Security

After setting up your initial IBM® Sametime® environment, you may want to make additional changes to safeguard information at your site, including limiting user access to certain features, using encryption, and modifying default security settings.

This section contains information about securing your Sametime servers running on IBM Domino® and IBM WebSphere® Application Server.

Important: For security, IBM recommends that you configure an HTTPS environment for all Sametime Meeting Server deployments.

Note: For information about Configuring IBM Security Access Manager / WebSEAL transparent junctions to work with an IBM Sametime environment, see the following Community article on the Sametime wiki:Configuring Tivoli® Access Manager for IBM Sametime. IBM Tivoli Access Manager has been rebranded as IBM Security Access Manager. You might see both names used in the product documentation.

Adding administrators to WebSphere-based Sametime servers
Add yourself or others as administrators of IBM Sametime components that are hosted on IBM WebSphere Application Server.
Configuring SiteMinder for Sametime components
SiteMinder uses agents to intercept HTTP requests in Sametime servers, and then forwards them to the SiteMinder Policy Server for authentication.
Setting up compliance for FIPS 140-2
IBM Sametime supports the U.S. government-defined security requirements for cryptographic modules known as FIPS 140-2 (Federal Information Processing Standard 140-2). If your Sametime deployment must maintain FIPS 140-compliance for all data exchanged between clients and Sametime Community Servers, you must install the FIPS Server on the Sametime Proxy Server to accept data on behalf of Sametime Community Servers.
Setting up single sign-on for Sametime clients
Configure servers for single sign-on (SSO) as a convenience to users running the IBM Sametime browser client. With SSO configured, users who log in once to any server in the DNS domain do not have to log in again when they access any other server running on IBM Domino or WebSphere Application Server. Enabling SSO between the servers also helps the Sametime Connect Client as well. If the community server is in the single sign-on domain, the component services can re-use the token from the Sametime Connect Client to login to other services.
Configuring virus scan for use during file transfer
Virus scanning of inbound and outbound file transfers occurs on the IBM Sametime Community Server. The Sametime Proxy Server does not offer any specific virus scanning support for files during file transfer through a Sametime Proxy Server. You can configure the file system location used for temporary storage of files and enforce virus scanning during file read and write.
Configuring secure access to an LDAP repository
Configure secure access to a Lightweight Directory Access Protocol (LDAP) repository used by IBM Sametime servers.
Replacing SSL certificates for Sametime servers running on WebSphere
Communications between IBM Sametime servers are encrypted when the servers are configured to use SSL (Secure Sockets Layer). Sametime servers that run on IBM WebSphere Application Server install with SSL enabled, and with a default certificate in place. Replace that certificate with one that is signed by an accepted Certificate Authority. For the awareness feature to work with browser clients, the Sametime Advanced Server must use the same certificate that the Sametime Proxy Server uses.
Enabling anonymous access by token authentication
Enabling anonymous access by token authentication protects the IBM Sametime Community Server from overload and from possible security risks.
Changing the SIP transport protocol in the Sametime Media Manager
You can change the transport protocol that IBM Sametime Media Manager uses for the SIP Proxy/Registrar, Video Manager, and Conference Manager components. Supported transport protocols are TCP and TLS.
Working with Domino security in Sametime
The IBM Sametime Community server uses the Internet and intranet security features of the IBM Domino server on which it is installed to authenticate web browser users who access Domino databases on the server.