Using the Transport Layer Security (TLS) protocol with Sametime Audio/Video in a load balancing environment

Technote (troubleshooting)


Problem

TLS cannot be used in a load balancing environment when there are multiple SIP proxies in front of a SIP Proxy/Registrar cluster.

Cause

There are cases when the WebSphere proxy server cannot use the same TLS connection initiated by the client. The WebSphere proxy server then tries to establish a new TLS connection to the Sametime client. However, because Sametime Audio/Video uses TLS with server-provided certificates, the TLS handshake fails and, as a result, the call fails.

Resolving the problem

There are two options:

  1. Use a single WebSphere proxy (instead of multiple) in front of a clustered SIP Proxy/Registrar. In this case the WebSphere proxy has a connection to the client (associated with registrations that the client initiates). The client receives inbound traffic over the same connection, and therefore the WebSphere proxy does not try to create a new connection to the client. Disadvantage: this affects high availability, because the WebSphere proxy becomes a single point of failure.
  2. Use TCP instead of TLS. Disadvantage: this option requires disabling security (including SIP authentication). Follow the instructions below to disable SIP security:
    1. Log in to the SIP Proxy and Registrar administrative console.
    2. Click Applications > WebSphere Enterprise Applications.
    3. Click IBM Lotus SIP Registrar.
    4. Under Detail Properties, click Security role to user/group mapping.
    5. Select the secureRole check box. Select Everyone from the Map Special Subjects drop-down list.
    6. Click OK and save the changes.
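
The failure described under Cause, and the effect of each option, as an added example (not IBM code): it runs a real in-memory TLS handshake toward an endpoint that has no certificate, then models which proxy holds the client's connection. Assumptions: "server-provided certificates" is read as meaning the Sametime client holds no certificate of its own, a new TCP connection to the client is taken to succeed, and the proxy names, client name and `route_inbound` model are hypothetical.

```python
import ssl

def tls_dial_out_to_certless_endpoint():
    """Run an in-memory TLS handshake in which the accepting side has no
    certificate. Returns the OpenSSL failure reason, or None if none occurred."""
    dial_ctx = ssl.SSLContext(ssl.PROTOCOL_TLS_CLIENT)    # proxy dialing out
    dial_ctx.check_hostname = False
    dial_ctx.verify_mode = ssl.CERT_NONE                  # verification off: still fails
    accept_ctx = ssl.SSLContext(ssl.PROTOCOL_TLS_SERVER)  # endpoint: no load_cert_chain()
    to_acceptor, to_dialer = ssl.MemoryBIO(), ssl.MemoryBIO()
    dialer = dial_ctx.wrap_bio(to_dialer, to_acceptor, server_side=False)
    acceptor = accept_ctx.wrap_bio(to_acceptor, to_dialer, server_side=True)
    try:
        dialer.do_handshake()            # emits ClientHello, then waits for a reply
    except ssl.SSLWantReadError:
        pass
    try:
        acceptor.do_handshake()          # has no certificate to present
    except ssl.SSLWantReadError:
        return None
    except ssl.SSLError as exc:
        return exc.reason or "HANDSHAKE_FAILURE"
    return None

def route_inbound(connections, landing_proxy, client, transport):
    """connections maps each proxy to the clients whose client-initiated
    (registration) connection it holds. Returns (delivered, detail)."""
    if client in connections[landing_proxy]:
        return True, "reused the connection the client opened"
    if transport == "TCP":
        return True, "opened a new TCP connection (no handshake, no security)"
    reason = tls_dial_out_to_certless_endpoint()
    if reason:
        return False, f"new TLS connection to client failed: {reason}"
    return True, "opened a new TLS connection"

# Constructed topologies: "alice" registered through the proxy that lists her.
SINGLE = {"proxy1": {"alice"}}
MULTI = {"proxy1": {"alice"}, "proxy2": set()}

if __name__ == "__main__":
    print(route_inbound(SINGLE, "proxy1", "alice", "TLS"))  # option 1
    print(route_inbound(MULTI, "proxy2", "alice", "TLS"))   # the reported problem
    print(route_inbound(MULTI, "proxy2", "alice", "TCP"))   # option 2
```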


Document information


More support for:

IBM Sametime
Media Manager

Software version:

8.5.1, 8.5.1.1

Operating system(s):

AIX, Linux, Windows

Reference #:

1458164

Modified date:

2011-11-15
