Increase the security of the IBM® Sametime® TURN Server by
implementing authentication validation on the Sametime TURN Server and
enforcing authentication for Web and IBM Sametime Connect TURN clients.
With token authentication enabled, a client must present a token generated
from the shared secret key in the STUN Binding and Allocate requests it sends
to the TURN Server. The TURN Server validates the token and answers any request
whose token is invalid with an error response, so only clients that hold a valid
token can bind to the server or allocate relay resources on it.
About this task
Complete this procedure to enable token authentication on
the IBM Sametime TURN Server. If the server deployment is accessed by
Sametime 8.5.2 IFR1 clients, leave TURN Server authentication disabled:
those clients do not send the token, so the TURN Server would reject their
Binding and Allocate requests and their calls would fail.
Procedure
- On the deployment manager for the Media Manager, update the stavconfig.xml file for the Conference Manager nodes by completing these steps:
- Open the stavconfig.xml file for editing.
- Set the value of the TURNTokenAuthEnabled setting to true. For example:
<configuration lastUpdated="1226425838277" name="TURNTokenAuthEnabled" value="true"/>
- Save and close the file.
- Make sure these settings are consistent across all nodes
by completing these steps:
- If there is one Conference Manager, restart it now. If you deployed
a cluster of Conference Managers, synchronize all nodes in the cluster
by completing these steps:
- In the Deployment Manager's Integrated Solutions Console, click .
- In the nodes table, select all nodes in the cluster.
- Click Full Resynchronize.
- From the SIP Proxy/Registrar, copy these files to the TURN Server, overwriting the existing files:
- Secret key file -- The full path of the secret key file is given by the SecretKeyPathForTurnAuthToken setting in the media server's stavconfig.xml file. For example, C:\IBM\WebSphere\AppServer\profiles\wplccdlvmSTMSPNProfile1\properties\anonTokenSecret.txt
- sharedEncKey1.txt -- The shared secret encryption key file located in the media server profile's properties directory. For example, C:\IBM\WebSphere\AppServer\profiles\wplccdlvmSTMSPNProfile1\properties\sharedEncKey1.txt
- sharedEncKey2.txt -- The shared secret encryption key file located in the media server profile's etc directory. For example, C:\IBM\WebSphere\AppServer\profiles\wplccdlvmSTMSPNProfile1\etc\sharedEncKey2.txt
- Update the TURN Server settings by completing these steps:
- On the TURN Server, navigate to the directory where
the TURN Server files were installed (for example, C:\TURN).
- Open the logging.properties file for editing.
- Add these settings:
com.ibm.stun.level=FINER
com.ibm.turn.server.level=FINER
- Save and close the file.
- Edit the TurnServer.properties file by completing these steps:
- On the computer hosting the TURN Server, locate the TurnServer.properties file and open it for editing.
- Enable token authentication for allocation requests on the TURN Server by adding this setting to the TurnServer.properties file:
turn.auth.token.required=true
- Enable token authentication for the initial binding request on the TURN Server by adding this setting to the TurnServer.properties file:
turn.auth.binding.token.required=true
- Add the following lines at the end of the TurnServer.properties file:
#Making turn server version key configurable
################################################################
turn.version.key=Samtime9.0
################################################################
#secret key file path
################################################################
turn.auth.shared.secret.path=anonTokenSecret.txt
################################################################
#Encryption key1 path for Turn server
################################################################
turn.auth.shared.secret.enc1.path=sharedEncKey1.txt
################################################################
#Encryption key2 path for Turn server
################################################################
turn.auth.shared.secret.enc2.path=sharedEncKey2.txt
- Save and close the properties file.
- Confirm that the three secret key files (the secret key file, anonTokenSecret.txt in the example above, plus sharedEncKey1.txt and sharedEncKey2.txt) are stored at the root of the TURN Server installation directory (for example, C:\TURN): the turn.auth.shared.secret.*.path values above are bare file names and the TURN Server looks for them there. Restrict read access on these files to the account that runs the TURN Server; anyone who can read the shared secret can generate tokens that the server will accept.
- Stop and restart the Sametime TURN Server. For
instructions, see Starting and stopping a Sametime TURN Server.
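As an added consistency check, not part of the IBM documentation or of the Sametime product, the following Python script verifies that the settings made in this procedure agree with each other: it reads TURNTokenAuthEnabled from stavconfig.xml, reads the turn.auth.* settings from TurnServer.properties, confirms that the three secret files are present in the TURN Server installation directory, and compares their SHA-256 hashes with the originals on the SIP Proxy/Registrar, which catches the case where a secret is regenerated on the media server but the copy on the TURN Server is never refreshed. The stavconfig.xml root element, the file contents and the directory layout used by demo() are constructed for illustration; point check_turn_auth() at the live files to run it against a real deployment.

```python
"""Consistency check for Sametime TURN token authentication. Added example, not
IBM's code: checks that stavconfig.xml, TurnServer.properties and the copied
secret files agree. Sample contents below are constructed for illustration."""
import hashlib
import re
import tempfile
import xml.etree.ElementTree as ET
from pathlib import Path

# TurnServer.properties keys from the procedure and their required values.
REQUIRED_TURN_PROPS = {"turn.auth.token.required": "true",
                       "turn.auth.binding.token.required": "true"}
# Keys whose values name secret files, resolved relative to the TURN install dir.
SECRET_PATH_PROPS = ("turn.auth.shared.secret.path",
                     "turn.auth.shared.secret.enc1.path",
                     "turn.auth.shared.secret.enc2.path")

def parse_properties(text):
    """Minimal Java .properties reader: key=value lines, '#' or '!' comments."""
    props = {}
    for line in text.splitlines():
        line = line.strip()
        if not line or line[0] in "#!":
            continue
        m = re.match(r"([^=:\s]+)\s*[=:]\s*(.*)", line)
        if m:
            props[m.group(1)] = m.group(2).strip()
    return props

def stavconfig_value(xml_text, name):
    """Return the value attribute of <configuration name="..."> or None."""
    for el in ET.fromstring(xml_text).iter("configuration"):
        if el.get("name") == name:
            return el.get("value")
    return None

def sha256_file(path):
    return hashlib.sha256(Path(path).read_bytes()).hexdigest()

def check_turn_auth(stavconfig_xml, turn_dir, source_secrets):
    """Return a list of findings (empty means consistent). source_secrets maps each
    SECRET_PATH_PROPS key to the original file on the SIP Proxy/Registrar."""
    findings = []
    clients_send = stavconfig_value(stavconfig_xml, "TURNTokenAuthEnabled") == "true"
    props = parse_properties(Path(turn_dir, "TurnServer.properties").read_text())
    server_checks = all(props.get(k) == v for k, v in REQUIRED_TURN_PROPS.items())
    # Either half alone is wrong: no check at all, or a check that every client fails.
    if clients_send and not server_checks:
        findings.append("TURNTokenAuthEnabled is true but the TURN Server does not require tokens")
    if server_checks and not clients_send:
        findings.append("TURN Server requires tokens but TURNTokenAuthEnabled is not true")
    for key in SECRET_PATH_PROPS:
        rel = props.get(key)
        if not rel:
            findings.append("missing property " + key)
            continue
        copy = Path(turn_dir, rel)  # bare file names resolve against the install directory
        if not copy.is_file():
            findings.append(f"{key}: {copy} not found")
        elif key in source_secrets and sha256_file(source_secrets[key]) != sha256_file(copy):
            findings.append(f"{key}: copy on the TURN Server differs from {source_secrets[key]}")
    return findings

# Constructed samples for the demo; the real stavconfig.xml root element may differ.
STAVCONFIG_XML = """<stavconfig>
  <configuration lastUpdated="1226425838277" name="TURNTokenAuthEnabled" value="true"/>
</stavconfig>"""
TURN_PROPS = """turn.auth.token.required=true
turn.auth.binding.token.required=true
turn.auth.shared.secret.path=anonTokenSecret.txt
turn.auth.shared.secret.enc1.path=sharedEncKey1.txt
turn.auth.shared.secret.enc2.path=sharedEncKey2.txt
"""

def demo():
    """Constructed deployment in a temp dir: consistent, half-enabled, stale-copy cases."""
    with tempfile.TemporaryDirectory() as tmp:
        src, turn = Path(tmp, "sipproxy"), Path(tmp, "TURN")
        src.mkdir(); turn.mkdir()
        (turn / "TurnServer.properties").write_text(TURN_PROPS)
        sources = {}
        for key, name in ((k, parse_properties(TURN_PROPS)[k]) for k in SECRET_PATH_PROPS):
            (src / name).write_text("constructed-secret-" + name)
            (turn / name).write_text("constructed-secret-" + name)
            sources[key] = src / name
        ok = check_turn_auth(STAVCONFIG_XML, turn, sources)
        # Clients not sending tokens while the server enforces them: every call fails.
        half = check_turn_auth(STAVCONFIG_XML.replace('value="true"', 'value="false"'), turn, sources)
        # Secret rotated on the SIP Proxy/Registrar but never re-copied to the TURN Server.
        sources["turn.auth.shared.secret.enc2.path"].write_text("rotated")
        stale = check_turn_auth(STAVCONFIG_XML, turn, sources)
        return ok, half, stale

if __name__ == "__main__":
    for label, result in zip(("consistent", "half-enabled", "stale copy"), demo()):
        print(label, "->", result or "OK")
```

A half-enabled deployment is reported as a finding in both directions: clients sending tokens to a server that does not check them gives no protection, and a server requiring tokens from clients that do not send them rejects every Binding and Allocate request.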