Securing Server to Server Connections

Before you begin

You must configure the sametime.ini settings by completing one of these topics:

About this task

The Sametime Community Server port 1516 accepts connections from server applications (such as a standalone Mux or a Sametime Proxy server) and from peer Sametime Community Servers. Use this task to enable or disable TLS on that port. You can also change the listening address and port, although keeping the default port number of 1516 is recommended.

By default, connections are encrypted using the Diffie-Hellman key exchange and RC2 encryption. You can set the server to use one of three modes:
  • Strict TLS - The Sametime Community Server accepts only TLS connections. If you choose Strict TLS, enable TLS for all other servers and server-side components in the community first; any component that cannot negotiate TLS will be unable to connect.
  • Legacy Sametime encryption - The Sametime Community Server does not accept TLS connections. Instead, connections are encrypted using the Diffie-Hellman key exchange and RC2 encryption, as in Sametime 9 and below. This is the default setting.
  • Both allowed - The Sametime Community Server allows both legacy-encrypted connections and TLS connections over the same port. This setting is suitable for a mixed deployment of old and new servers: old servers and server applications use legacy encryption, while new servers and server applications establish a TLS connection. Because any peer that does not negotiate TLS still gets a legacy connection, treat this as a migration setting and move to Strict TLS once every component supports TLS. Refer to the Security Considerations document for more information.
  1. Remote into the Sametime server and open the sametime.ini file for editing.
  2. Under the [Connectivity] section, set the ports for the mode you want:
    • To allow both legacy connections and TLS connections on the same port:
      • VPS_PORT=1516
      • VPS_TLS_PORT=1516
    • To enforce strict TLS connections only (VPS_PORT=0 disables the legacy listener):
      • VPS_PORT=0
      • VPS_TLS_PORT=1516
  3. Save and close the sametime.ini file.
  4. Restart the server for these settings to take effect.

Additional Optional Security Features

Request certificate from the client:

The optional setting STSRV_TLS_CLIENT_AUTH specifies whether the server requests or requires a certificate from the client. Here the client is a Sametime server application, such as a standalone Mux or a Sametime Proxy server, not an end-user client. This setting belongs under the [Config] section of sametime.ini.

There are three options:
  • 0 = None - The server does not request a certificate from the client.
  • 1 = Want - The server requests a certificate from the client, but proceeds with the handshake even if the client does not present one.
  • 2 = Need - The server requests a certificate from the client, and fails the connection if the client does not present one.
The TLS handshake protocol provides two methods of authentication using certificates:
  • Server authentication: The server presents its certificate to the client, allowing the client to authenticate the server. In a Sametime deployment, server authentication is enabled by default and cannot be modified; a server with a key store will always present its certificate to the client.
  • Client authentication: The client presents its certificate to the server, allowing the server to authenticate the client. For a Sametime deployment, client authentication is optional.

With STSRV_TLS_CLIENT_AUTH=2 (Need), the Community Server requires a client certificate when accepting connections on port 1516. Server components that reside on the same computer as the Community Server can use the same key store file as the Community Server for this purpose. Remote server components need either a copy of the Community Server's key store file or a key store that contains a certificate signed by a CA (certificate authority) that is trusted by the Community Server. Copying the key store also places the Community Server's private key on the remote host, so issuing each remote component its own certificate from a CA the Community Server trusts is the safer choice.

The Community Mux (accepting client connections on port 1533) can be configured to request client authentication as well. However, this is not common practice, because Sametime clients already authenticate using passwords (or tokens). If you do configure the Mux to require client authentication (by setting STSRV_TLS_CLIENT_AUTH to 2, Need), you must supply each client with a personal certificate signed by a CA (certificate authority) that is trusted by the Mux.

If your environment requires a standalone Mux to have encrypted connections to the Sametime Community Server, make the same changes in the sametime.ini of the standalone Mux server.
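The port settings above and the STSRV_TLS_CLIENT_AUTH values can be checked mechanically before a restart. The script below is an added example, not HCL Sametime code: it parses a sametime.ini, classifies the server-to-server mode (legacy only, both allowed, strict TLS) from VPS_PORT and VPS_TLS_PORT, and reports the client authentication level. Two assumptions not stated on the page: a missing or zero VPS_TLS_PORT is treated as "no TLS listener" (legacy only), and a missing VPS_PORT falls back to the default 1516. The sample ini contents are constructed for the example.

```python
"""Audit server-to-server TLS settings in a Sametime Community Server sametime.ini.

Added example, not HCL Sametime code. Reads [Connectivity] and [Config] and
reports the mode described on the page plus the client authentication level.
Assumptions: VPS_TLS_PORT unset or 0 means no TLS listener (legacy only);
VPS_PORT unset means the product default of 1516.
"""
import configparser
from dataclasses import dataclass, field
from typing import List

DEFAULT_PORT = 1516
CLIENT_AUTH = {0: "None", 1: "Want", 2: "Need"}   # STSRV_TLS_CLIENT_AUTH values


@dataclass
class Finding:
    level: str      # "ok", "warn" or "fail"
    message: str


@dataclass
class Audit:
    mode: str                           # "legacy", "both", "strict" or "split"
    client_auth: str                    # "None", "Want" or "Need"
    findings: List[Finding] = field(default_factory=list)

    def worst(self) -> str:
        levels = {f.level for f in self.findings}
        return "fail" if "fail" in levels else "warn" if "warn" in levels else "ok"


def _int_setting(section, key: str, default: int) -> int:
    raw = section.get(key, "").strip()
    if raw == "":
        return default
    if not raw.isdigit():
        raise ValueError(f"{key} must be numeric, got {raw!r}")
    return int(raw)


def audit_sametime_ini(text: str) -> Audit:
    # sametime.ini is a plain INI file; keep key case (configparser lowercases by default)
    cp = configparser.ConfigParser(interpolation=None, strict=False)
    cp.optionxform = str
    cp.read_string(text)
    conn = cp["Connectivity"] if cp.has_section("Connectivity") else {}
    conf = cp["Config"] if cp.has_section("Config") else {}

    legacy_port = _int_setting(conn, "VPS_PORT", DEFAULT_PORT)  # 0 disables the legacy listener
    tls_port = _int_setting(conn, "VPS_TLS_PORT", 0)            # assumption: unset = no TLS listener
    findings: List[Finding] = []

    if tls_port == 0:
        mode = "legacy"
        findings.append(Finding("fail", f"TLS off: port {legacy_port} accepts only legacy DH/RC2 connections"))
    elif legacy_port == 0:
        mode = "strict"
        findings.append(Finding("ok", f"strict TLS on port {tls_port}; legacy listener disabled"))
    elif legacy_port == tls_port:
        mode = "both"
        findings.append(Finding("warn", f"port {tls_port} accepts TLS and legacy DH/RC2; keep only during migration"))
    else:
        mode = "split"   # not a configuration the page describes
        findings.append(Finding("warn", f"legacy on {legacy_port}, TLS on {tls_port}; the page expects one port"))

    if tls_port not in (0, DEFAULT_PORT):
        findings.append(Finding("warn", f"TLS port {tls_port} differs from the recommended {DEFAULT_PORT}"))

    level = _int_setting(conf, "STSRV_TLS_CLIENT_AUTH", 0)
    if level not in CLIENT_AUTH:
        raise ValueError(f"STSRV_TLS_CLIENT_AUTH must be 0, 1 or 2, got {level}")
    client_auth = CLIENT_AUTH[level]
    if mode != "legacy":   # client certificates only matter once TLS is accepted
        if level == 2:
            findings.append(Finding("ok", "client certificates required (Need)"))
        elif level == 1:
            findings.append(Finding("warn", "client certificate requested but not required (Want)"))
        else:
            findings.append(Finding("warn", "no client certificate requested from connecting components"))

    tmf = conf.get("ST_TLS_TRUST_MANAGER_FACTORY_ALGORITHM", "").strip()
    if tmf:
        findings.append(Finding("warn", f"ST_TLS_TRUST_MANAGER_FACTORY_ALGORITHM={tmf} set; check the signer cert's Basic Constraints"))

    return Audit(mode, client_auth, findings)


# Constructed sample files matching the two procedures on the page.
STRICT_INI = "[Config]\nSTSRV_TLS_CLIENT_AUTH=2\n\n[Connectivity]\nVPS_PORT=0\nVPS_TLS_PORT=1516\n"
BOTH_INI = "[Config]\nSTSRV_TLS_CLIENT_AUTH=1\n\n[Connectivity]\nVPS_PORT=1516\nVPS_TLS_PORT=1516\n"

if __name__ == "__main__":
    import sys
    text = open(sys.argv[1], encoding="utf-8").read() if len(sys.argv) > 1 else STRICT_INI
    report = audit_sametime_ini(text)
    print(f"mode={report.mode} client_auth={report.client_auth} overall={report.worst()}")
    for f in report.findings:
        print(f"  [{f.level}] {f.message}")
```

Run it as `python audit_sametime_ini.py /path/to/sametime.ini`; with no argument it audits the constructed strict-TLS sample. A "legacy" or "split" result before you restart means the port change did not land where you expected.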

Ensuring a certificate contains the Basic Constraints extension

When using TLS to encrypt traffic on the Sametime Community Server, the Community Server presents its certificate during the TLS handshake to any Sametime server application connecting to it. For the server application to verify the signer of the Community Server's certificate as part of the handshake, the signer's certificate must be present in the trust store used by the server applications.

Best practices dictate that the signer's certificate contain the optional Basic Constraints extension with the cA flag set to TRUE. This extension indicates that the owner of the certificate is a certificate authority. Check the signer's certificate for this extension before deploying it to the trust store; reissuing a signer certificate that lacks it is the proper fix. If you cannot reissue the signer's certificate, add the ST_TLS_TRUST_MANAGER_FACTORY_ALGORITHM flag to the [Config] section of the sametime.ini file on the Sametime Community Server. With this flag set, server applications can complete the TLS handshake against a signer certificate that lacks the extension.

Complete these steps to add that flag.

  1. In the [Config] section of the sametime.ini file, add this entry:

    ST_TLS_TRUST_MANAGER_FACTORY_ALGORITHM=PKIX

  2. Save and close the file.
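Before relying on the flag, confirm what the signer certificate actually carries. The script below is an added example, not HCL Sametime code: it reads a PEM or DER certificate with only the Python standard library and reports whether the Basic Constraints extension (OID 2.5.29.19) is present and whether its cA flag is TRUE. The test fixtures are constructed DER skeletons that follow the Certificate/tbsCertificate/Extensions nesting of RFC 5280 but are not valid certificates; real input is a signer certificate exported from the trust store.

```python
"""Report the Basic Constraints cA flag of a signer certificate (PEM or DER).

Added example, not HCL Sametime code. Standard library only: a minimal DER
walker looks for the Extension whose OID is 2.5.29.19 (Basic Constraints).
Multi-byte tags and indefinite lengths are not handled; DER certificates do
not use them.
"""
import base64
import re
import sys

BASIC_CONSTRAINTS_OID = b"\x55\x1d\x13"     # 2.5.29.19, DER-encoded value bytes


def _read_tlv(data: bytes, pos: int):
    """Return (tag, value_start, value_end, next_pos) for the TLV at pos."""
    tag = data[pos]
    length = data[pos + 1]
    pos += 2
    if length & 0x80:                        # long-form length
        n = length & 0x7F
        length = int.from_bytes(data[pos:pos + n], "big")
        pos += n
    return tag, pos, pos + length, pos + length


def _children(data: bytes, start: int, end: int):
    pos = start
    while pos < end:
        tag, vs, ve, pos = _read_tlv(data, pos)
        yield tag, vs, ve


def _walk(data: bytes, start: int, end: int):
    """Depth-first over every TLV; descends only into constructed types (bit 0x20)."""
    for tag, vs, ve in _children(data, start, end):
        yield tag, vs, ve
        if tag & 0x20:
            yield from _walk(data, vs, ve)


def basic_constraints_ca(der: bytes):
    """True/False for the cA flag, or None when the extension is absent."""
    tag, vs, ve, _ = _read_tlv(der, 0)
    if tag != 0x30:
        raise ValueError("input is not a DER SEQUENCE; not a certificate")
    for tag, s, e in _walk(der, vs, ve):
        if tag != 0x30:
            continue
        kids = list(_children(der, s, e))
        # An Extension is SEQUENCE { extnID OID, critical BOOLEAN OPTIONAL, extnValue OCTET STRING }
        if not kids or kids[0][0] != 0x06 or der[kids[0][1]:kids[0][2]] != BASIC_CONSTRAINTS_OID:
            continue
        _, os_s, _ = kids[-1]                # extnValue OCTET STRING
        _, bc_s, bc_e, _ = _read_tlv(der, os_s)   # BasicConstraints SEQUENCE inside it
        for ktag, ks, _ in _children(der, bc_s, bc_e):
            if ktag == 0x01:                 # cA BOOLEAN
                return der[ks] != 0
        return False                         # cA omitted means DEFAULT FALSE
    return None


def load_certificate(pem_or_der: bytes) -> bytes:
    m = re.search(rb"-----BEGIN CERTIFICATE-----(.*?)-----END CERTIFICATE-----", pem_or_der, re.S)
    return base64.b64decode(b"".join(m.group(1).split())) if m else pem_or_der


def verdict(pem_or_der: bytes) -> str:
    return {True: "CA:TRUE", False: "CA:FALSE", None: "absent"}[basic_constraints_ca(load_certificate(pem_or_der))]


# --- constructed fixtures (parsing skeletons, not valid certificates) ---
def _tlv(tag: int, body: bytes) -> bytes:
    n = len(body)
    if n < 0x80:
        return bytes([tag, n]) + body
    lb = n.to_bytes((n.bit_length() + 7) // 8, "big")
    return bytes([tag, 0x80 | len(lb)]) + lb + body


def fake_cert(extensions: bytes) -> bytes:
    tbs = _tlv(0xA0, _tlv(0x02, b"\x02")) + _tlv(0x02, b"\x01")   # [0] version v3, serialNumber
    tbs += _tlv(0xA3, _tlv(0x30, extensions))                      # [3] Extensions
    return _tlv(0x30, _tlv(0x30, tbs) + _tlv(0x03, b"\x00"))       # Certificate { tbs, signatureValue }


_BC_OID = _tlv(0x06, BASIC_CONSTRAINTS_OID)
EXT_CA_TRUE = _tlv(0x30, _BC_OID + _tlv(0x01, b"\xff") + _tlv(0x04, _tlv(0x30, _tlv(0x01, b"\xff"))))
EXT_CA_FALSE = _tlv(0x30, _BC_OID + _tlv(0x04, _tlv(0x30, b"")))          # cA omitted = FALSE
EXT_KEY_USAGE = _tlv(0x30, _tlv(0x06, b"\x55\x1d\x0f") + _tlv(0x04, _tlv(0x03, b"\x01\x06")))
SAMPLE_PEM = b"-----BEGIN CERTIFICATE-----\n" + base64.encodebytes(fake_cert(EXT_KEY_USAGE + EXT_CA_TRUE)) + b"-----END CERTIFICATE-----\n"

if __name__ == "__main__":
    data = open(sys.argv[1], "rb").read() if len(sys.argv) > 1 else SAMPLE_PEM
    print("Basic Constraints:", verdict(data))
```

Run `python check_signer_bc.py signer.pem` against the certificate you are about to put in the trust store; only "CA:TRUE" satisfies the best practice above, and "CA:FALSE" or "absent" is the case the ST_TLS_TRUST_MANAGER_FACTORY_ALGORITHM workaround exists for.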