test

Sun Java System Instant Messaging 7.2 Administration Guide

Setting Up Legacy SSL for the Multiplexor and Instant Messenger

If you are using an Instant Messaging client that does not support TLS, you can still use SSL instead of TLS for client-to-multiplexor communication. If you configure the multiplexor to use SSL, you cannot use TLS for client-to-server communication. All communication between the multiplexor and the server will be in clear text over an unsecured transport.

If you set up legacy SSL on the multiplexor and are using the XMPP/HTTP Gateway, you must configure the gateway to communicate directly with the server, not the multiplexor. The gateway does not support legacy SSL.

Enabling SSL between the multiplexor and Instant Messenger requires the following:

  1. Requesting an SSL Certificate for the Instant Messaging Multiplexor from the CA.

  2. Installing the Certificate.

  3. Enabling Legacy SSL Between the Multiplexor and Instant Messenger.

  4. Activating TLS on the Instant Messaging Server.

  5. Invoking the Secure Version of Instant Messenger.

Requesting an SSL Certificate for the Instant Messaging Multiplexor from the CA

To enable SSL in the multiplexor, you need to request a certificate.

ProcedureTo Request a Certificate for the Instant Messaging Multiplexor

This section assumes you are requesting the certificate using either the Sun Java System Web Server or Sun Java System Application Server as your web container.

The multiplexor uses NSS for certificate management, so you can use the NSS utilities to create, manage, and use certificates and the certificate database.

  1. In a web browser, type the following URL to start the web container's administration server:


    http://hostname.domain-name:administration-port

    A window prompting you for a user name and password appears.

  2. Type the administration user name and password you specified during the Web Server or Application Server installation.

    The Administration Server page appears.

  3. Create a separate Web Server or Application Server instance.

    For more information on installing multiple instances of the Application Server, see the Sun Java System Application Server Enterprise Edition 8.2 Installation Guide. For information about installing multiple instances of Web Server, see the Sun Java Communications Suite 5 Installation Guide.

  4. Create a trust database to store the public and private keys, referred as the key-pair file.

    The key-pair file is used for SSL encryption.

    For information on creating a trust database, see Chapter 9, Configuring Security, in Sun Java System Application Server Enterprise Edition 8.2 Administration Guide for Application Server and Chapter 6, Certificates and Keys, in Sun Java System Web Server 7.0 Administrator’s Guide for Web Server.

  5. Request a certificate from the CA.

    For more information on requesting a certificate, see Chapter 9, Configuring Security, in Sun Java System Application Server Enterprise Edition 8.2 Administration Guide for Application Server and Chapter 6, Certificates and Keys, in Sun Java System Web Server 7.0 Administrator’s Guide for Web Server.

Installing the Certificate

After you receive the signed server certificate from your Certificate Authority, you need to install the certificate and create databases for secure communication.

ProcedureTo Install the Certificate for the Instant Messaging Multiplexor

  1. In a web browser, type the following URL to start the administration server:


    http://hostname.domain-name:administration-port

    A window appears, prompting you for a user name and password.

  2. Type the administration user name and password you specified during the Web Server or Application Server installation.

    The Administration Server page appears.

  3. Install the server certificate.

    For more information on installing the certificate, see the Web Server or Application Server product documentation at http://docs.sun.com

  4. Change to your Web Server or Application Server’s /alias directory.

  5. Copy the database files from the /alias directory to the Instant Messaging server's im-cfg-base directory.

    For example, on Solaris:


    cp https-serverid-hostname-cert8.db /etc/opt/SUNWiim/default/config/cert8.db


    cp https-serverid-hostname-key3.db /etc/opt/SUNWiim/default/config/key3.db


    cp secmod.db /etc/opt/SUNWiim/default/config/secmod.db

    and on Linux:


    cp https-serverid-hostname-cert8.db /etc/opt/sun/im/default/config/cert8.db


    cp https-serverid-hostname-key3.db /etc/opt/sun/im/default/config/key3.db


    cp secmod.db /etc/opt/sun/im/default/config/secmod.db
    Note –

    You need to allow Read permission on the cert7.db, key3.db, and secmod.db files for the system user used by the multiplexor. In addition, if you created multiple instances of Instant Messaging, the name of the /default directory will vary depending on the instance.

