Using SSL in Sametime 8.5.x for LDAP connections Part 2

Took me a little bit longer as expected but here is now part 2, how to enable SSL for LDAP connections on the community server.

In part 1 described how you can enable SSL for LDAP connections on the WAS servers.

You can find some information on this topic in the Sametime Wiki but I found it rather confusing and misleading.

First of all I had to set up iKeyman and the GSKit on the community server to support Cryptographic Message Syntax (CMS) and create the Keystore DBs. We need 3 different Keystore databases:

– CMS Keystore key.kdb -> used by different Sametime server components to connect securely to LDAP server

– Java Keystore stkeys.jks -> used by the userinfo servlet (Business Card) to connect securely to LDAP server

– Keyring File sametime85.kyr -> used by the Domino server (directory assistance) to connect securely to LDAP server

Install GSKit

– Go to the folder where you extracted the Sametime Standard Server Installation files. In there you find a folder “GSKit” – “Win32”. Run gsk8crypt32.exe as Admin

– Use standard values for installation wizard

– Run gsk8ssl32.exe as Admin and use standard values for installation wizard

– Add you Domino java folder as JAVA_HOME system variable

Update iKeyman to support CMS

– copy gskikm.jar and ibmcmsprovider.jar from you Sametime System Console (SSC) server to the community server and replace the older ones. You can find these files in the C:\WAS_INSTALL_DIR\WebSphere\UpdateInstaller\java\jre\lib\ext\ folder. Copy them to C:\DOMINO_INSTALL_DIR\ibm-jre\jre\lib\ext\ folder.

– Edit the file java.security in folder C:\DOMINO_INSTALL_DIR\ibm-jre\jre\lib\security\

– after security.provider.5=com.ibm.security.sasl.IBMSASL add following line:
security.provider.6=com.ibm.security.cmskeystore.CMSProvider 

Create CMS and Java Keystore files

– Start iKeyman (double click ikeyman.exe) which you can find in C:\DOMINO_INSTALL_DIR\ibm-jre\jre\bin\ folder

– Check the “Help” – “About iKeyman”, you should see

If you see an older Version# check if you copied  gskikm.jar and ibmcmsprovider.jar from you Sametime System Console (SSC)

– Now create a new CMS database by clicking on “Key Database file” – “New”. Choose CMS as type, name it key.kdb (has to be exactly this name!) and place it in C:\DOMINO_INSTALL_DIR\ (D:\IBM\Lotus\Domino in my example)

– Define a password and activate “Stash password to a file”

– Go to the “Signer Certificates” and click on “Add”

– Click “Browse” and open the Root.cer file (which you have create before on the SSC Server in Part 1)

– Enter a Label for the Certificate (i.e. GeoTrust Root Certificate)

– Do the same for the Intermediate Certificate

– You should now see 2 Signer Certificates in your keyDB

– Now create a new JKS database by clicking on “Key Database file” – “New”. Choose JKS as type, name it stkeys.jks and place it in C:\DOMINO_INSTALL_DIR\ (D:\IBM\Lotus\Domino in my example)

– Repeat all steps to import the root certificate and the intermediate certificate

 

Create the Domino Keyring file

– open the Server Certificate Admin DB (certsrv.nsf) on your Community Server with your Notes Client

– click on “1. Create Key Ring” to create a new keyring file

– fill in a name and a password and define your key size

– fill in your server name as Common Name, add your Organization/State/Country and click “Create Key Ring”

– you will see a confirmation window

– now import your Root Certificate, click on “3. Install Trusted Root Certificate…” and fill in a Label/Source/File Name and choose the appropriate file format

– click on “Merge Trsuted Root Certificate…” and fill in the password for the key ring file

– you will see a success window, click on “OK”

– import your intermediate certificate with same steps

– copy your keyring file and stash file to the data directory of your Community Server

– open the server document of your community server and go to “Ports” – “Internet Ports” and fill in your keyring file name

– save the document and close it

Encrypt the UserInfoServlet

– open UserInfoConfig.xml (in D:\IBM\Lotus\Domino)

– change SslEnabled to true and ensure SslPort is 636

– in the SslProperties tag add the path to your stkeys.jks file and insert your password for the keystore

Configuring Directory Assistance for SSL& Connect Sametime Community Server through SSL

– open the Directory Assistance DB (da.nsf) on your community server with your notes client and change the LDAP settings

– Click “Save and Close” and close the DB

– Now open the Sametime Community Server webpage and login as Sametime Admin and click on “Administer the Server”

– go to “LDAP Directory” > “Connectivity” and enable the use of SSL for LDAP and ensure that the used SSL port is 636

– Click on “Update”

(Optional) If you want to improve performance, you may choose to loosen security and encrypt only user credentials as follows:

– Open the sametime.ini file (in D:\IBM\Lotus\Domino)

– Locate the [Directory] section within the file and add the following setting:

ST_DB_LDAP_SSL_ONLY_FOR_PASSWORDS=1

– Save and close the file

– Restart your Community Server

That’s it, now you Security Officer is your friend again!

Comments

ldapmven
Reply

Very generally speaking, administrators should use TLS instead of SSL for connections to directory servers wherever possible. Modern, professional-quality directory servers support a StartTLS extended operation which allows for better tracking and auditing than SSL.

Maik Weber
Reply

Thank you for this documentation! I agree that the steps outlined in product wiki are a little bit confusing. However, you forgot one important step — You have to define stkey.jks in sametime.ini. It is used by StPolicy to resolve users and their policies:

http://www-10.lotus.com/ldd/stwiki.nsf/dx/Modifying_the_LDAP_server_configuration_for_SSL_st852ifr1

=================
[Config]
ConfigurationSSLEnabled=true
javax.net.ssl.keyStore=D:\IBM\Lotus\Domino\stkeys.jks
javax.net.ssl.trustStore=D:\IBM\Lotus\Domino\stkeys.jks
javax.net.ssl.keyStorePassword=passw0rd
javax.net.ssl.trustStorePassword=passw0rd

Klaus Bild
Reply

Thank you, you’re right, you need this if you’re using SSL not only for authentication process.

Leave a Reply

%d bloggers like this: