Sun Java System Instant Messaging 7.2 Administration Guide

Procedure: To Activate TLS Communication in the Instant Messaging Server

Use this procedure to configure the Instant Messaging server to use secure communication over TLS in the following ways:

Before You Begin

Ensure that you have created a JKS, obtained and installed a server certificate, and configured the server to trust the CA’s certificate as described in Setting Up TLS for the Instant Messaging Server.

For server-to-server TLS communication, you must complete this procedure on each server you want to configure to use TLS.

  1. Add values for the following parameters in iim.conf.

    If the parameters are not already present in iim.conf, add them.


    iim_server.sslkeystore=server-keystore.jks
    iim_server.keystorepasswordfile=sslpassword.conf
    

    The server will now respond to a connection request from any client or another Instant Messaging server with the information that it is able to communicate over TLS. The requesting client or server then chooses whether or not to establish a secure connection over TLS.

  2. If you want the server to require TLS for all connections from clients, and remote and peer servers, add the following parameter to iim.conf:


    iim_server.requiressl=true

    If you set this parameter to true, the server will terminate a connection with any client or remote or peer server that does not support TLS. Use this parameter to require secure client-server communication over TLS.

    See Chapter 8, Federating Deployment of Multiple Instant Messaging Servers for more information about server-to-server communication.

  3. If you want to require TLS for communication with a specific remote or peer server, add the following parameter to iim.conf:


    iim_server.coserver1.requiressl=true

    Set this parameter for each coserver for which you want to require TLS.

    If you set iim_server.requiressl to true, the server will require a TLS connection for any server with which it communicates. In this case, you do not need to set this parameter for specific coservers.

  4. (Optional) If you want the server to trust all certificates it receives, and to add certificate information to the log files, add the following parameter to iim.conf:


    iim_server.trust_all_cert=true

    Caution –

    You might need to use this feature to test your deployment before you go live. However, you typically should not do this on a deployed system as it presents severe security risks. If this value is true, the server will trust all certificates, including expired and self-signed certificates, and will also add the certificate information into the log files. If false, the server will not log certificate information and will only trust valid certificates signed by a CA.


  5. Refresh the server configuration using imadmin.


    imadmin refresh server
    
  6. Verify that TLS is working properly.

    You can do this in a number of ways, for example by following the steps in Invoking the Secure Version of Instant Messenger.


Example 12–1 TLS Configuration in iim.conf

The following is an example section of an iim.conf file with the required TLS configuration for server-to-server and client-to-server communication. Values for the parameters in this example will be different in your deployment.


! Server to server communication port.
iim_server.port = "5269"
! Should the server listen on the server to server
! communication port
iim_server.useport = "True"
iim_server.coservers=coserver1
iim_server.coserver1.serverid=Iamcompany22
iim_server.coserver1.password=secretforcompany22
iim_server.coserver1.host=iim.i-zed.com:5269
iim_server.serverid=Iami-zed
iim_server.password=secret4i-zed
iim_server.trust_all_cert=true
iim_server.sslkeystore=/var/im/server_keystore.jks
iim_server.keystorepasswordfile=/var/im/sslpassword.conf
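As a complement to step 6 and to Example 12–1, the following added Python check (not part of this guide or of the product) parses an iim.conf fragment and reports where TLS is offered but not required, and where trust_all_cert is enabled. It assumes the syntax shown in the example (key = value lines, `!` comments) and is a static review of the file, not a live connection test.

```python
# Constructed sample: the Example 12-1 fragment from this page (the curly
# quote on the "True" line normalised), used as offline input for the audit.
SAMPLE_IIM_CONF = """\
! Server to server communication port.
iim_server.port = "5269"
iim_server.useport = "True"
iim_server.coservers=coserver1
iim_server.coserver1.serverid=Iamcompany22
iim_server.coserver1.password=secretforcompany22
iim_server.coserver1.host=iim.i-zed.com:5269
iim_server.serverid=Iami-zed
iim_server.password=secret4i-zed
iim_server.trust_all_cert=true
iim_server.sslkeystore=/var/im/server_keystore.jks
iim_server.keystorepasswordfile=/var/im/sslpassword.conf
"""

def parse_iim_conf(text):
    """Parse 'key = value' lines; '!' starts a comment (assumed from the page's example)."""
    conf = {}
    for raw in text.splitlines():
        line = raw.strip()
        if not line or line.startswith("!"):
            continue
        key, sep, value = line.partition("=")
        if sep:
            conf[key.strip()] = value.strip().strip('"')  # later lines override earlier ones
    return conf

def is_true(conf, key):
    return conf.get(key, "").lower() == "true"

def audit_tls(conf):
    """Return findings: TLS not offered, TLS optional, or certificate checks disabled."""
    findings = []
    if not (conf.get("iim_server.sslkeystore") and conf.get("iim_server.keystorepasswordfile")):
        findings.append("TLS not offered: sslkeystore or keystorepasswordfile missing")
    if is_true(conf, "iim_server.trust_all_cert"):
        findings.append("trust_all_cert=true: expired and self-signed certificates accepted")
    if not is_true(conf, "iim_server.requiressl"):
        # No global requirement: clients may stay in plaintext, and each coserver
        # needs its own requiressl parameter to be held to TLS.
        findings.append("requiressl not true: clients may connect without TLS")
        for co in conf.get("iim_server.coservers", "").split(","):
            co = co.strip()
            if co and not is_true(conf, f"iim_server.{co}.requiressl"):
                host = conf.get(f"iim_server.{co}.host", "?")
                findings.append(f"{co} ({host}): TLS optional, not required")
    return findings
```

Running audit_tls over the sample reports three findings; adding iim_server.requiressl=true and setting iim_server.trust_all_cert=false clears them.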