If the IBM® Sametime® Media Manager is
configured to use Transport Layer Security (TLS), you must also configure
TLS on the server hosting IBM Sametime Bandwidth Manager.
About this task
Sametime Bandwidth
Manager can use TLS (Transport Layer Security) encryption for security.
In IBM WebSphere® Application Server, the TLS functionality
requires a certificate. This certificate can be self-signed for
testing or demonstration environments, but IBM recommends using a certificate issued by
a valid Certificate Authority (CA) for any production environment.
Because
the Bandwidth Manager exchanges information with the Sametime Media Manager,
you must import a copy of the certificate to the Media Manager cell's
cell default truststore to ensure it will accept communications from
the Bandwidth Manager.
Procedure
- Import the Bandwidth Manager security certificate into the Media Manager's SIP Proxy/Registrar:
  - On the server hosting the Media Manager's SIP Proxy/Registrar component (if that component is clustered, use the server hosting its deployment manager), open the WebSphere Integrated Solutions Console and log in as the WebSphere administrator.
  - On the navigation tree, click .
  - Click CellDefaultTrustStore.
  - Click Signer certificates.
  - Click Retrieve from port and enter the Bandwidth Manager's host name and TLS port.
  - Save the retrieved signer certificate.
- Import the Media Manager's SIP Proxy/Registrar security certificate into the Bandwidth Manager:
  - On the server hosting the Bandwidth Manager, open the WebSphere Integrated Solutions Console and log in as the WebSphere administrator.
  - On the navigation tree, click .
  - Select the correct truststore:
    For a stand-alone Bandwidth Manager server, click NodeDefaultTrustStore.
    For a clustered Bandwidth Manager server, click CellDefaultTrustStore.
  - Click Signer certificates.
  - Click Retrieve from port and enter the SIP Proxy/Registrar's host name and TLS port.
  - Save the retrieved signer certificate.
- Locate the secure port value:
  - From the Bandwidth Manager's WebSphere Integrated Solutions Console, return to the navigation tree and click .
  - On the Application servers page, navigate to the servers table and click the name of your Bandwidth Manager server.
  - On the Configuration page, navigate to the Container Settings section and click .
  - In the Transport Chains table, locate the Port value in the SIPCInboundDefaultSecure row.
    This is the secure port value, which you will need in the next step.
- Configure the Bandwidth Manager to use the secure port:
  - Back on the navigation tree, click .
  - On the Status page, click the Configuration tab.
  - On the Configuration page, click the SipFrontend component listed in the table at the end of the page.
  - On the General Properties page for the SipFrontend component, edit the SIP URI field, typing the value of the secure port that you obtained earlier from the value of SIPCInboundDefaultSecure in the Transport Chains table.
  - Cluster only: If you are setting up a cluster, also change the Cluster SIP URI field to use that same secure port.
  - Click Apply and then click the Save link in the "Messages" box at the beginning of the page.
- Restart the server or cluster:
  - For a stand-alone server, restart it now as follows:
    - On the server's Configuration page, click the Status tab.
    - On the Status page, click the Start/Restart button at the beginning of the table.
    - Click the Refresh button and verify that all components are active.
  - For a clustered server, synchronize nodes and restart the cluster as follows:
    - In the deployment manager's Integrated Solutions Console, click .
    - Select all nodes in the cluster.
    - Click Full Resynchronize.
    - In the navigator, click .
    - Click a node agent, and then click Restart; repeat for each node agent.
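
The two "Retrieve from port" steps above trust whatever certificate answers on the given host name and TLS port at that moment. The following Python script is an added example, not part of the IBM documentation: it reads the certificate from the same port independently and compares its fingerprint with a reference value, so the signer can be checked before it is saved. The function names are hypothetical, and the script assumes you have obtained the reference fingerprint out of band from the administrator of the other server.

```python
import hashlib
import hmac
import socket
import ssl
import sys

# Hypothetical helper names; the reference fingerprint is assumed to come
# from the other server's administrator, not from this network connection.


def fetch_der(host, port, timeout=10.0):
    """Return the certificate the endpoint presents, as DER bytes."""
    # Validation is off on purpose: the certificate is not trusted yet and
    # this connection is used only to read it, never to send data.
    ctx = ssl.SSLContext(ssl.PROTOCOL_TLS_CLIENT)
    ctx.check_hostname = False
    ctx.verify_mode = ssl.CERT_NONE
    with socket.create_connection((host, port), timeout=timeout) as raw:
        with ctx.wrap_socket(raw, server_hostname=host) as tls:
            return tls.getpeercert(binary_form=True)


def normalize(fp):
    """Strip separators and case so 'ab:cd', 'AB CD' and 'abcd' compare equal."""
    cleaned = "".join(c for c in fp if c not in ": -\t").upper()
    if not cleaned or any(c not in "0123456789ABCDEF" for c in cleaned):
        raise ValueError("fingerprint is not hexadecimal")
    return cleaned


def fingerprint(der, algorithm="sha256"):
    """Colon-separated upper-case digest of the DER-encoded certificate."""
    digest = hashlib.new(algorithm, der).hexdigest().upper()
    return ":".join(digest[i:i + 2] for i in range(0, len(digest), 2))


def signer_matches(der, expected_fp):
    """Compare against a reference fingerprint; SHA-1 or SHA-256 by length."""
    expected = normalize(expected_fp)
    algorithm = {40: "sha1", 64: "sha256"}.get(len(expected))
    if algorithm is None:
        raise ValueError("expected a SHA-1 or SHA-256 fingerprint")
    actual = normalize(fingerprint(der, algorithm))
    return hmac.compare_digest(actual, expected)


if __name__ == "__main__":
    # Usage: check_signer.py <host> <tls-port> <reference-fingerprint>
    host, port, reference = sys.argv[1], int(sys.argv[2]), sys.argv[3]
    der = fetch_der(host, port)
    print(fingerprint(der))
    sys.exit(0 if signer_matches(der, reference) else 1)
```

Run it once against the Bandwidth Manager's TLS port and once against the SIP Proxy/Registrar's TLS port; a non-zero exit status means the certificate on the wire does not match the reference and should not be saved as a signer.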