Professional Documents
Culture Documents
SC23-8624-00
Lotus Sametime
®
SC23-8624-00
Note
Before using this information and the product it supports, read the information in “Notices” on page 541.
Edition notice
This edition applies to version 8.5 of IBM Lotus Sametime (program number 5724–J23) and to all subsequent
releases and modifications until otherwise indicated in new editions.
© Copyright International Business Machines Corporation 1996, 2009.
US Government Users Restricted Rights – Use, duplication or disclosure restricted by GSA ADP Schedule Contract
with IBM Corp.
Contents
Chapter 1. Configuring . . . . . . . . 1 Using a different SSL certificate for servers
Configuring Sametime to access LDAP without a running on WebSphere . . . . . . . . . 241
Sametime System Console . . . . . . . . . . 1 Adding a Sametime server SSL certificate to the
Configuring a Sametime Community Server . . . . 2 Sametime System Console . . . . . . . . 242
Do I need to restart the Sametime server? . . . 2 Updating Sametime Media Manager connection
Mapping the user ID to a unique directory properties on the console . . . . . . . . 243
attribute . . . . . . . . . . . . . . 18 Configuring security for the Lotus Sametime
Turning off case sensitivity on the Lotus Community Server . . . . . . . . . . 244
Sametime Community Server . . . . . . . 26 Importing an SSL certificate from Lotus
Managing client types and logins . . . . . . 26 Sametime Unified Telephony . . . . . . . 318
Creating custom Java classes for searching the
LDAP . . . . . . . . . . . . . . . 28 Chapter 2. Administering . . . . . . 319
Ports used by the Sametime Community Server 33 Command reference for starting and stopping
Using reverse proxy or portal servers with the servers . . . . . . . . . . . . . . . 319
Sametime server . . . . . . . . . . . . 39 Lotus Sametime component URLs . . . . . . 322
Using multiple non-clustered Lotus Sametime Managing users with policies . . . . . . . . 325
Community Servers . . . . . . . . . . 53 Finding policies associated with a user . . . . 326
Clustering Lotus Sametime Community Servers 77 Creating new user policies . . . . . . . . 326
Configuring SiteMinder for the Lotus Sametime Assign users and groups to policies . . . . . 327
server . . . . . . . . . . . . . . . 92 Changing a user policy’s weight . . . . . . 339
Configuring the Sametime client . . . . . . . 97 Managing administrator access and roles . . . . 339
Client update process . . . . . . . . . . 97 Starting the Sametime Administration Tool . . 340
Writing custom messages for clients . . . . . 98 Adding a Sametime administrator in Domino
Creating an update site for plug-in access . . . 99 LDAP . . . . . . . . . . . . . . . 340
Turning off case sensitivity in the Lotus Roles in Sametime database ACLs . . . . . 344
Sametime Connect client . . . . . . . . 100 Administering a Lotus Sametime System Console 347
Basic Sametime Connect client connection Backing up the console database . . . . . . 348
process . . . . . . . . . . . . . . 101 Starting the Lotus Sametime System Console 348
Client connections over HTTP tunneling . . . 106 Administering a Lotus Sametime Community
Configuring Lotus Sametime for mobile users . . 107 Server . . . . . . . . . . . . . . . . 348
Configuring the Lotus Domino server for Lotus Updating Sametime Community Server
Sametime Mobile support . . . . . . . . 107 connection properties on the console . . . . 348
Configuring Sametime Mobile for client Configuring Sametime Community Server
downloads . . . . . . . . . . . . . 108 connectivity . . . . . . . . . . . . . 349
Configuring a Lotus Sametime Proxy Server . . . 112 Managing trusted IP addresses . . . . . . 350
Configuring connectivity . . . . . . . . 112 Forcing users to connect to a home server . . . 351
Configuring Lotus Connections as the business Managing community services . . . . . . 352
card server . . . . . . . . . . . . . 114 Managing anonymous access to virtual places 357
Setting up click-to-call . . . . . . . . . 115 Sending a message to all users . . . . . . 358
Clustering Lotus Sametime Proxy Servers . . . 115 Managing business cards . . . . . . . . 359
Configuring a Lotus Sametime Media Manager . . 127 Changing user names . . . . . . . . . 384
Clustering Lotus Sametime Media Manager Changing the IP address of an IBM i Sametime
components . . . . . . . . . . . . . 127 Community Server . . . . . . . . . . 403
Configuring a Lotus Sametime Meeting Server . . 160 Changing the host name of an IBM i Sametime
Configuring the Sametime Meeting Server for Community Server . . . . . . . . . . 403
document conversion. . . . . . . . . . 160 Monitoring the Sametime Community Server 405
Assigning administrators to the Meeting Room Administering a Lotus Sametime Proxy Server . . 407
Center . . . . . . . . . . . . . . . 163 Updating Sametime Proxy Server connection
Clustering Lotus Sametime Meeting Servers . . 163 properties on the console . . . . . . . . 407
Configuring Sametime Gateway . . . . . . . 183 Administering a Lotus Sametime Media Manager 408
Setting up TLS/SSL . . . . . . . . . . 183 Updating Sametime Media Manager connection
Connecting servers to Sametime Gateway . . . 203 properties on the console . . . . . . . . 408
Installing and configuring event logging . . . 231 Managing UDP ports for voice chat and video
Configuring Sametime Gateway properties . . 236 calls . . . . . . . . . . . . . . . 409
Configuring security . . . . . . . . . . . 241 Managing multiple audio and video streams 410
Contents v
vi Lotus Sametime: Installation and Administration Guide Part 2
Chapter 1. Configuring
After setting up your initial IBM® Lotus® Sametime® environment, you may want
to make additional changes, such as creating clusters of servers and enabling SSL.
This section contains information about enlarging and securing your Lotus
Sametime environment.
If you did not provide the connection information during installation or if the
information was incorrect, your Sametime server will be unable to connect to the
LDAP server and Sametime will not start. Usually, the underlying Domino® server
will start with errors but you can still access the directory assistance database to
make the necessary changes. After you have corrected the LDAP connection
information, restart the server.
Note: If the Sametime startup failures cause a more serious problem and you are
not able to access the Directory Assistance database, remove ″staddin″ or
″staddin2″ (on IBM i) from the ″Tasks″ list in the Sametime server’s notes.ini file,
and restart the server. After making the necessary configuration changes, put
″staddin″ or ″staddin2″ back in the ″Tasks″ list and restart the Sametime server.
The installation program for Windows®, AIX®, Linux®, and Solaris provides the
opportunity to fully configure all of the LDAP directory settings for a single LDAP
server. If you chose not to update the settings during installation, if you need to
configure additional LDAP directories, or if the settings are not correct, use the
Sametime Administration Tool to configure the LDAP Directory settings.
Main
Function in Sub - Details - Required
Admin Function Setting Switches restart Comments
Community
server events
and activities
Connections to
other meeting
servers in this
community
Meeting Events
Meeting server
events and
activities
Capacity Number of No
Warnings - active screen
Sharing in sharing/
Instant whiteboard
Meetings meetings
exceeds
Number of
people in all
screen
sharing/
whiteboard
meetings
exceeds
Number of
people in one
active screen
sharing/
whiteboard
meeting exceeds
Chapter 1. Configuring 3
Main
Function in Sub - Details - Required
Admin Function Setting Switches restart Comments
Number of
people in all
screen
sharing/
whiteboard
meetings
exceeds
Number of
people in one
active screen
sharing/
whiteboard
meeting exceeds
Port number
Address for
client
connections
Port number
(default 1533)
Address for
HTTPS tunneled
client
connections
Port number
Chapter 1. Configuring 5
Main
Function in Sub - Details - Required
Admin Function Setting Switches restart Comments
Port number
(default 8082 or
80)
Port number
Address for
client
connections
Port number
(default 1503)
Address for
HTTPS tunneled
client
connections
Port number
(default 8081)
Port number
(default 8081 or
80)
Broadcast
Services
Network
Chapter 1. Configuring 7
Main
Function in Sub - Details - Required
Admin Function Setting Switches restart Comments
Port number
(default 8084)
Multimedia Yes
Processor
(MMP) UDP
port numbers
start at :49252
Multimedia
Processor
(MMP) UDP
port numbers
end at :65535
Multimedia Yes
control address
Port number
(default 9093)
Server Alias
(this is what the
Reverse Proxy is
using to
forward
HTTP(S)
messages to this
server)
Chapter 1. Configuring 9
Main
Function in Sub - Details - Required
Admin Function Setting Switches restart Comments
How often to
poll for new
names added to
the Sametime
Community
Directory
(minutes) : (60)
How often to
poll for new
servers added to
the Sametime
Community
(minutes): (60)
Maximum user
and server
connections to
the Community
server: (20000)
Maximum file
size allowed
(KB):1000
Display the No
″Launch
Sametime
Connect for
browsers″ link
on the Sametime
Home page
(stcenter.nsf).
Chapter 1. Configuring 11
Main
Function in Sub - Details - Required
Admin Function Setting Switches restart Comments
Users of
Sametime
applications
(databases such
as stconf.nsf or
Web sites) can
specify a display
name so that
they do not
appear online as
″anonymous.″
This does not
authenticate
users.
(Databases must
also allow
anonymous
access in the
ACL.)
Default domain
for anonymous
users:Guest
Default name:
User
Users can
browse the
directory (see a
list of names) or
type names
(resolve users
and groups).
Users can
browse the
directory to see
group content
and names, or
type names
(resolve user
and groups).
After a meeting,
add the names
of participants
to the meeting
document
Chapter 1. Configuring 13
Main
Function in Sub - Details - Required
Admin Function Setting Switches restart Comments
Participants can
share their
screen, view a
shared screen,
or control a
shared screen if
the moderator
permits.
Participants can
share their
screen if the
moderator
permits or view
a shared screen.
Participants can
view the shared
screen only.
Force Screen No
Sharing to use
8-bit color.
Allow people to No
choose the
whiteboard tool
in meetings
Allow people to
save whiteboard
annotations as
attachments to
the meeting.
Allow people to No
enable the ″Send
Web Page″ tool
in meetings
Allow people to No
choose the
Polling tool in
meetings
Allow people to No
record meetings
for later
playback
(scheduled
meetings only).
Save recorded
meetings in the
following
location
Stop recording
when this much
disk space is left
(MBytes) (an
error is written
to the log.):300
Require all No
scheduled
meetings to
have a
password
Chapter 1. Configuring 15
Main
Function in Sub - Details - Required
Admin Function Setting Switches restart Comments
Allow people to
choose
Sametime IP
Video in
meetings.
Time to wait
before switching
to next video
(500 - 4000 ms):
2000
Recorded
Meeting
Broadcast
Meetings
Connection
Speed
Settings
Chapter 1. Configuring 17
Main
Function in Sub - Details - Required
Admin Function Setting Switches restart Comments
Sametime provides the RESOLVE mode which lets you run the name conversion
utility one time only, in a way that eliminates the need for additional conversions
in the future. You change the Lotus Sametime LDAP configuration, to map the
user ID to a directory attribute in the person entry that is not bound to change. In
such a deployment, where the user ID attribute is constant, a name change does
not trigger a user ID change, eliminating the need for running the tool. RESOLVE
migrates the VpUserInfo.nsf database, from the old user ID to the new user ID.
Preparing to run the Name Change task in RESOLVE mode requires editing the
sametime.ini file on the IBM Lotus Sametime Community Server.
Note: Create a CSV for only one type of change: RESOLVE. You cannot mix
name change types in the same CSV.
3. Name and save the file with an extension of .csv in a directory accessible by
the Sametime server.
You change the Lotus Sametime LDAP configuration, to map the user ID to a
directory attribute in the person entry that is not bound to change. This change
eliminates the need for running the tool. RESOLVE migrates the VpUserInfo.nsf
database, from the old user ID to the new user ID.
Note: The old name will still appear in the contact list for users that have
previously added them.
If your LDAP directory does not contain an attribute with a unique value in the
person entry, then you must change to the schema to provide one. See the
documentation provided by your specific LDAP vendor. See also RFC 4530
(http://www.ietf.org/rfc/rfc4530.txt) which introduces the entryUUID attribute
in LDAP directories. The value of this attribute is constant by definition, which
makes it suitable for the user ID mapping in Lotus Sametime. If your LDAP
directory does not support this attribute, consider extending the directory schema
to support it. In case you prefer to use an existing attribute instead of modifying
the schema, choose an attribute that is not bound to change when users change
their name or relocate. Here are examples of stable attributes in some well-known
LDAP servers:
v IBM Directory Server: ibm-entryUUID
v Domino LDAP: dominounid
v Novell Directory Server (NDS): guid
v SunOne: nsuniqueid
v Active Directory: objectGUID
Unlike the ID name conversion mode, which expects a table of oldName and
newName entries as input, the RESOLVE mode does not expect any input from the
Chapter 1. Configuring 19
administrator. When the name conversion is run in this mode, it looks up each
user ID in the database against the directory, and replaces the old user ID with the
directory user ID. The tool accomplishes this by using the StResolve service to
lookup each person. This requires the administrator to make the LDAP
configuration change to use the new user ID mapping before running the tool.
Before you create a name change task, create a comma-separated value (CSV) file
of the name changes in the Lotus Sametime Community Server directory.
A name change task is not actually a scheduled program; its timestamp merely
indicates when the task was created and not when it will be run. The list of tasks
is ignored until you run the stnamechange.cmd program, which then operates on all
of the tasks in the list, using the .CSV files specified in the Name Change page.
Note: If you only want to edit a task, you can click the name of the scheduled
task to edit it.
6. Enter a name in the Name of Task field. The name is at your discretion. By
default, the name is the date the task is created.
7. Optional: Enter a description for the task.
8. Optional: If you want to run the task on all servers in the cluster, then select
All Servers.
9. Browse for the CSV file you want to use, and then click OK.
10. The name change task appears in the list of scheduled tasks.
All tasks listed here run when the stnamechange.cmd is run.
Results
After you have completed these steps on one Lotus Sametime Community server,
it may be necessary to repeat this process on other home Lotus Sametime
Community servers in your environment. You must replicate the NSF file to all the
Lotus Sametime Community servers so all are included, regardless of the server on
which it was defined.
When you are done setting up the task, name changes are saved to
stnamechange.nsf. This file is used by Domino to replicate the name changes
To Delete a name change task, on the Name Change page, select the task, and then
click Delete. If any name changes are not entered correctly, you can import a new
CSV file.
Before you begin, create a comma-separated value file with name changes, and
then create a name change task. IBM recommends running the name conversion
utility at off-peak hours.
It is not necessary to run the name change conversion utility on every IBM Lotus
Sametime Community Server in a cluster. For clusters, the task should run once on
one server and then replicated to other servers in the cluster. Note that the All
servers option on the Name Change page in the Sametime System Console does
not work because of the procedure for replicating across all servers. If you create a
Name Change task and select All servers, only the server you are logged on to
contains the task--other servers do not. This is viewable in stnamechange.nsf
through the Notes® client. The correct procedure is to create the name change task
on all the servers in the community.
Follow these steps to run the name conversion utility in RESOLVE mode on
Windows.
Running the name conversion utility in RESOLVE mode, migrates the old user ID
to a new user ID that is a directory attribute that is not likely to change. The tool
Chapter 1. Configuring 21
looks up each and every user ID in the database against the directory, and replaces
the old user ID with the directory user ID. In such a deployment, where the user
ID attribute is constant, a name change does not trigger a user ID change,
eliminating the need for running the tool. Name change in RESOLVE mode differs
from running other name conversion modes, because in the RESOLVE mode the
Lotus Sametime Community server should be running, so that the name change
utility can access StResolve
1. Disable the Sametime Community Server multiplexor service Sametime Polling
service on all servers in the cluster.
a. Open the sametime_installation_directory/STCommLaunch.dep file in an
editor and comment out the following lines by putting a number sign # in
front of them:
#SERVERAPP ST Mux,ST Community,SOFT
#SERVERAPP ST Polling,ST Mux,SOFT
b. Select Start → Control Panel → Administrative Tools → Services.
c. In the Services window, right-click ST Mux, and select Stop.
d. In the Services window, right-click ST Polling, and select Stop.
2. Change your Lotus Sametime Community Server configuration to use a unique
user ID, so you run the name change utility in RESOLVE mode. This is
controlled in the LDAPServer document in StConfig.nsf,
a. Log in to the Integrated Solutions Console.
b. Click Sametime System Console → Sametime Servers → Sametime
Community Servers .
c. In the Sametime Community Servers list, click the deployment name of the
server with the connectivity information that you want to change.
d. Click the Community Services tab.
e. Under LDAP Attributes, enter the name of the field within the LDAP
person entries that contains the unique value used for logging in the
Attribute used for determining the internal user ID field. For example,
objectGUID contains a commonly-used unique value for logging in to
Sametime.
f. Click OK.
3. Restart the Lotus Sametime Community Server.
4. Open a command prompt, change to the Domino directory, and then type the
following command to run the name conversion utility:
stnamechange.cmd
5. Define the LDAP search filter responsible for selecting a user name from the
LDAP directory. The LDAP search attribute must match the Attribute used for
determining the internal user ID field of the IBM Lotus Sametime Community
Server
a. In the Integrated Solutions Console, click Sametime System Console →
Sametime Prerequisites → Connect to LDAP Servers.
b. Select the Deployment Name of your LDAP server.
c. Click Next until you get to Collect Person Settings.
d. Edit the Search Attributes field. It must include the attribute that you
specified as the Attribute used for determining the internal user ID for the
Sametime Community Server. For example, objectGUID.
e. Click Next until you get to the Summary screen, then click Finish.
6. Enable the Sametime Community Server multiplexer and Sametime Polling
services.
Follow these steps to run the name conversion utility in RESOLVE mode on IBM i.
Running the name conversion utility in RESOLVE mode, migrates the old user ID
to a new user ID that is a directory attribute that is not likely to change. The tool
looks up each and every user ID in the database against the directory, and replaces
the old user ID with the directory user ID. In such a deployment, where the user
ID attribute is constant, a name change does not trigger a user ID change,
eliminating the need for running the tool.
1. Stop the IBM Lotus Sametime Community Server, but leave the Domino
server running by running TELL STADDIN2 QUIT from the Domino console.
2. Go to the OS/400® command line and edit the data-directory/
STCommLaunch.dep file and comment out the following line by putting a
number sign # in front of it:
#SERVERAPP StMux,StCommunty,SOFT
3. Restart the Lotus Sametime Community Server by running LOAD STADDIN2
from the Domino console. This starts the server without running Sametime
Community Server multiplexer service. Name change in RESOLVE mode
differs from running other name conversion modes, because in the RESOLVE
mode the Lotus Sametime Community server should be running, so that the
name change utility can access StResolve
4. Change your Lotus Sametime Community Server configuration to use a
unique user ID, so you run the name change utility in RESOLVE mode. This is
controlled in the LDAPServer document in StConfig.nsf,
a. Log in to the Integrated Solutions Console.
b. Click Sametime System Console → Sametime Servers → Sametime
Community Servers .
c. In the Sametime Community Servers list, click the deployment name of
the server with the connectivity information that you want to change.
Chapter 1. Configuring 23
d. Click the Community Services tab.
e. Under LDAP Attributes, enter the name of the field within the LDAP
person entries that contains the unique value used for logging in the
Attribute used for determining the internal user ID field. For example,
objectGUID contains a commonly-used unique value for logging in to
Sametime.
f. Click OK.
5. Go to the OS/400 command line, and enter the following command: ″QSH″
This opens up a command line where the Name Change task is run.
6. Type the following commands:
cd <data directory>
stnamechange <data directory>
7. View the NameConversion**** log file starting with located in the Sametime
server directory/trace folder. The asterisks in the file name are variable
characters.
8. Define the LDAP search filter responsible for selecting a user name from the
LDAP directory. The LDAP search attribute must match the Attribute used
for determining the internal user ID field of the IBM Lotus Sametime
Community Server
a. In the Integrated Solutions Console, click Sametime System Console →
Sametime Prerequisites → Connect to LDAP Servers.
b. Select the Deployment Name of your LDAP server.
c. Click Next until you get to Collect Person Settings.
d. Edit the Search Attributes field. It must include the attribute that you
specified as the Attribute used for determining the internal user ID for
the Sametime Community Server. For example, objectGUID.
e. Click Next until you get to the Summary screen, then click Finish.
9. Stop the IBM Lotus Sametime Community Server, but leave the Domino
server running by running TELL STADDIN2 QUIT from the Domino console.
10. Go to the OS/400 command line and edit the data-directory/
STCommLaunch.dep file and remove the number sign # from the following line.
SERVERAPP StMux,StCommunty,SOFT
11. Restart the Lotus Sametime Community Server by running LOAD STADDIN2
from the Domino console. This starts the server with the Sametime
Community Server multiplexer service running .
12. Restart all Lotus Sametime Community Servers in your deployment so they
can detect the modified name. If your deployment includes Lotus Sametime
Unified Telephony, restart all Telephony Application Servers as well.
Follow these steps to run the name conversion utility in RESOLVE mode on UNIX.
Running the name conversion utility in RESOLVE mode, migrates the old user ID
to a new user ID that is a directory attribute that is not likely to change. The tool
looks up each and every user ID in the database against the directory, and replaces
the old user ID with the directory user ID. In such a deployment, where the user
ID attribute is constant, a name change does not trigger a user ID change,
eliminating the need for running the tool.
1. Disable the Sametime Community Server multiplexor service on all servers in
the cluster.
a. Stop the IBM Lotus Sametime Community Server.
b. Open a shell and edit the data-directory/STCommLaunch.dep file and
comment out the following line by putting a number sign # in front of it:
#SERVERAPP stmux_launcher.sh,stserver,SOFT
c. Restart the Lotus Sametime Community Server. This starts the server
without running Sametime Community Server multiplexer service. Name
change in RESOLVE mode differs from running other name conversion
modes, because in the RESOLVE mode the Lotus Sametime Community
server should be running, so that the name change utility can access
StResolve
2. Change your Lotus Sametime Community Server configuration to use a unique
user ID, so you run the name change utility in RESOLVE mode. This is
controlled in the LDAPServer document in StConfig.nsf,
a. Log in to the Integrated Solutions Console.
b. Click Sametime System Console → Sametime Servers → Sametime
Community Servers .
c. In the Sametime Community Servers list, click the deployment name of the
server with the connectivity information that you want to change.
d. Click the Community Services tab.
e. Under LDAP Attributes, enter the name of the field within the LDAP
person entries that contains the unique value used for logging in the
Attribute used for determining the internal user ID field. For example,
objectGUID contains a commonly-used unique value for logging in to
Sametime.
f. Click OK.
3. Restart the Lotus Sametime Community Server.
4. Open a shell and change to the Domino data directory. Type the following
command:
./stnamechange.sh <domino_bin_directory> <domino_data_directory>
For example:
./stnamechange.sh /domino/opt/lotus/notes/80020/linux /domino/notesdata
5. Define the LDAP search filter responsible for selecting a user name from the
LDAP directory. The LDAP search attribute must match the Attribute used for
determining the internal user ID field of the IBM Lotus Sametime Community
Server
Chapter 1. Configuring 25
a. In the Integrated Solutions Console, click Sametime System Console →
Sametime Prerequisites → Connect to LDAP Servers.
b. Select the Deployment Name of your LDAP server.
c. Click Next until you get to Collect Person Settings.
d. Edit the Search Attributes field. It must include the attribute that you
specified as the Attribute used for determining the internal user ID for the
Sametime Community Server. For example, objectGUID.
e. Click Next until you get to the Summary screen, then click Finish.
6. Enable the Sametime Community Server multiplexer service on all the servers
in the cluster.
a. Stop the IBM Lotus Sametime Community Server.
b. Open a shell and edit the data-directory/STCommLaunch.dep file and
remove the number sign # from the following line:
SERVERAPP stmux_launcher.sh,stserver,SOFT
c. Restart all the servers in the cluster.
What to do next
IBM recommends that you also turn off case sensitivity in the Lotus Sametime
Connect client.
To learn more about this setting and others, see TechNote 1415058:
http://www.ibm.com/support/docview.wss?uid=swg21415058.
Related tasks
“Turning off case sensitivity in the Lotus Sametime Connect client” on page 100
If you turn off case sensitivity in the IBM Lotus Sametime Community server, IBM
recommends that you also turn off case sensitivity in the Lotus Sametime client.
Follow these steps to specify the list of client types that are allowed to connect to
the Lotus Sametime Community Server.
1. Open a text editor on the Lotus Sametime Community Server.
2. Open the sametime.ini file located in the Lotus Sametime Community Server
installation directory. For example, the default directory in Windows is
C:\program files\lotus\domino.
3. In the Config section, enter the client type IDs for the allowed client types in
the VPS_ALLOWED_CLIENT_TYPES flag. If the flag is not specified or its
value is empty, then all client types are allowed to connect to the server. Its a
comma-separated list.
[Config]
VPS_ALLOWED_LOGIN_TYPES=8020,8500
For a list of client types, see Technote 1114318 on the IBM Lotus Support Web
site at http://www.ibm.com/support/docview.wss?uid=swg21114318.
4. Save the sametime.ini file.
To configure the single login function and exclude certain client types from
qualifying as logins, edit the sametime.ini file.
1. Open a text editor on the Lotus Sametime Community Server.
2. Open the sametime.ini file located in the Lotus Sametime Community Server
installation directory. For example, the default directory in Windows is
C:\program files\lotus\domino.
3. In the Config section, set the following flag to activate single client login mode:
VP_ONLY_SINGLE_LOGIN_ALLOWED=1
If the flag is set to 1 than the server works in the single login allowed mode.
When a new client login request is received, all the previous logins are
disconnected. Only one client type connection per machine is allowed at one
time (related to client types, not users).
4. Specify which client types are not considered logins when the server checks
whether to accept or disconnect clients. Separate the client types with commas.
VPS_EXCLUDED_LOGIN_TYPES=clienttype1, clienttype2
For a list of client types, see Technote 1114318 on the IBM Lotus Support Web
site at http://www.ibm.com/support/docview.wss?uid=swg21114318.
In the following configuration, even though single client login mode is
activated, logins originating from C++ clients and Unified instant messaging
clients will not be disconnected if they have logged in from the Sametime client
too.VPS_EXCLUDED_LOGIN_TYPES=1002, 1304
5. Save the sametime.ini file.
Chapter 1. Configuring 27
Configuring the preferred login list
If a user is already connected to the IBM Lotus Sametime Community Server
through several different clients, and another user attempts to initiate an instant
messaging session with the logged-in user, Sametime uses a default login order to
determine which client type should receive the instant messaging session. A
preferred login list allows you to override the default order.
The Lotus Sametime Community Server depends upon the default list of client
types, each of which has a pre-defined weight. Login order for each user depends
upon the login-type weight. The first login type, having minimal weight, is the one
provided for the incoming instant messaging session.
Creating a custom Java class can be especially effective with complex LDAP
directory schemas. The Java code that you write must be compatible with the Java
Run-Time Environment (JRE 1.5.0). In addition to the following topics, the
Sametime wiki contains an article on writing Java classes that includes sample
search filters.
The Search filter for resolving person names and the Search filter for resolving
group namessettings in the LDAP directory settings of the Sametime
Administration Tool define the LDAP directory search filters responsible for
selecting user and group names from the LDAP directory.
Note: You do not have to write Java classes to control the search behavior for both
users and groups. You can use a Java class to control the search behavior for users
while using a single LDAP search filter to control the search behavior for groups,
or vice versa.
The specific source code that you write to support customized LDAP searches is
entirely dependent on your environment. This section provides a code sample to
help you understand how to write the Java class appropriate for your
environment.
Example
The following example invokes different LDAP directory search filters based on the
text string that is entered into the Sametime user interface by a user. The search
filters invoked by the method are dependent on the directory schema and the
search behavior needed for the environment. Assume that three different users
want to add the user Victor Lazlow to their Sametime Connect buddy lists. Each of
the three users searches for Victor Lazlow in a different way. The logic of the Java
class dictates the results of these three user searches:
v User 1
Input: User 1 enters ″Victor L*″ into the Sametime client user interface to add
Victor Lazlow to the buddy list.
Results: This search attempt returns an error because the Java class is
programmed to return an error when the user enters a text string that includes
an asterisk.
v User 2
Input: User 2 enters ″Victor_Lazlow@acme.com″ into the Sametime client
interface.
Results: This search attempt succeeds and returns the value
″Victor_Lazlow@acme.com″ (Victor Lazlow’s e-mail address) from the LDAP
directory. The search attempt succeeds in this way because the Java class is
programmed to return an LDAP search filter that can resolve an LDAP directory
search to a user’s e-mail address. The Java class returns this e-mail address
search filter if the search text string entered by the end user includes the ″at″
character (@).
v User 3
Input: User 3 enters ″Victor L″ into the Sametime client interface. This search
attempt succeeds and returns the common name (cn) directory attribute of
″Victor Lazlow.″
Results: The search attempt succeeds in this way because the Java class is
programmed to return an LDAP search filter that can resolve an LDAP directory
search to a user’s common name (cn). The Java class returns this common name
search filter if the search text string entered by the end user does not include
either an asterisk or ″at″ (@) character.
Sample code
Chapter 1. Configuring 29
The code sample below shows the Java source code that produces the search
behavior described above. This code creates a Java class named
″StLdapCustomized″ that includes the ″peopleResolveFilter″ method. The if
statements in the peopleResolveFilter method examine the text string entered by
the user in the Sametime client user interface and return the appropriate LDAP
search filter based on this text string. The comments in the source code explain the
purpose of each if statement.
public class StLdapCustomized
/**
* Generates a search filter for finding a user, given the user's
* name. * * @param name The user's name as provided by the Sametime client.
* @return The search filter, or null if the name is invalid. */
What to do next
After writing your Java class, complete the tasks in this section to integrate the
class into the Lotus Sametime Community server.
In most environments, the value of the The attribute of the person entry that
defines the user’s name setting can specify a common LDAP directory attribute,
such as cn (common name) or mail (e-mail address). When configured in this way,
the search returns the value assigned to a user’s cn or mail directory attribute and
displays this value in the Sametime client user interface.
To return names in a format different from the LDAP directory attributes, create a
custom Java class. For example, you might create a Java class that does the
following:
v Combines the values of two LDAP directory attributes to produce the user name
in a desired format.
v Edits the information in a single LDAP directory attribute to produce the user
name in a format that is different than the value specified by the attribute.
The sample code below shows how to combines the values of the sn and
givenName attributes to return a user name with the Last Name shown first,
assuming the following requirements:
v LDAP searches must return a user name in the format LastName, FirstName (for
example: Smith, John)
v None of the LDAP directory attributes specify the user name in the LastName,
FirstName format.
v The LDAP directory attribute sn specifies each user’s last name.
v The LDAP directory attribute givenName specifies each user’s first name.
Sample code
This example takes values from the sn and givenName directory attributes and
combines these values into a single display name in the format of LastName,
FirstName.
public class StLdapCustomizedAttributes
return result;
What to do next
After writing your Java class, complete the tasks in this section to integrate it into
the Lotus Sametime Community server.
Follow these steps to add the class to the Sametime Community Server.
Note:
When you use this feature on IBM AIX, Linux, or Solaris, you must compile your
class using Java 1.5 or later. This requires you to use IBM Lotus Domino 8.0 or
later because earlier versions do not include the right version of Java.
1. Compile the Java source code file to produce the Java class file.
2. Copy the compiled class file (StLdapCustomized.class) to the ″java″
subdirectory of the Sametime server installation directory.
The default path for the class file is: c:\Lotus\Domino\java
Limiting the number of open files on the Sametime Community Server (Linux):
Chapter 1. Configuring 31
If your IBM Lotus Sametime Community Server is hosted on Linux and you have
loaded custom Java classes for searching the LDAP, limit the number of concurrent
open files on the server to prevent performance problems.
Java opens many files and Lotus Sametime uses a lot of file descriptors. When a
high number of concurrent users (for example, 1,000 or more) connect to the Lotus
Sametime Community Server, the server may run out of file descriptors. If that
happens, you may see the following exception in the SystemOut.log, with the
result that no more users can log in:
[9/9/09 11:09:46:701 EST] 0000109d exception E com.ibm.ws.wim.adapter.ldap.
LdapConnection getDirContext CWWIM4520E The 'javax.naming.CommunicationException:
pir02pc27.westford5.notesdev.ibm.com:389 [Root exception is java.net
.SocketException:Too many open files]' naming exception occurred during
processing.
[9/9/09 11:09:46:738 EST] 0000109d exception E com.ibm.ws.wim.adapter.ldap.
LdapConnection getDirContext com.ibm.websphere.wim.exception.WIMSystemException:
CWWIM4520E The 'javax.naming.CommunicationException: pir02pc27.westford5.
notesdev.ibm.com:389 [Root exception is java.net.SocketException:
Too many open files]' naming exception occurred during processing.
Prevent this situation by placing an upper limit on the number of file descriptors
in the Linux configuration file.
1. Use a text editor and open /etc/security/limits.conf.
2. Add the following lines to the file:
soft nofile 65535
hard nofile 65535
3. Save the file.
Add the path for your new custom Java class to the sametime.ini file so that the
IBM Lotus Sametime Community Server can locate the new class.
Edit the sametime.ini file on the Lotus Sametime Community Server and add the
paths for the new custom class.
1. Use a text editor to open the sametime.ini file, which is stored in the Domino
installation directory.
In Microsoft® Windows, the default location for this file is: C:\Lotus\Domino
2. Add or modify the following statements to the [Config] section of the file:
Make sure your file contains all three statements when you finish:
ST_JAVA_CLASS_PATH=C:\Lotus\Domino\StConfig.jar;
C:\Lotus\Domino\StConfigXml.jar;C:\Lotus\Domino\xerces.jar;custom_class_directory
ST_JAVA_JVM_PATH=java_jvm_install_path
ST_JAVA_CUSTOM_PATH=custom_class_directory
where:
v java_jvm_install_path indicates the path where the Java JVM is installed
(the default path on Windows is: C:\Lotus\Domino\ibm-jre\jre\bin\
classic\jvm.dll; on Solaris use this path: ibm-jre/lib/sparc/server/
libjvm.so
v custom_class_directory indicates the path to the new custom Java class (the
default path on Windows is C:\Lotus\Domino\java)
Adding the custom Java class name and method to the Lotus Sametime LDAP
settings:
Use the IBM Lotus Sametime Administration Tool to add the class name and
method of your new custom Java class to the LDAP settings used by the Lotus
Sametime Community Server.
Use the Sametime Administration Tool to add the new custom Java class to the
LDAP directory settings.
1. Log on to the Lotus Sametime Community Server as the Sametime
administrator.
2. Open the Sametime Administration Tool by clicking Administer the Server.
3. Click LDAP Directory → Basics.
4. In the Search settings for server list, select the LDAP server that contains the
LDAP directory you are modifying with your custom Java class.
5. If you are adding a custom Java class that defines a search filter, do the
following:
a. In the Search filter for resolving person names settings, enter the class
name and method name for a Person filter, using this format:
Classname.methodname()
Following the earlier code example for a Person filter, you would enter
StLdapCustomized.peopleResolveFilter() for the new class.
b. In the Search filter for resolving group names settings, enter the class
name and method name for a Group filter, using this format:
Classname.methodname()
For example, you might have named your class like this:
StLdapCustomized.groupsResolveFilter().
6. If you are adding a custom Java class that formats search results, locate The
attribute of the person entry that defines the user’s name settings, and enter
the class name and method name, using this format: Classname.methodname()
Following the earlier code example for formatting search results, you would
enter StLdapCustomizedAttributes.displayName(givenName, sn) for the new
class.
7. After you have added all of your custom Java classes, click Update.
8. Restart the Lotus Sametime Community Server for the changes to take effect.
You can use the Sametime Administration Tool to configure the ports on which the
Sametime services listen for connections from clients.
Chapter 1. Configuring 33
The port settings for all services can be accessed from the Configuration →
Connectivity → Networks and Ports options of the Sametime Administration Tool.
The following ports are used by the Sametime HTTP Services, IBM Lotus Domino
Application Services, and LDAP Services.
The following ports are used by the Sametime Community Services. Most of these
ports are configurable.
Chapter 1. Configuring 35
Default Port Purpose
Port 1533 The Community Services listen for direct
TCP/IP connections and HTTP-tunneled
connections from the Community Services
clients (such as Sametime Connect and
Sametime Meeting Room clients) on this
port.
Note: The term ″direct″ TCP/IP connection
means that the Sametime client uses a
unique Sametime protocol over TCP/IP to
establish a connection with the Community
Services.
If the administrator does not allow HTTP tunneling on port 80 during the
Sametime installation, the Domino HTTP server listens for HTTP connections on
port 80 by default.
On some platforms, you can configure Sametime to operate using a Microsoft IIS
HTTP server or IBM WebSphere HTTP server. For information on setting up
Sametime to use a different HTTP Web server, see ″Sametime Server Installation.″
Follow these instructions if you need to change the HTTP port of the Domino
HTTP server:
1. Open the Sametime Administration Tool.
2. Select Configuraton → Connectivity → Networks and Ports.
3. Select Configure HTTP Services on a Web page in its own window.
4. Select Ports.
5. Select Internet Ports.
Chapter 1. Configuring 37
If the Domino server is set up for HTTP connections from Web browsers, you
can change the TCP/IP port number setting, located under the Web
(HTTP/HTTPS) column of the settings. To change the port used by the HTTP
server, change the port associated with the TCP/IP port number field. (For
example, if you are enabling HTTP tunneling on port 80 on a Sametime server
that includes a single IP address, you may want to change the HTTP port
from port 80 to 8088.)
6. Select Internet Protocols.
7. Select Domino Web Engine.
8. Under the Generating References to this server section, make the following
changes:
If the HTTP server uses HTTP for Web browser connections:
v In the Protocol setting, select http.
v In the Port number field, enter the same port entered in the TCP/IP port
number setting in Step 5.
9. Click Save and Close to save the Server document.
10. Change the port number in the stconvservices.properties file to match, as the
HTTP port is pulled from this setting.
11. Restart the Domino server for the change to take effect.
Generally, it is only necessary to change this port if you have installed multiple
Sametime servers on a single server machine or if another application on the server
uses port 9092.
Note: If you run Sametime on an IBM i, Linux, Sun Solaris, or IBM AIX machine,
you can install multiple Sametime servers on a single machine, within the same
logical partition. Each Sametime server instance runs on a separate partitioned IBM
Lotus Domino server. If you run Sametime on Microsoft Windows, you can only
install one server on each Windows machine.
If multiple Sametime servers are running on the same machine, you must ensure
that each Sametime server specifies a different port as the ″Event server″ port. For
example, if Sametime server 1 and Sametime server 2 are running in separate
partitions of an IBM i machine, you can specify port 9092 as the ″Event server″
port for Sametime server 1 and port 9095 as the ″Event server″ port for Sametime
server 2. Sametime for IBM i provides an option to specify the ″Event server″ port
at the time you configure your Sametime server.
If you are operating Sametime on an IBM i, IBM AIX, Linux, or Sun Solaris server,
you can install multiple Sametime servers on a single computer, within the same
logical partition. In this scenario, each Sametime server instance runs on a separate
partitioned IBM Lotus Domino server.
Generally, it is only necessary to change this port if you have installed multiple
Sametime servers on a single server machine or if another application on the server
uses port 9094.
Note: If you run Sametime on an IBM i, Linux, Sun Solaris, or IBM AIX machine,
you can install multiple Sametime servers on a single machine within the same
logical partition. Each Sametime server instance runs on a separate partition of the
IBM Lotus Domino server. If you run Sametime on Microsoft Windows, you can
only install one server on each Windows machine.
If multiple Sametime servers are running on the same machine, you must ensure
that each Sametime server specifies a different port as the ″Token server″ port. For
example, if Sametime server 1 and Sametime server 2 are running in separate
partitions of an IBM i machine, you might want to specify port 9094 as the ″Token
server″ port for Sametime server 1 and port 9096 as the ″Token server″ port for
Sametime server 2. Sametime for IBM i provides an option to specify the Token
server port at the time you configure your Sametime server.
An IBM Lotus Sametime server can be deployed behind a reverse proxy server or
a portal server. This section discusses issues related to using reverse HTTP proxy
servers with a Sametime server. The issues discussed in this section also apply to
deploying a Sametime server behind a portal server.
To accomplish its security objectives, a reverse proxy server manipulates the data
that passes through it. The table below shows the client-side proxy types through
which clients can connect to the Sametime server.
Sametime client SOCKS 4 proxy SOCKS 5 proxy HTTP proxy HTTPS proxy
Sametime supported supported supported supported
Connect
Chapter 1. Configuring 39
Sametime client SOCKS 4 proxy SOCKS 5 proxy HTTP proxy HTTPS proxy
Sametime not supported not supported supported supported
Mobile
Sametime supported supported supported not supported
Meeting Room
screen-sharing/
whiteboard
components
Sametime supported not supported supported not supported
Meeting Room
participant
list/chat
components
Sametime supported not supported not supported not supported
Meeting Room
interactive
audio/video
components
Sametime supported not supported supported not supported
Recorded
Meeting client
This section includes topics related to the use of reverse HTTP proxy servers with
the Sametime server.
Note: If you are configuring the Sametime server to operate behind a Tivoli®
Access Manager WebSEAL reverse proxy server, refer to the Lotus Sametime Server
Release Notes for additional configuration information.
The reverse proxy server protects internal HTTP servers by providing a single
point of access to the internal network. Providing a single point of access to all
HTTP servers on an internal network offers these specific security advantages and
network access characteristics:
v The administrator can use the authentication and access control features of the
reverse proxy server to control who can access the internal servers and control
which servers each individual user can access. When a reverse proxy is
deployed, the authentication process and access rights to multiple internal
servers can be controlled from a single machine, which simplifies the security
configuration.
v All traffic to your intranet servers appears to be destined for a single network
address (the address of the reverse proxy server).
When a reverse proxy server is deployed, only URLs that are associated with the
reverse proxy server are made public to Web browser users. Users from the
Internet use these URLs to access the reverse proxy server. The reverse proxy
server handles these requests from Internet users and redirects these requests to
the appropriate internal HTTP server.
The requirements and limitations associated with using a reverse proxy server with
Sametime include:
v Reverse proxy server requirements
v Sametime client limitations and requirements
v Sametime server limitations
v Secure Sockets Layer (SSL) issues and requirements
v Client certificate authentication issues
v IBM Lotus Sametime Enterprise Meeting Server (WCMS) restrictions
This section lists the requirements and issues that are specific to the reverse proxy
server.
Chapter 1. Configuring 41
v URL specification requirement (affinity-id requirement) - Only reverse proxy
servers that use the following URL specification to access protected internal
servers can be used with Sametime:
Http[s]://hostname:port/affinity-id/
The ″affinity-id″ is an administrator-defined alias for an internal Sametime
server. This affinity-id must be present in the URLs sent from Web browsers to
the reverse proxy server to enable Web browser users to access the Sametime
server through the reverse proxy. For detailed information on this mandatory
requirement of the reverse proxy server, see Configuring mapping rules on a
reverse proxy server.
v Multiple reverse proxy servers must use the same DNS name and mapping
configurations - If you have deployed multiple reverse proxy servers in your
network environment, and you expect users to access your Sametime server(s)
through multiple reverse proxy servers, each of the reverse proxy servers must
have the same DNS name and the same mapping configurations as noted below:
– DNS name - All reverse proxy servers must use the same DNS name. For
example, if one reverse proxy server is named reverseproxy.ibm.com all other
reverse proxy servers must be named reverseproxy.ibm.com. If the reverse
proxy servers have different DNS names, the Sametime clients will be unable
to maintain communications with a Sametime server deployed behind the
reverse proxy servers.
The following Sametime clients can communicate with Sametime servers through a
reverse proxy server:
v Sametime Meeting Room client
v Sametime Recorded Meeting client
v Sametime Connect for browsers (the Java version of Sametime Connect)
v Sametime Connect for the desktop (the Microsoft Windows version of Sametime
Connect)
v Sametime Links applications built with Sametime developer toolkits
On UNIX and IBM AIX servers, the Meeting start-up log contains the Sametime
server name when the Sametime server is configured behind a proxy server.
The Sametime Meeting Room client and the Sametime Recorded Meeting client can
communicate with a Sametime server through a reverse proxy server when
running with the following Web browsers and Java Virtual Machines (JVMs):
v A Microsoft Internet Explorer 6 browser that operates with the Microsoft native
VM or the Sun Microsystems JVM 1.4.2 (and associated Java Plug-in).
v A Netscape 7 browser that operates with the Sun Microsystems JVM 1.4.2 (and
associated Java Plug-in).
The Sametime Connect for browsers client and Sametime Links applications can
communicate with a Sametime server through a reverse proxy server when
running in an Internet Explorer 6 or Netscape 7 browser that operates with the Sun
JVM 1.4.2. These clients may not function appropriately with other JVMs, including
the native Microsoft VM provided for Internet Explorer.
The following limitations apply to Sametime server features when the Sametime
server is deployed behind a reverse proxy server.
v Audio/video is not available - Audio/video streams cannot be transmitted to
Sametime clients that access the Sametime server through a reverse proxy server.
v Access to the Sametime Administration Tool is not available - A user that
connects to the Sametime server through a reverse proxy server cannot access
the Sametime Administration Tool. The user can open a Web browser that is
installed on the Sametime server to access the Sametime Administration Tool.
The user can also connect to the Sametime server from an internal network
Chapter 1. Configuring 43
location that does not route HTTP traffic through the reverse proxy server to
access the Sametime Administration Tool.
Note the following about SSL and Sametime in a reverse proxy environment:
v Secure Sockets Layer (SSL) can be used to encrypt data transmitted between the
Sametime clients and the reverse proxy server.
v SSL cannot be used to encrypt data transmitted between the Sametime servers
and the reverse proxy server.
If SSL is used to encrypt data transmitted between Web browsers and the reverse
proxy server, the administrator must perform the mapping configurations on the
Sametime server necessary to map the HTTPS data received from the Web browser
to the HTTP required by the Sametime server.
The reverse proxy must also be configured to translate the HTTP data received
from the Sametime server to the HTTPS data required by the client.
When a reverse proxy server is configured to support SSL, the reverse proxy server
sends an SSL server certificate to the Web browser during the SSL connection
handshake. The Java 1.4.2 Plug-in used by the Web browser must have access to a
Signer certificate that is signed by the same Certificate Authority (CA) as the server
certificate that is sent by the reverse proxy.
By default, the Java Plug-in has access to several different Signer certificates that
can be used for this purpose. To view the Signer certificates that are available to
the Java Plug-in 1.4.2, use the Java Plug-in Control Panel as described in “Viewing
the Signer certificates.”
The IBM Lotus Sametime Enterprise Meeting Server that operates with Sametime
servers cannot be deployed behind a reverse proxy server.
The Java Plug-in has access to several different Signer certificates that can be used
for reverse proxy support.
To view the Signer certificates that are available to the Java Plug-in 1.4.2, use the
Java Plug-in Control Panel:
1. From the Windows desktop, open the Control Panel by clicking Start → Settings
→ Control Panel.
2. Double-click on the Java Plug-in 1.4.2 icon to open the Java Plug-in Control
Panel.
Results
The server certificate sent by the reverse proxy server to the client Web browser
must be signed by one of the CAs that appears in the signer CA list for the SSL
connection handshake to succeed.
You can use the Certificates tab of the Java Plug-in Control Panel to import the
client certificate into the Java Plug-in key store:
1. From the Windows desktop, open the Control Panel by clicking Start → Settings
→ Control Panel.
2. Double-click on the Java Plug-in 1.4.2 icon to open the Java Plug-in Control
Panel.
3. Click Certificates.
4. In the Certificates column, click Secure Site.
5. Click Import to import the client certificate.
The mapping rules enable the reverse proxy server to translate (or rewrite) a URL
associated with the reverse proxy server to the URL of an internal Sametime server.
This section discusses how mapping rules are configured on a reverse proxy server
to accomplish the translation (or rewriting) of URLs when the reverse proxy
operates with Sametime. This section includes the following topics:
Only reverse proxy servers that support the use of an affinity-id (or server alias) in
the URLs that are associated with internal servers can be used with IBM Lotus
Sametime.
Specifically, the reverse proxy server must support the following URL specification
to access protected internal servers:
Http[s]://hostname:port/affinity-id/
where hostname represents the DNS name of the reverse proxy server and the
affinity-id is an alias for an internal server that is protected by the reverse proxy
server. A specific example of this URL format is:
Http[s]://reverseproxy.ibm.com/st01/stcenter.nsf
Chapter 1. Configuring 45
where the text sting ″st01″ is the affinity-id. The affinity-id is an alias for a specific
Sametime server (such as sametime.ibm.com) that is protected by the reverse proxy
server. The affinity-id is used by the reverse proxy server to direct incoming
requests to the specific internal Sametime server.
For example, if the incoming URL from the Web browser is:
Http[s]://reverseproxy.ibm.com/st01/stcenter.nsf
and the mapping rules on the reverse proxy server map the ″st01″ affinity-id to the
Sametime server named ″sametime.ibm.com,″ the affinity-id ensures the reverse
proxy server rewrites the incoming URL to:
Http[s]://sametime.ibm.com/stcenter.nsf
It is mandatory that any reverse proxy server that operates with a Sametime server
support the affinity-id (or server alias) in URLs.
Here are some examples of how an administrator might configure URL mapping
configurations for a reverse proxy server deployed in front of an IBM Lotus
Sametime server.
When a user connects to a Sametime server through a reverse proxy server, the
reverse proxy server must be configured to support the following actions that
enable Sametime users to attend meetings and participate in chat sessions:
v The user must be able to click on links in the Sametime server home page and
navigate to the various HTML pages of the UI. This capability requires the
reverse proxy server to rewrite the URLs of the HTML pages that comprise the
Sametime UI.
v The Sametime Java applet clients that load in a user’s Web browser must be able
to connect to the services on the Sametime server. Since these connections must
occur through the reverse proxy server, the reverse proxy server must also be
able to rewrite the URLs required to establish these connections to the services
on the Sametime server.
The example below illustrates how an administrator can configure the reverse
proxy server to enable users to navigate the HTML pages of the Sametime user
interface. This example assumes the following:
v The Sametime server name is ″sametime.ibm.com.″
v The URL required to access the reverse proxy server is ″reverseproxy.ibm.com.″
v The affinity-id chosen by the administrator for the Sametime server is ″st01.″
Listed below are two entities of the Sametime server user interface and the URLs
required to access these entities on a Sametime server with the server name
″sametime.ibm.com.″
v Sametime server home page - The Sametime server URL for the server home
page is http://sametime.ibm.com/stcenter.nsf.
v Active Meeting page - The Sametime server URL for the Active Meeting page
is http://sametime.ibm.com/stconf.nsf/vwWebActiveMeetings?OpenView.
To access the Sametime server home page through a reverse proxy server, the Web
browser would send the following URL to the reverse proxy server:
http[s]://reverseproxy.ibm.com/st01/stcenter.nsf
The reverse proxy server must contain a mapping rule that translates this URL into
the following URL required to access the Sametime server home page:
http[s]://sametime.ibm.com/stcenter.nsf
If the user selects the Attend a Meeting link in the Sametime user interface to view
the list of active meetings, the Web browser would send the following URL to the
reverse proxy server:
http[s]://reverseproxy.ibm.com/st01/stconf.nsf/vwWebActiveMeetings?OpenView
The reverse proxy server must contain a mapping rule that translates this URL into
the following URL required to access the Sametime server Active Meetings page:
Http[s]://sametime.ibm.com/stconf.nsf/vwWebActiveMeetings?OpenView
A single mapping rule can be used to translate all URLs associated with the
Sametime server user interface
Through the use of wildcards, the administrator can create a single mapping rule
on the reverse proxy server to translate all URLs associated with the Sametime
server interface. Following the examples above, the administrator can create a
mapping rule that translates the following URL from the Web browser:
Http[s]://reverseproxy.ibm.com/st01/*
Chapter 1. Configuring 47
A single mapping rule that accomplishes this type of URL translation should
enable users to access all entities of the Sametime user interface through a reverse
proxy server.
Note: It is not mandatory to configure the mapping rules as described above. The
actual configuration of the mapping rules on the reverse proxy server is at the
discretion of the administrator. When configuring the mapping rules note that the
URL for any entity of the Sametime server user interface will begin with the
Sametime server name (sametime.ibm.com in this example).
The following example URL mappings enable the Sametime Java applet clients
running in a user’s Web browser to connect to the Community Services, Meeting
Services, and Recorded Meeting Broadcast Services on the Sametime server
through the reverse proxy server:
This example illustrates the mapping configurations that enable a Java applet client
to connect to the Community Services:
The mapping rules on the reverse proxy must translate these URLs to:
http://sametime.ibm.com:8082/communityCBRHttp://sametime.ibm.com:8082/CommunityCBR
Note: The mapping configuration for the Community Services connectivity should
contain two case-sensitive mapping rules as indicated above. Some pieces of the
Java code contain the lowercase ″c″ in ″communityCBR″ and some pieces of the
Java code use the uppercase ″C″ in ″CommunityCBR.″ This difference may prevent
connections if the proxy is case-sensitive.
This example illustrates the mapping configurations that enable a Java applet client
to connect to the Meeting Services:
The mapping rule on the reverse proxy must translate this URL to:
Http://sametime.ibm.com:8081/MeetingCBR
This example illustrates the mapping configurations that enable a Java applet client
to connect to the Recorded Meeting Broadcast Services:
During a Sametime server installation, the administrator has the option of allowing
or not allowing HTTP tunneling on port 80.
If the administrator does not allow HTTP tunneling on port 80 during the
Sametime server installation, it is necessary to configure separate mapping rules
for each of the three Sametime services (Community Services, Meeting Services,
and Recorded Meeting Broadcast Services).
Note: Four mapping rules are required: two for the Community Services, one for
the Meeting Services, and one for the Recorded Meeting Broadcast Services as
shown in the three examples above.
When the administrator does not allow HTTP tunneling on port 80, each of the
Sametime services listens for HTTP connections on a different port:
v The Community Services listen for HTTP connections on port 8082. Port 8082 is
reflected in the mapping rule for Community Services connections above. You
can view or change this port setting from the Community Services Network -
Address for HTTP-tunneled client connections option in the Networks and Ports
tab of the Sametime Administration Tool.
v The Meeting Services listen for HTTP connections on port 8081. Port 8081 is
reflected in the mapping rule for Meeting Services connections above. You can
view or change this port setting from the Meeting Services Network - Address
for HTTP-tunneled client connections option in the Networks and Ports tab of
the Sametime Administration Tool.
v The Recorded Meeting Broadcast Services listen for HTTP connections on port
554. Port 554 is reflected in the mapping rule for Recorded Meeting Broadcast
Services connections above. You can view or change this port setting from the
Recorded Meeting Broadcast Services Network - Address for HTTP-tunneled
client connections option in the Networks and Ports tab of the Sametime
Administration Tool.
Because each of these Sametime services listens for a connection on a separate port,
separate mapping rules must be established for each of the services. The mapping
rule must specify the port on which each of the services is listening for
connections.
Note: If you change the HTTP-tunneling port number for a specific service in the
Sametime Administration Tool, the mapping rules you configure on the reverse
proxy server must reflect the new port number.
If the administrator allows HTTP tunneling on port 80 during the Sametime server
installation, the Sametime clients connect to all of the services on a single port.
With this configuration, the single mapping rule that enables users to navigate the
Sametime server user interface will also enable the Sametime clients to make
connections to the Sametime services.
Chapter 1. Configuring 49
Services on the Sametime server. The Community Services multiplexer listens for
connections to all of these services on a single port (port 80).
Note: When operating in this mode, the Community Services multiplexer on the
Sametime server can distinguish between HTTP requests destined for the HTTP
Services, Community Services, Meeting Services, and Recorded Meeting Broadcast
Services and establish intraserver connections to each of the services. For example,
if the Community Services multiplexer receives an HTTP request for the Meeting
Services on port 80, the Community Services handles the request and creates an
intraserver connection to the Meeting Services. The Community Services
multiplexer then forwards the request to the Meeting Services. The ability of the
Community Services multiplexer to handle requests for multiple services in this
way is sometimes referred to as ″single port mode.″
When the administrator allows HTTP tunneling on port 80 (that is, when the
Sametime server is operating in single port mode), the mapping rules for Java
applet connectivity are much simpler. Since all connections from the Sametime Java
applet clients occur on the same port, it is not necessary to specify individual ports
for each service in the mapping rules.
In this scenario, the administrator would only need to ensure that this incoming
URL from the Sametime Java applets:
Http[s]://proxy.ibm.com/st01/*
Is translated to this URL by the mapping rules on the reverse proxy server:
Http://sametime.ibm.com/*
Note that server performance is not as efficient when the Sametime server is
configured to support HTTP tunneling on port 80 because of the connectivity
burden placed on the Community Services multiplexer.
Note: Enabling this setting does not require that all users on your corporate
intranet access the Sametime server through the reverse proxy server. Users on
your corporate intranet that are not required to route connections through the
reverse proxy servers can still establish connections with the Sametime server
using the standard Sametime client connection processes. For more information,
see Connecting to a Sametime server without going through the reverse proxy
server.
Note: An administrator may want to change the default Server Alias setting to
avoid using the real Sametime server name as the affinity-id in the mapping
rules on the reverse proxy server. If the real Sametime server name is used as
the affinity-id on the reverse proxy server, the real server name will appear in
URLs transmitted on the Internet.
For more information about the affinity-id, see Configuring mapping rules on a
reverse proxy server to support Sametime.
Client connectivity issues for reverse proxy servers are discussed in the following
topics:
When an IBM Lotus Sametime server is configured to operate with a reverse proxy
server, users on the corporate intranet that are not required to route connections
through the reverse proxy server can still connect using the standard Sametime
client connection processes.
Chapter 1. Configuring 51
Note: In this scenario, both intranet and Internet users connect to the same
Sametime server. Connections from Internet users are routed through the reverse
proxy server while connections from intranet users are not routed through the
reverse proxy server.
To illustrate this point, the Meeting Room client connection process that occurs
when the Enable Reverse Proxy Discovery on the client setting is selected is
summarized below.
1. Upon loading in a user’s Web browser, the Sametime Meeting Room client
attempts a direct TCP/IP connection to the Sametime server.
If the direct TCP/IP connection attempt fails, the Meeting Room client
continues with the connection process as described below.
Note: Step 3 represents the major difference in the connection process that
occurs when the ″Enable Reverse Proxy Discovery on the client″ setting is
selected.
4. If the reverse proxy server is not detected, the Sametime clients will still
attempt to connect to the Sametime server using HTTP tunneling but the
connection attempts will not be made to the reverse proxy server.
This section provides additional notes about IBM Lotus Sametime client
connectivity through a reverse proxy server.
If the administrator has selected the ″Enable reverse proxy discovery on client″
setting and specified the ″Affinity ID″ setting in the Sametime Administration Tool
on the Sametime server, the Sametime clients should be able to programmatically
detect the presence of the reverse proxy server and connect to the Sametime server
through the reverse proxy server.
If these clients must connect to the reverse proxy server through a forward (or
client-side) HTTP or SOCKS proxy server, the connectivity settings (address and
port) of the forward proxy server should be specified the locations noted below:
v If the Sametime client runs in a Web browser that operates with the Sun
Microsystems Java Virtual Machine (1.4.2), the forward proxy server address and
port are specified in the Sun Microsystems Java Plug-in Control Panel on the
user’s machine. (The Java Plug-in Control Panel is available from the user’s
Windows Control Panel).
v If the Sametime client runs in a Web browser that operates with the native
Microsoft Virtual Machine (VM), the forward proxy server address and port are
specified in the proxy configuration settings of the Web browser.
Note the following about using Sametime Connect for browsers with a reverse
proxy server:
v The Sametime Connect for browsers client loads in the user’s Web browser with
either the ″Use my Java Plug-in settings″ option or the ″Use my Internet
Explorer Browser settings″ option selected by default in the
Options-Preferences-Sametime Connectivity tab. User’s should not change this
default setting when operating with a reverse proxy server. These connectivity
settings ensure the client will make either a direct connection to the Sametime
server or connect through a forward proxy server if one is defined in the Web
browser connectivity settings or Java Plug-in as noted above.
v The Sametime Connect for browsers client includes a ″Host name″ and ″Port″
setting in the Options-Preferences-Sametime Connectivity tab. The values in
these settings are ignored when the Sametime server is configured to operate
with a reverse proxy server. (In a normal Sametime deployment, these settings
specify the Host name of the Sametime server to which the client should connect
and the port number on which the Sametime server listens for connections from
Sametime Connect clients).
Chapter 1. Configuring 53
To support a large or geographically distributed community of IBM Lotus
Sametime users, it is usually necessary to deploy multiple Sametime servers. This
section discusses the issues associated with deploying multiple Sametime servers,
including:
When multiple Sametime servers are installed, you can synchronize the Sametime
servers to operate as a single Sametime community.
v You can specify different home Sametime servers for members of the Sametime
community.
v Individual meetings can be simultaneously active on multiple Sametime servers.
If you install multiple Sametime servers, you can assign different ″home″ Sametime
servers for users in the community. Specifying different home Sametime servers for
Sametime community members allows you to spread the load of a large number of
users among the Community Services of multiple Sametime servers.
The ″home″ Sametime server is the server to which each user connects for the
online presence (or awareness) and chat functionality supported by the
Community Services. After installing a new Sametime server, you can assign
specific users to the new server by entering the name of the new Sametime server
in the Sametime server field in each user’s Person document.
All users in the community will have presence and chat capabilities with all other
users, even though they connect to different ″home″ Sametime servers to get this
functionality. Server-to-server connections among the Community Services of the
multiple Sametime servers ensure that all users in the community have presence
and chat capabilities with all other users.
When a Connection Document of the type Sametime exists between two Sametime
servers, one Sametime server can invite the other server to a Sametime meeting.
For example, if the administrator creates a Connection Document that connects
Sametime server A to Sametime server B, a meeting started on Sametime server A
can also appear in the list of active meetings in the Sametime Meeting Center on
Sametime server B. When the meeting starts on Sametime server A, Sametime
server A ″invites″ Sametime server B to the meeting, and the meeting becomes
simultaneously active on both servers. Users can access either Sametime server A
or Sametime server B to attend the same meeting.
Chapter 1. Configuring 55
and services to Internet users so that users on the corporate intranet and Internet
users can attend the same Sametime meetings without compromising network
security.
These are the basic processes and issues involved with integrating a new Sametime
server into an existing Sametime community.
Related concepts
“Advantages of using multiple Sametime servers” on page 54
This topic discusses the advantages of using multiple IBM Lotus Sametime servers
in a deployment.
Installing the IBM Lotus Sametime server software is the first procedure you must
perform when integrating a new Sametime server into an existing Sametime
community.
Before you install the new Sametime server, decide whether you want the server to
be accessed by Internet and intranet clients or intranet clients only. If you want the
server to be accessed by both Internet and intranet clients, you should install the
Sametime server software on a computer that is located in the network DMZ
(outside the firewall that protects the corporate intranet).
Related concepts
“Advantages of using multiple Sametime servers” on page 54
This topic discusses the advantages of using multiple IBM Lotus Sametime servers
in a deployment.
“Integrating a Sametime server into an existing Sametime community”
This topic provides an overview of the tasks involved in integrating a new IBM
Lotus Sametime server into an existing Sametime community.
