HCL Sametime V11 Proxy Server – exchange self certificate for qualified SSL certificate

To use Sametime V11 access from mobile devices or chat using a web browser, you need to install and configure the Sametime Proxy Server. Sametime since version 11 uses a proxy server based on Apache Tomcat. This reduced hardware requirements and simplified installation.

The document “ST11_Installation_and_Administration.pdf”, which can be downloaded together with the installation files located on Flexnet, describes the basic installation and configuration. The Sametime Proxy Server installation section describes how to automatically create a new selfcert for SSL without any configuration changes. If you use selfcert, it is possible that some web browsers or mobile devices may have problems with this certificate, you will have to create exceptions, rules and so on.
I had this problem with my installation of Sametime V11 and so we started looking for how to replace the selfcert with a qualified certificate from a Certificate Authority (in my case I chose RapidSSL from GeoTrust).

The solution is not complicated and although I am not an expert on Tomcat, I managed it quite easily. Maybe also thanks to my previous experience, as Domino Admin I used SSL certificates for Domino using OpenSSL.

How to do it?

Suppose we already have Sametime Community Server V11 installed and install Sametime Proxy Server V11 in “c:\ sametimeproxy” (as described in the instructions document). We will need the “keytool” tool, which is in “C: \ sametimeproxy \ jdk8u222-b10-jre \ bin

  1. Run a command prompt and open the folder C: \ sametimeproxy \ jdk8u222-b10-jre \ bin
  2. Now we will create a new Certificate Keystore using “keytool”, where we will then import the necessary certificates. We name the new keystore “st.keystore”. Create it C: \ sametimeproxy \ cfg.So we use the command:

“keytool -genkey -alias tomcat -keyalg RSA -keystore C:\sametimeproxy\conf\st.keystore”

– create a new password for the keystore. Tomcat default uses “changeit”
– we will confirm the password again
– fill in basic information about keystore. In “First and Last name” I used FQDN of Sametime server “sametime.company.com” and gradually filled in further data (Company, City, Country and so on).
– we created a new keystore

  1. Now we create a new a local Certificate Signing Request (CSR). In order to obtain a Certificate from the Certificate Authority of your choice you have to create a so called Certificate Signing Request (CSR).

    That CSR will be used by the Certificate Authority to create a Certificate that will identify your website as “secure”.

    The CSR is then created with:

“keytool -certreq -keyalg RSA -alias tomcat -file certreq.csr -keystore C:\sametimeproxy\conf\st.keystore”

– Now you have a file called certreq.csr that you can submit to the Certificate Authority. In return you get a Certificate.

  1. The certificate must be installed to the keystore where the CSR was created.
    – Prepare a certificate file and both Intermediate certificates. Import Primary Intermediate:

“keytool -import -alias primary -trustcacerts -file D: \ cert \ PrimaryIntermediate.pem -keystore C: \ sametimeproxy \ conf \ st.keystore”

– Import Secondary Intermediate:

“keytool -import -alias secondary -trustcacerts -file D: \ cert \ SecondaryIntermediat .pem -keystore C: \ sametimeproxy \ conf \ st.keystore”

– Then import the SSL certificate:

“keytool -import -alias tomcat -trustcacerts -file D: \ cert \ certificate.txt -keystore C: \ sametimeproxy \ conf \ st.keystore”

  1. Now you need to configure the SSL Connector. Open the server.xml file located in the “c:\ conf” folder. In the configuration, find the connector that should work for the new keystore and uncomment it if necessary.
    In the connector configuration, specify the correct file location and passphrase. The correct configuration looks like this:

< Connector protocol=”org.apache.coyote.http11.Http11NioProtocol” port=”8443″ maxThreads=”200″ scheme=”https” secure=”true” SSLEnabled=”true” keystoreFile=”conf/st.keystore” keystorePass=”changeit” clientAuth=”false” sslProtocol=”TLS”/ >

  1. Now restart the Sametime proxy server and your web browser should already see the imported certificate.

2 thoughts on “HCL Sametime V11 Proxy Server – exchange self certificate for qualified SSL certificate”

  1. If you already have a pkcs12 file (I had a star certificate) you do not have to import it into a java keystore. The pkcs12 file may be referenced directly in the Tomcat server.xml file with the three keywords: keystoreFile, keystorePass,keystoreType

    maxPostSize="16777216" maxSwallowSize="16777216"
    port="443" maxThreads="200" scheme="https" secure="true" SSLEnabled="true"


Leave a comment