Adding trust for certificate authorities used by external communities

External community certificates are signed by a specific certificate authority, probably a different authority from the CA that signed your Sametime® Gateway certificate. For the Sametime Gateway to trust a certificate presented by an external community, the CA that issued that certificate must be configured as trusted in advance.

About this task

This topic explains which CA certificate needs to be downloaded and imported into the WebSphere® Application Server trust store.
  • Steps 1-4 explain how to obtain the required CA certificate.
  • Steps 5-7 explain how to import the obtained CA certificates into the WebSphere Application Server.

Procedure

  1. To connect to AOL, download the following CA certificate. Navigate to http://www.geotrust.com/resources/root_certificates/index.asp and download the Equifax Secure Certificate Authority:
    Download - Equifax Secure Certificate Authority (Base-64 encoded X.509)
  2. To connect to AOL, you are also required to download the following additional certificates:
    1. Navigate to https://pki-info.aol.com/AOL/ and download both certificates titled "America Online Root CA 1 certificate" and "America Online Root CA 2 certificate".
    2. Navigate to https://pki-info.aol.com/AOLMSPKI/index.html and download the certificate titled "AOL Member CA certificate".
  3. To connect to an external Sametime-based IM community over SSL, you will need to obtain the CA certificate used by the external community:
    1. Check with the external community administrator to determine which trusted certificate authority they are using.
    2. Obtain the CA certificate.
  4. To connect to an external XMPP-based IM community over SSL, you will need to obtain the CA certificate used by the external community:
    1. Check with the external community administrator to determine which trusted certificate authority they are using.
    2. Obtain the CA certificate.
  5. If the received certificate is stored in a certificate file database of any type (a file with a .db or .p12 suffix, for example), you must extract the certificate to a standalone file before you can import it into WebSphere Application Server.
  6. Complete the following tasks in the Integrated Solutions Console: Click Security > SSL Certificate and key management > Key stores and certificates > NodeDefaultTrustStore > Signer Certificate.
  7. Click Add.
    1. Type an alias to identify the certificate authority in the Alias field. This is a free-form value used to identify the certificate inside WebSphere; a good choice is the value of the certificate's CN (common name) field.
    2. Type in the full path to the file name containing the Certificate Authority's public key. For example: c:\certificates\acme_external_community.arm.
    3. Select the data type.
      Attention: For IBM® i, you must select binary as the data type.
    4. Click OK.
    Note: For IBM i only, certificates are automatically downloaded with the .CER file extension, so you must manually rename them to the .DER file extension.
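Added example, not part of the IBM documentation: a set of POSIX shell helpers for the CA certificate file obtained in steps 1-5, run on the administrator's workstation before the console import in steps 6-7. It assumes openssl is installed for the PKCS#12 extraction and the CN lookup; the file names shown are placeholders.

```shell
#!/bin/sh
# Added example, not from the IBM documentation. Pre-flight helpers for a CA
# certificate file obtained in steps 1-5, run before the console import in
# steps 6-7. openssl is assumed for the extraction and alias helpers only.

# Step 7.3: which data type to select. Prints "Base64" for a PEM (.arm) file,
# "binary" for a DER file (first byte is the ASN.1 SEQUENCE tag 0x30), else
# "unknown" so the operator does not guess.
cert_data_type() {
    if grep -q -- '-----BEGIN CERTIFICATE-----' "$1"; then
        echo "Base64"
    elif [ "$(head -c 1 "$1" | od -An -tx1 | tr -d ' \n')" = "30" ]; then
        echo "binary"
    else
        echo "unknown"
    fi
}

# IBM i note: a downloaded NAME.CER must be renamed to NAME.DER before import.
# Renames in place and prints the resulting path; other suffixes are untouched.
rename_cer_to_der() {
    case "$1" in
        *.CER|*.cer) new="${1%.*}.DER"; mv "$1" "$new"; echo "$new" ;;
        *) echo "$1" ;;
    esac
}

# Step 5: pull only the CA certificate(s) out of a PKCS#12 (.p12) database
# into a standalone PEM file. -nokeys keeps any private key out of the file.
# Usage: extract_ca_from_p12 community.p12 acme_external_community.arm
extract_ca_from_p12() {
    openssl pkcs12 -in "$1" -nokeys -cacerts -out "$2"
}

# Step 7.1: suggest an alias from the certificate's subject CN. Some roots
# (the Equifax Secure CA among them) carry no CN, so fall back to the file name.
suggest_alias() {
    fmt=DER
    [ "$(cert_data_type "$1")" = "Base64" ] && fmt=PEM
    cn=$(openssl x509 -inform "$fmt" -in "$1" -noout -subject \
         | sed -n 's|.*CN *= *\([^,/]*\).*|\1|p')
    echo "${cn:-$(basename "$1" | sed 's/\.[^.]*$//')}"
}
```

Run cert_data_type on the file first; if it prints "unknown", the file is probably still a key database and needs step 5 before anything else.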