iChain 2.2 - GroupWise WebAccess Configuration Quick Start

(Last modified: 03Sep2004)

This document (10080212) is provided subject to the disclaimer at the end of this document.

goal

iChain 2.2 - GroupWise WebAccess Configuration Quick Start

fact

iChain 2.2

GroupWise 6 SP2

fix

GroupWise 6/SP2 WebAccess 

Browser access to a user’s GroupWise mailbox is provided by WebAccess (strtweb.ncf) using a URL similar to http://1300e.gwise.dsm.cit.novell.com/servlet/webacc. WebAccess is implemented as a servlet. Monitoring agents are also available for administrative purposes through a browser. Default port numbers for these web applications are given below.  For secure access to the Monitor agents using SSL, the GroupWise utility GWCSRGEN.EXE is used to create a CSR and private key. Follow GroupWise documentation for this procedure. Typical access ports are shown below:

WebAccess Monitor: 7205

Domain Monitor: 7180

POA Monitor: 7181

GWIA Monitor: 9850

User access to mailbox: 80 or 443

When installing GroupWise WebAccess onto a NetWare 6 server, Enterprise Web Server and Tomcat are the default choices for web server and servlet engine. For this example, the Enterprise Server’s default index.html has been replaced with the index.html provided by GroupWise WebAccess.

Accelerator Configuration:

For this example, the GroupWise 6/SP1 components have been installed on a single NW6/SP2 server. All GroupWise Monitoring agents have been configured for SSL. Five iChain accelerators will be configured using path-based multi-homing, one for each of the services/ports shown above.

On Web Server Accelerator page:

Name: Webacc (This will be the multi-home master, used for user mailbox access via URL "http://1300e.gwise.dsm.cit.novell.com")

DNS Name: 1300e.gwise.dsm.cit.novell.com

Cookie Domain: dsm.cit.novell.com

"Use host name sent by browser" is selected

Web Server Port: 80

Web Server Address: 10.251.201.253 (NW6/sp2 server with GroupWise)

Accelerator Proxy port: 443

Accelerator IP address: 10.251.200.1

"Enable Authentication" is enabled

Authentication options:

Service Profile=ldap

Forward authentication info to web server:  Not selected

Enable Secure Exchange is enabled

SSL Listening Port: 446

Certificate: Auto

Secure Exchange Options:

Client<-446->Proxy<-443->Web Server

"Enable secure access between iChain Proxy and the Origin  Web Server" is enabled

"Allow pages to be cached at the browser" is not enabled

 

Name: POA (Child of Webacc, used for administrator access to POA Monitor via URL "http://1300e.gwise.dsm.cit.novell.com/poa")

DNS Name: 1300e.gwise.dsm.cit.novell.com

Cookie Domain: dsm.cit.novell.com

"Use host name sent by browser" is selected

Web Server Port: 7181

Web Server Address: 10.251.201.253 (NW6/sp2 server with GroupWise)

Accelerator Proxy port: 80

Accelerator IP address: 10.251.200.1

"Enable Authentication" is enabled

Authentication options:

Service Profile=ldap

Forward authentication info to web server:  Not selected

"Enable Secure Exchange" is enabled

SSL Listening Port: 446

Certificate: Auto

Secure Exchange Options:

Client<-446->Proxy<-7181->Web Server

"Enable secure access between iChain Proxy and the Origin  Web Server" is not enabled

"Allow pages to be cached at the browser" is not enabled

 "Enable multi-homing" is enabled

"Multi-home Master" set to "Webacc"

"Multi-homing options":

"Path based multi-homing" is selected

"Sub-path match string" set to "/poa"

"Starts with" is selected

"Remove sub-path from URL" is selected

Name: Domain (Child of Webacc, used for administrator access to Domain Monitor via URL "http://1300e.gwise.dsm.cit.novell.com/domain")

DNS Name: 1300e.gwise.dsm.cit.novell.com

Cookie Domain: dsm.cit.novell.com

"Use host name sent by browser" is selected

Web Server Port: 7180

Web Server Address: 10.251.201.253 (NW6/sp2 server with GroupWise)

Accelerator Proxy port: 80

Accelerator IP address: 10.251.200.1

"Enable Authentication" is enabled

Authentication options:

Service Profile=ldap

Forward authentication info to web server:  Not selected

"Enable Secure Exchange" is enabled

SSL Listening Port: 446

Certificate: Auto

Secure Exchange Options:

Client<-443->Proxy<-7180->Web Server

"Enable secure access between iChain Proxy and the Origin  Web Server" is not enabled

"Allow pages to be cached at the browser" is not enabled

"Enable multi-homing" is enabled

"Multi-home Master" set to "Webacc"

"Multi-homing options":

"Path based multi-homing" is selected

"Sub-path match string" set to "/domain"

"Starts with" is selected

"Remove sub-path from URL" is selected

 

Name: GWIA (Child of Webacc, used for administrator access to GWIA Monitor via URL "http://1300e.gwise.dsm.cit.novell.com/gwia")

DNS Name: 1300e.gwise.dsm.cit.novell.com

Cookie Domain: dsm.cit.novell.com

"Use host name sent by browser" is selected

Web Server Port: 9850

Web Server Address: 10.251.201.253 (NW6/sp2 server with GroupWise)

Accelerator Proxy port: 80

Accelerator IP address: 10.251.200.1

"Enable Authentication" is enabled

Authentication options:

Service Profile=ldap

Forward authentication info to web server:  Not selected

"Enable Secure Exchange" is enabled

SSL Listening Port: 446

Certificate: Auto

Secure Exchange Options:

Client<-446->Proxy<-9850->Web Server

"Enable secure access between iChain Proxy and the Origin  Web Server" is not enabled

"Allow pages to be cached at the browser" is not enabled

"Enable multi-homing" is enabled

"Multi-home Master" set to "Webacc"

"Multi-homing options":

"Path based multi-homing" is selected

"Sub-path match string" set to "/gwia"

"Starts with" is selected

"Remove sub-path from URL" is selected

 

Name: WebAcc2 (Child of Webacc, used for administrator access to WebAccess Monitor via URL "http://1300e.gwise.dsm.cit.novell.com/webacc")

DNS Name: 1300e.gwise.dsm.cit.novell.com

Cookie Domain: dsm.cit.novell.com

"Use host name sent by browser" is selected

Web Server Port: 7205

Web Server Address: 10.251.201.253 (NW6/sp2 server with GroupWise)

Accelerator Proxy port: 80

Accelerator IP address: 10.251.200.1

"Enable Authentication" is enabled

Authentication options:

Service Profile=ldap

Forward authentication info to web server:  Not selected

"Enable Secure Exchange" is enabled

SSL Listening Port: 446

Certificate: Auto

Secure Exchange Options:

Client<-446->Proxy<-7205->Web Server

"Enable secure access between iChain Proxy and the Origin  Web Server" is not enabled

"Allow pages to be cached at the browser" is not enabled

 "Enable multi-homing" is enabled

"Multi-home Master" set to "Webacc"

"Multi-homing options":

"Path based multi-homing" is selected

"Sub-path match string" set to "/webacc"

"Starts with" is selected

"Remove sub-path from URL" is selected
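The sketch below models how the five accelerators above share one DNS name through path-based multi-homing. It is an added illustration, not iChain code: the `route` function, the longest-prefix ordering, and the treatment of "Starts with" as a plain string prefix are assumptions; the names, sub-paths, origin address and "Web Server Port" values are taken from the settings listed above.

```python
from typing import NamedTuple, Optional, Tuple

ORIGIN = "10.251.201.253"  # "Web Server Address" shared by every accelerator


class Accelerator(NamedTuple):
    name: str
    origin_port: int          # "Web Server Port"
    sub_path: Optional[str]   # "Sub-path match string"; None for the master


MASTER = Accelerator("Webacc", 80, None)
CHILDREN = [
    Accelerator("POA", 7181, "/poa"),
    Accelerator("Domain", 7180, "/domain"),
    Accelerator("GWIA", 9850, "/gwia"),
    Accelerator("WebAcc2", 7205, "/webacc"),
]


def route(path: str) -> Tuple[str, str, int, str]:
    """Return (accelerator, origin host, origin port, path sent to the origin)."""
    # Assumption: longest sub-path wins if two match strings ever overlap.
    for acc in sorted(CHILDREN, key=lambda a: len(a.sub_path), reverse=True):
        if path.startswith(acc.sub_path):       # "Starts with" is selected
            rest = path[len(acc.sub_path):]     # "Remove sub-path from URL"
            if not rest.startswith("/"):
                rest = "/" + rest               # assumption: origin gets a rooted path
            return acc.name, ORIGIN, acc.origin_port, rest
    # No child matched: the multi-home master handles the request unchanged.
    return MASTER.name, ORIGIN, MASTER.origin_port, path


if __name__ == "__main__":
    for p in ("/", "/servlet/webacc", "/webacc", "/poa/status", "/gwia/"):
        print(p, "->", route(p))
```

Because the match is "Starts with" rather than "contains", the mailbox URL /servlet/webacc stays on the master accelerator while /webacc goes to the WebAccess Monitor on port 7205.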

On Access Control Page:

"Enable Form Fill Authentication" is enabled

"Object level access control (OLAC)" is disabled

On Configuration->Management page:

"Enable Pin List" is not selected

ConsoleOne Configuration:

In ConsoleOne->ISO object properties:

Add resource for the GroupWise web site:

Name=GroupWise

URL Prefix=http://1300e.gwise.dsm.cit.novell.com/*

Access: Restricted

Single Sign On through iChain:

1. SSO to WebAccess:

GW6/SP2 WebAccess does not support Authorization headers, so iChain’s Forward Authentication/OLAC cannot be used for SSO. Sample FormFill scripts are shown below. The first is for the language selection form (if the user does not enter resource name /servlet/webacc), followed by a login failure and a login script:

<urlPolicy>
    <name>Groupwise-Language-Selection</name>
    <url>1300e.gwise.dsm.cit.novell.com/*</url>
    <formCriteria>
        <title>Novell Web Services</title>
    </formCriteria>
    <actions>
        <fill>
            <select name="User.lang" type="listbox" value="~">
        </fill>
        <post/>
    </actions>
</urlPolicy>

 

<urlPolicy>
    <name>GroupWiseWebAccessLoginFailure</name>
    <url>1300e.gwise.dsm.cit.novell.com/servlet/webacc</url>
    <formCriteria>
        <TITLE>Novell WebAccess</TITLE>
        Please login again. You may have typed your name or password incorrectly.
        loginForm
    </formCriteria>
    <actions>
        <deleteRemembered>GroupWiseWebAccess</deleteRemembered>
        <redirect>1300e.gwise.dsm.cit.novell.com/servlet/webacc</redirect>
    </actions>
</urlPolicy>

 

<urlPolicy>
    <name>GroupWiseWebAccess</name>
    <url>1300e.gwise.dsm.cit.novell.com/servlet/webacc</url>
    <formCriteria>
        <TITLE>Novell WebAccess</TITLE>
        loginForm
    </formCriteria>
    <actions>
        <fill>
            <INPUT NAME="User.id" value="~">
            <INPUT NAME="User.password" value="~">
        </fill>
        <maskedPost/>
    </actions>
</urlPolicy>

2. SSO to the GroupWise Monitoring Agents:

Login to the Monitoring agents is done with a pop-up login prompt. The username/password required for GWIA, POA and MTA is specified in configuration files created during installation: sys:/system/gwia.cfg, sys:/system/<NameOfGroupWiseSystem>.poa, and sys:/system/<NameOfGroupWiseSystem>.mta respectively. This name/password could match the CN and password of an actual NDS user object, but likely will not.

If the username/password configured for the Monitoring agents is actually the CN (or other NDS attribute) and password of an NDS user, OLAC could be configured to inject the CN and password to provide SSO. On the "Access Control" page in the iChain GUI, select check box "Enable Object Level Access Control (OLAC)". Under the accelerator configuration, go to the "Authentication Options" window and select "Forward authentication information to web server". Add the following OLAC entry on the GroupWise ISO resource:

 

Name: ICHAIN_UID

Data Source: LDAP

Value: CN

If an NDS user will be logging in to the Monitoring agents but wants to use a name/password different than his or her  NDS cn/password, that information could be stored in some other attribute(s) on that NDS user object, then OLAC configured to inject those attributes.
                       

Sending iChain SMTP alerts to GroupWise 6 (GWIA)

iChain can send email alerts using the SMTP protocol to GroupWise 6 (GWIA must be installed for SMTP access). Configure iChain to send SMTP alerts in the iChain GUI->System->Alerts page. Be sure to use a username with an account on the specified server, and be careful of the “Alert source name” field. Normally, avoid spaces if at all possible, since according to the GWIA developer they are against the SMTP RFC, and may result in a failure to send alerts. However, GWIA from GroupWise 6 SP1 will accept one space in the name; SP2 seems to accept multiples (I’ve had 4 spaces with no trouble). Other characters like “!” will also cause problems (#306383).

Internal rewriter with WebAccess

The rewriter should detect and rewrite URL references (which match names/IP addresses listed in the accelerator’s "Web server addresses" field) in the email Subject lines and Body, but should never touch URL references in attachments being saved. In iChain 2.1, attachments were being rewritten (#307530). With iChain 2.2, the Subject and Message body text is not being rewritten as expected, but attachments are rewritten when being viewed (#100300994). Other anomalies with the rewriter and WebAccess messages also exist (#100300603).

note

Known Issues:

GroupWise Webaccess 6.5 behind iChain:

Webaccess can now accept LDAP names for login, and can be configured to accept credentials in the Authorization header from "trusted applications" such as iChain. If Webaccess is behind an accelerator with option "Forward authentication information to web server" enabled, login to webaccess fails and the user is being prompted to login to Webaccess even though iChain has stuffed the Auth header with the correct credentials and has been configured as a trusted application.

This appears to be caused by iChain using an uppercase "CN" in the name (e.g. "CN=user1,o=novell"), and Webaccess is looking only for lowercase. A defect was entered against Webaccess to ignore case on 5/20/03.
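The mismatch described above can be reproduced with a short check, added here as an illustration and not taken from iChain or WebAccess code. It assumes the forwarded credential uses the Basic scheme, that the cn and o values compare case-insensitively, and uses a constructed header; the function names are hypothetical.

```python
import base64
import re


def basic_auth_user(header: str) -> str:
    """Extract the user name from a Basic Authorization header value."""
    scheme, _, token = header.partition(" ")
    if scheme.lower() != "basic":
        raise ValueError("not a Basic credential")
    user, sep, _password = base64.b64decode(token).decode("utf-8").partition(":")
    if not sep:
        raise ValueError("missing ':' between user name and password")
    return user


def normalize_dn(dn: str) -> tuple:
    """Lower-case each RDN's attribute type and case-fold its value."""
    # Split on commas that are not backslash-escaped (simplified DN parsing).
    parts = re.split(r"(?<!\\),", dn)
    normalized = []
    for rdn in parts:
        attr, sep, value = rdn.partition("=")
        if not sep:
            raise ValueError(f"malformed RDN: {rdn!r}")
        # LDAP attribute type names such as CN/cn are case-insensitive.
        normalized.append((attr.strip().lower(), value.strip().casefold()))
    return tuple(normalized)


def same_user(dn_a: str, dn_b: str) -> bool:
    """Compare two DNs the way a case-tolerant receiver would."""
    return normalize_dn(dn_a) == normalize_dn(dn_b)


# Constructed sample: the name form the page says iChain forwards.
SAMPLE_HEADER = "Basic " + base64.b64encode(
    b"CN=user1,o=novell:constructed-password"
).decode("ascii")

if __name__ == "__main__":
    forwarded = basic_auth_user(SAMPLE_HEADER)
    print("exact match:     ", forwarded == "cn=user1,o=novell")
    print("normalized match:", same_user(forwarded, "cn=user1,o=novell"))
```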

disclaimer

The Origin of this information may be internal or external to Novell. Novell makes all reasonable efforts to verify this information. However, the information provided in this document is for your information only. Novell makes no explicit or implied claims to the validity of this information.
Any trademarks referenced in this document are the property of their respective owners. Consult your product manuals for complete trademark information.

  • Document ID: 10080212
  • Solution ID: NOVL87138
  • Creation Date: 13Feb2003
  • Modified Date: 03Sep2004