AppSuite:OX Guard Upgrade OSGI

From Open-Xchange

Upgrading OX Guard from 2.2.x to 2.4.0


With OX Guard 2.4.0 the first step was made and the product was moved into the OSGi stack. Although OX Guard now has a tighter integration with the core that does not mean that it lost its micro-service character. OX Guard still relies on the support API to accomplish its tasks; tasks like capability check, HTML sanitising and mail address resolving. The database calls however were completely eliminated (along with their support API) and now the core's OSGi services are used for that purpose. The same applies to the configuration.

In the next few sections it is described what was changed and the necessary steps to upgrade from 2.2.x to 2.4.0. For a fresh installation refer to the main OX Guard article.


This section covers the changes introduced with OX Guard 2.4.0.

Configuration Structure

Alongside with the OSGi-fication of the product, a bit of clean up took place, regarding the configuration files and their structure.

The most obvious change was to get rid of the separate /opt/open-xchange/guard directory that the entire configuration was residing in. The contents of this directory are now spread accross the appropriate folders in /opt/open-xchange.


The templates (originally located under /opt/open-xchange/guard/templates) were moved to the templates directory of the open-xchange installation, i.e. to /opt/open-xchange/templates/guard.


The translations (originally located under /opt/open-xchange/guard/l10n) were moved to the i18n directory of the open-xchange installation, i.e. to /opt/open-xchange/i18n. The translations formerly had a prefix main-*_*.po (i.e. main-de_DE.po) should now start with guard- (i.e. guard-de_DE.po) to be able to differentiate between middleware translations and those provided by OX Guard. Even the languages.xml and those starting with templates-* should be located within the above mentioned i18n directory.


Prior to 2.4.0, there were two files, one for the core groupware which contained properties that were used to enable the OX Guard capability to various modules as well as some extra functionality, and one for OX Guard itself, containing all properties for that product. Since the /opt/open-xchange/guard directory was deemed obsolete and subject to be removed and to avoid the name clashing of the two property files, they had to be renamed. A merge was not option, simply because they were provided and used by different packages. Therefore, the properties file (under /opt/open-xchange/etc/) which accomodated the properties for the AppSuite Guard bundle is now renamed to

The OX Guard file (under /opt/open-xchange/guard/etc) which housed all the OX Guard properties, is now renamed and moved under /opt/open-xchange/guard/etc/

private_dns_key and public_dns_key

Those two property files were not needed anymore, thus they were marked as obsolete and removed with OX Guard 2.4.0.

Farewell Jetty, welcome Grizzly

With the big step OX Guard took and moved into the OSGi stack, Jetty was rendered obsolete and had to be removed as well. OX Guard now uses Grizzly to register its servlets.


The first change in the Apache configuration is the port number of the balancer directive regarding OX Guard. Since Jetty was removed and Grizzly is in charge now, the port was adjusted to reflect that change.

The second change is the order of the ProxyPass locations. The OX Guard one, had to be moved forward because it was getting masked and overwritten by the AppSuite ones.

Guest Reader moved to a separate package

In order to allow more flexibility on distributed deployments, the "Guest Reader" component has moved to a separate package that is being installed on the frontend server. The UI is then provided by Apache rather than Jetty.

Because of this, the location of the Guest reader URL will change. By default, the reader package will be installed under /var/www/guard/reader

So, in most setups, the reader URL would change from




To handle this change, the easiest thing to do is change the externalReaderPath configuration in the new file from the old location to the new


Assuming that there are already several Guest emails out there with the old Jetty URL, Guard OSGI will automatically redirect all requests from the old location to the new

Command Line Tool

The command line tool also got a "lifting" and was brought to the standards of the rest of the command line tools of the OX family. The CLT now includes optional JMX authentication. Furthermore, the functionality of initialising the OX Guard installation was removed from the command line tool. It is now being done automatically upon server start up. The rest of the functionality is still there, though.

