Transferring the single server SSL certificate to ND Gateway installation

This post is in response to a question asked on my previous post by Gili Nachum.

When re-installing the Sametime Gateway to convert it from a Single Server to a Network Deployment, you are obviously faced with the task of re-configuring the system, which definitely includes the SSL configuration. There might be a way to transfer most of the configuration using WebSphere scripts. In the absence of any experience in this area, I am going to describe the manual steps here.

Very important: create a backup of your WebSphere directory before removing the old installation of the Gateway. I am assuming here that you have followed IBM’s instructions for the SSL setup of the single server and didn’t create a custom keystore. In this case you’ll find two files within the profile config: key.p12, which is the NodeDefaultKeyStore, and trust.p12, which is the NodeDefaultTrustStore.

When setting up the new Sametime Gateway server using network deployment, you will be creating a new key store. Instead of creating a certificate request, though, you are going to import the existing certificate.

  1. Select Personal Certificates under Additional properties and choose Import.
  2. Choose Key store file and type the path to your key.p12 file.
  3. Leave Type set to PKCS12.
  4. Enter the Key file password. The default key store password, if you haven’t changed it, is WebAS.
  5. Hit the ‘Get Key File Aliases’ button and select the alias to import in the drop-down below.
  6. Define the alias name for the import and hit OK.

Repeat the above steps for all trust certificates, using the trust.p12 file of the old installation and the CellDefaultTrustStore of the new installation. You can now continue with the SSL configuration for the cluster and the SIP and XMPP proxies.

As a side note to the above: it is strongly recommended to change the password for your DefaultKeyStores. Otherwise, anyone who obtains a copy of a key store file can open it with the default password, and an attacker might be able to steal and misuse your identity.
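
To see which of the backed-up .p12 files still open with the default password, and which aliases the ‘Get Key File Aliases’ button will offer, you can inspect the files with openssl before importing them. The script below is an added example, not part of IBM’s instructions or the original post; it assumes openssl is installed, and the function names are made up for illustration.

```shell
#!/bin/sh
# Added example: audit backed-up WebSphere PKCS12 stores (key.p12, trust.p12).
# Assumption: openssl is on PATH. Function names are hypothetical.

DEFAULT_PW='WebAS'   # default key store password named in the post

# Return 0 if the PKCS12 file opens (its MAC verifies) with the given password.
# The password is handed over via the environment so it is not in the argv.
p12_opens_with() {
    P12_PW="$2" openssl pkcs12 -in "$1" -passin env:P12_PW -noout \
        >/dev/null 2>&1
}

# Print each certificate alias (friendlyName) in the store, one per line.
p12_aliases() {
    P12_PW="$2" openssl pkcs12 -in "$1" -passin env:P12_PW -nokeys 2>/dev/null |
        sed -n 's/^ *friendlyName: *//p' | sort -u
}

# Walk a directory tree and flag every .p12 that still uses the default
# password. Returns 1 if at least one such store was found, 0 otherwise.
# Limitation: file names containing newlines are not handled.
audit_default_password() {
    find "$1" -type f -name '*.p12' | (
        rc=0
        while IFS= read -r f; do
            if p12_opens_with "$f" "$DEFAULT_PW"; then
                printf 'DEFAULT PASSWORD: %s\n' "$f"
                p12_aliases "$f" "$DEFAULT_PW" | sed 's/^/    alias: /'
                rc=1
            else
                printf 'not opened with default password: %s\n' "$f"
            fi
        done
        exit "$rc"
    )
}

# Usage: sh audit_p12.sh /path/to/websphere-backup
if [ "$#" -gt 0 ]; then
    audit_default_password "$1"
fi
```

A file reported as "not opened with default password" either has a changed password or is not a readable PKCS12 file; the script does not distinguish the two.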