These sections contain information for securing GroupWise Web using certificates.
GroupWise Web creates self-signed certificates when you run the docker image. You can supply your own commercial certificates for GroupWise Web for enhanced security. The certificates must follow the requirements found in Configuring Server Certificates and TLS in the GroupWise 18 Administration Guide.
When you run with commercially signed certificates, you need to specify the location of the certificates in the docker run command. Below is an example of the command to run GroupWise Web with commercially signed certificates:
Running GroupWise Web with commercially signed certificates:
docker run -d --rm -v /opt/novell/gw:/etc/nginx/gw --name gwweb -e FQDN=webacc.acme.com -e DNS_SERVER=192.168.1.5 -p 80:80 -p 443:443 -v /opt/novell/gw/certs:/certs mfgroupwise/web:latest
NOTE: /opt/novell/gw/certs should contain the server.key and server.crt files for your commercially signed certificates.
If you update the certificate on the POA/DVA after the GroupWise Web image is running, you can have GroupWise Web retrieve the new certificates and start using the POA/DVA without restarting the GroupWise Web image. This is also needed if the POA/DVA was not accessible when the GroupWise Web image was started but is available now. Use the following docker command to update the certificates:
docker exec <container_name or container_id> bash -c "/update/update-certs.sh"
Example
docker exec gwweb bash -c "/update/update-certs.sh"
You can use either the container name or the container id to run the command.
NOTE: Restarting the GroupWise Web image also updates the POA/DVA certificates.
In GroupWise 18.4 and later, GroupWise Web has enhanced security by performing certificate checks on the GroupWise Admin Service, POA, and DVA certificates. The checks make sure that the Subject Alternative Name on each certificate matches the GroupWise Admin Service, POA, or DVA it belongs to, and that the certificate's validity dates are current.
The GroupWise Admin Service check is enabled by default and cannot be disabled. The POA check is enabled by default and can be disabled. The DVA check is disabled by default, but can be enabled. To be fully secure, you should enable all of the certificate verification checks.
NOTE: The POA check and the DVA check are independent of each other and can be run together, separately, or not at all.
The GroupWise Admin Service check is done when the web-config utility runs to get the POA and DVA information for your GroupWise system. If the GroupWise Admin Service check runs properly, the web-config utility creates four files: web.conf, poas.conf, dvas.conf, and ca.crt.
In order for the GroupWise Admin Service check to pass, you need to use a GroupWise self-signed certificate with the Fully Qualified Domain Name or IP address of the GroupWise server as the Subject Alternative Name on the certificate.
The POA check is part of the running GroupWise Web image and is enabled by default. GroupWise Web checks every POA against its certificate to make sure it matches and is valid.
In order for the POA check to pass, the certificate Subject Alternative Name must match the hostname specified in the poa.conf file. Certificate requirements and recommendations can be found in Configuring Server Certificates and TLS in the GroupWise 18 Administration Guide.
NOTE: If the Subject Alternative Name in the certificate and the poa.conf file do not match, it is easier to change the poa.conf file than to get a new certificate.
You do not need to change your docker run command if you want to use POA certificate verification. If you do not want to use POA certificate verification, you must include the switch GWSOAP_SSL_VERIFY=off. Below is an example of running the GroupWise Web docker image with POA certificate verification turned off:
docker run -it -v /opt/novell/gw:/config -e GWADMIN_SERVICE=admin@192.168.1.1:9710 -e GWSOAP_HOST_DEFAULT=192.168.1.2 -e GWSOAP_SSL_VERIFY=off mfgroupwise/web-config:18.4.0-111
The DVA check is part of the running GroupWise Web image and is disabled by default. You can enable the DVA check by adding the GWDVA_SSL_VERIFY=on switch to your docker run command. You must also add GWDVA_SSL_DNS= and specify your domain to use for the check. GroupWise Web checks every DVA against its certificate to make sure it matches and is valid. DVAs that do not pass the check are not used by GroupWise Web if the DVA check is enabled.
In order for the DVA check to pass, the certificate Subject Alternative Name must match the domain name specified in the GWDVA_SSL_DNS= switch in the docker run command. Wildcard certificates can be used for your DVAs as long as the GWDVA_SSL_DNS= switch specifies the DNS name that is in the Subject Alternative Name on the wildcard certificate. Certificate requirements and recommendations can be found in Configuring Server Certificates and TLS in the GroupWise 18 Administration Guide.
Below is an example of running the GroupWise Web docker image with DVA certificate verification enabled:
docker run -it -v /opt/novell/gw:/config -e GWADMIN_SERVICE=admin@192.168.1.1:9710 -e GWSOAP_HOST_DEFAULT=192.168.1.2 -e GWDVA_SSL_VERIFY=on -e GWDVA_SSL_DNS=acme.com mfgroupwise/web-config:18.4.0-111
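The POA and DVA checks described above come down to two questions: does a Subject Alternative Name on the certificate cover the configured hostname (including the wildcard case), and is the current time inside the certificate's validity window. The following is an added illustration of that logic, written here for this page; it is not GroupWise's own code, and the page does not spell out the exact comparison GroupWise applies (for example how GWDVA_SSL_DNS= is compared against a wildcard SAN), so the one-label wildcard rule used below is an assumption. Certificates are represented in the dictionary shape that Python's ssl.SSLSocket.getpeercert() returns, and all hostnames, dates and certificate contents are constructed sample data. Running it against a list of servers shows which ones would fail and why, which is the information you need before deciding whether to fix poa.conf, GWDVA_SSL_DNS=, or the certificate itself.

```python
"""Added illustration of a SAN + validity-date certificate check (not
GroupWise's code). Certificates use the dict shape returned by
ssl.SSLSocket.getpeercert(); all sample data below is constructed."""
import ssl
from datetime import datetime, timezone


def hostname_matches(expected, dns_name):
    """Return True if a SAN entry covers the expected hostname.

    Assumed wildcard rule: '*' is honoured only as the whole leftmost label
    ('*.acme.com') and matches exactly one label, so '*.acme.com' covers
    'dva1.acme.com' but not 'acme.com' or 'a.b.acme.com'.
    """
    expected = expected.lower().rstrip(".")
    dns_name = dns_name.lower().rstrip(".")
    if not dns_name.startswith("*."):
        return expected == dns_name
    suffix = dns_name[1:]              # '.acme.com'
    if not expected.endswith(suffix):
        return False
    left = expected[: -len(suffix)]    # 'dva1'
    return bool(left) and "." not in left


def check_certificate(cert, expected_name, now=None):
    """Return the list of reasons the certificate fails; [] means it passes."""
    now = now or datetime.now(timezone.utc)
    problems = []
    # getpeercert() dates look like 'Jan  1 00:00:00 2024 GMT' (UTC)
    not_before = ssl.cert_time_to_seconds(cert["notBefore"])
    not_after = ssl.cert_time_to_seconds(cert["notAfter"])
    ts = now.timestamp()
    if ts < not_before:
        problems.append("certificate not yet valid")
    if ts > not_after:
        problems.append("certificate expired")
    sans = [v for kind, v in cert.get("subjectAltName", ())
            if kind in ("DNS", "IP Address")]
    if not sans:
        problems.append("certificate has no Subject Alternative Name")
    elif not any(hostname_matches(expected_name, s) for s in sans):
        problems.append(f"no SAN entry matches {expected_name!r} (SANs: {sans})")
    return problems


def usable_servers(servers, now=None):
    """Map each configured server name to its list of problems (empty = usable)."""
    return {name: check_certificate(cert, name, now) for name, cert in servers.items()}


# Constructed sample: configured server names (as poas.conf or GWDVA_SSL_DNS=
# might name them) and what each server's certificate actually carries.
SAMPLE_NOW = datetime(2024, 6, 1, tzinfo=timezone.utc)
SAMPLE_SERVERS = {
    # SAN matches the configured FQDN and the dates are current: passes
    "poa1.acme.com": {"subjectAltName": (("DNS", "poa1.acme.com"),),
                      "notBefore": "Jan  1 00:00:00 2024 GMT",
                      "notAfter": "Dec 31 23:59:59 2024 GMT"},
    # SAN holds only the short name: fails the name match
    "poa2.acme.com": {"subjectAltName": (("DNS", "poa2"),),
                      "notBefore": "Jan  1 00:00:00 2024 GMT",
                      "notAfter": "Dec 31 23:59:59 2024 GMT"},
    # IP-address SAN matches, but the certificate expired last year
    "192.168.1.7": {"subjectAltName": (("IP Address", "192.168.1.7"),),
                    "notBefore": "Jan  1 00:00:00 2023 GMT",
                    "notAfter": "Dec 31 23:59:59 2023 GMT"},
    # Wildcard certificate covering one label under acme.com: passes
    "dva1.acme.com": {"subjectAltName": (("DNS", "*.acme.com"),),
                      "notBefore": "Jan  1 00:00:00 2024 GMT",
                      "notAfter": "Dec 31 23:59:59 2024 GMT"},
}

if __name__ == "__main__":
    for name, problems in usable_servers(SAMPLE_SERVERS, SAMPLE_NOW).items():
        print(f"{name}: {'OK' if not problems else '; '.join(problems)}")
```

In production the dictionaries would come from a real TLS handshake to each POA or DVA rather than from constructed data; the matching and date logic is the same either way.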