Set Up Your Own Secure Messaging System with iChat Server
Instant messaging is often considered a way to keeping in touch with friends (and is usually associated with teenagers). However, in many business environments—particularly those with offices in multiple locations—messaging can be an excellent way to get quick responses from colleagues. One concern of many organizations, however, is that public messaging services such as AOL Instant Messenger don’t provide any form of security.
Apple’s iChat Server provides a very easy solution for setting up your own internal messaging system that is secured using SSL.
iChat Server actually gives you more potential solutions than using a public messaging system. In addition to providing an encrypted solution for instant messaging, it also supports audio and video chats, providing a low-cost solution for video conferencing.
Combined with Apple Remote Desktop as a screen sharing solution, its audio and video features can create a powerful remote collaboration and training tool at a much lower cost than many commercial remote training packages.
Setting Up Your Server
iChat Server is based on the open-source Jabber protocol and is built into Mac OS X Server. Like many open-source technologies used in Mac OS X Server, Apple has tweaked Jabber to integrate it with Open Directory. This means that organizations with a directory services infrastructure can enable iChat Server without the need to manually create user chat accounts.
Any user who can log in using directory services automatically has access, which makes deploying iChat Server extremely quick and simple.
In addition to being bound to directory services, the server hosting iChat Server must have a domain name that is fully resolvable by the DNS servers. The fully qualified domain name of the server is used not only for message delivery but also to generate the screen names of each user. Screen names are derived from a user account’s short name followed by @ and then the fully qualified domain name of the server, resulting in a name similar to email@example.com. If the server’s name is unwieldy or not descriptive, you can use CNAME records in your DNS server to create aliases that resolve to the server.
Configuring iChat Server is done with Server Admin and offers only a handful of basic options, as shown in Figure 1.
Figure 1 iChat server settings
The first option enables you to enter the various hostnames for the server used to generate screen names. The default hostname of the server is displayed. If you are using CNAME records to create aliases using an alternate name, you can enter the name(s) in this listbox so that screen names using those alternate server names will be valid.
There is also a welcome message field that enables you to enter a welcome message sent to users when they connect to the server (though this is, ironically, not supported by the current version of iChat). Like a login banner message, this can be a great way to communicate information to your users. It can also be used to inform users about any chat or acceptable use policies that your organization has established.
The final option is a pop-up menu to select the certificate that is used to encrypt communication between clients and the server using SSL. This menu will display any certificates that have been configured for the server, including self-signed certificates created on the server, certificates from certificate authorities on the Internet such as Verisign, and the default certificate installed with Mac OS X Server.
You should always avoid using the default certificate because it is created to secure communication between a server and Apple’s server administration applications when they are run remotely. Since the server will be internal to your organization, you can generally use self-signed certificates without concern (though this may require configuration of some non-Apple Jabber clients to support those certificates).
Once you’ve configured these options, you can click the start service button in the Server Admin toolbar, which launches the Jabber process on which iChat Server is built. Users can then connect using iChat or any other Jabber client. Although user buddy lists are stored on the server and are available at whichever computer a user connects from, there is currently no built-in mechanism for autogenerating buddy lists. As a result, users will need to create buddy lists manually.