SLES 15 SP5 SMG Server
How can I export an eDirectory certificate and use it for SMG SMTP TLS
For the purposes of this document's example, the following is assumed. Make the appropriate changes for your own FQDNs and certificate information; this is just an example, but it did work for me with no problems:
a. The SMG server (Linux) has a fully qualified domain name (FQDN) of "smg.smgserver.com".
b. The SMG server is at least the current version, "23.3.4 rpm:1.0.1-502.1", but if your SMG is reasonably up to date it should still work fine.
c. The eDirectory server is an OES2018 box (Linux) (OES2023 is likely fine also), and its FQDN is "oes.oesserver.com".
d. This document assumes you will create the private key file and certificate signing request (.csr) with the open-source "openssl" utility on a Linux box.
e. *** BEFORE performing the steps in this document, create a snapshot backup of your SMG server to fall back on, if needed. ***
Note: Again, change the information below to match your certificate, hostname, and filename information as needed for your situation. This is just an example that did work.
1. As the "root" user at the SMG server terminal, do the command "mkdir /root/smg-certs", no quotes.
2. cd to /root/smg-certs.
3. Issue the command : openssl req -newkey rsa:2048 -keyout smgserver.key -out smgserver.csr
Enter PEM pass phrase: type your key file password and press ENTER.
Verifying - Enter PEM pass phrase: Again type your key file password and press ENTER.
Country Name (2 letter code) [US]: In the United States, type US and press ENTER.
State or Province Name (full name) [Some-State]: Type your State, like Utah and press ENTER.
Locality Name (eg, city) []: Type your city, like Provo and press ENTER.
Organization Name (eg, company) [opentext]: Type your business name and press ENTER.
Organization Unit Name (eg, section) []: Type the applicable section in your company, or just press ENTER.
Common Name (eg, server FQDN) []: IMPORTANT, type the fully qualified domain name (FQDN) of your opentext SMG (Secure Messaging Gateway) server, in this document example it is "smg.smgserver.com" and press ENTER.
Email Address []: You can type your e-mail address or just press ENTER to leave it blank.
A challenge password []: I usually just press ENTER to leave it blank.
An optional company name []: I usually just press ENTER to leave it blank.
4. You now have a new private key and .csr file; you will see them if you run "ll" in the current directory.
Login to iManager to import your .csr file to then export the public certificate:
Check LDAP settings:
1. Log in to iManager on your OES box (hopefully iManager is installed; if not, install it), and make sure that your OES box has "apache2" running. Log in as the eDirectory tree "admin" user. In this document's example the browser URL would be: https://oes.oesserver.com/nps
2. On the Roles and Tasks tab, CLICK on LDAP, and LDAP Options.
3. Click View LDAP Servers.
4. Click on "LDAP Server - <OES Server Name>.<Organization name>"; for me it is "oes.novell".
5. Click the Connections tab, above left.
6. The Server Certificate should be the default: SSL CertificateDNS.
7. LDAP Interfaces should be: ldap://:389
8. Now that you have checked these settings, just click Cancel.
Import the .csr file and export the eDirectory public certificate:
1. Click on NetIQ Certificate Server, Issue Certificate.
2. Click "Choose File", browse to your /root/smg-certs/ directory, and select the .csr file you created above. Then click Next.
3. Choose the "Key type" of "SSL or TLS", click Next, click Next again.
4. On the Subject Alternative Names section, click New; for the Type, select "DNS name", and in the "Name" field type the FQDN of your SMG server (for me it is "smg.smgserver.com"). Click OK.
Adjust the Validity period as desired; 2 years is the default. Click Next.
5. For "Save to" select the "File in Base64 format" radio button. Click Next.
6. Click Finish.
7. Click the link "Download the issued certificate".
8. Your browser will normally download the file to your Downloads directory; by default the name of the .b64 file should be <nameOfYourCSR-file>.b64. Copy it to /root/smg-certs (to keep a copy) and to /opt/microfocus/smg/certs/, both on your SMG server.
NOTE: You must change the ownership of the certificate and key file in this latter path to the "smg" user, not root.
In this example my certificate is called "cert-smg-tls.b64" and my private key is called "cert-smg-tls.key".
Refer to the screenshot below for where and how to configure SMG for SMTP TLS in the SMG Admin console. Type the path and names of your certificate and key file in the "SSL certificate file" and "SSL key file" fields as shown:
9. After you have configured the SMG SMTP interface to use your certificate and key file, click Module Management, Module Status; in the upper right, click the "Restart All" button, and click OK three times. You should see the "Run time" column count up from zero seconds.
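A scripted form of steps 3, 4 and 8, added here as an example; it is not from the article or from OpenText. It assumes openssl 1.1.1 or later (for -addext), that the "File in Base64 format" download from iManager is PEM text, and that the local account SMG runs as is named "smg" as the NOTE above states. Host names, directories and file names are the article's example values; the key passphrase is read from the KEY_PASS environment variable rather than typed at a prompt or placed on the command line.

```shell
#!/bin/sh
# Added example (not from the article or from OpenText): a scripted version of
# steps 3-4 plus the checks worth running before SMG is pointed at the files.
# Host names, directories and file names are the article's example values;
# the "smg" owner is what the article's NOTE requires. Adjust for your site.
set -eu

SMG_FQDN="${SMG_FQDN:-smg.smgserver.com}"
WORKDIR="${WORKDIR:-/root/smg-certs}"
SMG_CERT_DIR="${SMG_CERT_DIR:-/opt/microfocus/smg/certs}"

# Step 3 without the interactive prompts. -subj supplies the DN (CN is the
# SMG FQDN, the field the article flags as IMPORTANT) and -addext writes the
# same DNS SAN into the CSR. The key stays passphrase-protected as in the
# article (no -nodes); the passphrase comes from $KEY_PASS so it never
# appears in the process list.
make_csr() {
    dir="$1"; fqdn="$2"
    : "${KEY_PASS:?set KEY_PASS to the private key passphrase}"
    mkdir -p "$dir"
    openssl req -newkey rsa:2048 \
        -keyout "$dir/cert-smg-tls.key" -out "$dir/cert-smg-tls.csr" \
        -passout env:KEY_PASS \
        -subj "/C=US/ST=Utah/L=Provo/O=opentext/CN=$fqdn" \
        -addext "subjectAltName=DNS:$fqdn" 2>/dev/null
}

# Confirms the certificate issued by iManager really belongs to the private
# key by comparing the public key taken from each side. A mismatch (e.g. a
# certificate issued for an older CSR) is a classic cause of an
# "SSL failed to initialize" style startup error.
cert_matches_key() {
    cert="$1"; key="$2"
    c=$(openssl x509 -in "$cert" -noout -pubkey 2>/dev/null) || return 1
    k=$(openssl pkey -in "$key" -passin env:KEY_PASS -pubout 2>/dev/null) || return 1
    [ "$c" = "$k" ]
}

# Confirms the DNS SAN added in iManager (step 4) is present in the issued
# certificate; clients match the host name against the SAN, not only the CN.
cert_has_san() {
    openssl x509 -in "$1" -noout -text 2>/dev/null | grep -q "DNS:$2"
}

# Step 8 plus the NOTE: copy into the SMG certs directory owned by the smg
# user, leaving the originals in the work directory. The key is owner-only.
install_for_smg() {
    cert="$1"; key="$2"; dest="$3"; owner="${4:-smg}"
    install -o "$owner" -m 0644 "$cert" "$dest/"
    install -o "$owner" -m 0600 "$key" "$dest/"
}

# Before the iManager steps, on the SMG server:
#   export KEY_PASS='...'; make_csr "$WORKDIR" "$SMG_FQDN"
# After downloading cert-smg-tls.b64 into $WORKDIR:
#   verify_and_install
verify_and_install() {
    cert="$WORKDIR/cert-smg-tls.b64"; key="$WORKDIR/cert-smg-tls.key"
    cert_matches_key "$cert" "$key"  || { echo "certificate does not match key" >&2; return 1; }
    cert_has_san "$cert" "$SMG_FQDN" || { echo "SAN $SMG_FQDN missing" >&2; return 1; }
    install_for_smg "$cert" "$key" "$SMG_CERT_DIR"
    ls -l "$SMG_CERT_DIR"/cert-smg-tls.*
}
```

verify_and_install refuses to copy anything into /opt/microfocus/smg/certs/ unless the certificate matches the key and carries the SAN, so the "Restart All" in step 9 is only done with files that can actually be loaded.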
Does SMG like my certificate and key file?
Note: Normally, when SMG starts at server boot, if it likes your certificate and key file you should see something like this in your SMG SMTP log:
[139954478880512] 2024-02-29 07:41:33 (INIT) Initializing system
[139954478880512] 2024-02-29 07:41:33 (CFLD) Loading module configuration
[139954386626304] 2024-02-29 07:41:34 (CORE) Startup database notification service
[139954478880512] 2024-02-29 07:41:34 (CFSV) Starting SMTP server
[139954478880512] 2024-02-29 07:41:34 (CFSV) Starting SMTP SSL server
[139954478880512] 2024-02-29 07:41:34 (CFLD) Configuration load complete
[139954478880512] 2024-02-29 07:41:34 (CFLD) Configuration loaded for interface: SMTP Interface
If SMG does not like your certificate and/or key file, you may see something like this in your SMG SMTP log:
... SSL failed to initialize
... SSL failed to initialize
... SSL failed to initialize, TLS is disabled
... Configuration load complete
When you receive an inbound SMTP message in SMG and TLS is working correctly, you should see something like this in the SMG SMTP log:
10. You are done. If you have any issues with SMG SMTP TLS after completing the steps in this document, then "REBOOT" the SMG server.