Setting up SSL for a single Gateway server

These procedures describe how to set up Secure Sockets Layer (SSL) on a single Sametime® Gateway Server for both SIP and XMPP communications.

Before you begin

Before you begin, make sure the Sametime Gateway Server is running.

About this task

To have a secure network connection, you will create a key for secure network communications and receive a certificate from a certificate authority (CA) that is designated as a trusted CA on your server.

WebSphere® Application Server uses the certificates that reside in keystores to establish trust for an SSL connection. WebSphere Application Server creates the key.p12 default keystore file and the trust.p12 default truststore file during profile creation.

A default, self-signed certificate is also created in the key.p12 file at this time. Do not use this self-signed certificate, or any other self-signed certificate, to connect to external communities.

Note: Ensure that the SSL certificate contains the Basic Constraints extension. Do not use a non-SSLv3-compliant self-signed CA. WebSphere Application Server 6.1 uses the IBM® JDK 1.5.0 JSSE2, which checks for the presence of the Basic Constraints extension. If the extension is not set, WebSphere Application Server assumes that the CA certificate is not a valid CA certificate but a user certificate; as a result, a server certificate issued by that CA cannot be validated, because the issuing CA is not found.

Trial certificates are not publicly trusted and so cannot be used to test against public instant messaging providers such as AOL Instant Messenger™.

The following procedure describes how to:
  1. Import the public certificate of the certificate authority used by each of the public or private external communities that your Sametime Gateway Server will communicate with.
  2. Request a CA-signed certificate, and then import the signed certificate that the CA provides in response. Before performing this step, you might have to import intermediate certificates.
  3. Configure the WebSphere environment to use the imported keys.

A complete technical reference on setting up SSL on WebSphere Application Server is available in the WebSphere Application Server product documentation.

Procedure

  1. Add trust for certificate authorities used by external communities.
  2. Request a certificate signed by a certificate authority.
  3. Import any intermediate CA certificates into the keystore.
  4. Import the signed certificate issued by the CA into the keystore.
  5. Set up Sametime Gateway to use a new certificate.
  6. Import the Community Server's certificate into the Gateway Server.
  7. Import the Gateway Server's certificate into the Community Server.
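As an added example (not taken from the Sametime Gateway or WebSphere documentation), the following POSIX shell script uses only the openssl command line to walk through the certificate flow behind steps 1 to 4 of the procedure on constructed test material, and to show the effect of the Basic Constraints note above: it issues one CA that carries Basic Constraints with CA:TRUE and one that omits the extension, has each sign a server request, and then validates the resulting chains. openssl rejects the issuer without Basic Constraints, which is the same failure the note describes for WebSphere. The host name gateway.example.com, the file prefixes, the friendly name and the password are placeholders; the script assumes OpenSSL 1.1.1 or later is installed and writes everything to a scratch directory that it removes on exit.

```shell
#!/bin/sh
# Added example; not part of the Sametime Gateway or WebSphere documentation.
# Assumes the openssl CLI (OpenSSL 1.1.1 or later). All certificates, keys and
# host names below are constructed for the demonstration.
set -eu

WORK=$(mktemp -d)
trap 'rm -rf "$WORK"' EXIT

# Issue a self-signed CA certificate. $1 = file prefix, remaining arguments =
# extension lines in openssl x509 -extfile syntax.
make_ca() {
    name="$1"; prefix="$WORK/$1"; shift
    printf '%s\n' "$@" > "$prefix.ext"
    openssl genpkey -algorithm RSA -pkeyopt rsa_keygen_bits:2048 \
        -out "$prefix.key" 2>/dev/null
    openssl req -new -key "$prefix.key" -subj "/CN=$name" -out "$prefix.csr"
    openssl x509 -req -in "$prefix.csr" -signkey "$prefix.key" -days 365 \
        -extfile "$prefix.ext" -out "$prefix.pem" 2>/dev/null
}

# Procedure step 2: the server generates a key pair and a certificate signing
# request (CSR). $1 = file prefix, $2 = host name used as the subject CN.
make_csr() {
    prefix="$WORK/$1"
    openssl genpkey -algorithm RSA -pkeyopt rsa_keygen_bits:2048 \
        -out "$prefix.key" 2>/dev/null
    openssl req -new -key "$prefix.key" -subj "/CN=$2" -out "$prefix.csr"
}

# What the CA does with the request: sign it as an end-entity (CA:FALSE)
# server certificate. $1 = CA prefix, $2 = CSR prefix, $3 = output prefix,
# $4 = host name for the subjectAltName.
sign_csr() {
    ca="$WORK/$1"; csr="$WORK/$2"; out="$WORK/$3"
    printf '%s\n' 'basicConstraints = CA:FALSE' \
        'keyUsage = critical, digitalSignature, keyEncipherment' \
        'extendedKeyUsage = serverAuth' "subjectAltName = DNS:$4" > "$out.ext"
    openssl x509 -req -in "$csr.csr" -CA "$ca.pem" -CAkey "$ca.key" \
        -CAcreateserial -days 365 -extfile "$out.ext" -out "$out.pem" 2>/dev/null
}

# The check from the note: does the certificate carry the Basic Constraints
# extension with CA:TRUE? Returns 0 (yes) or 1 (no). $1 = certificate file.
cert_is_ca() {
    openssl x509 -in "$1" -noout -text | grep -q '^ *CA:TRUE'
}

# What a peer does once the CA is trusted (step 1) and the signed certificate
# is presented (step 4): build and validate the chain. Returns 0 on success.
# $1 = trusted CA prefix, $2 = server certificate prefix.
verify_chain() {
    openssl verify -CAfile "$WORK/$1.pem" "$WORK/$2.pem" >/dev/null 2>&1
}

# Nearest openssl analogue of the keystore contents after step 4: the server
# key, its signed certificate and the issuing CA in one PKCS#12 file.
# $1 = key prefix, $2 = certificate prefix, $3 = CA prefix, $4 = output file.
bundle_p12() {
    openssl pkcs12 -export -inkey "$WORK/$1.key" -in "$WORK/$2.pem" \
        -certfile "$WORK/$3.pem" -name gateway -out "$WORK/$4" \
        -passout pass:changeit      # placeholder password
}

report() {   # $1 = CA prefix, $2 = server certificate prefix
    if cert_is_ca "$WORK/$1.pem"; then echo "$1: Basic Constraints CA:TRUE present"
    else echo "$1: Basic Constraints extension missing"; fi
    if verify_chain "$1" "$2"; then echo "  $2 validates against $1"
    else echo "  $2 does NOT validate against $1 (issuer not accepted as a CA)"; fi
}

# One CA that follows the note (Basic Constraints plus keyCertSign) and one
# that omits Basic Constraints, as the note warns against.
make_ca good-ca 'basicConstraints = critical, CA:TRUE' \
                'keyUsage = critical, keyCertSign, cRLSign' \
                'subjectKeyIdentifier = hash'
make_ca bad-ca  'subjectKeyIdentifier = hash'
make_csr gateway gateway.example.com               # placeholder host name
sign_csr good-ca gateway gateway-good gateway.example.com
sign_csr bad-ca  gateway gateway-bad  gateway.example.com
bundle_p12 gateway gateway-good good-ca gateway.p12
report good-ca gateway-good
report bad-ca  gateway-bad
```

In WebSphere terms, good-ca.pem is what step 1 imports into the truststore (trust.p12), gateway.csr is the request produced in step 2, and gateway.p12 corresponds to what the keystore (key.p12) holds after step 4. In the real procedure the private key never leaves the keystore: the CSR is generated from it and only the signed certificate is imported, which is why a keystore tool rather than openssl is used there. Run the script with sh; the first report should show CA:TRUE and a validating chain, the second a missing extension and a failed validation, the symptom the note describes.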

What to do next

If necessary, replace (or renew) a certificate for the Gateway Server.