securing novell groupwise through ssl and s/mime

Securing Novell® GroupWise® through SSL and S/Mime

Dirk Giles GroupWise Software [email protected]

Mukesh JethwaniNovell WorldWide Support [email protected]

© Novell, Inc. All rights reserved.2

Agenda

• LDAP authentication and Novell® GroupWise® Post Offices

• Novell GroupWise Agents and SSL

– Certificate Generation

– Installing and Enabling SSL

– Securing GWIA and WebAccess agents

• Secure Internet Email with S/MIME

LDAP Authentication


Why Use LDAP Authentication?

• Uses user's directory password

– Minimizes password management requirements

– Supports password policies (Bind Mode)

– Less passwords for the user to remember

• Can authenticate to other LDAP directories

• Requires that users connect to the directory

– Note: Directory accounts without a password will not require a password, even with a High Security Post Office


LDAP Authentication Planning

• LDAP Server information

– Use SSL or not?

> SSL key file

– IP Address or name of LDAP server

– LDAP port for LDAP server

– User authentication method

> Bind

> Compare


LDAP Authentication Planning Part 2

• Use proxy user?

– Access the directory with limited rights

– Need distinguished name (DN)

– Need password

• Allow users to change password?

– Novell® GroupWise® Client Change Password dialog


Export LDAP CertificateWhich One?


Export LDAP CertificateCertificate Properties


Export LDAP CertificateExport Wizard – No Private Key


Export LDAP CertificateExport Wizard – Output Format and Filename


LDAP Server ConfigurationNovell® GroupWise® System Tools


LDAP Server ConfigurationLDAP Server List


LDAP Server ConfigurationLDAP Server Options


Post Office ConfigurationSecurity Settings


Post Office ConfigurationLDAP Server Selection

LDAP Authentication Demonstration

Securing Novell® GroupWise® with SSL


Novell® GroupWise® Security and SSL

• Enhances native messaging encryption

• Ensures secure communication between the Post Office Agent and clients

• Ensures secure communication between the Novell GroupWise agents

• Secures Web Console and WebAccess


Where Do I Start?

1. Get a certificate!

– Generate a Certificate Signing Request (CSR)

> Each separate server should have its own

> Agents running on the same server can share


Generate Certificate Signing RequestNovell® GroupWise® Generate CSR Utility (GWCSRGEN)


Request the Certificate

• Submit the certificate signing request to a certificate authority

– Trusted Certificate Authorities

– Online submission mechanisms

– Create your own


Create a Certificate

• Novell Certificate Server™ and Novell® eDirectory™

– ConsoleOne®

> Requires the Novell Certificate Server snap-in

– iManager

> Requires the Novell Certificate Server plug-in module

• YaST on Linux

– Novell Open Enterprise Server

– SUSE® Linux Enterprise Server


Create a Certificate usingNovell Certificate Server™

• Enter certificate signing request

• Select key type and usage

• Select validity period

• Select output format and filename


Issuing a Certificate with ConsoleOne®

Issue Certificate Wizard



Enter certificate signing request



Select key type and usage



Select validity period



Select output format and filename


Issuing a Certificate with YaSTEnter Certificate Authority


Issuing a Certificate with YaSTSelect Export to File


Issuing a Certificate with YaSTSelect output format and filename


Issuing a Certificate with YaSTSave certificate


Issuing a Certificate with YaSTSave key

Certificate Generation Demonstration


Install the Certificate

2. Install the certificate!– Use ConsoleOne® to designate the certificate

and key paths– Enter the password of the key file


Configure AccessNetwork Access Tab

3. Enable SSL and configure access– Disabled, Enabled, and Required– Internal versus External


Equivalent Command Line Options

GWPOA CertificateInstallation Demonstration

Securing Novell® GroupWise® Internet Agent


Securing the Novell® GroupWise® Internet Agent with SSL• Secure Connections to other SMTP hosts

• Secure Connections for POP/IMAP clients

• Secure Connections to WebConsole

– SSL Enabled or Required for the above?


Securing the GWIA with SSLInstall the Certificate


Securing the GWIA with SSLEnabling SSL

Securing Novell® GroupWise®

Internet Agent Demonstration

Securing Novell® GroupWise® WebAccess


Securing WebAccess with SSL

• Securing WebAccess Agent - WebConsole

• Securing WebAccess Application (Apache/IIS)


Securing WebAccess AgentInstall Certificate


Securing WebAccess AgentEnabling SSL

Securing WebAccess Agent Demonstration


Securing WebAccess ApplicationLinux - Apache

• Modify /etc/sysconfig/apache– APACHE_SERVER_FLAGS=” SSL”

• Modify /etc/apache2/vhosts.d/vhost-ssl.conf


Securing WebAccess ApplicationLinux - Apache

• Restart apache2 by typing “rcapache2 restart”

• If the Private Key has a password restarting apache will ask for the password during the restart. Follow the step listed below to remove the password from the Key file

– openssl rsa -in gw.key -out gwu.key

– Also protect gwu.key by making sure only root can read gwu.key by typing “chmod 700 gwu.key”