When multiple IBM Lotus Sametime servers are installed in an IBM Lotus Domino
environment, the Sametime servers must be able to communicate on specific ports.
Note: Ports for Meetings do not apply to Sametime Entry, Sametime Limited Use,
or versions of Sametime that do not support web conferencing.
The table below lists the ports on which Sametime servers communicate with each
other. When these ports are open, Community Services and Meeting Services data
can pass between the two servers, and one Sametime server can invite the other to
a meeting.
When one Sametime server invites another Sametime server to a meeting that
includes interactive audio/video, the audio/video data is not transmitted between
the two Sametime servers. Instead, the user must connect to the Sametime server
on which a meeting was started and receive the audio/video streams directly from
that host server. For example, assume a meeting that includes chat, screen sharing,
and audio/video is started on Sametime server A and Sametime server A invites
Sametime server B to the meeting. A user can attend the meeting on Sametime
server B (the invited server) and receive the chat and screen sharing data from
Sametime server B. However, the user is redirected to Sametime server A for the
audio/video data.
Next step:
Next, perform the procedures described in Synchronize the Sametime server with
other Sametime servers deployed in the environment.
Chapter 1. Configuring 57
Related concepts
“Advantages of using multiple Sametime servers” on page 54
This topic discusses the advantages of using multiple IBM Lotus Sametime servers
in a deployment.
“Integrating a Sametime server into an existing Sametime community” on page 56
This topic provides an overview of the tasks involved in integrating a new IBM
Lotus Sametime server into an existing Sametime community.
Related reference
“Ports used by the Sametime Community Server” on page 33
IBM Lotus Sametime uses a number of ports on the server. This topic lists the
default ports and their uses.
When multiple Lotus Sametime servers are installed, you must synchronize the
Sametime servers to operate as a single community.
Related concepts
“Advantages of using multiple Sametime servers” on page 54
This topic discusses the advantages of using multiple IBM Lotus Sametime servers
in a deployment.
“Integrating a Sametime server into an existing Sametime community” on page 56
This topic provides an overview of the tasks involved in integrating a new IBM
Lotus Sametime server into an existing Sametime community.
This topic discusses managing IBM Lotus Domino Directories for multiple IBM
Lotus Sametime servers.
After you have installed a new Sametime server, the administrator should
determine how to manage the Directory for the Sametime community.
For more information about the Directory issues relevant to extending a single
Sametime community across multiple Domino domains, see Extending a single
Sametime community across multiple Domino domains.
Next step:
After determining your directory management strategy, assign users to the new
Sametime server.
Related concepts
“Advantages of using multiple Sametime servers” on page 54
This topic discusses the advantages of using multiple IBM Lotus Sametime servers
in a deployment.
“Integrating a Sametime server into an existing Sametime community” on page 56
This topic provides an overview of the tasks involved in integrating a new IBM
Lotus Sametime server into an existing Sametime community.
Assign users to the new Sametime server (setting the home Sametime server):
This topic discusses how the IBM Lotus Sametime administrator can assign users
to a new Sametime server, which designates that server as the user’s ″home″
server.
To assign a user to the new Sametime server, enter the Sametime server name in
the Sametime server field in the Real-Time Collaboration section of a user’s
Person document in the Domino Directory. This field identifies the ″home″
Sametime server of each user.
Note: Only a portion of the users in your environment should be assigned to the
new Sametime server. For load balancing purposes, you should assign an equal
number of users to each Sametime server in your environment. The network
proximity of the user to the server is also a consideration when assigning users to
a home Sametime server. Generally, you should assign the user to the closest
Sametime server on the network.
To specify a home Sametime server, open the Domino Directory (Address Book),
go to the Real-Time Collaboration section of each user’s Person document, and
enter the name of a Sametime server in the Sametime server field. If necessary,
you can create a simple agent to automate the process of populating the Sametime
server field in each user’s Person document with the name of a Sametime server.
When entering the name of the Sametime server in the Sametime server field on
the Person document, you can enter the name of the Sametime server in the
Domino hierarchical name format (for example sametime/west/acme). The
Sametime server field automatically converts the name to the full canonical name
format. For example, if you enter sametime/west/acme in the ″Sametime server″
field, the server name is stored as cn=sametime/ou=west/o=acme unless, for
Chapter 1. Configuring 59
example, the name is populated by an agent. It is advisable to enter the server
name using the full hierarchical name format.
Community services reads the server name from the Servers view ($Servers) of the
Domino Directory. The name entered in the Sametime server field on the Person
document must match the name of the Sametime server as it appears in the
Servers view of the Domino Directory. If you are using an agent to populate the
home Sametime server field, ensure that the agent specifies the full canonical
name of the Sametime server.
Note also that a Sametime Connect client’s Sametime Connectivity settings should
specify the same Sametime server as the Sametime server field on that user’s
Person document. In the Sametime Connect client’s Sametime Connectivity
settings, the server name must be specified using the DNS name or IP address of
the Sametime server (for example, sametime.acme.com or 111.111.111.111).
Next step:
After assigning users to the server, the next step is Creating Connection Records to
connect Sametime servers.
Related concepts
“Advantages of using multiple Sametime servers” on page 54
This topic discusses the advantages of using multiple IBM Lotus Sametime servers
in a deployment.
“Integrating a Sametime server into an existing Sametime community” on page 56
This topic provides an overview of the tasks involved in integrating a new IBM
Lotus Sametime server into an existing Sametime community.
This topic explains how to create Connection Records for IBM Lotus Sametime
servers.
Note: Information about connecting meeting servers does not apply to Sametime
Entry.
Note: Do not complete this if you are configuring Sametime Limited Use.
Source server - This is a read-only field that contains the name of the Source
server in the Domino hierarchical server name format that includes the domain
or community name (for example, sametimeA.acme.com/ACME, where ACME
is the domain name). The Source server is the server on which the Meeting is
created and started.
Destination server - Enter the name of the Destination server in the Domino
hierarchical server name format that includes the domain or community name
(for example, sametimeB.acme.com/ACME). The Destination server is the remote
server on which the meeting will become active (or the server that is ″invited″
to the meeting by the Source server).
Chapter 1. Configuring 61
Make sure the server name you enter is an exact, case-sensitive, match with the
server name that appears in the destination Sametime server’s Server
Document in the Domino Directory. Also, ensure that the domain or
community name (/ACME in the example) is included in the server name.
Destination server IP address - You must enter the fully qualified DNS name
or IP address of the destination server in this field. If this field is left blank,
meetings started on the source server will not become active on the destination
server.
4. Click the Add button.
The server specified as the ″Destination″ server in the Connection Record
appears in the Meeting Servers That Are Connected list in the Configuration
→ Connectivity → Servers in this Community settings of the Sametime
Administration Tool. In the Meeting Servers That Are Connected list, you
should specify the settings you want in the People Can Attend from Inside the
Organization and People Can Attend from the Internet columns. To make the
appropriate selections, see Configuring the ″Meeting Servers That Are
Connected″ options.
Related concepts
“Integrating a Sametime server into an existing Sametime community” on page 56
This topic provides an overview of the tasks involved in integrating a new IBM
Lotus Sametime server into an existing Sametime community.
Using a Lotus Notes client to create Connection Records for invited servers:
A Lotus Notes client can also be used to create the Connection Records described
above. To use a Lotus Notes client:
1. Open the Directory on the Sametime server.
2. Select the Configuration → Servers → Connections view.
3. Click Add Connection.
4. Click the Replication/Routing tab.
5. In the Replication task field, select Disabled. The purpose of the Connection
document is to enable one Sametime server to invite the other server to a
meeting. This step ensures that the Connection document does not cause
unexpected replication to occur.
6. Click the Basics tab.
7. In the Connection Type field, select Sametime.
8. Enter the name of the Destination server (described above).
9. Select either the within my organization or from the Internet option on the
Connection Document. These settings correspond to similar settings in the
Sametime Administration Tool that are described in Configuring the ″Meeting
Servers That Are Connected″ options.
10. Optional: In the Optional Network Address field, enter the fully qualified
DNS name or IP address of the destination server. This field is mandatory for
a Sametime Connection document.
11. Save and close the Connection document.
The administrator can use the Sametime Administration Tool to configure the
Meeting Servers That Are Connected settings for connections between Sametime
servers. (The Meeting Servers That Are Connected settings are accessible from the
Configuration → Connectivity → Servers in the Community settings of the
Sametime Administration Tool.)
The Meeting Servers That Are Connected settings list all servers that are specified
as ″Destination servers″ in the Connection Records that connect a Sametime server
with other Sametime servers in the community. A meeting started on a Sametime
server can be simultaneously active on any Sametime server that appears in the
Meeting Servers That Are Connected list. (The Sametime server can ″invite″ any
Sametime server in the ″Meeting Servers That Are Connected″ list to a meeting.)
When creating a meeting on a Sametime server, the user controls whether the
Destination servers are invited to the meeting by selecting options in the Locations
tab of the New Meeting form. The options available to the users are People are
attending from Internal Sametime servers and People are attending from the
Internet (outside the organization).
The administrator uses the check boxes available in the Meeting Servers That Are
Connected list to determine which options appear to the user on the Locations tab
of the New Meeting creation form. The check boxes in the Meeting Servers That
Are Connected list also control which Destination servers are invited to a meeting
when the user selects one of the options in the Locations tab of the New Meeting
form. The check boxes the administrator uses to control this behavior include:
v People Can Attend from Inside the Organization
v People Can Attend from the Internet
This option should be selected for a Sametime server in the Meeting Servers That
Are Connected list if both of the following are true:
v The Sametime server is deployed inside the firewall (on the corporate intranet
and available to internal users).
v You want meetings that are started on this Sametime server to be active on the
destination Sametime server in the Meeting Servers That Are Connected list.
(This Sametime server can invite the Sametime server in the Meeting Servers
That Are Connected list to the meeting.) This capability is controlled by the user
in the manner described below.
If the People Can Attend from Inside the Organization option is selected for a
Sametime server, the following occurs:
v A People are attending from internal Sametime servers option appears in the
Locations tab of the New Meeting form in the Sametime Meeting Center on the
Sametime server.
If the user selects this setting when creating a meeting, the meeting becomes
simultaneously active on every Sametime server that has the People Can Attend
Chapter 1. Configuring 63
from Inside the Organization option selected in the Meeting Servers That Are
Connected list of the Sametime Administration Tool.
If the People Can Attend from Inside the Organization setting is not selected
for a Sametime server in the Sametime Administration Tool, the meeting does
not become active on that Sametime server even if the user selects the People
are attending from internal Sametime servers option in the Locations tab when
creating the meeting.
Similar to the People Can Attend from Inside the Organization setting, the
People Can Attend from the Internet setting also affects the options that are
available to the user and determines whether a meeting started on a Source
Sametime server can be simultaneously active on a Destination Sametime server in
the Meeting Servers That Are Connected list. This option should be selected for a
Sametime server if both of the following are true:
v The Sametime server is deployed outside the firewall (in the network DMZ and
accessible to Internet clients).
v You want meetings that are started on other Sametime servers to be
simultaneously active on this Sametime server. This capability is controlled by
the user in the manner described below.
If the People Can Attend from the Internet option is selected for a Sametime
server, the following occurs:
v A People are attending from the Internet (outside the organization) option
appears in the Locations tab of the New Meeting form in the Sametime Meeting
Center when creating a new meeting.
v If the user selects the People are attending from the Internet (outside the
organization) option in the Locations tab when creating a meeting, the meeting
becomes simultaneously active on every Sametime server that has the People
Can Attend from the Internet setting selected in the ″Meeting Servers That Are
Connected″ list in the Sametime Administration Tool.
If the People Can Attend from the Internet setting is not selected for a
Sametime server, meetings started on other Sametime servers cannot become
active on the Sametime server deployed in the network DMZ.
Sametime provides the ability for multiple meeting servers to participate in the
same meeting. This capability is known as ″Invited Servers.″ Because meeting
documents are created on all servers, users may attend the meeting on any server
participating. Servers route data directly to each other in a star configuration. The
number of connections between servers is fixed, no matter how many users attend.
This functionality has been useful for hosting meetings between
geographically-dispersed regions.
Chapter 1. Configuring 65
With static invitations, Administrators who wanted to make every meeting
available to every server have had to modify their servers so that, for all meetings,
every server in the organization has invited every other server by default, creating
an extra load on each server.
When you configure IBM Lotus Sametime servers for regional dynamic invitation,
meeting documents appear on the server hosting the meeting, as well as on all
invited servers, allowing users to connect to the meeting through any of the
servers in the set.
v If a user attends the meeting on the hosting server, her Meeting Room Client
connects to the hosting server for meeting services.
v If a user attends the meeting on a server other than the hosting server, but in the
same region as the hosting server, his Meeting Room connection for meeting
services is forwarded to the hosting server.
v If a user attends the meeting on a server in a different region than the hosting
server, and no server in that region is attending, then the user’s Meeting Room
Client connects directly to that server, and server-to-server connections are
established with the hosting server.
v If a user attends on a server in a different region from the hosting server, and a
different server in that region has already established server-to-server
connections, the user’s Meeting Room Client is forwarded to the
already-connected server in that region.
v For any given meeting, no more than one server in a region participates.
In configuring invited servers, IBM Lotus Sametime administrators have the option
of assigning servers to a reserved region called ″Isolation.″ Isolation characterizes
the server as being in its own private region. Even if two different servers are
assigned to Isolation, each is treated as being in its own private region. This is a
The IBM Lotus Sametime administrator can choose how the ″invited servers″
functionality will be used in a Sametime deployment.
Options for Invited Servers will be controlled using the following two entries in
the sametime.ini file:
EnableStaticInvites=x, where x is 0 or 1
For example:
EnableStaticInvites=0
ClusterGroupAffinity=Beijing
The following table describes the behavior of the system, based on settings of the
sametime.ini parameters:
Chapter 1. Configuring 67
Parameter Settings Invited Server Behavior
For information on how client users see dynamically invited meetings, see
Regional dynamic invitations.
This topic provides an example of how to connect an IBM Lotus Sametime server
in an IBM Lotus Domino domain with another Sametime server within a different
Domino domain.
Follow the procedures below to link two Sametime servers that operate in different
Domino domains:
You can extend a single IBM Lotus Sametime community across multiple IBM
Lotus Domino domains by cross-certifying the servers.
The example below describes the simplest way to cross-certify the two Sametime
servers. In this example, the two Sametime servers are Sametimeserver1/East and
Sametimeserver2/West. To cross-certify these servers, the West organization
certifier (/West) must obtain a cross-certificate for the East organization certifier
(/East) and the East organization certifier must obtain a cross-certificate for the
West organization certifier. These cross-certificates are stored in the Domino
Directories on the respective Sametime servers.
For more information about cross-certification, see the Domino Administration Help
database, available in the Help directory of any Domino server. Domino
administration documentation is also available from the Documentation Library at
www.lotus.com/ldd/doc.
1. On Sametimeserver1/East, open the IBM Lotus Notes client. From the
Microsoft Windows desktop click Start → Run and browse to
C:\Sametime\nlnotes.exe before clicking OK.
2. Click File → Database → Open and specify the Sametimeserver2/West server.
3. When prompted for a cross-certificate, select OK.
4. Repeat steps 1 through 3, but this time use the Notes client on
Sametimeserver2/West to access Sametimeserver1/East, and accept the
cross-certificate from the Sametimeserver2/West server.
What to do next
You can extend a single IBM Lotus Sametime community across two IBM Lotus
Domino domains by sharing Directory information between domains.
Chapter 1. Configuring 69
Results
In this example, the two Sametime servers that operate in different domains are
Sametimeserver1/East and Sametimeserver2/West.
Note: This example describes replicating the entire Directories of both domains.
There are more efficient ways to share Directory information between two Domino
domains when connecting the communities. For more information on alternate
methods for sharing the Directory information, see Alternate ways to share
Directory information across domains.
What to do next
After you have created replicas of the Directories on each Sametime server, you
must create Connection Documents to ensure the Directories replicate at regular
intervals. When creating the Connection Documents:
v For Connection Type, select Local Area Network.
v Complete the Destination Server, Source Domain, Destination Domain, and
Optional Network Address fields.
v For Replication Type, select Pull Push.
v In the Files/Directories to Replicate field, enter names.nsf.
v In the Schedule field, select Enabled.
Chapter 1. Configuring 71
1. Start the Lotus Notes client.
2. Click Configuration → Server → All Server Documents.
3. Double-click the name of the Sametime server (Sametimeserver1/East) to open
the Server document.
4. If necessary, select the Basics tab of the Server document.
5. Click Edit Server.
6. In the Directory Assistance database name field, enter the filename (for
example, da.nsf) of the Directory Assistance database.
7. Click Save and Close.
8. Repeat this procedure to identify the Directory Assistance database on the
Sametime server in the other domain (Sametimeserver2/West in this example).
9. Perform the procedure below to create a Directory Assistance Document in each
Directory Assistance database.
Setting Value
Domain type Click Notes.
Domain name Enter the name of the Domino domain
associated with the secondary Directory (or
Directory that was replicated from the other
domain to this Sametime server). The
domain name must be different from the
primary Notes domain and from all other
domain names configured in Directory
Assistance.
Company name Enter the name of your company.
Search order A number representing the order in which
this directory is searched, relative to other
directories in the Directory Assistance
database.
Setting Value
Rule # One or more rules that describe the names
in the directory. By default, the first rule
contains all asterisks, indicating all names in
the Directory.
Enabled Choose one:
v No to disable a specific rule.
v Yes to enable a specific rule.
Chapter 1. Configuring 73
4. Select the Replicas tab and do the following:
Setting Value
Database Links Open the replica of the secondary directory,
and then click Edit → Copy As Link →
Database Link.
This topic discusses the Directory information that is shared between IBM Lotus
Sametime servers and describes some alternate, more efficient ways to share
Directory information when connecting Sametime communities across multiple
IBM Lotus Domino domains.
The example procedure for extending a single Sametime community across two
Domino domains earlier in this section explains how you can share Directory
information to connect two Sametime communities.
To share this Directory information, each domain must replicate the information to
the other domains that comprise the Sametime community. In the example scenario
described in Example of extending a single Sametime community across two
Domino domains, the entire Directories of two separate Domino domains are
replicated between the two Sametime servers. The Domino components of
Sametime provide features that you can use to replicate the Directory information
in a more efficient manner. You can use either of the following alternate techniques
to share Directory information across Domino domains.
v Selective replication of Directory information across domains
v Set up Extended Directory Catalogs to share Directory information across
domains
Instead of replicating the entire Domino Directory between domains, you can use
selective replication to replicate only the Person, Group, and Server documents. For
example, you can open the Directory database to be replicated to the other domain
and use the Replication Settings to replicate a subset of the documents contained
in the database. Use a selection formula, such as
(Type="Person")|(Type="Group")|(Type="Server" and Sametime="1") to ensure that
only the Person, Group, and Server documents (for which the Is this a Sametime
server? field is set to Yes) are replicated.
For more information on selective replication, see the Domino Server Administration
Help, available in the Help directory on every Domino server as well as in the
Documentation Library at www.lotus.com/ldd.
Before using this feature, the administrator should read the documentation in
Domino Server Administration Help that explains the function and set up of
Extended Server Directory Catalogs. This documentation is available in the Help
directory on every Domino server as well as in the Documentation Library at
www.lotus.com/ldd.
Chapter 1. Configuring 75
You can follow the procedures in the Domino administration documentation to set
up an Extended Server Directory Catalog on the Sametime server. When setting up
the Extended Server Directory Catalog to be used by Sametime, note the following
when creating the Configuration document for the Extended Server Directory
Catalog.
v The Configuration document contains an Additional fields to include list in the
Basics tab. The following field name entries must exist in the Additional fields
to include list to ensure that all information needed by Sametime is available in
the Extended Server Directory Catalog:
Install IBM Lotus Sametime server software on each computer that will operate as
part of the Community Services cluster.
Chapter 1. Configuring 77
About this task
Installing the Sametime servers is one of the tasks associated with clustering Lotus
Sametime Community Servers.
1. Install two Domino servers as described in the Lotus Domino Administrator Help.
2. Install a Sametime server on top of each Domino server, as described in
″Sametime Server Installation.″
3. Ensure that the Sametime servers will operate as part of the same Domino
domain by registering them in the same Domino Directory and replicating it
between the servers.
An IBM Lotus Sametime server cluster is hosted on an IBM Lotus Domino server
cluster, as each Sametime server is hosted on a Domino server.
Creating a Domino server cluster is one of the tasks required to cluster Lotus
Sametime Community Servers.
Note: This topic provides basic information on creating a Domino server cluster. If
you are unfamiliar with the functioning of Domino clusters, see the Lotus Domino
Administrator Help, available from the Documentation Library at
www.lotus.com/ldd.
To create a cluster, you must have at least ″Author″ access and ″Delete Documents″
rights specified in the Domino Directory’s ACL, and at least ″Author″ access in the
Administration Requests database ACL.
Results
If the server you used to create the Domino cluster is part of the cluster, the server
immediately starts the cluster processes and replicates its Domino Directory with
another server in the cluster. This process informs other servers in the cluster that
they are a part of the cluster. If you did not use a cluster member to create the
cluster, this process starts when the Domino Directory of the server you used to
create the cluster replicates with the Domino Directory of a server in the cluster.
You can do the following to verify the cluster was created correctly:
1. From the Domino Administrator, click 1. The name of the cluster followed by the
the Configuration tab, expand Cluster, names of the cluster servers displayed in
and then click Clusters. the Results pane.
2. In the Results pane, open the Server 2. The name of the cluster in the Cluster
documents of the servers you added to name field on the Basics tab.
the cluster.
From the Domino Administrator, click a CLDBDIR (the Cluster Database Directory
cluster server in the Server pane, and then Manager) and CLREPL (the Cluster
click the Server - Status tab. Replicator) in the Task list.
From the Domino Administrator, click a The title ″Cluster Directory (R4)″ and the file
cluster server in the Server pane, and then name ″cldbdir.nsf″ to show that Domino
click the Files tab. created the Cluster Database Directory.
Compare the replica IDs of the Cluster The same replica ID on each server.
Database Directories on each cluster server.
What to do next
Chapter 1. Configuring 79
Setting up replication of IBM Lotus Sametime databases is needed when you set
up a Community Services cluster without clustering the Meeting Services.
To set up real-time replication between the clustered Domino servers, you must
create a new replica of each of the databases listed below on the clustered Domino
servers. For example, on Sametime server 1, use an IBM Lotus Notes client to open
the vpuserinfo.nsf database, click File → Replication → New Replica, and create a
new replica of vpuserinfo.nsf on Sametime server 2.
Creating the new replica is the only procedure required to set up real-time
replication of the databases in the Domino server cluster. Whenever a change
occurs to one of the databases, the change is automatically pushed to the replicas
on the other servers in the Domino cluster.
Note: By default, an IBM Lotus Domino server does not allow you to create new
replicas on a server. To ensure you can create new replicas on the Sametime server,
you must do the following:
1. Use a Notes client to open the Server document of the Domino server on which
Sametime is installed.
2. Click the Security tab.
3. In the Server Access → Create replica databases field, enter the appropriate
user or group name to enable those users to create new replicas on the Domino
server.
After you have created and named the Community Server cluster, ensure that the
clients can connect to the cluster.
Note: Sametime uses this field to ensure that a user connects to one of the
Sametime servers in the Community Server cluster. This field serves the same
Adding the cluster name to a field in each user’s Person entry in the LDAP
directory
Note: This example uses the ″Sametime server″ field of each user’s Person
document in the Domino Directory as the field that holds the Sametime cluster
name. The field you select to hold the name of the Community Server cluster
must be specified in the LDAP Directory-Authentication-Name of the Home
Server attribute setting in the Sametime Administration Tool. In this example,
the ″Sametime server″ field was specified when you configured the connection
to the LDAP server when installing the Sametime servers.
To complete the example, you can enter the cluster name in the ″Sametime
server″ field of each user’s Person document in the Domino Directory on the
Domino LDAP server. Note that you defined the cluster name when creating a
cluster document in the Configuration database.
If you used a server name as the cluster name, you can enter the server name in
the Domino hierarchical name format (sametimeserver1/west/acme) when
entering the name in the Sametime server field of the Person document.
The Sametime Connect client attempts to connect to the network address specified
in the Options-Preferences-Sametime Connectivity-Host field of the Sametime
Connect client. The users in the Sametime community must enter the DNS name or
IP address of the load-balancing mechanism for the Community Server cluster in
the ″Host″ field of their Sametime Connect clients:
v If you have set up a rotating DNS system for load balancing, users must specify
the DNS name (for example, sametime.cscluster.com) of the rotating DNS system
in this field.
v If you have set up a WebSphere Edge Server to perform load balancing, users
must enter the IP address or DNS name of the WebSphere Edge Server machine
in this field.
You can run the Sametime client packager application on a Sametime server to
ensure that each Sametime Connect client downloaded from a Sametime server is
pre-configured with the appropriate connectivity settings for your environment,
including the Host name setting required to connect to the rotating DNS system or
WebSphere Edge Server. For more information, see ″Sametime Server Installation.″
Chapter 1. Configuring 81
Connectivity issues associated with a rotating DNS setup
If DNS resolve requests are cached, users might experience some problems when
reconnecting following a server failure. For more information on connectivity
issues associated with using a rotating DNS setup to accomplish load balancing,
see Rotating DNS Limitations with cached DNS resolve requests.
Setting up the load-balancing mechanism is one of the tasks associated with setting
up an IBM Lotus Sametime Community Services cluster without clustering the
Meeting Services.
The way in which you set up the load-balancing mechanism varies slightly
depending on whether you have deployed Community Services multiplexers on
separate machines.
The diagram below shows the Sametime servers with the rotating DNS system in
place. Note that the WebSphere Edge Server can be used in place of the rotating
DNS system.
The diagram below shows the Community Services multiplexers with the rotating
DNS system in place. Note that the WebSphere Edge Server can be used in place of
the rotating DNS system.
Chapter 1. Configuring 83
Creating a cluster document in the Configuration database (stconfig.nsf):
The cluster document enables the servers in a cluster to operate as part of the
cluster, and enables servers outside of the cluster (but still within the community)
to communicate with the cluster.
Every server within an IBM Lotus Sametime community requires a copy of the
community’s cluster document.
You must copy the Cluster Information document to all Sametime servers that are
part of the community, regardless of whether they are a part of the cluster itself.
Every server in the Sametime Community must contain the Cluster Information
document in its Configuration database. This procedure enables users who have a
home Sametime server that is not part of the Community Services cluster to share
presence and instant messaging capabilities with users who are assigned to the
Community Services cluster (have the cluster name listed as the home cluster in
the user’s Domino or LDAP directory entry).
To copy the Cluster Information document to all other Sametime servers in the
community:
1. If necessary, open the Sametime Configuration database (stconfig.nsf) in which
you created the Cluster Information document that defines the cluster.
2. Copy the Cluster Information document:
a. Locate ″Cluster Information″ in the Form Name column of the
Configuration database.
Chapter 1. Configuring 85
b. In the Cluster Information’s Last Modified Date column, right-click on the
date that represents the Cluster Information document you want to copy.
c. Select Copy.
d. Click File → Close to close the Configuration database.
3. Paste the Cluster Information document into the Configuration database on
each Sametime server in the community:
a. From the Lotus Notes client, click File → Database → Open.
b. In the Server field, type the name of another Sametime server in the
community.
c. Click Open.
d. In the Database list, select the Configuration database (stconfig.nsf).
e. Click Open.
f. Click Edit → Paste to paste the Cluster Information document into the
Configuration database on this Sametime server. The document name and
date will appear in the Last Modified Date column of Form Name section
in the Configuration database.
g. Save and close the Configuration database.
4. Repeat step 3 for every Sametime server in the Sametime community.
What to do next
Ensure that clients can access the Community Services cluster by configuring client
connectivity for the Community Services cluster.
After configuring a cluster of IBM Lotus Sametime servers on IBM i, register the
cluster with the Lotus Sametime System Console so you can manage all of the
Lotus Sametime servers from a central location.
Make sure of each these servers is ready for the cluster registration task:
v Each of the Lotus Sametime Community Servers in the cluster must be
registered with the Lotus Sametime System Console, and must be started.
v The Lotus Sametime System Console must be started.
v The LDAP server must be started, and must be connected to the Lotus Sametime
System Console.
1. Verify that each of the servers in the cluster has been registered with the Lotus
Sametime System Console.
2. If you just configured cluster settings for a group of Lotus Sametime
Community Servers, restart all of the cluster members now so the cluster goes
into effect before you continue.
3. Complete the following steps for each server in the cluster to verify each server
document’s Net Address field:
a. From a Lotus Notes client, open the Server document for the Lotus
Sametime Community Server you are working on.
b. Click the Ports tab.
c. Click the Notes Network Ports tab and check the Net Address field:
Chapter 1. Configuring 87
Adding a server to the Community Services cluster
You can add IBM Lotus Sametime Community servers to an existing Community
Services cluster.
1. Follow these steps to ensure sure that all databases have the same replica ID.
a. Add the Sametime server to the IBM Lotus Domino server cluster following
the guidelines described in Creating a Domino server cluster.
b. Replicate the Sametime databases to the newly added Sametime server
following the guidelines described in Setting up replication of Sametime
databases.
2. Update the Cluster Information document and copy the updated document to
all Sametime servers in the community:
a. Add the name of the new Sametime server to the List of Servers in Cluster
field in the Cluster Information document in the Configuration database
(stconfig.nsf) on one Sametime server.
Enter the server name in the Domino full canonical name format (for
example, cn=servername/ou=organizational unit/o=organization). Do not
use the fully qualified DNS name in this field.
The list includes every Sametime server in the cluster; separate the server
names with a semicolon and a space as shown in the example below:
cn=sametimeserver1/ou=west/o=acme; cn=sametimeserver2/ou=west/
o=acme
b. Copy the updated Cluster Information document and paste it into the
Configuration database on every Sametime server in the community (both
clustered servers and non-clustered servers).
You might want to create multiple Community Services clusters if you have users
who are in the same community, but work in remote locations. For example, you
might want to create a Community Services cluster for workers in your Dublin
office and a separate Community Services cluster for workers in your Paris office.
Creating two separate clusters enables the clusters to function more efficiently. If
the servers in Dublin and the servers in Paris were part of the same Community
Services cluster, it would be necessary to replicate databases in real-time across a
WAN connection, which might result in inefficient performance.
Results
When you create a Community Services cluster, you create a Cluster Information
document in the Configuration database (stconfig.nsf) on one Sametime server in
the cluster and copy this Cluster Information document to the Configuration
databases of every Sametime server in the community.
When you create multiple Sametime server clusters in a single community, the
Configuration database of every Sametime server in the community must include a
Cluster Information document for every cluster in the Sametime community. In
such an environment, the Configuration database on each Sametime server in the
community will contain multiple Cluster Information documents.
For example, if you have three Community Services clusters in your community
(Cluster 1, Cluster 2, and Cluster 3), the configuration database of every Sametime
server in the community must include three cluster documents (one for each
cluster).
This rule applies to all servers in the community, even servers that do not operate
as a member of a cluster.
What to do next
Chapter 1. Configuring 89
The failover behavior of the Sametime Connect clients when DNS resolve requests
are cached is discussed below.
When the DNS resolve requests are cached and a server fails, Sametime Connect
for the desktop automatically attempts to connect to another server in the cluster.
When any of the following settings are selected on the Sametime Connectivity tab,
a successful connection to the cluster depends on the client machine and its
settings:
v Direct connection using standard Sametime protocol
v Use SOCKS4 proxy with ″Resolve server name locally″ checked
v Use SOCKS5 proxy with ″Resolve server name locally″ checked
v Direct connection using HTTP protocol
If Sametime Connect cannot reconnect to the cluster when these settings are
selected, the user can try any of the following options:
v On Windows 2003 machines, change the registry key that controls the cache time
for DNS requests so the DNS requests are cached for only one second:
1. Start the registry editor and open HKEY_LOCAL_MACHINE\SYSTEM\
CurrentControlSet\Services\Dnscache\Parameters
2. Change the value of the registry key ″MaxCacheEntryTtlLimit ″ to ″1″
v In the Sametime Connect client’s Sametime Connectivity settings, change the
name in the Host setting from the cluster name to the name of a specific server
within the cluster.
When any of the following settings are selected in the Sametime Connectivity tab,
a proxy server resolves the cluster name. Resolving the cluster name depends on
the settings of the proxy server. The proxy server might return a valid server name
in the cluster, or it might return the address of the server that is already down.
v Use HTTP proxy
v Use HTTPS proxy
v Use SOCKS4 proxy with ″Resolve server name locally″ unchecked
v Use SOCKS5 proxy with ″Resolve server name locally″ unchecked
If Sametime Connect cannot reconnect to the cluster when these settings are
selected, check the settings on the proxy server to verify the proxy is attempting to
connect to the servers within the cluster in rotating order.
With Sametime Connect for browsers, the client resolves the cluster name when
any of the following options are selected:
v Direct connection using standard Sametime protocol
v Direct connection using HTTP protocol
v Use SOCKS4 proxy with ″Resolve server name locally″ checked
v Use SOCKS5 proxy with ″Resolve server name locally″ checked
If Sametime Connect for browsers cannot reconnect to the cluster when these
settings are selected, the user should do the following:
v On Windows NT® and Windows 98 machines, restart the Sametime Connect
client or restart the Web browser.
v On Windows 2000 machines, change the registry key that controls the cache time
for DNS requests so that DNS requests are cached for only one second:
1. Start the registry editor and open HKEY_LOCAL_MACHINE\SYSTEM\
CurrentControlSet\Services\Dnscache\Parameters
2. Change the value of the registry key ″MaxCacheEntryTtlLimit ″ to ″1″
v In the Sametime Connect client’s Sametime Connectivity settings, change the
name in the Host field from the cluster name to the name of a specific server
within the cluster.
When any of the following settings are selected in the Sametime Connect for
browsers Sametime Connectivity tab, a proxy server resolves the cluster name.
Resolving the cluster name depends on the settings of the proxy server. The proxy
server might return a valid server name in the cluster, or it might return the
address of the server that is already down.
v Use SOCKS4 proxy with ″Resolve server name locally″ unchecked
v Use SOCKS5 proxy with ″Resolve server name locally″ unchecked
v Use HTTP proxy
v Use HTTPS proxy
If Sametime Connect cannot reconnect to the cluster when these settings are
selected, check the proxy settings to verify the proxy is attempting to connect to
the servers in the cluster in rotating order.
When Use my browser settings is selected in the Sametime Connectivity tab, the
behavior of the client depends on the proxy connectivity settings of the Web
browser.
v If the browser settings do not specify a proxy server, the client attempts a Direct
connection using standard Sametime protocol or a Direct connection using
HTTP protocol. If the client is unable to reconnect following a server failure, the
user can try any of the options listed for Direct connection using standard
Sametime protocol and Direct connection using HTTP protocol above.
v If the browser settings specify a SOCKS proxy server, and the client is unable to
reconnect following a server failure, the user can try any of the options listed for
the Use SOCKS4 and Use SOCKS5 proxy settings above.
v If the browser settings specify an HTTP or HTTPS proxy server, the proxy server
resolves the cluster name. If the client cannot reconnect, check the settings on
the proxy server to verify the proxy is attempting to connect to the servers in
the cluster.
Chapter 1. Configuring 91
Configuring SiteMinder for the Lotus Sametime server
This section describes how to configure CA eTrust SiteMinder for the IBM Lotus
Sametime 8 server.
You installed the Lotus Sametime 8 server as part of the process for installing IBM
Lotus Sametime Advanced. The Lotus Sametime 8 server is managed with the
Lotus Sametime Advanced server. When you configure SiteMinder to work the
Lotus Sametime 8 server, you create a new agent object, agent configuration object,
Host configuration object, realm, and sub-realms. You should use the same user
directory and domain that you created when you configured SiteMinder for Lotus
Sametime Advanced.
Chapter 1. Configuring 93
Authentication Default Resource
Name Resource Filter Scheme Protection
ST Applets sametime/applets Basic Unprotected
ST Applet Sametime/Applet Basic Unprotected
IMI Sametime sametime/ Basic Unprotected
hostAddress.xml
ST MMAPI servlet/auth/mmapi Basic Unprotected
ST Admin CGI cgi-bin/ Basic Unprotected
StAdminAct.exe
ST UserInfoServlet servlet/ Basic Unprotected
UserInfoServlet
4. Create rules for the protected realm (Sametime)and the two protected
sub-realms (ST AdminPage and ST Src).
a. Right-click the realm that was created for the Web Agent domain (for
example Sametime), and select Create Rule under Realm.
b. Use the SiteMinder Rule dialog to create the following rules named Rule 1
and Rule 2:
Rule 1 properties
v *Name - GetPost Rule
v Realm - Sametime
v Resource: *
v Web Agent actions - Get,Post,
v When this Rule fires - Allow Access
v Enable or Disable this Rule - Enabled
Rule 2 properties
v *Name - OnAuthAccept
v Realm - Sametime
v Resource: *
v Authentication events - OnAuthAccept
v When this Rule fires - Allow Access
v Enable or Disable this Rule - Enabled
c. Right-click the ST AdminPage sub-realm , and select Create Rule under
Realm.
d. Use the SiteMinder Rule dialog to create the following rule named Rule 1:
Rule 1 properties
v *Name - GetPost Rule
v Realm - Sametime.ST AdminPage
v Resource: *
v Web Agent actions - Get,Post,
v When this Rule fires - Allow Access
v Enable or Disable this Rule - Enabled
e. Right-click the ST Src sub-realm , and select Create Rule under Realm.
f. Use the SiteMinder Rule dialog to create the following rules named Rule 1
and Rule 2:
Rule 1 properties
v *Name - GetPost Rule
Before you begin, you must download the Siteminder V6-QMR5 W32 Web Agent
installation files from the SiteMinder support site at .http://support.netegrity.com.
Refer to the SiteMinder platform support matrices for more details. These matrices
can be obtained from the SiteMinder support site. You can also refer to the
SiteMinder WebAgent Installation Guide for details about configuring the Web Agent
to work with the HTTP server that you are using. The application agent for IBM
Lotus Sametime Advanced should be v6.0 CR005 or later to ensure support of IBM
WebSphere Application Server 6.1.
Note: To install the SiteMinder Web Agent on platforms other than Microsoft
Windows, you can use the relevant Win32 instructions as a reference document.
The same configuration information needs to be provided, regardless of platform.
There are also additional instructions included with the Web Agent installation
files that indicate platform-specific steps that are required for installing and
configuring the Web Agent on a specific platform.
Follow these steps to install and configure the Win32 6x Web Agent for your HTTP
server.
1. If necessary, extract all the files from the ZIP file provided by SiteMinder.
2. Start the Web Agent executable. The format is nete-wa-6qmrX-platform.exe.
For example:
Chapter 1. Configuring 95
nete-wa-6qmr5-win32.exe
Note: You can ignore messages indicating that some warnings occurred
during the installation. These warnings appear by default and do not affect
the functionality of the Web Agent.
What to do next
There are additional steps that must be completed to enable the Web Agent to
function properly for your server. Follow the additional instructions that are
provided by your SiteMinder contact in order to complete this setup.
Follow these steps to add the DSAPI filter file name to the Domino Directory.
1. Open the Domino Directory (names.nsf) on the Domino server.
2. Edit the server document for the Domino server as follows:
a. Click the Internet Protocols tab, then click the HTTP tab. In the DSAPI
filter file names field, type the full path and name of the SiteMinder Web
Agent (typically c:\Program Files\Netegrity\Siteminder Web
Agent\bin\dominowebagent.dll)
b. Click the Domino Web Engine tab, then set the Session authentication field
to Disabled.
3. Save and close the server document.
When the user logs in from the client, the client looks in the preferences.ini file
located in the update plugin (com.ibm.collaboration.realtime.update\
preferences.ini) root directory for the existence of the ″runme″ property. If the
property is present and is set to ’true,’ then the update plugin continues. The client
then checks the policy key CONNECT_UPDATE_URL on the default Lotus
Sametime Community Server. If the server is 7.5.x or later then you, as
Administrator, can define the policy to tell the client where the update site is
located. If the policy key is not set on the server (see the section on User Policy in
this documentation), it is missing for one of two reasons:
1. The administrator did not set the key in the stpolicy.nsf file on the Louts
Sametime Community Server.
2. The Lotus Sametime Community Server is a pre-7.5.1 version.
Chapter 1. Configuring 97
If the key is not found, the client will search the preferences.ini file located in the
update plugin (com.ibm.collaboration.realtime.update\preferences.ini) root
directory for the adminUpdatePolicyURL value. The client then silently downloads
all updated features it finds in the administrator’s update site and install them.
Updates of features from this site are required so the client does not have the
option of not installing them. Once installation is complete, the user receives a
message announcing that new updates have been installed and that the user
should restart the Sametime client. The user can click the restart button or press a
five-minute delay button. If the user is involved in chats with other users, he or
she can continue to delay restart for as long as he wishes by continuing to press
the restart button at five-minute intervals. After the restart, the client checks again
to see if there are more updates, and if it finds none, the user is not interrupted
again. This update process takes place each time the user restarts his client and
logs in into his default server.
You can create a branding plug-in that shows a custom message in the user’s ″New
contact″ screen or in the login screen. For example, when you are creating a
message for the new contact screen, if you connect a particular community to a
public instant messaging network, you may want to tell the users which
community to use to add a contact from that public network. This branding feature
accepts text only. For information on using a wizard to create plug-ins, see the
Eclipse documentation: http://help.eclipse.org/help32/topic/
org.eclipse.pde.doc.user/guide/tools/project_wizards/
new_project_wizards.htm.
The plug-in you create this way is pushed to the client just as Sametime updates
are pushed. See the following examples for a template.
</plugin>
static {
NLS.initializeMessages(BUNDLE_NAME, Messages.class);}}
What to do next
After you have created the plug-in by following these examples, provision the
messages to the Sametime clients.
User downloads
If you want to manually provision the plug-in, make sure that the policy Allow
user to install plug-ins is assigned to the user. To deploy the plug-in to a larger
audience, you can use software distribute system or a Sametime update site. For
more information on using Sametime update sites, see Methods of pushing down
Sametime 7.5.x & 8.0 client updates. In Lotus Sametime Connect, the user can
select the feature from the Lotus Sametime Connect client.
1. Choose Tools → Plug- ins → Install Plug-ins.
2. Select Search for new features to install, and then click Next.
3. Select the site to include in the search and click Finish.
4. In the Search Results, select the features to install and click Next.
5. In the next window, click Finish to install. Verify by clicking Install.
6. Restart the client.
If Automatic Updates are selected in the Connect Client, the user receives a dialog
box that states that new updates are available, and asks the user if he or she wants
to install them now. The user can select Yes or No.
Before you begin, turn off case sensitivity in the IBM Lotus Sametime Community
server and restart the server.
You turn off case sensitivity for Lotus Sametime clients by editing the
plugin_customization. For more information on configuring user preferences see
the following Technote:
http://www-01.ibm.com/support/docview.wss?rs=477&uid=swg21306943
1. Backup the sametime client program directory\plugin_customization.ini.
2. Modify the plugin_customization.ini file, by updating the following line:
com.ibm.collaboration.realtime.people/isCaseInsensitive=true
3. Save and close the configuration file.
The Lotus Sametime Connect client connects to the Community Services on the
Lotus Sametime Community Server. Community Services supports all Sametime
presence and chat capabilities.
Connection process
The basic connection process of the Sametime Connect client is described below.
The connection process depends on the Connection, Proxy type, and Port settings
that are selected in the Sametime Connect client Sametime Connectivity settings.
1. The user starts the Sametime Connect client.
2. The Sametime Connect client examines the values in the Host field and the
Community Port field (default 1533) of the Sametime Connect client’s
Sametime Connectivity settings.
The Sametime Connect client uses the Host and Community Port values to
determine the host name and port it should use when attempting a connection
to the Sametime server.
Note: You can also select Use my Internet Explorer HTTP settings to
establish connections through HTTP and SOCKS proxy servers.
Use SOCKS4 proxy and Use SOCKS5 proxy - If the Sametime Connect client
connects to a SOCKS proxy server to access the Internet or intranet, you must
select the appropriate SOCKS proxy option (either Use SOCKS4 proxy or Use
SOCKS5 proxy) as the Proxy type in the Sametime Connect client’s Sametime
Connectivity settings.
Note: If the HTTP proxy server requires authentication, the user name and
password required for authentication to the HTTP proxy server must also be
entered in the Proxy server options of the Sametime Connect client’s Sametime
Connectivity settings.
When Use HTTP proxy is selected, the client encases the standard Sametime
protocol connection information within an HTTP request. Sametime Connect
connects to the HTTP proxy, and the HTTP proxy server connects to the
Community Services multiplexer on the Sametime server on behalf of the
Sametime Connect client. The HTTP connection to the Community Services
multiplexer occurs on the ″Community port″ (default 1533) specified in the
Sametime Connect client Sametime Connectivity settings.
The Community Services multiplexer on the Sametime server listens for HTTP
connections on all ports specified in the Port number field under Client
connections in the Community Services settings of the Sametime System
Console and HTTP tunneled client connections in the Community Services
settings of the Sametime System Console.
For this connection to succeed, the port specified as the Community port
setting in the Sametime Connect client’s Sametime Connectivity settings must
match a port number specified in one of these settings in the Sametime System
Console:
v The Port number field under Client connections in the Community Services
settings of the Sametime System Console.
v The Port number field under HTTP tunneled client connections in the
Community Services settings of the Sametime System Console.
Note: You can also select Use my Internet Explorer HTTP settings to
establish connections to the Community Services through HTTP tunneling on
port 80. If you select this setting, you must also ensure that the Community
port setting in the Sametime Connectivity settings is set to port 80.
Note: If the HTTP port is to be changed manually, so must the port be changed in
the stconvservices.properties file. This is a limitation in that the server does not
pull the port from the server document.
Configuring Lotus Sametime for mobile users involves the following tasks:
Complete the following steps to enable support for Lotus Sametime Mobile on the
Lotus Domino server.
1. Create a Web Site Rule document in the Domino Directory and establish a URL
redirection. The URL redirection enables users to download the Lotus Sametime
Mobile application to their mobile devices using the simplified URL
http://yoursametimeserver.yourcompany.com/mobile.
a. In the Domino Directory, open the Server document for the Lotus Domino
server that hosts the Lotus Sametime Community server.
b. Click the Create Web - URL Mapping/Redirection button.
c. In the Basics tab, select URL → Redirection URL.
d. Click the Mapping tab and enter the following information:
v In the Incoming URL path field, enter /mobile/* .
v In the Redirection URL string field, enter stcenter.nsf/
WebMobileDownloads?OpenView .
What to do next
After these steps are completed, the Lotus Sametime Community server can be
used with the Sametime Mobile client; however, before allowing users to download
Lotus Sametime Mobile, you should provision the client with appropriate server
details. This simplifies the user experience and prevents the user from entering
incorrect connectivity details.
These instructions assume that you do not use the IBM Lotus Sametime Enterprise
Meeting Server in your Sametime deployment. If you use the Enterprise Meeting
Server, proceed to the topic, Configuring Sametime Mobile for client downloads in
the Sametime Enterprise Server Meeting help, instead.
Sametime provides three options for connecting mobile devices to the Lotus
Sametime Community server:
v Connect with a Virtual Private Network (VPN) such as IBM Lotus Mobile
Connect or RIM BlackBerry Enterprise Server Mobile Data Services (MDS).
This connection model provides end-to-end connectivity from the device into the
corporate intranet, allowing for applications to access intranet resources securely.
Sametime Mobile would access the server, and intranet, in the same manner as
any other application installed on the device. This is typically the most flexible
approach as it allows the client to utilize a variety of application that may be
hosted on the corporate intranet.
v Connect with an authenticating HTTP Proxy, such as IBM HTTP Server or
Apache HTTP Server.
The Sametime Mobile client supports connecting through a standard Web proxy
that issues HTTP 401 or 407 challenge requests with HTML Form Basic
Authentication (Digest is not supported at this time). The reverse proxy server
Follow the instructions below to configure Sametime Mobile for client downloads.
1. Start the Lotus Sametime Community server and log in.
2. Fill in configuration information for the mobile devices supported in your
environment by completing the following steps:
a. Click Administer the server.
b. Expand Configuration and under it, click Sametime Mobile. The
Configuration - Sametime Mobile page displays a link for each supported
mobile device.
c. Click the link that represents a device you want to configure.
d. Enter the appropriate configuration information for your device.
The devices supported with the current release of Lotus Sametime Mobile
are listed below this topic; refer to the appropriate device for additional
configuration details.
e. Click Update to save your changes.
What to do next
The following mobile devices are supported with this release of Lotus Sametime
Mobile:
These configuration steps provision information for users of the following mobile
devices. These steps are optional but highly recommended. These settings affect
both the Windows Mobile MIDP client as well as the new Unified Communications
and Collaboration (UCC) Windows Mobile client.
v Microsoft Windows Mobile 6 Standard
v Microsoft Windows Mobile 6 Professional
v Microsoft Windows Mobile 5 Pocket PC
Nokia Eseries
Configure IBM Lotus Sametime Mobile support for Nokia Eseries devices.
The following configuration steps provision information for users of Nokia Eseries
mobile devices. These steps are optional but highly recommended.
Hint for user’s first time login
Enter a user name suffix, for example an e-mail suffix such as @acme.com.
During login, the User name field displays this suffix as a default value, so
that users need only add their names before the suffix.
Sametime server name
Enter the fully qualified host name of the Lotus Sametime Community
server that mobile devices will connect to by default; for example,
sametime.acme.com.
Port Enter the default port used to connect to the specified Lotus Sametime
Community server.
Proxy connection
Select this setting if mobile users will connect to the Lotus Sametime
Community server through a proxy server. If you enable a proxy
connection, you must enter a valid proxy URL in the field that follows.
Proxy URL
Enter the URL for the proxy server that will connect Sametime Mobile
users to the Lotus Sametime Community server.
Use Sametime Connect user ID and password
Select this option if you want Sametime Mobile users to connect to the
Sametime server with their IBM Lotus Sametime Connect user name and
password.
The following configuration steps provision information for users of Sony Ericsson
M600, P900, and P1i mobile devices. These steps are optional but highly
recommended.
Configuring connectivity
Configure connectivity from the IBM Lotus Sametime Proxy Server to the Lotus
Sametime Community Server and Lotus Sametime Meeting Server. Connect to a
business card server, set up click-to-call, a FIPS server, and clustering.
Before completing this task, ensure that Lotus Sametime Community server is
configured correctly.
Complete the following steps to connect the Lotus Sametime Proxy server to the
Lotus Sametime Community server.
1. Login to the Sametime System Console with administrator privileges.
Example: https://yourserver.com:8701/ibm/console
2. Expand the Sametime System Console twistie.
3. Select Sametime Proxy Servers
4. Select the Deployment Name for the Sametime Proxy Server deployment you
wish to configure.
Configure Single Sign-On (SSO) between the meeting server and the Community
Server (either Lotus Sametime Community Server or Lotus Sametime Standard)
that this Lotus Sametime Proxy Server will connect to.
Complete the following steps to connect the Lotus Sametime Proxy server to a
meeting server.
1. Login to the Sametime System Console with administrator privileges.
Example: https://yourserver.com:8701/ibm/console
2. Click Sametime System Console → Sametime Proxy Servers.
3. Select the Deployment Name for the Sametime Proxy Server deployment you
are configuring.
4. Select the type of meeting server to which the Lotus Sametime Proxy server
will connect.
The Lotus Sametime Proxy server can connect to any of the following meeting
servers:
v Lotus Sametime Meeting Server
v Lotus Sametime Classic Server
v Lotus Sametime Standard server (used in releases prior to Lotus Sametime
8.5)
v Lotus Sametime Enterprise Meeting Server (used for clustering meeting
servers in releases prior to Lotus Sametime 8.5)
5. (Optional) Enable SSL
6. Enter the fully qualified host name of the meeting server that you selected in
step 5.
For example: sametime_meeting.acme.com
7. Enter the port number for that meeting server.
If you choose Sametime Classic Meeting server, the host name and port fields
will be grayed out since the same fully qualified host name and port is used for
the Lotus Sametime Community server.
8. Click Apply.
Chapter 1. Configuring 113
Configuring Lotus Connections as the business card server
By default, the IBM Lotus Sametime Proxy Server retrieves business card
information from the Lotus Sametime Community Server. You can configure the
connection to use a Lotus Connections server instead by completing the tasks
below.
Note: This feature requires the use of Lotus Connections 2.5.0.1 or later. The
binding between Lotus Sametime users and Lotus Connections users is based on
e-mail address, so e-mail addresses need to be enabled on the Lotus Connections
server.
Before completing this task, ensure that your telephony conferencing server is
configured correctly. If you will use Lotus Sametime Unified Telephony, make sure
the following tasks have been competed before attempting to create the connection
as described in this topic:
1. Install the Lotus Sametime Unified Telephony API on the Telephony
Application Server (for information, see the Lotus Sametime Unified Telephony
API Guide).
2. Configure LDAP access for the API on the Lotus Sametime Unified Telephony
server (for information, see the Lotus Sametime Unified Telephony API Guide).
3. Configure Web Single Sign-On (SSO) between the Lotus Sametime Unified
Telephony server and the Lotus Sametime Community Server.
4. Import the SSL certificate from the Lotus Sametime Unified Telephony server
into the Lotus Sametime Proxy Server’s Cell truststore.
Complete the following steps to connect the IBM Lotus Sametime Proxy server to
the telephony conferencing server.
1. Login to the Sametime System Console with administrator privileges.
Example: https://yourserver.com:8701/ibm/console
2. Expand the Sametime System Console twistie.
3. Select Sametime Proxy Servers
4. Select the Deployment Name for the Sametime Proxy Server deployment you
wish to configure.
5. Select a telephony service:
v No telephony (default)
v Enable TCSPI (Telephony Control Service Provider Interface)
v Enable Sametime Unified Telephony
If using Lotus Sametime Unified Telephony, enter the Host name and Port
(9080 is the default) of the Telephony Application Server.
6. Enable Secure Socket Layer (SSL) encryption by clicking Enable SSL.
Note: This step is required when you use Lotus Sametime Unified Telephony.
7. Click OK, and then click Apply.
Before you can configure a cluster of Lotus Sametime Proxy Servers, you must
have installed the following servers:
1. Lotus Sametime System Console
This server will function as the cluster’s Deployment Manager; the console can
function as the Deployment Manager for multiple clusters.
2. Lotus Sametime Community Server
At least one Lotus Sametime Community Server must be deployed to provide
presence and awareness for users attending online meetings.
3. One Lotus Sametime Proxy Server installed with the Network Deployment →
Primary Node option.
Every cluster requires exactly one Primary Node. The application server on the
Primary Node will function as the cluster’s application template. All other
application servers in the cluster (nodes and cluster members) will be
duplicated from the Primary Node’s application server. The Primary node’s
application server can only belong to one cluster. The Primary Node can be
used as a container for additional cluster members when creating a vertical
cluster (multiple cluster members on the same physical system).
There are several tasks involved in creating a cluster; complete them in the
sequence shown here:
This task is required to ensure that the servers can be federated to the Deployment
Manager during creation of the cluster. Working on the Lotus Sametime System
Console, complete this task for every server that you will add to the cluster.
For each server that will be added to the cluster, set the system clock to exactly the
same time as the Deployment Manager’s (the Lotus Sametime System Console)
system clock.
Install a Lotus Sametime Proxy Server using the Network Deployment - Primary
Node option.
When you install the Primary Node, WebSphere creates an application in the
Primary Node cell and the path to the Lotus Sametime Proxy Server application
binary is hard-coded to ${APP_INSTALL_ROOT}\PrimaryNodeCellName. When Lotus
Sametime Proxy Servers are clustered, the applications installed on the Primary
Node is transferred to the Deployment Manager cell; however, the application
binaries continue to reside under the Primary Node cell path. If the Primary Node
is not hosted on the same computer as the Deployment Manager, the hard-coded
path that is now referenced on the Deployment Manager will be incorrect. You can
prevent this problem by changing that path so that it uses the variable ${CELL}
instead of the hard-coded Primary Node’s name. This change ensures that the
application will be copied under the Deployment Manager’s cell folder.
Complete this task after you have installed the Primary Node, but before you
attempt to create a cluster.
Note: If you have already completed the federation of this Primary Node
(either during the clustering guided activity or manually using the WebSphere
addNode utility), log into the Deployment Manager’s Integrated Solutions
Console instead.
2. Click Applications → Application Types → WebSphere Enterprise Applications.
3. Select the ″SametimeProxy″ application.
4. Click the Application binaries link.
5. Change the Location (full path) to this value: $(APP_INSTALL_ROOT)/$(CELL).
6. Save your change.
Start the Lotus Sametime System Console and the servers you intend to cluster.
Note: This guided activity is only for Lotus Sametime servers hosted on IBM
WebSphere Application Server, and does not apply to the Lotus Sametime
Community Server.
If you have not already opened the Cluster WebSphere Application Servers guided
activity, follow these steps:
1. From a browser, enter the following URL, replacing serverhostname.domain with
the fully qualified domain name of the Lotus Sametime System Console server.
http://serverhostname.domain:8700/ibm/console
2. Enter the WebSphere Application Server User ID and password that you
created when you installed the Lotus Sametime System Console.
3. Click the Sametime System Console task to open it in the navigation tree.
4. Click Guided Activities → Cluster WebSphere Application Servers.
This guided activity takes you through the steps for clustering IBM Lotus
Sametime servers hosted on IBM WebSphere Application Server. The servers you
add to the cluster must all be running the same Lotus Sametime product
application; for example, Lotus Sametime Meeting Server, Lotus Sametime Proxy
Server, Lotus Sametime Media Manager Conference Manager, or Lotus Sametime
Media Manager SIP Proxy and Registrar.
Install the Lotus Sametime System Console and two or more Lotus Sametime
servers of the same product type; then start the Lotus Sametime System Console
and all of the servers you plan to cluster.
Note that you cannot use this activity to cluster Lotus Sametime Community
Servers (see ″Clustering Lotus Sametime Community Servers″) or Lotus Sametime
Gateway servers (see ″Installing Lotus Sametime Gateway servers in a cluster″).
Attention: If you are creating a cluster of Lotus Sametime Proxy Servers, make
sure that you have set the location for the application binaries on the Primary
Node (explained in ″Preparing the Primary Node″) before you proceed.
These instructions assume that you will use the Lotus Sametime System Console as
the cluster’s Deployment Manager, which provides a single Integrated Solutions
Console for all WebSphere administrative functions for all servers participating in
the cell – this simplifies the administrative experience.
1. Cluster WebSphere Application Servers.
Click Next to begin the clustering activity.
2. Select Product to Cluster.
Select the product server to cluster, and then click Next.
Note: Make sure that the Primary Node’s application server is running.
This action allows the Primary Node to be administered from the
Deployment Manager’s Integrated Services Console. The federation and
clustering processes are very complex and may take 5-10 minutes to
complete. Please be patient; click these buttons only once and then wait for
the page to finish loading before continuing.
If the federate primary node action completed and the Create cluster button
is not enabled, or the federate primary node returned an error, wait 3-5
minutes and retry the operation by clicking the Federate Node button
again. If this operation continues to fail, it may be necessary to restart the
Deployment Manager and Primary Node and then click the Federate Node
button again to continue the guided activity.
c. Click the Create cluster button to configure the cluster settings, and then
click Next.
During cluster configuration, each node’s application server was stopped so that
the node could be federated. Start all of the application servers now.
Use the IBM Lotus Sametime System Console to start each of the application
servers in the cluster.
1. Log in to the Deployment Manager’s (the Lotus Sametime System Console)
Integrated Solutions Console as the WebSphere administrator.
2. Click Servers → Server types → WebSphere application servers in the
navigation tree.
3. Select the application server’s check box and click Start.
The status column changes to show that the application server is running.
4. Repeat for every application server in the cluster.
Note: If you created a vertical cluster, you will need to start all of the
application servers on every node.
Note: The IBM Load Balancer is not available on IBM i, but you can deploy it on a
server running a different operating system for use with a Lotus Sametime
deployment hosted on IBM i.
IBM Load Balancer is not required for a Lotus Sametime clustered deployment;
you can use any load-balancing mechanism that supports HTTP session affinity so
that a user is repeatedly routed to the same server during a single session. IBM
Load Balancer is included in the Lotus Sametime package with the other IBM
WebSphere components.
1. Download IBM Load Balancer onto the server where you will install it:
a. Open this release’s Download document in the Lotus Sametime Download
document.
b. Locate the appropriate IBM WebSphere Edge server component in the
document’s listing, then download the packages labelled with the
corresponding part numbers to the system on which you are installing.
2. Navigate to the folder where you stored the downloaded files, locate the folder
for IBM Load Balancer, and start the installation program.
For instructions on installing IBM Load Balancer, see the Load Balancer for
IPv4 and IPv6 configuration guide.
3. After you have installed IBM Load Balancer, configure two static IP addresses
for it:
v Non-Forwarding Address: The NFA is the address of the server itself. It is
used for logging in and administering the load balancer.
v Cluster Address: This is the address by which clients and other servers will
access the cluster. It must be DNS-resolvable.
For example, suppose your cluster contains two nodes, and you configure an
IBM Load Balancer for the cluster. Your IP addresses will look like this:
Table 1. Sample host names and IP addresses for a Lotus Sametime Meeting Server cluster
or Lotus Sametime Proxy Server cluster with IBM Load Balancer
Fully qualified host name Server’s role in deployment Server’s IP address
Load balancer: loadbal.acme.com
Load balancer Load balancer (NFA): 9.51.251.115
Cluster: st-cluster.acme.com (Cluster address) Cluster: 9.51.251.44
stconsole.acme.com Deployment Manager 9.51.251.101
(Lotus Sametime System Console)
svr1.acme.com Primary Node 9.51.251.103
(Lotus Sametime Meeting Server
or Lotus Sametime Proxy Server)
svr2.acme.com Secondary Node 9.51.251.109
(Lotus Sametime Meeting Server
or Lotus Sametime Proxy Server)
Install IBM Load Balancer and assign two status IP addresses to it. The server
selected for the Load Balancer installation must reside on the same LAN segment
as the nodes to be clustered.
Configure IBM Load balancer to support your cluster using MAC Address
rewriting. With this method, the load balancer receives a packet intended for the
cluster. It uses configured metrics to determine which node in the cluster should
process the message, and then sends the message back out to the network, routing
it to the appropriate node’s MAC address.
Each of the nodes in the cluster is configured with a loopback adapter; when the
packet is rewritten to the network, the appropriate node will receive and process
the packet.
1. Set up the loopback adapters on the cluster nodes:
On each of the nodes of the cluster, a loopback adapter must be added with the
IP address of the cluster. This step is different for each operating system. Refer
to the Load Balancer for IPv4 and IPv6 configuration guide for details.
2. Configure port settings on the cluster nodes so that IBM Load Balancer can
route the packets properly:
IBM Load Balancer requires every node in the cluster to use same port number
for both HTTP and HTTPS service (typically, port 80). If you have configured
your nodes to use unique port numbers, change them to the same port now.
Tip: When configuring the ports, you can use the wildcard * when specifying
the host name for the HTTP and HTTPS. This will listen on all interfaces
configured in the system, including the loopback adapter set up for the cluster.
