Transferring the single server SSL certificate to ND Gateway installation

This post is in response to a question asked on my previous post by Gili Nachum.

When re-installing the Sametime Gateway to convert it from a Single Server to a Network Deployment you obviously have to re-configure the system, which definitely includes the SSL configuration. There might possibly be a way to transfer most of the configuration using WebSphere scripts. In the absence of any experience in this area I am going to describe the manual steps here.

Very important: create a backup of your WebSphere directory before removing the old installation of the Gateway. I am assuming here that you have followed IBM’s instructions for the SSL setup of the single server and didn’t create a custom keystore. In this case you’ll find a key.p12 file within the profile config, which is the NodeDefaultKeyStore, and a trust.p12 file, reflecting the NodeDefaultTrustStore.

On setting up the new Sametime Gateway server using network deployment you will be creating a new key store. Instead of creating a certificate request though you are going to import the existing certificate.

  1. Select Personal Certificates under Additional properties and choose Import.
  2. Choose Key store file and type the path to your key.p12 file.
  3. Leave Type set to PKCS12.
  4. Enter the Key file password. The default key store password, if you haven’t changed it, is WebAS.
  5. Hit the ‘Get Key File Aliases’ button and select the alias to import in the drop down below.
  6. Define the alias name for the import and hit okay.

Repeat the above steps for all trust certificates using the trust.p12 file of the old installation and the CellDefaultTrustStore of the new installation. You can now continue with the SSL configuration for the cluster, the SIP and XMPP proxy.

As a side note to the above: it is strongly recommended to change the password for your DefaultKeyStores. Otherwise an attacker might be able to steal and misuse your identity.
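The console import in steps 1 to 6, written as a wsadmin Jython script. This is an added example, not from the original post or IBM's documentation; it assumes your WebSphere version provides the AdminTask commands listKeyFileAliases and importCertificate, and the file path and key store name are placeholders.

```python
# wsadmin Jython; run on the deployment manager with:
#   wsadmin -lang jython -f import_cert.py
# The values below are placeholders (assumptions), not taken from the post.
OLD_KEY_FILE = '/backup/oldprofile/config/key.p12'   # key.p12 from your backup
OLD_KEY_PASSWORD = 'WebAS'                           # default named in the post
NEW_KEY_STORE = 'STGatewayKeyStore'                  # hypothetical new key store
DEFAULT_PASSWORD = 'WebAS'


def key_file_args(path, password):
    # Steps 2-4: key store file, PKCS12 type, key file password.
    # Paths containing spaces must be quoted inside the argument string.
    return '-keyFilePath %s -keyFilePassword %s -keyFileType PKCS12' % (
        path, password)


def list_aliases(admin_task, path, password):
    # Step 5: what the 'Get Key File Aliases' button shows.
    out = admin_task.listKeyFileAliases('[%s]' % key_file_args(path, password))
    return [a.strip() for a in out.splitlines() if a.strip()]


def import_all(admin_task, path, password, key_store):
    # Steps 1 and 6: import each personal certificate under its old alias.
    imported = []
    for alias in list_aliases(admin_task, path, password):
        admin_task.importCertificate(
            '[%s -certificateAliasFromKeyFile %s -certificateAlias %s'
            ' -keyStoreName %s]'
            % (key_file_args(path, password), alias, alias, key_store))
        imported.append(alias)
    return imported


# AdminTask and AdminConfig exist only inside wsadmin, so this part is
# skipped when the file is loaded anywhere else.
if globals().get('AdminTask') is not None:
    done = import_all(AdminTask, OLD_KEY_FILE, OLD_KEY_PASSWORD, NEW_KEY_STORE)
    AdminConfig.save()
    print('imported aliases: ' + ', '.join(done))
    if OLD_KEY_PASSWORD == DEFAULT_PASSWORD:
        print('source key file still opens with the default password')
```

The script covers personal certificates only; the key store password is passed in clear text, so remove it from the file after the run.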

Unable to re-install Sametime Gateway

Today I had the need to re-install our Lotus Sametime Gateway to change it around from Standalone to Network Deployment. While the de-installation following IBM’s procedure seemed to be alright, I still wasn’t able to re-install the server, ending up with an error message:

“Unable to locate a Sametime Gateway server at [oldinstalllocation]”

Figuring out what was going on kept me busy for quite a while. I got my final hint from the installlog.txt claiming:

“, msg1, An existing Sametime Gateway version was detected.”

This pointed me to the final solution on the web. Apparently there can be an issue with InstallShield’s Vital Product Database (VPD), which still contains an entry for Sametime where there isn’t a valid installation any more. Removing the Gen2 folder from the \Program Files\Common Files\InstallShield\Universal\common directory as described in the linked document above finally allowed me to re-run the set-up. Also note that the Gen2 folder should be backed up before removing it, as it also holds information for other products that may be installed on the same server. More details on this can also be found in the linked document.