• Modify the /etc/apache2/vhosts.d/vhost-ssl.conf with the unencrypted key file

Securing Apache on Linux Demonstration


Securing WebAccess ApplicationNetWare® - Apache

• Apache on NetWare by default enables SSL but uses the internal Certificates

• Follow TID 3033173 to import Certificate from a Public CA to Novell® eDirectory™

• Modify SYS:\APACHE2\CONF\HTTPD.CONF file

– SecureListen 443 “SSL CertificateDNS”

• Restart apache by typing ap2webdn and ap2webup


Securing WebAccess ApplicationWindows 2008 - IIS



Sign the CSR using ConsoleOne® and issue the certificate in a der format

OR

Send the CSR to the Public CA and get the Certificate


Securing WebAccess ApplicationEnabling SSL

Securing IIS on Windows Demonstration

Secure Internet Email with S/MIME


Secure Internet Email with S/MIME

• What is S/MIME

– Digital Signature– Encryption (Symmetric vs Asymmetric)

• Advantages and Disadvantages

• Creating and Importing User Certificates (Public Key and Private Key)

• Exchanging Public Keys/Certificates

• Encrypting/Decrypting Mails


What is S/MIME?

• S/MIME is an acronym for Secure/Multipurpose Internet Mail Extensions

• It is a standard for Public Key Encryption and signing of MIME Data. In simple terms, it is used for Digitally signing a message and/or Encrypting a message

– Digital Signature

– Encryption


Digital Signature

• Signature – A signature in simple terms is a handwritten depiction of someone's name or a nickname that a person writes on documents as a proof of identity and intent

• Digital Signature is an electronic signature used to authenticate the identity of the sender of a message and possibly to ensure that the original content of the message or document that has been sent is unchanged. The ability to ensure that the original signed message arrived means that the sender cannot easily repudiate it later.


Encryption

• Encryption – A process of transforming information using an information to make it unreadable to anyone except those possessing special knowledge

• Two types of Encryption

– Symmetric vs Asymmetric?


Symmetric vs Asymmetric

• Symmetric– Same key is used for Encryption and Decryption

• Asymmetric

– Separate keys are used for Encryption and Decryption


Advantages/Disadvantages

• Advantages

– Authenticity and Protection of the Message

• Disadvantages

– Not all email software handles S/MIME signatures

– S/MIME Encryption is currently not available for the Novell® GroupWise® Linux, Mac, or WebAccess clients


Creating and Importing User Certificates (Public Key and Private Key)

• Administrator– Creates the Public Key and Private Key

• Users– Export the Private Key and the Public Key

• Users– Import the Public Key and Private Key into the Client


Creating User CertificatesLogin to iManager as admin


Creating User CertificatesCreate Certificate for users


Importing User CertificatesAdministrator sets the URL


Importing User CertificatesUser Imports the Certificate


Exchanging Public Keys/Certificates

• Sender– Sends a digitally signed message

• Receiver– Receiver receives the digitally signed message along with the

Certificate


Exchanging Public KeySender sends Digitally Signed Message


Exchanging Public KeysReceiver receives Digitally Signed Message along with the sender's Certificate


Encrypting/Decrypting Mails

• Sender (Original Receiver)– Encrypts an email using the Receivers Certificate

• Receiver (Original Sender)– Decrypts it using his/her Private Key


Exchanging Public KeysSend Encrypted Message


Exchanging Public KeysReceive Encrypted Message


Overview

• User1 sends a digitally signed message to User2

• User2 receives the digitally signed message along with the certificate

• Now User2 can send an encrypted message to User1

• User1 decrypts the message with the Private Key

S/MIME Demonstration

Questions?

Unpublished Work of Novell, Inc. All Rights Reserved.This work is an unpublished work and contains confidential, proprietary, and trade secret information of Novell, Inc. Access to this work is restricted to Novell employees who have a need to know to perform tasks within the scope of their assignments. No part of this work may be practiced, performed, copied, distributed, revised, modified, translated, abridged, condensed, expanded, collected, or adapted without the prior written consent of Novell, Inc. Any use or exploitation of this work without authorization could subject the perpetrator to criminal and civil liability.

General DisclaimerThis document is not to be construed as a promise by any participating company to develop, deliver, or market a product. It is not a commitment to deliver any material, code, or functionality, and should not be relied upon in making purchasing decisions. Novell, Inc. makes no representations or warranties with respect to the contents of this document, and specifically disclaims any express or implied warranties of merchantability or fitness for any particular purpose. The development, release, and timing of features or functionality described for Novell products remains at the sole discretion of Novell. Further, Novell, Inc. reserves the right to revise this document and to make changes to its content, at any time, without obligation to notify any person or entity of such revisions or changes. All Novell marks referenced in this presentation are trademarks or registered trademarks of Novell, Inc. in the United States and other countries. All third-party trademarks are the property of their respective owners.

securing novell groupwise through ssl and s/mime

Technology

novell certificate server

smime2 novell

yastsave certificate

novell groupwise security

novell edirectory consoleone

limited rights

ssl certificate generation

ldap server ldap port