Push SSL x-certs to IBM Notes Client (prevent cross-cert dialog)

If you connect the IBM Sametime meeting oder advanced server from the IBM Notes client (plug-in) through secure connection (SSL) …


… you will get a cross certificate warning within the Notes client.


To prevent this annoying dialog within the IBM Notes client you can push this x-certs to all IBM Notes client through the IBM Domino policy.

  1. Configure a secure (SSL) connection from your IBM Notes client (administrator) to the IBM Sametime meeting (or advanced) server
  2. After you connect the first time to the IBM Sametime meeting server you should get a cross-certificate window
    ! DO NOT automatically accept it.
    You need to change the fields to save the cross-certificate to your central domino address book (names.nsf).
    NOTE: If you do not get the cross-certificate window, please check your local address book for already accepted x-certs and delete the concerning document.
  3. In the field „certifier“ select your IBM Domino organization id (e.g. /edcom/de)
    In the field „server“ select your IBM Domino administration server (could be any other Domino server who helds the names.nsf)
    In the field „subject name“ select either the Sametime Meeting Server certificate or the „trusted root“ authority
  4. Click „cross certify“ to save the cross-certificate between IBM Domino organization <> Sametime server „trusted root“ into your central IBM domino directory (names.nsf)
  5. Create or edit an IBM Domino policy  – security setting document and switch to
    >> tab „keys and certificate“ >> section „administrative trust defaults“ and press the button „Update Links“ …
    … and select the cross-certificate you created before
  6. After the next login from the IBM Notes client, the cross-certificate from the IBM Domino policy security document was saved to the local address book in the view certificates

Thats it

BTW – you could also use this documentation to push x-certs between DomOrg <> DomOrg to IBM Notes clients

Sametime 9.0.1 – error installing new SystemConsole

IBM announced IBM Sametime 9.0.1 in May this year (=>http://blog.novaknet.de/?p=2451).

This week i tried to renew my test environment – so i make a complete new installation starting with 9.0.1 Version.
So i started the installation, i did 100 times before

  • Install IBM DB2 10.5.7
  • Install Installation Mangager
  • Install Websphere 8.5.5 + Fixpack 8
  • Create SSC Database
  • Install Sametime System Console 9.0.1

Installation was finished, but i got error messages that the SystemConsole could not register itself and i had to manually create missing tables in the System Console database with the db2-script createSchedTable.dll.
There is also a document concerning this script on the IBM Sametime wiki => Wiki: Setting the SSC db manually

So i created the table manually and tried to register SSC itself, but the Sametime Portlet gets an error („CWLAA6003: portlet could not load“).

So i thought i did a mistake and tried this again and again (on different OS) but i get every time the same error.
Then i tried to install the last Sametime System Console version 9.0 from feb., 2015 (poodle patch) and this version was installed successfully (w/o errors).

A deep analysis of the 9.0.1 SSC installation i found out, that the db-script (createSchedTable) was missing in the SSC installation script and therefore this is the problem… I think IBM has to correct the software, but i found a workaround for new installations

  • Workaround 1: Create SSC database, manually start the db2-script createSchedTable.dll, install SSC 9.0.1
  • Workaround 2: Create SSC database, Install SSC 9.0 ( – AGAR-9RHDHN), Update to SSC 9.0.1

Note: I get the same error with the latest SSC 9.0.x hotfix from april 2016 on the IBM fixcentral side ( – Fix: AGAR-A95S8V)

Here is how you manually start the db2-script

  • open DB2 command line (db2cmd)
  • db2cmd > db2 connect to STSC
  • db2cmd > db2 -tf \install\SametimeSystemConsole\DatabaseScripts\SystemConsole\createSchedTable.dll



By Alexander Novak Posted in Sametime

Sametime 9.0.1 announced and available for download (update)

IBM announced today the IBM Sametime version 9.0.1. You can download this from IBM Passport Advanced site.

IBM Link: IBM Sametime 9.0.1 Complete – download sheet & IBM partnumbers

IBM Link: IBM Sametime 9.0.1 – Detailed System Requirements

UpdatedIBM Sametime 9.0.1 Documentation Wiki is now online

  • IBM DB2 10.5 + FP 7
  • IBM Installation Manager
  • IBM Webpshere 8.5.5 + Fixpack 5 (there is no information about higher fixpack level)
  • IBM Sametime 9.0.1 System Console, Meeting, Proxy, Gateway, Advanced, Media (also Video Manager & MCU) and Community Server
  • ST 9.0.1 Mac Client (64 Bit with A/V)
  • new Meetingcenter UI
  • and more What’s new in this release?
    • Live Update for Sametime Clients
    • Preconfigured configuration keys for the Sametime Meeting Server (not sure what this means)
    • First Party Call Control (access a third-party SIP server directly from their Sametime Client)
By Alexander Novak Posted in Sametime

IBM Sametime Proxy updated APNS certificate (Apple Push Notification)

The IBM Sametime Proxy Server uses a local certificate to correctly connect to the Apple push notification service (aka APNS) so that you can see a chat request inside your IOs mobile notification screen (otherwise you have to open the IBM Sametime chat app directly to see the chat).

