The Lotus Sametime system uses several security protocols to secure the communication between the Lotus Sametime computer systems and the communication through a number of web-based interfaces.
Configuration of Certificate Strategy
A Lotus Sametime system uses several security protocols. The customer must configure the certificate structure on which these protocols rely.
Deployment Scenario Integrated Simplex
In this deployment scenario only one Lotus Sametime computer system needs to be integrated into the security concept of the customer network: the application computer.
Deployment Scenario Small Duplex
In this deployment scenario the following Lotus Sametime computer systems must be integrated into the security concept of the customer network: the active application computer and the passive application computer (if present).
Customer Environment 1 (KU1) - PKI with CA
The customer network already operates a Public Key Infrastructure (PKI) with its own Certificate Authority (CA). The customer provides the required keys and the associated certificates directly as a PKCS#12 keystore file.
Customer Environment 2 (KU2) - PKI with CA and CSR
The customer network already operates a Public Key Infrastructure (PKI) with its own Certificate Authority (CA). A Certificate Signing Request (CSR) must be submitted to that CA to obtain the required certificates.
Customer Environment 3 (KU3) - PKI without CA
The customer already operates a Public Key Infrastructure, but without a Certificate Authority of its own.
Customer Environment 4 (KU4) - PKI Planned
The customer has not used a Public Key Infrastructure so far, but plans to introduce one together with the Lotus Sametime system.
The configuration steps of the certificate strategy depend on which of these customer environments applies; each step below is marked with the environments (KU1 to KU4) it applies to.
Preparation of Certificate Strategy
Before you can configure the certificate strategy, the preparatory steps must be completed: determining the Lotus Sametime setup directory, the keytool command, the keystore directory and the directory for the SSL/TLS configuration, and defining an X.500 Distinguished Name for the certificates.
Configuration of a Simple Certificate Authority
KU4: A simple certificate authority configured in this way should only be used for testing purposes, on one of the application computers of the Lotus Sametime system. The freely available OpenSSL software is used for the configuration; it is usually pre-installed on Linux systems.
Creation of a Pair of Keys for the Application Computer
KU2, KU3, KU4: You need to create a key pair for the application computer. If you use an active and a passive application computer, both use the same key pair, since these computer systems are addressed under the same host name and the server certificate is therefore issued for that shared host name.
Signing Certificate Sign Requests
KU2, KU3, KU4: The newly created key pairs must be certified to confirm the identity of the associated computer systems. To do this, the associated certificate signing requests are signed by a certificate authority (in KU4, the simple test certificate authority configured above).
Activation of Server Keystore for the CMP
KU1, KU2, KU3, KU4: When a user opens the CMP (Common Management Portal) in a web browser, the CMP and the web browser exchange certificates during the TLS handshake. The server keystore activated in this step holds the key pair and the certificate with which the CMP authenticates itself to the browser.
Import of Root Certificate in the Client Browser
KU4: The Lotus Sametime computer systems authenticate themselves to the client browsers of the Lotus Sametime users with their configured server certificates. For the client browsers to accept these server certificates, you need to import the root certificate with which the server certificates of the Lotus Sametime computer systems were signed into the trust store of the client browsers of the Lotus Sametime users. Note that a browser additionally checks that the host name it connects to matches the certificate, so the server certificates must be issued for the host name the users actually use.
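The following script is an added example and is not part of the original Lotus Sametime documentation. It walks through the KU4 test CA, the key pair and certificate signing request for the application computer, the signing of that request, and the PKCS#12 bundle (the delivery format named for KU1) in one run, and finishes with the checks a practitioner would want before deploying: the chain verifies against the root and the certificate carries the shared host name as a Subject Alternative Name. The working directory, the CA name, the host name sametime.example.com, the DN values and the PKCS#12 password are assumptions for the example; replace them with the values determined in the preparation step.

```shell
#!/bin/sh
# Added example, not part of the original Lotus Sametime documentation.
# Builds the KU4 test CA with OpenSSL, then runs the KU2/KU3/KU4 steps for the
# application computer: key pair, certificate signing request, signing, and a
# PKCS#12 bundle (the delivery format named for KU1). Directory, host name,
# DN values and the PKCS#12 password are assumptions for the example.
set -eu

WORKDIR="${WORKDIR:-$(mktemp -d)}"          # assumed working directory
CA_CN="Example Test CA"                      # assumed CA name
SERVER_HOST="sametime.example.com"           # assumed shared host name of the
                                             # active and passive computer
SERVER_SUBJ="/C=DE/O=Example Customer/CN=${SERVER_HOST}"
P12_PASS="changeit"                          # test value only

# Request configuration of our own, so the example does not depend on the
# system-wide openssl.cnf. ca_ext is only used for the self-signed CA cert.
write_req_config() {
  cat > "$WORKDIR/req.cnf" <<EOF
[ req ]
distinguished_name = dn
x509_extensions    = ca_ext
prompt             = no
[ dn ]
CN = ${CA_CN}
O  = Example Customer
[ ca_ext ]
basicConstraints     = critical,CA:TRUE
keyUsage             = critical,keyCertSign,cRLSign
subjectKeyIdentifier = hash
EOF
}

# KU4: simple test CA. ca.crt is the root certificate the users' browsers
# must import later; ca.key must never leave the test system.
make_test_ca() {
  openssl req -x509 -newkey rsa:2048 -nodes -sha256 -days 365 \
    -config "$WORKDIR/req.cnf" \
    -keyout "$WORKDIR/ca.key" -out "$WORKDIR/ca.crt" 2>/dev/null
  chmod 600 "$WORKDIR/ca.key"
}

# KU2/KU3/KU4: one key pair for the application computer. The active and the
# passive computer share it because both are reached under SERVER_HOST.
make_server_keypair_and_csr() {
  openssl genpkey -algorithm RSA -pkeyopt rsa_keygen_bits:2048 \
    -out "$WORKDIR/server.key" 2>/dev/null
  chmod 600 "$WORKDIR/server.key"
  openssl req -new -sha256 -config "$WORKDIR/req.cnf" \
    -key "$WORKDIR/server.key" -subj "$SERVER_SUBJ" -out "$WORKDIR/server.csr"
}

# KU2/KU3/KU4: sign the CSR. The SAN is what browsers match against the host
# name; a certificate carrying only a CN is rejected by current browsers.
sign_server_csr() {
  cat > "$WORKDIR/server.ext" <<EOF
basicConstraints = CA:FALSE
keyUsage         = critical,digitalSignature,keyEncipherment
extendedKeyUsage = serverAuth
subjectAltName   = DNS:${SERVER_HOST}
EOF
  openssl x509 -req -sha256 -days 365 -in "$WORKDIR/server.csr" \
    -CA "$WORKDIR/ca.crt" -CAkey "$WORKDIR/ca.key" -CAcreateserial \
    -extfile "$WORKDIR/server.ext" -out "$WORKDIR/server.crt" 2>/dev/null
}

# Check before deploying: the chain verifies against the root and the SAN
# carries the host name the users will actually use.
verify_server_cert() {
  openssl verify -CAfile "$WORKDIR/ca.crt" "$WORKDIR/server.crt" >/dev/null &&
    openssl x509 -in "$WORKDIR/server.crt" -noout -text |
    grep -q "DNS:${SERVER_HOST}"
}

# Key, certificate and root in one PKCS#12 file, ready for import into the
# Java keystore with keytool.
bundle_pkcs12() {
  openssl pkcs12 -export -name sametime \
    -inkey "$WORKDIR/server.key" -in "$WORKDIR/server.crt" \
    -certfile "$WORKDIR/ca.crt" -passout "pass:${P12_PASS}" \
    -out "$WORKDIR/server.p12"
}

run_all() {
  write_req_config && make_test_ca && make_server_keypair_and_csr &&
    sign_server_csr && verify_server_cert && bundle_pkcs12 &&
    echo "artifacts in $WORKDIR"
}

command -v openssl >/dev/null 2>&1 || { echo "openssl not found" >&2; exit 1; }
run_all
```

In KU1 the customer delivers the equivalent of server.p12 directly; in KU2 and KU3 the server.csr produced here goes to the customer's CA instead of the test CA, and the returned certificate takes the place of server.crt. In all four environments the resulting PKCS#12 file is imported into the Java keystore with keytool -importkeystore -srcstoretype PKCS12, and in KU4 the ca.crt produced here is the root certificate to import into the users' browsers.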
Additional instructions for configuring the certificate strategy in a customer environment.