When using TLS to encrypt traffic on the IBM® Sametime® Community
Server, the Community Server presents its certificate during a TLS
handshake to any Sametime server application connecting to the server.
To allow the server application
to verify the validity of the signer of the Sametime Community Server's
certificate as part of the TLS handshake, the signer's certificate
must be present in the trust store used by the server applications.
Ensure that the certificate belonging to the server certificate signer
contains the Basic Constraints extension with the cA flag set to TRUE.
About this task
Best practices dictate that the signer's certificate contain
the optional Basic Constraints extension with the cA flag set to TRUE.
This extension indicates that the owner of the certificate is a certificate
authority. If the extension is not part of the signer's certificate,
add the ST_TLS_TRUST_MANAGER_FACTORY_ALGORITHM flag to the [Config]
section of the sametime.ini file on the Sametime Community Server.
Setting this flag allows all server applications to connect to the Sametime Community Server.
Complete these steps to add that flag.
Procedure
- On the Sametime Community Server, open the sametime.ini file in a text editor.
  By default the sametime.ini file is located in the Sametime Community Server installation folder. For example, C:\Domino\Sametime.ini
- In the [Config] section of the sametime.ini file, add this entry:
  ST_TLS_TRUST_MANAGER_FACTORY_ALGORITHM=PKIX
- Save and close the file.
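A check for the condition this procedure depends on, as an added example that is not part of the IBM documentation: it reads the signer certificate's Basic Constraints extension and, only if the extension is absent, reports whether the [Config] entry is already present in sametime.ini. The certificate path C:\certs\signer.cer and the function names are assumptions for illustration; the script changes nothing on disk.

```powershell
using namespace System.Security.Cryptography.X509Certificates
# Added example. $SignerCertPath is an assumed location for the exported signer
# certificate; $IniPath is the example path given in the procedure.
param(
    [string]$SignerCertPath = 'C:\certs\signer.cer',
    [string]$IniPath        = 'C:\Domino\Sametime.ini'
)
$flag = 'ST_TLS_TRUST_MANAGER_FACTORY_ALGORITHM'

# Returns 'CA', 'NotCA' or 'Missing' for Basic Constraints (OID 2.5.29.19).
function Get-BasicConstraintsStatus([string]$Path) {
    $cert = [X509Certificate2]::new($Path)
    $ext  = $cert.Extensions['2.5.29.19']
    if ($null -eq $ext) { return 'Missing' }
    # Decode the raw extension value instead of relying on the loaded object's type.
    $bc = [X509BasicConstraintsExtension]::new($ext, $ext.Critical)
    if ($bc.CertificateAuthority) { return 'CA' }
    return 'NotCA'
}

# Returns the flag's value inside the [Config] section, or $null if it is not there.
function Get-ConfigFlagValue([string]$Path, [string]$Name) {
    $inConfig = $false
    foreach ($line in Get-Content -LiteralPath $Path) {
        $t = $line.Trim()
        if ($t -match '^\[(.+)\]$') { $inConfig = ($Matches[1] -eq 'Config'); continue }
        if ($inConfig -and $t -match ('^' + [regex]::Escape($Name) + '\s*=\s*(.*)$')) {
            return $Matches[1].Trim()
        }
    }
    return $null
}

switch (Get-BasicConstraintsStatus $SignerCertPath) {
    'CA'      { 'Signer has Basic Constraints with cA=TRUE; no sametime.ini change is needed.' }
    'NotCA'   { 'Signer has Basic Constraints but cA is not TRUE; it does not meet the stated requirement.' }
    'Missing' {
        $value = Get-ConfigFlagValue $IniPath $flag
        if ($null -eq $value)      { "Basic Constraints is missing: add $flag=PKIX to [Config] in $IniPath" }
        elseif ($value -ne 'PKIX') { "Basic Constraints is missing and $flag is set to '$value', not PKIX" }
        else                       { "Basic Constraints is missing; $flag=PKIX is already set in [Config]" }
    }
}
```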