Google smtp server certificate for IBM ELM mail notifications
4 answers
Hi
If you're using a default Liberty installation then Liberty isn't configured with a trust store, so it will reject google's (or anyone else's) ssl certificate, i.e. all outgoing SSL connection attempts will fail.
One way to fix this for a specific site would be to download the site's certificate and put it in the Liberty keystore - I've not tried this method but it should be possible. An example of how to download the ssl cert is here https://security.stackexchange.com/questions/70528/how-to-get-ssl-certificate-of-a-mail-server or here https://serverfault.com/questions/131627/how-to-inspect-remote-smtp-servers-tls-certificate#131628 and then you'll have to convert the key to JKS format using openssl and then use the jre keytool to import the key into the ibm-keystore.
A more general way to fix this for 6.x is to add a trust store based in this example on the JRE cacerts trust store into the Liberty server.xml (<JazzInstallationFolder>/server/liberty/servers/clm/server.xml).
There may be other ways of fixing this, but example steps are:
1. Copy <JazzInstallationFolder>/server/jre/lib/security/cacerts to <JazzInstallationFolder>/server/liberty/servers/clm/resources/security (just to make it easier to reference)
2.Change the default ssl settings to add this key store as a trustStoreRef by editing server.xml from this:
<ssl id="defaultSSLConfig" keyStoreRef="defaultKeyStore" sslProtocol="SSL" enabledCiphers="TLS_ECDHE_ECDSA_WITH_AES_128_CBC_SHA256 TLS_ECDHE_RSA_WITH_AES_128_CBC_SHA256 TLS_RSA_WITH_AES_128_CBC_SHA256 TLS_ECDHE_ECDSA_WITH_AES_128_CBC_SHA TLS_ECDHE_RSA_WITH_AES_128_CBC_SHA TLS_RSA_WITH_AES_128_CBC_SHA TLS_DHE_RSA_WITH_AES_128_CBC_SHA TLS_DHE_RSA_WITH_AES_128_CBC_SHA256"/>
<keyStore id="defaultKeyStore" location="ibm-team-ssl.keystore" type="JCEKS" password="{xor}Nj0ycis6PjI="/>
To this (new parts in bold):
<ssl id="defaultSSLConfig" keyStoreRef="defaultKeyStore" trustStoreRef="defaultTrustStore" sslProtocol="SSL" enabledCiphers="TLS_ECDHE_ECDSA_WITH_AES_128_CBC_SHA256 TLS_ECDHE_RSA_WITH_AES_128_CBC_SHA256 TLS_RSA_WITH_AES_128_CBC_SHA256 TLS_ECDHE_ECDSA_WITH_AES_128_CBC_SHA TLS_ECDHE_RSA_WITH_AES_128_CBC_SHA TLS_RSA_WITH_AES_128_CBC_SHA TLS_DHE_RSA_WITH_AES_128_CBC_SHA TLS_DHE_RSA_WITH_AES_128_CBC_SHA256"/>
<keyStore id="defaultTrustStore" location="cacerts" type="JKS" password="changeit" />
<keyStore id="defaultKeyStore" location="ibm-team-ssl.keystore" type="JCEKS" password="{xor}Nj0ycis6PjI="/>
NOTE this uses the default JRE trust store password 'changeit' as shipped in the Jazz JRE - it's probably a good idea to change this if you want to make the trust store harder to interfere with.
This manual change should no longer be needed when installing 7.0.1 see https://jazz.net/jazz/web/projects/Jazz%20Foundation#action=com.ibm.team.workitem.viewWorkItem&id=505608 and this is also planned to be resolved in 7.0.0 iFix003 see https://jazz.net/jazz/web/projects/Rational%20Team%20Concert#action=com.ibm.team.workitem.viewWorkItem&id=508417 - these use a slightly different method which works with the newer versions of Liberty in 7.0+.
Comments
<ssl id="defaultSSLConfig" keyStoreRef="defaultKeyStore" trustStoreRef="defaultTrustStore" sslProtocol="SSL" enabledCiphers="TLS_ECDHE_ECDSA_WITH_AES_128_CBC_SHA256 TLS_ECDHE_RSA_WITH_AES_128_CBC_SHA256 TLS_RSA_WITH_AES_128_CBC_SHA256 TLS_ECDHE_ECDSA_WITH_AES_128_CBC_SHA TLS_ECDHE_RSA_WITH_AES_128_CBC_SHA TLS_RSA_WITH_AES_128_CBC_SHA TLS_DHE_RSA_WITH_AES_128_CBC_SHA TLS_DHE_RSA_WITH_AES_128_CBC_SHA256"/>
<keyStore id="defaultTrustStore" location="cacerts" type="JKS" password="clmadmin"/>
<keyStore id="defaultKeyStore" location="ibm-team-ssl.keystore" type="JCEKS" password="{xor}Nj0ycis6PjI="/>
By default i knew after 6.0.4 the email notification wont work until unless we provide the certificate and import.So this will resolve that issue or after importing certificate we need to follow this method?After doing this server became down!
(For some reason I can't comment on your comment)
Adding the trust store is a general solution as the cacerts contains most (all?) of the current top-level CA certificates, I used this approach to test gmail notifications myself last week.
When editing server.xml also make sure to put cacerts in the correct folder - otherwise your server will go down.
To get smtp access to my gmail account I had to enable two factor authentication and then generate an app password. Then the settings in Jazz I used were port 587, and Use STARTTLS set to true. For the SMTP username I used my gmail email address and for the SMTP password I used the 16-digit app password. I put the gmail address in the from/reply email addresses, but not sure these are critical.