usage: guard [-i [-d /custom/path]] [-t] [-u
   ] [-e] [-n
   ] [-j jmxUser] [-w jmxPassword] [-x
   ] [-o <JMX_PORT>] [-p <RMI_PORT>] [--responsetimeout
 -d,--directory <arg>         Full path of the 'oxguardpass' file
                              (defaults to current directory). This flag
                              should be used in conjunction with the
                              '--init' switch.
                              e.g. guard --init --directory
 -e,--reset <arg>             Resets the specified e-mail address and
                              sends a new password to the user
                              e.g. guard --reset
 -h,--help                    Prints a help text
 -i,--init                    Initialise guard.
 -j,--jmx-user <arg>          JMX user
 -n,--remove-pin <arg>        Removes the PIN for the specified user
                              e.g. guard --remove-pin
 -o,--jmx-port <arg>          JMX port (default: '9999')
 -p,--port <arg>              The optional RMI port (default:1099)
    --responsetimeout <arg>   The optional response timeout in seconds
                              when reading data from server (default: 0s;
 -s,--server <arg>            The optional RMI server (default: localhost)
 -t,--test <arg>              Test the specified e-mail address against
                              the MailResolver
                              e.g. guard --test
 -u,--upgrade <arg>           Upgrades the specified guest account to an
                              OX account
                              e.g. guard --upgrade
 -w,--jmx-password <arg>      JMX password
 -x,--jmx-host <arg>          JMX host (default: 'localhost')

Command line tool for OX Guard


The /opt/open-xchange/guard/etc/logback.xml file for OX Guard was completely removed. Now logging is being configured globally in /opt/open-xchange/etc/logback.xml. All OX Guard events that were previously logged in /var/log/open-xchange/guard/guard.log are now being logged in the log file as the groupware, namely in /var/log/open-xchange/open-xchange.log.0.

The SMTP relevant section is no longer present, but it can be configured separately by adding it again to the previous mentioned logback.xml file.

<!-- Configure SMTP Triggered emails here.  Once done, uncomment out appender under root below -->
  <appender name="SMTP" class="">
    <subject>Guard - %marker - %msg%n </subject>
    <layout class="ch.qos.logback.classic.html.HTMLLayout">

    <evaluator class="ch.qos.logback.classic.boolex.JaninoEventEvaluator">
        marker != null && (marker.contains("NOTIFY_MAJOR") || marker.contains("NOTIFY_MINOR"))

The following tag has to be added to the root level in order for this to work.

<appender-ref ref="SMTP" />

For example:

<root level="INFO">
    <appender-ref ref="ASYNC"/>
    <appender-ref ref="SMTP" />

Upgrading from 2.2.x to 2.4.0

There are a few things to consider when upgrading from a version 2.2.x to 2.4.0. In this section we will cover that upgrade path.

The first thing is that the file storage implementations are now being kept into two separate packages, i.e. open-xchange-guard-file-storage and open-xchange-guard-s3-storage for the file storage and S3 storage support respectively. This means that one of the packages has to be manually installed after the upgrade.

The second thing is that the open-xchange-guard system service is now gone. Since, OX Guard is intergraded into the OSGi stack, it will start automatically with the backend, i.e. when the open-xchange system service starts.

With those two things in mind, OX Guard can be upgraded as described here. Again, after the upgrade is complete there is no need to restart the open-xchange-guard system service; neither the open-xchange system service should be restarted just yet. There are a few things to do before having a fully functional OX Guard backend.

The Guest Reader component has moved to the open-xchange-guard-reader package, which needs to be installed on the frontend server next to App Suite UI.

Step 1 - Enhance repository sources

If you currently do not have an Open-Xchange middleware installed you have to adapt your Open-Xchange repository file to be able to solve required dependencies to the middleware packages. Add the following to the file that already should contain an entry for the OX Guard repository.

Debian 7.x
deb /
Debian 8.x
deb /
RedHat Enterprise Linux 6 or CentOS 6
Redhat Enterprise Linux 7 or CentOS 7
SUSE Linux Enterprise Server 11.x
$ zypper ar ox-backend
SUSE Linux Enterprise Server 12.x
$ zypper ar ox-backend

After adding new repositories retrieve new lists of packages by executing your desired package managers update call.

