9 GroupWise Mobility System Security. Novell GroupWise 18, Messenger 18 (GroupWise Messenger 18), GroupWise Mobility 18
9 GroupWise Mobility System Security
Large amounts of personal and confidential information pass between GroupWise and mobile devices. Securing the synchronization process is a vital aspect of securing your GroupWise system.
“Security Administration” on page 79
“Security Policies” on page 84
“Certificate Verification” on page 87
“Secure Message Gateway (GWAVA 7) Integration” on page 91
Security Administration
It is vital to secure each stage in the communication path between GroupWise and mobile devices.
“Securing Communication with the LDAP Server” on page 79
“Securing Communication between the GroupWise Sync Agent and the GroupWise POA” on page 79
“Securing Communication between the Device Sync Agent and Mobile Devices” on page 80
Securing Communication with the LDAP Server
If you are using LDAP as your user source, you must secure the communication between your Mobility system and the LDAP server.
If your GroupWise system is configured to use LDAP authentication when users access their GroupWise mailboxes, your LDAP server is already set up for a secure SSL LDAP connection with your Mobility system. For more information, see Trusted Root Certificates and LDAP Authentication in the GroupWise 18 Administration Guide.
You can enable and disable SSL for the LDAP connection in the LDAP section of the User Source
Service LDAP Connection” on page 14.
Securing Communication between the GroupWise Sync Agent and the GroupWise POA
The GroupWise Sync Agent communicates with the GroupWise POA as a SOAP client. In order to secure communication between the GroupWise Sync Agent and the GroupWise POA, the POA must be configured for secure SSL SOAP. SOAP is enabled by default in GroupWise 18.
You can enable and disable SSL for the POA SOAP connections on the GroupWise Sync Agent Configuration page in the Mobility Admin console. For instructions, see “Enabling and Disabling SSL for POA SOAP Connections” on page 36.
GroupWise Mobility System Security 79
Securing Communication between the Device Sync Agent and Mobile Devices
In order to provide a secure SSL connection between the Device Sync Agent and mobile devices, you must provide a server certificate on the Mobility server.
“Using a Self-Signed Certificate on the Mobility Server” on page 80
“Using a Commercially Signed Certificate on the Mobility Server” on page 80
“Manually Converting a Certificate to DER Format for Use on Mobile Devices” on page 83
“Manually Downloading a Certificate to a Mobile Device” on page 83
“Enabling and Disabling SSL for Device Connections” on page 84
“Enabling a Password Security Policy for Device Connections” on page 84
For issues with specific types of certificates, see GroupWise Mobility Device Sync Agent SSL Issues (http://wiki.novell.com/index.php/Data_Synchronizer_Mobility_Connector_SSL_Issues).
For SSL issues with specific types of devices, see GroupWise Mobility Devices (http://wiki.novell.com/index.php/Data_Synchronizer_Mobility_Connector_Devices).
Using a Self-Signed Certificate on the Mobility Server
IMPORTANT: You should obtain a commercially signed certificate for use with your Mobility system as quickly as possible.
When you have the Mobility Service Installation program create a self-signed certificate for you, two certificate files are created in the /var/lib/datasync/device directory:
mobility.pem
mobility.cer
When a mobile device connects to the Device Sync Agent, the Device Sync Agent passes the self-signed certificate file (mobility.pem) to the mobile device. In most cases, the mobile device accepts the self-signed certificate and connects successfully.
Some mobile devices do not automatically accept self-signed certificates in PEM format. If you choose to use a self-signed certificate and if users encounter connection problems with particular
to the users who are encountering connection problems. This procedure enables users to use the mobility.cer file instead of the mobility.pem file on their mobile devices.
The self-signed certificate generated by the Installation program is issued to “DataSync Web Admin” rather than to a specific hostname. Some mobile devices require that a self-signed certificate be associated with a specific hostname.
Using a Commercially Signed Certificate on the Mobility Server
IMPORTANT: You should obtain a commercially signed certificate for use with your Mobility system as quickly as possible.
“Selecting a Certificate Authority (CA)” on page 81
“Obtaining the Certificate” on page 81
“Removing a Password from a Key File” on page 82
“Combining Files Received from a Certificate Authority” on page 82
“Installing a Commercially Signed Certificate on the Mobility Server” on page 82
For more detailed instructions, see TID 7006904, “How to Configure Certificates from a Trusted CA for the Device Sync Agent” in the Novell Support Knowledgebase (http://www.novell.com/support).
Selecting a Certificate Authority (CA)
Choose a certificate authority (CA) from the many available on the Internet. If you do not want to immediately purchase a certificate, free temporary certificates are available from several websites, including:
FreeSSL (http://www.freessl.com)
Instant SSL (http://www.instantssl.com/ssl-certificate-products/free-ssl-certificate.html)
Obtaining the Certificate
When you have selected a certificate authority, request a certificate in PEM format. If necessary, you can use a chained certificate or a wildcard certificate with your Mobility system. However, these more complex types of certificates are not recommended.
In order to obtain a certificate, you need to send the certificate authority a certificate signing request (CSR). For example, you can use OpenSSL to generate the CSR.
1 In a terminal window on the Mobility server, become root by entering su - and the root password.
2 Change to a convenient directory where you want to create the CSR.
3 Create the key file:
3a Enter the following command: openssl genrsa -des3 -out key_file_name.key 2048
Replace key_file_name.key with a convenient name for the private key file, such as gw.key.
3b Enter and verify a pass phrase for the key file.
4 Create the CSR:
4a Enter the following command: openssl req -new -key key_file_name.key -out csr_file_name.csr
Replace key_file_name.key with the key file that you created in Step 3.
4b Enter the pass phrase for the key file.
4c Enter the two-letter code for your country, such as US for the United States, DE for Germany, and so on.
4d Enter your state or province.
4e Enter your city.
4f Enter the name of your company or organization.
4g Enter your department or other organizational unit.
4h Enter your name.
4i Enter your email address.
4j (Optional) Enter a password for the CSR, or simply press Enter.
4k (Optional) Enter a secondary name for your company or organization, or simply press Enter.
NOTE: Depending on the method that you use to generate the CSR, you might be prompted for the type of web server where you plan to install the certificate. The Mobility Service uses the CherryPy web server.
The certificate authority returns one or more files to you. Save the files to a convenient location.
These files might require modification for use in your Mobility system.
If the certificate authority included a password, remove the password. For instructions, see “Removing a Password from a Key File” on page 82.
If the certificate authority provided multiple files, combine them into a single file. For instructions, see “Combining Files Received from a Certificate Authority” on page 82.
Removing a Password from a Key File
If the key file provided by the certificate authority includes a password, you need to remove the password in order to use the key file in your Mobility system.
1 Check to see if the key file includes a password.
A password-protected key file includes the following line:
Proc-Type: 4,ENCRYPTED
2 Use the following command to remove the password: openssl rsa -in original_file_name.key -out passwordless_file_name.key
Combining Files Received from a Certificate Authority
If you receive more than one file from the certificate authority, such as a certificate file and a key file, you must combine the contents into a single file with the following format:
-----BEGIN RSA PRIVATE KEY-----
several_lines_of_private_key_text
-----END RSA PRIVATE KEY-----
-----BEGIN CERTIFICATE-----
several_lines_of_server_certificate_text
-----END CERTIFICATE-----
If the certificate authority provided an intermediate certificate, place it at the end of the file after the private key and the actual certificate.
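The key and CSR steps, the passphrase removal and the file combining above, as one script. This is an added example, not from the guide: the function names are mine, openssl is assumed to be on PATH, a passphrase-protected key is expected to get its passphrase from a KEY_PASSPHRASE environment variable, and the subject fields are constructed sample values. The script also refuses to write a bundle whose certificate does not belong to the key.

```shell
#!/bin/sh
# Added example, not part of the GroupWise Mobility guide: the key/CSR steps,
# the passphrase removal and the file combining, done as functions that also
# check the result. Assumes openssl is on PATH and that a passphrase-protected
# key gets its passphrase from the KEY_PASSPHRASE environment variable.

# make_key_and_csr HOSTNAME KEY_OUT CSR_OUT
# Non-interactive form of steps 3 and 4. The guide's -des3 passphrase is left
# off because mobility.pem must hold the key unencrypted anyway; the file is
# protected by mode 0600 instead. Subject fields are constructed sample values.
make_key_and_csr() {
    host=$1
    ( umask 077; openssl genrsa -out "$2" 2048 2>/dev/null ) || return 1
    openssl req -new -key "$2" -out "$3" \
        -subj "/C=US/ST=Utah/L=Provo/O=Example Org/OU=IT/CN=$host" 2>/dev/null || return 1
    # Devices compare the certificate name with the name they connect to, so
    # confirm the CSR carries the Mobility server's DNS name before sending it.
    openssl req -in "$3" -noout -subject | grep -q "CN *= *$host"
}

# Returns 0 when KEY is passphrase-protected. The guide looks for the
# "Proc-Type: 4,ENCRYPTED" header of the traditional format; OpenSSL 3 writes
# encrypted keys in PKCS#8 form instead, so that marker is checked as well.
key_is_encrypted() {
    grep -q -e 'Proc-Type: 4,ENCRYPTED' -e 'BEGIN ENCRYPTED PRIVATE KEY' "$1"
}

# Returns 0 when the public key inside CERT matches the unencrypted private KEY.
key_matches_cert() {
    key_pub=$(openssl pkey -in "$1" -pubout 2>/dev/null) || return 1
    cert_pub=$(openssl x509 -in "$2" -noout -pubkey 2>/dev/null) || return 1
    [ -n "$key_pub" ] && [ "$key_pub" = "$cert_pub" ]
}

# Copies one PEM file and adds the newline the guide calls a "hard return" when
# the file lacks one, so two blocks never fuse into a single unreadable line.
emit_pem() {
    cat "$1"
    [ -z "$(tail -c1 "$1")" ] || echo
}

# build_mobility_pem KEY CERT INTERMEDIATE OUT    (INTERMEDIATE may be "")
# Writes OUT in the order the guide requires: private key, server certificate,
# then the intermediate CA certificate. A bundle whose certificate was not
# issued for the key is refused, since such a pair cannot serve TLS at all.
build_mobility_pem() {
    key=$1; cert=$2; inter=$3; out=$4
    tmp=$(mktemp) || return 1
    if key_is_encrypted "$key"; then
        passin=""
        if [ -n "$KEY_PASSPHRASE" ]; then
            export KEY_PASSPHRASE; passin="-passin env:KEY_PASSPHRASE"
        fi
        # $passin is unquoted on purpose: it has to split into two arguments.
        openssl rsa -in "$key" -out "$tmp" $passin 2>/dev/null || { rm -f "$tmp"; return 1; }
    else
        cat "$key" > "$tmp"
    fi
    if ! key_matches_cert "$tmp" "$cert"; then
        echo "error: $cert was not issued for the key in $key" >&2
        rm -f "$tmp"; return 1
    fi
    # The bundle contains the private key: create it readable by its owner only.
    ( umask 077
      { emit_pem "$tmp"; emit_pem "$cert"
        if [ -n "$inter" ]; then emit_pem "$inter"; fi; } > "$out" ) || { rm -f "$tmp"; return 1; }
    rm -f "$tmp"
}
```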
Installing a Commercially Signed Certificate on the Mobility Server
1 (Conditional) If you have been using a self-signed certificate, rename the existing /var/lib/datasync/device/mobility.pem file.
2 Copy the certificate file received from the certificate authority to /var/lib/datasync/device.
3 Rename it to mobility.pem.
4 Restart the Mobility Service.
5 (Conditional) If a particular mobile device does not automatically accept the commercially signed certificate in PEM format, follow the instructions in “Manually Converting a Certificate to DER Format for Use on Mobile Devices” on page 83.
IMPORTANT: If you uninstall the Mobility Service, the certificate files associated with your Mobility system are also deleted. Back up commercially signed certificates in a location outside of /var/lib/datasync.
Manually Converting a Certificate to DER Format for Use on Mobile Devices
Some mobile devices do not automatically accept certificates in PEM format. If users encounter connection problems with particular mobile devices, you can convert the PEM file that you received from the certificate authority into DER format to resolve these connection problems.
1 Change to the /var/lib/datasync/device directory.
2 Execute the following command: openssl x509 -in mobility.pem -inform PEM -out mobility.cer -outform DER
IMPORTANT: The output file name with the .cer extension must be in DER (Distinguished Encoding Rules) format.
3 Have users with connection problems follow the instructions in “Manually Downloading a Certificate to a Mobile Device” on page 83 to use the mobility.cer file instead of the mobility.pem file.
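The conversion above with a check of the result before the .cer file is offered to devices. This is an added example, not from the guide: the function names are mine, openssl is assumed to be on PATH, and the file names are the guide's mobility.pem and mobility.cer.

```shell
#!/bin/sh
# Added example, not from the guide: the PEM-to-DER conversion with a check of
# the result before it is handed out to devices. Assumes openssl is on PATH;
# file names follow the guide's mobility.pem and mobility.cer.

# export_device_cer PEM_BUNDLE DER_OUT
# mobility.pem begins with the private key. "openssl x509" skips ahead to the
# first CERTIFICATE block, so only the server certificate is written to DER_OUT;
# der_cert_is_clean confirms that before the file is offered for download.
export_device_cer() {
    openssl x509 -in "$1" -inform PEM -out "$2" -outform DER 2>/dev/null || return 1
    der_cert_is_clean "$2"
}

# der_cert_is_clean FILE
# Returns 0 when FILE is exactly one DER certificate and nothing else. The .cer
# file is copied onto every device that has trouble with PEM, so it must never
# carry the private key (as it would if someone simply converted or copied the
# whole bundle). The check re-encodes the first certificate found and compares
# its length with the file length, which catches anything appended after it.
der_cert_is_clean() {
    cert_len=$(openssl x509 -inform DER -in "$1" -outform DER 2>/dev/null | wc -c | tr -d ' ')
    file_len=$(wc -c < "$1" | tr -d ' ')
    [ "$cert_len" -gt 0 ] && [ "$cert_len" -eq "$file_len" ]
}

# device_cer_fingerprint FILE
# SHA-256 fingerprint of the DER certificate. Publish it with the download so
# users can compare it with what the device shows when importing a self-signed
# certificate, instead of accepting whatever certificate is presented.
device_cer_fingerprint() {
    openssl x509 -inform DER -in "$1" -noout -fingerprint -sha256
}
```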
Manually Downloading a Certificate to a Mobile Device
For background information, see “Using a Self-Signed Certificate on the Mobility Server” on page 80 and “Manually Converting a Certificate to DER Format for Use on Mobile Devices” on page 83.
1 Access the Mobility Settings page of the Mobility Admin console on your mobile device at the following URL: https://mobility_server:8120
Replace mobility_server with the IP address or DNS hostname of the server where you installed the Mobility Service.
2 Log in using your network user name and password to display the Mobility Settings page on your mobile device.
3 Tap Device Settings .
4 In the Mobility Certificate File field, tap Download Certificate File .
NOTE: If you are the Mobility administrator and have associated your mobile device with the Mobility administrator account, you must navigate from the main Mobility Admin console page to the Mobility Certificate File field.
5 Save the mobility.cer file to a convenient location on your mobile device.
6 Import the certificate file into the certificate store on your mobile device.
For device-specific instructions, see the GroupWise Mobility Service Devices Wiki (http://wiki.novell.com/index.php/GroupWise_Mobility_Devices).
7 (Conditional) If you are not able to access the Mobility Settings page from your particular mobile device:
7a Access the Mobility Settings page in a web browser on your Windows or Linux desktop, then click Device Settings.
7b Click Download Certificate File.
7c Save the mobility.cer file on your Windows or Linux workstation.
7d Set up an IMAP email account on your mobile device, then email the mobility.cer file from your workstation to your mobile device.
or
Physically connect your mobile device to your workstation so that it appears as a drive on your workstation, then copy the mobility.cer file from your workstation to your device.
8 Import the certificate file into the certificate store on your mobile device.
Enabling and Disabling SSL for Device Connections
For instructions, see “Enabling and Disabling SSL for Device Connections” on page 43 .
Enabling a Password Security Policy for Device Connections
For instructions, see “Enabling a Device Password Security Policy” on page 40 .
Security Policies
Appropriate security policies help you keep users’ personal GroupWise data and Mobility system information secure.
“Certificate Considerations” on page 84
“Securing Your Mobility Data” on page 84
“Securing Your Mobility System” on page 85
Certificate Considerations
When creating certificates for your GroupWise system, we recommend the following:
Consolidate to one CA for your GroupWise system.
Use a public CA for your GroupWise system.
Use a wildcard certificate for all of your POAs.
Securing Your Mobility Data
Your Mobility server must be kept secure.
“Limiting Physical Access to Mobility Servers” on page 85
“Securing File System Access” on page 85
Limiting Physical Access to Mobility Servers
Servers where Mobility data resides should be kept physically secure, in locations where unauthorized persons cannot gain access to the server consoles.
Securing File System Access
Encrypted file systems should be used on all Mobility servers. Only Mobility administrators should have direct access to Mobility data.
Securing Your Mobility System
Locations where GroupWise users’ personal data and Mobility system information might be obtained must be kept secure.
“Setting Up SSL Connections” on page 85
“Setting Up a Device Password Security Policy” on page 85
“Securing the Mobility Admin Console” on page 85
“Protecting Mobility Configuration Files” on page 86
“Protecting Mobility Log Files” on page 86
Setting Up SSL Connections
Secure SSL connections should be used between your Mobility system and the following external components:
LDAP server (if you are using LDAP as your user source)
GroupWise Post Office Agent (POA)
Browser connection for the Mobility Admin console
Mobile devices
For instructions, see “Security Administration” on page 79 .
Setting Up a Device Password Security Policy
To increase your control over mobile device access to your Mobility system, you should establish a device password security policy to ensure that users set up secure passwords on their mobile devices. For instructions, see “Enabling a Device Password Security Policy” on page 40.
Securing the Mobility Admin Console
During installation of the Mobility Service, you selected the source (LDAP or GroupWise) from which users and groups of users can be added to your Mobility system. For background information, see “Selecting the User Source for Your Mobility System” in the GroupWise Mobility Service 18 Installation Guide.
One Mobility administrator is established when you install the GroupWise Mobility Service. If you are using LDAP as the user source, you selected one LDAP user as the Mobility system administrator
Administrator Users” on page 13. If you are using GroupWise as the user source, the root user on the Mobility server is the Mobility administrator user.
IMPORTANT: The number of people who know how to log in to the Mobility Admin console should be kept to a minimum.
The Mobility Admin console can be integrated with a single sign-on solution. For more information, see “Using the Mobility Admin Console with a Single Sign-On Solution” on page 11.
Protecting Mobility Configuration Files
The configuration files for all internal Mobility components should be protected from tampering.
Configuration files are found in the following default locations:
Internal Mobility Component   Configuration File
Sync Engine                   /etc/datasync/syncengine/engine.xml
Web Admin                     /etc/datasync/webadmin/server.xml
Config Engine                 /etc/datasync/configengine/configengine.xml
Connector Manager             /etc/datasync/syncengine/connectors.xml
Protecting Mobility Log Files
The log files for all internal Mobility components should be protected against unauthorized access.
Some log files contain very detailed information about your Mobility system and users. Mobility log files are found in the following locations:
Internal Mobility Service Component   Log File Subdirectory under /var/log/datasync   Log File Name
Sync Engine                           syncengine                                      engine.log
Config Engine                         configengine                                    configengine.log
Web Admin                             webadmin                                        server.log
Connector Manager                     syncengine                                      connectorManager.log
Sync Agents                           connectors                                      groupwise-agent.log
                                                                                      groupwise.log
                                                                                      mobility-agent.log
                                                                                      mobility.log
If you set the Mobility Service log level to Debug, Subject lines are included in log files for troubleshooting purposes. This information identifies items that are experiencing synchronization problems.
If you use the Debug log level, ensure that log files are kept secure to protect users’ personal information. The Info log level is strongly recommended for a smoothly functioning Mobility system.
No text about recipients or from message bodies is included in log files.
Certificate Verification
GroupWise Mobility Service 18 allows verification of the POA TLS/SSL certificate. After the installation or upgrade, certificate verification is disabled by default.
Enabling Certificate Verification
Troubleshooting Certificate Verification
Prerequisites
In the GroupWise Admin Console, the POA TCP/IP address needs to have the DNS name specified.
In the Mobility Admin Console, the POA SOAP address needs to have the DNS name specified instead of the IP address.
Gathering CA Certificates
Follow the section that matches how you generated your POA certificates for each CA that you need to gather:
GroupWise 18 Certificate Authority
Trusted Commercial Certificate Authority
GroupWise 18 Certificate Authority
If your CA is GroupWise (18 or later), you can use one of the two methods below to get the certificate.
Method 1
1 Open a browser to https://primarydomainip:adminport/gwadmin-service/system/ca.
For example: https://10.10.10.10:9710/gwadmin-service/system/ca
2 Enter your GroupWise admin credentials.
3 Save the certificate to the GMS server in /var/lib/datasync/mobility.
4 Continue with Verifying the CA Certificates if you have gathered all of your CA certificates.
Method 2
1 Open a terminal on your GMS Linux server.
2 Enter the following command: curl -k --user username -o filename https://primarydomainip:adminport/gwadmin-service/system/ca
Replace username with your admin username and filename with the name of the saved file.
3 Copy the certificate and then save it to the GMS server in /var/lib/datasync/mobility.
4 Continue with Verifying the CA Certificates if you have gathered all of your CA certificates.
NetIQ Certificate Server
If your CA is a NetIQ Certificate Server, follow the steps below:
1 Log in to iManager.
2 Select NetIQ Certificate Server.
It may be called Novell Certificate Server depending on your version of iManager.
3 Select Configure Certificate Authority.
4 Select the Certificates tab.
5 Select the Self Signed Certificate check box.
6 Select Export.
7 Unselect Export private key.
8 Select the export format Base64.
9 Select Next.
10 Select Save the exported certificate file. Save it to the GMS server in /var/lib/datasync/mobility.
11 Continue with Verifying the CA Certificates if you have gathered all of your CA certificates.
Trusted Commercial Certificate Authority
If your CA is a commercial CA, follow the steps below:
1 Verify if your certificate is in the Mozilla trusted root CA store by checking the /var/lib/datasync/mobility/cacert.pem file on the GMS server where the CA store is stored. If your CA is in the list, continue with Verifying the CA Certificates if you have gathered all of your CA certificates.
or
2 If your CA is not in the list, you need to find your CA public root certificate and place it on the GMS server in /var/lib/datasync/mobility. Continue with Verifying the CA Certificates if you have gathered all of your CA certificates.
Verifying the CA Certificates
Once you have your CA certificate, make sure it meets the following requirements:
Base64-encoded format
In the Basic Constraints, ensure that Subject Type=CA is specified.
Ensure that the current date is between the Valid from and Valid to dates.
The Issuer and the Subject match.
If your CA meets these requirements, continue with Adding the CA Certificates.
Adding the CA Certificates
For the certificate verification to work, the CA certificates found previously need to be added to the mob_ca.pem file. Follow the section that matches each CA certificate you gathered previously:
“GroupWise 18 Certificate Authority” on page 89
“NetIQ Certificate Server” on page 89
“Commercial Certificate Authority” on page 89
GroupWise 18 Certificate Authority
1 In a terminal on your GMS server, go to /var/lib/datasync/mobility/.
2 Add your CA certificate to the mob_ca.pem file using the following command: cat yourCACertificate.pem >> mob_ca.pem
NOTE: You may need to add a hard return in the mob_ca.pem after the certificate before you add any other certificates to the file.
3 Continue with Enabling Certificate Verification if you have added all of your CA certificates.
NetIQ Certificate Server
1 In a terminal on your GMS server, go to /var/lib/datasync/mobility/.
2 Add your CA certificate to the mob_ca.pem file using the following command: cat yourCACertificate.pem >> mob_ca.pem
NOTE: You may need to add a hard return in the mob_ca.pem after the certificate before you add any other certificates to the file.
3 Continue with Enabling Certificate Verification if you have added all of your CA certificates.
Commercial Certificate Authority
1 In a terminal on your GMS server, go to /var/lib/datasync/mobility/.
2 If your CA is not in the Mozilla CA certificate list, add your CA public certificate to the mob_ca.pem file using the following command: cat yourCACertificate.pem >> mob_ca.pem
or
If your CA is in the list, copy the cacert.pem file to mob_ca.pem using the following command: cat cacert.pem >> mob_ca.pem
NOTE: You may need to add a hard return in the mob_ca.pem after the certificate before you add any other certificates to the file.
3 Continue with Enabling Certificate Verification if you have added all of your CA certificates.
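The four requirements from Verifying the CA Certificates and the append step from Adding the CA Certificates, as checks that run before anything is written to mob_ca.pem. This is an added example, not from the guide: the function names are mine, openssl is assumed to be on PATH, and the bundle path defaults to the guide's /var/lib/datasync/mobility/mob_ca.pem.

```shell
#!/bin/sh
# Added example, not from the guide: apply the four requirements from
# "Verifying the CA Certificates" to a candidate CA file, and append only
# certificates that pass to mob_ca.pem. Assumes openssl is on PATH; the bundle
# path defaults to the guide's /var/lib/datasync/mobility/mob_ca.pem.

# check_ca_cert FILE
# Returns 0 only when FILE is PEM (Base64), marked CA:TRUE in Basic Constraints,
# self-issued (Issuer equals Subject) and currently within its validity period.
# The first failing requirement is reported on stderr.
check_ca_cert() {
    f=$1
    if ! grep -q -- '-----BEGIN CERTIFICATE-----' "$f" 2>/dev/null; then
        echo "$f: not Base64 (PEM) encoded; convert it with openssl x509 -inform DER" >&2; return 1
    fi
    text=$(openssl x509 -in "$f" -noout -text 2>/dev/null) || { echo "$f: not a parseable certificate" >&2; return 1; }
    if ! printf '%s\n' "$text" | grep -q 'CA:TRUE'; then
        echo "$f: Basic Constraints do not mark it as a CA" >&2; return 1
    fi
    subject=$(openssl x509 -in "$f" -noout -subject)
    issuer=$(openssl x509 -in "$f" -noout -issuer)
    # Strip the "subject=" / "issuer=" labels, then compare the names.
    if [ "${subject#*=}" != "${issuer#*=}" ]; then
        echo "$f: issuer and subject differ, so this is not a root CA certificate" >&2; return 1
    fi
    # A root certificate can be verified against itself; the check fails when
    # the current date is outside the Valid from / Valid to window.
    if ! openssl verify -CAfile "$f" "$f" >/dev/null 2>&1; then
        echo "$f: outside its validity period (or otherwise rejected by openssl verify)" >&2; return 1
    fi
    return 0
}

# add_ca_cert FILE [BUNDLE]
# Appends FILE to the bundle after it passes check_ca_cert. The guide notes that
# a hard return may be needed before the next certificate: if the bundle does
# not end with a newline, one is added so the new BEGIN line does not fuse with
# the previous END line, which would stop OpenSSL from reading the bundle right.
add_ca_cert() {
    f=$1; bundle=${2:-/var/lib/datasync/mobility/mob_ca.pem}
    check_ca_cert "$f" || return 1
    if [ -s "$bundle" ] && [ -n "$(tail -c1 "$bundle")" ]; then
        echo >> "$bundle"
    fi
    cat "$f" >> "$bundle"
}

# count_bundle_certs BUNDLE
# Number of certificates OpenSSL can actually read from the bundle, which is
# what matters for verification (a fused or truncated block is not counted).
count_bundle_certs() {
    openssl crl2pkcs7 -nocrl -certfile "$1" 2>/dev/null \
        | openssl pkcs7 -print_certs -noout 2>/dev/null | grep -c '^subject'
}
```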
Enabling Certificate Verification
Before you enable certificate verification, take a backup of the /var/lib/datasync/mobility/mob_ca.pem file.
1 Log in to the GMS WebAdmin.
2 Select Config > GroupWise.
3 Select SSL Certification Verification.
4 Select Apply.
5 In a terminal on the GMS server, restart GMS using the following command: rcgms restart
Troubleshooting Certificate Verification
You may experience SSL problems the first time you enable certificate verification. The following are helpful OpenSSL commands:
Verify POA Connection
openssl s_client -showcerts -CAfile CA_public_certificate -connect poa_DNS:soap_port
Example:
openssl s_client -showcerts -CAfile gwcacert.pem -connect gw.provo.novell.com:7191
Verify a Certificate
openssl verify -issuer_checks -CAfile CA_public_certificate POA_certificate
Example: openssl verify -issuer_checks -CAfile cacert.pem gwpoa.pem
View Certificate Information
openssl x509 -in certificate -noout -text
Example: openssl x509 -in gwcacert.pem -noout -text
Get POA Certificate
openssl s_client -showcerts -connect poa_DNS:soap_port
Example: openssl s_client -showcerts -connect gw.provo.novell.com:7191
View Certificate Purpose
openssl x509 -in certificate -noout -purpose
Example: openssl x509 -in gwcacert.pem -noout -purpose
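An offline complement to the commands above: given a POA certificate saved with Get POA Certificate and the CA bundle, it checks the two things a certificate verification needs, a chain to a trusted CA and a name match, and shows why the prerequisites insist on a DNS name rather than an IP address. This is an added example, not from the guide; the function names are mine and openssl 1.1.0 or later is assumed on PATH.

```shell
#!/bin/sh
# Added example, not from the guide: offline check of a saved POA certificate
# against the mob_ca.pem bundle. Assumes openssl 1.1.0 or later on PATH.

# check_poa_cert POA_CERT CA_BUNDLE POA_DNS_NAME
# Returns 0 when POA_CERT chains to a CA in CA_BUNDLE and is valid for
# POA_DNS_NAME. Passing the POA's IP address as the name fails here for the
# same reason the prerequisites require a DNS name in the SOAP address: the
# certificate is issued for a hostname, not for an address.
check_poa_cert() {
    openssl verify -CAfile "$2" -verify_hostname "$3" "$1" >/dev/null 2>&1
}

# poa_cert_names FILE
# Lists the DNS names the certificate is valid for (Subject Alternative Name
# entries first, then the subject CN), one per line, to diagnose a name mismatch
# quickly instead of reading the full "openssl x509 -text" output.
poa_cert_names() {
    openssl x509 -in "$1" -noout -text 2>/dev/null \
        | grep -o 'DNS:[^,[:space:]]*' | sed 's/^DNS://'
    openssl x509 -in "$1" -noout -subject 2>/dev/null \
        | sed -n 's/.*CN *= *\([^,/]*\).*/\1/p'
}
```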
Secure Message Gateway (GWAVA 7) Integration
Mobility 18 provides an integration with Secure Message Gateway (GWAVA 7) to secure your device emails. Device emails are scanned and accepted or rejected. If accepted, the message is delivered to GroupWise. If rejected, the sender receives an email explaining that the email was rejected by the Secure Message Gateway scan.
For this integration to work, you must do the following:
1 An Interface must be created in Secure Message Gateway for Mobility. For information on creating an interface, see SMTP Interface (http://support.gwava.com/docum[...]ntation/GWAVA/70/html/index.html#t=SMTP_Interface.htm) in the Secure Message Gateway documentation.
2 Open the following file on the Mobility server:
/etc/datasync/configengine/engines/default/pipelines/pipeline1/connectors/mobility/connecter.xml
3 Add the following elements in the <custom> section:
Element: <securegatewayEnable>0</securegatewayEnable>
Value: A “0” is disabled. A “1” is enabled. Set the value to “1” if you want to use Secure Message Gateway.
Element: <securegatewayHost>securegatewayhost</securegatewayHost>
Value: securegatewayHost should be set to the value found in the Secure Message Gateway Admin > Module Management > Interfaces > 3rd Party Application Manager > <Name of Interface created for GMS> > Server Address.
Element: <securegatewayPort>securegatewayport</securegatewayPort>
Value: securegatewayPort should be set to 80 if not using SSL and 443 if using SSL.
Element: <securegatewaySecure>securegatewaysecure</securegatewaySecure>
Value: A “0” is non-secure or HTTP. A “1” is secure or HTTPS. Set the value to what you are using for Secure Message Gateway.
Element: <securegatewayAppkey>securegatewayAppkey</securegatewayAppkey>
Value: securegatewayAppkey should be set to the value found in the Secure Message Gateway Admin > Module Management > Interfaces > 3rd Party Application Manager > <Name of Interface created for GMS> > Application Key.
4 Restart Mobility.
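The elements from the table above as they would appear inside the <custom> section of connecter.xml, set up for a gateway reached over HTTPS. This is an added example, not from the guide: the host name and the application key are placeholders to be replaced with the values from the Secure Message Gateway Admin.

```xml
<!-- Added example, not from the guide: the <custom> section of connecter.xml
     filled in for a Secure Message Gateway reached over HTTPS. smg.example.com
     and the application key are placeholders; take the real values from
     Module Management > Interfaces > 3rd Party Application Manager >
     (your interface) in the Secure Message Gateway Admin. -->
<custom>
  <securegatewayEnable>1</securegatewayEnable>
  <securegatewayHost>smg.example.com</securegatewayHost>
  <!-- Port 443 with securegatewaySecure set to 1 is HTTPS. Port 80 with 0
       would hand every device message to the scanner in clear text. -->
  <securegatewayPort>443</securegatewayPort>
  <securegatewaySecure>1</securegatewaySecure>
  <securegatewayAppkey>PLACEHOLDER-APPLICATION-KEY</securegatewayAppkey>
</custom>
```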