Enabling TLS on a Sametime Proxy Server

When Transport Layer Security (TLS) strict mode is enabled on an IBM® Sametime® Community Server, TLS must be enabled on the IBM Sametime Proxy Server as well.

About this task

If the Sametime Community Server and the Sametime Proxy Server are on the same computer, you do not need to create a key database. Use the key database that is being used by the Community Server.

Ensure that the key database the Sametime Proxy Server uses contains the Trust Root CA that the Sametime Community Server uses.
Note: TLS is not supported on the IBM i platform.

Enable TLS on a Sametime Proxy Server by completing these steps:

Procedure

  1. Create the certificate store (key database) for the Sametime Proxy Server. For more information, see the topic Creating a certificate store.
  2. Initialize the stproxyconfig.xml file by completing the following steps:
    1. On the Sametime System Console, log in the WebSphere® Integrated Solutions Console as the WebSphere administrator.
    2. Click Sametime System Console > Sametime Servers > Sametime Proxy Server.
    3. In the Sametime Proxy Servers list, click the name of the Sametime Proxy Server that you are updating.
    4. On the Sametime Proxy Server administration page, do not change any settings, just click OK to initialize the file.

      When you click OK on the administration page, the stproxyconfig.xml file is populated with default values.

  3. Locate the stproxyconfig.xml file used by the Sametime Proxy Server's deployment manager. For example,

    On Linux™

    .../WebSphere/AppServer/profiles/STSCDMgrProfile/config/cells/STAIXL016SSCCell/nodes/staixl015STPNode1/servers/STProxyServer

    On Windows™

    ..\WebSphere\AppServer\profiles\nstvm001STPDMProfile1\config\cells\nstvm001STPCell1\nodes\nstvm001STPNode1\servers\STProxyServer

  4. Update the stproxyconfig.xml file settings to reflect your deployment. This is a sample of the settings in the stproxyconfig.xml file:
    <tls>
<!-- true or false-->
<isUsed>true</isUsed>
<!-- Name of the security provider, null for the default TLS provider. -->
<providerName></providerName>
<!-- Trust store type, or null to determine by the trustStoreFile extension. -->
<trustStoreType></trustStoreType>
<!-- Trust store file, requires fully qualified path. Leave null if no trust store. -->
<trustStoreFile>C:\Program Files (x86)\ibm\WebSphere\AppServer\profiles\STSCDMgrProfile\config\cells\SSCCell\key.p12</trustStoreFile>
<!-- Trust store password, may be null if encoded in stash file. -->
<trustStorePassword></trustStorePassword>
<!-- Trust store password stash file, null if not stashed. -->
<trustStorePasswordStashFile></trustStorePasswordStashFile>
<!-- Key store type, or null to determine by the keyStoreFile extension. -->
<keyStoreType></keyStoreType>
<!-- Key store file, requires fully qualified path. Leave null if no key store. -->
<keyStoreFile>C:\Program Files (x86)\ibm\WebSphere\AppServer\profiles\STSCDMgrProfile\config\cells\SSCCell\trust.p12</keyStoreFile>
<!-- Key store password, may be null if encoded in stash file. -->
<keyStorePassword></keyStorePassword>
<!-- Key store password stash file, null if not stashed. -->
<keyStorePasswordStashFile></keyStorePasswordStashFile>
<!-- Personal certificate label in key store, or null to use any. -->
<keyLabel></keyLabel>
<!-- The minimum security level to allow. The applied security level will be pushed higher if there are JVM arguments that impose stronger security. -->
<securityLevel></securityLevel>
<!-- The oldest protocol version to allow (example uses TLSv1.2). -->
<minProtocolVersion>0x303</minProtocolVersion>
<!-- The newest protocol version to support (example uses TLSv1.2). -->
<maxProtocolVersion>0x303</maxProtocolVersion>
<!-- Custom cipher suites. null implies default, while "*" implies all implemented cipher suites. -->
<cipherSuites></cipherSuites>
<!-- Client authentication option for server-side engines. null implies ClientAuth.NONE. -->
<clientAuth></clientAuth>
<!-- Comma-separated list of valid peer hosts. Peer verification passes if the host name in the peer certificate matches any of these names. null implies no matching. -->
<trustedHosts></trustedHosts>
<!-- Indicates that the list of acceptable hosts is retrieved from the local personal certificate, in addition to the host names passed in the trustedHosts argument. -->
<mirrorTrustedHosts>0</mirrorTrustedHosts>
<!-- Maximum number of sessions to cache for potential session reuse (-1=none, 0=no limit). -->
<sessionCacheSize>-1</sessionCacheSize>
<!-- Maximum time to re-use the same session, in seconds (-1=no reuse, 0=no limit). -->
<sessionCacheTime>-1</sessionCacheTime>
<!-- Maximum time that an engine will exchange data over the same session before it initiates a new one with the peer, in seconds (0=no limit).  -->
<maxSessionAge>0</maxSessionAge>
</tls>

    For information about the parameters, see the topic Configuring TLS for the Community Server.

  5. Save and close the file.
  6. Synchronize and restart the Sametime Proxy nodes by completing steps 7 - 12.
  7. Log in to the deployment manager's (the Sametime System Console) Integrated Solutions Console as the WebSphere administrator.
  8. Stop the deployment manager:
    1. Click System Administration > Deployment manager.
    2. Click the Configuration tab.
    3. On the Configuration tab of the deployment manager settings, click Stop.
  9. Now start the deployment manager:
    1. Open a command window and navigate to the was_install_root/profiles/DeploymentManagerName/bin directory.
    2. Run the following command:

      IBM AIX®, or Linux

      ./startManager.sh

      Microsoft™ Windows

      startManager.bat
  10. Log in to the Integrated Solutions Console.
  11. Wait until the nodes have all started. Then follow these steps to synchronize all the nodes:
    1. In the deployment manager's Integrated Solutions Console, click System Administration > Nodes.
    2. Select all nodes in the cluster.
    3. Click Full Resynchronize.
  12. Restart all nodes in the cluster:
    1. In the deployment manager's Integrated Solutions Console, click System Administration > Node agents.
    2. Click a node agent, and then click Restart (the node agent should already be running).
    3. Wait until the nodes have all started before proceeding to another task.