In this chapter, we will go over the SLES preparations needed for GroupWise Mobility Service.
Installing your SLES Server
As we mentioned in the Getting Started chapter, the Novell GroupWise Mobility Service requires a 64-bit server, and cannot be installed on 32-bit SLES.
This guide does not intend to be a complete installation guide for SLES. We will just go over a few issues that are important for GroupWise Mobility Service installation.
First, we know of no “X-server” requirements for GroupWise Mobility Service, and you could simply install a very vanilla SLES 11 server with no X Window System components (i.e., GNOME or KDE). However, we also know that most GroupWise administrators feel uncomfortable not having GUI capabilities. Thus, you can choose whether you wish to install the Graphical Environment Files during your SLES server installation.
For our test server, we simply kept the default server configuration (GNOME for the Graphical Environment and Print Server with Web Based Enterprise Management selected for the Primary Function) and added the C++ Compiler and Tools.
There is no need for (thus you should not install) Apache or Tomcat. We typically also make sure that we have sources and compilers installed on all of our servers “just in case”, especially if you are installing this as a virtual machine and intend to add virtual tools to the server. There is an option during installation to install “Add-On” services to a SLES 11 server. And indeed GroupWise Mobility Service is an “Add-On” service for SLES 11. However, we do not recommend that you attempt to install GroupWise Mobility Service add-on during the initial installation of your SLES server. There are options and configuration items that are required prior to installation, and we will come back to the actual installation of GroupWise Mobility Service later in this guide.
Turning off IPv6 and Configuring a Static IP Address
During the installation, you will reach the Network Configuration screen (Figure 3-1). Click the link in the General Network Settings section to “Disable IPv6”. Earlier versions of Mobility did not work at all if IPv6 was enabled. If indeed you do need IPv6, you can leave it enabled, but our motto has always been, don’t have random protocols available that are not required.
Now you will need to configure a static IP address for your GroupWise Mobility Service server. Click the Network Interfaces link in Figure 3-1 and with the network interface selected click Edit. Change the setting here from DHCP to Static and enter your Static IP address, Subnet Mask and Hostname. After you click Next here, also make sure to click the Routing tab to enter the default route for the server. It is also very important to make sure DNS is properly configured on this server, as the GMS installation checks for DNS resolution, and will have difficulties if DNS resolution is not working properly.
If you intend to keep the SLES firewall loaded, you must open these ports/services:
- SSH, port 22 – for internal use only. You can also change the default SSH port.
- GroupWise Sync Agent Listening Port, port 4500 (default, you can change this). This is for internal use only. The GroupWise POAs in your network need to be able to talk to this port.
- HTTPS, port 443. Our assumption here is that you are using SSL for your device connections to your Mobility Service. This could be simply HTTP over port 80, but most devices will complain if you are not using SSL on port 443. Make your life simple and use SSL and port 443! You will need to open this for outside access so that your mobile devices can talk to the Device Sync Agent.
- Web Console Port 8120. This is the port that the admin console runs on. This does not need to be accessed from outside of your network, but any machine needing to administer the system will need access to port 8120. If you intend to allow your users to access the Web Console from outside of your network to modify their own sync settings, you will also need to provide access to this port from outside of your network.
- If you have enabled the proxy on your SLES server, make sure that you have an exception to the GroupWise server’s SOAP port that you will use as your GroupWise contact POA. SOAP talks on https or http and will be “caught” by the proxy otherwise, and you will not be able to verify your Trusted Application during the installation. If you get stuck there, the proxy is most likely the problem.
Opening the Mobility Port for Use by External Users
This particular function will be different at various sites, depending on your setup. Your site should have a dedicated external IP address for the server dedicated to GroupWise Mobility Service, and you will need to forward traffic on port 443 of this public IP address through to port 443 of your Mobility server. The general steps needed to make the process easy for your users are:
- Choose a DNS name that is easy to remember for your users – for example, gw.yourdomain.com
- Create a DNS record for gw.yourdomain.com to reach your network
- Enable port forwarding and create packet filters to allow HTTPS traffic to reach GroupWise Mobility Service. While the port used by the Device Sync Agent can be modified, most devices will automatically attempt to connect via HTTPS to port 443 when setting up ActiveSync services, and many will fail altogether if you attempt to change the port. Thus, using port 443 makes the most sense overall.
These steps may be accomplished by the GroupWise Administrator in some cases, or handed off to the network or firewall department in other organizations. If you are unsure of how to accomplish these tasks, you will need to consult the documentation for your firewall. There are too many types of firewalls available for us to go into detail on this step.
Disabling Apache and Tomcat
If you followed our recommendation for installing the SLES server without Apache and Tomcat, then you need not worry about turning them off. If you have Apache and Tomcat installed on this server, you can disable them by running the following commands:
chkconfig --del apache2
chkconfig --del tomcat6
Copy the Trusted App Key File to the Mobility Service
Make sure that the Trusted App Key File that you created in the previous chapter is copied to the GroupWise Mobility Service server. If you created the Trusted App Key in ConsoleOne on Linux, you can use scp to copy the file from the GroupWise Linux server to the Mobility server. From the GroupWise server, type:
scp nameoffile root@mobilityserverip:/root/
This will copy the file to the /root directory on the Mobility server. Of course, you can use any valid user on the Mobility server for the user to log in as, and you can place the file in any directory of your choosing.
If you created the Trusted App Key in ConsoleOne on Windows, you can use pscp from PuTTY http://www.chiark.greenend.org.uk/~sgtatham/putty/ to copy the file.
Installing a Trusted Certificate for your Device Sync Agent
Since many devices will complain about an untrusted certificate if you use a self-signed certificate, you may wish to purchase a certificate for your Mobility server. We can see situations during “testing” where you are not ready to do this, but ultimately most GroupWise Mobility Service servers will want a trusted certificate. If you plan on using a trusted certificate right from the start, we will go ahead and get this ready now. If you decide to let the GroupWise Mobility Service installation create a self-signed certificate for now, and wish to change it later, you can see the instructions in the chapter on “Administering GroupWise Mobility Service” later in this guide. You can purchase very inexpensive certificates at godaddy.com, for example, that can be used for your Mobility Service.
Generating your CSR
These instructions are for general use, and should be sufficient for most organizations’ security needs. If your organization has stronger security requirements than these, you probably already know not only that you have higher security requirements, but also how to create the CSR.
While you can use Novell’s GWCSRGEN to create your Certificate Signing Request, you’ve just installed your SLES 11 server, and openssl is installed by default. It is a lot simpler and quicker to just run through the CSR generation right here rather than going to find a GroupWise server that has GWCSRGEN available. If you are more of a GUI type, and feel more comfortable, you can use GWCSRGEN. Just go to http://www.novell.com/documentation/documentation/groupwise2012/gw2012_guide_admin/data/ak9e3ju.html and follow the instructions there.
We will do the certificate request right from the SLES server using openssl. Go to a terminal window, change to the directory where you would like to store your files (for this purpose your home directory or even /root/ is fine) and type:
openssl genrsa -des3 -out mobility.key 2048
Because we are using the -des3 option, we are putting a passphrase on our private key, which we are naming “mobility.key”, with a key length of 2048 bits. We find that this is sufficient for most sites. You will be asked for a pass phrase for your key. You will need to know this pass phrase in a few minutes when we generate the CSR, and also after you receive the certificate for further use. In other words, use a pass phrase that you will not readily forget!
Once our private key has been created (we named ours mobility.key), we will create the CSR. To do so, type the following in the terminal window:
openssl req -new -key mobility.key -out mobility.csr
We are requesting that a new CSR be generated, using our private key mobility.key, and naming the CSR mobility.csr.
You will be asked for the following information:
- Pass Phrase: This is the pass phrase that you just used for creating your private key.
- Country Name 2 letter code: For example, AU, US, DE
- State or Province Name (full name): For example, Colorado
- Locality Name (eg, city): Put in your city name
- Organization Name (eg, company): For example, Caledonia
- Organizational Unit Name: For example, IS
- Common Name: This is actually the host name, so for example, gw.company.com
- Email Address: This should be a domain contact person
You will then be prompted for some optional information; simply press ENTER at those prompts if you do not wish to include the information in the request.
You will now have a CSR file (in our case mobility.csr) that can be sent to the Certificate Authority for generation. Most CAs do all of this over the Internet now, having you simply copy and paste the information from your CSR directly into a box on their website, or ask you to upload the CSR file to their servers.
Once you receive the certificate from your Certificate Authority, you will need to prepare the certificate file for use by GroupWise Mobility Service. When you go to retrieve your certificate, if asked what server you are using, you can simply choose the “Apache2” download. GroupWise Mobility Service runs on CherryPy, but we’ve found no issues with using the “Apache2” formatted certificate.
First, in order to use the private key that you created above for the GroupWise Mobility Service certificate, we will need to remove the passphrase. In a terminal window, change to the directory where you created your private key and run the following:
openssl rsa -in mobility.key -out mobilitynew.key
You will be asked for the passphrase for your private key. In our case we have taken our mobility.key and created a new key called mobilitynew.key that has no passphrase. You might ask why we bother with the passphrase in the first place. Many certificate authorities will require that you have a passphrase when you submit your request. It’s easy enough to remove after the fact, so we always just create the request with a passphrase.
Preparing Your Certificate for GroupWise Mobility Service
Now on to the certificates received from your Certificate Authority.
Typically you receive your certificate in a file that ends with .crt. You may also receive one or more files that are “intermediate” certificates. For example, GoDaddy generally sends a file called gd_bundle.crt, Comodo sends ca_bundle.crt, and so on. For use with GroupWise Mobility Service, you must create a single file that contains the private key, server certificate and intermediate certificate all in one file. It will look like this:
-----BEGIN RSA PRIVATE KEY-----
private key text
-----END RSA PRIVATE KEY-----
-----BEGIN CERTIFICATE-----
server certificate text
-----END CERTIFICATE-----
-----BEGIN CERTIFICATE-----
intermediate certificate text
-----END CERTIFICATE-----
While you could use a text editor to do this, you can also just use the Linux “cat” command to manage it all.
Since you need a safe place to put your files anyway, create a directory on your new SLES 11 server, and place your unpassworded key file (ours is called mobilitynew.key) and your certificate files in the same directory. If you only have two files (for example, your CA sends you only a single .crt file), you would have perhaps mobilitynew.key and gw.company.com.crt.
So you could run the following command in this directory to create your mobility.pem file:
cat mobilitynew.key gw.company.com.crt > mobility.pem
This will create a mobility.pem file containing both the private key and the certificate file. If your CA sends you multiple files, chain them together in the order of private key, server certificate, intermediate. So for example:
cat mobilitynew.key gw.company.com.crt intermediate.crt > mobility.pem
Now, when we install the GroupWise Mobility Service files, we can point to this mobility.pem file to incorporate our official, purchased certificate into our system.
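The key, CSR, passphrase-removal and mobility.pem steps above, run non-interactively as one script, with the checks we always make before pointing the installer at the file: that the key, the CSR and the certificate share one RSA modulus, and that the passphrase really is gone from the copy the service will load. This is an added example, not from the guide: a self-signed certificate stands in for the CA's reply, and the subject fields, passphrase and directory are constructed placeholder values.

```shell
#!/bin/sh
# Added example, not from the guide: performs the key, CSR, passphrase-removal
# and mobility.pem assembly steps non-interactively, then checks that the key,
# CSR and certificate really belong together before the installer is pointed
# at mobility.pem. A self-signed certificate stands in for the CA's reply, and
# the subject fields and passphrase are constructed placeholder values.
set -e

# $1 = working directory (absolute path), $2 = passphrase for the protected key
build_mobility_pem() {
  cd "$1"
  # Passphrase-protected key (the guide's 'openssl genrsa -des3', with the
  # passphrase passed via -passout instead of an interactive prompt).
  openssl genrsa -des3 -passout "pass:$2" -out mobility.key 2048 2>/dev/null
  # CSR; -subj answers the prompts. CN must be the name the devices connect to.
  openssl req -new -key mobility.key -passin "pass:$2" -out mobility.csr \
    -subj "/C=US/ST=Colorado/L=Denver/O=Caledonia/OU=IS/CN=gw.company.com"
  # Copy of the key without the passphrase, so the service can start unattended.
  openssl rsa -in mobility.key -passin "pass:$2" -out mobilitynew.key 2>/dev/null
  # Stand-in for the CA: self-sign the CSR. A real CA returns gw.company.com.crt
  # (plus an intermediate bundle, which is appended last when present).
  openssl x509 -req -in mobility.csr -signkey mobilitynew.key -days 30 \
    -out gw.company.com.crt 2>/dev/null
  # Required order: private key, server certificate, then any intermediates.
  cat mobilitynew.key gw.company.com.crt > mobility.pem
  chmod 600 mobility.key mobilitynew.key mobility.pem   # private keys are secrets
}

# Returns 0 when the key and certificate inside $1/mobility.pem and the CSR all
# share one RSA modulus and the CSR's self-signature verifies; otherwise 1.
pem_is_consistent() {
  cd "$1"
  openssl req -noout -verify -in mobility.csr >/dev/null 2>&1 || return 1
  k=$(openssl rsa  -noout -modulus -in mobility.pem)   # reads the key block
  c=$(openssl x509 -noout -modulus -in mobility.pem)   # reads the cert block
  r=$(openssl req  -noout -modulus -in mobility.csr)
  [ -n "$k" ] && [ "$k" = "$c" ] && [ "$k" = "$r" ]
}

WORK=$(mktemp -d)
build_mobility_pem "$WORK" "example-passphrase"
pem_is_consistent "$WORK" && echo "mobility.pem in $WORK is consistent"
```

With a real CA reply, replace the self-signing step by copying the returned .crt files into the directory and appending the intermediate bundle to the cat command.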
Finally, it’s important that you back all of this up to a location other than your GroupWise Mobility Service server. If you ever uninstall your GroupWise Mobility Service and need to reinstall, you will want this information. Make a copy of your original key file, your key file that has had the passphrase removed, any certificate files received from your CA, and your mobility.pem file to a safe location.