Secure Sockets Layer (SSL) ensures secure communication between programs by encrypting the complete communication flow between the programs. The Installation program offered the opportunity to configure the Messaging Agent for SSL encryption, as described in Installing a Novell Messenger System in the Novell Messenger 2.2 Installation Guide.
Figure 2-3 Security Configuration Page in the Messenger Installation Program
If you set up SSL encryption during installation, the Installation program copied the certificate file and key file you specified to the \novell\nm\certs directory to ensure availability for the Messenger agents.
If you did not set up SSL encryption during installation, you can easily do so after installation. If you have not already set up SSL encryption on your system, you must complete the following tasks:
Before the Messaging Agent can use SSL encryption, you must create a certificate by generating a certificate signing request (CSR) and having it issued by a certificate authority (CA). The certificate can be issued by either a public CA or a local CA, such as Novell Certificate Server. (Novell Certificate Server, which runs on a server with Novell eDirectory, enables you to establish your own Certificate Authority and issue server certificates for yourself. For more information, see the Novell Certificate Server site.) The CSR includes the hostname of the server where the Messaging Agent runs. The Messaging Agent and the Archive Agent can use the same certificate if they run on the same server. The CSR also includes your choice of name and password for the private key file that must be used with each certificate. This information is needed when configuring the Messaging Agent to use SSL encryption.
IMPORTANT: On NetWare, the Messaging Agents do not support long filenames. Filenames must be in 8.3 format, meaning that the filename can be no longer than eight characters and the file extension can be no longer than three characters. For example, filename.crt is a valid filename in 8.3 format, and filename1.crt is not.
One way to create a CSR is to use the GroupWise GWCSRGEN utility. See Generating a Certificate Signing Request in Security Administration in the GroupWise 8 Administration Guide for instructions. This utility takes the information you provide and creates a .csr file to submit to a certificate authority. You might want to name the .csr file after the server it goes with, for example, server_name.csr.
To receive a server certificate, you need to submit the certificate signing request (server_name.csr file) to a certificate authority. If you have not previously used a certificate authority, you can use the keywords “Certificate Authority” to search the Web for certificate authority companies. You can also issue your own certificates with a local CA, such as Novell Certificate Server. (Novell Certificate Server, which runs on a server with Novell eDirectory, enables you to establish your own Certificate Authority and issue server certificates for yourself. For more information, see the Novell Certificate Server site.)
The certificate authority must be able to provide the certificate in Base64/PEM or PFX format.
IMPORTANT: You cannot use an eDirectory root certificate (rootcert.der file) as a public certificate.
The process of submitting the CSR varies from company to company. Most provide online submission of the request. Follow their instructions for submitting the request.
After processing your CSR, the certificate authority returns to you a certificate (server_name.crt) file and a private key (server_name.key) file. Copy the files to the certs subdirectory of the Messenger agent installation directory.
After you have a certificate and a private key file available on the server where the Messaging Agent runs, you are ready to configure the Messaging Agent to use SSL encryption.
In ConsoleOne, browse to and expand the Messenger Service object.
Right-click the Messenger Server object, then click .
Click > .
Fill in the following fields:
Certificate Path: This field defaults to \novell\nm\certs for NetWare and Windows, and /opt/novell/messenger/certs for Linux.
IMPORTANT: The certificate path must be located on the same server where the Messenger agents are installed. If your SSL certificate and key file are located on a different server, you must copy them into the directory specified in the field so that they are always accessible to the Messenger agents.
SSL Certificate: Browse to and select the certificate file. Or, if it is located in the directory specified in the field, you can simply type the filename.
SSL Key File: Browse to and select your private key file. Or, if it is located in the directory specified in the field, you can simply type the filename.
Set Password: Provide the key file password you established when you submitted the certificate signing request.
Enable SSL: Select this option to enable SSL encryption for your Messenger system.
Because you provided the SSL information on the Messenger Server object, it applies to both the Messaging Agent and the Archive Agent if both agents are running on the same server. The same information can be provided on the Security page of each Messenger agent if necessary.
Click to save the SSL settings.
Stop and then start the Messaging Agent to start using SSL encryption.
Corresponding Startup Switches: You can also use the /certpath, /certfile, /keyfile, /keypassword, and /ssl startup switches in the Messaging Agent startup file to configure the Messaging Agent to use SSL encryption.
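Before enabling SSL, the certificate and key files can be checked against the constraints stated above: 8.3 filenames on NetWare, a Base64/PEM or PFX certificate rather than a DER file such as rootcert.der, and both files present in the certificate path. The following is an added example, not part of the Novell documentation or tools; the function names are hypothetical, the format detection is a byte-level heuristic, and treating the key file as PEM is an assumption.

```python
import re
import tempfile
from pathlib import Path

# 8.3 name: up to 8 characters, then an optional extension of up to 3.
NAME_8_3 = re.compile(r"^[^.\\/]{1,8}(\.[^.\\/]{1,3})?$")

def is_8_3(filename):
    return NAME_8_3.match(filename) is not None

def classify(data):
    """Heuristically identify the container format of a certificate or key file."""
    text = data.lstrip()
    if text.startswith(b"-----BEGIN "):
        end = text.find(b"-----", 11)
        label = text[11:end].decode("ascii", "replace") if end > 0 else ""
        if label == "CERTIFICATE":
            return "pem-certificate"
        return "pem-private-key" if label.endswith("PRIVATE KEY") else "pem-other"
    if len(data) > 4 and data[0] == 0x30:  # DER SEQUENCE
        # Skip the length field: short form, or long form with n length bytes.
        body = 2 + (data[1] & 0x7F if data[1] & 0x80 else 0)
        if data[body:body + 3] == b"\x02\x01\x03":  # PKCS#12 opens with INTEGER 3
            return "pfx"
        if data[body:body + 1] == b"\x30":  # X.509 opens with a nested SEQUENCE
            return "der-certificate"
    return "unknown"

def preflight(cert_dir, cert_name, key_name, netware=False):
    """Return the problems found with the pair named on the Security page."""
    problems = []
    # Certificate formats come from the page; PEM for the key is an assumption.
    for role, name, accepted in (("certificate", cert_name, ("pem-certificate", "pfx")),
                                 ("key", key_name, ("pem-private-key",))):
        if netware and not is_8_3(name):
            problems.append(f"{role}: {name} is not an 8.3 filename")
        path = Path(cert_dir) / name
        if not path.is_file():
            problems.append(f"{role}: {name} is not in the certificate path")
            continue
        kind = classify(path.read_bytes())
        if kind not in accepted:
            problems.append(f"{role}: {name} is {kind}, expected {' or '.join(accepted)}")
    return problems

if __name__ == "__main__":
    with tempfile.TemporaryDirectory() as certs:  # constructed stand-in for the certs directory
        # Constructed placeholder contents, not real key material.
        Path(certs, "server.key").write_bytes(b"-----BEGIN ENCRYPTED PRIVATE KEY-----\n")
        Path(certs, "rootcert.der").write_bytes(b"\x30\x82\x01\x00\x30\x82\x00\xf0")
        print(preflight(certs, "rootcert.der", "server.key", netware=True))
```

An empty list means the pair passes these checks; it does not confirm that the key matches the certificate or that the key password is correct.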