Issuing a SAN entry certificate request for a cluster

Issue a single certificate request whose Subject Alternative Names (SAN) extension lists one or more entries when an encrypted (TLS) federation with an external community requires it, for example when the external community is Microsoft™ Lync and the IBM® Sametime® Gateway Server serves more than one local domain.

Before you begin

Stop the Sametime Gateway cluster environment (servers, node agents, deployment manager, proxies).

About this task

Use the IBM iKeyman utility to create a keystore in which the SAN certificate request is stored. The iKeyman utility is a graphical user interface (GUI) based tool that you can use to manage your digital certificates. With iKeyman, you can create a new key database or test a digital certificate, add certificate authority (CA) roots to your database, copy certificates from one database to another, request and receive a digital certificate from a CA, set default keys, and change passwords.

The iKeyman utility is located in the WAS_ROOT\bin\ikeyman directory.

Procedure

  1. From the iKeyman utility, click Key Database File and then click Open.
  2. In the Key database type field, select PKCS12, and then browse to ${CONFIG_ROOT}\STGWKS.p12 and click OK.
  3. Enter the keystore password.
  4. Click Create > New Certificate Request.
  5. In the Key Label field, specify the certificate name.
  6. In the Key Size field, select 2048 as the key size for the certificate.
  7. In the Signature Algorithm field, select SHA256WithRSA.
  8. In the Common Name field, specify the common name of the certificate in lower case characters.
    Note: If the common name contains upper case characters, some services will not accept it.
  9. In the Organization field, type an organization name. This value is the organization value in the certificate distinguished name.
  10. In the Organization unit field, type the organization unit portion of the distinguished name.
  11. In the Locality field, type the locality portion of the distinguished name.
  12. In the State or Province field, type the state portion of the distinguished name.
  13. In the Zip Code field, type the zip code portion of the distinguished name.
  14. In the Country or region field, select the two-letter country code portion of the distinguished name.
  15. In the Subject Alternative Names section, DNS Name field, enter all of the domains of the local community, including the domain you used as the common name. When a certificate carries a SAN extension, TLS clients match the server name against the SAN list rather than the common name, so a domain that is missing from this field will fail name checks even if it is the common name.
  16. Make a backup copy of your keystore file before you receive the CA-signed certificate into it. The keystore holds the private key that matches the request; if it is lost or overwritten, the signed certificate the CA returns is unusable.
  17. Send the certificate request to a Certificate Authority for signing.
  18. Start the Sametime Gateway cluster DMGR and node agents.
  19. Synchronize your changes to all nodes in the cluster by clicking System Administration > Nodes.
  20. Select all nodes in the cluster, then click Full Resynchronize.
  21. Start the Sametime Gateway cluster.
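The following script is an added example, not part of the original page or of the Sametime Gateway product. It reproduces the request parameters of the iKeyman procedure above (2048-bit RSA key, SHA256WithRSA signature, lower-case common name, one SAN DNS entry per local domain) with OpenSSL, and then performs the checks a practitioner wants to run on the request before sending it to the CA. It writes a PEM private key and CSR to a temporary directory rather than into the STGWKS.p12 keystore, so it is a way to verify what a correct request looks like, not a drop-in replacement for the keystore steps. The organization values, postal code and domain names (gw.example.com, im.example.net) are constructed placeholders.

```shell
#!/bin/sh
# Added example (not from the original page): build and verify a SAN certificate
# request with OpenSSL using the same parameters as the iKeyman steps above.
# Domain names and DN values below are constructed placeholders.
set -eu

# Write an OpenSSL request config. $1 = common name, remaining args = SAN DNS
# names. Every name is forced to lower case because some services reject
# upper-case characters in the common name.
make_req_config() {
  cn=$(printf '%s' "$1" | tr 'A-Z' 'a-z')
  shift
  alt=""
  i=1
  for d in "$@"; do
    alt="${alt}DNS.${i} = $(printf '%s' "$d" | tr 'A-Z' 'a-z')
"
    i=$((i + 1))
  done
  cat <<EOF
[ req ]
default_bits       = 2048
default_md         = sha256
prompt             = no
distinguished_name = dn
req_extensions     = ext

[ dn ]
CN         = ${cn}
O          = Example Org
OU         = Sametime Gateway
L          = Anytown
ST         = Anystate
postalCode = 00000
C          = US

[ ext ]
subjectAltName = @alt

[ alt ]
${alt}
EOF
}

# Generate a 2048-bit RSA key and a SHA-256-signed CSR. $1 = output prefix,
# $2 = config file. The key is written unencrypted; protect it like the keystore.
gen_csr() {
  openssl req -new -newkey rsa:2048 -nodes -sha256 \
    -keyout "$1.key" -out "$1.csr" -config "$2" 2>/dev/null
}

# Check the CSR before it goes to the CA. $1 = CSR file, remaining args = the
# DNS names that must appear in the SAN extension. Returns 1 on the first failure.
verify_csr() {
  csr=$1
  shift
  text=$(openssl req -in "$csr" -noout -text)
  printf '%s\n' "$text" | grep -q 'Public-Key: (2048 bit)' \
    || { echo "key size is not 2048 bits"; return 1; }
  printf '%s\n' "$text" | grep -q 'sha256WithRSAEncryption' \
    || { echo "signature algorithm is not SHA256WithRSA"; return 1; }
  # Split the comma-separated SAN line and match each entry exactly, so that
  # gw.example.com does not satisfy a check for w.example.com.
  sans=$(printf '%s\n' "$text" | tr ',' '\n' | sed 's/^ *//' | grep '^DNS:' || true)
  for d in "$@"; do
    printf '%s\n' "$sans" | grep -qx "DNS:${d}" \
      || { echo "SAN entry missing: ${d}"; return 1; }
  done
  cn=$(openssl req -in "$csr" -noout -subject -nameopt RFC2253 \
    | sed -n 's/^subject=//; s/.*CN=\([^,]*\).*/\1/p')
  [ "$(printf '%s' "$cn" | tr 'A-Z' 'a-z')" = "$cn" ] \
    || { echo "common name contains upper case: ${cn}"; return 1; }
  # Clients match the server name against the SAN list, not the CN, when a
  # SAN extension is present, so the CN domain must also be listed there.
  printf '%s\n' "$sans" | grep -qx "DNS:${cn}" \
    || { echo "common name ${cn} is not among the SAN entries"; return 1; }
  return 0
}

# Stand-alone run: two local domains, one of which is the common name.
work=$(mktemp -d)
make_req_config "GW.Example.COM" gw.example.com im.example.net > "$work/req.cnf"
gen_csr "$work/stgw" "$work/req.cnf"
verify_csr "$work/stgw.csr" gw.example.com im.example.net && echo "CSR OK: $work/stgw.csr"
```

Run the verification against any CSR before it leaves your hands: a request with a missing SAN entry, an upper-case common name or the wrong key size is cheap to regenerate now and expensive once the CA has signed it. The same `openssl req -noout -text` output can be used to inspect a CSR exported from iKeyman.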