Sametime 12 - Connect to LDAP via SSL

Good Day

I deployed a new Sametime 12 setup for a client, only SSL(636) is allowed to connect to their AD LDAP servers. Where / How do I configure the SSL trust store etc in the new V12 architecture?

I suggest exploring the custom.env file for SSL-related settings.

Also check filters in StCommunityConfig.xml and UserInfoConfig.xml files

Thanks Niraj

Somewhere I surely need to copy the .p12 cert store in order for Sametime to load the AD LDAP trust certs; I just cannot find any information on this for ST V12.

Just a summary of what I have done so far and where I am stuck.

- I created a local copy of the sametime.ini and edited the ST_TLS* entries to list the trust store.

https://help.hcltechsw.com/sametime/12/admin/implement_tls_configuration.html

- I then added the below lines to my docker-compose.yml

volumes:
  - ./sametime.ini:/local/notesdata/sametime.ini
  - ./myssl.p12:/local/notesdata/myssl.p12

- Now the chat-server container is stuck in a restarting loop. (Attached are two screenshots).

I then removed the ./sametime.ini line from the docker-compose.yml, and the container starts successfully and I can see the "myssl.p12" file is mounted/copied successfully upon container startup.

What is the correct way to edit the sametime.ini for the chat-server container?

To add to what Tony said, the trust store file name must be "ldaptruststore.p12"

Hi @Casey Toole, could you clarify what you mean? In the screenshot above, is STI__Config__STLDAP_TLS_TRUST_STORE_FILE supposed to be set to "ldaptruststore.p12" instead of "/local/notesdata/ldaptruststore.p12"?

Also, a follow-up question. Is there better/current documentation on how to create the trust store for Domino? I found this old IBM doc for a different product, but it seems to work and there is a keytool utility in the domino jvm/bin directory.

Thanks!

Hi Ben,

Thanks for your question.

The parameter is correct as Tony posted it, which applies to Docker configurations.

For Kubernetes, you simply take your file ldaptruststore.p12 and create a secret including the .p12 file and its trust store password.

If you have a Domino server you can run keytool there, but it can be a little tricky. You want to switch to the notes user first and make sure notes.ini is in your path. I don't think we cover running keytool on Domino, but you can also download it separately. Here is a link to the Domino 12 help center: https://help.hcltechsw.com/domino/12.0.0/admin/index.html

We are in the process of re-working some of the help center, and actually this topic is scheduled to be published soon. You can access the Sametime 12 Help Center here: https://help.hcltechsw.com/sametime/12/admin/administrator_doc.html

To create a trust store for Sametime, you can follow these steps:

Assuming you are doing this for LDAP -- you need to have a copy of:

- certificate for the subject (ldap.example.com)

- intermediate certs

- CA/root

You do not need the private keys for this, as this is a trust store only.

You'll need to install keytool if you don't have it already.

  1. Copy the certificate(s) to be trusted to the machine where keytool is installed, and stage them in a temporary directory.

  2. Create a keystore by issuing the below command with the parameters:
    • <thepassword>: substitute this for the desired password for your trust store. Save the password for later use.
    • <alias_name>: This is a value for display in the trust store; each certificate must have a unique alias.
    • <file_to_trust.crt>: specify the full path to the certificate you are adding to your trust store.

keytool -importcert -storetype PKCS12 -keystore ldaptruststore.p12 -storepass <thepassword> -alias <alias_name> -file <file_to_trust.crt> -noprompt

  3. Optional: To import additional certificates into an existing trust store, run the below command; be sure to use a unique alias for each additional cert.

keytool -importcert -storetype PKCS12 -keystore ldaptruststore.p12 -storepass <thepassword> -alias <alias_name> -file <file_to_trust.crt> -noprompt

Please feel free to open a case with us if you need assistance.

Thanks,

Casey Toole, HCL

@Ben Erickson in case you need this:
How to configure TLS for LDAP on Docker: https://help.hcltechsw.com/sametime/12/admin/securing_ldap_docker.html

How to configure TLS for LDAP on Kubernetes: https://help.hcltechsw.com/sametime/12/admin/securing_ldap_kubernetes.html

And see yesterday's post for how to create a trust store.

Hi Anthony and Casey, we are still struggling with this and our client is pressuring us to get this implemented. I have a case open with HCL CS0332641

We are using this same LDAP trust store for Security Directory Integrator, WebSphere (HCL Connections) and for Domino Directory Assistance connection to their AD LDAP server via SSL.

I want to confirm whether the construction of our ldaptruststore.p12 is correct for Sametime, as I suspect that the issues we are experiencing are related to the trust store.

The LDAP trust store contains the following certs:

Private key

GoDaddy wildcard certificate (This certificate is used by the AD server)

GoDaddy Intermediate certificate

GoDaddy Root certificate

As mentioned, this structure works on other services for this customer with regard to LDAPS auth; I just want to confirm whether Sametime requires anything else.

We will work this through the case.

Hi.

Any additional tips on what to check when TLS for LDAP is not working?

In our case, 389 is working fine, but when we switch to TLS on 636 we see 0 connections between the Sametime server and the LDAP server.

Debugging LDAP and SSL on the Sametime server, the only messages we see in the logs are:

> Error: ldap_ssl_client_init failed [113/10] SSL initialization call failed

> Failed to initialize connection with ldapserver.test.com:636

Is it a connectivity issue?

Or a problem with the certificate?

If the latter, the logs show that the certificate is being properly opened and read. Which is the problem then? This certificate is being used on other servers without issues.

Thank you very much.

It would be best to open a case so that we can properly assist you.

Have a look at this article: https://support.hcl-software.com/csm?id=kb_article&sysparm_article=KB0104104

If you are on Docker, then some of it does not apply to you.

Check for network issues, like port 636 blocked by firewall.

Is this Domino LDAP or some other LDAP? Sametime 12.0.1 and earlier releases require a specific cipher to be supported, which is not enabled by default on Domino 12.x servers. See: https://support.hcl-software.com/csm?id=kb_article&sysparm_article=KB0099644

To further investigate we need to see some debug. Create a debug.env and enable STI__Debug__VP_LDAP_TRACE=1 and STI__DEBUG__ST_TLS_DEBUG=1

Implement the debug.env per instructions:

https://help.hcl-software.com/sametime/1201/admin/troubleshooting_debug_trace_docker.html

Restart Sametime and reproduce the problem (generate some traffic).

Then check the community logs by running:

docker-compose logs community

You want to look at the point where Sametime makes initial contact with LDAP and check whether the handshake is completing.

Also if you are connecting to a Domino LDAP server you can enable debug at the server console by entering: set config ldapdebug=7

Enable that just before you test, then after testing disable it by issuing: set config ldapdebug=0

Output for Domino is in the \data\IBM_Technical_Support\console.log

Another thing to check: in 12.0 and 12.01, we required creating the ldaptruststore in 'legacy mode'.

This has been corrected in 12.02 (just released!), and the overall configuration of LDAPS is much simpler. In addition to updating many of our internal libraries, we also now include a default trust store that contains many of the major signers, which negates the need to create and configure a trust store at all in most cases.

I would suggest trying out 12.02 and seeing if that doesn't just resolve your issue. There are many other new features as well.