Setting up TLS/SSL for a Gateway cluster

These procedures describe how to set up Secure Sockets Layer (SSL) on a cluster of Sametime® Gateway Servers.

Before you begin

You must first install Sametime Gateway Server on each node, including a deployment manager node, then create the cluster, and create a SIP proxy server for the cluster.

About this task

To have a secure network connection, create a key for secure network communications and receive a certificate from a certificate authority (CA) that is designated as a trusted CA on your server.

WebSphere® Application Server uses the certificates that reside in keystores to establish trust for an SSL connection. WebSphere Application Server creates the key.p12 default keystore file and the trust.p12 default truststore file during profile creation. A default, self-signed certificate is also created in the key.p12 file at this time.

Note: If you use a certificate other than the default self-signed certificate provided, ensure that the SSL certificate contains the Basic Constraints extension. Do not use a non-SSLv3-compliant self-signed CA. WebSphere Application Server 6.1 uses the IBM® JDK 1.5.0 JSSE2, which checks for the presence of the Basic Constraints extension. If the extension is not set, WebSphere Application Server assumes that the CA certificate is not a valid CA certificate but a user certificate, which in turn prevents a server certificate from being validated, because its issuing CA is not found.
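The following shell script is an added example; it is not part of the IBM documentation and does not use WebSphere or the IBM JDK. It uses the openssl command-line tool (assumed to be installed) to reproduce the behaviour the note describes, because OpenSSL applies the same rule: a version 3 certificate that carries no Basic Constraints extension is not accepted as a CA. A self-signed CA certificate with Basic Constraints CA:TRUE validates a server certificate it issued, while an otherwise identical CA certificate without the extension is rejected. All keys, certificates, file names and the gateway host name are constructed for the example. The has_ca_basic_constraints function is the check to run on any CA certificate before you import it into a keystore or truststore.

```shell
#!/bin/sh
# Added example (not IBM's code): why a CA certificate without the X.509v3
# Basic Constraints extension cannot validate a server certificate.
# Requires the openssl command-line tool; all files go to a temporary directory.
set -e

WORK="$(mktemp -d)"
trap 'rm -rf "$WORK"' EXIT

# Minimal openssl.cnf (constructed) with two extension profiles: a proper CA
# profile with basicConstraints CA:TRUE, and one that omits Basic Constraints.
cat > "$WORK/ca.cnf" <<'EOF'
[req]
distinguished_name = dn
prompt = no

[dn]
CN = Constructed Test CA

[good_ca]
basicConstraints = critical, CA:TRUE
keyUsage = critical, keyCertSign, cRLSign
subjectKeyIdentifier = hash

[bad_ca]
subjectKeyIdentifier = hash
EOF

# make_ca <name> <extension-section>: self-signed CA certificate and key.
make_ca() {
    openssl req -x509 -newkey rsa:2048 -nodes -days 30 \
        -config "$WORK/ca.cnf" -extensions "$2" \
        -keyout "$WORK/$1.key" -out "$WORK/$1.pem" 2>/dev/null
}

# issue_leaf <ca-name> <out-name>: server certificate signed by that CA.
issue_leaf() {
    openssl req -new -newkey rsa:2048 -nodes -config "$WORK/ca.cnf" \
        -subj "/CN=gateway.example.test" \
        -keyout "$WORK/$2.key" -out "$WORK/$2.csr" 2>/dev/null
    openssl x509 -req -in "$WORK/$2.csr" \
        -CA "$WORK/$1.pem" -CAkey "$WORK/$1.key" -set_serial 1 -days 30 \
        -out "$WORK/$2.pem" 2>/dev/null
}

# has_ca_basic_constraints <cert.pem>: exit status 0 if the certificate carries
# Basic Constraints with CA:TRUE, non-zero otherwise. Run this on every CA
# certificate before importing it into the keystore or truststore.
has_ca_basic_constraints() {
    openssl x509 -in "$1" -noout -text \
        | grep -A1 'X509v3 Basic Constraints' | grep -q 'CA:TRUE'
}

# chain_validates <ca.pem> <leaf.pem>: exit status 0 if openssl accepts the
# server certificate as issued by that CA.
chain_validates() {
    openssl verify -CAfile "$1" "$2" >/dev/null 2>&1
}

# Build both CAs and one server certificate under each.
make_ca goodca good_ca
make_ca badca bad_ca
issue_leaf goodca leaf_good
issue_leaf badca leaf_bad

# Report: the good CA validates its server certificate; the CA without
# Basic Constraints is rejected, which is the failure the note describes.
for ca in goodca badca; do
    if has_ca_basic_constraints "$WORK/$ca.pem"; then
        echo "$ca: Basic Constraints CA:TRUE present"
    else
        echo "$ca: Basic Constraints missing (treated as a user certificate)"
    fi
done
chain_validates "$WORK/goodca.pem" "$WORK/leaf_good.pem" \
    && echo "leaf_good: validated by goodca"
chain_validates "$WORK/badca.pem" "$WORK/leaf_bad.pem" \
    || echo "leaf_bad: rejected, badca is not a valid CA"
```

On the Java side, the equivalent inspection of a PEM or DER certificate file is keytool -printcert -v -file ca.pem, which lists the BasicConstraints extension when it is present; if that listing shows no BasicConstraints entry, the certificate will fail in the way the note describes once it is used as an issuer.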

Trial certificates are not publicly trusted; therefore, they cannot be used to test against public instant messaging providers such as AOL Instant Messenger™.

The following procedure describes how to request a certificate signed by a Certificate Authority, receive the signed certificate, and then add it to the keystore.

For complete details for setting up SSL in WebSphere Application Server, see the WebSphere Application Server product documentation.

Procedure

  1. Purchase a certificate from a Certificate Authority.
  2. Create a new keystore.
  3. Request a certificate signed by a Certificate Authority for a cluster.
  4. Import intermediate CA certificates into the keystore.
  5. Receive a signed certificate.
  6. Define the default SSL configuration for a cluster.
  7. Define the SSL configuration for a cluster.
  8. Obtain the root certificate.
  9. Add a trusted CA certificate to the keystore.
  10. Add the CA certificate to the CellDefaultTrustStore.
  11. Configure the Gateway servers to use SSL.
  12. Configure the SIP proxy server to use SSL.
  13. Configure the XMPP proxy server to use SSL.
  14. Import the Community Server's certificate into the Gateway Server cluster.
  15. Import the Gateway Server cluster's certificate into the Community Server.

What to do next

If necessary, replace (or renew) a certificate for the cluster.