How to setup GroupWise Mobile Server with SSL?

  • 3955914
  • 27-Aug-2007
  • 10-Dec-2013

Environment

Products:
Novell GroupWise 7 Support Pack 1 or later
Novell GroupWise 8
Novell GroupWise Mobile Server 2
Microsoft Windows Server 2003 Enterprise Edition
Microsoft Windows Server 2003 Standard Edition
Microsoft Windows 2000 Advanced Server
Microsoft Windows 2000 Server
Novell SUSE Linux Enterprise Server 10
Novell Open Enterprise Server (Linux based)

Situation

Purpose:
How to setup GroupWise Mobile Server with SSL?
How to setup Secure Gateway with SSL?
SSLizing GroupWise Mobile Server 2 and/or Secure Gateway
Configuring SSL for GroupWise Mobile Server 2 and/or Secure Gateway
How to SSLize communication between the devices/browsers and the GMS/Secure Gateway server

Resolution

GMS on Windows
Inbuilt Certificate
By default SSL is already enabled on a GMS 2 server. However, the Certification Authority is Intellisync and the Certificate is issued to Intellisync and not to the URL that the users will connect to. No changes need to be made if the inbuilt SSL Certificate is to be used except the following steps can be followed to force SSL
  1. Click Start | Programs | Intellisync Mobile Suite | Admin Console.
  2. Right Click on Intellisync Mobile Suite and click Properties.
  3. Click the General Tab and put a checkmark on "Force website access to use HTTPS".
  4. Click OK.

Third Party Certificate

If a third party certificate is to be used, follow the steps listed below to generate a keystore, export a Certificate Signing Request, sign the Certificate Signing Request and import the Certificate in the Keystore on the GroupWise Mobile Server
  1. Click Start | Run and type "cmd" without quotes and click OK.
  2. Type "cd C:\Program Files\Intellisync Mobile Suite\jre\bin " without quotes and press Enter.
  3. Type "keytool -genkey -validity 500 -alias newalias -keyalg RSA -keystore new.key " without quotes and Press Enter and answer the questions. Please make sure that the "first and last name" is the URL/IP Address that the devices will connect to.

    This generates a key pair (a public key and associated private key) and wraps the public key into an X.509 v1 self-signed certificate, which is stored as a single-element certificate chain. This certificate chain and the private key are stored in a new keystore entry identified by alias named newalias
  4. Type "keytool -certreq -alias newalias -file c:\cert.csr -keystore new.key " without quotes and press Enter.

    This generates a Certificate Signing Request to be sent to a Certificate Authority. c:\cert.csr needs to be sent to a Trusted Certificate Authority like Verisign, Thawte etc or use eDirectory to sign the CSR. The following steps 5-17 show how to use eDirectory to sign the CSR and generate a Certificate
  5. Login to eDirectory using the Novell Client.
  6. Launch ConsoleOne with Certificate snapins (\\ServerName\sys\Public\Mgmt\ConsoleOne\Bin\ConsoleOne.exe ).
  7. Highlight the Tree and click Tools | Issue Certificate.
  8. Give the path to cert.csr that was created in step 4.
  9. Click Next.
  10. Click Next on "Organizational certificate Authority".
  11. Click Custom and select "Set the key usage extension to critical", "Data encipherment", "Key encipherment", "Digital Signature".
  12. Click Next.
  13. Change the Validity period to Maximum.
  14. Click Next.
  15. Click Finish.
  16. Select "File in binary DER format".
  17. In the Filename type "c:\cert.der" and click Save.

    Once the Certificate is generated or signed by a Trusted Certificate Authority, follow the steps listed below to import the CA Certificate (if a Trusted CA is not being used or if a local CA is being used) and the signed Certificate in the Keystore
  18. Click Start | Run and type "cmd" without quotes and click OK.
  19. Type "cd C:\Program Files\Intellisync Mobile Suite\jre\bin " without quotes and press Enter.
  20. This step needs to be followed if a Trusted CA is not being used or if a local CA is being used. If Trusted CA like Verisign or Thawte is being used, skip to step 22. Type keytool -import -alias newalias -file c:\ca.der -trustcacerts -keystore "c:\Program Files\Intellisync Mobile Suite\jre\lib\security\cacerts"  (where ca.der is the Public Certificate of the CA) and press Enter to import the CA Certificate. This step should only be done if the certificate was not signed by a Trusted CA or if a local CA was being used like eDirectory. If a Trusted CA like Verisign or Thawte was being used, then the Trusted CA Public Key is already in the cacerts file.
  21. Enter the password "changeit " without quotes if the above step was followed.

