Setting up SSL on a single server

These procedures describe how to set up Secure Sockets Layer (SSL) on a single Sametime® Gateway Server for both SIP and XMPP communications.

Before you begin

Before you begin, make sure the Sametime Gateway Server is running.

About this task

To have a secure network connection, you will create a key for secure network communications and receive a certificate from a certificate authority (CA) that is designated as a trusted CA on your server.

WebSphere® Application Server uses the certificates that reside in keystores to establish trust for an SSL connection. WebSphere Application Server creates the key.p12 default keystore file and the trust.p12 default truststore file during profile creation.

A default, self-signed certificate is also created in the key.p12 file at this time. Do not use this or any other self-signed certificate to connect to external communities.

Note: Ensure that the SSL certificate contains the Basic Constraints extension. Do not use a non-SSLv3-compliant self-signed CA. WebSphere Application Server 6.1 uses the IBM® JDK 1.5.0 JSSE2, which checks for the presence of the Basic Constraints extension. If the extension is not set, WebSphere Application Server assumes that the certificate is a user certificate rather than a valid CA certificate. As a result, a server certificate issued by that CA cannot be validated, because the issuing CA is not found.
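One way to check the Basic Constraints requirement from the note above before importing a CA certificate, given as an added example that is not part of the product documentation. It assumes the `openssl` command-line tool is installed; `check_basic_constraints` and `make_sample_cert` are hypothetical helper names, and the certificates it generates are constructed throwaway samples.

```shell
#!/bin/sh
# Added example: classify a PEM certificate by its Basic Constraints extension.
# Return codes: 0 = CA:TRUE (usable as a CA/signer certificate)
#               1 = extension present but CA:FALSE (end-entity certificate)
#               2 = extension absent (the case the note warns about)
#               3 = file could not be parsed as a certificate
check_basic_constraints() {
    cert_text=$(openssl x509 -in "$1" -noout -text 2>/dev/null) || return 3
    # The CA flag is printed on the line after the extension name.
    bc=$(printf '%s\n' "$cert_text" | grep -A1 'X509v3 Basic Constraints') || return 2
    case "$bc" in
        *CA:TRUE*) return 0 ;;
        *)         return 1 ;;
    esac
}

# Hypothetical helper: writes a throwaway self-signed certificate to $1 whose
# extension section contains the openssl.cnf line given in $2 (constructed input).
make_sample_cert() {
    dir=$(mktemp -d) || return 1
    cat > "$dir/req.cnf" <<EOF
[req]
distinguished_name = dn
x509_extensions = ext
prompt = no
[dn]
CN = Constructed Sample CA
[ext]
$2
EOF
    openssl req -x509 -new -newkey rsa:2048 -nodes -days 1 \
        -config "$dir/req.cnf" -keyout "$dir/key.pem" -out "$1" 2>/dev/null ||
        { rm -rf "$dir"; return 1; }
    rm -rf "$dir"
}

# Demo over three constructed certificates: CA, end-entity, and no extension.
demo_dir=$(mktemp -d)
for ext in 'basicConstraints = critical,CA:TRUE' \
           'basicConstraints = CA:FALSE' \
           'keyUsage = digitalSignature'; do
    make_sample_cert "$demo_dir/sample.pem" "$ext" || continue
    rc=0; check_basic_constraints "$demo_dir/sample.pem" || rc=$?
    echo "[$ext] -> return code $rc"
done
rm -rf "$demo_dir"
```

Run `check_basic_constraints` against each root and intermediate CA certificate you plan to add to the truststore; any result other than 0 indicates a certificate that will not be treated as a valid issuing CA.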

Trial certificates are not publicly trusted and so cannot be used to test against public instant messaging providers such as AOL Instant Messenger.

The following procedures describe how to:
  1. Import the certificate authorities' public certificate used by each of the public or private external communities your Sametime Gateway Server will be communicating with.
  2. Request a CA-signed certificate, and then import the signed certificate that the CA provided in response. Before performing this step you might have to import intermediary certificates.
  3. Configure the WebSphere environment to make use of the imported keys.

A complete technical reference on how to set up SSL on the WebSphere Application Server can be found in the WebSphere Application Server product documentation.