Implementing the Global TLS Scope for Docker
You must have a key store and trust store as a .p12 file. Both third party and self-signed certificates are supported.
Note: If you are supporting mobile clients, use a third-party certificate.
- A trust store needed for creating outbound connections.
- The trust store is used by the client side of a TLS connection to validate the server's certificate.
- With mutual authentication, the trust store is also used by the server to validate the client's certificate.
- A key store needed for accepting inbound connections.
- The key store is used by the server side of a TLS connection to store the server certificate as well as chain certificates, if any chain certificates exist.
- During client authentication, the key store is used by the client to store its client certificate and chain certificates, if any exist.
- All Sametime encryption is done at TLS 1.2, which can be overridden if a lower version is required.
The following tables describe the required and optional configuration settings in the sametime.ini. To configure the sametime.ini file, see Configuring the sametime.ini file on Docker or Podman.
Table 1. Required parameters
| Parameter | Description |
|---|---|
| STI_Config_ST_TLS_TRUST_STORE_TYPE | The trust store type. Only p12 trust stores are supported. |
| STI_Config_ST_TLS_KEY_STORE_TYPE | The key store type. Only p12 trust stores are supported. |
| STI_Config_ST_TLS_TRUST_STORE_FILE | The full path and name of the trust store file. For example: /local/notesdata/truststore.p12 |
| STI_Config_ST_TLS_TRUST_STORE_PASSWORD | The password to the trust store.For example: SecureSametimePassw0rd |
| STI_Config_ST_TLS_KEY_STORE_FILE | The full path and name of the key store. For example: /local/notesdata/keystore.p12 |
| STI_Config_ST_TLS_KEY_STORE_PASSWORD | The password to the keystorel For example: SecureSametimePassw0rd |
Table 2. Optional Parameters
| Parameter | Description |
|---|---|
| STI_Config_ST_TLS_FIPS_COMPLIANCE | Set to 1 to enable FIPS compliance. |
| STI_Config_ST_TLS_SECURITY_LEVEL | The required security level. The minimum security level controls compliance with the security standards NIST SP800-131a and NSA Suite B. |
| 0: No requirement | |
| 1: NIST SP800 -131a “Transition mode” | |
| 2: NIST SP800-131a “Strict mode” | |
| 3: NSA Suite B 128-bit level | |
| 4: NSA Suite B 192-bit level | |
| STI_Config_ST_TLS_MAX_SESSION_AGE | The amount of time before re-negotiating a session. The time to keep a session, in seconds, before deleting it from cache. |
| -1: No cache, which is generally sufficient for most Sametime deployments. This is the default value. | |
| 0: No limit on the age of cached sessions. | |
| STI_Config_ST_TLS_SESSION_CACHE_SIZE | Applies only to inbound connections. The number of TLS sessions that a server keeps in memory, for session reuse. This option tells the server to keep a cache of the TLS session state after the connection is closed. |
| -1: No session cache, which is generally sufficient for most Sametime deployments. This is the default value. | |
| 0: No limit on the number of cached sessions. It is useful after temporary network outage, when the client attempts to reconnect to the server, by reusing the session that was established earlier. | |
| - If the server finds the session in cache, the handshake is abbreviated, consuming less resources. | |
| - If the session is not in cache, a new session is established, including the full handshake. | |
| STI_Config_ST_TLS_SESSION_CACHE_TIME | Applies only to inbound connections. The maximum age of a TLS session, in seconds before renegotiating a session, If the same session is used longer than this setting, a new session is renegotiated over the same connection. The default value 0 means that there is no session renegotiation. |
| STI_Config_ST_TLS_MIN_PROTOCOL_VERSION= | The oldest version of the SSL/TLS protocol to negotiate during handshake. The default value is TLS 1.2. |
| 0x300: SSL v3 | |
| 0x301: TLS v1.0 | |
| 0x302: TLS v1.1 | |
| 0x303: TLS v1.2. This is the default value used if the value for the parameter is blank. | |
| STI_Config_ST_TLS_MAX_PROTOCOL_VERSION | The maximum TLS protocol. |
| 0x300: SSL v3 | |
| 0x301: TLS v1.0 | |
| 0x302: TLS v1.1 | |
| 0x303: TLS v1.2. This is the default value used if the value for the parameter is blank. | |
| STI_Config_ST_TLS_CIPHER_SUITES | A comma-separated list of cipher suites. Leave blank to enable the default cipher suites. |
| STI_Config_ST_TLS_CLIENT_AUTH | Request a certificate from the client, does not apply to outbound connections. |
| 0=None: The server does not request a certificate from the client. This is the default value. | |
| 1=Want: The server requests a certificate from the client, but will proceed with the handshake even if the client does not present one. | |
| 2=Need: The server requests a certificate from the client, and will fail the connection if the client does not present one. | |
| STI_Config_ST_TLS_TRUSTED_HOSTS | A comma-separated list of one or more trusted hosts, to compare against the peer certificate. The comparison takes place during the TLS handshake, when receiving a certificate from the peer, when the client receives the server certificate, or when the server receives a client certificate. The name in the peer certificate is typically specified in either the subject CN (common name) or the subjectAltName field. Validation passes if there is at least one match between the name in the peer certificate and a name in the trusted hosts list. |
| A trusted host name may contain the wild card character (*) which can be used to compare domain components rather than the entire string as a whole. The comparison process follows the rules described in section 3.1 of RFC 2818. | |
Certificate subject validation only applies when receiving a certificate from the peer. In order to ensure that a server performs this comparison, the server must require a client certificate, by setting ST_TLS_CLIENT_AUTH=2. |
|
| STI_Config_ST_TLS_MIRROR_TRUSTED_HOSTS | This parameter is needed when you have a key store with multiple key certificates. In which case, each certificate has a different alias in the key store. On the server side, specify the alias of the certificate that identifies the server. If the key store is used on the client side of TLS connections, specify the alias of the certificate that identifies the client. |
| STI_Config_ST_TLS_KEY_LABEL | This parameter is ignored if the STI_Config_ST_TLS_KEY_STORE_FILE parameter is missing or if there is only one key in the keystore. |
| This parameter is needed when you have a key store with multiple key certificates. In which case, each certificate has a different alias in the key store. On the server side, specify the alias of the certificate that identifies the server. If the key store is used on the client side of TLS connections, specify the alias of the certificate that identifies the client. |
Note: When you enable TLS for the Sametime server connections, TLS version 1.2 is used by default. SSLv3 and TLSv1 have security vulnerabilities and should not be used.
Parent Topic: Securing connections