GroupWise Web (GWWEB) Best Practices
Applicable to GroupWise GWWEB versions 18.3, 18.4.x, 18.5, 23.4, 24.1, 24.2, 24.3, and newer
GroupWise 18.3 introduced the Web Client "GWWEB", which replaced the previous "GroupWise Webaccess" application that was built on Apache/Tomcat. GWWEB is designed from the ground up and is implemented via Docker Containers to run a self-contained web mail application. There are very few options and it doesn't take much to get going. My goal is to provide real world information that goes above and beyond what you find in the official GroupWise GWWEB product documentation. I'm making the assumption that you've looked at the documentation that can be found here: Setting Up GroupWise Web - GroupWise Installation Guide
Versioning Notice: I initially wrote this document in 2020 when GroupWise 18.3 and the first official iteration of GWWEB was released. As new versions have been introduced, I attempted to note and document the various nuances and changes of each version. However, this just isn't practical anymore. While there are generally some changes and new things in each version, in a practical sense, only the newest version matters. The older versions are mostly irrelevant. In the spirit of providing the most accurate information possibly, and due to my own workload and time constraints, my goal with this document is to provide the best information for the latest GWWEB release.
Important GroupWise 18.5+ Note: It is worth noting that GroupWise 18.5 introduced a major change related to the encoding of the keyfile for the SSL certificate/keypair. If you are running any 3rd party certificates anywhere in GroupWise, please review this link to understand the issue and how to correct it if it applies to you: https://www.redjuju.com/groupwise-18-5-released. You may need to go through and redo your private key files due to this issue, and this could impact your GWWEB implementation as well since it has to interact with the DVA(s) and POA(s).
The following Operating Systems are supported for running Docker and GWWEB:
- SLES 12 SP5, OES 2018 SP3 (Based on SLES 12)
- SLES 15 SP5, OES 2023, OES 23.4/24.x (Based on SLES 15)
Note that there are many differences between SLES 12 and SLES 15. I do not reference SLES 12 at all in this document. My preference is to always use SLES 15. Also, worth noting: While it also may be possible to run GWWEB and Docker on a Windows platform, I do not cover that at all in this document. You will have a very difficult time finding support for GWWEB on Windows if you choose to go down that path. Reference the GroupWise documentation for any questions about this:
GroupWise System Requirements: GroupWise System Requirements
GWWEB Requirements: GroupWise GWWEB System Requirements
The End Result / What To Expect
Much of the GroupWise 23.4 release was rebranding GroupWise from Micro Focus to Opentext. With this release, any previous customization or site-specific branding that could have been done previously was no longer possible. Below is a screenshot of the GroupWise 23.4 GWWeb login screen. Although it does not mean everything is working perfectly, if you get this screen when connecting to GroupWise mail with an Internet browser, you can be confident that the new GroupWise Web application is running. Note that login screen customization was reintroduced to GWWEB in version 24.2.
Updating GWWEB with each new release
If you already have a functional GWWEB implementation, the biggest question that comes up is how to properly update it when a new version is released. Fortunately, this is a pretty simple process that only takes a few minutes.
There are two primary steps in the process:
- Pull and run a new web-config to create/update any relevant config files.
- Pull and run the new gwweb app inside docker.
GWWEB "web-config" Update
Every release of GWWEB has generally brought some new config files into the mix. Therefore, you MUST pull and run a new GWWEB config any time you update. This will create / update the various files that are required to run and operate GWWEB. Failure to do this could result in connection problems or a failed GWWEB after the update. Follow this simple process to fully update your GWWEB Configs:
- Pull a new GWWEB Config from the Microfocus Docker Repository:
-
- # docker pull mfgroupwise/web-config
- # docker run -it -v /opt/novell/gw:/config -e GWADMIN_SERVICE=admin@192.168.5.5:9710 -e GWSOAP_HOST_DEFAULT=192.168.5.7 mfgroupwise/web-config
- Make sure to change the following to fit your environment:
- GroupWise Admin Service login name
- IP Address of the GroupWise Administration service
- Port Number of the GroupWise Administration Service
- The IP Address of one of the Post Offices in your environment (with SOAP enabled, which generally is)
GWWEB Application Update
This process to actually update the GWWEB Application is very straight forward and simple. Follow these easy steps below:
- Pull the new GWWEB application from the Microfocus Docker repository.