3. On the load balancer server, configure load balancing for the cluster:
a. Open a command window on the load balancer server.
b. Start the load balancer’s Dispatcher process:
v IBM AIX, Linux, Solaris
dsserver
v Microsoft Windows
Click Start → Control Panel → Administrative Tools → Services. right-click
IBM Dispatcher (ULB), and then click Start.
c. If you are using IPv6 addresses, enable the processing of IPv6 packets:
These commands enable processing of IPv6 packets in the respective
operating systems. Issue this command only once; thereafter, you can start
and stop the executor as often as you need. If you do not issue the
command to enable processing of IPv6 packets on these systems, the
executor will not start (on Solaris, the executor will start, but no IPv6
packets can be viewed).
AIX
1) Run the following command:
autoconf6
.
f. Add the cluster port:
dscontrol port add cluster's_fully_qualified_host_name@port
where cluster’s_fully_qualified_host_name:port is the fully qualified host name
that you assigned to the cluster when you installed the load balancer, with
the HTTP/HTTPS port appended to it (typically port 80); for example:
stms-cluster.acme.com@80
g. Add the nodes for which this server will balance workload:
dscontrol server add cluster_host@port@primary_node
dscontrol server add cluster_host@port@secondary_node
where:
v cluster_host:port:primary_node indicates the cluster’s fully qualified host
name with the port appended (as in the previous step) plus now with the
primary node’s fully qualified host name appended; for example:
stms-cluster.acme.com@80@meetsvr1.acme.com
v cluster_host@port@secondary_node indicates the cluster’s fully qualified host
name with the port appended (as in the previous step) plus now with the
secondary node’s fully qualified host name appended (include an
additional line for each additional secondary node); for example:
stms-cluster.acme.com@80@meetsvr2.acme.com
h. Add the cluster to the executor:
dscontrol executor add cluster's_fully_qualified_host_name
where cluster’s_fully_qualified_host_name is the fully qualified host name that
you assigned to the cluster when you installed the load balancer; for
example:
stms-cluster.acme.com
To cluster SIP Proxy and Registrar components, complete the following tasks in the
sequence shown:
This task is required to ensure that the servers can be federated to the Deployment
Manager during creation of the cluster. Working on the Lotus Sametime System
Console, complete this task for every server that you will add to the cluster.
For each server that will be added to the cluster, set the system clock to exactly the
same time as the Deployment Manager’s (the Lotus Sametime System Console)
system clock.
Use the IBM Lotus Sametime System Console to create a cluster of Lotus Sametime
Servers hosted on IBM WebSphere Application Server. The Lotus Sametime servers
must all be running the same type of server; for example, Lotus Sametime Meeting
Server, Lotus Sametime Proxy Server, Lotus Sametime Media Manager Conference
Manager, or Lotus Sametime Media Manager SIP Proxy and Registrar.
Start the Lotus Sametime System Console and the servers you intend to cluster.
Note: This guided activity is only for Lotus Sametime servers hosted on IBM
WebSphere Application Server, and does not apply to the Lotus Sametime
Community Server.
If you have not already opened the Cluster WebSphere Application Servers guided
activity, follow these steps:
1. From a browser, enter the following URL, replacing serverhostname.domain with
the fully qualified domain name of the Lotus Sametime System Console server.
http://serverhostname.domain:8700/ibm/console
2. Enter the WebSphere Application Server User ID and password that you
created when you installed the Lotus Sametime System Console.
3. Click the Sametime System Console task to open it in the navigation tree.
This guided activity takes you through the steps for clustering IBM Lotus
Sametime servers hosted on IBM WebSphere Application Server. The servers you
add to the cluster must all be running the same Lotus Sametime product
application; for example, Lotus Sametime Meeting Server, Lotus Sametime Proxy
Server, Lotus Sametime Media Manager Conference Manager, or Lotus Sametime
Media Manager SIP Proxy and Registrar.
Install the Lotus Sametime System Console and two or more Lotus Sametime
servers of the same product type; then start the Lotus Sametime System Console
and all of the servers you plan to cluster.
Note that you cannot use this activity to cluster Lotus Sametime Community
Servers (see ″Clustering Lotus Sametime Community Servers″) or Lotus Sametime
Gateway servers (see ″Installing Lotus Sametime Gateway servers in a cluster″).
Attention: If you are creating a cluster of Lotus Sametime Proxy Servers, make
sure that you have set the location for the application binaries on the Primary
Node (explained in ″Preparing the Primary Node″) before you proceed.
These instructions assume that you will use the Lotus Sametime System Console as
the cluster’s Deployment Manager, which provides a single Integrated Solutions
Console for all WebSphere administrative functions for all servers participating in
the cell – this simplifies the administrative experience.
1. Cluster WebSphere Application Servers.
Click Next to begin the clustering activity.
2. Select Product to Cluster.
Note: Make sure that the Primary Node’s application server is running.
This action allows the Primary Node to be administered from the
Deployment Manager’s Integrated Services Console. The federation and
clustering processes are very complex and may take 5-10 minutes to
complete. Please be patient; click these buttons only once and then wait for
the page to finish loading before continuing.
If the federate primary node action completed and the Create cluster button
is not enabled, or the federate primary node returned an error, wait 3-5
minutes and retry the operation by clicking the Federate Node button
again. If this operation continues to fail, it may be necessary to restart the
Deployment Manager and Primary Node and then click the Federate Node
button again to continue the guided activity.
Configure an IBM WebSphere proxy server to perform routing and caching tasks
for a cluster of IBM Lotus Sametime servers running on WebSphere Application
Server.
Use these instructions to configure a WebSphere proxy server that operates with
the following Lotus Sametime server clusters:
v Meeting Server
v Conference Manager
v SIP Proxy and Registrar
A cluster of Lotus Sametime servers that run on WebSphere Application Server can
use a WebSphere proxy server to manage routing and caching tasks. To ensure
redundancy in the case of a proxy server failure, you may want to configure
multiple proxy servers for the cluster. You can host a WebSphere proxy server on
any node in the cluster (except the Lotus Sametime System Console) but because it
uses a lot of system resources, you may want to host it on its own computer.
1. Log in to the Deployment Manager’s (the Lotus Sametime System Console)
Integrated Solutions Console as the WebSphere administrator.
2. In the navigation tree, click Servers → Server Types → WebSphere proxy
servers.
3. In the proxy servers table, click the New button at the top of the table.
4. In the ″Create a new proxy server entry″ dialog box, do the following:
a. In the ″Select a node″ box, select the node that will host the WebSphere
proxy server.
Complete the configuration for clustering IBM Lotus Sametime Media Manager SIP
Proxy and Registrar components using an IBM WebSphere Application Server
network deployment.
Create a cluster of SIP Proxy and Registrar components using the guided activity.
After you create a cluster of IBM Lotus Sametime Media Manager SIP Proxy and
Registrar components, you must enable memory-to-memory replication among the
cluster members to ensure that the cluster operates properly.
Complete this task on every member of the SIP Proxy and Registrar cluster.
Note: One replication domain is created by the installer, using the same name as
the SIP Proxy and Registrar cluster. You need to map servers in the cluster to this
replication domain. The number of replicas that you configure in the replication
domain affects the performance of your configuration; if you have more than two
servers in the cluster, you should create separate replication domains for each pair
of servers.
1. On the first 2 servers of your cluster, map the servers to the replication domain
as follows:
a. On the Deployment Manager (the Lotus Sametime System Console), log in
to the IBM WebSphere Integrated Solutions Console as the WebSphere
administrator.
b. Click Servers → Server Types → Websphere application servers.
c. In the ″Application Server″ table, click the cluster member’s name to display
the ″Configuration″ page.
d. Under ″Container Settings,″ click ″SIP Container Settings″ and then click the
SIP container link.
e. In the SIP container settings, look under ″Additional Properties″ and click
the Session management link.
f. In the Session management settings, look under ″Additional Properties″ and
click the Distributed environment settings link.
g. In the Distributed environment settings, look under ″General Properties″
and click the link labelled Memory-to-memory replication.
Do not click the selector to choose this option – click the link itself so you
can modify the option’s settings.
h. In the Memory-to-memory replication settings, look under ″General
Properties″ and set the * Replication domain setting to be the SIP Proxy
and Registrar cluster.
i. In the ″Replication Mode″ field, click Both client and server.
j. Click Apply, and then click OK.
k. Save your changes by clicking the Save link in the ″Messages″ box at the
top of the page.
l. Back in the Distributed environment settings, look under ″General
Properties″ and verify that the Memory-to-memory replication option is
now selected.
m. Return to the Integrated Solutions Console navigation pane and select
Environment → Replication Domain → cluster_name.
n. In the Configuration page, look under ″Additional Properties″ and verify
that the ″Replication Domain Members″ list includes the following item:
SessionManager:cluster_member_name (the cluster member’s name from
substep c).
o. Complete this set of substeps for both servers.
Note: For performance reasons, you should not map more than two servers
to this replication domain.
Note: For performance reasons, you should not map more than two servers to
each replication domain.
a. On the Deployment Manager (the Lotus Sametime System Console), log in
to the IBM WebSphere Integrated Solutions Console as the WebSphere
administrator.
b. Click Servers → Server Types → Websphere application servers.
c. In the ″Application Server″ table, click the cluster member’s name to display
the ″Configuration″ page.
d. Under ″Container Settings,″ click ″SIP Container Settings″ and then click the
SIP container link.
e. In the SIP container settings, look under ″Additional Properties″ and click
the Session management link.
f. In the Session management settings, look under ″Additional Properties″ and
click the Distributed environment settings link.
g. In the Distributed environment settings, look under ″General Properties″
and click the link labelled Memory-to-memory replication.
Do not click the selector to choose this option – click the link itself so you
can modify the option’s settings.
h. In the Memory-to-memory replication settings, look under ″General
Properties″ and set the * Replication domain setting to be the newly
created domain.
i. In the ″Replication Mode″ field, click Both client and server.
j. Click Apply, and then click OK.
k. Save your changes by clicking the Save link in the ″Messages″ box at the
top of the page.
l. Back in the Distributed environment settings, look under ″General
Properties″ and verify that the Memory-to-memory replication option is
now selected.
m. Return to the Integrated Solutions Console navigation pane and select
Environment → Replication Domain → newly_created_domain.
Creating object cache instances for the SIP Proxy and Registrar:
Create an object cache for the IBM Lotus Media Manager SIP Proxy and Registrar;
this cache will be available to all cluster members.
Add a path to the IBM Lotus Sametime Media Manager SIP Proxy and Registrar’s
ProxyRegCommon-8.5.jar file to make it available to the cluster’s Deployment
Manager.
The SIP Proxy and Registrar component provides a JMX interface. On the cluster’s
Deployment Manager, copy the ProxyRegCommon-8.5.jar file to a location that is
visible to the Deployment Manager. Then define a JVM custom property called
ws.ext.dirs that points to this location. Defining a path for ws.ext.dirs enables
the ProxyRegCommon-8.5.jar file to be properly loaded by the root class path
loader.
1. Log in to the Deployment Manager’s (the Lotus Sametime System Console)
Integrated Solutions Console as the WebSphere administrator.
2. Click System administration → Deployment manager to display the
″Configuration″ page.
3. Under ″Server Infrastructure″, expand Java Process Management, and then
click Process definitions.
Add a path to the IBM Lotus Sametime Media Manager SIP Proxy and Registrar’s
ProxyRegCommon-8.5.jar file to make it available to all nodes in the cluster.
The SIP Proxy and Registrar component provides a JMX interface. Copy the
ProxyRegCommon-8.5.jar file to a location that is to visible to all node agents in the
cluster. Then define a JVM custom property called ws.ext.dirs that points to this
location. Defining a path for ws.ext.dirs enables the ProxyRegCommon-8.5.jar file
to be properly loaded by the root class path loader.
Do this for every node in the SIP Proxy and Registrar cluster.
1. Log in to the Deployment Manager’s (the Lotus Sametime System Console)
Integrated Solutions Console as the WebSphere administrator.
2. Click System administration → Node agents.
3. In the table listing the node agents, click the link representing a SIP Proxy and
Registrar node to display its ″Configuration″ page.
4. Under ″Server Infrastructure″, expand Java Process Management, and then
click Process definitions.
5. Under ″Additional Properties″, click Java Virtual Machine.
6. Under ″Additional Properties″, click Custom Properties.
7. In the table listing the custom properties, click the New button.
8. Create a new entry named ws.ext.dirs; the value is the path to the location
where the ProxyRegCommon-8.5.jar file is stored.
9. Click OK to save the new custom property.
10. Repeat this process for every node in the SIP Proxy and Registrar cluster.
Each member of a cluster has some ports defined at the server scope. Once the
members are added to the cluster, those ports are no longer needed and should be
removed.
1. Log in to the Deployment Manager’s (the Lotus Sametime System Console)
Integrated Solutions Console as the WebSphere administrator.
2. Click Servers → Server Types → Websphere application servers →
cluster_member_name.
3. In the ″Application Servers″ table, click the name of a cluster member.
This displays the server’s ″Configuration″ page.
Increasing the heap size for a clustered SIP Proxy and Registrar component:
If you installed the IBM Lotus Sametime Media Manager using either the Primary
Node or Secondary Node option to create a clustered server, increase the
maximum heap size for the SIP Proxy and Registrar component.
Install and cluster two or more Lotus Sametime Media Manager SIP Proxy and
Registrar components. Then complete this task for every cluster member.
Typically, the total value of all server instance JVM heap sizes on a specific node
must be less than half of the total RAM of that computer.
1. Log in to the SIP Proxy and Registrar’s Integrated Solutions Console as the
WebSphere administrator.
2. Click Servers → Server Types → WebSphere application servers → .
3. Click a server name to display the ″Configuration″ page for the server.
4. In the Server Infrastructure section, click Java and process management, and
then click Process definition.
5. Under ″Additional Properties″ click Java virtual machine.
6. Under ″General Properties″ specify the heap size settings as follows:
Table 2. Heap settings for the SIP Proxy and Registrar
Initial heap size 256
Maximum heap size 1024
7. In the Generic JVM arguments field, type the following information exactly as
shown:
-Xverbosegclog:${SERVER_LOG_ROOT}/gc.log,1,14000
When you use the Lotus Sametime System Console as the Deployment Manager
for a cluster of Conference Manager or SIP Proxy and Registrar components, the
″Use available authentication data when an unprotected URI is accessed″ setting is
enabled on the console to satisfy a requirement of the Lotus Sametime Meeting
Server. As a result, the SIP Container requires authentication even though the
Media Manager’s SIP applications are not configured with security constrains. All
incoming SIP messages without credentials are rejected with a ″401 Not
Authorized″ response.
To prevent this problem, create a custom property that disables the ″Digest TAI on
SIP Container″ setting for every cluster member.
1. Log in to the Deployment Manager’s (the Lotus Sametime System Console)
Integrated Solutions Console as the IBM WebSphere administrator.
2. Click Servers → Server Types → Websphere application servers.
3. In the ″Application Servers″ table, click the name of a cluster member.
4. Under ″Container settings″ click SIP Container settings → SIP Container.
5. Under ″Additional Properties″ click Custom properties.
6. Click New.
7. In the Name field, enter com.ibm.ws.sip.security.enable.digest.tai exactly
as shown here.
8. In the Value field, enter false.
9. Click the OK button
10. Save your changes by clicking the Save link in the ″Messages″ box at the top
of the page.
11. Repeat this process for every cluster member.
Use the IBM Lotus Sametime System Console to start each of the application
servers in the cluster.
1. Log in to the Deployment Manager’s (the Lotus Sametime System Console)
Integrated Solutions Console as the WebSphere administrator.
2. Click Servers → Server types → WebSphere application servers in the
navigation tree.
3. Select the application server’s check box and click Start.
The status column changes to show that the application server is running.
4. Repeat for every application server in the cluster.
Note: If you created a vertical cluster, you will need to start all of the
application servers on every node.
This task is required to ensure that the servers can be federated to the Deployment
Manager during creation of the cluster. Working on the Lotus Sametime System
Console, complete this task for every server that you will add to the cluster.
For each server that will be added to the cluster, set the system clock to exactly the
same time as the Deployment Manager’s (the Lotus Sametime System Console)
system clock.
Use the IBM Lotus Sametime System Console to create a cluster of Lotus Sametime
Servers hosted on IBM WebSphere Application Server. The Lotus Sametime servers
must all be running the same type of server; for example, Lotus Sametime Meeting
Server, Lotus Sametime Proxy Server, Lotus Sametime Media Manager Conference
Manager, or Lotus Sametime Media Manager SIP Proxy and Registrar.
Start the Lotus Sametime System Console and the servers you intend to cluster.
Note: This guided activity is only for Lotus Sametime servers hosted on IBM
WebSphere Application Server, and does not apply to the Lotus Sametime
Community Server.
If you have not already opened the Cluster WebSphere Application Servers guided
activity, follow these steps:
This guided activity takes you through the steps for clustering IBM Lotus
Sametime servers hosted on IBM WebSphere Application Server. The servers you
add to the cluster must all be running the same Lotus Sametime product
application; for example, Lotus Sametime Meeting Server, Lotus Sametime Proxy
Server, Lotus Sametime Media Manager Conference Manager, or Lotus Sametime
Media Manager SIP Proxy and Registrar.
Install the Lotus Sametime System Console and two or more Lotus Sametime
servers of the same product type; then start the Lotus Sametime System Console
and all of the servers you plan to cluster.
Note that you cannot use this activity to cluster Lotus Sametime Community
Servers (see ″Clustering Lotus Sametime Community Servers″) or Lotus Sametime
Gateway servers (see ″Installing Lotus Sametime Gateway servers in a cluster″).
Attention: If you are creating a cluster of Lotus Sametime Proxy Servers, make
sure that you have set the location for the application binaries on the Primary
Node (explained in ″Preparing the Primary Node″) before you proceed.
Note: Make sure that the Primary Node’s application server is running.
This action allows the Primary Node to be administered from the
Deployment Manager’s Integrated Services Console. The federation and
clustering processes are very complex and may take 5-10 minutes to
Configure an IBM WebSphere proxy server to perform routing and caching tasks
for a cluster of IBM Lotus Sametime servers running on WebSphere Application
Server.
Use these instructions to configure a WebSphere proxy server that operates with
the following Lotus Sametime server clusters:
v Meeting Server
v Conference Manager
v SIP Proxy and Registrar
A cluster of Lotus Sametime servers that run on WebSphere Application Server can
use a WebSphere proxy server to manage routing and caching tasks. To ensure
redundancy in the case of a proxy server failure, you may want to configure
multiple proxy servers for the cluster. You can host a WebSphere proxy server on
any node in the cluster (except the Lotus Sametime System Console) but because it
uses a lot of system resources, you may want to host it on its own computer.
Complete the configuration for clustering IBM Lotus Sametime Media Manager
Conference Manager components using an IBM WebSphere Application Server
network deployment.
After the Conference Manager cluster has been created, remove all of the existing
McuEntryCache instances and create a new one at the cluster scope.
The McuEntryCache object instance is required at the cluster scope so that all
cluster members can access the list of Packet Switchers which are registered with
the cluster. You need to remove the existing McuEntryCache from all scopes and
create a new one at the cluster scope.
1. Log in to the Deployment Manager’s (the Lotus Sametime System Console)
Integrated Solutions Console as the WebSphere administrator.
2. Click Resources → Cache Instances → Object Cache Instances.
3. Make sure that All scopes is selected.
4. In the table, click the box next to every occurrence of McuEntryCache, and then
click the Delete button at the top of the table.
5. Click OK.
6. Next, create an McuEntryCache object at the cluster’s scope:
a. In the All scopes list, select the Conference Manager cluster scope.
b. In the table, click the New button at the top of the table.
c. Fill in the following information for the new cache object:
Name McuEntryCache
JNDI name services/cache/mcu_map
Cache size 20000
″Consistency settings″ Select this option
Enable cache replication
Full group replication domain Select the domain name
Replication type Select Push only
Push frequency 1
7. Click OK.
8. Save your changes by clicking the Save link in the ″Messages″ box at the top of
the page.
Each member of a cluster has some ports defined at the server scope. Once the
members are added to the cluster, those ports are no longer needed and should be
removed.
1. Log in to the Deployment Manager’s (the Lotus Sametime System Console)
Integrated Solutions Console as the WebSphere administrator.
After creating a cluster, add the SIP ports of each cluster member to the virtual
host alias.
Tip: Print this page and use the table to record the port settings as you look them
up in steps 1 and 2:
Table 3. Write down the port numbers used for these settings in every cluster member
SOAP_
WC_ CONNECTOR_ SIP_ SIP_DEFAULTHOST_ PROXY_SIP_ PROXY_SIPS_
defaulthost ADDRESS DEFAULTHOST SECURE ADDRESS ADDRESS
Cluster member 1
Cluster member 2
Cluster member 3
Cluster member 4
Cluster member 5
When you use the Lotus Sametime System Console as the Deployment Manager
for a cluster of Conference Manager or SIP Proxy and Registrar components, the
″Use available authentication data when an unprotected URI is accessed″ setting is
enabled on the console to satisfy a requirement of the Lotus Sametime Meeting
Server. As a result, the SIP Container requires authentication even though the
Media Manager’s SIP applications are not configured with security constrains. All
incoming SIP messages without credentials are rejected with a ″401 Not
Authorized″ response.
To prevent this problem, create a custom property that disables the ″Digest TAI on
SIP Container″ setting for every cluster member.
1. Log in to the Deployment Manager’s (the Lotus Sametime System Console)
Integrated Solutions Console as the IBM WebSphere administrator.
2. Click Servers → Server Types → Websphere application servers.
3. In the ″Application Servers″ table, click the name of a cluster member.
4. Under ″Container settings″ click SIP Container settings → SIP Container.
5. Under ″Additional Properties″ click Custom properties.
6. Click New.
7. In the Name field, enter com.ibm.ws.sip.security.enable.digest.tai exactly
as shown here.
8. In the Value field, enter false.
9. Click the OK button
10. Save your changes by clicking the Save link in the ″Messages″ box at the top
of the page.
11. Repeat this process for every cluster member.
Configuring the Conference Manager cluster to use the SIP Proxy and Registrar cluster:
After you create clusters of IBM Lotus Sametime Media Manager Conference
Manager components and SIP Proxy and Registrar components, configure the
Conference Manager cluster to work with the IBM WebSphere proxy server that is
used by the SIP Proxy and Registrar cluster.
Create and configure the Conference Manager and SIP Proxy and Registrar
clusters.
Option Description
SIPProxyServerHost Use the host name of the computer where
the WebSphere proxy server is installed for
the SIP Proxy and Registrar cluster.
SIPProxyServerPort Use the PROXY_SIP_ADDRESS port value
of the same WebSphere proxy server (used
by the SIP Proxy and Registrar cluster).
For example:
<configuration lastUpdated="1226425838277" name="SIPProxyServerHost"
value="wasproxy_pr.acme.com"/>
<configuration lastUpdated="1226425838277" name="SIPProxyServerPort" value="5080"/>
3. Save and close the file.
4. Repeat for every Conference Manager in the cluster.
5. Now synchronize all nodes in the cluster:
a. In the Deployment Manager’s (the Lotus Sametime System Console)
Integrated Solutions Console, click System Administration → Nodes.
b. Click Full Resynchronize.
During cluster configuration, each node’s application server was stopped so that
the node could be federated. Start all of the application servers now.
Use the IBM Lotus Sametime System Console to start each of the application
servers in the cluster.
1. Log in to the Deployment Manager’s (the Lotus Sametime System Console)
Integrated Solutions Console as the WebSphere administrator.
2. Click Servers → Server types → WebSphere application servers in the
navigation tree.
3. Select the application server’s check box and click Start.
The status column changes to show that the application server is running.
4. Repeat for every application server in the cluster.
Note: If you created a vertical cluster, you will need to start all of the
application servers on every node.
Configuring the Packet Switcher to access the cluster’s WebSphere proxy server:
After you create clusters of IBM Lotus Sametime Media Manager Conference
Manager and SIP Proxy and Registrar components, configure the Packet Switcher
component to communicate with the cluster through the IBM WebSphere proxy
server.
Install the Lotus Media Manager Packet Switcher component and start the server.
Create and configure the Conference Manager and SIP Proxy and Registrar
clusters.
Option Description
ConferenceServerHost Use the host name of the computer where
the WebSphere proxy server is installed for
the Conference Manager cluster.
ConferenceServerPort Use the PROXY_SIP_ADDRESS port value
of the same WebSphere proxy server (used
by the Conference Manager cluster).
For example:
<configuration lastUpdated="1226425838277" name="ConferenceServerHost"
value="wasproxy_cf.acme.com"/>
<configuration lastUpdated="1226425838277" name="ConferenceServerPort" value="5062"/>
<configuration lastUpdated="1226425838277" name="SIPProxyServerHost"
value="wasproxy_pr.acme.com"/>
<configuration lastUpdated="1226425838277" name="SIPProxyServerPort" value="5080"/>
3. Save and close the file.
4. (Optional) Synchronize all nodes in the Deployment Manager that manages the
Packet Switcher:
This step is not needed if the Packet Switcher was installed using the Network
Deployment → Primary Node option.
a. In the Deployment Manager’s Integrated Solutions Console, click System
Administration → Nodes.
b. Click Full Resynchronize.
5. Restart the Packet Switcher.
Create a cluster of SIP Proxy and Registrar components and a cluster of Conference
Manager components.
This task is only needed when the following conditions are true:
v Both the SIP Proxy and Registrar components and the Conference Manager
components are clustered.
v The Lotus Sametime System Console is serving as the Deployment Manager for
both clusters.
You will map the SIP Proxy application and the SIP Registrar application to the SIP
Proxy and Registrar cluster; then you will map the Conference Focus application to
the Conference Manager cluster.
1. Map the SIP Proxy application module to the SIP Proxy and Registrar cluster.
a. Log in to the Deployment Manager’s (the Lotus Sametime System Console)
Integrated Solutions Console as the IBM WebSphere administrator.
b. Click Applications → Application Types → Websphere enterprise
applications.
The Lotus Sametime Meeting Server uses the file system on the server to store and
convert documents and presentations to slides. This section shows you how to
configure the server for document conversion technology.
Note: There are no special configuration steps for using document conversion
technology on Windows servers.
Note: The GDFONTPATH variable must not contain a ’:’ in the beginning. The
only value that should be set here is the path to the fonts. Do not append
anything before or after.
Note: The GDFONTPATH variable must not contain a ’:’ in the beginning. The
only value that should be set here is the path to the fonts. Do not append
anything before or after.
3. If you cannot obtain suitable fonts for the GDFONTPATH option, you may set
up an X Virtual Frame Buffer for conversion. Xvfb is already installed on
Solaris 9 in /usr/openwin/bin. Solaris 8 users must obtain a separate
implementation of Xvfb.
a. Log in from a terminal shell as the root user and run the following
command:
/usr/openwin/bin/Xvfb :1 -screen 0 1280x1024x8 &
You can assign any number except 0 in place of the number 1 in the above
example. This is the display number you wish to have associated with this
instance of the XVFB. You might get a ″No such file or directory″ message.
This is normal.
b. Verify that the VFB is running properly by entering the following command:
ps -ef | grep vfb
Note: To check whether the XVFB server is running, use this command:
WRKACTJOB JOB(QSTXVFB*).
The environment variables must be set when the Lotus Sametime Meeting
Server starts. The XVFB server must be running for file conversions to occur. If
the Lotus Sametime Meeting Server was already running during this setup,
then the Lotus Sametime Meeting Server must be restarted before files will be
converted
The default IBM Lotus Sametime Meeting Server installation maps all users to the
administrator role, which allows all users to see meeting statistics. Meeting
statistics will show all meeting rooms, including those that are hidden. Map the
administrator role to a subset of users that are allowed to see meeting statistics for
all rooms.
1. Log in the Integrated Solutions Console.
2. Click Applications → Application Types → WebSphere enterprise applications.
3. Click the Lotus Sametime Meeting Server.
4. Under Detailed Properties, click Security role to user/group mapping
5. To map the administrator role to a select set of users or groups, follow these
steps:
a. Select the administrator role, and click Map Users... or Map Groups....
b. Select the name of the user or group and click the right arrow.
c. Click OK.
6. To remove all authenticated users from the administrators role, follow these
steps:
a. Select the administrator role.
b. Click Map Special Subjects.
c. Select none.
d. Click OK.
Before you can configure a cluster of Lotus Sametime Meeting Servers, you must
have installed the following servers:
1. The Lotus Sametime System Console
This server will function as the cluster’s Deployment Manager; the console can
function as the Deployment Manager for multiple clusters.
2. (Optional) Lotus Sametime Community Servers
At least one Lotus Sametime Community Server must be deployed if you want
to provide presence and awareness for users attending online meetings.
3. One Lotus Sametime Meeting Server installed with the Network Deployment →
Primary Node option.
There are several tasks involved in creating a cluster; complete them in the
sequence shown here:
This task is required to ensure that the servers can be federated to the Deployment
Manager during creation of the cluster. Working on the Lotus Sametime System
Console, complete this task for every server that you will add to the cluster.
For each server that will be added to the cluster, set the system clock to exactly the
same time as the Deployment Manager’s (the Lotus Sametime System Console)
system clock.
Start the Lotus Sametime System Console and the servers you intend to cluster.
Note: This guided activity is only for Lotus Sametime servers hosted on IBM
WebSphere Application Server, and does not apply to the Lotus Sametime
Community Server.
If you have not already opened the Cluster WebSphere Application Servers guided
activity, follow these steps:
1. From a browser, enter the following URL, replacing serverhostname.domain with
the fully qualified domain name of the Lotus Sametime System Console server.
http://serverhostname.domain:8700/ibm/console
2. Enter the WebSphere Application Server User ID and password that you
created when you installed the Lotus Sametime System Console.
3. Click the Sametime System Console task to open it in the navigation tree.
4. Click Guided Activities → Cluster WebSphere Application Servers.
This guided activity takes you through the steps for clustering IBM Lotus
Sametime servers hosted on IBM WebSphere Application Server. The servers you
add to the cluster must all be running the same Lotus Sametime product
application; for example, Lotus Sametime Meeting Server, Lotus Sametime Proxy
Server, Lotus Sametime Media Manager Conference Manager, or Lotus Sametime
Media Manager SIP Proxy and Registrar.
Install the Lotus Sametime System Console and two or more Lotus Sametime
servers of the same product type; then start the Lotus Sametime System Console
and all of the servers you plan to cluster.
Note that you cannot use this activity to cluster Lotus Sametime Community
Servers (see ″Clustering Lotus Sametime Community Servers″) or Lotus Sametime
Gateway servers (see ″Installing Lotus Sametime Gateway servers in a cluster″).
Attention: If you are creating a cluster of Lotus Sametime Proxy Servers, make
sure that you have set the location for the application binaries on the Primary
Node (explained in ″Preparing the Primary Node″) before you proceed.
These instructions assume that you will use the Lotus Sametime System Console as
the cluster’s Deployment Manager, which provides a single Integrated Solutions
Console for all WebSphere administrative functions for all servers participating in
the cell – this simplifies the administrative experience.
1. Cluster WebSphere Application Servers.
Click Next to begin the clustering activity.
2. Select Product to Cluster.
Select the product server to cluster, and then click Next.
The list only displays Lotus Sametime products for which one or more servers
have been installed and registered with the Lotus Sametime System Console. If
you installed servers using deployment plans, they are registered with the
console automatically. If you did not use a deployment plan, you must
manually register the servers with the console before proceeding (see
″Registering servers with the Lotus Sametime System Console″).
3. Select or Create a Cluster.
To create a new cluster:
a. Click Create Cluster.
b. Type a descriptive name for the cluster in the Cluster Name field.
For example, if you are creating a cluster of Lotus Sametime Meeting
Servers, you will probably want to indicate that in the cluster name so you
can easily identify it later.
c. Click Next.
To modify an existing cluster; for example, to add a new cluster member:
a. Click Select Existing Cluster.
b. Select a cluster in the Cluster Name list.
If you are going to add a node or cluster member to the cluster, you must
use the same Lotus Sametime product. For example, you cannot add a
Lotus Sametime Meeting Server cluster member to a cluster of Lotus
Sametime Proxy Servers.
c. Click Next.
4. Select the Deployment Manager.
In the Select Deployment Manager list, select the Lotus Sametime System
Console as the cluster’s deployment manager, and then click Next.
Every cluster must have exactly one Deployment Manager; the Lotus Sametime
System Console can function as the Deployment Manager for multiple clusters.
5. Select the Primary Node.
a. In the Select Primary Node list, select the server that will serve as the
cluster’s primary node.
Every cluster must have exactly one Primary Node, the application server
that will function as a template for the cluster member servers. All
Secondary Nodes and Cluster Members will be created by duplicating the
application server hosted on the Primary Node.
Note: Make sure that the Primary Node’s application server is running.
This action allows the Primary Node to be administered from the
Deployment Manager’s Integrated Services Console. The federation and
clustering processes are very complex and may take 5-10 minutes to
complete. Please be patient; click these buttons only once and then wait for
the page to finish loading before continuing.
If the federate primary node action completed and the Create cluster button
is not enabled, or the federate primary node returned an error, wait 3-5
minutes and retry the operation by clicking the Federate Node button
again. If this operation continues to fail, it may be necessary to restart the
Deployment Manager and Primary Node and then click the Federate Node
button again to continue the guided activity.
c. Click the Create cluster button to configure the cluster settings, and then
click Next.
Do not click anywhere on the browser until the operation completes or it
may interrupt the clustering process.
6. Select One or More Secondary Nodes.
If you are creating a horizontal cluster where each node is hosted on a separate
computer, add one or more secondary nodes to the cluster. Be sure to federate
each selected node before proceeding to select another.
a. In the Secondary Node Name list, click the node you want to add to the
cluster.
You can add only one node at a time, and you must federate it before
selecting the next node. If a node’s Status indicates ″Federated″ it already
belongs to a cluster (either this cluster or a different one) and cannot be
added now.
b. Click the Federate Node button to provide the Deployment Manager with
configuration information about the new node.
Once the connection is complete, the node’s Status displays ″Federated″ –
this may take some time, but do not proceed until the node has been
successfully federated.
If the federate node action completed and the Secondary Node’s status has
not changed to ″Federated″ or the federate node returned an error, wait 3-5
minutes and then retry the operation by clicking the Federate Node button
again. If this operation continues to fail, it may be necessary to restart the
Deployment Manager and secondary node and then click the Federate
Node button again to continue this guided activity.
c. Repeat steps a. and b. until you have added all your Secondary Nodes to
the cluster.
d. Click Next.
7. Add Cluster Members.
If you are creating a vertical cluster where multiple copies of the application
are hosted on a single computer, add one or more ″cluster members″ to the
Primary Node. If you are creating a horizontal cluster, add one cluster member
to each of the secondary nodes you federated in the previous step.
The table lists Cluster Members, the Node that the cluster resides on, and the
Status of each cluster member. Each node in the cluster needs to have at least
one cluster member created on it for it for the node to be used in the cluster.
The status of a Cluster Member will be ″Clustered″ if the cluster member has
Create a cluster of Lotus Sametime Meeting Servers using the guided activity,
synchronize the nodes in the cluster, and start all of the application servers.
During cluster configuration, each node’s application server was stopped so that
the node could be federated. Start all of the application servers now.
Use the IBM Lotus Sametime System Console to start each of the application
servers in the cluster.
1. Log in to the Deployment Manager’s (the Lotus Sametime System Console)
Integrated Solutions Console as the WebSphere administrator.
2. Click Servers → Server types → WebSphere application servers in the
navigation tree.
3. Select the application server’s check box and click Start.
The status column changes to show that the application server is running.
4. Repeat for every application server in the cluster.
Note: If you created a vertical cluster, you will need to start all of the
application servers on every node.
Delete the default topic space assigned to a cluster to prevent messages directed to
a specific cluster member appearing for every cluster member.
A topic space publishes messages that subscriber processes can receive. When you
create a cluster, the cluster as a whole is assigned to the default topic space, which
publishes messages for all cluster members. This can cause confusion when an
error is reported against a particular cluster member and yet shows up in the logs
for all of the other cluster members as well. Delete the cluster-wide topic space by
completing the following steps:
1. Log in to the Deployment Manager’s (the Lotus Sametime System Console)
Integrated Solutions Console as the WebSphere administrator.
2. Click Resources → JMS → Topics.
3. In the table listing the topics, locate the topic whose ″Scope″ is set to:
Cluster=cluster_name where cluster_name is the name of the cluster you are
configuring.
4. Click the box next to the topic’s name to select it.
The topic space is deleted along with the topic.
5. Click the Delete button at the top of the table, and then confirm the deletion.
What to do next
In the next task, you will create a separate topic space for each cluster member,
where that cluster member can subscribe to receive only messages intended for it.
Create a topic space for each cluster member so it can subscribe to receive only its
own messages.
A topic space publishes messages that subscriber processes can receive. Create a
new topic space for each cluster member, where it can subscribe to receive only its
own messages. This is less confusing than using a single, cluster-wise topic space
that publishes all messages to all cluster members.
1. Log in to the Deployment Manager’s (the Lotus Sametime System Console)
Integrated Solutions Console as the WebSphere administrator.
2. Click Resources → JMS → Topics.
3. In the ″All scopes″ list, select the scope corresponding to a cluster member.
4. In the table listing the topics, click the topic representing the same cluster
member.
The topic name is a link, which displays a page where you define settings for
the topic.
5. In the ″Connection″ section of the page, click in the Topic space field and select
Create service bus integration destination.
This launches a wizard that creates the new topic space.
6. In the ″Create a new topic space″ dialog box, type a descriptive name for the
new topic space, and then click Next.
For example, the name could consist of the cluster member’s name with
″topicspace″ appended.
7. Click Finish to create the new topic space.
8. Click OK and save your changes by clicking the Save link in the ″Messages″
box at the top of the page.
9. Repeat this process for each topic (cluster member) listed in the table.
Add all of the nodes in the cluster to the same service integration bus to support
messaging.
Add each cluster member to the meeting_server_bus topology so they can share
messaging. The cluster’s Primary Node is added to the bus by default; you must
add all additional cluster members manually.
1. Log in to the Deployment Manager’s (the Lotus Sametime System Console)
Integrated Solutions Console as the WebSphere administrator.
2. Click Service integration → Buses.
3. In the buses table, click meeting_service_bus.
4. Click the Local Topology tab.
5. Expand the bus and click Add.
The ″Add a new bus member″ wizard launches.
6. In the ″Add a new bus member″ dialog box, click the Server option, select a
cluster member on that server, and then click Next.
7. In the next dialog box, click File Store, and then click Next.
8. In the next dialog box, click Next to accept the default file store settings.
9. In the ″Tune performance parameters″ dialog box, click Next to accept the
default tuning settings.
Results
When you have finished, all cluster members will appear in the bus topology
diagram.
Use these instructions to configure a WebSphere proxy server that operates with
the following Lotus Sametime server clusters:
v Meeting Server
v Conference Manager
v SIP Proxy and Registrar
A cluster of Lotus Sametime servers that run on WebSphere Application Server can
use a WebSphere proxy server to manage routing and caching tasks. To ensure
redundancy in the case of a proxy server failure, you may want to configure
multiple proxy servers for the cluster. You can host a WebSphere proxy server on
any node in the cluster (except the Lotus Sametime System Console) but because it
uses a lot of system resources, you may want to host it on its own computer.
1. Log in to the Deployment Manager’s (the Lotus Sametime System Console)
Integrated Solutions Console as the WebSphere administrator.
2. In the navigation tree, click Servers → Server Types → WebSphere proxy
servers.
3. In the proxy servers table, click the New button at the top of the table.
4. In the ″Create a new proxy server entry″ dialog box, do the following:
a. In the ″Select a node″ box, select the node that will host the WebSphere
proxy server.
Be sure to select a node that belongs to the appropriate cluster.
b. Type a name for the new proxy server; for example ″was_proxy1″, and then
click Next.
c. In the ″Specify server specific properties″ box, select the appropriate
″Support protocol″ settings for your cluster, select Generate unique ports,
and then click Next.
v If you are configuring this WebSphere proxy server for a Meeting Server
cluster: deselect the SIP protocol.
v If you are configuring this WebSphere proxy server for a SIP Proxy and
Registrar cluster: accept both HTTP and SIP protocols.
Configure a WebSphere proxy server for use with a cluster of Lotus Sametime
Meeting Servers or Lotus Sametime Proxy Servers, and then start the WebSphere
proxy server.
The WebSphere proxy server does not cache application server dynamic content by
default; you can optionally enable caching by completing these steps.
1. Log in to the Deployment Manager’s (the Lotus Sametime System Console)
Integrated Solutions Console as the WebSphere administrator.
2. Click Server Types → WebSphere Proxy Servers.
3. In the ″WebSphere Proxy Servers″ dialog box, select the proxy you would like
to enable dynamic caching on.
4. On the ″Configuration″ page, expand HTTP Proxy Server Settings and under
it, click Proxy Settings.
5. On the ″Proxy Settings″ page, locate the ″Caching section″ and do the
following:
a. Click Enable Caching.
b. Select a cache from the ″Cache instance name″ list.
c. Click Cache Dynamic Content.
d. Accept the default ″Cache update URI″ value.
e. Click OK.
174 Lotus Sametime: Installation and Administration Guide Part 2
6. Synchronize all nodes in the cluster:
a. Back in the Integrated Solution Console’s navigation tree, click System
Administration → Nodes.
b. Select all of the nodes in the cluster.
c. Click Full Resynchronize.
Create an object cache for the IBM WebSphere proxy server so it can track which
server hosts each online meeting.
Add one or more WebSphere proxy servers that will operate with a cluster of IBM
Lotus Sametime Meeting Servers.
The WebSphere proxy server requires an object cache in which to store information
tracking which online meetings are hosted on which Lotus Sametime Meeting
Servers.
1. Log in to the Deployment Manager’s (the Lotus Sametime System Console)
Integrated Solutions Console as the WebSphere administrator.
2. Click Resources → Cache Instances → Object Cache Instances.
3. Click in the Scope field and select a WebSphere proxy server that will be used
by the cluster of Lotus Sametime Meeting Servers.
4. Click New.
This launches a wizard to create the new object cache.
5. In the ″New Object Cache″ dialog box, click in the Name field and type a
descriptive name for the new cache; for example ″Wasproxy1_Id_Cache″.
6. In the JNDI Name field, type proxy/rtc4web_id_cache exactly as shown.
7. Click OK to complete the wizard.
8. Save your changes to the master configuration by clicking the Save button
when prompted.
9. Repeat this process for each WebSphere proxy server used by the cluster.
Add a path to the IBM WebSphere proxy server’s class path loader to enable the
IBM Lotus Sametime routing filters to be loaded correctly for a cluster.
Configure one or more WebSphere proxy servers to operate with the cluster of
Lotus Sametime servers.
Defining a path for ″ws.ext.dirs″ enables the Lotus Sametime routing filters to be
properly loaded by the root class path loader.
1. Log in to the Deployment Manager’s (the Lotus Sametime System Console)
Integrated Solutions Console as the WebSphere administrator.
This section contains procedures for tuning a WebSphere proxy server that is used
by a cluster of IBM Lotus Sametime servers running on WebSphere Application
Server.
Note that this section is not referring to the SIP Proxy, but rather to a WebSphere
proxy server.
You can disable the read-ahead mechanism on the IBM WebSphere proxy server to
resolves a HIGH CPU issue that occurs when terminating connections with
read-ahead enabled.
1. Log in to the Integrated Services Console.
2. Click Servers → Server Types → WebSphere proxy servers.
3. In the table listing the WebSphere proxy servers, click the link representing the
proxy server you want to modify.
4. Under Proxy Settings, expand HTTP Proxy Server Settings.
5. Click Proxy settings.
6. Under Additional Properties, click Custom properties.
7. Click New to create a custom property.
8. Specify the Name of the new property as
http.connectionPoolReadAheadEnabled.
9. Set the Value of the new property to false.
10. Click New to create another custom property.
11. Specify the Name of the new property as
dynacache.extension.lookup_timeout_property.
12. Set the Value of the new property to 20000.
13. Click Apply, and then click Save.
A thread pool lets servers reuse threads instead of creating new threads at run
time.
1. Log in to the Integrated Services Console.
2. Click Servers → Server Types → WebSphere proxy servers .
3. In the table listing the WebSphere proxy servers, click the link representing the
proxy server you want to modify.
4. Under Additional Properties, click Thread pools.
5. Click Proxy.
6. Under General Properties,, make sure the Minimum Size and Maximum Size
are both set to 50 threads.
7. Click Apply, and then click Save.
Setting JVM verbose garbage collection and heap sizes on the Websphere proxy server:
In order to monitor IBM WebSphere Application Server JVM heap for specific
applications, enable the JVM verbose garbage collection logging for the WebSphere
Application Servers.
1. Log in to the Integrated Services Console.
2. Click Servers → Server Types → WebSphere proxy servers .
3. In the table listing the WebSphere proxy servers, click the link representing the
proxy server you want to modify.
4. Under Server Infrastructure, expand the Java and Process Management tree.
5. Click Process definition.
6. Under Additional properties, click Java Virtual Machine.
7. Under General Properties, make sure the Verbose garbage collection check
box is cleared.
8. Under General Properties, make sure the Minimum heap size is set to 256MB.
9. Under General Properties, make sure the Maximum heap size is set to 512MB.
10. Click Apply, and then click Save.
You can extend the HTTP persistent timeout on the IBM WebSphere proxy server
to stay connected longer.
The default rtc4web timeout value is 30 seconds. This is the default timeout for the
WebSphere proxy server persistent timeout setting, too. This can causes a rare
condition to occur where both sides of the connection can let go at the same time.
In order to minimize this conflict, extend the WebSphere proxy server HTTP
Persistent timeout to stay connected longer.
1. Log into Integrated Solutions Console on the server where the WebSphere
proxy server is configured .
In order to handle a large set of LDAP operations, the context pool between the
WebSphere Application Server and LDAP can be optimized by setting the
following items. This might also require an LDAP server optimization as well in
order to handle a large number of LOGIN/BIND requests simultaneously. This
particular setting only manages the pool between WebSphere Application Server
and LDAP. For LOGIN/BIND operations, this pool is bypassed and WebSphere
Application Server connects directly to LDAP. Make sure your LDAP server can
handle the volume of connections based on your login rate/profile.
1. Log in to the Integrated Services Console.
2. Click Security → Global security.
3. Click Configure... next to the Available realm definition, which is set to
Federated repositories.
4. Click your LDAP Repository Identifier link.
5. Under Additional Properties, click Performance.
6. Under General Properties Context Pool, leave the Initial size set to 1, set the
Preferred size to 20, and set the Maximum size to 200. Do not change any
other settings.
7. Click Apply, and then click Save.
Enabling traces and logs for the WebSphere proxy server used by a Meeting
Server cluster:
Enable traces and logs for an IBM WebSphere proxy server that is used with an
IBM Lotus Sametime Meeting Server cluster.
Note: The IBM Load Balancer is not available on IBM i, but you can deploy it on a
server running a different operating system for use with a Lotus Sametime
deployment hosted on IBM i.
IBM Load Balancer is not required for a Lotus Sametime clustered deployment;
you can use any load-balancing mechanism that supports HTTP session affinity so
that a user is repeatedly routed to the same server during a single session. IBM
Load Balancer is included in the Lotus Sametime package with the other IBM
WebSphere components.
1. Download IBM Load Balancer onto the server where you will install it:
a. Open this release’s Download document in the Lotus Sametime Download
document.
b. Locate the appropriate IBM WebSphere Edge server component in the
document’s listing, then download the packages labelled with the
corresponding part numbers to the system on which you are installing.
2. Navigate to the folder where you stored the downloaded files, locate the folder
for IBM Load Balancer, and start the installation program.
For instructions on installing IBM Load Balancer, see the Load Balancer for
IPv4 and IPv6 configuration guide.
3. After you have installed IBM Load Balancer, configure two static IP addresses
for it:
v Non-Forwarding Address: The NFA is the address of the server itself. It is
used for logging in and administering the load balancer.
v Cluster Address: This is the address by which clients and other servers will
access the cluster. It must be DNS-resolvable.
For example, suppose your cluster contains two nodes, and you configure an
IBM Load Balancer for the cluster. Your IP addresses will look like this:
Configure IBM Load Balancer for a cluster of IBM Lotus Sametime Meeting Servers
or Lotus Sametime Proxy Servers.
Install IBM Load Balancer and assign two status IP addresses to it. The server
selected for the Load Balancer installation must reside on the same LAN segment
as the nodes to be clustered.
Configure IBM Load balancer to support your cluster using MAC Address
rewriting. With this method, the load balancer receives a packet intended for the
cluster. It uses configured metrics to determine which node in the cluster should
process the message, and then sends the message back out to the network, routing
it to the appropriate node’s MAC address.
Each of the nodes in the cluster is configured with a loopback adapter; when the
packet is rewritten to the network, the appropriate node will receive and process
the packet.
1. Set up the loopback adapters on the cluster nodes:
On each of the nodes of the cluster, a loopback adapter must be added with the
IP address of the cluster. This step is different for each operating system. Refer
to the Load Balancer for IPv4 and IPv6 configuration guide for details.
2. Configure port settings on the cluster nodes so that IBM Load Balancer can
route the packets properly:
IBM Load Balancer requires every node in the cluster to use same port number
for both HTTP and HTTPS service (typically, port 80). If you have configured
your nodes to use unique port numbers, change them to the same port now.
Tip: When configuring the ports, you can use the wildcard * when specifying
the host name for the HTTP and HTTPS. This will listen on all interfaces
configured in the system, including the loopback adapter set up for the cluster.
3. On the load balancer server, configure load balancing for the cluster:
a. Open a command window on the load balancer server.
b. Start the load balancer’s Dispatcher process:
.
f. Add the cluster port:
dscontrol port add cluster's_fully_qualified_host_name@port
where cluster’s_fully_qualified_host_name:port is the fully qualified host name
that you assigned to the cluster when you installed the load balancer, with
the HTTP/HTTPS port appended to it (typically port 80); for example:
stms-cluster.acme.com@80
g. Add the nodes for which this server will balance workload:
dscontrol server add cluster_host@port@primary_node
dscontrol server add cluster_host@port@secondary_node
where:
.
i. Start the manager:
dscontrol manager start
j. Start the HTTP advisor for the port you are using (the port you specified in
the previous steps, typically port 80):
dscontrol advisor start http 80
k. Now you can stop the service:
dsserver stop
l. Close the command window.
4. Define server affinity with a ″sticky time″:
By default the Load Balancer will round-robin HTTP requests between the
cluster members, so that a single client may be routed to different cluster
members for subsequent requests rather than continuing to be routed to the
same cluster member. Since a client typically accesses an online meeting every
30-40 seconds during the session, you may want to enable server affinity for a
Lotus Sametime Meeting Server cluster so that the client continues to access the
same server during a single meeting.
The dispatcher component of IBM Load Balancer supports a configurable
″sticky time″. This means that the load balancer will remember which cluster
member a client was routed to; subsequent requests will ″stick to″ the same
server until the preset time expires. IBM recommends a ″sticky″ time
configuration of 60 seconds for a Lotus Sametime Meeting Server cluster or a
Lotus Sametime Proxy Server cluster.
a. Start IBM Load Balancer.
b. In the navigation tree, select the Executor (the load balancer’s
non-forwarding IP address, which appears under its host name).
c. Click Configuration Settings.
d. In ″Port-Specific Settings″, change the Default sticky-time settings from 0
to 60 second, and click Update Configuration.
e. Leave IBM Load Balancer open for the next step.
5. Save the load balancer settings:
a. In IBM Load Balancer, return to the navigation tree and right-click on the
host name of the load balancer you just configured (for example,
loadbal.acme.com).
Setting up TLS/SSL
Transport Layer Security (TLS) and Secure Sockets Later (SSL) provide encrypted
SIP communications between Lotus Sametime Gateway and the external instant
messaging communities such as AOL, Yahoo!, Office Communications Server, and
Lotus Sametime communities, but only if the other Lotus Sametime community
requires SSL. TLS/SSL also provides encrypted XMPP communications for XMPP
communities. The TLS/SSL protocols allow Lotus Sametime messages to
communicate across a network in a way designed to prevent eavesdropping,
tampering, and message forgery. Use these steps to set up SSL with a certificate
signed by a Certificate Authority and exchange trusted certificates with external
communities.
Messages that flow between Lotus Sametime Gateway and AOL Office
Communications Server, and Yahoo always require a TLS/SSL connection. Lotus
Sametime and XMPP communities may or may not require a TLS/SSL connection,
depending whether the external community requires a CA-signed certificate.
Google Talk does not work over TLS/SSL.
This section provides steps for a single Lotus Sametime Gateway server or cluster
of Lotus Sametime Gateway servers. In addition, this section provides steps
needed to set up SSL on a Sametime 6.5.1 or later server in an external community.
You can provide these steps as a courtesy to an external community or refer them
to the Lotus Sametime Standard help in this information center.
SSL can encrypt sensitive information for SIP and XMPP communications, and
provides authenticity and data signing to ensure a secure connection between the
local Lotus Sametime Gateway community and an external instant messaging
community. The foundation technology for SSL is public key cryptography, which
guarantees that when an entity encrypts data using its private key, only entities
with the corresponding public key can decrypt that data.
You cannot use SSL between Lotus Sametime Gateway and Google Talk
communities.
Before you begin, make sure the Lotus Sametime Gateway server is running.
To have a secure network connection, you will create a key for secure network
communications and receive a certificate from a certificate authority (CA) that is
designated as a trusted CA on your server.
A default, self-signed certificate is also created in the key.p12 file at this time. Do
not use this self-signed or other self-signed certificate to connect to external
communities.
Note: Ensure that the SSL certificate contains the Basic Constraints extension. Do
not use a non-SSLv3-compliant self-signed CA. WebSphere Application Server 6.1
uses the IBM JDK 1.5.0 JSSE2 which checks for the presence of the Basic
Constraints extension. If the extension is not set, WebSphere Application Server
assumes that the CA is not a valid CA but a user certificate, which in returns
doesn’t allow to validate a server certificate as valid, because the issuing CA is not
found.
Trial certificates are not publicly trusted and so cannot be used to test against
public instant messaging providers such as Yahoo Messenger or AOL Instant
Messenger.
This topic explains what CA certificate needs to be downloaded and imported into
the WebSphere Application Server trust store.
v Steps 1-4 explain how to obtain the required CA certificate.
v Steps 5-7 explain how to import the obtained CA certificates into the WebSphere
Application Server.
1. To connect to AOL or Yahoo! download the following CA certificate. Navigate
to http://www.geotrust.com/resources/root_certificates/index.asp and
download the Equifax Secure Certificate Authority:
Download - Equifax Secure Certificate Authority (Base-64 encoded X.509)
2. To connect to AOL you are also required to download the following additional
certificates:
a. Navigate to https://pki-info.aol.com/AOL/ and download both certificates
titled: ″America Online Root CA 1 certificate″ and the ″America Online Root
CA 2 certificate.
b. Navigate to https://pki-info.aol.com/AOLMSPKI/index.html and download
the certificate titled: ″AOL Member CA certificate
3. To connect to an external Lotus Sametime-based IM community over SSL you
will need to obtain the CA certificate used by external community
a. Check with the external community administrator to determine which
trusted certificate authority they are using.
b. Obtain the CA certificate.
4. To connect to an external XMPP-based IM community over SSL. Note that the
Google talk public community does not use SSL you need to obtain the CA
certificate used by external community.
a. Check with the external community administrator to determine which
trusted certificate authority they are using.
b. Obtain the CA certificate.
5. In case the received certificate is stored in any type of a certificate file database
(a file with a suffix of .db or .p12, for example), you have to extract the
certificate to an independent file, before you can import it to WebSphere
Application Server.
6. Complete the following tasks in the Integrated Solutions Console: Click
Security → SSL Certificate and key management → Key stores and certificates
→ NodeDefaultTrustStore → Signer Certificate.
7. 7. Click Add.
a. Type an alias to identify the Certificate Authority in the Alias field. This is a
freeform value used to identify the certificate inside WebSphere, a good idea
would be to set the alias to the certificate’s CN (common name) field value.
b. Type in the full path to the file name containing the Certificate Authority’s
public key. For example: c:\certificates\acme_external_community.arm.
c. Select the data type.
Note: Attention: For IBM i, you must select binary as the data type.
Note: For IBM i only, Certificates are automatically downloaded with the .CER
file extension, so you must manually rename them to the .DER file extension
The keystore that contains a personal certificate request must already exist. In
WebSphere Application Server, the keystore file key.p12 exists.
1. Log in to the Integrated Solutions Console.
2. Click Security → SSL certificate and key management → Related items → Key
stores and certificates → NodeDefaultKeyStore.
3. Under ″Additional Properties,″ click Personal certificate requests.
4. Click New.
5. In the File for certificate request field, type the full path where the certificate
request is to be stored, plus a file name.
For example: c:\servercertreq.arm (for a Windows machine).
6. Type an alias name in the Key label field.
The alias is the name you use to identify the certificate request in the keystore.
For example: stgwcertificate
7. Type a common name (CN) value.
The CN must be your external visible DNS address to which the external
community (AOL for example) would be opening a TCP connection to. The
CN value does not have to be identical to any of the email domains
associated with your community.
You should decide on the CN value in advance primarily by consulting your
network administrator
8. Type an organization name in the Organization field.
This value is the ″organization″ value in the certificate’s distinguished name.
9. In the Organization unit field, type the ″organization unit″ portion of the
distinguished name.
10. In the Locality field, type the ″locality″ portion of the distinguished name.
11. In the State or Province field, type the ″state″ portion of the distinguished
name.
12. In the Zip Code field, type the ″zip code″ portion of the distinguished name.
13. In the Country or region drop down list, select the two-letter ″country code″
portion of the distinguished name.
14. Click Apply and Save.
The certificate request is created in the specified file location in the keystore.
The request functions as a temporary placeholder for the signed certificate
until you manually receive the certificate in the keystore.
Note: Key store tools (such as iKeyman and keyTool) cannot receive signed
certificates that are generated by certificate requests from WebSphere
If your server certificate is issued by an intermediary CA, then complete the steps
that follow.
You have received the signed certificate from the certificate authority, but before
importing the signed certificate into the keystore, you have to determine if the
received certificate had been signed by a root Certificate Authority (CA), or by a
intermediary Certificate Authority. If the certificate was signed by a root CA you
could skip this topic completely and continue straight to ″Importing a signed
certificate into the keystore″. If the certificate was signed by an intermediary CA
you will need to import the intermediary signer certificates as described in this
topic.
IBM WebSphere Application Server creates a certificate chain when the signed
certificate is received. The chain is constructed from the signer certificates that are
in the keystore at the time the certificate is received. Therefore, it is important to
import all intermediate certificates as signer certificates into the keystore before
receiving the Certificate Authority-signed certificate. When you purchase a server
certificate for Sametime Gateway, the certificate is issued by a Certificate Authority
(CA). The CA can either be a root CA or an intermediary CA.
1. The following steps describe how to tell if your certificate was signed by a root
CA or an intermediary CA (example given is on the Windows operating
system)
a. Save the signed certificate to a text file with a .cer extension. For example:
signed-certificate.cer. Include the Begin Certificate and End
Certificate lines when you save the file. For example:
-----BEGIN CERTIFICATE-----
ZZZZ3zCCAkigAwIBAgIDB5iRMA0GCSqGSIb3DQEBBQUAME4xCzAJBgNVBAYTAlVT
MRAwDgZZZZQKEwdFcXVpZmF4MS0wKwYDVQQLEyRFcXVpZmF4IFNlY3VyZSBDZXJ0
aWZpY2F0ZSBBdXRZZZZpdHkwHhcNMDcwNjE4MTkwNDI3WhcNMDgwNjE4MTkwNDI3
WjBqMQswCQYDVQQGEwJVUZZZZwGA1UECBMFVGV4YXMxDzANBgNVBAcTBkF1fc3Rp
bjEMMAoGA1UEChMDSUJNMRAwDgYDVQQLEwdzdXBwb3J0MRowGAYDVQQDExFydGNn
YXRlLmxvdHVzLmNvbTCBnzANBZZZZiG9w0BAQEFAAOBjQAwgYkCgYEAlb7fl36ti
obgdUzUYoFuJhRVZqItvBskeVFSOqDuQ4TwOAvaPTySx3z7ddFHSHwoFVOVIkU2g
e. If the server certificate is not issued by an intermediary CA, stop here and
click Next topic at the bottom of this topic.
You have received the signed certificate from the certificate authority. You have
determined whether the certificate is signed by a root CA or an intermediate CA, if
the certificate was signed by an intermediate CA, then you have imported into the
keystore all intermediate CA certificates. Now you are ready to import the signed
certificate itself into the keystore.
WebSphere Application Server can receive only those certificates that are generated
by a WebSphere Application Server certificate request. It cannot receive certificates
that are created with certificate requests from other keystore tools, such as
iKeyman and keyTool. The keystore must contain the certificate request that was
created and sent to the CA. This means that you cannot import a certificate to the
keystore if the keystore does not contain the original certificate request.
Make sure the certificate file you have received does not contain any text lines
before the " -----BEGIN CERTIFICATE-----" line appears on top. These lines can
cause the certificate import process to fail, and therefore you must delete these
lines if they are present in the certificate file.
1. Log in to the Integrated Solutions Console .
2. Click Security → SSL certificate and key management → Related items → Key
stores and certificates → NodeDefaultKeyStore .
3. Under Additional Properties, click Personal certificates.
4. Click Receive a certificate from a certificate authority.
5. Type the full path and name of the certificate file. For example on windows:
c:\mycertificate.cer
6. Do not change the default data type on the list (Base64-encoded ASCII Data).
7. Click Apply and Save.
Set up IBM Lotus Sametime Gateway server to use the new certificates.
1. Log in to the Integrated Solutions Console.
2. Click Security → SSL certificate and key management → Configuration
settings → Manage endpoint security configurations.
3. Expand the Inbound node, and then expand all levels below Nodes.
4. In the tree view, click the Sametime Gateway server.
5. On the configuration panel, under Specific SSL configuration for this
endpoint, select Override inherited values if this option is available.
6. Select the SSL Configuration name from the drop down list that you specified
when you defined the SSL configuration.
7. Click Update certificate alias list.
8. Select the certificate alias from the Certificate alias in key store drop down
that you specified when you received the certificates from the CA.
9. Click Apply and then Save.
10. Important: Repeat the preceding steps on the Outbound node of the local
topology tree.
11. Restart the Sametime Gateway server.
For a standalone: the single Java process.
You must first install Lotus Sametime Gateway on each node, including a
Deployment Manager node, create the cluster, and create a SIP proxy server for the
cluster.
Note: If you use a certificate other than the default self-signed certificate provided,
ensure that the SSL certificate contains the Basic Constraints extension. Do not use
a non-SSLv3-compliant self-signed CA. WebSphere Application Server 6.1 uses the
IBM JDK 1.5.0 JSSE2 which checks for the presence of the Basic Constraints
extension. If the extension is not set, WebSphere Application Server assumes that
the CA is not a valid CA but a user certificate, which in returns doesn’t allow to
validate a server certificate as valid, because the issuing CA is not found.
Trial certificates are not publicly trusted and so cannot be used to test against
public instant messaging providers such as Yahoo Messenger or AOL Instant
Messenger.
For complete details for setting up SSL in WebSphere Application Server, see the
WebSphere Application Server information center.
