Securing connections between Sametime Community and Sametime clients

Before you begin

You must configure the sametime.ini settings by completing one of these topics:

About this task

Sametime provides several connection methods for users to connect to the Community Server. Use these steps to encrypt connections between the desktop clients and the Community server using TLS.

When forcing the use of TLS, the clients must have the Connection option “Direct connection using TLS” enabled. This setting is under Preferences > Server Communities > Global Connection Settings. Client preferences can be pushed from the server using Managed Settings.

When you enable TLS for the Community server connections, TLS version 1.2 is used by default.

Modify the stconfig.nsf to configure encryption settings:

Sametime can be configured to allow legacy encryption alongside TLS encryption (both enabled), or strict TLS, where only TLS-encrypted connections are accepted. This is handled in the stconfig.nsf CommunityServices document. The Sametime Mux can listen for both TLS and legacy encrypted connections on the same port number, so there is no need for a unique port for the TLS-encrypted connections; they can also use port 1533. The port number can be changed if desired.

  1. Use an HCL Notes or Administration client.
  2. Click on Open > Application > Open an Application.
  3. In the server name field enter the name of the Sametime Server.
  4. In the file name field, enter “stconfig.nsf”.
  5. Click Open.
  6. Double click on the CommunityConnectivity document to open it, then double-click inside the document to place it in edit mode.
  7. Follow these instructions to allow both legacy connections and TLS connections:

    1. In the VPMX_PORT field enter 1533.
    2. In the VPMX_HOSTNAME field enter the fully qualified hostname of the server.
    3. In the VPMX_TLS_PORT field, enter 1533.
    4. In the VPMX_TLS_HOST field, enter the fully qualified hostname of the server.
    5. Click File > Save to save the settings.
  8. Follow these instructions to enforce strict TLS connections only:

    1. Clear both the VPMX_PORT and VPMX_HOST fields (leave them empty).
    2. In the VPMX_TLS_PORT field, enter 1533.
    3. In the VPMX_TLS_HOST field, enter the fully qualified hostname of the server.
    4. Click File > Save to save the settings.
  9. Restart the server for these settings to take effect.
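
A small check for the CommunityConnectivity settings above, added here as an example and not part of HCL's documentation or product code. It classifies a document's field values as strict TLS, legacy plus TLS, legacy only, or misconfigured (a port without a host or vice versa), and can optionally open a TLS connection to the Mux port to report the negotiated protocol version, which this page says should be TLS 1.2. Field names follow step 8; the step 7 spelling VPMX_HOSTNAME is accepted as an alias, and the hostname st.example.com is a constructed sample value.

```python
"""Check Sametime Mux TLS configuration (added example, not HCL code)."""
import socket
import ssl


def _get(fields: dict, *names: str) -> str:
    """Return the first non-blank value among alias field names, else ''."""
    for name in names:
        value = (fields.get(name) or "").strip()
        if value:
            return value
    return ""


def classify_mux_config(fields: dict) -> str:
    """Classify a CommunityConnectivity document as one of
    'strict-tls', 'legacy-and-tls', 'legacy-only' or 'invalid'.
    Blank values mean the field was left empty as in step 8 above."""
    legacy = [_get(fields, "VPMX_PORT"), _get(fields, "VPMX_HOST", "VPMX_HOSTNAME")]
    tls = [_get(fields, "VPMX_TLS_PORT"), _get(fields, "VPMX_TLS_HOST")]
    legacy_set, tls_set = all(legacy), all(tls)
    # A half-filled pair (port without host, or host without port) is a misconfiguration.
    if any(legacy) != legacy_set or any(tls) != tls_set:
        return "invalid"
    if tls_set and not legacy_set:
        return "strict-tls"
    if tls_set and legacy_set:
        return "legacy-and-tls"
    if legacy_set:
        return "legacy-only"
    return "invalid"


def negotiated_tls_version(host: str, port: int = 1533, timeout: float = 5.0) -> str:
    """Connect to the Mux port with TLS and return the negotiated protocol
    (expected 'TLSv1.2' per this page). The system CA store is used, so a
    certificate or handshake failure raises rather than silently passing."""
    ctx = ssl.create_default_context()
    ctx.minimum_version = ssl.TLSVersion.TLSv1_2
    with socket.create_connection((host, port), timeout=timeout) as raw:
        with ctx.wrap_socket(raw, server_hostname=host) as tls_sock:
            return tls_sock.version()


if __name__ == "__main__":
    import sys
    # Constructed sample of the strict-TLS document from step 8 (hostname is made up).
    strict = {"VPMX_PORT": "", "VPMX_HOST": "", "VPMX_TLS_PORT": "1533",
              "VPMX_TLS_HOST": "st.example.com"}
    print("mode:", classify_mux_config(strict))
    if len(sys.argv) > 1:  # pass a real server hostname to test the live handshake
        print("negotiated:", negotiated_tls_version(sys.argv[1]))
```

Run it with the Sametime server's fully qualified hostname as the first argument to confirm the live handshake after the restart in step 9.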

Required Client Setting to support Direct Connection with TLS

After securing the Mux port, the client connection preference (on the Connection tab) must be changed to “Direct connection with TLS”.

There are three methods to set the client connection preference. The setting can be pushed to users in the managed-community-configs.xml file, which may be a good option for clients that are already deployed and in use.

Another method is to use the plugin_customization.ini file which can be configured and included with the installation package.

These are the manual steps for the client:
  1. From the Sametime Connect Client, click File > Preferences.
  2. Do one of the following:
    • To select this connection method for all server communities, click Server Communities. In the "Global connection settings" section, click Direct connection using TLS and click OK.
    • To select this connection method for only one server community, click Server Communities, select the server community name, and open the Connection tab. Uncheck Use global connection settings, then click Direct connection using TLS and click OK. Click OK to close the Preferences window.