brodgers Absent Member.

Admin Console SSL Certificate

Is it possible to change the SSL certificate that the GroupWise 18 Admin Console uses? I know in GW 2014 there was no supported method of doing it.

Thank you!
Brad Rodgers
0 Likes
5 Replies
brodgers Absent Member.

Re: Admin Console SSL Certificate

Sorry, it appears that I posted this in the wrong forum. Perhaps a moderator would be kind enough to move it to the appropriate forum.
0 Likes
Micro Focus Expert

Re: Admin Console SSL Certificate

Hi Brad,

GroupWise 18 uses its own CA. You can't change that. But you can mint new certificates as needed for the Admin Console. You don't quite say what it is you are wanting to achieve.

Cheers,
Laura Buckley

Views/comments expressed here are entirely my own.
If you find this post helpful, please show your appreciation and click on "Like" below...
0 Likes
brodgers Absent Member.

Re: Admin Console SSL Certificate

Laura,

Web browsers do not trust the GroupWise CA so when someone visits the Admin Console, they get the messages about the site not being secure and have to go through the hoops to get past. I was hoping to switch the SSL cert with our wildcard cert so it shows as a valid cert.

Thank you,
Brad
0 Likes
Micro Focus Expert

Re: Admin Console SSL Certificate

Hi Brad,

Unfortunately, you can't replace the GroupWise CA issued certs with external ones.

Cheers,
Laura Buckley

Views/comments expressed here are entirely my own.
If you find this post helpful, please show your appreciation and click on "Like" below...
0 Likes
hhs_admin Contributor.

Re: Admin Console SSL Certificate ... can be replaced!

laurabuckley;2486052 wrote:


Unfortunately, you can't replace the GroupWise CA issued certs with external ones.



Hi Laura,

It is not only possible to replace the GroupWise CA certs with external ones but highly recommended. See "Configuring Server Certificates and TLS" in the GroupWise 18 Administration Guide:

" ... For your convenience, the GroupWise CA can generate certificates until you obtain your commercially signed certificates." ... an intermediate solution and further on:

Certificate Best Practices


  • If you obtain your certificates from an intermediate CA, the certificate for that intermediate CA and all other intermediate CAs leading to the Trusted Root CA must be appended to your certificate file.
  • For TLS communication between the agents and servers, the Fully Qualified Domain Name (FQDN) of the server should be used for the Subject Alternative Name (SAN) on the certificate. Also, the GroupWise agents should be configured with the FQDN instead of the IP address on the Agent Settings tab for all GroupWise agents.


But the documentation doesn't show how to implement the external cert for all Agents, Admin-Console and GWMon :mad:
A much more detailed description can be found in the GroupWise 8 docs, but WEB-Access, Admin-Console and GWMon are still missing.

So here are my findings:

  • WEB-Access is handled by Apache
  • for all agents ONE server certificate can be imported via Admin-Console
  • for the Admin-Console: just save and replace the files: /opt/novell/groupwise/certificates/<longhash>/admin.<domain>{.crt,.key} with the server certificate for your site.
  • GWMonitor

    • Either use the Cool Solution "Creating a certificate to use with GroupWise Monitor Agent web console" (not tested for GW18!)
    • or - as GWMonitor is using the Tomcat keystore located in /var/opt/novell/conf/cacerts

      1. prepare the cert including private key (without password) and complete chain as a PKCS12 file, i.e. mycert.p12
      2. prepare the intermediate cert as intermediate.pem and the cert itself as mycert.pem, then
      3. cd /var/opt/novell/tomcat/conf
         rm cacerts
         keytool -importkeystore -srckeystore mycert.p12 -destkeystore cacerts -deststoretype pkcs12 -destkeypass
         keytool -import -alias IntermediateCA -keystore cacerts -trustcacerts -file intermediate.pem
         keytool -import -alias tomcat -keystore cacerts -trustcacerts -file mycert.pem
         rcnovell-tomcat restart

Klaus
0 Likes
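
A pre-flight check that can be run on the external certificate and key before they replace the files named in the post above, given here as an added example that is not part of the original thread or of GroupWise. The function name `check_cert_bundle`, its return codes and the optional root CA argument are assumptions; it confirms that the key matches the certificate, that the server FQDN is covered, and that the intermediates appended to the certificate file chain to a trusted root.

```shell
#!/bin/sh
# Pre-flight check for a PEM certificate file and its private key.
# check_cert_bundle is a hypothetical helper name (added example).
# Usage: check_cert_bundle CERT_FILE KEY_FILE FQDN [ROOT_CA_FILE]
# CERT_FILE holds the server certificate first, then the intermediate CAs.
# Returns 0 = ok, 1 = key mismatch, 2 = FQDN not covered, 3 = broken chain.
check_cert_bundle() {
    crt=$1 key=$2 fqdn=$3 ca=${4:-}

    # 1. The private key must belong to the first (server) certificate.
    #    Comparing the PEM public keys avoids printing any key material.
    crt_pub=$(openssl x509 -in "$crt" -noout -pubkey 2>/dev/null) || crt_pub=
    key_pub=$(openssl pkey -in "$key" -pubout 2>/dev/null) || key_pub=
    if [ -z "$crt_pub" ] || [ "$crt_pub" != "$key_pub" ]; then
        echo "FAIL: private key does not match certificate" >&2
        return 1
    fi

    # 2. The FQDN that clients connect to must be covered by the certificate
    #    (a wildcard SAN entry also counts as a match here).
    if ! openssl x509 -in "$crt" -noout -checkhost "$fqdn" 2>/dev/null |
            grep -q 'does match certificate'; then
        echo "FAIL: $fqdn is not covered by the certificate" >&2
        return 2
    fi

    # 3. The intermediates appended to CERT_FILE must link the server
    #    certificate to a trusted root: the system trust store by default,
    #    or ROOT_CA_FILE when one is given.
    if [ -n "$ca" ]; then
        openssl verify -CAfile "$ca" -untrusted "$crt" "$crt" >/dev/null 2>&1
    else
        openssl verify -untrusted "$crt" "$crt" >/dev/null 2>&1
    fi || {
        echo "FAIL: chain in $crt is incomplete or untrusted" >&2
        return 3
    }

    echo "OK: $crt and $key are consistent for $fqdn"
}

# Run directly when called as a script with arguments.
if [ "$#" -ge 3 ]; then
    check_cert_bundle "$@"
fi
```

A file that contains only the server certificate fails the third check, which is the case the "Certificate Best Practices" item about appending intermediate CAs is meant to prevent.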