8.2 Security Policies

Appropriate security policies help you keep users’ personal GroupWise data and Mobility system information secure.

8.2.1 Securing Your Mobility Data

Your Mobility server must be kept secure.

Limiting Physical Access to Mobility Servers

Servers where Mobility data resides should be kept physically secure, in locations where unauthorized persons cannot gain access to the server consoles.

Securing File System Access

Encrypted file systems should be used on all Mobility servers. Only Mobility administrators should have direct access to Mobility data.

8.2.2 Securing Your Mobility System

Locations where GroupWise users’ personal data and Mobility system information might be obtained must be kept secure.

Setting Up SSL Connections

Secure SSL connections should be used between your Mobility system and the following external components:

  • LDAP server (if you are using LDAP as your user source)

  • GroupWise Post Office Agent (POA)

  • Browser connection for the Mobility Admin console

  • Mobile devices

For instructions, see Section 8.1, Security Administration.

Setting Up a Device Password Security Policy

To increase your control over mobile device access to your Mobility system, you should establish a device password security policy to ensure that users set up secure passwords on their mobile devices. For instructions, see Section 4.3, Enabling a Device Password Security Policy.

Securing the Mobility Admin Console

During installation of the Mobility Service, you selected the source (LDAP or GroupWise) from which users and groups of users can be added to your Mobility system. For background information, see Selecting the User Source for Your Mobility System in the GroupWise Mobility Service 2.1 Installation Guide.

One Mobility administrator is established when you install the GroupWise Mobility Service. If you are using LDAP as the user source, you selected one LDAP user as the Mobility system administrator and you can designate additional Mobility administrators, as described in Setting Up Multiple Mobility Administrator Users. If you are using GroupWise as the user source, the root user on the Mobility server is the Mobility administrator user.

IMPORTANT: The number of people who know how to log in to the Mobility Admin console should be kept to a minimum.

The Mobility Admin console can be integrated with a single sign-on solution. For more information, see Section 1.4.2, Using the Mobility Admin Console with a Single Sign-On Solution.

Protecting Mobility Configuration Files

The configuration files for all internal Mobility components should be protected from tampering. Configuration files are found in the following default locations:

Internal Mobility Component   Configuration File
Sync Engine                   /etc/datasync/syncengine/engine.xml
Web Admin                     /etc/datasync/webadmin/server.xml
Config Engine                 /etc/datasync/configengine/configengine.xml
Connector Manager             /etc/datasync/syncengine/connectors.xml

Protecting Mobility Log Files

The log files for all internal Mobility components should be protected against unauthorized access. Some log files contain very detailed information about your Mobility system and users. Mobility log files are found in the following locations:

Internal Mobility Service Component   Log File Subdirectory under /var/log/datasync   Log File Name
Sync Engine                           syncengine                                      engine.log
Config Engine                         configengine                                    configengine.log
Web Admin                             webadmin                                        server.log
Connector Manager                     syncengine                                      connectorManager.log
Sync Agents                           connectors                                      groupwise-agent.log
                                                                                      groupwise.log
                                                                                      mobility-agent.log
                                                                                      mobility.log

If you set the Mobility Service log level to Debug, Subject lines are included in log files for troubleshooting purposes. This information identifies items that are experiencing synchronization problems.

If you use the Debug log level, ensure that log files are kept secure to protect users’ personal information. The Info log level is strongly recommended for a smoothly functioning Mobility system.

No text about recipients or from message bodies is included in log files.
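The two protection requirements above (configuration files protected from tampering, log files protected from unauthorized access) can be checked mechanically. The following script is an added example, not part of the GroupWise Mobility documentation: it audits the ownership and mode of every configuration and log file at the default locations listed in the two tables, rejecting any file that is readable or writable by "other" or writable by "group", and it keeps a SHA-256 baseline of the configuration files so that later changes are detected. It assumes a Linux Mobility server with GNU coreutils (`stat -c`, `sha256sum`); the `DATASYNC_ROOT` prefix and `EXPECTED_OWNER` variables are assumptions introduced here so the checks can be run against a copy of the tree and against whichever account administers the server.

```shell
#!/bin/sh
# Added example (not from the GroupWise Mobility documentation).
# Audits mode and owner of the Mobility configuration and log files and
# keeps a hash baseline for the configuration files. Assumes Linux with
# GNU coreutils (stat -c, sha256sum).

# Assumed knobs: DATASYNC_ROOT lets the checks run against a copy of the
# tree (empty = the real server); EXPECTED_OWNER is the account that should
# own the files (root by default, per the default installation).
DATASYNC_ROOT="${DATASYNC_ROOT:-}"
EXPECTED_OWNER="${EXPECTED_OWNER:-root}"

# Default locations taken from the two tables in the documentation.
CONFIG_FILES="
/etc/datasync/syncengine/engine.xml
/etc/datasync/webadmin/server.xml
/etc/datasync/configengine/configengine.xml
/etc/datasync/syncengine/connectors.xml
"
LOG_FILES="
/var/log/datasync/syncengine/engine.log
/var/log/datasync/configengine/configengine.log
/var/log/datasync/webadmin/server.log
/var/log/datasync/syncengine/connectorManager.log
/var/log/datasync/connectors/groupwise-agent.log
/var/log/datasync/connectors/groupwise.log
/var/log/datasync/connectors/mobility-agent.log
/var/log/datasync/connectors/mobility.log
"

# check_file PATH: returns 0 when the file exists, is owned by
# EXPECTED_OWNER, grants nothing to "other" and no write to "group".
# Prints one finding line and returns 1 otherwise.
check_file() {
  f="$1"
  if [ ! -e "$f" ]; then
    echo "MISSING  $f"
    return 1
  fi
  mode=$(stat -c '%a' "$f")        # e.g. 640 (no leading zero)
  owner=$(stat -c '%U' "$f")
  other=${mode#"${mode%?}"}         # last octal digit  -> "other"
  rest=${mode%?}
  group=${rest#"${rest%?}"}         # next-to-last digit -> "group"
  status=0
  [ "$other" = "0" ] || { echo "WEAK     $f mode $mode (other has access)"; status=1; }
  case "$group" in
    2|3|6|7) echo "WEAK     $f mode $mode (group writable)"; status=1 ;;
  esac
  [ "$owner" = "$EXPECTED_OWNER" ] || { echo "OWNER    $f owned by $owner, expected $EXPECTED_OWNER"; status=1; }
  return $status
}

# audit_files: checks every configuration and log file; returns 1 if any fails.
audit_files() {
  rc=0
  for f in $CONFIG_FILES $LOG_FILES; do
    check_file "$DATASYNC_ROOT$f" || rc=1
  done
  return $rc
}

# baseline_create OUT: records SHA-256 of each configuration file into OUT.
baseline_create() {
  out="$1"
  : > "$out"
  for f in $CONFIG_FILES; do
    [ -f "$DATASYNC_ROOT$f" ] && sha256sum "$DATASYNC_ROOT$f" >> "$out"
  done
  return 0
}

# baseline_verify BASELINE: returns non-zero (and names the files) if any
# configuration file no longer matches the recorded hash.
baseline_verify() {
  sha256sum --quiet -c "$1"
}

# Entry point: `sh mobility_audit.sh audit`, `... baseline FILE`, `... verify FILE`.
# With no argument only the functions are defined, so the file can be sourced.
case "${1:-}" in
  audit)    audit_files ;;
  baseline) baseline_create "${2:?baseline path}" ;;
  verify)   baseline_verify "${2:?baseline path}" ;;
esac
```

Run `audit` from cron or a configuration-management job so a permission regression is reported rather than discovered after a log file is read by the wrong account; run `baseline` once after each deliberate configuration change and `verify` on a schedule, keeping the baseline file itself outside the audited tree and writable only by the administrator.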