9.1 Security Administration

It is vital to secure each stage in the communication path between GroupWise and mobile devices.

9.1.1 Securing Communication between the GroupWise Sync Agent and the GroupWise POA

The GroupWise Sync Agent communicates with the GroupWise POA as a SOAP client. In order to secure communication between the GroupWise Sync Agent and the GroupWise POA, the POA must be configured for secure SSL SOAP. SSL SOAP security is enabled by default in GroupWise.

You can enable and disable SSL for the POA SOAP connections on the GroupWise Sync Agent Configuration page in the Mobility Administration Console. For instructions, see Enabling and Disabling SSL for POA SOAP Connections.

9.1.2 Securing Communication between the Device Sync Agent and Mobile Devices

In order to provide a secure SSL connection between the Device Sync Agent and mobile devices, you must provide a server certificate on the Mobility server.

Using a Self-Signed Certificate on the Mobility Server

IMPORTANT: You should obtain a commercially signed certificate for use with your Mobility system as quickly as possible.

Starting with GMS 18.4, the entire process of obtaining a certificate has been automated in the MCheck utility. For details, see Using MCheck to Simplify User, Certificate, and Database Management > Generate a Private Key and Certificate Signing Request.

When you have the Mobility Service Installation program create a self-signed certificate for you, two certificate files are created in the /var/lib/datasync directory:

gms_mobility.pem
gms_mobility.cer

NOTE: /var/lib/datasync also contains a system-use only file named gms_server.pem. Do not modify or replace this file.

When a mobile device connects to the Device Sync Agent, the Device Sync Agent passes the self-signed certificate file (gms_mobility.pem) to the mobile device. In most cases, the mobile device accepts the self-signed certificate and connects successfully.

Some mobile devices do not automatically accept self-signed certificates in PEM format. If you choose to use a self-signed certificate and if users encounter connection problems with particular mobile devices, explain the procedure in Manually Downloading a Certificate to a Mobile Device to the users who are encountering connection problems. This procedure enables users to use the gms_mobility.cer file instead of the gms_mobility.pem file on their mobile devices.

The self-signed certificate generated by the Installation program is issued to “DataSync Web Admin” rather than to a specific hostname. Some mobile devices require that a self-signed certificate be associated with a specific hostname.

Using a Commercially Signed Certificate on the Mobility Server

IMPORTANT: You should obtain a commercially signed certificate for use with your Mobility system as quickly as possible.

Starting with GMS 18.4, the entire process of obtaining a certificate has been automated in the MCheck utility. For details, see Using MCheck to Simplify User, Certificate, and Database Management > Generate a Private Key and Certificate Signing Request.

Obtaining the Certificate

When you have selected a certificate authority, request a certificate in PEM format. If necessary, you can use a chained certificate or a wildcard certificate with your Mobility system.

In order to obtain a certificate, you need to send the certificate authority a certificate signing request (CSR). For example, you can use OpenSSL to generate the CSR.

  1. In a terminal window on the Mobility server, become root by entering su - and the root password.

  2. Change to a convenient directory where you want to create the CSR.

  3. Create the key file:

    1. Enter the following command:

      openssl genrsa -des3 -out key_file_name.key 2048

      Replace key_file_name.key with a convenient name for the private key file, such as gw.key.

    2. Enter and verify a pass phrase for the key file.

  4. Create the CSR:

    1. Enter the following command:

      openssl req -new -key key_file_name.key -out csr_file_name.csr

      Replace key_file_name.key with the key file that you created in Step 3.

    2. Enter the pass phrase for the key file.

    3. Enter the two-letter code for your country, such as US for the United States, DE for Germany, and so on.

    4. Enter your state or province.

    5. Enter your city.

    6. Enter the name of your company or organization.

    7. Enter your department or other organizational unit.

    8. Enter your name.

    9. Enter your email address.

    10. (Optional) Enter a password for the CSR, or simply press Enter.

    11. (Optional) Enter a secondary name for your company or organization, or simply press Enter.

NOTE: Depending on the method that you use to generate the CSR, you might be prompted for the type of web server where you plan to install the certificate. The Mobility Service uses the CherryPy web server.

The certificate authority returns one or more files to you. Save the files to a convenient location. These files might require modification for use in your Mobility system.

Removing a Pass Phrase from a Key File

If the key file that you created in Step 3 includes a pass phrase, you need to remove it in order to use the file in your Mobility system.

  1. Check to see if the key file includes a pass phrase.

    A pass-phrase-protected key file includes the following line:

      Proc-Type: 4,ENCRYPTED

  2. Use the following command to remove the pass phrase:

    openssl rsa -in original_file_name.key -out pass-phrase-less_file_name.key

Combining Files Received from a Certificate Authority

If you receive more than one file from the certificate authority, such as a certificate file and a key file, you must combine the contents into a single file with the following format:

-----BEGIN RSA PRIVATE KEY-----
several_lines_of_private_key_text
-----END RSA PRIVATE KEY-----
-----BEGIN CERTIFICATE-----
several_lines_of_server_certificate_text
-----END CERTIFICATE-----

If the certificate authority provided an intermediate certificate, place it at the end of the file after the private key and the actual certificate.

Installing a Commercially Signed Certificate on the Mobility Server

  1. (Conditional) If you have been using a self-signed certificate, rename the existing /var/lib/datasync/gms_mobility.pem file.

  2. Copy the certificate file received from the certificate authority to /var/lib/datasync.

  3. Rename it to gms_mobility.pem.

  4. Restart the Mobility Service.
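The key, CSR, pass-phrase removal and file-combining steps above, together with a check that the installed certificate is the one the service actually presents, as an added example script. It is not part of the GroupWise Mobility Service or its documentation; OpenSSL is its only dependency. The hostname mobility.example.com, the subject fields, the file names gw.key, gw.csr and gw-nopass.key, and the port given to served_fingerprint are placeholders. One assumption beyond the page: OpenSSL 3 writes keys in PKCS#8 form by default (an encrypted key then carries a "BEGIN ENCRYPTED PRIVATE KEY" header rather than the Proc-Type line shown above), so the pass-phrase check accepts both forms and the pass-phrase removal asks for the traditional layout where the option exists.

```shell
#!/bin/sh
# Added helper (not part of GroupWise Mobility Service) that walks the steps above:
# pass-phrase-protected key -> CSR -> pass phrase removed -> combined PEM ->
# post-install check. Hostnames, ports, subject fields and file names are placeholders.
set -eu

# Step 3: RSA key, pass-phrase protected as the documented command produces it.
# -passout replaces the interactive prompt (pass phrase passed as an argument).
gen_key() {   # gen_key KEYFILE PASS
  openssl genrsa -des3 -passout "pass:$2" -out "$1" 2048
}

# Step 4: CSR with the subject fields supplied on the command line instead of
# interactively. CN must be the hostname that mobile devices connect to.
gen_csr() {   # gen_csr KEYFILE PASS CSRFILE HOSTNAME
  openssl req -new -key "$1" -passin "pass:$2" -out "$3" \
    -subj "/C=US/ST=Utah/L=Provo/O=Example Corp/OU=IT/CN=$4"
}

# "Removing a Pass Phrase": the doc looks for the Proc-Type header, which only
# the traditional PKCS#1 layout carries; OpenSSL 3 writes an encrypted key as a
# PKCS#8 "ENCRYPTED PRIVATE KEY" block instead, so both forms are checked here.
key_is_encrypted() {   # key_is_encrypted KEYFILE -> 0 if still pass-phrase protected
  grep -q -e '^Proc-Type: 4,ENCRYPTED' -e '^-----BEGIN ENCRYPTED PRIVATE KEY-----' "$1"
}

# Writes the key without a pass phrase. -traditional (OpenSSL 3) keeps the
# "BEGIN RSA PRIVATE KEY" form shown above; older releases lack the option but
# already write that form, hence the fallback. The result is unprotected key
# material, so it is made owner-readable only.
strip_passphrase() {   # strip_passphrase IN PASS OUT
  openssl rsa -in "$1" -passin "pass:$2" -out "$3" -traditional 2>/dev/null \
    || openssl rsa -in "$1" -passin "pass:$2" -out "$3"
  chmod 600 "$3"
}

# "Combining Files": key first, server certificate second, any intermediate
# certificates last. awk '1' normalizes a missing final newline so two blocks
# never run together on one line.
combine_pem() {   # combine_pem KEY CERT OUT [INTERMEDIATE...]
  key=$1; cert=$2; out=$3; shift 3
  ( umask 077; awk '1' "$key" "$cert" "$@" > "$out" )
}

# Sanity check before copying to /var/lib/datasync/gms_mobility.pem: the first
# block is an unencrypted private key and every later block is a certificate.
pem_layout_ok() {   # pem_layout_ok FILE
  f=$1
  key_is_encrypted "$f" && return 1
  first=$(grep '^-----BEGIN ' "$f" | head -n 1)
  case "$first" in
    '-----BEGIN RSA PRIVATE KEY-----'|'-----BEGIN PRIVATE KEY-----') ;;
    *) return 1 ;;
  esac
  blocks=$(grep -c '^-----BEGIN ' "$f" || true)
  certs=$(grep -c '^-----BEGIN CERTIFICATE-----' "$f" || true)
  [ "$blocks" -ge 2 ] && [ "$certs" -eq $((blocks - 1)) ]
}

# Post-install check: after the restart, the certificate the service presents
# must be the one in the file. PORT is whatever your devices connect on.
cert_fingerprint() {   # cert_fingerprint PEMFILE (reads the first CERTIFICATE block)
  openssl x509 -in "$1" -noout -fingerprint -sha256
}
served_fingerprint() {   # served_fingerprint HOST PORT
  openssl s_client -connect "$1:$2" -servername "$1" </dev/null 2>/dev/null \
    | openssl x509 -noout -fingerprint -sha256
}

# Demo of the local steps; set RUN_CSR_DEMO=1 and run in a scratch directory.
if [ "${RUN_CSR_DEMO:-0}" = 1 ]; then
  host=${1:-mobility.example.com}          # placeholder hostname
  pass=$(openssl rand -hex 16)             # temporary pass phrase for the key
  gen_key gw.key "$pass"
  gen_csr gw.key "$pass" gw.csr "$host"
  strip_passphrase gw.key "$pass" gw-nopass.key
  key_is_encrypted gw-nopass.key && { echo "pass phrase still present" >&2; exit 1; }
  openssl req -in gw.csr -noout -subject   # what will be sent to the CA
  echo "Send gw.csr to the CA, then: combine_pem gw-nopass.key server.crt gms_mobility.pem [chain.crt]"
fi
```

Once the CA has answered, combine_pem assembles the file in the order the section requires, pem_layout_ok catches the two mistakes that most often leave the service unable to load it (certificate placed before the key, or a key that still carries its pass phrase), and comparing cert_fingerprint on the installed file with served_fingerprint on the live port confirms that the restart picked up the new certificate rather than a stale or self-signed one.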

IMPORTANT: If you uninstall the Mobility Service, the certificate files associated with your Mobility system are also deleted. Back up commercially signed certificates in a location outside of /var/lib/datasync.

Manually Downloading a Certificate to a Mobile Device

NOTE: When GMS starts or restarts, a new gms_mobility.cer file is generated automatically from the existing gms_mobility.pem file.

  1. Access the Mobility Settings page of the Mobility Administration Console on your mobile device at the following URL:

    https://mobility_server:8120

    Replace mobility_server with the IP address or DNS hostname of the server where you installed the Mobility Service.

  2. Log in using your network user name and password to display the Mobility Settings page on your mobile device.

  3. Tap Device Settings.

  4. In the Mobility Certificate File field, tap Download Certificate File.

  5. Save the gms_mobility.cer file to a convenient location on your mobile device.

  6. Import the certificate file into the certificate store on your mobile device.

    For device-specific instructions, see the GroupWise Mobility Service Devices Wiki.

  7. (Conditional) If you are not able to access the Mobility Settings page from your particular mobile device:

    1. Access the Mobility Settings page in a web browser on your Windows or Linux desktop, then click Device Settings.

    2. Click Download Certificate File.

    3. Save the gms_mobility.cer file on your Windows or Linux workstation.

    4. Set up an IMAP email account on your mobile device, then email the gms_mobility.cer file from your workstation to your mobile device.

      or

      Physically connect your mobile device to your workstation so that it appears as a drive on your workstation, then copy the gms_mobility.cer file from your workstation to your device.

  8. Import the certificate file into the certificate store on your mobile device.

Enabling and Disabling SSL for Device Connections

For instructions, see Enabling and Disabling SSL for Device Connections.

Enabling a Password Security Policy for Device Connections

For instructions, see Enabling a Device Password Security Policy.