Environment
Micro Focus GroupWise 18.3.x or later
Situation
Using wildcard certificates with Micro Focus GroupWise ensures that connections to GroupWise Agents are trusted connections. This includes connections to Agent Web Consoles, GroupWise Client connections to Post Office Agents and Agent to Agent communications. The instructions in this knowledgebase article are based on DigiCert Wildcard Certificates.
GroupWise preparations
Make sure that the following is configured on GroupWise:
- Do not use IP addresses in the agent address configuration fields. Only use resolvable DNS names for agent address configurations.
- Make sure that the self-signed SSL certificates have been generated for each agent.
- Enable SSL on the agent port configurations.
Wildcard certificate bundle preparation
If you already have your PRIVATE KEY for your certificate, you can decrypt your private key using the following command:
openssl rsa -in private.key -out private-decrypted.key
This will simplify the configuration in the GroupWise Administration Console as you will not need to provide a private key passphrase for each configuration.
If you no longer have access to your PRIVATE KEY, DigiCert allows you to re-issue your wildcard certificate with a new certificate request, using the re-issue function in your DigiCert management portal, without invalidating previously issued wildcard certificates. To generate a new CSR, use the following command:
openssl req -newkey rsa:2048 -keyout private.key -out new-wildcard.csr
Use the CSR to re-issue a wildcard certificate.
Download or obtain your organisation's certificate bundle (star-organisation.p7b) from your DigiCert portal.
Extract your certificate + chain from the certificate bundle:
openssl pkcs7 -print_certs -in star-organisation.p7b -out wildcardcert.crt
Upload the private-decrypted.key and wildcardcert.crt to the following directory on each GroupWise server where you have GroupWise Agents running:
/opt/novell/groupwise/certificates
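Before configuring the agents, the prepared files can be checked with the script below, which is an added example and not part of the original article or of GroupWise. It confirms that the key matches the certificate, that the key file is readable only by its owner, and that each agent DNS name is covered by the wildcard. The function names, the script name check.sh and any names passed to it are assumptions for illustration, and the wildcard certificate is assumed to be the first entry in wildcardcert.crt.

```sh
#!/bin/sh
# Added example: checks to run before pointing GroupWise agents at the files.
# Usage (hypothetical script name): sh check.sh KEY CERT WILDCARD AGENT_DNS_NAME...

# Succeeds if the key file carries no PEM encryption marker (no passphrase needed).
key_is_unencrypted() { ! grep -q 'ENCRYPTED' "$1"; }

# Succeeds if only the owner can read the key (GNU stat, as found on Linux).
key_perms_ok() {
    mode=$(stat -c '%a' "$1" 2>/dev/null) || return 1
    case $mode in 0|*00) return 0 ;; *) return 1 ;; esac
}

# Succeeds if the key and the first certificate in the file share a public key.
# Assumption: the wildcard (leaf) certificate is the first PEM block in the file.
key_matches_cert() {
    key_pub=$(openssl pkey -in "$1" -passin pass: -pubout 2>/dev/null) || return 1
    crt_pub=$(openssl x509 -in "$2" -noout -pubkey 2>/dev/null) || return 1
    [ -n "$key_pub" ] && [ "$key_pub" = "$crt_pub" ]
}

# Succeeds if DNS name $1 is covered by wildcard $2 (for example *.example.test).
# A wildcard stands for exactly one left-most label and never matches an IP address.
wildcard_covers() {
    wc_name=$(printf '%s' "$1" | tr '[:upper:]' '[:lower:]')
    wc_pat=$(printf '%s' "$2" | tr '[:upper:]' '[:lower:]')
    case $wc_pat in '*.'?*) wc_suffix=${wc_pat#\*} ;; *) return 1 ;; esac
    case $wc_name in *:*) return 1 ;; esac              # IPv6 literal
    case $wc_name in *[!0-9.]*) ;; *) return 1 ;; esac  # IPv4 literal or empty
    case $wc_name in *"$wc_suffix") wc_label=${wc_name%"$wc_suffix"} ;; *) return 1 ;; esac
    case $wc_label in ''|*.*) return 1 ;; esac          # zero or several labels
    return 0
}

# Runs every check and returns non-zero if any hard requirement fails.
check_deployment() {
    key=$1 cert=$2 wildcard=$3; shift 3; rc=0
    key_is_unencrypted "$key" || echo "NOTE: $key is encrypted; a passphrase is required"
    key_perms_ok "$key" || { echo "FAIL: $key is readable beyond its owner"; rc=1; }
    key_matches_cert "$key" "$cert" || { echo "FAIL: key could not be matched to certificate"; rc=1; }
    for host in "$@"; do
        wildcard_covers "$host" "$wildcard" || { echo "FAIL: $host not covered by $wildcard"; rc=1; }
    done
    return "$rc"
}

if [ "$#" -ge 3 ]; then check_deployment "$@"; fi
```

The key file's owner must be the account the agents run under, which this article does not specify.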
Configure GroupWise with wildcard certificates
For each GroupWise Agent (MTA, POA and GWIA) do the following:
On the Agent configuration tab for SSL select the SSL certificate that was uploaded to the GroupWise server. Also select the decrypted PRIVATE KEY that was uploaded to the GroupWise server.
If you did not decrypt your PRIVATE KEY you will also need to provide the passphrase for your PRIVATE KEY.
Remember to also provide the certificate details in the startup file of your GroupWise Document Viewer Agent (DVA):
--httpssl
--sslCert /opt/novell/groupwise/certificates/wildcardcert.crt
--sslKey /opt/novell/groupwise/certificates/private-decrypted.key
Restart your agents.
Important
- Do not attempt to configure the wildcard certificates for your GroupWise Administration Console. You will still require the internal GroupWise Certificate Authority when you add new GroupWise components to your GroupWise system.
- When accessing your GroupWise Agents going forward, make sure to use the DNS name of the agent in your browser.
- When your GroupWise clients connect to a GroupWise Post Office, make sure the GroupWise client uses the DNS name of the Post Office instead of an IP address.