IBM Sametime: Updated security certificate for Push Notifications (iOS)


Abstract

Before 19 June 2014, Sametime administrators must download and apply the latest security certificate for iOS traffic. If Push Notifications have stopped working for the native iOS client, this could be due to the SSL certificate for connecting to the APNS server having expired.


Content

The Sametime Proxy server ships with an SSL certificate to allow for push notifications to occur securely for the Sametime Mobile Chat client for Apple iOS via the Apple Push Notification Service (APNS). The current certificate expires 19 June 2014. Before that date, Sametime administrators should download and apply an updated certificate to continue expected functionality for users.


Problem that occurs with expired certificate

If the certificate in use by the Sametime Proxy server has expired, users of the native iOS chat client will no longer receive push notifications. Users might describe the symptom as receiving messages only when the application is in the foreground or that notifications are not sent to the device when the Sametime client application is in the background.

The issue can be identified in the server logs by the following error:
“APNSService W com.ibm.collaboration.realtime.stproxy.services.APNS.APNSService startAPNS CLFRX0079W: Unable to establish an SSL connection to the APNS service Connection refused: connect”

Installation Instructions

Download the updated certificate 9001-ST-Proxy-FP-AGRE-9KYLU4 from IBM Fix Central. To avoid the problem, copy the provided keystore to the appropriate location. Because there are two types of installations, you need to determine which you have and apply the appropriate steps for that type.

Stand-alone/Cell installation

If you chose this type of installation, then you have a deployment manager (dmgr) as well as a nodeagent and server all on the same operating system.
To resolve the problem, follow these steps:
1. Copy the provided apns-prod.pkcs12 file to the following directory:
../IBM/WebSphere/AppServer/profiles/[dmgrProfileName]/config/cells/[cellName]/nodes/[stProxyNodename]/
*Note that this is the dmgr profile, NOT the Application profile
2. Perform a Full Resynchronize of the node
3. Stop the STProxyServer
4. Stop the nodeagent
5. Start the nodeagent
6. Start the STProxyServer


Network (Primary Node) installation

This type of installation typically means that you are using the Sametime System Console (SSC) as the dmgr. The steps are as follows (basically the same as above):
1. Copy the provided apns-prod.pkcs12 file to the following directory on the SSC operating system file system:
../IBM/WebSphere/AppServer/profiles/[SSCdmgrProfileName]/config/cells/[SSCcellName]/nodes/[stProxyPNNodename]/
*Note that this is the SSC dmgr profile, NOT the SSC Application profile
2. Perform a Full Resynchronize of the node
3. Stop the STProxyServer
4. Stop the nodeagent
5. Start the nodeagent
6. Start the STProxyServer


Network (Secondary Nodes)

If you have any secondary nodes, you need to copy the apns-prod.pkcs12 file to ALL secondary node directories on the SSC dmgr. The secondary node directories are in the same location as the primary node directory:

../IBM/WebSphere/AppServer/profiles/[SSCdmgrProfileName]/config/cells/[SSCcellName]/nodes

Once copied to the secondary nodes, make sure to restart the nodeagent and STProxyServer as you did for the primary node.
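
To confirm that every node directory under the dmgr profile received the updated keystore, the following added example (not part of the IBM instructions) compares the SHA-256 of each node's apns-prod.pkcs12 with the file downloaded from Fix Central. The node names and the temporary directory tree are constructed for the demonstration; in practice, point audit_nodes at the real .../config/cells/[cellName]/nodes directory.

```python
import hashlib
import tempfile
from pathlib import Path

KEYSTORE_NAME = "apns-prod.pkcs12"  # keystore file name given in the steps above

def sha256_of(path: Path) -> str:
    """Hash a file in chunks so the keystore never has to be opened or unlocked."""
    digest = hashlib.sha256()
    with path.open("rb") as fh:
        for chunk in iter(lambda: fh.read(65536), b""):
            digest.update(chunk)
    return digest.hexdigest()

def audit_nodes(nodes_dir: Path, updated_keystore: Path) -> dict:
    """Map each node directory to 'updated', 'stale' or 'missing'."""
    expected = sha256_of(updated_keystore)
    report = {}
    for node in sorted(p for p in nodes_dir.iterdir() if p.is_dir()):
        candidate = node / KEYSTORE_NAME
        if not candidate.is_file():
            report[node.name] = "missing"
        elif sha256_of(candidate) == expected:
            report[node.name] = "updated"
        else:
            report[node.name] = "stale"
    return report

def build_demo_layout():
    """Constructed sample tree: one updated node, one stale, one without the file."""
    root = Path(tempfile.mkdtemp())
    download = root / "download" / KEYSTORE_NAME
    download.parent.mkdir()
    download.write_bytes(b"constructed-new-keystore-bytes")
    nodes = root / "nodes"
    # Hypothetical node names; real names come from your own cell.
    samples = {"stProxyPN": b"constructed-new-keystore-bytes",
               "stProxySN1": b"constructed-old-keystore-bytes",
               "stProxySN2": None}
    for name, content in samples.items():
        (nodes / name).mkdir(parents=True)
        if content is not None:
            (nodes / name / KEYSTORE_NAME).write_bytes(content)
    return nodes, download

if __name__ == "__main__":
    nodes_dir, download = build_demo_layout()
    for node, status in audit_nodes(nodes_dir, download).items():
        print(f"{node}: {status}")
```

A "missing" result is expected for nodes that do not host a Sametime Proxy server; a "stale" result on a proxy node means the old keystore is still in place there.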
