Replacing the default certificate used by IBM SIP Edge Proxy Server

To avoid the issue of IBM® Sametime® clients rejecting the certificate issued for the IBM SIP Edge Proxy Server, replace the default certificate on the IBM SIP Edge Proxy Server so that it contains the Sametime SIP Proxy/Registrar's fully qualified domain name.

About this task

These instructions apply to the default certificate, which is meant for internal communications and is not meant to act as a certificate authority. Sametime clients verify that the certificate was issued for the SIP Proxy/Registrar. In an IBM SIP Edge Proxy Server deployment, the client opens a TLS connection to the IBM SIP Edge Proxy Server and therefore receives a certificate issued for the IBM SIP Edge Proxy Server rather than for the SIP Proxy/Registrar. The client rejects this certificate.

Procedure

  1. On the deployment manager for the IBM SIP Edge Proxy Server, log in to the WebSphere Integrated Solutions Console as the WebSphere administrator.
  2. In the Inbound > CellDefaultSSLSettings tree, select the STMediaServer WebSphere Application Server hosting the SIP Edge Proxy application by completing the following steps:
    1. Click Security > SSL certificate and key management.
    2. Click Manage endpoint security configurations.
    3. Expand Inbound > CellDefaultSSLSettings > nodes.
    4. Select the server that hosts the SIP Edge Proxy application by completing the following steps:
      • Select the node where the SIP Edge Proxy Server is installed and expand it.
      • Click servers.
      • Select the STMediaServer WebSphere Application Server where the SIP Edge Proxy application is hosted.
  3. Complete these steps to create the chained certificate:
    1. Click Manage Certificates.
    2. Click Create and then select Chained Certificate.
    3. Complete these fields:
      • alias -- Specify an alias for the SIP Edge Proxy Server. For example, enter sip-pr-cn-cert
      • common name -- Specify the SIP Proxy/Registrar's fully qualified domain name as defined in the stavconfig.xml file for your SIP Proxy/Registrar host. For example, enter SIPProxyServerName.company.com
        Note: Do not use an internal name for the common name. The client will be rejected if the name specified here is not the same as the name specified in the certificate common name.
      • organization -- Specify the organization for the new certificate. For example, enter IBM
      • country -- Specify the country. For example, enter US
  4. Click OK and Save.
  5. Click Security > SSL certificate and key management.
  6. Click Manage endpoint security configurations.
  7. Expand Inbound and then expand the nodes in that section. Select the SIP Edge Proxy Server.
  8. On the SSL certificate and key management page, click Manage certificates.
  9. Select the old (default alias) certificate by selecting the check box and then click Replace.
  10. In the "General properties" section, in the Replace with list, select the new certificate that is displayed using the alias name that you entered in step 3.c.
  11. Select the Delete old certificate after replacement check box.
  12. Click OK and then click Save.
  13. Stop and restart all WebSphere® Application Server processes.
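
After the restart, you can confirm that the certificate now presented carries the SIP Proxy/Registrar's fully qualified domain name as its common name. The following check is an added example, not part of the IBM procedure: the function names, the TLS port, the exported signer PEM file, and the sample short name `edge01` are assumptions made for illustration.

```python
import socket
import ssl


def common_names(cert):
    """Return every commonName in the subject of an ssl.getpeercert() dict."""
    return [value
            for rdn in cert.get("subject", ())
            for key, value in rdn
            if key == "commonName"]


def check_edge_cert(cert, registrar_fqdn):
    """Return a list of problems; an empty list means the CN is as required."""
    names = common_names(cert)
    if not names:
        return ["certificate subject has no common name"]
    cn = names[-1]  # the most specific CN is the last one in the subject
    problems = []
    # DNS names are case-insensitive; ignore a trailing root dot as well.
    if cn.rstrip(".").lower() != registrar_fqdn.rstrip(".").lower():
        problems.append(f"CN {cn!r} does not match SIP Proxy/Registrar {registrar_fqdn!r}")
    if "." not in cn.strip("."):
        problems.append(f"CN {cn!r} is a short name, not a fully qualified domain name")
    return problems


def fetch_cert(edge_host, port, signer_pem):
    """Fetch the certificate the edge proxy presents on its TLS port.

    signer_pem is an assumption: the root signer of the chained certificate,
    exported to a PEM file. Hostname checking is off because the CN is meant
    to name the Proxy/Registrar, not the edge host being connected to.
    """
    ctx = ssl.create_default_context(cafile=signer_pem)
    ctx.check_hostname = False
    with socket.create_connection((edge_host, port), timeout=10) as sock:
        with ctx.wrap_socket(sock) as tls:
            return tls.getpeercert()


# Constructed samples in the shape ssl.getpeercert() returns.
DEFAULT_CERT = {"subject": ((("countryName", "US"),), (("organizationName", "IBM"),),
                            (("commonName", "edge01"),))}
REPLACED_CERT = {"subject": ((("countryName", "US"),), (("organizationName", "IBM"),),
                             (("commonName", "SIPProxyServerName.company.com"),))}

if __name__ == "__main__":
    for label, cert in (("default", DEFAULT_CERT), ("replaced", REPLACED_CERT)):
        print(label, check_edge_cert(cert, "SIPProxyServerName.company.com") or "OK")
```

Against a live server, pass the result of `fetch_cert(...)` to `check_edge_cert(...)` together with the fully qualified domain name defined in stavconfig.xml.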