Enabling TLSv1.2 for Sametime Advanced Server

Configure TLSv1.2 settings on the Sametime® Advanced Server.

About this task

Improve the security of your Sametime deployment by enabling servers to communicate with TLSv1.2.

Procedure

  1. On the Sametime Advanced Server, log in to the WebSphere® Integrated Solutions Console as the WebSphere administrator.
  2. Click Security > SSL certificate and key management > SSL configurations.
  3. Enable TLS for the NodeDefaultSSLSettings SSL configuration:
    1. Select the NodeDefaultSSLSettings configuration for the Management scope of your Sametime Advanced Server.

      For example: (cell):SSCHostnameSSCCell:(node):STAdvHostnameSTAdvNode.

    2. In the "Additional Properties" section, click Quality of Protection (QoP) setting.
    3. Change the Protocol setting to SSL_TLSv2.
      Note: This setting is a temporary work-around. Sametime Advanced uses XULrunner to support chat room functions, and as of the Sametime 9.0.1 FP1 release, XULrunner did not support TLSv1.2. For more information, see the IBM tech note "SAML logins for Sametime Advanced chat rooms function uses XULrunner embedded browser, which only supports TLS1.0".
    4. Click OK.
    5. Update the master configuration by clicking Save in the "Messages" box at the beginning of the page.
    6. Repeat this step for every NodeDefaultSSLSettings SSL configuration that belongs to the Sametime Advanced Server.
  4. Stop the STAdvancedServer application server by opening a command window and running the stopServer.bat (Windows™) or stopServer.sh (AIX®, Linux™) script.
    For example on Linux:
    sh /opt/IBM/WebSphere/AppServer/profiles/STAdvAppProfile/bin/stopServer.sh STAdvancedServer -username wasadmin -password password
  5. Stop the STAdvancedServer node agent by running the stopNode.bat (Windows) or stopNode.sh (AIX, Linux) script.
    For example on Linux:
    sh /opt/IBM/WebSphere/AppServer/profiles/STAdvAppProfile/bin/stopNode.sh -username wasadmin -password password
  6. Modify the ssl.client.props file so that the server can communicate with the System Console using TLSv1.2.
    1. On the server, open the $AppServer/profiles/STAdvAppProfile/properties/ssl.client.props file.
    2. Edit the file and change the com.ibm.ssl.protocol setting to TLSv1.2.
      com.ibm.ssl.protocol=TLSv1.2
    3. Save and close the file.
  7. Sync the node with the deployment manager by running the syncNode.bat (Windows) or syncNode.sh (AIX, Linux) script.
    For example on Linux:
    sh /opt/IBM/WebSphere/AppServer/profiles/STAdvAppProfile/bin/syncNode.sh SSC_Host_Name 8703 -username wasadmin -password password

    If you encounter problems when syncing the nodes, verify that TLSv1.2 was properly enabled on the server. If you still see problems, restart the server and sync again.

  8. Start the STAdvancedServer node agent by running the startNode.bat (Windows) or startNode.sh (AIX, Linux) script.
    For example on Linux:
    sh /opt/IBM/WebSphere/AppServer/profiles/STAdvAppProfile/bin/startNode.sh
  9. Start the STAdvancedServer application server by opening a command window and running the startServer.bat (Windows) or startServer.sh (AIX, Linux) script.
    For example on Linux:
    sh /opt/IBM/WebSphere/AppServer/profiles/STAdvAppProfile/bin/startServer.sh STAdvancedServer
  10. Open a browser and navigate to the Sametime System Console and verify that all Sametime Advanced Servers can be accessed and are in a started state.
    You can navigate to the Sametime System Console with the following URL:
    https://SSC_Host_Name:8701/ibm/console
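Steps 4 through 9 above are one stop, edit, sync, start sequence, and the edit in step 6 is the part that is easy to get wrong by hand. The following shell script is an added example, not a script shipped by IBM or part of the Sametime documentation. It assumes the install root /opt/IBM/WebSphere/AppServer, the STAdvAppProfile profile, the wasadmin user and the SSC_Host_Name:8703 values used in the procedure (all overridable through environment variables); the openssl-based listener check and the function names (set_ssl_protocol, check_tls12, verify_tls12_listener, apply_tls12) are this example's own. The ssl.client.props edit keeps a dated backup, refuses to touch a file that does not already contain com.ibm.ssl.protocol, and is verified before syncNode runs, which is the check to repeat when a sync fails as described in step 7.

```shell
#!/bin/sh
# Added example: automates steps 4-9 of the TLSv1.2 procedure for the Sametime
# Advanced node. Not IBM's code; paths and credentials are the placeholders from
# the procedure above and must be adjusted for the real deployment.

APPSERVER="${APPSERVER:-/opt/IBM/WebSphere/AppServer}"   # assumed install root
PROFILE_BIN="$APPSERVER/profiles/STAdvAppProfile/bin"
PROPS_FILE="$APPSERVER/profiles/STAdvAppProfile/properties/ssl.client.props"
SSC_HOST="${SSC_HOST:-SSC_Host_Name}"                    # System Console host
SSC_SOAP_PORT="${SSC_SOAP_PORT:-8703}"                    # port used by syncNode
WAS_USER="${WAS_USER:-wasadmin}"
WAS_PASSWORD="${WAS_PASSWORD:-password}"

# Rewrite com.ibm.ssl.protocol in a properties file, keeping a timestamped
# backup. Other lines are untouched. Returns non-zero (and changes nothing) if
# the key is absent, so a typo in the path or a wrong file is noticed.
# The protocol value must not contain '/' (it is used inside a sed pattern).
set_ssl_protocol() {
    props="$1"; proto="$2"
    grep -q '^com\.ibm\.ssl\.protocol=' "$props" || return 1
    cp "$props" "$props.bak.$(date +%Y%m%d%H%M%S)" || return 1
    tmp="$props.tmp.$$"
    sed "s/^com\.ibm\.ssl\.protocol=.*/com.ibm.ssl.protocol=$proto/" "$props" > "$tmp" \
        && mv "$tmp" "$props"
}

# Print the protocol currently configured in the file (empty if the key is missing).
get_ssl_protocol() {
    sed -n 's/^com\.ibm\.ssl\.protocol=\(.*\)$/\1/p' "$1"
}

# Succeeds only if the file is set to exactly TLSv1.2. Run it after the edit and
# again when troubleshooting a failed syncNode (step 7).
check_tls12() {
    [ "$(get_ssl_protocol "$1")" = "TLSv1.2" ]
}

# Handshake check from the node toward a secure port on the System Console:
# succeeds only if the listener negotiates TLSv1.2 (needs the openssl CLI).
verify_tls12_listener() {
    host="$1"; port="$2"
    openssl s_client -connect "$host:$port" -tls1_2 </dev/null 2>/dev/null \
        | grep -q 'Protocol *: TLSv1\.2'
}

# Steps 4-9 in order. Each WebSphere script is checked so the sequence stops
# at the first failure instead of starting a half-configured node.
apply_tls12() {
    sh "$PROFILE_BIN/stopServer.sh" STAdvancedServer -username "$WAS_USER" -password "$WAS_PASSWORD" || return 1
    sh "$PROFILE_BIN/stopNode.sh" -username "$WAS_USER" -password "$WAS_PASSWORD" || return 1
    set_ssl_protocol "$PROPS_FILE" TLSv1.2 || return 1
    check_tls12 "$PROPS_FILE" || return 1
    sh "$PROFILE_BIN/syncNode.sh" "$SSC_HOST" "$SSC_SOAP_PORT" -username "$WAS_USER" -password "$WAS_PASSWORD" || return 1
    sh "$PROFILE_BIN/startNode.sh" || return 1
    sh "$PROFILE_BIN/startServer.sh" STAdvancedServer
}

# Dry run of the edit logic on a constructed copy of ssl.client.props, so it can
# be exercised on a machine without WebSphere installed. Prints the new value.
demo_edit() {
    dir=$(mktemp -d) || return 1
    f="$dir/ssl.client.props"
    printf '%s\n' '# constructed sample, not a real ssl.client.props' \
        'com.ibm.ssl.protocol=SSL_TLS' \
        'com.ibm.ssl.securityLevel=HIGH' > "$f"
    set_ssl_protocol "$f" TLSv1.2 && check_tls12 "$f"
    rc=$?
    get_ssl_protocol "$f"
    rm -rf "$dir"
    return $rc
}

# "apply" runs the real sequence; anything else only runs the offline demo.
case "${1:-}" in
    apply) apply_tls12 ;;
    *) demo_edit ;;
esac
```

Run it as `sh enable_tls12.sh apply` on the Sametime Advanced node after completing step 3 in the console; with no argument it only demonstrates the file edit on a throwaway copy. After the node is back up, `verify_tls12_listener SSC_Host_Name 8701` confirms from the node that the console's secure port accepts a TLSv1.2 handshake.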