umchs Absent Member.

GroupWise Email Encryption Options


I will just admit going in this is new to me but something I should have addressed long ago.



I need to start encrypting emails from a handful of staff members. I know there is an option for the client to encrypt and digitally sign, but that requires an SSL to be installed on the GroupWise server, correct?



Today I contacted Entrust to learn about S/MIME Encryption. They sell licenses per work station for $40/year. That might be the easiest solution.



However I am not sure what is the best way to go about this and would like some input from others who have SSL or S/MIME configured on their GW PO. Is it better to get the SSL for a system wide option or shoot for individual accounts using an app like Entrust?



GW 14.0.2



Mike Snyder
Knowledge Partner

Re: GroupWise Email Encryption Options

In article <58A42BC9.9454.0078.0@umchs.org>, Mike Snyder wrote:
> I know there is an option for the client to encrypt and digitally sign, but that
> requires an SSL to be installed on the GroupWise server, correct?

No, they are two separate things.
One is client to client (end to end) encryption where both sender and recipient must
have the same encryption tech while the servers are generally oblivious to that
encryption, whereas the server components are for keeping the individual links
secured and the clients/users are oblivious to it being secured.

By default all communications among GroupWise components (agent to agent, client to
POA) where as basic internet email, aka SMTP is very clear text.
SSL can be used at two levels, to upgrade the GroupWise to GroupWise communications
from the old proprietary encryption and more commonly to encrypt SMTP traffic to
those hosts that support it.

It is possible, and happens often enough, that a message is encrypted by a client
with PGP, S/MIME or the like, then the SMTP path it takes is also encrypted.
If a message is only encrypted by the client, the full header (To: From: Subject:)
is visible in the SMTP. If SMTP is encrypted, then we can only see that two mail
servers are talking, not who is emailing who. "See" being where we can intercept
packets.

Encryption always has two ends to it, the sender and the recipient. So to whom are
these staff members sending to?
- If internal to GroupWise, then it's already taken care of.
- If to external, is it to just a specific set of recipients or is it to just
anyone?

It is really easy to set up SSL encryption for GWIA so that it will encrypt SMTP with
any system that is also configured for it, so this is an easy basic to start with.
https://www.novell.com/documentation/groupwise2014r2/gw2014_guide_admin/data/adm_gwia_config_ssl.html
And to test, both for your system and can be used with partners is
http://checktls.com/

I have one client where we regularly check that email between them and their key
partners is SSL encrypted. One check we built in is a rule check for appropriate
encryption indication in the headers that sets the category(colour) of the message
from those partners, one category(colour:green) for encrypted, other category
(colour:red) for should be encrypted but is not, so raise the alarm.


Andy of
http://KonecnyConsulting.ca in Toronto
Knowledge Partner
http://forums.novell.com/member.php/75037-konecnya
If you find a post helpful and are logged in the Web interface, please show your
appreciation by clicking on the star below. Thanks!

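The header rule described in the post above (green for encrypted partner mail, red for partner mail that should have been encrypted but was not), sketched as an added example; it is not code from the thread or from GroupWise. The partner domain, the gateway host name and the TLS markers matched in the `Received` header are assumptions, since the thread does not say what GWIA stamps.

```python
import re
from email import message_from_string
from email.utils import parseaddr

# Assumptions (placeholders, not from the thread): partner domains that must
# deliver over TLS, and our gateway's name as it appears in its "by" clause.
PARTNER_DOMAINS = {"partner.example"}
OUR_GATEWAY = "gwia.example.org"

# Common TLS indications in a Received header: the RFC 3848 "with ESMTPS"
# keywords, or a "(using TLSv1.2 ...)" / "version=TLS1_2" comment.
TLS_MARKERS = re.compile(
    r"\bwith\s+(?:ESMTPSA?|LMTPSA?)\b|\busing\s+TLSv[\d.]+|\bversion=TLS", re.I)
BY_HOST = re.compile(r"\bby\s+([^\s;()]+)", re.I)


def gateway_hop(msg):
    """Return the Received header our own gateway wrote, or None.

    Only this hop is trusted: every Received line below it was written by
    the sending side and can say anything.
    """
    for value in msg.get_all("Received", []):
        m = BY_HOST.search(value)
        if m and m.group(1).lower() == OUR_GATEWAY:
            return value
    return None


def is_partner(address):
    domain = address.rpartition("@")[2].lower()
    return any(domain == d or domain.endswith("." + d) for d in PARTNER_DOMAINS)


def classify(raw_message):
    """'green' = partner mail that arrived over TLS, 'red' = partner mail that
    did not (raise the alarm), None = sender is not a listed partner."""
    msg = message_from_string(raw_message)
    sender = parseaddr(msg.get("From", ""))[1]
    if not is_partner(sender):
        return None
    hop = gateway_hop(msg)
    return "green" if hop and TLS_MARKERS.search(hop) else "red"


# Constructed sample messages (not real traffic).
SAMPLE_TLS = """\
Received: from mail.partner.example (mail.partner.example [192.0.2.10])
 (using TLSv1.2 with cipher ECDHE-RSA-AES256-GCM-SHA384 (256/256 bits))
 by gwia.example.org with ESMTPS id 1; Thu, 16 Feb 2017 09:00:00 -0800
From: Clinic Intake <intake@partner.example>
Subject: referral

body
"""

# Our hop is plain ESMTP; the sender-side hop claims ESMTPS but is ignored.
SAMPLE_CLEAR = """\
Received: from mail.partner.example (mail.partner.example [192.0.2.10])
 by gwia.example.org with ESMTP id 2; Thu, 16 Feb 2017 09:05:00 -0800
Received: from pc1 (pc1.partner.example [10.0.0.5])
 by mail.partner.example with ESMTPS id 9; Thu, 16 Feb 2017 09:04:58 -0800
From: Clinic Intake <intake@partner.example>
Subject: referral

body
"""

SAMPLE_OTHER = SAMPLE_CLEAR.replace("intake@partner.example", "news@other.example")

if __name__ == "__main__":
    for name in ("SAMPLE_TLS", "SAMPLE_CLEAR", "SAMPLE_OTHER"):
        print(name, classify(globals()[name]))
```

The `From` header is sender-controlled, so this flags missing transport encryption on mail that claims to come from a partner; it does not authenticate the sender.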
umchs Absent Member.

Re: GroupWise Email Encryption Options


First of all let me say THANK YOU, so often on forums people give short answers or spend more time telling you how stupid you are instead of helping. And then you go and write a page of help for me, amazing!!!



This is AWESOME!



The document you sent me on Novell looks straightforward, I just need to purchase an SSL cert. Do you happen to have a favorite? I think GoDaddy sells them, Novell suggested Entrust, I don't really care.



As for your questions, it is mainly needed so that a select few staff members can email medical providers and other agencies so we can ensure the information being sent is indeed safe. We don't really need EVERY email encrypted, but if SSL would do that it cannot hurt. What people cannot see they cannot steal, right?







>>> Andy Konecny<konecnya@no-mx.forums.microfocus.com> 2/15/2017 1:16 PM >>>



Knowledge Partner

Re: GroupWise Email Encryption Options

Mike Snyder wrote:

> I need to start encrypting emails from a handful of staff members.


Hi Mike,

There are a couple of ways to secure your email:

First:
When you encrypt email, the sender uses the public key of the
recipient. The recipient uses his private key to decrypt it.

This means that both sender and recipient must be set up to
encrypt/decrypt their email. It also means that sender and recipient
must have their own private/public keys and provide the recipient with
the public key. The good news is that you don't have to buy them. You
can generate your own.

This TID may help:
https://www.novell.com/support/kb/doc.php?id=7002943

Second:
The other way is to use secure links when transferring unencrypted
email. GroupWise (GWIA) and other email software can use TLS to
transfer email to the recipient's SMTP server but only if that server
is set up for secure email transfers and once the email has been
received, it is stored in plain text format (unless they also use
GroupWise but you can't count on that!). Furthermore, when the
recipient retrieves the email you can't control whether they use a
secure link to do so or, for that matter, where their SMTP server may
reside. You also have no control over whether they use SSL to send
their email to their SMTP server nor how their (ISP's) SMTP server uses
TLS.

While it is possible to use this method to transfer email, and a good
idea to do so, in practice you can't control how third parties
configure their system and can't ensure that unencrypted email sitting
on someone's SMTP server won't be accessed by unauthorized persons.


--
Kevin Boyle - Knowledge Partner
If you find this post helpful and are logged into the web interface,
please show your appreciation and click on the star below this post.
Thank you.

Knowledge Partner

Re: GroupWise Email Encryption Options

In article <58A46240.9454.0078.0@umchs.org>, Mike Snyder wrote:
> First of all let me say THANK YOU, so often on forums people give
> short answers or spend more time telling you how stupid you are
> instead of helping. And then you go and write a page of help for
> me, amazing!!!
> This is AWESOME!


You are very welcome.
I've had to explain bits of it to my clients the past few years so it just flowed.
I think I may flesh it out further as a full article.

> The document you sent me on Novell looks straight forward, I just
> need to purchase an SSL cert. Do you happen to have a favorite?
> I think GoDaddy sells them, Novell suggested Entrust, I don't really care.


So far we've just used self minted certs. I haven't encountered any places that
care about the full chain of trust yet, but that may yet happen. I think the basic
trust chain of DNS with MX records one way and SPF and the like for the other are
covering that need. The advantage of a self minted cert is that you can often make
it a longer time frame than the likely life of the server rather than the most
common maximum of 5 years, in addition to not really costing you anything to create.
Comodo is where I've been getting my certs the past while, though that is as much
because a friend is a reseller of their certs and we have some joint clients.


Andy of
http://KonecnyConsulting.ca in Toronto
Knowledge Partner
http://forums.novell.com/member.php/75037-konecnya
If you find a post helpful and are logged in the Web interface, please show your
appreciation by clicking on the star below. Thanks!

Knowledge Partner

Re: GroupWise Email Encryption Options

On 15.02.2017 at 22:16, Andy Konecny wrote:

>
> By default all communications among GroupWise components (agent to agent, client to
> POA) where as basic internet email, aka SMTP is very clear text.


Dunno if that's a typo or a missing word. So to clear that up: All
GroupWise *internal* communication is encrypted (always, impossible to
disable), not clear text. SMTP email to the internet by default is clear
text and needs SSL configured to be encrypted "on demand" if both ends
of the communication support it.


CU,
--
Massimo Rosen
Micro Focus Knowledge Partner
No emails please!
http://www.cfc-it.de
umchs Absent Member.

Re: GroupWise Email Encryption Options


Thank you, that is what I have always been told as well, internal communication is safe and encrypted, which is most of our communication and at one point the only private or confidential material was being sent to and from our own staff.



Now we are being asked to use more email for communication as faxes go by the wayside (thank God). So in order to keep our data secure I am moving forward with encrypting emails that leave the GroupWise PO.



>>> Massimo Rosen<mrosenNO@SPAMcfc-it.de> 2/16/2017 1:11 AM >>>



umchs Absent Member.

Re: GroupWise Email Encryption Options


Thank you Kevin, I stumbled across that TID yesterday and we are using GW 14 now and no longer use Console One to administer GroupWise as it's all done via the web based admin console. I wasn't sure if this still applied to 14, latest one listed is GW 7.



I think at this point it's probably best to open a ticket with Novell so they can assist me. Last thing I want is to spend time and money and do it incorrectly 🙂



Mike



>>> Kevin Boyle<KBOYLE@no-mx.forums.microfocus.com> 2/15/2017 5:48 PM >>>



Knowledge Partner

Re: GroupWise Email Encryption Options

Mike Snyder wrote:

> I think at this point it's probably best to open a ticket with Novell
> so they can assist me.


Hi Mike,

That's one advantage of having maintenance! 🙂

The TID I gave you is old, yes, but the steps outlined in bold still
apply. The tools used to accomplish each step will vary depending on
your version of GroupWise.

Even if tech support can help you to get this set up, you'll still want
to know how to enable encrypted email for other users. As the TID
suggests, you can create a couple of new users to verify you have
completed all the necessary steps.

I assume you have checked with potential recipients to ensure they are
able to send/receive encrypted email? Remember, this has to be in place
at both ends.

Please let us know how you make out. You never know if there are any
gotchas along the way that others should be made aware of.

--
Kevin Boyle - Knowledge Partner
If you find this post helpful and are logged into the web interface,
please show your appreciation and click on the star below this post.
Thank you.
umchs Absent Member.

Re: GroupWise Email Encryption Options


That is what I am doing now, gathering a list of recipients so I can inquire about this. My hunch is no based on the IT services in our small rural town, not many medical providers seem to be compliant which is a larger concern than anything we are doing.



I'll see if I can figure out who/what I'm working with before I call Novell.







>>> Kevin Boyle<KBOYLE@no-mx.forums.microfocus.com> 2/16/2017 9:13 AM >>>



EUWID_Netmaster Absent Member.

Re: GroupWise Email Encryption Options

Hi all,

this TID is unfortunately pretty old.
We are using GW 2014R2. I'm wondering if I really have to add the
LDAP-eDirectory to the Address-Book on every workstation. Or is there a
way to implement that centrally in the GW-Admin console? I saw there a
directory-entry in the config page for the LDAP-Server? Could that be
done there? Or is there a newer TID about that for GW2014?

THX for any answer

Regards

Ullrich


Knowledge Partner

Re: GroupWise Email Encryption Options

Hi.

On 17.02.2017 at 10:16, Ullrich wrote:
> Hi all,
>
> this TID is unfortunately pretty old.
> We are using GW 2014R2. I'm wondering if I really have to add the
> LDAP-eDirectory to the Address-Book on every workstation.


No, you don't have to. It's *one* way to get eDirectory user
certificates to your users. You can also let them retrieve them via
iManager for instance.

The thing is, user certificates can only be retrieved by the user himself
for security reasons. That makes it OTOH a tad complicated.

> Or is there a
> way to implement that centrally in the GW-Admin console? I saw there a
> directory-entry in the config page for the LDAP-Server? Could that be
> done there? Or is there a newer TID about that for GW2014?


No. Note that all this hasn't even a lot to do with GroupWise.
Certificates come from eDirectory (if you self-sign them), and the
functionality to use them on the workstation is actually from Windows,
with GroupWise merely using them. The task is to enable users to
retrieve "their" certificates from eDir in the for them easiest way (but
they have to do it themselves), and to integrate that certificate into
Windows' certificate store.

CU,
--
Massimo Rosen
Micro Focus Knowledge Partner
No emails please!
http://www.cfc-it.de
EUWID_Netmaster Absent Member.

Re: GroupWise Email Encryption Options

Hi Massimo,

thanks for your answer. This applies to the private cert. Every user has
to export it him/her-self from eDir.
But I wonder is there any easy way for the public ones. Can I retrieve
them automatically when sending a mail to one of our GW-Users? Actually
I have to add the public certs on every device for every user in the
GW-Address-Book. This is a pain.

Regards

Ullrich

umchs Absent Member.

Re: GroupWise Email Encryption Options


Hey Kevin, so I ran the CheckTLS app on 2 state.or.us email addresses and they all come up OK on everything but Cert OK, that one shows FAIL.



So am I to understand that even if I send an encrypted email from this end, if they don't have SSL on their end it doesn't really encrypt it?



>>> Kevin Boyle<KBOYLE@no-mx.forums.microfocus.com> 2/16/2017 9:13 AM >>>



Knowledge Partner

Re: GroupWise Email Encryption Options

Hi.

On 17.02.2017 at 15:41, Ullrich wrote:
> Hi Massimo,
>
> thanks for your answer. This applies to the private cert. Every user has
> to export it him/her-self from eDir.
> But I wonder is there any easy way for the public ones. Can I retrieve
> them automatically when sending a mail to one of our GW-Users?


Why would you want to send S/MIME encrypted mail internally? That's
really useful for internet mail only, internally you don't have to worry.

And yes, certs are user specific in Windows. Something for roaming
profiles...

CU,
--
Massimo Rosen
Micro Focus Knowledge Partner
No emails please!
http://www.cfc-it.de