Chapter 10 Managing SSL for Instant Messaging

You use SSL for secure Instant Messaging communications. This chapter provides instructions on setting up SSL for Instant Messaging in the following sections:

• Overview of Using SSL in Instant Messaging

• Requesting a Certificate from the Certificate Authority

• Installing the Certificate

• Enabling SSL Between the Multiplexor and Instant Messenger

• Invoking the Secure Version of Instant Messenger

• Activating SSL for Server to Server Communication

Overview of Using SSL in Instant Messaging

Instant Messaging supports the Secure Sockets Layer (SSL) protocol, for encrypted communications and for certificate-based authentication of Instant Messaging servers. Instant Messaging server supports SSL version 3.0.

Instant Messaging multiplexor and Instant Messenger also support SSL for encrypted communication between the client and the multiplexor.

Enabling SSL for Instant Messaging server requires the following:

1. Obtaining and installing a certificate for your Instant Messaging server, and configuring the Instant Messaging server to trust the Certification Authority’s certificate.

2. Ensuring that each Instant Messaging server that needs to communicate using SSL with your server, obtains and installs a certificate.

3. Turning on SSL in the server by setting the appropriate parameters in the iim.conf file.

Enabling SSL between the multiplexor and Instant Messenger requires the following:

1. Requesting a Certificate from the Certificate Authority.

2. Installing the Certificate.

3. Enabling SSL Between the Multiplexor and Instant Messenger.

4. Activating SSL for Server to Server Communication.

5. Invoking the Secure Version of Instant Messenger.

For more information about managing certificates, see the Web Server and Application Server product documentation at http://docs.sun.com.

Requesting a Certificate from the Certificate Authority

To enable SSL, you need to request a certificate. You can request the certificate using Sun Java^TM System Web Serveror Sun Java^TM System Application Server.

To Request a Certificate

Steps

1. Type the following URL for starting the administration server in your browser:

   http://hostname.domain-name:administration_port

   A window prompting you for a user name and password appears.

2. Type the administration user name and password you specified during the Web Server or Application Server installation.

   The Administration Server page appears.

3. Create a separate Web Server or Application Server instance.

   For more information on installing multiple instances of the server, see the product documentation at http://docs.sun.com/.

4. Create a trust database to store the public and private keys, referred as the key-pair file.

   The key-pair file is used for SSL encryption.

   For information on creating a trust database, see the Web Server or Application Server product documentation at http://docs.sun.com/.

5. Request a certificate from the Certificate Authority.

   For more information on requesting a certificate, see the Web Server or Application Server product documentation at http://docs.sun.com/.

Installing the Certificate

After you receive the server certificate from your Certificate Authority, you need to install the certificate and create databases for secure communication.

To Install the Certificate

Steps

1. Type the following URL for starting the administration server in your browser:

   http://hostname.domain-name:administration_port

   A window appears, prompting you for a user name and password.

2. Type the administration user name and password you specified during the Web Server or Application Server installation.

   The Administration Server page appears.

3. Install the server certificate.

   For more information on installing the certificate, see the Web Server or Application Server product documentation at http://docs.sun.com

4. Change to your Web Server or Application Server’s /alias directory.

5. Copy the database files from the /alias directory to the Instant Messaging server's im_cfg_base directory.

   cp https-serverid-hostname-cert8.db /etc/opt/SUNWiim/default/config/cert8.db

   cp https-serverid-hostname-key3.db /etc/opt/SUNWiim/default/config/key3.db

   cp secmod.db /etc/opt/SUNWiim/default/config/secmod.db

   ---

   Note –

   The end user on which the Instant Messaging server runs should have Read permission on cert7.db, key3.db, and secmod.db files. In addition, if you created multiple instances of Instant Messaging, the name of the /default directory will vary depending on the instance.

   ---

   See Table 3–1 for default locations for im_cfg_base.

6. Change to your Instant Messaging server's im_cfg_base directory.

   See Instant Messaging Server Directory Structure for information on locating im_cfg_base.

7. Create a file named sslpassword.conf using an editor of your choice.

8. Enter the following line in sslpassword.conf.

   Internal (Software) Token:password

   Where password is the password you specified when you created the trust database.

