Using SSL in Sametime 8.5.x for LDAP connection Part 1

Securing a connection to an LDAP server sounds pretty easy, but doing this for a Sametime 8.5 deployment, especially the community server, is far from easy.

Documentation (Infocenter, Sametime Wiki) is not very clear on this topic and contains some conflicting information.

These are the steps which worked for me.

Configure WAS Servers for secure access to LDAP server

This is pretty easy and is well documented in the Sametime Wiki: you just have to import the public root CA of the LDAP server certificate. In my case I only had the .pfx file of the LDAP server and first had to export the CA’s root and intermediate certificates.

– Import the .pfx certificate into your Certificates store on your Windows server (double click certificate…)
– Click “Start” and open up mmc.exe
– Click “File”-“Add/Remove Snap-in” and add the Certificates Snap-in
– Double click your certificate under “Personal” – “Certificates” and click on “Certification Path”
– Click on the root certificate (GeoTrust Global CA) and “View Certificate”. Now open the “Details” tab and click on “Copy to file”
– Export the certificate as “DER encoded binary”

– Choose a file name and a location where to save the file on the server

– Now change to the WAS Admin console to import the certificates into the trust store.
Navigate to “Security” – “SSL certificate and key management” – “Key stores and certificates” and click on “CellDefaultTrustStore”

– Click on “Signer certificates” and “Add”

– Fill in an alias for the global certificates, point to the file (on the server) and choose “Binary DER data” as data type
– Do exactly the same to import the intermediate certificate. Now you see both certificates inside your trust store.
– Now we change the LDAP settings. Go to “Security” – “Global security” and click on “Configure”
– Change the port number to 636 and enable “Require SSL communications”. Click “OK” and then “Save”
– The last step is to resynchronize all nodes and restart all servers
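The same export can be done on the command line with openssl, which is handy when the .pfx lives on a non-Windows box or when you want to confirm that the certificates you are about to import really validate the LDAP server certificate. The script below is an added example and is not part of the original post or of any IBM documentation. It assumes only that `openssl` is on the PATH; because it has to run without access to a real directory server, it first generates a throwaway root, intermediate and LDAP server certificate and bundles them into a .pfx (all names and the export password are constructed), then extracts the CA certificates from that .pfx as DER files, which is exactly what the mmc.exe “Copy to file” / “DER encoded binary” steps produce, and finally verifies the server certificate against the extracted files.

```shell
#!/bin/sh
# Added example, not from the original post: export the root and
# intermediate CA certificates from a .pfx as DER files with openssl and
# check that they validate the LDAP server certificate.
# Everything below (host name, CA names, export password) is constructed.

WORK=${WORK:-$(mktemp -d)}
PFX_PASS='pass:constructed-demo-password'   # constructed; a real .pfx has its own

# Build a demo root -> intermediate -> LDAP server chain and bundle it as
# ldap.pfx, the form in which the post's server certificate was delivered.
make_chain() (
  cd "$WORK" || exit 1
  # Self-signed root CA (extensions come from root.ext, independent of openssl.cnf)
  openssl req -newkey rsa:2048 -nodes -subj '/CN=Demo Root CA' \
    -keyout root.key -out root.csr >/dev/null 2>&1 || exit 1
  printf 'basicConstraints=critical,CA:TRUE\nkeyUsage=critical,keyCertSign,cRLSign\n' > root.ext
  openssl x509 -req -days 30 -in root.csr -signkey root.key \
    -extfile root.ext -out root.pem >/dev/null 2>&1 || exit 1
  # Intermediate CA, signed by the root
  openssl req -newkey rsa:2048 -nodes -subj '/CN=Demo Intermediate CA' \
    -keyout inter.key -out inter.csr >/dev/null 2>&1 || exit 1
  cp root.ext inter.ext
  openssl x509 -req -days 30 -in inter.csr -CA root.pem -CAkey root.key \
    -CAcreateserial -extfile inter.ext -out inter.pem >/dev/null 2>&1 || exit 1
  # LDAP server certificate, signed by the intermediate
  openssl req -newkey rsa:2048 -nodes -subj '/CN=ldap.example.test' \
    -keyout ldap.key -out ldap.csr >/dev/null 2>&1 || exit 1
  printf 'basicConstraints=CA:FALSE\nsubjectAltName=DNS:ldap.example.test\n' > ldap.ext
  openssl x509 -req -days 30 -in ldap.csr -CA inter.pem -CAkey inter.key \
    -CAcreateserial -extfile ldap.ext -out ldap.pem >/dev/null 2>&1 || exit 1
  # Server key + server cert + both CA certs -> PKCS#12
  cat inter.pem root.pem > chain.pem
  openssl pkcs12 -export -inkey ldap.key -in ldap.pem -certfile chain.pem \
    -passout "$PFX_PASS" -out ldap.pfx >/dev/null 2>&1 || exit 1
)

# Pull only the CA certificates (never the private key) out of the .pfx and
# write each one as its own DER file, ready for "Signer certificates" -> "Add"
# with data type "Binary DER data" in the WAS console.
extract_ca_der() (
  cd "$WORK" || exit 1
  openssl pkcs12 -in ldap.pfx -passin "$PFX_PASS" -cacerts -nokeys \
    -out pfx-cacerts.pem >/dev/null 2>&1 || exit 1
  # Split the PEM bundle into ca1.pem, ca2.pem, ... (one certificate each)
  awk '/BEGIN CERTIFICATE/ { n++ } n > 0 { print > ("ca" n ".pem") }' pfx-cacerts.pem
  for f in ca[0-9]*.pem; do
    openssl x509 -in "$f" -outform DER -out "${f%.pem}.der" || exit 1
  done
)

# Number of DER files produced (2 for the demo chain: root + intermediate).
count_ca_der() {
  ls "$WORK"/ca[0-9]*.der 2>/dev/null | wc -l | tr -d ' '
}

# Sanity check before touching the trust store: the self-signed DER file
# (subject == issuer) is the trust anchor, the other one an untrusted
# intermediate; the server certificate must chain up to the anchor.
verify_extracted_chain() (
  cd "$WORK" || exit 1
  : > roots.pem
  : > inters.pem
  for d in ca[0-9]*.der; do
    subj=$(openssl x509 -inform DER -in "$d" -noout -subject) || exit 1
    iss=$(openssl x509 -inform DER -in "$d" -noout -issuer) || exit 1
    if [ "${subj#subject=}" = "${iss#issuer=}" ]; then
      openssl x509 -inform DER -in "$d" >> roots.pem
    else
      openssl x509 -inform DER -in "$d" >> inters.pem
    fi
  done
  openssl verify -CAfile roots.pem -untrusted inters.pem ldap.pem >/dev/null 2>&1
)

main() {
  make_chain && extract_ca_der && verify_extracted_chain \
    && echo "OK: $(count_ca_der) CA certificates exported as DER in $WORK"
}
main
```

With a real .pfx, skip `make_chain`, copy the file to `$WORK/ldap.pfx` and set `PFX_PASS` to its password; the DER files in `$WORK` are then the two signer certificates to import into CellDefaultTrustStore. Once the port is switched to 636, `openssl s_client -connect <ldap host>:636 -CAfile roots.pem` against the live server should end with `Verify return code: 0 (ok)`; any other code means the trust store import will not be enough and the chain itself needs a closer look.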

I will describe what I had to change on the community server in part 2, stay tuned.
