55.4 Securing GWIA Connections with SSL

The GWIA can use the SSL (Secure Sockets Layer) protocol to enable secure connections to other SMTP hosts, POP/IMAP clients, and the GWIA Web console. For the GWIA to do so, you must ensure that it has access to a server certificate file and that you have configured the connection types (SMTP, POP, IMAP, HTTP) you want secured through SSL. The following sections provide instructions:

55.4.1 Defining the Certificate File

To use SSL, the GWIA requires access to a server certificate file and key file. The GWIA can use any Base64/PEM or PFX formatted certificate file located on its server. If the GWIA’s server does not have a server certificate file, you can use the GroupWise Generate CSR utility to help you obtain one. For information, see Section 5.16.4, GroupWise Generate CSR Utility (GWCSRGEN).

To define the certificate file and key file that the GWIA will use:

  1. In ConsoleOne, right-click the GWIA object, then click Properties.

  2. Click GroupWise > SSL Settings to display the SSL Settings page.

    [Figure: SSL Settings property page]

    For background information about certificate files and SSL key files, see Section 83.2, Server Certificates and SSL Encryption.

    By default, the GWIA looks for the certificate file and SSL key file in the same directory where the GWIA executable is located, unless you provide a full path name.

  3. Fill in the Certificate File, SSL Key File, and Set Password fields:

    Certificate File: Specify the server certificate file that the GWIA will use. The certificate file must be in Base64/PEM or PFX format. This setting corresponds to the GWIA’s --certfile switch.

    SSL Key File: Specify the key file associated with the certificate. The key file must be password protected in order for SSL to function correctly. If the private key is included in the certificate file rather than in a separate key file, leave this field blank. This setting corresponds to the GWIA’s --keyfile switch.

    Set Password: Click Set Password to specify the password for the key. If the key does not require a password, do not use this option. This setting corresponds to the --keypasswd switch.

  4. If you want to define which connections (HTTP, SMTP, POP3, or IMAP4) use SSL, click Apply to save your changes, then continue with the next section, Section 55.4.2, Defining Which Connections Use SSL.

    or

    Click OK to save your changes.
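
A pre-flight check for the Certificate File and SSL Key File values described above, added here as an illustration (it is not part of the GroupWise documentation or tooling). It inspects Base64/PEM text only and does not parse PFX files; the function names and the sample PEM skeletons are constructed for this example.

```python
import re

# One PEM block: label in the BEGIN/END lines, headers + Base64 in between.
PEM_BLOCK = re.compile(
    r"-----BEGIN ([A-Z0-9 ]+)-----\r?\n(.*?)-----END \1-----", re.DOTALL)

def classify_pem(text):
    """Return (has_certificate, key_state); key_state is 'none',
    'encrypted' or 'unencrypted'."""
    has_cert, key_state = False, "none"
    for label, body in PEM_BLOCK.findall(text):
        if label == "CERTIFICATE":
            has_cert = True
        elif label == "ENCRYPTED PRIVATE KEY":      # PKCS#8, always encrypted
            key_state = "encrypted"
        elif label.endswith("PRIVATE KEY"):         # PKCS#8 plain, RSA, EC
            # Traditional keys flag encryption in an RFC 1421 header line.
            encrypted = "Proc-Type: 4,ENCRYPTED" in body
            key_state = "encrypted" if encrypted else "unencrypted"
    return has_cert, key_state

def preflight(cert_text, key_text=None):
    """Findings for a Certificate File / SSL Key File pair (empty = OK)."""
    findings = []
    has_cert, embedded_key = classify_pem(cert_text)
    if not has_cert:
        findings.append("certificate file: no PEM CERTIFICATE block")
    if key_text is None:                            # SSL Key File left blank
        key_state, where = embedded_key, "certificate file"
    else:
        key_state, where = classify_pem(key_text)[1], "key file"
        if embedded_key != "none":
            findings.append("certificate file already holds a private key")
    if key_state == "none":
        findings.append(f"{where}: no private key found")
    elif key_state == "unencrypted":
        findings.append(f"{where}: private key is not password protected")
    return findings

def make_pem(label, headers=""):
    """Constructed PEM skeleton; the body is placeholder Base64, not a key."""
    return (f"-----BEGIN {label}-----\n{headers}Q09OU1RSVUNURUQ=\n"
            f"-----END {label}-----\n")

CERT = make_pem("CERTIFICATE")
ENC_PKCS8 = make_pem("ENCRYPTED PRIVATE KEY")
ENC_RSA = make_pem("RSA PRIVATE KEY",
                   "Proc-Type: 4,ENCRYPTED\nDEK-Info: AES-256-CBC,00\n\n")
PLAIN_RSA = make_pem("RSA PRIVATE KEY")

if __name__ == "__main__":
    print(preflight(CERT, PLAIN_RSA))
```

An empty list means the pair matches what the SSL Settings page expects: a certificate plus a password-protected key, either in a separate key file or embedded in the certificate file with the SSL Key File field left blank.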

55.4.2 Defining Which Connections Use SSL

After you define the GWIA’s certificate and key file (see Section 55.4.1, Defining the Certificate File), you can configure which connections you want to use SSL. You can enable SSL connections to other SMTP hosts and the GWIA Web console, which means that an SSL connection is used if the other SMTP host or the Web browser (running the Web console) supports SSL. You can also enable or require SSL connections to POP3, IMAP4, and LDAP clients. If SSL is enabled, an SSL connection is used if the client supports SSL; if SSL is required, only SSL connections are accepted.

For more information about POP3 and IMAP4 clients, see Section 53.2, Configuring POP3/IMAP4 Services. For more information about LDAP clients, see Section 53.3, Configuring LDAP Services.

To configure connections to use SSL:

  1. In ConsoleOne, if the GWIA object’s property pages are not already displayed, right-click the GWIA object, then click Properties.

  2. Click GroupWise > Network Address to display the Network Address page.

    [Figure: Network Address page]

  3. Configure the SSL settings for the following connections:

    Message Transfer: Select Required if you want the GWIA to use a secure connection to the MTA. The MTA must also be enabled to use SSL.

    HTTP: Select Enabled to enable the GWIA to use a secure connection when passing information to the GWIA Web console. The Web browser must also be enabled to use SSL; if it is not, a non-secure connection is used.

    SMTP: Select from the following options to configure the GWIA’s use of secure connections to other SMTP hosts. The SMTP host must also be enabled to use SSL or TLS (Transport Layer Security); if it is not, a non-secure connection is used. All connections are through port 25.

    • Disabled: The GWIA does not support SSL connections.

    • Enabled: The other SMTP host determines whether an SSL connection or non-SSL connection is used with an SSL-enabled GWIA.

    • Required: The GWIA forces SSL connections. Non-SSL connections are denied.

    POP: Select from the following options to configure the GWIA’s use of secure connections to POP clients:

    • Disabled: The GWIA does not support SSL connections. All connections are non-SSL through port 110.

    • Enabled: The POP client determines whether an SSL connection or non-SSL connection is used with an SSL-enabled GWIA. An SSL-enabled GWIA allows SSL connections on port 995 and non-SSL connections on port 110.

    • Required: The GWIA forces SSL connections on port 995 and port 110. Non-SSL connections are denied.

    IMAP: Select from the following options to configure the GWIA’s use of secure connections to IMAP clients:

    • Disabled: The GWIA does not support SSL connections. All connections are non-SSL through port 143.

    • Enabled: The IMAP client determines whether an SSL connection or non-SSL connection is used with an SSL-enabled GWIA. An SSL-enabled GWIA allows SSL connections on port 993 and non-SSL connections on port 143.

    • Required: The GWIA forces SSL connections on port 993 and port 143. Non-SSL connections are denied.