9.2 Security Policies

Appropriate security policies help you keep users’ personal GroupWise data and Mobility system information secure.

9.2.1 Certificate Considerations

When creating certificates for your GroupWise system, we recommend the following:

  • Consolidate to one CA for your GroupWise system.

  • Use a public CA for your GroupWise system.

  • Use a wildcard certificate for all of your POAs.

9.2.2 Securing Your Mobility Data

Your Mobility server must be kept secure.

Limiting Physical Access to Mobility Servers

Servers where Mobility data resides should be kept physically secure, in locations where unauthorized persons cannot gain access to the server consoles.

Securing File System Access

Encrypted file systems should be used on all Mobility servers. Only Mobility administrators should have direct access to Mobility data.

9.2.3 Securing Your Mobility System

Locations where GroupWise users’ personal data and Mobility system information might be obtained must be kept secure.

Setting Up SSL Connections

Secure SSL connections should be used between your Mobility system and the following external components:

  • GroupWise Post Office Agent (POA)

  • Browser connection for the Mobility Admin console

  • Mobile devices

For instructions, see Security Administration.

Setting Up a Device Password Security Policy

To increase your control over mobile device access to your Mobility system, you should establish a device password security policy to ensure that users set up secure passwords on their mobile devices. For instructions, see Enabling a Device Password Security Policy.

Securing the Mobility Admin Console

The root user on the Mobility server is the Mobility Administrator.

IMPORTANT: The number of people who know how to log in to the Mobility Admin console should be kept to a minimum.

The Mobility Admin console can be integrated with a single sign-on solution. For more information, see Using the Mobility Admin Console with a Single Sign-On Solution.

Protecting Mobility Configuration Files

The configuration files for all internal Mobility components should be protected from tampering. Configuration files are found in the following default locations:

Internal Mobility Component    Configuration File
---------------------------    ------------------
Sync Engine                    /etc/datasync/syncengine/engine.xml
Web Admin                      /etc/datasync/webadmin/server.xml
Config Engine                  /etc/datasync/configengine/configengine.xml
Connector Manager              /etc/datasync/syncengine/connectors.xml

Protecting Mobility Log Files

The log files for all internal Mobility components should be protected against unauthorized access. Some log files contain very detailed information about your Mobility system and users. Mobility log files are found in the following locations:

Internal Mobility Service Component    Log File Subdirectory under /var/log/datasync    Log File Name
-----------------------------------    ---------------------------------------------    -------------
Sync Engine                            syncengine                                       engine.log
Config Engine                          configengine                                     configengine.log
Web Admin                              webadmin                                         server.log
Connector Manager                      syncengine                                       connectorManager.log
Sync Agents                            connectors                                       groupwise-agent.log
                                                                                        groupwise.log
                                                                                        mobility-agent.log
                                                                                        mobility.log

If you set the Mobility Service log level to Debug, Subject lines are included in log files for troubleshooting purposes. This information identifies items that are experiencing synchronization problems.

If you use the Debug log level, ensure that log files are kept secure to protect users’ personal information. The Info log level is strongly recommended for a smoothly functioning Mobility system.

No recipient information or message body text is included in log files.
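
The following audit script is an added example, not part of the product documentation; it checks the configuration files and log files listed in the two tables above for ownership and permission bits. The policy it enforces (owner uid 0, no group/other write on configuration files, no group write or other access on log files) and the function names are assumptions, and it relies on GNU stat.

```shell
#!/bin/sh
# Added example (not product code): audit the Mobility config and log files
# listed in this section. Assumed policy: every file is owned by root (uid 0),
# config files are not writable by group/other, log files are not writable by
# group and not accessible to other at all.
CONFIG_FILES="
/etc/datasync/syncengine/engine.xml
/etc/datasync/webadmin/server.xml
/etc/datasync/configengine/configengine.xml
/etc/datasync/syncengine/connectors.xml"
LOG_DIR=/var/log/datasync
LOG_FILES="
$LOG_DIR/syncengine/engine.log
$LOG_DIR/configengine/configengine.log
$LOG_DIR/webadmin/server.log
$LOG_DIR/syncengine/connectorManager.log
$LOG_DIR/connectors/groupwise-agent.log
$LOG_DIR/connectors/groupwise.log
$LOG_DIR/connectors/mobility-agent.log
$LOG_DIR/connectors/mobility.log"

# check_file PATH FORBIDDEN_BITS OWNER_UID
# Prints one finding and returns 1 if the file is missing, has the wrong
# owner, or has any of the forbidden (octal) permission bits set.
check_file() {
    if [ ! -e "$1" ]; then echo "MISSING $1"; return 1; fi
    cf_uid=$(stat -c %u "$1")    # GNU stat: numeric owner
    cf_mode=$(stat -c %a "$1")   # GNU stat: octal mode, e.g. 640
    if [ "$cf_uid" != "$3" ]; then echo "OWNER $1 (uid $cf_uid)"; return 1; fi
    if [ $(( 0$cf_mode & 0$2 )) -ne 0 ]; then
        echo "MODE $1 ($cf_mode)"; return 1
    fi
}

# audit [PREFIX] [OWNER_UID]
# PREFIX is prepended to every path (empty on a live server; a scratch
# directory when testing). Returns 0 only if there are no findings.
audit() {
    au_prefix=${1:-}; au_uid=${2:-0}; au_findings=0
    for au_f in $CONFIG_FILES; do
        check_file "$au_prefix$au_f" 022 "$au_uid" || au_findings=$((au_findings + 1))
    done
    for au_f in $LOG_FILES; do
        check_file "$au_prefix$au_f" 027 "$au_uid" || au_findings=$((au_findings + 1))
    done
    echo "$au_findings finding(s)"
    [ "$au_findings" -eq 0 ]
}
# On a live server, run as root:  audit "" 0
```

Running the audit after switching the log level to Debug is a quick way to confirm that the more detailed log files are still restricted to administrators.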