Securing communications

Secure communications between components of Global Mailbox by configuring TLS/SSL according to your business requirements. Implement NIST or FIPS compliance by configuring Liberty and Global Mailbox with specific settings.

About this task

The communications between components are secured by default during installation for the most typical topology. For some circumstances, such as a test or demo system, less secure communications might be appropriate. In other situations, even tighter security might be required.

To modify security settings for communications:

Procedure

  1. Secure connections to the Global Mailbox management tool by using SSL/TLS. This is enabled by default. For information about changing this configuration, see Securing the Global Mailbox User Interface with SSL.
  2. Global Mailbox uses the capabilities provided by the Liberty profile to enable secure communication with TLS/SSL.
  3. To configure Liberty for NIST compliance, see Setting up a Liberty profile to run in SP800-131a.
  4. To configure Global Mailbox for NIST compliance, see Securing the Global Mailbox User Interface with SSL.
  5. Each Global Mailbox node in the cluster must be individually configured for TLS/SSL. If the TLS/SSL configuration is changed in the server.xml file of one Global Mailbox node, the same changes must be made to the other Global Mailbox nodes in the cluster. This includes copying the keystore and truststore lines from the server where the changes were made to the other servers.
  6. To restrict access to the server to trusted clients only, the connection between Global Mailbox and Cassandra must be secured. This is disabled by default. Enable it to secure the database server for the internal network. For information about enabling it, see Securing Apache Cassandra SSL connections.
  7. SSL connections between Global Mailbox and the application are enabled by default and are set during installation. To change Global Mailbox to NIST, see Securing the Global Mailbox User Interface with SSL.
    Important: If you make a mistake when you change server.xml and save the file, Liberty does not immediately apply the configuration. However, the file on disk is changed, so if you restart Liberty using the changed file, Liberty does not start and you cannot log in to the Global Mailbox management tool. Before making changes to the server.xml file, make a backup copy of the file in case a mistake is made.
  8. To secure connections to WebSphere MQ, see Securing connections to WebSphere MQ.
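
One way to check steps 5 and 7 before restarting Liberty, as an added example that is not part of the product documentation: the script below parses each node's server.xml, flags a file that is not well-formed, and reports keyStore and ssl elements that differ from the first node. The node names, file contents, element ids and passwords are constructed samples; in practice the text would be read from a copy of each node's server.xml.

```python
import xml.etree.ElementTree as ET

TLS_TAGS = ("keyStore", "ssl")  # Liberty elements holding the settings step 5 covers

def tls_settings(server_xml_text):
    """Map (tag, id) -> attributes; raises ET.ParseError on malformed XML."""
    root = ET.fromstring(server_xml_text)
    return {(e.tag, e.get("id", "")): dict(e.attrib)
            for e in root.iter() if e.tag in TLS_TAGS}

def find_drift(nodes):
    """Compare each node's TLS elements with the first parseable node."""
    findings, parsed = [], {}
    for name, text in nodes.items():
        try:
            parsed[name] = tls_settings(text)
        except ET.ParseError as err:
            # A file like this is what stops Liberty from starting after a restart.
            findings.append(f"{name}: server.xml is not well-formed ({err})")
    if not parsed:
        return findings
    ref_name, ref = next(iter(parsed.items()))
    for name, cur in parsed.items():
        if name == ref_name:
            continue
        for key in sorted(set(ref) | set(cur)):
            tag, ident = key
            if key not in cur or key not in ref:
                state = "missing" if key not in cur else "not present on " + ref_name
                findings.append(f"{name}: <{tag} id='{ident}'> {state}")
                continue
            # Report attribute names only, so keystore passwords never reach logs.
            for attr in sorted(set(ref[key]) | set(cur[key])):
                if ref[key].get(attr) != cur[key].get(attr):
                    findings.append(f"{name}: <{tag} id='{ident}'> differs in '{attr}'")
    return findings

# Constructed sample files; element ids, file names and passwords are made up.
NODE1 = """<server>
  <keyStore id="defaultKeyStore" location="key.p12" password="constructed1"/>
  <keyStore id="defaultTrustStore" location="trust.p12" password="constructed1"/>
  <ssl id="defaultSSLConfig" keyStoreRef="defaultKeyStore"
       trustStoreRef="defaultTrustStore" sslProtocol="TLSv1.2"/>
</server>"""
NODE2 = NODE1.replace(' sslProtocol="TLSv1.2"', "").replace("trust.p12", "old-trust.p12")
NODE3 = NODE1.replace("</server>", "")  # simulates a bad edit saved to disk

if __name__ == "__main__":
    for line in find_drift({"node1": NODE1, "node2": NODE2, "node3": NODE3}):
        print(line)
```

An empty result means the compared elements match on every node; the check does not confirm that the keystore and truststore files themselves are identical.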