Customize SMTP settings for OTPBySMTPValve

This PhenixID Solution Document (PSD) is written for PhenixID Server.

This article describes the SMTP settings in PhenixID Server.

The reader should have some basic knowledge about PhenixID Server.

Overview

This document will describe the parameters to be configured on the OTPBySMTPValve.

The document also explains what to do if the SMTP server uses a certificate that the Java runtime does not trust.

If any changes are made, make sure to keep a recent backup copy of the affected file(s):

  • phenix-store.json (OTPBySMTPValve settings)
  • cacerts (import of the self-signed certificate into the Java trust store)
  • start-PhenixID.sh (JAVA_OPTS="${JAVA_OPTS} -Dmail.smtp.ssl.trust=*" on Linux)
  • phenixidserver.vmoptions and/or phenixservice.vmoptions (-Dmail.smtp.ssl.trust=* on Windows)

Instruction

These are the parameters to configure on the "OTPBySMTPValve":

  • "smtp_host" : "ip/dns name of the smtp server",
  • "smtp_port" : "port of the smtp server",
  • "ssl_on_connect" : "true/false", (to force SSL/TLS immediately on connect)
  • "smtp_from_address" : "sender address",
  • "start_tls_enabled" : "true/false", (to upgrade an otherwise plain text connection to TLS with STARTTLS)
  • "userid_param_name" : "User-Name/username", (used by the system, DO NOT CHANGE!)
  • "smtp_username" : "username if authentication is required on the smtp server",
  • "smtp_password" : "password for the authentication",
  • "mail_param_name" : "the attribute containing the smtp address, for example mail",
  • "generated_otp_name" : "generated_otp" (used by the system, DO NOT CHANGE!)

The end result should look like the example below:

{
	"name": "OTPBySMTPValve",
	"config": {
		"smtp_host": "172.16.220.10",
		"smtp_port": "25",
		"ssl_on_connect": "false",
		"smtp_from_address": "otpuser@org.local",
		"start_tls_enabled": "true",
		"userid_param_name": "User-Name",
		"smtp_username": "otpuser",
		"smtp_password": "{enc}xEkXe2W7OhB5qYsLZdUhjKmxOqWeyHf2y1qCZ3aTVjo=",
		"mail_param_name": "mail",
		"generated_otp_name": "generated_otp"
	}
}
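As an added example (not PhenixID code, and not part of this document), the script below checks an OTPBySMTPValve configuration against the parameter rules listed above before it is put into phenix-store.json: every listed parameter present, the two "DO NOT CHANGE" values untouched, at least one of ssl_on_connect/start_tls_enabled set to "true" so the SMTP login and the OTP do not cross the network in clear text, and smtp_password stored in the {enc} form the example uses. The store layout, the weak second valve and the helper names (find_otp_valves, check_otp_valve, audit_store) are constructed for the example; the real phenix-store.json structure is not assumed, which is why the search is a recursive walk.

```python
"""Sanity-check OTPBySMTPValve settings before they go into phenix-store.json.

Added example for this article; it is not PhenixID code and does not read the
real store file. It walks any JSON document for valves named OTPBySMTPValve and
checks them against the parameter rules given in the article, plus two
transport checks a reviewer would make. All sample data below is constructed;
the first valve mirrors the article's own configuration.
"""
import json

# Parameters the article lists for the valve; all are expected to be present.
REQUIRED_KEYS = {
    "smtp_host", "smtp_port", "ssl_on_connect", "smtp_from_address",
    "start_tls_enabled", "userid_param_name", "smtp_username",
    "smtp_password", "mail_param_name", "generated_otp_name",
}

# Parameters the article marks "used by the system, DO NOT CHANGE!".
FIXED_VALUES = {
    "userid_param_name": {"User-Name", "username"},
    "generated_otp_name": {"generated_otp"},
}


def find_otp_valves(node):
    """Recursively collect every {"name": "OTPBySMTPValve", "config": {...}} object."""
    found = []
    if isinstance(node, dict):
        if node.get("name") == "OTPBySMTPValve" and isinstance(node.get("config"), dict):
            found.append(node)
        for value in node.values():
            found.extend(find_otp_valves(value))
    elif isinstance(node, list):
        for item in node:
            found.extend(find_otp_valves(item))
    return found


def check_otp_valve(valve):
    """Return findings for one valve: 'ERROR: ...' breaks the valve, 'WARN: ...' weakens it."""
    config = valve["config"]
    findings = []
    for key in sorted(REQUIRED_KEYS - config.keys()):
        findings.append(f"ERROR: missing parameter '{key}'")
    for key, allowed in FIXED_VALUES.items():
        if key in config and config[key] not in allowed:
            findings.append(f"ERROR: '{key}' must stay one of {sorted(allowed)}, got '{config[key]}'")
    # Without TLS on connect or STARTTLS, the SMTP login and the OTP itself
    # travel in clear text between PhenixID Server and the mail server.
    ssl_on_connect = config.get("ssl_on_connect") == "true"
    start_tls = config.get("start_tls_enabled") == "true"
    if not (ssl_on_connect or start_tls):
        findings.append("WARN: neither ssl_on_connect nor start_tls_enabled is true; SMTP traffic is plain text")
    # The article's example stores the password as an {enc} string; a bare value is clear text.
    password = config.get("smtp_password", "")
    if password and not password.startswith("{enc}"):
        findings.append("WARN: smtp_password is stored in clear text, not in the {enc} form")
    return findings


# Constructed sample: the article's valve plus a deliberately weakened copy.
SAMPLE_VALVE = json.loads("""{
    "name": "OTPBySMTPValve",
    "config": {
        "smtp_host": "172.16.220.10", "smtp_port": "25", "ssl_on_connect": "false",
        "smtp_from_address": "otpuser@org.local", "start_tls_enabled": "true",
        "userid_param_name": "User-Name", "smtp_username": "otpuser",
        "smtp_password": "{enc}xEkXe2W7OhB5qYsLZdUhjKmxOqWeyHf2y1qCZ3aTVjo=",
        "mail_param_name": "mail", "generated_otp_name": "generated_otp"
    }
}""")
WEAK_VALVE = {
    "name": "OTPBySMTPValve",
    "config": dict(SAMPLE_VALVE["config"],
                   start_tls_enabled="false",
                   smtp_password="clear-text-password",   # constructed value
                   generated_otp_name="otp_code"),
}
# Constructed store layout; the real phenix-store.json structure is not assumed.
SAMPLE_STORE = {"pipes": [{"name": "demo-pipe", "valves": [SAMPLE_VALVE, WEAK_VALVE]}]}


def audit_store(store):
    """Map each OTPBySMTPValve found in the document (by position) to its findings."""
    return {index: check_otp_valve(v) for index, v in enumerate(find_otp_valves(store))}


if __name__ == "__main__":
    for index, findings in audit_store(SAMPLE_STORE).items():
        print(f"valve #{index}:", findings or ["OK"])
```

Run against the article's own valve the checker reports nothing; against the weakened copy it reports the changed generated_otp_name as an error and the missing TLS and clear-text password as warnings.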

For any changes to the OTPBySMTPValve after the initial configuration, go into the configuration UI, Scenarios, Radius, "Username, password and mail", <your scenario>. On the tab "Execution flow", edit the valve OTPBySMTPValve in your Pipe. When done, press "Save".

TLS and self-signed certificates

If the SMTP server uses a self-signed certificate, or a certificate that is not included in cacerts, there are two options.

The first option is to import the self-signed certificate into the file cacerts, located in <PhenixID Server installation directory>/jre/lib/security. This is the recommended way. An example of how to do this can be found here: http://docs.oracle.com/cd/E19340-01/820-6740/aeogk/index.html

The second option is to use a Java parameter that makes the mail client trust any certificate presented by the SMTP server.

For Linux, add the following to <PhenixID Server installation directory>/bin/start-PhenixID.sh:

JAVA_OPTS="${JAVA_OPTS} -Dmail.smtp.ssl.trust=*"

For Windows, add the following parameter to <PhenixID Server installation directory>/bin/phenixidserver.vmoptions and phenixservice.vmoptions:

-Dmail.smtp.ssl.trust=*
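The following script is an added example (not PhenixID code, and not part of this document) for auditing the second option after the fact. JavaMail reads the mail.smtp.ssl.trust property: "*" makes it accept any certificate from any SMTP server, so the connection is encrypted but the server is never authenticated; a host name (or whitespace-separated list of host names) makes it accept whatever those hosts present; and when the property is absent the server certificate is validated against cacerts, which is the state the first option above preserves. The script classifies the setting in the start-PhenixID.sh and .vmoptions files named in this document and builds the keytool command for the recommended import. File contents, paths, the function names (classify_trust, audit_startup_files, keytool_import_command), the jre/bin/keytool location and the default cacerts password "changeit" are assumptions made for the example.

```python
"""Audit PhenixID start-up files for -Dmail.smtp.ssl.trust.

Added example for this article, not PhenixID code. "*" disables certificate
validation for SMTP entirely; a host list disables it for those hosts only;
an absent property means the server certificate is validated against the
Java cacerts store (the recommended state). File contents are constructed.
"""
import re

# Captures the value of -Dmail.smtp.ssl.trust=...; the value ends at whitespace or a quote,
# so it works both for the JAVA_OPTS="..." line in start-PhenixID.sh and for .vmoptions lines.
TRUST_RE = re.compile(r"-Dmail\.smtp\.ssl\.trust=([^\s\"']+)")


def classify_trust(file_text):
    """Return 'absent', 'trust-all' or 'trust-hosts:<value>' for one start-up file."""
    match = TRUST_RE.search(file_text)
    if match is None:
        return "absent"
    value = match.group(1)
    return "trust-all" if value == "*" else "trust-hosts:" + value


def audit_startup_files(files):
    """files: {path: contents}. Returns {path: classification} for files that set the property."""
    return {path: classify_trust(text) for path, text in files.items()
            if classify_trust(text) != "absent"}


def keytool_import_command(install_dir, cert_file, alias, storepass="changeit"):
    """Build the argv for the recommended alternative: importing the server certificate
    into <install dir>/jre/lib/security/cacerts. Assumes (for this example) that the
    bundled JRE ships keytool under jre/bin and that cacerts still has the Java default
    password 'changeit'."""
    return [
        f"{install_dir}/jre/bin/keytool", "-importcert", "-noprompt",
        "-alias", alias,
        "-file", cert_file,
        "-keystore", f"{install_dir}/jre/lib/security/cacerts",
        "-storepass", storepass,
    ]


# Constructed file contents mirroring the article's two variants plus a clean file.
SAMPLE_FILES = {
    "/opt/PhenixID/bin/start-PhenixID.sh":
        'JAVA_OPTS="${JAVA_OPTS} -Dmail.smtp.ssl.trust=*"\n',
    "C:/PhenixID/bin/phenixservice.vmoptions":
        "-Xmx2048m\n-Dmail.smtp.ssl.trust=*\n",
    "C:/PhenixID/bin/phenixidserver.vmoptions":
        "-Xmx2048m\n-Dmail.smtp.ssl.trust=smtp.example.test\n",
    "/opt/Other/bin/start-PhenixID.sh":
        'JAVA_OPTS="${JAVA_OPTS} -Xmx2048m"\n',
}

if __name__ == "__main__":
    for path, state in audit_startup_files(SAMPLE_FILES).items():
        print(f"{path}: {state}")
    print(" ".join(keytool_import_command("/opt/PhenixID", "/tmp/smtp-server.crt", "smtp-server")))
```

Any file classified as trust-all is a candidate for moving back to the first option: import the SMTP server's certificate with the generated keytool command, remove the -Dmail.smtp.ssl.trust parameter, and restart the service.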