74.2 Agent Passwords

Agent passwords facilitate access to remote servers where domains, post office, and document storage areas are located and access to eDirectory for synchronization of user information between GroupWise and eDirectory. They also protect GroupWise Monitor and the agent Web consoles from unauthorized access.

74.2.1 Facilitating Access to Remote Servers

If the NetWare POA runs on a server other than where the post office database and directory structure are located, it needs to log in to that remote server using an existing username and password. There are several ways to provide this information:

  • Fill in the Remote User Name and Remote Password fields on the Post Office Settings page of the Post Office object in ConsoleOne

  • Add the /dn startup switch to the POA startup file to provide the fully distinguished name of the NetWare POA object

  • Add the /user and /password startup switches to the POA startup file to provide a username and password

The Windows POA also needs username and password information if it needs to access a document storage area on a server other than the one where the post office database and directory structure are located. The three methods listed above can be used for this situation as well. The Windows POA does not need username and password information in order to access the post office directory because it should already have a drive mapped to that location.

If the NetWare MTA, Internet Agent, or WebAccess Agent runs on a server other than where the domain database and directory structure are located, it needs to log in to that remote server using an existing username and password. All three of these agents support the /user and /password switches for this purpose. The MTA also supports the /dn switch parallel to the POA. You cannot currently use ConsoleOne to specify username and password information for these agents.

Providing passwords in clear text in a startup file might seem like a security risk. However, the servers where the agents run should be kept physically secure. If an unauthorized person did gain physical access, they would not be doing so for the purpose of obtaining these particular passwords. And the passwords are encrypted as they pass over the wire between servers, so the security risk is minimal.

74.2.2 Facilitating Access to eDirectory

If you have enabled eDirectory user synchronization, the MTA must be able to log in to eDirectory in order to obtain the updated user information. An eDirectory-enabled MTA should be installed on a server where a local eDirectory replica is located.

If the eDirectory-enabled NetWare MTA is running on a different server from where the domain is located, you must add the /user and /password switches, or the /dn switch, to the MTA startup file so that the MTA can authenticate to eDirectory. The /dn switch is preferable, so that username and password information is not exposed in the MTA startup file. If the NetWare MTA is running on the same server where the domain is located, the MTA can look up the distinguished name in the domain database.

For the eDirectory-enabled Windows MTA, you must add the /user and /password switches to the MTA startup file in order to specify the network user account that the MTA should use to authenticate to eDirectory.

For more information, see Section 41.4.1, Using eDirectory User Synchronization.

74.2.3 Protecting the Agent Web Consoles

When you install the POA and the MTA, they are automatically configured with an agent Web console and no password protection is provided. When you install the Internet Agent and the WebAccess Agent, you can choose whether to enable the agent Web console during installation. If you do, you can provide password protection at that time.

If you do not want agent Web console status information available to anyone who knows the agent network address and port number, you should set passwords on your agent Web console, as described in the following sections:

If you plan to access the agent Web consoles from GroupWise Monitor, it is most convenient if you use the same password on all agent Web consoles. That way, you can provide the agent Web console password once in GroupWise Monitor, rather than having to provide various passwords as you view the Web consoles for various agents. For information about providing the agent Web console password in GroupWise Monitor, see Section 63.4, Configuring Polling of Monitored Agents.

74.2.4 Protecting the GroupWise Monitor Web Console

Along with the agent Web consoles, you can also provide password protection for the Monitor Web console itself, from which all the agent Web consoles can be accessed. For instructions, see Section 63.8, Configuring Authentication and Intruder Lockout for the Monitor Web Console.