Setting up SSL on a cluster

These procedures describe how to set up Secure Sockets Layer (SSL) on a cluster of Sametime® Gateway Servers.

Before you begin

You must first install Sametime Gateway Server on each node, including a deployment manager node, then create the cluster, and create a SIP proxy server for the cluster.

About this task

To have a secure network connection, create a key for secure network communications and receive a certificate from a certificate authority (CA) that is designated as a trusted CA on your server.

WebSphere® Application Server uses the certificates that reside in keystores to establish trust for an SSL connection. WebSphere Application Server creates the key.p12 default keystore file and the trust.p12 default truststore file during profile creation. A default, self-signed certificate is also created in the key.p12 file at this time.

Note: If you use a certificate other than the default self-signed certificate provided, ensure that the SSL certificate contains the Basic Constraints extension. Do not use a non-SSLv3-compliant self-signed CA. WebSphere Application Server 6.1 uses the IBM® JDK 1.5.0 JSSE2 which checks for the presence of the Basic Constraints extension. If the extension is not set, WebSphere Application Server assumes that the CA is not a valid CA but a user certificate, which in returns doesn't allow to validate a server certificate as valid, because the issuing CA is not found.

Trial certificates are not publicly trusted, therefore, they cannot be used to test against public instant messaging providers such as AOL Instant Messenger.

The following procedure describes how to request a Certificate Authority-signed certificate, receive the request, then extract the certificate to the keystore.

For complete details for setting up SSL in WebSphere Application Server, see the WebSphere Application Server product documentation.

  1. Purchasing a certificate from a Certificate Authority
    Purchase a Certificate Authority-signed certificate for secure Connections betweenSametime Gateway Server and other instant messaging providers.
  2. Creating a new keystore
    The keystore file is a key database file that contains both public keys and private keys. Public keys are stored as signer certificates while private keys are stored in the personal certificates. A Secure Sockets Layer (SSL) configuration references keystore configurations during WebSphere Application Server runtime. Whether a keystore file was created by another keystore tool or saved from a previous configuration, the file must be part of a keystore configuration object. You can create a keystore configuration for the existing keystore object.
  3. Requesting a certificate signed by a Certificate Authority for a cluster
    To ensure Secure Sockets Layer (SSL) communication, servers require a personal certificate that is signed by a certificate authority (CA). You must first create a personal certificate request to obtain a certificate that is signed by a CA.
  4. Importing intermediate CA certificates into the keystore
    IBM WebSphere Application Server creates a certificate chain when the signed certificate is received. The chain is constructed from the signer certificates that are in the keystore at the time the certificate is received. Therefore, it is important to import all intermediate certificates as signer certificates into the keystore before receiving the Certificate Authority-signed certificate. When you purchase a server certificate for Sametime Gateway, the certificate is issued by a Certificate Authority (CA). The CA can either be a root CA or an intermediary CA.
  5. Receiving a signed certificate
    A Certificate Authority (CA) creates a certificate from a certificate request. WebSphere Application Server keystore receives the certificate from the CA and generates a CA-signed personal certificate that your Sametime Gateway Server cluster can use for Secure Sockets Layer (SSL) security.
  6. Defining the SSL configuration for a cluster
    Complete these steps to create a new SSL configuration for a cluster of IBM Sametime Gateway Servers.
  7. Obtaining the root certificate
    Download a certificate authority's (CA) root certificate. After you download the certificate, you must add it to the IBM WebSphere Application Server truststore. For connections to AOL, download the Equifax Secure CA because this certificate is used by both communities. For connections to XMPP communities, you must determine what root certificate, if any, is being used, and then check to see if WebSphere Application Server already recognizes the certificate, and, if necessary, download and add the certificate to your truststore.
  8. Adding a trusted CA certificate to the keystore
    Add your new Certificate Authority certificate to the keystore to establish the trust relationship in SSL communication.
  9. Configuring the SIP proxy server to use SSL
    Apply the new SSL definition to the SIP proxy server.
  10. Configuring the XMPP proxy server to use SSL
    Apply the new SSL definition to the XMPP proxy server.
  11. Replacing and renewing a certificate in a Gateway cluster
    Replacing or renewing a certificate for an IBM Sametime Gateway cluster is similar to importing it for the first time, but you also replace the old certificate with the new one.
Parent topic: Configuring TLS/SSL for Sametime Gateway