Home
HCL Sametime® Administration Guide 12.0.1
Securing
This section provides information on securing your HCL Sametime environments.
Securing connections
The various connections to Sametime can be secured using TLS.
Securing connections between the Sametime mux and the Connect and Embedded clients
There are several connection methods to connect to the Sametime server. This topic includes the steps to encrypt connections between the clients and the Sametime mux using TLS.
Creating a keystore for Sametime mux
A keystore consists of a private key and a certificate. Sametime supports both a third-party certificate, signed by a Certification Authority (CA), or a self-signed certificate. Request a certificate and private key from your CA for the hostname used by the Sametime mux. This is the microservice that listens on port 1533 for requests from the Sametime Connect clients (installed clients on desktop). In Kubernetes, the mux is either a Kubernetes service (for example, a load balancer type service) or a Kubernetes ingress service for on-premise Kubernetes. For Docker deployments, the mux listens on port 1533 and does not require any additional service.
Creating a keystore for Sametime mux: self-signed certificate

HCL Sametime® Administration Guide 12.0.1
- Accessibility features for Sametime
  Accessibility features help users who have a disability, such as restricted mobility or limited vision, use information technology products successfully. HCL® strives to provide products with usable access for everyone.
- What's new
  HCL Sametime and HCL Sametime Premium 12.0.1 provide many new features, enhancements and fixes to servers and clients. Additional releases to version 12.0.1 also provides updates to the product.
- Planning
  This section describes the system requirements and server configurations needed for HCL Sametime and HCL Sametime Premium.
- Installing
  This section provides information on installing the servers for Sametime and Sametime Premium.
- Configuring
  This section provides information on configuring the HCL Sametime server. Configuration tasks are dependent on the deployment environment.
- Securing
  This section provides information on securing your HCL Sametime environments.
  - Encryption usage in Sametime
    HCL Sametime uses several types of encryption to protect data.
  - Securing connections
    The various connections to Sametime can be secured using TLS.
    - Obtaining the cert.key and cert.crt files for Sametime
    - Creating a truststore with a third-party certificate
      When creating a connection between the Sametime server and a service using TLS, a truststore is needed. The truststore is used to store certificates for Sametime.
    - Implementing the Global TLS Scope for Docker
    - Securing connections between the Sametime mux and the Connect and Embedded clients
      There are several connection methods to connect to the Sametime server. This topic includes the steps to encrypt connections between the clients and the Sametime mux using TLS.
      - Creating a keystore for Sametime mux
        A keystore consists of a private key and a certificate. Sametime supports both a third-party certificate, signed by a Certification Authority (CA), or a self-signed certificate. Request a certificate and private key from your CA for the hostname used by the Sametime mux. This is the microservice that listens on port 1533 for requests from the Sametime Connect clients (installed clients on desktop). In Kubernetes, the mux is either a Kubernetes service (for example, a load balancer type service) or a Kubernetes ingress service for on-premise Kubernetes. For Docker deployments, the mux listens on port 1533 and does not require any additional service.
        Creating a keystore for Sametime mux: third-party CA
        Creating a keystore for Sametime mux: self-signed certificate
      - Configuring TLS for Sametime mux on Kubernetes
      - Configuring the encryption settings on Docker and Podman
    - Securing connections between Sametime servers and LDAP
      When Sametime is configured to connect to an LDAP server, the Sametime servers makes five separate connections to the LDAP server.
  - Enabling Single Sign-on
    The HCL Sametime server installer enables required JSON Web Token (JWT) authentication. Additionally, the Sametime server supports Security Assertion Markup Language (SAML) and Lightweight Third Party Authentication (LTPA) Single Sign-on (SSO).
  - Setting up TLS for the Mongo database
    You can update the MongoDB connection with the Sametime server to encrypt data flowing between the Sametime server and a TLS-enabled MongoDB. This step is optional but is recommended for multi-Kubernetes-cluster deployments.
  - Replacing the TLS certificates for Web Chat and Meetings
    The Sametime server is pre-configured with a self-signed certificate. You can replace the self-signed certificate with a third party certificate.
  - Applying Let's Encrypt certificates
    This topic describes how to replace the self-signed certificate with a third-party certificate.
- Administering
  This section provides information on administering on Sametime environments.
- Troubleshooting
  This section provides information on troubleshooting and supporting Sametime environments.
- Uninstalling Sametime
  In the event that Sametime must be removed, follow the procedure for the platform that Sametime is installed on.
- Migrating and Upgrading
  This section provides information on migrating data from an earlier release to Sametime 12.
- Notices

Creating a keystore for Sametime mux: self-signed certificate

Procedure

Run the following command to create a private key.
```
openssl genrsa -des3 -out server.key 2048
```
The key length can be modified to meet your requirements. The longer the key length, the more secure it is.
Note: The command prompts for a password. Record this password in a secure place for future reference.
Create a certificate signing request, which in this case, is signed by the self-signed CA. Run the command to create the self-signed x509 certificate.
```
openssl req -new -key server.key -out server.csr
```
When you run the command, you must provide the following:
- Country Name: Enter a two-letter country code
- State or Province Name: Enter the state or province
- Locality name: Enter the city name
- Organization Name: Enter the name of your organization or company
- Common Name: Enter the fully qualified domain name to be used by clients to connect to Sametime mux. For example, chat.example.com
- Email Address: Enter an email address
Run the command to create the self-signed x509 certificate.
```
openssl x509 -req -days 365 -in server.csr -signkey server.key -out server.crt
```
In the above command, the days parameter is 365 and can be modified.

Create the keystore.

openssl pkcs12 -export -in server.crt -inkey server.key -name ‘mux’ -out keystore.p12

The sample command makes use of the following naming conventions.

server.crt: Signed certificate filename
server.key: Private key filename
‘mux’: Alias name (how it appears in the keystore)
keystore.p12: The resulting keystore file name

What to do next

After the keystore is created, do the following:

Move the .KEY, .CRT, and .PEM files to a secure location and remove them from the machine.
Record the keystore password that is used in another step.

Rate this topic

5 stars 4 stars 3 stars 2 stars 1 star

Comment on this topic.

By clicking this box, you acknowledge that you are NOT a U.S. Federal Government employee or agency, nor are you submitting information with respect to or on behalf of one. HCL provides software and services to U.S. Federal Government customers through its partners immixGroup, Inc. Contact this team at https://hcltechsw.com/resources/us-government-contact. Do not include any personal data in this Comment box. Note: To report a problem or question about the product software, do not use this form. Instead, go to the HCL Software Support site.