54.1 Configuring Single Sign-On with KeyShield

GroupWise 2014 R2 supports KeyShield’s single sign-on capabilities, allowing users to bypass logins by virtue of logging in once with KeyShield. This is enabled through the KeyShield client on a workstation. For more information on KeyShield, please visit their website.

54.1.1 System Requirements

  • The LDAP servers for GroupWise and KeyShield must be the same.

  • Your GroupWise Post Offices, KeyShield server, and workstations must be time synced.

  • You must be running KeyShield 6.0.2 or higher.

  • You must be running GroupWise 2014 R2 or higher.

54.1.2 Configuring KeyShield SSO

  1. (Conditional) If KeyShield is protected by APIKeys, create an API authorization for GroupWise in the KeyShield SSO console > Configuration > API > API Authorizations.

  2. On the Configuration > API > API Configuration page, if you want to use HTTPS, upload PKCS#12 keystore file from the KeyShield server to generate a certificate.


    On the Configuration > API > API Configuration page, generate a self signed certificate.

  3. (Optional) Modify the API Certificate validity and API Certificate notBefore parameters as needed.

  4. Apply the certificate configuration so the certificate is generated. Return to the API Configuration page edit mode and click Download next to the keystore name field.

  5. In the GroupWise Admin console, go to System > System Preferences and upload the certificate in the KeyShield SSO Certificate field.

    The certificate is replicated to all GroupWise POAs.

  6. In the GroupWise Admin console, enable KeyShield SSO on the Client Options > Security page of the Domain, Post Office, or User where you are using KeyShield.

  7. (Optional) To use KeyShield with Web Access, the KeyShield SSO Options must be enabled in the webacc.cfg file on the Web Access server.