Bare Metal Project - Java (HISP only) - CentOS x86-64

From Direct Project
Jump to: navigation, search
This page documents the bare metal install of the Java reference implementation from a pre-compiled assembly (no source) on the CentOS 5.5 x86-64. For a source install, see Bare Metal Project - Java (source).


This document is a starting-point, from which a production HISP can be derived. It is not meant to be a final solution for real-world scenarios. It documents the fastest and simplest way to launch a operational instance using the Java reference implementation.

It is strongly advised and encouraged to back the reference implementation with a tested and proven enterprise mail server. Please review the various deployment models and configurations with your architect and decide which best suits your needs. This should also involve input from you security officer to evaluate things such as HIPAA compliance.

The bare metal install is not HIPAA compliant.


  1. Assumed that the user is root or has sudo privileges.
  2. Assumed that the HISP already has MX and related DNS records set up.
  3. The unzip command is installed and available.

For a reference on creating certificates and trust anchors using the tool provided in the Java reference implementation, please see TBD.

Obtain and Install the Assembly

Steps for obtaining and installing the pre-compiled assembly.

Install Java

Install Sun Java 6 JDK. By default it is not included in the shipped repository, and needs to be added manually. 

  1. Go to the Sun/Oracle download page and hit the Download JDK button under the Java Platform Standard Edition for JDK 6 Update 22.
  2. On the next page, select Linux 64 from the drop-down selector and hit the Continue button.
  3. Download the file labeled jdk-6u22-linux-x64-rpm.bin

After changing directories to the download location.

chmod 755 jdk-6u22-linux-x64-rpm.bin
sudo ./jdk-6u22-linux-x64-rpm.bin

Change alternatives

After installing, need to update java alternatives to use the newly installed Java version instead of shipped version. Start by creating alternatives for the new java commands installed above.
sudo alternatives --install /usr/bin/java java /usr/java/jdk1.6.0_22/bin/java 100 sudo alternatives --install /usr/bin/jar jar /usr/java/jdk1.6.0_22/bin/jar 100 sudo alternatives --install /usr/bin/javac javac /usr/java/jdk1.6.0_22/bin/javac 100

Continue by selecting the new alternative for each command:

sudo alternatives --config java
sudo alternatives --config jar
sudo alternatives --config javac

Finally set the JAVA_HOME environment variable for the new JDK

export JAVA_HOME=/usr/java/jdk1.6.0_22
echo "export JAVA_HOME=$JAVA_HOME" >> ~/.bashrc

Java Cryptographic Extensions

Download and install the Java Cryptographic Extensions.
Unzip the resulting files, and place the jar files in $JAVA_HOME/jre/lib/security.

The jar files in zip may be older than the ones found in your JDK. You must replace the files in your JDK regardless of data. JDKs by default are not package with the strong encryption policy jars.
unzip* sudo cp jce/local_policy.jar $JAVA_HOME/jre/lib/security sudo cp jce/US_export_policy.jar $JAVA_HOME/jre/lib/security rm -rf jce*

Obtain the Assembly

Obtain the pre-built assembly from the Sonatype repository or the google code repository downloads page.



Extract James and Tomcat

Extract the Apache James mail server with security agent, and Apache Tomcat with configuration service.
tar xvfz DirectGateway-M1.tar.gz export DIRECT_HOME=`pwd`/direct echo "export DIRECT_HOME=$DIRECT_HOME" >> ~/.bashrc

Enable the configuration port

Allow port 8081 on the local network as follows
sudo iptables -I INPUT -p tcp --dport 8081 -j ACCEPT sudo service iptables save

Disable sendmail

Disable the default sendmail service
sudo service sendmail stop sudo chkconfig sendmail off

Run Tomcat

Run Apache Tomcat and start the configuration service.
cd $DIRECT_HOME/apache-tomcat-6.0.29 sh bin/

Note: Give this step a minute or two to start the server before continuing to the next step.

Configure James (manual step)

  1. Log into [1] with username:admin and password:adm1nD1r3ct
  2. Click New Domain.
    1. Enter the Domain Name and Postmaster E-Mail Address for the domain this HISP will be handling.
    2. Choose ENABLED as the status.
  3. Click the Anchors tab.
    1. Import trust anchors.
    2. Choose ENABLED as the status.
  4. Click Cancel and click Go To Certificates.
    1. Import certificates.
    2. Choose ENABLED as the status.
  5. Click Cancel and click Go To Settings.
    1. Add setting key:PrivateStoreType with value:WS
    2. Add setting key:AnchorStoreType with value:WS
    3. Add setting key:PublicStoreType with value:DNS,WS
    4. Add setting key:MDNAutoResponse with value:true

Tell James the domain this HISP will be handling by replacing with your domain.

cd $DIRECT_HOME/james-2.3.2
sh bin/

Run James

Start the Apache James mail server with security trust agent.
cd $DIRECT_HOME/james-2.3.2 sudo -E sh bin/ > james.log 2>&1 &

Create James users (manual step)

Create users that will be using the Apache James mail server.
telnet localhost 4555 > root > root > adduser username password > quit

Recommended Next Steps

Following are optional, but recommended, next steps to secure your environment.

Secure Configuration Service Port (8081)

To secure the configuration service, it is recommended to limit access to port 8081 to localhost and/or a local subnet.

Secure Configuration Service Password

To further protect the configuration service, or if port 8081 must remain public, it is recommended to change the default password.
cp $DIRECT_HOME/apache-tomcat-6.0.29/webapps/config-ui/WEB-INF/config-servlet.xml $DIRECT_HOME/apache-tomcat-6.0.29/webapps/config-ui/WEB-INF/config-servlet.xml.orig sed -i "s/adm1nD1r3ct/your_new_password/g" $DIRECT_HOME/apache-tomcat-6.0.29/webapps/config-ui/WEB-INF/config-servlet.xml sh bin/ sh bin/