Creating a truststore with a third party certificate
When the Sametime server connects to another service over TLS (for example an LDAP directory, a SAML identity provider, or the HTTPS server that hosts business card photos), a truststore is needed. The truststore holds the third-party certificates, typically the CA certificate chain that issued the service's server certificate, that the Sametime server must trust for the TLS handshake to succeed.
Before you begin
To create a truststore, the Java keytool command is used. The keytool utility must be installed to complete the steps. It is part of the Oracle JDK and of OpenJDK, and OpenJDK is included with Sametime. For more information on keytool, see the OpenJDK The keytool Command or Oracle Tools Reference websites. Run the utility from the directory where it is installed, or add that directory to your PATH.
The certificate used to trust the connection must be an X.509 certificate file (a .crt file, PEM or DER encoded; keytool accepts either). For chained certificates, you also need the root and intermediate certificates, and each certificate in the chain is imported under its own alias.
SAML connections, LDAP connections, and business card photos each have additional considerations for creating the truststore, including a required file name. See the following sections for details.
Creating a truststore when using SAML
About this task
When using a SAML connection, the Sametime server must be able to validate the SAML tokens it receives, so it needs the certificate of each identity provider that issues them. You need to know how many SAML partnerships or relying party trusts are required. For information on identifying the number, see Setting up SSO using SAML. If you are supporting more than one relying party trust, create one truststore that contains the certificate for each one, each under its own alias.
The SAML trust store file name must be samltruststore.p12.
Procedure
keytool -importcert -storetype PKCS12 -keystore samltruststore.p12 -storepass truststore_password -alias alias_name -file file_to_trust.crt -noprompt
- truststore_password
- The desired password for your trust store. Save the password for later use.
- alias_name
- The name under which the certificate is stored in the truststore. Each certificate must have a unique alias.
- file_to_trust.crt
- The full path to the certificate you are adding to the trust store.
If the truststore will be read by software that supports only the older PKCS12 encoding (recent JDK releases write PKCS12 files with stronger default encryption and MAC algorithms that older JDK releases cannot open), add the -J-Dkeystore.pkcs12.legacy parameter to the command. For example:
keytool -importcert -storetype PKCS12 -keystore samltruststore.p12 -storepass truststore_password -alias alias_name -file file_to_trust.crt -noprompt -J-Dkeystore.pkcs12.legacy
Creating a truststore when using LDAP
About this task
If the LDAP connection is secured using TLS, the Sametime server needs the certificate (or the issuing CA chain) of the LDAP server to complete the TLS handshake. If you are connecting to multiple LDAP servers that have different certificates, you need to trust each certificate in a single truststore, each under its own alias.
The LDAP truststore file name must be ldaptruststore.p12. The commands in this procedure create it with that name.
Procedure
- Copy the certificates to be trusted to the machine where the keytool utility is installed, and stage them in a temporary directory.
- Create the truststore by issuing the following command with the parameters:
keytool -importcert -storetype PKCS12 -keystore ldaptruststore.p12 -storepass truststore_password -alias alias_name -file file_to_trust.crt -noprompt
- truststore_password
- The desired password for your trust store. Save the password for later use.
- alias_name
- The name under which the certificate is stored in the truststore. Each certificate must have a unique alias.
- file_to_trust.crt
- The full path to the certificate you are adding to the trust store.
- Optional: To import additional certificates into the existing truststore, run the following command once per certificate, using a unique alias for each one.
keytool -importcert -storetype PKCS12 -keystore ldaptruststore.p12 -storepass truststore_password -alias aliasname -file file_to_trust.crt -noprompt
Creating a truststore when using business card photos
About this task
If you are retrieving photos from an HTTPS URL, the Sametime Proxy service needs a truststore containing the certificate (or issuing CA chain) of the server that hosts the PhotoURL, so that it can complete the TLS handshake and retrieve the photos.
The truststore file name must be XXXX.p12.
keytool -importcert -storetype PKCS12 -keystore XXX.p12 -storepass truststore_password -alias alias_name -file file_to_trust.crt -noprompt
- truststore_password
- The desired password for your truststore. Save the password for later use.
- alias_name
- The name under which the certificate is stored in the truststore. Each certificate must have a unique alias.
- file_to_trust.crt
- The full path to the certificate you are adding to the truststore.
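The three procedures above run the same keytool command once per certificate, which for a chained certificate means one run each for the root, the intermediate and the server certificate. The following script is an added example and is not part of the Sametime documentation or product: it optionally captures the chain a TLS server presents (with openssl s_client), splits a PEM bundle into one file per certificate, imports each file into a PKCS12 truststore under its own alias, and then lists the store to confirm the number of trusted entries. The truststore name, password and bundle path are arguments; the cert-01.crt file naming and the alias scheme are this example's own choices, not a Sametime requirement, and the store name passed in must still be the one the relevant section specifies (samltruststore.p12, ldaptruststore.p12).

```shell
#!/bin/sh
# Added example, not from the Sametime documentation.
# Builds a PKCS12 truststore from a PEM certificate bundle (root +
# intermediate + leaf), importing each certificate under a unique alias,
# then verifies how many trusted entries the store contains.
# Assumes keytool (JDK) on PATH; fetch_server_chain also assumes openssl.

# Capture the certificate chain a TLS server presents (for example an
# LDAPS host on port 636) into a PEM bundle. This records what the server
# sent; check it against the CA you expect before trusting it.
fetch_server_chain() {
  host="$1"; port="$2"; out="$3"
  openssl s_client -connect "$host:$port" -showcerts </dev/null 2>/dev/null |
    awk '/-----BEGIN CERTIFICATE-----/,/-----END CERTIFICATE-----/' > "$out"
}

# Split a PEM bundle into cert-01.crt, cert-02.crt, ... in OUTDIR.
# Text outside the BEGIN/END markers is dropped. Prints the count found.
split_pem_bundle() {
  bundle="$1"; outdir="$2"
  mkdir -p "$outdir"
  awk -v dir="$outdir" '
    /-----BEGIN CERTIFICATE-----/ { n++; f = sprintf("%s/cert-%02d.crt", dir, n); inside = 1 }
    inside { print > f }
    /-----END CERTIFICATE-----/ { inside = 0; close(f) }
    END { print n + 0 }
  ' "$bundle"
}

# Import every .crt file in DIR into the PKCS12 truststore STORE.
# The alias is the file name without .crt, so each alias is unique.
import_certs() {
  store="$1"; password="$2"; dir="$3"
  for crt in "$dir"/*.crt; do
    keytool -importcert -storetype PKCS12 -keystore "$store" \
      -storepass "$password" -alias "$(basename "$crt" .crt)" \
      -file "$crt" -noprompt
  done
}

# Count trusted certificate entries in STORE: keytool -list prints one
# "trustedCertEntry" line per imported certificate.
count_trusted_entries() {
  keytool -list -storetype PKCS12 -keystore "$1" -storepass "$2" |
    grep -c trustedCertEntry
}

# Usage: sh build-truststore.sh <truststore.p12> <password> <chain.pem>
# e.g.   sh build-truststore.sh ldaptruststore.p12 "$TS_PASS" ldap-chain.pem
if [ "$#" -eq 3 ]; then
  work=$(mktemp -d)
  found=$(split_pem_bundle "$3" "$work")
  echo "found $found certificate(s) in $3"
  import_certs "$1" "$2" "$work"
  echo "$(count_trusted_entries "$1" "$2") trusted entries now in $1"
  rm -rf "$work"
fi
```

After the script runs, `keytool -list -v -storetype PKCS12 -keystore ldaptruststore.p12 -storepass ...` shows each entry with its alias, subject and issuer, which is the quickest way to confirm that the whole chain, and not only the server certificate, was imported.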
What to do next
After creating the truststore, see Setting up business cards.