Set up GWIA to use SSL/TLS with IMAP/POP3 and SMTP

  • 7004811
  • 05-Nov-2009
  • 26-Apr-2012

Environment

Novell GroupWise 7
Novell GroupWise 8

Situation

Set up GWIA to use SSL/TLS with IMAP/POP3 and SMTP

Resolution

The GWIA needs two files in order to allow SSL/TLS transmissions.
One is the certificate file, the other is a key file. Obtaining the two files involves using a tool to generate a certificate signing request, having an authority sign the request, placing the certificate and key on the server, and configuring GWIA in ConsoleOne.

The steps are:
1. Generate the CSR (Certificate Signing Request) file and the Private SSL Keyfile.

a. Use the "Generate CSR Utility", GWCSRGEN.EXE, in the GroupWise Software Distribution Directory or on the GroupWise Administrator CD (\admin\utility\gwcsrgen).
In this example we will name the key file yourserver.key and the CSR file yourserver.csr. Note down the password, as it needs to be specified in the GWIA SSL configuration.
Fill out all the required fields. For the hostname, specify the DNS name that will be used for the public mail traffic, e.g. mail.yourdomain.com. Do not use the internal DNS name or server name unless the same name is used to receive and send mail. If you are unsure about the hostname, simply use *.yourdomain.com.
This process creates a KEY file and a CSR file.

2. Get the certificate signed.

a. Send the CSR file to an external authority to sign your certificate.
The process of submitting the CSR varies from company to company. Most provide online submission of the request. Please follow their instructions for submitting the request.
Another option is to use the Novell Certificate Server, which comes with eDirectory and enables you to establish your own Certificate Authority and sign or issue server certificates.
Follow the TID "How to Locally Sign a CSR for use with SSL" to sign your CSR with your own Certificate Authority. Choose SSL or TLS during the signing process and set the validity period. Leave the other settings at their defaults and save the certificate in Base64 format with a filename of not more than 8 characters, e.g. signed.b64.

b. Put the certificate file that was signed by the external authority or your own certificate server, and the key file from the first step generated by the CSR generator, in the same directory, where the GWIA can access them.
No directory or file name anywhere in this path can be longer than 8 characters. You can put them in the Vol:\domain\wpgate\GWIA directory, for example. If necessary, rename the files to match 8.3 naming.

c. In ConsoleOne, open the details of the GWIA, go to the GroupWise tab and select the SSL section. Enter the path to the signed.b64 file.
DO NOT use the browse buttons. At the time of writing, using the browse button inserts the drive letter as part of the path. GWIA reads the files at startup, so you have to use a path that the server understands, e.g. VOL1:\GRPWISE\DOMAIN\WPGATE\GWIA\Signed.b64
Enter the path to the key file as well. If you used a password during the certificate creation, enter it too; otherwise leave it unset.

d. Restart the GWIA once the update has been processed.

If you get a "Warning - Failure in SSL startup (8209)" during the GWIA startup, GWIA was not able to find the certificate files.
If you get a "Warning - Failure in SSL startup (891D)" during the GWIA startup, the password for the certificate is wrong or missing, or the certificate has expired. If the certificate has expired, a new certificate needs to be obtained.
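
The two conditions behind these warnings (files GWIA cannot read at the configured path, and a certificate file that is not in the Base64 form GWIA expects) can be checked before restarting the GWIA. The following is an added example for this TID, not Novell code: it applies the path rules from steps 2b and 2c (server volume rather than drive letter, 8.3 names throughout) and tells a Base64/PEM certificate file apart from a raw DER one. The sample certificate body is a constructed minimal DER value, not a real certificate.

```python
import base64
import binascii
import re

# A Base64 (PEM) certificate as GWIA expects it; the text between the markers
# must decode to a DER SEQUENCE, whose first byte is 0x30.
PEM_CERT = re.compile(
    r"-----BEGIN CERTIFICATE-----\s*([A-Za-z0-9+/=\s]+?)\s*-----END CERTIFICATE-----"
)


def check_gwia_path(path: str) -> list[str]:
    """Return the problems found in a GWIA SSL file path; an empty list means OK.

    Rules from steps 2b and 2c: the path must start with the server volume
    (VOL1:\\...), not a mapped drive letter, and every directory and file
    name in it must fit 8.3 naming.
    """
    problems = []
    volume, sep, rest = path.partition(":\\")
    if not sep or not volume:
        return [f"'{path}' does not start with a volume such as VOL1:\\"]
    if len(volume) == 1 and volume.isalpha():
        problems.append(f"'{volume}:' is a mapped drive letter; GWIA needs the server volume")
    for part in rest.split("\\"):
        base, _, ext = part.partition(".")
        if not base or len(base) > 8 or len(ext) > 3 or "." in ext:
            problems.append(f"'{part}' does not fit 8.3 naming")
    return problems


def classify_certificate(data: bytes) -> str:
    """Classify a certificate file as 'pem' (Base64 text, what GWIA reads),
    'der' (raw binary, needs converting to Base64) or 'unknown'."""
    if data[:1] == b"\x30":  # raw DER: an ASN.1 SEQUENCE starts with 0x30
        return "der"
    match = PEM_CERT.search(data.decode("ascii", errors="replace"))
    if not match:
        return "unknown"
    try:
        body = base64.b64decode("".join(match.group(1).split()), validate=True)
    except binascii.Error:
        return "unknown"
    return "pem" if body[:1] == b"\x30" else "unknown"


# Constructed sample standing in for signed.b64: the DER bytes 30 03 02 01 05
# wrapped as PEM. A real signed certificate is far longer.
SAMPLE_PEM = b"-----BEGIN CERTIFICATE-----\nMAMCAQU=\n-----END CERTIFICATE-----\n"

if __name__ == "__main__":
    for p in (r"VOL1:\GRPWISE\DOMAIN\WPGATE\GWIA\Signed.b64",
              r"C:\GRPWISE\DOMAIN\WPGATE\GWIA\Signed.b64",
              r"VOL1:\GROUPWISE8\DOMAIN\WPGATE\GWIA\signed.b64"):
        print(p, "->", check_gwia_path(p) or "OK")
    print("signed.b64 format:", classify_certificate(SAMPLE_PEM))
```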

Additional Information

Entrust offers a 90-day evaluation of a signed certificate at http://www.entrust.com/freecerts/
It will stop working after 90 days, so this is just for testing purposes.
Follow the steps below to use the free certificate.

a. Choose web server certificate.
b. Fill in your info and choose Apache as the web server.
c. As the server name, type the DNS hostname of the server as described in step 1a.
d. Choose "display as PEM encoding of cert in raw DER".
e. Paste in the contents of the CSR. Choose Retrieve the CA Certificate.
f. Copy the certificate they give you, paste it into Notepad and save it as signed.der.
g. Go to step 2b to finish the procedure. Instead of using the signed.b64 file, use the signed.der file.
Formerly known as TID# 10068982