2.3 Establishing Messaging Security with SSL Encryption

Secure Sockets Layer (SSL) ensures secure communication between programs by encrypting the complete communication flow between the programs. The Installation program offered the opportunity to configure the Messaging Agent for SSL encryption, as described in Installing a Novell Messenger System in the Novell Messenger 2.1 Installation Guide.

Figure 2-3 Security Configuration Page in the Messenger Installation Program

If you set up SSL encryption during installation, the Installation program copied the certificate file and key file you specified to the \novell\nm\certs directory to ensure availability for the Messenger agents.

If you did not set up SSL encryption during installation, you can easily do so after installation. If you have not already set up SSL encryption on your system, you must complete the following tasks:

2.3.1 Generating a Certificate Signing Request and Private Key

Before the Messaging Agent can use SSL encryption, you must send a certificate signing request (CSR) to a certificate authority (CA) and receive a public certificate file in return. The CSR includes the hostname of the server where the Messaging Agent runs. The Messaging Agent and the Archive Agent can use the same certificate if they run on the same server. The CSR also includes your choice of name and password for the private key file that must be used with each certificate. This information is needed when configuring the Messaging Agent to use SSL encryption.

One way to create a CSR is to use the GroupWise GWCSRGEN utility. See Generating a Certificate Signing Request in Security Administration in the GroupWise 8 Administration Guide for instructions. This utility takes the information you provide and creates a .csr file to submit to a certificate authority. You might want to name the .csr file after the server it goes with, for example, server_name.csr.

2.3.2 Submitting the Certificate Signing Request to a Certificate Authority

To receive a server certificate, you need to submit the certificate signing request (server_name.csr file) to a certificate authority. If you have not previously used a certificate authority, you can use the keywords “Certificate Authority” to search the Web for certificate authority companies. The certificate authority must be able to provide the certificate in Base64/PEM or PFX format.

IMPORTANT: You cannot use an eDirectory root certificate (rootcert.der file) as a public certificate.

The process of submitting the CSR varies from company to company. Most provide online submission of the request. Follow their instructions for submitting the request.

The Novell Certificate Server, which runs on a NetWare server with Novell eDirectory, enables you to establish your own Certificate Authority and issue server certificates for yourself. For more information, see the Novell Certificate Server site.

2.3.3 Installing the Certificate on the Server

After processing your CSR, the certificate authority returns to you a certificate (server_name.crt) file and a private key (server_name.key) file. Copy the files to the certs subdirectory of the Messenger agent installation directory.
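The three file-preparation steps above, worked through with OpenSSL instead of the GWCSRGEN utility, plus the checks worth running on the returned files before they go into the certs directory. This is an added example, not part of the Novell guide; HOST, KEY_PASS and CERT_DIR are assumed values, and the self-signing step merely stands in for the certificate authority so the checks can run offline.

```shell
#!/bin/sh
# Added example, not from the Novell guide: prepare and sanity-check the
# certificate (.crt) and password-protected key (.key) files the Messaging
# Agent expects, with OpenSSL standing in for GWCSRGEN. HOST, KEY_PASS and
# CERT_DIR are assumed values; CERT_DIR stands in for the agent's certs dir.
set -eu
HOST="${HOST:-nmserver.example.com}"   # hostname of the Messaging Agent server
KEY_PASS="${KEY_PASS:-changeit}"       # password later entered under "Set Password"
CERT_DIR="${CERT_DIR:-$(mktemp -d)}"   # e.g. /opt/novell/messenger/certs on Linux

# 2.3.1: encrypted private key plus a CSR whose CN is the server hostname.
make_csr() {
    openssl genrsa -aes256 -passout "pass:$KEY_PASS" -out "$CERT_DIR/$HOST.key" 2048 2>/dev/null
    openssl req -new -key "$CERT_DIR/$HOST.key" -passin "pass:$KEY_PASS" \
        -subj "/CN=$HOST" -out "$CERT_DIR/$HOST.csr" 2>/dev/null
}

# 2.3.2 stand-in: self-sign the CSR so the checks below can run without a CA.
# In production the CA (or Novell Certificate Server) returns the .crt instead.
issue_cert() {
    openssl x509 -req -in "$CERT_DIR/$HOST.csr" -signkey "$CERT_DIR/$HOST.key" \
        -passin "pass:$KEY_PASS" -days 365 -out "$CERT_DIR/$HOST.crt" 2>/dev/null
}

# 2.3.3: checks worth running before the files go into the certs directory:
#   - the certificate is Base64/PEM, not DER (rootcert.der would fail here)
#   - its CN is the hostname the agent runs on
#   - the password actually decrypts the key file
#   - certificate and key share the same RSA modulus (i.e. they are a pair)
# Usage: check_pair CRT KEY PASSWORD EXPECTED_HOST ; returns 1 on any failure.
check_pair() {
    crt=$1; key=$2; pass=$3; host=$4
    grep -q -- "-----BEGIN CERTIFICATE-----" "$crt" || return 1
    openssl x509 -in "$crt" -noout -subject | grep -q "CN *= *$host" || return 1
    km=$(openssl rsa -in "$key" -passin "pass:$pass" -noout -modulus 2>/dev/null) || return 1
    cm=$(openssl x509 -in "$crt" -noout -modulus)
    [ "$cm" = "$km" ]
}

make_csr && issue_cert
if check_pair "$CERT_DIR/$HOST.crt" "$CERT_DIR/$HOST.key" "$KEY_PASS" "$HOST"; then
    echo "files in $CERT_DIR are a consistent pair for $HOST; copy them to the certs directory"
fi
```

A certificate that fails the modulus comparison or the password check is exactly what produces an agent that refuses to start with SSL enabled, so the check is cheaper than debugging it after the restart in step 6 of the next section.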

2.3.4 Configuring the Messaging Agent for SSL

After you have a public certificate and a private key file available on the server where the Messaging Agent runs, you are ready to configure the Messaging Agent to use SSL encryption.

  1. In ConsoleOne, browse to and expand the Messenger Service object.

  2. Right-click the Messenger Server object, then click Properties.

  3. Click Server > Security.

    Server Security page (screenshot)

  4. Fill in the following fields:

    Certificate Path: This field defaults to \novell\nm\certs for NetWare and Windows, and /opt/novell/messenger/certs for Linux.

    IMPORTANT: The certificate path must be located on the same server where the Messenger agents are installed. If your SSL certificate and key file are located on a different server, you must copy them into the directory specified in the Certificate Path field so that they are always accessible to the Messenger agents.

    SSL Certificate: Browse to and select the public certificate file. Or, if it is located in the directory specified in the Certificate Path field, you can simply type the filename.

    SSL Key File: Browse to and select your private key file. Or, if it is located in the directory specified in the Certificate Path field, you can simply type the filename.

    Set Password: Provide the key file password you established when you submitted the certificate signing request.

    Enable SSL: Select this option to enable SSL encryption for your Messenger system.

    Because you provided the SSL information on the Messenger Server object, it applies to both the Messaging Agent and the Archive Agent if both agents are running on the same server. The same information can be provided on the Security page of each Messenger agent if necessary.

  5. Click OK to save the SSL settings.

  6. Stop and then start the Messaging Agent to start using SSL encryption.

Corresponding Startup Switches: You can also use the /certpath, /certfile, /keyfile, /keypassword, and /ssl startup switches in the Messaging Agent startup file to configure the Messaging Agent to use SSL encryption.