Securing the Sametime Proxy Server
About this task
Replacing the self-signed certificate with a third party certificate
A third party certificate is recommended for deployments that include mobile devices.
Follow the steps in the knowledge article: How to create a new Java Keystore with a Third Party certificate for Sametime Proxy 11.
Changing the default HTTP/S ports
The Sametime 11 Proxy server default ports are 8080 (unsecured HTTP) and 8443 (secure HTTPS).
To change the ports to 80 and 443, use this procedure.
- In the folder where you unzipped the Sametime Proxy application, locate the "server.xml" file in the conf subfolder.
- Open the file using a text or xml editor.
- Locate the two Connector settings below:
<Connector port="8080" protocol="HTTP/1.1" connectionTimeout="20000" redirectPort="8443"/>
<Connector protocol="org.apache.coyote.http11.Http11NioProtocol" port="8443" maxThreads="200" scheme="https" secure="true" SSLEnabled="true" keystoreFile="conf/stproxy.keystore" keystorePass="sametime" clientAuth="false" sslProtocol="TLS"/>
- Update the "port" values to 80 and 443:
<Connector port="80" protocol="HTTP/1.1" connectionTimeout="20000" redirectPort="443"/>
<Connector protocol="org.apache.coyote.http11.Http11NioProtocol" port="443" maxThreads="200" scheme="https" secure="true" SSLEnabled="true" keystoreFile="conf/stproxy.keystore" keystorePass="sametime" clientAuth="false" sslProtocol="TLS"/>
- Save the file, restart the Sametime Proxy server, and validate the change.
Disabling Early TLS
- In the folder where you unzipped the Sametime Proxy application, locate the "server.xml" file in the conf subfolder.
- Open the file using a text or xml editor.
- Change sslProtocol="TLS" to sslProtocol="TLSv1.2" in the following Connector:
<Connector protocol="org.apache.coyote.http11.Http11NioProtocol" port="8443" maxThreads="200" scheme="https" secure="true" SSLEnabled="true" keystoreFile="conf/stproxy.keystore" keystorePass="sametime" clientAuth="false" sslProtocol="TLS"/>
Modify it to:
<Connector protocol="org.apache.coyote.http11.Http11NioProtocol" port="8443" maxThreads="200" scheme="https" secure="true" SSLEnabled="true" keystoreFile="conf/stproxy.keystore" keystorePass="sametime" clientAuth="false" sslProtocol="TLSv1.2"/>
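One way to check an edited server.xml against both procedures above, as an added example that is not part of the product documentation: it flags a secure Connector whose sslProtocol is not TLSv1.2 and a plain Connector whose redirectPort no longer matches any secure Connector port. The function name and the sample XML (including the Server/Service wrapper elements) are constructed for illustration.

```python
import xml.etree.ElementTree as ET

# Constructed sample: ports were moved to 80/443, but redirectPort and
# sslProtocol were left at their original values.
SAMPLE_SERVER_XML = """<Server><Service name="Catalina">
<Connector port="80" protocol="HTTP/1.1" connectionTimeout="20000" redirectPort="8443"/>
<Connector protocol="org.apache.coyote.http11.Http11NioProtocol" port="443"
  maxThreads="200" scheme="https" secure="true" SSLEnabled="true"
  keystoreFile="conf/stproxy.keystore" keystorePass="sametime"
  clientAuth="false" sslProtocol="TLS"/>
</Service></Server>"""


def audit_connectors(xml_text, required_protocol="TLSv1.2"):
    """Return a list of findings for the <Connector> elements in server.xml."""
    root = ET.fromstring(xml_text)
    connectors = list(root.iter("Connector"))

    def is_tls(conn):
        return conn.get("SSLEnabled", "").lower() == "true"

    # Ports that actually terminate TLS; redirectPort values must point here.
    tls_ports = {c.get("port") for c in connectors if is_tls(c)}

    findings = []
    for conn in connectors:
        port = conn.get("port")
        if is_tls(conn):
            proto = conn.get("sslProtocol")
            if proto != required_protocol:
                findings.append(
                    f"port {port}: sslProtocol={proto!r}, expected {required_protocol!r}"
                )
        else:
            redirect = conn.get("redirectPort")
            if redirect and redirect not in tls_ports:
                findings.append(
                    f"port {port}: redirectPort={redirect} has no matching secure Connector"
                )
    return findings


if __name__ == "__main__":
    for finding in audit_connectors(SAMPLE_SERVER_XML):
        print(finding)
```

To audit a real installation, pass the contents of conf/server.xml to audit_connectors(); an empty list means both checks passed.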