71.2 Server Certificates and SSL Encryption

You should strengthen native GroupWise encryption with Secure Sockets Layer (SSL) communication between servers where GroupWise agents are installed. If you have not already set up SSL on your system, you must complete the following tasks:

If you have already set up SSL on your system and are using it with other applications besides GroupWise, skip to Section 71.2.6, Configuring the Agents to Use SSL.

71.2.1 Generating a Certificate Signing Request

Before the GroupWise agents can use SSL, you must create a Certificate Signing Request (CSR) and obtain a public certificate file. The CSR includes the hostname of the server where the agents run. Therefore, you must create a CSR for every server where you want the GroupWise agents to use SSL. However, all GroupWise agents running on the same server can use the same resulting certificate, so you do not need separate CSRs for different agents. The CSR also includes your choice of name and password for the private key file that must be used with each certificate. This information is needed when configuring the agents to use SSL.

One way to create a CSR is to use the GWCSRGEN utility. This utility takes the information you provide and creates a .csr file from which a public certificate file can be generated.

  1. Start the GroupWise Generate CSR utility.

    Linux:

    The utility (gwcsrgen) is installed to the /opt/novell/groupwise/agents/bin directory. You must be logged in as root to start the utility. The directory where you want to create the certificate file and key file must already exist.

    Windows:

    The utility (gwcsrgen.exe) is located in the \admin\utility\gwcsrgen directory either on the GroupWise 7 Administrator for NetWare/Windows CD or in the GroupWise software distribution directory.

    GroupWise Generate CSR utility
  2. Fill in the fields in the Private Key box. The private key information is used to create both the Private Key file and the Certificate Signing Request file.

    Key Filename: Specify a name for the Private Key file (for example, server1.key). If you don’t want the file stored in the same directory as the GWCSRGEN utility, specify a full path with the filename (for example, c:\server1.key or /opt/novell/groupwise/certs/server1.key).

    Key Password: Specify the password for the private key. The password can be up to 256 characters (single-byte environments).

    Verify Password: Specify the password again.

  3. Fill in the fields in the Certificate Signing Request box.

    CSR Filename: Specify a name for the Certificate Signing Request file (for example, server1.csr). If you don’t want the file stored in the same directory as the GWCSRGEN utility, specify a full path with the filename (for example, c:\server1.csr or /opt/novell/groupwise/certs/server1.csr).

  4. Fill in the fields in the Required Information box. This information is used to create the Certificate Signing Request file. You must fill in all fields to generate a valid CSR file.

    Country: Specify the two-letter abbreviation for your country (for example, US).

    State/Province: Specify the name of your state or province (for example, Utah). Use the full name. Do not abbreviate it.

    City: Specify the name of your city (for example, Provo).

    Organization: Specify the name of your organization (for example, Novell, Inc.).

    Division: Specify your organization’s division that this certificate is being issued to (for example, Novell Product Development).

    Hostname of Server: Specify the DNS hostname of the server where the server certificate will be used (for example, dev.provo.novell.com).

  5. Click Create to generate the CSR file and Private Key file.

    The CSR and Private Key files are created with the names and in the locations you specified in the Key Filename and CSR Filename fields.

71.2.2 Using a GWCSRGEN Configuration File

For convenience, if you need to generate multiple certificates, you can record the information for the above fields in a configuration file so that it is supplied automatically whenever you run the Generate CSR utility. The configuration file must have the following format:

[Private Key]
Location = 
Extension = key

[CSR]
Location = 
Extension = csr

[Required Information]
Country = 
State = 
City = 
Organization = 
Division = 
Hostname = 

If you do not want to provide a default for a certain field, insert a comment character (#) in front of that line. Name the file gwcsrgen.cnf. Save the file in the same directory where the utility is installed:

Linux:

/opt/novell/groupwise/agents/bin

Windows:

\grpwise\software\admin\utility\gwcsrgen

71.2.3 Submitting the Certificate Signing Request to a Certificate Authority

To obtain a server certificate, you can submit the Certificate Signing Request (server_name.csr file) to a Certificate Authority. If you have not previously used a Certificate Authority, you can use the keywords “Certificate Authority” to search the Web for Certificate Authority companies. The Certificate Authority must be able to provide the certificate in Base64/PEM or PFX format.

The process of submitting the CSR varies from company to company. Most provide online submission of the request. Please follow their instructions for submitting the request.

71.2.4 Creating Your Own Certificate

Using ConsoleOne on Windows or Linux

The Novell Certificate Server, which runs on a NetWare® server with Novell eDirectory™, enables you to establish your own Certificate Authority and issue server certificates for yourself. For complete information, see the Novell Certificate Server Web site.

To quickly create your own public certificate in ConsoleOne:

  1. Click Help > About Snap-ins to see if the Certificate Server snap-in to ConsoleOne is installed.

    If it is not installed, you can obtain it from Novell Product Downloads. If you are using eDirectory on Linux, the Certificate Server snap-in is installed by default.

    NOTE: You can create a server certificate in Novell iManager, as well as in ConsoleOne, using steps similar to those provided below.

  2. Browse to and select the container where your Server object is located.

  3. Click Tools > Issue Certificate.

    CSR Filename page
  4. Browse to and select the CSR file created by GWCSRGEN in Section 71.2.1, Generating a Certificate Signing Request, then click Next.

    By default, your own organizational certificate authority signs the request.

  5. Click Next.

    Key Information page
  6. In the Type box, select Custom.

  7. In the Key Usage box, select all three usage options.

  8. Click Next.

  9. In the Validity Period field, select the length of time you want the certificate to be valid.

    You might want to change the setting to a longer period of time to best meet the needs of your organization.

  10. Click Next, view the summary information, then click Finish.

    Save Certificate page
  11. Select File in Base64 Format.

  12. Specify the path and filename for the certificate.

    Limit the filename to 8 characters. You can retain the .b64 extension or use the more general .crt extension.

  13. Click Save.

Using YaST on Linux

  1. On the Linux server desktop, click Computer > YaST, then enter the root password.

  2. Click Security and Users > CA Management.

  3. If you did not create the YaST_Default_CA during the installation of Linux on the server:

    a. Click Import CA, specify the name and location of an existing CA, click OK, then skip to Step 4.

      or

      Click Create Root CA, then continue with Step 3.b.

    b. Fill in the following fields:

      CA Name: Specify the name of the CA certificate.

      Common Name: Specify the name of the Certificate Authority.

      Organization: Specify the name of your organization (for example, Novell, Inc.).

      Organizational Unit: Specify your organization’s division that this certificate is being issued to (for example, Novell Product Development).

      Locality: Specify the name of your city or other regional division (for example, Provo).

      State: Specify the name of your state (for example, Utah). Use the full name. Do not abbreviate it.

      Country: Select the name of your country (for example, USA).

    c. Click Next.

    d. Specify and verify the certificate password, then click Next.

    e. Click Create to create the root Certificate Authority on the server.

  4. After you have a Certificate Authority on the Linux server:

    a. Select YaST_Default_CA or the CA you just created, click Enter CA, specify the CA password, then click OK.

    b. On the Certificates tab, click Export > Export to File.

    c. Select Certificate and the Key Encrypted in PEM Format.

    d. Specify the certificate password and, if desired, specify and verify a new password for the new certificate file.

    e. Browse to and select the directory where you want to create the certificate file, then specify the filename for the certificate, adding a .pem extension.

    f. Click OK to create the certificate file, then click OK again to confirm.

    g. Exit from YaST.

  5. In a terminal window, log in as root, then separate the .pem file created by YaST into a .crt file and a .key file, as required by GroupWise:

    a. Use a text editor such as gedit to open the .pem file.

    b. Select and copy the BEGIN CERTIFICATE line through the END CERTIFICATE line into a new file, name it the same as the server name, and add a .crt extension to the filename when you save it.

    c. Select and copy the BEGIN RSA PRIVATE KEY line through the END RSA PRIVATE KEY line into a new file, name it the same as the server name, and add a .key extension to the filename when you save it.

    d. Exit the text editor.
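The same split of the YaST .pem file into a .crt and a .key file, scripted instead of copied by hand in an editor. This is an added example and not part of the GroupWise documentation or of YaST; the file name gw.pem and the server name server1 are constructed for illustration, and the PEM bodies in the sample are placeholder text rather than real key material.

```shell
#!/bin/sh
# Added example (not GroupWise or YaST code): split the combined .pem that YaST
# exports into the server_name.crt and server_name.key files GroupWise expects.
# Usage: split_pem <combined.pem> <server_name>  -> server_name.crt, server_name.key

# Print the lines from "-----BEGIN <label>-----" through "-----END <label>-----",
# inclusive. For an encrypted key this carries along the Proc-Type and DEK-Info
# header lines and the blank line after them; they sit between the BEGIN line
# and the base64 body, and the key cannot be decrypted without them.
extract_pem_block() {
    awk -v label="$2" '
        $0 == ("-----BEGIN " label "-----") { inblock = 1 }
        inblock                              { print }
        $0 == ("-----END " label "-----")   { inblock = 0 }
    ' "$1"
}

split_pem() {
    pem="$1"; name="$2"
    extract_pem_block "$pem" "CERTIFICATE" > "$name.crt"
    extract_pem_block "$pem" "RSA PRIVATE KEY" > "$name.key"
    # The certificate is public; the private key must be readable by root only.
    chmod 600 "$name.key"
    # Fail unless each output holds exactly one BEGIN/END pair, so a missing or
    # duplicated block in the input is caught before the agents load the files.
    [ "$(grep -c '^-----BEGIN ' "$name.crt")" -eq 1 ] &&
    [ "$(grep -c '^-----END ' "$name.crt")" -eq 1 ] &&
    [ "$(grep -c '^-----BEGIN ' "$name.key")" -eq 1 ] &&
    [ "$(grep -c '^-----END ' "$name.key")" -eq 1 ]
}

# Constructed sample in the layout YaST writes (certificate first, then the
# encrypted key). The base64 bodies are placeholder text, not real key material.
make_sample_pem() {
    cat > "$1" <<'EOF'
-----BEGIN CERTIFICATE-----
MIIBsampleCertificateBodyLine1
MIIBsampleCertificateBodyLine2
-----END CERTIFICATE-----
-----BEGIN RSA PRIVATE KEY-----
Proc-Type: 4,ENCRYPTED
DEK-Info: DES-EDE3-CBC,0123456789ABCDEF

sampleEncryptedKeyBodyLine1
sampleEncryptedKeyBodyLine2
-----END RSA PRIVATE KEY-----
EOF
}
```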

71.2.5 Installing the Certificate on the Server

After processing your CSRs, the Certificate Authority sends you a public certificate (server_name.b64) file for each CSR. You might need to extract the private key from the public certificate. The private key file might have an extension such as .pem or .pfx. The extension is unimportant as long as the file format is correct.

If you used the Issue Certificate feature in ConsoleOne, as described in Using ConsoleOne on Windows or Linux, it generated the public certificate file (server_name.b64) and private key file (server_name.key).

If you used the CA Management feature in YaST, as described in Using YaST on Linux, you created the public certificate file (server_name.crt) and private key file (server_name.key).

Copy the files to any convenient location on each server. The location must be accessible to the GroupWise agents that run on the server.

71.2.6 Configuring the Agents to Use SSL

To configure the agents to use SSL you must first enable them for SSL and then provide certificate and key file information. For detailed instructions, see the following sections: