SSL Certificate Guide - GroupWise & OES Product Families

GroupWise Web (GWWEB) SSL Certificates

Command Line to run GWWEB and load SSL certificates:

docker run -d --rm -v /opt/novell/gw:/etc/nginx/gw --name gwweb -e FQDN=webacc.acme.com -e DNS_SERVER=192.168.1.5 -p 80:80 -p 443:443 -v /opt/novell/gw/certs:/certs mfgroupwise/web:latest

For a more detailed discussion about GWWEB, refer to my GWWEB guide here.

Required Files

You must have 2 files in the /opt/novell/gw/certs folder:

  • /opt/novell/gw/certs/server.crt
    • Obtained from the certificate vendor, it could be named a number of things.
    • Copy the certificate file to /opt/novell/gw/certs and rename to server.crt.
  • /opt/novell/gw/certs/server.key
    • This file was created when you created the Certificate Signing Request, or CSR.
    • Copy the key file to /opt/novell/gw/certs and rename to server.key.

Intermediate CA Cert (Incomplete Certificate Chain)

Your certificate chain will most likely be incomplete because there is no directive in the command line to load an Intermediate or Chain certificate. To overcome this obstacle, you concatenate the certificate file and the intermediate certificate file into the same server.crt certificate. The following command will accomplish this task:

cat My_CA_Bundle.ca-bundle >> /opt/novell/gw/certs/server.crt

Note: Substitute the actual intermediate or chain certificate from your commercial certificate provider in place of the bundle file listed in the syntax.

GroupWise Mobility Service (GMS) SSL Certificates

SSL Certificates Name and Location

GMS uses a single PEM formatted file called gms_mobility.pem, and it is located at /var/lib/datasync.   For a more in-depth discussion please refer to my GMS Best Practices page.   You will need to combine the certificate and private key files into a single file named and located at /var/lib/datasync/gms_mobility.pem. This is what you'll need:

  • The private key file (That you generated when you created the CSR to submit to your SSL vendor)
    • Also of importance is to note that GMS requires that the Private Key file does NOT have a password on it. This is the exact opposite of what is required by the GroupWise Agents.
  • The server certificate (Generally .crt file) from your SSL vendor
  • The SSL Vendor's intermediate SSL Certificate.

Combining All Certificate and Key Files into a single PEM file

GMS requires that all of your certificate files are combined into a single PEM file. You basically concatenate all files together using the sequence below. Please note that you will need to use the name of your specific files, not the samples I have used.

# cat passwordless.key > gms_mobility.pem   (Ensure that you are using the Key File that does NOT have a password on it)
# cat server.crt >> gms_mobility.pem   (This is the certificate provided by the SSL vendor)
# cat intermediate.crt >> gms_mobility.pem   (This is the Intermediate certificate provided by the SSL vendor)
# cp gms_mobility.pem /var/lib/datasync/
# gms restart

Important Notes

Here are some things to keep in mind when updating SSL Certificates for GMS:

  • There is no configuration, the name and location of the certificate file is /var/lib/datasync/gms_mobility.pem
  • You do not have to do anything in the web admin screen.
  • Yes GMS has a tool called "mcheck" that will help you install your certificates. Use that if you want. I don't ever use it.
  • Simply restarting the GMS services will load the new certificate file.
  • If the Web Admin page for GMS does not load after you have installed a new certificate, it most likely means your certificate file is not correct.
  • This single certificate file provide a secure connection for the administration console as well as the end user connection from mobile devices.

Opentext FILR SSL Certificates

Prerequisites for the PKCS12 Certificate

If you downloaded the certificate file from your SSL Provider and chose "Apache" as the format (recommended), you generally have 2 files:

  1. The actual certificate file. It's usually named the same as the website it is protecting.
  2. The intermediate Certificate file. Sometimes you have multiple intermediate certs depending on the vendor.

In addition, you should have the following in your possession:

  • The private Key file.  This was created when you generated the CSR (Certificate Signing Request).  The SSL Vendor does not have nor should never have this file.  You should have it in your possession, and you will need it to create the PKCS12 certificate file.
  • In the example below it is assumed that the Private Key file is not encoded with a password.  If your Private Key file is encoded (you would have had to do this manually), you'll just need to enter that same password during the process to be successful.

Generating the PKCS12 Certificate Pair File

I use the Linux command line and the openssl tool to combine the certificate and key file into a PKCS12 file.  You can do that using the following syntax:

openssl pkcs12 -export -out filr.p12 -in servercert.crt -inkey privatekey.key

The sequence is as follows:

fs:/opt/certs # openssl pkcs12 -export -out filr.p12 -in servercert.crt -inkey privatekey.key
Enter Export Password:  (Note the password for later use in the FILR appliance)

You will then have a new file called "filr.p12" in the same folder. This is the certificate file you will import into your FILR appliance.

fs:/opt/certs # ls -l filr.p12
-rw------- 1 root root 3357 Sep 5 18:35 filr.p12
fs:/opt/certs #

Note that this will not put the Intermediate Certificate into the Keypair file, but it is not needed for FILR.  You import the Intermediate Certificate separately.

How to Install the new FILR SSL Certificate Keypair

  1. Launch the Appliance Managment interface and login to it with the vaadmin account. This is a web page located at port 9443 of your FILR server.  For example:  https://filr.yourcompany.net:9443
  2. Click on the "Digital Certificates" menu icon.
  3. In the Keystore Dropdown box at the top, change the option to "Web Application Certificates"
  4. Click File --> Import --> Key Pair
  5. Browse to and select your PKCS12 Formatted Certificate File. Then hit "Open".  This takes you back to the "Import Key Pair" dialog. You should have 3 visible options:
    • The PKCIS12 Certificate File you are importing
    • The alias (this is for visual and cosmetic purposes)
    • The password. Use the same password you assigned when creating the PKCS12 file.
  6. When all 3 of the fields are completely, click on the OK button.
  7. This will upload the certificate into the FILR keystore.  You will receive a prompt to set the certificate as active and restart the server.

Activate the new SSL Certificate

  1. Click on the new FILR PKCS12 Certificate you uploaded. The option "Set as Active" will become available.
  2. Click "Set as Active".
  3. When prompted, choose "yes" to confirm.
  4. Close the certificate dialog options page.
  5. On the main FILR appliance control page, click the "Reboot" button.
  6. Once the server has restarted, confirm that the FILR application shows the new certificate is functioning.

How to Install the Trusted Intermediate Certificate File

  1. From the same "Web Application Certificates" dialog, click File --> Import --> Trusted Certificate.
  2. Browse to and select the Trusted Certificate File provided by your SSL Certificate Vendor. This takes you back to the "Import Trusted Certificate" dialog. You should have 2 visible options:
    1. The Certificate File you are importing
    2. The alias (this is for visual and cosmetic purposes)
  3. When both of the fields are complete, click on the OK button.
  4. This will upload the Vendor's Intermediate certificate into the FILR keystore.  You will receive a prompt to restart the server.

Reload (GroupWise Disaster Recovery)

Prerequisites

You should have the following two files:

  1. The actual certificate file. It's usually named the same as the website it is protecting.
  2. The private Key file.  This was created when you generated the CSR (Certificate Signing Request).

Note: You should be using a private key file that has not been encoded with a password.

Installing the Reload certificate

Login to the Reload management interface.  It is typically at http://xx.xx.xx.xx:5555 or https://xx.xx.xx.xx:5555

** Note that by default SSL and certificate is not configured.   However after installing a certificate, SSL should be enabled and the interface accessed via https instead of http.

The process is simple for adding or changing the certificate used by the Reload Web Admin interface:

  1. Choose the Certificate File with the button provided (This is the file from your SSL Vendor)
  2. Choose the Key File with the button provided (This is the private keyfile that you should have from when you created the CSR)
  3. Click the "Save Certificate & Key" button.
  4. Restart the Reload daemon at the Linux command line via:
    • reloadd restart

When you restart the Reload agent, you should see it load the new certificate file as shown below:

reload01:/opt/beginfinite/reload # reloadd restart

Stopping GroupWise Disaster Recovery Daemon

GroupWise Disaster Recovery Daemon Stopped
Loading configuration file...
Certificate: license/reload.crt
Key file: license/reload.key
Certificate file: license/reload.crt
-D -v -p 5555 -prk license/reload.key -pk license/reload.crt -ssl 1 -a -U admin

GroupWise Disaster Recovery Daemon Restarting with -D -v -p 5555 -prk license/reload.key -pk license/reload.crt -ssl 1 -a -U admin

Waiting 5 seconds to determine Daemon load status

The GroupWise Disaster Recovery Daemon is now running

Important Note / Testing

The Reload Management interface is a little bit quirky when changing the certificates. You may find that the files don't "stick".   Keep working at it and you'll get it. Do it one file at a time if you need to.  And although the Reload Management Interface may try to restart the services for you, you might find that you still need to do it from the command line to make it work correctly.

To test and confirm the certificate is installed, you should be able to do the following:

  • Go to the configuration page and see that it has the new certificates listed in the configuration dialog
  • See the SSL Lock next to the URL for the Reload Management page.

Check out the Clinton Fall Festival: https://clintonfallfestival.org