Now that we have made necessary changes to GroupWise, installed our SLES server, and prepared our SSL certificate (if applicable), we are ready to install GroupWise Mobility Service.
Beginning the Installation
Download the GroupWise Mobility Service ISO from your Customer Center portal. Place it somewhere on the SLES 11 server where you can access it. As mentioned earlier, you will also need access to the text file that was created when you generated your Trusted App. We also recommend that you have your SLES 11 installation DVD and SLES 11 SDK DVD handy just in case (if you installed the server with only the options we listed above, the SLES 11 installation DVD will be requested during the GroupWise Mobility Service setup). In this particular install, we did not need the SDK DVD, but it’s good to be prepared! You should not need the SLES 11 installation DVD2.
As discussed in “Preparing the SUSE Linux Enterprise Server”, you do not require a graphical interface to install or run GroupWise Mobility Service. That said, the figures are much better for our guide if we use the graphical installation! So, if you installed your server to boot to run level 3, just load “yast” from the terminal and follow along with our steps in the text-based installation, picking up after we load YaST from the GUI. In case you are using the text install, we assume you know how to tab through the fields and select them by pressing the space bar, and can follow along with this installation, adjusting as necessary for the text-based install.
These instructions are for the GUI-based YaST utility.
- Click on Computer, and then choose YaST from the list to the right.
- On the left-hand side, click on Software.
- Choose Add-On Products
- Click Add
- Click Local ISO Image
- Click Next.
- At the next screen, click the Browse button and find the ISO that you downloaded. Select that ISO. Click Next.
- Accept the license agreement and click Next.
- The next screen will show the YaST software patterns screen (the software search screen in the text install). Click Accept.
- You will now see the Changed Packages screen. Click Continue. If any packages required by the installation are missing, you will be prompted to install those as well. You may also be alerted to the fact that the product is either unsupported, or requires an additional customer contract for support. You can add your Mobility product to the Novell Customer Center if required after the installation.
- The installation will install all needed files.
- You will next be at the GroupWise Mobility Service Configuration screen. Click the Change box in the bottom middle and choose GroupWise Mobility Service Configuration.
- At the User Server Settings, you will see an option to choose GroupWise or LDAP as the Source for Users and Groups. This is an important change from Version 1.x of this product. This change was made primarily to accommodate the new “unassociated” option of Windermere that will allow a GroupWise system to be totally standalone with no dependency on or integration with a Directory. In the section on “Directories and GroupWise Mobility Service” we discussed the reasons for choosing one or the other. At this screen you will choose your “Provisioning” source. If you choose GroupWise as your provisioning type, this screen will be greyed out. If you choose LDAP, you will see the following settings. At the LDAP Settings screen, enter the information needed as follows:
- LDAP Server IP Address/Host Name: For most GroupWise Mobility Service installations, this will be an eDirectory server.
- LDAP Port: This defaults to 636 and will change to 389 if you uncheck the Secure box.
- LDAP Admin DN: This is your eDirectory admin login (it need not be the user “admin”, but merely a user with rights to query the LDAP server)
- LDAP Admin password: The eDirectory password for the chosen user
- If you have filled in LDAP information, when you click Next, the configuration will verify the settings you have entered. If everything is correct you will advance to Figure 4-3. Enter the following information (please note that if you have chosen GroupWise provisioning, only the bottom half of this screen is applicable):
- LDAP User Container: This is the OU where you wish to begin your user search in the directory. The search will begin in this container and search down any subcontainers it finds. If you require searching through more OUs, see “Adding Additional LDAP Contexts” later in this chapter.
- LDAP Group Container: This is the OU where you wish to begin your eDirectory groups search in the directory. Again, if you need to search additional containers, you can add them later in this chapter.
- GroupWise Mobility Service Admin DN: This is the user login you wish to assign to GroupWise Mobility Service administration. The user you indicate here is the user who will log in as the administrator in the GroupWise Mobility Service Web Console. If this is the same as the LDAP admin you entered in the previous screen, it will already be filled in for you. If you wish to have a different user be the GroupWise Mobility Service admin user, change it here. Additional administrators can be added. We will go over that in the chapter on “Administering GroupWise Mobility Service”.
- GroupWise Mobility Service Database Password: Choose a password for your database. This is the password for the PostgreSQL database. Use only alpha-numeric characters here. In the past we recommended against special characters, umlauts or other accents. In theory these should work, except for * and : characters.
- Verify the password: Enter the same password here.
NOTE: Even if you know nothing about PostgreSQL, this will still be a simple installation. The installation routine assumes that PostgreSQL is not installed, and will set it up for you. There is no need to do any “pre-installation” of PostgreSQL at all. Just enter a password here, and the entire system will be configured for you.
- When you click next, the containers for users and groups will be verified and you will move to Figure 4-4.
- Trusted Application Name: This is the name of the Trusted App we created earlier in “Creating the Trusted App”.
- Trusted Application Key File: Browse for the file that you copied to the server from your Trusted App Key generation.
- GroupWise Post Office Agent IP Address/HostName: Enter the location of your GroupWise Post Office.
- Soap Port: By default this is 7191. Change it here if you have changed the port for your Post Office Agent. Also verify whether or not SSL is enabled for SOAP on your Post Office Agent.
You need only enter the IP address for one of your GroupWise Post Office Agents. SOAP uses the same redirection table as client/server access. Thus, if a user in your system is not on the Post Office that you indicate here, the Post Office Agent will redirect the request to the proper server on login.
- The Trusted App Login will be verified, and you will move to Figure 4-5.
As discussed in the chapter on setting up SLES, if you have enabled the Proxy for SLES, you must exclude your Post Office Agent from the Proxy, or the Trusted App verification will fail.
- Device Port: This is the port that the devices use to connect to GroupWise Mobility Service. While you can technically make this any port you like, it is easiest for device setup if you run your Device Sync Agent on port 443 with SSL enabled. Most devices expect this port number, and will automatically find the server at this port with little user intervention. Some devices will not allow for this port to be changed.
- SSL Certificate: You can choose whether you wish to generate a self-signed certificate or indicate if you have purchased a certificate for this server. Some devices are more friendly to self-signed certificates than others. The iPhone, for example, will alert the user only one time that the certificate might have a problem, and then happily work thereafter with no other issues. Some Nokia devices we have tested will ask the user at almost every turn to verify the certificate. And some Windows Mobile devices will simply refuse to connect unless you have a trusted certificate (or download the certificate to the devices prior to connection). Very small systems with only devices that are friendly to self-signed certificates might choose to simply deal with the setup issues for the users. Larger sites, and sites that have devices that will not connect with the self-signed server certificate will need a purchased certificate. If you have a purchased certificate for this particular server, you can enter the certificate location here. Please refer back to the information on “Logging into the Admin Web Console” for details on preparing your purchased certificate for GroupWise Mobility Service.
- GroupWise Address Book User: You should think of this user as a “proxy object”. In other words, all objects that this user can see in your address book will be visible to all users of GroupWise Mobility Service. No password is needed here. The Device Sync Agent uses the Trusted Application Key for access to the Post Office. This user must also be provisioned on the Mobility Service.
- You may at this point be prompted with a Novell Customer Center validation. If you have never validated your Mobility license, you can do it here, and then you can update right from zypper or YaST rather than downloading update ISOs. You need your Novell Customer Center email address and the activation code for Mobility in order to complete this task. You can also choose to register later.
- Once the installation is complete, click OK at the Installed Add-On Products screen and exit YaST.
Verifying The Installation
Now we will go to a terminal window to verify that the GroupWise Mobility Service products are running.
- Go to a terminal window thus:
- From the main server screen, click Computer and click More Applications
- In the Filter box, type Terminal.
- Depending on whether you are using GNOME or KDE, you will see either GNOME Terminal or Konsole. Click on the terminal icon.
- At the terminal, type rcgms status. You will see the following:
Checking for gms monitor: running
Checking for gms config: running
Checking for gms engine: running
Checking for gms web admin: running
Checking for gms agent manager service: running
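The status check above can be scripted so that a monitoring job or a post-install check flags any component that is not running. The following is an added example, not part of the original guide or the product; it assumes every line has the form "Checking for gms <component>: <state>" as shown above, and the function names and sample inputs are constructed for illustration.

```shell
#!/bin/sh
# Added example (not from the original guide): evaluate `rcgms status` output.
# Assumption: each component line reads
#   "Checking for gms <component>: <state>"
# as in the output shown above.

GMS_EXPECTED=5   # the guide's status output lists five components

# Strip terminal colour escape sequences and trailing whitespace.
gms_clean() {
    esc=$(printf '\033')
    sed -e "s/${esc}\[[0-9;]*[A-Za-z]//g" -e 's/[[:space:]]*$//'
}

# Read status text on stdin; print the name of every component whose
# state is anything other than "running", one per line.
gms_not_running() {
    gms_clean |
    sed -n 's/^Checking for gms \(.*\):[[:space:]]*\(.*\)$/\1|\2/p' |
    while IFS='|' read -r component state; do
        [ "$state" = "running" ] || printf '%s\n' "$component"
    done
}

# Read status text on stdin; succeed only if all expected components are
# listed and every one of them is running. A missing line counts as a failure.
gms_healthy() {
    status_text=$(gms_clean)
    listed=$(printf '%s\n' "$status_text" | grep -c '^Checking for gms ' || true)
    failed=$(printf '%s\n' "$status_text" | gms_not_running)
    [ "$listed" -eq "$GMS_EXPECTED" ] && [ -z "$failed" ]
}

# Constructed sample inputs (not captured from a real server).
SAMPLE_OK='Checking for gms monitor: running
Checking for gms config: running
Checking for gms engine: running
Checking for gms web admin: running
Checking for gms agent manager service: running'

SAMPLE_BAD='Checking for gms monitor: running
Checking for gms config: running
Checking for gms engine: dead
Checking for gms web admin: running
Checking for gms agent manager service: unused'

# On a Mobility server:
#   rcgms status | gms_healthy || echo "GroupWise Mobility Service degraded"
#   rcgms status | gms_not_running
```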
There are five scripts created in /etc/init.d called:
These correspond to the lines in the rcgms status command above. In the /usr/sbin directory there are links to these four scripts
There is also a /usr/sbin/rcgms script that controls all of these scripts. You can easily stop or start all scripts by simply typing:
You can also control each script individually. For example,
would stop just the Web Admin Server.
If you do manually stop/start individual components, there is a recommended order.
Start: config -> engine -> connectors
Stop: connectors -> engine -> config
Only the WebAdmin can safely be restarted alone without affecting other components.
Logging into the Admin Web Console
Once GroupWise Mobility Service is installed, all administration is done through the Web Admin Console.
The Web Admin Console for your GroupWise Mobility Service server listens on port 8120. It is possible to change this value (see “Editing XML Files for Other Changes”), however, if you are running GroupWise Mobility Service as a dedicated appliance, there should never be a need to change this port.
To access your Web Admin Console, in your web browser go to:
At the login screen, enter the admin userid and password that you set in your installation above. Note that users can log in here as well and manage their address book and other sync settings. We will go over that in the Users Guide chapter for GroupWise Mobility Service.
You should see a screen like the one below. There are important settings for the first installation that should be looked at first, so let’s do that now.
Notice that there is an “Administration” section at the bottom of this screen that is essentially duplicated by icons at the top of the screen. You will always be able to see the icons at the top. You might wonder why these are duplicated on the home page. My best guess is that after reorganizing the entire interface, suddenly the home page was very empty. In any event, you can get to these three administrative options either from the links down the left on the home page, or up at the icons on the top.
On this screen you see both a “Groupwise” and a “Device” Sync Agent listed in the left-hand column. Next to the name of the agent is a column that shows status. The only option here is to start/stop the Sync Agents with the power button to the right of the status column. Everything else is accomplished by accessing the settings under the Administrator section (or through the icons at the top).
We will go over all of the settings later in the chapter on “Administering GroupWise Mobility Service”. For now we will just address the issues needed to properly get the server ready for users, and then go over the details of the system when we’ve got everything up and running.
Before we set our users loose on GroupWise Mobility Service, we’ll make some setting changes and add users to the system.
If you need to get back to this screen, just click on the Home icon at the left of the top navigation icons.
Adding Additional LDAP Contexts
If you chose LDAP as your provisioning method earlier, you added a single LDAP context that can be used to search for users. GroupWise Mobility Service will search that context and any OUs below it. If you need to add additional contexts for searching, do the following. It is important that you do these steps before you attempt to start adding users if the users are not in the default context that you entered during installation.
Logged into the GroupWise Mobility Service Web Console, click on the Config icon, or the Service Configuration link under Administration.
You will now see the following page.
For those of you who have used the Mobility Service before, you will notice that all of the configuration has been consolidated into one simple location. We’ve clicked on the “User Source” tab in the figure above in order to update our LDAP contexts.
Here you can do a couple of things:
- Add additional context for LDAP lookups of users and groups.
- Change the polling rate in seconds. This defines how often the LDAP server looks at groups for additions and deletions.
- Change the LDAP server and port
- Change the user and/or password that does the LDAP bind for lookups.
- Do an immediate poll for new LDAP objects (this is useful if you are adding users to your eDirectory group, for example, and you do not wish to wait for the polling interval)
Here you can also see how to change the Authorization method if you wish to use GroupWise authentication. Please note, you can only use LDAP authentication if you wish to use eDirectory as your LDAP source. If you are using any other LDAP directory (such as Active Directory) as your GroupWise Authentication source at your POA, you will need to use GroupWise Authentication here.
Notice that if you click on GroupWise as the Provisioning source, only the top portion of the page remains. Also, if you choose GroupWise as your Provisioning method, you must use GroupWise as your Authentication method as well.
Changing Initial General Settings
On this same screen, click on the “General” tab to open the general settings for the Server. If you have moved away from this window, just click on the Config icon again to return to this location.
There are a few items here that you might wish to change.
- Maximum Attachment Size: This setting will control the largest attachment size that the GroupWise server will send to the GroupWise Mobility Service Engine. The default here is 500 kB. If you have a large number of users, the attachment size will probably dictate in large part the storage requirements for your GroupWise Mobility Service.
- Maximum Send Mail Size: The converse of the first setting, this determines how large of a message can be sent from the device through the GroupWise system. For example, a user might attempt to send a large photo or other large attachment from the device. You can limit that here.
- Logging: You can set the logging here. In our figure we have our logging set to “debug”. Please note that this is very space and resource intensive, so you should only set your logging to greater than “Info” if you are debugging problems.
The rest of the settings on this screen will be explained in the “Administering GroupWise Mobility Service” chapter. If you make changes to this Sync Agent, be certain to click the Save button.
Changing Initial Device Sync Agent Settings
If necessary, log into the Mobility Service Web Console as outlined in “Logging into the Admin Web Console” or click on Home at the top to return to the main page. Click on the “Device” Sync Agent to open the settings for the Device Sync Agent.
The Device Sync Agent Settings
You can set a device security policy, and typically it’s recommended to do this right away when you install the Mobility Service. No need to let users become accustomed to the idea of lax security initially! It is important to note though, that by enabling this setting, some devices will pop up a “security notice” even if you do not actually enable any security options. So make sure you are ready before you turn this on!
To set a security policy, you must first check the box that says “Device Security Policy”. Once enabled, you can require both letters and numbers, a minimum length for the password, an inactivity time, and the ability to automatically reset a device if a password fails too many times.
Most likely the only other setting you would need to change here to get up and running is the “Block All Devices” setting. We typically recommend this when adding initial users so that your users will not attempt to log in before you are ready.
The other settings on this page will be described in the Administration chapter.
If you make changes to this sync agent, be certain to click the Save button.
Adding Users to GroupWise Mobility Service
Now that we’ve made the changes to attachment size and looked at our security policies, we will begin to add our users. You can add users individually, or through a group, as we discussed in “Creating an eDirectory Group or GroupWise Distribution List for Mobility Users”.
To add users individually to GroupWise Mobility Service, do the following:
Back at the main GroupWise Mobility Service home screen click on the Users link.
Next click on the Add Users button. You will see a Search Users box where you can type in a portion of the user’s name. If you are using LDAP provisioning, you can choose to do a lookup either with LDAP or with GroupWise. If you have chosen GroupWise provisioning and have not entered LDAP information, of course you will need to use the GroupWise radio button to search for your users. Once the user is found, you can click the checkbox next to the user’s name to add the user.
If you are using LDAP provisioning, for each user you add, if the GroupWise userid does not match the LDAP username, you must click on the link for the name under the Default Name column to enter the proper GroupWise userid for the user. Please note that in our testing, if you do not correct the Default Name right here, you will have trouble with the device not being able to synchronize data.
Adding users to the Mobility Service
If you will be adding the users via a group, follow these instructions:
Click on the Groups link at the top of the Users page and choose the Add Groups button.
Click the LDAP or GroupWise radio button as appropriate, and search for the Group you would like to add to the Mobility Service. Click the box next to the Group, and then click Add.
Wait for a minute or so, and then click on the Users tab. You should see the users there that are members of your group.
Remember, with LDAP provisioning, if a user’s GroupWise and eDirectory userids do not match, you should add the users manually, and not as a member of an LDAP group.
Verifying Synchronization and Unblocking Devices
After all of your users have been added to GroupWise Mobility Service, and you have changed any settings that you feel are important, we can check that mail is syncing and unblock the devices so that users can begin to connect.
First, let’s go to the Mobility Service Dashboard to verify that mail is synchronizing to the user Mobility Accounts. From any Web Console page, click on the Dashboard icon at the top of the screen.
The Mobility Dashboard
We will look more closely at the dashboard later, but first we just want to verify that our new user is receiving information. Click on Users in the upper middle box. The information in the bottom box will change, and you will see user accounts below like the following figure.
User Sync Status
Notice that Danita in this list shows “Sync-Validate”. This means that mail is being requested from GroupWise for Danita. James shows “Synced”. You should note that “Synced” on this page does not mean that any information has been synced to devices. It means that all information has been received from the GroupWise Sync Agent, and is ready to synchronize to devices.
Once you are ready to allow users to connect, go to the Device Sync Agent Settings and uncheck the box for blocking devices. Make sure to click the Save button so that the devices can begin syncing.
Your users should be able to point their devices to the host name that you set up in the beginning of this book. For example, if you were setting up an iPhone, you would need the following:
In the Settings App on the iOS device, go to the Mail Settings, click on Add Account and choose the “Microsoft Exchange” option.
In the “Enter your Exchange account information” screen, enter the following:
Email: Enter your email account for your GroupWise account. For example, firstname.lastname@example.org
Domain: This field should be left blank. (Note that some devices will require the domain field, so just give your users a dummy word to place here – like Mobility)
Username: This is your GroupWise userid
Description: Here you can put whatever information you like. You might leave it at your email address (which is the default), or change it to GroupWise.
After you fill in the information and click Next, you will most likely receive a message that reads “Unable to Verify Certificate” indicating that the certificate for your setup cannot be verified. This is okay to accept at this point.
Since the setup was unable to find your “Exchange” server with the information you provided, you will now be presented with a new screen where you will enter your server name. You will put in the Public IP Address or Host Name that you designated (for example, gw.company.com). Click Next. After your GroupWise settings are verified, you will see a screen that has Mail, Contacts, Reminders and Calendars, all turned on. If you choose, you can turn one or more of these functions off, although most readers will want all four enabled. When these settings reflect your wishes, click Done.
If all goes according to plan, within a few minutes GroupWise items will be syncing to your device.