Posted: 29-March-2006 at 12:07pm
Problem: Customers are reporting a "The server has a signed certificate that does not match the server's name. Unable to establish a SSL connection." error in the Omni Mobile client when trying to use https:// in the WebAccess URL.
Mobile devices are stricter about SSL than their desktop counterparts. If you connect to your WebAccess server with a desktop browser and view the SSL certificate (double-click the SSL "lock" icon), the "Issued to:" name (the certificate's subject name) must match the host name in the URL exactly. For example, if the WebAccess URL is https://webmail.mycompany.com/gw/webacc, the certificate must be issued to "webmail.mycompany.com", whatever the hosting server's own name is.
Cause: When a server is installed, the installation process creates an SSL certificate that uses the server's own name, e.g. FS1.mycompany.com, as the "Issued To" name. In that case you will see "Issued to: FS1.mycompany.com" in the SSL certificate even though WebAccess is published as "webmail.mycompany.com". Because the certificate is bound to a DNS name, the device will only accept the connection if the host name in the URL is the "Issued To" name. The URL uses webmail.mycompany.com, the certificate says FS1.mycompany.com, so the client refuses the connection and reports the error above.
Resolution: Re-generate the server certificate for the name the clients actually use, e.g. webmail.mycompany.com, not fs1.mycompany.com. Do not use a wildcard name such as *.mycompany.com in the certificate, because most mobile devices do not support wildcard certificates and will fail with the same error.
It is a recommended design practice to use the same DNS host name for WebAccess on both the inside
and outside of your network. For example, configure public DNS and internal private DNS with "A" records or "CNAME" alias records to point to the same WebAccess host name, e.g. webmail.mycompany.com. This removes issues
with certificates and client configuration for devices that use both WiFi and commercial connections like GPRS or CDMA.
How to Recreate the SSL Certificate
To correct the problem, you have to generate a replacement SSL certificate; see "How to create a web site certificate using Novell's CA - TID 10072424" at http://support.novell.com/cgi-bin/search/searchtid.cgi?10072424.htm for the steps. Then modify the sys:apache2\conf\httpd.conf file (this presumes you are running GW WebAccess on NetWare 6.5). Look for a line that reads:
SecureListen 443 "SSL CertificateDNS"
and modify it to use the name of the new Key Material Object you created. The server name suffix that the server appends to the object name is not part of the name used in httpd.conf, e.g. if you created "SSL GW-WebAcc - SERVER1" you would change the line to read:
SecureListen 443 "SSL GW-WebAcc"
If you are running NetWare 6.0 (Apache 1.2 and Tomcat 33), then you will make the change in the sys:apache\conf\GWApache.conf file. Change:
<IfModule mod_tls.c>
SecureListen 443 "SSL CertificateDNS"
</IfModule>
to
<IfModule mod_tls.c>
SecureListen 443 "SSL GW-WebAcc"
</IfModule>
Once that change is made, stop and start Apache (the SecureListen directive is read by Apache, so a Tomcat restart alone does not pick up the new certificate); restart Tomcat too if it is stopped together with Apache. Then view the certificate from a browser again and confirm the "Issued to:" name is now webmail.mycompany.com.
If you are running WebAccess on SUSE Linux, refer to "How to Change SSL Certificate on SLES 9 for GW WebAccess (novell-httpd) - TID10096824" at http://support.novell.com/cgi-bin/search/searchtid.cgi?10096824.htm.
If you are running WebAccess on Windows server, refer to the Cool Solutions article "Enabling SSL on Microsoft's IIS with Novell's Certificate Authority" available at http://www.novell.com/coolsolutions/feature/5565.html.
For additional background info, read Tay Kratzer's Cool Solutions article "Netware 6.5 and GroupWise 6.5 WebAccess" available at http://www.novell.com/coolsolutions/feature/9937.html.
Please follow the rest of the instructions in the "Omni Mobile User Guide" to configure SSL on Pocket PC and Windows Mobile devices.
Edited by Aldo Zanoni on 23-February-2007 at 6:10am
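The check the mobile client performs is easy to reproduce on the desktop, which is useful for confirming the fix before rolling it out. The script below is an added example and is not part of the original post or of Omni Mobile: it applies the same rule (the host in the WebAccess URL must equal the certificate's "Issued To" name or one of its Subject Alternative Name DNS entries, and wildcard names are refused unless explicitly allowed) to certificate dictionaries in the shape that Python's ssl.SSLSocket.getpeercert() returns. The three certificates and the URL in it are constructed test data that mirror the FS1 / webmail example above; the hypothetical helper names (check_url_against_cert, name_matches, cert_names) are mine.

```python
"""Reproduce the mobile client's host-name check against a certificate.

Added example, not from the original post. The certificate dictionaries
below are constructed sample data in the format returned by
ssl.SSLSocket.getpeercert(); pass a real one in to test your own server.
"""
from urllib.parse import urlsplit


def cert_names(cert):
    """Return (commonName, [SAN dNSName entries]) from a getpeercert()-style dict."""
    cn = None
    for rdn in cert.get("subject", ()):
        for key, value in rdn:
            if key == "commonName":
                cn = value
    sans = [value for kind, value in cert.get("subjectAltName", ()) if kind == "DNS"]
    return cn, sans


def name_matches(host, name, allow_wildcard):
    """Case-insensitive comparison; a wildcard covers exactly one leading label."""
    host = host.lower().rstrip(".")
    name = name.lower().rstrip(".")
    if name.startswith("*."):
        if not allow_wildcard:
            return False
        host_labels = host.split(".")
        name_labels = name.split(".")
        # *.mycompany.com matches webmail.mycompany.com but not mycompany.com
        return len(host_labels) == len(name_labels) and host_labels[1:] == name_labels[1:]
    return host == name


def check_url_against_cert(url, cert, allow_wildcard=False):
    """Return (ok, reason) for a WebAccess URL and a getpeercert()-style dict.

    allow_wildcard=False models the mobile devices described in the post,
    which reject wildcard certificates outright.
    """
    host = urlsplit(url).hostname
    if host is None:
        return False, "URL has no host name"
    cn, sans = cert_names(cert)
    # Prefer the SAN list when present, otherwise fall back to the subject CN.
    candidates = sans if sans else ([cn] if cn else [])
    for name in candidates:
        if name_matches(host, name, allow_wildcard):
            return True, f"{host} matches certificate name {name}"
    wild = [n for n in candidates if n.startswith("*.")]
    if wild and not allow_wildcard:
        return False, f"{host} only matches wildcard {wild[0]}, which mobile clients do not support"
    issued_to = ", ".join(candidates) or "(no name)"
    return False, f"certificate is issued to {issued_to}, not to {host}"


# Constructed sample certificates (values are illustrative, not real servers).
FS1_CERT = {  # what the NetWare install created for the file server
    "subject": ((("organizationName", "mycompany"),), (("commonName", "FS1.mycompany.com"),)),
}
WEBMAIL_CERT = {  # the re-issued certificate for the public WebAccess name
    "subject": ((("commonName", "webmail.mycompany.com"),),),
    "subjectAltName": (("DNS", "webmail.mycompany.com"),),
}
WILDCARD_CERT = {  # a wildcard certificate, which the mobile client refuses
    "subject": ((("commonName", "*.mycompany.com"),),),
    "subjectAltName": (("DNS", "*.mycompany.com"),),
}
URL = "https://webmail.mycompany.com/gw/webacc"

if __name__ == "__main__":
    for label, cert in (("install-time cert", FS1_CERT),
                        ("re-issued cert", WEBMAIL_CERT),
                        ("wildcard cert", WILDCARD_CERT)):
        ok, reason = check_url_against_cert(URL, cert)
        print(f"{label:18} {'OK  ' if ok else 'FAIL'} {reason}")
```

To check a live server, open an SSL socket to it with a context that trusts your Novell CA, pass the result of getpeercert() to check_url_against_cert together with the exact URL configured in the Omni Mobile client, and leave allow_wildcard at its default so a wildcard certificate is reported as a failure the way the device would report it.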