Enabling token authentication on the TURN server

Increase the security of the IBM® Sametime® TURN Server by enabling authentication validation on the Sametime TURN Server and enforcing authentication for web and IBM Sametime Connect TURN clients. With token authentication enabled, a client presents a token generated from the shared secret key in its STUN BIND and STUN ALLOCATE messages, and the TURN Server validates that token before it serves the request. If the token is invalid, the TURN Server returns an error response.

About this task

Complete this procedure to enable token authentication on the IBM Sametime TURN Server. If the deployment is accessed by Sametime 8.5.2 IFR1 clients, leave TURN Server authentication disabled.

Procedure

  1. On the Deployment Manager for the Media Manager, update the stavconfig.xml file for the Conference Manager nodes by completing these steps:
    1. Open the stavconfig.xml file for editing.
    2. Set the value of the TURNTokenAuthEnabled configuration entry to true.

      For example,

      <configuration lastUpdated="1226425838277" name="TURNTokenAuthEnabled" value="true"/>

    3. Save and close the file.
    4. Make sure these settings are consistent across all nodes by completing these steps:
      1. If there is one Conference Manager, restart it now. If you deployed a cluster of Conference Managers, synchronize all nodes in the cluster by completing these steps:
        1. In the Deployment Manager's Integrated Solutions Console, click System Administration > Nodes.
        2. In the nodes table, select all nodes in the cluster.
        3. Click Full Resynchronize.
  2. From the SIP Proxy/Registrar, copy these files to the TURN server, overwriting the existing files:
    • secret key file -- The full path of the secret key file is given by the SecretKeyPathForTurnAuthToken tag in the stavconfig.xml file of the media server. For example,

      C:\IBM\WebSphere\AppServer\profiles\wplccdlvmSTMSPNProfile1\properties\anonTokenSecret.txt

    • sharedEncKey1.txt -- The shared secret encryption key file is located in the media server profile's properties directory. For example, in

      C:\IBM\WebSphere\AppServer\profiles\wplccdlvmSTMSPNProfile1\properties\sharedEncKey1.txt

    • sharedEncKey2.txt -- The shared secret encryption key file is located in the media server profile's etc directory. For example, in

      C:\IBM\WebSphere\AppServer\profiles\wplccdlvmSTMSPNProfile1\etc\sharedEncKey2.txt

  3. Update the TURN Server logging settings by completing these steps:
    1. On the TURN Server, navigate to the directory where the TURN Server files were installed (for example, C:\TURN).
    2. Open the logging.properties file for editing.
    3. Add these settings:

      com.ibm.stun.level=FINER

      com.ibm.turn.server.level=FINER

    4. Save and close the file.
  4. Edit the TurnServer.properties file by completing these steps:
    1. On the computer hosting the TURN Server, locate the TurnServer.properties file and open it for editing.
    2. Enable token authentication for allocation requests on the TURN server by adding this setting to the TurnServer.properties file:

      turn.auth.token.required=true

    3. Enable token authentication for the initial binding request on the TURN server by adding this setting to the TurnServer.properties file:

      turn.auth.binding.token.required=true

    4. Add the following lines at the end of the TurnServer.properties file:
      #Making turn server version key configurable
      ################################################################
      turn.version.key=Samtime9.0
      ################################################################
      #secret key file path
      ################################################################
      turn.auth.shared.secret.path=anonTokenSecret.txt
      ################################################################
      #Encryption key1 path for Turn server
      ################################################################
      turn.auth.shared.secret.enc1.path=sharedEncKey1.txt
      ################################################################
      #Encryption key2 path for Turn server
      ################################################################
      turn.auth.shared.secret.enc2.path=sharedEncKey2.txt
  5. Save and close the properties file.
  6. Confirm that the three secret key files copied in step 2 (anonTokenSecret.txt, sharedEncKey1.txt and sharedEncKey2.txt) are stored at the root of the TURN Server installation directory (for example, C:\TURN), because the turn.auth.shared.secret.*.path settings above name them without a directory.
  7. Stop and restart the Sametime TURN Server. For instructions, see Starting and stopping a Sametime TURN Server.
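The following script is an added post-procedure check, not part of the IBM documentation or product: it reads a TurnServer.properties file, confirms that both turn.auth.token.required and turn.auth.binding.token.required are true, resolves the three secret file paths relative to the TURN Server directory, confirms each file exists and is non-empty, compares each one by SHA-256 against the copy taken from the SIP Proxy/Registrar in step 2, and checks that stavconfig.xml carries TURNTokenAuthEnabled="true". It assumes that TurnServer.properties uses plain Java .properties syntax, that the secret paths are relative to the TURN install directory, and that stavconfig.xml contains <configuration name="..." value="..."/> elements; the enclosing root element name and every sample file it writes are constructed for the demonstration.

```python
"""Post-procedure check for TURN token authentication (added example, not IBM code).

Assumptions (not stated by the IBM page):
  * TurnServer.properties is plain Java .properties syntax (key=value, '#' comments).
  * The three secret-file paths in it are relative to the TURN install directory.
  * stavconfig.xml holds <configuration name="..." value="..."/> elements; the
    root element name used in demo() is constructed, as are all sample files.
"""
import hashlib
import tempfile
import xml.etree.ElementTree as ET
from pathlib import Path

REQUIRED_TRUE = ("turn.auth.token.required", "turn.auth.binding.token.required")
SECRET_KEYS = ("turn.auth.shared.secret.path",
               "turn.auth.shared.secret.enc1.path",
               "turn.auth.shared.secret.enc2.path")


def parse_properties(text):
    """Minimal .properties parser: skip blanks and comments, split on the first '='."""
    props = {}
    for raw in text.splitlines():
        line = raw.strip()
        if not line or line[0] in "#!":
            continue
        key, sep, value = line.partition("=")
        if sep:
            props[key.strip()] = value.strip()
    return props


def sha256_file(path):
    return hashlib.sha256(Path(path).read_bytes()).hexdigest()


def stavconfig_token_auth_enabled(stavconfig_path):
    """True only if a <configuration name="TURNTokenAuthEnabled" value="true"/> exists."""
    for el in ET.parse(stavconfig_path).getroot().iter("configuration"):
        if el.get("name") == "TURNTokenAuthEnabled":
            return el.get("value", "").strip().lower() == "true"
    return False


def check_turn_server(turn_dir, master_secrets):
    """Return a list of problems; an empty list means the TURN side matches the procedure.

    master_secrets maps a secret file name to the authoritative copy taken from the
    SIP Proxy/Registrar (step 2), so a stale or partially copied key is detected.
    """
    turn_dir = Path(turn_dir)
    problems = []
    props = parse_properties((turn_dir / "TurnServer.properties").read_text())
    for key in REQUIRED_TRUE:
        if props.get(key, "").lower() != "true":
            problems.append(f"{key} is not true (got {props.get(key)!r})")
    for key in SECRET_KEYS:
        name = props.get(key)
        if not name:
            problems.append(f"{key} is missing")
            continue
        path = turn_dir / name            # step 6: secret files sit at the TURN root
        if not path.is_file() or path.stat().st_size == 0:
            problems.append(f"{name} is missing or empty at {path}")
            continue
        master = master_secrets.get(name)
        if master and sha256_file(master) != sha256_file(path):
            problems.append(f"{name} differs from the copy on the SIP Proxy/Registrar")
    return problems


GOOD_PROPS = """\
turn.auth.token.required=true
turn.auth.binding.token.required=true
turn.auth.shared.secret.path=anonTokenSecret.txt
turn.auth.shared.secret.enc1.path=sharedEncKey1.txt
turn.auth.shared.secret.enc2.path=sharedEncKey2.txt
"""


def demo():
    """Build a constructed layout, then check a correct and a weak configuration."""
    root = Path(tempfile.mkdtemp())
    master, turn = root / "master", root / "TURN"
    master.mkdir()
    turn.mkdir()
    masters = {}
    for name in ("anonTokenSecret.txt", "sharedEncKey1.txt", "sharedEncKey2.txt"):
        data = f"constructed contents of {name}\n".encode()
        (master / name).write_bytes(data)
        (turn / name).write_bytes(data)      # step 2: copied to the TURN server
        masters[name] = master / name
    stav = root / "stavconfig.xml"
    stav.write_text('<stavconfig><configuration lastUpdated="1226425838277" '
                    'name="TURNTokenAuthEnabled" value="true"/></stavconfig>')
    (turn / "TurnServer.properties").write_text(GOOD_PROPS)
    good = check_turn_server(turn, masters)
    # Weak variant: binding requests left unauthenticated and a stale sharedEncKey2.txt.
    weak = GOOD_PROPS.replace("binding.token.required=true", "binding.token.required=false")
    (turn / "TurnServer.properties").write_text(weak)
    (turn / "sharedEncKey2.txt").write_bytes(b"stale key from an earlier copy\n")
    bad = check_turn_server(turn, masters)
    return stavconfig_token_auth_enabled(stav), good, bad


if __name__ == "__main__":
    enabled, good, bad = demo()
    print("stavconfig TURNTokenAuthEnabled:", enabled)
    print("correct config problems:", good)
    print("weak config problems:", bad)
```

Run it on a real deployment by pointing check_turn_server at the TURN install directory (for example, C:\TURN) and at the three files on the SIP Proxy/Registrar; the hash comparison catches the common mistake of copying only one of the key files or leaving an older copy in place, which the TURN Server would otherwise only reveal as rejected tokens in its FINER-level log.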