Step 2 - Update OX Guard

Upgrade the existing installation by executing your desired package mangers upgrade call, for instance apt-get dist-upgrade, yum upgrade and so on.

If you are running an OX Guard-only node (because of infelicitous set dependencies) you have to install an implementation of the package open-xchange-authentication and open-xchange-spamhandler which will never be used but checked for. We suggest to install open-xchange-authentication-database and open-xchange-spamhandler-default. Installing those packages as well as chosing a open-xchange-guard-storage implementation will install all required middleware dependencies.

After the update /etc/init.d/open-xchange-guard shouldn't be available any more but OX Guard will start when starting the open-xchange system service.

Step 3 - Choose and install your storage

According to your previous installation, you will have to manually install the relevant open-xchange-guard-storage package. Of course, you can switch to the one or the other storage if you wish, but be aware that no data will be migrated. You will have to do this manually.

File Storage Support

If you want the file storage support, and depending on your Linux distribution, you can install it with the following command:

Debian 7.x/8.x
apt-get install open-xchange-guard-file-storage
RedHat Enterprise Linux 6.x/7.x or CentOS 6.x/7.x
yum install open-xchange-guard-file-storage
SUSE Linux Enterprise Server 11.x/12.x
zypper in open-xchange-guard-file-storage

S3 Storage Support

If you want the S3 storage support, and depending on your Linux distribution, you can install it with the following command:

Debian 7.x/8.x
apt-get install open-xchange-guard-s3-storage
RedHat Enterprise Linux 6.x/7.x or CentOS 6.x/7.x
yum install open-xchange-guard-s3-storage
SUSE Linux Enterprise Server 11.x/12.x
zypper in open-xchange-guard-s3-storage

Step 4 - Install open-xchange-rest

OX Guard requires access to existing middleware hosts. The endpoint is configured within the which you can find in /opt/open-xchange/etc. The endpoint configured via com.openexchange.guard.restApiHostname need to have the package open-xchange-rest installed to be able to retrieve and process OX Guard REST requests.

Normally the post installation scripts from the open-xchange-guard package should take over the formerly configured endpoint so that you do not have to do anything.

Step 5 - Ensure that the server keys are readable by the sever

The oxguardpass file should be owned by the open-xchange user and have the permission 400, meaning read access only by the owner of the file.

ls -l /opt/open-xchange/etc/oxguardpass
-r-------- 1 open-xchange root 64 Nov 17 19:14 /opt/open-xchange/etc/oxguardpass

Step 6 - Ensure that the Apache balancer directive uses the correct port

Since OX Guard is part of the OSGi stack and Grizzly is used to register and serve the OX Guard servlets, the oxguard and oxguardpgp balancer directives in the Apache configuration have to be adjusted in order to set the correct port and possibly removed.

If the Proxy balancer for the backend (oxcluster) is the same as the Guard servers, then you can remove the balancer entries for Guard and just redirect the ProxyPass directive to the oxcluster like so

 ProxyPass /appsuite/api/oxguard balancer://oxcluster/oxguard
 ProxyPass /pks balancer://oxcluster/pgp

Otherwise, if the Guard servers are different from your backend, find the balancers containing

BalancerMember http://guardserver:8080/oxguard timeout=1800 smax=0 ttl=60 retry=60 loadfactor=100 route=OX1
BalancerMember http://guardserver:8080/pgp timeout=1800 smax=0 ttl=60 retry=60 loadfactor=100 route=OX1

The second Balancer (oxguardpgp) for PGP should just be removed. The primary Guard balancer should look like below, removing the sub-directory "/oxuard"

 <Proxy balancer://oxguard>
   BalancerMember http://guardserver:8009 timeout=1800 smax=0 ttl=60 retry=60 loadfactor=100 route=OX1

The find the lines with the ProxyPass for </appsuite/api/oxguard> and change the balancer to //oxguard/oxguard Add the PGP balancer if you are exposing the PGP Public key server.