This is gateway.push.apple.com via port 2195 and feedback.push.apple.com via port 2196.

Because the local certificate has a limited date it will expire may the 5th 2016 and you need to exchange the certificate file on your server (with the updated certificate).

Just download the new apns certificate from the IBM fixcentral website

IBM documentation: Updated security certificate for Push Notifications (iOS)

To check if the new certificate is working just use (and download) the APNSTest tool „New Sametime Proxy APNs test application“ from collaborationben site

java -jar apnstest.jar -k apns-prod.pkcs12

Beware you need three things to work to connect to APNS

  1. You need to resolve the dns addresses for gateway.push.apple.com and feedback.push.apple.com
  2. You need to be able to connect to these addresses via port 2195 and 2196 (entire net)
    IP Address Range Used by the Push Service
  3. You need a valid apns certificate

Alternatively you could update to the latest Sametime Proxy fix from april 2016, but you have to update the Sametime System Console first to fix april 2016.

Sametime System Console Hotfix – ST30.25 build or 9.0.1 [April 2016]

Cumulative Hotfix for Sametime Proxy -ST30.25 build or 9.0.1 [April 2016]

APNS explained

  • gateway.push.apple.com:2195 = Apple notification server host name and port are used by the Sametime Proxy Server to send Sametime instant messages, meeting invitations, and announcements to iPhone users. When a user pauses receipt of messages, the Sametime Proxy Server database holds messages until the user views the messages or the mobile device’s pause time expires.
  • feedback.push.apple.com:2196 = Apple feedback service keeps track of which iPhone mobile devices are still valid and sends the information to the Sametime Proxy Server.
By Alexander Novak Posted in Sametime

Sametime Video Manager expired certificate – exchange root cert and trust 15 years

This is an old one, but it seems it happens a lot of again.

With the installation of the IBM Sametime Video Manager gold edition (sept. 2013), the Video Manager generates an self-signed one year valid ssl certificate.


This certificate has to be trusted inside the Sametime Media System to connect via port 5061/5081 between Media Conference Bridge and Video Manager

IBM Wiki: Import the Video Manager’s certificate to the Conference Manager

After a year you get a new self-signed certificate on the Video manager and the connection between Media Conference Bridge and Video Manager ist broken (error 503). You could trust the new Video Manager certificate inside the Media Conference Bridge, but this is – again – for one year.

IBM already documented to change the certificate to a longer valid certificate or root certificate (15 years).

IBM Docu: Sametime 9 Video Manager – A/V call fails due to default root certificate expires in one year

Because of many people having problem with this documentation i will give you some more details and screenshots for this to work (from zero2hero)

  1. Login to the Sametime Video Manager ISC (https://yourvmgrserver:9043/ibm/console)
  2. Navigate to Security > SSL certificate & key management > key stores & certificates
  3. Select the option (or key store) NodeVMGRKeyStore
  4. Navigate to personal certificate and press the button „import certificate from a key
  5. Select the key store NodeDefaultKeyStore and enter the key store password (use „WebAS“ because it is the default password for all websphere based keystores) and press button „Get key store aliases
  6. Select in the field certificate alias to import the value default and press the button OK

  7. You should now see a certificate called default with a self-signed root certificate (valid for 15years) in common.
    Press SAVE to write the master configuration.
    You now need to assign the new certificate to the application server
  8. Navigate to Security > SSL certificate & key management > Manage endpoint security configurations
    • Expand the INBOUND tree until you see the application server name STMediaServer
    • Klick on the servername STMediaServer
    • Select „override inherited values„, select NodeDefaultSSLSetting configuration, select default certificate alias and press the button OK
      Repeat this for the OUTBOUND tree until you see the application server name STMediaServer
    • Expand the OUTBOUND tree until you see the application server name STMediaServer
    • Klick on the servername STMediaServer
    • Select „override inherited values„, select NodeDefaultSSLSetting configuration, select default certificate alias and press the button OK
  9. Press SAVE to write the master configuration.
  10. Check the values in the endpoint security tree
  11. Restart the Sametime Video Manager in the following order
    • stop STMediaServer_was.init (via service or batch)
    • stop soliddb (via service or batch)
    • start soliddb (via service or batch)
    • WAIT 60 seconds
    • start STMediaServer_was.init (via service or batch)

After this you need to import the new Video Manager certificate into the Media Conference Bridge.

