GroupWise Mobility Service 2014 R2 has enhanced the security options available to administrators. This document takes you through the security enhancements and how they can secure your system.
The following are the enhancements that have been made to GroupWise Mobility Service to make communication more secure:
Before upgrading or installing GMS 2014 R2, SSL must be either enabled on all POAs or disabled on all POAs, because SSL failover is no longer available.
POA certificates should be issued to the DNS name of the POA server.
If you have run against a POA that didn’t have SSL enabled in the past, create a new GroupWise trusted application for GMS before enabling SSL.
Consolidate to one CA for your GroupWise system.
Use a public CA for your GroupWise system.
Use a wildcard certificate for all of your POAs.
Because of the SSL changes, a new tool has been created to ensure that all GroupWise POAs are correctly set up for the SSL settings you have configured in GMS.
IMPORTANT: This tool needs to be run before upgrading to GMS 2014 R2.
The tool is provided with the download of the GMS 2014 R2 ISO. Follow the steps below to run the tool:
Download the GMSsslCheck.tar file to your GMS server.
Open a terminal and extract the contents of the tar file to a temporary location on your GMS server using the following command:
tar xvf GMSsslCheck.tar
Open a terminal and browse to the folder where you extracted the files.
Run the following command:
python sslcheck.pyc
In the menu prompt, select option 1.
The tool connects to all of your GroupWise POAs and checks their SSL settings against the GMS settings. If the settings do not match those in GMS, the information is displayed so you can resolve the settings. Once the settings have been resolved, continue with the upgrade of GMS.
NOTE: If you are not upgrading but installing a new system, run MCheck after the installation and select the System > SSL Check option to check the SSL settings of your GroupWise POAs.
GroupWise Mobility Service 2014 R2 allows verification of the POA TLS/SSL certificate. After the installation or upgrade, certificate verification is disabled by default.
In the GroupWise Admin Console, the POA TCP/IP address needs to have the DNS name specified.
In the Mobility Admin Console, the POA SOAP address needs to have the DNS name specified instead of the IP address.
Follow the section that matches how you generated your POA certificates for each CA that you need to gather:
If your CA is GroupWise (2014 or later), use one of the two methods below to get the certificate.
Open a browser to https://primarydomainip:adminport/gwadmin-service/system/ca.
For example: https://10.10.10.10:9710/gwadmin-service/system/ca
Enter your GroupWise admin credentials.
Save the certificate to the GMS server in /var/lib/datasync/mobility.
Continue with Verifying the CA Certificates if you have gathered all of your CA certificates.
Open a terminal on your GMS linux server.
Enter the following command:
curl -k --user username -o filename https://primarydomainip:adminport/gwadmin-service/system/ca
Replace username with your admin username and filename with the name of the saved file.
Copy the certificate and then save it to the GMS server in /var/lib/datasync/mobility.
Continue with Verifying the CA Certificates if you have gathered all of your CA certificates.
If your CA is a NetIQ Certificate Server, follow the steps below:
Log in to iManager.
Select NetIQ Certificate Server.
It may be called Novell Certificate Server depending on your version of iManager.
Select Configure Certificate Authority.
Select the Certificates tab.
Select the Self Signed Certificate check box.
Select Export.
Unselect Export private key.
Select Base64 as the export format.
Select Next.
Select Save the exported certificate file. Save it to the GMS server in /var/lib/datasync/mobility.
Continue with Verifying the CA Certificates if you have gathered all of your CA certificates.
If your CA is a commercial CA, follow the steps below:
Check whether your CA is in the Mozilla trusted root CA store, which GMS keeps in the /var/lib/datasync/mobility/cacert.pem file on the GMS server. If your CA is in the list, continue with Verifying the CA Certificates if you have gathered all of your CA certificates.
or
If your CA is not in the list, you need to find your CA's public root certificate and place it on the GMS server in /var/lib/datasync/mobility. Continue with Verifying the CA Certificates if you have gathered all of your CA certificates.
Once you have your CA certificate, make sure it meets the following requirements:
Base64-encoded format
In the Basic Constraints, ensure that Subject Type=CA is specified.
Ensure that the current date is between the Valid from and Valid to dates.
The Issuer and the Subject match.
You can verify these requirements by viewing the details of the certificate or by running an openssl command to view the certificate information.
If your CA meets these requirements, continue with Adding the CA Certificates.
For certificate verification to work, the CA certificates you gathered previously need to be added to the mob_ca.pem file. Follow the section that matches each CA certificate you gathered:
In a terminal on your GMS server, go to /var/lib/datasync/mobility/.
Add your CA certificate to the mob_ca.pem file using the following command:
cat yourCACertificate.pem >> mob_ca.pem
NOTE: You may need to add a hard return in the mob_ca.pem after the certificate before you add any other certificates to the file.
Continue with Enabling Certificate Verification if you have added all of your CA certificates.
In a terminal on your GMS server, go to /var/lib/datasync/mobility/.
Add your CA certificate to the mob_ca.pem file using the following command:
cat yourCACertificate.pem >> mob_ca.pem
NOTE: You may need to add a hard return in the mob_ca.pem after the certificate before you add any other certificates to the file.
Continue with Enabling Certificate Verification if you have added all of your CA certificates.
In a terminal on your GMS server, go to /var/lib/datasync/mobility/.
If your CA is not in the Mozilla CA certificate list, add your CA public certificate to the mob_ca.pem file using the following command:
cat yourCACertificate.pem >> mob_ca.pem
or
If your CA is in the list, copy the cacert.pem file to mob_ca.pem using the following command:
cat cacert.pem >> mob_ca.pem
NOTE: You may need to add a hard return in the mob_ca.pem after the certificate before you add any other certificates to the file.
Continue with Enabling Certificate Verification if you have added all of your CA certificates.
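Both the CA certificate requirements listed under Verifying the CA Certificates and the steps that append certificates to mob_ca.pem can be checked from the shell. The script below is an added example, not part of GMS or of the Novell documentation: check_ca_cert tests one PEM file against the four requirements using openssl x509 and openssl verify, append_ca_to_bundle adds the missing newline that the NOTE about a hard return refers to before appending, and bundle_cert_count reports how many certificates OpenSSL actually parses from a bundle, which drops to zero when two PEM blocks have been glued onto one line. The function names, the "Example GMS Test CA" root, the gwpoa.example.test certificate and the temporary directory are all constructed for the demo; on a real server you would call check_ca_cert /var/lib/datasync/mobility/yourCACertificate.pem instead.

```shell
#!/bin/sh
# Added example, not part of GMS or its documentation. Helpers built on the
# openssl CLI only: check_ca_cert (the four CA requirements listed above),
# append_ca_to_bundle ("cat >> mob_ca.pem" with the missing "hard return"
# handled) and bundle_cert_count (how many certificates OpenSSL really parses).
# The demo uses constructed certificates in a temp directory, never /var/lib/datasync/mobility.

check_ca_cert() {
    f="$1"; rc=0
    # 1. Base64 (PEM) encoding: DER files carry no BEGIN CERTIFICATE marker
    if grep -q -- '-----BEGIN CERTIFICATE-----' "$f" 2>/dev/null &&
       openssl x509 -in "$f" -noout >/dev/null 2>&1; then
        echo "PASS Base64 (PEM) encoded"
    else
        echo "FAIL not a Base64 (PEM) certificate: $f"; return 1
    fi
    # 2. Basic Constraints must mark the certificate as a CA
    if openssl x509 -in "$f" -noout -text | grep -q 'CA:TRUE'; then
        echo "PASS Basic Constraints CA:TRUE"
    else
        echo "FAIL Basic Constraints missing or CA:FALSE"; rc=1
    fi
    # 3. Today must lie between Valid from and Valid to: verifying a root against
    #    itself fails with "certificate is not yet valid" or "has expired" otherwise
    if openssl verify -CAfile "$f" "$f" >/dev/null 2>&1; then
        echo "PASS validity period includes today"
    else
        echo "FAIL expired, not yet valid, or does not verify against itself"; rc=1
    fi
    # 4. Issuer and Subject must match (a root CA is self-issued)
    subj=$(openssl x509 -in "$f" -noout -subject | sed 's/^subject=//')
    iss=$(openssl x509 -in "$f" -noout -issuer | sed 's/^issuer=//')
    if [ "$subj" = "$iss" ]; then
        echo "PASS Issuer matches Subject ($subj)"
    else
        echo "FAIL Issuer ($iss) differs from Subject ($subj)"; rc=1
    fi
    return $rc
}

# If the bundle does not end with a newline, a plain "cat >>" glues
# "-----END CERTIFICATE-----" and the next "-----BEGIN" onto one line and
# OpenSSL stops parsing there. Add the newline first when it is missing.
append_ca_to_bundle() {
    cert="$1"; bundle="$2"
    if [ -s "$bundle" ] && [ "$(tail -c 1 "$bundle" | wc -l)" -eq 0 ]; then
        printf '\n' >> "$bundle"
    fi
    cat "$cert" >> "$bundle"
}

# Number of certificates OpenSSL can parse from a PEM bundle (0 on a glued file)
bundle_cert_count() {
    openssl crl2pkcs7 -nocrl -certfile "$1" 2>/dev/null |
        openssl pkcs7 -print_certs -noout 2>/dev/null | grep -c '^subject' || true
}

# Constructed root CA for the demo (hypothetical name); writes <base>.key/.pem
make_test_ca() {
    base="$1"; cn="$2"
    cat > "$base.cnf" <<EOF
[req]
prompt = no
distinguished_name = dn
x509_extensions = ca_ext
[dn]
O = Example
CN = $cn
[ca_ext]
basicConstraints = critical, CA:TRUE
keyUsage = critical, keyCertSign, cRLSign
EOF
    openssl req -x509 -config "$base.cnf" -newkey rsa:2048 -nodes -sha256 \
        -days 365 -keyout "$base.key" -out "$base.pem" >/dev/null 2>&1
}

# Constructed POA-style end-entity certificate signed by that CA (must be rejected)
make_test_leaf() {
    ca="$1"; base="$2"; host="$3"
    openssl req -new -config "$ca.cnf" -subj "/CN=$host" -newkey rsa:2048 -nodes \
        -keyout "$base.key" -out "$base.csr" >/dev/null 2>&1
    printf 'basicConstraints = critical, CA:FALSE\nsubjectAltName = DNS:%s\n' "$host" > "$base.ext"
    openssl x509 -req -in "$base.csr" -CA "$ca.pem" -CAkey "$ca.key" -CAcreateserial \
        -days 365 -sha256 -extfile "$base.ext" -out "$base.pem" >/dev/null 2>&1
}

demo() {
    d=$(mktemp -d)
    make_test_ca "$d/ca" "Example GMS Test CA"
    make_test_leaf "$d/ca" "$d/poa" gwpoa.example.test
    echo "== root CA";  check_ca_cert "$d/ca.pem"  || echo "-> do not add to mob_ca.pem"
    echo "== POA cert"; check_ca_cert "$d/poa.pem" || echo "-> do not add to mob_ca.pem (expected)"
    # Both bundles start without a trailing newline, the situation the NOTE warns about
    printf '%s' "$(cat "$d/ca.pem")" > "$d/glued.pem";  cat "$d/poa.pem" >> "$d/glued.pem"
    printf '%s' "$(cat "$d/ca.pem")" > "$d/mob_ca.pem"; append_ca_to_bundle "$d/poa.pem" "$d/mob_ca.pem"
    echo "parsed certs: plain cat >> = $(bundle_cert_count "$d/glued.pem"), append_ca_to_bundle = $(bundle_cert_count "$d/mob_ca.pem")"
    rm -rf "$d"
}
demo
```

On a real system, run check_ca_cert against each CA file before appending it, then bundle_cert_count against mob_ca.pem afterwards; the count should equal the number of CA certificates you added (plus the contents of cacert.pem if you copied that in), and a count of zero means a glued END/BEGIN line needs the hard return the NOTE describes.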
Before you enable certificate verification, take a backup of the /var/lib/datasync/mobility/mob_ca.pem file.
Log in to the GMS WebAdmin.
Select Config > GroupWise.
Select SSL Certification Verification.
Select Apply.
In a terminal on the GMS server, restart GMS using the following command:
rcgms restart
You may experience SSL problems the first time you enable certificate verification. The following are helpful OpenSSL commands:
openssl s_client -showcerts -CAfile CA_public_certificate -connect poa_DNS:soap_port
Example: openssl s_client -showcerts -CAfile gwcacert.pem -connect gw.provo.novell.com:7191
openssl verify -issuer_checks -CAfile CA_public_certificate POA_certificate
Example: openssl verify -issuer_checks -CAfile cacert.pem gwpoa.pem
openssl x509 -in certificate -noout -text
Example: openssl x509 -in gwcacert.pem -noout -text
openssl s_client -showcerts -connect poa_DNS:soap_port
Example: openssl s_client -showcerts -connect gw.provo.novell.com:7191
openssl x509 -in certificate -noout -purpose
Example: openssl x509 -in gwcacert.pem -noout -purpose
Copyright © 2016 Novell, Inc., a Micro Focus company. All Rights Reserved.