Novell GROUPWISE 7 - SECURITY ADMINISTRATION Manual

Part XV: Security Administration

Chapter 70, "GroupWise Passwords," on page 1111
Chapter 71, "Encryption and Certificates," on page 1117
Chapter 72, "LDAP Directories," on page 1127
Chapter 73, "Message Security," on page 1131
Chapter 74, "Address Book Security," on page 1133
Chapter 75, "GroupWise Administrator Rights," on page 1135
Chapter 76, "GroupWise Agent Rights," on page 1147
Chapter 77, "GroupWise User Rights," on page 1149
Chapter 78, "Spam Protection," on page 1155
Chapter 79, "Virus Protection," on page 1157

See also Part XVI, "Security Policies," on page 1159.


Summary of Contents for Novell GROUPWISE 7 - SECURITY ADMINISTRATION

  • Page 3: GroupWise Passwords

    Access to GroupWise® mailboxes is protected by post office security settings or GroupWise passwords. Agent passwords grant access to remote servers and to Novell eDirectory®, and protect access to GroupWise agent status information. Section 70.1, “Mailbox Passwords,” on page 1111 Section 70.2, “Agent Passwords,”...
  • Page 4: Requiring GroupWise Passwords

    “Establishing a Default GroupWise Password for New Accounts” on page 1112 “Accepting eDirectory Authentication Instead of GroupWise Passwords” on page 1112 “Using Novell SecureLogin to Handle GroupWise Passwords” on page 1113 “Allowing Windows to Cache GroupWise Passwords” on page 1113 “Using Intruder Detection”...
  • Page 5 GroupWise mailboxes. Using Novell SecureLogin to Handle GroupWise Passwords If users have Novell SecureLogin installed on their workstations, you can select Enable Single Sign-On (ConsoleOne > Tools > GroupWise Utilities > Client Options > Security > Password). This allows GroupWise users to select Use Single Sign-On (Windows client >...
  • Page 6 Online mailboxes. To change the Online mailbox password while in Caching or Remote mode, users must use a method they might not be familiar with (Windows client > Accounts > Account Options > Novell GroupWise Account > Properties > Advanced > Online Mailbox Password).
  • Page 7: Agent Passwords

    mailbox access are obtained using trusted applications, third-party programs that can log into Post Office Agents (POAs) in order to access GroupWise mailboxes. For more information about using trusted applications to bypass mailbox passwords, see Section 4.12, “Trusted Applications,” on page 69. 70.2 Agent Passwords Agent passwords facilitate access to remote servers where domains, post offices, and document...
  • Page 8: Facilitating Access to eDirectory

    70.2.2 Facilitating Access to eDirectory If you have enabled eDirectory user synchronization, the MTA must be able to log in to eDirectory in order to obtain the updated user information. An eDirectory-enabled MTA should be installed on a server where a local eDirectory replica is located. If the eDirectory-enabled NetWare MTA is running on a different server from where the domain is located, you must add the /user and /password switches, or the /dn switch, to the MTA startup file so that the MTA can authenticate to eDirectory. A startup file that carries the /password switch holds that credential in plain text, so restrict read access to the file to the MTA and its administrators.
  • Page 9: Encryption and Certificates

    Gemplus GemSAFE Card CSP 1.0 or later (http://www.gemplus.com) Schlumberger Cryptographic Provider (http://www.slb.com) For additional providers, consult the Novell Partner Product Guide (http://www.novell.com/partnerguide). These products enable users to digitally sign and/or encrypt their messages using S/MIME. When a sender digitally signs a message, the recipient is able to verify that the item was not modified en route and that it originated from the sender specified.
  • Page 10 > Tools > Options > Certificates > Get Certificate). If you provided a URL, users are taken to the Certificate Authority of your choice. Otherwise, certificates for use with GroupWise can be obtained from various certificate providers, including: Novell®, Inc. (if you have installed Novell Certificate Server 2 or later (http://www.novell.com/products/certserver))
  • Page 11: Server Certificates and SSL Encryption

    .csr file from which a public certificate file can be generated. 1 Start the GroupWise Generate CSR utility. Linux: The utility (gwcsrgen) is installed to the /opt/novell/groupwise/agents/bin directory. You must be logged in as root to start the utility. Windows: The utility (gwcsrgen.exe) is located in the \admin\utility\gwcsrgen...
  • Page 12: Using a GWCSRGEN Configuration File

    Do not abbreviate it. City: Specify the name of your city (for example, Provo). Organization: Specify the name of your organization (for example, Novell, Inc.). Division: Specify your organization’s division that this certificate is being issued to (for example, Novell Product Development).
  • Page 13: Creating Your Own Certificate

    If you are using eDirectory on Linux, the Certificate Server snap-in is installed by default. NOTE: You can create a server certificate in Novell iManager, as well as in ConsoleOne, using steps similar to those provided below. 2 Browse to and select the container where your Server object is located.
  • Page 14 4 Browse to and select the CSR file created by GWCSRGEN in Section 71.2.1, “Generating a Certificate Signing Request,” on page 1119, then click Next. By default, your own organizational certificate authority signs the request. 5 Click Next. 6 In the Type box, select Custom. 7 In the Key Usage box, select all three usage options.
  • Page 15: Installing the Certificate on the Server

    11 Select File in Base64 Format. 12 Specify the path and filename for the certificate. Limit the filename to 8 characters. You can retain the .b64 extension or use the more general .crt extension. 13 Click Save. 71.2.5 Installing the Certificate on the Server After processing your CSRs, the Certificate Authority sends you a public certificate (server_name.b64) file for each CSR.
  • Page 16 However, circumstances might arise where you need to create one manually. You can do this in ConsoleOne. 1 Make sure that Novell International Cryptography Infrastructure (NICI) is installed on the workstation where you run ConsoleOne.
  • Page 17 5 Click Validate, then click OK. 6 Click Export. 7 When asked if you want to export the private key with the certificate, select No, then click Next. 8 In the Output Format box, select File in Binary DER Format. 9 In the Filename field, specify the full path and filename for the trusted root certificate.
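The certificate workflow summarized in 71.2 (pages 11 through 17) and the signature property stated in 71.1 (page 9), worked through as an added example that is not part of the Novell manual: a POSIX shell script that uses openssl in place of gwcsrgen and of the ConsoleOne Certificate Server snap-in. The file names, the subject fields, the throwaway CA and the message text are assumptions made for the example. It generates a key and CSR with the same fields gwcsrgen asks for, has a stand-in CA sign it, runs the checks worth doing before installing the .b64 file on the server (the certificate must carry the agent's public key and chain to the root you will export in DER form), then signs a message, verifies it, alters one word and shows the verification fail.

```shell
#!/bin/sh
# Added example, not Novell's gwcsrgen or any GroupWise code: the same
# CSR -> signed certificate -> install-time checks done with openssl, plus a
# sign/verify/tamper round trip showing what an S/MIME signature guarantees.
# Every file name, the subject fields, the CA and the message are assumptions.
set -eu

WORKDIR="${WORKDIR:-$(mktemp -d)}"

# Step 1: private key + CSR with the fields gwcsrgen prompts for. The CN must be
# the host name the agent presents to clients, not an abbreviation.
make_csr() {
  openssl req -new -newkey rsa:2048 -nodes \
    -keyout "$WORKDIR/server.key" -out "$WORKDIR/server.csr" \
    -subj "/C=US/ST=Utah/L=Provo/O=Example Corp/OU=Messaging/CN=poa1.example.com" \
    >/dev/null 2>&1
}

# Step 2: a throwaway self-signed CA stands in for the organizational CA that
# signs the CSR in ConsoleOne or iManager (71.2.3).
make_ca() {
  openssl req -x509 -newkey rsa:2048 -nodes -days 365 \
    -keyout "$WORKDIR/ca.key" -out "$WORKDIR/ca.b64" \
    -subj "/O=Example Corp/CN=Example Org CA" >/dev/null 2>&1
}
sign_csr() {
  openssl x509 -req -in "$WORKDIR/server.csr" -CA "$WORKDIR/ca.b64" \
    -CAkey "$WORKDIR/ca.key" -CAcreateserial -days 365 \
    -out "$WORKDIR/server.b64" >/dev/null 2>&1
}

# Step 3: checks before copying server.b64 next to the agent (71.2.5).
# SHA-256 of the public key, taken from a private key and from a certificate.
key_fp()  { openssl pkey -in "$1" -pubout 2>/dev/null | openssl dgst -sha256 | awk '{print $NF}'; }
cert_fp() { openssl x509 -in "$1" -pubkey -noout 2>/dev/null | openssl dgst -sha256 | awk '{print $NF}'; }

# The certificate the CA returned must contain the public half of the key the
# agent will load; a mix-up between CSRs from several servers fails here.
cert_matches_key() {  # $1 = certificate file, $2 = private key file
  k=$(key_fp "$2"); c=$(cert_fp "$1")
  [ -n "$k" ] && [ "$k" = "$c" ]
}

# The certificate must chain to the trusted root you will hand to clients.
cert_chains_to_root() {  # $1 = certificate file, $2 = root certificate file
  openssl verify -CAfile "$2" "$1" >/dev/null 2>&1
}

cert_cn() {  # host name in the certificate subject
  openssl x509 -in "$1" -noout -subject -nameopt RFC2253 2>/dev/null \
    | sed 's/.*CN=\([^,]*\).*/\1/'
}

# Base64 -> binary DER, the format the trusted root is exported in (71.2.6).
root_to_der() {
  openssl x509 -in "$WORKDIR/ca.b64" -outform DER -out "$WORKDIR/ca.der" 2>/dev/null
}

# Step 4: what a digital signature gives the recipient (71.1). The server
# certificate doubles as the sender's S/MIME certificate for the example.
smime_sign() {  # $1 = plaintext file, $2 = signed (clear-signed) message out
  openssl smime -sign -in "$1" -signer "$WORKDIR/server.b64" \
    -inkey "$WORKDIR/server.key" -out "$2" 2>/dev/null
}
smime_verify() {  # $1 = signed message; succeeds only if the signature holds
  openssl smime -verify -in "$1" -CAfile "$WORKDIR/ca.b64" 2>/dev/null
}
tamper() {  # constructed in-transit change: edit one word of the signed body
  sed 's/approved/rejected/' "$1" > "$2"
}

run_demo() {
  make_csr; make_ca; sign_csr
  cert_matches_key "$WORKDIR/server.b64" "$WORKDIR/server.key" && echo "key matches cert"
  cert_chains_to_root "$WORKDIR/server.b64" "$WORKDIR/ca.b64" && echo "chains to root"
  echo "CN=$(cert_cn "$WORKDIR/server.b64")"
  root_to_der && echo "root exported as DER"
  printf 'Wire transfer approved: 10000 EUR\n' > "$WORKDIR/msg.txt"   # constructed message
  smime_sign "$WORKDIR/msg.txt" "$WORKDIR/msg.signed"
  smime_verify "$WORKDIR/msg.signed" >/dev/null && echo "original verifies"
  tamper "$WORKDIR/msg.signed" "$WORKDIR/msg.tampered"
  smime_verify "$WORKDIR/msg.tampered" >/dev/null || echo "tampered copy rejected"
}
run_demo
```

Run it with sh; set WORKDIR to keep the files. The key-match check is the one that catches a CSR/certificate mix-up between several servers, and the tampered copy is rejected because the signature covers a digest of the body. A valid signature still says nothing about who the sender is unless the signer's certificate chains to a root you trust, which is why smime_verify is given the CA file rather than -noverify.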
  • Page 19: LDAP Directories

    If you are new to GroupWise or LDAP, you might find it useful to review TID 2955731: GroupWise and LDAP in the Novell Support Knowledgebase (http://www.novell.com/support/supportcentral). This TID provides an overview of LDAP and explains the two address-book-related ways that GroupWise makes use of LDAP.
  • Page 20: Access Method

    When you understand these LDAP capabilities, you are ready to set up LDAP authentication for your GroupWise users. See Section 36.3.4, “Providing LDAP Authentication for GroupWise Users,” on page 501. 72.3.1 Access Method On a server-by-server basis (ConsoleOne > GroupWise System Operations > LDAP Servers), you can specify whether you want each LDAP server to respond to authentication requests using a bind or a compare.
  • Page 21 Directory). An advantage to this is that recipients’ certificates are available no matter what workstation the GroupWise user sends the message from. NOTE: This feature is not available in the Cross-Platform client or the WebAccess client.
  • Page 23: Message Security

    Message Security The GroupWise® client accommodates users’ preferences for security and privacy when sending messages. Users can: Sign a message with standardized text (Windows client > Tools > Options > Environment > Signature and Cross-Platform client > Tools > Options > Send > Signature). Sign a message with an electronic business card (vCard) (Windows client >...
  • Page 25: Address Book Security

    Part XVI, “Security Policies,” on page 1159. 74.1 eDirectory Information Displayed in the Address Book The Address Book displays information stored in Novell eDirectory® for users, resources, and distribution lists in your GroupWise system. By default, the following information is displayed: Name...
  • Page 26: Controlling GroupWise Object Visibility between GroupWise Systems

    a post office, or to no one at all. An object does not need to be visible to be addressable. For instructions, see Section 6.2, “Controlling Object Visibility.” 74.4 Controlling GroupWise Object Visibility between GroupWise Systems If you synchronize your GroupWise system with other GroupWise systems to simplify addressing for users of both systems, you can control what information from your Address Book you want to be available in the Address Books of other GroupWise systems.
  • Page 27: GroupWise Administrator Rights

    GroupWise Administrator Rights To administer GroupWise®, a user needs the appropriate file system rights and Novell® eDirectory rights. The following sections provide information to help you configure GroupWise administrator rights to meet the needs of your environment: Section 75.1, “Setting Up a GroupWise Administrator as an Admin Equivalent,”...
  • Page 28: File System Rights

    If you have one administrator whom you want to control all links between domains, you can assign rights to the eDirectory objects and file systems associated with domain links. The following two sections, Section 75.2.1, “File System Rights,” on page 1136 Section 75.2.2, “eDirectory Rights,”...
  • Page 29 Modify link information (for example, defining whether Domain 1 links directly to Domain 3 or indirectly to Domain 3 through Domain 2). Perform system operations (for example, managing software distribution directories, creating administrator-defined fields, and setting up eDirectory user synchronization). Perform maintenance operations (for example, rebuilding domain and post office databases, analyzing and fixing user and message databases, and changing a user’s client options).
  • Page 30 Modifications to an object can fail for the following reasons: The administrator does not have the appropriate rights to the object’s properties. For example, to restrict an administrator from moving a user from one post office to another, you could 1) not give the administrator Read and Write rights to the source or target post office object’s NGW: Members property or 2) not give the administrator Read and Write rights to the user object’s NGW: Post Office property.
  • Page 31 Performing System Operations The system operations that a GroupWise administrator can perform in ConsoleOne are listed on the Tools > GroupWise System Operations menu (Figure 75-1, GroupWise System Operations Submenu on the Tools Menu). The Select Domain, Pending Operations, and Restore Area Management operations are always available to GroupWise administrators.
  • Page 32: Common Types of GroupWise Administrators

    Performing Maintenance Operations To perform maintenance operations such as validating, recovering, or rebuilding domain databases; fixing user, resource, or post office databases; or changing a user’s client options, an administrator must have Read and Write rights to the NGW: GroupWise ID property for the object being modified. For example, to rebuild a domain database, an administrator requires Read and Write rights to the NGW: GroupWise ID property for the Domain object.
  • Page 33 File system rights, Domain administrator section (directory: NetWare rights / Windows permissions):
      - The GroupWise agent directories (NetWare default: sys:\system; Windows default: c:\grpwise): Read, Write, Create, Erase, Modify, File Scan, Access Control / Full Control
    eDirectory Rights A Domain administrator requires Read and Write rights to properties for the objects listed below. Domain object: Only the domain the administrator is responsible for unless he or she will also configure domain links.
  • Page 34 File system rights (directory: NetWare rights / Windows permissions):
      - The domain directory: Read, Write, Create, Erase, Modify, File Scan, Access Control / Full Control
      - The post office directory and the library storage area directories for libraries assigned to the post office: Read, Write, Create, Erase, Modify, File Scan, Access Control / Full Control
      - The directory for the Post Office Agent.
  • Page 35: eDirectory Object and Properties Rights

    File System Rights, Table 75-2 (directory: NetWare rights / Windows permissions):
      - sys:\public (for ConsoleOne and GroupWise Administrator snap-ins): Read, File Scan / Not applicable
      - Domain directory: Read, Write, Create, Erase, Modify, File Scan / Full Control
    eDirectory Rights A Post Office administrator requires Read and Write rights to the properties for the objects listed below.
  • Page 36 Object and property rights (object: properties):
      - Post Office: NDA: Port, NGW: Access Mode, NGW: Distribution List Member, NGW: Domain, NGW: File ID, NGW: GroupWise ID, NGW: Language, NGW: Library Member, NGW: Location, NGW: Network Type, NGW: Resource Member, NGW: Time Zone ID, NGW: Version, ngwDefaultWebAccess, ngwLDAPServerAddress, Description...
  • Page 37 Object and property rights, continued (object: properties):
      - Resource: NGW: File ID, NGW: GroupWise ID, NGW: Owner, NGW: Post Office, NGW: Type, NGW: Visibility, Description
      - Distribution List: NGW: Blind Copy Member, NGW: Carbon Copy Member, NGW: GroupWise ID, NGW: Post Office, NGW: Visibility, Description, Member
      - Library: NGW: Archive Max Size, NGW: Document Area Size, NGW: File ID...
  • Page 38: Granting or Removing Object and Property Rights

    75.4 Granting or Removing Object and Property Rights You can use trustee assignments to grant or restrict rights to an object and its properties. The following steps provide one way to grant or remove a user’s rights to an object or its properties. For additional methods, see your eDirectory documentation.
  • Page 39: GroupWise Agent Rights

    When you create domains and post offices, ConsoleOne creates the directory structures and Agent objects with all the required rights to enable the agents to function properly, regardless of link type between locations and including requirements for Novell® eDirectory® user synchronization. No...
  • Page 41: GroupWise User Rights

    GroupWise User Rights GroupWise® users require specific Novell® eDirectory rights and, in some cases, specific file system rights in order for the GroupWise client to function properly. The following sections provide information about the required rights and how to supply them.
  • Page 42: Manually Granting eDirectory Rights

    2 To have GroupWise Administrator automatically set access rights, select the Set Access Rights Automatically When Creating a GroupWise User option. To turn off this option, deselect the Set Access Rights Automatically When Creating a GroupWise User option. 3 Click OK to save your changes. 77.1.2 Manually Granting eDirectory Rights At startup, the GroupWise client must know the following: The post office where the user has an account.
  • Page 43 GroupWise Name Server (ngwnameserver) The following information applies to users running the GroupWise client in client/server access mode. If you do not want to provide eDirectory rights to GroupWise users as explained above, or if you have GroupWise users who don’t log in to eDirectory, you can set up a GroupWise name server. A GroupWise name server enables users to access their post office without knowing the IP address and port number of the POA.
  • Page 44: Granting File System Rights to the Post Office Directory

    77.2.1 Granting File System Rights to the Post Office Directory The following information applies only to users who are running the GroupWise client in direct access mode. Users who are running in client/server access mode do not require rights to the post office directories.
  • Page 45: Granting File System Rights to the Software Distribution Directory

    [Table of post office directory rights (columns: Directories, NetWare Rights, Windows Permissions); the row layout did not survive extraction. Directory names present: wpcsout, defer, problem. Rights values present: ------ / No Access, RWCEMF / Full Control, -WC-M- / Change, RWC-MF / Full Control.] 77.2.2 Granting File System Rights to the Software Distribution Directory The software distribution directory contains the GroupWise client for Windows.
  • Page 46: Granting File System Rights to the Mailbox Backup Directory

    77.2.3 Granting File System Rights to the Mailbox Backup Directory If you back up a user’s network mailbox, or a user backs up his or her local mailbox, to a network location, the user requires Read and Write file system rights to the backup directory in order to restore his or her mailbox.
  • Page 47: Configuring the Internet Agent for Spam Protection

    Spam Protection Unwanted Internet e-mail messages (spam) can be a distracting nuisance to GroupWise® client users. Your first line of defense against spam is the Internet Agent. Your second line of defense is the Junk Mail Handling feature of the GroupWise Windows client. Section 78.1, “Configuring the Internet Agent for Spam Protection,”...
  • Page 48 Individual e-mail addresses or entire Internet Domains can be placed on the user’s Junk List. Messages from these addresses are automatically delivered to the Junk Mail folder in the user’s mailbox. The user can configure automatic deletion of items in the Junk Mail folder and can also create rules to act on items placed in the Junk Mail folder.
  • Page 49: Virus Protection

    For information about these and other security products for use with your GroupWise system, see the Novell® Partner Product Guide (http://www.novell.com/partnerguide/) and the Novell Open Enterprise Server Partner Support site (http://www.novell.com/products/openenterpriseserver/partners). See also Part XVI, “Security Policies,” on page 1159.