The keystore file is a key database file that contains both public keys and private
keys. Public keys are stored as signer certificates while private keys are stored in
the personal certificates. A Secure Sockets Layer (SSL) configuration references
keystore configurations during WebSphere Application Server runtime. Whether a
keystore file was created by another keystore tool or saved from a previous
configuration, the file must be part of a keystore configuration object. You can
create a keystore configuration for the existing keystore object.
Expected state: the Deployment Manager, node agents, and servers are started.
1. Stop all Lotus Sametime Gateway servers, but leave the Deployment Manager
and node agents running.
2. Using the Integrated Solutions Console, click Security → SSL certificate and
key management → Key stores and certificates.
3. Click New.
4. Type a name in the Name field that specifies the unique name to identify the
key store; for example: STGWKS.
5. Type a path in the Path field that specifies the location of the keystore file in
the format needed by the keystore type; for example: STGWKS.p12.
6. Type a password in the Password field. The password is used to protect the
keystore.
7. Type the keystore password again in the Confirm Password field to confirm
the password.
8. Select PKCS12 from the list. The type that you select is for the keystore file that
you specified in the Path field.
9. Click Apply and Save.
The keystore that contains a personal certificate request must already exist. In
WebSphere Application Server, the keystore file p12 exists.
After you receive the certificate back from the Certificate authority, you are ready
to proceed to the next step.
IBM WebSphere Application Server creates a certificate chain when the signed
certificate is received. The chain is constructed from the signer certificates that are
in the keystore at the time the certificate is received. Therefore, it is important to
import all intermediate certificates as signer certificates into the keystore before
receiving the Certificate Authority-signed certificate. When you purchase a server
certificate for Sametime Gateway, the certificate is issued by a Certificate Authority
(CA). The CA can either be a root CA or an intermediary CA.
If your server certificate is issued by an intermediary CA, then complete the steps
that follow, otherwise skip these steps and click Next topic at the bottom of this
topic.
1. Before you import an intermediate CA, first determine if your server’s
certificate was issued by an intermediary CA:
a. Save the signed certificate to a text file with a .cer extension. For example:
signed-certificate.cer. Include the Begin Certificate and End
Certificate lines when you save the file. For example:
-----BEGIN CERTIFICATE-----
ZZZZ3zCCAkigAwIBAgIDB5iRMA0GCSqGSIb3DQEBBQUAME4xCzAJBgNVBAYTAlVT
MRAwDgZZZZQKEwdFcXVpZmF4MS0wKwYDVQQLEyRFcXVpZmF4IFNlY3VyZSBDZXJ0
aWZpY2F0ZSBBdXRZZZZpdHkwHhcNMDcwNjE4MTkwNDI3WhcNMDgwNjE4MTkwNDI3
WjBqMQswCQYDVQQGEwJVUZZZZwGA1UECBMFVGV4YXMxDzANBgNVBAcTBkF1fc3Rp
bjEMMAoGA1UEChMDSUJNMRAwDgYDVQQLEwdzdXBwb3J0MRowGAYDVQQDExFydGNn
YXRlLmxvdHVzLmNvbTCBnzANBZZZZiG9w0BAQEFAAOBjQAwgYkCgYEAlb7fl36ti
obgdUzUYoFuJhRVZqItvBskeVFSOqDuQ4TwOAvaPTySx3z7ddFHSHwoFVOVIkU2g
OPiRcPY8oYlZ5R7Bq1fI/t5MFUTJhYw7k6z95jfIufzai2Bn3e+jzm7ivJ5dckEZ
Gm3ajjYQgwjCJBfOh7P9fE13dWJSZZZZzWcCAwEAAaOBrjCBqzAOBgNVHQ8BAf8E
BAMCBPAwHQYDVR0OBBYEFMHrh2oiTGbcBH759lnRZZZZn+NSMDoGA1UdHwQzMDEw
L6AtoCuGKWh0dHA6Ly9jcmwuZ2VvdHJ1c3QuY29tL2NybHMvc2VjdXJlY2EuY3Js
MB8GA1UdIwQYMBaAFEjmaPkr0rKV10fYIyAQTzOYkJ/ZZZZGA1UdJQQWMBQGCCsG
AQUFBwMBBggrBgEFBQcDAjANBZZZZkiG9w0BAQUFAAOBgQBKq8lUVj/DOPuNL/Nn
IGlrr1ot8VoZS7wZZZZlgeQLOmnZjIdRkbaoH04N3W3qZsQVs2/h4JZJj3mKVjjX
FeRVHFFyGZZZZ4hHWH+Zqf/PJwjhVPKEwsiKFaAGJS5VzP3btMG8tGan02zZUE4L
wPZZZZpMmvPI3U12W+76bqyvVg==
-----END CERTIFICATE-----
b. Double-click on the new file that you created and a Certificate dialog box
opens.
c. Click on the Certification Path tab.
d. Look at the tree-like structure representing the full certificate chain. The top
of the chain is referred to as the root Certificate Authority (CA). The bottom
of the chain represents your server’s certificate. If your server is not listed
one-level below the root CA, then your certificate was issued by an
intermediary CA. However, if your server is listed one-level below the root
CA, then the certificate was issued by the root CA. For example, the
following screen capture shows a certificate chain where an intermediary
CA, VeriSign Class 3 Secure Server CA, issued a certificate for
stgw.lotus.com.
The keystore must contain the certificate request that was created and sent to the
Certificate Authority. Also, the keystore must be able to access the certificate that is
returned by the Certificate Authority.
Expected state: the Deployment Manager and the node agents are started. The
servers are stopped.
Note: WebSphere Application Server creates the certificate chain when the signed
certificate is received. The chain is constructed from the signer certificates that are
in the keystore at the time the certificate is received. Be sure to import all
intermediate certificates as signer certificates into the keystore before receiving the
CA-signed certificate.
1. Click Security → SSL certificate and key management → Key stores and
certificates.
2. Click the keystore that you created previously.
3. Click Personal certificates.
4. Click Receive a certificate from a certificate authority.
5. Type the full path and name of the certificate file generated by the CA.
What to do next
Complete these steps to create a new SSL configuration for a cluster of Lotus
Sametime Gateway servers.
Secure Sockets Layer (SSL) configurations contain the attributes that you need to
control the behavior of client and server SSL endpoints. You create a single SSL
configuration to be used on the inbound and outbound trees in the configuration
topology.
Expected state: the Deployment Manager and node agents are started. The servers
are stopped.
1. Using the Integrated Solutions Console, click Security → SSL certificate and
key management → SSL Configurations.
2. Click New to display the SSL configuration panel.
3. Type name in the Name field for your SSL configuration.
4. In the Trust store name drop-down list, replace the default
CellDefaultKeyStore value with CellDefaultTrustStore. The truststore name
refers to a specific truststore that holds signer certificates that validate the
trust of certificates sent by remote connections during an SSL handshake.
5. Select the keystore that you created from the Keystore name drop-down list. A
keystore contains the personal certificates that represent a signer identity and
the private key that WebSphere Application Server uses to encrypt and sign
data.
6. Click Get certificate aliases.
7. Select your certificate alias as the default server certificate alias.
8. Select your certificate alias as the default client certificate alias.
9. Click Apply, and then Save.
10. Synchronize your changes to all nodes in the cluster. Click System
Administration → Nodes.
11. Select all nodes in the cluster, then click Full Resynchronize.
Download a certificate authority’s (CA) root certificate. After you download the
certificate, you must add it to the WebSphere Application Server truststore. For
connections to AOL or Yahoo, download the Equifax Secure CA because this
certificate is used by both communities. For connections to XMPP communities,
you must determine what root certificate, if any, is being used, and then check to
see if WebSphere Application Server already recognizes the certificate, and, if
necessary, download and add the certificate to your truststore.
What to do next
If for any reason the root certificate authority for an instant messaging community
changes or you add an additional instant messaging community to your Lotus
Sametime Gateway, you must explicitly add the new root CA to your WebSphere
Application Server truststore.
Add your new Certificate Authority certificate to the keystore to establish the trust
relationship in SSL communication.
The keystore that you want to add the CA certificate to must already exist.
Expected state: the Deployment Manager and node agents are started. The servers
are stopped.
1. In the Integrated Solutions Console, click Security → SSL certificates and key
management.
2. Click Key stores and certificates → CellDefaultTrustStore → Signer certificates
.
Expected state: the Deployment Manager, node agents, and all servers in the
cluster are started.
What to do next
Now you can exchange signer certificates with other server communities.
Expected state: the Deployment Manager, node agents, and all servers in the
cluster are started.
1. In the Integrated Solutions Console, click Security → SSL certificate and key
management → Manage endpoint security configurations..
2. Expand the Inbound node on the local topology tree.
a. Expand cell with XMPP proxy.
b. Expand nodes.
c. Select the node with the XMPP proxy.
3. On the configuration panel, select Override inherited values.
4. Make sure NodeDefaultSSLSettings is selected in the SSL configuration
drop-down list.
5. Click Update certificate alias list.
6. Select your certificate alias from the Certificate alias in key store drop-down
list.
7. Click Apply.
8. Repeat the preceding steps on the Outbound node of the local topology tree.
9. Click OK and Save.
What to do next
Now you can exchange signer certificates with other server communities.
Certificate vendors sometimes change the product names of their offerings without
changing the underlying CA certificate. AOL, Yahoo!, and XMPP can not keep
track of all the product-naming conventions of each certificate vendor.
For the current list of Certificate Authorities and accepted by Lotus Sametime
Gateway and AOL, XMPP, and Yahoo, see the IBM FAQ Tech Note #1372445, ″List
of Certificate Authorities (CAs) accepted by Lotus Sametime Gateway″ at:
www.ibm.com/support/docview.wss?&uid=swg21372445
In this procedure, you create a key database on the Sametime SIP Connector
machine and create an SSL certificate signed by a Certificate Authority.
1. Specify the host name and port for SSL connections.
2. Enable a SIP Connector to require client certificate authentication.
3. Manage the certificates required for TLS connections by ensuring that the SIP
Connector can operate as a server in a TLS handshake.
a. Install the IKeyMan program on the SIP Connector machine.
b. Use the IKeyMan program to create a key database on the SIP Connector
machine.
c. Identify the signer (or ″trusted root″) certificate you will use.
d. Create and submit a server certificate request.
e. Import the server certificate into the key database.
4. Manage the certificates required for TLS connections by ensuring that the SIP
Connector can operate as a client in a TLS connection handshake.
5. Enable a SIP Connector to require client certificate authentication.
a. Enter the client certificate name in the ExternCommunity document in the
stconfig.nsf database.
b. Ensure the SIP Connector has access to the certificates necessary to trust the
client certificate.
6. Edit the CommunityConnector document in the stconfig.nsf database to include
the local SIP Connector machine information.
7. Edit the ExternCommunity document in the stconfig.nsf database to include the
external community (Lotus Sametime Gateway community) to which the SIP
Gateway is connecting.
You now need to export the signed certificate and add it to the Sametime
Gateway’s trust store. Then, you must export the CA-signed personal certificate
from the keystore file of Lotus Sametime Gateway and add this certificate as a
signer certificate to the Sametime SIP Connector’s key database.
Name: talky.l.google.com
Addresses: 74.125.47.125, 74.125.65.125, 74.125.155.125, 209.85.137.125
209.85.163.125, 209.85.229.125, 216.239.51.125, 64.233.169.125, 72.14.203.125
72.14.247.125
C:\>nslookup talkz.l.google.com
Non-authoritative answer:
Name: talkz.l.google.com
Addresses: 209.85.200.129, 72.14.252.129, 209.85.162.129
4. Make sure that the Lotus Sametime Gateway server can resolve a reverse
lookup on each of the Google IP addresses below.
You can verify this by substituting each IP address into the following
command:
:\nslookup
> 209.85.163.125
Server: UnKnown
Address: 129.42.250.40
Name: el-in-f125.google.com
Address: 209.85.163.125
Whenever you install a server that communicates with an IBM Lotus Sametime
Community Server, you must add the new server’s IP address to the Community
Server’s settings.
The Lotus Sametime Community Server accepts connections from the Lotus
Sametime Media Manager, the Lotus Sametime Gateway, the Lotus Sametime
Community Mux, and the Lotus Sametime Proxy Server, as well as other servers
that are listed in the Community Services page. To ensure that the Lotus Sametime
Community Server trusts these components when they establish a connection, you
must add the trusted server’s IP address to the Lotus Sametime Community
Server.
You do not need to add the Lotus Sametime System Console’s IP address because
it is added automatically when you install the Lotus Sametime Community Server
using a deployment plan or register the Lotus Sametime Community Server with
the console after installation.
This task must be completed separately for each server within a Lotus Sametime
Community Server cluster, as well as for multiple non-clustered Community
Servers.
1. Log in to the Integrated Solutions Console.
2. Click Sametime System Console → Sametime Servers → Sametime Community
Servers.
Note: For the Lotus Sametime Media Manager, enter the Conference Manager
server IP address. Each instance of a Conference Manager cluster must be
entered.
To delete an IP address from the list, select it and click Delete Selected.
6. Click OK.
7. Restart the Lotus Sametime Community Server for the change to take effect.
If your Sametime servers are configured to use an LDAP server that is not a native
internal Domino directory, you must specify the attribute in an LDAP record that
contains the user’s e-mail address. This setting is required because SIP entities are
identified by their e-mail addresses.
1. From the Sametime server home page, click the Administer the Server link to
open the Sametime Administration Tool.
2. Choose LDAP Directory - Basics.
3. In the Basics settings for server drop-down list, select the LDAP server.
4. In the Attribute of a person entry that defines the person’s e-mail address
setting, type the attribute that your LDAP directory uses to hold the user’s
e-mail address. Default attribute names include the following:
v Type mail (default) if your LDAP directory is a Domino Directory, IBM
Directory Server, or Sun ONE Java System Directory Server.
v Type userPrincipalName (default) if you are using Microsoft Active
Directory.
5. Click Update.
6. Choose LDAP Directory - Searching.
7. In the search filter for resolving person names, update the search filter to
contain the attribute specified in step 4 above. For example, if the LDAP
directory uses the mail attribute, then update the search filter to include the
mail attribute. For example:
(&(objectclass=organizationalPerson)(|(cn=%s*)(givenname=%s*)(sn=%s*)(mail=%s*)))
8. Click Update and restart the server for the change to take effect.
To use Lotus Sametime Gateway with a local Sametime server version 6.5.1 or 7.0,
you must disable the Sametime SIP Gateway application.
1. Windows: Disable the Sametime SIP Gateway application by completing the
following steps:
a. Click Start → Programs → Administrative tools → Services.
b. Right click on ST SIP Gateway and click Stop.
c. Right click on ST SIP Gateway and click Properties.
d. In the Startup type drop-down list, select Disabled.
e. Click OK.
IBM i:
SERVERAPP StGateway,StCommunity,SOFT
e. Save the file.
f. Restart the Sametime server.
Complete these steps to allow your Sametime clients to add external users to
Contact Lists.
After you complete these steps, users will see an External Contact check box on
the Add New Contact dialog. To add an external contact, users type the external
user’s email address (name@domain), select External Contact, and then click Add.
1. Log in as the Sametime administrator to the following URL, substituting your
Sametime server’s Web address: http://SametimeServer.yourco.com/
stcenter.nsf.
2. Click Administer the server.
3. Click Policies in the navigation panel, and open the Policy in use.
4. Select Yes next to the statement Allow users to add external users using the
Sametime Gateway.
5. Click OK to save.
6. Using a Lotus Notes client, open the Sametime server’s stconfig.nsf file.
7. Click Create at the top of the client, and select Community Gateway.
8. Accept the defaults of True for Support external communities and Convert
ID.
9. Save and close the document.
10. Repeat the preceding steps for each Sametime server in the Sametime cluster.
11. Restart each Sametime server.
Before you can add a local Sametime server to Lotus Sametime Gateway, make
sure you’ve completed the preceding steps:
v Opened port 1516 on the internal firewall to the local Sametime community
server. If the Lotus Sametime community is clustered, you opened port 1516 to
each of the Sametime community servers, allowing both inbound and outbound
traffic between Lotus Sametime Gateway and each community server.
v Configured the Sametime server to trust the IP addresses of Lotus Sametime
Gateway servers.
v Disabled the legacy Sametime SIP Gateway on the Sametime community server.
v Allowed local Sametime clients to add external users to Contact Lists.
Important: You can only connect one gateway to a community; otherwise the
awareness and chat features may not work properly. Likewise, you can connect
only one local Lotus Sametime community to Lotus Sametime Gateway. You must
add the local community to Lotus Sametime Gateway before you add external
communities.
Expected state:
v Single server: the Lotus Sametime Gateway server is started.
v Cluster: the Deployment Manager is started, and the node agent and Lotus
Sametime Gateway servers are started on at least one node.
1. In the Integrated Solutions Console, click Sametime Gateway → Communities.
2. In the table that lists communities, click New.
3. In the Name field, type a logical name for the local community such as Acme
Sametime Users.
4. In the Community Type field, select Local.
5. In the Domains field, type the domain names in which users are found in the
local community.
Notes:
v Wildcards are not supported in this field, you must type each complete
domain name.
v Each domain name must access the same user directory. For example:
acme.com, us.acme.com, fr.acme.com, and uk.acme.com must all be linked
by a common user directory to be in the community. Obtain this
information from the system administrator of the local Lotus Sametime
community.
v If you plan to connect to Google Talk or other XMPP communities, all the
domains listed must have an existing SRV record. See the instructions in
Connecting to Google talk community. If even a single listed domain does
not have an SRV record, the Google community cannot connect.
6. In the Translation Protocol field, select VP.
7. Type the Host name of the Sametime community server, or any Sametime
server that’s part of a cluster in the local community. For example,
sametimeserver1.acme.com. If Sametime community server is part of a cluster,
enter the host name of any Sametime community server. Do not enter the host
name of a MUX or IP sprayer server. Sametime Gateway receives the cluster
Specifying connection attempts and a time out when connecting with the local
Sametime server:
When the Sametime Gateway server is disconnected from the Sametime server, by
default Sametime Gateway tries to connect for one minute, then stops, then tries
again to connect. This process goes on indefinitely unless you change these
defaults by creating two custom properties, one for connection attempts and the
other for the connection time out.
1. In the Integrated Solutions Console, click Sametime Gateway → Communities.
2. In the table that lists communities, click the Local community.
3. On the local community panel, click Custom properties, and then click New.
4. To set the number of connection attempts, in the name field, type Server
connection attempts.
5. In the value field, type -1 (to try infinitely), or some other number.
6. Click OK.
7. To set the connection time out, in the name field, type Server connection time
out.
8. In the value field, type a number in milliseconds. For example, type 30000 to
set the time out to 30 seconds.
9. Click OK.
10. Restart the Lotus Sametime Gateway server, or, if you have a cluster of Lotus
Sametime Gateway servers, restart the cluster.
Related reference
“Custom properties details” on page 447
Use this page to edit custom properties for a community, translation protocol, or
message handler. You can also specify new properties that are needed to configure
third-party elements used by the IBM Lotus Sametime Gateway.
When you set up a connection with AOL, you have the option of connecting with
AOL users only, or connecting with the AOL clearinghouse community that
includes AOL, ICQ, iChat, and other users from AOL Enterprise Federation Partner
communities, including external Sametime communities. IBM recommends that
you do not configure both communities, as users served by the AOL clearinghouse
are a superset of users served by the AOL community. If you set up AOL only, and
later decide to connect with the AOL clearinghouse community, delete the AOL
community first before adding the AOL clearinghouse community to Sametime
Gateway.
Note: Lotus Sametime client users must use the Sametime client version 7.5 or
later when exchanging instant messages and presence information with public
instant messaging providers such as AOL Instant Messenger, Yahoo Messenger,
The procedure for registering your Lotus Sametime Gateway depends on how you
acquired Lotus Sametime Standard or Lotus Sametime Advanced:
Related tasks
“Connecting to the AOL clearinghouse community” on page 214
Use this procedure to add the AOL clearinghouse community to IBM Lotus
Sametime Gateway. The AOL clearinghouse connects your Sametime users to a
wide community that includes AOL, ICQ, iChat, and other users from AOL
Enterprise Federation Partner communities, including external Sametime
communities. Connect to the AOL clearinghouse community or the AOL
community, but not both, as the former is a superset of the latter.
If you acquired licenses for IBM Lotus Sametime Standard or Lotus Sametime
Advanced using the IBM Passport Advantage® Web site, then register your IBM
Lotus Sametime Gateway directly using the Lotus Sametime Provisioning
Application.
If you did not acquire licenses for IBM Lotus Sametime Standard or Lotus
Sametime Advanced through IBM Passport Advantage, then register your IBM
Lotus Sametime Gateway by e-mailing the required information to the provided
address. For example, if you are an IBM Business Partner or have purchased IBM
Lotus Sametime Standard for Cisco Unified Communications from Cisco or an
authorized Cisco reseller, you must use this procedure.
Registration Code:
v Registration code
This is available on the Lotus Sametime for Cisco Unified Communications
software DVD. If you are an IBM Business Partner, you can get this code from
your Business Partner representative.
Technical information:
v Gateway host name (the fully qualified domain name of your gateway; for
example: stgateway.company.com)
v The port on which you want to accept incoming TLS/SIP requests (port 5061 is
used by default)
Contact information:
v Company Name
v ID or Order # (If IBM Business Partner, use Partnerworld ID #; otherwise, use
Order #)
v Contact first/last name
v Contact e-mail address
v Contact telephone number
v Contact instant messaging address (optional)
When you set up a connection with AOL, you have the option of connecting with
AOL users only, or connecting with the AOL clearinghouse community that
includes AOL, ICQ, iChat, and other users from AOL Enterprise Federation Partner
communities, including external Sametime communities. IBM recommends that
you do not configure both communities, as users served by the AOL clearinghouse
are a superset of users served by the AOL community. If you set up AOL only, and
later decide to connect with the AOL clearinghouse community, delete the AOL
community first before adding the AOL clearinghouse community to Sametime
Gateway.
Use this procedure to add the AOL clearinghouse community to IBM Lotus
Sametime Gateway. The AOL clearinghouse connects your Sametime users to a
wide community that includes AOL, ICQ, iChat, and other users from AOL
Enterprise Federation Partner communities, including external Sametime
communities. Connect to the AOL clearinghouse community or the AOL
community, but not both, as the former is a superset of the latter.
Note: IBM recommends that you do not configure both the AOL clearinghouse
and the AOL communities, as users served by the AOL clearinghouse are a
superset of users served by the AOL community. If you set up AOL only, and later
decide to connect with the AOL clearinghouse community, delete the AOL
community first before adding the AOL clearinghouse community to Sametime
Gateway.
Before you add the AOL clearinghouse community, you must establish the local
community, and use the provisioning application to register your Lotus Sametime
with AOL Public Instant Messaging Services.
Expected state:
v Single server: the Lotus Sametime Gateway server is started.
v Cluster: the Deployment Manager is started, and the node agent and Lotus
Sametime Gateway server are started on at least one node.
1. In the Integrated Solutions Console, click Sametime Gateway → Communities
.
2. In the table that lists communities, click New.
3. In the Name field, type a logical name for the new clearinghouse community.
4. In the Community Type field, select Clearinghouse.
5. Select a Translation Protocol. Choose SIP for AOL for AOL Clearinghouse
community connections.
6. In the Host Name field, type the following:
sip.oscar.aol.com
7. In the Port field, type the port number. The default port is 5061.
8. Because AOL clearinghouse requires a secure connection, the Transport
protocol is set to TLS, so there is nothing to do.
9. Click OK to save the new community.
10. On the Communities panel, select the name of the community that you
created , scroll to the bottom, and click Assign local users to this community
to assign users access to the AOL clearinghouse community.
11. Restart the Lotus Sametime Gateway server, or, if you have a cluster of Lotus
Sametime Gateway servers, restart the cluster.
12. The following steps are optional, but be sure to restart the Sametime Gateway
servers if you make any changes to the community.
a. Click Custom Properties to include additional IP addresses for AOL
Instant Messenger servers. Sametime Gateway uses these IP addresses to
determine which SIP requests originate from AOL. The Custom properties
link is available only after the community is saved.
What to do next
For troubleshooting help, see Technote 1317952 on the IBM Lotus Support Web site
at http://www.ibm.com/support/docview.wss?rs=899&uid=swg21317952.
Related tasks
“Registering your Sametime Gateway with AOL and Yahoo!” on page 212
The IBM Lotus Sametime Provisioning Application enables you to set up
interoperability with certain public instant messaging services such as Yahoo! and
AOL. The application prompts you for relevant information, validates your
organization’s entitlement to use IBM Lotus Sametime Gateway, provides the
information to the instant messaging service, and notifies you when you have been
added by the service.
“Adding a local Community Server to Sametime Gateway” on page 208
Connect a local Lotus Sametime Community Server or Lotus Sametime community
cluster to Lotus Sametime Gateway to enable Lotus Sametime users to have instant
messaging with external users.
Related reference
“Sametime Gateway communities” on page 433
View the list of communities and use the list as the starting place to set up
communities, assign local users access to external communities, and set properties
on communities. The communities list shows the community name, the type of
community, and the translation protocol used.
“Community properties” on page 436
Use this page to connect IBM Lotus Sametime Gateway to one internal community
and multiple external communities, or to edit the connection properties of an
existing community. Specify the type of community, the domains to use when
accessing the community, the translation protocol that Lotus Sametime Gateway
uses to communicate with the community, connection details, and any custom
properties for the connection or community. After you create a community, use the
Assign local users to this community link to give permission to local users to
access the external or clearinghouse community.
Use this procedure to add the AOL Instant Messenger community to IBM Lotus
Sametime Gateway so that your users can exchange instant messages and presence
with AOL Instant Messenger users. Add the AOL community only if you have not
added the AOL clearinghouse community because the AOL clearinghouse is a
superset of the AOL community.
Note: IBM recommends that you do not configure both the AOL clearinghouse
and the AOL communities, as users served by the AOL clearinghouse are a
superset of users served by the AOL community. If you set up AOL only, and later
decide to connect with the AOL clearinghouse community, delete the AOL
community first before adding the AOL clearinghouse community to Sametime
Gateway.
You must establish the local community first before adding an external community.
Expected state:
v Single server: the Lotus Sametime Gateway server is started.
v Cluster: the Deployment Manager is started, and the node agent and Lotus
Sametime Gateway server are started on at least one node.
1. In the Integrated Solutions Console, click Sametime Gateway → Communities
.
2. In the table that lists communities, click New.
3. In the Name field, type a logical name for the new community such as AOL
IM.
4. Under Community Type, select External.
5. In the Domains field, type: aol.net, corp.aol.com, aol.com
6. In the Translation Protocol list, select SIP for AOL.
7. In the Host Name field, type sip.oscar.aol.com.
8. In the Port field, type a port number. The default port is 5061.
9. In the Transport protocol field, TLS (Transport Layer Security) is already
selected.
10. Click AOL IM from the list to edit the connection properties.
11. Click OK to save the new community.
12. On the Communities panel, select the name of the community that you
created, scroll to the bottom, and click Assign local users to this community
to assign local users access to the external community.
13. Click Assign local users to this community to assign local users access to the
external community. This link is inoperable until you first save the new
external community.
14. Restart the Lotus Sametime Gateway server. If you have a cluster of servers,
restart the cluster.
15. The following steps are optional, but be sure to restart the Sametime Gateway
servers if you make any changes to the community.
a. Click Custom Properties to include additional TCP/IP addresses for AOL
Instant Messenger servers. Sametime Gateway uses these IP addresses to
determine which SIP requests originate from AOL. When setting up the
community for the first time, the Custom properties links are available
only after the community is saved.
What to do next
For troubleshooting help, see Technote 1317952 on the IBM Lotus Support Web site
at http://www.ibm.com/support/docview.wss?rs=899&uid=swg21317952.
IBM Lotus Sametime Gateway users can exchange instant messages with the
Google Talk community over the Extensible Messaging and Presence Protocol, or
XMPP. To communicate with the Google Talk community, you must first set up a
DNS service (SRV) record and publish it to DNS so that Google Talk users and
local Sametime users can discover each other and establish a connection. This topic
instructs you to create a DNS SRV record first, and then add Google Talk as an
external community.
Remember that the Lotus Sametime Gateway servers must have access to a DNS
server that can resolve public DNS records (A records, SRV records, and PTR
records). For example the following commands should be able to resolve
successfully:
nslookup talkz.l.google.com
nslookup 64.12.162.248
nslookup -type=SRV -class=all _xmpp-server._tcp.google.com
Make sure all domains you specified in the internal community are not registered
with ″Google Apps.″ To determine whether a domain is registered with Google
Apps, see the IBM Technote Unable to establish awareness with Google Talk users
through the Sametime Gateway.
Your firewall rules should be set up as described in the ″GoogleTalk″ section of the
topic, “Opening ports in the firewalls” on page 203.
Work with your network administrator to set up a DNS SRV record for each
domain defined in your internal community using the following format:
_xmpp-server._tcp.domain name. IN SRV priority weight port target.
For example:
_xmpp-server._tcp.lotus.com. IN SRV 5 0 5269 sttest.lotus.com.
Expected state: the Lotus Sametime Gateway single server or cluster is started
1. Create an individual DNS SRV record (_xmpp-server._tcp) for each domain
name that you will support.
For example, you might support two local domain names, called lotus.com
and ibm.com®. For each of the domain names you want to support, you must
create an individual DNS SRV record. The records will be identical except for
the domain name field’s value.
2. Verify that the DNS SRV record that you added to DNS is correct by using the
nslookup command:
a. Open a command window and run nslookup.
b. Type set type=SRV.
c. Type set class=IN.
d. Search the _xmpp-server.tcp record using the supported domains added in
the previous step.
Using the example above, you enter _xmpp-server._tcp.lotus.com and repeat
the searching for _xmpp-server._tcp.ibm.com. Using lotus.com, the full
command and returned value appears as follows:
nslookup>set type=SRV
>set class=IN
>_xmpp-server._tcp.lotus.com.
Make sure the correct hostname of the Sametime Gateway server and IP
address are returned. The following is an example only:
Server: sbydns01.srv.ibm.com
Address: 9.0.4.1
Non-authoritative answer:
_xmpp-server._tcp.lotus.com SRV service location
priority = 5
weight = 0
port = 5269
svr hostname = sttest.lotus.com
What to do next
For troubleshooting help, see Technote 1316296 on the IBM Lotus Support Web site
at http://www.ibm.com/support/docview.wss?rs=899&uid=swg21316296.
Related tasks
“Adding a local Community Server to Sametime Gateway” on page 208
Connect a local Lotus Sametime Community Server or Lotus Sametime community
cluster to Lotus Sametime Gateway to enable Lotus Sametime users to have instant
messaging with external users.
You must establish the local community first before adding an Office
Communications Server community. Please also note that setting SSL is a
prerequisite for connecting to an Office Communications Server community.
Remember that the IBM Lotus Sametime Gateway servers must have access to a
DNS server that can resolve public DNS records (A records, SRV records, and PTR
records). For example the following commands should be able to resolve
successfully:
nslookup sip.oscar.aol.com
nslookup 64.12.162.248
nslookup -type=all -class=all _xmpp-server._tcp.google.com
nslookup [OCS Edge Server]
Expected state:
v Single server: the Lotus Sametime Gateway server is started.
v Cluster: the Deployment Manager is started, and the node agent and Lotus
Sametime Gateway server are started on at least one node.
Connect to the Yahoo! Messenger community so that your users can exchange
instant messages with Yahoo! Messenger users.
You must set up SSL and establish the local community first before adding the
Yahoo! Messenger community.
Remember that the Lotus Sametime Gateway servers must have access to a DNS
server that can resolve public DNS records (A records, SRV records, and PTR
records). For example the following commands should be able to resolve
successfully:
nslookup sip.oscar.aol.com
nslookup 64.12.162.248
nslookup -type=all -class=all _xmpp-server._tcp.google.com
Expected state:
v Single server: the Lotus Sametime Gateway server is started.
v Cluster: the Deployment Manager is started, and the node agent and Lotus
Sametime Gateway server are started on at least one node.
1. In the Integrated Solutions Console, click Sametime Gateway → Communities
.
2. In the table that lists communities, click New.
3. In the Name field, type a logical name for the new community.
4. Under Community Type, select External.
5. In the Domains field, type the following domain names: yahoo.com,
ymail.com, rocketmail.com, ameritech.net, btinternet.com, btopenworld.com,
demobroadband.com, flash.net,nl.rogers.com, nvbell.net, ort.nl.rogers.com,
ort.rogers.com, pacbell.net, prodigy.net, rogers.com, sbcglobal.net, snet.net,
swbell.net, uat.nl.rogers.com, uat.rogers.com, verizon.net, wans.net
Notes
v When adding Yahoo! domains, do not use Yahoo domains other than
yahoo.com and the partner domains listed above. Yahoo domains such as
yahoo.ca and yahoo.co.uk are not supported. For example, when a user
wants to add an external contact such as jsmith@yahoo.ca, the user must
enter the contact as jsmith@yahoo.com.
v Sametime users cannot add Yahoo Japan e-mail addresses using the e-mail
address domain yahoo.co.jp. Yahoo Japan is a separate company whose
network is completely separate from Yahoo.com.
6. Select SIP for Yahoo as the translation protocol.
7. In the Host Name field, type iopibm.msg.yahoo.com.
What to do next
For troubleshooting help, see Technote 1317952 on the IBM Lotus Support Web site
at http://www.ibm.com/support/docview.wss?rs=899&uid=swg21317952.
IBM Lotus Sametime Gateway users can exchange instant messages with an XMPP
community over the Extensible Messaging and Presence Protocol, or XMPP.
You must set up SSL and establish the local community first before adding the
XMPP community.
Remember that the Lotus Sametime Gateway servers must have access to a DNS
server that can resolve public DNS records (A records, SRV records, and PTR
records). For example the following commands should be able to resolve
successfully:
nslookup sip.oscar.aol.com
nslookup 64.12.162.248
nslookup -type=all -class=all _xmpp-server._tcp.google.com
Expected state:
v Single server: the Lotus Sametime Gateway server is started.
v Cluster: the Deployment Manager is started, and the node agent and Lotus
Sametime Gateway server are started on at least one node.
1. In the Integrated Solutions Console, click Sametime Gateway → Communities
.
2. In the table that lists communities, click New.
3. In the Name field, type a logical name for the new community.
4. Under Community Type, select External.
5. In the Domains field, type the domains provided by the XMPP community.
Attention: Wildcards are not supported in this field, you must type each
complete domain name.
6. Select XMPP as the translation protocol.
When you select XMPP as your protocol, the Host Name field defaults to
″Localhost″ as its value while Lotus Sametime Gateway resolves the domain
value that you entered in step 5; once the domain is resolved, an appropriate
value is entered automatically into the Host Name field.
7. In the Port field, the default port is 5269.
8. In the Transport protocol field, select TCP (Transmission Control Protocol) or
TLS (Transport Layer Security).
9. Click OK to save the new community.
10. On the Communities panel, select the name of the community that you
created, scroll to the bottom, and click Assign local users to this community
to assign local users access to the external community.
11. Restart the Lotus Sametime Gateway server. If you have a cluster of servers,
restart the cluster.
12. The following steps are optional, but be sure to restart the Sametime Gateway
servers if you make any changes to the community.
a. Click Custom Properties to include additional host names for XMPP
servers. Sametime Gateway uses these IP addresses to determine which
XMPP requests originate from this community. Note that the Custom
properties link is available only after the community is saved.
b. In the Route properties field, set the maximum sessions for instant
messaging or presence for this community. The session numbers set for
this community cannot exceed the global maximum sessions set for
Sametime Gateway. If Route properties are not visible, you must connect
to a local community first.
c. Select the check box to disable the route to the community.
d. Click the Translation Protocol link to set custom properties for the
translation protocol. The Custom properties links are available only after
the community is saved.
What to do next
For troubleshooting help, see Technote 1316296 on the IBM Lotus Support Web site
at http://www.ibm.com/support/docview.wss?rs=899&uid=swg21316296.
Instant messaging users from commercial IM providers such as Yahoo and Google
can watch the status of internal Sametime users unless the server is configured to
manage this functionality. This functionality can be managed through the ’user
consent’ feature. When the server is configured to require permission from the
Sametime user, the Sametime user sees a pop-up window on his screen, asking for
permission for the external user to watch the Sametime user’s status. The
Sametime user can give consent, or not.
When the server is configured to require permission from the Sametime user, the
Sametime user sees a popup window requesting permission for the external user
to watch the Sametime user’s status. The Sametime user can approve or decline.
You must add the local Sametime community first before adding an external
community. In addition, if you are not connecting to a Sametime 7.5 or later server
using its own Lotus Sametime Gateway, be sure that the external Sametime 6.5.1 or
7.0 server has the Sametime SIP Gateway enabled. Finally, confirm that the external
Sametime server and Lotus Sametime Gateway have the latest fixes installed.
Expected state:
v Single server: the local Lotus Sametime Gateway server is started.
v Cluster: the Deployment Manager is started, and the node agent and a Lotus
Sametime Gateway server are started on at least one node.
1. In the Integrated Solutions Console, click Sametime Gateway → Communities
.
2. In the table that lists communities, click New.
3. In the Name field, type a name for the new community.
4. Under Community Type, select External.
5. In the Domains field, type the Fully qualified domain names in which users
are found in the external community. Each domain name must access the
same user directory. For example: acme.com, us.acme.com, fr.acme.com, and
uk.acme.com must all be linked by a common user directory to be in the
community. Obtain this information from the system administrator in the
external community.
6. Select a Translation Protocol:
Option Description
SIP for Sametime Gateway Use SIP for Sametime Gateway for
connections to Lotus Sametime Gateway
versions 7.5 or later communities.
SIP for legacy Sametime Gateway Use SIP for legacy Sametime Gateway for
Lotus Sametime versions 7.0 or 6.5.1
communities.
7. In the Host Name field, type the name of the external real-time
communication server such as AcmeServer1.com, for example.
This feature requires you to define a Home Server (cluster) for all users within the
targeted community, so that the Lotus Sametime Gateway server can determine
whether the user belongs to a community on the exclusion list. For information on
defining a user’s Home Server, see Forcing users to connect to a home server.
An exclusion list is a list of clusters (for a stand-alone Lotus Sametime server, the
cluster name is the server name) deployed within a local Lotus Sametime
community; you define the list as a Lotus Sametime Gateway custom property. Use
the exclusion list to prohibit external users from communicating with users in a
community hosted on one of the specified clusters. Subscribe (awareness) and chat
(instant messaging) requests from all external users to the local users hosted on the
clusters listed on the exclusion list, will be rejected by the Lotus Sametime
Gateway server. You enable this feature with the custom property called ″Sametime
community exclusion list″.
For example, suppose the Acme Corporation has two distributed Lotus Sametime
clusters, called eu.acme.com (Europe) and usa.acme.com (USA). In addition, Lotus
Sametime Gateway is installed on gw.acme.com.
Follow these steps to define an exclusion list. For details see Adding custom
properties.
1. Log in to the Integrated Services Console as a Lotus Sametime Gateway
administrator.
2. Click Sametime Gateway → Communities.
3. Select the local community for which you want to define an exclusion list.
4. In the Name field, type: Sametime community exclusion list as the name of
the new property.
5. In the Value field, type the list of excluded servers and clusters.
Type the server names and cluster names as a list using any of these characters
to separate names:
v comma ,
v semicolon ;
v space
Cluster names must appear as defined in the Cluster Document; for more
information, see ″Creating a cluster document in the Configuration database″.
These steps describe how to obtain and update the port number that the SIP
container uses to communicate with external communities. You want to provide
the port number to external communities so they can use the same port. You may
also need to change the TLS port number that the Lotus Sametime Gateway uses.
This procedure assumes that you have installed the Lotus Sametime Gateway.
A standalone Lotus Sametime Gateway server uses a SIP container port that is, by
default, 5061 for Transport Layer Security (TLS). Therefore, if an external
community wants to connect to Lotus Sametime Gateway, the external community
must define port 5061. Check the SIP_DEFAULTHOST_SECURE parameter to
verify the TLS port for the SIP container service.
These steps describe how to obtain and update port numbers that the SIP and
XMPP proxy servers uses to communicate with external communities. You want to
provide the port numbers to external communities so they can use the same port.
You may also need to change the TLS/SSL port number Lotus Sametime Gateway
uses.
This procedure assumes that you have installed Lotus Sametime Gateway, have
created a cluster, and have installed and configured a SIP and XMPP proxy server.
By default, the SIP proxy uses port 5061 over TLS/SSL, and the XMPP proxy
server uses port 5269 for SSL and non-SSL connections.
What to do next
The port number in combination with the DNS name of the node on which the SIP
and XMPP proxy servers run is needed for configuring external instant messaging
communities to connect to your Lotus Sametime Gateway.
What to do next
Note: When adding Yahoo! Messenger users, use the yahoo.com domain, even if
the Yahoo user’s e-mail domain is different. For example, if the external contact is
jsmith@yahoo.ca, enter the contact as jsmith@yahoo.com. Similarly, if a Yahoo
user’s e-mail is sbrown@yahoo.co.uk, enter the contact as sbrown@yahoo.com.
Note that users who have Yahoo Japan e-mail addresses using the domain
yahoo.co.jp cannot use Lotus Sametime Gateway. Yahoo Japan is a separate
company whose network is completely separate from Yahoo.com.
The event logging feature is available only for a clustered deployment. When you
configure the Lotus Sametime Gateway cluster, the Common Event Infrastructure
data source is installed automatically on IBM AIX, Linux, Microsoft Windows, and
Solaris. If you are using IBM i, you must install this data source yourself before
you can enable event logging.
For complete details regarding functionality and how to read the logging codes in
the event log, see the Lotus Sametime Gateway Integration Guide included in the
Lotus Sametime Software Development Kit.
The event logging feature is available only for a clustered deployment. When you
configure the Lotus Sametime Gateway cluster, the Common Event Infrastructure
data source is installed automatically on IBM AIX, Linux, Microsoft Windows, and
Solaris. If you are using IBM i, you must install this data source yourself before
you can enable event logging.
The Lotus Sametime Software Development Kit includes a samples ear file
(rtc_gatewaySamplesEAR.ear) that you install as a regular J2EE application in
WebSphere Application Server. Once the ear file is installed and the event logger is
enabled, Lotus Sametime Gateway event logger can then send easy to read output
to the trace.log file. For complete details regarding installation, configuration, and
the functionality of the sample Logger Event Consumer, see the Lotus Sametime
Gateway Integration Guide included with the Sametime SDK.
The sample application sends the name and value pairs of extendedDataElements
in any event that is captured with extensionName RtcGatewayLoggerEvent to the
trace.log file. The sample Logger Event Consumer distributed with the SDK only
writes information when diagnostic trace is enabled. Review the topic ″Setting a
diagnostic trace″ for more information. Logging for the samples must be enabled
and set to All Message and Trace Levels for
com.ibm.collaboration.realtime.sample.
Uninstall the event logging application, which is part of the Sametime Gateway
samples ear file, by first disabling the event logging message handler, then
stopping the enterprise application, and finally uninstalling the application.
1. From the Integrated Solutions Console, click Sametime Gateway → Message
Handlers.
2. In the list of message handlers, select the event logger, helloworld, chatlog, and
presblock.
3. Click Disable.
Logging events
Complete these steps to enable content, instant messaging, or presence logging. To
actually view the log results, you must install the sample ear file.
When you first install Lotus Sametime Gateway, event logging is enabled. But to
begin logging events, you must enable at least one custom property for the event
logger. You can record three types of events: the actual content of an instant
messaging session, instant messaging data, and presence (or subscription) data.
Each type of event records basic information such as when a session starts and
stops, when an instant message is sent, when a presence subscription is created or
released, and when a presence notification takes place.
Event logging for content, instant messaging, and presence is disabled (set to 0) by
default. Values 0 or 1 and true or false are acceptable.
Expected state:
v Single server: the Lotus Sametime Gateway server is started.
v Cluster: the Deployment Manager is started, and the node agent and Sametime
Gateway server are started on at least one node.
1. In the Integrated Solutions Console, click Sametime Gateway → Message
Handlers.
2. Click the event logger plugin in the table.
3. Click Custom properties.
4. Select one of the following properties:
v enableContentLogging
v enableImLogging
v enablePresenceLogging
5. Set the value as follows:
Values Meaning
0 OR false disabled
1 OR true enabled
6. Click OK. You cannot view logged events until you install the sample
application that logs information to trace.log. See the sample ear file and Lotus
Sametime Gateway Integration Guide included in the Lotus Sametime Software
Development Kit.
Expected state:
v Single server: the Lotus Sametime Gateway server is started.
v Cluster: the Deployment Manager is started, and the node agent and Sametime
Gateway server are started on at least one node.
1. In the Integrated Solutions Console, click Sametime Gateway → Gateway
Properties.
2. Type the blacklist domain names. Use Fully qualified domains names or
TCP/IP addresses separated by a comma, semicolon, or space. Wildcards using
an asterisk in the left-most subdomain position are allowed. For example,
*.spamalot.com is allowed.
3. Click Apply.
Related reference
“Sametime Gateway properties” on page 432
Use this page to set the maximum chat sessions. You can also specify domains
from which to block messages.
If the session timeout property is set for a community, the community value takes
precedence over the translation protocol value.
You can set a session timeout on communities that use the following translation
protocols:
v SIP for Sametime Gateway
v SIP for legacy Sametime Gateway
v SIP for AOL
v SIP for Yahoo
Expected state:
v Single server: the Lotus Sametime Gateway server is started.
v Cluster: the Deployment Manager is started, and the node agent and Lotus
Sametime Gateway server are started on at least one node.
1. In the Integrated Solutions Console, click Sametime Gateway → Communities.
2. Select a community to view the community properties.
3. At the top, click Custom Properties.
4. In this is the first time you are setting the session timeout at the community
level, click New, otherwise click session_timeout to edit the custom property.
5. Type session_timeout as the name for the property.
6. Type an interval, in seconds, in the Value field, for example: 3600.
7. Click OK, and then Save.
8. Restart the Lotus Sametime Gateway server. If you have a cluster of Lotus
Sametime Gateway servers, restart the cluster.
If the property is defined for a community, the community value takes precedence
over translation protocol value.
Expected state:
v Single server: the Lotus Sametime Gateway server is started.
v Cluster: the Deployment Manager is started, and the node agent and Lotus
Sametime Gateway server are started on at least one node.
1. In the Integrated Solutions Console, click Sametime Gateway → Translation
Protocols.
2. Select a translation protocol: SIP for Sametime Gateway, SIP for AOL, SIP for
OCS, SIP for Yahoo, or SIP for legacy Sametime Gateway.
3. Under Additional properties, click Custom Properties.
4. Select session_timeout.
5. Type a new session timeout in the Value field. The default timeout is 3600
seconds (60 minutes).
6. Click OK, and then Save.
By default, the subscription timeout is set on the translation protocol only. You can
set the same property on an external community, allowing fine-grained control on
a community basis. If the property is defined for a community, the community
value takes precedence over the translation protocol value.
Subscription timeout applies to only to the SIP for legacy Sametime Gateway
translation protocol. The subscription timeout does not apply to VP or other
protocols.
Expected state:
v Single server: the Lotus Sametime Gateway server is started.
v Cluster: the Deployment Manager is started, and the node agent and Lotus
Sametime Gateway server are started on at least one node.
1. In the Integrated Solutions Console, click Sametime Gateway → Communities.
2. Select a community that uses SIP for legacy Sametime Gateway to view the
community properties.
3. At the top, click Custom Properties.
4. In this is the first time you are setting the subscription timeout at the
community level, click New, otherwise click subscription_timeout to edit the
custom property.
5. Type subscription_timeout as the name for the property.
6. Type an interval in seconds in the Value field, for example: 3600.
7. Click OK, and then Save.
8. Restart the Lotus Sametime Gateway server. If you have a cluster of Lotus
Sametime Gateway servers, restart the cluster.
By default, the subscription timeout is set on the translation protocol only. You can
set the same property on a community, allowing fine-grained control on a
community basis. If the property is defined for a community, the community value
takes precedence over the translation protocol value.
Subscription timeout applies to the SIP for legacy Sametime Gateway protocol. The
subscription timeout does not apply to VP, XMPP, or other protocols.
Expected state:
v Single server: the Lotus Sametime Gateway server is started.
You must create the external community first before you specify the custom error
message.
You can set a custom property at the community level to display a specific error
message that users see when they are unable to connect to a user in an external
community. Without specifying the custom property, user always see a default
message ″Your message has not been delivered. Please verify that the recipient is
online.″ The steps below describe how to create a custom error message to provide
additional feedback to users when trying to connect to a specific community.
1. In the Integrated Solutions Console, click Sametime Gateway → Communities.
2. From the list of communities, select an external community.
3. Click Custom Properties.
4. Click New to create a new custom property.
5. In the Name field, type IM failure message .
6. In the Value field, type the custom error message to display to users when
sending an instant message fails.
7. Click Apply.
8. Restart the Lotus Sametime Gateway server.
Update host or IP addresses only after new addresses have been published by
IBM.
Sametime Gateway uses a custom property called server to store Fully qualified
domain names (FQDN) or host IP addresses of instant messaging services. The
property enables Sametime Gateway to determine when a SIP request is coming
from AOL Instant Messenger, Office Communications Server, or Yahoo! Messenger,
or when an or XMPP request is coming from Google Talk. The property is pre-set
when you add an external community that uses one of the aforementioned
services, so if a FQDN or a host IP addresses changes, you must update the
custom property for any community that relies on that service.
Note that you can change only the custom property at the community level after
you create the connection to a community.
1. Log into the Integrated Solutions Console (http://localhost:9060/ibm/console),
and click Sametime Gateway → Communities.
2. Click a community that uses the translation protocol that you want to update:
Expected state:
v Single server: the Lotus Sametime Gateway server is started.
v Cluster: the Deployment Manager is started, and the node agent and Sametime
Gateway server are started on at least one node.
1. In the Integrated Solutions Console, click Sametime Gateway → Communities.
2. Select a community to view the community properties.
3. At the top, click Custom Properties.
4. Click New.
5. Type the name of the custom property in the Name field.
6. Type the value in the Value field.
7. Select Required to enable the custom property.
You can extend the IBM Lotus Sametime Gateway by adding translation protocols.
Additional translation protocols expand the communities that the Lotus Sametime
Gateway can connect with.
Configuring security
After setting up your initial IBM Lotus Sametime environment, you may want to
make additional changes to safeguard information at your site, including limiting
user access to certain features, using encryption, and modifying default security
settings.
This section contains information about securing your Lotus Sametime servers
running on Domino and WebSphere Application Server.
The following Lotus Sametime servers install with SSL already enabled, using a
self-signed certificate provided by IBM:
v Lotus Sametime Proxy Server
v Lotus Sametime Meeting Server
v Lotus Sametime Media Manager
If you install the Media Manager components on separate servers, each is
installed with SSL enabled.
Note: The Lotus Sametime Gateway server does not install with SSL enabled; the
configuration instructions in this information center explain how to enable SSL and
import a certificate for Lotus Sametime Gateway servers.
If you want to modify your deployment to use a different SSL certificate, follow
the instructions in the WebSphere information center topic, Import certificate from
a key file or managed keystore.
To enable SSL, you must extract the certificate from the Lotus Sametime product
server and add it to the trust store of the Sametime System Console. The Lotus
Sametime product servers include:
v Lotus Sametime Meeting Server
v Lotus Sametime Proxy Server
v Lotus Sametime Media Manager
v Lotus Sametime Gateway Server
v SIP Proxy and Registrar
Follow these instructions. See the WebSphere Application Server information center
for more information on extracting and adding certificates.
1. Log in to the Integrated Solutions Console for the Lotus Sametime product
server.
2. Click Security → SSL certificate and key management → SSL configurations →
CellDefaultSSLSettings → Key stores and certificates → CellDefaultTrustStore
→ Signer certificates
3. Select the alias named root, and click Extract.
4. Enter the name of the .cer file, and select Base64 as the type for storing the
process server signer certificate.
5. Log in to the Integrated Solutions Console for the Lotus Sametime System
Console.
6. Click Security → SSL certificate and key management → SSL configurations →
CellDefaultSSLSettings → Key stores and certificates → CellDefaultTrustStore
→ Signer certificates
7. Click Add.
8. Enter an alias.
9. Enter the file name where you stored the extracted process server signer
certificate from the product server.
10. Click Apply.
11. Restart the Lotus Sametime System Console deployment manager.
If you are configuring the Lotus Sametime Media Manager to use SSL (Secure
Socket Layer), make sure the server’s certificate has been added to the Sametime
System Console’s trust store.
Note: The Lotus Sametime Media Manager does not support TLS. It supports
SSL between servers, but not between the server and the client.
6. Click Save.
7. If you enabled SSL, then you must restart the Lotus Sametime System Console
for the changes to take effect.
Follow the instructions in this section to set up SSL, HTTP tunneling, and user
authentication.
You can encrypt communications for Lotus Sametime Services and the
communication between Lotus Sametime and Web browsers. You can also encrypt
communications between an LDAP server and the Lotus Sametime server with the
LDAPS protocol.
Enabling encryption for Lotus Sametime Services, and between Lotus Sametime
and Web browsers:
Configure SSL encryption for IBM Lotus Sametime Services and enable HTTPS for
Web browsers.
Enabling SSL encryption with the HTTPS (browser-based) protocol involves the
following tasks:
Because IBM Lotus Sametime resides on an IBM Lotus Domino server, you must
enable the Lotus Domino server’s HTTP component to support Secure Socket
Layer (SSL) before you can configure the Lotus Sametime server to encrypt
communications.
Follow these steps in the Lotus Domino Administrator information center to set up
a Lotus Domino server to support SSL for HTTP connections:
Set up SSL encryption on the IBM Lotus Sametime server by importing the SSL
certificate used by IBM Lotus Domino and configuring the Lotus Sametime server
to use it.
Install the GSKit and use the IKeyMan program to create a keystore on the Lotus
Sametime server before you import the Lotus Domino server’s SSL certificate and
complete configuration changes to enable support for SSL. Complete the following
tasks in the sequence shown:
Install the IBM GSKit with the IBM IKeyMan utility and then create a keystore file
to hold the IBM Lotus Domino server’s SSL certificate.
Lotus Sametime on IBM i already includes a keystore file called stkeys.jks, so you
can skip this procedure and proceed directly to obtain and import a copy of the
SSL certificate from the Lotus Domino server into the Lotus Sametime server.
On IBM AIX, Linux, Solaris, and Microsoft Windows, you must create the keystore
file yourself by completing the following tasks:
The IBM IKeyMan utility is contained in the GSKit program, so you must install
both on the IBM Lotus Sametime server before you can set up a keystore file.
The Lotus Sametime server must store a copy of the IBM Lotus Domino server’s
SSL trusted root certificate to complete the SSL handshake when making an SSL
connection to a browser-based client. Before you can import the SSL certificate
from the Lotus Domino server, user the GSKit and IKeyMan utility to create a
keystore file on the Lotus Sametime server for storing the certificate.
Notes:
v On IBM i, Lotus Sametime comes with the IKeyMan utility already installed, but
you must install DCM software instead; the instructions are in this section.
v You only need to install GSKit and IKeyMan once. If you have already installed
these programs during an earlier procedure, you can skip this task.
The instructions for installing DCM, or the GSKit and the IKeyMan utility, vary
according to your server’s operating system; use the instructions in the appropriate
topic:
Install the GSKit with the IKeyMan utility on an IBM Lotus Sametime server that
runs on IBM AIX.
IBM Lotus Domino also ships with a version of GSKit, but for this task you must
use the version included with Lotus Sametime.
Install the GSKit with the IKeyMan utility on an IBM Lotus Sametime server that
runs on Linux.
IBM Lotus Domino also ships with a version of GSKit, but for this task you must
use the version included with Lotus Sametime.
Note: The examples show release 7 of GSKit, but this program is periodically
updated in the Lotus Sametime kits, so you may find that a newer version of
GSKit was installed on your server.
For example:
rpm -i gsk7bas-7.0-3.31.i386.rpm
6. Edit the java.security file as follows:
a. Navigate to the /opt/ibm/lotus/notes/latest/linux/ibm-jre/jre/lib/
security/ directory.
b. Open the java.security file.
c. Use a text editor to add com.ibm.spi.IBMCMSProvider to the list of providers
in the java.security file as follows:
security.provider.5=com.ibm.spi.IBMCMSProvider
The example below illustrates this line added to the java.security file (notice
that the preference numbers must be in sequence):
#
security.provider.1=com.ibm.jsse.IBMJSSEProvider
security.provider.2=com.ibm.crypto.provider.IBMJCE
security.provider.3=com.ibm.security.jgss.IBMJGSSProvider
security.provider.4=com.ibm.security.cert.IBMCertPath
security.provider.5=com.ibm.spi.IBMCMSProvider
#
d. Save and close the file.
7. Navigate to the /opt/ibm/lotus/notes/latest/linux/ibm-jre/jre/lib/ext
directory, and delete the gskikm.jar file.
8. Set the JAVA_HOME environment variable to the Java VM installed under the
Lotus Sametime binaries directory:
JAVA_HOME=/opt/ibm/lotus/notes/latest/linux/ibm-jre/jre export JAVA_HOME
Install the GSKit with the IKeyMan utility on an IBM Lotus Sametime server that
runs on Solaris.
IBM Lotus Domino also ships with a version of GSKit, but for this task you must
use the version included with Lotus Sametime.
Install the GSKit with the IKeyMan utility on an IBM Lotus Sametime server that
runs on Windows.
IBM Lotus Domino also ships with a version of GSKit, but for this task you must
use the version included with Lotus Sametime.
To install GSKit and IKeyMan on Microsoft Windows, follow the steps below:
1. Log on to the Lotus Sametime server as the Windows administrator.
2. Stop the Lotus Domino and Lotus Sametime server.
3. Download the GSKit directory to a temporary location on the server.
Information on downloading packages for Lotus Sametime is located in the
Lotus Sametime Download document.
4. Open a command prompt and navigate to your server’s copy of the GSKit
directory.
5. Install GSKit and IKeyMan by running the following command:
setup.exe GSKit Sametime_install_root -s -f1setup.iss
Note: The examples show release 7 of GSKit, but this program is periodically
updated in the Lotus Sametime kits, so you may find that a newer version of
GSKit was installed on your server.
a. Verify that a folder called ibm\gsk7 now exists under the Lotus Sametime
installation directory.
b. Verify that the HKLM\Software\ibm\gsk7 registry key has been created on the
server.
7. Set the JAVA_HOME environment variable to the Java VM installed under the
Lotus Sametime binaries directory:
a. From the Windows desktop, right click on the My Computer icon and select
System Properties.
b. In the ″System Properties″ dialog box, select the Advanced tab.
c. Click the Environment Variables button.
d. In the ″New System Variable″ dialog box, click the New button under the
″System Variables″ list, and enter the following information:
Table 5. Defining the new JAVA_HOME environment variable
Variable name Variable value
JAVA_HOME Sametime_install_root\ibm-jre\jre
For example:C:\Lotus\Sametime\ibm-jre\jre
Use the IBM IKeyMan utility and to create a keystore file on the IBM Lotus
Sametime server, which will be used for storing a copy of the IBM Lotus Domino
server’s SSL certificate.
On IBM AIX, Linux, and Solaris, create a keystore file is called keys.jks; on
Microsoft Windows, call it stkeys.jks.
Option Description
Key database type Accept the default of jks.
File name Enter a file name for the key database:
v AIX, Linux, Solaris: keys.jks
v Windows: stkeys.jks
Location Choose the directory in which the
″stkeys.jks″ file will be stored. The examples
in this documentation assume the file is
stored in the Sametime_install_root/jvm/
bin directory.
5. In the ″Password″ dialog box, complete these fields and then click OK:
Option Description
Password Type the password that you will use to
access the keystore. You will need this
password later in the procedure.
Confirm password Type the password again to confirm it.
Set expiration time? Click this option to enable it and type the
number of days for which the password will
remain valid.
When the IBM Lotus Domino server is configured to use SSL, an SSL server
certificate is received from a Certification Authority (CA) and merged into the
Lotus Domino Server Certificate Admin database. When you configure SSL for
IBM Lotus Sametime, you import a copy of this certificate to the Lotus Sametime
server.
There are two versions of the SSL certificate that you can use:
Obtaining the SSL certificate directly from the Lotus Domino server:
When configuring SSL for IBM Lotus Sametime, you can import a copy of the SSL
certificate directly from the IBM Lotus Domino server.
When the Lotus Domino server was configured to use SSL, an SSL server
certificate was received from a Certification Authority (CA) and merged into the
Lotus Domino Server Certificate Admin (certsrv.nsf) database. In this procedure,
you export a copy of that certificate and save it as a file so that you can import it
into Lotus Sametime in a later task.
1. Open a browser and navigate to the Lotus Domino server where you enabled
SSL.
Note: The steps below use the Microsoft Internet Explorer browser; steps for
your own browser may differ.
You can locate the Lotus Domino server by navigating to the Lotus Sametime
server that is hosted on the same computer, using an address similar to the
following (replace Sametime.acme.com with your fully qualified Internet host
name):
https://Sametime.acme.com
2. Install the SSL certificate in Microsoft Internet Explorer to ensure it is available
for export:
a. When prompted to ″select the certificate to use when connecting,″ click OK.
b. At the ″Security Alert″ dialog box, click View Certificate.
c. At the ″Certificate″ dialog box, click Install Certificate.
d. At the ″Certificate Manager Import Wizard″ screen, click Next.
e. Click the Automatically select the certificate store based on the type of
certificate option, and then click Next.
f. Back at the ″Certificate Manager Import Wizard″ screen, click Finish.
g. When the message indicating that the SSL server certificate was imported
successfully appears, click OK repeatedly until you have closed all of the
dialog boxes.
3. Now export the SSL certificate from Internet Explorer and save it as a file.
a. From the browser, click Tools → Internet Options.
b. Click the Contents tab.
c. Click the Certificates button.
d. Click the Other People tab.
Note: On IBM i, save the file directly to your server if you have mapped to
the server drive. Otherwise, save the file on your client workstation and
transfer it to your IBM i server later.
j. When the message appears indicating the export was successful, click OK.
If you are unable to obtain a copy of the IBM Lotus Domino server’s SSL
certificate, you can request a trusted root certificate from a CA or export a trusted
root certificate from your Web browser.
If you need to obtain a trusted root certificate, you must obtain the same trusted
root certificate that is used by the Domino server to sign the Domino SSL server
certificate. For example, if the VeriSign Class 4 Public Primary Certification
Authority trusted root certificate is used to sign the Domino SSL server certificate,
you must either export this certificate from your Web browser or request a
VeriSign Class 4 Public Primary Certification Authority trusted root certificate from
VeriSign.
There are two ways to obtain a copy of the trusted root certificate:
When configuring SSL for the IBM Lotus Sametime server, you can import a copy
of the trusted root certificate that was used for signing the IBM Lotus Domino
server’s own SSL certificate from a Web browser, and then import it in the Lotus
Sametime server’s key store.
Rather than obtaining a copy of the Lotus Domino server’s own SSL certificate,
you may choose to obtain a copy of the trusted root certificate that was used for
signing the Lotus Domino server’s certificate. The easiest way to obtain a trusted
root certificate is to export one from your Web browser.
Note: You must use the same trusted root that signed the Lotus Domino server’s
own SSL certificate.
