Implementing the Global TLS Scope for Docker
Before you begin
About this task
- A trust store needed for creating outbound connections.
- The trust store is used by the client side of a TLS connection to validate the server's certificate.
- With mutual authentication, the trust store is also used by the server to validate the client's certificate.
- A key store needed for accepting inbound connections.
- The key store is used by the server side of a TLS connection to store the server certificate as well as chain certificates, if any chain certificates exist.
- During client authentication, the key store is used by the client to store its client certificate and chain certificates, if any exist.
- All Sametime encryption is done at TLS 1.2, which can be overridden if a lower version is required.
The following tables describe the required and optional configuration settings in the sametime.ini. To configure the sametime.ini file, see Configuring the sametime.ini file on Docker or Podman.
Parameter | Description |
---|---|
STI_Config_ST_TLS_TRUST_STORE_TYPE | The trust store type. Only p12 trust stores are supported. |
STI_Config_ST_TLS_KEY_STORE_TYPE | The key store type. Only p12 trust stores are supported. |
STI_Config_ST_TLS_TRUST_STORE_FILE | The full path and name of the trust store file. For example: /local/notesdata/truststore.p12 |
STI_Config_ST_TLS_TRUST_STORE_PASSWORD | The password to the trust store. For example:
|
STI_Config_ST_TLS_KEY_STORE_FILE | The full path and name of the key store. For example: /local/notesdata/keystore.p12 |
STI_Config_ST_TLS_KEY_STORE_PASSWORD | The password to the keystorel For example:
SecureSametimePassw0rd |
Parameter | Description |
---|---|
STI_Config_ST_TLS_FIPS_COMPLIANCE | Set to 1 to enable FIPS compliance. |
STI_Config_ST_TLS_SECURITY_LEVEL |
The required security level. The minimum security level controls compliance with the security standards NIST SP800-131a and NSA Suite B.
|
STI_Config_ST_TLS_MAX_SESSION_AGE | The amount of time before re-negotiating a session. The time to
keep a session, in seconds, before deleting it from cache.
|
STI_Config_ST_TLS_SESSION_CACHE_SIZE | Applies only to inbound connections. The number of TLS sessions
that a server keeps in memory, for session reuse. This option tells
the server to keep a cache of the TLS session state after the
connection is closed.
It is useful after temporary network outage, when the client
attempts to reconnect to the server, by reusing the session that
was established earlier.
|
STI_Config_ST_TLS_SESSION_CACHE_TIME | Applies only to inbound connections. The maximum age of a TLS session, in seconds before renegotiating a session, If the same session is used longer than this setting, a new session is renegotiated over the same connection. The default value 0 means that there is no session renegotiation. |
STI_Config_ST_TLS_MIN_PROTOCOL_VERSION= |
The oldest version of the SSL/TLS protocol to negotiate during
handshake. The default value is TLS 1.2.
|
STI_Config_ST_TLS_MAX_PROTOCOL_VERSION |
The maximum TLS protocol.
|
STI_Config_ST_TLS_CIPHER_SUITES | A comma-separated list of cipher suites. Leave blank to enable the default cipher suites. |
STI_Config_ST_TLS_CLIENT_AUTH |
Request a certificate from the client, does not apply to outbound connections.
|
STI_Config_ST_TLS_TRUSTED_HOSTS | A comma-separated list of one or more trusted hosts, to compare
against the peer certificate. The comparison takes place during the
TLS handshake, when receiving a certificate from the peer, when the
client receives the server certificate, or when the server receives
a client certificate. The name in the peer certificate is
typically specified in either the subject CN (common name) or
the A trusted host name may contain the wild card character (*) which can be used to compare domain components rather than the entire string as a whole. The comparison process follows the rules described in section 3.1 of RFC 2818. Certificate subject
validation only applies when receiving a certificate from the
peer. In order to ensure that a server performs this comparison,
the server must require a client certificate, by setting
|
STI_Config_ST_TLS_MIRROR_TRUSTED_HOSTS | This parameter is needed when you have a key store with multiple key certificates. In which case, each certificate has a different alias in the key store. On the server side, specify the alias of the certificate that identifies the server. If the key store is used on the client side of TLS connections, specify the alias of the certificate that identifies the client. |
STI_Config_ST_TLS_KEY_LABEL |
This parameter is ignored if the STI_Config_ST_TLS_KEY_STORE_FILE parameter is missing or if there is only one key in the keystore. This parameter is needed when you have a key store with multiple key certificates. In which case, each certificate has a different alias in the key store. On the server side, specify the alias of the certificate that identifies the server. If the key store is used on the client side of TLS connections, specify the alias of the certificate that identifies the client. |