    See Table 3–1 for default locations for im-cfg-base.

  6. Change to your im-cfg-base on the multiplexor's host.

    See Instant Messaging Server Directory Structure for information on locating im-cfg-base.

  7. Create a file named sslpassword.conf using a text editor of your choice.

  8. Enter the following line in sslpassword.conf.


    Internal (Software) Token:password

    Where password is the password you specified when you created the trust database.

  9. Save and close sslpassword.conf.

  10. Ensure that all Instant Messenger end users have Ownership and Read permission on sslpassword.conf.

  11. Restart the multiplexor.

  12. Verify that SSL is working properly.

    You can do this a number of ways, for example by following the steps in Invoking the Secure Version of Instant Messenger.

  13. Log in to the Web Server or Application Server as an administrator.

  14. Remove the server instance that you created while requesting the certificate.

Enabling Legacy SSL Between the Multiplexor and Instant Messenger

You enable SSL for client-to-multiplexor communication by modifying parameters in iim.conf and then connecting to the multiplexor using the secure version of the Instant Messenger client.

Table 12–2 lists the parameters in iim.conf for enabling SSL between Instant Messenger and the multiplexor. It also lists the description and the default value of these parameters.

Table 12–2 Instant Messaging Multiplexor SSL Parameters

Parameter  

Default Value  

Description  

iim_mux.usessl

off

If the value is set to on, the multiplexor requires an SSL handshake for each connection it accepts, before exchanging any application data.

iim_mux.secconfigdir

Solaris: /etc/opt/SUNWiim/default/config

Linux: /etc/opt/sun/im/default/config

This directory contains the key and certificate databases. It usually contains the security module database. In addition, if you created multiple instances of Instant Messaging, the name of the /default directory will vary depending on the instance. See Creating Multiple Instances from a Single Instant Messaging Installation for more information.

iim_mux.keydbprefix

(Empty string) 

This value should contain the key database filename prefix. The key database file name must always end with key3.db.

If the Key database contains a prefix, for example This-Database-key3.db, then value of this parameter is This-Database.

iim_mux.certdbprefix

(Empty string) 

This value should contain the certificate database filename prefix. The certificate database file name must always end with cert7.db.

If the certificate database contains a prefix, for example Secret-stuff-cert7.db, then value of this parameter is Secret-stuff.

iim_mux.secmodfile

secmod.db

This value should contain the name of the security module file. 

iim_mux.certnickname

Multiplexor-Cert

This value should contain the name of the certificate you entered while installing the certificate. 

The certificate name is case-sensitive. 

iim_mux.keystorepasswordfile

sslpassword.conf

This value should contain the relative path and the name of the file containing the password for the key database. This file should contain the following line: 

Internal (Software) Token:password

Where password is the password protecting the key database.

ProcedureTo Enable SSL Between Instant Messenger and the Multiplexor

  1. Open iim.conf.

    See iim.conf File Syntax for instructions on locating and modifying iim.conf.

  2. Add the values from Table 12–2 to the multiplexor configuration parameters in iim.conf.

Example 12–2 Legacy SSL Multiplexor Configuration in iim.conf

The following is an example of iim.conf with the multiplexor configuration parameters included:


! IIM multiplexor configuration
! =============================
!
! Multiplexor specific options

! IP address and listening port for the multiplexor.
! WARNING: If this value is changed, the port value of ’-server’
! argument in the client’s im.html and im.jnlp files should 
! also be changed to match this.
iim_mux.listenport = "siroe.com:5222"

! The IM server and port the multiplexor talks to.
iim_mux.serverport = "siroe.com:45222"

! Number of instances of the multiplexor.
iim_mux.numinstances = "1"

! Maximum number of threads per instance
iim_mux.maxthreads = "10"

! Maximum number of concurrent connections per multiplexor process
iim_mux.maxsessions = "1000"

                         
iim_mux.usessl = "on"
iim_mux.secconfigdir = "/etc/opt/SUNWiim/default/config"
iim_mux.keydbprefix = "This-Database"
iim_mux.certdbprefix = "Secret-stuff"
iim_mux.secmodfile = "secmod.db"
iim_mux.certnickname = "Multiplexor_Cert"
iim_mux.keystorepasswordfile = "sslpassword.conf"