Lotus Sametime® Version 8.5
Version 8.5.0

Lotus Sametime 8.5 Installation and Administration Guide Part 2

SC23-8624-00

Note: Before using this information and the product it supports, read the information in "Notices" on page 541.

Edition notice This edition applies to version 8.5 of IBM Lotus Sametime (program number 5724–J23) and to all subsequent releases and modifications until otherwise indicated in new editions. © Copyright International Business Machines Corporation 1996, 2009. US Government Users Restricted Rights – Use, duplication or disclosure restricted by GSA ADP Schedule Contract with IBM Corp.

Contents

Chapter 1. Configuring  1
  Configuring Sametime to access LDAP without a Sametime System Console  1
  Configuring a Sametime Community Server  2
    Do I need to restart the Sametime server?  2
    Mapping the user ID to a unique directory attribute  18
    Turning off case sensitivity on the Lotus Sametime Community Server  26
    Managing client types and logins  26
    Creating custom Java classes for searching the LDAP  28
    Ports used by the Sametime Community Server  33
    Using reverse proxy or portal servers with the Sametime server  39
    Using multiple non-clustered Lotus Sametime Community Servers  53
    Clustering Lotus Sametime Community Servers  77
    Configuring SiteMinder for the Lotus Sametime server  92
  Configuring the Sametime client  97
    Client update process  97
    Writing custom messages for clients  98
    Creating an update site for plug-in access  99
    Turning off case sensitivity in the Lotus Sametime Connect client  100
    Basic Sametime Connect client connection process  101
    Client connections over HTTP tunneling  106
  Configuring Lotus Sametime for mobile users  107
    Configuring the Lotus Domino server for Lotus Sametime Mobile support  107
    Configuring Sametime Mobile for client downloads  108
  Configuring a Lotus Sametime Proxy Server  112
    Configuring connectivity  112
    Configuring Lotus Connections as the business card server  114
    Setting up click-to-call  115
    Clustering Lotus Sametime Proxy Servers  115
  Configuring a Lotus Sametime Media Manager  127
    Clustering Lotus Sametime Media Manager components  127
  Configuring a Lotus Sametime Meeting Server  160
    Configuring the Sametime Meeting Server for document conversion  160
    Assigning administrators to the Meeting Room Center  163
    Clustering Lotus Sametime Meeting Servers  163
  Configuring Sametime Gateway  183
    Setting up TLS/SSL  183
    Connecting servers to Sametime Gateway  203
    Installing and configuring event logging  231
    Configuring Sametime Gateway properties  236
  Configuring security  241
    Using a different SSL certificate for servers running on WebSphere  241
    Adding a Sametime server SSL certificate to the Sametime System Console  242
    Updating Sametime Media Manager connection properties on the console  243
    Configuring security for the Lotus Sametime Community Server  244
    Importing an SSL certificate from Lotus Sametime Unified Telephony  318

Chapter 2. Administering  319
  Command reference for starting and stopping servers  319
  Lotus Sametime component URLs  322
  Managing users with policies  325
    Finding policies associated with a user  326
    Creating new user policies  326
    Assign users and groups to policies  327
    Changing a user policy's weight  339
  Managing administrator access and roles  339
    Starting the Sametime Administration Tool  340
    Adding a Sametime administrator in Domino LDAP  340
    Roles in Sametime database ACLs  344
  Administering a Lotus Sametime System Console  347
    Backing up the console database  348
    Starting the Lotus Sametime System Console  348
  Administering a Lotus Sametime Community Server  348
    Updating Sametime Community Server connection properties on the console  348
    Configuring Sametime Community Server connectivity  349
    Managing trusted IP addresses  350
    Forcing users to connect to a home server  351
    Managing community services  352
    Managing anonymous access to virtual places  357
    Sending a message to all users  358
    Managing business cards  359
    Changing user names  384
    Changing the IP address of an IBM i Sametime Community Server  403
    Changing the host name of an IBM i Sametime Community Server  403
    Monitoring the Sametime Community Server  405
  Administering a Lotus Sametime Proxy Server  407
    Updating Sametime Proxy Server connection properties on the console  407
  Administering a Lotus Sametime Media Manager  408
    Updating Sametime Media Manager connection properties on the console  408
    Managing UDP ports for voice chat and video calls  409
    Managing multiple audio and video streams  410
    Changing the SIP transport protocol in the Sametime Media Manager  411
    Managing media codecs  411
    Managing video bit-rate  412
    Administering a SIP Proxy and Registrar  413
  Administering a Lotus Sametime Meeting Server  418
    Sametime Meetings client comparison  418
    Updating Sametime Meeting Server connection properties on the console  419
    Managing file sharing  420
    Requiring meeting passwords  421
    Limiting guest access to the Meeting Room Center  422
    Defining a Sametime Proxy server for awareness in meeting rooms  423
    Customizing the Sametime Meeting Server configuration  423
    Turning on full-text indexing in the Meeting Room Center  424
    Configuring remotely connected Sametime Meeting Servers  426
    Monitoring meeting room statistics  427
    Backing up user data for Lotus Sametime meeting rooms  427
  Administering the Sametime Gateway Server  428
    Updating Sametime Gateway Server connection properties on the console  428
    Assigning users access to external communities  429
    Enabling spam filtering  431
    Maintaining and monitoring Lotus Sametime Gateway  432
    Reference  432

Chapter 3. Tuning  479
  Tuning Sametime Community Server  479
    Tuning Sametime LDAP settings  479
    Advanced settings to control contact list size  483
  Tuning Lotus Sametime Media Manager  483
    Limiting participants in a video conference  483
    Modifying the dynamic port range to improve Packet Switcher performance  484
  Tuning Sametime Gateway  485
    Limiting Sametime Gateway global and community-level sessions  485
    Setting thread pool values  488
    Setting the JVM garbage collection policy  488
    Setting log files size and rotation  489
    Setting threshold warnings for monitoring server load  490
    Tuning the SIP proxy  491
    Tuning the data replication service on WebSphere Application Server 6  491
    Gathering performance data  492
  Tuning a WebSphere proxy server  493
    Disabling the proxy read-ahead mechanism on the WebSphere proxy server  494
    Adjusting the WebSphere proxy server thread pool settings  494
    Setting JVM verbose garbage collection and heap sizes on the WebSphere proxy server  494
    Extending the HTTP persistent timeout on the WebSphere proxy server  495
    Adjusting LDAP context pool settings  495

Chapter 4. Troubleshooting  497
  Troubleshooting a Lotus Sametime Connect client  497
    Logging and tracing on Lotus Sametime Connect  497
    Diagnosing client audio or video quality problems  498
    Troubleshooting audio video in Lotus Sametime Connect clients  498
    Troubleshooting meeting invitations  499
  Troubleshooting a Lotus Sametime System Console  499
    Sametime System Console log locations  499
    Determining Sametime server status using the Integrated Solutions Console  499
    The console.properties file  500
    The productConfig.properties file for WebSphere-based servers  501
    The productConfig file for Lotus Sametime Community server  504
    Troubleshooting clustering  504
  Troubleshooting a Lotus Sametime Community Server  505
    Trace file formats  505
    Domino log  506
    General log settings  508
    Sametime log settings  510
    NSD log  510
    Community Server Events to Log  510
    Lotus Sametime Runtime Debug Tool  511
    Troubleshooting LDAP in Sametime  513
    Troubleshooting network problems on Domino  514
    Troubleshooting Business Cards  514
  Troubleshooting a Lotus Sametime Proxy Server  516
    Enabling trace  516
  Troubleshooting a Lotus Sametime Media Manager  517
    Setting a diagnostic trace on a Lotus Sametime Media Manager server  517
    Gathering Lotus Sametime Media Manager logs and traces for IBM Support  519
    Troubleshooting a Lotus Sametime Media Manager using JVM logs  519
    Troubleshooting video quality  520
    Troubleshooting Lotus Sametime Media Manager component clusters  520
  Troubleshooting a Lotus Sametime Meeting Server  522
    Setting a diagnostic trace on a Lotus Sametime Meeting Server  522
    Gathering Lotus Sametime Meeting Server logs and traces for support  523
    Troubleshooting a Lotus Sametime Meeting Server using JVM logs  524
    Deploying Sametime Proxy Server and Sametime Meeting Server on the same machine  524
    Troubleshooting a Lotus Sametime Meeting Server cluster  525
  Troubleshooting a Lotus Sametime Gateway Server  526
    Setting a diagnostic trace on a server  526
    Gathering logs and traces for IBM support  527
    Troubleshooting installation  528
    Troubleshooting WebSphere Application Server  529
    Troubleshooting the Lotus Sametime Gateway using JVM logs  529
    Troubleshooting a failed WebSphere Application Startup  530
    Troubleshooting starting a cluster  531
    Troubleshooting secondary node problems  531
    Troubleshooting connections to external communities  532
    Troubleshooting message handlers  533
    Troubleshooting slow or missing awareness changes  534
    Troubleshooting XMPP and Google community connections and awareness  535
    Error message severity levels and situations  536
  Directory conventions  538
  Log file locations  538

Notices  541
  Trademarks  543


Chapter 1. Configuring
After setting up your initial IBM® Lotus® Sametime® environment, you may want to make additional changes, such as creating clusters of servers and enabling SSL. This section contains information about enlarging and securing your Lotus Sametime environment.

Configuring Sametime to access LDAP without a Sametime System Console
If you have chosen to use a supported third-party LDAP directory to manage IBM Lotus Sametime users, you must ensure that Lotus Sametime can connect to the LDAP server, search the LDAP directory and authenticate Lotus Sametime users.

About this task
This task has two parts:
v Configuring LDAP Connection Information
v Configuring LDAP Directory settings

Configuring LDAP Connection Information

The information that Sametime needs in order to connect to an LDAP server is normally provided during Sametime server installation when you select LDAP as the directory type. It is stored in a Directory Assistance database on the server, which installation normally creates and names da.nsf. If a Directory Assistance database already exists on the server, Sametime does not create one, and the existing database may have a different name; if you cannot locate it, check the Basics tab of the server document for the name of the Directory Assistance database.

A Directory Assistance document in that database holds the information that lets Sametime connect to the LDAP server to authenticate Web browser users: the fully qualified host name of the LDAP server, the port number Sametime uses for the connection, the bind distinguished name (DN) used when binding to the LDAP directory (unless anonymous access is allowed), and the bind password for that DN.

If you did not provide the connection information during installation, or the information was incorrect, the Sametime server cannot connect to the LDAP server and Sametime does not start. Usually the underlying Domino® server starts with errors, and you can still open the Directory Assistance database to make the necessary changes. After correcting the LDAP connection information, restart the server.

Note: If the Sametime startup failures cause a more serious problem and you cannot open the Directory Assistance database, remove "staddin" (or "staddin2" on IBM i) from the "Tasks" list in the Sametime server's notes.ini file and restart the server. After making the configuration changes, put "staddin" or "staddin2" back in the "Tasks" list and restart the Sametime server.

Configuring LDAP Directory settings

Once your Sametime server can connect to the LDAP server, the Sametime server uses information provided by the LDAP directory settings to search the LDAP directory and authenticate Sametime users. The installation program for Windows®, AIX®, Linux®, and Solaris provides the opportunity to fully configure all of the LDAP directory settings for a single LDAP server. If you chose not to update the settings during installation, if you need to configure additional LDAP directories, or if the settings are not correct, use the Sametime Administration Tool to configure the LDAP Directory settings.
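The recovery note above has you remove the Sametime add-in task from the notes.ini task list by hand and put it back afterwards. The following is an added example, not code from the IBM guide, that makes that edit repeatable and reversible: it takes a backup, removes or re-adds the task, and leaves every other notes.ini line untouched. It assumes (this page does not say so) that the task list is the comma-separated "ServerTasks=" line of notes.ini and that the Sametime task is named staddin (staddin2 on IBM i); the sample notes.ini contents are constructed.

```python
"""
Added example (not from the IBM guide): remove and restore the Sametime
add-in task in a Domino notes.ini so the Domino server can start without
Sametime while the Directory Assistance database is repaired.

Assumptions (not stated on this page): the task list is the
"ServerTasks=" line of notes.ini, comma-separated, and the Sametime task
is "staddin" (or "staddin2" on IBM i). Task names are matched
case-insensitively.
"""
import re
import shutil
from datetime import datetime
from pathlib import Path

SAMETIME_TASKS = ("staddin", "staddin2")

# Matches the ServerTasks= line only (not ServerTasksAt1=, etc.).
_KEY = re.compile(r"^(ServerTasks)(\s*=\s*)(.*)$", re.IGNORECASE)


def _split_tasks(value):
    return [t.strip() for t in value.split(",") if t.strip()]


def server_tasks(ini_text):
    """Return the task names on the ServerTasks= line, or [] if absent."""
    for line in ini_text.splitlines():
        m = _KEY.match(line)
        if m:
            return _split_tasks(m.group(3))
    return []


def has_task(ini_text, task):
    return task.lower() in (t.lower() for t in server_tasks(ini_text))


def _edit(ini_text, fn):
    """Apply fn(list_of_tasks) -> list_of_tasks to the ServerTasks= line.
    Returns (new_text, found). Line endings and other lines are preserved."""
    lines = ini_text.splitlines(keepends=True)
    for i, line in enumerate(lines):
        body = line.rstrip("\r\n")
        m = _KEY.match(body)
        if m:
            eol = line[len(body):]
            tasks = fn(_split_tasks(m.group(3)))
            lines[i] = f"{m.group(1)}{m.group(2)}{','.join(tasks)}{eol}"
            return "".join(lines), True
    return ini_text, False


def remove_task(ini_text, task):
    """Return ini_text with `task` removed from ServerTasks= (no-op if absent)."""
    return _edit(ini_text, lambda ts: [t for t in ts if t.lower() != task.lower()])[0]


def add_task(ini_text, task):
    """Return ini_text with `task` appended to ServerTasks= (no-op if present).
    The task is appended at the end of the list; if you need it at its
    original position, restore from the backup instead."""
    if has_task(ini_text, task):
        return ini_text
    new, found = _edit(ini_text, lambda ts: ts + [task])
    if not found:  # no ServerTasks= line at all: create one
        sep = "\n" if ini_text and not ini_text.endswith("\n") else ""
        new = f"{ini_text}{sep}ServerTasks={task}\n"
    return new


def set_sametime_task(path, enable, task="staddin"):
    """Edit notes.ini on disk after taking a timestamped backup.
    Returns the backup path so the change can be rolled back."""
    p = Path(path)
    text = p.read_text(encoding="utf-8")
    backup = p.with_name(f"{p.name}.{datetime.now():%Y%m%d%H%M%S}.bak")
    shutil.copy2(p, backup)
    new = add_task(text, task) if enable else remove_task(text, task)
    p.write_text(new, encoding="utf-8")
    return backup


# Constructed sample notes.ini fragment (not a real server's file).
SAMPLE_INI = (
    "ServerTasks=Update,Replica,Router,AMgr,staddin,HTTP\n"
    "ServerTasksAt1=Catalog,Design\n"
)

if __name__ == "__main__":
    without = remove_task(SAMPLE_INI, "staddin")
    print(without, end="")          # Domino can now start without Sametime
    print(add_task(without, "staddin"), end="")  # and this puts it back
```

Run `set_sametime_task("/path/to/notes.ini", enable=False)` before restarting Domino, fix the Directory Assistance document, then run it again with `enable=True` and restart; the backup file it returns is the exact pre-edit notes.ini if anything goes wrong.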

Configuring a Sametime Community Server
This section describes how to configure an IBM Lotus Sametime Community Server.

Do I need to restart the Sametime server?
Use this table to determine which changes in server settings require you to restart the server.
Each entry below gives the main function and sub function in the Sametime Administration Tool, the settings it contains, whether changing them requires a server restart, and any comments.

Logging

  Settings > General
    Enable logging to a Domino database (STLog.nsf). Restart required: No.
    Remove history after (days). Restart required: Yes.
    Enable logging to a text file; Path to log text file. Restart required: No.

  Settings > Sametime Statistics
    Write statistics to the log every 60 minutes. Restart required: Yes. This includes Community Services logging of people and chats, and Meeting Services logging of meetings, duration, and participants.

  Community Server Events to Log
    Successful logins; Failed logins; Community server events and activities. Restart required: Yes.

  Meeting Server Events to Log
    Failed meeting authentications; Meeting Client Connections; Connections to other meeting servers in this community; Meeting Events (meeting server events and activities). Restart required: Yes.

  Capacity Warnings > Sharing in Instant Meetings
    Number of active screen sharing/whiteboard meetings exceeds; Number of people in all screen sharing/whiteboard meetings exceeds; Number of people in one active screen sharing/whiteboard meeting exceeds. Restart required: No.

  Capacity Warnings > Sharing in Scheduled Meetings
    Number of active screen sharing/whiteboard meetings exceeds; Number of people in all screen sharing/whiteboard meetings exceeds; Number of people in one active screen sharing/whiteboard meeting exceeds. Restart required: No.

Directory

  Domino/LDAP > User Registration
    Allow people to register themselves in the Domino Directory. Restart required: No. This is a Domino feature.

Configuration > Connectivity

  HTTP Services

  Community services network
    Address for server connections: Host name (if empty, the service binds to all host names on the server); Port number.
    Address for client connections: Host name (if empty, the service binds to all host names on the server); Port number (default 1533).
    Address for HTTPS tunneled client connections: Host name (if empty, the service binds to all host names on the server); Port number.
    Restart required: Yes.
    Enable the Meeting Room client to try HTTP tunneling to the Community Server after trying other options. Restart required: Yes.
    Address for HTTP tunneled client connections: Host name (if empty, the service binds to all host names on the server); Port number (default 8082 or 80). Restart required: Yes.

  Meeting Services network
    Address for server connections: Host name (if empty, the service binds to all host names on the server); Port number.
    Address for client connections: Host name (if empty, the service binds to all host names on the server); Port number (default 1503).
    Address for HTTPS tunneled client connections: Host name (if empty, the service binds to all host names on the server); Port number (default 8081).
    Restart required: Yes.
    Enable the Meeting Room client to try HTTP tunneling to the Community Server after trying other options. Restart required: Yes.
    Address for HTTP tunneled client connections: Host name (if empty, the service binds to all host names on the server); Port number (default 8081 or 80). Restart required: Yes.
    Event server port (default 9092). Restart required: Yes.
    Token server port (default 9094). Restart required: Yes.

  Broadcast Services Network

  Interactive Audio/Video Network
    TCP tunneling address for client connections: Host name (if empty, the service binds to all host names on the server); Port number (default 8084). Restart required: Yes.
    Multimedia Processor (MMP) UDP port numbers start at 49252 and end at 65535. Restart required: Yes.
    Multimedia control address: Host name (if empty, the service binds to all host names on the server); Port number (default 9093). Restart required: Yes.

  Reverse Proxy Support
    Enable Reverse Proxy Discovery on the client. Restart required: Yes.
    Server Alias (the name the reverse proxy uses to forward HTTP(S) messages to this server).

  Connecting Meeting Servers
    Restart required: Yes. To allow meeting participants to attend a meeting on more than one server, you must create a connection record from each source server to each destination server. Once you do that, the destination servers are automatically included in a meeting when users schedule a meeting and click the appropriate check boxes on the Location tab.

Community services

  General
    Number of entries on each page in dialog boxes that show names in the Directory (100); How often to poll for new names added to the Sametime Community Directory, in minutes (60); How often to poll for new servers added to the Sametime Community, in minutes (60); Maximum user and server connections to the Community server (20000). Restart required: Yes.
    Allow users to authenticate using either LTPA or Sametime Token (stauths.nsf and stautht.nsf). Restart required: Yes. The server uses LTPA if this item is unchecked; it is unchecked by default.
    Display the "Launch Sametime Connect for the desktop" link on the Sametime Home page. Restart required: No.
    Allow users to transfer files to each other; Maximum file size allowed (KB): 1000. Restart required: Yes.

  Server Features
    Allow users to send announcements (unencrypted one-way messages). Restart required: Yes.

  Sametime Connect for Browsers
    Allow Connect users to save their user name, password, and proxy information (automatic login). Restart required: No.
    Display the "Launch Sametime Connect for browsers" link on the Sametime Home page (stcenter.nsf). Restart required: No.

  Display Name Settings for Anonymous Access to Meetings or other Virtual Places
    Default domain for anonymous users: Guest; Default name: User. Restart required: Yes. Anonymous users can participate in meetings or enter virtual places; their names appear as user1, user2, and so on. Users of Sametime applications (databases such as stconf.nsf, or Web sites) can specify a display name so that they do not appear online as "anonymous." This does not authenticate users. (Databases must also allow anonymous access in the ACL.)

  Directory Searching and Browsing
    Users cannot browse or search the Directory; users can type names (resolve users and groups) to add them to an awareness list. Users can browse the directory (see a list of names) or type names (resolve users and groups). Users can browse the directory to see group content and names, or type names (resolve users and groups). Restart required: No.

Meeting services

  General
    Automatically extend meetings beyond the scheduled end time when there are still people in the meeting; After a meeting, add the names of participants to the meeting document. Restart required: No.

  When people start or schedule a meeting
    Allow people to choose the Screen Sharing tool in meetings: participants can share their screen, view a shared screen, or control a shared screen if the moderator permits; participants can share their screen if the moderator permits, or view a shared screen; participants can view the shared screen only. Restart required: No.
    Force Screen Sharing to use 8-bit color. Restart required: No.
    Allow people to choose the whiteboard tool in meetings; Allow people to save whiteboard annotations as attachments to the meeting. Restart required: No.
    Allow people to enable the "Send Web Page" tool in meetings. Restart required: No.
    Allow people to choose the Polling tool in meetings. Restart required: No.
    Allow people to record meetings for later playback (scheduled meetings only); Save recorded meetings in the following location; Stop recording when this much disk space is left (MBytes; an error is written to the log): 300. Restart required: No.

  When People Start an Instant Meeting or Schedule a Meeting
    Allow people to schedule Recorded Meeting Broadcast meetings. Restart required: No.

  Security
    Encrypt all Sametime meetings. Restart required: No. This setting applies in the Meeting Center but does not affect instant meetings.
    Require all scheduled meetings to have a password. Restart required: No.

  Connection Speed Settings
    Meetings with modem users; Meetings with LAN/WAN users. Restart required: Yes.

Audio/Video

  When People Schedule a Meeting
    Allow people to choose Sametime IP Audio (in addition to or instead of telephone) in meetings; Allow people to choose Sametime IP Video in meetings. Restart required: No.

  Switching
    Time to wait for silence before switching to the next speaker (100 - 500 ms): 250; Time to wait before switching to the next video (500 - 4000 ms): 2000.

  Recorded Meeting Broadcast Meetings Connection Speed Settings

  Usage Limits and Denied Entry for Instant Meetings
    Set a maximum number of interactive audio connections for all instant meetings on this server: 100. Restart required: Yes.
    Set a maximum number of interactive video connections for all instant meetings on this server: 100. Restart required: Yes. Each video connection requires an audio connection; ensure that at least as many audio connections are allowed as video connections.

  Usage Limits and Denied Entry for Scheduled Meetings
    Set a maximum number of interactive audio connections for all scheduled meetings on this server: 100. Restart required: Yes.
    Set a maximum number of interactive video connections for all scheduled meetings on this server: 100. Restart required: Yes. Each video connection requires an audio connection; ensure that at least as many audio connections are allowed as video connections.

  Usage Limits and Denied Entry for Recorded Broadcast Meetings

Mapping the user ID to a unique directory attribute
If you frequently change user names, the IBM Lotus Sametime Community Server lets you optionally map the Sametime user ID to an LDAP directory attribute that is unlikely to change. This way, the need to run the name change utility in the future is removed.

About this task
Sametime provides the RESOLVE mode which lets you run the name conversion utility one time only, in a way that eliminates the need for additional conversions in the future. You change the Lotus Sametime LDAP configuration, to map the user ID to a directory attribute in the person entry that is not bound to change. In such a deployment, where the user ID attribute is constant, a name change does not trigger a user ID change, eliminating the need for running the tool. RESOLVE migrates the VpUserInfo.nsf database, from the old user ID to the new user ID.

Preparing the Sametime Community Server for RESOLVE mode
You must prepare your IBM Lotus Sametime Community servers for running the name conversion utility in RESOLVE mode. You only need to do this once.

About this task
Preparing to run the Name Change task in RESOLVE mode requires editing the sametime.ini file on the IBM Lotus Sametime Community Server.

1. Add VP_NCSA_TRACE=1 to the Debug section of the sametime.ini file. This creates a debug log file.
2. Add VP_LDAP_TRACE=1 to the Debug section of the sametime.ini file. This creates the StResolve_*.txt debug log file.
3. For UNIX® only, add NC_LOCAL_CONVERSION=1 to the Config section of the sametime.ini file.

Creating a comma-separated value file for RESOLVE mode
A comma-separated value (CSV) file created in a text editor provides the name conversion utility with the information for migrating the old user ID to a new user ID that is a directory attribute not likely to change.
1. Use a text editor to create a comma-separated file.
2. Because RESOLVE mode does not require any additional information, the CSV file is very simple: its content is a single line, RESOLVE.
   Note: Create a CSV for only one type of change: RESOLVE. You cannot mix name change types in the same CSV.
3. Name and save the file with a .csv extension in a directory accessible by the Sametime server.

Preparing user IDs for RESOLVE mode
Before you use the name conversion utility in RESOLVE mode, you must make LDAP directory changes (if needed) and IBM Lotus Sametime configuration changes.

About this task
You change the Lotus Sametime LDAP configuration to map the user ID to a directory attribute in the person entry that is not bound to change. This change eliminates the need for running the tool again. RESOLVE migrates the VpUserInfo.nsf database from the old user ID to the new user ID.

Note: The old name still appears in the contact list of users who previously added that person.

If your LDAP directory does not contain an attribute with a unique value in the person entry, you must change the schema to provide one. See the documentation provided by your LDAP vendor. See also RFC 4530 (http://www.ietf.org/rfc/rfc4530.txt), which introduces the entryUUID attribute in LDAP directories. The value of this attribute is constant by definition, which makes it suitable for the user ID mapping in Lotus Sametime. If your LDAP directory does not support this attribute, consider extending the directory schema to support it. If you prefer to use an existing attribute instead of modifying the schema, choose an attribute that does not change when users change their name or relocate. Here are examples of stable attributes in some well-known LDAP servers:
v IBM Directory Server: ibm-entryUUID
v Domino LDAP: dominounid
v Novell Directory Server (NDS): guid
v SunOne: nsuniqueid
v Active Directory: objectGUID

Unlike the ID name conversion mode, which expects a table of oldName and newName entries as input, the RESOLVE mode does not expect any input from the administrator. When the name conversion is run in this mode, it looks up each user ID in the database against the directory and replaces the old user ID with the directory user ID. The tool accomplishes this by using the StResolve service to look up each person. This requires the administrator to make the LDAP configuration change to use the new user ID mapping before running the tool.
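RESOLVE mode silently depends on the chosen attribute being present on every person entry and unique across the directory; an entry that lacks it, or two entries that share a value, cannot be mapped cleanly. The following is an added example, not part of the IBM guide, that checks those two conditions (and that the attribute is single-valued) over an LDIF export of the person container, so it can be run offline before the name change task is created. The attribute name, the person object classes, the helper names and the LDIF sample are all assumptions chosen for illustration; the sample is constructed data, not a real directory.

```python
"""
Added example (not from the IBM guide): verify that a directory attribute is
suitable as a stable Sametime user ID before running the name conversion
utility in RESOLVE mode. Works on an LDIF export (e.g. saved ldapsearch
output), so no live LDAP connection is needed.

Assumptions: person entries carry one of the object classes in
PERSON_CLASSES; the LDIF uses "attr: value" or base64 "attr:: value" lines
(the ":<" URL form is not handled). Attribute names are compared
case-insensitively, as LDAP does.
"""
import base64
from collections import defaultdict

PERSON_CLASSES = ("person", "inetorgperson", "organizationalperson")


def parse_ldif(text):
    """Minimal LDIF parser: returns a list of (dn, {attr_lower: [values]})."""
    # Unfold continuation lines (a leading space joins to the previous line).
    logical = []
    for raw in text.splitlines():
        if raw.startswith(" ") and logical:
            logical[-1] += raw[1:]
        else:
            logical.append(raw)

    entries, dn, attrs = [], None, None
    for line in logical + [""]:  # trailing "" flushes the last entry
        if line.startswith("#"):
            continue
        if line == "":
            if dn is not None:
                entries.append((dn, attrs))
            dn, attrs = None, None
            continue
        name, _, value = line.partition(":")
        if value.startswith(":"):  # "attr:: <base64>"
            value = base64.b64decode(value[1:].strip()).decode("utf-8")
        else:
            value = value.strip()
        name = name.strip().lower()
        if name == "dn":
            dn, attrs = value, defaultdict(list)
        elif attrs is not None:
            attrs[name].append(value)
    return entries


def check_id_attribute(ldif_text, attr, person_classes=PERSON_CLASSES):
    """Return (missing, duplicates, multivalued) for person entries:
       missing     - DNs of person entries that lack `attr`
       duplicates  - {value: [dn, ...]} for values shared by more than one entry
       multivalued - DNs where `attr` has several values (unusable as an ID)"""
    attr = attr.lower()
    wanted = {c.lower() for c in person_classes}
    missing, multivalued, seen = [], [], defaultdict(list)
    for dn, attrs in parse_ldif(ldif_text):
        classes = {c.lower() for c in attrs.get("objectclass", [])}
        if not classes & wanted:
            continue  # groups, OUs, etc. are not Sametime users
        values = attrs.get(attr, [])
        if not values:
            missing.append(dn)
        elif len(values) > 1:
            multivalued.append(dn)
        else:
            seen[values[0]].append(dn)
    duplicates = {v: dns for v, dns in seen.items() if len(dns) > 1}
    return missing, duplicates, multivalued


def ready_for_resolve(ldif_text, attr):
    """True only if every person entry has exactly one, unique value of attr."""
    missing, duplicates, multivalued = check_id_attribute(ldif_text, attr)
    return not (missing or duplicates or multivalued)


# Constructed sample export: one entry lacks entryUUID and two share a value.
SAMPLE_LDIF = """\
# constructed sample, not real directory data
dn: uid=jdoe,ou=people,dc=example,dc=com
objectClass: inetOrgPerson
uid: jdoe
cn: Jane Doe
entryUUID: 1a2b3c4d-0000-4000-8000-000000000001

dn: uid=asmith,ou=people,dc=example,dc=com
objectClass: inetOrgPerson
uid: asmith
cn:: QWxleCBTbWl0aA==
entryUUID: 1a2b3c4d-0000-4000-8000-000000000002

dn: uid=bjones,ou=people,dc=example,dc=com
objectClass: inetOrgPerson
uid: bjones
cn: Bob Jones

dn: uid=copy,ou=people,dc=example,dc=com
objectClass: inetOrgPerson
uid: copy
cn: Duplicate Entry
entryUUID: 1a2b3c4d-0000-4000-8000-000000000002

dn: cn=sametime-admins,ou=groups,dc=example,dc=com
objectClass: groupOfNames
cn: sametime-admins
member: uid=jdoe,ou=people,dc=example,dc=com
"""

if __name__ == "__main__":
    missing, duplicates, multivalued = check_id_attribute(SAMPLE_LDIF, "entryUUID")
    for dn in missing:
        print("missing entryUUID:", dn)
    for value, dns in duplicates.items():
        print("duplicate value", value, "on", ", ".join(dns))
    print("ready for RESOLVE:", ready_for_resolve(SAMPLE_LDIF, "entryUUID"))
```

Run it against a full export of the person subtree with the attribute you intend to map; fix every DN it reports before creating the name change task, because the utility replaces IDs it can resolve and leaves the rest as they are.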

Creating a Name Change task
Create a name change task on the IBM Lotus Sametime Community server.

Before you begin
Before you create a name change task, create a comma-separated value (CSV) file of the name changes in the Lotus Sametime Community Server directory.

About this task
A name change task is not actually a scheduled program; its timestamp merely indicates when the task was created, not when it will be run. The list of tasks is ignored until you run the stnamechange.cmd program, which then operates on all of the tasks in the list, using the .CSV files specified in the Name Change page. Follow the steps below to create a name change task.
1. Log in to the Integrated Solutions Console.
2. Click Sametime System Console → Sametime Servers → Sametime Community Servers.
3. In the Sametime Community Servers list, click the deployment name of the server where you want to add a name change task. If you want to create a task to run on multiple servers, click the deployment name of any of the servers on which you want to run the task.
4. Click the Name Change tab.
5. Click New.
   Note: If you only want to edit a task, you can click the name of the scheduled task to edit it.
6. Enter a name in the Name of Task field. The name is at your discretion; by default, it is the date the task is created.
7. Optional: Enter a description for the task.
8. Optional: If you want to run the task on all servers in the cluster, select All Servers.
9. Browse for the CSV file you want to use, and then click OK.
10. The name change task appears in the list of scheduled tasks. All tasks listed here run when stnamechange.cmd is run.

Results
After you have completed these steps on one Lotus Sametime Community server, it may be necessary to repeat this process on other home Lotus Sametime Community servers in your environment. You must replicate the NSF file to all the Lotus Sametime Community servers so all are included, regardless of the server on which the task was defined. When you are done setting up the task, name changes are saved to stnamechange.nsf. This file is used by Domino to replicate the name changes throughout the server cluster. Domino will pick up all valid name change tasks in the stnamechange.nsf file. You choose the servers or cluster on which the name change task runs on a regular basis using general scheduling tools. The application does not run by default; you must run the task manually. To delete a name change task, on the Name Change page, select the task, and then click Delete. If any name changes are not entered correctly, you can import a new CSV file.

Running the name conversion utility in RESOLVE mode
The name conversion utility uses the CSV file to update user contact and privacy lists with the latest directory changes.

Before you begin
Before you begin, create a comma-separated value file with name changes, and then create a name change task. IBM recommends running the name conversion utility at off-peak hours.

About this task
It is not necessary to run the name change conversion utility on every IBM Lotus Sametime Community Server in a cluster. For clusters, the task should run once on one server and then be replicated to the other servers in the cluster. Note that the All servers option on the Name Change page in the Sametime System Console does not work because of the procedure for replicating across all servers. If you create a Name Change task and select All servers, only the server you are logged on to contains the task; other servers do not. This is viewable in stnamechange.nsf through the Notes® client. The correct procedure is to create the name change task on all the servers in the community.

Running the name change utility in RESOLVE mode on Windows:
Follow these steps to run the name conversion utility in RESOLVE mode on Windows.

Before you begin
Before you begin, verify the following:
- The IBM Lotus Sametime Community Server is running. Name change in RESOLVE mode differs from the other name conversion modes because in RESOLVE mode the Lotus Sametime Community server should be running, so that the name change utility can access StResolve.
- You have created a CSV file with the RESOLVE mode indicated. See "Creating a comma separated value file."
- The LDAP directory contains a unique and constant attribute in each person entry. The attribute needs to be added to the directory schema if it does not exist, and needs to be populated with a unique value in each person entry. The value needs to be set to a string that will not change when the person’s name changes.

About this task
Running the name conversion utility in RESOLVE mode migrates the old user ID to a new user ID that is a directory attribute that is not likely to change. The tool looks up each and every user ID in the database against the directory, and replaces the old user ID with the directory user ID. In such a deployment, where the user ID attribute is constant, a name change does not trigger a user ID change, eliminating the need for running the tool. Name change in RESOLVE mode differs from the other name conversion modes because in RESOLVE mode the Lotus Sametime Community server should be running, so that the name change utility can access StResolve.
1. Disable the Sametime Community Server multiplexer service and the Sametime Polling service on all servers in the cluster.
a. Open the sametime_installation_directory/STCommLaunch.dep file in an editor and comment out the following lines by putting a number sign # in front of them:
#SERVERAPP ST Mux,ST Community,SOFT
#SERVERAPP ST Polling,ST Mux,SOFT

b. Select Start → Control Panel → Administrative Tools → Services.
c. In the Services window, right-click ST Mux, and select Stop.
d. In the Services window, right-click ST Polling, and select Stop.
2. Change your Lotus Sametime Community Server configuration to use a unique user ID, so that you can run the name change utility in RESOLVE mode. This is controlled in the LDAPServer document in StConfig.nsf.
a. Log in to the Integrated Solutions Console.
b. Click Sametime System Console → Sametime Servers → Sametime Community Servers.
c. In the Sametime Community Servers list, click the deployment name of the server with the connectivity information that you want to change.
d. Click the Community Services tab.
e. Under LDAP Attributes, in the Attribute used for determining the internal user ID field, enter the name of the field within the LDAP person entries that contains the unique value used for logging in. For example, objectGUID contains a commonly used unique value for logging in to Sametime.
f. Click OK.
3. Restart the Lotus Sametime Community Server.
4. Open a command prompt, change to the Domino directory, and then type the following command to run the name conversion utility:
stnamechange.cmd

5. Define the LDAP search filter responsible for selecting a user name from the LDAP directory. The LDAP search attribute must match the Attribute used for determining the internal user ID field of the IBM Lotus Sametime Community Server.
a. In the Integrated Solutions Console, click Sametime System Console → Sametime Prerequisites → Connect to LDAP Servers.
b. Select the Deployment Name of your LDAP server.
c. Click Next until you get to Collect Person Settings.
d. Edit the Search Attributes field. It must include the attribute that you specified as the Attribute used for determining the internal user ID for the Sametime Community Server, for example objectGUID.
e. Click Next until you get to the Summary screen, then click Finish.
6. Enable the Sametime Community Server multiplexer and Sametime Polling services.


a. Open the sametime_installation_directory/STCommLaunch.dep file in an editor and remove the number sign # from the following lines:
SERVERAPP ST Mux,ST Community,SOFT
SERVERAPP ST Polling,ST Mux,SOFT

b. Select Start → Control Panel → Administrative Tools → Services.
c. In the Services window, right-click ST Mux, and select Start.
d. In the Services window, right-click ST Polling, and select Start.
7. Restart all the servers in the cluster.

Running the name change utility in RESOLVE mode on IBM i:
Follow these steps to run the name conversion utility in RESOLVE mode on IBM i.

Before you begin
Before you begin, verify the following:
- You have created a CSV file with the RESOLVE mode indicated, and it is in the Domino\data directory.
- The LDAP directory contains a unique and constant attribute in each person entry. The attribute needs to be added to the directory schema if it does not exist, and needs to be populated with a unique value in each person entry. The value needs to be set to a string that will not change when the person’s name changes.

About this task
Running the name conversion utility in RESOLVE mode migrates the old user ID to a new user ID that is a directory attribute that is not likely to change. The tool looks up each and every user ID in the database against the directory, and replaces the old user ID with the directory user ID. In such a deployment, where the user ID attribute is constant, a name change does not trigger a user ID change, eliminating the need for running the tool.
1. Stop the IBM Lotus Sametime Community Server, but leave the Domino server running, by running TELL STADDIN2 QUIT from the Domino console.
2. Go to the OS/400® command line and edit the data-directory/STCommLaunch.dep file and comment out the following line by putting a number sign # in front of it:
#SERVERAPP StMux,StCommunty,SOFT

3. Restart the Lotus Sametime Community Server by running LOAD STADDIN2 from the Domino console. This starts the server without running the Sametime Community Server multiplexer service. Name change in RESOLVE mode differs from the other name conversion modes because in RESOLVE mode the Lotus Sametime Community server should be running, so that the name change utility can access StResolve.
4. Change your Lotus Sametime Community Server configuration to use a unique user ID, so that you can run the name change utility in RESOLVE mode. This is controlled in the LDAPServer document in StConfig.nsf.
a. Log in to the Integrated Solutions Console.
b. Click Sametime System Console → Sametime Servers → Sametime Community Servers.
c. In the Sametime Community Servers list, click the deployment name of the server with the connectivity information that you want to change.
d. Click the Community Services tab.
e. Under LDAP Attributes, in the Attribute used for determining the internal user ID field, enter the name of the field within the LDAP person entries that contains the unique value used for logging in. For example, objectGUID contains a commonly used unique value for logging in to Sametime.
f. Click OK.
5. Go to the OS/400 command line, and enter the following command: QSH
This opens a command line where the Name Change task is run.
6. Type the following commands:
cd <data directory>
stnamechange <data directory>

7. View the NameConversion**** log file located in the Sametime server directory/trace folder. The asterisks in the file name are variable characters.
8. Define the LDAP search filter responsible for selecting a user name from the LDAP directory. The LDAP search attribute must match the Attribute used for determining the internal user ID field of the IBM Lotus Sametime Community Server.
a. In the Integrated Solutions Console, click Sametime System Console → Sametime Prerequisites → Connect to LDAP Servers.
b. Select the Deployment Name of your LDAP server.
c. Click Next until you get to Collect Person Settings.
d. Edit the Search Attributes field. It must include the attribute that you specified as the Attribute used for determining the internal user ID for the Sametime Community Server, for example objectGUID.
e. Click Next until you get to the Summary screen, then click Finish.
9. Stop the IBM Lotus Sametime Community Server, but leave the Domino server running, by running TELL STADDIN2 QUIT from the Domino console.
10. Go to the OS/400 command line and edit the data-directory/STCommLaunch.dep file and remove the number sign # from the following line:
SERVERAPP StMux,StCommunty,SOFT

11. Restart the Lotus Sametime Community Server by running LOAD STADDIN2 from the Domino console. This starts the server with the Sametime Community Server multiplexer service running.
12. Restart all Lotus Sametime Community Servers in your deployment so they can detect the modified name. If your deployment includes Lotus Sametime Unified Telephony, restart all Telephony Application Servers as well.

Running the name change utility in RESOLVE mode on UNIX:
Follow these steps to run the name conversion utility in RESOLVE mode on UNIX.

Before you begin
Before you begin, verify the following:
- The IBM Lotus Sametime Community Server is running. Name change in RESOLVE mode differs from the other name conversion modes because in RESOLVE mode the Lotus Sametime Community server should be running, so that the name change utility can access StResolve.
- You have created a CSV file with the RESOLVE mode indicated.
- The LDAP directory contains a unique and constant attribute in each person entry. The attribute needs to be added to the directory schema if it does not exist, and needs to be populated with a unique value in each person entry. The value needs to be set to a string that will not change when the person’s name changes.

About this task
Running the name conversion utility in RESOLVE mode migrates the old user ID to a new user ID that is a directory attribute that is not likely to change. The tool looks up each and every user ID in the database against the directory, and replaces the old user ID with the directory user ID. In such a deployment, where the user ID attribute is constant, a name change does not trigger a user ID change, eliminating the need for running the tool.
1. Disable the Sametime Community Server multiplexer service on all servers in the cluster.
a. Stop the IBM Lotus Sametime Community Server.
b. Open a shell and edit the data-directory/STCommLaunch.dep file and comment out the following line by putting a number sign # in front of it:
#SERVERAPP stmux_launcher.sh,stserver,SOFT

c. Restart the Lotus Sametime Community Server. This starts the server without running the Sametime Community Server multiplexer service. Name change in RESOLVE mode differs from the other name conversion modes because in RESOLVE mode the Lotus Sametime Community server should be running, so that the name change utility can access StResolve.
2. Change your Lotus Sametime Community Server configuration to use a unique user ID, so that you can run the name change utility in RESOLVE mode. This is controlled in the LDAPServer document in StConfig.nsf.
a. Log in to the Integrated Solutions Console.
b. Click Sametime System Console → Sametime Servers → Sametime Community Servers.
c. In the Sametime Community Servers list, click the deployment name of the server with the connectivity information that you want to change.
d. Click the Community Services tab.
e. Under LDAP Attributes, in the Attribute used for determining the internal user ID field, enter the name of the field within the LDAP person entries that contains the unique value used for logging in. For example, objectGUID contains a commonly used unique value for logging in to Sametime.
f. Click OK.
3. Restart the Lotus Sametime Community Server.
4. Open a shell and change to the Domino data directory. Type the following command:
./stnamechange.sh <domino_bin_directory> <domino_data_directory>

For example:
./stnamechange.sh /domino/opt/lotus/notes/80020/linux /domino/notesdata

5. Define the LDAP search filter responsible for selecting a user name from the LDAP directory. The LDAP search attribute must match the Attribute used for determining the internal user ID field of the IBM Lotus Sametime Community Server.
a. In the Integrated Solutions Console, click Sametime System Console → Sametime Prerequisites → Connect to LDAP Servers.
b. Select the Deployment Name of your LDAP server.
c. Click Next until you get to Collect Person Settings.
d. Edit the Search Attributes field. It must include the attribute that you specified as the Attribute used for determining the internal user ID for the Sametime Community Server, for example objectGUID.
e. Click Next until you get to the Summary screen, then click Finish.
6. Enable the Sametime Community Server multiplexer service on all the servers in the cluster.
a. Stop the IBM Lotus Sametime Community Server.
b. Open a shell and edit the data-directory/STCommLaunch.dep file and remove the number sign # from the following line:
SERVERAPP stmux_launcher.sh,stserver,SOFT

c. Restart all the servers in the cluster.

Turning off case sensitivity on the Lotus Sametime Community Server
You must turn off case sensitivity on the IBM Lotus Sametime Community Server to allow awareness in IBM Lotus iNotes® and WebSphere® applications.
1. Open a text editor on the Lotus Sametime Community server.
2. Open the sametime.ini file located in the Lotus Sametime Community server installation directory. The default directory is C:\program files\lotus\domino.
3. In the Config section, add AWARENESS_CASE_SENSITIVE=0. Starting in Sametime 8.5, the Lotus Sametime Community server is not case-sensitive by default. This is the suggested configuration. This setting controls whether it is possible to add a user ID to the contact list using different case than the case used in the Directory. When you add this setting and give it a value of 0, the Sametime server is no longer case-sensitive.
4. You must restart the Lotus Sametime Community server for the change to take effect.

What to do next
IBM recommends that you also turn off case sensitivity in the Lotus Sametime Connect client. To learn more about this setting and others, see TechNote 1415058:
http://www.ibm.com/support/docview.wss?uid=swg21415058.

Related tasks
“Turning off case sensitivity in the Lotus Sametime Connect client” on page 100
If you turn off case sensitivity in the IBM Lotus Sametime Community server, IBM recommends that you also turn off case sensitivity in the Lotus Sametime client.

Managing client types and logins
You can manage the manner and order of client logins to IBM Lotus Sametime.

Configuring allowed client types
You can define the types of clients that can connect to the IBM Lotus Sametime Community Server.


About this task
Follow these steps to specify the list of client types that are allowed to connect to the Lotus Sametime Community Server.
1. Open a text editor on the Lotus Sametime Community Server.
2. Open the sametime.ini file located in the Lotus Sametime Community Server installation directory. For example, the default directory in Windows is C:\program files\lotus\domino.
3. In the Config section, enter the client type IDs for the allowed client types in the VPS_ALLOWED_LOGIN_TYPES flag, as a comma-separated list. If the flag is not specified or its value is empty, all client types are allowed to connect to the server.
[Config]
VPS_ALLOWED_LOGIN_TYPES=8020,8500

For a list of client types, see Technote 1114318 on the IBM Lotus Support Web site at http://www.ibm.com/support/docview.wss?uid=swg21114318.
4. Save the sametime.ini file.

Configuring the single login type
The single login type mode means that only one login per user is allowed. When a client attempts to log in to the IBM Lotus Sametime Community Server, the server checks to see if there are any existing logins of the same user, and disconnects them. Any client on the exclusion list is not disconnected, which is useful for users who want to run multiple clients simultaneously.

About this task
To configure the single login function and exclude certain client types from qualifying as logins, edit the sametime.ini file.
1. Open a text editor on the Lotus Sametime Community Server.
2. Open the sametime.ini file located in the Lotus Sametime Community Server installation directory. For example, the default directory in Windows is C:\program files\lotus\domino.
3. In the Config section, set the following flag to activate single client login mode:
VP_ONLY_SINGLE_LOGIN_ALLOWED=1
If the flag is set to 1, the server works in single login allowed mode. When a new client login request is received, all the previous logins are disconnected. Only one client type connection per machine is allowed at one time (related to client types, not users).
4. Specify which client types are not considered logins when the server checks whether to accept or disconnect clients. Separate the client types with commas:
VPS_EXCLUDED_LOGIN_TYPES=clienttype1,clienttype2
For a list of client types, see Technote 1114318 on the IBM Lotus Support Web site at http://www.ibm.com/support/docview.wss?uid=swg21114318. In the following configuration, even though single client login mode is activated, logins originating from C++ clients and Unified instant messaging clients will not be disconnected if the user has also logged in from the Sametime client:
VPS_EXCLUDED_LOGIN_TYPES=1002,1304
5. Save the sametime.ini file.


Configuring the preferred login list
If a user is already connected to the IBM Lotus Sametime Community Server through several different clients, and another user attempts to initiate an instant messaging session with the logged-in user, Sametime uses a default login order to determine which client type should receive the instant messaging session. A preferred login list allows you to override the default order.

About this task
The Lotus Sametime Community Server depends upon the default list of client types, each of which has a pre-defined weight. Login order for each user depends upon the login-type weight. The first login type, having minimal weight, is the one provided for the incoming instant messaging session. Default order of login types on Sametime:
1. Lotus Sametime Connect client (Standalone and Notes Standard)
2. Lotus Notes® Client
3. Java™ client
4. C++ client
5. C++ toolkit
6. Java toolkit
To override the default order:
1. Open a text editor on the Lotus Sametime Community Server.
2. Open the sametime.ini file located in the Sametime server installation directory (the default directory in Windows is C:\program files\lotus\domino).
3. In the [Config] section, specify the order of the login types that overrides the default order:
VPS_PREFERRED_LOGIN_TYPES=login_type1,login_type2
For a list of login types, see Technote 1114318 on the IBM Lotus Support Web site at http://www.ibm.com/support/docview.wss?uid=swg21114318.
4. Save the sametime.ini file.

Creating custom Java classes for searching the LDAP
Create custom Java classes that provide greater control over how the Sametime Community server conducts name searches of an LDAP directory and how results are formatted.

About this task
Creating a custom Java class can be especially effective with complex LDAP directory schemas. The Java code that you write must be compatible with the Java Run-Time Environment (JRE 1.5.0). In addition to the following topics, the Sametime wiki contains an article on writing Java classes that includes sample search filters.

Example: Writing a Java class to filter searches for people and groups
If a single search filter is not adequate to resolve user or group name searches, you can write a Java class containing a method that specifies exactly how directory searches are conducted. The class can invoke different LDAP search filters depending on search criteria entered by users.


About this task
The Search filter for resolving person names and Search filter for resolving group names settings in the LDAP directory settings of the Sametime Administration Tool define the LDAP directory search filters responsible for selecting user and group names from the LDAP directory.
Note: You do not have to write Java classes to control the search behavior for both users and groups. You can use a Java class to control the search behavior for users while using a single LDAP search filter to control the search behavior for groups, or vice versa.
The specific source code that you write to support customized LDAP searches is entirely dependent on your environment. This section provides a code sample to help you understand how to write the Java class appropriate for your environment.

Example
The following example invokes different LDAP directory search filters based on the text string that a user enters into the Sametime user interface. The search filters invoked by the method depend on the directory schema and the search behavior needed for the environment. Assume that three different users want to add the user Victor Lazlow to their Sametime Connect buddy lists. Each of the three users searches for Victor Lazlow in a different way. The logic of the Java class dictates the results of these three user searches:
- User 1
Input: User 1 enters "Victor L*" into the Sametime client user interface to add Victor Lazlow to the buddy list.
Results: This search attempt returns an error because the Java class is programmed to return an error when the user enters a text string that includes an asterisk.
- User 2
Input: User 2 enters "Victor_Lazlow@acme.com" into the Sametime client interface.
Results: This search attempt succeeds and returns the value "Victor_Lazlow@acme.com" (Victor Lazlow’s e-mail address) from the LDAP directory. The search attempt succeeds in this way because the Java class is programmed to return an LDAP search filter that can resolve an LDAP directory search to a user’s e-mail address. The Java class returns this e-mail address search filter if the search text string entered by the end user includes the "at" character (@).
- User 3
Input: User 3 enters "Victor L" into the Sametime client interface. This search attempt succeeds and returns the common name (cn) directory attribute of "Victor Lazlow."
Results: The search attempt succeeds in this way because the Java class is programmed to return an LDAP search filter that can resolve an LDAP directory search to a user’s common name (cn). The Java class returns this common name search filter if the search text string entered by the end user does not include either an asterisk or the "at" (@) character.

Sample code
The code sample below shows the Java source code that produces the search behavior described above. This code creates a Java class named "StLdapCustomized" that includes the "peopleResolveFilter" method. The if statements in the peopleResolveFilter method examine the text string entered by the user in the Sametime client user interface and return the appropriate LDAP search filter based on this text string. The comments in the source code explain the purpose of each if statement.
public class StLdapCustomized {
    /**
     * Generates a search filter for finding a user, given the user's
     * name.
     *
     * @param name The user's name as provided by the Sametime client.
     * @return The search filter, or null if the name is invalid.
     */
    public static String peopleResolveFilter(String name) {
        // prevent users from adding their own wildcards
        if (name.indexOf('*') != -1)
            return null;
        // if name looks like e-mail, do not search with wildcards
        if (name.indexOf('@') != -1)
            return "(&(objectclass=person)(mail=" + name + "))";
        // otherwise, search as CN with wildcard
        return "(&(objectclass=person)(cn=" + name + "*))";
    }
}
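The sample above places the text the user typed directly into the LDAP filter, so any parenthesis, backslash or NUL in that text becomes part of the filter's structure. The class below is an added example, not IBM's sample: it keeps the same three-way decision (asterisk rejected, "@" means an exact mail match, anything else a cn prefix match) but escapes the value according to RFC 4515 before building the filter. The class name StLdapCustomizedSafe and the inputs in main are assumptions for illustration.

```java
/*
 * Added example, not part of the IBM sample. Same decision logic as the
 * page's StLdapCustomized.peopleResolveFilter, but the user-supplied text
 * is escaped per RFC 4515 section 3 before it is placed in the filter.
 * The class name and the inputs in main() are assumptions for illustration.
 */
public class StLdapCustomizedSafe {

    /** Escapes the characters that have special meaning in an LDAP filter value. */
    static String escapeFilterValue(String value) {
        StringBuilder sb = new StringBuilder(value.length());
        for (char c : value.toCharArray()) {
            switch (c) {
                case '\\': sb.append("\\5c"); break;
                case '*':  sb.append("\\2a"); break;
                case '(':  sb.append("\\28"); break;
                case ')':  sb.append("\\29"); break;
                case '\0': sb.append("\\00"); break;
                default:   sb.append(c);
            }
        }
        return sb.toString();
    }

    /**
     * Generates a search filter for finding a user, given the text typed in
     * the Sametime client. Returns null when the text is not acceptable.
     */
    public static String peopleResolveFilter(String name) {
        if (name == null) return null;
        String text = name.trim();
        if (text.isEmpty()) return null;
        // same rule as the page's sample: users may not supply wildcards
        if (text.indexOf('*') != -1) return null;
        // neutralise every other filter metacharacter in the typed text
        String safe = escapeFilterValue(text);
        // looks like an e-mail address: exact match on mail, no wildcard
        if (text.indexOf('@') != -1) {
            return "(&(objectclass=person)(mail=" + safe + "))";
        }
        // otherwise a prefix match on cn; the only '*' is the one added here
        return "(&(objectclass=person)(cn=" + safe + "*))";
    }

    public static void main(String[] args) {
        // the three searches from the text, plus one constructed string that
        // contains filter metacharacters and is rendered harmless by escaping
        String[] inputs = {
            "Victor L*",
            "Victor_Lazlow@acme.com",
            "Victor L",
            "Victor)(mail="
        };
        for (String in : inputs) {
            System.out.println("input  : " + in);
            System.out.println("filter : " + peopleResolveFilter(in));
        }
    }
}
```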

What to do next
After writing your Java class, complete the tasks in this section to integrate the class into the Lotus Sametime Community server.

Example: Writing a Java class to format names returned in a search
To return a user name in a format that is not available in an LDAP directory entry attribute, you can write a Java class that manipulates existing information in the LDAP directory to produce the user name in the desired format.

About this task
In most environments, the value of the The attribute of the person entry that defines the user’s name setting can specify a common LDAP directory attribute, such as cn (common name) or mail (e-mail address). When configured in this way, the search returns the value assigned to a user’s cn or mail directory attribute and displays this value in the Sametime client user interface. To return names in a format different from the LDAP directory attributes, create a custom Java class. For example, you might create a Java class that does the following:
- Combines the values of two LDAP directory attributes to produce the user name in a desired format.
- Edits the information in a single LDAP directory attribute to produce the user name in a format that is different from the value specified by the attribute.


Example
The sample code below shows how to combine the values of the sn and givenName attributes to return a user name with the last name shown first, assuming the following requirements:
- LDAP searches must return a user name in the format LastName, FirstName (for example: Smith, John).
- None of the LDAP directory attributes specify the user name in the LastName, FirstName format.
- The LDAP directory attribute sn specifies each user’s last name.
- The LDAP directory attribute givenName specifies each user’s first name.

Sample code
This example takes values from the sn and givenName directory attributes and combines them into a single display name in the format LastName, FirstName.
public class StLdapCustomizedAttributes {
    public static String displayName(String givenName, String sn) {
        String result = sn + ", " + givenName;
        return result;
    }
}

What to do next
After writing your Java class, complete the tasks in this section to integrate it into the Lotus Sametime Community server.

Adding the new class to the Sametime Community Server
Add a new Java class to the IBM Lotus Sametime Community server by compiling the source code and then copying the class to its new location.

About this task
Follow these steps to add the class to the Sametime Community Server.
Note: When you use this feature on IBM AIX, Linux, or Solaris, you must compile your class using Java 1.5 or later. This requires you to use IBM Lotus Domino 8.0 or later because earlier versions do not include the right version of Java.
1. Compile the Java source code file to produce the Java class file.
2. Copy the compiled class file (StLdapCustomized.class) to the "java" subdirectory of the Sametime server installation directory. The default path for the class file is: c:\Lotus\Domino\java

Limiting the number of open files on the Sametime Community Server (Linux):
If your IBM Lotus Sametime Community Server is hosted on Linux and you have loaded custom Java classes for searching the LDAP, limit the number of concurrent open files on the server to prevent performance problems.

About this task
Java opens many files and Lotus Sametime uses a lot of file descriptors. When a high number of concurrent users (for example, 1,000 or more) connect to the Lotus Sametime Community Server, the server may run out of file descriptors. If that happens, you may see the following exception in the SystemOut.log, with the result that no more users can log in:
[9/9/09 11:09:46:701 EST] 0000109d exception E com.ibm.ws.wim.adapter.ldap.LdapConnection getDirContext CWWIM4520E The 'javax.naming.CommunicationException: pir02pc27.westford5.notesdev.ibm.com:389 [Root exception is java.net.SocketException: Too many open files]' naming exception occurred during processing.
[9/9/09 11:09:46:738 EST] 0000109d exception E com.ibm.ws.wim.adapter.ldap.LdapConnection getDirContext com.ibm.websphere.wim.exception.WIMSystemException: CWWIM4520E The 'javax.naming.CommunicationException: pir02pc27.westford5.notesdev.ibm.com:389 [Root exception is java.net.SocketException: Too many open files]' naming exception occurred during processing.

Prevent this situation by placing an upper limit on the number of file descriptors in the Linux configuration file.
1. Use a text editor and open /etc/security/limits.conf.
2. Add the following lines to the file (each limits.conf entry begins with a domain field naming the user or group it applies to, or * for all users, followed by the type, item and value shown here):
soft    nofile    65535
hard    nofile    65535

3. Save the file.

Adding paths for the new class to the sametime.ini file:
Add the path for your new custom Java class to the sametime.ini file so that the IBM Lotus Sametime Community Server can locate the new class.

About this task
Edit the sametime.ini file on the Lotus Sametime Community Server and add the paths for the new custom class.
1. Use a text editor to open the sametime.ini file, which is stored in the Domino installation directory. In Microsoft® Windows, the default location for this file is: C:\Lotus\Domino
2. Add or modify the following statements in the [Config] section of the file. Make sure your file contains all three statements when you finish:
ST_JAVA_CLASS_PATH=C:\Lotus\Domino\StConfig.jar;C:\Lotus\Domino\StConfigXml.jar;C:\Lotus\Domino\xerces.jar;custom_class_directory
ST_JAVA_JVM_PATH=java_jvm_install_path
ST_JAVA_CUSTOM_PATH=custom_class_directory

where:
- java_jvm_install_path indicates the path where the Java JVM is installed (the default path on Windows is C:\Lotus\Domino\ibm-jre\jre\bin\classic\jvm.dll; on Solaris use this path: ibm-jre/lib/sparc/server/libjvm.so).
- custom_class_directory indicates the path to the new custom Java class (the default path on Windows is C:\Lotus\Domino\java).


3. (AIX only) Add this statement to the same section of the file:

   ST_JAVA_CUSTOM_JVM_PATH=java_jvm_install_path/lotus/notes/80020/ibmpow/jvm/bin/classic/libjvm.so

   where java_jvm_install_path indicates the path where the Java JVM is installed.

4. Save and close the file.

Adding the custom Java class name and method to the Lotus Sametime LDAP settings:

Use the IBM Lotus Sametime Administration Tool to add the class name and method of your new custom Java class to the LDAP settings used by the Lotus Sametime Community Server.

About this task

Use the Sametime Administration Tool to add the new custom Java class to the LDAP directory settings.

1. Log on to the Lotus Sametime Community Server as the Sametime administrator.
2. Open the Sametime Administration Tool by clicking Administer the Server.
3. Click LDAP Directory → Basics.
4. In the Search settings for server list, select the LDAP server that contains the LDAP directory you are modifying with your custom Java class.
5. If you are adding a custom Java class that defines a search filter, do the following:
   a. In the Search filter for resolving person names settings, enter the class name and method name for a Person filter, using this format: Classname.methodname()
      Following the earlier code example for a Person filter, you would enter StLdapCustomized.peopleResolveFilter() for the new class.
   b. In the Search filter for resolving group names settings, enter the class name and method name for a Group filter, using this format: Classname.methodname()
      For example, you might have named your class like this: StLdapCustomized.groupsResolveFilter()
6. If you are adding a custom Java class that formats search results, locate The attribute of the person entry that defines the user's name setting, and enter the class name and method name, using this format: Classname.methodname()
   Following the earlier code example for formatting search results, you would enter StLdapCustomizedAttributes.displayName(givenName, sn) for the new class.
7. After you have added all of your custom Java classes, click Update.
8. Restart the Lotus Sametime Community Server for the changes to take effect.
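The two procedures above leave room for a consistency mistake that only shows up when the Community Server fails to load the class. The following Python check is an added example, not code from the IBM guide: it reads the [Config] statements, verifies that the custom class directory appears in both ST_JAVA_CLASS_PATH and ST_JAVA_CUSTOM_PATH alongside the three required jars, and validates the Classname.methodname() format entered in the LDAP settings. The sametime.ini excerpt is constructed from the Windows defaults quoted in the steps.

```python
"""Consistency checks for the sametime.ini [Config] statements and the
Classname.methodname() values described above (example code, not IBM's)."""
from __future__ import annotations

import configparser
import ntpath
import re

# Jars the guide lists on ST_JAVA_CLASS_PATH ahead of the custom class directory.
REQUIRED_JARS = ("StConfig.jar", "StConfigXml.jar", "xerces.jar")
REQUIRED_KEYS = ("ST_JAVA_CLASS_PATH", "ST_JAVA_JVM_PATH", "ST_JAVA_CUSTOM_PATH")

# Classname.methodname(arg, arg) as entered in the Sametime Administration Tool.
METHOD_SPEC = re.compile(
    r"^[A-Za-z_$][\w$]*\.[A-Za-z_$][\w$]*"          # Classname.methodname
    r"\((\s*[A-Za-z_$][\w$]*\s*(,\s*[A-Za-z_$][\w$]*\s*)*)?\)$"  # (a, b) or ()
)

# Constructed excerpt of a Windows sametime.ini using the defaults from the procedure.
SAMPLE_SAMETIME_INI = r"""
[Config]
ST_JAVA_CLASS_PATH=C:\Lotus\Domino\StConfig.jar; C:\Lotus\Domino\StConfigXml.jar;C:\Lotus\Domino\xerces.jar;C:\Lotus\Domino\java
ST_JAVA_JVM_PATH=C:\Lotus\Domino\ibm-jre\jre\bin\classic\jvm.dll
ST_JAVA_CUSTOM_PATH=C:\Lotus\Domino\java
"""


def load_config_section(ini_text: str) -> dict[str, str]:
    """Return the [Config] section with key case preserved (the keys are upper case)."""
    parser = configparser.ConfigParser(interpolation=None, strict=False)
    parser.optionxform = str  # keep ST_JAVA_* keys as written
    parser.read_string(ini_text)
    return dict(parser["Config"]) if parser.has_section("Config") else {}


def _norm(path: str) -> str:
    """Normalise a Windows path for comparison: trim, unify separators, ignore case."""
    return ntpath.normpath(path.strip()).lower()


def check_java_paths(ini_text: str) -> list[str]:
    """Apply the rules of the procedure: all three statements present, the required jars
    on the class path, and the custom class directory listed in both ST_JAVA_CLASS_PATH
    and ST_JAVA_CUSTOM_PATH. Returns a list of findings; empty means consistent."""
    cfg = load_config_section(ini_text)
    findings = [f"{key} is missing from [Config]" for key in REQUIRED_KEYS if key not in cfg]
    if findings:
        return findings
    class_path = [_norm(p) for p in cfg["ST_JAVA_CLASS_PATH"].split(";") if p.strip()]
    for jar in REQUIRED_JARS:
        if not any(ntpath.basename(p) == jar.lower() for p in class_path):
            findings.append(f"{jar} is not on ST_JAVA_CLASS_PATH")
    if _norm(cfg["ST_JAVA_CUSTOM_PATH"]) not in class_path:
        findings.append("ST_JAVA_CUSTOM_PATH is not listed in ST_JAVA_CLASS_PATH")
    if not cfg["ST_JAVA_JVM_PATH"].strip():
        findings.append("ST_JAVA_JVM_PATH is empty")
    return findings


def is_valid_method_spec(value: str) -> bool:
    """True for values such as StLdapCustomized.peopleResolveFilter() or
    StLdapCustomizedAttributes.displayName(givenName, sn)."""
    return METHOD_SPEC.match(value.strip()) is not None


if __name__ == "__main__":
    print(check_java_paths(SAMPLE_SAMETIME_INI) or "sametime.ini [Config] is consistent")
```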

Ports used by the Sametime Community Server
IBM Lotus Sametime uses a number of ports on the server. This topic lists the default ports and their uses. You can use the Sametime Administration Tool to configure the ports on which the Sametime services listen for connections from clients.


The port settings for all services can be accessed from the Configuration → Connectivity → Networks and Ports options of the Sametime Administration Tool.

HTTP Services, Domino Services, LDAP Services, and Sametime intraserver ports
The following ports are used by the Sametime HTTP Services, IBM Lotus Domino Application Services, and LDAP Services.
Port 80
   If the administrator allows HTTP tunneling on port 80 during the Sametime installation, the Community Services multiplexer on the Sametime Community Server listens for HTTP connections from Web browsers, Sametime Connect clients, Sametime Meeting Room clients, and Sametime Recorded Meeting clients on port 80. If the administrator does not allow HTTP tunneling on port 80 during the Sametime installation, the Domino HTTP server listens for HTTP connections on this port.

Alternate HTTP port (8088)
   If the administrator allows HTTP tunneling on port 80 during the Sametime installation (or afterward), the Domino HTTP server on which Sametime is installed must listen for HTTP connections on a port other than port 80. The Sametime installation changes the Domino HTTP port from port 80 to port 8088 if the administrator allows HTTP tunneling on port 80 during a Sametime Community Server installation.

   Note: If the administrator allows HTTP tunneling on port 80 during the Sametime installation, Web browsers make HTTP connections to the Community Services multiplexer on port 80, and the Community Services multiplexer makes an intraserver connection to the Sametime HTTP server on port 8088 on behalf of the Web browser. This configuration enables the Sametime Community Server to support HTTP tunneling on port 80 by default following the server installation.

Port 389
   If you configure the Sametime Community Server to connect to an LDAP server, the Sametime Community Server connects to the LDAP server on this port.

Port 443
   The Domino HTTP server listens for HTTPS connections on this port by default. This port is used only if you have set up the Domino HTTP server to use Secure Sockets Layer (SSL) for Web browser connections. To configure the Sametime HTTP server to use SSL for Web browser connections, see About SSL and Sametime.

Port 1352
   The Domino server on which Sametime is installed listens for connections from Notes clients and Domino servers on this port.

Port 9092
   The Event Server port on the Sametime Community Server is used for intraserver connections between Sametime components. Make sure that this port is not used by other applications on the server.

Port 9094
   The Token Server port on the Sametime Community Server is used for intraserver connections between Sametime components. If this port is used by multiple applications, refer to the topic "Token server port" for a discussion on resolving access to this port.

Community Services ports
The following ports are used by the Sametime Community Services. Most of these ports are configurable.
Port 1516
   Community Services listens for direct TCP/IP connections from the Community Services of other Sametime Community Servers on this port. If you have installed multiple Sametime Community servers, this port must be open for presence, chat, and other Community Services data to pass between the servers. The communications that occur on port 1516 also enable one Sametime Community Server to start a meeting on another server (or "invite" the other server to the meeting).

Port 1533
   The Community Services listen for direct TCP/IP connections and HTTP-tunneled connections from the Community Services clients (such as Sametime Connect and Sametime Meeting Room clients) on this port.

   Note: The term "direct" TCP/IP connection means that the Sametime client uses a unique Sametime protocol over TCP/IP to establish a connection with the Community Services.

   The Community Services also listen for HTTPS connections from the Community Services clients on this port by default. The Community Services clients attempt HTTPS connections when accessing the Sametime Community Server through an HTTPS proxy server. If a Sametime client connects to the Sametime Community Server using HTTPS, the HTTPS connection method is used, but the data passed on this connection is not encrypted.

   If the administrator does not allow HTTP tunneling on port 80 during the Sametime installation, the Community Services clients attempt HTTP-tunneled connections to the Community Services on port 1533 by default.

Port 80
   If the administrator allows HTTP tunneling on port 80 during the Sametime installation, the Community Services clients can make HTTP-tunneled connections to the Community Services multiplexer on port 80.

   Note: When HTTP tunneling on port 80 is allowed during the Sametime installation, the Community Services multiplexer listens for HTTP-tunneled connections on both port 80 and port 1533. The Community Services multiplexer simultaneously listens for direct TCP/IP connections on port 1533.

Port 8082
   When HTTP tunneling support is enabled, the Community Services clients can make HTTP-tunneled connections to the Community Services multiplexer on port 8082 by default. Community Services clients can make HTTP-tunneled connections on both ports 80 and 8082 by default. Port 8082 ensures backward compatibility with previous Sametime releases. In previous releases, Sametime clients made HTTP-tunneled connections to the Community Services only on port 8082. If a Sametime Connect client from a previous Sametime release attempts an HTTP-tunneled connection to a Sametime Community Server, the client might attempt this connection on port 8082.

Changing the HTTP port of a Domino HTTP server
IBM Lotus Sametime installs on an IBM Lotus Domino server and uses the HTTP server provided with Domino.

About this task
During a Sametime installation, the administrator can allow HTTP tunneling on port 80. To support HTTP tunneling on port 80, the Community Services multiplexer on the server listens for HTTP connections from clients (including Web browsers) on port 80. A Web browser connects to the Community Services multiplexer on port 80, and the Community Services multiplexer makes an intraserver connection to the Domino HTTP server on behalf of the Web browser.

If the administrator allows HTTP tunneling on port 80 during the Sametime installation, the Domino HTTP server must listen for HTTP connections on a port other than port 80. In this scenario, the Sametime server installation programmatically changes the HTTP port of the Domino HTTP server to port 8088 during the Sametime installation process. It is not necessary to manually change the setting.

If the administrator does not allow HTTP tunneling on port 80 during the Sametime installation, the Domino HTTP server listens for HTTP connections on port 80 by default.

On some platforms, you can configure Sametime to operate using a Microsoft IIS HTTP server or IBM WebSphere HTTP server. For information on setting up Sametime to use a different HTTP Web server, see "Sametime Server Installation."

Follow these instructions if you need to change the HTTP port of the Domino HTTP server:

1. Open the Sametime Administration Tool.
2. Select Configuration → Connectivity → Networks and Ports.
3. Select Configure HTTP Services on a Web page in its own window.
4. Select Ports.
5. Select Internet Ports.
   If the Domino server is set up for HTTP connections from Web browsers, you can change the TCP/IP port number setting, located under the Web (HTTP/HTTPS) column of the settings. To change the port used by the HTTP server, change the port associated with the TCP/IP port number field. (For example, if you are enabling HTTP tunneling on port 80 on a Sametime server that includes a single IP address, you may want to change the HTTP port from port 80 to 8088.)
6. Select Internet Protocols.
7. Select Domino Web Engine.
8. Under the Generating References to this server section, make the following changes if the HTTP server uses HTTP for Web browser connections:
   - In the Protocol setting, select http.
   - In the Port number field, enter the same port entered in the TCP/IP port number setting in Step 5.
9. Click Save and Close to save the Server document.
10. Change the port number in the stconvservices.properties file to match, as the HTTP port is pulled from this setting.
11. Restart the Domino server for the change to take effect.

Event server port
The "Event server" port (default 9092) is used for intraserver connections between components of the IBM Lotus Sametime server. Generally, it is only necessary to change this port if you have installed multiple Sametime servers on a single server machine or if another application on the server uses port 9092.

Note: If you run Sametime on an IBM i, Linux, Sun Solaris, or IBM AIX machine, you can install multiple Sametime servers on a single machine, within the same logical partition. Each Sametime server instance runs on a separate partitioned IBM Lotus Domino server. If you run Sametime on Microsoft Windows, you can only install one server on each Windows machine.

If multiple Sametime servers are running on the same machine, you must ensure that each Sametime server specifies a different port as the "Event server" port. For example, if Sametime server 1 and Sametime server 2 are running in separate partitions of an IBM i machine, you can specify port 9092 as the "Event server" port for Sametime server 1 and port 9095 as the "Event server" port for Sametime server 2. Sametime for IBM i provides an option to specify the "Event server" port at the time you configure your Sametime server.

Assigning IP addresses to multiple servers installed on a single computer
If you install multiple IBM Lotus Sametime servers on a single computer, you must assign a distinct IP address to each server.

If you are operating Sametime on an IBM i, IBM AIX, Linux, or Sun Solaris server, you can install multiple Sametime servers on a single computer, within the same logical partition. In this scenario, each Sametime server instance runs on a separate partitioned IBM Lotus Domino server.

Note: Do not install multiple Sametime servers on a Microsoft Windows server as that configuration is not supported.

When multiple Sametime servers are running on separate Domino partitions within the same logical partition of an IBM i server, it is important for each Sametime server to be assigned a separate IP address. If you are also running any other Domino servers or HTTP servers within the same logical partition, you must also be certain that those servers are assigned separate IP addresses to avoid port conflicts.

Token server port
The "Token server" port (default 9094) is used for intraserver connections between components of the IBM Lotus Sametime server. Generally, it is only necessary to change this port if you have installed multiple Sametime servers on a single server machine or if another application on the server uses port 9094.

Note: If you run Sametime on an IBM i, Linux, Sun Solaris, or IBM AIX machine, you can install multiple Sametime servers on a single machine within the same logical partition. Each Sametime server instance runs on a separate partition of the IBM Lotus Domino server. If you run Sametime on Microsoft Windows, you can only install one server on each Windows machine.

If multiple Sametime servers are running on the same machine, you must ensure that each Sametime server specifies a different port as the "Token server" port. For example, if Sametime server 1 and Sametime server 2 are running in separate partitions of an IBM i machine, you might want to specify port 9094 as the "Token server" port for Sametime server 1 and port 9096 as the "Token server" port for Sametime server 2. Sametime for IBM i provides an option to specify the Token server port at the time you configure your Sametime server. For more information, see Assigning IP addresses to multiple Sametime servers installed on a single server machine.
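The port tables earlier in this topic, together with the event and token server rules above, can be turned into a listener inventory check. The following Python is an added example, not code from the IBM guide: it derives the expected listeners from the installation choices (whether HTTP tunneling on port 80 was allowed, whether Domino HTTPS is set up), compares them with a constructed netstat-style listing, and flags event or token port collisions between partitioned servers on one machine. Process names in the sample are placeholders.

```python
"""Listener inventory derived from the Community Server port tables and the event/token
server topics (example code added here, not part of the IBM guide)."""
from __future__ import annotations


def expected_listeners(tunnel_on_80: bool, tunneling_enabled: bool = True,
                       domino_ssl: bool = False, event_port: int = 9092,
                       token_port: int = 9094) -> dict[int, str]:
    """Map port -> purpose for one Sametime Community Server.

    Allowing HTTP tunneling on port 80 at installation puts the Community Services
    multiplexer on port 80 and moves the Domino HTTP server to 8088; otherwise the
    Domino HTTP server keeps port 80. Port 389 (LDAP) is outbound, not a listener.
    """
    ports = {
        1352: "Domino server: Notes clients and Domino servers",
        1516: "Community Services: other Sametime Community Servers",
        1533: "Community Services: direct TCP/IP, HTTP-tunneled and HTTPS clients",
        event_port: "Event server (intraserver)",
        token_port: "Token server (intraserver)",
    }
    if tunnel_on_80:
        ports[80] = "Community Services multiplexer: HTTP-tunneled clients and Web browsers"
        ports[8088] = "Domino HTTP server (moved off port 80 by the Sametime installer)"
    else:
        ports[80] = "Domino HTTP server"
    if tunneling_enabled:
        ports[8082] = "Community Services multiplexer: HTTP-tunneled clients (earlier releases)"
    if domino_ssl:
        ports[443] = "Domino HTTP server: HTTPS"
    return ports


def parse_listeners(netstat_output: str) -> dict[int, str]:
    """Parse 'netstat -tlnp'-style output into port -> 'pid/program'."""
    listeners: dict[int, str] = {}
    for line in netstat_output.splitlines():
        fields = line.split()
        if len(fields) < 6 or not fields[0].startswith("tcp") or fields[5] != "LISTEN":
            continue
        port = int(fields[3].rsplit(":", 1)[1])   # works for 0.0.0.0:80 and :::80
        listeners[port] = fields[6] if len(fields) > 6 else "unknown"
    return listeners


def audit_listeners(observed: dict[int, str],
                    expected: dict[int, str]) -> tuple[list[int], list[int]]:
    """Return (unexpected, missing): open ports the tables do not account for, and
    expected Sametime ports that nothing is bound to."""
    unexpected = sorted(p for p in observed if p not in expected)
    missing = sorted(p for p in expected if p not in observed)
    return unexpected, missing


def partition_port_conflicts(servers: dict[str, dict[str, int]]) -> list[tuple[int, str, str]]:
    """Several Sametime servers on one IBM i, AIX, Linux or Solaris machine (one per
    partitioned Domino server) must each use distinct event and token server ports.
    Returns (port, first owner, second owner) for every collision."""
    owner: dict[int, str] = {}
    conflicts = []
    for name, cfg in servers.items():
        for role in ("event", "token"):
            port = cfg[role]
            if port in owner:
                conflicts.append((port, owner[port], f"{name}/{role}"))
            else:
                owner[port] = f"{name}/{role}"
    return conflicts


# Constructed listing for a server installed with HTTP tunneling on port 80 allowed;
# process names are placeholders and port 5555 is an unexplained extra listener.
SAMPLE_NETSTAT = """\
Proto Recv-Q Send-Q Local Address           Foreign Address         State       PID/Program name
tcp        0      0 0.0.0.0:80              0.0.0.0:*               LISTEN      4120/sametime
tcp        0      0 0.0.0.0:1352            0.0.0.0:*               LISTEN      4001/domino
tcp        0      0 0.0.0.0:1516            0.0.0.0:*               LISTEN      4120/sametime
tcp        0      0 0.0.0.0:1533            0.0.0.0:*               LISTEN      4120/sametime
tcp        0      0 0.0.0.0:8082            0.0.0.0:*               LISTEN      4120/sametime
tcp        0      0 0.0.0.0:8088            0.0.0.0:*               LISTEN      4002/http
tcp        0      0 127.0.0.1:9092          0.0.0.0:*               LISTEN      4120/sametime
tcp        0      0 127.0.0.1:9094          0.0.0.0:*               LISTEN      4120/sametime
tcp        0      0 0.0.0.0:5555            0.0.0.0:*               LISTEN      3999/unknown
"""

if __name__ == "__main__":
    unexpected, missing = audit_listeners(parse_listeners(SAMPLE_NETSTAT),
                                          expected_listeners(tunnel_on_80=True))
    print("unexpected listeners:", unexpected, "missing listeners:", missing)
```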

Using reverse proxy or portal servers with the Sametime server
The manipulation of IBM Lotus Sametime data by a reverse proxy server imposes specific requirements and limitations, discussed in this section. An IBM Lotus Sametime server can be deployed behind a reverse proxy server or a portal server. This section discusses issues related to using reverse HTTP proxy servers with a Sametime server. The issues discussed in this section also apply to deploying a Sametime server behind a portal server. When a Sametime server is deployed on an internal network behind a reverse proxy server, the reverse proxy server operates as an intermediary between the Sametime server and the Sametime clients. All Sametime data flowing between the Sametime server and its clients passes through the reverse proxy server. To accomplish its security objectives, a reverse proxy server manipulates the data that passes through it. The table below shows the client-side proxy types through which clients can connect to the Sametime server.
Sametime client                                      SOCKS 4 proxy   SOCKS 5 proxy   HTTP proxy      HTTPS proxy
Sametime Connect                                     supported       supported       supported       supported
Sametime Mobile                                      not supported   not supported   supported       supported
Sametime Meeting Room screen-sharing/whiteboard      supported       supported       supported       not supported
Sametime Meeting Room participant list/chat          supported       not supported   supported       not supported
Sametime Meeting Room interactive audio/video        supported       not supported   not supported   not supported
Sametime Recorded Meeting client                     supported       not supported   supported       not supported

This section includes topics related to the use of reverse HTTP proxy servers with the Sametime server. Note: If you are configuring the Sametime server to operate behind a Tivoli® Access Manager WebSEAL reverse proxy server, refer to the Lotus Sametime Server Release Notes for additional configuration information.

What is a reverse proxy server?
A reverse proxy server is a security device that is usually deployed in a network DMZ to protect HTTP servers (or IBM Lotus Sametime servers) on a corporate intranet by performing security functions that protect the internal servers from attacks by users on the Internet. The reverse proxy server protects internal HTTP servers by providing a single point of access to the internal network. Providing a single point of access to all HTTP servers on an internal network offers these specific security advantages and network access characteristics:

- The administrator can use the authentication and access control features of the reverse proxy server to control who can access the internal servers and control which servers each individual user can access. When a reverse proxy is deployed, the authentication process and access rights to multiple internal servers can be controlled from a single machine, which simplifies the security configuration.

- All traffic to your intranet servers appears to be destined for a single network address (the address of the reverse proxy server). When a reverse proxy server is deployed, only URLs that are associated with the reverse proxy server are made public to Web browser users. Users from the Internet use these URLs to access the reverse proxy server. The reverse proxy server handles these requests from Internet users and redirects these requests to the appropriate internal HTTP server.

  The administrator performs URL mapping configurations on the reverse proxy server that make this redirection possible. When configuring the reverse proxy server, the administrator maps the URLs that are used to access the reverse proxy server to the real URLs of the internal HTTP servers. When an Internet user sends a URL to the reverse proxy server, the reverse proxy server examines the URL and uses these mapping configurations (or rules) to rewrite the URL. The reverse proxy server rewrites the URL by replacing the server address provided by the Internet user (a reverse proxy address) with the real address of the internal server. The HTTP request is then sent on the internal network from the reverse proxy server to the internal server.

- All traffic sent to Internet users from your internal servers appears to originate from a single network address. When an internal HTTP server (or Sametime server) responds to a request from an Internet user, the internal server sends the response to the reverse proxy server and the reverse proxy server sends the response to the Internet user. The response sent on the Internet to the Internet user contains the address of the reverse proxy server, not the address of the internal HTTP server.

Starting with Release 7.5, Sametime is designed to enable Sametime clients to establish and maintain connectivity with a Sametime server when these clients connect to the Sametime server through a reverse proxy server. The security functionality of reverse proxy servers described above imposes specific requirements and limitations on the use of reverse proxy servers with Sametime. See any of the following topics for specific information about using reverse proxy servers with a Sametime server:

- Requirements and limitations associated with using a reverse proxy server with the Sametime server
- Configuring mapping rules on a reverse proxy server to support Sametime
- Configuring a Sametime server to operate with a reverse proxy server
- Sametime client connectivity and reverse proxy servers

Requirements and limitations of Sametime reverse proxy support
Using a reverse proxy server with IBM Lotus Sametime is subject to some limitations as described in this topic. The requirements and limitations associated with using a reverse proxy server with Sametime include:

- Reverse proxy server requirements
- Sametime client limitations and requirements
- Sametime server limitations
- Secure Sockets Layer (SSL) issues and requirements
- Client certificate authentication issues
- IBM Lotus Sametime Enterprise Meeting Server (WCMS) restrictions

Each of these topics is discussed under a separate heading below.

Reverse proxy server requirements
This section lists the requirements and issues that are specific to the reverse proxy server.


- URL specification requirement (affinity-id requirement): Only reverse proxy servers that use the following URL specification to access protected internal servers can be used with Sametime:

  Http[s]://hostname:port/affinity-id/

  The "affinity-id" is an administrator-defined alias for an internal Sametime server. This affinity-id must be present in the URLs sent from Web browsers to the reverse proxy server to enable Web browser users to access the Sametime server through the reverse proxy. For detailed information on this mandatory requirement of the reverse proxy server, see Configuring mapping rules on a reverse proxy server.

- Multiple reverse proxy servers must use the same DNS name and mapping configurations: If you have deployed multiple reverse proxy servers in your network environment, and you expect users to access your Sametime server(s) through multiple reverse proxy servers, each of the reverse proxy servers must have the same DNS name and the same mapping configurations as noted below:

  - DNS name: All reverse proxy servers must use the same DNS name. For example, if one reverse proxy server is named reverseproxy.ibm.com, all other reverse proxy servers must be named reverseproxy.ibm.com. If the reverse proxy servers have different DNS names, the Sametime clients will be unable to maintain communications with a Sametime server deployed behind the reverse proxy servers.

    Note: If a network environment includes multiple reverse proxy servers that have the same DNS names, a connection dispatching device (such as an IBM WebSphere EdgeServer) is usually used to distribute connections from Web browsers to the multiple reverse proxy servers. These devices are frequently used to load balance connections to multiple machines.

  - Mapping configurations: Each reverse proxy server must use identical mapping rules and configurations to govern the translation of URLs sent by Web browsers to the reverse proxy server for the purpose of accessing an internal Sametime server. If the translation of these URLs to the URLs of the internal Sametime servers does not occur in exactly the same way on each of the reverse proxy servers, the Sametime clients will be unable to maintain communications with a Sametime server deployed behind the reverse proxy server.

    Note: Each Sametime server must be represented by the same "affinity-id" in the mapping rules on each of the reverse proxy servers. For more information about the affinity-id and mapping rules, see Configuring mapping rules on a reverse proxy server.

- The reverse proxy server must use cookies for authentication: When a user uses a Web browser to access and authenticate with the reverse proxy server, the reverse proxy server must send an authentication cookie to the Web browser. All subsequent HTTP requests from a Sametime client will then pick up this cookie and use it for automatic authentication with the reverse proxy server.

  Reverse proxy servers that rewrite URLs for authentication purposes are not supported. Some reverse proxy servers append authentication and session information to the end of URLs embedded in HTML that passes through the proxy back to the client. The client will include this appended data on subsequent requests to the reverse proxy server. When the reverse proxy server receives these subsequent requests from the client, the reverse proxy server strips the authentication data and rewrites the URL to accomplish the internal routing of requests. A Sametime server cannot operate behind a reverse proxy server that handles authentication data in this way.


- A lengthy timeout value should be specified for the authentication cookies: The administrator should specify a lengthy timeout value for authentication cookies generated by the reverse proxy server. If the authentication cookie expires when the user is attending a meeting, the user is disconnected from the meeting. To re-enter the meeting, the user must go through the inconvenient process of reconnecting to the reverse proxy, reauthenticating with the reverse proxy, and waiting for the Java applets to be reloaded to the Web browser. Setting a lengthy timeout value for authentication cookies can prevent unexpected user disconnections due to an authentication cookie expiration. Generally, the authentication cookie should be valid for the entire length of the longest meetings that are routinely conducted on the Sametime server deployed behind the reverse proxy server.

Sametime client/Web browser limitations and JVM requirements
The following Sametime clients can communicate with Sametime servers through a reverse proxy server:

- Sametime Meeting Room client
- Sametime Recorded Meeting client
- Sametime Connect for browsers (the Java version of Sametime Connect)
- Sametime Connect for the desktop (the Microsoft Windows version of Sametime Connect)
- Sametime Links applications built with Sametime developer toolkits

On UNIX and IBM AIX servers, the Meeting start-up log contains the Sametime server name when the Sametime server is configured behind a proxy server.

The Sametime Meeting Room client and the Sametime Recorded Meeting client can communicate with a Sametime server through a reverse proxy server when running with the following Web browsers and Java Virtual Machines (JVMs):

- A Microsoft Internet Explorer 6 browser that operates with the Microsoft native VM or the Sun Microsystems JVM 1.4.2 (and associated Java Plug-in).
- A Netscape 7 browser that operates with the Sun Microsystems JVM 1.4.2 (and associated Java Plug-in).

The Sametime Connect for browsers client and Sametime Links applications can communicate with a Sametime server through a reverse proxy server when running in an Internet Explorer 6 or Netscape 7 browser that operates with the Sun JVM 1.4.2. These clients may not function appropriately with other JVMs, including the native Microsoft VM provided for Internet Explorer.

Sametime server limitations
The following limitations apply to Sametime server features when the Sametime server is deployed behind a reverse proxy server.

- Audio/video is not available: Audio/video streams cannot be transmitted to Sametime clients that access the Sametime server through a reverse proxy server.

- Access to the Sametime Administration Tool is not available: A user that connects to the Sametime server through a reverse proxy server cannot access the Sametime Administration Tool. The user can open a Web browser that is installed on the Sametime server to access the Sametime Administration Tool. The user can also connect to the Sametime server from an internal network location that does not route HTTP traffic through the reverse proxy server to access the Sametime Administration Tool.

Secure Sockets Layer (SSL) issues and requirements
Note the following about SSL and Sametime in a reverse proxy environment:

- Secure Sockets Layer (SSL) can be used to encrypt data transmitted between the Sametime clients and the reverse proxy server.
- SSL cannot be used to encrypt data transmitted between the Sametime servers and the reverse proxy server.

If SSL is used to encrypt data transmitted between Web browsers and the reverse proxy server, the administrator must perform the mapping configurations on the Sametime server necessary to map the HTTPS data received from the Web browser to the HTTP required by the Sametime server. The reverse proxy must also be configured to translate the HTTP data received from the Sametime server to the HTTPS data required by the client.

When a reverse proxy server is configured to support SSL, the reverse proxy server sends an SSL server certificate to the Web browser during the SSL connection handshake. The Java 1.4.2 Plug-in used by the Web browser must have access to a Signer certificate that is signed by the same Certificate Authority (CA) as the server certificate that is sent by the reverse proxy. By default, the Java Plug-in has access to several different Signer certificates that can be used for this purpose. To view the Signer certificates that are available to the Java Plug-in 1.4.2, use the Java Plug-in Control Panel as described in "Viewing the Signer certificates."

Client certificate authentication issues
If the reverse proxy server is configured to require client certificate authentication, the client certificate for an individual user must be imported into the Java Plug-in 1.4.2 Control Panel on that user’s machine as described in “Importing the client certificate” on page 45.

Enterprise Meeting Server restrictions
The IBM Lotus Sametime Enterprise Meeting Server that operates with Sametime servers cannot be deployed behind a reverse proxy server.

Viewing the Signer certificates:

The Java Plug-in has access to several different Signer certificates that can be used for reverse proxy support.

About this task

To view the Signer certificates that are available to the Java Plug-in 1.4.2, use the Java Plug-in Control Panel:

1. From the Windows desktop, open the Control Panel by clicking Start → Settings → Control Panel.
2. Double-click on the Java Plug-in 1.4.2 icon to open the Java Plug-in Control Panel.
3. Click Certificates.
4. Click Signer CA.

Results

The server certificate sent by the reverse proxy server to the client Web browser must be signed by one of the CAs that appears in the signer CA list for the SSL connection handshake to succeed.

Importing the client certificate:

If the reverse proxy server is configured to require client certificate authentication, the client certificate for an individual user must be imported into the Java Plug-in 1.4.2 Control Panel on that user's machine.

About this task

You can use the Certificates tab of the Java Plug-in Control Panel to import the client certificate into the Java Plug-in key store:

1. From the Windows desktop, open the Control Panel by clicking Start → Settings → Control Panel.
2. Double-click on the Java Plug-in 1.4.2 icon to open the Java Plug-in Control Panel.
3. Click Certificates.
4. In the Certificates column, click Secure Site.
5. Click Import to import the client certificate.

Configuring mapping rules on a reverse proxy server to support Sametime
When an IBM Lotus Sametime server is deployed behind a reverse proxy server, the Sametime administrator must configure mapping rules on the reverse proxy server. The mapping rules enable the reverse proxy server to translate (or rewrite) a URL associated with the reverse proxy server to the URL of an internal Sametime server. This section discusses how mapping rules are configured on a reverse proxy server to accomplish the translation (or rewriting) of URLs when the reverse proxy operates with Sametime. This section includes the following topics:

Affinity-id (server alias) requirement of the reverse proxy server:

Only reverse proxy servers that support the use of an affinity-id (or server alias) in the URLs that are associated with internal servers can be used with IBM Lotus Sametime. Specifically, the reverse proxy server must support the following URL specification to access protected internal servers:
Http[s]://hostname:port/affinity-id/

where hostname represents the DNS name of the reverse proxy server and the affinity-id is an alias for an internal server that is protected by the reverse proxy server. A specific example of this URL format is:
Http[s]://reverseproxy.ibm.com/st01/stcenter.nsf


where the text string "st01" is the affinity-id. The affinity-id is an alias for a specific Sametime server (such as sametime.ibm.com) that is protected by the reverse proxy server. The affinity-id is used by the reverse proxy server to direct incoming requests to the specific internal Sametime server. For example, if the incoming URL from the Web browser is:

http[s]://reverseproxy.ibm.com/st01/stcenter.nsf

and the mapping rules on the reverse proxy server map the "st01" affinity-id to the Sametime server named "sametime.ibm.com," the affinity-id ensures the reverse proxy server rewrites the incoming URL to:

http[s]://sametime.ibm.com/stcenter.nsf

Essentially, the affinity-id is an administrator-defined alias for an internal Sametime server. The affinity-id is defined in the mapping rules of the reverse proxy server. If you have multiple Sametime servers deployed behind a reverse proxy server, each Sametime server must have an individual affinity-id as indicated below:

Mapping rule for client-provided URL    Routed to internal server
/st01/*                                  http://sametime1.ibm.com/*
/st02/*                                  http://sametime2.ibm.com/*

It is mandatory that any reverse proxy server that operates with a Sametime server support the affinity-id (or server alias) in URLs. For additional information about configuring mapping rules on the reverse proxy server, see Example of URL mapping configurations on the reverse proxy server.

Important: The Sametime Administration Tool on a Sametime server contains a "Server Alias" setting. This Server Alias setting must specify the same affinity-id that is used to represent the Sametime server in the mapping rules on the reverse proxy server. For more information, see Configuring a Sametime server to operate with a reverse proxy server.

Example of URL mapping configurations on the reverse proxy server:
Here are some examples of how an administrator might configure URL mapping configurations for a reverse proxy server deployed in front of an IBM Lotus Sametime server. When a user connects to a Sametime server through a reverse proxy server, the reverse proxy server must be configured to support the following actions that enable Sametime users to attend meetings and participate in chat sessions:
- The user must be able to click links in the Sametime server home page and navigate to the various HTML pages of the UI. This capability requires the reverse proxy server to rewrite the URLs of the HTML pages that comprise the Sametime UI.
- The Sametime Java applet clients that load in a user's Web browser must be able to connect to the services on the Sametime server. Since these connections must occur through the reverse proxy server, the reverse proxy server must also be able to rewrite the URLs required to establish these connections to the services on the Sametime server.


The following sections provide examples of the mapping configurations required to accomplish the two tasks above.

Reverse proxy mapping configurations that enable a Web browser user to navigate the Sametime user interface
The example below illustrates how an administrator can configure the reverse proxy server to enable users to navigate the HTML pages of the Sametime user interface. This example assumes the following:
- The Sametime server name is "sametime.ibm.com."
- The URL required to access the reverse proxy server is "reverseproxy.ibm.com."
- The affinity-id chosen by the administrator for the Sametime server is "st01."

Listed below are two entities of the Sametime server user interface and the URLs required to access these entities on a Sametime server with the server name "sametime.ibm.com."
- Sametime server home page - The Sametime server URL for the server home page is http://sametime.ibm.com/stcenter.nsf.
- Active Meeting page - The Sametime server URL for the Active Meeting page is http://sametime.ibm.com/stconf.nsf/vwWebActiveMeetings?OpenView.

Example 1 - Translating the URL of the server home page
To access the Sametime server home page through a reverse proxy server, the Web browser would send the following URL to the reverse proxy server:

http[s]://reverseproxy.ibm.com/st01/stcenter.nsf

The reverse proxy server must contain a mapping rule that translates this URL into the following URL required to access the Sametime server home page:

http[s]://sametime.ibm.com/stcenter.nsf

Example 2 - Translating the URL of the Active Meeting page
If the user selects the Attend a Meeting link in the Sametime user interface to view the list of active meetings, the Web browser would send the following URL to the reverse proxy server:

http[s]://reverseproxy.ibm.com/st01/stconf.nsf/vwWebActiveMeetings?OpenView

The reverse proxy server must contain a mapping rule that translates this URL into the following URL required to access the Sametime server Active Meetings page:

http[s]://sametime.ibm.com/stconf.nsf/vwWebActiveMeetings?OpenView

A single mapping rule can be used to translate all URLs associated with the Sametime server user interface
Through the use of wildcards, the administrator can create a single mapping rule on the reverse proxy server to translate all URLs associated with the Sametime server interface. Following the examples above, the administrator can create a mapping rule that translates the following URL from the Web browser:

http[s]://reverseproxy.ibm.com/st01/*

To this Sametime server URL:

http[s]://sametime.ibm.com/*


A single mapping rule that accomplishes this type of URL translation should enable users to access all entities of the Sametime user interface through a reverse proxy server.

Note: It is not mandatory to configure the mapping rules as described above. The actual configuration of the mapping rules on the reverse proxy server is at the discretion of the administrator. When configuring the mapping rules, note that the URL for any entity of the Sametime server user interface will begin with the Sametime server name (sametime.ibm.com in this example).

Reverse proxy mapping configurations that enable Sametime Java applet connectivity through the reverse proxy server
The following example URL mappings enable the Sametime Java applet clients running in a user's Web browser to connect to the Community Services, Meeting Services, and Recorded Meeting Broadcast Services on the Sametime server through the reverse proxy server:

Example 1 - Mapping configuration for Community Services connectivity
This example illustrates the mapping configurations that enable a Java applet client to connect to the Community Services. If the incoming URLs from the Java applet are:

http[s]://proxy.ibm.com/st01/communityCBR/
http[s]://proxy.ibm.com/st01/CommunityCBR/

The mapping rules on the reverse proxy must translate these URLs to:

http://sametime.ibm.com:8082/communityCBR
http://sametime.ibm.com:8082/CommunityCBR

Note: The mapping configuration for the Community Services connectivity should contain two case-sensitive mapping rules as indicated above. Some pieces of the Java code contain the lowercase "c" in "communityCBR" and some pieces of the Java code use the uppercase "C" in "CommunityCBR." This difference may prevent connections if the proxy is case-sensitive and only one of the two spellings is mapped.

Example 2 - Mapping configuration for Meeting Services connectivity
This example illustrates the mapping configurations that enable a Java applet client to connect to the Meeting Services. If the incoming URL from the Java applet is:

http[s]://proxy.ibm.com/st01/MeetingCBR

The mapping rule on the reverse proxy must translate this URL to:

http://sametime.ibm.com:8081/MeetingCBR

Example 3 - Mapping configuration for Recorded Meeting Broadcast Services connectivity
This example illustrates the mapping configurations that enable a Java applet client to connect to the Recorded Meeting Broadcast Services. If the incoming URL from the Java applet is:

http[s]://proxy.ibm.com/st01/BroadcastCBR


The mapping rule on the reverse proxy must translate this URL to:

http://sametime.ibm.com:554/BroadcastCBR

Information about the Java applet connectivity mapping rule examples
During a Sametime server installation, the administrator has the option of allowing or not allowing HTTP tunneling on port 80. If the administrator does not allow HTTP tunneling on port 80 during the Sametime server installation, it is necessary to configure separate mapping rules for each of the three Sametime services (Community Services, Meeting Services, and Recorded Meeting Broadcast Services).

Note: Four mapping rules are required: two for the Community Services, one for the Meeting Services, and one for the Recorded Meeting Broadcast Services, as shown in the three examples above.

When the administrator does not allow HTTP tunneling on port 80, each of the Sametime services listens for HTTP connections on a different port:
- The Community Services listen for HTTP connections on port 8082. Port 8082 is reflected in the mapping rule for Community Services connections above. You can view or change this port setting from the Community Services Network - Address for HTTP-tunneled client connections option in the Networks and Ports tab of the Sametime Administration Tool.
- The Meeting Services listen for HTTP connections on port 8081. Port 8081 is reflected in the mapping rule for Meeting Services connections above. You can view or change this port setting from the Meeting Services Network - Address for HTTP-tunneled client connections option in the Networks and Ports tab of the Sametime Administration Tool.
- The Recorded Meeting Broadcast Services listen for HTTP connections on port 554. Port 554 is reflected in the mapping rule for Recorded Meeting Broadcast Services connections above. You can view or change this port setting from the Recorded Meeting Broadcast Services Network - Address for HTTP-tunneled client connections option in the Networks and Ports tab of the Sametime Administration Tool.

Because each of these Sametime services listens for a connection on a separate port, separate mapping rules must be established for each of the services. The mapping rule must specify the port on which each of the services is listening for connections.

Note: If you change the HTTP-tunneling port number for a specific service in the Sametime Administration Tool, the mapping rules you configure on the reverse proxy server must reflect the new port number.

If the administrator allows HTTP tunneling on port 80 during the Sametime server installation, the Sametime clients connect to all of the services on a single port. With this configuration, the single mapping rule that enables users to navigate the Sametime server user interface will also enable the Sametime clients to make connections to the Sametime services. When HTTP tunneling on port 80 is allowed, the Community Services multiplexer on the Sametime server listens for HTTP connections on behalf of the HTTP Services, Community Services, Meeting Services, and Recorded Meeting Broadcast Services on the Sametime server. The Community Services multiplexer listens for connections to all of these services on a single port (port 80).

Note: When operating in this mode, the Community Services multiplexer on the Sametime server can distinguish between HTTP requests destined for the HTTP Services, Community Services, Meeting Services, and Recorded Meeting Broadcast Services and establish intraserver connections to each of the services. For example, if the Community Services multiplexer receives an HTTP request for the Meeting Services on port 80, the Community Services handles the request and creates an intraserver connection to the Meeting Services. The Community Services multiplexer then forwards the request to the Meeting Services. The ability of the Community Services multiplexer to handle requests for multiple services in this way is sometimes referred to as "single port mode."

When the administrator allows HTTP tunneling on port 80 (that is, when the Sametime server is operating in single port mode), the mapping rules for Java applet connectivity are much simpler. Since all connections from the Sametime Java applet clients occur on the same port, it is not necessary to specify individual ports for each service in the mapping rules. In this scenario, the administrator would only need to ensure that this incoming URL from the Sametime Java applets:

http[s]://proxy.ibm.com/st01/*

Is translated to this URL by the mapping rules on the reverse proxy server:

http://sametime.ibm.com/*

Note that server performance is not as efficient when the Sametime server is configured to support HTTP tunneling on port 80 because of the connectivity burden placed on the Community Services multiplexer.
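The guide leaves the rule syntax to the reverse proxy product. The following Python model is an added example written for this edition, not code from the guide or from the Sametime product. It expresses the rule sets above as ordered, case-sensitive prefix rules (first match wins, trailing wildcard) and applies them to the example URLs, so that the effect of a missing case variant, of a wrong port, or of single port mode can be checked before a production proxy is touched. The host names, the affinity-ids st01 and st02, and the ports 8082, 8081 and 554 are the guide's examples. build_rules generalises the examples to any alias and host, assuming that the three service paths are the only ones needing per-port rules (which is what the guide states); the normalisation of the decoded path before matching is an assumed hardening step that the guide does not mention.

```python
import posixpath
from typing import List, Optional, Tuple
from urllib.parse import unquote, urlsplit, urlunsplit

# A mapping rule: client path prefix (under the affinity-id) -> internal URL prefix.
# Rules are tried in order and matched case-sensitively, as the guide requires.
Rule = Tuple[str, str]


def build_rules(alias: str, host: str, http_tunneling_on_80: bool,
                community_port: int = 8082, meeting_port: int = 8081,
                broadcast_port: int = 554) -> List[Rule]:
    """Produce the rule set the guide describes for one Sametime server.

    Without HTTP tunneling on port 80 each service listens on its own port and
    needs its own rule (two for the Community Services because the applet code
    uses both spellings).  In single port mode the wildcard UI rule is enough.
    """
    base = f"/{alias}/"
    rules: List[Rule] = []
    if not http_tunneling_on_80:
        rules += [
            (base + "communityCBR", f"http://{host}:{community_port}/communityCBR"),
            (base + "CommunityCBR", f"http://{host}:{community_port}/CommunityCBR"),
            (base + "MeetingCBR",   f"http://{host}:{meeting_port}/MeetingCBR"),
            (base + "BroadcastCBR", f"http://{host}:{broadcast_port}/BroadcastCBR"),
        ]
    # Wildcard rule for the HTML user interface: /alias/* -> http://host/*
    # It must come last so that the service-specific rules above win.
    rules.append((base, f"http://{host}/"))
    return rules


def rewrite(client_url: str, rules: List[Rule]) -> Optional[str]:
    """Rewrite a URL sent to the reverse proxy into the internal Sametime URL.

    Returns None when no rule matches, which is what a proxy should do rather
    than forwarding a request the administrator never mapped.  The decoded path
    is normalised before matching so that "/st01/../x" (or its percent-encoded
    form) cannot be routed as if it were under the alias.  Assumed hardening
    step: the guide does not discuss path normalisation.
    """
    parts = urlsplit(client_url)
    path = posixpath.normpath(unquote(parts.path))
    if parts.path.endswith("/") and not path.endswith("/"):
        path += "/"  # normpath drops the trailing slash; keep it for the match
    for prefix, target in rules:
        if path.startswith(prefix):
            t = urlsplit(target)
            new_path = t.path + path[len(prefix):]
            return urlunsplit((t.scheme, t.netloc, new_path, parts.query, ""))
    return None


# Constructed example deployment: sametime.ibm.com installed without HTTP
# tunneling on port 80 (alias st01); sametime2.ibm.com in single port mode (st02).
RULES: List[Rule] = (build_rules("st01", "sametime.ibm.com", http_tunneling_on_80=False)
                     + build_rules("st02", "sametime2.ibm.com", http_tunneling_on_80=True))


if __name__ == "__main__":
    for url in [
        "https://reverseproxy.ibm.com/st01/stcenter.nsf",
        "https://reverseproxy.ibm.com/st01/stconf.nsf/vwWebActiveMeetings?OpenView",
        "https://reverseproxy.ibm.com/st01/communityCBR/",
        "https://reverseproxy.ibm.com/st01/CommunityCBR/",
        "https://reverseproxy.ibm.com/st01/COMMUNITYCBR/",  # unmapped spelling: falls to the UI rule
        "https://reverseproxy.ibm.com/st01/MeetingCBR",
        "https://reverseproxy.ibm.com/st02/MeetingCBR",      # single port mode: no port needed
        "https://reverseproxy.ibm.com/st01/../names.nsf",    # escapes the alias: refused
    ]:
        print(f"{url}\n  -> {rewrite(url, RULES)}")
```

The COMMUNITYCBR line shows the failure mode behind the case-sensitivity note above: an unmapped spelling is not rejected, it silently falls through to the wildcard UI rule and reaches port 80, where nothing answers an applet connection unless the server is in single port mode. A real proxy expresses the rules in its own syntax, but the same ordering (service rules before the wildcard) and the same case-sensitivity apply.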

Configuring a Sametime server to operate with a reverse proxy server
Use the IBM Lotus Sametime Administration Tool (hosted on the Sametime server) to configure a Sametime server to operate with a reverse proxy server.

About this task
There are two settings the administrator must configure in the Configuration - Connectivity - Networks and Ports tab of the Sametime Administration Tool to enable a Sametime server to operate with a reverse proxy server. These settings include:
- Enable Reverse Proxy Discovery on the client - Selecting this setting allows the administrator to enable or disable the reverse proxy support. This setting enables the logic in the Sametime clients that enables them to connect to a Sametime server through the reverse proxy server. This setting is disabled by default.
  Note: Enabling this setting does not require that all users on your corporate intranet access the Sametime server through the reverse proxy server. Users on your corporate intranet that are not required to route connections through the reverse proxy servers can still establish connections with the Sametime server using the standard Sametime client connection processes. For more information, see Connecting to a Sametime server without going through the reverse proxy server.
- Server Alias - The Server Alias setting must specify the affinity-id that the administrator uses to represent this Sametime server in the mapping rules on the reverse proxy server.
  Note: The term "Server Alias" is synonymous with affinity-id. For example, if the administrator uses the text string "st01" as the affinity-id that represents the Sametime server in the mapping rules on the reverse proxy server, the administrator must also enter "st01" as the value for the Server Alias setting in the Sametime Administration Tool.
  Following a Sametime server installation, the Server Alias setting defaults to the Sametime server name that is extracted from the fully-qualified DNS name of the Sametime server. For example, if the fully-qualified DNS name of the Sametime server is "sametime.ibm.com," the default value for the Server Alias is "sametime."
  Note: An administrator may want to change the default Server Alias setting to avoid using the real Sametime server name as the affinity-id in the mapping rules on the reverse proxy server. If the real Sametime server name is used as the affinity-id on the reverse proxy server, the real server name will appear in URLs transmitted on the Internet. For more information about the affinity-id, see Configuring mapping rules on a reverse proxy server to support Sametime.

To enable reverse proxy support on a Sametime server:
1. From the Sametime server home page, click Administer the Server to open the Sametime Administration Tool.
2. Click Configuration.
3. Click Connectivity.
4. If necessary, click Networks and Ports.
5. At the bottom of the Networks and Ports tab, click Enable Reverse Proxy Discovery on the client.
6. In the Server Alias text box, type the text string that is used as the affinity-id that represents this Sametime server in the mapping configurations on the reverse proxy server (for example, type st01).
7. Click Update.
8. Restart the Sametime server for the changes to take effect.
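The Server Alias must match the affinity-id on the proxy, and the note above warns that the default alias exposes the real host name. The consistency check below is an added example, not part of the guide or of the product: it takes the Networks and Ports settings for each Community Server and the proxy's rule table (path prefix, target URL) and reports what an administrator would otherwise discover only after the restart: a Server Alias with no rule, an alias shared by two servers, the default alias, reverse proxy discovery left off, and, when HTTP tunneling on port 80 is not allowed, a missing or wrong-port rule for any of the four applet paths. The SametimeServer record and the rule-table shape are assumptions made for the example; the ports, paths and setting names are the guide's.

```python
from dataclasses import dataclass
from typing import Dict, List, Set, Tuple
from urllib.parse import urlsplit


@dataclass
class SametimeServer:
    """Settings from Configuration - Connectivity - Networks and Ports for one server.

    Port defaults are the HTTP-tunneling ports the guide lists per service.
    """
    fqdn: str
    server_alias: str                 # must equal the affinity-id in the proxy rules
    reverse_proxy_discovery: bool     # "Enable Reverse Proxy Discovery on the client"
    http_tunneling_on_80: bool        # single port mode, chosen at install time
    community_port: int = 8082
    meeting_port: int = 8081
    broadcast_port: int = 554


# A proxy mapping rule: client path prefix -> internal URL prefix.
Rule = Tuple[str, str]


def _expected_service_rules(srv: SametimeServer) -> Set[Tuple[str, int]]:
    """(path, port) pairs that need their own rule when tunneling on port 80 is off."""
    return {
        ("communityCBR", srv.community_port),
        ("CommunityCBR", srv.community_port),   # both spellings; matching is case-sensitive
        ("MeetingCBR", srv.meeting_port),
        ("BroadcastCBR", srv.broadcast_port),
    }


def check_reverse_proxy_config(servers: List[SametimeServer], rules: List[Rule]) -> List[str]:
    """Return human-readable findings; an empty list means the two sides agree."""
    findings: List[str] = []
    by_alias: Dict[str, List[Rule]] = {}
    for prefix, target in rules:
        alias = prefix.strip("/").split("/")[0]     # first path segment is the affinity-id
        by_alias.setdefault(alias, []).append((prefix, target))

    seen: Dict[str, str] = {}
    for srv in servers:
        alias = srv.server_alias
        if alias in seen:
            findings.append(f"{srv.fqdn}: Server Alias '{alias}' is also used by {seen[alias]}")
        seen.setdefault(alias, srv.fqdn)

        if not srv.reverse_proxy_discovery:
            findings.append(f"{srv.fqdn}: 'Enable Reverse Proxy Discovery on the client' is not selected")
        if alias == srv.fqdn.split(".")[0]:
            findings.append(f"{srv.fqdn}: Server Alias '{alias}' is the default (real host name) "
                            "and will appear in URLs on the Internet")

        srv_rules = by_alias.get(alias, [])
        if not srv_rules:
            findings.append(f"{srv.fqdn}: no proxy mapping rule uses affinity-id '{alias}'")
            continue
        hosts = {urlsplit(t).hostname for _, t in srv_rules}
        if hosts != {srv.fqdn.lower()}:
            findings.append(f"{srv.fqdn}: affinity-id '{alias}' routes to {sorted(hosts)} "
                            f"instead of {srv.fqdn}")
        if srv.http_tunneling_on_80:
            continue  # single port mode: the wildcard rule carries the applet connections too
        present = {(urlsplit(t).path.lstrip("/"), urlsplit(t).port or 80) for _, t in srv_rules}
        for path, port in sorted(_expected_service_rules(srv) - present):
            findings.append(f"{srv.fqdn}: missing rule /{alias}/{path} -> "
                            f"http://{srv.fqdn}:{port}/{path}")
    return findings


# Constructed example: one server, HTTP tunneling on port 80 not allowed, alias st01.
EXAMPLE_SERVERS = [SametimeServer("sametime.ibm.com", "st01", True, False)]
EXAMPLE_RULES: List[Rule] = [
    ("/st01/communityCBR", "http://sametime.ibm.com:8082/communityCBR"),
    ("/st01/CommunityCBR", "http://sametime.ibm.com:8082/CommunityCBR"),
    ("/st01/MeetingCBR",   "http://sametime.ibm.com:8081/MeetingCBR"),
    ("/st01/BroadcastCBR", "http://sametime.ibm.com:554/BroadcastCBR"),
    ("/st01/",             "http://sametime.ibm.com/"),
]

if __name__ == "__main__":
    for line in check_reverse_proxy_config(EXAMPLE_SERVERS, EXAMPLE_RULES) or ["OK: settings and rules agree"]:
        print(line)
```

Run it again after changing an HTTP-tunneling port in the Administration Tool, before restarting: a stale rule on the proxy shows up as a "missing rule" line naming the new port.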

Sametime client connectivity and reverse proxy servers
This section briefly discusses IBM Lotus Sametime client connectivity issues when the Sametime Meeting Room client, Sametime Recorded Meeting client, and Sametime Connect client operate with a reverse proxy server. Client connectivity issues for reverse proxy servers are discussed in the following topics:
- Connecting to a Sametime server without using the reverse proxy server
- Understanding Sametime client connectivity through a reverse proxy server

Connecting to a Sametime server without using the reverse proxy server:
When an IBM Lotus Sametime server is configured to operate with a reverse proxy server, users on the corporate intranet that are not required to route connections through the reverse proxy server can still connect using the standard Sametime client connection processes.


Note: In this scenario, both intranet and Internet users connect to the same Sametime server. Connections from Internet users are routed through the reverse proxy server while connections from intranet users are not routed through the reverse proxy server.

To configure a Sametime server to operate with a reverse proxy server, the administrator must select the Enable Reverse Proxy Discovery on the client setting in the Sametime Administration Tool. Selecting this setting:
- Enables the additional logic in the Meeting Room client, Recorded Meeting client, and Sametime Connect for browsers client that the clients use to connect to a Sametime server through a reverse proxy server.
- Does not disable the existing connectivity logic in these Sametime clients. Enabling this setting enhances the existing logic in the Sametime clients by adding the reverse proxy connection logic to the existing logic. This design enables clients that do not connect to the Sametime server through the reverse proxy server to follow the standard Sametime client connection processes when connecting to the Sametime server.

To illustrate this point, the Meeting Room client connection process that occurs when the Enable Reverse Proxy Discovery on the client setting is selected is summarized below.
1. Upon loading in a user's Web browser, the Sametime Meeting Room client attempts a direct TCP/IP connection to the Sametime server. If the direct TCP/IP connection attempt fails, the Meeting Room client continues with the connection process as described below.
   Note: Step 1 is part of the standard Sametime client connection process.
2. If the user's Web browser detects the existence of a forward SOCKS proxy server, the Meeting Room client will attempt the TCP/IP connection through the forward SOCKS proxy server to the Sametime server. If the TCP/IP connection through the SOCKS proxy server is not successful, the Meeting Room client continues with the connection process as described below.
   Note: Step 2 is part of the standard Sametime client connection process.
3. If the TCP/IP connection attempt is not successful, the Meeting Room client attempts to detect the reverse proxy server. If the reverse proxy server is detected, the Meeting Room client attempts to connect to the Sametime server through the reverse proxy server using HTTP tunneling. The client programmatically detects the address of the reverse proxy server. No client-side configurations are required to enable the Sametime client to detect the reverse proxy server.
   Note: Step 3 represents the major difference in the connection process that occurs when the "Enable Reverse Proxy Discovery on the client" setting is selected.
4. If the reverse proxy server is not detected, the Sametime clients will still attempt to connect to the Sametime server using HTTP tunneling, but the connection attempts will not be made to the reverse proxy server.
   Note: These HTTP-tunneled connection attempts are part of the standard Sametime client connection processes. These connection attempts enable Sametime clients that do not connect to the Sametime server through the reverse proxy server to establish HTTP-tunneled connections to the Sametime server.

Understanding Sametime client connectivity through a reverse proxy server:
This section provides additional notes about IBM Lotus Sametime client connectivity through a reverse proxy server. Generally, there are no client-side configurations required to enable a Sametime Meeting Room client, Sametime Recorded Meeting client, or Sametime Connect for browsers client to connect to a Sametime server through a reverse proxy server. If the administrator has selected the "Enable Reverse Proxy Discovery on the client" setting and specified the "Server Alias" (affinity-id) setting in the Sametime Administration Tool on the Sametime server, the Sametime clients should be able to programmatically detect the presence of the reverse proxy server and connect to the Sametime server through the reverse proxy server.

If these clients must connect to the reverse proxy server through a forward (or client-side) HTTP or SOCKS proxy server, the connectivity settings (address and port) of the forward proxy server should be specified in the locations noted below:
- If the Sametime client runs in a Web browser that operates with the Sun Microsystems Java Virtual Machine (1.4.2), the forward proxy server address and port are specified in the Sun Microsystems Java Plug-in Control Panel on the user's machine. (The Java Plug-in Control Panel is available from the user's Windows Control Panel.)
- If the Sametime client runs in a Web browser that operates with the native Microsoft Virtual Machine (VM), the forward proxy server address and port are specified in the proxy configuration settings of the Web browser.

Note the following about using Sametime Connect for browsers with a reverse proxy server:
- The Sametime Connect for browsers client loads in the user's Web browser with either the "Use my Java Plug-in settings" option or the "Use my Internet Explorer Browser settings" option selected by default in the Options - Preferences - Sametime Connectivity tab. Users should not change this default setting when operating with a reverse proxy server. These connectivity settings ensure the client will make either a direct connection to the Sametime server or connect through a forward proxy server if one is defined in the Web browser connectivity settings or Java Plug-in as noted above.
- The Sametime Connect for browsers client includes a "Host name" and "Port" setting in the Options - Preferences - Sametime Connectivity tab. The values in these settings are ignored when the Sametime server is configured to operate with a reverse proxy server. (In a normal Sametime deployment, these settings specify the host name of the Sametime server to which the client should connect and the port number on which the Sametime server listens for connections from Sametime Connect clients.)
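The four-step process described under Connecting to a Sametime server without using the reverse proxy server can be modelled to confirm which path a given client ends up on, and that the discovery setting adds a step without removing any. The Python below is an added example, not code from the guide or from the Sametime clients. The ClientNetwork record is constructed test input describing which paths would succeed for one client; the step order is the guide's. The guide does not say what the client does if the reverse proxy is detected but the tunnel through it fails, so the model stops at that attempt (an assumption).

```python
from dataclasses import dataclass
from typing import List, Optional, Tuple

DIRECT_TCP = "direct TCP/IP"
SOCKS_TCP = "TCP/IP via forward SOCKS proxy"
RP_TUNNEL = "HTTP tunnel via reverse proxy"
DIRECT_TUNNEL = "HTTP tunnel direct to server"


@dataclass
class ClientNetwork:
    """Constructed description of what each connection path would do for one client."""
    direct_tcp: bool                 # step 1: direct TCP/IP to the Sametime server
    socks_proxy: Optional[bool]      # step 2: None = no forward SOCKS proxy in the browser
    reverse_proxy_detected: bool     # step 3: can the client discover the reverse proxy?
    reverse_proxy_tunnel: bool       # step 3: does HTTP tunneling through it work?
    direct_http_tunnel: bool         # step 4: HTTP tunneling straight to the server


def connection_attempts(net: ClientNetwork, reverse_proxy_discovery: bool) -> List[Tuple[str, bool]]:
    """Return the ordered (path, succeeded) attempts, stopping at the first success."""
    attempts: List[Tuple[str, bool]] = []

    def attempt(name: str, ok: bool) -> bool:
        attempts.append((name, ok))
        return ok

    if attempt(DIRECT_TCP, net.direct_tcp):                                   # step 1 (standard)
        return attempts
    if net.socks_proxy is not None and attempt(SOCKS_TCP, net.socks_proxy):   # step 2 (standard)
        return attempts
    if reverse_proxy_discovery and net.reverse_proxy_detected:                # step 3 (added by the setting)
        attempt(RP_TUNNEL, net.reverse_proxy_tunnel)
        return attempts   # assumption: no further fallback after the reverse proxy attempt
    attempt(DIRECT_TUNNEL, net.direct_http_tunnel)                            # step 4 (standard)
    return attempts


def connected_via(net: ClientNetwork, reverse_proxy_discovery: bool) -> Optional[str]:
    """Name of the path that reached the server, or None if every attempt failed."""
    for name, ok in connection_attempts(net, reverse_proxy_discovery):
        if ok:
            return name
    return None


# Constructed clients: one on the intranet, one on the Internet behind a firewall that
# only lets it reach the reverse proxy, one on a network with a working SOCKS proxy.
INTRANET_USER = ClientNetwork(True, None, False, False, True)
INTERNET_USER = ClientNetwork(False, None, True, True, False)
SOCKS_USER = ClientNetwork(False, True, True, True, False)

if __name__ == "__main__":
    for label, net in [("intranet", INTRANET_USER), ("internet", INTERNET_USER), ("socks", SOCKS_USER)]:
        for setting in (True, False):
            names = [n for n, _ in connection_attempts(net, setting)]
            print(f"{label:8} discovery={setting!s:5} -> {connected_via(net, setting)} after {names}")
```

The intranet client connects on step 1 whether or not discovery is enabled, which is the guide's point that the setting does not force intranet users through the reverse proxy; the Internet client reaches the server only when discovery is on, because with it off its last attempt is an HTTP tunnel straight to a server the firewall does not expose.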

Using multiple non-clustered Lotus Sametime Community Servers
This topic provides an overview of issues related to deploying multiple IBM Lotus Sametime Community Servers.


To support a large or geographically distributed community of IBM Lotus Sametime users, it is usually necessary to deploy multiple Sametime servers. This section discusses the issues associated with deploying multiple Sametime servers, including:
- Advantages of using multiple Sametime servers
- Integrating a Sametime server into an existing Sametime community

Advantages of using multiple Sametime servers
This topic discusses the advantages of using multiple IBM Lotus Sametime servers in a deployment. You can install multiple Sametime servers to:
- Spread the load of a large user population among multiple servers.
- Reduce network usage and improve server performance when you have significant user populations in remote or distributed locations.
- Securely extend meetings conducted on a Sametime server inside your network firewall to a Sametime server deployed outside the firewall in your network DMZ. This arrangement allows Internet users to participate in meetings with users on your corporate intranet without compromising network security.

When multiple Sametime servers are installed, you can synchronize the Sametime servers to operate as a single Sametime community:
- You can specify different home Sametime servers for members of the Sametime community.
- Individual meetings can be simultaneously active on multiple Sametime servers.

Advantages of multiple "home" Sametime servers
If you install multiple Sametime servers, you can assign different "home" Sametime servers for users in the community. Specifying different home Sametime servers for Sametime community members allows you to spread the load of a large number of users among the Community Services of multiple Sametime servers. The "home" Sametime server is the server to which each user connects for the online presence (or awareness) and chat functionality supported by the Community Services. After installing a new Sametime server, you can assign specific users to the new server by entering the name of the new Sametime server in the Sametime server field in each user's Person document. All users in the community will have presence and chat capabilities with all other users, even though they connect to different "home" Sametime servers to get this functionality. Server-to-server connections among the Community Services of the multiple Sametime servers ensure that all users in the community have presence and chat capabilities with all other users.

Advantages of a single meeting on multiple servers
Note: Meetings do not apply to Sametime Limited Use servers.

A multiple-Sametime-server deployment includes the concept of "invited servers." When one Sametime server "invites" another server to a meeting, that meeting (started on the inviting server) becomes simultaneously active on the invited (destination) server. To enable one Sametime server to invite another to a meeting, the administrator creates Connection Documents in the Domino Directory, specifying a connection between the two Sametime servers. These Connection Documents are of the connection type "Sametime."


In previous versions of Sametime, these invitations happened "statically": the Sametime administrator defined the list of "invited servers" for each Sametime server, and those servers were automatically invited to every meeting for which the Configuration → Connectivity → Servers in the Community → Meeting Servers That Are Connected option had other Sametime servers specified. Now servers can be invited "dynamically," establishing server-to-server connections only as needed. This dynamic mode is now the default for Sametime. For more information on dynamically inviting servers, see Inviting servers dynamically.

When a Connection Document of the type Sametime exists between two Sametime servers, one Sametime server can invite the other server to a Sametime meeting. For example, if the administrator creates a Connection Document that connects Sametime server A to Sametime server B, a meeting started on Sametime server A can also appear in the list of active meetings in the Sametime Meeting Center on Sametime server B. When the meeting starts on Sametime server A, Sametime server A "invites" Sametime server B to the meeting, and the meeting becomes simultaneously active on both servers. Users can access either Sametime server A or Sametime server B to attend the same meeting.

Advantages of a single meeting being simultaneously active on multiple Sametime servers are:
- Better server performance - Large numbers of users in a single location can access different servers to attend the same meeting. The burden of the meeting is spread among the system resources of multiple servers, which results in better server performance. In addition, using multiple servers in a single location helps prevent network bottlenecks that can occur if a large number of users simultaneously attempt to access a single server.
- Reduced network bandwidth usage - Users in remote locations can access a local Sametime server to attend the meeting, which reduces network bandwidth usage and improves meeting performance. For example, if you have a WAN environment serving Boston and Dublin, you can install a Sametime server in each location. When a meeting starts, the meeting becomes simultaneously active on the Boston and Dublin servers. Users in Dublin attend the meeting on the Dublin server, and users in Boston attend the meeting on the Boston server. Network bandwidth usage is reduced because individual clients do not use the WAN connection to attend the meeting. Boston users connect on the Boston LAN, while Dublin users connect on the Dublin LAN. The meeting data passes on a single WAN connection between the two servers.
- Secure meeting access for Internet users - A meeting on a Sametime server inside the firewall can be simultaneously active on a Sametime server outside the firewall (in the network DMZ). This capability enables meetings conducted on Sametime servers inside your firewall to be securely extended to Internet clients. For example, if you have Sametime server A operating on your corporate intranet inside your firewall, you can install Sametime server B on a server machine located in the network DMZ (outside of the firewall that protects the corporate intranet). You can connect the two Sametime servers so that a meeting started on Sametime server A on the corporate intranet can become simultaneously active on Sametime server B in the network DMZ. Internet clients can access Sametime server B in the network DMZ to participate in a meeting started on Sametime server A. This arrangement enables Internet clients to participate in a meeting started on a server inside the firewall without making connections through your firewall; only the server-to-server connection between server A and server B crosses the firewall, on the ports listed under Configuring ports for server-to-server connections. By connecting two Sametime servers on opposite sides of a firewall, the administrator can extend Sametime meetings and services to Internet users so that users on the corporate intranet and Internet users can attend the same Sametime meetings without compromising network security.

Integrating a Sametime server into an existing Sametime community
This topic provides an overview of the tasks involved in integrating a new IBM Lotus Sametime server into an existing Sametime community. These are the basic processes and issues involved with integrating a new Sametime server into an existing Sametime community.

Related concepts
“Advantages of using multiple Sametime servers” on page 54
This topic discusses the advantages of using multiple IBM Lotus Sametime servers in a deployment.

Installing a Sametime server into an existing Sametime community:
Installing the IBM Lotus Sametime server software is the first procedure you must perform when integrating a new Sametime server into an existing Sametime community.

Before you install the new Sametime server, decide whether you want the server to be accessed by Internet and intranet clients or intranet clients only. If you want the server to be accessed by both Internet and intranet clients, you should install the Sametime server software on a computer that is located in the network DMZ (outside the firewall that protects the corporate intranet).

Related concepts
“Advantages of using multiple Sametime servers” on page 54
This topic discusses the advantages of using multiple IBM Lotus Sametime servers in a deployment.
“Integrating a Sametime server into an existing Sametime community”
This topic provides an overview of the tasks involved in integrating a new IBM Lotus Sametime server into an existing Sametime community.

Configuring ports for server-to-server connections:
When multiple IBM Lotus Sametime servers are installed in an IBM Lotus Domino environment, the Sametime servers must be able to communicate on specific ports.

Ports required for communication between Sametime servers
Note: Ports for Meetings do not apply to Sametime Entry, Sametime Limited Use, or versions of Sametime that do not support web conferencing.

The table below lists the ports on which Sametime servers communicate with each other. When these ports are open, Community Services and Meeting Services data can pass between the two servers, and one Sametime server can invite the other to a meeting.

56

Lotus Sametime: Installation and Administration Guide Part 2

Port 1503
Port 1503 is the default "Meeting Server port for server connections." This port is configurable from the Configuration - Connectivity - Network and Port Settings - Meeting Services Network options in the Sametime Administration Tool. The "Meeting Server port for server connections" setting must be set to the same port number for the Sametime servers. The servers must communicate on TCP/IP port 1503 to exchange Meeting Services data.

Port 1516
The Community Services listen for direct TCP/IP connections from the Community Services of other Sametime servers on this port. If you have installed multiple Sametime servers, this port must be open for presence, chat, and other Community Services data to pass between the servers. The communications that occur on this port also enable one Sametime server to start a meeting on another server (or "invite" the other server to the meeting).

Port 1352
The servers must be able to communicate on port 1352 for replication to occur between the Sametime servers. This is the port used for Notes and Domino Remote Procedure Calls (RPCs).

About invited servers, audio/video, and client connectivity
When one Sametime server invites another Sametime server to a meeting that includes interactive audio/video, the audio/video data is not transmitted between the two Sametime servers. Instead, the user must connect to the Sametime server on which a meeting was started and receive the audio/video streams directly from that host server.

For example, assume a meeting that includes chat, screen sharing, and audio/video is started on Sametime server A and Sametime server A invites Sametime server B to the meeting. A user can attend the meeting on Sametime server B (the invited server) and receive the chat and screen sharing data from Sametime server B. However, the user is redirected to Sametime server A for the audio/video data.

Next step: Next, perform the procedures described in Synchronize the Sametime server with other Sametime servers deployed in the environment.

Chapter 1. Configuring

57

Related concepts
“Advantages of using multiple Sametime servers” on page 54
This topic discusses the advantages of using multiple IBM Lotus Sametime servers in a deployment.
“Integrating a Sametime server into an existing Sametime community” on page 56
This topic provides an overview of the tasks involved in integrating a new IBM Lotus Sametime server into an existing Sametime community.

Related reference
“Ports used by the Sametime Community Server” on page 33
IBM Lotus Sametime uses a number of ports on the server. This topic lists the default ports and their uses.

Synchronizing the Sametime server with other Sametime servers:
When multiple Lotus Sametime servers are installed, you must synchronize the Sametime servers to operate as a single community.

Related concepts
“Advantages of using multiple Sametime servers” on page 54
This topic discusses the advantages of using multiple IBM Lotus Sametime servers in a deployment.
“Integrating a Sametime server into an existing Sametime community” on page 56
This topic provides an overview of the tasks involved in integrating a new IBM Lotus Sametime server into an existing Sametime community.

Domino Directory management for multiple Sametime servers:
This topic discusses managing IBM Lotus Domino Directories for multiple IBM Lotus Sametime servers.

After you have installed a new Sametime server, the administrator should determine how to manage the Directory for the Sametime community. Use these recommendations to manage Domino Directories in multiple Sametime server environments:
• If the Sametime server is installed into a Domino environment that uses only a single Domino Directory, the Directory in which all Sametime servers are registered must be replicated to each Sametime server.
• If the Sametime server is installed into a Domino environment that uses multiple Domino Directories, the primary Domino Directory (the Directory in which the Sametime server is registered) should be replicated to the Sametime server. Directory Assistance should be set up on the Sametime server to access the other Domino Directories of interest in the environment. The Sametime server can use Domino Directory Assistance to obtain all needed Directory information from the other Directories used in the environment. Ideally, the Directory Assistance database should point to a Directory server that is dedicated to providing Directory services. However, it is not a requirement that Directory servers be used in a Sametime community that includes multiple Sametime servers. For information on setting up Directory Assistance on the Sametime server, see your Domino server Administration documentation. Use the same procedures to set up Directory Assistance on a Sametime server that you use to set up Directory Assistance on a Domino server. The Domino Administration documentation is available from the Documentation Library at the following Internet location: http://www.lotus.com/ldd/doc (and also in the Help subdirectory of the Domino server on which Sametime is installed).
• Optionally, in a Domino environment that uses multiple Domino Directories, an Extended Server Directory Catalog can be set up on the Sametime server to enable the server to access Directory information from all directories of interest in the environment. For more information on setting up an Extended Server Directory Catalog for use with Sametime, see Alternate ways to share Directory information across domains.

For more information about the Directory issues relevant to extending a single Sametime community across multiple Domino domains, see Extending a single Sametime community across multiple Domino domains.

Next step: After determining your directory management strategy, assign users to the new Sametime server.

Related concepts
“Advantages of using multiple Sametime servers” on page 54
This topic discusses the advantages of using multiple IBM Lotus Sametime servers in a deployment.
“Integrating a Sametime server into an existing Sametime community” on page 56
This topic provides an overview of the tasks involved in integrating a new IBM Lotus Sametime server into an existing Sametime community.

Assign users to the new Sametime server (setting the home Sametime server):
This topic discusses how the IBM Lotus Sametime administrator can assign users to a new Sametime server, which designates that server as the user’s "home" server.

To assign a user to the new Sametime server, enter the Sametime server name in the Sametime server field in the Real-Time Collaboration section of a user’s Person document in the Domino Directory. This field identifies the "home" Sametime server of each user.

Note: Only a portion of the users in your environment should be assigned to the new Sametime server. For load balancing purposes, you should assign an equal number of users to each Sametime server in your environment. The network proximity of the user to the server is also a consideration when assigning users to a home Sametime server. Generally, you should assign the user to the closest Sametime server on the network.

To specify a home Sametime server, open the Domino Directory (Address Book), go to the Real-Time Collaboration section of each user’s Person document, and enter the name of a Sametime server in the Sametime server field. If necessary, you can create a simple agent to automate the process of populating the Sametime server field in each user’s Person document with the name of a Sametime server.

When entering the name of the Sametime server in the Sametime server field on the Person document, you can enter the name of the Sametime server in the Domino hierarchical name format (for example sametime/west/acme). The Sametime server field automatically converts the name to the full canonical name format. For example, if you enter sametime/west/acme in the "Sametime server" field, the server name is stored as cn=sametime/ou=west/o=acme unless, for example, the name is populated by an agent. It is advisable to enter the server name using the full hierarchical name format.

Community services reads the server name from the Servers view ($Servers) of the Domino Directory. The name entered in the Sametime server field on the Person document must match the name of the Sametime server as it appears in the Servers view of the Domino Directory. If you are using an agent to populate the home Sametime server field, ensure that the agent specifies the full canonical name of the Sametime server.

Note also that a Sametime Connect client’s Sametime Connectivity settings should specify the same Sametime server as the Sametime server field on that user’s Person document. In the Sametime Connect client’s Sametime Connectivity settings, the server name must be specified using the DNS name or IP address of the Sametime server (for example, sametime.acme.com or 111.111.111.111).

Next step: After assigning users to the server, the next step is Creating Connection Records to connect Sametime servers.

Related concepts
“Advantages of using multiple Sametime servers” on page 54
This topic discusses the advantages of using multiple IBM Lotus Sametime servers in a deployment.
“Integrating a Sametime server into an existing Sametime community” on page 56
This topic provides an overview of the tasks involved in integrating a new IBM Lotus Sametime server into an existing Sametime community.

Creating Connection Records to connect Sametime servers:
This topic explains how to create Connection Records for IBM Lotus Sametime servers.

About this task
Note: Information about connecting meeting servers does not apply to Sametime Entry.

Use the Configuration → Connectivity → Servers in this Community settings of the Sametime Administration Tool to create Connection Records that enable a meeting started on one Sametime server to be simultaneously active on another Sametime server.
(You must create a Connection Record to enable one Sametime server to "invite" another Sametime server to a meeting.)

Note the following when creating Connection Records:
• Connection Records enable the Meeting Services of one Sametime server to connect to the Meeting Services of another Sametime server. This connection occurs on the port specified as the "Meeting server port for server connections" (TCP/IP port 1503 by default) in the Configuration → Connectivity settings of the Sametime Administration Tool.
• A single Connection Record establishes a one-way connection between the Meeting Services of two Sametime servers. For example, if you create a Connection Record that specifies Sametime Server A as the "Source" Sametime server and Sametime Server B as the "Destination" Sametime server, a meeting started on Sametime server A can be simultaneously active on Sametime server B. (Sametime server A can "invite" Sametime server B to the meeting.) However, a meeting started on Sametime server B cannot be simultaneously active on Sametime server A until you create a separate Connection Record that specifies Sametime server B as the "Source" Sametime server and Sametime server A as the "Destination" Sametime server. To create a Connection Record that specifies Sametime server A as the "Source" Sametime server, you must use the Sametime Administration Tool on Sametime server A. To create a Connection Record that specifies Sametime server B as the "Source" Sametime server, you must use the Sametime Administration Tool on Sametime server B.
• Any Sametime server can be connected to multiple Sametime servers. For example, if you have Sametime servers A, B, C, and D, Sametime server A can be connected to Sametime servers B, C, and D, Sametime server B can be connected to Sametime servers A, C, and D, and so on. A separate Connection Record must exist for each server connection, as noted above.
• After creating and adding the Connection Record, the server specified as the "Destination" server appears in the Meeting Servers That Are Connected list available from the Configuration → Connectivity → Servers in this Community settings of the Sametime Administration Tool. For each server in the Meeting Servers That Are Connected list, you should select the People Can Attend from Inside the Organization or the People Can Attend from the Internet option. For more information, see Configuring the "Meeting Servers That Are Connected" options.
• You can use either the Sametime Administration Tool or an IBM Lotus Notes client to create the Connection Records that enable one Sametime server to invite another Sametime server to a meeting. The instructions below explain how to create Connection Records using the Sametime Administration Tool. For information on using a Lotus Notes client to create these Connection Records, see Using a Lotus Notes client to create Connection Records for invited servers.

To create a Connection Record to connect the Meeting Services of two Sametime servers:
1. Open the Sametime Administration Tool on the server that will be the "Source" Sametime server for this connection. (The "Source" Sametime server is the server from which the meeting originates. The Source server invites the "Destination" server to the meeting.) To open the Sametime Administration Tool, click the Administer the Server link on the Sametime server home page.
2. Click Configuration → Connectivity → Servers in this Community.
3. Complete the following fields to create the Connection Record:
Note: Do not complete this if you are configuring Sametime Limited Use.
Source server - This is a read-only field that contains the name of the Source server in the Domino hierarchical server name format that includes the domain or community name (for example, sametimeA.acme.com/ACME, where ACME is the domain name). The Source server is the server on which the Meeting is created and started.
Destination server - Enter the name of the Destination server in the Domino hierarchical server name format that includes the domain or community name (for example, sametimeB.acme.com/ACME). The Destination server is the remote server on which the meeting will become active (or the server that is "invited" to the meeting by the Source server).

Make sure the server name you enter is an exact, case-sensitive match with the server name that appears in the destination Sametime server’s Server Document in the Domino Directory. Also, ensure that the domain or community name (/ACME in the example) is included in the server name.
Destination server IP address - You must enter the fully qualified DNS name or IP address of the destination server in this field. If this field is left blank, meetings started on the source server will not become active on the destination server.
4. Click the Add button. The server specified as the "Destination" server in the Connection Record appears in the Meeting Servers That Are Connected list in the Configuration → Connectivity → Servers in this Community settings of the Sametime Administration Tool. In the Meeting Servers That Are Connected list, you should specify the settings you want in the People Can Attend from Inside the Organization and People Can Attend from the Internet columns. To make the appropriate selections, see Configuring the "Meeting Servers That Are Connected" options.

Related concepts
“Integrating a Sametime server into an existing Sametime community” on page 56
This topic provides an overview of the tasks involved in integrating a new IBM Lotus Sametime server into an existing Sametime community.

Using a Lotus Notes client to create Connection Records for invited servers:
About this task
A Lotus Notes client can also be used to create the Connection Records described above.

To use a Lotus Notes client:
1. Open the Directory on the Sametime server.
2. Select the Configuration → Servers → Connections view.
3. Click Add Connection.
4. Click the Replication/Routing tab.
5. In the Replication task field, select Disabled. The purpose of the Connection document is to enable one Sametime server to invite the other server to a meeting. This step ensures that the Connection document does not cause unexpected replication to occur.
6. Click the Basics tab.
7. In the Connection Type field, select Sametime.
8. Enter the name of the Destination server (described above).
9. Select either the within my organization or from the Internet option on the Connection Document. These settings correspond to similar settings in the Sametime Administration Tool that are described in Configuring the "Meeting Servers That Are Connected" options.
10. Optional: In the Optional Network Address field, enter the fully qualified DNS name or IP address of the destination server. This field is mandatory for a Sametime Connection document.
11. Save and close the Connection document.

Configuring the "Meeting Servers That Are Connected" options:

The IBM Lotus Sametime administrator can configure settings that determine which Sametime servers are connected and can be "invited" to meetings hosted by another Sametime server.

The administrator can use the Sametime Administration Tool to configure the Meeting Servers That Are Connected settings for connections between Sametime servers. (The Meeting Servers That Are Connected settings are accessible from the Configuration → Connectivity → Servers in the Community settings of the Sametime Administration Tool.)

The Meeting Servers That Are Connected settings list all servers that are specified as "Destination servers" in the Connection Records that connect a Sametime server with other Sametime servers in the community. A meeting started on a Sametime server can be simultaneously active on any Sametime server that appears in the Meeting Servers That Are Connected list. (The Sametime server can "invite" any Sametime server in the "Meeting Servers That Are Connected" list to a meeting.)

When creating a meeting on a Sametime server, the user controls whether the Destination servers are invited to the meeting by selecting options in the Locations tab of the New Meeting form. The options available to the users are People are attending from Internal Sametime servers and People are attending from the Internet (outside the organization).

The administrator uses the check boxes available in the Meeting Servers That Are Connected list to determine which options appear to the user on the Locations tab of the New Meeting creation form. The check boxes in the Meeting Servers That Are Connected list also control which Destination servers are invited to a meeting when the user selects one of the options in the Locations tab of the New Meeting form. The check boxes the administrator uses to control this behavior include:
• People Can Attend from Inside the Organization
• People Can Attend from the Internet

The functioning of these check boxes is described below.

People Can Attend from Inside the Organization
This option should be selected for a Sametime server in the Meeting Servers That Are Connected list if both of the following are true:
• The Sametime server is deployed inside the firewall (on the corporate intranet and available to internal users).
• You want meetings that are started on this Sametime server to be active on the destination Sametime server in the Meeting Servers That Are Connected list. (This Sametime server can invite the Sametime server in the Meeting Servers That Are Connected list to the meeting.) This capability is controlled by the user in the manner described below.

If the People Can Attend from Inside the Organization option is selected for a Sametime server, the following occurs:
• A People are attending from internal Sametime servers option appears in the Locations tab of the New Meeting form in the Sametime Meeting Center on the Sametime server. If the user selects this setting when creating a meeting, the meeting becomes simultaneously active on every Sametime server that has the People Can Attend from Inside the Organization option selected in the Meeting Servers That Are Connected list of the Sametime Administration Tool.

If the People Can Attend from Inside the Organization setting is not selected for a Sametime server in the Sametime Administration Tool, the meeting does not become active on that Sametime server even if the user selects the People are attending from internal Sametime servers option in the Locations tab when creating the meeting.

To illustrate, consider the following example scenario:
1. An organization has five Sametime servers (servers A, B, C, D, and E).
2. The administrator creates Connection documents to enable every Sametime server to connect to every other Sametime server. Every Sametime server can "invite" every other Sametime server to a meeting.
3. The administrator opens the Sametime Administration Tool on Sametime server A and selects the People Can Attend from Inside the Organization option for Sametime servers B and C, but not D and E.
4. A user accesses the Sametime Meeting Center on Sametime server A and schedules a meeting. When scheduling the meeting, the user selects the People are attending from internal Sametime servers option on the Locations tab of the New Meeting form.
5. When the meeting starts, the meeting becomes simultaneously active on Sametime servers A, B, and C, but not D or E. Users can attend the meeting by accessing Sametime server A, B, or C.

People Can Attend from the Internet
Similar to the People Can Attend from Inside the Organization setting, the People Can Attend from the Internet setting also affects the options that are available to the user and determines whether a meeting started on a Source Sametime server can be simultaneously active on a Destination Sametime server in the Meeting Servers That Are Connected list.

This option should be selected for a Sametime server if both of the following are true:
• The Sametime server is deployed outside the firewall (in the network DMZ and accessible to Internet clients).
• You want meetings that are started on other Sametime servers to be simultaneously active on this Sametime server. This capability is controlled by the user in the manner described below.

If the People Can Attend from the Internet option is selected for a Sametime server, the following occurs:
• A People are attending from the Internet (outside the organization) option appears in the Locations tab of the New Meeting form in the Sametime Meeting Center when creating a new meeting.
• If the user selects the People are attending from the Internet (outside the organization) option in the Locations tab when creating a meeting, the meeting becomes simultaneously active on every Sametime server that has the People Can Attend from the Internet setting selected in the "Meeting Servers That Are Connected" list in the Sametime Administration Tool.

If the People Can Attend from the Internet setting is not selected for a Sametime server, meetings started on other Sametime servers cannot become active on the Sametime server deployed in the network DMZ.

To illustrate, consider the following example scenario:

1. An organization has five Sametime servers (servers A, B, C, D, and E).
2. The administrator creates Connection Documents to enable every Sametime server to connect to every other Sametime server. Every Sametime server can "invite" every other Sametime server to a meeting.
3. The administrator opens the Sametime Administration Tool on Sametime server A, and selects the People Can Attend from the Internet option for Sametime servers D and E, but not B and C.
4. A user accesses the Sametime Meeting Center on Sametime server A and schedules a meeting. When scheduling the meeting, the user selects the People are attending from the Internet (outside the organization) option on the Locations tab of the New Meeting form.
5. When the meeting starts, the meeting becomes simultaneously active on Sametime servers A, D, and E, but not B or C. Users can attend the meeting by accessing Sametime server A, D, or E.

The meeting becomes active on Sametime servers D and E because the administrator has created Connection Records that connect Sametime server A to Sametime servers D and E and the administrator has also selected the People Can Attend from the Internet option for servers D and E in the Meeting Servers That Are Connected list in the Sametime Administration Tool.

Related concepts
“Advantages of using multiple Sametime servers” on page 54
This topic discusses the advantages of using multiple IBM Lotus Sametime servers in a deployment.
“Integrating a Sametime server into an existing Sametime community” on page 56
This topic provides an overview of the tasks involved in integrating a new IBM Lotus Sametime server into an existing Sametime community.
“Installing a Sametime server into an existing Sametime community” on page 56
Installing the IBM Lotus Sametime server software is the first procedure you must perform when integrating a new Sametime server into an existing Sametime community.
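The following Python model is an added example, not code from the guide; it covers two of the rules above: the canonical form that the Person document's Sametime server field must hold (home-server topic) and which servers a meeting becomes active on given one-way Connection Records and the two check boxes (the five-server scenarios). The server names, addresses, records and settings are constructed.

```python
"""Model of home-server naming and invited-server meeting activation.

Added example, not code from the guide. Server names, Connection Records
and check-box settings are constructed to mirror the five-server (A to E)
scenarios in the text.
"""
from dataclasses import dataclass


def canonical_name(name: str) -> str:
    """Expand an abbreviated Domino hierarchical name (sametime/west/acme)
    into the canonical form the Sametime server field stores
    (cn=sametime/ou=west/o=acme): first component cn, last component o,
    anything between is ou. Names that already carry component labels
    are returned unchanged. Assumption: no country (c=) component."""
    parts = [p.strip() for p in name.split("/")]
    if all("=" in p for p in parts):
        return "/".join(parts)
    if len(parts) < 2 or not all(parts):
        raise ValueError(f"not a hierarchical server name: {name!r}")
    labels = ["cn"] + ["ou"] * (len(parts) - 2) + ["o"]
    return "/".join(f"{label}={value}" for label, value in zip(labels, parts))


def home_server_matches(entered: str, servers_view: list) -> bool:
    """True if the Person document value, once canonicalized, matches an
    entry of the $Servers view. Assumption: Domino compares names
    case-insensitively, so both sides are lower-cased."""
    wanted = canonical_name(entered).lower()
    return any(canonical_name(s).lower() == wanted for s in servers_view)


DOMAIN = "ACME"  # constructed domain name, as in the page's examples


def server(letter: str) -> str:
    """Server document name in the page's format, e.g. sametimeA.acme.com/ACME."""
    return f"sametime{letter}.acme.com/{DOMAIN}"


@dataclass
class ConnectionRecord:
    source: str
    destination: str          # must match the destination's Server document exactly
    destination_address: str  # fully qualified DNS name or IP address (mandatory)
    inside_org: bool = False  # "People Can Attend from Inside the Organization"
    internet: bool = False    # "People Can Attend from the Internet"


class Community:
    """Connection Records of one community, keyed by (source, destination)."""

    def __init__(self, server_documents):
        self.servers = set(server_documents)
        self.records = {}

    def add_record(self, rec: ConnectionRecord) -> None:
        # Exact, case-sensitive match with a Server document including the
        # domain part; a blank address means the meeting never becomes
        # active on the destination, so reject it up front.
        if rec.destination not in self.servers or "/" not in rec.destination:
            raise ValueError(f"no Server document matches {rec.destination!r}")
        if not rec.destination_address:
            raise ValueError("Destination server IP address is required")
        self.records[(rec.source, rec.destination)] = rec

    def connected_servers(self, source: str) -> list:
        """The 'Meeting Servers That Are Connected' list as seen on `source`."""
        return sorted(d for (s, d) in self.records if s == source)

    def location_options(self, source: str) -> dict:
        """Which Locations-tab options the New Meeting form offers on `source`."""
        recs = [r for (s, _), r in self.records.items() if s == source]
        return {"internal": any(r.inside_org for r in recs),
                "internet": any(r.internet for r in recs)}

    def active_servers(self, source: str, internal=False, internet=False) -> list:
        """Servers on which a meeting started on `source` becomes active for
        the Locations options the user selected. Records are one-way, so
        only records whose Source is `source` count."""
        active = {source}
        for (s, d), rec in self.records.items():
            if s != source:
                continue
            if (internal and rec.inside_org) or (internet and rec.internet):
                active.add(d)
        return sorted(active)


def build_example_community() -> Community:
    """A connected to B..E: B and C flagged inside-org, D and E flagged
    Internet (the two scenarios). Only B has a record back to A."""
    names = {letter: server(letter) for letter in "ABCDE"}
    community = Community(names.values())
    for letter in "BC":
        community.add_record(ConnectionRecord(
            names["A"], names[letter], f"sametime{letter}.acme.com", inside_org=True))
    for letter in "DE":
        community.add_record(ConnectionRecord(
            names["A"], names[letter], f"sametime{letter}.acme.com", internet=True))
    community.add_record(ConnectionRecord(
        names["B"], names["A"], "sametimeA.acme.com", inside_org=True))
    return community


if __name__ == "__main__":
    c = build_example_community()
    print(canonical_name("sametime/west/acme"))
    print("internal:", c.active_servers(server("A"), internal=True))
    print("internet:", c.active_servers(server("A"), internet=True))
    print("from C  :", c.active_servers(server("C"), internal=True))
```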
Inviting servers dynamically:
IBM Lotus Sametime offers customers an enhanced method of inviting servers. Using "Dynamic Invitations," server-to-server connections are established only as needed, conserving resources if no users attend a meeting from a particular server.

Sametime provides the ability for multiple meeting servers to participate in the same meeting. This capability is known as "Invited Servers." Because meeting documents are created on all servers, users may attend the meeting on any server participating. Servers route data directly to each other in a star configuration. The number of connections between servers is fixed, no matter how many users attend. This functionality has been useful for hosting meetings between geographically-dispersed regions.

With static invitations, a list of servers to invite is configured on each server through the Administrator’s tool. When a meeting is scheduled, the Administrator chooses either not to invite any servers, or to invite all servers in the list. When the meeting starts, all servers in the list are invited, and connections between the host server and all invited servers are created. This can be a waste of resources if no users attend the meeting on any of the invited servers. Past versions of Sametime have provided only the capability to statically invite meeting servers.

With static invitations, Administrators who wanted to make every meeting available to every server have had to modify their servers so that, for all meetings, every server in the organization has invited every other server by default, creating an extra load on each server.

Sametime offers customers an enhanced method of inviting servers. Using "Dynamic Invitations," server-to-server connections are established only as needed. Users have the ability to attend the meeting on any server, but in a much more efficient manner. Server-to-server connections for a given meeting are established only when a user actually attends that meeting on an invited server (established "dynamically").

Dynamic Invitations introduce the concept of a "region." Regions are completely arbitrary designations made by server administrators. They do not coincide with IBM Lotus Domino domains, subnets, or other boundaries; however, it is typical for servers which are co-located, or very near in geographic proximity, to be assigned to the same region.

For more information see these topics:

Regional dynamic invitations:
This topic discusses how regional dynamic invitations work.

When you configure IBM Lotus Sametime servers for regional dynamic invitation, meeting documents appear on the server hosting the meeting, as well as on all invited servers, allowing users to connect to the meeting through any of the servers in the set.
• If a user attends the meeting on the hosting server, her Meeting Room Client connects to the hosting server for meeting services.
• If a user attends the meeting on a server other than the hosting server, but in the same region as the hosting server, his Meeting Room connection for meeting services is forwarded to the hosting server.
• If a user attends the meeting on a server in a different region than the hosting server, and no server in that region is attending, then the user’s Meeting Room Client connects directly to that server, and server-to-server connections are established with the hosting server.
• If a user attends on a server in a different region from the hosting server, and a different server in that region has already established server-to-server connections, the user’s Meeting Room Client is forwarded to the already-connected server in that region.
• For any given meeting, no more than one server in a region participates.

For information on configuring dynamic server invitations, see the topic, Configuring invited server behavior.

Isolated dynamic invitations:
This topic explains the concept of "isolated" servers.

In configuring invited servers, IBM Lotus Sametime administrators have the option of assigning servers to a reserved region called "Isolation." Isolation characterizes the server as being in its own private region. Even if two different servers are assigned to Isolation, each is treated as being in its own private region. This is a convenient means of putting a server into its own region without having to create a unique region name. Inviting isolated servers to a Sametime meeting is referred to as "Isolated Dynamic Invitations."

Configuring "Invited Server" behavior:
The IBM Lotus Sametime administrator can choose how the "invited servers" functionality will be used in a Sametime deployment.

About this task
In configuring invited server behavior, Sametime Administrators assign servers to a region by means of a parameter in the sametime.ini file. An administrator may choose to assign all the servers in the United States to a region designated as "USA," and all the European servers to a region called "Europe." It’s completely at the administrator’s discretion as to how servers are assigned.

Options for Invited Servers will be controlled using the following two entries in the sametime.ini file:
EnableStaticInvites=x, where x is 0 or 1
ClusterGroupAffinity=y, where y is a region name, or Isolation

For example:
EnableStaticInvites=0
ClusterGroupAffinity=Beijing

The following table describes the behavior of the system, based on settings of the sametime.ini parameters:

Parameter Settings: EnableStaticInvites=1, ClusterGroupAffinity=any_value
Invited Server Behavior: Static Invitations
Note: Instant Meetings are also affected by this setting, as follows: the activity provider on Server A is requested to come into the place to provide T120 service. It can redirect this request to the least loaded activity provider using the same ClusterGroupAffinity setting. When an instant meeting request comes in, the current count of instant meetings is checked across the members of the same ClusterGroupAffinity, and the instant meeting is directed to the server with the lowest count; that server’s count is then incremented. The next request is then directed to the server with the lowest count (which may be the same server, or a different server). If you do not want instant meetings to be redirected like this, you must reset EnableStaticInvites to 0.

Parameter Settings: EnableStaticInvites=0, ClusterGroupAffinity=region_name
Invited Server Behavior: Regional Dynamic Invitations

Parameter Settings: EnableStaticInvites=0, ClusterGroupAffinity=Isolation
Invited Server Behavior: Isolated Dynamic Invitations

If the parameter EnableStaticInvites is missing, or set to a value other than 0 or 1, the parameter defaults to a value of 0. When Sametime is installed, the default is for dynamic invitations to be enabled. Also, by default, every server is assigned to the region "Isolation." By default, server-to-server communication is achieved using two connections on port 1503. Meeting Room clients connect on port 8081 for Meeting services, and on port 1533 for Community services. These ports are configurable with the Administrator's tool. For information on how client users see dynamically invited meetings, see Regional dynamic invitations.
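As an added example (not code from the IBM guide), the following Python resolves a server's invited-server behavior from its sametime.ini according to the table above, applying the stated defaults (a missing or non-0/1 EnableStaticInvites counts as 0; a server with no ClusterGroupAffinity is in "Isolation"), and models the least-loaded redirection of instant meetings described for EnableStaticInvites=1. The [Config] section name, the case-insensitive match of "Isolation" and the tie-break by server name are assumptions; the INI text and server names are constructed.

```python
"""Resolve Lotus Sametime "invited server" behavior from sametime.ini.

Added example; not IBM's code. It encodes the guide's decision table for
EnableStaticInvites and ClusterGroupAffinity, the stated defaults, and the
least-loaded placement of instant meetings that applies when
EnableStaticInvites=1. The INI text is constructed sample input; the
[Config] section name is an assumption (the parser accepts the two keys with
or without a section header).
"""


def parse_ini(text):
    """Minimal key=value reader; section headers and comments are skipped,
    keys are matched case-insensitively."""
    settings = {}
    for raw in text.splitlines():
        line = raw.strip()
        if not line or line[0] in ";#[" or "=" not in line:
            continue
        key, _, value = line.partition("=")
        settings[key.strip().lower()] = value.strip()
    return settings


def invited_server_behavior(settings):
    """Return (behavior, region, redirect_instant_meetings) per the table."""
    # Anything other than the literal "1" (including a missing key) counts as 0.
    static = settings.get("enablestaticinvites", "") == "1"
    # A server with no region is in "Isolation" by default.
    region = settings.get("clustergroupaffinity") or "Isolation"
    if static:
        # Static invitations; instant meetings are spread across the region.
        return "Static Invitations", region, True
    if region.lower() == "isolation":  # case-insensitive match is an assumption
        return "Isolated Dynamic Invitations", "Isolation", False
    return "Regional Dynamic Invitations", region, False


class InstantMeetingRouter:
    """Least-loaded placement of instant meetings, as the guide describes for
    servers sharing a ClusterGroupAffinity with EnableStaticInvites=1."""

    def __init__(self, servers):
        # servers: {server name: settings parsed from that server's sametime.ini}
        self.behavior = {name: invited_server_behavior(s) for name, s in servers.items()}
        self.counts = {name: 0 for name in servers}

    def route(self, requested):
        behavior, region, redirect = self.behavior[requested]
        if not redirect:
            # Dynamic invitations: the meeting stays on the server it reached.
            self.counts[requested] += 1
            return requested
        # Candidates: servers with the same behavior and the same region.
        peers = [n for n, (b, r, _) in self.behavior.items()
                 if b == behavior and r == region]
        # Lowest current count wins; ties broken by name so the choice is deterministic.
        target = min(peers, key=lambda n: (self.counts[n], n))
        self.counts[target] += 1
        return target


SAMPLE_INI = """\
[Config]
EnableStaticInvites=0
ClusterGroupAffinity=Beijing
"""

if __name__ == "__main__":
    print(invited_server_behavior(parse_ini(SAMPLE_INI)))
    usa = parse_ini("EnableStaticInvites=1\nClusterGroupAffinity=USA")
    router = InstantMeetingRouter({"stA": usa, "stB": usa})
    print([router.route("stA") for _ in range(4)])
```

Running the module prints the Beijing server's behavior and shows four instant-meeting requests arriving at stA alternating between stA and stB, which is the redirection the table warns about when EnableStaticInvites=1.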

Extending a single Sametime community across multiple Domino domains
This section provides instructions and suggestions on how to link different IBM Lotus Domino domains into a single IBM Lotus Sametime community. When separate Domino domains are linked into a single Sametime community, users in each domain can share presence and chat capabilities and participate in Sametime meetings with users in the other domain.

Related concepts
"Alternate ways to share Directory information across domains" on page 74
This topic discusses the Directory information that is shared between IBM Lotus Sametime servers and describes some alternate, more efficient ways to share Directory information when connecting Sametime communities across multiple IBM Lotus Domino domains.

Example of extending a single Sametime community across two Domino domains:
This topic provides an example of how to connect an IBM Lotus Sametime server in an IBM Lotus Domino domain with another Sametime server within a different Domino domain.

About this task
The procedure below provides an example of how one Sametime server in a Domino domain can be linked with a different Sametime server operating in a different Domino domain. Linking the two Sametime servers extends a single Sametime community to both Domino domains. When a single Sametime community is extended to both Domino domains:
- Users in one Domino domain can add users from the other Domino domain to presence lists in Sametime clients and engage in Sametime communications with users in the other domain.
- Users in the Sametime community can authenticate on either of the domains to participate in Sametime meetings and communications.


- The Sametime server in one Domino domain can invite the Sametime server in the other Domino domain to a meeting so that a single Sametime meeting can be attended by users in both Domino domains.

Follow the procedures below to link two Sametime servers that operate in different Domino domains.

Setting up the environment by cross-certifying servers:
You can extend a single IBM Lotus Sametime community across multiple IBM Lotus Domino domains by cross-certifying the servers.

About this task
The example below describes the simplest way to cross-certify the two Sametime servers. In this example, the two Sametime servers are Sametimeserver1/East and Sametimeserver2/West. To cross-certify these servers, the West organization certifier (/West) must obtain a cross-certificate for the East organization certifier (/East), and the East organization certifier must obtain a cross-certificate for the West organization certifier. These cross-certificates are stored in the Domino Directories on the respective Sametime servers. A cross-certificate is what allows servers and users certified under the other organization to authenticate to yours, so confirm that the certifier named in the prompt is the one you expect before accepting it. For more information about cross-certification, see the Domino Administration Help database, available in the Help directory of any Domino server. Domino administration documentation is also available from the Documentation Library at www.lotus.com/ldd/doc.
1. On Sametimeserver1/East, open the IBM Lotus Notes client. From the Microsoft Windows desktop, click Start → Run and browse to C:\Sametime\nlnotes.exe before clicking OK.
2. Click File → Database → Open and specify the Sametimeserver2/West server.
3. When prompted for a cross-certificate, verify that it is for the /West certifier and then click OK.
4. Repeat steps 1 through 3, but this time use the Notes client on Sametimeserver2/West to access Sametimeserver1/East, and accept the cross-certificate for the /East certifier.

What to do next
Now that the servers are cross-certified, connect the communities.
Connecting the communities:
You can extend a single IBM Lotus Sametime community across two IBM Lotus Domino domains by sharing Directory information between domains.

About this task
In this procedure, the administrator connects the Sametime communities by ensuring that Directory information is shared between the two Domino domains, in two steps:
1. Replicating the Directories
2. Setting up Directory Assistance


Results
In this example, the two Sametime servers that operate in different domains are Sametimeserver1/East and Sametimeserver2/West.

Note: This example describes replicating the entire Directories of both domains. There are more efficient ways to share Directory information between two Domino domains when connecting the communities. For more information on alternate methods for sharing the Directory information, see Alternate ways to share Directory information across domains.

Step 1 - Replicating the Directories:

About this task
This procedure provides an example of replicating Directories between two Sametime servers (Sametimeserver1/East and Sametimeserver2/West) operating in different Domino domains.
1. Using the IBM Lotus Notes client on Sametimeserver1/East, open the Directory (names.nsf) on Sametimeserver2/West.
2. Click File → Replication → New Replica.
3. Specify Local for the Server and change the filename (names.nsf) to something different, such as sametimeserver2west.nsf.
4. Select Create: Immediately to ensure that the database is created immediately, and then click OK.
5. Repeat steps 1 through 4, except this time create a replica of the Directory existing on Sametimeserver1/East on the Sametimeserver2/West server (for example, as sametimeserver1east.nsf).

What to do next
After you have created replicas of the Directories on each Sametime server, you must create Connection Documents to ensure the Directories replicate at regular intervals. When creating the Connection Documents:
- For Connection Type, select Local Area Network.
- Complete the Destination Server, Source Domain, Destination Domain, and Optional Network Address fields.
- For Replication Type, select Pull Push.
- In the Files/Directories to Replicate field, enter names.nsf.
- In the Schedule field, select Enabled.

Note: Be sure to create a Connection Document on each server. One Connection Document should enable the names.nsf file on Sametimeserver1/East to replicate to the sametimeserver1east.nsf file on the Sametimeserver2/West server. The other Connection Document should enable the names.nsf file on Sametimeserver2/West to replicate to the sametimeserver2west.nsf file on the Sametimeserver1/East server.

After creating the Connection Documents, set up Directory Assistance on each of the Sametime servers to ensure that each Sametime server can locate the Directories you have just replicated.

Step 2 - Setting up Directory Assistance:


About this task
The procedures required for setting up Directory Assistance on each of the Sametime servers are summarized below. For more information on Directory Assistance, see the Domino Server Administration Help, available in the Help directory on every Domino server, as well as at www.lotus.com/ldd/doc. To set up Directory Assistance you must:
- Ensure that a Directory Assistance database is available on the Sametime server.
- Identify the Directory Assistance database on the Sametime server.
- Create a Directory Assistance Document within the Directory Assistance database that points to the appropriate Directory.
Follow the procedures below to set up Directory Assistance.

Ensure that a Directory Assistance database is available on each Sametime server:

About this task
To ensure that a Directory Assistance database is available on each Sametime server, you can either replicate an existing Directory Assistance database to the Sametime server or create a new Directory Assistance database on the Sametime server. If a Directory Assistance database is already in use on Domino servers in the domain, you can replicate the existing Directory Assistance database to the Sametime server. To replicate an existing Directory Assistance database, follow the normal Domino procedure for replicating a database: first create a new replica of the Directory Assistance database on the Sametime server, and then create a Connection Document to schedule replication of the database. See the Domino Server Administration Help for more information on these procedures.

To create a new Directory Assistance database on each Sametime server:
1. Start the Lotus Notes client.
2. Click File → Database → New.
3. Create the Directory Assistance database as you would any other Domino database:
   - Create the database on the Sametimeserver1/East server.
   - Provide a database name and filename for the Directory Assistance database.
   - Use the Directory Assistance template (da50.ntf) when creating the database.
4. Repeat steps 1 through 3 to create a Directory Assistance database on the Sametime server in the other domain (Sametimeserver2/West in this example).
5. Perform the procedure below to identify the Directory Assistance database on each Sametime server.

Identify the Directory Assistance database on each Sametime server:

About this task
After replicating or creating the Directory Assistance databases on the Sametime servers, you must identify the Directory Assistance databases on each server. To identify a Directory Assistance database on each Sametime server:

1. Start the Lotus Notes client.
2. Click Configuration → Server → All Server Documents.
3. Double-click the name of the Sametime server (Sametimeserver1/East) to open the Server document.
4. If necessary, select the Basics tab of the Server document.
5. Click Edit Server.
6. In the Directory Assistance database name field, enter the filename (for example, da.nsf) of the Directory Assistance database.
7. Click Save and Close.
8. Repeat this procedure to identify the Directory Assistance database on the Sametime server in the other domain (Sametimeserver2/West in this example).
9. Perform the procedure below to create a Directory Assistance Document in each Directory Assistance database.

Create a Directory Assistance Document in each Directory Assistance database:

About this task
You must create a Directory Assistance Document in each Directory Assistance database on each Sametime server so that each Sametime server can access the new Directory information that has been replicated to it. To create a Directory Assistance document in the Directory Assistance database on each Sametime server:
1. From the Notes client:
   - Click File → Database → Open.
   - Select the Sametimeserver1/East server.
   - Select the Directory Assistance database (default name is da.nsf).
   - Click Open.
2. Click Add Directory Assistance. In the Basics tab, enter these settings:
Setting: Domain type
Value: Click Notes.

Setting: Domain name
Value: Enter the name of the Domino domain associated with the secondary Directory (the Directory that was replicated from the other domain to this Sametime server). The domain name must be different from the primary Notes domain and from all other domain names configured in Directory Assistance.

Setting: Company name
Value: Enter the name of your company.

Setting: Search order
Value: A number representing the order in which this directory is searched, relative to other directories in the Directory Assistance database.

Setting: Group expansion
Value: The suggested setting is Yes. This setting enables Directory Assistance to examine the contents of groups in the secondary Directory. This capability is necessary if you enter the name of a group defined in the secondary Directory in the ACL of a database on the Sametime server.

Setting: Nested group expansion
Value: The suggested setting is Yes. This setting enables Directory Assistance to examine the content of a group in the secondary Directory that is a member of another group in that Directory. This capability is also used when such a group name is entered in the ACL of a database on the Sametime server.

Setting: Enabled
Value: Set to Yes to enable Directory Assistance for this Directory.

3. Select the Rules tab and enter these settings.

Setting: Rule #
Value: One or more rules that describe the names in the directory. By default, the first rule contains all asterisks, indicating all names in the Directory.

Setting: Enabled
Value: Choose one:
- No to disable a specific rule.
- Yes to enable a specific rule.
By default, the first rule is enabled.

Setting: Trusted for Credentials
Value: Choose Yes to allow Domino to use this Directory to authenticate Web clients. Set this to Yes only for a replica whose contents you trust: Domino then accepts the Internet passwords stored in that Directory as authoritative for the names the rule covers.

4. Select the Replicas tab and do the following:

Setting: Database links
Value: Open the replica of the secondary directory, and then click Edit → Copy As Link → Database Link. Select the Database links field, and then click Edit → Paste. For example, assume you are creating the Directory Assistance document in the Directory Assistance database on the Sametimeserver1/East server and you have replicated the directory file named sametimeserver2west.nsf to the Sametimeserver1/East server. In this example, you must open the sametimeserver2west.nsf file and copy the file as a Database Link. Paste this Database Link into the Database links field in the Directory Assistance Document you are creating in the Directory Assistance database on the Sametimeserver1/East server. Conversely, when creating a Directory Assistance Document on the Sametimeserver2/West server, you would open the directory file sametimeserver1east.nsf, copy the file as a Database Link, and paste the link into the Database links field.

5. Repeat this procedure to create a Directory Assistance document in the Directory Assistance database on the Sametime server in the other domain (Sametimeserver2/West in this example).

Alternate ways to share Directory information across domains:
This topic discusses the Directory information that is shared between IBM Lotus Sametime servers and describes some alternate, more efficient ways to share Directory information when connecting Sametime communities across multiple IBM Lotus Domino domains.

The example procedure for extending a single Sametime community across two Domino domains earlier in this section explains how you can share Directory information to connect two Sametime communities. When extending a single Sametime community across multiple Domino domains, each Sametime server that is part of the community must have access to the following Directory information for the other domain(s):
- Person documents
- Group documents
- Server documents - The following fields in the Server document are needed for each Sametime server to support online presence (or awareness) between servers:
  Server name - This field in the Basics tab of the Server document must contain the name of the Sametime server.
  Is this a Sametime server? - This field in the Basics tab of the Server document must be set to Yes to indicate that the Server document describes a Sametime server.
  Port - This field in the Ports → Notes Network Ports tab of the Server document must be set to TCPIP.
  Net Address - This field in the Ports → Notes Network Ports tab must contain the TCP/IP address (for example, sametime.acme.com) of the Sametime server.

To share this Directory information, each domain must replicate the information to the other domains that comprise the Sametime community. In the example scenario described in Example of extending a single Sametime community across two Domino domains, the entire Directories of two separate Domino domains are replicated between the two Sametime servers. The Domino components of Sametime provide features that you can use to replicate the Directory information in a more efficient manner. You can use either of the following alternate techniques to share Directory information across Domino domains:
- Selective replication of Directory information across domains
- Set up Extended Directory Catalogs to share Directory information across domains
Each technique is discussed briefly below.

Selective replication of Directory information across domains
Instead of replicating the entire Domino Directory between domains, you can use selective replication to replicate only the Person, Group, and Server documents. This also keeps the other domain's remaining configuration documents out of your Directory. For example, you can open the Directory database to be replicated to the other domain and use the Replication Settings to replicate a subset of the documents contained in the database. Use a selection formula, such as

(Type="Person") | (Type="Group") | (Type="Server" & Sametime="1")

to ensure that only the Person, Group, and Server documents (for which the Is this a Sametime server? field is set to Yes) are replicated.
For more information on selective replication, see the Domino Server Administration Help, available in the Help directory on every Domino server as well as in the Documentation Library at www.lotus.com/ldd.

Using Extended Directory Catalogs to share Directory information across domains
An Extended Directory Catalog is another Domino feature that can be used to share Directory information when a Sametime community is extended across multiple Domino domains. The Extended Directory Catalog feature allows you to aggregate directory information from several different Domino directories, including directories for different Domino domains, into a single directory catalog. The servers are then configured to access the Extended Directory Catalog for directory information. Before using this feature, the administrator should read the documentation in Domino Server Administration Help that explains the function and setup of Extended Directory Catalogs. This documentation is available in the Help directory on every Domino server as well as in the Documentation Library at www.lotus.com/ldd.


You can follow the procedures in the Domino administration documentation to set up an Extended Directory Catalog on the Sametime server. When setting up the Extended Directory Catalog to be used by Sametime, note the following when creating the Configuration document for the Extended Directory Catalog.
- The Configuration document contains an Additional fields to include list in the Basics tab. The following field name entries must exist in the Additional fields to include list to ensure that all information needed by Sametime is available in the Extended Directory Catalog:

Field name: ServerName
Description: Server name field in the Basics section of the Server document.

Field name: ServerTitle
Description: Server title field in the Basics section of the Server document.

Field name: Domain
Description: Domain name field in the Basics section of the Server document.

Field name: ServerBuildNumber
Description: Server build number field in the Basics section of the Server document.

Field name: Administrator
Description: Administrator field in the Basics section of the Server document.

Field name: ServerPlatformDisplay
Description: Operating system field in the Basics section of the Server document.

Field name: Sametime
Description: Is this a Sametime server? field in the Basics section of the Server document.

Field name: Port_0 - Port_7
Description: Ports fields in the Ports → Notes Network Ports section of the Server document. The Port_0 field is required. For completeness, it is recommended that you list all eight Ports fields (Port_0 through Port_7).

Field name: Protocol_0 - Protocol_7
Description: Protocol fields in the Ports → Notes Network Ports section of the Server document. For completeness, it is recommended that you list all eight Protocol fields (Protocol_0, Protocol_1, Protocol_2, and so on).

Field name: NetName_0 - NetName_7
Description: Notes Network fields in the Ports → Notes Network Ports section of the Server document. For completeness, it is recommended that you list all eight Notes Network fields (NetName_0, NetName_1, NetName_2, and so on).

Field name: NetAddr_0 - NetAddr_7
Description: Net Address fields in the Ports → Notes Network Ports section of the Server document. The NetAddr_0 field is required. For completeness, it is recommended that you list all eight Net Address fields.

Field name: Enabled_0 - Enabled_7
Description: Enabled fields in the Ports → Notes Network Ports section of the Server document. The Enabled_0 field is required. For completeness, it is recommended that you list all eight Enabled fields.

Field name: SametimeServer
Description: Sametime server field in the Administration section of the Person document.

- The Advanced tab of the Configuration document provides a Selection formula (do not include form) setting that enables you to specify a selection formula to ensure that only the Directory documents required by Sametime are used when the "Dircat" task creates the Directory Catalog. The selection formula for selecting only the documents required by Sametime is:

(Type = "Person") | (Type = "Group") | (Type = "Server" & Sametime = "1")
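As an added example that is not part of the IBM guide, the following Python mirrors the selection formula used above both for selective replication and for the Dircat task, checks a Server document for the fields the guide says Sametime needs for awareness between servers (Is this a Sametime server? set to Yes, Port set to TCPIP, Net Address present), and checks a Configuration document's "Additional fields to include" list against the table. Documents are modelled as plain dicts of Notes item names; the sample Directory, its server names and addresses are constructed for the example.

```python
"""Check Domino Directory content against what Sametime needs across domains.

Added example, not part of the IBM guide. It mirrors the guide's selection
formula
    (Type = "Person") | (Type = "Group") | (Type = "Server" & Sametime = "1")
and the Server-document fields Sametime reads for server-to-server
awareness. Documents are modelled as dicts of Notes item name -> value; the
sample directory below is constructed for this example.
"""

# Fields the guide's table says belong in the Extended Directory Catalog's
# "Additional fields to include" list. Entries the table marks as required
# go in REQUIRED; the "for completeness" entries go in RECOMMENDED.
REQUIRED_CATALOG_FIELDS = {
    "ServerName", "ServerTitle", "Domain", "ServerBuildNumber",
    "Administrator", "ServerPlatformDisplay", "Sametime",
    "Port_0", "NetAddr_0", "Enabled_0", "SametimeServer",
}
RECOMMENDED_CATALOG_FIELDS = {
    f"{base}_{i}"
    for base in ("Port", "Protocol", "NetName", "NetAddr", "Enabled")
    for i in range(8)
} - REQUIRED_CATALOG_FIELDS


def sametime_selects(doc):
    """Python equivalent of the guide's selection formula."""
    doc_type = doc.get("Type")
    if doc_type in ("Person", "Group"):
        return True
    # Only Server documents with "Is this a Sametime server?" = Yes (item Sametime = "1")
    return doc_type == "Server" and doc.get("Sametime") == "1"


def select_for_replication(docs):
    """Documents that would cross the domain boundary under selective replication."""
    return [d for d in docs if sametime_selects(d)]


def check_server_doc(doc):
    """Problems that would stop another Sametime server from reaching this one."""
    problems = []
    if doc.get("Sametime") != "1":
        problems.append("Is this a Sametime server? is not Yes")
    for field in ("ServerName", "Port_0", "NetAddr_0", "Enabled_0"):
        if not doc.get(field):
            problems.append(f"{field} missing")
    if doc.get("Port_0") and doc["Port_0"] != "TCPIP":
        problems.append("Port_0 is not TCPIP")
    return problems


def check_catalog_fields(additional_fields):
    """Return (missing_required, missing_recommended) for a Configuration
    document's 'Additional fields to include' list."""
    present = set(additional_fields)
    return (sorted(REQUIRED_CATALOG_FIELDS - present),
            sorted(RECOMMENDED_CATALOG_FIELDS - present))


# Constructed sample Directory for the East domain: a Person, a Group, the
# Sametime server, a plain Domino mail server and a Connection document.
SAMPLE_DIRECTORY = [
    {"Type": "Person", "FullName": "CN=Ann Example/O=East",
     "SametimeServer": "CN=Sametimeserver1/O=East"},
    {"Type": "Group", "ListName": "EastUsers",
     "Members": ["CN=Ann Example/O=East"]},
    {"Type": "Server", "ServerName": "CN=Sametimeserver1/O=East",
     "Sametime": "1", "Port_0": "TCPIP", "Enabled_0": "1",
     "NetAddr_0": "sametime1.east.example", "Domain": "East"},
    {"Type": "Server", "ServerName": "CN=Mail1/O=East", "Sametime": "0",
     "Port_0": "TCPIP", "Enabled_0": "1", "NetAddr_0": "mail1.east.example"},
    {"Type": "Connection", "Source": "CN=Sametimeserver1/O=East",
     "Destination": "CN=Sametimeserver2/O=West"},
]

if __name__ == "__main__":
    selected = select_for_replication(SAMPLE_DIRECTORY)
    for d in selected:
        print(d["Type"], d.get("FullName") or d.get("ListName") or d["ServerName"])
    print("server problems:", check_server_doc(selected[2]))
    print("catalog:", check_catalog_fields(["ServerName", "Sametime", "Port_0"]))
```

Run as a script, it lists the three documents the formula lets through (the mail server and the Connection document stay behind), reports no problems for the Sametime server's document, and shows which table entries a Configuration document listing only ServerName, Sametime and Port_0 is still missing.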

Clustering Lotus Sametime Community Servers
IBM Lotus Sametime Community Server clusters provide load balancing and failover functionality for large communities. This section explains how to cluster a group of Lotus Sametime Community servers, using the example of clustering two servers.

Community Services cluster setup procedures
This topic discusses the procedures involved in setting up an IBM Lotus Sametime Community Services cluster without clustering the Meeting Services.

About this task
The procedures required to set up a Community Services cluster without clustering the Meeting Services are listed below. Use the information in these procedures in conjunction with your existing knowledge of your Sametime environment when clustering the Community Services of your Sametime servers. Your unique Sametime environment might require some variation from these procedures.

These procedures provide an example of how to cluster the Community Services of two Sametime servers. Once you understand how to cluster the Community Services of two servers, you can easily add the Community Services of other Sametime servers to the cluster.

Note: The process of setting up a Community Services cluster requires you to create an IBM Lotus Domino server cluster. A maximum of six Domino servers can operate as part of a Domino server cluster. Because of this limitation, the maximum number of Sametime servers that can operate as part of a Community Services cluster is six. Generally, the largest communities can be supported with fewer than six Sametime servers operating in a cluster. In addition, each Lotus Sametime server can belong to a single cluster. Environments in which two or more clusters point to the same Sametime server are not supported.

The process of setting up a Community Services cluster without clustering the Meeting Services is described in the following procedures.

Installing the Sametime servers for the Community Services cluster:
Install IBM Lotus Sametime server software on each computer that will operate as part of the Community Services cluster.


About this task
Installing the Sametime servers is one of the tasks associated with clustering Lotus Sametime Community Servers.
1. Install two Domino servers as described in the Lotus Domino Administrator Help.
2. Install a Sametime server on top of each Domino server, as described in "Sametime Server Installation."
3. Ensure that the Sametime servers will operate as part of the same Domino domain by registering them in the same Domino Directory and replicating it between the servers.
   Note: The Domino Directory must replicate between the Sametime/Domino servers even if you are maintaining the user community in an LDAP directory on a separate server that is not part of the Community Services cluster (replication of the Domino Directory is required for administrative purposes). The LDAP directory serves as the user repository for the members of the Sametime community; the Domino Directory is required for the proper functioning of the Domino servers on which Sametime is installed.
4. Set up TCP/IP connectivity between the new Sametime servers using the following ports:
   - Port 1516: The default port for Sametime server-to-server Community Services connections and for extending meeting invitations to other Sametime servers in a community to support Sametime "invited server" functionality.
   - Port 1503: The default port for Sametime server-to-server Meeting Services connections.
   - Port 1352: The default port for server-to-server connections between the Domino servers on which the Sametime servers are installed.
5. If you have deployed an LDAP directory on a separate server, configure a TCP/IP connection from each Sametime server to that LDAP directory server using port 389 (the default LDAP port for Sametime). Port 389 carries LDAP without encryption; if the directory server offers LDAP over SSL, use it so that the bind credential and directory lookups do not cross the network in clear text.

Creating a Domino server cluster:
An IBM Lotus Sametime server cluster is hosted on an IBM Lotus Domino server cluster, as each Sametime server is hosted on a Domino server.

About this task
Creating a Domino server cluster is one of the tasks required to cluster Lotus Sametime Community Servers.

Note: This topic provides basic information on creating a Domino server cluster. If you are unfamiliar with the functioning of Domino clusters, see the Lotus Domino Administrator Help, available from the Documentation Library at www.lotus.com/ldd.

To create a cluster, you must have at least "Author" access and "Delete Documents" rights specified in the Domino Directory's ACL, and at least "Author" access in the Administration Requests database ACL.

To create a Domino server cluster:
1. On one of the Sametime servers, start the Domino Administrator client. To start this client on a Microsoft Windows machine, click Start → Run and type nlnotes.exe adminonly.


2. When the Administrator client starts, make sure the Sametime server is the current server.
3. Click the Configuration tab.
4. In the Tasks pane, expand Server and click All Server Documents.
5. In the Results pane, select the servers you want to add to the cluster. Select both Sametime servers that you installed in the previous step.
6. Click Add to Cluster.
7. In the Cluster Name dialog box, click Create New Cluster, and then click OK.
8. Type the name of the new cluster and then click OK.
9. Choose Yes to add the servers to the cluster immediately. The cluster information is immediately added to the Domino Directory of the server that you used to create the cluster.

Results
If the server you used to create the Domino cluster is part of the cluster, the server immediately starts the cluster processes and replicates its Domino Directory with another server in the cluster. This process informs other servers in the cluster that they are a part of the cluster. If you did not use a cluster member to create the cluster, this process starts when the Domino Directory of the server you used to create the cluster replicates with the Domino Directory of a server in the cluster.

Verifying that a cluster was created properly:

About this task
You can do the following to verify the cluster was created correctly:

Action: From the Domino Administrator, expand Clusters in the Server pane.
What you should see: The name of the cluster followed by the names of the cluster servers.

Action: From the Domino Administrator, click the Configuration tab, expand Cluster, and then click Clusters. In the Results pane, open the Server documents of the servers you added to the cluster.
What you should see: The name of the cluster followed by the names of the cluster servers displayed in the Results pane, and the name of the cluster in the Cluster name field on the Basics tab of each Server document.

Action: From the Domino Administrator, click a cluster server in the Server pane, and then click the Server - Status tab.
What you should see: CLDBDIR (the Cluster Database Directory Manager) and CLREPL (the Cluster Replicator) in the Task list.

Action: From the Domino Administrator, click a cluster server in the Server pane, and then click the Files tab.
What you should see: The title "Cluster Directory (R4)" and the file name "cldbdir.nsf", showing that Domino created the Cluster Database Directory.

Action: Compare the replica IDs of the Cluster Database Directories on each cluster server.
What you should see: The same replica ID on each server.

What to do next
Set up replication of the Sametime databases required to support the Community Services cluster.

Setting up replication of Sametime databases:

Setting up replication of IBM Lotus Sametime databases is needed when you set up a Community Services cluster without clustering the Meeting Services. To set up real-time replication between the clustered Domino servers, you must create a new replica of each of the databases listed below on the clustered Domino servers. For example, on Sametime server 1, use an IBM Lotus Notes client to open the vpuserinfo.nsf database, click File → Replication → New Replica, and create a new replica of vpuserinfo.nsf on Sametime server 2. Creating the new replica is the only procedure required to set up real-time replication of the databases in the Domino server cluster. Whenever a change occurs to one of the databases, the change is automatically pushed to the replicas on the other servers in the Domino cluster.

Note: By default, an IBM Lotus Domino server does not allow you to create new replicas on a server. To ensure you can create new replicas on the Sametime server, you must do the following:
1. Use a Notes client to open the Server document of the Domino server on which Sametime is installed.
2. Click the Security tab.
3. In the Server Access → Create replica databases field, enter the user or group name of the administrators who need to create replicas on the Domino server. Limit this list to those administrators; everyone listed is able to create replicas on the server.

To support a Community Services cluster, the following databases must replicate in real time between the clustered Domino servers. You must create replicas of the following databases on each of the clustered Domino servers that will be part of the Community Services cluster:
- The Privacy database (vpuserinfo.nsf) - Stores privacy information and contact lists for IBM Lotus Sametime Connect users.
- The Domino Directory database (names.nsf) - Contains Domino and Sametime server configuration data. This database must be replicated to all Sametime servers in the Community Services cluster.
- The Sametime Name Change database (stnamechange.nsf) - Contains Sametime Name Change tasks.

Note: Real-time replication functionality is available only in a Domino server cluster. If you are unfamiliar with the functioning of Domino clusters, you should review the information in Lotus Domino Administrator Help, available from the Documentation Library at www-10.lotus.com/ldd, before creating the Domino server cluster.

Configuring client connectivity for a Lotus Sametime Community Server cluster:
After you have created and named the Community Server cluster, ensure that the clients can connect to the cluster. The configuration fields that affect client connectivity are:
- The "Sametime server" field of the user's Person document in the Domino Directory, or a Sametime cluster field you have added to an LDAP directory.
  Note: Sametime uses this field to ensure that a user connects to one of the Sametime servers in the Community Server cluster. This field serves the same purpose as the "home Sametime server" field in the single-server approach to Community Server deployment that was used in previous Sametime releases.
- The "Host" field in the Sametime Connect client.

Adding the cluster name to a field in each user's Person entry in the LDAP directory
When the Sametime servers are configured to connect to an LDAP directory on an LDAP server (as in this example), the administrator can do one of the following:
- Manually add a field to the LDAP directory to contain the name of the Community Server cluster. The added field must exist in the Person record of every Sametime user in the LDAP directory.
- Use an existing field in the LDAP directory to hold the name of the Community Server cluster. This field must exist in the Person record of every Sametime user in the LDAP directory. In this case, you must specify the cluster name in this field in the LDAP directory.

Note: This example uses the "Sametime server" field of each user's Person document in the Domino Directory as the field that holds the Sametime cluster name.

The field you select to hold the name of the Community Server cluster must be specified in the LDAP Directory-Authentication-Name of the Home Server attribute setting in the Sametime Administration Tool. In this example, the "Sametime server" field was specified when you configured the connection to the LDAP server while installing the Sametime servers. To complete the example, you can enter the cluster name in the "Sametime server" field of each user's Person document in the Domino Directory on the Domino LDAP server. Note that you defined the cluster name when creating a cluster document in the Configuration database. If you used a server name as the cluster name, you can enter the server name in the Domino hierarchical name format (sametimeserver1/west/acme) when entering the name in the Sametime server field of the Person document.
Configuring the "Host" field for Sametime Connect clients
The Sametime Connect client attempts to connect to the network address specified in the Options - Preferences - Sametime Connectivity - Host field of the Sametime Connect client. The users in the Sametime community must enter the DNS name or IP address of the load-balancing mechanism for the Community Server cluster in the "Host" field of their Sametime Connect clients:
• If you have set up a rotating DNS system for load balancing, users must specify the DNS name (for example, sametime.cscluster.com) of the rotating DNS system in this field.
• If you have set up a WebSphere Edge Server to perform load balancing, users must enter the IP address or DNS name of the WebSphere Edge Server machine in this field.

Running the client packager application
You can run the Sametime client packager application on a Sametime server to ensure that each Sametime Connect client downloaded from a Sametime server is pre-configured with the appropriate connectivity settings for your environment, including the Host name setting required to connect to the rotating DNS system or WebSphere Edge Server. For more information, see "Sametime Server Installation."

Connectivity issues associated with a rotating DNS setup
If DNS resolve requests are cached, users might experience some problems when reconnecting following a server failure. For more information on connectivity issues associated with using a rotating DNS setup to accomplish load balancing, see "Rotating DNS Limitations with cached DNS resolve requests."

Set up the load-balancing mechanism (rotating DNS or Network Dispatcher)
Setting up the load-balancing mechanism is one of the tasks associated with setting up an IBM Lotus Sametime Community Services cluster without clustering the Meeting Services. The way in which you set up the load-balancing mechanism varies slightly depending on whether you have deployed Community Services multiplexers on separate machines.

Without separate Community Services multiplexers
If you have not deployed Community Services multiplexers on separate machines, do one of the following to set up the load-balancing mechanism:
• Set up a rotating DNS system to accomplish load balancing. Use rotating DNS to associate the IP addresses of the Sametime server machines with a single DNS name. For example, associate the IP address of Sametime server 1 (11.22.33.66) and Sametime server 2 (11.22.33.77) with the DNS name cscluster.sametime.com.
• Set up an IBM WebSphere Edge Server (Network Dispatcher) in front of the Sametime servers that you intend to cluster. Use the WebSphere Edge Server Network Dispatcher to distribute connections to the Sametime server machines. For more information, see the WebSphere Edge Server documentation, available at www.redbooks.ibm.com (and also provided with the WebSphere Edge Server).

The diagram below shows the Sametime servers with the rotating DNS system in place. Note that the WebSphere Edge Server can be used in place of the rotating DNS system.

With separate Community Services multiplexers
If you have deployed Community Services multiplexers on separate machines, do one of the following to set up the load-balancing mechanism:
• Set up a rotating DNS system to accomplish load balancing. Use rotating DNS to associate the IP addresses of the Community Services multiplexer machines with a single DNS name. For example, associate the IP address of Community Services multiplexer machine 1 (11.22.33.44) and Community Services multiplexer machine 2 (11.22.33.55) with the DNS name cscluster.sametime.com.
• Set up a WebSphere Edge Server (Network Dispatcher) in front of the Sametime servers that you intend to cluster. Use the WebSphere Edge Server Network Dispatcher to distribute connections to the Community Services multiplexer machines. For more information, see the WebSphere Edge Server documentation, available at www.redbooks.ibm.com (and also provided with the WebSphere Edge Server).

The diagram below shows the Community Services multiplexers with the rotating DNS system in place. Note that the WebSphere Edge Server can be used in place of the rotating DNS system.

Creating a cluster document in the Configuration database (stconfig.nsf)
The cluster document enables the servers in a cluster to operate as part of the cluster, and enables servers outside of the cluster (but still within the community) to communicate with the cluster.

About this task
Creating a cluster document in the IBM Lotus Sametime Configuration database (stconfig.nsf) is one of the tasks associated with Setting up a Community Services cluster without clustering the Meeting Services.

The Sametime administrator must manually create a cluster document in the Sametime Configuration database (stconfig.nsf) on a Sametime server in the Community Services cluster. The cluster document defines the Community Services cluster. The cluster document stores the following information:
• The Community Services cluster name.
• The DNS name assigned to the rotating DNS system or IBM WebSphere Edge Server that performs the load-balancing operations.
• A list of all servers in the Community Services cluster.

To create the cluster document in the Sametime Configuration database:
1. Using an IBM Lotus Notes client, open the Sametime Configuration database (stconfig.nsf) that replicates between the Sametime servers in the cluster.
2. Click Create → Cluster Information.
3. In the Cluster Name field, type the cluster's name.
   The cluster is named at your discretion. You can name the cluster after one of the servers in the cluster, but it is not mandatory. If you do name the cluster after one of the servers in the cluster, keep the following points in mind:
   • You might save time when you add the cluster name to the Sametime server field of each user's Person document to configure client connectivity, because users will already have that server name listed in their Person documents (or LDAP directory person entries).
   • Use the IBM Domino full canonical name of the server when entering the name in the Cluster Name field (for example, cn=servername/ou=organizational unit/o=organization).
4. In the DNS Name field, enter the fully qualified DNS name for the cluster. This name must be the DNS name of the rotating DNS system or the WebSphere Edge Server Network Dispatcher that performs the load-balancing operations for the clustered Community Services.
5. In the List of Servers in Cluster field, type the names of all the servers that are part of the cluster. The names must be entered in the IBM Lotus Domino full canonical name format (do not use the fully qualified DNS names in this field). Separate the server names with a semicolon and a space, as in:
   cn=sametimeserver1/ou=west/o=acme; cn=sametimeserver2/ou=west/o=acme
6. Save and close the cluster document. Leave the Configuration database open. In the next procedure, you will copy the new Cluster Information document to all other Sametime servers within the Sametime community.

Copying a cluster document to other Sametime servers in the community
Every server within an IBM Lotus Sametime community requires a copy of the community's cluster document.

About this task
Creating a cluster document on other Sametime servers in the community is one of the tasks associated with clustering Lotus Sametime Community Servers.
You must copy the Cluster Information document to all Sametime servers that are part of the community, regardless of whether they are a part of the cluster itself. Every server in the Sametime community must contain the Cluster Information document in its Configuration database. This procedure enables users who have a home Sametime server that is not part of the Community Services cluster to share presence and instant messaging capabilities with users who are assigned to the Community Services cluster (that is, who have the cluster name listed as the home cluster in their Domino or LDAP directory entry).

Important: Do not replicate the Configuration database. The Configuration database contains some fields that cannot be replicated to all Sametime servers in a community.

To copy the Cluster Information document to all other Sametime servers in the community:
1. If necessary, open the Sametime Configuration database (stconfig.nsf) in which you created the Cluster Information document that defines the cluster.
2. Copy the Cluster Information document:
   a. Locate "Cluster Information" in the Form Name column of the Configuration database.
   b. In the Cluster Information's Last Modified Date column, right-click the date that represents the Cluster Information document you want to copy.
   c. Select Copy.
   d. Click File → Close to close the Configuration database.
3. Paste the Cluster Information document into the Configuration database on each Sametime server in the community:
   a. From the Lotus Notes client, click File → Database → Open.
   b. In the Server field, type the name of another Sametime server in the community.
   c. Click Open.
   d. In the Database list, select the Configuration database (stconfig.nsf).
   e. Click Open.
   f. Click Edit → Paste to paste the Cluster Information document into the Configuration database on this Sametime server. The document name and date will appear in the Last Modified Date column of the Form Name section in the Configuration database.
   g. Save and close the Configuration database.
4. Repeat step 3 for every Sametime server in the Sametime community.

What to do next
Ensure that clients can access the Community Services cluster by configuring client connectivity for the Community Services cluster.

Registering a Community Server cluster on IBM i with the System Console
After configuring a cluster of IBM Lotus Sametime servers on IBM i, register the cluster with the Lotus Sametime System Console so you can manage all of the Lotus Sametime servers from a central location.

Before you begin
Make sure each of these servers is ready for the cluster registration task:
• Each of the Lotus Sametime Community Servers in the cluster must be registered with the Lotus Sametime System Console, and must be started.
• The Lotus Sametime System Console must be started.
• The LDAP server must be started, and must be connected to the Lotus Sametime System Console.

1. Verify that each of the servers in the cluster has been registered with the Lotus Sametime System Console.
2. If you just configured cluster settings for a group of Lotus Sametime Community Servers, restart all of the cluster members now so the cluster goes into effect before you continue.
3. Complete the following steps for each server in the cluster to verify each Server document's Net Address field:
   a. From a Lotus Notes client, open the Server document for the Lotus Sametime Community Server you are working on.
   b. Click the Ports tab.
   c. Click the Notes Network Ports tab and check the Net Address field:

      This field should contain the fully qualified host name of the current Lotus Sametime Community Server. If the field contains an IP address, change it now.
   d. Click Save if you made a change, and then click Close to close the Server document.
   e. If you changed the Server document, restart the server.
   f. Remember to repeat this task for every server in the cluster.
4. Now run the registerSTCluster.sh registration utility from one of the servers in the cluster:
   a. From an IBM i command line, run the following command to start the QShell Interpreter:
      QSH
   b. Navigate to the server's sametime_server_data_directory/console directory; for example:
      cd /stserver/data/console
   c. Run the shell script using the command in the scenario below that best applies to your deployment:
      • The deployment includes a stand-alone Community Mux that was not added to the cluster as a member, but works with the cluster (so the cluster members refer to this server's host name):
        registerSTCluster.sh -external
      • The deployment includes a stand-alone rotating DNS server that was not added to the cluster as a member, but works with the cluster (so the cluster members refer to this server's host name):
        registerSTCluster.sh -external
      • The deployment includes a stand-alone load balancer that was not added to the cluster as a member, but works with the cluster (so the cluster members refer to this server's host name):
        registerSTCluster.sh -external
      • None of the above:
        registerSTCluster.sh
   d. As the registration utility runs, you will be prompted to enter the following information:
      Cluster name
         Type the name you created when you configured the cluster, and press Enter.
      Location of notes.ini file
         Type the full path to the Sametime Community Server data directory containing the notes.ini file (for example, /stserver/data), and press Enter.
      Lotus Domino administrator user name
         This is the account that you created for managing the Lotus Sametime Community Server from the Community Server Administration Tool. Type the Lotus Domino administrator's user name, and press Enter.
      Lotus Domino administrator password
         Type the password associated with the Lotus Domino administrator user account, and press Enter.
   e. When the registration script completes, press F3 to exit QSH.
      The utility registers the cluster, generating a log file called ConsoleUtility.log and storing it in the consoles/logs directory.
5. Restart the Lotus Sametime Community Server where you ran the registration utility.

Adding a server to the Community Services cluster
You can add IBM Lotus Sametime Community Servers to an existing Community Services cluster.
1. Follow these steps to ensure that all databases have the same replica ID:
   a. Add the Sametime server to the IBM Lotus Domino server cluster following the guidelines described in Creating a Domino server cluster.
   b. Replicate the Sametime databases to the newly added Sametime server following the guidelines described in Setting up replication of Sametime databases.
2. Update the Cluster Information document and copy the updated document to all Sametime servers in the community:
   a. Add the name of the new Sametime server to the List of Servers in Cluster field in the Cluster Information document in the Configuration database (stconfig.nsf) on one Sametime server. Enter the server name in the Domino full canonical name format (for example, cn=servername/ou=organizational unit/o=organization). Do not use the fully qualified DNS name in this field. The list includes every Sametime server in the cluster; separate the server names with a semicolon and a space as shown in the example below:
      cn=sametimeserver1/ou=west/o=acme; cn=sametimeserver2/ou=west/o=acme
   b. Copy the updated Cluster Information document and paste it into the Configuration database on every Sametime server in the community (both clustered servers and non-clustered servers).
      Note: After pasting the new Cluster Information document in the Configuration database, you can delete the previous version of the Cluster Information document.
3. Optional: You can deploy a stand-alone Sametime Community Mux to ensure the connection load for your Community Services cluster is handled efficiently. However, if you do not deploy another Community Services multiplexer, the existing Community Services multiplexers can still make connections to the newly added Sametime server.
   If you deploy a stand-alone Sametime Community Mux, make sure to update the Community Connectivity configuration document on every Sametime server in the cluster and include the IP address of the new multiplexer.
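The cluster-document procedure, the registration procedure's Net Address check, and step 2 above all depend on fields being typed exactly: Domino full canonical names separated by a semicolon and a space, no fully qualified DNS names in the server list, and a DNS name rather than an IP address for the load balancer. The following Python script is an added example, not part of Lotus Sametime or this guide; it checks a Cluster Information document against those rules. The field names and the two sample documents are constructed for illustration.

```python
"""Sanity checks for the Cluster Information document fields described above.

Added example, not part of Lotus Sametime or the IBM guide. It encodes the rules
the procedures state: server names in Domino full canonical form
(cn=.../ou=.../o=...), separated by a semicolon and a space, no fully qualified
DNS names in the server list, and a fully qualified DNS name rather than an IP
address for the load balancer. Field names and sample values are constructed.
"""
import ipaddress
import re
from typing import Dict, List

# Domino full canonical name: cn=<name>, optional ou= components, o=<org>,
# optional c=<country>. Component values may contain spaces but not '/' or '='.
_CANONICAL = re.compile(r"^cn=[^/=]+(?:/ou=[^/=]+)*/o=[^/=]+(?:/c=[^/=]+)?$", re.I)
# Fully qualified DNS name: two or more labels of letters, digits and hyphens.
_FQDN = re.compile(
    r"^(?=.{1,253}$)(?:[a-z0-9](?:[a-z0-9-]{0,61}[a-z0-9])?\.)+"
    r"[a-z][a-z0-9-]{0,61}[a-z0-9]$",
    re.I,
)


def is_canonical_name(value: str) -> bool:
    """True for a Domino full canonical name such as cn=srv1/ou=west/o=acme."""
    return bool(_CANONICAL.match(value.strip()))


def is_ip_address(value: str) -> bool:
    """True if the value parses as an IPv4 or IPv6 address."""
    try:
        ipaddress.ip_address(value.strip())
        return True
    except ValueError:
        return False


def is_fqdn(value: str) -> bool:
    """True for a fully qualified DNS name (and never for a bare IP address)."""
    return not is_ip_address(value) and bool(_FQDN.match(value.strip()))


def split_server_list(field: str) -> List[str]:
    """Split the 'List of Servers in Cluster' field on semicolons."""
    return [s.strip() for s in field.split(";") if s.strip()]


def validate_cluster_document(doc: Dict[str, str]) -> List[str]:
    """Return the list of problems found; an empty list means the document passes."""
    problems: List[str] = []

    name = doc.get("Cluster Name", "").strip()
    if not name:
        problems.append("Cluster Name is empty")
    elif "/" in name and not is_canonical_name(name):
        # A cluster named after a server must use the full canonical form.
        problems.append(f"Cluster Name {name!r} is not a Domino full canonical name")

    dns = doc.get("DNS Name", "").strip()
    if is_ip_address(dns):
        problems.append(f"DNS Name {dns!r} is an IP address; enter the load balancer's DNS name")
    elif not is_fqdn(dns):
        problems.append(f"DNS Name {dns!r} is not a fully qualified DNS name")

    raw = doc.get("List of Servers in Cluster", "")
    if re.search(r";(?!\s)", raw.strip().rstrip(";")):
        problems.append("List of Servers in Cluster: separate names with a semicolon and a space")
    servers = split_server_list(raw)
    if not servers:
        problems.append("List of Servers in Cluster is empty")
    for server in servers:
        if is_fqdn(server) or is_ip_address(server):
            problems.append(f"server {server!r} is a DNS name or IP address; use the canonical name")
        elif not is_canonical_name(server):
            problems.append(f"server {server!r} is not a Domino full canonical name")
    lowered = [s.lower() for s in servers]
    if len(set(lowered)) != len(lowered):
        problems.append("List of Servers in Cluster contains duplicate server names")
    return problems


# Constructed sample documents using the guide's example names and addresses.
GOOD_DOCUMENT = {
    "Cluster Name": "cn=sametimeserver1/ou=west/o=acme",
    "DNS Name": "cscluster.sametime.com",
    "List of Servers in Cluster": "cn=sametimeserver1/ou=west/o=acme; cn=sametimeserver2/ou=west/o=acme",
}
BAD_DOCUMENT = {
    "Cluster Name": "WestCluster",
    "DNS Name": "11.22.33.66",
    "List of Servers in Cluster": "sametimeserver1.acme.com;cn=sametimeserver2/ou=west/o=acme",
}

if __name__ == "__main__":
    for label, doc in (("good", GOOD_DOCUMENT), ("bad", BAD_DOCUMENT)):
        print(label, validate_cluster_document(doc) or "OK")
```

is_fqdn and is_ip_address also serve the Net Address check in the registration procedure, where the field must hold the server's fully qualified host name and not an IP address.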

Creating multiple Community Services clusters in a single Sametime community
If you have a large IBM Lotus Sametime community consisting of many Sametime servers, it is possible to create multiple Community Services clusters within this single Sametime community.

About this task
You might want to create multiple Community Services clusters if you have users who are in the same community, but work in remote locations. For example, you might want to create a Community Services cluster for workers in your Dublin office and a separate Community Services cluster for workers in your Paris office. Creating two separate clusters enables the clusters to function more efficiently. If the servers in Dublin and the servers in Paris were part of the same Community Services cluster, it would be necessary to replicate databases in real-time across a WAN connection, which might result in inefficient performance.

Note: Each Lotus Sametime server can belong to a single cluster. Environments in which two or more clusters point to the same Sametime server are not supported.

To create multiple Community Services clusters in a single community:
1. Create each Community Services cluster using the procedures described in Clustering Lotus Sametime Community Servers.
2. Copy the Cluster Information documents to all servers in the Sametime community.

Results
When you create a Community Services cluster, you create a Cluster Information document in the Configuration database (stconfig.nsf) on one Sametime server in the cluster and copy this Cluster Information document to the Configuration databases of every Sametime server in the community. When you create multiple Sametime server clusters in a single community, the Configuration database of every Sametime server in the community must include a Cluster Information document for every cluster in the Sametime community. In such an environment, the Configuration database on each Sametime server in the community will contain multiple Cluster Information documents. For example, if you have three Community Services clusters in your community (Cluster 1, Cluster 2, and Cluster 3), the configuration database of every Sametime server in the community must include three cluster documents (one for each cluster). This rule applies to all servers in the community, even servers that do not operate as a member of a cluster.

What to do next
For more information, see Creating a cluster document in the Configuration database (stconfig.nsf) and Copying a cluster document to other Sametime servers in the community.

Rotating DNS Limitations with cached DNS resolve requests
This section describes some of the limitations related to setting up a rotating DNS system to load balance connections to the IBM Lotus Sametime Community Services cluster. Ideally, as users connect to the rotating DNS system, consecutive attempts to resolve a cluster name will result in an even distribution of connections to the servers in the cluster. In practice, the DNS caching mechanism can cause Sametime Connect to repeatedly attempt connections to the same server in the cluster. If a server fails, and the DNS resolve requests are cached, IBM Lotus Sametime Connect might attempt to reconnect to the server that is down instead of failing over to a different server. The Sametime Connect client’s Sametime Connectivity settings control whether the client attempts to connect to the Sametime server through a proxy server or attempts a direct connection to the Sametime server. These connectivity settings affect the failover behavior when DNS resolve requests are cached. This behavior varies for the IBM Lotus Sametime Connect for the desktop client and the IBM Lotus Sametime Connect for browsers client.

The failover behavior of the Sametime Connect clients when DNS resolve requests are cached is discussed below.

Sametime Connect for the desktop
When the DNS resolve requests are cached and a server fails, Sametime Connect for the desktop automatically attempts to connect to another server in the cluster. When any of the following settings are selected on the Sametime Connectivity tab, a successful connection to the cluster depends on the client machine and its settings:
• Direct connection using standard Sametime protocol
• Use SOCKS4 proxy with "Resolve server name locally" checked
• Use SOCKS5 proxy with "Resolve server name locally" checked
• Direct connection using HTTP protocol

If Sametime Connect cannot reconnect to the cluster when these settings are selected, the user can try any of the following options:
• On Windows 2003 machines, change the registry key that controls the cache time for DNS requests so the DNS requests are cached for only one second:
  1. Start the registry editor and open HKEY_LOCAL_MACHINE\SYSTEM\CurrentControlSet\Services\Dnscache\Parameters
  2. Change the value of the registry key "MaxCacheEntryTtlLimit" to "1"
• In the Sametime Connect client's Sametime Connectivity settings, change the name in the Host setting from the cluster name to the name of a specific server within the cluster.

When any of the following settings are selected in the Sametime Connectivity tab, a proxy server resolves the cluster name. Resolving the cluster name depends on the settings of the proxy server. The proxy server might return a valid server name in the cluster, or it might return the address of the server that is already down.
• Use HTTP proxy
• Use HTTPS proxy
• Use SOCKS4 proxy with "Resolve server name locally" unchecked
• Use SOCKS5 proxy with "Resolve server name locally" unchecked

If Sametime Connect cannot reconnect to the cluster when these settings are selected, check the settings on the proxy server to verify the proxy is attempting to connect to the servers within the cluster in rotating order.

When Use my Internet Explorer browser settings is selected in the Sametime Connectivity tab, the behavior of the client depends on the proxy connectivity settings of the Microsoft Internet Explorer Web browser.
• If the browser settings do not specify a proxy server, the client attempts a Direct connection using HTTP protocol. If the client is unable to reconnect following a server failure, the user can try any of the options listed for Direct connection using HTTP protocol above.
• If the browser settings specify an HTTP proxy server, the HTTP proxy server resolves the cluster name. If the client cannot reconnect, check the settings on the proxy server to verify the proxy is attempting to connect to the servers in the cluster.

Sametime Connect for browsers
With Sametime Connect for browsers, the client resolves the cluster name when any of the following options are selected:
• Direct connection using standard Sametime protocol
• Direct connection using HTTP protocol
• Use SOCKS4 proxy with "Resolve server name locally" checked
• Use SOCKS5 proxy with "Resolve server name locally" checked

If Sametime Connect for browsers cannot reconnect to the cluster when these settings are selected, the user should do the following:
• On Windows NT® and Windows 98 machines, restart the Sametime Connect client or restart the Web browser.
• On Windows 2000 machines, change the registry key that controls the cache time for DNS requests so that DNS requests are cached for only one second:
  1. Start the registry editor and open HKEY_LOCAL_MACHINE\SYSTEM\CurrentControlSet\Services\Dnscache\Parameters
  2. Change the value of the registry key "MaxCacheEntryTtlLimit" to "1"
• In the Sametime Connect client's Sametime Connectivity settings, change the name in the Host field from the cluster name to the name of a specific server within the cluster.

When any of the following settings are selected in the Sametime Connect for browsers Sametime Connectivity tab, a proxy server resolves the cluster name. Resolving the cluster name depends on the settings of the proxy server. The proxy server might return a valid server name in the cluster, or it might return the address of the server that is already down.
• Use SOCKS4 proxy with "Resolve server name locally" unchecked
• Use SOCKS5 proxy with "Resolve server name locally" unchecked
• Use HTTP proxy
• Use HTTPS proxy

If Sametime Connect cannot reconnect to the cluster when these settings are selected, check the proxy settings to verify the proxy is attempting to connect to the servers in the cluster in rotating order.

When Use my browser settings is selected in the Sametime Connectivity tab, the behavior of the client depends on the proxy connectivity settings of the Web browser.
• If the browser settings do not specify a proxy server, the client attempts a Direct connection using standard Sametime protocol or a Direct connection using HTTP protocol. If the client is unable to reconnect following a server failure, the user can try any of the options listed for Direct connection using standard Sametime protocol and Direct connection using HTTP protocol above.
• If the browser settings specify a SOCKS proxy server, and the client is unable to reconnect following a server failure, the user can try any of the options listed for the Use SOCKS4 and Use SOCKS5 proxy settings above.
• If the browser settings specify an HTTP or HTTPS proxy server, the proxy server resolves the cluster name. If the client cannot reconnect, check the settings on the proxy server to verify the proxy is attempting to connect to the servers in the cluster.
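The failover behaviour described for both clients comes down to how the cluster name is resolved and whether the client tries more than the first address behind it. The following Python model is an added example and not Sametime Connect's code: it reproduces the cached-resolver symptom with the guide's two sample addresses (11.22.33.66 down, 11.22.33.77 up) and shows the effect of a one-second cache TTL, the MaxCacheEntryTtlLimit workaround, against walking every address behind the name. The rotating DNS stand-in, the cluster records and the failed server are constructed; the two live helpers use socket.getaddrinfo and a plain TCP connect.

```python
"""Client-side failover against a rotating-DNS cluster name.

Added example; not Sametime Connect code or part of the IBM guide. A stub
resolver that caches the answer for the cluster name keeps returning the same
address order, so a client that only uses the first address reconnects to the
failed server; walking every address behind the name restores failover. The
cluster name, addresses and the failed server are constructed sample data.
"""
import socket
import time
from typing import Callable, Dict, List, Optional, Tuple

Resolver = Callable[[str], List[str]]
Connector = Callable[[str, int], bool]


def resolve_all_ipv4(name: str) -> List[str]:
    """Live resolver: every IPv4 address behind `name`, in answer order."""
    addrs: List[str] = []
    for info in socket.getaddrinfo(name, None, socket.AF_INET, socket.SOCK_STREAM):
        if info[4][0] not in addrs:
            addrs.append(info[4][0])
    return addrs


def tcp_probe(addr: str, port: int, timeout: float = 3.0) -> bool:
    """Live connector: True if a TCP connection to addr:port is accepted."""
    try:
        with socket.create_connection((addr, port), timeout=timeout):
            return True
    except OSError:
        return False


class RotatingDns:
    """Constructed stand-in for rotating DNS: each query returns the same A records rotated by one."""
    def __init__(self, records: Dict[str, List[str]]) -> None:
        self.records = {k: list(v) for k, v in records.items()}
        self.queries = 0

    def __call__(self, name: str) -> List[str]:
        addrs = self.records[name]
        shift = self.queries % len(addrs)
        self.queries += 1
        return addrs[shift:] + addrs[:shift]


class CachingResolver:
    """Stub-resolver cache in front of an upstream resolver. A long TTL freezes the
    first answer and its order; ttl=1 (the registry workaround) refreshes it almost every lookup."""
    def __init__(self, upstream: Resolver, ttl: float, clock: Callable[[], float] = time.monotonic) -> None:
        self.upstream, self.ttl, self.clock = upstream, ttl, clock
        self.cache: Dict[str, Tuple[List[str], float]] = {}

    def __call__(self, name: str) -> List[str]:
        now = self.clock()
        hit = self.cache.get(name)
        if hit is not None and now < hit[1]:
            return list(hit[0])  # cache hit: same addresses, same order
        answer = self.upstream(name)
        self.cache[name] = (list(answer), now + self.ttl)
        return list(answer)


def connect_first_address(cluster_name: str, port: int, resolve: Resolver, connect: Connector) -> Optional[str]:
    """Naive client: uses only the first address the resolver returns."""
    addrs = resolve(cluster_name)
    if addrs and connect(addrs[0], port):
        return addrs[0]
    return None


def connect_with_failover(cluster_name: str, port: int, resolve: Resolver, connect: Connector) -> Optional[str]:
    """Failover client: tries every address behind the cluster name, in the order
    the resolver returned them, and reports the one that accepted."""
    for addr in resolve(cluster_name):
        if connect(addr, port):
            return addr
    return None


def reconnect_attempts(port: int, attempts: int, ttl: float, walk_all: bool) -> List[Optional[str]]:
    """Constructed scenario: the guide's two servers behind cscluster.sametime.com,
    11.22.33.66 down, two seconds between reconnect attempts. Returns the address
    reached on each attempt (None means the attempt failed)."""
    down = {"11.22.33.66"}
    dns = RotatingDns({"cscluster.sametime.com": ["11.22.33.66", "11.22.33.77"]})
    fake_clock = [0.0]

    def clock() -> float:
        fake_clock[0] += 2.0
        return fake_clock[0]

    resolve = CachingResolver(dns, ttl=ttl, clock=clock)
    connect: Connector = lambda addr, _port: addr not in down
    client = connect_with_failover if walk_all else connect_first_address
    return [client("cscluster.sametime.com", port, resolve, connect) for _ in range(attempts)]
```

With a long TTL the naive client never recovers, the failover client reaches 11.22.33.77 every time, and with ttl=1 the naive client recovers only on the attempts where the rotated answer happens to list the live server first.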

Configuring SiteMinder for the Lotus Sametime server
This section describes how to configure CA eTrust SiteMinder for the IBM Lotus Sametime 8 server.

About this task
You installed the Lotus Sametime 8 server as part of the process for installing IBM Lotus Sametime Advanced. The Lotus Sametime 8 server is managed with the Lotus Sametime Advanced server. When you configure SiteMinder to work with the Lotus Sametime 8 server, you create a new agent object, agent configuration object, host configuration object, realm, and sub-realms. You should use the same user directory and domain that you created when you configured SiteMinder for Lotus Sametime Advanced.

Creating configuration objects for Sametime
Follow these steps to create configuration objects for IBM Lotus Sametime 8 on the CA eTrust SiteMinder Policy server.

Before you begin
Open the SiteMinder Policy Server console.
1. To create an Agent object, follow these steps:
   a. Click the System tab.
   b. Under System Configuration, right-click the Agents icon.
   c. In the SiteMinder Agent Dialog, type a unique value not used previously for an existing agent in the *Name field.
   d. Optional: Type a description such as "Sametime Agent."
   e. Under Agent Type, select SiteMinder, and select Web Agent from the drop-down list.
   f. Click OK.
2. Create a duplicate of the existing DominoDefaultSettings Agent Conf Object on the SiteMinder Policy Server and modify the duplicate as appropriate. To create an Agent Conf object for your HTTP Server:
   a. Under System Configuration, click the Agent Conf Objects icon.
   b. Right-click the DominoDefaultSettings Agent Conf object in the Agent Conf Object List on the right side of the console, and select Duplicate Configuration Object.
   c. In the SiteMinder Agent Configuration Object Dialog, type a unique value not used previously for an existing agent in the *Name field.
   d. Optional: Type a description such as "Domino Configuration Agent."
   e. In the Configuration Values list, set the following parameters to the values indicated or to the appropriate values for your server. Click each parameter and select Edit:
      • DefaultAgentName - the name given to the agent created in step 1c.
      • AllowLocalConfig - Yes
      • CssChecking - No
      • BadUrlChars - remove // and /.,%00-%1f,%7f-%ff,%25 from the default list of Bad Url Characters
      • SkipDominoAuth - No
      All other parameters can be left at their default settings.
   f. Click OK.

3. IBM recommends that you create a duplicate of the existing DefaultHostSettings Host Conf Object on the SiteMinder Policy Server and modify the duplicate as appropriate. To create a Host Conf object for your HTTP Server:
   a. Under System Configuration, click the Host Conf Objects icon.
   b. Right-click the DefaultHostSettings object in the Host Conf Object List on the right side of the console, and select Duplicate Configuration Object.
   c. In the SiteMinder Host Configuration Object Dialog, type a unique value in the *Name field.
   d. Optional: Type a description such as "Sametime Advanced Host."
   e. In the Configuration Values list, edit the #Policy Server value by removing the # from in front of the parameter name and entering the IP address of your SiteMinder Policy Server in the appropriate place in the value field.
   f. Click OK.

Configuring realms for Lotus Sametime
Follow these steps to configure the realms for IBM Lotus Sametime 8 on the CA eTrust SiteMinder Policy Server.
1. Open the SiteMinder Policy Server console.
2. Define the realm for the Web Agent domain:
   a. Click the Domains tab on the left side of the SiteMinder Policy Console.
   b. Right-click the Web Agent domain that you previously created.
   c. Click Create Realm.
   d. In the SiteMinder Realm Dialog, type a unique value in the *Name field, for example, Sametime.
   e. Optional: Type a description.
   f. Click the Resource tab.
   g. In the Agent field, type the name of the agent that you created for the Web Agent for Lotus Sametime 8. You can also select it using Lookup.
   h. Type the Resource Filter as /
   i. In the Authentication Scheme drop-down list, select Basic.
   j. Under Default Resource Protection, select Protected. Leave all the other fields on the Resource, Session and Advanced tabs at their default values.
   k. Click OK.
3. Create sub-realms under the realm you just created.
   a. Click the Domains tab on the left side of the SiteMinder Policy Console.
   b. Right-click the realm that you created in step 2.
   c. Click Create Realm.
   d. Create the following sub-realms for your configuration, with the values indicated in each dialog:

      Name                 Resource Filter             Authentication Scheme   Default Resource Protection
      ST Test              stlinks                     Basic                   Unprotected
      ST AdminConfig       servlet/auth/scs            Basic                   Unprotected
      ST AdminPage         servlet/auth/admin          Basic                   Protected
      ST Src               stsrc.nsf/join              Basic                   Protected
      ST Domino            STDomino.nsf                Basic                   Unprotected
      ST Applets           sametime/applets            Basic                   Unprotected
      ST Applet            Sametime/Applet             Basic                   Unprotected
      IMI Sametime         sametime/hostAddress.xml    Basic                   Unprotected
      ST MMAPI             servlet/auth/mmapi          Basic                   Unprotected
      ST Admin CGI         cgi-bin/StAdminAct.exe      Basic                   Unprotected
      ST UserInfoServlet   servlet/UserInfoServlet     Basic                   Unprotected

4. Create rules for the protected realm (Sametime) and the two protected sub-realms (ST AdminPage and ST Src).
   a. Right-click the realm that was created for the Web Agent domain (for example, Sametime), and select Create Rule under Realm.
   b. Use the SiteMinder Rule dialog to create the following rules, named Rule 1 and Rule 2:
      Rule 1 properties
      • *Name - GetPost Rule
      • Realm - Sametime
      • Resource: *
      • Web Agent actions - Get,Post,
      • When this Rule fires - Allow Access
      • Enable or Disable this Rule - Enabled
      Rule 2 properties
      • *Name - OnAuthAccept
      • Realm - Sametime
      • Resource: *
      • Authentication events - OnAuthAccept
      • When this Rule fires - Allow Access
      • Enable or Disable this Rule - Enabled
   c. Right-click the ST AdminPage sub-realm, and select Create Rule under Realm.
   d. Use the SiteMinder Rule dialog to create the following rule, named Rule 1:
      Rule 1 properties
      • *Name - GetPost Rule
      • Realm - Sametime.ST AdminPage
      • Resource: *
      • Web Agent actions - Get,Post,
      • When this Rule fires - Allow Access
      • Enable or Disable this Rule - Enabled
   e. Right-click the ST Src sub-realm, and select Create Rule under Realm.
   f. Use the SiteMinder Rule dialog to create the following rules, named Rule 1 and Rule 2:
      Rule 1 properties
      • *Name - GetPost Rule
      • Realm - Sametime.ST Src
      • Resource: *
      • Web Agent actions - Get,Post,
      • When this Rule fires - Allow Access
      • Enable or Disable this Rule - Enabled
      Rule 2 properties
      • *Name - OnAuthAccept
      • Realm - Sametime.ST Src
      • Resource: *
      • Authentication events - OnAuthAccept
      • When this Rule fires - Allow Access
      • Enable or Disable this Rule - Enabled
5. Add the rules to the SiteMinder policy that you created for Lotus Sametime Advanced.
   a. Double-click the policy you created for Lotus Sametime Advanced, for example, STADVWAPolicy.
   b. Click the Rules tab, and then click Add/Remove Rules. Add all the rules you created previously for the realm and sub-realms to the current members list. Click OK.

Installing and configuring the SiteMinder Web Agent
IBM recommends that you install the latest available version of the CA eTrust SiteMinder Web Agent as well as the latest available hot fix that is certified by Computer Associates to work with the version of the HTTP server that you are using.

Before you begin
Before you begin, you must download the Siteminder V6-QMR5 W32 Web Agent installation files from the SiteMinder support site at http://support.netegrity.com.

About this task
Refer to the SiteMinder platform support matrices for more details. These matrices can be obtained from the SiteMinder support site. You can also refer to the SiteMinder WebAgent Installation Guide for details about configuring the Web Agent to work with the HTTP server that you are using. The application agent for IBM Lotus Sametime Advanced should be v6.0 CR005 or later to ensure support of IBM WebSphere Application Server 6.1.
Note: To install the SiteMinder Web Agent on platforms other than Microsoft Windows, you can use the relevant Win32 instructions as a reference document. The same configuration information needs to be provided, regardless of platform. There are also additional instructions included with the Web Agent installation files that indicate platform-specific steps that are required for installing and configuring the Web Agent on a specific platform.
Follow these steps to install and configure the Win32 6x Web Agent for your HTTP server.
1. If necessary, extract all the files from the ZIP file provided by SiteMinder.
2. Start the Web Agent executable. The format is nete-wa-6qmrX-platform.exe. For example:

nete-wa-6qmr5-win32.exe

3. The CA SiteMinder Web Agent Introduction screen appears. Click Next.
4. On the License Agreement screen, scroll down and select I accept the terms of the License Agreement, and click Next.
5. Click Next on the Important Information screen.
6. On the Choose Install Location screen, accept the default location for installing the Web Agent or click Choose to select a different location, then click Next.
7. Click Next on the Choose Shortcut Folder screen.
8. Click Install on the Pre-Installation Summary screen.
9. On the Install Complete screen, accept the default selection and click Done. Your system restarts.
10. Click Start → Programs → Siteminder → Web Agent Configuration Wizard to start the Web Agent Configuration Wizard.
11. On the Host Registration screen, select Yes, I would like to do Host Registration now, but do not select the Enable PKCS11 DLL Cryptographic Hardware check box. Click Next.
12. On the Admin Registration screen, type the SiteMinder administrator name and password provided by your SiteMinder contact. Do not select the Enable Shared Secret Rollover check box. Click Next.
13. On the Trusted Host Name and Configuration Object screen, type the trusted hostname and Host Conf Object provided by your SiteMinder contact. Click Next.
14. On the Policy Server IP Address screen, type the SiteMinder Policy Server IP address provided by your SiteMinder contact and click Add. Click Next.
15. On the Host Configuration file location screen, accept the default file name and location and click Next.
16. On the Select Web Server(s) screen, select the check box next to the HTTP server that you wish to configure with the Web Agent, and then click Next.
17. On the Agent Configuration Object screen, enter the Agent Conf Object provided by the SiteMinder contact and click Next.
18. On the Web Server Configuration Summary screen, click Install. The Web Agent configuration process starts, and then the Configuration Complete screen appears.
19. Click Done to complete the configuration process.
Note: You can ignore messages indicating that some warnings occurred during the installation. These warnings appear by default and do not affect the functionality of the Web Agent.

What to do next
There are additional steps that must be completed to enable the Web Agent to function properly for your server. Follow the additional instructions that are provided by your SiteMinder contact in order to complete this setup.

Add the DSAPI filter file name to the Domino Directory
Your IBM Lotus Sametime server will run on a Lotus Domino server. When you integrate IBM Lotus Sametime with CA eTrust SiteMinder, the SiteMinder Web Agent is implemented as a Domino Web Server Application Programming Interface (DSAPI) filter file.


About this task
Follow these steps to add the DSAPI filter file name to the Domino Directory.
1. Open the Domino Directory (names.nsf) on the Domino server.
2. Edit the server document for the Domino server as follows:
a. Click the Internet Protocols tab, then click the HTTP tab. In the DSAPI filter file names field, type the full path and name of the SiteMinder Web Agent (typically c:\Program Files\Netegrity\Siteminder Web Agent\bin\dominowebagent.dll).
b. Click the Domino Web Engine tab, then set the Session authentication field to Disabled.
3. Save and close the server document.

Enabling SiteMinder for Lotus Sametime
Follow these steps to enable the CA eTrust SiteMinder Web Agent for the IBM Lotus Sametime server. 1. Locate the local Web Agent configuration file for the SiteMinder Web Agent that has been configured with your HTTP server. For example:
C:\Program Files\IBM\HTTPServer\conf\WebAgent.conf

2. Use a text editor to open the file and set the EnableWebAgent parameter to YES. 3. Restart your HTTP and Lotus Domino Servers. When you start or stop the Domino server, you are starting and stopping the Lotus Sametime server as well.

Configuring the Sametime client
This section describes how to configure IBM Lotus Sametime clients.

Client update process
The server can push updates out to the IBM Lotus Sametime clients if the update policy key is enabled, ensuring that all clients have the same features. Administrators can provision new Lotus Sametime client features, or update existing ones, in a push mode so that each client employs the same set of features as the others do. The push method enables the client to install Lotus Sametime features or updates automatically when the user logs in to Lotus Sametime.

Setting up automatic updates
When the user logs in from the client, the client looks in the preferences.ini file located in the update plugin (com.ibm.collaboration.realtime.update\preferences.ini) root directory for the existence of the "runme" property. If the property is present and is set to 'true', then the update plugin continues. The client then checks the policy key CONNECT_UPDATE_URL on the default Lotus Sametime Community Server. If the server is 7.5.x or later then you, as Administrator, can define the policy to tell the client where the update site is located. If the policy key is not set on the server (see the section on User Policy in this documentation), it is missing for one of two reasons:
1. The administrator did not set the key in the stpolicy.nsf file on the Lotus Sametime Community Server.
2. The Lotus Sametime Community Server is a pre-7.5.1 version.


If the key is not found, the client searches the preferences.ini file located in the update plugin (com.ibm.collaboration.realtime.update\preferences.ini) root directory for the adminUpdatePolicyURL value. The client then silently downloads all updated features it finds in the administrator’s update site and installs them. Updates of features from this site are required, so the client does not have the option of not installing them. Once installation is complete, the user receives a message announcing that new updates have been installed and that the user should restart the Sametime client. The user can click the restart button or press a five-minute delay button. If the user is involved in chats with other users, he or she can continue to delay the restart for as long as desired by pressing the delay button again at five-minute intervals. After the restart, the client checks again to see if there are more updates, and if it finds none, the user is not interrupted again. This update process takes place each time the user restarts the client and logs in to the default server.
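To make the lookup order above concrete (runme in preferences.ini, then the CONNECT_UPDATE_URL policy key, then adminUpdatePolicyURL), here is an added Python model. It is not IBM's code and not how the Sametime client is implemented; the parser, select_update_site() and is_acceptable_update_site() are hypothetical stand-ins, and the sample preferences.ini text is constructed. Only the key names come from the guide.

```python
# Added example, not part of the IBM guide: models the update-site lookup order
# the guide describes. The parser and the policy lookup are hypothetical stand-ins
# for the client's own code; the key names (runme, CONNECT_UPDATE_URL,
# adminUpdatePolicyURL) are the ones the guide names. The sample file is constructed.
from typing import Dict, Iterable, Optional, Tuple
from urllib.parse import urlparse

SAMPLE_PREFERENCES_INI = """\
# constructed sample of com.ibm.collaboration.realtime.update/preferences.ini
runme=true
adminUpdatePolicyURL=https://updates.example.com/sametime/site.xml
"""

def parse_preferences_ini(text: str) -> Dict[str, str]:
    """Minimal key=value parser: skips blank lines and '#'/';' comment lines."""
    prefs: Dict[str, str] = {}
    for raw in text.splitlines():
        line = raw.strip()
        if not line or line[0] in "#;":
            continue
        key, sep, value = line.partition("=")
        if sep:
            prefs[key.strip()] = value.strip()
    return prefs

def select_update_site(prefs: Dict[str, str],
                       server_policy: Dict[str, str]) -> Tuple[Optional[str], str]:
    """Return (update_url, reason) following the guide's lookup order.

    server_policy holds the policy keys the default Community Server returns.
    A pre-7.5.1 server, or an administrator who never set the key in
    stpolicy.nsf, simply yields no CONNECT_UPDATE_URL entry, which is why
    both cases fall through to the preferences.ini value.
    """
    if prefs.get("runme", "").lower() != "true":
        return None, "runme is not 'true': the update plug-in stops here"
    policy_url = server_policy.get("CONNECT_UPDATE_URL")
    if policy_url:
        return policy_url, "policy key CONNECT_UPDATE_URL from the Community Server"
    fallback_url = prefs.get("adminUpdatePolicyURL")
    if fallback_url:
        return fallback_url, "adminUpdatePolicyURL from preferences.ini (policy key missing)"
    return None, "no update site configured"

def is_acceptable_update_site(url: str, allowed_hosts: Iterable[str]) -> bool:
    """Administrator-side sanity check (added here, not a product setting): the
    client installs everything it finds on the site silently, so insist on HTTPS
    and on a host you control before rolling the policy key out."""
    parsed = urlparse(url)
    return parsed.scheme == "https" and parsed.hostname in set(allowed_hosts)

def demo() -> Tuple[Optional[str], str]:
    """Server policy present: the policy key wins over the preferences.ini value."""
    prefs = parse_preferences_ini(SAMPLE_PREFERENCES_INI)
    policy = {"CONNECT_UPDATE_URL": "https://updates.example.com/policy/site.xml"}
    return select_update_site(prefs, policy)

if __name__ == "__main__":
    url, reason = demo()
    print(url, "|", reason, "| acceptable:", is_acceptable_update_site(url, ["updates.example.com"]))
```

The point of the model is the fallback: when the policy key is absent for either of the two reasons listed, the client quietly uses whatever adminUpdatePolicyURL says, so both the stpolicy.nsf key and the preferences.ini shipped with the client deserve the same change control as the update site itself.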

Writing custom messages for clients
You can write custom messages to appear when a user logs in, under "Welcome to Sametime" or in the "New contact" screen. These messages can be created with Eclipse plug-in programs.

Before you begin
You can create a branding plug-in that shows a custom message in the user’s "New contact" screen or in the login screen. For example, when you are creating a message for the new contact screen, if you connect a particular community to a public instant messaging network, you may want to tell the users which community to use to add a contact from that public network. This branding feature accepts text only. For information on using a wizard to create plug-ins, see the Eclipse documentation: http://help.eclipse.org/help32/topic/org.eclipse.pde.doc.user/guide/tools/project_wizards/new_project_wizards.htm.
Note: Before you can build plug-ins, you must install:
• the Sametime software development kit
• Eclipse IDE (integrated development environment) version 3.2
• the JCL Desktop custom run time environment for Windows and Linux
• the Eclipse J9 JDT launching plug-in for Windows and Linux
• a standard Java Runtime Environment (1.4.2 or higher version)
• Windows XP, Linux, or Mac operating system supported by Sametime 7.5 or later

For comprehensive information on setting up the integrated development environment, and building and providing plug-ins to clients, see the IBM Redbooks® publications at http://www.redbooks.ibm.com/abstracts/sg247346.html.

About this task
The plug-in you create this way is pushed to the client just as Sametime updates are pushed. See the following examples for a template. This is a sample branding plug-in (plugin.xml):
<plugin>
   <extension id="com.ibm.collaboration.realtime.notes.branding"
              point="com.ibm.collaboration.realtime.ui.stbranding">
      <stbranding id="mypackage.messages" name="Custom Sametime Messages">
         <messages class="mypackage.Messages"/>
      </stbranding>
   </extension>
</plugin>

Below is a sample Messages.java (the class named by the messages element above; the static field names must match the keys in messages.properties):
package mypackage;

import org.eclipse.osgi.util.NLS;

public class Messages extends NLS {
    // Resource bundle name; NLS resolves it to messages.properties on the plug-in classpath
    private static final String BUNDLE_NAME = "messages"; //$NON-NLS-1$

    // Login dialog message
    public static String com_ibm_collaboration_realtime_login_strings_messages$enter_credentials_for;

    // Add Contacts dialog message for single community
    public static String com_ibm_collaboration_realtime_imhub_strings_messages$singleCommunityDefMsgArea;

    // Add Contacts dialog message for multiple communities
    public static String com_ibm_collaboration_realtime_imhub_strings_messages$multiCommunityDefMsgArea;

    static {
        // Populate the static String fields from the bundle at class load time
        NLS.initializeMessages(BUNDLE_NAME, Messages.class);
    }
}

Below is a sample resource bundle, messages.properties:
com_ibm_collaboration_realtime_login_strings_messages$enter_credentials_for=Customize me: Please enter your user name and password for the default Sametime community.
com_ibm_collaboration_realtime_imhub_strings_messages$singleCommunityDefMsgArea=Customize me: Add a new contact by entering a name below.
com_ibm_collaboration_realtime_imhub_strings_messages$multiCommunityDefMsgArea=Customize me: Add a new contact by selecting the community where the contact exists. Enter the user's name (or e-mail address if adding an external contact.)

What to do next
After you have created the plug-in by following these examples, provision the messages to the Sametime clients.

Creating an update site for plug-in access
If you want to provide additional IBM Lotus Sametime plug-ins for your users, you can create an update site by using tools available from Eclipse.org. Users can use the site to update features or to get new features for their Instant Messaging component.
Creating an update site
You can create an update site using the wizard at http://www.eclipse.org. To start the wizard:
1. Choose File > New Project.
2. In the New Project wizard, choose Plug-in development > Update site project. The new update site wizard appears.
3. In Project name, name your site.
4. In Location, use the format HTTP_DOC_Root\myupdatesite.
5. De-select Use default location.
6. Select Generate a web page listing all available features within the site.
7. Click Finish.
8. In the site.xml page, in Category Properties, create the name and label for the category. The label appears on the page as a feature for the user to select.
9. In the Feature selection dialog box, add the feature you want to provide to users.
10. Select the Build All button to build the feature and the feature’s required plug-in.
User downloads
If you want to manually provision the plug-in, make sure that the policy Allow user to install plug-ins is assigned to the user. To deploy the plug-in to a larger audience, you can use a software distribution system or a Sametime update site. For more information on using Sametime update sites, see Methods of pushing down Sametime 7.5.x & 8.0 client updates.
In Lotus Sametime Connect, the user can select the feature from the Lotus Sametime Connect client.
1. Choose Tools → Plug-ins → Install Plug-ins.
2. Select Search for new features to install, and then click Next.
3. Select the site to include in the search and click Finish.
4. In the Search Results, select the features to install and click Next.
5. In the next window, click Finish to install. Verify by clicking Install.
6. Restart the client.
Update existing features
If Automatic Updates are selected in the Connect Client, the user receives a dialog box that states that new updates are available, and asks the user if he or she wants to install them now. The user can select Yes or No.

Turning off case sensitivity in the Lotus Sametime Connect client
If you turn off case sensitivity in the IBM Lotus Sametime Community server, IBM recommends that you also turn off case sensitivity in the Lotus Sametime client.

Before you begin
Before you begin, turn off case sensitivity in the IBM Lotus Sametime Community server and restart the server.

About this task
You turn off case sensitivity for Lotus Sametime clients by editing the plugin_customization.ini file. For more information on configuring user preferences see the following Technote: http://www-01.ibm.com/support/docview.wss?rs=477&uid=swg21306943
1. Back up the sametime client program directory\plugin_customization.ini.
2. Modify the plugin_customization.ini file, by updating the following line:
com.ibm.collaboration.realtime.people/isCaseInsensitive=true

3. Save and close the configuration file.
4. Restart the client.

Related tasks
“Turning off case sensitivity on the Lotus Sametime Community Server” on page 26
You must turn off case sensitivity on the IBM Lotus Sametime Community Server to allow awareness in IBM Lotus iNotes and WebSphere applications.

Basic Sametime Connect client connection process
This topic discusses the basic connection processes of the IBM Lotus Sametime Connect client. The Lotus Sametime Connect client connects to the Community Services on the Lotus Sametime Community Server. Community Services supports all Sametime presence and chat capabilities.

Settings that affect the connection process
The Sametime Connect client connection process is controlled by two groups of settings: the Lotus Sametime Connect client Sametime Connectivity settings (available on the client) and the Community Services Network settings (available on the server).
• The Sametime Connect client Sametime Connectivity settings are available from the File → Preferences → Communities command in the Sametime Connect client. The Sametime Connectivity settings enable the Sametime Connect client to make a direct TCP/IP connection or a direct HTTP-tunneled connection to the Community Services. The Sametime Connectivity settings also enable Sametime Connect clients that access the Internet or intranet through HTTP, HTTPS, or SOCKS proxy servers to connect to the Community Services. Sametime Connect uses the port specified in the Community port setting of the Sametime Connectivity settings when attempting connections to the Community Services.
• The Community Services Network settings are available from the Sametime Servers → Sametime Community Servers → deployment_name → Connectivity settings of the Sametime System Console. The settings include the Client connections, the HTTPS client connections, and the HTTP tunneled client connections. These server-side settings control the IP addresses or DNS names and the ports on which the Sametime server Community Services multiplexer listens for Sametime Connect client connections.

Connection process
The basic connection process of the Sametime Connect client is described below. The connection process depends on the Connection, Proxy type, and Port settings that are selected in the Sametime Connect client Sametime Connectivity settings.
1. The user starts the Sametime Connect client.
2. The Sametime Connect client examines the values in the Host field and the Community Port field (default 1533) of the Sametime Connect client’s Sametime Connectivity settings. The Sametime Connect client uses the Host and Community Port values to determine the host name and port it should use when attempting a connection to the Sametime server.


Note: For the most efficient connectivity, the Host field of the Sametime Connect client Sametime Connectivity settings and the "Sametime server" field of a user’s Person document should specify the same Sametime server (the user’s home Sametime server).
3. The Sametime Connect client uses the Connection setting in its Sametime Connectivity settings to determine how to make the connection to the host machine specified in the Sametime Connectivity settings. The possible Connection settings are:
• Use my Internet Explorer HTTP settings
• Direct connection
• Direct connection using TLS
• Direct connection using HTTP protocol
• Use proxy

Use my Internet Explorer HTTP settings - The connection process that occurs when this setting is selected is described in a separate section. For more information about these connection processes, see “Sametime Connect for the desktop: "Use my Internet Explorer HTTP settings"” on page 105.

Direct connection - Select this setting if the Sametime Connect client can make a direct TCP/IP connection to the Sametime server. Generally, this setting is used when the connection does not occur through a proxy server, and the network does not block TCP/IP connections on the port used by the Sametime Connect client. When this setting is selected, the Sametime Connect client attempts a connection to the Community Services multiplexer on the Sametime server using a unique Sametime protocol over TCP/IP. The client attempts this connection on the "Community port" (default port 1533) specified in the Sametime Connect client Sametime Connectivity settings. The Community Services on the Sametime server listen for direct Sametime protocol over TCP/IP connections on the host name and port specified in the Community Services Network-Address for client connections-Host name and Port settings. By default, the Community Services listen for this connection on port 1533.
For this connection to succeed, the port setting specified in the Sametime Connect client’s Sametime Connectivity settings must match one of the ports specified in the Client connections → Port number setting on the Sametime server. (By default, both of these settings specify port 1533.) This connection can fail if the connection must pass through a proxy server or network that prevents direct TCP/IP connections on port 1533 (or other port specified in both the Sametime Connectivity settings of the Sametime Connect client and the Client connections → Port number setting in the Sametime System Console).

Direct connection using TLS - Select this option if you want to connect to a FIPS proxy.

Direct connection using HTTP protocol - Select this option if you want the Sametime Connect client to use HTTP to establish a connection with the Community Services, but you do not want this connection to occur through an HTTP proxy server. When this setting is selected, the client encases the standard Sametime protocol connection information within an HTTP request. The Sametime Connect client then attempts to establish an HTTP connection directly with the Community Services multiplexer on the Sametime server. The Sametime Connect client attempts this connection on the "Community port" specified in its Sametime Connectivity settings. The Community Services multiplexer can listen for HTTP-tunneled connections on multiple ports. The Community Services multiplexer listens for HTTP-tunneled connections on the host name and port specified in the Community Services for client connections-Host name and Port settings of the Sametime System Console and the host name and port specified in the Community Services for HTTP tunneled client connections-Host name and Port number settings of the Sametime System Console.
Note: If the administrator allows HTTP tunneling on port 80 during the Sametime server installation, the Community Services multiplexer listens for HTTP-tunneled connections on port 80 by default on the Community Services → HTTP tunneled client connections → Port number. In this scenario, the Community Services multiplexer also listens for HTTP-tunneled connections on port 1533 (specified in Community Services → Client connections → Port number).
This setting is used most frequently to enable Sametime Connect clients that operate behind restrictive firewalls without HTTP proxy servers to connect to a Sametime server available to Internet users. The Direct connection using HTTP protocol connectivity option is intended primarily to support the HTTP tunneling on port 80 functionality available with the Sametime server. If a Sametime Connect client operates behind a firewall that allows only HTTP connections on port 80 and the client’s firewall or network environment does not include an HTTP proxy server, select the Direct connection using HTTP protocol setting and change the Community port setting in the Sametime Connect client’s Sametime Connectivity settings from the default of 1533 to port 80.
The administrator must also ensure that the Port number setting under HTTP tunneled client connections in the Community Services settings specified in the Sametime System Console also specifies port 80. Such a configuration should enable a Sametime Connect client operating behind a restrictive firewall to establish a connection with an Internet Sametime server using HTTP tunneling over port 80.

Use proxy - Selecting this option enables the Sametime Connect client to connect through a SOCKS, HTTP, or HTTPS proxy server when establishing a connection to the Community Services. After selecting the Use proxy connection type, select the appropriate Proxy type in the Sametime Connect client Sametime Connectivity options:
• Use SOCKS4 proxy
• Use SOCKS5 proxy
• Use reverse proxy
• Use HTTP proxy
Note: You can also select Use my Internet Explorer HTTP settings to establish connections through HTTP and SOCKS proxy servers.

Use SOCKS4 proxy and Use SOCKS5 proxy - If the Sametime Connect client connects to a SOCKS proxy server to access the Internet or intranet, you must select the appropriate SOCKS proxy option (either Use SOCKS4 proxy or Use SOCKS5 proxy) as the Proxy type in the Sametime Connect client’s Sametime Connectivity settings.

If you select Use SOCKS4 proxy or Use SOCKS5 proxy, you must also specify the Host name (DNS name or IP address) of the SOCKS proxy server and the port required to connect to the SOCKS proxy server in the Proxy server options of the Sametime Connect client’s Sametime Connectivity settings. For SOCKS5 proxies, you must also specify the user name and password required for SOCKS5 authentication.
Sametime Connect connects to the SOCKS proxy, and the proxy server connects to the Community Services on the Sametime server on behalf of the Sametime Connect client. The client uses the standard Sametime protocol over TCP/IP for this connection. The connection from the SOCKS proxy to the Community Services occurs on the "Community port" (default 1533) specified in the Sametime Connect client Sametime Connectivity settings.
The Resolve server name locally setting determines whether the Sametime server host name is resolved by the Sametime Connect client or by the SOCKS4 or SOCKS5 proxy server. When the Resolve server name locally setting is selected, the Sametime Connect client calls a local DNS server to resolve the Sametime server name. The Sametime Connect client passes the IP address to the SOCKS proxy; the SOCKS proxy does not resolve the IP address. When Resolve server name locally is not selected, Sametime Connect does not resolve the DNS name of the Sametime server. Sametime Connect passes the DNS name of the Sametime server to the SOCKS proxy, and the SOCKS proxy server calls a DNS server to resolve the server name. Some organizations do not allow their internal DNS servers to resolve the names of external servers for security reasons. If the DNS server is configured in this way, users should clear the check mark from the Resolve server name locally field. The SOCKS proxy then resolves the external server name by calling a different DNS server (one that is not available on the internal network).
For a connection through a SOCKS proxy to succeed, the port specified in the Community port field of the Sametime Connect client’s Sametime Connectivity settings must match one of the ports listed in the Community Services Network-Address for client connections-Port number setting in the Sametime Administration Tool or one of the ports specified in the Community Services Network-Address for HTTP tunneled client connections-Host name and Port number setting in the Sametime Administration Tool.

Use reverse proxy - If the Sametime client connects to a Sametime server over the Internet through a reverse proxy server, you can select Use reverse proxy as the Proxy type in the Sametime Connect client’s Sametime Connectivity settings. The reverse proxy server protects internal HTTP servers by providing a single point of access to the internal network. If Use reverse proxy is selected as the Proxy type, you must also specify the following settings:
• The URL of the reverse proxy server. The client uses this URL to access the reverse proxy server. The reverse proxy server handles requests from the client and redirects the request to the Sametime server.
• The User name and Password for authenticating with the reverse proxy server.
For information about using reverse proxy servers with Sametime servers, see the following topics:
• Configuring mapping rules on a reverse proxy server to support Sametime
• Configuring a Sametime server to operate with a reverse proxy server


Use HTTP proxy - If the Sametime Connect client connects to an HTTP proxy to access the Internet or intranet, you can select Use HTTP proxy as the Proxy type in the Sametime Connect client’s Sametime Connectivity settings. If Use HTTP proxy is selected as the Proxy type, you must also specify the Host name (DNS name or IP address) of the HTTP proxy server and the port required to connect to the HTTP proxy server in the Proxy server options of the Sametime Connect client Sametime Connectivity settings.
Note: If the HTTP proxy server requires authentication, the user name and password required for authentication to the HTTP proxy server must also be entered in the Proxy server options of the Sametime Connect client’s Sametime Connectivity settings.
When Use HTTP proxy is selected, the client encases the standard Sametime protocol connection information within an HTTP request. Sametime Connect connects to the HTTP proxy, and the HTTP proxy server connects to the Community Services multiplexer on the Sametime server on behalf of the Sametime Connect client. The HTTP connection to the Community Services multiplexer occurs on the "Community port" (default 1533) specified in the Sametime Connect client Sametime Connectivity settings. The Community Services multiplexer on the Sametime server listens for HTTP connections on all ports specified in the Port number field under Client connections in the Community Services settings of the Sametime System Console and under HTTP tunneled client connections in the Community Services settings of the Sametime System Console. For this connection to succeed, the port specified as the Community port setting in the Sametime Connect client’s Sametime Connectivity settings must match a port number specified in one of these settings in the Sametime System Console:
• The Port number field under Client connections in the Community Services settings of the Sametime System Console.
• The Port number field under HTTP tunneled client connections in the Community Services settings of the Sametime System Console.
Note: If the administrator allows HTTP tunneling on port 80 during the Sametime server installation, the Community Services → Client connections → Port number setting defaults to port 1533, and the Community Services → HTTP tunneled client connections → Port number settings are ports 80 and 8082. In this configuration, the Sametime Connect client can complete an HTTP-tunneled connection to the Community Services multiplexer using port 1533, 80, or 8082.

Sametime Connect for the desktop: ″Use my Internet Explorer HTTP settings″
IBM Lotus Sametime Connect for the desktop follows this connection process when the Use my Internet Explorer HTTP settings connectivity option is selected. When the Sametime Connectivity → Use my Internet Explorer HTTP settings option is selected, Sametime Connect for the desktop uses the proxy connectivity settings defined in the user’s Internet Explorer Web browser to attempt an HTTP-tunneled connection to the Sametime server. The connection process is as follows:
1. The Sametime Connect client uses the Web connectivity (or proxy) settings of the Web browser to establish a connection with the Community Services as noted in the remaining steps.
2. The Sametime Connect client encases the standard Sametime protocol data within an HTTP request and attempts to connect to the Community Services multiplexer using HTTP. Encasing this connection protocol data within an HTTP request is called "HTTP-tunneling."
3. Sametime Connect examines the Internet Explorer Web browser connectivity settings to attempt the HTTP-tunneled connection to the Community Services multiplexer. If the Web browser settings:
• Do not specify a proxy server - The HTTP request is sent directly to the Community Services multiplexer on the Sametime server. This connection is called a "direct HTTP connection."
• Specify a SOCKS proxy server - The HTTP request is sent to the Community Services multiplexer through the SOCKS proxy server.
• Specify an HTTP proxy server - The HTTP request is sent to the Community Services multiplexer through the HTTP proxy server.
For the HTTP-tunneled connection to succeed, the following requirements must be satisfied:
• The Sametime Connect client’s Sametime Connectivity → Community port setting must match a port number specified in one of these Community Services Network settings in the Sametime Administration Tool:
– Address for client connections → Port number
– Address for HTTP tunneled client connections → Port number
• All networks between the Sametime Connect client and the Sametime server must allow HTTP connections on the port specified as the Community port in the Sametime Connect client.
• The IP address or DNS name specified in the Host setting in the Sametime Connect client’s Sametime Connectivity settings must correspond to any IP address or DNS name specified in the Community Services Network → Address for HTTP tunneled client connections → Host name field. If this field is blank, then it can correspond to any IP address or DNS name assigned to the Sametime server instead.
Note: The Community Services Network → Network and Ports → Enable Web client to try HTTP tunneling after trying other options setting must be enabled for the connection to succeed using the port specified in the Community Services Network → Address for HTTP tunneled client connections field.
4. If the HTTP-tunneled connection does not succeed, Sametime Connect for the desktop displays an error message.

Client connections over HTTP tunneling
This topic discusses issues that affect clients who access IBM Lotus Sametime using HTTP-tunneled connections. Administrators should be aware of the following issues concerning clients that connect to the Sametime server using HTTP-tunneled connections. These issues apply regardless of whether the server uses a single IP address or multiple IP addresses to support the HTTP-tunneling functionality.

• Clients that do not operate behind restrictive firewalls can still make direct TCP/IP connections. Direct TCP/IP connections operate more efficiently than HTTP-tunneled connections, and clients automatically attempt these connections before attempting HTTP-tunneled connections. Only clients that cannot establish direct TCP/IP connections will attempt the HTTP-tunneled connection.


Lotus Sametime: Installation and Administration Guide Part 2

• A Sametime Connect client that operates behind a firewall that only allows outbound connections on port 80 can connect to the Community Services using HTTP over port 80. The following configurations are required in the Sametime Connect client Sametime Connectivity settings for the connection to succeed:
  – Change the Community port setting to port 80.
  – If the client does not access the Internet through an HTTP proxy, select Direct connection using HTTP protocol for the Connection type.
  – If the client accesses the Internet through an HTTP proxy server, select Use proxy as the Connection type. For proxy type, select Use HTTP proxy and specify the DNS name or IP address of the HTTP proxy and the port on which to connect to the proxy.

  Note: You can also select Use my Internet Explorer HTTP settings to establish connections to the Community Services through HTTP tunneling on port 80. If you select this setting, you must also ensure that the Community port setting in the Sametime Connectivity settings is set to port 80.

  Note: If the HTTP port is changed manually, the port must also be changed in the stconvservices.properties file. This is a limitation: the server does not read the port from the Server document.

Configuring Lotus Sametime for mobile users
Configure IBM Lotus Sametime with Lotus Sametime Mobile to provide connectivity for users with supported mobile devices.

About this task
Configuring Lotus Sametime for mobile users involves the following tasks:

Configuring the Lotus Domino server for Lotus Sametime Mobile support
To enable support for IBM Lotus Sametime Mobile on the IBM Lotus Domino server, you need to create a Web Site Rule document in the Domino Directory and establish a URL redirection.

About this task
Complete the following steps to enable support for Lotus Sametime Mobile on the Lotus Domino server.

1. Create a Web Site Rule document in the Domino Directory and establish a URL redirection. The URL redirection enables users to download the Lotus Sametime Mobile application to their mobile devices using the simplified URL http://yoursametimeserver.yourcompany.com/mobile.
   a. In the Domino Directory, open the Server document for the Lotus Domino server that hosts the Lotus Sametime Community server.
   b. Click the Create Web - URL Mapping/Redirection button.
   c. In the Basics tab, select URL → Redirection URL.
   d. Click the Mapping tab and enter the following information:
      • In the Incoming URL path field, enter /mobile/* .
      • In the Redirection URL string field, enter stcenter.nsf/WebMobileDownloads?OpenView .

   e. Click Save & Close.
2. Configure MIME type support on the Lotus Domino server.
   a. With a text editor, open the file httpd.cnf, located in the Domino data directory.
   b. Add the following lines to the file at the end of the section ″other application formats″ but before the section ″Fallback MIME types″:

      AddType .jad text/vnd.sun.j2me.app-descriptor
      AddType .jar application/java-archive
      AddType .alx application/octet-stream
      AddType .cod application/octet-stream
      AddType .sisx application/octet-stream
      AddType .cab application/vnd.ms-cab-compressed
      AddType .cfg text/Sametime

   c. Save and close the modified file.
3. Restart the HTTP task on the server.
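The httpd.cnf edit in step 2 is easy to get wrong by hand: an entry placed after the fallback section is shadowed by the catch-all type, and a second run of the same paste duplicates lines. The following script is an added example, not part of Lotus Sametime or Domino; it inserts the seven AddType lines from step 2b before the fallback section, skips extensions that already have an entry, and then verifies the result. It assumes that the two section names quoted in the guide appear in httpd.cnf as comment lines; the sample configuration embedded below is constructed for the example.

```python
"""Add the Sametime Mobile MIME types to a Domino httpd.cnf and verify them.

Added example (not IBM code). Assumption: the sections the guide calls
"other application formats" and "Fallback MIME types" are comment lines in
httpd.cnf; the new entries go immediately before the fallback comment.
"""
import re

# The seven entries listed in step 2b of the guide (extension, MIME type).
SAMETIME_MOBILE_TYPES = [
    (".jad", "text/vnd.sun.j2me.app-descriptor"),
    (".jar", "application/java-archive"),
    (".alx", "application/octet-stream"),
    (".cod", "application/octet-stream"),
    (".sisx", "application/octet-stream"),
    (".cab", "application/vnd.ms-cab-compressed"),
    (".cfg", "text/Sametime"),
]

FALLBACK_MARKER = "fallback mime types"  # matched case-insensitively in a comment line
ADDTYPE_RE = re.compile(r"^\s*AddType\s+(\S+)\s+(\S+)", re.IGNORECASE)

# Constructed sample of the relevant part of httpd.cnf: .jar is already present
# with the correct type, .cod is present with a different (wrong) type.
SAMPLE_HTTPD_CNF = """\
# other application formats
AddType .pdf application/pdf binary 1.0
AddType .jar application/java-archive
AddType .cod text/plain

# Fallback MIME types
AddType *.* application/octet-stream binary 1.0
"""


def addtype_entries(lines):
    """Map each AddType extension (lower-cased) to the MIME types declared for it."""
    found = {}
    for line in lines:
        m = ADDTYPE_RE.match(line)
        if m:
            found.setdefault(m.group(1).lower(), []).append(m.group(2))
    return found


def patch_httpd_cnf(text):
    """Return the config with missing Sametime Mobile AddType lines inserted
    before the fallback section. Extensions that already have an entry are
    left untouched (verify_httpd_cnf reports them), so a second run changes nothing."""
    lines = text.splitlines()
    marker = next((i for i, line in enumerate(lines)
                   if line.lstrip().startswith("#") and FALLBACK_MARKER in line.lower()), None)
    if marker is None:
        # Refuse to guess: an AddType placed after the *.* fallback is shadowed by it.
        raise ValueError("httpd.cnf has no 'Fallback MIME types' section")
    present = addtype_entries(lines)
    additions = [f"AddType {ext} {mime}" for ext, mime in SAMETIME_MOBILE_TYPES
                 if ext not in present]
    insert_at = marker
    while insert_at > 0 and lines[insert_at - 1].strip() == "":
        insert_at -= 1  # keep the additions attached to the preceding section
    return "\n".join(lines[:insert_at] + additions + lines[insert_at:]) + "\n"


def verify_httpd_cnf(text):
    """Return a list of problems; empty means every required entry is present
    exactly once with the MIME type the guide specifies."""
    present = addtype_entries(text.splitlines())
    problems = []
    for ext, mime in SAMETIME_MOBILE_TYPES:
        types = present.get(ext, [])
        if not types:
            problems.append(f"{ext}: missing")
        elif len(types) > 1:
            problems.append(f"{ext}: declared {len(types)} times")
        elif types[0].lower() != mime.lower():
            problems.append(f"{ext}: has {types[0]}, expected {mime}")
    return problems


if __name__ == "__main__":
    patched = patch_httpd_cnf(SAMPLE_HTTPD_CNF)
    print(patched)
    print("problems:", verify_httpd_cnf(patched))
```

Run the verifier after step 3 as well: the HTTP task only picks up the file on restart, so a mismatch reported here (such as the constructed `.cod text/plain` entry, which the patcher deliberately does not overwrite) explains why a device download would still be served with the wrong type.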

What to do next
After these steps are completed, the Lotus Sametime Community server can be used with the Sametime Mobile client; however, before allowing users to download Lotus Sametime Mobile, you should provision the client with appropriate server details. This simplifies the user experience and prevents the user from entering incorrect connectivity details.

Configuring Sametime Mobile for client downloads
Configure IBM Lotus Sametime Mobile support on an IBM Lotus Sametime Community server.

Before you begin
These instructions assume that you do not use the IBM Lotus Sametime Enterprise Meeting Server in your Sametime deployment. If you use the Enterprise Meeting Server, proceed to the topic, Configuring Sametime Mobile for client downloads in the Sametime Enterprise Server Meeting help, instead. Note: Sametime Mobile does not support meeting features.

About this task
Sametime provides three options for connecting mobile devices to the Lotus Sametime Community server:

• Connect with a Virtual Private Network (VPN) such as IBM Lotus Mobile Connect or RIM BlackBerry Enterprise Server Mobile Data Services (MDS). This connection model provides end-to-end connectivity from the device into the corporate intranet, allowing applications to access intranet resources securely. Sametime Mobile accesses the server, and the intranet, in the same manner as any other application installed on the device. This is typically the most flexible approach because it allows the client to use a variety of applications that may be hosted on the corporate intranet.
• Connect with an authenticating HTTP proxy, such as IBM HTTP Server or Apache HTTP Server. The Sametime Mobile client supports connecting through a standard Web proxy that issues HTTP 401 or 407 challenge requests with HTML Form Basic Authentication (Digest is not supported at this time). The reverse proxy server must use cookies for authentication. This setup typically places the HTTP proxy in the demilitarized zone (DMZ) of the network, with port 80 opened to the Internet and another port opened from the proxy to the back end application. For more information on configuring IBM HTTP Server as an authenticating proxy, see the IBM WebSphere information center at http://publib.boulder.ibm.com/infocenter/wasinfo/v7r0//topic/com.ibm.websphere.base.doc/info/aes/ae/tsec_trust.html. It is recommended that the server be configured with a valid SSL certificate obtained from a trusted and well-known supplier; mobile devices support a variety of root certificates, and most reputable certificate providers function with these devices (self-signed SSL certificates are typically not usable with mobile devices). In addition, most mobile devices must have their time and date set properly to work with SSL-secured servers.
• Connect with a direct connection from the client to the server. By default, Sametime Mobile clients communicate with the Lotus Sametime Community server over port 8082, using the Sametime Links protocol and 128-bit encryption. Sametime Links is also accessible over the standard Sametime client port of 1533, and optionally port 80 if HTTP Tunneling is enabled. Appropriate firewall rules should be enabled to allow traffic to pass through on the selected port.

Follow the instructions below to configure Sametime Mobile for client downloads.

1. Start the Lotus Sametime Community server and log in.
2. Fill in configuration information for the mobile devices supported in your environment by completing the following steps:
   a. Click Administer the server.
   b. Expand Configuration and under it, click Sametime Mobile. The Configuration - Sametime Mobile page displays a link for each supported mobile device.
   c. Click the link that represents a device you want to configure.
   d. Enter the appropriate configuration information for your device. The devices supported with the current release of Lotus Sametime Mobile are listed below this topic; refer to the appropriate device for additional configuration details.
   e. Click Update to save your changes.
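The second option above depends on the exact shape of the challenge the proxy issues: a reverse proxy answers 401 with WWW-Authenticate and expects Authorization back, a forward proxy answers 407 with Proxy-Authenticate and expects Proxy-Authorization, and in both cases the guide requires that the proxy then carry the session in a cookie. The model below is an added example, not IBM HTTP Server or Sametime Mobile code: it plays both sides of that exchange in memory so an administrator can see which status, header and cookie each step produces before pointing a device at a real proxy. The credential table, the cookie name stproxy and the request path are constructed for the example; only Basic credentials are accepted, matching the guide's note that Digest is not supported.

```python
"""Challenge/response exchange between a mobile client and an authenticating
HTTP proxy, modelled in memory. Added example, not IBM or Sametime code.
Assumptions: Basic credentials only, a constructed user table, and a session
cookie named 'stproxy' (name chosen for this example)."""
import base64
import hashlib
import hmac
import secrets

_SALT = b"constructed-salt"  # constructed; a real store would salt per user
USERS = {"mobileuser": hashlib.sha256(_SALT + b"correct horse").hexdigest()}
COOKIE_NAME = "stproxy"


class AuthenticatingProxy:
    """forward_proxy=False models a reverse proxy (401), True a forward proxy (407)."""

    def __init__(self, forward_proxy):
        self.forward_proxy = forward_proxy
        self.sessions = {}  # cookie value -> authenticated user

    def _challenge(self):
        status = 407 if self.forward_proxy else 401
        header = "Proxy-Authenticate" if self.forward_proxy else "WWW-Authenticate"
        return {"status": status, "headers": {header: 'Basic realm="Sametime"'}}

    def _check_basic(self, value):
        """Return the user name if 'Basic <base64(user:password)>' is valid, else None."""
        if not value or not value.startswith("Basic "):
            return None
        try:
            user, _, password = base64.b64decode(value[6:]).decode("utf-8").partition(":")
        except ValueError:  # bad base64 or non-UTF-8 payload
            return None
        digest = hashlib.sha256(_SALT + password.encode("utf-8")).hexdigest()
        # Compare against a digest of fixed length so unknown users take the same time.
        expected = USERS.get(user, hashlib.sha256(b"").hexdigest())
        if user in USERS and hmac.compare_digest(digest, expected):
            return user
        return None

    def handle(self, request):
        """request = {'path': str, 'headers': dict}; returns a response dict."""
        headers = request.get("headers", {})
        # 1. A valid session cookie is accepted without credentials being re-sent.
        for part in headers.get("Cookie", "").split(";"):
            name, _, value = part.strip().partition("=")
            if name == COOKIE_NAME and value in self.sessions:
                return {"status": 200, "headers": {}, "user": self.sessions[value]}
        # 2. Otherwise credentials must arrive in the header that matches the proxy type.
        auth_header = "Proxy-Authorization" if self.forward_proxy else "Authorization"
        user = self._check_basic(headers.get(auth_header))
        if user is None:
            return self._challenge()
        token = secrets.token_hex(16)
        self.sessions[token] = user
        return {"status": 200, "user": user,
                "headers": {"Set-Cookie": f"{COOKIE_NAME}={token}; Secure; HttpOnly"}}


def mobile_client_login(proxy, user, password, path="/stlinks"):
    """Client side: request, answer whichever challenge comes back, then reuse the cookie.
    Returns the status codes seen, in order."""
    statuses = []
    resp = proxy.handle({"path": path, "headers": {}})
    statuses.append(resp["status"])
    if resp["status"] in (401, 407):
        header = "Proxy-Authorization" if resp["status"] == 407 else "Authorization"
        creds = base64.b64encode(f"{user}:{password}".encode("utf-8")).decode("ascii")
        resp = proxy.handle({"path": path, "headers": {header: "Basic " + creds}})
        statuses.append(resp["status"])
    cookie = resp.get("headers", {}).get("Set-Cookie", "").split(";")[0]
    if cookie:  # third request carries only the cookie, as the guide requires
        resp = proxy.handle({"path": path, "headers": {"Cookie": cookie}})
        statuses.append(resp["status"])
    return statuses


if __name__ == "__main__":
    print("forward proxy:", mobile_client_login(AuthenticatingProxy(True), "mobileuser", "correct horse"))
    print("reverse proxy:", mobile_client_login(AuthenticatingProxy(False), "mobileuser", "correct horse"))
    print("bad password:", mobile_client_login(AuthenticatingProxy(False), "mobileuser", "wrong"))
```

A successful login through either proxy type produces three requests (challenge, credentials, cookie); a wrong password stops at the second challenge and no cookie is ever issued. Because Basic credentials are only base64-encoded, the exchange above is only safe under the SSL certificate the guide recommends for the proxy.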

What to do next
The following mobile devices are supported with this release of Lotus Sametime Mobile:

Microsoft Windows Mobile 5 and 6
Configure IBM Lotus Sametime Mobile support for Microsoft Windows Mobile 5 and Microsoft Windows Mobile 6 devices. These configuration steps provision information for users of the following mobile devices. These steps are optional but highly recommended. These settings affect both the Windows Mobile MIDP client and the new Unified Communications and Collaboration (UCC) Windows Mobile client.

• Microsoft Windows Mobile 6 Standard
• Microsoft Windows Mobile 6 Professional
• Microsoft Windows Mobile 5 Pocket PC
• Microsoft Windows Mobile 5 Smartphone

Hint for user’s first time login
   Enter a user name suffix, for example an e-mail suffix such as @acme.com. During login, the User name field displays this suffix as a default value, so that users need only add their names before the suffix.

Sametime server name
   Enter the fully qualified host name of the Lotus Sametime Community server that mobile devices will connect to by default; for example, sametime.acme.com.

Port
   Enter the default port used to connect to the specified Lotus Sametime Community server.

Proxy connection
   Select this setting if mobile users will connect to the Lotus Sametime Community server through a proxy server. If you enable a proxy connection, you must enter a valid proxy URL in the field that follows.

Proxy URL
   Enter the URL for the proxy server that will connect Sametime Mobile users to the Lotus Sametime Community server.

Use Sametime Connect user ID and password
   Select this option if you want Sametime Mobile users to connect to the Lotus Sametime Community server with their IBM Lotus Sametime Connect user name and password.

Nokia Eseries
Configure IBM Lotus Sametime Mobile support for Nokia Eseries devices. The following configuration steps provision information for users of Nokia Eseries mobile devices. These steps are optional but highly recommended.

Hint for user’s first time login
   Enter a user name suffix, for example an e-mail suffix such as @acme.com. During login, the User name field displays this suffix as a default value, so that users need only add their names before the suffix.

Sametime server name
   Enter the fully qualified host name of the Lotus Sametime Community server that mobile devices will connect to by default; for example, sametime.acme.com.

Port
   Enter the default port used to connect to the specified Lotus Sametime Community server.

Proxy connection
   Select this setting if mobile users will connect to the Lotus Sametime Community server through a proxy server. If you enable a proxy connection, you must enter a valid proxy URL in the field that follows.

Proxy URL
   Enter the URL for the proxy server that will connect Sametime Mobile users to the Lotus Sametime Community server.

Use Sametime Connect user ID and password
   Select this option if you want Sametime Mobile users to connect to the Sametime server with their IBM Lotus Sametime Connect user name and password.


RIM BlackBerry 9000 and 9530 Series
Configure IBM Lotus Sametime Mobile support for RIM BlackBerry 9000 and 9530 Series devices. The following configuration steps provision information for users of RIM BlackBerry 9000 and 9530 Series mobile devices. A BES server is currently required to provision these settings through the BES IT Policy. These steps are optional but highly recommended.

Hint for user’s first time login
   Enter a user name suffix, for example an e-mail suffix such as @acme.com. During login, the User name field displays this suffix as a default value, so that users need only add their names before the suffix.

Sametime server name
   Enter the fully qualified host name of the Lotus Sametime Community server that mobile devices will connect to by default; for example, sametime.acme.com.

Specify the connection
   Select one of the following connection types:
   • BES MDS Connection Service: Select this setting to establish a connection using the BlackBerry Enterprise Server. If you use a BES connection, you must set up automatic provisioning using the Automate provisioning of devices with BES setting described below.
   • Direct connection: Select this setting to establish a direct connection using the HTTP port.
   • Proxy connection: Select this setting if mobile users will connect to the Lotus Sametime Community server through a proxy server. If you enable a proxy connection, you must enter a valid proxy URL in the field that follows:
     – Proxy URL: Enter the URL for the proxy server that will connect Sametime Mobile users to the Lotus Sametime Community server.
     – Use Sametime Connect user ID and password: Select this option if you want Sametime Mobile users to connect to the Lotus Sametime Community server with their IBM Lotus Sametime Connect user name and password instead of using the device’s proxy user name and password.

Automate provisioning of devices with BES
   A BlackBerry Enterprise Server (BES) is required to provision the Sametime Mobile client with this information. Follow the on-screen instructions to generate an IT Policy string and copy it to the BES server. The BES documentation provides further information on generating a custom ″IT Policy Rule″ named ″SametimeMobile″ with a ″Multiline String″ value copied from this text field. If a BES server is not being used, the BlackBerry client is still fully functional, but each user will need to configure the appropriate information for server name, proxy, ports, and so on.

Sony Ericsson M600/P900/P1i Series
Configure IBM Lotus Sametime Mobile support for Sony Ericsson M600, P900, and P1i devices. The following configuration steps provision information for users of Sony Ericsson M600, P900, and P1i mobile devices. These steps are optional but highly recommended.

Hint for user’s first time login
   Enter a user name suffix, for example an e-mail suffix such as @acme.com. During login, the User name field displays this suffix as a default value, so that users need only add their names before the suffix.

Sametime server name
   Enter the fully qualified host name of the Lotus Sametime Community server that mobile devices will connect to by default; for example, sametime.acme.com.

Port
   Enter the default port used to connect to the specified Lotus Sametime Community server.

Proxy connection
   Select this setting if mobile users will connect to the Sametime server through a proxy server. If you enable a proxy connection, you must enter a valid proxy URL in the field that follows.

Proxy URL
   Enter the URL for the proxy server that will connect Sametime Mobile users to the Lotus Sametime Community server.

Use Sametime Connect user ID and password
   Select this option if you want Sametime Mobile users to connect to the Sametime server with their IBM Lotus Sametime Connect user name and password.

Configuring a Lotus Sametime Proxy Server
Configure connection settings to enable the IBM Lotus Sametime Proxy Server to communicate with other servers in the deployment.

Configuring connectivity
Configure connectivity from the IBM Lotus Sametime Proxy Server to the Lotus Sametime Community Server and Lotus Sametime Meeting Server. This section also covers connecting to a business card server, setting up click-to-call, using a FIPS server, and clustering.

Configuring connectivity to a Sametime Community Server
By default, the IBM Lotus Sametime Proxy server works with an entire Lotus Sametime community, but you can optionally configure it to work with one or more clusters of IBM Lotus Sametime Community Servers instead.

Before you begin
Before completing this task, ensure that Lotus Sametime Community server is configured correctly.

About this task
Complete the following steps to connect the Lotus Sametime Proxy server to the Lotus Sametime Community server.

1. Log in to the Sametime System Console with administrator privileges. Example: https://yourserver.com:8701/ibm/console
2. Expand the Sametime System Console twistie.
3. Select Sametime Proxy Servers.
4. Select the Deployment Name for the Sametime Proxy Server deployment you wish to configure.


5. Enter the name of the Lotus Sametime Community cluster. Separate each cluster name by a comma. For example: CN=abc/O=ABC,CN=efg/O=EFG
   This field designates which Lotus Sametime Community Server or cluster will be connected to the current Lotus Sametime Proxy Server in a distributed environment. You can choose to leave this field empty in the following situations:
   • You want to connect to all Lotus Sametime Community Servers simultaneously
   • You only have one Lotus Sametime Community Server deployed
   • You only have one Lotus Sametime Community Server cluster deployed
6. Click Apply.

Configuring connectivity to a Sametime Meeting Server
Enter the connection settings that the IBM Lotus Sametime Proxy server will use to communicate with the IBM Lotus Sametime Meeting server.

Before you begin
Configure Single Sign-On (SSO) between the meeting server and the Community Server (either Lotus Sametime Community Server or Lotus Sametime Standard) that this Lotus Sametime Proxy Server will connect to.

About this task
Complete the following steps to connect the Lotus Sametime Proxy server to a meeting server.

1. Log in to the Sametime System Console with administrator privileges. Example: https://yourserver.com:8701/ibm/console
2. Click Sametime System Console → Sametime Proxy Servers.
3. Select the Deployment Name for the Sametime Proxy Server deployment you are configuring.
4. Select the type of meeting server to which the Lotus Sametime Proxy server will connect. The Lotus Sametime Proxy server can connect to any of the following meeting servers:
   • Lotus Sametime Meeting Server
   • Lotus Sametime Classic Server
   • Lotus Sametime Standard server (used in releases prior to Lotus Sametime 8.5)
   • Lotus Sametime Enterprise Meeting Server (used for clustering meeting servers in releases prior to Lotus Sametime 8.5)
5. (Optional) Enable SSL.
6. Enter the fully qualified host name of the meeting server that you selected in step 5. For example: sametime_meeting.acme.com
7. Enter the port number for that meeting server. If you choose Sametime Classic Meeting server, the host name and port fields will be grayed out since the same fully qualified host name and port is used for the Lotus Sametime Community server.
8. Click Apply.

Configuring Lotus Connections as the business card server
By default, the IBM Lotus Sametime Proxy Server retrieves business card information from the Lotus Sametime Community Server. You can configure the connection to use a Lotus Connections server instead by completing the tasks below.

About this task
Note: This feature requires the use of Lotus Connections 2.5.0.1 or later. The binding between Lotus Sametime users and Lotus Connections users is based on e-mail address, so e-mail addresses need to be enabled on the Lotus Connections server.

Setting up business cards on the Lotus Sametime Community Server
Enable the business cards feature on the IBM Lotus Sametime Community Server.

1. On the Lotus Sametime System Console, click Sametime Servers → Sametime Community Server.
2. In the Sametime Community Servers list, click the deployment name of the server with the business card information that you want to add or change.
3. Click the Business Card tab.
4. Add ″E-mail address″ to the business card:
   a. Locate E-mail address in the ″Select″ list under the ″User information″ section.
   b. Click E-mail address, and then click Add->> to add it to the ″Selected″ list.
   c. Move down to the attributes table.
   d. Locate ″E-mail address″ in the ″Attribute Name″ column.
   e. In the corresponding ″Attribute value″ column, enter the name of the e-mail field in the LDAP directory that is registered with the Lotus Sametime System Console. For example, if the ″e-mail″ field in the LDAP uses ″InternetAddress″ then that is the value you enter here.
   f. Click the Update button.
5. Click OK.

Selecting Lotus Connections as the business card server
Configure the IBM Lotus Sametime Proxy Server to use a Lotus Connections server as the business card provider.

1. Log in to the Lotus Sametime System Console with administrator privileges. Example: https://yourserver.com:8701/ibm/console
2. Click Sametime System Console → Sametime Proxy Servers.
3. Click the Lotus Sametime Proxy Server’s link to open its Configuration page.
4. Under ″General Properties″ navigate to the ″Business card server″ section.
5. Click Lotus Connections Server and enter the server’s address. The address for a Lotus Connections Profile server typically looks like this:

   http://connections_server.acme.com/profiles

6. Click OK, and then click Apply.


Setting up click-to-call
Click-to-call enables users of the IBM Lotus Sametime Web Client and Meeting Room clients to make calls if the administrator has configured a telephony conferencing server.

Before you begin
Before completing this task, ensure that your telephony conferencing server is configured correctly. If you will use Lotus Sametime Unified Telephony, make sure the following tasks have been completed before attempting to create the connection as described in this topic:

1. Install the Lotus Sametime Unified Telephony API on the Telephony Application Server (for information, see the Lotus Sametime Unified Telephony API Guide).
2. Configure LDAP access for the API on the Lotus Sametime Unified Telephony server (for information, see the Lotus Sametime Unified Telephony API Guide).
3. Configure Web Single Sign-On (SSO) between the Lotus Sametime Unified Telephony server and the Lotus Sametime Community Server.
4. Import the SSL certificate from the Lotus Sametime Unified Telephony server into the Lotus Sametime Proxy Server’s Cell truststore.

About this task
Complete the following steps to connect the IBM Lotus Sametime Proxy server to the telephony conferencing server.

1. Log in to the Sametime System Console with administrator privileges. Example: https://yourserver.com:8701/ibm/console
2. Expand the Sametime System Console twistie.
3. Select Sametime Proxy Servers.
4. Select the Deployment Name for the Sametime Proxy Server deployment you wish to configure.
5. Select a telephony service:
   • No telephony (default)
   • Enable TCSPI (Telephony Control Service Provider Interface)
   • Enable Sametime Unified Telephony
   If using Lotus Sametime Unified Telephony, enter the Host name and Port (9080 is the default) of the Telephony Application Server.
6. Enable Secure Socket Layer (SSL) encryption by clicking Enable SSL. Note: This step is required when you use Lotus Sametime Unified Telephony.
7. Click OK, and then click Apply.

Clustering Lotus Sametime Proxy Servers
Configuring a cluster of IBM Lotus Sametime Proxy Servers involves several tasks, including synchronizing system clocks, configuring the cluster settings, and optionally deploying an IBM Load Balancer in front of the cluster.

Before you begin
You can create two types of clusters:


• A Vertical cluster resides on the Primary node and includes two or more cluster members, which run the same application.
• A Horizontal cluster includes a Primary node plus one or more Secondary nodes, all running the same application. Each node contains one cluster member.

Before you can configure a cluster of Lotus Sametime Proxy Servers, you must have installed the following servers:

1. Lotus Sametime System Console
   This server will function as the cluster’s Deployment Manager; the console can function as the Deployment Manager for multiple clusters.
2. Lotus Sametime Community Server
   At least one Lotus Sametime Community Server must be deployed to provide presence and awareness for users attending online meetings.
3. One Lotus Sametime Proxy Server installed with the Network Deployment → Primary Node option.
   Every cluster requires exactly one Primary Node. The application server on the Primary Node will function as the cluster’s application template. All other application servers in the cluster (nodes and cluster members) will be duplicated from the Primary Node’s application server. The Primary node’s application server can only belong to one cluster. The Primary Node can be used as a container for additional cluster members when creating a vertical cluster (multiple cluster members on the same physical system).


4. (Horizontal cluster only) One or more Lotus Sametime Proxy Servers installed with the Network Deployment → Secondary Node option.
   Secondary nodes are used to horizontally scale your cluster across multiple physical systems. These additional nodes act as a container for additional cluster members, which can be used to balance loads and provide failover within the cluster. During the clustering process, you can deploy additional product application servers on any Secondary Nodes within the cluster, creating a horizontal cluster.

About this task
There are several tasks involved in creating a cluster; complete them in the sequence shown here:

Setting clocks on the servers to be clustered
Synchronize the system clocks on the servers to be clustered with an IBM WebSphere Application Server network deployment.

About this task
This task is required to ensure that the servers can be federated to the Deployment Manager during creation of the cluster. Working on the Lotus Sametime System Console, complete this task for every server that you will add to the cluster. For each server that will be added to the cluster, set the system clock to exactly the same time as the Deployment Manager’s (the Lotus Sametime System Console) system clock.

Changing the location of application binaries on the Primary Node
If you are creating a cluster of IBM Lotus Sametime Proxy Servers and the cluster’s Primary Node will not reside on the same computer as the Deployment Manager, you must change the application binaries location setting on the Primary Node to ensure that the cluster operates properly.

Before you begin
Install a Lotus Sametime Proxy Server using the Network Deployment - Primary Node option.

About this task
When you install the Primary Node, WebSphere creates an application in the Primary Node cell and the path to the Lotus Sametime Proxy Server application binary is hard-coded to ${APP_INSTALL_ROOT}\PrimaryNodeCellName. When Lotus Sametime Proxy Servers are clustered, the applications installed on the Primary Node are transferred to the Deployment Manager cell; however, the application binaries continue to reside under the Primary Node cell path. If the Primary Node is not hosted on the same computer as the Deployment Manager, the hard-coded path that is now referenced on the Deployment Manager will be incorrect. You can prevent this problem by changing that path so that it uses the variable ${CELL} instead of the hard-coded Primary Node’s name. This change ensures that the application will be copied under the Deployment Manager’s cell folder. Complete this task after you have installed the Primary Node, but before you attempt to create a cluster.

1. Log in to the WebSphere Integrated Solutions Console (as the WebSphere administrator) on the Lotus Sametime Proxy Server that you installed with the Network Deployment - Primary Node option:

   http://primary_node_host_name:9060/ibm/console

   This Integrated Solutions Console is used to administer the Primary Node only until it has been federated into a Deployment Manager (either the Lotus Sametime System Console or another Deployment Manager that you installed using the Network Deployment - Deployment Manager option).
   Note: If you have already completed the federation of this Primary Node (either during the clustering guided activity or manually using the WebSphere addNode utility), log in to the Deployment Manager’s Integrated Solutions Console instead.
2. Click Applications → Application Types → WebSphere Enterprise Applications.
3. Select the ″SametimeProxy″ application.
4. Click the Application binaries link.
5. Change the Location (full path) to this value: ${APP_INSTALL_ROOT}/${CELL}.
6. Save your change.

Clustering Sametime servers running on WebSphere Application Server
Use the IBM Lotus Sametime System Console to create a cluster of Lotus Sametime Servers hosted on IBM WebSphere Application Server. The Lotus Sametime servers must all be running the same type of server; for example, Lotus Sametime Meeting Server, Lotus Sametime Proxy Server, Lotus Sametime Media Manager Conference Manager, or Lotus Sametime Media Manager SIP Proxy and Registrar.

Before you begin
Start the Lotus Sametime System Console and the servers you intend to cluster. Note: This guided activity is only for Lotus Sametime servers hosted on IBM WebSphere Application Server, and does not apply to the Lotus Sametime Community Server.

About this task
Multiple product clusters are not supported on a single computer; however, vertical clusters (all cluster members installed on the Primary Node) are supported when each product cluster is on a dedicated computer. A horizontal cluster is defined as a cluster with each cluster member having a dedicated computer (one on the Primary Node and one on each Secondary Node). If you have not already opened the Cluster WebSphere Application Servers guided activity, follow these steps:

1. From a browser, enter the following URL, replacing serverhostname.domain with the fully qualified domain name of the Lotus Sametime System Console server: http://serverhostname.domain:8700/ibm/console
2. Enter the WebSphere Application Server User ID and password that you created when you installed the Lotus Sametime System Console.
3. Click the Sametime System Console task to open it in the navigation tree.
4. Click Guided Activities → Cluster WebSphere Application Servers.


Guided activity: Clustering Sametime servers running on WebSphere Application Server
This guided activity takes you through the steps for clustering IBM Lotus Sametime servers hosted on IBM WebSphere Application Server. The servers you add to the cluster must all be running the same Lotus Sametime product application; for example, Lotus Sametime Meeting Server, Lotus Sametime Proxy Server, Lotus Sametime Media Manager Conference Manager, or Lotus Sametime Media Manager SIP Proxy and Registrar.

Before you begin
Install the Lotus Sametime System Console and two or more Lotus Sametime servers of the same product type; then start the Lotus Sametime System Console and all of the servers you plan to cluster. This guided activity applies to the following Lotus Sametime servers:
• Lotus Sametime Proxy Server
• Lotus Sametime Meeting Server
• Lotus Sametime Media Manager

Clustering is not available for the Packet Switcher; it is also not available for an ″All Components″ installation of the Media Manager, which includes the Packet Switcher. The Conference Manager components and the SIP Proxy and Registrar components must be installed and clustered on dedicated computers. Multiple product clusters are not supported on a single computer; however, vertical clusters (all cluster members installed on the Primary Node) are supported when each product cluster is on a dedicated computer. A horizontal cluster is defined as a cluster with each cluster member having a dedicated computer (one on the Primary Node and one on each Secondary Node). Note that you cannot use this activity to cluster Lotus Sametime Community Servers (see ″Clustering Lotus Sametime Community Servers″) or Lotus Sametime Gateway servers (see ″Installing Lotus Sametime Gateway servers in a cluster″).

Attention: If you are creating a cluster of Lotus Sametime Proxy Servers, make sure that you have set the location for the application binaries on the Primary Node (explained in ″Preparing the Primary Node″) before you proceed.

About this task
Configure a cluster of one type of product server to improve performance with high availability, and to provide failover. You can create a horizontal cluster in which each node is hosted on a separate computer, as well as a vertical cluster with multiple cluster members hosted on the Primary Node. These instructions assume that you will use the Lotus Sametime System Console as the cluster’s Deployment Manager, which provides a single Integrated Solutions Console for all WebSphere administrative functions for all servers participating in the cell; this simplifies the administrative experience.

1. Cluster WebSphere Application Servers. Click Next to begin the clustering activity.
2. Select Product to Cluster. Select the product server to cluster, and then click Next.

   The list only displays Lotus Sametime products for which one or more servers have been installed and registered with the Lotus Sametime System Console. If you installed servers using deployment plans, they are registered with the console automatically. If you did not use a deployment plan, you must manually register the servers with the console before proceeding (see ″Registering servers with the Lotus Sametime System Console″).
3. Select or Create a Cluster.
   To create a new cluster:
   a. Click Create Cluster.
   b. Type a descriptive name for the cluster in the Cluster Name field. For example, if you are creating a cluster of Lotus Sametime Meeting Servers, you will probably want to indicate that in the cluster name so you can easily identify it later.
   c. Click Next.
   To modify an existing cluster; for example, to add a new cluster member:
   a. Click Select Existing Cluster.
   b. Select a cluster in the Cluster Name list. If you are going to add a node or cluster member to the cluster, you must use the same Lotus Sametime product. For example, you cannot add a Lotus Sametime Meeting Server cluster member to a cluster of Lotus Sametime Proxy Servers.
   c. Click Next.
4. Select the Deployment Manager. In the Select Deployment Manager list, select the Lotus Sametime System Console as the cluster’s deployment manager, and then click Next. Every cluster must have exactly one Deployment Manager; the Lotus Sametime System Console can function as the Deployment Manager for multiple clusters.
5. Select the Primary Node.
   a. In the Select Primary Node list, select the server that will serve as the cluster’s primary node. Every cluster must have exactly one Primary Node, the application server that will function as a template for the cluster member servers. All Secondary Nodes and Cluster Members will be created by duplicating the application server hosted on the Primary Node.
   b. Click the Federate Node button to provide the Deployment Manager with configuration information about the new node. Note: Make sure that the Primary Node’s application server is running. This action allows the Primary Node to be administered from the Deployment Manager’s Integrated Services Console. The federation and clustering processes are very complex and may take 5-10 minutes to complete. Please be patient; click these buttons only once and then wait for the page to finish loading before continuing. If the federate primary node action completed and the Create cluster button is not enabled, or the federate primary node returned an error, wait 3-5 minutes and retry the operation by clicking the Federate Node button again. If this operation continues to fail, it may be necessary to restart the Deployment Manager and Primary Node and then click the Federate Node button again to continue the guided activity.
   c. Click the Create cluster button to configure the cluster settings, and then click Next.


   Do not click anywhere on the browser until the operation completes or it may interrupt the clustering process.
6. Select One or More Secondary Nodes. If you are creating a horizontal cluster where each node is hosted on a separate computer, add one or more secondary nodes to the cluster. Be sure to federate each selected node before proceeding to select another.
   a. In the Secondary Node Name list, click the node you want to add to the cluster. You can add only one node at a time, and you must federate it before selecting the next node. If a node’s Status indicates ″Federated″ it already belongs to a cluster (either this cluster or a different one) and cannot be added now.
   b. Click the Federate Node button to provide the Deployment Manager with configuration information about the new node. Once the connection is complete, the node’s Status displays ″Federated″ – this may take some time, but do not proceed until the node has been successfully federated. If the federate node action completed and the Secondary Node’s status has not changed to ″Federated″ or the federate node returned an error, wait 3-5 minutes and then retry the operation by clicking the Federate Node button again. If this operation continues to fail, it may be necessary to restart the Deployment Manager and secondary node and then click the Federate Node button again to continue this guided activity.
   c. Repeat steps a. and b. until you have added all your Secondary Nodes to the cluster.
   d. Click Next.
7. Add Cluster Members. If you are creating a vertical cluster where multiple copies of the application are hosted on a single computer, add one or more ″cluster members″ to the Primary Node. If you are creating a horizontal cluster, add one cluster member to each of the secondary nodes you federated in the previous step. The table lists Cluster Members, the Node that the cluster resides on, and the Status of each cluster member. Each node in the cluster needs to have at least one cluster member created on it for the node to be used in the cluster. The status of a Cluster Member will be ″Clustered″ if the cluster member has been completely configured on the node. If the status is ″Ready to Cluster″, select the Cluster Member and use the ″Add to Cluster″ button to finish configuring the cluster member.
   Vertical cluster:
   a. To add a new cluster member, click New.
   b. Select the default name generated for the cluster member or enter your own cluster member server name.
   c. Select the Primary Node to create the cluster member on.
   d. Click the Add to Cluster button. The status will change from ″Ready to cluster″ to ″Clustered″.
   e. Click Next.
   Horizontal cluster: For each Secondary Node you federated in the previous step, a cluster member is prepopulated into the table for you, one on each of the Secondary Nodes.


   a. Select the default cluster member name for each server or update with your own name, and verify that the nodes the cluster member servers will be created on are correct for your topology.
   b. One at a time, select each cluster member and click the Add to Cluster button. Do not proceed until the current cluster member’s status changes from ″Ready to cluster″ to ″Clustered″; then you can add the next cluster member.
   c. If you want to add more cluster members, click the New button to add another row to the table, and then fill out the information accordingly.
   d. Click Next.
8. Deployment Summary. Click Finish to save the cluster configuration.
Continue with the cluster configuration tasks described in the Sametime information center.

Restarting and synchronizing nodes in the cluster:
Synchronize the nodes in an IBM WebSphere Application Server network deployment.

About this task
Synchronizing nodes in a cluster ensures that the Deployment Manager has an up-to-date copy of each node’s configuration.
1. Log in to the Deployment Manager’s (the Lotus Sametime System Console) Integrated Solutions Console as the WebSphere administrator.
2. Stop the Deployment Manager:
   a. Click System Administration → Deployment manager.
   b. Click the ″Configuration″ tab.
   c. On the Configuration tab of the deployment manager settings, click Stop.
3. Now start the Deployment Manager:
   a. Open a command window and navigate to the app_server_root/profiles/DeploymentManagerName/bin directory.
   b. Run the following command:
      IBM AIX, Linux, or Solaris
      ./startManager.sh
      Microsoft Windows
      startManager.bat
      IBM i
      1) On the Control Language (CL) command line, run the Start Qshell (STRQSH) command.
      2) At the Qshell prompt, run the following commands:
         cd app_server_root/bin
         startServer dmgr
      3) Use the Work with Active Jobs (WRKACTJOB) command to determine when the deployment manager is ready to accept administrative requests through the administrative console.
      4) Add a node to the network deployment profile, as described in Adding nodes to deployment manager profiles on IBM i.


         Run the addNode command from the Qshell command shell to federate the default application server profile into the Network Deployment cell.
      5) Verify that the node agent is running, as described in Verifying that the node agent is running on IBM i. Use the Work with Active Jobs (WRKACTJOB) command to determine when the node agent is ready to accept administrative requests through the administrative console.
      6) Start the administrative console for the deployment manager. Open the administrative console in a Web browser, as described in Starting the administrative console for deployment managers on IBM i.
      7) Verify that the node exists, as described in Verifying that nodes exist on IBM i. Use the administrative console to verify that the WebSphere Application Server node was successfully added to the deployment manager domain.
4. Synchronize all the nodes:
   a. In the Deployment Manager’s Integrated Solutions Console, click System Administration → Nodes.
   b. Click Full Resynchronize.
5. Restart all nodes in the cluster:
   a. In the Deployment Manager’s Integrated Solutions Console, click System Administration → Node agents.
   b. Click a node agent, and then click Start (or Restart if the node agent is already running).

Restarting the application servers in the cluster:
During cluster configuration, each node’s application server was stopped so that the node could be federated. Start all of the application servers now.

About this task
Use the IBM Lotus Sametime System Console to start each of the application servers in the cluster.
1. Log in to the Deployment Manager’s (the Lotus Sametime System Console) Integrated Solutions Console as the WebSphere administrator.
2. Click Servers → Server types → WebSphere application servers in the navigation tree.
3. Select the application server’s check box and click Start. The status column changes to show that the application server is running.
4. Repeat for every application server in the cluster.
Note: If you created a vertical cluster, you will need to start all of the application servers on every node.

Installing IBM Load Balancer
Install and configure IBM Load Balancer to distribute workload across a cluster of IBM Lotus Sametime Meeting Servers or Lotus Sametime Proxy Servers.


Before you begin
Create a cluster of Lotus Sametime Meeting Servers or Lotus Sametime Proxy Servers; configure the cluster and then start the Deployment Manager (the Lotus Sametime System Console) as well as all node agents and application servers in the cluster.
Note: The IBM Load Balancer is not available on IBM i, but you can deploy it on a server running a different operating system for use with a Lotus Sametime deployment hosted on IBM i.
IBM Load Balancer is not required for a Lotus Sametime clustered deployment; you can use any load-balancing mechanism that supports HTTP session affinity so that a user is repeatedly routed to the same server during a single session. IBM Load Balancer is included in the Lotus Sametime package with the other IBM WebSphere components.
1. Download IBM Load Balancer onto the server where you will install it:
   a. Open this release’s Download document in the Lotus Sametime Download document.
   b. Locate the appropriate IBM WebSphere Edge server component in the document’s listing, then download the packages labelled with the corresponding part numbers to the system on which you are installing.
2. Navigate to the folder where you stored the downloaded files, locate the folder for IBM Load Balancer, and start the installation program. For instructions on installing IBM Load Balancer, see the Load Balancer for IPv4 and IPv6 configuration guide.
3. After you have installed IBM Load Balancer, configure two static IP addresses for it:
   v Non-Forwarding Address: The NFA is the address of the server itself. It is used for logging in and administering the load balancer.
   v Cluster Address: This is the address by which clients and other servers will access the cluster. It must be DNS-resolvable.
   For example, suppose your cluster contains two nodes, and you configure an IBM Load Balancer for the cluster. Your IP addresses will look like this:
Table 1. Sample host names and IP addresses for a Lotus Sametime Meeting Server cluster or Lotus Sametime Proxy Server cluster with IBM Load Balancer

Fully qualified host name   Server’s role in deployment                                                      Server’s IP address
loadbal.acme.com            Load balancer (NFA)                                                              9.51.251.115
st-cluster.acme.com         Cluster (Cluster address)                                                        9.51.251.44
stconsole.acme.com          Deployment Manager (Lotus Sametime System Console)                               9.51.251.101
svr1.acme.com               Primary Node (Lotus Sametime Meeting Server or Lotus Sametime Proxy Server)      9.51.251.103
svr2.acme.com               Secondary Node (Lotus Sametime Meeting Server or Lotus Sametime Proxy Server)    9.51.251.109

Configuring IBM Load Balancer:


Configure IBM Load Balancer for a cluster of IBM Lotus Sametime Meeting Servers or Lotus Sametime Proxy Servers.

Before you begin
Install IBM Load Balancer and assign two static IP addresses to it. The server selected for the Load Balancer installation must reside on the same LAN segment as the nodes to be clustered.

About this task
Configure IBM Load Balancer to support your cluster using MAC address rewriting. With this method, the load balancer receives a packet intended for the cluster. It uses configured metrics to determine which node in the cluster should process the message, and then sends the message back out to the network, routing it to the appropriate node’s MAC address. Each of the nodes in the cluster is configured with a loopback adapter; when the packet is rewritten to the network, the appropriate node will receive and process the packet.
1. Set up the loopback adapters on the cluster nodes: On each of the nodes of the cluster, a loopback adapter must be added with the IP address of the cluster. This step is different for each operating system. Refer to the Load Balancer for IPv4 and IPv6 configuration guide for details.
2. Configure port settings on the cluster nodes so that IBM Load Balancer can route the packets properly: IBM Load Balancer requires every node in the cluster to use the same port number for both HTTP and HTTPS service (typically, port 80). If you have configured your nodes to use unique port numbers, change them to the same port now.
   Tip: When configuring the ports, you can use the wildcard * when specifying the host name for the HTTP and HTTPS. This will listen on all interfaces configured in the system, including the loopback adapter set up for the cluster.
3. On the load balancer server, configure load balancing for the cluster:
   a. Open a command window on the load balancer server.
   b. Start the load balancer’s Dispatcher process:
      v IBM AIX, Linux, Solaris
        dsserver
      v Microsoft Windows
        Click Start → Control Panel → Administrative Tools → Services. Right-click IBM Dispatcher (ULB), and then click Start.
   c. If you are using IPv6 addresses, enable the processing of IPv6 packets: These commands enable processing of IPv6 packets in the respective operating systems. Issue this command only once; thereafter, you can start and stop the executor as often as you need. If you do not issue the command to enable processing of IPv6 packets on these systems, the executor will not start (on Solaris, the executor will start, but no IPv6 packets can be viewed).
      AIX
      1) Run the following command:
autoconf6


2) To enable uninterrupted processing of IPv6 packets, even after a system reboot, edit the etc/rc.tcpip file and uncomment the following line, and add the -A flag:
start usr/bin/autoconf6 " " -A

Linux Run the following command (you must be logged in as root):
modprobe ipv6

Windows Run the following command (you must be logged in as the system administrator):
netsh interface ipv6 install

Solaris
Run the following commands (you must be logged in as su), replacing device with your device name and address/prefix with your IPv6 address and prefix values:
ifconfig device inet6 plumb
ifconfig device inet6 address/prefix up

d. Start the executor function of the dispatcher:
dscontrol executor start

e. Add the cluster to the service:
dscontrol cluster add cluster's_fully_qualified_host_name

where cluster’s_fully_qualified_host_name is the fully qualified host name that you assigned to the cluster when you installed the load balancer; for example:
stms-cluster.acme.com

f. Add the cluster port:
dscontrol port add cluster's_fully_qualified_host_name@port

where cluster’s_fully_qualified_host_name@port is the fully qualified host name that you assigned to the cluster when you installed the load balancer, with the HTTP/HTTPS port appended to it (typically port 80); for example:
stms-cluster.acme.com@80

g. Add the nodes for which this server will balance workload:
dscontrol server add cluster_host@port@primary_node
dscontrol server add cluster_host@port@secondary_node

where:
v cluster_host@port@primary_node indicates the cluster’s fully qualified host name with the port appended (as in the previous step) plus now with the primary node’s fully qualified host name appended; for example:
stms-cluster.acme.com@80@meetsvr1.acme.com

v cluster_host@port@secondary_node indicates the cluster’s fully qualified host name with the port appended (as in the previous step) plus now with the secondary node’s fully qualified host name appended (include an additional line for each additional secondary node); for example:
stms-cluster.acme.com@80@meetsvr2.acme.com

h. Add the cluster to the executor:
dscontrol executor add cluster's_fully_qualified_host_name

where cluster’s_fully_qualified_host_name is the fully qualified host name that you assigned to the cluster when you installed the load balancer; for example:
stms-cluster.acme.com


i. Start the manager:
dscontrol manager start

j. Start the HTTP advisor for the port you are using (the port you specified in the previous steps, typically port 80):
dscontrol advisor start http 80

k. Now you can stop the service:
dsserver stop

l. Close the command window.
4. Define server affinity with a ″sticky time″: By default the Load Balancer will round-robin HTTP requests between the cluster members, so that a single client may be routed to different cluster members for subsequent requests rather than continuing to be routed to the same cluster member. Since a client typically accesses an online meeting every 30-40 seconds during the session, you may want to enable server affinity for a Lotus Sametime Meeting Server cluster so that the client continues to access the same server during a single meeting. The dispatcher component of IBM Load Balancer supports a configurable ″sticky time″. This means that the load balancer will remember which cluster member a client was routed to; subsequent requests will ″stick to″ the same server until the preset time expires. IBM recommends a ″sticky″ time configuration of 60 seconds for a Lotus Sametime Meeting Server cluster or a Lotus Sametime Proxy Server cluster.
   a. Start IBM Load Balancer.
   b. In the navigation tree, select the Executor (the load balancer’s non-forwarding IP address, which appears under its host name).
   c. Click Configuration Settings.
   d. In ″Port-Specific Settings″, change the Default sticky-time setting from 0 to 60 seconds, and click Update Configuration.
   e. Leave IBM Load Balancer open for the next step.
5. Save the load balancer settings:
   a. In IBM Load Balancer, return to the navigation tree and right-click on the host name of the load balancer you just configured (for example, loadbal.acme.com).
   b. Click Save Configuration File as and accept the default name (default.cfg). The configuration settings stored in default.cfg are restored every time the server is restarted.
   c. Click OK.
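The dscontrol sequence in step 3 is easy to mistype when a cluster has several Secondary Nodes, and step 2 requires every node to listen on the same port. The following POSIX shell script, an added example that is not part of the IBM guide, validates the cluster host name, the port and each node entry, refuses to emit anything if any node is configured with a different port, and then prints the dscontrol commands in the order the guide lists them so they can be reviewed before being run on the load balancer. The host names, the port and the node list are constructed for illustration; the final `dscontrol port set ... stickytime 60` line is an assumed command-line equivalent of the guide's GUI sticky-time setting and should be checked against the Load Balancer release in use.

```shell
#!/bin/sh
# Added example, not part of the IBM guide: build the dscontrol command
# sequence for an IBM Load Balancer cluster from a host list, after checking
# that every node listens on the same port (the guide's step 2). Host names,
# the port value and the node list are constructed for illustration; the
# dscontrol subcommands are the ones the guide lists in step 3.

# is_fqdn NAME: succeed if NAME looks like a fully qualified host name
# (dot-separated labels of letters, digits and hyphens, at least two labels).
is_fqdn() {
    printf '%s' "$1" | grep -Eq '^([A-Za-z0-9]([A-Za-z0-9-]*[A-Za-z0-9])?\.)+[A-Za-z0-9]([A-Za-z0-9-]*[A-Za-z0-9])?$'
}

# lb_commands CLUSTER_FQDN PORT NODE:PORT [NODE:PORT ...]
# The first NODE:PORT is the Primary Node, the rest are Secondary Nodes.
# Prints one dscontrol command per line; prints an error and returns 1 when
# a name is malformed or a node is configured with a different port.
lb_commands() {
    cluster=$1
    port=$2
    shift 2
    is_fqdn "$cluster" || { echo "invalid cluster host name: $cluster" >&2; return 1; }
    case $port in
        ''|*[!0-9]*) echo "invalid port: $port" >&2; return 1 ;;
    esac
    [ $# -ge 2 ] || { echo "need a Primary Node and at least one Secondary Node" >&2; return 1; }

    # Validate every node before emitting anything, so a bad list never
    # produces a partial command sequence.
    for entry in "$@"; do
        case $entry in
            *:*) ;;
            *) echo "node entry must be HOST:PORT: $entry" >&2; return 1 ;;
        esac
        node=${entry%%:*}
        node_port=${entry##*:}
        is_fqdn "$node" || { echo "invalid node host name: $node" >&2; return 1; }
        [ "$node_port" = "$port" ] || {
            echo "node $node listens on port $node_port, cluster port is $port" >&2
            return 1
        }
    done

    echo "dscontrol executor start"
    echo "dscontrol cluster add $cluster"
    echo "dscontrol port add $cluster@$port"
    for entry in "$@"; do
        echo "dscontrol server add $cluster@$port@${entry%%:*}"
    done
    echo "dscontrol executor add $cluster"
    echo "dscontrol manager start"
    echo "dscontrol advisor start http $port"
    # Assumed CLI equivalent of the guide's GUI sticky-time setting (60 seconds
    # for Meeting Server and Proxy Server clusters); verify against your release.
    echo "dscontrol port set $cluster@$port stickytime 60"
}
```

Running `lb_commands stms-cluster.acme.com 80 meetsvr1.acme.com:80 meetsvr2.acme.com:80` prints nine commands, one per line; a node entry such as `meetsvr2.acme.com:8080` makes the function exit with an error before any command is printed, which is the step-2 port mismatch that would otherwise leave the load balancer routing to a port the node does not serve.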

Configuring a Lotus Sametime Media Manager
This section describes how to configure the components of the Lotus Sametime Media Manager.

Clustering Lotus Sametime Media Manager components
The IBM Lotus Sametime Media Manager includes several components. You can install the components separately and optionally cluster some of them.


About this task
The Lotus Sametime Media Manager comprises three components:
v Packet Switcher: Based on voice-activated switching, the Packet Switcher routes audio and video data to participant endpoints. There can be one or more Packet Switchers in a deployment; it cannot be clustered. A Packet Switcher can only be registered with one Conference Manager. If you have a Conference Manager cluster then the Packet Switcher is registered with the cluster and each cluster member uses the same Packet Switcher.
v Conference Manager: Manages multipoint conferences by maintaining a dialog with each participant, and ensuring that all media flows between those participants. You can install multiple Conference Manager components and cluster them for high availability and failover.
v SIP Proxy/Registrar: Directs conference participants to Conference Manager servers and provides high availability and failover functionality. You can install multiple SIP Proxy/Registrar components and cluster them for high availability and failover.
Complete the clustering tasks in the sequence shown:

Clustering SIP Proxy and Registrar components
Configuring a cluster of IBM Lotus Sametime Media Manager ″SIP Proxy and Registrar″ components involves several tasks, including synchronizing system clocks and configuring one or more IBM WebSphere proxy servers to operate with the cluster.

Before you begin
You can create two types of clusters:
v A Vertical cluster resides on the Primary node and includes two or more cluster members, which run the same application.
v A Horizontal cluster includes a Primary node plus one or more Secondary nodes, all running the same application. Each node contains one cluster member.


Before you can configure a cluster of Lotus Sametime Media Manager ″SIP Proxy and Registrar″ components, you must have installed the following servers:
1. Lotus Sametime System Console. This server will function as the cluster’s Deployment Manager; the console can function as the Deployment Manager for multiple clusters.
2. Lotus Sametime Community Server. At least one Lotus Sametime Community Server must be deployed to provide presence and awareness for users.
3. One Lotus Sametime Media Manager ″SIP Proxy and Registrar″ component, installed with the Network Deployment → Primary Node option. Every cluster requires exactly one Primary Node. The application server on the Primary Node will function as the cluster’s application template. All other application servers in the cluster (nodes and cluster members) will be duplicated from the Primary Node’s application server. The Primary node’s application server can only belong to one cluster. The Primary Node can be used as a container for additional cluster members when creating a vertical cluster (multiple cluster members on the same physical system).
4. (Horizontal cluster only) One or more Lotus Sametime Media Manager ″SIP Proxy and Registrar″ components, installed with the Network Deployment → Secondary Node option. Secondary nodes are used to horizontally scale your cluster across multiple physical systems. These additional nodes act as a container for additional cluster members, which can be used to balance loads and provide failover within the cluster. During the clustering process, you can deploy additional product application servers on any Secondary Nodes within the cluster, creating a horizontal cluster.
To cluster SIP Proxy and Registrar components, complete the following tasks in the sequence shown:

Setting clocks on the servers to be clustered:
Synchronize the system clocks on the servers to be clustered with an IBM WebSphere Application Server network deployment.

About this task
This task is required to ensure that the servers can be federated to the Deployment Manager during creation of the cluster. Working on the Lotus Sametime System Console, complete this task for every server that you will add to the cluster. For each server that will be added to the cluster, set the system clock to exactly the same time as the Deployment Manager’s (the Lotus Sametime System Console) system clock.

Clustering Sametime servers running on WebSphere Application Server:
Use the IBM Lotus Sametime System Console to create a cluster of Lotus Sametime Servers hosted on IBM WebSphere Application Server. The Lotus Sametime servers must all be running the same type of server; for example, Lotus Sametime Meeting Server, Lotus Sametime Proxy Server, Lotus Sametime Media Manager Conference Manager, or Lotus Sametime Media Manager SIP Proxy and Registrar.

Before you begin
Start the Lotus Sametime System Console and the servers you intend to cluster.
Note: This guided activity is only for Lotus Sametime servers hosted on IBM WebSphere Application Server, and does not apply to the Lotus Sametime Community Server.

About this task
Multiple product clusters are not supported on a single computer; however, vertical clusters (all cluster members installed on the Primary Node) are supported when each product cluster is on a dedicated computer.
A horizontal cluster is defined as a cluster with each cluster member having a dedicated computer (one on the Primary Node and one on each Secondary Node).

If you have not already opened the Cluster WebSphere Application Servers guided activity, follow these steps:
1. From a browser, enter the following URL, replacing serverhostname.domain with the fully qualified domain name of the Lotus Sametime System Console server.
   http://serverhostname.domain:8700/ibm/console
2. Enter the WebSphere Application Server User ID and password that you created when you installed the Lotus Sametime System Console.
3. Click the Sametime System Console task to open it in the navigation tree.


4. Click Guided Activities → Cluster WebSphere Application Servers.

Guided activity: Clustering Sametime servers running on WebSphere Application Server:
This guided activity takes you through the steps for clustering IBM Lotus Sametime servers hosted on IBM WebSphere Application Server. The servers you add to the cluster must all be running the same Lotus Sametime product application; for example, Lotus Sametime Meeting Server, Lotus Sametime Proxy Server, Lotus Sametime Media Manager Conference Manager, or Lotus Sametime Media Manager SIP Proxy and Registrar.

Before you begin
Install the Lotus Sametime System Console and two or more Lotus Sametime servers of the same product type; then start the Lotus Sametime System Console and all of the servers you plan to cluster. This guided activity applies to the following Lotus Sametime servers:
v Lotus Sametime Proxy Server
v Lotus Sametime Meeting Server
v Lotus Sametime Media Manager
Clustering is not available for the Packet Switcher; it is also not available for an ″All Components″ installation of the Media Manager, which includes the Packet Switcher. The Conference Manager components and the SIP Proxy and Registrar components must be installed and clustered on dedicated computers. Multiple product clusters are not supported on a single computer; however, vertical clusters (all cluster members installed on the Primary Node) are supported when each product cluster is on a dedicated computer. A horizontal cluster is defined as a cluster with each cluster member having a dedicated computer (one on the Primary Node and one on each Secondary Node). Note that you cannot use this activity to cluster Lotus Sametime Community Servers (see ″Clustering Lotus Sametime Community Servers″) or Lotus Sametime Gateway servers (see ″Installing Lotus Sametime Gateway servers in a cluster″).
Attention: If you are creating a cluster of Lotus Sametime Proxy Servers, make sure that you have set the location for the application binaries on the Primary Node (explained in ″Preparing the Primary Node″) before you proceed.

About this task
Configure a cluster of one type of product server to improve performance with high availability, and to provide failover. You can create a horizontal cluster in which each node is hosted on a separate computer, as well as a vertical cluster with multiple cluster members hosted on the Primary Node. These instructions assume that you will use the Lotus Sametime System Console as the cluster’s Deployment Manager, which provides a single Integrated Solutions Console for all WebSphere administrative functions for all servers participating in the cell – this simplifies the administrative experience.
1. Cluster WebSphere Application Servers. Click Next to begin the clustering activity.
2. Select Product to Cluster.

   Select the product server to cluster, and then click Next. The list only displays Lotus Sametime products for which one or more servers have been installed and registered with the Lotus Sametime System Console. If you installed servers using deployment plans, they are registered with the console automatically. If you did not use a deployment plan, you must manually register the servers with the console before proceeding (see ″Registering servers with the Lotus Sametime System Console″).
3. Select or Create a Cluster.
   To create a new cluster:
   a. Click Create Cluster.
   b. Type a descriptive name for the cluster in the Cluster Name field. For example, if you are creating a cluster of Lotus Sametime Meeting Servers, you will probably want to indicate that in the cluster name so you can easily identify it later.
   c. Click Next.
   To modify an existing cluster; for example, to add a new cluster member:
   a. Click Select Existing Cluster.
   b. Select a cluster in the Cluster Name list. If you are going to add a node or cluster member to the cluster, you must use the same Lotus Sametime product. For example, you cannot add a Lotus Sametime Meeting Server cluster member to a cluster of Lotus Sametime Proxy Servers.
   c. Click Next.
4. Select the Deployment Manager. In the Select Deployment Manager list, select the Lotus Sametime System Console as the cluster’s deployment manager, and then click Next. Every cluster must have exactly one Deployment Manager; the Lotus Sametime System Console can function as the Deployment Manager for multiple clusters.
5. Select the Primary Node.
   a. In the Select Primary Node list, select the server that will serve as the cluster’s primary node. Every cluster must have exactly one Primary Node, the application server that will function as a template for the cluster member servers. All Secondary Nodes and Cluster Members will be created by duplicating the application server hosted on the Primary Node.
   b. Click the Federate Node button to provide the Deployment Manager with configuration information about the new node. Note: Make sure that the Primary Node’s application server is running. This action allows the Primary Node to be administered from the Deployment Manager’s Integrated Services Console. The federation and clustering processes are very complex and may take 5-10 minutes to complete. Please be patient; click these buttons only once and then wait for the page to finish loading before continuing. If the federate primary node action completed and the Create cluster button is not enabled, or the federate primary node returned an error, wait 3-5 minutes and retry the operation by clicking the Federate Node button again. If this operation continues to fail, it may be necessary to restart the Deployment Manager and Primary Node and then click the Federate Node button again to continue the guided activity.

132

Lotus Sametime: Installation and Administration Guide Part 2

c. Click the Create cluster button to configure the cluster settings, and then click Next. Do not click anywhere in the browser until the operation completes, or you may interrupt the clustering process.
6. Select One or More Secondary Nodes.
If you are creating a horizontal cluster, where each node is hosted on a separate computer, add one or more secondary nodes to the cluster. Federate each selected node before selecting another.
a. In the Secondary Node Name list, click the node you want to add to the cluster. You can add only one node at a time, and you must federate it before selecting the next node. If a node's Status already shows "Federated", it belongs to a cluster (this one or a different one) and cannot be added now.
b. Click the Federate Node button to provide the Deployment Manager with configuration information about the new node. When the connection is complete, the node's Status displays "Federated". This may take some time; do not proceed until the node has been successfully federated. If the Federate Node action completed but the Secondary Node's status has not changed to "Federated", or if federation returned an error, wait 3-5 minutes and retry by clicking Federate Node again. If the operation continues to fail, it may be necessary to restart the Deployment Manager and the secondary node and then click Federate Node again to continue this guided activity.
c. Repeat steps a and b until you have added all your Secondary Nodes to the cluster.
d. Click Next.
7. Add Cluster Members.
If you are creating a vertical cluster, where multiple copies of the application are hosted on a single computer, add one or more "cluster members" to the Primary Node. If you are creating a horizontal cluster, add one cluster member to each of the secondary nodes you federated in the previous step.
The table lists each Cluster Member, the Node it resides on, and its Status. Each node in the cluster needs at least one cluster member created on it for the node to be used in the cluster. A Cluster Member's status is "Clustered" once the cluster member has been completely configured on the node. If the status is "Ready to Cluster", select the Cluster Member and click Add to Cluster to finish configuring it.
Vertical cluster:
a. To add a new cluster member, click New.
b. Accept the default name generated for the cluster member or enter your own cluster member server name.
c. Select the Primary Node as the node to create the cluster member on.
d. Click the Add to Cluster button. The status changes from "Ready to cluster" to "Clustered".
e. Click Next.
Horizontal cluster:

For each Secondary Node you federated in the previous step, a cluster member is prepopulated in the table, one on each Secondary Node.
a. Accept the default cluster member name for each server or replace it with your own, and verify that the nodes the cluster member servers will be created on are correct for your topology.
b. One at a time, select each cluster member and click the Add to Cluster button. Do not proceed until the current cluster member's status changes from "Ready to cluster" to "Clustered"; then add the next cluster member.
c. If you want to add more cluster members, click New to add another row to the table, and then fill in the information accordingly.
d. Click Next.
8. Deployment Summary.
Click Finish to save the cluster configuration. Continue with the cluster configuration tasks described in the Sametime information center.
Configuring a WebSphere proxy server:
Configure an IBM WebSphere proxy server to perform routing and caching tasks for a cluster of IBM Lotus Sametime servers running on WebSphere Application Server.
Before you begin
Create a cluster of Lotus Sametime servers running on WebSphere Application Server; start the Deployment Manager (the Lotus Sametime System Console) as well as all node agents and application servers in the cluster.
Use these instructions to configure a WebSphere proxy server that operates with the following Lotus Sametime server clusters:
v Meeting Server
v Conference Manager
v SIP Proxy and Registrar
About this task
A cluster of Lotus Sametime servers that run on WebSphere Application Server can use a WebSphere proxy server to manage routing and caching tasks. To ensure redundancy if a proxy server fails, you may want to configure multiple proxy servers for the cluster.
You can host a WebSphere proxy server on any node in the cluster (except the Lotus Sametime System Console), but because it uses a lot of system resources, you may want to host it on its own computer.
1. Log in to the Deployment Manager's (the Lotus Sametime System Console) Integrated Solutions Console as the WebSphere administrator.
2. In the navigation tree, click Servers → Server Types → WebSphere proxy servers.
3. In the proxy servers table, click the New button at the top of the table.
4. In the "Create a new proxy server entry" dialog box, do the following:
a. In the "Select a node" box, select the node that will host the WebSphere proxy server.

Be sure to select a node that belongs to the appropriate cluster.
b. Type a name for the new proxy server, for example "was_proxy1", and then click Next.
c. In the "Specify server specific properties" box, select the appropriate "Support protocol" settings for your cluster, select Generate unique ports, and then click Next.
v If you are configuring this WebSphere proxy server for a Meeting Server cluster: deselect the SIP protocol.
v If you are configuring this WebSphere proxy server for a SIP Proxy and Registrar cluster: accept both HTTP and SIP protocols.
v If you are configuring this WebSphere proxy server for a Conference Manager cluster: accept both HTTP and SIP protocols.
d. In the "Select a server template" box, select proxy_server_foundation (the WebSphere Default Proxy Server Template), and then click Next.
e. In the "Confirm new server" box, click Finish.
5. Save the new proxy server settings to the master configuration and synchronize the nodes in the cluster. WebSphere Application Server displays a message prompting you to save changes to the master configuration. Click Preferences → Synchronize Nodes, and then click Apply.
6. (Conference Manager cluster, SIP Proxy and Registrar cluster) Assign the new proxy server to the cluster:
a. Click Servers → Server Types → WebSphere proxy servers → proxy_server_name → SIP Proxy Server Settings → SIP proxy settings.
b. In the "Default cluster" field, select the cluster that you are configuring this WebSphere proxy server to work with.
c. Click Apply.
7. Start the new WebSphere proxy server:
a. In the Integrated Solutions Console's navigation tree, click Servers → Proxy Servers.
b. On the "Proxy Servers" page, select the new proxy server from the list.
c. Click the Start button above the list of proxy servers.
Configuring the SIP Proxy and Registrar cluster:
Complete the configuration for clustering IBM Lotus Sametime Media Manager SIP Proxy and Registrar components using an IBM WebSphere Application Server network deployment.
Before you begin
Create a cluster of SIP Proxy and Registrar components using the guided activity.
About this task
Completing the cluster's configuration requires the following tasks:
Setting up memory-to-memory replication for a SIP Proxy and Registrar cluster:
After you create a cluster of IBM Lotus Sametime Media Manager SIP Proxy and Registrar components, you must enable memory-to-memory replication among the cluster members to ensure that the cluster operates properly.

Before you begin
Create a cluster of SIP Proxy and Registrar components.
About this task
Complete this task on every member of the SIP Proxy and Registrar cluster.
Note: One replication domain is created by the installer, using the same name as the SIP Proxy and Registrar cluster. You need to map servers in the cluster to this replication domain. The number of replicas that you configure in a replication domain affects the performance of your configuration; if you have more than two servers in the cluster, create a separate replication domain for each pair of servers.
1. On the first two servers of your cluster, map the servers to the replication domain as follows:
a. On the Deployment Manager (the Lotus Sametime System Console), log in to the IBM WebSphere Integrated Solutions Console as the WebSphere administrator.
b. Click Servers → Server Types → WebSphere application servers.
c. In the "Application Server" table, click the cluster member's name to display the "Configuration" page.
d. Under "Container Settings", click "SIP Container Settings" and then click the SIP container link.
e. In the SIP container settings, look under "Additional Properties" and click the Session management link.
f. In the Session management settings, look under "Additional Properties" and click the Distributed environment settings link.
g. In the Distributed environment settings, look under "General Properties" and click the link labelled Memory-to-memory replication. Do not click the selector to choose this option; click the link itself so you can modify the option's settings.
h. In the Memory-to-memory replication settings, look under "General Properties" and set the Replication domain setting to the domain that has the same name as the SIP Proxy and Registrar cluster.
i. In the "Replication Mode" field, click Both client and server.
j. Click Apply, and then click OK.
k. Save your changes by clicking the Save link in the "Messages" box at the top of the page.
l. Back in the Distributed environment settings, look under "General Properties" and verify that the Memory-to-memory replication option is now selected.
m. Return to the Integrated Solutions Console navigation pane and select Environment → Replication Domain → cluster_name.
n. On the Configuration page, look under "Additional Properties" and verify that the "Replication Domain Members" list includes the following item: SessionManager:cluster_member_name (the cluster member's name from substep c).
o. Complete this set of substeps for both servers.
Note: For performance reasons, you should not map more than two servers to this replication domain.

2. If you have additional servers in your cluster, create a replication domain for every two servers as follows:
a. On the Deployment Manager (the Lotus Sametime System Console), log in to the IBM WebSphere Integrated Solutions Console as the WebSphere administrator.
b. Click Environment → Replication domains.
c. In the Replication domains table, click the New button.
d. In the Name field, specify a unique name for the replication domain.
e. Under "Number of replicas", click Entire domain.
f. Click OK.
g. Save your changes by clicking the Save link in the "Messages" box at the top of the page.
h. Create a new replication domain for each pair of the remaining servers in the cluster.
3. Now map each pair of those remaining servers to their own replication domain by following these instructions:
Note: For performance reasons, you should not map more than two servers to each replication domain.
a. On the Deployment Manager (the Lotus Sametime System Console), log in to the IBM WebSphere Integrated Solutions Console as the WebSphere administrator.
b. Click Servers → Server Types → WebSphere application servers.
c. In the "Application Server" table, click the cluster member's name to display the "Configuration" page.
d. Under "Container Settings", click "SIP Container Settings" and then click the SIP container link.
e. In the SIP container settings, look under "Additional Properties" and click the Session management link.
f. In the Session management settings, look under "Additional Properties" and click the Distributed environment settings link.
g. In the Distributed environment settings, look under "General Properties" and click the link labelled Memory-to-memory replication. Do not click the selector to choose this option; click the link itself so you can modify the option's settings.
h. In the Memory-to-memory replication settings, look under "General Properties" and set the Replication domain setting to the newly created domain.
i. In the "Replication Mode" field, click Both client and server.
j. Click Apply, and then click OK.
k. Save your changes by clicking the Save link in the "Messages" box at the top of the page.
l. Back in the Distributed environment settings, look under "General Properties" and verify that the Memory-to-memory replication option is now selected.
m. Return to the Integrated Solutions Console navigation pane and select Environment → Replication Domain → newly_created_domain.
n. On the Configuration page, look under "Additional Properties" and verify that the "Replication Domain Members" list includes the following item: SessionManager:cluster_member_name (the cluster member's name from substep c).
o. Complete this set of substeps for both servers that are being assigned to this replication domain.
Creating object cache instances for the SIP Proxy and Registrar:
Create an object cache for the IBM Lotus Sametime Media Manager SIP Proxy and Registrar; this cache will be available to all cluster members.
Before you begin
Create a cluster of SIP Proxy and Registrar components.
1. Log in to the Deployment Manager's (the Lotus Sametime System Console) Integrated Solutions Console as the WebSphere administrator.
2. Click Resources → Cache Instances → Object Cache Instances.
3. Click in the Scope field (where it displays "All scopes") and select the SIP Proxy and Registrar cluster.
4. In the table, click ProxyRegistrationCache to display the cache instance's "Configuration" page.
5. Under "Performance Settings", click High performance and high memory usage.
6. Set the value of Push frequency to 1.
7. Click OK.
8. Save your changes to the master configuration by clicking the Save button when prompted.
Adding a path for the JMX interface to the Deployment Manager:
Add a path to the IBM Lotus Sametime Media Manager SIP Proxy and Registrar's ProxyRegCommon-8.5.jar file to make it available to the cluster's Deployment Manager.
Before you begin
Create a cluster of SIP Proxy and Registrar components.
About this task
The SIP Proxy and Registrar component provides a JMX interface. On the cluster's Deployment Manager, copy the ProxyRegCommon-8.5.jar file to a location that is visible to the Deployment Manager. Then define a JVM custom property called ws.ext.dirs that points to this location. Defining a path for ws.ext.dirs makes the ProxyRegCommon-8.5.jar file loadable by the WebSphere extensions class loader, which is shared by every application running in that JVM. Because any JAR placed in that directory is loaded with the server's privileges, keep the directory writable only by the account that runs WebSphere.
1. Log in to the Deployment Manager's (the Lotus Sametime System Console) Integrated Solutions Console as the WebSphere administrator.
2. Click System administration → Deployment manager to display the "Configuration" page.
3. Under "Server Infrastructure", expand Java Process Management, and then click Process definitions.
4. Under "Additional Properties", click Java Virtual Machine.
5. Under "Additional Properties", click Custom Properties.
6. In the table listing the custom properties, click the New button.
7. Create a new entry named ws.ext.dirs; the value is the path to the location where the ProxyRegCommon-8.5.jar file is stored.
8. Click OK to save the new custom property.
Adding a path for the JMX interface to the nodes:
Add a path to the IBM Lotus Sametime Media Manager SIP Proxy and Registrar's ProxyRegCommon-8.5.jar file to make it available to all nodes in the cluster.
Before you begin
Create a cluster of SIP Proxy and Registrar components.
About this task
The SIP Proxy and Registrar component provides a JMX interface. Copy the ProxyRegCommon-8.5.jar file to a location that is visible to all node agents in the cluster. Then define a JVM custom property called ws.ext.dirs that points to this location. Defining a path for ws.ext.dirs makes the ProxyRegCommon-8.5.jar file loadable by the WebSphere extensions class loader; the same file-permission caution as for the Deployment Manager applies. Do this for every node in the SIP Proxy and Registrar cluster.
1. Log in to the Deployment Manager's (the Lotus Sametime System Console) Integrated Solutions Console as the WebSphere administrator.
2. Click System administration → Node agents.
3. In the table listing the node agents, click the link representing a SIP Proxy and Registrar node to display its "Configuration" page.
4. Under "Server Infrastructure", expand Java Process Management, and then click Process definitions.
5. Under "Additional Properties", click Java Virtual Machine.
6. Under "Additional Properties", click Custom Properties.
7. In the table listing the custom properties, click the New button.
8. Create a new entry named ws.ext.dirs; the value is the path to the location where the ProxyRegCommon-8.5.jar file is stored.
9. Click OK to save the new custom property.
10. Repeat this process for every node in the SIP Proxy and Registrar cluster.
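The pairing rule in "Setting up memory-to-memory replication for a SIP Proxy and Registrar cluster" above (at most two servers per replication domain, the first pair on the installer-created domain named after the cluster, every further pair on a new domain) is easy to get wrong by hand once a cluster grows. The following wsadmin Jython script is an added example and is not part of the IBM guide or the Sametime product: it computes the pairing, flags a leftover member that has no replica partner when the member count is odd, and, when run inside wsadmin, creates the missing domains at cell scope. The cluster and member names are assumptions, as is the mapping of numberOfReplicas -1 to the console's "Entire domain" choice; the per-server mapping of the SIP container's session manager to its domain (step 3 above) is left to the console. The script is written in the Python 2.1 subset that wsadmin's Jython accepts, so it runs unchanged under Python 3 as well.

```python
# Added example, not from the IBM guide: plan replication domains for a SIP
# Proxy and Registrar cluster and create the new ones under wsadmin.
# Python 2.1 subset on purpose (wsadmin's Jython): no True/False, no
# str.format(), print with a single argument only.


def plan_replication_domains(cluster_name, member_names):
    """Return [(domain_name, members, is_new, has_partner), ...].

    The first pair is mapped to the installer-created domain that carries the
    cluster's name; every further pair gets '<cluster>_rd<N>'.  With an odd
    member count the last server is still given a domain (so the console
    steps can be completed) but has_partner is 0, because a domain with a
    single member replicates nothing.
    """
    plan = []
    domain_index = 0
    for start in range(0, len(member_names), 2):
        pair = member_names[start:start + 2]
        if domain_index == 0:
            domain = cluster_name            # created by the installer
            is_new = 0
        else:
            domain = '%s_rd%d' % (cluster_name, domain_index)   # assumed naming
            is_new = 1
        plan.append((domain, pair, is_new, len(pair) == 2))
        domain_index = domain_index + 1
    return plan


def create_replication_domain(name):
    """wsadmin only: create a DataReplicationDomain at cell scope unless it exists.

    numberOfReplicas -1 is assumed to be the console's 'Entire domain' setting
    from step 2e above; verify it in Environment -> Replication domains.
    """
    for existing in AdminConfig.list('DataReplicationDomain').splitlines():
        if AdminConfig.showAttribute(existing, 'name') == name:
            return existing
    cell = AdminConfig.list('Cell').splitlines()[0]
    return AdminConfig.create('DataReplicationDomain', cell,
                              [['name', name], ['numberOfReplicas', '-1']])


def main():
    cluster_name = 'STMediaSIPProxyRegCluster'                       # assumption
    members = ['sipreg1', 'sipreg2', 'sipreg3', 'sipreg4', 'sipreg5']  # assumption
    for domain, pair, is_new, has_partner in plan_replication_domains(cluster_name, members):
        if is_new:
            create_replication_domain(domain)
        note = ''
        if not has_partner:
            note = '  (no replica partner: add a member or accept no failover for it)'
        print('%s -> %s%s' % (domain, ', '.join(pair), note))
    AdminConfig.save()


try:
    AdminConfig            # defined only when running inside wsadmin
    _IN_WSADMIN = 1
except NameError:
    _IN_WSADMIN = 0

if _IN_WSADMIN:
    main()
```

Run it from the Deployment Manager profile with `wsadmin -lang jython -f plan_domains.py`; the printed mapping is the list of domain names to select in step 3h for each pair of servers.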
Removing unused ports from cluster members:
Each member of a cluster has some ports defined at the server scope. Once the members are added to the cluster, those ports are no longer needed and should be removed; every listener left behind is an open port that would otherwise have to be firewalled.
1. Log in to the Deployment Manager's (the Lotus Sametime System Console) Integrated Solutions Console as the WebSphere administrator.
2. Click Servers → Server Types → WebSphere application servers.
3. In the "Application Servers" table, click the name of a cluster member. This displays the server's "Configuration" page.
4. On the "Configuration" page, look under "Container Settings" and click SIP Container Settings → SIP container transport chains.
5. In the "Transport Chain" table, delete the following entries by selecting the check box for each entry and then clicking the Delete button at the top of the table:
v SIPCInboundProxyReg
v SIPCInboundProxyRegSecure
v SIPCInboundProxyRegUDP
6. Save your changes by clicking the Save link in the "Messages" box at the top of the page.
7. Go back up one level to the cluster member's "Configuration" page; look under "Communications" and click Ports.
8. In the "Ports" table, delete the following entries by selecting the check box for each entry and then clicking the Delete button at the top of the table:
v SIP_ProxyRegHOST
v SIP_ProxyReg_SECURE
9. Save your changes by clicking the Save link in the "Messages" box at the top of the page.
10. Repeat this process for every cluster member.
Increasing the heap size for a clustered SIP Proxy and Registrar component:
If you installed the IBM Lotus Sametime Media Manager using either the Primary Node or Secondary Node option to create a clustered server, increase the maximum heap size for the SIP Proxy and Registrar component.
Before you begin
Install and cluster two or more Lotus Sametime Media Manager SIP Proxy and Registrar components. Then complete this task for every cluster member.
About this task
Typically, the total of all server instance JVM heap sizes on a specific node must be less than half of the total RAM of that computer.
1. Log in to the SIP Proxy and Registrar's Integrated Solutions Console as the WebSphere administrator.
2. Click Servers → Server Types → WebSphere application servers.
3. Click a server name to display the "Configuration" page for the server.
4. In the Server Infrastructure section, click Java and Process Management, and then click Process definition.
5. Under "Additional Properties", click Java Virtual Machine.
6. Under "General Properties", specify the heap size settings as follows:
Table 2. Heap settings for the SIP Proxy and Registrar
Initial heap size (MB)    Maximum heap size (MB)
256                       1024
7. In the Generic JVM arguments field, type the following information exactly as shown:
-Xverbosegclog:${SERVER_LOG_ROOT}/gc.log,1,14000

This creates a rolling verbose GC log of approximately 20 MB, stored in the server logs directory.
8. Click OK.
9. Save your changes by clicking the Save link in the "Messages" box at the top of the page.
Disabling authentication for the SIP Container:
Create a custom property in IBM WebSphere Application Server to disable the "Digest TAI on SIP Container" setting on each member of a cluster of IBM Lotus Sametime Media Manager components.
About this task
When you use the Lotus Sametime System Console as the Deployment Manager for a cluster of Conference Manager or SIP Proxy and Registrar components, the "Use available authentication data when an unprotected URI is accessed" setting is enabled on the console to satisfy a requirement of the Lotus Sametime Meeting Server. As a result, the SIP Container requires authentication even though the Media Manager's SIP applications are not configured with security constraints. All incoming SIP messages without credentials are rejected with a "401 Unauthorized" response. To prevent this problem, create a custom property that disables the "Digest TAI on SIP Container" setting for every cluster member. Once the Digest TAI is disabled, the container no longer challenges SIP requests that carry no credentials, so restrict network access to the cluster members' SIP ports accordingly.
1. Log in to the Deployment Manager's (the Lotus Sametime System Console) Integrated Solutions Console as the IBM WebSphere administrator.
2. Click Servers → Server Types → WebSphere application servers.
3. In the "Application Servers" table, click the name of a cluster member.
4. Under "Container settings", click SIP Container settings → SIP Container.
5. Under "Additional Properties", click Custom properties.
6. Click New.
7. In the Name field, enter com.ibm.ws.sip.security.enable.digest.tai exactly as shown here.
8. In the Value field, enter false.
9. Click the OK button.
10. Save your changes by clicking the Save link in the "Messages" box at the top of the page.
11. Repeat this process for every cluster member.
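After the property above has been set on every cluster member and the servers restarted, the observable change is that an unauthenticated SIP request is no longer answered with 401. The following probe is an added example, written for Python 3 on an administrator's workstation, and is not part of the IBM guide or the Sametime product: it sends a credential-less SIP OPTIONS request over UDP and classifies the reply, so the state of the Digest TAI can be confirmed from outside rather than inferred from the console. The target host and port are assumptions (5060 is only the conventional SIP port; use the port the cluster member actually listens on), and the two responses embedded at the bottom are constructed for the offline check, not captured from a server.

```python
# Added example, not from the IBM guide: SIP OPTIONS probe that reports
# whether a SIP container still challenges requests carrying no credentials.
import socket
import uuid


def build_options(target_host, target_port, via_host, via_port):
    """Build a minimal RFC 3261 OPTIONS request (UDP, no Authorization header)."""
    branch = 'z9hG4bK' + uuid.uuid4().hex[:16]          # RFC 3261 magic cookie prefix
    lines = [
        'OPTIONS sip:%s:%d SIP/2.0' % (target_host, target_port),
        # rport (RFC 3581) asks the server to reply to the port we actually sent from
        'Via: SIP/2.0/UDP %s:%d;rport;branch=%s' % (via_host, via_port, branch),
        'Max-Forwards: 70',
        'From: <sip:probe@%s>;tag=%s' % (via_host, uuid.uuid4().hex[:8]),
        'To: <sip:%s:%d>' % (target_host, target_port),
        'Call-ID: %s@%s' % (uuid.uuid4().hex, via_host),
        'CSeq: 1 OPTIONS',
        'Content-Length: 0',
        '',
        '',
    ]
    return '\r\n'.join(lines).encode('ascii')


def parse_response(raw):
    """Return (status_code, reason, headers) from a raw SIP response; header names lower-cased."""
    head = raw.split(b'\r\n\r\n', 1)[0].decode('utf-8', 'replace')
    lines = head.split('\r\n')
    parts = lines[0].split(' ', 2)
    if len(parts) < 2 or parts[0] != 'SIP/2.0' or not parts[1].isdigit():
        raise ValueError('not a SIP status line: %r' % lines[0])
    headers = {}
    for line in lines[1:]:
        if ':' in line:
            name, value = line.split(':', 1)
            headers[name.strip().lower()] = value.strip()
    reason = parts[2] if len(parts) == 3 else ''
    return int(parts[1]), reason, headers


def classify(raw):
    """Map a response to the state of the Digest TAI on the container that sent it."""
    code, reason, headers = parse_response(raw)
    if code == 401:
        # TAI still active: the challenge names the realm it expects credentials for
        return ('digest-tai-active', code, headers.get('www-authenticate', ''))
    return ('unauthenticated-accepted', code, reason)


def probe(target_host, target_port=5060, timeout=3.0):
    """Send the OPTIONS request over UDP and classify the first reply (network I/O)."""
    sock = socket.socket(socket.AF_INET, socket.SOCK_DGRAM)
    sock.settimeout(timeout)
    try:
        sock.connect((target_host, target_port))   # fixes the local address we put in Via
        via_host, via_port = sock.getsockname()
        sock.send(build_options(target_host, target_port, via_host, via_port))
        raw = sock.recv(65535)
    finally:
        sock.close()
    return classify(raw)


# Constructed sample responses for the offline check (not captured from a real server).
SAMPLE_401 = (b'SIP/2.0 401 Unauthorized\r\n'
              b'Via: SIP/2.0/UDP 192.0.2.10:40000;rport=40000;branch=z9hG4bKabc\r\n'
              b'WWW-Authenticate: Digest realm="example", nonce="MTIz", algorithm=MD5\r\n'
              b'Content-Length: 0\r\n\r\n')
SAMPLE_200 = (b'SIP/2.0 200 OK\r\n'
              b'Via: SIP/2.0/UDP 192.0.2.10:40000;rport=40000;branch=z9hG4bKabc\r\n'
              b'Allow: INVITE, ACK, BYE, CANCEL, OPTIONS, REGISTER\r\n'
              b'Content-Length: 0\r\n\r\n')

if __name__ == '__main__':
    import sys
    print(classify(SAMPLE_401))
    print(classify(SAMPLE_200))
    if len(sys.argv) > 1:                      # e.g. python3 sip_probe.py sipreg1.example.com
        print(probe(sys.argv[1]))
```

A result of `digest-tai-active` after the restart means either the property was not created on that member or the node has not been synchronized yet; a timeout means the request never reached a listener, which is worth knowing in its own right after the port clean-up above.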
Restarting and synchronizing nodes in the cluster:
Synchronize the nodes in an IBM WebSphere Application Server network deployment.
About this task
Synchronizing nodes in a cluster ensures that each node holds an up-to-date copy of the master configuration kept by the Deployment Manager.
1. Log in to the Deployment Manager's (the Lotus Sametime System Console) Integrated Solutions Console as the WebSphere administrator.
2. Stop the Deployment Manager:
a. Click System Administration → Deployment manager.
b. Click the "Configuration" tab.
c. On the Configuration tab of the deployment manager settings, click Stop.
3. Now start the Deployment Manager:
a. Open a command window and navigate to the app_server_root/profiles/DeploymentManagerName/bin directory.
b. Run the following command:
IBM AIX, Linux, or Solaris
./startManager.sh

Microsoft Windows
startManager.bat

IBM i
1) On the Control Language (CL) command line, run the Start Qshell (STRQSH) command.
2) At the Qshell prompt, run the following commands:
cd app_server_root/bin
startServer dmgr

3) Use the Work with Active Jobs (WRKACTJOB) command to determine when the deployment manager is ready to accept administrative requests through the administrative console.
4) Add a node to the network deployment profile, as described in "Adding nodes to deployment manager profiles on IBM i". Run the addNode command from the Qshell command shell to federate the default application server profile into the Network Deployment cell.
5) Verify that the node agent is running, as described in "Verifying that the node agent is running on IBM i". Use the Work with Active Jobs (WRKACTJOB) command to determine when the node agent is ready to accept administrative requests through the administrative console.
6) Start the administrative console for the deployment manager. Open the administrative console in a Web browser, as described in "Starting the administrative console for deployment managers on IBM i".
7) Verify that the node exists, as described in "Verifying that nodes exist on IBM i". Use the administrative console to verify that the WebSphere Application Server node was successfully added to the deployment manager domain.
4. Synchronize all the nodes:
a. In the Deployment Manager's Integrated Solutions Console, click System Administration → Nodes.
b. Click Full Resynchronize.
5. Restart all nodes in the cluster:
a. In the Deployment Manager's Integrated Solutions Console, click System Administration → Node agents.
b. Click a node agent, and then click Start (or Restart if the node agent is already running).
Restarting the application servers in the cluster:
During cluster configuration, each node's application server was stopped so that the node could be federated. Start all of the application servers now.
About this task
Use the IBM Lotus Sametime System Console to start each of the application servers in the cluster.
1. Log in to the Deployment Manager's (the Lotus Sametime System Console) Integrated Solutions Console as the WebSphere administrator.
2. Click Servers → Server types → WebSphere application servers in the navigation tree.
3. Select the application server's check box and click Start. The status column changes to show that the application server is running.
4. Repeat for every application server in the cluster.
Note: If you created a vertical cluster, you need to start all of the application servers on every node.
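The heap-size task earlier in this procedure ("Increasing the heap size for a clustered SIP Proxy and Registrar component") has to be repeated on every cluster member and is gated by a sizing rule that is easy to overlook in a vertical cluster, where several JVMs share one computer. The following wsadmin Jython script is an added example and is not part of the IBM guide or the Sametime product: it reads the cluster's membership from the cell, checks that the planned maximum heaps on each node stay below half of that node's RAM, and only then applies the guide's 256 MB / 1024 MB heap settings and the rolling GC log argument to every member, saves, and pushes the configuration to the node agents. The cluster name, the node RAM figures and the availability of the AdminNodeManagement script library are assumptions about your cell. It is written in the Python 2.1 subset that wsadmin's Jython accepts, so it also runs unchanged under Python 3 for the sizing check alone.

```python
# Added example, not from the IBM guide: apply the SIP Proxy and Registrar
# JVM settings to every cluster member after checking the guide's sizing
# rule.  Python 2.1 subset on purpose (wsadmin's Jython): no True/False,
# no str.format(), print with a single argument only.

INITIAL_HEAP_MB = 256
MAX_HEAP_MB = 1024
# One rolling verbose GC log of 14000 GC cycles per server (about 20 MB), as in step 7 of the guide.
GENERIC_JVM_ARGS = '-Xverbosegclog:${SERVER_LOG_ROOT}/gc.log,1,14000'


def heap_budget(servers, node_ram_mb, max_heap_mb=MAX_HEAP_MB):
    """Return {node: (planned_heap_mb, limit_mb, ok)} for a list of (server, node) pairs.

    Pass every JVM that runs on the node (all vertical cluster members and any
    other application server there) so the total is honest.  A node whose RAM
    is unknown is reported with limit None and ok 0.  The comparison is strict,
    matching the guide's 'less than half of the total RAM'.
    """
    planned = {}
    for server, node in servers:
        planned[node] = planned.get(node, 0) + max_heap_mb
    report = {}
    for node in planned.keys():
        ram = node_ram_mb.get(node)
        if ram is None:
            report[node] = (planned[node], None, 0)
        else:
            limit = int(ram / 2)
            report[node] = (planned[node], limit, planned[node] < limit)
    return report


def cluster_members(cluster_name):
    """wsadmin only: return [(memberName, nodeName), ...] for the named cluster."""
    cluster = AdminConfig.getid('/ServerCluster:%s/' % cluster_name)
    if not cluster:
        raise ValueError('no cluster named %s in this cell' % cluster_name)
    members = []
    for m in AdminConfig.list('ClusterMember', cluster).splitlines():
        members.append((AdminConfig.showAttribute(m, 'memberName'),
                        AdminConfig.showAttribute(m, 'nodeName')))
    return members


def apply_jvm_settings(servers):
    """wsadmin only: set heap sizes and the GC log argument on each (server, node), then save."""
    for server, node in servers:
        server_id = AdminConfig.getid('/Node:%s/Server:%s/' % (node, server))
        jvm = AdminConfig.list('JavaVirtualMachine', server_id).splitlines()[0]
        AdminConfig.modify(jvm, [['initialHeapSize', str(INITIAL_HEAP_MB)],
                                 ['maximumHeapSize', str(MAX_HEAP_MB)],
                                 ['genericJvmArguments', GENERIC_JVM_ARGS]])
    AdminConfig.save()


def main():
    cluster_name = 'STMediaSIPProxyRegCluster'                        # assumption
    node_ram_mb = {'stmedia1Node01': 8192, 'stmedia2Node01': 8192}    # assumption
    servers = cluster_members(cluster_name)
    report = heap_budget(servers, node_ram_mb)
    blocked = 0
    for node in report.keys():
        planned, limit, ok = report[node]
        print('%s: %d MB of heap planned, limit %s MB' % (node, planned, limit))
        if not ok:
            blocked = 1
    if blocked:
        raise ValueError('heap plan exceeds half of RAM on at least one node; '
                         'change MAX_HEAP_MB or the member layout before applying')
    apply_jvm_settings(servers)
    AdminNodeManagement.syncActiveNodes()   # push the saved configuration to the node agents


try:
    AdminConfig            # defined only when running inside wsadmin
    _IN_WSADMIN = 1
except NameError:
    _IN_WSADMIN = 0

if _IN_WSADMIN:
    main()
```

Run it from the Deployment Manager profile with `wsadmin -lang jython -f set_sipreg_heap.py`, then restart the cluster members as described above so the new JVM settings take effect. A three-member vertical cluster on a 4 GB node fails the check (3 x 1024 MB is not below 2048 MB), which is exactly the case the guide's rule is meant to catch.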

Clustering Conference Manager components
Configuring a cluster of IBM Lotus Sametime Media Manager "Conference Manager" components involves several tasks, including synchronizing system clocks and configuring one or more IBM WebSphere proxy servers to operate with the cluster.

Before you begin
You can create two types of clusters:
v A vertical cluster resides on the Primary Node and includes two or more cluster members, which run the same application.
v A horizontal cluster includes a Primary Node plus one or more Secondary Nodes, all running the same application. Each node contains one cluster member.

Before you can configure a cluster of Lotus Sametime Media Manager "Conference Manager" components, you must have installed the following servers:
1. Lotus Sametime System Console
This server will function as the cluster's Deployment Manager; the console can function as the Deployment Manager for multiple clusters.
2. Lotus Sametime Community Server
At least one Lotus Sametime Community Server must be deployed to provide presence and awareness for users attending online meetings.
3. Lotus Sametime Meeting Server
At least one Lotus Sametime Meeting Server must be deployed to host online meetings where the audio and video features will be used.
4. Lotus Sametime Media Manager "Packet Switcher" component
At least one Packet Switcher component must be deployed to route audio and video data to participant endpoints.
5. One Lotus Sametime Media Manager "Conference Manager" component, installed with the Network Deployment → Primary Node option.
Every cluster requires exactly one Primary Node. The application server on the Primary Node will function as the cluster's application template. All other application servers in the cluster (nodes and cluster members) will be duplicated from the Primary Node's application server. The Primary Node's application server can only belong to one cluster. The Primary Node can be used as a container for additional cluster members when creating a vertical cluster (multiple cluster members on the same physical system).
6. (Horizontal cluster only) One or more Lotus Sametime Media Manager "Conference Manager" components, installed with the Network Deployment → Secondary Node option.
Secondary Nodes are used to horizontally scale your cluster across multiple physical systems. These additional nodes act as containers for additional cluster members, which can be used to balance loads and provide failover within the cluster. During the clustering process, you can deploy additional product application servers on any Secondary Nodes within the cluster, creating a horizontal cluster.
To cluster Conference Manager components, complete the following tasks in the sequence shown:
Setting clocks on the servers to be clustered:
Synchronize the system clocks on the servers to be clustered with an IBM WebSphere Application Server network deployment.
About this task
This task is required to ensure that the servers can be federated to the Deployment Manager during creation of the cluster. Working on the Lotus Sametime System Console, complete this task for every server that you will add to the cluster.
For each server that will be added to the cluster, set the system clock to exactly the same time as the Deployment Manager's (the Lotus Sametime System Console) system clock. Pointing every server and the console at the same NTP time source keeps the clocks aligned after this initial setting, rather than leaving it a manual task that has to be repeated.
Clustering Sametime servers running on WebSphere Application Server:
Use the IBM Lotus Sametime System Console to create a cluster of Lotus Sametime servers hosted on IBM WebSphere Application Server. The Lotus Sametime servers must all be running the same type of server; for example, Lotus Sametime Meeting Server, Lotus Sametime Proxy Server, Lotus Sametime Media Manager Conference Manager, or Lotus Sametime Media Manager SIP Proxy and Registrar.
Before you begin
Start the Lotus Sametime System Console and the servers you intend to cluster.
Note: This guided activity is only for Lotus Sametime servers hosted on IBM WebSphere Application Server, and does not apply to the Lotus Sametime Community Server.
About this task
Multiple product clusters are not supported on a single computer; however, vertical clusters (all cluster members installed on the Primary Node) are supported when each product cluster is on a dedicated computer. A horizontal cluster is defined as a cluster with each cluster member having a dedicated computer (one on the Primary Node and one on each Secondary Node). If you have not already opened the Cluster WebSphere Application Servers guided activity, follow these steps:
1. From a browser, enter the following URL, replacing serverhostname.domain with the fully qualified domain name of the Lotus Sametime System Console server:
http://serverhostname.domain:8700/ibm/console
2. Enter the WebSphere Application Server user ID and password that you created when you installed the Lotus Sametime System Console.
3. Click the Sametime System Console task to open it in the navigation tree.
4. Click Guided Activities → Cluster WebSphere Application Servers.
Guided activity: Clustering Sametime servers running on WebSphere Application Server:
This guided activity takes you through the steps for clustering IBM Lotus Sametime servers hosted on IBM WebSphere Application Server. The servers you add to the cluster must all be running the same Lotus Sametime product application; for example, Lotus Sametime Meeting Server, Lotus Sametime Proxy Server, Lotus Sametime Media Manager Conference Manager, or Lotus Sametime Media Manager SIP Proxy and Registrar.
Before you begin
Install the Lotus Sametime System Console and two or more Lotus Sametime servers of the same product type; then start the Lotus Sametime System Console and all of the servers you plan to cluster.
This guided activity applies to the following Lotus Sametime servers:
v Lotus Sametime Proxy Server
v Lotus Sametime Meeting Server
v Lotus Sametime Media Manager
Clustering is not available for the Packet Switcher; it is also not available for an "All Components" installation of the Media Manager, which includes the Packet Switcher. The Conference Manager components and the SIP Proxy and Registrar components must be installed and clustered on dedicated computers. Multiple product clusters are not supported on a single computer; however, vertical clusters (all cluster members installed on the Primary Node) are supported when each product cluster is on a dedicated computer.
A horizontal cluster is defined as a cluster with each cluster member having a dedicated computer (one on the Primary Node and one on each Secondary Node). Note that you cannot use this activity to cluster Lotus Sametime Community Servers (see ″Clustering Lotus Sametime Community Servers″) or Lotus Sametime Gateway servers (see ″Installing Lotus Sametime Gateway servers in a cluster″). Attention: If you are creating a cluster of Lotus Sametime Proxy Servers, make sure that you have set the location for the application binaries on the Primary Node (explained in ″Preparing the Primary Node″) before you proceed. About this task Configure a cluster of one type of product server to improve performance with high availability, and to provide failover. You can create a horizontal cluster in which each node is hosted on a separate computer, as well as a vertical cluster with multiple cluster members hosted on the Primary Node.

146

Lotus Sametime: Installation and Administration Guide Part 2

These instructions assume that you will use the Lotus Sametime System Console as the cluster’s Deployment Manager, which provides a single Integrated Solutions Console for all WebSphere administrative functions for all servers participating in the cell; this simplifies the administrative experience.

1. Cluster WebSphere Application Servers. Click Next to begin the clustering activity.
2. Select Product to Cluster. Select the product server to cluster, and then click Next.
   The list only displays Lotus Sametime products for which one or more servers have been installed and registered with the Lotus Sametime System Console. If you installed servers using deployment plans, they are registered with the console automatically. If you did not use a deployment plan, you must manually register the servers with the console before proceeding (see "Registering servers with the Lotus Sametime System Console").
3. Select or Create a Cluster.
   To create a new cluster:
   a. Click Create Cluster.
   b. Type a descriptive name for the cluster in the Cluster Name field. For example, if you are creating a cluster of Lotus Sametime Meeting Servers, you will probably want to indicate that in the cluster name so you can easily identify it later.
   c. Click Next.
   To modify an existing cluster; for example, to add a new cluster member:
   a. Click Select Existing Cluster.
   b. Select a cluster in the Cluster Name list. If you are going to add a node or cluster member to the cluster, you must use the same Lotus Sametime product. For example, you cannot add a Lotus Sametime Meeting Server cluster member to a cluster of Lotus Sametime Proxy Servers.
   c. Click Next.
4. Select the Deployment Manager. In the Select Deployment Manager list, select the Lotus Sametime System Console as the cluster’s deployment manager, and then click Next. Every cluster must have exactly one Deployment Manager; the Lotus Sametime System Console can function as the Deployment Manager for multiple clusters.
5. Select the Primary Node.
   a. In the Select Primary Node list, select the server that will serve as the cluster’s primary node. Every cluster must have exactly one Primary Node, the application server that will function as a template for the cluster member servers. All Secondary Nodes and Cluster Members will be created by duplicating the application server hosted on the Primary Node.
   b. Click the Federate Node button to provide the Deployment Manager with configuration information about the new node.
      Note: Make sure that the Primary Node’s application server is running. This action allows the Primary Node to be administered from the Deployment Manager’s Integrated Services Console. The federation and clustering processes are very complex and may take 5-10 minutes to complete. Please be patient; click these buttons only once and then wait for the page to finish loading before continuing.
      If the federate primary node action completed and the Create cluster button is not enabled, or the federate primary node returned an error, wait 3-5 minutes and retry the operation by clicking the Federate Node button again. If this operation continues to fail, it may be necessary to restart the Deployment Manager and Primary Node and then click the Federate Node button again to continue the guided activity.
   c. Click the Create cluster button to configure the cluster settings, and then click Next. Do not click anywhere on the browser until the operation completes or it may interrupt the clustering process.
6. Select One or More Secondary Nodes. If you are creating a horizontal cluster where each node is hosted on a separate computer, add one or more secondary nodes to the cluster. Be sure to federate each selected node before proceeding to select another.
   a. In the Secondary Node Name list, click the node you want to add to the cluster. You can add only one node at a time, and you must federate it before selecting the next node. If a node’s Status indicates "Federated" it already belongs to a cluster (either this cluster or a different one) and cannot be added now.
   b. Click the Federate Node button to provide the Deployment Manager with configuration information about the new node. Once the connection is complete, the node’s Status displays "Federated"; this may take some time, but do not proceed until the node has been successfully federated.
      If the federate node action completed and the Secondary Node’s status has not changed to "Federated" or the federate node returned an error, wait 3-5 minutes and then retry the operation by clicking the Federate Node button again. If this operation continues to fail, it may be necessary to restart the Deployment Manager and secondary node and then click the Federate Node button again to continue this guided activity.
   c. Repeat steps a. and b. until you have added all your Secondary Nodes to the cluster.
   d. Click Next.
7. Add Cluster Members. If you are creating a vertical cluster where multiple copies of the application are hosted on a single computer, add one or more "cluster members" to the Primary Node. If you are creating a horizontal cluster, add one cluster member to each of the secondary nodes you federated in the previous step.
   The table lists Cluster Members, the Node that the cluster resides on, and the Status of each cluster member. Each node in the cluster needs to have at least one cluster member created on it for the node to be used in the cluster. The status of a Cluster Member will be "Clustered" if the cluster member has been completely configured on the node. If the status is "Ready to Cluster", select the Cluster Member and use the "Add to Cluster" button to finish configuring the cluster member.
   Vertical cluster:
   a. To add a new cluster member, click New.


   b. Select the default name generated for the cluster member or enter your own cluster member server name.
   c. Select the Primary Node to create the cluster member on.
   d. Click the Add to Cluster button. The status will change from "Ready to cluster" to "Clustered".
   e. Click Next.
   Horizontal cluster:
   For each Secondary Node you federated in the previous step, a cluster member is prepopulated into the table for you, one on each of the Secondary Nodes.
   a. Select the default cluster member name for each server or update with your own name, and verify that the nodes the cluster member servers will be created on are correct for your topology.
   b. One at a time, select each cluster member and click the Add to Cluster button. Do not proceed until the current cluster member’s status changes from "Ready to cluster" to "Clustered"; then you can add the next cluster member.
   c. If you want to add more cluster members, click the New button to add another row to the table, and then fill out the information accordingly.
   d. Click Next.
8. Deployment Summary. Click Finish to save the cluster configuration.

Continue with the cluster configuration tasks described in the Sametime information center.

Configuring a WebSphere proxy server
Configure an IBM WebSphere proxy server to perform routing and caching tasks for a cluster of IBM Lotus Sametime servers running on WebSphere Application Server.

Before you begin
Create a cluster of Lotus Sametime servers running on WebSphere Application Server; start the Deployment Manager (the Lotus Sametime System Console) as well as all node agents and application servers in the cluster.

Use these instructions to configure a WebSphere proxy server that operates with the following Lotus Sametime server clusters:
- Meeting Server
- Conference Manager
- SIP Proxy and Registrar

About this task
A cluster of Lotus Sametime servers that run on WebSphere Application Server can use a WebSphere proxy server to manage routing and caching tasks. To ensure redundancy in the case of a proxy server failure, you may want to configure multiple proxy servers for the cluster. You can host a WebSphere proxy server on any node in the cluster (except the Lotus Sametime System Console) but because it uses a lot of system resources, you may want to host it on its own computer.


1. Log in to the Deployment Manager’s (the Lotus Sametime System Console) Integrated Solutions Console as the WebSphere administrator.
2. In the navigation tree, click Servers → Server Types → WebSphere proxy servers.
3. In the proxy servers table, click the New button at the top of the table.
4. In the "Create a new proxy server entry" dialog box, do the following:
   a. In the "Select a node" box, select the node that will host the WebSphere proxy server. Be sure to select a node that belongs to the appropriate cluster.
   b. Type a name for the new proxy server; for example "was_proxy1", and then click Next.
   c. In the "Specify server specific properties" box, select the appropriate "Support protocol" settings for your cluster, select Generate unique ports, and then click Next.
      - If you are configuring this WebSphere proxy server for a Meeting Server cluster: deselect the SIP protocol.
      - If you are configuring this WebSphere proxy server for a SIP Proxy and Registrar cluster: accept both HTTP and SIP protocols.
      - If you are configuring this WebSphere proxy server for a Conference Manager cluster: accept both HTTP and SIP protocols.
   d. In the "Select a server template" box, select proxy_server_foundation (the WebSphere Default Proxy Server Template), and then click Next.
   e. In the "Confirm new server" box, click Finish.
5. Save the new proxy server setting to the master configuration and synchronize the nodes in the cluster: WebSphere Application Server displays a message prompting you to save changes to the master configuration. Click Preferences → Synchronize Nodes, and then click Apply.
6. (Conference Manager cluster, SIP Proxy and Registrar cluster) Assign the new proxy server to the cluster:
   a. Click Servers → Server Types → Websphere proxy servers → proxy_server_name → SIP Proxy Server Settings → SIP proxy settings.
   b. In the "Default cluster" field, select the cluster that you are configuring this WebSphere proxy server to work with.
   c. Click Apply.
7. Now start the new WebSphere proxy server:
   a. Again in the Integrated Solutions Console’s navigation tree, click Servers → Proxy Servers.
   b. In the "Proxy Servers" page, select the new proxy server from the list.
   c. Click the Start button above the list of proxy servers.

Configuring the Conference Manager cluster
Complete the configuration for clustering IBM Lotus Sametime Media Manager Conference Manager components using an IBM WebSphere Application Server network deployment.

Before you begin
Create a cluster of Conference Manager components using the guided activity.


About this task
Completing the cluster’s configuration requires the following tasks:

Creating the McuEntryCache in the cluster scope
After the Conference Manager cluster has been created, remove all of the existing McuEntryCache instances and create a new one at the cluster scope.

Before you begin
Create a cluster of Conference Manager components.

About this task
The McuEntryCache object instance is required at the cluster scope so that all cluster members can access the list of Packet Switchers which are registered with the cluster. You need to remove the existing McuEntryCache from all scopes and create a new one at the cluster scope.

1. Log in to the Deployment Manager’s (the Lotus Sametime System Console) Integrated Solutions Console as the WebSphere administrator.
2. Click Resources → Cache Instances → Object Cache Instances.
3. Make sure that All scopes is selected.
4. In the table, click the box next to every occurrence of McuEntryCache, and then click the Delete button at the top of the table.
5. Click OK.
6. Next, create an McuEntryCache object at the cluster’s scope:
   a. In the All scopes list, select the Conference Manager cluster scope.
   b. In the table, click the New button at the top of the table.
   c. Fill in the following information for the new cache object:

      Name                            McuEntryCache
      JNDI name                       services/cache/mcu_map
      Cache size                      20000
      "Consistency settings"
      Enable cache replication        Select this option
      Full group replication domain   Select the domain name
      Replication type                Select Push only
      Push frequency                  1

7. Click OK.
8. Save your changes by clicking the Save link in the "Messages" box at the top of the page.

Removing unused ports from cluster members
Each member of a cluster has some ports defined at the server scope. Once the members are added to the cluster, those ports are no longer needed and should be removed.

1. Log in to the Deployment Manager’s (the Lotus Sametime System Console) Integrated Solutions Console as the WebSphere administrator.

2. Click Servers → Server Types → Websphere application servers → cluster_member_name.
3. In the "Application Servers" table, click the name of a cluster member. This displays the server’s "Configuration" page.
4. On the "Configuration" page, look under "Container Settings" and click SIP Container Settings → SIP container transport chains.
5. In the "Transport Chain" table, delete the following entries by clicking the checkbox for each entry and then clicking the Delete button at the top of the table:
   - SIPCInboundProxyReg
   - SIPCInboundProxyRegSecure
   - SIPCInboundProxyRegUDP
6. Save your changes by clicking the Save link in the "Messages" box at the top of the page.
7. Now go back up one level to the cluster member’s "Configuration" page; look under "Communication" and click Ports.
8. In the "Ports" table, delete the following entries by clicking the checkbox for each entry and then clicking the Delete button at the top of the table:
   - SIP_ProxyRegHOST
   - SIP_ProxyReg_SECURE
9. Save your changes by clicking the Save link in the "Messages" box at the top of the page.
10. Repeat this process for every cluster member.

Adding ports to the virtual host alias
After creating a cluster, add the SIP ports of each cluster member to the virtual host alias.

Before you begin
Create a cluster of IBM Lotus Sametime Media Manager "Conference Manager" components.

About this task
On the cluster’s Deployment Manager (the Lotus Sametime System Console), update the default_host virtual host with a unique set of Web access ports. Such a configuration lets a single host machine resemble multiple host machines.

Tip: Print this page and use the table to record the port settings as you look them up in steps 1 and 2:

Table 3. Write down the port numbers used for these settings in every cluster member

Setting                  Cluster member 1   Cluster member 2   Cluster member 3   Cluster member 4   Cluster member 5
WC_defaulthost
SOAP_CONNECTOR_ADDRESS
SIP_DEFAULTHOST
SIP_DEFAULTHOST_SECURE
PROXY_SIP_ADDRESS
PROXY_SIPS_ADDRESS

1. Determine the ports used by every cluster member:


   a. In the Deployment Manager’s (the Lotus Sametime System Console) Integrated Solutions Console, click Servers → Server Types → WebSphere application servers.
   b. In the table listing the servers, click the name of the cluster member. This displays the cluster member’s "Configuration" page.
   c. On the "Configuration" page, look under "Communication", and expand Ports.
   d. Look in the Ports table and write down the following port settings for use in the next step:
      - WC_defaulthost
      - SOAP_CONNECTOR_ADDRESS
      - SIP_DEFAULTHOST
      - SIP_DEFAULTHOST_SECURE
   e. Repeat this process for every cluster member.
2. Next, determine the ports used by every WebSphere proxy server that operates with this cluster.
   a. In the Deployment Manager’s (the Lotus Sametime System Console) Integrated Solutions Console, click Servers → Server Types → WebSphere proxy servers.
   b. In the table listing the servers, click the name of the WebSphere proxy server. This displays the proxy server’s "Configuration" page.
   c. On the "Configuration" page, look under "Communication", and expand Ports.
   d. Look in the Ports table and write down the following port settings for use in the next step:
      - PROXY_SIP_ADDRESS
      - PROXY_SIPS_ADDRESS
   e. Repeat this process for every WebSphere proxy server used by the cluster.
3. Now add the ports used by all the cluster members and all of the WebSphere proxy servers to the Deployment Manager’s Virtual Hosts table.
   a. Return to the Integrated Solutions Console navigation tree and click Environment → Virtual Hosts.
   b. In the Virtual Hosts table, click the host called default_host. This displays the "Configuration" page for the default_host.
   c. Under "Additional Properties", click Host Aliases.
   d. In the "Host Aliases" table, add the ports used by all of the cluster members (the information you collected in Step 1). Remember that you have information on 3 ports for each cluster member; however, if a port is already listed in the table, you do not need to add it again.
      To add a port:
      1) Click the New button at the top of the table.
      2) In the Host Name field, type *.
      3) In the Port field, type a port from your list.
      4) Click OK.
      5) Repeat this for all 3 ports for every cluster member (unless a port is already listed in this table).

   e. Now delete all of the table entries that do not use * as the Host Name. To delete an entry, click on the check box next to it, and then click the Delete button at the top of the table.
   f. Save the new port settings to the master configuration and synchronize the nodes in the cluster: WebSphere Application Server displays a message prompting you to save changes to the master configuration. Click the Preference → Synchronize nodes option before clicking the Save button.

Disabling authentication for the SIP Container
Create a custom property in IBM WebSphere Application Server to disable the "Digest TAI on SIP Container" setting on each member of a cluster of IBM Lotus Sametime Media Manager components.

About this task
When you use the Lotus Sametime System Console as the Deployment Manager for a cluster of Conference Manager or SIP Proxy and Registrar components, the "Use available authentication data when an unprotected URI is accessed" setting is enabled on the console to satisfy a requirement of the Lotus Sametime Meeting Server. As a result, the SIP Container requires authentication even though the Media Manager’s SIP applications are not configured with security constraints. All incoming SIP messages without credentials are rejected with a "401 Not Authorized" response. To prevent this problem, create a custom property that disables the "Digest TAI on SIP Container" setting for every cluster member.

1. Log in to the Deployment Manager’s (the Lotus Sametime System Console) Integrated Solutions Console as the IBM WebSphere administrator.
2. Click Servers → Server Types → Websphere application servers.
3. In the "Application Servers" table, click the name of a cluster member.
4. Under "Container settings" click SIP Container settings → SIP Container.
5. Under "Additional Properties" click Custom properties.
6. Click New.
7. In the Name field, enter com.ibm.ws.sip.security.enable.digest.tai exactly as shown here.
8. In the Value field, enter false.
9. Click the OK button.
10. Save your changes by clicking the Save link in the "Messages" box at the top of the page.
11. Repeat this process for every cluster member.

Configuring the Conference Manager cluster to use the SIP Proxy and Registrar cluster
After you create clusters of IBM Lotus Sametime Media Manager Conference Manager components and SIP Proxy and Registrar components, configure the Conference Manager cluster to work with the IBM WebSphere proxy server that is used by the SIP Proxy and Registrar cluster.


Before you begin
Create and configure the Conference Manager and SIP Proxy and Registrar clusters.

About this task
By default, a Conference Manager is configured to access the SIP Proxy and Registrar component directly, and must be reconfigured to communicate with a cluster. Modify the Conference Manager’s stavconfig.xml file to access the WebSphere proxy server used by the SIP Proxy and Registrar cluster. The WebSphere proxy server will direct SIP requests to available nodes in the cluster. Complete this task for every Conference Manager in the cluster.

1. On the server that is being used as the Deployment Manager, open the stavconfig.xml file for editing. The stavconfig.xml is located at:
dm_install_root/config/cells/cell_name/nodes/node_name/servers/server_name

For example:
config/cells/bassMediaCell1/nodes/bassMediaNode1/servers/STMediaServer

2. Modify the following settings:

   Option              Description
   SIPProxyServerHost  Use the host name of the computer where the WebSphere proxy server is installed for the SIP Proxy and Registrar cluster.
   SIPProxyServerPort  Use the PROXY_SIP_ADDRESS port value of the same WebSphere proxy server (used by the SIP Proxy and Registrar cluster).

For example:
<configuration lastUpdated="1226425838277" name="SIPProxyServerHost" value="wasproxy_pr.acme.com"/>
<configuration lastUpdated="1226425838277" name="SIPProxyServerPort" value="5080"/>

3. Save and close the file.
4. Repeat for every Conference Manager in the cluster.
5. Now synchronize all nodes in the cluster:
   a. In the Deployment Manager’s (the Lotus Sametime System Console) Integrated Solutions Console, click System Administration → Nodes.
   b. Click Full Resynchronize.

Restarting and synchronizing nodes in the cluster
Synchronize the nodes in an IBM WebSphere Application Server network deployment.

About this task
Synchronizing nodes in a cluster ensures that the Deployment Manager has an up-to-date copy of each node’s configuration.

1. Log in to the Deployment Manager’s (the Lotus Sametime System Console) Integrated Solutions Console as the WebSphere administrator.
2. Stop the Deployment Manager:
   a. Click System Administration → Deployment manager.

   b. Click the "Configuration" tab.
   c. On the Configuration tab of the deployment manager settings, click Stop.
3. Now start the Deployment Manager:
   a. Open a command window and navigate to the app_server_root/profiles/DeploymentManagerName/bin directory.
   b. Run the following command:
   IBM AIX, Linux, or Solaris
./startManager.sh

Microsoft Windows
startManager.bat

   IBM i
   1) On the Control Language (CL) command line, run the Start Qshell (STRQSH) command.
   2) At the Qshell prompt, run the following commands:
cd app_server_root/bin
startServer dmgr

   3) Use the Work with Active Jobs (WRKACTJOB) command to determine when the deployment manager is ready to accept administrative requests through the administrative console.
   4) Add a node to the network deployment profile, as described in Adding nodes to deployment manager profiles on IBM i. Run the addNode command from the Qshell command shell to federate the default application server profile into the Network Deployment cell.
   5) Verify that the node agent is running, as described in Verifying that the node agent is running on IBM i. Use the Work with Active Jobs (WRKACTJOB) command to determine when the node agent is ready to accept administrative requests through the administrative console.
   6) Start the administrative console for the deployment manager. Open the administrative console in a Web browser, as described in Starting the administrative console for deployment managers on IBM i.
   7) Verify that the node exists, as described in Verifying that nodes exist on IBM i. Use the administrative console to verify that the WebSphere Application Server node was successfully added to the deployment manager domain.
4. Synchronize all the nodes:
   a. In the Deployment Manager’s Integrated Solutions Console, click System Administration → Nodes.
   b. Click Full Resynchronize.
5. Restart all nodes in the cluster:
   a. In the Deployment Manager’s Integrated Solutions Console, click System Administration → Node agents.
   b. Click a node agent, and then click Start (or Restart if the node agent is already running).

Restarting the application servers in the cluster
During cluster configuration, each node’s application server was stopped so that the node could be federated. Start all of the application servers now.


About this task
Use the IBM Lotus Sametime System Console to start each of the application servers in the cluster.

1. Log in to the Deployment Manager’s (the Lotus Sametime System Console) Integrated Solutions Console as the WebSphere administrator.
2. Click Servers → Server types → WebSphere application servers in the navigation tree.
3. Select the application server’s check box and click Start. The status column changes to show that the application server is running.
4. Repeat for every application server in the cluster.

Note: If you created a vertical cluster, you will need to start all of the application servers on every node.

Configuring the Packet Switcher to access the cluster’s WebSphere proxy server
After you create clusters of IBM Lotus Sametime Media Manager Conference Manager and SIP Proxy and Registrar components, configure the Packet Switcher component to communicate with the cluster through the IBM WebSphere proxy server.

Before you begin
Install the Lotus Media Manager Packet Switcher component and start the server. Create and configure the Conference Manager and SIP Proxy and Registrar clusters.

About this task
By default, the Packet Switcher is configured to access the Conference Manager and the SIP Proxy and Registrar components directly, and must be reconfigured to communicate with clusters. Modify the Packet Switcher’s stavconfig.xml file to access the WebSphere proxy servers used by the Conference Manager cluster and the SIP Proxy and Registrar cluster. The WebSphere proxy server will direct SIP requests to available nodes in the cluster.

1. On the server hosting the Packet Switcher, open the stavconfig.xml file for editing. The stavconfig.xml is located at:
dm_install_root/config/cells/cell_name/nodes/node_name/servers/server_name

For example:
config/cells/bassMediaCell1/nodes/bassMediaNode1/servers/STMediaServer

2. Modify the following settings:

   Option                Description
   ConferenceServerHost  Use the host name of the computer where the WebSphere proxy server is installed for the Conference Manager cluster.
   ConferenceServerPort  Use the PROXY_SIP_ADDRESS port value of the same WebSphere proxy server (used by the Conference Manager cluster).
   SIPProxyServerHost    Use the host name of the computer where the WebSphere proxy server is installed for the SIP Proxy and Registrar cluster.
   SIPProxyServerPort    Use the PROXY_SIP_ADDRESS port value of the same WebSphere proxy server (used by the SIP Proxy and Registrar cluster).

For example:
<configuration lastUpdated="1226425838277" name="ConferenceServerHost" value="wasproxy_cf.acme.com"/>
<configuration lastUpdated="1226425838277" name="ConferenceServerPort" value="5062"/>
<configuration lastUpdated="1226425838277" name="SIPProxyServerHost" value="wasproxy_pr.acme.com"/>
<configuration lastUpdated="1226425838277" name="SIPProxyServerPort" value="5080"/>

3. Save and close the file.
4. (Optional) Synchronize all nodes in the Deployment Manager that manages the Packet Switcher. This step is not needed if the Packet Switcher was installed using the Network Deployment → Primary Node option.
   a. In the Deployment Manager’s Integrated Solutions Console, click System Administration → Nodes.
   b. Click Full Resynchronize.
5. Restart the Packet Switcher.
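The stavconfig.xml edit above (and the same edit for every Conference Manager in the previous task) is repeated by hand on each server. The following added example, which is not part of the Lotus Sametime product, applies the documented SIPProxyServerHost, SIPProxyServerPort, ConferenceServerHost and ConferenceServerPort changes to a constructed stavconfig.xml sample, validating the port values taken from PROXY_SIP_ADDRESS and refusing to touch any setting the page does not document. The root element name <stavconfig> and the sample host names are assumptions; only the <configuration name="..." value="..."/> element shape comes from the page.

```python
"""Update the WebSphere proxy settings in a Media Manager stavconfig.xml.

Added example, not Lotus Sametime code. Assumptions: the file is a plain XML
document whose <configuration> elements carry name/value/lastUpdated attributes
as shown in the guide; the <stavconfig> root and the sample values are constructed.
"""
import time
import xml.etree.ElementTree as ET

# The four settings the guide documents for Conference Manager and Packet Switcher.
PROXY_SETTINGS = (
    "ConferenceServerHost",  # host of the Conference Manager cluster's proxy
    "ConferenceServerPort",  # that proxy's PROXY_SIP_ADDRESS port
    "SIPProxyServerHost",    # host of the SIP Proxy and Registrar cluster's proxy
    "SIPProxyServerPort",    # that proxy's PROXY_SIP_ADDRESS port
)

# Constructed sample: a Packet Switcher still pointing at the components directly.
SAMPLE_STAVCONFIG = """<stavconfig>
  <configuration lastUpdated="1226425838277" name="ConferenceServerHost" value="cf1.acme.com"/>
  <configuration lastUpdated="1226425838277" name="ConferenceServerPort" value="5060"/>
  <configuration lastUpdated="1226425838277" name="SIPProxyServerHost" value="pr1.acme.com"/>
  <configuration lastUpdated="1226425838277" name="SIPProxyServerPort" value="5060"/>
  <configuration lastUpdated="1226425838277" name="SomeOtherSetting" value="keep-me"/>
</stavconfig>
"""


def _validate(name, value):
    """Normalise one requested value, rejecting anything that cannot reach a proxy."""
    if name not in PROXY_SETTINGS:
        raise ValueError(f"{name} is not a proxy setting documented for stavconfig.xml")
    if name.endswith("Port"):
        text = str(value)
        if not text.isdigit() or not 1 <= int(text) <= 65535:
            raise ValueError(f"{name}: {value!r} is not a valid port number")
        return str(int(text))
    host = str(value).strip()
    if not host or any(ch.isspace() for ch in host):
        raise ValueError(f"{name}: {value!r} is not a usable host name")
    return host


def update_proxy_settings(xml_text, new_values, now_ms=None):
    """Return (updated XML text, list of setting names whose value changed).

    new_values maps a documented setting name to the proxy host or port to use.
    Every requested name must already exist in the file; a missing element means
    this is not the file the guide describes, so nothing is written.
    """
    root = ET.fromstring(xml_text)
    stamp = str(int(time.time() * 1000) if now_ms is None else now_ms)
    wanted = {name: _validate(name, value) for name, value in new_values.items()}
    seen, changed = set(), []
    for elem in root.iter("configuration"):
        name = elem.get("name")
        if name not in wanted:
            continue
        seen.add(name)
        if elem.get("value") != wanted[name]:
            elem.set("value", wanted[name])
            elem.set("lastUpdated", stamp)  # mirror the timestamp the guide shows
            changed.append(name)
    missing = sorted(set(wanted) - seen)
    if missing:
        raise KeyError(f"settings not present in stavconfig.xml: {missing}")
    return ET.tostring(root, encoding="unicode"), changed


def current_settings(xml_text):
    """Read back the documented proxy settings, for a post-edit check."""
    root = ET.fromstring(xml_text)
    return {e.get("name"): e.get("value")
            for e in root.iter("configuration") if e.get("name") in PROXY_SETTINGS}


if __name__ == "__main__":
    updated, changed = update_proxy_settings(SAMPLE_STAVCONFIG, {
        "ConferenceServerHost": "wasproxy_cf.acme.com",
        "ConferenceServerPort": 5062,
        "SIPProxyServerHost": "wasproxy_pr.acme.com",
        "SIPProxyServerPort": 5080,
    })
    print("changed:", changed)
    print(updated)
```

Running the same values a second time reports no changes, which makes the script safe to re-run as part of the "repeat for every Conference Manager" step.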

Mapping application modules to the correct cluster
If you created clusters for both the SIP Proxy and Registrar components and the Conference Manager components, and will use the IBM Lotus Sametime System Console as the Deployment Manager for both clusters, you must map the specific component applications to their respective clusters.

Before you begin
Create a cluster of SIP Proxy and Registrar components and a cluster of Conference Manager components.

About this task
This task is only needed when the following conditions are true:
- Both the SIP Proxy and Registrar components and the Conference Manager components are clustered.
- The Lotus Sametime System Console is serving as the Deployment Manager for both clusters.

You will map the SIP Proxy application and the SIP Registrar application to the SIP Proxy and Registrar cluster; then you will map the Conference Focus application to the Conference Manager cluster.

1. Map the SIP Proxy application module to the SIP Proxy and Registrar cluster.
   a. Log in to the Deployment Manager’s (the Lotus Sametime System Console) Integrated Solutions Console as the IBM WebSphere administrator.
   b. Click Applications → Application Types → Websphere enterprise applications.


   c. In the Enterprise Applications table, click the IBM Lotus SIP Proxy link to open its Configuration page.
   d. Under "Module" click Manage Modules. In the Modules table, look at the "Server" column for "IBM Lotus SIP Proxy". This value should be the SIP Proxy and Registrar cluster (look for the name you assigned when you created that cluster). If the value is correct, skip to Step 2. Otherwise, continue with this step and assign the SIP Proxy to the correct cluster.
   e. Click the box in front of the IBM Lotus SIP Proxy link to select that row in the table.
   f. Now click the "Clusters and servers" list above the table, and select the SIP Proxy and Registrar component cluster (look for the name you assigned when you created the cluster). This assigns the "IBM Lotus SIP Proxy" application module to the newly selected cluster. In the table, check the "Server" column for "IBM Lotus SIP Proxy" and make sure the correct cluster name now appears.
   g. Click OK.
   h. Save this change by clicking the Save link in the "Messages" box at the top of the page.
2. Now map the SIP Registrar application module to the SIP Proxy and Registrar cluster.
   a. Click the Enterprise Applications link in the breadcrumb trail (at the top of the page) to return to the Enterprise Applications table.
   b. In the Enterprise Applications table, click the IBM Lotus SIP Registrar link to open its Configuration page.
   c. Under "Module" click Manage Modules. In the Modules table, look at the "Server" column for "IBM Lotus SIP Proxy". This value should be the SIP Proxy and Registrar cluster (look for the name you assigned when you created that cluster). If the value is correct, skip to Step 3. Otherwise, continue with this step and assign the SIP Registrar to the correct cluster.
   d. Click the box in front of the IBM Lotus SIP Registrar link to select that row in the table.
   e. Now click the "Clusters and servers" list above the table, and select the SIP Proxy and Registrar component cluster (look for the name you assigned when you created the cluster). This assigns the "IBM Lotus SIP Registrar" application module to the newly selected cluster. In the table, check the "Server" column for "IBM Lotus SIP Registrar" and make sure the correct cluster name now appears.
   f. Click OK.
   g. Save this change by clicking the Save link in the "Messages" box at the top of the page.
3. Finally, map the Conference Focus application module to the Conference Manager cluster.
   a. Click the Enterprise Applications link in the breadcrumb trail (at the top of the page) to return to the Enterprise Applications table.
   b. In the Enterprise Applications table, click the ConferenceFocus link to open its Configuration page.
   c. Under "Module" click Manage Modules.

Chapter 1. Configuring

159

      In the Modules table, look at the "Server" column for "ConferenceFocus". This value should be the Conference Manager cluster (look for the name you assigned when you created that cluster). If the value is correct, you have completed this task and can skip the rest of this step. Otherwise, continue with this step and assign the Conference Focus to the correct cluster.
   d. Click the box in front of the ConferenceFocus link to select that row in the table.
   e. Now click the "Clusters and servers" list above the table, and select the Conference Manager component cluster (look for the name you assigned when you created the cluster). This assigns the "ConferenceFocus" application module to the newly selected cluster. In the table, check the "Server" column for "ConferenceFocus" and make sure the correct cluster name now appears.
   f. Click OK.
   g. Save this change by clicking the Save link in the "Messages" box at the top of the page.

Configuring a Lotus Sametime Meeting Server
This section describes how to configure a Lotus Sametime Meeting Server.

Configuring the Sametime Meeting Server for document conversion
IBM Lotus Sametime Meeting Server lets you take files of various formats (slides, images, and documents) and convert them so they can be shared in a meeting room as slides.

About this task
The Lotus Sametime Meeting Server uses the file system on the server to store and convert documents and presentations to slides. This section shows you how to configure the server for document conversion technology.
Note: There are no special configuration steps for using document conversion technology on Windows servers.

Configuring the Sametime Meeting Server for document conversion on AIX
The IBM Lotus Sametime Meeting Server uses the file system on the server to store and convert documents and presentations for the meeting room. Follow these steps to configure document conversion technology on an AIX server.
1. Set the following environment variables. The WebSphere path might be different in your deployment.
PATH=$PATH:/opt/IBM/WebSphere/STMeetingsServer/stellent
export PATH
LIBPATH=$LIBPATH:/opt/IBM/WebSphere/STMeetingsServer/stellent
export LIBPATH

2. Install the X Virtual Frame Buffer (Xvfb) and configure it so it runs whenever you start WebSphere.
   a. Install the XVFB packages from your operating system CDs:
      - OpenGL.OpenGL_X.dev.vfb.05.01.0000.0000 or the equivalent
      - X11.vfb.05.01.0000.0000 or the equivalent


   b. Log in from a terminal shell as the root user and run the following command:
/usr/bin/X11/X -vfb -x GLX -x abx -x dbe -force :1 &

   c. Verify that the VFB is running properly by entering the following command:
/usr/lpp/X11/Xamples/bin/xprop -display server_name:1 -root | grep VFB

Here server_name is the name of your AIX server and 1 is the display number you have associated with this instance of the XVFB. It can be any number except 0. The following message appears:
XVFB_SCREEN(STRING) = "TRUE"

3. Set the DISPLAY variable to the display number you defined in the previous step:
DISPLAY=server_name:1
export DISPLAY

Configuring the Sametime Meeting Server for document conversion on Linux
The IBM Lotus Sametime Meeting Server uses the file system on the server to store and convert documents and presentations for the meeting room. Follow these steps to configure document conversion technology on a Linux server.
1. If you have legally licensed true-type fonts available, copy them to /opt/IBM/WebSphere/STMeetingsServer/stellent/fonts. Make sure that the extensions for the fonts are lowercase (*.ttf) and each font has the correct permission level (755).
2. Set the following environment variables. The WebSphere path might be different in your deployment.
PATH=$PATH:/opt/IBM/WebSphere/STMeetingsServer/stellent
export PATH
LD_LIBRARY_PATH=$LD_LIBRARY_PATH:/opt/IBM/WebSphere/STMeetingsServer/stellent
export LD_LIBRARY_PATH
GDFONTPATH=/opt/IBM/WebSphere/STMeetingsServer/stellent/fonts
export GDFONTPATH

Note: The LD_LIBRARY_PATH variable can be overwritten by other scripts. If you are able to convert image files but not other documents (.txt, .doc, .ppt, etc.), this might be the cause. Type 'set' in a terminal to see whether this variable is still set and has the correct value.
Note: The GDFONTPATH variable must not begin with a ':'. The only value that should be set here is the path to the fonts. Do not append anything before or after it.

Configuring the Sametime Meeting Server for document conversion on Solaris
The IBM Lotus Sametime Meeting Server uses the file system on the server to store and convert documents and presentations for the meeting room. Follow these steps to configure document conversion technology on a Solaris server.
1. If you have legally licensed true-type fonts available, copy them to /opt/IBM/WebSphere/STMeetingsServer/stellent/fonts. Make sure that the extensions for the fonts are lowercase (*.ttf) and each font has the correct permission level (755).
2. Set the following environment variables. The WebSphere path might be different in your deployment.


PATH=$PATH:/opt/IBM/WebSphere/STMeetingsServer/stellent
export PATH
LD_LIBRARY_PATH=$LD_LIBRARY_PATH:/opt/IBM/WebSphere/STMeetingsServer/stellent
export LD_LIBRARY_PATH
GDFONTPATH=/opt/IBM/WebSphere/STMeetingsServer/stellent/fonts
export GDFONTPATH

Note: The GDFONTPATH variable must not begin with a ':'. The only value that should be set here is the path to the fonts. Do not append anything before or after it.
3. If you cannot obtain suitable fonts for the GDFONTPATH option, you may set up an X Virtual Frame Buffer for conversion. Xvfb is already installed on Solaris 9 in /usr/openwin/bin. Solaris 8 users must obtain a separate implementation of Xvfb.
   a. Log in from a terminal shell as the root user and run the following command:
/usr/openwin/bin/Xvfb :1 -screen 0 1280x1024x8 &

You can assign any number except 0 in place of the number 1 in the above example. This is the display number you wish to have associated with this instance of the XVFB. You might get a "No such file or directory" message. This is normal.
   b. Verify that the VFB is running properly by entering the following command:
ps -ef | grep vfb

You should see the Xvfb process running.
4. Set the DISPLAY variable to the display number you defined in the previous step:
DISPLAY=server_name:1
export DISPLAY
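The pitfalls the Linux and Solaris steps above warn about (GDFONTPATH with a leading ':' or extra entries, LD_LIBRARY_PATH overwritten by another startup script, font files without a lowercase .ttf extension or without mode 755, and a frame buffer that is not running or sits on display 0) can all be verified from a shell before the Meeting Server is started. The script below is an added example and not part of the IBM guide; it assumes the default STMeetingsServer/stellent path shown above (override STELLENT_DIR if your WebSphere path differs) and that the fonts live in its fonts subdirectory, as the guide describes.

```shell
#!/bin/sh
# Added example (not from the IBM guide): sanity checks for the document
# conversion environment on a Linux or Solaris Lotus Sametime Meeting Server.
# STELLENT_DIR is an assumption taken from the default path in the guide.
STELLENT_DIR="${STELLENT_DIR:-/opt/IBM/WebSphere/STMeetingsServer/stellent}"
FONT_DIR="$STELLENT_DIR/fonts"

# GDFONTPATH must be exactly the fonts directory: the guide says it must not
# begin with ':' and nothing may be appended before or after it.
check_gdfontpath() {
  case "$1" in
    "")  return 1 ;;   # unset or empty
    *:*) return 1 ;;   # leading ':' or more than one entry
    *)   return 0 ;;
  esac
}

# Whether a colon-separated list (PATH, LD_LIBRARY_PATH) still contains a
# directory; other startup scripts may have overwritten the variable.
path_contains() {
  case ":$1:" in
    *":$2:"*) return 0 ;;
    *)        return 1 ;;
  esac
}

# Font files are only picked up with a lowercase .ttf extension.
font_name_ok() {
  case "$1" in
    *.ttf) return 0 ;;
    *)     return 1 ;;
  esac
}

# DISPLAY must carry a display number other than 0, e.g. server_name:1.
display_ok() {
  case "$1" in
    *:[1-9]*) return 0 ;;
    *)        return 1 ;;
  esac
}

# Live report against the current environment and file system.
# Run as:  sh convcheck.sh --check   (after exporting the variables)
run_live_checks() {
  rc=0
  path_contains "${PATH:-}" "$STELLENT_DIR" \
    || { echo "FAIL: PATH lacks $STELLENT_DIR"; rc=1; }
  path_contains "${LD_LIBRARY_PATH:-}" "$STELLENT_DIR" \
    || { echo "FAIL: LD_LIBRARY_PATH lacks $STELLENT_DIR (overwritten by another script?)"; rc=1; }
  check_gdfontpath "${GDFONTPATH:-}" \
    || { echo "FAIL: GDFONTPATH must be exactly the fonts directory, with no leading ':'"; rc=1; }
  if [ -d "$FONT_DIR" ]; then
    for f in "$FONT_DIR"/*; do
      [ -f "$f" ] || continue
      font_name_ok "$f" || { echo "FAIL: extension is not lowercase .ttf: $f"; rc=1; }
      # Approximate check for mode 755: the file must be readable and executable.
      if ! [ -r "$f" ] || ! [ -x "$f" ]; then
        echo "FAIL: expected permission level 755 on $f"; rc=1
      fi
    done
  else
    echo "WARN: $FONT_DIR not found; conversion will need an X Virtual Frame Buffer"
  fi
  if [ -n "${DISPLAY:-}" ]; then
    display_ok "$DISPLAY" \
      || { echo "FAIL: DISPLAY=$DISPLAY must use a display number other than 0"; rc=1; }
    # Bracketed patterns keep grep from matching its own command line.
    ps -ef | grep -e '[Xx]vfb' -e '[X] -vfb' >/dev/null \
      || { echo "FAIL: no X Virtual Frame Buffer process found for $DISPLAY"; rc=1; }
  fi
  [ "$rc" -eq 0 ] && echo "OK: document conversion environment looks consistent"
  return $rc
}

if [ "${1:-}" = "--check" ]; then
  run_live_checks
fi
```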

Configuring the Sametime Meeting Server for document conversion on IBM i
The IBM Lotus Sametime Meeting Server uses the file system on the server to store and convert documents and presentations for the meeting room. Follow these steps to configure document conversion technology on an IBM i server.

Before you begin
The following products must be installed in order to run conversion services on IBM i:
- Portable Application Solutions Environment (PASE), 5722SS1 or 5761SS1, option 33
- OS/400 - Additional Fonts, 5722SS1 or 5761SS1, option 43
1. Set the following environment variables. The number set in the DISPLAY environment variable must match the number used in the command to start the XVFB server in the next step.
ADDENVVAR ENVVAR(DISPLAY) VALUE('localhost:1') LEVEL(*SYS) REPLACE(*YES)
ADDENVVAR ENVVAR(LIBPATH) VALUE('/qibm/proddata/websphere/appserver/v7/STMeetingsServer/stellent') LEVEL(*SYS) REPLACE(*YES)
ADDENVVAR ENVVAR(PATH) VALUE('/usr/bin:.:/QOpenSys/usr/bin:/qibm/proddata/websphere/appserver/v7/STMeetingsServer/stellent') LEVEL(*SYS) REPLACE(*YES)


2. The X Virtual Frame Buffer is used in the file conversion process. It must be running for file conversions to take place. From an IBM i command line, run the following command. This example was formatted for readability; you must enter the command as a single line.
QSYS/SBMJOB CMD(QSYS/CALL PGM(QSYS/QP2SHELL) PARM('/usr/bin/X11/X' '-vfb' ':1' '-d' '24')) USER(QEJBSVR) JOB(QSTXVFB1) JOBQ(QSYSNOMAX)

This command starts the XVFB on DISPLAY :1.
Note: To check whether the XVFB server is running, use this command: WRKACTJOB JOB(QSTXVFB*).
The environment variables must be set when the Lotus Sametime Meeting Server starts, and the XVFB server must be running for file conversions to occur. If the Lotus Sametime Meeting Server was already running during this setup, it must be restarted before files will be converted.

Assigning administrators to the Meeting Room Center
The administrator role must be assigned to a subset of users that are allowed to see meeting statistics for all meeting rooms.

Before you begin
You need to do this first.

About this task
The default IBM Lotus Sametime Meeting Server installation maps all users to the administrator role, which allows all users to see meeting statistics. Meeting statistics will show all meeting rooms, including those that are hidden. Map the administrator role to a subset of users that are allowed to see meeting statistics for all rooms.
1. Log in to the Integrated Solutions Console.
2. Click Applications → Application Types → WebSphere enterprise applications.
3. Click the Lotus Sametime Meeting Server.
4. Under Detailed Properties, click Security role to user/group mapping.
5. To map the administrator role to a select set of users or groups, follow these steps:
   a. Select the administrator role, and click Map Users... or Map Groups....
   b. Select the name of the user or group and click the right arrow.
   c. Click OK.
6. To remove all authenticated users from the administrator role, follow these steps:
   a. Select the administrator role.
   b. Click Map Special Subjects.
   c. Select none.
   d. Click OK.

Clustering Lotus Sametime Meeting Servers
Configuring a cluster of IBM Lotus Sametime Meeting Servers involves several tasks, including synchronizing system clocks, configuring the cluster settings, and configuring an IBM WebSphere proxy server for the cluster, as well as optionally deploying an IBM Load Balancer in front of the cluster.

Before you begin
You can create two types of clusters:
- A Vertical cluster resides on the Primary node and includes two or more cluster members, which run the same application.
- A Horizontal cluster includes a Primary node plus one or more Secondary nodes, all running the same application. Each node contains one cluster member.

Before you can configure a cluster of Lotus Sametime Meeting Servers, you must have installed the following servers:
1. The Lotus Sametime System Console. This server will function as the cluster's Deployment Manager; the console can function as the Deployment Manager for multiple clusters.
2. (Optional) Lotus Sametime Community Servers. At least one Lotus Sametime Community Server must be deployed if you want to provide presence and awareness for users attending online meetings.
3. One Lotus Sametime Meeting Server installed with the Network Deployment → Primary Node option. Every cluster requires exactly one Primary Node. The application server on the Primary Node will function as the cluster's application template. All other application servers in the cluster (nodes and cluster members) will be duplicated from the Primary Node's application server. The Primary node's application server can only belong to one cluster. The Primary Node can be used as a container for additional cluster members when creating a vertical cluster (multiple cluster members on the same physical system).
4. (Horizontal cluster only) One or more Lotus Sametime Meeting Servers installed with the Network Deployment → Secondary Node option. Secondary nodes are used to horizontally scale your cluster across multiple physical systems. These additional nodes act as containers for additional cluster members, which can be used to balance loads and provide failover within the cluster. During the clustering process, you can deploy additional product application servers on any Secondary Nodes within the cluster, creating a horizontal cluster (one cluster member on each Secondary Node, plus one cluster member or one vertical cluster on the Primary Node).

About this task
There are several tasks involved in creating a cluster; complete them in the sequence shown here:

Setting clocks on the servers to be clustered
Synchronize the system clocks on the servers to be clustered with an IBM WebSphere Application Server network deployment.

About this task
This task is required to ensure that the servers can be federated to the Deployment Manager during creation of the cluster. Working on the Lotus Sametime System Console, complete this task for every server that you will add to the cluster. For each server that will be added to the cluster, set the system clock to exactly the same time as the Deployment Manager’s (the Lotus Sametime System Console) system clock.

Clustering Sametime servers running on WebSphere Application Server
Use the IBM Lotus Sametime System Console to create a cluster of Lotus Sametime Servers hosted on IBM WebSphere Application Server. The Lotus Sametime servers must all be running the same type of server; for example, Lotus Sametime Meeting Server, Lotus Sametime Proxy Server, Lotus Sametime Media Manager Conference Manager, or Lotus Sametime Media Manager SIP Proxy and Registrar.

Before you begin
Start the Lotus Sametime System Console and the servers you intend to cluster.
Note: This guided activity is only for Lotus Sametime servers hosted on IBM WebSphere Application Server, and does not apply to the Lotus Sametime Community Server.

About this task
Multiple product clusters are not supported on a single computer; however, vertical clusters (all cluster members installed on the Primary Node) are supported when each product cluster is on a dedicated computer. A horizontal cluster is defined as a cluster with each cluster member having a dedicated computer (one on the Primary Node and one on each Secondary Node).

If you have not already opened the Cluster WebSphere Application Servers guided activity, follow these steps:
1. From a browser, enter the following URL, replacing serverhostname.domain with the fully qualified domain name of the Lotus Sametime System Console server.
http://serverhostname.domain:8700/ibm/console
2. Enter the WebSphere Application Server User ID and password that you created when you installed the Lotus Sametime System Console.
3. Click the Sametime System Console task to open it in the navigation tree.
4. Click Guided Activities → Cluster WebSphere Application Servers.

Guided activity: Clustering Sametime servers running on WebSphere Application Server
This guided activity takes you through the steps for clustering IBM Lotus Sametime servers hosted on IBM WebSphere Application Server. The servers you add to the cluster must all be running the same Lotus Sametime product application; for example, Lotus Sametime Meeting Server, Lotus Sametime Proxy Server, Lotus Sametime Media Manager Conference Manager, or Lotus Sametime Media Manager SIP Proxy and Registrar.

Before you begin
Install the Lotus Sametime System Console and two or more Lotus Sametime servers of the same product type; then start the Lotus Sametime System Console and all of the servers you plan to cluster. This guided activity applies to the following Lotus Sametime servers:
- Lotus Sametime Proxy Server
- Lotus Sametime Meeting Server
- Lotus Sametime Media Manager
Clustering is not available for the Packet Switcher; it is also not available for an "All Components" installation of the Media Manager, which includes the Packet Switcher. The Conference Manager components and the SIP Proxy and Registrar components must be installed and clustered on dedicated computers.
Multiple product clusters are not supported on a single computer; however, vertical clusters (all cluster members installed on the Primary Node) are supported when each product cluster is on a dedicated computer. A horizontal cluster is defined as a cluster with each cluster member having a dedicated computer (one on the Primary Node and one on each Secondary Node).
Note that you cannot use this activity to cluster Lotus Sametime Community Servers (see "Clustering Lotus Sametime Community Servers") or Lotus Sametime Gateway servers (see "Installing Lotus Sametime Gateway servers in a cluster").
Attention: If you are creating a cluster of Lotus Sametime Proxy Servers, make sure that you have set the location for the application binaries on the Primary Node (explained in "Preparing the Primary Node") before you proceed.


About this task
Configure a cluster of one type of product server to improve performance with high availability, and to provide failover. You can create a horizontal cluster in which each node is hosted on a separate computer, as well as a vertical cluster with multiple cluster members hosted on the Primary Node. These instructions assume that you will use the Lotus Sametime System Console as the cluster's Deployment Manager, which provides a single Integrated Solutions Console for all WebSphere administrative functions for all servers participating in the cell; this simplifies the administrative experience.
1. Cluster WebSphere Application Servers. Click Next to begin the clustering activity.
2. Select Product to Cluster. Select the product server to cluster, and then click Next. The list only displays Lotus Sametime products for which one or more servers have been installed and registered with the Lotus Sametime System Console. If you installed servers using deployment plans, they are registered with the console automatically. If you did not use a deployment plan, you must manually register the servers with the console before proceeding (see "Registering servers with the Lotus Sametime System Console").
3. Select or Create a Cluster.
   To create a new cluster:
   a. Click Create Cluster.
   b. Type a descriptive name for the cluster in the Cluster Name field. For example, if you are creating a cluster of Lotus Sametime Meeting Servers, you will probably want to indicate that in the cluster name so you can easily identify it later.
   c. Click Next.
   To modify an existing cluster; for example, to add a new cluster member:
   a. Click Select Existing Cluster.
   b. Select a cluster in the Cluster Name list. If you are going to add a node or cluster member to the cluster, you must use the same Lotus Sametime product. For example, you cannot add a Lotus Sametime Meeting Server cluster member to a cluster of Lotus Sametime Proxy Servers.
   c. Click Next.
4. Select the Deployment Manager. In the Select Deployment Manager list, select the Lotus Sametime System Console as the cluster's deployment manager, and then click Next. Every cluster must have exactly one Deployment Manager; the Lotus Sametime System Console can function as the Deployment Manager for multiple clusters.
5. Select the Primary Node.
   a. In the Select Primary Node list, select the server that will serve as the cluster's primary node. Every cluster must have exactly one Primary Node, the application server that will function as a template for the cluster member servers. All Secondary Nodes and Cluster Members will be created by duplicating the application server hosted on the Primary Node.


   b. Click the Federate Node button to provide the Deployment Manager with configuration information about the new node.
      Note: Make sure that the Primary Node's application server is running.
      This action allows the Primary Node to be administered from the Deployment Manager's Integrated Solutions Console. The federation and clustering processes are very complex and may take 5-10 minutes to complete. Please be patient; click these buttons only once and then wait for the page to finish loading before continuing. If the federate primary node action completed and the Create cluster button is not enabled, or the federate primary node returned an error, wait 3-5 minutes and retry the operation by clicking the Federate Node button again. If this operation continues to fail, it may be necessary to restart the Deployment Manager and Primary Node and then click the Federate Node button again to continue the guided activity.
   c. Click the Create cluster button to configure the cluster settings, and then click Next. Do not click anywhere on the browser until the operation completes or it may interrupt the clustering process.
6. Select One or More Secondary Nodes. If you are creating a horizontal cluster where each node is hosted on a separate computer, add one or more secondary nodes to the cluster. Be sure to federate each selected node before proceeding to select another.
   a. In the Secondary Node Name list, click the node you want to add to the cluster. You can add only one node at a time, and you must federate it before selecting the next node. If a node's Status indicates "Federated" it already belongs to a cluster (either this cluster or a different one) and cannot be added now.
   b. Click the Federate Node button to provide the Deployment Manager with configuration information about the new node. Once the connection is complete, the node's Status displays "Federated"; this may take some time, but do not proceed until the node has been successfully federated. If the federate node action completed and the Secondary Node's status has not changed to "Federated" or the federate node returned an error, wait 3-5 minutes and then retry the operation by clicking the Federate Node button again. If this operation continues to fail, it may be necessary to restart the Deployment Manager and secondary node and then click the Federate Node button again to continue this guided activity.
   c. Repeat steps a. and b. until you have added all your Secondary Nodes to the cluster.
   d. Click Next.
7. Add Cluster Members. If you are creating a vertical cluster where multiple copies of the application are hosted on a single computer, add one or more "cluster members" to the Primary Node. If you are creating a horizontal cluster, add one cluster member to each of the secondary nodes you federated in the previous step. The table lists Cluster Members, the Node that the cluster resides on, and the Status of each cluster member. Each node in the cluster needs to have at least one cluster member created on it for the node to be used in the cluster. The status of a Cluster Member will be "Clustered" if the cluster member has been completely configured on the node. If the status is "Ready to Cluster", select the Cluster Member and use the "Add to Cluster" button to finish configuring the cluster member.
   Vertical cluster:
   a. To add a new cluster member, click New.
   b. Select the default name generated for the cluster member or enter your own cluster member server name.
   c. Select the Primary Node to create the cluster member on.
   d. Click the Add to Cluster button. The status will change from "Ready to cluster" to "Clustered".
   e. Click Next.
   Horizontal cluster: For each Secondary Node you federated in the previous step, a cluster member is prepopulated into the table for you, one on each of the Secondary Nodes.
   a. Select the default cluster member name for each server or update with your own name, and verify that the nodes the cluster member servers will be created on are correct for your topology.
   b. One at a time, select each cluster member and click the Add to Cluster button. Do not proceed until the current cluster member's status changes from "Ready to cluster" to "Clustered"; then you can add the next cluster member.
   c. If you want to add more cluster members, click the New button to add another row to the table, and then fill out the information accordingly.
   d. Click Next.
8. Deployment Summary. Click Finish to save the cluster configuration. Continue with the cluster configuration tasks described in the Sametime information center.

Configuring the cluster
Complete the configuration for clustering IBM Lotus Sametime Meeting Servers using an IBM WebSphere Application Server network deployment.

Before you begin
Create a cluster of Lotus Sametime Meeting Servers using the guided activity, synchronize the nodes in the cluster, and start all of the application servers.

About this task
Completing the cluster's configuration requires the following tasks:

Restarting and synchronizing nodes in the cluster:
Synchronize the nodes in an IBM WebSphere Application Server network deployment.

About this task
Synchronizing nodes in a cluster ensures that the Deployment Manager has an up-to-date copy of each node's configuration.

1. Log in to the Deployment Manager's (the Lotus Sametime System Console) Integrated Solutions Console as the WebSphere administrator.
2. Stop the Deployment Manager:
   a. Click System Administration → Deployment manager.
   b. Click the "Configuration" tab.
   c. On the Configuration tab of the deployment manager settings, click Stop.
3. Now start the Deployment Manager:
   a. Open a command window and navigate to the app_server_root/profiles/DeploymentManagerName/bin directory.
   b. Run the following command:
   IBM AIX, Linux, or Solaris
./startManager.sh

Microsoft Windows
startManager.bat

   IBM i
   1) On the Control Language (CL) command line, run the Start Qshell (STRQSH) command.
   2) At the Qshell prompt, run the following commands:
cd app_server_root/bin
startServer dmgr

   3) Use the Work with Active Jobs (WRKACTJOB) command to determine when the deployment manager is ready to accept administrative requests through the administrative console.
   4) Add a node to the network deployment profile, as described in Adding nodes to deployment manager profiles on IBM i. Run the addNode command from the Qshell command shell to federate the default application server profile into the Network Deployment cell.
   5) Verify that the node agent is running, as described in Verifying that the node agent is running on IBM i. Use the Work with Active Jobs (WRKACTJOB) command to determine when the node agent is ready to accept administrative requests through the administrative console.
   6) Start the administrative console for the deployment manager. Open the administrative console in a Web browser, as described in Starting the administrative console for deployment managers on IBM i.
   7) Verify that the node exists, as described in Verifying that nodes exist on IBM i. Use the administrative console to verify that the WebSphere Application Server node was successfully added to the deployment manager domain.
4. Synchronize all the nodes:
   a. In the Deployment Manager's Integrated Solutions Console, click System Administration → Nodes.
   b. Click Full Resynchronize.
5. Restart all nodes in the cluster:
   a. In the Deployment Manager's Integrated Solutions Console, click System Administration → Node agents.
   b. Click a node agent, and then click Start (or Restart if the node agent is already running).


Restarting the application servers in the cluster:
During cluster configuration, each node's application server was stopped so that the node could be federated. Start all of the application servers now.

About this task
Use the IBM Lotus Sametime System Console to start each of the application servers in the cluster.
1. Log in to the Deployment Manager's (the Lotus Sametime System Console) Integrated Solutions Console as the WebSphere administrator.
2. Click Servers → Server types → WebSphere application servers in the navigation tree.
3. Select the application server's check box and click Start. The status column changes to show that the application server is running.
4. Repeat for every application server in the cluster.
Note: If you created a vertical cluster, you will need to start all of the application servers on every node.

Deleting the cluster-wide topic space:
Delete the default topic space assigned to a cluster to prevent messages directed to a specific cluster member appearing for every cluster member.

About this task
A topic space publishes messages that subscriber processes can receive. When you create a cluster, the cluster as a whole is assigned to the default topic space, which publishes messages for all cluster members. This can cause confusion when an error is reported against a particular cluster member and yet shows up in the logs for all of the other cluster members as well. Delete the cluster-wide topic space by completing the following steps:
1. Log in to the Deployment Manager's (the Lotus Sametime System Console) Integrated Solutions Console as the WebSphere administrator.
2. Click Resources → JMS → Topics.
3. In the table listing the topics, locate the topic whose "Scope" is set to: Cluster=cluster_name, where cluster_name is the name of the cluster you are configuring.
4. Click the box next to the topic's name to select it. The topic space is deleted along with the topic.
5. Click the Delete button at the top of the table, and then confirm the deletion.

What to do next
In the next task, you will create a separate topic space for each cluster member, where that cluster member can subscribe to receive only messages intended for it.

Creating specific topic spaces for cluster members:
Create a topic space for each cluster member so it can subscribe to receive only its own messages.


About this task A topic space publishes messages that subscriber processes can receive. Create a new topic space for each cluster member, where it can subscribe to receive only its own messages. This is less confusing than using a single, cluster-wise topic space that publishes all messages to all cluster members. 1. Log in to the Deployment Manager’s (the Lotus Sametime System Console) Integrated Solutions Console as the WebSphere administrator. 2. Click Resources → JMS → Topics. 3. In the ″All scopes″ list, select the scope corresponding to a cluster member. 4. In the table listing the topics, click the topic representing the same cluster member. The topic name is a link, which displays a page where you define settings for the topic. 5. In the ″Connection″ section of the page, click in the Topic space field and select Create service bus integration destination. This launches a wizard that creates the new topic space. 6. In the ″Create a new topic space″ dialog box, type a descriptive name for the new topic space, and then click Next. For example, the name could consist of the cluster member’s name with ″topicspace″ appended. 7. Click Finish to create the new topic space. 8. Click OK and save your changes by clicking the Save link in the ″Messages″ box at the top of the page. 9. Repeat this process for each topic (cluster member) listed in the table. Adding a cluster member’s messaging engine to the meeting_server_bus topology: Add all of the nodes in the cluster to the same service integration bus to support messaging. About this task Add each cluster member to the meeting_server_bus topology so they can share messaging. The cluster’s Primary Node is added to the bus by default; you must add all additional cluster members manually. 1. Log in to the Deployment Manager’s (the Lotus Sametime System Console) Integrated Solutions Console as the WebSphere administrator. 2. Click Service integration → Buses. 3. In the buses table, click meeting_service_bus. 4. 
Click the Local Topology tab. 5. Expand the bus and click Add. The ″Add a new bus member″ wizard launches. 6. In the ″Add a new bus member″ dialog box, click the Server option, select a cluster member on that server, and then click Next. 7. In the next dialog box, click File Store, and then click Next. 8. In the next dialog box, click Next to accept the default file store settings. 9. In the ″Tune performance parameters″ dialog box, click Next to accept the default tuning settings.

172

Lotus Sametime: Installation and Administration Guide Part 2

10. At the summary page, click Finish to add the new bus.
11. Repeat this process for every cluster member.

Results
When you have finished, all cluster members will appear in the bus topology diagram.

Configuring a WebSphere proxy server
Configure an IBM WebSphere proxy server to perform routing and caching tasks for a cluster of IBM Lotus Sametime servers running on WebSphere Application Server.

Before you begin
Create a cluster of Lotus Sametime servers running on WebSphere Application Server; start the Deployment Manager (the Lotus Sametime System Console) as well as all node agents and application servers in the cluster. Use these instructions to configure a WebSphere proxy server that operates with the following Lotus Sametime server clusters:
v Meeting Server
v Conference Manager
v SIP Proxy and Registrar

About this task
A cluster of Lotus Sametime servers that run on WebSphere Application Server can use a WebSphere proxy server to manage routing and caching tasks. To ensure redundancy in the case of a proxy server failure, you may want to configure multiple proxy servers for the cluster. You can host a WebSphere proxy server on any node in the cluster (except the Lotus Sametime System Console), but because it uses a lot of system resources, you may want to host it on its own computer.
1. Log in to the Deployment Manager’s (the Lotus Sametime System Console) Integrated Solutions Console as the WebSphere administrator.
2. In the navigation tree, click Servers → Server Types → WebSphere proxy servers.
3. In the proxy servers table, click the New button at the top of the table.
4. In the "Create a new proxy server entry" dialog box, do the following:
a. In the "Select a node" box, select the node that will host the WebSphere proxy server. Be sure to select a node that belongs to the appropriate cluster.
b. Type a name for the new proxy server; for example "was_proxy1", and then click Next.
c. In the "Specify server specific properties" box, select the appropriate "Support protocol" settings for your cluster, select Generate unique ports, and then click Next.
v If you are configuring this WebSphere proxy server for a Meeting Server cluster: deselect the SIP protocol.
v If you are configuring this WebSphere proxy server for a SIP Proxy and Registrar cluster: accept both HTTP and SIP protocols.

Chapter 1. Configuring

173

v If you are configuring this WebSphere proxy server for a Conference Manager cluster: accept both HTTP and SIP protocols.
d. In the "Select a server template" box, select proxy_server_foundation (the WebSphere Default Proxy Server Template), and then click Next.
e. In the "Confirm new server" box, click Finish.
5. Save the new proxy server setting to the master configuration and synchronize the nodes in the cluster: WebSphere Application Server displays a message prompting you to save changes to the master configuration. Click Preferences → Synchronize Nodes, and then click Apply.
6. (Conference Manager cluster, SIP Proxy and Registrar cluster) Assign the new proxy server to the cluster:
a. Click Servers → Server Types → WebSphere proxy servers → proxy_server_name → SIP Proxy Server Settings → SIP proxy settings.
b. In the "Default cluster" field, select the cluster that you are configuring this WebSphere proxy server to work with.
c. Click Apply.
7. Now start the new WebSphere proxy server:
a. Again in the Integrated Solutions Console’s navigation tree, click Servers → Proxy Servers.
b. In the "Proxy Servers" page, select the new proxy server from the list.
c. Click the Start button above the list of proxy servers.

Enabling the WebSphere proxy server to cache dynamic content:
Optionally configure an IBM WebSphere proxy server to cache dynamic content.

Before you begin
Configure a WebSphere proxy server for use with a cluster of Lotus Sametime Meeting Servers or Lotus Sametime Proxy Servers, and then start the WebSphere proxy server.

About this task
The WebSphere proxy server does not cache application server dynamic content by default; you can optionally enable caching by completing these steps.
1. Log in to the Deployment Manager’s (the Lotus Sametime System Console) Integrated Solutions Console as the WebSphere administrator.
2. Click Server Types → WebSphere Proxy Servers.
3. In the "WebSphere Proxy Servers" dialog box, select the proxy you would like to enable dynamic caching on.
4. On the "Configuration" page, expand HTTP Proxy Server Settings and under it, click Proxy Settings.
5. On the "Proxy Settings" page, locate the "Caching" section and do the following:
a. Click Enable Caching.
b. Select a cache from the "Cache instance name" list.
c. Click Cache Dynamic Content.
d. Accept the default "Cache update URI" value.
e. Click OK.


6. Synchronize all nodes in the cluster:
a. Back in the Integrated Solutions Console’s navigation tree, click System Administration → Nodes.
b. Select all of the nodes in the cluster.
c. Click Full Resynchronize.

Creating object cache instances for the WebSphere proxy server:
Create an object cache for the IBM WebSphere proxy server so it can track which server hosts each online meeting.

Before you begin
Add one or more WebSphere proxy servers that will operate with a cluster of IBM Lotus Sametime Meeting Servers.

About this task
The WebSphere proxy server requires an object cache in which to store information tracking which online meetings are hosted on which Lotus Sametime Meeting Servers.
1. Log in to the Deployment Manager’s (the Lotus Sametime System Console) Integrated Solutions Console as the WebSphere administrator.
2. Click Resources → Cache Instances → Object Cache Instances.
3. Click in the Scope field and select a WebSphere proxy server that will be used by the cluster of Lotus Sametime Meeting Servers.
4. Click New. This launches a wizard to create the new object cache.
5. In the "New Object Cache" dialog box, click in the Name field and type a descriptive name for the new cache; for example "Wasproxy1_Id_Cache".
6. In the JNDI Name field, type proxy/rtc4web_id_cache exactly as shown.
7. Click OK to complete the wizard.
8. Save your changes to the master configuration by clicking the Save button when prompted.
9. Repeat this process for each WebSphere proxy server used by the cluster.

Adding a path for routing filters on the WebSphere proxy server:
Add a path to the IBM WebSphere proxy server’s class path loader to enable the IBM Lotus Sametime routing filters to be loaded correctly for a cluster.

Before you begin
Configure one or more WebSphere proxy servers to operate with the cluster of Lotus Sametime servers.

About this task
Defining a path for "ws.ext.dirs" enables the Lotus Sametime routing filters to be properly loaded by the root class path loader.
1. Log in to the Deployment Manager’s (the Lotus Sametime System Console) Integrated Solutions Console as the WebSphere administrator.

2. Click Servers → Server Types → WebSphere proxy servers.
3. In the table listing the WebSphere proxy servers, click the link representing the proxy server you want to modify. This displays the Configuration tab for the selected proxy server.
4. Under "Server Infrastructure", expand Java Process Management, and then click Process definitions.
5. Under "Additional Properties", click Java Virtual Machine.
6. Under "Additional Properties", click Custom Properties.
7. In the table listing the custom properties, click the New button.
8. Create a new entry named ws.ext.dirs with the value ${USER_INSTALL_ROOT}/optionalLibraries/rtc (spell it exactly as shown here).
9. Click OK to save the new custom property.
10. Repeat this process for every WebSphere proxy server that is operating with the cluster.

Tuning a WebSphere proxy server:
This section contains procedures for tuning a WebSphere proxy server that is used by a cluster of IBM Lotus Sametime servers running on WebSphere Application Server.

About this task
Note that this section is not referring to the SIP Proxy, but rather to a WebSphere proxy server.

Disabling the proxy read-ahead mechanism on the WebSphere proxy server:
You can disable the read-ahead mechanism on the IBM WebSphere proxy server to resolve a high CPU issue that occurs when terminating connections with read-ahead enabled.
1. Log in to the Integrated Solutions Console.
2. Click Servers → Server Types → WebSphere proxy servers.
3. In the table listing the WebSphere proxy servers, click the link representing the proxy server you want to modify.
4. Under Proxy Settings, expand HTTP Proxy Server Settings.
5. Click Proxy settings.
6. Under Additional Properties, click Custom properties.
7. Click New to create a custom property.
8. Specify the Name of the new property as http.connectionPoolReadAheadEnabled.
9. Set the Value of the new property to false.
10. Click New to create another custom property.
11. Specify the Name of the new property as dynacache.extension.lookup_timeout_property.
12. Set the Value of the new property to 20000.
13. Click Apply, and then click Save.

Adjusting the WebSphere proxy server thread pool settings:


Increase the WebContainer thread pool settings of the IBM WebSphere proxy server to match the same settings as the IBM Lotus Sametime Meeting Server.

About this task
A thread pool lets servers reuse threads instead of creating new threads at run time.
1. Log in to the Integrated Solutions Console.
2. Click Servers → Server Types → WebSphere proxy servers.
3. In the table listing the WebSphere proxy servers, click the link representing the proxy server you want to modify.
4. Under Additional Properties, click Thread pools.
5. Click Proxy.
6. Under General Properties, make sure the Minimum Size and Maximum Size are both set to 50 threads.
7. Click Apply, and then click Save.

Setting JVM verbose garbage collection and heap sizes on the WebSphere proxy server:
In order to monitor the IBM WebSphere Application Server JVM heap for specific applications, enable JVM verbose garbage collection logging for the WebSphere Application Servers.
1. Log in to the Integrated Solutions Console.
2. Click Servers → Server Types → WebSphere proxy servers.
3. In the table listing the WebSphere proxy servers, click the link representing the proxy server you want to modify.
4. Under Server Infrastructure, expand the Java and Process Management tree.
5. Click Process definition.
6. Under Additional properties, click Java Virtual Machine.
7. Under General Properties, make sure the Verbose garbage collection check box is cleared.
8. Under General Properties, make sure the Minimum heap size is set to 256MB.
9. Under General Properties, make sure the Maximum heap size is set to 512MB.
10. Click Apply, and then click Save.

Extending the HTTP persistent timeout on the WebSphere proxy server:
You can extend the HTTP persistent timeout on the IBM WebSphere proxy server to stay connected longer.

About this task
The default rtc4web timeout value is 30 seconds. This is the default timeout for the WebSphere proxy server persistent timeout setting, too. This can cause a rare condition where both sides of the connection let go at the same time. To minimize this conflict, extend the WebSphere proxy server HTTP persistent timeout to stay connected longer.
1. Log in to the Integrated Solutions Console on the server where the WebSphere proxy server is configured.

2. Click Servers → Server Types → WebSphere proxy servers.
3. In the table listing the WebSphere proxy servers, click the link representing the proxy server you want to modify.
4. Under Proxy Settings, expand the HTTP Proxy Server Settings tree.
5. Click Proxy server transports.
6. Click HTTP_PROXY_CHAIN. It should be associated with port 80.
7. Click HTTP inbound channel (HTTP 3).
8. Under General Properties, set the Persistent timeout to 60 seconds.
9. Click Apply, and then click Save.
10. Click Servers → Server Types → WebSphere proxy servers.
11. Click STMeetingHttpProxy.
12. Under Proxy Settings, expand the HTTP Proxy Server Settings tree.
13. Click Proxy server transports.
14. Click HTTPS_PROXY_CHAIN. It should be associated with port 443.
15. Click HTTP inbound channel (HTTP 4).
16. Under General Properties, set the Persistent timeout to 60 seconds.
17. Click Apply, and then click Save.
18. Repeat for every WebSphere proxy server that you configured for the cluster.

Adjusting LDAP context pool settings:
Follow these instructions to adjust LDAP context pool settings.

About this task
To handle a large set of LDAP operations, the context pool between the WebSphere Application Server and LDAP can be optimized by setting the following items. This might also require an LDAP server optimization in order to handle a large number of LOGIN/BIND requests simultaneously. This particular setting only manages the pool between WebSphere Application Server and LDAP. For LOGIN/BIND operations, this pool is bypassed and WebSphere Application Server connects directly to LDAP. Make sure your LDAP server can handle the volume of connections based on your login rate/profile.
1. Log in to the Integrated Solutions Console.
2. Click Security → Global security.
3. Click Configure... next to the Available realm definition, which is set to Federated repositories.
4. Click your LDAP Repository Identifier link.
5. Under Additional Properties, click Performance.
6. Under General Properties, Context Pool, leave the Initial size set to 1, set the Preferred size to 20, and set the Maximum size to 200. Do not change any other settings.
7. Click Apply, and then click Save.

Enabling traces and logs for the WebSphere proxy server used by a Meeting Server cluster:
Enable traces and logs for an IBM WebSphere proxy server that is used with an IBM Lotus Sametime Meeting Server cluster.


1. Log in to the Deployment Manager’s (the Lotus Sametime System Console) Integrated Solutions Console as the WebSphere administrator.
2. Click Troubleshooting → Logs and trace.
3. In the "Logging and Tracing" table, click the name of a WebSphere proxy server to open its "Logging and Tracing" page.
4. Under "General Properties" click Diagnostic Trace.
5. Under "Additional Properties" click Change Log Detail Levels.
6. In the text box, append the following settings:
:com.ibm.ws.sip.*=all :com.ibm.ws.proxy.*=all

7. Click Apply and then save the changes by clicking the Save link in the "Messages" box at the top of the page.
8. Repeat for every WebSphere proxy server used by the cluster.

Installing IBM Load Balancer
Install and configure IBM Load Balancer to distribute workload across a cluster of IBM Lotus Sametime Meeting Servers or Lotus Sametime Proxy Servers.

Before you begin
Create a cluster of Lotus Sametime Meeting Servers or Lotus Sametime Proxy Servers; configure the cluster and then start the Deployment Manager (the Lotus Sametime System Console) as well as all node agents and application servers in the cluster.
Note: The IBM Load Balancer is not available on IBM i, but you can deploy it on a server running a different operating system for use with a Lotus Sametime deployment hosted on IBM i.
IBM Load Balancer is not required for a Lotus Sametime clustered deployment; you can use any load-balancing mechanism that supports HTTP session affinity so that a user is repeatedly routed to the same server during a single session. IBM Load Balancer is included in the Lotus Sametime package with the other IBM WebSphere components.
1. Download IBM Load Balancer onto the server where you will install it:
a. Open this release’s Download document in the Lotus Sametime Download document.
b. Locate the appropriate IBM WebSphere Edge server component in the document’s listing, then download the packages labelled with the corresponding part numbers to the system on which you are installing.
2. Navigate to the folder where you stored the downloaded files, locate the folder for IBM Load Balancer, and start the installation program. For instructions on installing IBM Load Balancer, see the Load Balancer for IPv4 and IPv6 configuration guide.
3. After you have installed IBM Load Balancer, configure two static IP addresses for it:
v Non-Forwarding Address: The NFA is the address of the server itself. It is used for logging in and administering the load balancer.
v Cluster Address: This is the address by which clients and other servers will access the cluster. It must be DNS-resolvable.
For example, suppose your cluster contains two nodes, and you configure an IBM Load Balancer for the cluster. Your IP addresses will look like this:

Table 4. Sample host names and IP addresses for a Lotus Sametime Meeting Server cluster or Lotus Sametime Proxy Server cluster with IBM Load Balancer

Fully qualified host name   Server’s role in deployment                                                     Server’s IP address
loadbal.acme.com            Load balancer (NFA)                                                             9.51.251.115
st-cluster.acme.com         Cluster (Cluster address)                                                       9.51.251.44
stconsole.acme.com          Deployment Manager (Lotus Sametime System Console)                              9.51.251.101
svr1.acme.com               Primary Node (Lotus Sametime Meeting Server or Lotus Sametime Proxy Server)     9.51.251.103
svr2.acme.com               Secondary Node (Lotus Sametime Meeting Server or Lotus Sametime Proxy Server)   9.51.251.109

Configuring IBM Load Balancer:
Configure IBM Load Balancer for a cluster of IBM Lotus Sametime Meeting Servers or Lotus Sametime Proxy Servers.

Before you begin
Install IBM Load Balancer and assign two static IP addresses to it. The server selected for the Load Balancer installation must reside on the same LAN segment as the nodes to be clustered.

About this task
Configure IBM Load Balancer to support your cluster using MAC address rewriting. With this method, the load balancer receives a packet intended for the cluster. It uses configured metrics to determine which node in the cluster should process the message, and then sends the message back out to the network, routing it to the appropriate node’s MAC address. Each of the nodes in the cluster is configured with a loopback adapter; when the packet is rewritten to the network, the appropriate node will receive and process the packet.
1. Set up the loopback adapters on the cluster nodes: On each of the nodes of the cluster, a loopback adapter must be added with the IP address of the cluster. This step is different for each operating system. Refer to the Load Balancer for IPv4 and IPv6 configuration guide for details.
2. Configure port settings on the cluster nodes so that IBM Load Balancer can route the packets properly: IBM Load Balancer requires every node in the cluster to use the same port number for both HTTP and HTTPS service (typically, port 80). If you have configured your nodes to use unique port numbers, change them to the same port now.
Tip: When configuring the ports, you can use the wildcard * when specifying the host name for HTTP and HTTPS. This will listen on all interfaces configured in the system, including the loopback adapter set up for the cluster.
3. On the load balancer server, configure load balancing for the cluster:
a. Open a command window on the load balancer server.
b. Start the load balancer’s Dispatcher process:


v IBM AIX, Linux, Solaris
dsserver

v Microsoft Windows
Click Start → Control Panel → Administrative Tools → Services, right-click IBM Dispatcher (ULB), and then click Start.

c. If you are using IPv6 addresses, enable the processing of IPv6 packets: These commands enable processing of IPv6 packets in the respective operating systems. Issue this command only once; thereafter, you can start and stop the executor as often as you need. If you do not issue the command to enable processing of IPv6 packets on these systems, the executor will not start (on Solaris, the executor will start, but no IPv6 packets can be viewed).

AIX
1) Run the following command:
autoconf6

2) To enable uninterrupted processing of IPv6 packets, even after a system reboot, edit the /etc/rc.tcpip file, uncomment the following line, and add the -A flag:
start /usr/bin/autoconf6 "" -A

Linux
Run the following command (you must be logged in as root):
modprobe ipv6

Windows
Run the following command (you must be logged in as the system administrator):
netsh interface ipv6 install

Solaris
Run the following commands (you must be logged in as su), changing device to your device name and address/prefix to your IPv6 address and prefix values:
ifconfig device inet6 plumb
ifconfig device inet6 address/prefix up

d. Start the executor function of the dispatcher:
dscontrol executor start

e. Add the cluster to the service:
dscontrol cluster add cluster's_fully_qualified_host_name

where cluster’s_fully_qualified_host_name is the fully qualified host name that you assigned to the cluster when you installed the load balancer; for example:
stms-cluster.acme.com

f. Add the cluster port:
dscontrol port add cluster's_fully_qualified_host_name@port

where cluster’s_fully_qualified_host_name@port is the fully qualified host name that you assigned to the cluster when you installed the load balancer, with the HTTP/HTTPS port appended to it (typically port 80); for example:
stms-cluster.acme.com@80

g. Add the nodes for which this server will balance workload:
dscontrol server add cluster_host@port@primary_node
dscontrol server add cluster_host@port@secondary_node

where:


v cluster_host@port@primary_node indicates the cluster’s fully qualified host name with the port appended (as in the previous step) plus now with the primary node’s fully qualified host name appended; for example:
stms-cluster.acme.com@80@meetsvr1.acme.com

v cluster_host@port@secondary_node indicates the cluster’s fully qualified host name with the port appended (as in the previous step) plus now with the secondary node’s fully qualified host name appended (include an additional line for each additional secondary node); for example:
stms-cluster.acme.com@80@meetsvr2.acme.com

h. Add the cluster to the executor:
dscontrol executor add cluster's_fully_qualified_host_name

where cluster’s_fully_qualified_host_name is the fully qualified host name that you assigned to the cluster when you installed the load balancer; for example:
stms-cluster.acme.com

i. Start the manager:
dscontrol manager start

j. Start the HTTP advisor for the port you are using (the port you specified in the previous steps, typically port 80):
dscontrol advisor start http 80

k. Now you can stop the service:
dsserver stop

l. Close the command window.
4. Define server affinity with a "sticky time": By default the Load Balancer will round-robin HTTP requests between the cluster members, so that a single client may be routed to different cluster members for subsequent requests rather than continuing to be routed to the same cluster member. Since a client typically accesses an online meeting every 30-40 seconds during the session, you may want to enable server affinity for a Lotus Sametime Meeting Server cluster so that the client continues to access the same server during a single meeting. The dispatcher component of IBM Load Balancer supports a configurable "sticky time". This means that the load balancer will remember which cluster member a client was routed to; subsequent requests will "stick to" the same server until the preset time expires. IBM recommends a "sticky" time configuration of 60 seconds for a Lotus Sametime Meeting Server cluster or a Lotus Sametime Proxy Server cluster.
a. Start IBM Load Balancer.
b. In the navigation tree, select the Executor (the load balancer’s non-forwarding IP address, which appears under its host name).
c. Click Configuration Settings.
d. In "Port-Specific Settings", change the Default sticky-time setting from 0 to 60 seconds, and click Update Configuration.
e. Leave IBM Load Balancer open for the next step.
5. Save the load balancer settings:
a. In IBM Load Balancer, return to the navigation tree and right-click the host name of the load balancer you just configured (for example, loadbal.acme.com).


b. Click Save Configuration File as and accept the default name (default.cfg). The configuration settings stored in default.cfg are restored every time the server is restarted.
c. Click OK.
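As an added example that is not part of the IBM guide, the following POSIX shell script assembles the dscontrol sequence of steps 3d through 3j from the cluster host name, the port and the node host names, validating the inputs first (a fully qualified cluster name, a numeric port, one port shared by all nodes). The host names are the constructed ones used above; dscontrol is assumed to be on PATH only when the commands are actually run rather than printed for review.

```shell
#!/bin/sh
# Added example, not from the IBM guide: builds the dscontrol command
# sequence for the cluster, port and node host names given as arguments.
# dsserver must already be running before lb_apply executes the commands.
set -eu

# Validate the inputs: a dotted (fully qualified) cluster name, a numeric
# port in range, and at least one fully qualified node host name.
lb_validate() {
  cluster=$1; port=$2; shift 2
  case $cluster in
    *.*) ;;
    *) echo "cluster host name must be fully qualified: $cluster" >&2; return 1 ;;
  esac
  case $port in
    ''|*[!0-9]*) echo "port must be numeric: $port" >&2; return 1 ;;
  esac
  if [ "$port" -lt 1 ] || [ "$port" -gt 65535 ]; then
    echo "port out of range: $port" >&2; return 1
  fi
  [ $# -ge 1 ] || { echo "at least one node host name is required" >&2; return 1; }
  for node in "$@"; do
    case $node in
      *.*) ;;
      *) echo "node host name must be fully qualified: $node" >&2; return 1 ;;
    esac
  done
}

# Print the dscontrol sequence in the order the guide gives it: executor,
# cluster, port, one server line per node, executor add, manager, advisor.
# Every node is registered on the same cluster@port, as the guide requires.
lb_commands() {
  lb_validate "$@" || return 1
  cluster=$1; port=$2; shift 2
  echo "dscontrol executor start"
  echo "dscontrol cluster add $cluster"
  echo "dscontrol port add $cluster@$port"
  for node in "$@"; do
    echo "dscontrol server add $cluster@$port@$node"
  done
  echo "dscontrol executor add $cluster"
  echo "dscontrol manager start"
  echo "dscontrol advisor start http $port"
}

# Run the sequence on the load balancer host; with LB_DRY_RUN=1 the
# commands are only printed so they can be reviewed before use.
lb_apply() {
  lb_commands "$@" | while IFS= read -r cmd; do
    if [ "${LB_DRY_RUN:-0}" = 1 ]; then
      echo "$cmd"
    else
      $cmd
    fi
  done
}

# Constructed sample matching the guide's example: one cluster, two nodes.
LB_DRY_RUN=1 lb_apply stms-cluster.acme.com 80 meetsvr1.acme.com meetsvr2.acme.com
```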

Configuring Sametime Gateway
Configure one or more IBM Lotus Sametime Gateway servers.

Setting up TLS/SSL
Transport Layer Security (TLS) and Secure Sockets Layer (SSL) provide encrypted SIP communications between Lotus Sametime Gateway and the external instant messaging communities such as AOL, Yahoo!, Office Communications Server, and Lotus Sametime communities, but only if the other Lotus Sametime community requires SSL. TLS/SSL also provides encrypted XMPP communications for XMPP communities. The TLS/SSL protocols allow Lotus Sametime messages to communicate across a network in a way designed to prevent eavesdropping, tampering, and message forgery. Use these steps to set up SSL with a certificate signed by a Certificate Authority and exchange trusted certificates with external communities.

About this task
Messages that flow between Lotus Sametime Gateway and AOL, Office Communications Server, and Yahoo always require a TLS/SSL connection. Lotus Sametime and XMPP communities may or may not require a TLS/SSL connection, depending on whether the external community requires a CA-signed certificate. Google Talk does not work over TLS/SSL. This section provides steps for a single Lotus Sametime Gateway server or a cluster of Lotus Sametime Gateway servers. In addition, this section provides the steps needed to set up SSL on a Sametime 6.5.1 or later server in an external community. You can provide these steps as a courtesy to an external community or refer them to the Lotus Sametime Standard help in this information center. SSL can encrypt sensitive information for SIP and XMPP communications, and provides authenticity and data signing to ensure a secure connection between the local Lotus Sametime Gateway community and an external instant messaging community. The foundation technology for SSL is public key cryptography, which guarantees that when an entity encrypts data using its private key, only entities with the corresponding public key can decrypt that data.
SSL is required for connections to the following communities:
v External community using AOL Instant Messenger
v External community using Office Communications Server
v External community using Yahoo! Messenger
v AOL clearinghouse community
SSL is not required but is recommended for connections to XMPP or Lotus Sametime communities. You cannot use SSL between Lotus Sametime Gateway and Google Talk communities.

SSL is not needed between Lotus Sametime Gateway and the local Sametime community because the connection uses the Virtual Places (VP) protocol over TCP and includes built-in encryption.

Setting up SSL on a single server
These procedures describe how to set up Secure Sockets Layer (SSL) on a single Lotus Sametime Gateway server for both SIP and XMPP communications.

Before you begin
Before you begin, make sure the Lotus Sametime Gateway server is running.

About this task
To have a secure network connection, you will create a key for secure network communications and receive a certificate from a certificate authority (CA) that is designated as a trusted CA on your server. WebSphere Application Server uses the certificates that reside in keystores to establish trust for an SSL connection. WebSphere Application Server creates the key.p12 default keystore file and the trust.p12 default truststore file during profile creation. A default, self-signed certificate is also created in the key.p12 file at this time. Do not use this or any other self-signed certificate to connect to external communities.
Note: Ensure that the SSL certificate contains the Basic Constraints extension. Do not use a non-SSLv3-compliant self-signed CA. WebSphere Application Server 6.1 uses the IBM JDK 1.5.0 JSSE2, which checks for the presence of the Basic Constraints extension. If the extension is not set, WebSphere Application Server assumes that the CA is not a valid CA but a user certificate, which in turn prevents a server certificate from being validated, because the issuing CA is not found.
Trial certificates are not publicly trusted and so cannot be used to test against public instant messaging providers such as Yahoo Messenger or AOL Instant Messenger.
The following procedures describe how to:
1. Import the certificate authorities’ public certificate used by each of the public or private external communities your Sametime Gateway server will be communicating with.
2. Request a CA-signed certificate, and then import the signed certificate that the CA provided in response. Before performing this step you might have to import intermediary certificates.
3. Configure the WebSphere environment to make use of the imported keys.
A complete technical reference on how to set up SSL on the WebSphere Application Server can be found in the WebSphere Application Server information center.
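The Basic Constraints note above is the kind of thing worth checking before a CA certificate ever reaches NodeDefaultTrustStore, because the failure only shows up later as an untrusted chain. The following POSIX shell script is an added example, not from the IBM guide, that extracts certificates from a .p12 keystore into a stand-alone file, verifies Basic Constraints CA:TRUE and validity, and reports whether the file is Base64 or binary (the data type chosen at import) and the CN suggested as the alias. It assumes the openssl CLI is installed; the Acme names and the fixture certificates it generates are constructed.

```shell
#!/bin/sh
# Added example, not from the IBM guide: pre-import checks for a CA
# certificate destined for the WebSphere trust store. Assumes openssl.
set -eu

# Extract the certificates held in a PKCS#12 keystore (.p12) into a plain
# PEM file: the console imports single certificate files, not keystores.
# Usage: extract_certs_from_p12 bundle.p12 out.pem password
extract_certs_from_p12() {
  openssl pkcs12 -in "$1" -nokeys -passin "pass:$3" -out "$2" 2>/dev/null
}

# Prints "base64" for a PEM file and "binary" for a DER file; this is the
# data type to select when adding the signer certificate (binary on IBM i).
cert_data_type() {
  if grep -q 'BEGIN CERTIFICATE' "$1"; then echo base64; else echo binary; fi
}

# Maps the data type to the -inform value openssl expects.
inform() {
  if [ "$(cert_data_type "$1")" = base64 ]; then echo PEM; else echo DER; fi
}

# Succeeds only when the certificate carries a Basic Constraints extension
# with CA:TRUE; without it JSSE treats the file as an end-entity certificate
# and any chain issued by that CA fails validation (the note above).
is_ca_cert() {
  openssl x509 -inform "$(inform "$1")" -in "$1" -noout -text 2>/dev/null \
    | grep -A1 'X509v3 Basic Constraints' | grep -q 'CA:TRUE'
}

# Succeeds when the certificate has not expired.
is_unexpired() {
  openssl x509 -inform "$(inform "$1")" -in "$1" -noout -checkend 0 >/dev/null 2>&1
}

# Prints the subject CN, the value the guide suggests for the alias field.
suggested_alias() {
  openssl x509 -inform "$(inform "$1")" -in "$1" -noout -subject -nameopt RFC2253 \
    | sed 's/.*CN=\([^,]*\).*/\1/'
}

# Gatekeeper for one file: reject anything that is not a valid, unexpired CA.
check_signer_cert() {
  is_ca_cert "$1" || { echo "$1: missing Basic Constraints CA:TRUE" >&2; return 1; }
  is_unexpired "$1" || { echo "$1: expired" >&2; return 1; }
  echo "$1: ok, data type=$(cert_data_type "$1"), alias=$(suggested_alias "$1")"
}

# Constructed fixture in a temporary directory: a self-signed CA (CA:TRUE,
# also written as DER) and an end-entity certificate it signed that has no
# Basic Constraints extension. Prints the directory path.
demo_fixture() {
  d=$(mktemp -d)
  openssl req -x509 -newkey rsa:2048 -nodes -days 1 -subj "/CN=Acme External CA" \
    -keyout "$d/ca.key" -out "$d/ca.pem" >/dev/null 2>&1
  openssl x509 -in "$d/ca.pem" -outform DER -out "$d/ca.der" >/dev/null 2>&1
  openssl req -new -newkey rsa:2048 -nodes -subj "/CN=stgw.acme.example" \
    -keyout "$d/leaf.key" -out "$d/leaf.csr" >/dev/null 2>&1
  openssl x509 -req -in "$d/leaf.csr" -CA "$d/ca.pem" -CAkey "$d/ca.key" \
    -CAcreateserial -days 1 -out "$d/leaf.pem" >/dev/null 2>&1
  echo "$d"
}

fixture=$(demo_fixture)
check_signer_cert "$fixture/ca.pem"            # accepted
check_signer_cert "$fixture/leaf.pem" || true  # rejected: not a CA
```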
Adding trust for certificate authorities used by external communities:


External communities’ certificates are signed by a specific certificate authority, probably a different authority from the CA used to sign your Sametime Gateway certificate. In order for the Sametime Gateway to trust a certificate presented by an external community, the CA that issued this certificate has to be configured as trusted in advance.

About this task
This topic explains which CA certificate needs to be downloaded and imported into the WebSphere Application Server trust store.
v Steps 1-4 explain how to obtain the required CA certificate.
v Steps 5-7 explain how to import the obtained CA certificates into the WebSphere Application Server.
1. To connect to AOL or Yahoo!, download the following CA certificate. Navigate to http://www.geotrust.com/resources/root_certificates/index.asp and download the Equifax Secure Certificate Authority:
Download - Equifax Secure Certificate Authority (Base-64 encoded X.509)

2. To connect to AOL you are also required to download the following additional certificates:
a. Navigate to https://pki-info.aol.com/AOL/ and download both certificates titled "America Online Root CA 1 certificate" and "America Online Root CA 2 certificate".
b. Navigate to https://pki-info.aol.com/AOLMSPKI/index.html and download the certificate titled "AOL Member CA certificate".
3. To connect to an external Lotus Sametime-based IM community over SSL, you need to obtain the CA certificate used by the external community:
a. Check with the external community administrator to determine which trusted certificate authority they are using.
b. Obtain the CA certificate.
4. To connect to an external XMPP-based IM community over SSL, you need to obtain the CA certificate used by the external community (note that the Google Talk public community does not use SSL):
a. Check with the external community administrator to determine which trusted certificate authority they are using.
b. Obtain the CA certificate.
5. If the received certificate is stored in any type of certificate file database (a file with a suffix of .db or .p12, for example), you have to extract the certificate to an independent file before you can import it into WebSphere Application Server.
6. Complete the following tasks in the Integrated Solutions Console: Click Security → SSL Certificate and key management → Key stores and certificates → NodeDefaultTrustStore → Signer Certificate.
7. Click Add.
a. Type an alias to identify the Certificate Authority in the Alias field. This is a freeform value used to identify the certificate inside WebSphere; a good choice is the certificate’s CN (common name) field value.
b. Type in the full path to the file containing the Certificate Authority’s public key. For example: c:\certificates\acme_external_community.arm.
c. Select the data type. Note: For IBM i, you must select binary as the data type.
Chapter 1. Configuring

185

   d. Click OK. Note: For IBM i only, certificates are automatically downloaded with the .CER file extension, so you must manually rename them to the .DER file extension.

Requesting a certificate signed by a Certificate Authority:

To ensure Secure Sockets Layer (SSL) communication, servers require a personal certificate that is signed by a certificate authority (CA). You must first create a personal certificate request to obtain a certificate that is signed by a CA.

Before you begin

The keystore that contains a personal certificate request must already exist. In WebSphere Application Server, the keystore file key.p12 exists.

1. Log in to the Integrated Solutions Console.
2. Click Security → SSL certificate and key management → Related items → Key stores and certificates → NodeDefaultKeyStore.
3. Under "Additional Properties," click Personal certificate requests.
4. Click New.
5. In the File for certificate request field, type the full path where the certificate request is to be stored, plus a file name. For example: c:\servercertreq.arm (for a Windows machine).
6. Type an alias name in the Key label field. The alias is the name you use to identify the certificate request in the keystore. For example: stgwcertificate
7. Type a common name (CN) value. The CN must be the externally visible DNS address to which the external community (AOL, for example) opens a TCP connection. The CN value does not have to be identical to any of the email domains associated with your community. Decide on the CN value in advance, primarily by consulting your network administrator.
8. Type an organization name in the Organization field. This value is the "organization" value in the certificate's distinguished name.
9. In the Organization unit field, type the "organization unit" portion of the distinguished name.
10. In the Locality field, type the "locality" portion of the distinguished name.
11. In the State or Province field, type the "state" portion of the distinguished name.
12. In the Zip Code field, type the "zip code" portion of the distinguished name.
13. In the Country or region drop-down list, select the two-letter "country code" portion of the distinguished name.
14. Click Apply and Save. The certificate request is created in the specified file location in the keystore. The request functions as a temporary placeholder for the signed certificate until you manually receive the certificate in the keystore.

Note: Key store tools (such as iKeyman and keyTool) cannot receive signed certificates that are generated by certificate requests from WebSphere Application Server. Similarly, WebSphere Application Server cannot accept certificates that are generated by certificate requests from other keystore utilities.

186

Lotus Sametime: Installation and Administration Guide Part 2

15. Send the certificate request .arm file to a Certificate Authority for signing. See the Certificate Authority web site for instructions on sending your certificate request in for signing.
16. Stop the Lotus Sametime Gateway server.
17. Make a backup copy of your keystore file. Make this backup before receiving the CA-signed certificate into the keystore. The default password for the keystore is WebAS. The Integrated Solutions Console has the path information for the keystore's location. The path to the NodeDefaultKeyStore is listed in the Integrated Solutions Console as:
stgw_profile_root\config\cells\cell_name\nodes\node_name\key.p12

18. Start the Lotus Sametime Gateway server.

Importing any intermediate CA certificates into the keystore:

If your server certificate is issued by an intermediary CA, complete the steps that follow.

Before you begin

You have received the signed certificate from the certificate authority. Before importing the signed certificate into the keystore, you must determine whether the received certificate was signed by a root Certificate Authority (CA) or by an intermediary Certificate Authority. If the certificate was signed by a root CA, you can skip this topic completely and continue straight to "Importing a signed certificate into the keystore". If the certificate was signed by an intermediary CA, you need to import the intermediary signer certificates as described in this topic.

About this task

IBM WebSphere Application Server creates a certificate chain when the signed certificate is received. The chain is constructed from the signer certificates that are in the keystore at the time the certificate is received. Therefore, it is important to import all intermediate certificates as signer certificates into the keystore before receiving the Certificate Authority-signed certificate. When you purchase a server certificate for Sametime Gateway, the certificate is issued by a Certificate Authority (CA). The CA can be either a root CA or an intermediary CA.

1. The following steps describe how to tell whether your certificate was signed by a root CA or an intermediary CA (the example is for the Windows operating system):
   a. Save the signed certificate to a text file with a .cer extension, for example signed-certificate.cer. Include the -----BEGIN CERTIFICATE----- and -----END CERTIFICATE----- lines when you save the file.

   b. Double-click the new file that you created; a Certificate dialog box opens.
   c. Click the Certification Path tab.
   d. Look at the tree-like structure representing the full certificate chain. The top of the chain is the root Certificate Authority (CA); the bottom of the chain is your server's certificate. If your server is not listed one level below the root CA, your certificate was issued by an intermediary CA. If your server is listed one level below the root CA, the certificate was issued by the root CA. For example, the following screen capture shows a certificate chain where an intermediary CA, VeriSign Class 3 Secure Server CA, issued a certificate for stgw.lotus.com.

   e. If the server certificate is not issued by an intermediary CA, stop here and click Next topic at the bottom of this topic.


2. Once you determine that the certificate was issued by an intermediate CA, export the intermediate certificate from the chain into its own certificate file:
   a. Double-click the server's certificate file (for example, server.cer); a Certificate dialog box opens.
   b. Click the Certification Path tab.
   c. Highlight an entry of the certificate chain.
   d. Click View Certificate.
   e. In the Certificate dialog window, click the Details tab.
   f. Click Copy to File...
   g. In the Certificate Export Wizard that appears, click Next.
   h. Select Base-64 encoded X.509 (.CER), and click Next.
   i. Type a unique name for the certificate you are exporting and click Next. For example, "VS-intermediary-CA" for VeriSign's intermediary certificate authority.
   j. Click Finish.
   k. Click OK in the dialog box that displays the message: The export was successful.
   l. Repeat the preceding sub-steps for each intermediate certificate in the chain. There is no need to repeat these steps for the bottom entry of the chain because the server's certificate file already exists. When you are done, you will have a certificate file (.cer) for each entry of the chain. In our example, there are three certificate files:
Certificate type   Name                                  Certificate file name
Root               VeriSign Class 3 Public Primary CA    VS-root-CA.cer
Intermediary       VeriSign Class 3 Secure Server CA     VS-intermediary-CA.cer
Server             stgw.lotus.com                        stgw.cer

3. Finally, import the intermediary CA certificate into the keystore:
   a. Using the Integrated Solutions Console, click Security → SSL Certificate and key management.
   b. Click Key stores and certificates.
   c. Click NodeDefaultKeyStore.
   d. Click Signer certificates.
   e. Click Add.
   f. In the Alias field, type a short descriptive name for the certificate. For example, "Verisign Intermediary CA".
   g. In the File name field, type the path to the certificate file of the intermediary CA. For example, C:\certs\VS-intermediary-CA.cer.
   h. Accept the default file data type.
   i. Click Apply and Save.
   j. Repeat the preceding steps for each intermediary CA that is part of the certificate chain. In most cases, only one intermediary CA exists.

Importing a signed certificate into the keystore:


Before you begin

You have received the signed certificate from the certificate authority. You have determined whether the certificate is signed by a root CA or an intermediate CA; if it was signed by an intermediate CA, you have imported all intermediate CA certificates into the keystore. Now you are ready to import the signed certificate itself into the keystore.

About this task

WebSphere Application Server can receive only those certificates that are generated by a WebSphere Application Server certificate request. It cannot receive certificates that are created with certificate requests from other keystore tools, such as iKeyman and keyTool. The keystore must contain the certificate request that was created and sent to the CA. This means that you cannot import a certificate into the keystore if the keystore does not contain the original certificate request. Make sure the certificate file you have received does not contain any text lines before the "-----BEGIN CERTIFICATE-----" line. Such lines cause the certificate import process to fail, so delete them if they are present in the certificate file.

1. Log in to the Integrated Solutions Console.
2. Click Security → SSL certificate and key management → Related items → Key stores and certificates → NodeDefaultKeyStore.
3. Under Additional Properties, click Personal certificates.
4. Click Receive a certificate from a certificate authority.
5. Type the full path and name of the certificate file. For example, on Windows: c:\mycertificate.cer
6. Do not change the default data type on the list (Base64-encoded ASCII Data).
7. Click Apply and Save.

Setting up Sametime Gateway to use a new certificate:

Set up the IBM Lotus Sametime Gateway server to use the new certificates.

1. Log in to the Integrated Solutions Console.
2. Click Security → SSL certificate and key management → Configuration settings → Manage endpoint security configurations.
3. Expand the Inbound node, and then expand all levels below Nodes.
4. In the tree view, click the Sametime Gateway server.
5. On the configuration panel, under Specific SSL configuration for this endpoint, select Override inherited values if this option is available.
6. From the SSL Configuration name drop-down list, select the configuration that you specified when you defined the SSL configuration.
7. Click Update certificate alias list.
8. From the Certificate alias in key store drop-down list, select the certificate alias that you specified when you received the certificates from the CA.
9. Click Apply and then Save.
10. Important: Repeat the preceding steps on the Outbound node of the local topology tree.
11. Restart the Sametime Gateway server. For a standalone server, restart the single Java process.


For a cluster configuration, restart the Deployment Manager (DMGR), the STGW servers, the XMPP proxies and the SIP proxies. You do not need to restart the node agents.

Setting up SSL on a cluster
These procedures describe how to set up Secure Sockets Layer (SSL) on a cluster of Lotus Sametime Gateway servers.

Before you begin
You must first install Lotus Sametime Gateway on each node, including a Deployment Manager node, create the cluster, and create a SIP proxy server for the cluster.

About this task
To have a secure network connection, create a key for secure network communications and receive a certificate from a certificate authority (CA) that is designated as a trusted CA on your server. WebSphere Application Server uses the certificates that reside in keystores to establish trust for an SSL connection. WebSphere Application Server creates the key.p12 default keystore file and the trust.p12 default truststore file during profile creation. A default, self-signed certificate is also created in the key.p12 file at this time.

Note: If you use a certificate other than the default self-signed certificate provided, ensure that the SSL certificate contains the Basic Constraints extension. Do not use a non-SSLv3-compliant self-signed CA. WebSphere Application Server 6.1 uses the IBM JDK 1.5.0 JSSE2, which checks for the presence of the Basic Constraints extension. If the extension is not set, WebSphere Application Server assumes that the CA is not a valid CA but a user certificate, which in turn means the server certificate cannot be validated because its issuing CA is not found.

Trial certificates are not publicly trusted and so cannot be used to test against public instant messaging providers such as Yahoo Messenger or AOL Instant Messenger.

The following procedure describes how to request a Certificate Authority-signed certificate, receive the request, then extract the certificate to the keystore. For complete details for setting up SSL in WebSphere Application Server, see the WebSphere Application Server information center.

Purchasing a certificate from a Certificate Authority:

Purchase a Certificate Authority-signed certificate for secure connections between Lotus Sametime Gateway and other instant messaging providers.

About this task

The CA certificate installed on Lotus Sametime Gateway must conform to RFC 3280 certificate standards. The CA certificate can be a root certificate or an intermediary certificate. When requesting a certificate, check with the vendor to make sure that the certificate supports both TLS Web Server Authentication and TLS Web Client Authentication. Some certificate authorities provide certificates that support server authentication only or client authentication only. Certificates must include both server and client authentication EKU flags. Thawte certificates meet these standards. It is your responsibility to make sure that the certificate supports both.

1. Review the list of Certificate Authorities recognized by AOL, Yahoo!, and XMPP.
2. Purchase a certificate that supports both client and server authentication.

Creating a new keystore:

The keystore file is a key database file that contains both public keys and private keys. Public keys are stored as signer certificates, while private keys are stored in the personal certificates. A Secure Sockets Layer (SSL) configuration references keystore configurations during WebSphere Application Server runtime. Whether a keystore file was created by another keystore tool or saved from a previous configuration, the file must be part of a keystore configuration object. You can create a keystore configuration for the existing keystore object.

Before you begin

Expected state: the Deployment Manager, node agents, and servers are started.

1. Stop all Lotus Sametime Gateway servers, but leave the Deployment Manager and node agents running.
2. Using the Integrated Solutions Console, click Security → SSL certificate and key management → Key stores and certificates.
3. Click New.
4. In the Name field, type a unique name to identify the keystore; for example: STGWKS.
5. In the Path field, type the location of the keystore file in the format needed by the keystore type; for example: STGWKS.p12.
6. Type a password in the Password field. The password is used to protect the keystore.
7. Type the keystore password again in the Confirm Password field to confirm the password.
8. Select PKCS12 from the list. The type that you select is for the keystore file that you specified in the Path field.
9. Click Apply and Save.
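The checks that the standalone procedure above describes (and that the cluster procedure below repeats), that is, whether the server certificate sits one level below the root, which chain entries must be imported as signers before the signed certificate is received, and the Basic Constraints and dual-EKU requirements from the note and the purchasing guidance, can be exercised in code. The following Go program is an added example and not IBM's code or part of this guide: it builds a constructed root CA, intermediate CA and server chain in memory (the names Example Root CA, Example Intermediate CA and stgw.example.com are invented) and uses Go's crypto/x509 pools in place of the WebSphere keystore.

```go
package main

import (
	"bytes"
	"crypto/ecdsa"
	"crypto/elliptic"
	"crypto/rand"
	"crypto/x509"
	"crypto/x509/pkix"
	"fmt"
	"math/big"
	"time"
)

// Issue signs tmpl under parent with parentKey (self-signed when parent is nil); constructed sample data only.
func Issue(tmpl, parent *x509.Certificate, parentKey *ecdsa.PrivateKey) (*x509.Certificate, *ecdsa.PrivateKey) {
	key, err := ecdsa.GenerateKey(elliptic.P256(), rand.Reader) // fresh P-256 key for each certificate
	if err != nil {
		panic(err)
	}
	if parent == nil {
		parent, parentKey = tmpl, key
	}
	der, err := x509.CreateCertificate(rand.Reader, tmpl, parent, &key.PublicKey, parentKey)
	if err != nil {
		panic(err)
	}
	cert, err := x509.ParseCertificate(der)
	if err != nil {
		panic(err)
	}
	return cert, key
}

// Template builds a one-day CA (Basic Constraints cA=TRUE) or a Gateway server certificate (CN = external DNS name).
func Template(cn string, serial int64, ca bool) *x509.Certificate {
	t := &x509.Certificate{
		SerialNumber: big.NewInt(serial), Subject: pkix.Name{CommonName: cn}, IsCA: ca, BasicConstraintsValid: ca,
		NotBefore: time.Now().Add(-time.Hour), NotAfter: time.Now().Add(24 * time.Hour), KeyUsage: x509.KeyUsageCertSign,
	}
	if !ca { // the Gateway certificate must carry both TLS server and TLS client authentication
		t.KeyUsage = x509.KeyUsageDigitalSignature
		t.DNSNames = []string{cn}
		t.ExtKeyUsage = []x509.ExtKeyUsage{x509.ExtKeyUsageServerAuth, x509.ExtKeyUsageClientAuth}
	}
	return t
}

// BuildDemoChain returns the leaf-first chain server -> intermediate CA -> root CA.
func BuildDemoChain() []*x509.Certificate {
	root, rootKey := Issue(Template("Example Root CA", 1, true), nil, nil)
	inter, interKey := Issue(Template("Example Intermediate CA", 2, true), root, rootKey)
	srv, _ := Issue(Template("stgw.example.com", 3, false), inter, interKey)
	return []*x509.Certificate{srv, inter, root}
}

// IsSelfIssued marks the top of the Certification Path; IssuedByIntermediate asks whether the server's issuer is not the root.
func IsSelfIssued(c *x509.Certificate) bool               { return bytes.Equal(c.RawSubject, c.RawIssuer) }
func IssuedByIntermediate(chain []*x509.Certificate) bool { return !IsSelfIssued(chain[1]) }

// CheckCASigner applies the JSSE2 rule from the note above: a CA without Basic Constraints cA=TRUE is only a user certificate.
func CheckCASigner(ca, issued *x509.Certificate) error {
	if !ca.BasicConstraintsValid || !ca.IsCA {
		return fmt.Errorf("%q has no Basic Constraints cA=TRUE extension", ca.Subject.CommonName)
	}
	return issued.CheckSignatureFrom(ca) // Go enforces the same RFC 5280 rule here
}

// CheckGatewayEKU requires both TLS Web Server and TLS Web Client Authentication.
func CheckGatewayEKU(c *x509.Certificate) error {
	var server, client bool
	for _, eku := range c.ExtKeyUsage {
		server = server || eku == x509.ExtKeyUsageServerAuth
		client = client || eku == x509.ExtKeyUsageClientAuth
	}
	if server && client {
		return nil
	}
	return fmt.Errorf("%q: serverAuth=%v clientAuth=%v, both are required", c.Subject.CommonName, server, client)
}

// ReceiveCheck models receiving the signed certificate: the chain is built only from signers already in the keystore.
func ReceiveCheck(leaf *x509.Certificate, signers []*x509.Certificate) error {
	opts := x509.VerifyOptions{Roots: x509.NewCertPool(), Intermediates: x509.NewCertPool()}
	for _, s := range signers {
		pool := opts.Intermediates
		if IsSelfIssued(s) {
			pool = opts.Roots
		}
		pool.AddCert(s)
	}
	_, err := leaf.Verify(opts) // "unknown authority" when an intermediate signer is missing
	return err
}

func main() {
	chain := BuildDemoChain() // server, intermediate CA, root CA
	fmt.Println("issued by an intermediary CA:", IssuedByIntermediate(chain), "| receive with root only:", ReceiveCheck(chain[0], chain[2:]))
}
```

Receiving with only the root in the signer pool fails, and succeeds once the intermediate is added, which is the ordering the keystore steps enforce.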
Creating a certificate request:

To ensure Secure Sockets Layer (SSL) communication, servers require a personal certificate that is signed by a certificate authority (CA). You must first create a personal certificate request to obtain a certificate that is signed by a CA.

Before you begin

The keystore that contains a personal certificate request must already exist. In WebSphere Application Server, the keystore (.p12) file exists.

About this task

Complete the following tasks in the WebSphere Integrated Solutions Console.


Expected state: the Deployment Manager and node agents are started. The servers are stopped.

1. Click Security → SSL certificate and key management → Key stores and certificates.
2. Click the keystore that you created in the previous step.
3. Click Personal certificate requests, then click New.
4. In the File for certificate request field, specify the fully qualified file name to which the certificate request is exported. This file is what you give to the certificate authority to generate the real certificate. For example: c:\servercertreq.arm (for a Windows machine).
5. Type an alias name in the Key label field. The alias is the name you give to identify the certificate request in the keystore.
6. Type a common name (CN) value in the Common Name field. The common name must be the fully qualified domain name of your proxy server node machine. The CN of the certificate must match the domain name of your community. For example, if your Sametime community is us.acme.com, then the CN of the SSL certificate that you create for your community must be us.acme.com.
7. Type an organization name in the Organization field. This value is the organization value in the certificate distinguished name.
8. In the Organization unit field, type the organization unit portion of the distinguished name.
9. In the Locality field, type the locality portion of the distinguished name.
10. In the State or Province field, type the state portion of the distinguished name.
11. In the Zip Code field, type the zip code portion of the distinguished name.
12. In the Country or region drop-down list, select the two-letter country code portion of the distinguished name.
13. Click Apply and Save. The certificate request is created in the specified file location in the keystore. The request functions as a temporary placeholder for the signed certificate until you manually receive the certificate in the keystore.

Note: Key store tools (such as iKeyman and keyTool) cannot receive signed certificates that are generated by certificate requests from WebSphere Application Server. Similarly, WebSphere Application Server cannot accept certificates that are generated by certificate requests from other keystore utilities.

14. Synchronize your changes to all nodes in the cluster. Click System Administration → Nodes.
15. Select all nodes in the cluster, then click Full Resynchronize.
16. Stop the Lotus Sametime Gateway server.
17. Make a backup copy of your keystore file. Make this backup before receiving the CA-signed certificate into the keystore. The default password for the keystore is WebAS. The Integrated Solutions Console has the path information for the keystore's location. The path to the CellDefaultKeyStore is listed in the Integrated Solutions Console as:
stgw_profile_root\config\cells\cell_name\key.p12

18. Now start the Lotus Sametime Gateway server.


What to do next

After you receive the certificate back from the Certificate Authority, you are ready to proceed to the next step.

Importing intermediate CA certificates into the keystore:

IBM WebSphere Application Server creates a certificate chain when the signed certificate is received. The chain is constructed from the signer certificates that are in the keystore at the time the certificate is received. Therefore, it is important to import all intermediate certificates as signer certificates into the keystore before receiving the Certificate Authority-signed certificate. When you purchase a server certificate for Sametime Gateway, the certificate is issued by a Certificate Authority (CA). The CA can be either a root CA or an intermediary CA.

About this task

If your server certificate is issued by an intermediary CA, complete the steps that follow; otherwise skip these steps and click Next topic at the bottom of this topic.

1. Before you import an intermediate CA, first determine whether your server's certificate was issued by an intermediary CA:
   a. Save the signed certificate to a text file with a .cer extension, for example signed-certificate.cer. Include the -----BEGIN CERTIFICATE----- and -----END CERTIFICATE----- lines when you save the file.

   b. Double-click the new file that you created; a Certificate dialog box opens.
   c. Click the Certification Path tab.
   d. Look at the tree-like structure representing the full certificate chain. The top of the chain is the root Certificate Authority (CA); the bottom of the chain is your server's certificate. If your server is not listed one level below the root CA, your certificate was issued by an intermediary CA. If your server is listed one level below the root CA, the certificate was issued by the root CA. For example, the following screen capture shows a certificate chain where an intermediary CA, VeriSign Class 3 Secure Server CA, issued a certificate for stgw.lotus.com.


   e. If the server certificate is not issued by an intermediary CA, stop here and click Next topic at the bottom of this topic.
2. Once you determine that the certificate was issued by an intermediate CA, export the intermediate certificate from the chain into its own certificate file:
   a. Double-click the server's certificate file (for example, server.cer); a Certificate dialog box opens.
   b. Click the Certification Path tab.
   c. Highlight an entry of the certificate chain.
   d. Click View Certificate.
   e. In the Certificate dialog window, click the Details tab.
   f. Click Copy to File...
   g. In the Certificate Export Wizard that appears, click Next.
   h. Select Base-64 encoded X.509 (.CER), and click Next.
   i. Type a unique name for the certificate you are exporting and click Next. For example, "VS-intermediary-CA" for VeriSign's intermediary certificate authority.
   j. Click Finish.
   k. Click OK in the dialog box that displays the message: The export was successful.
   l. Repeat the preceding sub-steps for each intermediate certificate in the chain. There is no need to repeat these steps for the bottom entry of the chain because the server's certificate file already exists. When you are done, you will have a certificate file (.cer) for each entry of the chain. In our example, there are three certificate files:


Certificate type   Name                                  Certificate file name
Root               VeriSign Class 3 Public Primary CA    VS-root-CA.cer
Intermediary       VeriSign Class 3 Secure Server CA     VS-intermediary-CA.cer
Server             stgw.lotus.com                        stgw.cer

3. Finally, import the intermediary CA certificate into the keystore:
   a. Using the Integrated Solutions Console, click Security → SSL Certificate and key management.
   b. Click Key stores and certificates.
   c. Click CellDefaultKeyStore.
   d. Click Signer certificates.
   e. Click Add.
   f. In the Alias field, type a short descriptive name for the certificate. For example, "Verisign Intermediary CA".
   g. In the File name field, type the path to the certificate file of the intermediary CA. For example, C:\certs\VS-intermediary-CA.cer.
   h. Accept the default file data type.
   i. Click Apply and Save.
   j. Repeat the preceding steps for each intermediary CA that is part of the certificate chain. In most cases, only one intermediary CA exists.

Receiving a signed certificate:

A Certificate Authority (CA) creates a certificate from a certificate request. The WebSphere Application Server keystore receives the certificate from the CA and generates a CA-signed personal certificate that your Lotus Sametime Gateway cluster can use for Secure Sockets Layer (SSL) security.

Before you begin

The keystore must contain the certificate request that was created and sent to the Certificate Authority. Also, the keystore must be able to access the certificate that is returned by the Certificate Authority. Expected state: the Deployment Manager and the node agents are started. The servers are stopped.

Note: WebSphere Application Server creates the certificate chain when the signed certificate is received. The chain is constructed from the signer certificates that are in the keystore at the time the certificate is received. Be sure to import all intermediate certificates as signer certificates into the keystore before receiving the CA-signed certificate.

1. Click Security → SSL certificate and key management → Key stores and certificates.
2. Click the keystore that you created previously.
3. Click Personal certificates.
4. Click Receive a certificate from a certificate authority.
5. Type the full path and name of the certificate file generated by the CA.


6. Select the appropriate data type from the list.
7. Click Apply and Save.

What to do next

Now you are ready to define a new SSL configuration.

Defining the SSL configuration for a cluster:

Complete these steps to create a new SSL configuration for a cluster of Lotus Sametime Gateway servers.

About this task

Secure Sockets Layer (SSL) configurations contain the attributes that you need to control the behavior of client and server SSL endpoints. You create a single SSL configuration to be used on the inbound and outbound trees in the configuration topology. Expected state: the Deployment Manager and node agents are started. The servers are stopped.

1. Using the Integrated Solutions Console, click Security → SSL certificate and key management → SSL Configurations.
2. Click New to display the SSL configuration panel.
3. Type a name in the Name field for your SSL configuration.
4. In the Trust store name drop-down list, replace the default CellDefaultKeyStore value with CellDefaultTrustStore. The truststore name refers to a specific truststore that holds signer certificates that validate the trust of certificates sent by remote connections during an SSL handshake.
5. Select the keystore that you created from the Keystore name drop-down list. A keystore contains the personal certificates that represent a signer identity and the private key that WebSphere Application Server uses to encrypt and sign data.
6. Click Get certificate aliases.
7. Select your certificate alias as the default server certificate alias.
8. Select your certificate alias as the default client certificate alias.
9. Click Apply, and then Save.
10. Synchronize your changes to all nodes in the cluster. Click System Administration → Nodes.
11. Select all nodes in the cluster, then click Full Resynchronize.

Obtaining the root certificate:

Download a certificate authority's (CA) root certificate. After you download the certificate, you must add it to the WebSphere Application Server truststore.
For connections to AOL or Yahoo, download the Equifax Secure CA because this certificate is used by both communities. For connections to XMPP communities, you must determine what root certificate, if any, is being used, and then check to see if WebSphere Application Server already recognizes the certificate, and, if necessary, download and add the certificate to your truststore.


About this task

XMPP communities are free to use either a TLS/SSL or TCP connection, so a certificate may not be needed. If the XMPP community is using TLS/SSL, the root certificate CA may already be in the WebSphere Application Server truststore. If not, you must obtain it.

1. To obtain the same certificate used by AOL and Yahoo:
   a. Go to http://www.geotrust.com/resources/root_certificates/index.asp and download the Equifax Secure Certificate Authority.
   b. In the list of certificates, navigate to the following:
All other SSL certificates except for Quick SSL: Equifax Secure Certificate Authority

c. Select the following download:
Download - Equifax Secure Certificate Authority (Base-64 encoded X.509)

   d. Add this root CA to your WebSphere Application Server truststore (see the next step in setting up SSL).
2. AOL users require additional certificates:
   a. Navigate to https://pki-info.aol.com/AOL/ and download both the "America Online Root CA 1" certificate and the "America Online Root CA 2" certificate.
   b. Navigate to https://pki-info.aol.com/AOLMSPKI/index.html and download the "AOL Member CA" certificate.
3. To obtain a root certificate used by an XMPP community:
   a. Check with the XMPP community to determine which trusted certificate authority they are using.
   b. Determine whether WebSphere Application Server supports the certificate.
   c. If the certificate is recognized, there is nothing more to do in this step.
   d. If the certificate is not recognized, obtain the certificate from the CA and add it to your truststore (see the next step in setting up SSL).

What to do next

If for any reason the root certificate authority for an instant messaging community changes, or you add an additional instant messaging community to your Lotus Sametime Gateway, you must explicitly add the new root CA to your WebSphere Application Server truststore.

Adding a trusted CA certificate to the keystore:

Add your new Certificate Authority certificate to the keystore to establish the trust relationship in SSL communication.

Before you begin

The keystore that you want to add the CA certificate to must already exist. Expected state: the Deployment Manager and node agents are started. The servers are stopped.

1. In the Integrated Solutions Console, click Security → SSL certificates and key management.
2. Click Key stores and certificates → CellDefaultTrustStore → Signer certificates.

198

Lotus Sametime: Installation and Administration Guide Part 2

3. Click Add.
4. Type a certificate alias in the Alias field. The alias is how the certificate is referenced in the keystore.
5. In the File name field, type the file name and path to where the certificate is located.
6. Select the appropriate file data type.
7. Click Apply and then Save.
8. Synchronize your changes to all nodes in the cluster. Click System Administration → Nodes.
9. Select all nodes in the cluster, then click Full Resynchronize.
10. Open a command window.
11. In the command window, stop the Deployment Manager and wait for the command to finish, and then restart the Deployment Manager. Use the user name and password that you provided when you enabled administrative security to stop the Deployment Manager. Navigate to the stgw_profile_root\bin directory and use the following commands:
   AIX, Linux, and Solaris:
      ./stopManager.sh -username username -password password
      ./startManager.sh
   Windows:
      stopManager.bat -username username -password password
      startManager.bat
   IBM i:
      stopManager -username username -password password
      startManager
12. Restart the node agents.
   a. Log into the Integrated Solutions Console (http://localhost:9060/ibm/console) on the Deployment Manager.
   b. Click System Administration → Node agents.
   c. Select all node agents, and then click Restart.
13. Click Servers → Clusters.
14. Select the Lotus Sametime Gateway cluster and click Start.
15. Click Servers → Proxy servers. If you are not connecting to any instant messaging service over SIP, it is not necessary to start the SIP proxy server.
16. Select the SIP proxy server or servers and click Start.
17. Click Servers → Application servers.
18. Select the XMPP proxy server and click Start. If you are not connecting to any instant messaging service over XMPP, it is not necessary to start the XMPP proxy server.

Configuring the SIP proxy server to use SSL:
Apply the new SSL definition to the SIP proxy server.

Before you begin
Expected state: the Deployment Manager, node agents, and all servers in the cluster are started.


1. In the Integrated Solutions Console, click Security → SSL certificate and key management → Manage endpoint security configurations.
2. Expand the Inbound node on the local topology tree.
   a. Expand the cell with the SIP proxy.
   b. Expand nodes.
   c. Expand the node with the SIP proxy.
   d. Expand servers.
3. Select the SIP proxy server from the tree.
4. On the configuration panel, select Override inherited values.
5. Select the SSL configuration that you defined from the SSL configuration drop-down list.
6. Click Update certificate alias list.
7. Select your certificate alias from the Certificate alias in key store drop-down list.
8. Click Apply.
9. Repeat the preceding steps on the Outbound node of the local topology tree.
10. Change the SSL configuration on the SIP proxy server:
   a. Click Servers → Proxy Servers → name of your SIP proxy server → SIP Proxy Server Settings → SIP proxy server transports → SIPS PROXY CHAIN → SSL inbound channel (SSL_4).
   b. Under SSL Configuration, select Centrally Managed.
   c. Click OK, and then Save.
11. Synchronize your changes to all nodes in the cluster. Click System Administration → Nodes.
12. Select all nodes in the cluster, then click Full Resynchronize.
13. Open a command window.
14. In the command window, stop the Deployment Manager and wait for the command to finish, and then restart the Deployment Manager. Use the user name and password that you provided when you enabled administrative security to stop the Deployment Manager. Navigate to the stgw_profile_root\bin directory and use the following commands:
   AIX, Linux, and Solaris:
      ./stopManager.sh -username username -password password
      ./startManager.sh
   Windows:
      stopManager.bat -username username -password password
      startManager.bat
   IBM i:
      stopManager -username username -password password
      startManager
15. Restart the node agents.
   a. Log into the Integrated Solutions Console (http://localhost:9060/ibm/console) on the Deployment Manager node.
   b. Click System Administration → Node agents.
   c. Select all node agents, and then click Restart.
16. Click Servers → Clusters.
17. Select the Lotus Sametime Gateway cluster, click Stop, and wait for the cluster to stop.


18. Click Servers → Clusters.
19. Select the Lotus Sametime Gateway cluster, and click Start.
20. Click Servers → Proxy servers.
21. Select the SIP proxy server and click Start.

What to do next
Now you can exchange signer certificates with other server communities.

Configuring the XMPP proxy server to use SSL:
Apply the new SSL definition to the XMPP proxy server.

Before you begin
Expected state: the Deployment Manager, node agents, and all servers in the cluster are started.
1. In the Integrated Solutions Console, click Security → SSL certificate and key management → Manage endpoint security configurations.
2. Expand the Inbound node on the local topology tree.
   a. Expand the cell with the XMPP proxy.
   b. Expand nodes.
   c. Select the node with the XMPP proxy.
3. On the configuration panel, select Override inherited values.
4. Make sure NodeDefaultSSLSettings is selected in the SSL configuration drop-down list.
5. Click Update certificate alias list.
6. Select your certificate alias from the Certificate alias in key store drop-down list.
7. Click Apply.
8. Repeat the preceding steps on the Outbound node of the local topology tree.
9. Click OK and Save.

What to do next
Now you can exchange signer certificates with other server communities.

List of supported Certificate Authorities
Certificate authorities (CAs) issue public key certificates in which the CA attests that the public key contained in the certificate belongs to you. You then use your CA-signed certificate to exchange certificates with AOL, Yahoo!, and XMPP communities so that instant messages can be exchanged securely. Certificate vendors sometimes change the product names of their offerings without changing the underlying CA certificate. AOL, Yahoo!, and XMPP cannot keep track of all the product-naming conventions of each certificate vendor.

Chapter 1. Configuring

201

Attention: The server certificate installed on Sametime Gateway must conform to the RFC 3280 certificate standard. When requesting a certificate, make sure the certificate supports both server and client authentication. Some certificate authorities provide certificates that support server authentication only or client authentication only. Certificates must include both the server authentication and the client authentication Extended Key Usage (EKU) flags. Thawte certificates in the following list meet these standards. It is your responsibility to make sure that the certificate supports both. As part of a public key infrastructure (PKI), a CA checks with a registration authority to verify the information provided for your digital certificate. If the registration authority verifies your information, the CA can then issue a certificate to you. For the current list of Certificate Authorities accepted by Lotus Sametime Gateway and by AOL, XMPP, and Yahoo, see IBM FAQ Tech Note #1372445, "List of Certificate Authorities (CAs) accepted by Lotus Sametime Gateway", at: www.ibm.com/support/docview.wss?&uid=swg21372445
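The EKU requirement above can be verified mechanically before a certificate is installed. The Python below is an added example, not part of the IBM guide or of Sametime Gateway: it decodes the DER value of the extendedKeyUsage extension (a SEQUENCE OF OBJECT IDENTIFIER, RFC 5280 section 4.2.1.12) with a small standard-library-only decoder and accepts the certificate only when both id-kp-serverAuth (1.3.6.1.5.5.7.3.1) and id-kp-clientAuth (1.3.6.1.5.5.7.3.2) are present. `find_eku_value`, which locates the extension in a full DER certificate by scanning for the extension's OID, is a constructed shortcut rather than a complete X.509 parser, and `encode_eku` and `wrap_as_extension` exist only to build sample input inline; all function names are my own.

```python
"""Check that a certificate's Extended Key Usage lists both serverAuth and
clientAuth, the condition the guide requires of the Sametime Gateway certificate.
Added example, not IBM code. Standard library only."""
from typing import List, Optional

SERVER_AUTH = "1.3.6.1.5.5.7.3.1"   # id-kp-serverAuth
CLIENT_AUTH = "1.3.6.1.5.5.7.3.2"   # id-kp-clientAuth
EKU_EXTENSION_OID = bytes.fromhex("0603551d25")   # DER of 2.5.29.37 (id-ce-extKeyUsage)


def _encode_oid(dotted: str) -> bytes:
    """DER-encode a dotted OID; used here only to construct sample values."""
    arcs = [int(a) for a in dotted.split(".")]
    body = bytearray([40 * arcs[0] + arcs[1]])
    for arc in arcs[2:]:
        chunk = bytearray([arc & 0x7F])           # base-128, continuation bit on all but last
        arc >>= 7
        while arc:
            chunk.insert(0, 0x80 | (arc & 0x7F))
            arc >>= 7
        body += chunk
    return bytes([0x06, len(body)]) + bytes(body)


def _decode_oid(body: bytes) -> str:
    """Decode the content bytes of an OBJECT IDENTIFIER into dotted form."""
    first = body[0]
    arcs = [2, first - 80] if first >= 80 else [first // 40, first % 40]
    value = 0
    for b in body[1:]:
        value = (value << 7) | (b & 0x7F)
        if not b & 0x80:                          # last byte of this arc
            arcs.append(value)
            value = 0
    return ".".join(str(a) for a in arcs)


def _read_tlv(buf: bytes, pos: int):
    """Return (tag, content, next_pos) for the DER element starting at buf[pos]."""
    tag, length, pos = buf[pos], buf[pos + 1], pos + 2
    if length & 0x80:                             # long form: low bits give byte count
        n = length & 0x7F
        length, pos = int.from_bytes(buf[pos:pos + n], "big"), pos + n
    return tag, buf[pos:pos + length], pos + length


def encode_eku(oids: List[str]) -> bytes:
    """Build a DER ExtKeyUsageSyntax value (constructed test input)."""
    inner = b"".join(_encode_oid(o) for o in oids)
    if len(inner) < 128:
        return bytes([0x30, len(inner)]) + inner
    return bytes([0x30, 0x82]) + len(inner).to_bytes(2, "big") + inner


def decode_eku(der: bytes) -> List[str]:
    """Return the dotted OIDs listed in an EKU extension value."""
    tag, seq, _ = _read_tlv(der, 0)
    if tag != 0x30:
        raise ValueError("EKU value must be a SEQUENCE")
    oids, pos = [], 0
    while pos < len(seq):
        tag, body, pos = _read_tlv(seq, pos)
        if tag != 0x06:
            raise ValueError("EKU SEQUENCE may contain only OBJECT IDENTIFIERs")
        oids.append(_decode_oid(body))
    return oids


def find_eku_value(cert_der: bytes) -> Optional[bytes]:
    """Shortcut, not a full X.509 parser: scan for the extension OID, skip the
    optional BOOLEAN 'critical' flag, and unwrap the OCTET STRING extnValue."""
    idx = cert_der.find(EKU_EXTENSION_OID)
    if idx < 0:
        return None
    tag, val, pos = _read_tlv(cert_der, idx + len(EKU_EXTENSION_OID))
    if tag == 0x01:                               # critical flag present
        tag, val, pos = _read_tlv(cert_der, pos)
    return val if tag == 0x04 else None


def usable_for_gateway(eku_der: bytes) -> bool:
    """True only when both serverAuth and clientAuth are asserted."""
    present = set(decode_eku(eku_der))
    return SERVER_AUTH in present and CLIENT_AUTH in present


def wrap_as_extension(eku_der: bytes, critical: bool = False) -> bytes:
    """Constructed Extension entry (OID, optional critical flag, OCTET STRING)."""
    flag = b"\x01\x01\xff" if critical else b""
    return EKU_EXTENSION_OID + flag + bytes([0x04, len(eku_der)]) + eku_der
```

A certificate whose EKU lists only serverAuth, or only clientAuth, is rejected by `usable_for_gateway`; a certificate with no EKU extension at all yields `None` from `find_eku_value` and should be treated as failing the requirement too.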

Setting up SSL on Sametime
These are the steps that an external community must follow to set up SSL on Sametime servers 7.0 or 6.5.1 so that the external community can connect to your local Sametime community and Lotus Sametime Gateway over SSL. SSL is not needed between Lotus Sametime Gateway and later versions of Sametime server because the connection uses the Virtual Places (VP) protocol over TCP that contains built-in encryption.

About this task
In this procedure, you create a key database on the Sametime SIP Connector machine and create an SSL certificate signed by a Certificate Authority.
1. Specify the host name and port for SSL connections.
2. Enable a SIP Connector to require client certificate authentication.
3. Manage the certificates required for TLS connections by ensuring that the SIP Connector can operate as a server in a TLS handshake.
   a. Install the IKeyMan program on the SIP Connector machine.
   b. Use the IKeyMan program to create a key database on the SIP Connector machine.
   c. Identify the signer (or "trusted root") certificate you will use.
   d. Create and submit a server certificate request.
   e. Import the server certificate into the key database.
4. Manage the certificates required for TLS connections by ensuring that the SIP Connector can operate as a client in a TLS connection handshake.
5. Enable a SIP Connector to require client certificate authentication.
   a. Enter the client certificate name in the ExternCommunity document in the stconfig.nsf database.
   b. Ensure the SIP Connector has access to the certificates necessary to trust the client certificate.
6. Edit the CommunityConnector document in the stconfig.nsf database to include the local SIP Connector machine information.
7. Edit the ExternCommunity document in the stconfig.nsf database to include the external community (Lotus Sametime Gateway community) to which the SIP Gateway is connecting.

202

Lotus Sametime: Installation and Administration Guide Part 2

What to do next
You now need to export the signed certificate and add it to the Sametime Gateway’s trust store. Then, you must export the CA-signed personal certificate from the keystore file of Lotus Sametime Gateway and add this certificate as a signer certificate to the Sametime SIP Connector’s key database.

Connecting servers to Sametime Gateway
To complete IBM Lotus Sametime Gateway setup, you connect servers to the Lotus Sametime Gateway by performing some configuration steps on the local Sametime server, adding the local community to the Lotus Sametime Gateway, registering your Sametime Gateway server with AOL so that Lotus Sametime Gateway can connect to the AOL clearinghouse, and then, after you complete your registration, adding the AOL clearinghouse community to the Lotus Sametime Gateway. Finally, you want to note the port numbers so you can provide these ports to external communities.

Opening ports in the firewalls
Open specific ports in the internal and external firewalls to allow messages to flow to and from the Sametime Gateway server in the DMZ to the local Sametime community, and to permit access to LDAP and DB2®. In addition, verify that the external firewall allows inbound and outbound connections to and from specific IP addresses. Make sure any kind of SIP fixup or SIP inspection is disabled in your firewall settings.

About this task
A Sametime Gateway server or cluster is normally deployed in the DMZ, which is the zone between the internal and external firewalls. Work with your network firewall administrator to open ports in the internal firewall to allow Sametime Gateway to connect to the local Sametime community servers, LDAP, and DB2. You also need to open ports in the external firewall to allow Sametime Gateway to connect with external communities.

Chapter 1. Configuring

203

You can deploy a Network Address Translator (NAT) between local Lotus Sametime community servers and a Lotus Sametime Gateway. However, deploying a NAT device between Lotus Sametime Gateway and the Internet is not supported when trying to connect Lotus Sametime Gateway to AOL, Yahoo, or TLS-encrypted SIP-based external communities. While there are SIP-aware NAT devices, they are not sufficient because both the AOL and Yahoo communities require secure SIP (SSL/TLS) communication, and a NAT device would not be able to decrypt and translate the packets for proper operation. NAT has no effect on the XMPP protocol, so exchanges using Google Talk over XMPP are always permitted to pass through a NAT-enabled firewall that is between Lotus Sametime Gateway and the Internet.
1. Open the following ports in the internal firewall:
   - Port 1516 on the internal firewall to each Sametime community server in the local Sametime community, allowing both inbound and outbound traffic between Sametime Gateway and each community server.
   - Port 389 on the internal firewall to the LDAP directory, or port 636 if LDAP access is over SSL.
   - Port 50000 on the internal firewall to a DB2 server.
2. Open the following ports on the external firewall as needed:
   - Port 5269 on the external firewall to Google Talk and non-secured XMPP.
   - Port 5270 on the external firewall to secured XMPP.
   - Port 5061 on the external firewall to external Lotus Sametime, AOL, or Yahoo! Messenger communities using a secure TLS/SSL connection.
   - Port 5060 on the external firewall to an external Lotus Sametime community (only if using a non-TLS/SSL connection).
   - Port 53 on the external firewall to external DNS servers to resolve the fully qualified domain name of external community servers.
3. Verify that the external firewall allows inbound and outbound connections to and from the following IP addresses:


   - AOL:
      64.12.162.248, 205.188.153.55
   - For Yahoo! Messenger, you have two options. Choosing between options A and B when configuring your firewall is a matter of trade-offs. Option A offers more security (by using specific addresses instead of Class-C range addresses), while option B requires less firewall-rules maintenance (if Yahoo! adds a server to their array, its IP address will probably be contained within the allowed IP addresses range, and so would not require a firewall update – but this is not guaranteed). Consult your network administrator and security officer; if in doubt, use option A, which is more secure.
      – Option A: Define the exact Yahoo! server IP addresses that the Sametime Gateway will interact with, using the list below:
         iopsgw1.msg.re3.yahoo.com         69.147.79.246
         iopsgw2.msg.re3.yahoo.com         69.147.79.247
         iopsgw3.msg.re3.yahoo.com         69.147.79.248
         iopsgw4.msg.re3.yahoo.com         69.147.79.249
         iopsgw5.msg.re3.yahoo.com         69.147.79.250
         iopsgw6.msg.re3.yahoo.com         69.147.79.251
         iopsgw7.msg.re3.yahoo.com         69.147.79.252
         iopsgw8.msg.re3.yahoo.com         69.147.79.253
         sgw.ibm.msg.vip.ac4.yahoo.com     98.136.112.84
         sgw101.ibm.msg.ac4.yahoo.com      98.136.113.23
         sgw102.ibm.msg.ac4.yahoo.com      98.136.113.24
         sgw103.ibm.msg.ac4.yahoo.com      98.136.113.25
         sgw104.ibm.msg.ac4.yahoo.com      98.136.113.26
         sgw105.ibm.msg.ac4.yahoo.com      98.136.113.27
         sgw106.ibm.msg.ac4.yahoo.com      98.136.113.28
         sgw107.ibm.msg.ac4.yahoo.com      98.136.113.29
         sgw108.ibm.msg.ac4.yahoo.com      98.136.113.30
         sgw.ibm.msg.vip.sp1.yahoo.com     98.136.56.113
         sgw101.ibm.msg.sp1.yahoo.com      98.136.43.128
         sgw102.ibm.msg.sp1.yahoo.com      98.136.43.129
         sgw103.ibm.msg.sp1.yahoo.com      98.136.43.130
         sgw104.ibm.msg.sp1.yahoo.com      98.136.43.131
         sgw105.ibm.msg.sp1.yahoo.com      98.136.43.132
         sgw106.ibm.msg.sp1.yahoo.com      98.136.43.133
         sgw107.ibm.msg.sp1.yahoo.com      98.136.43.134
         sgw108.ibm.msg.sp1.yahoo.com      98.136.43.135
      – Option B: Configure your firewall to restrict incoming and outgoing communication to a range of Class-C IP addresses used by Yahoo! Messenger:
         98.136.112.84
         98.136.56.113
         69.147.79.*
         98.136.113.*
         98.136.43.*

   - For Google Talk, include all the IP addresses resolvable from a DNS lookup of talky.l.google.com and talkz.l.google.com. The talky.l.google.com addresses are for connections from the enterprise to Google. The talkz.l.google.com addresses are for connections incoming from Google to the enterprise. In the command window, type:
         nslookup talky.l.google.com
      Then type:
         nslookup talkz.l.google.com
      For example:
         C:\>nslookup talky.l.google.com
         Name:    talky.l.google.com
         Addresses:  74.125.47.125, 74.125.65.125, 74.125.155.125, 209.85.137.125
                     209.85.163.125, 209.85.229.125, 216.239.51.125, 64.233.169.125, 72.14.203.125
                     72.14.247.125

         C:\>nslookup talkz.l.google.com
         Non-authoritative answer:
         Name:    talkz.l.google.com
         Addresses:  209.85.200.129, 72.14.252.129, 209.85.162.129
4. Make sure that the Lotus Sametime Gateway server can resolve a reverse lookup on each of the Google IP addresses returned by those lookups. You can verify this by substituting each IP address into the following command:
         C:\>nslookup
         > 209.85.163.125
         Server:  UnKnown
         Address:  129.42.250.40

         Name:    el-in-f125.google.com
         Address:  209.85.163.125
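Both the Yahoo! allow-list trade-off (option A versus option B) and the reverse-lookup requirement in step 4 can be checked before the firewall change goes live. The Python below is an added example, not part of the IBM guide or of Sametime Gateway: it parses the option A host list in the same "host address" format printed above, confirms that every option A address falls inside the option B ranges, quantifies how many additional addresses option B admits (the maintenance-versus-exposure trade-off the text describes), and runs the reverse-DNS check over a list of addresses through an injectable resolver so it can be exercised offline. `system_ptr_lookup`, `table_ptr_lookup` and the other helper names are my own; run the reverse-lookup part with the real resolver against the addresses your own nslookup output returns, which needs network access.

```python
"""Offline preflight for the external-firewall allow-list (Yahoo! option A vs. B)
and for the reverse-DNS requirement on Google Talk addresses.
Added example, not IBM code; the addresses are the ones listed in the guide."""
import ipaddress
import socket
from typing import Callable, Dict, Iterable, List, Optional

# Option A: the exact Yahoo! gateway hosts from the guide, in its "host address" layout.
YAHOO_OPTION_A_TEXT = """
iopsgw1.msg.re3.yahoo.com 69.147.79.246  iopsgw2.msg.re3.yahoo.com 69.147.79.247
iopsgw3.msg.re3.yahoo.com 69.147.79.248  iopsgw4.msg.re3.yahoo.com 69.147.79.249
iopsgw5.msg.re3.yahoo.com 69.147.79.250  iopsgw6.msg.re3.yahoo.com 69.147.79.251
iopsgw7.msg.re3.yahoo.com 69.147.79.252  iopsgw8.msg.re3.yahoo.com 69.147.79.253
sgw.ibm.msg.vip.ac4.yahoo.com 98.136.112.84  sgw101.ibm.msg.ac4.yahoo.com 98.136.113.23
sgw102.ibm.msg.ac4.yahoo.com 98.136.113.24  sgw103.ibm.msg.ac4.yahoo.com 98.136.113.25
sgw104.ibm.msg.ac4.yahoo.com 98.136.113.26  sgw105.ibm.msg.ac4.yahoo.com 98.136.113.27
sgw106.ibm.msg.ac4.yahoo.com 98.136.113.28  sgw107.ibm.msg.ac4.yahoo.com 98.136.113.29
sgw108.ibm.msg.ac4.yahoo.com 98.136.113.30  sgw.ibm.msg.vip.sp1.yahoo.com 98.136.56.113
sgw101.ibm.msg.sp1.yahoo.com 98.136.43.128  sgw102.ibm.msg.sp1.yahoo.com 98.136.43.129
sgw103.ibm.msg.sp1.yahoo.com 98.136.43.130  sgw104.ibm.msg.sp1.yahoo.com 98.136.43.131
sgw105.ibm.msg.sp1.yahoo.com 98.136.43.132  sgw106.ibm.msg.sp1.yahoo.com 98.136.43.133
sgw107.ibm.msg.sp1.yahoo.com 98.136.43.134  sgw108.ibm.msg.sp1.yahoo.com 98.136.43.135
"""
# Option B: two single hosts plus three Class-C ranges, in the guide's "a.b.c.*" notation.
YAHOO_OPTION_B = ["98.136.112.84", "98.136.56.113", "69.147.79.*", "98.136.113.*", "98.136.43.*"]


def parse_host_ip_list(text: str) -> Dict[str, str]:
    """Turn alternating 'host address' tokens into a host -> address map."""
    tokens = text.split()
    return dict(zip(tokens[::2], tokens[1::2]))


def to_network(entry: str) -> ipaddress.IPv4Network:
    """Translate a single address or an 'a.b.c.*' range into an IP network."""
    if entry.endswith(".*"):
        return ipaddress.ip_network(entry[:-2] + ".0/24")
    return ipaddress.ip_network(entry + "/32")


def allowed(addr: str, allow_list: Iterable[str]) -> bool:
    """True when addr is covered by at least one allow-list entry."""
    ip = ipaddress.ip_address(addr)
    return any(ip in to_network(e) for e in allow_list)


def option_a_addresses() -> List[str]:
    return list(parse_host_ip_list(YAHOO_OPTION_A_TEXT).values())


def option_a_inside_option_b() -> bool:
    """Sanity check: option B must admit everything option A admits."""
    return all(allowed(ip, YAHOO_OPTION_B) for ip in option_a_addresses())


def extra_addresses_admitted_by_b() -> int:
    """How many more addresses option B opens than option A (the exposure cost)."""
    b_total = sum(to_network(e).num_addresses for e in YAHOO_OPTION_B)
    return b_total - len(option_a_addresses())


PtrLookup = Callable[[str], str]


def system_ptr_lookup(addr: str) -> str:
    """Reverse-resolve with the OS resolver; raises socket.herror on failure."""
    return socket.gethostbyaddr(addr)[0]


def table_ptr_lookup(table: Dict[str, str]) -> PtrLookup:
    """Constructed stand-in resolver for offline tests; raises like the real one."""
    def lookup(addr: str) -> str:
        if addr not in table:
            raise OSError("no PTR record for " + addr)
        return table[addr]
    return lookup


def reverse_lookup_report(addrs: Iterable[str], lookup: PtrLookup = system_ptr_lookup) -> Dict[str, Optional[str]]:
    """Map each address to its PTR name, or None when reverse resolution fails."""
    report: Dict[str, Optional[str]] = {}
    for addr in addrs:
        try:
            report[addr] = lookup(addr)
        except OSError:                 # socket.herror and gaierror are OSError subclasses
            report[addr] = None
    return report


def addresses_without_ptr(addrs: Iterable[str], lookup: PtrLookup = system_ptr_lookup) -> List[str]:
    """The addresses step 4 would flag: forward-resolvable but with no reverse record."""
    return [a for a, name in reverse_lookup_report(addrs, lookup).items() if name is None]
```

The allow-list functions also work for the AOL addresses or for any peer address taken from a connection log, which makes them a quick way to tell whether an unexpected inbound SIP/TLS source is inside the ranges the firewall was meant to admit.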

Connecting the local Sametime Community Server to Sametime Gateway
Complete these steps to prepare and then add your local Community Server to Lotus Sametime Gateway.

Managing trusted IP addresses:
Whenever you install a server that communicates with an IBM Lotus Sametime Community Server, you must add the new server's IP address to the Community Server's settings.

About this task
The Lotus Sametime Community Server accepts connections from the Lotus Sametime Media Manager, the Lotus Sametime Gateway, the Lotus Sametime Community Mux, and the Lotus Sametime Proxy Server, as well as other servers that are listed in the Community Services page. To ensure that the Lotus Sametime Community Server trusts these components when they establish a connection, you must add the trusted server's IP address to the Lotus Sametime Community Server. You do not need to add the Lotus Sametime System Console's IP address because it is added automatically when you install the Lotus Sametime Community Server using a deployment plan or register the Lotus Sametime Community Server with the console after installation. This task must be completed separately for each server within a Lotus Sametime Community Server cluster, as well as for multiple non-clustered Community Servers.
1. Log in to the Integrated Solutions Console.
2. Click Sametime System Console → Sametime Servers → Sametime Community Servers.

206

Lotus Sametime: Installation and Administration Guide Part 2

3. In the Sametime Community Servers list, click the deployment name of the server whose list of trusted IP addresses you want to change.
4. Click the Connectivity tab.
5. Under Trusted Servers, enter the IP address of the server that must connect to the Lotus Sametime Community Server in the New IP Address field, and click Add.
   Note: For the Lotus Sametime Media Manager, enter the Conference Manager server IP address. Each instance of a Conference Manager cluster must be entered.
   To delete an IP address from the list, select it and click Delete Selected.
6. Click OK.
7. Restart the Lotus Sametime Community Server for the change to take effect.

Specifying the mail attribute for LDAP person records:
If your Sametime servers are configured to use an LDAP server that is not a native internal Domino directory, you must specify the attribute in an LDAP record that contains the user's e-mail address. This setting is required because SIP entities are identified by their e-mail addresses.
1. From the Sametime server home page, click the Administer the Server link to open the Sametime Administration Tool.
2. Choose LDAP Directory - Basics.
3. In the Basics settings for server drop-down list, select the LDAP server.
4. In the Attribute of a person entry that defines the person's e-mail address setting, type the attribute that your LDAP directory uses to hold the user's e-mail address. Default attribute names include the following:
   - Type mail (default) if your LDAP directory is a Domino Directory, IBM Directory Server, or Sun ONE Java System Directory Server.
   - Type userPrincipalName (default) if you are using Microsoft Active Directory.
5. Click Update.
6. Choose LDAP Directory - Searching.
7. In the search filter for resolving person names, update the search filter to contain the attribute specified in step 4. For example, if the LDAP directory uses the mail attribute, update the search filter to include the mail attribute:
   (&(objectclass=organizationalPerson)(|(cn=%s*)(givenname=%s*)(sn=%s*)(mail=%s*)))

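As an added example (not Sametime code), the Python below builds the filter from step 7 with the configured e-mail attribute and substitutes a search term into each %s after escaping it as RFC 4515 requires, so that characters such as ( ) * and \ in a term cannot alter the filter's structure; it also includes a check that a configured filter really references the e-mail attribute, which is the point of steps 4 and 7. The helper names and the MAIL_ATTRIBUTE constant are my own.

```python
"""Build and validate the person-search filter from step 7.
Added example, not Sametime code."""

MAIL_ATTRIBUTE = "mail"   # use userPrincipalName for Microsoft Active Directory (step 4)


def escape_filter_value(value: str) -> str:
    """RFC 4515 escaping: backslash, *, (, ) and NUL become \\XX hex escapes."""
    out = []
    for ch in value:
        if ch in "\\*()\0":
            out.append("\\%02x" % ord(ch))
        else:
            out.append(ch)
    return "".join(out)


def person_filter_template(mail_attr: str = MAIL_ATTRIBUTE) -> str:
    """The guide's search filter, with the e-mail attribute configured in step 4."""
    return ("(&(objectclass=organizationalPerson)"
            "(|(cn=%s*)(givenname=%s*)(sn=%s*)(" + mail_attr + "=%s*)))")


def resolve_person_filter(term: str, mail_attr: str = MAIL_ATTRIBUTE) -> str:
    """Substitute an escaped search term for every %s in the template."""
    return person_filter_template(mail_attr).replace("%s", escape_filter_value(term))


def filter_searches_attribute(filter_str: str, attr: str) -> bool:
    """Check that a configured filter actually contains an assertion on attr."""
    return ("(" + attr.lower() + "=") in filter_str.lower()
```

Calling `filter_searches_attribute` on the filter string copied from the LDAP Directory - Searching page, with the attribute chosen in step 4, is a quick way to confirm the two settings agree before restarting the server.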
8. Click Update and restart the server for the change to take effect.

Disabling the Sametime SIP Gateway on the local Sametime server:
To use Lotus Sametime Gateway with a local Sametime server version 6.5.1 or 7.0, you must disable the Sametime SIP Gateway application.
1. Windows: Disable the Sametime SIP Gateway application by completing the following steps:
   a. Click Start → Programs → Administrative tools → Services.
   b. Right-click ST SIP Gateway and click Stop.
   c. Right-click ST SIP Gateway and click Properties.
   d. In the Startup type drop-down list, select Disabled.
   e. Click OK.
Chapter 1. Configuring

207

   f. Restart the Sametime server.
2. AIX, Solaris, IBM i: Disable the Sametime SIP Gateway application by completing the following steps:
   a. Open a command window. On IBM i, run the STRQSH (Start Qshell) command.
   b. Navigate to \lotus\domino.
   c. Use a text editor to open the StCommLaunch.dep file.
   d. Delete the following line from the file:
      AIX and Solaris:
         SERVERAPP ST SIP Gateway,ST Community,SOFT
      IBM i:
         SERVERAPP StGateway,StCommunity,SOFT
   e. Save the file.
   f. Restart the Sametime server.

Allowing local Sametime clients to add external users to Contact Lists:
Complete these steps to allow your Sametime clients to add external users to Contact Lists.

About this task
After you complete these steps, users will see an External Contact check box on the Add New Contact dialog. To add an external contact, users type the external user's email address (name@domain), select External Contact, and then click Add.
1. Log in as the Sametime administrator to the following URL, substituting your Sametime server's Web address: http://SametimeServer.yourco.com/stcenter.nsf.
2. Click Administer the server.
3. Click Policies in the navigation panel, and open the Policy in use.
4. Select Yes next to the statement Allow users to add external users using the Sametime Gateway.
5. Click OK to save.
6. Using a Lotus Notes client, open the Sametime server's stconfig.nsf file.
7. Click Create at the top of the client, and select Community Gateway.
8. Accept the defaults of True for Support external communities and Convert ID.
9. Save and close the document.
10. Repeat the preceding steps for each Sametime server in the Sametime cluster.
11. Restart each Sametime server.

Adding a local Community Server to Sametime Gateway:
Connect a local Lotus Sametime Community Server or Lotus Sametime community cluster to Lotus Sametime Gateway to enable Lotus Sametime users to have instant messaging with external users.

208

Lotus Sametime: Installation and Administration Guide Part 2

Before you begin
Before you can add a local Sametime server to Lotus Sametime Gateway, make sure you have completed the preceding steps:
- Opened port 1516 on the internal firewall to the local Sametime community server. If the Lotus Sametime community is clustered, you opened port 1516 to each of the Sametime community servers, allowing both inbound and outbound traffic between Lotus Sametime Gateway and each community server.
- Configured the Sametime server to trust the IP addresses of Lotus Sametime Gateway servers.
- Disabled the legacy Sametime SIP Gateway on the Sametime community server.
- Allowed local Sametime clients to add external users to Contact Lists.
Important: You can only connect one gateway to a community; otherwise the awareness and chat features may not work properly. Likewise, you can connect only one local Lotus Sametime community to Lotus Sametime Gateway. You must add the local community to Lotus Sametime Gateway before you add external communities.

About this task
Expected state:
- Single server: the Lotus Sametime Gateway server is started.
- Cluster: the Deployment Manager is started, and the node agent and Lotus Sametime Gateway servers are started on at least one node.
1. In the Integrated Solutions Console, click Sametime Gateway → Communities.
2. In the table that lists communities, click New.
3. In the Name field, type a logical name for the local community, such as Acme Sametime Users.
4. In the Community Type field, select Local.
5. In the Domains field, type the domain names in which users are found in the local community.
   Notes:
   - Wildcards are not supported in this field; you must type each complete domain name.
   - Each domain name must access the same user directory. For example, acme.com, us.acme.com, fr.acme.com, and uk.acme.com must all be linked by a common user directory to be in the community. Obtain this information from the system administrator of the local Lotus Sametime community.
   - If you plan to connect to Google Talk or other XMPP communities, all the domains listed must have an existing SRV record. See the instructions in "Connecting to a Google Talk community". If even a single listed domain does not have an SRV record, the Google community cannot connect.
6. In the Translation Protocol field, select VP.
7. Type the Host name of the Sametime community server, or of any Sametime server that is part of a cluster in the local community, for example sametimeserver1.acme.com. If the Sametime community server is part of a cluster, enter the host name of any Sametime community server. Do not enter the host name of a MUX or IP sprayer server. Sametime Gateway receives the cluster configuration information from the Sametime community server and, through its own VP translation protocol, provides load balancing for the Sametime community servers.
8. Set the Port to 1516. The transport protocol is automatically set to TCP (Transmission Control Protocol).
9. Click OK.
10. Restart the Lotus Sametime Gateway server, or, if you have a cluster of Lotus Sametime Gateway servers, restart the cluster.

Related tasks
"Connecting to a Google Talk community" on page 218
IBM Lotus Sametime Gateway users can exchange instant messages with the Google Talk community over the Extensible Messaging and Presence Protocol, or XMPP. To communicate with the Google Talk community, you must first set up a DNS service (SRV) record and publish it to DNS so that Google Talk users and local Sametime users can discover each other and establish a connection. This topic instructs you to create a DNS SRV record first, and then add Google Talk as an external community.
"Adding external Sametime communities" on page 225
Add an external Sametime community to IBM Lotus Sametime Gateway. You connect to a Sametime community by specifying domains in the external community, selecting a translation protocol, and setting the host name, port, and transport protocol for the external community.
"Connecting to the AOL clearinghouse community" on page 214
Use this procedure to add the AOL clearinghouse community to IBM Lotus Sametime Gateway. The AOL clearinghouse connects your Sametime users to a wide community that includes AOL, ICQ, iChat, and other users from AOL Enterprise Federation Partner communities, including external Sametime communities. Connect to the AOL clearinghouse community or the AOL community, but not both, as the former is a superset of the latter.
"Managing trusted IP addresses" on page 350
Whenever you install a server that communicates with an IBM Lotus Sametime Community Server, you must add the new server's IP address to the Community Server's settings.

Related reference
"Sametime Gateway communities" on page 433
View the list of communities and use the list as the starting place to set up communities, assign local users access to external communities, and set properties on communities. The communities list shows the community name, the type of community, and the translation protocol used.
"Community properties" on page 436
Use this page to connect IBM Lotus Sametime Gateway to one internal community and multiple external communities, or to edit the connection properties of an existing community. Specify the type of community, the domains to use when accessing the community, the translation protocol that Lotus Sametime Gateway uses to communicate with the community, connection details, and any custom properties for the connection or community. After you create a community, use the Assign local users to this community link to give permission to local users to access the external or clearinghouse community.

Specifying connection attempts and a time out when connecting with the local Sametime server:


You can optionally set properties for when the IBM Lotus Sametime Gateway server becomes disconnected from the local Sametime community server. You can set how many times Sametime Gateway should try to connect to the local Sametime community server. Also, you can set the time to wait between attempts to connect.

About this task
When the Sametime Gateway server is disconnected from the Sametime server, by default Sametime Gateway tries to connect for one minute, then stops, then tries again to connect. This process goes on indefinitely unless you change these defaults by creating two custom properties, one for connection attempts and the other for the connection time out.
1. In the Integrated Solutions Console, click Sametime Gateway → Communities.
2. In the table that lists communities, click the Local community.
3. On the local community panel, click Custom properties, and then click New.
4. To set the number of connection attempts, in the name field, type Server connection attempts.
5. In the value field, type -1 (to try infinitely), or some other number.
6. Click OK.
7. To set the connection time out, in the name field, type Server connection time out.
8. In the value field, type a number in milliseconds. For example, type 30000 to set the time out to 30 seconds.
9. Click OK.
10. Restart the Lotus Sametime Gateway server, or, if you have a cluster of Lotus Sametime Gateway servers, restart the cluster.

Related reference
"Custom properties details" on page 447
Use this page to edit custom properties for a community, translation protocol, or message handler. You can also specify new properties that are needed to configure third-party elements used by the IBM Lotus Sametime Gateway.
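To make the two properties concrete, here is an added Python model of the reconnect behaviour they control. It is not Gateway code: the property names are used only as labels, the default wait of one minute is an assumption taken from the description above, and the connection function and the sleep are injectable so the loop can be exercised without a Community Server. An attempt budget of -1 means retry indefinitely; any positive value caps the number of tries, with the configured wait in milliseconds between them.

```python
"""Model of 'Server connection attempts' (-1 = unlimited) and
'Server connection time out' (milliseconds between attempts).
Added example, not Sametime Gateway code."""
import time
from typing import Callable, Tuple

INFINITE = -1                 # the value the guide gives for unlimited attempts
DEFAULT_TIMEOUT_MS = 60000    # assumption: "tries to connect for one minute" by default


def reconnect(connect: Callable[[], bool], attempts: int = INFINITE,
              timeout_ms: int = DEFAULT_TIMEOUT_MS,
              sleep: Callable[[float], None] = time.sleep) -> Tuple[bool, int]:
    """Call connect() until it succeeds or the attempt budget is spent.

    Returns (connected, attempts_made). With attempts == INFINITE the loop
    only ends on success, which is the documented default behaviour."""
    if attempts == 0 or attempts < INFINITE:
        raise ValueError("attempts must be -1 (unlimited) or a positive number")
    made = 0
    while True:
        made += 1
        if connect():
            return True, made
        if attempts != INFINITE and made >= attempts:
            return False, made
        sleep(timeout_ms / 1000.0)     # wait the configured time out before retrying


def flaky(succeed_on: int) -> Callable[[], bool]:
    """Constructed stand-in for the Community Server link: fails until call N."""
    calls = {"n": 0}

    def connect() -> bool:
        calls["n"] += 1
        return calls["n"] >= succeed_on
    return connect
```

Bounding the attempts (rather than leaving the default of -1) matters on a gateway in the DMZ: an unbounded loop keeps generating connection traffic through the internal firewall for as long as the Community Server is unreachable, which is worth having in the monitoring picture when the link is down.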

Connecting to instant messaging communities
Add instant messaging communities such as the AOL clearinghouse, AOL Instant Messenger, Google Talk, XMPP, Office Communications Server, and Yahoo Messenger to Lotus Sametime Gateway.

About this task
When you set up a connection with AOL, you have the option of connecting with AOL users only, or connecting with the AOL clearinghouse community that includes AOL, ICQ, iChat, and other users from AOL Enterprise Federation Partner communities, including external Sametime communities. IBM recommends that you do not configure both communities, as users served by the AOL clearinghouse are a superset of users served by the AOL community. If you set up AOL only, and later decide to connect with the AOL clearinghouse community, delete the AOL community first before adding the AOL clearinghouse community to Sametime Gateway.
Note: Lotus Sametime client users must use the Sametime client version 7.5 or later when exchanging instant messages and presence information with public instant messaging providers such as AOL Instant Messenger, Yahoo Messenger, Office Communications Server, and Google Talk. Pre-7.5 clients are not licensed to connect with public instant messaging providers. The Sametime server checks the client version and disables the Add external user check box if a client of a lower version is used. It is the responsibility of the Sametime Gateway administrator to comply with the licensing agreement.

Registering your Sametime Gateway with AOL and Yahoo!:
The IBM Lotus Sametime Provisioning Application enables you to set up interoperability with certain public instant messaging services such as Yahoo! and AOL. The application prompts you for relevant information, validates your organization's entitlement to use IBM Lotus Sametime Gateway, provides the information to the instant messaging service, and notifies you when you have been added by the service.

Before you begin
The procedure for registering your Lotus Sametime Gateway depends on how you acquired Lotus Sametime Standard or Lotus Sametime Advanced:

Related tasks
"Connecting to the AOL clearinghouse community" on page 214
Use this procedure to add the AOL clearinghouse community to IBM Lotus Sametime Gateway. The AOL clearinghouse connects your Sametime users to a wide community that includes AOL, ICQ, iChat, and other users from AOL Enterprise Federation Partner communities, including external Sametime communities. Connect to the AOL clearinghouse community or the AOL community, but not both, as the former is a superset of the latter.

If you used IBM Passport Advantage:
If you acquired licenses for IBM Lotus Sametime Standard or Lotus Sametime Advanced using the IBM Passport Advantage® Web site, register your IBM Lotus Sametime Gateway directly using the Lotus Sametime Provisioning Application.

Before you begin
Collect the following information:
- The primary contact for your site.
The primary contact is the person who is entering into the Passport Advantage or Passport Advantage Express™ contractual relationship with IBM on behalf of your company. IBM communicates directly with this person on issues such as Agreement modification and so forth. This person may be a procurement or purchasing professional. v Your Passport Advantage site number. v Your Lotus Sametime Gateway name. This can be any name that you assign to Lotus Sametime Gateway. v Your Lotus Sametime Gateway host name. v Your Lotus Sametime Gateway port number. v Your Lotus Sametime Gateway SSL certificate common name. v Your Lotus Sametime Gateway SSL certificate issuer (VeriSign, Comodo, Thawte, and so on). v An e-mail address for you to be notified when provisioned.

212

Lotus Sametime: Installation and Administration Guide Part 2

- The Sametime community domains that you want to expose to the instant messaging service.

1. Navigate to http://www.ibm.com/software/lotus/sametime/federation to access the Lotus Sametime Provisioning Application.
2. Type your IBM ID and password.
   - If you do not have an IBM ID and password, click the register link. You receive your Web Identity when you complete the registration.
   - If your Web Identity is not affiliated with a Passport Advantage Online site, you are redirected to a self-nomination site where you should use the information you collected before starting this procedure. Unless you know you are the primary contact for your site, select No when prompted "I believe I am the Primary Contact for this Site." Once you have completed the self-nomination form, the Primary Contact for your site must process the form. When you receive a self-nomination approval by e-mail, go to http://www.ibm.com/software/lotus/sametime/federation and start the provisioning process.
   Once your Web Identity is verified, the system checks whether you are a Lotus Sametime customer that is entitled to deploy the Lotus Sametime Gateway.
3. If you are entitled to deploy Lotus Sametime Gateway, enter the information needed by the instant messaging service.
4. Submit the provisioning form. After the instant messaging service receives your information and adds your site, you receive an e-mail notification from IBM that you have been provisioned. This can take up to seven business days.
5. Before accessing a public instant messaging service through the Lotus Sametime Gateway, you are required to agree to the terms of service or end-user license agreement of that public instant messaging service; IBM is not a party to any such agreement.
If you did not use IBM Passport Advantage:

If you did not acquire licenses for IBM Lotus Sametime Standard or Lotus Sametime Advanced through IBM Passport Advantage, then register your IBM Lotus Sametime Gateway by e-mailing the required information to the address below. For example, if you are an IBM Business Partner or have purchased IBM Lotus Sametime Standard for Cisco Unified Communications from Cisco or an authorized Cisco reseller, you must use this procedure.

Before you begin

Send the following information to sametime@us.ibm.com:

Registration code:
- Registration code. This is available on the Lotus Sametime for Cisco Unified Communications software DVD. If you are an IBM Business Partner, you can get this code from your Business Partner representative.

Technical information:
- Gateway host name (the fully qualified domain name of your gateway; for example: stgateway.company.com)
- The port on which you want to accept incoming TLS/SIP requests (port 5061 is used by default)
- Gateway certificate common name
- Gateway certificate issuer
- SIP realm to be used (for example: company.com)
- Do you wish to be provisioned for AOL AIM?
- Do you wish to participate in the AOL Clearing House?
- Do you wish to be provisioned for Yahoo Messenger?

Contact information:
- Company name
- ID or Order # (if IBM Business Partner, use PartnerWorld ID #; otherwise, use Order #)
- Contact first/last name
- Contact e-mail address
- Contact telephone number
- Contact instant messaging address (optional)

Connecting to an AOL community:

Set up a connection by choosing either the AOL Instant Messenger community or the AOL clearinghouse community, but not both. The AOL clearinghouse is a superset of the AOL Instant Messenger community.

Before you begin

You must set up SSL prior to connecting to an AOL community.

About this task

When you set up a connection with AOL, you have the option of connecting with AOL users only, or connecting with the AOL clearinghouse community that includes AOL, ICQ, iChat, and other users from AOL Enterprise Federation Partner communities, including external Sametime communities. IBM recommends that you do not configure both communities, as users served by the AOL clearinghouse are a superset of users served by the AOL community. If you set up AOL only, and later decide to connect with the AOL clearinghouse community, delete the AOL community first before adding the AOL clearinghouse community to Sametime Gateway.

Connecting to the AOL clearinghouse community:

Use this procedure to add the AOL clearinghouse community to IBM Lotus Sametime Gateway. The AOL clearinghouse connects your Sametime users to a wide community that includes AOL, ICQ, iChat, and other users from AOL Enterprise Federation Partner communities, including external Sametime communities. Connect to the AOL clearinghouse community or the AOL community, but not both, as the former is a superset of the latter.

Before you begin

You must set up SSL prior to connecting to an AOL clearinghouse community.


Remember that the Lotus Sametime Gateway servers must have access to a DNS server that can resolve public DNS records (A records, SRV records, and PTR records). For example the following commands should be able to resolve successfully:
nslookup sip.oscar.aol.com
nslookup 64.12.162.248
nslookup -type=all -class=all _xmpp-server._tcp.google.com

Note: IBM recommends that you do not configure both the AOL clearinghouse and the AOL communities, as users served by the AOL clearinghouse are a superset of users served by the AOL community. If you set up AOL only, and later decide to connect with the AOL clearinghouse community, delete the AOL community first before adding the AOL clearinghouse community to Sametime Gateway.

Before you add the AOL clearinghouse community, you must establish the local community and use the provisioning application to register your Lotus Sametime Gateway with AOL Public Instant Messaging Services.

About this task

Expected state:
- Single server: the Lotus Sametime Gateway server is started.
- Cluster: the Deployment Manager is started, and the node agent and Lotus Sametime Gateway server are started on at least one node.

1. In the Integrated Solutions Console, click Sametime Gateway → Communities.
2. In the table that lists communities, click New.
3. In the Name field, type a logical name for the new clearinghouse community.
4. In the Community Type field, select Clearinghouse.
5. Select a Translation Protocol. Choose SIP for AOL for AOL clearinghouse community connections.
6. In the Host Name field, type the following:
   sip.oscar.aol.com
7. In the Port field, type the port number. The default port is 5061.
8. Because the AOL clearinghouse requires a secure connection, the Transport protocol is set to TLS; there is nothing to change.
9. Click OK to save the new community.
10. On the Communities panel, select the name of the community that you created, scroll to the bottom, and click Assign local users to this community to assign users access to the AOL clearinghouse community.
11. Restart the Lotus Sametime Gateway server, or, if you have a cluster of Lotus Sametime Gateway servers, restart the cluster.
12. The following steps are optional, but be sure to restart the Sametime Gateway servers if you make any changes to the community.
    a. Click Custom Properties to include additional IP addresses for AOL Instant Messenger servers. Sametime Gateway uses these IP addresses to determine which SIP requests originate from AOL. The Custom properties link is available only after the community is saved.


    b. In the Route properties field, set the maximum sessions for instant messaging or presence for this community. The session numbers set for this community cannot exceed the global maximum sessions set for Sametime Gateway.
    c. Select the check box to disable the route to the community.
    d. Click the Translation Protocol link to set custom properties for the translation protocol. The Custom properties links are available only after the community is saved.

What to do next

For troubleshooting help, see Technote 1317952 on the IBM Lotus Support Web site at http://www.ibm.com/support/docview.wss?rs=899&uid=swg21317952.

Related tasks
"Registering your Sametime Gateway with AOL and Yahoo!" on page 212
The IBM Lotus Sametime Provisioning Application enables you to set up interoperability with certain public instant messaging services such as Yahoo! and AOL. The application prompts you for relevant information, validates your organization's entitlement to use IBM Lotus Sametime Gateway, provides the information to the instant messaging service, and notifies you when you have been added by the service.
"Adding a local Community Server to Sametime Gateway" on page 208
Connect a local Lotus Sametime Community Server or Lotus Sametime community cluster to Lotus Sametime Gateway to enable Lotus Sametime users to have instant messaging with external users.

Related reference
"Sametime Gateway communities" on page 433
View the list of communities and use the list as the starting place to set up communities, assign local users access to external communities, and set properties on communities. The communities list shows the community name, the type of community, and the translation protocol used.
"Community properties" on page 436
Use this page to connect IBM Lotus Sametime Gateway to one internal community and multiple external communities, or to edit the connection properties of an existing community. Specify the type of community, the domains to use when accessing the community, the translation protocol that Lotus Sametime Gateway uses to communicate with the community, connection details, and any custom properties for the connection or community. After you create a community, use the Assign local users to this community link to give permission to local users to access the external or clearinghouse community.

Connecting to the AOL Instant Messenger community:

Use this procedure to add the AOL Instant Messenger community to IBM Lotus Sametime Gateway so that your users can exchange instant messages and presence with AOL Instant Messenger users. Add the AOL community only if you have not added the AOL clearinghouse community, because the AOL clearinghouse is a superset of the AOL community.

Before you begin

You must set up SSL prior to connecting to the AOL Instant Messenger community.


Remember that the Lotus Sametime Gateway servers must have access to a DNS server that can resolve public DNS records (A records, SRV records, and PTR records). For example the following commands should be able to resolve successfully:
nslookup sip.oscar.aol.com
nslookup 64.12.162.248
nslookup -type=all -class=all _xmpp-server._tcp.google.com

Note: IBM recommends that you do not configure both the AOL clearinghouse and the AOL communities, as users served by the AOL clearinghouse are a superset of users served by the AOL community. If you set up AOL only, and later decide to connect with the AOL clearinghouse community, delete the AOL community first before adding the AOL clearinghouse community to Sametime Gateway. You must establish the local community first before adding an external community.

About this task

Expected state:
- Single server: the Lotus Sametime Gateway server is started.
- Cluster: the Deployment Manager is started, and the node agent and Lotus Sametime Gateway server are started on at least one node.

1. In the Integrated Solutions Console, click Sametime Gateway → Communities.
2. In the table that lists communities, click New.
3. In the Name field, type a logical name for the new community, such as AOL IM.
4. Under Community Type, select External.
5. In the Domains field, type: aol.net, corp.aol.com, aol.com
6. In the Translation Protocol list, select SIP for AOL.
7. In the Host Name field, type sip.oscar.aol.com.
8. In the Port field, type a port number. The default port is 5061.
9. In the Transport protocol field, TLS (Transport Layer Security) is already selected.
10. Click AOL IM from the list to edit the connection properties.
11. Click OK to save the new community.
12. On the Communities panel, select the name of the community that you created, scroll to the bottom, and click Assign local users to this community to assign local users access to the external community. This link is inoperable until you have saved the new external community.
13. Restart the Lotus Sametime Gateway server. If you have a cluster of servers, restart the cluster.
14. The following steps are optional, but be sure to restart the Sametime Gateway servers if you make any changes to the community.
    a. Click Custom Properties to include additional TCP/IP addresses for AOL Instant Messenger servers. Sametime Gateway uses these IP addresses to determine which SIP requests originate from AOL. When setting up the community for the first time, the Custom properties links are available only after the community is saved.

    b. In the Route properties field, set the maximum sessions for instant messaging or presence for this community. The session numbers set for this community cannot exceed the global maximum sessions set for Sametime Gateway. If Route properties are not visible, you must connect to a local community first.
    c. Select the check box to disable the route to the community.
    d. Click the Translation Protocol link to set custom properties for the translation protocol. The Custom properties links are available only after the community is saved.

What to do next

For troubleshooting help, see Technote 1317952 on the IBM Lotus Support Web site at http://www.ibm.com/support/docview.wss?rs=899&uid=swg21317952.

Connecting to a Google Talk community:

IBM Lotus Sametime Gateway users can exchange instant messages with the Google Talk community over the Extensible Messaging and Presence Protocol (XMPP). To communicate with the Google Talk community, you must first create a DNS service (SRV) record and publish it to DNS so that Google Talk users and local Sametime users can discover each other and establish a connection. This topic instructs you to create a DNS SRV record first, and then add Google Talk as an external community.

Before you begin

Remember that the Lotus Sametime Gateway servers must have access to a DNS server that can resolve public DNS records (A records, SRV records, and PTR records). For example, the following commands should resolve successfully:
nslookup talkz.l.google.com
nslookup 64.12.162.248
nslookup -type=SRV -class=all _xmpp-server._tcp.google.com

Make sure all domains you specified in the internal community are not registered with "Google Apps." To determine whether a domain is registered with Google Apps, see the IBM Technote Unable to establish awareness with Google Talk users through the Sametime Gateway. Your firewall rules should be set up as described in the "GoogleTalk" section of the topic, “Opening ports in the firewalls” on page 203.

About this task

Work with your network administrator to set up a DNS SRV record for each domain defined in your internal community using the following format:
_xmpp-server._tcp.domain name. IN SRV priority weight port target.

For example:
_xmpp-server._tcp.lotus.com. IN SRV 5 0 5269 sttest.lotus.com.


SRV record format   Description

domain name
    Wildcards are not allowed. The domain name must end with a period. The domain name must match the domain name that you used when you added the local Sametime server to the Lotus Sametime Gateway.

priority
    Determines the proxy query order when used in a Lotus Sametime Gateway cluster. With multiple SRV records, lower values are queried first.

weight
    Determines proportionally how often a proxy is queried when you have multiple SRV records of similar priority in a cluster. Higher values are queried more often: a weight of 20 is queried twice as often as one of 10, and a weight of 30 three times as often as one of 10.

port
    The port on which this service is found. Use port 5269.

target
    Fully qualified host name of the machine running the Lotus Sametime Gateway. The target must end with a period. For example: sttest.lotus.com.

Expected state: the Lotus Sametime Gateway single server or cluster is started.

1. Create an individual DNS SRV record (_xmpp-server._tcp) for each domain name that you will support. For example, you might support two local domain names, lotus.com and ibm.com®. For each of the domain names you want to support, you must create an individual DNS SRV record. The records will be identical except for the domain name field's value.
2. Verify that the DNS SRV record that you added to DNS is correct by using the nslookup command:
   a. Open a command window and run nslookup.
   b. Type set type=SRV.
   c. Type set class=IN.
   d. Look up the _xmpp-server._tcp record for each supported domain added in the previous step. Using the example above, you enter _xmpp-server._tcp.lotus.com and repeat the lookup for _xmpp-server._tcp.ibm.com. Using lotus.com, the full command and returned value appear as follows:

nslookup
> set type=SRV
> set class=IN
> _xmpp-server._tcp.lotus.com.

Make sure the correct host name of the Sametime Gateway server and its IP address are returned. The following is an example only:

Server:  sbydns01.srv.ibm.com
Address:  9.0.4.1

Non-authoritative answer:
_xmpp-server._tcp.lotus.com     SRV service location:
          priority       = 5
          weight         = 0
          port           = 5269
          svr hostname   = sttest.lotus.com
lotus.com       nameserver = wtf-ns1.lotus.com
lotus.com       nameserver = wtf-ns2.lotus.com
lotus.com       nameserver = ns0.lotus.com
sttest.lotus.com        internet address = 129.42.249.45
>

3. In the Integrated Solutions Console, click Sametime Gateway → Communities.
4. In the table that lists communities, click New.
5. In the Name field, type Google Talk.
6. Under Community Type, select External.
7. In the Domains field, type:
   gmail.com
8. Select XMPP as the Translation Protocol.
9. Ignore the host name. XMPP uses the fully qualified domain name of the host as specified in the target field of the DNS SRV record instead.
10. In the Port field, type 5269.
11. In the Transport protocol field, select TCP. TCP is the only transport protocol for Google Talk.
12. Click OK to save the new community.
13. On the Communities panel, select the name of the community that you created, scroll to the bottom, and click Assign local users to this community to assign local users access to the external community. By default all local users can access the external community; narrow the assignment here if only some users should federate.
14. The following substeps are optional:
    a. In the Route properties field, set the maximum sessions for instant messaging or presence for this community. The session numbers set for this community cannot exceed the global maximum sessions set for Sametime Gateway. If Route properties are not visible, you must connect to a local community first.
    b. Select the check box if you ever need to disable the route to the community.
    c. Click the Translation Protocol link to set custom properties for the translation protocol. The Custom properties links are available only after the community is saved.
15. Restart the Sametime Gateway server.

What to do next

IP addresses associated with talky.l.google.com and talkz.l.google.com change occasionally. Work with your network administrator to actively monitor DNS and update the firewall rules to accommodate new IP addresses.

For troubleshooting help, see Technote 1316296 on the IBM Lotus Support Web site at http://www.ibm.com/support/docview.wss?rs=899&uid=swg21316296.

Related tasks
"Adding a local Community Server to Sametime Gateway" on page 208
Connect a local Lotus Sametime Community Server or Lotus Sametime community cluster to Lotus Sametime Gateway to enable Lotus Sametime users to have instant messaging with external users.
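The rules in the SRV record table above (exact domain name, trailing periods, port 5269, priority before weight) and the nslookup check in step 2 can be applied to the zone data before it is published. The following is an added example written for this guide, not IBM code or part of the Sametime product: it parses zone-file SRV lines, reports which of the table's rules each record breaks, and computes the share of queries each gateway target receives from priority and weight as the table describes (lowest priority value first, weight proportional within one priority). The zone excerpt is constructed: sttest.lotus.com is the guide's own example, while stgw2.lotus.com and stgw3.lotus.com are hypothetical additional gateway nodes in a cluster.

```python
"""Check _xmpp-server._tcp SRV records for Sametime Gateway XMPP federation.

Added example for this guide, not IBM code. The zone lines below are
constructed: sttest.lotus.com is the example used in the text, and the
stgw2/stgw3 hosts are hypothetical additional gateway nodes.
"""
import re
from collections import defaultdict

SERVICE = "_xmpp-server._tcp."
XMPP_S2S_PORT = 5269

# owner [ttl] IN SRV priority weight port target
SRV_LINE = re.compile(
    r"^(?P<owner>\S+)\s+(?:\d+\s+)?IN\s+SRV\s+(?P<priority>\d+)\s+"
    r"(?P<weight>\d+)\s+(?P<port>\d+)\s+(?P<target>\S+)$"
)

# Constructed sample zone: two correct records, a clustered pair at a higher
# priority value (used only if priority 5 fails), and one record that breaks
# several rules from the table (no trailing periods, wrong port, foreign domain).
SAMPLE_ZONE = """
_xmpp-server._tcp.lotus.com.   IN SRV 5  0  5269 sttest.lotus.com.
_xmpp-server._tcp.ibm.com.     IN SRV 5  0  5269 sttest.lotus.com.
_xmpp-server._tcp.lotus.com.   IN SRV 10 20 5269 stgw2.lotus.com.
_xmpp-server._tcp.lotus.com.   IN SRV 10 10 5269 stgw3.lotus.com.
_xmpp-server._tcp.example.com  IN SRV 5  0  5222 sttest.lotus.com
"""


def parse_srv(line):
    """Split one zone-file SRV line into its fields; raises on anything else."""
    m = SRV_LINE.match(line.strip())
    if not m:
        raise ValueError(f"not an SRV record: {line!r}")
    rec = m.groupdict()
    for key in ("priority", "weight", "port"):
        rec[key] = int(rec[key])
    return rec


def domain_of(rec):
    """Domain the record advertises, without the service prefix or final period."""
    return rec["owner"][len(SERVICE):].rstrip(".")


def check_srv(rec, local_domains):
    """Return the rules from the guide's table that this record violates."""
    problems = []
    if not rec["owner"].startswith(SERVICE):
        problems.append("owner must begin with _xmpp-server._tcp.")
    if "*" in rec["owner"]:
        problems.append("wildcards are not allowed")
    if not rec["owner"].endswith("."):
        problems.append("domain name must end with a period")
    if domain_of(rec) not in local_domains:
        problems.append(f"{domain_of(rec)} is not a domain of the local community")
    if rec["port"] != XMPP_S2S_PORT:
        problems.append(f"port must be {XMPP_S2S_PORT}")
    if not rec["target"].endswith("."):
        problems.append("target must end with a period")
    return problems


def selection_shares(records, domain, priority=None):
    """Share of queries each target gets for one domain at one priority level.

    Resolvers try the lowest priority value first and fall back to higher
    values only when it fails; within one priority, weight is proportional
    (a weight of 20 is chosen twice as often as 10). All-zero weights share
    equally.
    """
    by_priority = defaultdict(list)
    for rec in records:
        if domain_of(rec) == domain:
            by_priority[rec["priority"]].append(rec)
    if not by_priority:
        return {}
    level = min(by_priority) if priority is None else priority
    group = by_priority.get(level, [])
    total = sum(rec["weight"] for rec in group)
    if total == 0:
        return {rec["target"]: 1.0 / len(group) for rec in group}
    return {rec["target"]: rec["weight"] / total for rec in group}


def report(zone_text, local_domains):
    """Parse a zone excerpt; return the records and (owner, problems) per record."""
    records = [parse_srv(l) for l in zone_text.strip().splitlines()]
    return records, [(r["owner"], check_srv(r, local_domains)) for r in records]


if __name__ == "__main__":
    recs, findings = report(SAMPLE_ZONE, {"lotus.com", "ibm.com"})
    for owner, problems in findings:
        print(owner, "OK" if not problems else "; ".join(problems))
    print(selection_shares(recs, "lotus.com"))               # priority 5 only
    print(selection_shares(recs, "lotus.com", priority=10))  # the 2:1 split
```

Run it against an export of your own zone and the set of domains you registered in the local community; any non-empty problem list is a record that the gateway or Google Talk will not match, and the priority-10 output shows how a backup pair would split load if the primary gateway stopped answering.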
Connecting to an Office Communications Server community:

Connect to an Office Communications Server community so that your users can exchange instant messages with Microsoft Communicator users.


Before you begin

You must establish the local community first before adding an Office Communications Server community. Setting up SSL is also a prerequisite for connecting to an Office Communications Server community.

Remember that the IBM Lotus Sametime Gateway servers must have access to a DNS server that can resolve public DNS records (A records, SRV records, and PTR records). For example, the following commands should resolve successfully:

nslookup sip.oscar.aol.com
nslookup 64.12.162.248
nslookup -type=all -class=all _xmpp-server._tcp.google.com
nslookup [OCS Edge Server]

Expected state:
- Single server: the Lotus Sametime Gateway server is started.
- Cluster: the Deployment Manager is started, and the node agent and Lotus Sametime Gateway server are started on at least one node.

About this task

1. In the Integrated Solutions Console, click Sametime Gateway → Communities.
2. In the table that lists communities, click New.
3. In the Name field, type a logical name for the new community.
4. Under Community Type, select External.
5. In the Domains field, type the domain names of the Office Communications Server community. For example: ocs.acme.com.
6. Select SIP for OCS as the translation protocol.
7. In the Host Name field, type the host name or the IP address of the OCS Edge Server.
8. In the Port field, type a port number. The default port is 5061.
9. In the Transport protocol field, TLS (Transport Layer Security) is already selected.
10. Click OK to save the new community.
11. Click Sametime Gateway → Communities → ocs_community_name. Under Additional properties, select Custom properties, and click New.
12. In the Name field, type com.ibm.sametime.gateway.fqdn.
13. In the Value field, type the gateway's fully qualified domain name. For example: ocs2stgw.acme.com.
14. Click OK to save the new custom property.
15. Click New again.
16. In the Name field, type com.ibm.sametime.gateway.port.
17. In the Value field, type the gateway's port. For example: 5061.
18. Click OK to save this new custom property.
19. On the Communities panel, select the name of the community that you created, scroll to the bottom, and click Assign local users and capabilities to assign users access to the external community.
20. Restart the Lotus Sametime Gateway server. If you have a cluster of servers, restart the cluster.

21. The following steps are optional, but be sure to restart the Lotus Sametime Gateway servers if you make any changes to the community.
    a. Click Custom Properties to include additional host names for OCS Edge Servers. Lotus Sametime Gateway uses these addresses to determine which SIP requests originate from Office Communications Server. When setting up the community for the first time, the Custom properties links are available only after the community is saved.

Connecting to a Yahoo! Messenger community:

Connect to the Yahoo! Messenger community so that your users can exchange instant messages with Yahoo! Messenger users.

Before you begin

You must set up SSL and establish the local community first before adding the Yahoo! Messenger community.

Remember that the Lotus Sametime Gateway servers must have access to a DNS server that can resolve public DNS records (A records, SRV records, and PTR records). For example, the following commands should resolve successfully:

nslookup sip.oscar.aol.com
nslookup 64.12.162.248
nslookup -type=all -class=all _xmpp-server._tcp.google.com

About this task

Expected state:
- Single server: the Lotus Sametime Gateway server is started.
- Cluster: the Deployment Manager is started, and the node agent and Lotus Sametime Gateway server are started on at least one node.

1. In the Integrated Solutions Console, click Sametime Gateway → Communities.
2. In the table that lists communities, click New.
3. In the Name field, type a logical name for the new community.
4. Under Community Type, select External.
5. In the Domains field, type the following domain names:
   yahoo.com, ymail.com, rocketmail.com, ameritech.net, btinternet.com, btopenworld.com, demobroadband.com, flash.net, nl.rogers.com, nvbell.net, ort.nl.rogers.com, ort.rogers.com, pacbell.net, prodigy.net, rogers.com, sbcglobal.net, snet.net, swbell.net, uat.nl.rogers.com, uat.rogers.com, verizon.net, wans.net

   Notes:
   - When adding Yahoo! domains, do not use Yahoo domains other than yahoo.com and the partner domains listed above. Yahoo domains such as yahoo.ca and yahoo.co.uk are not supported. For example, when a user wants to add an external contact such as jsmith@yahoo.ca, the user must enter the contact as jsmith@yahoo.com.
   - Sametime users cannot add Yahoo Japan e-mail addresses using the e-mail address domain yahoo.co.jp. Yahoo Japan is a separate company whose network is completely separate from Yahoo.com.
6. Select SIP for Yahoo as the translation protocol.
7. In the Host Name field, type iopibm.msg.yahoo.com.


8. In the Port field, type a port number. The default port is 5061.
9. In the Transport protocol field, TLS (Transport Layer Security) is already selected.
10. Click OK to save the new community.
11. Click the Yahoo! Messenger community name in the list to edit its properties if necessary.
12. Click OK to save the community.
13. On the Communities panel, select the name of the community that you created, scroll to the bottom, and click Assign local users to this community to assign users access to the external community.
14. Restart the Lotus Sametime Gateway server. If you have a cluster of servers, restart the cluster.
15. The following steps are optional, but be sure to restart the Sametime Gateway servers if you make any changes to the community.
    a. Click Custom Properties to include additional host names for Yahoo! Messenger servers. Sametime Gateway uses these addresses to determine which SIP requests originate from Yahoo! Messenger. When setting up the community for the first time, the Custom properties links are available only after the community is saved.
    b. In the Route properties field, set the maximum sessions for instant messaging or presence for this community. The session numbers set for this community cannot exceed the global maximum sessions set for Sametime Gateway. If Route properties are not visible, you must connect to a local community first.
    c. Select the check box to disable the route to the community.
    d. Click the Translation Protocol link to set custom properties for the translation protocol. The Custom properties links are available only after the community is saved.

What to do next

For troubleshooting help, see Technote 1317952 on the IBM Lotus Support Web site at http://www.ibm.com/support/docview.wss?rs=899&uid=swg21317952.

Connecting to an XMPP community:

IBM Lotus Sametime Gateway users can exchange instant messages with an XMPP community over the Extensible Messaging and Presence Protocol (XMPP).

Before you begin

You must set up SSL and establish the local community first before adding the XMPP community.

Remember that the Lotus Sametime Gateway servers must have access to a DNS server that can resolve public DNS records (A records, SRV records, and PTR records). For example, the following commands should resolve successfully:

nslookup sip.oscar.aol.com
nslookup 64.12.162.248
nslookup -type=all -class=all _xmpp-server._tcp.google.com


About this task

Expected state:
- Single server: the Lotus Sametime Gateway server is started.
- Cluster: the Deployment Manager is started, and the node agent and Lotus Sametime Gateway server are started on at least one node.

1. In the Integrated Solutions Console, click Sametime Gateway → Communities.
2. In the table that lists communities, click New.
3. In the Name field, type a logical name for the new community.
4. Under Community Type, select External.
5. In the Domains field, type the domains provided by the XMPP community. Attention: Wildcards are not supported in this field; you must type each complete domain name.
6. Select XMPP as the translation protocol. When you select XMPP as your protocol, the Host Name field defaults to "Localhost" while Lotus Sametime Gateway resolves the domain value that you entered in step 5; once the domain is resolved, an appropriate value is entered automatically into the Host Name field.
7. In the Port field, the default port is 5269.
8. In the Transport protocol field, select TCP (Transmission Control Protocol) or TLS (Transport Layer Security). Prefer TLS wherever the remote XMPP server supports it.
9. Click OK to save the new community.
10. On the Communities panel, select the name of the community that you created, scroll to the bottom, and click Assign local users to this community to assign local users access to the external community.
11. Restart the Lotus Sametime Gateway server. If you have a cluster of servers, restart the cluster.
12. The following steps are optional, but be sure to restart the Sametime Gateway servers if you make any changes to the community.
    a. Click Custom Properties to include additional host names for XMPP servers. Sametime Gateway uses these addresses to determine which XMPP requests originate from this community. The Custom properties link is available only after the community is saved.
    b. In the Route properties field, set the maximum sessions for instant messaging or presence for this community. The session numbers set for this community cannot exceed the global maximum sessions set for Sametime Gateway. If Route properties are not visible, you must connect to a local community first.
    c. Select the check box to disable the route to the community.
    d. Click the Translation Protocol link to set custom properties for the translation protocol. The Custom properties links are available only after the community is saved.

What to do next

For troubleshooting help, see Technote 1316296 on the IBM Lotus Support Web site at http://www.ibm.com/support/docview.wss?rs=899&uid=swg21316296.

Managing external watching:


By default, the Sametime server allows an external watcher, that is, an external user who has a Sametime user on his or her contact list, to follow that user's presence without the Sametime user being aware of it. This capability can be disabled.

Configuring user consent

Instant messaging users from commercial IM providers such as Yahoo and Google can watch the status of internal Sametime users unless the server is configured to manage this functionality through the "user consent" feature. When the server is configured to require permission from the Sametime user, the Sametime user sees a pop-up window asking for permission for the external user to watch the Sametime user's status. The Sametime user can approve or decline.

To require the external IM watcher to gain permission of the watched person, follow these steps:
1. Open the sametime.ini file.
2. In the [Config] section, add:
   AWARENESS_EXTERNAL_NEED_PERMISSION=1
3. Shut down and restart the Sametime server to effect the change.

By default, the configuration flag is set to 0, so no consent is requested before an external user watches a Sametime user's status.
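The community procedures above share a handful of rules worth checking together before a gateway goes live: SIP-based communities (AOL, the AOL clearinghouse, Yahoo! Messenger, Office Communications Server) run over TLS on 5061, XMPP communities use 5269 over TCP or TLS, community domains are complete names with no wildcards, the AOL and AOL clearinghouse communities are never both configured, and external presence watching requires consent only when sametime.ini carries AWARENESS_EXTERNAL_NEED_PERMISSION=1. The following is an added example written for this guide, not IBM code: the Sametime Gateway does not export its Communities panel in the dict layout used here, so COMMUNITIES is a constructed, hypothetical transcription of that panel, and SAMPLE_INI is a constructed sametime.ini excerpt in which every key other than AWARENESS_EXTERNAL_NEED_PERMISSION is a placeholder.

```python
"""Review a Sametime Gateway federation setup against the rules in this guide.

Added example for this guide, not IBM code. COMMUNITIES is a constructed,
hypothetical transcription of the Communities panel (the gateway has no such
export), and SAMPLE_INI is a constructed sametime.ini excerpt whose keys other
than AWARENESS_EXTERNAL_NEED_PERMISSION are placeholders.
"""

SIP_PROTOCOLS = {"SIP for AOL", "SIP for Yahoo", "SIP for OCS"}
SIP_PORT, XMPP_PORT = 5061, 5269
CONSENT_KEY = "AWARENESS_EXTERNAL_NEED_PERMISSION"
CONSENT_LINE = f"{CONSENT_KEY}=1"

COMMUNITIES = [  # constructed sample: two deliberate misconfigurations
    {"name": "AOL Clearinghouse", "type": "Clearinghouse", "protocol": "SIP for AOL",
     "domains": [], "port": 5061, "transport": "TLS"},
    {"name": "AOL IM", "type": "External", "protocol": "SIP for AOL",
     "domains": ["aol.net", "corp.aol.com", "aol.com"], "port": 5061, "transport": "TLS"},
    {"name": "Yahoo! Messenger", "type": "External", "protocol": "SIP for Yahoo",
     "domains": ["yahoo.com", "*.yahoo.com"], "port": 5061, "transport": "TCP"},
    {"name": "Google Talk", "type": "External", "protocol": "XMPP",
     "domains": ["gmail.com"], "port": 5269, "transport": "TCP"},
]

SAMPLE_INI = """; constructed excerpt, not a real server's file
[Config]
PLACEHOLDER_SETTING=example   ; hypothetical key
AWARENESS_EXTERNAL_NEED_PERMISSION=0

[Debug]
PLACEHOLDER_TRACE=0   ; hypothetical key
"""


def lint_communities(communities):
    """Findings for External/Clearinghouse communities; the local one is skipped."""
    findings = []
    has_clearinghouse = any(c["type"] == "Clearinghouse" for c in communities)
    has_aol_external = any(c["type"] == "External" and c["protocol"] == "SIP for AOL"
                           for c in communities)
    if has_clearinghouse and has_aol_external:
        findings.append("AOL and AOL clearinghouse are both configured; delete the AOL "
                        "community, the clearinghouse is a superset of it")
    for c in communities:
        if c["type"] not in ("External", "Clearinghouse"):
            continue
        name = c["name"]
        for d in c["domains"]:
            if "*" in d:
                findings.append(f"{name}: wildcard domain {d!r} is not supported")
        if c["protocol"] in SIP_PROTOCOLS:
            if c["transport"] != "TLS":
                findings.append(f"{name}: SIP community must use TLS, not {c['transport']}")
            if c["port"] != SIP_PORT:
                findings.append(f"{name}: port {c['port']} differs from SIP default {SIP_PORT}")
        elif c["protocol"] == "XMPP":
            if c["transport"] not in ("TCP", "TLS"):
                findings.append(f"{name}: XMPP transport must be TCP or TLS")
            if c["port"] != XMPP_PORT:
                findings.append(f"{name}: port {c['port']} differs from XMPP default {XMPP_PORT}")
        else:
            findings.append(f"{name}: unknown translation protocol {c['protocol']!r}")
    return findings


def _section_name(line):
    """'[Config]' -> 'config'; None for any line that is not a section header."""
    s = line.strip()
    return s[1:-1].strip().lower() if s.startswith("[") and s.endswith("]") else None


def external_watch_requires_consent(ini_text):
    """True only if [Config] sets AWARENESS_EXTERNAL_NEED_PERMISSION=1 (default 0)."""
    section = None
    for line in ini_text.splitlines():
        name = _section_name(line)
        if name is not None:
            section = name
        elif section == "config":
            key, sep, value = line.partition("=")
            if sep and key.strip().upper() == CONSENT_KEY:
                return value.split(";")[0].strip() == "1"
    return False


def require_external_watch_consent(ini_text):
    """Return ini text with the consent flag set to 1 in [Config]; idempotent."""
    out, section, done, seen_config = [], None, False, False
    for line in ini_text.splitlines():
        name = _section_name(line)
        if name is not None:
            if section == "config" and not done:   # leaving [Config] without the key
                out.append(CONSENT_LINE)
                done = True
            section, seen_config = name, seen_config or name == "config"
        elif (section == "config" and not done
              and line.partition("=")[0].strip().upper() == CONSENT_KEY):
            out.append(CONSENT_LINE)                # rewrite 0 (or anything else) to 1
            done = True
            continue
        out.append(line)
    if not done:                                    # [Config] was last, or absent
        if not seen_config:
            out.append("[Config]")
        out.append(CONSENT_LINE)
    return "\n".join(out) + "\n"
```

Transcribe your own Communities panel into the same dict shape to run lint_communities, and feed the real sametime.ini text to external_watch_requires_consent before and after a change; the "differs from default" findings are informational, while a wildcard domain, a SIP community without TLS, or both AOL communities present reproduce the misconfigurations the procedures above warn about.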

Connecting to external Sametime communities
Connect to external Sametime communities by working, if necessary, with an administrator from an external community to prepare the external Sametime server, and then adding the external Sametime community to your list of communities.
Preparing external Sametime servers:
This topic presents general information on the steps needed to configure Sametime servers versions 6.5.1 or 7.0 that exist in external communities. Work with the external community’s administrator to prepare the legacy Sametime server for Sametime Gateway communications. For example, if your local Sametime server is a member of widgets.com and you want to connect to an external Sametime 6.5.1 server at acme.com, you may want to know the steps required to set up the external Sametime server to have instant messaging and presence with your Lotus Sametime Gateway.
1. If the external community’s Sametime server is version 6.5.1 or 7.0, the external community must enable the Sametime SIP Gateway on the server. See the chapter "Enabling the SIP Gateway" in the Sametime Server Administration Guide.
2. The latest patches and Cumulative Fix Packs must be installed on the external community’s Sametime server. Go to Lotus Sametime Product Support to download the latest support files for the external Sametime server.
Adding external Sametime communities:
Add an external Sametime community to IBM Lotus Sametime Gateway. You connect to a Sametime community by specifying domains in the external community, selecting a translation protocol, and setting the host name, port, and transport protocol for the external community.
Before you begin
You must add the local Sametime community before adding an external community. In addition, if you are not connecting to a Sametime 7.5 or later server through its own Lotus Sametime Gateway, be sure that the external Sametime 6.5.1 or 7.0 server has the Sametime SIP Gateway enabled. Finally, confirm that the external Sametime server and Lotus Sametime Gateway have the latest fixes installed.
About this task
Expected state:
• Single server: the local Lotus Sametime Gateway server is started.
• Cluster: the Deployment Manager is started, and the node agent and a Lotus Sametime Gateway server are started on at least one node.
1. In the Integrated Solutions Console, click Sametime Gateway → Communities.
2. In the table that lists communities, click New.
3. In the Name field, type a name for the new community.
4. Under Community Type, select External.
5. In the Domains field, type the fully qualified domain names in which users are found in the external community. Each domain name must access the same user directory. For example, acme.com, us.acme.com, fr.acme.com, and uk.acme.com must all be linked by a common user directory to be in the community. Obtain this information from the system administrator in the external community.
6. Select a Translation Protocol:
Option                           Description
SIP for Sametime Gateway         Use SIP for Sametime Gateway for connections to Lotus Sametime Gateway versions 7.5 or later communities.
SIP for legacy Sametime Gateway  Use SIP for legacy Sametime Gateway for Lotus Sametime versions 7.0 or 6.5.1 communities.

7. In the Host Name field, type the name of the external real-time communication server, for example AcmeServer1.com.
Note: If the host name is an IPv6-format network address, type the full, uncompressed address: do not use the abbreviated (::) form, do not enclose the address in brackets, and do not pad groups with leading zeroes. For example, all of these IPv6-format network addresses are equivalent, but only the first form is accepted:
• 1:2:0:0:0:6:7:8 [acceptable]
• 1:2::6:7:8 [do not use this abbreviated format]
• 01:2:0:0:0:006:0007:8 [do not use leading zeroes]
8. In the Port field, type the port number (the default port number is 5061). The port you use depends on the Transport protocol you select in the next step:
• TLS uses port 5061
• TCP uses port 5060
9. In the Transport protocol field, select TLS (Transport Layer Security) or TCP (Transmission Control Protocol). If you select TLS, you must set up SSL with a certificate signed by a Certificate Authority and exchange trusted certificates with the external community. With TCP, the SIP traffic between the two gateways is not encrypted.
10. Click OK to save the new community. Note that you cannot assign users to the community until you save it.
11. On the Communities panel, select the name of the community that you created, scroll to the bottom, and click Assign local users to this community to assign local users access to the external community.
12. Restart the Lotus Sametime Gateway server. If you have a cluster of Lotus Sametime Gateway servers, restart the cluster.
13. The following steps are optional:
a. In the Route properties field, set the maximum sessions for instant messaging or presence for this community. The session numbers set for this community cannot exceed the global maximum sessions set for Sametime Gateway. If Route properties are not visible, you must connect to a local community first.
b. Select the check box to disable the route to the community.
c. Click the Translation Protocol link to set custom properties for the translation protocol. The Custom properties links are available only after the community is saved.
d. Click Custom Properties to set additional properties for the community. The Custom properties links are available only after the community is saved.
Related tasks
"Adding a local Community Server to Sametime Gateway" on page 208
Connect a local Lotus Sametime Community Server or Lotus Sametime community cluster to Lotus Sametime Gateway to enable Lotus Sametime users to have instant messaging with external users.
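The IPv6 rule in step 7 is easy to get wrong by hand. The following Python helper is an added example, not code from this guide or from IBM: it converts any textual IPv6 address into the one form the Host Name field accepts (all eight groups, no "::" compression, no brackets, no leading zeroes) using the standard ipaddress module, and rejects input that is not an IPv6 address. The function names are the example’s own.

```python
"""Normalise an IPv6 host address into the form the Host Name field accepts.

Added example, not code from the Lotus Sametime documentation. The Host
Name field accepts only the full eight-group form with no "::" compression,
no surrounding brackets and no leading zeroes in any group (for example
1:2:0:0:0:6:7:8). This helper takes any valid textual IPv6 address,
including the rejected forms, and returns the accepted one; it raises
ValueError for anything that is not an IPv6 address.
"""
import ipaddress


def gateway_ipv6_host(text):
    """Return the uncompressed, bracket-free, zero-stripped form of an IPv6 address.

    A bracketed "[addr]" wrapper or a zone index ("%eth0") is removed first;
    a port suffix such as "[addr]:5061" is rejected because the port belongs
    in the separate Port field.
    """
    candidate = text.strip()
    if candidate.startswith("[") and candidate.endswith("]"):
        candidate = candidate[1:-1]
    candidate = candidate.split("%", 1)[0]   # drop a scope/zone id if present
    addr = ipaddress.IPv6Address(candidate)  # raises ValueError on bad input
    # .exploded gives eight 4-digit groups; strip the zero padding per group,
    # keeping a single "0" for all-zero groups.
    groups = addr.exploded.split(":")
    return ":".join(group.lstrip("0") or "0" for group in groups)


def is_accepted_host_form(text):
    """True if text is already in exactly the form the field accepts."""
    try:
        return gateway_ipv6_host(text) == text
    except ValueError:
        return False


if __name__ == "__main__":
    for sample in ("1:2:0:0:0:6:7:8", "1:2::6:7:8", "01:2:0:0:0:006:0007:8", "[1:2::6:7:8]"):
        print(f"{sample:24} -> {gateway_ipv6_host(sample)}  accepted as typed: {is_accepted_host_form(sample)}")
```

The three addresses from the note above all normalise to 1:2:0:0:0:6:7:8; a DNS name such as AcmeServer1.com is reported as "not accepted" by is_accepted_host_form only because it is not an IPv6 address, and should be typed as-is.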
Related reference
"Sametime Gateway communities" on page 433
View the list of communities and use the list as the starting place to set up communities, assign local users access to external communities, and set properties on communities. The communities list shows the community name, the type of community, and the translation protocol used.
"Community properties" on page 436
Use this page to connect IBM Lotus Sametime Gateway to one internal community and multiple external communities, or to edit the connection properties of an existing community. Specify the type of community, the domains to use when accessing the community, the translation protocol that Lotus Sametime Gateway uses to communicate with the community, connection details, and any custom properties for the connection or community. After you create a community, use the Assign local users to this community link to give permission to local users to access the external or clearinghouse community.
Preventing communication with external communities:

You can prevent external users from communicating with a particular IBM Lotus Sametime community by creating an exclusion list. The Lotus Sametime Gateway server denies external communication requests for users hosted on all servers and clusters specified on the list.
Before you begin
This feature requires you to define a Home Server (cluster) for all users within the targeted community, so that the Lotus Sametime Gateway server can determine whether the user belongs to a community on the exclusion list. For information on defining a user’s Home Server, see Forcing users to connect to a home server.
About this task
An exclusion list is a list of clusters (for a stand-alone Lotus Sametime server, the cluster name is the server name) deployed within a local Lotus Sametime community; you define the list as a Lotus Sametime Gateway custom property. Use the exclusion list to prohibit external users from communicating with users in a community hosted on one of the specified clusters. Subscribe (awareness) and chat (instant messaging) requests from all external users to the local users hosted on the listed clusters are rejected by the Lotus Sametime Gateway server. You enable this feature with the custom property called "Sametime community exclusion list".
For example, suppose the Acme Corporation has two distributed Lotus Sametime clusters, called eu.acme.com (Europe) and usa.acme.com (USA), and Lotus Sametime Gateway is installed on gw.acme.com. On the Lotus Sametime Gateway server (gw.acme.com), an exclusion list containing "eu.acme.com" prevents the Lotus Sametime Gateway server from connecting to any servers in the eu.acme.com cluster. When an external user (outside of Acme Corporation; for example, on AOL) adds a user hosted on eu.acme.com to her contact list, the subscribe request is routed to the Lotus Sametime Gateway server, which denies the request because it cannot access users in that cluster. The usa.acme.com cluster does not appear on the exclusion list, so the external user can access people in that cluster.
Follow these steps to define an exclusion list. For details, see Adding custom properties.
1. Log in to the Integrated Solutions Console as a Lotus Sametime Gateway administrator.
2. Click Sametime Gateway → Communities.
3. Select the local community for which you want to define an exclusion list, click Custom Properties, and then click New.
4. In the Name field, type Sametime community exclusion list as the name of the new property.
5. In the Value field, type the list of excluded servers and clusters. Type the server names and cluster names as a list using any of these characters to separate names:
• comma ,
• semicolon ;
• space
Cluster names must appear as defined in the Cluster Document; for more information, see "Creating a cluster document in the Configuration database". Standalone server names must appear as they are defined in the sametime.ini file’s VPS_NAME property (for example, CN=st1/O=acme).
6. Click OK.
7. Restart the Lotus Sametime Gateway server so your changes can take effect. If the server was previously connected to Lotus Sametime servers that are now excluded, restart those servers as well.
Related reference
"Custom properties details" on page 447
Use this page to edit custom properties for a community, translation protocol, or message handler. You can also specify new properties that are needed to configure third-party elements used by the IBM Lotus Sametime Gateway.

Providing a port number to external communities
These procedures describe how to obtain and update the port number that the SIP container uses to communicate with external communities. You provide the port number to external communities so they can use the same port. You may also need to change the TLS port number that Lotus Sametime Gateway uses.
Providing a port number to external communities for single server installations:
These steps describe how to obtain and update the port number that the SIP container uses to communicate with external communities on a single Lotus Sametime Gateway server.
Before you begin
This procedure assumes that you have installed Lotus Sametime Gateway.
About this task
A standalone Lotus Sametime Gateway server uses a SIP container port that is, by default, 5061 for Transport Layer Security (TLS). Therefore, if an external community wants to connect to Lotus Sametime Gateway, the external community must define port 5061. Check the SIP_DEFAULTHOST_SECURE parameter to verify the TLS port for the SIP container service.
Expected state: the Lotus Sametime Gateway server is started.
1. To obtain the port number used by a single Lotus Sametime Gateway server, in the Integrated Solutions Console:
a. Click Servers → Application servers → server_name, where server_name is the name of the Lotus Sametime Gateway server.
b. Under Communication, click Ports.
c. Look for the port number in SIP_DEFAULTHOST_SECURE and make a note of this number.
2. Check that the port number is added to the Default Virtual Host. The port is added by default, but you may need to update the default virtual host if you change the ports:
a. Click Environment → Virtual Hosts → default_host → Host Aliases.
b. Click New and type the port number if it does not exist.
c. Click OK, and then Save, and Save again.


What to do next
Now you can provide the port number to external communities.
Providing port numbers to external communities for clusters:
These steps describe how to obtain and update the port numbers that the SIP and XMPP proxy servers use to communicate with external communities. You provide the port numbers to external communities so they can use the same ports. You may also need to change the TLS/SSL port number that Lotus Sametime Gateway uses.
Before you begin
This procedure assumes that you have installed Lotus Sametime Gateway, have created a cluster, and have installed and configured a SIP and XMPP proxy server.
About this task
By default, the SIP proxy uses port 5061 over TLS/SSL, and the XMPP proxy server uses port 5269 for SSL and non-SSL connections.
Expected state: the Deployment Manager is started.
1. To obtain the port numbers used by the Lotus Sametime Gateway cluster:
a. In the Integrated Solutions Console, click Servers → Proxy servers → SIPProxyServer.
b. Under Communication, click Ports.
c. Look for the port number in PROXY_SIPS_ADDRESS and make a note of this number.
2. Click Application Servers → Server Name and, under the Communications section, click Ports to view the port number for XMPP_SERVER_ADDRESS. Make a note of this number.
3. Check that the ports are added to the Default Virtual Host. The ports are added by default, but you may need to update the default virtual host if you change a port:
a. Click Environment → Virtual Hosts → default_host → Host Aliases.
b. Click New and type the port number if it does not exist.
c. Click OK, and then Save, and Save again.
What to do next
The port number, in combination with the DNS name of the node on which the SIP and XMPP proxy servers run, is needed for configuring external instant messaging communities to connect to your Lotus Sametime Gateway.

Adding external contacts to the Sametime Connect Contacts List
After you install and configure Lotus Sametime Gateway, and add an external community or clearinghouse community, your users can add external contacts to their Sametime Contact List. Give these instructions to your Sametime users so they will know how to add external contacts to their Contact List.
1. In the Sametime Connect client, click File → Add → Contact.
2. Select the Add external user by e-mail address check box.
3. Type the external contact’s e-mail address.
4. Select an existing group, or type a new group name, in the Add to group field.
5. Click Add.

What to do next
Note: When adding Yahoo! Messenger users, use the yahoo.com domain, even if the Yahoo user’s e-mail domain is different. For example, if the external contact is jsmith@yahoo.ca, enter the contact as jsmith@yahoo.com. Similarly, if a Yahoo user’s e-mail is sbrown@yahoo.co.uk, enter the contact as sbrown@yahoo.com. Note that users who have Yahoo Japan e-mail addresses using the domain yahoo.co.jp cannot use Lotus Sametime Gateway. Yahoo Japan is a separate company whose network is completely separate from Yahoo.com.

Installing and configuring event logging
The Lotus Sametime Software Developer Kit includes a sample ear file that you can install to view the event log. The event log may contain content logging, instant messaging logging, or subscription logging events, depending on what you enable.

Before you begin
The event logging feature is available only for a clustered deployment. When you configure the Lotus Sametime Gateway cluster, the Common Event Infrastructure data source is installed automatically on IBM AIX, Linux, Microsoft Windows, and Solaris. If you are using IBM i, you must install this data source yourself before you can enable event logging.

About this task
For complete details regarding functionality and how to read the logging codes in the event log, see the Lotus Sametime Gateway Integration Guide included in the Lotus Sametime Software Development Kit.

Creating an activation specification for event logging
Before you install the Lotus Sametime Gateway samples ear file that is available from the Lotus Sametime Software Developer’s Kit, you must create an activation specification in WebSphere Application Server. The samples ear file contains an application that makes reading the event log possible.

Before you begin
The event logging feature is available only for a clustered deployment. When you configure the Lotus Sametime Gateway cluster, the Common Event Infrastructure data source is installed automatically on IBM AIX, Linux, Microsoft Windows, and Solaris. If you are using IBM i, you must install this data source yourself before you can enable event logging.

About this task
Follow these steps to create an activation specification.
1. From the Integrated Solutions Console, click Service Integration → Buses.
2. Select CommonEventInfrastructure_Bus, and then click Destinations.
3. Select the destination with one of the following names:
• Single server installation: node.server.CommonEventInfrastructureTopicDestination, where node is the node name and server is the Lotus Sametime Gateway server name.
• Cluster: cluster_name.CommonEventInfrastructureTopicDestination, where cluster_name is the name of the cluster.
4. Click Publication Points.
5. Using a text editor, copy and paste the long name for use later. For example (all on one line):
dibby.RTCGWServer.CommonEventInfrastructureTopicDestination@dibby.RTCGWServer-CommonEventInfrastructure_Bus

6. From the Integrated Solutions Console, click Resources → JMS → Activation Specifications.
7. In scope, select one of the following:
• For single server installations, select the server level. For example: Node=dibby, Server=RTCGWServer
• For cluster installations, select the cluster: RTCCluster.
8. Click New.
9. With Default messaging provider selected, click OK.
10. Type any name in the Name field. For example:
CEI_Topic_ActivationSpec

11. For the JNDI Name, type:
jms/cei/TopicActivationSpec

12. For the Destination type , select Topic. 13. For the Destination JNDI Name, type the following:
jms/cei/notification/AllEventsTopic

14. For the Bus name, select CommonEventInfrastructure_Bus.
15. For the Subscription durability, select Non-durable.
16. For the Subscription name field, paste the long name that you copied in Step 5. For example (all on one line):
dibby.RTCGWServer.CommonEventInfrastructureTopicDestination@dibby.RTCGWServer-CommonEventInfrastructure_Bus

17. For the Client identifier field, paste the portion that comes before the @ symbol. For example:
dibby.RTCGWServer.CommonEventInfrastructureTopicDestination

18. For the Durable subscription home field, paste the portion that comes after the @ symbol. For example:
dibby.RTCGWServer-CommonEventInfrastructure_Bus

19. Click OK, and then Save.

Creating the message store for event logging (clusters only)
This procedure creates a message store for event logging for use by Lotus Sametime Gateway clusters.
1. In the Integrated Solutions Console, click Service Integration → Buses.
2. Click the CommonEventInfrastructure_Bus.
3. Under Topology, click Messaging engines.
4. Click the messaging engine name.
5. On the Configuration panel, under Additional properties, click Message store.
6. In the Authentication alias field, select cell_name/RTCDBUser, where cell_name is the name of your cluster’s cell.
7. Click OK, and then Save.

Installing the event logging application
To view the event log, you must install the event logging application included in the Lotus Sametime Gateway samples ear file. While Lotus Sametime Gateway does ship with an event logger that sends events to a database, you must install a sample ear file to view those events.

Before you begin
The Lotus Sametime Software Development Kit includes a samples ear file (rtc_gatewaySamplesEAR.ear) that you install as a regular J2EE application in WebSphere Application Server. Once the ear file is installed and the event logger is enabled, Lotus Sametime Gateway event logger can then send easy to read output to the trace.log file. For complete details regarding installation, configuration, and the functionality of the sample Logger Event Consumer, see the Lotus Sametime Gateway Integration Guide included with the Sametime SDK.

About this task
The sample application sends the name and value pairs of extendedDataElements in any event that is captured with extensionName RtcGatewayLoggerEvent to the trace.log file. The sample Logger Event Consumer distributed with the SDK only writes information when diagnostic trace is enabled. Review the topic "Setting a diagnostic trace" for more information. Logging for the samples must be enabled and set to All Message and Trace Levels for com.ibm.collaboration.realtime.sample. Installing the sample application on a node in a cluster binds the application to the cluster; there is no need to install the rtc_gatewaySamplesEAR.ear file on every node.
1. From the Integrated Solutions Console, click Applications → Install New Application.
2. Browse to the Lotus Sametime Software Development Kit and locate the file:
...\samples\rtc_gatewaySamplesEAR.ear

3. Accept the defaults provided by WebSphere Application Server and click Next.
4. Click Next again to go to the Bind listeners for message-driven beans panel.
5. Select the EJB module.
6. Select Activation Specification.
7. In the Target Resource JNDI Name field, type:
jms/cei/TopicActivationSpec

8. For the Destination JNDI Name, type:
jms/cei/notification/AllEventsTopic

9. In the Activation spec authentication alias field, type one of the following entries:
• Single server installations: type the primary administrative user name that you created when you enabled administrative security.
• Cluster installations: type CommonEventInfrastructureJMSAuthAlias.
10. Click Next.
11. Check the summary, and click Finish.
12. Click Save.
13. From the Integrated Solutions Console, click Applications → Enterprise Applications.
14. Select rtc.gatewaySamplesEAR.
15. Click Start.
16. If you are installing the sample ear file on a cluster, complete the following substeps; otherwise skip this step:
a. Install the rtc_gatewaySamplesEAR.ear on the Deployment Manager node.
b. Synchronize your changes to all nodes in the cluster. Click System Administration → Nodes.
c. Select all nodes in the cluster, then click Full Resynchronize.
d. Open a command window.
e. In the command window, stop the Deployment Manager and wait for the command to finish, and then restart the Deployment Manager. Use the user name and password that you provided when you enabled administrative security to stop the Deployment Manager. Navigate to the stgw_profile_root\bin directory and use the following commands:
AIX, Linux, and Solaris
./stopManager.sh -username username -password password
./startManager.sh

Windows
stopManager.bat -username username -password password
startManager.bat

IBM i
stopManager -username username -password password
startManager
Note: A password given on the command line can be seen by other users of the system in the process list and may be recorded in the shell history; clear the history or use a dedicated administrative account where this matters.

f. Restart the node agents.
1) Log into the Integrated Solutions Console (http://localhost:9060/ibm/console) on the Deployment Manager node.
2) Click System Administration → Node agents.
3) Select all node agents, and then click Restart.
17. Click Sametime Gateway → Message Handlers.
18. Select the Event logger, and click the Move Down button to make the event logger the last message handler in the list.
19. Select the User locator message handler and click the Move Up button to make the user locator the first message handler in the list.
20. Select the newly installed Event logger and click Enable.
Uninstalling the event logging application:
Uninstall the event logging application, which is part of the Sametime Gateway samples ear file, by first disabling the event logging message handler, then stopping the enterprise application, and finally uninstalling the application.
1. From the Integrated Solutions Console, click Sametime Gateway → Message Handlers.
2. In the list of message handlers, select the event logger, helloworld, chatlog, and presblock.
3. Click Disable.
4. Click Applications → Enterprise Applications.
5. Select rtc_gatewaySamplesEAR.ear from the list and click Stop, and then Uninstall.

Logging events
Complete these steps to enable content, instant messaging, or presence logging. To actually view the log results, you must install the sample ear file.

About this task
When you first install Lotus Sametime Gateway, the event logger message handler is enabled, but to begin logging events you must enable at least one custom property for the event logger. You can record three types of events: the actual content of an instant messaging session, instant messaging data, and presence (or subscription) data. Each type of event records basic information such as when a session starts and stops, when an instant message is sent, when a presence subscription is created or released, and when a presence notification takes place. Event logging for content, instant messaging, and presence is disabled (set to 0) by default. The values 0 or 1 and true or false are accepted.
Note that with content logging enabled and the sample Logger Event Consumer installed, the text of users’ instant messages is written to trace.log; restrict access to that file accordingly.
Expected state:
• Single server: the Lotus Sametime Gateway server is started.
• Cluster: the Deployment Manager is started, and the node agent and Sametime Gateway server are started on at least one node.
1. In the Integrated Solutions Console, click Sametime Gateway → Message Handlers.
2. Click the event logger plugin in the table.
3. Click Custom properties.
4. Select one of the following properties:
• enableContentLogging
• enableImLogging
• enablePresenceLogging
5. Set the value as follows:
Value        Meaning
0 or false   disabled
1 or true    enabled
6. Click OK.
You cannot view logged events until you install the sample application that logs information to trace.log. See the sample ear file and Lotus Sametime Gateway Integration Guide included in the Lotus Sametime Software Development Kit.


What to do next
Related reference “Message handler properties” on page 443 Use this page to configure the properties of a message handler such as the user locator, authorization controller, or event logger.

Configuring Sametime Gateway properties
You can put limits on sessions and subscriptions, and specify blacklist domains to check when Lotus Sametime Gateway receives a subscription request. You can also add or edit custom properties for communities, connections, translation protocols, or message handlers.

Setting the blacklist domains
You can specify the blacklisted domains that Lotus Sametime Gateway checks when it receives a subscription request. A blacklisted domain is an e-mail address domain that you do not want to give access through Lotus Sametime Gateway.

About this task
Expected state:
• Single server: the Lotus Sametime Gateway server is started.
• Cluster: the Deployment Manager is started, and the node agent and Sametime Gateway server are started on at least one node.
1. In the Integrated Solutions Console, click Sametime Gateway → Gateway Properties.
2. Type the blacklist domain names. Use fully qualified domain names or TCP/IP addresses separated by a comma, semicolon, or space. Wildcards using an asterisk in the left-most subdomain position are allowed; for example, *.spamalot.com is allowed.
3. Click Apply.
Related reference
"Sametime Gateway properties" on page 432
Use this page to set the maximum chat sessions. You can also specify domains from which to block messages.
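The exclusion list (see Preventing communication with external communities) and the blacklist domains above are both deny-lists that Lotus Sametime Gateway consults before honouring an external request. The following Python module is an added example, not product code, that models both checks as this guide describes them: list parsing on comma, semicolon or space; the Home Server cluster match for the exclusion list (cluster name or standalone VPS_NAME); and the left-most wildcard match for the blacklist. The user-to-cluster table, the list values and the decision function are constructed for the example. Case-insensitive comparison, denying a request when the local user has no Home Server, and "*.example.com" not matching the bare domain are the example’s own assumptions, not documented product behaviour.

```python
"""Model the two deny-lists Lotus Sametime Gateway applies to external requests.

Added example, not product code. It implements, as read from the
documentation, (1) the "Sametime community exclusion list": external
subscribe/chat requests to local users whose Home Server cluster is listed
are rejected, and (2) the blacklist domains on the Gateway Properties page:
subscription requests from a listed domain, or from a subdomain of a
"*.example.com" wildcard entry, are rejected. Both lists are separated by
comma, semicolon or space. The home-cluster table below is a constructed
sample; a real gateway obtains it from each user's Home Server setting.
"""
import re

_SEPARATORS = re.compile(r"[,; ]+")


def parse_list(value):
    """Split a property value on comma, semicolon or space, dropping empties."""
    return [item for item in _SEPARATORS.split(value.strip()) if item]


def is_excluded_cluster(exclusion_list, home_cluster):
    """True if the local user's Home Server cluster (or standalone VPS_NAME) is listed.

    Assumption: names are compared case-insensitively.
    """
    wanted = home_cluster.lower()
    return any(entry.lower() == wanted for entry in parse_list(exclusion_list))


def is_blacklisted_domain(blacklist, domain):
    """True if domain is listed exactly or matched by a leading '*.' wildcard.

    '*.spamalot.com' matches 'mail.spamalot.com' and 'a.b.spamalot.com'.
    Whether it also matches the bare 'spamalot.com' is not stated in the
    documentation; this example does NOT treat that as a match, so list the
    bare domain too if you want it blocked.
    """
    domain = domain.lower().rstrip(".")
    for entry in parse_list(blacklist):
        entry = entry.lower().rstrip(".")
        if entry.startswith("*."):
            if domain.endswith(entry[1:]):      # entry[1:] == ".spamalot.com"
                return True
        elif entry == domain:
            return True
    return False


# Constructed sample data: local users and their Home Server cluster / VPS_NAME.
HOME_CLUSTERS = {
    "alice@acme.com": "eu.acme.com",
    "bob@acme.com": "usa.acme.com",
    "carol@acme.com": "CN=st1/O=acme",
}
EXCLUSION_LIST = "eu.acme.com; CN=st1/O=acme"
BLACKLIST = "*.spamalot.com spamalot.com, badguys.example"


def decide_subscribe(external_user, local_user,
                     exclusion_list=EXCLUSION_LIST, blacklist=BLACKLIST,
                     home_clusters=HOME_CLUSTERS):
    """Return 'deny:<reason>' or 'allow' for an external subscribe request."""
    ext_domain = external_user.rpartition("@")[2]
    if is_blacklisted_domain(blacklist, ext_domain):
        return "deny:blacklisted-domain"
    cluster = home_clusters.get(local_user)
    if cluster is None:
        # Assumption: fail closed when the exclusion list cannot be evaluated.
        return "deny:no-home-server"
    if is_excluded_cluster(exclusion_list, cluster):
        return "deny:excluded-cluster"
    return "allow"


if __name__ == "__main__":
    for ext, local in [("eve@aol.com", "alice@acme.com"),
                       ("eve@aol.com", "bob@acme.com"),
                       ("spam@mail.spamalot.com", "bob@acme.com"),
                       ("eve@aol.com", "dave@acme.com")]:
        print(f"{ext:24} -> {local:16}: {decide_subscribe(ext, local)}")
```

The worked case mirrors the Acme example in the exclusion-list topic: a request to alice (hosted on eu.acme.com) is denied, the same request to bob (usa.acme.com) is allowed, and a request from a *.spamalot.com sender is stopped by the blacklist before the cluster check runs.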

Setting a session timeout for an external community
Setting a session timeout applies to the instant messaging capability only. By default, the session timeout is set on the translation protocol only and is not set at the external community level. Note that setting a community session timeout may cause instant messaging sessions to expire, terminate, or be lost.

About this task
If the session timeout property is set for a community, the community value takes precedence over the translation protocol value. You can set a session timeout on communities that use the following translation protocols:
• SIP for Sametime Gateway
• SIP for legacy Sametime Gateway
• SIP for AOL
• SIP for Yahoo
• SIP for Microsoft Office Communications Server (OCS)
The session timeout does not apply to the VP or XMPP translation protocols.
Expected state:
• Single server: the Lotus Sametime Gateway server is started.
• Cluster: the Deployment Manager is started, and the node agent and Lotus Sametime Gateway server are started on at least one node.
1. In the Integrated Solutions Console, click Sametime Gateway → Communities.
2. Select a community to view the community properties.
3. At the top, click Custom Properties.
4. If this is the first time you are setting the session timeout at the community level, click New; otherwise click session_timeout to edit the custom property.
5. Type session_timeout as the name for the property.
6. Type an interval, in seconds, in the Value field, for example: 3600.
7. Click OK, and then Save.
8. Restart the Lotus Sametime Gateway server. If you have a cluster of Lotus Sametime Gateway servers, restart the cluster.

Setting a session timeout for a translation protocol
A session timeout applies to instant messaging sessions only, not presence, and to the following translation protocols: SIP for Sametime Gateway, SIP for AOL, SIP for OCS (Office Communications Server), SIP for Yahoo, and SIP for legacy Sametime Gateway. By default, this property is set on the translation protocol, but you can set the property at the community level.

About this task
The session timeout does not apply to VP or other protocols. By default, after 60 minutes of inactivity, Lotus Sametime Gateway removes session records. The next instant message that the user types in the same instant messaging window is considered to be the start of a new instant messaging session. Starting a new session is internal to Lotus Sametime Gateway; session timeouts are transparent to users. If the property is defined for a community, the community value takes precedence over the translation protocol value.
Expected state:
• Single server: the Lotus Sametime Gateway server is started.
• Cluster: the Deployment Manager is started, and the node agent and Lotus Sametime Gateway server are started on at least one node.
1. In the Integrated Solutions Console, click Sametime Gateway → Translation Protocols.
2. Select a translation protocol: SIP for Sametime Gateway, SIP for AOL, SIP for OCS, SIP for Yahoo, or SIP for legacy Sametime Gateway.
3. Under Additional properties, click Custom Properties.
4. Select session_timeout.
5. Type a new session timeout in the Value field. The default timeout is 3600 seconds (60 minutes).
6. Click OK, and then Save.
7. Restart the Lotus Sametime Gateway server. If you have a cluster of Lotus Sametime Gateway servers, restart the cluster.

Setting a subscription timeout for an external community
Setting a subscription timeout applies only to the presence capability when connecting to a community using the SIP for legacy Sametime Gateway protocol. The subscription timeout cancels or re-subscribes a SIP-based presence session.

About this task
By default, the subscription timeout is set on the translation protocol only. You can set the same property on an external community, allowing fine-grained control on a community basis. If the property is defined for a community, the community value takes precedence over the translation protocol value. Subscription timeout applies only to the SIP for legacy Sametime Gateway translation protocol. The subscription timeout does not apply to VP or other protocols.

Expected state:
- Single server: the Lotus Sametime Gateway server is started.
- Cluster: the Deployment Manager is started, and the node agent and Lotus Sametime Gateway server are started on at least one node.

1. In the Integrated Solutions Console, click Sametime Gateway → Communities.
2. Select a community that uses SIP for legacy Sametime Gateway to view the community properties.
3. At the top, click Custom Properties.
4. If this is the first time you are setting the subscription timeout at the community level, click New; otherwise click subscription_timeout to edit the custom property.
5. Type subscription_timeout as the name for the property.
6. Type an interval in seconds in the Value field, for example: 3600.
7. Click OK, and then Save.
8. Restart the Lotus Sametime Gateway server. If you have a cluster of Lotus Sametime Gateway servers, restart the cluster.

Setting subscription timeouts for a translation protocol
Setting a subscription timeout applies only to the presence capability. The subscription timeout cancels or re-subscribes a SIP for legacy Sametime Gateway presence session.

About this task
By default, the subscription timeout is set on the translation protocol only. You can set the same property on a community, allowing fine-grained control on a community basis. If the property is defined for a community, the community value takes precedence over the translation protocol value. Subscription timeout applies to the SIP for legacy Sametime Gateway protocol. The subscription timeout does not apply to VP, XMPP, or other protocols.

Expected state:
- Single server: the Lotus Sametime Gateway server is started.
- Cluster: the Deployment Manager is started, and the node agent and Lotus Sametime Gateway server are started on at least one node.

1. In the Integrated Solutions Console, click Sametime Gateway → Translation Protocols.
2. Select a translation protocol from the list.
3. Under Additional properties, click Custom Properties.
4. Select subscription_timeout.
5. Type a new subscription timeout in the Value field. The default subscription timeout is 3600 seconds (60 minutes).
6. Click OK, and then Save.
7. Restart the Lotus Sametime Gateway server. If you have a cluster of Lotus Sametime Gateway servers, restart the cluster.

Customizing the error message for when instant messaging fails
You can create and display custom text for users when an instant message fails.

Before you begin
You must create the external community first before you specify the custom error message.

About this task
You can set a custom property at the community level to display a specific error message that users see when they are unable to connect to a user in an external community. Without the custom property, users always see the default message "Your message has not been delivered. Please verify that the recipient is online." The steps below describe how to create a custom error message to provide additional feedback to users when trying to connect to a specific community.

1. In the Integrated Solutions Console, click Sametime Gateway → Communities.
2. From the list of communities, select an external community.
3. Click Custom Properties.
4. Click New to create a new custom property.
5. In the Name field, type IM failure message.
6. In the Value field, type the custom error message to display to users when sending an instant message fails.
7. Click Apply.
8. Restart the Lotus Sametime Gateway server.

Updating AOL, Yahoo, Office Communications Server, or Google host addresses
Complete these steps to update the server IP addresses that Sametime Gateway uses to determine when SIP requests originate from AOL Instant Messenger, Yahoo! Messenger, Office Communications Server, or Google Talk.

Before you begin
Update host or IP addresses only after new addresses have been published by IBM.

About this task
Sametime Gateway uses a custom property called server to store fully qualified domain names (FQDN) or host IP addresses of instant messaging services. The property enables Sametime Gateway to determine when a SIP request is coming from AOL Instant Messenger, Office Communications Server, or Yahoo! Messenger, or when an XMPP request is coming from Google Talk. The property is pre-set when you add an external community that uses one of the aforementioned services, so if an FQDN or a host IP address changes, you must update the custom property for any community that relies on that service. Note that you can change only the custom property at the community level after you create the connection to a community.

1. Log into the Integrated Solutions Console (http://localhost:9060/ibm/console), and click Sametime Gateway → Communities.
2. Click a community that uses the translation protocol that you want to update:

   Translation protocol    Instant messaging provider
   SIP for AOL             AOL Instant Messenger
   SIP for OCS             Office Communications Server
   SIP for Yahoo           Yahoo! Messenger
   XMPP                    Google Talk

3. Click Custom properties.
4. Click servers.
5. In the Value field, edit the host names or IP addresses.
6. Click OK.
7. Repeat the preceding steps for other communities that use the same translation protocol (SIP for AOL, SIP for OCS, SIP for Yahoo, or XMPP).
8. Restart the Sametime Gateway server, or, if you have a cluster of Sametime Gateway servers, restart the cluster.

Adding custom properties
You can add a custom property for a community, connection, translation protocol, or message handler. You can view or edit existing properties, or specify new properties that are needed to configure third-party elements used by the Lotus Sametime Gateway.

About this task
Expected state:
- Single server: the Lotus Sametime Gateway server is started.
- Cluster: the Deployment Manager is started, and the node agent and Sametime Gateway server are started on at least one node.

1. In the Integrated Solutions Console, click Sametime Gateway → Communities.
2. Select a community to view the community properties.
3. At the top, click Custom Properties.
4. Click New.
5. Type the name of the custom property in the Name field.
6. Type the value in the Value field.
7. Select Required to enable the custom property.
8. Click OK.

Translation protocol additions
You can extend the IBM Lotus Sametime Gateway by adding translation protocols. Additional translation protocols expand the communities that the Lotus Sametime Gateway can connect with: a new translation protocol extends the Lotus Sametime Gateway's ability to connect to additional instant messaging communities. A translation protocol needs to implement the API defined by the Lotus Sametime Gateway core. The core exposes an API for use by the translation protocol, and includes documentation on how to use it. Your new translation protocol is responsible for connectivity with the corresponding presence servers. If the presence server supports distribution or failover, the translation protocol is responsible for implementing these features. During deployment, the Lotus Sametime Gateway configuration must be updated to be made aware of the existence of the new translation protocol. Restart the Gateway to initiate the new translation protocol.

Configuring security
After setting up your initial IBM Lotus Sametime environment, you may want to make additional changes to safeguard information at your site, including limiting user access to certain features, using encryption, and modifying default security settings. This section contains information about securing your Lotus Sametime servers running on Domino and WebSphere Application Server.

Using a different SSL certificate for servers running on WebSphere
The IBM Lotus Sametime servers that run on IBM WebSphere Application Server install with SSL enabled, using a self-signed certificate from IBM. If you want to use a different certificate, you can import it into the keystore yourself.

About this task
The following Lotus Sametime servers install with SSL already enabled, using a self-signed certificate provided by IBM:
- Lotus Sametime Proxy Server
- Lotus Sametime Meeting Server
- Lotus Sametime Media Manager

If you install the Media Manager components on separate servers, each is installed with SSL enabled.

Note: The Lotus Sametime Gateway server does not install with SSL enabled; the configuration instructions in this information center explain how to enable SSL and import a certificate for Lotus Sametime Gateway servers.

If you want to modify your deployment to use a different SSL certificate, follow the instructions in the WebSphere information center topic, Import certificate from a key file or managed keystore.

Adding a Sametime server SSL certificate to the Sametime System Console
If you need to enable SSL (Secure Socket Layer), make sure you add the certificate from the IBM Lotus Sametime server (Sametime Meeting, Proxy, Media Manager, Gateway, or SIP) to the Lotus Sametime System Console.

About this task
To enable SSL, you must extract the certificate from the Lotus Sametime product server and add it to the trust store of the Sametime System Console. The Lotus Sametime product servers include:
- Lotus Sametime Meeting Server
- Lotus Sametime Proxy Server
- Lotus Sametime Media Manager
- Lotus Sametime Gateway Server
- SIP Proxy and Registrar

Follow these instructions. See the WebSphere Application Server information center for more information on extracting and adding certificates.

1. Log in to the Integrated Solutions Console for the Lotus Sametime product server.
2. Click Security → SSL certificate and key management → SSL configurations → CellDefaultSSLSettings → Key stores and certificates → CellDefaultTrustStore → Signer certificates.
3. Select the alias named root, and click Extract.
4. Enter the name of the .cer file, and select Base64 as the type for storing the process server signer certificate.
5. Log in to the Integrated Solutions Console for the Lotus Sametime System Console.
6. Click Security → SSL certificate and key management → SSL configurations → CellDefaultSSLSettings → Key stores and certificates → CellDefaultTrustStore → Signer certificates.
7. Click Add.
8. Enter an alias.
9. Enter the file name where you stored the extracted process server signer certificate from the product server.
10. Click Apply.
11. Restart the Lotus Sametime System Console deployment manager.

Related tasks
"Updating Sametime Proxy Server connection properties on the console" on page 407
You can update connection setting information that the IBM Lotus Sametime System Console uses to connect to the Lotus Sametime Proxy Server.
"Updating Sametime Media Manager connection properties on the console" on page 408
You can update connection setting information that the IBM Lotus Sametime System Console uses to connect to the Lotus Sametime Media Manager.
"Updating Sametime Meeting Server connection properties on the console" on page 419
You can update connection setting information that the IBM Lotus Sametime System Console uses to connect to the Lotus Sametime Meeting Server.
"Updating Sametime Gateway Server connection properties on the console" on page 428
You can update connection setting information that the IBM Lotus Sametime System Console uses to connect to the Lotus Sametime Gateway Server.

Updating Sametime Media Manager connection properties on the console
You can update connection setting information that the IBM Lotus Sametime System Console uses to connect to the Lotus Sametime Media Manager.

Before you begin
If you are configuring the Lotus Sametime Media Manager to use SSL (Secure Socket Layer), make sure the server’s certificate has been added to the Sametime System Console’s trust store.

About this task
Any changes that you make to the credential and connection information on the Connection Properties page do not change the actual settings on the Lotus Sametime Media Manager. These settings are only used by the Sametime System Console to connect to the Sametime Media Manager. Follow these steps to update connection setting information.

1. Log in to the Integrated Solutions Console.
2. Click Sametime System Console → Sametime Servers → Sametime Media Manager.
3. In the Sametime Media Managers list, click Edit next to the deployment name of the server with the connection information that you want to change.
4. Under Connection Properties, enter the administrator's User name and Password for connecting to the Lotus Sametime Media Manager.
5. If your deployment uses SSL, then click Is SSL?.
   Note: The Lotus Sametime Media Manager does not support TLS. It supports SSL between servers, but not between the server and the client.
6. Click Save.
7. If you enabled SSL, then you must restart the Lotus Sametime System Console for the changes to take effect.

Configuring security for the Lotus Sametime Community Server
The IBM Lotus Sametime server uses the Internet and intranet security features of the Domino server on which it is installed to authenticate Web browser users who access Domino databases on the server.

About this task
Follow the instructions in this section to set up SSL, HTTP tunneling, and user authentication.

Configuring Sametime to use SSL encryption
Configure IBM Lotus Sametime to use SSL (Secure Socket Layer) for its services, configure HTTPS for communication with Web clients, or enable LDAPS (LDAP over SSL) with the LDAP server.

About this task
You can encrypt communications for Lotus Sametime Services and the communication between Lotus Sametime and Web browsers. You can also encrypt communications between an LDAP server and the Lotus Sametime server with the LDAPS protocol. You can set up either, or both, of these protocols independently.

Enabling encryption for Lotus Sametime Services, and between Lotus Sametime and Web browsers
Configure SSL encryption for IBM Lotus Sametime Services and enable HTTPS for Web browsers.

About this task
Enabling SSL encryption with the HTTPS (browser-based) protocol involves the following tasks:

Preparing Lotus Domino to use SSL
Because IBM Lotus Sametime resides on an IBM Lotus Domino server, you must enable the Lotus Domino server's HTTP component to support Secure Socket Layer (SSL) before you can configure the Lotus Sametime server to encrypt communications.

About this task
Follow these steps in the Lotus Domino Administrator information center to set up a Lotus Domino server to support SSL for HTTP connections: Setting up SSL on a Domino server.

Preparing Lotus Sametime to use SSL
Set up SSL encryption on the IBM Lotus Sametime server by importing the SSL certificate used by IBM Lotus Domino and configuring the Lotus Sametime server to use it.

About this task
Install the GSKit and use the IKeyMan program to create a keystore on the Lotus Sametime server before you import the Lotus Domino server's SSL certificate and complete configuration changes to enable support for SSL. Complete the following tasks in the sequence shown:

Setting up a keystore for the SSL certificate used by Lotus Domino
Install the IBM GSKit with the IBM IKeyMan utility and then create a keystore file to hold the IBM Lotus Domino server's SSL certificate.

About this task
Lotus Sametime on IBM i already includes a keystore file called stkeys.jks, so you can skip this procedure and proceed directly to obtain and import a copy of the SSL certificate from the Lotus Domino server into the Lotus Sametime server. On IBM AIX, Linux, Solaris, and Microsoft Windows, you must create the keystore file yourself by completing the following tasks:

Installing GSKit and IKeyMan on the Lotus Sametime server
The IBM IKeyMan utility is contained in the GSKit program, so you must install both on the IBM Lotus Sametime server before you can set up a keystore file.

About this task
The Lotus Sametime server must store a copy of the IBM Lotus Domino server's SSL trusted root certificate to complete the SSL handshake when making an SSL connection to a browser-based client. Before you can import the SSL certificate from the Lotus Domino server, use the GSKit and IKeyMan utility to create a keystore file on the Lotus Sametime server for storing the certificate.

Notes:
- On IBM i, Lotus Sametime comes with the IKeyMan utility already installed, but you must install DCM software instead; the instructions are in this section.
- You only need to install GSKit and IKeyMan once. If you have already installed these programs during an earlier procedure, you can skip this task.

The instructions for installing DCM, or the GSKit and the IKeyMan utility, vary according to your server's operating system; use the instructions in the appropriate topic:

Installing GSKit and IKeyMan on AIX
Install the GSKit with the IKeyMan utility on an IBM Lotus Sametime server that runs on IBM AIX.

About this task
IBM Lotus Domino also ships with a version of GSKit, but for this task you must use the version included with Lotus Sametime. To install GSKit and IKeyMan on AIX, follow the steps below:
1. Log on to the Lotus Sametime server as the root user.
2. Stop the Lotus Domino and Lotus Sametime server.
3. Download the GSKit directory to a temporary location on the server. Information on downloading packages for Lotus Sametime is located in the Lotus Sametime Download document.
4. Navigate to your server's copy of the GSKit directory and open a command prompt.
5. Install GSKit using the System Management Interface Tool (SMIT) utility to install the gskak.rte package. The package name is "version AIX Certificate and SSL Base ACME Runtime Toolkit".
6. Use a text editor to add com.ibm.spi.IBMCMSProvider to the list of providers in the java.security file as follows:
   a. Navigate to the /opt/ibm/lotus/notes/latest/ibmpow/ibm-jre/jre/lib/security directory.
   b. Open the java.security file.
   c. In the java.security file, add the following statement to the list of security providers as shown:

   security.provider.5=com.ibm.spi.IBMCMSProvider

   The example below illustrates this line added to the java.security file (notice that the preference numbers must be in sequence):

   #
   security.provider.1=com.ibm.jsse.IBMJSSEProvider
   security.provider.2=com.ibm.crypto.provider.IBMJCE
   security.provider.3=com.ibm.security.jgss.IBMJGSSProvider
   security.provider.4=com.ibm.security.cert.IBMCertPath
   security.provider.5=com.ibm.spi.IBMCMSProvider
   #

   d. Save and close the file.
7. Navigate to the /opt/ibm/lotus/notes/latest/ibmpow/ibm-jre/jre/lib/ext directory, and delete the gskikm.jar file.
8. Set the JAVA_HOME environment variable to the Java VM installed under the Lotus Sametime binaries directory (export it so that child processes such as IKeyMan see it):

   JAVA_HOME=/opt/ibm/lotus/notes/latest/ibmpow/ibm-jre/
   export JAVA_HOME

Installing GSKit and IKeyMan on Linux
Install the GSKit with the IKeyMan utility on an IBM Lotus Sametime server that runs on Linux.

About this task
IBM Lotus Domino also ships with a version of GSKit, but for this task you must use the version included with Lotus Sametime. To install GSKit and IKeyMan on Linux, follow the steps below:

1. Log on to the Lotus Sametime server as the root user.
2. Stop the Lotus Domino and Lotus Sametime server.
3. Download the GSKit directory to a temporary location on the server. Information on downloading packages for Lotus Sametime is located in the Lotus Sametime Download document.
4. Navigate to your server's copy of the GSKit directory and open a command prompt.
5. Install the GSKit RPM.
   Note: The examples show release 7 of GSKit, but this program is periodically updated in the Lotus Sametime kits, so you may find that a newer version of GSKit was installed on your server.
   For example:

   rpm -i gsk7bas-7.0-3.31.i386.rpm

6. Edit the java.security file as follows:
   a. Navigate to the /opt/ibm/lotus/notes/latest/linux/ibm-jre/jre/lib/security/ directory.
   b. Open the java.security file.
   c. Use a text editor to add com.ibm.spi.IBMCMSProvider to the list of providers in the java.security file as follows:

   security.provider.5=com.ibm.spi.IBMCMSProvider

   The example below illustrates this line added to the java.security file (notice that the preference numbers must be in sequence):

   #
   security.provider.1=com.ibm.jsse.IBMJSSEProvider
   security.provider.2=com.ibm.crypto.provider.IBMJCE
   security.provider.3=com.ibm.security.jgss.IBMJGSSProvider
   security.provider.4=com.ibm.security.cert.IBMCertPath
   security.provider.5=com.ibm.spi.IBMCMSProvider
   #

   d. Save and close the file.
7. Navigate to the /opt/ibm/lotus/notes/latest/linux/ibm-jre/jre/lib/ext directory, and delete the gskikm.jar file.
8. Set the JAVA_HOME environment variable to the Java VM installed under the Lotus Sametime binaries directory:

   JAVA_HOME=/opt/ibm/lotus/notes/latest/linux/ibm-jre/jre
   export JAVA_HOME

Installing GSKit and IKeyMan on Solaris
Install the GSKit with the IKeyMan utility on an IBM Lotus Sametime server that runs on Solaris.

About this task
IBM Lotus Domino also ships with a version of GSKit, but for this task you must use the version included with Lotus Sametime. To install GSKit and IKeyMan on Solaris, follow the steps below:

1. Log on to the Lotus Sametime server as the root user.
2. Stop the Lotus Domino and Lotus Sametime server.
3. Download the GSKit directory to a temporary location on the server. Information on downloading packages for Lotus Sametime is located in the Lotus Sametime Download document.
4. Navigate to your server's copy of the GSKit directory and open a command prompt.
5. Install GSKit as follows:
   Note: The examples show release 6 of GSKit, but this program is periodically updated in the Lotus Sametime kits, so you may find that a newer version of GSKit was installed on your server.
   a. Uncompress and untar the gsk6bas.tar.Z file.
   b. Use one of the following methods to install GSKit:
      - Use the admintool application.
      - Use the pkgadd command; for example:

      pkgadd -d /var/spool/pkg gsk6bas

6. Use a text editor to add com.ibm.spi.IBMCMSProvider to the list of providers in the java.security file as follows:
   a. Navigate to the /opt/ibm/lotus/notes/latest/sunspa/ibm-jre/jre/lib/security/ directory.
   b. Open the java.security file.
   c. In the java.security file, add the following statement to the list of security providers as shown:

   security.provider.5=com.ibm.spi.IBMCMSProvider

   The example below illustrates this line added to the java.security file (notice that the preference numbers must be in sequence):

   #
   security.provider.1=com.ibm.jsse.IBMJSSEProvider
   security.provider.2=com.ibm.crypto.provider.IBMJCE
   security.provider.3=com.ibm.security.jgss.IBMJGSSProvider
   security.provider.4=com.ibm.security.cert.IBMCertPath
   security.provider.5=com.ibm.spi.IBMCMSProvider
   #

   d. Save and close the file.
7. Navigate to the /opt/ibm/lotus/notes/latest/sunspa/ibm-jre/jre/lib/ext directory, and delete the gskikm.jar file.
8. Set the JAVA_HOME environment variable to the Java VM installed under the Lotus Sametime binaries directory:

   JAVA_HOME=/opt/ibm/lotus/notes/latest/sunspa/ibm-jre/
   export JAVA_HOME
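The java.security edit is the same on AIX, Linux, and Solaris: one security.provider line is added with the next preference number, and the numbering must stay contiguous because the JDK reads security.provider.1, 2, 3, ... and stops at the first missing number, silently dropping everything after the gap. The script below is an added example (not from this guide or from IBM) that performs the edit and checks the numbering in POSIX shell; it assumes awk, grep, and sed are available, and the sample file it builds is a constructed stand-in for the real java.security, not IBM's file.

```sh
#!/bin/sh
# Added example (not from the Sametime guide): register com.ibm.spi.IBMCMSProvider
# in a java.security file under the next free preference number and check that the
# security.provider.N entries stay contiguous, which is the guide's "numbers must be
# in sequence" rule. Pure POSIX sh plus awk/grep/sed; no Java is needed to run it.

CMS_PROVIDER="com.ibm.spi.IBMCMSProvider"

# Highest active security.provider.N index in the file (0 if there are none).
# Commented-out lines (leading '#') are ignored, since Java ignores them too.
max_provider_index() {
    awk -F'[.=]' '
        /^security\.provider\.[0-9]+=/ { if ($3 + 0 > m) m = $3 + 0 }
        END { print m + 0 }' "$1"
}

# Succeeds (exit 0) only if the active indices are exactly 1..N with no gap or
# duplicate; the JDK stops loading providers at the first missing number.
check_provider_sequence() {
    awk -F'[.=]' '
        /^security\.provider\.[0-9]+=/ { seen[$3 + 0]++; if ($3 + 0 > m) m = $3 + 0 }
        END { for (i = 1; i <= m; i++) if (seen[i] != 1) exit 1 }' "$1"
}

# Append the CMS provider with the next free number unless it is already registered.
# Prints the preference number in use. The line is appended at the end of the file;
# property order does not matter to Java, only the number does.
add_cms_provider() {
    f="$1"
    existing=$(grep "^security\.provider\.[0-9]*=${CMS_PROVIDER}\$" "$f" \
        | sed 's/^security\.provider\.\([0-9]*\)=.*/\1/')
    if [ -n "$existing" ]; then
        echo "$existing"
        return 0
    fi
    next=$(( $(max_provider_index "$f") + 1 ))
    printf 'security.provider.%s=%s\n' "$next" "$CMS_PROVIDER" >> "$f"
    echo "$next"
}

# Constructed sample resembling the provider block shown in the guide; not a real JDK file.
make_sample_java_security() {
    cat > "$1" <<'EOF'
#
security.provider.1=com.ibm.jsse.IBMJSSEProvider
security.provider.2=com.ibm.crypto.provider.IBMJCE
security.provider.3=com.ibm.security.jgss.IBMJGSSProvider
security.provider.4=com.ibm.security.cert.IBMCertPath
#
EOF
}

# Usage on a real server (path taken from the guide's Linux procedure):
#   add_cms_provider /opt/ibm/lotus/notes/latest/linux/ibm-jre/jre/lib/security/java.security
#   check_provider_sequence <same file> || echo "provider numbering is not contiguous"
if [ "${1:-}" = "--demo" ]; then
    tmp=$(mktemp)
    make_sample_java_security "$tmp"
    echo "CMS provider registered as security.provider.$(add_cms_provider "$tmp")"
    check_provider_sequence "$tmp" && echo "provider numbering is contiguous"
    rm -f "$tmp"
fi
```

Run `sh script.sh --demo` to see it against the constructed sample; on a server, back up java.security first and point the functions at the platform's path from the steps above. The sequence check is worth running after any manual edit, since a typo such as security.provider.6 with no 5 leaves the CMS provider unloaded without any error message.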

Installing GSKit and IKeyMan on Windows
Install the GSKit with the IKeyMan utility on an IBM Lotus Sametime server that runs on Windows.

About this task
IBM Lotus Domino also ships with a version of GSKit, but for this task you must use the version included with Lotus Sametime. To install GSKit and IKeyMan on Microsoft Windows, follow the steps below:

1. Log on to the Lotus Sametime server as the Windows administrator.
2. Stop the Lotus Domino and Lotus Sametime server.
3. Download the GSKit directory to a temporary location on the server. Information on downloading packages for Lotus Sametime is located in the Lotus Sametime Download document.
4. Open a command prompt and navigate to your server's copy of the GSKit directory.
5. Install GSKit and IKeyMan by running the following command:

   setup.exe GSKit Sametime_install_root -s -f1setup.iss

   For example:

   setup.exe GSKit C:\Program Files\Lotus\Domino -s -f1setup.iss

   This command performs a silent installation of the IKeyMan program into the Lotus Sametime installation directory.
6. Verify that the installation is successful:
   Note: The examples show release 7 of GSKit, but this program is periodically updated in the Lotus Sametime kits, so you may find that a newer version of GSKit was installed on your server.
   a. Verify that a folder called ibm\gsk7 now exists under the Lotus Sametime installation directory.
   b. Verify that the HKLM\Software\ibm\gsk7 registry key has been created on the server.
7. Set the JAVA_HOME environment variable to the Java VM installed under the Lotus Sametime binaries directory:
   a. From the Windows desktop, right-click the My Computer icon and select System Properties.
   b. In the "System Properties" dialog box, select the Advanced tab.
   c. Click the Environment Variables button.
   d. In the "New System Variable" dialog box, click the New button under the "System Variables" list, and enter the following information:

   Table 5. Defining the new JAVA_HOME environment variable
   Variable name    Variable value
   JAVA_HOME        Sametime_install_root\ibm-jre\jre
                    For example: C:\Lotus\Sametime\ibm-jre\jre

   e. Click OK to close the "New System Variable" dialog box.
   f. Click OK to close the "Environment Variables" dialog box.
   g. Click OK to close the "System Properties" dialog box.
8. Use a text editor to add com.ibm.spi.IBMCMSProvider to the list of providers in the java.security file as follows:
   a. Navigate to the Sametime_install_root\ibm-jre\jre\lib\security directory. For example:

   C:\Program Files\Lotus\Domino\ibm-jre\jre\lib\security

   b. Open the java.security file.
   c. In the java.security file, add the following statement to the list of security providers as shown:

   security.provider.5=com.ibm.spi.IBMCMSProvider

   The example below illustrates this line added to the java.security file (notice that the preference numbers must be in sequence):

   #
   # List of providers and their preference orders (see above)
   #
   security.provider.1=com.ibm.jsse.IBMJSSEProvider
   security.provider.2=com.ibm.crypto.provider.IBMJCE
   security.provider.3=com.ibm.security.jgss.IBMJGSSProvider
   security.provider.4=com.ibm.security.cert.IBMCertPath
   security.provider.5=com.ibm.spi.IBMCMSProvider
   #

   d. Save and close the file.
9. Navigate to the Sametime_install_root\ibm-jre\jre\lib\ext directory, and delete the gskikm.jar file. For example:

   C:\Program Files\Lotus\Domino\ibm-jre\jre\lib\ext\gskikm.jar

Creating a keystore file
Use the IBM IKeyMan utility to create a keystore file on the IBM Lotus Sametime server, which will be used for storing a copy of the IBM Lotus Domino server's SSL certificate.

About this task
On IBM AIX, Linux, and Solaris, the keystore file is called keys.jks; on Microsoft Windows, call it stkeys.jks.

Note: On IBM i, the keystore already exists; skip this procedure.

To create a keystore file on the Sametime server:

1. Open a command prompt and navigate to the /jvm/bin directory of your Lotus Sametime installation:
   - AIX: /opt/ibm/lotus/notes/latest/ibmpow/jvm/bin
   - Linux: /opt/ibm/lotus/notes/latest/linux/jvm/bin
   - Solaris: /opt/ibm/lotus/notes/latest/sunspa/jvm/bin
   - Windows: C:\Program Files\Lotus\Domino\jvm\bin
2. Start the IKeyMan program by running the following command:

   java com.ibm.gsk.ikeyman.Ikeyman

3. Click Key Database File → New.
4. In the "New" dialog box, complete these fields and then click OK:

   Option             Description
   Key database type  Accept the default of jks.
   File name          Enter a file name for the key database:
                      - AIX, Linux, Solaris: keys.jks
                      - Windows: stkeys.jks
   Location           Choose the directory in which the "stkeys.jks" file will be stored. The examples in this documentation assume the file is stored in the Sametime_install_root/jvm/bin directory.

5. In the "Password" dialog box, complete these fields and then click OK:

   Option                Description
   Password              Type the password that you will use to access the keystore. You will need this password later in the procedure.
   Confirm password      Type the password again to confirm it.
   Set expiration time?  Click this option to enable it and type the number of days for which the password will remain valid. If you do not want the password to expire, leave this option disabled.

Obtaining a copy of the SSL certificate used by Lotus Domino
When the IBM Lotus Domino server is configured to use SSL, an SSL server certificate is received from a Certification Authority (CA) and merged into the Lotus Domino Server Certificate Admin database. When you configure SSL for IBM Lotus Sametime, you import a copy of this certificate to the Lotus Sametime server.

About this task
There are two versions of the SSL certificate that you can use:

Obtaining the SSL certificate directly from the Lotus Domino server
When configuring SSL for IBM Lotus Sametime, you can import a copy of the SSL certificate directly from the IBM Lotus Domino server.

About this task
When the Lotus Domino server was configured to use SSL, an SSL server certificate was received from a Certification Authority (CA) and merged into the Lotus Domino Server Certificate Admin (certsrv.nsf) database. In this procedure, you export a copy of that certificate and save it as a file so that you can import it into Lotus Sametime in a later task.

1. Open a browser and navigate to the Lotus Domino server where you enabled SSL.
   Note: The steps below use the Microsoft Internet Explorer browser; steps for your own browser may differ.
   You can locate the Lotus Domino server by navigating to the Lotus Sametime server that is hosted on the same computer, using an address similar to the following (replace Sametime.acme.com with your fully qualified Internet host name):

   https://Sametime.acme.com

2. Install the SSL certificate in Microsoft Internet Explorer to ensure it is available for export:
   a. When prompted to "select the certificate to use when connecting," click OK.
   b. At the "Security Alert" dialog box, click View Certificate.
   c. At the "Certificate" dialog box, click Install Certificate.
   d. At the "Certificate Manager Import Wizard" screen, click Next.
   e. Click the Automatically select the certificate store based on the type of certificate option, and then click Next.
   f. Back at the "Certificate Manager Import Wizard" screen, click Finish.
   g. When the message indicating that the SSL server certificate was imported successfully appears, click OK repeatedly until you have closed all of the dialog boxes.
3. Now export the SSL certificate from Internet Explorer and save it as a file.
   a. From the browser, click Tools → Internet Options.
   b. Click the Contents tab.
   c. Click the Certificates button.
   d. Click the Other People tab.

   e. Scroll down the list of certificates and select the server certificate that you imported earlier in this procedure. The certificate name should provide some indication that the certificate is associated with the Domino server from which it was imported. For example, if the certificate was imported from a server named Sametime.acme.com, the certificate might be issued to "Sametime" or to "Acme."
   f. Click the Export button.
   g. At the "Certificate Manager Export Wizard" screen, click Next.
   h. At the "Certificate Export File" screen, select Base64 encoded X.509 (.CER), and then click Next.
   i. At the "Export File Name" screen, provide a name for the file, select the Lotus Sametime server's data directory as the location where you want to store the file, and then click Next. For example, on Windows, you might enter SSLservercertificate.cer as the file name and select C:\Lotus\Domino\data as the location.
      Note: On IBM i, save the file directly to your server if you have mapped to the server drive. Otherwise, save the file on your client workstation and transfer it to your IBM i server later.
   j. When the message appears indicating the export was successful, click OK.

Obtaining a copy of the trusted root certificate
If you are unable to obtain a copy of the IBM Lotus Domino server's SSL certificate, you can request a trusted root certificate from a CA or export a trusted root certificate from your Web browser.

About this task
If you need to obtain a trusted root certificate, you must obtain the same trusted root certificate that is used by the Domino server to sign the Domino SSL server certificate. For example, if the VeriSign Class 4 Public Primary Certification Authority trusted root certificate is used to sign the Domino SSL server certificate, you must either export this certificate from your Web browser or request a VeriSign Class 4 Public Primary Certification Authority trusted root certificate from VeriSign.

There are two ways to obtain a copy of the trusted root certificate:

Obtaining a trusted root certificate from the Web browser
When configuring SSL for the IBM Lotus Sametime server, you can export a copy of the trusted root certificate that was used for signing the IBM Lotus Domino server's own SSL certificate from a Web browser, and then import it into the Lotus Sametime server's key store.

About this task
Rather than obtaining a copy of the Lotus Domino server's own SSL certificate, you may choose to obtain a copy of the trusted root certificate that was used for signing the Lotus Domino server's certificate. The easiest way to obtain a trusted root certificate is to export one from your Web browser.

252

Lotus Sametime: Installation and Administration Guide Part 2

Web browsers include many different SSL trusted root certificates by default. If your Web browser contains a trusted root certificate that corresponds with the Lotus Domino server’s trusted root certificate that was used to sign the Lotus Domino SSL server certificate, you can export it from the browser and save it as a file.

Note: You must use the same trusted root that signed the Lotus Domino server’s own SSL certificate.

The procedure below illustrates how you can export a trusted root certificate from a Microsoft Internet Explorer Web browser:
1. From the browser, click Tools → Internet Options.
2. Click the Contents tab.
3. Click the Certificates button.
4. Select the Trusted Root Certification Authorities tab.
5. Select the appropriate trusted root certificate from the list.
6. Click the Export button.
7. At the "Certificate Manager Export Wizard" screen, click Next.
8. At the "Certificate Export File" screen, select Base64 encoded X.509 (.CER), and then click Next.
9. At the "Export File Name" screen, provide a name for the file, select the Lotus Sametime server’s data directory as the location where you want to store the file, and then click Next. For example, on Windows, you might enter SSLservercertificate.cer as the file name, and select C:\Lotus\Domino\data as the location.
   Note: On IBM i, save the file directly to your server if you have mapped to the server drive. Otherwise, save the file on your client workstation and transfer it to your IBM i server later.
10. When the message appears indicating that the export was successful, click OK.

Obtaining a trusted root certificate from the Certification Authority:

When configuring SSL for the IBM Lotus Sametime server, you can obtain a copy of the trusted root certificate used for signing the IBM Lotus Domino server’s SSL certificate from the original Certificate Authority.

About this task

If you are unable to obtain a copy of the Lotus Domino server’s SSL server certificate, you can request a copy of the trusted root certificate from a CA. Normally, you request a certificate from a CA by browsing to the CA’s web site. For example, follow these steps to request a certificate from VeriSign:
1. Open a browser and navigate to the VeriSign site:
   www.verisign.com
2. Follow the instructions on the Web site to request a certificate. Once the certificate request is approved, you will receive an e-mail explaining how to pick up the certificate.
3. Pick up the certificate as instructed (for example, by browsing to the Web site and copying it from a field on the specified page).

You can provide a file name for the certificate when receiving it from the CA and then store it in the Lotus Sametime server’s data directory.

Importing the Lotus Domino server’s SSL certificate into the keystore:

After you obtain a copy of either the IBM Lotus Domino server’s own SSL certificate, or the trusted root certificate that was used to sign it, import your copy into the IBM Lotus Sametime server’s keystore.

About this task

The procedure for importing the SSL certificate depends on your operating system:

Importing an SSL certificate on AIX, Linux, Solaris:

To enable SSL between IBM Lotus Sametime running on IBM AIX, Linux, or Solaris, import the IBM Lotus Domino server’s SSL certificate into the keystore.

Before you begin

Make sure you have copied one of the following certificates from the server into the Lotus Sametime server’s data directory:
- CA.txt (the trusted root certificate)
- Server.txt (the SSL server certificate)

About this task

Follow the steps below to import the SSL certificate into the keystore on the Lotus Sametime server:
1. Verify that the ikeyman.sh file’s SAMETIME_HOME variable specifies the correct path for your server’s installation directory, modifying it as needed. The default installation directories for Lotus Sametime are as follows:
   - AIX: /opt/ibm/lotus/notes/latest/ibmpow
   - Linux: /opt/ibm/lotus/notes/latest/linux
   - Solaris: /opt/ibm/lotus/notes/latest/sunspa
2. Make sure the ikeyman.sh file has execute privileges.
3. Start the ikeyman.sh utility. The ikeyman.sh utility requires a graphical interface. If you run it in a text-only terminal, be sure to redirect the display to an x-windows session.
4. Click the Add button.
5. In the "Add CAs certificate from a File" dialog box, do the following:
   a. Verify that Base64-encoded ASCII data is selected as the "Data type".
   b. Set the Certificate file name to the name of the text file (for example, CA.txt) into which you copied the certificate.
   c. Set the Location to the location to which you transferred the CA.txt file in the previous procedure (for example, /local/notes/data).
   d. Click OK.
6. Close IKeyMan after the file is imported successfully.

Importing an SSL certificate on IBM i:


To enable SSL between IBM Lotus Sametime running on IBM i, import the IBM Lotus Domino server’s SSL certificate into the keystore.

Before you begin

Make sure you have copied one of the following certificates from the server into the Lotus Sametime server’s data directory:
- CA.txt (the trusted root certificate)
- Server.txt (the SSL server certificate)

About this task

Follow the steps below to import the SSL certificate into the keystore on the Lotus Sametime server:
1. From an IBM i command line, run the following command to start qshell:
   strqsh
2. From qshell, run the following keytool command:
   keytool -import -alias certificate_name -file certificate_filename -storepass keystore_password -keystore keystore_path_and_filename
   Where:
   - certificate_name is CA.txt
   - certificate_filename is also CA.txt
   - keystore_password is "sametime." Note: On IBM i versions of Sametime, stkeys.jks is provided by default and uses "sametime" as the default password
   - keystore_path_and_filename is stserver/data/stkeys.jks
   Example:
   keytool -import -alias stserver1cert -file /stserver/data/CA.txt -storepass sametime -keystore /stserver/data/stkeys.jks
3. After you have imported the certificate, use the following command to view the list of certificates in the stkeys.jks file and verify that the certificate was imported successfully:
   keytool -list -storepass keystore_password -keystore keystore_path_and_filename
   Example:
   keytool -list -storepass sametime -keystore /stserver/data/stkeys.jks

4. Press F3 to exit qshell.

Importing an SSL certificate on Windows:

To enable SSL between IBM Lotus Sametime running on Microsoft Windows, import the IBM Lotus Domino server’s SSL certificate into the keystore.

Before you begin

Make sure you have copied one of the following certificates from the server into the Lotus Sametime server’s data directory:
- CA.txt (the trusted root certificate)
- Server.txt (the SSL server certificate)

About this task

Follow the steps below to import the SSL certificate into the keystore on the Lotus Sametime server:
1. Open a command prompt and navigate to the Sametime_install_root\IBM\gsk6\bin directory. The default installation path for Lotus Sametime is C:\Lotus\Domino.
2. Start the IKeyMan utility by running the gsk6ikm.exe program.
3. Browse to and select the stkeys.jks key store file.
4. Enter the password required to access this file.
5. In the "Key database content" area, select Signer certificates.
6. Click the Add button.
7. In the "Add CAs certificate from a File" dialog box, do the following:
   a. Verify that Base64-encoded ASCII data is selected as the "Data type".
   b. Browse to and select the SSL certificate you want to import.
   c. Click OK.
8. In the "Enter a Label" dialog box, do the following:
   a. Type a label for the certificate. This label identifies the certificate in the Signer Certificates list of the IBM IKeyMan program.
   b. Click OK. The new certificate’s label appears in the list of Signer Certificates.
9. Close the stkeys.jks keystore file.
10. Close the IKeyMan utility.

Modifying the Lotus Sametime server configuration for SSL:

Modify the configuration of the IBM Lotus Sametime server to encrypt connections for Lotus Sametime servlets and the STPolicy.

About this task

Modify the Lotus Sametime server’s configuration by making changes to the sametime.ini file. The necessary changes vary with your operating system:

Modifying the Lotus Sametime configuration on AIX, Linux, Solaris:

Modify the IBM Lotus Sametime server’s sametime.ini file on IBM AIX, Linux, or Solaris to support Secure Socket Layer (SSL) encryption.

About this task

To modify the Lotus Sametime configuration, complete the following steps:
1. Stop the Lotus Sametime server.
2. Use a text editor to open the sametime.ini file. This is located in the Lotus Sametime installation directory.


3. Locate the ConfigurationPort= setting. Make sure that it specifies the port on which the Lotus Domino HTTP server listens for SSL connections (by default, this is port 443), modifying the setting if necessary. For example:
   ConfigurationPort=443
4. If these settings are not present in the [Config] section at the bottom of the sametime.ini file, manually type them in:
   [Config]
   ConfigurationSSLEnabled=true
   javax.net.ssl.keyStore=/local/notesdata/key.jks
   javax.net.ssl.trustStore=/local/notesdata/key.jks
   javax.net.ssl.keyStorePassword=keystore_password
   javax.net.ssl.trustStorePassword=truststore_password
   Note: Specify the complete path name of the key.jks file for both the javax.net.ssl.keyStore and the javax.net.ssl.trustStore settings. Specify the password that you provided for key.jks when you created it for both the javax.net.ssl.keyStorePassword and javax.net.ssl.trustStorePassword settings.
5. If these two lines appear in the sametime.ini file, remove them:
   javax.net.ssl.trustStoreType=JKS
   javax.net.ssl.keyStoreType=JKS

6. Save and close the sametime.ini file.
7. Restart the Lotus Sametime server.

Modifying the Lotus Sametime Configuration on IBM i:

Modify the IBM Lotus Sametime server’s sametime.ini file on IBM i to support Secure Socket Layer (SSL) encryption.

About this task

To modify the Sametime configuration for IBM i, complete the following steps:
1. Stop the Lotus Sametime server.
2. Use a text editor to open the sametime.ini file. This is located in the Lotus Sametime server’s data directory.
3. Locate the ConfigurationPort= setting. Make sure that it specifies the port on which the Lotus Domino HTTP server listens for SSL connections (by default, this is port 443), modifying the setting if necessary. For example:
   ConfigurationPort=443
4. If these settings are not present in the [Config] section at the bottom of the sametime.ini file, manually type them in:
   [Config]
   ConfigurationSSLEnabled=true
   javax.net.ssl.keyStore=stkeys.jks
   javax.net.ssl.trustStore=stkeys.jks
   javax.net.ssl.keyStorePassword=sametime
   javax.net.ssl.trustStorePassword=sametime

   Note: By default, the password for the stkeys.jks file is "sametime." If you change the password for stkeys.jks, you must change the setting of both javax.net.ssl.keyStorePassword and javax.net.ssl.trustStorePassword to match the new password. The full path for the stkeys.jks file is not needed for the IBM i version of Sametime.
5. Save the sametime.ini file.
6. Restart the Lotus Sametime server.

Modifying the Lotus Sametime configuration on Windows:

Modify the IBM Lotus Sametime server’s sametime.ini file on Microsoft Windows to support Secure Socket Layer (SSL) encryption.

About this task

To modify the Sametime configuration for Windows, complete the following steps:
1. Stop the Lotus Sametime server.
2. Use a text editor to open the sametime.ini file, which is located in the Sametime server installation directory (for example: C:\Program Files\lotus\domino).
3. Verify that the "ConfigurationPort=" setting specifies the port on which the Lotus Domino HTTP server listens for SSL connections (default port is 443). For example:
   ConfigurationPort=443
4. Verify that the [Config] section contains the following settings (or modify as needed):
   [Config]
   ConfigurationSSLEnabled=true
   javax.net.ssl.keyStore=c:\program files\lotus\domino\jvm\stkeys.jks
   javax.net.ssl.trustStore=c:\program files\lotus\domino\jvm\stkeys.jks
   javax.net.ssl.keyStorePassword=passw0rd
   javax.net.ssl.trustStorePassword=passw0rd
   Where:
   - For the javax.net.ssl.keyStore and the javax.net.ssl.trustStore settings, you specify the complete path name for the stkeys.jks file.
   - For the javax.net.ssl.keyStorePassword and the javax.net.ssl.trustStorePassword settings, you specify the password that you provided for the stkeys.jks file when you created it.
5. Save and close the sametime.ini file.
6. Start the Lotus Sametime server.

Tunneling through the firewall when SSL is enabled:

Configure an IBM Lotus Sametime server to allow clients to tunnel through a firewall when SSL is enabled.

Before you begin

Lotus Sametime Connect clients communicate with the Lotus Sametime server by directing messages to the HTTP server, which listens on port 80. When SSL is enabled, port 443 is normally used for sending encrypted messages; however, the Lotus Domino server (which hosts Lotus Sametime) is already listening on port 443 for encrypted Web-based communications. If Lotus Sametime Connect clients also send messages to the HTTP server on port 443, a conflict arises.


You can work around this conflict by configuring clients to access the Lotus Sametime server by tunneling to its Community Services multiplexer with an HTTPS proxy. In this type of configuration, both the Lotus Sametime Community Server and the Lotus Domino server listen for connections on port 443, but they use different addresses to avoid conflicts. You set up this type of connection by assigning an additional IP address to the Lotus Sametime server, and then configuring both the Community Services multiplexer and your clients to use that address when communicating on port 443. The following picture shows an example of this type of connection:

Restriction: This connection is not encrypted. In addition, clients using this connection will not have access to the Meeting Server and the Web Server, so Meeting services, as well as audio and video services, are not supported in this configuration.

About this task

If you want to allow clients to tunnel to the Community Services multiplexer on port 443 when SSL is enabled, complete the following tasks:

Binding the base DNS to the HTTP server:

Before assigning an additional IP address to an IBM Lotus Sametime server, avoid potential conflicts by binding the server’s base DNS to the HTTP server where it listens for communications. This ensures that the IBM Lotus Domino server hosting Lotus Sametime (and using this HTTP server) still receives all communications intended for it.

About this task

Bind the server’s base DNS to the HTTP server by completing the following steps:
1. On the Lotus Sametime server, open the Sametime Administration Tool.
2. Click Configuration → Connectivity → Networks and Ports.
3. On the "Networks and Ports" page, click Configure HTTP services on a Web page in its own window. The "HTTP" section of the Lotus Domino Directory’s Server document opens in a separate window.
4. Locate the Host name field.
5. Under the "Basics" heading, type the base DNS for the HTTP server (for example: sametime1.acme.com).

6. Still in the same field, type a comma and the following IP address: 127.0.0.1 so it looks like this:
   sametime1.acme.com,127.0.0.1
   This additional entry is required for enabling the Sametime Administration Tool to operate in this configuration.
7. Click the Save & Close button at the top of the Server document.
8. After the document closes, close the "Server-Servers" view of the Domino Directory.

Adding a new IP address to the Lotus Sametime server:

Assign an additional IP address to an IBM Lotus Sametime server.

Before you begin

To add a new IP address to a Lotus Sametime server, you can either install an additional Network Interface Card (NIC) or assign multiple IP addresses to a single NIC. For additional information, see IBM Tech Note #1181387, "Forcing a Sametime server with multiple NICs to bind to the correct IP address," at: www.ibm.com/support/docview.wss?rs=899&uid=swg21181387

About this task

To assign multiple IP addresses to a single NIC on a server running Microsoft Windows:
1. Open the Windows Control Panel.
2. Click the Protocols tab.
3. Click TCP/IP Protocols → Properties → Specify an IP Address.
4. Click the Advanced tab.
5. Use the "Advanced IP Addressing" page to assign multiple IP addresses to a single NIC.
6. Save your changes and close all of the dialog boxes.

Mapping the IP address and DNS for Community Services:

Configure an IBM Lotus Sametime server to map an IP address to the specific DNS and port used by Lotus Sametime Community Services.

Before you begin

You must have already assigned the IP address to the Lotus Sametime server.

Set up your DNS server to map the new IP address to a new DNS name for the Lotus Sametime server’s Community Services. To avoid confusion, it is recommended that your new DNS for the Community Services use the old DNS name plus "community-" as a prefix. For example, if your base DNS for the server is sametime1.acme.com, use the following name for the new DNS:
   community-sametime1.acme.com

Configuring HTTPS tunneling settings for clients using port 443:

Configure the IBM Lotus Sametime Community Services to listen for client communications using the new DNS and port 443.


Before you begin

You must have already assigned an additional IP address to the Lotus Sametime server, then mapped a new DNS to it for use by the Community Services.
1. On the Lotus Sametime server, open the Sametime Administration Tool.
2. Click Configuration → Connectivity → Networks and Ports.
3. On the "Networks and Ports" page, click Community Services Network → Address for HTTPS-tunneled client connections and fill in the following fields:
   Host name: community-base_DNS. For example, if your base DNS for the server is sametime1.acme.com, type the following name for the new DNS: community-sametime1.acme.com
   Port: 443
4. Restart the Lotus Sametime and Lotus Domino servers.
5. Close the Sametime Administration Tool.

Results

With this configuration, the Lotus Sametime Community Services multiplexer will listen for HTTPS-tunneled connections using host name community-sametime1.acme.com on port 443.

Connecting clients to the new Community Services DNS:

Configure an IBM Lotus Sametime Connect client to communicate with a Lotus Sametime server that is listening for HTTPS connections using the host name (DNS) and port that you specified in the HTTPS tunneling settings for the server.

About this task

Every Lotus Sametime Connect client located outside of the firewall requires this configuration to tunnel through the firewall to the Lotus Sametime Community Services. For each Lotus Sametime Connect client, configure the following settings in the "Sametime Connectivity" tab:
   Host: Type the new DNS that you mapped to the IP address that will be used for the Community Server. For example, if your base DNS for the server is sametime1.acme.com, it was recommended that you use the following name for the new DNS: community-sametime1.acme.com. That is the name you should type here.
   Community port: 443
   Use proxy: Select this setting.
   Use HTTPS proxy, Host name, Port: Select this setting and enter the host name (community-sametime1.acme.com) and port (443) on which the Lotus Sametime Connect clients connect to the HTTPS proxy.
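A check for the port 443 split that the tunneling procedures above set up, added here as an example and not part of the guide: it reads listener lines in the layout netstat -an prints and confirms that the Domino HTTP address and the Community Services address each hold port 443 and that nothing binds 443 on a wildcard address, which would put both services back in conflict. The listener lines and the 192.0.2.x addresses are constructed samples.

```shell
#!/bin/sh
# Added example, not from the Sametime guide: verify that port 443 is really split between
# two addresses as the tunneling procedure requires (Domino HTTPS on the base address,
# HTTPS-tunneled Community Services on the added address) and that no wildcard bind
# exists that would put both services back in conflict.  The listener lines below are
# constructed in the "Proto Local-Address Foreign-Address State" layout of netstat -an;
# the addresses are documentation-range samples.

# Print every local address bound to port $2, one per line, from the listener file $1.
listeners_on_port() {
    awk -v port="$2" '
        $NF == "LISTENING" || $NF == "LISTEN" {
            a = $2; i = match(a, /:[0-9]+$/); if (!i) next
            if (substr(a, i + 1) == port) print substr(a, 1, i - 1)
        }' "$1"
}

# Check the split: $1 = listener file, $2 = Domino HTTP address, $3 = Community Services
# address.  Prints a one-line verdict; returns 0 only when the configuration is consistent.
check_443_split() {
    addrs=$(listeners_on_port "$1" 443)
    for a in $addrs; do
        case $a in
            0.0.0.0|'*'|'::'|'[::]')
                echo "wildcard bind $a:443 would clash with both services"; return 1 ;;
        esac
    done
    printf '%s\n' "$addrs" | grep -qxF "$2" \
        || { echo "Domino HTTP address $2 is not listening on 443"; return 1; }
    printf '%s\n' "$addrs" | grep -qxF "$3" \
        || { echo "Community Services address $3 is not listening on 443"; return 1; }
    [ "$2" != "$3" ] || { echo "both services point at the same address $2"; return 1; }
    echo "443 is split: HTTPS on $2, HTTPS-tunneled Community Services on $3"
}

SAMPLE_DIR=$(mktemp -d)
trap 'rm -rf "$SAMPLE_DIR"' EXIT

# Constructed: the intended split, Domino HTTPS on 192.0.2.10, Community Services on 192.0.2.11.
cat > "$SAMPLE_DIR/split.txt" <<'EOF'
Proto  Local Address      Foreign Address  State
TCP    192.0.2.10:80      0.0.0.0:0        LISTENING
TCP    192.0.2.10:443     0.0.0.0:0        LISTENING
TCP    192.0.2.11:443     0.0.0.0:0        LISTENING
EOF

# Constructed: Domino HTTP bound to every address, so 443 cannot be shared.
cat > "$SAMPLE_DIR/wildcard.txt" <<'EOF'
Proto  Local Address      Foreign Address  State
TCP    0.0.0.0:80         0.0.0.0:0        LISTENING
TCP    0.0.0.0:443        0.0.0.0:0        LISTENING
EOF

check_443_split "$SAMPLE_DIR/split.txt" 192.0.2.10 192.0.2.11 || true
check_443_split "$SAMPLE_DIR/wildcard.txt" 192.0.2.10 192.0.2.11 || true
```

The check only confirms the address split; as the Restriction above says, the tunneled Community Services connection itself is not encrypted.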

Enabling encryption between Lotus Sametime and the LDAP server:

Configure SSL encryption between an IBM Lotus Sametime server and an LDAP server by enabling the LDAPS protocol.

About this task

When you enable this protocol, you can choose whether to encrypt only the data used for authenticating users in Lotus Sametime, or to encrypt all data that is transmitted between the two servers.

Note: If you are using an IBM Lotus Domino Directory and it is not configured as an LDAP directory, this section does not apply to you. You can skip these procedures.

Enabling SSL encryption for an LDAP server involves the following tasks:

Enabling SSL on the LDAP server:

You must enable SSL on your LDAP server before you can configure the IBM Lotus Sametime server to encrypt its communications with the LDAP directory.

About this task

Note: If you are using a Domino Directory and Lotus Sametime is not configured with an LDAP directory, this section does not apply to you and you should skip these procedures.

The procedure for enabling SSL depends on the LDAP directory that you use:

Setting up a Lotus Domino LDAP directory to use SSL:

You must enable the IBM Lotus Domino server’s LDAP component to support SSL before you can configure the IBM Lotus Sametime server to encrypt its communications with the Lotus Domino LDAP Server.

About this task

Follow these steps in the Lotus Domino Administrator information center to set up a Lotus Domino server to support SSL for LDAP connections: Setting up SSL on a Domino server

Enabling third-party LDAP servers to use SSL:


You must enable the LDAP server to support SSL before you can configure the IBM Lotus Sametime server to encrypt communications to the LDAP directory hosted on that server.

About this task

Refer to the documentation provided by the LDAP directory’s vendor for instructions on enabling SSL.

Using SSL to encrypt connections between the Sametime and LDAP servers:

When Sametime is configured to connect to an LDAP server, the Sametime server makes five separate connections to the LDAP server.

About this task

Sametime makes a separate connection to the LDAP server to perform each of these five tasks:
- Authenticate users
- Resolve a user name to a distinguished name as part of the login procedure
- Resolve user and group names (for example, as a response to an "Add Person or Group" request from a Sametime Connect client)
- Browse the directory
- Get the content of public groups

The Sametime and LDAP servers exchange directory information, including user names and passwords, over these connections. To ensure this information is secure, the administrator can use SSL to encrypt the data that passes over these connections. The administrator should consider the level of protection required before enabling SSL. Using SSL to encrypt these connections can slow the server performance.

The administrator has the following options when using SSL to encrypt the data transmitted between the Sametime and LDAP servers:
- Encrypt all data - This option encrypts all directory information (both user names and passwords) that is transmitted between the Sametime server and the LDAP server. If you encrypt all data, all five connections between the Sametime server and LDAP server are encrypted with SSL. This option provides the most security but also has the greatest effect on server performance.
- Encrypt only user passwords - This option encrypts passwords but not other directory information (such as user names) passing over the connections between the Sametime and LDAP servers. If you encrypt only user passwords, only the "authenticating users" connection between the Sametime server and the LDAP server is encrypted with SSL. This option provides an intermediate level of security and has less effect on server performance than encrypting all of the data.
- Encrypt no data - This option allows all directory information and passwords to pass unencrypted between the Sametime and LDAP servers. This option does not affect server performance and should be used if the administrator feels there is no chance that an unauthorized user can intercept information transmitted over the connections between the Sametime and LDAP servers.

- Using SSL to encrypt connections between the Sametime servlet and LDAP
- Ensuring the Sametime server trusts the LDAP server certificate on Windows and AIX/Solaris/Linux servers


Note: If you are encrypting connections between an AIX version of the Sametime server and an LDAP directory, xlC.aix50.rte must be 6.0.0.3 (or higher).

Setting up a keystore for the SSL certificate used by the LDAP server:

On IBM AIX, Linux, Microsoft Windows, and Sun Solaris, install the GSKit program and the IBM IKeyMan utility so you can store a copy of the LDAP server’s SSL certificate. On IBM i, install the DCM (Digital Certificate Manager) program instead.

About this task

The Lotus Sametime server must store a copy of the LDAP Server’s SSL trusted certificate to complete the SSL handshake when making an SSL connection to that LDAP server. Before you can import the SSL certificate from the LDAP Server, you will use the GSKit program and IKeyMan utility (the DCM program on IBM i) to create a keystore file on the Lotus Sametime server for storing the certificate.

Note: You only need to install these programs once. If you have already installed these programs during an earlier procedure, you can skip this task.

The instructions for installing GSKit and IKeyMan, or DCM, vary according to your server’s operating system. Use the instructions in the appropriate topic:

Installing and setting up Digital Certificate Manager on IBM i:

Install and set up the DCM (Digital Certificate Manager) program on an IBM i server hosting IBM Lotus Sametime, and ensure that Lotus Sametime trusts the LDAP server’s SSL certificate.

About this task

Set up DCM and ensure that Lotus Sametime trusts the LDAP server by completing the following tasks:

Installing Digital Certificate Manager:

Install the DCM (Digital Certificate Manager) program on an IBM i server that hosts IBM Lotus Sametime.

About this task

On IBM i, SSL certificates are managed using the integrated DCM program. You must install and set up DCM before you can establish SSL encryption for communications between the IBM i server’s LDAP client and the deployment’s LDAP server.

All of the following software must be installed on the IBM i server where your Lotus Sametime server is located:
- 5722-SS1 Option 34, Digital Certificate Manager
- 5722-DG1, IBM HTTP Server
- 5722-AC3, Crypto Access Provider 128-bit

If you need more detailed information about setting up and using DCM in order to complete the steps in this section, see the IBM i information center at:
www.ibm.com/as400/infocenter


After selecting the appropriate IBM i release and your preferred language, select the "Digital Certificate Manager" topic in the "Security" section.

Ensuring that the LDAP client trusts the LDAP server’s certificate:

Ensure that the IBM i LDAP client trusts the SSL certificate used by the LDAP server with which it communicates.

About this task

IBM Lotus Sametime for IBM i uses the LDAP client included with the IBM Directory Server that is installed as part of the IBM i operating system. Enable the LDAP client to trust the LDAP server by importing the server’s SSL certificate into the store on the client (the IBM i server) and then adding the Certificate Authority to the trust list.
1. Use the DCM (Digital Certificate Manager) program to determine whether the CA Certificate that signed the LDAP directory server’s certificate is already included in the DCM *SYSTEM certificate store. Well-known public Internet Certificate Authorities (CA) that most Web browsers can recognize readily, such as VeriSign, are already included in the DCM. If the appropriate CA is included in the certificate store, you have finished this task; skip the remaining steps. If the CA used by your LDAP server’s certificate does not appear in the DCM *SYSTEM certificate store, import it now by completing the remaining steps in this procedure.
2. Import the LDAP directory server’s certificate into the DCM *SYSTEM certificate store.
3. Use DCM to add the CA Certificate to the trust list of the IBM Directory Server LDAP client application. The application ID is QIBM_GLD_DIRSRV_CLIENT.

Ensuring that Lotus Sametime has access to the *SYSTEM certificate store:

Assign IBM Lotus Sametime access to the IBM i *SYSTEM certificate store.

About this task

Lotus Sametime must be able to access certificates located in the DCM *SYSTEM certificate store when connecting to an LDAP server using SSL. The DCM *SYSTEM certificate store is located in the /qibm/userdata/icss/cert/server directory on an IBM i server.
QNOTES is an IBM i user profile created by IBM Lotus Domino and used by Lotus Sametime. By default, the QNOTES user profile does not have access to the DCM *SYSTEM certificate store or the /qibm/userdata/icss/cert/server directory, although the higher level directories usually have *PUBLIC *RX authority which allows QNOTES to access those directories.

Provide Lotus Sametime with access to the *SYSTEM certificate store by completing the following steps:
1. Run the following command from any IBM i command line to view the contents of the /qibm/userdata/icss/cert/server directory and verify the name of the certificate store:
   WRKLNK '/QIBM/USERDATA/ICSS/CERT/Server/*'
   By default, the certificate store is named default.kdb and uses "sametime" as the password.

2. Run the following commands from any IBM i command line to ensure QNOTES has the necessary authority to the DCM *SYSTEM certificate store and associated directory:
   CHGAUT OBJ('/QIBM/USERDATA/ICSS/CERT/Server') USER(QNOTES) DTAAUT(*RX)
   CHGAUT OBJ('/QIBM/USERDATA/ICSS/CERT/Server/DEFAULT.RDB') USER(QNOTES) DTAAUT(*RX)
   CHGAUT OBJ('/QIBM/USERDATA/ICSS/CERT/Server/DEFAULT.KDB') USER(QNOTES) DTAAUT(*RX)
   In this example:
   - QNOTES is the user receiving access
   - default.kdb is the name of the certificate store

Setting up GSKit, IKeyMan, and the key database on AIX, Linux, Solaris, Windows:

Install the GSKit program and the IBM IKeyMan utility on IBM AIX, Linux, Microsoft Windows, or Solaris and then use IKeyMan to create a key database for storing the LDAP server’s SSL certificate.

About this task

Install the programs and create the key database by completing the following tasks:

Installing GSKit and IKeyMan:

Install the GSKit program and the IBM IKeyMan utility on IBM AIX, Linux, Microsoft Windows, or Solaris.

About this task

Install GSKit and IKeyMan by following the steps in the appropriate topic for your operating system:

Installing GSKit and IKeyMan on AIX:

Install the GSKit with the IKeyMan utility on an IBM Lotus Sametime server that runs on IBM AIX.

About this task

IBM Lotus Domino also ships with a version of GSKit, but for this task you must use the version included with Lotus Sametime. To install GSKit and IKeyMan on AIX, follow the steps below:
1. Log on to the Lotus Sametime server as the root user.
2. Stop the Lotus Domino and Lotus Sametime server.
3.  Download the GSKit directory to a temporary location on the server. Information on downloading packages for Lotus Sametime is located in the Lotus Sametime Download document.
4. Navigate to your server’s copy of the GSKit directory and open a command prompt.
5. Install GSKit using the System Management Interface Tool (SMIT) utility to install the gskak.rte package.

266

Lotus Sametime: Installation and Administration Guide Part 2

The package name is "version AIX Certificate and SSL Base ACME Runtime Toolkit".
6. Use a text editor to add com.ibm.spi.IBMCMSProvider to the list of providers in the java.security file as follows:
   a. Navigate to the /opt/ibm/lotus/notes/latest/ibmpow/ibm-jre/jre/lib/security directory.
   b. Open the java.security file.
   c. Add the following statement to the list of security providers as shown:
security.provider.5=com.ibm.spi.IBMCMSProvider

The example below illustrates this line added to the java.security file (notice that the preference numbers must be in sequence):
#
security.provider.1=com.ibm.jsse.IBMJSSEProvider
security.provider.2=com.ibm.crypto.provider.IBMJCE
security.provider.3=com.ibm.security.jgss.IBMJGSSProvider
security.provider.4=com.ibm.security.cert.IBMCertPath
security.provider.5=com.ibm.spi.IBMCMSProvider
#

   d. Save and close the file.
7. Navigate to the /opt/ibm/lotus/notes/latest/ibmpow/ibm-jre/jre/lib/ext directory, and delete the gskikm.jar file.
8. Set the JAVA_HOME environment variable to the Java VM installed under the Lotus Sametime binaries directory, and export it so that the IKeyMan startup script sees it:
JAVA_HOME=/opt/ibm/lotus/notes/latest/ibmpow/ibm-jre/
export JAVA_HOME

Installing GSKit and IKeyMan on Linux:

Install GSKit with the IKeyMan utility on an IBM Lotus Sametime server that runs on Linux.

About this task
IBM Lotus Domino also ships with a version of GSKit, but for this task you must use the version included with Lotus Sametime. To install GSKit and IKeyMan on Linux, follow the steps below:
1. Log on to the Lotus Sametime server as the root user.
2. Stop the Lotus Domino and Lotus Sametime server.
3. Download the GSKit directory to a temporary location on the server. Information on downloading packages for Lotus Sametime is located in the Lotus Sametime Download document.
4. Navigate to your server’s copy of the GSKit directory and open a command prompt.
5. Install the GSKit RPM.
   Note: The examples show release 7 of GSKit, but this program is periodically updated in the Lotus Sametime kits, so you may find that a newer version of GSKit was installed on your server. For example:
rpm -i gsk7bas-7.0-3.31.i386.rpm

6. Edit the java.security file as follows:
   a. Navigate to the /opt/ibm/lotus/notes/latest/linux/ibm-jre/jre/lib/security/ directory.
   b. Open the java.security file.
   c. Use a text editor to add com.ibm.spi.IBMCMSProvider to the list of providers in the java.security file as follows:
security.provider.5=com.ibm.spi.IBMCMSProvider

The example below illustrates this line added to the java.security file (notice that the preference numbers must be in sequence):
#
security.provider.1=com.ibm.jsse.IBMJSSEProvider
security.provider.2=com.ibm.crypto.provider.IBMJCE
security.provider.3=com.ibm.security.jgss.IBMJGSSProvider
security.provider.4=com.ibm.security.cert.IBMCertPath
security.provider.5=com.ibm.spi.IBMCMSProvider
#

   d. Save and close the file.
7. Navigate to the /opt/ibm/lotus/notes/latest/linux/ibm-jre/jre/lib/ext directory, and delete the gskikm.jar file.
8. Set the JAVA_HOME environment variable to the Java VM installed under the Lotus Sametime binaries directory:
JAVA_HOME=/opt/ibm/lotus/notes/latest/linux/ibm-jre/jre
export JAVA_HOME

Installing GSKit and IKeyMan on Solaris:

Install GSKit with the IKeyMan utility on an IBM Lotus Sametime server that runs on Solaris.

About this task
IBM Lotus Domino also ships with a version of GSKit, but for this task you must use the version included with Lotus Sametime. To install GSKit and IKeyMan on Solaris, follow the steps below:
1. Log on to the Lotus Sametime server as the root user.
2. Stop the Lotus Domino and Lotus Sametime server.
3. Download the GSKit directory to a temporary location on the server. Information on downloading packages for Lotus Sametime is located in the Lotus Sametime Download document.
4. Navigate to your server’s copy of the GSKit directory and open a command prompt.
5. Install GSKit as follows:
   Note: The examples show release 6 of GSKit, but this program is periodically updated in the Lotus Sametime kits, so you may find that a newer version of GSKit was installed on your server.
   a. Uncompress and untar the gsk6bas.tar.Z file.
   b. Use one of the following methods to install GSKit:
      - Use the admintool application.
      - Use the pkgadd command; for example:
pkgadd -d /var/spool/pkg gsk6bas

6. Use a text editor to add com.ibm.spi.IBMCMSProvider to the list of providers in the java.security file as follows:

   a. Navigate to the /opt/ibm/lotus/notes/latest/sunspa/ibm-jre/jre/lib/security/ directory.
   b. Open the java.security file.
   c. Add the following statement to the list of security providers as shown:
security.provider.5=com.ibm.spi.IBMCMSProvider

The example below illustrates this line added to the java.security file (notice that the preference numbers must be in sequence):
#
security.provider.1=com.ibm.jsse.IBMJSSEProvider
security.provider.2=com.ibm.crypto.provider.IBMJCE
security.provider.3=com.ibm.security.jgss.IBMJGSSProvider
security.provider.4=com.ibm.security.cert.IBMCertPath
security.provider.5=com.ibm.spi.IBMCMSProvider
#

   d. Save and close the file.
7. Navigate to the /opt/ibm/lotus/notes/latest/sunspa/ibm-jre/jre/lib/ext directory, and delete the gskikm.jar file.
8. Set the JAVA_HOME environment variable to the Java VM installed under the Lotus Sametime binaries directory:
JAVA_HOME=/opt/ibm/lotus/notes/latest/sunspa/ibm-jre/
export JAVA_HOME

Installing GSKit and IKeyMan on Windows:

Install GSKit with the IKeyMan utility on an IBM Lotus Sametime server that runs on Windows.

About this task
IBM Lotus Domino also ships with a version of GSKit, but for this task you must use the version included with Lotus Sametime. To install GSKit and IKeyMan on Microsoft Windows, follow the steps below:
1. Log on to the Lotus Sametime server as the Windows administrator.
2. Stop the Lotus Domino and Lotus Sametime server.
3. Download the GSKit directory to a temporary location on the server. Information on downloading packages for Lotus Sametime is located in the Lotus Sametime Download document.
4. Open a command prompt and navigate to your server’s copy of the GSKit directory.
5. Install GSKit and IKeyMan by running the following command:
setup.exe GSKit Sametime_install_root -s -f1setup.iss

For example:
setup.exe GSKit "C:\Program Files\Lotus\Domino" -s -f1setup.iss

This command performs a silent installation of the IKeyMan program into the Lotus Sametime installation directory. Quote the installation path when it contains spaces, as in the example.
6. Verify that the installation is successful:
   Note: The examples show release 7 of GSKit, but this program is periodically updated in the Lotus Sametime kits, so you may find that a newer version of GSKit was installed on your server.
   a. Verify that a folder called ibm\gsk7 now exists under the Lotus Sametime installation directory.
   b. Verify that the HKLM\Software\ibm\gsk7 registry key has been created on the server.
7. Set the JAVA_HOME environment variable to the Java VM installed under the Lotus Sametime binaries directory:
   a. From the Windows desktop, right-click the My Computer icon and select System Properties.
   b. In the "System Properties" dialog box, select the Advanced tab.
   c. Click the Environment Variables button.
   d. Click the New button under the "System Variables" list, and in the "New System Variable" dialog box enter the following information:
Table 6. Defining the new JAVA_HOME environment variable
Variable name:  JAVA_HOME
Variable value: Sametime_install_root\ibm-jre\jre
                For example: C:\Lotus\Sametime\ibm-jre\jre

   e. Click OK to close the "New System Variable" dialog box.
   f. Click OK to close the "Environment Variables" dialog box.
   g. Click OK to close the "System Properties" dialog box.
8. Use a text editor to add com.ibm.spi.IBMCMSProvider to the list of providers in the java.security file as follows:
   a. Navigate to the Sametime_install_root\ibm-jre\jre\lib\security directory. For example:
C:\Program Files\Lotus\Domino\ibm-jre\jre\lib\security

   b. Open the java.security file.
   c. Add the following statement to the list of security providers as shown:
security.provider.5=com.ibm.spi.IBMCMSProvider

The example below illustrates this line added to the java.security file (notice that the preference numbers must be in sequence):
#
# List of providers and their preference orders (see above):
#
security.provider.1=com.ibm.jsse.IBMJSSEProvider
security.provider.2=com.ibm.crypto.provider.IBMJCE
security.provider.3=com.ibm.security.jgss.IBMJGSSProvider
security.provider.4=com.ibm.security.cert.IBMCertPath
security.provider.5=com.ibm.spi.IBMCMSProvider
#

9. Navigate to the Sametime_install_root\ibm-jre\jre\lib\ext directory, and delete the gskikm.jar file. For example:
C:\Program Files\Lotus\Domino\ibm-jre\jre\lib\ext\gskikm.jar
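The same java.security edit appears in the AIX, Linux, Solaris and Windows procedures above. The following script is added here as an illustration; it is not part of the Lotus Sametime documentation or product. It makes that edit and checks the rule the procedures stress, that the security.provider.N preference numbers stay in sequence. The sample file content is constructed; only the provider class names are the ones the procedures show.

```python
"""Insert com.ibm.spi.IBMCMSProvider into a java.security provider list.

Added example, not part of the Lotus Sametime documentation or product.
It automates the manual edit the AIX, Linux, Solaris and Windows procedures
describe and keeps the security.provider.N preference numbers contiguous.
The sample file content below is constructed.
"""
import re
from typing import List, Optional

# Matches "security.provider.<N>=<class>" and captures N and the class name.
PROVIDER_RE = re.compile(r"^\s*security\.provider\.(\d+)\s*=\s*(\S+)\s*$")

CMS_PROVIDER = "com.ibm.spi.IBMCMSProvider"


def provider_list(text: str) -> List[str]:
    """Return the provider class names in file order."""
    return [m.group(2) for m in map(PROVIDER_RE.match, text.splitlines()) if m]


def numbering_is_contiguous(text: str) -> bool:
    """True when the preference numbers run 1, 2, ..., n with no gap or repeat."""
    numbers = [int(m.group(1)) for m in map(PROVIDER_RE.match, text.splitlines()) if m]
    return numbers == list(range(1, len(numbers) + 1))


def add_provider(text: str, provider: str = CMS_PROVIDER,
                 position: Optional[int] = None) -> str:
    """Return the java.security content with `provider` in the provider list.

    - If the provider is already listed the text comes back unchanged, so the
      edit can be re-run safely (for example after a GSKit update).
    - position=None appends it as the lowest preference, which is what the
      procedure does (security.provider.5 after four existing entries);
      position=N makes it security.provider.N and renumbers the rest.
    - Comments and unrelated properties are preserved where they are.
    """
    lines = text.splitlines()
    provider_idx = [i for i, line in enumerate(lines) if PROVIDER_RE.match(line)]
    names = [PROVIDER_RE.match(lines[i]).group(2) for i in provider_idx]
    if provider in names:
        return text

    if position is None or position > len(names):
        names.append(provider)
    elif position < 1:
        raise ValueError("position is 1-based")
    else:
        names.insert(position - 1, provider)

    # Regenerate the whole provider block at the place where it started so the
    # numbering is rebuilt from 1 instead of being patched line by line.
    removed = set(provider_idx)
    start = provider_idx[0] if provider_idx else len(lines)
    kept = [line for i, line in enumerate(lines) if i not in removed]
    block = [f"security.provider.{n}={name}" for n, name in enumerate(names, start=1)]
    new_lines = kept[:start] + block + kept[start:]
    return "\n".join(new_lines) + ("\n" if text.endswith("\n") else "")


# Constructed excerpt of a java.security file as shipped before the edit.
SAMPLE_JAVA_SECURITY = """\
#
# List of providers and their preference orders (see above):
#
security.provider.1=com.ibm.jsse.IBMJSSEProvider
security.provider.2=com.ibm.crypto.provider.IBMJCE
security.provider.3=com.ibm.security.jgss.IBMJGSSProvider
security.provider.4=com.ibm.security.cert.IBMCertPath
#
# An unrelated property that the edit must leave untouched.
securerandom.source=file:/dev/urandom
"""

if __name__ == "__main__":
    print(add_provider(SAMPLE_JAVA_SECURITY), end="")
```

Run it against a copy of the real file first and diff the result; the function refuses nothing else about the file, so a typo in the provider name would simply be appended as a sixth provider.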

Creating a keystore database for the LDAP server’s SSL certificate:

Use the IBM IKeyMan utility on IBM AIX, Linux, Microsoft Windows, or Sun Solaris to create a key database on the IBM Lotus Sametime server; the key database will store a copy of the LDAP server’s SSL certificate. Note that you do not need to create a key database on IBM i.

Before you begin
Note: This procedure does not apply to IBM i because the keystore database is not used by Lotus Sametime on IBM i.
The keystore database that you create for storing the LDAP server’s SSL certificate is different from the keystore file used for storing the Lotus Domino server’s SSL certificate and must use a different file name.

About this task
Create the keystore database by completing the following steps:
1. Start the IBM IKeyMan utility:
   a. Open a command prompt and navigate to the Sametime_install_root/IBM/gsk6/bin directory. The default installation path for Lotus Sametime is as follows:
      - AIX: /opt/ibm/lotus/notes/latest/ibmpow
      - Linux: /opt/ibm/lotus/notes/latest/linux
      - Solaris: /opt/ibm/lotus/notes/latest/sunspa
      - Windows: C:\Lotus\Domino
   b. Run the gsk6ikm program.
2. From the IKeyMan utility’s menu, click Key Database → File → New.
3. In the "New" dialog box, fill in the following fields and click OK:
Option: Key database type
Description: CMS key database file
Note: You will not be able to select the CMS key database unless you have added com.ibm.spi.IBMCMSProvider to the java.security file, as you were instructed to when you installed GSKit and IKeyMan.

Option: File name
Description: key.kdb
Note: If you enabled the HTTPS protocol, make sure that this keystore database’s file name is different from that file name, to avoid conflicts.

Option: Location
Description: Enter the path to the Sametime_install_root (shown in Step 1).

4. In the "Password" dialog box, fill in the following fields and click OK:

Option: Password
Description: Enter the password you will use for accessing this keystore database.

Option: Confirm password
Description: Confirm the password by typing it again.

Option: Stash the password to a file?
Description: Click this option to enable it.

A message appears, indicating that the password is encrypted and saved in the location Sametime_install_root/key.sth. Restrict read access to key.sth to the account that runs the Sametime server: anyone who can read the stash file can open the key database without knowing the password.

Importing a copy of the LDAP server’s trusted root certificate:

Import a copy of the LDAP server’s trusted root SSL certificate into the keystore database on the IBM Lotus Sametime server to encrypt communications between Lotus Sametime and the LDAP server.

Before you begin
When the key.kdb database is created, it contains several trusted root (or "signer") certificates by default. If a trusted root certificate used by the LDAP server exists in the key.kdb database by default, then you can skip this procedure. If the key.kdb database does not contain an appropriate trusted root certificate by default, you must obtain a trusted root certificate from the appropriate CA and add it to the key.kdb database. Confirm the certificate’s fingerprint with the LDAP administrator before you add it: anything imported as a signer is trusted for every future LDAP connection.

About this task
The procedure for importing the trusted root certificate depends on your operating system:

Importing a trusted root certificate on AIX, Linux, Solaris:

To enable SSL between IBM Lotus Sametime running on IBM AIX, Linux, or Solaris and an LDAP server, import the server’s trusted root certificate into the key database.

Before you begin
Make sure you have copied one of the following certificates from the server into the Lotus Sametime server’s data directory:
- CA.txt (the trusted root certificate)
- Server.txt (the SSL server certificate)

About this task
Follow the steps below to import the SSL certificate into the key database on the Lotus Sametime server:
1. Verify that the ikeyman.sh file’s SAMETIME_HOME variable specifies the correct path for your server’s installation directory, modifying it as needed. The default installation directories for Lotus Sametime are as follows:
   - AIX: /opt/ibm/lotus/notes/latest/ibmpow
   - Linux: /opt/ibm/lotus/notes/latest/linux
   - Solaris: /opt/ibm/lotus/notes/latest/sunspa
2. Make sure the ikeyman.sh file has execute privileges.
3. Start the ikeyman.sh utility. The ikeyman.sh utility requires a graphical interface. If you run it in a text-only terminal, be sure to redirect the display to an X Window System session.
4. Click the Add button.
5. In the "Add CA’s certificate from a File" dialog box, do the following:
   a. Verify that Base64-encoded ASCII data is selected as the "Data type".
   b. Set the Certificate file name to the name of the text file (for example, CA.txt) into which you copied the certificate.

   c. Set the Location to the location to which you transferred the CA.txt file in the previous procedure (for example, /local/notes/data).
   d. Click OK.
6. Close IKeyMan after the file is imported successfully.

Importing a trusted root certificate on IBM i:

To enable SSL between IBM Lotus Sametime running on IBM i and an LDAP server, import the server’s trusted root certificate into the keystore file.

Before you begin
Make sure you have copied one of the following certificates from the server into the Lotus Sametime server’s data directory:
- CA.txt (the trusted root certificate)
- Server.txt (the SSL server certificate)

About this task
Follow the steps below to import the SSL certificate into the keystore file on the Lotus Sametime server:
1. From an IBM i command line, run the following command to start qshell:
strqsh

2. From qshell, run the following keytool command:
keytool -import -alias certificate_name -file certificate_filename -storepass keystore_password -keystore keystore_path_and_filename

Where:
- certificate_name is the alias (label) under which keytool stores the certificate in the keystore; the example below uses stserver1cert
- certificate_filename is the path to the CA.txt file you copied into the data directory
- keystore_password is "sametime". Note: On IBM i versions of Sametime, the keystore is called "stkeys.jks" and uses "sametime" as the default password. Because that default is public, change it (keytool -storepasswd) and use the new value wherever this keystore’s password is configured, such as KeyStorePassword in UserInfoConfig.xml.
- keystore_path_and_filename is /stserver/data/stkeys.jks
Passing -storepass on the command line leaves the password in the shell history and process list; on a shared system omit it and let keytool prompt for it.
Example:
keytool -import -alias stserver1cert -file /stserver/data/CA.txt -storepass sametime -keystore /stserver/data/stkeys.jks

3. After you have imported the certificate, use the following command to view the list of certificates in the stkeys.jks file and verify that the certificate was imported successfully:
keytool -list -storepass keystore_password -keystore keystore_path_and_filename

Example:
keytool -list -storepass sametime -keystore /stserver/data/stkeys.jks

4. Press F3 to exit qshell.

Importing a trusted root certificate on Windows:

To enable SSL between IBM Lotus Sametime running on Microsoft Windows and an LDAP server, import the server’s trusted root certificate into the key database.

Before you begin
Make sure you have copied one of the following certificates from the server into the Lotus Sametime server’s data directory:
- CA.txt (the trusted root certificate)
- Server.txt (the SSL server certificate)

About this task
Follow the steps below to import the SSL certificate into the key database on the Lotus Sametime server:
1. Open a command prompt and navigate to the Sametime_install_root\IBM\gsk6\bin directory. The default installation path for Lotus Sametime is C:\Lotus\Domino.
2. Start the IKeyMan utility by running the gsk6ikm.exe program.
3. Browse to and select the key.kdb key database.
4. Enter the password required to access this file.
5. In the "Key database content" area, select Signer certificates.
6. Click the Add button.
7. In the "Add CA’s certificate from a File" dialog box, do the following:
   a. Verify that Base64-encoded ASCII data is selected as the "Data type".
   b. Browse to and select the SSL certificate you want to import.
   c. Click OK.
8. In the "Enter a Label" dialog box, do the following:

   a. Type a label for the certificate. This label identifies the certificate in the Signer Certificates list of the IBM IKeyMan program.
   b. Click OK. The new certificate’s label appears in the list of Signer Certificates.
9. Close the key database.
10. Close the IKeyMan utility.

Configuring Directory Assistance for SSL:

Modifying the IBM Lotus Domino Directory Assistance document is required when you use SSL to encrypt data transmitted between IBM Lotus Sametime and the LDAP server.

About this task
In this procedure, you modify the Directory Assistance document for the LDAP server to ensure that the connection between the Sametime server and the LDAP server is encrypted using SSL.
1. From a Lotus Notes client, open the Directory Assistance database da.nsf.
   a. Click File → Database → Open.
   b. For the Server, select Local.
   c. Select the Directory Assistance database (da.nsf).

   d. Click Open.
2. In the Directory Assistance database, double-click the Directory Assistance document for the LDAP server to open the document.
3. Click Edit Directory Assistance.
4. Click the Basics tab.
5. In the "Make this domain available to:" field, select Notes Clients & Internet Authentication/Authorization.
6. Click the LDAP tab.
7. Fill in the following fields:
Option: Channel encryption
Description: Select SSL.

Option: Port
Description: Specify the same port that appears in the LDAP SSL port field of the "LDAP Directory - Connectivity" options in the Sametime Administration Tool. This port is the one on which the LDAP server listens for SSL connections; the default is port 636.

Option: Accept expired SSL certificates
Description: Select Yes (the default setting) to accept a certificate from the LDAP directory server, even if the certificate has expired. For tighter security, select No to require the Sametime server to check certificate expiration dates. If the certificate presented by the LDAP server has expired, the connection is terminated.

Option: SSL protocol version
Description: Select the version number of the SSL protocol to use. The choices are:
- V2.0 only - This setting allows only SSL 2.0 connections.
- V3.0 handshake - This setting attempts an SSL 3.0 connection. If this connection attempt fails but Sametime detects that SSL 2.0 is available on the LDAP server, Sametime attempts the connection using SSL 2.0.
- V3.0 only - This setting allows only SSL 3.0 connections.
- V3.0 and V2.0 handshake - This setting attempts an SSL 3.0 connection, but starts with an SSL 2.0 handshake that displays relevant error messages. This setting is used to receive V2.0 error messages when trying to connect to the LDAP server. These error messages might provide information about any compatibility problems found during the connection.
- Negotiated - This setting allows SSL to determine the handshake and protocol version required.
SSL 2.0 is obsolete and has known weaknesses, so prefer "V3.0 only" and avoid the settings that fall back to SSL 2.0; use "V3.0 and V2.0 handshake" only while diagnosing a connection problem, then switch back.

Option: Verify server name with remote server’s certificate
Description: Select Enabled (the default setting) to verify the server name with the remote server’s certificate. If Enabled is selected, the Sametime server verifies the name of the LDAP server with the remote server’s certificate. If the names do not match, the connection is terminated. For more relaxed security, select Disabled (the server name is not verified with the certificate). Leave this Enabled: without the name check, any certificate issued by a trusted signer is accepted, including one issued for a different host, so anyone who can redirect the LDAP connection and holds such a certificate can read the traffic.
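To make the effect of the last two options above concrete, the following function is added here as an illustration; it is not Lotus Sametime or Domino code. It applies the "Accept expired SSL certificates" and "Verify server name with remote server’s certificate" decisions to a certificate in the dictionary layout that Python’s ssl.SSLSocket.getpeercert() returns. The certificates, host names and clock are constructed; the matching rules (expiry check, name match against DNS subject alternative names with the subject CN as fallback, a wildcard covering one label) are standard TLS practice, not a description of Domino’s implementation.

```python
"""Evaluate an LDAP server certificate under the Directory Assistance options.

Added example, not Lotus Sametime or Domino code. It models the two
per-connection decisions "Accept expired SSL certificates" and "Verify server
name with remote server's certificate". Certificates and the clock below are
constructed; the dict layout is the one ssl.SSLSocket.getpeercert() returns.
"""
import ssl
import time
from dataclasses import dataclass
from typing import Optional, Tuple


@dataclass(frozen=True)
class DirectoryAssistanceSsl:
    """The two Directory Assistance settings, with the documented defaults."""
    accept_expired: bool = True       # "Accept expired SSL certificates" = Yes
    verify_server_name: bool = True   # "Verify server name ..." = Enabled


# The tighter combination the text recommends.
STRICT = DirectoryAssistanceSsl(accept_expired=False, verify_server_name=True)


def _name_matches(cert: dict, host: str) -> bool:
    """Match host against the certificate's DNS names (subject CN only as fallback).

    A wildcard covers exactly one leftmost label: *.corp.example.com matches
    ds1.corp.example.com but not a.b.corp.example.com.
    """
    host = host.lower().rstrip(".")
    names = [v.lower() for kind, v in cert.get("subjectAltName", ()) if kind == "DNS"]
    if not names:
        names = [v.lower() for rdn in cert.get("subject", ())
                 for kind, v in rdn if kind == "commonName"]
    for name in names:
        if name.startswith("*."):
            if host.count(".") == name.count(".") and host.endswith(name[1:]):
                return True
        elif name == host:
            return True
    return False


def evaluate_ldap_certificate(cert: dict, ldap_host: str,
                              policy: DirectoryAssistanceSsl = DirectoryAssistanceSsl(),
                              now: Optional[float] = None) -> Tuple[bool, str]:
    """Return (accepted, reason); False means the connection is terminated."""
    now = time.time() if now is None else now
    not_after = ssl.cert_time_to_seconds(cert["notAfter"])  # e.g. 'Jan  1 00:00:00 2030 GMT'
    if not_after < now and not policy.accept_expired:
        return False, f"certificate expired on {cert['notAfter']}"
    if policy.verify_server_name and not _name_matches(cert, ldap_host):
        return False, f"certificate is not issued for {ldap_host}"
    if not_after < now:
        return True, "accepted although expired (Accept expired SSL certificates = Yes)"
    return True, "ok"


# Constructed certificates and a fixed clock (mid-2025) so results are stable.
NOW = 1_750_000_000.0

VALID_CERT = {
    "subject": ((("commonName", "ldap.example.com"),),),
    "subjectAltName": (("DNS", "ldap.example.com"), ("DNS", "*.corp.example.com")),
    "notBefore": "Jan  1 00:00:00 2024 GMT",
    "notAfter": "Jan  1 00:00:00 2030 GMT",
}
EXPIRED_CERT = dict(VALID_CERT, notAfter="Jan  1 00:00:00 2025 GMT")

if __name__ == "__main__":
    cases = [("valid", VALID_CERT, "ldap.example.com"),
             ("expired", EXPIRED_CERT, "ldap.example.com"),
             ("wrong host", VALID_CERT, "directory.example.com")]
    for label, cert, host in cases:
        print(f"{label:10} default: {evaluate_ldap_certificate(cert, host, now=NOW)}")
        print(f"{label:10} strict:  {evaluate_ldap_certificate(cert, host, STRICT, now=NOW)}")
```

With the defaults an expired certificate is still accepted and only the host name is checked; with STRICT both conditions must hold. The name check is what stops a valid-but-wrong certificate from being accepted on a redirected connection.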

8. Click Save and Close to close the Directory Assistance document.
9. Close the Directory Assistance database.

Connecting Lotus Sametime to the LDAP server:

Enable SSL encryption for connections between IBM Lotus Sametime and the LDAP server.
1. Configure LDAP connectivity settings in the Sametime Administration Tool as follows:
   a. From the Lotus Sametime server’s home page, click the Administer the Server link to open the Sametime Administration Tool.
   b. Click LDAP Directory → Connectivity.
   c. In the "Host name or IP address of the LDAP server" list, select the name of the LDAP server.
   d. Click the option called "Use SSL to authenticate and encrypt the connection between the Sametime server and the LDAP server".
   e. In the LDAP SSL port field, specify the port on which the LDAP server is listening for SSL LDAP connections (the default is port 636).
   f. Click Update.
   g. Close the Sametime Administration Tool.
   At this point, you have enabled SSL encryption for all data that is transmitted between the Lotus Sametime server and the LDAP server.
2. (Optional) To improve performance, you may choose to loosen security and encrypt only user credentials as follows. With this setting everything other than the user credentials, such as directory searches and their results, travels unencrypted.
   a. Open the sametime.ini file (located in the Lotus Sametime installation directory).
   b. Locate the [Directory] section within the file.
   c. Add the following setting:
ST_DB_LDAP_SSL_ONLY_FOR_PASSWORDS=1

   d. Save and close the file.
3. Restart the Lotus Sametime server.

Encrypting the UserInfo servlet:

If your IBM Lotus Sametime deployment uses SSL encryption when communicating with the LDAP server, you can additionally choose to encrypt the UserInfo servlet.

About this task
This configuration is necessary to enable the Business Card feature when you have chosen to encrypt all data transmitted between the Lotus Sametime server and the LDAP server, where the Business Card data is stored.
1. Open a command prompt and navigate to the following directory:
   - IBM AIX, IBM i, Linux, Solaris: the Lotus Sametime server’s data directory
   - Windows: the Lotus Sametime server’s installation directory
2. Open the UserInfoConfig.xml file in an editor and make the following changes:
   a. Locate the <ReadStConfigUpdates> tag and set it to value="false". The statement should look like this:
<ReadStConfigUpdates value="false"/>

If this statement is not in the file, add it now; place it between the <UserInformation> and <Resources> tags so that it looks like this:
<UserInformation>
  <ReadStConfigUpdates value="false"/>
  <Resources>

b. Locate the <StorageDetails> tag and set the following values:
SslEnabled="true" SslPort="636"

   Use the value of the port that your LDAP server listens on for SSL communications (the default is port 636).
   c. In the <SslProperties> tag, set the following values:
KeyStorePath="C:\Lotus\Domino\jvm\bin\key.jks_OR_stkeys.jks"
KeyStorePassword="password"

Where:
- KeyStorePath indicates the path to where the keystore database is stored. On Windows and IBM i, the file is named stkeys.jks; on AIX, Linux, and Solaris, the file is named keys.jks.
- KeyStorePassword indicates the password you created for accessing the keystore database. The password is stored in clear text in UserInfoConfig.xml, so restrict read access to the file to the account that runs the Sametime server.
3. Save and close the file.
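As an added example (not Lotus Sametime code), the following script makes the three edits above to UserInfoConfig.xml and handles the case the procedure mentions, a missing <ReadStConfigUpdates> element, by inserting it directly before <Resources>. The sample documents are constructed and contain only the elements the procedure names; the real file has more, which ElementTree carries through unchanged. The keystore path and password values are placeholders.

```python
"""Apply the UserInfo servlet SSL settings to UserInfoConfig.xml.

Added example, not Lotus Sametime code. Performs the three edits the
procedure lists (ReadStConfigUpdates, StorageDetails, SslProperties) and
inserts <ReadStConfigUpdates> before <Resources> when it is absent. The
sample documents are constructed and only contain the elements the
procedure names.
"""
import xml.etree.ElementTree as ET
from typing import Dict


def enable_userinfo_ssl(xml_text: str, keystore_path: str,
                        keystore_password: str, ssl_port: int = 636) -> str:
    """Return the UserInfoConfig.xml content with SSL enabled for LDAP access."""
    root = ET.fromstring(xml_text)
    if root.tag != "UserInformation":
        raise ValueError(f"unexpected root element <{root.tag}>")

    # a. <ReadStConfigUpdates value="false"/>; add it before <Resources> if missing.
    flag = root.find("ReadStConfigUpdates")
    if flag is None:
        flag = ET.Element("ReadStConfigUpdates")
        resources = root.find("Resources")
        index = list(root).index(resources) if resources is not None else 0
        root.insert(index, flag)
    flag.set("value", "false")

    # b. <StorageDetails SslEnabled="true" SslPort="636" .../>
    storage = root.findall(".//StorageDetails")
    if not storage:
        raise ValueError("no <StorageDetails> element found")
    for element in storage:
        element.set("SslEnabled", "true")
        element.set("SslPort", str(ssl_port))

    # c. <SslProperties KeyStorePath="..." KeyStorePassword="..."/>
    ssl_props = root.findall(".//SslProperties")
    if not ssl_props:
        raise ValueError("no <SslProperties> element to hold the keystore settings")
    for element in ssl_props:
        element.set("KeyStorePath", keystore_path)
        element.set("KeyStorePassword", keystore_password)

    return ET.tostring(root, encoding="unicode")


def inspect_userinfo(xml_text: str) -> Dict[str, str]:
    """Summarise the settings this procedure touches, for verification."""
    root = ET.fromstring(xml_text)
    flag = root.find("ReadStConfigUpdates")
    storage = root.find(".//StorageDetails")
    ssl_props = root.find(".//SslProperties")
    get = lambda el, attr: el.get(attr, "") if el is not None else ""
    return {
        "first_child": root[0].tag if len(root) else "",
        "ReadStConfigUpdates": get(flag, "value"),
        "SslEnabled": get(storage, "SslEnabled"),
        "SslPort": get(storage, "SslPort"),
        "KeyStorePath": get(ssl_props, "KeyStorePath"),
        "KeyStorePassword": get(ssl_props, "KeyStorePassword"),
    }


# Constructed sample: the flag is missing, so the edit must add it.
SAMPLE_WITHOUT_FLAG = """\
<UserInformation>
  <Resources>
    <Storage type="LDAP">
      <StorageDetails HostName="ldap.example.com" Port="389" SslEnabled="false" SslPort="636"/>
      <SslProperties KeyStorePath="" KeyStorePassword=""/>
    </Storage>
  </Resources>
</UserInformation>
"""

# Constructed sample: the flag exists but is set to true.
SAMPLE_WITH_FLAG = SAMPLE_WITHOUT_FLAG.replace(
    "<UserInformation>\n",
    '<UserInformation>\n  <ReadStConfigUpdates value="true"/>\n', 1)

if __name__ == "__main__":
    print(enable_userinfo_ssl(SAMPLE_WITHOUT_FLAG, "/local/notes/data/keys.jks", "changeit"))
```

Because the password ends up in the file in clear text, write the result with restrictive permissions rather than leaving it world-readable.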

Authentication by token using LTPA and Sametime tokens
Lotus Sametime uses authentication by token to authenticate connections that occur after a user has authenticated to Domino once using password authentication. Authentication by token prevents a user from having to re-enter authentication credentials when accessing different servers or using Lotus Sametime Web clients or Domino applications that connect to a Lotus Sametime server.
The Lotus Sametime server includes two separate security features capable of generating the authentication token used by Sametime:
- Domino Single Sign-On (SSO) authentication feature - The Domino SSO feature must be enabled on a Lotus Sametime server. If the Domino SSO feature is not enabled on the Domino server when you install Lotus Sametime, the Lotus Sametime installation automatically enables and configures the Domino SSO feature. In some environments, you might need to
alter the default SSO configuration provided by the Lotus Sametime installation. For more information, see Altering the Domino Web SSO configuration following the Sametime server installation.
  The user must enter the fully qualified domain name of the Lotus Sametime server (for example, sametimeserver.meetings.acme.com) in the Web browser URL locator when accessing the Lotus Sametime server to authenticate successfully using SSO.
  If your Lotus Sametime environment includes only Lotus Sametime 3.0 (or higher) servers, and you do not use Sametime TeamRoom or Discussion databases that were available with earlier Lotus Sametime server releases, only the Domino SSO feature is required to support authentication by token. If your Lotus Sametime environment includes Lotus Sametime 3.0 (or higher) servers that interoperate with Lotus Sametime servers from releases earlier than Lotus Sametime 3.0, both the Domino SSO feature and the Secrets and Tokens databases must be supported on the Lotus Sametime server to enforce authentication by token.
  Lotus Sametime includes a custom logon form for the SSO feature. This custom logon form can be used in place of the default SSO logon form. The custom logon form is presented to the user the first time the user accesses a database on the server that requires basic password authentication.
  Note: Notes client integration with Lotus Sametime (and therefore SSO with Lotus Sametime) is not supported if the Lotus Sametime server is configured to use Internet sites, as the Notes client protocol (NRPC) for obtaining an SSO token does not work in concert with the use of Internet Sites. For more information on how to configure SSO with a Web Configuration document, see the topic "Altering the Domino Web SSO configuration" later in this chapter.
- Secrets and Tokens authentication databases - Lotus Sametime server releases earlier than Lotus Sametime 3.0 used only the Secrets and Tokens authentication databases to create authentication tokens.
  When Lotus Sametime 8.x operates in environments that include servers from Lotus Sametime releases earlier than Lotus Sametime 3.0, the Lotus Sametime 8.x server supports both the Domino SSO feature and the Secrets and Tokens authentication databases. A Lotus Sametime 8.x server supports Secrets and Tokens authentication by default. The following are required to support Secrets and Tokens authentication:
  - The Secrets and Tokens databases must be present on the server following a Lotus Sametime server installation.
  - The "Allow users to authenticate using either LTPA token or Sametime Token (stauths.nsf and stautht.nsf)" option must be selected in the Configuration - Community Services - General settings of the Sametime Administration Tool.
  Both conditions above exist on a Lotus Sametime server following the server installation, so no additional procedures are required to support Secrets and Tokens authentication following the installation. However, if you have enhanced security by enabling the SametimeSecretsGenerator agent in one Secrets database on one Lotus Sametime server in your community, you must ensure that this Secrets database is replicated to all Lotus Sametime servers in the community. For more information, see Replicating the Secrets database (optional).

Authentication by token using the Domino Single Sign-On (SSO) feature:

The Domino Single Sign-On (SSO) feature must be enabled on the Sametime server. This feature creates Lightweight Third Party Authentication (LTPA) tokens
that enable Web browser users to log in a single time to access multiple Sametime, Domino, or IBM WebSphere servers that are in the same DNS domain. This capability is called "single sign-on."
Lotus Sametime also uses LTPA tokens to authenticate connections from Sametime clients to the Community Services, Meeting Services, and Recorded Meeting Broadcast Services on the Sametime server. These clients are Java applets and include the Meeting Room client and the Recorded Meeting client.
Lotus Sametime supports two versions of LTPA tokens: LTPAv1 and LTPAv2. Lotus Sametime allows authenticating by a single LTPA token or by a list of LTPA tokens. For example, a client can send an LTPAv1 token and an LTPAv2 token in the same authentication request to authenticate a user. The Domino configuration determines which token is validated. The LTPA token types supported by Domino are configured in the Web SSO document in names.nsf. When using a Domino SSO key, only LTPAv1 tokens are supported. When importing a WebSphere LTPA key, both LTPAv1 and LTPAv2 tokens are supported by Domino. The supported formats are defined in the Token Format field under the WebSphere Information section of the Web SSO document. Lotus Sametime can generate a single LTPA token or a list of LTPA tokens depending on the SSO key that is configured in Domino and, in the case of WebSphere LTPA keys, the Token Format field.
Note: Sametime also requires users to present an authentication token when attending an instant meeting. Client applications generate this token from the user’s home Sametime server. Users with Sametime 2.5 (or earlier) home Sametime servers will present Sametime tokens (generated from the Secrets and Tokens databases) when connecting to instant meetings started on a Sametime 8.x server. For this reason, Sametime 8.x servers operating in Sametime environments that include Sametime servers from previous releases must also support the Secrets and Tokens databases for authentication by token.
Authentication by LTPA token occurs after a user has already authenticated once using password authentication. For example, authentication by token on a Sametime server might occur as follows:
1. A user accesses a Sametime Meeting Center database that requires authentication or clicks the "Log onto Sametime" link in the Sametime Meeting Center.
   Note: To successfully authenticate, the user must enter the fully qualified domain name of the Sametime server (for example, sametimeserver.meeting.acme.com) in the Web browser URL locator when accessing the Sametime server.
2. An SSO logon form appears, and the user enters a valid user name and password from the Domino Directory (or LDAP directory) to authenticate.
   Note: Sametime provides a custom Sametime SSO logon form that can be enabled by the administrator. If the custom logon form is not enabled, the standard Domino SSO logon form displays to the user.
3. After a successful authentication, the Domino Single Sign-On (SSO) feature generates an LTPA token containing the user’s authentication information and passes the token to the user’s Web browser in a cookie. The user’s Web browser must have cookies enabled to accept the LTPA token.

4. The user attends a meeting, and the Meeting Room client loads in the user’s Web browser.
5. The Meeting Room client connects to the Meeting Services and Community Services and passes the LTPA token to Sametime. The Meeting Services and Community Services connections are authenticated using the LTPA token. The user is not required to re-enter authentication credentials to authenticate these connections.
The same LTPA token described above can be used to authenticate the user when the user accesses other Sametime, Domino, or WebSphere servers in the same DNS domain during a single Web browser session. The other Sametime, Domino, or WebSphere servers must also support the SSO feature (that is, the servers must accept LTPA tokens).
If the Domino SSO feature is not enabled when you install Sametime, the Sametime installation automatically enables and configures the Domino SSO feature. In some environments, it may be necessary to alter the SSO configuration following the Sametime server installation. For more information, see Altering the Domino Web SSO configuration following the Sametime server installation.

Related concepts
Authentication by token using Secrets and Tokens databases
To authenticate by token, the Sametime server can accept an authentication token created by the Secrets and Tokens authentication databases, the Domino Single Sign-On (SSO) feature, or both. The Sametime server can also generate tokens using the Secrets and Tokens authentication databases or the Domino SSO feature.

Altering the Domino Web SSO configuration following the Lotus Sametime server installation:

The IBM Lotus Sametime installation automatically enables and configures the Domino SSO feature on the Domino server. In some cases, it may be necessary to alter the default configuration of the Domino SSO feature following the Lotus Sametime server installation.
This topic discusses the following issues pertaining to the Lotus Sametime installation and the Domino SSO feature:

• SSO configurations performed by the Lotus Sametime installation - This section explains how the Lotus Sametime installation configures the Domino Web SSO feature. You can use this information to determine whether it is necessary to alter the default SSO configuration following a Lotus Sametime server installation.
• Altering the SSO configuration - This section explains the most common reasons for altering the SSO configuration following the Lotus Sametime server installation. In multiple Lotus Sametime server environments, it is frequently necessary to add the Domino server names of Lotus Sametime servers to the Domino Web SSO Configuration document.
• Viewing and editing the Domino Web SSO Configuration document - This section explains how to edit the Domino Web SSO Configuration document in the Domino Directory. This document contains the parameters for the Web SSO configuration that you may need to change.
• Lotus Sametime includes a custom SSO logon form. See Using the Lotus Sametime custom logon form for SSO for information about enabling this form following the Lotus Sametime server installation.


Lotus Sametime: Installation and Administration Guide Part 2

Note: If for some reason it is necessary to manually enable the Domino SSO feature, you can use the procedures described in Manually enabling the Domino SSO feature. You can also review those procedures to understand all configurations that are required to support SSO for the Lotus Sametime server.

SSO configurations performed by the Lotus Sametime installation

The Lotus Sametime installation enables the Domino SSO feature and performs the SSO configurations described below. The Lotus Sametime installation:

• Generates a Domino SSO key for a token named LtpaToken. This token (or cookie) is used to authenticate Web browser and Lotus Sametime client connections to the Lotus Sametime server.
• Creates a Web SSO Configuration document and populates the following fields in the Web SSO Configuration document:
  – DNS Domain - To populate the DNS Domain field, the installation determines the fully qualified domain name of the Lotus Sametime server machine and then subtracts the host name from the fully qualified domain name. For example, if the installation determines that the fully qualified name of the Lotus Sametime server is "Sametimeserver.east.acme.com," the installation writes ".east.acme.com" in the DNS Domain field. The LTPA token is then valid for the servers that belong to the DNS domain specified in the DNS Domain field.
  – Expiration (minutes) - This field specifies the length of time for which the LTPA token is valid. This value is 30 minutes by default. You may want to provide a longer value for the token expiration; Lotus software recommends a setting of 120 minutes. Because the token is valid for this many minutes from the time of issue regardless of activity, a longer value also lengthens the window in which an intercepted token can be replayed.
  – Domino Server Names - Each Domino/Sametime server that can accept the SSO token must be listed in the Domino Server Names field. By default, the installation writes only the name of the Domino server on which Lotus Sametime is installed in this field. It may be necessary to add the names of all other Domino/Sametime servers in the community to this field. For more information, see Altering the SSO configuration.
• Alters the Sametime/Domino server's Server document. The installation changes the Internet Protocols - Domino Web Engine - Session authentication field in the Server document to the value "Multiple servers (SSO)." The field must have the "Multiple servers (SSO)" value even if your Lotus Sametime community uses only one Lotus Sametime server. If the "Multiple servers (SSO)" value is not selected, the SSO feature will not function properly for Lotus Sametime.
• Automatically configures the Lotus Sametime server to use the Lotus Sametime custom logon form for SSO. To enable the custom logon form, the Sametime installation:
  – Creates a Domino Configuration database named domcfg.nsf in the root data directory of the Domino server.
  Note: If a domcfg.nsf database already exists on the Domino server when Lotus Sametime is installed, the Lotus Sametime installation overwrites the existing domcfg.nsf database.
  – Creates a "Mapping a Login Form" document in the domcfg.nsf database.
  – Populates the following fields in the Mapping a Login Form document:
    Target database filename - This field is set to the value "stcenter.nsf."
    Target form name - This field is set to STLogonForm.


The configurations described above ensure that the custom logon form named STLogonForm (a form in stcenter.nsf) displays to users when users authenticate with the server.

Altering the SSO configuration

The default configuration outlined above meets the basic requirements necessary for a Lotus Sametime server to support SSO. In some cases, it may be necessary for the administrator to alter the "DNS Domain" field or the "Domino Server Names" field of the Domino Web SSO Configuration document following the Lotus Sametime server installation.

• Altering the DNS Domain field - The Lotus Sametime installation may not always accurately detect the fully qualified domain name of the Lotus Sametime server machine. If this problem occurs, the DNS Domain field may not specify the appropriate DNS domain, and browsers will not present the LtpaToken cookie to the server. The administrator might need to manually edit the Domino Web SSO Configuration document to add the appropriate entry in the DNS Domain field. Follow the instructions in "Viewing and editing the Domino Web SSO Configuration document" below to manually edit the document.
• Altering the Domino Server Names field - If the Lotus Sametime community consists of multiple Sametime/Domino servers, the Domino server names of all of the Sametime/Domino servers in the Lotus Sametime community must exist in the "Domino Server Names" field of the Domino Web SSO Configuration document. By default, the installation writes only the name of the Domino server on which Lotus Sametime is installed to this field. If you have multiple Lotus Sametime servers, it may be necessary to manually open the Domino Web SSO Configuration document and enter the names of the Domino/Sametime servers in the "Domino Server Names" field.
For example, if you have Sametimeserver1/East/Acme and Sametimeserver2/East/Acme in your Sametime community, and you install Sametimeserver3/East/Acme, only Sametimeserver3/East/Acme is written to the Domino Server Names field during the Lotus Sametime installation. The administrator may need to open the Domino Web SSO Configuration document on Sametimeserver3/East/Acme and manually enter the names Sametimeserver1/East/Acme and Sametimeserver2/East/Acme in the "Domino Server Names" field to ensure that all servers in the community are entered in this field. To manually open the Domino Web SSO Configuration document, see "Viewing and editing the Domino Web SSO Configuration document" below.

Note that in multiple server environments, the Domino Directory may already be replicated to the Domino server at the time the Lotus Sametime server is installed. If the Domino Directory already exists on the server and contains a Domino Web SSO Configuration document, the Lotus Sametime installation will not alter the existing configuration in any way. In this case, the existing Domino Web SSO Configuration document may already contain the names of the existing servers in the community, and it may be necessary to add the name of the newly installed Lotus Sametime server to the document. For example, the names Sametimeserver1/East/Acme and Sametimeserver2/East/Acme may already exist in the Domino Web SSO Configuration document in the Domino Directory on the server reserved for the Sametimeserver3/East/Acme installation. Because the Sametimeserver3/East/Acme installation does not alter an existing SSO configuration, that server name will not appear in the Domino Web SSO Configuration document following the Lotus Sametime server installation. In this scenario, it is necessary to open the Domino Web SSO Configuration document in the Domino Directory on Sametimeserver3/East/Acme and manually enter "Sametimeserver3/East/Acme" in the "Domino Server Names" field. All other parameters in the existing Web SSO Configuration document should be valid for the newly added server. A server that is not listed in this field cannot decrypt the document and reverts to single-server session authentication when its HTTP task starts (see Start (or restart) the HTTP task on the SSO-enabled server).

Altering the SSO key

By default the Lotus Sametime installation creates a Domino SSO key. If WebSphere is participating in SSO, this key should be replaced by the WebSphere LTPA key so that both Domino and WebSphere use an identical key for token validation and generation. Do this by importing the LTPA key from WebSphere to Domino. For more information, see "Setting up SSO between Sametime Meeting Server and Sametime Community Server."

Viewing and editing the Domino Web SSO Configuration document

To view or edit the Web SSO Configuration document that is created by the Lotus Sametime installation, do the following:

1. From a Lotus Notes client, open the Domino Directory on the Lotus Sametime server.
2. Choose the Configuration → Web → Web Configurations view.
3. In the right-hand pane, select the twistie to display the document under "Web SSO Configurations."
4. Double-click the document titled Web SSO Configuration for LtpaToken to open the Domino Web SSO Configuration document.
5. Click Edit to put the document in edit mode.
6. Edit the appropriate field (for example, the DNS Domain or Domino Server Names field).
7. Click Save and Close after editing the document.

Setting up SSO between Sametime Meeting Server and Sametime Community Server:

You should set up single sign-on (SSO) between the IBM Lotus Sametime Meeting Server and the Lotus Sametime Community Server. The Lotus Sametime Proxy Server does not need to be set up for SSO with the other two servers.

Before you begin

Make sure both servers use the same LDAP directory.

About this task

By default the Lotus Sametime installation creates a Domino SSO key. This key should be replaced by the WebSphere LTPA key from the Lotus Sametime Meeting Server so that both Domino and WebSphere use an identical key for token validation and generation. Follow these steps to export the LTPA key from WebSphere and import it into Domino.

1. Log in to the Integrated Solutions Console for the Lotus Sametime Meeting Server.
2. Click Security → Global Security.
3. Under Authentication, click LTPA.
4. Under Cross Cell single sign-on, enter a Password, Confirm Password, and a file name to store the key. Click Export keys. The file created will be imported into the Lotus Domino server for the Lotus Sametime Community Server. Protect this file and its password: anyone holding the key can create tokens that every server in the SSO domain accepts.
5. Click Security → Global Security → Web and SIP security → Single Sign-on (SSO).
6. Make sure that the Domain name matches the Lotus Sametime Community Server domain, and verify that Interoperability Mode is selected.
Note: If you choose LtpaToken2 - LTPAv2 only in step 15 below, then Interoperability Mode should not be selected.
7. Open the names.nsf file on the Domino server for the Lotus Sametime Community Server.
8. Click Configuration → Web → Web Configurations view.
9. Open the Web SSO Configuration for LtpaToken document.
10. Click Edit SSO Configuration.
11. Click Keys → Import WebSphere LTPA keys.
12. Type in the exact file location of the key file you created on the Lotus Sametime Meeting Server in step 4.
13. Enter the password you created when you exported the keys.
14. Click OK. The message "Successfully imported WebSphere LTPA keys" appears after the key has been imported.
15. For Domino 8.0 and higher, in the Token Format field of the WebSphere Information section, select the LTPA token formats to be supported by Domino:
Note: Lotus Sametime 8.5 requires Lotus Domino 8.0 and higher; if you are maintaining an older Lotus Sametime server it may be running a version of Lotus Domino prior to R8.
• LtpaToken - LTPAv1 only
• LtpaToken2 - LTPAv2 only
• LtpaToken and LtpaToken2 - both LTPAv1 and LTPAv2 formats are supported
With this last option selected, both tokens are created, but the token returned to the client is determined by the TOKEN_TYPE_TO_RETURN flag under the AuthToken section of sametime.ini. The default value is LTPA, which returns the LTPAv1 token. Changing the value to LTPA2 results in the LTPAv2 token being returned instead.
16. Click Save and Close.
17. Configure the Lotus Sametime Community Server so that LtpaToken gets set by the Sametime Proxy web client instead of the Sametime token:
a. Log in to the Lotus Sametime System Console as the Sametime administrator.
b. Click Sametime Servers → Sametime Community Servers.
c. In the list of Community Servers, click the name of a Sametime Community Server to open its Configuration page.
d. Click the Community Services tab.
e. Under the "General" section, select the authentication type that users can use while logging into the community server: LTPA only.
18. Restart the Lotus Domino server to put your changes into effect.

Setting up SSO between Sametime Unified Telephony and Sametime Community Server:


If you plan to enable the Click to Call feature, set up single sign-on (SSO) between IBM Lotus Sametime Unified Telephony and the Lotus Sametime Community Server. The Lotus Sametime Proxy Server does not need to be enabled for SSO with these two servers.

Before you begin

Make sure both servers use the same LDAP directory.

About this task

By default the Lotus Sametime installation creates a Domino SSO key. This key should be replaced by the WebSphere LTPA key from the Lotus Sametime Unified Telephony deployment's Telephony Application Server so that both Domino and WebSphere use an identical key for token validation and generation. Follow these steps to export the LTPA key from WebSphere and import it into Domino.

1. On the Telephony Application Server, log in to the Integrated Solutions Console as the WebSphere administrator.
2. Click Security → Secure administration, applications, and infrastructure.
3. Under Authentication, click Authentication mechanisms and expiration.
4. Under "Cross Cell single sign-on", enter a Password, Confirm Password, and type a file name to store the key; then click Export keys. The file created will be imported into the Lotus Domino server for the Lotus Sametime Community Server. Protect this file and its password: anyone holding the key can create tokens that every server in the SSO domain accepts.
5. Click Web security → Single Sign-on (SSO).
6. Make sure that the Domain name matches the Lotus Sametime Community Server domain, and verify that Interoperability Mode is selected.
Note: If you choose LtpaToken2 - LTPAv2 only in step 15 below, then Interoperability Mode should not be selected.
7. Open the names.nsf file on the Domino server for the Lotus Sametime Community Server.
8. Click Configuration → Web → Web Configurations view.
9. Open the Web SSO Configuration for LtpaToken document.
10. Click Edit SSO Configuration.
11. Click Keys → Import WebSphere LTPA keys.
12. Type in the exact file location of the key file you created on the Telephony Application Server in step 4.
13. Enter the password you created when you exported the keys.
14. Click OK. The message "Successfully imported WebSphere LTPA keys" appears after the key has been imported.
15. For Domino 8.0 and higher, in the Token Format field of the WebSphere Information section, select the LTPA token formats to be supported by Domino:
Note: Lotus Sametime 8.5 requires Lotus Domino 8.0 and higher; if you are maintaining an older Lotus Sametime server it may be running a version of Lotus Domino prior to R8.
• LtpaToken - LTPAv1 only
• LtpaToken2 - LTPAv2 only
• LtpaToken and LtpaToken2 - both LTPAv1 and LTPAv2 formats are supported
With this last option selected, both tokens are created, but the token returned to the client is determined by the TOKEN_TYPE_TO_RETURN flag under the AuthToken section of sametime.ini. The default value is LTPA, which returns the LTPAv1 token. Changing the value to LTPA2 results in the LTPAv2 token being returned instead.
16. Click Save and Close.
17. Configure the Lotus Sametime Community Server so that LtpaToken gets set by the Sametime Proxy web client instead of the Sametime token:
a. Open a Web browser and navigate to http://your_st_server/stcenter.nsf.
b. Click Administer the server on the page and log in using your Sametime administrator account.
c. Click Configuration → Community Services.
d. Click the Community Services tab.
e. Under "General", deselect the following option: Allow users to authenticate using either LTPA or Sametime Token (stauths.nsf and stautht.nsf). If this option is not selected, users authenticate using the LTPA token only.
18. Restart the Lotus Domino server to put your changes into effect.

Configuring the Sametime Connect client for token login:

Single sign-on for HTTP requests using the Simple and Protected GSS-API Negotiation Mechanism (SPNEGO) trust association interceptor (TAI) for WebSphere Application Server allows IBM Lotus Sametime users to log in and authenticate only once at their desktop and receive automatic authentication from the WebSphere Application Server.

About this task

The Lotus Sametime Connect client must be configured to use the SPNEGO SSO feature. Configuration can be established in a silent installation or done manually by the user.

Silent installation

The settings for token-based login can be pre-configured using the silent installer. In the silentinstall.ini file found on the Lotus Sametime Connect compact disk, include the following settings:

• STAUTHSERVERURL=<WebSphere Authentication URL>
• STLOGINBYTOKEN=true
• STUSEAUTHSERVER=true

Manual configuration

To configure the Sametime Connect client manually for SPNEGO single sign-on, follow these steps:

1. In the Log in to Sametime dialog box, enter your fully qualified host server name and your user name.


2. Click Connectivity.
3. Select the Use token based single sign on box.
4. Enter the URL for your authentication server in the Authentication server URL box. For example, http://authenserverurl.com.
5. Click OK.
6. In the Log in to Sametime dialog box, click Log In.

Manually enabling the Domino SSO feature:

If your environment requires you to manually enable the Domino SSO feature instead of using the default configuration provided by the IBM Lotus Sametime installation, you can use the steps in this section to manually enable the Domino SSO feature.

About this task

This procedure is identical to the procedure used to enable the SSO feature on a Domino server. After manually enabling the feature, you can configure the server to use the Lotus Sametime custom SSO logon form. Generally, the Domino SSO feature is enabled by default during the Lotus Sametime installation and it is not necessary to manually enable the feature. For more information, see Altering the Domino Web SSO configuration following the Sametime server installation.

To enable the Domino SSO feature on the Lotus Sametime server, complete the three procedures that follow:
1. Create the Web SSO Configuration document in the Domino Directory.
2. Enable SSO and "Name & Password" authentication in the Server document.
3. Start (or restart) the HTTP task on the SSO-enabled server.

What to do next

After enabling the Domino SSO feature, follow the procedure described in Using the custom Sametime SSO logon page to use the custom Lotus Sametime SSO logon form.

Create the Web SSO Configuration document in the Domino Directory:

Create a Web SSO Configuration document that specifies the servers participating in the shared authentication, the time-out value for the cookie containing the LTPA access token, and the encrypted secret used to create the cookie.

About this task

Note: The "Organization" field of the Web SSO Configuration document should be empty; otherwise, the LTPA token will not work with Sametime.

1. Using a Lotus Notes client, open the Domino Directory on the Sametime server.
2. Select Configuration → Servers → All Server Documents.
3. Select the Web button on the taskbar.
4. Select Create Web SSO Configuration.
5. In the document, select the Keys pull-down menu button.
6. Select Create Domino SSO Key.
Note: The Import WebSphere LTPA Keys option is used instead when a WebSphere server must share SSO with the Domino server. To enable a WebSphere server to communicate with a Domino server, you must export the LTPA keys from the WebSphere server and import the LTPA keys to the Domino server. See the WebSphere Information Center documentation for details.
7. Configure the Token Expiration field. Note that a token does not expire based on inactivity; it is valid only for the number of minutes specified from the time of issue. The token is also valid only for a single browser session. Lotus software recommends an expiration value of 120 minutes.
Note: Generally, the expiration value should reflect the average length of a Sametime meeting in your environment. Setting a high value may create a security risk: if the LTPA token is intercepted by an attacker, the attacker can use the token to gain access to the Sametime server, and to any other server in the SSO domain that accepts it, until the token expires. Setting up the Domino server to support SSL for Web browser connections provides the highest level of protection against attempts to intercept LTPA tokens.
8. In the DNS Domain field, enter the DNS domain (for example, lotus.com or meetings.acme.com) for which the tokens will be generated. The servers enabled for SSO must all belong to the same DNS domain. This field is required. When users access the Sametime server, they must enter the fully qualified domain name of the Sametime server for authentication to be successful (for example, sametimeserver.meetings.acme.com).
9. In the Server Names field, enter the servers that will be participating in SSO. Generally, this field should contain the Domino hierarchical names of all Sametime servers in your environment. You can browse and select the server names from the Domino Directory.
Note: Groups and wildcards are not allowed in the field.
10. Select Save & Close to save the Web SSO Configuration document. The document will appear in the Web Configurations view. This document will be encrypted for the creator of the document, the members of the Owners and Administrators fields, and the servers specified in the Server Names field.
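The rules stated in the procedure above and in "SSO configurations performed by the Lotus Sametime installation" (how the installer derives DNS Domain from the server's fully qualified name, why browsers must use that name, that every community server must appear in Server Names, that Organization must stay empty, that Session authentication must be "Multiple servers (SSO)", and that expiration runs from the time of issue rather than from the last activity) can be checked before HTTP is restarted. The following Python is an added example written for this edit; it is not IBM code and not a Domino API. The WebSSOConfig class, its field names, the sample server names, and the host names used in the scenario are this example's own assumptions.

```python
"""Sanity checks for a Domino Web SSO Configuration document used by Sametime.

Added example for this edit, not IBM code and not a Domino API: it models the
document fields described in the guide (DNS Domain, Expiration, Server Names,
Organization) plus the Server document's Session authentication value, and
encodes the rules the text states. The WebSSOConfig class, its field names,
and the sample server names are this example's own assumptions.
"""
from dataclasses import dataclass
from datetime import datetime, timedelta
from typing import List

MULTIPLE_SERVERS_SSO = "Multiple servers (SSO)"   # required Session authentication value
RECOMMENDED_EXPIRATION = 120                      # minutes, per the guide


def derive_dns_domain(fqdn: str) -> str:
    """Installer rule: drop the host label from the server's FQDN and keep the
    leading dot, e.g. 'Sametimeserver.east.acme.com' -> '.east.acme.com'."""
    labels = fqdn.strip().lower().split(".")
    if len(labels) < 3 or not all(labels):
        # a bare host name or malformed name: this is the case where the
        # installer mis-detects the domain and the field must be fixed by hand
        raise ValueError(f"cannot derive a DNS domain from {fqdn!r}")
    return "." + ".".join(labels[1:])


def browser_sends_token(url_host: str, dns_domain: str) -> bool:
    """The LtpaToken cookie is scoped to dns_domain, so the browser presents it
    only when the URL host ends in that domain (on a label boundary). A short
    host name such as 'sametimeserver' or an IP address never matches, which
    is why users must type the fully qualified name."""
    dom = dns_domain.lower()
    if not dom.startswith("."):
        dom = "." + dom
    return url_host.lower().endswith(dom)


@dataclass
class WebSSOConfig:
    dns_domain: str
    expiration_minutes: int
    server_names: List[str]              # Domino hierarchical names, no groups or wildcards
    organization: str = ""               # must stay empty for Sametime
    session_authentication: str = MULTIPLE_SERVERS_SSO


def check_config(cfg: WebSSOConfig, community_servers: List[str]) -> List[str]:
    """Return the problems a Sametime administrator should fix; [] means OK."""
    problems = []
    missing = sorted(set(community_servers) - set(cfg.server_names))
    if missing:
        problems.append("Domino Server Names is missing: " + ", ".join(missing))
    for name in cfg.server_names:
        if "*" in name:
            problems.append(f"wildcards are not allowed in Server Names: {name}")
    if cfg.organization:
        problems.append("Organization must be empty or the LTPA token will not work with Sametime")
    if cfg.session_authentication != MULTIPLE_SERVERS_SSO:
        problems.append(f"Session authentication must be {MULTIPLE_SERVERS_SSO!r}, even with one server")
    if cfg.expiration_minutes > RECOMMENDED_EXPIRATION:
        problems.append(f"Expiration {cfg.expiration_minutes} min exceeds the recommended "
                        f"{RECOMMENDED_EXPIRATION}; an intercepted token stays usable that long")
    return problems


def token_valid(issued: datetime, now: datetime, expiration_minutes: int) -> bool:
    """Validity runs from the time of issue; user activity does not extend it."""
    return now < issued + timedelta(minutes=expiration_minutes)


if __name__ == "__main__":
    # Scenario from the text: Sametimeserver3 installed into a community that
    # already has Sametimeserver1 and Sametimeserver2 (names are the guide's example names).
    cfg = WebSSOConfig(
        dns_domain=derive_dns_domain("Sametimeserver3.east.acme.com"),
        expiration_minutes=RECOMMENDED_EXPIRATION,
        server_names=["Sametimeserver3/East/Acme"],
    )
    community = ["Sametimeserver1/East/Acme", "Sametimeserver2/East/Acme", "Sametimeserver3/East/Acme"]
    for problem in check_config(cfg, community):
        print("PROBLEM:", problem)
    print("FQDN URL sends cookie:", browser_sends_token("sametimeserver3.east.acme.com", cfg.dns_domain))
    print("short-name URL sends cookie:", browser_sends_token("sametimeserver3", cfg.dns_domain))
    issued = datetime(2009, 1, 15, 9, 0)
    print("valid at +119 min:", token_valid(issued, issued + timedelta(minutes=119), 120))
    print("valid at +120 min:", token_valid(issued, issued + timedelta(minutes=120), 120))
```

Run as a script, the scenario reports that Sametimeserver1 and Sametimeserver2 are missing from Server Names, shows that only the fully qualified URL causes the browser to present the cookie, and shows the token ceasing to be valid exactly at the expiration boundary. The expiration check is deliberately a warning against the guide's 120-minute recommendation rather than a hard limit, since the right value is the length of a typical meeting in your environment.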
Related tasks
Manually enabling the Domino SSO feature
If your environment requires you to manually enable the Domino SSO feature instead of using the default configuration provided by the IBM Lotus Sametime installation, you can use the steps in this section to manually enable the Domino SSO feature.

Enable SSO and "Name & Password" authentication in the Server document:

Use this procedure to enable SSO and "Name & Password" authentication in the Server document of the Sametime server for which you are enabling the Domino SSO feature.

About this task

This procedure is the second of three required to manually enable the Domino SSO authentication feature on a Sametime server.

1. In the Configuration - Servers - All Server Documents view of the Domino Directory, double-click the name of the Sametime server to open the Server document.
2. Select Edit Server to put the Server document in edit mode.
3. Select the Ports tab.
4. Select the Internet Ports tab.


5. Select the Web tab (if it is not displayed by default).
6. For the HTTP TCP/IP port Authentication Options, select Yes in the "Name & Password" field.
7. Select the Internet Protocols tab.
8. Select the Domino Web Engine tab.
9. In the "HTTP Sessions" section, select "Multiple servers (SSO)" in the "Session authentication" field.
Note: You must select the "Multiple servers (SSO)" value even if your environment includes only a single Sametime server.
10. Click Save and Close to save the Server document.

What to do next

Start (or restart) the HTTP task on the SSO-enabled server.

Related tasks
Manually enabling the Domino SSO feature
If your environment requires you to manually enable the Domino SSO feature instead of using the default configuration provided by the IBM Lotus Sametime installation, you can use the steps in this section to manually enable the Domino SSO feature.

Start (or restart) the HTTP task on the SSO-enabled server:

Use the Domino console to start or stop the HTTP server.

About this task

This procedure is the third of three required to manually enable the Domino SSO authentication feature on a Sametime server. To start the HTTP task on the SSO-enabled server:

1. Open the Domino console.
2. Start the HTTP server, or stop and restart the HTTP server if it is already running.
• Use the Tell HTTP Quit command to stop the HTTP server.
• Use the Load HTTP command to start the HTTP server.
3. On the Domino console, the following message should appear:
HTTP: Successfully loaded Web SSO Configuration
4. If a server enabled for SSO cannot find a Web SSO Configuration document or is not included in the Server Names field (and thus cannot decrypt the document), the following message appears on your server's console instead. The server still starts and still accepts logins, but only with per-server session authentication, so SSO stays broken until the document is corrected and the HTTP task is restarted:
HTTP: Error Loading Web SSO configuration. Reverting to single server session authentication.

What to do next

Lotus software recommends using the custom Sametime SSO logon form. If you do not use this logon form, users will see the default Domino SSO logon form the first time they access a database on the server that requires authentication.

Note: Authentication by token does not occur if you allow anonymous access to the Sametime server and all its databases.
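Because the fallback in step 4 leaves the HTTP task running, it is easy to miss on a busy console. The following Python is an added example written for this edit, not IBM code: it scans captured console output for the two messages quoted in the procedure and reports the outcome of the most recent HTTP load, with the remediation the procedure gives. The sample console lines, their timestamp prefix, and the ">" echo of the operator's commands are constructed assumptions about console layout, not real Domino output.

```python
"""Check Domino console output for the Web SSO load result after an HTTP restart.

Added example for this edit, not IBM code. The two console messages are the
ones quoted in the procedure; the sample console lines, their timestamp prefix
and the '>' command echo are constructed assumptions about log layout.
"""
import re

SSO_OK = "HTTP: Successfully loaded Web SSO Configuration"
SSO_FALLBACK = ("HTTP: Error Loading Web SSO configuration. "
                "Reverting to single server session authentication.")

# Assumed console echo of the operator's 'load http' command from step 2.
LOAD_HTTP = re.compile(r"\bload\s+http\b", re.IGNORECASE)


def sso_load_status(console_lines):
    """Return (status, line) for the most recent 'load http'.

    status is 'sso' when Domino accepted the Web SSO Configuration document,
    'single-server' when it reverted (no document, or this server is missing
    from the Server Names field and so cannot decrypt it), or 'unknown' when
    neither message has appeared since the last load. Anything before the
    message text on a line (timestamps, task prefixes) is ignored.
    """
    status, where = "unknown", None
    for raw in console_lines:
        line = raw.strip()
        if LOAD_HTTP.search(line):
            status, where = "unknown", None   # a new load resets the previous outcome
        elif SSO_OK in line:
            status, where = "sso", line
        elif SSO_FALLBACK in line:
            status, where = "single-server", line
    return status, where


def remediation(status):
    """Map the outcome to the action the procedure describes."""
    if status == "sso":
        return "Web SSO Configuration loaded; LtpaToken will be issued and accepted."
    if status == "single-server":
        return ("SSO is off on this server. Confirm a Web SSO Configuration document exists "
                "in the Domino Directory and that this server's Domino name is listed in its "
                "Server Names field, then restart HTTP (Tell HTTP Quit / Load HTTP).")
    return "No Web SSO result seen yet; wait for HTTP to finish starting or check the console."


# Constructed console excerpts (not real log output) for the two outcomes.
CONSOLE_REVERTED = """\
01/15/2009 09:01:12 AM  > tell http quit
01/15/2009 09:01:14 AM  HTTP Server: Shutdown
01/15/2009 09:01:20 AM  > load http
01/15/2009 09:01:23 AM  HTTP: Error Loading Web SSO configuration. Reverting to single server session authentication.
01/15/2009 09:01:25 AM  HTTP Server: Started
""".splitlines()

CONSOLE_OK = """\
01/15/2009 09:10:02 AM  > load http
01/15/2009 09:10:05 AM  HTTP: Successfully loaded Web SSO Configuration
01/15/2009 09:10:06 AM  HTTP Server: Started
""".splitlines()

if __name__ == "__main__":
    for name, lines in (("reverted", CONSOLE_REVERTED), ("ok", CONSOLE_OK)):
        status, line = sso_load_status(lines)
        print(f"{name}: {status}\n  {line}\n  {remediation(status)}")
```

Feed it the console log of each server listed in the Web SSO Configuration document after a restart; a server that is in the community but reports "single-server" is the one whose name is missing from Server Names, which is exactly the multiple-server mistake described under "Altering the Domino Server Names field".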

To configure the Sametime server to use the custom Sametime SSO logon form, see Using the Sametime custom logon form for SSO.

Using the Sametime custom logon form for SSO:

The IBM Lotus Sametime installation automatically configures the Lotus Sametime server to use the Lotus Sametime custom logon form for SSO. The Lotus Sametime installation performs the following configurations to enable the custom logon form:

1. Creates a Domino Configuration database named domcfg.nsf in the root data directory of the Domino server on which Lotus Sametime is installed. This database is created from the domcfg5.ntf template available with the Domino server.
2. Creates a "Mapping a Login Form" document in the domcfg.nsf database.
3. Populates the following fields in the Mapping a Login Form document:
• Target database filename - This field is set to the value "stcenter.nsf."
• Target form name - This field is set to STLogonForm.

The configurations described above ensure that the custom logon form named STLogonForm (a form in stcenter.nsf) displays to users when users authenticate with the server. If a database named domcfg.nsf exists on the Lotus Sametime server when Lotus Sametime is installed, the administrator must manually enable the custom logon form. This procedure is described below.

Manually enabling the custom logon form

Follow the procedure below to manually enable the Lotus Sametime custom logon form for SSO. The custom logon form displays when the user accesses the first database on the server that requires authentication or selects the "Log on to Sametime" link in the Sametime Meeting Center.

Note: The custom logon form exists in the Lotus Sametime server home page database (stcenter.nsf). If you want to require users to authenticate when accessing the server, you should allow anonymous access to the Lotus Sametime server home page (stcenter.nsf) and require authentication to the Sametime Meeting Center database (stconf.nsf). With this arrangement, users access the server home page anonymously and are presented with the SSO logon form when attempting to create or attend a meeting.

To use the Lotus Sametime custom logon form for SSO, you must configure settings in the Domino Configuration database (domcfg.nsf) provided with the Domino server on which Lotus Sametime is installed. To use the Lotus Sametime custom logon form for SSO:

1. Verify that the Lotus Sametime server has a Domino Configuration database named domcfg.nsf.
Note: If your server includes an existing domcfg.nsf database, but you do not want to use that database, you can delete the existing domcfg.nsf database and create a new one. To create a new domcfg.nsf database, use the Domino Configuration (R5) template (domcfg5.ntf) available with a Domino server. When creating the new database, you must select the "Show advanced templates" option to access the domcfg5.ntf template.


2. If necessary, copy the domcfg.nsf Domino Configuration database to the root data directory of the Domino server on which Lotus Sametime is installed (for example, the C:\Lotus\Domino\Data directory).
3. From a Lotus Notes client, open the Domino Configuration database.
4. Choose Add Mapping.
5. Under Site Information, accept the default of All Web Sites/Entire Server.
6. In the "Target database filename" field, enter stcenter.nsf.
7. In the "Target form name" field, enter STLogonForm.

Required ACL settings for the Sametime Center database (stcenter.nsf) The Sametime Center database (stcenter.nsf) must meet the following ACL requirements for the custom logon form to operate properly. v In the Advanced options of the stcenter.nsf ACL settings, the ″Maximum Internet name & password″ field must allow at least Reader access. If either Depositor or No Access are selected, the logon form will not appear. v In the Basics options of the stcenter.nsf ACL settings, anonymous users must have an access level of Reader or higher. If the access level provided for anonymous users is less than Reader, the logon form will not appear. The ″Write public documents″ and ″Read public documents″ options should also be selected. Related tasks Manually enabling the Domino SSO feature If your environment requires you to manually enable the Domino SSO feature instead of using the default configuration provided by the IBM Lotus Sametime installation, you can use the steps in this section to manually enable the Domino SSO feature. Authentication by token using Secrets and Tokens databases: To authenticate by token, the Sametime server can accept an authentication token created by the Secrets and Tokens authentication databases, the Domino Single Sign-On (SSO) feature, or both. The Sametime server can also generate tokens using the Secrets and Tokens authentication databases or the Domino SSO feature. If the Sametime server is operating in an environment that includes Sametime servers from releases earlier than Sametime 3.0, or if Domino databases enabled with Sametime technology (such as the Sametime Discussion and TeamRoom databases that were available with earlier releases) are used in your environment, the Sametime server must support both the Secrets and Tokens authentication databases and the Domino SSO authentication feature. The Sametime server is set up to support Secrets and Tokens authentication by default. 
The basic requirements for this authentication system are: v The Secrets (stauths.nsf) and Tokens (stautht.nsf) databases must exist on the Sametime server. These databases are created during the Sametime server installation. v The ″Allow users to authenticate using either LTPA or Sametime Tokens (stauths.nsf and stautht.nsf)″ option must be selected in the Sametime Administration Tool. (This option is selected by default.) Note that previous releases of Sametime allowed an administrator to enhance the level of security provided by the Secrets and Tokens databases by enabling the
Chapter 1. Configuring

291

SametimeSecretsGenerator agent in one Sametime Secrets database (stauths.nsf) on one Sametime server in the Sametime community. If you enable the SametimeSecretsGenerator agent on one Secrets database on one Sametime server, that Secrets database must be replicated to all Sametime servers in the community. If your environment includes Sametime servers from previous releases and you are currently replicating a Secrets database to all of the servers in your environment, you must also replicate that Secrets database to the Sametime servers. There are two procedures associated with ensuring the Secrets and Tokens authentication databases on the Sametime server are functioning properly: 1. If necessary, select the ″Allow users to authenticate using either LTPA or Sametime Tokens (stauths.nsf and stautht.nsf)″ option in the Sametime Administration Tool. (This option is selected by default.) 2. Replicating the Secrets and Tokens databases (optional) - This step is necessary only if you have deployed Domino databases enabled with Sametime technology (such as Sametime TeamRoom and Discussion databases) or if you have enhanced security by enabling the SametimeSecretsGenerator agent in the Secrets database. Allowing users to authenticate using LTPA or Sametime tokens: When the ″Allow users to authenticate using either LTPA or Sametime Tokens″ option is selected in the Community Services-Configuration settings of the Sametime Administration Tool, the Sametime server accepts authentication tokens generated by both the Domino Single-Sign On (SSO) feature and the Secrets and Tokens databases on the Sametime server. This option is selected by default. About this task If you do not select the Allow users to authenticate using either LTPA or Sametime Tokens option, the Sametime server accepts only LTPA authentication tokens, which are generated by the Domino SSO feature. 
Leave "Allow users to authenticate using either LTPA or Sametime Tokens" selected when you require basic password authentication to the Sametime Meeting Center and you have Sametime 2.0 or 2.5 servers as part of a single Sametime community. If all servers in your environment are Sametime 3.0 servers or higher, you may disable the feature if you require basic password authentication in the Sametime Meeting Center.

Note: By default, anonymous access is allowed to the Sametime Meeting Center and authentication by token is not enforced on the Sametime server.

If a Sametime client sends a lightweight third-party authentication (LTPA) token with the organization parameter set to "null," the user will fail to log into the server. Follow these steps to ensure that the token has the correct value for the organization name in the Web Single Sign-On (SSO) document and in sametime.ini.

1. From a Lotus Notes client, open the Domino Directory on the Lotus Sametime server.
2. Choose the Configuration → Web → Web Configurations view.
3. In the right-hand pane, select the twistie to display the document under "Web SSO Configurations."
4. Double-click the document titled Web SSO Configuration for LtpaToken to open the Domino Web SSO Configuration document.
5. Click Edit to put the document in edit mode.
6. Add the organization name.
7. Click Save and Close after editing the document.
8. On the Sametime Community Server, open sametime.ini in a text editor.
9. Add the flag ST_ORG_NAME=, followed by the name of the organization as it appears in the Web SSO document.
10. Save sametime.ini.
11. Restart the server.

Results

When users log in now, the LTPA token will have the correct organization name.

Selecting the "Allow users to authenticate using either LTPA or Sametime Tokens (stauths.nsf and stautht.nsf)" option:

The "Allow users to authenticate using either LTPA or Sametime Tokens (stauths.nsf and stautht.nsf)" setting must be enabled in the Sametime Administration Tool to enable the Sametime server to accept both LTPA and Sametime tokens. This setting must be set consistently on all Sametime 8.x, 7.x, 6.5.1, and 3.x servers in your environment.

About this task

Note: This procedure might not be necessary, as the "Allow users to authenticate using either LTPA or Sametime Tokens (stauths.nsf and stautht.nsf)" setting is enabled by default following the server installation.

If you enable this setting on one Sametime server, you must enable it on all Sametime servers in your environment. If you disable it on one Sametime server, you must disable it on all Sametime servers in the environment.

To enable this setting:

1. From the Sametime server home page, click Administer the server to open the Sametime Administration Tool.
2. Choose Configuration.
3. Choose Community Services.
4. Select the "Allow users to authenticate using either LTPA or Sametime Tokens (stauths.nsf and stautht.nsf)" option.
5. Click Update.
6. Restart the server for the setting to take effect.

Results

You have the option of replicating the Secrets database to enhance security.
Related tasks

Manually enabling the Domino SSO feature
If your environment requires you to manually enable the Domino SSO feature instead of using the default configuration provided by the IBM Lotus Sametime installation, you can use the steps in this section to manually enable the Domino SSO feature.

Replicating the Secrets and Tokens databases (optional):

If you have installed multiple Sametime servers, you can enable the SametimeSecretsGenerator agent in the Secrets database. Enabling the SametimeSecretsGenerator agent is an optional procedure that increases security against outside attacks.

About this task

This topic discusses the second of two procedures associated with setting up the Secrets and Tokens authentication system on a Sametime server.

The Secrets and Tokens databases exist on every Sametime server. If you enable the SametimeSecretsGenerator agent, only one Secrets database should be used for all Sametime servers in the environment. You should replicate the Sametime Secrets database in which you have enabled the SametimeSecretsGenerator agent to all Sametime servers in the environment. Create a replication schedule for the Secrets database in which you have enabled the SametimeSecretsGenerator agent to ensure that it replicates at regular intervals. Delete all other copies of the Secrets database from all Sametime servers in the environment. For more information, see Integrating a Sametime server into an existing Sametime community.

Do not replicate the Tokens database to the other Sametime servers. The replicated Secrets database can work with the Tokens database that exists on each Sametime server by default following the server installation.

If you do not enable the SametimeSecretsGenerator agent in any Secrets database on any Sametime server, it is not necessary to replicate the Secrets database. If you do not enable the SametimeSecretsGenerator agent, administration is simpler because no replications or replication schedules are required, but the security level is not as high.

Working with Sametime security
The IBM Lotus Sametime server uses the Internet and intranet security features of the Domino server on which it is installed to authenticate Web browser users who access Domino databases on the server. These databases include the Sametime Center database (stcenter.nsf), which contains the Sametime server home page, and the Sametime Meeting Center database (stconf.nsf).

Sametime also uses authentication-by-token features to authenticate connections from Sametime clients to the Sametime server. The authentication-by-token features include the Secrets and Tokens databases supported by all previous Sametime releases and the Domino Single Sign-On (SSO) authentication feature that is supported by Sametime 3.0 and higher-version servers.

Sametime also provides security features that enable users to encrypt meetings and specify meeting-specific passwords.

The Security section includes the following topics:

Getting started with Lotus Sametime security:

This section includes basic security information to help you get started with IBM Lotus Sametime security.

The required fully-qualified server name:

The user must enter the fully qualified DNS name of the IBM Lotus Sametime server (for example, sametimeserver.meetings.acme.com) in the Web browser URL locator when accessing the Sametime server to authenticate with a Lotus Sametime server. The Domino Single Sign-On (SSO) feature must be enabled on the Lotus Sametime server. The Domino SSO feature requires the user to enter the fully qualified DNS name of the server for a successful authentication. For more information, see Authentication by token using LTPA and Sametime tokens.

Basic password authentication and authentication by token:

IBM Lotus Sametime uses two types of authentication: basic password authentication and authentication by token.

Basic password authentication

Lotus Sametime uses basic password authentication to authenticate Web browser connections and Lotus Sametime Connect client connections. Lotus Sametime uses the same Internet and intranet security features as a Domino server to authenticate the Web browser connections. These features include Domino database Access Control Lists (ACLs) and security settings in the Server document of the Domino server on which Lotus Sametime is installed. The Domino security features also allow you to configure databases for anonymous access. When a database is configured for anonymous access, the user is not authenticated when accessing the database.

The following topics in this section discuss basic password authentication:

- User requirements for basic password authentication
- Using database ACLs for identification and authentication
- Basic password authentication and database ACLs
- Setting up basic password authentication in a database Access Control List (ACL)

Authentication by token

After a Web browser user authenticates using basic password authentication, Lotus Sametime Java applet clients (such as the Meeting Room client, Recorded Meeting client, and Lotus Sametime Connect for browsers client) load in the user’s Web browser. These Lotus Sametime clients make connections to the Community Services, Meeting Services, and Recorded Meeting Broadcast Services when a user attends a meeting. Lotus Sametime uses "authentication by token" to authenticate the connections from these Lotus Sametime clients to the Lotus Sametime services.

Note: Connections from the Lotus Sametime clients to the Community Services, Meeting Services, and Recorded Meeting Broadcast Services are authenticated only if the Lotus Sametime Meeting Center database (stconf.nsf) requires basic password authentication. If the Lotus Sametime Meeting Center allows anonymous access, these connections are not authenticated.

When the Lotus Sametime Meeting Center requires basic password authentication, authentication by token is supported on the Lotus Sametime server using the Domino Single Sign-On (SSO) authentication feature.


If your environment includes only Lotus Sametime 3.0 (or higher) servers, it is only necessary to enable the Domino SSO feature on the Lotus Sametime servers.

Note: Lotus Sametime TeamRoom and Discussion databases were available with previous Lotus Sametime releases but are no longer included in the Lotus Sametime product.

The Lotus Sametime server must support both the Domino SSO feature and the Secrets and Tokens database authentication system if your environment includes Lotus Sametime 3.0 (or higher) servers that interoperate with Lotus Sametime servers from releases earlier than Lotus Sametime 3.0.

The following topics discuss authentication by token:

- Authentication by token
- Authentication by token using the Domino Single Sign-On (SSO) feature
- Authentication by token using Secrets and Tokens databases

User requirements for basic password authentication:

When accessing the Lotus Sametime server with a Web browser, a user must enter a user name and Internet password to access any protected database on the Lotus Sametime server. A protected database is a database that has its Access Control List (ACL) set to require basic password authentication. If the ACL settings of a database allow anonymous access, the user is not authenticated (prompted for a user name and Internet password) when accessing the database.

Note: It is important for a user to enter a name when accessing a Lotus Sametime database so that the user’s name can be displayed in any presence list within the database. If the ACL settings of a database allow anonymous access, a user is not prompted for a name unless the "Users of Sametime applications can specify a display name so that they do not appear online as anonymous" setting is selected in the Configuration-Community Services-Anonymous Access settings of the Sametime Administration Tool. When this option is selected, it forces a name entry prompt to appear when an anonymous user attends a scheduled meeting. From this name entry prompt, the user can enter a name for display purposes in a presence list. The server accepts any name entered by the user at the name entry prompt; the user is not authenticated.

A Sametime Connect user must also be authenticated each time the user starts the Sametime Connect client and connects to the Community Services on the Lotus Sametime server. Sametime Connect users must enter the user name and Internet password from the Person document in the Domino Directory when logging on to Sametime Connect.

Note: If you have configured Lotus Sametime to operate with an LDAP directory, Sametime authenticates users based on the user names and passwords stored in the person entries of the LDAP directory.

Person document, user names, and Internet passwords in the Domino Directory

This section discusses the requirements for basic password authentication when Lotus Sametime is installed to operate with a Domino Directory. You must choose either the Domino Directory or an LDAP directory during the Lotus Sametime installation.

Each member of the Lotus Sametime community must have a Person document in the Domino Directory to authenticate with the Lotus Sametime server. The names and password that a user can enter when accessing a Lotus Sametime server are maintained in the Basics tab of a Person document in the Domino Directory. To access a Person document, open the Sametime Administration Tool and select Domino Directory → Domino → Manage People. Double-click a person’s name to open that user’s Person document.

The table below shows a sample entry in the Basics section of a user’s Person document. The text that follows the table explains how these entries are used in the Web browser and Sametime Connect client password authentication processes.

Sample settings in the Basics section of a Person document

Field                    Entry                      Comment
First name               Gary                       This field is optional.
Middle initial                                      This field is optional.
Last name                Ollerman                   This field is required.
User name                Gary Ollerman/Community    This field is required.
                         GOllerman                  Note: The Community (or domain) name is appended to the first entry in the user name field by default.
Alternate name                                      This field is optional.
Short name/UserID                                   This field is optional.
Generational qualifier                              This field is optional.
Internet password        (FCF5F3960B0A289D3)        This field is required.

The following fields on the Person document are used by the authentication process:

- First name - This field is optional.
  Web browser - If an entry exists in the "First name" field in the Basics tab of the Person document, the user can enter just this name at the User Name prompt that appears when accessing a protected database on the Lotus Sametime server with a Web browser. The user must also enter the Internet password to access the database. (A protected database is a database that has its ACL set to require basic password authentication.)
  Sametime Connect - The first name is not a valid entry at the User Name prompt that appears when logging on to the Sametime Connect client.
- Last name - This field is required. An entry must exist in the "Last name" field of the Basics tab of a Person document. The last name can be entered in the User Name prompt that appears when accessing a protected database on the Lotus Sametime server with a Web browser. The last name can also be used when logging on from the Lotus Sametime Connect client. A user must also enter the Internet password to complete the authentication process.
  Note: If both the "First name" and "Last name" fields contain entries, the user can enter the first and last names at the User Name prompt that appears when accessing the Lotus Sametime server.
- User name - This field is required. An entry must exist in the "User name" field in the Basics tab of a Person document. Generally, it is good practice to use a user’s first and last name in the "User name" field. The "User name" field can contain multiple entries. In our example, the User name field contains both Gary Ollerman/Community and GOllerman. (Each entry must be separated by a semicolon or a carriage return in the "User name" field of the Person document.) A user can enter any name that appears in the "User name" field of the Person document when logging on to the Lotus Sametime server from the Sametime Connect client or a Web browser. For example, the user could enter Gary Ollerman/Community or GOllerman at a Sametime Connect or Web browser User Name prompt. The name entered by the user is resolved to the topmost name (Gary Ollerman/Community in the example) in the "User name" field. The topmost name in the "User name" field is the name that is displayed in the presence lists of all Sametime clients.
  Note: If you want a user’s e-mail address to display in presence lists, enter the user’s e-mail address as the topmost name in the "User name" field of the Person document. If the e-mail address is included in the User name field, the user can also enter the e-mail address at the "User name" prompt when logging in from a Sametime Connect client or Web browser.
  Lotus Sametime uses the topmost name in the "User name" field to validate a user in a database ACL. If you require basic password authentication for a database and you enter the names of individual users in the ACL of a database, enter the topmost name that appears in the "User name" field of the Person document in the database ACL. Although the user can enter "GOllerman" when logging on, Sametime uses "Gary Ollerman/Community" to validate the user in the database ACL. Therefore, "Gary Ollerman/Community" must be the name that appears for this user in database ACLs.
- Internet password - This field is required. Users must enter the Internet password to authenticate with the Lotus Sametime server using a Web browser or the Sametime Connect client. In the example, the Internet password is "sametime." The password displays as a series of random characters because Internet passwords are encrypted on the Person document.

Self-registration

If you are using the self-registration feature of the Lotus Sametime server, a Person document containing a last name, user name, and Internet password is automatically created for a user in the Domino Directory on the Lotus Sametime server at the time the user self-registers. Agents in the Self-Registration database (streg.nsf) access the Domino Directory to create these Person documents. The signers of these agents must have the proper access levels and permissions in the Domino Directory for self-registration to work properly. If you allow self-registration, you might need to add these signers to the Domino Directory ACL.

The Lotus Sametime self-registration feature cannot be used if you have configured the Lotus Sametime server to operate with an LDAP directory on a third-party server (such as a Microsoft Exchange or Netscape Directory Server).

LDAP

If you have configured the Lotus Sametime server to operate with an LDAP directory on a third-party server, the authentication process uses the user names and passwords stored in the LDAP directory. It is not necessary to create Person documents containing separate user names and passwords in the Domino Directory on the Lotus Sametime server.

Related concepts

Using database ACLs for identification and authentication
Identification and authentication is the process of determining the name of a user and verifying that users are who they say they are. You can use database Access Control Lists (ACLs) to control access to individual databases on the server.

Basic password authentication and database ACLs
You can set a database ACL to require basic password authentication.

Related tasks

Changing a user’s password
When accessing the IBM Lotus Sametime server from any Lotus Sametime client, the user might be prompted for a user name and password. The password is specified in the Internet password field on the user’s Person document in the Domino Directory on the Lotus Sametime server.
Setting up basic password authentication in a database Access Control List (ACL)
You can require users to specify a valid name and password when accessing a database on the Sametime server.

Changing a user’s password:

When accessing the IBM Lotus Sametime server from any Lotus Sametime client, the user might be prompted for a user name and password. The password is specified in the Internet password field on the user’s Person document in the Domino Directory on the Lotus Sametime server.

About this task

To change a user’s password, open the user’s Person document and enter a new password in the "Internet password" field.

Note: If you have configured the Lotus Sametime server to operate with an LDAP directory on an LDAP server, the authentication process uses the passwords specified in the LDAP directory. Use the administrative tools provided with the third-party LDAP server to access the LDAP directory and make password changes for individual users. You cannot change passwords stored in an LDAP directory from the Sametime Administration Tool.

To change a user’s Internet password in the Domino Directory on the Lotus Sametime server:

1. From the Lotus Sametime server home page, open the Sametime Administration Tool.
2. Select Domino Directory.
3. Select Domino.
4. Select Manage People.
5. Double-click the name of the user whose password you want to change.
6. Click Edit Person.
7. Enter the new password in the "Internet password" field of the Person document. You might want to write the new password down before closing and saving the Person document. After you close and save the Person document, the Internet password is encrypted and you cannot view it.
8. Select Save and Close.

Ensuring Sametime servlet access when Domino requires SSL for all connections:

An IBM Lotus Sametime server installs on a Domino server and relies on the Domino HTTP server to handle all HTTP traffic to the Lotus Sametime server. To encrypt Web browser access to the Sametime Meeting Center with SSL, the administrator must configure the Domino HTTP server to support SSL.

About this task

When setting up a Domino HTTP server to support SSL, the administrator can force all connections to the Domino server to use SSL. The administrator forces all HTTP connections to use SSL by performing either of the following configurations in the Ports-Internet Ports-Web section of the Domino Server document during the Domino HTTP server SSL setup procedure:

- Setting the Web HTTP "TCP IP port status" setting to "Disabled" and setting the Web HTTP "SSL port status" to "Enabled."
- Setting the Web HTTP "TCP IP port status" to "Redirect to SSL."

If you force all HTTP connections to use SSL, you must also configure the Lotus Sametime server to support SSL for HTTP connections to its servlets.
If you do not configure the Lotus Sametime server to support SSL for connections to its servlets, users will be unable to access the Lotus Sametime server. To ensure access to the Lotus Sametime servlets when Domino requires SSL for all connections, complete the following steps:

1. Set up the Domino server to support SSL.
2. Import the SSL trusted root or SSL server certificate into the key store database on the Sametime server.
3. Modify the Sametime configuration for SSL.

Results

You can use these procedures regardless of whether your Lotus Sametime server operates on the Windows, AIX, Solaris, Linux or IBM i operating system.

Note: It is possible to configure a Domino server to allow unencrypted HTTP connections on port 80 and simultaneously allow SSL-encrypted HTTP (or HTTPS) connections on port 443. This configuration enables you to encrypt connections to databases containing sensitive data while allowing unencrypted connections to databases that do not contain sensitive data. Since the Domino server on which Lotus Sametime is installed is dedicated to supporting only Lotus Sametime, it is unlikely that such a configuration would be implemented on a Domino/Sametime server.

Domino security and the Web browser connection:

To attend a meeting on the Lotus Sametime server, a user first connects to the Lotus Sametime HTTP server with a Web browser. By default, the user is not authenticated when accessing the Lotus Sametime server over this port and is able to access the Lotus Sametime server home page database (stcenter.nsf) without entering a user name and password.

By using the Access Control List (ACL) settings of individual databases, the Lotus Sametime administrator can force users to authenticate using basic password authentication when they attempt to access the databases on the server. Generally, the first database that a user accesses when connecting to the Lotus Sametime server is the Domino database that contains the Lotus Sametime server home page (stcenter.nsf). By default, the ACL settings of the stcenter.nsf database allow anonymous access so users can access the Lotus Sametime server home page without being authenticated (entering a user name and password that is verified against entries in a directory).

After accessing the home page, a user selects links to access other databases on the Lotus Sametime server. Most users will access the Sametime Meeting Center (stconf.nsf). The Lotus Sametime administrator can alter the ACLs of these databases to force users to authenticate at the time they select the link that accesses the database.
The databases on the Lotus Sametime server that are accessible from the Lotus Sametime server home page include:

- Self-Registration (streg.nsf) - An administrator controls whether self-registration is available on the server. The administrator controls self-registration by selecting or clearing the "Allow people to register themselves in the Directory" check box available from the Domino Directory - Domino option in the Sametime Administration Tool. The self-registration database (streg.nsf) should always allow anonymous access to enable anonymous users to self-register when the administrator allows self-registration.
- Server Administration - You must add users to the ACLs of several Lotus Sametime databases when allowing other users to have administrative privileges on the Lotus Sametime server. For more information about controlling access to the Sametime Administration Tool, see Adding a new Sametime administrator.

Note: By default, the connection from a Web browser to the Lotus Sametime server is neither authenticated nor encrypted. The authentication occurs at the time a user accesses an individual database on the Lotus Sametime server. You can configure Lotus Sametime so that all HTTP traffic (including passwords and authentication tokens) that passes over the connection between the Web browser and the HTTP server is encrypted using the Secure Sockets Layer (SSL).

Note: References to the Sametime Meeting Center and to the Web browser connection do not apply to Sametime Entry servers.

Related concepts

Using database ACLs for identification and authentication
Identification and authentication is the process of determining the name of a user and verifying that users are who they say they are. You can use database Access Control Lists (ACLs) to control access to individual databases on the server.

Anonymous access and database ACLs
You can set a database ACL to allow anonymous access.

Basic password authentication and database ACLs
You can set a database ACL to require basic password authentication.

Related tasks

Setting up anonymous access in a database Access Control List (ACL)
To allow anonymous access to a database, you can add the Anonymous entry to the ACL and assign an access level to the Anonymous entry.

Setting up basic password authentication in a database Access Control List (ACL)
You can require users to specify a valid name and password when accessing a database on the Sametime server.

Using database ACLs for identification and authentication:

Identification and authentication is the process of determining the name of a user and verifying that users are who they say they are. You can use database Access Control Lists (ACLs) to control access to individual databases on the server. For each database on the server, you can set the ACL to allow:

- Anonymous access, or
- Basic password authentication

The settings in the database ACLs work together with the "Maximum Internet name & password" setting for each database to control the level of access that Web browser users have to a database on the Sametime server.

Using database ACLs

The database ACL defines user access to the content of the database. Before you set up basic password authentication or anonymous access to a database, you should be familiar with how to add users to a database ACL and the available settings within the ACL. For more information, see:

- Adding a name to a database ACL
- Database ACL settings

Maximum Internet name & password setting

The "Maximum Internet name & password" setting on the Advanced panel of each database ACL specifies the maximum level of access to the database that is allowed for Web browser clients. This setting overrides individual levels set in the ACL. Generally, administrators should not need to change the "Maximum Internet name & password" settings for databases on the Sametime server. The default settings should function adequately in most cases.

Adding a name to a database Access Control List (ACL):

Use the Sametime Administration Tool to add a name to a database Access Control List.

1. From the Sametime server home page, click Administer the Server to open the Sametime Administration Tool.
2. If you are using a Domino Directory with the Sametime server, select Domino Directory - Domino. If you are using an LDAP directory with the Sametime server, select LDAP Directory.
3. Select Access Control.
4. Select a database from the list.
5. Click Access. The database ACL displays.
6. Click Add.
7. In the dialog box, type the exact user name from a Person document or the group name from a Group document. Click OK.
   When entering a user name for a user with a Person document in the Domino Directory on the Sametime server, type the name exactly as it appears in the topmost entry of the "User name" field in the user’s Person document.
   When entering the names of users or groups registered in an LDAP directory in a Sametime database ACL, use the fully qualified Distinguished Name, but use forward slashes (/) as delimiters instead of commas. For example, if the Distinguished Name for the user in the LDAP directory is:
   uid = Joe Waters, ou=West, o=Acme
   enter the name in the Sametime database ACL as follows:
   uid = Joe Waters/ou=West/o=Acme
   You can also use asterisks for wildcards when entering names from an LDAP directory or a Domino Directory in an ACL. For example, entering */ou=West/o=Acme is equivalent to entering all users in the ou=West/o=Acme branch of the directory in the ACL.
   Note: It is possible to enter entities other than user and group names in an ACL. For more information about the types of entries that can exist in an ACL, see User type - ACL settings.
8. Click the name entered in the previous step so that the name is selected (highlighted).
9. In the User Type box, select the type of user (Unspecified, Person, Server, Person Group, Server Group, or Mixed Group). For more information, see User type - ACL settings.
10. In the Access box, assign an access level for the user (Manager, Designer, Editor, Author, Reader, Depositor, or No Access). For more information, see Access level - ACL settings.
11. Edit the privileges if necessary. For more information, see Privileges - ACL settings.
12. Click Submit.
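The DN-to-ACL-name rewriting and the */branch wildcard described in step 7 above, together with the precedence rules stated later under "Access level - ACL settings" (an individual entry outranks group entries; the highest of several groups wins), as an added Python example that is not part of this guide or of IBM's product. The ACL entries, group names and the ordering of an exact name over a wildcard entry are constructed assumptions, as is case-insensitive name comparison.

```python
"""Added example (not IBM's code): LDAP DNs rewritten into the slash-delimited
form Sametime database ACLs use, the */branch wildcard, and the access-level
precedence rules the guide gives under "Access level - ACL settings"."""
from dataclasses import dataclass
from typing import Iterable, List, Optional

# Access levels from lowest to highest, as the guide orders them.
ACCESS_LEVELS = ["No Access", "Depositor", "Reader", "Author",
                 "Editor", "Designer", "Manager"]
GROUP_TYPES = {"Person Group", "Server Group", "Mixed Group"}


def split_dn(dn: str) -> List[str]:
    """Split a DN on unescaped commas (RFC 4514 backslash escapes honoured)."""
    parts, current, escaped = [], [], False
    for ch in dn:
        if escaped:                     # character after a backslash is literal
            current.append(ch)
            escaped = False
        elif ch == "\\":
            current.append(ch)
            escaped = True
        elif ch == ",":                 # an unescaped comma ends a component
            parts.append("".join(current).strip())
            current = []
        else:
            current.append(ch)
    parts.append("".join(current).strip())
    return [p for p in parts if p]


def dn_to_acl_name(dn: str) -> str:
    """Same components as the DN, joined with forward slashes instead of commas."""
    return "/".join(split_dn(dn))


def acl_entry_matches(entry: str, acl_name: str) -> bool:
    """An entry beginning with */ covers every name under that branch (the
    guide's */ou=West/o=Acme example, at any depth); other entries must match
    exactly. Case-insensitive comparison is an assumption, not from the guide."""
    want = [c.strip() for c in acl_name.lower().split("/")]
    have = [c.strip() for c in entry.lower().split("/")]
    if have and have[0] == "*":
        suffix = have[1:]
        return not suffix or (len(want) > len(suffix)
                              and want[-len(suffix):] == suffix)
    return want == have


@dataclass
class AclEntry:
    name: str        # slash-delimited user name, */branch wildcard, or group
    user_type: str   # Unspecified, Person, Server, Person Group, ...
    access: str      # one of ACCESS_LEVELS


def effective_access(acl_name: str, groups: Iterable[str],
                     acl: List[AclEntry]) -> str:
    """Rules from the guide: an individual entry outranks any group entry, and
    a member of several groups gets the highest of their levels. Assumptions
    added here: an exact name outranks a wildcard entry, groups are matched by
    name, and a user that matches nothing gets No Access."""
    member_of = {g.lower() for g in groups}
    wildcard: Optional[str] = None
    best_group: Optional[str] = None
    for entry in acl:
        if entry.user_type in GROUP_TYPES:
            if entry.name.lower() not in member_of:
                continue
            if best_group is None or (ACCESS_LEVELS.index(entry.access)
                                      > ACCESS_LEVELS.index(best_group)):
                best_group = entry.access
        elif acl_entry_matches(entry.name, acl_name):
            if not entry.name.startswith("*"):
                return entry.access         # exact individual entry wins
            wildcard = entry.access
    return wildcard or best_group or "No Access"


def demo() -> dict:
    """Constructed ACL (sample data, not from the guide) exercising each rule."""
    acl = [AclEntry("Gary Ollerman/Community", "Person", "Reader"),
           AclEntry("*/ou=West/o=Acme", "Unspecified", "Author"),
           AclEntry("WestStaff", "Person Group", "Editor"),
           AclEntry("SametimeAdmins", "Person Group", "Manager")]
    both = ["WestStaff", "SametimeAdmins"]
    joe = dn_to_acl_name("uid = Joe Waters, ou=West, o=Acme")
    # gary: individual entry beats both groups; joe: wildcard beats WestStaff;
    # bob: highest group wins; eve: no entry applies.
    return {"gary": effective_access("Gary Ollerman/Community", both, acl),
            "joe": effective_access(joe, ["WestStaff"], acl),
            "bob": effective_access("uid=Bob/ou=East/o=Acme", both, acl),
            "eve": effective_access("uid=Eve/ou=East/o=Acme", [], acl)}
```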

Related concepts

Using database ACLs for identification and authentication
Identification and authentication is the process of determining the name of a user and verifying that users are who they say they are. You can use database Access Control Lists (ACLs) to control access to individual databases on the server.

Basic password authentication and database ACLs
You can set a database ACL to require basic password authentication.

Database ACL settings:

A database Access Control List (ACL) contains a list of users and defines user access to the contents of the database. For each user in the database ACL, you can specify the following ACL settings:

Related concepts

Using database ACLs for identification and authentication
Identification and authentication is the process of determining the name of a user and verifying that users are who they say they are. You can use database Access Control Lists (ACLs) to control access to individual databases on the server.

Basic password authentication and database ACLs
You can set a database ACL to require basic password authentication.

Related tasks

Setting up basic password authentication in a database Access Control List (ACL)
You can require users to specify a valid name and password when accessing a database on the Sametime server.

User type - ACL settings:

When you add a user or group to an ACL, you specify a user type for the entry in the ACL. A user type identifies whether a name in the ACL is for a person, server, group, or other entity. You assign a user type to a name to specify the type of ID required for accessing the database with that name. You can designate an entry in the ACL as any of the following user types:

Unspecified
Select the Unspecified user type if you want to enable the name you are entering to access the database with any type of ID (Person, Server, or Group). The Default entry in an ACL is always assigned the Unspecified user type.
IDs used to sign agents, such as Sametime Development/Lotus Notes Companion Products, are also assigned the Unspecified user type when entered in a database ACL.

Person
Select the Person user type if the name you are entering belongs to a user who has a Person document containing a user name and Internet password in the Directory on the Lotus Sametime server, or if the user has a Person entry in an LDAP directory on a third-party server.

Server
Select the Server user type if the name you are entering belongs to another server in the Domino domain. When multiple servers are installed in a Domino environment, it might be necessary for a server to access data within the database or to replicate a database. Server names are frequently added to the pre-existing LocalDomainServers and OtherDomainServers server groups. The Server user type is generally used only if you have installed Lotus Sametime in a Domino environment. This user type performs the same function as it does on a Domino server.

Mixed Group
Select the Mixed Group user type if the name you are entering belongs to a group that consists of both Server and Person names.

Person Group
Select the Person Group user type if you are entering the name of a group that contains only people. You can enter a group from the Directory on the Lotus Sametime server, or you can enter a group stored in an LDAP directory on a third-party server in the ACL of a database.

Server Group
Select the Server Group user type if the name you are entering belongs to a group that consists of only servers.

Access level - ACL settings:

Access levels are the database ACL settings that control the type of actions a user can perform on the contents of a database and on the database itself. Access levels range from No Access, which prevents a user from opening a database, to Manager, which lets a user read, create, and edit the ACL and all documents in the database.

Users that are listed both individually and in one or more groups in the ACL might be assigned different levels of access. The access level granted in an individual entry takes precedence over the access level granted through a group entry. If a user is in multiple groups, the user is granted the access level of the group with the highest level of access. If a user or group has one level of access in the ACL and another level of access in a database component (such as a Read or View access list), the database component access level takes precedence over the user or group access level.

The following access levels are listed from lowest to highest. A higher access level has all the privileges granted to lower access levels. For example, Authors can perform all of the functions of a Depositor and a Reader.

No Access
No Access prevents a user from accessing the database. For example, if you assign No Access as the Default access for a database, only a user who has a Person document in the Address Book and is listed in the ACL can access the database.

Depositor
Depositor access allows a user to create documents but not view any documents in the database, including the documents created by the user. This access level is not generally used for Lotus Sametime databases. It is most frequently used for automatic agents that write documents into a database for Domino workflow applications.

Reader
Reader access allows a user to read documents in a database, but not create or edit documents. For example, you can assign Reader access in the Meeting Center (stconf.nsf) ACL to users who are allowed to attend but not start meetings.
Note: If you assign a user the Reader access level in the Meeting Center (stconf.nsf), the user can attend listed meetings but cannot attend unlisted meetings. To enable a user with Reader access to also attend unlisted meetings, select the "Write public documents" check box for that user in the ACL.

Author
Author access allows a user to create and edit documents. Users with Author access can edit documents they have created themselves, but they cannot edit documents created by other users. Assign Author access in the Meeting Center ACL to allow users to create meetings in the Lotus Sametime Meeting Center. Meeting Center users with Author access can modify the meetings they create, but they cannot modify meetings created by other users. To create a meeting, the user must have Author access and the Write Public Documents privilege selected.

Editor
Editor access allows users to read, create, and edit all documents in the database, including those created by other users. Assign Editor access in the Meeting Center ACL to users who are allowed to modify meetings they create and meetings that are created by other users. Editors can also start meetings in the Meeting Center. To create meetings, the user must also have the Write Public Documents privilege selected.

Designer
Designer access allows a user to create full-text indexes, modify all database design elements, and read, create, and edit all documents in the database. This access level is primarily for programmers and database developers.

Manager
Manager access allows a user to read, create, and edit the ACL and all documents in a database, modify ACL settings, and delete the database. Modifying the ACL and deleting databases are tasks permitted by no other access level. This access level is usually assigned to Lotus Sametime administrators and is not recommended for general users. Each database must have at least one Manager. Generally, the Manager access level is provided in each database to the person specified as the administrator during the Lotus Sametime installation and setup procedure. You should assign Manager access to two people in case one manager is unavailable. For information about granting other users administrative privileges, see Allowing others to use the Sametime Administration Tool.

Privileges - ACL settings:

The database Access Control List (ACL) defines privileges for users. Depending on the access level assigned to a user, some ACL permissions are granted, denied, or optional. Privileges listed in the ACL are:

Create documents
This privilege allows users to create documents in a database. This privilege is:
v Permanently granted to Managers, Designers, Editors, and Depositors
v Permanently denied to Readers
v Optionally granted to Authors
Delete documents
This privilege allows users to delete documents from a database. This privilege is:
v Permanently denied to Readers and Depositors
v Optionally granted to Managers, Designers, Editors, and Authors

Create personal agents
This privilege allows a Lotus Notes developer or user to create agents that perform automated procedures in a database. This privilege is:
v Permanently granted to Managers and Designers
v Optionally granted to Editors, Authors, and Readers
Clear this option on server databases to prevent certain users from creating personal agents that take up server disk space and processing time. Use the Agent Restrictions settings in the Security tab of the Server document in the Directory to prevent users from running personal agents on a server, even if the "Create personal agents" permission in a server database ACL is selected.

Create personal folders/views
This privilege is:
v Permanently granted to Managers and Designers
v Permanently denied to Depositors
v Optionally granted to Editors, Authors, and Readers
Personal folders and views created on a server are more secure and are available on multiple servers. Also, administrative agents can operate only on folders and views stored on a server. If this permission is not selected, users can still create personal folders and views that are stored on their local workstations. Clear this option to save disk space on a server.

Create shared folders/views
This privilege is:
v Permanently granted to Managers and Designers
v Permanently denied to Authors, Readers, and Depositors
v Optionally granted to Editors
Deny this privilege to Editors to save disk space on a server and maintain tighter control over database design.

Create LotusScript
This privilege is:
v Permanently granted to Managers
v Permanently denied to Depositors
v Optionally granted to Designers, Editors, Authors, and Readers
Clear this option on server databases to prevent certain users from running restricted and unrestricted LotusScript agents that take up server disk space and processing time. Use the Agent Restrictions settings in the Security tab of the Server document in the Directory to prevent users from running restricted and unrestricted LotusScript agents on a server, even if the "Create LotusScript" permission in a server database ACL is selected.

Read Public Documents
This privilege is:
v Permanently granted to Managers, Designers, Editors, Authors, and Readers
v Optionally granted to Depositors

Write Public Documents
This privilege is:
v Permanently granted to Managers, Designers, and Editors
v Optionally granted to Authors, Readers, and Depositors
Public documents, such as the meeting details document in the Sametime Meeting Center, are designed to be accessed by a wide audience. Users with the Write Public Documents permission can read, create, edit, and delete public documents in a database. To create a meeting in the Sametime Meeting Center, a user must have the Author access level with the Write Public Documents privilege selected. A user must also have the Write Public Documents privilege selected to attend unlisted meetings on the Sametime server. Users without the Write Public Documents privilege are prompted for a password when accessing a database with public documents. After entering the user name and Internet password, the user is given the Default access level to the database.

Roles - ACL settings:

Database Access Control List (ACL) roles grant access to individual database components, such as forms or views. You can use ACL roles to delegate authority for managing specific documents in a database. You can create up to 75 roles in a database. For example, you can assign the roles of UserCreator and UserModifier in the Directory (Address Book) ACL to the administrator who has the responsibility for creating and maintaining Person documents. ACL roles are optional in most databases. You can choose to rely on a broader access level and not use roles. For more information on roles available in important Sametime databases, see Roles in Sametime databases ACLs.

Anonymous access and database ACLs:

You can set a database ACL to allow anonymous access. Anonymous access has the following characteristics:
v Users are not identified or authenticated when they access databases and applications on the server.
v Data sent between the user and the Sametime server is not encrypted.
v Anonymous users are not identified in the maintenance log files. All anonymous user activity is recorded under the name "Anonymous."

The anonymous access level requires the least maintenance from the administrator, but it is the least secure. You should only allow anonymous access when you do not need to know the identity of users accessing your server. For example, use
anonymous access if the Sametime server is behind your firewall and you plan to allow only trusted intranet users to access it.

Setting up anonymous access in a database Access Control List (ACL):

To allow anonymous access to a database, you can add the Anonymous entry to the ACL and assign an access level to the Anonymous entry.

About this task

Note: Alternatively, you can remove the Anonymous entry from the ACL and assign an access level to the Default entry in the ACL. When the Anonymous entry is removed from the ACL, anonymous users receive the access level and privileges assigned to the Default entry in the database ACL.

Use the following procedure to allow anonymous users to access a database:

1. From the Sametime server home page, click the "Administer the Server" link to open the Sametime Administration Tool.
2. If you are using a Domino Directory with the Sametime server, select Domino Directory - Domino. If you are using an LDAP directory with the Sametime server, select LDAP Directory.
3. Select Access Control.
4. Select a database from the list.
5. Click the Advanced button.
6. Set the "Maximum Internet name & password" access to Manager, which is the maximum access level.
   Note: The "Maximum Internet name & password" setting on the advanced panel of each database Access Control List (ACL) specifies the maximum database access level granted to Web browser clients. This setting overrides higher individual access levels set in the ACL. For example, if you set the "Maximum Internet name & password" to Author and assign Editor access to the Anonymous entry in the database ACL, anonymous users will only have Author access to the database. Conversely, if you set the "Maximum Internet name & password" to Manager and assign Reader access to the Anonymous entry, anonymous users have only Reader access: the setting caps browser access and never raises it. If no browser user needs Manager access to the database, a lower cap limits what any browser session, including an anonymous one, can obtain.
7. Click the Access button. If the Anonymous entry exists in the ACL, select the Anonymous entry and assign an access level (for example, Author). Edit the default privileges if necessary. If the Anonymous entry does not exist in the ACL, users who access the database anonymously receive the access level and privileges assigned to the Default entry in the ACL.
   Note: If the Anonymous entry does not exist in the ACL, the administrator also has the option to create an Anonymous entry and assign an access level and privileges. In this case, users receive the access level associated with the Anonymous entry instead of the Default entry.
8. Click Submit.

What to do next

If you set the ACL of the Sametime Meeting Center database to allow anonymous access, you should ensure that users are required to enter a display name when
accessing the database. To ensure that users are required to enter a display name to appear in the Participant List of the Sametime Meeting Room during a scheduled meeting, make sure that the "Users of Sametime or Sametime applications can specify a display name so that they do not appear online as 'anonymous'" setting is selected under Sametime Servers → Sametime Community Servers → deployment_name → Anonymous in the Sametime System Console.

Basic password authentication and database ACLs:

You can set a database ACL to require basic password authentication. Basic password authentication has the following characteristics:
v Users are identified and authenticated when they access databases and applications on the server.
v A Web browser user must have a user name and an Internet password stored in the user's Person document to access databases. Only users with these credentials can access a database that requires basic password authentication.
v Data transmitted between the user and the Lotus Sametime server (including the name and password) is not encrypted unless SSL is configured.
v Users are identified in the maintenance log files.

Basic password authentication identifies users, but by itself it does not prevent unauthorized users from listening to network transmissions or gaining server access by guessing passwords. For information on using Secure Sockets Layer (SSL) to encrypt the data that passes over the Web browser connection to the IBM Lotus Sametime server, see Configuring Sametime to use SSL encryption.

Using the Default entry or individual names in database ACLs

When basic password authentication is enabled for a database, browser clients are authenticated when they attempt to open a database. For example, a Web browser user might be authenticated when selecting the "Attend a Meeting" link from the Lotus Sametime server home page to access the Sametime Meeting Center database (stconf.nsf). The Lotus Sametime server challenges the user to supply a valid name and password and then verifies that the user's response matches the information stored in the user's Person document in the Domino Directory (or LDAP directory, if you have configured Lotus Sametime to operate with an LDAP directory). Authentication succeeds if the user name and password provided by the user match the user name and password in the directory and either:
v The user is listed individually or as a member of a group in the database ACL, or
v The Anonymous entry is set to No Access while an access level is specified for the Default entry in the ACL. Using this method allows you to require users to authenticate without having to add individual entries for every user and group in the ACL.

When the Anonymous entry in the database ACL is set to No Access, users are presented with a logon prompt when they attempt to access the database.
Users must enter the user name and Internet password at the logon prompt. Users that are successfully authenticated are then provided with the access level that is specified for the Default entry in the database ACL.

If both the Anonymous entry and the Default entry in the database ACL are set to No Access, a user must be listed in the ACL individually or as part of a group to access the database. Setting the Anonymous and Default entries to No Access provides the strictest control over access to the database because only users and groups that are listed in the ACL are allowed to access the database.

An individual name receives precedence over the Default entry. If a user's name is entered in a database ACL and provided with an access level, the user receives the access level assigned to the user name entry in the database. Only users who are not listed individually in the database ACL receive the Default access level.

Note: If the Anonymous entry does not exist in the database ACL, the Default entry in the ACL must be set to "No access" to require basic password authentication to the database. When the Anonymous entry does not exist in the database ACL, anonymous users can access the database and receive the access level assigned to the Default entry in the database. If the Anonymous entry exists in the ACL and is assigned the "No access" access level, users are authenticated when accessing the database and receive the access level specified for the Default entry in the ACL.

Related concepts
Database ACL settings
A database Access Control List (ACL) contains a list of users and defines user access to the contents of the database.

Related tasks
Setting up basic password authentication in a database Access Control List (ACL)
You can require users to specify a valid name and password when accessing a database on the Sametime server.
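The resolution rules stated in this section and in Access level - ACL settings (an individual entry beats a group entry, the highest level among several groups wins, unlisted names get Default, unauthenticated browser users get Anonymous or, when no Anonymous entry exists, Default, and "Maximum Internet name & password" caps every browser client) can be checked against a concrete ACL with the following Python model. It is an added example, not code from the guide or from the product; the ACL contents, names, and the ordering of wildcard entries relative to groups (which the guide does not specify) are this example's own assumptions.

```python
"""Added example, not part of the Sametime guide: a model of how a database ACL
resolves the effective access level for one request, using the rules stated in
this section (individual entry over group entry, highest level among groups,
Default for unlisted names, Anonymous for unauthenticated browser users, and
the "Maximum Internet name & password" cap for browser clients). The ACL
contents and names below are constructed for the example.
"""

# Access levels from lowest to highest, as listed in the guide.
LEVELS = ["No Access", "Depositor", "Reader", "Author", "Editor", "Designer", "Manager"]


def rank(level: str) -> int:
    return LEVELS.index(level)


class DatabaseAcl:
    def __init__(self, entries, groups=None, max_internet="Manager"):
        # entries: ACL name -> access level; may contain "Default" and "Anonymous"
        # groups:  group name -> set of member names (the group documents in the directory)
        self.entries = dict(entries)
        self.groups = dict(groups or {})
        self.max_internet = max_internet  # "Maximum Internet name & password" (Advanced tab)

    def level_for(self, name: str) -> str:
        """Access level for an authenticated name, before the browser cap."""
        if name in self.entries and name not in ("Default", "Anonymous"):
            return self.entries[name]  # individual entry wins over any group entry
        # "*/ou=West/o=Acme" style wildcard entries. Their precedence relative to
        # groups is this example's assumption: after exact names, before groups.
        for pattern, level in self.entries.items():
            if pattern.startswith("*/") and name.lower().endswith(pattern[1:].lower()):
                return level
        group_levels = [self.entries[g] for g, members in self.groups.items()
                        if name in members and g in self.entries]
        if group_levels:
            return max(group_levels, key=rank)  # highest of all matching groups
        return self.entries.get("Default", "No Access")

    def anonymous_level(self) -> str:
        """Anonymous entry if present; otherwise anonymous users receive Default."""
        return self.entries.get("Anonymous", self.entries.get("Default", "No Access"))

    def browser_access(self, name=None) -> str:
        """Effective level for a Web browser client; name=None is an unauthenticated user."""
        level = self.anonymous_level() if name is None else self.level_for(name)
        return min(level, self.max_internet, key=rank)  # the setting caps, it never raises

    def requires_login(self) -> bool:
        """True when anonymous users would get No Access, so the server prompts for name and Internet password."""
        return self.browser_access(None) == "No Access"


# Constructed Meeting Center style ACL: Anonymous = No Access forces a login,
# Default = Reader lets any authenticated directory user attend meetings.
STCONF = DatabaseAcl(
    entries={
        "Default": "Reader",
        "Anonymous": "No Access",
        "Jane Doe/ou=West/o=Acme": "Author",
        "*/ou=West/o=Acme": "Reader",
        "MeetingEditors": "Editor",
    },
    groups={"MeetingEditors": {"Jane Doe/ou=West/o=Acme", "Bob Lee/ou=East/o=Acme"}},
    max_internet="Author",
)

if __name__ == "__main__":
    for who in (None, "Jane Doe/ou=West/o=Acme", "Bob Lee/ou=East/o=Acme",
                "Sam Roe/ou=West/o=Acme", "Pat Kim/ou=North/o=Acme"):
        print(who or "<anonymous>", "->", STCONF.browser_access(who))
```

Running the sample ACL shows the two cases the guide's notes describe: Bob Lee is an Editor through his group but a browser session gets only Author because of the cap, and Jane Doe keeps her individual Author entry even though her group would grant Editor.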
Setting up basic password authentication in a database Access Control List (ACL):

You can require users to specify a valid name and password when accessing a database on the Sametime server.

About this task

Follow these steps to set up basic password authentication for a database.

1. From the Sametime server home page, click Administer the Server to open the Sametime Administration Tool.
2. If you are using a Domino Directory with the Sametime server, select Domino Directory → Domino. If you are using an LDAP directory with the Sametime server, select LDAP Directory.
3. Select Access Control.
4. Select a database from the list.
5. Click Advanced.
6. Set the "Maximum Internet name & password" access to Manager, which is the maximum access level.
   Note: The "Maximum Internet name & password" setting on the advanced panel of each database Access Control List (ACL) specifies the maximum database access level granted to Web browser clients. This setting overrides
higher individual access levels set in the ACL. For example, if you set the "Maximum Internet name & password" to Author and assign Manager access to the Anonymous entry in the database ACL, anonymous users will only have Author access to the database. Conversely, if you set the "Maximum Internet name & password" to Manager and assign Reader access to the Anonymous entry, anonymous users have only Reader access: the setting caps browser access and never raises it.
7. Click Access.
8. Select the Anonymous entry, and then select No Access in the Access box. If the Anonymous entry does not exist, you must create it:
   v Click Add.
   v Type Anonymous in the dialog box and click OK.
   v Select the Anonymous entry, and then select No Access in the Access box.
9. Select the Default entry. You can either set an access level for the Default entry, or set the Default entry to No Access.
   v If you specify an access level for the Default entry other than No Access, all users are required to authenticate when accessing the database. Each authenticated user receives the access level you have specified for the Default entry. It is not necessary to enter individual names or groups in the ACL. After selecting an access level for the Default entry, click Submit. You have finished the procedure required to set up basic password authentication in a database ACL. Skip the remaining steps.
   v If you select No Access for the Default entry, you must enter individual user names or group names in the ACL. Only the names and groups you enter can access the database. Complete steps 10 and 11 to add users to the ACL.
10. Click Add to add user names or group names to the ACL. Click OK after adding each name.
11. Click Submit.

Related concepts
Using database ACLs for identification and authentication
Identification and authentication is the process of determining the name of a user and verifying that users are who they say they are. You can use database Access Control Lists (ACLs) to control access to individual databases on the server.
Basic password authentication and database ACLs
You can set a database ACL to require basic password authentication.
Database ACL settings
A database Access Control List (ACL) contains a list of users and defines user access to the contents of the database.

Setting up single sign on authentication:

IBM Lotus Sametime single sign-on (SSO) authentication allows Web users to log in once to a Domino or WebSphere server, and then access any other Domino or WebSphere server in the same DNS domain that is enabled for SSO without having to log in again.

In a multiple server environment, it is possible that one or more servers in your Domino domain are already configured for Domino SSO, and the Domino Directory already contains a Domino Web SSO configuration document. When you install Lotus Sametime, it creates a Web SSO configuration
document called LtpaToken unless one already exists in the Domino Directory. If an LtpaToken configuration document already exists, Lotus Sametime does not attempt to alter it.

About this task

In some cases, it may be necessary to alter the default configuration of the Domino SSO feature following the Sametime server installation. For instructions, see "Altering the Domino Web SSO configuration following the Lotus Sametime server installation" on page 280.

Configuring the Domino Server for Web SSO

Complete the steps in this section if your Domino server is not configured for Web SSO, and you want to use the Web SSO document that Lotus Sametime creates to configure it.

1. From the Domino Administrator or a Lotus Notes client, click File → Database → Open. Browse to the Domino server and type names.nsf in the Filename field. Click Open.
   Note: If you attempt to open this document from the Domino Administrator Configuration tab, Web - Web Configurations view, the Web SSO Configuration document will not display.
2. Expand the list of Web SSO Configurations.
3. Double-click the "Web SSO Configuration for LtpaToken" document to open it in edit mode.
4. Update these fields as necessary:
   v Configuration name -- Enter LtpaToken.
   v DNS Domain -- Make sure this is the fully qualified domain suffix of the Sametime server. For example, if the server's fully qualified name is server.domain.com, enter .domain.com in this field. Ensure that the leading period (.) is present in front of the domain suffix.
   v Organization -- Leave this field blank.
   v Participating servers -- Add the Sametime server and other servers that belong to the SSO realm to the list.
   Note: When adding servers to the Participating servers field, click the arrow and choose the name from an Address Book when possible. If this is not possible, make sure that you use the full hierarchical name when you add a server (CN=Server/O=Org form, for example Server1/Acme).
5. After entering the information, select Keys and do one of the following:
   v Create a Domino SSO Key.
   v If WebSphere is participating in SSO, replace the Domino SSO key created by the install program with the WebSphere LTPA key, so that Domino and WebSphere share an identical key for token validation and generation. Do this by importing the LTPA key from WebSphere to Domino. For more information, see "Setting up SSO between Sametime Meeting Server and Sametime Community Server" on page 283.

Configuring Sametime for SPNEGO single sign-on:

IBM Lotus Sametime has a token-based single sign-on (SSO) feature that uses the Simple and Protected GSS-API Negotiation Mechanism (SPNEGO). This feature
requires the integration of several distinct components that, when completed, allows Sametime users to log in and authenticate only once at their desktop and thereafter automatically authenticate with the Sametime server.

Before you begin

Note: The SPNEGO feature replaces Microsoft Windows Single Sign-On; use SPNEGO instead, because Lotus Sametime will no longer support the Microsoft Windows SSO feature.

Required components
v Sametime Connect client
v Sametime server pointing to a Microsoft Active Directory LDAP server
v WebSphere server
v Microsoft Windows Active Directory Domain Controller and associated Kerberos Key Distribution Center (KDC)
v Microsoft Windows domain member

Follow these steps to configure Sametime for SPNEGO single sign-on:

1. Configure Sametime to use Active Directory.
2. Configure WebSphere for SPNEGO single sign-on:
   a. Connect WebSphere to Active Directory.
   b. Enable WebSphere security.
   c. Enable the SPNEGO TAI.
   d. Establish the secured resource URL to be used by the Sametime client.
   For more detailed information on setting up SPNEGO, see "Creating a single sign-on for HTTP requests using the SPNEGO TAI" in the IBM WebSphere information center.
3. Enable single sign-on for Domino and WebSphere application servers. Once WebSphere has been configured for SPNEGO single sign-on, the Domino server must import WebSphere's LTPA key to allow single sign-on between WebSphere and Sametime. For more information, see the Domino Administrator Help topic "Multi-server session-based name-and-password authentication for Web users (single sign-on)."
4. Validate the SPNEGO configuration.

Related concepts
"Sametime SPNEGO login sequence"
After logging into the Active Directory domain on a Microsoft Windows desktop, the user starts the IBM Lotus Sametime Connect client. When Log In is clicked, a two phase login operation begins.

Related tasks
"Configuring the Sametime Connect client for token login" on page 286
Single sign-on for HTTP requests using the Simple and Protected GSS-API Negotiation Mechanism (SPNEGO) trust association interceptor (TAI) for WebSphere Application Server allows IBM Lotus Sametime users to log in and authenticate only once at their desktop and receive automatic authentication from the WebSphere Application Server.

Related information
Single sign-on for HTTP requests using SPNEGO

Sametime SPNEGO login sequence:
After logging into the Active Directory domain on a Microsoft Windows desktop, the user starts the IBM Lotus Sametime Connect client. When Log In is clicked, a two phase login operation begins. No user interface or user intervention is required in this process.

In phase 1, the client executes an HTTP request for a protected URL on the IBM WebSphere server. This request is processed by the Simple and Protected GSS-API Negotiation Mechanism (SPNEGO) trust association interceptor (TAI), which triggers the SPNEGO negotiation between the client machine and WebSphere. Once trust is established, an LtpaToken is sent to the client in the HTTP response.

In phase 2, the client logs in to the Sametime server with the LtpaToken.

The following picture shows the Lotus Sametime SPNEGO login sequence.

Configuring Sametime to use Active Directory: Before you can configure IBM Lotus Sametime to use SPNEGO single sign-on, you must configure the Sametime server to use the Microsoft Windows Active Directory.
About this task

1. On the Sametime server home page, click Administer the Server.
2. Expand the LDAP Directory.
3. Enter values in the LDAP Directory that are appropriate for your site, and click Update when you are finished. See the example in the following table.

Example

Connectivity tab
  Host name or IP address of the LDAP server: yourserver.yourdomain.yourcompany.com
  Administrator distinguished name: cn=administer,ou=Users,ou=Company,ou=Division,o=Group1,dc=floor5,dc=market,dc=ourcompany,dc=com
  Administrator password: mypassword

Basics tab
  People - Where to start searching for people (Base object for person entries): OU=Company,O=Group,DC=floor5,DC=market,DC=ourcompany,DC=com
  People - The attribute of the person entry that defines the person's name (for example, cn or mail): CN
  People - The object class used to determine if an entry is a person (for example, organizationalPerson): organizationalPerson
  Groups - Where to start searching for groups (Base object for group entries): OU=Company,O=Group,DC=floor5,DC=market,DC=ourcompany,DC=com
  Groups - Attribute of the group that defines the group name (for example, cn or mail): cn
  Groups - The group object class used to determine if an entry is a group (for example, groupOfNames or groupOfUniqueNames): Group

Authentication tab
  Search filter to use when resolving a user name to a distinguished name (modifying this field affects the name people use to authenticate): (&(objectcategory=person)(|(cn=%s*)(givenname=%s*)(sn=%s*)(mail=%s*)))

Searching tab
  Search filter for resolving person names: (&(objectcategory=person)(|(cn=%s*)(givenname=%s*)(sn=%s*)(mail=%s*)))
  Search filter for resolving group names: (&(objectcategory=group)(cn=%s*))

Group Contents tab
  Attribute in the group member object class that has the names of the group members (for example, member or uniqueMember): member
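The %s in the Authentication and Searching filters above is replaced with the name a user types before the filter is sent to the LDAP server, so the characters allowed into that value decide whether the filter keeps its shape. The following Python is an added example, not code from the guide or from Sametime; the guide does not say how the product treats the substituted value, so the RFC 4515 escaping shown here is this example's own, and the small parser covers only the and/or/not and attribute=value forms these filters use. It shows that an unescaped "*" turns the name-resolution filter into a match-anyone query and that an unescaped ")(" injects extra assertions, while the escaped form stays a single assertion.

```python
"""Added example, not from the Sametime guide: how the %s search filters in the
table above expand, and why the value substituted for %s must be escaped.
Sametime replaces %s with the name a user typed before sending the filter to
the LDAP server; the guide does not say how that value is treated, so the
escaping below (RFC 4515 rules) is this example's own, used to show the
difference between a safe and an unsafe expansion. The parser handles only
the and/or/not and attribute=value forms used by these filters.
"""

# Filters copied from the Authentication and Searching rows of the table.
AUTH_FILTER = "(&(objectcategory=person)(|(cn=%s*)(givenname=%s*)(sn=%s*)(mail=%s*)))"
GROUP_FILTER = "(&(objectcategory=group)(cn=%s*))"

_ESCAPES = {"\\": r"\5c", "*": r"\2a", "(": r"\28", ")": r"\29", "\0": r"\00"}


def escape_filter_value(value: str) -> str:
    """Escape an assertion value (RFC 4515) so it cannot change the filter's structure."""
    return "".join(_ESCAPES.get(ch, ch) for ch in value)


def expand(template: str, typed_name: str, escape: bool = True) -> str:
    """Substitute the typed name for every %s, escaped unless the caller opts out."""
    value = escape_filter_value(typed_name) if escape else typed_name
    return template.replace("%s", value)


def parse_filter(text: str):
    """Parse a filter into ('&'|'|', [children]), ('!', child) or ('item', attr, value)."""
    node, end = _parse(text, 0)
    if end != len(text):
        raise ValueError(f"trailing data at offset {end}")
    return node


def _parse(s: str, i: int):
    if i >= len(s) or s[i] != "(":
        raise ValueError(f"expected '(' at offset {i}")
    i += 1
    if i >= len(s):
        raise ValueError("unterminated filter")
    if s[i] in "&|":
        op, children, i = s[i], [], i + 1
        while i < len(s) and s[i] == "(":
            child, i = _parse(s, i)
            children.append(child)
        return _close(s, i, (op, children))
    if s[i] == "!":
        child, i = _parse(s, i + 1)
        return _close(s, i, ("!", child))
    end = s.find(")", i)  # escaped parentheses are "\28"/"\29", so this is the real close
    if end < 0:
        raise ValueError("unterminated item")
    attr, _, value = s[i:end].partition("=")
    return ("item", attr, value), end + 1


def _close(s: str, i: int, node):
    if i >= len(s) or s[i] != ")":
        raise ValueError(f"expected ')' at offset {i}")
    return node, i + 1


def leaf_items(node) -> list:
    """Flatten a parsed filter to its attribute=value assertions."""
    if node[0] in ("&", "|"):
        return [leaf for child in node[1] for leaf in leaf_items(child)]
    if node[0] == "!":
        return leaf_items(node[1])
    return [node]


if __name__ == "__main__":
    # Constructed inputs: a normal login name, a bare wildcard, and a value that
    # closes one assertion and opens another.
    for name in ("jwaters", "*", "a)(sn=b"):
        for escape in (True, False):
            f = expand(AUTH_FILTER, name, escape)
            print(f"{name!r:12} escaped={escape!s:5} assertions={len(leaf_items(parse_filter(f)))}  {f}")
```

With the typed value "a)(sn=b" the unescaped expansion parses as nine assertions instead of five, because each "%s" now carries an extra "(sn=b*)" alternative inside the OR; with "*" unescaped the filter becomes "(cn=**)", which every person entry satisfies. Because the Authentication filter is what maps a typed login name to a distinguished name, that is the field to watch most closely when you customise it.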

Validating the SPNEGO configuration:

Before using the IBM Lotus Sametime Connect client, you can validate the Simple and Protected GSS-API Negotiation Mechanism (SPNEGO) configuration.

1. Log in to the Active Directory domain on the Microsoft Windows client machine.
2. Configure the client browser to use SPNEGO. See "Configuring the client browser to use SPNEGO" in the IBM WebSphere information center.
3. Using a browser, request the protected URL from the WebSphere server. This action triggers the TAI. Instead of being challenged with a form authentication dialog, you are authenticated automatically: the browser simply loads the secured page. If this succeeds, WebSphere has been configured for SPNEGO single sign-on correctly.
4. In the same browser window, enter the address of the Sametime Meeting Center (http://hostname/stcenter.nsf). When the page loads, you should be logged in automatically. If so, single sign-on between Sametime and WebSphere has been configured correctly.

Configuring the Sametime Connect client for token login:

Single sign-on for HTTP requests using the Simple and Protected GSS-API Negotiation Mechanism (SPNEGO) trust association interceptor (TAI) for WebSphere Application Server allows IBM Lotus Sametime users to log in and authenticate only once at their desktop and receive automatic authentication from the WebSphere Application Server.

About this task

The Lotus Sametime Connect client must be configured to use the SPNEGO SSO feature. Configuration can be established in a silent installation or done manually by the user.

Silent installation

The settings for token-based login can be pre-configured using the silent installer. In the silentinstall.ini file found on the Lotus Sametime Connect compact disk, include the following settings:
v STAUTHSERVERURL=<WebSphere Authentication URL>
v STLOGINBYTOKEN=true
v STUSEAUTHSERVER=true

Manual configuration

To configure the Sametime Connect client manually for SPNEGO single sign-on, follow these steps:

Chapter 1. Configuring

317

1. In the Log in to Sametime dialog box, enter your fully qualified host server name and your user name. 2. Click Connectivity. 3. Select the Use token based single sign on box. 4. Enter the URL for your authentication server in the Authentication server URL box. For example, http://authenserverurl.com. 5. Click OK. 6. In the Log in to Sametime dialog box, click Log In.

Importing an SSL certificate from Lotus Sametime Unified Telephony
If you plan to configure telephony services in your deployment using IBM Lotus Sametime Unified Telephony, import the Telephony Application Server’s SSL certificate into the Lotus Sametime Proxy Server’s truststore.

Before you begin
Secure Socket Layer (SSL) encryption is required for telephony services. You must import the telephony server's SSL certificate into the Lotus Sametime Proxy Server's truststore before you enable SSL between Lotus Sametime Proxy Server and Lotus Sametime Unified Telephony.
1. Copy the SSL certificate from Lotus Sametime Unified Telephony:
   a. On the Telephony Application Server, log in to the IBM WebSphere Application Server Integrated Solutions Console as the WebSphere administrator.
   b. Click Security → SSL certificate and key management → Key stores and certificates → NodeDefaultTrustStore → Signer certificates.
   c. Select the Alias default_signer (or the appropriate one, if you customized it) and click Extract.
   d. Type a file name for storing the signer certificate.
2. Now import the SSL certificate into the Lotus Sametime Proxy Server's truststore:
   a. On the Lotus Sametime Proxy Server, log in to the WebSphere Application Server Integrated Solutions Console as the WebSphere administrator.
   b. Click Security → SSL certificate and key management → Key stores and certificates → CellDefaultTrustStore → Signer certificates.
   c. Click Add.
   d. Type an alias for the certificate; for example, "SUT".
   e. Type the name of the file where you stored the SSL certificate in Step 1-d.
   f. Click Apply.
   g. Save the imported certificate by clicking Save in the "Messages" box at the top of the page.
   h. Restart the Lotus Sametime Proxy Server.


Chapter 2. Administering
IBM Lotus Sametime administrators set up and maintain users and their ability to use Lotus Sametime features. They also maintain and monitor the servers. This section contains information about user registration and policies and the tools that you can use to administer the server.

Command reference for starting and stopping servers
You may use a command window to start and stop Sametime components running on WebSphere Application Server. To stop servers, you will supply the WebSphere Application Server administrator password that was established when you installed the server. Important: Verify that the Deployment Manager for the cell is running before starting any server.
Table 7. Server command directories
Type | Primary node | Secondary node
Sametime System Console | STSCAppProfile/bin | STSCSNAppProfile/bin
Meeting Server | STMAppProfile/bin | STMSNAppProfile/bin
Proxy Server | STPAppProfile/bin | STPSNAppProfile/bin
Media Manager | STMSAppProfile/bin | STMSSNAppProfile/bin

AIX, Linux, or Solaris
Note: The Deployment Manager must be running for the cell before starting a server. Also note that the server name is case sensitive.
Table 8. Start server commands for AIX, Linux, or Solaris
Sametime System Console:
  ./startNode.sh
  ./startServer.sh STConsoleServer
Meeting Server:
  ./startNode.sh
  ./startServer.sh STMeetingHttpProxy
  ./startServer.sh STMeetingServer
Proxy Server:
  ./startNode.sh
  ./startServer.sh STProxyServer
Media Manager:
  ./startNode.sh
  ./startServer.sh STMediaServer

© Copyright IBM Corp. 1996, 2009


Table 9. Stop server commands for AIX, Linux, or Solaris
Sametime System Console:
  ./stopServer.sh STConsoleServer -username username -password password
  ./stopNode.sh -username username -password password
Meeting Server:
  ./stopServer.sh STMeetingServer -username username -password password
  ./stopServer.sh STMeetingHttpProxy
  ./stopNode.sh -username username -password password
Proxy Server:
  ./stopServer.sh STProxyServer -username username -password password
  ./stopNode.sh -username username -password password
Media Manager:
  ./stopServer.sh STMediaServer -username username -password password
  ./stopNode.sh -username username -password password

Windows
The Start Programs menu is also a convenient way to start and stop Sametime servers running on WebSphere Application Server. Note: The Deployment Manager must be running for the cell before starting a server. Also note that the server name is case sensitive.
Table 10. Start server commands for Windows
Sametime System Console:
  startNode.bat
  startServer.bat STConsoleServer
Meeting Server:
  startNode.bat
  startServer.bat STMeetingHttpProxy
  startServer.bat STMeetingServer
Proxy Server:
  startNode.bat
  startServer.bat STProxyServer
Media Manager:
  startNode.bat
  startServer.bat STMediaServer


Table 11. Stop server commands for Windows
Sametime System Console:
  stopServer.bat STConsoleServer -username username -password password
  stopNode.bat -username username -password password
Meeting Server:
  stopServer.bat STMeetingServer -username username -password password
  stopServer.bat STMeetingHttpProxy
  stopNode.bat -username username -password password
Proxy Server:
  stopServer.bat STProxyServer -username username -password password
  stopNode.bat -username username -password password
Media Manager:
  stopServer.bat STMediaServer -username username -password password
  stopNode.bat -username username -password password

IBM i
Note: The Deployment Manager must be running for the cell before starting a server. Also note that the server name is case sensitive.
Table 12. Start server commands for IBM i
Sametime System Console:
  startNode
  startServer STConsoleServer
Meeting Server:
  startNode
  startServer STMeetingHttpProxy
  startServer STMeetingServer
Proxy Server:
  startNode
  startServer STProxyServer
Media Manager:
  Not supported on IBM i

Table 13. Stop server commands for IBM i
Sametime System Console:
  stopServer STConsoleServer -username username -password password
  stopNode -username username -password password
Meeting Server:
  stopServer STMeetingServer -username username -password password
  stopServer STMeetingHttpProxy -username username -password password
  stopNode -username username -password password
Proxy Server:
  stopServer STProxyServer -username username -password password
  stopNode -username username -password password
Media Manager:
  Not supported on IBM i

Lotus Sametime component URLs
This section lists the URLs for IBM Lotus Sametime servers and components. The following table lists the URLs for logging in to Lotus Sametime:
Table 14. Lotus Sametime URLs

Sametime component: Lotus Sametime System Console
  URL: http://consoleserverhostname.domain:8700/ibm/console
  Logging in: Log in with your WebSphere Application Server User ID and password. Click Sametime System Console → Sametime Servers. A single Integrated Solutions Console URL is only applicable if you deploy a cluster and choose to use the Lotus Sametime System Console as the Deployment Manager for all Sametime products. The default port is 8700 for all platforms except IBM i. For IBM i, the port number may not be 8700. Use the port that was listed in the Sametime System Console installation results summary. To check the port, open the AboutThisProfile.txt file for the Sametime System Console Deployment Manager Profile and use the setting specified for the "Administrative console port." For the default profile name (STSCDmgrProfile), the file is located here: /QIBM/UserData/Websphere/AppServer/V7/SametimeWAS/profiles/STSCDmgrProfile/logs/AboutThisProfile.txt

Sametime component: Lotus Sametime Gateway
  URL: http://gatewayserverhostname.domain:port/ibm/console
  Logging in: Log in with your WebSphere Application Server User ID and password. The default port is 9060 for all platforms except IBM i. For IBM i, the port number may not be 9060. To check the port, open the logs/AboutThisProfile.txt file for the WebSphere Application Server profile that is running the ISC for your Gateway server and use the setting specified for the "Administrative console port." If you have installed a single Sametime Gateway server, this will be the one Sametime Gateway profile you have. If you have a cluster setup, this profile will be the Deployment Manager profile that your Sametime Gateway server has been clustered with.

Sametime component: Sametime Web client
  URL: http://proxyserverhostname.domain:port/stwebclient/index.jsp
  Logging in: Log in with your user name and password. To verify the port number being used by the Lotus Sametime Proxy Server, log in to the Lotus Sametime System Console. In the WebSphere Application Server administrative console, click Servers → WebSphere application servers → STProxyServer → Ports → WC_defaulthost to find the port number. For IBM i, to verify the HTTP port number being used by the Lotus Sametime Proxy Server, open the AboutThisProfile.txt file for the Sametime Proxy Application Server Profile and use the setting specified for the HTTP transport port. The default profile name is STPAppProfile. On IBM i, look for the AboutThisProfile.txt file in the following location: /QIBM/UserData/Websphere/AppServer/V7/SametimeWAS/profiles/STPAppProfile/logs/AboutThisProfile

Sametime component: Meeting Room Center
  URL: http://meetingserverhostname.domain:port/stmeetings
  Logging in: Log in with your user name and password. To verify the HTTP port number being used by the Lotus Sametime Meeting Server, open the AboutThisProfile.txt file for the Sametime Meeting Application Server Profile and use the setting specified for the HTTP transport port. The default profile name is STMAppProfile. For IBM i, look for the AboutThisProfile.txt file in the following location: /QIBM/UserData/Websphere/AppServer/V7/SametimeWAS/profiles/STMAppProfile/logs/AboutThisProfile.txt

Sametime component: Lotus Sametime Community Server Administrator Tool
  URL: http://communityserverhostname.domain:port/stcenter.nsf
  Logging in: Log in with your Domino administrator's name and password. Under Administrator Tools, click Administer the server. Specify the port number if it is not the default port number 80.

Managing users with policies
All IBM Lotus Sametime users are automatically assigned to default policies. Sametime Instant Messaging, Meetings, and Media Services each has a default policy to be applied to users. You can create additional user policies, and assign users and groups to these policies.

About this task
When a user authenticates, Lotus Sametime applies a default policy if no other policy can be found for that user. You can create new policies that grant or limit access to features, and assign users to these policies. Users can be assigned to more than one policy. If a user belongs to more than one policy, then Lotus Sametime uses the policy weight to determine policy precedence. Custom policies can be designed for specific groups in the company, and the default policy can be inherited or assigned. Meetings policy changes take effect immediately, while Instant Messaging and Media Services policy changes take effect within an hour. There is also an anonymous policy that is assigned by default to users who have not authenticated, and unauthenticated users always receive this policy.
Note: If your deployment includes the Lotus Sametime System Console, you must manage policies there because all settings made in the legacy Sametime Administration Tool (STCenter.nsf) are ignored. This includes the override all feature, as well. Moreover, there is no automatic migration of policies from the Sametime Administration Tool to the Lotus Sametime System Console. You must do this manually because Sametime Administration Tool policies do not map one-to-one to policies in the Lotus Sametime System Console.

Finding policies associated with a user
You can find all the policies associated with a user for all the IBM Lotus Sametime products to which the user has access.
1. Log in to the Integrated Solutions Console.
2. Click Sametime System Console.
3. Click Manage Policies.
4. Click any Lotus Sametime component. It does not matter which component you select, because your search results display all the policies for all the Sametime components to which the user has access.
   - Instant Messaging
   - Meetings
   - Media Manager
5. Click Find Active Policies.
6. In the Search by field, select the criterion for the user for which you want to find the associated policies.
   - User ID
   - Name
   - E-mail address
7. Enter the entire or partial user ID, e-mail address, or name of the user or group in the Search for field. If you enter partial information, use an asterisk as a wildcard character for missing or incomplete information. For example, type sm* for all names starting with sm.
8. Select the number of listings in the search results in the Maximum results field.
9. Click Search. The results display the users that match your search criteria.
10. Select a name in the results table, and then click Find Active Policies to show the policies for that user.
11. Click Done.

Creating new user policies
You can create user policies, and assign users and groups to these policies.

About this task
You can set policy for users to have access to specific IBM Lotus Sametime features, depending upon their level of need. For example, the maximum size for a file being transferred is set by default at 1 megabyte to help manage traffic over the server(s); however, if you have a group that routinely transfers large files for business reasons, you can create a new policy specifically for those users and set the maximum size of files that they can send to a much higher number.
1. Log in to the Integrated Solutions Console.
2. Click Sametime System Console.
3. Click Manage Policies.
4. Click the Lotus Sametime product for which you want to create a policy.
   - Instant Messaging
   - Meetings
   - Media Manager
5. Click New.
6. Enter a name to use to identify the policy in the Policy Name field.
7. Specify the features that you want to enable or disable for the users or groups that you will assign to this policy. Some instant messaging features are flagged with IC characters after the field label. This flag indicates that a feature is only available for installed clients. The feature is not available to browser clients.
8. Click OK.

Results
Tip: You can follow these same basic steps to delete or edit a policy. Delete a policy by selecting it and then clicking the Delete button. Edit a policy by clicking the policy name. You cannot delete the anonymous or default policies, but you can edit them. If you edit a policy, you cannot change the policy ID. To change the ID, you must make a copy of the policy by selecting it and clicking Duplicate; then you can enter a new ID in the copy. Before you delete the original, be sure to reassign the users and groups to the copy and give it the proper policy weight.

What to do next
You can now assign users and groups to this policy.

Assign users and groups to policies
You can assign users and groups to specific user policies to grant or limit access to features in IBM Lotus Sametime.

About this task
You cannot assign users to the default or anonymous policies. Authenticated users are automatically assigned to the default policies. Unauthenticated users are assigned to anonymous policies.
1. Log in to the Integrated Solutions Console.
2. Click Sametime System Console.
3. Click Manage Policies.
4. Click the Lotus Sametime component with the policy to which you want to assign a user or a group.
   - Instant Messaging
   - Meetings
   - Media Manager
5. Select a policy name from the list, and click Assign.
6. Click Add Users or Add Groups. At this point you could also remove a user from a policy, by selecting the user in the list and then clicking Remove.
7. In the Search by field, select the criterion for searching for the user or group that you want to add to the policy.
   - User ID
   - Name
   - E-mail address
8. Enter the user ID, e-mail address, or name (or a partial name with asterisks as wildcard characters) of the user or group in the Search for field.
9. Select the number of listings on each search results page in the Maximum results field.
10. Click Search. The results display the DN, display name, and e-mail address of the users that matched your search.
11. Select a user and click Assign.
12. Click Done.
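The precedence rule given under "Managing users with policies" (unauthenticated users always get the anonymous policy; an authenticated user who matches several policies gets the one with the highest weight; a user with no match gets the default policy), together with the large-file scenario from "Creating new user policies" and the assignment of users and groups above, modelled as an added Python example. This is not code from the guide or from Sametime; the custom policy names, group DNs and user DNs are constructed for the example, and the file transfer values are the Table 17 defaults.

```python
# Added model of Sametime policy precedence (not Sametime code). Policy names
# of the built-in policies come from the guide; everything else is constructed.
from dataclasses import dataclass, field


@dataclass
class Policy:
    """One user policy. When a user matches several policies, the one with the
    highest weight wins, whatever its settings say."""
    name: str
    weight: int
    settings: dict
    users: set = field(default_factory=set)    # assigned user DNs
    groups: set = field(default_factory=set)   # assigned group DNs


# Built-in policies. Nobody is assigned to these explicitly: the default policy
# covers authenticated users with no other match, the anonymous policy covers
# unauthenticated users. Settings are the Table 17 file-transfer defaults.
DEFAULT_POLICY = Policy(
    "Sametime Instant Messaging Default Policy", weight=0,
    settings={"allow_file_transfer": True, "max_file_transfer_kb": 1000})
ANONYMOUS_POLICY = Policy(
    "Sametime Instant Messaging Anonymous Policy", weight=0,
    settings={"allow_file_transfer": False, "max_file_transfer_kb": 0})

# Constructed custom policies (hypothetical names and group DNs).
LARGE_FILES = Policy(
    "Design team large files", weight=10,
    settings={"allow_file_transfer": True, "max_file_transfer_kb": 50000},
    groups={"cn=design,ou=groups,o=example"})
NO_TRANSFER = Policy(
    "Contractors no transfer", weight=5,
    settings={"allow_file_transfer": False, "max_file_transfer_kb": 0},
    groups={"cn=contractors,ou=groups,o=example"})
CUSTOM_POLICIES = [LARGE_FILES, NO_TRANSFER]


def resolve_policy(user_dn, group_dns, custom_policies, *, authenticated=True,
                   default=DEFAULT_POLICY, anonymous=ANONYMOUS_POLICY):
    """Pick the policy that applies to one user, following the guide's rule."""
    if not authenticated:
        return anonymous
    matches = [p for p in custom_policies
               if user_dn in p.users or not p.groups.isdisjoint(group_dns)]
    if not matches:
        return default
    return max(matches, key=lambda p: p.weight)


def file_transfer_limit_kb(policy):
    """Effective file transfer limit: 0 when transfer is disabled."""
    s = policy.settings
    return s["max_file_transfer_kb"] if s["allow_file_transfer"] else 0


if __name__ == "__main__":
    # A contractor who is also in the design group receives the higher-weighted
    # policy, which here is the permissive one: the restrictive policy only
    # wins if the administrator gives it the higher weight.
    p = resolve_policy("uid=pat,o=example",
                       {"cn=design,ou=groups,o=example",
                        "cn=contractors,ou=groups,o=example"},
                       CUSTOM_POLICIES)
    print(p.name, file_transfer_limit_kb(p))
```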

Sametime Instant Messaging user policy settings
You can grant or limit access to features in IBM Lotus Sametime Instant Messaging by enabling or disabling various policies for users. Policy changes take effect immediately. All unauthenticated users have the anonymous policy, Sametime Instant Messaging Anonymous Policy, applied to them. For authenticated users, Lotus Sametime searches for a user ID or group match, and then applies the highest weighted policy. If there is no match, then the default policy, Sametime Instant Messaging Default Policy, is applied.
Table 15. Chat
(Columns: Setting; Purpose; Sametime Instant Messaging Default Policy; Sametime Instant Messaging Anonymous Policy)

Setting: User must set this community as the default server community
  Purpose: Users must log in to this community before they can log in to other communities. This setting does not apply to browser users.
  Default Policy: Selected
  Anonymous Policy: Selected

Setting: Allow user to add multiple server communities
  Purpose: If this is checked, community preferences and menus are available to users. This setting does not apply to browser users.
  Default Policy: Selected
  Anonymous Policy: Not selected

Setting: Allow user to add external users using Sametime Gateway communities
  Purpose: Allows users to connect to external communities such as AIM, Yahoo, OCS, and Google Talk. If this policy is not allowed, the check box and text for adding external users by e-mail address are not available in clients.
  Default Policy: Not selected
  Anonymous Policy: Not selected

Setting: Allow user to save chat transcripts
  Purpose: If this is enabled, users see the File-Save option in the chat window. Chat history capabilities are available. This setting does not apply to browser users.
  Default Policy: Selected
  Anonymous Policy: Not selected

Setting: Automatically save chat transcripts
  Purpose: This is not valid unless Allow user to save chat transcripts is selected. If this is not selected, then users do not see preferences for chat history or the chat history viewer in their clients. This setting does not apply to browser users.
  Default Policy: Selected
  Anonymous Policy: Not selected

Setting: Maximum days to save automatically saved chat transcripts
  Purpose: If Automatically save chat transcripts is selected, then a value must be entered in this field. Users cannot set a larger value in their clients than the one specified here. This setting does not apply to browser users.
  Default Policy: 365
  Anonymous Policy: 0

Contacts

Setting: Limit contact list size
  Purpose: This limits the number of contacts that users can enter in their contact lists.
  Default Policy: Not selected
  Anonymous Policy: Not selected

Setting: (value field for Limit contact list size)
  Purpose: If Limit contact list size is selected, then a value must be entered in this field. Specify the number of contacts that users can enter in their contact lists.
  Default Policy: 500
  Anonymous Policy: 500

Setting: Allow all Sametime Connect features to be used with integrated clients
  Purpose: If this is not selected, some Lotus Sametime Connect features do not display when Lotus Sametime is integrated with other products. This setting does not apply to browser users.
  Default Policy: Not selected
  Anonymous Policy: Not selected

Setting: Allow mobile client
  Purpose: This feature lets users deploy Lotus Sametime awareness and chat features on a mobile device.
  Default Policy: Selected
  Anonymous Policy: Selected

Setting: Sametime update site URL
  Purpose: Provides a URL where users can retrieve updates to features for the Lotus Sametime Connect client. This setting does not apply to browser users.
  Default Policy: updates.sametime.ibm.com
  Anonymous Policy: Blank

Table 16. Image Settings
(Columns: Setting; Purpose; Sametime Instant Messaging Default Policy; Sametime Instant Messaging Anonymous Policy)

Setting: Allow custom emoticons
  Purpose: Allows all actions on the preferences palette: new, import, export, add picture, add palettes. This setting does not apply to browser users.
  Default Policy: Selected
  Anonymous Policy: Not selected

Setting: Allow screen capture and images
  Purpose: Allows pasting and right-click copying of images and screen captures. This setting does not apply to browser users.
  Default Policy: Selected
  Anonymous Policy: Not selected

Setting: Set maximum image size for custom emoticons, screen captures, and inline images
  Purpose: This setting includes images pasted inline through the palette emoticons, cut and paste, screen captures, and print screen. It does not include images sent through file transfer. This setting does not apply to browser users.
  Default Policy: Not selected
  Anonymous Policy: Not selected

Setting: KB
  Purpose: If Set maximum image size for custom emoticons, screen captures, and inline images is selected, then a value must be entered in this field. Users see a message if they attempt to send a file that is larger than the specified size. This setting does not apply to browser users.
  Default Policy: 500
  Anonymous Policy: 0

Table 17. File Transfer
(Columns: Setting; Purpose; Sametime Instant Messaging Default Policy; Sametime Instant Messaging Anonymous Policy)

Setting: Allow user to transfer files
  Purpose: Allows the user to transfer files to other users. This setting does not apply to browser users.
  Default Policy: Selected
  Anonymous Policy: Not selected

Setting: Maximum file transfer in Kilobytes
  Purpose: Limits the size of the file that can be transferred to the specified value, in kilobytes. This setting does not apply to browser users.
  Default Policy: 1000
  Anonymous Policy: 0

Setting: Allow client-to-client file transfer
  Purpose: Allows users to transfer files without passing the files through the Lotus Sametime server. These files are not logged. This setting does not apply to browser users.
  Default Policy: Selected
  Anonymous Policy: Not selected

Setting: Use exclude file types transfer list
  Purpose: Limits the types of files that users can transfer. This setting does not apply to browser users.
  Default Policy: Not selected
  Anonymous Policy: Not selected

Setting: Types to exclude from transfer. Type the three-letter extension of each file type, separated by a comma or semicolon
  Purpose: If Use exclude file types transfer list is selected, then a value must be entered in this field. Type the three-letter extension of each file type, separated by a comma or semicolon. Accepts bmp, gif, txt, pdf, sxi, sxc, sxw file extensions. Comma-separated values and spaces are acceptable. This setting does not apply to browser users.
  Default Policy: exe, com, bat
  Anonymous Policy: Blank

Table 18. Plugin Management
(Columns: Setting; Purpose; Sametime Instant Messaging Default Policy; Sametime Instant Messaging Anonymous Policy)

Setting: Allow user to install plug-in
  Purpose: Allows users to install plug-ins and updates from the Lotus Sametime Connect Tools → Plug-ins menu. This setting does not apply to browser users.
  Default Policy: Selected
  Anonymous Policy: Selected

Setting: Sametime optional plug-in site URLs. Type the URLs separated by a comma or semicolon
  Purpose: If no value is specified, then the Check for Optional Features item on the Tools → Plug-ins menu is not valid. This setting does not apply to browser users.
  Default Policy: Blank
  Anonymous Policy: Blank

Meetings user policy settings
You can grant or limit access to features in meetings by enabling or disabling various policies for users. Policy changes take effect immediately.


All unauthenticated IBM Lotus Sametime users have the anonymous policy, Sametime Meetings Anonymous Policy, applied to them. For authenticated users, Lotus Sametime searches for a user ID or group match, and then applies the highest weighted policy. If there is no match, the default policy, Sametime Meetings Default Policy, is applied. Lotus Sametime does not allow anonymous users to create meeting rooms. Therefore, any policy that is related to authenticated users or to the ability to create meeting rooms does not apply to anonymous users.
Note: Although Lotus Sametime Classic meetings are still managed on the server itself, you can set user policy for Sametime Classic meetings on the Meetings policy tab in the Sametime Classic Meetings section.
Table 19. General Meeting Settings
(Columns: Setting; Purpose; Sametime Meetings Default Policy; Sametime Meetings Anonymous Policy)

Setting: Maximum persistent meeting rooms this user can own
  Purpose: Users are limited to creating this number of meeting rooms per user. When this limit is reached or set to zero, users cannot create more meeting rooms.
  Default Policy: 100
  Anonymous Policy: 0

Setting: Allow user to create instant (nonpersistent) meeting rooms
  Purpose: If not selected, the user does not see the capabilities for creating instant meetings. The user can still see the capabilities for using an existing room.
  Default Policy: Selected
  Anonymous Policy: Not selected

Setting: Automatically connect to meeting server when logging into Sametime Connect
  Purpose: If not selected, the user must manually connect to each meeting room server to view the meetings there. This setting is stored with the client, so changes in the policy do not take effect until after the next time the user logs in to the server. This setting does not apply to browser users.
  Default Policy: Selected
  Anonymous Policy: Not selected

Setting: Allow searching of meeting rooms
  Purpose: If not selected, users can attend meeting rooms only with a direct URL. The meeting room manager interface never shows. Only affects browser users.
  Default Policy: Selected
  Anonymous Policy: Not selected

Setting: Allow searching of hidden meeting rooms
  Purpose: If selected, the interface allows the user to explicitly search for hidden meeting rooms by exact name. If not selected, the interface for searching for hidden meeting rooms does not appear, and hidden meeting rooms are never returned in search results.
  Default Policy: Not selected
  Anonymous Policy: Not selected

Setting: Show "Scheduled Meetings" view
  Purpose: Determines whether to show the "Scheduled Meetings" view in the shelf. This setting does not apply to browser users.
  Default Policy: Selected
  Anonymous Policy: Selected

Setting: Allow meetings to be recorded
  Purpose: Allows users to record meetings for rooms they have created. This setting does not apply to browser users.
  Default Policy: Not selected
  Anonymous Policy: Not selected

Setting: Allow meeting content to be downloaded
  Purpose: Allows users to download content from the meeting library.
  Default Policy: Selected
  Anonymous Policy: Selected

Setting: Meeting room group chats
  Purpose: Hidden - Users cannot see or create group chats. Read-only - Users can only read what others have typed into the group chat. Interactive - Users can type and read group chats.
  Default Policy: Interactive
  Anonymous Policy: Interactive

Table 20. Meeting Room Library
(Columns: Setting; Purpose; Sametime Meetings Default Policy; Sametime Meetings Anonymous Policy)

Setting: Maximum file upload size, in Megabytes
  Purpose: Maximum file upload size in megabytes. Users cannot upload a larger file into the library.
  Default Policy: 50
  Anonymous Policy: 0

Setting: Maximum total size of library in Megabytes
  Purpose: Maximum total size in megabytes of all files that the library can hold. If the size limit is reached, or if the value is zero, then users cannot upload files to the library.
  Default Policy: 200
  Anonymous Policy: 0

Table 21. Screen Sharing
(Columns: Feature list; Purpose; Sametime Meetings Default Policy; Sametime Meetings Anonymous Policy)

Feature: Allow screen sharing
  Purpose: Disabled - Users cannot share screens or applications. Share an application - Users can share a specific application. No other applications or their desktops are shared. Entire screen, frame, and applications - Users share their whole screen including any applications that they open on their screens.
  Default Policy: Entire screen, frame, and applications
  Anonymous Policy: Entire screen, frame, and applications

Feature: Allow user to control another user's shared screen
  Purpose: Allow others to control a user's shared screen. Any participant can make changes to the shared information. This setting does not apply to browser users.
  Default Policy: Selected
  Anonymous Policy: Not selected

Feature: Allow peer-to-peer application sharing
  Purpose: Whenever this user hosts screen sharing, peer-to-peer can be used by any viewers that support it.
  Default Policy: Selected
  Anonymous Policy: Not selected

Feature: Enforce bandwidth limitations
  Purpose: Any time the user hosts sharing, the experience is limited by the value specified in the Maximum bandwidth size.
  Default Policy: Not selected
  Anonymous Policy: Not selected

Feature: Maximum bandwidth size, in Kilobytes per second
  Purpose: This is not used unless "Enforce bandwidth limitations" is selected.
  Default Policy: 500
  Anonymous Policy: 500

Table 22. Sametime Classic Meetings
(Columns: Feature list; Purpose; Sametime Meetings Default Policy; Sametime Meetings Anonymous Policy)

Feature: Allow users to create instant meetings and breakout sessions
  Purpose: Lets users start a meeting from the contact list, from an existing chat, and from within a meeting (breakout session).
  Default Policy: Selected
  Anonymous Policy: Not selected

Feature: Allow Sametime IP audio and video in instant meetings and breakout sessions
  Purpose: No - Does not allow use of Sametime Internet Protocol audio and video in instant meetings and breakout sessions. IP audio only - Allows use of Sametime Internet Protocol audio but not video in instant meetings and breakout sessions. IP video only - Allows use of Sametime Internet Protocol video but not audio in instant meetings and breakout sessions.
  Default Policy: No
  Anonymous Policy: No

Feature: Allow participation in meeting room chats
  Purpose: Allows participants in the meeting to use the chat window to communicate with any other participant in the meeting.
  Default Policy: Selected
  Anonymous Policy: Not selected

Feature: Allow screen sharing
  Purpose: No - Users cannot share screens or applications. Application only - Users can share a specific application. No other applications or their desktops are shared. Entire screen, frame, and applications - Users share their whole screen including any applications that they open on their screens.
  Default Policy: Entire screen, frame, and applications

Feature: Allow user to control another user's shared screen
  Purpose: Allow others to control a user's shared screen. Any participant can make changes to the shared information. This setting does not apply to browser users.
  Default Policy: Selected
  Anonymous Policy: Not selected

Media Manager user policy settings
You can grant or limit access to media features by enabling or disabling various policies for users. Policy changes take effect immediately. All unauthenticated users have the anonymous policy, Media Manager Anonymous Policy, applied to them. For authenticated users, Lotus Sametime searches for a user ID or group match, and then applies the highest weighted policy. If there is no match, the default policy, Media Manager Default Policy, is applied.
Table 23. Telephony, Audio, and Video Setting Allow access to third-party service provider capabilities from contact lists, instant messages, and meetings Purpose Media Manager Default Policy Media Manager Anonymous Policy Not selected

Not selected Allows outside vendors to provide audio and video for instant messages and instant meetings. This setting does not apply to browser meetings.


Table 23. Telephony, Audio, and Video (continued)

Setting: Allow changes to preferred numbers
  Purpose: If not selected, the user cannot add telephony devices. This gives the administrator control over the devices that can make or receive calls in the system. "Allow access to third-party service provider capabilities from contact lists, instant messages, and meetings" must be selected to specify this setting.
  Media Manager Default Policy: Selected
  Media Manager Anonymous Policy: Selected

Setting: Voice and video capabilities available through the Sametime Media Server
  Purpose: Allows users to use computer audio and video in instant messages and instant meetings. Choices are:
    - None
    - Audio only
    - Audio and video
    This setting does not apply to browser users.
  Media Manager Default Policy: Audio and video
  Media Manager Anonymous Policy: Audio and video

Table 24. Sametime Unified Telephony

Setting: Allow changes to the permanent call routing rule
  Purpose: If this setting is not selected, a lock appears next to this rule in the user’s preferences. "Allow access to third-party service provider capabilities from contact lists, instant messages, and meetings" must be selected to specify this setting. This setting does not apply to browser users.
  Media Manager Default Policy: Selected
  Media Manager Anonymous Policy: Selected


Table 24. Sametime Unified Telephony (continued)

Setting: Allow use of "Offline" status in call routing rules.
  Purpose: Allows users to add their own devices to make and receive calls. "Allow access to third-party service provider capabilities from contact lists, instant messages, and meetings" must be selected to specify this setting. This setting does not apply to browser users.
  Media Manager Default Policy: Selected
  Media Manager Anonymous Policy: Selected

Changing a user policy’s weight
IBM Lotus Sametime products apply user policies with higher weights in preference to policies with lower weights. You can change the weight of policies.

About this task
User policies in Lotus Sametime have weights. A policy’s weight determines whether or not its attributes take precedence over the attributes of other policies. For a given user or group assigned two or more policies, Lotus Sametime implements the policy with the highest weight. Anonymous policies always have the lowest weight; default policies have the next lowest weight. For authenticated users, Lotus Sametime searches for an exact ID match, and then applies the highest weighted policy. If there is no match for the user ID in any policy, Lotus Sametime applies the highest weighted group match. If no group matches are found, the default policy is applied. You can change the weight of policies by moving them up and down the policy list of a Lotus Sametime product.
1. Log in to the Integrated Solutions Console.
2. Click Sametime System Console.
3. Click Manage Policies.
4. Click the Lotus Sametime component with the policy whose weight you want to change:
   - Instant Messaging
   - Meetings
   - Media Manager
5. Select a Policy ID from the list, and click Move Up or Move Down. Moving the policy up increases its weight; moving the policy down decreases its weight. You cannot change the weight of a default or an anonymous policy.
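The selection order described above, worked through in code. This is an added example and not IBM's code: the policy IDs, weights, user IDs and group names are constructed, and move_policy models only the observable effect of Move Up / Move Down (two neighbouring custom policies exchange weights), which is an assumption about how the console stores the list. It shows the point that is easy to miss when auditing who gets which policy: a policy that names the user ID directly beats every group-based policy even when the group policy carries the larger weight.

```python
"""Policy-weight resolution, as described for Lotus Sametime user policies.

Added example; it is not IBM code. The policy IDs, weights, user IDs and
group names below are constructed for illustration. Selection order:
  - no user ID (unauthenticated): the anonymous policy
  - policies naming the user ID directly: the highest weight among them
  - otherwise policies naming one of the user's groups: the highest weight
  - otherwise: the default policy
"""
from dataclasses import dataclass, replace


@dataclass(frozen=True)
class Policy:
    policy_id: str
    weight: int                      # higher weight takes precedence
    kind: str = "custom"             # "custom", "default" or "anonymous"
    users: frozenset = frozenset()   # user IDs assigned to the policy
    groups: frozenset = frozenset()  # group names assigned to the policy


def _single(policies, kind):
    found = [p for p in policies if p.kind == kind]
    if len(found) != 1:
        raise ValueError(f"expected exactly one {kind} policy, found {len(found)}")
    return found[0]


def resolve_policy(policies, user_id=None, user_groups=()):
    """Return the Policy that applies; user_id=None means unauthenticated."""
    anonymous, default = _single(policies, "anonymous"), _single(policies, "default")
    if user_id is None:
        return anonymous
    custom = [p for p in policies if p.kind == "custom"]
    # An exact user ID match wins over any group match, whatever the weights.
    by_user = [p for p in custom if user_id in p.users]
    if by_user:
        return max(by_user, key=lambda p: p.weight)
    groups = set(user_groups)
    by_group = [p for p in custom if p.groups & groups]
    if by_group:
        return max(by_group, key=lambda p: p.weight)
    return default


def move_policy(policies, policy_id, direction):
    """Model Move Up / Move Down: swap weights with the neighbouring custom policy.

    Default and anonymous policies keep the two lowest weights and cannot move.
    Returns a new list; the input list is left unchanged.
    """
    ordered = sorted((p for p in policies if p.kind == "custom"), key=lambda p: p.weight)
    idx = next((i for i, p in enumerate(ordered) if p.policy_id == policy_id), None)
    if idx is None:
        raise ValueError("only custom policies can be moved")
    other = idx + 1 if direction == "up" else idx - 1
    if other < 0 or other >= len(ordered):
        return list(policies)  # already at the top or bottom of the list
    a, b = ordered[idx], ordered[other]
    swapped = {a.policy_id: replace(a, weight=b.weight),
               b.policy_id: replace(b, weight=a.weight)}
    return [swapped.get(p.policy_id, p) for p in policies]


# Constructed sample: three custom policies plus the required default and anonymous ones.
SAMPLE_POLICIES = [
    Policy("Media Manager Anonymous Policy", 0, kind="anonymous"),
    Policy("Media Manager Default Policy", 1, kind="default"),
    Policy("Kiosk accounts", 2, users=frozenset({"CN=Lobby Kiosk,O=Example"})),
    Policy("Sales AV policy", 3, groups=frozenset({"Sales"})),
    Policy("Executives AV policy", 4, groups=frozenset({"Executives"})),
]

if __name__ == "__main__":
    jane = ("CN=Jane Doe,O=Example", ("Sales", "Executives"))
    print(resolve_policy(SAMPLE_POLICIES).policy_id)         # anonymous policy
    print(resolve_policy(SAMPLE_POLICIES, *jane).policy_id)  # highest weighted group match
    reordered = move_policy(SAMPLE_POLICIES, "Sales AV policy", "up")
    print(resolve_policy(reordered, *jane).policy_id)        # Sales now outweighs Executives
```

When reviewing a deployment, run the resolver over the real policy list for the accounts that matter (service accounts, kiosk accounts, contractors in several groups); the user-ID-first rule means a narrowly scoped policy on a single ID silently overrides whatever the group policies say.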

Managing administrator access and roles
Manage administrator access and roles using the Sametime Administration Tool.


Starting the Sametime Administration Tool
You administer Sametime through a Web browser application. You must enable Java applets and JavaScript™ or ActiveX Controls in your browser to use the Sametime Administration Tool.

About this task
To start the Sametime Administration Tool:
1. Enter the URL for the Sametime server:
   http://hostname/stcenter.nsf
   where hostname is the fully qualified Domain Name Service (DNS) name or the IP address of the Sametime server you want to administer.
   Note: For versions of Lotus Sametime that do not support web conferencing, enter the following URL in your browser: http://hostname.
   Note: For Lotus Sametime Entry and other Sametime offerings that do not include Web conferencing, access the server page by typing http://hostname/ into a browser URL field where hostname is the fully qualified name of your Sametime server.
2. From the Sametime server home page (Sametime Welcome page), click Administer the Server.
3. Enter the administrator name and password specified during the Sametime server installation.
The Sametime Administration Tool opens in its own Web browser window.

Related concepts
User requirements for basic password authentication
When accessing the Lotus Sametime server with a Web browser, a user must enter a user name and Internet password to access any protected database on the Lotus Sametime server.
Adding a new Sametime administrator
Use the Domino Directory to give a group of administrators access to the Sametime Administration Tool.

Adding a Sametime administrator in Domino LDAP
Use the Domino Directory to give a group of administrators access to the Sametime Administration Tool. A Sametime administrator name and password are specified during the Sametime installation and setup process. The administrator specified during the Sametime server installation and setup can access all features of the Sametime Administration Tool and can provide other administrators with access to the Sametime Administration Tool. This is the procedure for adding an administrator in Domino. If your Sametime server is configured for LDAP, then you must create the new administrator using your LDAP Directory tools.

Creating a Person document for the administrator
Administrators must have a Person document in the Domino Directory.


About this task
Follow these steps to create a Person document using the Sametime Administration Tool. If the administrator whom you are adding already has a Person document that contains a last name, user name, and Internet password, skip this procedure.
1. From the Sametime server home page, click Administer the Server.
2. From the Sametime Administration Tool, click LDAP Directory.
3. Choose Add Person.
4. In the Person document, select the Basics tab.
5. Enter the user’s first, middle, and last name in the appropriate fields. Only the last name is required.
6. Enter a name for the user in the User Name field. An entry in this field is required for the user to authenticate with the Sametime server. You can use any of the following characters in a user name: A - Z, 0 - 9, ampersand (&), dash (-), period (.), underscore (_), apostrophe (’), and space. Using other characters can cause unexpected results.
7. Enter an Internet password for the person in the "Internet password" field. An entry in this field is required for the user to authenticate when accessing the Sametime Administration Tool. There are no restrictions on the number of characters used in the Internet password.
8. Click Save & Close. The Person document is added to the Directory.

Creating an Administrators Group document
Create a group document to hold the names of Sametime administrators.

About this task
Use the Sametime Administration Tool to create an Administrators Group document.
1. From the Sametime server home page, click Administer the Server.
2. From the Sametime Administration Tool:
   - If you are using a Domino Directory with the Sametime server, select Domino Directory - Domino.
   - If you are using an LDAP directory with the Sametime server, select LDAP Directory.
3. Choose "Add Sametime Administrators - Create a group for the administrators."
4. Click Add Group.
5. Enter a name for the group in the "Group name" field (for example, "Administrators" or "Sametime Administrators").
6. For group type, select Multipurpose.
7. Optional: Enter a description of the group in the Description field.
8. In the Members field, list the names of users you want to access the Sametime Administration Tool. Make sure to enter the name exactly as it is entered in the topmost entry of the "User name" field of a user’s Person document.
9. Select Administration at the top of the Group document.
10. Enter the names of the group owners in the Owners field. Generally, the group owner is the administrator creating the group. Only the administrator listed in the Owners field can modify this Group document. If the Owners field is blank, any administrator can modify this Group document.
11. Click Save & Close.

Adding the Administrators Group document to Sametime database ACLs
Add the Administrators Group document to Sametime database Access Control Lists (ACLs) and provide the Manager access level to the group.

About this task
In addition to ACL access levels, you must also specify the ACL privileges and roles that the Administrators Group (or an individual user) has in each database. Generally, for an Administrators Group, select all ACL privileges and roles.
Note: If you are adding individual user names to Sametime database ACLs instead of a group name, database roles can be used to prevent or allow access to specific features of the Sametime Administration Tool.
Add the Administrators Group to the ACLs of the following Sametime databases.
- Sametime Configuration (stconfig.nsf) - Stores the configuration parameters that are set from the Sametime Administration Tool.
- Domino Directory or Address Book (names.nsf) - Stores Person and Group documents, ACL settings, and other configuration information for the Domino/Web Application Services.
- Sametime Log (stlog.nsf) - Stores logging information.
- Domino Web Administration (webadmin.nsf) - Contains the Domino Web Administration client, which includes monitoring features for the HTTP Services and free disk space. This is the full Domino Web Administration client that is included with Domino servers.
1. From the Sametime Administration Tool:
   - If you are using the Domino Directory with the Sametime server, choose Domino Directory - Domino.
   - If you are using an LDAP Directory with the Sametime server, choose LDAP Directory.
2. Choose "Add Sametime Administrators - Give the administrator group Manager access for all appropriate databases, such as stconf.nsf and stcenter.nsf." The Access Control options appear.
3. From the Databases list, select Sametime Configuration (stconfig.nsf).
   Note: The database filename appears below the Databases list.
4. Click Access.
5. Click Add. Enter the Administrators Group document name in the dialog box (for example, "Administrators" or "Sametime Administrators"). If you are adding individual user names, enter the person’s user name in the dialog box. Enter the name as it is entered in the top entry of the "User name" field on the user’s Person document.
6. Click OK.
7. Select the Administrators Group name (or individual person’s name) from the list in the Database Security window.
8. In the User Type drop-down list, select Group (or Person if you are adding an individual user’s name).
9. In the Access drop-down list, select Manager.
10. Make sure that all ACL privileges, such as "Create documents" and "Delete documents," are selected.
11. Click Roles. If you want the Administrators Group to have access to the full range of administrative functions, select all roles.
12. Click OK. The roles determine which administration tasks the members of the group can perform. If you are adding individual user names to the ACLs, you can use the roles to control the administrative features that are available to individual administrators. For more information, see Roles in Sametime database ACLs.
13. Click Submit.
14. After adding the Administrators Group to the ACL of the Sametime Configuration database (stconfig.nsf), repeat steps 4 through 14 to add the Administrators Group to the ACL of each of the Sametime databases listed below:
   - Domino Address Book or Domino Directory (names.nsf)
   - Sametime Online Meeting Center (stconf.nsf)
   - Sametime Log (stlog.nsf)
   - Sametime Self Registration (streg.nsf)
   - Domino Web Administration (webadmin.nsf)

Modifying the Server document of the Sametime server
Add the Administrators Group document (or the name of an individual user) to two fields on the Server document.
1. From the Sametime Administration Tool:
   - If you are using the Domino Directory with the Sametime server, choose Domino Directory - Domino.
   - If you are using an LDAP Directory with the Sametime server, choose LDAP Directory.
2. Choose "Add Sametime Administrators - Edit the Server document."
3. Click Security.
4. In the "Administrators" field of the Administrators section, type the name of the Administrators Group (or enter the name of an individual user).
   Note: Type a group name exactly as it appears in the Group document. If you are entering an individual user name in this field, type the user name exactly as it is entered in the topmost entry of the "User name" field on the Person document. Separate multiple entries in the "Administer the server from a browser" field with commas.
5. In the "Run unrestricted methods and operations" field of the Programmability Restrictions section, type the Administrators Group name (or an individual user’s name). Separate multiple entries in this field with commas.
6. Click Save & Close.

Adding and removing names from an Administrators Group document
Control access to the Sametime Administration Tool by editing the Group document.

About this task
Adding a user’s name to the Administrators Group document provides the user with access to the Sametime Administration Tool. Removing a user’s name from the Group document revokes the user’s access to the Sametime Administration Tool.
1. From the Sametime server home page, click Administer the Server.
2. From the Sametime Administration Tool:
   - If you are using the Domino Directory with the Sametime server, choose Domino Directory - Domino.
   - If you are using an LDAP Directory with the Sametime server, choose LDAP Directory.
3. Choose "Add Sametime Administrators - Create a group for the administrators."
4. Double-click a group name.
5. Select Edit Group.
6. In the Members field, add or remove a user’s name from the Group document. If you add a user’s name, the user must have a Person document in the Domino Directory that contains a last name, user name, and Internet password. Make sure to enter the name exactly as it is entered in the top entry of the "User name" field of a user’s Person document. The user must enter a last name or user name and the Internet password from the Person document to access the Sametime Administration Tool.
7. Click Save & Close.

Roles in Sametime database ACLs
Roles provide a way to define the access an administrator has to the features and settings of the Sametime Administration Tool. For example, the Sametime Configuration database (stconfig.nsf) ACL contains three roles: ServerMonitor, ServerAdmin, and DatabaseAdmin. If you assign only the ServerMonitor role to an administrator, the administrator can monitor server memory, disk space, and other server statistics but cannot perform any other administrative functions. Assign all roles to an administrator if you want the administrator to have full access to all administrative functions. Access Control List (ACL) roles are defined in the following Sametime databases:

Roles in the Sametime Configuration database (stconfig.nsf)
The Sametime Configuration database (stconfig.nsf) stores the values for parameters that are available from the Sametime Administration Tool. The roles in this database affect the administrative tasks that an administrator can perform from the Sametime Administration Tool. The following table lists the commands and features available with the Sametime Administration Tool and the roles that an administrator must be assigned in the stconfig.nsf database to use the Sametime Administration Tool commands and features. If an administrator does not have the appropriate roles, the Sametime Administration Tool does not display the command.
Command Group: Message From Administrator
  Command or feature: Sends message to all users logged into Community Services
  Role required: [ServerMonitor] or [SametimeAdmin] or [DatabaseAdmin]

Command Group: Monitoring
  Command or feature: All monitoring features
  Role required: [ServerMonitor] or [SametimeAdmin] or [DatabaseAdmin]

Command Group: Logging
  Command or feature: All logging features
  Role required: [ServerMonitor] or [SametimeAdmin] or [DatabaseAdmin]

Command Group: Directory
  Command or feature: Add directory features
  Role required: [ServerMonitor] or [SametimeAdmin] or [DatabaseAdmin]

Command Group: Configuration
  Command or feature: Connectivity, Community Services, Meeting Services, Audio/Video Services
  Role required: [ServerMonitor] or [SametimeAdmin] or [DatabaseAdmin]

Command Group: Help
  Command or feature: Online help for administrators
  Role required: No roles required

Note: The Domino server cannot resolve the user if given the internet address in the person entry that defines the internal ID of a Sametime user. The mail attribute is not supported in this field. The field may be left blank.

Roles in the Domino Directory (names.nsf)
The Domino Directory (or Address Book) contains the Person and Group documents that you create and edit when you use the Sametime Administration Tool. The roles in the Domino Directory determine who can create or edit a particular type of document in the Directory. The Domino Directory also contains the Server document that you access to provide another user with administrative privileges to the Sametime Administration Tool.
Note: If you use Sametime in a Domino environment, the Domino Directory roles function the same as they do on Domino servers.
The Domino Directory contains eight roles. The privileges for each role are listed in this table:

Role - Description
UserCreator - Allows an administrator to create Person documents in the Domino Directory
UserModifier - Allows an administrator to edit all Person documents in the Domino Directory
GroupCreator - Allows an administrator to create Group documents in the Domino Directory
GroupModifier - Allows an administrator to edit all Group documents in the Domino Directory
ServerCreator - Allows an administrator to create Server documents in the Domino Directory
ServerModifier - Allows an administrator to edit all Server documents in the Domino Directory
NetCreator - Not used by Sametime
NetModifier - Not used by Sametime

Related reference
Roles in Sametime database ACLs
Roles provide a way to define the access an administrator has to the features and settings of the Sametime Administration Tool.

Roles in the Sametime Meeting Center (stconf.nsf)
The Sametime Meeting Center database contains only the Sametime Admin role.

Role - Description
Sametime Admin - Allows an administrator to see hidden meetings displayed in the All Meetings view of the Meeting Center. Allows an administrator to see the Hidden Meetings view in the Meeting Center. This view displays only hidden meetings. Allows the administrator to alter the meeting details of any meeting. For example, the administrator can delete or change the end time of a meeting that the administrator did not create. Allows an administrator to see and use the "Delete the Recording," "Export the Recording," "Replace the Recording," and Import Recording options in the Meeting Center forms. These features enable the administrator to manage the recorded meeting files if the administrator makes the Record and Playback feature available on the Sametime server.


Related reference
Roles in Sametime database ACLs
Roles provide a way to define the access an administrator has to the features and settings of the Sametime Administration Tool.

Roles in the Domino Web Administration database (webadmin.nsf)
The Domino Web Administration database is available on the Sametime server to enable administrators to monitor the HTTP server and access logging information about the Domino Application Services. The following table defines the roles in the Domino Web Administration database:
Role - Description
ServerAdmin - A Sametime administrator requires this role to access the Server document when providing other users with access to the Sametime Administration Tool.
ServerMonitor - A Sametime administrator requires this role to access the Monitoring - Miscellaneous functions of the Sametime Administration Tool. These monitoring functions enable the administrator to monitor HTTP commands and requests, server memory usage, and free disk space. The Sametime administrator also requires this role to access the Logging - Domino Log functions of the Sametime Administration Tool, which report information about the Domino Application Services.
DatabaseAdmin - A Sametime administrator requires this role to change database ACLs from the Sametime Administration Tool.
FileRead - This feature provides access to the Configuration - System Files (read-only) command of the Domino Web Administration Tool. This feature is usually not used with Sametime.
FileModify - This feature provides access to the Configuration - System Files (read/write) command. This feature is usually not used with Sametime.

Related reference
Roles in Sametime database ACLs
Roles provide a way to define the access an administrator has to the features and settings of the Sametime Administration Tool.
Domino log
To access the Domino log, choose Logging - Domino Log in the Sametime Administration Tool, and then click the link that appears on the right. The Domino log launches in a new browser window.

Administering a Lotus Sametime System Console
This section describes how to manage the IBM Lotus Sametime System Console.

Backing up the console database
The IBM Lotus Sametime System Console database stores information about all the Sametime servers that are connected to it.

About this task
Back up the database regularly to protect the server data and to minimize downtime if you need to restore lost or corrupted data. Follow the instructions in the DB2 information center:
http://publib.boulder.ibm.com/infocenter/db2luw/v9/index.jsp

Starting the Lotus Sametime System Console
When started, the Lotus Sametime System Console runs as a task in the WebSphere Application Server administrative console.

Before you begin
Verify that the Deployment Manager is running for the cell.
1. In a command window, navigate to the local app_server_root/profiles/STSCAppProfile profile directory and change to the bin directory.
2. Run the following commands:
   AIX, Linux, or Solaris:
     ./startNode.sh
     ./startServer.sh STConsoleServer
   Windows:
     startNode.bat
     startServer.bat STConsoleServer
   IBM i:
     startNode
     startServer STConsoleServer

What to do next
Logging in to the Lotus Sametime System Console

Administering a Lotus Sametime Community Server
This section describes how to manage an IBM Lotus Sametime Community Server.

About this task
Use the instructions in this section to manage connectivity, community services, anonymous access, and business cards on the Lotus Sametime Community Server.

Updating Sametime Community Server connection properties on the console
You can update connection setting information that the IBM Lotus Sametime System Console uses to connect to the Lotus Sametime Community Server.


About this task
Any changes that you make to the credential and connection information on the Connection Properties page do not change the actual settings on the Lotus Sametime Community Server. These settings are only used by the Sametime System Console to connect to the Sametime Community Server. If you are configuring the Lotus Sametime Community Server to use SSL (Secure Sockets Layer), make sure the server’s Domino CA certificate has been added to the Sametime System Console’s trust store using the Integrated Solutions Console (Security → SSL certificate and key management → SSL configurations → CellDefaultSSLSettings → Key stores and certificates → CellDefaultTrustStore → Signer certificates). See the WebSphere Application Server information center for more information on adding certificates to a trust store. Follow these steps to update connection setting information.
1. Log in to the Integrated Solutions Console.
2. Click Sametime System Console → Sametime Servers → Sametime Community Servers.
3. In the Sametime Community Servers list, click Edit next to the deployment name of the server with the connection information that you want to change.
4. Under Connection Properties, enter the administrator’s User name and Password for connecting to the Lotus Sametime Community Server.
5. Enter the HTTP port (typically 80) and HTTPS port (typically 443).
6. If your deployment uses SSL, then click Is SSL?
7. Click Save.
8. If you enabled SSL, then you must restart the Lotus Sametime System Console for the changes to take effect.

Configuring Sametime Community Server connectivity
Define the host names and ports for Community Services on the IBM Lotus Sametime Community Server.

About this task
Community Services supports all presence (or awareness) and text chat activity in a Lotus Sametime community. Any Lotus Sametime client that contains a presence list must connect to Community Services on the Lotus Sametime Community Server. Community Services includes:
- Client login requests
- Connections from clients that access the Sametime server through a direct TCP/IP connection, or an HTTP, HTTPS, or SOCKS proxy server. Community Services clients connect to the Community Services multiplexer component, which is deployed on a separate machine from the Lotus Sametime Community Server.
- Directory access for user name search and display.
- Directory access to compile lists of all servers and users in the community.
- Dissemination of presence and chat data to all users connected to Community Services.
- Maintenance of privacy information for online users.
- Connections from the Community Services on other Lotus Sametime Community servers when multiple servers are installed.
- Logging of server community events to the Sametime log (stlog.nsf).
This must be completed separately for each server within a Lotus Sametime Community Server cluster.
1. Log in to the Integrated Solutions Console.
2. Click Sametime System Console → Sametime Servers → Sametime Community Servers.
3. In the Sametime Community Servers list, click the deployment name of the server with the connectivity information that you want to change.
4. Click the Connectivity tab.
5. Under Server Connections, type the fully qualified Host Name and Port for the internal Sametime processes to communicate with one another. Community Services listens for direct TCP/IP connections from Community Services of other Lotus Sametime Community Servers on this port. If you have installed multiple Sametime servers, this port must be open for presence, chat, and other data to pass between the servers.
6. Under Client Connections, type the fully qualified Host Name and Port on which Community Services listens for direct TCP/IP connections and HTTP-tunneled connections from the Community Services clients. A direct TCP/IP connection occurs when the Sametime client uses a unique Sametime protocol over TCP/IP to establish a connection with the Community Services.
7. Under HTTP Tunneled Client Connections, type the fully qualified Host Name and Port on which Community Services clients can make HTTP-tunneled connections to the Community Services multiplexer. Community Services clients can make HTTP-tunneled connections on both ports 80 and 8082 by default. Port 8082 ensures compatibility with previous Sametime releases. In previous releases, Sametime clients made HTTP-tunneled connections to the Community Services only on port 8082. If a Sametime Connect client from a previous Sametime release attempts an HTTP-tunneled connection to a Sametime server, the client might attempt this connection on port 8082.
8. If you will be using a previous version of the Sametime Meeting Room client, click Enable pre 8.5 releases of the Meeting Room client to try HTTP Tunneling to the Community Server after trying other options.
9. Under HTTPS Tunneled Client Connections, type the fully qualified Host Name and Port on which the Community Services clients attempt HTTPS connections when accessing the Sametime Community Server through an HTTPS proxy server. If a Community Services client connects to the Sametime Community server using HTTPS, the HTTPS connection method is used, but the data passed on this connection is not encrypted.
10. Click OK.
11. Restart the Lotus Sametime Community Server for settings to take effect.

Managing trusted IP addresses
Whenever you install a server that communicates with an IBM Lotus Sametime Community Server, you must add the new server’s IP address to the Community Server’s settings.


About this task
The Lotus Sametime Community Server accepts connections from the Lotus Sametime Media Manager, the Lotus Sametime Gateway, the Lotus Sametime Community Mux, and the Lotus Sametime Proxy Server, as well as other servers that are listed in the Community Services page. To ensure that the Lotus Sametime Community Server trusts these components when they establish a connection, you must add the trusted server’s IP address to the Lotus Sametime Community Server. You do not need to add the Lotus Sametime System Console’s IP address because it is added automatically when you install the Lotus Sametime Community Server using a deployment plan or register the Lotus Sametime Community Server with the console after installation. This task must be completed separately for each server within a Lotus Sametime Community Server cluster, as well as for multiple non-clustered Community Servers.
1. Log in to the Integrated Solutions Console.
2. Click Sametime System Console → Sametime Servers → Sametime Community Servers.
3. In the Sametime Community Servers list, click the deployment name of the server with the list of trusted IP addresses that you want to change.
4. Click the Connectivity tab.
5. Under Trusted Servers, enter the IP address of the server that must connect to the Lotus Sametime Community Server in the New IP Address field, and click Add.
   Note: For the Lotus Sametime Media Manager, enter the Conference Manager server IP address. Each instance of a Conference Manager cluster must be entered.
   To delete an IP address from the list, select it and click Delete Selected.
6. Click OK.
7. Restart the Lotus Sametime Community Server for the change to take effect.

Related tasks
“Adding a local Community Server to Sametime Gateway” on page 208
Connect a local Lotus Sametime Community Server or Lotus Sametime community cluster to Lotus Sametime Gateway to enable Lotus Sametime users to have instant messaging with external users.

Forcing users to connect to a home server
When you are deploying security applications such as FaceTime, you want to ensure that your users connect to their home IBM Lotus Sametime Community servers or home clusters. Preventing users from connecting to remote servers is done by specifying trusted IP addresses and rejecting forwarded logins during the login process.

About this task
For users that must log in through FaceTime or similar proxies, the Lotus Sametime Community Server should allow them to connect through the home server only. The Lotus Sametime Community Mux Server should accept connections that come from FaceTime IP addresses only. You must dedicate a specific Mux to a specific server, and limit users to connecting to that Mux through FaceTime only. This applies to local Muxes, as well as standalone Muxes. The following settings should be set on all Muxes in your deployment.

1. Use a text editor to open the sametime.ini file located in the Lotus Sametime Community server installation directory (for example, root/lotus/domino).
2. In the Connectivity section, add or create a comma-separated list of trusted IP addresses of proxies:
   VPMX_TRUSTED_CLIENT_IPS=IPaddress1, IPaddress2
   This setting controls which clients are allowed to connect by assigning a comma-separated list of IP addresses. An empty list of trusted addresses (the default) means the feature is turned off, and clients from all IP addresses can connect.
3. Create or edit the VP_REJECT_FORWARDED_LOGINS setting so that forwarded logins are rejected:
   VP_REJECT_FORWARDED_LOGINS=1
   When this setting is set to 1, users are forced to connect to their home server. This is essential when users must connect through FaceTime.
4. Save the sametime.ini file.
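To see how the two settings combine, here is an added Python example (not IBM code and not from this guide) that parses the Connectivity section of a constructed sametime.ini, decides whether a given client address would be accepted, and flags a Mux that still accepts forwarded logins or any client IP. Only the two setting names come from the guide; the section header [Connectivity], the sample addresses and the audit logic are this example's own assumptions.

```python
import configparser
import ipaddress

# Constructed sample of the Connectivity section of a Mux's sametime.ini.
# The section header and the addresses are assumptions, not values from the guide.
SAMPLE_INI = """\
[Connectivity]
VPMX_TRUSTED_CLIENT_IPS=10.1.2.3, 10.1.2.4
VP_REJECT_FORWARDED_LOGINS=1
"""


def load_connectivity(ini_text):
    """Return (trusted_ips, reject_forwarded) from the Connectivity section.

    configparser lowercases keys by default; optionxform is overridden so the
    upper-case sametime.ini names are kept exactly as written."""
    parser = configparser.ConfigParser(interpolation=None)
    parser.optionxform = str
    parser.read_string(ini_text)
    section = parser["Connectivity"] if parser.has_section("Connectivity") else {}
    raw = section.get("VPMX_TRUSTED_CLIENT_IPS", "")
    # Whitespace after the commas is tolerated; a malformed address raises ValueError.
    trusted = {ipaddress.ip_address(p.strip()) for p in raw.split(",") if p.strip()}
    reject = section.get("VP_REJECT_FORWARDED_LOGINS", "0").strip() == "1"
    return trusted, reject


def client_allowed(client_ip, trusted_ips):
    """Mirror the guide's rule: an empty trusted list turns the check off."""
    if not trusted_ips:
        return True
    return ipaddress.ip_address(client_ip) in trusted_ips


def audit_mux(ini_text):
    """List what is still missing on a Mux that should serve proxied home-server logins only."""
    trusted, reject = load_connectivity(ini_text)
    findings = []
    if not trusted:
        findings.append("VPMX_TRUSTED_CLIENT_IPS is empty: any client IP may connect to this Mux")
    if not reject:
        findings.append("VP_REJECT_FORWARDED_LOGINS is not 1: logins can be forwarded to a remote server")
    return findings


if __name__ == "__main__":
    trusted, _ = load_connectivity(SAMPLE_INI)
    for ip in ("10.1.2.3", "192.0.2.9"):
        print(ip, "allowed" if client_allowed(ip, trusted) else "rejected")
    print(audit_mux("[Connectivity]\nVPMX_TRUSTED_CLIENT_IPS=\n") or "no findings")
```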

Managing community services
Community services settings support all online presence (or awareness), instant messaging, and chat features at a server-wide level. These settings supersede any feature settings that you set at the policy level for users or groups. Community services settings carry a greater weight.

Managing general community services
The general community services settings control the interaction of the IBM Lotus Sametime Community Server with an LDAP directory and the maximum number of users allowed on the server.

About this task
These settings must be addressed for each server within a Lotus Sametime Community Server cluster.

1. Log in to the Integrated Solutions Console.
2. Click Sametime System Console → Sametime Servers → Sametime Community Servers.
3. In the Sametime Community Servers list, click the deployment name of the server with the connectivity information that you want to change.
4. Click the Community Services tab.
5. Use the following table to set general server-wide settings for users of the Lotus Sametime Community Server.


Lotus Sametime: Installation and Administration Guide Part 2

Table 25. Server-wide settings

Field: Number of entries on each page in dialog boxes that show names in the directory
Description: Controls the number of user and group names that display when a user browses the directory. When a user browses the names and groups in the directory, the directory entries (names and groups) are listed on "pages" in a dialog box. The default is 100 entries per page. It is best to use a setting between 100 and 200 entries. Higher settings cause more data to be transmitted on the network when a user browses the directory.

Field: How often to poll for new names added to the Sametime community directory (minutes)
Description: Controls how frequently the cache of user names is updated with new information from the directory. The Lotus Sametime Community Server maintains a cache that contains information about the users and groups in the community. This cache must be refreshed periodically to ensure that users who have recently been added to a directory can be displayed in the presence lists of all Lotus Sametime clients. The update occurs only if changes are made to the directory during the update interval. The default setting is 60 minutes.

Field: How often to poll for new servers added to the Sametime community (minutes)
Description: Controls the time interval in which the Sametime Community Server receives an updated list of all Sametime servers. If you have deployed more than one Sametime Community Server, the community services on each server must maintain a list of all other Sametime Community Servers in the Sametime community. Community services uses this list to ensure that users who have different home servers or different home clusters can see each other in presence lists and communicate through instant messaging and chat. The default setting is 60 minutes.

Field: Maximum user and server connections to the community server
Description: Controls the maximum number of connections allowed to the Sametime Community Server. The connections include both client connections and server-to-server connections. A client connection occurs when a user starts the Sametime client. Server-to-server connections occur when you have deployed multiple Sametime Community Servers and different home servers are specified for users. The limit is 20,000 connections.

Field: Select the authentication type that users can use while logging into the Community server: LTPA or Sametime token; LTPA only
Description: Controls the authentication type. When the LTPA or Sametime Tokens option is selected, the Sametime Community Server accepts authentication tokens generated by both Single-Sign On (SSO) and the Secrets and Tokens databases on the Sametime Community Server. This option is selected by default. When LTPA only is selected, the Sametime Community Server accepts authentication tokens generated only by SSO (LTPA tokens).

6. Click OK.
7. Restart the Lotus Sametime Community Server for settings to take effect.

Determining a user’s home Sametime Community Server
Specify the field within the LDAP directory that contains the name of each user’s home IBM Lotus Sametime Community Server.

About this task
The home Lotus Sametime Community Server is the server on which the preferences and data of a user are saved. Users connect to the home Lotus Sametime Community Server for presence and chat functionality. If you have installed multiple Lotus Sametime Community Servers, each user’s person entry in an LDAP directory must contain a field in which a user’s home Sametime Community Server can be specified. You can either:
• Add a new field to the LDAP directory to hold the name of each user’s home Lotus Sametime Community server. This added field must appear in the person entry of every Sametime user in the LDAP directory.
• Use a field that already exists in the person entries of each Sametime user (such as the e-mail address) for this purpose.

Follow these steps to specify the name of the field within person entries of the LDAP directory that contains the name of each user’s home Lotus Sametime Community Server. These steps must be completed separately for each server within a Lotus Sametime Community Server cluster.

1. Log in to the Integrated Solutions Console.
2. Click Sametime System Console → Sametime Servers → Sametime Community Servers.
3. In the Sametime Community Servers list, click the deployment name of the server with the connectivity information that you want to change.
4. Click the Community Services tab.
5. Under LDAP Attributes, enter the name of the field within the LDAP person entries that contains the name of each user’s home Lotus Sametime Community server in the Attribute used for determining the home server field.
6. Click OK.
7. Restart the Lotus Sametime Community Server for settings to take effect.

Specifying a user’s login ID
Specify an LDAP attribute that is appropriate for logging in to IBM Lotus Sametime.


About this task
Determine the LDAP attribute of the person entry that defines the internal ID of a Sametime user and is appropriate for logging in to Lotus Sametime. This task must be completed separately for each server within a Lotus Sametime Community Server cluster.

1. Log in to the Integrated Solutions Console.
2. Click Sametime System Console → Sametime Servers → Sametime Community Servers.
3. In the Sametime Community Servers list, click the deployment name of the server with the connectivity information that you want to change.
4. Click the Community Services tab.
5. Under LDAP Attributes, enter the name of the field within the LDAP person entries that contains the ID used for logging in, in the Attribute used for determining the internal user ID field.
6. Click OK.
7. Restart the Lotus Sametime Community Server for settings to take effect.

Enabling chat logging
Each text chat has a transcript, the record of the text messages exchanged between chat partners during a chat session. You can configure the IBM Lotus Sametime Community Server to automatically log all chats and announcements, making these transcripts available to users for viewing in their chat history.

1. Use a text editor to edit the sametime.ini file, which is located in the Lotus Sametime Community Server installation directory (for example: C:\Program Files\lotus\domino).
   a. Set ST_CHAT_LOG to file in the sametime.ini file under the ST_BB_NAMES section:
      ST_CHAT_LOG=file
   b. Create chatlogging.ini in the same folder as sametime.ini.
   c. Move all the attributes from sametime.ini related to [ChatLogging] to chatlogging.ini. For example:
      [ChatLogging]
      CL_CHAT_START_DISCLAIMER=Disclamer message.
      CL_CHAT_START_DISCLAIMER_RICH_TEXT=<span style="color:#ff0000; font-size:11pt;font-family:Tahoma;"><b><i>Rich Text Disclaimer message.</i></b></span>
   Note: If you want to use BB_CL_LIBRARY_PATH to change the default location of where the chat logs are stored, then move the [Library] section from sametime.ini to the chatlogging.ini file.
2. Log in to the Integrated Solutions Console.
3. Click Sametime System Console → Sametime Servers → Sametime Community Servers.
4. In the Sametime Community Servers list, click the deployment name of the server with the connectivity information that you want to change.
5. Click the Community Services tab.
6. In the Server Features section, under Enable chat logging, select one of the following choices:
   • Always
   • When available
   • Never
7. Click OK.
8. Restart the Lotus Sametime Community Server for settings to take effect.

Allowing users to transfer files to each other
Community Services allow users to transfer files to each other over the network while using Sametime Connect.

About this task
When you enable this feature, you should also set a file size limit and virus scanning preference. Computer viruses can be spread through transferred files. To protect against this possibility, users should have current third-party anti-virus software installed. The Virus scan files setting should be enabled and set to scan all files.

1. Log in to the Integrated Solutions Console.
2. Click Sametime System Console → Sametime Servers → Sametime Community Servers.
3. In the Sametime Community Servers list, click the deployment name of the server with the connectivity information that you want to change.
4. Click the Community Services tab.
5. In the Server Features section, click Allow users to transfer files to each other.
6. To increase or decrease the size of files that users can transfer, enter a value in the Maximum file transfer size, in Kilobytes field.
7. Under Virus scan files, select one of the following choices:
   Always: If scanning cannot be done, the file is not transferred.
   When available: The file is sent with a message that the file was not scanned, allowing the user to decide how to handle the file, or it is not sent if scanning reveals a virus.
   Never: Files are not scanned.
8. Click OK.
9. Restart the Lotus Sametime Community Server for settings to take effect.

Allowing users to send announcements
Community Services allows users to send unencrypted announcements to others who are online in the Lotus Sametime Community.

About this task
When you enable this feature, users can:
• Send unencrypted announcements to anyone who is online in Sametime Connect or in an online meeting. To receive an announcement, a user must be online, and in either active or away status. Users who are offline or have a status of "do not disturb" do not receive announcements.
• Allow the recipients of the announcement to respond to the announcement, or prevent them from responding.

1. Log in to the Integrated Solutions Console.
2. Click Sametime System Console → Sametime Servers → Sametime Community Servers.
3. In the Sametime Community Servers list, click the deployment name of the server with the connectivity information that you want to change.
4. Click the Community Services tab.
5. In the Server Features section, click Allow users to send announcements (unencrypted one-way messages).
6. Click OK.
7. Restart the Lotus Sametime Community Server for settings to take effect.

Managing anonymous access to virtual places
The Sametime Software Development Kit provides developers with the capability to build applications that create virtual places. Anonymous users can enter a virtual place and have awareness of other users in the same virtual place.

About this task
This capability to have awareness of other users in the same virtual place is sometimes called place-based awareness. Place-based awareness differs from community-wide awareness. With community-wide awareness, users can have awareness of any user in the community who is online. IBM Lotus Sametime Connect provides users with community-wide awareness functionality. Anonymous users are not allowed to have community-wide awareness in any Sametime clients.

The Anonymous users can enter virtual places field controls the ability of anonymous users to enter virtual places created by custom-built applications created with the Sametime Software Development Kit. For more information on virtual places, see the IMWC Directory and Database Access Toolkit documentation available from IBM developerWorks® at http://www.ibm.com/developerworks/lotus/downloads/toolkits.html.

Enter information for anonymous access to a virtual place. Each attendee who accepts the default name has a number added to the end (for example, User1, User2). This task must be completed separately for each server within a Lotus Sametime Community Server cluster.

1. Log in to the Integrated Solutions Console.
2. Click Sametime System Console → Sametime Servers → Sametime Community Servers.
3. In the Sametime Community Servers list, click the deployment name of the server with the connectivity information that you want to change.
4. Click the Anonymous tab.
5. Click the Anonymous users can enter virtual places field.
   Note: The following fields do not take effect unless the Anonymous users can enter virtual places field is selected.
6. If you want to let an anonymous user have a unique display name when accessing a Lotus Sametime application that includes awareness, click Users of Sametime applications (databases such as stconf.nsf or Web sites) can specify a display name so that they do not appear online as "anonymous." A display name entry dialog box appears when a user accesses the Lotus Sametime application. This display name allows the anonymous user to be individually identified in any presence lists in the Lotus Sametime application.
   Note: The ACL settings of the application must allow anonymous access, too.
7. If you want to have a domain name automatically appended to the display name entered by the user at the name entry dialog box, click Default domain for anonymous users.
8. If you want a name to appear by default in the name entry dialog box, click Default name. For instance, if the Default name field contains the entry User, the first person entering a meeting sees User displayed by default in the name field of the name entry dialog box. If the person accepts the default and enters the application, the person is identified as User1 in any presence list in the application.
9. Specify the level of access that an anonymous user of an application enabled with Sametime technology has to the directory. You can limit an anonymous user’s ability to view names in the directory. For example, you might prevent anonymous users from browsing all names in a directory or searching for names in the directory.
   • Users cannot browse or search the Directory: Anonymous users cannot search or browse the directory.
   • Users can type names to add them to an awareness list: Anonymous users can type text in a user search interface to search for person or group entries in the directory. However, users cannot view or browse a list containing all entries in the directory. Users might perform such searches to add users to a presence list.
   • Users can browse the directory (see a list of names) or type names (resolve users and groups): Anonymous users can type text in a user search interface and search for group or person entries in the directory. Anonymous users can also browse lists that contain all entries in the directory. When this option is selected, anonymous users can see all group and name entries in the directory, but cannot see the content of a group entry (the list of names within a group entry). Users cannot browse the LDAP directory on the LDAP server.
   • Users can browse the directory to see group content and names, or type names: Anonymous users have all searching and browsing privileges described for the Users can browse the directory (see a list of names) or type names (resolve users and groups) setting above. In addition, users can search and browse within group entries in the directory and access the user and group names that are specified within group entries in the directory.
10. Click OK.
11. Restart the Lotus Sametime Community Server for settings to take effect.

Sending a message to all users
Use the Sametime Administration Tool to simultaneously send a single message to all users currently logged in to Community Services from any Lotus Sametime client.

About this task
Follow these steps to send a message to all users currently logged in to Community Services.

1. Open a browser and navigate to the Lotus Sametime Community Server. Type the following address:
   http://host_name/servlet/auth/admin
   where host_name is the fully qualified host name of the server; for example:
   http://commsvr1.acme.com/servlet/auth/admin
2. From the Lotus Sametime home page, click Administer the Server.
3. Log in as the Lotus Sametime administrator.
4. Select Message From Administrator.
5. Enter the message in the text box provided.
6. Click Send. You receive a confirmation that your message was sent.

Managing business cards
You can configure the IBM Lotus Sametime Community Server so that business card information about an individual displays when a user hovers over a name in a chat window or a contact list.

About this task
Business Card can access user information from any of three types of storage repositories: the native Domino directory, the LDAP directory (including Domino LDAP), or a custom Notes application. Each repository stores user information differently, so to facilitate user searches, Sametime provides a search engine, called a black box, for each storage type. Since there are three different storage types, Sametime provides three different black boxes to search for user information (one per storage type). These are:
• LDAP – used to search an LDAP directory
• Notes – used to search a native Domino directory
• Notes_custom_db – used to search a customized Notes application

Using information in the LDAP server or the native Domino directory, you can choose the fields that represent the information that you want to display in the business card. The available fields are:
• Photo
• Name
• Company
• E-mail address
• Telephone
• Address or location
• Title

You can set up or change the details you want to retrieve by changing the values for these fields on the main Business Card page.

Configuring business cards using an LDAP directory
Follow these steps to configure the business card using an LDAP directory. Domino LDAP is considered an LDAP directory.


Before you begin
Before you start setting up your business cards, be sure the following conditions are true for your site.
• IBM Lotus Domino and IBM Lotus Sametime Community Server have been installed and configured
• Lotus Sametime authentication is configured to use an LDAP directory
• The LDAP server is running and accessible by the Lotus Sametime Community Server
• All LDAP attributes needed by Business Card are accessible for query via anonymous connection or by using a specific bind account and password
• The Lotus Sametime Community Server is running
• For Domino LDAP only: To allow anonymous users to access required user details, you can edit the All Servers document in names.nsf. Under the LDAP tab, all LDAP attributes that you want to be retrieved by anonymous users should be added to the list of Anonymous Users Can Query.

About this task
This task must be completed separately for each server within a Lotus Sametime Community Server cluster.

1. Log in to the Integrated Solutions Console.
2. Click Sametime System Console → Sametime Servers → Sametime Community Servers.
3. In the Sametime Community Servers list, click the deployment name of the server with the business card information that you want to add or change.
4. Click the Business Card tab.
5. In the Business Card Contents section, select the attribute you want displayed in users’ business cards, and then click Add to include the selected attribute. If you do not want to display any pre-selected information, select each attribute, and then click Remove.
6. Under Attribute Definition, choose Attribute Values that are appropriate for your deployment. Each LDAP directory has its own naming schema, so be sure to confirm that each attribute value selected for display is mapped to the correct LDAP attribute as defined by your LDAP schema. If you prefer to map another attribute value to the attribute name instead of the default value, then choose User Defined. The following table lists the default attribute value that is mapped to each attribute name.

Table 26. Attribute names and values
Attribute Name    Attribute Value
E-mail address    mail
Telephone         telephoneNumber
Title             title
Photo             jpegPhoto
Address           postalAddress
Company           ou
Name              cn

Domino LDAP does not contain the postalAddress field. The value retrieved for this LDAP attribute is the concatenation of City, State/Province, and Country. Also, Domino LDAP contains a hidden field for the ou attribute. This field cannot be set through the Domino LDAP, and a third-party LDAP management tool can be used to add a value to it.

7. If you select User Defined for an Attribute Value, then enter an attribute to map to the Attribute Name.
8. Click OK.
9. Restart the Lotus Sametime Community Server.

Configuring business card photos for Domino LDAP:
To store photos in Domino LDAP and enable UserInfo to retrieve them, follow the steps below. A third-party LDAP management tool is required for adding a JPEG Photo field to Domino LDAP. Most LDAP V3-compliant tools will work.

Before you begin
Configuring Business Card with an authenticated LDAP bind account is highly recommended. Allowing anonymous LDAP schema write access is a security risk, and additional security changes to the Domino Directory Access Control List may be required to allow anonymous write access to Domino LDAP.

1. Use Domino Designer to remove the jpegphoto field under Forms → Person → LDAP hidden fields from the person form of names.nsf or pubnames.ntf and reapply the design to names.nsf before proceeding.
   Note: Unless the jpegphoto field is removed, the image data is lost when a person document is opened and re-saved.
2. Use Domino Administrator to enable Domino LDAP write access. Within the default Configuration Settings document, under LDAP, click Yes next to Allow LDAP users write access.
3. Using the third-party LDAP tool, connect to the Domino LDAP server and bind as a Domino Administrator. Once a successful connection is made, select a user and add an attribute. The attribute name for Domino LDAP should be specified as jpegphoto;binary and the type should be selected as binary. Note the name being used for the attribute. If you use just jpegPhoto or Photo as the name, depending on the LDAP tool, you might not be able to store images in the field. The ;binary suffix is required for Domino LDAP to understand the binary data.
4. Use the third-party LDAP tool to import the JPEG or GIF photo into the new field.
5. Use ldapsearch or the LDAP tool to check that the photo has uploaded successfully.
6. Log in to the Integrated Solutions Console.
   a. Click Sametime System Console → Sametime Servers → Sametime Community Servers.
   b. In the Sametime Community Servers list, click the deployment name of the server with the connectivity information that you want to change.
   c. Click the Business Card tab.
   d. In the Business Card Contents section, select the Photo attribute, and then click Add to include it in the business card.
   e. Under Attribute Definition, choose User Defined as the attribute value for Photo.
   f. In the User Defined column next to Photo, type jpegphoto;binary.
   g. Click OK.
7. Open the LDAP server’s Domino Directory (names.nsf) in a Lotus Notes client.
   a. Expand Configurations → Servers, and select the Configurations view. Select the document for [All Servers]. Open this document in Edit mode and click the LDAP tab.
   b. Click Choose Fields that Anonymous Users Can Query via LDAP.
   c. Click New in the window that displays.
   d. Type jpegphoto in the field and click OK to save the value. Click OK again to close the window.
   e. Save and close the document.
8. Restart the LDAP server. From the server console, type tell ldap quit and then load ldap.
9. Using the LDAP tool or ldapsearch, check whether you can anonymously retrieve jpegPhoto. See "ldapsearch utility" in the Lotus Domino Administrator Help at https://www.ibm.com/developerworks/lotus/documentation/domino/
10. Browse to the UserInfoConfig.xml file within the Domino install folder. Under the Details section, check to make sure the Photo field is set to jpegPhoto;binary:
<Detail Id="Photo" FieldName="jpegPhoto;binary" Type="image/jpeg" />

11. Restart the Lotus Sametime Community Server.

Configuring business card photos for the Lotus Sametime browser client:
Follow these steps to configure the business card photo that displays for users that chat using the IBM Lotus Sametime browser client.

Before you begin
Enable the PhotoURL attribute in your LDAP directory. Refer to the documentation for your LDAP directory.

1. In the Lotus Sametime Community Server, find the UserInfoConfig.xml file.
2. Open the file with a text editor, and add the following tag to the Details section:
<Detail Id="PhotoURL" FieldName="PhotoURL" Type="text/plain"/>

3. Restart the Lotus Sametime Community Server.
4. Upload user photos into a Web server repository, so that users can access the photos using a URL. For example: http://iddirectory.mycompany.com/userphoto/mybuscardpic.jpg

Verifying business card configuration:
After you have configured your business card feature, you can verify the configuration.

About this task
To display user information, the business card uses an IBM Lotus Sametime Community Server application named UserInfo. UserInfo retrieves and delivers user information for each client request to view a user’s business card. Follow these instructions to verify your business card configuration.


1. Open \lotus\domino\UserInfoConfig.xml in a text editor. When you use an LDAP directory to store user information, UserInfoConfig.xml should look like this (note that the & in SearchFilter must be written as &amp; to be valid XML):

<UserInformation>
  <Resources>
    <Storage type="LDAP">
      <CommonField CommonFieldName="MailAddress"/>
      <StorageDetails HostName="ldap.mycomany.com" Port="389" UserName="username" Password="password" SslEnabled="false" SslPort="636" BaseDN="o=ibm" Scope="2" SearchFilter="(&amp;(objectclass=organizationalPerson)(|(cn=%s)(givenname=%s)(sn=%s)(mail=%s)))"/>
      <!-- Add another StorageDetails tag to support another ldap server. The listing order implies the searching order -->
      <!-- Scope: 0=OBJECT_SCOPE 1=ONELEVEL_SCOPE 2=SUBTREE_SCOPE-->
      <SslProperties KeyStorePath="" KeyStorePassword=""/>
      <Details>
        <Detail Id="MailAddress" FieldName="e-mail" Type="text/plain"/>
        <Detail Id="Name" FieldName="cn" Type="text/plain"/>
        <Detail Id="Title" FieldName="title" Type="text/plain"/>
        <Detail Id="Location" FieldName="postalAddress" Type="text/plain"/>
        <Detail Id="Telephone" FieldName="telephoneNumber" Type="text/plain"/>
        <Detail Id="Company" FieldName="ou" Type="text/plain"/>
        <Detail Id="Photo" FieldName="jpegPhoto" Type="image/jpeg"/>
      </Details>
    </Storage>
  </Resources>
  <ParamsSets>
    <Set SetId="0" params="MailAddress,Name,Title,Location,Telephone,Photo,Company"/>
    <Set SetId="1" params="MailAddress,Name,Title,Location,Telephone,Photo,Company"/>
  </ParamsSets>
  <BlackBoxConfiguration>
    <BlackBox type="LDAP" name="com.ibm.sametime.userinfo.userinfobb.UserInfoLdapBB" MaxInstances="5"/>
  </BlackBoxConfiguration>
</UserInformation>

2. Verify that stconfig.nsf has valid data for the LDAP document and the UserInfo document. 3. Verify that the HTTP server has been restarted after any changes have been made to the xml file.
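An added Python example, not part of this guide or of Sametime, that turns the verification steps above into checks run against a constructed UserInfoConfig.xml: every Id named in a ParamsSet must have a Detail, a Domino LDAP Photo Detail must use jpegPhoto;binary, each Storage type needs a BlackBox of the same type, and a bind password on a StorageDetails with SslEnabled="false" is reported. The hostname, bind account, BaseDN and the finding texts are this example's own assumptions.

```python
import xml.etree.ElementTree as ET

# Constructed sample modelled on the LDAP layout of UserInfoConfig.xml shown above.
# The hostname, bind account and BaseDN are placeholders, not values from the guide.
SAMPLE_XML = """<UserInformation>
  <Resources>
    <Storage type="LDAP">
      <CommonField CommonFieldName="MailAddress"/>
      <StorageDetails HostName="ldap.example.com" Port="389" UserName="svc-userinfo"
        Password="secret" SslEnabled="false" SslPort="636" BaseDN="o=example" Scope="2"
        SearchFilter="(&amp;(objectclass=organizationalPerson)(|(cn=%s)(mail=%s)))"/>
      <Details>
        <Detail Id="MailAddress" FieldName="mail" Type="text/plain"/>
        <Detail Id="Name" FieldName="cn" Type="text/plain"/>
        <Detail Id="Photo" FieldName="jpegPhoto" Type="image/jpeg"/>
      </Details>
    </Storage>
  </Resources>
  <ParamsSets>
    <Set SetId="0" params="MailAddress,Name,Photo,Company"/>
  </ParamsSets>
  <BlackBoxConfiguration>
    <BlackBox type="LDAP" name="com.ibm.sametime.userinfo.userinfobb.UserInfoLdapBB" MaxInstances="5"/>
  </BlackBoxConfiguration>
</UserInformation>
"""


def check_userinfo(xml_text, domino_ldap=False):
    """Return a list of findings for a UserInfoConfig.xml; an empty list means it passed.

    Set domino_ldap=True when the LDAP server is Domino LDAP, where the photo
    attribute has to be named jpegPhoto;binary (step 10 of the Domino LDAP photo
    procedure). A bare & inside SearchFilter makes ET.fromstring raise ParseError:
    in an XML attribute value it must be written as &amp;."""
    root = ET.fromstring(xml_text)
    findings = []

    # 1. Every Id a ParamsSet requests must be defined by some Detail.
    ids = {d.get("Id"): d for d in root.iter("Detail")}
    for s in root.iter("Set"):
        for param in s.get("params", "").split(","):
            if param and param not in ids:
                findings.append(f"Set {s.get('SetId')}: param {param} has no Detail mapping")

    # 2. Domino LDAP stores the photo under jpegPhoto;binary.
    photo = ids.get("Photo")
    if domino_ldap and photo is not None and photo.get("FieldName") != "jpegPhoto;binary":
        findings.append("Photo: Domino LDAP needs FieldName jpegPhoto;binary")

    # 3. A bind password on a non-SSL connection travels in clear text.
    for sd in root.iter("StorageDetails"):
        if sd.get("Password") and sd.get("SslEnabled", "false").lower() != "true":
            findings.append(f"{sd.get('HostName')}: bind password over plain LDAP (SslEnabled=false)")

    # 4. Each Storage type needs a black box of the same type to search it.
    blackbox_types = {b.get("type") for b in root.iter("BlackBox")}
    for storage in root.iter("Storage"):
        if storage.get("type") not in blackbox_types:
            findings.append(f"Storage type {storage.get('type')} has no matching BlackBox")
    return findings


if __name__ == "__main__":
    for line in check_userinfo(SAMPLE_XML, domino_ldap=True):
        print(line)
```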

Configuring business cards using a Domino directory
This task demonstrates how to configure the Business Card using the Domino directory.

Before you begin
Prerequisites:
• Domino and Sametime are installed and configured to run
• Sametime authentication is configured to use a Domino directory
• The Sametime server is running

About this task
Follow these steps to configure the Business Card to display data that is stored in a single data repository, a Domino directory.

1. Open an Internet browser and enter this URL into the address field: http://sametime.austin.ibm.com/stcenter.nsf, substituting the host name sametime.austin.ibm.com with your server’s actual host name.
2. Click Administer the server, and then log in as Administrator.
3. Click the plus sign next to Configuration to expand the contents, and then click Business Card Setup.


4. In the User Information section, highlight the entry you want displayed in users’ business cards, and then click the add button to move the entry to the right-side list box. To remove pre-selected entries, click the entry (or entries) and click remove. In most cases, the bottom section requires no modification; however, if the information you want displayed in the users’ business cards is not mapped to the default fields provided by the users’ person documents, then you may need to update the bottom section. For example, the XYZ corporation stores users’ job title information in the occupation title field, which is not the default field provided by Notes/Domino to store users’ job title information. So, to display the proper information for users’ job titles in the business card, the mapping for the title must be updated. In XYZ’s case, the value for the title attribute is modified from job title to occupation title.
5. Click update to save the changes.

To display user information, the business card feature uses a server-side application called UserInfo, which is designed to fetch and deliver user information for each incoming client request (a request from a client to view a specific user’s business card). To ensure this application is configured properly to search the proper data storage, confirm the settings as defined in UserInfoConfig.xml.


6. Open the UserInfoConfig.xml file in a text editor. The file is located in the Domino program directory (\\lotus\domino\UserInfoConfig.xml). Here is a section of the UserInfoConfig file edited for XYZ’s scenario:
<UserInformation>
  <Resources>
    <Storage type="NOTES">
      <CommonField CommonFieldName="MailAddress"/>
      <Details>
        <Detail Id="Location" FieldName="Location" Type="text/plain"/>
        <Detail Id="Title" FieldName="JobTitle" Type="text/plain"/>
        <Detail Id="MailAddress" FieldName="InternetAddress" Type="text/plain"/>
        <Detail Id="Telephone" FieldName="OfficePhoneNumber" Type="text/plain"/>
        <Detail Id="Company" FieldName="CompanyName" Type="text/plain"/>
        <Detail Id="Name" FieldName="FirstName,MiddleInitial,LastName" Type="text/plain"/>
      </Details>
    </Storage>
  </Resources>
  <ParamsSets>
    <Set SetId="0" params="MailAddress,Name,Title,Location,Telephone,Photo,Company"/>
    <Set SetId="1" params="MailAddress,Name,Title,Location,Telephone,Photo,Company"/>
  </ParamsSets>
  <BlackBoxConfiguration>
    <BlackBox type="NOTES" name="com.ibm.sametime.userinfo.userinfobb.UserInfoNotesBB" MaxInstances="4"/>
  </BlackBoxConfiguration>
</UserInformation>

Photos in the Domino directory: The Domino directory does not have a standard field for photo, but photos can be retrieved from the Domino Name and Address Book (NAB) as follows:
1. Add a rich text field or rich-text lite field to the Person form of the Name and Address Book in Domino.
   a. Open names.nsf in Domino Designer.
   b. Open the Person form.
   c. Click the section where you want to add the field. A sub-form will open.
   d. In the sub-form, click where you want to add the field.
   e. Select Create > field from the menu, and edit the field’s properties.
   f. Add the name to the field and select Rich Text as the type.
   g. Save the form.
2. To store photo information in the newly-added rich-text field, choose either:
   • Import: click on the rich text field and choose Create > Picture. This adds the file contents to the field.
   • Attach: save the image file in the rich text field as an attachment.
3. Using the Sametime Administration tool, go to the Business Card Attribute page.
4. In the text box for the Photo attribute, type the name of the rich text field that you added to the Name and Address Book, above, matching the case, then click Update.
5. Restart the Sametime server.
Photo types used by Domino are .jpeg and .gif.

Configuring business cards to use two repositories
For retrieving business card information, you can set up a dual repository. When you set up dual repositories, you set up a primary repository and a secondary repository:
Primary repository: The first storage repository searched by the UserInfo application to retrieve user information; must always be the Sametime directory.
Secondary repository: The second storage repository searched by the UserInfo application to retrieve user information.
Note: The primary storage can never be of the same type as the secondary repository; for example, the primary and secondary storage cannot both be a Domino directory.
There are a variety of ways you can use dual repositories:
• The dual repository with Domino/LDAP directories
• The dual repository with LDAP/Domino directories
• The dual repository with Domino/Custom Notes databases
• The dual repository with LDAP/Custom Notes databases
Configuring a dual repository with LDAP and a native Domino Directory: For retrieving business card information, you can set up a dual repository of an LDAP directory and a native Domino Directory.
Before you begin
This section describes how to configure the business card using two storage repositories: an LDAP directory as the primary storage, and a native (non-LDAP) Domino Directory as the secondary storage.


About this task
These directions assume the following:
• Lotus Domino and IBM Lotus Sametime Community Server have already been installed and configured to run properly
• Sametime authentication is configured to use an LDAP directory
• The LDAP server is running and accessible by the Lotus Sametime Community Server
• All LDAP attributes needed by the business card are accessible for query via an anonymous connection or using a specific bind account/password
• The Lotus Sametime Community Server is running
• Business card information can be retrieved from your Sametime directory
• A Notes database based on the Domino directory template (pubnames.ntf) has been created and contains person documents for each corresponding user account defined in the Sametime directory. (In our example, this database is named bcardstorage.nsf, and the user accounts correspond to the accounts in the Lotus Sametime directory by users’ e-mail address.)
1. Using Lotus Notes, open your Directory Assistance database (typically da.nsf). If such a database does not exist, you must create one based upon the Directory Assistance template.
2. Click Add Directory Assistance to add an additional directory assistance document, and then specify the secondary storage. See the sample Directory Assistance document for the bcardstorage.nsf below:

[Figure: sample Directory Assistance document for bcardstorage.nsf, Naming contexts (Rules) tab]
Note: For Business Card purposes, the secondary storage does NOT have to be trusted for credentials.


[Figure: sample Directory Assistance document for bcardstorage.nsf, Replicas tab]

3. Once you have completed the changes, save and close the document. The resultant Directory Assistance database may show the following:

Note: The directory assistance database must be listed on the Basics tab of the Sametime server document in the Directory assistance database name field. If it is not listed, fill in the field, and restart the Sametime server to effect that change.
4. Log in to the Integrated Solutions Console.
5. Click Sametime System Console → Sametime Servers → Sametime Community Servers.


6. In the Sametime Community Servers list, click the deployment name of the server with the business card information that you want to add or change.
7. Click the Business Card tab.
8. In the Business Card Contents section, select the attribute you want displayed in users’ business cards, and then click Add to include the selected attribute. If you do not want to display any pre-selected information, select each attribute, and then click Remove.
9. Under Attribute Definition, choose Attribute Values that are appropriate for your deployment. Each LDAP directory has its own naming schema, so be sure to confirm that each attribute value selected for display is mapped to the correct LDAP attribute as defined by your LDAP schema. If you prefer to map another attribute value to the attribute name instead of the default value, then choose User Defined. The following table lists the default attribute value that is mapped to each attribute name.
Attribute Name    Attribute Value
E-mail address    mail
Telephone         telephoneNumber
Title             title
Photo             jpegPhoto
Address           postalAddress
Company           ou
Name              cn

10. If you select User Defined for an Attribute Value, then enter an attribute to map to the Attribute Name.
11. In the Attribute Definition table, change the Attribute Value for the attributes that will be retrieved from the secondary storage to User Defined and leave the User Defined field blank. For example, if you are retrieving users’ Telephone and Title information from the Domino Directory, change the values for the Telephone and Title attributes to User Defined, leave the User Defined field blank, and then click OK to save the changes.
Note: These values are blank to ensure they are retrieved from the secondary repository (the Domino Directory) and not from the primary repository, which is the LDAP directory.
12. Modify the UserInfoConfig.xml file located in the Domino program directory (\lotus\domino\UserInfoConfig.xml) using a text editor. The UserInfo application fetches and delivers user information for each incoming client request (a user’s request to view a particular user’s business card). When you are using an LDAP directory as primary storage and a Domino Notes directory as secondary storage, make the following modifications. Add an additional Storage tag of Notes type within the Resources tag, placed after the LDAP Storage tag:
    <Storage type="NOTES">
      <CommonField CommonFieldName="MailAddress"/>
      <Details>
        <Detail Id="Title" FieldName="JobTitle" Type="text/plain"/>
        <Detail Id="Telephone" FieldName="OfficePhoneNumber" Type="text/plain"/>
      </Details>
    </Storage>
  </Resources>

Note: The Details section defines the attributes that will be retrieved by Sametime from the corresponding storage repository. In this example, we are retrieving Title and Telephone information from Domino.
13. To ensure the Telephone and Title fields come from Domino, remove the following from the Details tag of the LDAP storage type:
<Detail Id="Title" FieldName="title" Type="text/plain"/>
<Detail Id="Telephone" FieldName="telephoneNumber" Type="text/plain"/>

14. Add the following to the <BlackBoxConfiguration> section. Make sure it is listed after the LDAP black box, as the order defines the search order:
    <BlackBox type="NOTES" name="com.ibm.sametime.userinfo.userinfobb.UserInfoNotesBB" MaxInstances="4"/>
  </BlackBoxConfiguration>

Note: Since the Sametime directory is the storage searched first by the UserInfo application, and in this case the LDAP directory is the Sametime directory, the NOTES black box must be listed after the LDAP black box.
15. Once these changes are made, the UserInfoConfig.xml looks like this:
<UserInformation>
  <Resources>
    <Storage type="LDAP">
      <StorageDetails HostName="ldap.austin.ibm.com" Port="389" UserName="username" Password="password" SslEnabled="false" SslPort="636" BaseDN="o=ibm" Scope="2" SearchFilter="(&amp;(objectclass=organizationalPerson)(|(cn=%s)(givenname=%s)(sn=%s)(mail=%s)))"/>
      <!-- Add another StorageDetails tag to support another ldap server. The listing order implies the searching order -->
      <!-- Scope: 0=OBJECT_SCOPE 1=ONELEVEL_SCOPE 2=SUBTREE_SCOPE-->
      <SslProperties KeyStorePath="" KeyStorePassword=""/>
      <Details>
        <Detail Id="MailAddress" FieldName="e-mail" Type="text/plain"/>
        <Detail Id="Name" FieldName="cn" Type="text/plain"/>
        <Detail Id="Location" FieldName="postalAddress" Type="text/plain"/>
        <Detail Id="Company" FieldName="ou" Type="text/plain"/>
        <Detail Id="Photo" FieldName="jpegPhoto" Type="image/jpeg"/>
      </Details>
    </Storage>
    <Storage type="NOTES">
      <CommonField CommonFieldName="MailAddress"/>
      <Details>
        <Detail Id="Title" FieldName="JobTitle" Type="text/plain"/>
        <Detail Id="Telephone" FieldName="OfficePhoneNumber" Type="text/plain"/>
      </Details>
    </Storage>
  </Resources>
  <ParamsSets>
    <Set SetId="0" params="MailAddress,Name,Title,Location,Telephone,Photo,Company"/>
    <Set SetId="1" params="MailAddress,Name,Title,Location,Telephone,Photo,Company"/>
  </ParamsSets>
  <BlackBoxConfiguration>
    <BlackBox type="LDAP" name="com.ibm.sametime.userinfo.userinfobb.UserInfoLdapBB" MaxInstances="5"/>
    <BlackBox type="NOTES" name="com.ibm.sametime.userinfo.userinfobb.UserInfoNotesBB" MaxInstances="4"/>
  </BlackBoxConfiguration>
</UserInformation>


16. UserInfo must have a common field shared among the various storage repositories to retrieve data for a single user from multiple sources. By default, the user’s e-mail address is the common attribute, but any unique value may be used. If you prefer to use a different attribute, update the following field:
<CommonField CommonFieldName="MailAddress"/>

17. Restart your Lotus Sametime Community and Domino servers to effect the changes.
Results
You have successfully configured the business card to display information for a single user from dual storage repositories: an LDAP directory and the Domino Directory.
Configuring a dual repository with LDAP and a custom application: For retrieving business card information, you can set up a dual repository of an LDAP directory and a custom IBM Lotus Notes application.
Before you begin
This section describes how to configure the business card using two storage repositories: LDAP with a custom Lotus Notes application repository. Here, we describe how you can set up LDAP as the primary storage, and a custom Lotus Notes application as the secondary storage. These directions assume the following:
• Lotus Domino and IBM Lotus Sametime Community Server have already been installed and configured to run properly
• Sametime authentication is configured to use an LDAP directory
• The LDAP server is running and accessible by the Lotus Sametime Community Server
• Business card information can be retrieved from your Sametime directory
• A custom Lotus Notes application based upon any template has been created and contains user records for each corresponding person document defined in the Sametime directory. (In our example, this custom application is named bcardstorage.nsf.)
• To use a custom Lotus Notes application as a secondary repository, each user record in the custom application must have a common field whose unique value matches the value of the same field for the person in the Sametime directory. By default, the common field that is used is the Internet e-mail address.
About this task
1. Log in to the Integrated Solutions Console.
2. Click Sametime System Console → Sametime Servers → Sametime Community Servers.
3. In the Sametime Community Servers list, click the deployment name of the server with the business card information that you want to add or change.
4. Click the Business Card tab.


5. In the Business Card Contents section, select the attribute you want displayed in users’ business cards, and then click Add to include the selected attribute. If you do not want to display any pre-selected information, select each attribute, and then click Remove.
6. Under Attribute Definition, choose Attribute Values that are appropriate for your deployment. Each LDAP directory has its own naming schema, so be sure to confirm that each attribute value selected for display is mapped to the correct LDAP attribute as defined by your LDAP schema. If you prefer to map another attribute value to the attribute name instead of the default value, then choose User Defined. The following table lists the default attribute value that is mapped to each attribute name.
Table 27. Attribute names and values
Attribute Name    Attribute Value
E-mail address    mail
Telephone         telephoneNumber
Title             title
Photo             jpegPhoto
Address           postalAddress
Company           ou
Name              cn

7. If you select User Defined for an Attribute Value, then enter an attribute to map to the Attribute Name.
8. In the Attribute Definition table, change the Attribute Value for the attributes that will be retrieved from the secondary storage to User Defined and leave the User Defined field blank. For example, if you are retrieving users’ Telephone and Title information from the custom Lotus Notes application, change the values for the Telephone and Title attributes to User Defined, leave the User Defined field blank, and then click Reset to save the changes.
Note: These values are blank to ensure they are retrieved from the secondary repository (the Lotus Notes application) and not from the primary repository, which is the LDAP directory.
9. Modify the UserInfoConfig.xml file located in the Domino program directory (\lotus\domino\UserInfoConfig.xml) using a text editor. The UserInfo application fetches and delivers user information for each incoming client request (a user’s request to view a particular user’s business card). When you are using an LDAP directory as primary storage and a custom Notes application as secondary storage, make these modifications:
a. Add the following NOTES_CUSTOM_DB Storage tag inside the Resources tag:
<Storage type="NOTES_CUSTOM_DB">
  <StorageDetails DbName="bcardstorage.nsf" View="$BCardView"/>
  <Details>
    <Detail Id="Title" FieldName="JobTitle" Type="text/plain"/>
    <Detail Id="Telephone" FieldName="OfficePhoneNumber" Type="text/plain"/>
  </Details>
</Storage>

Note: In the <StorageDetails> tag, the following settings are specified:
• DbName = database_path: Filename of the custom Notes application (relative path to the Domino data directory)
• View = view_name: The name of the Notes view that displays the documents containing the user records.
• The <Details> section defines the attributes that will be retrieved by Sametime from the corresponding storage repository. In this example, we are pulling the telephone attribute from the custom Notes application database.
b. The attributes Title and Telephone must come from the custom Notes application rather than from LDAP, so remove the following information from the <Details> tag of the LDAP storage:
<Detail Id="Title" FieldName="title" Type="text/plain"/>
<Detail Id="Telephone" FieldName="telephoneNumber" Type="text/plain"/>
c. Add the following information to the <BlackBoxConfiguration> section. Make sure it is listed after the LDAP black box, as the list order defines the search order:
    <BlackBox type="NOTES_CUSTOM_DB" name="com.ibm.sametime.userinfo.userinfobb.UserInfoNotesCustomBB" MaxInstances="4"/>
  </BlackBoxConfiguration>
d. The UserInfoConfig.xml now looks like this:
<UserInformation>
  <Resources>
    <Storage type="LDAP">
      <CommonField CommonFieldName="MailAddress"/>
      <StorageDetails HostName="ldap.austin.ibm.com" Port="389" UserName="username" Password="password" SslEnabled="false" SslPort="636" BaseDN="o=ibm" Scope="2" SearchFilter="(&amp;(objectclass=organizationalPerson)(|(cn=%s)(givenname=%s)(sn=%s)(mail=%s)))"/>
      <!-- Add another StorageDetails tag to support another ldap server. The listing order implies the searching order -->
      <!-- Scope: 0=OBJECT_SCOPE 1=ONELEVEL_SCOPE 2=SUBTREE_SCOPE-->
      <SslProperties KeyStorePath="" KeyStorePassword=""/>
      <Details>
        <Detail Id="MailAddress" FieldName="e-mail" Type="text/plain"/>
        <Detail Id="Name" FieldName="cn" Type="text/plain"/>
        <Detail Id="Location" FieldName="postalAddress" Type="text/plain"/>
        <Detail Id="Company" FieldName="ou" Type="text/plain"/>
        <Detail Id="Photo" FieldName="jpegPhoto" Type="image/jpeg"/>
      </Details>
    </Storage>
    <Storage type="NOTES_CUSTOM_DB">
      <StorageDetails DbName="bcardstorage.nsf" View="$BCardView"/>
      <Details>
        <Detail Id="Title" FieldName="JobTitle" Type="text/plain"/>
        <Detail Id="Telephone" FieldName="OfficePhoneNumber" Type="text/plain"/>
      </Details>
    </Storage>
  </Resources>
  <ParamsSets>
    <Set SetId="0" params="MailAddress,Name,Title,Location,Telephone,Photo,Company"/>
    <Set SetId="1" params="MailAddress,Name,Title,Location,Telephone,Photo,Company"/>
  </ParamsSets>
  <BlackBoxConfiguration>
    <BlackBox type="LDAP" name="com.ibm.sametime.userinfo.userinfobb.UserInfoLdapBB" MaxInstances="5"/>
    <BlackBox type="NOTES_CUSTOM_DB" name="com.ibm.sametime.userinfo.userinfobb.UserInfoNotesCustomBB" MaxInstances="4"/>
  </BlackBoxConfiguration>
</UserInformation>

e. UserInfo must have a common field shared among the various storage repositories to retrieve data for a single user from multiple sources. By default, the user’s e-mail address is the common attribute, but any unique value may be used. If you prefer to use a different attribute, update the following field:
<CommonField CommonFieldName="MailAddress"/>
10. Restart the Lotus Sametime Community Server and the Lotus Domino server to effect the changes.
What to do next
You have successfully configured the business card to display information for a single user from dual storage repositories: an LDAP directory and a custom Notes application.
Configuring a dual repository with Domino Directory and LDAP: You can configure Business Card with the use of two (dual) repositories, Domino and LDAP. The primary storage repository is the native (non-LDAP) Domino Directory, and the auxiliary storage is the LDAP directory.
Before you begin
These directions assume the following:
• Domino and IBM Lotus Sametime have been installed and configured to run properly
• Sametime authentication is configured to use a native Domino Directory
• The LDAP server is running and is accessible by the Sametime server
• All LDAP attributes needed by Business Card are accessible for query via an anonymous connection or by using a specific bind account/password
• The Sametime server is running
• Business card information can be retrieved from your Sametime directory
About this task
Enter this URL in the address window of a browser: http://hostname/stcenter.nsf, using your server’s actual host name.
1. Click Administer the server, and then log in as Administrator.
2. Expand the plus sign next to Configuration, and then select Business Card setup.


3. In the User Information section on the left side, highlight the entry you want displayed in users’ business cards, and click the Add button to move the selected entry into the right-side list box. If you do not want to display any of the pre-selected information (as listed on the right-hand side), highlight the entry, and then click Remove.
4. In the bottom section of the page, where the table of Attribute names and values is defined, remove the attribute values for the attributes that will be retrieved from the auxiliary storage. In our example, we’ll be pulling users’ Telephone information from the LDAP directory, so delete the value for the Telephone attribute, and then click Update to save the changes. Removing attributes here ensures they are pulled from auxiliary storage, and not primary storage.


5. Using a text editor (Notepad or Wordpad), open the file called UserInfoConfig.xml, a file that contains information the server uses to display user information for Business Card. The UserInfo application is designed to fetch and deliver user information for each incoming client request (a user’s request to view a specific user’s business card). To ensure this application is configured properly to search the correct data storages, confirm the settings as defined in UserInfoConfig.xml.
6. When Domino Directory is primary storage and LDAP is auxiliary storage, make the following modifications:
a. Add the following LDAP <Storage> tag within the <Resources> tag:
<Storage type="LDAP">
  <StorageDetails HostName="ldap.austin.ibm.com" Port="389" UserName="username" Password="password" SslEnabled="false" SslPort="636" BaseDN="o=ibm" Scope="2" SearchFilter="(&amp;(objectclass=organizationalPerson)(|(cn=%s)(givenname=%s)(sn=%s)(mail=%s)))"/>
  <!-- Add another StorageDetails tag to support another ldap server. The listing order implies the searching order -->
  <!-- Scope: 0=OBJECT_SCOPE 1=ONELEVEL_SCOPE 2=SUBTREE_SCOPE-->
  <SslProperties KeyStorePath="" KeyStorePassword=""/>
  <Details>
    <Detail Id="Telephone" FieldName="telephonenumber" Type="text/plain"/>
  </Details>
</Storage>

Note: Update the StorageDetails tag with the appropriate settings for your LDAP directory.
Note: The Details section defines the attributes that Sametime will retrieve from the corresponding storage repository. In this example, we are pulling the telephonenumber attribute from the LDAP directory.
b. To ensure the telephone number is retrieved from LDAP, and not from Domino, remove the following from the <Details> tag of the (Domino) Notes storage type:
<Detail Id="Telephone" FieldName="OfficePhoneNumber" Type="text/plain"/>
After you have made these changes, the UserInfoConfig.xml file should look like the below:
<UserInformation>
  <Resources>
    <Storage type="NOTES">
      <CommonField CommonFieldName="MailAddress"/>
      <Details>
        <Detail Id="Location" FieldName="Location" Type="text/plain"/>
        <Detail Id="Title" FieldName="JobTitle" Type="text/plain"/>
        <Detail Id="MailAddress" FieldName="InternetAddress" Type="text/plain"/>
        <Detail Id="Company" FieldName="CompanyName" Type="text/plain"/>
        <Detail Id="Name" FieldName="FirstName,MiddleInitial,LastName" Type="text/plain"/>
        <Detail Id="Photo" FieldName="jpegPhoto" Type="image/jpeg"/>
      </Details>
    </Storage>
    <Storage type="LDAP">
      <StorageDetails HostName="ldap.austin.ibm.com" Port="389" UserName="username" Password="password" SslEnabled="false" SslPort="636" BaseDN="o=ibm" Scope="2" SearchFilter="(&amp;(objectclass=organizationalPerson)(|(cn=%s)(givenname=%s)(sn=%s)(mail=%s)))"/>
      <!-- Add another StorageDetails tag to support another ldap server. The listing order implies the searching order -->
      <!-- Scope: 0=OBJECT_SCOPE 1=ONELEVEL_SCOPE 2=SUBTREE_SCOPE-->
      <SslProperties KeyStorePath="" KeyStorePassword=""/>
      <Details>
        <Detail Id="Telephone" FieldName="telephonenumber" Type="text/plain"/>
      </Details>
    </Storage>
  </Resources>
  <ParamsSets>
    <Set SetId="0" params="MailAddress,Name,Title,Location,Telephone,Photo,Company"/>
    <Set SetId="1" params="MailAddress,Name,Title,Location,Telephone,Photo,Company"/>
  </ParamsSets>
  <BlackBoxConfiguration>
    <BlackBox type="NOTES" name="com.ibm.sametime.userinfo.userinfobb.UserInfoNotesBB" MaxInstances="4"/>
    <BlackBox type="LDAP" name="com.ibm.sametime.userinfo.userinfobb.UserInfoLdapBB" MaxInstances="5"/>
  </BlackBoxConfiguration>
</UserInformation>

So that the UserInfo application can retrieve data for a user from multiple data sources, a common field must be shared among the storage repositories; this field must be unique for its corresponding directory. By default, users’ e-mail addresses are used as the common attribute; consequently, users must be uniquely identified by their e-mail addresses. If another attribute is preferred, the following line must be updated to reflect the field for that attribute:
<CommonField CommonFieldName="MailAddress"/>
7. Restart your Lotus Sametime server and the Domino server to effect all the changes.
Configuring a dual repository with Domino Directory and a custom application: For retrieving Business Card information, you can set up a dual repository of a Domino Directory and a custom Lotus Notes application.
Before you begin
This section describes how to configure the Business Card using two storage repositories: Domino Directory with a custom Lotus Notes repository. Here, we describe how you can set up Domino Directory as the primary storage, and a custom Lotus Notes application as the secondary storage.

These directions assume the following:
• Domino and IBM Lotus Sametime have already been installed and configured to run properly
• Business card information can be retrieved from your Sametime directory
• A custom Lotus Notes application based upon any template has been created and contains user records for each corresponding person document defined in the Sametime directory. (In our example, this custom application is named bcardstorage.nsf.)
• To use a custom Lotus Notes application as an auxiliary repository, each user record in the custom database must have a common field whose unique value matches the value of the same field for the person in the Sametime directory. By default, the common field that is used is the Internet e-mail address.
1. Open an Internet browser and enter http://hostname/stcenter.nsf into the URL field, and then click Administer the server.
2. Click the plus sign next to Configuration to expand the list. Choose Business card setup.
3. In the user information section on the left side, highlight the entry you want displayed in the users’ business cards, and click the Add button to move the entry to the right-side list box. To remove pre-selected entries, highlight them, and click Remove.
4. In the bottom attributes section, if the information you want displayed in users’ business cards is not mapped to the appropriate attributes used in your company, then you may need to update it.
5. To prepare attributes for use by the auxiliary storage, in the attribute name/attribute value section, remove the values for the attributes that are to be retrieved from the auxiliary storage. In this example, we are retrieving the Telephone information from the custom Notes application; therefore, you should delete the value for the Telephone attribute, and then click Update to save the changes. These values are removed to ensure the appropriate values are retrieved from the auxiliary data repository, and not the first.


6. Modify the UserInfoConfig.xml file located in the Domino program directory (\lotus\domino\UserInfoConfig.xml) using a text editor. The UserInfo application fetches and delivers user information for each incoming client request (a user’s request to view a particular user’s business card).
a. Add the following NOTES_CUSTOM_DB Storage tag inside the Resources tag:
<Storage type="NOTES_CUSTOM_DB">
  <StorageDetails DbName="bcardstorage.nsf" View="persons"/>
  <Details>
    <Detail Id="Telephone" FieldName="telephone" Type="text/plain"/>
  </Details>
</Storage>

Note: In the StorageDetails tag, the following settings are specified:
• DbName = database_path: Filename of the custom Lotus Notes application (relative path to the Domino data directory)
• View = view_name: The name of the Notes view that displays the documents containing the user records
• The Details section defines the attributes that will be retrieved by Sametime from the corresponding storage repository. In this example, we are pulling the telephone attribute from the custom Lotus Notes application.
b. Since the Telephone number must come from the custom Notes application, ensure the information is not retrieved from the Domino directory by removing the following information from the Details tag of the Notes storage:
<Detail Id="Telephone" FieldName="OfficePhoneNumber" Type="text/plain"/>

c. Add the following information to the BlackBox Configuration section. The Notes black box must come first since the listed order defines the search order:
<BlackBox type="NOTES_CUSTOM_DB" name="com.ibm.sametime.userinfo.userinfobb.UserInfoNotesCustomBB" MaxInstances="4"/>

Note: The Sametime directory must be configured as the primary storage so it can be searched first by the UserInfo application. In this example, the Domino directory is the Sametime directory; therefore, the NOTES_CUSTOM_DB black box is listed AFTER the Notes black box. Now the UserInfoConfig.xml should look like this:
<UserInformation>
  <Resources>
    <Storage type="NOTES">
      <CommonField CommonFieldName="MailAddress"/>
      <Details>
        <Detail Id="Location" FieldName="Location" Type="text/plain"/>
        <Detail Id="Title" FieldName="JobTitle" Type="text/plain"/>
        <Detail Id="MailAddress" FieldName="InternetAddress" Type="text/plain"/>
        <Detail Id="Company" FieldName="CompanyName" Type="text/plain"/>
        <Detail Id="Name" FieldName="FirstName,MiddleInitial,LastName" Type="text/plain"/>
        <Detail Id="Photo" FieldName="jpegPhoto" Type="image/jpeg"/>
      </Details>
    </Storage>
    <Storage type="NOTES_CUSTOM_DB">
      <StorageDetails DbName="bcardstorage.nsf" View="persons"/>
      <Details>
        <Detail Id="Telephone" FieldName="telephone" Type="text/plain"/>
      </Details>
    </Storage>
  </Resources>
  <ParamsSets>
    <Set SetId="0" params="MailAddress,Name,Title,Location,Telephone,Photo,Company"/>
    <Set SetId="1" params="MailAddress,Name,Title,Location,Telephone,Photo,Company"/>
  </ParamsSets>
  <BlackBoxConfiguration>
    <BlackBox type="NOTES" name="com.ibm.sametime.userinfo.userinfobb.UserInfoNotesBB" MaxInstances="4"/>
    <BlackBox type="NOTES_CUSTOM_DB" name="com.ibm.sametime.userinfo.userinfobb.UserInfoNotesCustomBB" MaxInstances="4"/>
  </BlackBoxConfiguration>
</UserInformation>

7. So that the UserInfo application can retrieve data for a single user from multiple sources, a common field must be shared among the storage repositories. By default (though any unique value may be used), the user’s e-mail address is the common attribute, so in both storage repositories, users must be uniquely identified by their e-mail addresses. If you want to use a different attribute, you must update this line to show which attribute you plan to use:
<CommonField CommonFieldName="MailAddress"/>
8. Restart the Lotus Sametime server and the Domino server to effect all the changes.
What to do next
You have successfully configured the business card to display information for a single user from dual storage repositories: the Domino directory and a custom Notes application.
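The four dual-repository procedures above all hinge on the same UserInfoConfig.xml rules: the Sametime directory's Storage and BlackBox come first, a Detail Id is served by one repository only, every attribute in a ParamsSet must be provided by some Storage, and the CommonField joins the two repositories. The following Python script is an added example, not part of this guide or the product; it parses a constructed configuration laid out like the LDAP-primary, NOTES-secondary case (host, bind account and BaseDN are placeholders) and reports violations of those rules, plus one check a practitioner will want: an LDAP bind password in this file with SslEnabled="false" is sent, along with the directory data, in cleartext on every lookup.

```python
"""Consistency checks for a Sametime UserInfoConfig.xml with two business card repositories."""
import xml.etree.ElementTree as ET

# Constructed sample (not a real deployment) in the LDAP-primary / NOTES-secondary
# layout; the host name, bind account and BaseDN are placeholders.
SAMPLE_CONFIG = """<UserInformation>
  <Resources>
    <Storage type="LDAP">
      <CommonField CommonFieldName="MailAddress"/>
      <StorageDetails HostName="ldap.example.com" Port="389" UserName="bind-user"
          Password="bind-password" SslEnabled="false" SslPort="636" BaseDN="o=example"
          Scope="2" SearchFilter="(&amp;(objectclass=organizationalPerson)(mail=%s))"/>
      <Details>
        <Detail Id="MailAddress" FieldName="mail" Type="text/plain"/>
        <Detail Id="Name" FieldName="cn" Type="text/plain"/>
        <Detail Id="Photo" FieldName="jpegPhoto" Type="image/jpeg"/>
      </Details>
    </Storage>
    <Storage type="NOTES">
      <Details>
        <Detail Id="Title" FieldName="JobTitle" Type="text/plain"/>
        <Detail Id="Telephone" FieldName="OfficePhoneNumber" Type="text/plain"/>
      </Details>
    </Storage>
  </Resources>
  <ParamsSets>
    <Set SetId="0" params="MailAddress,Name,Title,Telephone,Photo"/>
  </ParamsSets>
  <BlackBoxConfiguration>
    <BlackBox type="LDAP" name="com.ibm.sametime.userinfo.userinfobb.UserInfoLdapBB" MaxInstances="5"/>
    <BlackBox type="NOTES" name="com.ibm.sametime.userinfo.userinfobb.UserInfoNotesBB" MaxInstances="4"/>
  </BlackBoxConfiguration>
</UserInformation>
"""


def check_userinfo_config(xml_text, sametime_dir_type):
    """Return a list of findings; an empty list means every check passed.

    sametime_dir_type is the Storage type of the Sametime directory itself
    ("LDAP" or "NOTES"); that repository must be the first one searched.
    """
    findings = []
    try:
        root = ET.fromstring(xml_text)
    except ET.ParseError as exc:
        # A bare '&' in SearchFilter is the usual cause; in XML it must be written &amp;
        return ["not well-formed XML (is '&' in SearchFilter written as '&amp;'?): %s" % exc]

    storages = root.findall("./Resources/Storage")
    if not storages:
        return ["no Storage element under Resources"]
    storage_types = [s.get("type") for s in storages]
    box_types = [b.get("type") for b in root.findall("./BlackBoxConfiguration/BlackBox")]

    # Search order: the Sametime directory is queried first, and the BlackBox
    # list must be in the same order as the Storage list.
    if storage_types[0] != sametime_dir_type:
        findings.append("primary storage is %s but the Sametime directory is %s"
                        % (storage_types[0], sametime_dir_type))
    if box_types != storage_types:
        findings.append("BlackBox order %s differs from Storage order %s" % (box_types, storage_types))
    if len(set(storage_types)) != len(storage_types):
        findings.append("primary and secondary storage share a type: %s" % storage_types)

    # A Detail Id left in both repositories is answered by the first one, so the
    # secondary value is silently ignored; each Id should have exactly one owner.
    owner = {}
    for s in storages:
        for d in s.findall("./Details/Detail"):
            did = d.get("Id")
            if did in owner:
                findings.append("Detail %r defined in both %s and %s storage"
                                % (did, owner[did], s.get("type")))
            else:
                owner[did] = s.get("type")

    # Every attribute a ParamsSet asks the client to show must come from somewhere.
    for st in root.findall("./ParamsSets/Set"):
        for p in st.get("params", "").split(","):
            if p and p not in owner:
                findings.append("Set %s requests %r but no storage provides it" % (st.get("SetId"), p))

    # The join key between repositories must be a Detail the primary storage returns.
    common = root.find("./Resources/Storage/CommonField")
    if common is None:
        findings.append("no CommonField declared; secondary storage cannot be joined to the primary")
    elif owner.get(common.get("CommonFieldName")) != storage_types[0]:
        findings.append("CommonField %r is not a Detail of the primary storage" % common.get("CommonFieldName"))

    # The bind password kept in this file is presented on every lookup; with
    # SslEnabled="false" it and the directory data cross the network in cleartext.
    for s in storages:
        sd = s.find("StorageDetails")
        if s.get("type") == "LDAP" and sd is not None and sd.get("Password"):
            if sd.get("SslEnabled", "false").lower() != "true":
                findings.append("LDAP bind password set but SslEnabled is not true (%s:%s)"
                                % (sd.get("HostName"), sd.get("Port")))
    return findings
```

Because the file holds a bind password, keep it readable only by the account the Domino server runs as, and give that bind account read access to just the attributes the business card displays.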

Additional configurations for black boxes
Sametime ships with two black boxes (special implementations) for retrieving business card data from LDAP or Domino. Additional black boxes can be configured so that data is retrieved from more than one resource. For example, a Sametime installation configured with Domino can designate NOTES as its first black box and LDAP as its second; a Sametime installation that is configured to work with Domino but that can also retrieve data from Domino LDAP lists Notes as the first black box and LDAP as the second. Each of these special configurations requires manual settings in the UserInfoConfig.xml file.

This version of Sametime includes an additional black box that retrieves data from a separate Notes database (other than the Domino directory). Use it as part of a special configuration that retrieves data from the Sametime directory and from an additional Notes database that contains users' business card details. See the topic "Retrieving data from a customized database" for more information on how to configure data retrieval from the additional Notes database.

A newly written black box, or special implementation, can retrieve data from any selected data resource. Implement and configure it according to the Application Programming Interface (API) and the instructions published with the Sametime Software Development Kit (SDK). For additional help with these special configurations, contact Support.

Retrieving data from a customized database:

380

Lotus Sametime: Installation and Administration Guide Part 2

For the user data included in the Business Card, administrators can retrieve details about the user from separate Notes databases that are dedicated to storing user details and that function independently of the Domino directory used for Sametime.

About this task

Retrieving user data from customized Notes databases allows you to:
v Retrieve some details from the Sametime Domino directory and the rest from a customized Notes database (Domino)
v Retrieve some details from the LDAP directory that Sametime is configured to work with and the rest from an additional Notes database

An additional black box, which functions as a customized special implementation, is provided to enable data retrieval from the customized Notes database. This "customized" black box should always be preceded by a call to the black box that handles the Sametime directory. A CommonField tag is used for synchronization between the black boxes. If the common field is defined as MailAddress, the value retrieved for MailAddress from the first storage (LDAP or Domino) is used as the ID to query for in the customized database. The application first queries the database using the userID received as a parameter; if no record is found, it queries the database again, using the value retrieved for the CommonFieldName as the userID.

To use the customized database feature, perform the following manual steps:
1. Open UserInfoConfig.xml and update the CommonField tag in the first "storage" section to hold the Id property of a Detail tag that represents the same detail in the different storage types. This Detail tag is assigned a different field name in each storage section, but the value in each of these fields must be identical for a given user. The default value for the CommonField tag is "MailAddress": the attributes holding the e-mail address for a user must have the same value in both storages.
2. Using the Administrator's Tool, update the Business Card attribute page with the values to be retrieved from the Sametime directory, leaving blank the field name for items required from the customized database.
3. Remove the Detail tags of the fields you left blank in the set-up page from the first "storage" section in the UserInfoConfig.xml file.
4. Add an additional "storage" section to UserInfoConfig.xml as the second storage. This storage section is new and specific to this feature; it differs from the standard Notes storage section through the additional parameters specified below:
<Storage type="NOTES_CUSTOM_DB">
  <StorageDetails DbName="" View="$users"/>
  <Details>
    <Detail Id="Location" FieldName="Location" Type="text/plain"/>
    <Detail Id="Title" FieldName="JobTitle" Type="text/plain"/>
    <Detail Id="MailAddress" FieldName="InternetAddress" Type="text/plain"/>
    <Detail Id="Telephone" FieldName="OfficePhoneNumber" Type="text/plain"/>
    <Detail Id="Company" FieldName="CompanyName" Type="text/plain"/>
    <Detail Id="Name" FieldName="FirstName,MiddleInitial,LastName" Type="text/plain"/>
  </Details>
</Storage>

5. In the newly added "storage" section, delete the Detail tags of the items that you do not want to retrieve from this database, and update:
a. The DbName property, including the full path
b. The view name (if needed)
c. The mapping of the Detail tags, so that each item is mapped to the correct field name of the new database
6. Add a BlackBox tag to the BlackBoxConfiguration section in UserInfoConfig.xml as a second record:
<BlackBox type="NOTES_CUSTOM_DB" name="com.ibm.sametime.userinfo.userinfobb.UserInfoNotesCustomBB" MaxInstances="4"/>

7. Restart StConfiguration and the HTTP task.

What to do next

Note: For complete information on how to use these "black boxes" and all the storage repositories for LDAP, Sametime, and Domino, see the section in Business Card entitled "Using repositories." That section provides detailed information on how to store and retrieve user data contained in both single and dual repositories.

UserInfoConfig Debug tracing
If additional information is needed to trace a problem, tracing information can be collected. Trace information is written to the file Userinfo_<date>_<hour>.txt in the Trace folder. To enable trace collection, a DebugLevel.class file compiled to level 3 or higher must be placed in the folder that contains the UserInfo.jar file. Follow these steps:
1. Copy DebugLevel.class.5 from the stlinks\debug directory and paste it into the Domino program directory.
2. Rename the file from DebugLevel.class.5 to DebugLevel.class.
3. Restart the Domino Sametime server; the output is written to the trace directory.

Troubleshooting Business Cards
If the Business Card is not displaying user information as expected, you have a couple of options to try to identify the root cause of the failure.

Options
Before trying these options, check and validate the configuration as described in "Business Card configuration" in the Sametime Information Center. In most cases, an invalid configuration is the root cause of problems with the Business Card. If the Business Card still does not work after you have validated that the configuration is correct, try the options described below.

In general there are two points of failure for Business Cards. (There could be more, depending on your configuration, but for troubleshooting purposes we focus on the two components involved in the Business Card feature.)
1. Connect client. One potential point of failure is the Sametime Connect client. To display Business Card information, the Connect client depends on the UserInfo servlet to provide the requested details. If you have confirmed that the UserInfo servlet is providing the right details (see below), enable client-side tracing to determine what is happening on the client side. See "Logging and tracing on Lotus Sametime Connect."

2. UserInfo servlet. The second potential point of failure. As described above, the main purpose of the UserInfo servlet is to receive and respond to client requests, so the servlet must provide the requested details for the Business Card to display them. To determine whether the servlet is responding correctly, use the following technique:
1. Determine the distinguished name (DN) of the user whose Business Card you want to view. Here are sample DNs for the various directory types:
v Domino directory: cn=Sametime User/O=IBM
v Active Directory: cn=Sametime User,cn=users,dc=austin,dc=ibm,dc=com
v TDS directory: uid=Sametime user,ou=Austin,o=IBM
2. Compose a URL to simulate the HTTP request that the client makes to retrieve details for the Business Card:
[protocol]://[hostname]/servlet/UserInfoServlet?operation=3&setid=1&userId=[User DN]
where:
v [protocol] = http or https
v [hostname] = the fully qualified host name of the Sametime server
v [User DN] = the full distinguished name of the user whose information you are seeking
Examples:
v Domino directory:
http://sametime.ibm.com/servlet/UserInfoServlet?operation=3&setid=1&userId=cn=Sametime User/O=IBM

v Active Directory:
http://sametime.ibm.com/servlet/UserInfoServlet?operation=3&setid=1&userId=cn=Sametime User,cn=users,dc=austin,dc=ibm,dc=com

v TDS Directory:
http://sametime.ibm.com/servlet/UserInfoServlet?operation=3&setid=1&userId=uid=Sametime user,ou=Austin,o=IBM

Note:
v Do not use spaces in the URL for the UserInfo servlet operation. A space is translated into %20 in the URL, and the servlet will not produce a result. For example:
http://sametime.ibm.com/servlet/UserInfoServlet?operation=3&setid=1&userId=cn=Sametime User/O=IBM
is translated to:
http://sametime.ibm.com/servlet/UserInfoServlet?operation=3&setid=1&userId=cn=Sametime%20User/O=IBM
The characters "%20" are inserted before the word "User" to represent the space.
v The name "UserInfoServlet" is case sensitive.
v Do not use apostrophes or quotation marks in the URL.
3. Enter the URL you have composed into a Web browser's address field and view the result. You should see the details you are expecting. If you do not, enable tracing for the UserInfo servlet, as described in "Enabling traces on the UserInfo servlet" below.

Note: If you receive an UNKNOWN error for the "user id," the user ID specified could not be located. This can happen for a variety of reasons, but the most common are:
1. An incorrect user distinguished name has been specified.
2. The directory in which the user is located is not reachable or searchable.

Enabling traces on the UserInfo servlet
1. Copy [Domino program directory]\data\domino\html\sametime\stlinks\debug\DebugLevel.class.5 to the [Domino program directory] (for example, C:\Lotus\Domino\).
2. Rename DebugLevel.class.5 to DebugLevel.class.
3. Restart all of Sametime, including the Domino server.
The trace information is written to the file Userinfo_<date>_<hour>.txt in the [Domino program directory]\Trace directory.

Requirements
Listed below are some requirements that can cause problems with the Business Card if they are not followed:
v Photos must be less than 64 kilobytes (recommended: 10 KB).
v Business Card photos must be .jpg or .gif.
v Using the jpegPhoto LDAP attribute to store photos requires the inetOrgPerson objectClass. Note: Active Directory 2000 in native or mixed mode does not provide the inetOrgPerson objectClass by default.
v When you use more than one storage type to store user information, the secondary storage repository cannot be of the same TYPE as the primary storage (the directory used by Sametime for authentication). For example, if Sametime is configured to use the Domino directory, the secondary storage CANNOT be a Domino directory.
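Most Business Card failures trace back to an inconsistent UserInfoConfig.xml, so it is worth checking the file before the restart rather than after. The script below is an added example, not IBM's code: it encodes the rules stated in the "Retrieving data from a customized database" steps and in the Requirements list above (the CommonField is declared in the first storage and must name one of its Details, NOTES_CUSTOM_DB must not be the first black box, the secondary storage must differ in type from the primary, every ParamsSets entry must have a source, the custom database needs a DbName without stray blanks, and the BlackBox list must mirror the Storage list). The sample document is constructed from the dual-storage configuration shown on this page; the check names and messages are the script's own.

```python
# Checks a UserInfoConfig.xml against the dual-storage rules above (added example, not IBM's code).
import sys
import xml.etree.ElementTree as ET

# Constructed sample: Domino directory plus a custom Notes database, as configured on this page.
SAMPLE_CONFIG = """<UserInformation>
  <Resources>
    <Storage type="NOTES">
      <CommonField CommonFieldName="MailAddress"/>
      <Details>
        <Detail Id="Location" FieldName="Location" Type="text/plain"/>
        <Detail Id="Title" FieldName="JobTitle" Type="text/plain"/>
        <Detail Id="MailAddress" FieldName="InternetAddress" Type="text/plain"/>
        <Detail Id="Company" FieldName="CompanyName" Type="text/plain"/>
        <Detail Id="Name" FieldName="FirstName,MiddleInitial,LastName" Type="text/plain"/>
        <Detail Id="Photo" FieldName="jpegPhoto" Type="image/jpeg"/>
      </Details>
    </Storage>
    <Storage type="NOTES_CUSTOM_DB">
      <StorageDetails DbName="bcardstorage.nsf" View="persons"/>
      <Details>
        <Detail Id="Telephone" FieldName="telephone" Type="text/plain"/>
      </Details>
    </Storage>
  </Resources>
  <ParamsSets>
    <Set SetId="0" params="MailAddress,Name,Title,Location,Telephone,Photo,Company"/>
    <Set SetId="1" params="MailAddress,Name,Title,Location,Telephone,Photo,Company"/>
  </ParamsSets>
  <BlackBoxConfiguration>
    <BlackBox type="NOTES" name="com.ibm.sametime.userinfo.userinfobb.UserInfoNotesBB" MaxInstances="4"/>
    <BlackBox type="NOTES_CUSTOM_DB" name="com.ibm.sametime.userinfo.userinfobb.UserInfoNotesCustomBB" MaxInstances="4"/>
  </BlackBoxConfiguration>
</UserInformation>
"""


def validate(xml_text):
    """Return (errors, warnings) for one UserInfoConfig.xml document."""
    errors, warnings = [], []
    root = ET.fromstring(xml_text)
    storages = root.findall("./Resources/Storage")
    if not storages:
        return ["no Storage section under Resources"], warnings
    types = [s.get("type") for s in storages]
    details = [{d.get("Id") for d in s.findall("./Details/Detail")} for s in storages]

    # The common field is declared once, in the first storage, and must be one of its Details:
    # the value read from the directory is the key used to query the custom database.
    common = [c.get("CommonFieldName") for c in storages[0].findall("CommonField")]
    if len(common) != 1:
        errors.append("first Storage must declare exactly one CommonField")
    else:
        if common[0] not in details[0]:
            errors.append("CommonFieldName %r is not a Detail Id in the first Storage" % common[0])
        for t, ids in zip(types[1:], details[1:]):
            if common[0] not in ids:
                warnings.append("Storage %s: no Detail for common field %r" % (t, common[0]))

    # The custom-database black box must be preceded by the directory black box.
    if types[0] == "NOTES_CUSTOM_DB":
        errors.append("NOTES_CUSTOM_DB cannot be the first Storage; list the directory storage first")

    # The secondary storage may not be of the same type as the primary.
    if len(set(types)) != len(types):
        errors.append("duplicate Storage types: %s" % types)

    # The custom database needs a usable DbName (full path, no stray blanks) and a view.
    for s in storages:
        if s.get("type") != "NOTES_CUSTOM_DB":
            continue
        sd = s.find("StorageDetails")
        db = sd.get("DbName") if sd is not None else None
        if not db or not db.strip():
            errors.append("NOTES_CUSTOM_DB: StorageDetails DbName is empty")
        elif db != db.strip():
            errors.append("NOTES_CUSTOM_DB: DbName %r has leading/trailing whitespace" % db)
        if sd is None or not sd.get("View"):
            errors.append("NOTES_CUSTOM_DB: StorageDetails View is missing")

    # Every detail requested by a ParamsSets entry must be served by some storage.
    all_ids = set().union(*details)
    for st in root.findall("./ParamsSets/Set"):
        for p in st.get("params", "").split(","):
            if p.strip() and p.strip() not in all_ids:
                errors.append("Set %s: param %r is not a Detail in any Storage" % (st.get("SetId"), p.strip()))

    # One BlackBox per Storage, of the same type and in the same order.
    bb_types = [b.get("type") for b in root.findall("./BlackBoxConfiguration/BlackBox")]
    if bb_types != types:
        errors.append("BlackBox types %s do not mirror Storage types %s" % (bb_types, types))
    return errors, warnings


if __name__ == "__main__":  # usage: python check_userinfoconfig.py [UserInfoConfig.xml]
    errs, warns = validate(open(sys.argv[1]).read() if len(sys.argv) > 1 else SAMPLE_CONFIG)
    print("\n".join(["ERROR: " + e for e in errs] + ["WARNING: " + w for w in warns]) or "OK")
    sys.exit(1 if errs else 0)
```

Run it against the real UserInfoConfig.xml before restarting StConfiguration and the HTTP task. A missing common-field Detail in the second storage is reported as a warning rather than an error because the page's own sample omits it (the custom database is looked up by key, not by its own MailAddress field); a DbName with surrounding blanks is an error because the page's printed sample shows exactly that extraction artifact, and a real file with it will not open the database.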

Changing user names
After users have been registered in IBM Lotus Sametime, you can change their names.

About this task
You can change user names with the AdminP integration feature, or with the Name Conversion utility:

Changing names
When you change user or group names in the directory, the change is not reflected in IBM Lotus Sametime Community Server databases. In order to synchronize the directory names with the names in the Lotus Sametime Community Server databases, you must run the name conversion utility.

About this task
Running the name conversion utility updates Lotus Sametime Community Server user or group names with the latest directory changes. The name conversion utility uses a comma-separated value list that you compile to change names, delete names, or convert all names from Domino to Domino LDAP formatted names.

Users create a contact list, a privacy list, and an alert-me-when list in the IBM Lotus Sametime Connect client by selecting user names or group names from the Domino or Domino LDAP directory that is used with the IBM Lotus Sametime Community Server. These contact, privacy, and alert-me-when lists are stored in the user information database (vpuserinfo.nsf) on Lotus Sametime Community Servers. When a user starts the Lotus Sametime Connect client, the lists are downloaded from the database to update the lists stored on the client's local computer.

You do not need to run the name conversion utility when you add new users or groups to the Domino or LDAP directory. Run the name conversion utility manually on a stand-alone Lotus Sametime Community Server, or on one server in a cluster, which replicates the change throughout the cluster.

Note: Be sure to stop the Domino server before you run the name conversion utility.

Preparing for changing names:

Before you can run the name conversion utility, you need to perform the following tasks:

About this task

You do not need to use the name conversion utility if you add new users or groups to the directory. Use the name conversion utility only if you change user names or group names that already exist in the directory.

Creating a comma separated value file:

A comma-separated value (CSV) file created in a text editor provides the name conversion utility with the information it needs to make a name change to user contact, privacy, and alert-me-when lists. The CSV file includes the type of change and typically provides details such as the old name and the new name, and optionally, the display name.
1. Use a text editor to create a comma-separated file.
2. Create a CSV for only one type of change; you cannot mix name change types in the same CSV:
v ID
v ORGANIZATION
v DELETE
v LDAP
3. Name and save the file with an extension of .csv in a directory accessible by the Sametime server.

Comma-separated value files:

A CSV file created in a text editor provides the server with the information it needs to make a name change to user contact lists or privacy lists. The CSV file includes the type of change (or descriptor) and typically provides details such as the old name and the new name, and optionally, the display name. You can create the CSV text file using any text editor; some spreadsheet programs also allow you to export spreadsheet values to a CSV file.

The CSV file should include only the descriptor line followed by the comma-separated oldname,newname pairs that reflect the changes you have made to the directory. Do not include any header information in your CSV file. Name the file at your discretion. After you create the CSV file, store it in a network location that is accessible from the Sametime server. You must browse to this file to import it when you create the Name Change task from the Administrator's tool in Sametime.

When you create a CSV file, you must format it correctly following the syntax rules below. CSV files are case-sensitive and sensitive to spaces. You can create multiple CSV files. Each CSV file can include only one descriptor:

Descriptor     Purpose
ID             Change specified first names, last names, display names, or group names.
ORGANIZATION   Change the organization name for all users.
LDAP           Change all contact list information from Domino directory format to LDAP format (users/public group/domino to ldap/organization name).
DELETE         Remove specified individual contact names from contact lists and privacy lists.

The second part of the CSV file includes one line for each change, with the old name, the new name, and, optionally, the new display name.

Changing the user and group IDs.
CSV File Syntax

ID
"old ID","new ID"[,"new display name"]
. . .

The [ ] indicate that the new display name is optional. If you use it, you must precede it with a comma, as in the first example below (where "Maria Brown" is the new display name), and the new display name must immediately follow the comma: if you leave a blank space between the comma and the new display name, the conversion will not work.

Example

Sample CSV showing changes from a Domino directory. Note: these examples have been formatted for spacing; make sure your syntax adheres to the restrictions noted in the text.

ID
"CN=Maria Smith/OU=Sales/O=IBM","CN=Maria Brown/OU=Sales/O=IBM","Maria Brown"
"CN=John/OU=New York/O=IBM","CN=John/OU=Texas/O=IBM"
"52e811 85256500/Old Group","52e811 85256500/New Group Name","New Group Name"

Note that "52e811 85256500" in the example above is the replica ID of the Domino Directory. Be sure to change the colon in the replica ID to a space; for example, "52e811:85256500" should be written "52e811 85256500".

Sample CSV showing changes from an LDAP directory:

ID
"CN=Maria Smith,OU=Sales,O=IBM","CN=Maria Brown,OU=Sales,O=IBM","Maria Brown"
"CN=John,OU=New York,O=IBM","CN=John,OU=Texas,O=IBM"
"CN=Old Group,OU=groups,O=IBM","CN=New Group Name,OU=groups,O=IBM","New Group Name"

Changing the organization name.
CSV File Syntax

ORGANIZATION
"oldOrg","newOrg"

Example

Sample CSV showing changes from a Domino or LDAP directory:

ORGANIZATION
"lotus","ibm"

Change all contact list information from Domino directory format to LDAP format (users/public group/domino to ldap/organization name).
CSV File Syntax

LDAP

Example

Sample CSV:

LDAP

You cannot change the format from LDAP to Domino.

Delete specified users and groups.
CSV File Syntax

DELETE
uid
. . .

Each line after the descriptor is the name of one user or group to remove, written without quotation marks.

Example

Sample CSV:

DELETE
uid=John Deere,ou=sametime,dc=ibm,dc=com
uid=Marta Smith,ou=sametime,dc=ibm,dc=com
cn=portaladminid,o=example.com
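Because the utility is sensitive to case and spaces and silently does nothing useful with a malformed line, it pays to generate the file mechanically and to check a hand-written one before creating the task. The script below is an added example, not IBM's utility or part of stnamechange. It writes a file for any of the four descriptors using the rules above (one descriptor per file, no header line, quoted fields joined by a bare comma, the colon in a Domino replica ID written as a space, DELETE entries unquoted) and checks an existing file against the same rules. The names in the usage are taken from the page's examples; applying the no-space rule to every comma rather than only the one before the display name is this script's stricter choice.

```python
# Build and check name conversion CSV files for stnamechange (added example, not IBM's code).
DESCRIPTORS = ("ID", "ORGANIZATION", "LDAP", "DELETE")


def _quote(value):
    # Names are wrapped in double quotes, so a name may not contain one itself.
    if '"' in value:
        raise ValueError("quotation mark inside a name: %r" % value)
    return '"%s"' % value


def domino_group_key(replica_id, group_name):
    """Key for a Domino directory group: replica ID (colon written as a space) plus the group name."""
    return "%s/%s" % (replica_id.replace(":", " "), group_name)


def build_csv(descriptor, changes=()):
    """Return the text of a CSV file for one descriptor.

    changes: ID -> (old, new) or (old, new, display) tuples;
             ORGANIZATION -> exactly one (oldOrg, newOrg) tuple;
             DELETE -> names as plain strings; LDAP -> nothing.
    """
    if descriptor not in DESCRIPTORS:
        raise ValueError("unknown descriptor %r" % descriptor)
    lines = [descriptor]
    if descriptor == "LDAP":
        if changes:
            raise ValueError("LDAP takes no change lines")
    elif descriptor == "DELETE":
        lines.extend(changes)  # bare names, no quotes
    elif descriptor == "ORGANIZATION":
        if len(changes) != 1 or len(changes[0]) != 2:
            raise ValueError("ORGANIZATION takes exactly one (oldOrg, newOrg) pair")
        lines.append(",".join(_quote(v) for v in changes[0]))
    else:  # ID: fields joined by a bare comma; a blank before the display name breaks the run
        for change in changes:
            if len(change) not in (2, 3):
                raise ValueError("ID line needs old, new[, display]: %r" % (change,))
            lines.append(",".join(_quote(v) for v in change))
    return "\n".join(lines) + "\n"


def _split_quoted(line, lineno, problems):
    """Split "a","b"[,"c"] into fields; anything between the quoted fields but a comma is an error."""
    fields, i, n = [], 0, len(line)
    while i < n:
        if line[i] != '"':
            problems.append("line %d: unexpected %r at column %d; quoted fields separated by a bare comma only"
                            % (lineno, line[i], i + 1))
            return None
        j = line.find('"', i + 1)
        if j < 0:
            problems.append("line %d: unterminated quote" % lineno)
            return None
        fields.append(line[i + 1:j])
        i = j + 1
        if i < n:
            if line[i] != ",":
                problems.append("line %d: expected a comma at column %d" % (lineno, i + 1))
                return None
            i += 1
    return fields


def check_csv(text):
    """Return the list of problems found in a CSV file (an empty list means it looks valid)."""
    problems = []
    lines = text.splitlines()
    if not lines or lines[0].strip() not in DESCRIPTORS:
        return ["first line must be one descriptor: %s" % ", ".join(DESCRIPTORS)]
    descriptor = lines[0].strip()
    body = [(n, l) for n, l in enumerate(lines[1:], start=2) if l.strip()]
    if descriptor == "LDAP":
        return ["LDAP must not be followed by change lines"] if body else []
    if descriptor == "ORGANIZATION" and len(body) != 1:
        problems.append("ORGANIZATION needs exactly one change line")
    for n, line in body:
        if line.strip() in DESCRIPTORS:
            problems.append("line %d: second descriptor %r; one descriptor per file" % (n, line.strip()))
        elif descriptor == "DELETE":
            if '"' in line:
                problems.append("line %d: DELETE entries are bare names without quotes" % n)
        else:
            fields = _split_quoted(line, n, problems)
            if fields is None:
                continue
            allowed = (2,) if descriptor == "ORGANIZATION" else (2, 3)
            if len(fields) not in allowed:
                problems.append("line %d: expected %s quoted fields, got %d"
                                % (n, " or ".join(map(str, allowed)), len(fields)))
            if descriptor == "ID" and fields and "/" in fields[0] and ":" in fields[0]:
                problems.append("line %d: colon in replica ID must be a space: %r" % (n, fields[0]))
    return problems


if __name__ == "__main__":
    text = build_csv("ID", [
        ("CN=Maria Smith/OU=Sales/O=IBM", "CN=Maria Brown/OU=Sales/O=IBM", "Maria Brown"),
        ("CN=John/OU=New York/O=IBM", "CN=John/OU=Texas/O=IBM"),
        (domino_group_key("52e811:85256500", "Old Group"),
         domino_group_key("52e811:85256500", "New Group Name"), "New Group Name"),
    ])
    print(text, check_csv(text))
```

The replica-ID check only fires on a Domino-style key (a slash in the old name) that still contains a colon, so LDAP distinguished names with commas and no slash pass through untouched; DNs containing commas are safe in the quoted fields because the splitter walks the quotes rather than splitting on every comma.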

Creating a Name Change task:

Create a name change task on the IBM Lotus Sametime Community Server.

Before you begin

Before you create a name change task, create a comma-separated value (CSV) file of the name changes in the Lotus Sametime Community Server directory.

About this task

A name change task is not actually a scheduled program; its timestamp merely indicates when the task was created, not when it will be run. The list of tasks is ignored until you run the stnamechange.cmd program, which then operates on all of the tasks in the list, using the .CSV files specified in the Name Change page. Follow these steps to create a name change task.
1. Log in to the Integrated Solutions Console.
2. Click Sametime System Console → Sametime Servers → Sametime Community Servers.
3. In the Sametime Community Servers list, click the deployment name of the server where you want to add a name change task. If you want to create a task to run on multiple servers, click the deployment name of any of the servers on which you want to run the task.
4. Click the Name Change tab.
5. Click New. Note: If you only want to edit a task, click the name of the scheduled task to edit it.
6. Enter a name in the Name of Task field. The name is at your discretion; by default, it is the date the task is created.
7. Optional: Enter a description for the task.
8. Optional: If you want to run the task on all servers in the cluster, select All Servers.
9. Browse for the CSV file you want to use, and then click OK.
10. The name change task appears in the list of scheduled tasks. All tasks listed here run when stnamechange.cmd is run.

Results

After you have completed these steps on one Lotus Sametime Community Server, it may be necessary to repeat this process on other home Lotus Sametime Community Servers in your environment. You must replicate the NSF file to all the Lotus Sametime Community Servers so that all are included, regardless of the server on which the task was defined. When you are done setting up the task, name changes are saved to stnamechange.nsf. Domino uses this file to replicate the name changes throughout the server cluster, and picks up all valid name change tasks in the stnamechange.nsf file. You choose the servers or cluster on which the name change task runs on a regular basis using general scheduling tools. The application does not run by default; you must run the task manually. To delete a name change task, on the Name Change page, select the task and then click Delete. If any name changes are not entered correctly, you can import a new CSV file.

Running the name conversion utility:

To run a name change task, start the name conversion utility. The name conversion utility uses the CSV file to update user contact and privacy lists with the latest directory changes.

Before you begin

Before you begin, create a comma-separated value file with name changes, and then create a name change task. IBM recommends running the name conversion utility at off-peak hours, and stopping the Domino server before you begin.

About this task

Starting the name conversion utility starts the name change task. You can create many tasks, but the name change conversion utility executes only one task at a time. You can have only one name change task scheduled or in progress. If a name change task is scheduled or in progress, you cannot create another name change task until the existing name change task completes.

It is not necessary to run the name change conversion utility on every IBM Lotus Sametime Community Server in a cluster. For clusters, the task should run once on one server and then be replicated to the other servers in the cluster.

Note that the All servers option on the Name Change page in the Sametime System Console does not work because of the procedure for replicating across all servers. If you create a Name Change task and select All servers, only the server you are logged on to contains the task; the other servers do not. You can verify this in stnamechange.nsf through the Notes client. The correct procedure is to create the name change task on all the servers in the community.

Running the name conversion utility on Windows:

Follow these steps to run the name conversion utility on Microsoft Windows.
1. Stop the IBM Lotus Sametime Community Server and the Lotus Domino server.
2. Type the following command:
stnamechange.cmd

3. When the name change task completes, restart the Lotus Sametime Community Server and the Lotus Domino server. Restart all Lotus Sametime Community Servers in your deployment so they can detect the modified name. If your deployment includes Lotus Sametime Unified Telephony, restart all Telephony Application Servers as well.

Running the name conversion utility on UNIX:

Follow these instructions to run the name conversion utility on a UNIX operating system.
1. Stop the IBM Lotus Sametime Community Server and the Lotus Domino server.
2. Open a new shell and change to the Domino data directory:
cd /domino/notesdata

3. Type the following command:
./stnamechange.sh domino_bin_directory domino_data_directory

For example:
./stnamechange.sh /domino/opt/lotus/notes/80020/linux /domino/notesdata

4. When the name change task completes, restart the Lotus Sametime Community Server and the Lotus Domino server. Restart all Lotus Sametime Community Servers in your deployment so they can detect the modified name. If your deployment includes Lotus Sametime Unified Telephony, restart all Telephony Application Servers as well.

Running the name conversion utility on IBM i:

Follow these instructions to run the name conversion utility on an IBM i operating system.
1. Make sure the CSV file is in the Domino\data directory.
2. Stop the IBM Lotus Sametime Community Server and the Lotus Domino server.
3. Go to the OS/400 command line and enter the command QSH. This opens a command line where the Name Change task is run.
4. Type the following commands:
cd <data directory>
stnamechange <data directory>

5. View the log file whose name starts with NameConversion****, located in the Sametime server directory/trace folder. The asterisks in the file name are variable characters.
6. Restart the Lotus Sametime Community Server and the Lotus Domino server.

Restart all Lotus Sametime Community Servers in your deployment so they can detect the modified name. If your deployment includes Lotus Sametime Unified Telephony, restart all Telephony Application Servers as well.

Changing names with an older version of Domino:

The IBM Lotus Sametime name change utility for IBM i now includes an optional parameter that lets you specify that the command should use a level of IBM Lotus Domino other than the latest installed version.

About this task

The name conversion utility for IBM i servers was updated in Lotus Sametime 8.0.1. In previous releases, an error would occur if the Lotus Sametime server was using a level of Lotus Domino that was not the latest installed version. To execute the Lotus Sametime 8.0.1 version of the name change task on IBM i manually, follow these steps:
1. Add VP_NCSA_TRACE=1 to the Debug section of the sametime.ini file (this creates a debug log file).
2. Launch the Sametime server, and create the Name Change tasks through the Administration tool.
3. Shut down the Lotus Sametime server but leave the Lotus Domino server running, by entering TELL STADDIN2 QUIT at the Lotus Domino console.
4. Once the Lotus Sametime jobs have ended, go to the IBM i command line and enter the command QSH. This opens a PASE command line where the name change utility is run. Enter the following commands:
CD server_data_directory
stnamechange server_data_directory domino_bin_directory

where domino_bin_directory is an optional parameter. (The default is /qibm/proddata/lotus/notes which causes the command to use the latest installed version of Lotus Domino.) Refer to the list below to specify a different level of Lotus Domino:
Table 28. Values for domino_bin_directory parameter

Lotus Domino version used by Lotus Sametime server   Associated domino_bin_directory
Domino 7.0.0                                         /qibm/proddata/lotus/domino700
Domino 7.0.1                                         /qibm/proddata/lotus/domino701
Domino 7.0.2                                         /qibm/proddata/lotus/domino702
Domino 7.0.3                                         /qibm/proddata/lotus/domino703
Domino 8.0.0                                         /qibm/proddata/lotus/domino800
Domino 8.0.1                                         /qibm/proddata/lotus/domino801

For example, if the Lotus Sametime server is using Domino 7.0.2:
stnamechange server_data_directory /qibm/proddata/lotus/domino702

5. Press F3 to exit QSH.
6. View the log file whose name starts with NameConversion****, located in the Sametime_server_directory/trace folder.
7. Restart Lotus Sametime by entering LOAD STADDIN2 at the Domino console.

Restart all Lotus Sametime servers in your deployment so they can detect the modified name. If your deployment includes Lotus Sametime Unified Telephony, restart all Telephony Application Servers as well.

Name Change task replication:

When you create a name change task, the task is saved in a file called stnamechange.nsf, and this file is replicated to all home IBM Lotus Sametime Community Servers so that updates can be made to each server's vpuserinfo.nsf database. The file vpuserinfo.nsf is the Lotus Sametime user information database that contains contact lists and privacy lists.

Set up a Domino replication task to replicate stnamechange.nsf among all servers. By default, stnamechange.nsf is replicated to all servers in a cluster, but not between clusters. This step makes it unnecessary to add future tasks to each stnamechange.nsf database in the environment: when a new task is added, all servers get the new information as a result of the replication.

Note that the All servers option on the Name Change page in the Sametime System Console does not work because of the procedure for replicating across all servers. If you create a name change task and select All servers, only the server you are logged on to contains the task; the other servers do not. You can verify this in stnamechange.nsf through the Notes client. The correct procedure is to create the name change task on all the servers in the community.

If several Lotus Sametime Community Servers operate as a cluster, create a name change task on only one server in the cluster. The vpuserinfo.nsf database replicates in real time among the servers in the cluster. When the name change task changes the vpuserinfo.nsf database on one server, the changes are automatically replicated to the vpuserinfo.nsf databases on all other servers in the cluster. Declaring the task in one cluster can populate all the clusters only if you have set up replication of stnamechange.nsf between all the clusters.
Sample deployments

The examples below illustrate how you might run name change tasks in different Lotus Sametime Community Server deployments.

Example Deployment 1

In this example, the Sametime community has the following characteristics:
v Three Lotus Sametime Community Servers are deployed.
v None of the servers are clustered.
With this deployment, you must create and run the name change task three times, once on each server. Though you create the task only once, you run it three times, and the runs can be scheduled automatically.

Example Deployment 2

In this example, the Sametime community has the following characteristics:
v Eight Lotus Sametime Community Servers are deployed.

v Three Lotus Sametime Community Servers operate as Community Services cluster 1.
v Three Lotus Sametime Community Servers operate as Community Services cluster 2.
v Two Lotus Sametime Community Servers operate as home Lotus Sametime Community Servers but are not part of a Community Services cluster.
With this deployment, you must run the name change task four times. You can schedule the tasks to run automatically on one Lotus Sametime Community Server in Community Services cluster 1, on one Lotus Sametime Community Server in Community Services cluster 2, and on each of the two Lotus Sametime Community Servers that operate as home Lotus Sametime Community Servers but are not part of a cluster.

Example Deployment 3

In this example, the Sametime community has the following characteristics:
v Six Lotus Sametime Community Servers are deployed
v Three Lotus Sametime Community Servers operate as a Community Services cluster
v Two Lotus Sametime Community Servers operate as home Lotus Sametime Community Servers but are not part of a Community Services cluster
v One Sametime server is not used as a home Sametime server and is not part of a Community Services cluster
With this deployment, you must create the name change task three times: on one of the Lotus Sametime Community Servers in the Community Services cluster and on each of the two Lotus Sametime Community Servers that operate as home Lotus Sametime Community Servers but are not part of a cluster. You do not need to create the name change task on the Lotus Sametime Community Server that is neither a home server nor part of a cluster.

Name Change task status:

This topic describes the status of name change tasks, how to view tasks in progress, and how to delete a name change task.

After you create a name change task, the task defaults to the Scheduled status. A scheduled task begins executing on the IBM Lotus Sametime Community Server at the time specified in the server setting on the Name Change page of the Sametime System Console (Sametime System Console → Sametime Servers → Sametime Community Servers → server_name → Name Change). You cannot edit a name change task that has the Scheduled status; the only way to change a scheduled task is to delete it and create a new task in its place.

Once a task begins executing, its status changes from Scheduled to In Progress; the task remains In Progress as long as any of the servers still has it in the In Progress or Scheduled state. You cannot delete a task that is in progress. If all the servers have tasks that are marked Check error log or Disabled, the name change task can be marked Finished. Finished means the task has completed the name change successfully. At this status level, you can add or delete any task.

Chapter 2. Administering

393

Check error log means errors occurred while the task was running. At this stage, you can add or delete a task.

Note: The status column provides only the status of the task running on the server being used; it does not provide a summary of the task across servers and clusters of servers.

You can have only one name change task scheduled or in progress on an IBM Lotus Sametime Community Server. If a name change task is scheduled or in progress, you cannot create another name change task on that Lotus Sametime Community Server until the existing task completes. You cannot delete a task that is marked In Progress. You can delete a task that is marked Scheduled, Finished, or Check error log. A log file on the server collects failures in name conversion.

v A user name that is changed in the directory but not yet changed in the vpuserinfo.nsf database appears as offline in the contact list and privacy list of another user until the name change task executes on that other user's home Lotus Sametime Community Server.
v All members of a changed group appear as offline in the contact list and privacy list of a user until the name change task executes on that user's home Lotus Sametime Community Server.

You can view the status of the names being changed: the vpuserinfo.nsf database includes a view for name change tasks. A task that is still running is not marked complete in this view. If several Lotus Sametime Community Servers operate as a Community Services cluster, you view the status of a name change task on only one Lotus Sametime Community Server in the cluster, because the database replicates in real time among the servers in the cluster. When the name change task changes the vpuserinfo.nsf database on one server, the changes are automatically replicated to the vpuserinfo.nsf databases on all other servers in the cluster.

Below is an example of the statuses you can see. In the example, servers X, Y, and Z are not clustered, and servers A, B, and C are clustered.
Status of a task created on Server X, as seen from each server:

Server      Task created on Server X
Server X    task appears in the Name Change page
Server Y    task does NOT appear in the Name Change page, but it is in the log file
Server Z    task does NOT appear in the Name Change page, but it is in the log file
Server A    task does NOT appear in the Name Change page, but it is in the log file
Server B    task does NOT appear in the Name Change page, and it does NOT appear in the log file
Server C    task does NOT appear in the Name Change Status page, and it does NOT appear in the log file

394

Lotus Sametime: Installation and Administration Guide Part 2

Note: Turn on the sametime.ini flag if you are working locally: NC_LOCAL_CONVERSION = |

Changing names with AdminP
This feature allows IBM Lotus Sametime to synchronize name change updates made to the IBM Lotus Domino Directory through the Domino Administration Process (AdminP) with updates to the Sametime User Information database (vpuserinfo.nsf).

Prior to Lotus Sametime 8.0.1, when a Lotus Domino administrator executed name changes through the Lotus Domino Administrator client and the AdminP process, the users' names were changed automatically in the Lotus Domino Directory but were not changed in the corresponding Lotus Sametime records. The administrator had to manually generate a CSV text file containing the renaming information and run the Lotus Sametime name change utility on one or more servers, depending on the configuration. In Lotus Sametime 8.0.1, this process is enhanced: Lotus Sametime updates vpuserinfo.nsf and adds a new CSV text file to stnamechange.nsf whenever a change is made in the Domino Directory.

Note: It is still necessary to run the name conversion utility manually even when the AdminP integration code is working. The Name Change Integration with AdminP feature creates a new Name Change task and only partially updates vpuserinfo.nsf; for example, it does not update the contact lists that include the old name. For a full update, the name conversion utility must be executed.

In addition, the AdminP functionality is available only for Lotus Sametime servers that use Lotus Domino authentication and run on Lotus Domino 8.0.2 or later. If the Lotus Sametime server uses LDAP authentication, or if you are using a version of Lotus Domino earlier than 8.0.2, you cannot use the AdminP feature to change names.

AdminP integration components
The following components contain the code for the Name change integration with AdminP feature. They are located under the Domino program directory (by default \Lotus\Domino on Windows):
v StUpdateAdminP.dll -- the code loaded by the AdminP process. This DLL receives notifications from Domino about renaming operations. It is referred to here as the AdminP add-in.
v AdminpUpdate.jar -- the Java code executed by StUpdateAdminP.dll.
v NameChangeUtils.jar -- a library that provides services for updating the different Sametime databases. It is called by AdminpUpdate.jar to perform the actual change in vpuserinfo.nsf and stnamechange.nsf.

Known issues with AdminP integration
Please note the following issues concerning AdminP integration with Lotus Sametime:
v This feature is supported starting in Domino 6.0, but is currently not available with Domino 8.0.1.
v In Lotus Sametime, this feature is supported starting with release 8.0.1.
v Only name updates are handled; deletions and additions are not supported by AdminP.
v To complete the name change process, you must still execute the name change application (AdminP integration simplifies the process but does not replace it).
v When Lotus Sametime databases are being updated as a result of the AdminP operation, warning messages appear on the Domino console. These messages do not indicate a problem with the process and can be ignored.

Enabling AdminP integration:
The name change AdminP integration runs on one Sametime server in each cluster, is installed as part of a Sametime server installation, and is disabled by default.

Before you begin
The name change AdminP integration functionality is available only for Lotus Sametime 8.0.1 servers hosted on Microsoft Windows and configured to use the IBM Domino Directory for authentication. If your deployment uses an LDAP directory, you must use the Name Conversion utility as in previous releases. For information on the Name Conversion utility, see the topic ″About the Name Conversion utility″ in this Sametime information center.

About this task
Enable the AdminP integration for your Lotus Sametime environment by completing the following steps:
1. Remove the comment marker from the following statement in the notes.ini file:
EXTMGR_ADDINS=StUpdateAdminP.dll
If there are multiple servers in one community, perform this step on only one server. Because EXTMGR_ADDINS loads native code into the Domino server process, confirm before enabling it that the StUpdateAdminP.dll in the Domino program directory is the one shipped with Sametime and that no unexpected add-in is listed alongside it.
2. Using a text editor, open sametime.ini and confirm that the following flags are set as follows:
ST_JAVA_CLASS_PATH=C:\Lotus\Domino\java;C:\Lotus\Domino\StConfig.jar;C:\Lotus\Domino\StConfigXml.jar;C:\Lotus\Domino\AdminpUpdate.jar
ST_JAVA_JVM_PATH=C:\Lotus\Domino\ibm-jre\jre\bin\classic\jvm.dll
ST_JAVA_LIB_PATH=C:\Lotus\Domino
The paths may differ based on your deployment. Note: Ensure that ST_JAVA_CLASS_PATH contains the full path of the AdminpUpdate.jar file (the default path is \Lotus\Domino\AdminpUpdate.jar).
3. If the Sametime community consists of more than one Sametime server, ensure that the following databases are replicated among all of the servers in the community: names.nsf and admin4.nsf. A Domino administrator can configure Connection documents to ensure these databases are replicated on a defined schedule. For more information on how to create Connection documents, see the ″Scheduling server-to-server replication″ topic in the Domino Administrator Help information center. The environment is now set up for Sametime to capture name changes carried out by AdminP.
4. Run stnamechange.cmd as described in the topic ″Running Name Change Tasks on Sametime servers in a community″ in this Sametime information center.

Specifying an administration server for databases:


AdminP uses administration servers to manage administrative changes that apply to IBM Domino databases. Either the administrator or the database manager can specify the administration server for a database. Perform this procedure on an as-needed basis.

Before you begin
To change the administration server for a Domino database, you must have Manager access to the database or be designated as a Full Access Administrator on the Security tab of the Server document.

About this task
1. From the IBM Lotus Domino Administrator, open the domain containing the server with the database for which you are setting an administration server.
2. From the Servers pane, select the server containing the database for which you are setting an administration server.
3. Click the Files tab and then select the database to which you are assigning an administration server.
4. From the Tools pane, click Tools → Database → Manage ACL.
5. Click Advanced.
6. Complete these fields and then click OK:

Administration Server -- choose one of these:
v None -- if you do not want an administration server assigned for the database.
v Server -- select a server from the list.

Action -- choose one of these according to whether you want modifications to the indicated fields to occur during a rename group, rename user, or rename server action, or during a delete server, delete group, or delete user action:
v Do not modify Names fields -- Names fields are not updated during any of the above rename and delete actions.
v Modify all Readers and Authors fields -- Reader and Author fields are updated during the rename and delete actions listed above.
v Modify all Names fields -- All Names fields are updated during any of the rename or delete actions listed above.

7. If you will be processing administration requests across domains, complete the procedure in the topic ″Creating a Cross-domain Configuration document″ in the Domino Administration information center.

Sample configurations:
AdminP operates with various configurations of the IBM Lotus Sametime server and IBM Domino.


Lotus Sametime and the Domino Directory are hosted on the same machine The Sametime and Domino directory are on the same server. When a rename is made the AdminP add-in is notified and the callback updates the relevant databases. After the Name Change Utility is run all users can see each other’s updated names.

Two or more Domino servers, each hosting Lotus Sametime and a Domino Directory The Domino directories are replicated between all servers; names.nsf and admin4.nsf are replicated on all servers. A name change executed on any one of these servers triggers the AdminP process on every server. Each AdminP process updates only the databases whose administration server is its own server, which avoids replication conflicts.

Domino Directory hosted remotely from Lotus Sametime but within the same Domino domain One or more Lotus Sametime servers and the Domino Directory are in the same domain. Each Lotus Sametime server accesses the Domino Directory through the directory assistance feature. Since all are in the same domain and the remote directory is accessed through da.nsf, updates are made on the remote directory and are received on the Lotus Sametime server. The Lotus Sametime server triggers the update of the databases whose administration server is the local server and activates the callback in the add-in.

Domino Directory hosted remotely from Lotus Sametime, in a different Domino domain This time, the Lotus Sametime servers and the Domino Directory are in different domains. For rename updates to go from the Domino Directory in domain A to the Lotus Sametime servers in domain B, a cross-domain configuration must be applied to these domains. When a name is updated in the directory in domain A, a mail message is sent to domain B (assuming the cross-domain configuration is applied). This mail message is treated as a request for AdminP and is added to admin4.nsf, which logs requests for the AdminP process. Refer to the Domino Administration guide for additional information on cross-domain configuration.


Domino Directory hosted remotely from Lotus Sametime, in a different Domino domain, and not serving as primary directory The Sametime servers and the Domino Directory are in different domains, and the Domino Directory is not the primary directory for the deployment. As in the previous configuration, the cross-domain configuration must be applied, and the da.nsf on the Sametime servers must point to the required NAB on the remote Domino server (instead of names.nsf).

Two or more Domino Directories on remote servers, replicated with one or more Lotus Sametime servers The Lotus Sametime servers and the Domino directories are in different domains. A Cross Domain Configuration should be applied and the da.nsf on each Lotus Sametime server should point to the required NAB in the remote Domino cluster. One server in the Domino environment (domain B) should be defined as the Administration server of the Primary address book for the Domino Domain. The da.nsf of each Lotus Sametime server should point to the NAB on this server.


Changing a person's name with AdminP:
You can use the AdminP feature to change a user's name in IBM Lotus Sametime.

About this task
To change a name in an environment with the AdminP add-in enabled:
1. From the IBM Lotus Domino Administrator, click the People & Groups tab.
2. In the left-hand column, choose People under the selected directory.
3. Select the name that you want to change; for example, ″Sara Lester″.
4. On the right-hand side, select the People tab and choose Rename.
5. In the ″Rename selected HTTP, POP3, and IMAP people″ dialog box, specify the time frame during which the user may log in with both the old and the new names, and click Next.
6. Select a user name, fill in the appropriate fields to change the name, and click Next. For example, to change Sara's last name from ″Lester″ to ″Webster,″ type Webster in the Last Name field.

Domino processes these name changes periodically (every 60 minutes by default). When the process is complete, the changes are reflected in vpuserinfo.nsf and stnamechange.nsf as follows:
v In vpuserinfo.nsf, the storageUserId of the renamed user is changed to the new name. For example, Sara's storageUserId is changed from ″CN=Sara Lester″ to ″CN=Sara Webster″.
v In stnamechange.nsf, a new name change task is created, and an adminp.csv file describing the name change is attached to it. For example, the adminp.csv file for changing Sara's last name looks like this:
ID, "CN=Sara Lester/O=AcmeCorp", "CN=Sara Webster/O=AcmeCorp", "Sara Webster/AcmeCorp"

7. Run the stnamechange.cmd to complete the name change process. For more information, refer to the topic ″Running Name Change Tasks on Sametime servers in a community″ in this Lotus Sametime Information Center. Additional information is available in the Tech Note ″NameChange administration tasks in Lotus Sametime 8″ at the following Web address:
http://www.ibm.com/support/docview.wss?&uid=swg21290627
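Because stnamechange.cmd acts on whatever the CSV says, it pays to check a hand-made or AdminP-generated file before running it. The validator below is an added example, not part of Lotus Sametime or the tech note. It assumes the four-column layout shown above (record type, old canonical name, new canonical name, new abbreviated name); since only ″ID″ rows appear on this page, any other record type is reported rather than interpreted, and the sample rows after the first are constructed to show the checks firing.

```python
"""Validate a Sametime name change CSV (the adminp.csv format shown above).

Added example; not part of Lotus Sametime or the IBM tech note. It assumes
the row layout shown on this page: record type, old canonical name, new
canonical name, new abbreviated name. Only "ID" rows appear on the page,
so any other record type is reported rather than interpreted.
"""
import csv
import io

NAME_COMPONENTS = ("CN", "OU", "O", "C")


def abbreviate(canonical):
    """'CN=Sara Webster/O=AcmeCorp' -> 'Sara Webster/AcmeCorp'.

    A canonical Notes name is a slash-separated list of components, each
    prefixed with its type; the abbreviated form drops the prefixes.
    """
    parts = []
    for part in canonical.split("/"):
        prefix, sep, value = part.partition("=")
        if not sep or prefix.upper() not in NAME_COMPONENTS or not value:
            raise ValueError("not a canonical Notes name: %r" % canonical)
        parts.append(value)
    return "/".join(parts)


def validate_name_change_csv(text):
    """Return (renames, errors).

    renames: list of (old_canonical, new_canonical) for valid ID rows.
    errors:  list of human-readable problems, one per bad row.
    """
    renames, errors, seen_old = [], [], set()
    reader = csv.reader(io.StringIO(text), skipinitialspace=True)
    for lineno, row in enumerate(reader, 1):
        if not row or not "".join(row).strip():
            continue                      # blank line
        if len(row) != 4:
            errors.append("line %d: expected 4 fields, got %d" % (lineno, len(row)))
            continue
        rtype, old, new, abbrev = (f.strip() for f in row)
        if rtype.upper() != "ID":
            errors.append("line %d: unsupported record type %r" % (lineno, rtype))
            continue
        try:
            expected = abbreviate(new)
            abbreviate(old)
        except ValueError as exc:
            errors.append("line %d: %s" % (lineno, exc))
            continue
        if old == new:
            errors.append("line %d: old and new names are identical" % lineno)
        elif expected != abbrev:
            errors.append("line %d: abbreviated name %r does not match %r"
                          % (lineno, abbrev, expected))
        elif old in seen_old:
            errors.append("line %d: duplicate rename of %r" % (lineno, old))
        else:
            seen_old.add(old)
            renames.append((old, new))
    return renames, errors


# Constructed sample: the row from the page plus two deliberately bad rows.
SAMPLE_CSV = '''\
ID, "CN=Sara Lester/O=AcmeCorp", "CN=Sara Webster/O=AcmeCorp", "Sara Webster/AcmeCorp"
ID, "CN=Bob Ray/O=AcmeCorp", "CN=Bob Ray/O=AcmeCorp", "Bob Ray/AcmeCorp"
GROUP, "Sales", "Field Sales", "Field Sales"
'''

if __name__ == "__main__":
    ok, bad = validate_name_change_csv(SAMPLE_CSV)
    print(ok)
    for problem in bad:
        print("ERROR:", problem)
```

The abbreviated-name check matters because the fourth column is what the contact lists will display; a mismatch between it and the new canonical name is the kind of defect that only shows up after the task has run.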

Troubleshooting AdminP integration:
If your AdminP integration does not work properly, use the information below to help resolve issues.

The AdminP feature is not working
1. Ensure the AdminP name change add-in is enabled by the following line in notes.ini:
EXTMGR_ADDINS=StUpdateAdminP.dll

2. Turn on the trace file flags, rename a user in the directory, and analyze the trace files.

The trace files indicate that the JNI does not find the Java class
1. Ensure the following files are located in the program directory:
v nadminp.exe
v StUpdateAdminP.dll
v AdminpUpdate.jar
v NameChangeUtils.jar
v stnamechange.jar
2. Ensure the following directory flags in sametime.ini have the correct values:
v ST_JAVA_CLASS_PATH
v ST_JAVA_JVM_PATH
v ST_JAVA_LIB_PATH

Working with trace files:
Trace files are located in the trace directory. The trace flags are located in the [Debug] section of sametime.ini:
VP_ADMINP_UPDATE_TRACE=1
ADMINP_ADDIN_DEBUG_LEVEL=5

File                                       Contains
StUpdateAdminP_080608_1046_2508_000.txt    C trace files
stupdateJava_080608_1122.txt.0             Java code trace files for the AdminP name change add-in and Name Change API together
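The enabling steps and the troubleshooting checklist above amount to a handful of mechanical checks on notes.ini, sametime.ini and the program directory. The script below is an added example, not part of Lotus Sametime, that performs them against text you pass in; the sample configuration strings are constructed from the defaults quoted on this page, ″;″ as the notes.ini comment marker and the [Config] section name in sametime.ini are assumptions, and the list of files in the program directory is supplied by the caller so the check runs offline. It also reports every entry in EXTMGR_ADDINS, because that variable loads native DLLs into the Domino server process and an unexpected entry there deserves a look.

```python
"""Check the AdminP integration prerequisites from the steps above.

Added example, not part of Lotus Sametime. It reads notes.ini and
sametime.ini text (constructed samples below), checks the settings the
enabling procedure and the troubleshooting list call for, and reports
every extension manager add-in it finds, because EXTMGR_ADDINS loads
native DLLs into the Domino server process. ';' as the notes.ini comment
marker and the [Config] section name are assumptions.
"""

REQUIRED_FILES = {"nadminp.exe", "StUpdateAdminP.dll", "AdminpUpdate.jar",
                  "NameChangeUtils.jar", "stnamechange.jar"}
REQUIRED_ST_FLAGS = ("ST_JAVA_CLASS_PATH", "ST_JAVA_JVM_PATH", "ST_JAVA_LIB_PATH")


def parse_ini(text):
    """Return {KEY: value} for key=value lines, ignoring [sections] and ';' comments."""
    settings = {}
    for line in text.splitlines():
        line = line.strip()
        if not line or line.startswith((";", "[")):
            continue
        key, sep, value = line.partition("=")
        if sep:
            settings[key.strip().upper()] = value.strip()
    return settings


def check_adminp_integration(notes_ini, sametime_ini, program_dir_files):
    """Return a list of findings; an empty list means every check passed."""
    findings = []
    notes = parse_ini(notes_ini)
    addins = [a.strip() for a in notes.get("EXTMGR_ADDINS", "").split(",") if a.strip()]
    if not any(a.lower() == "stupdateadminp.dll" for a in addins):
        findings.append("notes.ini: EXTMGR_ADDINS does not load StUpdateAdminP.dll "
                        "(is the line still commented out?)")
    for extra in (a for a in addins if a.lower() != "stupdateadminp.dll"):
        findings.append("notes.ini: additional extension manager add-in %r; verify it" % extra)

    st = parse_ini(sametime_ini)
    for flag in REQUIRED_ST_FLAGS:
        if not st.get(flag):
            findings.append("sametime.ini: %s is missing or empty" % flag)
    classpath = [p.strip() for p in st.get("ST_JAVA_CLASS_PATH", "").split(";")]
    if not any(p.lower().endswith("adminpupdate.jar") for p in classpath):
        findings.append("sametime.ini: ST_JAVA_CLASS_PATH lacks the full path to AdminpUpdate.jar")
    jvm = st.get("ST_JAVA_JVM_PATH", "")
    if jvm and not jvm.lower().endswith("jvm.dll"):
        findings.append("sametime.ini: ST_JAVA_JVM_PATH does not point at jvm.dll")

    present = {f.lower() for f in program_dir_files}
    for name in sorted(REQUIRED_FILES):
        if name.lower() not in present:
            findings.append("program directory: %s not found" % name)
    return findings


# Constructed samples; paths follow the defaults quoted on this page.
GOOD_NOTES_INI = "EXTMGR_ADDINS=StUpdateAdminP.dll\n"
COMMENTED_NOTES_INI = ";EXTMGR_ADDINS=StUpdateAdminP.dll\n"
GOOD_SAMETIME_INI = """[Config]
ST_JAVA_CLASS_PATH=C:\\Lotus\\Domino\\java;C:\\Lotus\\Domino\\StConfig.jar;C:\\Lotus\\Domino\\StConfigXml.jar;C:\\Lotus\\Domino\\AdminpUpdate.jar
ST_JAVA_JVM_PATH=C:\\Lotus\\Domino\\ibm-jre\\jre\\bin\\classic\\jvm.dll
ST_JAVA_LIB_PATH=C:\\Lotus\\Domino
"""
PROGRAM_DIR = ["nadminp.exe", "StUpdateAdminP.dll", "AdminpUpdate.jar",
               "NameChangeUtils.jar", "stnamechange.jar", "nserver.exe"]

if __name__ == "__main__":
    for finding in check_adminp_integration(COMMENTED_NOTES_INI, GOOD_SAMETIME_INI, PROGRAM_DIR):
        print("FINDING:", finding)
```

On a real server, read the two .ini files from the Domino program directory and pass os.listdir of that directory as the third argument.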

Validation
Do the following to validate that a name change worked:
1. Rename a user in the Domino Directory.
2. On the Domino console, type: tell adminp process all (this processes all the AdminP requests immediately).
3. Verify that a new task with the correct name change was added to stnamechange.nsf.
4. Verify that the user's StorageUserId value was renamed.

Updated trace information
Verify that the StUpdateAdminP_080624_1451_3192_000.txt trace file contains a line similar to the following:
080624_145626,INF,DEBUG , JNI call completed for name = CN=Sara Lester/O=AcmeCorp

Verify that the stupdateJava_080624_1456.txt.0 trace file contains lines similar to the following:
Jun 24, 2008 2:56:23 PM com.ibm.sametime.stupdate.StUpdateDBs updateDb
FINE: from java method old name is CN=Sara Lester/O=AcmeCorp newName = CN=Sara Webster/O=AcmeCorp
Jun 24, 2008 2:56:23 PM com.ibm.sametime.namechangeutils.NameChangeUtils createChangeNameTask
INFO: completed.
Jun 24, 2008 2:56:23 PM com.ibm.sametime.namechangeutils.NameChangeUtils updateInfoUserID
INFO: changing from="CN=Sara Lester/O=AcmeCorp"
Jun 24, 2008 2:56:23 PM com.ibm.sametime.namechangeutils.NameChangeUtils updateInfoUserID
INFO: changing to="CN=Sara Webster/O=AcmeCorp"
Jun 24, 2008 2:56:23 PM com.ibm.sametime.namechangeutils.NameChangeUtils updateInfoUserID
INFO: completed.
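Reading these two traces by eye works for one rename; after a bulk rename it does not. The parser below is an added example, not part of Lotus Sametime, that confirms each stage of a rename from the line shapes quoted above: the C trace's ″JNI call completed for name″ line and the two-line java.util.logging records from StUpdateDBs.updateDb and NameChangeUtils. The sample trace text is constructed from the lines on this page; the pairing of header and message lines is assumed from that format.

```python
"""Confirm a rename from the AdminP add-in trace files quoted above.

Added example; not part of Lotus Sametime. It recognises only the line
shapes shown on this page: the C trace line 'JNI call completed for
name = <old name>' and the two-line java.util.logging records from
StUpdateDBs.updateDb and NameChangeUtils (createChangeNameTask,
updateInfoUserID). The sample trace text below is constructed from
those lines; real trace files carry more records than this.
"""
import re

JNI_RE = re.compile(r"JNI call completed for name = (?P<old>\S.*?)\s*$")
UPDATEDB_RE = re.compile(r"old name is (?P<old>.+?) newName = (?P<new>\S.*?)\s*$")
CHANGING_RE = re.compile(r'changing (?P<which>from|to)="(?P<name>[^"]+)"')


def java_records(text):
    """Yield (method, message) from java.util.logging header+message line pairs."""
    lines = [line for line in text.splitlines() if line.strip()]
    for header, message in zip(lines[0::2], lines[1::2]):
        yield header.split()[-1], message.strip()


def verify_rename(c_trace, java_trace, old, new):
    """Return which stages of renaming old -> new the two traces confirm."""
    result = {"jni_call": False, "update_db": False,
              "task_created": False, "userid_updated": False}
    for line in c_trace.splitlines():
        m = JNI_RE.search(line)
        if m and m.group("old") == old:
            result["jni_call"] = True

    changing = {}                       # from/to names seen in updateInfoUserID
    for method, message in java_records(java_trace):
        if method == "updateDb":
            m = UPDATEDB_RE.search(message)
            if m and (m.group("old"), m.group("new")) == (old, new):
                result["update_db"] = True
        elif method == "createChangeNameTask" and message.endswith("completed."):
            result["task_created"] = True
        elif method == "updateInfoUserID":
            m = CHANGING_RE.search(message)
            if m:
                changing[m.group("which")] = m.group("name")
            elif message.endswith("completed.") and changing == {"from": old, "to": new}:
                result["userid_updated"] = True
    return result


def rename_confirmed(c_trace, java_trace, old, new):
    """True only when every stage of the rename appears in the traces."""
    return all(verify_rename(c_trace, java_trace, old, new).values())


# Constructed sample traces built from the lines quoted on this page.
OLD = "CN=Sara Lester/O=AcmeCorp"
NEW = "CN=Sara Webster/O=AcmeCorp"
C_TRACE = "080624_145626,INF,DEBUG , JNI call completed for name = CN=Sara Lester/O=AcmeCorp\n"
JAVA_TRACE = """\
Jun 24, 2008 2:56:23 PM com.ibm.sametime.stupdate.StUpdateDBs updateDb
FINE: from java method old name is CN=Sara Lester/O=AcmeCorp newName = CN=Sara Webster/O=AcmeCorp
Jun 24, 2008 2:56:23 PM com.ibm.sametime.namechangeutils.NameChangeUtils createChangeNameTask
INFO: completed.
Jun 24, 2008 2:56:23 PM com.ibm.sametime.namechangeutils.NameChangeUtils updateInfoUserID
INFO: changing from="CN=Sara Lester/O=AcmeCorp"
Jun 24, 2008 2:56:23 PM com.ibm.sametime.namechangeutils.NameChangeUtils updateInfoUserID
INFO: changing to="CN=Sara Webster/O=AcmeCorp"
Jun 24, 2008 2:56:23 PM com.ibm.sametime.namechangeutils.NameChangeUtils updateInfoUserID
INFO: completed.
"""

if __name__ == "__main__":
    print(verify_rename(C_TRACE, JAVA_TRACE, OLD, NEW))
```

The userid_updated stage is only accepted when the ″changing from″ and ″changing to″ names both match the expected pair before the ″completed.″ record, so a trace in which the add-in renamed the wrong user does not pass.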

Changing the IP address of an IBM i Sametime Community Server
Your IBM i Lotus Sametime Community Server should be set up so that it uses host names and does not refer directly to IP addresses. This allows you to change the IP address for your Lotus Sametime Community server by simply updating the host table and DNS.

About this task
To change the IP address for your Lotus Sametime Community Server, follow these steps:
1. Update your host table so that the new IP address is associated with the appropriate host name. Make sure that the fully qualified host name is listed first among the entries for your IBM i Lotus Sametime Community Server, before any short names. For more information, see ″Updating the host table on IBM i.″
2. Likewise, update your DNS entries so that the new IP address is associated with the appropriate host name. Check whether your server is configured to search the Domain Name Server (DNS) before the host table. If it is, you must also make sure that the fully qualified host name of your Lotus Sametime Community Server is listed first in the DNS. To check the configured search order, see ″Updating the Domain Name Server for IBM i.″
3. Stop and restart the Lotus Sametime Community Server for the changes to take effect.

Changing the host name of an IBM i Sametime Community Server
The command CHGLSTDOM simplifies the process for changing the host name setting of an IBM i Lotus Sametime Community Server.

About this task
The procedure described in this section can also be used to correct problems with the configuration of your Sametime server. For example, if your TCP/IP host table did not correctly list the fully qualified host name first at the time that you set up your Lotus Sametime Community Server, many elements of your server configuration may be incorrect. You can correct this problem by following this procedure to change the host name of your Lotus Sametime Community Server.

To change the host name, follow these steps:
1. Update your host table so that the new host name is associated with the appropriate IP address. Make sure that the fully qualified host name is listed first among the entries for your Sametime server, before any short names. For more information, see ″Updating the host table on IBM i.″
2. Likewise, update your DNS entries so that the new host name is associated with the appropriate IP address. Check whether your server is configured to search the Domain Name Server (DNS) before the host table. If it is, you must also make sure that the fully qualified host name of your Lotus Sametime Community Server is listed first in the DNS. To check the configured search order, see ″Updating the Domain Name Server for IBM i.″
3. End the IBM i Lotus Sametime Community Server.
4. Update the host name for the Domino server using the CHGDOMSVR command. For detailed information on changing the configuration of a Domino server, refer to ″Updating the configuration of existing IBM i Domino servers.″
5. On any IBM i command line, type the following and press F4:
CHGLSTDOM
6. On the Change Sametime on Domino display, specify the following and then press Enter:
v The name of the IBM i Lotus Sametime Community Server where you want to make this change (for example, stdom1).
v The new fully qualified host name for the IBM i Lotus Sametime Community Server (for example, stdom1.acme.com).
The command:
– Updates the Ports - Notes Network Ports - Net Address field in the Server document.
– Adds the host name to the Internet Protocols - HTTP - Host name field in the Server document.
– Updates Sametime files that reference the host name.
Note: If your server is enabled for both IPv4 and IPv6 addressing, you must manually update the sametime.ini file so that ″VPS HOST=″ is set to an explicit IP address, rather than the host name, after running the CHGLSTDOM command. See Configuring the Community Services for IPv6 for detailed instructions.
7. Start the IBM i Lotus Sametime Community Server.
8. Open the Domino Directory (names.nsf) on your IBM i Lotus Sametime Community Server and edit the Server document. Look at the Internet Protocols - HTTP tab in the Server document and locate the Basics - Host name(s) field.
9. The Basics - Host name(s) field may contain more than one name. If any of the names are incorrect or not needed, delete them. Make sure that the correct fully qualified host name is listed first in the field. Note: If your server is configured for both IPv4 and IPv6 addressing, there are additional considerations when updating the Host name field. See Configuring Lotus Domino for IPv6 on IBM i for detailed instructions.
10. Save and close the Server document.
11. If you are using HTTP Tunneling with multiple IP addresses, additional configuration updates are required. See ″Updating the host names when using HTTP Tunneling with multiple IP addresses″ later in this section.
12. Stop and restart the IBM i Lotus Sametime Community Server for the changes to take effect.


What to do next
Updating the IBM i host names when using HTTP Tunneling with multiple IP addresses
If you are using HTTP Tunneling with multiple IP addresses, you must update your configuration manually after using the CHGLSTDOM command to change the IBM i server host name. If you are not using HTTP Tunneling with multiple IP addresses, this step is not applicable. The CHGLSTDOM command placed the new host name in the tunneling host name fields but did not preserve the required prefixes, such as community-, meeting- and broadcast-, in the Sametime configuration. Use the Sametime Administration Tool to update the host names in the following fields in the ″Connectivity″ section:
v Community Services Network settings -> Address for client connections - Host name should have the prefix community-
v Community Services Network settings -> Address for HTTP tunneled client connections - Host name should have the prefix community-

Monitoring the Sametime Community Server
The IBM Lotus Sametime monitoring charts allow you to monitor Lotus Sametime Community server statistics by providing up-to-the-second information about Community Services, Web statistics, and free disk space on the server.

About this task
All monitoring charts are available from the Monitoring menu in the Sametime Administration Tool. The charts that are available from the Miscellaneous link in the Monitoring menu are part of the Domino Web Administration Tool. These charts provide information on Web statistics, server memory, and disk space. To view the status of the Sametime Community services since the last server restart, click the Overview link in the Sametime Administration Tool. Also note that the time of day that is listed in the monitoring charts is calculated according to the browser’s time zone, not the server’s time zone. 1. Enter the URL for the Lotus Sametime Community server:
http://hostname/servlet/auth/admin

Where hostname is the fully qualified Domain Name Service (DNS) name or the IP address of the Lotus Sametime Community server you want to administer. 2. Enter the administrator name and password specified during the Lotus Sametime Community server installation. 3. Select Monitoring. Note: To view the status of the Sametime services since the last server restart, click Overview. 4. Select the appropriate chart for monitoring.

Monitoring general Sametime Community Server status
The General Server Status monitoring chart allows you to see the status of the IBM Lotus Sametime Community Server at a glance.


Total Community Logins
The Total Community Logins chart displays current information about:
v Total Community Logins - The total number of logins to Community Services on the Lotus Sametime Community Server that you are monitoring. The Total Community Logins chart includes multiple logins from the same user. For example, if a user is logged in from both the Sametime Connect client and the Participant List component of the Meeting Room, this chart records two logins for that user.
v Total Unique Logins - If a user is simultaneously logged in from multiple Community Services clients, the Total Unique Logins chart records only one login for that user. A user logged in from multiple clients is considered a single unique login. Use this chart to determine the current number of Community Services users.
v Total 2-way Chats - The total number of 2-person chats taking place on the Lotus Sametime Community Server. This chart includes only chats that were started from the Lotus Sametime Community Server you are monitoring. For example, if you are monitoring server A and a user who has specified server A as her home server starts a chat with another user, that chat is counted in the Total 2-way Chats chart. You will not see chats that were started by users who have specified a server other than server A as their home server.
v Total n-way Chats - The total number of multi-person chats taking place on the Lotus Sametime Community Server. This chart includes only chats that were started from the Lotus Sametime Community Server you are monitoring. For example, if you are monitoring server A and a user who has specified server A as her home server starts a chat with two other users, that chat is counted in the Total n-way Chats chart. You will not see chats that were started by users who have specified a server other than server A as their home server.
v Total Number of Active Places - The Total Number of Active Places chart lists the combined number of n-way chats and active meetings. Both n-way chats and online meetings are counted as Active Places; 2-way chats are not counted in this chart.

Monitoring Lotus Sametime Community Services logins
A user can be logged in to the IBM Lotus Sametime Community Services from more than one client. To access the Logins chart, open the Sametime Administration Tool and select Monitoring → Logins. The Logins chart displays:
v Community Server Total Logins - The total number of logins to Community Services, including multiple logins from the same user. For example, if a user is logged in from both the Sametime Connect client and the Participant List component of the Meeting Room, this chart records two logins for that user. Internal components of the Community Services also log in to the Community Services. These are intra-server connections between Community Services components that occur as part of the normal operation of the Community Services. These logins are also counted in the total logins chart.
v Community Server Total Unique Logins - If a user is simultaneously logged in from multiple Community Services clients, this chart records only one login for that user. A user logged in from multiple clients is considered a single ″unique″ login. Use this chart to determine the current number of Community Services users.


The Logins chart updates at the time interval specified in the Polling Interval (seconds). Enter a new interval to change the rate at which the chart updates. To update the chart immediately, click Refresh.

Monitoring miscellaneous Domino Web Administration statistics
The Miscellaneous charts are part of the IBM Lotus Domino Web Administration pages. The IBM Lotus Sametime Community Server uses features in the Lotus Domino server and its associated Web administration pages. You can monitor various statistics and events from the Lotus Domino Web Administration pages, including:
v Memory
v Statistics
v Disk Space
To access the Domino Web Administration pages, choose Monitoring → Miscellaneous in the Sametime Administration Tool, and then click the link that appears at the bottom of the page. The Lotus Domino Web Administration pages open in a new browser window.

Administering a Lotus Sametime Proxy Server
This section describes how to manage an IBM Lotus Sametime Proxy Server.

Updating Sametime Proxy Server connection properties on the console
You can update connection setting information that the IBM Lotus Sametime System Console uses to connect to the Lotus Sametime Proxy Server.

Before you begin
If you are configuring the Lotus Sametime Proxy Server to use SSL (Secure Socket Layer), make sure the server’s certificate has been added to the Sametime System Console’s trust store.

About this task
Any changes that you make to the credential and connection information on the Connection Properties page do not change the actual settings on the Lotus Sametime Proxy Server. These settings are used only by the Sametime System Console to connect to the Sametime Proxy Server. Follow these steps to update connection setting information.
1. Log in to the Integrated Solutions Console.
2. Click Sametime System Console → Sametime Servers → Sametime Proxy Server.
3. In the Sametime Proxy Servers list, click Edit next to the deployment name of the server whose connection information you want to change.
4. Under Connection Properties, enter the administrator's User name and Password for connecting to the Lotus Sametime Proxy Server.
5. If your deployment uses SSL, select Is SSL?
6. Click Save.


7. If you enabled SSL, then you must restart the Lotus Sametime System Console for the changes to take effect. Related tasks “Adding a Sametime server SSL certificate to the Sametime System Console” on page 242 If you need to enable SSL (Secure Socket Layer), make sure you add the certificate from the IBM Lotus Sametime server (Sametime Meeting, Proxy, Media Manager, Gateway, or SIP) to the Lotus Sametime System Console.

Administering a Lotus Sametime Media Manager
The audio/video services are enabled by default following an IBM Lotus Sametime Media Manager installation. You can enable and disable the audio/video services from the Lotus Sametime System Console. This section describes how to manage the Lotus Sametime Media Manager.

About this task
The Lotus Sametime Media Manager manages Lotus Sametime meeting rooms by maintaining a dialog with each participant, and ensuring that all media flows between those participants. The Lotus Sametime Media Manager supports interactive IP audio and video capabilities and enables clients with the appropriate hardware (sound card, microphone, speakers, and camera) to transmit and receive real-time audio and video in a Lotus Sametime meeting room.

Updating Sametime Media Manager connection properties on the console
You can update connection setting information that the IBM Lotus Sametime System Console uses to connect to the Lotus Sametime Media Manager.

Before you begin
If you are configuring the Lotus Sametime Media Manager to use SSL (Secure Socket Layer), make sure the server’s certificate has been added to the Sametime System Console’s trust store.

About this task
Any changes that you make to the credential and connection information on the Connection Properties page do not change the actual settings on the Lotus Sametime Media Manager. These settings are used only by the Sametime System Console to connect to the Sametime Media Manager. Follow these steps to update connection setting information. 1. Log in to the Integrated S