9. Save and close sslpassword.conf.

10. Ensure that all Instant Messenger end users have Ownership and Read permission on sslpassword.conf.

11. Verify that SSL is working properly.

    You can do this a number of ways, for example by following the steps in Invoking the Secure Version of Instant Messenger.

12. Log in to the Web Server or Application Server as an administrator.

13. Remove the server instance that you created while requesting the certificate.

Enabling SSL Between the Multiplexor and Instant Messenger

Table 10–1 lists the parameters in iim.conf for enabling SSL between Instant Messenger and multiplexor. It also lists the description and the default value of these parameters.

To Enable SSL Between Instant Messenger and the Multiplexor

Steps

1. Open iim.conf.

   See iim.conf File Syntax for instructions on locating and modifying iim.conf.

2. Add the values from Table 10–1 to the multiplexor configuration parameters in iim.conf.

Example 10–1 SSL Multiplexor Configuration in iim.conf

The following is an example of iim.conf with the multiplexor configuration parameters included:

! IIM multiplexor configuration
! =============================
!
! Multiplexor specific options

! IP address and listening port for the multiplexor.
! WARNING: If this value is changed, the port value of ’-server’
! argument in the client’s im.html and im.jnlp files should 
! also be changed to match this.
iim_mux.listenport = "siroe.com:5222"

! The IM server and port the multiplexor talks to.
iim_mux.serverport = "siroe.com:45222"

! Number of instances of the multiplexor.
iim_mux.numinstances = "1"

! Maximum number of threads per instance
iim_mux.maxthreads = "10"

! Maximum number of concurrent connections per multiplexor process
iim_mux.maxsessions = "1000"

                         
iim_mux.usessl = "on"
iim_mux.secconfigdir = "/etc/opt/SUNWiim/default/config"
iim_mux.keydbprefix = "This-Database"
iim_mux.certdbprefix = "Secret-stuff"
iim_mux.secmodfile = "secmod.db"
iim_mux.certnickname = "Server_Cert"
iim_mux.keystorepasswordfile = "sslpassword.conf"

Invoking the Secure Version of Instant Messenger

The secure version of Instant Messenger can be invoked by accessing imssl.html or imssl.jnlp from your web browser. These files are located under the resource directory, the base directory under which all the Instant Messenger resources are stored.

The links to these applet descriptor files can also be added to index.html.

Activating SSL for Server to Server Communication

Before you can activate SSL, you must create a certificate database, obtain and install a server certificate, and trust the CA’s certificate as described earlier.

Table 10–2 lists the parameters in iim.conf used to enable SSL between two Instant Messaging servers. It also contains the description and the default value of these parameters.

To Activate SSL Between Servers

Steps

1. Set these iim.conf parameters:

   • iim_server.usesslport=true

   • iim_server.sslport=5223

   These parameters should already be in the iim.conf file.

   See iim.conf File Syntax for instructions on locating and modifying iim.conf.

2. Set the server-to-server configuration as described in Chapter 6, Federating Deployment of Multiple Instant Messaging Servers.

3. Add the following additional parameter to iim.conf:

   iim_server.coserver1.usessl=true

4. Change the port number of the following parameter:

   iim_server.coserver1.host=hostname:5223

   The port number should be the SSL port of the other server.

5. Refresh the server configuration using imadmin.

   imadmin refresh server

Example 10–2 SSL Server Configuration in iim.conf

Following is a section of iim.conf file with the required SSL configuration:

! Server to server communication port.
iim_server.port = "5269”
! Should the server listen on the server to server
! communication port
iim_server.useport = "True”
! Should this server listen for server-to-server communication
! using ssl port
iim_server.usesslport = "True”
iim_server.sslport=5223
iim_server.coservers=coserver1
iim_server.coserver1.serverid=Iamcompany22
iim_server.coserver1.password=secretforcompany22
iim_server.coserver1.usessl=true
iim_server.coserver1.host=iim.i-zed.com:5223
iim_server.serverid=Iami-zed
iim_server.password=secret4i-zed
iim_server.secconfigdir = "/etc/opt/SUNWiim/default/config"
iim_server.keydbprefix = "This-Database"
iim_server.certdbprefix = "Secret-stuff"
iim_server.secmodfile = "secmod.db"
iim_server.certnickname = "Server_Cert"
iim_server.keystorepasswordfile = "sslpassword.conf"