Creating a certificate for the GroupWise Monitor Agent is different from all other GroupWise agents, because the Monitor Agent uses a single .pem file that contains both the private key and the public certificate.
There are four primary steps needed to generate the .pem file:
- Create a certificate signing request (CSR)
- Create the Server certificate
- Use openssl to extract and combine the two components together to create the .pem file
- Modify the grpwise-ma startup script.
From a Windows workstation, copy the files needed to run the GroupWise CSR Generator (gwcsrgen). These files can be found under the admin\Utility folder of the GroupWise software distribution directory, provided the SDD was created from the win_nlm download. On a Linux GroupWise server the gwcsrgen utility can also be found under /opt/novell/groupwise/agents/bin. Whether you run it from a Windows workstation or from a Linux server, the steps are identical.
To create a CSR:
- Launch gwcsrgen.
- Enter a unique key name with the extension .key, for example monitor.key.
- Set the key length to the desired level. 1024 is the default, 2048 is the standard for eDirectory certificates, and the maximum is 4096. Choose 2048 or higher: 1024-bit RSA keys are considered weak and fall below the 2048-bit minimum that public CAs require.
- Set a key password and retype it to verify. Don't forget this password; it is needed later to remove it from the key file.
- Give the csr a name, and use the extension .csr, for example monitor.csr.
- Set the Country to the two-letter ISO country code for your country, for example CA for Canada or US for the United States.
- Set the State/Province to your location, for example Ontario, or Michigan.
- Set the City to your current city, for example Ottawa, or Detroit.
- Set the Organization to your company name.
- Set the Division to your organizational unit (for example IT)
- Provide the full hostname of the server (for example monitor.novell.com)
- Click Create when satisfied.
This generates two files; in the example they would be monitor.key and monitor.csr. You can now generate the server certificate in one of two ways: use the Organizational CA built into eDirectory, or submit the CSR to an external certificate authority such as Entrust or VeriSign. Internal certificates should be sufficient in most cases.
To create Server Certificate from the Organizational CA
- Launch iManager
- Under Roles and Tasks, scroll down to Novell Certificate Server, expand the role, and select Issue Certificate from the list of tasks.
- Click the Browse button and locate the CSR file you created with gwcsrgen. Click Next when ready.
- For the key type select custom; for key usage select key encipherment and digital signature.
- Make sure the checkbox for Enable extended key usage is checked.
- Set the extended key type to Custom.
- Select the following extended key usages: Server authentication, User authentication.
- Click next to proceed.
- The certificate type can be unspecified, and the path length can be unspecified.
- Click next to proceed.
- Check the subject name. You may have to flip the order of the subject name. The server hostname and domain name should be at the beginning of the subject, not at the end.
- Select your validity period, 2 years is the default, 10 years is the maximum.
- Click next to proceed.
- Save the file in a binary DER format. Click next to proceed.
- Review the settings for the certificate, and click finished when satisfied.
- Click on the hyperlink to download the certificate to the workstation or server.
- Click close to leave the Issue Certificate task, and exit iManager.
Copy files to the target Server
- Using ssh or WinSCP, copy the *.key and *.der files to a folder on the target Linux server.
- I like keeping the path short, so I created a folder off the root named /certs.
- On the Linux server, log in as root, open a terminal session, and change to the folder where you copied the two files.
- First we must convert the .der file to a .pem file. Use the following command:
openssl x509 -out monitor.crt -outform pem -text -in monitor.der -inform der
- This creates the desired PEM certificate file. The -text option additionally writes a human-readable dump of the certificate in front of the PEM block; it is useful for inspection but is not part of the certificate itself.
- Next we must remove the password from the private key. Use the following command:
openssl rsa -in monitor.key -out monitor1.key
- Enter the password when prompted; this is the password you entered during CSR generation. The resulting monitor1.key is no longer protected by a passphrase, so keep it, and the .pem file built from it, readable by root only.
- Now we need to concatenate the two files together. Use the following command:
cat monitor1.key monitor.crt > monitor.pem
- You can either leave this new file in its current location or move it to a desired final location.
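The three openssl steps above, as an added example written for this article rather than taken from it: a POSIX shell script that performs the same conversion (DER to PEM, strip the key passphrase, concatenate key and certificate), keeps the unencrypted key readable only by root, and refuses to build the .pem when the key and certificate do not belong together. File names follow the article; the KEY_PASS variable, the build_monitor_pem and pem_is_sane function names and the modulus comparison are this example's own additions, not part of GroupWise or the original procedure.

```shell
#!/bin/sh
# Added example, not part of the original article: performs the article's
# three openssl steps with the checks a hardened build should include.
# Assumptions: file names follow the article (monitor.key, monitor.der,
# monitor.pem); the key passphrase may be supplied in the KEY_PASS
# environment variable, otherwise openssl prompts for it as in the article.
set -eu

# build_monitor_pem KEYFILE DERFILE OUTPEM
# Runs in a subshell so the restrictive umask does not leak to the caller.
build_monitor_pem() (
    key="$1"; der="$2"; out="$3"
    workdir=$(dirname "$out")
    tmpkey="$workdir/monitor-nopass.key"
    umask 077                     # everything created below is owner-only (0600)

    # 1. DER -> PEM certificate. The article's -text flag only adds a readable
    #    dump in front of the PEM block, so it is left out here.
    openssl x509 -in "$der" -inform der -out "$workdir/monitor.crt" -outform pem

    # 2. Remove the passphrase set in gwcsrgen; the output is an unencrypted key.
    if [ -n "${KEY_PASS:-}" ]; then
        openssl rsa -in "$key" -passin env:KEY_PASS -out "$tmpkey"
    else
        openssl rsa -in "$key" -out "$tmpkey"
    fi

    # 3. Refuse to assemble a .pem whose key and certificate do not belong
    #    together: a mismatched pair is unusable for TLS.
    key_mod=$(openssl rsa -noout -modulus -in "$tmpkey")
    crt_mod=$(openssl x509 -noout -modulus -in "$workdir/monitor.crt")
    if [ "$key_mod" != "$crt_mod" ]; then
        echo "error: $key does not match $der" >&2
        rm -f "$tmpkey"
        exit 1
    fi

    # 4. Key first, then certificate, exactly as the article's cat command does.
    cat "$tmpkey" "$workdir/monitor.crt" > "$out"
    chmod 600 "$out"
    rm -f "$tmpkey"               # the unencrypted key now lives only inside the .pem
)

# pem_is_sane FILE: succeeds only if FILE carries an unencrypted private key
# block followed by a certificate block, the layout the concatenation produces.
pem_is_sane() {
    f="$1"
    grep -Eq 'BEGIN (RSA )?PRIVATE KEY' "$f" || return 1
    grep -q 'BEGIN CERTIFICATE' "$f" || return 1
    if grep -q 'ENCRYPTED' "$f"; then return 1; fi   # passphrase was not removed
    # the key block must come before the certificate block
    key_line=$(grep -nE 'BEGIN (RSA )?PRIVATE KEY' "$f" | head -n1 | cut -d: -f1)
    crt_line=$(grep -n 'BEGIN CERTIFICATE' "$f" | head -n1 | cut -d: -f1)
    [ "$key_line" -lt "$crt_line" ]
}
```

Run it as root from the folder holding the two files, for example `KEY_PASS=... build_monitor_pem /certs/monitor.key /certs/monitor.der /certs/monitor.pem && pem_is_sane /certs/monitor.pem`; the umask and chmod mean the intermediate key and the finished .pem are never world-readable, even for a moment.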
Modify the grpwise-ma script
- Make a backup copy of the current grpwise-ma script. Use the following command:
cp /etc/init.d/grpwise-ma /etc/init.d/grpwise-ma.org
- Using your favorite editor (vi, or gedit if running the GUI), edit the grpwise-ma script and modify the line that starts with #MA_OPTIONS. I actually left the current line as is and created a new MA_OPTIONS line with the following entries:
MA_OPTIONS="--httpcertfile /certs/monitor.pem --httpssl --httpmonuser gwmon --httpmonpassword monitor"
- The httpmonuser and httpmonpassword entries are optional. Note that both are stored in clear text in the script, so restrict who can read it. Save the file when done.
- Restart the GroupWise Monitor Agent. Use the following commands:
/etc/init.d/grpwise-ma stop
/etc/init.d/grpwise-ma start
- Check the status with /etc/init.d/grpwise-ma status; it should show as running.
- From a Windows workstation, launch a web browser and go to the GroupWise Monitor Web console by entering https://server-name.domain-name:8200. If you added the httpmonuser and httpmonpassword options, a dialog box will ask for the username and password.
- You can now perform any task you wish, and all communication between you and the Monitor Agent is encrypted.