Securing connections between the Sametime mux and the Connect and Embedded clients

There are several connection methods to connect to the Sametime server. This topic includes the steps to encrypt connections between the clients and the Sametime mux using TLS.

Before you begin

To use TLS, the clients must have the Direct connection using TLS option enabled. This setting is under Preferences > Server Communities > Global Connection Settings.

About this task

There are three methods to set the client connection preferences.
  • Push the setting to users in the managed-community-configs.xml file, which is a good option for clients that are already deployed and in use.
  • Use the plugin_customization.ini file which can be configured and included with the installation package.
  • Manually configure the settings.

For additional information, see Updating connectivity settings with the managed-community-configs.xml file.

When you enable TLS for the Sametime server connections, TLS version 1.2 is used by default. SSLv3 and TLSv1 have security vulnerabilities and should not be used.

To configure the connection between the Sametime server and clients, there are two tasks that must be completed:
  • Configure the encryption settings.
  • Configure the client settings to support a direct connection with TLS.

Sametime can be configured to allow legacy encryption along with TLS encryption (both enabled), or strict TLS where only TLS encrypted connections are allowed. The Sametime Mux can listen for both TLS and legacy encrypted connections on the same port number, so a separate port for TLS encrypted connections is not required: they can also use port 1533. The port number can be changed if desired.
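Because the mux accepts TLS and legacy connections on the same port, the only way to know which policy is actually in force is to probe it. The following script is an added example, not HCL's code, and is not part of this topic: it opens a TLS 1.2-or-newer connection to a mux host and reports the negotiated version, then confirms that the mux refuses a handshake pinned to TLSv1 or TLSv1.1, which is what strict TLS should look like from a client's point of view. It assumes the mux performs the TLS handshake immediately on connect (the "Direct connection using TLS" path), and the host name `mux.example.com` is a placeholder. SSLv3 is not probed because most OpenSSL builds no longer offer it.

```python
import socket
import ssl

# Default mux port from the topic; change it if the mux was moved.
SAMETIME_MUX_PORT = 1533

# Versions the topic calls out as vulnerable; the mux should refuse these.
LEGACY_VERSIONS = (ssl.TLSVersion.TLSv1, ssl.TLSVersion.TLSv1_1)


def strict_client_context(ca_file=None):
    """Client context that refuses anything older than TLS 1.2.

    ca_file: optional PEM bundle containing the CA that signed the mux certificate.
    """
    ctx = ssl.create_default_context(cafile=ca_file)
    ctx.minimum_version = ssl.TLSVersion.TLSv1_2
    return ctx


def legacy_probe_context(version):
    """Context pinned to one legacy version, used only to confirm the mux rejects it.

    Certificate checks are disabled here because the probe never sends data; it
    only records whether the handshake itself is refused.
    """
    ctx = ssl.SSLContext(ssl.PROTOCOL_TLS_CLIENT)
    ctx.check_hostname = False
    ctx.verify_mode = ssl.CERT_NONE
    ctx.minimum_version = version
    ctx.maximum_version = version
    return ctx


def version_acceptable(name):
    """True for protocol strings ssl reports as TLS 1.2 or newer."""
    return name in ("TLSv1.2", "TLSv1.3")


def negotiated_version(host, port=SAMETIME_MUX_PORT, ctx=None, timeout=5.0):
    """Connect with a strict context and return the negotiated protocol string."""
    ctx = ctx or strict_client_context()
    with socket.create_connection((host, port), timeout=timeout) as raw:
        with ctx.wrap_socket(raw, server_hostname=host) as tls:
            return tls.version()


def legacy_refused(host, version, port=SAMETIME_MUX_PORT, timeout=5.0):
    """True if the mux refuses `version`, False if it accepts it, None if the
    local OpenSSL cannot even offer that version (so nothing was tested)."""
    try:
        ctx = legacy_probe_context(version)
    except ValueError:
        return None
    # TCP-level failures propagate: an unreachable host is not a TLS refusal.
    raw = socket.create_connection((host, port), timeout=timeout)
    try:
        with ctx.wrap_socket(raw, server_hostname=host) as tls:
            tls.version()
        return False
    except ssl.SSLError:
        return True          # handshake failure or protocol-version alert
    except OSError:
        return True          # mux closed the socket without an alert
    finally:
        raw.close()


def check_mux(host, port=SAMETIME_MUX_PORT, ca_file=None):
    """Summarise the mux TLS policy as a dict a monitoring job can consume."""
    current = negotiated_version(host, port, strict_client_context(ca_file))
    report = {"negotiated": current, "modern_ok": version_acceptable(current)}
    for version in LEGACY_VERSIONS:
        report[version.name + "_refused"] = legacy_refused(host, version, port)
    return report


if __name__ == "__main__":
    import json
    # Placeholder host name; replace with your mux.
    print(json.dumps(check_mux("mux.example.com"), indent=2))
```

A healthy strict-TLS mux reports `negotiated` as `TLSv1.2` or `TLSv1.3` and `True` for every `*_refused` key. A `False` there means the mux still completed a TLSv1 or TLSv1.1 handshake, so the version policy is not what the topic describes and should be corrected before clients are pushed the TLS setting. Run the check from the same network segment as the clients so proxies or load balancers in the path are included.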

For details on configuring the encryption settings, refer to the following topics.

Procedure

  1. In the HCL Notes client, select File > Preferences > Sametime > Server Communities. The Server Communities window lists the server communities defined for the client.

    • To select this connection method for all server communities, click Server Communities. In the Global connection settings section, click Direct connection using TLS > OK.
    • To select this connection method for only one server community, click Server Communities, select the server community name, and open the Connection tab. Disable the Use global connection setting, then click Direct connection using TLS. Click OK to close the Preferences window.