Configuring the Relay Server
2. From the Server tab, set field values as shown:
Server Configuration Fields
Values
Relay Server Name: Enter the fully qualified, publicly recognized DNS name for the relay server that you previously registered with the Domain Name Service. Use the format <relay name>.<company name>.<top-level domain>. For example, relay1.xyzcorp.com. This name identifies the relay server to the Enterprise Management Server and to Groove clients.
See the section, “Preparing the Network for a Relay Server”, for more information about the DNS name. The default name is the DNS name of the relay server machine on the network.
Administrative User Name: Accept the default or enter another administrator name. This is the name you use to access the relay server administrative Web pages.
Default: ServerAdmin
Administrative Realm: Accept the default or enter another name for your administrative realm or domain using the format <relay name>@<company name>.<top-level domain>. For example, relay1@xyzcorp.com. This value appears in the password prompt when you access the relay server administrative Web pages.
This email address may also be used by Groove Networks to send you emails concerning your server, as part of the Customer Support Notification (CSN) feature. For information about this feature, see “Customer Support Notification” in the Monitoring a Relay Server chapter.
Administrative Password: Enter a password. This is the password you use when you access the relay server administrative Web pages.
Private Key File Name: Accept the default file name or edit it (for example, to include the relay server name). This is the name that the system will give to the server’s private key file once it is generated. The file contains the relay server private key. The key is saved to this file in encrypted form using a hash of the user-supplied password.
Default: privkey.dat
Certificate File Name: Accept the default file name or edit it (for example, to include the relay server name). Then click the Generate Files button to generate the private key file and certificate file.
Before generating the files, the system displays the Define Password pop-up window where you enter a private key password, as described below.
The certificate file name is the name that the system will give to the server’s public key once it is generated. This key is used by managed users to send secure Groove messages and data to the relay server.
Note: Whenever you generate a new private key file, you must enter the private key file password. This password applies to both the relay server key files you define in this window and to the SOAP key files that you define on the SOAP tab, described next.
Default: ServerCertificate.cer
1.3 Client Registry File: Accept the default registry path for the Groove 1.3 client registry file or edit it (for example, to include the relay server name). This file is required only to support Groove versions prior to 2.0. (Relay SOAP configuration parameters control this functionality for Groove 2.0 or later.) The registry settings in this file must be installed on Groove clients that will be assigned to this relay server before the pre-2.0 Groove software is installed.
If you want to export the client_relay_params.reg file to another location, enter a path name for exporting the file, then click the Export 1.x Reg File button. Click this button only AFTER you have generated valid private/public key files (by clicking the Generate Files button) as described above.
Default: client_relay_params_.reg
3. When prompted to enter the Private Key File Password, enter a password of up to 255 characters, then re-enter it to confirm it. Click OK as the system generates the necessary files. The relay server uses this password to decrypt private key information which the server requires to run. The system will prompt you for this password whenever you manually restart the relay server (unless Unattended Startup is checked). When the Unattended Startup checkbox is checked (enabling unattended startup), the server uses a hash of this password stored in the registry.
This password applies to the relay server’s private key file, the SOAP private key file configured on the SOAP tab, and the SSL private key file configured on the SSL tab, as described in the next procedures.
Note: Memorize this password because you cannot recover it if it is lost or forgotten. The password is not stored anywhere directly. Only a hash of the password is stored in the registry (under the Groove relay parameters key), and only if the Unattended Startup checkbox is checked.
4. Once you have entered at least the Administrative Password and generated the relay private key and certificate files (by clicking the Generate Files button), click the Next button to continue to the next procedure and create the SOAP identity files necessary for communication with the Enterprise Management Server. (The Next button is disabled if you have not completed the required fields.)
Unattended Startup: Leave this option checked for unattended startup of the relay service after a machine reboot or crash. Leaving the box checked allows the relay service to start without prompting for a password.
If you do not want automatic relay service startup after shut down or failure, uncheck the Unattended Startup checkbox.
Unchecking this option is not recommended.
Note the following implications of this field:
• Unattended Startup does not start up the relay server, or force the relay server to automatically restart upon failure or upon reboot. You must use the Windows Service Manager settings to configure automatic startup and to start the relay service.
• If you disable unattended startup, you must go to the Service Manager and enable Allow Service to Interact with the Desktop under the Log On tab for the relay service after exiting the relay server configuration control panel applet.
• When you allow unattended startup, a hash of your password is stored in the system registry. The relay service tries to remove public access to the registry key where the password hash is stored, but a security specialist at your company should verify that the access controls on the relay server registry keys are appropriate for your site. To check the relay server access control settings, see the registry permissions on the following registry key:
HKEY_LOCAL_MACHINE\SYSTEM\CurrentControlSet\Services\Groove Relay\Parameters
Default: checked (enable unattended startup).
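As an added example that is not part of the Groove documentation, the following PowerShell audit checks the two things the notes above ask an administrator to verify: the access controls on the Parameters key that holds the password hash, and the Service Manager start mode of the relay service. It assumes the Windows service is named Groove Relay (taken from the registry path above) and that it runs on the relay server with administrative rights.

```powershell
# Added example, not part of the Groove documentation. Audits the ACL on the
# Parameters key that holds the startup password hash when Unattended Startup is
# enabled, and reports how the relay service is configured to start.
# Assumption: the Windows service is named "Groove Relay", as in the manual's
# registry path, and the script runs on the relay server with admin rights.
$relayKey = 'HKLM:\SYSTEM\CurrentControlSet\Services\Groove Relay\Parameters'

# Broad principals that should not be able to read a key holding a password hash.
$broadPrincipals = @('Everyone', 'BUILTIN\Users',
                     'NT AUTHORITY\Authenticated Users', 'NT AUTHORITY\INTERACTIVE')

function Test-RelayParametersAcl {
    param([string]$Path = $relayKey)

    if (-not (Test-Path -LiteralPath $Path)) {
        Write-Warning "Key not found: $Path (the relay service may not be installed)"
        return $null
    }
    $acl = Get-Acl -LiteralPath $Path
    $findings = foreach ($ace in $acl.Access) {
        $who = $ace.IdentityReference.Value
        # An Allow ACE that lets a broad principal query values exposes the hash.
        $canRead = ($ace.RegistryRights -band
                    [System.Security.AccessControl.RegistryRights]::QueryValues) -ne 0
        if ($ace.AccessControlType -eq 'Allow' -and $canRead -and
            $broadPrincipals -contains $who) {
            [pscustomobject]@{ Identity = $who; Rights = $ace.RegistryRights
                               Inherited = $ace.IsInherited }
        }
    }
    [pscustomobject]@{ Path = $Path; Owner = $acl.Owner; Findings = @($findings) }
}

function Get-RelayServiceStartup {
    # Unattended Startup only suppresses the password prompt; whether the service
    # starts after a reboot is decided by the Service Manager start mode.
    Get-CimInstance Win32_Service -Filter "Name='Groove Relay'" |
        Select-Object Name, StartMode, State, StartName
}

$audit = Test-RelayParametersAcl
if ($audit) {
    if ($audit.Findings.Count -eq 0) { "OK: no broad read access on $($audit.Path)" }
    else { "REVIEW: broad read access on $($audit.Path)"; $audit.Findings | Format-Table -AutoSize }
}
Get-RelayServiceStartup | Format-Table -AutoSize
```

A non-empty Findings list means a low-privilege account on the machine can read the stored hash, which is exactly the condition the note above asks a security specialist to rule out.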
Note: To return to a previous window to review or edit a value, you can always press the Back button.
Generating SOAP Key Files
If you are supporting Groove 2.0 (or later) users, the Enterprise Management Server (EMS), on which the relay server depends for certain administrative tasks, communicates with the relay server via Simple Object Access Protocol (SOAP) over port 8009. Therefore, you must configure the relay server SOAP interface to be recognizable to EMS, and to secure communication between the relay server and the EMS at your site.
To configure the relay-SOAP interface, follow these steps:
1. From the relay server control panel applet SOAP tab, fill in the fields as described in the following table:
Accept or edit the default name. This is a fully qualified DNS name for the relay SOAP interface that you previously registered with your Domain Name Service. Use the format http://<relay name>.<company name>.<top-level domain>. For example, http://relay1.xyzcorp.com. EMS uses this name to contact the relay server via SOAP. The default name is based on the DNS name of the relay server machine on the network.
If you want the name in this field to be the same as the relay server name that you already defined on the Server tab, click the Same As Relay Server Name checkbox to check it (the default condition). If you want to use a different name for the SOAP interface (for example, if you have assigned the SOAP interface to a specific internal network interface card separate from the publicly used interface), make sure to register the name with DNS first.
Private Key File Name: Accept the default file name or edit it (for example, to include the relay server name). This will be the name of the relay server’s SOAP interface private key file once it is generated. The file contains the relay server SOAP private key. This key file is encrypted using the same password entered on the Server tab.
Default: ServerSOAPKeyStore.xml
Certificate File Name: Accept the default file name or edit it (for example, to include the relay server name). Then click the Generate Files button to create the private key and certificate files.
The certificate file name is that of the server’s SOAP certificate file once it is generated. This certificate file contains the server’s SOAP interface public key. The Enterprise Management Server uses this certificate when sending messages to the relay server.
Default: ServerSOAPCertificate.cer
2. Once you have generated the SOAP private key and certificate files (by clicking the Generate Files button) and then clicked the Export ID File button, click the Next button to continue to the next procedure and set up SSL.
Setting Up SSL
Relay server statistics and an administrative interface are available from secure Web pages via HTTP over Secure Sockets Layer (SSL/HTTPS) on port 8010. To access these pages, you must generate an SSL key store and SSL certificate.
Note: If you want to configure the SSL interface using a third-party Certificate Authority (CA), you should know the CA’s specific requirements for requesting a certificate before performing that portion of this procedure.
Export ID File Name: Accept the default file name or edit it (for example, to include the relay server name). This file contains the relay server’s certificates, relay server name, and SOAP interface name, required by the Enterprise Management Server and Groove clients to establish secure communication with the relay server. The file is not encrypted because it contains only public data.
When you are ready, click the Export ID File button to generate the file. Remember where this file is saved. The location of this file must be specified in the EMS Web interface in order to upload it to EMS. The file contains the relay server name and public key which are shared with Groove 2.0 (or later) clients that are assigned to this relay server.
You can generate this file repeatedly without changing any key files. However, if you update any key files, change the relay server’s name, or the relay SOAP interface name, you must re-generate the ID file and redistribute it to EMS.
In order to identify the Enterprise Management Server to the relay server, you must copy the Enterprise Management Server’s registry key file to the relay server and install it in the local registry. Only Enterprise Management Servers whose registry keys are written to the relay server can communicate with the relay. Successful upload of the RelayID file to EMS and the writing of the EMS registry file to the relay server are necessary to enable and secure communication between the two servers.
See the following registry key in order to verify the defined Enterprise Management Servers:
This field is for information only. It displays the name of the management server and the SOAP URL of each management server that has exchanged identification information with the relay server.
Enable SOAP Access for Remote Management: Select this field to enable SOAP connections between management and relay servers.
SOAP Configuration Fields
Values
To configure SSL to support access to the relay server administrative Web pages, follow these steps:
1. From the relay server control panel applet SOAP tab, note the fully qualified registered DNS name for the relay SOAP interface. The name should have the format http://<soap interface name>.<company name>.<top-level domain>. For example, relay1.xyzcorp.com.
You can use the Relay Server or Relay SOAP Interface host name for the SSL name. The SSL configuration does not ask you to enter this name but you will need it to enter the SSL relay server administrative Web pages URL and if you want to request a third-party-signed certificate.