IBM Sametime Proxy updated APNS certificate (Apple Push Notification)

The IBM Sametime Proxy Server uses a local certificate to correctly connect to the Apple push notification service (aka APNS) so that you can see a chat request inside your IOs mobile notification screen (otherwise you have to open the IBM Sametime chat app directly to see the chat).

This is gateway.push.apple.com via port 2195 and feedback.push.apple.com via port 2196.

Because the local certificate has a limited date it will expire may the 5th 2016 and you need to exchange the certificate file on your server (with the updated certificate).

Just download the new apns certificate from the IBM fixcentral website

IBM documentation: Updated security certificate for Push Notifications (iOS)


To check if the new certificate is working just use (and download) the APNSTest tool „New Sametime Proxy APNs test application“ from collaborationben site

java -jar apnstest.jar -k apns-prod.pkcs12

Beware you need three things to work to connect to APNS

  1. You need to resolve the dns addresses for gateway.push.apple.com and feedback.push.apple.com
  2. You need to be able to connect to these addresses via port 2195 and 2196 (entire 17.0.0.0/8 net)
    IP Address Range Used by the Push Service
  3. You need a valid apns certificate

Alternatively you could update to the latest Sametime Proxy fix from april 2016, but you have to update the Sametime System Console first to fix april 2016.

Sametime System Console Hotfix – ST30.25 build or 9.0.1 [April 2016]

Cumulative Hotfix for Sametime Proxy -ST30.25 build or 9.0.1 [April 2016]


APNS explained

  • gateway.push.apple.com:2195 = Apple notification server host name and port are used by the Sametime Proxy Server to send Sametime instant messages, meeting invitations, and announcements to iPhone users. When a user pauses receipt of messages, the Sametime Proxy Server database holds messages until the user views the messages or the mobile device’s pause time expires.
  • feedback.push.apple.com:2196 = Apple feedback service keeps track of which iPhone mobile devices are still valid and sends the information to the Sametime Proxy Server.
By Alexander Novak Posted in Sametime

Sametime Video Manager expired certificate – exchange root cert and trust 15 years

This is an old one, but it seems it happens a lot of again.

With the installation of the IBM Sametime Video Manager gold edition (sept. 2013), the Video Manager generates an self-signed one year valid ssl certificate.

2016-04-22_11-46-20

This certificate has to be trusted inside the Sametime Media System to connect via port 5061/5081 between Media Conference Bridge and Video Manager

IBM Wiki: Import the Video Manager’s certificate to the Conference Manager

After a year you get a new self-signed certificate on the Video manager and the connection between Media Conference Bridge and Video Manager ist broken (error 503). You could trust the new Video Manager certificate inside the Media Conference Bridge, but this is – again – for one year.

IBM already documented to change the certificate to a longer valid certificate or root certificate (15 years).

IBM Docu: Sametime 9 Video Manager – A/V call fails due to default root certificate expires in one year

Because of many people having problem with this documentation i will give you some more details and screenshots for this to work (from zero2hero)


  1. Login to the Sametime Video Manager ISC (https://yourvmgrserver:9043/ibm/console)
  2. Navigate to Security > SSL certificate & key management > key stores & certificates
  3. Select the option (or key store) NodeVMGRKeyStore
  4. Navigate to personal certificate and press the button „import certificate from a key
    2016-04-22_11-52-39-2
  5. Select the key store NodeDefaultKeyStore and enter the key store password (use „WebAS“ because it is the default password for all websphere based keystores) and press button „Get key store aliases
  6. Select in the field certificate alias to import the value default and press the button OK
    2016-04-22_11-49-31

  7. You should now see a certificate called default with a self-signed root certificate (valid for 15years) in common.
    Press SAVE to write the master configuration.
    2016-04-22_11-52-39
    You now need to assign the new certificate to the application server
  8. Navigate to Security > SSL certificate & key management > Manage endpoint security configurations
    • Expand the INBOUND tree until you see the application server name STMediaServer
    • Klick on the servername STMediaServer
    • Select „override inherited values„, select NodeDefaultSSLSetting configuration, select default certificate alias and press the button OK
      2016-04-22_11-53-46
      Repeat this for the OUTBOUND tree until you see the application server name STMediaServer
    • Expand the OUTBOUND tree until you see the application server name STMediaServer
    • Klick on the servername STMediaServer
    • Select „override inherited values„, select NodeDefaultSSLSetting configuration, select default certificate alias and press the button OK
  9. Press SAVE to write the master configuration.
  10. Check the values in the endpoint security tree
    2016-04-22_11-54-32
  11. Restart the Sametime Video Manager in the following order
    • stop STMediaServer_was.init (via service or batch)
    • stop soliddb (via service or batch)
    • start soliddb (via service or batch)
    • WAIT 60 seconds
    • start STMediaServer_was.init (via service or batch)

After this you need to import the new Video Manager certificate into the Media Conference Bridge.

  1. Login to the Sametime System Console ISC (https://yoursscserver:8701/ibm/console)
  2. Navigate to Security > SSL certificate & key management > key stores & certificates
  3. Select the option (or key store) CellDefaultTrustStore
    >> you could delete the old Video Manager certificate if you wish
  4. Navigate to signer certificate and press the button „retrieve from port
    2016-04-22_15-40-30
  5. Enter the hostname for the Video Manager (e.g. myvmgrserver.dns.local) enter the port 5061 (or any other ssl port) an press the button „Retrieve signer information
    You should see now the new Video Manager root certificate – valid for 15 years
    2016-04-22_12-22-55
  6. Enter an alias name for the certificate e.g. vmgr_cert  and press the button OK
  7. You should now see a trust certificate called vmg_cert  (valid for 15years).
    2016-04-22_15-40-30-2
    Press SAVE to write the master configuration.
  8. Navigate to System administration > Nodes select all nodes and press „full synchronize“ to push the new certificate to the all applications servers
    2016-04-22_12-24-32
    Because of having problems with the shutdown of the application server(s) after importing or changing certificates (shutdown is waiting to manually accept new certificates) i do manually retrieve the keys from the node with the following command
    >>  „<appserverbin>\profiles\<profilename>\bin\retrievesigners -host stsscserver -port 8703
    Systemdesign2
  9. Restart the Sametime Media Server (proxy registrar and/or conference bridge)
  10. Navigate to Sametime System Console > Sametime Servers > Sametime Video Manager Servers and check if you could connect to the Video Manager configuration
    2016-04-22_12-56-08

All done

By Alexander Novak Posted in Sametime