="cacerts" type="JKS" password="clmadmin"/>
    <keyStore id="defaultKeyStore" location="ibm-team-ssl.keystore" type="JCEKS" password="{xor}Nj0ycis6PjI="/>



By default I knew that after 6.0.4 the email notification won't work unless we provide the certificate and import it. So will this resolve that issue, or after importing the certificate do we need to follow this method? After doing this the server went down!


Ian Barnard (2.3k714) | answered Jun 15 '20, 12:42 p.m.
FORUM ADMINISTRATOR / FORUM MODERATOR / JAZZ DEVELOPER
edited Jun 15 '20, 1:25 p.m.
(For some reason I can't comment on your comment)

Adding the trust store is a general solution, as cacerts contains most (all?) of the current top-level CA certificates; I used this approach to test Gmail notifications myself last week.

Importing the single certificate for smtp.gmail.com would also work but only for that site. I haven't done that process but I'm sure it's possible using openssl and keytool.

When editing server.xml also make sure to put cacerts in the correct folder - otherwise your server will go down.

sreenath v (78680) | answered Jun 15 '20, 11:02 p.m.
edited Jun 15 '20, 11:03 p.m.
(For some reason I can't comment on your comment)

Ya, now the server is up, but when editing the server email settings it shows

Configuration changes are being saved. This may take a minute...

java.net.SocketTimeoutException: Read timed out

I am getting this error.

Ian Barnard (2.3k714) | answered Jun 16 '20, 4:37 a.m.
FORUM ADMINISTRATOR / FORUM MODERATOR / JAZZ DEVELOPER
edited Jun 16 '20, 4:38 a.m.

To get SMTP access to my Gmail account I had to enable two-factor authentication and then generate an app password. Then the settings in Jazz I used were port 587, and Use STARTTLS set to true. For the SMTP username I used my Gmail email address and for the SMTP password I used the 16-digit app password. I put the Gmail address in the from/reply email addresses, but I'm not sure these are critical.
