92.2 Configuring Server Certificates and TLS

For a secure GroupWise system, you should configure the server and agents to use TLS. We recommend you use commercially signed certificates from a Trusted Root Certificate Authority (ie GoDaddy, Digicert, etc). For your convenience, the GroupWise CA can generate certificates until you obtain your commercially signed certificates. When generating certificates, keep in mind the following certificate best practices for GroupWise:

NOTE:One server certificate can be used to secure all of the GroupWise agents on the server.

Certificate Best Practices

  • If you obtain your certificates from an intermediate CA, the certificate for that intermediate CA and all other intermediate CAs leading to the Trusted Root CA must be appended to your certificate file.

  • For TLS communication between the agents and servers, the Fully Qualified Domain Name (FQDN) of the server should be the used for the Subject Alternative Name (SAN) on the certificate. Also, the GroupWise agents should be configured with the FQDN instead of the IP address on the Agent Settings tab for all GroupWise agents.

NOTE:TLS for GroupWise Web defaults to Intermediate configuration. Please visit https://wiki.mozilla.org/Security/Server_Side_TLS for additional details. If you configure GroupWise Web with your own TLS certificates, the must be compatible with the Intermediate configuration as well as the GroupWise requirements.

IMPORTANT:If you are using iOS 13 and/or macOS 10.15 devices in your GroupWise system, your certificates also need to meet the increased security requirements released by Apple. The requirements can be found here: https://support.apple.com/en-in/HT210176.

Once you have planned and gathered your certificates, use the information in the following sections to configure TLS for the agents:

NOTE:If you are using WebAccess, you can optionally secure Tomcat on the WebAccess server by following the steps found here: https://tomcat.apache.org/tomcat-9.0-doc/ssl-howto.html. This is optional and not required to run a secure GroupWise system. When you upgrade GroupWise after changing these settings, you will need to follow these steps again as the upgrade will overwrite the TLS settings in the server.xml file.