    If GODADDY Certificate is not being used, please skip to step 29 . If GODADDY Certificate is being used follow steps 22-28
  22. Copy the above downloaded files to c:\Program Files\Intellisync Mobile Suite\jre\bin\
  23. Type "keytool -import -trustcacerts -alias root -file valicert_class2_root.cer -keystore new.key " and press Enter. Enter the password and it may give a message saying that the certificate already exists in the system wide CA and if it still needs to be added to this keystore. Type Yes and press Enter.
  24. Type "keytool -import -trustcacerts -alias cross -file gd_cross_intermediate.crt -keystore new.key " and Press Enter. It will ask for the password. Enter the password and Press Enter.
  25. Type "keytool -import -trustcacerts -alias inter -file gd_intermediate.crt -keystore new.key " and Press Enter. It will ask for the password. Enter the password and Press Enter.
  26. Type "keytool -import -keystore new.key -alias newalias -file c:\cert.der " and press Enter. It should ask for the password and then it should say "Certificate reply was installed in the keystore"
  27. Skip to step 30.
  28. Please note down the alias that was used to create the keystore as the same alias needs to be used while importing the certificate reply. In this TID, newalias has been used. If the alias is forgotten, please type "keytool -list -keystore c:\cert.key " and press Enter and type the password. Once the alias has been noted, then type "keytool -import -alias newalias -file c:\cert.der " without quotes and press Enter. Replace newalias with the alias that was used. Answer the questions and type "yes" to Trust this certificate. This should give a message stating that the "Certificate was added to keystore".
  29. Copy new.key from C:\Program Files\Intellisync Mobile Suite\jre\bin to C:\Program Files\Intellisync Mobile Suite\CommSvr\conf
  30. Launch Internet Explorer and type "http://localhost/sgadmin" without quotes and press Enter
  31. Click "Set SSL Certificate Info"
  32. In the Key file name, type "new.key" without quotes and in the Password and Repeat Password, type the Password that was entered while doing the above steps
  33. Click Save
  34. Click Start | Run and type "services.msc" without quotes and click OK
  35. Restart the Intellisync Services
  36. Test SSL by typing https://ipAddress OR URL in a browser. If needed follow steps 1a-4a to force SSL

    If a Secure Gateway is also needed, please follow the steps in the documentation to install Secure Gateway and follow the steps listed below on the Secure Gateway server to SSLize it

    1b. Copy new.key from the GMS Server to C:\Program Files\Secure Gateway\CommSvr\conf
    2b. Edit C:\Program Files\Secure Gateway\CommSvr\conf\securegateway.properties
    3b. Type the following at the end of the file as mentioned below. The entries are case sensitive

    HttpsSSLPort=443
    SSLKeyFileName=new.key
    SSLPassCode=novell

    4b. Save and close the file
    5b. Click Start | Run and type "services.msc " without quotes and press Enter
    6b. Restart the Secure Gateway service
    7b. Follow steps 31 -34
    8b. Launch Intellisync Admin Console on GMS Server | Right Click on Intellisync Mobile Suite and Click Properties | Click Secure Gateway Tab and add https://IPAddressofSecureGateway:443
    9b. Follow steps 36 and 37 on the GMS Server
The above steps are only for SSLizing the communication between the devices/browsers and GMS/Secure Gateway server. Please click on the link below to SSLize the communication between the GMS Server and the POA though it may not be necessary if POA and GMS server are in the same network
GMS on Linux
Inbuilt Certificate
By default SSL is already enabled on a GMS 2 server. However, the Certification Authority is Intellisync and the Certificate is issued to Intellisync and not to the URL that the users will connect to. No changes need to be made if the inbuilt SSL Certificate is to be used except the following steps can be followed to force SSL
  1. Launch a web browser.
  2. Login to the Web Console.
  3. Expand System Settings.
  4. Click General.
  5. Click Edit.
  6. Put a check mark on "Force Website Access to Use HTTPS".
  7. Click Save.
  8. Click Done.
  9. Type "/etc/init.d/mobilesuite stop " without quotes and press Enter.
  10. Type "/etc/init.d/securegateway stop " without quotes and press Enter.
  11. Type "/etc/init.d/asadb stop " without quotes and press Enter.
  12. Type "/etc/init.d/asadb start " without quotes and press Enter.
  13. Type "/etc/init.d/securegateway start " without quotes and press Enter.
  14. Type "/etc/init.d/mobilesuite start " without quotes and press Enter.

    Third Party Certificate

    Follow the steps listed for GMS for Windows Section to create a certificate. All of the steps remain the same except the keytool path is /opt/ims/lib/external/jre/linux/bin and the new key file should be copied to /opt/ims/conf .

    Test SSL by typing https://ipAddress OR URL in a browser. If needed follow steps 1a-4a to force SSL

Additional Information

Keytool Utility has many options and the entire documentation for keytool can be found at http://java.sun.com/j2se/1.3/docs/tooldocs/win32/keytool.html

Feedback service temporarily unavailable. For content questions or problems, please contact Support.