GroupWise Mobility Service (GMS) 18 can verify the TLS/SSL certificate that the GroupWise Post Office Agent (POA) presents on its SOAP connection. After an installation or upgrade, certificate verification is disabled by default, so GMS accepts any POA certificate until you complete the steps below.
In the GroupWise Admin Console, the POA TCP/IP address must be specified as a DNS name.
In the Mobility Admin Console, the POA SOAP address must be specified as a DNS name rather than an IP address. Verification matches the configured address against the name in the POA certificate, so use the DNS name the certificate was issued for.
Follow the section that matches how you generated your POA certificates for each CA that you need to gather:
If your CA is GroupWise (18 or later), you can use one of the two methods below to get the certificate.
Open a browser to https://primarydomainip:adminport/gwadmin-service/system/ca.
For example: https://10.10.10.10:9710/gwadmin-service/system/ca
Enter your GroupWise admin credentials.
Save the certificate to the GMS server in /var/lib/datasync/mobility.
Continue with Verifying the CA Certificates if you have gathered all of your CA certificates.
Open a terminal on your GMS linux server.
Enter the following command:
curl -k --user username -o filename https://primarydomainip:adminport/gwadmin-service/system/ca
Replace username with your GroupWise admin user name and filename with the name of the file to save; curl prompts for the password. Because -k turns off TLS verification for this download, confirm the fingerprint of the saved file out of band (for example, against the same certificate viewed on the primary domain server) before you trust it.
Move the saved file to /var/lib/datasync/mobility on the GMS server.
Continue with Verifying the CA Certificates if you have gathered all of your CA certificates.
If your CA is a NetIQ Certificate Server, follow the steps below:
Log in to iManager.
Select NetIQ Certificate Server.
It may be called Novell Certificate Server depending on your version of iManager.
Select Configure Certificate Authority.
Select the Certificates tab.
Select the Self Signed Certificate check box.
Select Export.
Clear the Export private key check box.
Select Base64 as the export format.
Select Next.
Select Save the exported certificate file. Save it to the GMS server in /var/lib/datasync/mobility.
Continue with Verifying the CA Certificates if you have gathered all of your CA certificates.
If your CA is a commercial CA, follow the steps below:
Check whether your CA is already in the Mozilla trusted root CA bundle, which GMS keeps in /var/lib/datasync/mobility/cacert.pem on the GMS server (the bundle lists each CA by name above its certificate, so you can search the file for your CA). If your CA is in the bundle, continue with Verifying the CA Certificates if you have gathered all of your CA certificates.
or
If your CA is not in the bundle, obtain the CA's public root certificate from the CA and place it on the GMS server in /var/lib/datasync/mobility. Continue with Verifying the CA Certificates if you have gathered all of your CA certificates.
Once you have your CA certificate, make sure it meets the following requirements:
Base64-encoded (PEM) format, beginning with a -----BEGIN CERTIFICATE----- line, not binary DER.
In Basic Constraints, the certificate is marked as a CA (shown as Subject Type=CA in the Windows certificate viewer and as CA:TRUE in openssl output).
The current date is between the Valid from (notBefore) and Valid to (notAfter) dates.
The Issuer and the Subject match; that is, it is the self-signed root CA certificate, not an intermediate or server certificate.
You can verify these requirements by viewing the details of the certificate or by running the openssl x509 commands listed under the OpenSSL commands at the end of this page.
If your CA meets these requirements, continue with Adding the CA Certificates.
For certificate verification to work, the CA certificates you gathered need to be added to the mob_ca.pem file. Follow the section that matches each CA certificate you gathered:
If your CA is GroupWise or a NetIQ Certificate Server:
In a terminal on your GMS server, go to /var/lib/datasync/mobility/.
Append your CA certificate to the mob_ca.pem file using the following command:
cat yourCACertificate.pem >> mob_ca.pem
NOTE: If mob_ca.pem does not end with a line break, the next certificate you append starts on the same line as the previous END CERTIFICATE marker and the file can no longer be parsed. Add a hard return at the end of mob_ca.pem after each certificate before you append another one.
Continue with Enabling Certificate Verification if you have added all of your CA certificates.
If your CA is a commercial CA:
In a terminal on your GMS server, go to /var/lib/datasync/mobility/.
If your CA is not in the Mozilla CA bundle, append your CA public root certificate to the mob_ca.pem file using the following command:
cat yourCACertificate.pem >> mob_ca.pem
or
If your CA is in the bundle, append the cacert.pem bundle to mob_ca.pem using the following command:
cat cacert.pem >> mob_ca.pem
Appending the whole bundle makes GMS trust a POA certificate issued by any root in it, not only by your CA; appending only your CA's root certificate (the first command) keeps the trust list to what you actually need.
NOTE: If mob_ca.pem does not end with a line break, the next certificate you append starts on the same line as the previous END CERTIFICATE marker and the file can no longer be parsed. Add a hard return at the end of mob_ca.pem after each certificate before you append another one.
Continue with Enabling Certificate Verification if you have added all of your CA certificates.
Before you enable certificate verification, take a backup of the /var/lib/datasync/mobility/mob_ca.pem file.
Log in to the GMS WebAdmin.
Select Config > GroupWise.
Select SSL Certificate Verification.
Select Apply.
In a terminal on the GMS server, restart GMS using the following command:
rcgms restart
You may experience SSL problems the first time you enable certificate verification. The following OpenSSL commands help isolate the cause:
Connect to the POA SOAP port and verify the chain it presents against your CA certificate; the output should contain Verify return code: 0 (ok):
openssl s_client -showcerts -CAfile CA_public_certificate -connect poa_DNS:soap_port
Example: openssl s_client -showcerts -CAfile gwcacert.pem -connect gw.provo.novell.com:7191
Verify a saved copy of the POA certificate against the CA certificate, including the issuer checks:
openssl verify -issuer_checks -CAfile CA_public_certificate POA_certificate
Example: openssl verify -issuer_checks -CAfile cacert.pem gwpoa.pem
Display a certificate's details (Subject, Issuer, validity dates, Basic Constraints):
openssl x509 -in certificate -noout -text
Example: openssl x509 -in gwcacert.pem -noout -text
Display the certificate chain the POA presents without verifying it; each block can be pasted into a file for the commands above:
openssl s_client -showcerts -connect poa_DNS:soap_port
Example: openssl s_client -showcerts -connect gw.provo.novell.com:7191
Display the purposes a certificate can be used for; a CA certificate must show SSL server CA : Yes:
openssl x509 -in certificate -noout -purpose
Example: openssl x509 -in gwcacert.pem -noout -purpose
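As an added example (not code from the GMS documentation), the following script ties the three procedures above together: it checks a gathered CA certificate against the four requirements under Verifying the CA Certificates, appends it to mob_ca.pem with the line-break and duplicate handling the NOTE under Adding the CA Certificates describes, and then tests the POA SOAP connection against mob_ca.pem the way the OpenSSL commands above do, including the host-name match. It assumes openssl 1.1.1 or later and GNU date on the GMS server; the script name and the POA host and port in the usage comment are placeholders.

```bash
#!/bin/bash
# Added example, not from the GMS documentation: checks a CA certificate against
# the four requirements on this page, appends it to mob_ca.pem without running PEM
# blocks together or adding the same CA twice, and tests the POA SOAP connection
# the way GMS will see it once verification is enabled.
# Assumes openssl (1.1.1 or later) and GNU date on the GMS server. The paths are
# the ones given on this page; override MOB_CA in the environment to test elsewhere.

MOB_DIR="${MOB_DIR:-/var/lib/datasync/mobility}"
MOB_CA="${MOB_CA:-$MOB_DIR/mob_ca.pem}"

# Print a certificate's issuer or subject DN without the "issuer=" / "subject=" prefix.
dn_of() { openssl x509 -in "$1" -noout "-$2" | sed 's/^[a-z]*= *//'; }

# check_ca_cert FILE: return 0 only if FILE meets all four requirements
# (Base64/PEM, Basic Constraints CA, currently valid, Issuer equals Subject).
check_ca_cert() {
    local f="$1" rc=0 not_before
    grep -q -- '-----BEGIN CERTIFICATE-----' "$f" 2>/dev/null \
        || { echo "$f: not Base64 (PEM) encoded"; return 1; }
    openssl x509 -in "$f" -noout -subject >/dev/null 2>&1 \
        || { echo "$f: openssl cannot parse the certificate"; return 1; }
    # openssl prints CA:TRUE where the Windows viewer shows "Subject Type=CA"
    openssl x509 -in "$f" -noout -text | grep -A1 'X509v3 Basic Constraints' | grep -q 'CA:TRUE' \
        || { echo "$f: Basic Constraints does not mark it as a CA"; rc=1; }
    # -checkend 0 fails once notAfter has passed; notBefore needs an explicit compare
    openssl x509 -in "$f" -noout -checkend 0 >/dev/null \
        || { echo "$f: certificate has expired"; rc=1; }
    not_before=$(date -u -d "$(openssl x509 -in "$f" -noout -startdate | cut -d= -f2)" +%s) \
        || { echo "$f: cannot parse notBefore"; rc=1; }
    [ "${not_before:-0}" -le "$(date -u +%s)" ] \
        || { echo "$f: certificate is not yet valid"; rc=1; }
    # A root CA certificate is self-signed, so its Issuer and Subject are identical
    [ "$(dn_of "$f" issuer)" = "$(dn_of "$f" subject)" ] \
        || { echo "$f: Issuer and Subject differ (not a root CA certificate)"; rc=1; }
    return "$rc"
}

# pem_fingerprints FILE: one SHA-256 fingerprint per certificate in a PEM bundle.
# A block that runs into the previous one (the missing "hard return" this page warns
# about) does not parse and is reported on stderr instead of producing a fingerprint.
pem_fingerprints() {
    local f="$1" d c
    [ -s "$f" ] || return 0
    d=$(mktemp -d)
    awk -v d="$d" '/-----BEGIN CERTIFICATE-----/ { n++; p=1 }
                   p { print > (d "/" n ".pem") }
                   /-----END CERTIFICATE-----/ { p=0; close(d "/" n ".pem") }' "$f"
    for c in "$d"/*.pem; do
        [ -e "$c" ] || continue
        openssl x509 -in "$c" -noout -fingerprint -sha256 2>/dev/null \
            || echo "$f: unparseable certificate block ($(basename "$c"))" >&2
    done
    rm -rf "$d"
}

# append_ca_cert FILE: back up mob_ca.pem, then add FILE unless the same CA is
# already present, making sure the previous block ends with a line break first.
append_ca_cert() {
    local f="$1" fp
    check_ca_cert "$f" || return 1
    fp=$(openssl x509 -in "$f" -noout -fingerprint -sha256)
    if pem_fingerprints "$MOB_CA" 2>/dev/null | grep -qxF "$fp"; then
        echo "$f: already present in $MOB_CA"
        return 0
    fi
    [ -s "$MOB_CA" ] && cp -p "$MOB_CA" "$MOB_CA.bak"
    # $(tail -c1) is empty only when the file already ends with a newline
    if [ -s "$MOB_CA" ] && [ -n "$(tail -c1 "$MOB_CA")" ]; then
        echo >> "$MOB_CA"
    fi
    # Re-emit through openssl: canonical PEM, trailing newline, no stray text
    openssl x509 -in "$f" >> "$MOB_CA"
    echo "$f: added to $MOB_CA"
}

# verify_poa POA_DNS SOAP_PORT: connect the way GMS will, checking the chain against
# mob_ca.pem and the host name against the certificate (why the page wants a DNS
# name, not an IP address, in the POA SOAP address).
verify_poa() {
    local host="$1" port="$2" out
    out=$(openssl s_client -connect "$host:$port" -servername "$host" \
          -verify_hostname "$host" -CAfile "$MOB_CA" -showcerts </dev/null 2>&1) || true
    if printf '%s\n' "$out" | grep -q 'Verify return code: 0 (ok)'; then
        echo "$host:$port verified against $MOB_CA"
        return 0
    fi
    printf '%s\n' "$out" | grep -E 'Verify return code|verify error|alert' >&2 || true
    return 1
}

# Usage: gms_ca_add.sh CAFILE [POA_DNS SOAP_PORT]   (script name and host are placeholders)
case $# in
    1) append_ca_cert "$1" ;;
    3) append_ca_cert "$1" && verify_poa "$2" "$3" ;;
esac
```

Run it on the GMS server as root with the gathered CA file, for example gms_ca_add.sh /var/lib/datasync/mobility/gwcacert.pem gw.example.com 7191, before you enable SSL Certificate Verification; a non-zero exit from verify_poa with its Verify return code line tells you whether the failure is the chain (wrong or missing CA in mob_ca.pem) or the name (POA address configured as an IP or a name the certificate was not issued for).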