In this guide, we’ll walk you through configuring IBM Db2 Data Management Console (DMC) to send email through a Postfix SMTP server over TLS. It specifically addresses setups where Postfix presents a self-signed certificate instead of one issued by a trusted Certificate Authority (CA): DMC runs on Java, and its JVM rejects such a certificate until it has been added to the Java truststore that DMC uses. You’ll learn how to import the self-signed certificate into DMC’s Java keystore so that DMC and your Postfix SMTP server establish a trusted, encrypted connection.
Prerequisites
- Access to the Postfix SMTP server.
- Access to the DMC installation folder.
- Necessary permissions to execute commands and modify the keystore.
Identify the SSL Certificate Used by Postfix
First, determine which certificate your Postfix SMTP server is currently using. This is set in the Postfix configuration file (main.cf).
Run the Following Command
grep -E 'smtpd_tls_cert_file|smtpd_tls_key_file' /etc/postfix/main.cf
Example Output :
smtpd_tls_cert_file=/etc/ssl/certs/ssl-cert-snakeoil.pem
smtpd_tls_key_file=/etc/ssl/private/ssl-cert-snakeoil.key
In this example, the certificate being used is located at /etc/ssl/certs/ssl-cert-snakeoil.pem.
Check the Content of the Certificate
The following command prints the certificate in PEM form, which is exactly the text you will copy to the DMC machine (to see the decoded fields such as subject, validity and Subject Alternative Name instead, add the -noout -text options):
openssl x509 -in /etc/ssl/certs/ssl-cert-snakeoil.pem
Example Output :
root@jobin-test-machine1:~# openssl x509 -in /etc/ssl/certs/ssl-cert-snakeoil.pem
-----BEGIN CERTIFICATE-----
MIIDPTCCAiWgAwIBAgIUOSyMbZI0wK/eriBg29cqI++WWPYwDQYJKoZIhvcNAQEL
BQAwKzEpMCcGA1UEAwwgam9iaW4tdGVzdC1tYWNoaW5lMS5meXJlLmlibS5jb20w
... (truncated for brevity)
-----END CERTIFICATE-----
Copy the Certificate Content
- Capture the Output: Run the openssl x509 command above and capture all the text from -----BEGIN CERTIFICATE----- through -----END CERTIFICATE-----, inclusive.
- Create a New File: On your DMC machine, create a new file named ssl-cert-snakeoil.pem using a text editor such as nano or vi. For example, using nano:
nano /path/to/ssl-cert-snakeoil.pem
Replace /path/to/ with the directory where you want to save the file.
- Paste the Certificate: Paste the copied certificate content into the new file, including both the -----BEGIN CERTIFICATE----- and -----END CERTIFICATE----- lines. A missing or corrupted line will make keytool reject the file.
- Save the File: In nano, save the file with CTRL + O, then Enter, and exit with CTRL + X.
If you have SSH access to both machines, copying the file with scp instead of pasting it avoids transcription errors.
Locate the DMC Installation Folder
Find the DMC installation directory on your server. For example:
/root/ibm-datamgmtconsole
Identify the Keystore Location
The default Java keystore file (cacerts) is usually found at:
/root/ibm-datamgmtconsole/java/jre/lib/security/cacerts
Import the Certificate into the Keystore
Back up the cacerts file first so you can roll back, then import the certificate. The command below assumes you are in the same directory where you created the ssl-cert-snakeoil.pem file:
sudo keytool -importcert -file ssl-cert-snakeoil.pem -keystore /root/ibm-datamgmtconsole/java/jre/lib/security/cacerts -alias smtp-cert -storepass changeit
keytool prints the certificate details and prompts Trust this certificate? [no]:. Before answering yes, compare the SHA256 fingerprint it shows with the fingerprint of the certificate file on the Postfix host; this prompt is the only point at which a wrong or tampered certificate can be caught.
Note: changeit is the default password for the Java keystore. If this password has been changed, provide the updated password instead. Passing the password with -storepass leaves it in your shell history; keytool also accepts -storepass:env VARNAME to read it from an environment variable.
Example Output :
root@c41440v1:~/smtp_cert# sudo keytool -importcert -file ssl-cert-snakeoil.pem -keystore /root/ibm-datamgmtconsole/java/jre/lib/security/cacerts -alias smtp-cert -storepass changeit
Owner: CN=jobin-test-machine1.com
Issuer: CN=jobin-test-machine1.com
Serial number: 392c8c6d9234c0afdeae2060dbd72a23ef9658f6
Valid from: Tue Oct 08 02:04:39 PDT 2024 until: Fri Oct 06 02:04:39 PDT 2034
Certificate fingerprints:
SHA1: BB:A0:27:27:F7:F8:A3:33:6E:6F:FB:B9:84:CC:5A:FA:1E:55:2D:37
SHA256: 4A:C7:99:EC:98:77:30:FE:E6:4D:4C:09:24:EA:50:CF:A0:75:D1:DB:91:5F:EF:44:F6:90:A1:CB:8C:A8:43:D2
Signature algorithm name: SHA256withRSA
Subject Public Key Algorithm: 2048-bit RSA key
Version: 3
Extensions:
#1: ObjectId: 2.5.29.19 Criticality=false
BasicConstraints:[
CA:false
PathLen: undefined
]
#2: ObjectId: 2.5.29.17 Criticality=false
SubjectAlternativeName [
DNSName: jobin-test-machine1.com
]
#3: ObjectId: 2.5.29.14 Criticality=false
SubjectKeyIdentifier [
KeyIdentifier [
0000: ED C9 4E E4 14 2A 44 1D 3D 11 1C 2D 68 1F 57 FF ..N..*D.=..-h.W.
0010: 17 31 81 20 .1.
]
]
Trust this certificate? [no]: yes
Certificate was added to keystore
Verify the Import
You can verify that the certificate has been added to the keystore by running:
keytool -list -keystore /root/ibm-datamgmtconsole/java/jre/lib/security/cacerts -storepass changeit -alias smtp-cert
Example Output :
root@c41440v1:~/smtp_cert# keytool -list -keystore /root/ibm-datamgmtconsole/java/jre/lib/security/cacerts -storepass changeit -alias smtp-cert
smtp-cert, Oct 22, 2024, trustedCertEntry,
Certificate fingerprint (SHA-256): 4A:C7:99:EC:98:77:30:FE:E6:4D:4C:09:24:EA:50:CF:A0:75:D1:DB:91:5F:EF:44:F6:90:A1:CB:8C:A8:43:D2
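The identify, copy, import and verify steps above can be done without hand-copying PEM text. The script below is an added example, not code from the original page or from DMC or Postfix: run on the DMC host, it fetches the certificate Postfix actually presents after STARTTLS, refuses to proceed unless its SHA-256 fingerprint matches the value you read on the Postfix host (openssl x509 -noout -fingerprint -sha256 -in /etc/ssl/certs/ssl-cert-snakeoil.pem), backs up and updates cacerts, and then verifies the live connection against the entry now held in the truststore. Assumptions: the DMC layout from this page with a bundled keytool at java/jre/bin/keytool (override with KEYTOOL=keytool), the alias smtp-cert, openssl on the DMC host, and STARTTLS on the port you pass.

```shell
#!/bin/sh
# Added example (not part of the original page or of DMC/Postfix): fetch the
# certificate Postfix presents over STARTTLS, check its SHA-256 fingerprint
# against the value read on the Postfix host, import it into DMC's bundled JRE
# truststore, and verify the live connection against what the truststore holds.
# Assumed: DMC_HOME layout as on the page, STARTTLS on the given port,
# alias "smtp-cert", openssl available on the DMC host.
set -eu

DMC_HOME="${DMC_HOME:-/root/ibm-datamgmtconsole}"
CACERTS="$DMC_HOME/java/jre/lib/security/cacerts"
KEYTOOL="${KEYTOOL:-$DMC_HOME/java/jre/bin/keytool}"   # bundled JRE's keytool (assumed path)
export STOREPASS="${STOREPASS:-changeit}"              # default JRE truststore password
ALIAS="smtp-cert"

# Keep only the first PEM block from noisy 'openssl s_client' output (stdin):
# that is the server certificate; chain certs and session info after it are dropped.
extract_pem() {
    awk '/-----BEGIN CERTIFICATE-----/ {p=1} p {print} p && /-----END CERTIFICATE-----/ {exit}'
}

# Normalise a fingerprint for comparison: accept "SHA256 Fingerprint=AA:BB:..",
# "sha256/AA:BB:.." or bare hex; strip the label and colons, upper-case it.
norm_fp() {
    printf '%s' "$1" | sed 's/.*[=/]//' | tr -d ':' | tr 'a-f' 'A-F'
}
same_fp() { [ "$(norm_fp "$1")" = "$(norm_fp "$2")" ]; }

# True when s_client output (stdin) reports a fully verified chain.
verify_ok() { grep -q 'Verify return code: 0 (ok)'; }

# Certificate presented by the SMTP server after STARTTLS, as PEM.
fetch_cert() {   # $1=host $2=port
    openssl s_client -starttls smtp -connect "$1:$2" -servername "$1" </dev/null 2>/dev/null | extract_pem
}

pem_fp() { openssl x509 -in "$1" -noout -fingerprint -sha256; }

# Import $1 under $ALIAS, keeping a dated backup of cacerts for rollback and
# replacing an older entry (certificate rotation). The password is read from
# the environment so it does not land in shell history or 'ps' output.
import_cert() {
    cp -p "$CACERTS" "$CACERTS.bak.$(date +%Y%m%d%H%M%S)"
    if "$KEYTOOL" -list -keystore "$CACERTS" -storepass:env STOREPASS -alias "$ALIAS" >/dev/null 2>&1; then
        "$KEYTOOL" -delete -keystore "$CACERTS" -storepass:env STOREPASS -alias "$ALIAS"
    fi
    "$KEYTOOL" -importcert -noprompt -file "$1" -keystore "$CACERTS" -storepass:env STOREPASS -alias "$ALIAS"
}

main() {   # $1=smtp host  $2=port  $3=expected SHA-256 fingerprint read on the Postfix host
    host=$1; port=$2; expected=$3
    work=$(mktemp -d); trap 'rm -rf "$work"' EXIT
    fetch_cert "$host" "$port" > "$work/server.pem"
    grep -q 'BEGIN CERTIFICATE' "$work/server.pem" \
        || { echo "no certificate received from $host:$port (is STARTTLS offered?)" >&2; exit 1; }
    actual=$(pem_fp "$work/server.pem")
    same_fp "$actual" "$expected" \
        || { echo "fingerprint mismatch, not importing: $actual" >&2; exit 1; }
    import_cert "$work/server.pem"
    # Verify the live connection against the entry now in the truststore,
    # not against the file we think we imported.
    "$KEYTOOL" -exportcert -rfc -keystore "$CACERTS" -storepass:env STOREPASS -alias "$ALIAS" > "$work/trusted.pem"
    openssl s_client -starttls smtp -connect "$host:$port" -servername "$host" -CAfile "$work/trusted.pem" \
        </dev/null 2>/dev/null | verify_ok \
        && echo "OK: $host:$port verifies against $ALIAS in $CACERTS; restart DMC to load it" \
        || { echo "imported, but verification against $CACERTS failed" >&2; exit 1; }
}

if [ "$#" -eq 3 ]; then main "$@"; fi
```

Usage on the DMC host: sh trust_postfix_cert.sh mail.example.test 25 'SHA256 Fingerprint=4A:C7:...' (hostname and fingerprint are placeholders). Comparing the fingerprint before importing is what turns "trust whatever answered on port 25" into "trust the certificate my Postfix host is configured with"; the final s_client check uses the certificate exported back out of cacerts, so it confirms the truststore entry DMC will actually rely on.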
Test Email Sending
On the DMC Email Configuration page, provide the basic email server details:
- Hostname
- Server port
- Sender’s email address
Then, select the Use TLS option.
Enter the hostname exactly as it appears in the certificate (the DNSName under SubjectAlternativeName shown during the import), not an IP address, so that any host name check DMC performs can succeed.
Next, enter a sample destination email address and test whether the configuration is working properly. The JVM loads its truststore when DMC starts, so a certificate imported while DMC is running may not be picked up until DMC is restarted; if the test fails, restart DMC and test again.
Restart DMC
To restart the DMC, run the following command:
/root/ibm-datamgmtconsole/bin/restart.sh
Example Output :
root@c41440v1:~/ibm-datamgmtconsole/bin# ./restart.sh
Tue Oct 22 23:34:43 PDT 2024 Stopping IBM Db2 Data Management Console
Stopping server dsweb.
Server dsweb stopped.
Tue Oct 22 23:34:53 PDT 2024 Successfully stopped IBM Db2 Data Management Console.
Updating the application server bootstrap and environment properties ...
Updating the applications ...
Tue Oct 22 23:35:05 PDT 2024 Starting IBM Db2 Data Management Console.
Starting server dsweb.
Server dsweb started with process ID 3843570.
Tue Oct 22 23:37:10 PDT 2024 Successfully started IBM Db2 Data Management Console.
******************************************************************************
Summary
* Web console HTTP URL
http://c41440v1.com:11080/console
* Web console HTTPS URL
https://c41440v1.com:11081/console