- # docker pull mfgroupwise/web:latest
- Stop the current GWWEB application
- # docker stop gwweb
- Remove the current GWWEB application
- # docker rm gwweb
- Launch GWWEB to run the new version you just pulled.
- # docker run -d --restart always -v /opt/novell/gw:/etc/nginx/gw --name gwweb -e FQDN=webmail.redjuju.com -e DNS_SERVER=192.168.1.5 -p 80:80 -p 443:443 -v /opt/novell/gw/certs:/certs -v /opt/novell/gw/logs/:/var/log/nginx/ -e GWSOAP_SSL_VERIFY=off mfgroupwise/web:latest
- Make sure to change the following to fit your environment:
- FQDN of your GroupWise GWWEB Server
- IP Address of an accessible DNS server
- That's it. If it worked before it should work again. If you have issues you can refer to various sections of this page to troubleshoot.
PRO TIPS:
Since you already had GWWEB setup before, the previous command lines you used are likely still in the history buffer of the Linux Console. You can use this to your advantage to easily put in the same commands as before, since the commands themselves do not change. To access the history buffer you can do some of the following:
- # docker run + PAGE-UP Key
- This will populate the command line with the previous "docker run" command. Page up multiple times until you find the one you need.
- # history |grep -i "docker run"
- This will show you any previous command. You can then copy/paste from there.
Confirm the Update was Successful
Once you have docker running after the update, it's easy to confirm that the update was successful. Just login to the GWWEB mail interface, click on the gear in the top right corner, and click "About". This will show you the GroupWise version of the post office you are connected to as well as the version of GWWEB that you are running.
Problems you may Experience
- Certificate Issues: You'll need to ensure that your certificates meet the GroupWise requirements. Each release of GroupWise since 18.3 has tightened down these requirements. If you get any errors during any of the above processes, it's likely that you'll need to check the certificates that your system uses on the GroupWise agents and especially on the DVA.
- Docker Issues: I've seen some problems where docker doesn't load the new gwweb version even though it acts like it should. In this case, I typically find myself scrubbing everything out of docker and ensuring that there are no old or left over bits getting in the way. Over time, even when you follow the above process, the old docker images remain in your system. When this happens, you just have to clean up and remove the old images. These are two things to look at:
- Running Docker Containers
- # docker ps
- Installed Docker Images
- # docker image list
- Running Docker Containers
- Docker Cleanup & Start Over: If you do find yourself needing to clean up Docker and start over, you need to delete/remove/purge out all of the GroupWise currently in the system. It's not always clear what you will need to remove, however there are many resources online available that discuss how to clean up Docker. I consider this link a starting point: Prune unused Docker objects | Docker Docs
Too Long Didn't Read Version (New Install)
This is the process from start to finish that is required to get the new GroupWise Web installed and configured. If everything works perfectly, this is all you need. If you're logged in as root, you do not need the sudo command.
Preparation
- Create the folder /opt/novell/gw/certs
- Copy your 3rd Party commercial certificates into /opt/novell/gw/certs
- Rename your 3rd party certificate files to server.crt and server.key
Command Line Syntax
sudo zypper install docker
sudo systemctl enable docker
sudo systemctl start docker
sudo docker run -it -v /opt/novell/gw:/config -e GWADMIN_SERVICE=admin@192.168.1.1:9710 -e GWSOAP_HOST_DEFAULT=192.168.1.2 mfgroupwise/web-config
sudo docker run -d --restart always -v /opt/novell/gw:/etc/nginx/gw --name gwweb -e FQDN=webmail.redjuju.com -e DNS_SERVER=192.168.1.5 -p 80:80 -p 443:443 -v /opt/novell/gw/certs:/certs -v /opt/novell/gw/logs/:/var/log/nginx/ -e GWSOAP_SSL_VERIFY=off mfgroupwise/web:latest
Notes
Note the following items that must be customized to your specific environment:
- You'll notice I don't actually "pull" the gwweb config or application from the Microfocus docker distribution site. This is because it's not technically necessary. If the code is not already pulled down and present on your system, it will go out and pull it automatically when you invoke the relevant "docker run" command.
