Configuring TLS encryption between the Community Server and the LDAP server

Configure TLS security on the connection between the IBM® Sametime® Community Server and the LDAP server.

About this task

The Sametime Community Server makes a separate connection to the LDAP server to perform each of these five tasks:

  • Authenticate users
  • Resolve a user name to a distinguished name as part of the login procedure
  • Resolve user and group names (for example, as a response to an "Add Person or Group" request from a Sametime Connect Client)
  • Browse the directory
  • Get the content of public groups

The Sametime Community Server and LDAP servers exchange directory information, including user names and passwords, over these connections. To ensure this information is secure, the administrator can use SSL to encrypt the data that passes over these connections. The administrator should consider the level of protection required before enabling SSL. Using SSL to encrypt these connections can slow the server performance. The administrator has the following options when using SSL to encrypt the data transmitted between the Sametime and LDAP servers:

  • Encrypt all data - This option encrypts all directory information (both user names and passwords) that is transmitted between the Sametime Community Server and the LDAP server. If you encrypt all data, all five connections between the Sametime Community Server and LDAP server are encrypted with SSL. This option provides the most security but also has the greatest effect on server performance.
  • Encrypt only user passwords - This option encrypts passwords but not other directory information (such as user names) passing over the connections between the Sametime Community Server and LDAP servers. If you encrypt only user passwords, only the "authenticating users" connection between the Sametime server and the LDAP server is encrypted with SSL. This option provides an intermediate level of security and has less effect on server performance than encrypting all of the data.
  • Encrypt no data - This option allows all directory information and passwords to pass unencrypted between the Sametime and LDAP servers. This option does not affect server performance and should be used only if the administrator is confident that no unauthorized user can intercept information transmitted over the connections between the Sametime and LDAP servers.

Related tasks

  • Using SSL to encrypt connections between the Sametime servlet and LDAP
  • Ensuring the Sametime Community Server trusts the LDAP server certificate

Note: If you are encrypting connections between an AIX® version of the Sametime server and an LDAP directory, xlC.aix50.rte must be 6.0.0.3 (or higher).
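To make concrete what the "Encrypt no data" option exposes on the "authenticating users" connection, the following added example (not part of the IBM documentation or the Sametime product) encodes an LDAPv3 simple BindRequest exactly as it travels on the wire without TLS, then audits a constructed capture and reports every bind whose DN and password are readable. The DN, password and captured byte stream are all constructed values.

```python
# Added example: minimal BER encoding and parsing of an LDAPv3 simple
# BindRequest (RFC 4511). Every value below is constructed for illustration.

def ber_len(n: int) -> bytes:
    """BER definite length: short form below 128, long form otherwise."""
    if n < 128:
        return bytes([n])
    body = n.to_bytes((n.bit_length() + 7) // 8, "big")
    return bytes([0x80 | len(body)]) + body

def tlv(tag: int, payload: bytes) -> bytes:
    return bytes([tag]) + ber_len(len(payload)) + payload

def build_simple_bind(message_id: int, dn: str, password: str) -> bytes:
    """LDAPMessage { messageID, BindRequest { version 3, name, simple } }."""
    assert 0 <= message_id < 128  # keeps the INTEGER encoding to one byte
    bind = tlv(0x60,                           # [APPLICATION 0] BindRequest
               tlv(0x02, bytes([3])) +         # INTEGER version 3
               tlv(0x04, dn.encode()) +        # LDAPDN as OCTET STRING
               tlv(0x80, password.encode()))   # [0] simple: password sent as-is
    return tlv(0x30, tlv(0x02, bytes([message_id])) + bind)  # SEQUENCE

def read_tlv(buf: bytes, pos: int):
    """Return (tag, value, position after the element) for the TLV at pos."""
    tag, first, pos = buf[pos], buf[pos + 1], pos + 2
    if first & 0x80:
        count = first & 0x7F
        length, pos = int.from_bytes(buf[pos:pos + count], "big"), pos + count
    else:
        length = first
    return tag, buf[pos:pos + length], pos + length

def find_cleartext_binds(stream: bytes) -> list:
    """Audit a captured LDAP byte stream: return (messageID, DN, password)
    for every simple bind that was sent without TLS; other operations are skipped."""
    found, pos = [], 0
    while pos < len(stream):
        tag, msg, pos = read_tlv(stream, pos)
        if tag != 0x30:
            break  # not an LDAPMessage SEQUENCE; stop rather than guess
        _, mid, p = read_tlv(msg, 0)
        op_tag, op, _ = read_tlv(msg, p)
        if op_tag != 0x60:
            continue  # e.g. SearchRequest (0x63) or UnbindRequest (0x42)
        _, _, p = read_tlv(op, 0)       # version
        _, dn, p = read_tlv(op, p)      # name
        auth_tag, cred, _ = read_tlv(op, p)
        if auth_tag == 0x80:            # simple authentication, no TLS underneath
            found.append((int.from_bytes(mid, "big"), dn.decode(), cred.decode()))
    return found

# Constructed capture: one simple bind followed by an UnbindRequest.
CAPTURE = (build_simple_bind(1, "cn=sametime,o=example", "s3cret")
           + tlv(0x30, tlv(0x02, bytes([2])) + tlv(0x42, b"")))
```

With either of the SSL options enabled, the same bytes are carried inside the TLS record layer and this audit finds nothing, which is the observable difference between the three options.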