Configuring the Bandwidth Manager to use TLS encryption

If the IBM® Sametime® Media Manager is configured to use Transport Layer Security (TLS), you must also configure TLS on the server hosting IBM Sametime Bandwidth Manager.

About this task

Sametime Bandwidth Manager can use TLS (Transport Layer Security) encryption for security. In IBM WebSphere® Application Server, the TLS functionality requires a certificate. This certificate can be self-signed for testing or demonstration environments, but IBM recommends using a certificate issued by a valid Certificate Authority (CA) for any production environment.

Because the Bandwidth Manager exchanges information with the Sametime Media Manager, you must import a copy of the certificate into the Media Manager cell's default truststore (CellDefaultTrustStore) to ensure it will accept communications from the Bandwidth Manager.

Procedure

  1. Import the Bandwidth Manager security certificate into the Media Manager's SIP Proxy/Registrar:
    1. On the server hosting the Media Manager's SIP Proxy/Registrar component (if that component is clustered, use the server hosting its deployment manager), open the WebSphere Integrated Solutions Console and log in as the WebSphere administrator.
    2. On the navigation tree, click Security > SSL certificate and key management > Key stores and certificates.
    3. Click CellDefaultTrustStore.
    4. Click Signer certificates.
    5. Click Retrieve from port and enter the Bandwidth Manager's host name and TLS port.
    6. Save the retrieved signer certificate.
  2. Import the Media Manager's SIP Proxy/Registrar security certificate into the Bandwidth Manager:
    1. On the server hosting the Bandwidth Manager, open the WebSphere Integrated Solutions Console and log in as the WebSphere administrator.
    2. On the navigation tree, click Security > SSL certificate and key management > Key stores and certificates.
    3. Select the correct truststore:

      For a stand-alone Bandwidth Manager server, click NodeDefaultTrustStore.

      For a clustered Bandwidth Manager server, click CellDefaultTrustStore.

    4. Click Signer certificates.
    5. Click Retrieve from port and enter the SIP Proxy/Registrar's host name and TLS port.
    6. Save the retrieved signer certificate.
  3. Locate the secure port value:
    1. From the Bandwidth Manager's WebSphere Integrated Solutions Console, return to the navigation tree and click Servers > Server types > WebSphere application servers.
    2. On the Application servers page, navigate to the servers table and click the name of your Bandwidth Manager server.
    3. On the Configuration page, navigate to the Container Settings section and click SIP Container Settings > SIP container transport chains.
    4. In the Transport Chains table, locate the Port value in the SIPCInboundDefaultSecure row.

      This is the secure port value, which you will need in the next step.

  4. Configure the Bandwidth Manager to use the secure port:
    1. Back on the navigation tree, click Sametime Servers > Bandwidth Manager.
    2. On the Status page, click the Configuration tab.
    3. On the Configuration page, click the SipFrontend component listed in the table at the end of the page.
    4. On the General Properties page for the SipFrontend component, edit the SIP URI field, typing the value of the secure port that you obtained earlier from the value of SIPCInboundDefaultSecure in the Transport Chains table.
    5. Cluster only: If you are setting up a cluster, also change the Cluster SIP URI field to use that same secure port.
    6. Click Apply and then click the Save link in the "Messages" box at the beginning of the page.
  5. Restart the server or cluster:
    • For a stand-alone server, restart it now as follows:
      1. On the server’s Configuration page, click the Status tab.
      2. On the Status page, click the Start/Restart button at the beginning of the table.
      3. Click the Refresh button and verify that all components are active.
    • For a clustered server, synchronize nodes and restart the cluster as follows:
      1. In the deployment manager's Integrated Solutions Console, click System Administration > Nodes.
      2. Select all nodes in the cluster.
      3. Click Full Resynchronize.
      4. In the navigator, click System Administration > Node agents.
      5. Click a node agent, and then click Restart; repeat for each node agent.
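The "Retrieve from port" action in steps 1 and 2 trusts whatever certificate the remote port presents at that moment, so it is worth comparing the retrieved signer's SHA-256 fingerprint against the fingerprint shown for the certificate in the sending server's own keystore before you save it. The same check, run against the SIPCInboundDefaultSecure port after the restart in step 5, confirms that the secure port answers with TLS and presents the expected certificate. The script below is an added example and not part of the IBM documentation or product; the host names, port and expected fingerprint are placeholders you supply, and the embedded PEM is a constructed sample used only to exercise the fingerprint code offline.

```python
"""Fingerprint check for a signer retrieved with "Retrieve from port".

Added example (not IBM's code). Usage for a live check:
    python check_signer.py HOST PORT EXPECTED_SHA256_FINGERPRINT
With no arguments it runs against the constructed sample certificate below.
"""
import base64
import hashlib
import re
import socket
import ssl
import sys

PEM_RE = re.compile(r"-----BEGIN CERTIFICATE-----(.*?)-----END CERTIFICATE-----", re.S)

# Constructed sample: a PEM wrapper around base64("abc"). It is NOT a real
# certificate; it only lets the PEM/fingerprint helpers run offline.
SAMPLE_PEM = "-----BEGIN CERTIFICATE-----\nYWJj\n-----END CERTIFICATE-----\n"


def pem_to_der(pem: str) -> bytes:
    """Decode the first PEM certificate block into its DER bytes."""
    match = PEM_RE.search(pem)
    if match is None:
        raise ValueError("no PEM certificate block found")
    return base64.b64decode("".join(match.group(1).split()))


def fingerprint_sha256(der: bytes) -> str:
    """SHA-256 over the DER bytes, in the colon-separated upper-case form
    that certificate viewers (including the WebSphere console) display."""
    digest = hashlib.sha256(der).hexdigest().upper()
    return ":".join(digest[i:i + 2] for i in range(0, len(digest), 2))


def normalize_fingerprint(fp: str) -> str:
    """Accept 'ab:cd', 'AB CD', 'abcd' ... and return 'AB:CD:...' for comparison."""
    hex_only = re.sub(r"[^0-9A-Fa-f]", "", fp).upper()
    if len(hex_only) != 64:
        raise ValueError("expected a SHA-256 fingerprint (64 hex digits)")
    return ":".join(hex_only[i:i + 2] for i in range(0, 64, 2))


def fingerprints_match(actual: str, expected: str) -> bool:
    """True when both strings denote the same SHA-256 fingerprint."""
    return normalize_fingerprint(actual) == normalize_fingerprint(expected)


def retrieve_server_certificate(host: str, port: int, timeout: float = 10.0) -> bytes:
    """Open a TLS connection to host:port and return the leaf certificate (DER).

    Peer verification is disabled here on purpose: the caller verifies the
    certificate by comparing its fingerprint to a value obtained out of band,
    which is exactly the check "Retrieve from port" leaves to the operator.
    """
    context = ssl.SSLContext(ssl.PROTOCOL_TLS_CLIENT)
    context.check_hostname = False  # must be cleared before verify_mode
    context.verify_mode = ssl.CERT_NONE
    with socket.create_connection((host, port), timeout=timeout) as sock:
        with context.wrap_socket(sock, server_hostname=host) as tls:
            der = tls.getpeercert(binary_form=True)
    if not der:
        raise RuntimeError(f"{host}:{port} did not present a certificate")
    return der


def check_signer(host: str, port: int, expected_fp: str):
    """Retrieve the live certificate and compare it with the expected fingerprint.
    Returns (matches, actual_fingerprint)."""
    actual = fingerprint_sha256(retrieve_server_certificate(host, port))
    return fingerprints_match(actual, expected_fp), actual


if __name__ == "__main__":
    if len(sys.argv) == 4:
        ok, actual = check_signer(sys.argv[1], int(sys.argv[2]), sys.argv[3])
        print(("MATCH   " if ok else "MISMATCH") + " " + actual)
        sys.exit(0 if ok else 1)
    # Offline demonstration on the constructed sample.
    print("sample fingerprint:", fingerprint_sha256(pem_to_der(SAMPLE_PEM)))
```

Run the live form once against the Bandwidth Manager's TLS port before saving the signer in step 1, and once against the SIP Proxy/Registrar's TLS port before step 2; a MISMATCH means the port is presenting a certificate other than the one in the keystore you expect (for example an intermediary or a stale certificate), and the signer should not be saved until that is explained.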