GroupWise Web (GWWEB) Best Practices

GroupWise POA with SOAP enabled. SOAP must have SSL enabled.

If you find that SSL is not enabled on the SOAP protocol, you will need to install a certificate/key pair on each Post Office agent and enable SSL for SOAP on the agent configuration. SSL configuration is out of the scope of this document.

Refer to the Troubleshooting/Log Files section below for information on how to configure and view the log files.

How to configure the GroupWise DVA with SSL Enabled

This four-step process enables the GroupWise DVA with SSL using a self-signed certificate:

1) Tell the POA's to connect to the DVA's via SSL

On the DVA configuration in the GroupWise Administration console, check the box that says "Enable SSL".   This tells the Post Office to use SSL when connecting to the DVA.  It does not actually configure the DVA with SSL.

Note: It's very confusing, and I don't like the behavior.  The dialog makes you believe that you are enabling SSL on the DVA, when in fact you are not. You're only telling the Post Office to use SSL when connecting to the DVA. The checkbox does nothing to actually configure SSL on the DVA. You will need to follow the remaining steps to actually enable SSL on the DVA.

2) Creating the Certificate

Creating the certificates can be accomplished entirely from a SLES 15 Linux command line. The filenames I use are dva.crt, dva.key, and dva.crt.  The dva.nopass.key in the first step named "dva.nopass.key" for clarity that it does not have a password at that step.

I like to ensure that I'm in a folder that I have created just for certificates so that I do not get them confused with any other files or certificates.

Create CSR File and Private Key
This command will create the necessary Certificate Signing Request (CSR) and also generate the necessary Private Key file. Note that in this step, the private key file does not contain a password.

openssl req -newkey rsa:2048 -nodes -keyout dva.nopass.key -out dva.csr

Assign a password to the private key

This command will assign a password to the key file you just created. You will be prompted to enter the password.

openssl rsa -in dva.nopass.key -des3 -out dva.des3.key

Sign the CSR and creates the certificate file

This command will sign the certificate and write it to file. When completed, you should find a "dva.crt" file in the same folder.

openssl x509 -in dva.csr -out dva.crt -req -signkey dva.des3.key -days 3650

3) Configure the DVA Startup File

The DVA Startup file now must be configured to load the certificate and key file. In many cases, the DVA startup file is called "gwdva.dva". However, it is also possible that it is called named similar to the Post Office it is associated with. I have found that it could vary depending on how it was created.  It could be "poa_name.dva".

On Linux: The DVA Startup file should be located in the /opt/novell/groupwise/agents/share folder.

On Windows:  The DVA startup file should be located in c:/Program Files/Novell/GroupWise Server/Agents.

Use your favorite text editor to modify the gwdva.dva file. Locate the section titled "Enable SSL for Https" and add the following four (4) lines to it:

−-httpssl
−-sslCert /opt/iso/certificates/dva.crt
−-sslKey /opt/iso/certificates/dva.des3.key
−-sslKeyPassword $q~Nk:_@@cSxk{3ptCALhlHfc

• Ensure that you put your own Key File password, not the one shown above.
• The Password is in clear text. I am unaware of a way to change this.
• Ensure that the path/filenames specify the correct location of the certificate and key file.

4) Test and Confirm SSL Status on the DVA

Once the configuration changes have been made, log in to the DVA Web interface and confirm that the DVA shows that SSL is enabled and active. The default port is 8301. Assuming you have not changed the default port, you access the Web Agent at the following URL:

https://xx.xx.xx.xx:8301 (Enter the IP address of your Post Office Server here)

If the URL connects securely (and/or asks you to confirm the validity of the certificate), this alone would suggest it is working. However, you can also confirm the status of SSL in the two different places as shown below:

Installing and Configuring Docker and GroupWise Web

The documentation presents two options for installing the GroupWise Web components without making it abundantly clear that there in fact two entirely different options. Furthermore, the terminology can be confusing and you may not understand exactly what is happening.

The two options are listed below:

• Using the Docker Image (Preferred): This downloads the necessary files from the Micro Focus docker repository on the Internet.
• Using the Micro Focus Download: This uses a downloadable tar.gz file to install docker. The file is obtained as a separate file download from the customer care portal. It is not necessary to download or use this method unless you do not have Internet access on your GroupWise Web server (This would be an extremely rare scenario such as a dark network, or an installation where GroupWise Web is only available to internal systems).

