How to configure Certificates from Trusted CA for Mobility

  • 7006904
  • 23-Sep-2010
  • 02-Jul-2019

Environment

GroupWise Mobility Service 18
GroupWise Mobility Service 2014 R2
GroupWise Mobility Service 2.1
GroupWise Mobility Service 2.0.1
GroupWise Mobility Service 2.0
Novell Data Synchronizer Mobility Pack

Situation

Purpose:
How to configure Certificates for Mobility
Configuring Data Synchronizer Mobility Connector for certificates from Trusted Certificate Authorities
How to configure Third Party Certificate for Mobility Connector
 
Symptom:
Devices unable to connect to the Mobility Connector
Unable to connect to WebAdmin after changing the certificates
Unable to connect to Mobility after changing the certificates

Resolution

  1. Download the Novell Cool Solutions tool dsapp (Mobility Administration) to the Mobility server.

  2. From the dsapp menu, select Certificates | Generate CSR and Key:
      • Provide the path to store the certificate files.
        Note: The directory will be created if it does not already exist.
      • Type the pass phrase to protect the key and press Enter.
      • Re-enter the pass phrase to protect the key.
      • Fill in the Country Name, State or Province Name, Locality Name, Organization Name, Organizational Unit Name, Common Name, Email Address.
        Note: The Common Name is very important, as it is the DNS name that the devices use to connect to the server (e.g. mobility.mycompany.com).
      • When asked for a challenge password and optional company name, leave them blank.
      • Press [Enter] to continue.

  3. Send the Certificate Signing Request to a Trusted Certificate Authority such as VeriSign, GoDaddy or DigiCert. Download their response files to the directory provided in Step 2 to store the certificate files.

  4. Select Apply certificates (Generate PEM):
      • Provide the path where the certificate files from Steps 2 and 3 are stored.
      • Enter the private key file, then the public crt from the 3rd party.
        Note: You may be prompted for the password of the private key.
      • Provide any Intermediate Certificate Chain files.
        Note: If the certificate was not signed directly by the Root CA, obtain the Intermediate Certificate(s) from the Trusted Certificate Authority. Most Trusted Certificate Authorities, including VeriSign, GoDaddy and DigiCert, sign with Intermediate CAs, so make sure to get the Intermediate Certificate(s) from them when needed.
      • Enter y to implement with the Mobility connector for devices.
      • Enter y to implement with WebAdmin.

  5. Restart the Mobility services:
      rcgms restart OR rcdatasync restart

      Note: Most devices already have the root certificate of the CA installed. If the device does not recognize the CA of the certificate, download the DER file of the root certificate from the vendor website and install it on the device. One way to do this is to put it on a web server and browse to it from the device. Then follow the device instructions for adding the certificate to the trusted root store on the device.

Additional Information

To verify the certificate, use either of the following:
  • Visit WebAdmin and select the lock icon to view information about the certificate.
  • Visit http://www.digicert.com/help/ and provide the Server Address devices use to connect, to verify the Mobility certificates.

Manual steps:
  1. Generate a Private Key and Certificate Signing Request by following the steps listed below:
      • Type "openssl genrsa -des3 -out server.key 2048" and press Enter.
      • Type the pass phrase to protect the key and press Enter.
      • Re-enter the pass phrase to protect the key.
      • Type "openssl req -new -key server.key -out server.csr" and press Enter.
      • Enter the pass phrase of the private key when asked for it. This is the same pass phrase that was entered above in Step 1.
      • Fill in the Country Name, State or Province Name, Locality Name, Organization Name, Organizational Unit Name, Common Name, Email Address. The Common Name is very important, as it is the DNS name that the devices use to connect to the server.
      • When asked for a challenge password and optional company name, leave them blank.

      OR

      Use the GWCSRGEN utility to generate a Private Key and Certificate Signing Request. The Hostname of the Server is very important, as it is the DNS name that the devices use to connect to the server. Click the following link and then click "Generating a Certificate Signing Request" for the instructions:
      https://www.novell.com/documentation/groupwise2012/gw2012_guide_admin/?page=/documentation/groupwise2012/gw2012_guide_admin/data/ak9e3ju.html
  2. Send the Certificate Signing Request to a Trusted Certificate Authority such as VeriSign, GoDaddy or DigiCert.
  3. Remove the password from the Private Key by typing the following command:
      openssl rsa -in server.key -out passwordless.key
  4. Obtain the Server Certificate from the Trusted Certificate Authority (VeriSign, GoDaddy, DigiCert, etc.).
  5. If the certificate was not signed directly by the Root CA, obtain the Intermediate Certificate(s) from the Trusted Certificate Authority. Most Trusted Certificate Authorities, including VeriSign, GoDaddy and DigiCert, sign with Intermediate CAs, so make sure to get the Intermediate Certificate(s) from them.
  6. Copy passwordless.key, the server certificate and the intermediate certificate to /tmp on the server.
  7. Type cd /tmp.
  8. Type cat passwordless.key > mobility.pem
  9. Type cat server.crt >> mobility.pem (server.crt is the Server Certificate obtained from the Trusted Certificate Authority in Step 4).
  10. Type cat inter.crt >> mobility.pem. This step is needed only if there is an Intermediate Certificate (inter.crt is the Intermediate Certificate obtained in Step 5).
  11. If there is more than one Intermediate Certificate, repeat Step 10 for each of them.
  12. Copy /tmp/mobility.pem to /var/lib/datasync/device/mobility.pem.
  13. If the same certificate is to be used for WebAdmin, copy /tmp/mobility.pem to /var/lib/datasync/webadmin/server.pem.
  14. Restart DataSync by typing "rcdatasync restart" and pressing Enter.
  Most devices already have the root certificate of the CA installed. If the device does not recognize the CA of the certificate, download the DER file of the root certificate from the vendor website and install it on the device. One way to do this is to put it on a web server and browse to it from the device. Then follow the device instructions for adding the certificate to the trusted root store on the device.
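The following script is an added example and is not part of this TID, of dsapp, or of Novell/Micro Focus. It carries out the manual steps above (key and CSR, passwordless key, key + server certificate + intermediate concatenated into mobility.pem, which is also what the dsapp "Apply certificates (Generate PEM)" menu item produces) and then runs the checks a practitioner would want before copying the bundle into /var/lib/datasync: that the private key belongs to the certificate, that the bundle actually contains the intermediate, and that the chain verifies for the hostname devices use. So that it runs offline, a constructed local test CA (root plus intermediate) stands in for VeriSign, GoDaddy, DigiCert, etc.; in real use server.crt and inter.crt are the files the trusted CA returns. The hostname mobility.example.com and the scratch directory are placeholders.

```sh
#!/bin/sh
# Added example, not from the TID, dsapp or Novell/Micro Focus: builds the
# mobility.pem bundle the way the manual steps describe (passwordless key, then
# server certificate, then intermediate certificate(s)) and checks it before it
# is copied to /var/lib/datasync/device/mobility.pem.
# To run offline, the CSR is signed by a CONSTRUCTED local test CA (root plus
# intermediate) that stands in for VeriSign, GoDaddy, DigiCert, etc. In real use
# server.crt and inter.crt are the files returned by the trusted CA.
set -e

WORK="${WORK:-$(mktemp -d)}"      # scratch directory instead of /tmp
HOST="mobility.example.com"       # assumed device-facing DNS name (placeholder)

# Step 1: private key and CSR. -subj supplies the DN fields non-interactively;
# the Common Name is the DNS name devices connect to. The TID creates the key
# with -des3 and strips the pass phrase later with "openssl rsa"; creating it
# without a pass phrase here yields the same passwordless.key in one step.
gen_key_csr() {
  openssl genrsa -out "$WORK/passwordless.key" 2048 2>/dev/null
  openssl req -new -key "$WORK/passwordless.key" -out "$WORK/server.csr" \
    -subj "/C=US/ST=Utah/L=Provo/O=Example Corp/OU=IT/CN=$1" 2>/dev/null
}

# Constructed test CA: a self-signed root and an intermediate signed by it.
make_test_ca() {
  printf 'basicConstraints=critical,CA:TRUE\nkeyUsage=critical,keyCertSign\n' > "$WORK/ca.ext"
  openssl req -new -newkey rsa:2048 -nodes -keyout "$WORK/root.key" \
    -out "$WORK/root.csr" -subj "/CN=Constructed Test Root CA" 2>/dev/null
  openssl x509 -req -in "$WORK/root.csr" -signkey "$WORK/root.key" -days 30 \
    -extfile "$WORK/ca.ext" -out "$WORK/root.crt" 2>/dev/null
  openssl req -new -newkey rsa:2048 -nodes -keyout "$WORK/inter.key" \
    -out "$WORK/inter.csr" -subj "/CN=Constructed Test Intermediate CA" 2>/dev/null
  openssl x509 -req -in "$WORK/inter.csr" -CA "$WORK/root.crt" -CAkey "$WORK/root.key" \
    -CAcreateserial -days 30 -extfile "$WORK/ca.ext" -out "$WORK/inter.crt" 2>/dev/null
}

# What the CA does with the CSR (Steps 2 and 4): sign it with the intermediate,
# producing server.crt with the hostname in the Subject Alternative Name.
sign_csr_with_test_ca() {
  printf 'basicConstraints=CA:FALSE\nsubjectAltName=DNS:%s\n' "$1" > "$WORK/server.ext"
  openssl x509 -req -in "$WORK/server.csr" -CA "$WORK/inter.crt" -CAkey "$WORK/inter.key" \
    -CAcreateserial -days 30 -extfile "$WORK/server.ext" -out "$WORK/server.crt" 2>/dev/null
}

# Steps 8-11: key first, then the server certificate, then every intermediate.
# Extra arguments are intermediate files, nearest to the server certificate first.
assemble_pem() {
  out="$1"; shift
  cat "$WORK/passwordless.key" "$WORK/server.crt" "$@" > "$out"
  chmod 600 "$out"   # the key inside has no pass phrase: keep the file root-only
}

# Only the CERTIFICATE blocks of a bundle (the private key is left out).
certs_only() {
  awk '/-----BEGIN CERTIFICATE-----/{p=1} p{print} /-----END CERTIFICATE-----/{p=0}' "$1"
}

# Number of certificates in the bundle; 1 from a CA that uses intermediates
# means Step 10 was skipped.
cert_count() { certs_only "$1" | grep -c 'BEGIN CERTIFICATE'; }

# Check 1: the private key and the first certificate carry the same public key
# (a stale key or the wrong crt file shows up here, before any restart).
key_matches_cert() {
  k=$(openssl pkey -in "$1" -pubout 2>/dev/null)
  c=$(openssl x509 -in "$1" -noout -pubkey 2>/dev/null)
  [ -n "$k" ] && [ "$k" = "$c" ]
}

# Check 2: the server certificate chains to the trusted root ($2) through the
# intermediates bundled in the PEM and is valid for the hostname ($3) devices use.
chain_verifies() {
  certs_only "$1" > "$WORK/chain.crt"
  openssl x509 -in "$WORK/chain.crt" -out "$WORK/leaf.crt" 2>/dev/null
  openssl verify -CAfile "$2" -untrusted "$WORK/chain.crt" \
    -verify_hostname "$3" "$WORK/leaf.crt" >/dev/null 2>&1
}

# Demo run: build the test CA, go through the steps, then check the bundle.
PEM="$WORK/mobility.pem"
make_test_ca
gen_key_csr "$HOST"
sign_csr_with_test_ca "$HOST"
assemble_pem "$PEM" "$WORK/inter.crt"
echo "certificates in $PEM: $(cert_count "$PEM")"
key_matches_cert "$PEM" && echo "private key matches server certificate"
chain_verifies "$PEM" "$WORK/root.crt" "$HOST" && echo "chain verifies for $HOST"
```

In real use, drop make_test_ca and sign_csr_with_test_ca, place the CA's server.crt and inter.crt files in $WORK, and run chain_verifies against the CA's published root certificate instead of root.crt. A bundle that fails the hostname check or that contains only one certificate from a CA that signs with intermediates is exactly what produces the "devices unable to connect" symptom above, so it is worth catching before the restart. Because Step 3 removes the pass phrase, the assembled file holds an unencrypted private key; the chmod 600 in assemble_pem keeps it readable by root only, and the same permissions should be applied to the copies under /var/lib/datasync.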