- "admin" refers to your GroupWise Administrator user credential. It is not necessarily "admin".
- The IP Address referenced with the GWADMIN_SERVICE directive should be the IP address of your GroupWise Administration service.
- 9710 Is the default GroupWise Admin port but could vary.
- The GWSOAP_HOST_DEFAULT should reference the IP address of one of your GroupWise Post Office Agents. This may or may not be the same as your GroupWise Administration IP Address depending on your environment.
- FQDN should be the full DNS name that users enter to connect to GroupWise Web from the Internet.
- DNS_SERVER IP Address that docker will use for DNS Lookups. Typically a locally accessible internal DNS server that contains entries for your GroupWise environment. (Docker does not utilize your local host DNS configuration located at /etc/resolv.conf, so it must be passed to docker through the command line run option.)
- -e GWSOAP_SSL_VERIFY=off directive added for GroupWise 18.4+. The new certificate and security requirements may fail if your certs are not adequate. This allows you to bypass this check. It is on by default.
Working with Docker for GroupWise Web
I won't go into a ton of detail on Docker in general, but I will cover the basics for use in the GroupWise environment. Instead of installing an RPM module and configuring Apache and tomcat, Docker provides a prebuilt "image" that just runs. It works with a simple configuration file and minimal command-line options. Many applications are now being developed in this manner.
Helpful Docker commands:
Command | Purpose |
---|---|
zypper install docker | Installs the current Docker modules from the SUSE repositories |
systemctl enable docker | Enables the Docker service to launch on system startup |
systemctl disable docker | Prevents the Docker service from launching on system startup |
systemctl start docker | Starts the Docker service |
systemctl stop docker | Stops the Docker service |
systemctl status docker | Shows the running status of the Docker service |
docker image list | Lists the current Docker images |
docker stop gwweb | Stops the GroupWise Web application within Docker. Docker remains running. |
docker rm gwweb | Cleans up the GroupWise Web application from within Docker. |
docker stop gwweb docker rm gwweb docker start gwweb |
Generally used to stop, remove, and then start GroupWise Web. Use this if you need to stop GroupWise Web, make changes or troubleshoot, then start it again. If you have made changes to the "docker run" command line, you will need to follow this sequence. |
docker restart gwweb | Restarts the GroupWise Web application container. |
docker pull mfgroupwise/web | Downloads the latest version of GroupWise Web from the Micro Focus Docker repository |
docker pull mfgroupwise/web-config | Downloads the web-config utility from the Micro Focus Docker repository |
"Docker Run" command line switches for GroupWise Web
The command line required to launch GWWEB via Docker is quite complex. I have provided two tables. The first one explains the generic use of each relevant command line option. The second table outlines each of the options that are relevant/required for running GWWEB.
General "Docker Run" Command Line Options
A good reference for better understanding Docker Commands can be found on the Docker documentation that can be found here: https://docs.docker.com/engine/reference/commandline/run/
Syntax
docker run [OPTIONS] IMAGE [COMMAND] [ARG...]
Command | Purpose |
---|---|
-d (or --detach) | Run container in background and print container ID. This is a no brainer, it wouldn't make sense to not run it in the background. |
-rm | Automatically remove the container when it exits. |
--restart | Restart policy to apply to a container.
Restart Always: Restart the container regardless of the exit status. When you specify always, the Docker daemon will try to restart the container indefinitely. The container will also always start on daemon startup, regardless of the current state of the container. (This is my preferred option) Examples: --restart always (preferred) |
--name | Assign a name to the container. Example: --name gwweb |
-e (or --env) | Set environment variables Example: -e DNS_SERVER=192.168.0.1 |
-v | Bind mount a volume. When you use a bind mount, a file or directory on the host machine is mounted into a container. The file or directory is referenced by its absolute path on the host machine. The file or directory does not need to exist on the Docker host already. It is created on demand if it does not yet exist. Reference this link to understand this directive a little better: https://docs.docker.com/storage/bind-mounts/
In the case of GWWEB, many bind mounts are used that help define locations of log files, certificates, and custom images. Example: -v /opt/novell/gw/certs:/certs |
-p | Publish a container's port(s) to the host. Example: -p 443:443 |
--add-host | Add a custom host-to-IP mapping (host:ip). Use this if you do not have accessible DNS for name resolution. This is similar to using a hosts file on a server. Example: --add-host gwpo.redjuju.com:192.168.185.13 |
"Docker Run" command line switches for GroupWise Web
The directives below are each of the actual directives needed to launch GWWEB via the Docker Run command.
