Lotus Sametime Version 8.0: FIPS Support for IBM Lotus Sametime 8.0 (SC23-8760-00)




Disclaimer

THE INFORMATION CONTAINED IN THIS DOCUMENTATION IS PROVIDED FOR INFORMATIONAL PURPOSES ONLY. WHILE EFFORTS WERE MADE TO VERIFY THE COMPLETENESS AND ACCURACY OF THE INFORMATION CONTAINED IN THIS DOCUMENTATION, IT IS PROVIDED "AS IS" WITHOUT WARRANTY OF ANY KIND, EXPRESS OR IMPLIED. IN ADDITION, THIS INFORMATION IS BASED ON IBM'S CURRENT PRODUCT PLANS AND STRATEGY, WHICH ARE SUBJECT TO CHANGE BY IBM WITHOUT NOTICE. IBM SHALL NOT BE RESPONSIBLE FOR ANY DAMAGES ARISING OUT OF THE USE OF, OR OTHERWISE RELATED TO, THIS DOCUMENTATION OR ANY OTHER DOCUMENTATION. NOTHING CONTAINED IN THIS DOCUMENTATION IS INTENDED TO, NOR SHALL HAVE THE EFFECT OF, CREATING ANY WARRANTIES OR REPRESENTATIONS FROM IBM (OR ITS SUPPLIERS OR LICENSORS), OR ALTERING THE TERMS AND CONDITIONS OF THE APPLICABLE LICENSE AGREEMENT GOVERNING THE USE OF IBM SOFTWARE.

Licensed Materials - Property of IBM

Copyright IBM Corporation 2007. All rights reserved. US Government Users Restricted Rights - Use, duplication or disclosure restricted by GSA ADP Schedule Contract with IBM Corp. Licensees of this program who wish to have information about it for the purpose of enabling: (i) the exchange of information between independently created programs and other programs (including this one) and (ii) the mutual use of the information which has been exchanged, should contact IBM Software Group. Such information may be available, subject to appropriate terms and conditions, including in some cases, payment of a fee. IBM Corporation, IBM Software Group, One Rogers Street, Cambridge, MA 02142.

List of Trademarks

IBM, the IBM logo, DB2, Domino, Lotus, Notes, Sametime, and WebSphere are trademarks or registered trademarks of International Business Machines Corporation in the United States, other countries, or both. Java and all Java-based trademarks are trademarks of Sun Microsystems, Inc. in the United States, other countries, or both. Microsoft, Windows, and Windows NT are registered trademarks of Microsoft Corporation in the United States, other countries, or both. Linux is a trademark of Linus Torvalds in the United States, other countries, or both. Other company, product, or service names may be trademarks or service marks of others.

Contents

FIPS Support for IBM Lotus Sametime 8.0
Disclaimer
Licensed Materials - Property of IBM
List of Trademarks
Introduction
Known issues and limitations
Installing and configuring a stand-alone Sametime server and FIPS Proxy
Installing and configuring the FIPS Proxy
Setting up IHS as a reverse proxy for Sametime
Configuring the Sametime server for FIPS
Configuring STLinks for FIPS proxy
Configuring FIPS Proxy for multiple Sametime servers
Configuring Enterprise Meeting Server (EMS) for FIPS
Configuring the Sametime room servers for FIPS
Installing the FIPS Proxy on WebSphere Application Server
Relocating applets to IHS and modifying EMS to use IHS for applet download
Setting FIPS-specific configuration for Instant Meetings feature and materials management
SSL Certificates Support
STLinks FIPS Support

Introduction

This document describes the configuration of IBM Lotus Sametime 8.0 to enable support for the U.S. government-defined security requirements for cryptographic modules known as FIPS 140-2 (Federal Information Processing Standard 140-2). The installation and configuration steps are documented along with known issues and limitations for the feature.

Known issues and limitations

The following limitations apply to a FIPS 140-compliant Sametime 8.0 configuration:

- For the Sametime servers and clients to function properly, all servers and clients in a deployment must be running the updated FIPS 140-compliant code.
- This release does not include FIPS 140 compliance for Sametime Mobile clients.
- Client-to-client file transfer from the Sametime Connect client is not FIPS 140-compliant, and should therefore be disabled via server policy settings for a fully FIPS 140-compliant server configuration (see the configuration instructions below).

Client and server platform support

- This release supports only Microsoft Windows 2003 Server as the server operating system.
- This release supports the same client operating system, browser, and Java virtual machine combinations supported by the "base" Sametime, with the following exceptions:
  o Version 1.4.2 JVMs are not supported. This includes both the Sun and IBM JVMs.
  o Apple Macintosh clients function properly using the Safari browser and Firefox version 2.0.0.4. Firefox versions 1.5 and 2.0.0.3 may crash when running in a FIPS 140-compliant environment.

Installing and configuring a stand-alone Sametime server and FIPS Proxy

To maintain FIPS 140 compliance for all data exchanged between clients and the Sametime server, a "FIPS Proxy" component must be installed on WebSphere Application Server to terminate the clients' TLS connections in a FIPS-validated cryptographic module and accept data on behalf of the Sametime server. Also, because the IBM Lotus Domino HTTP server is not FIPS 140-compliant, an IBM HTTP Server (IHS) must be deployed as a reverse proxy for the HTTP data to the Sametime server. Note that this configuration protects only the client-facing connections: the hop from the FIPS Proxy or IHS to the Sametime server itself uses the server's ordinary ports and plain HTTP, so the proxies and the Sametime server must sit on a network segment that untrusted clients cannot reach directly.

The following instructions explain how to install a stand-alone Sametime server along with the FIPS Proxy, and how to configure the IHS server. Sametime Enterprise Meeting Server (EMS) configuration instructions are covered separately below.

Installing and configuring the FIPS Proxy on WebSphere Application Server

1. Install WebSphere Application Server (version 6.1.0.9 is supported) and enable it for FIPS mode. For more information, go to http://publib.boulder.ibm.com/infocenter/wasinfo/v6r1/index.jsp?topic=/com.ibm.websphere.base.doc/info/aes/ae/tsec_fips.html

2. On WebSphere Application Server, install the FIPS Proxy WAR file (stfipsproxy.war) from the Sametime build:
   a. Copy the stfipsproxy.war file to the WebSphere/installableApps directory.
   b. Open the WebSphere Application Server administrative console (start server1 and go to https://localhost:9043/ibm/console/logon.jsp) and log in.
   c. Go to Applications, Install New Application.
   d. Select Local File System and browse to the stfipsproxy.war file in the installableApps directory.
   e. Accept the defaults on each screen. You can use any context root for the WAR file, for example, fipsproxy.

3. After you install the WAR file, update the sametimeproxy.xml file. This file contains the configuration for the proxy: it defines the port routing so that the clients' TLS connections terminate at the proxy and are forwarded to the Sametime server. Use the comments in the file to set the host name of the Sametime server and the location of the keystore and truststore files. The sametimeproxy.xml file is located in the \WebSphere\AppServer\profiles\default\installedApps\[cell]\stfipsproxy_war.ear\stfipsproxy.war directory.

4. Edit the sametimeproxy.xml file and replace the serveraddress entries with entries for your Sametime server. In the following entries, replace "temp.sametimeserver.com" with your Sametime server name, for example, "yourserver.yourdomain.com". (The listings in this document were extracted in lower case; the channel, factory and property names in the shipped file are case-sensitive, so keep the spelling the file uses rather than the spelling shown here.)

   <channel name="sametimeproxychannel" factory="com.ibm.sametime.proxy.channel.impl.sametimeproxychannelfactory" sequence="2" weight="1">
     <property name="numberofclientports" value="3" />
     <property name="clientaddress1" value="*:8081" />
     <property name="serveraddress1" value="temp.sametimeserver.com:8081" />
     <property name="clientaddress2" value="*:1533" />
     <property name="serveraddress2" value="temp.sametimeserver.com:1533" />
     <property name="clientaddress3" value="*:554" />
     <property name="serveraddress3" value="temp.sametimeserver.com:554" />
     <property name="outboundchain" value="proxytcpoutboundconnector" />
     <property name="displayperformancestatisticsinterval" value="5" />
   </channel>

   Each clientaddress/serveraddress pair maps a port that the proxy listens on to the same port on the Sametime server: 1533 for Community Services, 8081 for Meeting Services and 554 for Broadcast Services.

5. Edit the TLS channel properties in the sametimeproxy.xml file and change the wccmdefault values for keyfilename and trustfilename so that they point to the WebSphere Application Server keystores the proxy should present to clients. The dummy keystores and the "webas" password shown below are the publicly documented WebSphere defaults; do not leave them in place on a server that clients can reach. Note also that SSLv3, the value this listing ships with for com.ibm.ssl.protocol, is not an approved protocol under FIPS 140-2: with WebSphere Application Server in FIPS mode the channel must negotiate TLS, so set the protocol to TLS.

   <channel name="tlsinboundchannel" factory="com.ibm.ws.ssl.channel.impl.sslchannelfactory" sequence="2" weight="1">
     <wccmproperty name="com.ibm.ssl.keymanager" wccmpropertyname="keymanager" wccmpropertygroup="securitypropertygroup" wccmdefault="ibmx509" />
     <wccmproperty name="com.ibm.ssl.trustmanager" wccmpropertyname="trustmanager" wccmpropertygroup="securitypropertygroup" wccmdefault="ibmx509" />
     <wccmproperty name="com.ibm.ssl.protocol" wccmpropertyname="com.ibm.ssl.protocol" wccmpropertygroup="securitypropertygroup" wccmdefault="sslv3" />
     <wccmproperty name="com.ibm.ssl.keystore" wccmpropertyname="keyfilename" wccmpropertygroup="securitypropertygroup" wccmdefault="c:/websphere/appserver/profiles/default/etc/dummyserverkeyfile.jks" />
     <wccmproperty name="com.ibm.ssl.truststore" wccmpropertyname="trustfilename" wccmpropertygroup="securitypropertygroup" wccmdefault="c:/websphere/appserver/profiles/default/etc/dummyservertrustfile.jks" />
     <wccmproperty name="com.ibm.ssl.keystorepassword" wccmpropertyname="keyfilepassword" wccmpropertygroup="securitypropertygroup" wccmdefault="webas" />
     <wccmproperty name="com.ibm.ssl.truststorepassword" wccmpropertyname="trustfilepassword" wccmpropertygroup="securitypropertygroup" wccmdefault="webas" />
     <wccmproperty name="com.ibm.ssl.keystoretype" wccmpropertyname="keyfileformat" wccmpropertygroup="securitypropertygroup" wccmdefault="jks" />
     <wccmproperty name="com.ibm.ssl.truststoretype" wccmpropertyname="trustfileformat" wccmpropertygroup="securitypropertygroup" wccmdefault="jks" />
     <wccmproperty name="com.ibm.ssl.clientauthentication" wccmpropertyname="clientauthentication" wccmpropertygroup="securitypropertygroup" wccmdefault="false" />
     <wccmproperty name="com.ibm.ssl.securitylevel" wccmpropertyname="securitylevel" wccmpropertygroup="securitypropertygroup" wccmdefault="high" />
   </channel>

6. Restart WebSphere Application Server, and make sure that the fipsproxy application starts.

7. Checkpoint: After restarting WebSphere Application Server, use the netstat command to make sure that the server is listening on the ports listed in Step 4. For example, enter "netstat -an" and look for LISTENING entries on ports 8081, 1533 and 554.

Setting up IBM HTTP Server (IHS) as a reverse proxy for Sametime

Enable IHS for SSL and configure IHS to function as a reverse proxy for Sametime.

1. Run the IBM Key Management Utility (located in the IHS_INSTALL_ROOT/bin directory). For example, C:\Program Files\IBM HTTP Server\bin\ikeyman.bat.

2. Create the key database file. Select Key Database File -> New. Make sure that you select a CMS key database, because IHS works only with CMS key databases.

3. Set the password on the key database, and stash it to a file when prompted; IHS reads the password from the .sth stash file referenced in Step 7.

4. Create a new self-signed certificate. From the Create menu, select New Self-Signed Certificate.

5. Complete the Create New Key and Certificate Request dialog box fields with information that is relevant to your system. A self-signed certificate is adequate for testing; for production, obtain a certificate from a Certificate Authority that your clients already trust, so that the self-signed-certificate overrides described in "Configuring the Sametime server for FIPS" are not needed.

6. Enable SSL and the reverse proxy on IHS by copying the proxy.conf and rules.conf files from the IHS build folder to the <IHS_INSTALL_ROOT>/conf directory. (These files contain the directives that enable SSL and the reverse proxy.)

7. Edit the proxy.conf file by modifying the following section so that it points to the key database and stash file you generated in the previous steps:

   <IfModule mod_ibm_ssl.c>
     SSLDisable
     SSLClientAuth none
     # For some reason this requires the full path:
     Keyfile "c:/ibm/ihs6/ssl/key.kdb"
     SSLStashfile "c:/ibm/ihs6/ssl/key.sth"
   </IfModule>

   Note: This file enables FIPS mode on the SSL server by default through the SSLFIPSEnable directive, which forces all connections to use FIPS-approved TLS (SSLv3 is not an approved protocol under FIPS 140-2). Commenting out the SSLFIPSEnable directive disables FIPS mode on IHS and makes the deployment non-compliant, so leave it in place in a FIPS 140-compliant configuration.

8. Edit the rules.conf file and change the Sametime server name to your server name. In the following entries, replace "temp.sametimeserver.com" with your Sametime server name, for example, "yourserver.yourdomain.com":

   ProxyPass /st/communitycbr http://temp.sametimeserver.com:8082/communitycbr
   ProxyPass /st/meetingcbr http://temp.sametimeserver.com:8081/meetingcbr
   ProxyPass /st/broadcastcbr http://temp.sametimeserver.com:554/broadcastcbr
   ProxyPass /st/ http://temp.sametimeserver.com/
   ProxyPassReverse /st/ http://temp.sametimeserver.com/

   This allows the IHS server to reverse proxy for the Sametime server under the /st/ alias. Keep the more specific ProxyPass lines above the /st/ line, because the first matching rule wins. The back-end URLs are plain http://, so the hop between IHS and the Sametime server is not encrypted; keep the two on a network segment that clients cannot reach directly. These rules are not needed for an EMS environment.

9. Include the proxy.conf file in the httpd.conf configuration file:
   a. Edit IHS_INSTALL_ROOT/conf/httpd.conf and add the following line at the end of the file:
      include conf/proxy.conf
   b. Search for the Listen 80 statement and comment it out by placing a # at the beginning of the line. The proxy.conf file contains its own Listen directive, and two Listen statements on the same port cause a port conflict.

10. If your system is running on Linux and the kernel firewall is enabled, open the SSL port so that data can reach the server. Copy the existing ACCEPT line in the iptables rules file and change the port to allow 443 traffic:
    -A INPUT -p tcp -m tcp --dport 443 -j ACCEPT
    Then restart the iptables service: /sbin/service iptables restart

11. Start or restart IHS.

12. Checkpoint: Go to https://yourserver.yourdomain.com to verify that you can see the IHS default page, served with the certificate you created. Enter https://yourserver.yourdomain.com/[alias]/stcenter.nsf to access the Sametime Meeting Center, where [alias] is the prefix used in rules.conf (st in the example above).

Configuring the Sametime server for FIPS

1. Log in to the Sametime server as an administrator and select Administer the server. Navigate to the connectivity options and select Reverse Proxy Support.

2. In the Server Alias field, enter the alias defined in the rules.conf file (st in the example above). This is not needed for an EMS environment.

3. Run the Lotus Notes client (nlnotes.exe) to update the FIPS configuration:
   a. Open the stconfig.nsf database.
   b. Open the MeetingServices document in the database.
   c. Set the FIPSEnabled parameter to True.
   d. Enter the host names and ports for the FIPS Proxy in the document. The ports must match the ports used in Step 4 of "Installing and configuring the FIPS Proxy on WebSphere Application Server". On a default Sametime server, Sametime Community uses port 1533, Sametime Meetings use port 8081, and Sametime Broadcast uses port 554.

4. (Optional) If you use self-signed certificates and followed the procedure in "Setting up IHS as a reverse proxy for Sametime" to set up IHS with a self-signed certificate, complete the following steps so that the Web client applets and the installed client accept connections from the server. These steps are not necessary if you are using a certificate from a valid Certificate Authority. Be aware of what they do: each setting tells a client to accept a server certificate that it cannot chain to a trusted Certificate Authority, which removes the client's ability to tell the real server from an impostor. Use them for testing only, and deploy CA-issued certificates in production.
   a. Enable the use of self-signed certificates for the Meeting Room Client and meeting recording by editing the FIPS configuration settings described in Step 3. Change FIPS Allow Self-Signed Certificates to "true" to permit the use of certificates from an unknown Certificate Authority or a self-signed certificate.
   b. Enable the use of self-signed certificates for the installed Sametime Connect client by opening the sametime.ini file in your client installation directory and adding the following line:
      -DallowPeerCerts=true
   c. STLinks: See "Configuring STLinks for FIPS" below for using the STLinks toolkit with a FIPS 140-enabled server. That section also describes the setting needed for a server that uses self-signed certificates.

5. (Optional) You may choose to use a certificate keystore file other than the default file (stkeystore.p12) provided with Sametime. The following steps outline changing the default keystore file and password.
   a. If you do not already have a keystore file, you can use the IBM Key Management program (<domino root>/jvm/bin/ikeyman.exe) to create a new file or edit an existing one. The keystore file must be in PKCS12 format. The default Sametime keystore file (stkeystore.p12) is found in several of the applet JAR files and can be extracted and renamed to serve as a replacement keystore file. The default keystore file can be found in <domino root>/data/domino/html/sametime/stmeetingroomclient/stmeetingroomclient.jar. The password for the stkeystore.p12 file is 'sametime', and that password applies only to managing the certificates in the keystore file. Individual certificates have their own passwords, and those passwords should never be published.
   b. Once a replacement keystore file has been created, it must be copied to the individual applet directories so that it can be found when the Sametime applets load:
      <domino root>/data/domino/html/sametime/stbroadcastclient
      <domino root>/data/domino/html/sametime/stdirectoryapplet
      <domino root>/data/domino/html/sametime/stmeetingroomclient
      Because browsers download this file from the applet directories, and its password is written into SametimeCommunity2.xml and into client-side files such as stlinks.js, treat both the keystore and its password as public: the file should contain only the CA and server certificates the applets need to trust, never a private key.
   c. Set the keystore file name and password by editing the FIPS configuration as described in Step 3. Set FIPS Keystore Filename to the name of the replacement keystore file that was copied to the applet directories. Set FIPS Keystore Password to the password used to manage the keystore file. When FIPS is enabled, the client applets use the replacement keystore file and password to create secure connections based on the certificates contained in the keystore file.

6. Configure the Sametime server to support Instant Meetings:
   a. From the Lotus Notes client, open stconfig.nsf.
   b. Open the MeetingCenter document.
   c. Double-click to edit the document.
   d. In the "Alternate HTTP Server URL" field, enter: https://<yourihsservername>/<alias>
   e. Save your changes.
   f. Exit the Notes client.
   This step allows the Sametime Connect client to send users to the appropriate server for Instant Meetings, for Test A/V Meetings, to schedule meetings, or to attend scheduled meetings.

7. Restart the Domino server.

8. Checkpoint: Open the SametimeCommunity2.xml file (in the C:\Lotus\Domino directory) and make sure that you can find a <FIPSServices> entry that contains the host names and ports you defined in Step 4 of "Installing and configuring the FIPS Proxy on WebSphere Application Server":

   <FIPSServices>
     <Enabled>1</Enabled>
     <CommunityPort>1533</CommunityPort>
     <CommunityAddress>fips_proxy_server.acme.com</CommunityAddress>
     <MeetingPort>8081</MeetingPort>
     <MeetingAddress>fips_proxy_server.acme.com</MeetingAddress>
     <BroadcastPort>554</BroadcastPort>
     <BroadcastAddress>fips_proxy_server.acme.com</BroadcastAddress>
     <KeystoreFilename>stkeystore.p12</KeystoreFilename>
     <KeystorePassword>sametime</KeystorePassword>
     <SelfSignedCert>1</SelfSignedCert>
   </FIPSServices>

   The addresses must be the FIPS Proxy host, not the Sametime server, or clients will connect around the proxy. In a production deployment, SelfSignedCert should be 0.

9. Disable client-to-client file transfers from the Sametime Connect client: By default, file transfers between Sametime Connect clients that bypass the Sametime server are allowed. Because these connections are not FIPS 140-compliant, disable this capability via the policy setting in the server Admin: clear the "Allow client-to-client file transfer" check box in the Community Services Admin section.

Configuring STLinks for FIPS

If a FIPS Proxy is used with the Sametime server as part of a FIPS 140-compliant deployment, configure STLinks for the proxy (as described in the STLinks documentation):

1. Uncomment and edit the following stlinks.js variables accordingly:
   //var ll_rproxyname="https://proxy.ibm.com";
   //var ll_affinityid="st1";

2. Configure STLinks for a FIPS environment. Change the following parameters in the stlinks.js file as needed; for example, set isfips_env to true and set the keystore name and keystore password correctly:
   var isfips_env = false;
   var stfipskeystore = "stkeystore.p12";
   var stkeystorepwd = "sametime";
   var allowselfsignedcerts = false;
   Note: If the server is configured to run using self-signed certificates, change the allowselfsignedcerts value to true:
   var allowselfsignedcerts = true;
   The same caution applies as for the Connect client and applets: this disables server authentication for STLinks sessions and is a test-only setting.

3. Replace the stlinks.jar file in <domino_data>\domino\html\sametime\stlinks with the signed stlinks.jar file from <domino_data>\domino\html\sametime\stlinks\signed.

4. Verify that copies of the SSLite library (sslite140-v3.16.zip) and the keystore file (stkeystore.p12) are in the <domino_data>\domino\html\sametime\stlinks directory. If they are not, copy those files into that directory.

Configuring FIPS Proxy for multiple Sametime servers

These instructions explain how to add support for additional IP addresses and ports. This is required if you want one FIPS Proxy to support multiple Sametime servers or Room Servers. Each additional server needs its own listening ports on the proxy, because every routing rule maps one proxy port to exactly one server address.

Description of sametimeproxy.xml file sections

<factories/>
This section defines channel factories.

<channels/>
The channels section defines which inbound channels are available to be loaded. Each entry also contains a number of properties that are passed to the channel on initialization. The host name and port properties determine which ports the channel listens on.

<chains/>
The chains section defines the "stack." The channel framework allows different channels to be layered; as long as the channel chains are compatible, the channel framework allows a given chain to be constructed. The chains section defines the multiple channel chains to be loaded.

<groups/>
The groups section lets you define which chains to load. The proxy application loads only the chains listed in the "AllChains" group.

To add additional inbound chains and routing rules, perform the following steps:

1. Add an additional ProxyTCPChannel entry to the XML file:

   <channel name="proxytcpchannel#" factory="com.ibm.ws.tcp.channel.impl.tcpchannelfactory" sequence="1" weight="1">
     <property name="hostname" value="*" />
     <property name="port" value="8081" />
     <property name="maxopenconnections" value="20000" />
     <property name="tcpnodelay" value="1" />
   </channel>

2. Increment the number of the ProxyTCPChannel entry so that it is unique, and set the host name and port values to the desired address and port. Choose a port that no other ProxyTCPChannel entry already binds.

3. Include an additional SametimeProxyInbound chain entry, using a unique #:

   <chain name="sametimeproxyinboundchain#" type="0">
     <channel name="proxytcpchannel#" />
     <channel name="tlsinboundchannel" />
     <channel name="sametimeproxychannel" />
   </chain>

4. Make sure that the ProxyTCPChannel entry number matches the entry from the previous step.

5. Add the new chain to the groups element, using the same # as in Step 3:

   <chain name="sametimeproxyinboundchain#" type="0">
     <property name="enabled" value="true" />
     <property name="enabledtransport" value="true" />
   </chain>

6. Make sure that the SametimeProxyInboundChain name matches the one added in the previous step. A chain that is defined but not listed in the AllChains group is never loaded, so its port is never opened.

7. Define the routing rules for the new connection by editing the SametimeProxyChannel properties:

   <channel name="sametimeproxychannel" factory="com.ibm.sametime.proxy.channel.impl.sametimeproxychannelfactory" sequence="2" weight="1">
     <property name="numberofclientports" value="3" />
     <property name="clientport1" value="*:8081" />
     <property name="serveraddress1" value="temp.sametimeserver.com:8081" />
     <property name="clientport2" value="*:1533" />
     <property name="serveraddress2" value="temp.sametimeserver.com:1533" />
     <property name="clientport3" value="*:554" />
     <property name="serveraddress3" value="temp.sametimeserver.com:554" />
     <property name="outboundchain" value="proxytcpoutboundconnector" />
     <property name="displayperformancestatisticsinterval" value="5" />
   </channel>

8. Add clientport and serveraddress entries for the additional channels listed in the previous steps. The host name and port in each clientport value must match the values defined on the corresponding ProxyTCPChannel entry, and the serveraddress values must not contain leading or trailing spaces. Increase numberofclientports to match the number of client and server address pairs in the property list. Note that the listing in Step 4 of the installation procedure names these properties clientaddressN while the listing above names them clientportN; use whichever name the shipped sametimeproxy.xml uses.

9. Save the XML file.

10. Open the XML file with Internet Explorer or Firefox to make sure that it is well formed and looks correct.

11. Restart the server to make the changes take effect.
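Step 10 only proves that the file is well-formed XML; the mistakes this procedure invites (a chain left out of the AllChains group, a ProxyTCPChannel with no matching routing rule, a stale numberofclientports, a stray space in a serveraddress value, a TLS channel still set to SSLv3) all produce well-formed XML. The following Python script is an added example for this guide, not IBM code. It checks those cross-references over a sametimeproxy.xml. It assumes the section layout described above (that the loaded chains sit under a <group name="AllChains"> element inside <groups> is an assumption, since the guide shows only the chain entries), matches channel and chain names exactly, and compares property names case-insensitively because the two listings in this guide disagree on their case. The sample XML is constructed for the example and omits attributes the checker does not read.

```python
"""Consistency checks for a multi-server sametimeproxy.xml (added example, not IBM code).

Assumes the layout the guide describes: <channels>, <chains>, and a <groups> section
whose "AllChains" group lists the chains to load. Channel and chain names are matched
exactly; property names are compared case-insensitively only because the guide's own
listings disagree on their case. The sample XML below is constructed for this example.
"""
import re
import xml.etree.ElementTree as ET

NON_FIPS_PROTOCOLS = {"ssl", "sslv2", "sslv3"}  # not approved under FIPS 140-2


def _props(channel):
    """Lower-cased <property> name -> value for one channel element."""
    return {p.get("name", "").lower(): p.get("value", "") for p in channel if p.tag.lower() == "property"}


def check_proxy_config(xml_text):
    """Return human-readable findings; an empty list means the file is consistent."""
    root = ET.fromstring(xml_text)
    channels = {c.get("name"): c for c in root.find("channels")}
    chains = {c.get("name"): c for c in root.find("chains")}
    group = root.find("groups/group[@name='AllChains']")
    loaded = {c.get("name") for c in group} if group is not None else set()
    findings, listen = [], {}

    # Each chain must reference defined channels, be loaded by AllChains, and own a unique port.
    for name, chain in chains.items():
        refs = [c.get("name") for c in chain]
        findings += [f"chain {name} references undefined channel {r}" for r in refs if r not in channels]
        if name not in loaded:
            findings.append(f"chain {name} is defined but not listed in group AllChains")
        port = _props(channels[refs[0]]).get("port") if refs and refs[0] in channels else None
        if port in listen:
            findings.append(f"port {port} is bound by both {listen[port]} and {refs[0]}")
        elif port:
            listen[port] = refs[0]
    findings += [f"group AllChains lists unknown chain {n}" for n in loaded - set(chains)]

    # Routing rules (clientAddressN or clientPortN -> serverAddressN) must cover exactly the listen ports.
    proxy = next((c for c in channels.values() if "numberofclientports" in _props(c)), None)
    if proxy is None:
        return findings + ["no channel defines numberOfClientPorts; the proxy has no routing rules"]
    props, rules = _props(proxy), {}
    for key, value in props.items():
        m = re.fullmatch(r"(clientaddress|clientport)(\d+)", key)
        if m:
            server = props.get("serveraddress" + m.group(2), "")
            if server != server.strip() or ":" not in server:
                findings.append(f"serverAddress{m.group(2)} {server!r} is not a clean host:port value")
            rules[value.rsplit(":", 1)[-1]] = server.strip()
    if int(props["numberofclientports"]) != len(rules):
        findings.append(f"numberOfClientPorts is {props['numberofclientports']} but {len(rules)} pairs are defined")
    findings += [f"{ch} listens on {p} but no routing rule forwards it" for p, ch in listen.items() if p not in rules]
    findings += [f"routing rule for port {p} exists but nothing listens on it" for p in rules if p not in listen]

    # The TLS channel must negotiate TLS: SSLv3 is not FIPS 140-2 approved.
    for name, channel in channels.items():
        for el in channel:
            attrs = {k.lower(): v for k, v in el.attrib.items()}
            if el.tag.lower() == "wccmproperty" and attrs.get("name") == "com.ibm.ssl.protocol":
                if attrs.get("wccmdefault", "").lower() in NON_FIPS_PROTOCOLS:
                    findings.append(f"{name} uses protocol {attrs['wccmdefault']}, which is not FIPS 140-2 approved")
    return findings


# Constructed sample (attributes the checker does not read are omitted; host names are placeholders).
GOOD_XML = """<config><channels>
<channel name="ProxyTCPChannel1"><property name="hostname" value="*"/><property name="port" value="8081"/></channel>
<channel name="ProxyTCPChannel2"><property name="hostname" value="*"/><property name="port" value="1533"/></channel>
<channel name="TLSInboundChannel"><wccmProperty name="com.ibm.ssl.protocol" wccmDefault="TLS"/></channel>
<channel name="SametimeProxyChannel"><property name="numberOfClientPorts" value="2"/>
<property name="clientAddress1" value="*:8081"/><property name="serverAddress1" value="st.example.com:8081"/>
<property name="clientAddress2" value="*:1533"/><property name="serverAddress2" value="st.example.com:1533"/>
</channel></channels>
<chains>
<chain name="SametimeProxyInboundChain1" type="0"><channel name="ProxyTCPChannel1"/>
<channel name="TLSInboundChannel"/><channel name="SametimeProxyChannel"/></chain>
<chain name="SametimeProxyInboundChain2" type="0"><channel name="ProxyTCPChannel2"/>
<channel name="TLSInboundChannel"/><channel name="SametimeProxyChannel"/></chain>
</chains>
<groups><group name="AllChains">
<chain name="SametimeProxyInboundChain1" type="0"><property name="enabled" value="true"/></chain>
<chain name="SametimeProxyInboundChain2" type="0"><property name="enabled" value="true"/></chain>
</group></groups></config>"""

# The same file after a third port was added the wrong way: chain 3 missing from AllChains,
# no routing rule for 554, a stray space in serverAddress2, and the TLS channel set to SSLv3.
BAD_XML = (GOOD_XML
           .replace("</channels>", '<channel name="ProxyTCPChannel3"><property name="port" value="554"/></channel></channels>')
           .replace("</chains>", '<chain name="SametimeProxyInboundChain3" type="0"><channel name="ProxyTCPChannel3"/>'
                    '<channel name="TLSInboundChannel"/><channel name="SametimeProxyChannel"/></chain></chains>')
           .replace('wccmDefault="TLS"', 'wccmDefault="SSLv3"')
           .replace('value="st.example.com:1533"', 'value=" st.example.com:1533"'))

if __name__ == "__main__":
    for label, xml in (("good", GOOD_XML), ("bad", BAD_XML)):
        print(label, check_proxy_config(xml) or "OK")
```

To check a real file, call check_proxy_config(open(path).read()) on the sametimeproxy.xml from the installedApps directory; the well-formed sample reports no findings, while the broken one reports four. The checker reads only the structural facts the procedure above relies on, so a clean result is not a substitute for the netstat checkpoint after the restart.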

Configuring Enterprise Meeting Server (EMS) for FIPS

These instructions assume that you have an installed and fully functional Sametime 8.0 EMS environment (DB2, WebSphere Application Server, IHS, EMS, and Room Servers). Refer to the existing EMS documentation for instructions on installing and configuring the EMS environment.

For instructions on enabling SSL for WebSphere Application Server, go to http://publib.boulder.ibm.com/infocenter/wasinfo/v6r1/index.jsp?topic=/com.ibm.websphere.base.doc/info/aes/ae/csec_sslsecurecom.html

For instructions on enabling SSL on IHS and the WebSphere Application Server plug-in, go to http://publib.boulder.ibm.com/infocenter/wasinfo/v6r1/topic/com.ibm.websphere.base.doc/info/aes/ae/tsec_httpserv2.html

Configuring the Sametime room servers for FIPS

1. Run the Lotus Notes client (nlnotes.exe) to update the FIPS configuration:
   a. Open the stconfig.nsf database.
   b. Open the MeetingServices document in the database.
   c. Set the FIPSEnabled parameter to True.
   d. Enter the host names and ports for the FIPS Proxy in the document. The ports must match the ports used in Step 4 of "Installing and configuring the FIPS Proxy on WebSphere Application Server". On a default Sametime server, Sametime Community uses port 1533, Sametime Meetings use port 8081, and Sametime Broadcast uses port 554.

2. (Optional) If you use self-signed certificates and followed the procedure in "Setting up IHS as a reverse proxy for Sametime" to set up IHS with a self-signed certificate, complete the following steps so that the Web client applets and the installed client accept connections from the server. These steps are not necessary if you are using a certificate from a valid Certificate Authority, and because they disable server authentication on the clients they are intended for testing only.
   a. Enable the use of self-signed certificates for the Meeting Room Client and meeting recording by editing the FIPS configuration settings described in Step 1. Change FIPS Allow Self-Signed Certificates to "true" to permit the use of certificates from an unknown Certificate Authority or a self-signed certificate.
   b. Enable the use of self-signed certificates for the installed Sametime Connect client by opening the sametime.ini file in your client installation directory and adding the following line:
      -DallowPeerCerts=true

Installing the FIPS Proxy on WebSphere Application Server

1. Install WebSphere Application Server (version 6.1.0.9 is supported) and enable it for FIPS mode. For more information, go to http://publib.boulder.ibm.com/infocenter/wasinfo/v6r1/index.jsp?topic=/com.ibm.websphere.base.doc/info/aes/ae/tsec_fips.html
   Note: This step should be applied only on the WebSphere Application Server where the FIPS Proxy will be deployed. The FIPS-enable setting for WebSphere Application Server cannot be applied on the WebSphere Application Server where EMS is deployed because of incompatibilities with single sign-on (SSO). The HTTP traffic to the EMS server is protected by IHS, which will be enabled for FIPS compliance.
2. Refer to the FIPS Proxy installation instructions above in the "Installing and configuring the FIPS Proxy" section. Those instructions provide details for installing the FIPS Proxy.war file, configuring the FIPS Proxy, and verifying that the FIPS Proxy is listening on the appropriate ports.

Relocating applets to IHS and modifying EMS to use IHS for applet download

Relocating the applets to the IHS server reduces the network traffic between the Room Server and the IHS server.

1. Copy the lotus/domino/data/domino/html/sametime folder to the docroot directory on your IHS server or servers. If you are using an IHS cluster, copy it to each server.
2. Confirm that you can access http://ihs_server/sametime/buildinfo.txt, and then update the APPLETDOWNLOADURL column in the STCONFIG.ROOMSERVER table in DB2 to reflect the host name of your IHS server (or cluster): access http://ems_server/iwc-admin/sql.jsp and enter the following command:
   UPDATE STCONFIG.ROOMSERVER SET APPLETDOWNLOADURL = 'https://ihs_server'
3. Refresh the configuration by restarting the EMS application servers. After the restart is complete, you should see the applets and other related files being served by your IHS cluster, and not by the Room Servers.
   Note: If any patch is applied to the Room Servers, you must re-copy the sametime folder to your IHS environment, and remove and re-add the affected servers to your EMS environment.

Setting FIPS-specific configuration for the Instant Meetings feature and materials management

1. On the Room Server, set URLBASE=https://ems-host/iwc/center in the [config] section of sametime.ini, and restart the Room Server to enable the Instant Meeting feature from the Sametime Connect client.
2. On the EMS server, make sure that the following configuration parameters are correct. From https://ems-host/iwc-admin/sql.jsp, enter the following command in the box and click the Execute SQL button:
   select * from stconfig.organization
3. In the results, ensure that the column marked MTGCNTRCONNECTIONURL contains https://ems-server/iwc/center. It should match the URLBASE set in the Room Server's sametime.ini file. If it is not correct, enter the following command in the entry box and click the Execute SQL button:
   update stconfig.organization set MTGCNTRCONNECTIONURL = 'https://<ems-host>/iwc/center'
   The result is a "1 record modified" statement.
   The second parameter is for enabling the dynamic attachment feature. In the SQL box, enter the command:
   select * from stconfig.roomserver
4. Click the Execute SQL button. In the results, look at the column marked MATERIALSREFRESHURL and update that column for all Room Servers so that the IHS Proxy is used to access the Room Servers, by entering the following command:
   update stconfig.roomserver set MATERIALSREFRESHURL = 'https://<fips-host>/<servlet>/refresh' where servername = '<servername>'
   The <servlet> part above must be unique for each Room Server. If you have two Room Servers, enter the command twice, like this:
   update stconfig.roomserver set MATERIALSREFRESHURL = 'https://<fips-host>/servlet1/refresh' where servername = 'CN=roomserver1/o=org'
   update stconfig.roomserver set MATERIALSREFRESHURL = 'https://<fips-host>/servlet2/refresh' where servername = 'CN=roomserver2/o=org'
   Note: The <servername> must exactly match the server names in the SERVERNAME column of the results. Server names are case-sensitive.
5. Refresh the EMS configuration. You can do this by opening the iwc-admin section and changing any configuration value (and then changing it back). Alternatively, you can restart EMS and the Room Servers to refresh the configuration.
   Note: 'fips-host' in this case represents the IHS server for which you have followed the configuration steps for the FIPS proxy.
6. On the IHS server, add the proxy rules needed for this to work. Use Notepad to edit the IBM HTTP Server\conf\rules.conf file, and add the following:
   ProxyPass /stsrc.nsf/ http://roomserver1.yourdomain.com/stsrc.nsf/
   ProxyPassReverse /stsrc.nsf/ http://roomserver1.yourdomain.com/stsrc.nsf/
   where "http://roomserver1.yourdomain.com" is the address of one of your Room Servers. You need to add this section only once.
7. Add the following for each of the Room Servers. Using the example above for two Room Servers, add:
   ProxyPass /servlet1/ http://roomserver1.yourdomain.com/servlet/
   ProxyPassReverse /servlet1/ http://roomserver1.yourdomain.com/servlet/
   ProxyPass /servlet2/ http://roomserver2.yourdomain.com/servlet/
   ProxyPassReverse /servlet2/ http://roomserver2.yourdomain.com/servlet/
8. Restart the IHS server for the changes to take effect.

Why this works: The requests that are usually handled by the Room Server are handled through the IHS proxy instead. The IHS proxy sends the request to the Room Server, which then redirects the request back to EMS, as it does in a normal environment where the Room Server is available to end users.

SSL Certificates Support

(Optional) If you use self-signed certificates and followed the procedures in the topic "Setting up IHS as a reverse proxy for Sametime" to set up IHS with a self-signed certificate, complete the following steps to allow the Web client applets and the installed client to accept connections from the server. (These steps are not necessary if you are using a certificate from a valid Certificate Authority.)
   a. Enable the use of self-signed certificates for the Meeting Room Client and meeting recording by editing the FIPS configuration settings outlined in Step 3. Change FIPS Allow Self-Signed Certificates to "true" to permit the use of certificates from an unknown Certificate Authority or a self-signed certificate.
   b. Enable the use of self-signed certificates for the installed Sametime Connect client by opening the sametime.ini file in your client installation directory and adding the following line:
      -DallowPeerCerts=true
   c. STLinks: See the instructions below for using the STLinks toolkit with a FIPS 140-enabled server. There is also a setting required there for use with a server that uses self-signed certificates.

(Optional) You may choose to use a different certificate keystore file instead of the default file (stkeystore.p12) provided with Sametime. The following steps outline changing the default keystore file and password.
   a. If you do not already have a keystore file, you can use the IBM Key Manager program (<domino root>/jvm/bin/ikeyman.exe) to create a new file or edit an existing one. The keystore file must be in PKCS12 file format.

      The default Sametime keystore file (stkeystore.p12) is found in several of the applet JARs and can be extracted and then renamed to be used as a replacement keystore file. The default keystore file can be found in <domino root>/data/domino/html/sametime/stmeetingroomclient/stmeetingroomclient.jar. The password for the stkeystore.p12 file is 'sametime', and that password applies only to managing the certificates in the keystore file. Individual certificates have their own passwords, and those passwords should never be published.
   b. Once a replacement certificate keystore file has been created, it must be copied to the individual applet directories so that it can be found when the Sametime applets are loaded. The replacement keystore file must be copied to the following directories:
      <domino root>/data/domino/html/sametime/stbroadcastclient
      <domino root>/data/domino/html/sametime/stdirectoryapplet
      <domino root>/data/domino/html/sametime/stmeetingroomclient
   c. The keystore filename and password must be set by editing the FIPS configuration as outlined in Step 3. Set the FIPS Keystore Filename to the name of the replacement keystore file that was copied to the applet directories. Set the FIPS Keystore Password to the password used to manage the keystore file. The replacement keystore file and password will be used by the client applets when FIPS is enabled to create secure connections based on the certificates contained in the keystore file.

STLinks FIPS Support

Refer to the topic "Configuring STLinks for FIPS" for instructions on using the STLinks toolkit with a FIPS 140-enabled server. There is also a setting required there for use with a server that utilizes self-signed certificates.
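The Room Server mapping in the Instant Meetings and materials management steps above has to agree in two places: the MATERIALSREFRESHURL values written to STCONFIG.ROOMSERVER (step 4) and the ProxyPass entries in rules.conf (steps 6 and 7). The following Python script is an added example, not part of the IBM documentation; it generates both from one inventory and cross-checks them (https to the FIPS host, a unique /servletN/ prefix per Room Server, a rule for every prefix). The server names, host names and FIPS host are constructed placeholders.

```python
from urllib.parse import urlparse

# Constructed inventory (placeholder hosts): each key is the value exactly as it
# appears in the SERVERNAME column, which is matched case-sensitively.
ROOM_SERVERS = {
    "CN=roomserver1/o=org": "roomserver1.yourdomain.com",
    "CN=roomserver2/o=org": "roomserver2.yourdomain.com",
}
FIPS_HOST = "fips-host.yourdomain.com"  # the IHS server fronting the FIPS Proxy

def materials_sql(room_servers, fips_host):
    """One UPDATE per Room Server; the /servletN/ prefix is unique per server."""
    stmts = []
    for n, servername in enumerate(room_servers, start=1):
        url = f"https://{fips_host}/servlet{n}/refresh"
        safe_name = servername.replace("'", "''")  # DB2 string-literal escaping
        stmts.append("update stconfig.roomserver set MATERIALSREFRESHURL = "
                     f"'{url}' where servername = '{safe_name}'")
    return stmts

def rules_conf(room_servers):
    """rules.conf lines: the stsrc.nsf pair once, then one pair per Room Server."""
    first_host = next(iter(room_servers.values()))
    lines = [f"ProxyPass /stsrc.nsf/ http://{first_host}/stsrc.nsf/",
             f"ProxyPassReverse /stsrc.nsf/ http://{first_host}/stsrc.nsf/"]
    for n, host in enumerate(room_servers.values(), start=1):
        lines.append(f"ProxyPass /servlet{n}/ http://{host}/servlet/")
        lines.append(f"ProxyPassReverse /servlet{n}/ http://{host}/servlet/")
    return lines

def check_mapping(stmts, lines, fips_host):
    """Return a list of problems (empty when consistent): every refresh URL must
    be https to the FIPS host, its /servletN/ prefix must have a ProxyPass rule,
    and no prefix may be reused by a second Room Server."""
    proxied = {l.split()[1] for l in lines if l.startswith("ProxyPass ")}
    problems, seen = [], set()
    for stmt in stmts:
        url = stmt.split("'")[1]          # first quoted literal is the URL
        u = urlparse(url)
        prefix = u.path[: u.path.rfind("/") + 1]
        if u.scheme != "https" or u.netloc != fips_host:
            problems.append(f"not https via FIPS host: {url}")
        if prefix in seen:
            problems.append(f"duplicate servlet prefix: {prefix}")
        if prefix not in proxied:
            problems.append(f"no ProxyPass rule for {prefix}")
        seen.add(prefix)
    return problems
```

Run check_mapping on the statements you actually executed through sql.jsp and the rules.conf you deployed; a non-empty result points at the Room Server whose refresh requests will not reach the IHS proxy.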