Installation Using the Docker Image (Preferred)

Using the Docker Image is my preferred option, and this is the only method I discuss in this document. This process is an easy three (3) step process that I will outline in detail below. This will follow these steps:

1. Install, enable, and start the Docker service
2. Download and Run the "web-config" utility
3. Download and Run the "GroupWise Web" image

STEP 1: Install, Enable, and Start the Docker Service

In a nutshell, here are the quick and easy steps to get the docker service running:

sudo zypper install docker
sudo systemctl enable docker
sudo systemctl start docker

STEP 1 PART A: Installing Docker

Below is what you should see when you run the “zypper install docker” command. Once it has completed successfully, repeat the “rpm -qa|grep docker” command to confirm that results are returned and the minimum version required is installed.

What if Docker is Not Installed / Won't Install

It's possible that Docker will not install because the server does not have the correct container modules configured from the SUSE repository. Here is output from a failed install attempt.

linux-nd2d:~ # sudo zypper install docker
Refreshing service 'Basesystem_Module_15_SP2_x86_64'.
Refreshing service 'Desktop_Applications_Module_15_SP2_x86_64'.
Refreshing service 'SUSE_Linux_Enterprise_Server_15_SP2_x86_64'.
Refreshing service 'Server_Applications_Module_15_SP2_x86_64'.
Loading repository data...
Reading installed packages...
'docker' not found in package names. Trying capabilities.
No provider of 'docker' found.
Resolving package dependencies...

Nothing to do.
linux-nd2d:~ #

If this happens, you need to enable the "Containers Module" in Yast. To correct this issue, do the following:

• Run the "yast" or "yast2" (Graphical) utility --> Software --> Add System Extensions or Modules.
• Select the "Containers Module 15 x86_64" option --> Next.
• On the Installation Summary screen, click Accept --> Finish.
• Once you have completed this task, retry the Docker installation from the above instructions.

The images below are from the graphical YAST utility and show you what you need to choose.

STEP 1 PART B: Enabling and Starting Docker

If you recall the former WebAccess configuration, the Apache web service uses a configuration file with a comprehensive set of directives to fully control the SSL certificates. In short, Docker does not use a configuration file for SSL configuration. You must use the command line to load SSL Certificates. There are several items to consider when working with 3rd party SSL certificates and the new GroupWise Web.

To use a commercial 3rd party certificate with GroupWise Web, you are instructed to add a certificate path to the command line of the docker run statement. You'll notice that there are no certificate or key files specified, only the path.

From the documentation:

What the documentation fails to mention is that the command line above only creates default self-signed certificates at the path specified. The Docker / GroupWise Web installation process does not do anything with your previous 3rd party SSL certificate. It does not create them. It does not manage them. It does not import them from WebAccess. Docker will only use your 3rd party commercial certificates if they already exist in the "certs" folder and match the file names "server.crt" and "server.key".

Complete these tasks below to configure GroupWise Web with a 3rd party certificate:

• Ensure there is a folder called /opt/novell/gw/certs
• Copy your 3rd Party commercial certificates into /opt/novell/gw/certs folder
• Rename your 3rd party certificate file to server.crt
• Rename your 3rd party key file to server.key. Ensure the key file does not require a password.
• Start or restart the docker services to activate the new certificates.

Here are some key points to understand:

Your certificate chain will most likely be incomplete because there is no directive in the command line to load an Intermediate or Chain certificate. To overcome this obstacle, you concatenate the certificate file and the intermediate certificate file into the same server.crt certificate. The following command will accomplish this task:

cat My_CA_Bundle.ca-bundle >> /opt/novell/gw/certs/server.crt

Note: Substitute the actual intermediate or chain certificate from your commercial certificate provider in place of the bundle file listed in the syntax.

Access from Older Devices

Since GroupWise Web is only enabled with TLS v1.2 and TLS v1.3, it's plausible to believe that some older devices may not be able to connect. For example, older devices that only support TLS v1.1 will fail to connect. There does not appear to be a way to enable older TLS versions, so this should be considered if it's applicable to your environment.

Troubleshooting / Miscellaneous Issues

This section shows you how to enable logging within the Docker GroupWise Web application. It also covers a short list of various issues or error conditions you may encounter during your installation and configuration of the GroupWise Web docker application.

Add the following command to your "docker run....." command to enable logging.

