IBM Support

Updated security certificate for Push Notifications (iOS)

Flash (Alert)


Abstract

On 5 May 2016, the security certificate for iOS traffic was updated. If Push Notifications have stopped working for the native iOS client, this could be because the SSL certificate for connecting to the APNS server expired.

Content

The Sametime Proxy server ships with an SSL certificate to allow for push notifications to occur securely for the Sametime Mobile Chat client for Apple iOS via the Apple Push Notification Service (APNS). The previous certificate expired on 5 May 2016, and Sametime administrators should have downloaded and applied the updated certificate by that date to prevent interruptions in functionality for users.

Problems that occur if the certificate expired

If the certificate in use by the Sametime Proxy server has expired, users of the native iOS chat client will no longer receive push notifications. Users might describe the symptom as receiving messages only when the application is in the foreground, or that notifications are not sent to the device when the Sametime client application is in the background.

The issue can be identified in the server logs by the following error.

"APNSService W com.ibm.collaboration.realtime.stproxy.services.APNS.APNSService startAPNS CLFRX0079W: Unable to establish an SSL connection to the APNS service Connection refused: connect"

Correct this problem by downloading and installing the updated certificate.

Installation Instructions

Download the updated certificate 9001-ST-Proxy-IF-WLIN-A8SKAK from IBM Fix Central.

Use the installation instructions for your type of deployment:

  • Stand-alone/Cell installation

If you chose this type of installation, then you have a deployment manager (dmgr), as well as a nodeagent and application server, all on the same operating system.

Install the updated certificate by completing the following steps:

1. Copy the provided apns-prod.pkcs12 file to the following directory:

../IBM/WebSphere/AppServer/profiles/[dmgrProfileName]/config/cells/[cellName]/nodes/[stProxyNodename]/

*Note that this is the dmgr profile, NOT the Application profile

2. Perform a Full Resynchronize of the node

3. Stop the STProxyServer

4. Stop the nodeagent

5. Start the nodeagent

6. Start the STProxyServer

  • Network (Primary Node) installation

This type of installation typically means that you are using the Sametime System Console (SSC) as the dmgr. Install the updated certificate by completing the following steps:

1. Copy the provided apns-prod.pkcs12 file to the following directory on the SSC operating system file system:

../IBM/WebSphere/AppServer/profiles/[SSCdmgrProfileName]/config/cells/[SSCcellName]/nodes/[stProxyPNNodename]/

*Note that this is the SSC dmgr profile, NOT the SSC Application profile

2. Perform a Full Resynchronize of the node

3. Stop the STProxyServer

4. Stop the nodeagent

5. Start the nodeagent

6. Start the STProxyServer

Network (Secondary Nodes)

If you have any secondary nodes, you need to copy the apns-prod.pkcs12 file to ALL secondary node directories on the SSC dmgr. The secondary node directories are found in the same place as the primary node directory was found:

../IBM/WebSphere/AppServer/profiles/[SSCdmgrProfileName]/config/cells/[SSCcellName]/nodes

Once copied to the secondary nodes, make sure to restart the nodeagent and STProxyServer as you did for the primary node.
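The copy steps above are easy to miss on one node, so the following added example (not part of the IBM technote or the Sametime product) compares each proxy node's apns-prod.pkcs12 against the file downloaded from Fix Central by SHA-256. The function names, the status strings and the list of proxy node names passed in are assumptions made for illustration.

```python
import hashlib
import sys
from pathlib import Path

KEYSTORE_NAME = "apns-prod.pkcs12"  # file name from the technote


def sha256_of(path):
    """Hex SHA-256 of a file, read in chunks so large files are fine."""
    digest = hashlib.sha256()
    with Path(path).open("rb") as handle:
        for chunk in iter(lambda: handle.read(65536), b""):
            digest.update(chunk)
    return digest.hexdigest()


def audit_nodes(nodes_dir, reference_file, proxy_nodes):
    """Compare each proxy node's keystore with the downloaded reference.

    nodes_dir      -- .../config/cells/[cellName]/nodes in the dmgr profile
    reference_file -- the apns-prod.pkcs12 obtained from Fix Central
    proxy_nodes    -- names of the Sametime Proxy node directories (assumed
                      to be supplied by the administrator)
    Returns {node: "ok" | "stale" | "missing" | "no-such-node"}.
    """
    expected = sha256_of(reference_file)
    results = {}
    for name in proxy_nodes:
        node_dir = Path(nodes_dir) / name
        keystore = node_dir / KEYSTORE_NAME
        if not node_dir.is_dir():
            results[name] = "no-such-node"   # node name does not exist here
        elif not keystore.is_file():
            results[name] = "missing"        # copy step was skipped
        elif sha256_of(keystore) != expected:
            results[name] = "stale"          # differs, e.g. old certificate
        else:
            results[name] = "ok"
    return results


if __name__ == "__main__":
    # usage: audit.py <nodes_dir> <reference apns-prod.pkcs12> <node> [...]
    report = audit_nodes(sys.argv[1], sys.argv[2], sys.argv[3:])
    for node, state in report.items():
        print(f"{node}: {state}")
    sys.exit(0 if all(s == "ok" for s in report.values()) else 1)
```

Run it on the dmgr (or SSC) host before the Full Resynchronize; a non-zero exit status means at least one listed node still needs the file.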

Certificate verification

Any hot fix provided after May 5th, 2016 should contain the latest certificate to allow APNS connections. The certificate can be verified either in the Sametime Proxy Server log file named "CurrentStatus.log" or by completing the following steps:

1. Download the Cert Tool from the following URL:

http://pokgsa.ibm.com/projects/s/sametime-level3-support/certs/cert.jar

2. Run the following command to verify the APNS status: java -jar cert.jar apns -h

Output Sample:

java -jar cert.jar apns -t -f c:\temp\apns-prod.pkcs12

IssuerDN: CN=Apple Worldwide Developer Relations Certification Authority, OU=Apple Worldwide Developer Relations, O=Apple Inc., C=US
SubjectDN: C=US, O=IBM, OU=RBVH72H5WP, CN=Apple Push Services: com.ibm.lotus.sametime, UID=com.ibm.lotus.sametime
From (yyyy-mm-dd): 2016-04-04
To (yyyy-mm-dd): 2017-05-04
MD5: B8:D3:2E:B3:42:04:D5:26:A9:63:68:30:00:15:CA:18:78:A9:AE:20

testing connection to gateway.push.apple.com:2195
passed
testing connection to feedback.push.apple.com:2196
passed

Related information

Updated SSL Certificate on Fix Central

Document information

More support for: IBM Sametime
Sametime Proxy Server and Web Client

Software version: 8.5.2.1, 9.0, 9.0.0.1, 9.0.1

Operating system(s): AIX, Linux, Windows, iOS

Reference #: 1641787

Modified date: 15 April 2016