16.7 Securing GroupWise Web with TLS Connections

16.7.1 Securing GroupWise Web using a Commercial Certificate

GroupWise Web creates self-signed certificates when you run the docker image. You can supply your own commercial certificates for GroupWise Web for enhanced security. The certificates must follow the requirements found in Configuring Server Certificates and TLS in the GroupWise 18 Administration Guide.

When you run with commercially signed certificates, you need to specify the location of the certificates in the docker run command. Below is an example of the command to run GW Web with commercially signed certificates:

Running GW Web with commercially signed certificates:
docker run -d --rm -v /opt/novell/gw:/etc/nginx/gw --name gwweb -e FQDN=webacc.acme.com -e DNS_SERVER=192.168.1.5 -p 80:80 -p 443:443 -v /opt/novell/gw/certs:/certs mfgroupwise/web:latest

NOTE: /opt/novell/gw/certs should contain the server.key and server.crt files for your commercially signed certificates.

16.7.2 Updating POA/DVA Certificates while GW Web is Running

If you update the certificate on the POA/DVA after the GW Web image is running, you can have GW Web retrieve the new certificates and use the POA/DVA without restarting the GW Web image. This is also needed if the POA/DVA was not accessible when the GW Web image was started but is now available. Use the following docker command to update the certificates:

docker exec <container_name or container_id> bash -c "/update/update-certs.sh"
Example:
docker exec gwweb bash -c "/update/update-certs.sh"

You can use either the container name or the container id to run the command.

NOTE: Restarting the GW Web image also updates the POA/DVA certificates.

16.7.3 Securing GroupWise Web using Certificate Verification

In GroupWise 18.4 and later, GroupWise Web has enhanced security by doing certificate checks for the GroupWise Admin Service, POA, and DVA certificates. The certificate checks make sure the Subject Alternative Name on the certificate matches GW Admin Server, POA, and DVA and that the certificate date is valid.

The GroupWise Admin Service check is enabled by default and cannot be disabled. The POA check is enabled by default and can be disabled. The DVA check is disabled by default, but can be enabled. To be fully secure, you should enable all of the certificate verification checks.

NOTE: The POA check and the DVA check are independent of each other and can be run together, separately, or not at all.

Using GroupWise Admin Service Certificate Verification

The GroupWise Admin Service check is done when the web-config utility runs to get the POA and DVA information for your GroupWise system. If the GW Admin Service check runs properly, the web-config utility creates four files: web.conf, poas.conf, dvas.conf, and ca.crt.

In order for the GW Admin Service check to pass, you need to use a GroupWise self-signed certificate with the Fully Qualified Domain Name or IP address of the GroupWise server as the Subject Alternative Name on the certificate.

Using POA Certificate Verification

The POA check is part of the running GW Web image and is enabled by default. GW Web checks every POA against its certificate to make sure the certificate matches and is valid.

In order for the POA check to pass, the certificate Subject Alternative Name must match the hostname specified in the poa.conf file. Certificate requirements and recommendations can be found in Configuring Server Certificates and TLS in the GroupWise 18 Administration Guide.

NOTE: If the Subject Alternative Name in the certificate and the poa.conf file don't match, it is easier to change the poa.conf file than to get a new certificate.

You do not need to change your docker run command if you want to use POA certificate verification. If you do not want to use POA certificate verification, you must include the switch GWSOAP_SSL_VERIFY=off. Below is an example of running the GW Web docker image with POA certificate verification turned off:

docker run -it -v /opt/novell/gw:/config -e GWADMIN_SERVICE=admin@192.168.1.1:9710 -e GWSOAP_HOST_DEFAULT=192.168.1.2 -e GWSOAP_SSL_VERIFY=off mfgroupwise/web-config:18.4.0-111

Using DVA Certificate Verification

The DVA check is part of the running GW Web image and is disabled by default. You can enable the DVA check by adding the GWDVA_SSL_VERIFY=on switch to your docker run command. You must also add GWDVA_SSL_DNS= and specify the domain to use for the check. GW Web checks every DVA against its certificate to make sure the certificate matches and is valid. DVAs that do not pass the check are not used by GW Web if the DVA check is enabled.

In order for the DVA check to pass, the certificate Subject Alternative Name must match the domain name specified in the GWDVA_SSL_DNS= switch in the docker run command. Wildcard certificates can be used for your DVAs as long as the GWDVA_SSL_DNS= switch specifies the DNS that is in the Subject Alternative Name on the wildcard certificate. Certificate requirements and recommendations can be found in Configuring Server Certificates and TLS in the GroupWise 18 Administration Guide.

Below is an example of running the GW Web docker image with DVA certificate verification enabled:

docker run -it -v /opt/novell/gw:/config -e GWADMIN_SERVICE=admin@192.168.1.1:9710 -e GWSOAP_HOST_DEFAULT=192.168.1.2 -e GWDVA_SSL_VERIFY=on -e GWDVA_SSL_DNS=acme.com mfgroupwise/web-config:18.4.0-111
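The following POSIX shell script is an added example, not part of the GroupWise documentation or product: it applies the rule from 16.7.1 and 16.7.3 locally, reporting whether a PEM certificate's Subject Alternative Name covers the name you intend to configure (the -e FQDN value for server.crt, the hostname in poa.conf, or the GWDVA_SSL_DNS= domain against a wildcard certificate) and whether the certificate is in date, so a mismatch is caught before the image is run. It assumes the openssl command line tool (1.1.1 or later) is installed; the check_cert and make_demo_cert names and the demo certificate are constructed here.

```shell
#!/bin/sh
# Added example, not part of the GroupWise documentation: a local pre-flight
# check that applies the rule from 16.7.3 (Subject Alternative Name must cover
# the configured hostname/IP and the certificate must be in date) to a PEM
# certificate such as /opt/novell/gw/certs/server.crt. Needs the openssl CLI.
# Only IPv4 SAN entries are handled; notBefore is not checked, only expiry.

# check_cert CERT NAME -> 0 if NAME is covered by a SAN entry and CERT is not
# expired, 1 otherwise. A leading wildcard label (DNS:*.acme.com) covers exactly
# one extra label, as for the DVA wildcard certificates with GWDVA_SSL_DNS=.
check_cert() {
    cert=$1 name=$2 matched=1
    # SAN line as printed by openssl, e.g. "DNS:webacc.acme.com, IP Address:192.168.1.5"
    san=$(openssl x509 -in "$cert" -noout -text 2>/dev/null \
          | grep -A1 'Subject Alternative Name' | tail -n 1 | tr -d ' ')
    if [ -z "$san" ]; then
        echo "FAIL: $cert carries no subjectAltName" >&2; return 1
    fi
    oldifs=$IFS; IFS=','
    for entry in $san; do
        value=${entry#*:}                    # drop the "DNS:" / "IPAddress:" tag
        case $value in
            "$name") matched=0 ;;
            \*.*)                            # wildcard: one label left of suffix
                suffix=${value#\*}
                case $name in
                    *"$suffix") left=${name%"$suffix"}
                                case $left in ""|*.*) ;; *) matched=0 ;; esac ;;
                esac ;;
        esac
    done
    IFS=$oldifs
    if [ "$matched" -ne 0 ]; then
        echo "FAIL: SAN [$san] does not cover $name" >&2; return 1
    fi
    if ! openssl x509 -in "$cert" -noout -checkend 0 >/dev/null 2>&1; then
        echo "FAIL: $cert has expired" >&2; return 1
    fi
    echo "OK: $cert covers $name and is in date"
}

# make_demo_cert DIR: constructed self-signed pair mirroring the document's
# sample names (webacc.acme.com, 192.168.1.5), for trying the check offline.
make_demo_cert() {
    openssl req -x509 -newkey rsa:2048 -nodes -days 30 -subj "/CN=webacc.acme.com" \
        -addext "subjectAltName=DNS:webacc.acme.com,DNS:*.acme.com,IP:192.168.1.5" \
        -keyout "$1/server.key" -out "$1/server.crt" >/dev/null 2>&1
}
```

Run it as check_cert /opt/novell/gw/certs/server.crt webacc.acme.com before the docker run command; a non-zero exit means the image would fail the same SAN or date check.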