We would like to configure Zimbra Network Edition to require a client-side certificate to authenticate the client to the Zimbra server for both Web Mail and ActiveSync for mobile phones. We followed the instructions in Gautam-Notes - Zimbra :: Wiki and did get it to work with an extra step.
The notes stated to execute the following command to add our CA certificate as a trusted certificate issuer.
/opt/zimbra/bin/zmcertmgr addcacert <certfile>
This adds the CA certificate to the JRE keystore file, but the Jetty web server does not appear to use that keystore file. We installed the CA certificate in the Jetty keystore file as well.
# cd /opt/zimbra/jetty-6.1.22.z6/etc
# /opt/zimbra/jdk1.6.0_26/bin/keytool -importcert -v -keystore keystore -file /opt/pki/crt/ca.crt
Our reasoning for insisting on client-side certificates is that we want to reduce the pounding an Internet-exposed web server takes. Without a recognized client-side certificate, the server closes the session very early in the SSL handshake.
We encountered the following issues that prevent us from moving forward:
- Zimbra requires that certificate-based client authentication be performed on a separate port other than 443 AND that "/certauth" be appended to the URL. Although this is doable from a browser, I can't see how to do that on my Android phone with Touchdown. The Touchdown configuration wants a host name, not a URL.
- After certificate-based client authentication completes on port 4443, Zimbra redirects the client to port 443. This defeats the purpose of certificate-based client authentication, since port 443 must remain exposed to non-authenticated clients. I am sure there is a way to configure Jetty to do this by modifying Jetty configuration files directly, but I am not sure how to do it using Zimbra commands.
Has anyone tried to do what I describe? Any insight would be greatly appreciated.
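An added check, not part of the original post or of Zimbra itself: the quickest way to verify from the outside which port actually demands a client certificate, and whether the CA you imported into the Jetty keystore is the one the server advertises, is to connect with `openssl s_client` and no client certificate. When the server sends a CertificateRequest during the handshake, `s_client` prints an "Acceptable client certificate CA names" section listing the issuers it will accept; when it does not, it prints "No client certificate CA names sent". The script below wraps that probe and parses the output. The host name `mail.example.com`, the ports 443 and 4443 and the CA name `Example Corp Root CA` are assumptions, and the two `SAMPLE_*` variables are constructed `s_client` transcripts used only to exercise the parser offline.

```shell
#!/bin/sh
# Added example (not from the original post): probe whether a TLS port demands
# a client certificate, by parsing `openssl s_client` output.
# Host, ports and CA name below are assumptions.

# Classify the text captured from `openssl s_client`. Prints one of:
#   requests-client-cert - server sent a CertificateRequest (lists acceptable CAs)
#   no-client-cert       - handshake completed without a CertificateRequest
#   handshake-failed     - no usable handshake output (refused, not TLS, ...)
classify_s_client_output() {
    out="$1"
    if printf '%s\n' "$out" | grep -q '^Acceptable client certificate CA names'; then
        echo requests-client-cert
    elif printf '%s\n' "$out" | grep -q '^No client certificate CA names sent'; then
        echo no-client-cert
    else
        echo handshake-failed
    fi
}

# Print the CA names the server advertised, one per line. The list ends at the
# next "---" separator (older OpenSSL) or at the "Client Certificate Types" /
# "Requested Signature Algorithms" lines (OpenSSL 1.1.1 and later).
acceptable_ca_names() {
    printf '%s\n' "$1" | awk '
        /^Acceptable client certificate CA names/ { inlist = 1; next }
        inlist && (/^---/ || /^Client Certificate Types/ || /^Requested Signature Algorithms/) { exit }
        inlist { print }'
}

# Connect to host:port without offering a client certificate and report
# the verdict plus any advertised CA names. Requires network access.
probe_client_cert_requirement() {
    host="$1"; port="$2"
    out=$(openssl s_client -connect "$host:$port" -servername "$host" </dev/null 2>&1)
    verdict=$(classify_s_client_output "$out")
    echo "$host:$port $verdict"
    if [ "$verdict" = requests-client-cert ]; then
        acceptable_ca_names "$out" | sed 's/^/  acceptable CA: /'
    fi
}

# CONSTRUCTED sample transcripts (abridged), used to exercise the parser offline.
# What a port that demands a client certificate looks like:
SAMPLE_4443=$(cat <<'EOF'
CONNECTED(00000003)
---
Certificate chain
 0 s:/CN=mail.example.com
   i:/CN=Example Corp Root CA
---
Server certificate
subject=/CN=mail.example.com
issuer=/CN=Example Corp Root CA
---
Acceptable client certificate CA names
/CN=Example Corp Root CA
---
SSL handshake has read 1234 bytes and written 456 bytes
EOF
)

# What a port that never asks for a client certificate looks like:
SAMPLE_443=$(cat <<'EOF'
CONNECTED(00000003)
---
Certificate chain
 0 s:/CN=mail.example.com
   i:/CN=Example Corp Root CA
---
Server certificate
subject=/CN=mail.example.com
issuer=/CN=Example Corp Root CA
---
No client certificate CA names sent
---
SSL handshake has read 1234 bytes and written 456 bytes
EOF
)

# Usage: sh probe.sh mail.example.com 4443 ; sh probe.sh mail.example.com 443
if [ "$#" -ge 2 ]; then
    probe_client_cert_requirement "$1" "$2"
fi
```

Run it against both ports: the expected picture for the configuration described above is `requests-client-cert` on 4443 with your CA in the list and `no-client-cert` on 443, which makes the redirect-to-443 problem visible from the outside as well. If 4443 reports `requests-client-cert` but the imported CA is missing from the list, the server is reading a different keystore than the one you imported into.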