Setting up TLS between the Community Server and the System Console

If the connection between the Sametime® Community Server and the Sametime System Console requires different TLS settings from the default TLS settings for server applications, you can configure new settings on the Community Server.

Before you begin

This task is only needed when you change the TLS settings for the connection between the Community Server and the System Console (instead of using the default TLS settings).

About this task

The Sametime Community Server connects to the Sametime System Console during server initialization and pulls policy settings from the System Console. This connection should be secured with TLS encryption; when you enable TLS, the connection uses the server application TLS settings by default. You only need to complete this task when the connection between the Community Server and the System Console requires different TLS settings from those defaults.

Procedure

  1. Configure the default TLS settings for server applications by completing the steps in Setting up TLS configuration.
  2. Enable TLS for the connection between the Community Server and the System Console.
    1. On the Community Server, open the console.properties file for editing.
    2. Set the SSCSSLEnabled flag to true.
    3. Save and close the console.properties file.
    Note: You do not need to register the Community Server with the System Console again because changes to the console.properties file will take effect when you restart the Community Server at the end of this task. For more information on the console.properties file, see the topic, Registering the Sametime Community Server with the Sametime System Console.
  3. Configure TLS settings for the connection between the Community Server and the System Console.
    1. On the Community Server, open the sametime.ini file for editing.
    2. Configure a separate certificate trust store for the connection between the Community Server and the System Console.

      Add the following settings to the [Config] section of the sametime.ini file:

      STSSC_TLS_TRUST_STORE_FILE=Trust store file
      STSSC_TLS_TRUST_STORE_TYPE=Trust store type
      STSSC_TLS_TRUST_STORE_PASSWORD=Trust store password
      STSSC_TLS_TRUST_STORE_PASSWORD_STASH_FILE=Trust store password stash file

      The trust store can be either a P12 file (PKCS#12), a JKS (Java™ Key Store), or a KDB (IBM key database). You can use an existing certificate store file, or create a new one. If you are creating a new certificate store, P12 (PKCS#12) is the recommended format. You can use the iKeyMan tool for creating and editing the certificate store, as explained in the topic, Using iKeyMan to manage certificates for TLS.

      The trust store type, password, and password stash file settings are optional, as explained in Setting up TLS configuration.

    3. Configure separate trusted certificate host names for establishing a TLS connection from the Community Server to the System Console.

      Add the following settings to the [Config] section of the sametime.ini file:

      STSSC_TLS_TRUSTED_HOSTS=List of trusted hosts
      STSSC_TLS_MIRROR_TRUSTED_HOSTS=true

      where:

      • STSSC_TLS_TRUSTED_HOSTS is a comma-separated list of one or more trusted hosts, to compare against the peer certificate.
      • STSSC_TLS_MIRROR_TRUSTED_HOSTS sets the trusted certificate host name to match the self certificate host name by extracting the trusted host name from the certificate in the local key store.
    4. (Optional) Configure a different TLS protocol version (or range of versions) for the connection from the Community Server to the System Console.

      By default, this connection uses the same TLS protocol version as the server applications. You can configure a different protocol version (or range of versions) by adding the following settings to the [Config] section of the sametime.ini file:

      STSSC_TLS_MIN_PROTOCOL_VERSION=oldest protocol name
      STSSC_TLS_MAX_PROTOCOL_VERSION=newest protocol name

      where:

      • STSSC_TLS_MIN_PROTOCOL_VERSION is the oldest version of the SSL/TLS protocol supported for the connection.
      • STSSC_TLS_MAX_PROTOCOL_VERSION is the newest version of the SSL/TLS protocol supported for the connection; defaults to TLS 1.2.

      You can use any of the following protocol versions:

      • SSL 3.0 - use the code 0x0300
      • TLS 1.0 - use the code 0x0301
      • TLS 1.1 - use the code 0x0302
      • TLS 1.2 - use the code 0x0303

      For example, to set the protocol version range between TLS 1.0 and TLS 1.2, inclusive, configure the settings as shown:

      STSSC_TLS_MIN_PROTOCOL_VERSION=0x0301
      STSSC_TLS_MAX_PROTOCOL_VERSION=0x0303
    5. Save and close the sametime.ini file.
  4. Restart the Community Server for the changes to take effect.
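The following script is an added example, not part of the Sametime documentation or product: it lints the STSSC_TLS_* settings from the [Config] section of sametime.ini together with the SSCSSLEnabled flag from console.properties before you restart the server, so that a missing trust store, a missing trusted-host setting, an undocumented protocol code, or an inverted minimum/maximum is caught first. Only the Python standard library is used. The file contents, paths and host name are constructed placeholders; the rule that flags a minimum of TLS 1.1 or older is general TLS hygiene and is not stated on the page.

```python
"""Added example (not Sametime's own code): lint the STSSC_TLS_* settings in
sametime.ini and the SSCSSLEnabled flag in console.properties. Standard
library only; all inputs are constructed inline so the check runs offline."""
import configparser

# Protocol codes exactly as documented for STSSC_TLS_MIN/MAX_PROTOCOL_VERSION.
PROTOCOL_CODES = {
    0x0300: "SSL 3.0",
    0x0301: "TLS 1.0",
    0x0302: "TLS 1.1",
    0x0303: "TLS 1.2",
}
DEFAULT_MAX = 0x0303   # the page states the maximum defaults to TLS 1.2
# Assumption (general TLS hygiene, not from the page): flag SSL 3.0 to TLS 1.1.
WEAK_OR_BELOW = 0x0302


def parse_ini(text):
    """Read sametime.ini text, keeping key case (configparser lowercases by default)."""
    cp = configparser.ConfigParser(interpolation=None, strict=False)
    cp.optionxform = str
    cp.read_string(text)
    return cp


def parse_properties(text):
    """Minimal Java .properties reader: key=value lines, '#'/'!' comments."""
    props = {}
    for line in text.splitlines():
        line = line.strip()
        if not line or line[0] in "#!":
            continue
        key, sep, value = line.partition("=")
        if sep:
            props[key.strip()] = value.strip()
    return props


def parse_version(value):
    """Accept 0x0301 or 0x301 (same number); return the code, or None if undocumented."""
    try:
        code = int(value.strip(), 16)
    except ValueError:
        return None
    return code if code in PROTOCOL_CODES else None


def allowed_versions(vmin, vmax):
    """Protocol names the configured [min, max] range permits, oldest first."""
    return [name for code, name in sorted(PROTOCOL_CODES.items()) if vmin <= code <= vmax]


def lint_stssc(ini_text, properties_text):
    """Return a list of findings; an empty list means the settings look consistent."""
    findings = []
    props = parse_properties(properties_text)
    if props.get("SSCSSLEnabled", "").lower() != "true":
        findings.append("console.properties: SSCSSLEnabled is not true, so the "
                        "connection to the System Console will not use TLS")
    cp = parse_ini(ini_text)
    if not cp.has_section("Config"):
        findings.append("sametime.ini: no [Config] section")
        return findings
    cfg = cp["Config"]
    if not cfg.get("STSSC_TLS_TRUST_STORE_FILE"):
        findings.append("STSSC_TLS_TRUST_STORE_FILE is not set: no separate trust "
                        "store for the System Console connection")
    hosts = [h.strip() for h in cfg.get("STSSC_TLS_TRUSTED_HOSTS", "").split(",") if h.strip()]
    mirror = cfg.get("STSSC_TLS_MIRROR_TRUSTED_HOSTS", "false").lower() == "true"
    if not hosts and not mirror:
        findings.append("no trusted host names: set STSSC_TLS_TRUSTED_HOSTS or "
                        "STSSC_TLS_MIRROR_TRUSTED_HOSTS=true")
    min_raw = cfg.get("STSSC_TLS_MIN_PROTOCOL_VERSION")
    max_raw = cfg.get("STSSC_TLS_MAX_PROTOCOL_VERSION")
    vmin = parse_version(min_raw) if min_raw else None
    vmax = parse_version(max_raw) if max_raw else DEFAULT_MAX
    if min_raw and vmin is None:
        findings.append(f"STSSC_TLS_MIN_PROTOCOL_VERSION={min_raw} is not a documented code")
    if max_raw and vmax is None:
        findings.append(f"STSSC_TLS_MAX_PROTOCOL_VERSION={max_raw} is not a documented code")
    if vmin is not None and vmax is not None:
        if vmin > vmax:
            findings.append("minimum protocol version is newer than the maximum; "
                            "no version can be negotiated")
        elif vmin <= WEAK_OR_BELOW:
            findings.append(f"range allows {', '.join(allowed_versions(vmin, vmax))}; "
                            "raise STSSC_TLS_MIN_PROTOCOL_VERSION to 0x0303 (TLS 1.2)")
    return findings


# Constructed sample files: paths and host name are placeholders, not real values.
HARDENED_INI = """[Config]
STSSC_TLS_TRUST_STORE_FILE=/opt/sametime/ssc-trust.p12
STSSC_TLS_TRUST_STORE_PASSWORD_STASH_FILE=/opt/sametime/ssc-trust.sth
STSSC_TLS_TRUSTED_HOSTS=ssc.example.com
STSSC_TLS_MIN_PROTOCOL_VERSION=0x0303
STSSC_TLS_MAX_PROTOCOL_VERSION=0x0303
"""
HARDENED_PROPS = "SSCSSLEnabled=true\n"

# The page's own TLS 1.0 to 1.2 range, with no trust store and TLS left disabled.
LAX_INI = """[Config]
STSSC_TLS_MIRROR_TRUSTED_HOSTS=true
STSSC_TLS_MIN_PROTOCOL_VERSION=0x301
STSSC_TLS_MAX_PROTOCOL_VERSION=0x303
"""
LAX_PROPS = "# console.properties (constructed)\nSSCSSLEnabled=false\n"

if __name__ == "__main__":
    for label, ini, props in (("hardened", HARDENED_INI, HARDENED_PROPS),
                              ("lax", LAX_INI, LAX_PROPS)):
        print(label, lint_stssc(ini, props) or ["no findings"])
```

Run it against the real files by reading their text into lint_stssc; the hardened sample produces no findings, while the lax sample reports the disabled SSCSSLEnabled flag, the missing trust store, and the TLS 1.0 to 1.2 range. The stash-file versus plaintext-password choice is not checked because the page leaves both optional.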