16.7 Securing GroupWise Web with TLS Connections

16.7.1 Securing GroupWise Web using a Commercial Certificate

GroupWise Web creates self-signed certificates when you run the Docker image. You can supply your own commercial certificates for GroupWise Web for enhanced security. The certificates must follow the requirements found in Configuring Server Certificates and TLS in the GroupWise Administration Guide.

When you run with commercially signed certificates, you need to specify the location of the certificates in the Docker run command. Below is an example of the command to run GroupWise Web with commercially signed certificates:

Running GroupWise Web with commercially signed certificates:

docker run -d --rm -v /opt/novell/gw:/etc/nginx/gw --name gwweb -e FQDN=webacc.acme.com -e DNS_SERVER=192.168.1.5 -p 80:80 -p 443:443 -v /opt/novell/gw/certs:/certs mfgroupwise/web:23.4-xxx

/opt/novell/gw/certs should contain the server.key and server.crt files for your commercially signed certificates.

IMPORTANT: At this time, GroupWise Web does not support password-protected .key files. To use a key file that has password protection, you must remove the password before running the Docker command above, or the Web app will fail to launch. You can do this by running the following on a machine with OpenSSL installed:

openssl rsa -in passwordprotected.key -out nopassword.key
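The following pre-flight check is an added example and is not part of the GroupWise documentation or product. It inspects the directory you intend to mount at /certs and reports the two conditions this section says will stop GroupWise Web from launching: a missing server.key or server.crt, and a password-protected key (detected from the PEM headers, so it runs without OpenSSL). The sample key text is constructed and contains no key material.

```python
import os
import re
import tempfile

# One PEM block: label and body (re.S lets the body span lines).
PEM_BLOCK = re.compile(r"-----BEGIN ([A-Z ]+)-----(.*?)-----END \1-----", re.S)

def key_is_encrypted(pem_text: str) -> bool:
    """True if a private-key block in pem_text needs a password.

    PKCS#8 marks this with the 'ENCRYPTED PRIVATE KEY' label; the
    traditional OpenSSL format keeps e.g. 'RSA PRIVATE KEY' but adds a
    'Proc-Type: 4,ENCRYPTED' header inside the block.
    """
    for label, body in PEM_BLOCK.findall(pem_text):
        if label == "ENCRYPTED PRIVATE KEY":
            return True
        if label.endswith("PRIVATE KEY") and "Proc-Type: 4,ENCRYPTED" in body:
            return True
    return False

def check_certs_dir(path: str) -> list:
    """Return the problems found; an empty list means the directory is usable."""
    problems = []
    for name in ("server.key", "server.crt"):
        if not os.path.isfile(os.path.join(path, name)):
            problems.append("missing " + name)
    key_path = os.path.join(path, "server.key")
    if os.path.isfile(key_path):
        with open(key_path) as fh:
            if key_is_encrypted(fh.read()):
                problems.append("server.key is password protected; run "
                                "'openssl rsa -in server.key -out nopassword.key' first")
    return problems

# Constructed sample: the header of a traditionally encrypted key (no key material).
ENCRYPTED_KEY_SAMPLE = """-----BEGIN RSA PRIVATE KEY-----
Proc-Type: 4,ENCRYPTED
DEK-Info: AES-256-CBC,00112233445566778899AABBCCDDEEFF

(key material omitted)
-----END RSA PRIVATE KEY-----
"""

if __name__ == "__main__":
    with tempfile.TemporaryDirectory() as d:
        with open(os.path.join(d, "server.key"), "w") as fh:
            fh.write(ENCRYPTED_KEY_SAMPLE)
        print(check_certs_dir(d))
```

Point check_certs_dir at /opt/novell/gw/certs before the docker run command; an empty result means both files are present and the key is usable without a password.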

16.7.2 Updating POA/DVA Certificates while GroupWise Web is Running

If you update the certificate on the POA/DVA after the GroupWise Web image is running, you can have GroupWise Web pick up the new certificates and use the POA/DVA without restarting the GroupWise Web image. This is also needed if the POA/DVA was not accessible when the GroupWise Web image was started but is now available. Use the following Docker command to update the certificates:

docker exec <container_name or container_id> bash -c "/update/update-certs.sh"

Example: docker exec gwweb bash -c "/update/update-certs.sh"

You can use either the container name or the container id to run the command.

NOTE: Restarting the GroupWise Web image also updates the POA/DVA certificates.

16.7.3 Securing GroupWise Web using Certificate Verification

In GroupWise 18.4 and later, GroupWise Web performs certificate checks on the GroupWise Admin Service, POA, and DVA certificates. These checks verify that the Subject Alternative Name on the certificate matches the GroupWise Admin Server, POA, or DVA, and that the certificate is within its validity dates.

The GroupWise Admin Service check is enabled by default and cannot be disabled. The POA check is enabled by default and can be disabled. Beginning in GroupWise 18.5, the DVA check is enabled by default and can be disabled. However, to be fully secure, you should keep all of the certificate verification checks enabled.

NOTE: The POA check and the DVA check are independent of each other and can be run together, separately, or not at all.

As part of the 18.5 changes, the env.list file is generated when you run the Docker command in the Web Config utility container, and the GWDVA_SSL_VERIFY switch is added to the file, set to "ON" by default.

Using GroupWise Admin Service Certificate Verification

The GroupWise Admin Service check is done when the web-config utility runs to get the POA and DVA information for your GroupWise system. If the GroupWise Admin Service check runs properly, the web-config utility creates five files: web.conf, poas.conf, dvas.conf, env.list and ca.crt.

For the GroupWise Admin Service check to pass, you need to use a GroupWise self-signed certificate with the Fully Qualified Domain Name or IP address of the GroupWise server as the Subject Alternative Name on the certificate.

Using POA Certificate Verification

The POA check is part of the running GroupWise Web image and is enabled by default. GroupWise Web checks every POA against its certificate to make sure it matches and is valid.

In order for the POA check to pass, the certificate Subject Alternative Name must match the hostname specified in the poa.conf file. Certificate requirements and recommendations can be found in Configuring Server Certificates and TLS in the GroupWise Administration Guide.

NOTE: If the Subject Alternative Name in the certificate and the poa.conf file do not match, it is easier to change the poa.conf file than to get a new certificate.

You do not need to change your Docker run command if you want to use POA certificate verification. If you do not want to use POA certificate verification, you must include the switch GWSOAP_SSL_VERIFY=off. Below is an example of running the GroupWise Web Docker image with POA certificate verification turned off:

docker run -d --rm -v /opt/novell/gw:/etc/nginx/gw --name gwweb -e FQDN=webacc.acme.com -e DNS_SERVER=192.168.1.5 -p 80:80 -p 443:443 -v /opt/novell/gw/certs:/certs -e GWSOAP_SSL_VERIFY=off mfgroupwise/web:23.4-xxx

Using DVA Certificate Verification

The DVA check is part of the running GroupWise Web image and is enabled by default beginning in GroupWise 18.5. For the DVA check to pass, the certificate Subject Alternative Name (SAN) must match the domain name specified by the GWDVA_SSL_DNS= setting in the env.list file that is created by the web-config utility Docker command. Wildcard certificates can be used for your DVAs as long as the GWDVA_SSL_DNS= setting specifies the DNS name that is in the SAN on the wildcard certificate. Certificate requirements and recommendations can be found in Configuring Server Certificates and TLS in the GroupWise Administration Guide.

Although not recommended, you can disable the DVA verification check. If the env.list file already exists, override the check directly in the file by changing the GWDVA_SSL_VERIFY switch to off. This file is generated in the /opt/novell/gw folder when you run the web-config utility.

NOTE: If the env.list file does not exist, run the web-config utility Docker command to generate the required configuration files, including the env.list file.

If the env.list file does not exist, you are unable to run the web-config utility Docker command, and you do not want to use DVA certificate verification when running the GroupWise Web Docker image, you must include the GWDVA_SSL_VERIFY=off switch.

Examples - Running the GroupWise Web Docker Image

Two examples are provided below for running the GroupWise Web Docker image with the DVA check ON and OFF. In both examples, the env.list file does not exist:

  • DVA certificate verification OFF:

    docker run -d --rm -v /opt/novell/gw:/etc/nginx/gw --name gwweb -e FQDN=webacc.acme.com -e DNS_SERVER=192.168.1.5 -p 80:80 -p 443:443 -v /opt/novell/gw/certs:/certs -e GWDVA_SSL_VERIFY=off mfgroupwise/web

  • DVA certificate verification ON (default), using the GWDVA_SSL_DNS switch:

    docker run -d --rm -v /opt/novell/gw:/etc/nginx/gw --name gwweb -e FQDN=webacc.acme.com -e DNS_SERVER=192.168.1.5 -p 80:80 -p 443:443 -v /opt/novell/gw/certs:/certs -e GWDVA_SSL_DNS=*.lab.acmegwsystem.com mfgroupwise/web

NOTE: The GWDVA_SSL_DNS setting is only required or used when DVA certificate verification is ON, not OFF.
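The following is an added example, not GroupWise code, that models the decision the POA and DVA checks described in this section make: the certificate must be within its validity dates, and one of its Subject Alternative Name DNS entries must match the expected name (the configured POA hostname for the POA check, or the GWDVA_SSL_DNS value for the DVA check). It assumes the usual TLS wildcard rule, in which "*" covers exactly one leftmost label; the function names and the sample names, SAN lists and dates are this example's own.

```python
from datetime import datetime, timezone

def san_matches(pattern: str, hostname: str) -> bool:
    """True if one SAN dNSName entry matches hostname (case-insensitive)."""
    p, h = pattern.lower().rstrip("."), hostname.lower().rstrip(".")
    if not p.startswith("*."):
        return p == h
    # A wildcard covers exactly one leftmost label: *.lab.acmegwsystem.com
    # matches dva1.lab.acmegwsystem.com, but neither lab.acmegwsystem.com
    # nor a.b.lab.acmegwsystem.com.
    head, sep, rest = h.partition(".")
    return bool(head) and sep == "." and rest == p[2:]

def verify_server_cert(san_names, expected_name, not_before, not_after, now):
    """Model of the POA/DVA check; returns (passes, reason).

    expected_name is the hostname configured for the POA (POA check) or
    the GWDVA_SSL_DNS value from env.list (DVA check).
    """
    if not (not_before <= now <= not_after):
        return False, "certificate date is not valid"
    if not any(san_matches(n, expected_name) for n in san_names):
        return False, "no Subject Alternative Name matches " + expected_name
    return True, "ok"

# Constructed sample values; no real certificate is parsed here.
NOT_BEFORE = datetime(2024, 1, 1, tzinfo=timezone.utc)
NOT_AFTER = datetime(2025, 1, 1, tzinfo=timezone.utc)
NOW = datetime(2024, 6, 1, tzinfo=timezone.utc)

if __name__ == "__main__":
    # POA check: configured hostname poa1.acme.com, SAN lists the same name.
    print(verify_server_cert(["poa1.acme.com"], "poa1.acme.com",
                             NOT_BEFORE, NOT_AFTER, NOW))
    # DVA check with GWDVA_SSL_DNS=*.lab.acmegwsystem.com and a wildcard cert.
    print(verify_server_cert(["*.lab.acmegwsystem.com"], "*.lab.acmegwsystem.com",
                             NOT_BEFORE, NOT_AFTER, NOW))
    # Mismatch: the SAN was issued for poa1.acme.com, the configured name differs,
    # which is the case the NOTE above suggests fixing in the POA configuration file.
    print(verify_server_cert(["poa1.acme.com"], "poa1.acme.local",
                             NOT_BEFORE, NOT_AFTER, NOW))
```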