Command | Purpose |
---|---|
-d | Run the GWWEB application container in the background and displays the container ID on the screen when launched. |
-rm (Use either -rm or --restart always, you cannot use both) |
This directive will run the GWWEB app but remove the container when docker is stopped. It's more tedious, and I do not prefer it in most cases. When docker restarts, you will have to manually run the Docker Run command to get GWWEB working again. |
--restart always (Use either -rm or --restart always, you cannot use both) |
I prefer this directive because it will cause the GWWEB app to always run even after the docker service is restarted or if the server itself is restarted. |
-v /opt/novell/gw:/etc/nginx/gw | There are several configuration files in the /opt/novell/gw folder that define connectivity to your Post Offices and DVA's. This directive does a "bind mount" and puts the files into the GWWEB container, giving GWWEB the ability to read these configuration files needed to connect to GroupWise. |
--name gwweb | This names the docker container. When starting, stopping, or removing the app, you reference this name.
docker stop gwweb (stops the gwweb container) |
-e FQDN=webmail.yourserver.com | Specifies the FQDN name of your server. The name in this directive should generally be resolvable from the public Internet (unless you only allow GWWEB from inside your organization. In that case you would still assign a FQDN that is resolvable from inside your organization). |
-e DNS_SERVER=192.168.0.1 | Docker does not have the ability to use your system defined DNS resolvers. Therefore you must define the DNS server that Docker will use when performing DNS lookups. Note that the DNS server you select needs to be able to resolve the FQDN of your GroupWise Post Offices and DVAs. This doesn't matter as much if you use IP Addresses for them, however the best practice from a security and certificate standpoint is to use FQDN ever since GroupWise 18.4.0. |
-p 443:443 | This command tells the GWWEB container to publish/map port 443 in the container to the hosts secure https port 443. |
-p 80:80 | This command tells the GWWEB container to publish/map port 80 in the container to the hosts non secure http port 80. |
-v /opt/novell/gw/certs:/certs | This tells Docker to use certificates when loading the application. It loads them from the folder listed, which is /opt/novell/gw/certs. I always use this directive, even though the documentation makes it sound more optional. It doesn't even seem practical to try to run GWWEB in a non-secure mode without certificates. |
-e GWSOAP_SSL_VERIFY=off | I have found that I generally need this statement with any GW 18.4.x version. Without it, Docker can fail to connect to your Post Office(s) due to various problems it detects with the certificates. I struggle with this even if the certificates are perfectly valid. I do not know what triggers a failure, so using this has become a standard directive in most instances of GWWEB that I deploy. |
-v /opt/novell/gw/logs/:/var/log/nginx/ | This tells Docker to log the GWWEB application in the /opt/novell/gw/logs/ folder. |
-v /opt/gwweb/gwlogo.svg:/app/assets/img/app-logo.svg
|
This instructs Docker to load a custom SVG file in place of the default one. The default image is the Blue Square with the white envelope above and to the left of the login prompt. Reference the section about customizing the login screen for more details on this option. |
-v /opt/gwweb/graphic.jpg:/app/assets/img/login_image.jpg
|
This instructs Docker to load a custom Graphic image in the background in place of the default one. The default image is the image of 5 people putting their fists together at a table. It is placed in roughly the right 55% of the screen. Reference the section about customizing the login screen for more details on this option. |
mfgroupwise/web:latest | This should ALWAYS be the last item on the line. It instructs docker what image you are actually running. This "image" is the GWWEB program code that runs inside the Docker Container. In most cases, "mfgroupwise/web:latest" is the correct version. This could vary for a couple reasons:
If you're using something other than the latest, you would replace "latest" with the build number that you installed. |
Feature Parity GroupWise WebAccess vs GroupWise Web
It is important to understand that full feature parity does not exist between the GroupWise Client, the older GroupWise WebAccess 18.2.1, and the newer GroupWise GWWEB. The initial GWWEB 18.3 was severely lacking, but it has improved dramatically with subsequent releases. Reference the "What's New" section of the GroupWise 18 release notes for details on improvements that have been made with each subsequent release. https://www.novell.com/documentation/groupwise18/gw18_readme/data/gw18_readme.html#whats_new
Suggestions for how you might handle concerns about missing features:
- Install the latest available GroupWise WEB version. There are generally no reasons to run older versions, and it has improved dramatically. Continue to update it as new versions are released.
