These procedures describe how to set up Secure Sockets Layer (SSL) on a cluster of Sametime® Gateway servers.
Before you begin
You must first install Sametime Gateway on each node, including a Deployment Manager node, create the cluster, and create a SIP proxy server for the cluster.
About this task
To have a secure network connection, create a key for secure network communications and receive a certificate from a certificate authority (CA) that is designated as a trusted CA on your server.
WebSphere® Application Server uses the certificates that reside in keystores to establish trust for an SSL connection. WebSphere Application Server creates the key.p12 default keystore file and the trust.p12 default truststore file during profile creation. A default, self-signed certificate is also created in the key.p12 file at this time.
If you use a certificate other than the default self-signed certificate provided, ensure that the SSL certificate contains the Basic Constraints extension. Do not use a non-SSLv3-compliant self-signed CA. WebSphere Application Server 6.1 uses the IBM® JDK 1.5.0 JSSE2, which checks for the presence of the Basic Constraints extension. If the extension is not set, WebSphere Application Server assumes that the CA is not a valid CA but a user certificate, which in turn means the server certificate cannot be validated, because the issuing CA is not found.
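As an added illustration of the Basic Constraints check described above (this is example code, not part of the Sametime or WebSphere documentation), the following stdlib-only Python inspects a DER blob for the 2.5.29.19 extension and reports whether it asserts cA=TRUE, which is the condition a chain builder needs before it will accept a certificate as an issuer. The sample Extensions blocks are constructed here and are not real certificates; the function names are the example's own.

```python
BASIC_CONSTRAINTS_OID = bytes.fromhex("551d13")  # DER encoding of OID 2.5.29.19

def _read_tlv(buf, pos):  # one DER tag-length-value at buf[pos:] -> (tag, value, next_pos)
    tag, length, pos = buf[pos], buf[pos + 1], pos + 2
    if length & 0x80:  # long form: low 7 bits give the number of length octets that follow
        n = length & 0x7F
        length, pos = int.from_bytes(buf[pos:pos + n], "big"), pos + n
    return tag, buf[pos:pos + length], pos + length

def _walk(buf):  # yield every (tag, value) node, descending into constructed types
    pos = 0
    while pos < len(buf):
        tag, value, pos = _read_tlv(buf, pos)
        yield tag, value
        if tag & 0x20:  # bit 6 set: SEQUENCE, SET or a constructed context tag such as [3]
            yield from _walk(value)

def basic_constraints(der):
    """Return (is_ca, path_len) from the Basic Constraints extension, or None if absent."""
    for tag, value in _walk(der):
        if tag != 0x30 or len(value) < 2:
            continue
        t, oid, pos = _read_tlv(value, 0)
        if t != 0x06 or oid != BASIC_CONSTRAINTS_OID:
            continue  # not the Extension SEQUENCE for 2.5.29.19
        t, octets, pos = _read_tlv(value, pos)
        if t == 0x01:  # optional 'critical' BOOLEAN precedes the OCTET STRING
            t, octets, pos = _read_tlv(value, pos)
        # extnValue holds SEQUENCE { cA BOOLEAN DEFAULT FALSE, pathLenConstraint INTEGER OPTIONAL }
        _, seq, _ = _read_tlv(octets, 0)
        is_ca, path_len, p = False, None, 0
        while p < len(seq):
            t, v, p = _read_tlv(seq, p)
            if t == 0x01:
                is_ca = v != b"\x00"
            elif t == 0x02:
                path_len = int.from_bytes(v, "big")
        return is_ca, path_len
    return None

def acceptable_as_ca(der):
    """True only if the extension is present and asserts cA=TRUE; otherwise it is a user certificate."""
    bc = basic_constraints(der)
    return bc is not None and bc[0]

def _tlv(tag, value):  # short-form length is enough for the constructed samples below
    return bytes([tag, len(value)]) + value
def _bc_ext(inner):  # Extension { 2.5.29.19, critical TRUE, OCTET STRING { SEQUENCE inner } }
    return _tlv(0x30, _tlv(0x06, BASIC_CONSTRAINTS_OID) + _tlv(0x01, b"\xff") + _tlv(0x04, _tlv(0x30, inner)))

# Constructed sample [3] Extensions fields (not real certificates): a proper CA, an end-entity, keyUsage only
CA_EXTS = _tlv(0xA3, _tlv(0x30, _bc_ext(_tlv(0x01, b"\xff") + _tlv(0x02, b"\x00"))))
END_ENTITY_EXTS = _tlv(0xA3, _tlv(0x30, _bc_ext(b"")))
NO_BC_EXTS = _tlv(0xA3, _tlv(0x30, _tlv(0x30, _tlv(0x06, bytes.fromhex("551d0f")) + _tlv(0x04, b"\x03\x02\x05\xa0"))))
```

Because the walk descends through every constructed node, the same functions can be fed the full DER bytes of a certificate exported from the keystore.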
Trial certificates are not publicly trusted and so cannot be used to test against public instant messaging providers such as AOL Instant Messenger.
The following procedure describes how to request a Certificate Authority-signed certificate, receive the request, then extract the certificate to the keystore.
For complete details for setting up SSL in WebSphere Application Server, see the WebSphere Application Server information center.
Parent topic: Configuring TLS/SSL for Sametime Gateway
1. Purchasing a certificate from a Certificate Authority
Purchase a Certificate Authority-signed certificate for secure connections between Sametime Gateway and other instant messaging providers.
2. Creating a new keystore
The keystore file is a key database file that contains both public keys and private keys. Public keys are stored as signer certificates while private keys are stored in the personal certificates. A Secure Sockets Layer (SSL) configuration references keystore configurations during WebSphere Application Server runtime. Whether a keystore file was created by another keystore tool or saved from a previous configuration, the file must be part of a keystore configuration object. You can create a keystore configuration for the existing keystore object.
3. Creating a certificate request
To ensure Secure Sockets Layer (SSL) communication, servers require a personal certificate that is signed by a certificate authority (CA). You must first create a personal certificate request to obtain a certificate that is signed by a CA.
4. Importing intermediate CA certificates into the keystore
WebSphere Application Server creates a certificate chain when the signed certificate is received. The chain is constructed from the signer certificates that are in the keystore at the time the certificate is received. Therefore, it is important to import all intermediate certificates as signer certificates into the keystore before receiving the Certificate Authority-signed certificate. When you purchase a server certificate for Sametime Gateway, the certificate is issued by a Certificate Authority (CA). The CA can either be a root CA or an intermediary CA.
5. Receiving a signed certificate
A Certificate Authority (CA) creates a certificate from a certificate request. The WebSphere Application Server keystore receives the certificate from the CA and generates a CA-signed personal certificate that your Sametime Gateway cluster can use for Secure Sockets Layer (SSL) security.
6. Defining the SSL configuration for a cluster
Complete these steps to create a new SSL configuration for a cluster of Sametime
7. Obtaining the root certificate
Download a certificate authority's (CA) root certificate. After you download the certificate, you must add it to the WebSphere Application Server truststore. For connections to AOL, download the Equifax Secure CA because this certificate is used by both communities. For connections to XMPP communities, you must determine what root certificate, if any, is being used, and then check to see if WebSphere Application Server already recognizes the certificate, and, if necessary, download and add the certificate to your truststore.
8. Adding a trusted CA certificate to the keystore
Add your new Certificate Authority certificate to the keystore to establish the trust relationship in SSL communication.
9. Configuring the SIP proxy server to use SSL
Apply the new SSL definition to the SIP proxy server.
10. Configuring the XMPP proxy server to use SSL
Apply the new SSL definition to the XMPP proxy server.
11. Replacing and renewing a certificate in a Gateway cluster
Replacing or renewing a certificate for an IBM Sametime Gateway cluster is similar to importing it for the first time, but you also replace the old certificate with the new one.