The procedure below illustrates how you can export a trusted root certificate from
a Microsoft Internet Explorer Web browser:
1. From the browser, click Tools → Internet Options.
2. Click the Contents tab.
3. Click the Certificates button.
4. Select the Trusted Root Certification Authorities tab.
5. Select the appropriate trusted root certificate from the list.
6. Click the Export button.
7. At the ″Certificate Manager Export Wizard″ screen, click Next.
8. At the ″Certificate Export File″ screen, select Base64 encoded X.509 (.CER),
and then click Next.
9. At the ″Export File Name″ screen, provide a name for the file, select the Lotus
Sametime server’s data directory as the location where you want to store the
file, and then click Next.
For example, on Windows, you might enter SSLservercertificate.cer as the
file name. and select C:\Lotus\Domino\data as the location.
Note: On IBM i, save the file directly to your server if you have mapped to
the server drive. Otherwise, save the file on your client workstation and
transfer it to your IBM i server later.
10. When the message appears indicating that the export was successful, click
OK.
When configuring SSL for the IBM Lotus Sametime server, you can obtain a copy
of the trusted root certificate used for signing the IBM Lotus Domino server’s SSL
certificate from the original Certificate Authority.
If you are unable to obtain a copy of the Lotus Domino server’s SSL server
certificate, you can request a copy of the trusted root certificate from a CA.
Normally, you request a certificate from a CA by browsing to the CA’s web site.
For example, follow these steps to request a certificate from VeriSign:
1. Open a browser and navigate to the VeriSign site:
www.verisign.com
2. Follow the instructions on the Web site to request a certificate.
Once the certificate request is approved, you will receive an e-mail explaining
how to pick up the certificate.
3. Pick up the certificate as instructed (for example, by browsing to the Web site
and copying it from a field on the specified page).
Importing the Lotus Domino server’s SSL certificate into the keystore:
After you obtain a copy of either the IBM Lotus Domino server’s own SSL
certificate, or the trusted root certificate that was used to sign it, import your copy
into the IBM Lotus Sametime server’s keystore.
The procedure for importing the SSL certificate depends on your operating system:
To enable SSL between IBM Lotus Sametime running on IBM AIX, Linux, or
Solaris, import the IBM Lotus Domino server’s SSL certificate into the keystore.
Make sure you have copied one of the following certificates from the server into
the Lotus Sametime server’s data directory:
v CA.txt (the trusted root certificate)
v Server.txt (the SSL server certificate)
Follow the steps below to import the SSL certificate into the keystore on the Lotus
Sametime server:
1. Verify that the ikeyman.sh file’s SAMETIME_HOME variable specifies the
correct path for your server’s installation directory, modifying it as needed.
The default installation directories for Lotus Sametime are as follows:
v AIX: /opt/ibm/lotus/notes/latest/ibmpow
v Linux: /opt/ibm/lotus/notes/latest/linux
v Solaris: /opt/ibm/lotus/notes/latest/sunspa
2. Make sure the ikeyman.sh file has execute privileges.
3. Start the ikeyman.sh utility.
The ikeyman.sh utility requires a graphical interface. If you run it in a text-only
terminal, be sure to redirect the display to an x-windows session.
4. Click the Add button.
5. In the ″Add CAs certificate from a File″ dialog box, do the following:
a. Verify that Base64-encoded ASCII data is selected as the ″Data type″.
b. Set the Certificate file name to the name of the text file (for example,
CA.txt) into which you copied the certificate.
c. Set the Location to the location to which you transferred the CA.txt file in
the previous procedure (for example, /local/notes/data).
d. Click OK.
6. Close IKeyMan after the file is imported successfully.
Make sure you have copied one of the following certificates from the server into
the Lotus Sametime server’s data directory:
v CA.txt (the trusted root certificate)
v Server.txt (the SSL server certificate)
Follow the steps below to import the SSL certificate into the keystore on the Lotus
Sametime server:
1. From an IBM i command line, run the following command to start qshell:
strqsh
2. From qshell, run the following keytool command:
keytool -import -alias certificate_name
-file certificate_filename
-storepass keystore_password
-keystore keystore_path_and_filename
Where:
v certificate_name is CA.txt
v certificate_filename is also CA.txt
v keystore_password is ″sametime.″
Make sure you have copied one of the following certificates from the server into
the Lotus Sametime server’s data directory:
Follow the steps below to import the SSL certificate into the keystore on the Lotus
Sametime server:
1. Open a command prompt and navigate to the Sametime_install_root\IBM\
gsk6\bin directory.
The default installation path for Lotus Sametime is C:\Lotus\Domino.
2. Start the IKeyMan utility by running the gsk6ikm.exe program.
3. Browse to and select the stkeys.jks key store file.
4. Enter the password required to access this file.
5. In the ″Key database content″ area, select Signer certificates.
6. Click the Add button.
7. In the ″Add CAs certificate from a File″ dialog box, do the following:
a. Verify that Base64-encoded ASCII data is selected as the ″Data type″
b. Browse to and select the SSL certificate you want to import.
c. Click OK.
8. In the ″Enter a Label″ dialog box, do the following:
a. Type a label for the certificate.
This label identifies the certificate in the Signer Certificates list of the IBM
IKeyMan program.
b. Click OK.
The new certificate’s label appears in the list of Signer Certificates.
9. Close the stkeys.jks keystore file .
10. Close the IKeyMan utility.
Modify the configuration of the IBM Lotus Sametime server to encrypt connections
for Lotus Sametime servlets and the STPolicy.
Modify the IBM Lotus Sametime server’s sametime.ini file on IBM AIX, Linux, or
Solaris to support Secure Socket Layer (SSL) encryption.
Note: Specify the complete path name of the key.jks file for both the
javax.net.ssl.keyStore and the javax.net.ssl.trustStore settings. Specify
the password that you provided for key.jks when you created it for both the
javax.net.ssl.keyStorePassword and javax.net.ssl.trustStorePassword
settings.
5. If these two lines appear in the sametime.ini file, remove them:
javax.net.ssl.trustStoreType=JKS
javax.net.ssl.keyStoreType=JKS
6. Save and close the sametime.ini file.
7. Restart the Lotus Sametime server.
Modify the IBM Lotus Sametime server’s sametime.ini file on IBM i to support
Secure Socket Layer (SSL) encryption.
To modify the Sametime configuration for IBM i, complete the following steps:
1. Stop the Lotus Sametime server.
2. Use a text editor to open the sametime.ini file.
This is located in the Lotus Sametime server’s data directory.
3. Locate the ConfigurationPort= setting. Make sure that it specifies the port on
which the Lotus Domino HTTP server listens for SSL connections (by default,
this is port 443), modifying the setting if necessary.
For example:
ConfigurationPort=443
4. If these settings are not present in the [Config] section at the bottom of the
sametime.ini file, manually type them in:
[Config]
ConfigurationSSLEnabled=true
javax.net.ssl.keyStore=stkeys.jks
javax.net.ssl.trustStore=stkeys.jks
javax.net.ssl.keyStorePassword=sametime
javax.net.ssl.trustStorePassword=sametime
Note: By default, the password for the stkeys.jks file is ″sametime.″ If you
change the password for stkeys.jks, you must change the setting of both
Modify the IBM Lotus Sametime server’s sametime.ini file on Microsoft Windows
to support Secure Socket Layer (SSL) encryption.
To modify the Sametime configuration for Windows, complete the following steps:
1. Stop the Lotus Sametime server.
2. Use a text editor to open the sametime.ini file, which is located in the
Sametime server installation directory (for example: C:\Program
Files\lotus\domino).
3. Verify that the ″ConfigurationPort=″ setting specifies the port on which the
Lotus Domino HTTP server listens for SSL connections (default port is 443).
For example:
ConfigurationPort=443
4. Verify that the [Config] section contains the following settings (or modify as
needed):
[Config]
ConfigurationSSLEnabled=true
javax.net.ssl.keyStore=c:\program files\lotus\domino\jvm\stkeys.jks
javax.net.ssl.trustStore=c:\program files\lotus\domino\jvm\stkeys.jks
javax.net.ssl.keyStorePassword=passw0rd
javax.net.ssl.trustStorePassword=passw0rd
Where:
v For the javax.net.ssl.keyStore and the javax.net.ssl.trustStore settings,
you specify the complete path name for the stkeys.jks file.
v For the javax.net.ssl.keyStorePassword and the
javax.net.ssl.trustStorePassword settings, you specify the password that
you provided for the stkeys.jks file when you created it.
5. Save and close the sametime.ini file.
6. Start the Lotus Sametime server.
Lotus Sametime Connect clients communicate with the Lotus Sametime server by
directing messages to the HTTP server, which listens on port 80. When SSL is
enabled, port 443 is normally used for sending encrypted messages; however, the
Lotus Domino server (which hosts Lotus Sametime) is already listening on port 443
for encrypted Web-based communications. If Lotus Sametime Connect clients also
send messages to the HTTP server on port 443, a conflict arises.
Bind the server’s base DNS to the HTTP server by completing the following steps:
1. On the Lotus Sametime server, open the Sametime Administration Tool.
2. Click Configuration → Connectivity → Networks and Ports.
3. On the ″Networks and Ports″ page, click Configure HTTP services on a Web
page in its own window.
The ″HTTP″ section of the Lotus Domino Directory’s Server document opens in
a separate window.
4. Locate the Host name field.
5. Under the ″Basics″ heading, type the base DNS for the HTTP server (for
example: sametime1.acme.com).
To add a new IP address to a Lotus Sametime server, you can either install an
additional Network Interface Card (NIC) or assign multiple IP addresses to a
single NIC. For additional information, see IBM Tech Note #1181387, ″Forcing a
Sametime server with multiple NICs to bind to the correct IP address,″ at:
www.ibm.com/support/docview.wss?rs=899&uid=swg21181387
Configure an IBM Lotus Sametime server to map an IP address to the specific DNS
and port used by Lotus Sametime Community Services.
You must have already assigned the IP address to the Lotus Sametime server.
Set up your DNS server to map the new IP address to a new DNS name for the
Lotus Sametime server’s Community Services.
To avoid confusion, it is recommended that your new DNS for the Community
Services use the old DNS name plus ″community-″ as a prefix. For example, if
your base DNS for the server is sametime1.acme.com, use the following name for
the new DNS:
community-sametime1.acme.com
Configure the IBM Lotus Sametime Community Services to listen for client
communications using the new DNS and port 443.
You must have already assigned an additional IP address to the Lotus Sametime
server, then mapped a new DNS to it for use by the Community Services.
1. On the Lotus Sametime server, open the Sametime Administration Tool.
2. Click Configuration → Connectivity → Networks and Ports.
3. On the ″Networks and Ports″ page, click Community Services Network →
Address for HTTPS-tunneled client connections and fill in the following
fields:
Option Description
Host name community-base_DNS
Results
With this configuration, the Lotus Sametime Community Services multiplexer will
listen for HTTPS-tunneled connections using host name community-
sametime1.acme.com on port 443.
Every Lotus Sametime Connect client located outside of the firewall requires this
configuration to tunnel through the firewall to the Lotus Sametime Community
Services.
For each Lotus Sametime Connect client, configure the following settings in the
″Sametime Connectivity″ tab:
Option Description
Host Type the new DNS that you mapped to the
IP address that will be used for the
Community Server.
Configure SSL encryption between an IBM Lotus Sametime server and an LDAP
server by enabling the LDAPS protocol.
When you enable this protocol, you can choose whether to encrypt only the data
used for authenticating users in Lotus Sametime, or to encrypt all data that is
transmitted between the two servers.
Note: If you are using an IBM Lotus Domino Directory and it is not configured as
an LDAP directory, this section does not apply to you. You can skip these
procedures.
Enabling SSL encryption for an LDAP server involves the following tasks:
You must enable SSL on your LDAP server before you can configure the IBM
Lotus Sametime server to encrypt its communications with the LDAP directory.
Note: If you are using a Domino Directory and Lotus Sametime is not configured
with an LDAP directory, this section does not apply to you and you should skip
these procedures.
The procedure for enabling SSL depend on the LDAP directory that you use:
You must enable the IBM Lotus Domino server’s LDAP component to support SSL
before you can configure the IBM Lotus Sametime server to encrypt its
communications with the Lotus Domino LDAP Server.
Follow these steps in the Lotus Domino Administrator information center to set up
a Lotus Domino server to support SSL for LDAP connections:
Using SSL to encrypt connections between the Sametime and LDAP servers:
The Sametime and LDAP servers exchange directory information, including user
names and passwords, over these connections. To ensure this information is secure,
the administrator can use SSL to encrypt the data that passes over these
connections. The administrator should consider the level of protection required
before enabling SSL. Using SSL to encrypt these connections can slow the server
performance. The administrator has the following options when using SSL to
encrypt the data transmitted between the Sametime and LDAP servers:
v Encrypt all data - This option encrypts all directory information (both user
names and passwords) that is transmitted between the Sametime server and the
LDAP server. If you encrypt all data, all five connections between the Sametime
server and LDAP server are encrypted with SSL. This option provides the most
security but also has the greatest affect on server performance.
v Encrypt only user passwords - This option encrypts passwords but not other
directory information (such as user names) passing over the connections
between the Sametime and LDAP servers. If you encrypt only user passwords,
only the ″authenticating users″ connection between the Sametime server and the
LDAP server is encrypted with SSL. This option provides an intermediate level
of security and has less affect on server performance than encrypting all of the
data.
v Encrypt no data - This option allows all directory information and passwords to
pass unencrypted between the Sametime and LDAP servers. This option does
not affect server performance and should be used if the administrator feels there
is no chance that an unauthorized user can intercept information transmitted
over the connections between the Sametime and LDAP servers
v Using SSL to encrypt connections between the Sametime servlet and LDAP
v Ensuring the Sametime server trusts the LDAP server certificate on Windows
and AIX/Solaris/Linux servers
Setting up a keystore for the SSL certificate used by the LDAP server:
On IBM AIX, Linux, Microsoft Windows, and Sun Solaris, install the GSKit
program and the IBM IKeyMan utility so you can store a copy of the LDAP
server’s SSL certificate. On IBM i, install the DCM (Digital Certificate Manager)
program instead.
The Lotus Sametime server must store a copy of LDAP Server’s SSL trusted
certificate to complete the SSL handshake when making an SSL connection to that
LDAP server. Before you can import the SSL certificate from the LDAP Server, you
will use the GSKit program and IKeyMan utility (the DCM program on IBM i) to
create a keystore file on the Lotus Sametime server for storing the certificate.
Note: You only need to install these programs once. If you have already installed
these programs during an earlier procedure, you can skip this task.
The instructions for installing GSKit and IKeyMan, or DCM, vary according to
your server’s operating system. Use the instructions in the appropriate topic:
Install and set up the DCM (Digital Certificate Manager) program on an IBM i
server hosting IBM Lotus Sametime, and ensure that Lotus Sametime trusts the
LDAP server’s SSL certificate.
Set up DCM and ensure that Lotus Sametime trusts the LDAP server by
completing the following tasks:
Install the DCM (Digital Certificate Manager) program on an IBM i server that
hosts IBM Lotus Sametime.
On IBM i, SSL certificates are managed using the integrated DCM program. You
must install and set up DCM before you can establish SSL encryption for
communications between the IBM i server’s LDAP client and the deployment’s
LDAP server. All of the following software must be installed on the IBM i server
where your Lotus Sametime server is located:
v 5722-SS1 Option 34, Digital Certificate Manager
v 5722-DG1, IBM HTTP Server
v 5722-AC3, Crypto Access Provider 128-bit
If you need more detailed information about setting up and using DCM in order to
complete the steps in this section, see the IBM i information center at:
www.ibm.com/as400/infocenter
Ensuring that the LDAP client trusts the LDAP server’s certificate:
Ensure that the IBM i LDAP client trusts the SSL certificate used by the LDAP
server with which it communicates.
IBM Lotus Sametime for IBM i uses the LDAP client included with the IBM
Directory Server that is installed as part of the IBM i operating system. Enable the
LDAP client to trust the LDAP server by importing the server’s SSL certificate into
the store on the client (the IBM i server) and then adding the Certificate Authority
to the trust list.
1. Use the DCM (Digital Certificate Manager) program to determine whether the
CA Certificate that signed the LDAP directory server’s certificate is already
included in the DCM *SYSTEM certificate store.
Well-known public Internet Certificate Authorities (CA) that most Web
browsers can recognize readily, such as VeriSign, are already included in the
DCM. If the appropriate CA is included in the certificate store, you have
finished this task; skip the remaining steps.
If the CA used by your LDAP server’s certificate does not appear in the DCM
*SYSTEM certificate store, import it now by completing the remaining steps in
this procedure.
2. Import the LDAP directory server’s certificate into the DCM *SYSTEM
certificate store.
3. Use DCM to add the CA Certificate to the trust list of the IBM Directory Server
LDAP client application.
The application ID is QIBM_GLD_DIRSRV_CLIENT.
Ensuring that Lotus Sametime has access to the *SYSTEM certificate store:
Assign IBM Lotus Sametime access to the IBM i *SYSTEM certificate store.
Lotus Sametime must be able to access certificates located in the DCM *SYSTEM
certificate store when connecting to an LDAP server using SSL. The DCM
*SYSTEM certificate store is located in the /qibm/userdata/icss/cert/server
directory on an IBM i server.
QNOTES is an IBM i user profile created by IBM Lotus Domino and used by Lotus
Sametime. By default, the QNOTES user profile does not have access to the DCM
*SYSTEM certificate store or the /qibm/userdata/icss/cert/server directory,
although the higher level directories usually have *PUBLIC *RX authority which
allows QNOTES to access those directories.
Setting up GSKit, IKeyMan, and the key database on AIX, Linux, Solaris, Windows:
Install the GSKit program and the IBM IKeyMan utility on IBM AIX, Linux,
Microsoft Windows, or Solaris and then use IKeyMan to create a key database for
storing the LDAP server’s SSL certificate.
Install the programs and create the key database by completing the following
tasks:
Install the GSKit program and the IBM IKeyMan utility on IBM AIX, Linux,
Microsoft Windows, or Solaris.
Install GSKit and IKeyMan by following the steps in the appropriate topic for your
operating system:
Install the GSKit with the IKeyMan utility on an IBM Lotus Sametime server that
runs on IBM AIX.
IBM Lotus Domino also ships with a version of GSKit, but for this task you must
use the version included with Lotus Sametime.
Install the GSKit with the IKeyMan utility on an IBM Lotus Sametime server that
runs on Linux.
IBM Lotus Domino also ships with a version of GSKit, but for this task you must
use the version included with Lotus Sametime.
Note: The examples show release 7 of GSKit, but this program is periodically
updated in the Lotus Sametime kits, so you may find that a newer version of
GSKit was installed on your server.
For example:
rpm -i gsk7bas-7.0-3.31.i386.rpm
6. Edit the java.security file as follows:
Install the GSKit with the IKeyMan utility on an IBM Lotus Sametime server that
runs on Solaris.
IBM Lotus Domino also ships with a version of GSKit, but for this task you must
use the version included with Lotus Sametime.
Note: The examples show release 6 of GSKit, but this program is periodically
updated in the Lotus Sametime kits, so you may find that a newer version of
GSKit was installed on your server.
a. Uncompress and untar the gsk6bas.tar.Z file.
b. Use one of the following methods to install GSKit:
v Use the admintool application.
v Use the pkgadd command; for example:
pkgadd -d /var/spool/pkg gsk6bas
6. Use a text editor to add com.ibm.spi.IBMCMSProvider to the list of providers in
the java.security file as follows:
Install the GSKit with the IKeyMan utility on an IBM Lotus Sametime server that
runs on Windows.
IBM Lotus Domino also ships with a version of GSKit, but for this task you must
use the version included with Lotus Sametime.
To install GSKit and IKeyMan on Microsoft Windows, follow the steps below:
1. Log on to the Lotus Sametime server as the Windows administrator.
2. Stop the Lotus Domino and Lotus Sametime server.
3. Download the GSKit directory to a temporary location on the server.
Information on downloading packages for Lotus Sametime is located in the
Lotus Sametime Download document.
4. Open a command prompt and navigate to your server’s copy of the GSKit
directory.
5. Install GSKit and IKeyMan by running the following command:
setup.exe GSKit Sametime_install_root -s -f1setup.iss
For example:
setup.exe GSKit C:\Program Files\Lotus\Domino -s -f1setup.iss
This command performs a silent installation of the IKeyMan program into the
Lotus Sametime installation directory.
6. Verify that the installation is successful:
Note: The examples show release 7 of GSKit, but this program is periodically
updated in the Lotus Sametime kits, so you may find that a newer version of
GSKit was installed on your server.
a. Verify that a folder called ibm\gsk7 now exists under the Lotus Sametime
installation directory.
For example:C:\Lotus\Sametime\ibm-jre\jre
Use the IBM IKeyMan utility on IBM AIX, Linux, Microsoft Windows, or Sun
Solaris to create a key database on the IBM Lotus Sametime server; the key
database will store a copy the LDAP server’s SSL certificate. Note that you do not
need to create a key database on IBM i.
Note: This procedure does not apply to IBM i because the keystore database is not
used by Lotus Sametime on IBM i.
The keystore database that you create for storing the LDAP server’s SSL certificate
is different from the keystore file used for storing the Lotus Domino server’s SSL
certificate and must use a different file name.
Option Description
Key database type CMS key database file
Note: You will not be able to select the CMS
key database unless you have added
com.ibm.spi.IBMCMSProvider to the
java.security file, as you were instructed to
when you installed GSKit and IKeyMan.
File name key.kdb
Note: If you enabled the HTTPS protocol,
make sure that this keystore database’s file
name is different from that file name, to
avoid conflicts.
Location Enter the path to the Sametime_install_root
(shown in Step 1)
4. In the ″Password″ dialog box, fill in the following fields and click OK:
Option Description
Password Enter the password you will use for
accessing this keystore database.
Confirm password Confirm the password by typing it again.
Stash the password to a file? Click this option to enable it.
A message appears, indicating that the password is encrypted and saved in the
location Sametime_install_root/key.sth.
When the key.kdb database is created, it contains several trusted root (or ″signer″)
certificates by default. If a trusted root certificate used by the LDAP server exists in
the key.kdb database by default, then you can skip this procedure.
If the key.kdb database does not contain an appropriate trusted root certificate by
default, you must obtain a trusted root certificate from the appropriate CA and
add it to the key.kdb database.
The procedure for importing the trusted root certificate depends on your operating
system:
To enable SSL between IBM Lotus Sametime running on IBM AIX, Linux, or Solaris
and an LDAP server, import the server’s trusted root certificate into the key
database.
Make sure you have copied one of the following certificates from the server into
the Lotus Sametime server’s data directory:
v CA.txt (the trusted root certificate)
v Server.txt (the SSL server certificate)
Follow the steps below to import the SSL certificate into the key database on the
Lotus Sametime server:
1. Verify that the ikeyman.sh file’s SAMETIME_HOME variable specifies the
correct path for your server’s installation directory, modifying it as needed.
The default installation directories for Lotus Sametime are as follows:
v AIX: /opt/ibm/lotus/notes/latest/ibmpow
v Linux: /opt/ibm/lotus/notes/latest/linux
v Solaris: /opt/ibm/lotus/notes/latest/sunspa
2. Make sure the ikeyman.sh file has execute privileges.
3. Start the ikeyman.sh utility.
The ikeyman.sh utility requires a graphical interface. If you run it in a text-only
terminal, be sure to redirect the display to an x-windows session.
4. Click the Add button.
5. In the ″Add CAs certificate from a File″ dialog box, do the following:
a. Verify that Base64-encoded ASCII data is selected as the ″Data type″.
b. Set the Certificate file name to the name of the text file (for example,
CA.txt) into which you copied the certificate.
To enable SSL between IBM Lotus Sametime running on IBM i and an LDAP
server, import the server’s trusted root certificate into the keystore file.
Make sure you have copied one of the following certificates from the server into
the Lotus Sametime server’s data directory:
v CA.txt (the trusted root certificate)
v Server.txt (the SSL server certificate)
Follow the steps below to import the SSL certificate into the keystore file on the
Lotus Sametime server:
1. From an IBM i command line, run the following command to start qshell:
strqsh
2. From qshell, run the following keytool command:
keytool -import -alias certificate_name
-file certificate_filename
-storepass keystore_password
-keystore keystore_path_and_filename
Where:
v certificate_name is CA.txt
v certificate_filename is also CA.txt
v keystore_password is ″sametime.″
Make sure you have copied one of the following certificates from the server into
the Lotus Sametime server’s data directory:
v CA.txt (the trusted root certificate)
v Server.txt (the SSL server certificate)
Follow the steps below to import the SSL certificate into the key database on the
Lotus Sametime server:
1. Open a command prompt and navigate to the Sametime_install_root\IBM\
gsk6\bin directory.
The default installation path for Lotus Sametime is C:\Lotus\Domino.
2. Start the IKeyMan utility by running the gsk6ikm.exe program.
3. Browse to and select the key.kdb key database.
4. Enter the password required to access this file.
5. In the ″Key database content″ area, select Signer certificates.
6. Click the Add button.
7. In the ″Add CAs certificate from a File″ dialog box, do the following:
a. Verify that Base64-encoded ASCII data is selected as the ″Data type″
b. Browse to and select the SSL certificate you want to import.
c. Click OK.
8. In the ″Enter a Label″ dialog box, do the following:
a. Type a label for the certificate.
This label identifies the certificate in the Signer Certificates list of the IBM
IKeyMan program.
b. Click OK.
The new certificate’s label appears in the list of Signer Certificates.
9. Close the key database.
10. Close the IKeyMan utility.
Modifying the IBM Lotus Domino Directory Assistance document is required when
you use SSL to encrypt data transmitted between the IBM Lotus Sametime and the
LDAP server.
In this procedure, you modify the Directory Assistance document for the LDAP
server to ensure that the connection between the Sametime server and the LDAP
server is encrypted using SSL.
1. From a Lotus Notes client, open the Directory Assistance database da.nsf.
a. Click File → Database → Open.
b. For the Server, select Local.
c. Select the Directory Assistance database (da.nsf).
Option Description
Channel encryption Select SSL.
Port Specify the same port that appears in the
LDAP SSL port field of the ″LDAP
Directory - Connectivity″ options in the
Sametime Administration Tool
Enable SSL encryption for connections between IBM Lotus Sametime and the
LDAP server.
1. Configure LDAP connectivity settings in the Sametime Administration Tool as
follows:
a. From the Lotus Sametime server’s home page, click the Administer the
Server link to open the Sametime Administration Tool.
b. Click LDAP Directory → Connectivity.
c. In the Host name or IP address of the LDAP server list, select the name of
the LDAP server.
d. Click the option called Use SSL to authenticate and encrypt the connection
between the Sametime server and the LDAP server.
e. In the LDAP SSL port field, specify the port on which the LDAP server is
listening for SSL LDAP connections (the default is port 636).
f. Click Update.
g. Close the Sametime Administration Tool.
At this point, you have enabled SSL encryption for all data that is transmitted
between the Lotus Sametime server and the LDAP server.
2. (Optional) To improve performance, you may choose to loosen security and
encrypt only user credentials as follows:
a. Open the sametime.ini file (located in the Lotus Sametime installation
directory).
b. Locate the [Directory] section within the file.
c. Add the following setting:
ST_DB_LDAP_SSL_ONLY_FOR_PASSWORDS=1
d. Save and close the file.
3. Restart the Lotus Sametime server
This configuration is necessary to enable the Business Card feature when you have
chosen to encrypt all data transmitted between the Lotus Sametime server and the
LDAP server, where the Business Card data is stored.
1. Open a command prompt and navigate to the following directory:
v IBM AIX, IBM i, Linux, Solaris: the Lotus Sametime server’s data directory
v Windows: the Lotus Sametime server’s installation directory
2. Open the UserInfoConfig.xml file in an editor and make the following changes:
a. Locate the <ReadStConfigUpdates> tag and set to value="false".
The statement should look like this:
<ReadStConfigUpdates value="false"/>
If this statement is not in the file, add it now; place it between the
<UserInformation> and <Resources> tags so that it looks like this:
<UserInformation>
<ReadStConfigUpdates value="false"/>
<Resources>
b. Locate the <StorageDetails> tag and set the following values:
SslEnabled="true"
SslPort="636"
Use the value of the port that your LDAP server listens on for SSL
communications (the default is port 636).
c. In the <SslProperties> tag, set the following values:
KeyStorePath="C:\Lotus\Domino\jvm\bin\key.jks_OR_stkeys.jks"
KeyStorePassword="password"
</SslProperties>
</SslProperties>
</SslProperties>
Where:
v KeyStorePath indicates the path to where the keystore database is stored.
On Windows and IBM i, the file is named stkeys.jks; on AIX, Linux, and
Solaris, the file is named keys.jks.
v KeyStorePassword indicates the password you created for accessing the
keystore database.
3. Save and close the file
The Lotus Sametime server includes two separate security features capable of
generating the authentication token used by Sametime:
v Domino Single Sign-On (SSO) authentication feature - The Domino SSO feature
must be enabled on a Lotus Sametime server.
If the Domino SSO feature is not enabled on the Domino server when you install
Lotus Sametime, the Lotus Sametime installation automatically enables and
configures the Domino SSO feature. In some environments, you might need to
Note: Notes client integration with Lotus Sametime (and therefore SSO with Lotus
Sametime) is not supported if the Lotus Sametime server is configured to use
Internet sites, as the Notes client protocol (NRPC) for obtaining an SSO token does
not work in concert with the use of Internet Sites. For more information on how to
configure SSO with a Web Configuration document, see the topic ″Altering the
Domino Web SSO configuration″ later in this chapter.
v Secrets and Tokens authentication databases - Lotus Sametime server releases
earlier than Lotus Sametime 3.0 used only the Secrets and Tokens authentication
databases to create authentication tokens. When Lotus Sametime 8.x operates in
environments that include servers from Lotus Sametime releases earlier than
Lotus Sametime 3.0, the Lotus Sametime 8.x server supports both the Domino
SSO feature and the Secrets and Tokens authentication databases.
A Lotus Sametime 8.x server supports Secrets and Tokens authentication by
default. The following are required to support Secrets and Tokens authentication:
– The Secrets and Tokens databases must be present on the server following a
Lotus Sametime server installation.
– The ″Allow users to authenticate using either LTPA token or Sametime Token
(stauths.nsf and stautht.nsf)″ option must be selected in the
Configuration-Community Services-General settings of the Sametime
Administration Tool.
Both conditions above exist on a Lotus Sametime server following the server
installation, so no additional procedures are required to support Secrets and
Tokens authentication following the installation. However, if you have enhanced
security by enabling the SametimeSecretsGenerator agent in one Secrets database
on one Lotus Sametime server in your community, you must ensure that this
Secrets database is replicated to all Lotus Sametime servers in the community.
For more information, see Replicating the Secrets database (optional).
The Domino Single Sign-On (SSO) feature must be enabled on the Sametime
server. This feature creates Lightweight Third Party Authentication (LTPA) tokens
Lotus Sametime also uses LTPA tokens to authenticate connections from Sametime
clients to the Community Services, Meeting Services, and Recorded Meeting
Broadcast Services on the Sametime server. These clients are Java applets and
include the Meeting Room client, and Recorded Meeting client.
Lotus Sametime supports two versions of LTPA tokens: LTPAv1 and LTPAv2. Lotus
Sametime allows authenticating by a single LTPA token or by a list of LTPA tokens.
For example, a client can send an LTPAv1 token and LTPAv2 token in the same
authentication request to authenticate a user. The Domino configuration determines
which token is validated.
The LTPA token types supported by Domino are configured in the Web SSO
document in names.nsf. When using a Domino SSO key, only LTPAv1 tokens are
supported. When importing a WebSphere LTPA key, both LTPAv1 and LTPAv2
tokens are supported by Domino. The supported formats are defined in the Token
Format field under the WebSphere Information section of the Web SSO document.
Lotus Sametime can generate a single LTPA token or a list of LTPA tokens
depending on the SSO key that is configured in Domino and the Token Format
field in the case of WebSphere LTPA keys.
Authentication by LTPA token occurs after a user has already authenticated once
using password authentication. For example, authentication by token on a
Sametime server might occur as follows:
1. A user accesses a Sametime Meeting Center database that requires
authentication or clicks the ″Log onto Sametime″ link in the Sametime Meeting
Center.
Note To successfully authenticate, the user must enter the fully qualified
domain name of the Sametime server (for example,
sametimeserver.meeting.acme.com) in the Web browser URL locator when
accessing the Sametime server.
2. An SSO logon form appears, and the user enters a valid user name and
password from the Domino Directory (or LDAP directory) to authenticate.
Note Sametime provides a custom Sametime SSO logon form that can be
enabled by the administrator. If the custom logon form is not enabled, the
standard Domino SSO logon form displays to the user.
3. After a successful authentication, the Domino Single Sign-On (SSO) feature
generates an LTPA token containing the user’s authentication information and
passes the token to the user’s Web browser in a cookie.
The user’s Web browser must have cookies enabled to accept the LTPA token.
The same LTPA token described above can be used to authenticate the user when
the user accesses other Sametime, Domino, or WebSphere servers in the same DNS
domain during a single Web browser session. The other Sametime, Domino, or
WebSphere servers must also support the SSO feature (that is, the servers must
accept LTPA tokens).
If the Domino SSO feature is not enabled when you install Sametime, the
Sametime installation automatically enables and configures the Domino SSO
feature. In some environments, it may be necessary to alter the SSO configuration
following the Sametime server installation. For more information, see Altering the
Domino Web SSO configuration following the Sametime server installation.
Related concepts
Authentication by token using Secrets and Tokens databases
To authenticate by token, the Sametime server can accept an authentication token
created by the Secrets and Tokens authentication databases, the Domino Single
Sign-On (SSO) feature, or both. The Sametime server can also generate tokens
using the Secrets and Tokens authentication databases or the Domino SSO feature.
Altering the Domino Web SSO configuration following the Lotus Sametime
server installation:
The IBM Lotus Sametime installation automatically enables and configures the
Domino SSO feature on the Domino server. In some cases, it may be necessary to
alter the default configuration of the Domino SSO feature following the Lotus
Sametime server installation.
This topic discusses the following issues pertaining to the Lotus Sametime
installation and the Domino SSO feature:
v SSO configurations performed by the Lotus Sametime installation - This
section explains how the Lotus Sametime installation configures the Domino
Web SSO feature. You can use this information to determine if it is necessary to
alter the default SSO configuration following a Lotus Sametime server
installation.
v Altering the SSO configuration - This section explains the most common
reasons for altering the SSO configuration following the Lotus Sametime server
installation. In multiple Lotus Sametime server environments, it is frequently
necessary to add the Domino server names of Lotus Sametime servers to the
Domino Web SSO Configuration document.
v Viewing and editing the Domino Web SSO configuration document - This
section explains how to edit the Domino Web SSO configuration document in
the Domino Directory. This document contains the parameters for the Web SSO
configuration that you may need to change.
v Lotus Sametime includes a custom SSO logon form. See Using the Lotus
Sametime custom logon form for SSO for information about enabling this form
following the Lotus Sametime server installation.
The Lotus Sametime installation enables the Domino SSO feature and performs the
SSO configurations described below. The Lotus Sametime installation:
v Generates an LTPA token named LtpaToken. This token (or cookie) is used to
authenticate Web browser and Lotus Sametime client connections to the Lotus
Sametime server.
v Creates a Web SSO Configuration document and populates the following fields
in the Web SSO Configuration document:
– DNS Domain - To populate the DNS Domain field, the installation determines
the fully-qualified domain name of the Lotus Sametime server machine and
then subtracts the hostname value from the fully-qualified domain name.
For example, if the installation determines the fully qualified name of the
Lotus Sametime server is ″Sametimeserver.east.acme.com,″ the installation
writes ″.east.acme.com″ in the DNS Domain field.
The LTPA token is then valid for the servers that belong to the DNS domain
specified in the DNS Domain field.
– Expiration (minutes) - This field specifies the length of time for which the
LTPA token is valid. This value is 30 minutes by default. You may want to
provide a longer value for the token expiration. Lotus software recommends a
setting of 120 minutes.
– Domino Server Names: Each Domino/Sametime server that can accept the
SSO token must be listed in the Domino Server Names field. By default, the
installation writes only the name of the Domino server on which Lotus
Sametime is installed in this field. It may be necessary to add the names of all
other Domino/Sametime servers in the community to this field. For more
information, see Altering the SSO configuration.
v Alters the Sametime/Domino server Server document. The installation changes
the Internet Protocols-Domino Web Engine-Session authentication field in the
Server document to the value ″Multiple servers (SSO).″ The Server
authentication field must have the ″Multiple servers (SSO)″ value even if your
Lotus Sametime community uses only one Lotus Sametime server. If the
″Multiple server (SSO)″ value is not selected, the SSO feature will not function
properly for Lotus Sametime.
v Automatically configures the Lotus Sametime server to use the Lotus Sametime
custom logon form for SSO. To enable the custom logon form, the Sametime
installation:
– Creates a Domino Configuration database named domcfg.nsf in the root data
directory of the Domino server.
Note: If a domcfg.nsf database already exists on the Domino server when
Lotus Sametime is installed, the Lotus Sametime installation overwrites the
existing domcfg.nsf database.
– Creates a ″Mapping a Login Form″ document in the domcfg.nsf database.
– Populates the following fields in the Mapping a Login Form document:
Target database filename - This field is set to the value ″stcenter.nsf.″
Target form name - This field is set to STLogonForm.nsf.
The default configuration outlined above meets the basic requirements necessary
for a Lotus Sametime server to support SSO. In some cases, it may be necessary for
the administrator to alter the ″DNS Domain″ field or the ″Domino Server Names″
field of the Domino Web SSO Configuration document following the Lotus
Sametime server installation.
v Altering the DNS Domain field - The Lotus Sametime installation may not
always accurately detect the fully-qualified domain name of the Lotus Sametime
server machine. If this problem occurs, the DNS Domain field may not specify
the appropriate DNS domain. The administrator might need to manually edit
the Domino Web SSO Configuration document to add the appropriate entry in
the DNS Domain field of the Domino Web SSO Configuration document. Follow
the instructions in ″Viewing and editing the Domino Web SSO Configuration
document″ below to manually edit the document.
v Altering the Domino Server Names field - If the Lotus Sametime community
consists of multiple Sametime/Domino servers, the Domino server names of all
of the Sametime/Domino servers in the Lotus Sametime community must exist
in the ″Domino Server Names″ field of the Domino Web SSO Configuration
document. By default, the installation writes only the name of the Domino
server on which Lotus Sametime is installed to this field. If you have multiple
Lotus Sametime servers, it may be necessary to manually open the Domino Web
SSO configuration document and enter the names of the Domino/Sametime
servers in the ″Domino Server Names″ field.
For example, if you have Sametimeserver1/East/Acme and
Sametimeserver2/East/Acme in your Sametime community, and you install
Sametimeserver3/East/Acme, only Sametimeserver3/East/Acme is written to
the Domino Server Names field during the Lotus Sametime installation. The
administrator may need to open the Domino Web SSO Configuration document
and manually enter the names Sametimeserver1/East/Acme and
Sametimeserver2/East/Acme in the ″Domino Server Names″ field on the
Domino Web SSO Configuration document on Sametimeserver3/East/Acme to
ensure that all servers in the community are entered in this field. To manually
open the Domino Web SSO Configuration document, see ″Viewing and editing
the Domino Web SSO Configuration document″ below.
Note that in multiple server environments, the Domino Directory may already
be replicated to the Domino server at the time the Lotus Sametime server is
installed. If the Domino Directory already exists on the server and contains a
Domino Web SSO configuration document, the Lotus Sametime installation will
not attempt to alter the existing configuration in any way. In this case, the
existing Domino Web SSO configuration document may already contain the
names of the existing servers in the community and it may be necessary to add
the name of the newly installed Lotus Sametime server to the Domino Web SSO
configuration document.
For example, the names Sametimeserver1/East/Acme and Sametimeserver2/
East/Acme may already exist in the Domino Web SSO configuration document
in the Domino Directory on the server reserved for the Sametimeserver3/East/
Acme installation. Since the Sametimeserver3/East/Acme installation does not
alter an existing SSO configuration, that server name will not appear in the
Domino Web SSO Configuration document following the Lotus Sametime server
installation. In this scenario, it is necessary to open the Domino Web SSO
configuration document in the Domino Directory on Sametimeserver3/East/
To view or edit the Web SSO configuration document that is created by the Lotus
Sametime installation, do the following:
1. From a Lotus Notes client, open the Domino Directory on the Lotus Sametime
server.
2. Choose the Configuration → Web → Web Configurations view.
3. In the right-hand pane, select the twistie to display the document under ″Web
SSO Configurations.″
4. Double-click on the document titled Web SSO Configuration for LtpaToken to
open the Domino Web SSO Configuration document.
5. Click Edit to put the document in edit mode.
6. Edit the appropriate field (for example, the DNS Domain or Domino Server
Names field).
7. Click Save and Close after editing the document.
Setting up SSO between Sametime Meeting Server and Sametime Community Server:
You should set up single sign-on (SSO) between the IBM Lotus Sametime Meeting
server and the Lotus Sametime Community Server. The Lotus Sametime Proxy
server does not need to be setup for SSO with the other two servers.
By default the Lotus Sametime installation creates a Domino SSO key. This key
should be replaced by the WebSphere LTPA key from the Lotus Sametime Meeting
Server to allow both Domino and WebSphere to have an identical key for token
validation and generation. Follow these steps to import the LTPA key from
WebSphere to Domino.
1. Log in to the Integrated Solutions Console for the Lotus Sametime Meeting
Server.
2. Click Security → Global Security.
3. Under Authentication, click LTPA.
4. Under Cross Cell single sign-on, Enter a Password, Confirm Password, and a
file name to store the key. Click Export keys. The file created will be imported
into the Lotus Domino server for the Lotus Sametime Community Server.
Note: Lotus Sametime 8.5 requires Lotus Domino 8.0 and higher; if you are
maintaining an older Lotus Sametime server it may be running a version of
Lotus Domino prior to R8.
In the Token Format field of the WebSphere Information section, select the
LTPA token formats to be supported by Domino.
v LtpaToken - LTPAv1 only
v LtpaToken2 - LTPAv2 only
v LtpaToken and LtpaToken2 - both LTPAv1 and LTPAv2 formats are
supported
With this last option selected, both tokens are created, but the token
returned to the client is determined by the TOKEN_TYPE_TO_RETURN
flag under the AuthToken section of sametime.ini. The default value is
LTPA, which returns the LTPAv1 token. Changing the value to LTPA2
results in the LTPAv2 token being returned instead.
16. Click Save and Close.
17. Configure the Lotus Sametime Community Server so that LtpaToken gets set
by the Sametime Proxy web client instead of the Sametime token:
a. Log in to the Lotus Sametime System Console as the Sametime
administrator.
b. Click Sametime Servers → Sametime Community Servers.
c. In the list of Community Servers, click the name of a Sametime
Community Server to open its Configuration page.
d. Click the Community Services tab.
e. Under the ″General″ section, select the authentication type that users can
use while logging into the community server: LTPA only.
18. Restart the Lotus Domino server to put your changes into effect.
Setting up SSO between Sametime Unified Telephony and Sametime Community Server:
By default the Lotus Sametime installation creates a Domino SSO key. This key
should be replaced by the WebSphere LTPA key from the Lotus Sametime Unified
Telephony deployment’s Telephony Application Server to allow both Domino and
WebSphere to have an identical key for token validation and generation. Follow
these steps to import the LTPA key from WebSphere to Domino.
1. On the Telephony Application Server, log in to the Integrated Solutions
Console as the WebSphere administrator.
2. Click Security → Secure administration, applications, and infrastructure.
3. Under Authentication, click Authentication mechanisms and expiration.
4. Under ″Cross Cell single sign-on″, Enter a Password, Confirm Password, and
type a file name to store the key; then click Export keys.
The file created will be imported into the Lotus Domino server for the Lotus
Sametime Community Server.
5. Click Web security → Single Sign-on (SSO).
6. Make sure that the Domain name matches the Lotus Sametime Community
Server domain, and verify that Interoperability Mode is selected.
Note: Lotus Sametime 8.5 requires Lotus Domino 8.0 and higher; if you are
maintaining an older Lotus Sametime server it may be running a version of
Lotus Domino prior to R8.
In the Token Format field of the WebSphere Information section, select the
LTPA token formats to be supported by Domino.
v LtpaToken - LTPAv1 only
Single sign-ons for HTTP requests using the Simple and Protected GSS-API
Negotiation Mechanism (SPNEGO) trust association interceptor (TAI) for
WebSphere Application Server allow IBM Lotus Sametime users to log in and
authenticate only once at their desktop and receive automatic authentication from
the WebSphere Application Server.
You must configure the Lotus Sametime Connect client must be configured to use
the SPNEGO SSO feature. Configuration can be established in a silent installation
or done manually by the user.
Silent installation
The settings for token-based login can be pre-configured using the silent installer.
In the silentinstall.ini file found on the Lotus Sametime Connect compact disk,
include the following settings:
v STAUTHSERVERURL=<WebSphere Authentication URL>
v STLOGINBYTOKEN=true
v STUSEAUTHSERVER=true
Manual configuration
To configure the Sametime Connect client manually for SPNEGO single sign-on,
follow these steps:
1. In the Log in to Sametime dialog box, enter your fully qualified host server
name and your user name.
If your environment requires you to manually enable the Domino SSO feature
instead of using the default configuration provided by the IBM Lotus Sametime
installation, you can use the steps in this section to manually enable the Domino
SSO feature.
This procedure is identical to the procedure used to enable the SSO feature on a
Domino server. After manually enabling the feature, you can configure the server
to use the Lotus Sametime custom SSO logon form.
Generally, the Domino SSO feature will be enabled by default during the Lotus
Sametime installation and it is not necessary to manually enable the feature. For
more information, see Altering the Domino Web SSO feature following the
Sametime server installation.
What to do next
After enabling the Domino SSO feature, follow the procedure described in Using
the custom Sametime SSO logon page to use the custom Lotus Sametime SSO
logon form.
Create a Web SSO document that specifies the servers participating in the shared
authentication, the time-out value for the cookie containing the LTPA access token,
and the encrypted secret used to create the cookie.
Note: The ’Organization’ field of the Web SSO Configuration document should be
empty; otherwise, the LPTA token will not work with Sametime.
1. Using a Lotus Notes client, open the Domino Directory on the Sametime
server.
2. Select Configuration → Servers → All Server Documents.
3. Select the Web button on the taskbar.
4. Select Create Web SSO Configuration.
5. In the document, select the Keys pull-down menu button.
6. Select Create Domino SSO Key.
Note The Import WebSphere LTPA Keys option is usually used to enable a
WebSphere server to communicate with a Domino server. To enable a
WebSphere server to communicate with a Domino server, you must export the
Enable SSO and ″Name & Password″ authentication in the Server document:
Use this procedure to enable SSO and ″Name & Password″ authentication in the
Server document of the Sametime server for which you are enabling the Domino
SSO feature.
This procedure is the second of three required to manually enable the Domino SSO
authentication feature on a Sametime server.
1. In the Configuration - Servers - All Server Documents view of the Domino
Directory, double-click the name of the Sametime server to open the Server
document.
2. Select Edit Server to put the Server document in edit mode.
3. Select the Ports tab.
4. Select the Internet Ports tab.
288 Lotus Sametime: Installation and Administration Guide Part 2
5. Select the Web tab (if it is not displayed by default).
6. For the HTTP TCP/IP port Authentication Options, select Yes in the ″Name &
Password″ field.
7. Select the Internet Protocols tab.
8. Select the Domino Web Engine tab.
9. In the ″HTTP Sessions″ section, select ″Multiple server (SSO)″ in the ″Session
authentication″ field.
Note You must select the ″Multiple server (SSO)″ value even if your
environment includes only a single Sametime server.
10. Click Save and Close to save the Server document.
What to do next
What to do next
Lotus software recommends using the custom Sametime SSO logon form. If you do
not use this logon form, users will see the default Domino SSO logon form the first
time they access a database on the server that requires authentication.
Note: Authentication by token does not occur if you allow anonymous access to
the Sametime server and all its databases.
The IBM Lotus Sametime installation automatically configures the Lotus Sametime
server to use the Lotus Sametime custom logon form for SSO.
The configurations described above ensure that the custom logon form named
″STLogonForm.nsf″ displays to users when users authenticate with the server.
If a database named domcfg.nsf exists on the Lotus Sametime server when Lotus
Sametime is installed, the administrator must manually enable the custom logon
form. This procedure is described below.
Follow the procedure below to manually enable the Lotus Sametime custom logon
form for SSO. The custom logon form displays when the user accesses the first
database on the server that requires authentication or selects the ″Log on to
Sametime″ link in the Sametime Meeting Center.
Note: The custom logon form exists in the Lotus Sametime server home page
database (stcenter.nsf). If you want to require users to authenticate when accessing
the server, you should allow anonymous access to the Lotus Sametime server
home page (stcenter.nsf) and require authentication to the Sametime Meeting
Center database (stconf.nsf). With this arrangement, users access the server home
page anonymously and are presented with the SSO logon form when attempting to
create or attend a meeting.
To use the Lotus Sametime custom logon form for SSO, you must configure
settings in the Domino Configuration database (domcfg.nsf) provided with the
Domino server on which Lotus Sametime is installed.
The Sametime Center database (stcenter.nsf) must meet the following ACL
requirements for the custom logon form to operate properly.
v In the Advanced options of the stcenter.nsf ACL settings, the ″Maximum Internet
name & password″ field must allow at least Reader access. If either Depositor or
No Access are selected, the logon form will not appear.
v In the Basics options of the stcenter.nsf ACL settings, anonymous users must
have an access level of Reader or higher. If the access level provided for
anonymous users is less than Reader, the logon form will not appear. The ″Write
public documents″ and ″Read public documents″ options should also be
selected.
Related tasks
Manually enabling the Domino SSO feature
If your environment requires you to manually enable the Domino SSO feature
instead of using the default configuration provided by the IBM Lotus Sametime
installation, you can use the steps in this section to manually enable the Domino
SSO feature.
There are two procedures associated with ensuring the Secrets and Tokens
authentication databases on the Sametime server are functioning properly:
1. If necessary, select the ″Allow users to authenticate using either LTPA or
Sametime Tokens (stauths.nsf and stautht.nsf)″ option in the Sametime
Administration Tool. (This option is selected by default.)
2. Replicating the Secrets and Tokens databases (optional) - This step is necessary
only if you have deployed Domino databases enabled with Sametime
technology (such as Sametime TeamRoom and Discussion databases) or if you
have enhanced security by enabling the SametimeSecretsGenerator agent in the
Secrets database.
When the ″Allow users to authenticate using either LTPA or Sametime Tokens″
option is selected in the Community Services-Configuration settings of the
Sametime Administration Tool, the Sametime server accepts authentication tokens
generated by both the Domino Single-Sign On (SSO) feature and the Secrets and
Tokens databases on the Sametime server. This option is selected by default.
If you do not select the Allow users to authenticate using either LTPA or
Sametime Tokens option, the Sametime server accepts only LTPA authentication
tokens, which are generated by the Domino SSO feature.
Leave Allow users to authenticate using either LTPA or Sametime Tokens when
you require basic password authentication to the Sametime Meeting Center and
you have Sametime 2.0 or 2.5 servers as part of a single Sametime community. If
all servers in your environment are Sametime 3.0 servers or higher, you may
disable the feature if you require basic password authentication in the Sametime
Meeting Center.
Results
When users log in now, the LTPA token will have the correct organization name.
Selecting the ″Allow users to authenticate using either LTPA or Sametime Tokens
(stauths.nsf and stautht.nsf)″ option:
Note: This procedure might not be necessary as the ″Allow users to authenticate
using either LTPA or Sametime Tokens (stauths.nsf and stautht.nsf)″ setting is
enabled by default following the server installation.
If you enable this setting on one Sametime server, you must enable it on all
Sametime servers in your environment. If you disable it on one Sametime server,
you must disable it on all Sametime servers in the environment.
Results
You have the option of replicating the Secrets database to enhance security.
Related tasks
Manually enabling the Domino SSO feature
If your environment requires you to manually enable the Domino SSO feature
instead of using the default configuration provided by the IBM Lotus Sametime
installation, you can use the steps in this section to manually enable the Domino
SSO feature.
This topic discusses the second of two procedures associated with setting up the
Secrets and Tokens authentication system on a Sametime server.
Do not replicate the Tokens database to the other Sametime servers. The replicated
Secrets database can work with the Tokens database that exists on each Sametime
server by default following the server installation.
Sametime also provides security features that enable users to encrypt meetings and
specify meeting-specific passwords. The Security section includes the following
topics:
This section includes basic security information to help you get started with IBM
Lotus Sametime security.
The Domino Single Sign-On (SSO) feature must be enabled on the Lotus Sametime
server. The Domino SSO feature requires the user to enter the fully qualified DNS
name of the server for a successful authentication. For more information, see
Authentication by token using LTPA and Sametime tokens.
The Domino security features also allow you to configure databases for
anonymous access. When a database is configured for anonymous access, the user
is not authenticated when accessing the database.
Authentication by token
After a Web browser user authenticates using basic password authentication, Lotus
Sametime Java applet clients (such as the Meeting Room client, Recorded Meeting
client, and Lotus Sametime Connect for browsers client) load in a user’s Web
browser. These Lotus Sametime clients make connections to the Community
Services, Meeting Services, and Recorded Meeting Broadcast Services when a user
attends a meeting. Lotus Sametime uses ″authentication by token″ to authenticate
the connections from these Lotus Sametime clients to the Lotus Sametime services.
Note: Connections from the Lotus Sametime clients to the Community Services,
Meeting Services, and Recorded Meeting Broadcast Services are authenticated only
if the Lotus Sametime Meeting Center database (stconf.nsf) requires basic password
authentication. If the Lotus Sametime Meeting Center allows anonymous access,
these connections are not authenticated.
When the Lotus Sametime Meeting Center requires basic password authentication,
authentication by token is supported on the Lotus Sametime server using the
Domino Single Sign-On (SSO) authentication feature.
Note: Lotus Sametime TeamRoom and Discussion databases were available with
previous Lotus Sametime releases but are no longer included in the Lotus
Sametime product.
The Lotus Sametime server must support both the Domino SSO feature and the
Secrets and Tokens database authentication system if your environment includes
Lotus Sametime 3.0 (or higher) servers that interoperate with Lotus Sametime
servers from releases earlier than Lotus Sametime 3.0.
When accessing the Lotus Sametime server with a Web browser, a user must enter
a user name and Internet password to access any protected database on the Lotus
Sametime server.
A protected database is a database that has its Access Control List (ACL) set to
require basic password authentication. If the ACL settings of a database allow
anonymous access, the user is not authenticated (prompted for a user name and
Internet password) when accessing the database.
Note: It is important for a user to enter a name when accessing a Lotus Sametime
database so that the user’s name can be displayed in any presence list within the
database. If the ACL settings of a database allow anonymous access, a user is not
prompted for a name unless the ″Users of Sametime applications can specify a
display name so that they do not appear online as anonymous″ setting is selected
in the Configuration-Community Services-Anonymous Access settings of the
Sametime Administration Tool. When this option is selected, it forces a name entry
prompt to appear when an anonymous user attends a scheduled meeting. From
this name entry prompt, the user can enter a name for display purposes in a
presence list. The server accepts any name entered by the user at the name entry
prompt; the user is not authenticated.
A Sametime Connect user must also be authenticated each time the user starts the
Sametime Connect client and connects to the Community Services on the Lotus
Sametime server. Sametime Connect users must enter the user name and Internet
password from the Person document in the Domino Directory when logging on to
Sametime Connect.
Note: If you have configured Lotus Sametime to operate with an LDAP directory,
Sametime authenticates users based on the user names and passwords stored in
the person entries of the LDAP directory.
This section discusses the requirements for basic password authentication when
Lotus Sametime is installed to operate with a Domino Directory. You must choose
either the Domino Directory or an LDAP directory during the Lotus Sametime
installation.
Each member of the Lotus Sametime community must have a Person document in
the Domino Directory to authenticate with the Lotus Sametime server. The names
and password that a user can enter when accessing a Lotus Sametime server are
maintained in the Basics tab of a Person document in the Domino Directory.
To access a Person document, open the Sametime Administration Tool and select
Domino Directory → Domino → Manage People. Double-click a person’s name to
open that user’s Person document.
The table below shows a sample entry in the Basics section of a user’s Person
document. The text that follows the table explains how these entries are used in
the Web browser and Sametime Connect client password authentication processes.
GOllerman
The following fields on the Person document are used by the authentication
process:
v First name - This field is optional.
Web browser - If an entry exists in the ″First name″ field in the Basics tab of the
Person document, the user can enter just this name at the User Name prompt
that appears when accessing a protected database on the Lotus Sametime server
Note: If both the ″First name″ and ″Last name″ fields contain entries, the user
can enter the first and last names at the User Name prompt that appears when
accessing the Lotus Sametime server.
v User name - This field is required. An entry must exist in the ″User name″ field
in the Basics tab of a Person document.
Generally, it is good practice to use a user’s first and last name in the ″User
name″ field. The ″User name″ field can contain multiple entries. In our example,
the User name field contains both Gary Ollerman/Community and GOllerman.
(Each entry must be separated by a semicolon or a carriage return in the ″User
name″ field of the Person document.)
A user can enter any name that appears in the ″User name″ field of the Person
document when logging on to the Lotus Sametime server from the Sametime
Connect client or a Web browser. For example, the user could enter Gary
Ollerman/Community or GOllerman at a Sametime Connect or Web browser
User Name prompt. The name entered by the user is resolved to the topmost
name (Gary Ollerman/Community in the example) in the ″User name″ field. The
topmost name in the ″User name″ field is the name that is displayed in the
presence lists of all Sametime clients.
Note: If you want a user’s e-mail address to display in presence lists, enter the
user’s e-mail address as the topmost name in the ″User name″ field of the
Person document. If the e-mail address is included in the User name field, the
user can also enter the e-mail address at the ″User name″ prompt when logging
in from a Sametime Connect client or Web browser.
Lotus Sametime uses the topmost name in the ″User name″ field to validate a
user in a database ACL. If you require basic password authentication for a
database and you enter the names of individual users in the ACL of a database,
enter the topmost name that appears in the ″User name″ field of the Person
document in the database ACL. Although the user can enter ″GOllerman″ when
logging on, Sametime uses ″Gary Ollerman/Community″ to validate the user in
the database ACL. Therefore, ″Gary Ollerman/Community″ must be the name
that appears for this user in database ACLs.
v Internet password - This field is required. Users must enter the Internet
password to authenticate with the Lotus Sametime server using a Web browser
or the Sametime Connect client. In the example, the Internet password is
″sametime.″ The password displays as a series of random characters because
Internet passwords are encrypted on the Person document.
If you are using the self-registration feature of the Lotus Sametime server, a Person
document containing a last name, user name, and Internet password is
automatically created for a user in the Domino Directory on the Lotus Sametime
server at the time the user self-registers. Agents in the Self-Registration database
(streg.nsf) access the Domino Directory to create these Person documents. The
signers of these agents must have the proper access levels and permissions in the
Domino Directory for self-registration to work properly. If you allow self
registration, you might need to add these signers to the Domino Directory ACL.
The Lotus Sametime self-registration feature cannot be used if you have configured
the Lotus Sametime server to operate with an LDAP directory on a third-party
server (such as a Microsoft Exchange or Netscape Directory Server).
LDAP
If you have configured the Lotus Sametime server to operate with an LDAP
directory on a third-party server, the authentication process uses the user names
and passwords stored in the LDAP directory. It is not necessary to create Person
documents containing separate user names and passwords in the Domino
Directory on the Lotus Sametime server.
Related concepts
Using database ACLs for identification and authentication
Identification and authentication is the process of determining the name of a user
and verifying that users are who they say they are. You can use database Access
Control Lists (ACLs) to control access to individual databases on the server.
Basic password authentication and database ACLs
You can set a database ACL to require basic password authentication.
Related tasks
Changing a user’s password
When accessing the IBM Lotus Sametime server from any Lotus Sametime client,
the user might be prompted for a user name and password. The password is
specified in the Internet password field on the user’s Person document in the
Domino Directory on the Lotus Sametime server.
Setting up basic password authentication in a database Access Control List (ACL)
You can require users to specify a valid name and password when accessing a
database on the Sametime server.
When accessing the IBM Lotus Sametime server from any Lotus Sametime client,
the user might be prompted for a user name and password. The password is
specified in the Internet password field on the user’s Person document in the
Domino Directory on the Lotus Sametime server.
To change a user’s password, open the user’s Person document and enter a new
password in the ″Internet password″ field.
Note: If you have configured the Lotus Sametime server to operate with an LDAP
directory on an LDAP server, the authentication process uses the passwords
specified in the LDAP directory. Use the administrative tools provided with the
Ensuring Sametime servlet access when Domino requires SSL for all connections:
An IBM Lotus Sametime server installs on a Domino server and relies on the
Domino HTTP server to handle all HTTP traffic to the Lotus Sametime server. To
encrypt Web browser access to the Sametime Meeting Center with SSL, the
administrator must configure the Domino HTTP server to support SSL.
When setting up a Domino HTTP server to support SSL, the administrator can
force all connections to the Domino server to use SSL. The administrator forces all
HTTP connections to use SSL by performing either of the following configurations
in the Ports-Internet Ports-Web section of the Domino Server document during the
Domino HTTP server SSL set up procedure:
v Setting the Web HTTP ″TCP IP port status″ setting to ″Disabled″ and setting the
Web HTTP ″SSL port status″ to ″Enabled.″
v Setting the Web HTTP ″TCP IP port status″ to ″Redirect to SSL.″
If you force all HTTP connections to use SSL, you must also configure the Lotus
Sametime server to support SSL for HTTP connections to its servlets. If you do not
configure the Lotus Sametime server to support SSL for connections to its servlets,
users will be unable to access the Lotus Sametime server.
To ensure access to the Lotus Sametime servlets when Domino requires SSL for all
connections, complete the following steps:
1. Set up the Domino server to support SSL
2. Import the SSL trusted room or SSL server certificate into the key store
database on the Sametime server
3. Modify the Sametime configuration for SSL
Results
You can use these procedures regardless of whether your Lotus Sametime server
operates on the Windows, AIX, Solaris, Linux or IBM i operating system.
To attend a meeting on the Lotus Sametime server, a user first connects to the
Lotus Sametime HTTP server with a Web browser. By default, the user is not
authenticated when accessing the Lotus Sametime server over this port and is able
to access the Lotus Sametime server home page database (stcenter.nsf) without
entering a user name and password.
By using the Access Control List (ACL) settings of individual databases, the Lotus
Sametime administrator can force users to authenticate using basic password
authentication when they attempt to access the databases on the server.
Generally, the first database that a user accesses when connecting to the Lotus
Sametime server is the Domino database that contains the Lotus Sametime server
home page (stcenter.nsf). By default, the ACL settings of the stcenter.nsf database
allow anonymous access so users can access the Lotus Sametime server home page
without being authenticated (entering a user name and password that is verified
against entries in a directory).
After accessing the home page, a user selects links to access other databases on the
Lotus Sametime server. Most users will access the Sametime Meeting Center
(stconf.nsf). The Lotus Sametime Administrator can alter the ACLs of these
databases to force users to authenticate at the time they select the link that accesses
the database.
