34.7 SSL Switches

The GWIA can use SSL to enable secure SMTP, POP, IMAP, and HTTP connections. The following switches can be used to 1) specify the server certificate file, key file, and key file password required for SSL and 2) enable or disable SSL for SMTP, POP, IMAP, and HTTP connections. See Securing Internet Access with TLS Connections to the GWIA.

34.7.1 --certfile

Specifies the server certificate file to use. The file must be in Base64/PEM or PFX format. If the file is not in the same folder as the GWIA program, specify the full path.

Syntax: --certfile file_name

Example: --certfile \\server1\sys\server1.crt

34.7.2 --dhparm

Specifies a Diffie-Hellman cipher parameters file used for SSL/TLS to replace the default parameters set by GroupWise. GroupWise uses default Diffie-Hellman parameters of 2048 bits to generate the DH key. A valid DH parameter is in PEM format.

 

Linux

Windows

Syntax:

--dhparm directory/pemfile

/dhparm directory/pemfile

Example:

--dhparm /var/tmp/dh.pem

/dhparm C:\temp\dh.pem

34.7.3 --keyfile

Specifies the private key file to use. The key file is required if the certificate file does not contain the key. If the certificate file contains the key, do not use this switch. When specifying a file name, use the full path if the file is not in the same folder as the GWIA program.

Syntax: --keyfile file_name

Example: --keyfile \\server1\sys\server1.key

34.7.4 --keypasswd

Specifies the private key password. If the key does not require a password, do not use this switch.

Syntax: --keypasswd password

Example: --keypasswd novell

34.7.5 --smtpssl

Enables the GWIA to use a secure connection to other SMTP hosts. The SMTP host must also be enabled to use SSL or TLS (Transport Layer Security); if it is not, a non-secure connection is used. Valid settings are enabled and disabled.

Syntax: --smtpssl setting

Example: --smtpssl enabled

34.7.6 --httpssl

Enables the GWIA to use a secure connection to a web browser being used to display the GWIA console. The web browser must also be enabled to use SSL; if it is not, a non-secure connection is used. Valid settings are enabled and disabled.

Syntax: --httpssl setting

Example: --httpssl enabled

34.7.7 ‑‑ldapMinTLS

Specify the minimum allowed TLS version for LDAP connections. For security reasons, GroupWise defaults to TLS 1.2 as the minimum allowed version. However, to support older directories, you can overwrite the default by specifying either “TSLv1” or “TLSv1_1”.

Linux POA

Windows POA

Syntax:

  • ‑‑ldapMinTLS TLS_version
  • /ldapMinTLS-TLS-version

Example:

  • ‑‑ldapMinTLS TLSv1
  • /ldapMinTLS-TLSv1

NOTE:Not available in versions older than GroupWise 18.3.

34.7.8 --popssl

Disables, enables, or requires secure (SSL) connections between POP3 clients and the GWIA.

Syntax: --popssl enabled|disabled|required

Example: --popssl required

Option

Description

enabled

The POP3 client determines whether an SSL connection or non-SSL connection is used. By default, the GWIA listens for SSL connections on port 995 and non-SSL connections on port 110. You can use the ‑‑popsport and ‑‑popport switches to change these ports.

required

The GWIA forces SSL connections on port 995 and port 110. Non-SSL connections are denied. You can use the ‑‑popsport and ‑‑popport switches to change these ports.

disabled

The GWIA listens for connections only on port 110, and the connections are not secure. You can use the ‑‑popport switch to change this port.

34.7.9 --imapssl

Disables, enables, or requires secure (SSL) connections between IMAP4 clients and the GWIA.

Syntax: --IMAP4ssl enabled|disabled|required

Example: --popssl required

Option

Description

enabled

The IMAP4 client determines whether an SSL connection or non-SSL connection is used. By default, the GWIA listens for SSL connections on port 993 and non-SSL connections on port 143. You can use the ‑‑imapsport and ‑‑imapport switches to change these ports.

required

The GWIA forces SSL connections on port 993 and port 143. Non-SSL connections are denied. You can use the ‑‑imapsport and ‑‑imapport switches to change these ports.

disabled

The GWIA listens for connections only on port 143, and the connections are not secure. You can use the /imapport switch to change this port.

34.7.10 --sslciphersuite

Sets the SSL cipher suites used by the agents. The cipher list must be in OpenSSL format. For more information on OpenSSL format, see Cipher List Format.

 

Linux POA

Windows POA

Syntax:

--sslciphersuite “setting”

/sslciphersuite-”setting

Example:

--sslciphersuite “HIGH:!AECDH:!EXP:@STRENGTH”

/sslciphersuite-”HIGH:!AECDH:!EXP:@STRENGTH”

34.7.11 --ssloption

Specify a specific SSL protocol to disable. By specifying ssl_OP_NO_sslv1, GroupWise will disable SSLv1 support. Specify additional options by adding the SSL key work separated by a comma.

 

Linux

Windows

Syntax:

--ssloption ssl_protocol

/ssloption ssl_protocol

Example:

--ssloption ssl_OP_NO_sslv1,ssl_OP_NO_sslv1_1

/ssloption ssl_OP_NO_sslv1,ssl_OP_NO_sslv1_1