 <Proxy /appsuite/api/oxguard>
   ProxyPass balancer://oxguard/oxguard
 <Proxy /pks>
   ProxyPass balancer://oxguard/pgp

Please note : You cannot have more than one BalancerMember with the same URL. So, if changing to the same URL as the OX Backend, you should just remove the Guard entries otherwise there will be some errors reported by Apache, and only the first entry will be used.

Step 7 - Adapt configuration

This chapter is only valid for OX Guard-only node where no additional middleware services haven't been desired and installed before! As Guard is now using existing middleware mechanisms to access the databases you have to configure the following properties.

  • copy an already configured file from a middleware node to /opt/open-xchange/etc on the OX Guard node.
  • copy an already configured file from a middleware node to /opt/open-xchange/etc on the OX Guard node.
  • set com.openexchange.connector.networkListenerHost to your desired hosts (e. g. *)
  • logback.xml
  • consolidate your old OX Guard logback.xml with the new one from within /opt/open-xchange/etc
  • copy an already configured file from a middleware node to /opt/open-xchange/etc on the OX Guard node.
  • mpasswd
  • copy your existing oxadminmaster credential storage to /opt/open-xchange/etc on the OX Guard node.
  • Adapt the property com.openexchange.guard.endpoint. This can be as simple as replacing the old port 8080 with 8009 but may differ depending on your setup
  • Adapt the property com.openexchange.guard.externalReaderPath. Adjust to the new location of the Guard reader under Apache. Defaults to domain/guard/reader/reader.html

After copying those files, please make sure that they are owned by the group open-xchange, otherwise they cannot be read by the middleware service. In addition to the above mentioned properties you may would like to change the default configuration if the underlying middleware instance is only used for OX Guard:

  • Disable Hazelcast cluster discovery
  • remove all permissions set via configuration
  • set entries to false

Step 8 - Restart the groupware

Last, and certainly not least, you need to restart the groupware process:

Debian 7.x/RedHat Enterprise Linux 6.x/CentOS 6.x/SUSE Linux Enterprise Server 11.x
service open-xchange restart
Debian 8.x/RedHat Enterprise Linux 7.x/CentOS 7.x/SUSE Linux Enterprise Server 12.x
systemctl restart open-xchange

Step 9 - Execute update tasks

Before OX Guard should receive the first requests you have to ensure that all database schemas are up to date. This can be done by executing /opt/open-xchange/sbin/runupdate.

Congratulations! You should now have a running OX Guard 2.4.0!

Common Problems

When trying to decode a message I get a 404

This happens probably because the AppSuite ProxyPass Location directives are overwriting the OX Guard ones. To solve this, you will have to move the OX Guard ProxyPass Location directive right before the AppSuite ones.

Change the ordering of the locations from this:

<Location /ajax>
  ProxyPass balancer://oxcluster/ajax
<Location /appsuite/api>
  ProxyPass balancer://oxcluster/ajax
<Location /appsuite/api/oxguard>
  ProxyPass balancer://oxguard

to this:

<Location /appsuite/api/oxguard>
  ProxyPass balancer://oxguard
<Location /ajax>
  ProxyPass balancer://oxcluster/ajax
<Location /appsuite/api>
  ProxyPass balancer://oxcluster/ajax

After migration, OX Guard fails to accept any request

This may happen if configuration files that were copied during migration do not have the correct permission set. Please have a look at the OX Guard middleware log file to find any ERROR messages. The getmissingservices command-line tool may also help to identify services that have not been started and why they failed to start.

After migration, Guest reader doesn't work and report too many redirects

The location of the Guest reader has been changed, and is now being handled by apache rather than the Jetty server previously used by Guard.

To maintain compatibility with the Guest emails previously sent, Guard tries to redirect the old URL to the new...which is configured as the externalReaderPath in the file. Be sure to update this setting to the new location as mentioned above.