- Continue running GroupWise WebAccess and do not upgrade until more features have been built into GroupWise Web. The older GroupWise WebAccess will continue to function, it is not mandatory to upgrade it to continue to use it. Note that you may get pushback from Micro Focus support if you open a support ticket, and it's unlikely any bug fixes will be provided.
- Run the GroupWise 18.2.1 WebAccess simultaneously alongside GroupWise Web (using different servers)
My personal opinion of GWWEB:
I was not a fan of GWWEB when it was first released. It was very buggy, and severely lacking in features. However, as the product has matured, it has come a long way. I find that GWWEB is now much easier to use than the old WebAccess, and in fact, I don't even like to use the old version anymore. It's too clunky and hard to navigate. I generally recommend that customers start using GWWEB rather than try to continue with the old WebAccess version. While it is drastically different and takes some getting used to, the streamlined simplistic design and improved functionality is a tremendous improvement.
Prerequisites and System Requirements
It's easy to skim over the system requirements and assume everything is set correctly in your existing GroupWise environment. If you do this with GroupWise Web, you will be in for some challenges. Please review the system requirements and confirm that you meet each requirement.
In summary, the requirements are as follows:
-
Docker 19.03.5 or later on any Docker supported platform.
-
GroupWise 18.3 or later system.
-
GroupWise POA with SOAP enabled. SOAP must have SSL enabled.
-
GroupWise DVA with SSL enabled. ** This is likely going to be where you have issues **
-
(Optional) TLS certificates for GroupWise Web.
I have provided detailed notes on how to ensure that your system is configured to meet these requirements below.
Docker 19.03.5 or later on any Docker supported platform.
Note about Multi-Server environments: In a multi-server GroupWise environment, the Docker requirement is only necessary for the actual server running the GroupWise Web application. Docker does not need to be installed on any other server.
To identify the Docker version, use this command at the Linux command line:
rpm -qa|grep docker
This should produce a list of all RPM's that contain the text "docker", and one of them will show the version number. In the results below from my fully patched SLES15 SP2 system, the version of Docker is 19.03.11.
mhcfs02:/ # rpm -qa|grep docker
docker-runc-1.0.0rc10+gitr3981_dc9208a3303f-6.38.2.x86_64
docker-bash-completion-19.03.11_ce-6.34.2.noarch
docker-19.03.11_ce-6.34.2.x86_64
docker-libnetwork-0.7.0.1+gitr2902_153d0769a118-4.21.2.x86_64
NOTE: If no results are returned, Docker is not installed at all. This is normal if it's a new install. The instructions for installing and enabling Docker are further below in this same document.
GroupWise 18.3 or later system.
To ensure your system is running GroupWise 18.3 or later, use this command at the Linux command line on all servers that are running GroupWise Agents (Post Offices and/or Domains):
rpm -qa|grep groupwise-server
This should produce the rpm module that is installed for the GroupWise software. The resulting output should show you the GroupWise version you are running as shown below:
mhcfs02:/ # rpm -qa|grep groupwise-server
groupwise-server-18.3.0-137352.x86_64
A couple points of clarification for this requirement.
- There's an entire best practice process for a GroupWise 18.3 or GroupWise 18.4 system upgrade and it's not included in this document. However, the general recommendation is that the GroupWise WebAccess or GroupWise Web application should be upgraded/installed after all domains and all post offices have been upgraded.
- In a multi-server GroupWise system, if GroupWise Web will be running on it's own separate and/or dedicated server, you likely do not and will not have the "groupwise-server" modules installed on that server. Check the versions on the servers that are actually running GroupWise agents.
GroupWise POA with SOAP enabled. SOAP must have SSL enabled.
It's very likely you meet this requirement already. But you should confirm the configuration anyway. Points to consider:
- SOAP needs to be enabled on ALL Post Office Agents.
