Once the Mobility Service is installed, all administration is done through the Web Admin Console. There is a lot going on that’s new with GroupWise Mobility Service 2.0. So much that we’re going to dedicate a separate chapter to the new
The Web Admin Console
The Web Admin Console for your Mobility Service server listens by default on port 8120. To access your Web Admin Console, in your web browser go to:
GMS Login Screen
At the login screen, if you are using LDAP provisioning, enter the admin userid and password that you set in your installation above. If you are using GroupWise provisioning, use the root user and password for the server. Note that users can log in here as well and manage their address book and other sync settings. Right here at the login screen, you can see the version of GroupWise Mobility Service. This is a fantastically simple way to see if you are actually on the version you believe without having to bother with logging in.
You should see a screen like Figure 6-2. If you added users during the installation and did not block devices, your users would be able to configure their devices and start syncing with no further ado! But now we’ll go over the settings in the admin portal.
Please note – if you are updating your system from a prior version of the Mobility Service, there are many new options. I suggest you read this entire chapter as though you didn’t know anything about Mobility!
The Main Mobility Service Window
We are now at the new “Home Page” for GroupWise Mobility Service. As you will see, the look and feel of the new Admin Console is much more streamlined. Essentially, the only action you can perform on the home screen is to start and stop your Sync Agents. See the power button to the right of the word “running”. If you click that box you stop the agent. Then you will have a play arrow to allow you to start it again.
The basic navigation for the Mobility Service has been reduced to three options:
All of these options have text links here on the home page, and can all be accessed via icons at the top from any location in the Admin Console.
We will look at the various options in the Server Configuration settings now.
The Mobility Service Configuration Settings
When you first click on the Service Configuration link (Config icon), you will see the following screen:
The General Tab in the Server Configuration allows you to modify the following settings:
Log Level: Your options here are Info, Debug, Warning, Error. It seems that most of the time I set this at either Info or Debug, and rarely to Warning! I run most of the time in Info, and then switch to Debug when I’m troubleshooting. Debug can put a heavy load on busy servers.
Sync Agent Startup: Most sites keep this at Automatic.
Maximum Attachment Size (GroupWise to Device): Attachments are obviously the biggest space consumers on the Mobility Service. Choose the largest attachment you wish to send to devices. Remember that devices have quite a bit of space these days, but users need to be practical about the size of attachments that are reasonable to receive to a mobile device.
Maximum Send Mail Size (Device to GroupWise): This setting dictates how large of an attachment a device can send back through the GroupWise system. This prevents users from sending very large photos, for example, through the GroupWise system.
Alert Retention: The Dashboard will retain alerts for a period of time. 14 days is the default. Generally speaking, 14 days seems adequate. If you haven’t looked at the alerts by then, you probably don’t need the information.
Statistic History Retention: A number of different graphs are generated at the dashboard. The default is to retain this information for 30 days. You can change the range here.
Notification Enabled: The Mobility Service has its own notification system, separate from GroupWise Monitor. If you choose to turn on notifications, you must indicate an SMTP server to send through. This could be your GWIA, or if you have an independent SMTP server that is not associated with your GroupWise system, you could also put that here:
SMTP IP Address
Authentication User Name if required
Authentication User Password if required
System Notifications: Critical (red) alerts are considered system notifications. You can define one or more addresses to be alerted in a comma delimited string here for system notifications. These need to be email addresses, but can be device email addresses that arrive as text messages if desired.
Service Notifications: As you will see in the Device settings below, you can choose to quarantine new devices rather than just allowing users to connect new devices without notification. When a new device is ready to be released from the quarantine, the list of recipients (comma delimited) on this line will be notified.
MDM Server: There are a few Mobile Device Management servers that will interface with GroupWise, including ZENworks and BlackBerry 10 servers. If you are using an MDM, the IP address of that server goes here. It is very important to add your MDM IP address here if you are indeed using an MDM solution. Otherwise you may experience issues with duplicate user creation attempts.
Send Anonymous Feedback: If you choose, you can send anonymous feedback to Novell regarding statistical usage. As mentioned above, this is a very useful item for Novell, and all of the data gathered is available to you to peruse. This is a very transparent and open gathering of data!
The GroupWise Sync Agent
When you click on the “Config” icon at the top of the screen, you then click “GroupWise” to see the settings applicable to the GroupWise Sync Agent. As long as you entered everything correctly in the setup, these settings should not need to be changed.
Let’s take some time to go through all of the settings here for the GroupWise Sync Agent.
The GroupWise Sync Agent Settings
The GroupWise Sync Agent Settings mostly comprise information that you entered during the installation of your system. We’ll look at each of the items in Figure 6-3 at this time.
IP Address: This should be the “local” IP address for the Mobility Service. Do not use localhost here.
Port: This defaults to 4500. It is rare that you would feel a need to alter this. In general, unless you have an overriding reason to do so, we recommend that sites keep the default ports used by the product. This allows both Novell and the volunteers at http://forums.novell.com to assist with problems more easily.
POA SOAP URL: This is the location of the POA that is the “routing agent” so to speak for the GroupWise Sync Agent. If you have multiple Post Offices, the GroupWise Sync Agent will first contact the POA listed here, and then be redirected to the proper POA for the user in question. The default URL for SOAP with SSL is https://yourpoaaddress:7191/soap. If you are not using SSL, then it is merely http://yourpoaaddress:7191/soap. Remember that we can only supply the location for one POA here. If this POA becomes inaccessible, then your Mobility Service will not be able to process requests to the GroupWise system.
Trusted Application Name: This was entered from the installation. If you ever need to recreate the Trusted Application and give it a new name, you would enter that new name here. The Trusted Application Name and the Trusted Application Key below must both match what is in the GroupWise system, or synchronization will fail.
Trusted Application Key: This is a long string of characters, as represented by a string of asterisks. When you create the Trusted Application Key, you are asked to save the key to a text file. So long as you have this text file, you can reconfigure the Mobility Service as needed. If you lose this text file, you would need to create a new Trusted App for the Mobility Service. We have seen issues where this setting can become corrupted if you change items on this page. If that were to happen, just copy the text string from the Trusted App text file, and paste it back into this line. It will be saved, converted to asterisks, and the system should work again.
GroupWise Items to Sync: By default all items are listed to sync.
Any time you change items here, click Save.
The Device Sync Agent
Click on the “Device” tab on the Server Configuration page. Here you see the basic settings for your Device Sync Agent.
The settings on this page are fairly self-explanatory, but we will quickly go through them here.
IP Address: This has 0.0.0.0 set by default, and as such all IP addresses on the server will listen on the device sync port. You can change this address here if you wish to bind only a particular address to the agent port. This is rarely required or desired.
Port: If you have the next setting (Secure) checked, then port 443 is the default port for the Device Sync Agent. This is very practical, because most devices assume that they should connect on port 443 if SSL is selected. If you are not using SSL (although we assume that most sites WILL use SSL), port 80 would be the default port. You can change this port to any port you choose. However, if you do, then all devices will need to be configured to connect on the port that you list here. Not all devices will be happy about such a change. Save yourself some grief and leave it as it is.
Secure: This setting indicates whether the Device Sync Agent will use SSL for connections. We assume that most sites will use SSL.
Block All Devices: As we saw during our setup of the Mobility Service, this setting is useful for preventing devices from connecting to the system when you are making changes, or wish to lock them out for other reasons. It is typical to have this setting checked during initial setup, especially if you have disseminated information to users ahead of time about how to connect to the server.
Quarantine New Devices: The Mobility Service allows for users to access their GroupWise information from any ActiveSync enabled device. If you wish to monitor or control the number of devices, you can check this box. If you quarantine devices, you can be notified when new devices are attempting access by setting up the “Service Notifications” described in “The Mobility Service Configuration Settings” above.
Maximum Devices per User: If you wish to limit the number of devices that an individual user can synchronize, enter that number here. If a user attempts to exceed this number, an error similar to “You are not authorized to use this service” will appear on the device. This can be confusing for users, and even administrators if you do not remember limiting the number of devices!
Remove Unused Devices: Here you can set the number of days after which an unused device will be deleted from the Mobility Service. This prevents unnecessary space being taken up by devices that are no longer active, and can also prevent problems with the Maximum Devices per User setting above if a particular user is prone to “testing”.
Device Security Policy: Determines whether you will force device security on all users. When you turn this on, the settings below are activated. It is important to note though, that by enabling this setting, some devices will pop up a “security notice” even if you do not actually enable any security options. So make sure you (and the help desk) are ready before you turn this on!
Require Both Letters and Numbers: This is for the device password policy. Despite its name, this setting requires not only that one letter and one number be part of the password, but also that a special character be included.
Minimum Password Length: The minimum password allowed is 1 character, and the maximum 18 characters.
Inactivity Time: You can set an inactivity time for the devices to force a password lock after a certain amount of idle time.
Reset Device after failures: If password attempts occur repeatedly, the device can be reset.
Maximum Email Sync Limit: Users can actually attempt to synchronize their entire GroupWise mailbox with a device, and this is rarely desirable. The number you place here (in days) will be the number of days of email returned when a user chooses “All” for their email setting.
Maximum Calendar Sync Limit: Like email above, this dictates the number of days a calendar can synchronize.
Address Book User: The Mobility Service does not synchronize the GroupWise System Address Book. As long as the device supports it, users can do a lookup for the GroupWise System Address Book on the fly, and see the email address and phone number that is defined in the directory. Put a user here who can see all of the users in the GroupWise system that you wish to have visible in this lookup. You should think of this user as a “proxy object”. In other words, all objects that this user can see in your address book will be visible to all users of GroupWise Mobility Service. No password is needed here. The Device Sync Agent uses the Trusted Application Key for access to the Post Office. This user must also be provisioned as a Mobility Service user.
The User Source
We discussed the User Source in “Let’s Get Started with GroupWise Mobility Service!”. Please go back and review the “Directories and GroupWise Mobility Service” section of that chapter to get a better understanding of the User Source. Here’s an overview of what you can configure on this screen.
From the “Config” icon, choose the User Source tab.
The User Source Tab
On this page we choose our Provisioning and Authentication settings.
Provisioning: The provisioning of users means the directory where you find your users to add to the system. Originally, there was only one choice for provisioning users. You were required to use LDAP, and that actually meant eDirectory. You can now choose to provision your users directly from the GroupWise directory. Of particular import here, if you set the provisioning to “GroupWise”, you have no choice other than GroupWise for authentication. This makes perfect sense, and quite honestly, we recommend that you bite the bullet and move away from LDAP provisioning AND authentication. Note, this does not mean that you cannot use LDAP as an authentication source for GroupWise itself. It simply means that whatever authentication method the POA uses will be available to the Mobility Service when users attempt to log in.
Group Membership Poll Rate: If you are using groups (or distribution lists) to provision users, this value will determine how often these groups are refreshed by the Mobility Service in the background. There is a “Poll Now” button here where you can force a poll.
If you use LDAP for your provisioning or authentication, you will see the LDAP section above.
IP Address: Enter the IP address of your LDAP server
Port: Enter the port for your LDAP server. If you are using Secure (SSL) the default port is 636. If you are not using SSL, the default is 389.
Secure: If you check this, you will be initiating your LDAP connection via SSL, so make sure that your port above is the proper SSL port.
Admin Full DN: Note that even though this says “Admin” this is not the admin user for the Admin Console. This is a user who has rights to access your LDAP server, and really is not an administrator to THIS system. Enter the full DN of the user who will contact your LDAP server.
Admin Password: the password for your LDAP user.
Base User DNs: The system will search for users from these DNs (think OUs for eDirectory) and down.
Base Group DNs: The system will search for groups from these DNs (think OUs for eDirectory) and down.
Obviously, if you change anything here, click Save.
The Mobility Service can specifically use NetIQ Access Manager or KeyShield SSO for single sign-on for the Mobility Admin Console. NetIQ Access Manager is transparent, and you will be logged in automatically. For KeyShield, you must fill out the sections on this tab to activate.
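The settings walked through above (General, GroupWise Sync Agent, Device Sync Agent and User Source) interact in ways that are easy to miss on separate tabs. The following check is an added example, not part of the product or of the original chapter: it lints values copied by hand from the Web Admin Console. The dictionary keys and the sample values are hypothetical names constructed for this example, not the product's own configuration format.

```python
from ipaddress import ip_address
from urllib.parse import urlsplit

# Defaults and limits stated in the chapter, keyed by the "Secure" checkbox.
LDAP_PORTS = {True: 636, False: 389}
DEVICE_PORTS = {True: 443, False: 80}
PASSWORD_LENGTHS = range(1, 19)  # minimum password length: 1 to 18 characters


def is_loopback(host):
    """True for 'localhost' or a loopback IP literal such as 127.0.0.1."""
    host = host.strip()
    if host.lower() == "localhost":
        return True
    try:
        return ip_address(host).is_loopback
    except ValueError:
        return False  # some other DNS name


def split_recipients(value):
    """Split a comma-delimited notification string into addresses."""
    return [part.strip() for part in value.split(",") if part.strip()]


def looks_like_email(addr):
    local, sep, domain = addr.partition("@")
    return bool(local and sep and domain and "@" not in domain)


def audit(cfg):
    """Return a sorted list of (setting, finding) pairs; empty means no findings."""
    out = []
    general, gw, dev, src = (cfg[k] for k in ("general", "groupwise", "device", "user_source"))

    # General tab: notifications need an SMTP server and real email addresses.
    if general["notification_enabled"] and not general["smtp_ip_address"]:
        out.append(("general.smtp_ip_address", "notifications are on but no SMTP server is set"))
    for key in ("system_notifications", "service_notifications"):
        bad = [a for a in split_recipients(general[key]) if not looks_like_email(a)]
        if bad:
            out.append((f"general.{key}", "not an email address: " + ", ".join(bad)))

    # GroupWise Sync Agent: local IP (not localhost) and SSL to the POA.
    if is_loopback(gw["ip_address"]):
        out.append(("groupwise.ip_address", "use the server's local IP address, not localhost"))
    if urlsplit(gw["poa_soap_url"]).scheme != "https":
        out.append(("groupwise.poa_soap_url", "POA SOAP URL does not use SSL"))

    # Device Sync Agent.
    if not dev["secure"]:
        out.append(("device.secure", "device connections do not use SSL"))
    if dev["port"] != DEVICE_PORTS[dev["secure"]]:
        out.append(("device.port", "non-default port: every device must be configured to match"))
    if dev["quarantine_new_devices"] and not split_recipients(general["service_notifications"]):
        out.append(("general.service_notifications", "devices are quarantined but nobody is notified"))
    if dev["device_security_policy"] and dev["minimum_password_length"] not in PASSWORD_LENGTHS:
        out.append(("device.minimum_password_length", "must be between 1 and 18"))

    # User Source: GroupWise provisioning implies GroupWise authentication.
    if src["provisioning"] == "GroupWise" and src["authentication"] != "GroupWise":
        out.append(("user_source.authentication", "GroupWise provisioning requires GroupWise authentication"))
    if "LDAP" in (src["provisioning"], src["authentication"]):
        ldap = src["ldap"]
        if not ldap["secure"]:
            out.append(("user_source.ldap.secure", "LDAP bind for the Admin Full DN is not protected by SSL"))
        if ldap["port"] != LDAP_PORTS[ldap["secure"]]:
            out.append(("user_source.ldap.port", "port is not the default for the chosen Secure setting"))
    return sorted(out)


# Constructed sample values (documentation addresses, not a real server).
WEAK = {
    "general": {"notification_enabled": True, "smtp_ip_address": "",
                "system_notifications": "admin@example.com, helpdesk",
                "service_notifications": ""},
    "groupwise": {"ip_address": "localhost",
                  "poa_soap_url": "http://192.0.2.10:7191/soap"},
    "device": {"secure": False, "port": 8080, "quarantine_new_devices": True,
               "device_security_policy": True, "minimum_password_length": 0},
    "user_source": {"provisioning": "LDAP", "authentication": "LDAP",
                    "ldap": {"secure": False, "port": 636}},
}
HARDENED = {
    "general": {"notification_enabled": True, "smtp_ip_address": "192.0.2.25",
                "system_notifications": "admin@example.com",
                "service_notifications": "helpdesk@example.com"},
    "groupwise": {"ip_address": "192.0.2.20",
                  "poa_soap_url": "https://192.0.2.10:7191/soap"},
    "device": {"secure": True, "port": 443, "quarantine_new_devices": True,
               "device_security_policy": True, "minimum_password_length": 8},
    "user_source": {"provisioning": "GroupWise", "authentication": "GroupWise",
                    "ldap": None},
}

if __name__ == "__main__":
    for name, cfg in (("WEAK", WEAK), ("HARDENED", HARDENED)):
        print(name)
        for setting, finding in audit(cfg):
            print(f"  {setting}: {finding}")
```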
Managing Mobility Service Users
User management is accomplished from the Users window of the Mobility Service admin console. Before we start looking at the management tools here, let’s have a little discussion about “users”.
In GroupWise 2012 and prior (this will change with GroupWise 2014), there are really three types of “users” that we can deal with:
- GroupWise Users
- GroupWise External Entities
- GroupWise Resources
Let’s take a look at each of these.
GroupWise Users
A GroupWise user (with a red shirt in ConsoleOne) is a standard GroupWise account that has an associated eDirectory user. That is, I log into eDirectory to access services such as file and print, and I also have a GroupWise ID. This is the most common type of GroupWise user. The eDirectory userid may or may not be the same as my GroupWise ID. For example, a site might have eDirectory logins like dz1234 and GroupWise IDs like dzanre.
GroupWise External Entities
An External Entity is a GroupWise mailbox holder that does not have rights to log into eDirectory. These users are often remote users, users in Active Directory who do not access eDirectory services, and the like. A GroupWise External Entity can only access the Mobility Service if the User Provisioning is set to use GroupWise authentication, because no password is associated with the External Entity’s eDirectory object. The only password an External Entity can have is a GroupWise password.
GroupWise Resources
A GroupWise Resource looks like a GroupWise user from the perspective of the mailbox associated with it, but a GroupWise Resource is special. A Resource is intended to represent a role, object or location. For example, a resource might be “receptionist” or “projector” or “conference room”.
One of the limitations of GroupWise Mobility Service is that shared items (folders, calendars, address books) cannot be synchronized to any user except for the owner of the item. One way to work around that is to have all shared items be owned by a resource that you allow multiple users to access from mobile devices. For example, let’s say that you have a project called “Office Relocation”. This project has folders where email messages are stored for everyone in the project to see. This project also has a project calendar. And there is an address book for the project with names of outside vendors, contacts, etc. that are needed for the project to run smoothly. Rather than having the project head create all of these items in his own GroupWise account, you could create a resource called “Relocation”. That Resource could then share all of these items to users so that when they are using the GroupWise client the items are all accessible right in their own GroupWise account. You could then give all of the sharees the password for the Relocation resource, and they can connect to it via their mobile devices.
There are a few complications to this as follows:
A Resource must have a password, and this is set by the owner of the resource proxying to the resource and setting the password there. If the owner forgets the password, it can only be reset through a GWCHECK with “reset client options/clear password”. There is no way for an administrator to set a password for the resource. After the password is cleared, the owner can then proxy to the resource and set a new password. This would then need to be communicated to all affected parties.
Shared items already exist in many GroupWise systems that are not owned by resources. In order to use resources to facilitate shared items you would need to move those items to a resource. There is no way to do that with GroupWise itself. However, you can use the Shared Folder Administration tool found at http://www.caledonia.net/shariff.html to assist with that. For address books, you can export the address books to NAB files and import them into the resource address books. For calendars, you can export the calendar to an ics file and import that for the resource. In order for this to be effective, multiple resources would need to exist for each group of people who need access. For example, you probably could not have one big resource that owns all address books, because that would then allow any user who has access to the resource to access all address books rather than just the books you intend.
It is best if resources are named with a single word and no spaces in the name to facilitate compatibility with all portions of Mobility and devices.
From the main home screen, all of the users which were added during the installation, either individually, or by virtue of belonging to groups that were added, can be accessed by clicking on the Users link.
Adding Mobility Users
From the Home screen of your admin portal, click on the Users link in the bottom third of the window. You can manually add new users here.
To add users individually to the Mobility Service, do the following:
Click on the Add Users check box at the top of the screen. You will see a Search Users box where you can type in a portion of the user’s name. A couple of notes here:
There is both an LDAP and a GroupWise radio button here.
If this is an updated Mobility Service, your LDAP settings are still configured in your setup, even if you have switched to GroupWise provisioning. Thus, you could use either an LDAP or a GroupWise lookup here.
If this is a new Mobility server, and you choose GroupWise provisioning, you will still see this LDAP option, but it will return zero results.
Once the user is found, you can click the checkbox next to the user’s name to add the user. This can be a user, external entity or resource.
If you are using LDAP authentication, for each user you add, if the GroupWise userid does not match the LDAP username, you must click on the name link under the Default Name to enter the proper GroupWise userid for the user. Please note, that in our testing, if you do not correct the Default Name right here, you will have trouble with the device not being able to synchronize data.
Adding users to Mobility
If you will be adding the users via a group, follow these instructions:
Click on the Groups link and choose the Add Groups button.
Search for the Group you would like to add to Mobility Service and click the box next to the Group and then click Add. As with the users, you will have both LDAP and GroupWise options here.
Wait for a minute or so, and then click on the Users tab. You should see the users there that are members of your group.
As mentioned above, we do not recommend adding users via an LDAP group if the user’s GroupWise and LDAP userids do not match.
Any users added via group membership must be removed from the group in order to delete them from the Mobility server.
Viewing Mobility Users and Groups
In the Users section of the Mobility Service you can manage information regarding the GroupWise account. Let’s take a look at the Users window.
Here we have an assortment of users. There are a number of icons visible in the above figure, as well as some that you might see in your travels. You can click on the column names to sort this list via any of the four columns. You can also search for a user in the search field in the upper left. You can even filter on the various types of devices, as seen in the next figure.
This is a scrolling list, rather than a static list with “next” buttons.
Following is information on what you see above.
In the far left column, you will see icons that represent the type of entity, and whether or not the entity was added by group. For example, “confroom3” is a resource as indicated by the resource icon. This resource, as well as some of the users like “Mary” was added via a group. Here are the relevant icons:
To the right of the userid is a “delete” icon. You will only see this icon if the user is eligible to be deleted from the Mobility Service.
To the right of the User Name column is the User State. Here is where you can see at a glance what is going on with the users on your Mobility Service.
Queued: To be honest, I’ve never seen this state! It seems to happen too quickly for me to get a look at it. Essentially, this one means that the user has been added to the Server, but the initial synchronization process hasn’t kicked off yet. As you will see in the next bulleted section though, if you add more than 4 users at a time, it’s likely you will see this state.
Syncing-Init: Once GroupWise gets the message that a user has been added to the Mobility Service, the synchronization begins. As many as four users can be synchronizing simultaneously.
Syncing-Days: The initial synchronization of email is for three days. Users can change this at the device. When a user asks for 7 days, 2 weeks, 1 month, etc., the Mobility Service must ask the POA for the older messages.
Synced: This is by far the most common state you will see. When the user is in a synced state, this does NOT mean that the devices that the user has connected are up to date. In fact, a user can show a synced state, and the Device State can show “Never Connected”. A “synced” user state means that the Mobility Service and GroupWise are synchronized.
Blocked: If you have blocked users from connecting their devices, the user state will change to blocked.
Failed: If the Mobility Service cannot synchronize with GroupWise, you will see a failed state. Back when we were adding users with LDAP groups, it was mentioned that having a different LDAP ID from the GroupWise ID would cause problems. Almost every time we’ve seen a “failed” state, it has to do with a mismatch of GroupWise and LDAP IDs.
Deleting: The user is in the process of being deleted (See Figure 6-10 below).
Re-Init: The user is being reinitialized. The reinitialization process removes all of the user’s data from the Mobility Service, and then requests new data from GroupWise. This is useful when synchronization stops for no apparent reason.
If you see a Failed or Blocked state, click on the user name to be taken to the user details screen where you can perform other options, as described later in this chapter.
Whereas the User State signifies the progress of the GroupWise Sync Agent in performing its synchronization tasks, the Device State is an indicator of what is happening with the Device Sync Agent.
Never Connected: No device has ever connected to the system for this user.
Normal: Everything is copacetic!
Blocked: Devices for this user (or perhaps all users) are being blocked by the
Quarantined: If you are quarantining new devices, you will see this icon when a new device has connected, and needs to be approved.
Resetting: A Reset command has been sent to the device to wipe it.
Reset: Verification that the device has been reset.
Unless you have limited the number of devices for all users to a single device (see “The Device Sync Agent” above), you may see multiple lines here for each user. Each device can be managed separately.
Managing Individual Users and Devices
Now that you’ve seen how to add users, and view their general status, we’ll get down to more granular administration. From the Mobility Service Web Console, click on the Users icon. We’ll be back to the screen shown in Figure 6-6. Each user’s name is a clickable link that will drill down to settings specific to that user. We’ll look at those settings now.
The top line of the User Details page shows the user’s name, state, settings and available actions. If there is a problem with the user’s state (for example, blocked or failed), you can take corrective action here. This top line has a few icons of note.
Device Configuration: When you click this device configuration icon, you can choose which email folders are synchronized to the devices. By default all folders are synchronized. By limiting folders here, items that would never be useful on a device (perhaps logs, or certain email lists that a user does not read on the device), you can limit the amount of data that is stored on the Mobility Service. Even when all folders are synchronized to the Mobility Service, the email is only synchronized to the device’s Inbox (or other folders if the device allows you to specify multiple push folders) unless the user clicks on a specific folder in the email client. Once a user clicks a folder other than the Inbox, those messages are downloaded to the device. So, many sites do not limit folders here, but rely on the user to only choose to download items that make sense to have on the device.
GroupWise Configuration: When you click on this GroupWise configuration icon, you see which address books are set to synchronize, and what items the user has chosen to sync. Note that upon creation of a user, all address books except the Frequent Contacts Book are chosen to synchronize. This default cannot be changed, but users can choose which books they wish to have on their devices after the initial sync by logging into the admin portal. Here users can also choose which of their address books will receive contacts that are created on the devices, which often do not have the ability to save a contact to a specific address book. Some administrators choose to manage all of this for the users rather than allowing users to log into the portal.
Re-Initialize User: There are times when a user needs to be reinitialized. If a user shows a state of “Failed”, then this is often the first step prior to deleting a user. Re-initializing will allow the user settings to remain, but refresh the data for the system. This will effectively re-initialize all data for all devices as well.
Block User: This will stop synchronization with all devices for the user. This is useful if you are performing maintenance (such as re-initializing the user), or need to prevent the user from downloading new data without deleting devices or the user itself.
Unblock User: If you have blocked the user, this icon will appear. Clicking it will give you the opportunity to unblock the user.
Looking again at Figure 6-8 above, you will see the section entitled Devices. Here is where you can see all of the devices that are in use for each user. Here is another device list. We will reference both of these figures in our discussion of devices.
More Device examples
In these two figures we have iOS devices, Android devices, even “Application” generated devices such as the MacTouchDown and SafeZoneiPad devices. The following information is available for each device:
Device ID: Each device has a specific ID. Typically this will be the device serial numbers, sometimes the IMEI number, or even an application generated ID.
Type: Here you will see things like iPad, iPhone, Android, or an application
OS: What OS is the device running. This can be useful for troubleshooting.
Protocol: You may see 2.5 or 12.1 here.
Last Sync: Pretty self-explanatory. When did this device last sync with the server.
The next column is “Actions”. A couple of these settings were listed above under User Actions. Performed there, these actions affect all devices. To be more granular, you can perform some actions per device.
Resync Device: This function removes all existing data from the device, and resynchronizes. This is effectively the same thing as removing the account from the device and re-adding it. This might be necessary if the synchronization to the device stops working, or the data on the device no longer matches what is in GroupWise. If the user has more than one device and all are exhibiting problems, re-initializing the user as described in “User Actions” above is a better choice.
Block Device: This will stop synchronization with a specific device for the user.
Unblock Device: If you have blocked the device, this icon will appear. Clicking it will give you the opportunity to unblock the device.
Reset device to factory standards: If the device will allow it, you can reset the device to factory standards. If no reset icon is available for a device, this means that the device does not support resetting from the Mobility Service. Additionally, some Application devices will allow for a reset of the application’s data only. For example, Nitrodesk TouchDown products and Fixmo’s SafeZone product allow you to save GroupWise data into a specific application on your device or computer. Resetting such “devices” to factory standards will simply delete the data in that application, and not from the entire device that houses the application. This particular function is of course a destructive function. It should be used with care, typically with the permission of the device owner.
Back at Figure 6-8, you will see a section called Folder List. In the figure, we have expanded the folder list by clicking the plus sign next to the section heading.
Each device has its own set of folders listed here. You can scroll through the list, and see folders for the user in question. Here you can see the number of items pending for a specific device, and how many items have synchronized to the device. This is a very useful place to look when a user complains that all email is not being received, or a particular address book has not synchronized.
Looking at Figure 6-6, you will notice that some users have an icon next to them. This is the “delete” button. In order to remove a user from the Mobility Service, you simply click on that and then verify that you wish to delete the user.
As mentioned earlier though, users added to Mobility via a group cannot be deleted from Mobility directly, but rather must be removed from the group. You will notice that all of the users above that have a group icon do not have a delete button. In order to remove these users from the Mobility Service, you must remove the user from the LDAP group or GroupWise Distribution List that assigns the user rights to the Mobility server.
When you delete a user object, you will notice a change in the name of the user and status as seen in Figure 6-10.
Deleting a user
If you are watching, you will see this “deleting” state regardless of whether you manually delete a user or remove the user from an associated group.
Changing SSL Settings for the Mobility Service
In this section we will look at a couple of SSL administration tasks that you might be called upon to perform.
Replacing the Mobility Service SSL Certificate
During installation of the Mobility Service you could have added a trusted certificate to your installation, or you might have let the installation generate a self-signed certificate for you. Of course, there will be times in the future as well, when your certificate expires and needs to be replaced. If you need instructions on how to generate a CSR for a trusted certificate, see “Installing a Trusted Certificate for your Device Sync Agent”. If you have your new certificate ready, here are the instructions for adding it to your Mobility Service!
The Mobility Service uses SSL certificates in two locations: one for the “device connection” server, and one for the Web Admin Console. You can use the same certificate for both.
Updating The Device Connection Certificate
First let’s update the device sync agent certificate!
Change to /var/lib/datasync/device on your Mobility Service.
Back up the existing mobility.pem file just for good measure (i.e. cp mobility.pem mobility.bak)
Copy the mobility.pem file that we created back in “Installing a Trusted Certificate for your Device Sync Agent” into /var/lib/datasync/device.
Restart the Device Sync Agent either by clicking on the Stop/Start buttons in the Web Admin Console, or just run rcgms restart.
Updating the Web Admin Console Certificate
You can also use the same mobility.pem file that you created earlier for securing the Web Admin Console. To do so, do the following:
Change to /var/lib/datasync/webadmin on the Mobility Service.
Back up the existing server.pem file (cp server.pem server.bak)
Copy the mobility.pem file that you created earlier into /var/lib/datasync/webadmin, and name it server.pem.
Restart the Web Admin (rcdatasync-webadmin restart).
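A pre-flight check for the two certificate procedures above, as an added example that is not part of the original chapter or the product: it confirms that the new PEM file holds a certificate and a private key that belong together, and that the certificate is not about to expire, before anything is copied. It assumes an RSA key and the openssl command-line tool; the function names and return codes are this example's own.

```shell
#!/bin/sh
# Added example (not from the product): vet a combined key+certificate PEM
# before it replaces mobility.pem or server.pem. Assumes an RSA key.

# check_pem FILE [MIN_DAYS] -> 0 when FILE is fit to install.
# Return codes (this example's own): 1 unreadable, 2 no certificate,
# 3 no private key, 4 key unusable or not matching, 5 expires too soon.
check_pem() {
    pem=$1
    min_days=${2:-30}

    [ -r "$pem" ] || { echo "$pem: cannot read file" >&2; return 1; }

    # Both blocks must be in the one file that gets copied into place.
    grep -q -e '-----BEGIN CERTIFICATE-----' "$pem" ||
        { echo "$pem: no certificate block" >&2; return 2; }
    grep -q -e '-----BEGIN .*PRIVATE KEY-----' "$pem" ||
        { echo "$pem: no private key block" >&2; return 3; }

    # A certificate belongs to a key when both carry the same RSA modulus.
    # "-passin pass:" makes a passphrase-protected key fail instead of prompting.
    cert_mod=$(openssl x509 -in "$pem" -noout -modulus 2>/dev/null) || cert_mod=
    key_mod=$(openssl rsa -in "$pem" -noout -modulus -passin pass: 2>/dev/null) || key_mod=
    if [ -z "$cert_mod" ] || [ "$cert_mod" != "$key_mod" ]; then
        echo "$pem: private key is unreadable or does not match the certificate" >&2
        return 4
    fi

    # -checkend exits non-zero if the certificate expires within N seconds.
    openssl x509 -in "$pem" -noout -checkend $((min_days * 86400)) >/dev/null ||
        { echo "$pem: certificate expires within $min_days days" >&2; return 5; }
    return 0
}

# install_pem NEW TARGET: check NEW, keep a copy of TARGET, then replace it.
# cp onto an existing file keeps that file's owner and mode.
install_pem() {
    new=$1
    target=$2
    check_pem "$new" || return $?
    if [ -f "$target" ]; then
        cp -p "$target" "$target.bak" || return 6
    fi
    cp "$new" "$target" || return 6
}

# Usage on the Mobility server, followed by the restarts described above:
#   install_pem mobility.pem /var/lib/datasync/device/mobility.pem
#   install_pem mobility.pem /var/lib/datasync/webadmin/server.pem
```

A non-zero return from install_pem means nothing was replaced by a failed check, so the running service keeps its current certificate.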
Tightening Up SSL Settings
Many sites have stringent security settings that require that only specific versions of SSL be used, or that only specific cipher types be accepted. For backwards compatibility, many web servers (including CherryPy, which is the basis for the Mobility Service) allow SSL transport with many cipher types. If your organization requires, for example, that you only accept SSLv3 connections, or that you only accept certain types of ciphers, you can modify the settings of your Mobility Service to accommodate these requirements.
There are two spots in the Mobility Connector where you can change these settings. To access them, first log into the Web Admin Console for the Synchronizer. Then do the following:
Click on the Mobility Connector in your connectors list (just named “mobility”).
Click the Edit XML Source in the upper right portion of the page.
Add the following tag just below the tag for <SSL>. The tag we add can technically be anywhere in the <custom> settings, but adding it below <SSL> keeps all of the SSL related information together and easier to read.
<sslMethod> value </sslMethod>
The valid options for the sslMethod are 1, 2, 3 or 4 as defined below:
SSLv2 = 1
SSLv3 = 2
TLSv1 = 4
All of the above = 3
If you wish to limit the ciphers that can be accepted by your server, also add a tag for
<sslCiphers> list </sslCiphers>
You can find the list of ciphers that your server accepts by typing openssl ciphers -ssl3 in a terminal window. Replace the word “list” with the ciphers that you wish to allow.
Click Save XML to save your changes.
Next click Home to return to the main Web Admin Page.
Restart the Device Sync Agent by clicking the stop button (red box), and then click the start button (green arrow).
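One way to build the <sslCiphers> value from the openssl ciphers output while leaving out suites that are weak by construction; this is an added example, not part of the original chapter or the product, and the function names and the sample list are constructed. It uses sslMethod 4 because, in the table above, that is the only value that excludes SSLv2 and SSLv3.

```shell
#!/bin/sh
# Added example (not from the product): build the <sslCiphers> value from the
# colon-separated suite names that `openssl ciphers` prints, leaving out suites
# that are weak by construction. Suites that remain are not thereby endorsed.

# filter_ciphers "SUITE:SUITE:..." -> prints the kept suites, colon-separated.
# Dropped suite names and the reason go to stderr. Returns 1 if nothing is left.
filter_ciphers() {
    kept=
    old_ifs=$IFS
    IFS=:
    for suite in $1; do
        case $suite in
            EXP-*|EXP1024-*) why="export-grade key length" ;;
            *NULL*)          why="no encryption" ;;
            ADH-*|AECDH-*)   why="anonymous key exchange, server not authenticated" ;;
            *RC4*)           why="RC4 stream cipher" ;;
            *DES-CBC-*)      why="single DES, 56-bit key" ;;
            *-MD5)           why="MD5-based MAC" ;;
            *)               why= ;;
        esac
        if [ -n "$why" ]; then
            echo "dropped $suite: $why" >&2
        else
            kept=${kept:+$kept:}$suite
        fi
    done
    IFS=$old_ifs
    [ -n "$kept" ] || return 1
    printf '%s\n' "$kept"
}

# ssl_tags "SUITE:SUITE:..." -> the two lines to place below <SSL>,
# written with the spacing this page shows for the tags.
ssl_tags() {
    list=$(filter_ciphers "$1") || return 1
    printf '<sslMethod> 4 </sslMethod>\n<sslCiphers> %s </sslCiphers>\n' "$list"
}

# Constructed sample in the format `openssl ciphers` prints.
SAMPLE='DHE-RSA-AES256-SHA:AES256-SHA:DES-CBC3-SHA:RC4-SHA:RC4-MD5:DES-CBC-SHA:EXP-RC4-MD5:ADH-AES128-SHA:NULL-SHA:AES128-SHA'

# On the server: ssl_tags "$(openssl ciphers -ssl3)"
```

The stderr lines give a record of what was excluded and why, which is useful to keep alongside the change.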
User and Device QuickStart
Users can also access the Web Admin Console. By entering the URL of your Mobility Pack server in their web browser, the user can log in and change the address books to sync, and choose which, if any, types of items they wish to limit from syncing to the device. For example, if you set yourself up as the Synchronizer administrator user, you can access your personal User Options page with the following URL:
If you set your own login as an LDAP administrator for the system, you can log into the Web Console as a “typical user” by going to:
Here a user can set options for synchronizing address books and other items to devices. If users have address books and/or folders that they do not want to synchronize to the device, it can be useful to have them log in before setting up the device to avoid downloading a lot of information and then changing it later to exclude these items.
In order for your users to set up their devices in the ActiveSync or “Exchange” client for the device, typically they will only need the following information:
DNS name of your Mobility Service (for example, gw.yourdomain.com)
Whether or not you are using SSL (i.e., port 80 or port 443, or even a custom port if you need to do that)
Their own eDirectory or GroupWise userid and password (depending on whether you are using LDAP or GroupWise authentication)
Some devices might insist that the user enter a “domain”. Mobility doesn’t care, so typically I suggest that sites just use a variation of their company name here. For example, we use “Caledonia” as the domain designation for devices that want something.
Information on setting up some specific devices is at http://wiki.novell.com/index.php/Data_Synchronizer_Mobility_Connector. Caledonia also has a comprehensive iOS Users Guide, which includes information on the Mobility Pack settings and operation for the iPhone/iPod Touch/iPad. In addition to basic setup instructions for the iOS devices, the Caledonia iOS Users Guide has detailed information on the operation of the Mail, Calendar and Contacts apps on the iOS devices as used with the GroupWise solution.
Editing XML Files for Other Changes
There are a number of changes that you can make to your system that cannot be accomplished in the Web Admin Console. For these, you must edit some XML files and then restart the Mobility Service (rcgms restart). We’ll go over a few of these now.
Modifying the Synchronizer Web Admin Port Number
If you wish to change the access port for the Web Admin Console from 8120 to something else, you can do this by editing the /etc/datasync/webadmin/server.xml file. You will need root access to do this (su or sudo). Find 8120 in this file and change it to the port of your choice. Save the file and restart the Web Admin server (rcdatasync-webadmin restart).
Adding Additional LDAP Synchronizer Administrator Users
During installation you can only add one user who has access to the GroupWise Mobility Service Web Admin Console. If you wish to add additional users for access, edit the /etc/datasync/configengine/configengine.xml file in a text editor. You will need root access to do this (su or sudo). Find the following section:
Duplicate the <dn> line and place it before the </admins> line to configure the administrators you desire. After saving the file you must restart the Synchronizer (rcdatasync-syncengine restart).
Updating the Mobility 2.0 Installation
Now that you have your Mobility server up and running, you can be sure that you will need to update it within a few months! Novell has committed to rolling out updates to the Mobility Service on a regular basis, bringing new features and bug fixes very quickly. If you are looking to upgrade from the 1.2.x Data Synchronizer, please see “Upgrading GroupWise Mobility Service”.
There are two ways you can update your Mobility Service:
Download the Mobility ISO from downloads.novell.com and apply the update in YaST using the Patch CD Update option.
Use zypper to update Mobility directly from the online repository for Mobility.
While you can always use the Patch CD Update to do your update, you can only use the zypper method if you are on the same “dot” release. What this means is, if you are running version 2.0, and Novell releases 2.0.1, you can use zypper to update. However, if you are running version 2.0 and Novell releases 2.1, you will need to use the Patch CD Update to update your server.
Updating Using the Patch CD Update
If you are happier using YaST for your updates, you can always download the ISO from download.novell.com and do your update.
Download the Update CD from download.novell.com to a location on your Mobility server.
First unload your current 2.x Mobility Service.
ps -eaf | grep gms
Choose Patch CD Update (note: do not use the Add-On Products option, as this would require you to go through the setup again).
You may be asked to update your Novell Customer Center options when you load Patch CD Update. Follow the prompts to update, and you may need to load the Patch CD Update option again.
When you reach the screen where you point to the Patch CD, choose Local ISO image.
Browse for your file, choose it and then click Next.
Accept the license agreement.
You will see the list of files that will be updated. I have found that it is best at this point to uncheck all items other than the Mobility Service version you are attempting to upgrade to. You can do any other updates that the system suggests later. Choose Next.
Click Start Update when you are prompted.
After the update has finished, exit YaST and change to /opt/novell/datasync
Run the update.sh script and follow the prompts*
After the script has finished, then run rcgms restart.
Note that in step 13 above, this is the current routine for updating your server. Make sure to read the readmes on any update to see if these options change. If you get login or other odd errors when running update.sh, type
Make sure that your server’s host name is there. If not, edit the file, add the host name, and rerun update.sh.
To check that everything updated properly, log into your WebAdmin and look to see that the version number and build number look correct.
Updating Using Zypper
Using zypper will allow you to update online from the online repository without downloading the ISO. This requires that your Novell Customer Center information is up-to-date, and that your account is active.
You can check to see if you have a Mobility repository set by running the following at the terminal prompt:
You should see something like the following:
# | Alias | Name | Enabled | Refresh
1 | GroupWise-Mobility-Service_2.0 | GroupWise-Mobility-Service_2.0 | Yes | No
2 | SUSE-Linux-Enterprise-Server-11 11-0 | SUSE-Linux-Enterprise-Server-11 11-0 | Yes | No
3 | nu_novell_com:Mobility-2.0-Updates | Mobility-2.0-Updates | Yes | Yes
4 | nu_novell_com:SLES11-Updates | SLES11-Updates | Yes | Yes
If you do not show a Mobility repository, you can run the following, all on one line:
suse_register -a regcode-mobility=registration_code -a email=email_address -L /root/.SUSE_register.log
Of course, you need to enter your own registration code and email address here. This will register you with the Mobility repository. After you complete this, you can run the following:
zypper up -r nu_novell_com:Mobility-2.0-Updates
This will prompt you through the update. After the update is complete, change to /opt/novell/datasync and run update.sh. Note that this is the current procedure. You should be certain to check the readme to see if the update script name changes.
The Mobility Service database occasionally needs maintenance. Here are some options for you:
Vacuum & Reindex (TID 7009453)
Backup & Restore (TID 7008163)
Remove user references (TID 7008852)
Mcheck is a new utility that ships with GMS 2.0. It provides diagnostic tools that can assist with rooting out and fixing GMS problems.
Mcheck is a python script found in the /opt/novell/datasync/tools/mcheck folder. The script MUST be run as root.
To run mcheck, change to the /opt/novell/datasync/tools/mcheck folder and run python mcheck.pyc
This will invoke a menu described as follows:
MCheck (Version: 1.0) – Running as root
Please use only when directed by Novell Support.
If you choose 1 for System, the following menu appears:
MCheck (Version: 1.0) – Running as root
Please use only when directed by Novell Support.
1 Get Mobility Configuration
2 GroupWise System Address Book Check
0 Main Menu
Under the MCheck directory, there is a ‘logs’ directory. A separate log file is created for each action selected from the menu. Each log file has a date and time stamp to provide uniqueness. At present, there is no process to clean up MCheck log files.
The following section describes the purpose of each MCheck option, how to access it via the menu, the log file locations, and a recommendation. The output for each entry will also detail the log name and location so that you can see the details for the process.
Get Mobility Configuration
When you choose this from the menu, you get an output similar to the following:
Completed getting GroupWise Mobility Service Configuration.
Log file location: logs/mobConfiguration_2013-11-19T11:51:50.log
Enter to continue
The information gathered here includes defined log levels, attachment size limits, LDAP poll rates, server locations, and Postgres database settings.
GroupWise System Address Book Check
This check ensures that the GroupWise System Address Book and the Mobility Address Book are in sync. If errors are detected, you will be prompted to fix them during the check.
If you choose 2 at the main menu, you will see the following menu:
MCheck (Version: 1.0) – Running as root
Please use only when directed by Novell Support.
1 Check User
0 Main Menu
The only option here is to do a user check.
This option will verify that all GroupWise entries are successfully being synced to Mobility. All items (inbox, calendars and contacts) are checked for synchronization issues. Just enter the userid you wish to check.
Here’s an entry from my check!
Completed analysis for user: cn=danita,o=CNC
Device count: 4
No GroupWise configuration problem detected.
Mobility Folder structure problem detected
Email Summary (Inbox only)
GroupWise Inbox count: 5430
Mobility Inbox count (success): 5344
Mobility Inbox count (failure): 86
GroupWise Calendar count: 123
Mobility Calendar count (success): 123
Mobility Calendar count (failure): 0
GroupWise Contacts count in synced books: 0
Mobility Contacts count (success): 0
Mobility Contacts count (failure): 0
Log file location: logs/danita_2013-11-20T10:07:57.log
User problem detected. Do you want to correct the problem by re-initializing the user? (yes/no)
So, time to re-initialize poor Danita! When I indicate “yes” to re-initialize, the process is kicked off. In the Web Admin, if I click on users, I now see that Danita is indeed in a Re-Init state.
The end of the run will indicate where the log exists. This can be a fairly large log depending on the errors. While we’ve deleted chunks of this log, here are some of the things you will have access to:
Test 1: Does the Mobility Event Configuration exist for this server?
Test 2: Is the user in the GroupWise POA notification list?
Test 3: Is the user configured on other Mobility Systems?
Test 4: Are all GroupWise address book in the GroupWise folder list?
Folder Structure Check
Test 1: In the SE, validate each folder has a parent folder.
GroupWise folder structure
All folders have valid parents.
Mobility folder structure
All folders have valid parents.
Test 2: In the SE, validate the GroupWise and Mobility folder structures.
GroupWise is missing these mobility folders:
Folder Name: TouchDown; Id:
Folder Name: Deleted Stuff; Id:
Mobility is missing these GroupWise folders:
Folder Name: TouchDown; Id:
Parent Name: Cabinet; Type: Cabinet; Id:
Test 3: In the Mobility Sync Agent, validate that each system folder exists.
No Mobility Sync Agent system folders problems.
Mobility User Current Sync State: Synced
Here a list of all devices will appear, with the last connection time for each.
Test 1: Folder Compare – Have all GroupWise events successfully synced to Mobility?
Note: Only comparing Inbox, personal calendars, and selected personal books (contacts).
Evaluating GroupWise folder: Mailbox (Email).
This will now check all devices for errors. In my case, only one device had issues.
Device Last Connection: 11/18/2013 02:00:54 PM. Events newer than: 2013-05-24T00:00:00Z.
Failure. GroupWise Event does not exist in Mobility.
Event in this GroupWise Folder = Mailbox
GroupWise: id=52154337.Beta.Windermere.100.1313931.1.63C.1; itemtype: Mail
GroupWise subject = re: mlc order
GroupWise created = 2013-06-22 07:34:45
Other Management Issues
Here are a few TIDs that can be helpful in keeping your system up-to-date:
Remove log archives to free up space (TID 7010533)
Register & Update
Register DataSync (TID 3030847)
Update with Novell Update Channel (TID 7007012)
Update with local ISO (TID 7007012)
Generate CSR and Key (TID 7007674)
Generate self-signed certificate (TID 7007674)
Configure certificate from 3rd party (TID 7006904)
User Authentication Issues
Finds authentication issues for specific user, suggests steps to resolve (TID 7012048)
If you give the wrong password three times, you will be locked out of the Admin Console. This can be fixed simply by restarting the webadmin:
Our next section will deal with Monitoring your Mobility Service through the new dashboard!