HCL Sametime V11 Proxy Server – exchange self certificate for qualified SSL certificate

To use Sametime V11 from mobile devices or to chat from a web browser, you need to install and configure the Sametime Proxy Server. Since version 11, Sametime uses a proxy server based on Apache Tomcat, which has reduced the hardware requirements and simplified the installation.

The document “ST11_Installation_and_Administration.pdf”, which can be downloaded together with the installation files from Flexnet, describes the basic installation and configuration. The Sametime Proxy Server installation section describes how a new self-signed certificate (selfcert) for SSL is created automatically, without any configuration changes. If you keep the selfcert, some web browsers or mobile devices may have problems with this certificate, and you will have to create exceptions, rules and so on.
I had this problem with my installation of Sametime V11, so we started looking for a way to replace the selfcert with a qualified certificate from a Certificate Authority (in my case I chose RapidSSL from GeoTrust).

The solution is not complicated and, although I am not an expert on Tomcat, I managed it quite easily. Maybe also thanks to my previous experience: as a Domino admin I have used SSL certificates for Domino with OpenSSL.

How to do it?

Suppose we already have Sametime Community Server V11 installed and we install Sametime Proxy Server V11 in “C:\sametimeproxy” (as described in the instructions document). We will need the “keytool” tool, which is in “C:\sametimeproxy\jdk8u222-b10-jre\bin”.

  1. Open a command prompt and change to the folder C:\sametimeproxy\jdk8u222-b10-jre\bin
  2. Now we create a new certificate keystore using “keytool”, into which we will later import the necessary certificates. We name the new keystore “st.keystore” and create it in C:\sametimeproxy\conf. So we use the command:

keytool -genkey -alias tomcat -keyalg RSA -keystore C:\sametimeproxy\conf\st.keystore

– Create a new password for the keystore (Tomcat's default is “changeit”).
– Confirm the password again.
– Fill in the basic information about the keystore. “First and Last name” becomes the certificate's Common Name (CN), so enter the FQDN under which clients reach the Sametime server; I used “sametime.company.com”. Then fill in the remaining data (Company, City, Country and so on).
– We have created a new keystore.

  3. Now we create a local Certificate Signing Request (CSR). To obtain a certificate from the Certificate Authority of your choice, you have to create a so-called Certificate Signing Request (CSR).

    The CSR will be used by the Certificate Authority to create a certificate that identifies your website as “secure”.

    The CSR is created with:

keytool -certreq -keyalg RSA -alias tomcat -file certreq.csr -keystore C:\sametimeproxy\conf\st.keystore

– Now you have a file called certreq.csr that you can submit to the Certificate Authority. In return you get a certificate. The alias (“tomcat”) must be the one used when the key pair was generated, because the CSR is built from that key.

  4. The certificate must be installed into the keystore in which the CSR was created.
    – Prepare the certificate file and both intermediate certificates. Import the primary intermediate first:

keytool -import -alias primary -trustcacerts -file D:\cert\PrimaryIntermediate.pem -keystore C:\sametimeproxy\conf\st.keystore

– Import the secondary intermediate:

keytool -import -alias secondary -trustcacerts -file D:\cert\SecondaryIntermediate.pem -keystore C:\sametimeproxy\conf\st.keystore

– Then import the SSL certificate under the same alias as the key pair (“tomcat”), so that keytool attaches it to the private key instead of storing it as a separate trusted certificate:

keytool -import -alias tomcat -trustcacerts -file D:\cert\certificate.txt -keystore C:\sametimeproxy\conf\st.keystore
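Before touching server.xml it is worth checking what actually ended up in the keystore. The script below is an added example, not part of the original post or of Sametime: it parses the text printed by `keytool -list -v -keystore C:\sametimeproxy\conf\st.keystore` and confirms that the alias used for the CSR (“tomcat”) is a PrivateKeyEntry whose chain now contains the issued certificate and both intermediates. The sample listings in the script are constructed and abbreviated; the alias names, CN and the chain length of 3 are taken from the steps above.

```python
# Added example (not from the original post): verify the keystore built by the
# keytool commands above by parsing the text that
#   keytool -list -v -keystore C:\sametimeproxy\conf\st.keystore
# prints. The point to confirm is that the CSR alias ("tomcat") is a
# PrivateKeyEntry whose chain now holds the issued certificate plus both
# intermediates. If the issued certificate is imported under another alias,
# keytool stores it as a separate trustedCertEntry and the connector keeps
# presenting the self-signed certificate from -genkey.
from dataclasses import dataclass, field


@dataclass
class KeystoreEntry:
    alias: str
    entry_type: str = ""
    chain_length: int = 0                         # only printed for PrivateKeyEntry
    owners: list = field(default_factory=list)    # subject of each chain cert, leaf first
    issuers: list = field(default_factory=list)


def parse_keytool_listing(text: str) -> dict:
    """Split `keytool -list -v` output into {alias: KeystoreEntry}."""
    entries, current = {}, None
    for raw in text.splitlines():
        key, _, value = raw.strip().partition(":")
        value = value.strip()
        if key == "Alias name":
            current = KeystoreEntry(alias=value)
            entries[value] = current
        elif current is None:
            continue                              # keystore header, before the first alias
        elif key == "Entry type":
            current.entry_type = value
        elif key == "Certificate chain length":
            current.chain_length = int(value)
        elif key == "Owner":
            current.owners.append(value)
        elif key == "Issuer":
            current.issuers.append(value)
    return entries


def check_server_entry(entries: dict, alias: str, expected_cn: str, expected_chain: int) -> list:
    """Return the problems found for the connector's alias; [] means it is usable."""
    entry = entries.get(alias)
    if entry is None:
        return [f"alias '{alias}' not found in keystore"]
    problems = []
    if entry.entry_type != "PrivateKeyEntry":
        problems.append(f"alias '{alias}' is a {entry.entry_type}, not a PrivateKeyEntry")
    if entry.chain_length < expected_chain:
        problems.append(f"chain length is {entry.chain_length}, expected {expected_chain}: "
                        "the issued certificate or its intermediates are not attached to this alias")
    if not entry.owners or f"CN={expected_cn}" not in entry.owners[0]:
        problems.append(f"leaf certificate subject does not contain CN={expected_cn}")
    elif entry.issuers and entry.owners[0] == entry.issuers[0]:
        problems.append("leaf certificate is self-signed: the keystore still holds the -genkey selfcert")
    return problems


# Constructed, abbreviated `keytool -list -v` output after a correct import.
GOOD_LISTING = """\
Keystore type: JKS
Keystore provider: SUN

Alias name: secondary
Creation date: Jan 10, 2020
Entry type: trustedCertEntry

Owner: CN=Example Secondary Intermediate CA, O=Example CA
Issuer: CN=Example Primary Intermediate CA, O=Example CA

Alias name: tomcat
Creation date: Jan 10, 2020
Entry type: PrivateKeyEntry
Certificate chain length: 3
Certificate[1]:
Owner: CN=sametime.company.com, O=Company, L=City, C=CZ
Issuer: CN=Example Secondary Intermediate CA, O=Example CA
Certificate[2]:
Owner: CN=Example Secondary Intermediate CA, O=Example CA
Issuer: CN=Example Primary Intermediate CA, O=Example CA
Certificate[3]:
Owner: CN=Example Primary Intermediate CA, O=Example CA
Issuer: CN=Example Root CA, O=Example CA
"""

# Constructed listing after importing the issued certificate under the wrong alias.
BAD_LISTING = """\
Alias name: tomcat
Entry type: PrivateKeyEntry
Certificate chain length: 1
Certificate[1]:
Owner: CN=sametime.company.com, O=Company, L=City, C=CZ
Issuer: CN=sametime.company.com, O=Company, L=City, C=CZ

Alias name: certificate
Entry type: trustedCertEntry

Owner: CN=sametime.company.com, O=Company, L=City, C=CZ
Issuer: CN=Example Secondary Intermediate CA, O=Example CA
"""

if __name__ == "__main__":
    for name, listing in [("good", GOOD_LISTING), ("bad", BAD_LISTING)]:
        result = check_server_entry(parse_keytool_listing(listing), "tomcat", "sametime.company.com", 3)
        print(name, result or "OK")
```

To run it against a real keystore, redirect the keytool output to a file and pass its contents to `parse_keytool_listing`. The “bad” listing shows the failure mode the alias rule guards against: the private key is still paired with the self-signed certificate, and the issued certificate sits in an entry Tomcat never looks at.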

  5. Now you need to configure the SSL connector. Open the server.xml file located in the “conf” folder of the proxy installation (C:\sametimeproxy\conf). In the configuration, find the connector that should use the new keystore and uncomment it if necessary.
    In the connector configuration, specify the correct keystore location and passphrase; keystorePass must be the password you chose when creating the keystore in step 2 (the example shows Tomcat's default “changeit”). The correct configuration looks like this:

<Connector protocol="org.apache.coyote.http11.Http11NioProtocol" port="8443" maxThreads="200" scheme="https" secure="true" SSLEnabled="true" keystoreFile="conf/st.keystore" keystorePass="changeit" clientAuth="false" sslProtocol="TLS"/>
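The things that usually go wrong at this step are a connector that is still commented out, a keystoreFile path that does not resolve (relative paths are resolved against the Tomcat base directory, here C:\sametimeproxy), a keystoreType that does not match the file, and a keystorePass left at Tomcat's default. The following script is an added example, not from the original post or from Tomcat/Sametime; it checks a server.xml document for exactly those points. The server.xml fragments and the set of “existing” files are constructed so that it runs offline; the base directory and keystore path are the ones used in this post.

```python
# Added example (not from the original post, Sametime or Tomcat): sanity-check
# the SSL connector in server.xml before restarting the proxy.
# Assumptions: the proxy's Tomcat base directory is C:\sametimeproxy and the
# file system is represented by a set of known paths so the check runs offline.
import ntpath
import xml.etree.ElementTree as ET

CATALINA_BASE = "C:\\sametimeproxy"          # install folder from the post
TOMCAT_DEFAULT_PASSWORD = "changeit"         # Tomcat's documented default keystorePass


def find_ssl_connectors(server_xml: str) -> list:
    """Return every <Connector> with SSLEnabled="true". The parser drops XML
    comments, so a connector that is still commented out is simply absent."""
    root = ET.fromstring(server_xml)
    return [c for c in root.iter("Connector")
            if c.get("SSLEnabled", "false").lower() == "true"]


def resolve_keystore(keystore_file: str, catalina_base: str) -> str:
    """Tomcat resolves a relative keystoreFile against its base directory.
    ntpath handles Windows paths on any platform; the result is normalised and
    lower-cased for a case-insensitive comparison."""
    path = keystore_file if ntpath.isabs(keystore_file) else ntpath.join(catalina_base, keystore_file)
    return ntpath.normpath(path).lower()


def check_connector(conn, catalina_base: str, existing_files: set) -> list:
    """Return a list of problems for one SSL connector (empty = looks fine)."""
    problems = []
    port = conn.get("port", "?")
    ks = conn.get("keystoreFile")
    if not ks:
        return [f"port {port}: no keystoreFile set; Tomcat would fall back to the user's ~/.keystore"]
    path = resolve_keystore(ks, catalina_base)
    if path not in existing_files:
        problems.append(f"port {port}: keystoreFile {ks} resolves to {path}, which does not exist")
    ext = ntpath.splitext(ks)[1].lower()
    ks_type = conn.get("keystoreType", "JKS").upper()      # Tomcat's default keystoreType is JKS
    if ext in (".p12", ".pfx") and ks_type != "PKCS12":
        problems.append(f"port {port}: {ks} looks like a PKCS12 file but keystoreType is {ks_type}")
    if conn.get("keystorePass", TOMCAT_DEFAULT_PASSWORD) == TOMCAT_DEFAULT_PASSWORD:
        problems.append(f"port {port}: keystorePass is still Tomcat's default '{TOMCAT_DEFAULT_PASSWORD}'")
    if conn.get("scheme") != "https" or conn.get("secure", "false").lower() != "true":
        problems.append(f'port {port}: scheme="https" and secure="true" must both be set')
    return problems


def check_server_xml(server_xml: str, catalina_base: str, existing_files: set) -> list:
    """Run check_connector over all SSL connectors in a server.xml document."""
    connectors = find_ssl_connectors(server_xml)
    if not connectors:
        return ['no Connector with SSLEnabled="true" found (is it still commented out?)']
    problems = []
    for conn in connectors:
        problems.extend(check_connector(conn, catalina_base, existing_files))
    return problems


# Constructed stand-in for the file system: only the keystore from the post exists.
EXISTING_FILES = {resolve_keystore("conf\\st.keystore", CATALINA_BASE)}

# Constructed server.xml fragments (Tomcat's real file contains more elements).
SERVER_XML_OK = """<Server port="8005" shutdown="SHUTDOWN">
  <Service name="Catalina">
    <Connector port="8080" protocol="HTTP/1.1" redirectPort="8443"/>
    <Connector protocol="org.apache.coyote.http11.Http11NioProtocol" port="8443" maxThreads="200"
               scheme="https" secure="true" SSLEnabled="true"
               keystoreFile="conf/st.keystore" keystorePass="the-password-chosen-in-step-2"
               clientAuth="false" sslProtocol="TLS"/>
  </Service>
</Server>"""

SERVER_XML_COMMENTED_OUT = """<Server port="8005" shutdown="SHUTDOWN">
  <Service name="Catalina">
    <!-- <Connector port="8443" scheme="https" secure="true" SSLEnabled="true"
                    keystoreFile="conf/st.keystore" keystorePass="changeit"/> -->
  </Service>
</Server>"""

SERVER_XML_P12 = """<Server port="8005" shutdown="SHUTDOWN">
  <Service name="Catalina">
    <Connector port="443" scheme="https" secure="true" SSLEnabled="true"
               keystoreFile="conf/key.p12" keystorePass="changeit"/>
  </Service>
</Server>"""

if __name__ == "__main__":
    for name, xml in [("ok", SERVER_XML_OK), ("commented", SERVER_XML_COMMENTED_OUT), ("p12", SERVER_XML_P12)]:
        print(name, check_server_xml(xml, CATALINA_BASE, EXISTING_FILES) or "no problems")
```

Against a real installation, read C:\sametimeproxy\conf\server.xml into a string and build the set of existing files from the conf folder with `resolve_keystore` so both sides are normalised the same way. The PKCS12 case mirrors the approach in one of the comments below, where a .p12 file is referenced directly from server.xml together with keystoreType="PKCS12".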

  6. Now restart the Sametime Proxy Server; your web browser should now show the imported certificate.

3 thoughts on “HCL Sametime V11 Proxy Server – exchange self certificate for qualified SSL certificate”

  1. Wildcard certificate for meetings
     You have to pull the certificate apart and extract the cert.key and the cert.crt
     Commands pulled from this website

     https://www.ibm.com/docs/en/arl/9.7?topic=certification-extracting-certificate-keys-from-pfx-file

     1. On a Windows box, download OpenSSL https://www.openssl.org/
        1. Install OpenSSL and take the defaults
        2. Copy the Wildcard cert to a folder that is easy to navigate and remember. For example C:\Wild
        3. Extract the ENCRYPTED cert.key
           1. Start OpenSSL via command prompt or EXE
           2. Type in your command to extract the cert.key, you will be prompted for the Password for the Wildcard, and the Password for the PEM
           3. Password for the Wildcard is to UNLOCK the WILDCARD, Password for PEM is to SAFEGUARD the PEM
           4. At the “OPENSSL>” prompt type
           5. pkcs12 -in [path to wildcard] -nocerts -out cert.key
           6. In my example it looks like this
           7. pkcs12 -in c:\sametimeproxy\conf\WildcardDec2022.pfx -nocerts -out cert.key
           8. Enter Import Password: [password for wildcard]
           9. Enter PEM pass phrase: [password to secure the pem] *I use the same password as above to keep it simple
           10. Now you will have a cert.key in the folder where OpenSSL is being run from. In my example it is in C:\Program Files\OpenSSL-Win64\bin
        4. Now we are pulling out the CRT, you will be prompted for the Wildcard Password
           1. At prompt OpenSSL> pkcs12 -in c:\sametimeproxy\conf\WildcardDec2022.pfx -clcerts -nokeys -out cert.crt
           2. Enter Import Password: [Wildcard password]
        5. Now we are going to decrypt the CERT.KEY from Step 3
           1. OpenSSL> rsa -in cert.key -out certdecrypted.key
           2. Enter pass phrase for cert.key: [Wildcard password]
           3. Now you will have a certdecrypted.key in the folder where OpenSSL is being run from. In my example it is in C:\Program Files\OpenSSL-Win64\bin.
        6. Rename keys
           1. Now rename cert.key to encryptedcert.key
           2. Now rename decryptedcert.key to cert.key

     Sametime Meetings
     1. Shut down Sametime meetings server
        1. Open a terminal and navigate to your install folder
        2. Change directory by using: cd /opt
        3. To see the directories: ls
        4. cd STMeet (because it is case sensitive)
        5. To down the server on docker: docker-compose down
     2. Now place your new cert.key and cert.crt in the folder ./jitsi config/web/keys/cert.crt and cert.key
        1. For me it's the following: opt/STMeet/jitsi-config/web/keys
     3. Now bring server back up by following steps above 1.1 – 1.4
        1. To bring server up: docker-compose up

  2. If you already have a PKCS12 file (I had a star certificate) you do not have to import it into a Java keystore. The PKCS12 file may be referenced directly in the Tomcat server.xml file with the three keywords: keystoreFile, keystorePass, keystoreType

    <Connector
    protocol="org.apache.coyote.http11.Http11NioProtocol"
    maxPostSize="16777216" maxSwallowSize="16777216"
    port="443" maxThreads="200" scheme="https" secure="true" SSLEnabled="true"
    keystoreFile="conf/key.p12"
    keystorePass="password"
    keystoreType="PKCS12"
    />
