Securing the Sametime Proxy Server

About this task

Replacing the self-signed certificate with a third party certificate

A third party certificate is recommended for deployments that include mobile devices.

Follow the steps in the knowledge article: How to create a new Java Keystore with a Third Party certificate for Sametime Proxy 11.

Changing the default HTTP/S ports

The Sametime 11 Proxy server default ports are 8080 (HTTP, non-secure) and 8443 (HTTPS, secure).

To change the ports to 80 and 443, use this procedure.

  1. In the folder where you unzipped the Sametime Proxy application, open the conf subfolder and locate the "server.xml" file.
  2. Open the file using a text or XML editor.
  3. Locate the two settings below:

    <Connector port="8080" protocol="HTTP/1.1" connectionTimeout="20000" redirectPort="8443"/>

    <Connector protocol="org.apache.coyote.http11.Http11NioProtocol" port="8443" maxThreads="200" scheme="https" secure="true" SSLEnabled="true" keystoreFile="conf/stproxy.keystore" keystorePass="sametime" clientAuth="false" sslProtocol="TLS"/>

  4. Update the "port" values to 80 and 443:

    <Connector port="80" protocol="HTTP/1.1" connectionTimeout="20000" redirectPort="443"/>

    <Connector protocol="org.apache.coyote.http11.Http11NioProtocol" port="443" maxThreads="200" scheme="https" secure="true" SSLEnabled="true" keystoreFile="conf/stproxy.keystore" keystorePass="sametime" clientAuth="false" sslProtocol="TLS"/>

  5. Save the file, restart the Sametime Proxy server, and validate that the new ports are in use.

Disabling Early TLS

  1. In the folder where you unzipped the Sametime Proxy application, open the conf subfolder and locate the "server.xml" file.
  2. Open the file using a text or XML editor.
  3. Change sslProtocol="TLS" to sslProtocol="TLSv1.2":

    <Connector protocol="org.apache.coyote.http11.Http11NioProtocol" port="8443" maxThreads="200" scheme="https" secure="true" SSLEnabled="true" keystoreFile="conf/stproxy.keystore" keystorePass="sametime" clientAuth="false" sslProtocol="TLS"/>

    Modify to

    <Connector protocol="org.apache.coyote.http11.Http11NioProtocol" port="8443" maxThreads="200" scheme="https" secure="true" SSLEnabled="true" keystoreFile="conf/stproxy.keystore" keystorePass="sametime" clientAuth="false" sslProtocol="TLSv1.2"/>
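As an added example (not part of the Sametime documentation), the Python check below parses a server.xml, reports an HTTPS connector still set to the generic sslProtocol="TLS", and verifies that the port change above is consistent (the HTTP connector's redirectPort must point at the HTTPS connector's port). The sample XML is constructed from this page's snippets; the surrounding Server/Service wrapper is assumed, since the real file carries more elements.

```python
"""Audit the Connector elements of a Sametime Proxy server.xml (Tomcat format).

Checks the settings this page edits: the HTTP/HTTPS port pair, that the HTTP
connector's redirectPort points at the HTTPS connector, and sslProtocol.
"""
import xml.etree.ElementTree as ET

# Constructed sample in the shape of the page's server.xml snippets, wrapped in a
# minimal Server/Service root so it parses (the real file carries more elements).
SAMPLE_DEFAULT = """<Server><Service name="Catalina">
<Connector port="8080" protocol="HTTP/1.1" connectionTimeout="20000" redirectPort="8443"/>
<Connector protocol="org.apache.coyote.http11.Http11NioProtocol" port="8443" maxThreads="200"
  scheme="https" secure="true" SSLEnabled="true" keystoreFile="conf/stproxy.keystore"
  keystorePass="sametime" clientAuth="false" sslProtocol="TLS"/>
</Service></Server>"""


def audit_connectors(xml_text, expected_ports=None):
    """Return a list of finding strings; an empty list means every check passed.

    expected_ports: optional (http_port, https_port) pair such as ("80", "443"),
    used to confirm that the port change in the procedure above took effect.
    """
    root = ET.fromstring(xml_text)
    https = [c for c in root.iter("Connector") if c.get("SSLEnabled", "false").lower() == "true"]
    plain = [c for c in root.iter("Connector") if c.get("SSLEnabled", "false").lower() != "true"]
    https_ports = {c.get("port") for c in https}
    findings = []
    for c in https:
        # Tomcat treats a missing sslProtocol as the generic "TLS"; that value
        # does not exclude the early TLS versions, which is what this page disables.
        if c.get("sslProtocol", "TLS") == "TLS":
            findings.append(f'HTTPS connector {c.get("port")}: sslProtocol="TLS"; set sslProtocol="TLSv1.2"')
    for c in plain:
        rp = c.get("redirectPort")
        if rp not in https_ports:  # a stale redirectPort breaks the HTTP -> HTTPS redirect
            findings.append(f'HTTP connector {c.get("port")}: redirectPort={rp} matches no HTTPS connector')
    if expected_ports:
        want_http, want_https = expected_ports
        plain_ports = {c.get("port") for c in plain}
        if want_http not in plain_ports:
            findings.append(f"no HTTP connector on port {want_http} (found {sorted(plain_ports)})")
        if want_https not in https_ports:
            findings.append(f"no HTTPS connector on port {want_https} (found {sorted(https_ports)})")
    return findings


if __name__ == "__main__":
    for line in audit_connectors(SAMPLE_DEFAULT, ("80", "443")) or ["all checks passed"]:
        print(line)
```

To run it against a real deployment, pass the contents of conf/server.xml to audit_connectors instead of the constructed sample.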