Secure Sockets Layer (SSL) ensures secure communication between programs by encrypting the complete communication flow between the programs. The Installation program required configuring the messaging agent for SSL encryption, as described in Installing a Novell Messenger System
in the Novell Messenger 3.0 Installation Guide.
When you set up SSL encryption during installation, the Installation program copied the certificate file and key file you specified to the \novell\nm\certs directory to ensure availability for the Messenger agents.
If you want to import a new certificate or switch from internal to external certificates, you must complete the following tasks:
Before the Messaging Agent can use external SSL encryption, you must create a certificate by generating a certificate signing request (CSR) and having it issued by a certificate authority (CA). This can be issued either by a public CA or a local CA, such as Novell Certificate Server. (Novell Certificate Server, which runs on a server with NetIQ eDirectory, enables you to establish your own Certificate Authority and issue server certificates for yourself. For more information, see the Novell Certificate Server documentation site.). The CSR includes the hostname of the server where the Messaging Agent runs. The Messaging Agent and the Archive Agent can use the same certificate if they run on the same server. The CSR also includes your choice of name and password for the private key file that must be used with each certificate. This information is needed when configuring the Messaging Agent to use SSL encryption.
One way to create a CSR is to use the GroupWise GWCSRGEN utility. See Generating a Certificate Signing Request
in the GroupWise 2014 Administration Guide for instructions. This utility takes the information you provide and creates a .csr file to submit to a certificate authority. You might want to name the .csr file after the server it goes with. For example, server_name.csr.
To receive a server certificate, you need to submit the certificate signing request (server_name.csr file) to a certificate authority. If you have not previously used a certificate authority, you can use the keywords “Certificate Authority” to search the web for certificate authority companies. You can also issue your own certificates with a local CA, such as Novell Certificate Server. (Novell Certificate Server, which runs on a server with NetIQ eDirectory, enables you to establish your own Certificate Authority and issue server certificates for yourself. For more information, see the Novell Certificate Server documentation site.)
The certificate authority must be able to provide the certificate in Base64/PEM or PFX format.
IMPORTANT:You cannot use an eDirectory root certificate (rootcert.der file) as a public certificate.
The process of submitting the CSR varies from company to company. Most provide online submission of the request. Follow their instructions for submitting the request.
After processing your CSR, the certificate authority returns to you a certificate (server_name.crt) file and a private key (server_name.key) file. Copy the files to the certs subdirectory of the Messenger agent installation directory.
After you have a certificate and a private key file available on the server where the Messaging Agent runs, you are ready to configure the Messaging Agent to use SSL encryption.
In ConsoleOne, browse to and expand the Messenger Service object.
Right-click the Messenger Server object, then click Properties.
Click Server > Security.
Fill in the following fields:
Certificate Path: Certificates are placed by default in \novell\nm\certs for Windows, and /opt/novell/messenger/certs for Linux.
IMPORTANT:The certificate path must be located on the same server where the Messenger agents are installed. If your SSL certificate and key file are located on a different server, you must copy them into the directory specified in the Certificate Path field so that they are always accessible to the Messenger agents.
SSL Certificate: Browse to and select the certificate file. Or, if it is located in the directory specified in the Certificate Path field, you can simply type the file name.
SSL Key File: Browse to and select your private key file. Or, if it is located in the directory specified in the Certificate Path field, you can simply type the file name.
Set Password: Provide the key file password you established when you submitted the certificate signing request.
Because you provided the SSL information on the Messenger Server object, it applies to both the Messaging Agent and the Archive Agent if both agents are running on the same server. The same information can be provided on the Security page of each Messenger agent if necessary.
Click OK to save the SSL settings.
Stop and then start the Messaging Agent to start using SSL encryption.
Corresponding Startup Switches: You can also use the /certpath, /certfile, /keyfile, and /keypassword startup switches in the Messaging Agent startup file to modify the Messaging Agent SSL certificates.
You can modify the SSL cipher suite if you need to disable certain ciphers that do not work in your environment. The ciphers suite can be modified both on the Archive Agent and the Messaging agent.
IMPORTANT:Unless you are required to modify the cipher suite for your environment, consider carefully before you make any changes as this decreases the security of your Messenger system.
The cipher list must be in OpenSSL format. For more information on OpenSSL format, see Cipher List Format.
To modify the SSL cipher suite use the /sslciphersuite startup switch.