5.1 Security Administration

5.1.1 Securing Communication with the LDAP Server

If your GroupWise system is configured to use LDAP authentication when users access their GroupWise mailboxes, then your LDAP server is already set up for a secure SSL LDAP connection with your Synchronizer system. If you are not yet using LDAP authentication in your GroupWise system, but you want to use secure LDAP for communication with your Synchronizer system, the GroupWise documentation provides information to help you set this up. See Trusted Root Certificates and LDAP Authentication in Security Administration in the GroupWise 2012 Administration Guide.

You can enable and disable SSL for the LDAP connection on the Global Settings page in Synchronizer Web Admin. For instructions, see Section 3.1.6, Enabling and Disabling SSL for the Synchronizer LDAP Connection.

5.1.2 Securing Communication between the GroupWise Connector and the GroupWise POA

The GroupWise Connector communicates with the GroupWise POA as a SOAP client. In order to secure communication between the GroupWise Connector and the GroupWise POA, the POA must be configured for secure SSL SOAP, as described in Supporting SOAP Clients in Post Office Agent in the GroupWise 2012 Administration Guide.

You can enable and disable SSL for the POA SOAP connections on the GroupWise Connector Configuration page in Synchronizer Web Admin. For instructions, see Enabling and Disabling SSL for POA SOAP Connections in GroupWise Connector Configuration in the GroupWise Connector Installation and Configuration Guide.

5.1.3 Securing Communication between the Mobility Connector and Mobile Devices (Mobility Pack Only)

In order to provide a secure SSL connection between the Mobility Connector and mobile devices, you must provide a server certificate on the Synchronizer server.

For issues with specific types of certificates, see Data Synchronizer Mobility Connector SSL Issues.

For SSL issues with specific types of devices, see Data Synchronizer Mobility Connector Devices.

Using a Self-Signed Certificate

When you have the Mobility Pack Installation program create a self-signed certificate for you, two certificate files are created in the /var/lib/datasync/device directory:

mobility.pem
mobility.cer

When a mobile device connects to the Mobility Connector, the Mobility Connector passes the self-signed certificate file (mobility.pem) to the mobile device. In most cases, the mobile device accepts the self-signed certificate and connects successfully.

Some mobile devices do not automatically accept self-signed certificates in PEM format. If you choose to use a self-signed certificate and if users encounter connection problems with particular mobile devices, explain the procedure in Manually Downloading a Certificate to a Mobile Device to the users who are encountering connection problems. This procedure enables users to use the mobility.cer file instead of the mobility.pem file on their mobile devices.

The self-signed certificate generated by the Installation program is issued to “DataSync Web Admin” rather than to a specific hostname. Some mobile devices require that a self-signed certificate be associated with a specific hostname. You can use YaST to generate a self-signed certificate with a specific hostname. If you need assistance with this task, refer to Using YaST on Linux in Security Administration in the GroupWise 2012 Administration Guide. Complete Step 1 through Step 4. Do not complete Step 5. By default, YaST generates a single self-signed certificate file as required for use with your Synchronizer system.

Using a Commercially Signed Certificate

IMPORTANT: You should obtain a commercially signed certificate for use with your Synchronizer system as quickly as possible.

For more detailed instructions, see TID 7006904: How to Configure Certificates from a Trusted CA for the Mobility Connector in the Novell Support Knowledgebase.

Selecting a Certificate Authority (CA)

Choose a certificate authority (CA) from the many available on the Web. If you do not want to immediately purchase a certificate, free temporary certificates are available from several Web sites, including:

Obtaining the Certificate

When you have selected a certificate authority, request a certificate in PEM format. If necessary, you can use a chained certificate or a wildcard certificate with your Synchronizer system, although these more complex types of certificates are not recommended.

In order to obtain a certificate, you need to send the certificate authority a certificate signing request (CSR).

One way to generate a CSR is to use the GWCSRGEN Utility, as described in Generating a Certificate Signing Request in Security Administration in the GroupWise 2012 Administration Guide. Another way is to use the openssl command, as described in HOWTO Keys.

NOTE: If you use a different method to generate the CSR, you might be prompted for the type of Web server where you plan to install the certificate. Synchronizer uses the CherryPy Web server.

The certificate authority returns one or more files to you. These files might require modification for use in your Synchronizer system. Save the files to a convenient location. If the certificate authority included a password, remove the password, as described in Removing a Password from a Key File. If the certificate authority provided multiple files, combine them into a single file, as described in Combining Files Received from a Certificate Authority.

Removing a Password from a Key File

If the key file provided by the certificate authority includes a password, you need to remove the password in order to use the key file in your Synchronizer system.

  1. Check to see if the key file includes a password.

    A password-protected key file includes the following line:

    Proc-Type: 4,ENCRYPTED

  2. Use the following command to remove the password:

    openssl rsa -in original_file_name.key -out passwordless_file_name.key

Combining Files Received from a Certificate Authority

If you receive more than one file from the certificate authority, such as a certificate file and a key file, you must combine the contents into a single file with the following format:

-----BEGIN RSA PRIVATE KEY-----
several_lines_of_private_key_text
-----END RSA PRIVATE KEY-----
-----BEGIN CERTIFICATE-----
several_lines_of_server_certificate_text
-----END CERTIFICATE-----

If the certificate authority provided an intermediate certificate, place it at the end of the file after the private key and the actual certificate.
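The two procedures above (removing the key password and combining the files) can be scripted and the result checked before it is installed. The following is an added example, not part of the Novell documentation; the input file names (server.key, server.crt, intermediate.crt) are assumptions about what the CA returned.

```shell
# Added example, not from the Novell documentation: assemble the combined
# mobility.pem described above and check it before copying it into
# /var/lib/datasync/device. The input file names are assumptions.

# Return 0 if a key file is still password-protected, i.e. carries the
# "Proc-Type: 4,ENCRYPTED" header the procedure tells you to look for.
key_is_encrypted() {
    grep -q '^Proc-Type: 4,ENCRYPTED' "$1"
}

# Write a passwordless copy of a key with the openssl command from the
# procedure (openssl prompts for the original password).
strip_key_password() {
    openssl rsa -in "$1" -out "$2"
}

# Concatenate the parts in the documented order: private key, server
# certificate, then the intermediate certificate if the CA supplied one.
# The result holds an unencrypted key, so make it owner-readable only.
build_mobility_pem() {
    out=$1; key=$2; cert=$3; inter=$4
    cat "$key" "$cert" > "$out"
    if [ -n "$inter" ]; then
        cat "$inter" >> "$out"
    fi
    chmod 600 "$out"
}

# Verify a combined file: key not encrypted and blocks in the documented
# order. Prints the comma-separated block sequence on success and returns
# non-zero with a message on stderr otherwise.
check_mobility_pem() {
    f=$1
    if key_is_encrypted "$f"; then
        echo "$f: key is still password-protected" >&2
        return 1
    fi
    blocks=$(grep '^-----BEGIN ' "$f" | sed 's/^-----BEGIN //; s/-----$//' | tr '\n' ',')
    case "$blocks" in
        'RSA PRIVATE KEY,CERTIFICATE,'|'RSA PRIVATE KEY,CERTIFICATE,CERTIFICATE,')
            echo "$blocks" ;;
        *)
            echo "$f: unexpected block order: $blocks" >&2
            return 1 ;;
    esac
}
```

In practice: run strip_key_password server.key server-nopass.key, then build_mobility_pem mobility.pem server-nopass.key server.crt intermediate.crt, and copy the file into /var/lib/datasync/device only when check_mobility_pem mobility.pem succeeds.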

Installing a Commercially Signed Certificate

  1. (Conditional) If you have been using a self-signed certificate, rename the existing /var/lib/datasync/device/mobility.pem file.

  2. Copy the certificate file received from the certificate authority to /var/lib/datasync/device.

  3. Rename it to mobility.pem.

  4. Restart the Mobility Connector.

  5. (Conditional) If your particular mobile device does not automatically accept the commercially signed certificate in PEM format, follow the instructions in Manually Converting a Certificate to DER Format.

IMPORTANT: If you uninstall the Synchronizer software, the certificate files associated with your Synchronizer system are also deleted. Back up commercially signed certificates in a location outside of /var/lib/datasync if you need to uninstall the Synchronizer software.

Manually Converting a Certificate to DER Format

Some mobile devices do not automatically accept certificates in PEM format. If users encounter connection problems with particular mobile devices, you can convert the PEM file that you received from the certificate authority into DER format to resolve these connection problems.

  1. Change to the /var/lib/datasync/device directory.

  2. Execute the following command:

    openssl x509 -in mobility.pem -inform PEM -out mobility.cer -outform DER

    NOTE: The file with the .cer extension must be in DER (Distinguished Encoding Rules) format.

  3. Have users with connection problems follow the instructions in Manually Downloading a Certificate to a Mobile Device to use the mobility.cer file instead of the mobility.pem file.

Manually Downloading a Certificate to a Mobile Device

  1. Access the Data Synchronizer User Options page on your mobile device at the following URL:

    https://data_synchronizer_server:8120

    Replace data_synchronizer_server with the IP address or DNS hostname of the Synchronizer server.

  2. Log in using your network user name and password.

    Manage My Connectors page displayed on a mobile device

  3. Click the Mobility Connector.

    Mobility Connector Options page displayed on a mobile device

  4. (Conditional) If you are the Synchronizer administrator and have associated your mobile device with the Synchronizer administrator account, click Users, then click the Edit User icon to display the Mobility Certificate File field.

  5. In the Mobility Certificate File field, click the Certificate icon (Download certificate file).

  6. Save the mobility.cer file to a convenient location on your mobile device.

  7. Import the certificate file into the certificate store on your mobile device.

    For device-specific instructions, see the Data Synchronizer Mobility Connector Devices Wiki.

  8. (Conditional) If you are not able to access the Data Synchronizer User Options page from your particular mobile device:

    1. Access the Data Synchronizer User Options page in a Web browser on your Linux or Windows desktop.

      Mobility Connector Options page displayed in a Web browser

    2. Save the mobility.cer file on your Linux or Windows workstation.

    3. Set up an IMAP email account on your mobile device, then email the mobility.cer file from your workstation to your mobile device.

      or

      Physically connect your mobile device to your workstation so that it appears as a drive on your workstation, then copy the mobility.cer file from your workstation to your device.

  9. Import the certificate file into the certificate store on your mobile device.

Enabling a Password Policy for Device Connections

For instructions, see Enabling a Device Password Security Policy in Mobility Connector Configuration in the Mobility Connector Installation and Configuration Guide.

5.1.4 Selecting a Specific Version of SSL

By default, the Mobility Connector accepts connections from mobile devices that use SSLv3 and TLSv1, but rejects connections from mobile devices that use SSLv2. If a user’s mobile device tries to connect using SSLv2, the user receives an error and cannot connect. You can enable and disable different versions of SSL protocols and also specify the cipher to use with the desired protocol.

  1. In Synchronizer Web Admin, click the Mobility Connector to display the Mobility Connector Configuration page, then click Edit XML Source to display the Connector XML Source window.

  2. Add the following tags between the <custom> and </custom> tags:

    <sslMethod>value</sslMethod>
    <sslCiphers>list</sslCiphers>

  3. In the <sslMethod> tag, replace value with any of the following values:

    SSL Version          Value
    SSLv2                1 (not recommended)
    SSLv3                2
    TLSv1                4
    All of the above     3 (not recommended)
    SSLv3 and TLSv1      5 (default)

  4. In a terminal window, use the following command to determine the ciphers that are available on your system:

    openssl ciphers -ssl3

  5. In the <sslCiphers> tag in the Connector XML Source window, replace list with the desired values as provided by the openssl command.

  6. Click Save XML to save your changes, then click Home to return to the main Synchronizer Web Admin page.

  7. Restart the Mobility Connector to put the desired SSL protocol and ciphers into effect.
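Before saving the XML source, it is worth checking that the chosen sslMethod value does not re-enable SSLv2 and that every cipher in the list is one the system actually offers. The function below is an added example, not part of the Novell documentation or the Synchronizer software; it reads a saved copy of the Connector XML Source (a file name you choose) and takes the available cipher list as its second argument, in practice the output of the openssl ciphers -ssl3 command from step 4.

```shell
# Added example, not from the Novell documentation: audit the <sslMethod>
# and <sslCiphers> values in a saved copy of the Mobility Connector XML
# source. Usage: audit_connector_ssl connector.xml "$(openssl ciphers -ssl3)"
# Returns non-zero if SSLv2 would be enabled, the value is not one of the
# documented ones, or a listed cipher is not available on this system.
audit_connector_ssl() {
    xml=$1; available=$2; rc=0
    method=$(sed -n 's|.*<sslMethod>\([^<]*\)</sslMethod>.*|\1|p' "$xml" | head -n 1)
    ciphers=$(sed -n 's|.*<sslCiphers>\([^<]*\)</sslCiphers>.*|\1|p' "$xml" | head -n 1)
    # Protocol set per the documented value table (5 is the default).
    case "$method" in
        "")  echo "sslMethod absent: default 5 (SSLv3 and TLSv1)" ;;
        2)   echo "sslMethod 2: SSLv3 only" ;;
        4)   echo "sslMethod 4: TLSv1 only" ;;
        5)   echo "sslMethod 5: SSLv3 and TLSv1" ;;
        1|3) echo "sslMethod $method enables SSLv2 (not recommended)"; rc=1 ;;
        *)   echo "sslMethod $method is not a documented value"; rc=1 ;;
    esac
    # Every cipher in the colon-separated list must appear in the
    # colon-separated list of ciphers openssl reported as available.
    for c in $(printf '%s' "$ciphers" | tr ':' ' '); do
        case ":$available:" in
            *":$c:"*) ;;
            *) echo "cipher $c is not available on this system"; rc=1 ;;
        esac
    done
    return $rc
}
```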