Cool Blog: Securing your Agents, Part I
Novell Cool Solutions: Feature
By Alex Evans
Posted: 24 Jul 2007
I have a note in Tomboy with a list of blog topics that I have been compiling, so I am on a bit of a blogfest at the moment to get some of them done - incidentally I am looking for more topics if you have any ideas ...
Over the years I have dealt with huge numbers of GroupWise systems, both during onsite visits and on dialins, and a very common theme is that customers have not bothered to secure their agents in any shape or form - some not even enabling a username/password. At the most basic level I would certainly recommend securing the HTTP interface on any agent where you have enabled it. Yes, this is a bit of work, but if you don't, all traffic is basic, unencrypted HTTP - including the password. Here's how:
1. Set up a username and password to secure the agents; otherwise, the interface is completely open to the public. In ConsoleOne, go to the properties of the agent in question and, on the Agent Settings tab (optional agent settings on GWIA and WA), set an HTTP Username and Password. This does not need to exist in eDirectory; it's just an arbitrary name. If you are doing multiple agents, I would recommend trying to keep them all the same.
Quick Tip - Instead of having to remember all the HTTP ports, you can connect to the C/S port on the POA (normally 1677) or the MTP port on the MTA (normally 7100) and you will get redirected. For example: http://10.10.10.10:1677
At this point, all the traffic is still cleartext, so we need to SSLize the connection (not sure that's a word, but I like it). I don't think there is any need to get an expensive Verisign minted certificate for this - I would just use a self-signed cert from your own certificate server. The easiest way to do this is using iManager, but first you need to create a CSR (Certificate Signing Request).
2. Go to your GW CD/admin/utility/gwcsrgen and run gwcsrgen.exe. Fill it in like in the diagram, but make sure the values reflect your own server and that any filenames you use are 8.3 format.
3. Once you have the .key and the CSR, you can start iManager.
4. Down the left there should be a Novell Certificate Server task - expand that and select Issue Certificate. If it's not there, check to see if you have the .NPM installed (hit the configure option and see if you are told that there are new ones to install).
5. When you do get to the Wizard, browse for the CSR you created.
6. Select the usage - I put SSL or TLS and Server Authentication and User Authentication.
7. On the next page, select End Entity.
8. Accept the default 2 year validity and save as a Base64 format file.
9. Download the resulting certificate.
10. Now that you have a .key file and a .b64 file, copy these to a place where the agent can access them. For best practices I always place them at the root of the domain or PO directory.
11. Then, in ConsoleOne, go to the SSL Settings tab on the agent you want to secure.
12. Browse to the .b64 and the .key files you created.
13. Set the .key password to whatever you entered in gwcsrgen.
14. On the Network Address tab on the same agent, set the SSL dropdown next to HTTP to "Enabled". You are done with that agent.
You should now do the rest - you need to generate a new CSR, .key and .b64 for each server that runs the agents. What I have not tried, but it should work, is to create a wildcard certificate and key and secure all your agents using that. This would be much less time-consuming - if anyone out there has already done it and it worked, let us know.
Oh, and as a point worth noting, I spent an hour generating and regenerating certificates and swearing at iManager, because Firefox was giving me 8101 errors and refusing to connect. It was only when I went into IE that I noticed the certificate was not yet valid - my VMware session with my NetWare 6.5 box was running in the future, so the certificate had the wrong dates. So, sorry iManager.
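The clock problem above is worth checking for before a browser does it for you, and the same check tells you when the two-year validity from step 8 is about to run out. The script below is an added example, not code from the article or from Novell: it reads the .b64 file saved in step 8 (the path is assumed to be given on the command line), pulls notBefore/notAfter out of the DER structure with a small ASN.1 walker from the standard library only, and reports "not yet valid" or "expired" against the local clock. The optional `fetch_agent_cert` function does the same against a running agent; the port is assumed to be whatever you set for HTTP on the Network Address tab. `sample_certificate` builds a constructed, unsigned certificate-shaped blob used only for offline testing and is not a real certificate.

```python
"""Check the validity window of a GroupWise agent certificate (added example)."""
import base64
import socket
import ssl
import sys
from datetime import datetime, timedelta, timezone


def _read_tlv(buf, pos):
    """Decode one DER tag/length/value triple at buf[pos]; return (tag, value, next_pos)."""
    tag, length, pos = buf[pos], buf[pos + 1], pos + 2
    if length & 0x80:                         # long form: low bits give the byte count
        nbytes = length & 0x7F
        length = int.from_bytes(buf[pos:pos + nbytes], "big")
        pos += nbytes
    return tag, buf[pos:pos + length], pos + length


def _children(seq_body):
    """Yield (tag, value) for each element inside a SEQUENCE body."""
    pos = 0
    while pos < len(seq_body):
        tag, value, pos = _read_tlv(seq_body, pos)
        yield tag, value


def _parse_time(tag, value):
    """Convert DER UTCTime (0x17) or GeneralizedTime (0x18) to an aware UTC datetime."""
    text = value.decode("ascii")
    if tag == 0x17:                           # RFC 5280: YY 50-99 -> 19xx, 00-49 -> 20xx
        text = ("19" if int(text[:2]) >= 50 else "20") + text
    return datetime.strptime(text, "%Y%m%d%H%M%SZ").replace(tzinfo=timezone.utc)


def certificate_validity(der):
    """Return (not_before, not_after) from a DER-encoded X.509 certificate.

    Certificate ::= SEQUENCE { tbsCertificate SEQUENCE { [0] version OPTIONAL,
    serialNumber, signature, issuer, validity SEQUENCE { notBefore, notAfter }, ... } }
    """
    _, cert_body, _ = _read_tlv(der, 0)       # outer Certificate SEQUENCE
    tbs_tag, tbs, _ = _read_tlv(cert_body, 0)  # tbsCertificate
    if tbs_tag != 0x30:
        raise ValueError("tbsCertificate is not a SEQUENCE")
    fields = [(t, v) for t, v in _children(tbs) if t != 0xA0]   # drop [0] version
    val_tag, val_body = fields[3]             # serial, signature, issuer, validity, ...
    if val_tag != 0x30:
        raise ValueError("validity is not a SEQUENCE")
    not_before, not_after = [_parse_time(t, v) for t, v in _children(val_body)]
    return not_before, not_after


def classify(not_before, not_after, now=None, warn_days=30):
    """Describe the certificate's status relative to the clock of the machine running this."""
    now = now or datetime.now(timezone.utc)
    if now < not_before:
        return "not yet valid"                # issuing server's clock was ahead (or ours is behind)
    if now > not_after:
        return "expired"
    if now + timedelta(days=warn_days) > not_after:
        return "expiring soon"
    return "valid"


def load_der(path):
    """Read a Base64 (.b64/.pem, with or without BEGIN/END lines) or raw DER file."""
    data = open(path, "rb").read()
    if data[:1] == b"\x30":                   # already DER (SEQUENCE tag)
        return data
    lines = [ln for ln in data.splitlines() if ln and not ln.startswith(b"-----")]
    return base64.b64decode(b"".join(lines))


def fetch_agent_cert(host, port, timeout=5):
    """Fetch the DER certificate an agent presents on its HTTPS port.

    Verification is off only because a self-signed cert is expected; the
    dates are checked afterwards with certificate_validity/classify.
    """
    ctx = ssl.SSLContext(ssl.PROTOCOL_TLS_CLIENT)
    ctx.check_hostname = False
    ctx.verify_mode = ssl.CERT_NONE
    with socket.create_connection((host, port), timeout=timeout) as sock:
        with ctx.wrap_socket(sock, server_hostname=host) as tls:
            return tls.getpeercert(binary_form=True)


def _tlv(tag, body):
    """DER-encode one element; used only to build the constructed sample below."""
    n = len(body)
    if n < 0x80:
        return bytes([tag, n]) + body
    lb = n.to_bytes((n.bit_length() + 7) // 8, "big")
    return bytes([tag, 0x80 | len(lb)]) + lb + body


def sample_certificate(not_before, not_after):
    """Constructed, unsigned certificate-shaped blob carrying only the walked fields."""
    utc = lambda d: _tlv(0x17, d.strftime("%y%m%d%H%M%SZ").encode())
    tbs = (_tlv(0xA0, _tlv(0x02, b"\x02"))    # [0] version v3
           + _tlv(0x02, b"\x01")              # serialNumber
           + _tlv(0x30, b"") + _tlv(0x30, b"")  # signature algorithm, issuer (empty)
           + _tlv(0x30, utc(not_before) + utc(not_after))
           + _tlv(0x30, b""))                 # subject (empty)
    return _tlv(0x30, _tlv(0x30, tbs))


if __name__ == "__main__":
    # usage: python agent_cert_check.py /path/to/agent.b64   (path is an assumption)
    nb, na = certificate_validity(load_der(sys.argv[1]))
    print(f"notBefore={nb:%Y-%m-%d %H:%M}Z notAfter={na:%Y-%m-%d %H:%M}Z -> {classify(nb, na)}")
```

Run it against each .b64 before you touch ConsoleOne; a "not yet valid" result with a notBefore in the future is the VM-clock symptom described above, and fixing the server's clock and reissuing is cheaper than an hour with iManager.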
Novell Cool Solutions (corporate web communities) are produced by WebWise Solutions. www.webwiseone.com