  1. Login to the Sametime System Console ISC (https://yoursscserver:8701/ibm/console)
  2. Navigate to Security > SSL certificate & key management > key stores & certificates
  3. Select the option (or key store) CellDefaultTrustStore
    >> you could delete the old Video Manager certificate if you wish
  4. Navigate to signer certificate and press the button „retrieve from port
  5. Enter the hostname for the Video Manager (e.g. myvmgrserver.dns.local) enter the port 5061 (or any other ssl port) an press the button „Retrieve signer information
    You should see now the new Video Manager root certificate – valid for 15 years
  6. Enter an alias name for the certificate e.g. vmgr_cert  and press the button OK
  7. You should now see a trust certificate called vmg_cert  (valid for 15years).
    Press SAVE to write the master configuration.
  8. Navigate to System administration > Nodes select all nodes and press „full synchronize“ to push the new certificate to the all applications servers
    Because of having problems with the shutdown of the application server(s) after importing or changing certificates (shutdown is waiting to manually accept new certificates) i do manually retrieve the keys from the node with the following command
    >>  „<appserverbin>\profiles\<profilename>\bin\retrievesigners -host stsscserver -port 8703
  9. Restart the Sametime Media Server (proxy registrar and/or conference bridge)
  10. Navigate to Sametime System Console > Sametime Servers > Sametime Video Manager Servers and check if you could connect to the Video Manager configuration

All done

By Alexander Novak Posted in Sametime

Sametime 9.0 Upgrade (poodle patch) of System Console fails

IBM announced new updates of Sametime because of SSLv3 vulnerability (PODDLE) for all Sametime comoponents on february this year

Security Bulletin: Vulnerability in SSLv3 affects Sametime (CVE-2014-3566)

After two month of upgrading today i got this strange error if i try to upgrade the Sametime System Console.

„A problem occurred during the execution of the ….WebSphere\STSCCell\build_meeting.xml file“

Analyzing the xml file (build_meeting.xml) there was a problem starting the application server STConsoleServer within the upgrade phase.
So i checked if there are problems with the registered os services to start – but this was not the problem (upgrade also failed). Looking inside the application server configuration i found out that the application server was  set to have dependencies with its nodeagent (monitoring policy = RUNNING).

So therefore the upgrade fails because of waiting for the nodeagent to start. You need – only for the upgrade process – to set the setting from RUNNING to STOPPED.

There is an IBM technote with a little more information about this setting.

Using the Monitoring Policy to automate the server startup may interfere with Application updates


Sametime Proxy – expired APNS certificate drops down STProxy application

IBM announced that the Apple Push Notification Service (APNS) certificate within the Sametime 8.5.x/9.0.x Proxy installation will get expired on june, 19th 2014

Updated security certificate for Push Notifications (iOS)

So please make a update NOW !!!

If you do not update the certificate (or forgot) your Sametime Proxy webchat client will not work anymore. You should get error messages inside the
proxy log (systemout.log) like this.

APNSService   W   com.ibm.collaboration.realtime.stproxy.services.APNS.APNSService.isPushAvaialble() – Connection to APNS Failed. Returning false. Exception thrown
                                 java.net.SocketException: Connection reset
    at java.net.SocketInputStream.read(SocketInputStream.java:179)
    at com.ibm.jsse2.b.a(b.java:146)
    at com.ibm.jsse2.b.b(b.java:174)
    at com.ibm.jsse2.b.a(b.java:38)
    at com.ibm.jsse2.SSLSocketImpl.a(SSLSocketImpl.java:209)
    at com.ibm.jsse2.SSLSocketImpl.h(SSLSocketImpl.java:643)
    at com.ibm.jsse2.SSLSocketImpl.a(SSLSocketImpl.java:106)
    at com.ibm.jsse2.SSLSocketImpl.startHandshake(SSLSocketImpl.java:304)
    at com.ibm.collaboration.realtime.stproxy.services.APNS.APNSService.getSSLConnection(APNSService.java:429)
    at com.ibm.collaboration.realtime.stproxy.services.APNS.APNSService.testConnection(APNSService.java:507)
    at com.ibm.collaboration.realtime.stproxy.services.push.PushService$1$1.run(PushService.java:84)

Another problem coudl be that you can´t change the Samtime Proxy configuration inside the Sametime System console, after saving you get an error

AIDSC1608E: Unable to reach the Sametime Proxy host name
Sametime Proxy error

This could be solved by updating the APNS key OR i had the same problem at a customer because the APNS Servernames


could not be resoved by DNS (so i added tha APNS addresses to the local hostfile).

Sametime 9 Hotfix(es)

IBM brought some Hotfixes for IBM Sametime 9 which are resolving some problems found in 9.0 Gold (Sept. 2013).

Sametime 9.0 – generelly Hotfix 1 (04-01-2014)

Sametime 9.0 – Hotfixes for Proxy (18-12-2013)


Sametime 9.0 – Hotfix for Media Server (30-01-2014)


Sametime 9.0 – Hotfix for Client (31-01-2014)


If you plan to install Sametime 9 as new – you do not have to install 9.0 Gold first, you just need to download ST 9 Hotfix 1 from IBM Fixcentral
and just add/insert the file repository.config to the IBM Installation Manager repository.

e.g. …/SametimeProxyServer/disk1/STProxy/respository.config