GroupWise Mobility: Figuring out Certificates!
(This article was originally published by Dean Lythgoe in Cool Solutions - September 27, 2010)
Hello all, my name is Nadeem Ahmad Nazeer. Over the past year and a half I have been leading the development efforts for the Novell Data Synchronizer Mobility Pack.
Today I am going to cover information regarding SSL Certificate management in the Mobility Pack. I will also discuss SSL protocol and Cipher configuration.
The Mobility Pack is bundled with 1) WebAdmin 2) Config Engine 3) Sync Engine 4) GroupWise Connector 5) Mobility Connector services. These services run as separate processes and communicate with each other over a secure connection. Internal self-signed certificates are generated and installed for the communication between the datasync services and connectors.
There are two certificates you should know about: 1) WebAdmin 2) Mobility Connector. The WebAdmin certificate is presented when you connect to the admin interface via a web browser (as a user or as the admin), and the Mobility Connector certificate is presented when a user connects to the mobility server from a device.
Replacing the WebAdmin certificate:
Because of security concerns, some companies like to use certificates signed by trusted authorities. This is a recommended practice. The WebAdmin certificate is stored in the /var/lib/datasync/webadmin directory:
Replace the above file with the certificate from a trusted authority. Make sure the certificate file is in PEM format. If it is in binary (DER) format, you can convert it using the following openssl command:
openssl x509 -inform DER -outform PEM -in certificate.crt -out server.pem
Note: Make sure to use the file name "server.pem"
Replacing the Mobility Certificate:
If you picked the self-signed certificate option during the install, the mobility installer will create two certificates in the /var/lib/datasync/device directory:
In our internal deployment we found that some devices have issues with self-signed certificate. The issues ranged from devices giving warnings to devices not being able to accept the certificate. The self-signed certificate is issued to "DataSync MobilityPack" rather than to the specific hostname. Some devices require that a self-signed certificate be associated with a specific hostname.
In any case, it is highly recommended to get a certificate signed by a trusted authority. When you request your certificate, ask for it in PEM format, which contains both the key and the certificate. If they are in binary (DER) format, you can convert them to PEM format using the following openssl command:
openssl x509 -inform DER -outform PEM -in certificate.crt -out certificate.pem
You can also convert the key file using the following openssl command:
openssl rsa -outform PEM -in key.key -out key.pem
Note: While converting the key file you will be asked for the passphrase which was used during the creation of the key file.
Once you have both the certificate and the key file converted, combine them into one mobility.pem file. It should look like this:
-----BEGIN RSA PRIVATE KEY-----
(private key contents)
-----END RSA PRIVATE KEY-----
-----BEGIN CERTIFICATE-----
(certificate contents)
-----END CERTIFICATE-----
If you are using a certificate chain, make sure all of the certificates are in the mobility.pem file. The format of the file should look like this:
-----BEGIN RSA PRIVATE KEY-----
(private key contents)
-----END RSA PRIVATE KEY-----
-----BEGIN CERTIFICATE-----
(Primary certificate contents)
-----END CERTIFICATE-----
-----BEGIN CERTIFICATE-----
(Intermediate certificate contents)
-----END CERTIFICATE-----
-----BEGIN CERTIFICATE-----
(root certificate contents)
-----END CERTIFICATE-----
Note: Devices verify certificates against their installed trusted root certificates. Please make sure the CA that issued your certificate exists on the device. You can refer to our device wiki for additional detail: http://wiki.novell.com/index.php/Data_Synchronizer_Mobility_Connector_Devices
Configuring the SSL version and Ciphers for Mobility Connector:
If you are concerned about SSL v2 and the weak ciphers that are enabled by default, you can turn them off by editing the connector configuration file through the WebAdmin interface (go to the home page, click on the Mobility Connector, then choose Edit XML Source). The default settings for the Mobility Connector are to accept all SSL versions and all ciphers. For customization, add the following tags between the beginning tag and the end tag:
The values for sslMethod are 1 (SSLv2), 2 (SSLv3), 3 (all protocols) and 4 (TLSv1). In the current release only a single value is supported.
Obtain the installed cipher list by running the following command:
openssl ciphers -<protocol> (e.g. openssl ciphers -ssl3)
You can enter any number of ciphers from this list. Here is a sample configuration:
The above configuration disables all the weak ciphers and enables the TLSv1 protocol.
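The following script is an added example, not code from the original article or from the Mobility Pack. It carries out the mobility.pem assembly described above in the required order (key, server certificate, intermediates, root), checks the layout of the result, confirms that the private key actually belongs to the certificate, verifies the chain, and, for the sslMethod section, probes which protocol the connector accepts after the change. The file names key.pem, certificate.pem, intermediate.pem and root.pem are assumptions, and the protocol flags (-ssl3, -tls1) are those of OpenSSL 1.0-era builds, which is the openssl the article's commands belong to.

```shell
#!/bin/sh
# Added example (not from the original article or the Mobility Pack itself).
# File names key.pem, certificate.pem, intermediate.pem, root.pem are
# assumptions; the -ssl3/-tls1 flags exist in OpenSSL 1.0-era builds.

# build_mobility_pem OUT KEY CERT [INTERMEDIATE ... ROOT]
# Concatenates the PEM files in the order the connector expects:
# private key first, then the server certificate, then the chain.
build_mobility_pem() {
    out="$1"; shift
    : > "$out"
    for f in "$@"; do
        [ -r "$f" ] || { echo "missing or unreadable: $f" >&2; return 1; }
        cat "$f" >> "$out"
        # A file without a trailing newline would glue its END marker to the
        # next BEGIN marker; add one so every block starts on its own line.
        [ -z "$(tail -c 1 "$f")" ] || echo >> "$out"
    done
    chmod 600 "$out"    # the file contains the private key
}

# check_pem_layout FILE
# Succeeds only when the first block is a private key and every following
# block is a certificate; anything else (certificate before key, a stray
# CERTIFICATE REQUEST block, an empty file) is rejected.
check_pem_layout() {
    awk '
        /^-----BEGIN / {
            n++
            sub(/^-----BEGIN /, ""); sub(/-----$/, "")
            block[n] = $0
        }
        END {
            if (n < 2 || block[1] !~ /PRIVATE KEY$/) exit 1
            for (i = 2; i <= n; i++) if (block[i] != "CERTIFICATE") exit 1
        }' "$1"
}

# key_matches_cert KEY CERT
# The private key must belong to the certificate: compare the RSA moduli.
# (An encrypted key prompts for its passphrase, as the article notes.)
key_matches_cert() {
    k=$(openssl rsa  -noout -modulus -in "$1" | openssl sha1)
    c=$(openssl x509 -noout -modulus -in "$2" | openssl sha1)
    [ -n "$k" ] && [ "$k" = "$c" ]
}

# verify_chain CERT INTERMEDIATE ROOT
# Confirms the server certificate chains to the root through the
# intermediate, i.e. the bundle is complete before any device sees it.
verify_chain() {
    openssl verify -CAfile "$3" -untrusted "$2" "$1"
}

# probe_protocol HOST:PORT -ssl3|-tls1
# After changing sslMethod, connect with one protocol forced and report
# whether the connector still negotiated it (0 = accepted, 1 = refused).
probe_protocol() {
    openssl s_client -connect "$1" "$2" </dev/null 2>/dev/null \
        | grep 'Cipher is' | grep -qv '(NONE)'
}
```

Typical use: `build_mobility_pem mobility.pem key.pem certificate.pem intermediate.pem root.pem`, then `check_pem_layout mobility.pem && key_matches_cert key.pem certificate.pem && verify_chain certificate.pem intermediate.pem root.pem` before copying the file into /var/lib/datasync/device. Once sslMethod has been set to 4 (TLSv1) and the connector restarted, `probe_protocol mobility.example.com:443 -ssl3` returning 1 confirms that SSLv3 is no longer offered to devices.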
Back to Dean:
Thanks Nadeem for all of the great information. Let the team know if you have questions about how to best secure your mobility server and devices.