2.3 Configuring the Messaging Agent with SSL Encryption

Secure Sockets Layer (SSL) ensures secure communication between programs by encrypting the complete communication flow between the programs. The Installation program required configuring the messaging agent for SSL encryption, as described in Installing and Setting Up Your GroupWise Messenger System in the GroupWise Messenger 18 Installation Guide.

When you set up SSL encryption during installation, the Installation program copied the certificate file and key file you specified to the /opt/novell/messenger/certs directory to ensure availability for the Messenger agents.

IMPORTANT:Certificates must follow the requirements for certificates found in Messenger Server Requirements under Server Certificates requirements.

If you want to import a new certificate or switch from internal to external certificates, you must complete the following tasks:

2.3.1 Generating a Certificate Signing Request and Private Key

Before the Messaging Agent can use external SSL encryption, you must create a certificate by generating a certificate signing request (CSR) and having it issued by a certificate authority (CA). This can be issued either by a public CA or a local CA, such as Novell Certificate Server. (Novell Certificate Server, which runs on a server with NetIQ eDirectory, enables you to establish your own Certificate Authority and issue server certificates for yourself. For more information, see the Novell Certificate Server documentation site.). The CSR includes the hostname of the server where the Messaging Agent runs. The Messaging Agent and the Archive Agent can use the same certificate if they run on the same server. The CSR also includes your choice of name and password for the private key file that must be used with each certificate. This information is needed when configuring the Messaging Agent to use SSL encryption.

2.3.2 Submitting the Certificate Signing Request to a Certificate Authority

To receive a server certificate, you need to submit the certificate signing request (server_name.csr file) to a certificate authority. If you have not previously used a certificate authority, you can use the keywords “Certificate Authority” to search the web for certificate authority companies. You can also issue your own certificates with a local CA, such as Novell Certificate Server. (Novell Certificate Server, which runs on a server with NetIQ eDirectory, enables you to establish your own Certificate Authority and issue server certificates for yourself. For more information, see the Novell Certificate Server documentation site.)

The certificate authority must be able to provide the certificate in Base64/PEM or PFX format.

IMPORTANT:You cannot use an eDirectory root certificate (rootcert.der file) as a public certificate.

The process of submitting the CSR varies from company to company. Most provide online submission of the request. Follow their instructions for submitting the request.

2.3.3 Installing the Certificate on the Server

After processing your CSR, the certificate authority returns to you a certificate (server_name.crt) file and a private key (server_name.key) file. Copy the files to the certs subdirectory of the Messenger agent installation directory.

2.3.4 Modifying the Server Object SSL Certificate

After you have a certificate and a private key file available on the server where the Messaging Agent runs, you are ready to configure the Messaging Agent to use SSL encryption.

  • In the GroupWise Admin console, navigate to Messenger > MessengerService > Servers, and then select the server.

  • On the SSL Settings tab, fill in the following fields:

    Certificate Path: Certificates are placed by default in/opt/novell/messenger/certs.

    IMPORTANT:The certificate path must be located on the same server where the Messenger agents are installed. If your SSL certificate and key file are located on a different server, you must copy them into the directory specified in the Certificate Path field so that they are always accessible to the Messenger agents.

    SSL Certificate: Browse to and select the certificate file. Or, if it is located in the directory specified in the Certificate Path field, you can simply type the file name.

    SSL Key File: Browse to and select your private key file. Or, if it is located in the directory specified in the Certificate Path field, you can simply type the file name.

    Set Password: Provide the key file password you established when you submitted the certificate signing request.

    Because you provided the SSL information on the Messenger Server object, it applies to both the Messaging Agent and the Archive Agent if both agents are running on the same server. The same information can be provided on the Security page of each Messenger agent if necessary.

  • Click Save.

  • Restart the Messaging Agent to start using SSL encryption.

Corresponding Startup Switches: You can also use the /certpath, /certfile, /keyfile, and /keypassword startup switches in the Messaging Agent startup file to modify the Messaging Agent SSL certificates.

2.3.5 Modifying the SSL Cipher Suite

You can modify the SSL cipher suite if you need to disable certain ciphers that do not work in your environment. The ciphers suite can be modified both on the Archive Agent and the Messaging agent.

IMPORTANT:Unless you are required to modify the cipher suite for your environment, consider carefully before you make any changes as this decreases the security of your Messenger system.

The cipher list must be in OpenSSL format. For more information on OpenSSL format, see cipher list format.

To modify the SSL cipher suite use the /sslciphersuite startup switch.