-v /opt/novell/gw/logs/:/var/log/nginx/

Here is an example of the full "docker run" command that includes logging:

docker run -d --restart always -v /opt/novell/gw:/etc/nginx/gw --name gwweb -e FQDN=webmail.redjuju.com -e DNS_SERVER=172.16.4.78 -p 80:80 -p 443:443 -v /opt/novell/gw/certs:/certs -v /opt/novell/gw/logs/:/var/log/nginx/ mfgroupwise/web:latest

Notes about Logging

Here are some things you need to know about how logging works:

• The directive above will create log files at /opt/novell/gw/logs.
• The "error.log" file is where you'll look to troubleshoot most issues with GroupWise Web.
• There are several "-v" directives that reference specific paths. You're not replacing any of the existing -v directives, you're adding a new one.
• Don't just add the directive to the end of the command line.  I found that GroupWise Web won't load correctly if you do this. Instead, put it after the previous "-v" directive and before the "mfgroupwise/web:latest" directive.

Docker Container Logging

You can learn a lot about what Docker is doing with GWWEB by logging the docker process itself.

At the command line, run the following:

docker logs --timestamps --details --follow gwweb

Note that this command follows the log much like the standard "tail -f" command does.  However, it will stop logging if the GWWEB application is stopped or not running.

If I am having problems with GWWEB, I will start the docker application (via docker run ....) and then start the docker logs process as shown above. While I may or may not see any errors, I can at least see some activity and feel better that something is happening.

GWWEB 18.4 introduced some additional startup scripts that query each post office and DVA in your system. It requests and confirms that the certificates are valid, and then it caches them for use during runtime.  The more post offices/DVA's you have, the longer this process will take.  You should see that these scripts are running when you utilize this troubleshooting method.

Here is a sample of what you should see with the GWWEB Docker app:

server:/opt/novell/gw/certs # docker logs --timestamps --details --follow gwweb
2022-07-14T04:07:52.876153832Z startup.sh: Running startup scripts...
2022-07-14T04:07:52.878257719Z startup.sh: Running certs-ca-update.sh...
2022-07-14T04:07:52.890133698Z certs-ca-update.sh: /etc/nginx/gw/poas.conf exists.
2022-07-14T04:07:52.890530996Z certs-ca-update.sh: Requesting certificate of mhcfs02.redjuju.com:7191 server
2022-07-14T04:08:02.906316005Z certs-ca-update.sh: Requesting certificate of mhcfs02.redjuju.com:7191 server
2022-07-14T04:08:12.914415327Z certs-ca-update.sh: /etc/nginx/gw/dvas.conf exists.
2022-07-14T04:08:12.914873965Z certs-ca-update.sh: Requesting certificate of mhcfs02.redjuju.com:8301 server
2022-07-14T04:08:22.922555790Z certs-ca-update.sh: Copying /etc/nginx/gw/ca.crt file
2022-07-14T04:08:22.930236166Z certs-ca-update.sh: Upstream servers certificates are available. Updating the CA...
2022-07-14T04:08:22.936338032Z certs-ca-update.sh: Updating certificates in /etc/ssl/certs...
2022-07-14T04:08:24.205586096Z certs-ca-update.sh: 1 added, 0 removed; done.
2022-07-14T04:08:24.206434176Z certs-ca-update.sh: Running hooks in /etc/ca-certificates/update.d...
2022-07-14T04:08:24.208333264Z certs-ca-update.sh: done.
2022-07-14T04:08:24.213443073Z startup.sh: Running certs.sh...
2022-07-14T04:08:24.220437766Z startup.sh: Running ep.sh...
2022-07-14T04:08:24.240699496Z startup.sh: Startup scripts completed

HTTP response code: 401 for URL

During the Docker "web-Config" phase, if you receive an error such as this, it means a connection could not be established to the GroupWise Administration service.

