[ngw] Admin service SSL certificate questions

Morris Blackham Morris.Blackham at microfocus.com
Fri Jun 23 18:22:13 UTC 2017


K,  now I get it.   The PO admin service doesn't accept REST API requests, so it doesn't listen on port 9710.  Only the admin service for domains will accept it.

--Morris

>>> David Gerisch <DGerisch at co.tulare.ca.us> 6/23/2017 12:02 PM >>>
Hello Morris,

OK, does this make sense?  If the server I am connecting to has an MTA, then
the admin service certificate will be for the domain object of the MTA, and
the chain will go to the CA generated by the primary domain.  If the server I
am connecting to has a POA (but not an MTA), then the admin service
certificate will be for the install certificate, and the chain likewise.  I'm
using "openssl s_client -connect hostname:9710" for testing.

Thanks!

David Gerisch

>>> "Morris Blackham" <Morris.Blackham at microfocus.com> 2017-06-22 11:30
>>>
David,  you cannot drop in a third party ca cert for gwadmin service.


The INSTALL certificate CA is just that,  it's the CA used on a server
when no other GW components are installed.   If everything is setup
properly you should have valid admin CA signed certs for DOM and PO
admin service instances in
/opt/novell/groupwise/certificates/<biglonghashdirectory>

I don't think your problem with your script is the issue above.   The CA
cert/key generated by the admin service on initial system create (or update
from 2012) is self-signed.   So depending on what your scripting language
is, you can do one of two things:

1)  if you don't feel the need to validate the cert, you can find a way to
not validate it.   For example, if you are using curl in a shell script, you
can do curl -k .....  -k says to not validate the cert.   Each scripting
language should have a similar option available.

2)  supply the admin ca.crt in your script, ie, for curl:

	curl --cacert <pathtoca.cert>

You can get the ca cert a number of ways:

a.  curl -k --user gwadmin:pwd blah  > ca.crt


b.  from a browser:  blah  and it will download the crt


c.  copy from /opt/novell/groupwise/certificates/<hasheddir>/ca.crt

--Morris
>>> David Gerisch <DGerisch at co.tulare.ca.us> 6/22/2017 11:31 AM >>>
I forgot to mention that the command to check what the server sees is an
openssl command.

openssl s_client -host <insert hostname here> -port 9710

After it goes through checking, and reporting what SSL certificates are
being used, you will have to hit Control-C to break out.
>>> "David Gerisch" <DGerisch at co.tulare.ca.us> 6/22/2017 10:25 AM >>>
I'm trying to do some scripting against the GroupWise Administration
Service, and I'm running into SSL errors, because my certificates aren't
configured correctly (apparently).  Two questions:

Question 1) If the primary domain admin service certificate has a common
name of CN=TULARE_COUNTY-CA but my post office server admin service
certificate says CN=INSTALL-CA - is that probably the source of my problem?
The post office server says the certificate chain includes

Certificate chain
0 s:/O=INSTALL/CN=INSTALL-SVC
   i:/O=INSTALL/OU=GROUPWISE/OU=ADMIN/CN=INSTALL-CA
1 s:/O=INSTALL/OU=GROUPWISE/OU=ADMIN/CN=INSTALL-CA
   i:/O=INSTALL/OU=GROUPWISE/OU=ADMIN/CN=INSTALL-CA

and the primary domain admin service certificate is none of those.  The
problem that I'm getting is that during the SSL negotiation phase of
connecting to the admin service on the local machine, I get "certificate
verify failed".

Question 2) It doesn't look very hard to replace the certificates - but
what are the implications / side effects?

It looks like all I have to do is run gwadminutil-certinst per the
documentation.  But I don't know if that's going to cause any disruption or
need any sort of service restarts or such.  Does it affect the way clients
connect to the POA?

Thanks!

David Gerisch
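The two checks the thread turns on (which CA the POA's admin service chain ends at, and verifying against the admin ca.crt instead of running curl -k), as an added Python example that is not from the ngw thread or from GroupWise itself. It parses the "Certificate chain" block that openssl s_client prints, reports the root issuer's CN and whether each link's issuer is the next cert's subject, and shows a connection that requires the chain to end at a CA in a file. The function names, the expected-CA values and the sample chain (copied from the chain posted above) are assumptions or constructed; the parser goes slightly beyond the thread by also accepting the comma-separated DN form that newer OpenSSL releases print.

```python
"""Report which CA an admin-service certificate chain terminates at.

Added example (not from the ngw thread or GroupWise): feed it the
"Certificate chain" block that `openssl s_client -connect host:9710`
prints and it tells you whether the chain ends at the CA you expect.
`fetch_verified_cert` is the alternative to `curl -k`: the chain is
verified against the admin ca.crt. Names and sample data are assumptions.
"""
import re
import socket
import ssl

# Constructed sample: the chain posted for the POA server in the thread.
SAMPLE_CHAIN = """\
Certificate chain
 0 s:/O=INSTALL/CN=INSTALL-SVC
   i:/O=INSTALL/OU=GROUPWISE/OU=ADMIN/CN=INSTALL-CA
 1 s:/O=INSTALL/OU=GROUPWISE/OU=ADMIN/CN=INSTALL-CA
   i:/O=INSTALL/OU=GROUPWISE/OU=ADMIN/CN=INSTALL-CA
---
"""

# Matches both the slash-separated form (" 0 s:/O=X/CN=Y") and the
# comma-separated form newer OpenSSL prints (" 0 s:O = X, CN = Y").
_ENTRY = re.compile(r"^\s*(?:\d+\s+)?([si]):\s*(.*)$")
_CN = re.compile(r"CN\s*=\s*([^/,]+)")


def parse_chain(text):
    """Return [(subject_dn, issuer_dn), ...] in the order the server sent them."""
    entries = []
    subject = None
    for line in text.splitlines():
        m = _ENTRY.match(line)
        if not m:
            continue
        kind, dn = m.group(1), m.group(2).strip()
        if kind == "s":
            subject = dn
        elif subject is not None:  # kind == "i"
            entries.append((subject, dn))
            subject = None
    return entries


def cn_of(dn):
    """Common name of a DN string, or None if it has no CN."""
    m = _CN.search(dn)
    return m.group(1).strip() if m else None


def diagnose(entries, expected_ca_cn):
    """Compare the chain's root issuer with the CA you expect to have signed it."""
    if not entries:
        return {"root_cn": None, "matches_expected": False,
                "self_signed_root": False, "broken_links": []}
    root_cn = cn_of(entries[-1][1])
    # Each cert's issuer should be the subject of the next cert up the chain.
    broken = [k for k in range(len(entries) - 1)
              if entries[k][1] != entries[k + 1][0]]
    return {
        "root_cn": root_cn,
        "matches_expected": root_cn == expected_ca_cn,
        "self_signed_root": entries[-1][0] == entries[-1][1],
        "broken_links": broken,
    }


def fetch_verified_cert(host, port, cafile):
    """Connect the way curl --cacert does: chain verified, no -k.

    The hostname check is off because the admin certs in the thread carry
    a service name (CN=INSTALL-SVC), not the DNS name; the chain must still
    end at a CA in `cafile`. Raises ssl.SSLError when the server presents a
    chain signed by some other CA (the "certificate verify failed" case).
    """
    ctx = ssl.create_default_context(cafile=cafile)
    ctx.check_hostname = False
    ctx.verify_mode = ssl.CERT_REQUIRED
    with socket.create_connection((host, port), timeout=10) as sock:
        with ctx.wrap_socket(sock) as tls:
            return tls.getpeercert()


if __name__ == "__main__":
    chain = parse_chain(SAMPLE_CHAIN)
    for expected in ("TULARE_COUNTY-CA", "INSTALL-CA"):
        print(expected, diagnose(chain, expected))
```

Run against the sample chain, `diagnose` reports root_cn INSTALL-CA, so checking against TULARE_COUNTY-CA (the primary domain CA) fails while checking against INSTALL-CA passes, which is the mismatch behind the verify error. Pipe real `openssl s_client` output into `parse_chain` to check a server, and point `fetch_verified_cert` at the ca.crt copied from the certificates directory to script against the admin service without disabling verification.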
