If you are using an Instant Messaging client that does not support TLS, you can still use SSL instead of TLS for client-to-multiplexor communication. If you configure the multiplexor to use SSL, you cannot use TLS for client-to-server communication. All communication between the multiplexor and the server will be in clear text over an unsecured transport.
If you set up legacy SSL on the multiplexor and are using the XMPP/HTTP Gateway, you must configure the gateway to communicate directly with the server, not the multiplexor. The gateway does not support legacy SSL.
Enabling SSL between the multiplexor and Instant Messenger requires the following:
Requesting an SSL Certificate for the Instant Messaging Multiplexor from the CA.
Enabling Legacy SSL Between the Multiplexor and Instant Messenger.
To enable SSL in the multiplexor, you need to request a certificate.
This section assumes you are requesting the certificate using either the Sun Java System Web Server or Sun Java System Application Server as your web container.
The multiplexor uses NSS for certificate management, so you can use the NSS utilities to create, manage, and use certificates and the certificate database.
In a web browser, type the following URL to start the web container's administration server:
http://hostname.domain-name:administration-port
A window prompting you for a user name and password appears.
Type the administration user name and password you specified during the Web Server or Application Server installation.
The Administration Server page appears.
Create a separate Web Server or Application Server instance.
For more information on installing multiple instances of the Application Server, see the Sun Java System Application Server Enterprise Edition 8.2 Installation Guide. For information about installing multiple instances of Web Server, see the Sun Java Communications Suite 5 Installation Guide.
Create a trust database to store the public and private keys, referred to as the key-pair file.
The key-pair file is used for SSL encryption.
For information on creating a trust database, see Chapter 9, Configuring Security, in Sun Java System Application Server Enterprise Edition 8.2 Administration Guide for Application Server and Chapter 6, Certificates and Keys, in Sun Java System Web Server 7.0 Administrator’s Guide for Web Server.
Request a certificate from the CA.
For more information on requesting a certificate, see Chapter 9, Configuring Security, in Sun Java System Application Server Enterprise Edition 8.2 Administration Guide for Application Server and Chapter 6, Certificates and Keys, in Sun Java System Web Server 7.0 Administrator’s Guide for Web Server.
After you receive the signed server certificate from your Certificate Authority, you need to install the certificate and create databases for secure communication.
In a web browser, type the following URL to start the administration server:
http://hostname.domain-name:administration-port
A window appears, prompting you for a user name and password.
Type the administration user name and password you specified during the Web Server or Application Server installation.
The Administration Server page appears.
Install the server certificate.
For more information on installing the certificate, see the Web Server or Application Server product documentation at http://docs.sun.com.
Change to your Web Server or Application Server’s /alias directory.
Copy the database files from the /alias directory to the Instant Messaging server's im-cfg-base directory.
For example, on Solaris:

cp https-serverid-hostname-cert8.db /etc/opt/SUNWiim/default/config/cert8.db
cp https-serverid-hostname-key3.db /etc/opt/SUNWiim/default/config/key3.db
cp secmod.db /etc/opt/SUNWiim/default/config/secmod.db

and on Linux:

cp https-serverid-hostname-cert8.db /etc/opt/sun/im/default/config/cert8.db
cp https-serverid-hostname-key3.db /etc/opt/sun/im/default/config/key3.db
cp secmod.db /etc/opt/sun/im/default/config/secmod.db
You need to allow Read permission on the copied certificate database (cert7.db or cert8.db), key3.db, and secmod.db files for the system user that the multiplexor runs as. In addition, if you created multiple instances of Instant Messaging, the name of the /default directory will vary depending on the instance.
See Table 3–1 for default locations for im-cfg-base.
Change to your im-cfg-base on the multiplexor's host.
See Instant Messaging Server Directory Structure for information on locating im-cfg-base.
Create a file named sslpassword.conf using a text editor of your choice.
Enter the following line in sslpassword.conf.
Internal (Software) Token:password
Where password is the password you specified when you created the trust database.
Save and close sslpassword.conf.
Ensure that all Instant Messenger end users have Ownership and Read permission on sslpassword.conf.
Restart the multiplexor.
Verify that SSL is working properly.
You can do this a number of ways, for example by following the steps in Invoking the Secure Version of Instant Messenger.
Log in to the Web Server or Application Server as an administrator.
Remove the server instance that you created while requesting the certificate.
You enable SSL for client-to-multiplexor communication by modifying parameters in iim.conf and then connecting to the multiplexor using the secure version of the Instant Messenger client.
Table 12–2 lists the parameters in iim.conf for enabling SSL between Instant Messenger and the multiplexor. It also lists the description and the default value of these parameters.
Table 12–2 Instant Messaging Multiplexor SSL Parameters

| Parameter | Default Value | Description |
|---|---|---|
| iim_mux.usessl | off | If the value is set to on, the multiplexor requires an SSL handshake for each connection it accepts, before exchanging any application data. |
| iim_mux.secconfigdir | Solaris: /etc/opt/SUNWiim/default/config; Linux: /etc/opt/sun/im/default/config | This directory contains the key and certificate databases. It usually also contains the security module database. If you created multiple instances of Instant Messaging, the name of the /default directory will vary depending on the instance. See Creating Multiple Instances from a Single Instant Messaging Installation for more information. |
| iim_mux.keydbprefix | (Empty string) | The key database filename prefix. The key database file name must always end with key3.db. If the key database has a prefix, for example This-Database-key3.db, then the value of this parameter is This-Database. |
| iim_mux.certdbprefix | (Empty string) | The certificate database filename prefix. The certificate database file name must always end with cert7.db. If the certificate database has a prefix, for example Secret-stuff-cert7.db, then the value of this parameter is Secret-stuff. |
| iim_mux.secmodfile | secmod.db | The name of the security module file. |
| iim_mux.certnickname | Multiplexor-Cert | The name of the certificate you entered while installing the certificate. The certificate name is case-sensitive. |
| iim_mux.keystorepasswordfile | sslpassword.conf | The relative path and name of the file containing the password for the key database. This file should contain the single line Internal (Software) Token:password, where password is the password protecting the key database. |
Open iim.conf.
See iim.conf File Syntax for instructions on locating and modifying iim.conf.
Add the values from Table 12–2 to the multiplexor configuration parameters in iim.conf.
The following is an example of iim.conf with the multiplexor configuration parameters included:
! IIM multiplexor configuration
! =============================
!
! Multiplexor specific options
! IP address and listening port for the multiplexor.
! WARNING: If this value is changed, the port value of '-server'
! argument in the client's im.html and im.jnlp files should
! also be changed to match this.
iim_mux.listenport = "siroe.com:5222"
! The IM server and port the multiplexor talks to.
iim_mux.serverport = "siroe.com:45222"
! Number of instances of the multiplexor.
iim_mux.numinstances = "1"
! Maximum number of threads per instance
iim_mux.maxthreads = "10"
! Maximum number of concurrent connections per multiplexor process
iim_mux.maxsessions = "1000"
iim_mux.usessl = "on"
iim_mux.secconfigdir = "/etc/opt/SUNWiim/default/config"
iim_mux.keydbprefix = "This-Database"
iim_mux.certdbprefix = "Secret-stuff"
iim_mux.secmodfile = "secmod.db"
iim_mux.certnickname = "Multiplexor_Cert"
iim_mux.keystorepasswordfile = "sslpassword.conf"
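The most common reason the multiplexor fails to start after this procedure is a mismatch between the iim_mux.* parameters and what is actually on disk: a database prefix that does not match the copied file names, a database the multiplexor user cannot read, or an sslpassword.conf that does not have the exact Internal (Software) Token:password line. The following pre-flight check is an added example, not part of the Sun Java System Instant Messaging product: it parses the iim.conf syntax shown above (one key = "value" per line, "!" comments), derives the key, certificate and security module file names from the prefixes as Table 12–2 describes, and reports anything missing, unreadable or malformed before you restart the multiplexor. It assumes iim_mux.keystorepasswordfile is relative to iim_mux.secconfigdir, tries both cert7.db and cert8.db (the table names one, the cp example the other), and tries both a direct and a hyphenated prefix join because the page pairs the prefix This-Database with the file This-Database-key3.db. The sample directory and configuration it builds are constructed for the demonstration.

```python
"""Pre-flight check for the multiplexor's legacy-SSL parameters (added example)."""
import os
import re
import tempfile

# iim.conf syntax as shown on the page: key = "value", comments start with "!"
LINE_RE = re.compile(r'^\s*([A-Za-z0-9_.]+)\s*=\s*"([^"]*)"\s*$')
PASSWORD_LINE_RE = re.compile(r'^Internal \(Software\) Token:(.+)$')


def parse_iim_conf(text):
    """Return the parameters of an iim.conf text as a dict, skipping comments."""
    params = {}
    for raw in text.splitlines():
        line = raw.strip()
        if not line or line.startswith('!'):
            continue
        match = LINE_RE.match(line)
        if match:
            params[match.group(1)] = match.group(2)
    return params


def _candidates(directory, prefix, suffixes):
    """File names a prefix may denote. Assumption: the page pairs prefix
    'This-Database' with 'This-Database-key3.db', so try both prefix+suffix
    and prefix-suffix (NSS itself prepends the prefix verbatim)."""
    names = {prefix + s for s in suffixes}
    if prefix:
        names |= {f'{prefix}-{s}' for s in suffixes}
    return sorted(os.path.join(directory, n) for n in names)


def nss_db_paths(params):
    """Map each database the multiplexor opens to its candidate file paths."""
    d = params.get('iim_mux.secconfigdir', '')
    return {
        'key database': _candidates(d, params.get('iim_mux.keydbprefix', ''), ['key3.db']),
        # Table 12-2 names cert7.db; the cp example copies cert8.db: accept either.
        'certificate database': _candidates(d, params.get('iim_mux.certdbprefix', ''),
                                            ['cert7.db', 'cert8.db']),
        'security module database': [os.path.join(d, params.get('iim_mux.secmodfile', 'secmod.db'))],
    }


def password_file_issues(path):
    """sslpassword.conf must start with 'Internal (Software) Token:<password>'."""
    try:
        with open(path, encoding='utf-8') as fh:
            first = fh.readline().rstrip('\n')
    except OSError as exc:
        return [f'{path}: cannot read ({exc.strerror})']
    if not PASSWORD_LINE_RE.match(first):
        return [f'{path}: first line is not "Internal (Software) Token:password"']
    return []


def mux_ssl_issues(params):
    """Return a list of problems that would stop SSL from working; empty is good."""
    issues = []
    if params.get('iim_mux.usessl', 'off') != 'on':
        return issues  # SSL disabled on the multiplexor: nothing to verify
    if not params.get('iim_mux.certnickname'):
        issues.append('iim_mux.certnickname is empty; no certificate can be selected')
    for label, candidates in nss_db_paths(params).items():
        found = [p for p in candidates if os.path.isfile(p)]
        if not found:
            issues.append(f'{label} not found: tried {", ".join(candidates)}')
        elif not os.access(found[0], os.R_OK):  # run this as the multiplexor's user
            issues.append(f'{label} {found[0]} is not readable by this user')
    # Assumption: the password file path is relative to secconfigdir (im-cfg-base)
    pw_path = os.path.join(params.get('iim_mux.secconfigdir', ''),
                           params.get('iim_mux.keystorepasswordfile', 'sslpassword.conf'))
    issues.extend(password_file_issues(pw_path))
    return issues


# Constructed sample adapted from the page's iim.conf example; {cfg} is filled in.
SAMPLE_CONF = """\
! IIM multiplexor configuration (constructed sample for this example)
iim_mux.listenport = "siroe.com:5222"
iim_mux.serverport = "siroe.com:45222"
iim_mux.usessl = "on"
iim_mux.secconfigdir = "{cfg}"
iim_mux.keydbprefix = "This-Database"
iim_mux.certdbprefix = "Secret-stuff"
iim_mux.secmodfile = "secmod.db"
iim_mux.certnickname = "Multiplexor_Cert"
iim_mux.keystorepasswordfile = "sslpassword.conf"
"""


def build_demo(complete=True):
    """Create a throwaway im-cfg-base directory and return (params, issues).
    With complete=False the key database is left out, simulating a forgotten cp."""
    cfg = tempfile.mkdtemp(prefix='im-cfg-')
    names = ['This-Database-key3.db', 'Secret-stuff-cert8.db', 'secmod.db']
    if not complete:
        names.remove('This-Database-key3.db')
    for name in names:  # empty placeholders; real files come from the /alias directory
        open(os.path.join(cfg, name), 'wb').close()
    with open(os.path.join(cfg, 'sslpassword.conf'), 'w', encoding='utf-8') as fh:
        fh.write('Internal (Software) Token:constructed-trustdb-password\n')
    params = parse_iim_conf(SAMPLE_CONF.format(cfg=cfg))
    return params, mux_ssl_issues(params)


if __name__ == '__main__':
    for complete in (True, False):
        _, found_issues = build_demo(complete)
        print('complete' if complete else 'missing key db', '->', found_issues or 'OK')
```

Run it as the system user the multiplexor runs as, since the readability check reflects that user's permissions, not root's.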