You should strengthen native GroupWise encryption with Secure Sockets Layer (SSL) communication between servers where GroupWise agents are installed. If you have not already set up SSL on your system, you must complete the following tasks:
If you have already set up SSL on your system and are using it with other applications besides GroupWise, skip to Section 71.2.6, Configuring the Agents to Use SSL.
Before the GroupWise agents can use SSL, you must create a Certificate Signing Request (CSR) and obtain a public certificate file. The CSR includes the hostname of the server where the agents run. Therefore, you must create a CSR for every server where you want the GroupWise agents to use SSL. However, all GroupWise agents running on the same server can use the same resulting certificate, so you do not need separate CSRs for different agents. The CSR also includes your choice of name and password for the private key file that must be used with each certificate. This information is needed when configuring the agents to use SSL.
One way to create a CSR is to use the GWCSRGEN utility. This utility takes the information you provide and creates a .csr file from which a public certificate file can be generated.
Start the GroupWise Generate CSR utility.
Fill in the fields in the Private Key box. The private key information is used to create both the Private Key file and the Certificate Signing Request file.
Key Filename: Specify a name for the Private Key file (for example, server1.key). If you don’t want the file stored in the same directory as the GWCSRGEN utility, specify a full path with the filename (for example, c:\server1.key or /opt/novell/groupwise/certs/server1.key).
Key Password: Specify the password for the private key. The password can be up to 256 characters (single-byte environments).
Verify Password: Specify the password again.
Fill in the fields in the Certificate Signing Request box.
CSR Filename: Specify a name for the Certificate Signing Request file (for example, server1.csr). If you don’t want the file stored in the same directory as the GWCSRGEN utility, specify a full path with the filename (for example, c:\server1.csr or /opt/novell/groupwise/certs/server1.csr).
Fill in the fields in the Required Information box. This information is used to create the CSR file. You must fill in all fields to generate a valid CSR file.
Country: Specify the two-letter abbreviation for your country (for example, US).
State/Province: Specify the name of your state or province (for example, Utah). Use the full name. Do not abbreviate it.
City: Specify the name of your city (for example, Provo).
Organization: Specify the name of your organization (for example, Novell, Inc.).
Division: Specify your organization’s division that this certificate is being issued to (for example, Novell Product Development).
Hostname of Server: Specify the DNS hostname of the server where the server certificate will be used (for example, dev.provo.novell.com).
Click to generate the CSR file and Private Key file. The CSR and Private Key files are created with the names and in the locations you specified in the Key Filename and CSR Filename fields.
For convenience, if you need to generate multiple certificates, you can record the information for the above fields in a configuration file so that the information is automatically provided whenever you run the Generate CSR utility. The configuration file must have the following format:
[Private Key]
Location =
Extension = key
[CSR]
Location =
Extension = csr
[Required Information]
Country =
State =
City =
Organization =
Division =
Hostname =
If you do not want to provide a default for a certain field, insert a comment character (#) in front of that line. Name the file gwcsrgen.cnf. Save the file in the same directory where the utility is installed:
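Because GWCSRGEN needs every Required Information field to produce a valid CSR, it is useful to see at a glance which fields a gwcsrgen.cnf file leaves without a default (empty, or commented out with #) before running the utility on a batch of servers. The following shell script is an added example, not part of the GroupWise documentation or the GWCSRGEN utility; it reads a file in the format shown above and lists the [Required Information] keys that have no value. The sample file it writes is constructed for illustration (the organization and hostname values are placeholders).

```shell
#!/bin/sh
# Added example (not from the GroupWise documentation): report which
# [Required Information] fields of a gwcsrgen.cnf file have no default.

# required_info_value <cnf> <key>
# Prints the value of <key> from the [Required Information] section only.
# A line commented out with # never matches, because its name would be
# "#Key" rather than "Key".
required_info_value() {
    awk -v k="$2" '
        /^[ \t]*\[/ { insec = ($0 ~ /^[ \t]*\[Required Information\][ \t]*$/); next }
        insec && index($0, "=") {
            name = substr($0, 1, index($0, "=") - 1); gsub(/[ \t]/, "", name)
            if (name == k) {
                v = substr($0, index($0, "=") + 1); gsub(/^[ \t]+|[ \t]+$/, "", v)
                print v; exit
            }
        }' "$1"
}

# missing_required_info <cnf>
# Prints the space-separated list of required keys without a value.
missing_required_info() {
    out=""
    for key in Country State City Organization Division Hostname; do
        [ -n "$(required_info_value "$1" "$key")" ] || out="$out${out:+ }$key"
    done
    printf '%s\n' "$out"
}

# check_required_info <cnf>
# Returns 0 when every required field has a default, 1 otherwise.
check_required_info() {
    missing=$(missing_required_info "$1")
    if [ -n "$missing" ]; then
        echo "$1: no default for: $missing (GWCSRGEN will need these typed in)" >&2
        return 1
    fi
    echo "$1: all Required Information fields have defaults"
}

# write_sample_cnf <path>
# Writes a constructed gwcsrgen.cnf: Division is left empty and Hostname is
# commented out, the usual choice when one file serves several servers.
write_sample_cnf() {
    printf '%s\n' \
        '[Private Key]' \
        'Location = /opt/novell/groupwise/certs' \
        'Extension = key' \
        '[CSR]' \
        'Location = /opt/novell/groupwise/certs' \
        'Extension = csr' \
        '[Required Information]' \
        'Country = US' \
        'State = Utah' \
        'City = Provo' \
        'Organization = Example Corp' \
        'Division = ' \
        '# Hostname = ' > "$1"
}

# Run as "sh check_cnf.sh demo" (hypothetical script name) to try it on the
# constructed sample; with no argument only the functions are defined.
if [ "${1:-}" = "demo" ]; then
    d=$(mktemp -d)
    write_sample_cnf "$d/gwcsrgen.cnf"
    check_required_info "$d/gwcsrgen.cnf"
fi
```

The check intentionally reads only the [Required Information] section, so a key such as Location under [Private Key] cannot satisfy it, and a commented-out line is reported as missing exactly as GWCSRGEN treats it.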
To obtain a server certificate, you can submit the Certificate Signing Request (server_name.csr file) to a Certificate Authority. If you have not previously used a Certificate Authority, you can use the keywords “Certificate Authority” to search the Web for Certificate Authority companies. The Certificate Authority must be able to provide the certificate in Base64/PEM or PFX format.
The process of submitting the CSR varies from company to company. Most provide online submission of the request. Please follow their instructions for submitting the request.
The Novell Certificate Server, which runs on a NetWare® server with Novell eDirectory™, enables you to establish your own Certificate Authority and issue server certificates for yourself. For complete information, see the Novell Certificate Server Web site.
To quickly create your own public certificate in ConsoleOne:
Click to see if the Certificate Server snap-in to ConsoleOne is installed. If it is not installed, you can obtain it from Novell Product Downloads. If you are using eDirectory on Linux, the Certificate Server snap-in is installed by default.
NOTE: You can create a server certificate in Novell iManager, as well as in ConsoleOne, using steps similar to those provided below.
Browse to and select the container where your Server object is located.
Click.
Browse to and select the CSR file created by GWCSRGEN in Section 71.2.1, Generating a Certificate Signing Request, then click.
By default, your own organizational certificate authority signs the request.
Click.
In the box, select.
In the box, select all three usage options.
Click.
In the field, select the length of time you want the certificate to be valid. You might want to change the setting to a longer period of time to best meet the needs of your organization.
Click, view the summary information, then click.
Select.
Specify the path and filename for the certificate.
Limit the filename to 8 characters. You can retain the .b64 extension or use the more general .crt extension.
Click.
On the Linux server desktop, click, then enter the root password.
Click.
If you did not create the YaST_Default_CA during the installation of Linux on the server:
Click, specify the name and location of an existing CA, click, then skip to Step 4.
or
Click, then continue with Step 3.b.
Fill in the following fields:
CA Name: Specify the name of the CA certificate.
Common Name: Specify the name of the Certificate Authority.
Organization: Specify the name of your organization (for example, Novell, Inc.).
Organizational Unit: Specify your organization’s division that this certificate is being issued to (for example, Novell Product Development).
Locality: Specify the name of your city or other regional division (for example, Provo).
State: Specify the name of your state (for example, Utah). Use the full name. Do not abbreviate it.
Country: Select the name of your country (for example, USA).
Click.
Specify and verify the certificate password, then click.
Click to create the root Certificate Authority on the server.
After you have a Certificate Authority on the Linux server:
Select or the CA you just created, click, specify the CA password, then click.
On the tab.
Select.
.Specify the certificate password and, if desired, specify and verify a new password for the new certificate file.
Browse to and select the directory where you want to create the certificate file, then specify the filename for the certificate, adding a .pem extension.
Click to create the certificate file, then click again to confirm.
Exit from YaST.
In a terminal window, log in as root, then separate the .pem file created by YaST into a .crt file and a .key file, as required by GroupWise:
Use a text editor such as gedit to open the .pem file.
Select and copy the BEGIN CERTIFICATE line through the END CERTIFICATE line into a new file, name it the same as the server name, and add a .crt extension to the filename when you save it.
Select and copy the BEGIN RSA PRIVATE KEY line through the END RSA PRIVATE KEY line into a new file, name it the same as the server name, and add a .key extension to the filename when you save it.
Exit the text editor.
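The manual cut-and-paste above is easy to get wrong (a missed END line, or a private key pasted into the .crt file) and leaves the key world-readable if the editor's default permissions apply. The following shell script is an added example, not part of the GroupWise documentation or of YaST; it performs the same split with sed, writes the .key file with owner-only permissions, and refuses to leave partial output behind. The RSA PRIVATE KEY markers are the ones the procedure names; accepting a plain PRIVATE KEY (PKCS#8) block as well is this example's own generalization. The PEM content in the sample is constructed placeholder text, not a real certificate or key.

```shell
#!/bin/sh
# Added example (not from the GroupWise documentation): split a combined
# .pem file into the server.crt and server.key files GroupWise expects.

# split_pem <combined.pem> <server_name>
# Writes <server_name>.crt and <server_name>.key beside the .pem file.
# Returns 0 on success, 1 if either block is missing.
split_pem() {
    pem="$1"
    name="$2"
    dir=$(dirname "$pem")
    crt="$dir/$name.crt"
    key="$dir/$name.key"

    # The BEGIN CERTIFICATE line through the END CERTIFICATE line.
    sed -n '/^-----BEGIN CERTIFICATE-----$/,/^-----END CERTIFICATE-----$/p' "$pem" > "$crt"

    # The BEGIN RSA PRIVATE KEY line through the END RSA PRIVATE KEY line
    # (or the PKCS#8 form without "RSA"). The subshell umask makes the key
    # file mode 0600 from the moment it is created.
    (umask 077; sed -n '/^-----BEGIN \(RSA \)\{0,1\}PRIVATE KEY-----$/,/^-----END \(RSA \)\{0,1\}PRIVATE KEY-----$/p' "$pem" > "$key")

    # Both END markers must be present, otherwise a block was truncated.
    if ! grep -q '^-----END CERTIFICATE-----$' "$crt" || ! grep -q 'PRIVATE KEY-----$' "$key"; then
        echo "split_pem: $pem does not contain both a certificate and a private key" >&2
        rm -f "$crt" "$key"
        return 1
    fi
    echo "wrote $crt and $key"
}

# write_sample_pem <path>
# Writes a constructed two-block .pem; the base64 bodies are placeholders.
write_sample_pem() {
    printf '%s\n' \
        '-----BEGIN CERTIFICATE-----' \
        'MIIBplaceholdercertificatebody' \
        '-----END CERTIFICATE-----' \
        '-----BEGIN RSA PRIVATE KEY-----' \
        'MIIEplaceholderprivatekeybody' \
        '-----END RSA PRIVATE KEY-----' > "$1"
}

# Run as "sh split_pem.sh demo" (hypothetical script name) to try it on the
# constructed sample; with no argument only the functions are defined.
if [ "${1:-}" = "demo" ]; then
    d=$(mktemp -d)
    write_sample_pem "$d/server1.pem"
    split_pem "$d/server1.pem" server1
    ls -l "$d"
fi
```

Once the real files exist, confirm that the certificate and key belong together before handing them to the agents by comparing `openssl x509 -noout -modulus -in server1.crt` with `openssl rsa -noout -modulus -in server1.key`; the two modulus values must be identical.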
After processing your CSRs, the Certificate Authority sends you a public certificate (server_name.b64) file for each CSR. You might need to extract the private key from the public certificate. The private key file might have an extension such as .pem or .pfx. The extension is unimportant as long as the file format is correct.
If you used the Issue Certificate feature in ConsoleOne, as described in Using ConsoleOne on Windows or Linux, it generated the public certificate file (server_name.b64) and private key file (server_name.key).
If you used the CA Management feature in YaST, as described in Using YaST on Linux, you created the public certificate file (server_name.crt) and private key file (server_name.key).
Copy the files to any convenient location on each server. The location must be accessible to the GroupWise agents that run on the server.
To configure the agents to use SSL you must first enable them for SSL and then provide certificate and key file information. For detailed instructions, see the following sections: