GW Console - Primary MTA reports as Not Running

Good day, 

I used to maintain a GroupWise system for a customer, but that customer has since moved onto O365, and my GroupWise troubleshooting skills are a bit dated. I have successfully installed/configured GW 24.2.0 on my OES 23.4 server, everything was working fine until I configured the GW Monitor Agent, and Web Application. The GW Web monitor and application are running, but when I logged into the GW admin Console, it reports the Primary Domain as Nor Running, in the Administration Console - Overview when I go into the MTA itself it is running, and a rcgrpwise status at the Linux screen shows that all services are running. I have stopped/restarted the admin service many times no changes. 

Can someone point me towards what might be wrong and where I can start my troubleshooting, I was also going to attempt to restart the server (this is a small production environment) no users would be affected, but having restarted the service I would have thought that it would be the same thing. 

Any assistance gratefully accepted

Thank you

-DS

  • 0  

    Hi Daniel,

    So it is running but it is not...

    I would check that the ports are configured correctly and that the agents are all listening on their configured ports,

    __________
    Kevin Boyle, SuperUser

    Calgary, Alberta, Canada

  • 0   in reply to   

    It actually is running, "rcgrpwise status" shows all services running, I have stopped it from the console, and restarted it from the console stops and starts. But I am getting a red X in GW console for the Primary MTA , I have stopped and restarted the gwadminservice same thing it stops and restarts but still the red X 

    At this point I'm almost thinking of just deleting everything and starting from scratch, but I was hoping that there would be a quick solution, that I can find. 

    Strange that also in the GW monitor, I added an httpuser to both  the secondary domain the post office, and yet those are reporting as "No http" under the status of both. I know I solved these in the past, but cannot find my notes at this point in time. 

  • 0  

    From experience, I can only advise against setting up GroupWise 18.4 or higher on OES 23.4 if it is not an OES cluster system. In the case of Single Server, the ports used by OES collide with the ports of GroupWise. An example is GW WebApplication and GroupWise LDAPS and OES LDAPS.


    As of GroupWise 18.4, SSL and FQDN (there are minor exceptions) are required. If you see a red cross in GWadmin or Monitor Agent please check the certificate of the MTA, POA or whatever is red with openssl s_client -connect fqdn:port. SSL without FQDN is not possible, the CN should contain the server name of the GroupWise system. Furthermore, a documentation is helpful in which all ports of all functions are entered in order to have an overview for testing. Another small tool that is always helpful is the simple lsof -i:port

    One more thing: with the gwadminutils or openssl the GroupWise certificates can be read out. I always have problems in the field if there is an IP in the certificate of the Pridom, SecDom,POA, or GWIA instead of the FQDN.

    Example

    openssl x509 -in admin.pri-dom.crt -text -noout
    Certificate:
        Data:
            Version: 3 (0x2)
            Serial Number: 112107617412 (0x65f47e0004)
            Signature Algorithm: sha256WithRSAEncryption
            Issuer: O = GWSYSTEM, CN = GWSYSTEM-CA
            Validity
                Not Before: Mar 15 15:21:18 2024 GMT
                Not After : Mar 13 15:21:18 2034 GMT
            Subject: O = gwsystem, OU = pri-dom, OU = admin, CN = server.domain.com
            Subject Public Key Info:
                Public Key Algorithm: rsaEncryption
                    RSA Public-Key: (2048 bit)
                    Modulus:
                        00:f1:25:7e:d4:6f:46:6d::4e:68:bd:54:6f:9d:

    .........
                        
                    Exponent: 65537 (0x10001)
            X509v3 extensions:
                X509v3 Subject Alternative Name:
                    DNS:server,domain.com, IP Address:192.168.xxx.xxx
                X509v3 Basic Constraints: critical
                    CA:FALSE
                X509v3 Key Usage: critical
                    Digital Signature, Key Encipherment, Key Agreement
                X509v3 Extended Key Usage: critical
                    TLS Web Server Authentication, TLS Web Client Authentication
                X509v3 Subject Key Identifier:
                    17:E4:E0:C9:1A:53:17:80:40:76:01:35:8E:2A:73:5C:B6:0C:5D:E2
        Signature Algorithm: sha256WithRSAEncryption
             d5:87:e0:02:92:b7:14:3e:6b:62:27:40:32:bd:77:65:26:c2:
             19:d2:aa:98:fc:86:f8:fc:66:3c:be:93:86:25:d9:52:a4:b2:

    .........

    George

    “You can't teach a person anything, you can only help them to discover it within themselves.” Galileo Galilei

  • 0   in reply to   

    Do you use ssl for http? If in use, turn it off and try again.

    If turning off helps, then you have to work on your ssl certificate ...


    Use "Verified Answers" if your problem/issue has been solved!

  • 0   in reply to   

    Good morning 

    I turned SSL for HTTP off on the Primary Domain under the Agent Settings port 7100 SSL: Disabled attempted to stop the MTA from the admin console, even though it reported that it stopped when I checked on the server itself the Agents showed that they had been running for 2 days so I don't even think the admin console at this point is even functioning as it should be at this point. With that said I stopped the Agent manually from the server (rcgrpwise stop/start) and still no change 

    I don't believe it's the SSL certificate at this point because I haven't even done anything SSL related, by that I mean that I have not even set up LDAP servers, unless you are talking about the server certificate itself?

  • 0   in reply to   

    No, GW certs do not really have a relationship to server certs; they are GW internal certs. Check directory /opt/novell/groupwise/certificates/<long string>.

    There are ca.crt, some admin-certs and some ssl certs (I assume). They must work together. You can check them with openssl. For your version of GW they have to be SHA256 certs and some of the should contain the fqn server name and ip address.

    Use openssl x509 -noout -text <string>.crt to check!


    Use "Verified Answers" if your problem/issue has been solved!

  • 0   in reply to   

    So after trying again, this time fixing a typo that I had in the installation I used the following information: (some items I have edited out of course)

    1.) GroupWise Server (this is the only item that I have installed to this point)

    System Name: StxxIxxGwSxxxxx
    Internet Domain Name: hxxx.stxx

    Hostname: SxxxVxOxxxx.hxxx.sxx
    GroupWise Domain Name: SxxxGwPxxxxx2
    Domain Folder: /media/nss/Sxxxxxxxxx/Sxxxxxxxxxx2
    Language: English - US
    Time Zone: (UTC-05:00) Eastern Time (US & Canada)

    MTA Settings
    MTP Port: 7100
    HTTP Port: 7180
    Admin Port: 9710

    When I did this check 

    openssl x509 -in SxxxGwPxxxxxx.crt -text -noout

    Subject: O = SxxxxxxGwSxxxxx, OU = SxxxGwPxxxxx2, CN = SxxxVxOxxxx.hxxx.sxx

    In the gwadmin console for the Listed Domain, at this point just the Primary Domain, it is showing a Green Dot I have not yet added any other items nor changed anything I wanted to see it remain Green upon a reboot as well. 

    Thank you, 

    -DS

  • 0   in reply to   

    please try # openssl s_client -connect yourserver.yourdomain.com:9710

    that should come out something like this.

    # openssl s_client -connect yourserver.yourdomain.com:9710
    CONNECTED(00000003)
    depth=1 O GWSYSTEM, CN = GWSYSTEM-CA
    verify error:num=19:self signed certificate in certificate chain
    verify return:1
    depth=1 O = GWSYSTEM, CN = GWSYSTEM-CA
    verify return:1
    depth=0 O = gwsystem, OU = pri-dom, OU = admin, CN = yourserver.yourdomain.com
    verify return:1
    ---
    Certificate chain
     0 s:O = gwsystem, OU = pri-dom, OU = admin, CN = yourserver.yourdomain.com
       i:O = GWSYSTEM, CN = GWSYSTEM-CA
     1 s:O = GWSYSTEM, CN = GWSYSTEM-CA
       i:O = GWSYSTEM, CN = GWSYSTEM-CA
    ---
    Server certificate
    -----BEGIN CERTIFICATE-----
    MIIDnDCCAoSgAwIBAgIGZfR1fgAEMA0GCSqGSIb3DQEBCwUAMDsxGjAYBgNVBAoM
    EUxPR0lOLUlULUdXU1lTVEVNMR0wGwYDVQQDDBRMT0dJTi1JVC1HV1NZU1RFTS1D
    jQ1it1KxIsnJvpYhJHJ7l8nt0pZqGFFiuJhPI1lepPEkHO/uH4CIFOp+yxyx5Jp3
    fJhvDtahSBI3TdZmdY0LCg==
    -----END CERTIFICATE-----
    subject=O = gwsystem, OU = pri-dom, OU = admin, CN = yourserver.yourdomain.com

