IBM® Sametime® supports the U.S.
government-defined security requirements for cryptographic modules
known as FIPS 140-2 (Federal Information Processing Standard 140-2).
Installing the FIPS Server is only necessary if your Sametime deployment must
be FIPS-compliant; otherwise, it is optional.
Before you begin
You should have already installed the IBM Sametime System
Console and the Sametime Proxy
Server. If you want to administer the FIPS Server from the Sametime System Console,
you should have already installed the FIPS administration portlet.
About this task
The FIPS administration portlet can connect to the FIPS Server
only if the server is installed on the Sametime Proxy Server. You
cannot have multiple FIPS Servers running on the same computer.
Note: Currently, you cannot administer the per-node configuration
or vertical clustering of FIPS on the Sametime System Console.
The administration portlet administers, and therefore shows, only
registered cell deployments or horizontal cluster deployments.
It does not show the individual primary or secondary nodes of a cluster.
Procedure
- On
the server where you will install the FIPS server, enable FIPS on
the WebSphere® Application
Server by following the procedure in Configuring Federal Information Processing Standard Java™ Secure Socket Extension files.
- Copy sametimefipsproxy.war from setup\STIPLaunchpad\disk1\FIPSProxy on
the image disk to your local drive.
- Log in to the Integrated Solutions Console on the computer
where you are installing the FIPS Server.
- Click .
- On the Enterprise Applications page, click Install.
- In the Path to the new application section,
browse to the sametimefipsproxy.war file. Keep
the default settings to install the server, and then click Next.
- Enter the context root that you want for the FIPS Server,
for example, /fipsProxy.
- Click Finish and save the configuration.
- Restart the Sametime Proxy
Server to automatically start the FIPS Server.
- Log in to the Integrated Solutions Console.
- Click .
You can edit FIPS settings only if the FIPS WAR file is running
on the server where it is installed. Make sure that your FIPS
Server is running before you try to administer it.
- Click the FIPS Server that you installed.
- Enter a fully qualified inbound host name and port and
an outbound host name and port to which FIPS connects.
If you are using the FIPS administration portlet, also replace the serverAddress
entries with entries for the Sametime Community server
that is connected to the Sametime Proxy Server.
Click OK.
- Restart the Sametime Proxy
Server again to automatically start the FIPS Server.
- In a text editor, open the sametimeProxy.xml file.
This file defines the port routing so the TLS Connections can use
the proxy to access the Sametime server.
The file is located in the \WebSphere\AppServer\profiles\profile_name\installedApps\cell_name\sametimefipsproxy_war.ear\sametimefipsproxy.war directory.
- If you are using the FIPS administration portlet, skip
to the next step.
If you are not using the FIPS administration
portlet, edit the SametimeProxyChannel properties in the sametimeProxy.xml
file. Replace the serverAddress entries with entries for the Sametime Community server
that is connected to the Sametime Proxy Server.
In the following entries, replace "temp.sametimeserver.com"
with your Sametime server
name, for example, "yourserver.yourdomain.com".
<channel name="SametimeProxyChannel" factory="com.ibm.sametime.proxy.channel.impl.SametimeProxyChannelFactory" sequence="2" weight="1">
...
<property name="serverAddress1" value="temp.sametimeserver.com:8081" />
<property name="clientAddress2" value="*:1533" />
<property name="serverAddress2" value="temp.sametimeserver.com:1533" />
<property name="clientAddress3" value="*:554" />
<property name="serverAddress3" value="temp.sametimeserver.com:554" />
...
</channel>
- Edit the TLSInboundChannel properties in the sametimeProxy.xml
file:
- Close and save the file.
- Restart the Sametime Proxy
Server again to put the configuration changes into effect.
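As an added example for the sametimeProxy.xml step above (not code from the IBM documentation), this Python script replaces the placeholder host in each serverAddressN entry of the SametimeProxyChannel with your Community server name, keeps the ports, and lists each clientAddressN listener beside the target it routes to so the routing can be reviewed before the file is saved. The enclosing <channels> root element and the clientAddress1 entry are assumptions, since the page shows only part of the channel.

```python
import re
import xml.etree.ElementTree as ET

PLACEHOLDER_HOST = "temp.sametimeserver.com"

# Constructed sample: the page shows only the SametimeProxyChannel fragment,
# so the enclosing <channels> root and the clientAddress1 entry are assumed.
SAMPLE_XML = """<channels>
  <channel name="SametimeProxyChannel" factory="com.ibm.sametime.proxy.channel.impl.SametimeProxyChannelFactory"
           sequence="2" weight="1">
    <property name="clientAddress1" value="*:8081" />
    <property name="serverAddress1" value="temp.sametimeserver.com:8081" />
    <property name="clientAddress2" value="*:1533" />
    <property name="serverAddress2" value="temp.sametimeserver.com:1533" />
    <property name="clientAddress3" value="*:554" />
    <property name="serverAddress3" value="temp.sametimeserver.com:554" />
  </channel>
</channels>
"""

# host:port, where host is a DNS name or the "*" wildcard used by clientAddress entries
HOST_PORT = re.compile(r"^([A-Za-z0-9.-]+|\*):(\d{1,5})$")


def rewrite_server_addresses(xml_text, community_host):
    """Point every serverAddressN entry at community_host, keeping its port."""
    root = ET.fromstring(xml_text)
    channel = root.find("channel[@name='SametimeProxyChannel']")
    if channel is None:
        raise ValueError("SametimeProxyChannel not found in sametimeProxy.xml")
    props = {p.get("name"): p for p in channel.findall("property")}
    routes = []  # (clientAddressN listener, serverAddressN target) for review
    for name, prop in props.items():
        if not name.startswith("serverAddress"):
            continue
        match = HOST_PORT.match(prop.get("value", ""))
        if not match or not 1 <= int(match.group(2)) <= 65535:
            raise ValueError(f"{name}: expected host:port, got {prop.get('value')!r}")
        host, port = match.groups()
        if host == PLACEHOLDER_HOST:
            prop.set("value", f"{community_host}:{port}")
        client = props.get("clientAddress" + name[len("serverAddress"):])
        routes.append((client.get("value") if client is not None else None, prop.get("value")))
    new_xml = ET.tostring(root, encoding="unicode")
    if PLACEHOLDER_HOST in new_xml:
        raise ValueError("placeholder host still present; edit the remaining entries by hand")
    return new_xml, routes
```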
Results
Sametime Connect clients
use the "Direct connection using TLS" Connection option when setting
up the server community connected to the FIPS-enabled server.