Securing Novell GroupWise through SSL and S/MIME

Novell GroupWise has always been known for its security, but there's even more you can do. Attend this session to learn about areas that are frequently overlooked in the security of Novell GroupWise environments. With the help of product demonstrations, participants will learn how to implement secure LDAP authentication, how to enhance the security of GroupWise communication with SSL and how to roll out S/MIME to GroupWise users.

Presentation Transcript

  • Securing Novell GroupWise® through SSL and S/MIME
    Dirk Giles, GroupWise Software Engineer, dpgiles@novell.com
    Mukesh Jethwani, Novell WorldWide Support Engineer, mjethwani@novell.com
  • Agenda
    • LDAP authentication and Novell GroupWise Post Offices
    • Novell GroupWise Agents and SSL
      – Certificate Generation
      – Installing and Enabling SSL
      – Securing GWIA and WebAccess agents
    • Secure Internet Email with S/MIME
    2 © Novell, Inc. All rights reserved.
  • LDAP Authentication
  • Why Use LDAP Authentication?
    • Uses the user's directory password
      – Minimizes password management requirements
      – Supports password policies (Bind Mode)
      – Fewer passwords for the user to remember
    • Can authenticate to other LDAP directories
    • Requires that users connect to the directory
      – Note: Directory accounts without a password will not require a password, even with a High Security Post Office
  • LDAP Authentication Planning
    • LDAP Server information
      – Use SSL or not?
        > SSL key file
      – IP Address or name of LDAP server
      – LDAP port for LDAP server
      – User authentication method
        > Bind
        > Compare
  • LDAP Authentication Planning, Part 2
    • Use proxy user?
      – Access the directory with limited rights
      – Need distinguished name (DN)
      – Need password
    • Allow users to change password?
      – Novell GroupWise Client Change Password dialog
  • Export LDAP Certificate: Which One?
  • Export LDAP Certificate: Certificate Properties
  • Export LDAP Certificate: Export Wizard – No Private Key
  • Export LDAP Certificate: Export Wizard – Output Format and Filename
  • LDAP Server Configuration: Novell GroupWise System Tools
  • LDAP Server Configuration: LDAP Server List
  • LDAP Server Configuration: LDAP Server Options
  • Post Office Configuration: Security Settings
  • Post Office Configuration: LDAP Server Selection
  • LDAP Authentication Demonstration
  • Securing Novell GroupWise with SSL
  • Novell GroupWise Security and SSL
    • Enhances native messaging encryption
    • Ensures secure communication between the Post Office Agent and clients
    • Ensures secure communication between the Novell GroupWise agents
    • Secures Web Console and WebAccess
  • Where Do I Start?
    1. Get a certificate!
      – Generate a Certificate Signing Request (CSR)
        > Each separate server should have its own
        > Agents running on the same server can share
  • Generate Certificate Signing Request: Novell GroupWise Generate CSR Utility (GWCSRGEN)
  • Request the Certificate
    • Submit the certificate signing request to a certificate authority
      – Trusted Certificate Authorities
      – Online submission mechanisms
      – Create your own
  • Create a Certificate
    • Novell Certificate Server™ and Novell eDirectory™
      – ConsoleOne®
        > Requires the Novell Certificate Server snap-in
      – iManager
        > Requires the Novell Certificate Server plug-in module
    • YaST on Linux
      – Novell Open Enterprise Server
      – SUSE® Linux Enterprise Server
  • Create a Certificate using Novell Certificate Server
    • Enter certificate signing request
    • Select key type and usage
    • Select validity period
    • Select output format and filename
  • Issuing a Certificate with ConsoleOne: Issue Certificate Wizard
  • Issuing a Certificate with ConsoleOne: Enter certificate signing request
  • Issuing a Certificate with ConsoleOne: Select key type and usage
  • Issuing a Certificate with ConsoleOne: Select validity period
  • Issuing a Certificate with ConsoleOne: Select output format and filename
  • Issuing a Certificate with YaST: Enter Certificate Authority
  • Issuing a Certificate with YaST: Select Export to File
  • Issuing a Certificate with YaST: Select output format and filename
  • Issuing a Certificate with YaST: Save certificate
  • Issuing a Certificate with YaST: Save key
  • Certificate Generation Demonstration
  • Install the Certificate
    2. Install the certificate!
      – Use ConsoleOne to designate the certificate and key paths
      – Enter the password of the key file
  • Configure Access: Network Access Tab
    3. Enable SSL and configure access
      – Disabled, Enabled, and Required
      – Internal versus External
  • Equivalent Command Line Options
  • GWPOA Certificate Installation Demonstration
  • Securing Novell GroupWise Internet Agent
  • Securing the Novell GroupWise Internet Agent with SSL
    • Secure connections to other SMTP hosts
    • Secure connections for POP/IMAP clients
    • Secure connections to WebConsole
      – SSL Enabled or Required for the above?
  • Securing the GWIA with SSL: Install the Certificate
  • Securing the GWIA with SSL: Enabling SSL
  • Securing Novell GroupWise Internet Agent Demonstration
  • Securing Novell GroupWise WebAccess
  • Securing WebAccess with SSL
    • Securing WebAccess Agent - WebConsole
    • Securing WebAccess Application (Apache/IIS)
  • Securing WebAccess Agent: Install Certificate
  • Securing WebAccess Agent: Enabling SSL
  • Securing WebAccess Agent Demonstration
  • Securing WebAccess Application: Linux - Apache
    • Modify /etc/sysconfig/apache
      – APACHE_SERVER_FLAGS="SSL"
    • Modify /etc/apache2/vhosts.d/vhost-ssl.conf
  • Securing WebAccess Application: Linux - Apache
    • Restart apache2 by typing "rcapache2 restart"
    • If the private key has a password, restarting Apache will ask for the password during the restart. Follow the steps listed below to remove the password from the key file:
      – openssl rsa -in gw.key -out gwu.key
      – Also protect gwu.key by making sure only root can read it, by typing "chmod 700 gwu.key"
    • Modify /etc/apache2/vhosts.d/vhost-ssl.conf to point at the unencrypted key file
  • Securing Apache on Linux Demonstration
  • Securing WebAccess Application: NetWare® - Apache
    • Apache on NetWare enables SSL by default but uses the internal certificates
    • Follow TID 3033173 to import a certificate from a public CA into Novell eDirectory
    • Modify the SYS:\APACHE2\CONF\HTTPD.CONF file
      – SecureListen 443 "SSL CertificateDNS"
    • Restart Apache by typing ap2webdn and ap2webup
  • Securing WebAccess Application: Windows 2008 - IIS (screenshot slides)
  • Securing WebAccess Application: Windows 2008 - IIS
    Sign the CSR using ConsoleOne and issue the certificate in DER format, OR send the CSR to the public CA and get the certificate
  • Securing WebAccess Application: Windows 2008 - IIS (screenshot slides)
  • Securing WebAccess Application: Enabling SSL (screenshot slides)
  • Securing IIS on Windows Demonstration
  • Secure Internet Email with S/MIME
  • Secure Internet Email with S/MIME
    • What is S/MIME?
      – Digital Signature
      – Encryption (Symmetric vs Asymmetric)
    • Advantages and Disadvantages
    • Creating and Importing User Certificates (Public Key and Private Key)
    • Exchanging Public Keys/Certificates
    • Encrypting/Decrypting Mails
  • What is S/MIME?
    • S/MIME is an acronym for Secure/Multipurpose Internet Mail Extensions
    • It is a standard for public key encryption and signing of MIME data. In simple terms, it is used for digitally signing a message and/or encrypting a message
      – Digital Signature
      – Encryption
  • Digital Signature
    • Signature
      – A signature, in simple terms, is a handwritten depiction of someone's name or nickname that a person writes on documents as proof of identity and intent
    • A digital signature is an electronic signature used to authenticate the identity of the sender of a message and possibly to ensure that the original content of the message or document that has been sent is unchanged. The ability to ensure that the original signed message arrived means that the sender cannot easily repudiate it later.
  • Encryption
    • Encryption
      – A process of transforming information using an algorithm to make it unreadable to anyone except those possessing special knowledge
    • Two types of encryption
      – Symmetric vs Asymmetric?
  • Symmetric vs Asymmetric
    • Symmetric – the same key is used for encryption and decryption
    • Asymmetric – separate keys are used for encryption and decryption
  • Advantages/Disadvantages
    • Advantages
      – Authenticity and protection of the message
    • Disadvantages
      – Not all email software handles S/MIME signatures
      – S/MIME encryption is currently not available for the Novell GroupWise Linux, Mac, or WebAccess clients
  • Creating and Importing User Certificates (Public Key and Private Key)
    • Administrator – creates the public key and private key
    • Users – export the private key and the public key
    • Users – import the public key and private key into the client
  • Creating User Certificates: Login to iManager as admin
  • Creating User Certificates: Create Certificate for users (screenshot slides)
  • Importing User Certificates: Administrator sets the URL (screenshot slides)
  • Importing User Certificates: User imports the certificate (screenshot slides)
  • Exchanging Public Keys/Certificates
    • Sender – sends a digitally signed message
    • Receiver – receives the digitally signed message along with the certificate
  • Exchanging Public Key: Sender sends digitally signed message
  • Exchanging Public Keys: Receiver receives digitally signed message along with the sender's certificate
  • Encrypting/Decrypting Mails
    • Sender (original receiver) – encrypts an email using the receiver's certificate
    • Receiver (original sender) – decrypts it using his/her private key
  • Exchanging Public Keys: Send Encrypted Message
  • Exchanging Public Keys: Receive Encrypted Message
  • Overview
    • User1 sends a digitally signed message to User2
    • User2 receives the digitally signed message along with the certificate
    • Now User2 can send an encrypted message to User1
    • User1 decrypts the message with the private key
  • S/MIME Demonstration
  • Questions?
  • Unpublished Work of Novell, Inc. All Rights Reserved.
    This work is an unpublished work and contains confidential, proprietary, and trade secret information of Novell, Inc. Access to this work is restricted to Novell employees who have a need to know to perform tasks within the scope of their assignments. No part of this work may be practiced, performed, copied, distributed, revised, modified, translated, abridged, condensed, expanded, collected, or adapted without the prior written consent of Novell, Inc. Any use or exploitation of this work without authorization could subject the perpetrator to criminal and civil liability.
    General Disclaimer
    This document is not to be construed as a promise by any participating company to develop, deliver, or market a product. It is not a commitment to deliver any material, code, or functionality, and should not be relied upon in making purchasing decisions. Novell, Inc. makes no representations or warranties with respect to the contents of this document, and specifically disclaims any express or implied warranties of merchantability or fitness for any particular purpose. The development, release, and timing of features or functionality described for Novell products remains at the sole discretion of Novell. Further, Novell, Inc. reserves the right to revise this document and to make changes to its content, at any time, without obligation to notify any person or entity of such revisions or changes. All Novell marks referenced in this presentation are trademarks or registered trademarks of Novell, Inc. in the United States and other countries. All third-party trademarks are the property of their respective owners.