Oct 14, 2011
Klaus Bild

Using SSL in Sametime 8.5.x for LDAP connections Part 2

Took me a little bit longer than expected, but here is part 2: how to enable SSL for LDAP connections on the Community Server.

In part 1 I described how you can enable SSL for LDAP connections on the WAS servers.

You can find some information on this topic in the Sametime Wiki, but I found it rather confusing and misleading.

First of all I had to set up iKeyman and the GSKit on the Community Server to support Cryptographic Message Syntax (CMS) and create the keystore DBs. We need 3 different keystore databases:

- CMS Keystore key.kdb -> used by different Sametime server components to connect securely to LDAP server

- Java Keystore stkeys.jks -> used by the userinfo servlet (Business Card) to connect securely to LDAP server

- Keyring File sametime85.kyr -> used by the Domino server (directory assistance) to connect securely to LDAP server

Install GSKit

- Go to the folder where you extracted the Sametime Standard Server installation files. In there you will find a folder “GSKit” – “Win32”. Run gsk8crypt32.exe as Admin

- Use the standard values in the installation wizard

- Run gsk8ssl32.exe as Admin and use the standard values in the installation wizard

- Add your Domino Java folder as the JAVA_HOME system variable

Update iKeyman to support CMS

- copy gskikm.jar and ibmcmsprovider.jar from your Sametime System Console (SSC) server to the Community Server and replace the older ones. You can find these files in the C:\WAS_INSTALL_DIR\WebSphere\UpdateInstaller\java\jre\lib\ext\ folder. Copy them to the C:\DOMINO_INSTALL_DIR\ibm-jre\jre\lib\ext\ folder.

- Edit the file java.security in folder C:\DOMINO_INSTALL_DIR\ibm-jre\jre\lib\security\

- after security.provider.5=com.ibm.security.sasl.IBMSASL add the following line:
security.provider.6=com.ibm.security.cmskeystore.CMSProvider

Create CMS and Java Keystore files

- Start iKeyman (double click ikeyman.exe), which you can find in the C:\DOMINO_INSTALL_DIR\ibm-jre\jre\bin\ folder

- Check the “Help” – “About iKeyman”, you should see

If you see an older version number, check whether you copied gskikm.jar and ibmcmsprovider.jar from your Sametime System Console (SSC)

- Now create a new CMS database by clicking on “Key Database file” – “New”. Choose CMS as type, name it key.kdb (has to be exactly this name!) and place it in C:\DOMINO_INSTALL_DIR\ (D:\IBM\Lotus\Domino in my example)

- Define a password and activate “Stash password to a file”

- Go to the “Signer Certificates” and click on “Add”

- Click “Browse” and open the Root.cer file (which you created before on the SSC server in Part 1)

- Enter a Label for the Certificate (e.g. GeoTrust Root Certificate)

- Do the same for the Intermediate Certificate

- You should now see 2 Signer Certificates in your key DB

- Now create a new JKS database by clicking on “Key Database file” – “New”. Choose JKS as type, name it stkeys.jks and place it in C:\DOMINO_INSTALL_DIR\ (D:\IBM\Lotus\Domino in my example)

- Repeat all steps to import the root certificate and the intermediate certificate


Create the Domino Keyring file

- open the Server Certificate Admin DB (certsrv.nsf) on your Community Server with your Notes Client

- click on “1. Create Key Ring” to create a new keyring file

- fill in a name and a password and define your key size

- fill in your server name as Common Name, add your Organization/State/Country and click “Create Key Ring”

- you will see a confirmation window

- now import your Root Certificate, click on “3. Install Trusted Root Certificate…” and fill in a Label/Source/File Name and choose the appropriate file format

- click on “Merge Trusted Root Certificate…” and fill in the password for the key ring file

- you will see a success window, click on “OK”

- import your intermediate certificate with the same steps

- copy your keyring file and stash file to the data directory of your Community Server

- open the server document of your community server and go to “Ports” – “Internet Ports” and fill in your keyring file name

- save the document and close it

Encrypt the UserInfoServlet

- open UserInfoConfig.xml (in D:\IBM\Lotus\Domino)

- change SslEnabled to true and ensure SslPort is 636

- in the SslProperties tag add the path to your stkeys.jks file and insert your password for the keystore

Configuring Directory Assistance for SSL & connecting the Sametime Community Server through SSL

- open the Directory Assistance DB (da.nsf) on your Community Server with your Notes client and change the LDAP settings

- Click “Save and Close” and close the DB

- Now open the Sametime Community Server web page, log in as Sametime Admin and click on “Administer the Server”

- go to “LDAP Directory” > “Connectivity” and enable the use of SSL for LDAP and ensure that the used SSL port is 636

- Click on “Update”

(Optional) If you want to improve performance, you may choose to loosen security and encrypt only the user credentials, as follows:

- Open the sametime.ini file (in D:\IBM\Lotus\Domino)

- Locate the [Directory] section within the file and add the following setting:

ST_DB_LDAP_SSL_ONLY_FOR_PASSWORDS=1

- Save and close the file

- Restart your Community Server
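After all of this you have three trust stores (key.kdb, stkeys.jks and the Domino keyring) pointing at the same LDAP server, and the admin page and Directory Assistance switched to port 636. The script below is an added example (not from this post and not an IBM tool) for checking that the LDAP server really answers TLS on 636 with a certificate that chains to the Root and intermediate you imported, names the host you configured, and is not about to expire. It uses only the Python standard library and assumes you have concatenated Root.cer and the intermediate into one PEM file; the path chain.pem, the host ldap.example.com and the optional expected_issuer_cn are placeholders you replace with your own values.

```python
# Added example (not from the original post or from IBM): verify that the LDAP
# server answers TLS on port 636 with a certificate that chains to the
# Root/intermediate imported into key.kdb, stkeys.jks and the Domino keyring.
# Assumptions: Root.cer + intermediate concatenated into one PEM file
# (CA_BUNDLE is a placeholder path); host name is the one entered in the
# Sametime admin page / Directory Assistance document.
import socket
import ssl
import sys
import time

LDAPS_PORT = 636          # the port the post tells you to configure everywhere
CA_BUNDLE = "chain.pem"   # placeholder: Root.cer + intermediate, PEM, concatenated
WARN_DAYS = 30            # warn when the server certificate is this close to expiry


def build_context(ca_bundle_path):
    """Client context that trusts only the imported chain and checks the host name,
    i.e. the same trust model the three keystores give the Sametime components."""
    ctx = ssl.create_default_context(cafile=ca_bundle_path)
    ctx.verify_mode = ssl.CERT_REQUIRED
    ctx.check_hostname = True
    return ctx


def _name_value(name, key):
    """Pull one attribute (e.g. 'commonName') out of the nested tuples that
    getpeercert() uses for 'subject' and 'issuer'."""
    for rdn in name:
        for k, v in rdn:
            if k == key:
                return v
    return None


def _host_matches(pattern, host):
    """Exact match, or a single leftmost wildcard label (*.example.com)."""
    pattern, host = pattern.lower(), host.lower()
    if pattern == host:
        return True
    if pattern.startswith("*."):
        return host.endswith(pattern[1:]) and host.count(".") == pattern.count(".")
    return False


def cert_problems(peer_cert, expected_host, expected_issuer_cn=None, now=None):
    """Inspect a getpeercert() dict and return a list of findings (empty == fine).
    `now` is Unix time; pass a fixed value for repeatable checks."""
    problems = []
    now = time.time() if now is None else now

    # 1. Does the certificate name the host you typed into the admin page?
    #    (check_hostname already enforces this on a live socket; doing it here
    #    too lets you vet a certificate captured elsewhere.)
    dns_names = [v for kind, v in peer_cert.get("subjectAltName", ()) if kind == "DNS"]
    names = dns_names or [_name_value(peer_cert.get("subject", ()), "commonName") or ""]
    if not any(_host_matches(n, expected_host) for n in names):
        problems.append(f"hostname mismatch: certificate names {names}, expected {expected_host}")

    # 2. Validity window. notBefore/notAfter look like 'Jan  5 09:34:43 2018 GMT'.
    not_before = ssl.cert_time_to_seconds(peer_cert["notBefore"])
    not_after = ssl.cert_time_to_seconds(peer_cert["notAfter"])
    if now > not_after:
        problems.append(f"certificate expired on {peer_cert['notAfter']}")
    elif now < not_before:
        problems.append(f"certificate not valid before {peer_cert['notBefore']}")
    elif not_after - now < WARN_DAYS * 86400:
        problems.append(f"certificate expires within {WARN_DAYS} days")

    # 3. Was it issued by the intermediate you imported, not by some other CA?
    if expected_issuer_cn is not None:
        issuer_cn = _name_value(peer_cert.get("issuer", ()), "commonName")
        if issuer_cn != expected_issuer_cn:
            problems.append(f"issued by {issuer_cn!r}, expected {expected_issuer_cn!r}")
    return problems


def check_ldaps(host, ca_bundle_path=CA_BUNDLE, port=LDAPS_PORT,
                expected_issuer_cn=None, timeout=5.0):
    """Connect the way the Sametime components will (TLS from the first byte on
    636, no StartTLS) and return findings; failures become findings, not exceptions."""
    try:
        ctx = build_context(ca_bundle_path)
    except OSError as exc:  # bundle missing or not PEM
        return [f"cannot load CA bundle {ca_bundle_path}: {exc}"]
    try:
        with socket.create_connection((host, port), timeout=timeout) as raw:
            with ctx.wrap_socket(raw, server_hostname=host) as tls:
                return cert_problems(tls.getpeercert(), host, expected_issuer_cn)
    except ssl.SSLCertVerificationError as exc:
        # the server's chain does not end in the Root/intermediate you imported
        return [f"chain did not validate against {ca_bundle_path}: {exc.verify_message}"]
    except OSError as exc:  # refused, timeout, or the port is not speaking TLS
        return [f"no usable TLS service on {host}:{port}: {exc}"]


if __name__ == "__main__":
    ldap_host = sys.argv[1] if len(sys.argv) > 1 else "ldap.example.com"  # placeholder
    bundle = sys.argv[2] if len(sys.argv) > 2 else CA_BUNDLE
    findings = check_ldaps(ldap_host, bundle)
    print("\n".join(findings) if findings else f"OK: {ldap_host}:{LDAPS_PORT} chains to {bundle}")
```

Run it as `python check_ldaps.py your-ldap-host chain.pem` from the Community Server itself, so that firewall rules and name resolution are the same ones the Sametime components see. An empty result means the handshake succeeded against exactly the chain you imported; a "chain did not validate" finding usually means the intermediate is missing from the bundle (or from the keystores), which is the same failure the Sametime components will hit silently. Keep in mind that with ST_DB_LDAP_SSL_ONLY_FOR_PASSWORDS=1 only the credentials are protected, so the certificate checked here is what stands between the bind password and the network.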

That’s it, now your Security Officer is your friend again!
