All the connections between the client and the server should be configured to use SSL. To do this, SSL must be configured for the agents. For information on configuring SSL for the agents and for the client, see "Creating Your Messenger System" for NetWare® and Windows and "Configuring the Linux Messenger Agents for SSL" for Linux in the Messenger 2.0 Installation Guide. To secure the client, simply use the port number specified for secure connections when connecting to the server.
When installing the agents, you have the option to configure SSL for the agents. If you chose to use SSL for the connection between the agents and the clients, the Message Transfer Protocol is automatically configured to use SSL as well. For more information, see "Creating Your Messenger System" for NetWare and Windows and "Configuring the Linux Messenger Agents for SSL" for Linux in the Messenger 2.0 Installation Guide.
In order for the Message Transfer Protocol to use SSL, you must enable SSL for the agents. If you chose not to use SSL during the installation, you can configure SSL for the agents in ConsoleOne.
Before the agents and the Message Transfer Protocol can use SSL encryption, you must send a Certificate Signing Request (CSR) to a Certification Authority (CA) and receive a public certificate file in return. The CSR includes the hostname of the server where the Messaging Agent runs. The Messaging Agent and the Archive Agent can use the same certificate if they run on the same server. The CSR also includes your choice of name and password for the private key file that must be used with each certificate. This information is needed when configuring the Message Transfer Protocol to use SSL encryption. For more information, see Section 2.3.1, Generating a Certificate Signing Request and Private Key.
After you have a public certificate and a private key file available on the server where the Messaging Agent runs, you are ready to configure the Messaging Agent to use SSL encryption.
In ConsoleOne, browse to and expand the Messenger Service object.
Right-click the Messenger ArchiveAgent object, then click .
Click > .
Fill in the following fields:
Certificate Path: This field defaults to \novell\nm\certs for NetWare and Windows, and /opt/novell/messenger/certs for Linux.
IMPORTANT: The certificate path must be located on the same server where the Messenger agents are installed. If your SSL certificate and key file are located on a different server, you must copy them into the directory specified in the field so they are always accessible to the Messenger agents.
SSL Certificate: Browse to and select the public certificate file. Or, if it is located in the directory specified in the field, you can simply type the filename.
SSL Key File: Browse to and select your private key file. Or, if it is located in the directory specified in the field, you can simply type the filename.
Set Password: Provide the key file password you established when you submitted the certificate signing request.
Enable SSL for Client/Server: Select this option to enable SSL encryption for your client and server.
Enable SSL for Message Transfer Protocol: Select this option to enable SSL encryption for the Message Transfer Protocol.
Click to save the SSL settings.
Restart the Messaging Agent to begin using SSL encryption.
The Web console should already be configured to use SSL when SSL is configured during the installation. However, additional configuration is needed to enable SSL for the Web console. For information on how to secure and configure the Web console, see Setting Up the Messaging Agent Web Console and Section 4.10.2, Using the Archive Agent Web Console and GroupWise Monitor.
The Web console should be configured to use SSL and password protection, but password protection needs to be enabled. For information on how to enable password protection for the Web console, see Setting Up the Messaging Agent Web Console and Section 4.10.2, Using the Archive Agent Web Console and GroupWise Monitor.
The data store files should be protected from tampering. The data store files are identified by an eight-digit hexadecimal number followed by either .maf or .mai. They are found in the following default locations:
The queue files should be protected from tampering. The queue files are identified by an eight-digit hexadecimal number followed by three numbers. They are found in the following default locations:
The log files for all Messenger agents should be protected from access by unauthorized persons. Some contain very detailed information about your Messenger system and Messenger users. They are found in the following default locations:
Table 6-3 Messenger Agent Log File Locations
The startup files for all Messenger agents should be protected from tampering. They are found in the following default locations:
The root certificate files should be protected from tampering. The root certificate files are copied to the following default locations:
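The data store and queue file naming rules above can be turned into a tamper-exposure check for a Linux agent host. This is an added example, not Novell's code: the directory to scan is supplied by the caller, `agent_uid` is a hypothetical parameter, and reading the queue file's "three numbers" as a three-digit suffix with an optional dot is an assumption.

```python
import os
import re
import stat

# Name patterns from the text above. Assumption: a queue file's "three
# numbers" are a three-digit suffix, written with or without a dot.
DATA_STORE_RE = re.compile(r"^[0-9a-f]{8}\.ma[fi]$", re.IGNORECASE)
QUEUE_RE = re.compile(r"^[0-9a-f]{8}\.?[0-9]{3}$", re.IGNORECASE)
LOOSE = stat.S_IWGRP | stat.S_IWOTH  # writable by group or others

def classify(name):
    """Return 'data-store', 'queue' or None for a bare file name."""
    if DATA_STORE_RE.match(name):
        return "data-store"
    if QUEUE_RE.match(name):
        return "queue"
    return None

def audit(root, agent_uid=None):
    """Return (path, kind, problem) for Messenger files under root that an
    account other than the owner could modify or replace. agent_uid is a
    hypothetical parameter: the uid the agents are expected to run as."""
    findings = []
    for dirpath, _dirs, files in os.walk(root):
        matched = [(n, classify(n)) for n in sorted(files) if classify(n)]
        if not matched:
            continue
        dmode = os.lstat(dirpath).st_mode
        # A writable directory allows rename/replace even of read-only
        # files, unless the sticky bit restricts that to the owner.
        if dmode & LOOSE and not dmode & stat.S_ISVTX:
            findings.append((dirpath, "directory", "group/other-writable"))
        for name, kind in matched:
            path = os.path.join(dirpath, name)
            st = os.lstat(path)  # lstat: do not follow symlinks
            if stat.S_ISLNK(st.st_mode):
                findings.append((path, kind, "symlink"))
            elif st.st_mode & LOOSE:
                findings.append((path, kind, "group/other-writable"))
            elif agent_uid is not None and st.st_uid != agent_uid:
                findings.append((path, kind, "unexpected owner"))
    return findings

if __name__ == "__main__":
    import sys
    for finding in audit(sys.argv[1]):
        print(*finding, sep="\t")
```

Run it against each directory that holds data store or queue files; an empty result means no matching file is exposed to modification by group or other accounts.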