Sametime 9 SSL and LDAP Notes to Get LDAPS (636) Working

Mindwatering Incorporated

Author: Tripp W Black

Created: 05/07/2014 at 09:22 PM

Category:
Domino Upgrades / Installations
SameTime

Issue:
Installed Sametime community server but client logins do NOT work.


Solution:
There isn't an easy script. You have to combine part of the IBM Lotus Sametime 7.5 documentation on creating JKS keyring files, parts of the Sametime 8.5.2 documentation, and some WAS IKeyMan and GSKit documentation. Add in days of experimentation and a lot of back-and-forth with IBM support passing various technotes.

Below are our notes to get SSL LDAP working between Sametime and a Domino server running LDAP on port 636. Please note that there are a lot of steps to perform in installing and setting up the Domino server: a 32-bit Linux OS, the required libraries, installing Domino, installing Sametime, installing the WAS server and the Sametime console, setting up the deployment profile, and finally the actual set-up of the Sametime community server. Once this is done, you may find numerous issues that have to be fixed manually.

SSL Sametime9 GSKit Linux Set-up

1. Keep the installation files after installing Sametime.
Note: Make sure you install 32-bit Domino and 32-bit Sametime on a 32-bit Redhat OS. We cannot get Sametime to work on Redhat 6.x and CentOS 6.x otherwise.
(It works with 64-bit Ubuntu, but that's not a supported distro.)

2. Set up / repair the IBM Sametime server web authentication and session-based logins.
When the Sametime Console sets up the Sametime server, the new LDAP document in directory access will likely NOT work.
a. This is likely because the Domino mail/app server uses Internet Sites and the ST server doesn't.
Make sure that the Domino server has the domainssl.kyr and domainssl.sth keyring and hash files for normal SSL.
Make sure that the SSL ports are open for HTTP on the ST Domino server. Test SSL and confirm it's working.
Now open the server document and confirm/add the kyr filename on the Internet Protocols tab. Save, then restart the server.
If it doesn't work, change the server document to use Internet Sites as well and restart the server. Then change it back and restart the server again.
b. Check that your Directory Access app has the auto-created LDAP entry. Make sure the entry is trusted for login by LDAP clients.

3. Now confirm directory assistance is working with a sh xdir. There should now be two entries, with the second one (the LDAP directory) connected.

Notes:
DA is now set up and Domino can talk to the Domino LDAP server, but ST cannot: it has to use the GSKit's keyring files.

4. Locate the Sametime installation files you kept from the original ST installation. Navigate down through the GSKit and Linux folders.
# pwd
/root/tmp/SametimeStandardServer/GSKit/Linux
# ls
gskcrypt32-8.0.15.6.linux.x86.rpm gskssl32-8.0.15.6.linux.x86.rpm

5. Install the RPM files. The gskcrypt*.rpm file must be installed first, so install the two packages one at a time rather than with a single wildcard (a single rpm -i gsk*.rpm would pull both into one transaction, and repeating it only reports that they are already installed).
# rpm -i gskcrypt32-8.0.15.6.linux.x86.rpm
# rpm -i gskssl32-8.0.15.6.linux.x86.rpm
(Note: The default RPM program folder destination is /usr/local/ibm/.)

6. Set up the java.security file in both Domino JREs.
# cd /opt/ibm/domino/notes/latest/linux/ibm-jre/jre/lib/security/
# vi java.security
Notes:
- I added the following line at the end of the list of providers, and saved:
security.provider.10=com.ibm.spi.IBMCMSProvider
- This didn't work, so I did a web search and other admins said that the line should say:
security.provider.10=com.ibm.security.cmskeystore.CMSProvider
- Re-edit and update the .10 to whatever number is next in the list.
- Make the same edit in the second JRE's java.security:
# cd /opt/ibm/domino/notes/latest/linux/jvm/lib/security/
# vi java.security

7. Remove the gskikm.jar file that is already in the ../jre/lib/ext folder.
# cd ..
# cd ext
# rm gskikm.jar
rm: remove regular file 'gskikm.jar'? yes

8. Set the JAVA_HOME variable to the Domino / ST Java home location:
# JAVA_HOME=/opt/ibm/domino/notes/latest/linux/ibm-jre/jre; export JAVA_HOME

9. Start the IKeyMan - IBM Key Management program:
# cd /opt/ibm/domino/notes/latest/linux/jvm/bin/
# ./ikeyman

10. Created a new CMS file per the normal documentation. Saved to /root/tmp.
- Imported the SSL root certifier, the intermediate certifier, and the final SSL cert for the LDAP server.
(Note: On testing, it turned out the LDAP server cert import wasn't needed, just the parent certs.)
- File Save to /root/tmp/companysslfilename.kdb, clicked the check mark to also make a hash file (sth). Gave it a password.
- Note: This actually created 3 files ending with kdb, rdb, and sth.

11. Opened the same kdb again, performed Save As and chose JKS this time.
- Notes:
We are supposed to use the GSKit command line according to the Sametime 7.5 documentation, but the newer GSKit software cannot do JKS files anymore. So we used IKeyMan.
This created a key.jks. Renamed the key.jks file to companysslfilename.jks.
This did NOT create the key.crl file. I could not find a way to create it.

12. Moved all the cert files to /local/notesdata/.

13. Updated sametime.ini and added 4 lines to it specifying the JKS store and its password.
# vi /local/notesdata/sametime.ini

Added the following 4 lines to the bottom of the [config] section. Make sure there is no space after the "=" in any of them, as the value is taken literally as the path. The password sits in clear text in this file, so keep its file permissions restricted to the Domino user.
javax.net.ssl.keyStore=/local/notesdata/companysslfilename.jks
javax.net.ssl.trustStore=/local/notesdata/companysslfilename.jks
javax.net.ssl.keyStorePassword=JKSPassword
javax.net.ssl.trustStorePassword=JKSPassword

14. Updated the UserInfoConfig.xml file so that its SSL keyring path points at the JKS store.
# vi /local/notesdata/UserInfoConfig.xml

Located the SslProperties node and updated KeyStorePath:
<SslProperties KeyStorePath="/local/notesdata/companysslfilename.jks" .../>

15. This still didn't work. Looking at /local/notesdata/Trace/stdirectory_datetime.txt,
the file being retrieved is key.kdb instead of the files specified in steps #13 and #14 above.
Unable to find a third file to edit, I decided to test creating symlinks for each of the 3 files for companysslfilename.kdb.
# cd /local/notesdata
# ln -s ./companysslfilename.kdb ./key.kdb
# ln -s ./companysslfilename.rdb ./key.rdb
# ln -s ./companysslfilename.sth ./key.sth

16. Restarted Domino.
Logins are now working.
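A small post-install check for steps 13 to 15, added here as an example (constructed; it is not part of the Mindwatering notes). It assumes the paths from the notes, /local/notesdata and the keystore base name companysslfilename, and verifies the two things that bit us: a stray space in the javax.net.ssl.* values in sametime.ini, and key.kdb/rdb/sth links that do not resolve to the real CMS files.

```shell
# Added post-install check for steps 13-15 of the notes above (constructed
# here, not part of the Mindwatering page). It assumes the paths from the
# notes: data directory /local/notesdata, keystore base companysslfilename.
# The four javax.net.ssl.* lines must exist in the [config] section of
# sametime.ini with no space after '=': to Java, " /local/x.jks" is a
# different path that it cannot open, so the store never loads.
check_sametime_ini() {
    ini=$1; rc=0
    for key in keyStore trustStore keyStorePassword trustStorePassword; do
        line=$(sed -n '/^\[config\]/,/^\[/p' "$ini" \
               | grep "^javax\.net\.ssl\.${key}=" | head -n 1)
        if [ -z "$line" ]; then echo "MISSING: javax.net.ssl.$key"; rc=1; continue; fi
        value=${line#*=}
        case "$value" in
            ' '*|*' ') echo "WHITESPACE in javax.net.ssl.$key: '$value'"; rc=1 ;;
        esac
    done
    return $rc
}

# key.kdb/key.rdb/key.sth (the names the stdirectory trace asked for in
# step 15) must be symlinks that resolve to the real CMS keyring files.
check_cms_links() {
    dir=$1; base=$2; rc=0
    for ext in kdb rdb sth; do
        link="$dir/key.$ext"; target="$dir/$base.$ext"
        if [ ! -f "$target" ]; then echo "MISSING: $target"; rc=1; continue; fi
        if [ ! -L "$link" ]; then echo "NOT A SYMLINK: $link"; rc=1; continue; fi
        # -f follows the link (a dangling link fails); cmp confirms it resolves
        # to the intended file rather than a stale copy with the same name
        if [ ! -f "$link" ] || ! cmp -s "$link" "$target"; then
            echo "BAD LINK: $link does not resolve to $target"; rc=1
        fi
    done
    return $rc
}

# Stand-alone demo on a constructed sametime.ini that repeats the stray-space
# mistake from step 13 (trustStore= /local/...), so the check reports it.
demo() {
    d=$(mktemp -d); j=/local/notesdata/companysslfilename.jks
    printf '[config]\njavax.net.ssl.keyStore=%s\njavax.net.ssl.trustStore= %s\n' \
        "$j" "$j" > "$d/sametime.ini"
    check_sametime_ini "$d/sametime.ini" || echo "demo: problems found, as expected"
    rm -rf "$d"
}
# Usage: sh check_st_ldaps.sh /local/notesdata companysslfilename  (no args: demo)
if [ $# -eq 2 ]; then check_sametime_ini "$1/sametime.ini" && check_cms_links "$1" "$2" && echo OK
else demo; fi
```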
