Defining the default SSL configuration for a cluster

Complete these steps to create a new SSL configuration for the deployment manager and node agents in a cluster of IBM® Sametime® Gateway Servers.

About this task

Secure Sockets Layer (SSL) configurations contain the attributes that you need to control the behavior of client and server SSL endpoints. Modify the default SSL configuration to be used on the inbound and outbound trees in the configuration topology. The deployment manager and the node agents will use the default SSL configuration, while the application servers will use a new SSL configuration, which you will create in the next task.

Procedure

  1. Ensure that the deployment manager and node agents are started, and the servers are stopped.
  2. Update the configuration to use TLS version 1.2 as follows:
    1. In the Integrated Solutions Console, click Security > SSL certificate and key management > SSL Configurations.
    2. Click CellDefaultSSLSettings.
    3. On the configuration page, look in the "Additional Properties" section and click Quality of Protection (QoP) Settings.
    4. Set the protocol to TLSv1.2.
    5. Click Apply and then click Save to update the master configuration.
    6. Repeat this step for all of the NodeDefaultSSLSettings SSL configurations listed.
  3. Edit the security.xml file on every node that is federated to the deployment manager using the following steps:
    1. Open the profile_root\config\cells\DMGRCell\security.xml file for editing.
    2. Locate the CellDefaultSSLSettings Quality of Protection (QoP) Settings and change the value to TLSv1.2.
      For example:
      <repertoire xmi:id="SSLConfig_1" alias="CellDefaultSSLSettings" managementScope="ManagementScope_1">
      <setting xmi:id="SecureSocketLayer_1" clientAuthentication="false" securityLevel="HIGH" enabledCiphers="" jsseProvider="IBMJSSE2" sslProtocol="TLSv1.2" keyStore="KeyStore_1" trustStore="KeyStore_2" trustManager="TrustManager_2" keyManager="KeyManager_1">
      
    3. Repeat substep 2 for all of the NodeDefaultSSLSettings listed in the file.
      For example:
      <repertoire xmi:id="SSLConfig_1386248717790" alias="NodeDefaultSSLSettings" managementScope="ManagementScope_1386248717790">
      <setting xmi:id="SecureSocketLayer_1386248717790" clientAuthentication="false" securityLevel="HIGH" enabledCiphers="" jsseProvider="IBMJSSE2" sslProtocol="TLSv1.2" keyStore="KeyStore_1386248717790" trustStore="KeyStore_2" trustManager="TrustManager_1386248717790" keyManager="KeyManager_1386248717790">
      

      Repeat substeps 1-3 for any node that is federated to the deployment manager.

  4. Restart the deployment manager.

    If the server fails to stop, then restart the operating system before starting the deployment manager.

  5. Restart all node agents.

    If the node agents fail to stop, then restart the operating system before starting the node agents.
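
A check for step 3 that can be run against each node's security.xml before the restarts in steps 4 and 5, so that a missed NodeDefaultSSLSettings entry is caught early. This is an added example, not IBM's tooling: the function name and the embedded sample are constructed, and it assumes the `repertoire` and `setting` elements are un-namespaced as in the excerpts above.

```python
import sys
import xml.etree.ElementTree as ET

REQUIRED = "TLSv1.2"
DEFAULT_ALIASES = {"CellDefaultSSLSettings", "NodeDefaultSSLSettings"}
XMI_ID = "{http://www.omg.org/XMI}id"  # expanded form of the xmi:id attribute

# Constructed sample (not a real security.xml): one node entry was missed,
# one has no <setting> at all, and a custom configuration is out of scope.
SAMPLE = """<security xmlns:xmi="http://www.omg.org/XMI">
  <repertoire xmi:id="SSLConfig_1" alias="CellDefaultSSLSettings">
    <setting xmi:id="SecureSocketLayer_1" sslProtocol="TLSv1.2"/>
  </repertoire>
  <repertoire xmi:id="SSLConfig_2" alias="NodeDefaultSSLSettings">
    <setting xmi:id="SecureSocketLayer_2" sslProtocol="SSL_TLS"/>
  </repertoire>
  <repertoire xmi:id="SSLConfig_3" alias="NodeDefaultSSLSettings">
  </repertoire>
  <repertoire xmi:id="SSLConfig_4" alias="CustomSettings">
    <setting xmi:id="SecureSocketLayer_4" sslProtocol="SSL_TLS"/>
  </repertoire>
</security>"""


def find_noncompliant(xml_data):
    """Return (alias, xmi:id, protocol) for default SSL configs not on TLSv1.2."""
    root = ET.fromstring(xml_data)
    problems = []
    for rep in root.iter("repertoire"):
        if rep.get("alias") not in DEFAULT_ALIASES:
            continue  # only the cell and node defaults are covered by this task
        setting = rep.find("setting")
        # A missing <setting> or sslProtocol attribute is reported as None.
        proto = setting.get("sslProtocol") if setting is not None else None
        if proto != REQUIRED:
            problems.append((rep.get("alias"), rep.get(XMI_ID), proto))
    return problems


if __name__ == "__main__":
    # Pass the path to security.xml; with no argument the constructed sample is checked.
    data = open(sys.argv[1], "rb").read() if len(sys.argv) > 1 else SAMPLE
    bad = find_noncompliant(data)
    for alias, xid, proto in bad:
        print(f"{alias} ({xid}): sslProtocol={proto!r}, expected {REQUIRED}")
    sys.exit(1 if bad else 0)
```

The script exits non-zero when any default configuration is not set to TLSv1.2, so it can gate the restart in a maintenance script.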