The databases on the Lotus Sametime server that are accessible from the Lotus
Sametime server home page include:
v Self-Registration (streg.nsf) - An administrator controls whether
self-registration is available on the server. The administrator controls
self-registration by selecting or clearing the ″Allow people to register themselves
in the Directory″ check box available from the Domino Directory - Domino
option in the Sametime Administration Tool. The self-registration database
(streg.nsf) should always allow anonymous access to enable anonymous users to
self register when the administrator allows self-registration.
v Server Administration - You must add users to the ACLs of several Lotus
Sametime databases when allowing other users to have administrative privileges
on the Lotus Sametime server. For more information about controlling access to
the Sametime Administration Tool, see Adding a new Sametime administrator
Note: By default, the connection from a Web browser to the Lotus Sametime server
is neither authenticated nor encrypted. The authentication occurs at the time a user
accesses an individual database on the Lotus Sametime server. You can configure
Lotus Sametime so that all HTTP traffic (including passwords and authentication
tokens) that passes over the connection between the Web browser and the HTTP
server is encrypted using the Secure Sockets Layer (SSL).
For each database on the server, you can set the ACL to allow:
v Anonymous access
or
v Basic password authentication
The settings in the database ACLs work together with the ″Maximum Internet
name & password″ setting for each database to control the level of access that Web
browser users have to a database on the Sametime server.
The database ACL defines user access to the content of the database. Before you set
up basic password authentication or anonymous access to a database, you should
be familiar with how to add users to a database ACL and the available settings
within the ACL. For more information, see:
v Adding a name to a database ACL
v Database ACL settings
The ″Maximum Internet name & password″ setting on the Advanced panel of each
database ACL specifies the maximum level of access to the database that is
allowed for Web browser clients. This setting overrides individual levels set in the
ACL.
Generally, administrators should not need to change the ″Maximum Internet name
& password″ settings for databases on the Sametime server. The default settings
should function adequately in most cases.
Use the Sametime Administration Tool to add a name to a database Access Control
List.
1. From the Sametime server home page, click Administer the Server to open
the Sametime Administration Tool.
2. If you are using a Domino Directory with the Sametime server, select Domino
Directory - Domino. If you are using an LDAP directory with the Sametime
server, select LDAP Directory.
3. Select Access Control.
4. Select a database from the list.
5. Click Access. The database ACL displays.
6. Click Add.
7. In the dialog box, type the exact user name from a Person document or the
group name from a Group document. Click OK.
When entering a user name for a user with a Person document in the Domino
Directory on the Sametime server, type the name exactly as it appears in the
topmost entry of the ″User name″ field in the user’s Person document.
When entering the names of users or groups registered in an LDAP directory
in a Sametime database ACL, use the fully qualified Distinguished Name, but
use forward slashes (/) as delimiters instead of commas. For example, if the
Distinguished Name for the user in the LDAP directory is:
v uid = Joe Waters, ou=West, o=Acme
enter the name in the Sametime database ACL as follows:
v uid = Joe Waters/ou=West/o=Acme
You can also use asterisks for wildcards when entering names from an LDAP
directory or a Domino Directory in an ACL. For example, entering
*/ou=West/o=Acme is equivalent to entering all users in the ou=West/o=Acme
branch of the directory to the ACL.
Note It is possible to enter entities other than user and group names in an
ACL. For more information about the types of entries that can exist in an
ACL, see User type - ACL settings.
8. Click the name entered in the previous step so that the name is selected
(highlighted).
9. In the User Type box, select the type of user (Unspecified, Person, Server,
Person Group, Server Group, or Mixed Group). For more information, see
User type - ACL settings.
10. In the Access Box, assign an access level for the user (Manager, Designer,
Editor, Author, Reader, Depositor, or No Access). For more information, see
Access level - ACL settings.
11. Edit the privileges if necessary. For more information, see Privileges - ACL
settings.
12. Click Submit.
A database Access Control List (ACL) contains a list of users and defines user
access to the contents of the database.
For each user in the database ACL, you can specify the following ACL settings:
Related concepts
Using database ACLs for identification and authentication
Identification and authentication is the process of determining the name of a user
and verifying that users are who they say they are. You can use database Access
Control Lists (ACLs) to control access to individual databases on the server.
Basic password authentication and database ACLs
You can set a database ACL to require basic password authentication.
Related tasks
Setting up basic password authentication in a database Access Control List (ACL)
You can require users to specify a valid name and password when accessing a
database on the Sametime server.
When you add a user or group to an ACL, you specify a user type for the entry in
the ACL. A user type identifies whether a name in the ACL is for a person, server,
group, or other entity. You assign a user type to a name to specify the type of ID
required for accessing the database with that name.
You can designate an entry in the ACL as any of the following user types:
Unspecified
Select the Unspecified user type if you want to enable the name you are
entering to access the database with any type of ID (Person, Server, or
Group). The Default entry in an ACL is always assigned the Unspecified
user type. IDs used to sign agents, such as Sametime Development/Lotus
Notes Companion Products, are also assigned the Unspecified user type
when entered in a database ACL.
Person
Select the Person user type if the name you are entering belongs to a user
who has a Person document containing a user name and Internet password
in the Directory on the Lotus Sametime server or if the user has a Person
entry in an LDAP directory on a third-party server.
Server
Select the Server user type if the name you are entering belongs to another
server in the Domino domain. When multiple servers are installed in a
Domino environment, it might be necessary for a server to access data
within the database or to replicate a database. Server names are frequently
added to the pre-existing LocalDomainServers and OtherDomainServers
server groups. The Server user type is generally used only if you have
Access levels are the database ACL settings that control the type of actions a user
can perform on the contents of a database and on the database itself.
Access levels range from No Access, which prevents a user from opening a
database, to Manager, which lets a user read, create, and edit the ACL and all
documents in the database.
Users that are listed both individually and in one or more groups in the ACL
might be assigned different levels of access. The access level granted in an
individual entry takes precedence over the access level granted through a group
entry. If a user is in multiple groups, the user is granted the access level of the
group with the highest level of access.
If a user or group has one level of access in the ACL and another level of access in
a database component (such as a Read or View access list), the database
component access level takes precedence over the user or group access level.
The following access levels are listed from lowest to highest. A higher access level
has all the privileges granted to lower access levels. For example, Authors can
perform all of the functions of a Depositor and a Reader.
No Access
No Access prevents a user from accessing the database. For example, if you
assign No Access as the Default access for a database, only a user who has
a Person document in the Address Book and is listed in the ACL can
access the database.
Depositor
Depositor access allows a user to create documents but not view any
documents in the database, including the documents created by the user.
This access level is not generally used for Lotus Sametime databases. This
ACL type is most frequently used for automatic agents to write documents
into a database for Domino workflow applications.
Reader
Reader access allows a user to read documents in a database, but not
create or edit documents. For example, you can assign Reader access in the
Meeting Center (stconf.nsf) ACL to users who are allowed to attend but
not start meetings.
The database Access Control List (ACL) defines privileges for users.
Depending on the access level assigned to a user, some ACL permissions are
granted, denied, or optional. Privileges listed in the ACL are:
Create documents
This privilege allows users to create documents in a database. This
privilege is:
v Permanently granted to Managers, Designers, Editors, and Depositors
v Permanently denied to Readers
v Optionally granted to Authors
Database Access Control List (ACL) roles grant access to individual database
components, such as forms or views.
You can use ACL roles to delegate authority for managing specific documents in a
database. You can create up to 75 roles in a database. For example, you can assign
the roles of UserCreator and UserModifier in the Directory (Address Book) ACL to
the administrator who has the responsibility for creating and maintaining Person
documents.
ACL roles are optional in most databases. You can choose to rely on a broader
access level and not use roles.
The anonymous access level requires the least maintenance from the administrator,
but it is the least secure. You should only allow anonymous access when you do
not need to know the identity of users accessing your server. For example, use
To allow anonymous access to a database, you can add the Anonymous entry to
the ACL and assign an access level to the Anonymous entry.
Note: Alternatively, you can remove the Anonymous entry from the ACL and
assign an access level to the Default entry in the ACL. When the Anonymous entry
is removed from the ACL, anonymous users receive the access level and privileges
assigned to the Default entry in the database ACL.
What to do next
If you set the ACL of the Sametime Meeting Center database to allow anonymous
access, you should ensure that users are required to enter a display name when
When basic password authentication is enabled for a database, browser clients are
authenticated when they attempt to open a database. For example, a Web browser
user might be authenticated when selecting the ″Attend a Meeting″ link from the
Lotus Sametime server home page to access the Sametime Meeting Center database
(stconf.nsf).
The Lotus Sametime server challenges the user to supply a valid name and
password and then verifies that the user’s response matches the information stored
in the user’s Person document in the Domino Directory (or LDAP directory if you
have configured Lotus Sametime to operate with an LDAP directory).
Authentication succeeds if the user name and password provided by the user
matches the user name and password in the directory and:
v The user is listed individually or as a member of a group in the database ACL.
or
v The Anonymous entry is set to No Access while an access level is specified for
the Default entry in the ACL. Using this method allows you to require users to
authenticate but prevents you from having to add individual entries for every
user and group in the ACL.
When the Anonymous entry in the database ACL is set to No Access, users are
presented with a logon prompt when they attempt to access the database.
If both the Anonymous entry and the Default entry in the database ACL are set to
No Access, a user must be listed in the ACL individually or as part of a group to
access the database. Setting the Anonymous and Default entries to No Access
provides the strictest control over access to the database because only users and
groups that are listed in the ACL are allowed to access the database.
An individual name receives precedence over the Default entry. If a user’s name is
entered in a database ACL and provided with an access level, the user receives the
access level assigned to the user name entry in the database. Only users who are
not listed individually in the database ACL receive the Default access level.
Note: If the Anonymous entry does not exist in the database ACL, the Default
entry in the ACL must be set to ″No access″ to require basic password
authentication to the database. When the Anonymous entry does not exist in the
database ACL, anonymous users can access the database and receive the access
level assigned to the Default entry in the database. If the Anonymous entry exists
in the ACL and is assigned the ″No access″ access level, users are authenticated
when accessing the database and receive the access level specified for the Default
entry in the ACL.
Related concepts
Database ACL settings
A database Access Control List (ACL) contains a list of users and defines user
access to the contents of the database.
Related tasks
Setting up basic password authentication in a database Access Control List (ACL)
You can require users to specify a valid name and password when accessing a
database on the Sametime server.
You can require users to specify a valid name and password when accessing a
database on the Sametime server.
IBM Lotus Sametime single sign-on (SSO) authentication allows Web users to log
in once to a Domino or WebSphere server, and then access any other Domino or
WebSphere server in the same DNS domain that is enabled for single sign-on (SSO)
without having to log in again. In a multiple server environment, it is possible that
one or more servers in your Domino domain are already configured for Domino
SSO, and the Domino Directory already contains a Domino Web SSO configuration
document. When you install Lotus Sametime, it creates a Web SSO configuration
In some cases, it may be necessary to alter the default configuration of the Domino
SSO feature following the Sametime server installation. For instructions, see
“Altering the Domino Web SSO configuration following the Lotus Sametime server
installation” on page 280.
Complete the steps in this section if your Domino server is not configured for Web
SSO, and you want to use the Web SSO document that Lotus Sametime creates to
configure it.
1. From the Domino Administrator or a Lotus Notes client, click File → Database →
Open. Browse to the Domino server and type names.nsf in the Filename field.
Click Open.
Note: When adding servers to the Participating servers field, click the arrow
and choose the name from an Address Book when possible. If this is not
possible, make sure that you use the full hierarchical name when you add a
server (for example, Server1/Acme where CN=Server/O=Org).
IBM Lotus Sametime has a token-based single sign-on (SSO) feature that uses the
Simple and Protected GSS-API Negotiation Mechanism (SPNEGO). This feature
Note: The SPNEGO feature replaces Microsoft Windows Single Sign-On; you
should use SPNEGO instead because Lotus Sametime will no longer support the
Microsoft Windows SSO feature.
Required components
v Sametime Connect client
v Sametime server pointing to an Microsoft Active Directory LDAP server
v WebSphere server
v Microsoft Windows Active Directory Domain Controller and associated Kerberos
Key Distribution Center (KDC)
v Microsoft Windows domain member
When Log In is clicked, a two phase login operation begins. Note that there is no
user interface or user intervention required in this process. In phase 1, the client
executes an HTTP request for a protected URL on the IBM WebSphere server. This
request is processed by the Simple and Protected GSS-API Negotiation Mechanism
(SPNEGO) trust association interceptor (TAI), which triggers the SPNEGO
negotiation between the client machine and WebSphere. Once trust is established,
an LtpaToken is sent to the client in the HTTP response. In phase 2, the client
securely logs into the Sametime server using the LtpaToken.
The following picture shows the Lotus Sametime SPNEGO login sequence.
Before you can configure IBM Lotus Sametime to use SPNEGO single sign-on, you
must configure the Sametime server to use the Microsoft Windows Active
Directory.
Example
Before using the IBM Lotus Sametime Connect client, you can validate the Simple
and Protected GSS-API Negotiation Mechanism (SPNEGO) configuration.
1. Log in to the Active Directory domain on the Microsoft Windows client
machine.
2. Configure the client browser to use SPNEGO. See ″Configuring the client
browser to use SPNEGO″ in the in the IBM WebSphere information center.
3. Using a browser, request the protected URL from the WebSphere server. This
action triggers the TAI interceptor. Instead of being challenged with a form
authentication dialog, you will be authenticated automatically – the browser
simply loads the secured page. If this is successful, then WebSphere has been
configured for SPNEGO single sign-on correctly.
4. In the same browser window, enter the address of the Sametime Meetings
center (http://hostname.stcenter.nsf). When the page loads, you should be
logged in automatically. If you are successful, single sign-on between Sametime
and WebSphere has been configured correctly
Single sign-ons for HTTP requests using the Simple and Protected GSS-API
Negotiation Mechanism (SPNEGO) trust association interceptor (TAI) for
WebSphere Application Server allow IBM Lotus Sametime users to log in and
authenticate only once at their desktop and receive automatic authentication from
the WebSphere Application Server.
You must configure the Lotus Sametime Connect client must be configured to use
the SPNEGO SSO feature. Configuration can be established in a silent installation
or done manually by the user.
Silent installation
The settings for token-based login can be pre-configured using the silent installer.
In the silentinstall.ini file found on the Lotus Sametime Connect compact disk,
include the following settings:
v STAUTHSERVERURL=<WebSphere Authentication URL>
v STLOGINBYTOKEN=true
v STUSEAUTHSERVER=true
Manual configuration
To configure the Sametime Connect client manually for SPNEGO single sign-on,
follow these steps:
This section contains information about user registration and policies and the tools
that you can use to administer the server.
Note: The Deployment Manager must be running for the cell before starting a
server. Also note that the server name is case sensitive.
Table 8. Start server commands for AIX, Linux, or Solaris
Type Commands
Sametime System Console ./startNode.sh
./startServer.sh STConsoleServer
Meeting Server ./startNode.sh
./startServer.sh STMeetingHttpProxy
./startServer.sh STMeetingServer
Proxy Server ./startNode.sh
./startServer.sh STProxyServer
Media Manager ./startNode.sh
./startServer.sh STMediaServer
./stopServer.sh STMeetingHttpProxy
Windows
The Start Programs menu is also a convenient way to start and stop Sametime
servers running on WebSphere Application Server.
Note: The Deployment Manager must be running for the cell before starting a
server. Also note that the server name is case sensitive.
Table 10. Start server commands for Windows
Server Commands
Sametime System Console startNode.bat
startServer.bat STConsoleServer
Meeting Server startNode.bat
startServer.bat STMeetingHttpProxy
startServer.bat STMeetingServer
Proxy Server startNode.bat
startServer.bat STProxyServer
Media Manager startNode.bat
startServer.bat STMediaServer
stopServer.bat STMeetingHttpProxy
IBM i
Note: The Deployment Manager must be running for the cell before starting a
server. Also note that the server name is case sensitive.
Table 12. Start server commands for IBM i
Server Commands
Sametime System Console startNode
startServer STConsoleServer
Meeting Server startNode
startServer STMeetingHttpProxy
startServer STMeetingServer
Proxy Server startNode
startServer STProxyServer
Media Manager Not supported on IBM i
The following table lists the URLs for logging in to Lotus Sametime:
Table 14. Lotus Sametime URLs
Sametime component URL Logging in
Lotus Sametime System Console http://consoleserverhost Log in with your WebSphere
name.domain:8700/ibm/console Application Server User ID
A single Integrated Solutions Console and password. Click
URL is only applicable if you The
deploy
default port is 8700 for Sametime System Console →
a cluster and choose to use theall platforms except IBM i. Sametime Servers.
Lotus Sametime System For IBM i, the
port number may not be 8700.
Console as the Deployment Manager
for all Sametime products. Use the port that was listed in
the Sametime System
Console installation results summary.
To check the port, open the A
boutThisProfile.txt file for the
Sametime System Console
Deployment Manager Profile
and use the setting specified
for the ″Administrative console
port.″ For the default profile
name (STSCDmgrProfile), the
file is located here:
/QIBM/UserData/
Websphere/AppServer/V7
/SametimeWAS/profiles
/STSCDmgrProfile/logs
/AboutThisProfile.txt
There is also an anonymous policy that is assigned by default to users who have
not authenticated, and unauthenticated users always receive this policy.
Note: If your deployment includes the Lotus Sametime System Console, you must
manage policies there because all settings made in the legacy Sametime
Administration Tool (STCenter.nsf) are ignored. This includes the override all
feature, as well. Moreover, there is no automatic migration of policies from the
You can set policy for users to have access to specific IBM Lotus Sametime
features, depending upon their level of need. For example, the maximum size for a
file being transferred is set by default at 1 megabyte to help manage traffic over
the server(s); however, if you have a group that routinely transfers large files for
business reasons, you can create a new policy specifically for those users and set
the maximum size of files that they can send to a much higher number.
1. Log in to the Integrated Solutions Console.
2. Click Sametime System Console.
3. Click Manage Policies.
4. Click the Lotus Sametime product for which you want to create a policy.
v Instant Messaging
Results
Tip: You can follow these same basic steps to delete or edit a policy. Delete a
policy by selecting the policy and then click the Delete button. Edit a policy by
clicking the policy name. You cannot delete the anonymous or default policies, but
you can edit them. If you edit a policy, you cannot change the policy ID. To do
this, you must make a copy of the policy by selecting it and clicking Duplicate,
then you can enter a new ID in the copy. Before you delete the original, be sure to
reassign the users and groups to the copy and give it the proper policy weight.
What to do next
You cannot assign users to the default or anonymous policies. Authenticated users
are automatically assigned to the default policies. Unauthenticated users are
assigned to anonymous policies.
1. Log in to the Integrated Solutions Console.
2. Click Sametime System Console.
3. Click Manage Policies.
4. Click the Lotus Sametime component with the policy to which you want to
assign a user or a group.
v Instant Messaging
v Meetings
v Media Manager
5. Select a policy name from the list, and click Assign.
6. Click Add Users or Add Groups.
At this point you could remove a user from a policy, by selecting the user in
the list and then clicking Remove.
7. Select the criterion for searching for the user or group that you want to add to
the policy in the Search by field.
v User ID
v Name
v E-mail address
All unauthenticated users have the anonymous policy, Sametime Instant Messaging
Anonymous Policy, applied to them. For authenticated users, the Lotus Sametime
searches for a user ID or group match, and then applies the highest weighted
policy. If there is no match, then the default policy, Sametime Instant Messaging
Default Policy, is applied.
Table 15. Chat
Sametime Instant Sametime Instant
Messaging Default Messaging
Setting Purpose Policy Anonymous Policy
User must set this Users must log in to Selected Selected
community as the this community
default server before they can log in
community to other
communities. This
setting does not
apply to browser
users.
Allow user to add If this is checked, Selected Not selected
multiple server community
communities preferences and
menus are available
to users. This setting
does not apply to
browser users.
Allow user to add Allowing users to Not selected Not selected
external users using connect to external
Sametime Gateway communities such as
communities AIM, Yahoo, OCS,
and Google Talk. If
this policy is not
allowed, the check
box and text for
adding external users
by e-mail address is
not available in
clients.
Lotus Sametime does not allow anonymous users to create meeting rooms.
Therefore, any policy that is related to authenticated users or the ability to create
meeting rooms, does not apply to anonymous users.
Note: Although Lotus Sametime Classic meetings are still managed on the server
itself, you can set user policy for Sametime Classic meetings on the Meetings
policy tab in the Sametime Classic Meetings section.
Table 19. General Meeting Settings
Sametime Meetings Sametime Meetings
Setting Purpose Default Policy Anonymous Policy
Maximum persistent Users are limited to 100 0
meeting rooms this creating this number
user can own of meeting rooms per
user. When this limit
is reached or set to
zero, users cannot
create more meeting
rooms.
Allow user to create If not selected, user Selected Not selected
instant does not see the
(nonpersistent) capabilities for
meeting rooms creating instant
meetings. User can,
still see the
capabilities for using
an existing room.
Automatically If not selected the Selected Not selected
connect to meeting user must manually
server when logging connect to each
into Sametime meeting room server
Connect to view the meetings
there. This setting is
stored with the client,
so that changes in the
policy do not take
effect until after the
next time the user
logs in to the server.
This setting does not
apply to browser
users.
Allow searching of If not selected, users Selected Not selected
meeting rooms can attend meeting
rooms only with a
direct URL. The
meeting room
manager interface
never shows. Only
affects browser users.
Read-only - Users
can only read what
others have typed
into the group chat.
Interactive - Users
can type and read
group chats.
Share an application
- Users can share a
specific application.
No other applications
or their desktops are
shared.
Application only -
Users can share a
specific application.
No other applications
or their desktops are
shared.
All unauthenticated users will have the anonymous policy Media Manager
Anonymous Policy, applied to them. For authenticated users, the Lotus Sametime
searches for a user ID or group match, and then applies the highest weighted
policy. If there is no match the default policy, Media Manager Default Policy is
applied.
Table 23. Telephony, Audio, and Video
Media Manager Media Manager
Setting Purpose Default Policy Anonymous Policy
Allow access to Allows outside Not selected Not selected
third-party service vendors to provide
provider capabilities audio and video for
from contact lists, instant messages and
instant messages, and instant meetings.
meetings This setting does not
apply to browser
meetings.
Note: For versions of Lotus Sametime that do not support web conferencing,
enter the following URL in your browser: http://hostname.
Note: For Lotus Sametime Entry and other Sametime offerings that do not
include Web conferencing, access the server page by typing http://hostname/
into a browser URL field where hostname is the fully qualified name of your
Sametime server.
2. From the Sametime server home page (Sametime Welcome page), click
Administer the Server.
3. Enter the administrator name and password specified during the Sametime
server installation. The Sametime Administration Tool opens in its own Web
browser window.
Related concepts
User requirements for basic password authentication
When accessing the Lotus Sametime server with a Web browser, a user must enter
a user name and Internet password to access any protected database on the Lotus
Sametime server.
Adding a new Sametime administrator
Use the Domino Directory to give a group of administrators access to the
Sametime Administration Tool.
Follow these steps to create a Person document using the Sametime Administration
Tool. If the administrator whom you are adding already has a Person document
that contains a last name, user name, and Internet password, skip this procedure.
1. From the Sametime server home page, click Administer the Server.
2. From the Sametime Administration Tool, click LDAP Directory:
3. Choose Add Person.
4. In the Person document, select the Basics tab.
5. Enter the user’s first, middle, and last name in the appropriate fields. Only the
last name is required.
6. Enter a name for the user in the User Name field. An entry in this field is
required for the user to authenticate with the Sametime server.
You can use any of the following characters in a user name: A - Z, 0 - 9,
ampersand (&), dash (-), period (.), underscore (_), apostrophe (’), and space.
Using other characters can cause unexpected results.
7. Enter an Internet password for the person in the ″Internet password″ field. An
entry in this field is required for the user to authenticate when accessing the
Sametime Administration Tool. There are no restrictions on the number of
characters used in the Internet password.
8. Click Save & Close. The Person document is added to the Directory.
In addition to ACL access levels, you must also specify the ACL privileges and
roles that the Administrators Group (or an individual user) has in each database.
Generally, for an Administrators Group, select all ACL privileges and roles.
Note: If you are adding individual user names to Sametime database ACLs instead
of a group name, database roles can be used to prevent or allow access to specific
features of the Sametime Administration Tool.
Add the Administrators Group to the ACLs of the following Sametime databases.
v Sametime Configuration (stconfig.nsf) - Stores the configuration parameters
that are set from the Sametime Administration Tool.
v Domino Directory or Address Book (names.nsf) - Stores Person and Group
documents, ACL settings, and other configuration information for the
Domino/Web Application Services.
v Sametime Log (stlog.nsf) - Stores logging information.
v Domino Web Administration (webadmin.nsf) - Contains the Domino Web
Administration client, which includes monitoring features for the HTTP Services
and free disk space. This is the full Domino Web Administration client that is
included with Domino servers.
1. From the Sametime Administration Tool:
v If you are using the Domino Directory with the Sametime server, choose
Domino Directory - Domino.
v If you are using an LDAP Directory with the Sametime server, choose
LDAP Directory.
2. Choose ″Add Sametime Administrators - Give the administrator group
Manager access for all appropriate databases, such as stconf.nsf and
stcenter.nsf.″ The Access Control options appear.
3. From the Databases list, select Sametime Configuration (stconfig.nsf).
Note: Type a group name exactly as it appears in the Group document. If you
are entering an individual user name in this field, type the user name exactly
as it is entered in the topmost entry of the ″User name″ field on the Person
document. Separate multiple entries in the ″Administer the server from a
browser″ field with commas.
5. In the ″Run unrestricted methods and operations″ field of the Programmability
Restrictions section, type the Administrators Group name (or an individual
user’s name). Separate multiple entries in this field with commas.
6. Click Save & Close.
Adding a user’s name to the Administrators Group document provides the user
with access to the Sametime Administration Tool. Removing a user’s name from
Access Control List (ACL) roles are defined in the following Sametime databases:
The following table lists the commands and features available with the Sametime
Administration Tool and the roles that an administrator must be assigned in the
stconfig.nsf database to use the Sametime Administration Tool commands and
features. If an administrator does not have the appropriate roles, the Sametime
Administration Tool does not display the command.
Note: The Domino server cannot resolve the user if given the internet address in
the person entry that defines the internal ID of a Sametime user. The mail attribute
is not supported in this field. The field may be left blank.
The Domino Directory also contains the Server document that you access to
provide another user with administrative privileges to the Sametime
Administration Tool.
Note: If you use Sametime in a Domino environment, the Domino Directory roles
function the same as they do on Domino servers.
The Domino Directory contains eight roles. The privileges for each role are listed in
this table:
Role Description
Related reference
Roles in Sametime database ACLs
Roles provide a way to define the access an administrator has to the features and
settings of the Sametime Administration Tool.
Role Description
Note: The Domino server cannot resolve the user if given the internet address in
the person entry that defines the internal ID of a Sametime user. The mail attribute
is not supported in this field. The field may be left blank.
The following table defines the roles in the Domino Web Administration database:
Role Description
ServerAdmin A Sametime administrator requires this role
to access the Server document when
providing other users with access to the
Sametime Administration Tool.
ServerMonitor A Sametime administrator requires this role
to access the Monitoring - Miscellaneous
functions of the Sametime Administration
Tool. These monitoring functions enable the
administrator to monitor HTTP commands
and requests, server memory usage, and free
disk space. The Sametime administrator also
requires this role to access the Logging -
Domino Log functions of the Sametime
Administration Tool, which report
information about the Domino Application
Services.
DatabaseAdmin A Sametime administrator requires this role
to change database ACLs from the Sametime
Administration Tool.
FileRead This feature provides access to the
Configuration - System Files (read-only)
command of the Domino Web
Administration Tool. This feature is usually
not used with Sametime.
FileModify This feature provides access to the
Configuration - System Files (read/write)
command. This feature is usually not used
with Sametime.
Related reference
Roles in Sametime database ACLs
Roles provide a way to define the access an administrator has to the features and
settings of the Sametime Administration Tool.
Domino log
To access the Domino log, choose Logging - Domino Log in the Sametime
Administration Tool, and then click the link that appears on the right. The Domino
log launches in a new browser window.
Back up the database regularly to protect the server data and to minimize
downtime if you need to restore lost or corrupted data. Follow the instructions in
the DB2 information center:
http://publib.boulder.ibm.com/infocenter/db2luw/v9/index.jsp
What to do next
Any changes that you make to the credential and connection information on the
Connection Properties page does not change the actual settings on the Lotus
Sametime Community Server. These settings are only used by the Sametime
System Console to connect to the Sametime Community Server.
If you are configuring the Lotus Sametime Community Server to use SSL (Secure
Socket Layer), make sure the server’s Domino CA certificate has been added to the
Sametime System Console’s trust store using the Integrated Solutions Console
(Security → SSL certificate and key management → SSL configurations →
CellDefaultSSLSettings → Key stores and certificates → CellDefaultTrustStore →
Signer certificates). See the WebSphere Application Server information center for
more information on adding certificates to a trust store.
Community Services supports all presence (or awareness) and text chat activity in
a Lotus Sametime community. Any Lotus Sametime client that contains a presence
list must connect to Community Services on the Lotus Sametime Community
Server.
This must be completed separately for each server within a Lotus Sametime
Community Server cluster.
1. Log in to the Integrated Solutions Console.
2. Click Sametime System Console → Sametime Servers → Sametime
Community Servers.
3. In the Sametime Community Servers list, click the deployment name of the
server with the connectivity information that you want to change.
4. Click the Connectivity tab.
5. Under Server Connections, type the fully qualified Host Name and Port for
the internal Sametime processes to communicate with one another.
Community Services listens for direct TCP/IP connections from Community
Services of other Lotus Sametime Community Servers on this port. If you
have installed multiple Sametime servers, this port must be open for presence,
chat, and other data to pass between the servers.
6. Under Client Connections, type the fully qualified Host Name and Port from
which Community Services listen for direct TCP/IP connections and
HTTP-tunneled connections from the Community Services clients. A direct
TCP/IP connection occurs when the Sametime client uses a unique Sametime
protocol over TCP/IP to establish a connection with the Community Services.
7. Under HTTP Tunneled Client Connections, type the fully qualified Host
Name and Port from which Community Services clients can make
HTTP-tunneled connections to the Community Services multiplexer.
Community Services clients can make HTTP-tunneled connections on both
ports 80 and 8082 by default. Port 8082 ensures compatibility with previous
Sametime releases. In previous releases, Sametime clients made
HTTP-tunneled connections to the Community Services only on port 8082. If a
Sametime Connect client from a previous Sametime release attempts an
HTTP-tunneled connection to a Sametime server, the client might attempt this
connection on port 8082.
8. If you will be using previous version of the Sametime Meeting Room client,
click Enable pre 8.5 releases of the Meeting Room client to try HTTP
Tunneling to the Community Server after trying other options.
9. Under HTTPS Tunneled Client Connections, type the fully qualified Host
Name and Port from which the Community Services clients attempt HTTPS
connections when accessing the Sametime Community Server through an
HTTPS proxy server. If a Community Services client connects to the Sametime
Community server using HTTPS, the HTTPS connection method is used, but
the data passed on this connection is not encrypted.
10. Click OK.
11. Restart the Lotus Sametime Community Server for settings to take effect.
The Lotus Sametime Community Server accepts connections from the Lotus
Sametime Media Manager, the Lotus Sametime Gateway, the Lotus Sametime
Community Mux, and the Lotus Sametime Proxy Server, as well as other servers
that are listed in the Community Services page. To ensure that the Lotus Sametime
Community Server trusts these components when they establish a connection, you
must add the trusted server’s IP address to the Lotus Sametime Community
Server.
You do not need to add the Lotus Sametime System Console’s IP address because
it is added automatically when you install the Lotus Sametime Community Server
using a deployment plan or register the Lotus Sametime Community Server with
the console after installation.
This task must be completed separately for each server within a Lotus Sametime
Community Server cluster, as well as for multiple non-clustered Community
Servers.
1. Log in to the Integrated Solutions Console.
2. Click Sametime System Console → Sametime Servers → Sametime Community
Servers.
3. In the Sametime Community Servers list, click the deployment name of the
server with the list of trusted IP addresses that you want to change.
4. Click the Connectivity tab.
5. Under Trusted Servers, enter the IP address of the server that must connect to
the Lotus Sametime Community Server in the New IP Address field, and click
Add.
Note: For the Lotus Sametime Media Manager, enter the Conference Manager
server IP address. Each instance of a Conference Manager cluster must be
entered.
To delete an IP address from the list, select it and click Delete Selected.
6. Click OK.
7. Restart the Lotus Sametime Community Server for the change to take effect.
Related tasks
“Adding a local Community Server to Sametime Gateway” on page 208
Connect a local Lotus Sametime Community Server or Lotus Sametime community
cluster to Lotus Sametime Gateway to enable Lotus Sametime users to have instant
messaging with external users.
For users that must log in through FaceTime or similar proxies, the Lotus
Sametime Community Server should allow them to connect through the home
server only. The Lotus Sametime Community Mux Server should accept
connections that come from Facetime IP addresses only. You must dedicate a
These settings must be addressed for each server within a Lotus Sametime
Community Server cluster.
1. Log in to the Integrated Solutions Console.
2. Click Sametime System Console → Sametime Servers → Sametime Community
Servers.
3. In the Sametime Community Servers list, click the deployment name of the
server with the connectivity information that you want to change.
4. Click the Community Services tab.
5. Use the following table to set general server-wide settings for users of the
Lotus Sametime Community Server.
6. Click OK.
7. Restart the Lotus Sametime Community Server for settings to take effect.
The home Lotus Sametime Community Server is the server on which the
preferences and data of a user are saved. Users connect to the home Lotus
Sametime Community Server for presence and chat functionality. If you have
installed multiple Lotus Sametime Community Servers, each user’s person entry in
an LDAP directory must contain a field in which a user’s home Sametime
Community Server can be specified. You can either:
v Add a new field to the LDAP directory to hold the name of each user’s home
Lotus Sametime Community server. This added field must appear in the person
entry of every Sametime user in the LDAP directory.
v Use a field that already exists in the person entries of each Sametime user (such
as the e-mail address) for this purpose.
Follow these steps to specify the name of the field within person entries of the
LDAP directory that contains the name of each user’s home Lotus Sametime
Community Server. These steps must be completed separately for each server
within a Lotus Sametime Community Server cluster.
1. Log in to the Integrated Solutions Console.
2. Click Sametime System Console → Sametime Servers → Sametime Community
Servers.
3. In the Sametime Community Servers list, click the deployment name of the
server with the connectivity information that you want to change.
4. Click the Community Services tab.
5. Under LDAP Attributes, enter the name of the field within the LDAP person
entries that contains the name of each user’s home Lotus Sametime Community
server in the Attribute used for determining the home server field.
6. Click OK.
7. Restart the Lotus Sametime Community Server for settings to take effect.
Determine the value of the LDAP attribute of the person entry that defines the
internal ID of a Sametime user that it is appropriate for logging in to Lotus
Sametime. This task must be completed separately for each server within a Lotus
Sametime Community Server cluster.
1. Log in to the Integrated Solutions Console.
2. Click Sametime System Console → Sametime Servers → Sametime Community
Servers.
3. In the Sametime Community Servers list, click the deployment name of the
server with the connectivity information that you want to change.
4. Click the Community Services tab.
5. Under LDAP Attributes, enter the name of the field within the LDAP person
entries that contains the ID used for logging in the Attribute used for
determining the internal user ID field.
6. Click OK.
7. Restart the Lotus Sametime Community Server for settings to take effect.
When you enable this feature, you should also set a file size limit and virus
scanning preference.
Computer viruses can be spread through transferred files. To protect against this
possibility, users should have current third-party anti-virus software installed. The
Virus scan files setting should be enabled and set to scan all files.
1. Log in to the Integrated Solutions Console.
2. Click Sametime System Console → Sametime Servers → Sametime Community
Servers.
3. In the Sametime Community Servers list, click the deployment name of the
server with the connectivity information that you want to change.
4. Click the Community Services tab.
5. In the Server Features section, click Allow users to transfer files to each other.
6. To increase or decrease the size of files that users can transfer, enter a value in
the Maximum file transfer size, in Kilobytes field.
7. Under Virus scan files, select one of the following choices:
Option Description
Always If scanning cannot be done, the file is not
transferred
When available The file is sent with a message that the file
was not scanned, allowing the user to decide
how to handle the file, or it is not sent if
scanning reveals a virus
Never Files are not scanned
8. Click OK.
9. Restart the Lotus Sametime Community Server for settings to take effect.
This capability to have awareness of other users in the same virtual place is
sometimes called place-based awareness. Place-based awareness differs from
community-wide awareness. With community-wide awareness, users can have awareness
of any user in the community who is online. IBM Lotus Sametime Connect
provides users with community-wide awareness functionality. Anonymous users are
not allowed to have community-wide awareness in any Sametime clients.
The Anonymous users can enter virtual places field controls the ability of
anonymous users to enter virtual places created by custom-built applications
created with the Sametime Software Development Kit. For more information on
virtual places, see the IMWC Directory and Database Access Toolkit documentation
available from IBM developerWorks® at http://www.ibm.com/developerworks/
lotus/downloads/toolkits.html.
Enter information for anonymous access to a virtual place. Each attendee who
accepts the default name has a number added to the end (For example, User1,
User2).
This task must be completed separately for each server within a Lotus Sametime
Community Server cluster.
1. Log in to the Integrated Solutions Console.
2. Click Sametime System Console → Sametime Servers → Sametime
Community Servers.
3. In the Sametime Community Servers list, click the deployment name of the
server with the connectivity information that you want to change.
4. Click the Anonymous tab.
5. Click the Anonymous users can enter virtual places
Note: The following fields do not take effect unless the Anonymous users can
enter virtual places field is selected.
6. If you want to let an anonymous user have a unique display name when
accessing a Lotus Sametime application that includes awareness, click Users of
Sametime applications (databases such as stconf.nsf or Web sites) can
specify a display name so that they do not appear online as ″anonymous.″ A
display name entry dialog box appears when a user accesses the Lotus
Note: The ACL settings of the application must allow anonymous access, too.
7. If you want to have a domain name automatically appended to the display
name entered by the user at the name entry dialog box, click Default domain
for anonymous users.
8. If you want a name to appear by default in the name entry dialog box, click
Default name. For instance, if the Default name field contains the entry User
the first person entering a meeting sees User displayed by default in the name
field of the name entry dialog box. If the person accepts the default and enters
the application, the person is identified as User1 in any presence list in the
application.
9. Specify the level of access that an anonymous user of an application enabled
with Sametime technology has to the directory. You can limit an anonymous
user’s ability to view names in the directory. For example, you might prevent
anonymous users from browsing all names in a directory or searching for
names in the directory.
v Users cannot browse or search the Directory
Anonymous users cannot search or browse the directory.
v Users can type names to add them to an awareness list
Anonymous users can type text in an user search interface to search for
person or group entries in the directory. However, users cannot view or
browse a list containing all entries in the directory. Users might perform
such searches to add users to a presence list.
v Users can browse the directory (see a list of names) or type names (resolve
users and groups)
Anonymous users can type text in an user search interface and search for
group or person entries in the directory. Anonymous users can also browse
lists that contain all entries in the directory. When this option is selected,
anonymous users can see all group and name entries in the directory, but
cannot see the content of a group entry (the list of names within a group
entry). Users cannot browse the LDAP directory on the LDAP server
v Users can browse the directory to see group content and names, or type
names
Anonymous users have all searching and browsing privileges described for
the Users can browse the directory (see a list of names) or type names
(resolve users and groups) setting above. In addition, users can search and
browse within group entries in the directory and access the user and group
names that are specified within group entries in the directory.
10. Click OK
11. Restart the Lotus Sametime Community Server for settings to take effect.
Business card can access user information from any of three types of storage
repositories: the native Domino directory, the LDAP directory (including Domino
LDAP), or a custom Notes application. Each repository stores user information
differently, so to facilitate user searches, Sametime provides a search engine, called
a black box, for each storage type.
Since there are three different storage types, Sametime provides three different
black boxes to search for user information (one per storage type). These are:
v LDAP – used to search a LDAP directory
v Notes – used to search a native Domino directory
v Notes_custom_db – used to search a customized Notes application
Using information in the LDAP server or the native Domino directory, you can
choose the fields that represent the information that you want to display in the
business card. The available fields are:
v Photo
v Name
v Company
v E-mail address
v Telephone
v Address or location
v Title
You can set up or change the details you want to retrieve by changing the values
for these fields on the main Business Card page.
Before you start setting up your business cards, be sure the following conditions
are true for your site.
v IBM Lotus Domino and IBM Lotus Sametime Community Server have been
installed and configured
v Lotus Sametime authentication is configured to use an LDAP directory
v The LDAP server is running and accessible by the Lotus Sametime Community
Server
v All LDAP attributes needed by Business Card are accessible for query via
anonymous connection or by using a specific bind account and password
v The Lotus Sametime Community Server is running
v For Domino LDAP only: To allow anonymous users to access required user
details, you can edit the All Servers document in names.nsf. Under the LDAP
tab, all LDAP attributes that you want to be retrieved by anonymous users
should be added to the list of Anonymous Users Can Query.
This task must be completed separately for each server within a Lotus Sametime
Community Server cluster.
1. Log in to the Integrated Solutions Console.
2. Click Sametime System Console → Sametime Servers → Sametime Community
Servers.
3. In the Sametime Community Servers list, click the deployment name of the
server with the business card information that you want to add or change.
4. Click the Business Card tab.
5. In the Business Card Contents section, select the attribute you want displayed
in users’ business cards, and then click Add to include the selected attribute. If
you do not want to display any pre-selected information, select each attribute,
and then click Remove.
6. Under Attribute Definition, choose Attribute Values that are appropriate for
your deployment. Each LDAP directory has its own naming schema, so be sure
to confirm that each attribute value selected for display is mapped to the
correct LDAP attribute as defined by your LDAP schema. If you prefer to map
another attribute value to the attribute name instead of the default value, then
choose User Defined. The following table lists the default attribute value that is
mapped to each attribute name.
Table 26. Attribute names and values
Attribute Name Attribute Value
E-mail address mail
Telephone telephoneNumber
Title title
Photo jpegPhoto
Address postalAddress
Company ou
Name cn
Domino LDAP does not contain the postalAddress field. The value retrieved
for this LDAP attribute is the concatenation of City, State/Province, and
360 Lotus Sametime: Installation and Administration Guide Part 2
Country. Also, Domino LDAP contains a hidden field for the ou attribute. This
field cannot be set through the Domino LDAP, and a third-party LDAP
management tool can be used to add a value to it.
7. If you select User Defined for an Attribute Value, then enter an attribute to
map to the Attribute Name.
8. Click OK.
9. Restart the Lotus Sametime Community Server.
To store photos in Domino LDAP and enable UserInfo to retrieve them, please
follow the steps below. A third-party LDAP management tool is required for
adding a JPEG Photo field to Domino LDAP. Most LDAP V3-compliant tools will
work.
Note: Unless the jpegphoto field is removed the image data is lost when a
person document is opened and re-saved.
2. Use Domino Administrator to enable Domino LDAP write access. Within
default Configuration Setting Document LDAP, click Yes next to Allow
LDAP users write access.
3. Using the third party LDAP tool, connect to the Domino LDAP server and
bind as a Domino Administrator. Once a successful connection is made, select
a user and add an Attribute. The Attribute name for Domino LDAP should be
specified as: jpegphoto;binary and the type should be selected as binary. Note
the name being used for the attribute. If you use just jpegPhoto or Photo as the
name, depending on the LDAP tool, you might not be able to store images in
the field. The -;binary is required for Domino LDAP to understand the
binary data.
4. Use the third party LDAP tool to import the JPEG or GIF photo into the new
field.
5. Use ldapsearch or the LDAP tool to check that the photo has uploaded
successfully
6. Log in to the Integrated Solutions Console.
a. Click Sametime System Console → Sametime Servers → Sametime
Community Servers.
b. In the Sametime Community Servers list, click the deployment name of
the server with the connectivity information that you want to change.
c. Click the Business Card tab.
d. In the Business Card Contents section, select the Photo attribute, and then
click Add to include it in the business card.
e. Under Attribute Definition, choose User Defined as the attribute value
for Photo.
Configuring business card photos for the Lotus Sametime browser client:
Follow these steps to configure the business card photo that displays for users that
chat using the IBM Lotus Sametime browser client.
After you have configured your business card feature, you can verify the
configuration.
To display user information, the business card uses an IBM Lotus Sametime
Community Server application named UserInfo. UserInfo retrieves and delivers user
information for each client request to view a user’s business card. Follow these
instructions to verify your business card configuration.
Prerequisites:
v Domino and Sametime are installed and configured to run
v Sametime authentication is configured to use a Domino directory
v The Sametime server is running
Follow these steps to configure the Business Card to display data that is stored in a
single data repository–a Domino directory.
1. Open an Internet browser and enter this URL into the URL-locater field:
http://sametime.austin.ibm.com/stcenter.nsf, substituting the host name
sametime.austin.ibm.com with your server’s actual host name.
2. Click Administer the server, and then log in as Administrator.
3. Click the plus sign next to Configuration to expand the contents, and then click
’Business Card Setup.’
</Details>
</Storage>
</Resources>
<ParamsSets>
<Set SetId="0" params="MailAddress,Name,Title,Location,Telephone,Photo,Company"/>
<Set SetId="1" params="MailAddress,Name,Title,Location,Telephone,Photo,Company"/>
</ParamsSets>
<BlackBoxConfiguration>
<BlackBox type="NOTES" name="com.ibm.sametime.userinfo.userinfobb.UserInfoNotesBB"
MaxInstances="4"/>
</BlackBoxConfiguration>
</UserInformation>
The Domino directory does not have a standard field for photo, but photos can be
retrieved from the Domino Name and Address Book (NAB) as follows:
1. Add a rich text field or rich-text lite field to the Person form of the Name and
Address Book in Domino.
When you set up dual repositories, you set up a primary repository and a
secondary repository:
Note: The primary storage can never be of the same type as the second repository;
for example, the primary and secondary storage cannot both be a Domino
directory.
For retrieving business card information, you can set up a dual repository of a
LDAP directory and a native Domino Directory.
This section describes how to configure the business card using two storage
repositories: LDAP directory as the primary storage, a native (non-LDAP) Domino
Directory as the secondary storage.
Note: For Business Card purposes, the secondary storage does NOT have to
be trusted for credentials.
3. Once you have completed the changes, save and close the document. The
resultant Directory Assistance database may show the following:
Note: The directory assistance database must be listed on the Basics tab of the
Sametime server document in the Directory assistance database name field. If
it is not listed, fill in the field, and restart the Sametime server to effect that
change.
4. Log in to the Integrated Solutions Console.
5. Click Sametime System Console → Sametime Servers → Sametime
Community Servers.
Telephone telephoneNumber
Title title
Photo jpegPhoto
Address postalAddress
Company ou
Name cn
10. If you select User Defined for an Attribute Value, then enter an attribute to
map to the Attribute Name.
11. In the Attribute Definition table, change the Attribute Value for the attributes
that will be retrieved from the secondary storage to User Defined and leave
the User Defined field blank. For example, if you are retrieving users’
Telephone and Title information from the Domino Directory; therefore, change
the values for the Telephone & Title attributes to User Defined, and leave the
User Defined field blank, and then click OK to save the changes
Note: These values are blank to ensure they are retrieved from the secondary
repository (the Domino Directory) and not from the primary repository, which
is the LDAP directory.
12. Modify the UserInfoConfig.xml file located in the Domino program directory
(\lotus\domino\UserInfoConfig.xml) using a text editor. The UserInfo
application fetches and delivers user information for each incoming client
request (an user’s request to view a particular user’s business card). When you
are using an LDAP directory as primary storage and a Domino Notes
directory as secondary storage, make the following modifications. Add an
additional Storage tag of Notes type within the Resources tag:
<Storage type="NOTES">
<CommonField CommonFieldName="MailAddress"/>
<Details>
<Detail Id="Title" FieldName="JobTitle" Type="text/plain"/>
Note: The Details section defines the attributes that will be retrieved by
Sametime from the corresponding storage repository. In this example, we are
retrieving Title and Telephone information from Domino.
13. To ensure Telephone and Title fields come from Domino, remove the following
from the Details tag of the LDAP storage type:
<Detail Id="Title" FieldName="title" Type="text/plain"/>
<Detail Id="Telephone" FieldName="telephoneNumber" Type="text/plain"/>
14. 13. Add the following to the <BlackBoxConfiguration> section. Make sure it is
listed after the LDAP blackbox as the order defines the search order:
<BlackBox type="NOTES" name="com.ibm.sametime.userinfo.userinfobb.UserInfoNotesBB"
MaxInstances="4"/></BlackBoxConfiguration>
Results
You have successfully configured the business card to display information for a
single user from dual storage repositories: an LDAP directory and the Domino
Directory.
For retrieving business card information, you can set up a dual repository of a
LDAP directory and a custom IBM Lotus Notes application.
This section describes how to configure the business card using two storage
repositories: LDAP with a custom Lotus Notes application repository. Here, we
describe how you can set up LDAP as the primary storage, and a custom Lotus
Notes application as the second storage.
7. If you select User Defined for an Attribute Value, then enter an attribute to
map to the Attribute Name.
8. In the Attribute Definition table, change the Attribute Value for the attributes
that will be retrieved from the secondary storage to User Defined and leave
the User Defined field blank. For example, if you are retrieving users’
Telephone and Title information from the custom Lotus Notes application;
therefore, change the values for the Telephone & Title attributes to User
Defined, and leave the User Defined field blank, and then click Reset to save
the changes
Note: These values are blank to ensure they are retrieved from the secondary
repository (the Lotus Notes application) and not from the primary repository,
which is the LDAP directory.
9. Modify the UserInfoConfig.xml file located in the Domino program directory
(\lotus\domino\UserInfoConfig.xml) using a text editor. The UserInfo
application fetches and delivers user information for each incoming client
request (an user’s request to view a particular user’s business card). When you
are using an LDAP directory as primary storage and a custom Notes
application as secondary storage, make these modifications:
a. Add the following NOTES_CUSTOM_DB Storage tag inside the Resources
tag:
<Storage type="NOTES_CUSTOM_DB">
<StorageDetails DbName="bcardstorage.nsf " View="$BCardView"/>
<Details>
<Detail Id="Title" FieldName="JobTitle" Type="text/plain"/>
<Detail Id="Telephone" FieldName="OfficePhoneNumber" Type="text/plain"/>
</Details>
</Storage>
What to do next
You have successfully configured the business card to display information for a
single user from dual storage repositories: an LDAP directory and a custom Notes
application.
You can configure Business Card with the use of two (dual) repositories–Domino
and LDAP. The primary storage repository is the native (non-LDAP) Domino
Directory, and the auxiliary storage is the LDAP directory.
Note: Update the Storage details tag with the appropriate settings for your
LDAP directory.
Note: The Details section defines the attributes that Sametime will retrieve
from the corresponding storage repository. In this example, we are pulling
the
telephonenumber attribute from the LDAP directory.
b. To ensure the telephone number is retrieved from LDAP, and not from
Domino, remove the following from the <details> tag of the (Domino)
Notes storage type:<Detail Id="Telephone"
For retrieving Business Card information, you can set up a dual repository of a
Domino Directory and a custom Lotus Notes application.
This section describes how to configure the Business Card using two storage
repositories: Domino Directory with a custom Lotus Notes repository. Here, we
describe how you can set up Domino Directory as the primary storage, and a
custom Lotus Notes application as the secondary storage.
What to do next
You have successfully configured the business card to display information for a
single user from dual storage repositories: the Domino directory and a custom
Notes application.
For a Sametime installation that is configured to work with Domino but that can
also retrieve data from Domino LDAP, Notes would be listed as the first black box,
and LDAP as the second. Each of these special configurations requires manual
settings in the UserInfoConfig.xml file.
This version of Sametime includes an additional black box that enables data
retrieval from a separate Notes database (other than the Domino directory). This
black box should be applied as a part of a special configuration designated to
retrieve data from the Sametime directory and from an additional Notes database
that contains users’ business card details.
See the topic “Retrieving data from a customized database” for more information
on how to configure data retrieval from the additional Notes database.
For additional help with these special configurations, please contact Support.
Retrieving user data from customized Notes databases allows you to:
v Retrieve some details from the Sametime Domino directory and the rest from a
customized Notes database (Domino)
v retrieve some details from the LDAP directory Sametime is configured to work
with and the rest of the details from an additional Notes database.
What to do next
Note: For complete information on how to use these ″black boxes″ and on how to
use all the storage repositories for LDAP, Sametime, and Domino, see the section in
Business Card entitled ″Using repositories.″ This section provides detailed
information on how to store and retrieve user data contained in both single and
dual repositories.
Options
Before trying these options, check and validate the configuration as shown in
Business Card configuration in the Sametime Information Center. In most cases,
invalid configurations are the root cause of problems with the Business Card. If,
after you have validated that the configuration is correct, the Business Card still
does not appear to be working, you might want to try the options described below.
In general, there are two points of failure for Business Cards (There could be more
depending upon your configuration, but in terms of troubleshooting, we’ll focus on
two components involved with the Business Card feature.)
Note:
v Do not use spaces in the URL for the UserInfo servlet operation.
A space is translated into %20 in the URL, and the servlet will not produce a
result; for example:
http://sametime.ibm.com/servlet/UserInfoServlet?operation=3&setid=1&userId=cn=Sametime
User/O=IBM
is translated to:
http://sametime.ibm.com/servlet/UserInfoServlet?operation=3&setid=1&userId=
cn=Sametime%20User/O=IBM
. The characters ″%20″ are inserted before the word ″User″ to represent the
space.
v The name ″UserInfoServlet″ is case sensitive.
v Do not use apostrophes or quotation marks in the URL.
3. Enter the URL you’ve composed into a Web browser’s address field, and view
the result.
You should see the details you are expecting to see. If you do not, then you will
need to enable tracing for the userInfo servlet. See section below.
Requirements
Listed below are some requirements that can cause problems if they are not
followed in the Business Card:
v Photos must be less than 64 kilobytes (recommended: 10 kb)
v Business Card photo requires .jpg or .gif
v Using the jpegPhoto LDAP attribute to store photos requires the inetOrgPerson
objectClass
You can change user names with the AdminP integration feature, or with the
Name Conversion utility:
Changing names
When you change user or group names in the directory, the change is not reflected
in IBM Lotus Sametime Community Server databases. In order to synchronize the
directory names with the names in the Lotus Sametime Community Server
databases, you must run the name conversion utility.
Running the name conversion utility updates Lotus Sametime Community Server
user or group names with the latest directory changes. The name conversion utility
Users create a contact list, a privacy list, and an alert-me-when list in the IBM
Lotus Sametime Connect client by selecting user names or group names from the
Domino or Domino LDAP directory that is used with the IBM Lotus Sametime
Community server. These contact, privacy, alert-me-when lists are stored in the
user information database (vpuserinfo.nsf) on Lotus Sametime Community servers.
When a user starts the Lotus Sametime Connect client, the lists are downloaded
from the database to update the lists stored on the client’s local computer
You do not need to run the name conversion utility when you add new users or
groups to the Domino or LDAP directory.
Note: Be sure to stop the Domino server before you run the name conversion
utility.
Before you can run the name conversion utility, you need to perform the following
tasks:
You do not need to use the name conversion utility if you add new users or
groups to directory. Use the name conversion utility only if you change user
names or group names that exist in the directory.
A comma-separated value (CSV) file created in a text editor provides the name
conversion utility with the information it needs to make a name change to user
contact, privacy, and alert-me-when lists. The CSV file includes the type of change
and typically provides details such as the old name and the new name, and
optionally, the display name.
1. Use a text editor to create a comma-separated file.
2. Create a CSV for only one type of change; you cannot mix name change types
in the same CSV.
v ID
v ORGANIZATION
v DELETE
v LDAP
3. Name and save the file with an extension of .csv in a directory accessible by
the Sametime server.
A CSV file created in a text editor provides the server with the information it
needs to make a name change to user contact lists or privacy lists. The CSV file
You can create the CSV text file using any text editor. Some spreadsheet programs
also allow you to export spreadsheet values to a CSV file. The CSV file should
include only the list of comma-separated oldname, newname pairs that reflect the
changes you have made to the directory. Do not include any header information in
your CSV file. Name the file at your discretion. After you create the CSV file, store
it in a network location that is accessible from the Sametime server. You must
browse to this file to import it when you create the Name Change Task from the
Administrator’s tool in Sametime.
When you create a CSV file, you must format it correctly following the syntax
rules below. CSV files are case-sensitive and sensitive to spaces. You can create
multiple CSV files. The CSV file can include only one descriptor:
Descriptor Purpose
ID Change specified first names, last names,
display names, or group names.
ORGANIZATION Change the organization name for all users.
LDAP Change all contact list information from
Domino directory format to LDAP format
(users/public group/domino to
ldap/organization name).
DELETE Remove specified individual contact names
from contact lists and privacy lists.
The second part of the CSV file includes one line for each change that includes the
old name, the new name, and, optionally, the new display name.
Change all contact list information from Domino directory format to LDAP format
(users/public group/domino to ldap/organization name).
Create a name change task on the IBM Lotus Sametime Community server.
Before you create a name change task, create a comma-separated value (CSV) file
of the name changes in the Lotus Sametime Community Server directory.
A name change task is not actually a scheduled program; its timestamp merely
indicates when the task was created and not when it will be run. The list of tasks
is ignored until you run the stnamechange.cmd program, which then operates on all
of the tasks in the list, using the .CSV files specified in the Name Change page.
Note: If you only want to edit a task, you can click the name of the scheduled
task to edit it.
6. Enter a name in the Name of Task field. The name is at your discretion. By
default, the name is the date the task is created.
7. Optional: Enter a description for the task.
8. Optional: If you want to run the task on all servers in the cluster, then select
All Servers.
9. Browse for the CSV file you want to use, and then click OK.
10. The name change task appears in the list of scheduled tasks.
All tasks listed here run when the stnamechange.cmd is run.
Results
After you have completed these steps on one Lotus Sametime Community server,
it may be necessary to repeat this process on other home Lotus Sametime
When you are done setting up the task, name changes are saved to
stnamechange.nsf. This file is used by Domino to replicate the name changes
throughout the server cluster. Domino will pick up all valid name change tasks in
the stnamechange.nsf file. You choose the servers or cluster on which the name
change task runs on a regular basis using general scheduling tools. The application
does not run by default; you must run the task manually.
To Delete a name change task, on the Name Change page, select the task, and then
click Delete. If any name changes are not entered correctly, you can import a new
CSV file.
To run a name change task, start the name conversion utility. The name conversion
utility uses the CSV file to update user contact and privacy lists with the latest
directory changes.
Before you begin, create a comma-separated value file with name changes, and
then create a name change task. IBM recommends running the name conversion
utility at off-peak hours, and stopping the Domino server before you begin.
Starting the name conversion utility starts the name change task. You can create
many tasks, but name change conversion utility executes only one task at a time.
You can have only one name change task scheduled or in progress. If a name
change task is scheduled or in progress, you cannot create another name change
task until the existing name change task completes.
It is not necessary to run the name change conversion utility on every IBM Lotus
Sametime Community Server in a cluster. For clusters, the task should run once on
one server and then replicated to other servers in the cluster. Note that the All
servers option on the Name Change page in the Sametime System Console does
not work because of the procedure for replicating across all servers. If you create a
Name Change task and select All servers, only the server you are logged on to
contains the task--other servers do not. This is viewable in stnamechange.nsf
through the Notes client. The correct procedure is to create the name change task
on all the servers in the community.
Follow these steps to run the name conversion utility on Microsoft Windows.
1. Stop the IBM Lotus Sametime Community Server and the Lotus Domino server.
2. Type the following command:
stnamechange.cmd
Follow these instructions to run the name conversion utility on a UNIX operating
system.
1. Stop the IBM Lotus Sametime Community Server and the Lotus Domino server.
2. Open a new shell and change to the domino data directory.
cd /domino/notesdata
3. Type the following command:
./stnamechange.sh domino_bin_directory domino_data_directory
For example:
./stnamechange.sh /domino/opt/lotus/notes/80020/linux /domino/notesdata
4. When the name change task completes, restart the Lotus Sametime Community
Server and the Lotus Domino server.
Restart all Lotus Sametime Community Servers in your deployment so they can
detect the modified name. If your deployment includes Lotus Sametime Unified
Telephony, restart all Telephony Application Servers as well.
Follow these instructions to run the name conversion utility on an IBM i operating
system.
1. Make sure the CSV file is in the Domino\data directory.
2. Stop the IBM Lotus Sametime Community Server, and the Lotus Domino
server.
3. Go to the OS/400 command line, and enter the following command: ″QSH″
This opens up a command line where the Name Change task is run.
4. Type the following commands:
cd <data directory>
stnamechange <data directory>
5. View the NameConversion**** log file starting with located in the Sametime
server directory/trace folder. The asterisks in the file name are variable
characters.
6. Restart the Lotus Sametime Community Server and the Lotus Domino server.
The IBM Lotus Sametime name change utility for IBM i now includes an optional
parameter that allows you to specify that the command should use a level of IBM
Lotus Domino other than the latest installed version.
The name conversion utility for IBM i servers was updated in Lotus Sametime
8.0.1. In previous releases, an error would occur if the Lotus Sametime server was
using a level of Lotus Domino that was not the latest installed version. To execute
the Lotus Sametime 8.0.1 version of the name change task on IBM i manually,
prepare by following these steps:
1. Add VP_NCSA_TRACE=1 (this will create debug log file) to Debug section of
the sametime.ini file.
2. Launch the Sametime server, and create the Name Change tasks through the
Administration tool.
3. Shut down the Lotus Sametime server, but leave the Lotus Domino server
running by running TELL STADDIN2 QUIT from the Lotus Domino console.
4. Once the Lotus Sametime jobs have ended, go to the IBM i command line, and
enter the following command: ″QSH″ This opens up a pase command line
where the name change utility is run. Enter the following commands:
CD server_data_directory
stnamechange server_data_directory domino_bin_directory
where domino_bin_directory is an optional parameter. (The default is
/qibm/proddata/lotus/notes which causes the command to use the latest
installed version of Lotus Domino.) Refer to the list below to specify a different
level of Lotus Domino:
Table 28. Values for domino_bin_directory parameter
Lotus Domino version used by Lotus
Sametime server Associated domino_bin_directory
Domino 7.0.0 /qibm/proddata/lotus/domino700
Domino 7.0.1 /qibm/proddata/lotus/domino701
Domino 7.0.2 /qibm/proddata/lotus/domino702
Domino 7.0.3 /qibm/proddata/lotus/domino703
Domino 8.0.0 /qibm/proddata/lotus/domino800
Domino 8.0.1 /qibm/proddata/lotus/domino801
When you create a name change task, the task is saved in a file called
stnamechange.nsf, and this file is replicated to all home IBM Lotus Sametime
Community Servers so that updates can be made to each server’s vpuserinfo.nsf
database. The file vpuserinfo.nsf is the Lotus Sametime user information database
that contains contact lists and privacy lists.
Note that the All servers option on the name change page in the Sametime System
Console does not work because of the procedure for replicating across all servers.
If you create a name change task and select All servers, only the server you are
logged on to contains the task--other servers do not. This is viewable in
stnamechange.nsf through the Notes client. The correct procedure is to create the
name change task on all the servers in the community.
Sample deployments
The examples below illustrate how you might run name change tasks in different
Lotus Sametime Community Server deployments.
Example Deployment 1
With this deployment, you must create and run the name change task three
times--one on each server. Though you create the task only once, you run it three
times, and the run can be scheduled automatically.
Example Deployment 2
With this deployment, you must run the name change task four times. You can
schedule the tasks to run automatically on one Lotus Sametime Community Server
in Community Services cluster 1, on one Lotus Sametime Community Server on
Community Services cluster 2, and on each of the two Lotus Sametime Community
Servers that operate as home Lotus Sametime Community Servers but are not part
of a cluster.
Example Deployment 3
This topic describes the status of the name change tasks, how to view tasks in
progress, and how to delete a name change task.
After you create a name change task, the task defaults to the Scheduled status. A
scheduled task begins executing on the IBM Lotus Sametime Community Server at
the time specified in the server setting on the Name Change page of the Sametime
System Console (Sametime System Console → Sametime Servers → Sametime
Community Servers → server_name → Name Change). You cannot edit a name
change task that has the Scheduled status. The only way to change a scheduled
task is to delete the task and then create a new task in its place.
Once a task begins executing, its status changes from Scheduled to In Progress if
any of the servers have the name change task with the status that is in progress or
scheduled. You cannot delete a task that is in progress. If all the servers have tasks
that are marked Check error log or Disabled, the name change task can be marked
Finished.
Finished means the task has completed the name change successfully. At this
status level, you can add or delete any task.
Note: The status column provides only the status of the task running on the server
being used; it does not provide a summary of the task across servers and clusters
of servers.
You can have only one name change task scheduled or in progress on a IBM Lotus
Sametime Community Server. If a name change task is scheduled or in progress,
you cannot create another name change task on the Lotus Sametime Community
Server until the existing name change task completes.
You cannot delete a task that is marked In Progress. You can delete a task that is
marked Scheduled, Finished or Check log status. There is a log file on the server
that collects failures in Name Conversion.
v A user name that is changed in the directory but is not yet changed in the
vpuserinfo.nsf database will appear as offline in the contact list and privacy list
of another user until the name change task executes on the other user’s home
Lotus Sametime Community Server.
v All members of a changed group appear as offline in the contact list and privacy
list of a user until the name change task executes on the user’s home Lotus
Sametime Community Server.
You can view the status of the names being changed. The vpuserinfo.nsf database
includes a view for name change tasks. The task you are running is not marked
complete. If several Lotus Sametime Community Servers operate as a Community
Services cluster, you view the status of a name change task on only one Lotus
Sametime Community Server in the cluster. The database replicates in real-time
among the servers in the cluster. When the name change task changes the
vpuserinfo.nsf database on one server, the changes are automatically replicated to
the vpuserinfo.nsf databases on all other servers in the cluster.
Prior to Lotus Sametime 8.0.1, when a Lotus Domino Administrator executed name
changes through the Lotus Domino Administrator client and the AdminP process,
the users’ names were changed automatically in the Lotus Domino Directory but
were not changed in the corresponding Lotus Sametime records. The administrator
had to manually generate a CSV text file that contained the renaming information,
and run the Lotus Sametime name change utility on one or more servers,
depending on the configuration.
Note: It is still necessary to manually run the name conversion utility even when
AdminP integration code is working. The Name Change Integration with AdminP
feature creates a new Name Change task and only partially updates vpuserinfo.nsf.
For example, it does not update the contact lists that include the old name. For a
full update, the Name conversion utility must be executed.
In addition, the AdminP functionality is only available for Lotus Sametime servers
that use Lotus Domino authentication running on Lotus Domino 8.0.2 or later. If
the Lotus Sametime server is using LDAP authentication, or if you are using a
version of Lotus Domino earlier than 8.0.2, you cannot use the AdminP feature to
change names.
The following components contain the code for the Name change integration with
AdminP feature. These components are located under the Domino program
directory (by default \Lotus\Domino in Windows):
v StUpdateAdminP.dll -- the code loaded by the AdminP process. This DLL file
receives notifications from Domino regarding renaming operations. We will refer
to it as the AdminP add-in.
v AdminpUpdate.jar -- the java code executed by the StUpdateAdminP.dll
v NameChangeUtils.jar -- a library that provides services of updating the different
Sametime databases. called by AdminUpdate.jar to perform the actual change in
vpuserinfo.nsf and stnamechange.nsf
Please note the following issues concerning AdminP integration with Lotus
Sametime:
v This feature is supported starting in Domino 6.0, but is currently not available
with Domino 8.0.1.
v In Lotus Sametime, this feature is supported starting with release 8.0.1.
v Only name updates are handled; deletions and additions are not supported by
AdminP.
The name change AdminP integration will run on one Sametime server in each
cluster, is part of a Sametime server installation, and is disabled by default.
The name change AdminP integration functionality is only available for Lotus
Sametime 8.0.1 servers hosted on Microsoft Windows and configured to use IBM
Domino Directory for authentication. If your deployment uses an LDAP directory,
you must use the Name Conversion utility as in previous releases. For information
on the Name Conversion utility, see the topic, ″About the Name Conversion
utility″ in this Sametime information center.
To change the administration server for a Domino database, you must have
Manager access to the database or be designated as a Full access administrator on
the Security tab of the Server document.
Field Enter
Administration Server Choose one of these:
v None -- If you do not want an
administration server assigned for the
database.
v Server -- Select a server from the list.
Choose one of these according to whether
you want modifications to the indicated
fields to occur during a rename group,
rename user, or rename server action; or
during a delete server, delete group, or
delete user action:
v Do not modify Names fields -- Names
fields are not updated during any of the
above rename and delete actions.
v Modify all Readers and Authors fields --
Reader and Author fields are updated
during the rename and delete actions
listed above.
v Modify all Names fields -- All names
fields are updated during any of the
rename or delete actions listed above.
Sample configurations:
AdminP operates with various configurations of the IBM Lotus Sametime server
and IBM Domino.
The Sametime and Domino directory are on the same server. When a rename is
made the AdminP add-in is notified and the callback updates the relevant
databases. After the Name Change Utility is run all users can see each other’s
updated names.
Two or more Domino servers, each hosting Lotus Sametime and a Domino
Directory
The Domino directories are replicated between all servers. Names.nsf and
admin4.nsf are replicated on all servers. A name change executed on either one of
these servers will trigger the AdminP process on both servers. Each AdminP
process updates only the database that their administration server matches. This
setting avoids replication conflicts.
Domino Directory hosted remotely from Lotus Sametime but within the same
Domino domain
One or more Lotus Sametime servers and Domino directory are in the same
domain. Each Lotus Sametime server accesses the Domino Directory through the
directory assistance feature. Since all are in the same domain and the remote
directory is accessed through da.nsf, updates are done on the remote directory and
This time, the Lotus Sametime servers and the Domino directory are in different
domains. For rename updates to go from the Domino directory on Domain A to
the Lotus Sametime servers on Domain B, a cross domain configuration should be
applied on these domains. When a name is updated on the directory in domain B,
a mail message is sent to domain A (assuming cross domain configuration is
applied). This mail message is treated as a request for the AdminP and is added to
the admin4.nsf which logs the request for the AdminP process.
The Sametime servers and Domino directory are in different domains, and the
Domino directory is not the primary directory for the deployment.
Two or more Domino Directories on remote servers, replicated with one or more
Lotus Sametime servers
The Lotus Sametime servers and the Domino directories are in different domains.
A Cross Domain Configuration should be applied and the da.nsf on each Lotus
Sametime server should point to the required NAB in the remote Domino cluster.
One server in the Domino environment (domain B) should be defined as the
Administration server of the Primary address book for the Domino Domain. The
da.nsf of each Lotus Sametime server should point to the NAB on this server.
You can use the AdminP feature to change a user’s name in IBM Lotus Sametime.
If your AdminP integration does not work properly, use the information below to
help resolve issues.
The AdminP feature is not working
1. Ensure the AdminP name change add-in is enabled by the following
line in the notes.ini:
EXTMGR_ADDINS=StUpdateAdminP.dll
2. Turn on the trace files flags, rename in the directory, and analyze the
trace files.
The trace files indicate that the JNI does not find the java class
1. Ensure the following files are located in the program directory:
v nadminp.exe
Directory Contains
StUpdateAdminP_080608_1046_ C trace files
2508_000.txt
stupdateJava_080608_1122.txt.0 Java code trace files for the AdminP name change
addin and Name Change API together
Validation
Verify that the stupdateJava_080624_1456.txt.0 trace file contains lines similar to the
following:
Jun 24, 2008 2:56:23 PM
com.ibm.sametime.stupdate.StUpdateDBs updateDb
FINE: from java method old name is CN=Sara Lester/O=AcmeCorp newName = CN=Sara Webster/O=AcmeCorp
To change the IP address for your Lotus Sametime Community server, follow these
steps:
1. Update your host table so that the new IP address is associated with the
appropriate host name. Make sure that the fully qualified host name is listed
first among the entries for your IBM i Lotus Sametime Community Server,
before any short names. For more information, see ″Updating the host table on
IBM i.″
2. Likewise, update your DNS entries so that the new IP address is associated
with the appropriate host name. Check whether your server is configured to
search the Domain Name Server (DNS) before the host table. If it is, you must
also make sure that the fully qualified host name of your Lotus Sametime
Community Server is listed first in the DNS. To check the configured search
order, see ″Updating the Domain Name Server for IBM i.″
3. Stop and restart the Lotus Sametime Community Server for the changes to take
effect.
The procedure described in this section can also be used to correct problems with
the configuration of your Sametime server. For example, if your TCP/IP host table
did not correctly list the fully qualified host name first at the time that you setup
your Lotus Sametime Community Server, many elements of your server
configuration may be incorrect. You can correct this problem by following this
procedure to change the host name of your Lotus Sametime Community Server.
Note: If your server is enabled for both IPv4 and IPv6 addressing, you must
manually update the sametime.ini file so that ″VPS HOST=″ is set to an
explicit IP address, rather than the host name, after running the
CHGLSTDOM command. See Configuring the Community Services for IPv6
for detailed instructions.
7. Start the IBM i Lotus Sametime Community Server.
8. Open the Domino directory (names.nsf) on your IBM i Lotus Sametime
Community Server and edit the Server document. Look at the Internet
Protocols - HTTP tab in the Server document and locate the Basics - Host
name(s) field.
9. The Basics - Host name(s) field may contain more than one name. If any of
the names are incorrect or not needed, delete them. Make sure that the correct
fully qualified host name is listed first in the field.
Note: If your server is configured for both IPv4 and IPv6 addressing, there
are additional considerations when updating the Host name field. See
Configuring Lotus Domino for IPv6 on IBM i for detailed instructions.
10. Save and close the Server document.
11. If you are using HTTP Tunneling with multiple IP addresses, then additional
configuration updates are required. See ″Updating the host names when using
HTTP Tunneling with multiple IP addresses″ later in this section.
12. Stop and restart the IBM i Lotus Sametime Community Server for the changes
to take effect.
Updating the IBM i host names when using HTTP Tunneling with multiple IP
addresses
If you are using HTTP Tunneling with multiple IP addresses, then you must
update your configuration manually after using the CHGLSTDOM command to
change the IBM i server host name. If you are not using HTTP Tunneling with
multiple IP addresses then this step is not applicable.
The CHGLSTDOM command placed the new host name in the tunneling host
name fields, but did not preserve the required prefixes, such as community-,
meeting- and broadcast-, in the Sametime configuration. Use the Sametime
Administration tool to update the host names in the following fields in the
″Connectivity″ section:
v Community Services Network settings -> Address for client connections-Host
name should have prefix of community-
v Community Services Network settings -> Address for HTTP tunneled client
connections-Host name should have prefix of community-
All monitoring charts are available from the Monitoring menu in the Sametime
Administration Tool. The charts that are available from the Miscellaneous link in
the Monitoring menu are part of the Domino Web Administration Tool. These
charts provide information on Web statistics, server memory, and disk space. To
view the status of the Sametime Community services since the last server restart,
click the Overview link in the Sametime Administration Tool. Also note that the
time of day that is listed in the monitoring charts is calculated according to the
browser’s time zone, not the server’s time zone.
1. Enter the URL for the Lotus Sametime Community server:
http://hostname /servlet/auth/admin
Where hostname is the fully qualified Domain Name Service (DNS) name or the
IP address of the Lotus Sametime Community server you want to administer.
2. Enter the administrator name and password specified during the Lotus
Sametime Community server installation.
3. Select Monitoring.
Note: To view the status of the Sametime services since the last server restart,
click Overview.
4. Select the appropriate chart for monitoring.
To access the Logins chart, open the Sametime Administration Tool and select
Monitoring → Logins. The Logins chart displays:
v Community Server Total Logins - The total number of logins to Community
Services, including multiple logins from the same user. For example, if a user is
logged in from both the Sametime Connect client and the Participant List
component of the Meeting Room, this chart records two logins for that user.
Internal components of the Community Services also log in to the Community
Services. These are intra-server connections between Community Services
components that occur as part of the normal operations of the Community
Services. These logins are also counted in the total logins chart.
v Community Server Total Unique Logins - If a user is simultaneously logged in
from multiple Community Services clients, this chart records only one login for
that user. A user logged in from multiple clients is considered a single ″unique″
login. Use this chart to determine the current number of Community Services
users
You can monitor various statistics and events from the Lotus Domino Web
Administration pages, including:
v Memory
v Statistics
v Disk Space
If you are configuring the Lotus Sametime Proxy Server to use SSL (Secure Socket
Layer), make sure the server’s certificate has been added to the Sametime System
Console’s trust store.
Any changes that you make to the credential and connection information on the
Connection Properties page does not change the actual settings on the Lotus
Sametime Proxy Server. These settings are only used by the Sametime System
Console to connect to the Sametime Proxy Server.
The Lotus Sametime Media Manager manages Lotus Sametime meeting rooms by
maintaining a dialog with each participant, and ensuring that all media flows
between those participants. The Lotus Sametime Media Manager supports
interactive IP audio and video capabilities and enables clients with the appropriate
hardware (sound card, microphone, speakers, and camera) to transmit and receive
real-time audio and video in a Lotus Sametime meeting room.
If you are configuring the Lotus Sametime Media Manager to use SSL (Secure
Socket Layer), make sure the server’s certificate has been added to the Sametime
System Console’s trust store.
Any changes that you make to the credential and connection information on the
Connection Properties page does not change the actual settings on the Lotus
Sametime Media Manager. These settings are only used by the Sametime System
Console to connect to the Sametime Media Manager.
IBM Lotus Sametime comes with voice chat. With voice chat, users can place and
receive audio calls with up to six participants by default, using their computer’s
and their chat partners’ computer audio capabilities. Once a user has a
computer-to-computer voice chat started, the user can convert it to a video call so
that the user can both see and hear call participants.
Voice chat works with user datagram protocol (UDP) packets which flow through
UDP ports on the firewall of every client machine to allow users to speak to other
users orally over the computer. The client machines use a single port (UDP port
20830 is the default) for all audio chats, so this port must be opened for both
incoming and outgoing UDP traffic.
Video calls also work with user datagram protocol (UDP) packets which flow
through UDP ports on the firewall of every client machine to allow users to see
video of users with whom they are chatting over the computer. The client
machines use a single port (UDP port 20832 is the default) for all video calls, so
this port must be opened for both incoming and outgoing UDP traffic.
The Lotus Sametime Media Manager scans the meeting participants and locates the
person currently speaking (transmitting audio packets). The Lotus Sametime Media
Manager performs switching operations as different people speak during a
meeting. When a meeting participant speaks, the Lotus Sametime Media Manager
locks onto that client’s audio stream and distributes that stream to all other clients
in the meeting. When a participant stops speaking, the Lotus Sametime Media
Manager waits for a brief period of time, and then begins scanning for the other
active audio clients.
The video follows the audio. When the Lotus Sametime Media Manager switches
to a new audio source (speaking person), the Lotus Sametime Media Manager
through its connections to the clients, ensures that the icon indicating the current
speaker is properly updated for all clients. After this update, the Lotus Sametime
Media Manager sets the video source to the person currently speaking. It is
important to ensure that the video does not switch too quickly. Rapid video
switching reduces usability and can consume considerable network bandwidth.
You can control the time interval that must pass before the video switches to the
new speaking person.
Note: If the current speaker does not have video capabilities or has the video
window paused, the Lotus Sametime Media Manager send’s the next loudest
speaker’s video as the active speaker to all participants.
By default, the Lotus Sametime Media Manager can lock onto and broadcast a
maximum of five audio streams at the same time. In a meeting, if five people
speak at the same time, it is possible for all meeting participants to simultaneously
hear five people speaking. The Lotus Sametime Media Manager designates the
audio stream that has been transmitting the longest (generally, the person who
started speaking first) as the primary audio stream. The source of the primary
audio stream is also the source of the video stream. Audio and video services
provided by the Lotus Sametime Media Manager have been tested and optimized
for sessions with six participants. The actual number of participants will vary
based on network and environmental conditions. The higher the number of
switched audio streams, then the more bandwidth that is required.
SIP makes use of elements called proxy servers to help route requests to the user’s
current location, authenticate and authorize users for media services, and provide
Lotus Sametime Media features to users. SIP also provides a registration function
that allows users to send their current locations for use by proxy servers.
The transport protocol determines the network transport mechanism to use for
sending SIP messages. The SIP proxy application examines all requests sent by the
Lotus Sametime Media Manager to determine whether a given request is sent by
an appropriate proxy application. All requests are routed according to the transport
protocol defined here.
1. Log in to the Integrated Solutions Console.
2. Click Sametime System Console → Sametime Servers → Sametime Media
Manager.
3. In the Sametime Media Managers list, click the deployment name of the Lotus
Sametime Media Manager.
4. Click the Configuration tab.
5. Under Server Integration, select a Transport protocol of UDP or TCP.
6. Set how frequently in seconds you want SIP to check if a client is still
connected. Enter a number between 30 and 300 in the Session expiration field.
7. Click OK.
8. Restart the Lotus Sametime Media Manager.
One of the key factors effecting video quality is the available network bandwidth.
The higher the video resolution, the more bandwidth is required and the better
quality. The Lotus Sametime video codec can automatically adapts to the available
bandwidth and reduces the bit-rate to a certain threshold for each chosen video
resolution. However, the quality will suffer when the available bandwidth becomes
too low, especially during peak utilization when the contention in the network
routers causes packet loss. Use the following information as the guideline to set the
desire codec resolution.
1. Log in to the Integrated Solutions Console.
2. Click Sametime System Console → Sametime Servers → Sametime Media
Manager.
3. In the Sametime Media Managers list, click the deployment name of the Lotus
Sametime Media Manager.
4. Click the Configuration tab.
To enable SSL, you must extract the certificate from the Lotus Sametime product
server and add it to the trust store of the Sametime System Console. The Lotus
Sametime product servers include:
v Lotus Sametime Meeting Server
v Lotus Sametime Proxy Server
v Lotus Sametime Media Manager
v Lotus Sametime Gateway Server
v SIP Proxy and Registrar
Follow these instructions. See the WebSphere Application Server information center
for more information on extracting and adding certificates.
1. Log in to the Integrated Solutions Console for the Lotus Sametime product
server.
2. Click Security → SSL certificate and key management → SSL configurations →
CellDefaultSSLSettings → Key stores and certificates → CellDefaultTrustStore
→ Signer certificates
3. Select the alias named root, and click Extract.
4. Enter the name of the .cer file, and select Base64 as the type for storing the
process server signer certificate.
5. Log in to the Integrated Solutions Console for the Lotus Sametime System
Console.
6. Click Security → SSL certificate and key management → SSL configurations →
CellDefaultSSLSettings → Key stores and certificates → CellDefaultTrustStore
→ Signer certificates
7. Click Add.
8. Enter an alias.
9. Enter the file name where you stored the extracted process server signer
certificate from the product server.
10. Click Apply.
11. Restart the Lotus Sametime System Console deployment manager.
If you are configuring the SIP Proxy and Registrar to use SSL (Secure Socket
Layer), make sure the server’s certificate has been added to the Sametime System
Console’s trust store.
Any changes that you make to the credential and connection information on the
Connection Properties page does not change the actual settings on the SIP Proxy
and Registrar. These settings are only used by the Sametime System Console to
connect to the SIP Proxy and Registrar.
SIP makes use of elements called proxy servers to help route requests to the user’s
current location, authenticate and authorize users to access media services, and
provide Lotus Sametime media features to users.
1. Log in to the Integrated Solutions Console.
2. Click Sametime System Console → Sametime Servers → SIP Proxies and
Registrars.
3. Click the Deployment Name of the SIP Proxy server.
4. In SIP Proxy and Registrar, click Proxy Administration.
5. Use the following table to set basic SIP proxy properties:
Option Description
Record route mode When record route mode is enabled, the
optional Record-Route header is inserted by
the SIP proxy server that wants to remain in
the signalling path for the duration of the
session. The Record-Route header is used to
establish a route for transactions belonging
to a session. When record route mode is
disabled, SIP messages flow directly through
the SIP gateways once a call has been
established.
6. Lotus Sametime forces all requests from clients to be routed through the SIP
proxy server. The SIP proxy server examines all requests to determine whether
a given request is sent by an appropriate proxy application. You can also force
all requests to be routed according to the host and port defined here:
Option Description
Forced routing host The fully qualified host name of the server
Forced routing port Port on the server through which requests
are routed.
Scheme The scheme can be either SIP or SIPS, which
is a secure version of SIP.
Transport Determines the network transport
mechanism to use for sending SIP messages:
TCP, UDP, or TLS.
7. Configure a new static route where proxy requests travel through a fixed path.
If no match is found in its registrations table, the SIP Proxy can use static
routes to determine where to forward the request. Static routes also are used
for requests for domains that are not served by the SIP Proxy.
a. Under Static Routes, click New Static Route.
b. Enter a matching rule for the Request-URI in the Route Address Pattern
field. It can be a regular expression or a SIP URI.
c. Specifies the destination to send the request to in the Destination Address
field.
d. Click Same Request URI to define whether or not to keep the
Request-URI or replace it with the Destination Address. When this check
box is selected, the SIP Proxy pushes the destination address into the
Route header field, the Request-URI is left unchanged; otherwise, the
Request-URI of the incoming request is replaced with the address defined
in the Destination Address field
8. Specify Handled Domains. These are domains that are managed by the SIP
Proxy and Registrar
9. Click OK.
10. Restart the SIP Proxy and Registrar.
SIP provides a registrar that allows users to send their current locations for use by
proxy servers. The SIP registrar accepts user requests and places the information it
receives from those requests into the registration table. Registration is how media
Follow these steps to set expiration properties for the SIP registrar.
1. Log in to the Integrated Solutions Console.
2. Click Sametime System Console → Sametime Servers → SIP Proxies and
Registrars.
3. Click the Deployment Name of the SIP Proxy server.
4. In SIP Proxy and Registrar, click Registrar Administration.
5. In the Default Registration Expiration field, type a value in seconds to use as
the registration expiration when there is no such parameter set in the user
request.
6. In the Minimum Registration Expiration field, type a value in seconds for the
minimum expiration interval the SIP Registrar is willing to honor. A request
with an expiration interval lower than the minimum expiration will be rejected.
7. Click OK.
8. Restart the SIP Proxy and Registrar.
The registration of the user occurs during client login and is extended by the client
automatically if the client remains logged in. The registration table is a location
service used by a SIP to obtain information about a user’s possible location. The
registration table specifies the SIP addresses associated with device addresses, as
well as the expiration times for currently registered users.
1. Log in to the Integrated Solutions Console.
2. Click Sametime System Console → Sametime Servers → SIP Proxies and
Registrars.
3. Click the Deployment Name of the SIP Proxy server.
4. In SIP Proxy and Registrar, click Registered Bindings. Use this page to find,
view, or delete bindings.
5. Use the following table to view binding properties:
Option Description
SIP URI Identifies a user in IBM Lotus Sametime. A
SIP URI contains the information to initiate
and maintain a communication session with
another user. It can have the following
formats: sip:user_identifier@host or
sips:user_identifier@host.
Device Address The location of the machine into which the
user is currently logged. The format is
sip:host:port;transport=<transport-type>.
If you do not add any domains to the Handled Domains page, then all domains
will be managed by the SIP Proxy and Registrar.
1. Log in to the Integrated Solutions Console.
2. Click Sametime System Console → Sametime Servers → SIP Proxies and
Registrars.
3. Click the Deployment Name of the SIP Proxy server.
4. In SIP Proxy and Registrar, click Handled Domains.
5. To add a domain which will be handled by the SIP Proxy and Registrar, enter a
domain in the Domain field and click Add.
6. Click OK.
If you are configuring the Lotus Sametime Meeting Server to use SSL (Secure
Socket Layer), make sure the server’s certificate has been added to the Sametime
System Console’s trust store.
Any changes that you make to the credential and connection information on the
Connection Properties page does not change the actual settings on the Lotus
You can edit but not delete any of the file conversion settings that come installed
with IBM Lotus Sametime. You can delete any new settings that you have added.
1. Log in to the Integrated Solutions Console.
2. Click Sametime System Console → Sametime Servers → Sametime Meeting
Servers.
3. In the Meeting Servers list, click a server with the configuration that you want
to change.
4. Click the Server Configuration tab.
5. Click Edit.
6. Edit the appropriate configuration value. You can only edit the value; you
cannot edit a configuration key name.
Table 30. Configuration key values
Configuration Key Default Configuration Value Description
docshare.conversion.include pdf, sam, bmp, gif, cgm, htm, List of file type extensions
html, jpg, jpeg, jpe, 123, wk3, that can be converted by the
wk4, 123, pre, prz, pic, lwp, xls, Lotus Sametime Meeting
xlsx, ppt, pptx, doc, docx, sdd, Server for document sharing.
sxi, sxw, sdc, sxc, pcx, pct, png, Separate extensions by a
rft, rtf, ods, odp, odt, tiff, tif, comma.
eps, txt, bat, ini, vsd, wmf,
wpd, wpg, wpg2, xml
Examples:
c:\temp\docshare
or /opt/temp
docshare.native.codebase c:\Program Location of the executable
Files\IBM\Websphere\ file for the Lotus Sametime
STMeetingServer\stellent\ Meeting Server document
exporter.exe conversion.
Examples:
c:\Program
Files\IBM\Websphere\
STMeetingServer\stellent\
exporter.exe
or/opt/IBM/WebSphere/
STMeetingServer/stellent/
exporter
docshare.remote.url Blank. URL to a remote Lotus
Sametime Meeting Server for
document conversion. Leave
blank for local conversion.
Example:
http://
hostname.domain.com/
DocumentShare/docshare
7. Click OK.
Results
Meeting rooms are not required to have passwords by default. You can change this
configuration setting so that meeting rooms are required to have passwords.
1. Log in to the Integrated Solutions Console.
2. Click Sametime System Console → Sametime Servers → Sametime Meeting
Servers.
3. In the Meeting Servers list, click a server with the configuration that you want
to change.
4. Click the Server Configuration tab.
Option Description
0 No password required. This is the default
value.
1 Password required. The password must
contain at least five characters.
2 Strong password required.
8. Click OK.
Results
Unauthenticated users have limited access to the Meeting Room Center. They can
view information in the Meeting Room Center, but they can never create meeting
rooms or edit meeting room information. You can change this default value to
completely deny them access to the Meeting Room Center.
1. Log in to the Integrated Solutions Console.
2. Click Sametime System Console → Sametime Servers → Sametime Meeting
Servers.
3. In the Meeting Servers list, click a server with the configuration that you want
to change.
4. Click the Server Configuration tab.
5. Click Edit.
6. Scroll down to the meetingroomcenter.allowGuestAccess configuration key.
You can only edit the value; you cannot edit a configuration key name.
7. In the Configuration Value field, type 0 to deny unauthenticated user access to
the Meeting Room Center.
Note: If you change your mind, or if you ever want to grant unauthenticated
user access, type 1.
8. Click OK.
Results
You must have an Lotus Sametime Proxy server installed and configured. You
must set up SSO between the Lotus Sametime Meeting Server and the Lotus
Sametime Community Server.
1. Log in to the Integrated Solutions Console.
2. Click Sametime System Console → Sametime Servers → Sametime Meeting
Servers.
3. In the Meeting Servers list, click a server with the configuration that you want
to change.
4. Click the Server Configuration tab.
5. Click Edit.
6. Scroll down to the meetingroomcenter.stProxyAddress configuration key. You
can only edit the value; you cannot edit a configuration key name.
7. Enter the URL for the Lotus Sametime Proxy server used fore awareness in the
Configuration Value field. For example:
http://myhostname.mydomain.com:9080
8. Click OK.
9. Restart the Lotus Sametime Meeting Server.
Related tasks
Setting up SSO between the Lotus Sametime Meeting Server and the Lotus
Sametime Community Server
You should set up single sign-on (SSO) between the IBM Lotus Sametime Meeting
server and the Lotus Sametime Community Server. The Lotus Sametime Proxy
server does not need to be setup for SSO with the other two servers.
The custom configuration keys that you create yourself display after the
configuration keys that come pre-configured with the Lotus Sametime Meeting
Server. Custom configuration keys that you create yourself can be edited and these
are the only configuration keys that can be deleted. Do not edit or delete any of
the pre-configured custom configuration keys unless directed to do so by IBM.
Full-text indexing takes advantage of the IBM DB2 Text Search service to build,
maintain, and search by an enhanced set of indexes on the meeting room name
and owner name. This augments search performance.
Full-text indexing is only used when you explicitly search for listed meeting rooms
from the meeting room search box. It is not used when you search for hidden
rooms, access My Meeting Rooms or access a Selected Contact’s Meeting Rooms.
Full-text indexes are created for both the room name and owner name.
Full-text indexes are updated every 12 hours. Rooms created in the past 24 hours
cannot be found by their full-text index, but can be found by a limited table scan.
This action avoids missing a room because the index has not been created, yet.
Once a room has been live for more than 24 hours, full-text indexing is available.
What to do next
If you restart the server, the service does not restart automatically.
On Windows, you can go into Services and change the DB2TS service to start
automatically. From the Start menu, click Run, and type services.msc, and change
the DB2TS services to start automatically.
On Linux, you can edit one of the startup scripts to start db2ts when you restart.
The command to start db2ts is db2ts start for text.
What to do next
These steps are sufficient to turn off full-text indexing; however, the full-text
indexes still exist and take up disk space. If you want to permanently delete the
full-text indexes, copy dropFullTextIndexing.bat/sh to the DB2 bin directory and
run dropFullTextIndex.bat/sh database_name. For example,
Determine the routing prefix. The routing prefix is the alias which will be used to
route requests to the remote server. This value can be any string value and should
make logical sense to the user since it will appear in the meeting URL. For
example, if you are setting up routing between the US and Europe, you may want
to choose /eu for the routing prefix for Europe and /us for the United states. This
value will be entered into a URI Group and will be used as the key to routing http
requests to the remote server.
Only administrators can view statistics for meeting rooms. Other Lotus Sametime
users cannot view meeting room statistics. Deleted meeting rooms are not included
in these statistics.
1. Log in to the Lotus Sametime Meeting Room Center.
http://hostname/stmeetings/
2. Click Meeting Room Statistics.
3. Click one of the following views:
Option Description
Summary Displays the total number of rooms and
active participants, and the total size of all
libraries. An active participant is a
participant that is currently in a room.
Active rooms Lists all the rooms by meeting room name
that currently have participants.
Usage by room Lists all active and inactive rooms by
meeting room name.
Usage by owner Lists all room owners by Sametime ID.
Rooms can be active or inactive.
You can click on a column heading in any view to sort the information.
In the Active room or Usage by room views, you can click an owner or room
name to get detailed usage statistics on that particular owner or room. In the
Usage by owner view, you can click an owner name to get detailed usage
statistics.
The default Lotus Sametime configuration requires that DB2 be shut down for
backup. This is because by default, DB2 is configured to reuse the recovery logs. If
you want online backup, the database can be configured to archive the recovery
logs. In that case, the database is backed up, and all archived recovery logs are
backed up. The recovery logs that have been backed up must also be periodically
removed. If the database runs out of space to archive the recovery logs, the
database will stop accepting changes until space is available.
If you are configuring the Lotus Sametime Gateway Server to use SSL (Secure
Socket Layer), make sure the server’s certificate has been added to the Sametime
System Console’s trust store.
Any changes that you make to the credential and connection information on the
Connection Properties page does not change the actual settings on the Lotus
Sametime Gateway Server. These settings are only used by the Sametime System
Console to connect to the Sametime Gateway Server.
Before you assign users, you must first add an external community or
clearinghouse and set its properties. You must also make sure that the IBM Lotus
Sametime Gateway is configured for use with an LDAP directory that contains
person records of users in the local Sametime community.
Expected state:
v Single server: the Lotus Sametime Gateway server is started.
v Cluster: the Deployment Manager is started, and the node agent and Sametime
Gateway server are started on at least one node.
1. In the Integrated Solutions Console, click Sametime Gateway → Communities
.
2. Select an external community from the table.
3. Click Assign users.
4. Determine if you want to assign equal access to the external community or
clearinghouse for everyone or set access for each user.
v Select Assign access to all users for this route to give everyone the same
access.
v Select Assign access to individual users and groups for this route to set
access for each user.
5. In the Search by field, select group. first name, or last name.
6. In the Search for field, type the name, or use an asterisk (*) as a wildcard
7. From the Search results, select the users to be given access to the external
community. Use the Page buttons to see additional names. Search results show
names from the local community only because only local users may be
assigned to an external or clearinghouse community.
8. Select users and click Add to assign the users. Note that any user assigned to
access the external community automatically receives both instant messaging
and presence capabilities. These capabilities cannot be changed.
9. Optional. To take names off the assigned users list, select the users and click
Remove Selected Names.
10. Click OK.
What to do next
Finding users
Determine if a local user is assigned access to an external community. In addition,
determine the capabilities assigned to the user.
You must create an external community and assign users to the community first.
Expected state:
v Single server: the Lotus Sametime Gateway server is started.
v Cluster: the Deployment Manager is started, and the node agent and Sametime
Gateway server are started on at least one node.
1. In the Integrated Solutions Console, click Sametime Gateway → Communities .
2. Select an external community from the table.
3. Click Find Users.
4. Type the user’s e-mail address and click Search to determine if the user is
assigned to access the external or clearinghouse community, and to see the
capabilities assigned to the user.
Related reference
“Find user” on page 443
Find a user in LDAP and view the capabilities that the user has permission to use
when accessing the selected instant messaging community.
Viewing users
Determine the users and groups that are assigned to access an external community
or clearinghouse community.
You must create an external community and assign users and groups to the
community first.
Expected state:
v Single server: the Lotus Sametime Gateway server is started.
v Cluster: the Deployment Manager is started, and the node agent and Sametime
Gateway server are started on at least one node.
1. In the Integrated Solutions Console, click Sametime Gateway → Communities .
2. Click the name of an external or clearing house community to open the details
about that community.
The message handler must be a J2EE application that implements the Lotus
Sametime Gateway plug-in API. See the Lotus Sametime Gateway Integration
Guide that is included in the Lotus Sametime Software Development Kit for
information on how to create a message handler plug-in.
Expected state:
v Single server: the Lotus Sametime Gateway server is started.
v Cluster: the Deployment Manager is started, and the node agent and Sametime
Gateway server are started on at least one node.
1. To add a message handler to Lotus Sametime Gateway, log into the Integrated
Solutions Console (http://localhost:9060/ibm/console) and click Applications
→ Enterprise Applications.
2. Click Install and follow the instructions for installing the application.
3. Click Start to start the application. Starting the application causes it to appear
in the list of message handlers.
4. Click Sametime Gateway → Message Handlers to view the message handler
list.
5. Click the newly installed message handler to edit its properties.
6. Select the type: event logger, access control list, user locator, or other.
7. Optional. Select Run the message handler regardless of whether previous
handlers complete their processing of messages. If not selected, the message
handler does not run if the preceding message handler failed to complete its
handling of a message.
8. Click OK. You should now be back on the message handler list page.
9. Click Sametime Gateway → Message Handlers, select a message handler, and
click the Move Up and Move Down buttons to change the order in which the
message handler processes messages. Note that User locator message handler
must be first and the Event logger message handle must be last.
10. On the Message Handler list page, select the newly installed message handler
and click Enable.
To remove a message handler, you must disable the message handler first, and
then uninstall the plug-in through WebSphere Application Server.
Related reference
“Troubleshooting message handlers” on page 533
This topic discusses how to troubleshoot message handlers in various stopped and
started or enabled and disabled conditions.
“Message handler properties” on page 443
Use this page to configure the properties of a message handler such as the user
locator, authorization controller, or event logger.
“Message handler list” on page 445
Use this page to configure message handlers that perform such tasks as finding
users in the local community for whom to relay messages, checking the access
control for local community members, and logging IBM Lotus Sametime Gateway
events. Message handlers that are provided by Lotus Sametime Gateway, with the
exception of the Event logger, do not need configuring.
You can find recommendations in the Lotus Sametime wiki on the following areas:
v Log files lifecycle and maintenance
v Renewing any SSL certificates
v Monitoring communities
v Periodic maintenance for DB2
v Recycling of Websphere processes
v File system cleanup
Reference
This topic provides property reference help for the administrative user interface,
scripting commands, and sample JACL scripts.
Use this page to set the maximum chat sessions. You can also specify domains
from which to block messages.
This option sets the maximum instant messaging and presence sessions. A limit of
1000 instant messaging and 1000 presence sessions is set by default. Note that
Value Meaning
-1 no limit
0 no sessions allowed
n n sessions allowed, where n is any integer between 1 and 2147483647
Blacklist domains
Specify the DNS blacklist sites to check when the Lotus Sametime Gateway
receives a subscription request. The Lotus Sametime Gateway rejects messages
when either the destination or source domains are in this list. Use Fully qualified
domain names or TCP/IP addresses separated by a comma, semicolon, or space.
Wild cards using an asterisk in the left-most subdomain position are allowed. For
example, *.spamalot.com is allowed.
Related tasks
“Setting a global limit on sessions” on page 486
You can set a global limit for the maximum number of sessions allowed on a
server, which helps prevent out-of-memory errors. The value set here will
supersede a larger value set in the “Route maximum sessions” property.
“Setting the blacklist domains” on page 236
You can specify the DNS blacklisted sites to check when the Lotus Sametime
Gateway receives a subscription request. A blacklisted domain is an e-mail address
domain that you do not want to give access through Lotus Sametime Gateway.
View the list of communities and use the list as the starting place to set up
communities, assign local users access to external communities, and set properties
on communities. The communities list shows the community name, the type of
community, and the translation protocol used.
Task buttons
Use the communities list to create a new community or edit the properties of an
existing community. Select a community first before using the button actions.
Name
The name is the name given to the community when the community is first
created. Click a name to configure properties or assign users to the community.
Type
Translation protocol
Assign users
Click this link to assign users and groups to the route to this community. Note that
you must first create the community, and then select the community in the table
before you can assign users to the community.
View users
Click this link to view users assigned to the route for this community. Note that
you must first create the community, and then select the community in the table
before you can view users in the community.
Community properties:
Use this page to connect IBM Lotus Sametime Gateway to one internal community
and multiple external communities, or to edit the connection properties of an
existing community. Specify the type of community, the domains to use when
accessing the community, the translation protocol that Lotus Sametime Gateway
uses to communicate with the community, connection details, and any custom
properties for the connection or community. After you create a community, use the
Assign local users to this community link to give permission to local users to
access the external or clearinghouse community.
Name
Community type
Click this link to add custom properties to the community, or edit existing custom
properties. Some external communities may require extending the Lotus Sametime
Gateway functionality by adding a custom property in order to connect to the
community.
Domains
Type at least one unique, Fully qualified domain name or TCP/IP address for the
community. List multiple domain names separated by a comma, semicolon, or
space. Domain names have two or more parts separated by dots, such as
acme.com. Each domain name must access the same user directory. For example:
acme.com, us.acme.com, fr.acme.com, de.acme.com must access the same user
directory in the community. The wildcard asterisk (*) is accepted in the first
subdomain only.
Instant messaging
communities Available domains
AOL Instant aol.net, corp.aol.com, aol.com
Messenger
Google Talk gmail.com
Note: When adding Yahoo domains, do not use yahoo domains other
than yahoo.com and the partner domains listed above. Yahoo domains
such as yahoo.ca and yahoo.co.uk are not supported. If a user wants
to add an external contact such as jsmith@yahoo.ca, the user must
enter the contact as jsmith@yahoo.com. Note that users who have
Yahoo Japan e-mail addresses using the domain yahoo.co.jp cannot
use Lotus Sametime Gateway. Yahoo Japan is a separate company
whose network is completely separate from Yahoo.com.
Translation protocol
Click this link to view translation protocol properties and custom properties for the
protocol.
Connection
Specify the connection properties that the Lotus Sametime Gateway uses to connect
to the local, external, or clearinghouse community. You are prompted for
connection information based on the translation protocol that you select.
Hostname: iopibm.msg.yahoo.com
External SIP for Sametime 5060 TCP Host name: domain name of the external
Gateway or (5060) Sametime Gateway server or Sametime
5061 Server such as AcmeServer1.com, for
SIP for legacy TLS example.
Sametime (5061)
Gateway Domains: list of domains used by the
external Sametime community.
External XMPP (for 5269 TCP Requires that you set up a domain service
Google Talk) (SRV) record and publish it to DNS if
connecting to Google Talk.
Route properties
You must add an internal community before you can view or edit Route
properties.
Set the maximum sessions for each capability for the route
Select to set the maximum sessions for each capability on the route. Sessions
should always be larger than presence. Note that global maximum allowed Lotus
Sametime Gateway sessions override the maximum sessions for each capability. To
increase maximum sessions for each capability, make sure you increase the
maximum allowed Lotus Sametime Gateway sessions.
Value Meaning
-1 no limit
0 no sessions allowed
n n sessions allowed, where n is any integer between 1 and
35000.
Select the capabilities, instant messaging and presence, to assign to the route. Both
capabilities are assigned to the route and are disabled. You must click Assign users
to complete the set up of the community by assigning users to use the route.
Related tasks
“Adding external Sametime communities” on page 225
Add an external Sametime community to IBM Lotus Sametime Gateway. You
connect to a Sametime community by specifying domains in the external
community, selecting a translation protocol, and setting the host name, port, and
transport protocol for the external community.
“Connecting to the AOL clearinghouse community” on page 214
Use this procedure to add the AOL clearinghouse community to IBM Lotus
Sametime Gateway. The AOL clearinghouse connects your Sametime users to a
wide community that includes AOL, ICQ, iChat, and other users from AOL
Enterprise Federation Partner communities, including external Sametime
communities. Connect to the AOL clearinghouse community or the AOL
community, but not both, as the former is a superset of the latter.
“Adding a local Community Server to Sametime Gateway” on page 208
Connect a local Lotus Sametime Community Server or Lotus Sametime community
cluster to Lotus Sametime Gateway to enable Lotus Sametime users to have instant
messaging with external users.
Name
Use this page to view properties for translation protocols. A translation protocol is
a communication standard used by a collaborative service provider to initiate
interactive, real-time sessions between users. You cannot edit the Name or Java
Class.
Name
Java Class
Custom properties
Click the custom properties to set name and value pairs for the translation
protocol, or to edit the session timeout or subscription timeout properties for
SIP-based protocols. This link supports the configuration of custom properties,
allowing you to capture third-party software requirements that are not covered by
the configuration provided by the Lotus Sametime Gateway.
Assign users:
Assign users and groups from the local community permission to exchange
real-time messages with an external community or clearinghouse community. Use
this panel to control access to Sametime Gateway and external messaging
communities.
Select capabilities
Assign access
Select to allow access to the external community to all users, or select to allow
access to the external community to individual users and groups in the local
directory. When you select the All users option, the user interface hides the Search
and assign users and groups field.
Use the Search by field to select one of the attributes by which you want to search.
The default value is Group.
Use the Search for field to type a value that you want to search for, or use the
wildcard character (*). The default value is * (all). Whether the search is
case-sensitive depends on the user registry that is being used. For example, you
might type these values if searching by group:
v To search for all groups, type *.
v To search for groups that begin with the letters luc, type luc*.
v To search for groups that end with the letters cas, type *cas.
v To search for groups that begin with the letters lu and ending with the letter s,
type lu*s.
In the Maximum results field, type the maximum number of search results that
you want to be displayed. Valid values are 1 to 100.
Click Search to find and display a list of one or more existing users that match
your search criteria.
In the Search results table, use the Select column to select individual or multiple
users or groups. Click the select all icon ( ) to select all users listed. Only those
visible on the table are selected if the list of users takes more than one page. If you
have more than one page, you must select users from additional pages separately.
You can then clear (deselect) only those users that you do not want to select.
Click the deselect all icon ( ) to clear all check boxes on the visible page of the
table only.
The Name column lists group names if groups are searched, or short names or
user ID if last names or first names are searched.
442 Lotus Sametime: Installation and Administration Guide Part 2
The E-mail column lists the e-mail address of the user. Nothing appears in this
column when you are searching for groups.
In the Selected names field, after you select names, click Add to move the selected
groups or names to the Selected names table. The names in the Selected names
table have access to the external community. The Selected names table may
potentially be very large, so it displays names over several pages if necessary. Data
are thus sorted by data subset only. To use the Remove selected name tool, select a
name and click this button to remove users from accessing the external community
through the Lotus Sametime Gateway.
Related tasks
“Assigning users access to external communities” on page 429
Assign local users access to external or clearinghouse communities so that they can
exchange real-time communications with users from external communities. You can
assign access only for local users.
Find user:
Find a user in LDAP and view the capabilities that the user has permission to use
when accessing the selected instant messaging community.
Purpose
Use this page to determine if a local user is assigned to access the external or
clearinghouse community. Also, you can determine the capabilities such as instant
messaging and presence that are assigned to the user.
General properties
Type the user’s e-mail address and click Search to return a list of capabilities.
Related tasks
“Finding users” on page 430
Determine if a local user is assigned access to an external community. In addition,
determine the capabilities assigned to the user.
View users:
See who has access to exchange real-time messaging with an external community
or clearinghouse.
Purpose
Use this page to view a list of users who have access to capabilities on the route
between the local IBM Lotus Sametime community and an external community.
General Properties
Message handlers, also known as plug-ins, process instant messages as they pass
through IBM Lotus Sametime Gateway. They perform such tasks as locating users,
checking the access list to use, checking for spam instant messages, and logging
events. Messages are processed by handlers in the order that the message handlers
appear in the list. Message handlers that are installed and started but are not yet
configured are labeled Undefined in the message handler list. The User locator
message handler must always be first on the message handler list. The event log
handler must run and appear last in the list.
Message handlers are WebSphere Application Server applications that you install
through the Integrated Solutions Console by clicking Applications → Enterprise
Applications.
Name
There are three message handlers that are part of Lotus Sametime Gateway and
cannot be removed:
Select the type of message handler. Choices are User locator, Access control, Event
log, and Other. When a message handler is first installed, the default type is
undefined and its status is disabled. To enable the message handler, you must
select Enable the message handler .
Run this message handler regardless of the status of previous message handlers
Select to make running the message handler mandatory. That is, run the message
handler regardless of whether a previously run message handler completed its
process or encountered an error. If this setting is not selected, and any preceding
message handler raises an error, the message handler will not run. A message
handler that is not mandatory is considered conditional.
For example, the table that follows shows that in processing a message the Custom
User Locator raises an error. Consequently, the mandatory Virus Checker and
System Logger handlers run (in that order), while the conditional handlers, the
SPIM Filter and the Custom Logger are skipped.
Mandatory or
Name Type Conditional Status
Default User Locator Access Control List Conditional Run
Custom User Locator Access Control List Conditional Error
Virus Checker Virus Checker Mandatory Run
SPIM Filter Other Conditional Skip
Custom Logger Event Logger Conditional Skip
System Logger Event Logger Mandatory Run
Custom properties
Use this page to configure message handlers that perform such tasks as finding
users in the local community for whom to relay messages, checking the access
control for local community members, and logging IBM Lotus Sametime Gateway
events. Message handlers that are provided by Lotus Sametime Gateway, with the
exception of the Event logger, do not need configuring.
Message handlers are WebSphere Application Server applications that you install
using the Integrated Solutions Console by clicking Applications → Enterprise
You can enable and disable message handlers or move message handlers up or
down to change the order in which a message handler processes messages.
Note: The Default User Locator must be at the top of the list.
Table columns
Use the Select column to select individual or multiple message handlers. Click the
select all icon ( ) to select all message handlers listed, if, for example, you want
to enable or disable all message handlers. Only those visible on the table are
selected if the list of message handlers takes more than one page. If you have more
than one page, you must select handlers from additional pages separately. You can
then clear (deselect) only those message handlers that you do not want to select.
Click the deselect all icon ( ) to clear all check boxes on the visible page of the
table only.
The Name is the programmatic name of the message handler. Click the name to
view or edit the message handler properties.
The Type is one of four types assigned to the message handler. The type provides
a general description of the message handler’s purpose but has no effect on how
the message handler functions.
Use this page to create new properties or to edit existing custom properties for
communities, message handlers, connections, or translation protocols. Custom
Buttons
Use this page to edit custom properties for a community, translation protocol, or
message handler. You can also specify new properties that are needed to configure
third-party elements used by the IBM Lotus Sametime Gateway.
You can set arbitrary name-value pairs of data, where the name is a property key
and any value that can be used to set internal system configuration properties.
Defining a new property enables you to configure a setting beyond that which is
available in the Integrated Solutions Console. The Lotus Sametime Gateway
contains several custom properties pages that work similarly to other property
pages in the Integrated Solutions Console.
You can change the value of a translation protocol custom property and add a new
name-value pair to an existing translation protocol. You can add new name-value
pairs when adding a third party message handler or when changing the properties
of an existing message handler.
Required
Required properties are those custom properties that are provided by the Lotus
Sametime Gateway. If you create a new custom property, it cannot be considered
required. Required properties cannot be deleted or renamed, but you can edit the
Value and Description fields.
Name
Specifies the name (or key) for the property. Each property name must be unique.
If the same name is used for multiple properties, the value specified for the first
property that has that name is used. Do not start your property names with was
because this prefix is reserved for properties that are predefined in the application
server. Existing custom property names must not be changed if they are required,
although you can change the value.
Description
Lotus Sametime Gateway provides the following default properties that you can
change to fit your environment.
Custom
Property Type Name Default value
Message Event logger enableContentLogging
0 (disabled)
handler
Message Event logger enableImLogging 0 (disabled)
handler
Message Event logger enablePresenceLogging
0 (disabled)
handler
Translation SIP for Sametime session_timeout 3600 (seconds)
protocol Gateway, legacy
Sametime
Gateway, AOL,
Office
Communications
Server, Yahoo
Translation legacy Sametime subscription_timeout
3600 (seconds)
protocol Gateway
Community SIP for AOL servers 205.188.*.*, 64.12.*.*
Note: If the host name is an
IPv6–format network address, set an
explicit address here; do not use an
abbreviated address (no brackets, no
leading zeroes). For example, all of
these IPv6–format network addresses
are equivalent, but only the first form
is accepted:
v 1:2:0:0:0:6:7:8 [acceptable]
v 1:2::6:7:8 [do not use this
abbreviated format]
v 01:2:0:0:0:006:0007:8 [do not use
leading zeroes]
Wildcards (such as 205:188:*:*) are
supported, as well as a mixture of
IPv4 and IPv6 network addresses.
Script commands
Lotus Sametime Gateway provides many wsadmin script commands to help you
administer and maintain the Lotus Sametime Gateway.
The Lotus Sametime Gateway accepts a hash table in string format ($HashString)
from the wsadmin script. A hash table, or a hash map, is a data structure that
associates keys with values. The primary operation it supports efficiently is a look
up. For example, when given a key such as person’s e-mail address for example,
find the corresponding value for that person’s Virtual Member Manager (VMM)
ID. The hash table works by transforming the key using a hash function into a
hash, a number that the hash table uses to locate the desired value. The script
commands handles objects in the Lotus Sametime Gateway such as a community,
translation protocol, message handler, and so on, in which each entry’s key is the
name of an attribute in the object, and the entry’s value is the associated object
value. If there is a nested object in the encoded object, this is represented by a
nested hash table.
Jacl reference
Wsadmin tool
A hash string has the following format (white space ignored except in quotation
marks):
key=value,...
Or:
{key=value,...}
Or:
{key=value}
Or:
[{key=value},...]
String A sequence of any characters except quotation mark (″), apostrophe (’),
comma (,), backslash (\), and space ( ). However, you can include the
above characters by enclosing in single or double quotes. But a nested
single or double quote must be escaped by preceding it with a backslash.
The backslash is excluded.
Examples
getRestrictedDomains:
Syntax
getRestrictedDomains
Purpose
Sample
This sample returns a list of blacklisted domains in the Lotus Sametime Gateway:
set ons [$AdminControl completeObjectName type=RTCAdminMbean,*]
$AdminControl invoke $ons getRestrictedDomains
addRestrictedDomain:
Syntax
addRestrictedDomain ″domain_name″
Parameter Description
domain_name A Fully qualified domain name or IP
address.
Purpose
Sample
Syntax
deleteRestrictedDomain ″domain_name″
Parameter Desription
domain_name A Fully qualified domain name or IP
address.
Purpose
Sample
setMaxIMSessions:
Syntax
setMaxIMSessions session_count
Parameter Description
session_count Maximum instant messaging sessions in the
Lotus Sametime Gateway.
Purpose
The setMaxIMSessions command sets the maximum instant messaging sessions for
the Lotus Sametime Gateway. Note that maximum sessions set with this command
override community-based settings.
Sample
setMaxPresenceSessions:
Syntax
setMaxPresenceSessions session_count
Parameter Description
session_count Maximum presence sessions in the Lotus
Sametime Gateway.
Purpose
Sample
This sample allows 1000 presence sessions in the Lotus Sametime Gateway:
set ons [$AdminControl completeObjectName type=RTCAdminMbean,*]
$AdminControl invoke $ons setMaxPresenceSessions 1000
getMaxIMSessions:
Syntax
getMaxIMSessions
Purpose
Sample
This sample gets the maximum sessions allowed in the Lotus Sametime Gateway:
set ons [$AdminControl completeObjectName type=RTCAdminMbean,*]
$AdminControl invoke $ons getMaxIMSessions
getMaxPresenceSessions:
Syntax
getMaxPresenceSessions
Purpose
Sample
This sample gets the maximum presence sessions allowed in the Lotus Sametime
Gateway:
set ons [$AdminControl completeObjectName type=RTCAdminMbean,*]
$AdminControl invoke $ons getMaxPresenceSessions
getAuthenticationAliases:
Returns an array containing the valid authentication types for the Lotus Sametime
Gateway.
Syntax
getAuthenticationAliases
Purpose
Sample
This sample gets the authentication types in the Lotus Sametime Gateway:
set ons [$AdminControl completeObjectName type=RTCAdminMbean,*]
$AdminControl invoke $ons getAuthenticationAliases
getUserIDBye-mailAddress:
Syntax
Purpose
Sample
getPersonPropertiesByVMMID:
Returns a person’s display name and e-mail address based on their VMM ID.
Syntax
getPersonPropertiesByVMMID ″vmmid″
Purpose
Sample
This sample program first get the user IDs from e-mail addresses, then uses the
result to obtain properties of the users based on their VMM ID.
set ons [$AdminControl completeObjectName type=RTCAdminMbean,*] $AdminControl
set m [$AdminControl invoke $ons getUserIDBye-mailAddress ahernm@us.ibm.com]
set p [$AdminControl invoke $ons getUserIDBye-mailAddress wangpin@us.ibm.com]
$AdminControl invoke $ons getPersonPropertiesByVMMID "$m $p"
getListGroupsOfUser:
Returns the list of groups a person is member of, including nested groups.
Syntax
getListGroupsOfUser(vmmid)
Purpose
Sample
set ons [$AdminControl completeObjectName type=RTCAdminMbean,*]
$AdminControl invoke $ons getListGroupsOfUser(vmmid)
getPersonPropertiesBySearchExp:
Syntax
Purpose
Sample
The example that follows searches for last names beginning with ″m″.
set ons [$AdminControl completeObjectName type=RTCAdminMbean,*]
$AdminControl invoke $ons getPersonPropertiesBySearchExp "2 m* 3"
C2E755D60DDD18968525719A00642F8E
mail5
mail5@us.ibm.com
9DB3D27FF355A6568525719A00643C0C
mail7
mail7@us.ibm.com
04687B65F5492BA58525719A006448A3
mail9
mail9@us.ibm.com
This topic describes wsadmin commands that perform message handler operations.
getMessageHandlerList:
Syntax
getMessageHandlerList handlerName
Sample
set ons [$AdminControl completeObjectName type=RTCAdminMbean,*]
$AdminControl invoke $ons getMessageHandlerList “*”
setMessageHandlerProperties:
Syntax
Purpose
Sample
set ons [$AdminControl completeObjectName type=RTCAdminMbean,*]
set mhp { enabled=true, type=eventLogger, customProperties=[ {name=A, value=B} ] }
$AdminControl invoke $ons setMessageHandlerProperties “evtlogger {$mhp}”
Community operations:
getLocalCommunityName:
Syntax
getLocalCommunityName
Sample
set ons [$AdminControl completeObjectName type=RTCAdminMbean,*]
set local [$AdminControl invoke $ons getLocalCommunityName]
$AdminControl invoke $ons getRouteByCommunities “$local acme”
getLocalCommunityUid:
Syntax
getLocalCommunityUid
Purpose
getCommunityList:
Syntax
getCommunityList communityName
Purpose
Sample
set ons [$AdminControl completeObjectName type=RTCAdminMbean,*]
$AdminControl invoke $ons getCommunityList “*”
newCommunity:
Syntax
newCommunity hashString
The newCommunity command adds a community based on the attributes that you
specify in a hash string.
The following samples are taken from the sample Jacl scripts available in
stgw_server_root/samples/scripts. Consult the actual scripts for information on
properties and parameters.
set c {name=InternalCommunityTestName,rTCServers=[{transport=TCP,hostname=localhost,port=1516}],
internal=true,protocolConnector={name="VP"},domains=[internal.com,internal2.com]}
puts [$AdminControl invoke $ons newCommunity "{$c}"]
set c {name=externalCommunityTestName,rTCServers=[{transport=TLS,hostname=localhost,port=5061}],
internal=false,protocolConnector={name="SIP for legacy Sametime Gateway"},customProperties=
[{name="session_timeout",value=3600,required=false,description="Optional session timeout for
externalCommunityTestName"}, {name="subscription_timeout",value=3600,required=false,
description="Optional subscription timeout for externalCommunityTestName"}],domains=
[test1.com,test2.com]}puts [$AdminControl invoke $ons newCommunity "{$c}"]
setCommunityProperties:
Sets the attribute named by the key to the value in the community named by
communityName.
Syntax
Purpose
The setCommunityProperties command sets the attribute named by the key to the
value in the communityName.
Sample
set ons [$AdminControl completeObjectName type=RTCAdminMbean,*]
set c {provider = {name=GenericProvider }, customProperties=[{name=f, value=”some value”}]}
$AdminControl invoke $ons setCommunityProperties “aol {$c}”
removeCommunity:
Syntax
removeCommunity communityName
Connection operations:
getRTCServerList:
Syntax
Purpose
setPrimaryRTCServerProperties:
Syntax
Type Value
Parameter Data type
communityName string
attributes hash string
Purpose
Sample
set ons [$AdminControl completeObjectName type=RTCAdminMbean,*]
set s {hostname=acme.com,port=15,transport=TLS,customProperties=[{name=A,value=B}]}
$AdminControl invoke $ons setPrimaryRTCServerProperties "GE {$s}"
Route operations:
getRouteByCommunities:
Returns the attributes for the local and destination communities, including access
control information.
Syntax
Purpose
The getRouteByCommunities command returns the route between the local and
external community as a hash string table.
Sample
set ons [$AdminControl completeObjectName type=RTCAdminMbean,*]
set local [$AdminControl invoke $ons getLocalCommunityName]
$AdminControl invoke $ons getRouteByCommunities “$local acme”
setRoutePropertiesByCommunities:
Sets properties for the route between the local and external communities.
Syntax
Purpose
This topic describes wsadmin commands that perform Lotus Sametime Gateway
user and group operations.
Returns a list of users that are granted access to the specified capabilities on this
route.
Syntax
Purpose
The getUsers command returns a list of users associated with the specified
capability on the named route for the named community. Capabilities are
numerically indexed but only 2 is valid. Additionally, the command returns
pageSize entries at a time starting at index. User operations may only be performed
on all capabilities.
Sample
set ons [$AdminControl completeObjectName type=RTCAdminMbean,*]
set local [$AdminControl invoke $ons getLocalCommunityName]
$AdminControl invoke $ons getUsers “$somerouteuid 2 0 10”
getUsersByCommunities:
Syntax
Purpose
Sample
set ons [$AdminControl completeObjectName type=RTCAdminMbean,*]
set local [$AdminControl invoke $ons getLocalCommunityName]
$AdminControl invoke $ons getUsersByCommunities “$local acme 2 0 10”
getGroups:
Syntax
Purpose
The getGroups command returns a list of groups associated with the specified
capability on the named route for the named community. Capabilities are
Sample
set ons [$AdminControl completeObjectName type=RTCAdminMbean,*]
set local [$AdminControl invoke $ons getLocalCommunityName]
$AdminControl invoke $ons getGrooups “$somerouteuid 2 0 10”
getGroupsByCommunities:
Syntax
Purpose
Sample
set ons [$AdminControl completeObjectName type=RTCAdminMbean,*]
set local [$AdminControl invoke $ons getLocalCommunityName]
$AdminControl invoke $ons getGroupsByCommunities “$local acme 2 0 10”
addUser:
Syntax
Purpose
Sample
set ons [$AdminControl completeObjectName type=RTCAdminMbean,*]
$AdminControl invoke $ons addUser “$somerouteuid 2 jsmith”
addUserByCommunities:
Syntax
Purpose
Sample
set ons [$AdminControl completeObjectName type=RTCAdminMbean,*]
set local [$AdminControl invoke $ons getLocalCommunityName]
$AdminControl invoke $ons addUserByCommunities “$local aol 2 jsmith”
addGroup:
Syntax
Purpose
Sample
set ons [$AdminControl completeObjectName type=RTCAdminMbean,*]
$AdminControl invoke $ons addGroup “$somerouteuid 2 sales”
addGroupByCommunities:
Syntax
Purpose
removeUser:
Syntax
Purpose
Sample
set ons [$AdminControl completeObjectName type=RTCAdminMbean,*]
$AdminControl invoke $ons removeUser “$somerouteuid 2 jsmith”
removeUserByCommunities:
Syntax
Sample
set ons [$AdminControl completeObjectName type=RTCAdminMbean,*]
set local [$AdminControl invoke $ons getLocalCommunityName]
$AdminControl invoke $ons removeUserByCommunities “$local aol 2 jsmith”
removeGroup:
Syntax
Purpose
Sample
set ons [$AdminControl completeObjectName type=RTCAdminMbean,*]
$AdminControl invoke $ons removeGroup “$somerouteuid 2 sales”
removeGroupByCommunities:
Removes a group so that the group can no longer access the specified external
community.
