Steps to import MCS SSL certificates on a Sametime Server. Securing LDAP connections to and from Sametime server using SSL
Author: Madhu S Dutta / Manoj Palaniswamy, IT Specialist

Configuring security for the Lotus Sametime Community Server

Introduction

IBM Global Security Kit (GSKit) provides Secure Sockets Layer (SSL) data encryption between Sametime servers and LDAP servers. The GSKit package also installs the iKeyman key management utility (gsk7ikm), which you can use to create key databases, public/private key pairs, and certificate requests.

The IBM Lotus Sametime server uses the Internet and intranet security features of the Domino server on which it is installed to authenticate Web browser users who access Domino databases on the server. You can encrypt communications for Lotus Sametime services and the communication between Lotus Sametime and Web browsers. You can also encrypt communications between an LDAP server and the Lotus Sametime server with the LDAPS protocol. You can set up either, or both, of these protocols independently. GSKit is required to provide SSL encryption between the Lotus Sametime server and the LDAP server.

This document assumes that you have already secured the communication between your Sametime server and the LDAP server using SSL. If you do not have GSKit installed, follow this link to install it: https://www-304.ibm.com/support/docview.wss?rs=203&uid=swg21099766

Note that no configuration is required on the Sametime server side, either in sametime.ini or in the Sametime configuration files. Once LDAP(S) is enabled through the Sametime configuration or DA, the Sametime server starts looking for the GSKit program and the *.kdb file that contains the root certificates. No changes are needed on the Domino side either.

Procedure for enabling LDAP over SSL

This procedure enables the Sametime server to trust the SSL server certificate of the LDAP server. To ensure that the Sametime server trusts the LDAP server's certificate, the administrator must perform the following procedures:

1. Install the Key Management Utility (iKeyman) program on the Sametime server.
2. Create a key database named "key.kdb" on the Sametime server and store it in the root Sametime directory.
3. Ensure that the key.kdb database on the Sametime server contains the SSL trusted root certificate that enables the Sametime server to trust the SSL server certificate of the LDAP server.

Note: Keep the name of the keystore database as key.kdb, as we experienced issues when the name was changed.

How LDAP(S) works

If the LDAP server is set up to listen for SSL connections, the LDAP server has an SSL key database that contains (at minimum) one certificate: a trusted root (or "signer") certificate signed by a specific Certificate Authority (CA), such as VeriSign. The LDAP server presents its SSL server certificate to the Sametime server during the SSL connection handshake. The key database on the Sametime server (the "key.kdb" created above) must contain a trusted root (or "signer") certificate that matches the trusted root certificate of the CA that signed the LDAP server certificate.

For example, if the key database on the LDAP server contains a "VeriSign Class 4 Public Primary Certification Authority" trusted root certificate and the LDAP SSL server certificate is signed by VeriSign, the key database on the Sametime server must also contain a "VeriSign Class 4 Public Primary Certification Authority" trusted root certificate.

In summary, the SSL connection from the Sametime server to the LDAP server should succeed if both of the following are true:

1. The key database on the LDAP server and the key.kdb database on the Sametime server have a trusted root (or "signer") certificate in common.
2. That trusted root certificate is issued by the same CA that signed the LDAP SSL server certificate.

When the key.kdb database is created, it contains several trusted root (or "signer") certificates by default. If the appropriate trusted root certificate is already present in key.kdb, no further steps are needed to make the Sametime server trust the LDAP server certificate, and the procedure is complete. If the trusted root certificate on the LDAP server changes, the changed certificate has to be imported into the key.kdb database for the SSL encryption to keep working. The procedure below describes the steps required to import the trusted root certificate of the LDAP server into the key.kdb keystore.

If the root certificates have expired, or if there is some problem with the keystore database, you may receive an error stating that the specified database has been corrupted. If you experience this problem, you will have to create a new keystore database using the following steps.

Creating a new key.kdb database

To create the key.kdb database, follow the instructions below:

1. Start the IBM iKeyman utility. To start the utility, run the gsk7ikm.exe file located in the C:\Lotus\Domino\IBM\gsk7\bin directory on the Sametime server.
2. From the IBM iKeyman menu bar, select Key Database File -> New.

3. In the New window, do the following:
   a. For Key database type, select "CMS key database file".
   b. For File Name, enter "key.kdb".
   c. For Location, enter "C:\Lotus\Domino" (or the directory in which Sametime is installed).
   d. Click OK.
4. In the Password Prompt window, do the following:
   a. Type a password and confirm it; this password is used to access the key database and is at your discretion.
   b. Select the "Stash the password to a file?" check box.
   c. Click OK.
5. An information window appears indicating that the password is encrypted and saved in C:\Lotus\Domino\key.sth (or <Sametime install directory>\key.sth).
6. Ensure that you delete the old *.kdb, *.rdb, *.sth, *.jks and *.crl files from the data folder.

After creating the key.kdb database, ensure that it contains the appropriate trusted root certificate. If the server's date and time are not set correctly, certain certificates may not be inserted correctly, since the certificate may not be valid yet.
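The trust rule from "How LDAP(S) works" (a signer certificate in key.kdb whose Subject matches the Issuer of the LDAP server's certificate) and the clock caveat just above can be checked outside iKeyman. The Python below is an added example, not code from the original document or from IBM: it reads a certificate in either format Sametime accepts (Base-64 or binary), walks the DER structure with a small stdlib-only parser, and reports whether a given key.kdb signer would satisfy the handshake at a given server clock. The certificates it builds are constructed skeletons with no real keys or signatures, an assumption standing in for the .cer/.pem files the LDAP team sends.

```python
import base64, datetime, re

def load_der(data):  # the only formats Sametime accepts: Base-64 (PEM) or binary (DER)
    m = re.search(rb"-----BEGIN CERTIFICATE-----(.*?)-----END CERTIFICATE-----", data, re.S)
    if not m and data[:1] != b"\x30":  # neither PEM armour nor a leading DER SEQUENCE tag
        raise ValueError("not a Base-64 or binary (DER) certificate")
    return base64.b64decode(b"".join(m.group(1).split())) if m else data
def tlv(data, pos=0):  # decode one DER element -> (tag, value, position after it)
    tag, length, pos = data[pos], data[pos + 1], pos + 2
    if length & 0x80:  # long form: the low 7 bits count the length bytes that follow
        n = length & 0x7F
        length, pos = int.from_bytes(data[pos:pos + n], "big"), pos + n
    return tag, data[pos:pos + length], pos + length
def _utc(v):  # UTCTime YYMMDDHHMMSSZ or GeneralizedTime YYYYMMDDHHMMSSZ -> aware datetime
    fmt = "%y%m%d%H%M%SZ" if len(v) == 13 else "%Y%m%d%H%M%SZ"
    return datetime.datetime.strptime(v.decode(), fmt).replace(tzinfo=datetime.timezone.utc)
def cert_fields(der):  # walk Certificate -> tbsCertificate and pull issuer, subject, validity
    tbs = tlv(tlv(der)[1])[1]
    pos = tlv(tbs)[2] if tbs[0] == 0xA0 else 0  # skip the optional [0] EXPLICIT version
    pos = tlv(tbs, tlv(tbs, pos)[2])[2]  # skip serialNumber and signature AlgorithmIdentifier
    _, issuer, pos = tlv(tbs, pos)
    _, validity, pos = tlv(tbs, pos)
    _, nb, p = tlv(validity)
    return {"issuer": issuer, "subject": tlv(tbs, pos)[1],
            "not_before": _utc(nb), "not_after": _utc(tlv(validity, p)[1])}

def signer_present(server_cert, kdb_signers, clock):  # clock: Sametime server time as a UTCTime string
    """Trust rule from the text: a key.kdb signer whose Subject equals the server cert's Issuer, valid at clock."""
    issuer = cert_fields(load_der(server_cert))["issuer"]
    for signer in kdb_signers:
        f = cert_fields(load_der(signer))
        if f["subject"] == issuer:  # a wrong server clock is the failure mode the text warns about
            return "ok" if f["not_before"] <= _utc(clock.encode()) <= f["not_after"] else "signer-not-valid-at-clock"
    return "no-matching-signer"

# CONSTRUCTED sample material (an assumption, not real certificates): a minimal DER encoder and key-less skeletons.
def enc(tag, body):  # DER TLV with a short or two-byte long-form length
    return bytes([tag]) + (bytes([len(body)]) if len(body) < 128 else b"\x82" + len(body).to_bytes(2, "big")) + body
def _name(cn):  # Name = SEQUENCE { SET { SEQUENCE { OID commonName, UTF8String } } }
    return enc(0x30, enc(0x31, enc(0x30, enc(0x06, b"\x55\x04\x03") + enc(0x0C, cn.encode()))))
def sample_cert(subject, issuer, not_before, not_after):
    alg = enc(0x30, enc(0x06, b"\x2a\x86\x48\x86\xf7\x0d\x01\x01\x0b"))  # sha256WithRSAEncryption
    tbs = (enc(0xA0, enc(0x02, b"\x02")) + enc(0x02, b"\x01") + alg + _name(issuer)  # v3, serial, alg
           + enc(0x30, enc(0x17, not_before.encode()) + enc(0x17, not_after.encode()))
           + _name(subject) + enc(0x30, b""))  # subject, then an empty subjectPublicKeyInfo
    return enc(0x30, enc(0x30, tbs) + alg + enc(0x03, b"\x00"))  # dummy BIT STRING signature
ROOT = sample_cert("Example Root CA", "Example Root CA", "200101000000Z", "350101000000Z")
LDAP_SERVER = sample_cert("ldap.example.test", "Example Root CA", "240101000000Z", "260101000000Z")
ROOT_PEM = b"-----BEGIN CERTIFICATE-----\n" + base64.encodebytes(ROOT) + b"-----END CERTIFICATE-----\n"
```

Run against real files by passing the bytes of the LDAP server's certificate and of each signer exported from key.kdb; a result of "signer-not-valid-at-clock" with an otherwise correct root points at the date and time issue described above.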

Installing the trusted root into the KDB file

Sametime accepts certificates in Base-64 and binary formats only. Ensure that you receive the root certificates in one of these formats before installing them into the key database. A pre-built .cer and .pem file should have been emailed to you when your certificate was issued. JRE-based applications (such as the Sametime application) normally do not have the ability to import MCS certificates automatically. If you have multiple domains in your Sametime environment, you have to import the certificates one by one with the iKeyman utility, so the iKeyman software must be installed on your Sametime server.

1. Go to the iKeyman location under the Domino directory, at the path ibm\gsk7\bin.
2. Double-click gsk7ikm.exe.
3. The IBM Key Management window opens, as shown in the screenshot.
4. Click the open folder icon.
5. Another window opens, prompting for the key file name and the location of the file.
6. Use the key.kdb located in the Sametime Domino directory: navigate to the location of the key.kdb file, as shown in the screenshot.
7. Click OK; you are prompted for the password. Use the password you set for the key.kdb file when you first created it.
8. Once you click OK, the key database contents are populated, and you can identify which certificates were imported earlier or currently exist.
9. You can see the status of an existing certificate by clicking the View/Edit button, as shown in the screenshot.
10. Then click the Add button to import a new certificate.
11. The CA certificate window opens; from there you can browse to the .cer file using the Browse button.
12. Browse to the .cer file you received from the LDAP team.
13. It is not mandatory to import .cer files from the Domino directory. You can copy the .cer and .pem files anywhere on your system and import them from there.
14. Click OK; you are prompted for a label for the certificate. You can type any name of your choosing.
15. Then click OK. The new certificate appears in the Key Management console under Signer Certificates, as displayed in the screenshot.
16. The following files are generated; verify their existence in the data directory: key.kdb, key.sth, key.crl, key.rdb and key.jks.