Installing the FIPS Server

IBM® Sametime® supports the U.S. government-defined security requirements for cryptographic modules known as FIPS 140-2 (Federal Information Processing Standard 140-2). Installing the FIPS Server is only necessary if your Sametime deployment must be FIPS-compliant; otherwise, it is optional.

Before you begin

You should have already installed the IBM Sametime System Console and the Sametime Proxy Server. If you want to administer the FIPS Server from the Sametime System Console, you should have already installed the FIPS administration portlet.

About this task

The FIPS administration portlet can connect to the FIPS Server only if the server is installed on the Sametime Proxy Server. You cannot have multiple FIPS Servers running on the same computer.
Note: Currently, you cannot administer the per-node configuration or vertical clustering of FIPS on the Sametime System Console. The administrative portlet only administers and therefore shows registered cell deployments or horizontal cluster deployments. It will not show individual primary or secondary nodes of the cluster.

Procedure

  1. On the server where you will install the FIPS server, enable FIPS on the WebSphere® Application Server by following the procedure in Configuring Federal Information Processing Standard Java™ Secure Socket Extension files.
  2. Copy sametimefipsproxy.war from setup\STIPLaunchpad\disk1\FIPSProxy on the image disk to your local drive.
  3. Log in to the Integrated Solutions Console on the computer where you are installing the FIPS Server.
  4. Click Applications > Application Types > WebSphere Enterprise Applications.
  5. On the Enterprise Applications page, click Install.
  6. In the Path to the new application section, browse to the sametimefipsproxy.war file. Keep the default settings to install the server, and then click Next.
  7. Enter the context root that you want for the FIPS Server, for example, /fipsProxy.
  8. Click Finish and save the configuration.
  9. Restart the Sametime Proxy Server to automatically start the FIPS Server.
  10. Log in to the Integrated Solutions Console.
  11. Click Sametime System Console > Sametime Servers > FIPS Proxy Servers.
    You can only edit data for FIPS if the FIPS WAR file is running on the installed server. Make sure that your FIPS Server is running before you try to administer it.

  12. Click the FIPS Server that you installed.
  13. Enter a fully qualified inbound host name and port and an outbound host name and port to which FIPS connects.

    If you are using the FIPS administration portlet, also replace the serverAddress entries with the host name of the Sametime Community Server that is connected to the Sametime Proxy Server. Click OK.

  14. Restart the Sametime Proxy Server again to automatically start the FIPS Server.
  15. In a text editor, open the sametimeProxy.xml file. This file defines the port routing so that TLS connections can use the proxy to reach the Sametime server.

    The file is located in the \WebSphere\AppServer\profiles\profile_name\installedApps\cell_name\sametimefipsproxy_war.ear\sametimefipsproxy.war directory.

  16. If you are using the FIPS administration portlet, skip to the next step.

    If you are not using the FIPS administration portlet, edit the SametimeProxyChannel properties in the sametimeProxy.xml file. Replace the serverAddress entries with entries for the Sametime Community Server that is connected to the Sametime Proxy Server.

    In the following entries, replace "temp.sametimeserver.com" with your Sametime server name, for example, "yourserver.yourdomain.com".

    <channel name="SametimeProxyChannel" factory="com.ibm.sametime.proxy.channel.impl.SametimeProxyChannelFactory" sequence="2" weight="1">
    ...
    <property name="serverAddress1" value="temp.sametimeserver.com:8081" />
    <property name="clientAddress2" value="*:1533" />
    <property name="serverAddress2" value="temp.sametimeserver.com:1533" />
    <property name="clientAddress3" value="*:554" />
    <property name="serverAddress3" value="temp.sametimeserver.com:554" />
    ...
    </channel>
  17. Edit the TLSInboundChannel properties in the sametimeProxy.xml file:
    • For the com.ibm.ssl.keyStore property, replace the wccmDefault value of DummyServerKeyFile.jks with the actual keyFileName and location of the keystore on this WebSphere Application Server. Replace the C:/ drive designation with the operating system's absolute path to the file.
    • For the com.ibm.ssl.trustStore property, replace the wccmDefault value of DummyServerTrustFile.jks with the actual trustFileName and location of the truststore on this WebSphere Application Server. Replace the C:/ drive designation with the operating system's absolute path to the file.
      <channel name="TLSInboundChannel" factory="com.ibm.ws.ssl.channel.impl.SSLChannelFactory" sequence="2" weight="1">
      ...
      <wccmProperty name="com.ibm.ssl.keyStore" wccmPropertyName="keyFileName" wccmPropertyGroup="SecurityPropertyGroup" wccmDefault="C:/WebSphere/AppServer/profiles/default/etc/DummyServerKeyFile.jks" />
      <wccmProperty name="com.ibm.ssl.trustStore" wccmPropertyName="trustFileName" wccmPropertyGroup="SecurityPropertyGroup" wccmDefault="C:/WebSphere/AppServer/profiles/default/etc/DummyServerTrustFile.jks" />
      ...
      </channel>
    • For the com.ibm.ssl.protocol property, replace the SSLv3 value with TLSv1. SSLv3 is not an approved protocol under FIPS 140-2, so leaving the default in place defeats the purpose of the FIPS Server.
  18. Close and save the file.
  19. Restart the Sametime Proxy Server again to put the configuration changes into effect.
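A quick consistency check for steps 15 through 18, written here as an added example and not part of the IBM procedure: the following Python script parses a sametimeProxy.xml and reports every value that still matches the shipped template (the temp.sametimeserver.com placeholder in the serverAddress entries, the DummyServerKeyFile.jks and DummyServerTrustFile.jks defaults, and an SSLv3 protocol). The sample XML is constructed from the fragments quoted above; the enclosing <config> root element, the name of the template file on disk, and the representation of com.ibm.ssl.protocol as a <property> element are assumptions, because the page does not show them.

```python
"""Lint a Sametime FIPS Proxy sametimeProxy.xml for template values left in place.

Added example, not IBM code.  Run it against the deployed file, e.g.
    python lint_sametime_proxy.py .../sametimefipsproxy.war/sametimeProxy.xml
and expect no output on a correctly edited file.
"""
import sys
import xml.etree.ElementTree as ET

PLACEHOLDER_HOST = "temp.sametimeserver.com"            # shipped in the template
DUMMY_STORES = ("DummyServerKeyFile.jks", "DummyServerTrustFile.jks")

# Constructed sample: the two channel fragments quoted in the procedure, wrapped in an
# assumed <config> root.  The com.ibm.ssl.protocol line is assumed to be a <property>.
TEMPLATE_XML = """<?xml version="1.0" encoding="UTF-8"?>
<config>
  <channel name="SametimeProxyChannel" factory="com.ibm.sametime.proxy.channel.impl.SametimeProxyChannelFactory" sequence="2" weight="1">
    <property name="serverAddress1" value="temp.sametimeserver.com:8081" />
    <property name="clientAddress2" value="*:1533" />
    <property name="serverAddress2" value="temp.sametimeserver.com:1533" />
    <property name="clientAddress3" value="*:554" />
    <property name="serverAddress3" value="temp.sametimeserver.com:554" />
  </channel>
  <channel name="TLSInboundChannel" factory="com.ibm.ws.ssl.channel.impl.SSLChannelFactory" sequence="2" weight="1">
    <wccmProperty name="com.ibm.ssl.keyStore" wccmPropertyName="keyFileName" wccmPropertyGroup="SecurityPropertyGroup" wccmDefault="C:/WebSphere/AppServer/profiles/default/etc/DummyServerKeyFile.jks" />
    <wccmProperty name="com.ibm.ssl.trustStore" wccmPropertyName="trustFileName" wccmPropertyGroup="SecurityPropertyGroup" wccmDefault="C:/WebSphere/AppServer/profiles/default/etc/DummyServerTrustFile.jks" />
    <property name="com.ibm.ssl.protocol" value="SSLv3" />
  </channel>
</config>
"""


def _properties(channel):
    """Yield (name, effective value) for <property> and <wccmProperty> children.

    A <wccmProperty> carries the value that takes effect in its wccmDefault attribute.
    """
    for element in channel:
        if element.tag == "property":
            yield element.get("name", ""), element.get("value", "")
        elif element.tag == "wccmProperty":
            yield element.get("name", ""), element.get("wccmDefault", "")


def lint_proxy_config(xml_text):
    """Return a list of human-readable findings; an empty list means the edits were made."""
    root = ET.fromstring(xml_text)
    findings = []
    for channel in root.iter("channel"):
        cname = channel.get("name", "")
        for name, value in _properties(channel):
            if cname == "SametimeProxyChannel" and name.startswith("serverAddress"):
                if PLACEHOLDER_HOST in value:
                    findings.append(f"{cname}/{name}: still points at template host ({value})")
            elif cname == "TLSInboundChannel":
                if name in ("com.ibm.ssl.keyStore", "com.ibm.ssl.trustStore"):
                    if value.endswith(DUMMY_STORES):
                        findings.append(f"{cname}/{name}: still uses the dummy store ({value})")
                elif name == "com.ibm.ssl.protocol":
                    # Any SSL* value (SSLv3, SSL_TLS, ...) is not what step 17 asks for.
                    if value.upper().startswith("SSL"):
                        findings.append(f"{cname}/{name}: {value} must be replaced with TLSv1")
    return findings


def configured_example():
    """The constructed template with the edits from steps 16 and 17 applied (hypothetical site values)."""
    return (TEMPLATE_XML
            .replace(PLACEHOLDER_HOST, "yourserver.yourdomain.com")
            .replace("C:/WebSphere/AppServer/profiles/default/etc/DummyServerKeyFile.jks",
                     "/opt/IBM/WebSphere/AppServer/profiles/STPAppProfile/etc/key.p12")
            .replace("C:/WebSphere/AppServer/profiles/default/etc/DummyServerTrustFile.jks",
                     "/opt/IBM/WebSphere/AppServer/profiles/STPAppProfile/etc/trust.p12")
            .replace('value="SSLv3"', 'value="TLSv1"'))


if __name__ == "__main__":
    if len(sys.argv) > 1:
        with open(sys.argv[1], encoding="utf-8") as fh:
            text = fh.read()
    else:
        text = TEMPLATE_XML          # no path given: lint the constructed template
    problems = lint_proxy_config(text)
    for line in problems:
        print(line)
    sys.exit(1 if problems else 0)
```

Run it against the unedited template and it reports all six leftover values (three serverAddress entries, both dummy stores and the SSLv3 protocol); against the edited file it should print nothing and exit 0, which makes it usable as a post-deployment check before the restart in step 19. The script only inspects attribute values; it does not verify that the keystore and truststore files exist or that the WebSphere profile is actually running in FIPS mode.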

Results

Sametime Connect clients use the "Direct connection using TLS" connection option when setting up the server community that connects to the FIPS-enabled server.