Syntax
Purpose
Sample
set ons [$AdminControl completeObjectName type=RTCAdminMbean,*]
set local [$AdminControl invoke $ons getLocalCommunityName]
$AdminControl invoke $ons removeGroupByCommunities “$local aol 2 sales”
getNumOfUsers:
Returns the number of users that are present on a given route and capability.
Syntax
Purpose
The getNumOfUsers command returns the number of users present on a given route
and capability.
Sample
set ons [$AdminControl completeObjectName type=RTCAdminMbean,*]
$AdminControl invoke $ons getNumOfUsers "$somerouteuid 2"
getNumOfUsersByCommunities:
Returns the number of users that are present on a given community and capability.
Syntax
Purpose
Sample
set ons [$AdminControl completeObjectName type=RTCAdminMbean,*]
$AdminControl invoke $ons getNumOfUsersByCommunities "$somerouteuid 2"
getNumOfGroups:
Returns the number of groups that are present on a given route and capability.
Syntax
Purpose
Sample
set ons [$AdminControl completeObjectName type=RTCAdminMbean,*]
$AdminControl invoke $ons getNumOfGroups "$somerouteuid 2"
getNumOfGroupsByCommunities:
Returns the number of groups that are present on a given community and
capability.
Purpose
Sample
set ons [$AdminControl completeObjectName type=RTCAdminMbean,*]
$AdminControl invoke $ons getNumOfGroupsByCommunities "$somerouteuid 2"
Script exceptions:
This topic describes the attributes available for each object type and provides the
data type and whether the attribute is read, write, or both read and write.
Community object
STGWServer object
ProtocolConnector Object
MessageHandler Object
Route Object
CustomProperty Object
Jacl reference
Wsadmin tool
Script location
Jacl scripts
Jacl scripts are a non-graphical alternative that you can use to configure and
manage the Lotus Sametime Gateway. The WebSphere administrative scripting
tool, wsadmin, is a non-graphical command interpreter environment enabling you
to run administrative operations on a server in Jacl.
The scripts perform some of the functions available using the Integrated Solutions
Console. But in some cases, the scripts offer increased flexibility. For example,
when using the graphical interface to add or update an external community that
uses a SIP-based protocol, you must use TLS (Transport Layer Security) as the
transport protocol. The updateExternalCommunity script commands allows you to
use other transport protocols such as TCP or UDP.
The sample scripts include documentation inside each script. See the script and
script command reference for command details and syntax.
Script Purpose
updateExternalCommunity
Updates the external community by changing its properties such as
.jacl hostname, domains, port number, and so on.
GiveAllAcl.jacl Gives all local Sametime users access to an external community.
disableAuthz.jacl Disables the authorization controller message handler. The
Authorization controller’s main task is to allow or disallow the
initiator of the message in one community to perform the requested
operation with the destination user in another community.
EnableEventlogging Enables content, instant message, or presence logging in the
.jacl systemOut.log file.
getMsghandlerList Gets information on message handlers, including message handler
.jacl names.
Related reference
“Script commands” on page 449
Lotus Sametime Gateway provides many wsadmin script commands to help you
administer and maintain the Lotus Sametime Gateway.
“Object attribute reference” on page 471
This topic describes the attributes available for each object type and provides the
data type and whether the attribute is read, write, or both read and write.
Related information
Jacl reference
to:
stgw_profile_root/bin
6. Using a text editor, open the sample script to customize it for your task. The
script contains documentation to guide you while editing the script.
7. Open a command window (QSHELL session on IBM i) and navigate to
stgw_profile_root/bin.
8. Run the script as follows:
wsadmin -username username -password password -f script_name.jacl
Where username and password are the credentials that you created when you
enabled administrative security, and script_name.jacl is the name of the sample
Jacl script. You must run the wsadmin tool with the -f option. To see your
changes in the Integrated Solutions Console, you must log out of the console,
and then log back into it. Some operations may require stopping and restarting
the Sametime Gateway server.
Wsadmin tool
In addition to the topics in this section, see Optimizing Lotus Sametime’s Name
Lookup solution on the Sametime wiki.
The MAX and LOW pending queue sizes are highly dependent upon many factors,
such as the resources available to the Lotus Sametime Community Server process
on the host machine, the resources available to the LDAP process on the LDAP
server, the network latency between the Lotus Sametime Community Server and
LDAP servers, the types of generated searches, and so on. As a result, there is no
golden number to guarantee the greatest efficiency for all configurations. By
default, MAX and LOW are set to 10 and 5, respectively. However, advanced
guidelines for optimizing LDAP configurations generally recommend 60 and 30.
IBM typically recommends a size of 120 and 100 for larger corporations with
high-powered LDAP servers.
As the Lotus Sametime Community Server receives LDAP queries (for example,
Sametime Resolve or Authentication requests requiring LDAP look ups), Sametime
tries to fulfill those queries by sending corresponding LDAP queries to the LDAP
Server. These LDAP queries remain in the “Pending” queue until they are resolved
or responded back from the LDAP Server or timed out.
If the PENDING MAX value is 10, the Lotus Sametime Community Server does
not send more than ten requests to the LDAP Server initially until at least 5
requests are resolved by the LDAP Server so that the low end threshold value
specified by PENDING_LOW is reached. Once the number of requests waiting for
responses reaches the PENDING_LOW value, the Lotus Sametime Community
Server once again starts sending more requests to the LDAP Server but repeats the
cycle and limits the number of requests in flight to the LDAP Server.
Note: If the MAX and LOW sizes for the Pending Queue are not set appropriately,
it is possible to overwhelm or throttle the LDAP server or artificially reduce the
potential high throughput of LDAP requests sent by the Lotus Sametime
Community Server to the LDAP server.
An anonymous bind is the easiest way to establish a connection with the LDAP
server. However, the anonymous client will have limited access to the directory
when compared to authenticated clients. Using a simple bind, a client can be
authenticated on the LDAP server by providing its DN and password in plain text.
The server verifies that such a person exists in the directory and that the supplied
password is correct.
The LDAP protocol is asynchronous, so a client can send multiple requests to the
LDAP server on the same connection, and does not need to wait for the response
of one request before sending the next one. Each request is identified by a request
ID, and every response is associated with the original request ID. However, some
LDAP servers limit the maximum number of requests that can be pending per
single connection.
The following settings are under the [Directory] section of the sametime.ini file:
v ST_DB_LDAP_PENDING_BIND_MAX=X
v ST_DB_LDAP_PENDING_BIND_LOW=Y
These settings only affect the bind requests allowing other requests (mainly search
requests) to be sent to LDAP in different rates.
To force the IBM Lotus Sametime Server to send BIND requests synchronously use
the following settings:
v ST_DB_LDAP_PENDING_BIND_MAX=1
v ST_DB_LDAP_PENDING_BIND_LOW=0
This settings make sure that no other requests will be sent to LDAP on the same
connection before getting the response to the bind request.
Before increasing the value to greater than one consider the following points:
v Assume that ST_DB_LDAP_CONNECTIONS_NUMBER=3. Note that a value of 3 means
that the Lotus Sametime Community Server creates 3*N connections to the
LDAP server, where N stands for the number of Lotus Sametime components
that have an open connection to LDAP. In addition, meeting and Domino
components are connected to LDAP so the overall number of connections is
greater than 3*N.
Note: In pre-8.5 versions of Lotus Sametime, the RESPRAY interval must be higher
than the KEEPALIVE interval. Bear in mind that the RESPRAY operation is an
expensive resource task, and might impact performance in an environment where
the RESPRAY intervals are set to low values.
For more information on sametime.ini file settings related to the LDAP directory
and other techniques for tweaking the Sametime server behavior, refer to
Optimizing LDAP connections and queries on a Sametime server. This article has
several references to online technical notes and documentation on Lotus Sametime
Community Server and directory fine-tuning to achieve optimal performance and
streamlined connections.
Sametime.ini file
[Config]
MAX_NUMBER_OF_SUBSCRIBES_PER_CLIENT=750
IGNORE_SUBSCRIBES_ABOVE_MAX=751
Network factors affecting audio and video services include bandwidth and latency.
The more bandwidth available to the server and the shorter latency will allow
more participants per call. The bandwidth to the server is recommended at least
1Gbps (Gigabit per second), and latency from client to server should be less than
150ms.
#
# MaximumVideoConferenceUsers is the maximum number of users the service provider supports
for each video conference call.
#
MaximumVideoConferenceUsers=6
4. Change the values for the MaximumVideoConferenceUsers and
MaximumAudioConferenceUsers settings.
5. Save and close the file.
6. Restart the server so the change can take effect.
7. Repeat this process on every Conference Manager component. if you have a
clustered deployment, apply to every cluster member..
The default range of audio and video ports on the Packet Switcher might fall in
the range of dynamic port for the system. If the port is already allocated by a
system process when the Packet Switcher tries to allocate it for a conference, the
packet switcher marks this as a bad port and will not use this port again, until
after restart. If too many ports in the range get marked as bad ports, this could
lead to starvation and performance degradation. You can change the default port
range by using the Lotus Sametime System Console (Sametime System Console →
To determine UDP dynamic port range, type the following command from the
command line:
Windows 2008:
netsh int ipv4 show dynamicport udp
Linux:
cat /proc/sys/net/ipv4/ip_local_port_range
There are two configuration levels regarding the maximum sessions limit in Lotus
Sametime Gateway: global limits and community limits. The global limit will be
enforced on all communities in your Lotus Sametime Gateway deployment as a
whole (that is, the sum of all the external communities’ sessions cannot exceed the
global limit). The community limit is applied to a specific Lotus Sametime
Gateway community and helps ensure that a single community doesn’t use up all
of the available memory for its own sessions while blocking others from creating
new sessions. If you have only one community, then there is no need to specify
community limits; specifying global limits is enough.
In a cluster, the maximum number of sessions is applied to each node, so the true
maximum is the number of nodes multiplied by the maximum sessions value; for
example, if your cluster has two nodes and your maximum sessions is set to 5000,
then your cluster actually supports a maximum of 2 * 5000 = 10,000 sessions.
The procedure that follows sets a global limit for the maximum number of sessions
allowed at one time on a particular server. The global limit that you specify here
will be enforced on all communities in your IBM Lotus Sametime Gateway
deployment as a whole (that is, the sum of all the external communities sessions
cannot exceed the global limit).
Expected state:
v Single server: the Lotus Sametime Gateway server is started.
v Cluster: the Deployment Manager is started, and the node agent and the Lotus
Sametime Gateway server are started on at least one node.
1. In the Integrated Solutions Console, click Sametime Gateway → Gateway
Properties.
2. Select Set maximum sessions.
Deselect the box if you do not want to limit instant messaging and presence
sessions.
3. Set the maximum sessions for instant messaging by typing an integer.
The recommended value is 8,000 for a single server deployment. (Assuming
max JVM heap was set to 1.5GB).
4. Set the maximum sessions for presence by typing an integer.
The recommended value is 100,000 for a single server deployment. (Assuming
max JVM heap was set to 1.5GB).
5. Click Apply.
6. Restart the Lotus Sametime Gateway server; if you have a cluster of Lotus
Sametime Gateway servers, restart the cluster.
Related reference
“Sametime Gateway properties” on page 432
Use this page to set the maximum chat sessions. You can also specify domains
from which to block messages.
If you have more than one external community, there are a number of factors to
consider when deciding on community-level maximum session limits. The
following table shows different strategies for choosing community limits:
The procedure that follows sets community-level limits for the maximum number
of sessions allowed at one time on a particular server.
Expected state:
v Single server: the Lotus Sametime Gateway server is started.
v Cluster: the Deployment Manager is started, and the node agent and the Lotus
Sametime Gateway server are started on at least one node.
1. In the Integrated Solutions Console, click Sametime Gateway → Communities.
2. In the ″Communities″ table, select a community for which you want add or
change session limits.
3. Select Set maximum sessions for the route.
Deselect this option if you do not want to limit the number of instant
messaging and presence sessions.
4. Set the maximum sessions for instant messaging by typing an integer.
The recommended value is the matching global value divided by the number
of external communities, though you may choose a different limits strategy.
5. Set the maximum sessions for presence by typing an integer.
The recommended value is the matching global value divided by the number
of external communities, though you may choose a different limits strategy.
6. Click Apply.
What to do next
Note: If you set either (or both) of the community’s session limits to a value
higher than the overall global limit, the global limit will still be enforced.
Attention: Do not set the following JVM garbage collection policy on SUN Solaris
machines, otherwise you will not be able to start Sametime Gateway.
1. From Integrated Solutions Console, click Servers → Application Servers →
RTCGWServer.
2. Under Server Infrastructure, click Java and Process management → Process
Definition.
3. Under Additional Properties, click Java Virtual Machine.
4. In the Generic JVM arguments field, enter the following value as one
continuous line. (It has been formatted with line breaks to fit into this page
format.)
Before performing this procedure, make sure you have the required disk space.
IBM recommends that the IBM Lotus Sametime Gateway server retain a history at
least 2GB in size, to assist with troubleshooting. If you can spare more disk space
than that, feel free to set the file ″Maximum Size″ (shown in the table below) to
more than 20MB.
Complete these steps using the Integrated Solutions Console on the Lotus
Sametime Gateway server where the logs will be stored.
1. In the Integrated Solutions Console, click Servers → Application Servers →
RTCGWServer.
2. Under ″Server Infrastructure,″ click Java and Process management → Process
Definition.
3. Under ″Additional Properties,″ click Logging and Tracing → JVM Logs.
4. Under ″General Properties,″ update the following fields both for System.out
and System.err sections:
Option Description
Log File Rotation Make sure this is managed by file size rather
than file age.
Maximum size Set this value to at least 20MB.
Maximum Number of Historical Log Files Set this to a value that, when multiplied by
the file size, gives you at least 2GB of
history in your logs; in this example, you
would use 50 files as the maximum.
5. Click OK.
6. Click Save to save these changes to the master configuration.
7. If Lotus Sametime Gateway is clustered, repeat Steps 1 through 6 for each node
within the cluster.
Create custom properties that define two threshold values: one for instant
messaging sessions, and one for subscriptions. Whenever either of these values is
reached, the warning message will appear in the log.
Expected state:
v Single server: the Lotus Sametime Gateway server is started.
v Cluster: the Deployment Manager is started, and the node agent and the Lotus
Sametime Gateway server are started on at least one node.
1. In the Integrated Solutions Console, open the Custom properties page for the
server.
v On a single server: Click Servers → Server Types → WebSphere application
servers → server_name → Server Infrastructure → Administration → Custom
Properties.
v On a clustered server: Click System administration → Cell → Custom
Properties
2. Click New and enter the following information for the subscriptions threshold
warning:
Option Description
Name com.ibm.sametime.gateway.max.
subscriptions.warning.threshold
Value A number representing the threshold value
(the maximum number of subscriptions
allowed before the warning message is
generated in the log).
Description Threshold warning message for maximum
subscriptions
Option Description
Name com.ibm.sametime.gateway.max.im.
warning.threshold
Tune the JVM garbage collection policy for the SIP proxy server as follows:
1. In the Integrated Solutions Console, click Servers → Proxy Servers →
SIPProxyServer.
2. Perform the following instructions for each of the sip proxies in the list:
a. Select a proxy server by clicking it in the list.
b. Under Server Infrastructure, click Java and Process management → Process
Definition.
c. Under Additional Properties, click Java Virtual Machine.
d. In the Initial Heap Size field, enter 600.
e. In the Maximum Heap Size field, enter 600.
f. In the Generic JVM arguments field, enter the following value as one
continuous line :
-Xmo60m -Xgcpolicy:gencon -Xgc:noAdaptiveTenure,tenureAge=8,
stdGlobalCompactToSatisfyAllocate -Xtgc:parallel
g. Click OK, and click Save to save changes to the master configuration.
In WebSphere Application Server Version 7.0, the new transport memory size
setting at Servers → Core Groups → Core group settings → CORE_GROUP_NAME
replaces the IBM_CS_DATASTACK_MEG custom property and the per process
transport buffer size setting. The transport memory size has a default value of 100
MB, so setting this property is no longer necessary.
1. In the Integrated Solutions Console, click Servers → Core Groups → Core
Group Settings.
2. Click DefaultCoreGroup.
3. Under Additional Properties, click Custom Properties
You can enable and view the following statistics about Sametime Gateway:
What to do next
Note that this section is not referring to the SIP Proxy, but rather to a WebSphere
proxy server.
A thread pool lets servers reuse threads instead of creating new threads at run
time.
1. Log in to the Integrated Services Console.
2. Click Servers → Server Types → WebSphere proxy servers .
3. In the table listing the WebSphere proxy servers, click the link representing the
proxy server you want to modify.
4. Under Additional Properties, click Thread pools.
5. Click Proxy.
6. Under General Properties,, make sure the Minimum Size and Maximum Size
are both set to 50 threads.
7. Click Apply, and then click Save.
The default rtc4web timeout value is 30 seconds. This is the default timeout for the
WebSphere proxy server persistent timeout setting, too. This can causes a rare
condition to occur where both sides of the connection can let go at the same time.
In order to minimize this conflict, extend the WebSphere proxy server HTTP
Persistent timeout to stay connected longer.
1. Log into Integrated Solutions Console on the server where the WebSphere
proxy server is configured .
2. Click Servers → Server Types → WebSphere proxy servers .
3. In the table listing the WebSphere proxy servers, click the link representing the
proxy server you want to modify.
4. Under Proxy Settings, expand the HTTP Proxy Server Settings tree.
5. Click Proxy server transports.
6. Click HTTP_PROXY_CHAIN. It should be associated with port 80.
7. Click HTTP inbound channel (HTTP 3) .
8. Under General Properties, set the Persistent timeout to 60 seconds.
9. Click Apply, and then click Save.
10. Click Servers → Server Types → WebSphere proxy servers .
11. Click STMeetingHttpProxy.
12. Under Proxy Settings, expand the HTTP Proxy Server Settings tree.
13. Click Proxy server transports.
14. Click HTTPS_PROXY_CHAIN. It should be associated with port 443.
15. Click HTTP inbound channel (HTTP 4).
16. Under General Properties, set the Persistent timeout to 60 seconds.
17. Click Apply, and then click Save.
18. Repeat for every WebSphere proxy server that you configured for the cluster.
In order to handle a large set of LDAP operations, the context pool between the
WebSphere Application Server and LDAP can be optimized by setting the
following items. This might also require an LDAP server optimization as well in
order to handle a large number of LOGIN/BIND requests simultaneously. This
particular setting only manages the pool between WebSphere Application Server
and LDAP. For LOGIN/BIND operations, this pool is bypassed and WebSphere
Application Server connects directly to LDAP. Make sure your LDAP server can
handle the volume of connections based on your login rate/profile.
1. Log in to the Integrated Services Console.
2. Click Security → Global security.
3. Click Configure... next to the Available realm definition, which is set to
Federated repositories.
4. Click your LDAP Repository Identifier link.
5. Under Additional Properties, click Performance.
6. Under General Properties Context Pool, leave the Initial size set to 1, set the
Preferred size to 20, and set the Maximum size to 200. Do not change any
other settings.
7. Click Apply, and then click Save.
This section contains information about troubleshooting and logging tools that can
help you debug and fix problems affecting servers or users.
Use the following links to find other hints and tips when troubleshooting Lotus
Sametime servers:
v Lotus Sametime wiki:
www.lotus.com/ldd/stwiki.nsf/
v Tech Notes for Lotus Sametime:
www.ibm.com/support/search.wss?q=Sametime%20Standard&rs=477&tc=SSKTXQ&dc=DB520&dtm
v Tech Notes for Lotus Sametime Gateway:
www.ibm.com/support/search.wss?q=Sametime%20Gateway&rs=477&tc=SSKTXQ&dc=DB520&dtm
If your Lotus Sametime clients are using multiple communities configured with
telephony services (TCSPI), only one community can get telephony service at a
time – the community the user logs in to first. All telephony calls are processed on
this community. Any users on other communities will be treated as external users
in telephony calls.
If a Lotus Sametime Community Server is not configured with the Lotus Sametime
Media Manager, or if it is configured with the Lotus Sametime Media Manager, but
a called party is on a pre-8.5 version of the Sametime client, then the caller will not
be able to process the audio-video call.
If a user enters a value for a server preference that is not a fully qualified host
name, then the users that he or she invites into meetings might not be able to
attend.
1. In the IBM Lotus Sametime Connect client, click File → Preferences... .
2. In Preferences, click Server Communities.
3. Click the host name for the server community that hosts the meeting room.
4. Click the Server tab.
5. Verify that the host name is fully qualified.
For example, it should be messaging.yourcompanya.com and not messaging.
6. If it is not a fully qualified host name, click Server Communities and remove
the server community and re-add with the correct host name.
7. Click OK.
Find logs for the product server registration For example: c:\WebSphere\STServerCell\
into the console. This post-registration utility Console\logs
refers to product servers as being clients of
the console.
Product installation log for installer temp\SSClogs
You should verify the node agent, the server, and installed applications are
running.
1. Log in to the Integrated Solutions Console.
2. Click System Administration → Node agents .
3. Locate the node for your server and verify that the Started indicator is
displaying in the Status column.
4. Click Servers → Server Types → WebSphere application servers .
5. Locate your server and verify that the Started indicator is displaying in the
Status column.
6. Click Applications > Application Types > WebSphere enterprise applications.
7. Locate your resource and verify that the Started indicator is displaying in the
Application Status column.
What to do next
To start a server or node, see Starting and stopping servers from the Sametime
System Console.
Sample settings for registering a Lotus Sametime server with the Lotus Sametime
System Console:
#Specify the fully qualified host name for Sametime System Console
SSCHostName=ssc.in.ibm.com
#Specify true if you want to connect to Sametime System Console server using Secure
Connection, else false.
SSCSSLEnabled=true
#The log level for the Sametime System Console Client logs
# INFO - Information logs
# FINE - Information logs as well severe messages(recommended)
# FINEST - ALL logs
LogLevel=FINEST
Sample settings for registering a WebSphere-based Lotus Sametime server with the
Lotus Sametime System Console; settings will vary depending on the server and
your own environment.
##################################
#ProductType - It specifies the type of product Installed
#Community Server - com.ibm.lotus.sametime.communityserver
#Proxy Server - com.ibm.lotus.sametime.proxyserver
#Media Server - com.ibm.lotus.sametime.mediaserver
#Gateway Server - com.ibm.lotus.sametime.gatewayserver
#Meeting Server - com.ibm.lotus.sametime.meetingserver
ProductType=com.ibm.lotus.sametime.meetingserver
#InstallType-Installation Type -PN,SN,DM or Cell (WAS based Product) .For Domino Based STNODE.
InstallType=Cell
#DepName = Specify a unique Deployment Name with which you want to register the server.
DepName=Meeting Server 85
#MeetingInstallLocation - The location where the Product Specific files are copied.
#ProxyInstallLocation=C:\Program Files\IBM\Websphere\STPServerCell
#MediaInstallLocation=C:\Program Files\IBM\Websphere\MediaServerCell
#SSCInstallLocation=C:\Program Files\IBM\Websphere\STSCServerCell
#GatewayInstallLocation=C:\Program Files\IBM\Websphere\STGWServerCell
MeetingInstallLocation=C:\Program Files\IBM\Websphere\STMServerCell
##################################
##################################
#NodeIP- The IP of the machine on which the product server is installed
NodeIP=9.126.186.45
#NodeHostName- The fully qualified Hostname of the machine on which the product is installed
NodeHostName=myserver.abc.com
##################################
##################################
###WAS##
# Was Credentials - User Name and Password of Product Was server
WASUserID=wsadmin
WASPassword=wsadmin
##################################
##################################
#PreRequisite Database Details
##################################
##################################
#PreRequisite Ldap Details
#LDAPHost - The hostname of ldap registered with the product.
LDAPHost=bluepages.ibm.com
#LDAPBindAnonymous - Is anonymous access allowed for ldap registered with the product.
LDAPBindAnonymous=true
#LDAPBindDN - The Bind Distinguished name for ldap registered with the product.
LDAPBindDN=cn=root
#LDAPBindPwd - The Bind password for ldap registered with the product.
LDAPBindPwd=password
#STCommunityServerPort - The Community server port which registered with the product.
STCommunityServerPort=1516
##################################
##################################
##################################
#ComponentName - The component installed on the Media Server
ComponentName=Complete
#ConsoleDBPort - The port on which the System Console database server listens
ConsoleDBPort=50000
Purpose
Example settings for registering a Lotus Sametime Community server with the
Lotus Sametime System Console:
##################################
#ProductType - It specifies the type of product Installed
#Community Server - com.ibm.lotus.sametime.communityserver
#Proxy Server - com.ibm.lotus.sametime.proxyserver
#Media Server - com.ibm.lotus.sametime.mediaserver
#Gateway Server - com.ibm.lotus.sametime.gatewayserver
#Meeting Server - com.ibm.lotus.sametime.meetingserver
ProductType=com.ibm.lotus.sametime.communityserver
#InstallType-Installation Type -PN,SN,DM or Cell (WAS based Product) .For Domino Based STNODE.
InstallType=STNODE
#DepName = Specify a unique Deployment Name with which you want to register the server.
DepName=Comm Server
#NodeHostName- The fully qualified Hostname of the machine on which the product is installed
NodeHostName=myserver.abc.com
Troubleshooting clustering
This section describes how to troubleshoot problems with clustering servers in IBM
Lotus Sametime.
The Lotus Sametime System Console tests as many factors as possible to ensure
that the federation succeeds prior to actually running the addNode command, and
gives the user a warning if one of these conditions is found. Once the addNode
command is initiated, the Lotus Sametime System Console begins polling the
Deployment Manager configuration at intervals until it detects that the Primary
Node’s configuration has been added successfully. Once it determines it has been
successfully added, it alerts the administrator that the federation was successful. If
after 5 minutes it does not detect the node in the Deployment Manager’s
configuration, it gives an error stating that federation did not succeed.
Occasionally, federation actually takes longer than 5 minutes. In this case, simply
waiting a few minutes and clicking Federate Node again results in a success
message. Other times, the Deployment Manager has to be restarted, and then
clicking Federate Node results in a success message. Very rarely, there is another
condition that cannot be anticipated by the Lotus Sametime System Console that
leads to the failure. In these cases, the administrator needs to look at the Primary
Node’s AddNode.log for additional information to help resolve the issue, and if
necessary, contact IBM Support for assistance.
In other extremely rare cases, running the federation from the Lotus Sametime
System Console results in an error in the AddNode.log, but running the addNode
command directly successfully federates the node into the Deployment Manager.
This is an acceptable workaround if the administrator cannot figure out why the
clustering guided activity is failing. Run the following command to federate the
node:
addNode.(bat/sh) <dmgrhost> <dmgrsoapport> -username <username> -password <password> -includeapps -includebuses
After manually running addNode, the administrator can use the clustering guided
activity for the remainder of the clustering process without any issues. The
application recognizes the federated status of the node and proceeds accordingly.
After running the clustering guided activity, the administrator should make sure
that all nodes are synchronized before restarting any node agents. In the Integrated
System Console, click System Administration → Nodes, and select the nodes you
want to synchronize. and then click the Synchronize.
Always displays/Optionally
Component displays Example
The name of the process Always StResolve
Date of process startup Optional 090720
Time of process startup Optional 1922
Process id number in the OS Optional 5544
Trace file counter Optional 088
Domino log
To access the Domino log, choose Logging - Domino Log in the Sametime
Administration Tool, and then click the link that appears on the right. The Domino
log launches in a new browser window.
The Domino log is only available from the Sametime Administration Tool. If you
record Sametime log information in a text file, the text file does not include
information about the Domino log.
A administrator can view additional information about the Sametime server in the
Domino log database (log.nsf). The Domino log database records server activity
information related to the Domino server and Domino databases, including
databases used by the Sametime server (such as the Sametime Meeting Center).
During setup, the Domino log database is automatically created and the server is
assigned Manager access in the database’s Access Control List (ACL). The default
access for all other users is Reader.
The Domino log database records information about all server activities, such as
database size and usage, server events, calls made to and from the server, and
billing for server services. Check the Domino log to monitor:
v Available server disk space
v Available server memory
v Server load
v Server performance
v Databases that need maintenance
The administrator cannot use the Sametime log settings or the Sametime
Administration Tool options to determine what appears in the Domino log. The
Domino log records information about the activities of the Domino server on
which Sametime is installed. Generally, the default settings should provide an
adequate record of server activity. However, you can record additional information
The Domino log includes many views that do not apply to Sametime. Use the table
below to determine which views are relevant for Sametime.
View Description
The four types of General log settings are: (Note that meeting server events do not
apply to Sametime Limited Use.)
v Database or text file settings - Allow you to specify the format for the log and
to automatically remove information from the log.
v Sametime statistics settings - Allow you to control whether to log statistics
related to chats, meetings, and users.
v Server community events to log settings - Allow you to control which
Community Services events are recorded in the Sametime log.
v Meeting server events to log settings - Allow you to control which Meeting
Services events are recorded in the Sametime log.
The ″database or text file″ settings allow you to specify the format for the log and
to automatically remove old information from the log.
Select this setting to record Sametime Meeting Services and Community Services
data in the Sametime log database (stlog.nsf). During setup of the Sametime server,
the Sametime Log database is automatically created, and the administrator
specified during setup is assigned Manager access in the database Access Control
List (ACL). The server is also assigned Manager access to the database so that it
can write information to the log. The default access for all other users is Reader.
When this option is selected, a Sametime administrator can view all of the
information in the Sametime log by opening the Sametime Administration Tool
and selecting Logging. The links available from the Logging menu display different
views of the Sametime log database.
When this option is selected, you can use the ″Remove history after (days)″ setting
to prevent the Sametime log from growing too large.
If you select this option, you cannot select the ″Enable logging to a text file″
option; it is not possible to record Sametime activity in both database and text file
format.
After selecting this option, click Update and restart the server for the setting to
take effect.
Select this setting to automatically remove old information from the Sametime log
database (stlog.nsf). In the field provided, specify the age (in days) of information
that is automatically removed from the database. The default setting is 60 days.
This setting only applies to the Sametime log database; it does not remove
Sametime log information stored in text files. You must manually delete old text
files.
After selecting this option, click Update and restart the server for the setting to
take effect.
Select this setting to record Sametime log information in a text file. When this
option is selected, a new Sametime log text file is created every day. By default, the
name of each text file contains the date on which the file was created (for example,
log_23_Mar_2009.txt). After you select this option, specify a path and file name for
the log file in the ″Path to log text file″ field; for example, in Microsoft Windows:
d:\notesdata\chatlogs\txtfiles\log.txt
If you select this option, you cannot simultaneously select the ″Enable logging to a
Domino database″ option; it is not possible to record Sametime activity in both
database and text file format.
After selecting this option, click Update and restart the server for the setting to
take effect.
NSD log
When an IBM Lotus Sametime Community Services process crashes, an NSD log is
created with the relevant information about the crash.
The log contains information about the tasks which were running when the
process crashed, as well as general system information that may help determine
the cause of the crash. The log is stored in the server’s .\data\trace directory. Part
of the Sametime Community Components, using Notes API libraries, creates an
NSD log in alternate directory:.\data\IBM_TECHNICAL_SUPPORT.
Important: The date in the NSD log file’s name is not its creation date, but rather
the date when the crashing process was first executed. To find the date when the
NSD log was produced, look inside the log or use the file creation date based on
the operating system information.
The Community Server Events to Log settings allow you to control which
Community Services events are recorded in the Sametime log. After selecting any
of these options, click Update for the settings to take effect.
Successful logins
Failed logins
Select this setting to record information about failed logins to Community Services
in the Place Login Failures, Meeting Login Failures, , and Community
Logins/Logouts sections of the Sametime log.
Select this setting to record information about Community Services events in the
Community Events section of the Sametime log. For example, you can view the
name and status of each service.
You can use the IBM Lotus Sametime Runtime Debug Tool to produce trace files
and create new trace file sets for troubleshooting purposes. Use it to enable or
disable debug settings whenever you need to debug a problem. These trace files
contain debug messages that aid IBM Technical Support in troubleshooting IBM
Lotus Sametime problems. If you have never worked with Sametime trace files
before, you should use the tool only under the guidance of IBM Technical Support.
Before running the Lotus Sametime Runtime Debug Tool, you must install
StdebugTool.exe in the Domino directory on Lotus Sametime Community server
machines, and then restart the http service on Domino servers as part of the
installation. Next, you must enable all the flags for the relevant components by
setting values to 1. After finishing, you can disable the traces with the tool. Do the
same for any component at any time without the need to restart Lotus Sametime.
Note: The Lotus Sametime Runtime Debug tool is available only for Lotus
Sametime Community servers that run on the Windows operating system.
To start the StdebugTool.exe utility, you enter the StdebugTool.exe command from
the server command prompt.
When the utility starts, you are presented with a second command prompt. At this
second command prompt, you enter a command option to direct the
StdebugTool.exe utility to perform a specific action.
The possible command options are described below. These options include: ?, s, I,
f, p, r, q:
v ? - Prints a help message
v S <FLAG_NAME> <value> - Sets a value to enable or disable a trace file flag
that already exists in the sametime.ini file. The <FLAG_NAME> string is a
variable representing a specific trace flag. The <value> parameter is usually
either ″1″ to enable the flag or ″0″ to disable it.
For example, the VP_DB_TRACE flag in the sametime.ini file is used to enable
or disable all trace file reporting capabilities. The following s command option
will enable the trace file reporting capabilities if the VP_DB_TRACE=0 setting
already exists in the Sametime.ini file:
s VP_DB_TRACE 1
v i <FLAG_NAME> <value> - Adds a specific flag to the sametime.ini file and
sets a value to enable or disable the trace file flag. Use this option if the flag you
want to use does not currently exist in the sametime.ini file.
For example, the VP_LDAP_TRACE flag controls trace file reporting for LDAP
directory access operations. The following I command option will add the
VP_LDAP_TRACE flag to the Sametime.ini file and enable the LDAP access
trace file reporting:
I VP_LDAP_TRACE 1
v f - Prints a list of debug flags
v p - Prints a list of services
v r - Replaces existing trace files with new ones. Use this option to delete existing
trace files, or copy over existing trace files with new ones.
v q - Stops (quits) the StdebugTool.exe utility.
The ″Best Practices for using LDAP with Lotus Sametime″ article in the Sametime
wiki contains a table with common problems and resolutions:
http://www-10.lotus.com/ldd/stwiki.nsf/dx/Best_Practices_for_using_LDAP_with_Lotus_Sametime#_Toc246828786
Use Ping, Telnet, Netstat and IPConfig to verify that tunneling is set up correctly
on the network and in DNS.
Use the Telnet utility to connect to a Domino server and check the status of an
application on a well-known port.
Options
Before trying these options, check and validate the configuration as shown in
Business Card configuration in the Sametime Information Center. In most cases,
invalid configurations are the root cause of problems with the Business Card. If,
after you have validated that the configuration is correct, the Business Card still
does not appear to be working, you might want to try the options described below.
Note:
v Do not use spaces in the URL for the UserInfo servlet operation.
A space is translated into %20 in the URL, and the servlet will not produce a
result; for example:
http://sametime.ibm.com/servlet/UserInfoServlet?operation=3&setid=1&userId=cn=Sametime
User/O=IBM
is translated to:
http://sametime.ibm.com/servlet/UserInfoServlet?operation=3&setid=1&userId=
cn=Sametime%20User/O=IBM
. The characters ″%20″ are inserted before the word ″User″ to represent the
space.
You should see the details you are expecting to see. If you do not, then you will
need to enable tracing for the userInfo servlet. See section below.
Note: If you receive an UNKNOWN error for the ″user id,″ this means the user ID
specified could not be located. This could happen for a variety of the reasons, but
the most common are:
1. an incorrect user distinguished name has been specified
2. the directory in which the user is located is not reachable/searchable
Requirements
Listed below are some requirements that can cause problems if they are not
followed in the Business Card:
v Photos must be less than 64 kilobytes (recommended: 10 kb)
v Business Card photo requires .jpg or .gif
v Using the jpegPhoto LDAP attribute to store photos requires the inetOrgPerson
objectClass
Enabling trace
The IBM Lotus Sametime Proxy Server utilizes the JSR-47 logging to record various
events for troubleshooting. Using the IBM Websphere Integrated Solutions Console,
you can fine tune the amount of captured trace content.
Other logs are very specific in nature and focused on a component or activity. The
general purpose logs such as the JVM logs and the IBM service log can be helpful
in monitoring the health of the application server, however, the problem
determination procedure for a specific component might instruct you to examine
the contents of a component- or product-specific log. This section describes the log
files available for IBM WebSphere Application Server, the logs that the server and
services make use of, and how you can configure and view the files.
1. The first source of information for configuration and administration problems
are the general-purpose logs.
2. If you cannot solve the problems using these files, try using a trace.
3. For runtime code problems, again look at the general-purpose logs first. Then
running a trace with component-specific flags as required.
For more information about logging and tracing, go to the Monitoring and
Troubleshooting documentation for distributed operating systems in the
WebSphere Application Server Library at http://www-01.ibm.com/software/
webservers/appserv/was/library/.
The collector tool gathers information about your WebSphere Application Server
installation and packages it in a Java archive (JAR) file that you can send to IBM
Customer Support to assist in determining and analyzing your problem.
Information in the JAR file includes logs, property files, configuration files,
operating system and Java data, and the presence and level of each software
prerequisite.
1. Use the IBM Websphere Collector tool to gather logs and traces from all of the
environment machines.
For more information, see the following topic in the WebSphere Application
Server information center:
Gathering information with the collector tool (deprecated).
2. Run the collector on the IBM Lotus Sametime Media Manager server.
v Run collector on the WebSphere Application Server profiles.
The profiles are stored in the \profiles directory; for example on Microsoft
Windows:
C:\Program Files\ibm\WebSphere\AppServer\profiles
Note: The generated files will include all log files located in the ″logs″
directory under the profile directory. To reduce the log size, you might choose
to delete all of the existing log files, recreate the problem, and only then gather
the logs.
3. Submit the collector generated log files to IBM support.
An application can write print data to the JVM logs either directly in the form of
System.out.print() or System.err.print() method calls or by calling a JVM function,
such as Exception.printStackTrace(). In addition, the System.out JVM log contains
The JVM log files are self-managing to the extent that they can be configured not
to grow beyond a certain size. Also, you can set how many historical, or archived,
files to keep and which of the log files to rollover or archive based by time or size
or both.
1. In the Integrated Solutions Console, click Troubleshooting → Logs and Trace.
2. Click STMediaServer.
3. Under General Properties, click JVM Logs.
Note: Any configuration changes to the JVM logs that are made to a running
Lotus Sametime Media Manager do not take effect until you restart the server.
4. To configure or change a log setting, use the settings on the Configuration tab.
5. To view the output of the logs, click the Runtime tab, then click View.
Lotus Sametime Connect video calls and video-enabled Lotus Sametime meeting
rooms take advantage of the hardware acceleration available in modern video
cards and their associated drivers. If you are experiencing difficulty in establishing
video call connections, or experience poor video quality in video in meeting rooms,
ensure that you are using a video driver that takes full advantage of your video
card’s acceleration hardware.
Refer to the A/V Client Support & Requirements section in the system
requirements:
http://www.ibm.com/support/docview.wss?rs=477&uid=swg27016451
This task is only necessary if you see the ST_CONNECT_HOST_UNREACHABLE error in the
Conference Manager logs, which means that the Lotus Sametime Community
Server is not allowing connections from the Conference Manager nodes. Enable the
connection by adding each Conference Manager node’s IP address to the list of
Trusted IPs for the Lotus Sametime Community Server.
1. Log into the Lotus Sametime System Console’s Integrated Solutions Console as
the WebSphere administrator.
2. Click Sametime System Console → Sametime Servers → Sametime Community
Servers.
3. In the ″Sametime Community Servers″ table, click the name of a Community
Server.
4. Click the Connectivity tab.
5. Add the Conference Manager nodes to the list of trusted servers:
Enabling traces and logs for the WebSphere proxy server used
by a Media Manager cluster
Enable traces and logs for an IBM WebSphere proxy server that is used with an
IBM Lotus Sametime Media Manager cluster.
Both Conference Manager clusters and SIP Proxy and Registrar clusters can use a
WebSphere proxy server; this task applies to both clusters.
1. Log into the Deployment Manager’s (the Lotus Sametime System Console)
Integrated Solutions Console as the WebSphere administrator.
2. Click Troubleshooting → Logs and trace.
3. In the ″Logging and Tracing″ table, click the name of a WebSphere proxy server
to open its ″Logging and Tracing″ page.
4. Under ″General Properties″ click Diagnostic Trace.
5. Under ″Additional Properties″ click Change Log Detail Levels.
6. In the text box, append the following settings:
:com.ibm.ws.sip.*=all
:com.ibm.ws.proxy.*=all
7. Click Apply and then save the changes by clicking the Save link the
″Messages″ box at the top of the page.
Other logs are very specific in nature and focused on a component or activity. The
general purpose logs such as the JVM logs and the IBM service log can be helpful
in monitoring the health of the application server, however, the problem
determination procedure for a specific component might instruct you to examine
the contents of a component- or product-specific log. This section describes the log
files available for IBM WebSphere Application Server, the logs that the server and
services make use of, and how you can configure and view the files.
1. The first source of information for configuration and administration problems
are the general-purpose logs.
2. If you cannot solve the problems using these files, try using a trace.
3. For runtime code problems, again look at the general-purpose logs first. Then
running a trace with component-specific flags as required.
For more information about logging and tracing, go to the Monitoring and
Troubleshooting documentation for distributed operating systems in the
WebSphere Application Server Library at http://www-01.ibm.com/software/
webservers/appserv/was/library/.
Note: The generated files will include all log files located in the ″logs″
directory under the profile directory. To reduce the log size, you might choose
to delete all of the existing log files, recreate the problem, and only then gather
the logs.
3. Submit the collector generated log files to IBM support.
An application can write print data to the JVM logs either directly in the form of
System.out.print() or System.err.print() method calls or by calling a JVM function,
such as Exception.printStackTrace(). In addition, the System.out JVM log contains
system message events written by the WebSphere Application Server. In the case of
a IBM WebSphere Application Server Network Deployment configuration, JVM
logs are also created for the deployment manager and each node manager, since
they also represent JVMs.
v SystemOut.log is more useful monitoring the health of the running application
server but can help in determining a problem, although it’s better to use the IBM
Service log and the advanced capabilities of the Log Analyzer to determine a
problem.
v SystemErr.log contains exception stack trace information that is useful when
performing problem analysis.
The JVM log files are self-managing to the extent that they can be configured not
to grow beyond a certain size. Also, you can set how many historical, or archived,
files to keep and which of the log files to rollover or archive based by time or size
or both.
1. In the Integrated Solutions Console, click Troubleshooting --> Logs and Trace.
2. Click the IBM Lotus Sametime Meeting Server.
3. Under General Properties, click JVM Logs.
Note: Any configuration changes to the JVM logs that are made to a running
Lotus Sametime Meeting Server do not take effect until you restart the server.
4. To configure or change a log setting, use the settings on the Configuration tab.
5. To view the output of the logs, click the Runtime tab, then click View.
If you deploy the Lotus Sametime Proxy Server and the Lotus Sametime Meeting
Server on one machine, and both servers have the same host name, users cannot
stay connected to instant meetings initiated by the Lotus Sametime Proxy web
client. Users can start instant meetings, but eventually they are disconnected. This
error occurs because Websphere sets the JSESSIONID cookie whenever an
application is started, and the JSESSIONID cookie is being overwritten because the
Lotus Sametime Proxy Server and the Lotus Sametime Meeting Server share a
hostname. Due to the matching host names, the WebSphere JSESSIONID is not
recognizing them as separate applications. You can workaround this by providing
the Lotus Sametime Proxy Server with a host alias with a hostname different from
the Lotus Sametime Meeting Server host name.
1. Install the Lotus Sametime Meeting Server and the Lotus Sametime Proxy
Server on the same server.
2. Change host name of the Lotus Sametime Proxy Server using a host alias:
a. Log in to the Integrated Solutions Console on the Lotus Sametime Proxy
Server.
b. Click Environment → Virtual Hosts → default_host → Host Aliases .
c. Configure the host aliases of the Virtual Host, default_host, of the Lotus
Sametime Proxy Server so that their host names do not match either the
host name of the Lotus Sametime Meeting Server or the wild card character,
’*’ (asterisk). Update the host name of all of the host alias entries to the host
name that the Sametime Proxy Server will use. Use the same host name for
all aliases,
1) Click the host name link associated with each port.
2) Enter the fully qualified host name for the Lotus Sametime Proxy Server.
It must not be the same host name assigned to the Lotus Sametime
Meeting Server
3) Click Apply, and then click Save
d. Restart the Lotus Sametime Proxy Server.
Enabling traces and logs for the WebSphere proxy server used
by a Meeting Server cluster
Enable traces and logs for an IBM WebSphere proxy server that is used with an
IBM Lotus Sametime Meeting Server cluster.
1. Log into the Deployment Manager’s (the Lotus Sametime System Console)
Integrated Solutions Console as the WebSphere administrator.
2. Click Troubleshooting → Logs and trace.
3. In the ″Logging and Tracing″ table, click the name of a WebSphere proxy server
to open its ″Logging and Tracing″ page.
4. Under ″General Properties″ click Diagnostic Trace.
5. Under ″Additional Properties″ click Change Log Detail Levels.
6. In the text box, append the following settings:
Use the following links to find other hints and tips when troubleshooting Lotus
Sametime Gateway:
v Lotus Sametime wiki:
www.lotus.com/ldd/stwiki.nsf/
v Technotes for Lotus Sametime Gateway:
www.ibm.com/support/search.wss?q=Sametime%20Gateway&rs=477&tc=SSKTXQ&dc=DB520&dtm
v WebSphere Application Server diagnostic tools to help troubleshoot database
connection problems:
Troubleshooting data access problems
Other logs are very specific in nature and focused on a component or activity. The
general purpose logs such as the JVM logs and the IBM service log can be helpful
For more information about logging and tracing, go to the Monitoring and
Troubleshooting documentation for distributed operating systems in the
WebSphere Application Server Library at http://www-01.ibm.com/software/
webservers/appserv/was/library/.
The collector tool gathers information about your WebSphere Application Server
installation and packages it in a Java archive (JAR) file that you can send to IBM
Customer Support to assist in determining and analyzing your problem.
Information in the JAR file includes logs, property files, configuration files,
operating system and Java data, and the presence and level of each software
prerequisite. Be sure you set the log file size and rotation before you collect the
information. The default log file rotation leaves the user only one file, which fills
up and gets overwritten rather quickly.
1. Follow these steps to configure the log file size and rotation settings.
a. Log in to the Integrated Solutions Console.
b. Click Servers Server Types WebSphere Application Server.
c. In the Application Servers list, click the server name.
d. Under Troubleshooting, click Diagnostic trace service.
e. Under General Properties, update the following fields:
Table 33. Log settings
Option Description
Log File Rotation Make sure this is managed by file size rather
than file age.
Maximum size Set this value to at least 20MB.
Maximum Number of Historical Log Files Set this to a value that, when multiplied by
the file size, gives you at least 2GB of
history in your logs; in this example, you
would use 50 files as the maximum.
Note: The generated files will include all log files located in the ″logs″
directory under the profile directory. To reduce the log size, you might choose
to delete all of the existing log files, recreate the problem, and only then gather
the logs.
4. Submit the collector generated log files to IBM support.
Troubleshooting installation
These steps help you troubleshoot installation problems by describing how you can
use a different tablespace name for the database and how you can clean your
system of previous installations.
Many installation problems are caused when the installer cannot locate the
database or when installing a new instance of Sametime Gateway and a previous
installation has not been completely removed from the system. The following steps
describe how to use a different tablespace in the database or clean your system of
previous installations.
1. Open the installation log file at stgw_server_root\logs\installlog.txt
2. If log reports an error in finding the DB2 database, check to make sure you are
using the tablespace name USERSPACE1. Sametime Gateway expects USERSPACE1
by default. To install using a different tablespace name, use the following
command when you run the installer:
install.bat -VTableSpaceName="tableSpaceName"
Where tableSpaceName is the name of the tablespace that you want the installer
to use.
3. To clean your system of previous installations, use the log to find the location
of the Install Shield Multiplatform (ISMP) database called the Vital Product
Database (VPD). For example, examine this log entry from Windows (formatted
to fit on the page):
(Nov 24, 2007 2:22:22 PM), stGwInstall,
com.ibm.rtc.gateway.install.CheckVPDRegistry, msg1,
using VPD registry at C:\Program Files\Common
Files\InstallShield\Universal\common\Gen2\_vpddb\vpd
An application can write print data to the JVM logs either directly in the form of
System.out.print() or System.err.print() method calls or by calling a JVM function,
such as Exception.printStackTrace(). In addition, the System.out JVM log contains
system message events written by the WebSphere Application Server. In the case of
a IBM WebSphere Application Server Network Deployment configuration, JVM
logs are also created for the deployment manager and each node manager, since
they also represent JVMs.
v SystemOut.log is more useful monitoring the health of the running application
server but can help in determining a problem, although it’s better to use the IBM
Service log and the advanced capabilities of the Log Analyzer to determine a
problem.
v SystemErr.log contains exception stack trace information that is useful when
performing problem analysis.
The JVM log files are self-managing to the extent that they can be configured not
to grow beyond a certain size. Also, you can set how many historical, or archived,
files to keep and which of the log files to rollover or archive based by time or size
or both.
1. In the Integrated Solutions Console, click Troubleshooting --> Logs and Trace.
2. Click the RTCGWServer.
3. Under General Properties, click JVM Logs.
Note: Any configuration changes to the JVM logs that are made to a running
RTCGWServer do not take effect until you restart the server.
4. To configure or change a log setting, use the settings on the Configuration tab.
5. To view the output of the logs, click the Runtime tab, then click View.
If you find this error, the virtual hosts definitions must be updated to have host
aliases defined for the SIP ports configured on each cluster member.
1. In the Integrated Solutions Console, gather the port configurations for each
defined cluster member by selecting Servers → Application Servers.
2. Select a cluster member.
3. Under Communications, click Ports.
4. Record both the SIP_DEFAULTHOST and SIP_DEFAULTHOST_SECURE port
numbers.
5. Repeat the preceding steps for each cluster member.
6. Select Environment → Virtual Hosts.
7. Select default_host
8. Under Additional Properties, click Host Aliases.
9. For each of the defined cluster members, ensure the ports that you recorded
are present in the definitions. Example: If the secondary node is defined on
server1.acme.com at ports 5062 and 5063, ensure host aliases exist for
server1.acme.com:5062 and server1.acme.com:5063. Do not use wildcards as in
*:5062 and *:5063.
10. To create a new virtual host definition:
a. Click New.
b. Type the Fully qualified domain name of the host.
c. Type the port number.
d. Click OK and Save.
e. Repeat for each port that requires a virtual host.
Log messages
If you see ″Not all the message handlers are up″ in the SystemOut.log:
v Use the Integrated Solutions Console to check if all default message handler
plugins are up and running. Click Applications → Enterprise Applications to
view the state of the message handler applications.
v Also check if any message handler is disabled. Click Sametime Gateway →
Message Handlers to view the message handler list.
If an application is enabled and you stop an application without first disabling it,
the plugin manager considers this as a fatal condition and starts failing the
requests. To disable a plugin, disable the application from the message handler
page first, then stop the application from Integrated Solutions Console. This will
alert the core plugin manager to omit the message handler from the execution
sequence without failing the requests.
Always disable the message handler first, and then stop it before removing the
message handler. If you are debugging the core functionality, and wishes to disable
the plugin, this is the sequence to follow. When a message handler plugin stops
after being disabled, the configuration service removes the message handler object
from the database. The configuration service alerts the core plugin manager of the
change, and the core plugin manager subsequently omits this message handler
from the execution sequence without adversely affecting the requests. You do not
need to restart the server in order to disable or delete the message handler.
Stopping the message handler before disabling it creates an error condition. The
core plugin manager fails all the requests until the message handler plugin is
disabled.
The core plugin manager takes the message handler plugin out of the execution
sequence. Requests continue to be processed and the plugin application is not
invoked. If the message handler plugin is enabled, the core plugin manager puts
the plugin back in the execution sequence, and starts forwarding requests to the
newly enabled plugin.
For each resolve request, the Lotus Sametime community server consults the
directory server. Receiving the response from the Lotus Sametime community
server is time consuming. To provide a warning on unreasonable response times,
the Lotus Sametime Gateway collects resolve statistics. By default, the Lotus
Sametime Gateway provides a warning only if the response time of the resolve
request is greater then 25 seconds. The warning time is configurable, and it is
possible to change it by adding a custom property to the local community.
Valid values:
v All - prints the response time of all resolve requests.
v Number of seconds - Prints the response time of the resolve requests which are
greater then the defined value.
To avoid a heavy load of messages on the Lotus Sametime Gateway server, for
each 1000 identical messages only the first 5 are printed to the SystemOut.log file. If
there are more than 5 identical messages, the first five are printed individually,
followed by a summary of the rest of the identical messages. See below:
[6/9/09 15:39:58:926 IDT] 00000021 ResolverStat W com.ibm.rtc.gateway.vp.util.resolve.
ResolverStat printToTrace CLFRC0268W: Performance warning: The resolve operation:
e-mail --> STId ( ibm15@ibm.com --> uid=ibm15,cn=ibm,cn=users,dc=teamspace,dc=com )
took 28 seconds to complete. Awaiting 6 more resolve requests to complete.
[6/9/09 15:39:58:932 IDT] 00000021 ResolverStat W com.ibm.rtc.gateway.vp.util.resolve.
ResolverStat printToTrace CLFRC0268W: Performance warning: The resolve operation:
e-mail --> STId ( ibm106@ibm.com --> uid=ibm106,cn=ibm,cn=users,dc=teamspace,dc=com )
took 30 seconds to complete. Awaiting 5 more resolve requests to complete.
[6/9/09 15:39:58:937 IDT] 00000021 ResolverStat W com.ibm.rtc.gateway.vp.util.resolve.
ResolverStat printToTrace CLFRC0268W: Performance warning: The resolve operation:
e-mail --> STId ( ibm101@ibm.com --> uid=ibm101,cn=ibm,cn=users,dc=teamspace,dc=com )
took 33 seconds to complete. Awaiting 4 more resolve requests to complete.
[6/9/09 15:39:58:942 IDT] 00000021 ResolverStat W com.ibm.rtc.gateway.vp.util.resolve.
ResolverStat printToTrace CLFRC0268W: Performance warning: The resolve operation:
e-mail --> STId ( ibm105@ibm.com --> uid=ibm105,cn=ibm,cn=users,dc=teamspace,dc=com )
took 37 seconds to complete. Awaiting 3 more resolve requests to complete.
[6/9/09 15:39:58:947 IDT] 00000021 ResolverStat W com.ibm.rtc.gateway.vp.util.resolve.
ResolverStat printToTrace CLFRC0268W: Performance warning: The resolve operation:
e-mail --> STId ( ibm104@ibm.com --> uid=ibm104,cn=ibm,cn=users,dc=teamspace,dc=com )
took 43 seconds to complete. Awaiting 2 more resolve requests to complete.
[6/9/09 15:39:58:948 IDT] 00000021 ResolverStat W com.ibm.rtc.gateway.vp.util.resolve.
ResolverStat printToTrace The previous log message printed by this thread has been
printed 5 times. The next 995 messages of this message code would not be printed to the log.
Non-authoritative answer:
_xmpp-server._tcp.google.com SRV service location:
priority = 20
weight = 0
port = 5269
svr hostname = xmpp-server1.l.google.com
_xmpp-server._tcp.google.com SRV service location:
Directory conventions
Directory variables are abbreviations for the default installation paths for IBM AIX,
Linux, Solaris, Windows, and IBM i. This topic defines the directory variable and
its matching default installation directory for each supported operating system.
Directory variable Operating system Default installation root
app_server_root IBM AIX /usr/IBM/WebSphere/AppServer
WebSphere Note: The default installation root is /usr/IBM/WebSphere/AppServer7 if the system went through an
Application Server upgrade from Sametime Gateway 8.0.x (WebSphere 6) to Sametime Gateway 8.5.x (WebSphere 7).
installation
Linux and Solaris /opt/IBM/WebSphere/AppServer
directory (not
available on the
Deployment Note: The default installation root is /opt/IBM/WebSphere/AppServer7 if the system went through an
Manager node). upgrade from Sametime Gateway 8.0.x (WebSphere 6) to Sametime Gateway 8.5.x (WebSphere 7).
IBM i For the product files of WebSphere Application Server, Network Deployment edition:
/QIBM/ProdData/WebSphere/AppServer/V61/ND
Installation Files
Lotus Sametime System Console log files can be found in the following locations:
v Windows
C:\Program Files\ibm\WebSphere\AppServer\profiles\STSCDMgrProfile\logs
C:\Program Files\ibm\WebSphere\AppServer\profiles\STSCAppProfile\logs
v AIX/Linux/Solaris
/opt/IBM/WebSphere/AppServer/profiles/STSCDMgrProfile/logs
/opt/IBM/WebSphere/AppServer/profiles/STSCAppProfile/logs
v IBM i
/QIBM/UserData/Websphere/AppServer/V7/SametimeWAS/profiles/
STSCDMgrProfile/logs
/QIBM/UserData/Websphere/AppServer/V7/SametimeWAS/profiles/
STSCAppProfile/logs
Lotus Sametime Proxy Server log files can be found in the following locations:
v Windows
C:\Program Files\IBM\WebSphere\AppServer\profiles\STPAppProfile\logs
C:\Program Files\IBM\WebSphere\AppServer\profiles\STPDMgrProfile\logs
v AIX/Linux/Solaris
/opt/IBM/WebSphere/AppServer/profiles/STPDMgrProfile/logs
/opt/IBM/WebSphere/AppServer/profiles/STPAppProfile/logs
v IBM i
/QIBM/UserData/Websphere/AppServer/V7/SametimeWAS/profiles/
STPDMgrProfile/logs
/QIBM/UserData/Websphere/AppServer/V7/SametimeWAS/profiles/STPAppProfile/
logs
Lotus Sametime Meeting Server log files can be found in the following locations:
v Windows
C:\Program Files\IBM\WebSphere\AppServer\profiles\STMDMgrProfile\logs
C:\Program Files\IBM\WebSphere\AppServer\profiles\STMAppProfile\logs
v AIX/Linux/Solaris
/opt/IBM/WebSphere/AppServer/profiles/STMDMgrProfile/logs
/opt/IBM/WebSphere/AppServer/profiles/STMAppProfile/logs
v IBM i
/QIBM/UserData/Websphere/AppServer/V7/SametimeWAS/profiles/
STMDMgrProfile/logs
/QIBM/UserData/Websphere/AppServer/V7/SametimeWAS/profiles/STMAppProfile/
logs
Lotus Sametime Media Manager log files can be found in the following locations:
v Windows
C:\Program Files\IBM\WebSphere\AppServer\profiles\STMSDMgrProfile\logs
C:\Program Files\IBM\WebSphere\AppServer\profiles\STMSAppProfile\logs
v Linux
/opt/IBM/WebSphere/AppServer/profiles/STMSDMgrProfile/logs
/opt/IBM/WebSphere/AppServer/profiles/STMSAppProfile/logs
The Lotus Sametime Community Server has a series of configuration and log files
for problem determination. You can run a script that automatically collects these
logs.
v Windows
From the Domino program directory, run the stdiagzip.bat file.
For example:
C:\Program Files\ibm\Lotus\Domino\stdiagzip.bat
v AIX/Linux/Solaris
/local/notesdata> sh stdiagzip.sh
A zip file generated by the stdiagzip script is created in the data_dir/Trace
directory
v IBM i
call QSAMETIME/STDIAGZIP servername
A zip file generated by the stdiagzip program is created in the data_dir/trace
directory
Lotus Sametime Connect log files can be found in the following location on the
user’s computer:
IBM may not offer the products, services, or features discussed in this document in
other countries. Consult your local IBM representative for information on the
products and services currently available in your area. Any reference to an IBM
product, program, or service is not intended to state or imply that only that IBM
product, program, or service may be used. Any functionally equivalent product,
program, or service that does not infringe any IBM intellectual property right may
be used instead. However, it is the user’s responsibility to evaluate and verify the
operation of any non-IBM product, program, or service.
IBM may have patents or pending patent applications covering subject matter
described in this document. The furnishing of this document does not grant you
any license to these patents. You can send license inquiries, in writing, to:
For license inquiries regarding double-byte (DBCS) information, contact the IBM
Intellectual Property Department in your country or send inquiries, in writing, to:
The following paragraph does not apply to the United Kingdom or any other
country where such provisions are inconsistent with local law:
INTERNATIONAL BUSINESS MACHINES CORPORATION PROVIDES THIS
PUBLICATION “AS IS” WITHOUT WARRANTY OF ANY KIND, EITHER
EXPRESS OR IMPLIED, INCLUDING, BUT NOT LIMITED TO, THE IMPLIED
WARRANTIES OF NON-INFRINGEMENT, MERCHANTABILITY OR FITNESS
FOR A PARTICULAR PURPOSE. Some states do not allow disclaimer of express or
implied warranties in certain transactions, therefore, this statement may not apply
to you.
Any references in this information to non-IBM Web sites are provided for
convenience only and do not in any manner serve as an endorsement of those Web
sites. The materials at those Web sites are not part of the materials for this IBM
product and use of those Web sites is at your own risk.
Licensees of this program who wish to have information about it for the purpose
of enabling: (i) the exchange of information between independently created
programs and other programs (including this one) and (ii) the mutual use of the
information which has been exchanged, should contact:
IBM Corporation
Software Interoperability Coordinator, Department 49XA
3605 Highway 52 N
Rochester, MN 55901
U.S.A.
The licensed program described in this information and all licensed material
available for it are provided by IBM under terms of the IBM Customer Agreement,
IBM International Program License Agreement, or any equivalent agreement
between us.
All statements regarding IBM’s future direction or intent are subject to change or
withdrawal without notice, and represent goals and objectives only.
All IBM prices shown are IBM’s suggested retail prices, are current and are subject
to change without notice. Dealer prices may vary.
This information is for planning purposes only. The information herein is subject to
change before the products described become available.
This information contains examples of data and reports used in daily business
operations. To illustrate them as completely as possible, the examples include the
names of individuals, companies, brands, and products. All of these names are
fictitious and any similarity to the names and addresses used by an actual business
enterprise is entirely coincidental.
COPYRIGHT LICENSE:
Each copy or any portion of these sample programs or any derivative work, must
include a copyright notice as follows:
© (your company name) (year). Portions of this code are derived from IBM Corp.
Sample Programs. © Copyright IBM Corp. _enter the year or years_. All rights
reserved.
If you are viewing this information softcopy, the photographs and color
illustrations may not appear.
Trademarks
These terms are trademarks of International Business Machines Corporation in the
United States, other countries, or both:
IBM
AIX
DB2
DB2 Universal Database Domino
Domino
Domino Designer
Domino Directory
i5/OS
Lotus
Lotus Notes
Notes
OS/400
Sametime
WebSphere
AOL is a registered trademark of AOL LLC in the United States, other countries, or
both.
AOL Instant Messenger is a trademark of AOL LLC in the United States, other
countries, or both.
Google Talk is a trademark of Google, Inc, in the United States, other countries, or
both.
Java and all Java-based trademarks are trademarks of Sun Microsystems, Inc. in the
United States, other countries, or both.
Notices 543
Microsoft, and Windows are registered trademarks of Microsoft Corporation in the
United States, other countries, or both.
Printed in USA
SC23-8624-00