Before you can activate TLS on the server, you must create a JKS, obtain and install a signed server certificate, and trust the CA’s certificate as described in Setting Up TLS for the Instant Messaging Server. You activate TLS on the server when you want to use TLS for server-to-server and/or client-to-server communication.
Table 12–1 lists the parameters in iim.conf used to enable TLS in an Instant Messaging server, with the description and the default value of each parameter.

Table 12–1 Instant Messaging Server TLS Configuration Parameters

| Parameter | Default Value | Description |
|---|---|---|
| iim_server.sslkeystore | None | Contains the relative path and filename for the server's Java keystore (JKS). For example: |
| iim_server.keystorepasswordfile | sslpassword.conf | Contains the relative path and the name of the file that contains the password for the keystore. This file should contain the following line: `Internal (Software) Token:password`, where password is the password protecting the keystore. |
| iim_server.requiressl | false | If true, the server terminates any connection that does not request a TLS connection after the initial stream session is set up. |
| iim_server.trust_all_cert | false | If true, the server trusts all certificates, including expired and self-signed certificates, and also writes the certificate information to the log files. If false, the server does not log certificate information and trusts only valid certificates signed by a CA. |
Use this procedure to configure the Instant Messaging server to use secure communication over TLS in the following ways:

- Require TLS for all client and server connections.
- Require TLS only for specific server-to-server connections.
- Allow TLS connections for clients and servers that request a secure transport after the initial communication session has been set up.
- A combination of requiring TLS for specific server-to-server connections and allowing TLS connections for other clients and servers.
Ensure that you have created a JKS, obtained and installed a server certificate, and configured the server to trust the CA’s certificate as described in Setting Up TLS for the Instant Messaging Server.
For server-to-server TLS communication, you must complete this procedure on each server you want to configure to use TLS.
Add values for the following parameters in iim.conf. If the parameters are not already present in iim.conf, add them.

```
iim_server.sslkeystore=server-keystore.jks
iim_server.keystorepasswordfile=sslpassword.conf
```
The server will now respond to a connection request from any client or another Instant Messaging server with the information that it is able to communicate over TLS. The requesting client or server then chooses whether or not to establish a secure connection over TLS.
If you want the server to require TLS for all connections from clients, and remote and peer servers, add the following parameter to iim.conf:
```
iim_server.requiressl=true
```
If you set this parameter to true, the server will terminate a connection with any client or remote or peer server that does not support TLS. Use this parameter to require secure client-server communication over TLS.
See Chapter 8, Federating Deployment of Multiple Instant Messaging Servers for more information about server-to-server communication.
If you want to require TLS for communication with a specific remote or peer server, add the following parameter to iim.conf:
```
iim_server.coserver1.requiressl=true
```
Set this parameter for each coserver for which you want to require TLS.
If you set iim_server.requiressl to true, the server will require a TLS connection for any server with which it communicates. In this case, you do not need to set this parameter for specific coservers.
(Optional) If you want the server to trust all certificates it receives, and to add certificate information to the log files, add the following parameter to iim.conf:
```
iim_server.trust_all_cert=true
```
You might need to use this feature to test your deployment before you go live. However, you typically should not do this on a deployed system as it presents severe security risks. If this value is true, the server will trust all certificates, including expired and self-signed certificates, and will also add the certificate information into the log files. If false, the server will not log certificate information and will only trust valid certificates signed by a CA.
Refresh the server configuration using imadmin.
```
imadmin refresh server
```
Verify that TLS is working properly.
You can do this a number of ways, for example by following the steps in Invoking the Secure Version of Instant Messenger.
The following is an example section of an iim.conf file with the required TLS configuration for server-to-server and client-to-server communication. Values for the parameters in this example will be different in your deployment. Note that this example sets iim_server.trust_all_cert=true, which, as described above, is suitable only for testing a deployment before going live.

```
! Server to server communication port.
iim_server.port = "5269"
! Should the server listen on the server to server
! communication port
iim_server.useport = "True"
iim_server.coservers=coserver1
iim_server.coserver1.serverid=Iamcompany22
iim_server.coserver1.password=secretforcompany22
iim_server.coserver1.host=iim.i-zed.com:5269
iim_server.serverid=Iami-zed
iim_server.password=secret4i-zed
iim_server.trust_all_cert=true
iim_server.sslkeystore=/var/im/server_keystore.jks
iim_server.keystorepasswordfile=/var/im/sslpassword.conf
```
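The following script is an added example, not part of the Sun documentation or the Instant Messaging product. It reads an iim.conf file and reports the state of the TLS parameters listed in Table 12–1: whether TLS is offered at all (both iim_server.sslkeystore and iim_server.keystorepasswordfile set), whether it is required globally (iim_server.requiressl) or only for particular coservers (iim_server.<coserver>.requiressl), and whether the test-only setting iim_server.trust_all_cert=true is still present. It also extracts the keystore password from the sslpassword.conf line format given in the table. The parser assumes the syntax shown on this page (one `key = value` per line, optional double quotes around values, `!` starting a comment); the constructed sample input is the example iim.conf section above, and the `Internal (Software) Token:` line in the test is constructed as well.

```python
"""Audit the TLS settings of an Instant Messaging iim.conf file.

Added example, not part of the Sun documentation or product. Assumes the
iim.conf syntax shown on the page: `key = value`, optional double quotes
around the value, and `!` introducing a comment line.
"""

# Constructed sample: the example iim.conf section from the page.
SAMPLE_IIM_CONF = """\
! Server to server communication port.
iim_server.port = "5269"
! Should the server listen on the server to server
! communication port
iim_server.useport = "True"
iim_server.coservers=coserver1
iim_server.coserver1.serverid=Iamcompany22
iim_server.coserver1.password=secretforcompany22
iim_server.coserver1.host=iim.i-zed.com:5269
iim_server.serverid=Iami-zed
iim_server.password=secret4i-zed
iim_server.trust_all_cert=true
iim_server.sslkeystore=/var/im/server_keystore.jks
iim_server.keystorepasswordfile=/var/im/sslpassword.conf
"""


def parse_iim_conf(text):
    """Return a dict of parameter -> value; comments and blank lines are skipped."""
    params = {}
    for raw in text.splitlines():
        line = raw.strip()
        if not line or line.startswith("!") or "=" not in line:
            continue
        key, value = line.split("=", 1)
        value = value.strip()
        if len(value) >= 2 and value[0] == value[-1] == '"':
            value = value[1:-1]          # strip surrounding double quotes
        params[key.strip()] = value
    return params


def is_true(value):
    """Boolean parameters on this page are written as true/false (case-insensitive)."""
    return value is not None and value.strip().lower() == "true"


def audit_tls(params):
    """Return (tls_enabled, required_for, findings).

    required_for is "all" when iim_server.requiressl=true, otherwise the list of
    coservers whose iim_server.<coserver>.requiressl is true (possibly empty).
    findings is a list of warnings a reviewer of the configuration would want.
    """
    findings = []
    keystore = params.get("iim_server.sslkeystore")
    pwfile = params.get("iim_server.keystorepasswordfile")
    tls_enabled = bool(keystore and pwfile)
    if not keystore:
        findings.append("iim_server.sslkeystore is not set: the server cannot offer TLS")
    if not pwfile:
        findings.append("iim_server.keystorepasswordfile is not set: the keystore cannot be opened")

    # Default for iim_server.requiressl is false (Table 12-1).
    if is_true(params.get("iim_server.requiressl")):
        required_for = "all"
    else:
        coservers = [c.strip() for c in params.get("iim_server.coservers", "").split(",") if c.strip()]
        required_for = [c for c in coservers if is_true(params.get(f"iim_server.{c}.requiressl"))]
        if tls_enabled and not required_for:
            findings.append("TLS is offered but never required: peers may keep talking in cleartext")

    # Default for iim_server.trust_all_cert is false; true is a test-only setting.
    if is_true(params.get("iim_server.trust_all_cert")):
        findings.append("iim_server.trust_all_cert=true: expired and self-signed certificates are "
                        "accepted and certificate details are logged (test-only setting)")
    return tls_enabled, required_for, findings


def keystore_password(sslpassword_text):
    """Extract the password from sslpassword.conf.

    The table states the file holds the line `Internal (Software) Token:password`.
    Returns None when no such line is present.
    """
    prefix = "Internal (Software) Token:"
    for line in sslpassword_text.splitlines():
        if line.startswith(prefix):
            return line[len(prefix):]
    return None


if __name__ == "__main__":
    enabled, required, warnings = audit_tls(parse_iim_conf(SAMPLE_IIM_CONF))
    print("TLS offered:", enabled)
    print("TLS required for:", required)
    for w in warnings:
        print("WARNING:", w)
```

Run against the page's example, the audit reports that TLS is offered, that no peer is required to use it (neither iim_server.requiressl nor iim_server.coserver1.requiressl is set), and that iim_server.trust_all_cert=true is still in place; after the refresh with `imadmin refresh server`, rerun it on the production iim.conf to confirm the test-only setting has been removed.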