GWADMIN_SERVICE=admin@192.168.1.1:9710 -e GWSOAP_HOST_DEFAULT=192.168.1.2 mfgroupwise/web-config
Please enter the password:

java.io.IOException: Server returned HTTP response code: 401 for URL: https://192.168.1.242:9710/gwadmin-service/list/POA
at java.base/sun.net.www.protocol.http.HttpURLConnection.getInputStream0(Unknown Source)
at java.base/sun.net.www.protocol.http.HttpURLConnection.getInputStream(Unknown Source)
at java.base/sun.net.www.protocol.https.HttpsURLConnectionImpl.getInputStream(Unknown Source)
at com.microfocus.gw.AdminService.sendRequest(AdminService.java:173)
at com.microfocus.gw.poa.POAMain.getPOAList(POAMain.java:48)
at com.microfocus.gw.poa.POAMain.process(POAMain.java:78)
at com.microfocus.gw.ConfigMain.main(ConfigMain.java:59)

Confirm the following:

• You have the correct IP address and port number for the GroupWise Administration Service.
• You used the correct username and password for the GroupWise Administration. Note the userID is passed on the command line, while you are then prompted for the password.
• Ensure your GroupWise Administration service is functional.
• Ensure the Firewall on the GroupWise Administration server allows a connection to port 9710 (Default) from the GroupWise Web server.
• Ensure the GroupWise Web server has a route to the Administration service, in the case where GroupWise Web is running on a separate network segment such as a DMZ.

WARNING: IPv4 fowarding is disabled. Networking will not work.

You may receive this error with your "docker run" command.

mhcfs01:/opt/novell/gw # docker run -d --rm -v /opt/novell/gw:/etc/nginx/gw --name gwweb -e FQDN=mailserver.mydomain.com -e DNS_SERVER=192.168.72.15 -p 80:80 -p 443:443 -v /opt/novell/gw/certs:/certs -e GWSOAP_SSL_VERIFY=off -v /opt/novell/gw/logs/:/var/log/nginx/ mfgroupwise/web:latest
WARNING: IPv4 forwarding is disabled. Networking will not work.
f3d5cce18324aaba01e30c5c4c68d2caa5ce0bfad67c43858cf0fcce122502d9

When this happens you will find that your docker container will abort shortly after loading.

The solution is a simple sysctl.conf tweak.   It involves two easy steps:

• Edit the file /etc/sysctl.conf and add the following line to it:

net.ipv4.ip_forward=1

• Activate the setting with the following command line statement:

sysctl -p /etc/sysctl.conf -w

You should receive the following confirmation that the setting is now set to 1 (instead of 0):

net.ipv4.ip_forward = 1


Try to run the "docker run ...." command and it should not produce the IPv4 warning, and you should now be able to confirm that GWWEB is running.

Cleanup / Uninstall of old GroupWise WebAccess

The GroupWise Web installation does not uninstall the old GroupWise WebAccess. In fact, you'll notice that when you install GroupWise 18.3, there are no options at all related to GroupWise WebAccess on the installation menu.

You can see here on this Linux server that I have the GroupWise agents upgraded to version 18.3, but the WebAccess version 18.2.1 remains. Also note that there is no RPM install for the new GroupWise Web, so it will not show up in the list of installed RPM's.

GroupWise WebAccess is completely absent from the GroupWise 18.3 installation menu. The new GroupWise Web is also not part of this installation procedure.

GroupWise 18.3 Installation Dialog on Linux

GroupWise 18.3 Installation Dialog on Windows

Uninstalling GroupWise WebAccess (Linux)

Uninstall the Linux agents using the rpm command.

• First, you must find the version of WebAccess that is running.

rpm -qa|grep groupwise
result:  groupwise-webaccess-webapp-18.2.1-135777.noarch

• Use the results to determine the command line for uninstall. The rpm build in the previous command shows you the name for the uninstall.

rpm --erase groupwise-webaccess-webapp-18.2.1-135777.noarch

Uninstalling GroupWise WebAccess (Windows)

In order to fully uninstall GroupWise WebAccess from Windows, you must do the following:

• Uninstall GroupWise WebAccess from the Programs and Features list.
• Uninstall “Apache Tomcat 9.0 Tomcat 9” from the Programs and Features list.
• The uninstall process should also delete the "Apache Tomcat 9.0 Tomcat9" service that is running in the Services list in the control panel. You should check and confirm that it is gone. If it does not clean it up automatically, you can issue the command "sc delete Tomcat9" at the command prompt.
• You may want to remove the folder c:/Novell/Groupwise/Tomcat and c:/Novell/WebAccess (Use caution).

View of Add/Remove Programs when GroupWise WebAccess 18.2.1 is installed on Windows.

The Apache Tomcat service that is typically running when GroupWise WebAccess 18.2.1 is installed on Windows.