6.3 Securing the Messenger Agents

6.3.1 Enabling SSL for Client/Server Connections

All the connections between the client and the server should be configured to use SSL. To do this, SSL must be configured for the agents. For information on configuring SSL for the agents and for the client, see Creating Your Messenger System for NetWare® and Windows and Configuring the Linux Messenger Agents for SSL for Linux in the Messenger 2.0 Installation Guide. To secure the client, simply use the port number specified for secure connections when connecting to the server.

6.3.2 Enabling SSL for the Message Transfer Protocol

When installing the agents, you have the option to configure SSL for the agents. If you chose to use SSL for the connection between the agents and the clients, the Message Transfer Protocol is automatically configured to use SSL as well. For more information, see Creating Your Messenger System for NetWare and Windows and Configuring the Linux Messenger Agents for SSL for Linux in the Messenger 2.0 Installation Guide.

Configuring SSL for the Message Transfer Protocol After Installation

In order for the Message Transfer Protocol to use SSL, you must enable SSL for the agents. If you chose not to use SSL during the installation, you can configure SSL for the agents in ConsoleOne.

Before the agents and the Message Transfer Protocol can use SSL encryption, you must send a Certificate Signing Request (CSR) to a Certification Authority (CA) and receive a public certificate file in return. The CSR includes the hostname of the server where the Messaging Agent runs. The Messaging Agent and the Archive Agent can use the same certificate if they run on the same server. The CSR also includes your choice of name and password for the private key file that must be used with each certificate. This information is needed when configuring the Message Transfer Protocol to use SSL encryption. For more information, see Section 2.3.1, Generating a Certificate Signing Request and Private Key.

After you have a public certificate and a private key file available on the server where the Messaging Agent runs, you are ready to configure the Messaging Agent to use SSL encryption.

  1. In ConsoleOne, browse to and expand the Messenger Service object.

  2. Right-click the Messenger ArchiveAgent object, then click Properties.

  3. Click Agent > Security.

    [Figure: Server Security page]
  4. Fill in the following fields:

    Certificate Path: This field defaults to \novell\nm\certs for NetWare and Windows, and /opt/novell/messenger/certs for Linux.

    IMPORTANT: The certificate path must be located on the same server where the Messenger agents are installed. If your SSL certificate and key file are located on a different server, you must copy them into the directory specified in the Certificate Path field so they are always accessible to the Messenger agents.

    SSL Certificate: Browse to and select the public certificate file. Or, if it is located in the directory specified in the Certificate Path field, you can simply type the filename.

    SSL Key File: Browse to and select your private key file. Or, if it is located in the directory specified in the Certificate Path field, you can simply type the filename.

    Set Password: Provide the key file password you established when you submitted the certificate signing request.

    Enable SSL for Client/Server: Select this option to enable SSL encryption for your client and server.

    Enable SSL for Message Transfer Protocol: Select this option to enable SSL encryption for your Message Transfer Protocol.

  5. Click OK to save the SSL settings.

  6. Restart the Messaging Agent to begin using SSL encryption.
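Before saving the settings in step 5, it is worth confirming that the certificate and key file are where the agent will look for them and that the key really is protected. The following Python script is an added example, not Novell code: it assumes a Linux server, takes the Certificate Path directory and the two filenames exactly as entered on the Security page, resolves a bare filename inside that directory as the page describes, and treats a PEM key without an encryption header as unprotected; the function names and the sample files built in demo() are constructed for the example.

```python
import os
import stat
import tempfile

def resolve(cert_path, name):
    """A bare filename is looked up in the Certificate Path directory, mirroring
    the 'simply type the filename' option on the agent's Security page."""
    return name if os.path.isabs(name) else os.path.join(cert_path, name)

def key_is_encrypted(key_path):
    """True if a PEM key carries an encryption marker (PKCS#8 'ENCRYPTED PRIVATE
    KEY' or legacy 'Proc-Type: 4,ENCRYPTED'); None for non-PEM (e.g. DER) files."""
    with open(key_path, "rb") as fh:
        head = fh.read(512)
    return b"ENCRYPTED" in head if b"-----BEGIN" in head else None

def preflight_ssl_files(cert_path, cert_file, key_file):
    """Return a list of findings; an empty list means the files look ready."""
    if not os.path.isdir(cert_path):          # must be local to the agent's server
        return [f"certificate path {cert_path} does not exist on this server"]
    findings = []
    cert, key = resolve(cert_path, cert_file), resolve(cert_path, key_file)
    for label, path in (("certificate", cert), ("key file", key)):
        if not os.path.isfile(path):
            findings.append(f"{label} {path} not found; copy it under {cert_path}")
    if os.path.isfile(key):
        mode = stat.S_IMODE(os.stat(key).st_mode)
        if mode & (stat.S_IRWXG | stat.S_IRWXO):
            findings.append(f"key file {key} is accessible to group/others (mode {mode:04o})")
        if key_is_encrypted(key) is False:
            findings.append(f"key file {key} is an unencrypted PEM key; no password protects it")
    return findings

def _write(path, text, mode):
    with open(path, "w") as fh:
        fh.write(text)
    os.chmod(path, mode)

def demo():
    """Constructed sample: a plaintext, world-readable key, then the same key fixed."""
    d = tempfile.mkdtemp()                    # stands in for the Certificate Path
    _write(os.path.join(d, "nmcert.pem"), "-----BEGIN CERTIFICATE-----\n", 0o644)
    key = os.path.join(d, "nmkey.pem")
    _write(key, "-----BEGIN PRIVATE KEY-----\n", 0o644)
    before = preflight_ssl_files(d, "nmcert.pem", "nmkey.pem")
    _write(key, "-----BEGIN ENCRYPTED PRIVATE KEY-----\n", 0o600)
    return before, preflight_ssl_files(d, "nmcert.pem", "nmkey.pem")
```

Run demo() on the agent's server with the real Certificate Path to see the two findings disappear once the key is mode 0600 and password-protected.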

6.3.3 Enabling SSL for the Web Console

When SSL is configured during installation, the Web console should already be set up to use SSL. However, additional configuration is still needed to fully enable SSL for the Web console. For information on how to secure and configure the Web console, see Setting Up the Messaging Agent Web Console and Section 4.10.2, Using the Archive Agent Web Console and GroupWise Monitor.

6.3.4 Enabling Password Protection for the Web Console

The Web console should be configured to use both SSL and password protection, but password protection must be enabled explicitly. For information on how to enable password protection for the Web console, see Setting Up the Messaging Agent Web Console and Section 4.10.2, Using the Archive Agent Web Console and GroupWise Monitor.

6.3.5 Securing the Data Files

Securing the Data Store

The data store files should be protected from tampering. The data store files are identified by an eight-digit hexadecimal number followed by either .maf or .mai. They are found in the following default locations:

Table 6-1 Messenger Data Store File Locations

Platform   Directory                            Store Files
NetWare    sys:\Novell\NM\aa\store              xxxxxxxx.maf, xxxxxxxx.mai
Linux      /var/opt/novell/messenger/aa/store   xxxxxxxx.maf, xxxxxxxx.mai
Windows    C:\Novell\NM\aa\store                xxxxxxxx.maf, xxxxxxxx.mai

Securing the Queue Files

The queue files should be protected from tampering. The queue files are identified by an eight-digit hexadecimal number followed by a three-digit numeric extension (xxxxxxxx.nnn). They are found in the following default locations:

Table 6-2 Messenger Queue File Locations

Platform   Directory                            Queue Files
NetWare    sys:\Novell\NM\ma\queue              xxxxxxxx.nnn
           sys:\Novell\NM\aa\queue
Linux      /var/opt/novell/messenger/ma/queue   xxxxxxxx.nnn
           /var/opt/novell/messenger/aa/queue
Windows    C:\Novell\NM\ma\queue                xxxxxxxx.nnn
           C:\Novell\NM\aa\queue

Securing the Log Files

The log files for all Messenger agents should be protected from access by unauthorized persons. Some contain very detailed information about your Messenger system and Messenger users. They are found in the following default locations:

Table 6-3 Messenger Agent Log File Locations

Platform   Directory                          Log Files
NetWare    vol:\Novell\MA\logs                mmddnma.nnn
           vol:\Novell\AA\logs                mmddnaa.nnn
Linux      /var/opt/novell/log/messenger/ma   mmddnma.nnn
           /var/opt/novell/log/messenger/aa   mmddnaa.nnn
Windows    C:\Novell\MA\logs                  mmddnma.nnn
           C:\Novell\AA\logs                  mmddnaa.nnn

Securing the Startup Files

The startup files for all Messenger agents should be protected from tampering. They are found in the following default locations:

Table 6-4 Messenger Agent Startup File Locations

Platform   Directory            Startup Files
NetWare    sys:\Novell\NM\ma    strtup.ma
           sys:\Novell\NM\aa    strtup.aa
Linux      /etc/init.d          novell-nmma
                                novell-nmaa
Windows    C:\Novell\NM\ma      strtup.ma
           C:\Novell\NM\aa      strtup.aa

Securing the Root Certificate

The root certificate files should be protected from tampering. The root certificate files are copied to the following default locations:

Table 6-5 Root Certificate File Locations

Platform   Directory                     Certificate Files
NetWare    sys:\Novell\NM\certs          certname.der
Linux      /opt/novell/messenger/certs   certname.der
Windows    C:\Novell\NM\certs            certname.der