Moving the primary domain to a new server.

  • 7024374
  • 16-Jan-2020
  • 20-Jan-2020

Environment

GroupWise 18

Situation

You plan to move your primary domain from the current server to a new server with a different name and IP address. The original system certificates cannot be used on the new server because they contain server name/IP address information.

Resolution

Follow the steps below to renew the system certificates on all GW servers:

1. Copy the primary directory to the new server. Next, generate new system certificates on this server:

gwadminutil ca -d /<path to primary> -g -f

This creates a new system GUID directory on the server containing the system certificates (in the /opt/novell/groupwise/certificates directory).

2. Now launch gwadminservice with temporary certificates:

gwadminservice -detached -home /<path to primary> -ip <new IP> -adminPort <probably 9710 again>

This is a Java-based service that runs in the terminal window. Wait until the admin port specified in the command above becomes active. You can then start the gwadmin console and connect to the primary on the new server with a browser.
Log in and set the new IP address for the MTA, then delete and regenerate its SSL settings. Save the changes and terminate the running Java gwadminservice with Ctrl + C.

3. At this point you have new system CA certificate files plus a new key and certificate file for the MTA. Next, generate a new gwha.conf file on this server:

gwsc -i /<path to primary>

This creates a new gwha.conf with an entry for the primary. You can now run the "rcgrpwise start" script to start gwadminservice and the MTA with its new certificates. Afterwards, connect to the primary MTA via the gwadmin console.

4. For any other agents that will run on this server (and only those), adjust the IP and SSL settings for the corresponding agents and always save the changes. Then create new startup configuration files for those agents:

gwsc -i /<path to a domain> .. for each additional MTA that runs on this server
gwsc -i /<path to a domain>/wpgate/gwia .. for each GWIA
gwsc -i /<path to PO> .. for each POA that runs on this server
gwsc -i -dva .. for a DVA that runs on this server

Running "rcgrpwise start" then starts all the specified agents on this server.

5. Because you generated new certificate files for your primary domain server, all existing certificates on the other, remote GW servers need to be replaced as well.
On each remote GW server, stop gwadminservice and download the new certificates from the primary domain server:

gwadminutil certinst -ca <ip/dns of primary>:<admin port> -db /<path to a domain on this remote server> -a <admin> -p <pwd of admin>

This downloads the new certificates from the primary domain server to the remote domain server.
The same applies to a remote server running only a POA, but in that case use a UNC path to the PO in the "-db" switch.

6. You can then stop and start gwadminservice on this domain server so that it uses the newly downloaded system certificates. Once the service is up, connect to it with the gwadmin console and delete and regenerate the SSL certificates on the MTA object. Save the changes and restart the MTA with its new certificates. Do the same for any GWIA or PO.
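
A check that can follow steps 1 to 6, added here as an example and not part of the original document: it reads the certificate a server presents and reports whether it names the new server or still names the old one. The function names and all addresses are constructed placeholders; it assumes openssl is installed and that the admin port answers a TLS handshake.

```shell
#!/usr/bin/env bash
# Added example, not GroupWise tooling. Hosts and IPs are constructed
# placeholders (RFC 5737 ranges); function names are hypothetical.

# Dump the leaf certificate served on HOST:PORT as openssl text.
fetch_cert_text() {
    openssl s_client -connect "$1" </dev/null 2>/dev/null |
        openssl x509 -noout -text 2>/dev/null
}

# Read `openssl x509 -text` output on stdin; print the subject CN and every
# DNS / IP subjectAltName entry, one per line.
cert_identities() {
    local text
    text=$(cat)
    printf '%s\n' "$text" |
        sed -n 's/^ *Subject:.*CN *= *\([^,/]*\).*$/\1/p'
    printf '%s\n' "$text" |
        grep -oE '(DNS|IP Address):[^,[:space:]]+' | sed 's/^[^:]*://'
    return 0
}

# classify_cert NEW_ID OLD_ID   (certificate text on stdin)
#   ok       - names the new server and not the old one
#   stale    - still names the old server (certificate was not regenerated)
#   mismatch - names neither, or no certificate could be parsed
classify_cert() {
    local new_id="$1" old_id="$2" ids
    ids=$(cert_identities)
    if printf '%s\n' "$ids" | grep -qixF -- "$old_id"; then
        echo stale
    elif printf '%s\n' "$ids" | grep -qixF -- "$new_id"; then
        echo ok
    else
        echo mismatch
    fi
}

# check_endpoint HOST:PORT NEW_ID OLD_ID -> prints one result line.
check_endpoint() {
    printf '%-28s %s\n' "$1" "$(fetch_cert_text "$1" | classify_cert "$2" "$3")"
}

# Usage (placeholder values; 9710 is the admin port from step 2):
#   check_endpoint 192.0.2.10:9710 192.0.2.10 198.51.100.5
```

A "stale" result for an agent points to SSL settings that were not deleted and regenerated for that agent object.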

Status

Top Issue