- Enabling SSL on the SOAP protocol on your Post Offices is all or nothing. Meaning it's either enabled for ALL applications that use it or it's not enabled. You cannot mix and match between enabled and not enabled. For example, you cannot have SSL enabled on SOAP for use by GroupWise Web if GroupWise Mobility is set to use SOAP via non-SSL.
- To my previous point, If you do not use SSL for soap, you MUST configure and enable it in order for GroupWise Web to function. You must ALSO consider all other applications that may use SOAP. For any application in your organization that connects to GroupWise via SOAP, you MUST enable SSL on the SOAP protocol. Some applications that use SOAP: Legacy GroupWise WebAccess, GroupWise Mobility Service, and the new GroupWise Web application.
Generally speaking, you can confirm that SOAP is configured to use SSL by looking at the running configuration on each Post Office agent. You do this in the POA Web Console that can be launched from the GroupWise Administration page.
GroupWise POA Configuration Settings |
Internet Protocol Agent Settings: | |
IMAP Agent: | Enabled |
IMAP Port for Incoming IMAP requests: | 143 (Default) |
IMAP over SSL: | Enabled |
IMAP SSL Agent: | Enabled |
IMAP SSL Port for Incoming IMAP requests: | 993 (Default) |
IMAP Read Limit: | 4000 |
IMAP Read New: | Enabled |
SOAP Agent: | Enabled |
SOAP Port for Incoming SOAP requests: | 7191 |
SOAP Proxy Port: | 7191 |
SOAP over SSL: | Enabled |
SOAP Redirection Table: | Show |
If you find that SSL is not enabled on the SOAP protocol, you will need to install a certificate/key pair on each Post Office agent and enable SSL for SOAP on the agent configuration. SSL configuration is out of the scope of this document.
GroupWise DVA with SSL enabled
When SSL is not enabled on the DVA, GroupWise Web will function but you won't be able to view PDF or other docs from within the GroupWise Web application.
Things to understand about the GroupWise DVA:
- The GroupWise DVA is what allows you to view PDF, DOC, and Image files from within GroupWise.
- Each Post Office generally has its own DVA. (This is not absolutely always true)
- The GroupWise DVA is not enabled for SSL by default.
- All DVA's in your entire GroupWise system need to have SSL enabled.
- The GroupWise Administration Console makes you think you're enabling SSL on the DVA but it's not actually doing what you think. More on this below in step 1 of the DVA required configuration.
If this requirement is not met, you'll experience the two things below.
When SSL is not enabled on the GroupWise DVA, you will receive an error that states "Unable to view attachment" as shown below.
When SSL is not enabled on the GroupWise DVA, you will see the following in the Docker log files when you experience this error.
2021/01/05 08:43:41 [error] 16#16: *43 SSL_do_handshake() failed (SSL: error:1408F10B:SSL routines:ssl3_get_record:wrong version number) while SSL handshaking to upstream, client: 172.17.0.1, server: webmail.redjuju.com, request: "POST /dva HTTP/1.1", upstream: "https://192.168.0.147:8301/dva", host: "webmail.redjuju.com", referrer: "https://webmail.redjuju.com/gw/mailbox/default"
Refer to the Troubleshooting/Log Files section below for information on how to configure and view the log files.
How to configure the GroupWise DVA with SSL Enabled
This four-step process enables the GroupWise DVA with SSL using a self-signed certificate:
1) Tell the POA's to connect to the DVA's via SSL
On the DVA configuration in the GroupWise Administration console, check the box that says "Enable SSL". This tells the Post Office to use SSL when connecting to the DVA. It does not actually configure the DVA with SSL.
Note: It's very confusing, and I don't like the behavior. The dialog makes you believe that you are enabling SSL on the DVA, when in fact you are not. You're only telling the Post Office to use SSL when connecting to the DVA. The checkbox does nothing to actually configure SSL on the DVA. You will need to follow the remaining steps to actually enable SSL on the DVA.
2) Creating the Certificate
Creating the certificates can be accomplished entirely from a SLES 15 Linux command line. The filenames I use are dva.crt, dva.key, and dva.crt. The dva.nopass.key in the first step named "dva.nopass.key" for clarity that it does not have a password at that step.
I like to ensure that I'm in a folder that I