    issuer=O = GWSYSTEM, CN = GWSYSTEM-CA

    ---
    Acceptable client certificate CA names
    O = GWSYSTEM, CN = GWSYSTEM-CA
    Requested Signature Algorithms: ECDSA+SHA256:ECDSA+SHA384:ECDSA+SHA512:RSA-PSS+SHA256:RSA-PSS+SHA384:RSA-PSS+SHA512:RSA-PSS+SHA256:RSA-PSS+SHA384:RSA-PSS+SHA512:RSA+SHA256:RSA+SHA384:RSA+SHA512:ECDSA+SHA1:RSA+SHA1
    Shared Requested Signature Algorithms: ECDSA+SHA256:ECDSA+SHA384:ECDSA+SHA512:RSA-PSS+SHA256:RSA-PSS+SHA384:RSA-PSS+SHA512:RSA-PSS+SHA256:RSA-PSS+SHA384:RSA-PSS+SHA512:RSA+SHA256:RSA+SHA384:RSA+SHA512
    Peer signing digest: SHA256
    Peer signature type: RSA-PSS
    Server Temp Key: X25519, 253 bits
    ---
    SSL handshake has read 2436 bytes and written 437 bytes
    Verification error: self signed certificate in certificate chain
    ---
    New, TLSv1.3, Cipher is TLS_AES_256_GCM_SHA384
    Server public key is 2048 bit
    Secure Renegotiation IS NOT supported
    Compression: NONE
    Expansion: NONE
    No ALPN negotiated
    Early data was not sent
    Verify return code: 19 (self signed certificate in certificate chain)
    ---
    ---
    Post-Handshake New Session Ticket arrived:
    SSL-Session:
        Protocol  : TLSv1.3
        Cipher    : TLS_AES_256_GCM_SHA384
        Session-ID: 9411AB8D985B34E0590EAD79EBDCD771DBF7DC0D6DC23EDF1993871C880BD538
        Session-ID-ctx:
        Resumption PSK: D5FEE1F8C75B487898B9EB45C02CB528145C23FC2C86029A430C95D1BAE62A8F6E69A87345394CDC91D868D51DD884F3
        PSK identity: None
        PSK identity hint: None
        SRP username: None
        TLS session ticket lifetime hint: 86400 (seconds)
        TLS session ticket:
        0000 - e9 65 aa 51 2d d7 33 86-75 f1 01 32 9a e0 d4 0f   .e.Q-.3.u..2....
        0010 - 61 99 b8 c3 7f 6d ca 95-95 77 de 83 e6 80 03 af   a....m...w......

        Start Time: 1720448529
        Timeout   : 7200 (sec)
        Verify return code: 19 (self signed certificate in certificate chain)
        Extended master secret: no
        Max Early Data: 0
    ---
    read R BLOCK

    then the next step. From the gut, rebuild the GroupWise CA with gwadminutil and then distribute the CA to all POA, GWIA and domains.

    “You can't teach a person anything, you can only help them to discover it within themselves.” Galileo Galilei

  • 0   in reply to   

    Good morning, 

    So I checked my out put from the command you sent, openssl s_client -connect yourserver.yourdomain.com:9710 (I changed the values to match my GW system) and it appears that mine is resembling your out put, additionally I created a new Secondary Domain and that is reporting with a Green rundle as well. So I will make a note when doing the installation/configuration of the GW system, that for the Hostname that I use the DNS name and not the IP address as I did previously, at this point things are looking much better, though I will be trying a reboot as well to just make sure that things come up as I was (or am) expecting them to do so. 

    Thank you. 

    -DS

  • Verified Answer

    +1   in reply to   

    So it seems that when doing the Hostname (value): [DNSNameof Server] is the value that I should be using, as I have also rebooted my GW server and it came back up correctly, both the Primary Domain and the Secondary Domain(s) are showing with Green Rundles (showing as Active/Running) so I'll take from this that using the IP address in the Hostname field is no longer allowed in GW administration and I'll make some changes to my notes about this moving forward. 

    Thank you, 

    -DS 

    I'll mark this as a Verified answer.