Lotus Sametime®
Version 8.5.1
Lotus Sametime 8.5.1 Installation and Administration Guide Part 2
Note
Before using this information and the product it supports, read the information in “Notices” on page 669.
Edition notice
Second edition (October 2010)
This edition applies to version 8.5.1 of IBM Lotus Sametime (program number 5724–J23) and to all subsequent
releases and modifications until otherwise indicated in new editions.
© Copyright IBM Corporation 1996, 2010.
US Government Users Restricted Rights – Use, duplication or disclosure restricted by GSA ADP Schedule Contract
with IBM Corp.
Contents

Chapter 1. Configuring . . . 1
  Configuring a Lotus Sametime Community Server . . . 1
    Do I need to restart the Sametime server? . . . 1
    Mapping the user ID to a unique directory attribute . . . 17
    Turning off case sensitivity on the Lotus Sametime Community Server . . . 25
    Managing client types and logins . . . 26
    Configuring a mixed-license environment with clients that connect to Sametime Entry servers . . . 28
    Creating custom Java classes for searching the LDAP . . . 30
    Ports used by the Sametime Community Server . . . 35
    Using reverse proxy or portal servers with the Sametime server . . . 41
    Using multiple non-clustered Lotus Sametime Community Servers . . . 57
    Creating a cluster of Lotus Sametime Community Servers . . . 71
    Configuring SiteMinder for the Lotus Sametime server . . . 84
  Configuring the Sametime client . . . 90
    Client update process . . . 90
    Configuring Sametime Connect client preferences . . . 91
    Enabling Sametime Unified Telephony, extended status, and telephony status in the client . . . 131
    Writing custom messages for clients . . . 134
    Creating an update site for plug-in access . . . 136
    Turning off case sensitivity in the Lotus Sametime Connect client . . . 137
    Basic Sametime Connect client connection process . . . 137
    Client connections over HTTP tunneling . . . 143
  Configuring Lotus Sametime for mobile users . . . 144
    Configuring the Lotus Domino server for Lotus Sametime Mobile support . . . 144
    Configuring Sametime on the iPhone device . . . 145
    Configuring Sametime Mobile for client downloads . . . 145
  Configuring a Lotus Sametime Proxy Server . . . 149
    Configuring connectivity . . . 149
    Configuring Lotus Connections as the business card server . . . 151
    Setting up click-to-call . . . 152
    Clustering Lotus Sametime Proxy Servers . . . 153
  Configuring a Lotus Sametime Media Manager . . . 168
    Clustering Lotus Sametime Media Manager components . . . 168
  Configuring a Lotus Sametime Meeting Server . . . 218
    Configuring the Sametime Meeting Server for document conversion . . . 218
    Assigning administrators to the Meeting Room Center . . . 221
    Clustering Lotus Sametime Meeting Servers . . . 222
  Configuring a Lotus Sametime Gateway . . . 247
    Setting up TLS/SSL . . . 247
    Configuring LDAP for a single server on AIX, Linux, Solaris, and Windows . . . 267
    Configuring LDAP for a cluster on AIX, Linux, Solaris, and Windows . . . 272
    Connecting servers to Sametime Gateway . . . 276
    Installing and configuring event logging . . . 305
    Configuring Sametime Gateway properties . . . 310
  Configuring security . . . 316
    Using a different SSL certificate for servers running on WebSphere . . . 316
    Adding a Sametime server SSL certificate to the Sametime System Console . . . 316
    Configuring security for the Lotus Sametime Community Server . . . 318
    Configuring Sametime Meeting Server for secure access to a LDAP repository . . . 394
    Configuring security for the Lotus Sametime Media Manager . . . 395
    Importing an SSL certificate from Lotus Sametime Unified Telephony . . . 402

Chapter 2. Administering . . . 405
  Command reference for starting and stopping servers . . . 405
  Lotus Sametime component URLs . . . 410
  Adding administrators . . . 413
  Changing the administrator password . . . 414
    Updating your DB2 administrator password . . . 414
    Updating your WAS administrator password . . . 414
  Managing users with policies . . . 415
    Finding policies associated with a user . . . 416
    Creating new user policies . . . 416
    Assign users and groups to policies . . . 417
    Changing a user policy's weight . . . 429
  Administering a Lotus Sametime System Console . . . 430
    Backing up the console database . . . 430
    Starting the Lotus Sametime System Console . . . 430
  Administering a Lotus Sametime Community Server . . . 431
    Managing administrator access and roles . . . 431
    Updating Sametime Community Server connection properties on the console . . . 441
    Configuring Sametime Community Server connectivity . . . 442
    Managing trusted IP addresses . . . 443
    Forcing users to connect to a home server . . . 444
    Managing community services . . . 445
    Managing anonymous access to virtual places . . . 450
    Sending a message to all users . . . 452
    Managing business cards . . . 452
    Changing user names . . . 478
    Changing the IP address of an IBM i Sametime Community Server . . . 497
    Changing the host name of an IBM i Sametime Community Server . . . 498
    Monitoring the Sametime Community Server . . . 499
  Administering a Lotus Sametime Proxy Server . . . 506
    Updating Sametime Proxy Server connection properties on the console . . . 506
  Administering a Lotus Sametime Media Manager . . . 507
    Updating Sametime Media Manager connection properties on the console . . . 507
    Managing UDP ports for voice chat and video calls . . . 508
    Managing multiple audio and video streams . . . 509
    Changing the SIP transport protocol in the Sametime Media Manager . . . 510
    Managing media encryption and codecs . . . 511
    Managing video bit-rate . . . 513
    Changing the default number of maximum users . . . 514
    Administering a SIP Proxy and Registrar . . . 515
  Administering a Lotus Sametime Meeting Server . . . 520
    Updating Sametime Meeting Server connection properties on the console . . . 520
    Managing file sharing . . . 521
    Requiring meeting passwords . . . 522
    Limiting guest access to the Meeting Room Center . . . 523
    Defining a Sametime Proxy server for awareness in meeting rooms . . . 524
    Customizing the Sametime Meeting Server configuration . . . 524
    Turning on full-text indexing in the Meeting Room Center . . . 525
    Configuring remotely connected Sametime Meeting Servers . . . 527
    Monitoring meeting room statistics . . . 528
    Backing up user data for Lotus Sametime meeting rooms . . . 529
  Administering the Sametime Gateway Server . . . 529
    Updating Sametime Gateway Server connection properties on the console . . . 529
    Assigning users access to external communities . . . 530
    Enabling spam filtering . . . 532
    Maintaining and monitoring Lotus Sametime Gateway . . . 533
    Reference . . . 534
  Backing up WebSphere Application Server configurations . . . 578

Chapter 3. Tuning . . . 579
  Increasing the number of open files on a Sametime server running on Linux . . . 579
  Tuning Sametime Community Server . . . 579
    Tuning Sametime LDAP settings . . . 579
    Advanced settings to control contact list size . . . 583
    Setting a Sametime Polling "Keep Alive" interval for client requests . . . 584
  Tuning Lotus Sametime Media Manager . . . 585
    Tuning Sametime Media Manager load . . . 585
    Limiting participants in a video conference . . . 585
    Modifying the dynamic port range to improve Packet Switcher performance . . . 586
    Setting log files size and rotation for the Sametime Media Manager . . . 587
    Setting log files size and rotation for the SIP Proxy and Registrar . . . 588
  Tuning Sametime Gateway . . . 589
    Limiting Sametime Gateway global and community-level sessions . . . 589
    Specifying connection attempts and a time out when connecting with the local Sametime server . . . 592
    Setting thread pool values . . . 592
    Configuring automatic thread dumps for hung threads . . . 593
    Setting the JVM garbage collection policy . . . 594
    Setting log files size and rotation . . . 594
    Setting threshold warnings for monitoring server load . . . 595
    Tuning the SIP proxy . . . 596
    Resolving email addresses as Sametime IDs more efficiently . . . 597
    Tuning the data replication service on WebSphere Application Server 6 . . . 597
  Tuning a WebSphere proxy server . . . 598
    Disabling the proxy read-ahead mechanism on the WebSphere proxy server . . . 598
    Adjusting the WebSphere proxy server thread pool settings . . . 599
    Setting JVM verbose garbage collection and heap sizes on the Websphere proxy server . . . 599
    Extending the HTTP persistent timeout on the WebSphere proxy server . . . 600
  Enabling full-text indexing in zLinux DB2 . . . 600

Chapter 4. Troubleshooting . . . 603
  Troubleshooting a Lotus Sametime Connect client . . . 603
    Logging and tracing on Lotus Sametime Connect . . . 603
    Locating the Lotus Sametime Connect workspace . . . 605
    Troubleshooting audio video in Lotus Sametime Connect clients . . . 606
    Troubleshooting meeting invitations . . . 607
    Troubleshooting Business Cards . . . 607
  Troubleshooting a Lotus Sametime System Console . . . 609
    Sametime System Console log locations . . . 609
    Determining Sametime server status using the Integrated Solutions Console . . . 610
    The console.properties file . . . 610
    The productConfig.properties file for WebSphere-based servers . . . 611
    The productConfig file for Lotus Sametime Community server . . . 614
    Troubleshooting clustering . . . 615
  Troubleshooting a Lotus Sametime Community Server . . . 616
    Troubleshooting general issues in the Sametime Community Server . . . 616
    Troubleshooting LDAP in Sametime . . . 622
    Troubleshooting network problems on Domino . . . 622
  Troubleshooting a Lotus Sametime Proxy Server . . . 623
    Enabling trace . . . 623
  Troubleshooting a Lotus Sametime Media Manager . . . 624
    Setting a diagnostic trace on a Lotus Sametime Media Manager server . . . 624
    Gathering Lotus Sametime Media Manager logs and traces for IBM Support . . . 625
    Troubleshooting a Lotus Sametime Media Manager using JVM logs . . . 626
    Troubleshooting video quality . . . 627
    Troubleshooting Lotus Sametime Media Manager component clusters . . . 627
  Troubleshooting a Lotus Sametime Meeting Server . . . 629
    Setting a diagnostic trace on a Lotus Sametime Meeting Server . . . 629
    Gathering Lotus Sametime Meeting Server logs and traces for support . . . 630
    Troubleshooting a Lotus Sametime Meeting Server using JVM logs . . . 631
    Deploying Sametime Proxy Server and Sametime Meeting Server on the same machine . . . 632
    Troubleshooting a Lotus Sametime Meeting Server cluster . . . 632
  Troubleshooting a Lotus Sametime Gateway Server . . . 633
    Setting a diagnostic trace on Sametime Gateway . . . 633
    Setting a diagnostic trace for specific user names and domains . . . 634
    Gathering logs and traces for IBM support . . . 637
    Gathering performance data . . . 638
    Troubleshooting installation . . . 640
    Troubleshooting WebSphere Application Server . . . 641
    Troubleshooting the Lotus Sametime Gateway using JVM logs . . . 642
    Troubleshooting a failed WebSphere Application Startup . . . 642
    Troubleshooting starting a cluster . . . 643
    Troubleshooting secondary node problems . . . 644
    Troubleshooting connections to external communities . . . 644
    Troubleshooting message handlers . . . 645
    Troubleshooting slow or missing awareness changes . . . 646
    Troubleshooting XMPP and Google community connections and awareness . . . 647
    Error message severity levels and situations . . . 648
  Troubleshooting installation or uninstallation . . . 650
    Troubleshooting a Lotus Sametime System Console installation . . . 650
    Troubleshooting a Lotus Sametime Gateway installation . . . 651
    Registering a Lotus Sametime server manually on AIX, Linux, Solaris, and Windows . . . 652
    Manually removing WebSphere Application Server . . . 655
    Manually removing DB2 data on AIX, Linux, Solaris, and Windows . . . 657
    Unregistering a Lotus Sametime server on AIX, Linux, Solaris, or Windows . . . 658
    Updating the Lotus Sametime System Console when server unregistration fails . . . 662
  Log file locations . . . 664
  Directory conventions . . . 667

Notices . . . 669
  Trademarks . . . 671
Chapter 1. Configuring
After setting up your initial IBM® Lotus® Sametime® environment, you may want
to make additional changes, such as creating clusters of servers and enabling SSL.
This section contains information about enlarging and securing your Lotus
Sametime environment.
Configuring a Lotus Sametime Community Server
This section describes how to configure an IBM Lotus Sametime Community
Server.
Do I need to restart the Sametime server?
Use this table to determine which changes in server settings require you to restart
the server.
Columns of the original table: Main function in Admin, Sub function, Details/Setting, Switches, Required restart, Comments. Each group below names the main function and sub function, then lists its settings with the "Required restart" value and any comment.

Logging Settings > General > General Switches
- Enable logging to a Domino® database (STLog.nsf). Required restart: No
- Remove history after (days). Required restart: Yes
- Enable logging to a text file. Required restart: No
- Path to log text file.
- Sametime Statistics: Write statistics to the log every 60 minutes. This includes Community Services logging of people and chats, and Meeting Services logging of meeting, duration, and participants. Required restart: Yes

Logging Settings > Community Server Events to Log. Required restart: Yes
- Successful logins
- Failed logins
- Community server events and activities

Logging Settings > Meeting Server Events to Log. Required restart: Yes
- Failed meeting authentications
- Meeting Client Connections
- Connections to other meeting servers in this community
- Meeting Events
- Meeting server events and activities

Logging Settings > Capacity Warnings > Sharing in Instant Meetings. Required restart: No
- Number of active screen sharing/whiteboard meetings exceeds
- Number of people in all screen sharing/whiteboard meetings exceeds
- Number of people in one active screen sharing/whiteboard meeting exceeds

Logging Settings > Capacity Warnings > Sharing in Scheduled Meetings. Required restart: No
- Number of active screen sharing/whiteboard meetings exceeds
- Number of people in all screen sharing/whiteboard meetings exceeds
- Number of people in one active screen sharing/whiteboard meeting exceeds

Directory > Domino/LDAP > User Registration Config.
- Allow people to register themselves in the Domino Directory. Required restart: No. Comment: It belongs to Domino feature.

Connectivity > HTTP Services
- (no individual settings listed)

Connectivity > Community services network. Required restart: Yes
- Address for server connections: Host name (if empty, service will bind to all host names on server); Port number
- Address for client connections: Host name (if empty, service will bind to all host names on server); Port number (default 1533)
- Address for HTTPS tunneled client connections: Host name (if empty, service will bind to all host names on server); Port number
- Enable the Meeting Room client to try HTTP tunneling to the Community Server after trying other options. Required restart: Yes
- Address for HTTP tunneled client connections: Host name (if empty, service will bind to all host names on server); Port number (default 8082 or 80). Required restart: Yes

Connectivity > Meeting Services network. Required restart: Yes
- Address for server connections: Host name (if empty, service will bind to all host names on server); Port number
- Address for client connections: Host name (if empty, service will bind to all host names on server); Port number (default 1503)
- Address for HTTPS tunneled client connections: Host name (if empty, service will bind to all host names on server); Port number (default 8081)
- Enable the Meeting Room client to try HTTP tunneling to the Community Server after trying other options. Required restart: Yes
- Address for HTTP tunneled client connections: Host name (if empty, service will bind to all host names on server); Port number (default 8081 or 80). Required restart: Yes

Connectivity > Broadcast Services Network
- Event server port (default 9092). Required restart: Yes
- Token server port (default 9094). Required restart: Yes

Connectivity > Interactive Audio/Video Network
- TCP tunneling address for client connections: Host name (if empty, service will bind to all host names on server); Port number (default 8084). Required restart: Yes
- Multimedia Processor (MMP) UDP port numbers start at: 49252; end at: 65535. Required restart: Yes
- Multimedia control address: Host name (if empty, service will bind to all host names on server); Port number (default 9093). Required restart: Yes

Connectivity > Reverse Proxy Support
- Enable Reverse Proxy Discovery on the client. Required restart: Yes
- Server Alias (this is what the Reverse Proxy is using to forward HTTP(S) messages to this server)

Connectivity > Connecting Meeting Servers. Required restart: Yes
- Comment: To allow meeting participants to attend a meeting on more than one server, you must create a connection record from each source server to each destination server. Once you do that, the destination servers are automatically included in a meeting when users schedule a meeting and click the appropriate check boxes on the Location tab.

Community services > General. Required restart: Yes
- Number of entries on each page in dialog boxes that show names in the Directory: (100)
- How often to poll for new names added to the Sametime Community Directory (minutes): (60)
- How often to poll for new servers added to the Sametime Community (minutes): (60)
- Maximum user and server connections to the Community server: (20000)
- Allow users to authenticate using either LTPA or Sametime Token (stauths.nsf and stautht.nsf). The server uses LTPA if this item is unchecked. (The item is unchecked by default.) Required restart: Yes

Community services > General
- Display the "Launch Sametime Connect for the desktop" link on the Sametime Home page. Required restart: No
- Allow users to transfer files to each other. Maximum file size allowed (KB): 1000. Required restart: Yes

Community services > Server Features
- Allow users to send announcements (unencrypted one-way messages). Required restart: No

Community services > Sametime Connect for Browsers
- Allow Connect users to save their user name, password, and proxy information (automatic login). Required restart: Yes
- Display the "Launch Sametime Connect for browsers" link on the Sametime Home page (stcenter.nsf). Required restart: No

Community services > Display Name Settings for Anonymous Access to Meetings or other Virtual Places. Required restart: Yes
- Anonymous users can participate in meetings or enter virtual places. Their name appears as user1, user2, and so on.
- Users of Sametime applications (databases such as stconf.nsf or websites) can specify a display name so that they do not appear online as "anonymous." This does not authenticate users. (Databases must also allow anonymous access in the ACL.)
- Default domain for anonymous users: Guest
- Default name: User

Community Services > Directory Searching and Browsing. Required restart: No
- Users cannot browse or search the Directory.
- Users can type names (resolve users and groups) to add them to an awareness list.
- Users can browse the directory (see a list of names) or type names (resolve users and groups).
- Users can browse the directory to see group content and names, or type names (resolve users and groups).

Meeting services > General. Required restart: No
- Automatically extend meetings beyond scheduled end time when there are still people in the meeting.
- After a meeting, add the names of participants to the meeting document.

Meeting services > When people start or schedule a meeting
- Allow people to choose the Screen Sharing tool in meetings. Required restart: No. Options: Participants can share their screen, view a shared screen, or control a shared screen if the moderator permits; Participants can share their screen if the moderator permits or view a shared screen; Participants can view the shared screen only.
- Force Screen Sharing to use 8-bit color. Required restart: No
- Allow people to choose the whiteboard tool in meetings. Required restart: No
- Allow people to save whiteboard annotations as attachments to the meeting.
- Allow people to enable the "Send Web Page" tool in meetings. Required restart: No
- Allow people to choose the Polling tool in meetings. Required restart: No
- Allow people to record meetings for later playback (scheduled meetings only). Required restart: No
- Save recorded meetings in the following location.
- Stop recording when this much disk space is left (MBytes) (an error is written to the log.): 300

Meeting services > When People Start an Instant Meeting or Schedule a Meeting
- Allow people to schedule Recorded Meeting Broadcast meetings. Required restart: No

Meeting services > Security
- Encrypt all Sametime meetings. Required restart: No
- Require all scheduled meetings to have a password. Required restart: No. Comment: It does work in Meeting center, but doesn't affect the instant meeting.

Meeting Services > Connection Speed Settings > When People Schedule a Meeting
- Meetings with modem users: Allow people to choose Sametime IP Audio (in addition to or instead of telephone) in meetings. Required restart: No
- Meetings with LAN/WAN users: Allow people to choose Sametime IP Video in meetings. Required restart: Yes

Meeting Services > Audio/video > Switching
- Time to wait for silence before switching to next speaker (100 - 500 ms): 250
- Time to wait before switching to next video (500 - 4000 ms): 2000

Meeting Services > Recorded Meeting Broadcast Meetings > Connection Speed Settings
- (no individual settings listed)

Meeting Services > Usage Limits and Denied Entry for Instant Meetings
- Set a maximum number of interactive audio connections for all instant meetings on this server: 100. Required restart: Yes
- Set a maximum number of interactive video connections for all instant meetings on this server. Each video connection requires an audio connection. Ensure that there are at least as many audio connections allowed as video: 100. Required restart: Yes

Meeting Services > Usage Limits and Denied Entry for Scheduled Meetings > Audio/Video
- Set a maximum number of interactive audio connections for all instant meetings on this server: 100. Required restart: Yes
- Set a maximum number of interactive video connections for all instant meetings on this server. Each video connection requires an audio connection. Ensure that there are at least as many audio connections allowed as video: 100. Required restart: Yes

Meeting Services > Usage Limits and Denied Entry for Recorded Broadcast Meetings
- (no individual settings listed)
Mapping the user ID to a unique directory attribute
If you frequently change user names, the IBM Lotus Sametime Community Server
lets you optionally map the Sametime user ID to an LDAP directory attribute that
is unlikely to change. This way, the need to run the name change utility in the
future is removed.
About this task
Sametime provides the RESOLVE mode, which lets you run the name conversion
utility one time only, in a way that eliminates the need for additional conversions
in the future. You change the Lotus Sametime LDAP configuration to map the
user ID to a directory attribute in the person entry that is not bound to change. In
such a deployment, where the user ID attribute is constant, a name change does
not trigger a user ID change, eliminating the need to run the tool. RESOLVE
mode migrates the VpUserInfo.nsf database from the old user ID to the new user
ID.
Preparing user IDs for RESOLVE mode
Before you use the name conversion utility in RESOLVE mode, you must make
LDAP directory changes (if needed) and IBM Lotus Sametime configuration
changes.
About this task
You change the Lotus Sametime LDAP configuration to map the user ID to a
directory attribute in the person entry that is not bound to change. This change
eliminates the need for running the Name Change tool. The Lotus Sametime
Community server stores contact and privacy lists in the vpuserinfo.nsf file.
Name Change RESOLVE mode migrates that database from the old user ID to the
new user ID.
Note: The old name will still appear in the contact list for users that have
previously added them.
If your LDAP directory does not contain an attribute with a unique value in the
person entry, then you must change the schema to provide one. See the
documentation provided by your specific LDAP vendor. See also RFC 4530
(http://www.ietf.org/rfc/rfc4530.txt), which introduces the entryUUID attribute
in LDAP directories. The value of this attribute is constant by definition, which
makes it suitable for the user ID mapping in Lotus Sametime. If your LDAP
directory does not support this attribute, consider extending the directory schema
to support it. If you prefer to use an existing attribute instead of modifying
the schema, choose an attribute that is not bound to change when users change
their name or relocate. Here are examples of stable attributes in some well-known
LDAP servers:
v IBM Directory Server: ibm-entryUUID
v Domino LDAP: dominounid
v Novell Directory Server (NDS): guid
v SunOne: nsuniqueid
v Active Directory: objectGUID
Unlike the ID name conversion mode, which expects a table of oldName and
newName entries as input, the RESOLVE mode does not expect any input from the
administrator. When the name conversion is run in this mode, it looks up each
user ID in the database against the directory, and replaces the old user ID with the
directory user ID. The tool accomplishes this by using the StResolve service to
look up each person. This requires the administrator to make the LDAP
configuration change to use the new user ID mapping before running the tool on
every Sametime server in the organization.
Creating a comma-separated value file for RESOLVE mode
A comma-separated value (CSV) file created in a text editor provides the name
conversion utility with the information for migrating the old user ID to a new user
ID that is a directory attribute that is not likely to change.
Procedure
1. Use a text editor to create a comma-separated file.
2. Since the RESOLVE mode does not require any additional information, the CSV
file is very simple. The content of the CSV file is a single line: RESOLVE.
Note: Create a CSV for only one type of change: RESOLVE. You cannot mix
name change types in the same CSV.
3. Name and save the file with an extension of .csv in a directory accessible by
the Sametime server.
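The RESOLVE-mode lookup described above (each old user ID resolved against the directory and replaced by the stable attribute value) and the one-change-type-per-CSV rule, as an added simulation that is not IBM's stnamechange utility: the directory entries, the vpuserinfo-style contact lists and the CSV text are constructed test data, and the function names (parse_csv, stable_id, resolve_old_id, migrate_resolve, id_survives_rename) are this example's own, not the product's. It goes a little beyond the text in one respect: Active Directory returns objectGUID as 16 raw bytes, so the example normalizes that value to its canonical string before using it as an ID, and it keeps (and reports) any old ID that no longer resolves rather than dropping it.

```python
"""Simulation of RESOLVE-mode user ID migration (added example, not IBM's
stnamechange utility). All directory entries, contact-list records and CSV
text below are constructed test data; the function names are this example's
own and do not exist in the product."""
import csv
import io
import uuid

# Constructed directory entries. The DN is name-based and changes on a rename;
# objectGUID is the stable attribute. Active Directory returns objectGUID as
# 16 raw bytes, so it is stored here the way a real search would return it.
DIRECTORY = [
    {"dn": "CN=Ann Smith,OU=Staff,DC=example,DC=com", "cn": "Ann Smith",
     "objectGUID": uuid.UUID("0f1e2d3c-4b5a-6978-8796-a5b4c3d2e1f0").bytes_le},
    {"dn": "CN=Bob Jones,OU=Staff,DC=example,DC=com", "cn": "Bob Jones",
     "objectGUID": uuid.UUID("11111111-2222-3333-4444-555555555555").bytes_le},
]

# Constructed contact lists keyed by the OLD (DN-based) user ID, standing in
# for vpuserinfo.nsf. Carol Lee no longer exists in the directory, so her old
# ID cannot be resolved and must survive the migration unchanged.
VPUSERINFO = {
    "CN=Ann Smith,OU=Staff,DC=example,DC=com": [
        "CN=Bob Jones,OU=Staff,DC=example,DC=com",
        "CN=Carol Lee,OU=Staff,DC=example,DC=com",
    ],
    "CN=Bob Jones,OU=Staff,DC=example,DC=com": [
        "CN=Ann Smith,OU=Staff,DC=example,DC=com",
    ],
}


def stable_id(entry, attr="objectGUID"):
    """Render the stable attribute as a canonical string so it can be stored
    and compared as a user ID. objectGUID's 16 bytes are mixed-endian, which
    is exactly the layout uuid.UUID(bytes_le=...) expects."""
    value = entry[attr]
    if isinstance(value, (bytes, bytearray)):
        return str(uuid.UUID(bytes_le=bytes(value)))
    return str(value)


def parse_csv(text):
    """Classify a name-change CSV: ("RESOLVE", None) for the single-line
    RESOLVE file, or ("MAP", [(oldName, newName), ...]) for a conversion
    table. Mixing the two types in one file is rejected, as the guide requires."""
    rows = [r for r in csv.reader(io.StringIO(text)) if any(c.strip() for c in r)]
    if not rows:
        raise ValueError("empty CSV")
    resolve_flags = [len(r) == 1 and r[0].strip().upper() == "RESOLVE" for r in rows]
    if all(resolve_flags):
        if len(rows) != 1:
            raise ValueError("a RESOLVE CSV must contain the single line RESOLVE")
        return "RESOLVE", None
    if any(resolve_flags):
        raise ValueError("cannot mix RESOLVE with oldName,newName rows")
    if any(len(r) != 2 for r in rows):
        raise ValueError("conversion rows must be oldName,newName")
    return "MAP", [(r[0].strip(), r[1].strip()) for r in rows]


def resolve_old_id(old_id, directory=DIRECTORY, attr="objectGUID"):
    """Stand-in for the StResolve lookup: find the person whose DN is the old
    user ID and return the attribute-based ID, or None if nobody matches."""
    for entry in directory:
        if entry["dn"].lower() == old_id.lower():
            return stable_id(entry, attr)
    return None


def migrate_resolve(vpuserinfo, directory=DIRECTORY, attr="objectGUID"):
    """Rewrite contact-list owners and members from old to new IDs.
    Returns (migrated_db, unresolved_old_ids); unresolved IDs are kept as they
    were, which is why a stale name can still show in someone's contact list."""
    unresolved = set()

    def convert(old_id):
        new_id = resolve_old_id(old_id, directory, attr)
        if new_id is None:
            unresolved.add(old_id)
            return old_id
        return new_id

    migrated = {convert(owner): [convert(c) for c in contacts]
                for owner, contacts in vpuserinfo.items()}
    return migrated, sorted(unresolved)


def id_survives_rename(entry, new_cn, attr="objectGUID"):
    """Why a stable attribute is chosen: after a rename the DN differs but the
    attribute-based user ID is unchanged, so no further name change is needed."""
    renamed = dict(entry, cn=new_cn, dn=entry["dn"].replace(entry["cn"], new_cn))
    return renamed["dn"] != entry["dn"] and stable_id(renamed, attr) == stable_id(entry, attr)


if __name__ == "__main__":
    mode, _ = parse_csv("RESOLVE\n")
    if mode == "RESOLVE":
        db, missing = migrate_resolve(VPUSERINFO)
        for owner, contacts in db.items():
            print(owner, "->", contacts)
        print("unresolved:", missing)
```

The list of unresolved IDs is the part worth keeping from a real run: every entry in it is a contact-list member that the directory no longer knows, and is exactly the stale name the Note above says will keep appearing in other users' contact lists.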
Creating a Name Change task
Create a name change task on the IBM Lotus Sametime Community server.
Before you begin
Before you create a name change task, create a comma-separated value (CSV) file
of the name changes in the Lotus Sametime Community Server directory.
About this task
A name change task is not actually a scheduled program; its timestamp merely
indicates when the task was created and not when it will be run. The list of tasks
is ignored until you run the stnamechange.cmd program, which then operates on all
of the tasks in the list, using the .CSV files specified in the Name Change page.
Follow the steps below to create a name change task.
Procedure
1. Log in to the Integrated Solutions Console.
2. Click Sametime System Console → Sametime Servers → Sametime Community
Servers.
3. In the Sametime Community Servers list, click the deployment name of the
server where you want to add a name change task. If you want to create a task
to run on multiple servers, then click the deployment name of any of the
servers on which you want to run the task.
4. Click the Name Change tab.
5. Click New.
Note: If you only want to edit a task, you can click the name of the scheduled
task to edit it.
6. Enter a name in the Name of Task field. The name is at your discretion. By
default, the name is the date the task is created.
7. Optional: Enter a description for the task.
8. Browse for the CSV file you want to use, and then click OK.
9. The name change task appears in the list of scheduled tasks.
All tasks listed here run when the stnamechange.cmd is run.
Results
After you have completed these steps on one Lotus Sametime Community server,
it is necessary to repeat this process on the other servers in a distributed environment.
When you are finished configuring the task, name changes are saved to the
stnamechange.nsf file. For a clustered environment, create this task on one server
per cluster. All other servers receive the changes through the cluster replication
process.
Lotus Domino picks up all valid name change tasks in the stnamechange.nsf file.
You choose the servers or cluster on which the name change task runs on a regular
basis using general scheduling tools. The application does not run by default; you
must run the task manually.
To delete a name change task, on the Name Change page, select the task, and then
click Delete. If any name changes are entered incorrectly, you can import a new
CSV file.
Running the name conversion utility in RESOLVE mode
Running the name conversion utility in RESOLVE mode updates user contact and
privacy lists with the new Sametime user ID.
Before you begin
The IBM Lotus Sametime Community Server must be running. Name change in
RESOLVE mode differs from running other name conversion modes, because in
RESOLVE mode, the Lotus Sametime Community server must be running, so that
the name change utility can access StResolve. IBM recommends running the name
conversion utility at off-peak hours.
Complete all the previous steps outlined in the parent topic, "Mapping the user ID
to a unique directory attribute."
v Create a CSV file with the RESOLVE mode indicated.
v Create a name change task.
v Prepare user IDs for RESOLVE mode. The LDAP directory contains a unique
and constant attribute in each person entry. The attribute needs to be added to
the directory schema if it does not exist, and needs to be populated with a
unique value in each person entry. The value needs to be set with a string that
will not change when the person's name changes.
About this task
Running the name conversion utility in RESOLVE mode migrates the old user ID
to a new user ID that is a directory attribute that is not likely to change. The tool
looks up every user ID in the database against the directory and replaces
the old user ID with the directory user ID. Name change in RESOLVE mode differs
from the other name conversion modes because in RESOLVE mode the
Lotus Sametime Community server must be running, so that the name change
utility can access StResolve.
Run the name change task on all the servers in the community. In a clustered
environment, run the task on only one server per cluster. The task runs once
on the selected server and is then replicated to the other servers in the cluster.
Procedure
1. Change your Lotus Sametime Community Server configuration to use a unique
user ID, so that you can run the name change utility in RESOLVE mode. This is
controlled in the LDAPServer document in the StConfig.nsf file. See “Change
your Lotus Sametime Community Server user ID” on page 21.
2. Gather diagnostic trace information during the task in case it is needed for
later verification. See “Gathering Sametime Community Server name change
utility diagnostic data” on page 619.
3. Stop the Lotus Sametime Proxy Server. See “Command reference for starting
and stopping servers” on page 405.
4. Follow these steps to run the name conversion utility in RESOLVE mode for
your operating system:
v “Running the name change utility in RESOLVE mode on Windows” on page 21
v “Running the name change utility in RESOLVE mode on UNIX” on page 25
v “Running the name change utility in RESOLVE mode on IBM i” on page 24
5. Disable diagnostic traces that you set in step 2.
6. Restart Lotus Sametime Community Server.
7. Restart all Lotus Sametime Community Servers in your deployment so they can
detect the modified name. If your deployment includes Lotus Sametime Unified
Telephony, restart all Telephony Application Servers as well. Restart the Lotus
Sametime Proxy server as needed.
Running the name change utility in RESOLVE mode on Windows:
Follow these steps to run the name conversion utility in RESOLVE mode on
Windows.
Procedure
1. Disable the Sametime Community Server multiplexer service and the Sametime
Polling service on all servers in the cluster.
Open the sametime_installation_directory/STCommLaunch.dep file in an editor
and comment out the following lines by putting a number sign (#) in front of
them:
#SERVERAPP ST Mux,ST Community,SOFT
#SERVERAPP ST Polling,ST Mux,SOFT
2. Restart the Lotus Sametime Community Server.
3. Open a command prompt, change to the Domino directory, and then type the
following command to run the name conversion utility:
stnamechange.cmd
4. Use the Sametime Administration Tool to change the Lotus Sametime
Community Server LDAP configuration. See “Change your Lotus Sametime
Community Server LDAP configuration” on page 22.
5. Enable the Sametime Community Server multiplexer and Sametime Polling
services.
Open the sametime_installation_directory/STCommLaunch.dep file in an editor
and remove the number sign # from the following lines:
SERVERAPP ST Mux,ST Community,SOFT
SERVERAPP ST Polling,ST Mux,SOFT
Change your Lotus Sametime Community Server user ID:
Configure the Lotus Sametime Community Server user ID to a directory attribute
that is not likely to change.
Procedure
1. Log in to the Integrated Solutions Console.
2. Click Sametime System Console → Sametime Servers → Sametime Community
Servers.
3. In the Sametime Community Servers list, click the deployment name of the
server with the connectivity information that you want to change.
4. Click the Community Services tab.
5. Under LDAP Attributes, enter the name of the field within the LDAP person
entries that contains the unique value used for logging in. This attribute is used
for determining the internal user ID field. This is the value you prepared in
“Preparing user IDs for RESOLVE mode”.
6. Click OK.
Related tasks
“Preparing user IDs for RESOLVE mode” on page 17
Before you use the name conversion utility in RESOLVE mode, you must make
LDAP directory changes (if needed) and IBM Lotus Sametime configuration
changes.
Change your Lotus Sametime Community Server LDAP configuration:
Change your IBM Lotus Sametime Community Server LDAP configuration to
match the new user ID attribute.
About this task
Use the Sametime Administration Tool to change the Lotus Sametime Community
Server LDAP configuration.
Procedure
1. Open a browser and navigate to the Lotus Sametime Community Server.
Type the following address:
http://host_name/servlet/auth/admin
where host_name is the fully qualified host name of the server; for example:
http://commsvr1.acme.com/servlet/auth/admin
2. Enter the administrator name and password specified during the Lotus
Sametime Community server installation.
3. On the Lotus Sametime home page, click Administer the Server.
4. Extend the Lotus Sametime Community Server LDAP authentication filter. Skip
this step if you are using a Novell LDAP configuration, and see “Creating a
customized class for your Lotus Sametime Community Server Novell LDAP
filters” on page 23.
a. Click LDAP directory → Authentication.
b. Append the unique Sametime user ID attribute to the authentication filter.
For example, if the old filter was:
(&(objectclass=organizationalPerson)(|(cn=%s)(givenname=%s)(sn=%s)))
and the Sametime user ID is ibm-entryUUID, the new authentication
filter is:
(&(objectclass=organizationalPerson)(|(cn=%s)(givenname=%s)(sn=%s)(ibm-entryUUID=%s)))
c. Click Update.
5. Extend the Lotus Sametime Community Server LDAP search filter to include
the new user ID. Skip this step if you are using a Novell LDAP configuration,
and see “Creating a customized class for your Lotus Sametime Community
Server Novell LDAP filters” on page 23.
a. Click LDAP directory → Searching.
b. Append the chosen Sametime user ID attribute to the Search filter for
resolving person names filter.
Note: Do not add an asterisk after the Sametime user ID attribute; the other
attributes keep their asterisks.
For example, if the old filter was:
(&(objectclass=organizationalPerson)(|(cn=%s*)(givenname=%s*)(sn=%s*)))
and the Sametime user ID is ibm-entryUUID, the new search filter is:
(&(objectclass=organizationalPerson)(|(cn=%s*)(givenname=%s*)(sn=%s*)(ibm-entryUUID=%s)))
c. Click Update.
6. Define the Lotus Sametime Community Server LDAP attribute used to
distinguish between two similar person names.
a. Click LDAP directory → Basics.
b. Set the Attribute used to distinguish between two similar person names to
DN or leave it empty.
c. Click Update.
Creating a customized class for your Lotus Sametime Community Server Novell LDAP
filters:
The person resolve and the authentication filters need to be customized Java filters.
About this task
The Java code should check whether the string passed by the Lotus Sametime
Connect client is an escaped binary value, that is, a string made up of a backslash
followed by two hexadecimal digits, repeated. Only in that case should the GUID
attribute be included in the filter returned by the Java code. Otherwise the Java
code should return a regular filter, which does not include the GUID attribute.
For additional information about customized Java filters, see “Creating custom
Java classes for searching the LDAP” on page 30.
public class CustomSearchUUID {
    public static String authenticationFilter(String name)
    {
        String filter = null;
        int index = 0;
        int length = name.length();
        // Walk over consecutive "\xx" pairs: a backslash followed by two hex digits
        while ( (index < length - 2) && (name.charAt(index) == '\\') )
        {
            if ( ( Character.digit(name.charAt(++index),16) == -1 ) ||
                 ( Character.digit(name.charAt(++index),16) == -1 ) )
            {
                break;
            }
            index++;
        }
        if (index == (length) )
        {
            // Reached the end of the string, so name is an escaped binary value.
            // Search for UUID only
            filter = "(&(objectclass=organizationalPerson)(guid=" + name + "))";
        }
        else
        {
            // name is a regular text string, use the regular filter
            // (the client-supplied string is placed in the filter as is)
            filter = "(&(objectclass=organizationalPerson)(|(cn=" + name + ")(givenname=" + name + ")"
                   + "(sn=" + name + ")(mail=" + name + ")))";
        }
        return filter;
    }

    public static String personResolveFilter(String name)
    {
        String filter = null;
        int index = 0;
        int length = name.length();
        // Same "\xx" walk as in authenticationFilter
        while ( (index < length - 2) && (name.charAt(index) == '\\') )
        {
            if ( ( Character.digit(name.charAt(++index),16) == -1 ) ||
                 ( Character.digit(name.charAt(++index),16) == -1 ) )
            {
                break;
            }
            index++;
        }
        if (index == (length) )
        {
            // Reached the end of the string, so name is an escaped binary value.
            // Search for UUID only
            filter = "(&(objectclass=organizationalPerson)(guid=" + name + "))";
        }
        else
        {
            // name is a regular text string, use the regular (prefix) filter;
            // the trailing "*" is the server-side wildcard for each attribute
            filter = "(&(objectclass=organizationalPerson)(|(cn=" + name + "*)(givenname=" + name + "*)"
                   + "(sn=" + name + "*)(mail=" + name + "*)))";
        }
        return filter;
    }
}
Running the name change utility in RESOLVE mode on IBM i:
Follow these steps to run the name conversion utility in RESOLVE mode on IBM i.
Procedure
1. Stop the IBM Lotus Sametime Community Server, but leave the Domino server
running by running TELL STADDIN2 QUIT from the Domino console.
2. Go to the OS/400® command line and edit the data-directory/
STCommLaunch.dep file and comment out the following lines by putting a number
sign (#) in front of them:
#SERVERAPP StMux,StCommunty,SOFT
#SERVERAPP StPolling,StCommunty,SOFT
3. Restart the Lotus Sametime Community Server by running LOAD STADDIN2
from the Domino console. This starts the server without running the Sametime
Community Server multiplexer service. Name change in RESOLVE mode differs
from the other name conversion modes because in RESOLVE mode
the Lotus Sametime Community server must be running, so that the name
change utility can access StResolve.
4. Go to the OS/400 command line, and enter the following command: "QSH"
This opens up a command line where the Name Change task is run.
5. Type the following commands:
cd <data directory>
stnamechange <data directory>
6. Use the Sametime Administration Tool to change the Lotus Sametime
Community Server LDAP configuration. See “Change your Lotus Sametime
Community Server LDAP configuration” on page 22
7. Stop the IBM Lotus Sametime Community Server, but leave the Domino server
running by running TELL STADDIN2 QUIT from the Domino console.
8. Go to the OS/400 command line and edit the data-directory/
STCommLaunch.dep file and remove the number sign (#) from the following lines:
SERVERAPP StMux,StCommunty,SOFT
SERVERAPP StPolling,StCommunty,SOFT
Running the name change utility in RESOLVE mode on UNIX:
Follow these steps to run the name conversion utility in RESOLVE mode on UNIX.
Procedure
1. Disable the Sametime Community Server multiplexer service on all servers in
the cluster.
a. Stop the IBM Lotus Sametime Community Server.
b. Open a shell and edit the data-directory/STCommLaunch.dep file and
comment out the following lines by putting a number sign (#) in front of them:
#SERVERAPP stmux_launcher.sh,stserver,SOFT
#SERVERAPP stpolling,stserver,SOFT
c. Restart the Lotus Sametime Community Server. This starts the server
without running the Sametime Community Server multiplexer service. Name
change in RESOLVE mode differs from the other name conversion
modes because in RESOLVE mode the Lotus Sametime Community
server must be running, so that the name change utility can access
StResolve.
2. Restart the Lotus Sametime Community Server.
3. Open a shell and change to the Domino data directory. Type the following
command:
./stnamechange.sh <domino_bin_directory> <domino_data_directory>
For example:
./stnamechange.sh /domino/opt/lotus/notes/80020/linux /domino/notesdata
4. Use the Sametime Administration Tool to change the Lotus Sametime
Community Server LDAP configuration. See “Change your Lotus Sametime
Community Server LDAP configuration” on page 22
5. Enable the Sametime Community Server multiplexer service on all the servers
in the cluster.
a. Stop the IBM Lotus Sametime Community Server.
b. Open a shell and edit the data-directory/stcommlaunch.dep file and
remove the number sign (#) from the following lines:
SERVERAPP stmux_launcher.sh,stserver,SOFT
SERVERAPP stpolling,stserver,SOFT
Turning off case sensitivity on the Lotus Sametime
Community Server
You must turn off case sensitivity on the IBM Lotus Sametime Community Server
to allow awareness in IBM Lotus iNotes® and WebSphere® applications.
Procedure
1. Open a text editor on the Lotus Sametime Community server.
2. Open the sametime.ini file located in the Lotus Sametime Community server
installation directory. The default directory is C:\program files\lotus\domino.
3. In the Config section, add AWARENESS_CASE_SENSITIVE=0.
Starting in Sametime 8.5, by default, the Lotus Sametime Community server is
not case-sensitive. This is the suggested configuration. This setting controls
whether a user ID can be added to the contact list in a different case from
the case used in the directory. When you add this setting and give it a
value of 0, the Sametime server is no longer case-sensitive.
4. You must restart the Lotus Sametime Community server for the change to take
effect.
What to do next
IBM recommends that you also turn off case sensitivity in the Lotus Sametime
Connect client.
To learn more about this setting and others, see TechNote 1415058:
http://www.ibm.com/support/docview.wss?uid=swg21415058.
Related tasks
“Turning off case sensitivity in the Lotus Sametime Connect client” on page 137
If you turn off case sensitivity in the IBM Lotus Sametime Community server, IBM
recommends that you also turn off case sensitivity in the Lotus Sametime client.
Managing client types and logins
You can manage the manner and order of client logins to IBM Lotus Sametime.
Configuring allowed client types
You can define the types of clients that can connect to the IBM Lotus Sametime
Community Server.
About this task
Follow these steps to specify the list of client types that are allowed to connect to
the Lotus Sametime Community Server.
Procedure
1. Open a text editor on the Lotus Sametime Community Server.
2. Open the sametime.ini file located in the Lotus Sametime Community Server
installation directory. For example, the default directory in Windows is
C:\program files\lotus\domino.
3. In the Config section, enter the client type IDs for the allowed client types in
the VPS_ALLOWED_LOGIN_TYPES flag. If the flag is not specified or its
value is empty, then all client types are allowed to connect to the server. The
value is a comma-separated list.
Note: Once the VPS_ALLOWED_LOGIN_TYPES flag is used, you must
update the values whenever you add new client types; otherwise the new client
type cannot log in.
[Config]
VPS_ALLOWED_LOGIN_TYPES=130B,130A
For a list of client types, see Technote 1114318 on the IBM Lotus Support
website at http://www.ibm.com/support/docview.wss?uid=swg21114318. For
information on adding new client names to match application types and handle
unknown type entries that are displayed in Community Logins, see
http://www.ibm.com/support/docview.wss?uid=swg21291894.
4. Save the sametime.ini file.
Configuring the single login type
The single login type mode means that only one login per user is allowed. When
a client attempts to log in to the IBM Lotus Sametime Community Server, the
server checks to see if there are any existing logins of the same user, and
disconnects them. Any client on the exclusion list is not disconnected, which is
useful for users who want to run multiple clients simultaneously.
About this task
To configure the single login function and exclude certain client types from
qualifying as logins, edit the sametime.ini file.
Procedure
1. Open a text editor on the Lotus Sametime Community Server.
2. Open the sametime.ini file located in the Lotus Sametime Community Server
installation directory. For example, the default directory in Windows is
C:\program files\lotus\domino.
3. In the Config section, set the following flag to activate single client login mode:
VP_ONLY_SINGLE_LOGIN_ALLOWED=1
If the flag is set to 1, then the server works in single-login-allowed mode.
When a new client login request is received, all the previous logins are
disconnected. Only one connection per client type per machine is allowed at one
time (the limit applies to client types, not users).
4. Specify which client types are not considered logins when the server checks
whether to accept or disconnect clients. Separate the client types with commas.
VPS_EXCLUDED_LOGIN_TYPES=clienttype1, clienttype2
For a list of client types, see Technote 1114318 on the IBM Lotus Support
website at http://www.ibm.com/support/docview.wss?uid=swg21114318.
In the following configuration, even though single client login mode is
activated, logins originating from C++ clients and Unified instant messaging
clients are not disconnected if the user has also logged in from the Sametime
client:
VPS_EXCLUDED_LOGIN_TYPES=1002, 1304
5. Save the sametime.ini file.
Configuring the preferred login list
If a user is already connected to the IBM Lotus Sametime Community Server
through several different clients, and another user attempts to initiate an instant
messaging session with the logged-in user, Sametime uses a default login order to
determine which client type should receive the instant messaging session. A
preferred login list allows you to override the default order.
About this task
The Lotus Sametime Community Server depends upon the default list of client
types, each of which has a predefined weight. Login order for each user depends
upon the login-type weight. The first login type, having minimal weight, is the one
provided for the incoming instant messaging session.
Default order of login types on Sametime:
1. Lotus Sametime Connect clients
2. Lotus Sametime Mobile clients
3. Sametime Proxy clients
Procedure
1. Open a text editor on the Lotus Sametime Community Server.
2. Open the sametime.ini file located in the Sametime server installation
directory (the default directory in Windows is C:\program files\lotus\domino).
3. In the [Config] section, specify the order of the login types that overrides the
default order.
VPS_PREFERRED_LOGIN_TYPES=login_type1,login_type2
For example:
VPS_PREFERRED_LOGIN_TYPES=130C,130B,130A,1308,1306,1304,1436,1435,1434,1433,1432,1431,1430,14A3,14A2,14A1,14A0
For a list of login types, see TechNote 1114318 on the IBM Lotus Support
website at http://www.ibm.com/support/docview.wss?uid=swg21114318.
4. Save the sametime.ini file.
Configuring a mixed-license environment with clients that
connect to Sametime Entry servers
To comply with licensing limitations involving Sametime Entry servers, take steps
to configure the mixed environment for two types of clients – those who are
licensed to use instant messaging and meetings and those who are licensed only
for instant messaging.
Assigning users to the new Sametime server (setting the home
Sametime server)
This topic discusses how the IBM Lotus Sametime administrator can assign users
to a new Sametime server, which designates that server as the user's "home" server.
To assign a user to the new Sametime server, enter the Sametime server name in
the Sametime server field in the Real-Time Collaboration section of a user's
Person document in the Domino Directory. This field identifies the "home"
Sametime server of each user.
Note: Only a portion of the users in your environment should be assigned to the
new Sametime server. For load balancing purposes, you should assign an equal
number of users to each Sametime server in your environment. The network
proximity of the user to the server is also a consideration when assigning users to
a home Sametime server. Generally, you should assign the user to the closest
Sametime server on the network.
To specify a home Sametime server, open the Domino Directory (Address Book),
go to the Real-Time Collaboration section of each user's Person document, and
enter the name of a Sametime server in the Sametime server field. If necessary,
you can create a simple agent to automate the process of populating the Sametime
server field in each user's Person document with the name of a Sametime server.
When entering the name of the Sametime server in the Sametime server field on
the Person document, you can enter the name of the Sametime server in the
Domino hierarchical name format (for example sametime/west/example). The
Sametime server field automatically converts the name to the full canonical name
format. For example, if you enter sametime/west/example in the "Sametime server"
field, the server name is stored as cn=sametime/ou=west/o=example unless, for
example, the name is populated by an agent. It is advisable to enter the server
name using the full hierarchical name format.
Community services reads the server name from the Servers view ($Servers) of the
Domino Directory. The name entered in the Sametime server field on the Person
document must match the name of the Sametime server as it appears in the
Servers view of the Domino Directory. If you are using an agent to populate the
home Sametime server field, ensure that the agent specifies the full canonical
name of the Sametime server.
Note also that a Sametime Connect client's Sametime Connectivity settings should
specify the same Sametime server as the Sametime server field on that user's
Person document. In the Sametime Connect client's Sametime Connectivity
settings, the server name must be specified using the DNS name or IP address of
the Sametime server (for example, sametime.example.com or 111.111.111.111).
Related concepts
“Advantages of using multiple Sametime servers” on page 57
When multiple Sametime servers are installed, you can synchronize the Sametime
servers to operate as a single Sametime community. You can also specify different
home Sametime servers for members of the Sametime community.
“Integrating a Sametime server into an existing Sametime community” on page 57
This topic provides an overview of the tasks involved in integrating a new IBM
Lotus Sametime server into an existing Sametime community.
Disabling or enabling meetings on an IBM i Sametime Standard
server
Disable meetings on any IBM i Sametime Standard server that you plan to use as a
Sametime Entry server.
About this task
On IBM i, you have some choices about how to configure Sametime Entry home
servers.
v When you install the Lotus Sametime Entry offering (only *BASE option of
5724J23), any servers you configure are Sametime Entry servers and meetings are
disabled automatically.
v When you install the Lotus Sametime Standard offering (both *BASE and Option
1 of 5724J23), the servers are Lotus Sametime Standard Community servers by
default, but you can elect to make some of them Entry servers by running a
command that disables meetings. For any server that will be assigned to
Sametime Entry users, you must disable meetings on that server to create the
mixed-license environment.
When you upgrade, meetings are re-enabled on all Sametime servers and you
must disable meetings again on any servers that are assigned to Sametime Entry
users.
Follow these steps to use the CHGLSTDOM command to disable meetings on a
particular server.
Procedure
1. On any IBM i command line, type the following and press F4:
CHGLSTDOM
2. On the Change Sametime on Domino display, set Web Conferencing to *NO
and press Enter.
What to do next
If you decide to enable Web Conferencing on the server later, run the
CHGLSTDOM command again, specifying *YES for Web Conferencing.
Creating meeting user groups in a mixed-license environment
Add groups for users who have Sametime Standard or Sametime Advanced home
servers and therefore are entitled to access meeting features. Users who are not
members of these groups are prevented from using meetings.
Before you begin
Plan how many groups you need for your organization. Make sure that you have
Editor access or Author access with the GroupCreator role in the IBM Lotus
Domino Directory.
About this task
Follow these steps for each group you want to create.
Procedure
1. From the Domino Administrator or Web Administrator, click the People &
Groups tab.
2. Select Domino Directories, and then select Groups → Add Group.
3. On the Basics tab, enter a name for the group in the Group name field (for
example, Meeting Creator Group 1 or Meeting Attender Group 1).
4. Select a Group type.
5. List the members of the group in the Members field. Make sure to enter a
name exactly as it is entered in the top line of the User name field of the user's
Person document.
6. Click the Administration tab.
7. Enter the names of the group owners in the Owners field. Generally, the group
owner is the administrator creating the group.
8. Click Save and Close.
Creating custom Java classes for searching the LDAP
Create custom Java classes that provide greater control over how the Sametime
Community server conducts name searches of an LDAP directory and how results
are formatted.
About this task
Creating a custom Java class can be especially effective with complex LDAP
directory schemas. The Java code that you write must be compatible with the Java
Run-Time Environment (JRE 1.5.0). In addition to the following topics, the
Sametime wiki contains an article on writing Java classes that includes sample
search filters.
Example: Writing a Java class to filter searches for people and
groups
If a single search filter is not adequate to resolve user or group name searches, you
can write a Java class containing a method that specifies exactly how directory
searches are conducted. The class can invoke different LDAP search filters
depending on search criteria entered by users.
About this task
The “Search filter for resolving person names” and “Search filter for resolving
group names” settings in the LDAP directory settings of the Sametime
Administration Tool define the LDAP directory search filters responsible for
selecting user and group names from the LDAP directory.
Note: You do not have to write Java classes to control the search behavior for both
users and groups. You can use a Java class to control the search behavior for users
while using a single LDAP search filter to control the search behavior for groups,
or vice versa.
The specific source code that you write to support customized LDAP searches is
entirely dependent on your environment. This section provides a code sample to
help you understand how to write the Java class appropriate for your
environment.
Example
The following example invokes different LDAP directory search filters based on the
text string that is entered into the Sametime user interface by a user. The search
filters invoked by the method are dependent on the directory schema and the
search behavior needed for the environment. Assume that three different users
want to add the user Victor Lazlow to their Sametime Connect buddy lists. Each of
the three users searches for Victor Lazlow in a different way. The logic of the Java
class dictates the results of these three user searches:
v User 1
Input: User 1 enters "Victor L*" into the Sametime client user interface to add
Victor Lazlow to the buddy list.
Results: This search attempt returns an error because the Java class is
programmed to return an error when the user enters a text string that includes
an asterisk.
v User 2
Input: User 2 enters "[email protected]" into the Sametime client
interface.
Results: This search attempt succeeds and returns the value
"[email protected]" (Victor Lazlow's email address) from the LDAP
directory. The search attempt succeeds in this way because the Java class is
programmed to return an LDAP search filter that can resolve an LDAP directory
search to a user's email address. The Java class returns this email address search
filter if the search text string entered by the end user includes the "at" character
(@).
v User 3
Input: User 3 enters "Victor L" into the Sametime client interface. This search
attempt succeeds and returns the common name (cn) directory attribute of
"Victor Lazlow."
Results: The search attempt succeeds in this way because the Java class is
programmed to return an LDAP search filter that can resolve an LDAP directory
search to a user's common name (cn). The Java class returns this common name
search filter if the search text string entered by the end user does not include
either an asterisk or "at" (@) character.
Sample code
The code sample below shows the Java source code that produces the search
behavior described above. This code creates a Java class named
"StLdapCustomized" that includes the "peopleResolveFilter" method. The if
statements in the peopleResolveFilter method examine the text string entered by
the user in the Sametime client user interface and return the appropriate LDAP
search filter based on this text string. The comments in the source code explain the
purpose of each if statement.
public class StLdapCustomized
{
    /**
     * Generates a search filter for finding a user, given the user's name.
     *
     * @param name The user's name as provided by the Sametime client.
     * @return The search filter, or null if the name is invalid.
     */
    public static String peopleResolveFilter (String name) {
        // prevent users from adding their own wildcards
        if (name.indexOf('*') != -1) return null;
        // if name looks like email, do not search with wildcards
        if (name.indexOf('@') != -1)
            return "(&(objectclass=person)(mail=" + name + "))";
        // otherwise, search as CN with wildcard
        return "(&(objectclass=person)(cn=" + name + "*))";
    }
}
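The two samples above (the Novell escaped-binary check in CustomSearchUUID and the wildcard, e-mail and cn cases in StLdapCustomized) place the client-supplied string into the filter unchanged. The following class is an added example, not code from the guide, that combines both sets of cases in one person-resolve method and escapes the user's text as RFC 4515 requires, so that parentheses, asterisks or backslashes typed by a user cannot alter the filter's structure; the class name, the sample inputs and the attribute names guid and mail are assumptions taken over from the samples.

```java
import java.util.regex.Pattern;

/**
 * Hardened person-resolve filter (example code, not from the guide).
 * Compatible with Java 1.5 as required by the Sametime Community Server.
 */
public class StLdapCustomizedEscaped {

    /** One or more "\xx" pairs: the escaped binary form the Novell sample detects. */
    private static final Pattern ESCAPED_BINARY =
            Pattern.compile("(\\\\[0-9A-Fa-f]{2})+");

    /**
     * Escapes a filter assertion value as required by RFC 4515, so that
     * "(", ")", "*", "\" and NUL in user input are matched literally
     * instead of being read as filter syntax.
     */
    public static String escapeFilterValue(String value) {
        StringBuilder sb = new StringBuilder(value.length());
        for (int i = 0; i < value.length(); i++) {
            char c = value.charAt(i);
            switch (c) {
                case '\\': sb.append("\\5c"); break;
                case '*':  sb.append("\\2a"); break;
                case '(':  sb.append("\\28"); break;
                case ')':  sb.append("\\29"); break;
                case '\0': sb.append("\\00"); break;
                default:   sb.append(c);
            }
        }
        return sb.toString();
    }

    /**
     * Returns the LDAP filter for the text typed in the Sametime client,
     * or null when the input is rejected.
     */
    public static String peopleResolveFilter(String name) {
        if (name == null || name.length() == 0) {
            return null;
        }
        // Escaped binary value such as "\ab\cd": it is already in filter
        // syntax, so it is validated against the strict pattern and inserted
        // as is. Escaping it would turn each "\" into "\5c" and break the
        // GUID comparison.
        if (ESCAPED_BINARY.matcher(name).matches()) {
            return "(&(objectclass=organizationalPerson)(guid=" + name + "))";
        }
        // As in the guide's sample, users may not supply their own wildcards.
        if (name.indexOf('*') != -1) {
            return null;
        }
        String safe = escapeFilterValue(name);
        if (name.indexOf('@') != -1) {
            // Looks like an e-mail address: exact match on mail, no wildcard.
            return "(&(objectclass=person)(mail=" + safe + "))";
        }
        // Otherwise a prefix match on cn; the only wildcard is the one the
        // server appends here, never one taken from the user's text.
        return "(&(objectclass=person)(cn=" + safe + "*))";
    }

    // Constructed sample inputs covering each branch
    public static void main(String[] args) {
        String[] samples = {
            "Victor L",              // prefix search on cn
            "vlazlow@example.com",   // e-mail search on mail
            "Victor L*",             // rejected: user-supplied wildcard
            "\\ab\\cd\\ef",          // escaped binary value: GUID search
            "Lazlow (Victor)"        // parentheses are escaped, not parsed
        };
        for (String s : samples) {
            System.out.println(s + " -> " + peopleResolveFilter(s));
        }
    }
}
```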
What to do next
After writing your Java class, complete the tasks in this section to integrate the
class into the Lotus Sametime Community server.
Example: Writing a Java class to format names returned in a
search
To return a user name in a format that is not available in an LDAP directory entry
attribute, you can write a Java class that manipulates existing information in the
LDAP directory to produce the user name in the desired format.
About this task
In most environments, the value of the “The attribute of the person entry that
defines the user's name” setting can specify a common LDAP directory attribute,
such as cn (common name) or mail (email address). When configured in this way,
the search returns the value assigned to a user's cn or mail directory attribute and
displays this value in the Sametime client user interface.
To return names in a format different from the LDAP directory attributes, create a
custom Java class. For example, you might create a Java class that does the
following:
v Combines the values of two LDAP directory attributes to produce the user name
in a desired format.
v Edits the information in a single LDAP directory attribute to produce the user
name in a format that is different than the value specified by the attribute.
Example
The sample code below shows how to combine the values of the sn and
givenName attributes to return a user name with the last name shown first,
assuming the following requirements:
v LDAP searches must return a user name in the format LastName, FirstName (for
example: Smith, John)
v None of the LDAP directory attributes specify the user name in the LastName,
FirstName format.
v The LDAP directory attribute sn specifies each user's last name.
v The LDAP directory attribute givenName specifies each user's first name.
Sample code
This example takes values from the sn and givenName directory attributes and
combines these values into a single display name in the format of LastName,
FirstName.
public class StLdapCustomizedAttributes
{
    // Combine the sn and givenName attribute values as "LastName, FirstName"
    public static String displayName (String givenName, String sn)
    {
        String result = sn + ", " + givenName;
        return result;
    }
}
What to do next
After writing your Java class, complete the tasks in this section to integrate it into
the Lotus Sametime Community server.
Adding the new class to the Sametime Community Server
Add a new Java class to the IBM Lotus Sametime Community server by compiling
the source code and then copying the class to its new location.
About this task
Follow these steps to add the class to the Sametime Community Server.
Note:
When you use this feature on IBM AIX®, Linux, or Solaris, you must compile your
class using Java 1.5 or later. This requires you to use IBM Lotus Domino 8.0 or
later because earlier versions do not include the right version of Java.
Procedure
1. Compile the Java source code file to produce the Java class file.
2. Copy the compiled class file (StLdapCustomized.class) to the "java"
subdirectory of the Sametime server installation directory.
The default path for the class file is: c:\Lotus\Domino\java
Adding paths for the new class to the sametime.ini file:
Add the path for your new custom Java class to the sametime.ini file so that the
IBM Lotus Sametime Community Server can locate the new class.
About this task
Edit the sametime.ini file on the Lotus Sametime Community Server and add the
paths for the new custom class.
Procedure
1. Use a text editor to open the sametime.ini file, which is stored in the Domino
installation directory.
In Microsoft Windows, the default location for this file is: C:\Lotus\Domino
2. Add or modify the following statements to the [Config] section of the file:
Make sure your file contains all three statements when you finish:
ST_JAVA_CLASS_PATH=C:\Lotus\Domino\StConfig.jar;C:\Lotus\Domino\StConfigXml.jar;C:\Lotus\Domino\xerces.jar;custom_class_directory
ST_JAVA_JVM_PATH=java_jvm_install_path
ST_JAVA_CUSTOM_PATH=custom_class_directory
where:
v java_jvm_install_path indicates the path where the Java JVM is installed
(the default path on Windows is C:\Lotus\Domino\ibm-jre\jre\bin\classic\jvm.dll;
on Solaris use this path: ibm-jre/lib/sparc/server/libjvm.so).
Make sure to use the JVM installed under the ibm-jre folder and not the one
under the jvm folder.
v custom_class_directory indicates the path to the new custom Java class. Since
the jar file is loaded by both C++ and Java-based components, the value
must be provided in two ways, with the double backslash (\\) signs, and
with single backslash (\) signs. The default path on Windows is
C:\Lotus\Domino\java;C:\\Lotus\\Domino\\java.
3. (AIX only) Add this statement to the same section of the file for AIX:
ST_JAVA_CUSTOM_JVM_PATH=java_jvm_install_path
where java_jvm_install_path is domino binaries folder/ibm-jre/jre/bin/
classic/libjvm.so.
Make sure to use the JVM which is installed under the ibm-jre folder and not
the one under the jvm folder.
4. Save and close the file.
Adding the custom Java class name and method to the Lotus Sametime LDAP
settings:
Use the IBM Lotus Sametime Administration Tool to add the class name and
method of your new custom Java class to the LDAP settings used by the Lotus
Sametime Community Server.
About this task
Use the Sametime Administration Tool to add the new custom Java class to the
LDAP directory settings.
Procedure
1. Log on to the Lotus Sametime Community Server as the Sametime
administrator.
2. Open the Sametime Administration Tool by clicking Administer the Server.
3. Click LDAP Directory → Basics.
4. In the Search settings for server list, select the LDAP server that contains the
LDAP directory you are modifying with your custom Java class.
5. If you are adding a custom Java class that defines a search filter, do the
following:
a. In the Search filter for resolving person names settings, enter the class
name and method name for a Person filter, using this format:
Classname.methodname()
Following the earlier code example for a Person filter, you would enter
StLdapCustomized.peopleResolveFilter() for the new class.
b. In the Search filter for resolving group names settings, enter the class
name and method name for a Group filter, using this format:
Classname.methodname()
For example, you might have named your class like this:
StLdapCustomized.groupsResolveFilter().
6. If you are adding a custom Java class that formats search results, locate The
attribute of the person entry that defines the user's name settings, and enter
the class name and method name, using this format: Classname.methodname()
Following the earlier code example for formatting search results, you would
enter StLdapCustomizedAttributes.displayName(givenName, sn) for the new
class.
7. If you are adding a custom Java class that defines an authentication, policy or
business card filter, do the following:
In the Search filter to use when resolving a user name to a distinguished
name settings, enter the class name and method name for this filter, using this
format: Classname.methodname(). Following the earlier code example for this
filter, you would enter StLdapCustomized.authenticationFilter() for the new
class.
8. If you are adding a custom Java class that defines a Policy filter, do the
following:
In the GroupMembership settings, enter the class name and method name for
a group membership filter, using this format: Classname.methodname()
Following the earlier code example for this filter, you would enter
StLdapCustomized.groupMembershipFilter() for the new class.
9. After you have added all of your custom Java classes, click Update.
10. Restart the Lotus Sametime Community Server for the changes to take effect.
Related tasks
“Creating a customized class for your Lotus Sametime Community Server Novell
LDAP filters” on page 23
The person resolve and the authentication filters need to be customized Java filters.
Ports used by the Sametime Community Server
IBM Lotus Sametime uses a number of ports on the server. This topic lists the
default ports and their uses.
You can use the Sametime Administration Tool to configure the ports on which the
Sametime services listen for connections from clients.
The port settings for all services can be accessed from the Configuration →
Connectivity → Networks and Ports options of the Sametime Administration Tool.
HTTP Services, Domino Services, LDAP Services, and Sametime intraserver ports
The following ports are used by the Sametime HTTP Services, IBM Lotus Domino
Application Services, and LDAP Services.
Default Port / Purpose

Port 80
If the administrator allows HTTP tunneling on port 80 during the Sametime installation, the Community Services multiplexer on the Sametime Community Server listens for HTTP connections from web browsers, Sametime Connect clients, Sametime Meeting Room clients, and Sametime Recorded Meeting clients on port 80.
If the administrator does not allow HTTP tunneling on port 80 during the Sametime installation, the Domino HTTP server listens for HTTP connections on this port.

Alternate HTTP port (8088)
If the administrator allows HTTP tunneling on port 80 during the Sametime installation (or afterward), the Domino HTTP server on which Sametime is installed must listen for HTTP connections on a port other than port 80. The Sametime installation changes the Domino HTTP port from port 80 to port 8088 if the administrator allows HTTP tunneling on port 80 during a Sametime Community Server installation.
Note: If the administrator allows HTTP tunneling on port 80 during the Sametime installation, web browsers make HTTP connections to the Community Services multiplexer on port 80, and the Community Services multiplexer makes an intraserver connection to the Sametime HTTP server on port 8088 on behalf of the web browser. This configuration enables the Sametime Community Server to support HTTP tunneling on port 80 by default following the server installation.

Port 389
If you configure the Sametime Community Server to connect to an LDAP server, the Sametime Community Server connects to the LDAP server on this port.

Port 443
The Domino HTTP server listens for HTTPS connections on this port by default.
This port is used only if you have set up the Domino HTTP server to use Secure Sockets Layer (SSL) for web browser connections. To configure the Sametime HTTP server to use SSL for web browser connections, see About SSL and Sametime.

Port 1352
The Domino server on which Sametime is installed listens for connections from Notes® clients and Domino servers on this port.

Port 9092
The Event Server port on the Sametime Community Server is used for intraserver connections between Sametime components. Make sure that this port is not used by other applications on the server.

Port 9094
The Token Server port on the Sametime Community Server is used for intraserver connections between Sametime components. If this port is used by multiple applications, refer to the topic “Token server port” on page 41 for a discussion on resolving access to this port.
Community Services ports
The following ports are used by the Sametime Community Services. Most of these
ports are configurable.
Default Port / Purpose

Port 1516
Community Services listens for direct TCP/IP connections from the Community Services of other Sametime Community Servers on this port. If you have installed multiple Sametime Community servers, this port must be open for presence, chat, and other Community Services data to pass between the servers.
The communications that occur on port 1516 also enable one Sametime Community Server to start a meeting on another server (or "invite" the other server to the meeting).

Port 1533
The Community Services listen for direct TCP/IP connections and HTTP-tunneled connections from the Community Services clients (such as Sametime Connect and Sametime Meeting Room clients) on this port.
Note: The term "direct" TCP/IP connection means that the Sametime client uses a unique Sametime protocol over TCP/IP to establish a connection with the Community Services.
The Community Services also listen for HTTPS connections from the Community Services clients on this port by default. The Community Services clients attempt HTTPS connections when accessing the Sametime Community Server through an HTTPS proxy server. If a Sametime client connects to the Sametime Community Server using HTTPS, the HTTPS connection method is used, but the data passed on this connection is not encrypted.
If the administrator does not allow HTTP tunneling on port 80 during the Sametime installation, the Community Services clients attempt HTTP-tunneled connections to the Community Services on port 1533 by default.

Port 80
If the administrator allows HTTP tunneling on port 80 during the Sametime installation, the Community Services clients can make HTTP-tunneled connections to the Community Services multiplexer on port 80.
Note: When HTTP tunneling on port 80 is allowed during the Sametime installation, the Community Services multiplexer listens for HTTP-tunneled connections on both port 80 and port 1533. The Community Services multiplexer simultaneously listens for direct TCP/IP connections on port 1533.

Port 8082
When HTTP tunneling support is enabled, the Community Services clients can make HTTP-tunneled connections to the Community Services multiplexer on port 8082 by default. Community Services clients can make HTTP-tunneled connections on both ports 80 and 8082 by default.
Port 8082 ensures backward compatibility with previous Sametime releases. In previous releases, Sametime clients made HTTP-tunneled connections to the Community Services only on port 8082. If a Sametime Connect client from a previous Sametime release attempts an HTTP-tunneled connection to a Sametime Community Server, the client might attempt this connection on port 8082.
Changing the HTTP port of a Domino HTTP server
IBM Lotus Sametime installs on an IBM Lotus Domino server and uses the HTTP
server provided with Domino.
About this task
During a Sametime installation, the administrator can allow HTTP tunneling on
port 80. To support the HTTP tunneling on port 80 functionality, the Community
Services multiplexer on the server listens for HTTP connections from clients
(including web browsers) on port 80. A web browser connects to the Community
Services multiplexer on port 80, and the Community Services multiplexer makes an
intraserver connection to the Domino HTTP server on behalf of the web browser.
If the administrator allows HTTP tunneling on port 80 during the Sametime
installation, the Domino HTTP server must listen for HTTP connections on a port
other than port 80. In this scenario, the Sametime server installation
programmatically changes the HTTP port of the Domino HTTP server to port 8088
during the Sametime installation process. It is not necessary to manually change
the setting.
If the administrator does not allow HTTP tunneling on port 80 during the
Sametime installation, the Domino HTTP server listens for HTTP connections on
port 80 by default.
On some platforms, you can configure Sametime to operate using a Microsoft IIS
HTTP server or IBM WebSphere HTTP server. For information on setting up
Sametime to use a different HTTP Web server, see "Sametime Server Installation."
Follow these instructions if you need to change the HTTP port of the Domino
HTTP server:
Procedure
1. Open the Sametime Administration Tool.
2. Select Configuration → Connectivity → Networks and Ports.
3. Select Configure HTTP Services on a web page in its own window.
4. Select Ports.
5. Select Internet Ports.
If the Domino server is set up for HTTP connections from web browsers, you
can change the TCP/IP port number setting, located under the Web
(HTTP/HTTPS) column of the settings. To change the port used by the HTTP
server, change the port associated with the TCP/IP port number field. (For
example, if you are enabling HTTP tunneling on port 80 on a Sametime server
that includes a single IP address, you may want to change the HTTP port
from port 80 to 8088.)
6. Select Internet Protocols.
7. Select Domino Web Engine.
8. Under the Generating References to this server section, make the following
changes:
If the HTTP server uses HTTP for web browser connections:
v In the Protocol setting, select http.
v In the Port number field, enter the same port entered in the TCP/IP port
number setting in Step 5.
9. Click Save and Close to save the Server document.
10. Change the port number in the stconvservices.properties file to match, as the
HTTP port is pulled from this setting.
11. Restart the Domino server for the change to take effect.
Event server port
The "Event server" port (default 9092) is used for intraserver connections between
components of the IBM Lotus Sametime server.
Generally, it is only necessary to change this port if you have installed multiple
Sametime servers on a single server machine or if another application on the server
uses port 9092.
Note: If you run Sametime on an IBM i, Linux, Sun Solaris, or IBM AIX machine,
you can install multiple Sametime servers on a single machine, within the same
logical partition. Each Sametime server instance runs on a separate partitioned IBM
Lotus Domino server. If you run Sametime on Microsoft Windows, you can only
install one server on each Windows machine.
If multiple Sametime servers are running on the same machine, you must ensure
that each Sametime server specifies a different port as the "Event server" port. For
example, if Sametime server 1 and Sametime server 2 are running in separate
partitions of an IBM i machine, you can specify port 9092 as the "Event server"
port for Sametime server 1 and port 9095 as the "Event server" port for Sametime
server 2. Sametime for IBM i provides an option to specify the "Event server" port
at the time you configure your Sametime server.
Assigning IP addresses to multiple servers installed on a single
computer
If you install multiple IBM Lotus Sametime servers on a single computer, you must
assign a distinct IP address to each server.
If you are operating Sametime on an IBM i, IBM AIX, Linux, or Sun Solaris server,
you can install multiple Sametime servers on a single computer, within the same
logical partition. In this scenario, each Sametime server instance runs on a separate
partitioned IBM Lotus Domino server.
Note: Do not install multiple Sametime servers on a Microsoft Windows server as
that configuration is not supported.
When multiple Sametime servers are running on separate Domino partitions
within the same logical partition of an IBM i server, it is important for each
Sametime server to be assigned a separate IP address. If you are also running any
other Domino servers or HTTP servers within the same logical partition, you must
also be certain that those servers are assigned separate IP addresses to avoid port
conflicts.
Token server port
The "Token server" port (default 9094) is used for intraserver connections between
components of the IBM Lotus Sametime server.
Generally, it is only necessary to change this port if you have installed multiple
Sametime servers on a single server machine or if another application on the server
uses port 9094.
Note: If you run Sametime on an IBM i, Linux, Sun Solaris, or IBM AIX machine,
you can install multiple Sametime servers on a single machine within the same
logical partition. Each Sametime server instance runs on a separate partition of the
IBM Lotus Domino server. If you run Sametime on Microsoft Windows, you can
only install one server on each Windows machine.
If multiple Sametime servers are running on the same machine, you must ensure
that each Sametime server specifies a different port as the "Token server" port. For
example, if Sametime server 1 and Sametime server 2 are running in separate
partitions of an IBM i machine, you might want to specify port 9094 as the "Token
server" port for Sametime server 1 and port 9096 as the "Token server" port for
Sametime server 2. Sametime for IBM i provides an option to specify the Token
server port at the time you configure your Sametime server.
For more information, see Assigning IP addresses to multiple Sametime servers
installed on a single server machine.
Using reverse proxy or portal servers with the Sametime
server
The manipulation of IBM Lotus Sametime data by a reverse proxy server imposes
specific requirements and limitations, discussed in this section.
An IBM Lotus Sametime server can be deployed behind a reverse proxy server or
a portal server. This section discusses issues related to using reverse HTTP proxy
servers with a Sametime server. The issues discussed in this section also apply to
deploying a Sametime server behind a portal server.
When a Sametime server is deployed on an internal network behind a reverse
proxy server, the reverse proxy server operates as an intermediary between the
Sametime server and the Sametime clients. All Sametime data flowing between the
Sametime server and its clients passes through the reverse proxy server.
To accomplish its security objectives, a reverse proxy server manipulates the data
that passes through it. The table below shows the client-side proxy types through
which clients can connect to the Sametime server.
Sametime client                                   SOCKS 4 proxy   SOCKS 5 proxy   HTTP proxy      HTTPS proxy
Sametime Connect                                  supported       supported       supported       supported
Sametime Mobile                                   not supported   not supported   supported       supported
Sametime Meeting Room screen-sharing/whiteboard   supported       supported       supported       not supported
  components
Sametime Meeting Room participant list/chat       supported       not supported   supported       not supported
  components
Sametime Meeting Room interactive audio/video     supported       not supported   not supported   not supported
  components
Sametime Recorded Meeting client                  supported       not supported   supported       not supported
This section includes topics related to the use of reverse HTTP proxy servers with
the Sametime server.
Note: If you are configuring the Sametime server to operate behind a Tivoli®
Access Manager WebSEAL reverse proxy server, refer to the Lotus Sametime Server
Release Notes for additional configuration information.
What is a reverse proxy server?
A reverse proxy server is a security device that is usually deployed in a network
DMZ to protect HTTP servers (or IBM Lotus Sametime servers) on a corporate
intranet by performing security functions that protect the internal servers from
attacks by users on the Internet.
The reverse proxy server protects internal HTTP servers by providing a single
point of access to the internal network. Providing a single point of access to all
HTTP servers on an internal network offers these specific security advantages and
network access characteristics:
v The administrator can use the authentication and access control features of the
reverse proxy server to control who can access the internal servers and control
which servers each individual user can access. When a reverse proxy is
deployed, the authentication process and access rights to multiple internal
servers can be controlled from a single machine, which simplifies the security
configuration.
v All traffic to your intranet servers appears to be destined for a single network
address (the address of the reverse proxy server).
When a reverse proxy server is deployed, only URLs that are associated with the
reverse proxy server are made public to web browser users. Users from the
Internet use these URLs to access the reverse proxy server. The reverse proxy
server handles these requests from Internet users and redirects these requests to
the appropriate internal HTTP server.
The administrator performs URL mapping configurations on the reverse proxy
server that make this redirection possible. When configuring the reverse proxy
server, the administrator maps the URLs that are used to access the reverse
proxy server to the real URLs of the internal HTTP servers. When an Internet
user sends a URL to the reverse proxy server, the reverse proxy server examines
the URL and uses these mapping configurations (or rules) to rewrite the URL.
The reverse proxy server rewrites the URL by replacing the server address
provided by the Internet user (a reverse proxy address) with the real address of
the internal server. The HTTP request is then sent on the internal network from
the reverse proxy server to the internal server.
v All traffic sent to Internet users from your internal servers appears to originate
from a single network address.
When an internal HTTP server (or Sametime server) responds to a request from
an Internet user, the internal server sends the response to the reverse proxy
server and the reverse proxy server sends the response to the Internet user. The
response sent on the Internet to the Internet user contains the address of the
reverse proxy server, not the address of the internal HTTP server.
Starting with Release 7.5, Sametime is designed to enable Sametime clients to
establish and maintain connectivity with a Sametime server when these clients
connect to the Sametime server through a reverse proxy server.
The security functionality of reverse proxy servers described above imposes
specific requirements and limitations on the use of reverse proxy servers with
Sametime. See any of the following topics for specific information about using
reverse proxy servers with a Sametime server.
v Requirements and limitations associated with using a reverse proxy server with
the Sametime server
v Configuring mapping rules on a reverse proxy server to support Sametime
v Configuring a Sametime server to operate with a reverse proxy server
v Sametime client connectivity and reverse proxy servers
Requirements and limitations of Sametime reverse proxy support
Using a reverse proxy server with IBM Lotus Sametime is subject to some
limitations as described in this topic.
The requirements and limitations associated with using a reverse proxy server with
Sametime include:
v Reverse proxy server requirements
v Sametime client limitations and requirements
v Sametime server limitations
v Secure Sockets Layer (SSL) issues and requirements
v Client certificate authentication issues
v IBM Lotus Sametime Enterprise Meeting Server (WCMS) restrictions
Each of these topics is discussed under a separate heading below.
Reverse proxy server requirements
This section lists the requirements and issues that are specific to the reverse proxy
server.
v URL specification requirement (affinity-id requirement) - Only reverse proxy
servers that use the following URL specification to access protected internal
servers can be used with Sametime:
Http[s]://hostname:port/affinity-id/
The "affinity-id" is an administrator-defined alias for an internal Sametime
server. This affinity-id must be present in the URLs sent from web browsers to
the reverse proxy server to enable web browser users to access the Sametime
server through the reverse proxy. For detailed information on this mandatory
requirement of the reverse proxy server, see Configuring mapping rules on a
reverse proxy server.
v Multiple reverse proxy servers must use the same DNS name and mapping
configurations - If you have deployed multiple reverse proxy servers in your
network environment, and you expect users to access your Sametime server(s)
through multiple reverse proxy servers, each of the reverse proxy servers must
have the same DNS name and the same mapping configurations as noted below:
– DNS name - All reverse proxy servers must use the same DNS name. For
example, if one reverse proxy server is named reverseproxy.ibm.com all other
reverse proxy servers must be named reverseproxy.ibm.com. If the reverse
proxy servers have different DNS names, the Sametime clients will be unable
to maintain communications with a Sametime server deployed behind the
reverse proxy servers.
Note: If a network environment includes multiple reverse proxy servers that
have the same DNS names, a connection dispatching device (such as an IBM
WebSphere EdgeServer) is usually used to distribute connections from web
browsers to the multiple reverse proxy servers. These devices are frequently
used to load balance connections to multiple machines.
– Mapping configurations - Each reverse proxy server must use identical
mapping rules and configurations to govern the translation of URLs sent by
web browsers to the reverse proxy server for the purpose of accessing an
internal Sametime server. If the translation of these URLs to the URLs of the
internal Sametime servers does not occur in exactly the same way on each of
the reverse proxy servers, the Sametime clients will be unable to maintain
communications with a Sametime server deployed behind the reverse proxy
server.
Note: Each Sametime server must be represented by the same "affinity-id" in
the mapping rules on each of the reverse proxy servers.
For more information about the affinity-id and mapping rules, see
Configuring mapping rules on a reverse proxy server.
v The reverse proxy server must use cookies for authentication - When a user
uses a web browser to access and authenticate with the reverse proxy server, the
reverse proxy server must send an authentication cookie to the web browser. All
subsequent HTTP requests from a Sametime client will then pick up this cookie
and use it for automatic authentication with the reverse proxy server.
Reverse proxy servers that rewrite URLs for authentication purposes are not
supported. Some reverse proxy servers append authentication and session
information to the end of URLs embedded in HTML that passes through the
proxy back to the client. The client will include this appended data on
subsequent requests to the reverse proxy server. When the reverse proxy server
receives these subsequent requests from the client, the reverse proxy server
strips the authentication data and rewrites the URL to accomplish the internal
routing of requests. A Sametime server cannot operate behind a reverse proxy
server that handles authentication data in this way.
v A lengthy timeout value should be specified for the authentication cookies -
The administrator should specify a lengthy timeout value for authentication
cookies generated by the reverse proxy server.
If the authentication cookie expires when the user is attending a meeting, the
user is disconnected from the meeting. To re-enter the meeting, the user must go
through the inconvenient process of reconnecting to the reverse proxy,
reauthenticating with the reverse proxy, and waiting for the Java applets to be
reloaded to the web browser.
Setting a lengthy timeout value for authentication cookies can prevent
unexpected user disconnections due to an authentication cookie expiration.
Generally, the authentication cookie should be valid for the entire length of the
longest meetings that are routinely conducted on the Sametime server deployed
behind the reverse proxy server.
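As an added example (not from the Sametime guide), the following Java class models the URL mapping described above: it rewrites a browser URL of the form http[s]://hostname:port/affinity-id/... to the internal Sametime server URL, rejects URLs whose first path segment is not a configured affinity-id, and checks that two reverse proxies share the same DNS name and identical mapping rules. The class name, the internal host names, the affinity-id st1 and the paths are assumptions; reverseproxy.ibm.com is the guide's own example name.

```java
import java.net.URI;
import java.net.URISyntaxException;
import java.util.Map;
import java.util.TreeMap;

/**
 * Added example, not part of the Sametime guide: a model of the affinity-id
 * mapping a reverse proxy applies to browser URLs before forwarding them to
 * an internal Sametime server.
 */
public class AffinityIdMapping {

    /** Public DNS name of the reverse proxy (must be identical on all proxies). */
    private final String proxyHost;
    /** Mapping rules: affinity-id -> base URL of the internal Sametime server. */
    private final Map<String, String> rules = new TreeMap<String, String>();

    public AffinityIdMapping(String proxyHost) {
        this.proxyHost = proxyHost;
    }

    public AffinityIdMapping addRule(String affinityId, String internalBaseUrl) {
        rules.put(affinityId, internalBaseUrl);
        return this;
    }

    /**
     * Rewrite a URL sent by a browser to the reverse proxy into the URL of the
     * internal Sametime server. Returns null if the URL is not addressed to
     * this proxy or if its first path segment is not a configured affinity-id,
     * since the guide requires the affinity-id to be present in every URL.
     * The browser side may be HTTPS; the internal side is plain HTTP, matching
     * the HTTPS-to-HTTP translation described in the SSL requirements.
     */
    public String rewrite(String publicUrl) throws URISyntaxException {
        URI uri = new URI(publicUrl);
        if (uri.getHost() == null || !proxyHost.equalsIgnoreCase(uri.getHost())) {
            return null;
        }
        String path = uri.getRawPath() == null ? "" : uri.getRawPath();
        if (!path.startsWith("/")) return null;
        int end = path.indexOf('/', 1);
        String affinityId = end < 0 ? path.substring(1) : path.substring(1, end);
        String internalBase = rules.get(affinityId);
        if (internalBase == null) return null;
        // Replace the proxy address and affinity-id with the internal server address
        String rest = end < 0 ? "/" : path.substring(end);
        String query = uri.getRawQuery() == null ? "" : "?" + uri.getRawQuery();
        return internalBase + rest + query;
    }

    /**
     * True when both proxies satisfy the guide's requirement of the same DNS
     * name and identical mapping rules; otherwise clients cannot maintain
     * communications with the Sametime server behind them.
     */
    public boolean isConsistentWith(AffinityIdMapping other) {
        return proxyHost.equalsIgnoreCase(other.proxyHost) && rules.equals(other.rules);
    }

    public static void main(String[] args) throws URISyntaxException {
        // Constructed configuration: two proxies with identical rules, one that differs
        AffinityIdMapping proxy1 = new AffinityIdMapping("reverseproxy.ibm.com")
                .addRule("st1", "http://sametime1.internal.example");
        AffinityIdMapping proxy2 = new AffinityIdMapping("reverseproxy.ibm.com")
                .addRule("st1", "http://sametime1.internal.example");
        AffinityIdMapping proxy3 = new AffinityIdMapping("reverseproxy.ibm.com")
                .addRule("st1", "http://sametime2.internal.example");

        // Browser URL carrying the affinity-id is rewritten to the internal server
        System.out.println(proxy1.rewrite("https://reverseproxy.ibm.com/st1/example.nsf?Open"));
        // Browser URL without a configured affinity-id is rejected (null)
        System.out.println(proxy1.rewrite("https://reverseproxy.ibm.com/example.nsf"));
        System.out.println(proxy1.isConsistentWith(proxy2));
        System.out.println(proxy1.isConsistentWith(proxy3));
    }
}
```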
Sametime client/Web browser limitations and JVM requirements
The following Sametime clients can communicate with Sametime servers through a
reverse proxy server:
v Sametime Meeting Room client
v Sametime Recorded Meeting client
v Sametime Connect for browsers (the Java version of Sametime Connect)
v Sametime Connect for the desktop (the Microsoft Windows version of Sametime
Connect)
v Sametime Links applications built with Sametime developer toolkits
On UNIX and IBM AIX servers, the Meeting start-up log contains the Sametime
server name when the Sametime server is configured behind a proxy server.
The Sametime Meeting Room client and the Sametime Recorded Meeting client can
communicate with a Sametime server through a reverse proxy server when
running with the following Web browsers and Java Virtual Machines (JVMs):
v A Microsoft Internet Explorer 6 browser that operates with the Microsoft native
VM or the Sun Microsystems JVM 1.4.2 (and associated Java Plug-in).
v A Netscape 7 browser that operates with the Sun Microsystems JVM 1.4.2 (and
associated Java Plug-in).
The Sametime Connect for browsers client and Sametime Links applications can
communicate with a Sametime server through a reverse proxy server when
running in an Internet Explorer 6 or Netscape 7 browser that operates with the Sun
JVM 1.4.2. These clients may not function appropriately with other JVMs, including
the native Microsoft VM provided for Internet Explorer.
Sametime server limitations
The following limitations apply to Sametime server features when the Sametime
server is deployed behind a reverse proxy server.
v Audio/video is not available - Audio/video streams cannot be transmitted to
Sametime clients that access the Sametime server through a reverse proxy server.
v Access to the Sametime Administration Tool is not available - A user that
connects to the Sametime server through a reverse proxy server cannot access
the Sametime Administration Tool. The user can open a web browser that is
installed on the Sametime server to access the Sametime Administration Tool.
The user can also connect to the Sametime server from an internal network
location that does not route HTTP traffic through the reverse proxy server to
access the Sametime Administration Tool.
Secure Sockets Layer (SSL) issues and requirements
Note the following about SSL and Sametime in a reverse proxy environment:
v Secure Sockets Layer (SSL) can be used to encrypt data transmitted between the
Sametime clients and the reverse proxy server.
v SSL cannot be used to encrypt data transmitted between the Sametime servers
and the reverse proxy server. That hop is cleartext, so the reverse proxy and the
Sametime server should share a network segment that untrusted hosts cannot observe.
If SSL is used to encrypt data transmitted between web browsers and the reverse
proxy server, the administrator must configure the mapping rules on the reverse
proxy server that map the HTTPS URLs received from the web browser to the HTTP
URLs required by the Sametime server.
The reverse proxy must also be configured to translate the HTTP data received
from the Sametime server to the HTTPS data required by the client.
When a reverse proxy server is configured to support SSL, the reverse proxy server
sends an SSL server certificate to the web browser during the SSL connection
handshake. The Java 1.4.2 Plug-in used by the web browser must trust the
Certificate Authority (CA) that signed that server certificate, that is, the CA's
Signer certificate must be present in the Plug-in's Signer CA list.
By default, the Java Plug-in has access to several different Signer certificates that
can be used for this purpose. To view the Signer certificates that are available to
the Java Plug-in 1.4.2, use the Java Plug-in Control Panel as described in “Viewing
the Signer certificates.”
Client certificate authentication issues
If the reverse proxy server is configured to require client certificate authentication,
the client certificate for an individual user must be imported into the Java Plug-in
1.4.2 Control Panel on that user's machine as described in “Importing the client
certificate” on page 47.
Enterprise Meeting Server restrictions
The IBM Lotus Sametime Enterprise Meeting Server that operates with Sametime
servers cannot be deployed behind a reverse proxy server.
Viewing the Signer certificates:
The Java Plug-in has access to several different Signer certificates that can be used
for reverse proxy support.
About this task
To view the Signer certificates that are available to the Java Plug-in 1.4.2, use the
Java Plug-in Control Panel:
46
Lotus Sametime: Installation and Administration Guide Part 2
Procedure
1. From the Windows desktop, open the Control Panel by clicking Start → Settings
→ Control Panel.
2. Double-click on the Java Plug-in 1.4.2 icon to open the Java Plug-in Control
Panel.
3. Click Certificates.
4. Click Signer CA.
Results
The server certificate sent by the reverse proxy server to the client web browser
must be signed by one of the CAs that appears in the signer CA list for the SSL
connection handshake to succeed.
Importing the client certificate:
If the reverse proxy server is configured to require client certificate authentication,
the client certificate for an individual user must be imported into the Java Plug-in
1.4.2 Control Panel on that user's machine.
About this task
You can use the Certificates tab of the Java Plug-in Control Panel to import the
client certificate into the Java Plug-in key store:
Procedure
1. From the Windows desktop, open the Control Panel by clicking Start → Settings
→ Control Panel.
2. Double-click on the Java Plug-in 1.4.2 icon to open the Java Plug-in Control
Panel.
3. Click Certificates.
4. In the Certificates column, click Secure Site.
5. Click Import to import the client certificate.
Configuring mapping rules on a reverse proxy server to support
Sametime
When an IBM Lotus Sametime server is deployed behind a reverse proxy server,
the Sametime administrator must configure mapping rules on the reverse proxy
server.
The mapping rules enable the reverse proxy server to translate (or rewrite) a URL
associated with the reverse proxy server to the URL of an internal Sametime server.
This section discusses how mapping rules are configured on a reverse proxy server
to accomplish the translation (or rewriting) of URLs when the reverse proxy
operates with Sametime.
Affinity-id (server alias) requirement of the reverse proxy server:
Only reverse proxy servers that support the use of an affinity-id (or server alias) in
the URLs that are associated with internal servers can be used with IBM Lotus
Sametime.
Specifically, the reverse proxy server must support the following URL specification
to access protected internal servers:
Http[s]://hostname:port/affinity-id/
where hostname represents the DNS name of the reverse proxy server and the
affinity-id is an alias for an internal server that is protected by the reverse proxy
server. A specific example of this URL format is:
Http[s]://reverseproxy.ibm.com/st01/stcenter.nsf
where the text string "st01" is the affinity-id. The affinity-id is an alias for a specific
Sametime server (such as sametime.ibm.com) that is protected by the reverse proxy
server. The affinity-id is used by the reverse proxy server to direct incoming
requests to the specific internal Sametime server.
For example, if the incoming URL from the Web browser is:
Http[s]://reverseproxy.ibm.com/st01/stcenter.nsf
and the mapping rules on the reverse proxy server map the "st01" affinity-id to the
Sametime server named "sametime.ibm.com," the affinity-id ensures the reverse
proxy server rewrites the incoming URL to:
Http[s]://sametime.ibm.com/stcenter.nsf
Essentially, the affinity-id is an administrator-defined alias for an internal Sametime
server. The affinity-id is defined in the mapping rules of the reverse proxy server.
If you have multiple Sametime servers deployed behind a reverse proxy server,
each Sametime server must have an individual affinity-id as indicated below:
Mapping rule for client-provided URL    Routed to internal server
/st01/*                                 http://sametime1.ibm.com/*
/st02/*                                 http://sametime2.ibm.com/*
It is mandatory that any reverse proxy server that operates with a Sametime server
support the affinity-id (or server alias) in URLs.
For additional information about configuring mapping rules on reverse proxy
server, see Example of URL mapping configurations on the reverse proxy server.
Important: The Sametime Administration Tool on a Sametime server contains a
"Server Alias" setting. This Server Alias setting must specify the same affinity-id
that is used to represent the Sametime server in the mapping rules on the reverse
proxy server. For more information, see Configuring a Sametime server to operate
with a reverse proxy server.
Example of URL mapping configurations on the reverse proxy server:
Here are some examples of how an administrator might configure URL mapping
configurations for a reverse proxy server deployed in front of an IBM Lotus
Sametime server.
When a user connects to a Sametime server through a reverse proxy server, the
reverse proxy server must be configured to support the following actions that
enable Sametime users to attend meetings and participate in chat sessions:
v The user must be able to click on links in the Sametime server home page and
navigate to the various HTML pages of the UI. This capability requires the
reverse proxy server to rewrite the URLs of the HTML pages that comprise the
Sametime UI.
v The Sametime Java applet clients that load in a user's web browser must be able
to connect to the services on the Sametime server. Since these connections must
occur through the reverse proxy server, the reverse proxy server must also be
able to rewrite the URLs required to establish these connections to the services
on the Sametime server.
The following sections provide examples of the mapping configurations required to
accomplish the two tasks above.
Reverse proxy mapping configurations that enable a web browser user to
navigate the Sametime user interface
The example below illustrates how an administrator can configure the reverse
proxy server to enable users to navigate the HTML pages of the Sametime user
interface. This example assumes the following:
v The Sametime server name is "sametime.ibm.com."
v The URL required to access the reverse proxy server is "reverseproxy.ibm.com."
v The affinity-id chosen by the administrator for the Sametime server is "st01."
Listed below are two entities of the Sametime server user interface and the URLs
required to access these entities on a Sametime server with the server name
"sametime.ibm.com."
v Sametime server home page - The Sametime server URL for the server home
page is http://sametime.ibm.com/stcenter.nsf.
v Active Meeting page - The Sametime server URL for the Active Meeting page
is http://sametime.ibm.com/stconf.nsf/vwWebActiveMeetings?OpenView.
Example 1 - Translating the URL of the server home page
To access the Sametime server home page through a reverse proxy server, the web
browser would send the following URL to the reverse proxy server:
http[s]://reverseproxy.ibm.com/st01/stcenter.nsf
The reverse proxy server must contain a mapping rule that translates this URL into
the following URL required to access the Sametime server home page:
http[s]://sametime.ibm.com/stcenter.nsf
Example 2 - Translating the URL of the Active Meeting page
If the user selects the Attend a Meeting link in the Sametime user interface to view
the list of active meetings, the web browser would send the following URL to the
reverse proxy server:
http[s]://reverseproxy.ibm.com/st01/stconf.nsf/vwWebActiveMeetings?OpenView
The reverse proxy server must contain a mapping rule that translates this URL into
the following URL required to access the Sametime server Active Meetings page:
Http[s]://sametime.ibm.com/stconf.nsf/vwWebActiveMeetings?OpenView
A single mapping rule can be used to translate all URLs associated with the
Sametime server user interface
Through the use of wildcards, the administrator can create a single mapping rule
on the reverse proxy server to translate all URLs associated with the Sametime
server interface. Following the examples above, the administrator can create a
mapping rule that translates the following URL from the web browser:
Http[s]://reverseproxy.ibm.com/st01/*
To this Sametime server URL:
Http[s]://sametime.ibm.com/*
A single mapping rule that accomplishes this type of URL translation should
enable users to access all entities of the Sametime user interface through a reverse
proxy server.
Note: It is not mandatory to configure the mapping rules as described above. The
actual configuration of the mapping rules on the reverse proxy server is at the
discretion of the administrator. When configuring the mapping rules note that the
URL for any entity of the Sametime server user interface will begin with the
Sametime server name (sametime.ibm.com in this example).
Reverse proxy mapping configurations that enable Sametime Java applet
connectivity through the reverse proxy server
The following example URL mappings enable the Sametime Java applet clients
running in a user's Web browser to connect to the Community Services, Meeting
Services, and Recorded Meeting Broadcast Services on the Sametime server
through the reverse proxy server:
Example 1 - Mapping configuration for Community Services connectivity
This example illustrates the mapping configurations that enable a Java applet client
to connect to the Community Services:
If the incoming URLs from the Java applet are:
Http[s]://proxy.ibm.com/st01/communityCBR/
Http[s]://proxy.ibm.com/st01/CommunityCBR/
The mapping rules on the reverse proxy must translate these URLs to:
http://sametime.ibm.com:8082/communityCBR
http://sametime.ibm.com:8082/CommunityCBR
Note: The mapping configuration for the Community Services connectivity should
contain two case-sensitive mapping rules as indicated above. Some pieces of the
Java code contain the lowercase "c" in "communityCBR" and some pieces of the
Java code use the uppercase "C" in "CommunityCBR." This difference may prevent
connections if the proxy is case-sensitive.
Example 2 - Mapping configuration for Meeting Services connectivity
This example illustrates the mapping configurations that enable a Java applet client
to connect to the Meeting Services:
If the incoming URL from the Java applet is:
Http[s]://proxy.ibm.com/st01/MeetingCBR
The mapping rule on the reverse proxy must translate this URL to:
Http://sametime.ibm.com:8081/MeetingCBR
Example 3 - Mapping configuration for Recorded Meeting Broadcast Services
connectivity
This example illustrates the mapping configurations that enable a Java applet client
to connect to the Recorded Meeting Broadcast Services:
If the incoming URL from the Java applet is:
Http[s]://proxy.ibm.com/st01/BroadcastCBR
The mapping rule on the reverse proxy must translate this URL to:
Http://sametime.ibm.com:554/BroadcastCBR
Information about the Java applet connectivity mapping rule examples
During a Sametime server installation, the administrator has the option of allowing
or not allowing HTTP tunneling on port 80.
If the administrator does not allow HTTP tunneling on port 80 during the
Sametime server installation, it is necessary to configure separate mapping rules
for each of the three Sametime services (Community Services, Meeting Services,
and Recorded Meeting Broadcast Services).
Note: Four mapping rules are required: two for the Community Services, one for
the Meeting Services, and one for the Recorded Meeting Broadcast Services as
shown in the three examples above.
When the administrator does not allow HTTP tunneling on port 80, each of the
Sametime services listens for HTTP connections on a different port:
v The Community Services listen for HTTP connections on port 8082. Port 8082 is
reflected in the mapping rule for Community Services connections above. You
can view or change this port setting from the Community Services Network -
Address for HTTP-tunneled client connections option in the Networks and Ports
tab of the Sametime Administration Tool.
v The Meeting Services listen for HTTP connections on port 8081. Port 8081 is
reflected in the mapping rule for Meeting Services connections above. You can
view or change this port setting from the Meeting Services Network - Address
for HTTP-tunneled client connections option in the Networks and Ports tab of
the Sametime Administration Tool.
v The Recorded Meeting Broadcast Services listen for HTTP connections on port
554. Port 554 is reflected in the mapping rule for Recorded Meeting Broadcast
Services connections above. You can view or change this port setting from the
Recorded Meeting Broadcast Services Network - Address for HTTP-tunneled
client connections option in the Networks and Ports tab of the Sametime
Administration Tool.
Because each of these Sametime services listens for a connection on a separate port,
separate mapping rules must be established for each of the services. The mapping
rule must specify the port on which each of the services is listening for
connections.
Note: If you change the HTTP-tunneling port number for a specific service in the
Sametime Administration Tool, the mapping rules you configure on the reverse
proxy server must reflect the new port number.
If the administrator allows HTTP tunneling on port 80 during the Sametime server
installation, the Sametime clients connect to all of the services on a single port.
With this configuration, the single mapping rule that enables users to navigate the
Sametime server user interface will also enable the Sametime clients to make
connections to the Sametime services.
When HTTP tunneling on port 80 is allowed, the Community Services multiplexer
on the Sametime server listens for HTTP connections on behalf of the HTTP
Services, Community Services, Meeting Services, and Recorded Meeting Broadcast
Services on the Sametime server. The Community Services multiplexer listens for
connections to all of these services on a single port (port 80).
Note: When operating in this mode, the Community Services multiplexer on the
Sametime server can distinguish between HTTP requests destined for the HTTP
Services, Community Services, Meeting Services, and Recorded Meeting Broadcast
Services and establish intraserver connections to each of the services. For example,
if the Community Services multiplexer receives an HTTP request for the Meeting
Services on port 80, the Community Services handles the request and creates an
intraserver connection to the Meeting Services. The Community Services
multiplexer then forwards the request to the Meeting Services. The ability of the
Community Services multiplexer to handle requests for multiple services in this
way is sometimes referred to as "single port mode."
When the administrator allows HTTP tunneling on port 80 (that is, when the
Sametime server is operating in single port mode), the mapping rules for Java
applet connectivity are much simpler. Since all connections from the Sametime Java
applet clients occur on the same port, it is not necessary to specify individual ports
for each service in the mapping rules.
In this scenario, the administrator would only need to ensure that this incoming
URL from the Sametime Java applets:
Http[s]://proxy.ibm.com/st01/*
Is translated to this URL by the mapping rules on the reverse proxy server:
Http://sametime.ibm.com/*
Note that server performance is not as efficient when the Sametime server is
configured to support HTTP tunneling on port 80 because of the connectivity
burden placed on the Community Services multiplexer.
Configuring a Sametime server to operate with a reverse proxy
server
Use the IBM Lotus Sametime Administration Tool (hosted on the Sametime server)
to configure a Sametime server to operate with a reverse proxy server.
About this task
There are two settings the administrator must configure in the
Configuration-Connectivity-Networks and Ports tab of the Sametime
Administration Tool to enable a Sametime server to operate with a reverse proxy
server. These settings include:
v Enable Reverse Proxy Discovery on the client - This setting turns the reverse
proxy support on or off. Selecting it enables the logic in the Sametime clients
that lets them connect to a Sametime server through the reverse proxy server.
This setting is disabled by default.
Note: Enabling this setting does not require that all users on your corporate
intranet access the Sametime server through the reverse proxy server. Users on
your corporate intranet that are not required to route connections through the
reverse proxy servers can still establish connections with the Sametime server
using the standard Sametime client connection processes. For more information,
see Connecting to a Sametime server without going through the reverse proxy
server.
v Server Alias - The Server Alias setting must specify the affinity-id that the
administrator uses to represent this Sametime server in the mapping rules on the
reverse proxy server.
Note: The term "Server Alias" is synonymous with affinity-id.
For example, if the administrator uses the text string "st01" as the affinity-id that
represents the Sametime server in the mapping rules on the reverse proxy server,
the administrator must also enter "st01" as the value for the Server Alias setting
in the Sametime Administration Tool.
Following a Sametime server installation, the Server Alias setting defaults to the
Sametime server name that is extracted from the fully-qualified DNS name of
the Sametime server. For example, if the fully-qualified DNS name of the
Sametime server is "sametime.ibm.com," the default value for the Server Alias is
"sametime."
Note: An administrator may want to change the default Server Alias setting to
avoid using the real Sametime server name as the affinity-id in the mapping
rules on the reverse proxy server. If the real Sametime server name is used as
the affinity-id on the reverse proxy server, the real server name will appear in
URLs transmitted on the Internet.
For more information about the affinity-id, see Configuring mapping rules on a
reverse proxy server to support Sametime.
To enable reverse proxy support on a Sametime server:
Procedure
1. From the Sametime server home page, click Administer the Server to open the
Sametime Administration Tool.
2. Click Configuration.
3. Click Connectivity.
4. If necessary, click Networks and Ports.
5. At the bottom of the Networks and Ports tab, click Enable Reverse Proxy
Discovery on the client.
6. In the Server Alias text box, type the text string that is used as the affinity-id
that represents this Sametime server in the mapping configurations on the
reverse proxy server (for example, type st01).
7. Click Update.
8. Restart the Sametime server for the changes to take effect.
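The following Python script is an added example, not part of the IBM guide or of the Sametime product. It models the affinity-id mapping rules from "Example of URL mapping configurations on the reverse proxy server" (the catch-all user interface rule plus the per-service rules for a server without HTTP tunneling on port 80, and the single rule of single port mode) together with the two Server Alias checks from this section, so a rule set can be tried against the guide's URLs before it goes onto a real proxy. The host names, the affinity-id "st01" and the ports 8082, 8081 and 554 are the guide's own examples; the function names and the rule data structure are assumptions of the example.

```python
"""Reverse proxy URL rewriting and Server Alias checks for a Sametime server.

Added example (not IBM code): it models the affinity-id mapping rules the guide
describes, so the rule sets for the two tunneling modes can be checked offline.
Host names are the guide's examples; nothing is contacted on the network.
"""
from dataclasses import dataclass
from urllib.parse import urlsplit


@dataclass(frozen=True)
class Rule:
    client_prefix: str   # path prefix seen by the proxy, e.g. "/st01/"
    server_prefix: str   # internal URL prefix, e.g. "http://sametime.ibm.com/"


def parse_rule(client_pattern: str, server_pattern: str) -> Rule:
    """Accept the guide's notation: "/st01/*" -> "http://sametime.ibm.com/*"."""
    if not (client_pattern.endswith("*") and server_pattern.endswith("*")):
        raise ValueError("both sides of a mapping rule must end with '*'")
    return Rule(client_pattern[:-1], server_pattern[:-1])


def rewrite(url: str, rules, case_sensitive: bool = True):
    """Return the internal Sametime URL for a client URL, or None if no rule matches.

    The longest client prefix wins, which is how the rules must be ordered on a
    real proxy so that "/st01/MeetingCBR*" beats the "/st01/*" catch-all.  The
    client's scheme is discarded: the proxy terminates SSL and speaks plain HTTP
    to the Sametime server.
    """
    parts = urlsplit(url)
    path = parts.path
    for rule in sorted(rules, key=lambda r: len(r.client_prefix), reverse=True):
        head = path[: len(rule.client_prefix)]
        if head == rule.client_prefix or (
            not case_sensitive and head.lower() == rule.client_prefix.lower()
        ):
            target = rule.server_prefix + path[len(rule.client_prefix):]
            return target + ("?" + parts.query if parts.query else "")
    return None


# Per-service HTTP-tunneling ports when tunneling on port 80 was NOT allowed at
# install time.  Both spellings of communityCBR are needed on a case-sensitive proxy.
SERVICE_PORTS = {
    "communityCBR": 8082,
    "CommunityCBR": 8082,
    "MeetingCBR": 8081,
    "BroadcastCBR": 554,
}


def separate_port_rules(affinity_id: str, server_host: str):
    """Catch-all UI rule plus the four service rules the guide calls for."""
    rules = [parse_rule(f"/{affinity_id}/*", f"http://{server_host}/*")]
    for service, port in SERVICE_PORTS.items():
        rules.append(parse_rule(f"/{affinity_id}/{service}*",
                                f"http://{server_host}:{port}/{service}*"))
    return rules


def single_port_rules(affinity_id: str, server_host: str):
    """Single port mode: the Community Services multiplexer answers everything on 80."""
    return [parse_rule(f"/{affinity_id}/*", f"http://{server_host}/*")]


def check_server_alias(server_alias: str, server_fqdn: str, proxy_affinity_id: str):
    """Problems to fix before enabling reverse proxy discovery (empty list = fine)."""
    problems = []
    if server_alias != proxy_affinity_id:
        problems.append("Server Alias does not match the affinity-id in the proxy mapping rules")
    if server_alias.lower() == server_fqdn.split(".")[0].lower():
        problems.append("Server Alias is the real host name; it will appear in URLs on the Internet")
    return problems


if __name__ == "__main__":
    rules = separate_port_rules("st01", "sametime.ibm.com")
    for client_url in (
        "https://reverseproxy.ibm.com/st01/stcenter.nsf",
        "https://reverseproxy.ibm.com/st01/stconf.nsf/vwWebActiveMeetings?OpenView",
        "https://reverseproxy.ibm.com/st01/CommunityCBR/",
        "https://reverseproxy.ibm.com/st01/BroadcastCBR",
    ):
        print(client_url, "->", rewrite(client_url, rules))
    print(check_server_alias("sametime", "sametime.ibm.com", "sametime"))
```

Dropping the uppercase CommunityCBR rule from the separate-port set shows the failure the guide warns about: on a case-sensitive proxy the request falls through to the catch-all and reaches the server on port 80 instead of 8082, while a case-insensitive proxy matches it with the lowercase rule alone.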
Sametime client connectivity and reverse proxy servers
This section briefly discusses IBM Lotus Sametime client connectivity issues when
the Sametime Meeting Room client, Sametime Recorded Meeting client, and
Sametime Connect client operate with a reverse proxy server.
The following topics discuss client connectivity issues for reverse proxy
servers.
Connecting to a Sametime server without using the reverse proxy server:
When an IBM Lotus Sametime server is configured to operate with a reverse proxy
server, users on the corporate intranet that are not required to route connections
through the reverse proxy server can still connect using the standard Sametime
client connection processes.
Note: In this scenario, both intranet and Internet users connect to the same
Sametime server. Connections from Internet users are routed through the reverse
proxy server while connections from intranet users are not routed through the
reverse proxy server.
To configure a Sametime server to operate with a reverse proxy server, the
administrator must select the Enable Reverse Proxy Discovery on the client
setting in the Sametime Administration Tool. Selecting this setting:
v Enables the additional logic in the Meeting Room client, Recorded Meeting
client, and Sametime Connect for browsers client that the clients use to connect
to a Sametime server through a reverse proxy server.
v Does not disable the existing connectivity logic in these Sametime clients.
Enabling this setting enhances the existing logic in the Sametime clients by
adding the reverse proxy connection logic to the existing logic. This design
enables clients that do not connect to the Sametime server through the reverse
proxy server to follow the standard Sametime client connection processes when
connecting to the Sametime server.
To illustrate this point, the Meeting Room client connection process that occurs
when the Enable Reverse Proxy Discovery on the client setting is selected is
summarized below.
1. Upon loading in a user's web browser, the Sametime Meeting Room client
attempts a direct TCP/IP connection to the Sametime server.
If the direct TCP/IP connection attempt fails, the Meeting Room client
continues with the connection process as described below.
Note: Step 1 is part of the standard Sametime client connection process.
2. If the user's web browser detects the existence of a forward SOCKS proxy
server, the Meeting Room client will attempt the TCP/IP connection through
the forward SOCKS proxy server to the Sametime server.
If the TCP/IP connection through the SOCKS proxy server is not successful, the
Meeting Room client continues with the connection process as described below.
Note: Step 2 is part of the standard Sametime client connection process.
3. If the TCP/IP connection attempt is not successful, the Meeting Room client
attempts to detect the reverse proxy server.
If the reverse proxy server is detected, the Meeting Room client attempts to
connect to the Sametime server through the reverse proxy server using HTTP
tunneling. The client programmatically detects the address of the reverse proxy
server. No client-side configurations are required to enable the Sametime client
to detect the reverse proxy server.
Note: Step 3 represents the major difference in the connection process that
occurs when the "Enable Reverse Proxy Discovery on the client" setting is
selected.
4. If the reverse proxy server is not detected, the Sametime clients will still
attempt to connect to the Sametime server using HTTP tunneling but the
connection attempts will not be made to the reverse proxy server.
Note: These HTTP-tunneled connection attempts are part of the standard
Sametime client connection processes. These connection attempts enable
Sametime clients that do not connect to the Sametime server through the
reverse proxy server to establish HTTP-tunneled connections to the Sametime
server.
Understanding Sametime client connectivity through a reverse proxy server:
This section provides additional notes about IBM Lotus Sametime client
connectivity through a reverse proxy server.
Generally, there are no client-side configurations required to enable a Sametime
Meeting Room client, Sametime Recorded Meeting client, or Sametime Connect for
browsers client to connect to a Sametime server through a reverse proxy server.
If the administrator has selected the Enable Reverse Proxy Discovery on the
client setting and specified the Server Alias (affinity-id) in the Sametime
Administration Tool on the Sametime server, the Sametime clients should be able
to programmatically detect the presence of the reverse proxy server and connect
to the Sametime server through it.
If these clients must connect to the reverse proxy server through a forward (or
client-side) HTTP or SOCKS proxy server, the connectivity settings (address and
port) of the forward proxy server must be specified in the locations noted below:
v If the Sametime client runs in a web browser that operates with the Sun
Microsystems Java Virtual Machine (1.4.2), the forward proxy server address and
port are specified in the Sun Microsystems Java Plug-in Control Panel on the
user's machine. (The Java Plug-in Control Panel is available from the user's
Windows Control Panel).
v If the Sametime client runs in a web browser that operates with the native
Microsoft Virtual Machine (VM), the forward proxy server address and port are
specified in the proxy configuration settings of the web browser.
Note the following about using Sametime Connect for browsers with a reverse
proxy server:
v The Sametime Connect for browsers client loads in the user's web browser with
either the "Use my Java Plug-in settings" option or the "Use my Internet
Explorer Browser settings" option selected by default in the
Options-Preferences-Sametime Connectivity tab. Users should not change this
default setting when operating with a reverse proxy server. These connectivity
settings ensure the client will make either a direct connection to the Sametime
server or connect through a forward proxy server if one is defined in the web
browser connectivity settings or Java Plug-in as noted above.
v The Sametime Connect for browsers client includes a "Host name" and "Port"
setting in the Options-Preferences-Sametime Connectivity tab. The values in
these settings are ignored when the Sametime server is configured to operate
with a reverse proxy server. (In a normal Sametime deployment, these settings
specify the Host name of the Sametime server to which the client should connect
and the port number on which the Sametime server listens for connections from
Sametime Connect clients).
Configuring Sametime Community Server to work behind
WebSEAL reverse proxy
If you are deploying the IBM Lotus Sametime Community Server behind a Tivoli
WebSEAL reverse proxy server, there are some specific procedures and
configurations you must employ to ensure the Lotus Sametime Community Server
can operate behind the WebSEAL reverse proxy server.
Procedure
1. Enable HTTP tunneling on port 80 using the Sametime Administration Tool:
a. From the Sametime home page, select Administer the server to open the
Sametime Administration Tool.
b. Select Configuration → Connectivity → Networks and Ports.
c. Ensure that the Community Services Network → Enable the Meeting Room
client to try HTTP tunneling to the Community Server after trying other
options setting is enabled.
d. In the Community Services Network → Address for HTTP tunneled client
connections settings:
v If your Sametime Community Server operates on a Microsoft Windows
server, you can leave the Host name field blank.
v In the HTTP tunneling Port number field, delete port number 8082 and
enter port number 80.
e. Click Update and then restart the server for the change to take effect.
2. You must open the stlinks.js file on the Sametime Community Server and
modify the following two lines to point to your WebSEAL reverse proxy server
and WebSEAL junction. The WebSEAL junction is st in the example:
var ll_RProxyName = "https://ampc0.support.tivlab.austin.ibm.com"
var ll_AffinityID = "st"
Note: The WebSEAL reverse proxy server must be listening on the default
ports of 80 and 443 for the changes above to work.
3. Enable reverse proxy support and specify the WebSEAL junction in the
Sametime Administration Tool on the Lotus Sametime Community Server.
a. Open the Sametime Administration Tool.
b. Click Configuration → Connectivity.
c. In the "Reverse Proxy Support" section, click Enable Reverse Proxy
Discovery on the client to enable the reverse proxy support.
d. Enter the WebSEAL junction name in the Server Alias field. In this
example, st is the WebSEAL junction name.
4. Create the Tivoli Access Manager WebSEAL junction. Issue the command as
one line:
pdadmin> server task webseald-[servername] create -t tcp -h [sametime hostname] -p 80 -i -j -A -F [path to LTPA key] -Z [LTPA key password] /[junction name]
The -i option makes URL matching on the junction case-insensitive, and -j
supplies the junction identifier in a cookie so that script-generated
server-relative URLs are routed back to the junction.
You cannot use the -w parameter for this setup. Some requests generated by
Sametime are not allowed through the junction if -w is present. You must also
ensure that the LTPA key used in the junction is the same LTPA key that the
Lotus Sametime Community Server uses in its Web SSO Configuration
document; with different keys the Sametime server cannot validate the LTPA
token WebSEAL issues and single sign-on fails.
What to do next
After performing this configuration, you should be able to log in to
https://webseal/stjunction and be prompted by WebSEAL for authentication.
Once authenticated, SSO between WebSEAL and the Lotus Sametime Community
Server should work and all requests for Sametime will route through WebSEAL.
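The stlinks.js edit in step 2 is easy to get wrong: a junction name pasted into the proxy URL, a non-default port (which the note says cannot work), or a file in which the variable appears more than once. The following Python helper is an added example, not part of the guide or the product. It rewrites the two assignments and refuses the values the guide rules out. The variable names ll_RProxyName and ll_AffinityID are taken from the listing in step 2 as read here (confirm them against your own copy of stlinks.js); the host webseal.example.com and the sample file content are constructed for the demonstration.

```python
"""Set the reverse proxy lines in stlinks.js (WebSEAL setup, step 2).

Added example, not IBM code.  The variable names ll_RProxyName and
ll_AffinityID are assumed from the guide's listing; the sample file content
and the proxy host name are constructed for the demonstration.
"""
import re
from urllib.parse import urlsplit

# Constructed stand-in for the relevant lines of stlinks.js.
SAMPLE_STLINKS_JS = """// stlinks.js (constructed excerpt)
var ll_RProxyName = "";
var ll_AffinityID = "";
var ll_ReconnectCount = 10;
"""


class ProxyConfigError(ValueError):
    """Raised for a value that would produce a setup the guide says cannot work."""


def validate_proxy_url(proxy_url: str) -> str:
    """Accept only scheme://host[:80|:443]; the junction name does not belong here."""
    parts = urlsplit(proxy_url)
    if parts.scheme not in ("http", "https") or not parts.hostname:
        raise ProxyConfigError(f"expected http(s)://host, got {proxy_url!r}")
    if parts.port is not None and parts.port not in (80, 443):
        raise ProxyConfigError("WebSEAL must listen on the default ports 80/443 for this setup")
    if parts.path not in ("", "/") or parts.query or parts.fragment:
        raise ProxyConfigError("put the junction name in ll_AffinityID, not in the proxy URL")
    return proxy_url.rstrip("/")


def validate_affinity_id(affinity_id: str) -> str:
    """The junction name is a single path segment: no slashes, spaces or quotes."""
    if not re.fullmatch(r"[A-Za-z0-9_-]+", affinity_id):
        raise ProxyConfigError(f"invalid junction name {affinity_id!r}")
    return affinity_id


def set_reverse_proxy(js_text: str, proxy_url: str, affinity_id: str) -> str:
    """Rewrite exactly one assignment to each variable; refuse an unexpected file."""
    values = {
        "ll_RProxyName": validate_proxy_url(proxy_url),
        "ll_AffinityID": validate_affinity_id(affinity_id),
    }
    out = js_text
    for name, value in values.items():
        # Match the whole "var NAME = "..."" assignment at the start of a line and
        # replace only the quoted string, keeping spacing and any trailing ";".
        pattern = re.compile(rf'^([ \t]*var[ \t]+{name}[ \t]*=[ \t]*)"[^"\n]*"', re.MULTILINE)
        out, count = pattern.subn(lambda m, v=value: f'{m.group(1)}"{v}"', out)
        if count != 1:
            raise ProxyConfigError(f"expected one assignment to {name}, found {count}")
    return out


if __name__ == "__main__":
    print(set_reverse_proxy(SAMPLE_STLINKS_JS, "https://webseal.example.com", "st"))
```

Run it against the real file by reading stlinks.js into a string, passing the result to set_reverse_proxy, and writing the returned text back only after the call succeeded, so a rejected value never leaves a half-edited file on the server.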
Using multiple non-clustered Lotus Sametime Community
Servers
This topic provides an overview of issues related to deploying multiple IBM Lotus
Sametime Community Servers.
To support a large or geographically distributed community of IBM Lotus
Sametime users, it is usually necessary to deploy multiple Sametime servers. This
section discusses the issues associated with deploying multiple Sametime servers.
Advantages of using multiple Sametime servers
When multiple Sametime servers are installed, you can synchronize the Sametime
servers to operate as a single Sametime community. You can also specify different
home Sametime servers for members of the Sametime community.
You can install multiple Sametime servers to:
v Spread the load of a large user population among multiple servers.
v Reduce network usage and improve server performance when you have
significant user populations in remote or distributed locations.
Advantages of multiple "home" Sametime servers
If you install multiple Sametime servers, you can assign different "home" Sametime
servers for users in the community. Specifying different home Sametime servers for
Sametime community members allows you to spread the load of a large number of
users among the Community Services of multiple Sametime servers.
The "home" Sametime server is the server to which each user connects for the
online presence (or awareness) and chat functionality supported by the
Community Services. After installing a new Sametime server, you can assign
specific users to the new server by entering the name of the new Sametime server
in the Sametime server field in each user's Person document.
All users in the community will have presence and chat capabilities with all other
users, even though they connect to different "home" Sametime servers to get this
functionality. Server-to-server connections among the Community Services of the
multiple Sametime servers ensure that all users in the community have presence
and chat capabilities with all other users.
Integrating a Sametime server into an existing Sametime community
This topic provides an overview of the tasks involved in integrating a new IBM
Lotus Sametime server into an existing Sametime community.
These are the basic processes and issues involved with integrating a new Sametime
server into an existing Sametime community.
Related concepts
“Advantages of using multiple Sametime servers” on page 57
When multiple Sametime servers are installed, you can synchronize the Sametime
servers to operate as a single Sametime community. You can also specify different
home Sametime servers for members of the Sametime community.
Installing a Sametime server into an existing Sametime community:
Installing the IBM Lotus Sametime server software is the first procedure you must
perform when integrating a new Sametime server into an existing Sametime
community.
Before you install the new Sametime server, decide whether you want the server to
be accessed by Internet and intranet clients or intranet clients only. If you want the
server to be accessed by both Internet and intranet clients, you should install the
Sametime server software on a computer that is located in the network DMZ
(outside the firewall that protects the corporate intranet).
Configuring ports for server-to-server connections:
When multiple IBM Lotus Sametime servers are installed in an IBM Lotus Domino
environment, the Sametime servers must be able to communicate on specific ports.
Ports required for communication between Sametime servers
Note: Ports for Meetings do not apply to Sametime Entry, Sametime Limited Use,
or versions of Sametime that do not support web conferencing.
The table below lists the ports on which Sametime servers communicate with each
other. When these ports are open, Community Services and Meeting Services data
can pass between the two servers, and one Sametime server can invite the other to
a meeting.
Port 1503 (Meeting Services)
Port 1503 is the default "Meeting Server port for server connections." It is
configurable from Configuration - Connectivity - Network and Port Settings -
Meeting Services Network in the Sametime Administration Tool. The "Meeting
Server port for server connections" setting must be set to the same port number
on all of the Sametime servers. The servers must communicate on TCP/IP port
1503 to exchange Meeting Services data.

Port 1516 (Community Services)
The Community Services listen for direct TCP/IP connections from the
Community Services of other Sametime servers on this port. If you have installed
multiple Sametime servers, this port must be open for presence, chat, and other
Community Services data to pass between the servers. The communications that
occur on this port also enable one Sametime server to start a meeting on another
server (or "invite" the other server to the meeting).

Port 1352 (Notes RPC)
The servers must be able to communicate on port 1352 for replication to occur
between the Sametime servers. This is the port used for Notes and Domino
Remote Procedure Calls (RPCs).
About invited servers, audio/video, and client connectivity
When one Sametime server invites another Sametime server to a meeting that
includes interactive audio/video, the audio/video data is not transmitted between
the two Sametime servers. Instead, the user must connect to the Sametime server
on which a meeting was started and receive the audio/video streams directly from
that host server. For example, assume a meeting that includes chat, screen sharing,
and audio/video is started on Sametime server A and Sametime server A invites
Sametime server B to the meeting. A user can attend the meeting on Sametime
server B (the invited server) and receive the chat and screen sharing data from
Sametime server B. However, the user is redirected to Sametime server A for the
audio/video data.
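As an added example (not part of the Sametime documentation), the script below checks from one Sametime server that the three server-to-server ports listed above are reachable on each of its peers, and lists the blocked ones so the firewall change can be requested precisely. The peer host name in the main block is constructed; the check itself is a plain TCP connect with a timeout, which is enough to distinguish an open port from one that is filtered or closed but does not verify that a Sametime service is answering.

```python
"""Added example (not from the Sametime documentation): verify that the
server-to-server ports from the table above (1503 Meeting Services, 1516
Community Services, 1352 Notes RPC) are reachable from this host on every
other Sametime server in the community.

Assumptions: the peer list in the main block is constructed; run this from one
Sametime server against the others. A closed or filtered port is reported as
blocked rather than raising, so the output can drive a firewall change request.
"""
import socket

SERVER_TO_SERVER_PORTS = {
    1503: "Meeting Server port for server connections",
    1516: "Community Services server-to-server port",
    1352: "Notes/Domino RPC (directory replication)",
}


def port_open(host, port, timeout=3.0):
    """True if a TCP connect to host:port completes within timeout seconds."""
    try:
        with socket.create_connection((host, port), timeout=timeout):
            return True
    except OSError:
        # Connection refused, timed out, or host unreachable: all mean the
        # Sametime servers cannot talk on this port.
        return False


def check_server_ports(host, ports=SERVER_TO_SERVER_PORTS, timeout=3.0):
    """Map each required port to True (open) or False (blocked) for one peer."""
    return {port: port_open(host, port, timeout) for port in ports}


def missing_ports(results):
    """Sorted list of the ports that failed, for a firewall change request."""
    return sorted(port for port, ok in results.items() if not ok)


def loopback_listener():
    """Open a listening socket on an ephemeral loopback port (self-test aid)."""
    srv = socket.socket(socket.AF_INET, socket.SOCK_STREAM)
    srv.bind(("127.0.0.1", 0))
    srv.listen(1)
    return srv, srv.getsockname()[1]


if __name__ == "__main__":
    # Constructed peer list; replace with the other servers in your community.
    peers = ["sametimeserver2.west.example.com"]
    for peer in peers:
        results = check_server_ports(peer)
        for port, ok in sorted(results.items()):
            print("%s:%d %-45s %s" % (peer, port, SERVER_TO_SERVER_PORTS[port],
                                       "open" if ok else "BLOCKED"))
        if missing_ports(results):
            print("firewall must allow %s -> %s on TCP %s"
                  % (socket.gethostname(), peer, missing_ports(results)))
```

Run the check in both directions (each server toward each peer): a Community Services connection on 1516 or a replication connection on 1352 can be initiated from either side, so a rule that allows only one direction still leaves the community partially split.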
Next step:
Synchronize the Sametime server with the other Sametime servers deployed in the
environment, as described in the next topic.
Related reference
“Ports used by the Sametime Community Server” on page 35
IBM Lotus Sametime uses a number of ports on the server. This topic lists the
default ports and their uses.
Synchronizing the Sametime server with other Sametime servers:
When multiple Lotus Sametime servers are installed, you must synchronize the
Sametime servers to operate as a single community.
Domino Directory management for multiple Sametime servers:
This topic discusses managing IBM Lotus Domino Directories for multiple IBM
Lotus Sametime servers.
After you have installed a new Sametime server, the administrator should
determine how to manage the Directory for the Sametime community.
Use these recommendations to manage Domino Directories in multiple Sametime
server environments:
v If the Sametime server is installed into a Domino environment that uses only a
single Domino Directory, the Directory in which all Sametime servers are
registered must be replicated to each Sametime server.
v If the Sametime server is installed into a Domino environment that uses multiple
Domino Directories, the primary Domino Directory (the Directory in which the
Sametime server is registered) should be replicated to the Sametime server.
Directory Assistance should be set up on the Sametime server to access the other
Domino Directories of interest in the environment. The Sametime server can use
Domino Directory Assistance to obtain all needed Directory information from
the other Directories used in the environment. Ideally, the Directory Assistance
database should point to a Directory server that is dedicated to providing
Directory services. However, it is not a requirement that Directory servers be
used in a Sametime community that includes multiple Sametime servers.
For information on setting up Directory Assistance on the Sametime server, see
your Domino server Administration documentation. Use the same procedures to
set up Directory Assistance on a Sametime server that you use to set up
Directory Assistance on a Domino server. The Domino Administration
documentation is available from the Documentation Library at the following
Internet location: http://www.lotus.com/ldd/doc (and also in the Help
subdirectory of the Domino server on which Sametime is installed).
v Optionally, in a Domino environment that uses multiple Domino Directories, an
Extended Server Directory Catalog can be set up on the Sametime server to
enable the server to access Directory information from all directories of interest
in the environment. For more information on setting up an Extended Server
Directory Catalog for use with Sametime, see Alternate ways to share Directory
information across domains.
For more information about the Directory issues relevant to extending a single
Sametime community across multiple Domino domains, see Extending a single
Sametime community across multiple Domino domains.
Next step:
After determining your directory management strategy, assign users to the new
Sametime server.
Assigning users to the new Sametime server (setting the home Sametime server):
This topic discusses how the IBM Lotus Sametime administrator can assign users
to a new Sametime server, which designates that server as the user's "home" server.
To assign a user to the new Sametime server, enter the Sametime server name in
the Sametime server field in the Real-Time Collaboration section of a user's
Person document in the Domino Directory. This field identifies the "home"
Sametime server of each user.
Note: Only a portion of the users in your environment should be assigned to the
new Sametime server. For load balancing purposes, you should assign an equal
number of users to each Sametime server in your environment. The network
proximity of the user to the server is also a consideration when assigning users to
a home Sametime server. Generally, you should assign the user to the closest
Sametime server on the network.
To specify a home Sametime server, open the Domino Directory (Address Book),
go to the Real-Time Collaboration section of each user's Person document, and
enter the name of a Sametime server in the Sametime server field. If necessary,
you can create a simple agent to automate the process of populating the Sametime
server field in each user's Person document with the name of a Sametime server.
When entering the name of the Sametime server in the Sametime server field on
the Person document, you can enter the name in the abbreviated Domino
hierarchical format (for example sametime/west/example). When the name is typed
into the field, it is automatically converted to the full canonical format:
sametime/west/example is stored as cn=sametime/ou=west/o=example. This
conversion does not happen when the field is written by an agent, so it is
advisable to supply the server name in the full canonical format in all cases.
Community Services reads the server name from the Servers view ($Servers) of the
Domino Directory. The name entered in the Sametime server field on the Person
document must match the name of the Sametime server as it appears in the
Servers view of the Domino Directory. If you are using an agent to populate the
home Sametime server field, ensure that the agent writes the full canonical
name of the Sametime server.
Note also that a Sametime Connect client's Sametime Connectivity settings should
specify the same Sametime server as the Sametime server field on that user's
Person document. In the Sametime Connect client's Sametime Connectivity
settings, the server name must be specified using the DNS name or IP address of
the Sametime server (for example, sametime.example.com or 111.111.111.111).
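The following is an added example, not code from the Sametime documentation, showing what an agent that populates the Sametime server field must do: convert an abbreviated Domino name to the canonical form and confirm that the value matches a Sametime server in the Servers view before writing it. It assumes names use only CN, OU and O components (no country code), and the Person documents and Servers view entries are constructed sample data represented as dictionaries keyed by item name.

```python
"""Added example (not from the Sametime documentation): normalise a Domino
server name to canonical form and check a Person document's "Sametime server"
field against the names in the Servers ($Servers) view, as an agent that
populates the field should do before writing it.

Assumptions: names use only CN, OU and O components (no country code C);
the sample Person documents and Servers view below are constructed.
"""


def canonical_name(name):
    """'sametime/west/example' -> 'CN=sametime/OU=west/O=example'.

    Input that is already canonical (label=value components) is passed through
    with its labels upper-cased; a single component is treated as a flat name.
    """
    parts = [p.strip() for p in name.strip().split("/") if p.strip()]
    if not parts:
        raise ValueError("empty name")
    if all("=" in p for p in parts):
        out = []
        for p in parts:
            label, _, value = p.partition("=")
            out.append(label.strip().upper() + "=" + value.strip())
        return "/".join(out)
    if any("=" in p for p in parts):
        raise ValueError("mixed abbreviated and canonical components: " + name)
    if len(parts) == 1:
        return "CN=" + parts[0]
    # First component is the common name, last is the organisation, the rest
    # are organisational units (assumption: no country component).
    labels = ["CN"] + ["OU"] * (len(parts) - 2) + ["O"]
    return "/".join(label + "=" + part for label, part in zip(labels, parts))


def names_match(a, b):
    """Domino name comparison is case-insensitive."""
    return canonical_name(a).lower() == canonical_name(b).lower()


def check_home_servers(person_docs, servers_view):
    """Return {user: problem} for Person documents whose SametimeServer field
    does not name a Sametime server in the Servers view (empty dict = all ok).
    """
    known = [s["ServerName"] for s in servers_view if s.get("Sametime") == "1"]
    problems = {}
    for doc in person_docs:
        value = doc.get("SametimeServer", "")
        if not value:
            problems[doc["FullName"]] = "no home Sametime server assigned"
        elif not any(names_match(value, k) for k in known):
            problems[doc["FullName"]] = (
                "home server %r is not a Sametime server in the Servers view" % value)
    return problems


# Constructed sample data: the Servers view and a few Person documents.
SERVERS_VIEW = [
    {"ServerName": "CN=sametime/OU=west/O=example", "Sametime": "1"},
    {"ServerName": "CN=sametime/OU=east/O=example", "Sametime": "1"},
    {"ServerName": "CN=mail1/O=example", "Sametime": "0"},
]
PERSON_DOCS = [
    {"FullName": "CN=Ann Lee/O=example", "SametimeServer": "sametime/west/example"},
    {"FullName": "CN=Bob Ng/O=example", "SametimeServer": "CN=sametime/OU=east/O=example"},
    {"FullName": "CN=Cy Ruiz/O=example", "SametimeServer": "mail1/example"},
    {"FullName": "CN=Di Wu/O=example", "SametimeServer": ""},
]

if __name__ == "__main__":
    for user, problem in check_home_servers(PERSON_DOCS, SERVERS_VIEW).items():
        print(user, "->", problem)
    print(canonical_name("sametime/west/example"))
```

An agent that writes canonical_name(value) into the field, and refuses any value for which check_home_servers reports a problem, cannot leave a user pointed at a non-Sametime server or at a name that the Servers view does not contain.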
Extending a single Sametime community across multiple Domino domains
This section provides instructions and suggestions on how to link different IBM
Lotus Domino domains into a single IBM Lotus Sametime community. When
separate Domino domains are linked into a single Sametime community, users in
each domain can share presence and chat capabilities and participate in Sametime
meetings with users in the other domain.
Related concepts
“Alternate ways to share Directory information across domains” on page 68
This topic discusses the Directory information that is shared between IBM Lotus
Sametime servers and describes some alternate, more efficient ways to share
Directory information when connecting Sametime communities across multiple
IBM Lotus Domino domains.
Example of extending a single Sametime community across two Domino domains:
This topic provides an example of how to connect an IBM Lotus Sametime server
in an IBM Lotus Domino domain with another Sametime server within a different
Domino domain.
About this task
The procedure below provides an example of how one Sametime server in a
Domino domain can be linked with a different Sametime server operating in a
different Domino domain. Linking the two Sametime servers extends a single
Sametime community to both Domino domains.
When a single Sametime community is extended to both Domino domains:
v Users in one Domino domain can add users from the other Domino domain to
presence lists in Sametime clients and engage in Sametime communications with
users in the other domain.
v Users in the Sametime community can authenticate on either of the domains to
participate in Sametime meetings and communications.
v The Sametime server in one Domino domain can invite the Sametime server in
the other Domino domain to a meeting so that a single Sametime meeting can
be attended by users in both Domino domains.
Follow the procedures below to link two Sametime servers that operate in different
Domino domains:
Setting up the environment by cross-certifying servers:
You can extend a single IBM Lotus Sametime community across multiple IBM
Lotus Domino domains by cross-certifying the servers.
About this task
The example below describes the simplest way to cross-certify the two Sametime
servers. In this example, the two Sametime servers are Sametimeserver1/East and
Sametimeserver2/West. To cross-certify these servers, the West organization
certifier (/West) must obtain a cross-certificate for the East organization certifier
(/East) and the East organization certifier must obtain a cross-certificate for the
West organization certifier. These cross-certificates are stored in the Domino
Directories on the respective Sametime servers.
For more information about cross-certification, see the Domino Administration Help
database, available in the Help directory of any Domino server. Domino
administration documentation is also available from the Documentation Library at
www.lotus.com/ldd/doc.
Procedure
1. On Sametimeserver1/East, open the IBM Lotus Notes® client. From the
Microsoft Windows desktop click Start → Run and browse to
C:\Sametime\nlnotes.exe before clicking OK.
2. Click File → Database → Open and specify the Sametimeserver2/West server.
3. When prompted to accept a cross-certificate, confirm that the certifier named
in the prompt is the /West organization certifier you expect, and then click
OK. Accepting this prompt is what establishes trust with the other
organization, so do not accept a certifier you do not recognize.
4. Repeat steps 1 through 3, but this time use the Notes client on
Sametimeserver2/West to access Sametimeserver1/East, and accept the
cross-certificate for the /East organization certifier (the Sametimeserver1/East
server).
What to do next
Now that the servers are cross-certified, connect the communities.
Connecting the communities:
You can extend a single IBM Lotus Sametime community across two IBM Lotus
Domino domains by sharing Directory information between domains.
About this task
In this procedure, the administrator connects the Sametime communities by
ensuring that Directory information is shared between the two Domino domains
by following these steps:
Procedure
1. Replicating the Directories
2. Setting up Directory Assistance
In this example, the two Sametime servers that operate in different domains are
Sametimeserver1/East and Sametimeserver2/West.
Note: This example describes replicating the entire Directories of both domains.
There are more efficient ways to share Directory information between two Domino
domains when connecting the communities. For more information on alternate
methods for sharing the Directory information, see Alternate ways to share
Directory information across domains.
Step 1 - Replicating the Directories:
About this task
This procedure provides an example of replicating Directories between two
Sametime servers (Sametimeserver1/East and Sametimeserver2/West) operating in
different Domino domains.
Procedure
1. Using the IBM Lotus Notes client on Sametimeserver1/East, open the Directory
(names.nsf) on Sametimeserver2/West.
2. Click File → Replication → New Replica.
3. Specify Local for the Server and change the filename (names.nsf) to something
different, such as sametimeserver2west.nsf.
4. Select Create: Immediately to ensure that the database is created immediately,
and then click OK.
5. Repeat steps 1 through 4, except this time create a replica of the Directory
existing on Sametimeserver1/East on the Sametimeserver2/West server.
What to do next
After you have created replicas of the Directories on each Sametime server, you
must create Connection Documents to ensure the Directories replicate at regular
intervals. When creating the Connection Documents:
v For Connection Type, select Local Area Network.
v Complete the Destination Server, Source Domain, Destination Domain, and
Optional Network Address fields.
v For Replication Type, select Pull Push.
v In the Files/Directories to Replicate field, enter names.nsf.
v In the Schedule field, select Enabled.
Note: Be sure to create a Connection Document on each server. One Connection
Document should enable the names.nsf file on Sametimeserver1/East to replicate
to the sametimeserver1east.nsf file on the Sametimeserver2/West server. The
other Connection Document should enable the names.nsf file on
Sametimeserver2/West to replicate to the sametimeserver2west.nsf file on the
Sametimeserver1/East server.
After creating the Connection Documents, set up Directory Assistance on each of
the Sametime servers to ensure that each Sametime server can locate the
Directories you have just replicated.
Step 2 - Setting up Directory Assistance:
About this task
The procedures required for setting up Directory Assistance on each of the
Sametime servers are summarized below. For more information on Directory
Assistance, see the Domino Server Administration Help, available in the Help
directory on every Domino server, as well as at www.lotus.com/ldd/doc.
To set up Directory Assistance you must:
v Ensure that a Directory Assistance database is available on the Sametime server.
v Identify the Directory Assistance database on the Sametime server.
v Create a Directory Assistance Document within the Directory Assistance
database that points to the appropriate Directory.
Follow the procedures below to set up Directory Assistance:
Ensure that a Directory Assistance database is available on each Sametime server:
About this task
To ensure that a Directory Assistance database is available on each Sametime
server, you can either replicate an existing Directory Assistance database to the
Sametime server or create a new Directory Assistance database on the Sametime
server.
If a Directory Assistance database is already in use on Domino servers in the
domain, you can replicate the existing Directory Assistance database to the
Sametime server. To replicate an existing Directory Assistance database, follow the
normal Domino procedure for replicating a database. First create a new replica of
the Directory Assistance database on the Sametime server and then create a
Connection Document to schedule replication of the database. See the Domino
server Administration Help for more information on these procedures.
To create a new Directory Assistance database on each Sametime server:
Procedure
1. Start the Lotus Notes client.
2. Click File → Database → New.
3. Create the Directory Assistance database as you would any other Domino
database.
v Create the database on the Sametimeserver1/East server
v Provide a database name and filename for the Directory Assistance database
v Use the Directory Assistance template (da50.ntf) when creating the database
4. Repeat steps 1 through 3 to create a Directory Assistance database on the
Sametime server in the other domain (Sametimeserver2/West in this example).
5. Perform the procedure below to identify the Directory Assistance database on
each Sametime server.
Identify the Directory Assistance database on each Sametime server:
About this task
After replicating or creating the Directory Assistance databases on the Sametime
servers, you must identify the Directory Assistance databases on each server.
To identify a Directory Assistance database on each Sametime server:
Procedure
1. Start the Lotus Notes client.
2. Click Configuration → Server → All Server Documents.
3. Double-click the name of the Sametime server (Sametimeserver1/East) to open
the Server document.
4. If necessary, select the Basics tab of the Server document.
5. Click Edit Server.
6. In the Directory Assistance database name field, enter the filename (for
example, da.nsf) of the Directory Assistance database.
7. Click Save and Close.
8. Repeat this procedure to identify the Directory Assistance database on the
Sametime server in the other domain (Sametimeserver2/West in this example).
9. Perform the procedure below to create a Directory Assistance Document in each
Directory Assistance database.
Create a Directory Assistance Document in each Directory Assistance database:
About this task
You must create a Directory Assistance Document in each Directory Assistance
database on each Sametime server so that each Sametime server can access the new
Directory information that has been replicated to it.
To create a Directory Assistance document in the Directory Assistance database on
each Sametime server:
Procedure
1. From the Notes client:
v Click File → Database → Open.
v Select the Sametimeserver1/East server.
v Select the Directory Assistance database (default name is da.nsf).
v Click Open.
2. Click Add Directory Assistance.
In the Basics tab, enter these settings:
Domain type: Click Notes.
Domain name: Enter the name of the Domino domain associated with the
secondary Directory (the Directory that was replicated from the other domain
to this Sametime server). The domain name must be different from the primary
Notes domain and from all other domain names configured in Directory
Assistance.
Company name: Enter the name of your company.
Search order: A number representing the order in which this directory is
searched, relative to other directories in the Directory Assistance database.
Group expansion: The suggested setting is Yes. This setting enables Directory
Assistance to examine the contents of groups in the LDAP directory. This
capability is necessary if you enter the name of a group defined in the LDAP
directory in the ACL of a database on the Sametime server.
Nested group expansion: The suggested setting is Yes. This setting enables
Directory Assistance to examine the content of an LDAP directory group that is a
member of another LDAP directory group. This capability is also used when an
LDAP directory group name is entered in the ACL of a database on the Sametime
server.
Enabled: Set to Yes to enable Directory Assistance for this secondary
Directory.
3. Select the Rules tab and enter these settings.
Rule #: One or more rules that describe the names in the directory. By default,
the first rule contains all asterisks, indicating all names in the Directory.
Enabled: Choose No to disable a specific rule, or Yes to enable it. By default,
the first rule is enabled.
Trusted for Credentials: Choose Yes to allow Domino to use this Directory to
authenticate web clients. This makes the replicated directory a source of
accepted credentials on the Sametime server, so choose Yes only where users
from the other domain are meant to authenticate here (as in this example), and
leave it at No for directories that are consulted only for name lookup.
4. Select the Replicas tab and do the following:
Database Links: Open the replica of the secondary directory, and then click
Edit → Copy As Link → Database Link. Select the Database links field, and then
click Edit → Paste.
For example, assume you are creating the Directory Assistance document in the
Directory Assistance database on the Sametimeserver1/East server and you have
replicated the directory file named sametimeserver2west.nsf to the
Sametimeserver1/East server. In this example, you must open the
sametimeserver2west.nsf file and copy the file as a Database Link. Paste this
Database Link into the Database links field in the Directory Assistance
Document you are creating in the Directory Assistance database on the
Sametimeserver1/East server.
Conversely, when creating a Directory Assistance Document on the
Sametimeserver2/West server, you would open the directory file
sametimeserver1east.nsf, copy the file as a Database Link, and paste the link
into the Database links field.
5. You must repeat this procedure to create a Directory Assistance document in
the Directory Assistance database on the Sametime server in the other domain
(Sametimeserver2/West in this example).
Alternate ways to share Directory information across domains:
This topic discusses the Directory information that is shared between IBM Lotus
Sametime servers and describes some alternate, more efficient ways to share
Directory information when connecting Sametime communities across multiple
IBM Lotus Domino domains.
The example procedure for extending a single Sametime community across two
Domino domains earlier in this section explains how you can share Directory
information to connect two Sametime communities.
When extending a single Sametime community across multiple Domino domains,
each Sametime server that is part of the community must have access to the
following Directory information for the other domain(s):
v Person documents
v Group documents
v Server documents - The following fields in the Server document are needed for
each Sametime server to support online presence (or awareness) between
servers:
  - Server name - This field in the Basics tab of the Server document must
    contain the name of the Sametime server.
  - Is this a Sametime server? - This field in the Basics tab of the Server
    document must be set to Yes to indicate that the Server document describes
    a Sametime server.
  - Port - This field in the Ports → Notes Network Ports tab of the Server
    document must be set to TCPIP.
  - Net Address - This field in the Ports → Notes Network Ports tab must
    contain the TCP/IP address (for example, sametime.example.com) of the
    Sametime server.
To share this Directory information, each domain must replicate the information to
the other domains that comprise the Sametime community. In the example scenario
described in Example of extending a single Sametime community across two
Domino domains, the entire Directories of two separate Domino domains are
replicated between the two Sametime servers. The Domino components of
Sametime provide features that you can use to replicate the Directory information
in a more efficient manner. You can use either of the following alternate techniques
to share Directory information across Domino domains.
v Selective replication of Directory information across domains
v Set up Extended Directory Catalogs to share Directory information across
domains
Each technique is discussed briefly below.
Selective replication of Directory information across domains
Instead of replicating the entire Domino Directory between domains, you can use
selective replication to replicate only the Person, Group, and Server documents. For
example, you can open the Directory database to be replicated to the other domain
and use the Replication Settings to replicate a subset of the documents contained
in the database. Use a selection formula, such as
(Type="Person")|(Type="Group")|(Type="Server" & Sametime="1")
to ensure that only the Person, Group, and Server documents (for which the Is
this a Sametime server? field is set to Yes) are replicated. Replicating only
these documents also keeps every other document type in the Directory (for
example, Connection and Configuration documents) from being copied into the
other domain.
For more information on selective replication, see the Domino Server Administration
Help, available in the Help directory on every Domino server as well as in the
Documentation Library at www.lotus.com/ldd.
Using Extended Directory Catalogs to share Directory information across
domains
An Extended Directory Catalog is another Domino feature that can be used to
share Directory information when a Sametime community is extended across
multiple Domino domains. The Extended Directory Catalog feature allows you to
aggregate directory information from several different Domino directories,
including directories for different Domino domains, into a single directory catalog.
The servers are then configured to access the Extended Server Directory catalog for
directory information.
Before using this feature, the administrator should read the documentation in
Domino Server Administration Help that explains the function and set up of
Extended Server Directory Catalogs. This documentation is available in the Help
directory on every Domino server as well as in the Documentation Library at
www.lotus.com/ldd.
You can follow the procedures in the Domino administration documentation to set
up an Extended Server Directory Catalog on the Sametime server. When setting up
the Extended Server Directory Catalog to be used by Sametime, note the following
when creating the Configuration document for the Extended Server Directory
Catalog.
v The Configuration document contains an Additional fields to include list in the
Basics tab. The following field names must be present in the Additional fields
to include list to ensure that all information needed by Sametime is available
in the Extended Server Directory Catalog:
  ServerName - Server name field in the Basics section of the Server document.
  ServerTitle - Server title field in the Basics section of the Server
    document.
  Domain - Domain name field in the Basics section of the Server document.
  ServerBuildNumber - Server build number field in the Basics section of the
    Server document.
  Administrator - Administrator field in the Basics section of the Server
    document.
  ServerPlatformDisplay - Operating system field in the Basics section of the
    Server document.
  Sametime - Is this a Sametime server? field in the Basics section of the
    Server document.
  Port_0 - Port_7 - Ports fields in the Ports → Notes Network Ports section of
    the Server document. The Port_0 field is required. For completeness, it is
    recommended that you list all eight Ports fields (Port_0 through Port_7).
  Protocol_0 - Protocol_7 - Protocol fields in the Ports → Notes Network Ports
    section of the Server document. For completeness, it is recommended that
    you list all eight Protocol fields (Protocol_0 through Protocol_7).
  NetName_0 - NetName_7 - Notes Network fields in the Ports → Notes Network
    Ports section of the Server document. For completeness, it is recommended
    that you list all eight Notes Network fields (NetName_0 through NetName_7).
  NetAddr_0 - NetAddr_7 - Net Address fields in the Ports → Notes Network Ports
    section of the Server document. The NetAddr_0 field is required. For
    completeness, it is recommended that you list all eight Net Address fields
    (NetAddr_0 through NetAddr_7).
  Enabled_0 - Enabled_7 - Enabled fields in the Ports → Notes Network Ports
    section of the Server document. The Enabled_0 field is required. For
    completeness, it is recommended that you list all eight Enabled fields
    (Enabled_0 through Enabled_7).
  SametimeServer - Sametime server field in the Administration section of the
    Person document.
v The Advanced tab of the Configuration document provides a Selection formula
(do not include form) setting that enables you to specify a selection formula to
ensure that only the Directory documents required by Sametime are used when
the "Dircat" task creates the Directory Catalog. The selection formula for
selecting only the documents required by Sametime is:
(Type = "Person") | (Type = "Group") | (Type = "Server" & Sametime = "1")
Creating a cluster of Lotus Sametime Community Servers
IBM Lotus Sametime Community Server clusters provide load balancing and
failover functionality for large communities and are part of an IBM Lotus Domino
server cluster. Six Domino servers is the maximum number of servers in a cluster,
which means the number of Sametime servers in a cluster is also six. Generally, the
largest communities can be supported with fewer than six Sametime servers
operating in a cluster.
Each Lotus Sametime server must belong to just one cluster. Two or more clusters
pointing to the same Sametime Server is not supported.
This section explains how to cluster a group of Lotus Sametime Community
servers, using the example of clustering two servers.
Setting up the Sametime Community Server cluster
Create a Domino server cluster, then register Community Servers in the cluster.
Replicating the Domino Directory across all servers in the cluster:
Ensure that the Sametime Community servers in the cluster are part of the same
Domino domain by registering them in the same Domino Directory and replicating
the directory with all servers in the cluster.
About this task
The Domino Directory must replicate to all Sametime Community Servers to
ensure proper functioning of the Domino servers on which Sametime is installed.
This is a requirement even if you are maintaining the user community in an LDAP
directory on a separate server that is not part of the cluster.
Procedure
Creating a Domino server cluster:
A Lotus Sametime Community Server cluster runs on Domino. If you are
unfamiliar with the functioning of Domino clusters, see the Lotus Domino
Administrator Help, available from the Documentation Library at
www.lotus.com/ldd.
Before you begin
1. Install the Sametime Community Servers that will be part of the cluster, as
described in Installing a Lotus Sametime Community Server and supporting
software.
2. Replicate the Domino Directory across all servers in the cluster.
3. Verify that you have at least "Author" access and "Delete Documents" rights
specified in the Domino Directory's ACL, and at least "Author" access in the
Administration Requests database ACL.
About this task
Follow these basic steps to create a Lotus Sametime Community Server cluster
running on Domino.
Procedure
1. On one of the Sametime servers, start the Domino administrator client.
To start this client on a Microsoft Windows machine, click Start → Run and type
nlnotes.exe adminonly.
2. When the administrator client starts, make sure the Sametime server is the
current server.
3. Click the Configuration tab.
4. In the Tasks pane, expand Server and click All Server Documents.
5. In the Results pane, select the servers you want to add to the cluster. Select
both Sametime servers that you installed in the previous step.
6. Click Add to Cluster.
7. In the Cluster Name dialog box, click Create New Cluster, and then click OK.
8. Type the name of the new cluster and then click OK.
9. Choose Yes to add the servers to the cluster immediately. The cluster
information is immediately added to the Domino Directory of the server that
you used to create the cluster.
Results
If the server you used to create the Domino cluster is part of the cluster, the server
immediately starts the cluster processes and replicates its Domino Directory with
another server in the cluster. This process informs other servers in the cluster that
they are a part of the cluster. If you did not use a cluster member to create the
cluster, this process starts when the Domino Directory of the server you used to
create the cluster replicates with the Domino Directory of a server in the cluster.
Verifying that a cluster was created properly:
About this task
You can do the following to verify the cluster was created correctly:

Action:
From the Domino Administrator, expand Clusters in the Server pane.
What you should see:
The name of the cluster followed by the names of the cluster servers.

Action:
1. From the Domino Administrator, click the Configuration tab, expand Cluster,
   and then click Clusters.
2. In the Results pane, open the Server documents of the servers you added to
   the cluster.
What you should see:
1. The name of the cluster followed by the names of the cluster servers
   displayed in the Results pane.
2. The name of the cluster in the Cluster name field on the Basics tab.

Action:
From the Domino Administrator, click a cluster server in the Server pane, and
then click the Server - Status tab.
What you should see:
CLDBDIR (the Cluster Database Directory Manager) and CLREPL (the Cluster
Replicator) in the Task list.

Action:
From the Domino Administrator, click a cluster server in the Server pane, and
then click the Files tab.
What you should see:
The title "Cluster Directory" and the file name "cldbdir.nsf" to show that
Domino created the Cluster Database Directory.

Action:
Compare the replica IDs of the Cluster Database Directories on each cluster
server.
What you should see:
The same replica ID on each server.
Creating a cluster document in the Configuration database (stconfig.nsf):
The cluster document enables the servers in a cluster to operate as part of the
cluster, and enables servers outside of the cluster (but still within the community)
to communicate with the cluster.
About this task
Creating a cluster document in the IBM Lotus Sametime Configuration database
(stconfig.nsf) is one of the tasks associated with Setting up a Community Services
cluster without clustering the Meeting Services.
The Sametime administrator must manually create a cluster document in the
Sametime Configuration database (stconfig.nsf) on a Sametime server in the
Community Services cluster. The cluster document defines the Community Services
cluster.
The cluster document stores the following information:
v The Community Services cluster name.
v The DNS name assigned to the rotating DNS system or IBM WebSphere Edge
Server that performs the load-balancing operations.
v A list of all servers in the Community Services cluster.
To create the cluster document in the Sametime Configuration database:
Procedure
1. Using an IBM Lotus Notes client, open the Sametime Configuration database
(stconfig.nsf) that replicates between the Sametime servers in the cluster.
2. Click Create → Cluster Information.
3. In the Cluster Name field, type the cluster's name.
The cluster is named at your discretion. You can name the cluster after one of
the servers in the cluster, but it is not mandatory. If you do name the cluster
after one of the servers in the cluster, keep the following points in mind:
v You might save time when you add the cluster name to the Sametime server
field of each user's Person document to configure client connectivity because
users will already have that server name listed in their Person documents (or
LDAP directory person entries).
v Use the IBM Domino full canonical name of the server when entering the
name in the Cluster Name field (for example,
cn=servername/ou=organizational unit/o=organization).
v The cluster name must not contain a comma.
4. In the DNS Name field, enter the fully qualified DNS name for the cluster. This
name must be the DNS name of the rotating DNS system or the WebSphere
Edge Server Network Dispatcher that performs the load balancing operations
for the clustered Community Services.
5. In the List of Servers in Cluster field, type the names of all the servers that are
part of the cluster. The names must be entered in the IBM Lotus Domino full
canonical name format (do not use the fully qualified DNS names in this field).
Separate the server names with a semicolon and a space, as in:
cn=sametimeserver1/ou=west/o=acme; cn=sametimeserver2/ou=west/o=acme
6. Save and close the cluster document.
Leave the Configuration database open. In the next procedure, you will copy
the new Cluster Information document to all other Sametime servers within the
Sametime community.
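The field rules above (no comma in the cluster name, a fully qualified DNS name for the load balancer, Domino full canonical server names separated by a semicolon and a space, never DNS names) are easy to get wrong when the document is typed by hand, and the same rules apply when a server is later added to the list. The following checker is an added example, not IBM code; the field keys ClusterName, DNSName and Servers are assumed names for the three fields of the Cluster Information document, and the sample values are constructed.

```python
"""Validate the fields of a Sametime Cluster Information document (stconfig.nsf).

Added example, not IBM tooling. The dict keys ClusterName, DNSName and
Servers are assumed names for the three fields; sample values are constructed.
"""
import re

# Domino full canonical name, e.g. cn=sametimeserver1/ou=west/o=acme.
# ou components are optional and may repeat; cn and o are required.
CANONICAL_RE = re.compile(r"^cn=[^/,]+(?:/ou=[^/,]+)*/o=[^/,]+$", re.IGNORECASE)
# Conservative FQDN check: dot-separated labels of letters, digits and hyphens.
FQDN_RE = re.compile(
    r"^(?=.{1,253}$)(?:[a-z0-9](?:[a-z0-9-]*[a-z0-9])?\.)+[a-z0-9-]+$", re.IGNORECASE)


def parse_server_list(field):
    """Split the 'List of Servers in Cluster' field and check each entry.
    Returns (servers, problems); problems is empty when the field is well formed."""
    problems = []
    if not field.strip():
        return [], ["server list is empty"]
    # The guide asks for '; ' between names; tolerate a bare ';' but report it.
    if ";" in field and "; " not in field:
        problems.append("server names must be separated by a semicolon and a space")
    servers = [s.strip() for s in field.split(";") if s.strip()]
    for s in servers:
        if not CANONICAL_RE.match(s):
            if FQDN_RE.match(s):
                problems.append(f"{s!r} looks like a DNS name; use the Domino full canonical name")
            else:
                problems.append(f"{s!r} is not a Domino full canonical name")
    if len({s.lower() for s in servers}) != len(servers):
        problems.append("duplicate server names in list")
    return servers, problems


def validate_cluster_document(doc):
    """doc maps ClusterName, DNSName and Servers to the field text.
    Returns a list of problems; an empty list means the document passes."""
    problems = []
    name = doc.get("ClusterName", "").strip()
    if not name:
        problems.append("Cluster Name is empty")
    elif "," in name:
        problems.append("Cluster Name must not contain a comma")
    dns = doc.get("DNSName", "").strip()
    if not FQDN_RE.match(dns):
        problems.append("DNS Name must be the fully qualified DNS name of the "
                        "rotating DNS system or Network Dispatcher")
    servers, list_problems = parse_server_list(doc.get("Servers", ""))
    problems.extend(list_problems)
    # A cluster named after one of its servers should list that server as a member.
    if CANONICAL_RE.match(name) and servers and name.lower() not in (s.lower() for s in servers):
        problems.append("Cluster Name is a server's canonical name but that server is not in the list")
    return problems


if __name__ == "__main__":
    # Constructed sample documents: one correct, one with typical mistakes.
    good = {"ClusterName": "cn=sametimeserver1/ou=west/o=acme",
            "DNSName": "cscluster.sametime.com",
            "Servers": "cn=sametimeserver1/ou=west/o=acme; cn=sametimeserver2/ou=west/o=acme"}
    bad = {"ClusterName": "west,cluster",
           "DNSName": "cn=lb/o=acme",
           "Servers": "sametimeserver1.acme.com;cn=sametimeserver2/ou=west/o=acme"}
    for d in (good, bad):
        print(d["ClusterName"], "->", validate_cluster_document(d) or "OK")
```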
Copying a cluster document to all Sametime Community servers:
Each Sametime Community server cluster has a Cluster Information document,
which was created on one Sametime server in the cluster. Every server in the IBM
Lotus Sametime community must have a copy of this Cluster Information
document, even if the server is not part of a cluster. The document allows users to
share presence and instant messaging capabilities with all other users in the
community, regardless of their home server assignment.
About this task
If you have multiple clusters in a single community, there are multiple Cluster
Information documents and every server in the community must have a copy of all
of them. Creating separate clusters for different locations is more efficient because
you avoid replicating databases in real-time across a WAN connection. For
example, you could have one cluster for your Dublin office users and another for
your Paris office users.
Follow these steps to copy each Cluster Information document to all other
Sametime Community servers in the community.
Important: Do not replicate the Configuration database. The Configuration
database contains some fields that cannot be replicated to all Sametime servers in a
community.
Procedure
1. If necessary, open the Sametime Configuration database (stconfig.nsf) in which
you created the Cluster Information document that defines the cluster.
2. Copy the Cluster Information document:
a. Locate "Cluster Information" in the Form Name column of the
Configuration database.
b. In the Cluster Information's Last Modified Date column, right-click on the
date that represents the Cluster Information document you want to copy.
c. Select Copy.
d. Click File → Close to close the Configuration database.
3. Paste the Cluster Information document into the Configuration database on
each Sametime server in the community:
a. From the Lotus Notes client, click File → Database → Open.
b. In the Server field, type the name of another Sametime server in the
community.
c. Click Open.
d. In the Database list, select the Configuration database (stconfig.nsf).
e. Click Open.
f. Click Edit → Paste to paste the Cluster Information document into the
Configuration database on this Sametime server. The document name and
date will appear in the Last Modified Date column of Form Name section
in the Configuration database.
g. Save and close the Configuration database.
4. Repeat step 3 for every Sametime server in the Sametime community.
5. Repeat this set of steps until all Cluster Information documents have been
copied to all servers in the community.
What to do next
Ensure that clients can access the Community Services cluster by configuring client
connectivity for the Community Services cluster.
Registering a Community Server cluster on AIX, Linux, Solaris, and Windows:
After configuring a cluster of Lotus Sametime Community Servers on IBM AIX,
Linux, Sun Solaris, or Microsoft Windows, register the cluster with the Lotus
Sametime System Console, so you can manage all of the Lotus Sametime servers
from a central location.
Before you begin
Make sure each of these servers is ready for the cluster registration task:
v Each of the Lotus Sametime Community Servers in the cluster must be
registered with the Lotus Sametime System Console (which occurred when you
used a deployment plan to install them)
v Each Community Server must be started.
v The Lotus Sametime System Console must be started.
v The LDAP server must be started, and must be connected to the Lotus Sametime
System Console.
Procedure
1. If you just configured cluster settings for a group of Lotus Sametime
Community Servers, restart all of the cluster members now so the cluster goes
into effect before you continue.
2. Run the registration utility using the following command:
   AIX and Solaris: registerSTCluster.sh
   Linux: /your_path/notesdata/console/registerSTCluster.sh
   Windows: registerSTCluster.bat
3. As the registration utility runs, you will be prompted to enter the following
information:
Cluster name
   Type the name you created when you configured the cluster, and press Enter.
Location of notes.ini file
   Type the full path to the directory containing the notes.ini file, and press
   Enter. For example, on Windows: C:\Lotus\Domino
Lotus Domino administrator user name
   This is the account that you use to manage the upgraded Lotus Sametime
   Community Server from the Community Server Administration Tool. Type the
   Lotus Domino administrator's user name, and press Enter.
Lotus Domino administrator password
   Type the password associated with the Lotus Domino administrator user
   account, and press Enter.
The utility registers the server, generating a log file called ConsoleUtility.log
and storing it in the console/logs directory.
4. Restart the Lotus Sametime Community Server where you ran the registration
utility.
Registering a Community Server cluster on IBM i:
After configuring a cluster of IBM Lotus Sametime servers on IBM i, register the
cluster with the Lotus Sametime System Console so you can manage all of the
Lotus Sametime servers from a central location.
Before you begin
Make sure each of these servers is ready for the cluster registration task:
v Each of the Lotus Sametime Community Servers in the cluster must be
registered with the Lotus Sametime System Console, and must be started.
v The Lotus Sametime System Console must be started.
v The LDAP server must be started, and must be connected to the Lotus Sametime
System Console.
Procedure
1. Verify that each of the servers in the cluster has been registered with the Lotus
Sametime System Console.
2. If you just configured cluster settings for a group of Lotus Sametime
Community Servers, restart all of the cluster members now so the cluster goes
into effect before you continue.
3. Complete the following steps for each server in the cluster to verify each server
document's Net Address field:
a. From a Lotus Notes client, open the Server document for the Lotus
Sametime Community Server you are working on.
b. Click the Ports tab.
c. Click the Notes Network Ports tab and check the Net Address field:
This field should contain the fully qualified host name of the current Lotus
Sametime Community Server. If the field contains an IP address change it
now.
d. Click Save if you made a change, and then click Close to close the Server
document.
e. If you changed the Server document, restart the server.
f. Remember to repeat this task for every server in the cluster.
4. Now run the registerSTCluster.sh registration utility from one of the servers
in the cluster:
a. From an IBM i command line, run the following command to start the
QShell Interpreter: QSH
b. Navigate to the server's sametime_server_data_directory/console console
directory; for example: cd /stserver/data/console.
c. Run the shell script:
registerSTCluster.sh
d. As the registration utility runs, you will be prompted to enter the following
information:
Cluster name
   Type the name you created when you configured the cluster, and press Enter.
Location of notes.ini file
   Type the full path to the Sametime Community Server data directory
   containing the notes.ini file (for example, /stserver/data), and press
   Enter.
Lotus Domino administrator user name
   This is the account that you created for managing the Lotus Sametime
   Community Server from the Community Server Administration Tool. Type the
   Lotus Domino administrator's user name, and press Enter.
Lotus Domino administrator password
   Type the password associated with the Lotus Domino administrator user
   account, and press Enter.
e. When the registration script completes, press F3 to exit QSH.
The utility registers the cluster, generating a log file called
ConsoleUtility.log and storing it in the console/logs directory.
5. Restart the Lotus Sametime Community Server where you ran the registration
utility.
Creating a community ID for all nodes in a cluster:
To ensure that clients recognize all nodes in a cluster as belonging to a single
community, you must add an ST_COMMUNITY_ID value to sametime.ini.
About this task
Follow these steps to add the same ST_COMMUNITY_ID parameter to each
Community Server node in a cluster. Doing so prevents clients from creating
redundant communities for servers that are in the same cluster.
Procedure
1. Open a text editor on the Lotus Sametime Community Server.
2. Open the sametime.ini file located in the Lotus Sametime Community Server
installation directory. The default directories are listed below:
v AIX: /local/notesdata
v Linux: /local/notesdata
v Solaris: /local/notesdata
v Windows: C:\Lotus\Domino
3. In the [Config] section, add the community ID. The value can be any
descriptive string, not necessarily a domain name. Use this syntax:
ST_COMMUNITY_ID=community_name
For example, the following value names the community sametime.example.com:
ST_COMMUNITY_ID=sametime.example.com
4. Save the sametime.ini file.
5. Repeat the procedure for every Community server in the cluster.
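Because the value has to be identical on every node, it is worth scripting the edit and then comparing the files collected from all cluster members. The following is an added example, not IBM's tooling: it edits sametime.ini line by line (rather than with configparser) so that the other keys, their case and their order are preserved, and it flags any node whose ST_COMMUNITY_ID is missing or different; the sample ini fragments are constructed, with placeholder keys.

```python
"""Set ST_COMMUNITY_ID in the [Config] section of sametime.ini and check that
every node in a cluster carries the same value.

Added example, not IBM code. Works on the file text line by line so that
unrelated keys and their order are left untouched. Sample ini text is constructed.
"""
import re

KEY = "ST_COMMUNITY_ID"
SECTION_RE = re.compile(r"^\s*\[(?P<name>[^\]]+)\]\s*$")


def set_community_id(ini_text, community_id):
    """Return ini_text with ST_COMMUNITY_ID=community_id in [Config].
    Updates an existing key in place, appends it to [Config] if missing, and
    creates [Config] if the section does not exist. Running it twice is a no-op."""
    if not community_id.strip():
        raise ValueError("community id must be a non-empty string")
    out, section, done, config_end = [], None, False, None
    for line in ini_text.splitlines():
        m = SECTION_RE.match(line)
        if m:
            if section == "config" and not done:
                # Remember where [Config] ends, stepping back over blank lines.
                config_end = len(out)
                while config_end > 0 and not out[config_end - 1].strip():
                    config_end -= 1
            section = m.group("name").strip().lower()
        elif section == "config" and not done:
            key, sep, _ = line.partition("=")
            if sep and key.strip().upper() == KEY:
                line = f"{KEY}={community_id}"
                done = True
        out.append(line)
    if not done:
        entry = f"{KEY}={community_id}"
        if section == "config":            # [Config] is the last section
            out.append(entry)
        elif config_end is not None:       # [Config] is followed by other sections
            out.insert(config_end, entry)
        else:                              # no [Config] section at all
            out.extend(["", "[Config]", entry])
    return "\n".join(out) + "\n"


def get_community_id(ini_text):
    """Return the ST_COMMUNITY_ID value from [Config], or None if absent."""
    section = None
    for line in ini_text.splitlines():
        m = SECTION_RE.match(line)
        if m:
            section = m.group("name").strip().lower()
            continue
        if section == "config":
            key, sep, value = line.partition("=")
            if sep and key.strip().upper() == KEY:
                return value.strip()
    return None


def check_cluster_consistency(node_inis):
    """node_inis maps a node name to its sametime.ini text. Returns the sorted
    names of nodes whose ST_COMMUNITY_ID is missing or differs from the single
    value the other nodes share; if the nodes disagree, every node is listed.
    Clients treat such nodes as a separate (redundant) community."""
    ids = {node: get_community_id(text) for node, text in node_inis.items()}
    values = {v for v in ids.values() if v is not None}
    reference = next(iter(values)) if len(values) == 1 else None
    return sorted(node for node, v in ids.items() if v is None or v != reference)


if __name__ == "__main__":
    # Constructed sametime.ini fragment with placeholder keys.
    sample = "[Debug]\nEXAMPLE_SETTING=1\n\n[Config]\nOTHER_SETTING=x\n\n[Other]\nY=2\n"
    node1 = set_community_id(sample, "sametime.example.com")
    print(node1)
    print("inconsistent nodes:", check_cluster_consistency({"node1": node1, "node2": sample}))
```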
Configuring client connectivity for a Lotus Sametime Community Server
cluster:
After you have created and named the Community Server cluster, ensure that the
clients can connect to the cluster.
The configuration fields that affect client connectivity are:
v The "Sametime server" field of the user's Person document in the Domino
Directory, or a Sametime cluster field you have added to an LDAP directory.
Note: Sametime uses this field to ensure that a user connects to one of the
Sametime servers in the Community Server cluster. This field serves the same
purpose as the "home Sametime server" field in the single-server approach to
Community Server deployment that was used in previous Sametime releases.
v The "Host" field in the Sametime Connect client.
Adding the cluster name to a field in each user's Person entry in the LDAP
directory
When the Sametime servers are configured to connect to an LDAP directory on an
LDAP server (as in this example), the administrator can do one of the following:
v Manually add a field to the LDAP directory to contain the name of the
Community Server cluster. The added field must exist in the Person record of
every Sametime user in the LDAP directory.
v Use an existing field in the LDAP directory to hold the name of the Community
Server cluster. This field must exist in the Person record of every Sametime user
in the LDAP directory. In this case, you must specify the cluster name in this
field in the LDAP directory.
Note: This example uses the "Sametime server" field of each user's Person
document in the Domino Directory as the field that holds the Sametime cluster
name. The field you select to hold the name of the Community Server cluster
must be specified in the LDAP Directory-Authentication-Name of the Home
Server attribute setting in the Sametime Administration Tool. In this example,
the "Sametime server" field was specified when you configured the connection to
the LDAP server when installing the Sametime servers.
To complete the example, you can enter the cluster name in the "Sametime
server" field of each user's Person document in the Domino Directory on the
Domino LDAP server. Note that you defined the cluster name when creating a
cluster document in the Configuration database.
If you used a server name as the cluster name, you can enter the server name in
the Domino hierarchical name format (sametimeserver1/west/acme) when
entering the name in the Sametime server field of the Person document.
Configuring the "Host" field for Sametime Connect clients
The Sametime Connect client attempts to connect to the network address specified
in the Options-Preferences-Sametime Connectivity-Host field of the Sametime
Connect client. The users in the Sametime community must enter the DNS name or
IP address of the load-balancing mechanism for the Community Server cluster in
the "Host" field of their Sametime Connect clients:
v If you have set up a rotating DNS system for load balancing, users must specify
the DNS name (for example, sametime.cscluster.com) of the rotating DNS system
in this field.
v If you have set up a WebSphere Edge Server to perform load balancing, users
must enter the IP address or DNS name of the WebSphere Edge Server machine
in this field.
Running the client packager application
You can run the Sametime client packager application on a Sametime server to
ensure that each Sametime Connect client downloaded from a Sametime server is
pre-configured with the appropriate connectivity settings for your environment,
including the Host name setting required to connect to the rotating DNS system or
WebSphere Edge Server. For more information, see "Sametime Server Installation."
Connectivity issues associated with a rotating DNS setup
If DNS resolve requests are cached, users might experience some problems when
reconnecting following a server failure. For more information on connectivity
issues associated with using a rotating DNS setup to accomplish load balancing,
see Rotating DNS Limitations with cached DNS resolve requests.
Setting up the load-balancing mechanism (rotating DNS or
Network Dispatcher)
The way in which you set up the load-balancing mechanism varies slightly
depending on whether you have deployed Community Server multiplexers on
separate machines.
Setting up the load-balancing mechanism without separate multiplexers:
If you have not deployed Community Server multiplexers on separate machines,
you have two choices for setting up the load balancing mechanism.
v Set up a rotating DNS system to accomplish load balancing. Use rotating DNS to
associate the IP addresses of the Sametime server machines to a single DNS
name.
For example, associate the IP address of Sametime server 1 (11.22.33.66) and
Sametime server 2 (11.22.33.77) to the DNS name cscluster.sametime.com.
v Set up an IBM WebSphere Edge Server (Network Dispatcher) in front of the
Sametime servers that you intend to cluster. Use the WebSphere Edge Server
Network Dispatcher to distribute connections to the Sametime Community
servers. For more information, see the WebSphere Edge Server documentation,
available at the website www.redbooks.ibm.com (and also provided with the
WebSphere Edge Server).
The diagram below shows the Sametime servers with the rotating DNS system in
place. Note that the WebSphere Edge Server can be used in place of the rotating
DNS system.
Setting up the load-balancing mechanism with stand-alone multiplexers:
If you have deployed stand-alone Community Server multiplexers, you have two
choices for setting up the load balancing mechanism.
v Set up a rotating DNS system to accomplish load balancing. Use rotating DNS to
associate the IP addresses of the Community Services multiplexer machines to a
single DNS name.
For example, associate the IP address of Multiplexer Machine 1 (11.22.33.44) and
Multiplexer Machine 2 (11.22.33.55) to the DNS name cscluster.sametime.com.
v Set up a WebSphere Edge Server (Network Dispatcher) in front of the Sametime
servers that you intend to cluster. Use the WebSphere Edge Server Network
Dispatcher to distribute connections to the multiplexer machines. For more
information, see the WebSphere Edge Server documentation, available at the
website www.redbooks.ibm.com (and also provided with the WebSphere Edge
Server).
The diagram below shows the Community Services multiplexers with the rotating
DNS system in place. Note that the WebSphere Edge Server can be used in place of
the rotating DNS system.
Rotating DNS Limitations with cached DNS resolve requests:
This section describes some of the limitations related to setting up a rotating DNS
system to load balance connections to the IBM Lotus Sametime Community
Services cluster.
Ideally, as users connect to the rotating DNS system, consecutive attempts to
resolve a cluster name will result in an even distribution of connections to the
servers in the cluster. In practice, the DNS caching mechanism can cause Sametime
Connect to repeatedly attempt connections to the same server in the cluster. If a
server fails, and the DNS resolve requests are cached, IBM Lotus Sametime
Connect might attempt to reconnect to the server that is down instead of failing
over to a different server.
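The mechanism is simple to model: the rotating DNS name hands out member addresses in turn, but a client-side resolver cache keeps returning the first answer until its TTL expires, so a client whose server has just failed keeps retrying the dead address. The simulation below is an added example, not part of the guide; the cluster name and the 11.22.33.66 / 11.22.33.77 addresses are the constructed values used elsewhere in this section, and the TTL stands in for the client's DNS cache lifetime (the setting the MaxCacheEntryTtlLimit registry value controls on Windows).

```python
"""Simulate why cached DNS answers defeat failover behind a rotating DNS name.

Added example, not IBM code. Addresses and the cluster name are constructed
sample values; the resolver cache TTL models the client's DNS cache lifetime.
"""
from itertools import cycle

CLUSTER_NAME = "cscluster.sametime.com"
MEMBERS = ["11.22.33.66", "11.22.33.77"]   # constructed Sametime server addresses


class RotatingDns:
    """Authoritative side: each lookup of the cluster name returns the next member."""

    def __init__(self, name, addresses):
        self.name = name
        self._rotation = cycle(addresses)

    def resolve(self, name):
        if name != self.name:
            raise KeyError(name)
        return next(self._rotation)


class CachingResolver:
    """Client side: answers from its cache until ttl_seconds have elapsed."""

    def __init__(self, upstream, ttl_seconds):
        self.upstream = upstream
        self.ttl = ttl_seconds
        self.cache = {}   # name -> (address, expiry time)

    def resolve(self, name, now):
        entry = self.cache.get(name)
        if entry and now < entry[1]:
            return entry[0]           # still cached: same address as before
        addr = self.upstream.resolve(name)
        self.cache[name] = (addr, now + self.ttl)
        return addr


def reconnect_attempts(resolver, cluster_name, down, start, attempts, interval):
    """Model a client retrying the cluster name after its server failed.
    Returns the addresses tried, stopping as soon as a live server is reached."""
    tried = []
    for i in range(attempts):
        addr = resolver.resolve(cluster_name, start + i * interval)
        tried.append(addr)
        if addr not in down:
            break
    return tried


def simulate(ttl_seconds, attempts=5, interval=10):
    """Initial login at t=0 lands on the first member; that member then fails.
    Returns the addresses the client tries while reconnecting from t=100."""
    resolver = CachingResolver(RotatingDns(CLUSTER_NAME, MEMBERS), ttl_seconds)
    first = resolver.resolve(CLUSTER_NAME, now=0)
    down = {first}
    return reconnect_attempts(resolver, CLUSTER_NAME, down,
                              start=100, attempts=attempts, interval=interval)


if __name__ == "__main__":
    # Long cache lifetime: every retry hits the failed server.
    print("TTL 86400:", simulate(86400))
    # One-second cache lifetime: the next lookup rotates to the live server.
    print("TTL 1:    ", simulate(1))
```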
The Sametime Connect client's Sametime Connectivity settings control whether the
client attempts to connect to the Sametime server through a proxy server or
attempts a direct connection to the Sametime server. These connectivity settings
affect the failover behavior when DNS resolve requests are cached. This behavior
varies for the IBM Lotus Sametime Connect for the desktop client and the IBM
Lotus Sametime Connect for browsers client.
The failover behavior of the Sametime Connect clients when DNS resolve requests
are cached is discussed below.
Sametime Connect for the desktop
When the DNS resolve requests are cached and a server fails, Sametime Connect
for the desktop automatically attempts to connect to another server in the cluster.
When any of the following settings are selected on the Sametime Connectivity tab,
a successful connection to the cluster depends on the client machine and its
settings:
v Direct connection using standard Sametime protocol
v Use SOCKS4 proxy with "Resolve server name locally" checked
v Use SOCKS5 proxy with "Resolve server name locally" checked
v Direct connection using HTTP protocol
If Sametime Connect cannot reconnect to the cluster when these settings are
selected, the user can try any of the following options:
v On Windows 2003 machines, change the registry key that controls the cache time
for DNS requests so the DNS requests are cached for only one second:
1. Start the registry editor and open
HKEY_LOCAL_MACHINE\SYSTEM\CurrentControlSet\Services\Dnscache\Parameters
2. Change the value of the registry key "MaxCacheEntryTtlLimit" to "1"
v In the Sametime Connect client's Sametime Connectivity settings, change the
name in the Host setting from the cluster name to the name of a specific server
within the cluster.
When any of the following settings are selected in the Sametime Connectivity tab,
a proxy server resolves the cluster name. Resolving the cluster name depends on
the settings of the proxy server. The proxy server might return a valid server name
in the cluster, or it might return the address of the server that is already down.
v Use HTTP proxy
v Use HTTPS proxy
v Use SOCKS4 proxy with "Resolve server name locally" unchecked
v Use SOCKS5 proxy with "Resolve server name locally" unchecked
If Sametime Connect cannot reconnect to the cluster when these settings are
selected, check the settings on the proxy server to verify the proxy is attempting to
connect to the servers within the cluster in rotating order.
When Use my Internet Explorer browser settings is selected in the Sametime
Connectivity tab, the behavior of the client depends on the proxy connectivity
settings of the Microsoft Internet Explorer web browser.
v If the browser settings do not specify a proxy server, the client attempts a Direct
connection using HTTP protocol. If the client is unable to reconnect following a
server failure, the user can try any of the options listed for Direct connection
using HTTP protocol above.
v If the browser settings specify an HTTP proxy server, the HTTP proxy server
resolves the cluster name. If the client cannot reconnect, check the settings on
the proxy server to verify the proxy is attempting to connect to the servers in
the cluster.
Sametime Connect for browsers
With Sametime Connect for browsers, the client resolves the cluster name when
any of the following options are selected:
v Direct connection using standard Sametime protocol
v Direct connection using HTTP protocol
v Use SOCKS4 proxy with "Resolve server name locally" checked
v Use SOCKS5 proxy with "Resolve server name locally" checked
If Sametime Connect for browsers cannot reconnect to the cluster when these
settings are selected, the user should do the following:
v On Windows NT and Windows 98 machines, restart the Sametime Connect
client or restart the web browser.
v On Windows 2000 machines, change the registry key that controls the cache time
for DNS requests so that DNS requests are cached for only one second:
1. Start the registry editor and open
HKEY_LOCAL_MACHINE\SYSTEM\CurrentControlSet\Services\Dnscache\Parameters
2. Change the value of the registry key "MaxCacheEntryTtlLimit" to "1"
v In the Sametime Connect client's Sametime Connectivity settings, change the
name in the Host field from the cluster name to the name of a specific server
within the cluster.
When any of the following settings are selected in the Sametime Connect for
browsers Sametime Connectivity tab, a proxy server resolves the cluster name.
Resolving the cluster name depends on the settings of the proxy server. The proxy
server might return a valid server name in the cluster, or it might return the
address of the server that is already down.
v Use SOCKS4 proxy with "Resolve server name locally" unchecked
v Use SOCKS5 proxy with "Resolve server name locally" unchecked
v Use HTTP proxy
v Use HTTPS proxy
If Sametime Connect cannot reconnect to the cluster when these settings are
selected, check the proxy settings to verify the proxy is attempting to connect to
the servers in the cluster in rotating order.
When Use my browser settings is selected in the Sametime Connectivity tab, the
behavior of the client depends on the proxy connectivity settings of the web
browser.
v If the browser settings do not specify a proxy server, the client attempts a Direct
connection using standard Sametime protocol or a Direct connection using
HTTP protocol. If the client is unable to reconnect following a server failure, the
user can try any of the options listed for Direct connection using standard
Sametime protocol and Direct connection using HTTP protocol above.
v If the browser settings specify a SOCKS proxy server, and the client is unable to
reconnect following a server failure, the user can try any of the options listed for
the Use SOCKS4 and Use SOCKS5 proxy settings above.
v If the browser settings specify an HTTP or HTTPS proxy server, the proxy server
resolves the cluster name. If the client cannot reconnect, check the settings on
the proxy server to verify the proxy is attempting to connect to the servers in
the cluster.
Adding a server to the Community Server cluster
You can add IBM Lotus Sametime Community servers to an existing cluster.
Procedure
1. Follow these steps to ensure that all databases have the same replica ID.
a. Add the Sametime Community Server to the IBM Lotus Domino server
cluster following the guidelines described in Creating a Domino server
cluster.
2. Update the Cluster Information document and copy the updated document to
all Sametime Community servers in the community:
a. Add the name of the new Sametime server to the List of Servers in Cluster
field in the Cluster Information document in the Configuration database
(stconfig.nsf) on one Sametime server.
Enter the server name in the Domino full canonical name format (for
example, cn=servername/ou=organizational unit/o=organization). Do not
use the fully qualified DNS name in this field.
The list includes every Sametime server in the cluster; separate the server
names with a semicolon and a space as shown in the example below:
cn=sametimeserver1/ou=west/o=mycompany; cn=sametimeserver2/ou=west/o=mycompany
b. Copy the updated Cluster Information document and paste it into the
Configuration database on every Sametime server in the community (both
clustered servers and non-clustered servers).
Note: After pasting the new Cluster Information document in the
Configuration database, you can delete the previous version of the Cluster
Information document.
3. Optional: You can deploy a stand-alone Sametime Community Mux to ensure
the connection load for your Community Services cluster is handled efficiently.
However, if you do not deploy another Community Services multiplexer, the
existing Community Services multiplexers can still make connections to the
newly added Sametime server.
If you deploy a stand-alone Sametime Community Mux, make sure to update
the Community Connectivity configuration document on every Sametime
server in the cluster and include the IP address of the new multiplexer.
Configuring SiteMinder for the Lotus Sametime server
This section describes how to configure CA eTrust SiteMinder for the IBM Lotus
Sametime server.
About this task
When you configure SiteMinder to work with the Lotus Sametime server, you create a
new agent object, agent configuration object, host configuration object, realm, and
sub-realms.
Creating configuration objects for Sametime
Follow these steps to create configuration objects for IBM Lotus Sametime 8 on the
CA eTrust SiteMinder Policy server.
Before you begin
Open the SiteMinder Policy Server console.
Procedure
1. To create an Agent object, follow these steps.
a. Click the System tab.
b. Under System Configuration, right-click the Agents icon.
c. In the SiteMinder Agent Dialog, type a unique value not used previously
for an existing agent in the *Name field.
d. Optional: Type a description such as "Sametime Agent."
e. Under Agent Type, select SiteMinder, and select Web Agent from the
drop-down list.
f. Click OK.
2. Create a duplicate of the existing DominoDefaultSettings Agent Conf Object on
the SiteMinder Policy Server and modify the duplicate as appropriate. To create
an Agent Conf object for your HTTP Server:
a. Under System Configuration, click the Agent Conf Objects icon.
b. Right-click the DominoDefaultSettings Agent Conf object in the Agent
Conf Object List on the right side of the console, and select Duplicate
Configuration Object.
c. In the SiteMinder Agent Configuration Object Dialog, type a unique value
not used previously for an existing agent in the *Name field.
d. Optional: Type a description such as "Domino Configuration Agent."
e. In the Configuration Values list, set the following parameters to the values
indicated or to the appropriate values for your server. Click each
parameter and select Edit:
v DefaultAgentName - Name given to the agent created in step 1c.
v AllowLocalConfig - Yes
v CssChecking - No
v BadUrlChars - remove // and /.,%00-%1f,%7f-%ff,%25 from the default
list of Bad Url Characters
v SkipDominoAuth - No. All other parameters can be left at their default
settings.
f. Click OK.
3. IBM recommends that you create a duplicate of the existing
DefaultHostSettings Host Conf Object on the SiteMinder Policy Server and
modify the duplicate as appropriate. To create a Host Conf object for your
HTTP Server:
a. Under System Configuration, click the Host Conf Objects icon.
b. Right-click the DefaultHostSettings object in the Host Conf Object List on
the right side of the console, and select Duplicate Configuration Object.
c. In the SiteMinder Host Configuration Object Dialog, type a unique value in
the *Name field.
d. Optional: Type a description such as "Sametime Advanced Host."
e. In the Configuration Values list, edit the #Policy Server value by removing
the # from in front of the parameter name and enter the IP address of your
SiteMinder Policy Server in the appropriate place in the value field.
f. Click OK.
Configuring realms for Lotus Sametime
Follow these steps to configure the realms for IBM Lotus Sametime 8 on the CA
eTrust SiteMinder Policy Server.
Procedure
1. Open the SiteMinder Policy Server console.
2. Define the realm definition for the Web Agent domain:
a. Click the Domains tab in the left side of the SiteMinder Policy Console.
b. Right-click the Web Agent domain that you previously created.
c. Click Create Realm.
d. In the SiteMinder Realm Dialog, type a unique value in the *Name field, for
example, Sametime.
e. Optional: Type a description.
f. Click the Resource tab.
g. In the Agent field, type the name of the agent that you created for the Web
Agent for Lotus Sametime 8. You can also select it using Lookup.
h. Type the Resource Filter as /
i. In Authentication Scheme drop-down list, select Basic.
j. Under Default Resource Protection, select Protected. Leave all the other
fields on the Resource, Session and Advanced tabs as their default values.
k. Click OK.
3. Create sub-realms under the realm you just created.
a. Click the Domains tab in the left side of the SiteMinder Policy Console.
b. Right-click the realm that you created in step 2.
c. Click Create Realm.
d. Create the following sub-realms for your configuration, with the values
indicated in each dialog:
Name                Resource Filter           Authentication Scheme   Default Resource Protection
ST Test             stlinks                   Basic                   Unprotected
ST AdminConfig      servlet/auth/scs          Basic                   Unprotected
ST AdminPage        servlet/auth/admin        Basic                   Protected
ST Src              stsrc.nsf/join            Basic                   Protected
ST Domino           STDomino.nsf              Basic                   Unprotected
ST Applets          sametime/applets          Basic                   Unprotected
ST Applet           Sametime/Applet           Basic                   Unprotected
IMI Sametime        sametime/hostAddress.xml  Basic                   Unprotected
ST MMAPI            servlet/auth/mmapi        Basic                   Unprotected
ST Admin CGI        cgi-bin/StAdminAct.exe    Basic                   Unprotected
ST UserInfoServlet  servlet/UserInfoServlet   Basic                   Unprotected
4. Create rules for the protected realm (Sametime) and the two protected
sub-realms (ST AdminPage and ST Src).
a. Right-click the realm that was created for the Web Agent domain (for
example Sametime), and select Create Rule under Realm.
b. Use the SiteMinder Rule dialog to create the following rules named Rule 1
and Rule 2:
Rule 1 properties
v *Name - GetPost Rule
v Realm - Sametime
v Resource: *
v Web Agent actions - Get,Post,
v When this Rule fires - Allow Access
v Enable or Disable this Rule - Enabled
Rule 2 properties
v *Name - OnAuthAccept
v Realm - Sametime
v Resource: *
v Authentication events - OnAuthAccept
v When this Rule fires - Allow Access
v Enable or Disable this Rule - Enabled
c. Right-click the ST AdminPage sub-realm, and select Create Rule under
Realm.
d. Use the SiteMinder Rule dialog to create the following rule named Rule 1:
Rule 1 properties
v *Name - GetPost Rule
v Realm - Sametime.ST AdminPage
v Resource: *
v Web Agent actions - Get,Post,
v When this Rule fires - Allow Access
v Enable or Disable this Rule - Enabled
e. Right-click the ST Src sub-realm, and select Create Rule under Realm.
f. Use the SiteMinder Rule dialog to create the following rules named Rule 1
and Rule 2:
Rule 1 properties
v *Name - GetPost Rule
v Realm - Sametime.ST Src
v Resource: *
v Web Agent actions - Get,Post,
v When this Rule fires - Allow Access
v Enable or Disable this Rule - Enabled
Rule 2 properties
v *Name - OnAuthAccept
v Realm - Sametime.ST Src
v Resource: *
v Authentication events - OnAuthAccept
v When this Rule fires - Allow Access
v Enable or Disable this Rule - Enabled
5. Add the rules to the SiteMinder policy that you created for Lotus Sametime
Advanced.
a. Double-click the policy you created for Lotus Sametime Advanced, for
example, STADVWAPolicy.
b. Click the Rules tab, and then click Add/Remove Rules. Add all the rules
you created previously for the realm and sub-realms to the current members
list. Click OK.
Installing and configuring the SiteMinder Web Agent
IBM recommends that you install the latest available version of the CA eTrust
SiteMinder Web Agent as well as the latest available hot fix that is certified by
Computer Associates to work with the version of the HTTP server that you are
using.
Before you begin
Before you begin, you must download the SiteMinder V6-QMR5 W32 Web Agent
installation files from the SiteMinder support site at http://support.netegrity.com.
About this task
Refer to the SiteMinder platform support matrices for more details. These matrices
can be obtained from the SiteMinder support site. You can also refer to the
SiteMinder WebAgent Installation Guide for details about configuring the Web Agent
to work with the HTTP server that you are using. The application agent for IBM
Lotus Sametime Advanced should be v6.0 CR005 or later to ensure support of IBM
WebSphere Application Server 6.1.
Note: To install the SiteMinder Web Agent on platforms other than Microsoft
Windows, you can use the relevant Win32 instructions as a reference document.
The same configuration information needs to be provided, regardless of platform.
There are also additional instructions included with the Web Agent installation
files that indicate platform-specific steps that are required for installing and
configuring the Web Agent on a specific platform.
Follow these steps to install and configure the Win32 6x Web Agent for your HTTP
server.
Procedure
1. If necessary, extract all the files from the ZIP file provided by SiteMinder.
2. Start the Web Agent executable. The format is nete-wa-6qmrX-platform.exe.
For example:
nete-wa-6qmr5-win32.exe
3. The CA SiteMinder Web Agent Introduction screen appears. Click Next.
4. On the License Agreement screen, scroll down and select I accept the terms of
the License Agreement, and click Next.
5. Click Next on the Important Information screen.
6. On the Choose Install Location screen, accept the default location for installing
the Web Agent or click Choose to select a different location, then click Next.
7. Click Next on the Choose Shortcut Folder screen.
8. Click Install on the Pre-Installation Summary screen.
9. On the Install Complete screen, accept the default selection and click Done.
Your system restarts.
10. Click Start → Programs → Siteminder → Web Agent Configuration Wizard to
start the Web Agent Configuration Wizard.
11. On the Host Registration screen, select Yes, I would like to do Host
Registration now, but do not select the Enable PKCS11 DLL Cryptographic
Hardware check box. Click Next.
12. On the Admin Registration screen, type the SiteMinder administrator name
and password provided by your SiteMinder contact. Do not select the Enable
Shared Secret Rollover check box. Click Next.
13. On the Trusted Host Name and Configuration Object screen, type the trusted
hostname and Host Conf Object provided by your SiteMinder contact. Click
Next.
14. On the Policy Server IP Address screen, type the SiteMinder Policy Server IP
address provided by your SiteMinder contact and click Add. Click Next.
15. On the Host Configuration file location screen, accept the default file name
and location and click Next.
16. On the Select Web Server(s) screen, select the check box next to the http server
that you wish to configure with the Web Agent, and then click Next.
17. On the Agent Configuration Object screen, enter the Agent Conf Object
provided by the SiteMinder contact and click Next.
18. On the Web Server Configuration Summary screen, click Install. The Web
Agent configuration process starts, and then the Configuration Complete
screen appears.
19. Click Done to complete the configuration process.
Note: You can ignore messages indicating that some warnings occurred
during the installation. These warnings appear by default and do not affect
the functionality of the Web Agent.
What to do next
There are additional steps that must be completed to enable the Web Agent to
function properly for your server. Follow the additional instructions that are
provided by your SiteMinder contact in order to complete this setup.
Add the DSAPI filter file name to the Domino Directory
Your IBM Lotus Sametime server will run on a Lotus Domino server. When you
integrate IBM Lotus Sametime with CA eTrust SiteMinder, the SiteMinder Web
Agent is implemented as a Domino Web Server Application Programming Interface
(DSAPI) filter file.
About this task
Follow these steps to add the DSAPI filter file name to the Domino Directory.
Procedure
1. Open the Domino Directory (names.nsf) on the Domino server.
2. Edit the server document for the Domino server as follows:
a. Click the Internet Protocols tab, then click the HTTP tab. In the DSAPI
filter file names field, type the full path and name of the SiteMinder Web
Agent (typically c:\Program Files\Netegrity\Siteminder Web Agent\bin\dominowebagent.dll).
b. Click the Domino Web Engine tab, then set the Session authentication field
to Disabled.
3. Save and close the server document.
Enabling SiteMinder for Lotus Sametime
Follow these steps to enable the CA eTrust SiteMinder Web Agent for the IBM
Lotus Sametime server.
Procedure
1. Locate the local Web Agent configuration file for the SiteMinder Web Agent
that has been configured with your HTTP server. For example:
C:\Program Files\IBM\HTTPServer\conf\WebAgent.conf
2. Use a text editor to open the file and set the EnableWebAgent parameter to YES.
3. Restart your HTTP and Lotus Domino Servers. When you start or stop the
Domino server, you are starting and stopping the Lotus Sametime server as
well.
Configuring the Sametime client
This section describes how to configure IBM Lotus Sametime clients.
Client update process
The server can push updates out to the IBM Lotus Sametime clients if the update
policy key is enabled, to ensure that all clients have the same features.
Administrators can provision new or update existing Lotus Sametime client
features in push mode so that each client employs the same set of features as the
others. The push method installs Lotus Sametime features or updates on the client
automatically when the user logs in to Lotus Sametime.
Setting up automatic updates
When the user logs in from the client, the client looks in the preferences.ini file
located in the update plugin (com.ibm.collaboration.realtime.update\
preferences.ini) root directory for the existence of the "runme" property. If the
property is present and is set to 'true,' then the update plugin continues. The client
then checks the policy key CONNECT_UPDATE_URL on the default Lotus
Sametime Community Server. If the server is 7.5.x or later then you, as
Administrator, can define the policy to tell the client where the update site is
located. If the policy key is not set on the server (see the section on User Policy in
this documentation), it is missing for one of two reasons:
1. The administrator did not set the key in the stpolicy.nsf file on the Lotus
Sametime Community Server.
2. The Lotus Sametime Community Server is a pre-7.5.1 version.
If the key is not found, the client searches the preferences.ini file located in the
update plugin (com.ibm.collaboration.realtime.update\preferences.ini) root
directory for the adminUpdatePolicyURL value. The client then silently downloads
all updated features it finds in the administrator's update site and installs them.
Updates of features from this site are required, so the client does not have the
option of not installing them. Once installation is complete, the user receives a
message announcing that new updates have been installed and that the user
should restart the Sametime client. The user can click the restart button or press a
five-minute delay button. If the user is involved in chats with other users, he or
she can continue to delay the restart for as long as he or she wishes by continuing
to press the restart button at five-minute intervals. After the restart, the client checks
again to see if there are more updates, and if it finds none, the user is not
interrupted again. This update process takes place each time the user restarts the
client and logs in to the default server.
Configuring Sametime Connect client preferences
The following topics describe the different methods for setting preferences for the
Lotus Sametime Connect client.
Configuring client preferences using policies
You can use policies to configure and force IBM Lotus Sametime Connect client
preferences. A client preference determined by a policy cannot be changed by the
user.
About this task
When a user authenticates, Lotus Sametime applies a policy for that user. You can
create new policies that grant or limit access to features, and assign users to these
policies. You can use the Sametime System Console to configure and manage
policies. Any preferences set using this method:
v Are forced on clients so users cannot modify the setting.
v Take highest precedence over any other method used to set client preferences.
For more information on Sametime policies, see Managing users with policies.
Procedure
1. Log in to the Integrated Solutions Console.
2. Click Sametime System Console.
3. Click Manage Policies.
4. Specify the features that you want to enable or disable for the users or groups
that you will assign to this policy.
Configuring client preferences using Sametime Connect
Users can manually set their client preferences in the Preferences dialog of the
IBM Lotus Sametime Connect client.
About this task
Any preferences set using this method can be overwritten by Sametime policies.
Preferences set using this method are stored in the end-user's profile directory
either within an XML document or a .pref file.
Procedure
1. Log in to the Lotus Sametime Connect client.
2. Click File → Preferences.
3. Click a feature in the list on the left.
4. Select your preferred behavior for that feature, and then click Apply.
5. Click OK.
Configuring client preferences using the plugin_customization
file
To give all users a similar initial experience with Lotus Sametime, you can set
default client preferences for all IBM Lotus Sametime Connect clients using a
global plugin_customization.ini file.
About this task
The plugin_customization.ini file is effective for users who do not manually change
their preferences. Unlike the setting of policies, this method does not force the
settings to stick. Users can manually override the default preferences using the
Preferences dialog in their Lotus Sametime Connect clients.
If you prefer to set preferences that users cannot change, use the Expeditor
managed settings framework to set read-only preferences instead.
Start by editing the plugin_customization.ini file with the default preferences that
you want. Then post the plugin_customization.ini file on a Lotus Sametime update
site as part of a feature plugin for the Lotus Sametime clients to download. When
a new client logs in, it finds the new plugin and downloads it, and merges the
contents of the plugin_customization.ini with the existing one. The client restarts
and reads the new preferences. Every time the client starts, the
plugin_customization.ini preferences are read. For a list of preferences you can
add, see Sametime Connect preferences.
Related tasks
“Configuring client preferences with the Expeditor managed settings framework”
You can configure and manage user preferences for IBM Lotus Sametime Connect
clients using the Expeditor managed settings framework.
Configuring client preferences with the Expeditor managed
settings framework
You can configure and manage user preferences for IBM Lotus Sametime Connect
clients using the Expeditor managed settings framework.
About this task
The Expeditor managed settings framework lets you set preference values on Lotus
Sametime Connect clients. The Expeditor managed settings framework pulls
preference settings from an associated back-end management system and pushes
the settings to Sametime Connect clients. The framework also lets you designate
read-only settings and schedule update intervals. When a setting is set as
read-only, the user is prevented from changing the setting on the Sametime
preference user interface.
The following topics explain how to configure and update settings using the
Expeditor managed settings framework.
Configuring the Expeditor managed settings framework:
The Expeditor managed settings framework is responsible for retrieving IBM Lotus
Sametime Connect preference settings from an XML file. The managed settings
framework must have a formatted XML file containing the managed setting data
and must know the location of that XML file.
Formatting the XML file:
Follow these instructions to format the XML file.
Procedure
Format the XML file using the these parameters:
v It must contain a <ManagedSettings> element that contains one or more
<settingGroup> elements. Each <settingGroup> element must contain one or more
<setting> elements.
v Each <settingGroup> tag must have the following attributes:
– name – Use the same name as the qualifier (typically plugin name, but it can
be anything) that its settings are associated with.
– lastModDate – Specify the date using the java.text.SimpleDateFormat format. The
syntax is YYYYMMDDThhmmssZ, where YYYY=year, MM=month, DD=day,
hh=hours, mm=minutes, ss=seconds. The values following the T are optional.
Note: Every change to a setting group must be accompanied by a change to the
lastModDate attribute or the new values will not be updated. If no lastModDate
is specified, the values are always updated, even if they are not new.
v Each <setting> tag must have the following attributes:
– name – Use a name that identifies what the setting does.
– value – Provide a default value for the setting.
v Each <setting> tag can have the following optional attributes:
– isLocked – Boolean. The default value is true. If true, the setting is read-only
and any changes that a user or application make to the value set by you, the
administrator, are prevented or later overwritten. If this attribute is set to
false, the administrator's setting is treated as a default value that can be
changed.
– overwriteUnlocked - Boolean. The default value is false. By default, a setting
that is specified as being unlocked will be treated as a default and will not
overwrite any existing value on the client. This is to avoid undoing changes
that the user might have legitimately made. However, if this setting is set to
true, the unlocked value will be overwritten with this new value even if it
means clearing the user's existing value.
Example
Here is an example of a formatted XML file:
<ManagedSettings>
<settingGroup name="com.ibm.collaboration.realtime.chat.logging" lastModDate="20080814T101030Z">
<setting name="logging.enabled" value="false" isLocked="false"/>
<setting name="logging.service" value="7" isLocked="false"/>
<setting name="root.location" value="C:\\work" isLocked="true"/>
<setting name="save.file.location" value="C:\\temp" isLocked="true"/>
</settingGroup>
</ManagedSettings>
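The format rules above, together with the update-interval, user-override and unlocking behaviour described later under "Changing the update interval" and "Discontinuing Expeditor managed settings framework preferences", as an added Python example. This is not IBM's code: the ClientPrefs model, the function names and the sample file are assumptions; only the lastModDate, isLocked and overwriteUnlocked semantics come from the text.

```python
"""Added example, not IBM's code: a strict parser and merge routine for the
managed-settings XML rules on this page. ClientPrefs and the function names are
assumptions; lastModDate, isLocked and overwriteUnlocked semantics follow the text."""
import xml.etree.ElementTree as ET
from collections import namedtuple
from dataclasses import dataclass, field

DEFAULT_UPDATE_INTERVAL = 720  # minutes; the default stated on the page

@dataclass
class Setting:
    name: str
    value: str
    is_locked: bool = True            # isLocked defaults to true
    overwrite_unlocked: bool = False  # overwriteUnlocked defaults to false

SettingGroup = namedtuple("SettingGroup", "name last_mod_date settings")

@dataclass
class ClientPrefs:
    """Assumed in-memory model of one Sametime Connect client's preferences."""
    values: dict = field(default_factory=dict)   # (group, name) -> value
    locked: set = field(default_factory=set)     # keys the user may not change
    applied: dict = field(default_factory=dict)  # group -> lastModDate applied

def _bool(text, default):
    if text is None:
        return default
    if text.lower() not in ("true", "false"):
        raise ValueError(f"expected true/false, got {text!r}")
    return text.lower() == "true"

def parse_managed_settings(xml_text):
    """Validate the structure the page requires and return SettingGroup objects."""
    root = ET.fromstring(xml_text)
    if root.tag != "ManagedSettings":
        raise ValueError("root element must be <ManagedSettings>")
    groups = []
    for g in root.findall("settingGroup"):
        gname = g.get("name")
        if not gname:
            raise ValueError("<settingGroup> requires a name attribute")
        settings = []
        for s in g.findall("setting"):
            if s.get("name") is None or s.get("value") is None:
                raise ValueError(f"<setting> in {gname} needs name and value")
            settings.append(Setting(s.get("name"), s.get("value"),
                                    _bool(s.get("isLocked"), True),
                                    _bool(s.get("overwriteUnlocked"), False)))
        if not settings:
            raise ValueError(f"<settingGroup> {gname} has no <setting>")
        groups.append(SettingGroup(gname, g.get("lastModDate"), settings))
    if not groups:
        raise ValueError("<ManagedSettings> has no <settingGroup>")
    return groups

def apply_managed_settings(prefs, groups):
    """Merge a fetched settings file into the client using the page's rules."""
    still_managed = {(g.name, s.name) for g in groups for s in g.settings}
    for g in groups:
        # Unchanged lastModDate: skip the group; absent lastModDate: always apply.
        if g.last_mod_date and prefs.applied.get(g.name) == g.last_mod_date:
            continue
        for s in g.settings:
            key = (g.name, s.name)
            if s.is_locked:            # enforced value, read-only in the UI
                prefs.values[key] = s.value
                prefs.locked.add(key)
            else:                      # a default: keep the user's own value
                prefs.locked.discard(key)
                if key not in prefs.values or s.overwrite_unlocked:
                    prefs.values[key] = s.value
        if g.last_mod_date:
            prefs.applied[g.name] = g.last_mod_date
    # Settings dropped from the file stay on the client but become unlocked.
    prefs.locked &= still_managed
    return prefs

def set_user_preference(prefs, group, name, value):
    """The Preferences dialog: a locked setting cannot be changed by the user."""
    if (group, name) in prefs.locked:
        return False
    prefs.values[(group, name)] = value
    return True

def update_interval_minutes(prefs):
    """Polling interval from com.ibm.rcp.managedsettings, else the 720 default."""
    raw = prefs.values.get(("com.ibm.rcp.managedsettings", "UpdateIntervalInMinutes"))
    return int(raw) if raw is not None else DEFAULT_UPDATE_INTERVAL

# Constructed sample: the page's logging example plus an update-interval group.
SAMPLE_XML = r"""<ManagedSettings>
 <settingGroup name="com.ibm.collaboration.realtime.chat.logging" lastModDate="20080814T101030Z">
  <setting name="logging.enabled" value="false" isLocked="false"/>
  <setting name="root.location" value="C:\\work" isLocked="true"/>
 </settingGroup>
 <settingGroup name="com.ibm.rcp.managedsettings" lastModDate="20080814T101030Z">
  <setting name="UpdateIntervalInMinutes" value="60" isLocked="false"/>
 </settingGroup>
</ManagedSettings>"""
```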
Setting the initial location of the XML file:
Set the initial location of the XML file.
Procedure
Use one of the following methods:
1. Use a key of com.ibm.rcp.managedsettings.provider.file/URL in the
plugin_customization.ini file. For example:
com.ibm.rcp.managedsettings.provider.file/URL=http://www.ibm.com/settings.xml
or
com.ibm.rcp.managedsettings.provider.file/URL=file://c:/data/mysettings.xml
You can update the plugin_customization.ini file in the install/deploy/
directory on a CD-structure or provision the setting using the method
described in TechNote 1261055.
2. Set up automatic update to push new or updated preferences to clients. Name
the settings XML file managed-settings.xml, then post the file to the
policy-configured administration update site URL. For example, if the
administration update site URL is http://acme.com/updates then the client
looks for http://acme.com/updates/managed-settings.xml. Note that the user
will not be prompted to restart; changes to the managed settings take effect
the next time the user restarts Sametime. This method has a higher
weight than the plugin_customization.ini file method described in method 1 above,
so any overlapping settings found in the managed-settings.xml take priority.
Changing the update interval for the Expeditor managed settings framework:
If you want to change the update interval for managed settings in the Expeditor
managed settings framework, you can update the existing XML file.
About this task
By default, managed settings are updated every 720 minutes (12 hours) and
whenever the Sametime Connect client is started. If you would like to change the
update interval, you can update the existing XML file by adding a new setting
group of com.ibm.rcp.managedsettings with a setting of the interval in minutes.
Updating the Expeditor managed settings framework has the following results:
v All unlocked settings can be modified by the user. Once a setting is modified by
the user, any subsequent update to the same setting will not apply unless the
setting is changed to isLocked=true in the settings XML file. This behavior is
consistent with settings changed with the plugin_customization.ini.
User-modified preferences take precedence over settings from
plugin_customization.ini and the settings XML file. However, if the user's workspace
is cleaned, the administrator's values will apply.
v Any settings or setting groups removed from the settings XML file (for example,
to unmanage those settings) will remain on the client, and if the setting was
previously locked, it will be automatically set to unlocked.
v All unmanaged settings will automatically be managed as standard preferences.
Procedure
Update the existing XML file with a new setting group of
com.ibm.rcp.managedsettings.
<settingGroup name="com.ibm.rcp.managedsettings" lastModDate="20080814T101030Z">
<setting name="UpdateIntervalInMinutes" value="1" isLocked="false"/>
</settingGroup>
Changing the URL of the Expeditor managed settings framework:
If you must change the URL for the Expeditor managed settings framework, you
can update the existing XML file.
About this task
If you want to change the URL for the Expeditor managed settings framework, you
can update the existing XML file by adding a new setting group of
com.ibm.rcp.managedsettings.provider.file with a setting for the URL. The next
update runs with the old URL, but subsequent updates run with the new URL. If
the new URL is not reachable at the time of the update, the setting will not be
saved and the original URL will continue to be used. The URL will not be changed
until it is updated at a time that the URL can be reached.
Procedure
Add a new setting group.
<settingGroup name="com.ibm.rcp.managedsettings.provider.file" lastModDate="20080907T101030Z">
<setting name="URL" value="file://c:/work/news..."/>
</settingGroup>
Note: If the XML file is being hosted by an HTTP server on which authentication
has been enabled, and there is no associated account configured for the server, the
user will be prompted for a name and password the first time the Expeditor
managed settings framework runs. Since the managed settings framework runs in
the background, the user is likely to be confused by this. You can prevent the
authentication prompt from displaying by including code in the application that
creates an account for this URL during its setup.
Discontinuing Expeditor managed settings framework preferences:
If a deployment needs to stop using the Expeditor managed settings framework,
you must remove previously managed settings on all clients, otherwise, these
settings will continue to be managed.
About this task
Follow these steps:
Procedure
1. Unlock all managed settings by editing the XML file:
a. Change all "isLocked=true" instances to "isLocked=false".
b. Change the lastModDate attribute to a newer timestamp for all setting
groups.
c. Provision the updated XML file to the client.
2. Unconfigure the settings XML file, depending on which method was used to
configure the settings XML file:
v Remove the com.ibm.rcp.managedsettings.provider.file/URL setting from
plugin_customization.ini file and provision the updated file to the client.
v Remove the settings XML file from the update site location.
Sametime Connect preferences
The following topics list the IBM Lotus Sametime client preferences that can be
managed:
Accessibility preferences:
The following table lists the IBM Lotus Sametime Connect client accessibility
preferences that can be managed.
Table 1. Accessibility Preferences - com.ibm.collaboration.realtime.accessibility plugin,
release 7.5.x and later (Attribute - Variable type. Description. Release.)
v useAcc - Boolean. Default is false. Specifies whether or not to optimize the chat
transcript for screen readers (replaces the transcript with a different format).
Release: 7.5.1 and later.
v optimizeAlerts - Boolean. Default is false. Specifies whether or not to optimize
notification settings for screen readers (turns off bring to front and flash window,
turns on sounds). Release: 7.5.1 and later.
v useLessVerbose - Boolean. Default is false. Specifies whether or not to set less
verbose messages for screen readers (less verbose will not read status change
events and typing events in the chat window). Release: 7.5.1 and later.
Auto-status change preferences:
The following table lists the IBM Lotus Sametime Connect client auto-status change
preferences that can be managed.
Table 2. Auto-status-Change Preferences - com.ibm.collaboration.realtime.imhub release
7.5.x and later (Attribute - Variable type. Description. Release.)
v lockPCWithOSLock - Boolean. Default is true. Enables the "Locking computer with
operating system lock" feature. Release: 7.5.1 and later.
v keyboardMouseInactivity - Boolean. Default is true. Enables the "Keyboard and
mouse inactivity" feature. Release: 7.5.1 and later.
v whenIamInAOnlineMtg - Boolean. Default is false. Enables the "When I am in an
online meeting" feature. Release: 7.5.1 and later.
v selectStatusOnlyScreenShare - Boolean. Default is false. Determines whether to
select the "Change my status only when I'm sharing my screen" check box.
Release: 7.5.1 and later.
v autoChangeMyStatusInMtg - Boolean. Default is false. Determines whether to
select the "Automatically change my status" radio button. Note that if this radio
button is set as true, then the "Prompt me before changing my status" radio
button will be unavailable. If this is set as "false", the "Prompt me before
changing my status" radio button will be available. After
com.ibm.collaboration.realtime.imhub/selectStatusOnlyScreenShare is set as true,
com.ibm.collaboration.realtime.imhub/autoChangeMyStatusInMtg works for
screen share status. Release: 7.5.1 and later.
v minutesForIdleKeyboardMouse - Integer. Default is 20. Sets the "When I have not
used my keyboard or mouse for the following number of minutes:" text field.
Release: 7.5.1 and later.
v backWhenUnlocked - Boolean. Default is true. Determines whether to select the
"Return to previous status when activity is resumed" check box in the "Locking
computer with operating system lock" feature. Release: 7.5.1 and later.
v backWhenKeyboardMouseActive - Boolean. Default is true. Determines whether to
select the "Return to previous status when activity is resumed" check box in the
"Keyboard and mouse inactivity" feature. Release: 7.5.1 and later.
Calendar preferences:
The following table lists the IBM Lotus Sametime Connect client calendar
preferences that can be managed.
Table 3. Calendar Preferences - com.ibm.collaboration.realtime.calendar release 7.5.x and later

enabled
    Type: Boolean
    Description: Specifies whether or not to enable auto-status change for meetings scheduled in the user's calendar.
    Release: 8.0 and later

promptMe
    Type: Boolean
    Description: In Auto-Status Changes for meetings scheduled in my calendar, specifies whether to prompt the user before changing the status when the user has a meeting scheduled in the calendar.
    Release: 8.0 and later

statusMsg
    Type: String
    Description: In Auto-Status Changes for meetings scheduled in my calendar, specifies the status message used when the user selects "Automatically change my status."
    Release: 8.0 and later

setback
    Type: Boolean
    Description: In Auto-Status Changes for meetings scheduled in my calendar, specifies whether to return to the user's previous status when the meeting is over.
    Release: 8.0 and later

outlook_enabled
    Type: Boolean
    Description: On the Calendar Service page, specifies whether to check the Outlook calendar for meetings to allow auto-status changes. Valid only if the Outlook service is available.
    Release: 8.0 and later

notes_enabled
    Type: Boolean
    Description: On the Calendar Service page, specifies whether to check the Lotus Notes calendar for meetings to allow auto-status changes. Valid only if the Notes service is available.
    Release: 8.0 and later

interval
    Type: Positive integer, in minutes.
    Description: On the Calendar Service page, specifies the calendar refresh interval.
    Release: 8.0 and later
Chat preferences:
The following tables list the IBM Lotus Sametime Connect client chat preferences
that can be managed.
Table 4. Chat History Preferences - com.ibm.collaboration.realtime.chat.logging release 7.5.x and later

days.storage.max
    Type: A positive number.
    Description: Delete saved transcripts after this number of days. This setting is overwritten by the value set in the server policy.
    Release: 7.5.1 and later

delete.old
    Type: A positive number.
    Description: Delete saved transcripts. This setting is overwritten by the value set in the server policy.
    Release: 7.5.1 and later

logging.default
    Type: 0 = Automatically save chats, 1 = Do not automatically save chats, 2 = Prompt me to save chats
    Description: Default chat logging action.
    Release: 7.5.1 and later

logging.service
    Type: service.notes = Lotus Notes logging, service.outlook = MS Outlook logging, service.file = File system logging
    Description: Type of chat logging service.
    Release: 7.5.1 and later

display.context
    Type: true = Display, false = Do not display
    Description: Display the saved transcript between two users for the current day in the chat window.
    Release: 7.5.1 and later

display.context.background
    Type: true = Display, false = Do not display
    Description: Display background highlighting when displaying saved transcripts in chats.
    Release: 7.5.1 and later

root.location
    Type: A string containing a valid path on the computer.
    Description: Directory path for automatically saved chats. Do not use '\' as the file separator; use '\\' or '/' instead.
    Example using an absolute path:
        com.ibm.collaboration.realtime.chat.logging/root.location=C:\\Documents\\user\\SametimeTranscripts
    Example using a path relative to the user profile folder, for Windows and Mac:
        com.ibm.collaboration.realtime.chat.logging/root.location=\\SametimeTranscripts
    For Linux:
        com.ibm.collaboration.realtime.chat.logging/root.location=SametimeTranscripts
    Release: 7.5.1 and later

save.file.location
    Type: A string containing a valid path on the computer.
    Description: Default location for manually saved chats. Do not use '\' as the file separator; use '\\' or '/' instead.
    Example using an absolute path:
        com.ibm.collaboration.realtime.chat.logging/save.file.location=C:\\Documents\\user\\SametimeTranscripts
    Example using a path relative to the user profile folder, for Windows and Mac:
        com.ibm.collaboration.realtime.chat.logging/save.file.location=\\SametimeTranscripts
    For Linux:
        com.ibm.collaboration.realtime.chat.logging/save.file.location=SametimeTranscripts
    Release: 7.5.1 and later

prompt.save
    Type: Boolean
    Description: If using the mail service for logging, specifies whether to display a confirmation after manually saving chats to the mail file.
    Release: 7.5.1 and later

reset.user.resets.logging.prefs
    Type: Boolean. Default is false.
    Description: Specifies whether to prompt the user to reset logging preferences after resetting the user.
    Release: 7.5.1 and later

firsttime.askprefs
    Type: Boolean. Default is true.
    Description: Specifies whether to prompt the user to set logging preferences when Sametime is launched for the first time.
    Release: 7.5.1 and later
Table 5. Chat History UI Preferences - com.ibm.collaboration.realtime.chat.logging.ui release 7.5.x and higher

allowSaveOverride
    Type: Boolean. Default is true.
    Description: Specifies whether to show the "Prevent Transcript save" menu item in the chat window Tools menu.
    Release: 7.5.1 and later
Table 6. Chat Window Preferences - com.ibm.collaboration.realtime.chatwindow release 7.5.x and higher

showuserinfo
    Type: Boolean. Default is true.
    Description: Specifies whether or not to display the business card in the chat window.
    Release: 7.5.1 and later

showtimestamp
    Type: Boolean. Default is true.
    Description: Specifies whether or not to display timestamps in the chat transcript area.
    Release: 7.5.1 and later

showdatestamp
    Type: Boolean.
    Description: Specifies whether or not to display date stamps in the chat transcript area.
    Release: 7.5.1 and later

showemoticons
    Type: Boolean. Default is true.
    Description: Specifies whether or not to display emoticons in the chat transcript.
    Release: 7.5.1 and later

usemyfont
    Type: Boolean. Default is false.
    Description: Specifies whether or not to override the chat partner's font settings with my own.
    Release: 7.5.1 and later

entersend
    Type: Boolean. Default is true.
    Description: Specifies whether Enter or Shift+Enter sends a message. When true, Enter sends and Shift+Enter inserts a newline.
    Release: 7.5.1 and later

showstatusupdates
    Type: Boolean. Default is false.
    Description: Specifies whether or not to display status updates for my chat partner in the transcript.
    Release: 7.5.1 and later

esccloses
    Type: Boolean. Default is true.
    Description: Specifies whether or not Esc closes the chat window.
    Release: 7.5.1 and later

showuserleft
    Type: Boolean. Default is false.
    Description: Specifies whether or not to display a message when my chat partner closes their chat window.
    Release: 7.5.1 and later

warnWhenInMtg
    Type: Boolean. Default is true.
    Description: Specifies whether or not to show a warning message when I try to open a chat window with a person who is in a meeting.
    Release: 7.5.1 and later

warnWhenAway
    Type: Boolean. Default is true.
    Description: Specifies whether or not to show a warning message when I try to open a chat window with a person who is away.
    Release: 7.5.1 and later

dontPopWhenMin
    Type: Boolean. Default is true.
    Description: Specifies whether or not the chat window pops to the front after I have manually minimized it.
    Release: 7.5.1 and later

showActionBar
    Type: Boolean. Default is true.
    Description: Specifies whether or not to show the top actions toolbar.
    Release: 7.5.1 and later

showStatusBar
    Type: Boolean. Default is true.
    Description: Specifies whether or not to show the status message bar at the bottom.
    Release: 7.5.1 and later

showToolsBar
    Type: Boolean. Default is true.
    Description: Specifies whether or not to show the message tools bar above the typing area.
    Release: 7.5.1 and later

showSendButton
    Type: Boolean.
    Description: Specifies whether or not to show the Send button in the chat window.
    Release: 7.5.1 and later

showQuickFind
    Type: Boolean.
    Description: Specifies whether or not to show quick find in the tabbed chat window.
    Release: 7.5.1 and later

useTabs
    Type: Boolean. Default is false.
    Description: Specifies whether or not to use a single tabbed window for all chats.
    Release: 7.5.1 and later

horizontalTabs
    Type: Boolean. Default is false (vertical).
    Description: Specifies whether to use horizontal or vertical tabs. Does not apply unless useTabs is true.
    Release: 7.5.1 and later

warnNewMessageArrived
    Type: Boolean. Default is true.
    Description: Specifies whether or not to show a message dialog when I try to close the window at the same time as I am receiving a message.
    Release: 7.5.1 and later

warnNewMessageArrivedThreshold
    Type: Long. Default is 450.
    Description: Used in conjunction with warnNewMessageArrived. When warnNewMessageArrived is true and this value is set to 10000 (10 seconds), trying to close the chat window 5 seconds after the last message pops up the warning dialog. Changing the default value is not recommended.
    Release: 7.5.1 and later

useDefaultGO
    Type: Boolean. Default is true.
    Description: Specifies whether or not to use the system's default orientation for typing, or to set one manually.
    Release: 7.5.1 and later

sendAreaGO
    Type: Integer.
    Description: Specifies which orientation to use in the typing area if useDefaultGO is false. Not set by default because useDefaultGO is true. Accepts only two values: 67108864 (SWT.RIGHT_TO_LEFT) or 33554432 (SWT.LEFT_TO_RIGHT).
    Release: 7.5.1 and later

timeformat
    Type: Integer. Default is 12.
    Description: Specifies the default time format to use (12 or 24 hour clock).
    Release: 7.5.1 and later

maxChatsShowWarn
    Type: Boolean
    Description: If using a tabbed window, specifies whether or not to show a warning dialog when the current chat count exceeds the predefined value.
    Release: 7.5.1 and later

maxChats
    Type: Integer. Default is 50.
    Description: Specifies the predefined value for maxChatsShowWarn.
    Release: 7.5.1 and later

saveChats
    Type: Boolean
    Description: Specifies whether or not to save opened chats across sessions.
    Release: 7.5.1 and later

transcript.view.limit
    Type: Integer. Default is 0.
    Description: Specifies a limit to the number of text/graphics lines that are maintained in the chat window (upper window). Setting it to 0 means no limit.
    Release: 8.5 and later

ProvideTabbedBrowserCache
    Type: Boolean. Default is true.
    Description: Specifies whether, when using tabbed chats, the browser window can be cached to improve memory use while the chat is not active.
    Release: 8.5.1 and later

persistPosition
    Type: Boolean
    Description: Specifies whether to remember the position of the normal chat window (does not apply to tabbed or multi-party chats). If set, the chat window position is remembered each time the window is closed and used as the default location the next time a chat window is opened.
    Release: 8.5 and later

xpos
    Type: Integer
    Description: Specifies the X value of the chat window position.
    Release: 7.5.1 and later

ypos
    Type: Integer
    Description: Specifies the Y value of the chat window position.
    Release: 7.5.1 and later

windowWidth
    Type: Integer
    Description: Specifies the width of the chat window.
    Release: 7.5.1 and later

windowHeight
    Type: Integer
    Description: Specifies the height of the chat window.
    Release: 7.5.1 and later

sendAreaHeight
    Type: Integer
    Description: Specifies the height of the input box of the chat window.
    Release: 7.5.1 and later
Community preferences:
The following table lists the IBM Lotus Sametime Connect client community
preferences that can be managed.
Table 7. Community Preferences - com.ibm.collaboration.realtime.community release 7.5.x and later

kioskMode
    Type: Boolean
    Description: Sets whether or not the client functions in kiosk mode.
    Release: 7.5.1 and later

logoutWhenIdle
    Type: Boolean
    Description: Sets the initial value of whether or not the client logs out when idle. This preference only takes effect for new Sametime users with no previous workspace. For any existing user, it is overridden to "false" when the auto-status settings are retrieved from the server, because the preference did not exist prior to release 8.0.1.
    Release: 7.5.1 and later

logoutWhenIdleOverride
    Type: Boolean
    Description: Provides a mechanism for an administrator to override the user's logoutWhenIdle setting. If set to true, the client always logs out when idle, and the user cannot change the value in the UI.
    Release: 7.5.1 and later

logoutWhenLocked
    Type: Boolean
    Description: Sets the initial value of whether or not the client logs out when the computer is locked. This preference takes effect for new Sametime users with no previous workspace. For any existing user, it is overridden to "false" when the auto-status settings are retrieved from the server, because the preference did not exist prior to release 8.0.1.
    Release: 7.5.1 and later

logoutWhenLockedOverride
    Type: Boolean
    Description: Provides a mechanism for an administrator to override the user's logoutWhenLocked setting. If set to true, the client always logs out when the computer is locked, and the user cannot change the value in the UI.
    Release: 7.5.1 and later

tokenLoginOnly
    Type: Boolean
    Description: Specifies whether or not to force login by token for the default community. Part of login extensibility (see the Sametime 801 SDK). Must be set prior to client launch.
    Release: 7.5.1 and later

host
    Type: String
    Description: Specifies the initial community host value. Must be set prior to client launch.
    Release: 7.5.1 and later

useAuthServer
    Type: Boolean
    Description: Specifies the initial useAuthServer value for the default community. Part of login extensibility (see the Sametime 801 SDK). Must be set prior to client launch.
    Release: 7.5.1 and later

authServerUrl
    Type: String
    Description: Specifies the initial authentication server URL value for the default community. Part of login extensibility (see the Sametime 801 SDK). Must be set prior to client launch.
    Release: 7.5.1 and later

defaultAuthType
    Type: String
    Description: Specifies the authentication type for the default community. Part of login extensibility (see the Sametime 801 SDK). Must be set prior to client launch.
    Release: 7.5.1 and later

keepAlive
    Type: Boolean. Default is true.
    Description: Specifies the initial keep-alive value. Must be set prior to client launch.
    Release: 7.5.1 and later

keepAliveInterval
    Type: Integer. Default is 60.
    Description: Specifies the initial keep-alive interval value for the default community. Must be set prior to client launch.
    Release: 7.5.1 and later

loginByToken
    Type: Boolean
    Description: Specifies the initial loginByToken value for the default community. Part of login extensibility (see the Sametime 801 SDK). Must be set prior to client launch.
    Release: 7.5.1 and later

name
    Type: String
    Description: Specifies the initial name for the default community. Must be set prior to client launch.
    Release: 7.5.1 and later

port
    Type: Integer. Default is 1533.
    Description: Specifies the initial community port value. Must be set prior to client launch.
    Release: 7.5.1 and later

savePassword
    Type: Boolean. Default is false.
    Description: Specifies the initial savePassword value for the default community. Must be set prior to client launch.
    Release: 7.5.1 and later

connectionType
    Type: String. Valid values include direct, tls-direct, http-direct, socks4-proxy, socks5-proxy, http-proxy, https-proxy, reverse-proxy.
    Description: Specifies the initial connectionType value for the default community. Must be set prior to client launch.
    Release: 7.5.1 and later

proxyHost
    Type: String
    Description: Specifies the initial proxy host value for the default community. Must be set prior to client launch.
    Release: 7.5.1 and later

proxyPort
    Type: Integer
    Description: Specifies the initial proxy port value for the default community. Must be set prior to client launch.
    Release: 7.5.1 and later

proxyUserName
    Type: String
    Description: Specifies the initial proxy user name for the default community. Must be set prior to client launch.
    Release: 7.5.1 and later

proxyPassword
    Type: String
    Description: Specifies the initial proxy password for the default community. Must be set prior to client launch.
    Release: 7.5.1 and later

proxyResolvesLocally
    Type: Boolean
    Description: Specifies the initial proxyResolvesLocally value for the default community. Must be set prior to client launch.
    Release: 7.5.1 and later
Contact list preferences:
The following table lists the IBM Lotus Sametime Connect client contact list
preferences that can be managed.
Table 8. Contact List Preferences - com.ibm.collaboration.realtime.imhub release 7.5.x and later

sortGroups
    Type: Boolean. Default is true.
    Description: Specifies whether by default to alphabetically sort groups in the contact list.
    Release: 7.5.1 and later

sortContacts
    Type: Boolean. Default is true.
    Description: Specifies whether by default to alphabetically sort contacts in the contact list.
    Release: 7.5.1 and later

alwaysEditStatusMsgActive
    Type: Boolean. Default is true.
    Description: Specifies whether by default to always edit the status message when changing status to available.
    Release: 7.5.1 and later

alwaysEditStatusMsgAway
    Type: Boolean. Default is true.
    Description: Specifies whether by default to always edit the status message when changing status to away.
    Release: 7.5.1 and later

alwaysEditStatusMsgInMtg
    Type: Boolean. Default is true.
    Description: Specifies whether by default to always edit the status message when changing status to in a meeting.
    Release: 7.5.1 and later

alwaysEditStatusMsgDnd
    Type: Boolean. Default is true.
    Description: Specifies whether by default to always edit the status message when changing status to do not disturb.
    Release: 7.5.1 and later

showActionToolBar
    Type: Boolean. Default is true.
    Description: Specifies whether by default to show the action toolbar in the contact list window.
    Release: 7.5.1 and later

showStatusBar
    Type: Boolean. Default is true.
    Description: Specifies whether by default to show the status bar in the contact list window.
    Release: 7.5.1 and later

showQuickFind
    Type: Boolean. Default is true.
    Description: Specifies whether by default to show quick find in the contact list window.
    Release: 7.5.1 and later

flashAddedContacts
    Type: Boolean. Default is true.
    Description: Specifies whether by default to flash newly added contacts.
    Release: 7.5.1 and later

showAddDialogSuccess
    Type: Boolean. Default is true.
    Description: Specifies whether by default to open a confirmation dialog after a contact has been added.
    Release: 7.5.1 and later

showAddGroupSuccess
    Type: Boolean. Default is true.
    Description: Specifies whether by default to open a confirmation dialog after a group has been added.
    Release: 7.5.1 and later

showAddPartnerSuccess
    Type: Boolean. Default is true.
    Description: Specifies whether by default to open a confirmation dialog after a chat partner has been added (through the Add button in the chat window).
    Release: 7.5.1 and later

autoSyncDefaultCommunityBuddyList
    Type: Boolean. Default is true.
    Description: Specifies whether by default to synchronize the 7.5 XML buddy list with the pre-7.5 contact list used by older clients. Windows only.
    Release: 7.5.1 and later

launchAtStartup
    Type: Boolean.
    Description: Specifies whether or not to launch Sametime at system startup. Valid only for the standalone client on Windows. If set in plugin_customization.ini or through the managed preferences framework, it does not take effect for the first launch of the Sametime client.
    Release: 7.5.1 and later

launchMinimized
    Type: Boolean.
    Description: Specifies whether or not to minimize Sametime when launching. Valid only for the standalone client on Windows.
    Release: 7.5.1 and later

hideWhenMinimized
    Type: Boolean. Default is true.
    Description: Specifies whether by default to hide the contact list window when minimized. Valid only for the standalone client on Windows.
    Release: 7.5.1 and later

showCommunityIconBackground
    Type: Boolean. Default is false.
    Description: Specifies whether by default to show the community icon behind the contacts.
    Release: 7.5.1 and later

statusImgBackgroundTransparency
    Type: Integer. Default is 60.
    Description: Specifies the transparency of the community background image. 0 is very prominent, 100 is completely transparent.
    Release: 7.5.1 and later

showHoverBizCard
    Type: Boolean. Default is true.
    Description: Specifies whether or not to show the business card when hovering over contacts.
    Release: 7.5.1 and later

hideContactsWhenOffline
    Type: Boolean. Default is false.
    Description: Specifies whether or not to hide the contact list tree when offline.
    Release: 7.5.1 and later

showBuddyListConflictDialog
    Type: Boolean. Default is true.
    Description: Specifies whether or not to show the contact list conflict dialog when synchronizing the remote contact list.
    Release: 7.5.1 and later

buddyListConflictPref
    Type: String. Default is merge.
    Description: Specifies the default behavior to follow in case of a remote/local synchronization conflict. Options include "merge", "keepLocal", and "replaceLocal".
    Release: 7.5.1 and later

warnWhenWatchLimitExceeded
    Type: Boolean.
    Description: When the watch limit is in effect, specifies whether or not to warn the user when the number of contacts that can be monitored is exceeded.
    Release: 7.5.1 and later

warnWhenContactLimitExceeded
    Type: Boolean.
    Description: When the "LimitContactListSize" policy is set, specifies whether or not to warn the user when the contact list is approaching the maximum number allowed.
    Release: 7.5.1 and later

showShortNames
    Type: Boolean.
    Description: Specifies whether or not to show short names in the contact list.
    Release: 7.5.1 and later

alwaysOnTop
    Type: Boolean.
    Description: Specifies whether or not to keep the contact list window always on top.
    Release: 7.5.1 and later

showOnlineOnly
    Type: Boolean.
    Description: Specifies whether or not to show only online contacts in the contact list window.
    Release: 7.5.1 and later

showStatusToolBar
    Type: Boolean
    Description: Specifies whether or not to show the My Status toolbar in the contact list window.
    Release: 7.5.1 and later

showContactList
    Type: Boolean
    Description: Specifies whether or not to show the contact list in the contact list window.
    Release: 7.5.1 and later

confirmMultiPartyChatInvitationToMoreThanX
    Type: Boolean
    Description: Specifies whether or not to ask for confirmation when the user starts events with groups larger than a specified number of people. The number is specified by confirmMultiPartyChatInvitationToMoreThanXNumber.
    Release: 7.5.1 and later

confirmMultiPartyChatInvitationToMoreThanXNumber
    Type: Integer
    Description: Specifies the limit number. See confirmMultiPartyChatInvitationToMoreThanX.
    Release: 7.5.1 and later
External application preferences:
The following table lists the IBM Lotus Sametime Connect client external
application preferences that can be managed.
Table 9. External application Preferences - com.ibm.collaboration.realtime.ui release 7.5.x and later

external.application.use.default.mail
    Type: Boolean. Default is true.
    Description: Specifies whether or not to use the default mail application for e-mail.
    Release: 7.5.1 and later

AllowEMailFunction
    Type: Boolean. Default is true.
    Description: Provides a mechanism for enabling or disabling the mail function entries. If set to true, the user can use the mail function in the Sametime client; if set to false, the mail menu and toolbar entries are disabled.
    Release: 8.0 and later

external.application.use.custom.browser
    Type: Boolean
    Description: Specifies whether or not to use a custom browser on Linux.
    Release: 7.5.1 and later

external.application.use.custom.mail
    Type: Boolean
    Description: Specifies whether or not to use a custom mail application on Linux.
    Release: 7.5.1 and later

external.custom.browser
    Type: String
    Description: Specifies the custom browser on Linux.
    Release: 7.5.1 and later

external.application.mail
    Type: String. "System Default", "Lotus Notes", "Evolution", "KMail" and "Thunderbird" on Linux; "Lotus Notes", "Outlook Express®" and other available mail applications on Windows.
    Description: Specifies the default mail application.
    Release: 7.5.1 and later

external.custom.mail
    Type: String
    Description: Specifies the user's custom mail application on Linux.
    Release: 7.5.1 and later

disableHostnameWarning
    Type: Boolean. Default is false.
    Description: Specifies whether or not to disable the check that warns when the server name is not a fully qualified domain name.
    Release: 8.5.1 and later
File transfer preferences:
The following table lists the IBM Lotus Sametime Connect client file transfer
preferences that can be managed.
Table 10. File Transfer Preferences - com.ibm.collaboration.realtime.filetransfer release 7.5.x and later

saveFileLocation
    Type: A text string containing a valid full path to a folder on the user's computer.
    Description: Specifies the path on the user's computer where files received through file transfer are saved. Do not use '\' as the file separator; use '\\' or '/' instead.
    Example using an absolute path:
        com.ibm.collaboration.realtime.filetransfer/saveFileLocation=C:\\Documents\\user\\SametimeFileTransfer
    Example using a path relative to the user profile folder, for Windows and Mac:
        com.ibm.collaboration.realtime.filetransfer/saveFileLocation=\\SametimeFileTransfer
    For Linux:
        com.ibm.collaboration.realtime.filetransfer/saveFileLocation=SametimeFileTransfer
    Release: 7.5.1 and later
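The rule repeated in the chat history, file transfer and Lotus Notes tables (write '\\' or '/' rather than a single '\') follows from how plugin_customization.ini is read. The following added example is not part of this guide or of the Sametime product: it re-implements, in Python, the value-unescaping rules of java.util.Properties, on the assumption (not stated by the guide) that the Eclipse platform underneath the client loads the file with those rules. It shows what value the client actually receives for each spelling of a path, and that one common mistake, a single backslash followed by 'u', makes the whole file unloadable rather than just one key. The two ini texts are constructed samples.

```python
import re

# Re-implementation of the java.util.Properties value-unescaping rules.
# Assumption: plugin_customization.ini is loaded with Properties semantics,
# which is why the guide says to write '\\' or '/' instead of a single '\'.
_SIMPLE_ESCAPES = {"t": "\t", "n": "\n", "r": "\r", "f": "\f", "\\": "\\"}
_HEX4 = re.compile(r"[0-9A-Fa-f]{4}")


def unescape_properties_value(raw: str) -> str:
    """Decode one raw value the way Properties.load() does."""
    out = []
    i = 0
    while i < len(raw):
        ch = raw[i]
        if ch != "\\":
            out.append(ch)
            i += 1
            continue
        if i + 1 >= len(raw):
            # A lone trailing backslash is a line continuation in Properties;
            # this line-based parser simply drops it.
            break
        nxt = raw[i + 1]
        if nxt == "u":
            hex4 = raw[i + 2:i + 6]
            if not _HEX4.fullmatch(hex4):
                # Properties.load() aborts the whole file here, so a path such
                # as C:\Documents\user breaks every preference in the file.
                raise ValueError("Malformed \\uxxxx encoding.")
            out.append(chr(int(hex4, 16)))
            i += 6
        elif nxt in _SIMPLE_ESCAPES:
            out.append(_SIMPLE_ESCAPES[nxt])
            i += 2
        else:
            out.append(nxt)  # unknown escape: the backslash is silently dropped
            i += 2
    return "".join(out)


def parse_customization_ini(text: str) -> dict:
    """Parse 'pluginId/key=value' lines; '#' and '!' start comment lines.

    Only the '=' separator and the value escapes are modelled; Properties
    also accepts ':' and whitespace separators and line continuations.
    """
    prefs = {}
    for line in text.splitlines():
        line = line.strip()
        if not line or line[0] in "#!":
            continue
        key, sep, value = line.partition("=")
        if sep:
            prefs[key.strip()] = unescape_properties_value(value.strip())
    return prefs


def decode_path_spellings() -> dict:
    """What the client actually receives for the three spellings of one path."""
    return {
        "single": unescape_properties_value(r"C:\Documents\temp\SametimeTranscripts"),
        "doubled": unescape_properties_value(r"C:\\Documents\\temp\\SametimeTranscripts"),
        "forward": unescape_properties_value("C:/Documents/temp/SametimeTranscripts"),
    }


# Constructed sample, spelled as the guide recommends.
GOOD_INI = r"""
# chat history and file transfer locations
com.ibm.collaboration.realtime.chat.logging/root.location=C:\\Documents\\temp\\SametimeTranscripts
com.ibm.collaboration.realtime.chat.logging/save.file.location=\\SametimeTranscripts
com.ibm.collaboration.realtime.filetransfer/saveFileLocation=C:/Documents/temp/SametimeFileTransfer
"""

# Constructed sample with the mistake the guide warns about: a single
# backslash followed by 'u', which Properties treats as a broken \uXXXX escape.
BAD_INI = r"""
com.ibm.collaboration.realtime.chat.logging/root.location=C:\Documents\user\SametimeTranscripts
"""


def load_or_error(text: str):
    """Return (prefs, None) on success or (None, message) when the file is rejected."""
    try:
        return parse_customization_ini(text), None
    except ValueError as exc:
        return None, str(exc)


if __name__ == "__main__":
    for name, value in decode_path_spellings().items():
        print(f"{name:8s} -> {value!r}")
    print(load_or_error(GOOD_INI))
    print(load_or_error(BAD_INI))
```

The "single" spelling shows the silent failure: `\D` loses its backslash and `\t` becomes a tab character, so the client is handed a directory that does not exist and saves transcripts somewhere other than where the administrator intended. Run the parser over a candidate plugin_customization.ini before deploying it, and reject any file that raises.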
Location preferences:
The following table lists the IBM Lotus Sametime Connect client location
preferences that can be managed.
Table 11. Location Preferences - com.ibm.collaboration.realtime.location release 7.5.x and later

showProfWindow
    Type: Boolean. Default is false.
    Description: Toggle for the "do not show the alert for editing location settings at location change again" option.
    Release: 7.5.1 and later

optIn
    Type: Boolean
    Description: Specifies whether or not to share the user's location information with other users.
    Release: 7.5.1 and later

manualModeVisible
    Type: Boolean
    Description: Specifies whether the "Do not automatically detect location changes" check box is visible.
    Release: 8.5 and later

manualModeSelected
    Type: Boolean
    Description: Specifies whether or not to detect location changes automatically.
    Release: 8.5 and later

advancedView
    Type: Boolean
    Description: Specifies whether or not to show the advanced view for Location.
    Release: 7.5.1 and later
Login preferences:
The following table lists the IBM Lotus Sametime Connect client login preferences
that can be managed.
Table 12. Login Preferences - com.ibm.collaboration.realtime.login release 7.5.x and later

enableAutoReconnect
    Type: Boolean. Default is true.
    Description: Specifies whether or not to enable automatic reconnection to the Sametime server in case the client is inadvertently disconnected.
    Release: 7.5.1 and later

autoReconnectAttemptInterval
    Type: long. Default is 20000.
    Description: Specifies the interval in milliseconds at which the client attempts to reconnect.
    Release: 7.5.1 and later

autoReconnectAttempts
    Type: long. Default is -1.
    Description: Specifies the number of attempts to reconnect. The value -1 means never stop trying.
    Release: 7.5.1 and later

verifyConnectionPriorToLogin
    Type: Boolean. Default is true.
    Description: Specifies whether or not to verify that a network connection is available before logging in.
    Release: 7.5.1 and later

notifyWhenNetConnLost
    Type: Boolean. Default is true.
    Description: Specifies whether or not to alert the user when the network connection is lost.
    Release: 7.5.1 and later

alwaysLoggedIn
    Type: Boolean
    Description: Keeps "Automatically log in" and "Remember password" checked and disabled, and disables all "Log out" menu items.
    Release: 7.5.1 and later

disableExit
    Type: Boolean
    Description: Keeps the "Exit" menu items disabled.
    Release: 7.5.1 and later

disableHostName
    Type: Boolean
    Description: Sets the edit state of the host name text field on the login dialog.
    Release: 7.5.1 and later

displayResetUserBtn
    Type: Boolean
    Description: Shows or hides the reset button on the login dialog. If this preference is set to true and com.ibm.collaboration.realtime.community/host is set, the reset button is automatically disabled.
    Release: 7.5.1 and later

allowSave
    Type: Boolean
    Description: Specifies whether or not to allow saving the password.
    Release: 7.5.1 and later

earlyStartupLogin
    Type: Boolean
    Description: Specifies whether or not to show the login dialog when the UIM is started.
    Release: 7.5.1 and later

resetUser
    Type: Boolean. Default is false.
    Description: Specifies whether or not to reset user information when the UIM is started.
    Release: 7.5.1 and later

displayAuthServerSSO
    Type: Boolean. Default is true.
    Description: Specifies whether or not to display authentication server information in the community Log In tab.
    Release: 7.5.1 and later
Lotus Notes preferences:
The following table lists the IBM Lotus Sametime Connect client Lotus Notes
preferences that can be managed.
Table 13. Lotus Notes Preferences - com.ibm.collaboration.realtime.calendar.notes.connector release 7.5.x and later

install_directory
    Type: String. Should be a valid path for Lotus Notes.
    Description: Specifies the Lotus Notes installation directory. Do not use '\' as the file separator; use '\\' or '/' instead. For example:
        com.ibm.collaboration.realtime.calendar.notes.connector/install_directory=D:\\Notes
    Release: 8.0 and later

notes_password
    Type: String
    Description: Specifies the Notes password.
    Release: 8.0 and later
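The community, login, external application and Lotus Notes tables above hold the preferences that decide how the client connects, whether a password can be saved, whether a locked or idle workstation stays logged in, and two keys (proxyPassword and notes_password) whose value is a credential written into a plain-text file that every user of the installation can read. The following added example is not IBM's code and does not describe any validation the Sametime client performs itself: it audits a plugin_customization.ini against a baseline of the example's own choosing, then shows the same file with the findings fixed. The two ini texts are constructed, the host name and community name are placeholders, and only the key names and the connectionType values are taken from the tables.

```python
# Added example: audit plugin_customization.ini against a security baseline.
# Key names come from the community, login, external application and Lotus
# Notes preference tables; the expected values are this example's own
# baseline, not an IBM recommendation. Values are compared as plain text
# (no Properties escape handling), which is enough for these keys.

COMMUNITY = "com.ibm.collaboration.realtime.community/"
LOGIN = "com.ibm.collaboration.realtime.login/"
UI = "com.ibm.collaboration.realtime.ui/"
NOTES = "com.ibm.collaboration.realtime.calendar.notes.connector/"

# Keys whose value is a credential; a managed preference file is plain text,
# so these must never be set there.
SECRET_KEYS = (NOTES + "notes_password", COMMUNITY + "proxyPassword")

# (key, expected value, reason)
BASELINE = (
    (COMMUNITY + "connectionType", "tls-direct",
     "use the TLS connection type from the guide's list rather than direct"),
    (COMMUNITY + "savePassword", "false",
     "do not pre-seed a saved community password"),
    (COMMUNITY + "logoutWhenLockedOverride", "true",
     "force logout on OS lock; users cannot change it in the UI"),
    (COMMUNITY + "logoutWhenIdleOverride", "true",
     "force logout when idle; users cannot change it in the UI"),
    (LOGIN + "allowSave", "false",
     "stop users from saving their password"),
    (UI + "disableHostnameWarning", "false",
     "keep the warning that the server name is not fully qualified"),
)


def parse_ini(text: str) -> dict:
    """Minimal pluginId/key=value reader; comment lines start with '#' or '!'."""
    prefs = {}
    for line in text.splitlines():
        line = line.strip()
        if not line or line[0] in "#!":
            continue
        key, sep, value = line.partition("=")
        if sep:
            prefs[key.strip()] = value.strip()
    return prefs


def audit(prefs: dict) -> list:
    """Return (key, finding) pairs; an empty list means the baseline is met."""
    findings = []
    for key in SECRET_KEYS:
        if key in prefs:
            findings.append((key, "plaintext credential in a managed preference; remove it"))
    for key, expected, reason in BASELINE:
        actual = prefs.get(key)
        if actual is None:
            findings.append((key, f"not set; expected {expected} ({reason})"))
        elif actual.lower() != expected:
            findings.append((key, f"is {actual}; expected {expected} ({reason})"))
    return findings


def audit_text(text: str) -> list:
    return audit(parse_ini(text))


# Constructed sample of a weak file; host and community name are placeholders.
WEAK_INI = """
com.ibm.collaboration.realtime.community/name=Renovations
com.ibm.collaboration.realtime.community/host=sametime.example.com
com.ibm.collaboration.realtime.community/port=1533
com.ibm.collaboration.realtime.community/connectionType=direct
com.ibm.collaboration.realtime.community/savePassword=false
com.ibm.collaboration.realtime.community/logoutWhenLockedOverride=true
com.ibm.collaboration.realtime.community/proxyPassword=hunter2
com.ibm.collaboration.realtime.login/allowSave=true
com.ibm.collaboration.realtime.calendar.notes.connector/notes_password=secret
"""

# The same file with every finding fixed.
HARDENED_INI = """
com.ibm.collaboration.realtime.community/name=Renovations
com.ibm.collaboration.realtime.community/host=sametime.example.com
com.ibm.collaboration.realtime.community/port=1533
com.ibm.collaboration.realtime.community/connectionType=tls-direct
com.ibm.collaboration.realtime.community/savePassword=false
com.ibm.collaboration.realtime.community/logoutWhenLockedOverride=true
com.ibm.collaboration.realtime.community/logoutWhenIdleOverride=true
com.ibm.collaboration.realtime.login/allowSave=false
com.ibm.collaboration.realtime.ui/disableHostnameWarning=false
"""


if __name__ == "__main__":
    for key, msg in audit_text(WEAK_INI):
        print(f"{key}: {msg}")
    print("hardened findings:", audit_text(HARDENED_INI))
```

The tables say the community preferences must be set before the client is launched, so this check belongs in the build step that produces the installation package or update site, not in a post-deployment scan. Because the baseline treats an unset key as a finding, the audit also catches a file that silently relies on the user-editable default.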
Microsoft Outlook preferences:
The following tables list the IBM Lotus Sametime Connect client preferences for
Microsoft Outlook and Sametime Meeting Integrator for Microsoft Outlook that can
be managed.
Table 14. Sametime Microsoft Outlook Preferences - com.ibm.collaboration.realtime.exchange

ExchangeTranscriptFolder
    Type: A mailbox folder name
    Description: The name of the Microsoft Exchange mailbox folder used for storing chat history.
    Release: 8.0 and later

ExchangeMessageStore
    Type: A message store name, such as 'Mailbox - John Doe'
    Description: The name of the message store used for storing chat history.
    Release: 8.0 and later

ExchangeStorageId
    Type: The ID of a storage method
    Description: The storage method used for storing chat history. For example, com.ibm.collaboration.realtime.exchange.storage.outlook.OutlookStorage.
    Release: 8.0 and later
Table 15. Sametime Meeting Integrator for Microsoft Outlook Preferences - com.ibm.collaboration.realtime

Mtg802SettingsEditable
    Type: true or false
    Description: Determines whether or not the 8.0.2 meetings ("Classic meetings") settings are editable by the user.
    Release: 8.5 and later

MeetingServerUrl
    Type: A server URL
    Description: The URL of the Sametime Classic Meeting (8.0.x) server. For example, http://sametime.mycompany.com
    Release: 8.0 and later

MeetingServerUsesSSO
    Type: true or false
    Description: Whether single sign-on should be used to authenticate with the Sametime Classic Meeting (8.0.x) server.
    Release: 8.5 and later

AlwaysCreateMeetings
    Type: true or false
    Description: Whether a meeting should always be created on a Sametime Classic Meeting (8.0.x) server when an appointment is scheduled in Outlook.
    Release: 8.5 and later

Mtg85SettingsEditable
    Type: true or false
    Description: Whether meeting settings are editable by the user.
    Release: 8.5 and later

Meeting85Server
    Type: A server host name
    Description: The host name of the Sametime Meeting server. For example, sametime.mycompany.com
    Release: 8.5 and later

Meeting85ServerUsesSSO
    Type: true or false
    Description: Whether single sign-on should be used to authenticate with the Sametime Meeting server.
    Release: 8.5 and later
Example entries in plugin_customization.ini:
com.ibm.collaboration.realtime.exchange/ExchangeTranscriptFolder=STTranscript
com.ibm.collaboration.realtime/MeetingServerUrl=http://sametime.mycompany.com
com.ibm.collaboration.realtime/MeetingServerUsesSSO=true
com.ibm.collaboration.realtime/AlwaysCreateMeetings=false
Meeting preferences:
The following tables list the IBM Lotus Sametime Connect client meeting
preferences that can be managed.
Table 16. Meeting Preferences - com.ibm.collaboration.realtime.meetings release 7.5.x and later
Attribute (variable type; release): description
hasMic (Boolean, default false; 7.5.1 and later): Specifies whether the user's computer has a microphone.
hasSpeakers (Boolean, default false; 7.5.1 and later): Specifies whether the user's computer has speakers.
hasCamera (Boolean, default false; 7.5.1 and later): Specifies whether the user's computer has a camera.
hideLegacyMeetingUI (Boolean, default false; 8.5 and later): Hides all legacy meeting UI.
Table 17. Meeting Preferences - com.ibm.rtc.meetings.shelf release 8.5.x and higher
Attribute (variable type; release): description
connectionType (default 1; 8.5 and later): Controls how the meetings client connects to the server. There are two choices: 0 = direct connection, 1 = via reverse proxy.
hideUI (String, default false; 8.5 and later): Hides the Sametime 8.5.x Meeting user interface.
serverName (String; 8.5 and later): Name of the meeting server to connect to. For example, renovations.ibm.com
serverPort (String, default 80; 8.5 and later): Specifies the server port number.
useCommunityCredentials (String, default true; 8.5 and later): If the user can re-use their credentials from the community server they are logged into, set this to true. Otherwise, false.
useHTTP (String, default true; 8.5 and later): Uses HTTP.
useHTTPS (String, default false; 8.5 and later): Uses HTTPS.
useHTTPProxy (String, default false; 8.5 and later): If clients should connect using a forward HTTP proxy, set this to true.
proxyServerName (String; 8.5 and later): Name of the proxy server to use. For example, proxy.ibm.com
proxyServerPort (String; 8.5 and later): Port number of the proxy.
reverseProxyUrl (String; 8.5 and later): URL for the reverse proxy. If the client is using a reverse proxy to connect, set this to the right proxy URL.
canRemoveServer (String, default true; 8.5 and later): Set this to "false" if this server should not be removed by the end user.
canAddOtherServers (String, default true; 8.5 and later): Set this to "false" if users cannot add other servers.
communityServerName (String; 8.5 and later): Name of the community server. This should be set to the name of the community server that should be used for credentials.
loginByToken (Boolean, default false; 8.5 and later): If this preference is set, then meetings use tokens instead of the user name and password to log in to the Meeting server. The Community server and Meeting server must be configured in an SSO domain for this setting to work.
Notification preferences:
The following table lists the IBM Lotus Sametime Connect client notification
preferences that can be managed.
Table 18. Notification Preferences - com.ibm.collaboration.realtime.alertmanager release 7.5.x and later
Attribute (variable type; release): description
pref_alertbubble_window_corner (String, default "SE"; four possible values, "NE", "NW", "SE", "SW", corresponding to northeast, northwest, southeast, southwest; 7.5.1 and later): Stores which of the four corners of the user's screen the alert bubble will appear in.
pref_alertbubble_window_width (positive integer; 7.5.1 and later): Stores the width in pixels of the alert bubble.
pref_alertbubble_window_height (positive integer; 7.5.1 and later): Stores the height in pixels of the alert bubble.
pref_alertbubble_window_edge_padding (positive integer; 7.5.1 and later): Stores the distance in pixels between the alert bubble's top and bottom edges and the edge of the desktop.
pref_alertbubble_show (String; "standard" = show a standard OS window, "less" or any other value = show the alert bubble; 7.5.1 and later): Determines whether to show the alert bubble or a standard OS window for an alert.
pref_alertbubble_close_alerts (Boolean; TRUE = automatically close the alert, FALSE = do not automatically close the alert; 7.5.1 and later): Determines whether to automatically close an alert after it appears.
pref_alertbubble_close_alerts_delay (positive integer; 7.5.1 and later): If alerts are set to automatically close, this is the delay in seconds before the alert is closed.
pref_alertbubble_animation (String; "none" = no window animation, "slide" = animate using a slide effect, "fade" = animate using a fade effect; default "slide"; 7.5.1 and later): Specifies the alert bubble animation type.
pref_alertbubble_bring_window_to_front (Boolean; 7.5.1 and later): The default value for whether to bring the popup window to the front.
pref_alertbubble_flash_taskbar (Boolean; 7.5.1 and later): The default value for whether to flash the taskbar to indicate a new popup window.
pref_event_0_playsound (Boolean; 7.5.1 and later): Determines whether one-on-one chat events play a sound.
pref_event_1_playsound (Boolean; 7.5.1 and later): Determines whether invitations to multi-party chat events play a sound.
pref_event_2_playsound (Boolean; 7.5.1 and later): Determines whether announcement events play a sound.
pref_event_3_playsound (Boolean; 7.5.1 and later): Determines whether invitations to Sametime Classic online meetings play a sound.
pref_event_6_playsound (Boolean; 7.5.1 and later): Determines whether status alert events (Alert Me When) play a sound.
pref_event_7_playsound (Boolean; 7.5.1 and later): Determines whether Location Awareness events play a sound.
pref_event_0_soundfile (text string, full path to a valid .WAV sound file; 7.5.1 and later): The sound file that will play for one-on-one chat events, if playing sounds is enabled for this event. Don't use '\' as the file separator. Use '\\' or '/' instead. For example, com.ibm.collaboration.realtime.alertmanager/pref_event_0_soundfile=C:\\Documents\\sound.wav
pref_event_1_soundfile (text string, full path to a valid .WAV sound file; 7.5.1 and later): The sound file that will play for invitations to multi-party chat events, if playing sounds is enabled for this event. Don't use '\' as the file separator. Use '\\' or '/' instead. For example, com.ibm.collaboration.realtime.alertmanager/pref_event_1_soundfile=C:\\Documents\\sound.wav
pref_event_2_soundfile (text string, full path to a valid .WAV sound file; 7.5.1 and later): The sound file that will play for announcement events, if playing sounds is enabled for this event. Don't use '\' as the file separator. Use '\\' or '/' instead. For example, com.ibm.collaboration.realtime.alertmanager/pref_event_2_soundfile=C:\\Documents\\sound.wav
pref_event_3_soundfile (text string, full path to a valid .WAV sound file; 7.5.1 and later): The sound file that will play for invitations to Sametime Classic online meeting events, if playing sounds is enabled for this event. Don't use '\' as the file separator. Use '\\' or '/' instead. For example, com.ibm.collaboration.realtime.alertmanager/pref_event_3_soundfile=C:\\Documents\\sound.wav
pref_event_6_soundfile (text string, full path to a valid .WAV sound file; 7.5.1 and later): The sound file that will play for status alert (Alert Me When) events, if playing sounds is enabled for this event. Don't use '\' as the file separator. Use '\\' or '/' instead. For example, com.ibm.collaboration.realtime.alertmanager/pref_event_6_soundfile=C:\\Documents\\sound.wav
pref_event_7_soundfile (text string, full path to a valid .WAV sound file; 7.5.1 and later): The sound file that will play for Location Awareness events, if playing sounds is enabled for this event. Don't use '\' as the file separator. Use '\\' or '/' instead. For example, com.ibm.collaboration.realtime.alertmanager/pref_event_7_soundfile=C:\\Documents\\sound.wav
pref_event_0_option_1 (Boolean; 7.5.1 and later): For one-on-one chats, determines whether to bring the chat window to the front.
pref_event_0_option_2 (Boolean; 7.5.1 and later): For one-on-one chats, determines whether to flash the taskbar to indicate a new window.
pref_event_0_option_3 (Boolean; 7.5.1 and later): For one-on-one chats, determines whether to show a system tray icon to indicate a new message.
pref_event_1_option_1 (Boolean; 7.5.1 and later): For invitations to multi-party chats, determines whether to bring the invitation window to the front.
pref_event_1_option_2 (Boolean; 7.5.1 and later): For invitations to multi-party chats, determines whether to flash the taskbar to indicate a new invitation.
pref_event_9_option_1 (Boolean; 8.5 and later): For calls, determines whether to bring the invitation window to the front.
pref_event_9_option_2 (Boolean; 8.5 and later): For calls, determines whether to flash the taskbar to indicate a new window.
pref_event_9_timeout_seconds (Integer, in seconds; 8.5 and later): For calls, specifies the number of seconds before an incoming invitation times out.
allow_response (Boolean; 7.5.1 and later): For the Send Announcement dialog, determines whether to allow recipients to send responses.
pref_event_9_alert_incoming (Boolean; 8.5 and later): For calls, determines whether to display the incoming invitation.
pref_event_10_playsound (Boolean; 8.5 and later): Determines whether calendar events play a sound.
pref_event_10_soundfile (text string, full path to a valid .WAV sound file; 8.5 and later): The sound file that will play for calendar events, if playing sounds is enabled for this event.
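The preferences above are written to plugin_customization.ini as plugin-id/preference=value lines, and the file is read with Java .properties escaping rules, which is why the soundfile entries in Table 18 insist on '\\' or '/' in paths. The following Python script is an added example, not part of this guide or of the Sametime product: it parses such a file with those escaping rules, shows what becomes of a path written with single backslashes, and flags the com.ibm.rtc.meetings.shelf settings from Table 17 that leave the meeting connection on plain HTTP (useHTTPS), send a password where an SSO token would do (loginByToken), or let users change the server list (canAddOtherServers, canRemoveServer). The sample file, the function names and the warning texts are constructed for this example.

```python
"""Audit a Sametime Connect plugin_customization.ini. Added example, not IBM code.
Keys are <plugin-id>/<preference> in a Java .properties file, as in the guide's
example entries. Checks use the Table 17 defaults and the Table 18 backslash rule."""
import re

# Constructed sample. pref_event_0_soundfile deliberately uses single backslashes
# (what the guide warns against); pref_event_1_soundfile follows the guide.
SAMPLE_INI = r"""
# Meetings shelf (Table 17)
com.ibm.rtc.meetings.shelf/serverName=renovations.ibm.com
com.ibm.rtc.meetings.shelf/serverPort=80
com.ibm.rtc.meetings.shelf/useHTTP=true
com.ibm.rtc.meetings.shelf/useHTTPS=false
com.ibm.rtc.meetings.shelf/loginByToken=false
com.ibm.rtc.meetings.shelf/canAddOtherServers=true
com.ibm.rtc.meetings.shelf/canRemoveServer=true
# Notification sounds (Table 18)
com.ibm.collaboration.realtime.alertmanager/pref_event_0_soundfile=C:\Documents\sound.wav
com.ibm.collaboration.realtime.alertmanager/pref_event_1_soundfile=C:\\Documents\\sound.wav
"""

_CONTROL_ESCAPES = {"t": "\t", "n": "\n", "r": "\r", "f": "\f"}

def unescape_properties(value):
    r"""Decode a value as java.util.Properties.load does: \t \n \r \f and
    \uXXXX are escapes; a backslash before any other character is silently
    dropped, so 'C:\Documents' loads as 'C:Documents'. Hence '\\' or '/'."""
    out, i = [], 0
    while i < len(value):
        ch = value[i]
        if ch != "\\" or i + 1 >= len(value):
            out.append(ch)
            i += 1
            continue
        nxt = value[i + 1]
        if nxt == "u" and i + 5 < len(value):
            out.append(chr(int(value[i + 2:i + 6], 16)))
            i += 6
        else:
            out.append(_CONTROL_ESCAPES.get(nxt, nxt))
            i += 2
    return "".join(out)

def parse_plugin_customization(text):
    """Return {plugin_id: {preference: value}} for the key=value lines the guide
    uses; '#' or '!' starts a comment. (Java's ':' separator is not handled.)"""
    prefs = {}
    for raw in text.splitlines():
        line = raw.strip()
        if not line or line[0] in "#!":
            continue
        key, sep, value = line.partition("=")
        if not sep or "/" not in key:
            continue
        plugin_id, _, pref = key.strip().rpartition("/")
        prefs.setdefault(plugin_id, {})[pref] = unescape_properties(value.strip())
    return prefs

# A backslash with no backslash on either side: Properties.load will drop it.
_LONE_BACKSLASH = re.compile(r"(?<!\\)\\(?!\\)")

def keys_with_lone_backslash(text):
    """Keys whose raw value contains a single backslash and will be mangled."""
    hits = []
    for raw in text.splitlines():
        line = raw.strip()
        if not line or line[0] in "#!" or "=" not in line:
            continue
        key, _, value = line.partition("=")
        if _LONE_BACKSLASH.search(value):
            hits.append(key.strip())
    return hits

def audit_meetings_shelf(prefs):
    """Flag com.ibm.rtc.meetings.shelf values (defaults from Table 17) that leave
    the meeting connection on plain HTTP, send a password where an SSO token
    would do, or let users change the server list."""
    shelf = prefs.get("com.ibm.rtc.meetings.shelf", {})
    def setting(name, default):
        return shelf.get(name, default).strip().lower()
    findings = []
    if setting("useHTTPS", "false") != "true":
        findings.append("useHTTPS is false: meetings traffic goes over plain HTTP")
    if setting("loginByToken", "false") != "true":
        findings.append("loginByToken is false: the client sends user name and "
                        "password to the Meeting server instead of an SSO token")
    if setting("canAddOtherServers", "true") == "true":
        findings.append("canAddOtherServers is true: users can add meeting servers")
    if setting("canRemoveServer", "true") == "true":
        findings.append("canRemoveServer is true: users can remove the set server")
    return findings

if __name__ == "__main__":
    prefs = parse_plugin_customization(SAMPLE_INI)
    for key in keys_with_lone_backslash(SAMPLE_INI):
        plugin_id, _, pref = key.rpartition("/")
        print(f"WARN {key}: lone backslash, loads as {prefs[plugin_id][pref]!r}")
    for finding in audit_meetings_shelf(prefs):
        print("WARN", finding)
```

Run as a script it prints the warnings for the embedded sample; pass the contents of a real plugin_customization.ini to parse_plugin_customization to audit a deployment. A key that is absent is judged by its Table 17 default, so an unmanaged meetings shelf is reported the same way as one explicitly set to the defaults.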
People preferences:
The following table lists the IBM Lotus Sametime Connect client people preferences
that can be managed.
Table 19. People Preferences - com.ibm.collaboration.realtime.people release 7.5.x and later
Attribute (variable type; release): description
userInfoReplacesDefaultDisplayName (Boolean, default false; 7.5.1 and later): Specifies whether or not the user's directory name retrieved for the business card replaces the default display name shown in the contact list and elsewhere.
lookupExpirationDays (Integer, default 7; 7.5.1 and later): Specifies the number of days a user's directory info is considered up to date. A value of 0 means refresh a user's directory info for each client session.
wrapBusinessCard (Boolean, default true; 7.5.1 and later): Specifies whether or not to wrap text in the business card.
showNoPhotoPhoto (Boolean, default true; 7.5.1 and later): Specifies whether or not to show a placeholder image in the business card when the user doesn't have a photo.
isCaseInsensitive (Boolean, default false; 7.5.1 and later): Specifies whether lookups of people are case insensitive. See the topic "Turning off case sensitivity on the Lotus Sametime Community Server" for details.
Rules manager preferences:
The following tables list the IBM Lotus Sametime Connect client rules manager
preferences that can be managed.
Table 20. Sametime Rules Manager Preferences - com.ibm.collaboration.realtime.telephony.sti.rulesmgr release 8.5.1 and later
Attribute (variable type; release): description
blockIncomingCalls (Boolean, default true; 8.5.1 and later): Block all incoming calls.
rulesForComputerOnlyUsers (Boolean, default true; 8.5.1 and later): Causes default rules to apply only to computer-only users.
hideCallRoutingPrefs (Boolean, default false; 8.5.1 and later): Hide the call routing preference pages.
disableRulesEditing (Boolean, default true; 8.5.1 and later): Disable the ability to edit call routing rules.
disableOfflineCalling (Boolean, default true; 8.5.1 and later): Disable the ability of a computer-only user to call an offline contact.
disableExternalCalling (Boolean, default true; 8.5.1 and later): Disable the ability of a computer-only user to call an external contact or phone number.
disableNonComputerCalls (Boolean, default true; 8.5.1 and later): Disable the ability of a computer-only user to call using anything other than their computer.
hidePreferredDevices (Boolean, default false; 8.5.1 and later): Hide the preferred device dropdown.
disablePreferredDevices (Boolean, default true; 8.5.1 and later): Disable the preferred devices dropdown.
hideAllocatedDevices (Boolean, default true; 8.5.1 and later): Hide allocated devices so they cannot be used to answer calls or as a transfer target.
disablePreferredNumberChanges (Boolean, default true; 8.5.1 and later): Disable the ability to add new preferred numbers.
replaceConditions (Boolean, default true; 8.5.1 and later): Replace the user's conditions with the defaults.
computerOnlyPrefix (String, default +999; 8.5.1 and later): Unified number prefix which identifies a user as a computer-only user.
callRoutingConditions (String, default /config/callRoutingConditions.xml; 8.5.1 and later): URL pointing to an XML file which defines the default call routing rules.
Spell checker preferences:
The following table lists the IBM Lotus Sametime Connect client spell checker
preferences that can be managed.
Table 21. Spell Checker Preferences - com.ibm.collaboration.realtime.spellchecker release 7.5.x and later
Attribute (variable type; release): description
checkSpelling (Boolean, default true; 7.5.1 and later): Specifies whether to check spelling as you type by default.
dictionaryLanguage (String, default en-US; 7.5.1 and later): Specifies the default language to use for spell checking. The corresponding dictionary must be installed.
Telephony, Audio, and Video preferences:
The following table lists the IBM Lotus Sametime Connect client telephony, audio,
and video preferences that can be managed.
Table 22. Global Preferences - com.ibm.collaboration.realtime release 8.5.1 and later
Attribute (variable type; release): description
enableSUT (Boolean, default false; 8.5.1 and later): Applies to Sametime Unified Telephony subscribers only. When the value is set to true, the Sametime Unified Telephony plug-ins installed with the client become active. Subscribers see telephony status icons in the contact list, and features such as call history and the phone book are enabled. Restart the client for the change to take effect.
enableTelephonyStatus (Boolean, default false; 8.5.1 and later): Set the value to true to enable the display of telephony presence status icons for live names on the contact list or elsewhere. This is used for telephony presence published using the Sametime Telephony Presence Adapter, which is used by both Sametime Unified Telephony and some third-party telephony presence solutions. If you set enableSUT to true, it is not necessary to also set enableTelephonyStatus to true. When Sametime Unified Telephony is enabled, telephony status shows regardless of this preference value. However, in environments with both Sametime Unified Telephony users and nonusers, you can set enableTelephonyStatus to true so nonusers can see telephony presence for Sametime Unified Telephony users.
enableExtendedStatus (Boolean, default false; 8.5.1 and later): Set the value to true to enable the use of extended status icons for live names on the contact list or elsewhere. Extended status icons are most often used for telephony presence status; however, some third-party applications use extended status icons for other types of status. To display telephony status icons for applications that use the Sametime Telephony Presence Adapter, use enableTelephonyStatus rather than enableExtendedStatus. It is only necessary to set enableExtendedStatus when not using telephony presence from the Sametime Telephony Presence Adapter. As with enableTelephonyStatus, enableExtendedStatus is ignored when you set enableSUT to true, since Sametime Unified Telephony always shows telephony status icons.
Table 23. Telephony, Audio, and Video Preferences - com.ibm.collaboration.realtime.telephony.ui release 8.5 and higher
Attribute (variable type; release): description
deviceIn (a valid string value for the device, default "Default device"; 8.5 and later): For computer sound devices, specifies which device is selected for Microphone.
deviceOut (a valid string value for the device, default "Default device"; 8.5 and later): For computer sound devices, specifies which device is selected for Speakers.
deviceRing (a valid string value for the device, default "Default device"; 8.5 and later): For computer sound devices, specifies which device is selected for Ringing.
mic_boost_disabled (Boolean; 8.5 and later): For computer sound devices, specifies whether or not to disable microphone boost.
always_show_my_video (Boolean; 8.5 and later): Specifies whether or not to show my video automatically when I participate in a video-enabled session.
closeWindow2 (Boolean; 8.5 and later): Specifies whether or not to close the call window automatically when the user disconnects.
warnCallAway (Boolean; 8.5 and later): Specifies whether or not to warn me if the user is Away before starting new calls.
warnCallInTheMeeting (Boolean; 8.5 and later): Specifies whether or not to warn me if the user is In a Meeting before starting new calls.
warnCallDND (Boolean; 8.5 and later): Specifies whether or not to warn me if the user is on Do Not Disturb before starting new calls.
warnCallOnThePhone (Boolean; 8.5 and later): Specifies whether or not to warn me if the user is On the Phone before starting new calls. For SUT only.
participantView (Integer; 0 for "Image View" or 1 for "List View"; 8.5 and later): Specifies the default participant view for 3-6 participants.
callwindowAlwaysOnTop (Boolean; 8.5 and later): Specifies whether or not to keep the call window always on top. For Windows only.
enableSoundAlerts (Boolean; 8.5 and later): Specifies whether or not to enable sound alerts.
soundCalleeRing (a valid absolute sound file path; 8.5 and later): The sound file that will play for incoming voice or video chats, if sound alerts are enabled.
soundHangUp (a valid absolute sound file path; 8.5 and later): The sound file that will play when the connection ends, if sound alerts are enabled.
soundPause (a valid absolute sound file path; 8.5 and later): The sound file that will play when audio is paused, if sound alerts are enabled.
soundResume (a valid absolute sound file path; 8.5 and later): The sound file that will play when audio is resumed, if sound alerts are enabled.
soundAlert (a valid absolute sound file path; 8.5 and later): The sound file that will play for incoming call alerts, if sound alerts are enabled.
muteSoundEnabled (Boolean; 8.5 and later): Specifies whether or not to mute other Sametime alerts during calls.
preferredConferencingSolution ("ext_avc" or "st_avc"; 8.5 and later): For Connection and Conference Settings, specifies whether or not to use the external service for the user's video calls. If set to "st_avc", Sametime Audio/Video Conferencing is used instead.
auto_vc_non_sut (Boolean; 8.5 and later): Specifies whether or not to always establish a computer-to-computer (Voice Chat) session when the callee does not have Sametime Unified Telephony.
hideTelephonyUI (Boolean; 8.5 and later): Specifies whether or not to hide all telephony and audio/video user interface elements, including menu items, toolbar actions, and preference pages. This can be used in environments that either do not use any telephony or audio/video features, or use third-party telephony or audio/video solutions that provide their own user interface.
showCallComputer (Boolean, default false; 8.5 and later): Specifies whether or not users can use "Call Computer" to start an audio call when both Sametime Unified Telephony and Sametime Media Manager have been deployed.
Update preferences:
The following table lists the IBM Lotus Sametime Connect update preferences that
can be managed.
Table 24. Update Preferences - com.ibm.collaboration.realtime.update release 8.5.x and later
Attribute (variable type; release): description
restartAction (one of the values below; default restart.now.or.later; 8.5 and later): Defines how restart should be initiated on the client after an update is completed. Note that this preference applies only to administrator-initiated updates; it is ignored for updates a user starts manually from the Tools -> Plug-ins menu.
  restart.now - the user is presented with a restart dialog with a Restart Now button only.
  restart.now.or.later - the user is presented with a restart dialog with Restart Now and Wait x minutes buttons.
  restart.on.next.login - the user is presented with an info message that the plug-in updates will take effect on the next restart.
  restart.now.no.prompt - the client is restarted automatically when the update is completed, without any user interaction.
restartRemindDelayMinutes (Integer, default 5; 8.5 and later): Defines how long to delay the restart of the client after an update is completed. This setting is ignored if restartAction is set to restart.now or restart.on.next.login.
Example entries in plugin_customization.ini:
com.ibm.collaboration.realtime.update/restartAction=restart.now.no.prompt
com.ibm.collaboration.realtime.update/restartRemindDelayMinutes=1
Enabling Sametime Unified Telephony, extended status, and
telephony status in the client
The IBM Lotus Sametime Connect 8.5.1 client, both standalone and integrated with
Lotus Notes, includes plug-ins that were available separately in previous releases:
v Sametime Unified Telephony plug-ins
These plug-ins provide access to Sametime Unified Telephony features for users
who have access to a Sametime Unified Telephony infrastructure and are
provisioned to use it. In previous releases, the Sametime Unified Telephony
client plug-ins were provided as a client add-on in the Sametime Unified
Telephony product, and were installed using an add-on installer or update site.
v Extended status plug-in (com.ibm.collaboration.realtime.status.ext)
This plug-in provides the ability to display custom live name status icons. This
is typically used to display telephony status icons, but this mechanism can be
used to display any custom status icons. This plug-in first appeared in Lotus
Sametime 7.5.1, and prior to Lotus Sametime 8.5.1, this plug-in was only
available in the Sametime SDK and as part of the Sametime Unified Telephony
client add-on.
v Telephony status plug-in (com.ibm.collaboration.realtime.telephony.status)
This plug-in, which was added for Lotus Sametime 8.0, makes use of the
extended status plug-in to display telephony status icons for live names. This
plug-in is used in conjunction with the Sametime Telephony Presence Adapter
server component, which integrates the Sametime server with Sametime Unified
Telephony and third-party telephony presence systems. The Sametime server
obtains telephony status from the Telephony Presence Adapter and publishes
status changes via Sametime user attributes. The telephony status plug-in
responds to telephony status user attributes by displaying the appropriate
telephony status icon next to the Sametime presence icon. Like the extended
status plug-in, the telephony status plug-in was only available in the Sametime
SDK and Sametime Unified Telephony client add-on in previous releases.
Simplified client installation
There were a number of reasons why these plug-ins were incorporated into the
standard Lotus Sametime Connect 8.5.1 client, but the most important one was to
simplify the client installation experience for end users, administrators, and
third-party developers, by eliminating the need to install separate client
components. In previous releases, Sametime Unified Telephony users or their
administrators needed to install the Sametime Unified Telephony client add-on in
order to use Sametime Unified Telephony. Similarly, third-party developers who
made use of extended status or telephony status needed to package those plug-ins
from the Sametime SDK and ask their customers to install them.
In previous releases of Lotus Sametime, installing any of these plug-ins would alter
the behavior of the Lotus Sametime Connect client. The extended status and
telephony status plug-ins altered the appearance of the contact list and live names,
to make room for the additional status icons. The Sametime Unified Telephony
plug-ins prevented the client from using telephony services other than those
provided by Sametime Unified Telephony. Since these changes are not appropriate
for all Lotus Sametime users, Lotus Sametime 8.5.1 introduced new client
preferences that allow the additional plug-ins to be enabled only when needed.
This means that even though the Sametime Unified Telephony, extended status,
and telephony status plug-ins are always present in the Lotus Sametime Connect
8.5.1 client, they have no impact on client behavior until they are explicitly
activated.
The remainder of this topic describes how the Sametime Unified Telephony,
extended status, and telephony status plug-ins are enabled or disabled in the Lotus
Sametime Connect 8.5.1 client. Since the different plug-ins are somewhat
dependent on one another, it's important for both administrators and third-party
developers to understand how to enable or disable them and the impact of doing
so.
New client preferences
A number of different options were considered that would allow administrators to
enable or disable the Sametime Unified Telephony, extended status, and telephony
status plug-ins. The two best options were client preferences and new policies,
because either one could be applied to specific users and groups, but client
preferences were chosen. Unlike policies, client preferences can be used to prevent
plug-ins from loading at startup if the plug-ins will not be used, improving startup
time, and client preferences can be used with older Sametime servers.
This section describes the new client preferences, which are listed below. The
default value in all cases is false, which means the corresponding feature is
disabled. To enable a feature, set the preference value to true. To disable the feature
after enabling it, set the preference to false again.
v com.ibm.collaboration.realtime/enableSUT=false
Set this preference to true to enable Sametime Unified Telephony features in the
client. Once enabled, the client will only be able to make use of Sametime
Unified Telephony telephony service (and Sametime audio/video service), so
don't enable this preference for users who are not provisioned to use Sametime
Unified Telephony, since that will prevent them from getting access to other
telephony services. When this preference is enabled (true), both telephony status
and extended status are used, regardless of the values of the other preferences.
v com.ibm.collaboration.realtime/enableTelephonyStatus=false
Set this preference to true to enable the display of telephony presence status
icons for live names on the contact list or elsewhere. This is used for telephony
presence published using the Sametime Telephony Presence Adapter, used by
both Sametime Unified Telephony and third-party telephony presence solutions.
Enabling telephony status also enables extended status. It is not necessary to
enable both preferences. In environments that include both Sametime Unified
Telephony and non-Sametime Unified Telephony users, this preference can be
enabled for the non-Sametime Unified Telephony users, to allow them to see
telephony status for Sametime Unified Telephony users.
v com.ibm.collaboration.realtime/enableExtendedStatus=false
Set this preference to true to enable the use of non-telephony extended status
icons for live names on the contact list or elsewhere. Although extended status
icons are most often used for telephony presence status, some third-party
applications use extended status icons for other purposes. To display telephony
status icons for applications that use the Sametime Telephony Presence Adapter,
enable telephony status rather than this preference.
The following table summarizes how the three preferences affect extended status
icons and telephony status:
Table 25. Extended status icons and telephony status
enableExtendedStatus  enableTelephonyStatus  enableSUT   Extended status icons displayed  Telephony status displayed
any value             any value              true        yes                              yes
any value             true                   any value   yes                              yes
true                  false                  false       yes                              no
false                 false                  false       no                               no
Modifying client preferences
Lotus Sametime provides different options for administrators to change client
preferences, without requiring any action from end users. Any of these options can
be used to modify the three client preferences described previously; however, IBM
recommends the managed preferences mechanism for changing these and other
client preferences. Here's an overview of the managed preferences mechanism:
v It was first supported by the Lotus Sametime Connect 8.5 client, but does not
require a Sametime 8.5 server.
v You place a file named managed-settings.xml (example follows) on your server
at the location specified by the administration update site URL. This is the same
URL that specifies where the client looks for updated features posted by the
administrator, which are automatically installed. This URL is specified by a
Sametime user policy, so a different URL can be used for different users and
groups.
v Lotus Sametime Connect 8.5 and later clients use the administration update site
URL to look for updated features, but also look for a managed-settings.xml file
at that location. If found, the managed-settings.xml settings are read and
processed by the client.
v Older clients use the administration update site URL to look for updated
features, but ignore any managed-settings.xml file at that location.
This is the format of the managed-settings.xml file used to enable or disable the
three preferences described in this topic, with the default values:
<ManagedSettings>
<settingGroup name="com.ibm.collaboration.realtime">
<setting name="enableSUT" value="false"/>
<setting name="enableTelephonyStatus" value="false"/>
<setting name="enableExtendedStatus" value="false"/>
</settingGroup>
</ManagedSettings>
For more information on using managed settings, see Configuring client
preferences with the Expeditor managed settings framework.
Note: Unlike other client preferences, changes to the three preferences described
here do not take effect until the client is restarted. Because the end user is unaware
of preference changes made using the managed preferences mechanism, a dialog
box with the following message appears if changes are detected to any of the three
preferences:
Sametime has detected a configuration change from the administrator and needs to restart.
From the dialog, the user can choose to restart the client.
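An added example, not from the Sametime documentation: the following Python script parses a managed-settings.xml file in the format shown above, applies the rules of Table 25 to report what the client will display, and tells the administrator whether publishing a changed file will trigger the restart dialog described in the note. The file contents are constructed; the telephony-enabled variant is an assumption about a file an administrator might publish to the update site.

```python
"""Added example, not part of the Sametime documentation: parse a
managed-settings.xml file, pull out the three telephony/extended-status
preferences, and work out what the client will display per Table 25."""
import xml.etree.ElementTree as ET

SETTING_GROUP = "com.ibm.collaboration.realtime"
PREFERENCES = ("enableSUT", "enableTelephonyStatus", "enableExtendedStatus")

# The default file shown in this topic (all three preferences off).
DEFAULT_MANAGED_SETTINGS = """\
<ManagedSettings>
  <settingGroup name="com.ibm.collaboration.realtime">
    <setting name="enableSUT" value="false"/>
    <setting name="enableTelephonyStatus" value="false"/>
    <setting name="enableExtendedStatus" value="false"/>
  </settingGroup>
</ManagedSettings>
"""

# Constructed variant an administrator might publish to turn telephony status on.
TELEPHONY_MANAGED_SETTINGS = DEFAULT_MANAGED_SETTINGS.replace(
    '<setting name="enableTelephonyStatus" value="false"/>',
    '<setting name="enableTelephonyStatus" value="true"/>')


def parse_managed_settings(xml_text):
    """Return {name: value} for the three preferences found in the
    com.ibm.collaboration.realtime setting group. A preference that is absent
    from the file is simply missing from the result; the helpers below treat
    a missing preference as its documented default (false)."""
    root = ET.fromstring(xml_text)
    if root.tag != "ManagedSettings":
        raise ValueError("expected <ManagedSettings> root, found <%s>" % root.tag)
    found = {}
    for group in root.findall("settingGroup"):
        if group.get("name") != SETTING_GROUP:
            continue
        for setting in group.findall("setting"):
            name = setting.get("name")
            if name in PREFERENCES:
                found[name] = setting.get("value")
    return found


def as_bool(value):
    """Accept only the literal strings true/false; anything else is a typo
    that would not do what the administrator intended, so reject it."""
    if value is None:
        return False  # preference not managed: documented default
    lowered = value.strip().lower()
    if lowered == "true":
        return True
    if lowered == "false":
        return False
    raise ValueError("preference value must be true or false, got %r" % value)


def status_display(settings):
    """Apply Table 25. Returns (extended_icons_displayed, telephony_displayed)."""
    sut = as_bool(settings.get("enableSUT"))
    telephony = as_bool(settings.get("enableTelephonyStatus"))
    extended = as_bool(settings.get("enableExtendedStatus"))
    if sut or telephony:
        # Either of these turns on both extended status icons and telephony status.
        return True, True
    # Otherwise only the extended-status flag matters, and telephony stays off.
    return extended, False


def restart_required(current_xml, proposed_xml):
    """True if publishing proposed_xml changes any of the three preferences,
    in which case clients show the restart dialog described in the note."""
    current = parse_managed_settings(current_xml)
    proposed = parse_managed_settings(proposed_xml)
    return any(as_bool(current.get(p)) != as_bool(proposed.get(p)) for p in PREFERENCES)


if __name__ == "__main__":
    prefs = parse_managed_settings(TELEPHONY_MANAGED_SETTINGS)
    icons, telephony = status_display(prefs)
    print("extended status icons: %s, telephony status: %s" % (icons, telephony))
    print("restart needed:", restart_required(DEFAULT_MANAGED_SETTINGS,
                                              TELEPHONY_MANAGED_SETTINGS))
```

Run it against the file you are about to publish at the administration update site URL; a value other than true or false is rejected rather than silently treated as false, which is the mistake the check is meant to catch before clients read the file.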
Writing custom messages for clients
You can write custom messages to appear when a user logs in, under "Welcome to
Sametime" or in the "New contact" screen. These messages can be created with
Eclipse plug-in programs.
Before you begin
You can create a branding plug-in that shows a custom message in the user's "New
contact" screen or in the login screen. For example, when you are creating a
message for the new contact screen, if you connect a particular community to a
public instant messaging network, you may want to tell the users which
community to use to add a contact from that public network. This branding feature
accepts text only. For information on using a wizard to create plug-ins, see the
Eclipse documentation:
http://help.eclipse.org/help32/topic/org.eclipse.pde.doc.user/guide/tools/project_wizards/new_project_wizards.htm
Note: Before you can build plug-ins, you must install:
v the Sametime software development kit
v Eclipse IDE (integrated development environment) version 3.2
v the JCL Desktop custom run time environment for Windows and Linux
v the Eclipse J9 JDT launching plug-in for Windows and Linux
v a standard Java Runtime Environment (1.4.2 or higher version)
v Windows XP, Linux, or Mac operating system supported by Sametime 7.5 or
later
For comprehensive information on setting up the integrated development
environment, and building and providing plug-ins to clients, see the IBM
Redbooks® publications at
http://www.redbooks.ibm.com/abstracts/sg247346.html
About this task
The plug-in you create this way is pushed to the client just as Sametime updates
are pushed. See the following examples for a template.
This is a sample branding plug-in:
<plugin>
<extension
id="com.ibm.collaboration.realtime.notes.branding"
point="com.ibm.collaboration.realtime.ui.stbranding">
<stbranding
id="mypackage.messages"
name="Custom Sametime Messages">
<messages class="mypackage.Messages"/>
</stbranding>
</extension>
</plugin>
Below is a sample Messages.java, the class named by the messages element of
the plug-in above:
package mypackage;

import org.eclipse.osgi.util.NLS;

// Message class referenced by the branding plug-in. Each public static String
// field is filled in by NLS.initializeMessages from the resource bundle entry
// with the same key.
public class Messages extends NLS {
    // Base name of the resource bundle (messages.properties) loaded through
    // the plug-in class loader.
    private static final String BUNDLE_NAME = "messages"; //$NON-NLS-1$

    // Login dialog message
    public static String com_ibm_collaboration_realtime_login_strings_messages$enter_credentials_for;

    // Add Contacts dialog message for single community
    public static String com_ibm_collaboration_realtime_imhub_strings_messages$singleCommunityDefMsgArea;

    // Add Contacts dialog message for multiple communities
    public static String com_ibm_collaboration_realtime_imhub_strings_messages$multiCommunityDefMsgArea;

    static {
        NLS.initializeMessages(BUNDLE_NAME, Messages.class);
    }

    private Messages() {
        // Static messages only; never instantiated.
    }
}
Below is a sample resource bundle, messages.properties. Each key matches a
field in Messages.java; a trailing backslash continues a value on the next line.
com_ibm_collaboration_realtime_login_strings_messages$enter_credentials_for=\
Customize me: \
Please enter your user name and password for the default Sametime community.
com_ibm_collaboration_realtime_imhub_strings_messages$singleCommunityDefMsgArea=\
Customize me: \
Add a new contact by entering a name below.
com_ibm_collaboration_realtime_imhub_strings_messages$multiCommunityDefMsgArea=\
Customize me: \
Add a new contact by selecting the community where the contact exists. \
Enter the user's name (or email address if adding an external contact.)
What to do next
After you have created the plug-in by following these examples, provision the
messages to the Sametime clients.
Creating an update site for plug-in access
If you want to provide additional IBM Lotus Sametime plug-ins for your users,
you can create an update site by using tools available from Eclipse.org. Users can
use the site to update features or to get new features for their Instant Messaging
component.
Creating an update site
You can create an update site using the wizard at http://www.eclipse.org.
To start the wizard:
1. Choose File > New project.
2. In the New Project wizard, choose Plug-in development > Update site project.
The New update site wizard appears.
3. In Project name, name your site.
4. In Location, use the format HTTP_DOC_Root\myupdatesite.
5. De-select Use default location.
6. Select Generate a web page listing all available features within the site.
7. Click Finish.
8. In the site.xml page, in Category Properties, create the name and label for the
category. The label appears on the page as a feature for the user to select.
9. In the Feature selection dialog box, add the feature you want to provide to
users.
10. Select the Build All button to build the feature and the feature's required
plug-in.
User downloads
If you want to manually provision the plug-in, make sure that the policy Allow
user to install plug-ins is assigned to the user. To deploy the plug-in to a larger
audience, you can use a software distribution system or a Sametime update site. For
more information on using Sametime update sites, see Methods of pushing down
Sametime 7.5.x & 8.0 client updates. The user can also install the feature from
within the Lotus Sametime Connect client:
1. Choose Tools → Plug-ins → Install Plug-ins.
2. Select Search for new features to install, and then click Next.
3. Select the site to include in the search and click Finish.
4. In the Search Results, select the features to install and click Next.
5. In the next window, click Finish to install. Verify by clicking Install.
6. Restart the client.
Update existing features
If Automatic Updates are selected in the Connect Client, the user receives a dialog
box that states that new updates are available, and asks the user if he or she wants
to install them now. The user can select Yes or No.
Turning off case sensitivity in the Lotus Sametime Connect
client
If you turn off case sensitivity in the IBM Lotus Sametime Community server, IBM
recommends that you also turn off case sensitivity in the Lotus Sametime client.
Before you begin
Before you begin, turn off case sensitivity in the IBM Lotus Sametime Community
server and restart the server.
About this task
You turn off case sensitivity for Lotus Sametime clients by editing the
plugin_customization.ini file. For more information on configuring user
preferences, see the following Technote:
http://www-01.ibm.com/support/docview.wss?rs=477&uid=swg21306943
Procedure
1. Back up the file sametime client program directory\plugin_customization.ini.
2. Modify the plugin_customization.ini file by updating the following line:
com.ibm.collaboration.realtime.people/isCaseInsensitive=true
3. Save and close the configuration file.
4. Restart the client.
Related tasks
“Turning off case sensitivity on the Lotus Sametime Community Server” on page
25
You must turn off case sensitivity on the IBM Lotus Sametime Community Server
to allow awareness in IBM Lotus iNotes and WebSphere applications.
Basic Sametime Connect client connection process
This topic discusses the basic connection processes of the IBM Lotus Sametime
Connect client.
The Lotus Sametime Connect client connects to the Community Services on the
Lotus Sametime Community Server. Community Services supports all Sametime
presence and chat capabilities.
Settings that affect the connection process
The Sametime Connect client connection process is controlled by two groups of
settings: the Lotus Sametime Connect client Sametime Connectivity settings
(available on the client) and the Community Services Network settings (available
on the server).
v The Sametime Connect client Sametime Connectivity settings are available from
the File → Preferences → Communities command in the Sametime Connect client.
The Sametime Connectivity settings enable the Sametime Connect client to make
a direct TCP/IP connection or a direct HTTP-tunneled connection to the
Community Services. The Sametime Connectivity settings also enable Sametime
Connect clients that access the Internet or intranet through HTTP, HTTPS, or
SOCKS proxy servers to connect to the Community Services. Sametime Connect
uses the port specified in the Community port setting of the Sametime
Connectivity settings when attempting connections to the Community Services.
v The Community Services Network settings are available from the Sametime
Servers → Sametime Community Servers → deployment_name → Connectivity
settings of the Sametime System Console. The settings include the Client
connections, the HTTPS client connections, and the HTTP tunneled client
connections. These server-side settings control the IP addresses or DNS names
and the ports on which the Sametime server Community Services multiplexer
listens for Sametime Connect client connections.
Connection process
The basic connection process of the Sametime Connect client is described below.
The connection process depends on the Connection, Proxy type, and Port settings
that are selected in the Sametime Connect client Sametime Connectivity settings.
1. The user starts the Sametime Connect client.
2. The Sametime Connect client examines the values in the Host field and the
Community Port field (default 1533) of the Sametime Connect client's
Sametime Connectivity settings.
The Sametime Connect client uses the Host and Community Port values to
determine the host name and port it should use when attempting a connection
to the Sametime server.
Note: For the most efficient connectivity, the Host field of the Sametime
Connect client Sametime Connectivity settings and the "Sametime server" field
of a user's Person document should specify the same Sametime server (the
user's home Sametime server).
3. The Sametime Connect client uses the Connection setting in its Sametime
Connectivity settings to determine how to make the connection to the host
machine specified in the Sametime Connectivity settings. The possible
Connection settings are:
v Use my Internet Explorer HTTP settings
v Direct connection
v Direct connection using TLS
v Direct connection using HTTP protocol
v Use Proxy
Use my Internet Explorer HTTP settings - The connection process that occurs
when this setting is selected is described in a separate section. For more
information about these connection processes, see “Sametime Connect for the
desktop: "Use my Internet Explorer HTTP settings"” on page 142.
Direct connection - Select this setting if the Sametime Connect client can make
a direct TCP/IP connection to the Sametime server. Generally, this setting is
used when the connection does not occur through a proxy server, and the
network does not block TCP/IP connections on the port used by the Sametime
Connect client.
When this setting is selected, the Sametime Connect client attempts a
connection to the Community Services multiplexer on the Sametime server
using a unique Sametime protocol over TCP/IP. The client attempts this
connection on the "Community port" (default port 1533) specified in the
Sametime Connect client Sametime Connectivity settings.
The Community Services on the Sametime server listen for direct Sametime
protocol over TCP/IP connections on the host name and port specified in the
Community Services Network-Address for client connections-Host name and
Port settings. By default, the Community Services listen for this connection on
port 1533.
For this connection to succeed, the port setting specified in the Sametime
Connect client's Sametime Connectivity settings must match one of the ports
specified in the Client connections → Port number setting on the Sametime
server. (By default, both of these settings specify port 1533.)
This connection can fail if the connection must pass through a proxy server or
network that prevents direct TCP/IP connections on port 1533 (or other port
specified in both the Sametime Connectivity settings of the Sametime Connect
client and the Client connections → Port number setting in the Sametime
System Console).
Direct connection using TLS - Select this option if you want to connect to a
FIPS proxy.
Direct connection using HTTP protocol - Select this option if you want the
Sametime Connect client to use HTTP to establish a connection with the
Community Services, but you do not want this connection to occur through an
HTTP proxy server.
When this setting is selected, the client encases the standard Sametime protocol
connection information within an HTTP request. The Sametime Connect client
then attempts to establish an HTTP connection directly with the Community
Services multiplexer on the Sametime server. The Sametime Connect client
attempts this connection on the "Community port" specified in its Sametime
Connectivity settings.
The Community Services multiplexer can listen for HTTP-tunneled connections
on multiple ports. The Community Services multiplexer listens for
HTTP-tunneled connections on the host name and port specified in the
Community Services for client connections-Host name and Port settings of the
Sametime System Console and the host name and port specified in the
Community Services for HTTP tunneled client connections-Host name and Port
number settings of the Sametime System Console.
Note: If the administrator allows HTTP tunneling on port 80 during the
Sametime server installation, the Community Services multiplexer listens for
HTTP-tunneled connections on port 80 by default on the Community Services
→ HTTP tunneled client connections → Port number. In this scenario, the
Community Services multiplexer also listens for HTTP-tunneled connections on
port 1533 (specified in Community Services → Client connections → Port
number).
This setting is used most frequently to enable Sametime Connect clients that
operate behind restrictive firewalls without HTTP proxy servers to connect to a
Sametime server available to Internet users.
The Direct connection using HTTP protocol connectivity option is intended
primarily to support the HTTP tunneling on port 80 functionality available
with the Sametime server.
If a Sametime Connect client operates behind a firewall that allows only HTTP
connections on port 80 and the client's firewall or network environment does
not include an HTTP proxy server, select the Direct connection using HTTP
protocol setting and change the Community port setting in the Sametime
Connect client's Sametime Connectivity settings from the default of 1533 to
port 80.
The administrator must also ensure that the Port number setting under HTTP
tunneled client connections in the Community Services settings specified in
the Sametime System Console also specifies port 80. Such a configuration
should enable a Sametime Connect client operating behind a restrictive firewall
to establish a connection with an Internet Sametime server using HTTP
tunneling over port 80.
Use proxy - Selecting this option enables the Sametime Connect client to
connect through a SOCKS, HTTP, or HTTPS proxy server when establishing a
connection to the Community Services. After selecting the Use proxy
connection type, select the appropriate Proxy type in the Sametime Connect
client Sametime Connectivity options:
v Use SOCKS4 proxy
v Use SOCKS5 proxy
v Use reverse proxy
v Use HTTP proxy
Note: You can also select Use my Internet Explorer HTTP settings to
establish connections through HTTP and SOCKS proxy servers.
Use SOCKS4 proxy and Use SOCKS5 proxy - If the Sametime Connect client
connects to a SOCKS proxy server to access the Internet or intranet, you must
select the appropriate SOCKS proxy option (either Use SOCKS4 proxy or Use
SOCKS5 proxy) as the Proxy type in the Sametime Connect client's Sametime
Connectivity settings.
If you select Use SOCKS4 proxy or Use SOCKS5 proxy, you must also specify
the Host name (DNS name or IP address) of the SOCKS proxy server and the
port required to connect to the SOCKS proxy server in the Proxy server options
of the Sametime Connect client's Sametime Connectivity settings. For SOCKS5
proxies, you must also specify the user name and password required for
SOCKS5 authentication.
Sametime Connect connects to the SOCKS proxy, and the proxy server connects
to the Community Services on the Sametime server on behalf of the Sametime
Connect client. The client uses the Standard Sametime protocol over TCP/IP
for this connection. The connection from the SOCKS proxy to the Community
Services occurs on the "Community port" (default 1533) specified in the
Sametime Connect client Sametime Connectivity settings.
The Resolve server name locally setting determines whether the Sametime
server host name is resolved by the Sametime Connect client or the SOCKS4 or
SOCKS5 proxy server.
When the Resolve server name locally setting is selected, the Sametime
Connect client calls a local DNS server to resolve the Sametime server name.
The Sametime Connect client passes the IP address to the SOCKS proxy; the
SOCKS proxy does not resolve the IP address.
When Resolve server name locally is not selected, Sametime Connect does not
resolve the DNS name of the Sametime server. Sametime Connect passes the
DNS name of the Sametime server to the SOCKS proxy, and the SOCKS proxy
server calls a DNS server to resolve the server name.
Some organizations do not allow their internal DNS servers to resolve the
names of external servers for security reasons. If the DNS server is configured
in this way, users should clear the check mark from the Resolve server name
locally field. The SOCKS proxy resolves the external server name by calling a
different DNS server (which is not available on the internal network).
For a connection through a SOCKS proxy to succeed, the port specified in the
Community port field of the Sametime Connect client's Sametime Connectivity
settings must match one of the ports listed in the Community Services
Network-Address for client connections-Port number setting in the Sametime
Administration Tool or one of the ports specified in the Community Services
Network-Address for HTTP tunneled client connections-Host name and Port
number setting in the Sametime Administration Tool.
Use reverse proxy - If the Sametime client connects to a Sametime server over
the Internet through a reverse proxy server, you can select Use reverse proxy as
the Proxy type in the Sametime Connect client's Sametime Connectivity
settings. The reverse proxy server protects internal HTTP servers by providing
a single point of access to the internal network.
If Use reverse proxy is selected as the Proxy type, you must also specify the
following settings:
v The URL of the reverse proxy server. The client uses this URL to access the
reverse proxy server. The reverse proxy server handles requests from the
client and redirects the request to the Sametime server.
v The User name and Password for authenticating with the reverse proxy
server.
For information about using reverse proxy servers with Sametime servers, see
the following topics:
v Configuring mapping rules on a reverse proxy server to support Sametime
v Configuring a Sametime server to operate with a reverse proxy server
Use HTTP proxy - If the Sametime Connect client connects to an HTTP proxy
to access the Internet or intranet, you can select Use HTTP proxy as the Proxy
type in the Sametime Connect client's Sametime Connectivity settings.
If Use HTTP proxy is selected as the Proxy type, you must also specify the
Host name (DNS name or IP address) of the HTTP proxy server and the port
required to connect to the HTTP proxy server in the Proxy server options of the
Sametime Connect client Sametime Connectivity settings.
Note: If the HTTP proxy server requires authentication, the user name and
password required for authentication to the HTTP proxy server must also be
entered in the Proxy server options of the Sametime Connect client's Sametime
Connectivity settings.
When Use HTTP proxy is selected, the client encases the standard Sametime
protocol connection information within an HTTP request. Sametime Connect
connects to the HTTP proxy, and the HTTP proxy server connects to the
Community Services multiplexer on the Sametime server on behalf of the
Sametime Connect client. The HTTP connection to the Community Services
multiplexer occurs on the "Community port" (default 1533) specified in the
Sametime Connect client Sametime Connectivity settings.
The Community Services multiplexer on the Sametime server listens for HTTP
connections on all ports specified in the Port number field under Client
connections in the Community Services settings of the Sametime System
Console and HTTP tunneled client connections in the Community Services
settings of the Sametime System Console.
For this connection to succeed, the port specified as the Community port
setting in the Sametime Connect client's Sametime Connectivity settings must
match a port number specified in one of these settings in the Sametime System
Console:
v The Port number field under Client connections in the Community Services
settings of the Sametime System Console.
v The Port number field under HTTP tunneled client connections in the
Community Services settings of the Sametime System Console.
Note: If the administrator allows HTTP tunneling on port 80 during the
Sametime server installation, the Community Services → Client connections
→ Port number setting defaults to port 1533, and the Community Services →
HTTP tunneled client connections → Port number settings are ports 80 and
8082. In this configuration, the Sametime Connect client can complete an
HTTP-tunneled connection to the Community Services multiplexer using
port 1533, 80, or 8082.
Sametime Connect for the desktop: "Use my Internet Explorer
HTTP settings"
IBM Lotus Sametime Connect for the desktop follows this connection process when
the Use my Internet Explorer HTTP settings connectivity option is selected.
When the Sametime Connectivity → Use my Internet Explorer HTTP settings
option is selected, Sametime Connect for the desktop uses the proxy connectivity
settings defined in the user's Internet Explorer web browser to attempt an
HTTP-tunneled connection to the Sametime server. The connection process is as
follows:
1. The Sametime Connect client uses the web connectivity (or proxy) settings of
the web browser to establish a connection with the Community Services as
noted in the remaining steps.
2. The Sametime Connect client encases the standard Sametime protocol data
within an HTTP request and attempts to connect to the Community Services
multiplexer using HTTP. Encasing this connection protocol data within an
HTTP request is called "HTTP-tunneling."
3. Sametime Connect examines the Internet Explorer web browser connectivity
settings to attempt the HTTP-tunneled connection to the Community Services
multiplexer. If the web browser settings:
v Do not specify a proxy server - The HTTP request is sent directly to the
Community Services multiplexer on the Sametime server. This connection is
called a "direct HTTP connection."
v Specify a SOCKS proxy server - The HTTP request is sent to the
Community Services multiplexer through the SOCKS proxy server.
v Specify an HTTP proxy server - The HTTP request is sent to the Community
Services multiplexer through the HTTP proxy server.
For the HTTP-tunneled connection to succeed, the following requirements must
be satisfied:
v The Sametime Connect client's Sametime Connectivity → Community port
setting must match a port number specified in one of these Community
Services Network settings in the Sametime Administration Tool:
– Address for client connections → Port number
– Address for HTTP tunneled client connections → Port number
v All networks between the Sametime Connect client and the Sametime server
must allow HTTP connections on the port specified as the Community port
in the Sametime Connect client.
v The IP address or DNS name specified in the Host setting in the Sametime
Connect client's Sametime Connectivity settings must correspond to any IP
address or DNS name specified in the Community Services Network →
Address for HTTP tunneled client connections → Host name field. If this
field is blank, then it can correspond to any IP address or DNS name
assigned to the Sametime server instead.
Note: The Community Services Network → Network and Ports → Enable web
client to try HTTP tunneling after trying other options setting must be
enabled for the connection to succeed using the port specified in the
Community Services Network → Address for HTTP tunneled client
connections field.
4. If the HTTP-tunneled connection does not succeed, Sametime Connect for the
desktop displays an error message.
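An added example, not part of the Sametime documentation or client, covering both the connection process above and the "Use my Internet Explorer HTTP settings" process: a Python checker that takes a client's Sametime Connectivity settings and the server's Community Services Network settings and applies the port and host matching requirements stated in those two topics, so an administrator can see why a given combination will or will not connect before a user reports it. The dataclasses, the connection and proxy type strings, and the example host names are this example's own naming, not a Sametime API.

```python
"""Added example, not part of the Sametime documentation: check a Sametime
Connect client's Sametime Connectivity settings against the server's
Community Services Network settings using the port and host matching rules
described in the connection process topics. The dataclasses and the
connection/proxy type strings are this example's own naming."""
from dataclasses import dataclass
from typing import Optional, Tuple


@dataclass(frozen=True)
class ServerConnectivity:
    """Community Services settings from the Sametime System Console."""
    client_ports: Tuple[int, ...] = (1533,)   # Client connections -> Port number
    http_tunnel_ports: Tuple[int, ...] = ()   # HTTP tunneled client connections -> Port number
    http_tunnel_host: str = ""                # HTTP tunneled client connections -> Host name ("" = any)

    @staticmethod
    def tunneling_on_port_80():
        """Defaults when HTTP tunneling on port 80 was allowed at installation:
        1533 for client connections, 80 and 8082 for HTTP-tunneled connections."""
        return ServerConnectivity((1533,), (80, 8082), "")

    def tunnel_capable_ports(self):
        """The multiplexer accepts HTTP-tunneled and proxied connections on both groups."""
        return set(self.client_ports) | set(self.http_tunnel_ports)


@dataclass(frozen=True)
class ClientConnectivity:
    """Sametime Connectivity settings (File -> Preferences -> Communities)."""
    host: str
    community_port: int = 1533
    connection: str = "direct"          # direct | direct_tls | direct_http | use_proxy | ie_settings
    proxy_type: Optional[str] = None    # socks4 | socks5 | http | reverse (only with use_proxy)
    proxy_host: Optional[str] = None    # proxy host name, or the URL for a reverse proxy
    proxy_port: Optional[int] = None
    proxy_user: Optional[str] = None
    proxy_password: Optional[str] = None


def check_connection(client, server):
    """Return (ok, reason). ok is True when the documented requirements for the
    selected connection type are met by the server-side settings."""
    port = client.community_port
    if client.connection == "direct":
        # Sametime protocol over TCP/IP straight to the multiplexer: the port
        # must be one of the Client connections ports (1533 by default).
        if port in server.client_ports:
            return True, "direct TCP/IP to %s:%d" % (client.host, port)
        return False, "port %d is not a Client connections port (%s)" % (
            port, ", ".join(map(str, server.client_ports)))

    if client.connection == "direct_tls":
        return True, "direct TLS connection to a FIPS proxy (no port rule documented here)"

    if client.connection == "use_proxy" and client.proxy_type == "reverse":
        if not (client.proxy_host and client.proxy_user and client.proxy_password):
            return False, "reverse proxy needs URL, user name and password"
        return True, "via reverse proxy %s" % client.proxy_host

    tunneled = client.connection in ("direct_http", "ie_settings") or (
        client.connection == "use_proxy" and client.proxy_type in ("socks4", "socks5", "http"))
    if not tunneled:
        return False, "unknown connection %r / proxy type %r" % (client.connection, client.proxy_type)

    # HTTP-tunneled and SOCKS-relayed connections may land on either port group.
    if port not in server.tunnel_capable_ports():
        return False, "port %d matches neither Client connections nor HTTP tunneled ports (%s)" % (
            port, ", ".join(map(str, sorted(server.tunnel_capable_ports()))))

    if client.connection == "use_proxy":
        if not (client.proxy_host and client.proxy_port):
            return False, "%s proxy needs a host name and port" % client.proxy_type
        if client.proxy_type == "socks5" and not (client.proxy_user and client.proxy_password):
            return False, "SOCKS5 proxy needs a user name and password"

    if (client.connection == "ie_settings" and server.http_tunnel_host
            and client.host != server.http_tunnel_host):
        # With IE settings, the client's Host must match the HTTP tunneled host name when one is set.
        return False, "Host %s does not match HTTP tunneled client connections host %s" % (
            client.host, server.http_tunnel_host)

    label = {"direct_http": "direct HTTP tunneling",
             "ie_settings": "HTTP tunneling via Internet Explorer settings"}.get(
        client.connection, "via %s proxy" % client.proxy_type)
    return True, "%s on port %d" % (label, port)


if __name__ == "__main__":
    srv = ServerConnectivity.tunneling_on_port_80()
    for cfg in (ClientConnectivity("st.example.com"),
                ClientConnectivity("st.example.com", 80, "direct"),
                ClientConnectivity("st.example.com", 80, "direct_http")):
        print(cfg.connection, cfg.community_port, check_connection(cfg, srv))
```

The direct TCP/IP case is deliberately stricter than the tunneled cases: the text only guarantees the Client connections ports for it, whereas HTTP-tunneled, SOCKS-relayed and HTTP-proxied connections are accepted on the HTTP tunneled ports as well.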
Client connections over HTTP tunneling
This topic discusses issues that affect clients who access IBM Lotus Sametime using
HTTP-tunneled connections.
Administrators should be aware of the following issues concerning clients that
connect to the Sametime server using HTTP-tunneled connections. These issues
apply regardless of whether the server uses a single IP address or multiple IP
addresses to support the HTTP-tunneling functionality.
v Clients that do not operate behind restrictive firewalls can still make direct
TCP/IP connections. Direct TCP/IP connections operate more efficiently than
HTTP-tunneled connections, and clients automatically attempt these connections
before attempting HTTP-tunneled connections. Only clients that cannot establish
direct TCP/IP connections will attempt the HTTP-tunneled connection.
v A Sametime Connect client that operates behind a firewall that only allows
outbound connections on port 80 can connect to the Community Services using
HTTP over port 80. The following configurations are required in the Sametime
Connect client Sametime Connectivity settings for the connection to succeed:
– Change the Community port setting to port 80.
– If the client does not access the Internet through an HTTP proxy, select Direct
connection using HTTP protocol for the Connection type.
– If the client accesses the Internet through an HTTP proxy server, select Use
proxy as the Connection type. For proxy type, select Use HTTP proxy and
specify the DNS name or IP address of the HTTP proxy and the port on
which to connect to the proxy.
Note: You can also select Use my Internet Explorer HTTP settings to
establish connections to the Community Services through HTTP tunneling on
port 80. If you select this setting, you must also ensure that the Community
port setting in the Sametime Connectivity settings is set to port 80.
Note: If the HTTP port is changed manually, the port must also be changed in
the stconvservices.properties file. This is a limitation: the server does not
read the port from the Server document.
Configuring Lotus Sametime for mobile users
Configure IBM Lotus Sametime with Lotus Sametime Mobile to provide
connectivity for users with supported mobile devices.
About this task
Configuring Lotus Sametime for mobile users involves the following tasks:
Configuring the Lotus Domino server for Lotus Sametime
Mobile support
To enable support for IBM Lotus Sametime Mobile on the IBM Lotus Domino
server, you need to create a Web Site Rule document in the Domino Directory and
establish a URL redirection.
About this task
Complete the following steps to enable support for Lotus Sametime Mobile on the
Lotus Domino server.
Procedure
1. Create a Web Site Rule document in the Domino Directory and establish a URL
redirection. The URL redirection enables users to download the Lotus Sametime
Mobile application to their mobile devices using the simplified URL
http://yoursametimeserver.yourcompany.com/mobile.
a. In the Domino Directory, open the Server document for the Lotus Domino
server that hosts the Lotus Sametime Community server.
b. Click the Create Web - URL Mapping/Redirection button.
c. In the Basics tab, select URL → Redirection URL.
d. Click the Mapping tab and enter the following information:
v In the Incoming URL path field, enter /mobile/*
v In the Redirection URL string field, enter stcenter.nsf/WebMobileDownloads?OpenView
e. Click Save & Close.
2. Configure MIME type support on the Lotus Domino server.
a. With a text editor, open the file httpd.cnf, located in the Domino data
directory.
b. Add the following lines to the file at the end of the section "other
application formats" but before the section "Fallback MIME types":
AddType .jad text/vnd.sun.j2me.app-descriptor
AddType .jar application/java-archive
AddType .alx application/octet-stream
AddType .cod application/octet-stream
AddType .sisx application/octet-stream
AddType .cab application/vnd.ms-cab-compressed
AddType .cfg text/Sametime
c. Save and close the modified file.
3. Restart the HTTP task on the server.
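An added example, not from the Sametime documentation: a Python helper that applies step 2 to a Domino httpd.cnf file, inserting only the AddType lines that are missing and reporting any extension that is already mapped to a different MIME type, so re-running it on an already configured server changes nothing. The httpd.cnf excerpt is constructed, and the comment lines it uses to mark the "other application formats" and "Fallback MIME types" sections are an assumption about how the real file labels them; the .bak copy is this helper's own precaution.

```python
"""Added example, not part of the Sametime documentation: add the Lotus
Sametime Mobile MIME types to a Domino httpd.cnf the way step 2 describes,
idempotently, and report conflicting existing mappings."""
import re

# The AddType lines from step 2b, in the order the guide lists them.
MOBILE_MIME_TYPES = (
    (".jad", "text/vnd.sun.j2me.app-descriptor"),
    (".jar", "application/java-archive"),
    (".alx", "application/octet-stream"),
    (".cod", "application/octet-stream"),
    (".sisx", "application/octet-stream"),
    (".cab", "application/vnd.ms-cab-compressed"),
    (".cfg", "text/Sametime"),
)

FALLBACK_MARKER = "Fallback MIME types"

# Constructed excerpt of an httpd.cnf; the section comment lines are an
# assumption about how the real file labels its sections.
SAMPLE_HTTPD_CNF = """\
# other application formats
AddType .pdf application/pdf
AddType .zip application/zip

# Fallback MIME types
AddType .* application/octet-stream
"""

ADDTYPE_RE = re.compile(r"^\s*AddType\s+(\S+)\s+(\S+)", re.IGNORECASE)


def add_mobile_mime_types(cnf_text):
    """Return (updated_text, added_lines, conflicts).

    Missing AddType lines are inserted at the end of the section that precedes
    the "Fallback MIME types" section. Extensions already mapped are left as
    they are; if an existing mapping differs from the Sametime one it is
    reported in conflicts as (extension, existing_mime, expected_mime)."""
    lines = cnf_text.splitlines()
    fallback_at = next((i for i, line in enumerate(lines) if FALLBACK_MARKER in line), None)
    if fallback_at is None:
        raise ValueError('no "%s" section found in httpd.cnf' % FALLBACK_MARKER)

    existing = {}
    for line in lines[:fallback_at]:
        match = ADDTYPE_RE.match(line)
        if match:
            existing[match.group(1).lower()] = match.group(2)

    added, conflicts = [], []
    for ext, mime in MOBILE_MIME_TYPES:
        if ext in existing:
            if existing[ext] != mime:
                conflicts.append((ext, existing[ext], mime))
            continue
        added.append("AddType %s %s" % (ext, mime))

    # Keep the blank line(s) that separate the sections: insert above them.
    insert_at = fallback_at
    while insert_at > 0 and lines[insert_at - 1].strip() == "":
        insert_at -= 1
    lines[insert_at:insert_at] = added
    return "\n".join(lines) + "\n", added, conflicts


def update_httpd_cnf(path):
    """Apply add_mobile_mime_types to a file on disk, writing a .bak copy first."""
    with open(path, "r", encoding="utf-8") as fh:
        original = fh.read()
    updated, added, conflicts = add_mobile_mime_types(original)
    if added:
        with open(path + ".bak", "w", encoding="utf-8") as fh:
            fh.write(original)
        with open(path, "w", encoding="utf-8") as fh:
            fh.write(updated)
    return added, conflicts


if __name__ == "__main__":
    text, added, conflicts = add_mobile_mime_types(SAMPLE_HTTPD_CNF)
    print(text)
    print("added %d line(s), %d conflict(s)" % (len(added), len(conflicts)))
```

A reported conflict (for example .cfg already mapped to text/plain) is left for the administrator to resolve by hand, since overwriting an existing mapping could break another application served by the same Domino HTTP task; remember to restart the HTTP task (step 3) after the file changes.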
What to do next
After these steps are completed, the Lotus Sametime Community server can be
used with the Sametime Mobile client; however, before allowing users to download
Lotus Sametime Mobile, you should provision the client with appropriate server
details. This simplifies the user experience and prevents the user from entering
incorrect connectivity details.
Configuring Sametime on the iPhone device
Provide your users with the following steps to run IBM Lotus Sametime on the
iPhone device.
Before you begin
The Lotus Sametime iPhone client runs within a client's browser session, and is
hosted on a Lotus Sametime Proxy server. For more information on installing the
Lotus Sametime Proxy Server, see Installing a Lotus Sametime Proxy Server.
Users in your deployment must have JavaScript enabled on the iPhone to use the
Sametime iPhone client. From the iPhone home screen, go to Settings -> Safari,
and toggle the JavaScript preference to ON under the Security section.
Procedure
1. Start the Safari browser.
2. Go to the Lotus Sametime login page by entering the following URL, replacing
serverhostname.domain:port with the fully qualified domain name and port of the
Sametime Proxy Server.
http://serverhostname.domain:port/stwebclient/iphone_index.jsp
The default value for port is 9080, or 9043 if SSL has been deployed.
Loading Sametime the first time takes a little longer than usual, depending on
your connection speed. Subsequent loads of Sametime will be faster, since
much of the Sametime application is stored locally on the device after that first
load.
3. Now add a Sametime icon to your desktop, which allows you to start
Sametime from the home screen. From the Sametime login page, select Add to
Home Screen on the Safari menu, then click Add in the upper right of the
screen.
What to do next
Point your users to the following video to get them started with the Sametime
iPhone client: Video: Using Lotus Sametime on iPhone (8.5).
Configuring Sametime Mobile for client downloads
Configure IBM Lotus Sametime Mobile support on an IBM Lotus Sametime
Community server.
Before you begin
These instructions assume that you do not use the IBM Lotus Sametime Enterprise
Meeting Server in your Sametime deployment. If you use the Enterprise Meeting
Server, proceed to the topic Configuring Sametime Mobile for client downloads in
the Lotus Sametime Enterprise Meeting Server help instead.
Note: Sametime Mobile does not support meeting features.
About this task
Sametime provides three options for connecting mobile devices to the Lotus
Sametime Community server:
v Connect with a Virtual Private Network (VPN) such as IBM Lotus Mobile
Connect or RIM BlackBerry Enterprise Server Mobile Data Services (MDS).
This connection model provides end-to-end connectivity from the device into the
corporate intranet, allowing for applications to access intranet resources securely.
Sametime Mobile accesses the server, and the intranet, in the same manner as
any other application installed on the device. This is typically the most flexible
approach because it allows the client to use a variety of applications that may
be hosted on the corporate intranet.
v Connect with an authenticating HTTP proxy, such as IBM HTTP Server or
Apache HTTP Server.
The Sametime Mobile client supports connecting through a standard web proxy
that issues HTTP 401 or 407 authentication challenges using HTML form-based or
Basic authentication (Digest authentication is not supported at this time). The
reverse proxy server must use cookies for authentication. This setup typically
places the HTTP proxy in the demilitarized zone (DMZ) of the network, with port
80 opened to the Internet and another port opened from the proxy to the back-end
application. For more information on configuring IBM HTTP Server as an
authenticating proxy, see the IBM WebSphere information center at
http://publib.boulder.ibm.com/infocenter/wasinfo/v7r0/index.jsp.
It is recommended that the server be configured with a valid SSL certificate
obtained from a trusted and well-known supplier; mobile devices support a
variety of root certificates, and most reputable certificate providers function with
these devices (self-signed SSL certificates are typically not usable with mobile
devices). In addition, most mobile devices must have their time and date set
properly to work with SSL-secured servers.
v Connect with a direct connection from the client to the server.
By default, Sametime Mobile clients communicate with the Lotus Sametime
Community server over port 8082, using the Sametime Links protocol and
128-bit encryption. Sametime Links is also accessible over the standard Sametime
client port of 1533, and optionally port 80 if HTTP Tunneling is enabled.
Appropriate firewall rules should be enabled to allow traffic to pass through on
the selected port.
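The authenticating-proxy option above is easiest to get wrong at the edge, because a Basic-authentication challenge on the plain port 80 exposes user names and passwords (base64 is not encryption). The following Apache HTTP Server 2.2-style configuration is an added example, not part of the Sametime guide or of the product: port 80 is exposed only to redirect to HTTPS, the 401 Basic challenge is issued only inside the TLS virtual host, and the proxy forwards to a single back-end port. The host names proxy.example.com and sametime.example.com, the certificate and password-file paths, and the use of 8082 as the back-end port are assumptions for illustration; the port your Community server actually accepts depends on how Sametime Links and HTTP tunneling are configured.

```apache
# Added example (not part of the Sametime guide): Apache HTTP Server 2.2-style
# reverse proxy in the DMZ that authenticates Sametime Mobile users.
# Assumed names: proxy.example.com is the public proxy, sametime.example.com is
# the Community server, and 8082 is the Sametime Links port the text above gives
# as the mobile client's default. Requires mod_ssl, mod_proxy, mod_proxy_http,
# mod_rewrite, mod_auth_basic and mod_authn_file to be loaded.

Listen 80
Listen 443

# Port 80 is open to the Internet only to send devices to HTTPS.
<VirtualHost *:80>
    ServerName proxy.example.com
    RewriteEngine On
    RewriteRule ^/(.*)$ https://proxy.example.com/$1 [R=301,L]
</VirtualHost>

# WEAK (do not deploy): issuing the 401 Basic challenge on port 80 sends the
# user name and password base64-encoded, i.e. readable, across the Internet.
# <VirtualHost *:80>
#     <Location />
#         AuthType Basic
#         AuthUserFile /etc/httpd/conf/sametime.htpasswd
#         Require valid-user
#     </Location>
#     ProxyPass / http://sametime.example.com:8082/
# </VirtualHost>

<VirtualHost *:443>
    ServerName proxy.example.com
    SSLEngine on
    # Certificate and chain from a well-known CA; devices reject self-signed certificates.
    SSLCertificateFile      /etc/httpd/ssl/proxy.example.com.crt
    SSLCertificateKeyFile   /etc/httpd/ssl/proxy.example.com.key
    SSLCertificateChainFile /etc/httpd/ssl/ca-chain.crt
    SSLProtocol all -SSLv2 -SSLv3

    # Reverse proxy only: never act as an open forward proxy from the DMZ.
    ProxyRequests Off
    ProxyPreserveHost On

    <Location />
        # HTTP 401 challenge with Basic authentication; Digest is not supported
        # by the Sametime Mobile client. Credentials are protected by TLS here.
        AuthType Basic
        AuthName "Sametime"
        AuthBasicProvider file
        AuthUserFile /etc/httpd/conf/sametime.htpasswd
        Require valid-user
        Order deny,allow
        Allow from all
    </Location>

    # The only connection opened inward from the DMZ is proxy -> back end.
    ProxyPass        / http://sametime.example.com:8082/
    ProxyPassReverse / http://sametime.example.com:8082/
</VirtualHost>
```

The file-based user store is for illustration only; in a real DMZ the proxy would normally authenticate against the corporate LDAP directory (mod_authnz_ldap) so that users present their directory credentials rather than a second password. Keep the firewall rule from the DMZ to the intranet limited to the single proxy-to-back-end port.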
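The certificate caveat in the proxy option above (CA-issued rather than self-signed, chain trusted, validity dates that a device with a correct clock will accept) can be checked from an administrator's workstation before any device is pointed at the proxy. The following POSIX shell script is an added example and not part of the Sametime product or guide; it assumes openssl(1) is installed and that the workstation's trust store is a reasonable stand-in for the root certificates shipped on the mobile devices (a stricter check would verify against the device vendor's CA bundle).

```sh
#!/bin/sh
# Added example (not part of the Sametime guide): sanity-check the SSL
# certificate the DMZ proxy presents to mobile devices.
# Assumptions: openssl(1) is installed; the argument is host:port of the proxy.
# Mobile devices reject self-signed certificates and certificates that are not
# yet valid or already expired, so the checks are: issuer differs from subject,
# the chain verifies against the local trust store, and at least MIN_DAYS of
# validity remain.
MIN_DAYS="${MIN_DAYS:-30}"

# Fetch the server's leaf certificate as PEM into the file named by $2.
fetch_cert() {
    printf '' | openssl s_client -connect "$1" -servername "${1%%:*}" 2>/dev/null \
        | openssl x509 -outform PEM > "$2"
}

# Return 0 if the certificate in $1 is self-signed (issuer equals subject).
cert_is_self_signed() {
    issuer=$(openssl x509 -in "$1" -noout -issuer)
    subject=$(openssl x509 -in "$1" -noout -subject)
    [ "${issuer#issuer=}" = "${subject#subject=}" ]
}

# Return 0 if the certificate in $1 is still valid $2 days from now.
cert_valid_for_days() {
    openssl x509 -in "$1" -noout -checkend $(( $2 * 86400 )) >/dev/null
}

# Combined verdict for a PEM file; prints one line per failed check.
check_cert_file() {
    rc=0
    if cert_is_self_signed "$1"; then
        echo "FAIL: self-signed certificate; mobile devices will not trust it"; rc=1
    fi
    if ! openssl verify "$1" >/dev/null 2>&1; then
        echo "FAIL: chain does not verify against the local trust store"; rc=1
    fi
    if ! cert_valid_for_days "$1" "$MIN_DAYS"; then
        echo "FAIL: certificate is invalid or expires within $MIN_DAYS days"; rc=1
    fi
    return $rc
}

# Fetch and check the certificate of host:port given in $1.
check_server() {
    tmp=$(mktemp) || return 2
    if ! fetch_cert "$1" "$tmp"; then
        rm -f "$tmp"; echo "could not fetch certificate from $1" >&2; return 2
    fi
    check_cert_file "$tmp"; rc=$?
    rm -f "$tmp"
    return $rc
}

# Usage: sh check_proxy_cert.sh proxy.example.com:443
if [ $# -eq 1 ]; then
    check_server "$1"
fi
```

Run it against the public name the devices will use, not an internal alias, so that the host name in the certificate is exercised the same way the devices see it.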
Follow the instructions below to configure Sametime Mobile for client downloads.
Procedure
1. Start the Lotus Sametime Community server and log in.
2. Fill in configuration information for the mobile devices supported in your
environment by completing the following steps:
a. Click Administer the server.
b. Expand Configuration and under it, click Sametime Mobile. The
Configuration - Sametime Mobile page displays a link for each supported
mobile device.
c. Click the link that represents a device you want to configure.
d. Enter the appropriate configuration information for your device.
The devices supported with the current release of Lotus Sametime Mobile
are listed below this topic; refer to the appropriate device for additional
configuration details.
e. Click Update to save your changes.
What to do next
The following mobile devices are supported with this release of Lotus Sametime
Mobile:
Microsoft Windows Mobile 5 and 6
Configure IBM Lotus Sametime Mobile support for Microsoft Windows Mobile 5
and Microsoft Windows Mobile 6 devices.
These configuration steps provision information for users of the following mobile
devices. The steps are optional but highly recommended. The settings affect
both the Windows Mobile MIDP client and the new Unified Communications
and Collaboration (UCC) Windows Mobile client.
v Microsoft Windows Mobile 6 Standard
v Microsoft Windows Mobile 6 Professional
v Microsoft Windows Mobile 5 Pocket PC
v Microsoft Windows Mobile 5 Smartphone
Hint for user's first time login
Enter a user name suffix, for example an email suffix such as @acme.com.
During login, the User name field displays this suffix as a default value, so
that users need only add their names before the suffix.
Sametime server name
Enter the fully qualified host name of the Lotus Sametime Community
server that mobile devices will connect to by default; for example,
sametime.acme.com.
Port
Enter the default port used to connect to the specified Lotus Sametime
Community server.
Proxy connection
Select this setting if mobile users will connect to the Lotus Sametime
Community server through a proxy server. If you enable a proxy
connection, you must enter a valid proxy URL in the field that follows.
Proxy URL
Enter the URL for the proxy server that will connect Sametime Mobile
users to the Lotus Sametime Community server.
Use Sametime Connect user ID and password
Select this option if you want Sametime Mobile users to connect to the Lotus
Sametime Community server with their IBM Lotus Sametime Connect user
name and password.
Nokia Eseries
Configure IBM Lotus Sametime Mobile support for Nokia Eseries devices.
The following configuration steps provision information for users of Nokia Eseries
mobile devices. These steps are optional but highly recommended.
Hint for user's first time login
Enter a user name suffix, for example an email suffix such as @acme.com.
During login, the User name field displays this suffix as a default value, so
that users need only add their names before the suffix.
Sametime server name
Enter the fully qualified host name of the Lotus Sametime Community
server that mobile devices will connect to by default; for example,
sametime.acme.com.
Port
Enter the default port used to connect to the specified Lotus Sametime
Community server.
Proxy connection
Select this setting if mobile users will connect to the Lotus Sametime
Community server through a proxy server. If you enable a proxy
connection, you must enter a valid proxy URL in the field that follows.
Proxy URL
Enter the URL for the proxy server that will connect Sametime Mobile
users to the Lotus Sametime Community server.
Use Sametime Connect user ID and password
Select this option if you want Sametime Mobile users to connect to the
Sametime server with their IBM Lotus Sametime Connect user name and
password.
RIM BlackBerry 9000 and 9530 Series
Configure IBM Lotus Sametime Mobile support for RIM Blackberry 9000, and 9530
Series devices.
The following configuration steps provision information for users of RIM
BlackBerry 9000 and 9530 Series mobile devices. A BES server is currently required
to provision these settings through the BES IT Policy. These steps are optional but
highly recommended.
Hint for user's first time login
Enter a user name suffix, for example an email suffix such as @acme.com.
During login, the User name field displays this suffix as a default value, so
that users need only add their names before the suffix.
Sametime server name
Enter the fully qualified host name of the Lotus Sametime Community
server that mobile devices will connect to by default; for example,
sametime.acme.com.
Specify the connection
Select one of the following connection types:
v BES MDS Connection Service: Select this setting to establish a
connection using the Blackberry Enterprise Server. If you use a BES
connection, you must set up automatic provisioning using the Automate
provisioning of devices with BES: setting described below.
v Direct connection: Select this setting to establish a direct connection
using the HTTP port.
v Proxy connection: Select this setting if mobile users will connect to the
Lotus Sametime Community server through a proxy server. If you
enable a proxy connection, you must enter a valid proxy URL in the
field that follows:
– Proxy URL: Enter the URL for the proxy server that will connect
Sametime Mobile users to the Lotus Sametime Community server.
– Use Sametime Connect user ID and password: Select this option if
you want Sametime Mobile users to connect to the Lotus Sametime
Community server with their IBM Lotus Sametime Connect user
name and password instead of using the device's proxy user name
and password.
Automate provisioning of devices with BES
A Blackberry Enterprise Server (BES) is required to provision the Sametime
Mobile client with this information. Follow the on-screen instructions to
generate an IT Policy string and copy it to the BES server. The BES
documentation provides further information on generating a custom "IT
Policy Rule" named "SametimeMobile" with a "Multiline String" value
copied from this text field. If a BES server is not being used, the BlackBerry
client is still fully functional, but each user will need to configure the
appropriate information for server name, proxy, ports, and so on.
Sony Ericsson M600/P900/P1i Series
Configure IBM Lotus Sametime Mobile support for Sony Ericsson M600, P900, and
P1i devices.
The following configuration steps provision information for users of Sony Ericsson
M600, P900, and P1i mobile devices. These steps are optional but highly
recommended.
Hint for user's first time login
Enter a user name suffix, for example an email suffix such as @acme.com.
During login, the User name field displays this suffix as a default value, so
that users need only add their names before the suffix.
Sametime server name
Enter the fully qualified host name of the Lotus Sametime Community
server that mobile devices will connect to by default; for example,
sametime.acme.com.
Port
Enter the default port used to connect to the specified Lotus Sametime
Community server.
Proxy connection
Select this setting if mobile users will connect to the Sametime server
through a proxy server. If you enable a proxy connection, you must enter a
valid proxy URL in the field that follows.
Proxy URL
Enter the URL for the proxy server that will connect Sametime Mobile
users to the Lotus Sametime Community server.
Use Sametime Connect user ID and password
Select this option if you want Sametime Mobile users to connect to the
Sametime server with their IBM Lotus Sametime Connect user name and
password.
Configuring a Lotus Sametime Proxy Server
Configure connection settings to enable the IBM Lotus Sametime Proxy Server to
communicate with other servers in the deployment.
Configuring connectivity
Configure connectivity from the IBM Lotus Sametime Proxy Server to the Lotus
Sametime Community Server and Lotus Sametime Meeting Server. Connect to a
business card server, set up click-to-call, a FIPS server, and clustering.
Configuring connectivity to a Sametime Community Server
By default, the IBM Lotus Sametime Proxy server works with an entire Lotus
Sametime community, but you can optionally configure it to work with one or
more clusters of IBM Lotus Sametime Community Servers instead.
Before you begin
Before completing this task, ensure that Lotus Sametime Community server is
configured correctly.
About this task
Complete the following steps to connect the Lotus Sametime Proxy server to the
Lotus Sametime Community server.
For information on connecting the Lotus Sametime Proxy Server to an 8.0.2 Lotus
Sametime Community Server, see Configuring Sametime 8.5.1 Media and Proxy
Servers with an 8.0.2 Community Server using Sametime System Console in the
Sametime wiki.
Procedure
1. Log in to the Sametime System Console with administrator privileges.
Example: https://yourserver.com:8701/ibm/console
2. Expand the Sametime System Console twistie.
3. Select Sametime Proxy Servers
4. Select the Deployment Name for the Sametime Proxy Server deployment you
wish to configure.
5. Enter the name of the Lotus Sametime Community cluster. Separate cluster
names with commas.
For example: CN=abc/O=ABC,CN=efg/O=EFG
This field designates which Lotus Sametime Community Server or cluster will
be connected to the current Lotus Sametime Proxy Server in a distributed
environment. You can choose to leave this field empty in the following
situations:
v You want to connect to all Lotus Sametime Community Servers
simultaneously
v You only have one Lotus Sametime Community Server deployed
v You only have one Lotus Sametime Community Server cluster deployed
6. Click Apply.
Configuring connectivity to a Sametime Meeting Server
Connecting the Lotus Sametime Proxy server to a Sametime Meeting server allows
browser clients to log in to a Community Server and authenticate automatically
with Meeting servers.
Before you begin
Configure Single Sign-On (SSO) between the meeting server and the Community
Server (either Lotus Sametime Community Server or Lotus Sametime Standard)
that this Lotus Sametime Proxy Server will connect to.
About this task
Complete the following steps to connect the Lotus Sametime Proxy server to a
meeting server.
Procedure
1. Log in to the Sametime System Console with administrator privileges.
Example: https://yourserver.com:8701/ibm/console
2. Click Sametime System Console → Sametime Proxy Servers.
3. Select the Deployment Name for the Sametime Proxy Server deployment you
are configuring.
4. Select the type of meeting server to which the Lotus Sametime Proxy server
will connect.
The Lotus Sametime Proxy server can connect to any of the following meeting
servers:
v Lotus Sametime Classic Server (for releases of Sametime 8.5 and higher that
are using classic-style meetings hosted on an older Sametime server)
v Lotus Sametime Standard server (used in releases prior to Lotus Sametime
8.5)
v Lotus Sametime Enterprise Meeting Server (used for clustering meeting
servers in releases prior to Lotus Sametime 8.5)
v Lotus Sametime Meeting Server (for releases of Sametime 8.5 and higher)
5. (Optional) Enable SSL.
6. Enter the fully qualified host name of the meeting server that you selected
above.
For example: sametime_meeting.example.com
7. Enter the port number for that meeting server.
If you choose the Sametime Classic Meeting server, the host name and port fields
are grayed out because the same fully qualified host name and port are used as
for the Lotus Sametime Community server.
8. Click Apply.
Related concepts
“Authentication by token using the Domino Single Sign-On (SSO) feature” on page
354
The Domino Single Sign-On (SSO) feature must be enabled on the Sametime
server. This feature creates Lightweight Third Party Authentication (LTPA) tokens
that enable web browser users to log in a single time to access multiple Sametime,
Domino, or IBM WebSphere servers that are in the same DNS domain. This
capability is called "single sign-on."
Configuring Lotus Connections as the business card server
By default, the IBM Lotus Sametime Proxy Server retrieves business card
information from the Lotus Sametime Community Server. You can configure the
connection to use a Lotus Connections server instead by completing the tasks
below.
About this task
Note: This feature requires the use of Lotus Connections 2.5.0.1 or later. The
binding between Lotus Sametime users and Lotus Connections users is based on
email address, so email addresses need to be enabled on the Lotus Connections
server.
Setting up business cards on the Lotus Sametime Community
Server
Enable the business cards feature on the IBM Lotus Sametime Community Server.
Procedure
1. On the Lotus Sametime System Console, click Sametime Servers → Sametime
Community Server.
2. In the Sametime Community Servers list, click the deployment name of the
server with the business card information that you want to add or change.
3. Click the Business Card tab.
4. Add "Email address" to the business card:
a. Locate Email address in the "Select" list under the "User information"
section.
b. Click Email address, and then click Add->> to add it to the "Selected" list.
c. Move down to the attributes table.
d. Locate "Email address" in the "Attribute Name" column.
e. In the corresponding "Attribute value" column, enter the name of the email
field in the LDAP directory that is registered with the Lotus Sametime System
Console.
For example, if the "email" field in the LDAP uses "InternetAddress" then
that is the value you enter here.
f. Click the Update button.
5. Click OK.
Selecting Lotus Connections as the business card server
Configure the IBM Lotus Sametime Proxy Server to use a Lotus Connections server
as the business card provider.
Procedure
1. Log in to the Lotus Sametime System Console with administrator privileges.
Example: https://yourserver.com:8701/ibm/console
2. Click Sametime System Console → Sametime Proxy Servers.
3. Click the Lotus Sametime Proxy Server's link to open its Configuration page.
4. Under "General Properties" navigate to the "Business card server" section.
5. Click Lotus Connections Server and enter the server's address.
The address for a Lotus Connections Profile server typically looks like this:
http://connections_server.example.com/profiles
6. Click OK, and then click Apply.
Setting up click-to-call
Click-to-call enables users of the IBM Lotus Sametime Web Client and Meeting
Room clients to make calls if the administrator has configured a telephony
conferencing server.
Before you begin
Before completing this task, ensure that your telephony conferencing server is
configured correctly. If you will use Lotus Sametime Unified Telephony, make sure
the following tasks have been completed before attempting to create the connection
as described in this topic:
1. Install the Lotus Sametime Unified Telephony API on the Telephony
Application Server (for information, see the Lotus Sametime Unified Telephony
API Guide).
2. Configure LDAP access for the API on the Lotus Sametime Unified Telephony
server (for information, see the Lotus Sametime Unified Telephony API Guide).
3. Configure Web Single Sign-On (SSO) between the Lotus Sametime Unified
Telephony server and the Lotus Sametime Community Server.
4. Import the SSL certificate from the Lotus Sametime Unified Telephony server
into the Lotus Sametime Proxy Server's Cell truststore.
About this task
Complete the following steps to connect the IBM Lotus Sametime Proxy server to
the telephony conferencing server.
Procedure
1. Log in to the Sametime System Console with administrator privileges.
Example: https://yourserver.com:8701/ibm/console
2. Expand the Sametime System Console twistie.
3. Select Sametime Proxy Servers
4. Select the Deployment Name for the Sametime Proxy Server deployment you
wish to configure.
5. Select a telephony service:
v No telephony (default)
v Enable TCSPI (Telephony Control Service Provider Interface)
v Enable Sametime Unified Telephony
If using Lotus Sametime Unified Telephony, enter the Host name and Port
(9080 is the default) of the Telephony Application Server.
6. Enable Secure Sockets Layer (SSL) encryption by clicking Enable SSL.
Note: This step is required when you use Lotus Sametime Unified Telephony.
7. Click OK, and then click Apply.
8. Restart the server if you are using Lotus Sametime Unified Telephony.
Clustering Lotus Sametime Proxy Servers
Configuring a cluster of IBM Lotus Sametime Proxy Servers involves several tasks,
including synchronizing system clocks, configuring the cluster settings, and
optionally deploying an IBM Load Balancer in front of the cluster.
Before you begin
You can create two types of clusters:
v A Vertical cluster resides on the Primary node and includes two or more cluster
members, which run the same application.
v A Horizontal cluster includes a Primary node plus one or more Secondary
nodes, all running the same application. Each node contains one cluster member.
Before you can configure a cluster of Lotus Sametime Proxy Servers, you must
have installed the following servers:
1. Lotus Sametime System Console
This server will function as the cluster's Deployment Manager; the console
can function as the Deployment Manager for multiple clusters.
Attention: Each Deployment Manager (including the Sametime System
Console when it is used as a Deployment Manager) can support one cluster
of each Sametime product. For example, a single Deployment Manager can
support a Sametime Proxy server cluster, a Media Manager cluster, and a
Meeting server cluster. If you want to create additional clusters for a
particular product, you must deploy additional Deployment Managers.
2. Lotus Sametime Community Server
At least one Lotus Sametime Community Server must be deployed to
provide presence and awareness for users attending online meetings.
3. One Lotus Sametime Proxy Server installed with the Network Deployment →
Primary Node option.
Every cluster requires exactly one Primary Node. The application server on
the Primary Node will function as the cluster's application template. All
other application servers in the cluster (nodes and cluster members) will be
duplicated from the Primary Node's application server. The Primary node's
application server can only belong to one cluster. The Primary Node can be
used as a container for additional cluster members when creating a vertical
cluster (multiple cluster members on the same physical system).
4. (Horizontal cluster only) One or more Lotus Sametime Proxy Servers
installed with the Network Deployment → Secondary Node option.
Secondary nodes are used to horizontally scale your cluster across multiple
physical systems. These additional nodes act as containers for additional
cluster members, which can be used to balance loads and provide
failover within the cluster. During the clustering process, you can deploy
additional product application servers on any Secondary Nodes within the
cluster, creating a horizontal cluster.
About this task
There are several tasks involved in creating a cluster; complete them in the
sequence shown here:
Setting clocks on the servers to be clustered
Synchronize the system clocks on the servers that you will cluster in an IBM
WebSphere Application Server network deployment.
About this task
This task is required to ensure that the servers can be federated to the Deployment
Manager during creation of the cluster. Working on the Lotus Sametime System
Console, complete this task for every server that you will add to the cluster.
Procedure
For each server that will be added to the cluster, set the system clock to exactly the
same time as the Deployment Manager's (the Lotus Sametime System Console)
system clock. In practice, pointing all of the servers at the same NTP time source
is the reliable way to keep them synchronized; the time-limited LTPA tokens used
for single sign-on between the servers depend on the same synchronization.
Clustering Sametime servers running on WebSphere Application
Server
Use the IBM Lotus Sametime System Console to create a cluster of Lotus Sametime
Servers hosted on IBM WebSphere Application Server. The Lotus Sametime servers
must all be running the same type of server; for example, Lotus Sametime Meeting
Server, Lotus Sametime Proxy Server, Lotus Sametime Media Manager Conference
Manager, or Lotus Sametime Media Manager SIP Proxy and Registrar.
Before you begin
Start the Lotus Sametime System Console and the servers you intend to cluster.
Note: This guided activity is only for Lotus Sametime servers hosted on IBM
WebSphere Application Server, and does not apply to the Lotus Sametime
Community Server.
About this task
Multiple product clusters are not supported on a single computer; however,
vertical clusters (all cluster members installed on the Primary Node) are supported
when each product cluster is on a dedicated computer. A horizontal cluster is
defined as a cluster with each cluster member having a dedicated computer (one
on the Primary Node and one on each Secondary Node).
If you have not already opened the Cluster WebSphere Application Servers guided
activity, follow these steps:
Procedure
1. From a browser, enter the following URL, replacing serverhostname.domain with
the fully qualified domain name of the Lotus Sametime System Console server.
http://serverhostname.domain:8700/ibm/console
The console is also reachable over SSL on port 8701
(https://serverhostname.domain:8701/ibm/console), the form used in the other
examples in this chapter; prefer it so that the administrative password does not
cross the network in clear text.
2. Enter the WebSphere Application Server User ID and password that you
created when you installed the Lotus Sametime System Console.
3. Click the Sametime System Console task to open it in the navigation tree.
4. Click Guided Activities → Cluster WebSphere Application Servers.
Guided activity: Clustering Sametime servers running on WebSphere
Application Server:
This guided activity takes you through the steps for clustering IBM Lotus
Sametime servers hosted on IBM WebSphere Application Server. The servers you
add to the cluster must all be running the same Lotus Sametime product
application; for example, Lotus Sametime Meeting Server, Lotus Sametime Proxy
Server, Lotus Sametime Media Manager Conference Manager, or Lotus Sametime
Media Manager SIP Proxy and Registrar.
Before you begin
1. Install the Lotus Sametime System Console and two or more Lotus Sametime
servers of the same product type; then start the Lotus Sametime System
Console and all of the servers you plan to cluster.
This guided activity applies to the following Lotus Sametime servers:
v Lotus Sametime Proxy Server
v Lotus Sametime Meeting Server
v Lotus Sametime Media Manager
Clustering is not available for the Packet Switcher; it is also not available for
an "All Components" installation of the Media Manager, which includes the
Packet Switcher. The Conference Manager components and the SIP Proxy
and Registrar components must be installed and clustered on dedicated
computers.
2. Run the backupConfig utility for the Deployment Manager, the Primary Node,
and any Secondary Nodes before beginning the cluster guided activity. The
utility is located in the bin folder under the profile of each server. The utility
automatically shuts down any running servers in the profile, so you must
restart the servers after running the utility. Use the restoreConfig utility to
restore the configuration if the changes need to be undone. For more
information on backupConfig and restoreConfig, see the WebSphere
Application Server Information Center.
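Step 2 is usually scripted rather than typed once per profile. The following POSIX shell script is an added example, not part of the Sametime guide or of WebSphere: it runs backupConfig for the Deployment Manager profile, the Primary Node profile and any Secondary Node profile directories given as arguments, restarts the servers that the utility stopped, and restricts access to the archives (which contain the cell's LTPA keys and encoded passwords). The profile names STSCDmgrProfile and STPAppProfile, the server name STProxyServer, the install root and the backup directory are assumptions; substitute those of your installation. The administrative credentials are read from the environment because backupConfig requires them when administrative security is enabled.

```sh
#!/bin/sh
# Added example (not part of the Sametime guide or of WebSphere): back up the
# configuration of every profile that will take part in the cluster before
# starting the "Cluster WebSphere Application Servers" guided activity.
# Assumptions, adjust to your installation:
#   WAS_ROOT         WebSphere install root that holds the profiles directory
#   DM_PROFILE       profile of the Deployment Manager (the System Console)
#   PRIMARY_PROFILE  profile of the Primary Node (Sametime Proxy Server)
#   SERVER_NAME      application server name on the nodes (STProxyServer is a guess)
#   ADMIN_USER/ADMIN_PASS  WebSphere administrative credentials, taken from the
#                    environment; backupConfig needs them when admin security is on
WAS_ROOT="${WAS_ROOT:-/opt/IBM/WebSphere/AppServer}"
DM_PROFILE="${DM_PROFILE:-STSCDmgrProfile}"
PRIMARY_PROFILE="${PRIMARY_PROFILE:-STPAppProfile}"
SERVER_NAME="${SERVER_NAME:-STProxyServer}"
BACKUP_DIR="${BACKUP_DIR:-/var/backups/was}"
ADMIN_USER="${ADMIN_USER:-wasadmin}"

# Backup archive path for a profile directory: <BACKUP_DIR>/<profile>-<stamp>.zip
# $1 = profile directory, $2 = optional timestamp (defaults to now)
backup_file_name() {
    profile=$(basename "$1")
    stamp="${2:-$(date +%Y%m%d-%H%M%S)}"
    printf '%s/%s-%s.zip\n' "$BACKUP_DIR" "$profile" "$stamp"
}

# Back up one profile and restart what backupConfig stopped.
# $1 = profile directory; $2 = server to restart ("" for the Deployment Manager)
backup_profile() {
    profile_dir="$1"; server="$2"
    file=$(backup_file_name "$profile_dir")
    mkdir -p "$BACKUP_DIR" && chmod 700 "$BACKUP_DIR"
    # Without -nostop the utility stops every server in the profile first, which
    # gives a consistent snapshot; the restart below is therefore mandatory.
    "$profile_dir/bin/backupConfig.sh" "$file" \
        -username "$ADMIN_USER" -password "$ADMIN_PASS" || return 1
    [ -s "$file" ] || { echo "empty backup for $profile_dir" >&2; return 1; }
    # The archive holds LTPA keys and XOR-encoded passwords: owner-only access.
    chmod 600 "$file"
    echo "$profile_dir -> $file"
    if [ -n "$server" ]; then
        "$profile_dir/bin/startServer.sh" "$server"
    else
        "$profile_dir/bin/startManager.sh"
    fi
}

# Back up the Deployment Manager, the Primary Node and each Secondary Node
# profile directory given on the command line.
run_all() {
    : "${ADMIN_PASS:?export ADMIN_PASS before running; do not pass it as an argument}"
    backup_profile "$WAS_ROOT/profiles/$DM_PROFILE" "" || return 1
    backup_profile "$WAS_ROOT/profiles/$PRIMARY_PROFILE" "$SERVER_NAME" || return 1
    for node_profile in "$@"; do
        backup_profile "$node_profile" "$SERVER_NAME" || return 1
    done
}

# Usage: sh backup_before_cluster.sh /opt/IBM/WebSphere/AppServer/profiles/STPAppProfile2 ...
# Runs only when a WebSphere installation is actually present, so the file can
# also be sourced for its functions.
if [ -x "$WAS_ROOT/profiles/$DM_PROFILE/bin/backupConfig.sh" ]; then
    run_all "$@"
fi
```

Keep the resulting archives off the cluster hosts; with them and restoreConfig anyone can recreate the cell, including its LTPA keys, elsewhere.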
About this task
Multiple product clusters are not supported on a single computer; however,
vertical clusters (all cluster members installed on the Primary Node) are supported
when each product cluster is on a dedicated computer. A horizontal cluster is
defined as a cluster with each cluster member having a dedicated computer (one
on the Primary Node and one on each Secondary Node).
Note that you cannot use this activity to cluster Lotus Sametime Community
Servers (see "Clustering Lotus Sametime Community Servers") or Lotus Sametime
Gateway servers (see "Installing Lotus Sametime Gateway servers in a cluster").
Configure a cluster of one type of product server to improve performance with
high availability, and to provide failover. You can create a horizontal cluster in
which each node is hosted on a separate computer, as well as a vertical cluster
with multiple cluster members hosted on the Primary Node.
These instructions generally assume that you will use the Lotus Sametime System
Console as the cluster's Deployment Manager, which provides a single Integrated
Solutions Console for all WebSphere administrative functions for all servers
participating in the cell – this simplifies the administrative experience. If you create
clusters for both Lotus Sametime Proxy Server and Lotus Sametime Meeting
Server, then at least one of those clusters will require a dedicated Deployment
Manager; this is only true when you deploy both types of clusters.
Procedure
1. Cluster WebSphere Application Servers.
Click Next to begin the clustering activity.
2. Select Product to Cluster.
Select the product server to cluster, and then click Next.
The list only displays Lotus Sametime products for which one or more servers
have been installed and registered with the Lotus Sametime System Console. If
you installed servers using deployment plans, they are registered with the
console automatically. If you did not use a deployment plan, you must
manually register the servers with the console before proceeding (see
"Registering servers with the Lotus Sametime System Console").
3. Select or Create a Cluster.
To create a cluster or upgrade a cluster:
a. Click Create Cluster if you are setting up a new cluster, or click Upgrade
Existing Cluster.
b. Type a descriptive name for the cluster in the Cluster Name field.
For example, if you are creating a cluster of Lotus Sametime Meeting
Servers, you will probably want to indicate that in the cluster name so you
can easily identify it later.
c. Click Next.
To modify an existing cluster; for example, to add a new cluster member:
a. Click Select Existing Cluster.
b. Select a cluster in the Cluster Name list.
If you are going to add a node or cluster member to the cluster, you must
use the same Lotus Sametime product. For example, you cannot add a
Lotus Sametime Meeting Server cluster member to a cluster of Lotus
Sametime Proxy Servers.
c. Click Next.
4. Select the Deployment Manager.
In the Select Deployment Manager list, select the Lotus Sametime System
Console as the cluster's deployment manager, and then click Next.
Every cluster must have exactly one Deployment Manager; the Lotus Sametime
System Console can function as the Deployment Manager for multiple clusters.
Remember that if you will create clusters for both Lotus Sametime Proxy Server
and Lotus Sametime Meeting Server, at least one of those clusters requires a
dedicated Deployment Manager; this is only true when your deployment will
include both types of cluster.
5. Select the Primary Node.
a. In the Select Primary Node list, select the server that will serve as the
cluster's primary node.
Every cluster must have exactly one Primary Node, the application server
that will function as a template for the cluster member servers. All
Secondary Nodes and Cluster Members will be created by duplicating the
application server hosted on the Primary Node.
b. Click the Federate Node button to provide the Deployment Manager with
configuration information about the new node.
Note: Make sure that the Primary Node's application server is running.
This action allows the Primary Node to be administered from the
Deployment Manager's Integrated Solutions Console. The federation and
clustering processes are very complex and may take 5-10 minutes to
complete. Be patient; click each of these buttons only once and then wait for
the page to finish loading before continuing.
If the federate primary node action completed and the Create cluster button
is not enabled, or the federate primary node returned an error, wait 3-5
minutes and retry the operation by clicking the Federate Node button
again. If this operation continues to fail, it may be necessary to restart the
Deployment Manager and Primary Node and then click the Federate Node
button again to continue the guided activity.
c. Click the Create cluster button to configure the cluster settings, and then
click Next.
Do not click anywhere on the browser until the operation completes or it
may interrupt the clustering process.
6. Select One or More Secondary Nodes.
If you are creating a horizontal cluster where each node is hosted on a separate
computer, add one or more secondary nodes to the cluster. Be sure to federate
each selected node before proceeding to select another.
a. In the Secondary Node Name list, click the node you want to add to the
cluster.
You can add only one node at a time, and you must federate it before
selecting the next node. If a node's Status indicates "Federated" it already
belongs to a cluster (either this cluster or a different one) and cannot be
added now.
b. Click the Federate Node button to provide the Deployment Manager with
configuration information about the new node.
Once the connection is complete, the node's Status displays "Federated" –
this may take some time, but do not proceed until the node has been
successfully federated.
If the federate node action completed and the Secondary Node's status has
not changed to "Federated" or the federate node returned an error, wait 3-5
minutes and then retry the operation by clicking the Federate Node button
again. If this operation continues to fail, it may be necessary to restart the
Deployment Manager and secondary node and then click the Federate
Node button again to continue this guided activity.
c. Repeat steps a. and b. until you have added all your Secondary Nodes to
the cluster.
d. Click Next.
7. Add Cluster Members.
If you are creating a vertical cluster where multiple copies of the application
are hosted on a single computer, add one or more "cluster members" to the
Primary Node. If you are creating a horizontal cluster, add one cluster member
to each of the secondary nodes you federated in the previous step.
The table lists Cluster Members, the Node that each cluster member resides on, and
the Status of each cluster member. Each node in the cluster needs to have at least
one cluster member created on it for the node to be used in the cluster.
The status of a Cluster Member will be "Clustered" if the cluster member has
been completely configured on the node. If the status is "Ready to Cluster",
select the Cluster Member and use the "Add to Cluster" button to finish
configuring the cluster member.
Vertical cluster:
a. To add a new cluster member, click New.
b. Select the default name generated for the cluster member or enter your own
cluster member server name.
c. Select the Primary Node to create the cluster member on.
d. Click the Add to Cluster button.
The status will change from "Ready to cluster" to "Clustered".
e. Click Next.
Horizontal cluster:
For each Secondary Node you federated in the previous step, a cluster member
is prepopulated into the table for you, one on each of the Secondary Nodes.
a. Select the default cluster member name for each server or update with your
own name, and verify that the nodes the cluster member servers will be
created on are correct for your topology.
b. One at a time, select each cluster member and click the Add to Cluster
button.
Do not proceed until the current cluster member's status changes from
"Ready to cluster" to "Clustered"; then you can add the next cluster member.
c. If you want to add more cluster members, click the New button to add
another row to the table, and then fill out the information accordingly.
d. Click Next.
8. Deployment Summary
Click Finish to save the cluster configuration.
Continue with the cluster configuration tasks described in the Sametime
information center.
Restarting and synchronizing nodes in the cluster:
Synchronize the nodes in an IBM WebSphere Application Server network
deployment.
About this task
Synchronizing nodes in a cluster ensures that the Deployment Manager has an
up-to-date copy of each node's configuration.
Procedure
1. Log in to the Deployment Manager's (the Lotus Sametime System Console)
Integrated Solutions Console as the WebSphere administrator.
2. Stop the Deployment Manager:
a. Click System Administration → Deployment manager.
b. Click the "Configuration" tab.
c. On the Configuration tab of the deployment manager settings, click Stop.
3. Now start the Deployment Manager:
a. Open a command window and navigate to the
app_server_root/profiles/DeploymentManagerName/bin directory.
b. Run the following command:
IBM AIX, Linux, or Solaris
./startManager.sh
Microsoft Windows
startManager.bat
IBM i
1) On the Control Language (CL) command line, run the Start Qshell
(STRQSH) command.
2) At the Qshell prompt, run the following commands:
cd app_server_root/profiles/DeploymentManagerName/bin
startManager dmgr
4. Synchronize all the nodes:
a. In the Deployment Manager's Integrated Solutions Console, click System
Administration → Nodes.
b. Select all nodes in the cluster.
c. Click Full Resynchronize.
5. Restart all nodes in the cluster:
a. In the Deployment Manager's Integrated Solutions Console, click System
Administration → Node agents.
b. Click a node agent, and then click Start (or Restart if the node agent is
already running).
Restarting the application servers in the cluster:
During cluster configuration, each node's application server was stopped so that
the node could be federated. Start all of the application servers now.
About this task
Use the IBM Lotus Sametime System Console to start each of the application
servers in the cluster.
Procedure
1. Log in to the Deployment Manager's (the Lotus Sametime System Console)
Integrated Solutions Console as the WebSphere administrator.
2. Click Servers → Clusters → WebSphere application server clusters in the
navigation tree.
3. Select the cluster's check box and click Start to start all cluster member servers.
Installing IBM Load Balancer
Install and configure IBM Load Balancer to distribute workload among a cluster of
these types of servers: Sametime Proxy Server, Sametime Meeting Server, Media
Manager Conference Manager, or Media Manager SIP Proxy and Registrar.
Before you begin
Create the cluster of servers first. Then configure the cluster and then start the
Deployment Manager (the Lotus Sametime System Console) as well as all node
agents and application servers in the cluster.
Note: The IBM Load Balancer is not available on IBM i, but you can deploy it on a
server running a different operating system for use with a Lotus Sametime
deployment hosted on IBM i.
IBM Load Balancer is not required for a Lotus Sametime clustered deployment;
you can use any load-balancing mechanism that supports HTTP session affinity, so
that a user is consistently routed to the same server during a single session. IBM
Load Balancer is included in the Lotus Sametime package with the other IBM
WebSphere components.
Procedure
1. Download IBM Load Balancer onto the server where you will install it:
a. Open this release's Download document at the following web address:
http://www.ibm.com/support/docview.wss?rs=477&uid=swg24027054
b. Locate the appropriate IBM WebSphere Edge server component in the
document's listing, then download the packages labelled with the
corresponding part numbers to the system on which you are installing.
2. Navigate to the folder where you stored the downloaded files, locate the folder
for IBM Load Balancer, and start the installation program.
For instructions on installing IBM Load Balancer, see the Load Balancer for
IPv4 and IPv6 configuration guide.
3. After you have installed IBM Load Balancer, configure two static IP addresses
for it:
v Non-Forwarding Address: The NFA is the address of the server itself. It is
used for logging in and administering the load balancer.
v Cluster Address: This is the address by which clients and other servers will
access the cluster. It must be DNS-resolvable.
For example, suppose your cluster contains two nodes, and you configure an
IBM Load Balancer for the cluster. Your IP addresses will look like this:
Table 26. Sample host names and IP addresses for a Lotus Sametime cluster with IBM
Load Balancer
Fully qualified host name | Server's role in deployment | Server's IP address
loadbal.example.com | Load balancer (NFA) | 192.0.2.15
st-cluster.example.com | Load balancer (Cluster address) | 192.0.2.0
stconsole.example.com | Deployment Manager (Lotus Sametime System Console) | 192.0.2.3
svr1.example.com | Primary Node (a Lotus Sametime server) | 192.0.2.4
svr2.example.com | Secondary Node (a Lotus Sametime server) | 192.0.2.5
Configuring IBM Load Balancer:
Configure IBM Load Balancer for a cluster of IBM Lotus Sametime servers.
About this task
The steps to configure IBM Load Balancer are different for the various operating
systems; choose the appropriate topic:
Configuring IBM Load Balancer in AIX, Linux, or Solaris:
Configure IBM Load Balancer on a server running IBM AIX, Linux, or Sun Solaris.
Before you begin
Install IBM Load Balancer and assign two static IP addresses to it. The server
selected for the Load Balancer installation must reside on the same LAN segment
as the nodes to be clustered.
About this task
Configure IBM Load balancer to support your cluster using MAC Address
rewriting. With this method, the load balancer receives a packet intended for the
cluster. It uses configured metrics to determine which node in the cluster should
process the message, and then sends the message back out to the network, routing
it to the appropriate node's MAC address. Each of the nodes in the cluster is
configured with a loopback adapter; when the packet is rewritten to the network,
the appropriate node will receive and process the packet.
As you work through the procedure, you will switch back and forth between the
Load Balancer interface and a command window.
Procedure
1. Configure the nodes of the cluster.
For cluster nodes running on AIX, Linux, and Solaris
Add a loopback adapter with the IP address of the cluster on each of the nodes
of the cluster. For instructions, see the Load Balancer for IPv4 and IPv6
configuration guide.
For cluster nodes running on IBM i
Use the Add TCP/IP Interface command to create a virtual IP address with the
"cluster" IP address you want to use.
For example:
ADDTCPIFC INTNETADR('192.0.2.0') LIND(*VIRTUALIP) SUBNETMASK(*HOST)
When the virtual TCP/IP interface is started, the server accepts packets for that
address.
Note: Do not enable proxy ARP for the Virtual IP Address. In other words, do
not specify the PREFIFC parameter on the command or enable proxy through
the graphical user interface configuration. Doing so prevents multiple systems
from using the same "cluster" IP address simultaneously.
2. Configure port settings on the cluster nodes so that IBM Load Balancer can
route the packets properly:
IBM Load Balancer requires every node in the cluster to use the same port number
for both HTTP and HTTPS service (typically, port 80). If you have configured
your nodes to use unique port numbers, change them to the same port now.
Tip: When configuring the ports, you can use the wildcard * when specifying
the host name for the HTTP and HTTPS ports. The server will then listen on all
interfaces configured in the system, including the loopback adapter set up for
the cluster.
3. Configure load balancing for the cluster:
a. Open a command window on the load balancer server.
b. Start the load balancer's Dispatcher process with the following command:
dsserver
c. If you are using IPv6 addresses, enable the processing of IPv6 packets:
Issue this command only once; thereafter, you can start and stop the
executor as often as you need. If you do not issue the command to enable
processing of IPv6 packets on these systems, the executor will not start (on
Solaris, the executor will start, but no IPv6 packets can be viewed).
AIX
1) Run the following command:
autoconf6
2) To enable uninterrupted processing of IPv6 packets, even after a system
reboot, edit the /etc/rc.tcpip file, uncomment the following line, and
add the -A flag:
start /usr/bin/autoconf6 "" -A
Linux Run the following command (you must be logged in as root):
modprobe ipv6
Solaris Run the following commands (you must be logged in as the superuser
via su), replacing device with your device name and address/prefix with your
IPv6 address and prefix values:
ifconfig device inet6 plumb
ifconfig device inet6 address/prefix up
d. Start the executor function of the dispatcher:
dscontrol executor start
e. Add the cluster to the service:
dscontrol cluster add cluster's_fully_qualified_host_name
where cluster's_fully_qualified_host_name is the fully qualified host name that
you assigned to the cluster when you installed the load balancer; for
example:
stms-cluster.example.com
f. Add the cluster port:
dscontrol port add cluster's_fully_qualified_host_name@port
where cluster's_fully_qualified_host_name@port is the fully qualified host name
that you assigned to the cluster when you installed the load balancer, with
the HTTP/HTTPS port appended to it (typically port 80); for example:
stms-cluster.example.com@80
g. Add the nodes for which this server will balance workload:
dscontrol server add cluster's_fully_qualified_host_name@port@primary_node
dscontrol server add cluster's_fully_qualified_host_name@port@secondary_node
where:
v cluster's_fully_qualified_host_name@port@primary_node indicates the cluster's
fully qualified host name with the port appended (as in the previous step),
plus the primary node's fully qualified host name appended; for example:
stms-cluster.example.com@80@meetsvr1.example.com
v cluster's_fully_qualified_host_name@port@secondary_node indicates the
cluster's fully qualified host name with the port appended (as in the previous
step), plus the secondary node's fully qualified host name appended (include
an additional line for each additional secondary node); for example:
stms-cluster.example.com@80@meetsvr2.example.com
h. Now start the Load Balancer administration interface with the following
command:
./lbadmin
Note: If you have difficulty starting the administration interface, try
stopping and then starting the executor and dsserver services before
running the command again:
dsserver stop
dscontrol executor stop
dscontrol executor start
dsserver start
./lbadmin
4. Continue configuring Load Balancer as follows:
a. Add the cluster to the executor:
dscontrol executor add cluster's_fully_qualified_host_name
where cluster's_fully_qualified_host_name is the fully qualified host name that
you assigned to the cluster when you installed the load balancer; for
example:
stms-cluster.example.com
b. Start the manager:
dscontrol manager start
c. Start the HTTP advisor for the port you are using (the port you specified in
the previous steps, typically port 80):
dscontrol advisor start http 80
5. Define server affinity with a "sticky time":
By default the Load Balancer will round-robin HTTP requests between the
cluster members, so that a single client may be routed to different cluster
members for subsequent requests rather than continuing to be routed to the
same cluster member. Since a client typically accesses an online meeting every
30-40 seconds during the session, you may want to enable server affinity for a
Lotus Sametime Meeting Server cluster so that the client continues to access the
same server during a single meeting.
The dispatcher component of IBM Load Balancer supports a configurable
"sticky time". This means that the load balancer will remember which cluster
member a client was routed to; subsequent requests will "stick to" the same
server until the preset time expires. IBM recommends a "sticky" time
configuration of 60 seconds for a Lotus Sametime Meeting Server cluster or a
Lotus Sametime Proxy Server cluster.
a. Open a command window on the load balancer server.
b. Stop the service with the following command:
dsserver stop
c. Set the sticky time with the following command:
dscontrol port set fully_qualified_host_name@port_number stickytime number_of_seconds
Where:
v fully_qualified_host_name is the fully qualified host name of the server
where IBM Load Balancer runs.
v port_number is the port that will be affected by the new sticky time
setting.
v number_of_seconds is the duration, in seconds, of the time that a client
should "stick to" the specified port.
For example:
dscontrol port set stms-cluster.example.com@80 stickytime 60
6. Save the load balancer settings:
a. In IBM Load Balancer, return to the navigation tree and right-click on the
host name of the load balancer you just configured (for example,
loadbal.example.com).
b. Click Save Configuration File as and accept the default name
(default.cfg).
The configuration settings stored in default.cfg are restored every time the
server is restarted.
c. Click OK.
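The prerequisites in steps 1 and 2 (the dispatcher and every node on one LAN segment, because MAC-address rewriting only reaches hosts on the same segment; one HTTP/HTTPS port shared by all nodes; two distinct static addresses for the load balancer) are worth checking before the dscontrol sequence is typed in. The following pre-flight script is an added example and is not part of the guide or of IBM's tooling: the inventory layout, the /24 subnet mask, and the function names are assumptions for illustration, and the addresses are constructed from Table 26 and the stms-cluster/meetsvr example names above. It also renders the dscontrol commands from this procedure for a validated inventory, so that the host@port@node strings are assembled by code rather than by hand.

```python
"""Pre-flight checks for an IBM Load Balancer MAC-forwarding cluster.

Added example, not part of the Lotus Sametime guide or IBM's tooling. The
inventory format, subnet mask and function names are assumptions; the
addresses are constructed from Table 26 (192.0.2.0/24 is assumed).
"""
import ipaddress

# Constructed inventory modelled on Table 26 and the dscontrol examples.
SAMPLE_INVENTORY = {
    "subnet": "192.0.2.0/24",
    "load_balancer": {"host": "loadbal.example.com", "nfa": "192.0.2.15"},
    "cluster": {"host": "stms-cluster.example.com", "address": "192.0.2.0", "port": 80},
    "nodes": [
        {"host": "meetsvr1.example.com", "ip": "192.0.2.4", "role": "primary", "http_port": 80},
        {"host": "meetsvr2.example.com", "ip": "192.0.2.5", "role": "secondary", "http_port": 80},
    ],
    "stickytime": 60,
}


def check_inventory(inv):
    """Return a list of problems; an empty list means every check passed."""
    problems = []
    net = ipaddress.ip_network(inv["subnet"], strict=False)
    nfa = ipaddress.ip_address(inv["load_balancer"]["nfa"])
    vip = ipaddress.ip_address(inv["cluster"]["address"])

    # The load balancer needs two distinct static addresses: the NFA for
    # administration and the cluster address that clients connect to.
    if nfa == vip:
        problems.append("cluster address must differ from the non-forwarding address")

    # MAC forwarding rewrites only the destination MAC address, so the
    # dispatcher and every node must share one LAN segment (one subnet).
    if nfa not in net:
        problems.append(f"load balancer NFA {nfa} is outside {net}")
    for node in inv["nodes"]:
        ip = ipaddress.ip_address(node["ip"])
        if ip not in net:
            problems.append(f"node {node['host']} ({ip}) is outside {net}")

    # Every node must serve HTTP/HTTPS on the cluster port.
    port = inv["cluster"]["port"]
    for node in inv["nodes"]:
        if node["http_port"] != port:
            problems.append(
                f"node {node['host']} listens on {node['http_port']}, cluster port is {port}")

    # Every cluster has exactly one Primary Node.
    primaries = [n for n in inv["nodes"] if n["role"] == "primary"]
    if len(primaries) != 1:
        problems.append(f"expected exactly one primary node, found {len(primaries)}")

    # stickytime 0 means per-request round-robin; the guide recommends 60 s
    # for Meeting Server and Proxy Server clusters.
    if inv["stickytime"] <= 0:
        problems.append("stickytime is 0: a client will be bounced between cluster members")
    return problems


def dscontrol_commands(inv):
    """Render the dscontrol sequence from the guide for a validated inventory."""
    cluster = inv["cluster"]["host"]
    port = inv["cluster"]["port"]
    cluster_port = f"{cluster}@{port}"
    cmds = [
        "dscontrol executor start",
        f"dscontrol cluster add {cluster}",
        f"dscontrol port add {cluster_port}",
    ]
    cmds += [f"dscontrol server add {cluster_port}@{n['host']}" for n in inv["nodes"]]
    cmds += [
        f"dscontrol executor add {cluster}",
        "dscontrol manager start",
        f"dscontrol advisor start http {port}",
        f"dscontrol port set {cluster_port} stickytime {inv['stickytime']}",
    ]
    return cmds


if __name__ == "__main__":
    issues = check_inventory(SAMPLE_INVENTORY)
    if issues:
        print("\n".join("PROBLEM: " + p for p in issues))
    else:
        print("\n".join(dscontrol_commands(SAMPLE_INVENTORY)))
```

Run the script against the real inventory before step 3; only a clean run should be followed by the rendered commands, and any reported problem points at the step above that has to be revisited (loopback adapter and port settings on the nodes, or the two static addresses on the load balancer).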
Configuring IBM Load Balancer in Windows:
Configure IBM Load Balancer on a server running Microsoft Windows.
Before you begin
Install IBM Load Balancer and assign two static IP addresses to it. The server
selected for the Load Balancer installation must reside on the same LAN segment
as the nodes to be clustered.
About this task
Configure IBM Load balancer to support your cluster using MAC Address
rewriting. With this method, the load balancer receives a packet intended for the
cluster. It uses configured metrics to determine which node in the cluster should
process the message, and then sends the message back out to the network, routing
it to the appropriate node's MAC address.
Each of the nodes in the cluster is configured with a loopback adapter; when the
packet is rewritten to the network, the appropriate node will receive and process
the packet.
Procedure
1. Configure the nodes of the cluster.
For cluster nodes running on Windows
Add a loopback adapter with the IP address of the cluster on each of the nodes
of the cluster. For instructions, see the Load Balancer for IPv4 and IPv6
configuration guide.
For cluster nodes running on IBM i
Use the Add TCP/IP Interface command to create a virtual IP address with the
"cluster" IP address you want to use.
For example:
ADDTCPIFC INTNETADR('192.0.2.0') LIND(*VIRTUALIP) SUBNETMASK(*HOST)
When the virtual TCP/IP interface is started, the server accepts packets for that
address.
Note: Do not enable proxy ARP for the Virtual IP Address. In other words, do
not specify the PREFIFC parameter on the command or enable proxy through
the graphical user interface configuration. Doing so prevents multiple systems
from using the same "cluster" IP address simultaneously.
2. Configure port settings on the cluster nodes so that IBM Load Balancer can
route the packets properly:
IBM Load Balancer requires every node in the cluster to use the same port number
for both HTTP and HTTPS service (typically, port 80). If you have configured
your nodes to use unique port numbers, change them to the same port now.
Tip: When configuring the ports, you can use the wildcard * when specifying
the host name for the HTTP and HTTPS ports. The server will then listen on all
interfaces configured in the system, including the loopback adapter set up for
the cluster.
3. On the load balancer server, configure load balancing for the cluster:
a. Open a command window on the load balancer server.
b. Start the load balancer's Dispatcher process by clicking Start → Control
Panel → Administrative Tools → Services, right-click IBM Dispatcher (ULB),
and then click Start.
c. If you are using IPv6 addresses, enable the processing of IPv6 packets:
Run the following command while logged in as the Windows administrator:
netsh interface ipv6 install
This command enables processing of IPv6 packets. Issue this command
only once; thereafter, you can start and stop the executor as often as you
need. If you do not issue the command to enable processing of IPv6 packets
on these systems, the executor will not start.
d. Start the executor function of the dispatcher:
dscontrol executor start
e. Add the cluster to the service:
dscontrol cluster add cluster's_fully_qualified_host_name
where cluster's_fully_qualified_host_name is the fully qualified host name that
you assigned to the cluster when you installed the load balancer; for
example:
stms-cluster.example.com
f. Add the cluster port:
dscontrol port add cluster's_fully_qualified_host_name@port
where cluster's_fully_qualified_host_name@port is the fully qualified host name
that you assigned to the cluster when you installed the load balancer, with
the HTTP/HTTPS port appended to it (typically port 80); for example:
stms-cluster.example.com@80
g. Add the nodes for which this server will balance workload:
dscontrol server add cluster's_fully_qualified_host_name@port@primary_node
dscontrol server add cluster's_fully_qualified_host_name@port@secondary_node
where:
v cluster's_fully_qualified_host_name@port@primary_node indicates the cluster's
fully qualified host name with the port appended (as in the previous step),
plus the primary node's fully qualified host name appended; for example:
stms-cluster.example.com@80@meetsvr1.example.com
v cluster's_fully_qualified_host_name@port@secondary_node indicates the
cluster's fully qualified host name with the port appended (as in the previous
step), plus the secondary node's fully qualified host name appended (include
an additional line for each additional secondary node); for example:
stms-cluster.example.com@80@meetsvr2.example.com
h. Add the cluster to the executor:
dscontrol executor add cluster's_fully_qualified_host_name
where cluster's_fully_qualified_host_name is the fully qualified host name that
you assigned to the cluster when you installed the load balancer; for
example:
stms-cluster.example.com
i. Start the manager:
dscontrol manager start
j. Start the HTTP advisor for the port you are using (the port you specified in
the previous steps, typically port 80):
dscontrol advisor start http 80
k. Now you can stop the service:
dsserver stop
l. Close the command window.
4. Define server affinity with a "sticky time":
By default the Load Balancer will round-robin HTTP requests between the
cluster members, so that a single client may be routed to different cluster
members for subsequent requests rather than continuing to be routed to the
same cluster member. Since a client typically accesses an online meeting every
30-40 seconds during the session, you may want to enable server affinity for a
Lotus Sametime Meeting Server cluster so that the client continues to access the
same server during a single meeting.
The dispatcher component of IBM Load Balancer supports a configurable
"sticky time". This means that the load balancer will remember which cluster
member a client was routed to; subsequent requests will "stick to" the same
server until the preset time expires. IBM recommends a "sticky" time
configuration of 60 seconds for a Lotus Sametime Meeting Server cluster or a
Lotus Sametime Proxy Server cluster.
Windows
a. Start IBM Load Balancer.
b. In the navigation tree, select the Executor (the load balancer's
non-forwarding IP address, which appears under its host name).
c. Click Configuration Settings.
d. In "Port-Specific Settings", change the Default sticky-time settings from 0 to
60 seconds, and click Update Configuration.
e. Leave IBM Load Balancer open for the next step.
5. Save the load balancer settings:
a. In IBM Load Balancer, return to the navigation tree and right-click on the
host name of the load balancer you just configured (for example,
loadbal.example.com).
b. Click Save Configuration File as and accept the default name
(default.cfg).
The configuration settings stored in default.cfg are restored every time the
server is restarted.
c. Click OK.
Configuring a Lotus Sametime Media Manager
This section describes how to configure the components of the Lotus Sametime
Media Manager.
Clustering Lotus Sametime Media Manager components
The IBM Lotus Sametime Media Manager includes several components. You can
install the components separately and optionally cluster some of them.
About this task
The Lotus Sametime Media Manager comprises three components:
v Packet Switcher
Based on voice-activated switching, the Packet Switcher routes audio and video
data to participant endpoints. There can be one or more Packet Switchers in a
deployment; it cannot be clustered. A Packet Switcher can only be registered
with one Conference Manager. If you have a Conference Manager cluster then
the Packet Switcher is registered with the cluster and each cluster member uses
the same Packet Switcher.
v Conference Manager
Manages multipoint conferences by maintaining a dialog with each participant,
and ensuring that all media flows between those participants. You can install
multiple Conference Manager components and cluster them for high availability
and failover.
v SIP Proxy/Registrar
Directs conference participants to Conference Manager servers and provides
high availability and failover functionality. You can install multiple SIP
Proxy/Registrar components and cluster them for high availability and failover.
Complete the clustering tasks in the sequence shown:
Clustering SIP Proxy and Registrar components
Configuring a cluster of IBM Lotus Sametime Media Manager "SIP Proxy and
Registrar" components involves several tasks, including synchronizing system
clocks and configuring one or more IBM WebSphere proxy servers to operate with
the cluster.
Before you begin
You can create two types of clusters:
v A Vertical cluster resides on the Primary node and includes two or more cluster
members, which run the same application.
v A Horizontal cluster includes a Primary node plus one or more Secondary
nodes, all running the same application. Each node contains one cluster member.
Before you can configure a cluster of Lotus Sametime Media Manager "SIP Proxy
and Registrar" components, you must have installed the following servers:
1. Lotus Sametime System Console
This server will function as the cluster's Deployment Manager; the console can
function as the Deployment Manager for multiple clusters.
Attention: Each Deployment Manager (including the Sametime System
Console when it is used as a Deployment Manager) can support one cluster of
each Sametime product. For example, a single Deployment Manager can
support a Sametime Proxy server cluster, a Media Manager cluster, and a
Meeting server cluster. If you want to create additional clusters for a particular
product, you must deploy additional Deployment Managers.
2. Lotus Sametime Community Server
At least one Lotus Sametime Community Server must be deployed to provide
presence and awareness for users.
3. One Lotus Sametime Media Manager "SIP Proxy and Registrar" component,
installed with the Network Deployment → Primary Node option.
Every cluster requires exactly one Primary Node. The application server on the
Primary Node will function as the cluster's application template. All other
application servers in the cluster (nodes and cluster members) will be
duplicated from the Primary Node's application server. The Primary node's
application server can only belong to one cluster. The Primary Node can be
used as a container for additional cluster members when creating a vertical
cluster (multiple cluster members on the same physical system).
4. (Horizontal cluster only) One or more Lotus Sametime Media Manager "SIP
Proxy and Registrar" components, installed with the Network Deployment →
Secondary Node option.
Secondary nodes are used to horizontally scale your cluster across multiple
physical systems. These additional nodes act as a container for additional
cluster members, which can be used to balance loads and provide failover
within the cluster. During the clustering process, you can deploy additional
product application servers on any Secondary Nodes within the cluster,
creating a horizontal cluster.
To cluster SIP Proxy and Registrar components, complete the following tasks in the
sequence shown:
Setting clocks on the servers to be clustered:
Synchronize the system clocks on the servers to be clustered with an IBM
WebSphere Application Server network deployment.
About this task
This task is required to ensure that the servers can be federated to the Deployment
Manager during creation of the cluster. Working on the Lotus Sametime System
Console, complete this task for every server that you will add to the cluster.
Procedure
For each server that will be added to the cluster, set the system clock to exactly the
same time as the Deployment Manager's (the Lotus Sametime System Console)
system clock.
Clustering Sametime servers running on WebSphere Application Server:
Use the IBM Lotus Sametime System Console to create a cluster of Lotus Sametime
Servers hosted on IBM WebSphere Application Server. The Lotus Sametime servers
must all be running the same type of server; for example, Lotus Sametime Meeting
Server, Lotus Sametime Proxy Server, Lotus Sametime Media Manager Conference
Manager, or Lotus Sametime Media Manager SIP Proxy and Registrar.
Before you begin
Start the Lotus Sametime System Console and the servers you intend to cluster.
Note: This guided activity is only for Lotus Sametime servers hosted on IBM
WebSphere Application Server, and does not apply to the Lotus Sametime
Community Server.
About this task
Multiple product clusters are not supported on a single computer; however,
vertical clusters (all cluster members installed on the Primary Node) are supported
when each product cluster is on a dedicated computer. A horizontal cluster is
defined as a cluster with each cluster member having a dedicated computer (one
on the Primary Node and one on each Secondary Node).
If you have not already opened the Cluster WebSphere Application Servers guided
activity, follow these steps:
Procedure
1. From a browser, enter the following URL, replacing serverhostname.domain with
the fully qualified domain name of the Lotus Sametime System Console server.
http://serverhostname.domain:8700/ibm/console
2. Enter the WebSphere Application Server User ID and password that you
created when you installed the Lotus Sametime System Console.
3. Click the Sametime System Console task to open it in the navigation tree.
4. Click Guided Activities → Cluster WebSphere Application Servers.
Guided activity: Clustering Sametime servers running on WebSphere Application Server:
This guided activity takes you through the steps for clustering IBM Lotus
Sametime servers hosted on IBM WebSphere Application Server. The servers you
add to the cluster must all be running the same Lotus Sametime product
application; for example, Lotus Sametime Meeting Server, Lotus Sametime Proxy
Server, Lotus Sametime Media Manager Conference Manager, or Lotus Sametime
Media Manager SIP Proxy and Registrar.
Before you begin
1. Install the Lotus Sametime System Console and two or more Lotus Sametime
servers of the same product type; then start the Lotus Sametime System
Console and all of the servers you plan to cluster.
This guided activity applies to the following Lotus Sametime servers:
v Lotus Sametime Proxy Server
v Lotus Sametime Meeting Server
v Lotus Sametime Media Manager
Clustering is not available for the Packet Switcher; it is also not available for
an "All Components" installation of the Media Manager, which includes the
Packet Switcher. The Conference Manager components and the SIP Proxy
and Registrar components must be installed and clustered on dedicated
computers.
2. Run the backupConfig utility for the Deployment Manager, the Primary Node,
and any Secondary Nodes before beginning the cluster guided activity. The
utility is located in the bin folder under the profile of each server. The utility
automatically shuts down any running servers in the profile, so you must
restart the servers after running the utility. Use the restoreConfig utility to
restore the configuration if the changes need to be undone. For more
information on backupConfig and restoreConfig, see the WebSphere
Application Server Information Center.
About this task
Multiple product clusters are not supported on a single computer; however,
vertical clusters (all cluster members installed on the Primary Node) are supported
when each product cluster is on a dedicated computer. A horizontal cluster is
defined as a cluster with each cluster member having a dedicated computer (one
on the Primary Node and one on each Secondary Node).
Note that you cannot use this activity to cluster Lotus Sametime Community
Servers (see "Clustering Lotus Sametime Community Servers") or Lotus Sametime
Gateway servers (see "Installing Lotus Sametime Gateway servers in a cluster").
Configure a cluster of one type of product server to improve performance with
high availability, and to provide failover. You can create a horizontal cluster in
which each node is hosted on a separate computer, as well as a vertical cluster
with multiple cluster members hosted on the Primary Node.
These instructions generally assume that you will use the Lotus Sametime System
Console as the cluster's Deployment Manager, which provides a single Integrated
Solutions Console for all WebSphere administrative functions for all servers
participating in the cell – this simplifies the administrative experience. If you create
clusters for both Lotus Sametime Proxy Server and Lotus Sametime Meeting
Server, then at least one of those clusters will require a dedicated Deployment
Manager; this is only true when you deploy both types of clusters.
Procedure
1. Cluster WebSphere Application Servers.
Click Next to begin the clustering activity.
2. Select Product to Cluster.
Select the product server to cluster, and then click Next.
The list only displays Lotus Sametime products for which one or more servers
have been installed and registered with the Lotus Sametime System Console. If
you installed servers using deployment plans, they are registered with the
console automatically. If you did not use a deployment plan, you must
manually register the servers with the console before proceeding (see
"Registering servers with the Lotus Sametime System Console").
3. Select or Create a Cluster.
To create a cluster or upgrade a cluster:
a. Click Create Cluster if you are setting up a new cluster, or click Upgrade
Existing Cluster.
b. Type a descriptive name for the cluster in the Cluster Name field.
172
Lotus Sametime: Installation and Administration Guide Part 2
For example, if you are creating a cluster of Lotus Sametime Meeting
Servers, you will probably want to indicate that in the cluster name so you
can easily identify it later.
c. Click Next.
To modify an existing cluster; for example, to add a new cluster member:
a. Click Select Existing Cluster.
b. Select a cluster in the Cluster Name list.
If you are going to add a node or cluster member to the cluster, you must
use the same Lotus Sametime product. For example, you cannot add a
Lotus Sametime Meeting Server cluster member to a cluster of Lotus
Sametime Proxy Servers.
c. Click Next.
4. Select the Deployment Manager.
In the Select Deployment Manager list, select the Lotus Sametime System
Console as the cluster's deployment manager, and then click Next.
Every cluster must have exactly one Deployment Manager; the Lotus Sametime
System Console can function as the Deployment Manager for multiple clusters.
Remember that if you will create clusters for both Lotus Sametime Proxy Server
and Lotus Sametime Meeting Server, at least one of those clusters requires a
dedicated Deployment Manager; this is only true when your deployment will
include both types of cluster.
5. Select the Primary Node.
a. In the Select Primary Node list, select the server that will serve as the
cluster's primary node.
Every cluster must have exactly one Primary Node, the application server
that will function as a template for the cluster member servers. All
Secondary Nodes and Cluster Members will be created by duplicating the
application server hosted on the Primary Node.
b. Click the Federate Node button to provide the Deployment Manager with
configuration information about the new node.
Note: Make sure that the Primary Node's application server is running.
This action allows the Primary Node to be administered from the
Deployment Manager's Integrated Solutions Console. The federation and
clustering processes are very complex and may take 5-10 minutes to
complete. Please be patient; click these buttons only once and then wait for
the page to finish loading before continuing.
If the federate primary node action completed and the Create cluster button
is not enabled, or the federate primary node returned an error, wait 3-5
minutes and retry the operation by clicking the Federate Node button
again. If this operation continues to fail, it may be necessary to restart the
Deployment Manager and Primary Node and then click the Federate Node
button again to continue the guided activity.
c. Click the Create cluster button to configure the cluster settings, and then
click Next.
Do not click anywhere on the browser until the operation completes or it
may interrupt the clustering process.
6. Select One or More Secondary Nodes.
If you are creating a horizontal cluster where each node is hosted on a separate
computer, add one or more secondary nodes to the cluster. Be sure to federate
each selected node before proceeding to select another.
a. In the Secondary Node Name list, click the node you want to add to the
cluster.
You can add only one node at a time, and you must federate it before
selecting the next node. If a node's Status indicates "Federated" it already
belongs to a cluster (either this cluster or a different one) and cannot be
added now.
b. Click the Federate Node button to provide the Deployment Manager with
configuration information about the new node.
Once the connection is complete, the node's Status displays "Federated" –
this may take some time, but do not proceed until the node has been
successfully federated.
If the federate node action completed and the Secondary Node's status has
not changed to "Federated" or the federate node returned an error, wait 3-5
minutes and then retry the operation by clicking the Federate Node button
again. If this operation continues to fail, it may be necessary to restart the
Deployment Manager and secondary node and then click the Federate
Node button again to continue this guided activity.
c. Repeat steps a. and b. until you have added all your Secondary Nodes to
the cluster.
d. Click Next.
7. Add Cluster Members.
If you are creating a vertical cluster where multiple copies of the application
are hosted on a single computer, add one or more "cluster members" to the
Primary Node. If you are creating a horizontal cluster, add one cluster member
to each of the secondary nodes you federated in the previous step.
The table lists Cluster Members, the Node that each cluster member resides on,
and the Status of each cluster member. Each node in the cluster needs at least
one cluster member created on it for the node to be used in the cluster.
The status of a Cluster Member will be "Clustered" if the cluster member has
been completely configured on the node. If the status is "Ready to Cluster",
select the Cluster Member and use the "Add to Cluster" button to finish
configuring the cluster member.
Vertical cluster:
a. To add a new cluster member, click New.
b. Select the default name generated for the cluster member or enter your own
cluster member server name.
c. Select the Primary Node to create the cluster member on.
d. Click the Add to Cluster button.
The status will change from "Ready to cluster" to "Clustered".
e. Click Next.
Horizontal cluster:
For each Secondary Node you federated in the previous step, a cluster member
is prepopulated into the table for you, one on each of the Secondary Nodes.
a. Select the default cluster member name for each server or update with your
own name, and verify that the nodes the cluster member servers will be
created on are correct for your topology.
b. One at a time, select each cluster member and click the Add to Cluster
button.
Do not proceed until the current cluster member's status changes from
"Ready to cluster" to "Clustered"; then you can add the next cluster member.
c. If you want to add more cluster members, click the New button to add
another row to the table, and then fill out the information accordingly.
d. Click Next.
8. Deployment Summary
Click Finish to save the cluster configuration.
Continue with the cluster configuration tasks described in the Sametime
information center.
Restarting and synchronizing the SIP Proxy and Registrar cluster:
Complete the configuration for clustering IBM Lotus Sametime Media Manager SIP
Proxy and Registrar components using an IBM WebSphere Application Server
network deployment by restarting and synchronizing nodes in the cluster and
restarting the application servers in the cluster.
Before you begin
Create a cluster of SIP Proxy and Registrar components using the guided activity.
About this task
Completing the cluster's configuration requires the following tasks:
Restarting and synchronizing nodes in the cluster:
Synchronize the nodes in an IBM WebSphere Application Server network
deployment.
About this task
Synchronizing nodes in a cluster ensures that the Deployment Manager has an
up-to-date copy of each node's configuration.
Procedure
1. Log in to the Deployment Manager's (the Lotus Sametime System Console)
Integrated Solutions Console as the WebSphere administrator.
2. Stop the Deployment Manager:
a. Click System Administration → Deployment manager.
b. Click the "Configuration" tab.
c. On the Configuration tab of the deployment manager settings, click Stop.
3. Now start the Deployment Manager:
a. Open a command window and navigate to the app_server_root/profiles/
DeploymentManagerName/bin directory.
b. Run the following command:
IBM AIX, Linux, or Solaris
./startManager.sh
Microsoft Windows
startManager.bat
IBM i
1) On the Control Language (CL) command line, run the Start Qshell
(STRQSH) command.
2) At the Qshell prompt, run the following commands:
cd app_server_root/profiles/DeploymentManagerName/bin
startManager dmgr
4. Synchronize all the nodes:
a. In the Deployment Manager's Integrated Solutions Console, click System
Administration → Nodes.
b. Select all nodes in the cluster.
c. Click Full Resynchronize.
5. Restart all nodes in the cluster:
a. In the Deployment Manager's Integrated Solutions Console, click System
Administration → Node agents.
b. Click a node agent, and then click Start (or Restart if the node agent is
already running).
Restarting the application servers in the cluster:
During cluster configuration, each node's application server was stopped so that
the node could be federated. Start all of the application servers now.
About this task
Use the IBM Lotus Sametime System Console to start each of the application
servers in the cluster.
Procedure
1. Log in to the Deployment Manager's (the Lotus Sametime System Console)
Integrated Solutions Console as the WebSphere administrator.
2. Click Servers → Clusters → WebSphere application server clusters in the
navigation tree.
3. Select the cluster's check box and click Start to start all cluster member servers.
Setting up a WebSphere proxy server for the cluster:
Set up an IBM WebSphere proxy server for use with a cluster of IBM Lotus
Sametime servers. The proxy server can be hosted on a product node, or on a
separate computer; it performs routing and caching tasks for the servers in the
cluster.
About this task
If you deployed the Lotus Sametime Meeting Server cluster using a standalone
Deployment Manager, you must deploy a WebSphere proxy server to operate with
the cluster. If the cluster uses the Lotus Sametime System Console as its
Deployment Manager, the WebSphere proxy server was automatically deployed on
the console but may need to be configured.
If the Meeting Server cluster experiences a high level of demand, you may want to
deploy an additional, stand-alone, WebSphere proxy server to distribute the load
and mitigate the single point-of-failure.
(Optional) Adding a stand-alone WebSphere proxy server to the cluster:
Install a stand-alone IBM WebSphere proxy server for use with a cluster of IBM
Lotus Sametime servers.
Before you begin
This topic explains how to install a stand-alone WebSphere proxy server by
installing an extra node into the Lotus Sametime cluster, removing the Lotus
Sametime application, and then configuring the WebSphere proxy server that
remains. If you just want to configure the WebSphere proxy server that was
automatically installed with WebSphere Application Server on one of existing
nodes in your Lotus Sametime cluster, skip this task and proceed directly to
Configuring a WebSphere proxy server.
About this task
A cluster of Lotus Sametime servers requires at least one WebSphere proxy server
to handle routing and caching tasks. When you install Lotus Sametime on a node
in the cluster, WebSphere Application Server and WebSphere proxy server are also
installed. The WebSphere proxy server merely needs to be configured for use.
To reduce the resource load on product nodes and avoid port conflicts, you may
choose to install a stand-alone WebSphere proxy server on a separate computer
instead of using the instance that was installed on a Lotus Sametime node. Or, you
may configure the instance on the Lotus Sametime node and then install an
additional instance on a separate computer, and use a load balancer to share the
load between them.
Note: If you previously installed a WebSphere proxy server on one of the Lotus
Sametime nodes in the cluster and are now seeing excessive CPU usage on that
node, you should install and configure an additional proxy server now.
To install a stand-alone WebSphere proxy server, you will install an extra Lotus
Sametime node using the "Secondary Node" option, and then federate the new
node into the cluster. You will then remove the Lotus Sametime application from
the new node while leaving WebSphere proxy server intact. Finally, you will
configure the WebSphere proxy server for use with the cluster.
Installing an additional Lotus Sametime server as a Secondary Node:
Install an IBM Lotus Sametime product server as a Secondary Node, and then
federate it into a cluster.
About this task
The first stage in deploying a stand-alone IBM WebSphere proxy server is to create
a deployment plan, and then use the Lotus Sametime System Console to install the
new Lotus Sametime server. Because you will later federate the new product node
into the cluster, you must install the same product now. For example, if you are
working with a cluster of Lotus Sametime Meeting Servers, then install a new
Meeting Server.
Important: Install the new node using the "Secondary Node" option to ensure you
can federate it to the cluster later.
Federating the new Secondary Node to the cluster:
Federate the newly installed Secondary Node into a cluster of IBM Lotus Sametime
servers.
About this task
The next stage in deploying a stand-alone IBM WebSphere proxy server is to
federate the new Lotus Sametime node into the existing cluster. For this task, you
will use the Clustering guided activity, selecting the "Select Existing Cluster" option
(in Step 3) and then choosing the appropriate cluster.
When you run the cluster guided activity there are two phases: first, the new
node (the future WebSphere proxy server host) is federated to the cluster's
Deployment Manager; then it is added into the cluster as a new member. Be sure
to complete all steps in the guided activity to properly add the node to the
cluster.
Removing the Lotus Sametime product from the new node:
After you have federated a new IBM Lotus Sametime node to a cluster, remove the
Lotus Sametime application but leave the IBM WebSphere proxy server intact.
About this task
After the new node has been federated to the cluster, it can be managed by the
cluster's Deployment Manager. Since the purpose of this new node is to provide a
WebSphere proxy server, the Lotus Sametime product application is no longer
needed on that node, and can be removed.
Procedure
1. On the cluster's Deployment Manager, log in to the Integrated Solutions
Console as the WebSphere administrator.
2. Click Servers → WebSphere application servers.
3. In the list of servers, click the name of the new Lotus Sametime node.
4. At the top of the list, click the Delete button.
5. When prompted for confirmation, click OK.
6. Save the change by clicking the Save link in the "Messages" box at the top of
the page.
7. Verify that the server has been deleted by making sure it no longer appears in
the list of servers.
Configuring a WebSphere proxy server:
Configure an IBM WebSphere proxy server to perform routing and caching tasks
for a cluster of IBM Lotus Sametime servers running on WebSphere Application
Server.
Before you begin
Create a cluster of Lotus Sametime servers running on WebSphere Application
Server; start the Deployment Manager (the Lotus Sametime System Console) as
well as all node agents and application servers in the cluster.
Use these instructions to configure a WebSphere proxy server that operates with
the following Lotus Sametime server clusters:
v Meeting Server
v Conference Manager
v SIP Proxy and Registrar
About this task
A cluster of Lotus Sametime servers that run on WebSphere Application Server can
use a WebSphere proxy server to manage routing and caching tasks. To ensure
redundancy in the case of a proxy server failure, you may want to configure
multiple proxy servers for the cluster. Use a Load Balancer in that case to divide
the incoming load between the proxy servers. You can host a WebSphere proxy
server on any node in the cluster (except the Lotus Sametime System Console) but
because it uses a lot of system resources, you may want to host it on its own
computer.
Note: If you install multiple WebSphere proxy servers, you will need a Load
Balancer to divide the incoming load among the proxy servers. Installing IBM
Load Balancer is discussed later in this section.
Procedure
1. Log in to the Deployment Manager's (the Lotus Sametime System Console)
Integrated Solutions Console as the WebSphere administrator.
2. In the navigation tree, click Servers → Server Types → WebSphere proxy
servers.
3. In the proxy servers table, click the New button at the top of the table.
4. In the "Create a new proxy server entry" dialog box, do the following:
a. In the "Select a node" box, select the node that will host the WebSphere
proxy server.
Be sure to select a node that belongs to the appropriate cluster.
b. Type a name for the new proxy server; for example "was_proxy1", and then
click Next.
c. In the "Specify server specific properties" box, select the appropriate
"Support protocol" settings for your cluster, select Generate unique ports,
and then click Next.
v If you are configuring this WebSphere proxy server for a Meeting Server
cluster: deselect the SIP protocol.
v If you are configuring this WebSphere proxy server for a SIP Proxy and
Registrar cluster: accept both HTTP and SIP protocols.
v If you are configuring this WebSphere proxy server for a Conference
Manager cluster: accept both HTTP and SIP protocols.
d. In the "Select a server template" box, select proxy_server_foundation (the
WebSphere Default Proxy Server Template), and then click Next.
e. In the "Confirm new server" box, click Finish.
5. Save the changes by clicking the Save link in the "Messages" box at the top of
the page.
6. Resynchronize the nodes:
a. On the Deployment Manager, log in to the Integrated Solutions Console as
the WebSphere administrator.
b. Click System Administration → Nodes.
c. Select all of the nodes in the cluster.
d. Click Full Resynchronization.
7. (Conference Manager cluster, SIP Proxy and Registrar cluster) Assign the new
proxy server to the cluster:
a. Click Servers → Server Types → Websphere proxy servers →
proxy_server_name → SIP Proxy Server Settings → SIP proxy settings.
b. In the "Default cluster" field, select the cluster that you are configuring this
WebSphere proxy server to work with.
c. Click Apply.
8. Now start the new WebSphere proxy server:
a. Again in the Integrated Solutions Console's navigation tree, click Servers →
Proxy Servers.
b. In the "Proxy Servers" page, select the new proxy server from the list.
c. Click the Start button above the list of proxy servers.
Adding ports to the virtual host alias:
After creating an IBM Lotus Sametime Media Manager SIP Proxy and Registrar
cluster, add the SIP ports of each cluster member to the virtual host alias.
Before you begin
Create a cluster of SIP Proxy and Registrar components. Adding the SIP ports of
each cluster member to the virtual host alias is required to ensure that the cluster
operates properly.
About this task
On the cluster's Deployment Manager (the Lotus Sametime System Console),
update the sip_proxyreg_host virtual host with a unique set of web access ports.
Such a configuration lets a single host machine resemble multiple host machines.
Tip: Print this page and use the table to record the port settings as you look them
up in steps 1 and 2:
Table 27. Write down the port numbers used for these settings in every cluster member
(the two SIP_DEFAULTHOST values come from each cluster member, step 1; the two
PROXY_*_ADDRESS values come from each WebSphere proxy server, step 2)

                    SIP_DEFAULTHOST   SIP_DEFAULTHOST_SECURE   PROXY_SIP_ADDRESS   PROXY_SIPS_ADDRESS
Cluster member 1    _______________   ______________________   _________________   __________________
Cluster member 2    _______________   ______________________   _________________   __________________
Cluster member 3    _______________   ______________________   _________________   __________________
Cluster member 4    _______________   ______________________   _________________   __________________
Cluster member 5    _______________   ______________________   _________________   __________________
Procedure
1. Determine the ports used by every cluster member:
a. In the Deployment Manager's (the Lotus Sametime System Console)
Integrated Solutions Console, click Servers → Server Types → WebSphere
application servers.
b. In the table listing the servers, click the name of the cluster member.
This displays the cluster member's "Configuration" page.
c. On the "Configuration" page, look under "Communication", and expand
Ports.
d. Look in the Ports table and write down the following port settings for use
in the next step:
v SIP_DEFAULTHOST
v SIP_DEFAULTHOST_SECURE
e. Repeat this process for every cluster member.
2. Next, determine the ports used by every WebSphere proxy server that operates
with this cluster.
a. In the Deployment Manager's (the Lotus Sametime System Console)
Integrated Solutions Console, click Servers → Server Types → WebSphere
proxy servers.
b. In the table listing the servers, click the name of the WebSphere proxy
server.
This displays the proxy server's "Configuration" page.
c. On the "Configuration" page, look under "Communication", and expand
Ports.
d. Look in the Ports table and write down the following port settings for use
in the next step:
v PROXY_SIP_ADDRESS
v PROXY_SIPS_ADDRESS
e. Repeat this process for every WebSphere proxy server used by the cluster.
3. Now add the ports used by all the cluster members and all of the WebSphere
proxy servers to the Deployment Manager's Virtual Hosts table.
a. Now return to the Integrated Solutions Console navigation tree and click
Environment → Virtual Hosts.
b. In the Virtual Hosts table, click the host called sip_proxyreg_host.
This displays the "Configuration" page for the sip_proxyreg_host.
c. Under "Additional Properties", click Host Aliases.
d. In the "Host Aliases" table, add the ports used by all of the cluster members
(the information you collected in Step 1):
Remember that you have information on the two ports for each cluster
member; however if a port is already listed in the table, you do not need to
add it again.
To add a port:
1) Click the New button at the top of the table.
2) In the Host Name field, type *.
3) In the Port field, type a port from your list.
4) Click OK.
5) Repeat this for the two ports for every cluster member (unless a port is
already listed in this table).
e. Now delete all of the table entries that do not use * as the Host Name.
To delete an entry, click on the check box next to it, and then click the
Delete button at the top of the table.
f. Save the new port settings to the master configuration and synchronize the
nodes in the cluster:
WebSphere Application Server displays a message prompting you to save
changes to the master configuration. Click Preference → Synchronize nodes
option before clicking the Save button.
Reconfiguring ports for a WebSphere proxy server hosted on a product node:
If the IBM WebSphere proxy server is hosted on the same computer as an IBM
Lotus Sametime product, reconfigure ports to avoid a conflict.
Checking for port conflicts between Lotus Sametime and WebSphere proxy server:
Verify that the IBM WebSphere proxy server is listening on the correct ports and is
not in conflict with the IBM Lotus Sametime server running on the same computer.
Before you begin
This task is only necessary when Lotus Sametime and WebSphere proxy server are
running on the same computer.
About this task
If your cluster has both Lotus Sametime and WebSphere proxy server running on
multiple nodes, be sure to check the ports on each node.
Procedure
1. On the node being checked, log in to the Integrated Solutions Console as the
WebSphere administrator.
2. Check the ports used by the WebSphere proxy server:
a. Click Servers → Proxy Servers.
b. In the list of proxy servers, click the node's WebSphere proxy server to open
its Configuration page.
c. Under "Communications" click Ports.
d. Write down the values assigned to the following ports:
v PROXY_SIP_ADDRESS
v PROXY_SIPS_ADDRESS
3. Check the ports used by the Lotus Sametime server:
a. Click Servers → Application Servers.
b. In the list of application servers, click the name of the Lotus Sametime
server to open its Configuration page.
c. Under "Communications" click Ports.
d. Write down the values assigned to the following ports:
v PROXY_SIP_ADDRESS
v PROXY_SIPS_ADDRESS
4. Decide whether the ports are in conflict:
Ports are in conflict if either of the following conditions is true:
v The WebSphere proxy server is listening on ports other than 5060
(PROXY_SIP_ADDRESS) and 5061 (PROXY_SIPS_ADDRESS).
v The Lotus Sametime server is listening on the same ports as the WebSphere
proxy server.
What to do next
Your next task depends on whether there is a port conflict to resolve:
v If the ports are in conflict, proceed to Changing a WebSphere proxy server's port
settings.
v If the ports are not in conflict, then the WebSphere proxy server configuration is
complete. Skip to Installing IBM Load Balancer.
Changing a WebSphere proxy server's port settings:
Change the defined port settings on an IBM WebSphere proxy server used by an
IBM Lotus Sametime cluster.
About this task
If any of the WebSphere proxy server's port settings is incorrect, change it to the
correct value.
Procedure
1. On the node where WebSphere proxy server is running, log in to the Integrated
Solutions Console as the WebSphere administrator.
2. Click Servers → Proxy Servers.
3. In the list of proxy servers, click the node's WebSphere proxy server to open its
Configuration page.
4. Under "Communications" click Ports.
5. Use the Ports table to change the SIP ports as follows:
a. Click the PROXY_SIP_ADDRESS link, change its setting (for example, to
5060), and then click OK.
b. Click the PROXY_SIPS_ADDRESS link, change its setting (for example, to
5061), and then click OK.
6. Use the Ports table to change the HTTP ports as follows:
Although the HTTP and HTTPS ports will not be used by the Lotus Sametime
server (so there will not be a conflict), you still need to make sure they are
using the correct values.
a. Click on the HTTP link, change its setting (for example, to 80), and then
click OK.
b. Click on the HTTPS link, change its setting (for example, to 443), and then
click OK.
7. Save the changes by clicking the Save link in the "Messages" box at the top of
the page.
Changing the Lotus Sametime server's port settings:
Change the defined port settings on an IBM Lotus Sametime node to avoid a
conflict with the IBM WebSphere proxy server running on the same computer.
About this task
If any of the Lotus Sametime server's port settings conflicts with a port used by the
WebSphere proxy server running on the same node, enter new port settings now.
Procedure
1. On the node where the Lotus Sametime server is running, log in to the
Integrated Solutions Console as the WebSphere administrator.
2. Click Servers → Application Servers.
3. In the list of application servers, click the Lotus Sametime server to open its
Configuration page.
4. Under "Communications" click Ports.
5. Use the Ports table to change the SIP ports as follows:
a. Click the PROXY_SIP_ADDRESS link, change its setting (for example, to
5062), and then click OK.
b. Click the PROXY_SIPS_ADDRESS link, change its setting (for example, to
5063), and then click OK.
6. Save the changes by clicking the Save link in the "Messages" box at the top of
the page.
Verifying ports for the WebSphere proxy server's virtual host alias:
On the IBM WebSphere proxy server, verify that the ports specified for the virtual
host alias are correct.
About this task
Verify that the virtual host table contains the correct entries for the WebSphere
proxy server's SIP ports, creating or modifying entries as needed.
Procedure
1. On the node where WebSphere proxy server is running, log in to the Integrated
Solutions Console as the WebSphere administrator.
2. Click Environment → Virtual Hosts.
3. In the list of hosts, click default_host.
4. Click Host Aliases.
5. Verify the host for port 5060:
v If an entry exists for port 5060 and the host name or IP address for the
WebSphere proxy server is correct, skip to step 6.
v If an entry exists for port 5060 but specifies an incorrect host name or IP
address for the WebSphere proxy server, click Edit, update the entry with the
correct information, and then click OK.
v If no entry exists for port 5060, click Add, enter 5060 as the port, leave the
host name as *, and then click Apply.
6. Verify the host for port 5061:
v If an entry exists for port 5061 and the host name or IP address for the
WebSphere proxy server is correct, skip to step 7.
v If an entry exists for port 5061 but specifies an incorrect host name or IP
address for the WebSphere proxy server, click Edit, update the entry with the
correct information, and then click OK.
v If no entry exists for port 5061, click Add, enter 5061 as the port, leave the
host name as *, and then click Apply.
7. Save the changes by clicking the Save link in the "Messages" box at the top of
the page.
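Both virtual-host tasks above (adding the Table 27 ports to sip_proxyreg_host, and verifying that default_host carries 5060 and 5061) come down to the same computation: which required ports still lack a "*" alias, and which aliases that name an explicit host must be removed. The following Python is an added example written for this guide, not IBM code. It plans those edits from the recorded ports and renders them as a wsadmin Jython script that uses the documented AdminConfig calls (getid, list, showAttribute, create, remove, save) plus AdminNodeManagement.syncActiveNodes() from the WebSphere script libraries for the save-and-synchronize of step 3f; run the rendered script on the Deployment Manager with wsadmin.sh -lang jython -f. The member names, proxy server names, port numbers and existing aliases are constructed, and treating "*" as the correct host name is this example's assumption.

```python
"""Plan the Host Alias edits for a WebSphere virtual host from the ports
recorded in Table 27, and render them as a wsadmin Jython script.

Added example for this guide, not IBM code. Member names, proxy names, port
numbers and the existing aliases are constructed."""

WILDCARD = "*"

# Table 27 as filled in for a constructed SIP Proxy and Registrar cluster: a
# vertical pair on the Primary Node (distinct ports) plus one member on a
# Secondary Node (same ports as member 1, but on another computer).
CLUSTER_MEMBERS = {
    "STMediaServer_member1": {"SIP_DEFAULTHOST": 5080, "SIP_DEFAULTHOST_SECURE": 5081},
    "STMediaServer_member2": {"SIP_DEFAULTHOST": 5082, "SIP_DEFAULTHOST_SECURE": 5083},
    "STMediaServer_member3": {"SIP_DEFAULTHOST": 5080, "SIP_DEFAULTHOST_SECURE": 5081},
}
PROXY_SERVERS = {
    "was_proxy1": {"PROXY_SIP_ADDRESS": 5060, "PROXY_SIPS_ADDRESS": 5061},
    "was_proxy2": {"PROXY_SIP_ADDRESS": 5060, "PROXY_SIPS_ADDRESS": 5061},
}
# Current Host Aliases of sip_proxyreg_host as (hostname, port): the two proxy
# ports plus a stale alias that names a host instead of "*" (step 3e removes it).
EXISTING_ALIASES = [("*", 5060), ("*", 5061), ("stmedia1.example.com", 5080)]


def required_ports(cluster_members, proxy_servers):
    """Every SIP port of every cluster member and every proxy server, deduplicated."""
    ports = set()
    for server in list(cluster_members.values()) + list(proxy_servers.values()):
        ports.update(server.values())
    return sorted(ports)


def plan_host_aliases(existing, required, purge_non_wildcard):
    """Decide which ports to add with host '*' and which aliases to remove.

    purge_non_wildcard=True mirrors step 3e for sip_proxyreg_host (every alias
    whose host is not '*' goes); False mirrors the default_host check, which
    only replaces a wrong-host alias on a required port. Treating '*' as the
    correct host is this example's assumption."""
    wildcard_ports = {port for host, port in existing if host == WILDCARD}
    add = [port for port in required if port not in wildcard_ports]
    remove = [(host, port) for host, port in existing
              if host != WILDCARD and (purge_non_wildcard or port in required)]
    return {"add": add, "remove": remove}


def render_wsadmin_script(vhost_name, plan):
    """Emit the plan as Jython for wsadmin (Jython 2.1 syntax: no f-strings, no sets).

    Uses the documented AdminConfig calls and the script-library function
    AdminNodeManagement.syncActiveNodes() for the save-and-synchronize of step 3f."""
    removals = ", ".join("('%s', '%d')" % (host, port) for host, port in plan["remove"])
    adds = ", ".join("'%d'" % port for port in plan["add"])
    return "\n".join([
        "vhost = AdminConfig.getid('/VirtualHost:%s/')" % vhost_name,
        "for aliasId in AdminConfig.list('HostAlias', vhost).splitlines():",
        "    key = (AdminConfig.showAttribute(aliasId, 'hostname'),",
        "           AdminConfig.showAttribute(aliasId, 'port'))",
        "    if key in [%s]:" % removals,
        "        AdminConfig.remove(aliasId)",
        "for port in [%s]:" % adds,
        "    AdminConfig.create('HostAlias', vhost, [['hostname', '*'], ['port', port]])",
        "AdminConfig.save()",
        "AdminNodeManagement.syncActiveNodes()",
        "",
    ])


if __name__ == "__main__":
    required = required_ports(CLUSTER_MEMBERS, PROXY_SERVERS)
    plan = plan_host_aliases(EXISTING_ALIASES, required, purge_non_wildcard=True)
    print("add '*' aliases for ports:", plan["add"])
    print("remove aliases:", plan["remove"])
    print(render_wsadmin_script("sip_proxyreg_host", plan))
```

Review the printed plan against Table 27 before running the rendered script; a port that is already listed with host "*" is left alone, exactly as step 3d says, and the rendered script removes only the aliases the plan names, so the deletion of step 3e cannot touch anything you did not record.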
Synchronizing nodes in the cluster:
Synchronize all nodes in the IBM Lotus Sametime cluster.
Procedure
1. On the cluster's Deployment Manager, log in to the Integrated Solutions
Console as the WebSphere administrator.
2. Click System administration → Nodes.
3. Select all of the nodes in the cluster.
4. Click Full Resynchronize.
Verifying that the port collision has been resolved:
After resolving port collisions between IBM WebSphere proxy server and IBM
Lotus Sametime, verify that the port settings are now correct.
About this task
Start the servers in the cluster; clear the WebSphere proxy server's logs before
starting that server, and then check the logs for errors that may indicate a port
collision.
Procedure
1. Start all of the servers and processes in the cluster except for the WebSphere
proxy server where you just resolved the ports conflict.
2. Clear all of the WebSphere proxy server logs.
3. Start the WebSphere proxy server.
4. Check the WebSphere proxy server log for any errors indicating a possible
port collision; for example:
v ADMU3028I
v TCPC0003E
v The port may already be in use
What to do next
If other nodes in the cluster host both Lotus Sametime and WebSphere proxy
server, check those nodes for port conflicts as well before proceeding to the
next task.
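The checks in the two preceding tasks (Checking for port conflicts between Lotus Sametime and WebSphere proxy server, and Verifying that the port collision has been resolved) can be scripted rather than read off the Integrated Solutions Console. The following Python is an added example written for this guide, not IBM code. It parses a node's serverindex.xml, the file WebSphere keeps under profile_root/config/cells/cell_name/nodes/node_name/serverindex.xml and which holds the same PROXY_SIP_ADDRESS, PROXY_SIPS_ADDRESS, SIP_DEFAULTHOST and SIP_DEFAULTHOST_SECURE endpoints the console shows; applies the two conflict rules from step 4; shows the 5062/5063 remedy from "Changing the Lotus Sametime server's port settings"; and filters a log for the ADMU3028I, TCPC0003E and "port may already be in use" markers. The XML, the server names (STMediaServer, was_proxy1) and the log lines are constructed for the demonstration.

```python
"""Port-collision checks for a node that hosts both a Lotus Sametime server
and a WebSphere proxy server.

Added example for this guide, not IBM code. WebSphere records every server's
listening endpoints in profile_root/config/cells/<cell>/nodes/<node>/serverindex.xml;
the sample below is a constructed, trimmed instance carrying the endpoint names
the guide refers to. The log lines are constructed as well."""
import xml.etree.ElementTree as ET
from collections import defaultdict

# Ports the guide requires of a WebSphere proxy server used by a Sametime cluster.
EXPECTED_PROXY_PORTS = {"PROXY_SIP_ADDRESS": 5060, "PROXY_SIPS_ADDRESS": 5061}

# Markers the guide lists as evidence of a port collision in the proxy server log.
PORT_COLLISION_MARKERS = ("ADMU3028I", "TCPC0003E", "port may already be in use")

SAMPLE_SERVERINDEX = """
<serverindex:ServerIndex xmi:version="2.0" xmlns:xmi="http://www.omg.org/XMI"
    xmlns:serverindex="http://www.ibm.com/websphere/appserver/schemas/5.0/serverindex.xmi"
    xmi:id="ServerIndex_1" hostName="stmedia1.example.com">
  <serverEntries xmi:id="ServerEntry_1" serverName="nodeagent" serverType="NODE_AGENT">
    <specialEndpoints endPointName="BOOTSTRAP_ADDRESS"><endPoint host="stmedia1.example.com" port="2809"/></specialEndpoints>
  </serverEntries>
  <serverEntries xmi:id="ServerEntry_2" serverName="STMediaServer" serverType="APPLICATION_SERVER">
    <specialEndpoints endPointName="SIP_DEFAULTHOST"><endPoint host="*" port="5080"/></specialEndpoints>
    <specialEndpoints endPointName="SIP_DEFAULTHOST_SECURE"><endPoint host="*" port="5081"/></specialEndpoints>
    <specialEndpoints endPointName="PROXY_SIP_ADDRESS"><endPoint host="*" port="5060"/></specialEndpoints>
    <specialEndpoints endPointName="PROXY_SIPS_ADDRESS"><endPoint host="*" port="5061"/></specialEndpoints>
  </serverEntries>
  <serverEntries xmi:id="ServerEntry_3" serverName="was_proxy1" serverType="PROXY_SERVER">
    <specialEndpoints endPointName="PROXY_SIP_ADDRESS"><endPoint host="*" port="5060"/></specialEndpoints>
    <specialEndpoints endPointName="PROXY_SIPS_ADDRESS"><endPoint host="*" port="5061"/></specialEndpoints>
  </serverEntries>
</serverindex:ServerIndex>
"""

SAMPLE_LOG_LINES = [  # constructed SystemOut.log excerpt
    "[10/5/10 9:14:01:880 EDT] 0000000b TCPChannel    E   TCPC0003E: TCP Channel SIP_1 "
    "initialization failed. The socket bind failed for host * and port 5060. "
    "The port may already be in use.",
    "[10/5/10 9:14:02:117 EDT] 00000001 WsServerImpl  A   WSVR0001I: Server was_proxy1 open for e-business",
    "ADMU3028I: Conflict detected on port 5060. Likely causes: a) An instance of the server "
    "was_proxy1 is already running b) some other process is using port 5060",
]


def parse_endpoints(serverindex_xml):
    """Map serverName -> (serverType, {endPointName: (host, port)})."""
    servers = {}
    for entry in ET.fromstring(serverindex_xml).iter("serverEntries"):
        ports = {}
        for special in entry.iter("specialEndpoints"):
            endpoint = special.find("endPoint")
            if endpoint is not None:
                ports[special.get("endPointName")] = (endpoint.get("host", "*"), int(endpoint.get("port")))
        servers[entry.get("serverName")] = (entry.get("serverType"), ports)
    return servers


def with_ports(servers, server_name, new_ports):
    """Copy of `servers` with some of one server's ports changed, as the guide
    does in the console (for example PROXY_SIP_ADDRESS moved to 5062)."""
    updated = {name: (stype, dict(ports)) for name, (stype, ports) in servers.items()}
    for ep_name, port in new_ports.items():
        host = updated[server_name][1].get(ep_name, ("*", None))[0]
        updated[server_name][1][ep_name] = (host, port)
    return updated


def find_port_conflicts(servers):
    """Apply the guide's two rules and return human-readable findings: the proxy
    server must be on 5060/5061, and no two servers on the node may bind the same
    port on overlapping addresses (a '*' bind overlaps everything)."""
    findings = []
    for name, (stype, ports) in servers.items():
        if stype != "PROXY_SERVER":
            continue
        for ep_name, expected in EXPECTED_PROXY_PORTS.items():
            if ep_name in ports and ports[ep_name][1] != expected:
                findings.append(f"{name}: {ep_name} is {ports[ep_name][1]}, expected {expected}")
    users_by_port = defaultdict(list)
    for name, (_, ports) in servers.items():
        for ep_name, (host, port) in ports.items():
            users_by_port[port].append((name, ep_name, host))
    for port, users in sorted(users_by_port.items()):
        hosts = [host for _, _, host in users]
        distinct_servers = {name for name, _, _ in users}
        if len(distinct_servers) > 1 and ("*" in hosts or len(set(hosts)) < len(hosts)):
            who = " and ".join(f"{name} ({ep_name})" for name, ep_name, _ in users)
            findings.append(f"port {port} used by {who}")
    return findings


def scan_log_for_port_collisions(lines):
    """Return the log lines carrying any of the collision markers the guide names."""
    return [line for line in lines
            if any(marker.lower() in line.lower() for marker in PORT_COLLISION_MARKERS)]


if __name__ == "__main__":
    servers = parse_endpoints(SAMPLE_SERVERINDEX)
    for finding in find_port_conflicts(servers) or ["no port conflicts"]:
        print(finding)
    fixed = with_ports(servers, "STMediaServer", {"PROXY_SIP_ADDRESS": 5062, "PROXY_SIPS_ADDRESS": 5063})
    print("after moving the Sametime server to 5062/5063:", find_port_conflicts(fixed))
    for line in scan_log_for_port_collisions(SAMPLE_LOG_LINES):
        print("collision evidence:", line[:80])
```

On a real node, read the file from the node's own profile (the Deployment Manager's copy is only as current as the last synchronization), and run the log scan against the proxy server's SystemOut.log after clearing it and starting the proxy, as the verification procedure prescribes.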
Installing IBM Load Balancer:
Install and configure IBM Load Balancer to distribute workload among a cluster of
these types of server: Sametime Proxy Server, Sametime Meeting Server, Media
Manager Conference Manager, or Media Manager SIP Proxy and Registrar.
Before you begin
Create the cluster of servers first. Then configure the cluster and then start the
Deployment Manager (the Lotus Sametime System Console) as well as all node
agents and application servers in the cluster.
Note: The IBM Load Balancer is not available on IBM i, but you can deploy it on a
server running a different operating system for use with a Lotus Sametime
deployment hosted on IBM i.
IBM Load Balancer is not required for a Lotus Sametime clustered deployment;
you can use any load-balancing mechanism that supports HTTP session affinity, so
that a user is consistently routed to the same server during a single session. IBM
Load Balancer is included in the Lotus Sametime package with the other IBM
WebSphere components.
Procedure
1. Download IBM Load Balancer onto the server where you will install it:
a. Open this release's Download document at the following web address:
http://www.ibm.com/support/docview.wss?rs=477&uid=swg24027054
b. Locate the appropriate IBM WebSphere Edge server component in the
document's listing, then download the packages labelled with the
corresponding part numbers to the system on which you are installing.
2. Navigate to the folder where you stored the downloaded files, locate the folder
for IBM Load Balancer, and start the installation program.
For instructions on installing IBM Load Balancer, see the Load Balancer for
IPv4 and IPv6 configuration guide.
3. After you have installed IBM Load Balancer, configure two static IP addresses
for it:
v Non-Forwarding Address: The NFA is the address of the server itself. It is
used for logging in and administering the load balancer.
v Cluster Address: This is the address by which clients and other servers will
access the cluster. It must be DNS-resolvable.
For example, suppose your cluster contains two nodes, and you configure an
IBM Load Balancer for the cluster. Your IP addresses will look like this:
Table 28. Sample host names and IP addresses for a Lotus Sametime cluster with IBM
Load Balancer

Fully qualified host name            Server's role in deployment        Server's IP address
Load balancer: loadbal.example.com   Load balancer                      Load balancer (NFA): 192.0.2.15
Cluster: st-cluster.example.com      (Cluster address)                  Cluster: 192.0.2.0
stconsole.example.com                Deployment Manager                 192.0.2.3
                                     (Lotus Sametime System Console)
svr1.example.com                     Primary Node                       192.0.2.4
                                     (a Lotus Sametime server)
svr2.example.com                     Secondary Node                     192.0.2.5
                                     (a Lotus Sametime server)
Configuring IBM Load Balancer:
Configure IBM Load Balancer for a cluster of IBM Lotus Sametime servers.
About this task
The steps to configure IBM Load Balancer are different for the various operating
systems; choose the appropriate topic:
Configuring IBM Load Balancer in AIX, Linux, or Solaris:
Configure IBM Load Balancer on a server running IBM AIX, Linux, or Sun Solaris.
Before you begin
Install IBM Load Balancer and assign two static IP addresses to it. The server
selected for the Load Balancer installation must reside on the same LAN segment
as the nodes to be clustered.
About this task
Configure IBM Load balancer to support your cluster using MAC Address
rewriting. With this method, the load balancer receives a packet intended for the
cluster. It uses configured metrics to determine which node in the cluster should
process the message, and then sends the message back out to the network, routing
it to the appropriate node's MAC address. Each of the nodes in the cluster is
configured with a loopback adapter; when the packet is rewritten to the network,
the appropriate node will receive and process the packet.
As you work through the procedure, you will switch back and forth between the
Load Balancer interface and a command window.
Procedure
1. Configure the nodes of the cluster.
For cluster nodes running on AIX, Linux, and Solaris
Add a loopback adapter with the IP address of the cluster on each of the nodes
of the cluster. For instructions, see the Load Balancer for IPv4 and IPv6
configuration guide.
For cluster nodes running on IBM i
Use the Add TCP/IP Interface command to create a virtual IP address with the
"cluster" IP address you want to use.
For example:
ADDTCPIFC INTNETADR('192.0.2.0') LIND(*VIRTUALIP) SUBNETMASK(*HOST)
When the virtual TCP/IP interface is started, the server accepts packets for that
address.
Note: Do not enable proxy ARP for the Virtual IP Address. In other words, do
not specify the PREFIFC parameter on the command or enable proxy through
the graphical user interface configuration. Doing so prevents multiple systems
from using the same "cluster" IP address simultaneously.
2. Configure port settings on the cluster nodes so that IBM Load Balancer can
route the packets properly:
IBM Load Balancer requires every node in the cluster to use the same port number
for both HTTP and HTTPS service (typically, port 80). If you have configured
your nodes to use unique port numbers, change them to the same port now.
Tip: When configuring the ports, you can use the wildcard * when specifying
the host name for HTTP and HTTPS. The server will then listen on all interfaces
configured in the system, including the loopback adapter set up for the cluster.
3. Configure load balancing for the cluster:
a. Open a command window on the load balancer server.
b. Start the load balancer's Dispatcher process with the following command:
dsserver
c. If you are using IPv6 addresses, enable the processing of IPv6 packets:
Issue this command only once; thereafter, you can start and stop the
executor as often as you need. If you do not issue the command to enable
processing of IPv6 packets on these systems, the executor will not start (on
Solaris, the executor will start, but no IPv6 packets can be viewed).
AIX
1) Run the following command:
autoconf6
2) To enable uninterrupted processing of IPv6 packets, even after a system
reboot, edit the /etc/rc.tcpip file, uncomment the following line, and
add the -A flag:
start /usr/bin/autoconf6 " " -A
Linux
Run the following command (you must be logged in as root):
modprobe ipv6
Solaris
Run the following commands (you must be logged in as root via su), replacing
device with your device name, and address/prefix with your IPv6 address and
prefix values:
ifconfig device inet6 plumb
ifconfig device inet6 address/prefix up
d. Start the executor function of the dispatcher:
dscontrol executor start
e. Add the cluster to the service:
dscontrol cluster add cluster's_fully_qualified_host_name
where cluster's_fully_qualified_host_name is the fully qualified host name that
you assigned to the cluster when you installed the load balancer; for
example:
stms-cluster.example.com
f. Add the cluster port:
dscontrol port add cluster's_fully_qualified_host_name@port
where cluster's_fully_qualified_host_name@port is the fully qualified host name
that you assigned to the cluster when you installed the load balancer, with
the HTTP/HTTPS port appended to it (typically port 80); for example:
stms-cluster.example.com@80
g. Add the nodes for which this server will balance workload:
dscontrol server add cluster@port@primary_node
dscontrol server add cluster@port@secondary_node
where:
v cluster@port@primary_node indicates the cluster's fully qualified host
name with the port appended as in the previous step, plus now with the
primary node's fully qualified host name appended; for example:
stms-cluster.example.com@80@meetsvr1.example.com
v cluster@port@secondary_node indicates the cluster's fully qualified host
name with the port appended (as in the previous step) plus now with the
secondary node's fully qualified host name appended (include an
additional line for each additional secondary node); for example:
stms-cluster.example.com@80@meetsvr2.example.com
h. Now start the Load Balancer administration interface with the following
command:
./lbadmin
Note: If you have difficulty starting the administration interface, try
stopping and then starting the executor and dsserver services before
running the command again:
dsserver stop
dscontrol executor stop
dscontrol executor start
dsserver start
./lbadmin
4. Continue configuring Load Balancer as follows:
a. Add the cluster to the executor:
dscontrol executor add cluster's_fully_qualified_host_name
where cluster's_fully_qualified_host_name is the fully qualified host name that
you assigned to the cluster when you installed the load balancer; for
example:
stms-cluster.example.com
b. Start the manager:
dscontrol manager start
c. Start the HTTP advisor for the port you are using (the port you specified in
the previous steps, typically port 80):
dscontrol advisor start http 80
5. Define server affinity with a "sticky time":
By default the Load Balancer will round-robin HTTP requests between the
cluster members, so that a single client may be routed to different cluster
members for subsequent requests rather than continuing to be routed to the
same cluster member. Since a client typically accesses an online meeting every
30-40 seconds during the session, you may want to enable server affinity for a
Lotus Sametime Meeting Server cluster so that the client continues to access the
same server during a single meeting.
The dispatcher component of IBM Load Balancer supports a configurable
"sticky time". This means that the load balancer will remember which cluster
member a client was routed to; subsequent requests will "stick to" the same
server until the preset time expires. IBM recommends a "sticky" time
configuration of 60 seconds for a Lotus Sametime Meeting Server cluster or a
Lotus Sametime Proxy Server cluster.
a. Open a command window on the load balancer server.
b. Stop the service with the following command:
dsserver stop
c. Set the sticky time with the following command:
dscontrol port set fully_qualified_host_name@port_number stickytime number_of_seconds
Where:
v fully_qualified_host_name is the fully qualified host name of the server
where IBM Load Balancer runs.
v port_number is the port that will be affected by the new sticky time
setting.
v number_of_seconds is the duration, in seconds, of the time that a client
should "stick to" the specified port.
For example, with port 80 and the recommended sticky time of 60 seconds:
dscontrol port set fully_qualified_host_name@80 stickytime 60
6. Save the load balancer settings:
a. In IBM Load Balancer, return to the navigation tree and right-click on the
host name of the load balancer you just configured (for example,
loadbal.example.com).
b. Click Save Configuration File as and accept the default name
(default.cfg).
The configuration settings stored in default.cfg are restored every time the
server is restarted.
c. Click OK.
Configuring IBM Load Balancer in Windows:
Configure IBM Load Balancer on a server running Microsoft Windows.
Before you begin
Install IBM Load Balancer and assign two static IP addresses to it. The server
selected for the Load Balancer installation must reside on the same LAN segment
as the nodes to be clustered.
About this task
Configure IBM Load balancer to support your cluster using MAC Address
rewriting. With this method, the load balancer receives a packet intended for the
cluster. It uses configured metrics to determine which node in the cluster should
process the message, and then sends the message back out to the network, routing
it to the appropriate node's MAC address.
Each of the nodes in the cluster is configured with a loopback adapter; when the
packet is rewritten to the network, the appropriate node will receive and process
the packet.
Procedure
1. Configure the nodes of the cluster.
For cluster nodes running on Windows
Add a loopback adapter with the IP address of the cluster on each of the nodes
of the cluster. For instructions, see the Load Balancer for IPv4 and IPv6
configuration guide.
For cluster nodes running on IBM i
Use the Add TCP/IP Interface command to create a virtual IP address with the
"cluster" IP address you want to use.
For example:
ADDTCPIFC INTNETADR('192.0.2.0') LIND(*VIRTUALIP) SUBNETMASK(*HOST)
When the virtual TCP/IP interface is started, the server accepts packets for that
address.
Note: Do not enable proxy ARP for the Virtual IP Address. In other words, do
not specify the PREFIFC parameter on the command or enable proxy through
the graphical user interface configuration. Doing so prevents multiple systems
from using the same "cluster" IP address simultaneously.
2. Configure port settings on the cluster nodes so that IBM Load Balancer can
route the packets properly:
IBM Load Balancer requires every node in the cluster to use the same port number
for both HTTP and HTTPS service (typically, port 80). If you have configured
your nodes to use unique port numbers, change them to the same port now.
Tip: When configuring the ports, you can use the wildcard * when specifying
the host name for HTTP and HTTPS. The server will then listen on all interfaces
configured in the system, including the loopback adapter set up for the cluster.
3. On the load balancer server, configure load balancing for the cluster:
a. Open a command window on the load balancer server.
b. Start the load balancer's Dispatcher process by clicking Start → Control
Panel → Administrative Tools → Services, right-click IBM Dispatcher (ULB),
and then click Start.
c. If you are using IPv6 addresses, enable the processing of IPv6 packets:
Run the following command while logged in as the Windows administrator:
netsh interface ipv6 install
This command enables processing of IPv6 packets. Issue this command
only once; thereafter, you can start and stop the executor as often as you
need. If you do not issue the command to enable processing of IPv6 packets
on these systems, the executor will not start.
d. Start the executor function of the dispatcher:
dscontrol executor start
e. Add the cluster to the service:
dscontrol cluster add cluster's_fully_qualified_host_name
where cluster's_fully_qualified_host_name is the fully qualified host name that
you assigned to the cluster when you installed the load balancer; for
example:
stms-cluster.example.com
f. Add the cluster port:
dscontrol port add cluster's_fully_qualified_host_name@port
where cluster's_fully_qualified_host_name@port is the fully qualified host name
that you assigned to the cluster when you installed the load balancer, with
the HTTP/HTTPS port appended to it (typically port 80); for example:
stms-cluster.example.com@80
g. Add the nodes for which this server will balance workload:
dscontrol server add cluster@port@primary_node
dscontrol server add cluster@port@secondary_node
where:
v cluster@port@primary_node indicates the cluster's fully qualified host
name with the port appended (as in the previous step) plus now with the
primary node's fully qualified host name appended; for example:
stms-cluster.example.com@80@meetsvr1.example.com
v cluster@port@secondary_node indicates the cluster's fully qualified host
name with the port appended (as in the previous step) plus now with the
secondary node's fully qualified host name appended (include an
additional line for each additional secondary node); for example:
stms-cluster.example.com@80@meetsvr2.example.com
h. Add the cluster to the executor:
dscontrol executor add cluster's_fully_qualified_host_name
where cluster's_fully_qualified_host_name is the fully qualified host name that
you assigned to the cluster when you installed the load balancer; for
example:
stms-cluster.example.com
i. Start the manager:
dscontrol manager start
j. Start the HTTP advisor for the port you are using (the port you specified in
the previous steps, typically port 80):
dscontrol advisor start http 80
k. Now you can stop the service:
dsserver stop
l. Close the command window.
4. Define server affinity with a "sticky time":
By default the Load Balancer will round-robin HTTP requests between the
cluster members, so that a single client may be routed to different cluster
members for subsequent requests rather than continuing to be routed to the
same cluster member. Since a client typically accesses an online meeting every
30-40 seconds during the session, you may want to enable server affinity for a
Lotus Sametime Meeting Server cluster so that the client continues to access the
same server during a single meeting.
The dispatcher component of IBM Load Balancer supports a configurable
"sticky time". This means that the load balancer will remember which cluster
member a client was routed to; subsequent requests will "stick to" the same
server until the preset time expires. IBM recommends a "sticky" time
configuration of 60 seconds for a Lotus Sametime Meeting Server cluster or a
Lotus Sametime Proxy Server cluster.
Windows
a. Start IBM Load Balancer.
b. In the navigation tree, select the Executor (the load balancer's
non-forwarding IP address, which appears under its host name).
c. Click Configuration Settings.
d. In "Port-Specific Settings", change the Default sticky-time settings from 0 to
60 seconds, and click Update Configuration.
e. Leave IBM Load Balancer open for the next step.
5. Save the load balancer settings:
a. In IBM Load Balancer, return to the navigation tree and right-click on the
host name of the load balancer you just configured (for example,
loadbal.example.com).
b. Click Save Configuration File as and accept the default name
(default.cfg).
The configuration settings stored in default.cfg are restored every time the
server is restarted.
c. Click OK.
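The dscontrol sequence in the AIX, Linux, Solaris and Windows procedures above is the same for every cluster apart from the cluster name, the shared port and the node list, so it can be generated and reviewed before anything is typed on the load balancer. The following is an added example and not part of the IBM guide: the function name is invented here, the host names are the placeholders from the guide's examples, and the stickytime command is assumed to take the same cluster@port target as the port add step.

```shell
#!/bin/sh
# Added example, not part of the IBM guide: print the dscontrol command
# sequence from the procedures above for one cluster so it can be reviewed
# before it is run on the load balancer. Nothing is executed here.
# Host names are the placeholders used in the guide's examples.

# lb_dscontrol_script CLUSTER_FQDN PORT STICKY_SECONDS NODE_FQDN...
#   Prints the commands in the order the guide gives them. Returns 1 on
#   invalid input. Only one port is accepted because the guide requires every
#   node to serve HTTP/HTTPS on the same port, and at least one node is needed.
lb_dscontrol_script() {
    cluster="$1"; port="$2"; sticky="$3"
    shift 3
    case "$cluster" in
        *.*) ;;   # must look like a fully qualified host name
        *) echo "cluster name must be fully qualified: $cluster" >&2; return 1 ;;
    esac
    case "$port" in
        ''|*[!0-9]*) echo "port must be numeric: $port" >&2; return 1 ;;
    esac
    if [ "$port" -lt 1 ] || [ "$port" -gt 65535 ]; then
        echo "port out of range: $port" >&2; return 1
    fi
    case "$sticky" in
        ''|*[!0-9]*) echo "sticky time must be numeric seconds: $sticky" >&2; return 1 ;;
    esac
    if [ "$#" -lt 1 ]; then
        echo "at least one node is required" >&2; return 1
    fi
    echo "dscontrol executor start"
    echo "dscontrol cluster add $cluster"
    # cluster@port: the cluster host name with the shared HTTP/HTTPS port appended
    echo "dscontrol port add $cluster@$port"
    # one server add per node: cluster@port@node
    for node in "$@"; do
        echo "dscontrol server add $cluster@$port@$node"
    done
    echo "dscontrol executor add $cluster"
    echo "dscontrol manager start"
    echo "dscontrol advisor start http $port"
    # A sticky time of 0 leaves plain round-robin in place, so a client could
    # land on a different member mid-meeting; the guide recommends 60 seconds.
    # Assumption: the target is cluster@port, as in the port add step.
    echo "dscontrol port set $cluster@$port stickytime $sticky"
    return 0
}

# Demonstration with the host names used in the guide's examples.
lb_dscontrol_script stms-cluster.example.com 80 60 \
    meetsvr1.example.com meetsvr2.example.com
```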
Clustering Conference Manager components
Configuring a cluster of IBM Lotus Sametime Media Manager "Conference
Manager" components involves several tasks, including synchronizing system
clocks and configuring one or more IBM WebSphere proxy servers to operate with
the cluster.
Before you begin
You can create two types of clusters:
v A Vertical cluster resides on the Primary node and includes two or more cluster
members, which run the same application.
v A Horizontal cluster includes a Primary node plus one or more Secondary
nodes, all running the same application. Each node contains one cluster member.
Before you can configure a cluster of Lotus Sametime Media Manager "Conference
Manager" components, you must have installed the following servers:
1. Lotus Sametime System Console
This server will function as the cluster's Deployment Manager; the console can
function as the Deployment Manager for multiple clusters.
Attention: Each Deployment Manager (including the Sametime System
Console when it is used as a Deployment Manager) can support one cluster of
each Sametime product. For example, a single Deployment Manager can
support a Sametime Proxy server cluster, a Media Manager cluster, and a
Meeting server cluster. If you want to create additional clusters for a particular
product, you must deploy additional Deployment Managers.
2. Lotus Sametime Community Server
At least one Lotus Sametime Community Server must be deployed to provide
presence and awareness for users attending online meetings.
3. Lotus Sametime Meeting Server
At least one Lotus Sametime Meeting Server must be deployed to host online
meetings where the audio and video features will be used.
4. Lotus Sametime Media Manager "Packet Switcher" component
At least one Packet Switcher component must be deployed to route audio and
video data to participant endpoints. You can deploy multiple Packet Switchers,
but they cannot be clustered (the Conference Managers will balance the load
among multiple Packet Switchers).
5. One Lotus Sametime Media Manager "Conference Manager" component,
installed with the Network Deployment → Primary Node option.
Every cluster requires exactly one Primary Node. The application server on the
Primary Node will function as the cluster's application template. All other
application servers in the cluster (nodes and cluster members) will be
duplicated from the Primary Node's application server. The Primary node's
application server can only belong to one cluster. The Primary Node can be
used as a container for additional cluster members when creating a vertical
cluster (multiple cluster members on the same physical system).
6. (Horizontal cluster only) One or more Lotus Sametime Media Manager
"Conference Manager" components, installed with the Network Deployment →
Secondary Node option.
Secondary nodes are used to horizontally scale your cluster across multiple
physical systems. These additional nodes act as a container for additional
cluster members, which can be used to balance loads and provide failover
within the cluster. During the clustering process, you can deploy additional
product application servers on any Secondary Nodes within the cluster,
creating a horizontal cluster.
To cluster Conference Manager components, complete the following tasks in the
sequence shown:
Attention: You must complete all of the tasks to ensure your cluster operates
properly.
Setting clocks on the servers to be clustered:
Synchronize the system clocks on the servers to be clustered with an IBM
WebSphere Application Server network deployment.
About this task
This task is required to ensure that the servers can be federated to the Deployment
Manager during creation of the cluster. Working on the Lotus Sametime System
Console, complete this task for every server that you will add to the cluster.
Procedure
For each server that will be added to the cluster, set the system clock to exactly the
same time as the Deployment Manager's (the Lotus Sametime System Console)
system clock.
Clustering Sametime servers running on WebSphere Application Server:
Use the IBM Lotus Sametime System Console to create a cluster of Lotus Sametime
Servers hosted on IBM WebSphere Application Server. The Lotus Sametime servers
must all be running the same type of server; for example, Lotus Sametime Meeting
Server, Lotus Sametime Proxy Server, Lotus Sametime Media Manager Conference
Manager, or Lotus Sametime Media Manager SIP Proxy and Registrar.
Before you begin
Start the Lotus Sametime System Console and the servers you intend to cluster.
Note: This guided activity is only for Lotus Sametime servers hosted on IBM
WebSphere Application Server, and does not apply to the Lotus Sametime
Community Server.
About this task
Multiple product clusters are not supported on a single computer; however,
vertical clusters (all cluster members installed on the Primary Node) are supported
when each product cluster is on a dedicated computer. A horizontal cluster is
defined as a cluster with each cluster member having a dedicated computer (one
on the Primary Node and one on each Secondary Node).
If you have not already opened the Cluster WebSphere Application Servers guided
activity, follow these steps:
Procedure
1. From a browser, enter the following URL, replacing serverhostname.domain with
the fully qualified domain name of the Lotus Sametime System Console server.
http://serverhostname.domain:8700/ibm/console
2. Enter the WebSphere Application Server User ID and password that you
created when you installed the Lotus Sametime System Console.
3. Click the Sametime System Console task to open it in the navigation tree.
4. Click Guided Activities → Cluster WebSphere Application Servers.
Guided activity: Clustering Sametime servers running on WebSphere Application Server:
This guided activity takes you through the steps for clustering IBM Lotus
Sametime servers hosted on IBM WebSphere Application Server. The servers you
add to the cluster must all be running the same Lotus Sametime product
application; for example, Lotus Sametime Meeting Server, Lotus Sametime Proxy
Server, Lotus Sametime Media Manager Conference Manager, or Lotus Sametime
Media Manager SIP Proxy and Registrar.
Before you begin
1. Install the Lotus Sametime System Console and two or more Lotus Sametime
servers of the same product type; then start the Lotus Sametime System
Console and all of the servers you plan to cluster.
This guided activity applies to the following Lotus Sametime servers:
v Lotus Sametime Proxy Server
v Lotus Sametime Meeting Server
v Lotus Sametime Media Manager
Clustering is not available for the Packet Switcher; it is also not available for
an "All Components" installation of the Media Manager, which includes the
Packet Switcher. The Conference Manager components and the SIP Proxy
and Registrar components must be installed and clustered on dedicated
computers.
2. Run the backupConfig utility for the Deployment Manager, the Primary Node,
and any Secondary Nodes before beginning the cluster guided activity. The
utility is located in the bin folder under the profile of each server. The utility
automatically shuts down any running servers in the profile, so you must
restart the servers after running the utility. Use the restoreConfig utility to
restore the configuration if the changes need to be undone. For more
information on backupConfig and restoreConfig, see the WebSphere
Application Server Information Center.
About this task
Multiple product clusters are not supported on a single computer; however,
vertical clusters (all cluster members installed on the Primary Node) are supported
when each product cluster is on a dedicated computer. A horizontal cluster is
defined as a cluster with each cluster member having a dedicated computer (one
on the Primary Node and one on each Secondary Node).
Note that you cannot use this activity to cluster Lotus Sametime Community
Servers (see "Clustering Lotus Sametime Community Servers") or Lotus Sametime
Gateway servers (see "Installing Lotus Sametime Gateway servers in a cluster").
Configure a cluster of one type of product server to improve performance with
high availability, and to provide failover. You can create a horizontal cluster in
which each node is hosted on a separate computer, as well as a vertical cluster
with multiple cluster members hosted on the Primary Node.
These instructions generally assume that you will use the Lotus Sametime System
Console as the cluster's Deployment Manager, which provides a single Integrated
Solutions Console for all WebSphere administrative functions for all servers
participating in the cell – this simplifies the administrative experience. If you create
clusters for both Lotus Sametime Proxy Server and Lotus Sametime Meeting
Server, then at least one of those clusters will require a dedicated Deployment
Manager; this is only true when you deploy both types of clusters.
Procedure
1. Cluster WebSphere Application Servers.
Click Next to begin the clustering activity.
2. Select Product to Cluster.
Select the product server to cluster, and then click Next.
The list only displays Lotus Sametime products for which one or more servers
have been installed and registered with the Lotus Sametime System Console. If
you installed servers using deployment plans, they are registered with the
console automatically. If you did not use a deployment plan, you must
manually register the servers with the console before proceeding (see
"Registering servers with the Lotus Sametime System Console").
3. Select or Create a Cluster.
To create a cluster or upgrade a cluster:
a. Click Create Cluster if you are setting up a new cluster, or click Upgrade
Existing Cluster.
b. Type a descriptive name for the cluster in the Cluster Name field.
For example, if you are creating a cluster of Lotus Sametime Meeting
Servers, you will probably want to indicate that in the cluster name so you
can easily identify it later.
c. Click Next.
To modify an existing cluster; for example, to add a new cluster member:
a. Click Select Existing Cluster.
b. Select a cluster in the Cluster Name list.
If you are going to add a node or cluster member to the cluster, you must
use the same Lotus Sametime product. For example, you cannot add a
Lotus Sametime Meeting Server cluster member to a cluster of Lotus
Sametime Proxy Servers.
c. Click Next.
4. Select the Deployment Manager.
In the Select Deployment Manager list, select the Lotus Sametime System
Console as the cluster's deployment manager, and then click Next.
Every cluster must have exactly one Deployment Manager; the Lotus Sametime
System Console can function as the Deployment Manager for multiple clusters.
Remember that if you will create clusters for both Lotus Sametime Proxy Server
and Lotus Sametime Meeting Server, at least one of those clusters requires a
dedicated Deployment Manager; this is only true when your deployment will
include both types of cluster.
5. Select the Primary Node.
a. In the Select Primary Node list, select the server that will serve as the
cluster's primary node.
Every cluster must have exactly one Primary Node, the application server
that will function as a template for the cluster member servers. All
Secondary Nodes and Cluster Members will be created by duplicating the
application server hosted on the Primary Node.
b. Click the Federate Node button to provide the Deployment Manager with
configuration information about the new node.
Note: Make sure that the Primary Node's application server is running.
This action allows the Primary Node to be administered from the
Deployment Manager's Integrated Services Console. The federation and
clustering processes are very complex and may take 5-10 minutes to
complete. Please be patient; click these buttons only once and then wait for
the page to finish loading before continuing.
If the federate primary node action completed and the Create cluster button
is not enabled, or the federate primary node returned an error, wait 3-5
minutes and retry the operation by clicking the Federate Node button
again. If this operation continues to fail, it may be necessary to restart the
Deployment Manager and Primary Node and then click the Federate Node
button again to continue the guided activity.
c. Click the Create cluster button to configure the cluster settings, and then
click Next.
Do not click anywhere on the browser until the operation completes or it
may interrupt the clustering process.
6. Select One or More Secondary Nodes.
If you are creating a horizontal cluster where each node is hosted on a separate
computer, add one or more secondary nodes to the cluster. Be sure to federate
each selected node before proceeding to select another.
a. In the Secondary Node Name list, click the node you want to add to the
cluster.
You can add only one node at a time, and you must federate it before
selecting the next node. If a node's Status indicates "Federated" it already
belongs to a cluster (either this cluster or a different one) and cannot be
added now.
b. Click the Federate Node button to provide the Deployment Manager with
configuration information about the new node.
Once the connection is complete, the node's Status displays "Federated" –
this may take some time, but do not proceed until the node has been
successfully federated.
If the federate node action completed and the Secondary Node's status has
not changed to "Federated" or the federate node returned an error, wait 3-5
minutes and then retry the operation by clicking the Federate Node button
again. If this operation continues to fail, it may be necessary to restart the
Deployment Manager and secondary node and then click the Federate
Node button again to continue this guided activity.
c. Repeat steps a. and b. until you have added all your Secondary Nodes to
the cluster.
d. Click Next.
7. Add Cluster Members.
If you are creating a vertical cluster where multiple copies of the application
are hosted on a single computer, add one or more "cluster members" to the
Primary Node. If you are creating a horizontal cluster, add one cluster member
to each of the secondary nodes you federated in the previous step.
The table lists Cluster Members, the Node that the cluster resides on, and the
Status of each cluster member. Each node in the cluster needs to have at least
one cluster member created on it for the node to be used in the cluster.
The status of a Cluster Member will be "Clustered" if the cluster member has
been completely configured on the node. If the status is "Ready to Cluster",
select the Cluster Member and use the "Add to Cluster" button to finish
configuring the cluster member.
Vertical cluster:
a. To add a new cluster member, click New.
b. Select the default name generated for the cluster member or enter your own
cluster member server name.
c. Select the Primary Node to create the cluster member on.
d. Click the Add to Cluster button.
The status will change from "Ready to cluster" to "Clustered".
e. Click Next.
Horizontal cluster:
For each Secondary Node you federated in the previous step, a cluster member
is prepopulated into the table for you, one on each of the Secondary Nodes.
a. Select the default cluster member name for each server or update with your
own name, and verify that the nodes the cluster member servers will be
created on are correct for your topology.
b. One at a time, select each cluster member and click the Add to Cluster
button.
Do not proceed until the current cluster member's status changes from
"Ready to cluster" to "Clustered"; then you can add the next cluster member.
c. If you want to add more cluster members, click the New button to add
another row to the table, and then fill out the information accordingly.
d. Click Next.
8. Deployment Summary
Click Finish to save the cluster configuration.
Continue with the cluster configuration tasks described in the Sametime
information center.
Configuring the Conference Manager cluster:
Complete the configuration for clustering IBM Lotus Sametime Media Manager
Conference Manager components using an IBM WebSphere Application Server
network deployment.
Before you begin
Create a cluster of Conference Manager components using the guided activity.
About this task
Completing the cluster's configuration requires the following tasks:
Configuring the Conference Manager cluster to use the SIP Proxy and Registrar cluster:
After you create clusters of IBM Lotus Sametime Media Manager Conference
Manager components and SIP Proxy and Registrar components, configure the
Conference Manager cluster to work with the IBM WebSphere proxy server that is
used by the SIP Proxy and Registrar cluster (so that the two clusters share the
proxy server).
Before you begin
Create and configure the Conference Manager and SIP Proxy and Registrar
clusters.
About this task
By default, a Conference Manager is configured to access the SIP Proxy and
Registrar component directly, and must be reconfigured to communicate with a
cluster. Modify the Conference Manager's stavconfig.xml file to access the
WebSphere proxy server used by the SIP Proxy Registrar cluster. The WebSphere
proxy server will direct SIP requests to available nodes in the cluster. Complete
this task for every Conference Manager in the cluster.
Procedure
1. On the server that is being used as the Deployment Manager, open the
stavconfig.xml file for editing.
The stavconfig.xml is located at:
dm_install_root/config/cells/cell_name/nodes/node_name/servers/server_name
For example:
config/cells/bassMediaCell1/nodes/bassMediaNode1/servers/STMediaServer
2. Modify the following settings:
Option
Description
SIPProxyServerHost
Use the host name of the computer where
the WebSphere proxy server is installed for
the SIP Proxy and Registrar cluster.
SIPProxyServerPort
Use the PROXY_SIPS_ADDRESS port value
of the same WebSphere proxy server (used
by the SIP Proxy and Registrar cluster).
For example:
<configuration lastUpdated="1226425838277" name="SIPProxyServerHost"
value="wasproxy_pr.acme.com"/>
<configuration lastUpdated="1226425838277" name="SIPProxyServerPort" value="5080"/>
3. Save and close the file.
4. Repeat for every Conference Manager in the cluster.
5. Now synchronize all nodes in the cluster:
a. In the Deployment Manager's (the Lotus Sametime System Console)
Integrated Solutions Console, click System Administration → Nodes.
b. Click Full Resynchronize.
Restarting and synchronizing nodes in the cluster:
Synchronize the nodes in an IBM WebSphere Application Server network
deployment.
About this task
Synchronizing nodes in a cluster ensures that the Deployment Manager has an
up-to-date copy of each node's configuration.
Procedure
1. Log in to the Deployment Manager's (the Lotus Sametime System Console)
Integrated Solutions Console as the WebSphere administrator.
2. Stop the Deployment Manager:
a. Click System Administration → Deployment manager.
b. Click the "Configuration" tab.
c. On the Configuration tab of the deployment manager settings, click Stop.
3. Now start the Deployment Manager:
a. Open a command window and navigate to the app_server_root/profiles/
DeploymentManagerName/bin directory.
b. Run the following command:
IBM AIX, Linux, or Solaris
./startManager.sh
Microsoft Windows
startManager.bat
IBM i
1) On the Control Language (CL) command line, run the Start Qshell
(STRQSH) command.
2) At the Qshell prompt, run the following commands:
cd app_server_root/profiles/DeploymentManagerName/bin
startManager dmgr
4. Synchronize all the nodes:
a. In the Deployment Manager's Integrated Solutions Console, click System
Administration → Nodes.
b. Select all nodes in the cluster.
c. Click Full Resynchronize.
5. Restart all nodes in the cluster:
a. In the Deployment Manager's Integrated Solutions Console, click System
Administration → Node agents.
b. Click a node agent, and then click Start (or Restart if the node agent is
already running).
Restarting the application servers in the cluster:
During cluster configuration, each node's application server was stopped so that
the node could be federated. Start all of the application servers now.
About this task
Use the IBM Lotus Sametime System Console to start each of the application
servers in the cluster.
Procedure
1. Log in to the Deployment Manager's (the Lotus Sametime System Console)
Integrated Solutions Console as the WebSphere administrator.
2. Click Servers → Clusters → WebSphere application server clusters in the
navigation tree.
3. Select the cluster's check box and click Start to start all cluster member servers.
Setting up a WebSphere proxy server for the cluster:
Set up an IBM WebSphere proxy server for use with a cluster of IBM Lotus
Sametime servers. The proxy server can be hosted on a product node, or on a
separate computer; it performs routing and caching tasks for the servers in the
cluster.
About this task
If you deployed the Lotus Sametime Meeting Server cluster using a standalone
Deployment Manager, you must deploy a WebSphere proxy server to operate with
the cluster. If the cluster uses the Lotus Sametime System Console as its
Deployment Manager, the WebSphere proxy server was automatically deployed on
the console but may need to be configured.
If the Meeting Server cluster experiences a high level of demand, you may want to
deploy an additional, stand-alone WebSphere proxy server to distribute the load
and mitigate the single point of failure.
(Optional) Adding a stand-alone WebSphere proxy server to the cluster:
Install a stand-alone IBM WebSphere proxy server for use with a cluster of IBM
Lotus Sametime servers.
Before you begin
This topic explains how to install a stand-alone WebSphere proxy server by
installing an extra node into the Lotus Sametime cluster, removing the Lotus
Sametime application, and then configuring the WebSphere proxy server that
remains. If you just want to configure the WebSphere proxy server that was
automatically installed with WebSphere Application Server on one of the existing
nodes in your Lotus Sametime cluster, skip this task and proceed directly to
Configuring a WebSphere proxy server.
About this task
A cluster of Lotus Sametime servers requires at least one WebSphere proxy server
to handle routing and caching tasks. When you install Lotus Sametime on a node
in the cluster, WebSphere Application Server and WebSphere proxy server are also
installed. The WebSphere proxy server merely needs to be configured for use.
To reduce the resource load on product nodes and avoid port conflicts, you may
choose to install a stand-alone WebSphere proxy server on a separate computer
instead of using the instance that was installed on a Lotus Sametime node. Or, you
may configure the instance on the Lotus Sametime node and then install an
additional instance on a separate computer, and use a load balancer to share the
load between them.
Note: If you previously installed a WebSphere proxy server on one of the Lotus
Sametime nodes in the cluster and are now seeing excessive CPU usage on that
node, you should install and configure an additional proxy server now.
To install a stand-alone WebSphere proxy server, you will install an extra Lotus
Sametime node using the "Secondary Node" option, and then federate the new
node into the cluster. You will then remove the Lotus Sametime application from
the new node while leaving WebSphere proxy server intact. Finally, you will
configure the WebSphere proxy server for use with the cluster.
Installing an additional Lotus Sametime server as a Secondary Node:
Install an IBM Lotus Sametime product server as a Secondary Node, and then
federate it into a cluster.
About this task
The first stage in deploying a stand-alone IBM WebSphere proxy server is to create
a deployment plan, and then use the Lotus Sametime System Console to install the
new Lotus Sametime server. Because you will later federate the new product node
into the cluster, you must install the same product now. For example, if you are
working with a cluster of Lotus Sametime Meeting Servers, then install a new
Meeting Server.
Important: Install the new node using the "Secondary Node" option to ensure you
can federate it to the cluster later.
Federating the new Secondary Node to the cluster:
Federate the newly installed Secondary Node into a cluster of IBM Lotus Sametime
servers.
About this task
The next stage in deploying a stand-alone IBM WebSphere proxy server is to
federate the new Lotus Sametime node into the existing cluster. For this task, you
will use the Clustering guided activity, selecting the "Select Existing Cluster" option
(in Step 3) and then choosing the appropriate cluster.
When you run the cluster guided activity there are two phases: first, the proxy
server is federated to the cluster's Deployment Manager; then the proxy server is
added into the cluster as a new member. Be sure to complete all steps in the
guided activity to properly add the proxy server to the cluster.
Removing the Lotus Sametime product from the new node:
After you have federated a new IBM Lotus Sametime node to a cluster, remove the
Lotus Sametime application but leave the IBM WebSphere proxy server intact.
About this task
After the new node has been federated to the cluster, it can be managed by the
cluster's Deployment Manager. Since the purpose of this new node is to provide a
WebSphere proxy server, the Lotus Sametime product application is no longer
needed on that node, and can be removed.
Procedure
1. On the cluster's Deployment Manager, log in to the Integrated Solutions
Console as the WebSphere administrator.
2. Click Servers → WebSphere application servers.
3. In the list of servers, click the name of the new Lotus Sametime node.
4. At the top of the list, click the Delete button.
5. When prompted for confirmation, click OK.
6. Save the change by clicking the Save link in the "Messages" box at the top of
the page.
7. Verify that the server has been deleted by making sure it no longer appears in
the list of servers.
Configuring a WebSphere proxy server:
Configure an IBM WebSphere proxy server to perform routing and caching tasks
for a cluster of IBM Lotus Sametime servers running on WebSphere Application
Server.
Before you begin
Create a cluster of Lotus Sametime servers running on WebSphere Application
Server; start the Deployment Manager (the Lotus Sametime System Console) as
well as all node agents and application servers in the cluster.
Use these instructions to configure a WebSphere proxy server that operates with
the following Lotus Sametime server clusters:
v Meeting Server
v Conference Manager
v SIP Proxy and Registrar
About this task
A cluster of Lotus Sametime servers that run on WebSphere Application Server can
use a WebSphere proxy server to manage routing and caching tasks. To ensure
redundancy in the case of a proxy server failure, you may want to configure
multiple proxy servers for the cluster. Use a Load Balancer in that case to divide
the incoming load between the proxy servers. You can host a WebSphere proxy
server on any node in the cluster (except the Lotus Sametime System Console) but
because it uses a lot of system resources, you may want to host it on its own
computer.
Note: If you install multiple WebSphere proxy servers, you will need a Load
Balancer to divide the incoming load among the proxy servers. Installing IBM
Load Balancer is discussed later in this section.
Procedure
1. Log in to the Deployment Manager's (the Lotus Sametime System Console)
Integrated Solutions Console as the WebSphere administrator.
2. In the navigation tree, click Servers → Server Types → WebSphere proxy
servers.
3. In the proxy servers table, click the New button at the top of the table.
4. In the "Create a new proxy server entry" dialog box, do the following:
a. In the "Select a node" box, select the node that will host the WebSphere
proxy server.
Be sure to select a node that belongs to the appropriate cluster.
b. Type a name for the new proxy server; for example "was_proxy1", and then
click Next.
c. In the "Specify server specific properties" box, select the appropriate
"Support protocol" settings for your cluster, select Generate unique ports,
and then click Next.
v If you are configuring this WebSphere proxy server for a Meeting Server
cluster: deselect the SIP protocol.
v If you are configuring this WebSphere proxy server for a SIP Proxy and
Registrar cluster: accept both HTTP and SIP protocols.
v If you are configuring this WebSphere proxy server for a Conference
Manager cluster: accept both HTTP and SIP protocols.
d. In the "Select a server template" box, select proxy_server_foundation (the
WebSphere Default Proxy Server Template), and then click Next.
e. In the "Confirm new server" box, click Finish.
5. Save the changes by clicking the Save link in the "Messages" box at the top of
the page.
6. Resynchronize the nodes:
a. On the Deployment Manager, log in to the Integrated Solutions Console as
the WebSphere administrator.
b. Click System Administration → Nodes.
c. Select all of the nodes in the cluster.
d. Click Full Resynchronization.
7. (Conference Manager cluster, SIP Proxy and Registrar cluster) Assign the new
proxy server to the cluster:
a. Click Servers → Server Types → Websphere proxy servers →
proxy_server_name → SIP Proxy Server Settings → SIP proxy settings.
b. In the "Default cluster" field, select the cluster that you are configuring this
WebSphere proxy server to work with.
c. Click Apply.
8. Now start the new WebSphere proxy server:
a. Again in the Integrated Solutions Console's navigation tree, click Servers →
Proxy Servers.
b. In the "Proxy Servers" page, select the new proxy server from the list.
c. Click the Start button above the list of proxy servers.
Adding ports to the virtual host alias:
After creating an IBM Lotus Sametime Media Manager Conference Manager
cluster, you must now add the SIP ports of each cluster member to the virtual host
alias. This step is required.
Before you begin
Create a cluster of IBM Lotus Sametime Media Manager "Conference Manager"
components. Adding the SIP ports of each cluster member to the virtual host alias
is required to ensure that the cluster operates properly.
About this task
On the cluster's Deployment Manager (the Lotus Sametime System Console),
update the default_host virtual host with a unique set of web access ports. Such a
configuration lets a single host machine resemble multiple host machines.
Tip: Print this page and use the table to record the port settings as you look them
up in steps 1 and 2:
Table 29. Write down the port numbers used for these settings in every cluster member

                    SIP_DEFAULTHOST   SIP_DEFAULTHOST_SECURE   PROXY_SIP_ADDRESS   PROXY_SIPS_ADDRESS
Cluster member 1
Cluster member 2
Cluster member 3
Cluster member 4
Cluster member 5
Procedure
1. Determine the ports used by every cluster member:
a. In the Deployment Manager's (the Lotus Sametime System Console)
Integrated Solutions Console, click Servers → Server Types → WebSphere
application servers.
b. In the table listing the servers, click the name of the cluster member.
This displays the cluster member's "Configuration" page.
c. On the "Configuration" page, look under "Communication", and expand
Ports.
d. Look in the Ports table and write down the following port settings for use
in the next step:
v SIP_DEFAULTHOST
v SIP_DEFAULTHOST_SECURE
e. Repeat this process for every cluster member.
2. Next, determine the ports used by every WebSphere proxy server that operates
with this cluster.
a. In the Deployment Manager's (the Lotus Sametime System Console)
Integrated Solutions Console, click Servers → Server Types → WebSphere
proxy servers.
b. In the table listing the servers, click the name of the WebSphere proxy
server.
This displays the proxy server's "Configuration" page.
c. On the "Configuration" page, look under "Communication", and expand
Ports.
d. Look in the Ports table and write down the following port settings for use
in the next step:
v PROXY_SIP_ADDRESS
v PROXY_SIPS_ADDRESS
e. Repeat this process for every WebSphere proxy server used by the cluster.
3. Now add the ports used by all the cluster members and all of the WebSphere
proxy servers to the Deployment Manager's Virtual Hosts table.
a. Now return to the Integrated Solutions Console navigation tree and click
Environment → Virtual Hosts.
b. In the Virtual Hosts table, click the host called default_host.
This displays the "Configuration" page for the default_host.
c. Under "Additional Properties", click Host Aliases.
d. In the "Host Aliases" table, add the ports used by all of the cluster members
(the information you collected in Step 1):
Remember that you have information on two ports for each cluster member;
however if a port is already listed in the table, you do not need to add it
again.
To add a port:
1) Click the New button at the top of the table.
2) In the Host Name field, type *.
3) In the Port field, type a port from your list.
4) Click OK.
5) Repeat this for the two ports for every cluster member (unless a port is
already listed in this table).
e. Now delete all of the table entries that do not use * as the Host Name.
To delete an entry, click on the check box next to it, and then click the
Delete button at the top of the table.
f. Save the changes by clicking the Save link in the "Messages" box at the top
of the page.
4. Synchronize all of the nodes:
a. Still working on the Deployment Manager, click System Administration →
Nodes.
b. Select all nodes in the cluster.
c. Click Full Resynchronize.
Reconfiguring ports for a WebSphere proxy server hosted on a product node:
If the IBM WebSphere proxy server is hosted on the same computer as an IBM
Lotus Sametime product, reconfigure ports to avoid a conflict.
Checking for port conflicts between Lotus Sametime and WebSphere proxy server:
Verify that the IBM WebSphere proxy server is listening on the correct ports and is
not in conflict with the IBM Lotus Sametime server running on the same computer.
Before you begin
This task is only necessary when Lotus Sametime and WebSphere proxy server are
running on the same computer.
About this task
If your cluster has both Lotus Sametime and WebSphere proxy server running on
multiple nodes, be sure to check the ports on each node.
Procedure
1. On the node being checked, log in to the Integrated Solutions Console as the
WebSphere administrator.
2. Check the ports used by the WebSphere proxy server:
a. Click Servers → Proxy Servers.
b. In the list of proxy servers, click the node's WebSphere proxy server to open
its Configuration page.
c. Under "Communications" click Ports.
d. Write down the values assigned to the following ports:
v PROXY_SIP_ADDRESS
v PROXY_SIPS_ADDRESS
3. Check the ports used by the Lotus Sametime server:
a. Click Servers → Application Servers.
b. In the list of application servers, click the name of the Lotus Sametime
server to open its Configuration page.
c. Under "Communications" click Ports.
d. Write down the values assigned to the following ports:
v PROXY_SIP_ADDRESS
v PROXY_SIPS_ADDRESS
4. Decide whether the ports are in conflict:
Ports are in conflict if either of the following conditions is true:
v The WebSphere proxy server is listening on ports other than 5060
(PROXY_SIP_ADDRESS) and 5061 (PROXY_SIPS_ADDRESS).
v The Lotus Sametime server is listening on the same ports as the WebSphere
proxy server.
What to do next
Your next task depends on whether there is a port conflict to resolve:
v If the ports are in conflict, proceed to Changing a WebSphere proxy server's port
settings.
v If the ports are not in conflict, then the WebSphere proxy server configuration is
complete. Skip to Installing IBM Load Balancer.
Changing a WebSphere proxy server's port settings:
Change the defined port settings on an IBM WebSphere proxy server used by an
IBM Lotus Sametime cluster.
About this task
If any of the WebSphere proxy server's port settings is incorrect, change it to the
correct value.
Procedure
1. On the node where WebSphere proxy server is running, log in to the Integrated
Solutions Console as the WebSphere administrator.
2. Click Servers → Proxy Servers.
3. In the list of proxy servers, click the node's WebSphere proxy server to open its
Configuration page.
4. Under "Communications" click Ports.
5. Use the Ports table to change the SIP ports as follows:
a. Click on the PROXY_SIP_ADDRESS link, change its setting (for example,
to 5060), and then click OK.
b. Click on the PROXY_SIPS_ADDRESS link, change its setting (for example,
to 5061), and then click OK.
6. Use the Ports table to change the HTTP ports as follows:
Although the HTTP and HTTPS ports will not be used by the Lotus Sametime
server (so there will not be a conflict), you still need to make sure they are
using the correct values.
a. Click on the HTTP link, change its setting (for example, to 80), and then
click OK.
b. Click on the HTTPS link, change its setting (for example, to 443), and then
click OK.
7. Save the changes by clicking the Save link in the "Messages" box at the top of
the page.
Changing the Lotus Sametime server's port settings:
Change the defined port settings on an IBM Lotus Sametime node to avoid a
conflict with the IBM WebSphere proxy server running on the same computer.
About this task
If any of the Lotus Sametime server's port settings conflicts with a port used by the
WebSphere proxy server running on the same node, enter new port settings now.
Procedure
1. On the node where the Lotus Sametime server is running, log in to the
Integrated Solutions Console as the WebSphere administrator.
2. Click Servers → Application Servers.
3. In the list of application servers, click the Lotus Sametime server to open its
Configuration page.
4. Under "Communications" click Ports.
5. Use the Ports table to change the SIP ports as follows:
a. Click on the PROXY_SIP_ADDRESS link, change its setting (for example,
to 5062), and then click OK.
b. Click on the PROXY_SIPS_ADDRESS link, change its setting (for example,
to 5063), and then click OK.
6. Save the changes by clicking the Save link in the "Messages" box at the top of
the page.
Synchronizing nodes in the cluster:
Synchronize all nodes in the IBM Lotus Sametime cluster.
Procedure
1. On the cluster's Deployment Manager, log in to the Integrated Solutions
Console as the WebSphere administrator.
2. Click System administration → Nodes.
3. Select all of the nodes in the cluster.
4. Click Full Resynchronize.
Verifying that the port collision has been resolved:
After resolving port collisions between IBM WebSphere proxy server and IBM
Lotus Sametime, verify that the port settings are now correct.
About this task
Start the servers in the cluster; clear the WebSphere proxy server's logs before
starting that server, and then check the logs for errors that may indicate a port
collision.
Procedure
1. Start all of the servers and processes in the cluster except for the WebSphere
proxy server where you just resolved the ports conflict.
2. Clear all of the WebSphere proxy server logs.
3. Start the WebSphere proxy server.
4. Check the WebSphere proxy server log for any errors indicating a possible
port collision; for example:
v ADMU3028I
v TCPC0003E
v The port may already be in use
What to do next
If other nodes in the cluster have both Lotus Sametime and WebSphere proxy
server, be sure to check those nodes for possible port conflicts as well before
proceeding to the next task.
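The conflict rule from "Checking for port conflicts" and the log indicators from the verification step above, turned into a small check. This is an added example, not IBM's code; the log lines are constructed in the WebSphere SystemOut style and their message texts are made up, only the message IDs come from the guide.

```python
"""Decide whether a product node's WebSphere proxy server and Lotus Sametime
server ports collide, and scan the proxy server log for the collision
indicators the guide lists."""

# Expected proxy ports per the guide's conflict rule.
EXPECTED_PROXY_PORTS = {"PROXY_SIP_ADDRESS": 5060, "PROXY_SIPS_ADDRESS": 5061}

# Log indicators named in the verification step; compared case-insensitively.
COLLISION_MARKERS = ("ADMU3028I", "TCPC0003E", "The port may already be in use")


def port_conflicts(proxy_ports, sametime_ports):
    """Apply the guide's two rules; return the findings (empty list = no conflict).

    proxy_ports / sametime_ports map port name -> port number, as written
    down from each server's Ports table."""
    findings = []
    # Rule 1: the proxy must listen on 5060 (SIP) and 5061 (SIPS).
    for name, expected in EXPECTED_PROXY_PORTS.items():
        actual = proxy_ports.get(name)
        if actual != expected:
            findings.append("proxy %s is %s, expected %d" % (name, actual, expected))
    # Rule 2: the Sametime server must not share any port with the proxy.
    for st_name, st_port in sametime_ports.items():
        for px_name, px_port in proxy_ports.items():
            if st_port == px_port:
                findings.append("Sametime %s and proxy %s both use %d"
                                % (st_name, px_name, st_port))
    return findings


def find_collision_errors(log_lines):
    """Return (line_number, marker, line) for each log line carrying an indicator."""
    hits = []
    for number, line in enumerate(log_lines, start=1):
        lowered = line.lower()
        for marker in COLLISION_MARKERS:
            if marker.lower() in lowered:
                hits.append((number, marker, line.rstrip()))
                break  # one finding per line is enough
    return hits


# Constructed sample log (not real WebSphere output).
SAMPLE_PROXY_LOG = [
    "[10/12/10 9:01:02:100 EDT] 0000000a ProxyStart   I   proxy server starting (constructed)",
    "[10/12/10 9:01:03:250 EDT] 0000000a TCPChannel   E   TCPC0003E: bind failed for *:5060 (constructed)",
    "[10/12/10 9:01:03:251 EDT] 0000000a TCPChannel   W   The port may already be in use (constructed)",
    "[10/12/10 9:01:04:000 EDT] 0000000a AdminTool    I   ADMU3028I: conflict detected (constructed)",
]

if __name__ == "__main__":
    # Proxy on the expected ports, but the Sametime server still on 5060.
    print(port_conflicts({"PROXY_SIP_ADDRESS": 5060, "PROXY_SIPS_ADDRESS": 5061},
                         {"PROXY_SIP_ADDRESS": 5060, "PROXY_SIPS_ADDRESS": 5063}))
    for hit in find_collision_errors(SAMPLE_PROXY_LOG):
        print("line %d [%s]: %s" % hit)
```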
Configuring the Packet Switchers to access the cluster's WebSphere proxy
server:
After you create clusters of IBM Lotus Sametime Media Manager Conference
Manager and SIP Proxy and Registrar components, configure the Packet Switcher
components to communicate with the cluster through the IBM WebSphere proxy
server.
Before you begin
Install at least one Lotus Media Manager Packet Switcher component and start the
server. Create and configure the Conference Manager and SIP Proxy and Registrar
clusters.
About this task
By default, a Packet Switcher is configured to access the Conference Manager and
the SIP Proxy and Registrar components directly, and must be reconfigured to
communicate with clusters. Modify the Packet Switcher's stavconfig.xml file to
access the WebSphere proxy servers used by the Conference Manager cluster and
the SIP Proxy and Registrar cluster. The WebSphere proxy server will direct SIP
requests to available nodes in the cluster.
You will need to complete this task for every Packet Switcher.
Procedure
1. On the server hosting the Packet Switcher, open the stavconfig.xml file for
editing.
The stavconfig.xml is located at:
dm_install_root/config/cells/cell_name/nodes/node_name/servers/server_name
For example:
config/cells/bassMediaCell1/nodes/bassMediaNode1/servers/STMediaServer
2. Modify the following settings:
Option
Description
ConferenceServerHost
Use the host name of the computer where
the WebSphere proxy server is installed for
the Conference Manager cluster.
ConferenceServerPort
Use the PROXY_SIPS_ADDRESS port value
of the same WebSphere proxy server (used
by the Conference Manager cluster).
SIPProxyServerHost
Use the host name of the computer where
the WebSphere proxy server is installed for
the SIP Proxy and Registrar cluster.
SIPProxyServerPort
Use the PROXY_SIPS_ADDRESS port value
of the same WebSphere proxy server (used
by the SIP Proxy and Registrar cluster).
For example:
<configuration lastUpdated="1226425838277" name="ConferenceServerHost"
value="wasproxy_cf.acme.com"/>
<configuration lastUpdated="1226425838277" name="ConferenceServerPort" value="5062"/>
<configuration lastUpdated="1226425838277" name="SIPProxyServerHost"
value="wasproxy_pr.acme.com"/>
<configuration lastUpdated="1226425838277" name="SIPProxyServerPort" value="5080"/>
3. Save and close the file.
4. Repeat steps 1 through 3 for each additional Packet Switcher in the
deployment.
5. (Optional) Synchronize all nodes in the Deployment Manager that manages the
Packet Switcher:
This step is not needed if the Packet Switcher was installed using the Network
Deployment → Primary Node option.
a. In the Deployment Manager's Integrated Solutions Console, click System
Administration → Nodes.
b. Click Full Resynchronize.
6. Restart the Packet Switchers.
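The stavconfig.xml edits described for the Conference Manager (SIPProxyServerHost and SIPProxyServerPort) and for the Packet Switcher (those two plus ConferenceServerHost and ConferenceServerPort), done with a script instead of by hand. This is an added example, not IBM's code: the <stavconfig> root element and the original single-node host values in the sample file are assumptions, since the guide shows only the <configuration .../> entries themselves.

```python
"""Update a Media Manager component's stavconfig.xml so it reaches the
SIP Proxy and Registrar cluster (and, for a Packet Switcher, the Conference
Manager cluster) through the cluster's WebSphere proxy server."""
import time
import xml.etree.ElementTree as ET

# Settings the procedure changes for each component. A Conference Manager
# only points at the SIP Proxy and Registrar cluster's proxy; a Packet Switcher
# points at both clusters' proxies.
SETTINGS_BY_COMPONENT = {
    "conference-manager": ("SIPProxyServerHost", "SIPProxyServerPort"),
    "packet-switcher": ("ConferenceServerHost", "ConferenceServerPort",
                        "SIPProxyServerHost", "SIPProxyServerPort"),
}

# Constructed sample file. The guide shows only the <configuration .../>
# entries; the <stavconfig> root element and the "direct" host values are
# assumptions made for this example.
SAMPLE_STAVCONFIG = """<?xml version="1.0" encoding="UTF-8"?>
<stavconfig>
  <configuration lastUpdated="1226425838277" name="ConferenceServerHost" value="cfmgr1.acme.com"/>
  <configuration lastUpdated="1226425838277" name="ConferenceServerPort" value="5061"/>
  <configuration lastUpdated="1226425838277" name="SIPProxyServerHost" value="sipreg1.acme.com"/>
  <configuration lastUpdated="1226425838277" name="SIPProxyServerPort" value="5061"/>
  <configuration lastUpdated="1226425838277" name="UnrelatedSetting" value="keep-me"/>
</stavconfig>
"""


def _validated_port(value):
    """Ports are stored as strings in the file; insist on a real TCP port."""
    port = int(value)
    if not 1 <= port <= 65535:
        raise ValueError("port out of range: %r" % (value,))
    return str(port)


def retarget_to_proxy(xml_text, component, new_values, now_ms=None):
    """Rewrite the named settings and return (updated_xml, names_changed).

    Every setting the component needs must be supplied, no other setting is
    accepted, and every supplied setting must already exist in the file, so a
    typo cannot silently leave the component pointing at a single node."""
    wanted = set(SETTINGS_BY_COMPONENT[component])
    supplied = set(new_values)
    if supplied != wanted:
        raise ValueError("expected settings %s, got %s"
                         % (sorted(wanted), sorted(supplied)))
    root = ET.fromstring(xml_text)
    stamp = str(int(time.time() * 1000) if now_ms is None else now_ms)
    changed, seen = [], set()
    for elem in root.iter("configuration"):
        name = elem.get("name")
        if name not in new_values:
            continue                        # leave unrelated settings untouched
        seen.add(name)
        value = str(new_values[name])
        if name.endswith("Port"):
            value = _validated_port(value)
        if elem.get("value") != value:
            elem.set("value", value)
            elem.set("lastUpdated", stamp)  # same attribute the file already carries
            changed.append(name)
    if seen != wanted:
        raise ValueError("settings not found in file: %s" % sorted(wanted - seen))
    return ET.tostring(root, encoding="unicode"), changed


def read_settings(xml_text):
    """Map setting name -> value for every <configuration> entry."""
    return {e.get("name"): e.get("value")
            for e in ET.fromstring(xml_text).iter("configuration")}


if __name__ == "__main__":
    # Values from the guide's example: each cluster's proxy host and its SIPS port.
    updated, changed = retarget_to_proxy(SAMPLE_STAVCONFIG, "packet-switcher", {
        "ConferenceServerHost": "wasproxy_cf.acme.com", "ConferenceServerPort": 5062,
        "SIPProxyServerHost": "wasproxy_pr.acme.com", "SIPProxyServerPort": 5080,
    })
    print("changed:", changed)
    print(updated)
```

Run it once per Conference Manager or Packet Switcher against that server's own stavconfig.xml, then resynchronize and restart as the procedure says; the script does not touch the Deployment Manager.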
Installing IBM Load Balancer:
Install and configure IBM Load Balancer to distribute workload among a cluster of
any of these server types: Sametime Proxy Server, Sametime Meeting Server, Media
Manager Conference Manager, or Media Manager SIP Proxy and Registrar.
Before you begin
Create the cluster of servers first. Then configure the cluster and then start the
Deployment Manager (the Lotus Sametime System Console) as well as all node
agents and application servers in the cluster.
Note: The IBM Load Balancer is not available on IBM i, but you can deploy it on a
server running a different operating system for use with a Lotus Sametime
deployment hosted on IBM i.
IBM Load Balancer is not required for a Lotus Sametime clustered deployment;
you can use any load-balancing mechanism that supports HTTP session affinity, so
that a user is consistently routed to the same server during a single session. IBM
Load Balancer is included in the Lotus Sametime package with the other IBM
WebSphere components.
Procedure
1. Download IBM Load Balancer onto the server where you will install it:
a. Open this release's Download document at the following web address:
http://www.ibm.com/support/docview.wss?rs=477&uid=swg24027054
b. Locate the appropriate IBM WebSphere Edge server component in the
document's listing, then download the packages labelled with the
corresponding part numbers to the system on which you are installing.
2. Navigate to the folder where you stored the downloaded files, locate the folder
for IBM Load Balancer, and start the installation program.
For instructions on installing IBM Load Balancer, see the Load Balancer for
IPv4 and IPv6 configuration guide.
3. After you have installed IBM Load Balancer, configure two static IP addresses
for it:
v Non-Forwarding Address: The NFA is the address of the server itself. It is
used for logging in and administering the load balancer.
v Cluster Address: This is the address by which clients and other servers will
access the cluster. It must be DNS-resolvable.
For example, suppose your cluster contains two nodes, and you configure an
IBM Load Balancer for the cluster. Your IP addresses will look like this:
Table 30. Sample host names and IP addresses for a Lotus Sametime cluster with IBM
Load Balancer

Fully qualified host name            Server's role in deployment                          Server's IP address
Load balancer: loadbal.example.com   Load balancer (Cluster address)                      Load balancer (NFA): 192.0.2.15
Cluster: st-cluster.example.com                                                           Cluster: 192.0.2.0
stconsole.example.com                Deployment Manager (Lotus Sametime System Console)   192.0.2.3
svr1.example.com                     Primary Node (a Lotus Sametime server)               192.0.2.4
svr2.example.com                     Secondary Node (a Lotus Sametime server)             192.0.2.5
Configuring IBM Load Balancer:
Configure IBM Load Balancer for a cluster of IBM Lotus Sametime servers.
About this task
The steps to configure IBM Load Balancer are different for the various operating
systems; choose the appropriate topic:
Configuring IBM Load Balancer in AIX, Linux, or Solaris:
Configure IBM Load Balancer on a server running IBM AIX, Linux, or Sun Solaris.
Before you begin
Install IBM Load Balancer and assign two static IP addresses to it. The server
selected for the Load Balancer installation must reside on the same LAN segment
as the nodes to be clustered.
About this task
Configure IBM Load balancer to support your cluster using MAC Address
rewriting. With this method, the load balancer receives a packet intended for the
cluster. It uses configured metrics to determine which node in the cluster should
process the message, and then sends the message back out to the network, routing
it to the appropriate node's MAC address. Each of the nodes in the cluster is
configured with a loopback adapter; when the packet is rewritten to the network,
the appropriate node will receive and process the packet.
As you work through the procedure, you will switch back and forth between the
Load Balancer interface and a command window.
Procedure
1. Configure the nodes of the cluster.
For cluster nodes running on AIX, Linux, and Solaris
Add a loopback adapter with the IP address of the cluster on each of the nodes
of the cluster. For instructions, see the Load Balancer for IPv4 and IPv6
configuration guide.
For cluster nodes running on IBM i
Use the Add TCP/IP Interface command to create a virtual IP address with the
"cluster" IP address you want to use.
For example:
ADDTCPIFC INTNETADR('192.0.2.0') LIND(*VIRTUALIP) SUBNETMASK(*HOST)
When the virtual TCP/IP interface is started, the server accepts packets for that
address.
Note: Do not enable proxy ARP for the Virtual IP Address. In other words, do
not specify the PREFIFC parameter on the command or enable proxy through
the graphical user interface configuration. Doing so prevents multiple systems
from using the same "cluster" IP address simultaneously.
2. Configure port settings on the cluster nodes so that IBM Load Balancer can
route the packets properly:
IBM Load Balancer requires every node in the cluster to use the same port number
for both HTTP and HTTPS service (typically, port 80). If you have configured
your nodes to use unique port numbers, change them to the same port now.
Tip: When configuring the ports, you can use the wildcard * when specifying
the host name for the HTTP and HTTPS ports. The server then listens on all
interfaces configured in the system, including the loopback adapter set up for
the cluster.
3. Configure load balancing for the cluster:
a. Open a command window on the load balancer server.
b. Start the load balancer's Dispatcher process with the following command:
dsserver
c. If you are using IPv6 addresses, enable the processing of IPv6 packets:
Issue this command only once; thereafter, you can start and stop the
executor as often as you need. If you do not issue the command to enable
processing of IPv6 packets on these systems, the executor will not start (on
Solaris, the executor will start, but no IPv6 packets can be viewed).
AIX
1) Run the following command:
autoconf6
2) To enable uninterrupted processing of IPv6 packets, even after a system
reboot, edit the /etc/rc.tcpip file, uncomment the following line, and
add the -A flag:
start /usr/bin/autoconf6 " " -A
Linux
Run the following command (you must be logged in as root):
modprobe ipv6
Solaris
Run the following commands (you must be logged in as root by using su),
replacing device with your device name, and address/prefix with your IPv6
address and prefix values:
ifconfig device inet6 plumb
ifconfig device inet6 address/prefix up
d. Start the executor function of the dispatcher:
dscontrol executor start
e. Add the cluster to the service:
dscontrol cluster add cluster's_fully_qualified_host_name
where cluster's_fully_qualified_host_name is the fully qualified host name that
you assigned to the cluster when you installed the load balancer; for
example:
stms-cluster.example.com
f. Add the cluster port:
dscontrol port add cluster's_fully_qualified_host_name@port
where cluster's_fully_qualified_host_name@port is the fully qualified host name
that you assigned to the cluster when you installed the load balancer, with
the HTTP/HTTPS port appended to it (typically port 80); for example:
stms-cluster.example.com@80
g. Add the nodes for which this server will balance workload:
dscontrol server add cluster's_fully_qualified_host_name@port@primary_node
dscontrol server add cluster's_fully_qualified_host_name@port@secondary_node
where:
v cluster's_fully_qualified_host_name@port@primary_node indicates the cluster's
fully qualified host name with the port appended as in the previous step,
plus now with the primary node's fully qualified host name appended; for
example:
stms-cluster.example.com@80@meetsvr1.example.com
v cluster's_fully_qualified_host_name@port@secondary_node indicates the
cluster's fully qualified host name with the port appended (as in the
previous step) plus now with the secondary node's fully qualified host name
appended (include an additional line for each additional secondary node);
for example:
stms-cluster.example.com@80@meetsvr2.example.com
h. Now start the Load Balancer administration interface with the following
command:
./lbadmin
Note: If you have difficulty starting the administration interface, try
stopping and then starting the executor and dsserver services before
running the command again:
dsserver stop
dscontrol executor stop
dscontrol executor start
dsserver start
./lbadmin
4. Continue configuring Load Balancer as follows:
a. Add the cluster to the executor:
dscontrol executor add cluster's_fully_qualified_host_name
where cluster's_fully_qualified_host_name is the fully qualified host name that
you assigned to the cluster when you installed the load balancer; for
example:
stms-cluster.example.com
b. Start the manager:
dscontrol manager start
c. Start the HTTP advisor for the port you are using (the port you specified in
the previous steps, typically port 80):
dscontrol advisor start http 80
5. Define server affinity with a "sticky time":
By default the Load Balancer will round-robin HTTP requests between the
cluster members, so that a single client may be routed to different cluster
members for subsequent requests rather than continuing to be routed to the
same cluster member. Since a client typically accesses an online meeting every
30-40 seconds during the session, you may want to enable server affinity for a
Lotus Sametime Meeting Server cluster so that the client continues to access the
same server during a single meeting.
The dispatcher component of IBM Load Balancer supports a configurable
"sticky time". This means that the load balancer will remember which cluster
member a client was routed to; subsequent requests will "stick to" the same
server until the preset time expires. IBM recommends a "sticky" time
configuration of 60 seconds for a Lotus Sametime Meeting Server cluster or a
Lotus Sametime Proxy Server cluster.
a. Open a command window on the load balancer server.
b. Stop the service with the following command:
dsserver stop
c. Set the sticky time with the following command:
dscontrol port set fully_qualified_host_name@port_number stickytime number_of_seconds
Where:
v fully_qualified_host_name is the fully qualified host name of the server
where IBM Load Balancer runs.
v port_number is the port that will be affected by the new sticky time
setting.
v number_of_seconds is the duration, in seconds, of the time that a client
should "stick to" the specified port.
For example:
dscontrol port set stms-cluster.example.com@80 stickytime 60
6. Save the load balancer settings:
a. In IBM Load Balancer, return to the navigation tree and right-click on the
host name of the load balancer you just configured (for example,
loadbal.example.com).
b. Click Save Configuration File as and accept the default name
(default.cfg).
The configuration settings stored in default.cfg are restored every time the
server is restarted.
c. Click OK.
Configuring IBM Load Balancer in Windows:
Configure IBM Load Balancer on a server running Microsoft Windows.
Before you begin
Install IBM Load Balancer and assign two static IP addresses to it. The server
selected for the Load Balancer installation must reside on the same LAN segment
as the nodes to be clustered.
About this task
Configure IBM Load Balancer to support your cluster using MAC Address
rewriting. With this method, the load balancer receives a packet intended for the
cluster. It uses configured metrics to determine which node in the cluster should
process the message, and then sends the message back out to the network, routing
it to the appropriate node's MAC address.
Each of the nodes in the cluster is configured with a loopback adapter; when the
packet is rewritten to the network, the appropriate node will receive and process
the packet.
Procedure
1. Configure the nodes of the cluster.
For cluster nodes running on Windows
Add a loopback adapter with the IP address of the cluster on each of the nodes
of the cluster. For instructions, see the Load Balancer for IPv4 and IPv6
configuration guide.
For cluster nodes running on IBM i
Use the Add TCP/IP Interface command to create a virtual IP address with the
"cluster" IP address you want to use.
For example:
ADDTCPIFC INTNETADR('192.0.2.0') LIND(*VIRTUALIP) SUBNETMASK(*HOST)
When the virtual TCP/IP interface is started, the server accepts packets for that
address.
Note: Do not enable proxy ARP for the Virtual IP Address. In other words, do
not specify the PREFIFC parameter on the command or enable proxy through
the graphical user interface configuration. Doing so prevents multiple systems
from using the same "cluster" IP address simultaneously.
2. Configure port settings on the cluster nodes so that IBM Load Balancer can
route the packets properly:
IBM Load Balancer requires every node in the cluster to use the same port number
for both HTTP and HTTPS service (typically, port 80). If you have configured
your nodes to use unique port numbers, change them to the same port now.
Tip: When configuring the ports, you can use the wildcard * when specifying
the host name for the HTTP and HTTPS ports. The server then listens on all
interfaces configured in the system, including the loopback adapter set up for
the cluster.
3. On the load balancer server, configure load balancing for the cluster:
a. Open a command window on the load balancer server.
b. Start the load balancer's Dispatcher process by clicking Start → Control
Panel → Administrative Tools → Services, right-click IBM Dispatcher (ULB),
and then click Start.
c. If you are using IPv6 addresses, enable the processing of IPv6 packets:
Run the following command while logged in as the Windows administrator:
netsh interface ipv6 install
This command enables processing of IPv6 packets. Issue this command
only once; thereafter, you can start and stop the executor as often as you
need. If you do not issue the command to enable processing of IPv6 packets
on these systems, the executor will not start.
d. Start the executor function of the dispatcher:
dscontrol executor start
e. Add the cluster to the service:
dscontrol cluster add cluster's_fully_qualified_host_name
where cluster's_fully_qualified_host_name is the fully qualified host name that
you assigned to the cluster when you installed the load balancer; for
example:
stms-cluster.example.com
f. Add the cluster port:
dscontrol port add cluster's_fully_qualified_host_name@port
where cluster's_fully_qualified_host_name@port is the fully qualified host name
that you assigned to the cluster when you installed the load balancer, with
the HTTP/HTTPS port appended to it (typically port 80); for example:
stms-cluster.example.com@80
g. Add the nodes for which this server will balance workload:
dscontrol server add cluster's_fully_qualified_host_name@port@primary_node
dscontrol server add cluster's_fully_qualified_host_name@port@secondary_node
where:
v cluster's_fully_qualified_host_name@port@primary_node indicates the cluster's
fully qualified host name with the port appended (as in the previous step)
plus now with the primary node's fully qualified host name appended; for
example:
stms-cluster.example.com@80@meetsvr1.example.com
v cluster's_fully_qualified_host_name@port@secondary_node indicates the
cluster's fully qualified host name with the port appended (as in the
previous step) plus now with the secondary node's fully qualified host name
appended (include an additional line for each additional secondary node);
for example:
stms-cluster.example.com@80@meetsvr2.example.com
h. Add the cluster to the executor:
dscontrol executor add cluster's_fully_qualified_host_name
where cluster's_fully_qualified_host_name is the fully qualified host name that
you assigned to the cluster when you installed the load balancer; for
example:
stms-cluster.example.com
i. Start the manager:
dscontrol manager start
j. Start the HTTP advisor for the port you are using (the port you specified in
the previous steps, typically port 80):
dscontrol advisor start http 80
k. Now you can stop the service:
dsserver stop
l. Close the command window.
4. Define server affinity with a "sticky time":
By default the Load Balancer will round-robin HTTP requests between the
cluster members, so that a single client may be routed to different cluster
members for subsequent requests rather than continuing to be routed to the
same cluster member. Since a client typically accesses an online meeting every
30-40 seconds during the session, you may want to enable server affinity for a
Lotus Sametime Meeting Server cluster so that the client continues to access the
same server during a single meeting.
The dispatcher component of IBM Load Balancer supports a configurable
"sticky time". This means that the load balancer will remember which cluster
member a client was routed to; subsequent requests will "stick to" the same
server until the preset time expires. IBM recommends a "sticky" time
configuration of 60 seconds for a Lotus Sametime Meeting Server cluster or a
Lotus Sametime Proxy Server cluster.
Windows
a. Start IBM Load Balancer.
b. In the navigation tree, select the Executor (the load balancer's
non-forwarding IP address, which appears under its host name).
c. Click Configuration Settings.
d. In "Port-Specific Settings", change the Default sticky-time settings from 0 to
60 seconds, and click Update Configuration.
e. Leave IBM Load Balancer open for the next step.
5. Save the load balancer settings:
a. In IBM Load Balancer, return to the navigation tree and right-click on the
host name of the load balancer you just configured (for example,
loadbal.example.com).
b. Click Save Configuration File as and accept the default name
(default.cfg).
The configuration settings stored in default.cfg are restored every time the
server is restarted.
c. Click OK.
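Both the AIX/Linux/Solaris procedure and the Windows procedure above type the same dscontrol commands by hand, and a mistyped host name or port is only noticed when clients stop reaching the cluster. The shell function below is an added example, not part of the IBM guide: it emits the command sequence from those procedures for one cluster, after checking the inputs the guide says must agree (one numeric port shared by every node, a non-empty node list with no duplicates and without the cluster address itself). The function name lb_commands is an assumption of this example; the sample host names stms-cluster.example.com, meetsvr1.example.com and meetsvr2.example.com are the guide's own. It prints rather than executes, so the resulting script can be reviewed and kept with your change records before it is piped to sh on the load balancer host with dsserver running.

```shell
#!/bin/sh
# Added example, not from the IBM guide: emit the dscontrol command sequence
# from the load balancer procedures for one cluster, so the load balancer can
# be (re)configured reproducibly from a reviewed script instead of by hand.
# The helper name lb_commands is an assumption; the command syntax is the
# guide's.
#
# Usage: lb_commands CLUSTER_FQHN PORT STICKY_SECONDS NODE_FQHN [NODE_FQHN...]
# Prints the commands on stdout; run them with:  lb_commands ... | sh
lb_commands() {
    cluster="$1"; port="$2"; sticky="$3"; shift 3

    # The guide requires one HTTP/HTTPS port shared by every node (typically
    # 80); refuse anything that is not a plain port number.
    case "$port" in
        ''|*[!0-9]*) echo "lb_commands: port must be numeric, got '$port'" >&2; return 1 ;;
    esac
    case "$sticky" in
        ''|*[!0-9]*) echo "lb_commands: sticky time must be numeric, got '$sticky'" >&2; return 1 ;;
    esac
    [ "$#" -ge 1 ] || { echo "lb_commands: at least one node is required" >&2; return 1; }

    # Validate the node list before printing anything, so a bad list never
    # yields a half-built configuration: no duplicates, and no node that is
    # the cluster address itself (MAC rewriting needs a real node behind it).
    seen=" "
    for node in "$@"; do
        [ "$node" != "$cluster" ] || { echo "lb_commands: node equals cluster address: $node" >&2; return 1; }
        case "$seen" in
            *" $node "*) echo "lb_commands: duplicate node: $node" >&2; return 1 ;;
        esac
        seen="$seen$node "
    done

    # Steps 3d to 3g: executor, cluster, port, and one server entry per node.
    echo "dscontrol executor start"
    echo "dscontrol cluster add $cluster"
    echo "dscontrol port add $cluster@$port"
    for node in "$@"; do
        echo "dscontrol server add $cluster@$port@$node"
    done
    # Step 4: attach the cluster to the executor, start the manager and the
    # HTTP advisor on the shared port.
    echo "dscontrol executor add $cluster"
    echo "dscontrol manager start"
    echo "dscontrol advisor start http $port"
    # Step 5: server affinity, so one meeting keeps hitting one member.
    echo "dscontrol port set $cluster@$port stickytime $sticky"
}

# Sample invocation with the guide's host names:
#   lb_commands stms-cluster.example.com 80 60 meetsvr1.example.com meetsvr2.example.com
```

On Windows the same commands apply, except that the guide sets the sticky time in the Load Balancer interface rather than with dscontrol port set; drop that last line there. Saving the configuration (default.cfg) is still done from the interface as in the final step of each procedure.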
Configuring a Lotus Sametime Meeting Server
This section describes how to configure a Lotus Sametime Meeting Server.
Configuring the Sametime Meeting Server for document
conversion
IBM Lotus Sametime Meeting Server lets you take files of various formats (slides,
images, and documents) and converts them so they can be shared in a meeting
room as slides.
About this task
The Lotus Sametime Meeting Server uses the file system on the server to store and
convert documents and presentations to slides. This section shows you how to
configure the server for document conversion technology.
Note: There are no special configuration steps for using document conversion
technology on Windows servers.
Configuring the Sametime Meeting Server for document
conversion on AIX
The IBM Lotus Sametime Meeting Server uses the file system on the server to store
and convert documents and presentations for the meeting room. Follow these steps
to configure document conversion technology on an AIX server.
Procedure
1. Set the following environment variables. The WebSphere path might be
different in your deployment.
PATH=$PATH:/opt/IBM/WebSphere/STMeetingsServer/stellent
export PATH
LIBPATH=$LIBPATH:/opt/IBM/WebSphere/STMeetingsServer/stellent
export LIBPATH
2. Install the X Virtual Frame Buffer (Xvfb) and configure it so that it runs
whenever you start WebSphere:
a. Install the XVFB packages from your operating system CDs:
v OpenGL.OpenGL_X.dev.vfb.05.01.0000.0000 or the equivalent
v X11.vfb.05.01.0000.0000 or the equivalent
b. Log in from a terminal shell as the root user and run the following
command:
/usr/bin/X11/X -vfb -x GLX -x abx -x dbe -force :1 &
c. Verify that the VFB is running properly by entering the following command:
/usr/lpp/X11/Xamples/bin/xprop -display server_name:1 -root | grep VFB
Where server_name is the name of your AIX server and 1 is the display
number you have associated with this instance of the XVFB. It can be any
number except 0. The following message appears:
XVFB_SCREEN(STRING) = "TRUE"
3. Set the DISPLAY variable to the display number you defined in the previous
step:
DISPLAY=server_name:1
export DISPLAY
Configuring the Sametime Meeting Server for document
conversion on Linux
The IBM Lotus Sametime Meeting Server uses the file system on the server to store
and convert documents and presentations for the meeting room. Follow these steps
to configure document conversion technology on a Linux server. Document
conversion is supported on all Linux servers except for those running on IBM
System z®. A separate remote Meeting server can be deployed specifically for
document conversion and can run on Windows or any other supported operating
system.
Procedure
1. If you have legally licensed true-type fonts available, copy them to
/opt/IBM/WebSphere/STMeetingsServer/stellent/fonts. Make sure that the
extensions for the fonts are lowercase (*.ttf) and each font has the correct
permission level (755).
2. Set the following environment variables. The WebSphere path might be
different in your deployment.
PATH=$PATH:/opt/IBM/WebSphere/STMeetingsServer/stellent
export PATH
LD_LIBRARY_PATH=$LD_LIBRARY_PATH:/opt/IBM/WebSphere/STMeetingsServer/stellent
export LD_LIBRARY_PATH
GDFONTPATH=/opt/IBM/WebSphere/STMeetingsServer/stellent/fonts
export GDFONTPATH
Note: The LD_LIBRARY_PATH variable can be overwritten by other scripts. If you
are able to convert image files but not other documents (.txt, .doc, .ppt, and
so on), this might be the cause. Type 'set' in a terminal to see whether this
variable is still set and has the correct value.
Note: The GDFONTPATH variable must not contain a ':' in the beginning. The
only value that should be set here is the path to the fonts. Do not append
anything before or after.
Configuring the Sametime Meeting Server for document
conversion on Solaris
The IBM Lotus Sametime Meeting Server uses the file system on the server to store
and convert documents and presentations for the meeting room. Follow these steps
to configure document conversion technology on a Solaris server.
Procedure
1. If you have legally licensed true-type fonts available, copy them to
/opt/IBM/WebSphere/STMeetingsServer/stellent/fonts. Make sure that the
extensions for the fonts are lowercase (*.ttf) and each font has the correct
permission level (755).
2. Set the following environment variables. The WebSphere path might be
different in your deployment.
PATH=$PATH:/opt/IBM/WebSphere/STMeetingsServer/stellent
export PATH
LD_LIBRARY_PATH=$LD_LIBRARY_PATH:/opt/IBM/WebSphere/STMeetingsServer/stellent
export LD_LIBRARY_PATH
GDFONTPATH=/opt/IBM/WebSphere/STMeetingsServer/stellent/fonts
export GDFONTPATH
Note: The GDFONTPATH variable must not contain a ':' in the beginning. The
only value that should be set here is the path to the fonts. Do not append
anything before or after.
3. If you cannot obtain suitable fonts for the GDFONTPATH option, you may set
up an X Virtual Frame Buffer for conversion. Xvfb is already installed on
Solaris 9 in /usr/openwin/bin. Solaris 8 users must obtain a separate
implementation of Xvfb.
a. Log in from a terminal shell as the root user and run the following
command:
/usr/openwin/bin/Xvfb :1 -screen 0 1280x1024x8 &
You can assign any number except 0 in place of the number 1 in the above
example. This is the display number you wish to have associated with this
instance of the XVFB. You might get a "No such file or directory" message.
This is normal.
b. Verify that the VFB is running properly by entering the following command:
ps -ef | grep vfb
You should see the Xvfb process running.
4. Set the DISPLAY variable to the display number you defined in the previous
step:
DISPLAY=server_name:1
export DISPLAY
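The Linux and Solaris procedures above both depend on environment details that fail silently: a stray ':' in GDFONTPATH, an LD_LIBRARY_PATH overwritten by another script (the guide's stated reason images convert while .doc and .ppt files do not), or a font file with an uppercase extension or the wrong mode. The shell functions below are an added example, not part of the IBM guide, that check those conditions; the function names and the STELLENT_DIR variable are assumptions of this example, the rules they enforce are the guide's, and the default path is the guide's sample WebSphere path.

```shell
#!/bin/sh
# Added example, not from the IBM guide: sanity checks for the document
# conversion environment set up in the Linux and Solaris procedures.
# Function names and STELLENT_DIR are assumptions of this example; the
# default below is the guide's sample path.
STELLENT_DIR=/opt/IBM/WebSphere/STMeetingsServer/stellent

# GDFONTPATH must be exactly one absolute path: no leading, trailing or
# embedded ':' (the guide warns specifically against prepending one).
check_gdfontpath() {
    case "$1" in
        ''|*:*) return 1 ;;
        /*) return 0 ;;
        *) return 1 ;;
    esac
}

# LD_LIBRARY_PATH ($1) must still contain the stellent directory ($2) as a
# whole element, not merely as a substring of some other entry.
check_libpath_contains() {
    case ":$1:" in
        *":$2:"*) return 0 ;;
        *) return 1 ;;
    esac
}

# One font file: lowercase .ttf extension and mode 755, as the guide requires.
check_font_file() {
    f="$1"
    case "$f" in
        *.ttf) ;;
        *) echo "not a lowercase .ttf file: $f" >&2; return 1 ;;
    esac
    # GNU stat first, BSD-style stat as a fallback.
    mode=$(stat -c '%a' "$f" 2>/dev/null || stat -f '%Lp' "$f" 2>/dev/null)
    if [ "$mode" != "755" ]; then
        echo "mode is '$mode', expected 755: $f" >&2
        return 1
    fi
    return 0
}

# Every regular file in the fonts directory must pass; each offender is
# reported and the function returns non-zero if there was any.
check_fonts_dir() {
    dir="$1"; bad=0
    for f in "$dir"/*; do
        [ -f "$f" ] || continue
        check_font_file "$f" || bad=$((bad + 1))
    done
    [ "$bad" -eq 0 ]
}

# Check the live environment of the current shell; run it from the same
# shell that starts WebSphere, after the exports from the procedure.
check_conversion_env() {
    rc=0
    check_gdfontpath "${GDFONTPATH:-}" || { echo "GDFONTPATH is unset or malformed: '${GDFONTPATH:-}'" >&2; rc=1; }
    check_libpath_contains "${LD_LIBRARY_PATH:-}" "$STELLENT_DIR" || { echo "LD_LIBRARY_PATH lacks $STELLENT_DIR" >&2; rc=1; }
    if [ -d "${GDFONTPATH:-/nonexistent}" ]; then
        check_fonts_dir "$GDFONTPATH" || rc=1
    fi
    return $rc
}
```

Run check_conversion_env in the shell that will start the Meeting Server; a non-zero return with the reported reason on stderr points at the specific setting to fix before restarting the server.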
Configuring the Sametime Meeting Server for document
conversion on IBM i
The IBM Lotus Sametime Meeting Server uses the file system on the server to store
and convert documents and presentations for the meeting room. Follow these steps
to configure document conversion technology on an IBM i server.
Before you begin
The following products must be installed in order to run conversion services on
IBM i:
v Portable Application Solutions Environment (PASE), 5722SS1 or 5761SS1, option
33
v OS/400 - Additional Fonts, 5722SS1 or 5761SS1, option 43
Procedure
1. The number set in the DISPLAY environment variable must match the number
used in the command to start the XVFB server in the next step.
ADDENVVAR ENVVAR(DISPLAY) VALUE('localhost:10') LEVEL(*SYS) REPLACE(*YES)
ADDENVVAR ENVVAR(LIBPATH) VALUE('/qibm/proddata/websphere/appserver/v7/STMeetingsServer/stellent') LEVEL(*SYS) REPLACE(*YES)
ADDENVVAR ENVVAR(PATH) VALUE('/usr/bin:.:/QOpenSys/usr/bin:/qibm/proddata/websphere/appserver/v7/STMeetingsServer/stellent') LEVEL(*SYS) REPLACE(*YES)
2. The X Virtual Frame Buffer is used in the file conversion process. It must be
running for file conversions to take place. From an IBM i command line, run
the following command. This example was formatted for readability; you must
enter the command as a single line.
QSYS/SBMJOB CMD(QSYS/CALL PGM(QSYS/QP2SHELL)
PARM(’/usr/bin/X11/X’ ’-vfb’ ’:10’ ’-d’ ’24’))
USER(QEJBSVR) JOB(QSTXVFB1) JOBQ(QSYSNOMAX)
This command starts the XVFB on DISPLAY :10.
Note: To check whether the XVFB server is running, use this command:
WRKACTJOB JOB(QSTXVFB*).
The environment variables must be set when the Lotus Sametime Meeting
Server starts, and the XVFB server must be running for file conversions to
occur. If the Lotus Sametime Meeting Server was already running during this
setup, the Lotus Sametime Meeting Server must be restarted before files will
be converted.
Assigning administrators to the Meeting Room Center
The administrator role must be assigned to a subset of users that are allowed to
see meeting statistics for all meeting rooms.
Before you begin
You need to do this first.
About this task
The default IBM Lotus Sametime Meeting Server installation maps all users to the
administrator role, which allows all users to see meeting statistics. Meeting
statistics will show all meeting rooms, including those that are hidden. Map the
administrator role to a subset of users that are allowed to see meeting statistics for
all rooms.
Procedure
1. Log in to the Integrated Solutions Console.
2. Click Applications → Application Types → WebSphere enterprise applications.
3. Click the Lotus Sametime Meeting Server.
4. Under Detailed Properties, click Security role to user/group mapping.
5. To map the administrator role to a select set of users or groups, follow these
steps:
a. Select the administrator role, and click Map Users... or Map Groups....
b. Select the name of the user or group and click the right arrow.
c. Click OK.
6. To remove all authenticated users from the administrators role, follow these
steps:
a. Select the administrator role.
b. Click Map Special Subjects.
c. Select none.
d. Click OK.
Clustering Lotus Sametime Meeting Servers
Configuring a cluster of IBM Lotus Sametime Meeting Servers involves several
tasks, including synchronizing system clocks, configuring the cluster settings, and
configuring an IBM WebSphere proxy server for the cluster, as well as optionally
deploying an IBM Load Balancer in front of the cluster.
Before you begin
You can create two types of clusters:
v A Vertical cluster resides on the Primary node and includes two or more cluster
members, which run the same application.
v A Horizontal cluster includes a Primary node plus one or more Secondary
nodes, all running the same application. Each node contains one cluster member.
Before you can configure a cluster of Lotus Sametime Meeting Servers, you must
have installed the following servers:
v The Lotus Sametime System Console
This server can function as the Deployment Manager for the vertical or
horizontal cluster scenarios described in this procedure.
Attention: Each Deployment Manager (including the Sametime System
Console when it is used as a Deployment Manager) can support one cluster
of each Sametime product. For example, a single Deployment Manager can
support a Sametime Proxy server cluster, a Media Manager cluster, and a
Meeting server cluster. If you want to create additional clusters for a
particular product, you must deploy additional Deployment Managers.
v (Optional) Lotus Sametime Community Servers
At least one Lotus Sametime Community Server must be deployed if you
want to provide presence and awareness for users attending online meetings.
v One Lotus Sametime Meeting Server installed with the Network
Deployment → Primary Node option.
Every cluster requires exactly one Primary Node. The application server on
the Primary Node will function as the cluster's application template. All
other application servers in the cluster (nodes and cluster members) will be
duplicated from the Primary Node's application server. The Primary node's
application server can only belong to one cluster. The Primary Node can be
used as a container for additional cluster members when creating a vertical
cluster (multiple cluster members on the same physical system).
v (Horizontal cluster only) One or more Lotus Sametime Meeting Servers
installed with the Network Deployment → Secondary Node option.
Secondary nodes are used to horizontally scale your cluster across multiple
physical systems. These additional nodes act as containers for additional
cluster members, which can be used to balance loads and provide failover
within the cluster. During the clustering process, you can deploy additional
product application servers on any Secondary Nodes within the cluster,
creating a horizontal cluster (one cluster member on each Secondary Node,
plus one cluster member or one vertical cluster on the Primary Node).
About this task
There are several tasks involved in creating a cluster; complete them in the
sequence shown here:
Attention:
Complete all of the tasks to ensure your cluster operates properly.
Setting clocks on the servers to be clustered
Synchronize the system clocks on the servers to be clustered with an IBM
WebSphere Application Server network deployment.
About this task
This task is required to ensure that the servers can be federated to the Deployment
Manager during creation of the cluster. Working on the Lotus Sametime System
Console, complete this task for every server that you will add to the cluster.
Procedure
For each server that will be added to the cluster, set the system clock to exactly the
same time as the Deployment Manager's (the Lotus Sametime System Console)
system clock.
Clustering Sametime servers running on WebSphere Application
Server
Use the IBM Lotus Sametime System Console to create a cluster of Lotus Sametime
Servers hosted on IBM WebSphere Application Server. The Lotus Sametime servers
must all be running the same type of server; for example, Lotus Sametime Meeting
Server, Lotus Sametime Proxy Server, Lotus Sametime Media Manager Conference
Manager, or Lotus Sametime Media Manager SIP Proxy and Registrar.
Before you begin
Start the Lotus Sametime System Console and the servers you intend to cluster.
Note: This guided activity is only for Lotus Sametime servers hosted on IBM
WebSphere Application Server, and does not apply to the Lotus Sametime
Community Server.
About this task
Multiple product clusters are not supported on a single computer; however,
vertical clusters (all cluster members installed on the Primary Node) are supported
when each product cluster is on a dedicated computer. A horizontal cluster is
defined as a cluster with each cluster member having a dedicated computer (one
on the Primary Node and one on each Secondary Node).
If you have not already opened the Cluster WebSphere Application Servers guided
activity, follow these steps:
Procedure
1. From a browser, enter the following URL, replacing serverhostname.domain with
the fully qualified domain name of the Lotus Sametime System Console server.
http://serverhostname.domain:8700/ibm/console
2. Enter the WebSphere Application Server User ID and password that you
created when you installed the Lotus Sametime System Console.
3. Click the Sametime System Console task to open it in the navigation tree.
4. Click Guided Activities → Cluster WebSphere Application Servers.
Guided activity: Clustering Sametime servers running on WebSphere
Application Server:
This guided activity takes you through the steps for clustering IBM Lotus
Sametime servers hosted on IBM WebSphere Application Server. The servers you
add to the cluster must all be running the same Lotus Sametime product
application; for example, Lotus Sametime Meeting Server, Lotus Sametime Proxy
Server, Lotus Sametime Media Manager Conference Manager, or Lotus Sametime
Media Manager SIP Proxy and Registrar.
Before you begin
1. Install the Lotus Sametime System Console and two or more Lotus Sametime
servers of the same product type; then start the Lotus Sametime System
Console and all of the servers you plan to cluster.
This guided activity applies to the following Lotus Sametime servers:
v Lotus Sametime Proxy Server
v Lotus Sametime Meeting Server
v Lotus Sametime Media Manager
Clustering is not available for the Packet Switcher; it is also not available for
an "All Components" installation of the Media Manager, which includes the
Packet Switcher. The Conference Manager components and the SIP Proxy
and Registrar components must be installed and clustered on dedicated
computers.
2. Run the backupConfig utility for the Deployment Manager, the Primary Node,
and any Secondary Nodes before beginning the cluster guided activity. The
utility is located in the bin folder under the profile of each server. The utility
automatically shuts down any running servers in the profile, so you must
restart the servers after running the utility. Use the restoreConfig utility to
restore the configuration if the changes need to be undone. For more
information on backupConfig and restoreConfig, see the WebSphere
Application Server Information Center.
About this task
Multiple product clusters are not supported on a single computer; however,
vertical clusters (all cluster members installed on the Primary Node) are supported
when each product cluster is on a dedicated computer. A horizontal cluster is
defined as a cluster with each cluster member having a dedicated computer (one
on the Primary Node and one on each Secondary Node).
Note that you cannot use this activity to cluster Lotus Sametime Community
Servers (see "Clustering Lotus Sametime Community Servers") or Lotus Sametime
Gateway servers (see "Installing Lotus Sametime Gateway servers in a cluster").
Configure a cluster of one type of product server to improve performance with
high availability, and to provide failover. You can create a horizontal cluster in
which each node is hosted on a separate computer, as well as a vertical cluster
with multiple cluster members hosted on the Primary Node.
These instructions generally assume that you will use the Lotus Sametime System
Console as the cluster's Deployment Manager, which provides a single Integrated
Solutions Console for all WebSphere administrative functions for all servers
participating in the cell – this simplifies the administrative experience. If you create
clusters for both Lotus Sametime Proxy Server and Lotus Sametime Meeting
Server, then at least one of those clusters will require a dedicated Deployment
Manager; this is only true when you deploy both types of clusters.
Procedure
1. Cluster WebSphere Application Servers.
Click Next to begin the clustering activity.
2. Select Product to Cluster.
Select the product server to cluster, and then click Next.
The list only displays Lotus Sametime products for which one or more servers
have been installed and registered with the Lotus Sametime System Console. If
you installed servers using deployment plans, they are registered with the
console automatically. If you did not use a deployment plan, you must
manually register the servers with the console before proceeding (see
"Registering servers with the Lotus Sametime System Console").
3. Select or Create a Cluster.
To create a cluster or upgrade a cluster:
a. Click Create Cluster if you are setting up a new cluster, or click Upgrade
Existing Cluster.
b. Type a descriptive name for the cluster in the Cluster Name field.
For example, if you are creating a cluster of Lotus Sametime Meeting
Servers, you will probably want to indicate that in the cluster name so you
can easily identify it later.
c. Click Next.
To modify an existing cluster; for example, to add a new cluster member:
a. Click Select Existing Cluster.
b. Select a cluster in the Cluster Name list.
If you are going to add a node or cluster member to the cluster, you must
use the same Lotus Sametime product. For example, you cannot add a
Lotus Sametime Meeting Server cluster member to a cluster of Lotus
Sametime Proxy Servers.
c. Click Next.
4. Select the Deployment Manager.
In the Select Deployment Manager list, select the Lotus Sametime System
Console as the cluster's deployment manager, and then click Next.
Every cluster must have exactly one Deployment Manager; the Lotus Sametime
System Console can function as the Deployment Manager for multiple clusters.
Remember that if you will create clusters for both Lotus Sametime Proxy Server
and Lotus Sametime Meeting Server, at least one of those clusters requires a
dedicated Deployment Manager; this is only true when your deployment will
include both types of cluster.
5. Select the Primary Node.
a. In the Select Primary Node list, select the server that will serve as the
cluster's primary node.
Every cluster must have exactly one Primary Node, the application server
that will function as a template for the cluster member servers. All
Secondary Nodes and Cluster Members will be created by duplicating the
application server hosted on the Primary Node.
b. Click the Federate Node button to provide the Deployment Manager with
configuration information about the new node.
Note: Make sure that the Primary Node's application server is running.
This action allows the Primary Node to be administered from the
Deployment Manager's Integrated Solutions Console. The federation and
clustering processes are very complex and may take 5-10 minutes to
complete. Please be patient; click these buttons only once and then wait for
the page to finish loading before continuing.
If the federate primary node action completed and the Create cluster button
is not enabled, or the federate primary node returned an error, wait 3-5
minutes and retry the operation by clicking the Federate Node button
again. If this operation continues to fail, it may be necessary to restart the
Deployment Manager and Primary Node and then click the Federate Node
button again to continue the guided activity.
c. Click the Create cluster button to configure the cluster settings, and then
click Next.
Do not click anywhere on the browser until the operation completes or it
may interrupt the clustering process.
6. Select One or More Secondary Nodes.
If you are creating a horizontal cluster where each node is hosted on a separate
computer, add one or more secondary nodes to the cluster. Be sure to federate
each selected node before proceeding to select another.
a. In the Secondary Node Name list, click the node you want to add to the
cluster.
You can add only one node at a time, and you must federate it before
selecting the next node. If a node's Status indicates "Federated" it already
belongs to a cluster (either this cluster or a different one) and cannot be
added now.
b. Click the Federate Node button to provide the Deployment Manager with
configuration information about the new node.
Once the connection is complete, the node's Status displays "Federated" –
this may take some time, but do not proceed until the node has been
successfully federated.
If the federate node action completed and the Secondary Node's status has
not changed to "Federated" or the federate node returned an error, wait 3-5
minutes and then retry the operation by clicking the Federate Node button
again. If this operation continues to fail, it may be necessary to restart the
Deployment Manager and secondary node and then click the Federate
Node button again to continue this guided activity.
c. Repeat steps a. and b. until you have added all your Secondary Nodes to
the cluster.
d. Click Next.
7. Add Cluster Members.
If you are creating a vertical cluster where multiple copies of the application
are hosted on a single computer, add one or more "cluster members" to the
Primary Node. If you are creating a horizontal cluster, add one cluster member
to each of the secondary nodes you federated in the previous step.
The table lists Cluster Members, the Node that the cluster resides on, and the
Status of each cluster member. Each node in the cluster needs to have at least
one cluster member created on it for the node to be used in the cluster.
The status of a Cluster Member will be "Clustered" if the cluster member has
been completely configured on the node. If the status is "Ready to Cluster",
select the Cluster Member and use the "Add to Cluster" button to finish
configuring the cluster member.
Vertical cluster:
a. To add a new cluster member, click New.
b. Select the default name generated for the cluster member or enter your own
cluster member server name.
c. Select the Primary Node to create the cluster member on.
d. Click the Add to Cluster button.
The status will change from "Ready to cluster" to "Clustered".
e. Click Next.
Horizontal cluster:
For each Secondary Node you federated in the previous step, a cluster member
is prepopulated into the table for you, one on each of the Secondary Nodes.
a. Select the default cluster member name for each server or update with your
own name, and verify that the nodes the cluster member servers will be
created on are correct for your topology.
b. One at a time, select each cluster member and click the Add to Cluster
button.
Do not proceed until the current cluster member's status changes from
"Ready to cluster" to "Clustered"; then you can add the next cluster member.
c. If you want to add more cluster members, click the New button to add
another row to the table, and then fill out the information accordingly.
d. Click Next.
8. Deployment Summary
Click Finish to save the cluster configuration.
Continue with the cluster configuration tasks described in the Sametime
information center.
Configuring the cluster
Complete the configuration for clustering IBM Lotus Sametime Meeting Servers
using an IBM WebSphere Application Server network deployment.
Before you begin
Create a cluster of Lotus Sametime Meeting Servers using the guided activity,
synchronize the nodes in the cluster, and start all of the application servers.
About this task
Completing the cluster's configuration requires the following tasks:
Restarting and synchronizing nodes in the cluster:
Synchronize the nodes in an IBM WebSphere Application Server network
deployment.
About this task
Synchronizing nodes in a cluster ensures that the Deployment Manager has an
up-to-date copy of each node's configuration.
Procedure
1. Log in to the Deployment Manager's (the Lotus Sametime System Console)
Integrated Solutions Console as the WebSphere administrator.
2. Stop the Deployment Manager:
a. Click System Administration → Deployment manager.
b. Click the "Configuration" tab.
c. On the Configuration tab of the deployment manager settings, click Stop.
3. Now start the Deployment Manager:
a. Open a command window and navigate to the app_server_root/profiles/
DeploymentManagerName/bin directory.
b. Run the following command:
IBM AIX, Linux, or Solaris
./startManager.sh
Microsoft Windows
startManager.bat
IBM i
1) On the Control Language (CL) command line, run the Start Qshell
(STRQSH) command.
2) At the Qshell prompt, run the following commands:
cd app_server_root/profiles/DeploymentManagerName/bin
startManager dmgr
4. Synchronize all the nodes:
a. In the Deployment Manager's Integrated Solutions Console, click System
Administration → Nodes.
b. Select all nodes in the cluster.
c. Click Full Resynchronize.
5. Restart all nodes in the cluster:
a. In the Deployment Manager's Integrated Solutions Console, click System
Administration → Node agents.
b. Click a node agent, and then click Start (or Restart if the node agent is
already running).
Restarting the application servers in the cluster:
During cluster configuration, each node's application server was stopped so that
the node could be federated. Start all of the application servers now.
About this task
Use the IBM Lotus Sametime System Console to start each of the application
servers in the cluster.
Procedure
1. Log in to the Deployment Manager's (the Lotus Sametime System Console)
Integrated Solutions Console as the WebSphere administrator.
2. Click Servers → Clusters → WebSphere application server clusters in the
navigation tree.
3. Select the cluster's check box and click Start to start all cluster member servers.
Setting up a WebSphere proxy server for the cluster
Set up an IBM WebSphere proxy server for use with a cluster of IBM Lotus
Sametime servers. The proxy server can be hosted on a product node, or on a
separate computer; it performs routing and caching tasks for the servers in the
cluster.
About this task
If you deployed the Lotus Sametime Meeting Server cluster using a standalone
Deployment Manager, you must deploy a WebSphere proxy server to operate with
the cluster. If the cluster uses the Lotus Sametime System Console as its
Deployment Manager, the WebSphere proxy server was automatically deployed on
the console but may need to be configured.
If the Meeting Server cluster experiences a high level of demand, you may want to
deploy an additional, stand-alone, WebSphere proxy server to distribute the load
and mitigate the single point-of-failure.
(Optional) Adding a stand-alone WebSphere proxy server to the cluster:
Install a stand-alone IBM WebSphere proxy server for use with a cluster of IBM
Lotus Sametime servers.
Before you begin
This topic explains how to install a stand-alone WebSphere proxy server by
installing an extra node into the Lotus Sametime cluster, removing the Lotus
Sametime application, and then configuring the WebSphere proxy server that
remains. If you just want to configure the WebSphere proxy server that was
automatically installed with WebSphere Application Server on one of the existing
nodes in your Lotus Sametime cluster, skip this task and proceed directly to
Configuring a WebSphere proxy server.
About this task
A cluster of Lotus Sametime servers requires at least one WebSphere proxy server
to handle routing and caching tasks. When you install Lotus Sametime on a node
in the cluster, WebSphere Application Server and WebSphere proxy server are also
installed. The WebSphere proxy server merely needs to be configured for use.
To reduce the resource load on product nodes and avoid port conflicts, you may
choose to install a stand-alone WebSphere proxy server on a separate computer
instead of using the instance that was installed on a Lotus Sametime node. Or, you
may configure the instance on the Lotus Sametime node and then install an
additional instance on a separate computer, and use a load balancer to share the
load between them.
Note: If you previously installed a WebSphere proxy server on one of the Lotus
Sametime nodes in the cluster and are now seeing excessive CPU usage on that
node, you should install and configure an additional proxy server now.
To install a stand-alone WebSphere proxy server, you will install an extra Lotus
Sametime node using the "Secondary Node" option, and then federate the new
node into the cluster. You will then remove the Lotus Sametime application from
the new node while leaving WebSphere proxy server intact. Finally, you will
configure the WebSphere proxy server for use with the cluster.
Installing an additional Lotus Sametime server as a Secondary Node:
Install an IBM Lotus Sametime product server as a Secondary Node, and then
federate it into a cluster.
About this task
The first stage in deploying a stand-alone IBM WebSphere proxy server is to create
a deployment plan, and then use the Lotus Sametime System Console to install the
new Lotus Sametime server. Because you will later federate the new product node
into the cluster, you must install the same product now. For example, if you are
working with a cluster of Lotus Sametime Meeting Servers, then install a new
Meeting Server.
Important: Install the new node using the "Secondary Node" option to ensure you
can federate it to the cluster later.
Federating the new Secondary Node to the cluster:
Federate the newly installed Secondary Node into a cluster of IBM Lotus Sametime
servers.
About this task
The next stage in deploying a stand-alone IBM WebSphere proxy server is to
federate the new Lotus Sametime node into the existing cluster. For this task, you
will use the Clustering guided activity, selecting the "Select Existing Cluster" option
(in Step 3) and then choosing the appropriate cluster.
When you run the cluster guided activity there are two phases: first, the proxy server is
federated to the cluster's Deployment Manager; then the proxy server is added into
the cluster as a new member. Be sure to complete all steps in the guided activity to
properly add the proxy server to the cluster.
Clustering Sametime servers running on WebSphere Application Server:
Use the IBM Lotus Sametime System Console to create a cluster of Lotus Sametime
Servers hosted on IBM WebSphere Application Server. The Lotus Sametime servers
must all be running the same type of server; for example, Lotus Sametime Meeting
Server, Lotus Sametime Proxy Server, Lotus Sametime Media Manager Conference
Manager, or Lotus Sametime Media Manager SIP Proxy and Registrar.
Before you begin
Start the Lotus Sametime System Console and the servers you intend to cluster.
Note: This guided activity is only for Lotus Sametime servers hosted on IBM
WebSphere Application Server, and does not apply to the Lotus Sametime
Community Server.
About this task
Multiple product clusters are not supported on a single computer; however,
vertical clusters (all cluster members installed on the Primary Node) are supported
when each product cluster is on a dedicated computer. A horizontal cluster is
defined as a cluster with each cluster member having a dedicated computer (one
on the Primary Node and one on each Secondary Node).
If you have not already opened the Cluster WebSphere Application Servers guided
activity, follow these steps:
Procedure
1. From a browser, enter the following URL, replacing serverhostname.domain with
the fully qualified domain name of the Lotus Sametime System Console server.
http://serverhostname.domain:8700/ibm/console
2. Enter the WebSphere Application Server User ID and password that you
created when you installed the Lotus Sametime System Console.
3. Click the Sametime System Console task to open it in the navigation tree.
4. Click Guided Activities → Cluster WebSphere Application Servers.
Removing the Lotus Sametime product from the new node:
After you have federated a new IBM Lotus Sametime node to a cluster, remove the
Lotus Sametime application but leave the IBM WebSphere proxy server intact.
About this task
After the new node has been federated to the cluster, it can be managed by the
cluster's Deployment Manager. Since the purpose of this new node is to provide a
WebSphere proxy server, the Lotus Sametime product application is no longer
needed on that node, and can be removed.
Procedure
1. On the cluster's Deployment Manager, log in to the Integrated Solutions
Console as the WebSphere administrator.
2. Click Servers → WebSphere application servers.
3. In the list of servers, click the name of the new Lotus Sametime node.
4. At the top of the list, click the Delete button.
5. When prompted for confirmation, click OK.
6. Save the change by clicking the Save link in the "Messages" box at the top of the
page.
7. Verify that the server has been deleted by making sure it no longer appears in
the list of servers.
Configuring a WebSphere proxy server:
Configure an IBM WebSphere proxy server to perform routing and caching tasks
for a cluster of IBM Lotus Sametime servers running on WebSphere Application
Server.
Before you begin
Create a cluster of Lotus Sametime servers running on WebSphere Application
Server; start the Deployment Manager (the Lotus Sametime System Console) as
well as all node agents and application servers in the cluster.
Use these instructions to configure a WebSphere proxy server that operates with
the following Lotus Sametime server clusters:
v Meeting Server
v Conference Manager
v SIP Proxy and Registrar
About this task
A cluster of Lotus Sametime servers that run on WebSphere Application Server can
use a WebSphere proxy server to manage routing and caching tasks. To ensure
redundancy in the case of a proxy server failure, you may want to configure
multiple proxy servers for the cluster. Use a Load Balancer in that case to divide
the incoming load between the proxy servers. You can host a WebSphere proxy
server on any node in the cluster (except the Lotus Sametime System Console) but
because it uses a lot of system resources, you may want to host it on its own
computer.
Note: If you install multiple WebSphere proxy servers, you will need a Load
Balancer to divide the incoming load among the proxy servers. Installing IBM
Load Balancer is discussed later in this section.
Procedure
1. Log in to the Deployment Manager's (the Lotus Sametime System Console)
Integrated Solutions Console as the WebSphere administrator.
2. In the navigation tree, click Servers → Server Types → WebSphere proxy
servers.
3. In the proxy servers table, click the New button at the top of the table.
4. In the "Create a new proxy server entry" dialog box, do the following:
a. In the "Select a node" box, select the node that will host the WebSphere
proxy server.
Be sure to select a node that belongs to the appropriate cluster.
b. Type a name for the new proxy server; for example "was_proxy1", and then
click Next.
c. In the "Specify server specific properties" box, select the appropriate
"Support protocol" settings for your cluster, select Generate unique ports,
and then click Next.
v If you are configuring this WebSphere proxy server for a Meeting Server
cluster: deselect the SIP protocol.
v If you are configuring this WebSphere proxy server for a SIP Proxy and
Registrar cluster: accept both HTTP and SIP protocols.
v If you are configuring this WebSphere proxy server for a Conference
Manager cluster: accept both HTTP and SIP protocols.
d. In the "Select a server template" box, select proxy_server_foundation (the
WebSphere Default Proxy Server Template), and then click Next.
e. In the "Confirm new server" box, click Finish.
5. Save the changes by clicking the Save link in the "Messages" box at the top of
the page.
6. Resynchronize the nodes:
a. On the Deployment Manager, log in to the Integrated Solutions Console as
the WebSphere administrator.
b. Click System Administration → Nodes.
c. Select all of the nodes in the cluster.
d. Click Full Resynchronize.
7. (Conference Manager cluster, SIP Proxy and Registrar cluster) Assign the new
proxy server to the cluster:
a. Click Servers → Server Types → WebSphere proxy servers →
proxy_server_name → SIP Proxy Server Settings → SIP proxy settings.
b. In the "Default cluster" field, select the cluster that you are configuring this
WebSphere proxy server to work with.
c. Click Apply.
8. Now start the new WebSphere proxy server:
a. Again in the Integrated Solutions Console's navigation tree, click Servers →
Proxy Servers.
b. In the "Proxy Servers" page, select the new proxy server from the list.
c. Click the Start button above the list of proxy servers.
Enabling the WebSphere proxy server to cache dynamic content:
Optionally configure an IBM WebSphere proxy server to cache dynamic content.
Before you begin
Configure a WebSphere proxy server for use with a cluster of Lotus Sametime
Meeting Servers, and then start the WebSphere proxy server.
About this task
The WebSphere proxy server does not cache application server dynamic content by
default; you can optionally enable caching by completing these steps.
Procedure
1. Log in to the Deployment Manager's (the Lotus Sametime System Console)
Integrated Solutions Console as the WebSphere administrator.
2. Click Server Types → WebSphere Proxy Servers.
3. In the "WebSphere Proxy Servers" dialog box, select the proxy you would like
to enable dynamic caching on.
4. On the "Configuration" page, expand HTTP Proxy Server Settings and under
it, click Proxy Settings.
5. On the "Proxy Settings" page, locate the "Caching" section and do the following:
a. Go to the "Enable Caching" section.
b. Select a cache from the "Cache instance name" list.
c. Click Cache Dynamic Content.
d. Accept the default "Cache update URI" value.
e. Click OK.
6. Synchronize all nodes in the cluster:
a. Back in the Integrated Solutions Console's navigation tree, click System
Administration → Nodes.
b. Select all of the nodes in the cluster.
c. Click Full Resynchronize.
Creating object cache instances for the WebSphere proxy server:
Create an object cache for the IBM WebSphere proxy server so it can track which
server hosts each online meeting.
Before you begin
Add one or more WebSphere proxy servers that will operate with a cluster of IBM
Lotus Sametime Meeting Servers.
About this task
The WebSphere proxy server requires an object cache in which to store information
tracking which online meetings are hosted on which Lotus Sametime Meeting
Servers.
238
Lotus Sametime: Installation and Administration Guide Part 2
Procedure
1. Log in to the Deployment Manager's (the Lotus Sametime System Console)
Integrated Solutions Console as the WebSphere administrator.
2. Click Resources → Cache Instances → Object Cache Instances.
3. Click in the Scope field and select a WebSphere proxy server that will be used
by the cluster of Lotus Sametime Meeting Servers.
4. Click New.
This launches a wizard to create the new object cache.
5. In the "New Object Cache" dialog box, click in the Name field and type a
descriptive name for the new cache; for example "Wasproxy1_Id_Cache".
6. In the JNDI Name field, type proxy/rtc4web_id_cache exactly as shown.
7. Click OK to complete the wizard.
8. Save your changes to the master configuration by clicking the Save button
when prompted.
9. Repeat this process for each WebSphere proxy server used by the cluster.
Adding a path for routing filters on the WebSphere proxy server:
Add a path to the IBM WebSphere proxy server's class loader so that the IBM
Lotus Sametime routing filters are loaded correctly for a cluster.
Before you begin
Configure one or more WebSphere proxy servers to operate with the cluster of
Lotus Sametime servers.
About this task
Defining a path for "ws.ext.dirs" adds that directory to the WebSphere extensions
class loader, so the Lotus Sametime routing filters are loaded by the root class
loader rather than by an application class loader.
Procedure
1. Log in to the Deployment Manager's (the Lotus Sametime System Console)
Integrated Solutions Console as the WebSphere administrator.
2. Click Servers → Server Types → WebSphere proxy servers.
3. In the table listing the WebSphere proxy servers, click the link representing the
proxy server you want to modify.
This displays the Configuration tab for the selected proxy server.
4. Under "Server Infrastructure", expand Java Process Management, and then
click Process definitions.
5. Under "Additional Properties", click Java Virtual Machine.
6. Under "Additional Properties", click Custom Properties.
7. In the table listing the custom properties, click the New button.
8. Create a new entry named ws.ext.dirs with the value ${USER_INSTALL_ROOT}/
optionalLibraries/rtc (spell it exactly as shown here).
9. Click OK to save the new custom property.
10. Click Save.
11. Repeat this process for every WebSphere proxy server that is operating with
the cluster.
Installing IBM Load Balancer
Install and configure IBM Load Balancer to distribute workload among a cluster of
one of these server types: Sametime Proxy Server, Sametime Meeting Server, Media
Manager Conference Manager, or Media Manager SIP Proxy and Registrar.
Before you begin
Create the cluster of servers first. Then configure the cluster and then start the
Deployment Manager (the Lotus Sametime System Console) as well as all node
agents and application servers in the cluster.
Note: The IBM Load Balancer is not available on IBM i, but you can deploy it on a
server running a different operating system for use with a Lotus Sametime
deployment hosted on IBM i.
IBM Load Balancer is not required for a Lotus Sametime clustered deployment;
you can use any load-balancing mechanism that supports HTTP session affinity, so
that a user's requests keep being routed to the same server for the duration of a
single session. IBM Load Balancer is included in the Lotus Sametime package with
the other IBM WebSphere components.
Procedure
1. Download IBM Load Balancer onto the server where you will install it:
a. Open this release's Download document at the following web address:
http://www.ibm.com/support/docview.wss?rs=477&uid=swg24027054
b. Locate the appropriate IBM WebSphere Edge server component in the
document's listing, then download the packages labelled with the
corresponding part numbers to the system on which you are installing.
2. Navigate to the folder where you stored the downloaded files, locate the folder
for IBM Load Balancer, and start the installation program.
For instructions on installing IBM Load Balancer, see the Load Balancer for
IPv4 and IPv6 configuration guide.
3. After you have installed IBM Load Balancer, configure two static IP addresses
for it:
v Non-Forwarding Address: The NFA is the address of the server itself. It is
used for logging in and administering the load balancer.
v Cluster Address: This is the address by which clients and other servers will
access the cluster. It must be DNS-resolvable.
For example, suppose your cluster contains two nodes, and you configure an
IBM Load Balancer for the cluster. Your IP addresses will look like this:
Table 31. Sample host names and IP addresses for a Lotus Sametime cluster with IBM
Load Balancer
Fully qualified host name   Server's role in deployment                  Server's IP address
loadbal.example.com         Load balancer (NFA)                          192.0.2.15
st-cluster.example.com      Load balancer (Cluster address)              192.0.2.0
stconsole.example.com       Deployment Manager (Lotus Sametime System    192.0.2.3
                            Console)
svr1.example.com            Primary Node (a Lotus Sametime server)       192.0.2.4
svr2.example.com            Secondary Node (a Lotus Sametime server)     192.0.2.5
Configuring IBM Load Balancer:
Configure IBM Load Balancer for a cluster of IBM Lotus Sametime servers.
About this task
The steps to configure IBM Load Balancer are different for the various operating
systems; choose the appropriate topic:
Configuring IBM Load Balancer in AIX, Linux, or Solaris:
Configure IBM Load Balancer on a server running IBM AIX, Linux, or Sun Solaris.
Before you begin
Install IBM Load Balancer and assign two static IP addresses to it. The server
selected for the Load Balancer installation must reside on the same LAN segment
as the nodes to be clustered.
About this task
Configure IBM Load balancer to support your cluster using MAC Address
rewriting. With this method, the load balancer receives a packet intended for the
cluster. It uses configured metrics to determine which node in the cluster should
process the message, and then sends the message back out to the network, routing
it to the appropriate node's MAC address. Each of the nodes in the cluster is
configured with a loopback adapter; when the packet is rewritten to the network,
the appropriate node will receive and process the packet.
As you work through the procedure, you will switch back and forth between the
Load Balancer interface and a command window.
Procedure
1. Configure the nodes of the cluster.
For cluster nodes running on AIX, Linux, and Solaris
Add a loopback adapter with the IP address of the cluster on each of the nodes
of the cluster. For instructions, see the Load Balancer for IPv4 and IPv6
configuration guide.
For cluster nodes running on IBM i
Use the Add TCP/IP Interface command to create a virtual IP address with the
"cluster" IP address you want to use.
For example:
ADDTCPIFC INTNETADR('192.0.2.0') LIND(*VIRTUALIP) SUBNETMASK(*HOST)
When the virtual TCP/IP interface is started, the server accepts packets for that
address.
Note: Do not enable proxy ARP for the Virtual IP Address. In other words, do
not specify the PREFIFC parameter on the command or enable proxy through
the graphical user interface configuration. Doing so prevents multiple systems
from using the same "cluster" IP address simultaneously.
2. Configure port settings on the cluster nodes so that IBM Load Balancer can
route the packets properly:
IBM Load Balancer requires every node in the cluster to use the same port number
for both HTTP and HTTPS service (typically, port 80). If you have configured
your nodes to use unique port numbers, change them to the same port now.
Tip: When configuring the ports, you can use the wildcard * when specifying
the host name for the HTTP and HTTPS. This will listen on all interfaces
configured in the system, including the loopback adapter set up for the cluster.
3. Configure load balancing for the cluster:
a. Open a command window on the load balancer server.
b. Start the load balancer's Dispatcher process with the following command:
dsserver
c. If you are using IPv6 addresses, enable the processing of IPv6 packets:
Issue this command only once; thereafter, you can start and stop the
executor as often as you need. If you do not issue the command to enable
processing of IPv6 packets on these systems, the executor will not start (on
Solaris, the executor will start, but no IPv6 packets can be viewed).
AIX
1) Run the following command:
autoconf6
2) To enable uninterrupted processing of IPv6 packets, even after a system
reboot, edit the /etc/rc.tcpip file, uncomment the following line, and
add the -A flag:
start /usr/bin/autoconf6 " " -A
Linux Run the following command (you must be logged in as root):
modprobe ipv6
Solaris Run the following commands as root, replacing device with your
device name and address/prefix with your IPv6 address and prefix
length:
ifconfig device inet6 plumb
ifconfig device inet6 address/prefix up
d. Start the executor function of the dispatcher:
dscontrol executor start
e. Add the cluster to the service:
dscontrol cluster add cluster's_fully_qualified_host_name
where cluster's_fully_qualified_host_name is the fully qualified host name that
you assigned to the cluster when you installed the load balancer; for
example:
stms-cluster.example.com
f. Add the cluster port:
dscontrol port add cluster's_fully_qualified_host_name@port
where cluster's_fully_qualified_host_name@port is the fully qualified host name
that you assigned to the cluster when you installed the load balancer, with
the HTTP/HTTPS port appended to it (typically port 80); for example:
stms-cluster.example.com@80
g. Add the nodes for which this server will balance workload:
dscontrol server add cluster's_fully_qualified_host_name@port@primary_node
dscontrol server add cluster's_fully_qualified_host_name@port@secondary_node
where:
v cluster's_fully_qualified_host_name@port@primary_node is the cluster's fully
qualified host name with the port appended (as in the previous step), plus
the primary node's fully qualified host name appended; for example:
stms-cluster.example.com@80@meetsvr1.example.com
v cluster's_fully_qualified_host_name@port@secondary_node is the cluster's fully
qualified host name with the port appended (as in the previous step), plus
the secondary node's fully qualified host name appended (include an
additional line for each additional secondary node); for example:
stms-cluster.example.com@80@meetsvr2.example.com
h. Now start the Load Balancer administration interface with the following
command:
./lbadmin
Note: If you have difficulty starting the administration interface, try
stopping and then starting the executor and dsserver services before
running the command again:
dsserver stop
dscontrol executor stop
dscontrol executor start
dsserver start
./lbadmin
4. Continue configuring Load Balancer as follows:
a. Add the cluster to the executor:
dscontrol executor add cluster's_fully_qualified_host_name
where cluster's_fully_qualified_host_name is the fully qualified host name that
you assigned to the cluster when you installed the load balancer; for
example:
stms-cluster.example.com
b. Start the manager:
dscontrol manager start
c. Start the HTTP advisor for the port you are using (the port you specified in
the previous steps, typically port 80):
dscontrol advisor start http 80
5. Define server affinity with a "sticky time":
By default the Load Balancer will round-robin HTTP requests between the
cluster members, so that a single client may be routed to different cluster
members for subsequent requests rather than continuing to be routed to the
same cluster member. Since a client typically accesses an online meeting every
30-40 seconds during the session, you may want to enable server affinity for a
Lotus Sametime Meeting Server cluster so that the client continues to access the
same server during a single meeting.
The dispatcher component of IBM Load Balancer supports a configurable
"sticky time". This means that the load balancer will remember which cluster
member a client was routed to; subsequent requests will "stick to" the same
server until the preset time expires. IBM recommends a "sticky" time
configuration of 60 seconds for a Lotus Sametime Meeting Server cluster or a
Lotus Sametime Proxy Server cluster.
a. Open a command window on the load balancer server.
b. Stop the service with the following command:
dsserver stop
c. Set the sticky time with the following command:
dscontrol port set cluster's_fully_qualified_host_name@port_number stickytime number_of_seconds
Where:
v cluster's_fully_qualified_host_name is the fully qualified host name that
you assigned to the cluster (the port belongs to the cluster address, not to
the host name of the server where IBM Load Balancer runs).
v port_number is the port that will be affected by the new sticky time
setting.
v number_of_seconds is the duration, in seconds, for which a client keeps
being routed to the cluster member it was first sent to on that port.
For example:
dscontrol port set stms-cluster.example.com@80 stickytime 60
6. Save the load balancer settings:
a. In IBM Load Balancer, return to the navigation tree and right-click on the
host name of the load balancer you just configured (for example,
loadbal.example.com).
b. Click Save Configuration File as and accept the default name
(default.cfg).
The configuration settings stored in default.cfg are restored every time the
server is restarted.
c. Click OK.
Configuring IBM Load Balancer in Windows:
Configure IBM Load Balancer on a server running Microsoft Windows.
Before you begin
Install IBM Load Balancer and assign two static IP addresses to it. The server
selected for the Load Balancer installation must reside on the same LAN segment
as the nodes to be clustered.
About this task
Configure IBM Load balancer to support your cluster using MAC Address
rewriting. With this method, the load balancer receives a packet intended for the
cluster. It uses configured metrics to determine which node in the cluster should
process the message, and then sends the message back out to the network, routing
it to the appropriate node's MAC address.
Each of the nodes in the cluster is configured with a loopback adapter; when the
packet is rewritten to the network, the appropriate node will receive and process
the packet.
Procedure
1. Configure the nodes of the cluster.
For cluster nodes running on Windows
Add a loopback adapter with the IP address of the cluster on each of the nodes
of the cluster. For instructions, see the Load Balancer for IPv4 and IPv6
configuration guide.
For cluster nodes running on IBM i
Use the Add TCP/IP Interface command to create a virtual IP address with the
"cluster" IP address you want to use.
For example:
ADDTCPIFC INTNETADR('192.0.2.0') LIND(*VIRTUALIP) SUBNETMASK(*HOST)
When the virtual TCP/IP interface is started, the server accepts packets for that
address.
Note: Do not enable proxy ARP for the Virtual IP Address. In other words, do
not specify the PREFIFC parameter on the command or enable proxy through
the graphical user interface configuration. Doing so prevents multiple systems
from using the same "cluster" IP address simultaneously.
2. Configure port settings on the cluster nodes so that IBM Load Balancer can
route the packets properly:
IBM Load Balancer requires every node in the cluster to use the same port number
for both HTTP and HTTPS service (typically, port 80). If you have configured
your nodes to use unique port numbers, change them to the same port now.
Tip: When configuring the ports, you can use the wildcard * when specifying
the host name for the HTTP and HTTPS. This will listen on all interfaces
configured in the system, including the loopback adapter set up for the cluster.
3. On the load balancer server, configure load balancing for the cluster:
a. Open a command window on the load balancer server.
b. Start the load balancer's Dispatcher process by clicking Start → Control
Panel → Administrative Tools → Services, then right-click IBM Dispatcher
(ULB) and click Start.
c. If you are using IPv6 addresses, enable the processing of IPv6 packets:
Run the following command while logged in as the Windows administrator:
netsh interface ipv6 install
This command enables processing of IPv6 packets. Issue this command
only once; thereafter, you can start and stop the executor as often as you
need. If you do not issue the command to enable processing of IPv6 packets
on these systems, the executor will not start.
d. Start the executor function of the dispatcher:
dscontrol executor start
e. Add the cluster to the service:
dscontrol cluster add cluster's_fully_qualified_host_name
where cluster's_fully_qualified_host_name is the fully qualified host name that
you assigned to the cluster when you installed the load balancer; for
example:
stms-cluster.example.com
f. Add the cluster port:
dscontrol port add cluster's_fully_qualified_host_name@port
where cluster's_fully_qualified_host_name@port is the fully qualified host name
that you assigned to the cluster when you installed the load balancer, with
the HTTP/HTTPS port appended to it (typically port 80); for example:
stms-cluster.example.com@80
g. Add the nodes for which this server will balance workload:
dscontrol server add cluster's_fully_qualified_host_name@port@primary_node
dscontrol server add cluster's_fully_qualified_host_name@port@secondary_node
where:
v cluster's_fully_qualified_host_name@port@primary_node is the cluster's fully
qualified host name with the port appended (as in the previous step), plus
the primary node's fully qualified host name appended; for example:
stms-cluster.example.com@80@meetsvr1.example.com
v cluster's_fully_qualified_host_name@port@secondary_node is the cluster's fully
qualified host name with the port appended (as in the previous step), plus
the secondary node's fully qualified host name appended (include an
additional line for each additional secondary node); for example:
stms-cluster.example.com@80@meetsvr2.example.com
h. Add the cluster to the executor:
dscontrol executor add cluster's_fully_qualified_host_name
where cluster's_fully_qualified_host_name is the fully qualified host name that
you assigned to the cluster when you installed the load balancer; for
example:
stms-cluster.example.com
i. Start the manager:
dscontrol manager start
j. Start the HTTP advisor for the port you are using (the port you specified in
the previous steps, typically port 80):
dscontrol advisor start http 80
k. Now you can stop the service:
dsserver stop
l. Close the command window.
4. Define server affinity with a "sticky time":
By default the Load Balancer will round-robin HTTP requests between the
cluster members, so that a single client may be routed to different cluster
members for subsequent requests rather than continuing to be routed to the
same cluster member. Since a client typically accesses an online meeting every
30-40 seconds during the session, you may want to enable server affinity for a
Lotus Sametime Meeting Server cluster so that the client continues to access the
same server during a single meeting.
The dispatcher component of IBM Load Balancer supports a configurable
"sticky time". This means that the load balancer will remember which cluster
member a client was routed to; subsequent requests will "stick to" the same
server until the preset time expires. IBM recommends a "sticky" time
configuration of 60 seconds for a Lotus Sametime Meeting Server cluster or a
Lotus Sametime Proxy Server cluster.
Windows
a. Start IBM Load Balancer.
b. In the navigation tree, select the Executor (the load balancer's
non-forwarding IP address, which appears under its host name).
c. Click Configuration Settings.
d. In "Port-Specific Settings", change the Default sticky-time settings from 0 to
60 seconds, and click Update Configuration.
e. Leave IBM Load Balancer open for the next step.
5. Save the load balancer settings:
a. In IBM Load Balancer, return to the navigation tree and right-click on the
host name of the load balancer you just configured (for example,
loadbal.example.com).
b. Click Save Configuration File as and accept the default name
(default.cfg).
The configuration settings stored in default.cfg are restored every time the
server is restarted.
c. Click OK.
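As an added example (not from the IBM guide), the following POSIX shell script gathers the dscontrol commands from the AIX/Linux/Solaris and Windows procedures above into one function that validates its inputs and emits the whole sequence for review before anything is applied. The host names and the 60-second sticky time are the guide's sample values; lb_commands and lb_apply are names chosen here, and the script assumes dscontrol is on the PATH when lb_apply is run on the load balancer host.

```shell
#!/bin/sh
# Added example, not part of the IBM guide: build the dscontrol sequence
# from the two procedures above as one reviewable unit. Host names and the
# 60-second sticky time are placeholders taken from the guide's examples.

# Emit the dscontrol commands for one cluster, without running them.
# Usage: lb_commands CLUSTER_FQDN PORT STICKY_SECONDS NODE_FQDN...
lb_commands() {
    cluster=$1; port=$2; sticky=$3; shift 3
    # Load Balancer needs one port shared by every node, so exactly one
    # port is accepted and it must be numeric.
    case $port in
        ''|*[!0-9]*) echo "lb_commands: port must be numeric, got '$port'" >&2; return 1 ;;
    esac
    case $sticky in
        ''|*[!0-9]*) echo "lb_commands: sticky time must be numeric" >&2; return 1 ;;
    esac
    [ $# -ge 1 ] || { echo "lb_commands: at least one node is required" >&2; return 1; }
    # Every name must look fully qualified, as the guide requires.
    for name in "$cluster" "$@"; do
        case $name in
            *.*) ;;
            *) echo "lb_commands: '$name' is not a fully qualified host name" >&2; return 1 ;;
        esac
    done
    echo "dscontrol executor start"
    echo "dscontrol cluster add $cluster"
    echo "dscontrol port add $cluster@$port"
    for node; do
        echo "dscontrol server add $cluster@$port@$node"
    done
    echo "dscontrol executor add $cluster"
    echo "dscontrol manager start"
    echo "dscontrol advisor start http $port"
    # Affinity: a client keeps going to the member it was first routed to
    # for STICKY_SECONDS after its last request on this port.
    echo "dscontrol port set $cluster@$port stickytime $sticky"
}

# Run the emitted sequence on the load balancer host; stops at the first
# failing command so a half-configured cluster does not go unnoticed.
lb_apply() {
    lb_commands "$@" | while IFS= read -r cmd; do
        echo "+ $cmd"
        $cmd || { echo "lb_apply: failed: $cmd" >&2; exit 1; }
    done
}

# Dry run with the guide's sample names:
lb_commands stms-cluster.example.com 80 60 meetsvr1.example.com meetsvr2.example.com
```

Run lb_commands first and compare its output with the steps above; lb_apply executes the same lines in order. The dscontrol commands are the same on Windows, where the guide sets the sticky time through the Load Balancer GUI instead of dscontrol port set.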
Configuring a Lotus Sametime Gateway
Configure one or more IBM Lotus Sametime Gateway servers.
Setting up TLS/SSL
Transport Layer Security (TLS) and Secure Sockets Layer (SSL) provide encrypted
SIP communications between Lotus Sametime Gateway and the external instant
messaging communities such as AOL, Yahoo!, Office Communications Server, and
Lotus Sametime communities, but only if the other Lotus Sametime community
requires SSL. TLS/SSL also provides encrypted XMPP communications for XMPP
communities. The TLS/SSL protocols allow Lotus Sametime messages to
communicate across a network in a way designed to prevent eavesdropping,
tampering, and message forgery. Use these steps to set up SSL with a certificate
signed by a Certificate Authority and exchange trusted certificates with external
communities.
About this task
Messages that flow between Lotus Sametime Gateway and AOL, Office
Communications Server, and Yahoo always require a TLS/SSL connection. Lotus
Sametime and XMPP communities may or may not require a TLS/SSL connection,
depending whether the external community requires a CA-signed certificate.
Google Talk does not work over TLS/SSL.
This section provides steps for a single Lotus Sametime Gateway server or cluster
of Lotus Sametime Gateway servers. In addition, this section provides steps
needed to set up SSL on a Sametime 6.5.1 or later server in an external community.
You can provide these steps as a courtesy to an external community or refer them
to the Lotus Sametime Standard help in this information center.
SSL can encrypt sensitive information for SIP and XMPP communications, and
provides authentication and integrity protection to secure the connection between
the local Lotus Sametime Gateway community and an external instant messaging
community. The foundation technology for SSL is public key cryptography: data
encrypted with an entity's public key can be decrypted only by the holder of the
matching private key, and a signature produced with the private key can be verified
by anyone holding the public key, which is how a server proves its identity and
the integrity of what it sends.
SSL is required for connections to the following communities:
v External community using AOL Instant Messenger
v External community using Office Communications Server
v External community using Yahoo! Messenger
v AOL clearinghouse community
SSL is not required but it is recommended for connections to XMPP or Lotus
Sametime communities.
You cannot use SSL between Lotus Sametime Gateway and Google Talk
communities.
SSL is not needed between Lotus Sametime Gateway and the local Sametime
community because the connection uses the Virtual Places (VP) protocol over TCP
and includes built-in encryption.
Setting up SSL on a single server
These procedures describe how to set up Secure Sockets Layer (SSL) on a single
Lotus Sametime Gateway server for both SIP and XMPP communications.
Before you begin
Before you begin, make sure the Lotus Sametime Gateway server is running.
About this task
To have a secure network connection, you will create a key for secure network
communications and receive a certificate from a certificate authority (CA) that is
designated as a trusted CA on your server.
WebSphere Application Server uses the certificates that reside in keystores to
establish trust for a SSL connection. WebSphere Application Server creates the
key.p12 default keystore file and the trust.p12 default truststore file during profile
creation.
A default, self-signed certificate is also created in the key.p12 file at this time. Do
not use this self-signed or other self-signed certificate to connect to external
communities.
Note: Ensure that the SSL certificate contains the Basic Constraints extension, and
do not use a self-signed CA that is not SSLv3-compliant. WebSphere Application
Server 6.1 uses the IBM JDK 1.5.0 JSSE2 provider, which checks for the presence of
the Basic Constraints extension. If the extension is not set, WebSphere Application
Server treats the certificate as a user certificate rather than a CA certificate,
so a server certificate issued by that CA cannot be validated because its issuing
CA is not found.
Trial certificates are not publicly trusted and so cannot be used to test against
public instant messaging providers such as Yahoo Messenger or AOL Instant
Messenger.
The following procedures describe how to:
1. Import the certificate authorities' public certificate used by each of the public or
private external communities your Sametime Gateway server will be
communicating with.
2. Request a CA-signed certificate, and then import the signed certificate that the
CA provided in response. Before performing this step you might have to
import intermediary certificates.
3. Configure the WebSphere environment to make use of the imported keys.
A complete technical reference on how to set up SSL on the WebSphere
Application Server can be found in the WebSphere Application Server information
center.
Adding trust for certificate authorities used by external communities:
External community certificates are signed by a specific certificate authority,
probably a different authority from the CA used to sign your Sametime Gateway
certificate. For Sametime Gateway to trust a certificate presented by an
external community, the CA that issued that certificate must be configured as
trusted in advance.
About this task
This topic explains what CA certificate needs to be downloaded and imported into
the WebSphere Application Server trust store.
v Steps 1-4 explain how to obtain the required CA certificate.
v Steps 5-7 explain how to import the obtained CA certificates into the WebSphere
Application Server.
Procedure
1. To connect to AOL or Yahoo!, download the following CA certificate: navigate
to http://www.geotrust.com/resources/root_certificates/index.asp and
download the Equifax Secure Certificate Authority:
Download - Equifax Secure Certificate Authority (Base-64 encoded X.509)
2. To connect to AOL you are also required to download the following additional
certificates:
a. Navigate to https://pki-info.aol.com/AOL/ and download both certificates
titled "America Online Root CA 1 certificate" and "America Online Root
CA 2 certificate".
b. Navigate to https://pki-info.aol.com/AOLMSPKI/index.html and download
the certificate titled "AOL Member CA certificate".
3. To connect to an external Lotus Sametime-based IM community over SSL, you
need to obtain the CA certificate used by the external community:
a. Check with the external community administrator to determine which
trusted certificate authority they are using.
b. Obtain the CA certificate.
4. To connect to an external XMPP-based IM community over SSL, you need to
obtain the CA certificate used by the external community (note that the
Google Talk public community does not use SSL):
a. Check with the external community administrator to determine which
trusted certificate authority they are using.
b. Obtain the CA certificate.
5. If the received certificate is stored in a certificate database file (for
example, a file with a .db or .p12 suffix), extract the certificate to a
standalone file before you import it into WebSphere Application Server.
6. Complete the following tasks in the Integrated Solutions Console: click
Security → SSL certificate and key management → Key stores and certificates
→ NodeDefaultTrustStore → Signer certificates.
7. Click Add.
a. In the Alias field, type an alias to identify the certificate authority. This is
a freeform value used to identify the certificate inside WebSphere; a good
choice is the certificate's CN (common name) value.
b. Type the full path to the file containing the certificate authority's
public certificate. For example: c:\certificates\acme_external_community.arm.
c. Select the data type.
Note: For IBM i, you must select binary as the data type.
d. Click OK.
Note: For IBM i only, certificates are automatically downloaded with the .CER
file extension, so you must manually rename them to the .DER file extension.
Requesting a certificate signed by a Certificate Authority:
To ensure Secure Sockets Layer (SSL) communication, servers require a personal
certificate that is signed by a certificate authority (CA). You must first create a
personal certificate request to obtain a certificate that is signed by a CA.
Before you begin
The keystore that contains a personal certificate request must already exist. In
WebSphere Application Server, the keystore file key.p12 exists.
Procedure
1. Log in to the Integrated Solutions Console.
2. Click Security → SSL certificate and key management → Related items → Key
stores and certificates → NodeDefaultKeyStore.
3. Under "Additional Properties," click Personal certificate requests.
4. Click New.
5. In the File for certificate request field, type the full path where the certificate
request is to be stored, plus a file name.
For example: c:\servercertreq.arm (for a Windows machine).
6. Type an alias name in the Key label field.
The alias is the name you use to identify the certificate request in the keystore.
For example: stgwcertificate
7. Type a common name (CN) value.
The CN must be the externally visible DNS name to which the external
community (AOL, for example) opens its TCP connection. The CN value does
not have to match any of the email domains associated with your
community. Decide on the CN value in advance, primarily by consulting your
network administrator.
8. Type an organization name in the Organization field.
This value is the "organization" value in the certificate's distinguished name.
9. In the Organization unit field, type the "organization unit" portion of the
distinguished name.
10. In the Locality field, type the "locality" portion of the distinguished name.
11. In the State or Province field, type the "state" portion of the distinguished
name.
12. In the Zip Code field, type the "zip code" portion of the distinguished name.
13. In the Country or region drop-down list, select the two-letter "country code"
portion of the distinguished name.
14. Click Apply and Save.
The certificate request is created in the specified file location in the keystore.
The request functions as a temporary placeholder for the signed certificate
until you manually receive the certificate in the keystore.
Note: Key store tools (such as iKeyman and keyTool) cannot receive signed
certificates that are generated by certificate requests from WebSphere
Application Server. Similarly, WebSphere Application Server cannot accept
certificates that are generated by certificate requests from other keystore
utilities.
15. Send the certification request arm file to a Certificate Authority for signing.
For more information, see List of supported Certificate Authorities.
16. Stop the Lotus Sametime Gateway server.
17. Make a backup copy of your keystore file. Make this backup before receiving
the CA-signed certificate into the keystore. The default password for the
keystore is WebAS. The Integrated Solutions Console has the path information
for the keystore's location.
The path to the NodeDefaultKeyStore is listed in the Integrated Solutions
Console as:
stgw_profile_root\config\cells\cell_name\nodes\node_name\key.p12
18. Start the Lotus Sametime Gateway server.
Importing any intermediate CA certificates into the keystore:
If your server certificate is issued by an intermediary CA, then complete the steps
that follow.
Before you begin
You have received the signed certificate from the certificate authority, but before
importing the signed certificate into the keystore, you have to determine whether the
received certificate was signed by a root Certificate Authority (CA) or by an
intermediary Certificate Authority. If the certificate was signed by a root CA, you
can skip this topic completely and continue straight to "Importing a signed
certificate into the keystore". If the certificate was signed by an intermediary CA,
you will need to import the intermediary signer certificates as described in this
topic.
About this task
IBM WebSphere Application Server creates a certificate chain when the signed
certificate is received. The chain is constructed from the signer certificates that are
in the keystore at the time the certificate is received. Therefore, it is important to
import all intermediate certificates as signer certificates into the keystore before
receiving the Certificate Authority-signed certificate. When you purchase a server
certificate for Sametime Gateway, the certificate is issued by a Certificate Authority
(CA). The CA can either be a root CA or an intermediary CA.
Procedure
1. The following steps describe how to tell if your certificate was signed by a root
CA or an intermediary CA (example given is on the Windows operating
system)
a. Save the signed certificate to a text file with a .cer extension. For example:
signed-certificate.cer. Include the Begin Certificate and End
Certificate lines when you save the file. For example:
-----BEGIN CERTIFICATE-----
...
-----END CERTIFICATE-----
b. Double-click the new file that you created and a Certificate dialog box
opens.
c. Click the Certification Path tab.
d. Look at the tree-like structure representing the full certificate chain. The top
of the chain is referred to as the root Certificate Authority (CA). The bottom
of the chain represents your server's certificate. If your server is not listed
one-level below the root CA, then your certificate was issued by an
intermediary CA. However, if your server is listed one-level below the root
CA, then the certificate was issued by the root CA. For example, the
following screen capture shows a certificate chain where an intermediary
CA, VeriSign Class 3 Secure Server CA, issued a certificate for
stgw.lotus.com.
e. If the server certificate is not issued by an intermediary CA, stop here and
click Next topic at the bottom of this topic.
2. Once you determine that the certificate is an intermediate certificate, you must
export the certificate from the chain into its own certificate file:
a. Double-click the server's certificate (i.e. server.cer) file and a Certificate
dialog box opens.
b. Click the Certification Path tab.
c. Highlight an entry of the certificate chain.
d. Click View Certificate.
e. In the Certificate dialog window, click the Details tab.
f. Click Copy to File...
g. In the Certificate Export Wizard that appears, click Next.
h. Select Base-64 encoded X.509 (.CER), and click Next.
i. Type in a unique name for the certificate you are exporting and click Next.
For example, "VS-intermediary-CA" for VeriSign's intermediary certificate
authority.
j. Click Finish.
k. Click OK in the dialog box that displays the following message: The export
was successful.
l. Repeat the preceding sub steps for each intermediate certificate in the chain.
Note that there is no need to repeat these steps for the bottom entry of the
chain because the server's certificate already exists. When you are done, you
will have a certificate file (.cer) for each entry of the chain. In our example,
there are three certificate files:
Certificate type   Name                                 Certificate file name
Root               VeriSign Class 3 Public Primary CA   VS-root-CA.cer
Intermediary       VeriSign Class 3 Secure Server CA    VS-intermediary-CA.cer
Server             stgw.lotus.com                       stgw.cer
3. Finally, import the intermediary CA certificate into the keystore by completing
the following steps:
a. Using the Integrated Solutions Console, click Security → SSL Certificate and
key management.
b. Click Key stores and certificates.
c. Click NodeDefaultKeyStore.
d. Click Signer certificates.
e. Click Add.
f. In the Alias field, type a short descriptive name for the certificate. For
example, "Verisign Intermediary CA."
g. In the File name field, type the path to the certificate file of the
intermediary CA. For example, C:\certs\VS-intermediary-CA.cer.
h. Accept the default file data type.
i. Click Apply and Save.
j. Repeat the preceding steps for each intermediary CA that is part of the
certificate chain. In most cases, only one intermediary CA exists.
Importing a signed certificate into the keystore:
Before you begin
You have received the signed certificate from the certificate authority. You have
determined whether the certificate is signed by a root CA or an intermediate CA, if
the certificate was signed by an intermediate CA, then you have imported into the
keystore all intermediate CA certificates. Now you are ready to import the signed
certificate itself into the keystore.
About this task
WebSphere Application Server can receive only those certificates that are generated
by a WebSphere Application Server certificate request. It cannot receive certificates
that are created with certificate requests from other keystore tools, such as
iKeyman and keyTool. The keystore must contain the certificate request that was
created and sent to the CA. This means that you cannot import a certificate to the
keystore if the keystore does not contain the original certificate request.
Make sure the certificate file you have received does not contain any text lines
before the "-----BEGIN CERTIFICATE-----" line. Such lines can cause the certificate
import process to fail, so delete them if they are present in the certificate file.
Procedure
1. Log in to the Integrated Solutions Console.
2. Click Security → SSL certificate and key management → Related items → Key
stores and certificates → NodeDefaultKeyStore.
3. Under Additional Properties, click Personal certificates.
4. Click Receive a certificate from a certificate authority.
5. Type the full path and name of the certificate file. For example on windows:
c:\mycertificate.cer
6. Do not change the default data type on the list (Base64-encoded ASCII Data).
7. Click Apply and Save.
Setting up Sametime Gateway to use a new certificate:
Set up IBM Lotus Sametime Gateway server to use the new certificates.
Procedure
1. Log in to the Integrated Solutions Console.
2. Click Security → SSL certificate and key management → Configuration
settings → Manage endpoint security configurations.
3. Expand the Inbound node, and then expand all levels below Nodes.
4. In the tree view, click the Sametime Gateway server.
5. On the configuration panel, under Specific SSL configuration for this
endpoint, select Override inherited values if this option is available.
6. Select NodeDefaultSSLSettings in the SSL configuration drop down.
7. Click Update certificate alias list.
8. Select the certificate alias from the Certificate alias in key store drop down
that you specified when you received the certificates from the CA.
9. Click Apply and then Save.
10. Important: Repeat the preceding steps on the Outbound node of the local
topology tree.
11. Restart the Sametime Gateway server.
For a standalone server: restart the single Java process.
For a cluster configuration: restart the DMGR, STGW servers, XMPP proxies, and
SIP proxies.
You do not need to restart the node agents.
Setting up SSL on a cluster
These procedures describe how to set up Secure Sockets Layer (SSL) on a cluster of
Lotus Sametime Gateway servers.
Before you begin
You must first install Lotus Sametime Gateway on each node, including a
Deployment Manager node, create the cluster, and create a SIP proxy server for the
cluster.
About this task
To have a secure network connection, create a key for secure network
communications and receive a certificate from a certificate authority (CA) that is
designated as a trusted CA on your server.
WebSphere Application Server uses the certificates that reside in keystores to
establish trust for a SSL connection. WebSphere Application Server creates the
key.p12 default keystore file and the trust.p12 default truststore file during profile
creation. A default, self-signed certificate is also created in the key.p12 file at this
time.
Note: If you use a certificate other than the default self-signed certificate provided,
ensure that the SSL certificate contains the Basic Constraints extension. Do not use
a non-SSLv3-compliant self-signed CA. WebSphere Application Server 6.1 uses the
IBM JDK 1.5.0 JSSE2, which checks for the presence of the Basic Constraints
extension. If the extension is not set, WebSphere Application Server assumes that
the CA is not a valid CA but a user certificate, which in turn prevents the server
certificate from being validated, because the issuing CA is not found.
Trial certificates are not publicly trusted and so cannot be used to test against
public instant messaging providers such as Yahoo Messenger or AOL Instant
Messenger.
The following procedure describes how to request a Certificate Authority-signed
certificate, receive the request, then extract the certificate to the keystore.
For complete details for setting up SSL in WebSphere Application Server, see the
WebSphere Application Server information center.
Purchasing a certificate from a Certificate Authority:
Purchase a Certificate Authority-signed certificate for secure connections between
Lotus Sametime Gateway and other instant messaging providers.
About this task
The CA certificate installed on Lotus Sametime Gateway must conform to RFC
3280 certificate standards. The CA certificate can be a root certificate or an
intermediary certificate. When requesting a certificate, check with the vendor to
make sure that the certificate supports both TLS Web Server Authentication and
TLS Web Client Authentication. Some certificate authorities provide certificates that
support server authentication only or client authentication only. Certificates must
include both server and client authentication EKU flags. Thawte certificates meet
these standards. It is your responsibility to make sure that the certificate supports
both.
Procedure
1. Review the list of Certificate Authorities recognized by AOL, Yahoo!, and
XMPP.
For more information, see List of supported Certificate Authorities.
2. Purchase a certificate that supports both client and server authentication.
Creating a new keystore:
The keystore file is a key database file that contains both public keys and private
keys. Public keys are stored as signer certificates while private keys are stored in
the personal certificates. A Secure Sockets Layer (SSL) configuration references
keystore configurations during WebSphere Application Server runtime. Whether a
keystore file was created by another keystore tool or saved from a previous
configuration, the file must be part of a keystore configuration object. You can
create a keystore configuration for the existing keystore object.
Before you begin
Expected state: the Deployment Manager, node agents, and servers are started.
Procedure
1. Stop all Lotus Sametime Gateway servers, but leave the Deployment Manager
and node agents running.
2. Using the Integrated Solutions Console, click Security → SSL certificate and
key management → Key stores and certificates.
3. Click New.
4. Type a name in the Name field that specifies the unique name to identify the
key store; for example: STGWKS.
5. In the Path field, specify this location for the keystore file:
${CONFIG_ROOT}/STGWKS.p12.
6. Type a password in the Password field. The password is used to protect the
keystore.
7. Type the keystore password again in the Confirm Password field to confirm
the password.
8. Select PKCS12 from the list. The type that you select is for the keystore file
that you specified in the Path field.
9. Click Apply and Save.
10. Ensure that all of the nodes in the cluster are started.
a. In the Deployment Manager's Integrated Solutions Console, click System
Administration → Node agents.
b. Start any node agent that is not running.
11. Synchronize all the nodes.
a. In the Deployment Manager's Integrated Solutions Console, click System
Administration → Nodes.
b. Select all available nodes and click Full Resynchronize.
Creating a certificate request:
To ensure Secure Sockets Layer (SSL) communication, servers require a personal
certificate that is signed by a certificate authority (CA). You must first create a
personal certificate request to obtain a certificate that is signed by a CA.
Before you begin
The keystore that contains a personal certificate request must already exist. In
WebSphere Application Server, the .p12 keystore file already exists.
About this task
Complete the following tasks in the WebSphere Integrated Solutions Console.
Expected state: the Deployment Manager and node agents are started. The servers
are stopped.
Procedure
1. Click Security → SSL certificate and key management → Key stores and
certificates.
2. Click the keystore that you created in the previous step.
3. Click Personal certificate requests, then click New.
4. In the File for certificate request field, specify the fully qualified file name
from which the certificate request is exported. This portion of the certificate
request can be given to the certificate authority to generate the real certificate.
For example: c:\servercertreq.arm (for a Windows machine).
5. Type an alias name in the Key label field. The alias is the name you give to
identify the certificate request in the keystore.
6. Type a common name (CN) value in the Common Name field. The common
name must be the fully qualified domain name of your proxy server node
machine. The CN of the certificate must match the domain name of your
community. For example, if your Sametime community is us.acme.com, then
the CN of the SSL certificate that you create for your community must be
us.acme.com.
7. Type an organization name in the Organization field. This value is the
organization value in the certificate distinguished name.
8. In the Organization unit field, type the organization unit portion of the
distinguished name.
9. In the Locality field, type the locality portion of the distinguished name.
10. In the State or Province field, type the state portion of the distinguished
name.
11. In the Zip Code field, type the zip code portion of the distinguished name.
12. In the Country or region drop down list, select the two-letter country code
portion of the distinguished name.
13. Click Apply and Save. The certificate request is created in the specified file
location in the keystore. The request functions as a temporary placeholder for
the signed certificate until you manually receive the certificate in the keystore.
Note: Key store tools (such as iKeyman and keyTool) cannot receive signed
certificates that are generated by certificate requests from WebSphere
Application Server. Similarly, WebSphere Application Server cannot accept
certificates that are generated by certificate requests from other keystore
utilities.
14. Synchronize your changes to all nodes in the cluster. Click System
Administration → Nodes.
15. Select all nodes in the cluster, then click Full Resynchronize.
16. Stop the Lotus Sametime Gateway server.
17. Make a backup copy of your keystore file. Make this backup before receiving
the CA-signed certificate into the keystore. The default password for the
keystore is WebAS. The Integrated Solutions Console has the path information
for the keystore's location. The path to the CellDefaultKeyStore is listed in the
Integrated Solutions Console as:
stgw_profile_root\config\cells\cell_name\key.p12
18. Now start the Lotus Sametime Gateway server.
What to do next
After you receive the certificate back from the Certificate authority, you are ready
to proceed to the next step.
Importing intermediate CA certificates into the keystore:
IBM WebSphere Application Server creates a certificate chain when the signed
certificate is received. The chain is constructed from the signer certificates that are
in the keystore at the time the certificate is received. Therefore, it is important to
import all intermediate certificates as signer certificates into the keystore before
receiving the Certificate Authority-signed certificate. When you purchase a server
certificate for Sametime Gateway, the certificate is issued by a Certificate Authority
(CA). The CA can either be a root CA or an intermediary CA.
About this task
If your server certificate is issued by an intermediary CA, then complete the steps
that follow, otherwise skip these steps and click Next topic at the bottom of this
topic.
Procedure
1. Before you import an intermediate CA, first determine if your server's
certificate was issued by an intermediary CA:
a. Save the signed certificate to a text file with a .cer extension. For example:
signed-certificate.cer. Include the Begin Certificate and End
Certificate lines when you save the file. For example:
-----BEGIN CERTIFICATE-----
...
-----END CERTIFICATE-----
b. Double-click on the new file that you created and a Certificate dialog box
opens.
c. Click on the Certification Path tab.
d. Look at the tree-like structure representing the full certificate chain. The top
of the chain is referred to as the root Certificate Authority (CA). The bottom
of the chain represents your server's certificate. If your server is not listed
one-level below the root CA, then your certificate was issued by an
intermediary CA. However, if your server is listed one-level below the root
CA, then the certificate was issued by the root CA. For example, the
following screen capture shows a certificate chain where an intermediary
CA, VeriSign Class 3 Secure Server CA, issued a certificate for
stgw.lotus.com.
e. If the server certificate is not issued by an intermediary CA, stop here and
click Next topic at the bottom of this topic.
2. Once you determine that the certificate is an intermediate certificate, you must
export the certificate from the chain into its own certificate file:
a. Double-click the server's certificate (i.e. server.cer) file and a Certificate
dialog box opens.
b. Click Certification Path tab.
c. Highlight an entry of the certificate chain.
d. Click View Certificate.
e. In the Certificate dialog window, click the Details tab.
f. Click Copy to File...
g. In the Certificate Export Wizard that appears, click Next.
h. Select Base-64 encoded X.509 (.CER), and click Next.
i. Type in a unique name for the certificate you are exporting and click Next.
For example, "VS-intermediary-CA" for VeriSign's intermediary certificate
authority.
j. Click Finish.
k. Click OK in the dialog box that displays the following message: The export
was successful.
l. Repeat the preceding sub steps for each intermediate certificate in the chain.
Note that there is no need to repeat these steps for the bottom entry of the
chain because the server's certificate already exists. When you are done, you
will have a certificate file (.cer) for each entry of the chain. In our example,
there are three certificate files:
Certificate type   Name                                 Certificate file name
Root               VeriSign Class 3 Public Primary CA   VS-root-CA.cer
Intermediary       VeriSign Class 3 Secure Server CA    VS-intermediary-CA.cer
Server             stgw.lotus.com                       stgw.cer
3. Finally, import the intermediary CA certificate into the keystore by completing
the following steps:
a. Using the Integrated Solutions Console, click Security → SSL Certificate and
key management.
b. Click Key stores and certificates.
c. Click CellDefaultKeyStore.
d. Click Signer certificates.
e. Click Add.
f. In the Alias field, type a short descriptive name for the certificate. For
example, "Verisign Intermediary CA."
g. In the File name field, type the path to the certificate file of the
intermediary CA. For example, C:\certs\VS-intermediary-CA.cer.
h. Accept the default file data type.
i. Click Apply and Save.
j. Repeat the preceding steps for each intermediary CA that is part of the
certificate chain. In most cases, only one intermediary CA exists.
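The Certification Path check above, the Basic Constraints and EKU requirements from the SSL overview and "Purchasing a certificate" topics, and the rule about text before the BEGIN CERTIFICATE line can all be verified from a command line before anything is received into the keystore. The following script is an added example using the openssl tool, not code from this guide or from WebSphere; the CA subject names, stgw.example.test and the simulated CA reply are constructed test values.

```shell
#!/bin/sh
# Added example, not part of the Sametime guide: pre-flight checks with the
# openssl CLI on the files a CA returns, run before they are received into the
# WebSphere keystore. All subjects and file names below are constructed values.

# Subject and issuer of a PEM certificate, in RFC 2253 form for exact comparison.
cert_subject() { openssl x509 -in "$1" -noout -subject -nameopt RFC2253 | sed 's/^subject=//'; }
cert_issuer()  { openssl x509 -in "$1" -noout -issuer  -nameopt RFC2253 | sed 's/^issuer=//'; }

# Copy a certificate file from its "-----BEGIN CERTIFICATE-----" line onward,
# dropping any covering text a CA puts above it (such text makes the import fail).
strip_leading_text() {     # $1 = input file, $2 = output file
  sed -n '/-----BEGIN CERTIFICATE-----/,$p' "$1" > "$2"
}

# Find which of the supplied CA certificates issued the server certificate and
# print "root" when that CA is self-signed (the server sits one level below the
# root) or "intermediary" otherwise; "unknown" when no supplied CA matches.
issuer_kind() {            # $1 = server cert, remaining args = CA cert files
  srv=$1; shift
  want=$(cert_issuer "$srv")
  for ca in "$@"; do
    if [ "$(cert_subject "$ca")" = "$want" ]; then
      if [ "$(cert_subject "$ca")" = "$(cert_issuer "$ca")" ]; then echo root; else echo intermediary; fi
      return 0
    fi
  done
  echo unknown
  return 1
}

# Succeed only when the certificate carries Basic Constraints with CA:TRUE, the
# extension WebSphere's JSSE2 requires before it treats a certificate as a CA.
has_ca_basic_constraints() {
  openssl x509 -in "$1" -noout -text | grep -A1 'X509v3 Basic Constraints' | grep -q 'CA:TRUE'
}

# Succeed only when the Extended Key Usage names both TLS Web Server
# Authentication and TLS Web Client Authentication, as Sametime Gateway needs.
has_server_and_client_eku() {
  eku=$(openssl x509 -in "$1" -noout -text | grep -A1 'X509v3 Extended Key Usage' | tail -n 1)
  case "$eku" in
    *"TLS Web Server Authentication"*"TLS Web Client Authentication"*) return 0 ;;
    *"TLS Web Client Authentication"*"TLS Web Server Authentication"*) return 0 ;;
    *) return 1 ;;
  esac
}

# Build a constructed three-level chain (root CA, intermediary CA, server) in
# directory $1 so the checks above can be exercised offline. File names follow
# the guide's example: VS-root-CA.cer, VS-intermediary-CA.cer, stgw.cer.
make_test_chain() {
  d=$1
  printf 'basicConstraints=critical,CA:TRUE\nkeyUsage=keyCertSign,cRLSign\n' > "$d/ca.ext"
  printf 'basicConstraints=CA:FALSE\nextendedKeyUsage=serverAuth,clientAuth\n' > "$d/srv.ext"
  openssl req -new -newkey rsa:2048 -nodes -keyout "$d/root.key" -out "$d/root.csr" \
    -subj "/CN=Constructed Test Root CA" 2>/dev/null
  openssl x509 -req -in "$d/root.csr" -signkey "$d/root.key" -days 1 \
    -extfile "$d/ca.ext" -out "$d/VS-root-CA.cer" 2>/dev/null
  openssl req -new -newkey rsa:2048 -nodes -keyout "$d/int.key" -out "$d/int.csr" \
    -subj "/CN=Constructed Test Intermediary CA" 2>/dev/null
  openssl x509 -req -in "$d/int.csr" -CA "$d/VS-root-CA.cer" -CAkey "$d/root.key" \
    -CAcreateserial -days 1 -extfile "$d/ca.ext" -out "$d/VS-intermediary-CA.cer" 2>/dev/null
  openssl req -new -newkey rsa:2048 -nodes -keyout "$d/srv.key" -out "$d/srv.csr" \
    -subj "/CN=stgw.example.test" 2>/dev/null
  openssl x509 -req -in "$d/srv.csr" -CA "$d/VS-intermediary-CA.cer" -CAkey "$d/int.key" \
    -CAcreateserial -days 1 -extfile "$d/srv.ext" -out "$d/stgw.cer" 2>/dev/null
  # Simulate a CA reply that has covering text above the certificate.
  { echo "Dear customer, your signed certificate follows."; cat "$d/stgw.cer"; } > "$d/reply.txt"
}

# Run every check against the constructed chain and report, as the guide's
# Certification Path walkthrough would, whether an intermediary must be imported.
work=$(mktemp -d)
make_test_chain "$work"
strip_leading_text "$work/reply.txt" "$work/stgw-clean.cer"
echo "server issued by: $(issuer_kind "$work/stgw-clean.cer" "$work/VS-root-CA.cer" "$work/VS-intermediary-CA.cer")"
for f in VS-root-CA.cer VS-intermediary-CA.cer; do
  has_ca_basic_constraints "$work/$f" && echo "$f: Basic Constraints CA:TRUE present"
done
has_server_and_client_eku "$work/stgw-clean.cer" && echo "stgw.cer: serverAuth and clientAuth EKU present"
rm -rf "$work"
```

Point issuer_kind at the real server certificate and the signer files the CA sent; an "intermediary" result means those signer files must be imported before the signed certificate is received.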
Receiving a signed certificate:
A Certificate Authority (CA) creates a certificate from a certificate request.
WebSphere Application Server keystore receives the certificate from the CA and
generates a CA-signed personal certificate that your Lotus Sametime Gateway
cluster can use for Secure Sockets Layer (SSL) security.
Before you begin
The keystore must contain the certificate request that was created and sent to the
Certificate Authority. Also, the keystore must be able to access the certificate that is
returned by the Certificate Authority.
Expected state: the Deployment Manager and the node agents are started. The
servers are stopped.
Note: WebSphere Application Server creates the certificate chain when the signed
certificate is received. The chain is constructed from the signer certificates that are
in the keystore at the time the certificate is received. Be sure to import all
intermediate certificates as signer certificates into the keystore before receiving the
CA-signed certificate.
Procedure
1. Click Security → SSL certificate and key management → Key stores and
certificates.
2. Click the keystore that you created previously.
3. Click Personal certificates.
4. Click Receive a certificate from a certificate authority.
5. Type the full path and name of the certificate file generated by the CA.
6. Select the appropriate data type from the list.
7. Click Apply and Save.
What to do next
Now you are ready to define a new SSL configuration.
Defining the SSL configuration for a cluster:
Complete these steps to create a new SSL configuration for a cluster of Lotus
Sametime Gateway servers.
About this task
Secure Sockets Layer (SSL) configurations contain the attributes that you need to
control the behavior of client and server SSL endpoints. You create a single SSL
configuration to be used on the inbound and outbound trees in the configuration
topology.
Expected state: the Deployment Manager and node agents are started. The servers
are stopped.
Procedure
1. Using the Integrated Solutions Console, click Security → SSL certificate and
key management → SSL Configurations.
2. Click New to display the SSL configuration panel.
3. Type a name in the Name field for your SSL configuration.
4. In the Trust store name drop-down list, replace the default
CellDefaultKeyStore value with CellDefaultTrustStore. The truststore name
refers to a specific truststore that holds signer certificates that validate the
trust of certificates sent by remote connections during an SSL handshake.
5. Select the keystore that you created from the Keystore name drop-down list. A
keystore contains the personal certificates that represent a signer identity and
the private key that WebSphere Application Server uses to encrypt and sign
data.
6. Click Get certificate aliases.
7. Select your certificate alias as the default server certificate alias.
8. Select your certificate alias as the default client certificate alias.
9. Click Apply, and then Save.
10. Synchronize your changes to all nodes in the cluster. Click System
Administration → Nodes.
11. Select all nodes in the cluster, then click Full Resynchronize.
Obtaining the root certificate:
Download a certificate authority's (CA) root certificate. After you download the
certificate, you must add it to the WebSphere Application Server truststore. For
connections to AOL or Yahoo, download the Equifax Secure CA because this
certificate is used by both communities. For connections to XMPP communities,
you must determine what root certificate, if any, is being used, and then check to
see if WebSphere Application Server already recognizes the certificate, and, if
necessary, download and add the certificate to your truststore.
About this task
XMPP communities are free to use either a TLS/SSL or TCP connection, so a
certificate may not be needed. If the XMPP community is using TLS/SSL, the root
certificate CA may already be in the WebSphere Application Server truststore. If
not, you must obtain it.
Procedure
1. To obtain the same certificate used by AOL and Yahoo:
a. Go to http://www.geotrust.com/resources/root_certificates/index.asp and
download the Equifax Secure Certificate Authority.
b. In the list of certificates, navigate to the following:
All other SSL certificates except for Quick SSL:
Equifax Secure Certificate Authority
c. Select the following download:
Download - Equifax Secure Certificate Authority (Base-64 encoded X.509)
d. Add this root CA to your WebSphere Application Server truststore (see next
step in setting up SSL).
2. AOL users require additional certificates:
a. Navigate to https://pki-info.aol.com/AOL/ and download both the
"America Online Root CA 1" certificate and the "America Online Root CA 2"
certificate.
b. Navigate to https://pki-info.aol.com/AOLMSPKI/index.html and
download the "AOL Member CA" certificate.
3. To obtain a root certificate used by a XMPP community:
a. Check with the XMPP community to determine which trusted certificate
authority they are using.
b. Determine if WebSphere Application Server supports the certificate.
c. If the certificate is recognized, there's nothing more to do on this step.
d. If the certificate is not recognized, obtain the certificate from the CA and
add it to your truststore (see next step in setting up SSL).
What to do next
If for any reason the root certificate authority for an instant messaging community
changes or you add an additional instant messaging community to your Lotus
Sametime Gateway, you must explicitly add the new root CA to your WebSphere
Application Server truststore.
Adding a trusted CA certificate to the keystore:
Add your new Certificate Authority certificate to the keystore to establish the trust
relationship in SSL communication.
Before you begin
The keystore that you want to add the CA certificate to must already exist.
Expected state: the Deployment Manager and node agents are started. The servers
are stopped.
Procedure
1. In the Integrated Solutions Console, click Security → SSL certificates and key
management.
2. Click Key stores and certificates → CellDefaultTrustStore → Signer certificates.
3. Click Add.
4. Type a certificate alias in the Alias field. The alias is how the certificate is
referenced in the keystore.
5. In the File name field, type the file name and path to where the certificate is
located.
6. Select the appropriate file data type.
7. Click Apply and then Save.
8. Synchronize your changes to all nodes in the cluster. Click System
Administration → Nodes.
9. Select all nodes in the cluster, then click Full Resynchronize.
10. Open a command window.
11. In the command window, stop the Deployment Manager and wait for the
command to finish, and then restart the Deployment Manager. Use the user
name and password that you provided when you enabled administrative
security to stop the Deployment Manager. Open a command window and
navigate to the stgw_profile_root\bin directory and use the following
commands:
AIX, Linux, and Solaris
./stopManager.sh -username username -password password
./startManager.sh
Windows
stopManager.bat -username username -password password
startManager.bat
IBM i
stopManager -username username -password password
startManager
12. Restart the node agents.
a. Log into the Integrated Solutions Console (http://localhost:9060/ibm/console)
on the Deployment Manager.
b. Click System Administration → Node agents.
c. Select all node agents, and then click Restart.
13. Choose Servers → Clusters.
14. Select the Lotus Sametime Gateway cluster and click Start.
15. Click Servers → Proxy servers. Note that if you are not connecting to any
instant messaging service over SIP, it's not necessary to start the SIP proxy
server.
16. Select the SIP proxy server or servers and click Start.
17. Choose Server → Application servers.
18. Select the XMPP proxy server and click Start. Note that if you are not
connecting to any instant messaging service over XMPP, it's not necessary to
start the XMPP proxy server.
Configuring the SIP proxy server to use SSL:
Apply the new SSL definition to the SIP proxy server.
Before you begin
Expected state: the Deployment Manager, node agents, and all servers in the
cluster are started.
Procedure
1. In the Integrated Solutions Console, click Security → SSL certificate and key
management → Manage endpoint security configurations.
2. Expand the Inbound node on the local topology tree.
a. Expand cell with sip proxy.
b. Expand nodes.
c. Expand node with sip proxy.
d. Expand servers.
3. Select sip proxy server from the tree.
4. On the configuration panel, select Override inherited values.
5. Select the SSL configuration that you defined from the SSL configuration
drop-down list.
6. Click Update certificate alias list.
7. Select your certificate alias from the Certificate alias in key store drop-down
list.
8. Click Apply.
9. Repeat the preceding steps on the Outbound node of the local topology tree.
10. Change the SSL configuration on the SIP proxy server:
a. Click Servers → Proxy Servers → name of your SIP proxy server → SIP
Proxy Server Settings → SIP proxy server transports → SIPS PROXY
CHAIN → SSL inbound channel (SSL_4).
b. Under SSL Configuration, select Centrally Managed.
c. Click OK, and then Save.
11. Synchronize your changes to all nodes in the cluster. Click System
Administration → Nodes.
12. Select all nodes in the cluster, then click Full Resynchronize.
13. Open a command window.
14. In the command window, stop the Deployment Manager and wait for the
command to finish, and then restart the Deployment Manager. Use the user
name and password that you provided when you enabled administrative
security to stop the Deployment Manager. Open a command window and
navigate to the stgw_profile_root\bin directory and use the following
commands:
AIX, Linux, and Solaris
./stopManager.sh -username username -password password
./startManager.sh
Windows
stopManager.bat -username username -password password
startManager.bat
IBM i
stopManager -username username -password password
startManager
15. Restart the node agents.
a. Log into the Integrated Solutions Console (http://localhost:9060/ibm/console)
on the Deployment Manager node.
b. Click System Administration → Node agents.
c. Select all node agents, and then click Restart.
16. Click Servers → Clusters.
17. Select the Lotus Sametime Gateway cluster, and click Stop, and wait for the
cluster to stop.
18. Click Servers → Clusters.
19. Select the Lotus Sametime Gateway cluster, and click Start.
20. Click Servers → Proxy servers.
21. Select the SIP proxy server and click Start.
What to do next
Now you can exchange signer certificates with other server communities.
Configuring the XMPP proxy server to use SSL:
Apply the new SSL definition to the XMPP proxy server.
Before you begin
Expected state: the Deployment Manager, node agents, and all servers in the
cluster are started.
Procedure
1. In the Integrated Solutions Console, click Security → SSL certificate and key management → Manage endpoint security configurations.
2. Expand the Inbound node on the local topology tree.
a. Expand cell with XMPP proxy.
b. Expand nodes.
c. Select the node with the XMPP proxy.
3. On the configuration panel, select Override inherited values.
4. Make sure NodeDefaultSSLSettings is selected in the SSL configuration
drop-down list.
5. Click Update certificate alias list.
6. Select your certificate alias from the Certificate alias in key store drop-down
list.
7. Click Apply.
8. Repeat the preceding steps on the Outbound node of the local topology tree.
9. Click OK and Save.
What to do next
Now you can exchange signer certificates with other server communities.
List of supported Certificate Authorities
Certificate authorities (CAs) can issue public key certificates which state that the CA attests that the public key contained in the certificate belongs to you. You then use your CA-signed certificate to exchange certificates with AOL, Yahoo!, and XMPP communities to provide for the secure exchange of instant messages.
Certificate vendors sometimes change the product names of their offerings without changing the underlying CA certificate. AOL, Yahoo!, and XMPP cannot keep track of all the product-naming conventions of each certificate vendor.
Attention: The server certificate installed on Sametime Gateway must conform to the RFC 3280 certificate standard. When requesting a certificate, make sure the certificate supports both server and client authentication. Some certificate authorities provide certificates that support server authentication only or client authentication only. Certificates must include both the server authentication and the client authentication Extended Key Usage (EKU) flags. Thawte certificates in the following list meet these standards. It is your responsibility to make sure that the certificate supports both.
As part of a public key infrastructure (PKI), a CA checks with a registration authority to verify information provided by your digital certificate. If the registration authority verifies your information, the CA can then issue a certificate to you.
For the current list of Certificate Authorities accepted by Lotus Sametime Gateway and by AOL, XMPP, and Yahoo, see the IBM FAQ Tech Note #1372445, "List of Certificate Authorities (CAs) accepted by Lotus Sametime Gateway" at:
www.ibm.com/support/docview.wss?&uid=swg21372445
Setting up email notifications for certificate expiration
This optional procedure allows the Sametime Gateway administrator to receive email notifications about SSL certificates that are about to expire.
About this task
Follow these steps to create a list of people who need to be notified of SSL
certificate expirations.
Procedure
1. On the Sametime Gateway, log in to the Integrated Solutions Console.
2. Click Security → SSL Certificate and key management → Manage certificate
expiration.
3. Click NotificationsMessageLog.
4. Select Email sent to notification list.
5. In the Email address to add field, add the administrator's email address.
6. In the Outgoing mail (SMTP) server, provide your organization's outgoing
SMTP server host name.
7. Click to add the email address to the list of email addresses.
8. Repeat Steps 4 - 6 for additional email addresses you want to add.
9. Click OK.
10. Click Save.
Configuring LDAP for a single server on AIX, Linux, Solaris,
and Windows
IBM Lotus Sametime Gateway requires that IBM WebSphere Application Server be configured to use a Lightweight Directory Access Protocol (LDAP) user registry that contains members of the local Sametime community. Complete the following steps if you did not create a connection to LDAP at installation, or if you completed a connection to LDAP but want to secure that connection over SSL.
Before you begin
Expected state: Administrative security is enabled. The Deployment Manager is
running.
Procedure
1. If not already started, start Lotus Sametime Gateway:
a. Open a command window.
b. Navigate to the Lotus Sametime Gateway profile directory that contains
binaries: rtcgw_profile_root\bin
c. Type the following command. Note that RTCGWServer is case-sensitive.
AIX, Linux, and Solaris
./startServer.sh RTCGWServer
Windows
startServer.bat RTCGWServer
2. Ensure that the enterprise LDAP server is running.
3. Complete the following sub-steps to connect to LDAP over SSL; otherwise skip this step. If the LDAP server is using a public certificate, then you need to obtain the public root CA and import it. If your LDAP server is using a self-signed certificate, then you simply import the self-signed certificate.
a. From the Integrated Solutions Console, select Security → SSL Certificates
and key management, then select Key stores and certificates.
b. Click NodeDefaultTrustStore.
c. Click Signer certificates.
d. Click Add.
e. In the Alias field, type a description for the certificate, whether it's
self-signed or a public CA.
f. In the File name field, type the path to the certificate file. For example,
c:\certname.cer.
g. Click Apply and then Save.
4. From the Integrated Solutions Console, select Security → Secure
administration, applications, and infrastructure.
5. Make sure the Enable administrative security and Enable application
security options are selected.
6. In the Available realm definitions, select Federated repositories.
7. Click Set as current.
8. Click Configure.
9. Click Add base entry to the Realm.
10. On the next screen, click Add Repository...
11. Type a logical name for the repository in the Repository Identifier field. The identifier can be any value, as long as it's unique within the cell.
12. Select the type of LDAP server to use from the Type list. If you have an IBM
Lotus Domino Version 7.0 server, select IBM Lotus Domino Version 6.5 as
your LDAP type.
13. Enter the fully qualified host name of the LDAP server in the Primary Host
field. You can enter either the IP address or domain name system (DNS)
name.
14. Enter the LDAP server port number in the Port field. The host name and the
port number represent the realm for this LDAP server in the WebSphere
Application Server cell. The default value is 389.
15. Optionally, enter the bind DN name in the Bind distinguished name field.
The bind distinguished name can be any user with read permission for the
directory server. The bind DN need not be the LDAP administrator. Leave this
field blank to connect to the LDAP server anonymously.
16. Optionally enter the password corresponding to the bind DN in the Bind
password field. Leave this field blank to connect to the LDAP server
anonymously.
17. Specify the Login properties when setting up the repository. The cn, uid, and
mail are common login property values. If your LDAP server uses a login
property other than uid, you must change the value to match your user prefix.
18. Click Apply, and then click Save.
19. In the Distinguished name of a base entry that uniquely identifies this set of entries in the realm field, type the base DN of your choice such as "o=myLDAPRealm" or "o=defaultWIMLDAPBasedRealm". This DN is for internal WebSphere Application Server use only and is used to identify a set of entries when returning search results.
20. In the Distinguished name of a base entry in this repository field, type the
DN of the base entry within the directory to begin searches. Leave this field
blank to start LDAP searches at the root of your LDAP repository, or if you
have a Domino LDAP, which always begins searches at the root of the
directory. An example of a DN for the base entry in a repository:
dc=IBM,dc=COM
21. Click Apply, and then click Save.
22. Use a text editor and open wimconfig.xml:
app_server_root\profiles\RTCGW_Profile\config\cells\cell_name\wim\config\wimconfig.xml
Replace cell_name with the name of your cell.
23. Find the LDAP repository type in the config:repositories element:
<config:repositories>
<config:repositories xsi:type="config:LdapRepositoryType">
Add the following line to the <config:attributeConfiguration> element block:
<config:externalIdAttributes name="unique_attribute" syntax="attribute_syntax"/>
where unique_attribute is the unique LDAP attribute that you want to use and attribute_syntax identifies the syntax. Include the syntax attribute only if the syntax is something other than a type of string.
For example, to use a string called dominounid, edit the wimconfig.xml file to include the following element:
<config:externalIdAttributes name="dominounid"/>
If the attribute is not a string, you must identify its syntax as well. For example:
<config:externalIdAttributes name="GUID" syntax="octetString"/>
The following are some examples of commonly used unique attributes for different flavors of LDAP:
• Domino LDAP: dominounid
• IDS: ibm-entryuuid
• Active Directory: objectguid
• Novell eDirectory: guid
• Sun ONE: nsuniqueid
24. Save the file. Note: the dominounid attribute was introduced in Lotus Domino 6.5.4 and 7.0. In some cases this attribute may not appear in the schema database or on the Server Configuration document (LDAP tab). This can occur when the administration server for the Domino domain is version 6.5.3 or lower. The Administration server controls the creation of the Schema database, as well as which attributes are available for anonymous queries through the Configuration document. To resolve the issue, upgrade the Administration server to Domino version 6.5.4 or above. In addition, while a particular Domino LDAP may not require a bind, binding is necessary to retrieve the dominounid attribute. Any bind user is acceptable; read-only access is sufficient.
25. Stop and then restart the Lotus Sametime Gateway server:
a. Navigate to the directory that contains binaries: rtcgw_profile_root\bin
b. Type the following commands, depending on your operating system, to
stop and then start Lotus Sametime Gateway. You must use the user name
and password that you provided when you enabled administrative
security to stop the server. Wait for the stopserver command to finish
before executing the startserver command. Note that RTCGWServer is
case-sensitive.
AIX, Linux, and Solaris
./stopServer.sh RTCGWServer -username username -password password
./startServer.sh RTCGWServer
Windows
stopServer.bat RTCGWServer -username username -password password
startServer.bat RTCGWServer
26. Log in to the Integrated Solutions Console.
27. Select Users and Groups → Manage Users.
28. Click Search to verify that you can search your LDAP directory. If your LDAP
functionality is enabled, you should see a list of users on the screen.
29. Click a user name and make sure you can see the user's content. You can
verify group names as well.
30. Copy the script stgw_server_root/config/adminscripts/rtcgw_vmm.jacl to app_server_root/bin.
31. Open a separate command window and navigate to app_server_root/bin.
32. Run the following command:
wsadmin -username username -password password -f rtcgw_vmm.jacl
Where username is the administrative user ID that you use to log into the
Integrated Solutions Console. You created this user ID when you installed
Lotus Sametime Gateway. For example:
wsadmin -username wasadmin -password gateway4u -f rtcgw_vmm.jacl
This script will place the default file repository of the WebSphere Application
Server at the bottom of listed config:repositories tags of wimconfig.xml, so it
is searched after the newly created repository.
33. Stop and then restart the Lotus Sametime Gateway server:
a. Navigate to the directory that contains binaries: rtcgw_profile_root\bin
b. Type the following commands, depending on your operating system, to
stop and then start Lotus Sametime Gateway. You must use the user name
and password that you provided when you enabled administrative
security to stop the server. Wait for the stopserver command to finish
before executing the startserver command. Note that RTCGWServer is
case-sensitive.
AIX, Linux, and Solaris
./stopServer.sh RTCGWServer -username username -password password
./startServer.sh RTCGWServer
Windows
stopServer.bat RTCGWServer -username username -password password
startServer.bat RTCGWServer
34. The remaining optional steps apply to an LDAP server that is not a Domino
LDAP directory. By default, Sametime uses mail as the attribute in an LDAP
record to search for users. If your LDAP directory uses a different attribute,
you can change Sametime to use that attribute instead. For example, if you
want to change Sametime to instead use the attribute displayName, complete
the following steps:
a. Use a Lotus Notes client on the Sametime server to open the Sametime
Configuration database (stconfig.nsf).
b. Click File → Database → Open and select the Local server.
c. Select the Sametime Configuration database (stconfig.nsf).
d. Click Open.
e. In the right pane of the Configuration database, locate the LDAP server
entry in the Form Name column of the Configuration.
f. Each LDAP Server document is listed to the right and beneath the LDAP
Server entry under the Last Modified Date column. The date represents
the last time the LDAP server document was modified.
g. To open an LDAP Server document, double-click the date in the Last
Modified Date column that represents the document.
h. When the LDAP Server document opens, double-click the document to put
it in edit mode.
i. Search and replace mail with displayname in the following fields:
Search filter for resolving person names:
(&(objectclass=organizationalPerson)(|(uid=%s*)(givenname=%s*)(sn=%s*)(mail=%s*)))
Search filter to use when resolving a user name to a distinguished name:
(&(objectclass=organizationalPerson)(|(uid=%s)(givenname=%s)(sn=%s)(mail=%s)))
Attribute of the person entry that defines the person's email address: mail
j. Save your changes and then restart the Domino server.
k. On the Lotus Sametime Gateway server that is connected to LDAP, use a
text editor and open the following file:
rtcgw_profile_root\config\cells\<cell_name>\wim\config\wimconfig.xml
l. Add the following line under the other configuration attributes:
<config:attributes name="displayName" propertyName="mail"/>
For example:
<config:attributeConfiguration>
<config:externalIdAttributes name="dominounid" />
<config:attributes name="userPassword" propertyName="password" />
<config:attributes name="cn" propertyName="displayName">
<config:attributes name="displayName" propertyName="mail"/>
<config:entityTypes>Group</config:entityTypes>
</config:attributes>
<config:attributes name="cn" propertyName="cn">
<config:entityTypes>Group</config:entityTypes>
</config:attributes>
<config:propertiesNotSupported name="businessAddress" />
</config:attributeConfiguration>
m. Save the file.
n. Stop and restart the Lotus Sametime Gateway server.
Configuring LDAP for a cluster on AIX, Linux, Solaris, and
Windows
The IBM Lotus Sametime Gateway requires that IBM WebSphere Application Server be configured to use the Lightweight Directory Access Protocol (LDAP) user registry that contains members of the local Sametime community. These steps
include information for setting up a connection to LDAP using a self-signed
certificate. Complete the following steps if you did not create a connection to
LDAP at installation, or you completed a connection to LDAP but want to secure
that connection over SSL.
Before you begin
Expected state: the Deployment Manager and node agents are started. The servers
are stopped. Administrative security is enabled.
Procedure
1. Log in to the Deployment Manager node as a user with administrative
privileges. Make sure you have an enterprise LDAP server that contains
members of the local Sametime community and the LDAP server is running.
2. Complete the following sub-steps to connect to LDAP over SSL; otherwise skip this step. If your LDAP server is using a public CA, then you need to obtain the public root CA and import it. If your LDAP server is using a self-signed certificate, then you simply import the self-signed certificate.
a. From the Integrated Solutions Console, select Security → SSL Certificates
and key management, then select Key stores and certificates.
b. Click CellDefaultTrustStore.
c. Click Signer certificates.
d. Click Add.
e. In the Alias field, type a description for the certificate, whether it's
self-signed or a public CA.
f. In the File name field, type the path to the certificate file. For example,
c:\certname.cer.
g. Click Apply and then Save.
3. Select Security → Secure administration, applications, and infrastructure.
4. Make sure the Enable administrative security and Enable application
security options are selected.
5. In the Available realm definitions, select Federated repositories.
6. Click Set as current.
7. Click Configure.
8. Click Add base entry to the Realm...
9. On the next screen, click Add Repository...
10. Type a logical name for the repository in the Repository Identifier field. The identifier can be any value, as long as it is unique within the cell.
11. Select the type of LDAP server to use from the Type list. If you have an IBM Lotus Domino Version 7.0 server, select IBM Lotus Domino Version 6.5 as your LDAP type.
12. Enter the fully qualified host name of the LDAP server in the Primary Host
field. You can enter either the IP address or domain name system (DNS)
name.
13. Enter the LDAP server port number in the Port field. The host name and the
port number represent the realm for this LDAP server in the WebSphere
Application Server cell. The default value is 389.
14. Optionally, enter the bind DN name in the Bind distinguished name field.
The bind distinguished name can be any user with read permission for the
directory server. The bind DN need not be the LDAP administrator. Leave this
field blank to connect to the LDAP server anonymously.
15. Optionally, enter the password corresponding to the bind DN in the Bind
password field. Leave this field blank to connect to the LDAP server
anonymously.
16. Specify the Login properties when setting up the repository. The cn, uid, and
mail are common login property values. If your LDAP server uses a login
property other than uid, you must change the value to match your user prefix.
17. Click Apply, and then click Save.
18. In the Distinguished name of a base entry that uniquely identifies this set of entries in the realm field, type the base DN of your choice such as "o=myLDAPRealm" or "o=defaultWIMLDAPBasedRealm". This DN is for internal WebSphere Application Server use only and is used to identify a set of entries when returning search results.
19. In the Distinguished name of a base entry in this repository field, type the
DN of the base entry within the directory to begin searches. Leave this field
blank to start LDAP searches at the root of your LDAP repository, or if you
have a Domino LDAP, which always begins searches at the root of the
directory. An example of a DN for the base entry in a repository:
dc=IBM,dc=COM
20. Click Apply, and then click Save.
21. Log out of the Integrated Solutions Console.
22. On the Deployment Manager, use a text editor and open wimconfig.xml:
app_server_root\profiles\RTCGW_Profile\config\cells\cell_name\wim\config\wimconfig.xml
The cell_name is the name of your cell.
23. Find the configLdapRepository section:
</config:repositories><config:repositories xsi:type="config:LdapRepositoryType">
24. Within that section, find the config:attributeConfiguration element block.
25. Add a line for config:externalIdAttributes if one does not already exist, using
one of the following formats.
• Add this line if the ID attribute has a default syntax type of string.
<config:externalIdAttributes name="unique_attribute"/>
where unique_attribute is the unique LDAP attribute that you want to use. The following example adds a string called dominounid:
<config:externalIdAttributes name="dominounid"/>
• Add this line if the ID attribute has a syntax type other than string.
<config:externalIdAttributes name="unique_attribute" syntax="attribute_syntax"/>
where unique_attribute is the unique LDAP attribute that you want to use and attribute_syntax identifies the syntax. You must include the syntax attribute only if the syntax is a type other than string. The following example adds an octetString attribute called GUID, which is the Novell eDirectory attribute:
<config:externalIdAttributes name="GUID" syntax="octetString"/>
The following are some examples of commonly used unique attributes for different flavors of LDAP:
– Domino LDAP: dominounid
– IDS: ibm-entryuuid
– Active Directory: objectguid
– Novell eDirectory: guid
– Sun ONE: nsuniqueid
26. Save the file.
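The wimconfig.xml edit in steps 22 to 26 above, and the same edit in steps 22 to 24 of the single-server procedure, is easy to get wrong by hand: the externalIdAttributes element must sit inside the config:attributeConfiguration block of the LDAP repository (not the file repository that precedes it), a non-string attribute needs its syntax declared, and an existing mapping should not be silently overwritten. The following Python script is an added example written for this guide, not IBM's code or part of the product. It assumes that the config: prefix in your file is bound to the namespace URI http://www.ibm.com/websphere/wim/config (check the xmlns:config declaration at the top of the file) and it runs against a constructed sample document modelled on the fragments shown above; run it against a copy of your own wimconfig.xml only after backing the file up.

```python
# Added example (not IBM's code): check and, if missing, insert the
# config:externalIdAttributes mapping in a WebSphere wimconfig.xml.
import xml.etree.ElementTree as ET

# Assumption: this is the namespace URI bound to the config: prefix in
# wimconfig.xml. Verify against the xmlns:config declaration in your file.
CONFIG_NS = "http://www.ibm.com/websphere/wim/config"
XSI_NS = "http://www.w3.org/2001/XMLSchema-instance"
LDAP_TYPE = "config:LdapRepositoryType"
ET.register_namespace("config", CONFIG_NS)
ET.register_namespace("xsi", XSI_NS)


def q(local):
    """Qualified tag name in the config namespace."""
    return "{%s}%s" % (CONFIG_NS, local)


# Constructed sample modelled on the fragments in the guide (not a real file):
# a file repository followed by an LDAP repository that lacks externalIdAttributes.
SAMPLE_WIMCONFIG = """<config:configurationProvider xmlns:config="%s" xmlns:xsi="%s">
  <config:repositories xsi:type="config:FileRepositoryType" id="InternalFileRepository"/>
  <config:repositories xsi:type="%s" id="MyLDAP">
    <config:attributeConfiguration>
      <config:attributes name="userPassword" propertyName="password"/>
    </config:attributeConfiguration>
  </config:repositories>
</config:configurationProvider>
""" % (CONFIG_NS, XSI_NS, LDAP_TYPE)

# Unique-identifier attributes the guide shows with complete information.
# Only the eDirectory GUID is given with a non-string syntax; confirm the
# syntax of any other attribute against your directory schema first.
GUIDE_EXAMPLES = {
    "Domino LDAP": ("dominounid", None),
    "Novell eDirectory": ("GUID", "octetString"),
}


def ldap_repositories(root):
    """Yield only the repositories elements typed as LDAP repositories."""
    for repo in root.iter(q("repositories")):
        if repo.get("{%s}type" % XSI_NS) == LDAP_TYPE:
            yield repo


def external_ids(xml_text):
    """Report (repository id, name, syntax) for each LDAP repository."""
    result = []
    for repo in ldap_repositories(ET.fromstring(xml_text)):
        ext = repo.find(q("attributeConfiguration") + "/" + q("externalIdAttributes"))
        if ext is None:
            result.append((repo.get("id"), None, None))
        else:
            result.append((repo.get("id"), ext.get("name"), ext.get("syntax")))
    return result


def ensure_external_id(xml_text, name, syntax=None):
    """Insert externalIdAttributes where absent; never overwrite an existing one.
    Returns the (possibly updated) document text and a list of report lines."""
    root = ET.fromstring(xml_text)
    report = []
    for repo in ldap_repositories(root):
        rid = repo.get("id")
        cfg = repo.find(q("attributeConfiguration"))
        if cfg is None:
            cfg = ET.SubElement(repo, q("attributeConfiguration"))
        ext = cfg.find(q("externalIdAttributes"))
        if ext is None:
            ext = ET.Element(q("externalIdAttributes"), {"name": name})
            if syntax:
                ext.set("syntax", syntax)
            cfg.insert(0, ext)  # the guide's examples list it first in the block
            report.append("%s: added externalIdAttributes name=%s syntax=%s" % (rid, name, syntax))
        elif (ext.get("name"), ext.get("syntax")) == (name, syntax):
            report.append("%s: externalIdAttributes already set to %s" % (rid, name))
        else:
            report.append("%s: externalIdAttributes is %s (syntax=%s); expected %s, left unchanged"
                          % (rid, ext.get("name"), ext.get("syntax"), name))
    return ET.tostring(root, encoding="unicode"), report


if __name__ == "__main__":
    updated, notes = ensure_external_id(SAMPLE_WIMCONFIG, *GUIDE_EXAMPLES["Domino LDAP"])
    print("\n".join(notes))
    print(updated)
```

Running the script once reports the insertion and prints the updated document; running it again on that output reports that the mapping is already present, which is the check you want before a restart of the Deployment Manager.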
27. Navigate to the rtcgw_profile_root\bin directory.
28. Stop the Deployment Manager and wait for the command to finish, and then
restart the Deployment Manager. Use the user name and password that you
created when you enabled administrative security. Type the following
commands:
AIX, Linux, and Solaris
./stopManager.sh -username username -password password
./startManager.sh
Windows
stopManager.bat -username username -password password
startManager.bat
29. Synchronize your changes to all nodes in the cluster. Click System
Administration → Nodes
30. Select all nodes in the cluster, then click Full Resynchronize.
31. Restart the node agents.
a. Log into the Integrated Solutions Console on the Deployment Manager
node.
b. Click System Administration → Node agents .
c. Select all node agents, and then click Restart.
32. Choose Servers → Clusters
33. Select the Lotus Sametime Gateway cluster and click Start. Verify that the cluster status is Started (shown with a green arrow).
34. Select Users and Groups → Manage Users.
35. Click Search to verify that you can search your LDAP directory. If your LDAP
functionality is enabled, you should see a list of users on the screen.
36. Click a user name and make sure you can see the user's content. You can
verify group names as well.
37. Copy the following script:
from:
stgw_server_root/config/adminscripts/rtcgw_vmm.jacl
to the Deployment Manager node:
app_server_root/bin
38. Open a command window and navigate to app_server_root/bin .
39. Run the following command:
wsadmin -username username -password password -f rtcgw_vmm.jacl
Where username is the administrative user ID that you use to log into the
Integrated Solutions Console. You created this user ID when you installed
Lotus Sametime Gateway. For example:
wsadmin -username wasadmin -password gateway4u -f rtcgw_vmm.jacl
This script will place the default file repository of the WebSphere Application
Server at the bottom of listed config:repositories tags of wimconfig.xml, so it
is searched after the newly created repository.
40. In the DB2 window on the Deployment Manager node, stop the Deployment
Manager and wait for the command to finish, and then restart the
Deployment Manager. Use the user name and password that you provided
when you enabled administrative security. Type the following commands:
AIX, Linux, and Solaris
./stopManager.sh -username username -password password
./startManager.sh
Windows
stopManager.bat -username username -password password
startManager.bat
41. Restart the node agents.
a. Log into the Integrated Solutions Console on the Deployment Manager
node.
b. Click System Administration → Node agents .
c. Select all node agents, and then click Restart.
42. Choose Servers → Clusters
43. Select the Lotus Sametime Gateway cluster and click Start. Verify that the cluster status is Started (shown with a green arrow).
44. The remaining optional steps apply to an LDAP server that is not a native internal Domino directory. Complete these steps to change the default attribute of the person entry that defines the person's email address in app_server_root\profiles\RTCGW_Profile\config\cells\cell_name\wim\config\wimconfig.xml. The default attribute is mail. If you want to change the default attribute to displayName, complete the following steps:
a. Use a Lotus Notes client on the Sametime server to open the Sametime
Configuration database (stconfig.nsf).
b. Click File → Database → Open and select the Local server.
c. Select the Sametime Configuration database (stconfig.nsf).
d. Click Open.
e. In the right pane of the Configuration database, locate the LDAP server
entry in the Form Name column of the Configuration.
f. Each LDAP Server document is listed to the right and beneath the LDAP
Server entry under the Last Modified Date column. The date represents
the last time the LDAP server document was modified.
g. To open an LDAP Server document, double-click the date in the Last
Modified Date column that represents the document.
h. When the LDAP Server document opens, double-click the document to put
it in edit mode.
i. Search and replace mail with displayname in the following fields:
Search filter for resolving person names:
(&(objectclass=organizationalPerson)(|(uid=%s*)(givenname=%s*)(sn=%s*)(mail=%s*)))
Search filter to use when resolving a user name to a distinguished name:
(&(objectclass=organizationalPerson)(|(uid=%s)(givenname=%s)(sn=%s)(mail=%s)))
Attribute of the person entry that defines the person's email address: mail
j. Save your changes and then restart the Domino server.
k. On the Lotus Sametime Gateway server that is connected to LDAP, use a
text editor and open the following file:
app_server_root\profiles\RTCGW_Profile\config\cells\<cell_name>\wim\config\wimconfig.xml
l. Add the following line under the other configuration attributes:
<config:attributes name="displayName" propertyName="mail"/>
For example:
<config:attributeConfiguration>
<config:externalIdAttributes name="dominounid" />
<config:attributes name="userPassword" propertyName="password" />
<config:attributes name="cn" propertyName="displayName">
<config:attributes name="displayName" propertyName="mail"/>
<config:entityTypes>Group</config:entityTypes>
</config:attributes>
<config:attributes name="cn" propertyName="cn">
<config:entityTypes>Group</config:entityTypes>
</config:attributes>
<config:propertiesNotSupported name="businessAddress" />
</config:attributeConfiguration>
m. Save the file. Note: the dominounid attribute was introduced in Lotus Domino 6.5.4 and 7.0. In some cases this attribute may not appear in the schema database or on the Server Configuration document (LDAP tab). This can occur when the administration server for the Domino domain is version 6.5.3 or lower. The Administration server controls the creation of the Schema database, as well as which attributes are available for anonymous queries through the Configuration document. To resolve the issue, upgrade the Administration server to Domino version 6.5.4 or above. In addition, while a particular Domino LDAP may not require a bind, binding is necessary to retrieve the dominounid attribute. Any bind user is acceptable; read-only access is sufficient.
n. Stop and restart the Deployment Manager, the node agents and Lotus
Sametime Gateway servers.
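Step 44.i above (and step 34.i of the single-server procedure) replaces mail with displayname in the two search filters of the LDAP Server document. The following Python example is added here and is not IBM's code; the product's own filter handling is not described in this guide, so nothing below describes what Sametime does internally. It renames an attribute only where it occupies the attribute position of a filter item, so that a blind text replace cannot touch other parts of the filter, and it shows how a value substituted for the %s placeholder should be escaped per RFC 4515 so that the filter structure stays exactly as the template defines it. The filter grammar it recognises is a simplified subset (equality, approximate, greater-or-equal and less-or-equal items with plain attribute names), which covers the two templates shown in this guide.

```python
# Added example (not IBM's code): rename an attribute in a Sametime LDAP
# search filter template and fill the %s placeholder with an escaped value.
import re

# The two filter templates shown in the LDAP Server document (from the guide).
NAME_RESOLVE_FILTER = (
    "(&(objectclass=organizationalPerson)"
    "(|(uid=%s*)(givenname=%s*)(sn=%s*)(mail=%s*)))"
)
DN_RESOLVE_FILTER = (
    "(&(objectclass=organizationalPerson)"
    "(|(uid=%s)(givenname=%s)(sn=%s)(mail=%s)))"
)

# Simplified subset of the RFC 4515 grammar: a filter item opens with "(",
# an attribute description, then one of the comparison operators.
_ITEM_RE = re.compile(r"\(([A-Za-z][A-Za-z0-9-]*)(=|~=|>=|<=)")


def rename_attribute(template, old, new):
    """Replace attribute `old` with `new` only in the attribute position of a
    filter item, so an assertion value containing the same word is untouched.
    Attribute names compare case-insensitively, as LDAP does."""
    def repl(match):
        attr, op = match.group(1), match.group(2)
        if attr.lower() == old.lower():
            return "(" + new + op
        return match.group(0)
    return _ITEM_RE.sub(repl, template)


def escape_value(value):
    """RFC 4515 escaping for an assertion value: the characters that would
    otherwise change the filter structure become backslash-hex escapes."""
    out = []
    for ch in value:
        if ch in "\\*()\x00":
            out.append("\\%02x" % ord(ch))
        else:
            out.append(ch)
    return "".join(out)


def fill_filter(template, value):
    """Substitute the escaped value for every %s in the template. The template's
    own trailing '*' wildcards are kept; any '*' inside the value is escaped."""
    return template.replace("%s", escape_value(value))


def filter_items(filter_text):
    """Attribute names found in the attribute position of each item, in order.
    Comparing this list before and after filling shows the structure is intact."""
    return [m.group(1) for m in _ITEM_RE.finditer(filter_text)]


if __name__ == "__main__":
    renamed = rename_attribute(NAME_RESOLVE_FILTER, "mail", "displayName")
    print(renamed)
    print(fill_filter(renamed, "o'brien (sales)"))
```

The third field of step i, "Attribute of the person entry that defines the person's email address", is a plain attribute name rather than a filter, so it is changed directly and needs no parsing.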
Results
You are now ready to set up SSL on a cluster.
Connecting servers to Sametime Gateway
To complete IBM Lotus Sametime Gateway setup, you connect servers to the Lotus
Sametime Gateway by performing some configuration steps on the local Sametime
server, adding the local community to the Lotus Sametime Gateway, registering
your Sametime Gateway server with AOL so that Lotus Sametime Gateway can
connect to the AOL clearinghouse, and then, after you complete your registration,
adding the AOL clearinghouse community to the Lotus Sametime Gateway. Finally,
you want to note the port numbers so you can provide these ports to external
communities.
Opening ports in the firewalls
Open specific ports in the internal and external firewalls to allow messages to flow
to and from the Sametime Gateway server in the DMZ to the local Sametime
community, and to permit access to LDAP and DB2®. In addition, verify that the
external firewall allows inbound and outbound connections to and from specific IP
addresses. Make sure any kind of SIP fixup or SIP inspection is disabled in your
firewall settings.
About this task
A Sametime Gateway server or cluster is normally deployed in the DMZ, which is
the zone between the internal and external firewalls. Work with your network
firewall administrator to open ports in the internal firewall to allow Sametime
Gateway to connect to the local Sametime community servers, LDAP, and DB2.
You also need to open ports in the external firewall to allow Sametime Gateway to
connect with external communities.
You can deploy a Network Address Translator (NAT) between local Lotus
Sametime community servers and a Lotus Sametime Gateway. However, deploying
a NAT device between Lotus Sametime Gateway and the Internet is not supported
when trying to connect Lotus Sametime Gateway to AOL, Yahoo, or TLS-encrypted
SIP-based external communities. While there are SIP-aware NAT devices, they are
not sufficient because both AOL and Yahoo communities require secure SIP
(SSL/TLS) communication, and a NAT device would not be able to decrypt and
translate the packets for proper operation. NAT has no effect on the XMPP
protocol, so exchanges using Google Talk over XMPP are always permitted to pass
through a NAT-enabled firewall that is between Lotus Sametime Gateway and the
Internet.
Procedure
1. Open the following ports in the internal firewall:
v Port 1516 on the internal firewall to each Sametime community server in the
local Sametime community, the Sametime Gateway will be the one creating
the TCP connection to the destination IP at destination port 1516.
Chapter 1. Configuring
277
v Port 389 on the internal firewall to the LDAP directory, or port 636 if LDAP
access is over SSL.
v Port 50000 on the internal firewall to a DB2 server.
2. Open the following ports on the external firewall as needed:
v Port 5269 on the external firewall to Google Talk and non-secured XMPP.
v Port 5270 on the external firewall to secured XMPP.
v Port 5061 on the external firewall to external Lotus Sametime, AOL, or
Yahoo! Messenger communities using a secure TLS/SSL connection.
v Port 5060 on the external firewall to an external Lotus Sametime community
(only if using a non-TLS/SSL connection).
v Port 53 on the external firewall to external DNS servers to resolve the fully
qualified domain name of external community servers.
3. Verify that the external firewall allows inbound and outbound connections to
and from the following IP addresses:
v AOL:
64.12.162.248, 205.188.153.55
v For Yahoo! Messenger, you have two options:
Choosing between options A and B when configuring your firewall is a
matter of trade-offs. Option A offers more security (by using specific
addresses instead of Class-C range addresses), while option B requires less
firewall-rules maintenance (if Yahoo! adds a server to their array, its IP
address will probably be contained within the allowed IP addresses range,
and so would not require a firewall update – but this is not guaranteed).
Consult your network administrator and security officer; if in doubt, use
option A, which is more secure.
– Option A: Define the exact Yahoo! Servers IPs that the Sametime Gateway
will interact with, using the list below:
– Option B: Configure your firewall to restrict incoming and outgoing
communication to a range of Class-C IP addresses used by Yahoo!
Messenger:
98.136.112.84
98.136.56.113
69.147.79.*
98.136.113.*
98.136.43.*
v For Google Talk, include all the IP addresses resolvable from a DNS lookup
of talky.l.google.com and talkz.l.google.com. The talky.l.google.com
addresses are for connections that are incoming from the enterprise to
Google. The talkz.l.google.com addresses are for connections that are
incoming from Google to the enterprise.
In the command window, type:
nslookup talky.l.google.com
Then type:
nslookup talkz.l.google.com
For example:
C:\>nslookup talky.l.google.com
Name: talky.l.google.com
Addresses: 74.125.47.125, 74.125.65.125, 74.125.155.125, 209.85.137.125
209.85.163.125, 209.85.229.125, 216.239.51.125, 64.233.169.125, 72.14.203.125
72.14.247.125
C:\>nslookup talkz.l.google.com
Non-authoritative answer:
Name: talkz.l.google.com
Addresses: 209.85.200.129, 72.14.252.129, 209.85.162.129
4. Make sure that the Lotus Sametime Gateway server can resolve a reverse
lookup on each of the Google IP addresses returned in the previous step.
You can verify this by substituting each IP address into the following
command:
C:\>nslookup
> 209.85.163.125
Server: UnKnown
Address: 129.42.250.40
Name: el-in-f125.google.com
Address: 209.85.163.125
5. Yahoo now strictly enforces the ability to perform reverse DNS lookups on the
Sametime Gateway's public IP address. Use a program like the Kify DNS
Query Tool to verify that a reverse DNS lookup on the Gateway's public IP
address resolves to the external hostname that has been provisioned with
Yahoo.
If the reverse DNS lookup does not resolve to the correct hostname, have your
DNS administrator correct this setting in DNS. Once corrected, you should be
able to verify that the IP address resolves to the correct, provisioned hostname.
Enabling reverse DNS lookup for Yahoo! servers:
Provision an external host name for an IBM Lotus Sametime Gateway server to
enable reverse DNS lookups for Yahoo! servers.
About this task
Yahoo! strictly enforces the ability to perform reverse DNS lookups on the Lotus
Sametime Gateway's public IP address. This means that the public IP associated
with the Sametime Gateway must be configured in DNS to allow reverse DNS
lookups so that a reverse DNS lookup on the Gateway's public IP resolves to the
external host name that has been provisioned with the Yahoo! server.
Procedure
1. Open a web browser and navigate to the Kify DNS query tool.
2. On the Kify DNS Query Tool page, select the following settings:
a. Under "Host information" select Resolve/Reverse Lookup.
b. Under "Host connectivity" type the Lotus Sametime Gateway's public IP
address in the Enter host or IP field.
You do not need to select any options from this list; if "Do it all" is selected
by default, you can just leave it selected.
c. Click Check.
Verify that the response indicates a successful lookup:
v Successful response: The IP resolves to the external host name that is
provisioned for the Lotus Sametime Gateway server.
v Unsuccessful response: Either of these results indicates a problem
– The IP resolves to itself (the same IP address).
– The IP resolves to the wrong host name (not the one you provisioned for
the Lotus Sametime Gateway server).
3. If the response indicates a problem, engage your DNS administrators to correct
this setting in DNS before testing the lookup again.
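As an added check that is not part of this guide or the Sametime product, the following Python script classifies the reverse-lookup result for the Gateway's public IP according to the success and failure cases above (step 5 and the Kify procedure), and lists any Google IP addresses the Gateway cannot reverse-resolve (step 4). The sample DNS data, IP addresses and host names in it are constructed; system_ptr and system_a query the Gateway host's own resolver.

```python
"""Reverse-DNS checks for a Lotus Sametime Gateway (added example, not product code).

Two checks from the firewall and DNS procedure:
  * step 4: the Gateway host must be able to reverse-resolve each Google IP;
  * step 5 / Kify procedure: the Gateway's public IP must reverse-resolve to
    the external host name provisioned with Yahoo!, not to itself and not to
    some other name.
Resolvers are injected so the logic can be exercised offline with constructed
sample data; system_ptr/system_a use the operating system's DNS configuration.
"""
import socket
from typing import Callable, List, Optional, Tuple

PtrResolver = Callable[[str], Optional[str]]  # IP -> PTR name, or None if none
AResolver = Callable[[str], List[str]]         # host name -> IPv4 addresses

# Outcomes mirror the success/failure criteria in the guide.
OK = "ok"
NO_PTR_RECORD = "no-ptr-record"
RESOLVES_TO_ITSELF = "resolves-to-itself"
WRONG_HOST_NAME = "wrong-host-name"
FORWARD_MISMATCH = "forward-lookup-mismatch"


def normalize(name: str) -> str:
    """Compare DNS names case-insensitively and without the trailing dot."""
    return name.strip().rstrip(".").lower()


def check_gateway_reverse_dns(public_ip: str, provisioned_host: str,
                              resolve_ptr: PtrResolver,
                              resolve_a: AResolver) -> Tuple[str, Optional[str]]:
    """Classify the PTR result for the Gateway's public IP.

    Returns (outcome, name returned by the reverse lookup or None).
    """
    ptr_name = resolve_ptr(public_ip)
    if ptr_name is None:
        return NO_PTR_RECORD, None
    if normalize(ptr_name) == public_ip:
        return RESOLVES_TO_ITSELF, ptr_name           # "the IP resolves to itself"
    if normalize(ptr_name) != normalize(provisioned_host):
        return WRONG_HOST_NAME, ptr_name              # PTR points at another name
    # Forward-confirm: the provisioned name must also map back to this IP,
    # otherwise a peer that checks both directions would still reject it.
    if public_ip not in resolve_a(ptr_name):
        return FORWARD_MISMATCH, ptr_name
    return OK, ptr_name


def unresolvable_peer_ips(peer_ips: List[str], resolve_ptr: PtrResolver) -> List[str]:
    """Return the peer (e.g. Google) IPs for which no PTR record is returned."""
    return [ip for ip in peer_ips if resolve_ptr(ip) is None]


def system_ptr(ip: str) -> Optional[str]:
    """Reverse lookup through the host's resolver (the equivalent of 'nslookup <ip>')."""
    try:
        return socket.gethostbyaddr(ip)[0]
    except OSError:  # herror/gaierror: no PTR record or resolver failure
        return None


def system_a(host: str) -> List[str]:
    """Forward IPv4 lookup through the host's resolver."""
    try:
        infos = socket.getaddrinfo(host, None, socket.AF_INET)
        return sorted({info[4][0] for info in infos})
    except OSError:
        return []


# Constructed sample DNS data (TEST-NET addresses, example.com names; not real records).
SAMPLE_PTR = {
    "203.0.113.10": "stgateway.example.com.",  # correct, forward-confirmed
    "203.0.113.11": "203.0.113.11",            # resolves to itself
    "203.0.113.12": "mail.example.com",        # wrong host name
    "203.0.113.13": "stgateway.example.com",   # PTR correct, A record points elsewhere
}
SAMPLE_A = {"stgateway.example.com": ["203.0.113.10"]}


def sample_resolvers() -> Tuple[PtrResolver, AResolver]:
    """Offline resolvers over the constructed sample data above."""
    return (lambda ip: SAMPLE_PTR.get(ip),
            lambda host: SAMPLE_A.get(normalize(host), []))


if __name__ == "__main__":
    import sys
    if len(sys.argv) != 3:
        sys.exit("usage: check_gateway_dns.py <gateway-public-ip> <provisioned-host-name>")
    outcome, name = check_gateway_reverse_dns(sys.argv[1], sys.argv[2], system_ptr, system_a)
    print(f"{sys.argv[1]} -> {name!r}: {outcome}")
```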
Connecting the local Sametime Community Server to Sametime
Gateway
Complete these steps to prepare and then add your local Community Server to
Lotus Sametime Gateway.
Managing trusted IP addresses:
Whenever you install a server that communicates with an IBM Lotus Sametime
Community Server, you must add the new server's IP address to the Community
Server's settings.
About this task
The Lotus Sametime Community Server accepts connections from the Lotus
Sametime Media Manager, the Lotus Sametime Gateway, the Lotus Sametime
Community Mux, and the Lotus Sametime Proxy Server, as well as other servers
that are listed in the Community Services page. To ensure that the Lotus Sametime
Community Server trusts these components when they establish a connection, you
must add the trusted server's IP address to the Lotus Sametime Community Server.
If you are installing a cluster of Lotus Sametime Media Manager servers, Lotus
Sametime Gateway servers, or Lotus Sametime Proxy Servers, be sure to include
the IP address of the Primary Node as well as every Secondary Node in the
cluster (you do not need to include the Deployment Manager).
You do not need to add the Lotus Sametime System Console's IP address because
it is added automatically when you install the Lotus Sametime Community Server
using a deployment plan or register the Lotus Sametime Community Server with
the console after installation.
This task must be completed separately for each server within a Lotus Sametime
Community Server cluster, as well as for multiple non-clustered Community
Servers.
Procedure
1. Log in to the Integrated Solutions Console.
2. Click Sametime System Console → Sametime Servers → Sametime Community
Servers.
3. In the Sametime Community Servers list, click the deployment name of the
server with the list of trusted IP addresses that you want to change.
4. Click the Connectivity tab.
5. Under Trusted Servers, enter the IP address of the server that must connect to
the Lotus Sametime Community Server in the New IP Address field, and click
Add.
Note:
v If you have a cluster, type the IP addresses of the primary node and all
secondary nodes, separating each address with a comma. Do not include the
IP address of the Deployment Manager.
v For the Lotus Sametime Media Manager, enter the Conference Manager
server IP address.
To delete an IP address from the list, select it and click Delete Selected.
6. Click OK.
7. Restart the Lotus Sametime Community Server for the change to take effect.
Specifying the mail attribute for LDAP person records:
If your Sametime servers are configured to use an LDAP server that is not a native
internal Domino directory, you must specify the attribute in an LDAP record that
contains the user's email address. This setting is required because SIP entities are
identified by their email addresses.
Procedure
1. From the Sametime server home page, click the Administer the Server link to
open the Sametime Administration Tool.
2. Choose LDAP Directory - Basics.
3. In the Basics settings for server drop-down list, select the LDAP server.
4. In the Attribute of a person entry that defines the person's email address
setting, type the attribute that your LDAP directory uses to hold the user's
email address. Default attribute names include the following:
v Type mail (default) if your LDAP directory is a Domino Directory, IBM
Directory Server, or Sun ONE Java System Directory Server.
v Type userPrincipalName (default) if you are using Microsoft Active
Directory.
5. Click Update.
6. Choose LDAP Directory - Searching.
7. In the search filter for resolving person names, update the search filter to
contain the attribute specified in step 4 above. For example, if the LDAP
directory uses the mail attribute, then update the search filter to include the
mail attribute. For example:
(&(objectclass=organizationalPerson)(|(cn=%s*)(givenname=%s*)(sn=%s*)(mail=%s*)))
8. Click Update and restart the server for the change to take effect.
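The following Python helper is an added example (not part of this guide or the product) for step 7: it parses the existing person search filter and inserts the configured email attribute into its OR group, so the filter does not have to be retyped by hand. It refuses filters that do not have the (&...(|...)...) shape shown above rather than guess at a rewrite.

```python
"""Add the email attribute to a Sametime LDAP person search filter (added example).

Once the attribute holding the user's email address is configured (mail, or
userPrincipalName for Active Directory), the same attribute must appear in the
OR group of the search filter for resolving person names; otherwise SIP
identities, which are email addresses, cannot be resolved.
"""
from typing import List


def _children(group_body: str) -> List[str]:
    """Split the body of an LDAP filter group into its top-level sub-filters."""
    parts, depth, start = [], 0, 0
    for i, ch in enumerate(group_body):
        if ch == "(":
            if depth == 0:
                start = i
            depth += 1
        elif ch == ")":
            depth -= 1
            if depth < 0:
                raise ValueError("unbalanced ')' in LDAP filter")
            if depth == 0:
                parts.append(group_body[start:i + 1])
    if depth != 0:
        raise ValueError("unbalanced '(' in LDAP filter")
    return parts


def ensure_mail_attribute(search_filter: str, mail_attr: str = "mail") -> str:
    """Return the filter with (mail_attr=%s*) added to its top-level OR group.

    The filter is returned unchanged if the attribute is already present.
    Raises ValueError for a filter that is not (&...) with exactly one (|...)
    child, so the administrator edits it by hand instead of getting a silently
    wrong filter.
    """
    f = search_filter.strip()
    term = f"({mail_attr}=%s*)"
    if term.lower() in f.lower():
        return f
    if not (f.startswith("(&") and f.endswith(")")):
        raise ValueError("expected an AND filter of the form (&...)")
    children = _children(f[2:-1])
    or_indexes = [i for i, c in enumerate(children) if c.startswith("(|")]
    if len(or_indexes) != 1:
        raise ValueError("expected exactly one top-level OR group (|...) to extend")
    i = or_indexes[0]
    # Insert the new term just before the OR group's closing parenthesis.
    children[i] = children[i][:-1] + term + ")"
    return "(&" + "".join(children) + ")"


# The filter shown in this guide before the mail attribute is added.
GUIDE_FILTER = "(&(objectclass=organizationalPerson)(|(cn=%s*)(givenname=%s*)(sn=%s*)))"
```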
Allowing local Sametime clients to add external users to Contact Lists:
Complete these steps to allow your Sametime clients to add external users to
Contact Lists.
About this task
Follow these steps to change policies to allow users to add external contacts.
Procedure
1. Log in to the Integrated Solutions Console.
2. Click Sametime System Console.
3. Click Manage Policies.
4. In the Instant Messaging tab, select the policy you want to change and click
Edit.
5. In the Chat section select "Allow user to add external users using Sametime
gateway communities."
6. Click OK.
Results
After you complete these steps, users will see an External Contact check box on
the Add New Contact dialog. To add an external contact, users type the external
user's email address ([email protected]), select External Contact, and then click Add.
Disabling the Sametime SIP Gateway on the local Sametime server:
To use Lotus Sametime Gateway with a local Sametime server version 6.5.1 or 7.0,
you must disable the Sametime SIP Gateway application.
Procedure
1. Windows: Disable the Sametime SIP Gateway application by completing the
following steps:
a. Click Start → Programs → Administrative tools → Services.
b. Right click on ST SIP Gateway and click Stop.
c. Right click on ST SIP Gateway and click Properties.
d. In the Startup type drop-down list, select Disabled.
e. Click OK.
f. Restart the Sametime server.
2. AIX, Solaris, IBM i: Disable the Sametime SIP Gateway application by
completing the following steps:
a. Open a command window. On IBM i, run the STRQSH (Start Qshell)
command.
b. Navigate to \lotus\domino.
c. Use a text editor and open the StCommLaunch.dep file.
d. Delete the following line from the file:
AIX and Solaris:
SERVERAPP ST SIP Gateway,ST Community,SOFT
IBM i:
SERVERAPP StGateway,StCommunity,SOFT
e. Save the file.
f. Restart the Sametime server.
Adding a local Community Server to Sametime Gateway:
Connect a local Lotus Sametime Community Server or Lotus Sametime community
cluster to Lotus Sametime Gateway to enable Lotus Sametime users to have instant
messaging with external users.
Before you begin
Before you can add a local Sametime server to Lotus Sametime Gateway, make
sure you've completed the preceding steps:
v Opened port 1516 on the internal firewall to the local Sametime community
server. If the Lotus Sametime community is clustered, you opened port 1516 to
each of the Sametime community servers, allowing both inbound and outbound
traffic between Lotus Sametime Gateway and each community server.
v Configured the Sametime server to trust the IP addresses of Lotus Sametime
Gateway servers.
v Disabled the legacy Sametime SIP Gateway on the Sametime community server.
v Allowed local Sametime clients to add external users to Contact Lists.
Important: You can only connect one gateway to a community; otherwise the
awareness and chat features may not work properly. Likewise, you can connect
only one local Lotus Sametime community to Lotus Sametime Gateway. You must
add the local community to Lotus Sametime Gateway before you add external
communities.
About this task
Expected state:
v Single server: the Lotus Sametime Gateway server is started.
v Cluster: the Deployment Manager is started, and the node agent and Lotus
Sametime Gateway servers are started on at least one node.
Procedure
1. In the Integrated Solutions Console, click Sametime Gateway → Communities.
2. In the table that lists communities, click New.
3. In the Name field, type a logical name for the local community such as
Sametime Users.
4. In the Community Type field, select Local.
5. In the Domains field, type the domain names in which users are found in the
local community.
Notes:
v Wildcards are not supported in this field; you must type each complete
domain name.
v Each domain name must access the same user directory. For example:
acme.com, us.acme.com, fr.acme.com, and uk.acme.com must all be linked
by a common user directory to be in the community. Obtain this
information from the system administrator of the local Lotus Sametime
community.
v If you plan to connect to Google Talk or other XMPP communities, all the
domains listed must have an existing SRV record. See the instructions in
Connecting to Google talk community. If even a single listed domain does
not have an SRV record, the Google community cannot connect.
6. In the Translation Protocol field, select VP.
7. Provide the Host name that Gateway connects to when it reads the overall
configuration of the Community Servers. Depending on the size of your
deployment, Sametime Gateway connects to either a single Sametime
Community Server or a virtual IP address, if you have one configured for
routing to multiple Community Servers.
Type the appropriate host name.
v One Sametime Community Server
Enter the server's host name.
v Multiple Community Servers (in a distributed or clustered environment)
Enter the host name of a Virtual IP (VIP) configured to route to an available
Community Server at all times. This is a bootstrapping phase, in which the
Gateway connects to the Community Server the VIP is currently pointing to
so it can read the cluster configuration information. This information
contains the list of Community Server host names. The Gateway then closes
the connection to the VIP and begins connecting to each of the Community
Servers directly instead.
Note: Do not enter the host name of a MUX or IP sprayer that Sametime
clients connect to.
8. Set the Port to 1516. The transport protocol is automatically set to TCP
(Transmission Control Protocol).
9. Click OK.
10. Restart the Lotus Sametime Gateway server, or, if you have a cluster of Lotus
Sametime Gateway servers, restart the cluster.
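As an added example that is not part of this guide or the product, the following Python code checks a Domains field against the rules in step 5: it rejects wildcards and malformed names, and, when XMPP communities are planned, reports every domain that lacks an _xmpp-server._tcp SRV record, since one missing record is enough to stop the Google community from connecting. The SRV lookup is injected; nslookup_srv is an assumed helper around the nslookup command, and the sample SRV data is constructed.

```python
"""Check the Domains field of a Sametime Gateway local community (added example).

Rules from step 5: wildcards are not supported, so every complete domain name
is typed out; and when Google Talk or another XMPP community will be
connected, every listed domain needs an SRV record (_xmpp-server._tcp.<domain>),
because a single domain without one prevents the Google community from
connecting. The SRV lookup is injected; nslookup_srv is an assumed helper that
shells out to the nslookup command shown elsewhere in this guide.
"""
import re
import subprocess
from typing import Callable, Dict, List

SrvLookup = Callable[[str], bool]  # SRV owner name -> True if a record exists

_LABEL = re.compile(r"^(?!-)[A-Za-z0-9-]{1,63}(?<!-)$")


def parse_domains_field(field: str) -> List[str]:
    """Split the comma-separated Domains field into individual entries."""
    return [d.strip() for d in field.split(",") if d.strip()]


def syntax_problem(domain: str) -> str:
    """Return '' if the entry is acceptable, otherwise the reason it is not."""
    if "*" in domain:
        return "wildcards are not supported; type the complete domain name"
    labels = domain.rstrip(".").split(".")
    if len(labels) < 2 or not all(_LABEL.match(label) for label in labels):
        return "not a valid fully qualified domain name"
    return ""


def validate_domains(field: str, xmpp_planned: bool,
                     srv_exists: SrvLookup) -> Dict[str, str]:
    """Map each failing domain to its problem; an empty dict means all pass."""
    problems: Dict[str, str] = {}
    for domain in parse_domains_field(field):
        problem = syntax_problem(domain)
        if not problem and xmpp_planned:
            if not srv_exists(f"_xmpp-server._tcp.{domain.rstrip('.')}"):
                problem = "no _xmpp-server._tcp SRV record; XMPP communities cannot connect"
        if problem:
            problems[domain] = problem
    return problems


def nslookup_srv(name: str) -> bool:
    """Assumed helper: run 'nslookup -type=SRV <name>' and look for an answer.

    Matches the 'service =' (Linux) or 'svr hostname' (Windows) answer lines.
    """
    result = subprocess.run(["nslookup", "-type=SRV", name],
                            capture_output=True, text=True)
    return "service =" in result.stdout or "svr hostname" in result.stdout


# Constructed sample SRV data for offline use; not real DNS records.
SAMPLE_SRV = {"_xmpp-server._tcp.acme.com", "_xmpp-server._tcp.us.acme.com"}


def sample_srv_exists(name: str) -> bool:
    """Offline SRV lookup over the constructed sample data."""
    return name in SAMPLE_SRV
```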
Related tasks
“Connecting to a Google Talk community” on page 292
IBM Lotus Sametime Gateway users can exchange instant messages with the
Google Talk community over the Extensible Messaging and Presence Protocol, or
XMPP. To communicate with the Google Talk community, you must first set up a
DNS service (SRV) record and publish it to DNS so that Google Talk users and
local Sametime users can discover each other and establish a connection. This topic
instructs you to create a DNS SRV record first, and then add Google Talk as an
external community.
“Adding external Sametime communities” on page 300
Add an external Sametime community to IBM Lotus Sametime Gateway. You
connect to a Sametime community by specifying domains in the external
community, selecting a translation protocol, and setting the host name, port, and
transport protocol for the external community.
“Connecting to the AOL clearinghouse community” on page 288
Use this procedure to add the AOL clearinghouse community to IBM Lotus
Sametime Gateway. The AOL clearinghouse connects your Sametime users to a
wide community that includes AOL, ICQ, iChat, and other users from AOL
Enterprise Federation Partner communities, including external Sametime
communities. Connect to the AOL clearinghouse community or the AOL
community, but not both, as the former is a superset of the latter.
“Managing trusted IP addresses” on page 443
Whenever you install a server that communicates with an IBM Lotus Sametime
Community Server, you must add the new server's IP address to the Community
Server's settings.
Related reference
“Sametime Gateway communities” on page 534
View the list of communities and use the list as the starting place to set up
communities, assign local users access to external communities, and set properties
on communities. The communities list shows the community name, the type of
community, and the translation protocol used.
“Community properties” on page 537
Use this page to connect IBM Lotus Sametime Gateway to one internal community
and multiple external communities, or to edit the connection properties of an
existing community. Specify the type of community, the domains to use when
accessing the community, the translation protocol that Lotus Sametime Gateway
uses to communicate with the community, connection details, and any custom
properties for the connection or community. After you create a community, use the
Assign local users to this community link to give permission to local users to
access the external or clearinghouse community.
Connecting to instant messaging communities
Add instant messaging communities such as the AOL clearinghouse, AOL Instant
Messenger, Google Talk, XMPP, Office Communications Server, and Yahoo
Messenger to Lotus Sametime Gateway.
About this task
When you set up a connection with AOL, you have the option of connecting with
AOL users only, or connecting with the AOL clearinghouse community that
includes AOL, ICQ, iChat, and other users from AOL Enterprise Federation Partner
communities, including external Sametime communities. IBM recommends that
you do not configure both communities, as users served by the AOL clearinghouse
are a superset of users served by the AOL community. If you set up AOL only, and
later decide to connect with the AOL clearinghouse community, delete the AOL
community first before adding the AOL clearinghouse community to Sametime
Gateway.
Note: Lotus Sametime client users must use the Sametime client version 7.5 or
later when exchanging instant messages and presence information with public
instant messaging providers such as AOL Instant Messenger, Yahoo Messenger,
Office Communications Server, and Google Talk. Pre-7.5 clients are not licensed to
connect with public instant messaging providers. The Sametime server will check
and disable the Add external user checkbox if a client of a lower version is used. It
is the responsibility of the Sametime Gateway administrator to comply with the
licensing agreement.
Registering your Sametime Gateway with AOL and Yahoo!:
The IBM Lotus Sametime Provisioning Application enables you to set up
interoperability with certain public instant messaging services such as Yahoo! and
AOL. The application prompts you for relevant information, validates your
organization's entitlement to use IBM Lotus Sametime Gateway, provides the
information to the instant messaging service, and notifies you when you have been
added by the service.
Before you begin
Attention: The Lotus Sametime Gateway host name's public DNS registration is
required before creating the provisioning request; otherwise the public external
provider might fail to process the provisioning request.
The procedure for registering your Lotus Sametime Gateway depends on how you
acquired Lotus Sametime Standard or Lotus Sametime Advanced:
Related tasks
“Connecting to the AOL clearinghouse community” on page 288
Use this procedure to add the AOL clearinghouse community to IBM Lotus
Sametime Gateway. The AOL clearinghouse connects your Sametime users to a
wide community that includes AOL, ICQ, iChat, and other users from AOL
Enterprise Federation Partner communities, including external Sametime
communities. Connect to the AOL clearinghouse community or the AOL
community, but not both, as the former is a superset of the latter.
If you used IBM Passport Advantage:
If you acquired licenses for IBM Lotus Sametime Standard or Lotus Sametime
Advanced using the IBM Passport Advantage® website, then register your IBM
Lotus Sametime Gateway directly using the Lotus Sametime Provisioning
Application.
Before you begin
Before you begin, collect the following information:
v The primary contact for your site. The primary contact is the person who is
entering into the Passport Advantage or Passport Advantage Express contractual
relationship with IBM on behalf of your company. IBM communicates directly
with this person on issues such as Agreement modification and so forth. This
person may be a procurement or purchasing professional.
v Your Passport Advantage site number.
v Your Lotus Sametime Gateway name. This can be any name that you assign to
Lotus Sametime Gateway.
v Your Lotus Sametime Gateway host name.
v Your Lotus Sametime Gateway port number.
v Your Lotus Sametime Gateway SSL certificate common name.
v Your Lotus Sametime Gateway SSL certificate issuer (VeriSign, Comodo, Thawte,
and so on).
v An email address for you to be notified when provisioned.
v The Sametime community domains that you want to expose to the instant
messaging service.
Procedure
1. Navigate to http://www.ibm.com/software/lotus/sametime/federation to
access the Lotus Sametime Provisioning Application.
2. Type your IBM ID and password:
v If you do not have an IBM ID and password, click the register link. You
receive your web identity when you complete the registration.
v If your web identity is not affiliated with a Passport Online Advantage site,
you will be redirected to a self-nomination site where you should use the
information you collected before starting this procedure. Unless you know
you are the primary contact for your site, please select No when prompted "I
believe I am the Primary Contact for this Site." Once you have completed the
self-nomination form, the Primary Contact for your site must process the
form. When you receive a self-nomination approval by email, go to
http://www.ibm.com/software/lotus/sametime/federation and start the
provisioning process.
Once your web identity is verified, the system checks whether you are a Lotus
Sametime customer that is entitled to deploy the Lotus Sametime Gateway.
3. If you are entitled to deploy Lotus Sametime Gateway, enter the information
needed by the instant messaging service.
4. Submit the provisioning form. After the instant messaging service receives your
information and adds your site, you will receive an email notification from IBM
that you have been provisioned. This can take up to seven business days.
5. Before accessing a public instant messaging service through the Lotus Sametime
Gateway, you are required to agree to the terms of service or end-user license
agreement for such public instant messaging services and IBM is not a party to
any such agreement.
If you did not use IBM Passport Advantage:
If you did not acquire licenses for IBM Lotus Sametime Standard or Lotus
Sametime Advanced through IBM Passport Advantage, then register your IBM
Lotus Sametime Gateway by emailing the required information to the provided
address. For example, if you are an IBM Business Partner or have purchased IBM
Lotus Sametime Standard for Cisco Unified Communications from Cisco or an
authorized Cisco reseller, you must use this procedure.
Before you begin
Send the information below to the following email address:
[email protected]:
Registration Code:
v Registration code
This is available on the Lotus Sametime for Cisco Unified Communications
software DVD. If you are an IBM Business Partner, you can get this code from
your Business Partner representative.
Technical information:
v Gateway host name (the fully qualified domain name of your gateway; for
example: stgateway.company.com)
v The port on which you want to accept incoming TLS/SIP requests (port 5061 is
used by default)
v Gateway certificate common name
v Gateway certificate issuer
v SIP realm to be used (for example: company.com)
v Do you wish to be provisioned for AOL AIM?
v Do you wish to participate in the AOL Clearing House?
v Do you wish to be provisioned for Yahoo Messenger?
Contact information:
v Company Name
v ID or Order # (If IBM Business Partner, use Partnerworld ID #; otherwise, use
Order #)
v Contact first/last name
v Contact email address
v Contact telephone number
v Contact instant messaging address (optional)
Connecting to an AOL community:
Set up a connection by choosing either the AOL instant messenger community or
the AOL clearinghouse community, but not both. The AOL clearinghouse is a
superset of the AOL instant messenger community.
Before you begin
You must set up SSL prior to connecting to an AOL community.
About this task
When you set up a connection with AOL, you have the option of connecting with
AOL users only, or connecting with the AOL clearinghouse community that
includes AOL, ICQ, iChat, and other users from AOL Enterprise Federation Partner
communities, including external Sametime communities. IBM recommends that
you do not configure both communities, as users served by the AOL clearinghouse
are a superset of users served by the AOL community. If you set up AOL only, and
later decide to connect with the AOL clearinghouse community, delete the AOL
community first before adding the AOL clearinghouse community to Sametime
Gateway.
Connecting to the AOL clearinghouse community:
Use this procedure to add the AOL clearinghouse community to IBM Lotus
Sametime Gateway. The AOL clearinghouse connects your Sametime users to a
wide community that includes AOL, ICQ, iChat, and other users from AOL
Enterprise Federation Partner communities, including external Sametime
communities. Connect to the AOL clearinghouse community or the AOL
community, but not both, as the former is a superset of the latter.
Before you begin
You must set up SSL prior to connecting to an AOL clearinghouse community.
Remember that the Lotus Sametime Gateway servers must have access to a DNS
server that can resolve public DNS records (A records, SRV records, and PTR
records). For example, the following commands should be able to resolve
successfully:
nslookup sip.oscar.aol.com
nslookup 64.12.162.248
nslookup -type=all -class=all _xmpp-server._tcp.google.com
Note: IBM recommends that you do not configure both the AOL clearinghouse
and the AOL communities, as users served by the AOL clearinghouse are a
superset of users served by the AOL community. If you set up AOL only, and later
decide to connect with the AOL clearinghouse community, delete the AOL
community first before adding the AOL clearinghouse community to Sametime
Gateway.
Before you add the AOL clearinghouse community, you must establish the local
community, and use the provisioning application to register your Lotus Sametime
with AOL Public Instant Messaging Services.
About this task
Expected state:
v Single server: the Lotus Sametime Gateway server is started.
v Cluster: the Deployment Manager is started, and the node agent and Lotus
Sametime Gateway server are started on at least one node.
Procedure
1. In the Integrated Solutions Console, click Sametime Gateway → Communities.
2. In the table that lists communities, click New.
3. In the Name field, type a logical name for the new clearinghouse community.
4. In the Community Type field, select Clearinghouse.
5. Select a Translation Protocol. Choose SIP for AOL for AOL Clearinghouse
community connections.
6. In the Host Name field, type the following:
sip.oscar.aol.com
7. In the Port field, type the port number. The default port is 5061.
8. Because AOL clearinghouse requires a secure connection, the Transport
protocol is set to TLS, so there is nothing to do.
9. Click OK to save the new community.
10. On the Communities panel, select the name of the community that you
created, scroll to the bottom, and click Assign local users to this community
to assign users access to the AOL clearinghouse community.
11. Restart the Lotus Sametime Gateway server, or, if you have a cluster of Lotus
Sametime Gateway servers, restart the cluster.
12. The following steps are optional, but be sure to restart the Sametime Gateway
servers if you make any changes to the community.
a. Click Custom Properties to include additional IP addresses for AOL
Instant Messenger servers. Sametime Gateway uses these IP addresses to
determine which SIP requests originate from AOL. The Custom properties
link is available only after the community is saved.
b. In the Route properties field, set the maximum sessions for instant
messaging or presence for this community. The session numbers set for
this community cannot exceed the global maximum sessions set for
Sametime Gateway.
c. Select the check box to disable the route to the community.
d. Click the Translation Protocol link to set custom properties for the
translation protocol. The Custom properties links are available only after
the community is saved.
What to do next
For troubleshooting help, see Technote 1317952 on the IBM Lotus Support website
at http://www.ibm.com/support/docview.wss?rs=899&uid=swg21317952.
Related tasks
“Registering your Sametime Gateway with AOL and Yahoo!” on page 286
The IBM Lotus Sametime Provisioning Application enables you to set up
interoperability with certain public instant messaging services such as Yahoo! and
AOL. The application prompts you for relevant information, validates your
organization's entitlement to use IBM Lotus Sametime Gateway, provides the
information to the instant messaging service, and notifies you when you have been
added by the service.
“Adding a local Community Server to Sametime Gateway” on page 283
Connect a local Lotus Sametime Community Server or Lotus Sametime community
cluster to Lotus Sametime Gateway to enable Lotus Sametime users to have instant
messaging with external users.
Related reference
“Sametime Gateway communities” on page 534
View the list of communities and use the list as the starting place to set up
communities, assign local users access to external communities, and set properties
on communities. The communities list shows the community name, the type of
community, and the translation protocol used.
“Community properties” on page 537
Use this page to connect IBM Lotus Sametime Gateway to one internal community
and multiple external communities, or to edit the connection properties of an
existing community. Specify the type of community, the domains to use when
accessing the community, the translation protocol that Lotus Sametime Gateway
uses to communicate with the community, connection details, and any custom
properties for the connection or community. After you create a community, use the
Assign local users to this community link to give permission to local users to
access the external or clearinghouse community.
Connecting to the AOL Instant Messenger community:
Use this procedure to add the AOL Instant Messenger community to IBM Lotus
Sametime Gateway so that your users can exchange instant messages and presence
with AOL Instant Messenger users. Add the AOL community only if you have not
added the AOL clearinghouse community because the AOL clearinghouse is a
superset of the AOL community.
Before you begin
You must set up SSL prior to connecting to an AOL community.
Remember that the Lotus Sametime Gateway servers must have access to a DNS
server that can resolve public DNS records (A records, SRV records, and PTR
records). For example, the following commands should be able to resolve
successfully:
nslookup sip.oscar.aol.com
nslookup 64.12.162.248
nslookup -type=all -class=all _xmpp-server._tcp.google.com
Note: IBM recommends that you do not configure both the AOL clearinghouse
and the AOL communities, as users served by the AOL clearinghouse are a
superset of users served by the AOL community. If you set up AOL only, and later
decide to connect with the AOL clearinghouse community, delete the AOL
community first before adding the AOL clearinghouse community to Sametime
Gateway.
You must establish the local community first before adding an external community.
About this task
Expected state:
• Single server: the Lotus Sametime Gateway server is started.
• Cluster: the Deployment Manager is started, and the node agent and Lotus
Sametime Gateway server are started on at least one node.
Procedure
1. In the Integrated Solutions Console, click Sametime Gateway → Communities.
2. In the table that lists communities, click New.
3. In the Name field, type a logical name for the new community such as AOL
IM.
4. Under Community Type, select External.
5. In the Domains field, type: aol.net, corp.aol.com, aol.com
6. In the Translation Protocol list, select SIP for AOL.
7. In the Host Name field, type sip.oscar.aol.com.
8. In the Port field, type a port number. The default port is 5061.
9. In the Transport protocol field, TLS (Transport Layer Security) is already
selected.
10. Click AOL IM from the list to edit the connection properties.
11. Click OK to save the new community.
12. On the Communities panel, select the name of the community that you
created, scroll to the bottom, and click Assign local users to this community
to assign local users access to the external community.
13. Click Assign local users to this community to assign local users access to the
external community. This link is inoperable until you first save the new
external community.
14. Restart the Lotus Sametime Gateway server. If you have a cluster of servers,
restart the cluster.
15. The following steps are optional, but be sure to restart the Sametime Gateway
servers if you make any changes to the community.
a. Click Custom Properties to include additional TCP/IP addresses for AOL
Instant Messenger servers. Sametime Gateway uses these IP addresses to
determine which SIP requests originate from AOL. When setting up the
community for the first time, the Custom properties links are available
only after the community is saved.
b. In the Route properties field, set the maximum sessions for instant
messaging or presence for this community. The session numbers set for
this community cannot exceed the global maximum sessions set for
Sametime Gateway. If Route properties are not visible, you must connect
to a local community first.
c. Select the check box to disable the route to the community.
d. Click the Translation Protocol link to set custom properties for the
translation protocol. The Custom properties links are available only after
the community is saved.
What to do next
For troubleshooting help, see Technote 1317952 on the IBM Lotus Support website
at http://www.ibm.com/support/docview.wss?rs=899&uid=swg21317952.
Connecting to a Google Talk community:
IBM Lotus Sametime Gateway users can exchange instant messages with the
Google Talk community over the Extensible Messaging and Presence Protocol, or
XMPP. To communicate with the Google Talk community, you must first set up a
DNS service (SRV) record and publish it to DNS so that Google Talk users and
local Sametime users can discover each other and establish a connection. This topic
instructs you to create a DNS SRV record first, and then add Google Talk as an
external community.
Before you begin
Remember that the Lotus Sametime Gateway servers must have access to a DNS
server that can resolve public DNS records (A records, SRV records, and PTR
records). For example, the following commands should be able to resolve
successfully:
nslookup talkz.l.google.com
nslookup 64.12.162.248
nslookup -type=SRV -class=all _xmpp-server._tcp.google.com
Make sure all domains you specified in the internal community are not registered
with "Google Apps." To determine whether a domain is registered with Google
Apps, see the IBM Technote Unable to establish awareness with Google Talk users
through the Sametime Gateway.
Your firewall rules should be set up as described in the "GoogleTalk" section of the
topic, “Opening ports in the firewalls” on page 276.
About this task
Work with your network administrator to set up a DNS SRV record for each
domain defined in your internal community using the following format:
_xmpp-server._tcp.domain name. IN SRV priority weight port target.
For example:
_xmpp-server._tcp.lotus.com. IN SRV 5 0 5269 sttest.lotus.com.
SRV record field    Description

domain name         Wildcards are not allowed. The domain name must end with a
                    period, and it must match the domain name that you used
                    when you added the local Sametime server to the Lotus
                    Sametime Gateway.

priority            Determines the proxy query order when used in a Lotus
                    Sametime Gateway cluster. With multiple SRV records, lower
                    values are queried first.

weight              Determines proportionally how often a proxy is queried when
                    you have multiple SRV records of the same priority in a
                    cluster. Higher values are queried more often: a weight of
                    20 is queried twice as often as one of 10, and a weight of
                    30 three times as often as one of 10.

port                The port on which this service is found. Use port 5269.

target              Fully qualified host name of the machine running the Lotus
                    Sametime Gateway. The target must end with a period. For
                    example: sttest.lotus.com.
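As an added example that is not part of the IBM guide, the following Python parses zone lines of the form shown above, checks them against the rules in the table, and shows how priority and weight steer the query order when several records exist. Host names other than the guide's sttest.lotus.com are constructed.

```python
"""Check _xmpp-server._tcp SRV zone lines and model priority/weight selection.

Added example (not IBM code). The format rules come from the table above; the
selection logic follows the usual SRV behaviour the table describes: lowest
priority first, then weighted random choice within that priority.
"""
import random
import re
from dataclasses import dataclass

XMPP_SERVER_PREFIX = "_xmpp-server._tcp."
XMPP_S2S_PORT = 5269          # the port the topic requires for XMPP server-to-server


@dataclass(frozen=True)
class SrvRecord:
    owner: str                # e.g. "_xmpp-server._tcp.lotus.com."
    priority: int
    weight: int
    port: int
    target: str               # e.g. "sttest.lotus.com."


# owner IN SRV priority weight port target  (the format shown in the topic)
_ZONE_LINE = re.compile(r"^(\S+)\s+IN\s+SRV\s+(\d+)\s+(\d+)\s+(\d+)\s+(\S+)$")


def parse_srv(line: str) -> SrvRecord:
    """Parse one zone-file line into an SrvRecord; raise on anything else."""
    m = _ZONE_LINE.match(line.strip())
    if not m:
        raise ValueError(f"not an SRV zone line: {line!r}")
    owner, prio, weight, port, target = m.groups()
    return SrvRecord(owner, int(prio), int(weight), int(port), target)


def validate_xmpp_srv(rec: SrvRecord, local_domains) -> list[str]:
    """Return the rule violations for a record (an empty list means it is acceptable)."""
    problems = []
    if not rec.owner.startswith(XMPP_SERVER_PREFIX):
        problems.append("owner must begin with _xmpp-server._tcp.")
    if "*" in rec.owner:
        problems.append("wildcards are not allowed in the domain name")
    if not rec.owner.endswith("."):
        problems.append("domain name must end with a period")
    if not rec.target.endswith("."):
        problems.append("target must end with a period")
    if rec.port != XMPP_S2S_PORT:
        problems.append(f"port must be {XMPP_S2S_PORT}")
    # The domain part must be one of the domains defined in the internal community.
    domain = rec.owner[len(XMPP_SERVER_PREFIX):].rstrip(".")
    if domain not in local_domains:
        problems.append("domain is not one of the local community's domains")
    return problems


def select_target(records, rng) -> str:
    """Pick one target: lowest priority wins; within that group, weighted random."""
    best = min(r.priority for r in records)
    group = [r for r in records if r.priority == best]
    weights = [r.weight for r in group]
    if sum(weights) == 0:                     # all-zero weights: choose uniformly
        return rng.choice(group).target
    return rng.choices(group, weights=weights, k=1)[0].target


def query_share(records, trials=6000, seed=1) -> dict:
    """Count how often each target is selected over many simulated queries."""
    rng = random.Random(seed)
    counts: dict = {}
    for _ in range(trials):
        t = select_target(records, rng)
        counts[t] = counts.get(t, 0) + 1
    return counts


if __name__ == "__main__":
    local = {"lotus.com", "ibm.com"}
    rec = parse_srv("_xmpp-server._tcp.lotus.com. IN SRV 5 0 5269 sttest.lotus.com.")
    print(rec, validate_xmpp_srv(rec, local) or "OK")
    # Constructed cluster: two gateways at priority 5 with weights 20 and 10,
    # plus a priority-10 record that is only used if the others are absent.
    cluster = [
        parse_srv("_xmpp-server._tcp.lotus.com. IN SRV 5 20 5269 gw1.lotus.com."),
        parse_srv("_xmpp-server._tcp.lotus.com. IN SRV 5 10 5269 gw2.lotus.com."),
        parse_srv("_xmpp-server._tcp.lotus.com. IN SRV 10 100 5269 backup.lotus.com."),
    ]
    print(query_share(cluster))
```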
Expected state: the Lotus Sametime Gateway single server or cluster is started.
Procedure
1. Create an individual DNS SRV record (_xmpp-server._tcp) for each domain
name that you will support.
For example, you might support two local domain names, called lotus.com
and ibm.com®. For each of the domain names you want to support, you must
create an individual DNS SRV record. The records will be identical except for
the domain name field's value.
2. Verify that the DNS SRV record that you added to DNS is correct by using the
nslookup command:
a. Open a command window and run nslookup.
b. Type set type=SRV.
c. Type set class=IN.
d. Search for the _xmpp-server._tcp record using the supported domains added in
the previous step.
Using the example above, you enter _xmpp-server._tcp.lotus.com and repeat
the search for _xmpp-server._tcp.ibm.com. Using lotus.com, the full
command and returned value appear as follows:
nslookup> set type=SRV
> set class=IN
> _xmpp-server._tcp.lotus.com.
Make sure the correct host name and IP address of the Sametime Gateway server
are returned. The following is an example only:
Server:  sbydns01.srv.ibm.com
Address:  9.0.4.1

Non-authoritative answer:
_xmpp-server._tcp.lotus.com   SRV service location:
          priority       = 5
          weight         = 0
          port           = 5269
          svr hostname   = sttest.lotus.com
lotus.com         nameserver = wtf-ns1.lotus.com
lotus.com         nameserver = wtf-ns2.lotus.com
lotus.com         nameserver = ns0.lotus.com
sttest.lotus.com  internet address = 129.42.249.45
>
3. In the Integrated Solutions Console, click Sametime Gateway → Communities.
4. In the table that lists communities, click New.
5. In the Name field, type Google Talk.
6. Under Community Type, select External.
7. In the Domains field, type gmail.com.
8. Select XMPP as the Translation Protocol.
9. Ignore the host name. XMPP uses the fully qualified domain name of the host
as specified in the target field of the DNS SRV record instead.
10. In the Port field, type 5269.
11. In the Transport protocol field, select TCP. TCP is the only transport protocol
for Google Talk.
12. Click OK to save the new community.
13. On the Communities panel, select the name of the community that you
created, scroll to the bottom, and click Assign local users to this community
to assign local users access to the external community. By default all users can
access the external community.
14. The following substeps are optional:
a. In the Route properties field, set the maximum sessions for instant
messaging or presence for this community. The session numbers set for
this community cannot exceed the global maximum sessions set for
Sametime Gateway. If Route properties are not visible, you must connect
to a local community first.
b. Select the check box if you ever need to disable the route to the
community.
c. Click the Translation Protocol link to set custom properties for the
translation protocol. The Custom properties links are available only after
the community is saved.
15. Restart the Sametime Gateway server.
What to do next
IP addresses associated with talky.l.google.com and talkz.l.google.com change
occasionally. Work with your network administrator to actively monitor DNS and
update the firewall rules to accommodate new IP addresses.
For troubleshooting help, see Technote 1316296 on the IBM Lotus Support website
at http://www.ibm.com/support/docview.wss?rs=899&uid=swg21316296.
Related tasks
“Adding a local Community Server to Sametime Gateway” on page 283
Connect a local Lotus Sametime Community Server or Lotus Sametime community
cluster to Lotus Sametime Gateway to enable Lotus Sametime users to have instant
messaging with external users.
Connecting to an Office Communications Server community:
Connect to an Office Communications Server community so that your users can
exchange instant messages with Microsoft Communicator users.
Before you begin
You must establish the local community first before adding an Office
Communications Server community. Setting up SSL is also a prerequisite for
connecting to an Office Communications Server community.
Remember that the IBM Lotus Sametime Gateway servers must have access to a
DNS server that can resolve public DNS records (A records, SRV records, and PTR
records). For example, the following commands should be able to resolve
successfully:
nslookup sip.oscar.aol.com
nslookup 64.12.162.248
nslookup -type=all -class=all _xmpp-server._tcp.google.com
[OCS Edge Server]
Expected state:
• Single server: the Lotus Sametime Gateway server is started.
• Cluster: the Deployment Manager is started, and the node agent and Lotus
Sametime Gateway server are started on at least one node.
About this task
The stage needs to be set just so.
Procedure
1. In the Integrated Solutions Console, click Sametime Gateway → Communities.
2. In the table that lists communities, click New.
3. In the Name field, type a logical name for the new community.
4. Under Community Type, select External.
5. In the Domains field, type the domain names of the Office Communications
Server community. For example: ocs.acme.com.
6. Select SIP for OCS as the translation protocol.
7. In the Host Name field, type the host name or the IP address of the OCS Edge
Server.
8. In the Port field, type a port number. The default port is 5061.
9. In the Transport protocol field, TLS (Transport Layer Security) is already
selected.
10. Click OK to save the new community.
11. Click Sametime Gateway → Communities → ocs_community_name. Under
Additional properties, click Custom properties, and then click New.
12. In the Name field type com.ibm.sametime.gateway.fqdn.
13. In the Value field type the gateway's fully qualified domain name. For
example: ocs2stgw.acme.com.
14. Click OK to save the new custom property.
15. Click New again.
16. In the Name field type com.ibm.sametime.gateway.port.
17. In the Value field type the gateway's port. For example: 5061.
18. Click OK to save this new custom property.
19. On the Communities panel, select the name of the community that you
created, scroll to the bottom, and click Assign local users and capabilities to
assign users access to the external community.
20. Restart the Lotus Sametime Gateway server. If you have a cluster of servers,
restart the cluster.
21. The following steps are optional, but be sure to restart the Lotus Sametime
Gateway servers if you make any changes to the community.
a. Click Custom Properties to include additional host names for OCS edge
servers. Lotus Sametime Gateway uses these IP addresses to determine
which SIP requests originate from Office Communications Server. When
setting up the community for the first time, the Custom properties links
are available only after the community is saved.
Connecting to a Yahoo! Messenger community:
Connect to the Yahoo! Messenger community so that your users can exchange
instant messages with Yahoo! Messenger users.
Before you begin
You must set up SSL and establish the local community first before adding the
Yahoo! Messenger community.
Remember that the Lotus Sametime Gateway servers must have access to a DNS
server that can resolve public DNS records (A records, SRV records, and PTR
records). For example, the following commands should be able to resolve
successfully:
nslookup sip.oscar.aol.com
nslookup 64.12.162.248
nslookup -type=all -class=all _xmpp-server._tcp.google.com
About this task
Expected state:
• Single server: the Lotus Sametime Gateway server is started.
• Cluster: the Deployment Manager is started, and the node agent and Lotus
Sametime Gateway server are started on at least one node.
Procedure
1. In the Integrated Solutions Console, click Sametime Gateway → Communities.
2. In the table that lists communities, click New.
3. In the Name field, type a logical name for the new community.
4. Under Community Type, select External.
5. In the Domains field, type the following domain names: yahoo.com,
ymail.com, rocketmail.com, ameritech.net, btinternet.com, btopenworld.com,
demobroadband.com, flash.net, nl.rogers.com, nvbell.net, ort.nl.rogers.com,
ort.rogers.com, pacbell.net, prodigy.net, rogers.com, sbcglobal.net, snet.net,
swbell.net, uat.nl.rogers.com, uat.rogers.com, verizon.net, wans.net
Notes
• When adding Yahoo! domains, do not use Yahoo domains other than
yahoo.com and the partner domains listed above. Yahoo domains such as
yahoo.ca and yahoo.co.uk are not supported. For example, when a user
wants to add an external contact such as [email protected], the user must
enter the contact as [email protected]
• Sametime users cannot add Yahoo Japan email addresses using the email
address domain yahoo.co.jp. Yahoo Japan is a separate company whose
network is completely separate from Yahoo.com.
6. Select SIP for Yahoo as the translation protocol.
7. In the Host Name field, type iopibm.msg.yahoo.com.
8. In the Port field, type a port number. The default port is 5061.
9. In the Transport protocol field, TLS (Transport Layer Security) is already
selected.
10. Click OK to save the new community.
11. Click the Yahoo! Messenger community name from the list to edit its
properties if necessary.
12. Click OK to save the new community.
13. On the Communities panel, select the name of the community that you
created, scroll to the bottom, and click Assign local users to this community
to assign users access to the external community.
14. Restart the Lotus Sametime Gateway server. If you have a cluster of servers,
restart the cluster.
15. The following steps are optional, but be sure to restart the Sametime Gateway
servers if you make any changes to the community.
a. Click Custom Properties to include additional host names for Yahoo!
Messenger servers. Sametime Gateway uses these IP addresses to
determine which SIP requests originate from Yahoo! Messenger. When
setting up the community for the first time, the Custom properties links
are available only after the community is saved.
b. In the Route properties field, set the maximum sessions for instant
messaging or presence for this community. The session numbers set for
this community cannot exceed the global maximum sessions set for
Sametime Gateway. If Route properties are not visible, you must connect
to a local community first.
c. Select the check box to disable the route to the community.
d. Click the Translation Protocol link to set custom properties for the
translation protocol. The Custom properties links are available only after
the community is saved.
What to do next
For troubleshooting help, see Technote 1317952 on the IBM Lotus Support website
at http://www.ibm.com/support/docview.wss?rs=899&uid=swg21317952.
Connecting to an XMPP community:
IBM Lotus Sametime Gateway users can exchange instant messages with an XMPP
community over the Extensible Messaging and Presence Protocol, or XMPP.
Before you begin
You must set up SSL and establish the local community first before adding the
XMPP community.
Remember that the Lotus Sametime Gateway servers must have access to a DNS
server that can resolve public DNS records (A records, SRV records, and PTR
records). For example, the following commands should be able to resolve
successfully:
nslookup sip.oscar.aol.com
nslookup 64.12.162.248
nslookup -type=all -class=all _xmpp-server._tcp.google.com
About this task
Expected state:
• Single server: the Lotus Sametime Gateway server is started.
• Cluster: the Deployment Manager is started, and the node agent and Lotus
Sametime Gateway server are started on at least one node.
Procedure
1. In the Integrated Solutions Console, click Sametime Gateway → Communities.
2. In the table that lists communities, click New.
3. In the Name field, type a logical name for the new community.
4. Under Community Type, select External.
5. In the Domains field, type the domains provided by the XMPP community.
Attention: Wildcards are not supported in this field; you must type each
complete domain name.
6. Select XMPP as the translation protocol.
When you select XMPP as your protocol, the Host Name field defaults to
"Localhost" while Lotus Sametime Gateway resolves the domain value that you
entered in step 5; once the domain is resolved, an appropriate value is entered
automatically into the Host Name field.
7. In the Port field, the default port is 5269.
8. In the Transport protocol field, select TCP (Transmission Control Protocol) or
TLS (Transport Layer Security).
9. Click OK to save the new community.
10. On the Communities panel, select the name of the community that you
created, scroll to the bottom, and click Assign local users to this community
to assign local users access to the external community.
11. Restart the Lotus Sametime Gateway server. If you have a cluster of servers,
restart the cluster.
12. The following steps are optional, but be sure to restart the Sametime Gateway
servers if you make any changes to the community.
a. Click Custom Properties to include additional host names for XMPP
servers. Sametime Gateway uses these IP addresses to determine which
XMPP requests originate from this community. Note that the Custom
properties link is available only after the community is saved.
b. In the Route properties field, set the maximum sessions for instant
messaging or presence for this community. The session numbers set for
this community cannot exceed the global maximum sessions set for
Sametime Gateway. If Route properties are not visible, you must connect
to a local community first.
c. Select the check box to disable the route to the community.
d. Click the Translation Protocol link to set custom properties for the
translation protocol. The Custom properties links are available only after
the community is saved.
What to do next
For troubleshooting help, see Technote 1316296 on the IBM Lotus Support website
at http://www.ibm.com/support/docview.wss?rs=899&uid=swg21316296.
Managing external watching:
The Sametime server allows external watching: an external user can add a
Sametime user to a contact list and watch that user's status while the Sametime
user is unaware of being watched. The server can, however, be configured to
require the watched user's consent.
Configuring user consent
Instant messaging users from commercial IM providers such as Yahoo and Google
can watch the status of internal Sametime users unless the server is configured to
manage this functionality through the 'user consent' feature. When the server is
configured to require permission from the Sametime user, the Sametime user sees a
pop-up window asking for permission for the external user to watch the Sametime
user's status. The Sametime user can give or withhold consent.
To require an external IM watcher to obtain permission from the 'watched' person,
follow these steps:
1. Open the sametime.ini file.
2. In the [Config] section, add:
AWARENESS_EXTERNAL_NEED_PERMISSION=1
3. Shut down and restart the Sametime server to effect the change.
By default, the configuration flag is set to 0.
When the server is configured to require permission from the Sametime user, the
Sametime user sees a popup window requesting permission for the external user
to watch the Sametime user's status. The Sametime user can approve or decline.
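The following Python helper is an added example, not part of the guide or the product: it makes the sametime.ini change above idempotently (so it can be re-run as a check) and reports whether a given file already requires consent. The file contents used as input are constructed; configparser is deliberately avoided because it lowercases keys and rewrites unrelated lines.

```python
"""Enforce AWARENESS_EXTERNAL_NEED_PERMISSION=1 in the [Config] section of sametime.ini.

Added example (not IBM code). Works on the file text line by line so that every
other line, including VPS_NAME, is preserved exactly. An absent flag is treated
as 0, which the topic states is the default.
"""
KEY = "AWARENESS_EXTERNAL_NEED_PERMISSION"
SECTION = "[Config]"


def _is_section_header(line: str) -> bool:
    s = line.strip()
    return s.startswith("[") and s.endswith("]")


def _key_of(line: str) -> str:
    return line.split("=", 1)[0].strip().upper()


def external_watch_requires_permission(ini_text: str) -> bool:
    """True only when [Config] carries KEY=1; anything else means external watching is open."""
    in_config = False
    for line in ini_text.splitlines():
        if _is_section_header(line):
            in_config = line.strip().lower() == SECTION.lower()
        elif in_config and "=" in line and _key_of(line) == KEY:
            return line.split("=", 1)[1].strip() == "1"
    return False


def require_external_watch_permission(ini_text: str) -> str:
    """Return ini_text with KEY=1 inside [Config], creating the section if needed."""
    out, in_config, seen_config, done = [], False, False, False
    for line in ini_text.splitlines():
        if _is_section_header(line):
            if in_config and not done:          # leaving [Config] without the key: add it
                out.append(f"{KEY}=1")
                done = True
            in_config = line.strip().lower() == SECTION.lower()
            seen_config = seen_config or in_config
        elif in_config and "=" in line and _key_of(line) == KEY:
            if done:                            # drop duplicate occurrences of the key
                continue
            line = f"{KEY}=1"                   # rewrite 0 (or any other value) to 1
            done = True
        out.append(line)
    if not done:                                # [Config] was last, or missing entirely
        if not seen_config:
            out.append(SECTION)
        out.append(f"{KEY}=1")
    trailing = "\n" if ini_text.endswith("\n") else ""
    return "\n".join(out) + trailing


# Constructed sample sametime.ini fragment with the flag at its default of 0.
SAMPLE_INI = (
    "[Debug]\n"
    "VP_TRACE_ALL=0\n"
    "\n"
    "[Config]\n"
    "VPS_NAME=CN=st1/O=acme\n"
    f"{KEY}=0\n"
)

if __name__ == "__main__":
    print("consent required before:", external_watch_requires_permission(SAMPLE_INI))
    fixed = require_external_watch_permission(SAMPLE_INI)
    print("consent required after: ", external_watch_requires_permission(fixed))
    print(fixed)
```

Restart the Sametime server after writing the returned text back to sametime.ini, as step 3 above requires.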
Connecting to external Sametime communities
Connect to external Sametime communities by working, if necessary, with an
administrator from an external community to prepare the external Sametime server
and by then adding the external Sametime community to your list of communities.
Preparing external Sametime servers:
This topic presents general information on steps needed to configure Sametime
servers versions 6.5.1 or 7.0 that exist in external communities. Work with the
external community's administrator to prepare the legacy Sametime server for
Sametime Gateway communications. For example, if your local Sametime server is
a member of widgets.com, and you want to connect to an external Sametime 6.5.1
server at acme.com, you may want to know the steps required to set up the
external Sametime server to have instant messaging and presence with your Lotus
Sametime Gateway.
Procedure
1. If the external community's Sametime server is version 6.5.1, or 7.0, the external
community must enable the Sametime SIP Gateway on the server. See the
chapter "Enabling the SIP Gateway" in the Sametime Server Administration
Guide.
2. The latest patches and Cumulative Fix Packs must be installed on the external
community's Sametime server. Go to Lotus Sametime Product Support to
download the latest support files for the external Sametime server.
Adding external Sametime communities:
Add an external Sametime community to IBM Lotus Sametime Gateway. You
connect to a Sametime community by specifying domains in the external
community, selecting a translation protocol, and setting the host name, port, and
transport protocol for the external community.
Before you begin
You must add the local Sametime community first before adding an external
community. In addition, if you are not connecting to a Sametime 7.5 or later server
using its own Lotus Sametime Gateway, be sure that the external Sametime 6.5.1 or
7.0 server has the Sametime SIP Gateway enabled. Finally, confirm that the external
Sametime server and Lotus Sametime Gateway have the latest fixes installed.
About this task
Expected state:
• Single server: the local Lotus Sametime Gateway server is started.
• Cluster: the Deployment Manager is started, and the node agent and a Lotus
Sametime Gateway server are started on at least one node.
Procedure
1. In the Integrated Solutions Console, click Sametime Gateway → Communities.
2. In the table that lists communities, click New.
3. In the Name field, type a name for the new community.
4. Under Community Type, select External.
5. In the Domains field, type the fully qualified domain names in which users
are found in the external community. Each domain name must access the
same user directory. For example: acme.com, us.acme.com, fr.acme.com, and
uk.acme.com must all be linked by a common user directory to be in the
community. Obtain this information from the system administrator in the
external community.
6. Select a Translation Protocol:
   Option                             Description
   SIP for Sametime Gateway           Use for connections to Lotus Sametime Gateway
                                      version 7.5 or later communities.
   SIP for legacy Sametime Gateway    Use for Lotus Sametime version 7.0 or 6.5.1
                                      communities.
7. In the Host Name field, type the name of the external real-time
communication server, for example ExampleServer1.com.
Note: If the host name is an IPv6–format network address, set an explicit
address here; do not use an abbreviated address (no brackets, no leading
zeroes). For example, all of these IPv6–format network addresses are
equivalent, but only the first form is accepted:
• 1:2:0:0:0:6:7:8 [acceptable]
• 1:2::6:7:8 [do not use this abbreviated format]
• 01:2:0:0:0:006:0007:8 [do not use leading zeroes]
8. In the Port field, type the port number (the default port number is 5061).
The port you use is dependent on the Transport protocol you select in the
next step:
• TLS uses port 5061
• TCP uses port 5060
9. In the Transport protocol field, select TLS (Transport Layer Security) or TCP
(Transmission Control Protocol).
If you select TLS as the protocol, you must set up SSL with a certificate signed
by a Certificate Authority and exchange trusted certificates with the external
community.
10. Click OK to save the new community. Note that you can't assign users to the
community until you save the community.
11. On the Communities panel, select the name of the community that you
created, scroll to the bottom, and click Assign local users to this community
to assign local users access to the external community.
12. Restart the Lotus Sametime Gateway server. If you have a cluster of Lotus
Sametime Gateway servers, restart the cluster.
13. The following steps are optional:
a. In the Route properties field, set the maximum sessions for instant
messaging or presence for this community. The session numbers set for
this community cannot exceed the global maximum sessions set for
Sametime Gateway. If Route properties are not visible, you must connect
to a local community first.
b. Select the check box to disable the route to the community.
c. Click the Translation Protocol link to set custom properties for the
translation protocol. The Custom properties links are available only after
the community is saved.
d. Click Custom Properties to set additional properties for the community.
The Custom properties links are available only after the community is
saved.
Related tasks
“Adding a local Community Server to Sametime Gateway” on page 283
Connect a local Lotus Sametime Community Server or Lotus Sametime community
cluster to Lotus Sametime Gateway to enable Lotus Sametime users to have instant
messaging with external users.
Related reference
“Sametime Gateway communities” on page 534
View the list of communities and use the list as the starting place to set up
communities, assign local users access to external communities, and set properties
on communities. The communities list shows the community name, the type of
community, and the translation protocol used.
“Community properties” on page 537
Use this page to connect IBM Lotus Sametime Gateway to one internal community
and multiple external communities, or to edit the connection properties of an
existing community. Specify the type of community, the domains to use when
accessing the community, the translation protocol that Lotus Sametime Gateway
uses to communicate with the community, connection details, and any custom
properties for the connection or community. After you create a community, use the
Assign local users to this community link to give permission to local users to
access the external or clearinghouse community.
Preventing communication with external communities:
You can prevent external users from communicating with a particular IBM Lotus
Sametime community by creating an exclusion list. The Lotus Sametime Gateway
server will deny external communication requests for users hosted on all servers
and clusters specified on the list.
Before you begin
This feature requires you to define a Home Server (cluster) for all users within the
targeted community, so that the Lotus Sametime Gateway server can determine
whether the user belongs to a community on the exclusion list. For information on
defining a user's Home Server, see Forcing users to connect to a home server.
About this task
An exclusion list is a list of clusters (for a stand-alone Lotus Sametime server, the
cluster name is the server name) deployed within a local Lotus Sametime
community; you define the list as a Lotus Sametime Gateway custom property. Use
the exclusion list to prohibit external users from communicating with users in a
community hosted on one of the specified clusters. Subscribe (awareness) and chat
(instant messaging) requests from all external users to local users hosted on the
clusters listed on the exclusion list are rejected by the Lotus Sametime Gateway
server. You enable this feature with the custom property called "Sametime
community exclusion list".
For example, suppose the Example Corporation has two distributed Lotus
Sametime clusters, called eu.acme.com (Europe) and usa.acme.com (USA). In
addition, Lotus Sametime Gateway is installed on gw.acme.com.
On the Lotus Sametime Gateway server (gw.acme.com), there is an exclusion list
containing "eu.acme.com" – this prevents the Lotus Sametime Gateway server from
connecting to any servers in the eu.acme.com cluster. When an external user
(outside of Example Corporation; for example, on AOL) adds a user hosted on
eu.acme.com to her contact list, the subscribe request is routed to the Lotus
Sametime Gateway server, which denies the request because it cannot access users
in that cluster. In this example, the usa.acme.com cluster does not appear on the
exclusion list, so the external user can access people in that cluster.
Follow these steps to define an exclusion list. For details see Adding custom
properties.
Procedure
1. Log in to the Integrated Solutions Console as a Lotus Sametime Gateway
administrator.
2. Click Sametime Gateway → Communities.
3. Select the local community for which you want to define an exclusion list.
4. In the Name field, type: Sametime community exclusion list as the name of
the new property.
5. In the Value field, type the list of excluded servers and clusters.
Type the server names and cluster names as a list using any of these characters
to separate names:
• comma ,
• semicolon ;
• space
Cluster names must appear as defined in the Cluster Document; for more
information, see "Creating a cluster document in the Configuration database".
Standalone server names must appear as they are defined in the sametime.ini
file's VPS_NAME property (for example, CN=st1/O=acme).
6. Click OK.
7. Restart the Lotus Sametime Gateway server so your changes can take effect. If
the server was previously connected to Lotus Sametime servers that are now
excluded, restart those servers as well.
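As an added example that is not IBM's implementation (the gateway's routing code is not on the page), the following Python parses a "Sametime community exclusion list" value with the three documented separators and applies the stated rule to constructed external requests for the Example Corporation deployment above. Treating a user whose home server is unknown as excluded is this example's fail-closed choice, not documented product behaviour.

```python
"""Parse the exclusion-list custom property and apply it to external requests.

Added example (not IBM code). The rule implemented is the one the topic states:
subscribe (awareness) and chat requests from external users to local users whose
home server or cluster is on the list are rejected; everything else passes.
"""
import re

# Comma, semicolon or space may separate names in the Value field.
_SEPARATORS = re.compile(r"[,;\s]+")


def parse_exclusion_list(value: str) -> frozenset:
    """Return the set of excluded cluster and stand-alone server names."""
    return frozenset(name for name in _SEPARATORS.split(value) if name)


def external_request_allowed(home_server, excluded: frozenset) -> bool:
    """Decide one external SUBSCRIBE or chat request for a local user.

    Names must appear exactly as in the Cluster Document or VPS_NAME, so the
    comparison is exact and case-sensitive. A missing home server is rejected
    here (fail closed); the feature requires every user to have one.
    """
    if not home_server:
        return False
    return home_server not in excluded


def route(requests, excluded: frozenset) -> list:
    """Return (recipient, decision) pairs for a batch of external requests."""
    decisions = []
    for req in requests:
        allowed = external_request_allowed(req["home"], excluded)
        decisions.append((req["to"], "forwarded" if allowed else "rejected"))
    return decisions


# Constructed property value: the eu.acme.com cluster from the topic plus a
# stand-alone server named by its VPS_NAME, separated by a semicolon and space.
EXCLUSION_LIST_VALUE = "eu.acme.com; CN=st1/O=acme"

# Constructed requests arriving at gw.acme.com from external communities.
SAMPLE_REQUESTS = [
    {"method": "SUBSCRIBE", "from": "pat@aol.com",   "to": "anna@acme.com", "home": "eu.acme.com"},
    {"method": "MESSAGE",   "from": "pat@aol.com",   "to": "bob@acme.com",  "home": "usa.acme.com"},
    {"method": "SUBSCRIBE", "from": "sam@gmail.com", "to": "cy@acme.com",   "home": "CN=st1/O=acme"},
    {"method": "MESSAGE",   "from": "sam@gmail.com", "to": "dee@acme.com",  "home": None},
]

if __name__ == "__main__":
    excluded = parse_exclusion_list(EXCLUSION_LIST_VALUE)
    for recipient, decision in route(SAMPLE_REQUESTS, excluded):
        print(f"{recipient:16} {decision}")
```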
Related reference
“Custom properties details” on page 548
Use this page to edit custom properties for a community, translation protocol, or
message handler. You can also specify new properties that are needed to configure
third-party elements used by the IBM Lotus Sametime Gateway.
Providing a port number to external communities
The procedures describe how to obtain and update the port number that the SIP
container uses to communicate with external communities. You want to provide
the port number to external communities so they can use the same port. You may
also need to change the TLS port number that Lotus Sametime Gateway uses.
Providing a port number to external communities for single server installations:
These steps describe how to obtain and update the port number that the SIP
container uses to communicate with external communities. You want to provide
the port number to external communities so they can use the same port. You may
also need to change the TLS port number that the Lotus Sametime Gateway uses.
Before you begin
This procedure assumes that you have installed the Lotus Sametime Gateway.
About this task
A standalone Lotus Sametime Gateway server uses a SIP container port that is, by
default, 5061 for Transport Layer Security (TLS). Therefore, if an external
community wants to connect to Lotus Sametime Gateway, the external community
must define port 5061. Check the SIP_DEFAULTHOST_SECURE parameter to
verify the TLS port for the SIP container service.
Expected state: the Lotus Sametime Gateway server is started.
Procedure
1. To obtain the port number used by a single Lotus Sametime Gateway server, in
the Integrated Solutions Console:
a. Click Servers → Application servers → server_name, where server_name is the
name of the Lotus Sametime Gateway server.
b. Under Communication, click Ports.
c. Look for the port number in SIP_DEFAULTHOST_SECURE and make a
note of this number.
2. Check that the port number is added to the Default Virtual Host. The port is
added by default, but you may need to update the default virtual host if you
change the ports:
a. Click Environment → Virtual Hosts → default_host → Host Aliases.
b. Click New and type a new port number if the port does not exist.
c. Click OK, and then Save, and Save again.
What to do next
Now you can provide a port number to external communities.
Providing port numbers to external communities for clusters:
These steps describe how to obtain and update the port numbers that the SIP and
XMPP proxy servers use to communicate with external communities. You want to
provide the port numbers to external communities so they can use the same ports.
You may also need to change the TLS/SSL port number that Lotus Sametime
Gateway uses.
Before you begin
This procedure assumes that you have installed Lotus Sametime Gateway, have
created a cluster, and have installed and configured a SIP and XMPP proxy server.
About this task
By default, the SIP proxy uses port 5061 over TLS/SSL, and the XMPP proxy
server uses port 5269 for SSL and non-SSL connections.
Expected state: the Deployment Manager is started.
Procedure
1. To obtain the port numbers used by the Lotus Sametime Gateway cluster:
a. In the Integrated Solutions Console, click Servers → Proxy servers →
SIPProxyServer.
b. Under Communication, click Ports.
c. Look for the port number in PROXY_SIPS_ADDRESS and make a note of
this number.
2. Click Application Servers → Server Name and, under the Communications
section, click Ports to view the port number for XMPP_SERVER_ADDRESS.
Make a note of this number.
3. Check that the ports are added to the Default Virtual Host. The ports are added
by default, but you may need to update the default virtual host if you change
the ports:
a. Click Environment → Virtual Hosts → default_host → Host Aliases.
b. Click New and type a new port number if the port does not exist.
c. Click OK, and then Save, and Save again.
What to do next
The port number in combination with the DNS name of the node on which the SIP
and XMPP proxy servers run is needed for configuring external instant messaging
communities to connect to your Lotus Sametime Gateway.
Adding external contacts to the Sametime Connect Contacts List
After you install and configure Lotus Sametime Gateway, and add an external
community or clearinghouse community, your users can add external contacts to
their Sametime Contact List. Give these instructions to your Sametime users so
they will know how to add external contacts to their Contact List.
Procedure
1. In the Sametime Connect client, click File → Add → Contact.
2. Select the Add external user by email address check box.
3. Type the external contact's email address.
4. Select an existing group, or type a new group name, in the Add to group field.
5. Click Add.
What to do next
Note: When adding Yahoo! Messenger users, use the yahoo.com domain, even if
the Yahoo user's email domain is different. For example, if the external contact is
[email protected], enter the contact as [email protected]. Similarly, if a Yahoo
user's email is [email protected], enter the contact as [email protected]. Note
that users who have Yahoo Japan email addresses using the domain yahoo.co.jp
cannot use Lotus Sametime Gateway. Yahoo Japan is a separate company whose
network is completely separate from Yahoo.com.
Installing and configuring event logging
The Lotus Sametime Software Developer Kit includes a sample ear file that you
can install to view the event log. The event log may contain content logging,
instant messaging logging, or subscription logging events, depending on what you
enable.
Before you begin
The event logging feature is available only for a clustered deployment. When you
configure the Lotus Sametime Gateway cluster, the Common Event Infrastructure
data source is installed automatically on IBM AIX, Linux, Microsoft Windows, and
Solaris. If you are using IBM i, you must install this data source yourself before
you can enable event logging.
About this task
For complete details regarding functionality and how to read the logging codes in
the event log, see the Lotus Sametime Gateway Integration Guide included in the
Lotus Sametime Software Development Kit.
Creating an activation specification for event logging
Before you install the Lotus Sametime Gateway samples ear file that is available
from the Lotus Sametime Software Developer's Kit, you must create an activation
specification in WebSphere Application Server. The samples ear file contains an
application that makes reading the event log possible.
Before you begin
The event logging feature is available only for a clustered deployment. When you
configure the Lotus Sametime Gateway cluster, the Common Event Infrastructure
data source is installed automatically on IBM AIX, Linux, Microsoft Windows, and
Solaris. If you are using IBM i, you must install this data source yourself before
you can enable event logging.
About this task
Follow these steps to create an activation specification.
Procedure
1. From the Integrated Solutions Console, click Service Integration → Buses.
2. Select CommonEventInfrastructure_Bus, and then click Destinations.
3. Select the destination with one of the following names:
• Single server installation:
node.server.CommonEventInfrastructureTopicDestination where node is the
node name and server is the Lotus Sametime Gateway server name.
• Cluster: cluster_name.CommonEventInfrastructureTopicDestination where
cluster_name is the name of the cluster.
4. Click Publication Points.
5. Using a text editor, copy and paste the long name for use later. For example
(the following is all on one line but split over two lines here for printing
purposes):
dibby.RTCGWServer.CommonEventInfrastructureTopic
Destination@dibby.RTCGWServer-CommonEventInfrastructure_Bus
6. From the Integrated Solutions Console, click Resources → JMS → Activation
Specifications.
7. In scope, select one of the following:
• For single server installations, select the server level. For example:
Node=dibby, Server=RTCGWServer
• For cluster installations, select the cluster: RTCCluster.
8. Click New.
9. With Default messaging provider selected, click OK.
10. Type any name in the Name field. For example:
CEI_Topic_ActivationSpec
11. For the JNDI Name, type:
jms/cei/TopicActivationSpec
12. For the Destination type, select Topic.
13. For the Destination JNDI Name, type the following:
jms/cei/notification/AllEventsTopic
14. For the Bus name, select CommonEventInfrastructure_Bus.
15. For the Subscription durability, select Non-durable.
16. For the Subscription name field, paste the long name that you copied in Step
5. For example (the following is all on one line but split over two lines here
for printing purposes):
dibby.RTCGWServer.CommonEventInfrastructureTopic
Destination@dibby.RTCGWServer-CommonEventInfrastructure_Bus
17. For the Client identifier field, paste the portion that comes before the @
symbol. For example:
dibby.RTCGWServer.CommonEventInfrastructureTopicDestination
18. For the Durable subscription home field, paste the portion that comes after
the @ symbol. For example:
dibby.RTCGWServer-CommonEventInfrastructure_Bus
19. Click OK, and then Save.
Creating the message store for event logging (clusters only)
This procedure creates a message store for event logging for use by Lotus
Sametime Gateway clusters.
Procedure
1. In the Integrated Solutions Console, click Service Integration → Buses.
2. Click the CommonEventInfrastructure_Bus.
3. Under Topology, click Messaging engines.
4. Click the messaging engine name.
5. On the Configuration panel, under Additional properties, click Message store.
6. In the Authentication alias field, select cell_name/RTCDBUser, where cell_name
is the name of your cluster's cell.
7. Click OK, and then Save.
Installing the event logging application
To view the event log, you must install the event logging application included in
the Lotus Sametime Gateway samples ear file. While Lotus Sametime Gateway
does ship with an event logger that sends events to a database, you must install a
sample ear file to view those events.
Before you begin
The Lotus Sametime Software Development Kit includes a samples ear file
(rtc_gatewaySamplesEAR.ear) that you install as a regular J2EE application in
WebSphere Application Server. Once the ear file is installed and the event logger is
enabled, Lotus Sametime Gateway event logger can then send easy to read output
to the trace.log file. For complete details regarding installation, configuration, and
the functionality of the sample Logger Event Consumer, see the Lotus Sametime
Gateway Integration Guide included with the Sametime SDK.
About this task
The sample application sends the name and value pairs of extendedDataElements
in any event that is captured with extensionName RtcGatewayLoggerEvent to the
trace.log file. The sample Logger Event Consumer distributed with the SDK only
writes information when diagnostic trace is enabled. Review the topic "Setting a
diagnostic trace" for more information. Logging for the samples must be enabled
and set to All Message and Trace Levels for
com.ibm.collaboration.realtime.sample.
The installation of the sample application on a node in a cluster binds the
application to the cluster. There's no need to install the rtc_gatewaySamplesEAR.ear
file on every node.
Procedure
1. From the Integrated Solutions Console, click Applications → Install New
Application.
2. Browse to the Lotus Sametime Software Development Kit and locate the file:
...\samples\rtc_gatewaySamplesEAR.ear
3. Accept the defaults provided by WebSphere Application Server and click
Next.
4. Click Next again to go to the Bind listeners for message-driven beans panel.
5. Select the EJB module.
6. Select Activation Specification.
7. In the Target Resource JNDI Name field, type:
jms/cei/TopicActivationSpec
8. For the Destination JNDI Name, type:
jms/cei/notification/AllEventsTopic
9. In the Activation spec authentication alias field, type one of the following
entries:
• Single server installations: type your primary administrative user name that
you created when you enabled administrative security.
• Cluster installations: type CommonEventInfrastructureJMSAuthAlias.
10. Click Next.
11. Check the summary, click Finish.
12. Click Save.
13. From the Integrated Solutions Console, click Applications → Enterprise
Applications.
14. Select rtc.gatewaySamplesEAR.
15. Click Start.
16. If you are installing the sample ear file on a cluster, complete the following
substeps, otherwise skip this step:
a. Install the rtc_gatewaySamplesEAR.ear on the Deployment Manager node.
b. Synchronize your changes to all nodes in the cluster. Click System
Administration → Nodes.
c. Select all nodes in the cluster, then click Full Resynchronize.
d. Open a command window.
e. In the command window, stop the Deployment Manager and wait for the
command to finish, and then restart the Deployment Manager. Use the
user name and password that you provided when you enabled
administrative security to stop the Deployment Manager. Open a
command window and navigate to the stgw_profile_root\bin directory
and use the following commands:
AIX, Linux, and Solaris
./stopManager.sh -username username -password password
./startManager.sh
Windows
stopManager.bat -username username -password password
startManager.bat
IBM i
stopManager -username username -password password
startManager
f. Restart the node agents.
1) Log into the Integrated Solutions Console (http://localhost:9060/ibm/console)
on the Deployment Manager node.
2) Click System Administration → Node agents.
3) Select all node agents, and then click Restart.
17. Click Sametime Gateway → Message Handlers.
18. Select the Event logger, and click the Move Down button to make the event
logger the last message handler in the list.
19. Select the User locator message handler and click the Move Up button to
make the user locator the first message handler in the list.
20. Select the newly installed Event logger and click Enable.
Uninstalling the event logging application:
Uninstall the event logging application, which is part of the Sametime Gateway
samples ear file, by first disabling the event logging message handler, then
stopping the enterprise application, and finally uninstalling the application.
Procedure
1. From the Integrated Solutions Console, click Sametime Gateway → Message
Handlers.
2. In the list of message handlers, select the event logger, helloworld, chatlog, and
presblock.
3. Click Disable.
4. Click Applications → Enterprise Applications.
5. Select rtc_gatewaySamplesEAR.ear from the list and click Stop, and then
Uninstall.
Logging events
Complete these steps to enable content, instant messaging, or presence logging. To
actually view the log results, you must install the sample ear file.
About this task
When you first install Lotus Sametime Gateway, event logging is enabled. But to
begin logging events, you must enable at least one custom property for the event
logger. You can record three types of events: the actual content of an instant
messaging session, instant messaging data, and presence (or subscription) data.
Each type of event records basic information such as when a session starts and
stops, when an instant message is sent, when a presence subscription is created or
released, and when a presence notification takes place.
Event logging for content, instant messaging, and presence is disabled (set to 0) by
default. Values 0 or 1 and true or false are acceptable.
Expected state:
• Single server: the Lotus Sametime Gateway server is started.
• Cluster: the Deployment Manager is started, and the node agent and Sametime
Gateway server are started on at least one node.
Procedure
1. In the Integrated Solutions Console, click Sametime Gateway → Message
Handlers.
2. Click the event logger plug-in in the table.
3. Click Custom properties.
4. Select one of the following properties:
• enableContentLogging
• enableImLogging
• enablePresenceLogging
5. Set the value as follows:
   Value          Meaning
   0 or false     disabled
   1 or true      enabled
6. Click OK. You cannot view logged events until you install the sample
application that logs information to trace.log. See the sample ear file and Lotus
Sametime Gateway Integration Guide included in the Lotus Sametime Software
Development Kit.
What to do next
Related reference
“Message handler properties” on page 545
Use this page to configure the properties of a message handler such as the user
locator, authorization controller, or event logger.
Configuring Sametime Gateway properties
You can put limits on sessions and subscriptions, and specify blacklist domains to
check when Lotus Sametime Gateway receives a subscription request. You can also
add or edit custom properties for communities, connections, translation protocols,
or message handlers.
Setting the blacklist domains
You can specify the DNS blacklisted sites to check when the Lotus Sametime
Gateway receives a subscription request. A blacklisted domain is an email address
domain that you do not want to give access through Lotus Sametime Gateway.
About this task
Expected state:
• Single server: the Lotus Sametime Gateway server is started.
• Cluster: the Deployment Manager is started, and the node agent and Sametime
Gateway server are started on at least one node.
Procedure
1. In the Integrated Solutions Console, click Sametime Gateway → Gateway
Properties.
2. Type the blacklist domain names. Use fully qualified domain names or
TCP/IP addresses separated by a comma, semicolon, or space. Wildcards using
an asterisk in the left-most subdomain position are allowed. For example,
*.spamalot.com is allowed.
3. Click Apply.
Related reference
“Sametime Gateway properties” on page 534
Use this page to set the maximum chat sessions. You can also specify domains
from which to block messages.
Setting a session timeout for an external community
Setting a session timeout applies to the instant messaging capability only. By
default, the session timeout is set on the translation protocol only and disabled at
the external community level. Note that setting a community session to timeout
may cause instant messaging sessions to expire, terminate, or be lost.
About this task
If the session timeout property is set for a community, the community value takes
precedence over the translation protocol value.
You can set a session timeout on communities that use the following translation
protocols:
• SIP for Sametime Gateway
• SIP for legacy Sametime Gateway
• SIP for AOL
• SIP for Yahoo
• SIP for Microsoft Office Collaboration Server (OCS)
The session timeout does not apply to the VP or XMPP translation protocols.
Expected state:
• Single server: the Lotus Sametime Gateway server is started.
• Cluster: the Deployment Manager is started, and the node agent and Lotus
Sametime Gateway server are started on at least one node.
Procedure
1. In the Integrated Solutions Console, click Sametime Gateway → Communities.
2. Select a community to view the community properties.
3. At the top, click Custom Properties.
4. If this is the first time you are setting the session timeout at the community
level, click New; otherwise click session_timeout to edit the custom property.
5. Type session_timeout as the name for the property.
6. Type an interval, in seconds, in the Value field, for example: 3600.
7. Click OK, and then Save.
8. Restart the Lotus Sametime Gateway server. If you have a cluster of Lotus
Sametime Gateway servers, restart the cluster.
Setting a session timeout for a translation protocol
A session timeout applies to instant messaging sessions only, not presence, and to
the following translation protocols: SIP for Sametime Gateway, SIP for AOL, SIP for
OCS (Office Communications Server), SIP for Yahoo, and SIP for legacy Sametime
Gateway. By default, this property is set on the translation protocol, but you can
set the property at the community level.
About this task
The session timeout does not apply to VP or other protocols.
By default, after 60 minutes of inactivity, Lotus Sametime Gateway removes session
records. The next instant message that the user types in the same instant
messaging window is considered to be the start of a new instant messaging
session. Starting a new session is internal to Lotus Sametime Gateway. Session
timeouts are transparent to users.
If the property is defined for a community, the community value takes precedence
over translation protocol value.
Expected state:
• Single server: the Lotus Sametime Gateway server is started.
• Cluster: the Deployment Manager is started, and the node agent and Lotus
Sametime Gateway server are started on at least one node.
Procedure
1. In the Integrated Solutions Console, click Sametime Gateway → Translation
Protocols.
2. Select a translation protocol: SIP for Sametime Gateway, SIP for AOL, SIP for
OCS, SIP for Yahoo, or SIP for legacy Sametime Gateway.
3. Under Additional properties, click Custom Properties.
4. Select session_timeout.
5. Type a new session timeout in the Value field. The default timeout is 3600
seconds (60 minutes).
6. Click OK, and then Save.
7. Restart the Lotus Sametime Gateway server. If you have a cluster of Lotus
Sametime Gateway servers, restart the cluster.
Setting a subscription timeout for an external community
Setting a subscription timeout applies only to the presence capability when
connecting to a community using the SIP for legacy Sametime Gateway protocol.
The subscription timeout cancels or re-subscribes a SIP-based presence session.
About this task
By default, the subscription timeout is set on the translation protocol only. You can
set the same property on an external community, allowing fine-grained control on
a community basis. If the property is defined for a community, the community
value takes precedence over the translation protocol value.
Subscription timeout applies only to the SIP for legacy Sametime Gateway
translation protocol. The subscription timeout does not apply to VP or other
protocols.
Expected state:
• Single server: the Lotus Sametime Gateway server is started.
• Cluster: the Deployment Manager is started, and the node agent and Lotus
Sametime Gateway server are started on at least one node.
Procedure
1. In the Integrated Solutions Console, click Sametime Gateway → Communities.
2. Select a community that uses SIP for legacy Sametime Gateway to view the
community properties.
3. At the top, click Custom Properties.
4. If this is the first time you are setting the subscription timeout at the
community level, click New; otherwise click subscription_timeout to edit the
custom property.
5. Type subscription_timeout as the name for the property.
6. Type an interval in seconds in the Value field, for example: 3600.
7. Click OK, and then Save.
8. Restart the Lotus Sametime Gateway server. If you have a cluster of Lotus
Sametime Gateway servers, restart the cluster.
Setting subscription timeouts for a translation protocol
Setting a subscription timeout applies only to the presence capability. The
subscription timeout cancels or re-subscribes a SIP for legacy Sametime Gateway
presence session.
About this task
By default, the subscription timeout is set on the translation protocol only. You can
set the same property on a community, allowing fine-grained control on a
community basis. If the property is defined for a community, the community value
takes precedence over the translation protocol value.
Subscription timeout applies to the SIP for legacy Sametime Gateway protocol. The
subscription timeout does not apply to VP, XMPP, or other protocols.
Expected state:
• Single server: the Lotus Sametime Gateway server is started.
• Cluster: the Deployment Manager is started, and the node agent and Lotus
Sametime Gateway server are started on at least one node.
Procedure
1. In the Integrated Solutions Console, click Sametime Gateway → Translation
Protocols.
2. Select a translation protocol from the list.
3. Under Additional properties, click Custom Properties.
4. Select subscription_timeout.
5. Type a new subscription timeout in the Value field. The default subscription
timeout is 3600 seconds (60 minutes).
6. Click OK, and then Save.
7. Restart the Lotus Sametime Gateway server. If you have a cluster of Lotus
Sametime Gateway servers, restart the cluster.
Customizing the error message for when instant messaging fails
You can create and display custom text for users when an instant message fails.
Before you begin
You must create the external community first before you specify the custom error
message.
About this task
You can set a custom property at the community level to display a specific error
message that users see when they are unable to connect to a user in an external
community. Without the custom property, users always see the default
message "Your message has not been delivered. Please verify that the recipient is
online." The steps below describe how to create a custom error message that gives
users additional feedback when they try to connect to a specific community.
Procedure
1. In the Integrated Solutions Console, click Sametime Gateway → Communities.
2. From the list of communities, select an external community.
3. Click Custom Properties.
4. Click New to create a new custom property.
5. In the Name field, type IM failure message.
6. In the Value field, type the custom error message to display to users when
sending an instant message fails.
7. Click Apply.
8. Restart the Lotus Sametime Gateway server.
Updating AOL, Yahoo, Office Communications Server, or Google
host addresses
Complete these steps to update the server IP addresses that Sametime Gateway
uses to determine when SIP requests originate from AOL Instant Messenger,
Yahoo! Messenger, Office Communications Server, or Google Talk.
Before you begin
Update host or IP addresses only after new addresses have been published by
IBM.
About this task
Sametime Gateway uses a custom property called server to store fully qualified
domain names (FQDNs) or host IP addresses of instant messaging services. The
property enables Sametime Gateway to determine when a SIP request is coming
from AOL Instant Messenger, Office Communications Server, or Yahoo! Messenger,
or when an XMPP request is coming from Google Talk. The property is pre-set
when you add an external community that uses one of these services, so if an
FQDN or a host IP address changes, you must update the custom property for
any community that relies on that service.
Note that you can change only the custom property at the community level after
you create the connection to a community.
Procedure
1. Log into the Integrated Solutions Console (http://localhost:9060/ibm/console),
and click Sametime Gateway → Communities.
2. Click a community that uses the translation protocol that you want to update:
   Translation protocol    Instant messaging provider
   SIP for AOL             AOL Instant Messenger
   SIP for OCS             Office Communications Server
   SIP for Yahoo           Yahoo! Messenger
   XMPP                    Google Talk
3. Click Custom properties.
4. Click servers.
5. In the Value field, edit the host names or IP addresses.
6. Click OK.
7. Repeat the preceding steps for other communities that use the same translation
protocol (SIP for AOL, SIP for OCS, SIP for Yahoo, or XMPP).
8. Restart the Sametime Gateway server, or, if you have a cluster of Sametime
Gateway servers, restart the cluster.
Adding custom properties
You can add a custom property for a community, connection, translation protocol,
or message handler. You can view or edit existing properties, or specify new
properties that are needed to configure third-party elements used by the Lotus
Sametime Gateway.
About this task
Expected state:
• Single server: the Lotus Sametime Gateway server is started.
• Cluster: the Deployment Manager is started, and the node agent and Sametime
Gateway server are started on at least one node.
Procedure
1. In the Integrated Solutions Console, click Sametime Gateway → Communities.
2. Select a community to view the community properties.
3. At the top, click Custom Properties.
4. Click New.
5. Type the name of the custom property in the Name field.
6. Type the value in the Value field.
7. Select Required to enable the custom property.
8. Click OK.
Translation protocol additions:
You can extend the IBM Lotus Sametime Gateway by adding translation protocols.
Additional translation protocols expand the communities that the Lotus Sametime
Gateway can connect with.
A new translation protocol extends the Lotus Sametime Gateway's ability to
connect to additional instant messaging communities. A translation protocol must
implement the API defined by the Lotus Sametime Gateway core. The core
exposes an API for use by the translation protocol, and includes documentation on
how to use it. Your new translation protocol is responsible for connectivity with
the corresponding presence servers. If the presence server supports distribution or
failover, the translation protocol is responsible for implementing these features.
During deployment, the Lotus Sametime Gateway configuration must be updated
so that the Gateway is aware of the new translation protocol. Restart the
Gateway to initiate the new translation protocol.
Configuring security
After setting up your initial IBM Lotus Sametime environment, you may want to
make additional changes to safeguard information at your site, including limiting
user access to certain features, using encryption, and modifying default security
settings.
This section contains information about securing your Lotus Sametime servers
running on Domino and WebSphere Application Server.
Using a different SSL certificate for servers running on
WebSphere
The IBM Lotus Sametime servers that run on IBM WebSphere Application Server
install with SSL enabled, using a self-signed certificate from IBM. If you want to
use a different certificate, you can import it into the keystore yourself.
About this task
The following Lotus Sametime servers install with SSL already enabled, using a
self-signed certificate provided by IBM:
• Lotus Sametime Proxy Server
• Lotus Sametime Meeting Server
• Lotus Sametime Media Manager
  If you install the Media Manager components on separate servers, each is
  installed with SSL enabled.
Note: The Lotus Sametime Gateway server does not install with SSL enabled; the
configuration instructions in this information center explain how to enable SSL and
import a certificate for Lotus Sametime Gateway servers.
If you want to modify your deployment to use a different SSL certificate, follow
the instructions in the WebSphere information center topic, Import certificate from
a key file or managed keystore.
Adding a Sametime server SSL certificate to the Sametime
System Console
If you need to enable SSL (Secure Socket Layer), make sure you add the certificate
from the IBM Lotus Sametime server (Sametime Meeting, Proxy, Media Manager,
Gateway, or SIP) to the Lotus Sametime System Console.
About this task
To enable SSL, you must extract the certificate from the Lotus Sametime product
server and add it to the trust store of the Sametime System Console. The Lotus
Sametime product servers include:
• Lotus Sametime Meeting Server
• Lotus Sametime Proxy Server
• Lotus Sametime Media Manager
• Lotus Sametime Gateway Server
• SIP Proxy and Registrar
Follow these instructions. See the WebSphere Application Server information center
for more information on extracting and adding certificates.
Procedure
1. Log in to the Integrated Solutions Console for the Lotus Sametime product
server.
2. Click Security → SSL certificate and key management → SSL configurations →
CellDefaultSSLSettings → Key stores and certificates → CellDefaultTrustStore
→ Signer certificates.
3. Select the alias named root, and click Extract.
4. Enter the name of the .cer file, and select Base64 as the type for storing the
process server signer certificate.
5. Log in to the Integrated Solutions Console for the Lotus Sametime System
Console.
6. Click Security → SSL certificate and key management → SSL configurations →
CellDefaultSSLSettings → Key stores and certificates → CellDefaultTrustStore
→ Signer certificates
7. Click Add.
8. Enter an alias.
9. Enter the file name where you stored the extracted process server signer
certificate from the product server.
10. Click Apply.
11. Restart the Lotus Sametime System Console deployment manager.
Related tasks
“Updating Sametime Proxy Server connection properties on the console” on page
506
You can update connection setting information that the IBM Lotus Sametime
System Console uses to connect to the Lotus Sametime Proxy Server.
“Updating Sametime Media Manager connection properties on the console” on
page 507
You can update connection setting information that the IBM Lotus Sametime
System Console uses to connect to the Lotus Sametime Media Manager.
“Updating Sametime Meeting Server connection properties on the console” on
page 520
You can update connection setting information that the IBM Lotus Sametime
System Console uses to connect to the Lotus Sametime Meeting Server.
“Updating Sametime Gateway Server connection properties on the console” on
page 529
You can update connection setting information that the IBM Lotus Sametime
System Console uses to connect to the Lotus Sametime Gateway Server.
Configuring security for the Lotus Sametime Community
Server
The IBM Lotus Sametime server uses the Internet and intranet security features of
the Domino server on which it is installed to authenticate web browser users who
access Domino databases on the server.
About this task
Follow the instructions in this section to set up SSL, HTTP tunneling, and user
authentication.
Configuring Sametime to use SSL encryption
Configure IBM Lotus Sametime to use SSL (Secure Socket Layer) for its services;
and configure HTTPS when communicating with Web clients or enable LDAPS
(LDAP over SSL) with LDAP server.
About this task
You can encrypt communications for Lotus Sametime Services and the
communication between Lotus Sametime and web browsers. You can also encrypt
communications between an LDAP server and the Lotus Sametime server with the
LDAPS protocol.
You can set up either, or both, of these protocols independently:
Enabling encryption for Lotus Sametime Services, and between Lotus Sametime
and web browsers:
Configure SSL encryption for IBM Lotus Sametime Services and enable HTTPS for
Web browsers.
About this task
Enabling SSL encryption with the HTTPS (browser-based) protocol involves the
following tasks:
Preparing Lotus Domino to use SSL:
Because IBM Lotus Sametime resides on an IBM Lotus Domino server, you must
enable the Lotus Domino server's HTTP component to support Secure Socket Layer
(SSL) before you can configure the Lotus Sametime server to encrypt
communications.
About this task
Follow these steps in the Lotus Domino Administrator information center to set up
a Lotus Domino server to support SSL for HTTP connections:
Setting up SSL on a Domino server
Preparing Lotus Sametime to use SSL:
Set up SSL encryption on the IBM Lotus Sametime server by importing the SSL
certificate used by IBM Lotus Domino and configuring the Lotus Sametime server
to use it.
About this task
Install the GSKit and use the IKeyMan program to create a keystore on the Lotus
Sametime server before you import the Lotus Domino server's SSL certificate and
complete configuration changes to enable support for SSL. Complete the following
tasks in the sequence shown:
Setting up a keystore for the SSL certificate used by Lotus Domino:
Install the IBM GSKit with the IBM IKeyMan utility and then create a keystore file
to hold the IBM Lotus Domino server's SSL certificate.
About this task
Lotus Sametime on IBM i already includes a keystore file called stkeys.jks, so you
can skip this procedure and proceed directly to obtain and import a copy of the
SSL certificate from the Lotus Domino server into the Lotus Sametime server.
On IBM AIX, Linux, Solaris, and Microsoft Windows, you must create the keystore
file yourself by completing the following tasks:
Installing GSKit and IKeyMan on the Lotus Sametime server:
The IBM IKeyMan utility is contained in the GSKit program, so you must install
both on the IBM Lotus Sametime server before you can set up a keystore file.
About this task
The Lotus Sametime server must store a copy of the IBM Lotus Domino server's
SSL trusted root certificate to complete the SSL handshake when making an SSL
connection to a browser-based client. Before you can import the SSL certificate
from the Lotus Domino server, use the GSKit and IKeyMan utility to create a
keystore file on the Lotus Sametime server for storing the certificate.
Notes:
v On IBM i, Lotus Sametime comes with the IKeyMan utility already installed, but
you must install DCM software instead; the instructions are in this section.
v You only need to install GSKit and IKeyMan once. If you have already installed
these programs during an earlier procedure, you can skip this task.
The instructions for installing DCM, or the GSKit and the IKeyMan utility, vary
according to your server's operating system; use the instructions in the appropriate
topic:
Installing GSKit and IKeyMan on AIX:
Install the GSKit with the IKeyMan utility on an IBM Lotus Sametime server that
runs on IBM AIX.
About this task
IBM Lotus Domino also ships with a version of GSKit, but for this task you must
use the version included with Lotus Sametime.
To install GSKit and IKeyMan on AIX, follow the steps below:
Procedure
1. Log on to the Lotus Sametime server as the root user.
2. Stop the Lotus Domino and Lotus Sametime server.
3. Download the GSKit directory to a temporary location on the server.
Open this release's Download document at the following web address:
http://www.ibm.com/support/docview.wss?rs=477&uid=swg24027054
4. Navigate to your server's copy of the GSKit directory and open a command
prompt.
5. Install GSKit using the System Management Interface Tool (SMIT) utility to
install the gskak.rte package.
The package name is "version AIX Certificate and SSL Base ACME Runtime
Toolkit".
6. Use a text editor to add com.ibm.spi.IBMCMSProvider to the list of providers in
the java.security file as follows:
a. Navigate to the /opt/ibm/lotus/notes/latest/ibmpow/ibm-jre/jre/lib/
security directory.
b. Open the java.security file.
c. In the java.security file, add the following statement to the list of
security providers as shown:
security.provider.5=com.ibm.spi.IBMCMSProvider
The example below illustrates this line added to the java.security file (notice
that the preference numbers must be in sequence):
#
security.provider.1=com.ibm.jsse.IBMJSSEProvider
security.provider.2=com.ibm.crypto.provider.IBMJCE
security.provider.3=com.ibm.security.jgss.IBMJGSSProvider
security.provider.4=com.ibm.security.cert.IBMCertPath
security.provider.5=com.ibm.spi.IBMCMSProvider
#
d. Save and close the file.
7. Navigate to the /opt/ibm/lotus/notes/latest/ibmpow/ibm-jre/jre/lib/ext
directory, and delete the gskikm.jar file.
8. Set the JAVA_HOME environment variable to the java VM installed under the
Lotus Sametime binaries directory:
JAVA_HOME=/opt/ibm/lotus/notes/latest/ibmpow/ibm-jre/
Installing GSKit and IKeyMan on Linux:
Install the GSKit with the IKeyMan utility on an IBM Lotus Sametime server that
runs on Linux.
About this task
IBM Lotus Domino also ships with a version of GSKit, but for this task you must
use the version included with Lotus Sametime.
To install GSKit and IKeyMan on Linux, follow the steps below:
Procedure
1. Log on to the Lotus Sametime server as the root user.
2. Stop the Lotus Domino and Lotus Sametime server.
3. Download the GSKit directory to a temporary location on the server.
Open this release's Download document at the following web address:
http://www.ibm.com/support/docview.wss?rs=477&uid=swg24027054
4. Navigate to your server's copy of the GSKit directory and open a command
prompt.
5. Install the GSkit RPM.
Note: The examples show release 7 of GSKit, but this program is periodically
updated in the Lotus Sametime kits, so you may find that a newer version of
GSKit was installed on your server.
For example:
rpm -i gsk7bas-7.0-3.31.i386.rpm
6. Edit the java.security file as follows:
a. Navigate to the /opt/ibm/lotus/notes/latest/linux/ibm-jre/jre/lib/
security/ directory.
b. Open the java.security file.
c. Use a text editor to add com.ibm.spi.IBMCMSProvider to the list of providers
in the java.security file as follows:
security.provider.5=com.ibm.spi.IBMCMSProvider
The example below illustrates this line added to the java.security file (notice
that the preference numbers must be in sequence):
#
security.provider.1=com.ibm.jsse.IBMJSSEProvider
security.provider.2=com.ibm.crypto.provider.IBMJCE
security.provider.3=com.ibm.security.jgss.IBMJGSSProvider
security.provider.4=com.ibm.security.cert.IBMCertPath
security.provider.5=com.ibm.spi.IBMCMSProvider
#
d. Save and close the file.
7. Set the JAVA_HOME environment variable to the Java VM installed under the
Lotus Sametime binaries directory:
JAVA_HOME=/opt/ibm/lotus/notes/latest/linux/ibm-jre/jre
export JAVA_HOME
Installing GSKit and IKeyMan on Solaris:
Install the GSKit with the IKeyMan utility on an IBM Lotus Sametime server that
runs on Solaris.
About this task
IBM Lotus Domino also ships with a version of GSKit, but for this task you must
use the version included with Lotus Sametime.
To install GSKit and IKeyMan on Solaris, follow the steps below:
Procedure
1. Log on to the Lotus Sametime server as the root user.
2. Stop the Lotus Domino and Lotus Sametime server.
3. Download the GSKit directory to a temporary location on the server.
Open this release's Download document at the following web address:
http://www.ibm.com/support/docview.wss?rs=477&uid=swg24027054
4. Navigate to your server's copy of the GSKit directory and open a command
prompt.
5. Install GSKit as follows:
Note: The examples show release 6 of GSKit, but this program is periodically
updated in the Lotus Sametime kits, so you may find that a newer version of
GSKit was installed on your server.
a. Uncompress and untar the gsk6bas.tar.Z file.
b. Use one of the following methods to install GSKit:
v Use the admintool application.
v Use the pkgadd command; for example:
pkgadd -d /var/spool/pkg gsk6bas
6. Use a text editor to add com.ibm.spi.IBMCMSProvider to the list of providers in
the java.security file as follows:
a. Navigate to the /opt/ibm/lotus/notes/latest/sunspa/ibm-jre/jre/lib/
security/ directory.
b. Open the java.security file.
c. In the java.security file, add the following statement to the list of
security providers as shown:
security.provider.5=com.ibm.spi.IBMCMSProvider
The example below illustrates this line added to the java.security file (notice
that the preference numbers must be in sequence):
#
security.provider.1=com.ibm.jsse.IBMJSSEProvider
security.provider.2=com.ibm.crypto.provider.IBMJCE
security.provider.3=com.ibm.security.jgss.IBMJGSSProvider
security.provider.4=com.ibm.security.cert.IBMCertPath
security.provider.5=com.ibm.spi.IBMCMSProvider
#
d. Save and close the file.
7. Navigate to the /opt/ibm/lotus/notes/latest/sunspa/ibm-jre/jre/lib/ext
directory, and delete the gskikm.jar file.
8. Set the JAVA_HOME environment variable to the java VM installed under the
Lotus Sametime binaries directory:
JAVA_HOME=/opt/ibm/lotus/notes/latest/sunspa/ibm-jre/
export JAVA_HOME
Installing GSKit and IKeyMan on Windows:
Install the GSKit with the IKeyMan utility on an IBM Lotus Sametime server that
runs on Windows.
About this task
IBM Lotus Domino also ships with a version of GSKit, but for this task you must
use the version included with Lotus Sametime.
To install GSKit and IKeyMan on Microsoft Windows, follow the steps below:
Procedure
1. Log on to the Lotus Sametime server as the Windows administrator.
2. Stop the Lotus Domino and Lotus Sametime server.
3. Download the GSKit directory to a temporary location on the server.
Open this release's Download document at the following web address:
http://www.ibm.com/support/docview.wss?rs=477&uid=swg24027054
4. Run gsk7bas.exe to extract the GSKit to a path that you supply.
5. Open a command prompt and navigate to the path of the GSKit directory
6. Install GSKit and IKeyMan by running the following command:
setup.exe GSKit Sametime_install_root -s -f1setup.iss
For example:
setup.exe GSKit C:\Program Files\Lotus\Domino -s -f1setup.iss
This command performs a silent installation of the IKeyMan program into the
Lotus Sametime installation directory.
7. Verify that the installation is successful:
Note: The examples show release 7 of GSKit, but this program is periodically
updated in the Lotus Sametime kits, so you may find that a newer version of
GSKit was installed on your server.
a. Verify that a folder called ibm\gsk7 now exists under the Lotus Sametime
installation directory.
b. Verify that the HKLM\Software\ibm\gsk7 registry key has been created on
the server.
8. Set the JAVA_HOME environment variable to the Java VM installed under the
Lotus Sametime binaries directory:
a. From the Windows desktop, right click on the My Computer icon and
select System Properties.
b. In the "System Properties" dialog box, select the Advanced tab.
c. Click the Environment Variables button.
d. In the "New System Variable" dialog box, click the New button under the
"System Variables" list, and enter the following information:
Table 32. Defining the new JAVA_HOME environment variable
Variable name: JAVA_HOME
Variable value: Sametime_install_root\ibm-jre\jre (for example, C:\Lotus\Sametime\ibm-jre\jre)
e. Click OK to close the "New System Variable" dialog box.
f. Click OK to close the "Environment Variables" dialog box.
g. Click OK to close the "System Properties" dialog box.
9. Use a text editor to add com.ibm.spi.IBMCMSProvider to the list of providers
in the java.security file as follows:
a. Navigate to the Sametime_install_root\ibm-jre\jre\lib\security
directory.
For example:
C:\Program Files\Lotus\Domino\ibm-jre\jre\lib\security
b. Open the java.security file.
c. In the java.security file, add the following statement to the list of
security providers as shown:
security.provider.6=com.ibm.spi.IBMCMSProvider
The example below illustrates this line added to the java.security file
(notice that the preference numbers must be in sequence):
#
# List of providers and their preference orders (see above)
#
security.provider.1=com.ibm.jsse.IBMJSSEProvider
security.provider.2=com.ibm.crypto.provider.IBMJCE
security.provider.3=com.ibm.security.jgss.IBMJGSSProvider
security.provider.4=com.ibm.security.cert.IBMCertPath
security.provider.5=com.ibm.spi.IBMCMSProvider
#
10. Navigate to the Sametime_install_root\ibm-jre\jre\lib\ext directory, and
delete the gskikm.jar file.
For example:
C:\Program Files\Lotus\Domino\ibm-jre\jre\lib\ext\gskikm.jar
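The four platform procedures above all end with the same edit to java.security, and each warns that the preference numbers must be in sequence. The following added example (not IBM's code; the function names, the sample provider listings and the "numbered 6 by mistake" case are constructed for illustration) checks a java.security file for that rule and adds com.ibm.spi.IBMCMSProvider at the next free number:

```python
"""Added example (not IBM's code): check a java.security provider list before and
after adding com.ibm.spi.IBMCMSProvider, as the procedures above require."""
import re

CMS_PROVIDER = "com.ibm.spi.IBMCMSProvider"
PROVIDER_RE = re.compile(r"^security\.provider\.(\d+)\s*=\s*(\S+)$")

# Constructed sample: the four stock providers shown in the guide, before the edit.
SAMPLE_BEFORE = """\
#
# List of providers and their preference orders (see above)
#
security.provider.1=com.ibm.jsse.IBMJSSEProvider
security.provider.2=com.ibm.crypto.provider.IBMJCE
security.provider.3=com.ibm.security.jgss.IBMJGSSProvider
security.provider.4=com.ibm.security.cert.IBMCertPath
#
"""

# Constructed sample of a common mistake: the new provider was numbered 6, leaving a gap.
SAMPLE_GAP = SAMPLE_BEFORE + "security.provider.6=" + CMS_PROVIDER + "\n"


def parse_providers(text):
    """Map preference number -> provider class for every security.provider.N line."""
    providers = {}
    for raw in text.splitlines():
        match = PROVIDER_RE.match(raw.strip())
        if match:
            providers[int(match.group(1))] = match.group(2)
    return providers


def check_providers(text):
    """Return a list of problems; an empty list means the file is ready for IKeyMan."""
    providers = parse_providers(text)
    if not providers:
        return ["no security.provider.N entries found"]
    problems = []
    numbers = sorted(providers)
    # Java reads security.provider.1, .2, ... and stops at the first missing
    # number, so the numbering must be contiguous from 1 (as the guide notes).
    if numbers != list(range(1, len(numbers) + 1)):
        problems.append(f"preference numbers are not in sequence: {numbers}")
    if CMS_PROVIDER not in providers.values():
        problems.append(f"{CMS_PROVIDER} is not registered")
    if len(set(providers.values())) != len(providers):
        problems.append("a provider class is listed more than once")
    return problems


def add_cms_provider(text):
    """Return text with IBMCMSProvider added at the next free number (unchanged if present)."""
    providers = parse_providers(text)
    if CMS_PROVIDER in providers.values():
        return text
    next_number = max(providers, default=0) + 1
    lines = text.splitlines()
    provider_lines = [i for i, raw in enumerate(lines) if PROVIDER_RE.match(raw.strip())]
    # Keep the new entry together with the existing provider block.
    insert_at = provider_lines[-1] + 1 if provider_lines else len(lines)
    lines.insert(insert_at, f"security.provider.{next_number}={CMS_PROVIDER}")
    return "\n".join(lines) + "\n"


if __name__ == "__main__":
    print("before:", check_providers(SAMPLE_BEFORE))
    fixed = add_cms_provider(SAMPLE_BEFORE)
    print(fixed)
    print("after:", check_providers(fixed))
    print("gap:", check_providers(SAMPLE_GAP))
```

Run it against the real file by reading /opt/ibm/lotus/notes/latest/<platform>/ibm-jre/jre/lib/security/java.security (or the Windows equivalent) into check_providers.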
Creating a keystore file:
Use the IBM IKeyMan utility to create a keystore file on the IBM Lotus
Sametime server, which will be used for storing a copy of the IBM Lotus Domino
server's SSL certificate.
About this task
On IBM AIX, Linux, and Solaris, create a keystore file called keys.jks; on
Microsoft Windows, call it stkeys.jks.
Note: On IBM i, the keystore already exists; skip this procedure.
To create a key store file on the Sametime server:
Procedure
1. Open a command prompt and navigate to the /jvm/bin directory of your Lotus
Sametime installation:
v AIX /opt/ibm/lotus/notes/latest/ibmpow/jvm/bin
v Linux /opt/ibm/lotus/notes/latest/linux/jvm/bin
v Solaris/opt/ibm/lotus/notes/latest/sunspa/jvm/bin
v Windows C:\Program Files\Lotus\Domino\jvm\bin
2. Start the IKeyMan program by running the following command:
java com.ibm.gsk.ikeyman.Ikeyman
3. Click Key Database File → New.
4. In the "New" dialog box, complete these fields and then click OK:
Key database type: Accept the default of jks.
File name: Enter a file name for the key database:
v AIX, Linux, Solaris: keys.jks
v Windows: stkeys.jks
Location: Choose the directory in which the "stkeys.jks" file will be stored. The
examples in this documentation assume the file is stored in the
Sametime_install_root/jvm/bin directory.
5. In the "Password" dialog box, complete these fields and then click OK:
Password: Type the password that you will use to access the keystore. You will
need this password later in the procedure.
Confirm password: Type the password again to confirm it.
Set expiration time?: Click this option to enable it and type the number of days
for which the password will remain valid. If you do not want the password to
expire, leave this option disabled.
Obtaining a copy of the SSL certificate used by Lotus Domino:
When the IBM Lotus Domino server is configured to use SSL, an SSL server
certificate is received from a Certification Authority (CA) and merged into the
Lotus Domino Server Certificate Admin database. When you configure SSL for
IBM Lotus Sametime, you import a copy of this certificate to the Lotus Sametime
server.
About this task
There are two versions of the SSL certificate that you can use:
Obtaining the SSL certificate directly from the Lotus Domino server:
When configuring SSL for IBM Lotus Sametime, you can import a copy of the SSL
certificate directly from the IBM Lotus Domino server.
About this task
When the Lotus Domino server was configured to use SSL, an SSL server
certificate was received from a Certification Authority (CA) and merged into the
Lotus Domino Server Certificate Admin (certsrv.nsf) database. In this procedure,
you export a copy of that certificate and save it as a file so that you can import it
into Lotus Sametime in a later task.
Procedure
1. Open a browser and navigate to the Lotus Domino server where you enabled
SSL.
Note: The steps below use the Microsoft Internet Explorer browser; steps for
your own browser may differ.
You can locate the Lotus Domino server by navigating to the Lotus Sametime
server that is hosted on the same computer, using an address similar to the
following (replace Sametime.acme.com with your fully qualified Internet host
name):
https://Sametime.acme.com
2. Install the SSL certificate in Microsoft Internet Explorer to ensure it is available
for export:
a. When prompted to "select the certificate to use when connecting," click OK.
b. At the "Security Alert" dialog box, click View Certificate.
c. At the "Certificate" dialog box, click Install Certificate.
d. At the "Certificate Manager Import Wizard" screen, click Next.
e. Click the Automatically select the certificate store based on the type of
certificate option, and then click Next.
f. Back at the "Certificate Manager Import Wizard" screen, click Finish.
g. When the message indicating that the SSL server certificate was imported
successfully appears, click OK repeatedly until you have closed all of the
dialog boxes.
3. Now export the SSL certificate from Internet Explorer and save it as a file.
a. From the browser, click Tools → Internet Options.
b. Click the Contents tab.
c. Click the Certificates button.
d. Click the Other People tab.
e. Scroll down the list of certificates and select the server certificate that you
imported earlier in this procedure.
The certificate name should provide some indication that the certificate is
associated with the Domino server from which it was imported. For
example, if the certificate was imported from a server named
Sametime.acme.com, the certificate might be issued to "Sametime" or to
"Example."
f. Click the Export button.
g. At the "Certificate Manager Export Wizard" screen, click Next.
h. At the "Certificate Export File" screen, select Base64 encoded X.509 (.CER),
and then click Next.
i. At the "Export File Name" screen, provide a name for the file, select the
Lotus Sametime server's data directory as the location where you want to
store the file, and then click Next.
For example, on Windows, you might enter SSLservercertificate.cer as
the file name, and select C:\Lotus\Domino\data as the location.
Note: On IBM i, save the file directly to your server if you have mapped to
the server drive. Otherwise, save the file on your client workstation and
transfer it to your IBM i server later.
j. When the message appears indicating the export was successful, click OK.
Obtaining a copy of the trusted root certificate:
If you are unable to obtain a copy of the IBM Lotus Domino server's SSL
certificate, you can request a trusted root certificate from a CA or export a trusted
root certificate from your web browser.
About this task
If you need to obtain a trusted root certificate, you must obtain the same trusted
root certificate that is used by the Domino server to sign the Domino SSL server
certificate. For example, if the VeriSign Class 4 Public Primary Certification
Authority trusted root certificate is used to sign the Domino SSL server certificate,
you must either export this certificate from your web browser or request a VeriSign
Class 4 Public Primary Certification Authority trusted root certificate from
VeriSign.
There are two ways to obtain a copy of the trusted root certificate:
Obtaining a trusted root certificate from the web browser:
When configuring SSL for the IBM Lotus Sametime server, you can import a copy
of the trusted root certificate that was used for signing the IBM Lotus Domino
server's own SSL certificate from a web browser, and then import it in the Lotus
Sametime server's key store.
About this task
Rather than obtaining a copy of the Lotus Domino server's own SSL certificate, you
may choose to obtain a copy of the trusted root certificate that was used for
signing the Lotus Domino server's certificate. The easiest way to obtain a trusted
root certificate is to export one from your web browser.
Web browsers include many different SSL trusted root certificates by default. If
your Web browser contains a trusted root certificate that corresponds with the
Lotus Domino server's trusted root certificate that was used to sign the Lotus
Domino SSL server certificate, you can export it from the browser and save it as a
file.
Note: You must use the same trusted root that signed the Lotus Domino server's
own SSL certificate.
The procedure below illustrates how you can export a trusted root certificate from
a Microsoft Internet Explorer web browser:
Procedure
1. From the browser, click Tools → Internet Options.
2. Click the Contents tab.
3. Click the Certificates button.
4. Select the Trusted Root Certification Authorities tab.
5. Select the appropriate trusted root certificate from the list.
6. Click the Export button.
7. At the "Certificate Manager Export Wizard" screen, click Next.
8. At the "Certificate Export File" screen, select Base64 encoded X.509 (.CER),
and then click Next.
9. At the "Export File Name" screen, provide a name for the file, select the Lotus
Sametime server's data directory as the location where you want to store the
file, and then click Next.
For example, on Windows, you might enter SSLservercertificate.cer as the
file name, and select C:\Lotus\Domino\data as the location.
Note: On IBM i, save the file directly to your server if you have mapped to
the server drive. Otherwise, save the file on your client workstation and
transfer it to your IBM i server later.
10. When the message appears indicating that the export was successful, click
OK.
Obtaining a trusted root certificate from the Certification Authority:
When configuring SSL for the IBM Lotus Sametime server, you can obtain a copy
of the trusted root certificate used for signing the IBM Lotus Domino server's SSL
certificate from the original Certificate Authority.
About this task
If you are unable to obtain a copy of the Lotus Domino server's SSL server
certificate, you can request a copy of the trusted root certificate from a CA.
Normally, you request a certificate from a CA by browsing to the CA's website. For
example, follow these steps to request a certificate from VeriSign:
Procedure
1. Open a browser and navigate to the VeriSign site:
www.verisign.com
2. Follow the instructions on the website to request a certificate.
Once the certificate request is approved, you will receive an email explaining
how to pick up the certificate.
3. Pick up the certificate as instructed (for example, by browsing to the website
and copying it from a field on the specified page).
You can provide a file name for the certificate when receiving it from the CA
and then store it in the Lotus Sametime server's data directory.
Importing the Lotus Domino server's SSL certificate into the keystore:
After you obtain a copy of either the IBM Lotus Domino server's own SSL
certificate, or the trusted root certificate that was used to sign it, import your copy
into the IBM Lotus Sametime server's keystore.
About this task
The procedure for importing the SSL certificate depends on your operating system:
Importing an SSL certificate on AIX, Linux, Solaris:
To enable SSL between IBM Lotus Sametime running on IBM AIX, Linux, or
Solaris, import the IBM Lotus Domino server's SSL certificate into the keystore.
Before you begin
Make sure you have copied one of the following certificates from the server into
the Lotus Sametime server's data directory:
v CA.txt (the trusted root certificate)
v Server.txt (the SSL server certificate)
About this task
Follow the steps below to import the SSL certificate into the keystore on the Lotus
Sametime server:
Procedure
1. Verify that the ikeyman.sh file's SAMETIME_HOME variable specifies the
correct path for your server's installation directory, modifying it as needed.
The default installation directories for Lotus Sametime are as follows:
v AIX: /opt/ibm/lotus/notes/latest/ibmpow
v Linux: /opt/ibm/lotus/notes/latest/linux
v Solaris: /opt/ibm/lotus/notes/latest/sunspa
2. Make sure the ikeyman.sh file has execute privileges.
3. Start the ikeyman.sh utility.
The ikeyman.sh utility requires a graphical interface. If you run it in a text-only
terminal, be sure to redirect the display to an X Window session.
4. Click the Add button.
5. In the "Add CAs certificate from a File" dialog box, do the following:
a. Verify that Base64-encoded ASCII data is selected as the "Data type".
b. Set the Certificate file name to the name of the text file (for example,
CA.txt) into which you copied the certificate.
c. Set the Location to the location to which you transferred the CA.txt file in
the previous procedure (for example, /local/notes/data).
d. Click OK.
6. Close IKeyMan after the file is imported successfully.
Importing an SSL certificate on IBM i:
To enable SSL between IBM Lotus Sametime running on IBM i, import the IBM
Lotus Domino server's SSL certificate into the keystore.
Before you begin
Make sure you have copied one of the following certificates from the server into
the Lotus Sametime server's data directory:
v CA.txt (the trusted root certificate)
v Server.txt (the SSL server certificate)
About this task
Follow the steps below to import the SSL certificate into the keystore on the Lotus
Sametime server:
Procedure
1. From an IBM i command line, run the following command to start qshell:
strqsh
2. From qshell, run the following keytool command:
keytool -import -alias certificate_name
-file certificate_filename
-storepass keystore_password
-keystore keystore_path_and_filename
Where:
v certificate_name is CA.txt
v certificate_filename is also CA.txt
v keystore_password is "sametime."
Note: On IBM i versions of Sametime, stkeys.jks is provided by default and
uses "sametime" as the default password
v keystore_path_and_filename is stserver/data/stkeys.jks
Example:
keytool -import -alias stserver1cert
-file /stserver/data/CA.txt
-storepass sametime
-keystore /stserver/data/stkeys.jks
3. After you have imported the certificate, use the following command to view
the list of certificates in the stkeys.jks file and verify that the certificate was
imported successfully:
keytool -list -storepass keystore_password
-keystore keystore_path_and_filename
Example:
keytool -list -storepass sametime
-keystore /stserver/data/stkeys.jks
4. Press F3 to exit qshell.
Importing an SSL certificate on Windows:
To enable SSL between IBM Lotus Sametime running on Microsoft Windows,
import the IBM Lotus Domino server's SSL certificate into the keystore.
Before you begin
Make sure you have copied one of the following certificates from the server into
the Lotus Sametime server's data directory:
v CA.txt (the trusted root certificate)
v Server.txt (the SSL server certificate)
About this task
Follow the steps below to import the SSL certificate into the keystore on the Lotus
Sametime server:
Procedure
1. Open a command prompt and navigate to the Sametime_install_root\IBM\
gsk6\bin directory.
The default installation path for Lotus Sametime is C:\Lotus\Domino.
2. Start the IKeyMan utility by running the gsk6ikm.exe program.
3. Browse to and select the stkeys.jks key store file.
4. Enter the password required to access this file.
5. In the "Key database content" area, select Signer certificates.
6. Click the Add button.
7. In the "Add CAs certificate from a File" dialog box, do the following:
a. Verify that Base64-encoded ASCII data is selected as the "Data type".
b. Browse to and select the SSL certificate you want to import.
c. Click OK.
8. In the "Enter a Label" dialog box, do the following:
a. Type a label for the certificate.
This label identifies the certificate in the Signer Certificates list of the IBM
IKeyMan program.
b. Click OK.
The new certificate's label appears in the list of Signer Certificates.
9. Close the stkeys.jks keystore file.
10. Close the IKeyMan utility.
Modifying the Lotus Sametime server configuration for SSL:
Modify the configuration of the IBM Lotus Sametime server to encrypt connections
for Lotus Sametime servlets and the STPolicy.
About this task
Modify the Lotus Sametime server's configuration by making changes to the
sametime.ini file. The necessary changes vary with your operating system:
Modifying the Lotus Sametime configuration on AIX, Linux, Solaris:
Modify the IBM Lotus Sametime server's sametime.ini file on IBM AIX, Linux, or
Solaris to support Secure Socket Layer (SSL) encryption.
About this task
To modify the Lotus Sametime configuration, complete the following steps:
Procedure
1. Stop the Lotus Sametime server.
2. Use a text editor to open the sametime.ini file.
This is located in the Lotus Sametime installation directory.
3. Locate the ConfigurationPort= setting. Make sure that it specifies the port on
which the Lotus Domino HTTP server listens for SSL connections (by default,
this is port 443), modifying the setting if necessary.
For example:
ConfigurationPort=443
4. If these settings are not present in the [Config] section at the bottom of the
sametime.ini file, manually type them in:
[Config]
ConfigurationSSLEnabled=true
javax.net.ssl.keyStore=/local/notesdata/key.jks
javax.net.ssl.trustStore=/local/notesdata/key.jks
javax.net.ssl.keyStorePassword=keystore_password
javax.net.ssl.trustStorePassword=truststore_password
Note: Specify the complete path name of the key.jks file for both the
javax.net.ssl.keyStore and the javax.net.ssl.trustStore settings. Specify
the password that you provided for key.jks when you created it for both the
javax.net.ssl.keyStorePassword and javax.net.ssl.trustStorePassword
settings.
5. If these two lines appear in the sametime.ini file, remove them:
javax.net.ssl.trustStoreType=JKS
javax.net.ssl.keyStoreType=JKS
6. Save and close the sametime.ini file.
7. Restart the Lotus Sametime server.
Modifying the Lotus Sametime Configuration on IBM i:
Modify the IBM Lotus Sametime server's sametime.ini file on IBM i to support
Secure Socket Layer (SSL) encryption.
About this task
To modify the Sametime configuration for IBM i, complete the following steps:
Procedure
1. Stop the Lotus Sametime server.
2. Use a text editor to open the sametime.ini file.
This is located in the Lotus Sametime server's data directory.
3. Locate the ConfigurationPort= setting. Make sure that it specifies the port on
which the Lotus Domino HTTP server listens for SSL connections (by default,
this is port 443), modifying the setting if necessary.
For example:
ConfigurationPort=443
4. If these settings are not present in the [Config] section at the bottom of the
sametime.ini file, manually type them in:
[Config]
ConfigurationSSLEnabled=true
javax.net.ssl.keyStore=stkeys.jks
javax.net.ssl.trustStore=stkeys.jks
javax.net.ssl.keyStorePassword=sametime
javax.net.ssl.trustStorePassword=sametime
Note: By default, the password for the stkeys.jks file is "sametime." If you
change the password for stkeys.jks, you must change the setting of both
javax.net.ssl.keyStorePassword and javax.net.ssl.trustStorePassword to
match the new password. The full path for the stkeys.jks file is not needed for
the IBM i version of Sametime.
5. Save the sametime.ini file.
6. Restart the Lotus Sametime server.
Modifying the Lotus Sametime configuration on Windows:
Modify the IBM Lotus Sametime server's sametime.ini file on Microsoft Windows
to support Secure Socket Layer (SSL) encryption.
About this task
To modify the Sametime configuration for Windows, complete the following steps:
Procedure
1. Stop the Lotus Sametime server.
2. Use a text editor to open the sametime.ini file, which is located in the
Sametime server installation directory (for example: C:\Program Files\lotus\domino).
3. Verify that the "ConfigurationPort=" setting specifies the port on which the
Lotus Domino HTTP server listens for SSL connections (default port is 443).
For example:
ConfigurationPort=443
4. Verify that the [Config] section contains the following settings (or modify as
needed):
[Config]
ConfigurationSSLEnabled=true
javax.net.ssl.keyStore=c:\program files\lotus\domino\jvm\bin\stkeys.jks
javax.net.ssl.trustStore=c:\program files\lotus\domino\jvm\bin\stkeys.jks
javax.net.ssl.keyStorePassword=passw0rd
javax.net.ssl.trustStorePassword=passw0rd
Where:
• For the javax.net.ssl.keyStore and the javax.net.ssl.trustStore settings,
you specify the complete path name for the stkeys.jks file.
• For the javax.net.ssl.keyStorePassword and the
javax.net.ssl.trustStorePassword settings, you specify the password that
you provided for the stkeys.jks file when you created it.
5. Save and close the sametime.ini file.
6. Start the Lotus Sametime server.
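The three procedures above (AIX/Linux/Solaris, IBM i, Windows) all come down to the same handful of [Config] settings, and a typo in any of them is only discovered when the servlets fail to come up after the restart. The following checker is an added example, not part of the guide and not IBM code; it reads a sametime.ini, reports every deviation from the settings the procedures call for, and removes the two obsolete *StoreType lines that step 5 of the AIX/Linux/Solaris procedure says to delete. The embedded sample file is constructed for the example (the [Debug] placeholder key is made up), and the "sametime" default-password check only applies when you tell it the server is IBM i, since that is the default the guide documents for stkeys.jks there.

```python
"""Check the SSL settings that the guide's procedures put in sametime.ini [Config]."""
import re

OBSOLETE_KEYS = ("javax.net.ssl.trustStoreType", "javax.net.ssl.keyStoreType")
DEFAULT_IBM_I_PASSWORD = "sametime"  # documented default for stkeys.jks on IBM i

# Constructed sample, modelled on the guide's AIX/Linux/Solaris listing but
# deliberately wrong in several places so the checker has something to report.
SAMPLE_INI = """\
[Debug]
; constructed placeholder section, not a real sametime.ini key
EXAMPLE_FLAG=0

[Config]
ConfigurationPort=80
ConfigurationSSLEnabled=true
javax.net.ssl.keyStore=key.jks
javax.net.ssl.trustStore=/local/notesdata/key.jks
javax.net.ssl.keyStorePassword=keystore_password
javax.net.ssl.trustStorePassword=keystore_password
javax.net.ssl.trustStoreType=JKS
javax.net.ssl.keyStoreType=JKS
"""


def parse_ini(text):
    """Return {section: {key: value}}; later duplicates of a key win, as they do in the file."""
    sections, current = {}, None
    for raw in text.splitlines():
        line = raw.strip()
        if not line or line.startswith((";", "#")):
            continue
        m = re.match(r"^\[(.+)\]$", line)
        if m:
            current = m.group(1)
            sections.setdefault(current, {})
            continue
        if "=" in line and current is not None:
            key, _, value = line.partition("=")
            sections[current][key.strip()] = value.strip()
    return sections


def is_absolute(path):
    """POSIX absolute path or a Windows drive-letter path (c:\\... or c:/...)."""
    return path.startswith("/") or re.match(r"^[A-Za-z]:[\\/]", path) is not None


def check_ssl_config(text, ibm_i=False, https_port="443"):
    """Return a list of human-readable findings; an empty list means the [Config] section is as the guide describes."""
    findings = []
    cfg = parse_ini(text).get("Config", {})
    if cfg.get("ConfigurationPort") != https_port:
        findings.append(f"ConfigurationPort should be {https_port} (the Domino HTTP SSL port)")
    if cfg.get("ConfigurationSSLEnabled", "").lower() != "true":
        findings.append("ConfigurationSSLEnabled must be true")
    ks, ts = cfg.get("javax.net.ssl.keyStore"), cfg.get("javax.net.ssl.trustStore")
    if not ks or not ts:
        findings.append("javax.net.ssl.keyStore and javax.net.ssl.trustStore must both be set")
    else:
        if ks != ts:
            findings.append("keyStore and trustStore should point at the same .jks file")
        if not ibm_i and not is_absolute(ks):
            findings.append("keyStore must be a complete path name on AIX/Linux/Solaris/Windows")
    kp = cfg.get("javax.net.ssl.keyStorePassword")
    tp = cfg.get("javax.net.ssl.trustStorePassword")
    if kp != tp:
        findings.append("keyStorePassword and trustStorePassword must match")
    if ibm_i and kp == DEFAULT_IBM_I_PASSWORD:
        findings.append("stkeys.jks still uses the documented default password")
    for key in OBSOLETE_KEYS:
        if key in cfg:
            findings.append(f"remove obsolete line {key}=...")
    return findings


def strip_obsolete_lines(text):
    """Return the file text with the *StoreType lines removed (step 5 of the AIX/Linux/Solaris procedure)."""
    kept = [l for l in text.splitlines()
            if l.split("=", 1)[0].strip() not in OBSOLETE_KEYS]
    return "\n".join(kept) + "\n"


if __name__ == "__main__":
    for f in check_ssl_config(SAMPLE_INI):
        print("-", f)
```

Run it against the real file with `check_ssl_config(open(path).read(), ibm_i=...)` after step 4 and before the restart; the only finding that should remain on a correctly edited file is none at all.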
Tunneling through the firewall when SSL is enabled:
Configure an IBM Lotus Sametime server to allow clients to tunnel through a
firewall when SSL is enabled.
Before you begin
Lotus Sametime Connect clients communicate with the Lotus Sametime server by
directing messages to the HTTP server, which listens on port 80. When SSL is
enabled, port 443 is normally used for sending encrypted messages; however, the
Lotus Domino server (which hosts Lotus Sametime) is already listening on port 443
for encrypted Web-based communications. If Lotus Sametime Connect clients also
send messages to the HTTP server on port 443, a conflict arises.
You can work around this conflict by configuring clients to access the Lotus
Sametime server by tunneling to its Community Services multiplexer with an
HTTPS proxy. In this type of configuration, both the Lotus Sametime Community
Server and the Lotus Domino server listen for connections on port 443 – but they
use different addresses to avoid conflicts. You set up this type of connection by
assigning an additional IP address to the Lotus Sametime server, and then
configuring both the Community Services multiplexer and your clients to use that
address when communicating on port 443.
The following picture shows an example of this type of connection:
Restriction: This connection is not encrypted. In addition, clients using this
connection will not have access to the Meeting Server and the web server, so
Meeting services, as well as audio and video services, are not supported in this
configuration.
About this task
If you want to allow clients to tunnel to the Community Services multiplexer on
port 443 when SSL is enabled, complete the following tasks:
Binding the base DNS to the HTTP server:
Before assigning an additional IP address to an IBM Lotus Sametime server, avoid
potential conflicts by binding the server's base DNS to the HTTP server where it
listens for communications. This ensures that the IBM Lotus Domino server
hosting Lotus Sametime (and using this HTTP server) still receives all
communications intended for it.
About this task
Bind the server's base DNS to the HTTP server by completing the following steps:
Procedure
1. On the Lotus Sametime server, open the Sametime Administration Tool.
2. Click Configuration → Connectivity → Networks and Ports.
3. On the "Networks and Ports" page, click Configure HTTP services on a web
page in its own window.
The "HTTP" section of the Lotus Domino Directory's Server document opens in
a separate window.
4. Locate the Host name field.
5. Under the "Basics" heading, type the base DNS for the HTTP server (for
example: sametime1.acme.com).
6. Still in the same field, type a comma and the following IP address: 127.0.0.1
so it looks like this:
sametime1.acme.com,127.0.0.1
This additional entry is required for enabling the Sametime Administration Tool
to operate in this configuration.
7. Click the Save & Close button at the top of the Server document.
8. After the document closes, close the "Server-Servers" view of the Domino
Directory.
Adding a new IP address to the Lotus Sametime server:
Assign an additional IP address to an IBM Lotus Sametime server.
Before you begin
To add a new IP address to a Lotus Sametime server, you can either install an
additional Network Interface Card (NIC) or assign multiple IP addresses to a
single NIC. For additional information, see IBM Tech Note #1181387, "Forcing a
Sametime server with multiple NICs to bind to the correct IP address," at:
www.ibm.com/support/docview.wss?rs=899&uid=swg21181387
About this task
To assign multiple IP addresses to a single NIC on a server running Microsoft
Windows:
Procedure
1. Open the Windows Control Panel.
2. Click the Protocols tab.
3. Click TCP/IP Protocols → Properties → Specify an IP Address.
4. Click the Advanced tab.
5. Use the "Advanced IP Addressing" page to assign multiple IP addresses to a
single NIC.
6. Save your changes and close all of the dialog boxes.
Mapping the IP address and DNS for Community Services:
Configure an IBM Lotus Sametime server to map an IP address to the specific DNS
and port used by Lotus Sametime Community Services.
Before you begin
You must have already assigned the IP address to the Lotus Sametime server.
Procedure
Set up your DNS server to map the new IP address to a new DNS name for the
Lotus Sametime server's Community Services.
To avoid confusion, it is recommended that your new DNS for the Community
Services use the old DNS name plus "community-" as a prefix. For example, if your
base DNS for the server is sametime1.example.com, use the following name for the
new DNS:
community-sametime1.example.com
Configuring HTTPS tunneling settings for clients using port 443:
Configure the IBM Lotus Sametime Community Services to listen for client
communications using the new DNS and port 443.
Before you begin
You must have already assigned an additional IP address to the Lotus Sametime
server, then mapped a new DNS to it for use by the Community Services.
Procedure
1. On the Lotus Sametime server, open the Sametime Administration Tool.
2. Click Configuration → Connectivity → Networks and Ports.
3. On the "Networks and Ports" page, click Community Services Network →
Address for HTTPS-tunneled client connections and fill in the following
fields:
Host name
    community-base_DNS
    For example, if your base DNS for the server is sametime1.example.com,
    type the following name for the new DNS: community-sametime1.example.com
Port
    443
4. Restart the Lotus Sametime and Lotus Domino servers.
5. Close the Sametime Administration Tool.
Results
With this configuration, the Lotus Sametime Community Services multiplexer will
listen for HTTPS-tunneled connections using host name
community-sametime1.example.com on port 443.
Connecting clients to the new Community Services DNS:
Configure an IBM Lotus Sametime Connect client to communicate with a Lotus
Sametime server that is listening for HTTPS connections using the host name
(DNS) and port that you specified in the HTTPS tunneling settings for the server.
About this task
Every Lotus Sametime Connect client located outside of the firewall requires this
configuration to tunnel through the firewall to the Lotus Sametime Community
Services.
Procedure
For each Lotus Sametime Connect client, configure the following settings in the
"Sametime Connectivity" tab:
Host
    Type the new DNS that you mapped to the IP address that will be used for
    the Community Server. For example, if your base DNS for the server is
    sametime1.example.com, it was recommended that you use the following name
    for the new DNS: community-sametime1.example.com. That is the name you
    should type here.
Community port
    443
Use proxy
    Select this setting.
Use HTTPS proxy, Host name, Port
    Select this setting and enter the host name
    (community-sametime1.example.com) and port (443) on which the Lotus
    Sametime Connect clients connect to the HTTPS proxy.
Enabling encryption between Lotus Sametime and the LDAP server:
Configure SSL encryption between an IBM Lotus Sametime server and an LDAP
server by enabling the LDAPS protocol.
About this task
When you enable this protocol, you can choose whether to encrypt only the data
used for authenticating users in Lotus Sametime, or to encrypt all data that is
transmitted between the two servers.
Note: If you are using an IBM Lotus Domino Directory and it is not configured as
an LDAP directory, this section does not apply to you. You can skip these
procedures.
Enabling SSL encryption for an LDAP server involves the following tasks:
Enabling SSL on the LDAP server:
You must enable SSL on your LDAP server before you can configure the IBM
Lotus Sametime server to encrypt its communications with the LDAP directory.
About this task
Note: If you are using a Domino Directory and Lotus Sametime is not configured
with an LDAP directory, this section does not apply to you and you should skip
these procedures.
The procedure for enabling SSL depends on the LDAP directory that you use:
Setting up a Lotus Domino LDAP directory to use SSL:
You must enable the IBM Lotus Domino server's LDAP component to support SSL
before you can configure the IBM Lotus Sametime server to encrypt its
communications with the Lotus Domino LDAP Server.
About this task
Follow these steps in the Lotus Domino Administrator information center to set up
a Lotus Domino server to support SSL for LDAP connections:
Setting up SSL on a Domino server
Enabling third-party LDAP servers to use SSL:
You must enable the LDAP server to support SSL before you can configure the
IBM Lotus Sametime server to encrypt communications to the LDAP directory
hosted on that server.
About this task
Refer to the documentation provided by the LDAP directory's vendor for
instructions on enabling SSL.
Using SSL to encrypt connections between the Sametime and LDAP servers:
When Sametime is configured to connect to an LDAP server, the Sametime server
makes five separate connections to the LDAP server.
About this task
Sametime makes a separate connection to the LDAP server to perform each of
these five tasks:
• Authenticate users
• Resolve a user name to a distinguished name as part of the login procedure
• Resolve user and group names (for example, as a response to an "Add Person or
Group" request from a Sametime Connect client)
• Browse the directory
• Get the content of public groups
The Sametime and LDAP servers exchange directory information, including user
names and passwords, over these connections. To ensure this information is secure,
the administrator can use SSL to encrypt the data that passes over these
connections. The administrator should consider the level of protection required
before enabling SSL. Using SSL to encrypt these connections can slow the server
performance. The administrator has the following options when using SSL to
encrypt the data transmitted between the Sametime and LDAP servers:
• Encrypt all data - This option encrypts all directory information (both user
names and passwords) that is transmitted between the Sametime server and the
LDAP server. If you encrypt all data, all five connections between the Sametime
server and LDAP server are encrypted with SSL. This option provides the most
security but also has the greatest effect on server performance.
• Encrypt only user passwords - This option encrypts passwords but not other
directory information (such as user names) passing over the connections
between the Sametime and LDAP servers. If you encrypt only user passwords,
only the "authenticating users" connection between the Sametime server and the
LDAP server is encrypted with SSL. This option provides an intermediate level
of security and has less effect on server performance than encrypting all of the
data.
• Encrypt no data - This option allows all directory information and passwords to
pass unencrypted between the Sametime and LDAP servers. This option does
not affect server performance and should be used only if the administrator is
confident that there is no chance that an unauthorized user can intercept
information transmitted over the connections between the Sametime and LDAP
servers.
• Using SSL to encrypt connections between the Sametime servlet and LDAP
• Ensuring the Sametime server trusts the LDAP server certificate on Windows
and AIX/Solaris/Linux servers
Note: If you are encrypting connections between an AIX version of the Sametime
server and an LDAP directory, xlC.aix50.rte must be 6.0.0.3 (or higher).
Setting up a keystore for the SSL certificate used by the LDAP server:
On IBM AIX, Linux, Microsoft Windows, and Sun Solaris, install the GSKit
program and the IBM IKeyMan utility so you can store a copy of the LDAP
server's SSL certificate. On IBM i, install the DCM (Digital Certificate Manager)
program instead.
About this task
The Lotus Sametime server must store a copy of LDAP Server's SSL trusted
certificate to complete the SSL handshake when making an SSL connection to that
LDAP server. Before you can import the SSL certificate from the LDAP Server, you
will use the GSKit program and IKeyMan utility (the DCM program on IBM i) to
create a keystore file on the Lotus Sametime server for storing the certificate.
Note: You only need to install these programs once. If you have already installed
these programs during an earlier procedure, you can skip this task.
The instructions for installing GSKit and IKeyMan, or DCM, vary according to
your server's operating system. Use the instructions in the appropriate topic:
Installing and setting up Digital Certificate Manager on IBM i:
Install and set up the DCM (Digital Certificate Manager) program on an IBM i
server hosting IBM Lotus Sametime, and ensure that Lotus Sametime trusts the
LDAP server's SSL certificate.
About this task
Set up DCM and ensure that Lotus Sametime trusts the LDAP server by
completing the following tasks:
Installing Digital Certificate Manager:
Install the DCM (Digital Certificate Manager) program on an IBM i server that
hosts IBM Lotus Sametime.
About this task
On IBM i, SSL certificates are managed using the integrated DCM program. You
must install and set up DCM before you can establish SSL encryption for
communications between the IBM i server's LDAP client and the deployment's
LDAP server. All of the following software must be installed on the IBM i server
where your Lotus Sametime server is located:
• 5722-SS1 Option 34, Digital Certificate Manager
• 5722-DG1, IBM HTTP Server
• 5722-AC3, Crypto Access Provider 128-bit
If you need more detailed information about setting up and using DCM in order to
complete the steps in this section, see the IBM i information center at:
www.ibm.com/as400/infocenter
After selecting the appropriate IBM i release and your preferred language, select
the "Digital Certificate Manager" topic in the "Security" section.
Ensuring that the LDAP client trusts the LDAP server's certificate:
Ensure that the IBM i LDAP client trusts the SSL certificate used by the LDAP
server with which it communicates.
About this task
IBM Lotus Sametime for IBM i uses the LDAP client included with the IBM
Directory Server that is installed as part of the IBM i operating system. Enable the
LDAP client to trust the LDAP server by importing the server's SSL certificate into
the store on the client (the IBM i server) and then adding the Certificate Authority
to the trust list.
Procedure
1. Use the DCM (Digital Certificate Manager) program to determine whether the
CA Certificate that signed the LDAP directory server's certificate is already
included in the DCM *SYSTEM certificate store.
Well-known public Internet Certificate Authorities (CA) that most web
browsers can recognize readily, such as VeriSign, are already included in the
DCM. If the appropriate CA is included in the certificate store, you have
finished this task; skip the remaining steps.
If the CA used by your LDAP server's certificate does not appear in the DCM
*SYSTEM certificate store, import it now by completing the remaining steps in
this procedure.
2. Import the LDAP directory server's certificate into the DCM *SYSTEM
certificate store.
3. Use DCM to add the CA Certificate to the trust list of the IBM Directory Server
LDAP client application.
The application ID is QIBM_GLD_DIRSRV_CLIENT.
Ensuring that Lotus Sametime has access to the *SYSTEM certificate store:
Assign IBM Lotus Sametime access to the IBM i *SYSTEM certificate store.
About this task
Lotus Sametime must be able to access certificates located in the DCM *SYSTEM
certificate store when connecting to an LDAP server using SSL. The DCM
*SYSTEM certificate store is located in the /qibm/userdata/icss/cert/server
directory on an IBM i server.
QNOTES is an IBM i user profile created by IBM Lotus Domino and used by Lotus
Sametime. By default, the QNOTES user profile does not have access to the DCM
*SYSTEM certificate store or the /qibm/userdata/icss/cert/server directory,
although the higher level directories usually have *PUBLIC *RX authority which
allows QNOTES to access those directories.
Provide Lotus Sametime with access to the *SYSTEM certificate store by
completing the following step:
Procedure
1. Run the following command from any IBM i command line to view the
contents of the /qibm/userdata/icss/cert/server directory and verify the
name of the certificate store:
WRKLNK '/QIBM/USERDATA/ICSS/CERT/Server/*'
By default, the certificate store is named default.kdb and uses "sametime" as
the password.
2. Run the following commands from any IBM i command line to ensure
QNOTES has the necessary authority to the DCM *SYSTEM certificate store
and associated directory:
CHGAUT OBJ('/QIBM/USERDATA/ICSS/CERT/Server') USER(QNOTES) DTAAUT(*RX)
CHGAUT OBJ('/QIBM/USERDATA/ICSS/CERT/Server/DEFAULT.RDB') USER(QNOTES) DTAAUT(*RX)
CHGAUT OBJ('/QIBM/USERDATA/ICSS/CERT/Server/DEFAULT.KDB') USER(QNOTES) DTAAUT(*RX)
In this example:
• QNOTES is the user receiving access
• default.kdb is the name of the certificate store
Setting up GSKit, IKeyMan, and the key database on AIX, Linux, Solaris, Windows:
Install the GSKit program and the IBM IKeyMan utility on IBM AIX, Linux,
Microsoft Windows, or Solaris and then use IKeyMan to create a key database for
storing the LDAP server's SSL certificate.
About this task
Install the programs and create the key database by completing the following
tasks:
Installing GSKit and IKeyMan:
Install the GSKit program and the IBM IKeyMan utility on IBM AIX, Linux,
Microsoft Windows, or Solaris.
About this task
Install GSKit and IKeyMan by following the steps in the appropriate topic for your
operating system:
Installing GSKit and IKeyMan on AIX:
Install the GSKit with the IKeyMan utility on an IBM Lotus Sametime server that
runs on IBM AIX.
About this task
IBM Lotus Domino also ships with a version of GSKit, but for this task you must
use the version included with Lotus Sametime.
To install GSKit and IKeyMan on AIX, follow the steps below:
Procedure
1. Log on to the Lotus Sametime server as the root user.
2. Stop the Lotus Domino and Lotus Sametime server.
3. Download the GSKit directory to a temporary location on the server.
Open this release's Download document at the following web address:
http://www.ibm.com/support/docview.wss?rs=477&uid=swg24027054
4. Navigate to your server's copy of the GSKit directory and open a command
prompt.
5. Install GSKit using the System Management Interface Tool (SMIT) utility to
install the gskak.rte package.
The package name is "version AIX Certificate and SSL Base ACME Runtime
Toolkit".
6. Use a text editor to add com.ibm.spi.IBMCMSProvider to the list of providers in
the java.security file as follows:
a. Navigate to the /opt/ibm/lotus/notes/latest/ibmpow/ibm-jre/jre/lib/
security directory.
b. Open the java.security file.
c. In the java.security file, add the following statement to the list of
security providers as shown:
security.provider.5=com.ibm.spi.IBMCMSProvider
The example below illustrates this line added to the java.security file (notice
that the preference numbers must be in sequence):
#
security.provider.1=com.ibm.jsse.IBMJSSEProvider
security.provider.2=com.ibm.crypto.provider.IBMJCE
security.provider.3=com.ibm.security.jgss.IBMJGSSProvider
security.provider.4=com.ibm.security.cert.IBMCertPath
security.provider.5=com.ibm.spi.IBMCMSProvider
#
d. Save and close the file.
7. Navigate to the /opt/ibm/lotus/notes/latest/ibmpow/ibm-jre/jre/lib/ext
directory, and delete the gskikm.jar file.
8. Set the JAVA_HOME environment variable to the Java VM installed under the
Lotus Sametime binaries directory:
JAVA_HOME=/opt/ibm/lotus/notes/latest/ibmpow/ibm-jre/
export JAVA_HOME
Installing GSKit and IKeyMan on Linux:
Install the GSKit with the IKeyMan utility on an IBM Lotus Sametime server that
runs on Linux.
About this task
IBM Lotus Domino also ships with a version of GSKit, but for this task you must
use the version included with Lotus Sametime.
To install GSKit and IKeyMan on Linux, follow the steps below:
Procedure
1. Log on to the Lotus Sametime server as the root user.
2. Stop the Lotus Domino and Lotus Sametime server.
3. Download the GSKit directory to a temporary location on the server.
Open this release's Download document at the following web address:
http://www.ibm.com/support/docview.wss?rs=477&uid=swg24027054
4. Navigate to your server's copy of the GSKit directory and open a command
prompt.
5. Install the GSkit RPM.
Note: The examples show release 7 of GSKit, but this program is periodically
updated in the Lotus Sametime kits, so you may find that a newer version of
GSKit was installed on your server.
For example:
rpm -i gsk7bas-7.0-3.31.i386.rpm
6. Edit the java.security file as follows:
a. Navigate to the /opt/ibm/lotus/notes/latest/linux/ibm-jre/jre/lib/
security/ directory.
b. Open the java.security file.
c. Use a text editor to add com.ibm.spi.IBMCMSProvider to the list of providers
in the java.security file as follows:
security.provider.5=com.ibm.spi.IBMCMSProvider
The example below illustrates this line added to the java.security file (notice
that the preference numbers must be in sequence):
#
security.provider.1=com.ibm.jsse.IBMJSSEProvider
security.provider.2=com.ibm.crypto.provider.IBMJCE
security.provider.3=com.ibm.security.jgss.IBMJGSSProvider
security.provider.4=com.ibm.security.cert.IBMCertPath
security.provider.5=com.ibm.spi.IBMCMSProvider
#
d. Save and close the file.
7. Set the JAVA_HOME environment variable to the Java VM installed under the
Lotus Sametime binaries directory:
JAVA_HOME=/opt/ibm/lotus/notes/latest/linux/ibm-jre/jre
export JAVA_HOME
Installing GSKit and IKeyMan on Solaris:
Install the GSKit with the IKeyMan utility on an IBM Lotus Sametime server that
runs on Solaris.
About this task
IBM Lotus Domino also ships with a version of GSKit, but for this task you must
use the version included with Lotus Sametime.
To install GSKit and IKeyMan on Solaris, follow the steps below:
Procedure
1. Log on to the Lotus Sametime server as the root user.
2. Stop the Lotus Domino and Lotus Sametime server.
3. Download the GSKit directory to a temporary location on the server.
Open this release's Download document at the following web address:
http://www.ibm.com/support/docview.wss?rs=477&uid=swg24027054
4. Navigate to your server's copy of the GSKit directory and open a command
prompt.
5. Install GSKit as follows:
Note: The examples show release 6 of GSKit, but this program is periodically
updated in the Lotus Sametime kits, so you may find that a newer version of
GSKit was installed on your server.
a. Uncompress and untar the gsk6bas.tar.Z file.
b. Use one of the following methods to install GSKit:
• Use the admintool application.
• Use the pkgadd command; for example:
pkgadd -d /var/spool/pkg gsk6bas
6. Use a text editor to add com.ibm.spi.IBMCMSProvider to the list of providers in
the java.security file as follows:
a. Navigate to the /opt/ibm/lotus/notes/latest/sunspa/ibm-jre/jre/lib/
security/ directory.
b. Open the java.security file.
c. In the java.security file, add the following statement to the list of
security providers as shown:
security.provider.5=com.ibm.spi.IBMCMSProvider
The example below illustrates this line added to the java.security file (notice
that the preference numbers must be in sequence):
#
security.provider.1=com.ibm.jsse.IBMJSSEProvider
security.provider.2=com.ibm.crypto.provider.IBMJCE
security.provider.3=com.ibm.security.jgss.IBMJGSSProvider
security.provider.4=com.ibm.security.cert.IBMCertPath
security.provider.5=com.ibm.spi.IBMCMSProvider
#
d. Save and close the file.
7. Navigate to the /opt/ibm/lotus/notes/latest/sunspa/ibm-jre/jre/lib/ext
directory, and delete the gskikm.jar file.
8. Set the JAVA_HOME environment variable to the java VM installed under the
Lotus Sametime binaries directory:
JAVA_HOME=/opt/ibm/lotus/notes/latest/sunspa/ibm-jre/
export JAVA_HOME
Installing GSKit and IKeyMan on Windows:
Install the GSKit with the IKeyMan utility on an IBM Lotus Sametime server that
runs on Windows.
About this task
IBM Lotus Domino also ships with a version of GSKit, but for this task you must
use the version included with Lotus Sametime.
To install GSKit and IKeyMan on Microsoft Windows, follow the steps below:
Procedure
1. Log on to the Lotus Sametime server as the Windows administrator.
2. Stop the Lotus Domino and Lotus Sametime server.
3. Download the GSKit directory to a temporary location on the server.
Open this release's Download document at the following web address:
http://www.ibm.com/support/docview.wss?rs=477&uid=swg24027054
4. Run gsk7bas.exe to extract the GSKit to a path that you supply.
5. Open a command prompt and navigate to the path of the GSKit directory
6. Install GSKit and IKeyMan by running the following command:
setup.exe GSKit Sametime_install_root -s -f1setup.iss
For example:
setup.exe GSKit C:\Program Files\Lotus\Domino -s -f1setup.iss
This command performs a silent installation of the IKeyMan program into the
Lotus Sametime installation directory.
7. Verify that the installation is successful:
Note: The examples show release 7 of GSKit, but this program is periodically
updated in the Lotus Sametime kits, so you may find that a newer version of
GSKit was installed on your server.
a. Verify that a folder called ibm\gsk7 now exists under the Lotus Sametime
installation directory.
b. Verify that the HKLM\Software\ibm\gsk7 registry key has been created on
the server.
8. Set the JAVA_HOME environment variable to the Java VM installed under the
Lotus Sametime binaries directory:
a. From the Windows desktop, right click on the My Computer icon and
select System Properties.
b. In the "System Properties" dialog box, select the Advanced tab.
c. Click the Environment Variables button.
d. In the "New System Variable" dialog box, click the New button under the
"System Variables" list, and enter the following information:
Table 33. Defining the new JAVA_HOME environment variable
Variable name
    JAVA_HOME
Variable value
    Sametime_install_root\ibm-jre\jre
    For example: C:\Lotus\Sametime\ibm-jre\jre
e. Click OK to close the "New System Variable" dialog box.
f. Click OK to close the "Environment Variables" dialog box.
g. Click OK to close the "System Properties" dialog box.
9. Use a text editor to add com.ibm.spi.IBMCMSProvider to the list of providers
in the java.security file as follows:
a. Navigate to the Sametime_install_root\ibm-jre\jre\lib\security
directory.
For example:
C:\Program Files\Lotus\Domino\ibm-jre\jre\lib\security
b. Open the java.security file.
c. In the java.security file, add the following statement to the list of
security providers as shown:
security.provider.6=com.ibm.spi.IBMCMSProvider
The example below illustrates this line added to the java.security file
(notice that the preference numbers must be in sequence):
#
# List of providers and their preference orders (see above)
#
security.provider.1=com.ibm.jsse.IBMJSSEProvider
security.provider.2=com.ibm.crypto.provider.IBMJCE
security.provider.3=com.ibm.security.jgss.IBMJGSSProvider
security.provider.4=com.ibm.security.cert.IBMCertPath
security.provider.5=com.ibm.spi.IBMCMSProvider
#
10. Navigate to the Sametime_install_root\ibm-jre\jre\lib\ext directory, and
delete the gskikm.jar file.
For example:
C:\Program Files\Lotus\Domino\ibm-jre\jre\lib\ext\gskikm.jar
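Every platform variant of this task (AIX, Linux, Solaris, Windows) ends with the same manual edit of java.security, and the guide stresses that the security.provider.N numbers must stay in sequence: a gap or a duplicate number means the CMS provider is silently not loaded and IKeyMan cannot offer the CMS key database type later on. The script below is an added example, not part of the guide and not IBM's tooling; it parses a java.security file, verifies the provider numbering, and appends com.ibm.spi.IBMCMSProvider with the next free number, doing nothing if it is already present. The sample file content is constructed to match the four-provider listing shown in the procedures above.

```python
"""Add com.ibm.spi.IBMCMSProvider to a java.security provider list, keeping numbers in sequence."""
import re

CMS_PROVIDER = "com.ibm.spi.IBMCMSProvider"
PROVIDER_RE = re.compile(r"^security\.provider\.(\d+)\s*=\s*(\S+)\s*$")

# Constructed sample modelled on the provider list shown in the guide.
SAMPLE_JAVA_SECURITY = """\
#
# List of providers and their preference orders (see above)
#
security.provider.1=com.ibm.jsse.IBMJSSEProvider
security.provider.2=com.ibm.crypto.provider.IBMJCE
security.provider.3=com.ibm.security.jgss.IBMJGSSProvider
security.provider.4=com.ibm.security.cert.IBMCertPath
#
"""


def providers(text):
    """Return [(number, class_name)] for every security.provider.N line, in file order."""
    out = []
    for line in text.splitlines():
        m = PROVIDER_RE.match(line.strip())
        if m:
            out.append((int(m.group(1)), m.group(2)))
    return out


def in_sequence(text):
    """True when the provider numbers are exactly 1..N with no gaps or duplicates."""
    nums = [n for n, _ in providers(text)]
    return sorted(nums) == list(range(1, len(nums) + 1))


def add_cms_provider(text):
    """Insert the CMS provider directly after the last provider line with the next free number.

    Idempotent: the text is returned unchanged if the provider is already listed.
    Refuses to edit a file whose numbering is already broken, so the problem is
    fixed by hand rather than hidden behind one more line.
    """
    if any(cls == CMS_PROVIDER for _, cls in providers(text)):
        return text
    if not in_sequence(text):
        raise ValueError("existing provider numbers are not in sequence; fix them first")
    lines = text.splitlines()
    idx = [i for i, l in enumerate(lines) if PROVIDER_RE.match(l.strip())]
    next_num = len(idx) + 1
    insert_at = idx[-1] + 1 if idx else len(lines)
    lines.insert(insert_at, f"security.provider.{next_num}={CMS_PROVIDER}")
    return "\n".join(lines) + "\n"


if __name__ == "__main__":
    print(add_cms_provider(SAMPLE_JAVA_SECURITY))
```

To apply it to a real server, read Sametime_install_root/.../jre/lib/security/java.security into `text`, write `add_cms_provider(text)` back out, and keep a copy of the original; the in_sequence check is also a cheap thing to run after any future JVM update that rewrites the file.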
Creating a keystore database for the LDAP server's SSL certificate:
Use the IBM IKeyMan utility on IBM AIX, Linux, Microsoft Windows, or Sun
Solaris to create a key database on the IBM Lotus Sametime server; the key
database will store a copy of the LDAP server's SSL certificate.
Before you begin
Note: This procedure does not apply to IBM i because the keystore database is not
used by Lotus Sametime on IBM i.
The keystore database that you create for storing the LDAP server's SSL certificate
is different from the keystore file used for storing the Lotus Domino server's SSL
certificate and must use a different file name.
About this task
Create the keystore database by completing the following steps:
Procedure
1. Start the IBM IKeyMan utility:
a. Open a command prompt and navigate to the Sametime_install_root/IBM/
gsk6/bin directory.
The default installation path for Lotus Sametime is as follows:
• AIX: /local/notesdata
• Linux: /local/notesdata
• Solaris: /local/notesdata
• Windows: C:\Lotus\Domino
b. Run the gsk6ikm program.
2. From the IKeyMan utility's menu, click Key Database → File → New.
3. In the "New" dialog box, fill in the following fields and click OK:
Key database type: CMS key database file
Note: You will not be able to select the CMS key database unless you have added
com.ibm.spi.IBMCMSProvider to the java.security file, as you were instructed to
when you installed GSKit and IKeyMan.
File name: key.kdb
Note: If you enabled the HTTPS protocol, make sure that this keystore database's
file name is different from that file name, to avoid conflicts.
Location: Enter the path to the directory where the sametime.ini file is stored:
• AIX: /local/notesdata
• Linux: /local/notesdata
• Solaris: /local/notesdata
• Windows: C:\Lotus\Domino
4. In the "Password" dialog box, fill in the following fields and click OK:
Password: Enter the password you will use for accessing this keystore database.
Confirm password: Confirm the password by typing it again.
Stash the password to a file?: Click this option to enable it.
A message appears, indicating that the password is encrypted and saved in the
location Sametime_install_root/key.sth.
Importing a copy of the LDAP server's trusted root certificate:
Import a copy of the LDAP server's trusted root SSL certificate into the keystore
database on the IBM Lotus Sametime server to encrypt communications between
Lotus Sametime and the LDAP server.
Before you begin
When the key.kdb database is created, it contains several trusted root (or "signer")
certificates by default. If a trusted root certificate used by the LDAP server exists in
the key.kdb database by default, then you can skip this procedure.
If the key.kdb database does not contain an appropriate trusted root certificate by
default, you must obtain a trusted root certificate from the appropriate CA and
add it to the key.kdb database.
Make sure you have copied the trusted root certificate from the LDAP server into
the Lotus Sametime server's data directory. The data type should be
Base64-encoded ASCII. The file format can be .CER, .p12 or .txt.
About this task
The procedure for importing the trusted root certificate depends on your operating
system:
Importing a trusted root certificate on AIX, Linux, Solaris:
To enable SSL between IBM Lotus Sametime running on IBM AIX, Linux, or Solaris
and an LDAP server, import the server's trusted root certificate into the key
database.
Before you begin
Make sure you have copied the trusted root certificate from the LDAP server into
the Lotus Sametime server's data directory. The data type should be
Base64-encoded ASCII. The file format can be .CER, .p12 or .txt. You use this file
in step 6b.
About this task
Follow the steps below to import the SSL certificate into the key database on the
Lotus Sametime server:
Procedure
1. Verify that the ikeyman.sh file's SAMETIME_HOME variable specifies the
correct path for your server's installation directory, modifying it as needed.
The default installation directories for Lotus Sametime are as follows:
• AIX: /local/notes/data
• Linux: /local/notes/data
• Solaris: /local/notes/data
2. Make sure the ikeyman.sh file has execute privileges.
3. Start the ikeyman.sh utility.
The ikeyman.sh utility requires a graphical interface. If you run it in a text-only
terminal, be sure to redirect the display to an x-windows session.
4. Open the key.kdb file.
5. Click the Add button.
6. In the "Add CAs certificate from a File" dialog box, do the following:
a. Verify that Base64-encoded ASCII data is selected as the "Data type".
b. Set the Certificate file name to the name of the text file (for example,
CA.txt) into which you copied the certificate.
c. Set the Location to the location to which you transferred the CA.txt file in
the previous procedure (for example, /local/notes/data).
d. Click OK.
e. Type a label for the certificate.
This label identifies the certificate in the Signer Certificates list of the IBM
IKeyMan program.
f. Click OK.
7. Close IKeyMan after the file is imported successfully.
Importing a trusted root certificate on IBM i:
To enable SSL between IBM Lotus Sametime running on IBM i and an LDAP
server, import the server's trusted root certificate into the keystore file.
Before you begin
Make sure you have copied the trusted root certificate from the LDAP server into
the Lotus Sametime server's data directory. The data type should be
Base64-encoded ASCII. The file format can be .CER, .p12 or .txt.
About this task
Follow the steps below to import the SSL certificate into the keystore file on the
Lotus Sametime server:
Procedure
1. From an IBM i command line, run the following command to start qshell:
strqsh
2. From qshell, run the following keytool command:
keytool -import -alias certificate_name
-file certificate_filename
-storepass keystore_password
-keystore keystore_path_and_filename
Where:
• certificate_name is CA.txt
• certificate_filename is also CA.txt
• keystore_password is "sametime."
Note: On IBM i versions of Sametime, the keystore is called "stkeys.jks" and
uses "sametime" as the default password.
• keystore_path_and_filename is stserver/data/stkeys.jks
Example:
keytool -import -alias stserver1cert
-file /stserver/data/CA.txt
-storepass sametime
-keystore /stserver/data/stkeys.jks
3. After you have imported the certificate, use the following command to view
the list of certificates in the stkeys.jks file and verify that the certificate was
imported successfully:
keytool -list -storepass keystore_password
-keystore keystore_path_and_filename
Example:
keytool -list -storepass sametime
-keystore /stserver/data/stkeys.jks
4. Press F3 to exit qshell.
Importing a trusted root certificate on Windows:
To enable SSL between IBM Lotus Sametime running on Microsoft Windows and
an LDAP server, import the server's trusted root certificate into the key database.
Before you begin
Make sure you have copied the trusted root certificate from the LDAP server into
the Lotus Sametime server's data directory. The data type should be
Base64-encoded ASCII. The file format can be .CER, .p12 or .txt. You use this file
in step 7b.
About this task
Follow the steps below to import the SSL certificate into the key database on the
Lotus Sametime server:
Procedure
1. Open a command prompt and navigate to the Sametime_install_root\IBM\
gsk7\bin directory.
The default installation path for Lotus Sametime is C:\Lotus\Domino.
2. Start the IKeyMan utility by running the gsk7ikm.exe program.
3. Browse to and select the key.kdb key database.
4. Enter the password required to access this file.
5. In the "Key database content" area, select Signer certificates.
6. Click the Add button.
7. In the "Add CAs certificate from a File" dialog box, do the following:
a. Verify that Base64-encoded ASCII data is selected as the "Data type".
b. Set the Certificate file name to the name of the text file (for example,
CA.txt) into which you copied the certificate.
c. Set the Location to the location to which you transferred the CA.txt file in
the previous procedure (for example, C:\Lotus\Domino).
d. Click OK.
8. In the "Enter a Label" dialog box, do the following:
a. Type a label for the certificate.
This label identifies the certificate in the Signer Certificates list of the IBM
IKeyMan program.
b. Click OK.
The new certificate's label appears in the list of Signer Certificates.
9. Close the key database.
10. Close the IKeyMan utility.
Configuring Directory Assistance for SSL:
Modifying the IBM Lotus Domino Directory Assistance document is required when
you use SSL to encrypt data transmitted between the IBM Lotus Sametime and the
LDAP server.
About this task
In this procedure, you modify the Directory Assistance document for the LDAP
server to ensure that the connection between the Sametime server and the LDAP
server is encrypted using SSL.
Procedure
1. From a Lotus Notes client, open the Directory Assistance database da.nsf.
a. Click File → Database → Open.
b. For the Server, select Local.
c. Select the Directory Assistance database (da.nsf).
d. Click Open.
2. In the Directory Assistance database, double-click the Directory Assistance
document for the LDAP server to open the document.
3. Click Edit Directory Assistance.
4. Next, click the Basics tab.
5. In the Make this domain available to: field, select Notes Clients & Internet
Authentication/Authorization.
6. Now click the LDAP tab.
7. Fill in the following fields:
Channel encryption: Select SSL.
Port: Specify the same port that appears in the LDAP SSL port field of the "LDAP
Directory - Connectivity" options in the Sametime Administration Tool. This port
is the one on which the LDAP server listens for SSL connections; the default is
port 636.
Accept expired SSL certificates: Select Yes (the default setting) to accept a
certificate from the LDAP directory server, even if the certificate has expired.
For tighter security, select No to require the Sametime server to check
certificate expiration dates. If the certificate presented by the LDAP server
has expired, the connection is terminated.
SSL protocol version: Select the version number of the SSL protocol to use. The
choices are:
• V2.0 only - This setting allows only SSL 2.0 connections.
• V3.0 handshake - This setting attempts an SSL 3.0 connection. If this
connection attempt fails but Sametime detects that SSL 2.0 is available on the
LDAP server, Sametime attempts the connection using SSL 2.0.
• V3.0 only - This setting allows only SSL 3.0 connections.
• V3.0 and V2.0 handshake - This setting attempts an SSL 3.0 connection, but
starts with an SSL 2.0 handshake that displays relevant error messages. This
setting is used to receive V2.0 error messages when trying to connect to the
LDAP server. These error messages might provide information about any
compatibility problems found during the connection.
• Negotiated - This setting allows SSL to determine the handshake and protocol
version required.
Verify server name with remote server's certificate: Select Enabled (the
default setting) to verify the server name with the remote server's certificate.
If Enabled is selected, the Sametime server verifies the name of the LDAP server
with the remote server's certificate. If the names do not match, the connection
is terminated. For more relaxed security, select Disabled (the server name is
not verified with the certificate).
8. Click Save and Close to close the Directory Assistance document.
9. Close the Directory Assistance database.
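The two checks that the "Accept expired SSL certificates" and "Verify server name with remote server's certificate" settings switch on or off, modelled in Python as an added example (not code from this guide or from IBM). No LDAP connection is opened; a constructed description of the LDAP server's certificate is evaluated against the Directory Assistance settings so that the outcome of each combination is visible. Only DNS names are matched, so an LDAP server addressed by IP address counts as a name mismatch in this model.

```python
"""Model of the certificate checks selected on the Directory Assistance LDAP tab.

Added example; not code from the Sametime guide or from IBM.  The certificate
below is constructed and the hostname matching is the usual rule that a '*'
stands for exactly one leftmost label.
"""
from dataclasses import dataclass
from datetime import datetime, timezone
from typing import List, Tuple


@dataclass
class LdapServerCert:
    subject_cn: str
    san_dns: List[str]
    not_after: datetime


@dataclass
class DirectoryAssistanceSsl:
    """The LDAP-tab settings from the table above, with the guide's defaults."""
    accept_expired_certificates: bool = True   # "Yes" is the default
    verify_server_name: bool = True            # "Enabled" is the default
    ssl_protocol_version: str = "Negotiated"


# Choices for which the guide says SSL 2.0 is used or fallen back to.
SSL2_POSSIBLE = {"V2.0 only", "V3.0 handshake", "V3.0 and V2.0 handshake"}

# Constructed sample: a certificate for ldap.example.com that expired mid 2010,
# evaluated at a constructed "now" of 1 October 2010.
EXPIRED_LDAP_CERT = LdapServerCert(
    subject_cn="ldap.example.com",
    san_dns=["ldap.example.com", "*.example.com"],
    not_after=datetime(2010, 6, 30, tzinfo=timezone.utc),
)
CHECK_TIME = datetime(2010, 10, 1, tzinfo=timezone.utc)


def hostname_matches(pattern: str, hostname: str) -> bool:
    """Exact match, or a '*' standing for exactly one leftmost label."""
    pattern = pattern.lower().rstrip(".")
    hostname = hostname.lower().rstrip(".")
    if pattern == hostname:
        return True
    if pattern.startswith("*."):
        suffix = pattern[1:]                 # ".example.com"
        if not hostname.endswith(suffix):
            return False
        head = hostname[: -len(suffix)]      # the part the '*' stands for
        return head != "" and "." not in head
    return False


def connection_allowed(cert: LdapServerCert, ldap_host: str,
                       settings: DirectoryAssistanceSsl,
                       now: datetime) -> Tuple[bool, List[str]]:
    """Return (allowed, reasons the connection would be terminated)."""
    reasons = []
    if now > cert.not_after and not settings.accept_expired_certificates:
        reasons.append("certificate expired on %s" % cert.not_after.date())
    if settings.verify_server_name:
        # Subject Alternative Names take precedence; the CN is only a fallback.
        names = cert.san_dns or [cert.subject_cn]
        if not any(hostname_matches(n, ldap_host) for n in names):
            reasons.append("server name %r not in certificate names %s"
                           % (ldap_host, names))
    return (not reasons, reasons)


def relaxed_settings(settings: DirectoryAssistanceSsl) -> List[str]:
    """List the settings that weaken the checks modelled above."""
    findings = []
    if settings.accept_expired_certificates:
        findings.append("expired LDAP certificates are accepted (set to No)")
    if not settings.verify_server_name:
        findings.append("server name is not checked against the certificate "
                        "(set to Enabled)")
    if settings.ssl_protocol_version in SSL2_POSSIBLE:
        findings.append("SSL 2.0 can be used (choose V3.0 only)")
    return findings


if __name__ == "__main__":
    for label, cfg in (("defaults", DirectoryAssistanceSsl()),
                       ("tightened", DirectoryAssistanceSsl(False, True, "V3.0 only"))):
        print(label, connection_allowed(EXPIRED_LDAP_CERT, "ldap.example.com", cfg, CHECK_TIME))
        print(label, "relaxed:", relaxed_settings(cfg))
```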
Connecting Lotus Sametime to the LDAP server:
Enable SSL encryption for connections between IBM Lotus Sametime and the
LDAP server.
Before you begin
The Sametime Community server must be running.
Procedure
1. Configure LDAP connectivity settings in the Sametime Administration Tool as
follows:
a. From the Lotus Sametime server's home page, click the Administer the
Server link to open the Sametime Administration Tool.
b. Click LDAP Directory → Connectivity.
c. In the Host name or IP address of the LDAP server list, select the name of
the LDAP server.
d. Click the option called Use SSL to authenticate and encrypt the connection
between the Sametime server and the LDAP server.
e. In the LDAP SSL port field, specify the port on which the LDAP server is
listening for SSL LDAP connections (the default is port 636).
f. Click Update.
g. Close the Sametime Administration Tool.
At this point, you have enabled SSL encryption for all data that is transmitted
between the Lotus Sametime server and the LDAP server.
2. (Optional) To improve performance, you may choose to loosen security and
encrypt only user credentials as follows:
a. Open the sametime.ini file (located in the Lotus Sametime installation
directory).
b. Locate the [Directory] section within the file.
c. Add the following setting:
ST_DB_LDAP_SSL_ONLY_FOR_PASSWORDS=1
d. Save and close the file.
3. Restart the Lotus Sametime server.
Encrypting the UserInfo servlet:
If your IBM Lotus Sametime deployment uses SSL encryption when
communicating with the LDAP server, you can additionally choose to encrypt the
UserInfo servlet.
About this task
This configuration is necessary to enable the Business Card feature when you have
chosen to encrypt all data transmitted between the Lotus Sametime server and the
LDAP server, where the Business Card data is stored.
Procedure
1. Open a command prompt and navigate to the following directory:
• IBM AIX, IBM i, Linux, Solaris: the Lotus Sametime server's data directory
• Windows: the Lotus Sametime server's installation directory
2. Open the UserInfoConfig.xml file in an editor and make the following changes:
a. Locate the <ReadStConfigUpdates> tag and set it to value="true". If this
statement is not in the file, you do not need to add it.
The statement should look like this:
<ReadStConfigUpdates value="true"/>
b. Locate the <StorageDetails> tag and set the following values:
SslEnabled="true"
SslPort="636"
Use the value of the port that your LDAP server listens on for SSL
communications (the default is port 636).
c. In the <SslProperties> tag, set the following values:
<SslProperties KeyStorePath="D:\IBM\Lotus\Domino\jvm\bin\key.jks_OR_stkeys.jks"
KeyStorePassword="mypwd"/>
Where:
• KeyStorePath indicates the path to where the keystore database is stored.
On Windows and IBM i, the file is named stkeys.jks; on AIX, Linux, and
Solaris, the file is named keys.jks.
• KeyStorePassword indicates the password you created for accessing the
keystore database.
3. Save and close the file.
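The edits in step 2, applied to a UserInfoConfig.xml document with Python's standard XML library, as an added example (not code from this guide or from IBM). The sample document is constructed: the ReadStConfigUpdates, StorageDetails and SslProperties elements and their attributes come from the procedure above; the root element name and the HostName attribute are assumptions made for the sample only, and the keystore path follows the guide's statement that the file is named keys.jks on AIX, Linux and Solaris.

```python
"""Apply the UserInfo servlet SSL settings to a UserInfoConfig.xml document.

Added example; not code from the Sametime guide or from IBM.  The sample below
is constructed: only the three element names and their attributes come from
the guide; the root element and HostName are assumptions.
"""
import xml.etree.ElementTree as ET
from typing import Dict, Optional

SAMPLE_USERINFO_CONFIG = """<UserInformation>
  <ReadStConfigUpdates value="false"/>
  <StorageDetails SslEnabled="false" SslPort="389" HostName="ldap.example.com"/>
  <SslProperties KeyStorePath="" KeyStorePassword=""/>
</UserInformation>
"""


def enable_userinfo_ssl(xml_text: str, ssl_port: int, keystore_path: str,
                        keystore_password: str) -> str:
    """Return the document with SSL to the LDAP server switched on.

    ssl_port must be the port on which the LDAP server listens for SSL (636 by
    default) and must match the LDAP SSL port entered in the Sametime
    Administration Tool; the guide configures the two separately.
    """
    if not 1 <= ssl_port <= 65535:
        raise ValueError("SslPort out of range: %r" % (ssl_port,))
    root = ET.fromstring(xml_text)

    # Step 2a: set value="true" only where the element already exists; the
    # guide says not to add it when it is absent.
    for element in root.iter("ReadStConfigUpdates"):
        element.set("value", "true")

    # Step 2b: storage connection settings.
    storage = root.find(".//StorageDetails")
    if storage is None:
        raise ValueError("no <StorageDetails> element in UserInfoConfig.xml")
    storage.set("SslEnabled", "true")
    storage.set("SslPort", str(ssl_port))

    # Step 2c: keystore that holds the LDAP server's trusted root certificate.
    # KeyStorePassword sits in clear text in this file, so restrict the file's
    # permissions to the account that runs the Sametime server.
    ssl_props = root.find(".//SslProperties")
    if ssl_props is None:
        raise ValueError("no <SslProperties> element in UserInfoConfig.xml")
    ssl_props.set("KeyStorePath", keystore_path)
    ssl_props.set("KeyStorePassword", keystore_password)
    return ET.tostring(root, encoding="unicode")


def userinfo_ssl_settings(xml_text: str) -> Dict[str, Optional[str]]:
    """Read back the settings the procedure touches, to verify the edit
    (None means the element is absent from the document)."""
    root = ET.fromstring(xml_text)
    flag = root.find(".//ReadStConfigUpdates")
    storage = root.find(".//StorageDetails")
    ssl_props = root.find(".//SslProperties")
    return {
        "ReadStConfigUpdates": flag.get("value") if flag is not None else None,
        "SslEnabled": storage.get("SslEnabled") if storage is not None else None,
        "SslPort": storage.get("SslPort") if storage is not None else None,
        "KeyStorePath": ssl_props.get("KeyStorePath") if ssl_props is not None else None,
    }


if __name__ == "__main__":
    updated = enable_userinfo_ssl(SAMPLE_USERINFO_CONFIG, 636,
                                  "/local/notesdata/keys.jks", "mypwd")
    print(updated)
    print(userinfo_ssl_settings(updated))
```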
Authentication by token using LTPA and Sametime tokens
Lotus Sametime uses authentication by token to authenticate connections that
occur after a user has authenticated to Domino once using password
authentication.
Authentication by token prevents a user from having to re-enter authentication
credentials when accessing different servers or using Lotus Sametime web clients
or Domino applications that connect to a Lotus Sametime server.
The Lotus Sametime server includes two separate security features capable of
generating the authentication token used by Sametime:
• Domino Single Sign-On (SSO) authentication feature - The Domino SSO feature
must be enabled on a Lotus Sametime server.
If the Domino SSO feature is not enabled on the Domino server when you install
Lotus Sametime, the Lotus Sametime installation automatically enables and
configures the Domino SSO feature. In some environments, you might need to
alter the default SSO configuration provided by the Lotus Sametime installation.
For more information, see Altering the Domino Web SSO configuration
following the Sametime server installation.
The user must enter the fully qualified domain name of the Lotus Sametime
server (for example, sametimeserver.meetings.example.com) in the web browser
URL locator when accessing the Lotus Sametime server to authenticate
successfully using SSO.
If your Lotus Sametime environment includes only Lotus Sametime 3.0 (or
higher) servers, and you do not use Sametime TeamRoom or Discussion
databases that were available with earlier Lotus Sametime server releases, only
the Domino SSO feature is required to support authentication by token.
If your Lotus Sametime environment includes Lotus Sametime 3.0 (or higher)
servers that interoperate with Lotus Sametime servers from releases earlier than
Lotus Sametime 3.0, both the Domino SSO feature and the Secrets and Tokens
databases must be supported on the Lotus Sametime server to enforce
authentication by token.
Lotus Sametime includes a custom logon form for the SSO feature. This custom
logon form can be used in place of the default SSO logon form. The custom
logon form is presented to the user the first time the user accesses a database on
the server that requires basic password authentication.
Note: If the Lotus Sametime Server is configured to use Internet Sites, the Notes
client integration with Lotus Sametime (and therefore SSO with Lotus Sametime)
has been supported only since Lotus Sametime 8.5.1 and Notes client 8.5. When
configuring the Lotus Sametime Server to use Internet Sites the following settings
must be configured under the [AuthToken] section of the sametime.ini file:
• ST_TOKEN_TYPE must contain the name of the Web SSO document used by the
Sametime Community server. The default value is LtpaToken.
• ST_ORG_NAME must contain the organization name that is set in the Web SSO
document used by Sametime Community server. The default value is an empty
organization name.
For additional information about the Domino Internet Sites configuration see
Domino documentation.
• Secrets and Tokens authentication databases - Lotus Sametime server releases
earlier than Lotus Sametime 3.0 used only the Secrets and Tokens authentication
databases to create authentication tokens. When Lotus Sametime 8.x operates in
environments that include servers from Lotus Sametime releases earlier than
Lotus Sametime 3.0, the Lotus Sametime 8.x server supports both the Domino
SSO feature and the Secrets and Tokens authentication databases.
A Lotus Sametime 8.x server supports Secrets and Tokens authentication by
default. The following are required to support Secrets and Tokens authentication:
– The Secrets and Tokens databases must be present on the server following a
Lotus Sametime server installation.
– The "Allow users to authenticate using either LTPA token or Sametime Token
(stauths.nsf and stautht.nsf)" option must be selected in the
Configuration-Community Services-General settings of the Sametime
Administration Tool.
Both conditions above exist on a Lotus Sametime server following the server
installation, so no additional procedures are required to support Secrets and
Tokens authentication following the installation. However, if you have enhanced
security by enabling the SametimeSecretsGenerator agent in one Secrets database
on one Lotus Sametime server in your community, you must ensure that this
Secrets database is replicated to all Lotus Sametime servers in the community.
For more information, see Replicating the Secrets database (optional).
Authentication by token using the Domino Single Sign-On (SSO) feature:
The Domino Single Sign-On (SSO) feature must be enabled on the Sametime
server. This feature creates Lightweight Third Party Authentication (LTPA) tokens
that enable web browser users to log in a single time to access multiple Sametime,
Domino, or IBM WebSphere servers that are in the same DNS domain. This
capability is called "single sign-on."
Lotus Sametime also uses LTPA tokens to authenticate connections from Sametime
clients to the Community Services, Meeting Services, and Recorded Meeting
Broadcast Services on the Sametime server. These clients are Java applets and
include the Meeting Room client, and Recorded Meeting client.
Lotus Sametime supports two versions of LTPA tokens: LTPAv1 and LTPAv2. Lotus
Sametime allows authenticating by a single LTPA token or by a list of LTPA tokens.
For example, a client can send an LTPAv1 token and LTPAv2 token in the same
authentication request to authenticate a user. The Domino configuration determines
which token is validated.
The LTPA token types supported by Domino are configured in the Web SSO
document in names.nsf. When using a Domino SSO key, only LTPAv1 tokens are
supported. When importing a WebSphere LTPA key, both LTPAv1 and LTPAv2
tokens are supported by Domino. The supported formats are defined in the Token
Format field under the WebSphere Information section of the Web SSO document.
Lotus Sametime can generate a single LTPA token or a list of LTPA tokens
depending on the SSO key that is configured in Domino and the Token Format
field in the case of WebSphere LTPA keys.
Note: Sametime also requires users to present an authentication token when
attending an instant meeting. Client applications generate this token from the
user's home Sametime server. Users with Sametime 2.5 (or earlier) home Sametime
servers will present Sametime tokens (generated from the Secrets and Tokens
databases) when connecting to instant meetings started on a Sametime 8.x server.
For this reason, Sametime 8.x servers operating in Sametime environments that
include Sametime servers from previous releases must also support the Secrets and
Tokens databases for authentication by token.
Authentication by LTPA token occurs after a user has already authenticated once
using password authentication. For example, authentication by token on a
Sametime server might occur as follows:
1. A user accesses a Sametime Meeting Center database that requires
authentication or clicks the "Log onto Sametime" link in the Sametime Meeting
Center.
Note: To successfully authenticate, the user must enter the fully qualified
domain name of the Sametime server (for example,
sametimeserver.meeting.acme.com) in the web browser URL locator when
accessing the Sametime server.
2. An SSO logon form appears, and the user enters a valid user name and
password from the Domino Directory (or LDAP directory) to authenticate.
Note: Sametime provides a custom Sametime SSO logon form that can be
enabled by the administrator. If the custom logon form is not enabled, the
standard Domino SSO logon form displays to the user.
3. After a successful authentication, the Domino Single Sign-On (SSO) feature
generates an LTPA token containing the user's authentication information and
passes the token to the user's web browser in a cookie.
The user's web browser must have cookies enabled to accept the LTPA token.
4. The user attends a meeting, and the Meeting Room client loads in the user's
web browser.
5. The Meeting Room client connects to the Meeting Services and Community
Services and passes the LTPA token to Sametime. The Meeting Services and
Community Services connections are authenticated using the LTPA token. The
user is not required to re-enter authentication credentials to authenticate these
connections.
The same LTPA token described above can be used to authenticate the user when
the user accesses other Sametime, Domino, or WebSphere servers in the same DNS
domain during a single web browser session. The other Sametime, Domino, or
WebSphere servers must also support the SSO feature (that is, the servers must
accept LTPA tokens).
If the Domino SSO feature is not enabled when you install Sametime, the
Sametime installation automatically enables and configures the Domino SSO
feature. In some environments, it may be necessary to alter the SSO configuration
following the Sametime server installation. For more information, see Altering the
Domino Web SSO configuration following the Sametime server installation.
Related concepts
Authentication by token using Secrets and Tokens databases
To authenticate by token, the Sametime server can accept an authentication token
created by the Secrets and Tokens authentication databases, the Domino Single
Sign-On (SSO) feature, or both. The Sametime server can also generate tokens
using the Secrets and Tokens authentication databases or the Domino SSO feature.
Altering the Domino Web SSO configuration following the Lotus Sametime
server installation:
The IBM Lotus Sametime installation automatically enables and configures the
Domino SSO feature on the Domino server. In some cases, it may be necessary to
alter the default configuration of the Domino SSO feature following the Lotus
Sametime server installation.
This topic discusses the following issues pertaining to the Lotus Sametime
installation and the Domino SSO feature:
• SSO configurations performed by the Lotus Sametime installation - This
section explains how the Lotus Sametime installation configures the Domino
Web SSO feature. You can use this information to determine if it is necessary to
alter the default SSO configuration following a Lotus Sametime server
installation.
• Altering the SSO configuration - This section explains the most common
reasons for altering the SSO configuration following the Lotus Sametime server
installation. In multiple Lotus Sametime server environments, it is frequently
necessary to add the Domino server names of Lotus Sametime servers to the
Domino Web SSO Configuration document.
• Viewing and editing the Domino Web SSO configuration document - This
section explains how to edit the Domino Web SSO configuration document in
the Domino Directory. This document contains the parameters for the Web SSO
configuration that you may need to change.
• Lotus Sametime includes a custom SSO logon form. See Using the Lotus
Sametime custom logon form for SSO for information about enabling this form
following the Lotus Sametime server installation.
Note: If for some reason it is necessary to manually enable the Domino SSO
feature, you can use the procedures described in Manually enabling the Domino
SSO feature. You can also review these procedures to understand all configurations
that are required to support SSO for the Lotus Sametime server.
SSO configurations performed by the Lotus Sametime installation
The Lotus Sametime installation enables the Domino SSO feature and performs the
SSO configurations described below. The Lotus Sametime installation:
• Creates a Web SSO Configuration document named LtpaToken. This document
contains the SSO configuration needed for generation and validation of LTPA
tokens. The following fields are populated into this document:
– DNS Domain - To populate the DNS Domain field, the installation determines
the fully-qualified domain name of the Lotus Sametime server machine and
then subtracts the hostname value from the fully-qualified domain name.
For example, if the installation determines the fully qualified name of the
Lotus Sametime server is "Sametimeserver.east.acme.com," the installation
writes ".east.acme.com" in the DNS Domain field.
The LTPA token is then valid for the servers that belong to the DNS domain
specified in the DNS Domain field.
– Expiration (minutes) - This field specifies the length of time for which the
LTPA token is valid. This value is 30 minutes by default. You may want to
provide a longer value for the token expiration. Lotus software recommends a
setting of 120 minutes.
– Domino Server Names: Each Domino/Sametime server that can accept the
SSO token must be listed in the Domino Server Names field. By default, the
installation writes only the name of the Domino server on which Lotus
Sametime is installed in this field. It may be necessary to add the names of all
other Domino/Sametime servers in the community to this field. For more
information, see Altering the SSO configuration.
• Alters the Sametime/Domino server Server document. The installation changes
the Internet Protocols-Domino Web Engine-Session authentication field in the
Server document to the value "Multiple servers (SSO)." The Server authentication
field must have the "Multiple servers (SSO)" value even if your Lotus Sametime
community uses only one Lotus Sametime server. If the "Multiple server (SSO)"
value is not selected, the SSO feature will not function properly for Lotus
Sametime.
• Automatically configures the Lotus Sametime server to use the Lotus Sametime
custom logon form for SSO. To enable the custom logon form, the Sametime
installation:
– Creates a Domino Configuration database named domcfg.nsf in the root data
directory of the Domino server.
Note: If a domcfg.nsf database already exists on the Domino server when
Lotus Sametime is installed, the Lotus Sametime installation overwrites the
existing domcfg.nsf database.
– Creates a "Mapping a Login Form" document in the domcfg.nsf database.
– Populates the following fields in the Mapping a Login Form document:
Target database filename - This field is set to the value "stcenter.nsf."
Target form name - This field is set to STLogonForm.nsf.
The configurations described above ensure that the custom logon form named
"STLogonForm.nsf" displays to users when users authenticate with the server.
Altering the SSO configuration
The default configuration outlined above meets the basic requirements necessary
for a Lotus Sametime server to support SSO. In some cases, it may be necessary for
the administrator to alter the "DNS Domain" field or the "Domino Server Names"
field of the Domino Web SSO Configuration document following the Lotus
Sametime server installation.
• Altering the DNS Domain field - The Lotus Sametime installation may not
always accurately detect the fully-qualified domain name of the Lotus Sametime
server machine. If this problem occurs, the DNS Domain field may not specify
the appropriate DNS domain. The administrator might need to manually edit
the Domino web SSO Configuration document to add the appropriate entry in
the DNS Domain field of the Domino web SSO Configuration document. Follow
the instructions in "Viewing and editing the Domino Web SSO Configuration
document" below to manually edit the document.
• Altering the Domino Server Names field - If the Lotus Sametime community
consists of multiple Sametime/Domino servers, the Domino server names of all
of the Sametime/Domino servers in the Lotus Sametime community must exist
in the "Domino Server Names" field of the Domino Web SSO Configuration
document. By default, the installation writes only the name of the Domino
server on which Lotus Sametime is installed to this field. If you have multiple
Lotus Sametime servers, it may be necessary to manually open the Domino Web
SSO configuration document and enter the names of the Domino/Sametime
servers in the "Domino Server Names" field.
For example, if you have Sametimeserver1/East/Example and
Sametimeserver2/East/Example in your Sametime community, and you install
Sametimeserver3/East/Example, only Sametimeserver3/East/Example is written
to the Domino Server Names field during the Lotus Sametime installation. The
administrator may need to open the Domino Web SSO Configuration document
and manually enter the names Sametimeserver1/East/Example and
Sametimeserver2/East/Example in the "Domino Server Names" field on the
Domino Web SSO Configuration document on Sametimeserver3/East/Example
to ensure that all servers in the community are entered in this field. To manually
open the Domino Web SSO Configuration document, see "Viewing and editing
the Domino Web SSO Configuration document" below.
Note that in multiple server environments, the Domino Directory may already
be replicated to the Domino server at the time the Lotus Sametime server is
installed. If the Domino Directory already exists on the server and contains a
Domino Web SSO configuration document, the Lotus Sametime installation will
not attempt to alter the existing configuration in any way. In this case, the
existing Domino Web SSO configuration document may already contain the
names of the existing servers in the community and it may be necessary to add
the name of the newly installed Lotus Sametime server to the Domino Web SSO
configuration document.
For example, the names Sametimeserver1/East/Example and
Sametimeserver2/East/Example may already exist in the Domino Web SSO
configuration document in the Domino Directory on the server reserved for the
Sametimeserver3/East/Example installation. Since the Sametimeserver3/East/
Example installation does not alter an existing SSO configuration, that server
name will not appear in the Domino Web SSO Configuration document
following the Lotus Sametime server installation. In this scenario, it is necessary
to open the Domino Web SSO configuration document in the Domino Directory
on Sametimeserver3/East/Example and manually enter "Sametimeserver3/East/
Example" in the "Domino Server Names" field. All other parameters in the
existing Web SSO Configuration document should be valid for the newly-added
server.
Altering the SSO key
By default the Lotus Sametime installation creates a Domino SSO key. If
WebSphere is participating in SSO, this key should be replaced by the WebSphere
LTPA key to allow both Domino and WebSphere to have an identical key for token
validation and generation. Do this by importing the LTPA key from WebSphere to
Domino. For more information, see “Setting up SSO between Sametime Meeting
Server and Sametime Community Server” on page 359.
Viewing and editing the Domino Web SSO Configuration document
To view or edit the Web SSO configuration document that is created by the Lotus
Sametime installation, do the following:
1. From a Lotus Notes client, open the Domino Directory on the Lotus Sametime
server.
2. Choose the Configuration → Web → Web Configurations view.
3. In the right-hand pane, select the twistie to display the document under "Web
SSO Configurations."
4. Double-click on the document titled Web SSO Configuration for LtpaToken to
open the Domino Web SSO Configuration document.
5. Click Edit to put the document in edit mode.
6. Edit the appropriate field (for example, the DNS Domain or Domino Server
Names field).
7. Click Save and Close after editing the document.
In some cases the name of the Web SSO configuration document can be different
from LtpaToken, and the Organization field in the document might not be empty.
This is mainly relevant for Internet Sites configuration. In this case the following
settings must be set under the [AuthToken] section of the sametime.ini file:
- ST_TOKEN_TYPE must contain the name of the Web SSO document used by the
Sametime Community server. The default value is LtpaToken.
- ST_ORG_NAME must contain the organization name that is set in the Web SSO
document used by the Sametime Community server. The default value is an empty
organization name.
Setting up SSO between Sametime Meeting Server and Sametime Community Server:
You should set up single sign-on (SSO) between the IBM Lotus Sametime Meeting
server and the Lotus Sametime Community Server. The Lotus Sametime Proxy
server does not need to be setup for SSO with the other two servers.
Before you begin
Make sure both servers use the same LDAP directory.
About this task
By default the Lotus Sametime installation creates a Domino SSO key. This key
should be replaced by the WebSphere LTPA key from the Lotus Sametime Meeting
Server to allow both Domino and WebSphere to have an identical key for token
validation and generation. Follow these steps to import the LTPA key from
WebSphere to Domino.
Procedure
1. Log in to the Integrated Solutions Console for the Lotus Sametime Meeting
Server.
2. Click Security → Global Security.
3. Under Authentication, click LTPA.
4. Under Cross Cell single sign-on, Enter a Password, Confirm Password, and a
file name to store the key. Click Export keys. The file created will be imported
into the Lotus Domino server for the Lotus Sametime Community Server.
5. Click Security → Global Security → WEB and SIP Security → Single Sign-on
(SSO).
6. Make sure that the Domain name matches the Lotus Sametime Server domain,
and verify that Interoperability Mode is selected.
Note: If you choose LtpaToken2 - LTPAv2 only in step 15 below, then
Interoperability Mode should not be selected.
7. Open the names.nsf file on the Domino server for the Lotus Sametime
Community Server.
8. Click Configuration → Web → Web Configurations view.
9. Open the Web SSO Configuration for LtpaToken document.
10. Click Edit SSO Configuration.
11. Click Keys → Import WebSphere LTPA keys.
12. Type in the exact file location of the key file you created on the Lotus
Sametime Meeting Server.
13. Enter the password you created on the server when you enabled single
sign-on.
14. Click OK.
The message "Successfully imported WebSphere LTPA keys" appears after the
key has been imported.
15. For Domino 8.0 and higher:
Note: Lotus Sametime 8.5 requires Lotus Domino 8.0 and higher; if you are
maintaining an older Lotus Sametime server it may be running a version of
Lotus Domino prior to R8.
In the Token Format field of the WebSphere Information section, select the
LTPA token formats to be supported by Domino.
- LtpaToken - LTPAv1 only
- LtpaToken2 - LTPAv2 only
- LtpaToken and LtpaToken2 - both LTPAv1 and LTPAv2 formats are
supported
With this last option selected, both tokens are created, but the token
returned to the client is determined by the TOKEN_TYPE_TO_RETURN
flag under the AuthToken section of sametime.ini. The default value is
LTPA, which returns the LTPAv1 token. Changing the value to LTPA2
results in the LTPAv2 token being returned instead.
16. Click Save and Close.
17. Configure the Lotus Sametime Community Server so that LtpaToken gets set
by the Sametime Proxy web client instead of the Sametime token:
a. Log in to the Lotus Sametime System Console as the Sametime
administrator.
b. Click Sametime Servers → Sametime Community Servers.
c. In the list of Community Servers, click the name of a Sametime
Community Server to open its Configuration page.
d. Click the Community Services tab.
e. Under the "General" section, select the authentication type that users can
use while logging into the community server: LTPA only.
18. Restart the Lotus Domino server to put your changes into effect.
Setting up SSO between Sametime Unified Telephony and Sametime Community Server:
If you plan to enable the Click to Call feature, set up single sign-on (SSO) between
IBM Lotus Sametime Unified Telephony and the Lotus Sametime Community
Server. The Lotus Sametime Proxy server does not need to be enabled for SSO with
these two servers.
Before you begin
Make sure both servers use the same LDAP directory.
About this task
By default the Lotus Sametime installation creates a Domino SSO key. This key
should be replaced by the WebSphere LTPA key from the Lotus Sametime Unified
Telephony deployment's Telephony Application Server to allow both Domino and
WebSphere to have an identical key for token validation and generation. Follow
these steps to import the LTPA key from WebSphere to Domino.
Procedure
1. On the Telephony Application Server, log in to the Integrated Solutions
Console as the WebSphere administrator.
2. Click Security → Secure administration, applications, and infrastructure.
3. Under Authentication, click Authentication mechanisms and expiration.
4. Under "Cross Cell single sign-on", Enter a Password, Confirm Password, and
type a file name to store the key; then click Export keys.
The file created will be imported into the Lotus Domino server for the Lotus
Sametime Community Server.
5. Click Web security → Single Sign-on (SSO).
6. Make sure that the Domain name matches the Lotus Sametime Community
Server domain, and verify that Interoperability Mode is selected.
Note: If you choose LtpaToken2 - LTPAv2 only in step 15 below, then
Interoperability Mode should not be selected.
7. Open the names.nsf file on the Domino server for the Lotus Sametime
Community Server.
8. Click Configuration → Web → Web Configurations view.
9. Open the Web SSO Configuration for LtpaToken document.
10. Click Edit SSO Configuration.
11. Click Keys → Import WebSphere LTPA keys.
12. Type in the exact file location of the key file you created on the Lotus
Sametime Meeting Server.
13. Enter the password you created on the server when you enabled single
sign-on.
14. Click OK.
The message "Successfully imported WebSphere LTPA keys" appears after the
key has been imported.
15. For Domino 8.0 and higher:
Note: Lotus Sametime 8.5 requires Lotus Domino 8.0 and higher; if you are
maintaining an older Lotus Sametime server it may be running a version of
Lotus Domino prior to R8.
In the Token Format field of the WebSphere Information section, select the
LTPA token formats to be supported by Domino.
- LtpaToken - LTPAv1 only
- LtpaToken2 - LTPAv2 only
- LtpaToken and LtpaToken2 - both LTPAv1 and LTPAv2 formats are
supported
With this last option selected, both tokens are created, but the token
returned to the client is determined by the TOKEN_TYPE_TO_RETURN
flag under the AuthToken section of sametime.ini. The default value is
LTPA, which returns the LTPAv1 token. Changing the value to LTPA2
results in the LTPAv2 token being returned instead.
16. Click Save and Close.
17. Configure the Lotus Sametime Community Server so that LtpaToken gets set
by the Sametime Proxy web client instead of the Sametime token:
a. Open a web browser and navigate to http://your_st_server/
stcenter.nsf.
b. Click Administer the server on the page and log in using your Sametime
administrator account.
c. Click Configuration → Community Services.
d. Click the Community Services tab.
e. Under "General" deselect the following option:
Allow users to authenticate using either LTPA or Sametime Token
(stauths.nsf and stautht.nsf).
If this option is not selected, users will authenticate using the LTPA token.
18. Restart the Lotus Domino server to put your changes into effect.
19. If you have a Lotus Sametime Meeting Server, it should be part of the same
SSO environment. The same LTPA encryption key should be configured on
this server, too. You must import the LTPA encryption key to the Meeting
server.
a. From the Integrated Solutions Console of the Lotus Sametime Meeting
Server, click Global security → LTPA.
b. Scroll down to "Cross-cell single sign-on."
c. In the Password and Confirm password fields, enter the password that is
used to decrypt the LTPA keys. This password must match the password
that was used in the cell from which you are importing the keys.
d. Enter the fully qualified key file name, and click Import.
e. Click Apply and then Save.
f. Restart the Sametime Meeting server to put your changes into effect.
20. Synchronize all the nodes in the environment:
a. In the Deployment Manager's Integrated Solutions Console, click System
Administration → Nodes.
b. Select all nodes in the cluster.
c. Click Full Resynchronize.
21. Restart all nodes in the cluster:
a. In the Deployment Manager's Integrated Solutions Console, click System
Administration → Node agents.
b. Click a node agent, and then click Start, or click Restart if the node agent
is already running.
Configuring the Sametime Connect client for token login:
Single sign-on for HTTP requests using the Simple and Protected GSS-API
Negotiation Mechanism (SPNEGO) trust association interceptor (TAI) for
WebSphere Application Server allows IBM Lotus Sametime users to log in and
authenticate only once at their desktop and receive automatic authentication from
the WebSphere Application Server.
About this task
The Lotus Sametime Connect client must be configured to use the SPNEGO SSO
feature. Configuration can be established in a silent installation or done
manually by the user.
Silent installation
The settings for token-based login can be pre-configured using the silent installer.
In the silentinstall.ini file found on the Lotus Sametime Connect compact disk,
include the following settings:
- STAUTHSERVERURL=<WebSphere Authentication URL>
- STLOGINBYTOKEN=true
- STUSEAUTHSERVER=true
Manual configuration
To configure the Sametime Connect client manually for SPNEGO single sign-on,
follow these steps:
Procedure
1. In the Log in to Sametime dialog box, enter your fully qualified host server
name and your user name.
2. Click Connectivity.
3. Select the Use token based single sign on box.
4. Enter the URL for your authentication server in the Authentication server URL
box. For example, http://authenserverurl.com.
5. Click OK.
6. In the Log in to Sametime dialog box, click Log In.
Manually enabling the Domino SSO feature:
If your environment requires you to manually enable the Domino SSO feature
instead of using the default configuration provided by the IBM Lotus Sametime
installation, you can use the steps in this section to manually enable the Domino
SSO feature.
About this task
This procedure is identical to the procedure used to enable the SSO feature on a
Domino server. After manually enabling the feature, you can configure the server
to use the Lotus Sametime custom SSO logon form.
Generally, the Domino SSO feature will be enabled by default during the Lotus
Sametime installation and it is not necessary to manually enable the feature. For
more information, see Altering the Domino Web SSO feature following the
Sametime server installation.
To enable the Domino SSO feature on the Lotus Sametime server:
What to do next
After enabling the Domino SSO feature, follow the procedure described in Using
the custom Sametime SSO logon page to use the custom Lotus Sametime SSO
logon form.
Create the Web SSO Configuration document in the Domino Directory:
Create a Web SSO document that specifies the servers participating in the shared
authentication, the time-out value for the cookie containing the LTPA access token,
and the encrypted secret used to create the cookie.
Procedure
1. Using a Lotus Notes client, open the Domino Directory on the Sametime
server.
2. Select Configuration → Servers → All Server Documents.
3. Select the Web button on the taskbar.
4. Select Create Web SSO Configuration.
5. In the document, select the Keys pull-down menu button.
6. The default value for the Configuration Name field is LtpaToken. This is the
preferred value and usually it should not be changed. In case another value is
configured as the Web SSO document name, the ST_TOKEN_TYPE setting under
the [AuthToken] section of the sametime.ini file must contain the same value.
7. Select Create Domino SSO Key.
Note: The Import WebSphere LTPA Keys option is used instead when a WebSphere
server must communicate with a Domino server. In that case, you must export the
LTPA keys from the WebSphere server and import them to the Domino server. See the
WebSphere Information Center documentation for details.
8. Configure the Token Expiration field. Note that a token does not expire based
on inactivity; it is valid only for the number of minutes specified from the
time of issue. The token is also valid only for a single browser session. Lotus
software recommends an expiration value of 120 minutes.
Note: Generally, the expiration value should reflect the average length of a
Sametime meeting in your environment. Setting a high value may create a
security risk: if the LTPA token is intercepted by an attacker, the attacker can
use the token to gain unauthorized access to the Sametime server until the token
expires. Setting up the Domino server to support SSL for web browser
connections provides the highest level of security against attempts to
intercept LTPA tokens.
9. In the DNS Domain field, enter the DNS domain (for example, .lotus.com or
.meetings.acme.com) for which the tokens will be generated. The servers
enabled for SSO must all belong to the same DNS domain. This field is
required, and the DNS domain must start with a period.
When users access the Sametime server, they must enter the fully qualified
domain name of the Sametime server for authentication to be successful (for
example, sametimeserver.meetings.acme.com).
10. In the Server Names field, enter the servers that will be participating in SSO.
Generally, this field should contain the Domino hierarchical names of all
Sametime servers in your environment. You can browse and select the server
names from the Domino Directory.
Note: Groups and wildcards are not allowed in the field.
11. The Organization field should usually stay empty. In case it has a value,
which is mandatory only for Internet Sites configuration, the ST_ORG_NAME field
setting under the [AuthToken] section of the sametime.ini file must contain a
similar value. For additional information about Internet Sites see the Domino
documentation.
12. Select Save & Close to save the Web SSO Configuration document. The
document will appear in the Web Configurations view. This document will be
encrypted for the creator of the document, the members of the Owners and
Administrators fields, and the servers specified in the Server Names field.
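The rules above (ST_TOKEN_TYPE and ST_ORG_NAME in the [AuthToken] section, the DNS Domain and Server Names fields, the Token Expiration recommendation, and the Token Format and TOKEN_TYPE_TO_RETURN rules from the SSO procedures earlier in this chapter) can be checked mechanically. The following is an added example, not IBM code: the Web SSO document is modelled as a dataclass because the real one lives in names.nsf, the sametime.ini text and server names are constructed, and the finding codes are the example's own.

```python
"""Cross-check a Domino Web SSO Configuration document against the [AuthToken]
section of sametime.ini using the rules stated in this guide. Added example,
not IBM code: the Web SSO document is modelled as a dataclass because the real
one lives in names.nsf; the sametime.ini text and server names are constructed
and the finding codes are this example's own."""
import configparser
from dataclasses import dataclass
from typing import Dict, List, Tuple


@dataclass
class WebSsoDoc:
    configuration_name: str        # "Configuration Name" field, default LtpaToken
    organization: str              # "Organization" field, normally empty
    dns_domain: str                # "DNS Domain" field, e.g. ".example.com"
    server_names: List[str]        # "Domino Server Names" field
    token_expiration_minutes: int  # "Token Expiration" field
    token_format: str              # LtpaToken | LtpaToken2 | LtpaToken and LtpaToken2
    websphere_interoperability_mode: bool = False  # WebSphere SSO page setting


def parse_authtoken(ini_text: str) -> Dict[str, str]:
    """Return the [AuthToken] settings of a sametime.ini, key case preserved."""
    cp = configparser.ConfigParser(interpolation=None)
    cp.optionxform = str  # keep ST_TOKEN_TYPE etc. exactly as written
    cp.read_string(ini_text)
    return dict(cp["AuthToken"]) if cp.has_section("AuthToken") else {}


def check_sso_config(doc: WebSsoDoc, authtoken: Dict[str, str],
                     this_server: str) -> List[Tuple[str, str]]:
    """Return (code, message) findings; an empty list means nothing was found."""
    findings: List[Tuple[str, str]] = []

    # The Web SSO document name must match ST_TOKEN_TYPE (default LtpaToken).
    token_type = authtoken.get("ST_TOKEN_TYPE", "LtpaToken")
    if token_type != doc.configuration_name:
        findings.append(("TOKEN_TYPE_MISMATCH", f"ST_TOKEN_TYPE is {token_type!r} "
                         f"but the Web SSO document is named {doc.configuration_name!r}"))

    # The Organization field (used with Internet Sites) must match ST_ORG_NAME.
    org_name = authtoken.get("ST_ORG_NAME", "")
    if org_name != doc.organization:
        findings.append(("ORG_NAME_MISMATCH", f"ST_ORG_NAME is {org_name!r} but "
                         f"the Organization field is {doc.organization!r}"))

    # DNS Domain is required and must start with a period, e.g. ".example.com".
    if not doc.dns_domain.startswith("."):
        findings.append(("DNS_DOMAIN_FORMAT",
                         f"DNS Domain {doc.dns_domain!r} must start with a period"))

    # A server missing from Server Names cannot decrypt the document, so its
    # HTTP task reverts to single-server session authentication on load.
    if this_server not in doc.server_names:
        findings.append(("SERVER_NOT_LISTED",
                         f"{this_server} is not in the Domino Server Names field"))
    for name in doc.server_names:
        if "*" in name:  # groups and wildcards are not allowed in this field
            findings.append(("WILDCARD_IN_SERVER_NAMES",
                             f"wildcard entry {name!r} is not allowed"))

    # Tokens expire a fixed time after issue, not on inactivity; the guide
    # recommends 120 minutes since a longer lifetime keeps an intercepted
    # token usable for longer.
    if doc.token_expiration_minutes > 120:
        findings.append(("LONG_TOKEN_EXPIRATION", f"Token Expiration of "
                         f"{doc.token_expiration_minutes} min exceeds the recommended 120"))

    # LTPAv2-only on Domino requires Interoperability Mode off on WebSphere.
    if doc.token_format == "LtpaToken2" and doc.websphere_interoperability_mode:
        findings.append(("INTEROP_MODE_WITH_LTPAV2_ONLY", "Interoperability Mode must "
                         "not be selected when only LtpaToken2 (LTPAv2) is supported"))

    # When both formats are created, TOKEN_TYPE_TO_RETURN picks the one sent to
    # clients: LTPA (default) returns LTPAv1, LTPA2 returns LTPAv2.
    to_return = authtoken.get("TOKEN_TYPE_TO_RETURN", "LTPA")
    if to_return not in ("LTPA", "LTPA2"):
        findings.append(("BAD_TOKEN_TYPE_TO_RETURN",
                         f"TOKEN_TYPE_TO_RETURN={to_return!r}; expected LTPA or LTPA2"))
    return findings


# Constructed sample: a third server installed into a community whose Web SSO
# document still lists only the first two servers (the case described earlier
# under "Altering the Domino Web SSO feature").
SAMPLE_INI = """\
[AuthToken]
ST_TOKEN_TYPE=LtpaToken
ST_ORG_NAME=
TOKEN_TYPE_TO_RETURN=LTPA2
"""

SAMPLE_DOC = WebSsoDoc(
    configuration_name="LtpaToken",
    organization="",
    dns_domain=".example.com",
    server_names=["Sametimeserver1/East/Example", "Sametimeserver2/East/Example"],
    token_expiration_minutes=120,
    token_format="LtpaToken and LtpaToken2",
)
```

Calling check_sso_config(SAMPLE_DOC, parse_authtoken(SAMPLE_INI), "Sametimeserver3/East/Example") reports only SERVER_NOT_LISTED, the condition that later produces the "Error Loading Web SSO configuration" console message; the same call for Sametimeserver1/East/Example returns no findings.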
Related tasks
Manually enabling the Domino SSO feature
If your environment requires you to manually enable the Domino SSO feature
instead of using the default configuration provided by the IBM Lotus Sametime
installation, you can use the steps in this section to manually enable the Domino
SSO feature.
Enable SSO and "Name & Password" authentication in the Server document:
Use this procedure to enable SSO and "Name & Password" authentication in the
Server document of the Sametime server for which you are enabling the Domino
SSO feature.
About this task
This procedure is the second of three required to manually enable the Domino SSO
authentication feature on a Sametime server.
Procedure
1. In the Configuration - Servers - All Server Documents view of the Domino
Directory, double-click the name of the Sametime server to open the Server
document.
2. Select Edit Server to put the Server document in edit mode.
3. Select the Ports tab.
4. Select the Internet Ports tab.
5. Select the Web tab (if it is not displayed by default).
6. For the HTTP TCP/IP port Authentication Options, select Yes in the "Name &
Password" field.
7. Select the Internet Protocols tab.
8. Select the Domino Web Engine tab.
9. In the "HTTP Sessions" section, select "Multiple server (SSO)" in the "Session
authentication" field.
Note: You must select the "Multiple server (SSO)" value even if your
environment includes only a single Sametime server.
10. Click Save and Close to save the Server document.
What to do next
Start (or restart) the HTTP task on the SSO-enabled server
Related tasks
Manually enabling the Domino SSO feature
If your environment requires you to manually enable the Domino SSO feature
instead of using the default configuration provided by the IBM Lotus Sametime
installation, you can use the steps in this section to manually enable the Domino
SSO feature.
Start (or restart) the HTTP task on the SSO-enabled server:
Use the Domino console to start or stop the HTTP server.
About this task
This procedure is required to manually enable the Domino SSO authentication
feature on a Sametime server.
To start the HTTP task on the SSO-enabled server:
Procedure
1. Open the Domino console.
2. Start the HTTP server, or stop and restart the HTTP server if it is already
running.
- Use the Tell HTTP Quit command to stop the HTTP server.
- Use the Load HTTP command to start the HTTP server.
3. On the Domino console, the following message should appear:
HTTP: Successfully loaded Web SSO Configuration
4. If a server enabled for SSO cannot find a Web SSO Configuration document or
is not included in the Server Names field (and thus cannot decrypt the
document), then the following message should appear on your server's console.
HTTP: Error Loading Web SSO configuration. Reverting to single server session authentication.
What to do next
Lotus software recommends using the custom Sametime SSO logon form. If you do
not use this logon form, users will see the default Domino SSO logon form the first
time they access a database on the server that requires authentication.
Note: Authentication by token does not occur if you allow anonymous access to
the Sametime server and all its databases.
To configure the Sametime server to use the custom Sametime SSO logon form, see
Using the Sametime custom logon form for SSO.
Using the Sametime custom logon form for SSO:
The IBM Lotus Sametime installation automatically configures the Lotus Sametime
server to use the Lotus Sametime custom logon form for SSO.
The Lotus Sametime installation performs the following configurations to enable
the custom logon form:
1. Creates a Domino Configuration database named domcfg.nsf in the root data
directory of the Domino server on which Lotus Sametime is installed. This
database is created from the domcfg5.ntf template available with the Domino
server.
2. Creates a "Mapping a Login Form" document in the domcfg.nsf database.
3. Populates the following fields in the Mapping a Login Form document:
- Target database filename - This field is set to the value "stcenter.nsf."
- Target form name - This field is set to STLogonForm.nsf.
The configurations described above ensure that the custom logon form named
"STLogonForm.nsf" displays to users when users authenticate with the server.
If a database named domcfg.nsf exists on the Lotus Sametime server when Lotus
Sametime is installed, the administrator must manually enable the custom logon
form. This procedure is described below.
Manually enabling the custom logon form
Follow the procedure below to manually enable the Lotus Sametime custom logon
form for SSO. The custom logon form displays when the user accesses the first
database on the server that requires authentication or selects the "Log on to
Sametime" link in the Sametime Meeting Center.
Note: The custom logon form exists in the Lotus Sametime server home page
database (stcenter.nsf). If you want to require users to authenticate when accessing
the server, you should allow anonymous access to the Lotus Sametime server
home page (stcenter.nsf) and require authentication to the Sametime Meeting
Center database (stconf.nsf). With this arrangement, users access the server home
page anonymously and are presented with the SSO logon form when attempting to
create or attend a meeting.
To use the Lotus Sametime custom logon form for SSO, you must configure
settings in the Domino Configuration database (domcfg.nsf) provided with the
Domino server on which Lotus Sametime is installed.
To use the Lotus Sametime custom logon form for SSO:
1. Verify that the Lotus Sametime server has a Domino Configuration database
named domcfg.nsf.
Note: If your server includes an existing domcfg.nsf database but you do not
want to use that database, you can delete the existing domcfg.nsf database and
create a new one. To create a new domcfg.nsf database, use the Domino
Configuration (R5) template (domcfg5.ntf) available with a Domino server.
When creating the new database, you must select the "Show advanced
templates" option to access the domcfg5.ntf template.
2. If necessary, copy the domcfg.nsf Domino Configuration database to the root
data directory of the Domino server on which Lotus Sametime is installed (for
example C:\Lotus\Domino\Data directory).
3. From a Lotus Notes client, open the Domino Configuration database.
4. Choose Add Mapping.
5. Under Site Information, accept the default of All Websites/Entire Server.
6. In the "Target database filename" field, enter stcenter.nsf.
7. In the "Target form name" field, enter STLogonForm.
Required ACL settings for the Sametime Center database (stcenter.nsf)
The Sametime Center database (stcenter.nsf) must meet the following ACL
requirements for the custom logon form to operate properly.
- In the Advanced options of the stcenter.nsf ACL settings, the "Maximum Internet
name & password" field must allow at least Reader access. If either Depositor or
No Access are selected, the logon form will not appear.
- In the Basics options of the stcenter.nsf ACL settings, anonymous users must
have an access level of Reader or higher. If the access level provided for
anonymous users is less than Reader, the logon form will not appear. The "Write
public documents" and "Read public documents" options should also be selected.
Related tasks
Manually enabling the Domino SSO feature
If your environment requires you to manually enable the Domino SSO feature
instead of using the default configuration provided by the IBM Lotus Sametime
installation, you can use the steps in this section to manually enable the Domino
SSO feature.
Authentication by token using Secrets and Tokens databases:
To authenticate by token, the Sametime server can accept an authentication token
created by the Secrets and Tokens authentication databases, the Domino Single
Sign-On (SSO) feature, or both. The Sametime server can also generate tokens
using the Secrets and Tokens authentication databases or the Domino SSO feature.
If the Sametime server is operating in an environment that includes Sametime
servers from releases earlier than Sametime 3.0, or if Domino databases enabled
with Sametime technology (such as the Sametime Discussion and TeamRoom
databases that were available with earlier releases) are used in your environment,
the Sametime server must support both the Secrets and Tokens authentication
databases and the Domino SSO authentication feature.
The Sametime server is set up to support Secrets and Tokens authentication by
default. The basic requirements for this authentication system are:
- The Secrets (stauths.nsf) and Tokens (stautht.nsf) databases must exist on the
Sametime server. These databases are created during the Sametime server
installation.
- The "Allow users to authenticate using either LTPA or Sametime Tokens
(stauths.nsf and stautht.nsf)" option must be selected in the Sametime
Administration Tool. (This option is selected by default.)
Note that previous releases of Sametime allowed an administrator to enhance the
level of security provided by the Secrets and Tokens databases by enabling the
SametimeSecretsGenerator agent in one Sametime Secrets database (stauths.nsf) on
one Sametime server in the Sametime community. If you enable the
SametimeSecretsGenerator agent on one Secrets database on one Sametime server,
that Secrets database must be replicated to all Sametime servers in the community.
If your environment includes Sametime servers from previous releases and you are
currently replicating a Secrets database to all of the servers in your environment,
you must also replicate that Secrets database to the Sametime servers.
There are two procedures associated with ensuring the Secrets and Tokens
authentication databases on the Sametime server are functioning properly:
1. If necessary, select the "Allow users to authenticate using either LTPA or
Sametime Tokens (stauths.nsf and stautht.nsf)" option in the Sametime
Administration Tool. (This option is selected by default.)
2. Replicating the Secrets and Tokens databases (optional) - This step is necessary
only if you have deployed Domino databases enabled with Sametime
technology (such as Sametime TeamRoom and Discussion databases) or if you
have enhanced security by enabling the SametimeSecretsGenerator agent in the
Secrets database.
Selecting the "Allow users to authenticate using either LTPA or Sametime Tokens
(stauths.nsf and stautht.nsf)" option:
The "Allow users to authenticate using either LTPA or Sametime Tokens
(stauths.nsf and stautht.nsf)" setting must be enabled in the Sametime
Administration Tool to enable the Sametime server to accept both the LTPA and
Sametime Tokens. This setting must be set consistently on all Sametime 8.x, 7.x,
6.5.1, 3.x servers in your environment.
About this task
Note: This procedure might not be necessary as the "Allow users to authenticate
using either LTPA or Sametime Tokens (stauths.nsf and stautht.nsf)" setting is
enabled by default following the server installation.
If you enable this setting on one Sametime server, you must enable it on all
Sametime servers in your environment. If you disable it on one Sametime server,
you must disable it on all Sametime servers in the environment.
To enable this setting:
Procedure
1. From the Sametime server home page, click Administer the server to open the
Sametime Administration Tool.
2. Choose Configuration.
3. Choose Community Services.
4. Select the "Allow users to authenticate using either LTPA or Sametime Tokens
(stauths.nsf and stautht.nsf)" option.
5. Click Update.
6. Restart the server for the setting to take effect.
Results
You have the option of replicating the Secrets database to enhance security.
Related tasks
Manually enabling the Domino SSO feature
If your environment requires you to manually enable the Domino SSO feature
instead of using the default configuration provided by the IBM Lotus Sametime
installation, you can use the steps in this section to manually enable the Domino
SSO feature.
Replicating the Secrets and Tokens databases (optional):
If you have installed multiple Sametime servers, you can enable the
SametimeSecretsGenerator agent in the Secrets database. Enabling the
SametimeSecretsGenerator agent is an optional procedure that increases security
against outside attacks.
About this task
This topic discusses the second of two procedures associated with setting up the
Secrets and Tokens authentication system on a Sametime server.
The Secrets and Tokens databases exist on every Sametime server.
If you enable the SametimeSecretsGenerator agent, only one Secrets database
should be used for all Sametime servers in the environment. You should replicate
the Sametime Secrets database in which you have enabled the
SametimeSecretsGenerator agent to all Sametime servers in the environment.
Create a replication schedule for the Secrets database in which you have enabled
the SametimeSecretsGenerator agent to ensure it replicates at regular intervals.
Delete all other copies of the Secrets database from all Sametime servers in the
environment. For more information, see Integrating a Sametime server into an
existing Sametime community.
Do not replicate the Tokens database to the other Sametime servers. The replicated
Secrets database can work with the Tokens database that exists on each Sametime
server by default following the server installation.
If you do not enable the SametimeSecretsGenerator agent in any Secrets database
on any Sametime server, it is not necessary to replicate the Secrets database. If you
do not enable the SametimeSecretsGenerator agent, administration is simpler
because no replications or replication schedules are required, but the security level
is not as high.
Working with Sametime security
The IBM Lotus Sametime server uses the Internet and intranet security features of
the Domino server on which it is installed to authenticate web browser users who
access Domino databases on the server. These databases include the Sametime
Center database (stcenter.nsf), which contains the Sametime server home page, and
the Sametime Meeting Center database (stconf.nsf).
Sametime also uses authentication-by-token features to authenticate connections
from Sametime clients to the Sametime server. The authentication-by-token features
include the Secrets and Tokens databases supported by all previous Sametime
releases and the Domino Single Sign-On (SSO) authentication feature that is
supported by Sametime 3.0 and higher-version servers.
Sametime also provides security features that enable users to encrypt meetings and
specify meeting-specific passwords. The Security section includes the following
topics:
Getting started with Lotus Sametime security:
This section includes basic security information to help you get started with IBM
Lotus Sametime security.
The required fully-qualified server name:
The user must enter the fully qualified DNS name of the IBM Lotus Sametime
server (for example, sametimeserver.meetings.acme.com) in the web browser URL
locator when accessing the Sametime server to authenticate with a Lotus Sametime
server.
The Domino Single Sign-On (SSO) feature must be enabled on the Lotus Sametime
server. The Domino SSO feature requires the user to enter the fully qualified DNS
name of the server for a successful authentication. For more information, see
Authentication by token using LTPA and Sametime tokens.
Basic password authentication and authentication by token:
IBM Lotus Sametime uses two types of authentication: Basic password
authentication and authentication by token.
Basic password authentication
Lotus Sametime uses basic password authentication to authenticate web browser
connections and Lotus Sametime Connect client connections. Lotus Sametime uses
the same Internet and intranet security features as a Domino server to authenticate
the web browser connections. These features include Domino database Access
Control Lists (ACLs) and security settings in the Server document of the Domino
server on which Lotus Sametime is installed.
The Domino security features also allow you to configure databases for
anonymous access. When a database is configured for anonymous access, the user
is not authenticated when accessing the database.
The following topics in this section discuss basic password authentication:
v User requirements for basic password authentication
v Using database ACLs for identification and authentication
v Basic password authentication and database ACLs
v Setting up basic password authentication in a database Access Control List (ACL)
Authentication by token
After a web browser user authenticates using basic password authentication, Lotus
Sametime Java applet clients (such as the Meeting Room client, Recorded Meeting
client, and Lotus Sametime Connect for browsers client) load in a user's web
browser. These Lotus Sametime clients make connections to the Community
Services, Meeting Services, and Recorded Meeting Broadcast Services when a user
attends a meeting. Lotus Sametime uses "authentication by token" to authenticate
the connections from these Lotus Sametime clients to the Lotus Sametime services.
Note: Connections from the Lotus Sametime clients to the Community Services,
Meeting Services, and Recorded Meeting Broadcast Services are authenticated only
if the Lotus Sametime Meeting Center database (stconf.nsf) requires basic password
authentication. If the Lotus Sametime Meeting Center allows anonymous access,
these connections are not authenticated.
When the Lotus Sametime Meeting Center requires basic password authentication,
authentication by token is supported on the Lotus Sametime server using the
Domino Single Sign-On (SSO) authentication feature.
If your environment includes only Lotus Sametime 3.0 (or higher) servers, it is
only necessary to enable the Domino SSO feature on the Lotus Sametime servers.
Note: Lotus Sametime TeamRoom and Discussion databases were available with
previous Lotus Sametime releases but are no longer included in the Lotus
Sametime product.
The Lotus Sametime server must support both the Domino SSO feature and the
Secrets and Tokens database authentication system if your environment includes
Lotus Sametime 3.0 (or higher) servers that interoperate with Lotus Sametime
servers from releases earlier than Lotus Sametime 3.0.
The following topics discuss authentication by token:
v Authentication by token
v Authentication by token using the Domino Single Sign-On (SSO) feature
v Authentication by token using Secrets and Tokens databases
User requirements for basic password authentication:
When accessing the Lotus Sametime server with a Web browser, a user must enter
a user name and Internet password to access any protected database on the Lotus
Sametime server.
A protected database is a database that has its Access Control List (ACL) set to
require basic password authentication. If the ACL settings of a database allow
anonymous access, the user is not authenticated (prompted for a user name and
Internet password) when accessing the database.
Note: It is important for a user to enter a name when accessing a Lotus Sametime
database so that the user's name can be displayed in any presence list within the
database. If the ACL settings of a database allow anonymous access, a user is not
prompted for a name unless the "Users of Sametime applications can specify a
display name so that they do not appear online as anonymous" setting is selected
in the Configuration-Community Services-Anonymous Access settings of the
Sametime Administration Tool. When this option is selected, it forces a name entry
prompt to appear when an anonymous user attends a scheduled meeting. From
this name entry prompt, the user can enter a name for display purposes in a
presence list. The server accepts any name entered by the user at the name entry
prompt; the user is not authenticated.
A Sametime Connect user must also be authenticated each time the user starts the
Sametime Connect client and connects to the Community Services on the Lotus
Sametime server. Sametime Connect users must enter the user name and Internet
password from the Person document in the Domino Directory when logging on to
Sametime Connect.
Note: If you have configured Lotus Sametime to operate with an LDAP directory,
Sametime authenticates users based on the user names and passwords stored in
the person entries of the LDAP directory.
Person document, User names, and Internet passwords in the Domino Directory
This section discusses the requirements for basic password authentication when
Lotus Sametime is installed to operate with a Domino Directory. You must choose
either the Domino Directory or an LDAP directory during the Lotus Sametime
installation.
Each member of the Lotus Sametime community must have a Person document in
the Domino Directory to authenticate with the Lotus Sametime server. The names
and password that a user can enter when accessing a Lotus Sametime server are
maintained in the Basics tab of a Person document in the Domino Directory.
To access a Person document, open the Sametime Administration Tool and select
Domino Directory → Domino → Manage People. Double-click a person's name to
open that user's Person document.
The table below shows a sample entry in the Basics section of a user's Person
document. The text that follows the table explains how these entries are used in
the web browser and Sametime Connect client password authentication processes.
Sample settings in the Basics section of a Person document

Field                    Entry                       Comment
First name               Gary                        This field is optional.
Middle initial                                       This field is optional.
Last name                Ollerman                    This field is required.
User name                Gary Ollerman/Community     This field is required.
                         GOllerman                   Note: The Community (or domain) name is
                                                     appended to the first entry in the user
                                                     name field by default.
Alternate name                                       This field is optional.
Short name/UserID                                    This field is optional.
Generational qualifier                               This field is optional.
Internet password        (FCF5F3960B0A289D3)         This field is required.
The following fields on the Person document are used by the authentication
process:
v First name - This field is optional.
Web browser - If an entry exists in the "First name" field in the Basics tab of the
Person document, the user can enter just this name at the User Name prompt
that appears when accessing a protected database on the Lotus Sametime server
with a web browser. The user must also enter the Internet password to access
the database. (A protected database is a database that has its ACL set to require
basic password authentication.)
Sametime Connect - The first name is not a valid entry at the User Name prompt
that appears when logging on to the Sametime Connect client.
v Last name - This field is required. An entry must exist in the "Last name" field
of the Basics tab of a Person document.
The last name can be entered in the User Name prompt that appears when
accessing a protected database on the Lotus Sametime server with a Web
browser. The last name can also be used when logging on from the Lotus
Sametime Connect client. A user must also enter the Internet password to
complete the authentication process.
Note: If both the "First name" and "Last name" fields contain entries, the user
can enter the first and last names at the User Name prompt that appears when
accessing the Lotus Sametime server.
v User name - This field is required. An entry must exist in the "User name" field
in the Basics tab of a Person document.
Generally, it is good practice to use a user's first and last name in the "User
name" field. The "User name" field can contain multiple entries. In our example,
the User name field contains both Gary Ollerman/Community and GOllerman.
(Each entry must be separated by a semicolon or a carriage return in the "User
name" field of the Person document.)
A user can enter any name that appears in the "User name" field of the Person
document when logging on to the Lotus Sametime server from the Sametime
Connect client or a web browser. For example, the user could enter Gary
Ollerman/Community or GOllerman at a Sametime Connect or web browser
User Name prompt. The name entered by the user is resolved to the topmost
name (Gary Ollerman/Community in the example) in the "User name" field. The
topmost name in the "User name" field is the name that is displayed in the
presence lists of all Sametime clients.
Note: If you want a user's email address to display in presence lists, enter the
user's email address as the topmost name in the "User name" field of the Person
document. If the email address is included in the User name field, the user can
also enter the email address at the "User name" prompt when logging in from a
Sametime Connect client or web browser.
Lotus Sametime uses the topmost name in the "User name" field to validate a
user in a database ACL. If you require basic password authentication for a
database and you enter the names of individual users in the ACL of a database,
enter the topmost name that appears in the "User name" field of the Person
document in the database ACL. Although the user can enter "GOllerman" when
logging on, Sametime uses "Gary Ollerman/Community" to validate the user in
the database ACL. Therefore, "Gary Ollerman/Community" must be the name
that appears for this user in database ACLs.
v Internet password - This field is required. Users must enter the Internet
password to authenticate with the Lotus Sametime server using a Web browser
or the Sametime Connect client. In the example, the Internet password is
"sametime." The password displays as a series of random characters because
Internet passwords are encrypted on the Person document.
Self-registration
If you are using the self-registration feature of the Lotus Sametime server, a Person
document containing a last name, user name, and Internet password is
automatically created for a user in the Domino Directory on the Lotus Sametime
server at the time the user self-registers. Agents in the Self-Registration database
(streg.nsf) access the Domino Directory to create these Person documents. The
signers of these agents must have the proper access levels and permissions in the
Domino Directory for self-registration to work properly. If you allow
self-registration, you might need to add these signers to the Domino Directory ACL.
The Lotus Sametime self-registration feature cannot be used if you have configured
the Lotus Sametime server to operate with an LDAP directory on a third-party
server (such as a Microsoft Exchange or Netscape Directory Server).
LDAP
If you have configured the Lotus Sametime server to operate with an LDAP
directory on a third-party server, the authentication process uses the user names
and passwords stored in the LDAP directory. It is not necessary to create Person
documents containing separate user names and passwords in the Domino
Directory on the Lotus Sametime server.
Related concepts
Using database ACLs for identification and authentication
Identification and authentication is the process of determining the name of a user
and verifying that users are who they say they are. You can use database Access
Control Lists (ACLs) to control access to individual databases on the server.
Basic password authentication and database ACLs
You can set a database ACL to require basic password authentication.
Related tasks
Changing a user's password
When accessing the IBM Lotus Sametime server from any Lotus Sametime client,
the user might be prompted for a user name and password. The password is
specified in the Internet password field on the user's Person document in the
Domino Directory on the Lotus Sametime server.
Setting up basic password authentication in a database Access Control List (ACL)
You can require users to specify a valid name and password when accessing a
database on the Sametime server.
Changing a user's password:
When accessing the IBM Lotus Sametime server from any Lotus Sametime client,
the user might be prompted for a user name and password. The password is
specified in the Internet password field on the user's Person document in the
Domino Directory on the Lotus Sametime server.
About this task
To change a user's password, open the user's Person document and enter a new
password in the "Internet password" field.
Note: If you have configured the Lotus Sametime server to operate with an LDAP
directory on an LDAP server, the authentication process uses the passwords
specified in the LDAP directory. Use the administrative tools provided with the
third-party LDAP server to access the LDAP directory and make password changes
for individual users. You cannot change passwords stored in an LDAP directory
from the Sametime Administration Tool.
To change a user's Internet password in the Domino Directory on the Lotus
Sametime server:
Procedure
1. From the Lotus Sametime server home page, open the Sametime
Administration Tool.
2. Select Domino Directory.
3. Select Domino.
4. Select Manage People.
5. Double-click the name of the user whose password you want to change.
6. Click Edit Person.
7. Enter the new password in the "Internet password" field of the Person
document. You might want to write the new password down before closing
and saving the Person document. After you close and save the Person
document, the Internet password is encrypted and you cannot view it.
8. Select Save and Close.
Ensuring Sametime servlet access when Domino requires SSL for all connections:
An IBM Lotus Sametime server installs on a Domino server and relies on the
Domino HTTP server to handle all HTTP traffic to the Lotus Sametime server. To
encrypt web browser access to the Sametime Meeting Center with SSL, the
administrator must configure the Domino HTTP server to support SSL.
About this task
When setting up a Domino HTTP server to support SSL, the administrator can
force all connections to the Domino server to use SSL. The administrator forces all
HTTP connections to use SSL by performing either of the following configurations
in the Ports-Internet Ports-Web section of the Domino Server document during the
Domino HTTP server SSL set up procedure:
v Setting the Web HTTP "TCP IP port status" setting to "Disabled" and setting the
Web HTTP "SSL port status" to "Enabled."
v Setting the Web HTTP "TCP IP port status" to "Redirect to SSL."
If you force all HTTP connections to use SSL, you must also configure the Lotus
Sametime server to support SSL for HTTP connections to its servlets. If you do not
configure the Lotus Sametime server to support SSL for connections to its servlets,
users will be unable to access the Lotus Sametime server.
To ensure access to the Lotus Sametime servlets when Domino requires SSL for all
connections, complete the following steps:
Procedure
1. Set up the Domino server to support SSL.
2. Import the SSL trusted root or SSL server certificate into the key store
database on the Sametime server.
3. Modify the Sametime configuration for SSL.
Results
You can use these procedures regardless of whether your Lotus Sametime server
operates on the Windows, AIX, Solaris, Linux or IBM i operating system.
Note: It is possible to configure a Domino server to allow unencrypted HTTP
connections on port 80 and simultaneously allow SSL-encrypted HTTP (or HTTPS)
connections on port 443. This configuration enables you to encrypt connections to
databases containing sensitive data while allowing unencrypted connections to
databases that do not contain sensitive data. Since the Domino server on which
Lotus Sametime is installed is dedicated to supporting only Lotus Sametime, it is
unlikely that such a configuration would be implemented on a Domino/Sametime
server.
Domino security and the web browser connection:
To attend a meeting on the Lotus Sametime server, a user first connects to the
Lotus Sametime HTTP server with a web browser. By default, the user is not
authenticated when accessing the Lotus Sametime server over the HTTP port and is
able to access the Lotus Sametime server home page database (stcenter.nsf)
without entering a user name and password.
By using the Access Control List (ACL) settings of individual databases, the Lotus
Sametime administrator can force users to authenticate using basic password
authentication when they attempt to access the databases on the server.
Generally, the first database that a user accesses when connecting to the Lotus
Sametime server is the Domino database that contains the Lotus Sametime server
home page (stcenter.nsf). By default, the ACL settings of the stcenter.nsf database
allow anonymous access so users can access the Lotus Sametime server home page
without being authenticated (entering a user name and password that is verified
against entries in a directory).
After accessing the home page, a user selects links to access other databases on the
Lotus Sametime server. Most users will access the Sametime Meeting Center
(stconf.nsf). The Lotus Sametime Administrator can alter the ACLs of these
databases to force users to authenticate at the time they select the link that accesses
the database.
The databases on the Lotus Sametime server that are accessible from the Lotus
Sametime server home page include:
v Self-Registration (streg.nsf) - An administrator controls whether
self-registration is available on the server. The administrator controls
self-registration by selecting or clearing the "Allow people to register themselves
in the Directory" check box available from the Domino Directory - Domino
option in the Sametime Administration Tool. The self-registration database
(streg.nsf) should always allow anonymous access to enable anonymous users to
self register when the administrator allows self-registration.
v Server Administration - You must add users to the ACLs of several Lotus
Sametime databases when allowing other users to have administrative privileges
on the Lotus Sametime server. For more information about controlling access to
the Sametime Administration Tool, see Adding a new Sametime administrator.
Note: By default, the connection from a web browser to the Lotus Sametime server
is neither authenticated nor encrypted. The authentication occurs at the time a user
accesses an individual database on the Lotus Sametime server. You can configure
Lotus Sametime so that all HTTP traffic (including passwords and authentication
tokens) that passes over the connection between the web browser and the HTTP
server is encrypted using the Secure Sockets Layer (SSL).
Note: References to the Sametime Meeting Center and to the web browser
connection do not apply to Sametime Entry servers.
Related concepts
Using database ACLs for identification and authentication
Identification and authentication is the process of determining the name of a user
and verifying that users are who they say they are. You can use database Access
Control Lists (ACLs) to control access to individual databases on the server.
Anonymous access and database ACLs
You can set a database ACL to allow anonymous access.
Basic password authentication and database ACLs
You can set a database ACL to require basic password authentication.
Related tasks
Setting up anonymous access in a database Access Control List (ACL)
To allow anonymous access to a database, you can add the Anonymous entry to
the ACL and assign an access level to the Anonymous entry.
Setting up basic password authentication in a database Access Control List (ACL)
You can require users to specify a valid name and password when accessing a
database on the Sametime server.
Using database ACLs for identification and authentication:
Identification and authentication is the process of determining the name of a user
and verifying that users are who they say they are. You can use database Access
Control Lists (ACLs) to control access to individual databases on the server.
For each database on the server, you can set the ACL to allow:
v Anonymous access
or
v Basic password authentication
The settings in the database ACLs work together with the "Maximum Internet
name & password" setting for each database to control the level of access that web
browser users have to a database on the Sametime server.
Using database ACLs
The database ACL defines user access to the content of the database. Before you set
up basic password authentication or anonymous access to a database, you should
be familiar with how to add users to a database ACL and the available settings
within the ACL. For more information, see:
v Adding a name to a database ACL
v Database ACL settings
Maximum Internet name & password setting
The "Maximum Internet name & password" setting on the Advanced panel of each
database ACL specifies the maximum level of access to the database that is
allowed for web browser clients. This setting overrides individual levels set in the
ACL.
Generally, administrators should not need to change the "Maximum Internet name
& password" settings for databases on the Sametime server. The default settings
should function adequately in most cases.
Adding a name to a database Access Control List (ACL):
Use the Sametime Administration Tool to add a name to a database Access Control
List.
Procedure
1. From the Sametime server home page, click Administer the Server to open
the Sametime Administration Tool.
2. If you are using a Domino Directory with the Sametime server, select Domino
Directory - Domino. If you are using an LDAP directory with the Sametime
server, select LDAP Directory.
3. Select Access Control.
4. Select a database from the list.
5. Click Access. The database ACL displays.
6. Click Add.
7. In the dialog box, type the exact user name from a Person document or the
group name from a Group document. Click OK.
When entering a user name for a user with a Person document in the Domino
Directory on the Sametime server, type the name exactly as it appears in the
topmost entry of the "User name" field in the user's Person document.
When entering the names of users or groups registered in an LDAP directory
in a Sametime database ACL, use the fully qualified Distinguished Name, but
use forward slashes (/) as delimiters instead of commas. For example, if the
Distinguished Name for the user in the LDAP directory is:
v uid = Joe Waters, ou=West, o=Example
enter the name in the Sametime database ACL as follows:
v uid = Joe Waters/ou=West/o=Example
You can also use asterisks for wildcards when entering names from an LDAP
directory or a Domino Directory in an ACL. For example, entering
*/ou=West/o=Example is equivalent to entering all users in the
ou=West/o=Example branch of the directory to the ACL.
Note: It is possible to enter entities other than user and group names in an
ACL. For more information about the types of entries that can exist in an
ACL, see User type - ACL settings.
8. Click the name entered in the previous step so that the name is selected
(highlighted).
9. In the User Type box, select the type of user (Unspecified, Person, Server,
Person Group, Server Group, or Mixed Group). For more information, see
User type - ACL settings.
10. In the Access Box, assign an access level for the user (Manager, Designer,
Editor, Author, Reader, Depositor, or No Access). For more information, see
Access level - ACL settings.
11. Edit the privileges if necessary. For more information, see Privileges - ACL
settings.
12. Click Submit.
Related concepts
Using database ACLs for identification and authentication
Identification and authentication is the process of determining the name of a user
and verifying that users are who they say they are. You can use database Access
Control Lists (ACLs) to control access to individual databases on the server.
Basic password authentication and database ACLs
You can set a database ACL to require basic password authentication.
Database ACL settings:
A database Access Control List (ACL) contains a list of users and defines user
access to the contents of the database.
For each user in the database ACL, you can specify the following ACL settings:
v User type
v Access level
v Privileges
Related concepts
Using database ACLs for identification and authentication
Identification and authentication is the process of determining the name of a user
and verifying that users are who they say they are. You can use database Access
Control Lists (ACLs) to control access to individual databases on the server.
Basic password authentication and database ACLs
You can set a database ACL to require basic password authentication.
Related tasks
Setting up basic password authentication in a database Access Control List (ACL)
You can require users to specify a valid name and password when accessing a
database on the Sametime server.
User type - ACL settings:
When you add a user or group to an ACL, you specify a user type for the entry in
the ACL. A user type identifies whether a name in the ACL is for a person, server,
group, or other entity. You assign a user type to a name to specify the type of ID
required for accessing the database with that name.
You can designate an entry in the ACL as any of the following user types:
Unspecified
Select the Unspecified user type if you want to enable the name you are
entering to access the database with any type of ID (Person, Server, or
Group). The Default entry in an ACL is always assigned the Unspecified
user type. IDs used to sign agents, such as Sametime Development/Lotus
Notes Companion Products, are also assigned the Unspecified user type
when entered in a database ACL.
Person
Select the Person user type if the name you are entering belongs to a user
who has a Person document containing a user name and Internet password
in the Directory on the Lotus Sametime server or if the user has a Person
entry in an LDAP directory on a third-party server.
Server
Select the Server user type if the name you are entering belongs to another
server in the Domino domain. When multiple servers are installed in a
Domino environment, it might be necessary for a server to access data
within the database or to replicate a database. Server names are frequently
added to the pre-existing LocalDomainServers and OtherDomainServers
server groups. The Server user type is generally used only if you have
installed Lotus Sametime in a Domino environment. This user type
performs the same function as it does on a Domino server.
Mixed Group
Select the Mixed Group user type if the name you are entering belongs to a
group that consists of both Server and Person names.
Person Group
Select the Person Group user type if you are entering the name of a group
that contains only people. You can enter a group from the Directory on the
Lotus Sametime server, or you can enter a group stored in an LDAP
directory on a third-party server in the ACL of a database.
Server Group
Select the Server Group user type if the name you are entering belongs to a
group that consists of only servers.
Access level - ACL settings:
Access levels are the database ACL settings that control the type of actions a user
can perform on the contents of a database and on the database itself.
Access levels range from No Access, which prevents a user from opening a
database, to Manager, which lets a user read, create, and edit the ACL and all
documents in the database.
Users that are listed both individually and in one or more groups in the ACL
might be assigned different levels of access. The access level granted in an
individual entry takes precedence over the access level granted through a group
entry. If a user is in multiple groups, the user is granted the access level of the
group with the highest level of access.
If a user or group has one level of access in the ACL and another level of access in
a database component (such as a Read or View access list), the database
component access level takes precedence over the user or group access level.
The following access levels are listed from lowest to highest. A higher access level
has all the privileges granted to lower access levels. For example, Authors can
perform all of the functions of a Depositor and a Reader.
No Access
No Access prevents a user from accessing the database. For example, if you
assign No Access as the Default access for a database, only a user who has
a Person document in the Address Book and is listed in the ACL can
access the database.
Depositor
Depositor access allows a user to create documents but not view any
documents in the database, including the documents created by the user.
This access level is not generally used for Lotus Sametime databases. This
ACL type is most frequently used for automatic agents to write documents
into a database for Domino workflow applications.
Reader
Reader access allows a user to read documents in a database, but not
create or edit documents. For example, you can assign Reader access in the
Meeting Center (stconf.nsf) ACL to users who are allowed to attend but
not start meetings.
Note: If you assign a user the Reader access level in the Meeting Center
(stconf.nsf), the user can attend listed meetings but cannot attend unlisted
meetings in the Meeting Center. To enable a user with Reader access to
also attend unlisted meetings, you must select the "Write public
documents" check box for that user in the ACL.
Author
Author access allows a user to create and edit documents. Users with
Author access can edit documents they have created themselves, but they
cannot edit documents created by other users.
Assign Author access in the Meeting Center ACL to allow users to create
meetings in the Lotus Sametime Meeting Center. Meeting Center users
with Author access can modify the meetings they create, but they cannot
modify meetings created by other users. To create a meeting, the user must
have Author access and the Write Public Documents privilege selected.
Editor
Editor access allows users to read, create, and edit all documents in the
database, including those created by other users.
Assign Editor access in the Meeting Center ACL to users who are allowed
to modify meetings they create and meetings that are created by other
users. Editors can also start meetings in the Meeting Center. To create
meetings, the user must also have the Write Public Documents privilege
selected.
Designer
Designer access allows a user to create full-text indexes, modify all
database design elements, and read, create, and edit all documents in the
database. This access level is primarily for programmers and database
developers.
Manager
Manager access allows a user to read, create, and edit the ACL and all
documents in a database, modify ACL settings, and delete the database.
Modifying the ACL and deleting databases are tasks permitted by no other
access level. This access level is usually assigned to Lotus Sametime
administrators and is not recommended for general users.
Each database must have at least one Manager. Generally, the Manager
access level is provided in each database to the person specified as the
administrator during the Lotus Sametime installation and setup procedure.
You should assign Manager access to two people in case one manager is
unavailable. For information about granting other users administrative
privileges, see Allowing others to use the Sametime Administration Tool.
Privileges - ACL settings:
The database Access Control List (ACL) defines privileges for users.
Depending on the access level assigned to a user, some ACL permissions are
granted, denied, or optional. Privileges listed in the ACL are:
Create documents
This privilege allows users to create documents in a database. This
privilege is:
v Permanently granted to Managers, Designers, Editors, and Depositors
v Permanently denied to Readers
v Optionally granted to Authors
382
Lotus Sametime: Installation and Administration Guide Part 2
Delete documents
This privilege allows users to delete documents from a database. This
privilege is:
v Permanently denied to Readers and Depositors
v Optionally granted to Managers, Designers, Editors, and Authors
Create personal agents
This privilege allows a Lotus Notes developer or user to create agents
that perform automated procedures in a database. This privilege is:
v Permanently granted to Managers and Designers
v Optionally granted to Editors, Authors, and Readers
Clear this option on server databases to prevent certain users from creating
personal agents that take up server disk space and processing time. Use
the Agent Restrictions settings in the Security tab of the Server document
in the Directory to prevent users from running personal agents on a server,
even if the "Create personal agents" permission in a server database ACL is
selected.
Create personal folders/views
This privilege is:
v Permanently granted to Managers and Designers
v Permanently denied to Depositors
v Optionally granted to Editors, Authors, and Readers
Personal folders and views created on a server are more secure and are
available on multiple servers. Also, administrative agents can operate only
on folders and views stored on a server. If this permission is not selected,
users can still create personal folders and views that are stored on their
local workstations. Clear this option to save disk space on a server.
Create shared folders/views
This privilege is:
v Permanently granted to Managers and Designers
v Permanently denied to Authors, Readers, and Depositors
v Optionally granted to Editors
Deny this privilege to Editors to save disk space on a server and maintain
tighter control over database design.
Create LotusScript®
This privilege is:
v Permanently granted to Managers
v Permanently denied to Depositors
v Optionally granted to Designers, Editors, Authors, and Readers
Clear this option on server databases to prevent certain users from running
restricted and unrestricted LotusScript agents that take up server disk
space and processing time. Use the Agent Restrictions settings in the
Security tab of the Server document in the Directory to prevent users from
running restricted and unrestricted LotusScript agents on a server, even if
the "Create LotusScript" permission in a server database ACL is selected.
Read Public Documents
This privilege is:
v Permanently granted to Managers, Designers, Editors, Authors, and
Readers
v Optionally granted to Depositors
Write Public Documents
This privilege is:
v Permanently granted to Managers, Designers, and Editors
v Optionally granted to Authors, Readers, and Depositors
Public documents, such as the meeting details document in the Sametime
Meeting Center, are designed to be accessed by a wide audience. Users
with the Write Public Documents permission can read, create, edit, and
delete public documents from a database. To create a meeting in the
Sametime Meeting Center, a user must have at least the Author access level
with the Write Public Documents privilege selected.
A user must also have the Write Public Documents privilege selected to
attend unlisted meetings on the Sametime server.
Users without the Write Public Documents privilege are prompted for a
password when accessing a database with public documents. After
entering the user name and Internet password, the user is given the
Default access level to the database.
Roles - ACL settings:
Database Access Control List (ACL) roles grant access to individual database
components, such as forms or views.
You can use ACL roles to delegate authority for managing specific documents in a
database. You can create up to 75 roles in a database. For example, you can assign
the roles of UserCreator and UserModifier in the Directory (Address Book) ACL to
the administrator who has the responsibility for creating and maintaining Person
documents.
ACL roles are optional in most databases. You can choose to rely on a broader
access level and not use roles.
For more information on roles available in important Sametime databases, see
Roles in Sametime databases ACLs.
Anonymous access and database ACLs:
You can set a database ACL to allow anonymous access.
Anonymous access has the following characteristics:
v Users are not identified or authenticated when they access databases and
applications on the server.
v Data sent between the user and the Sametime server is not encrypted.
v Anonymous users are not identified in the maintenance log files. All anonymous
user activity is recorded under the name "Anonymous."
The anonymous access level requires the least maintenance from the administrator,
but it is the least secure. You should only allow anonymous access when you do
not need to know the identity of users accessing your server. For example, use
anonymous access if the Sametime server is behind your firewall and you plan to
allow only trusted intranet users to access it.
Setting up anonymous access in a database Access Control List (ACL):
To allow anonymous access to a database, you can add the Anonymous entry to
the ACL and assign an access level to the Anonymous entry.
About this task
Note: Alternatively, you can remove the Anonymous entry from the ACL and
assign an access level to the Default entry in the ACL. When the Anonymous entry
is removed from the ACL, anonymous users receive the access level and privileges
assigned to the Default entry in the database ACL.
Use the following procedure to allow anonymous users to access a database:
Procedure
1. From the Sametime server home page, click the "Administer the Server" link to
open the Sametime Administration Tool.
2. If you are using a Domino Directory with the Sametime server, select Domino
Directory - Domino. If you are using an LDAP directory with the Sametime
server, select LDAP Directory.
3. Select Access Control.
4. Select a database from the list.
5. Click the Advanced button.
6. Set the "Maximum Internet name & password" access to Manager, which is the
maximum access level.
Note: The "Maximum Internet name & password" setting on the advanced panel
of each database Access Control List (ACL) specifies the maximum database
access level granted to web browser clients. This setting overrides higher
individual access levels set in the ACL. For example, if you set the "Maximum
Internet name & password" to Author, and assign Editor access to the
Anonymous entry in the database ACL, anonymous users will only have
Author access to the database. Alternatively, if you set the "Maximum Internet
name & password" to Manager, and assign Reader access to the Anonymous
entry in the database ACL, anonymous users will only have Reader access to
the database. Because the setting is a ceiling on what any browser client can
obtain, setting it to Manager removes that ceiling; if no browser user needs
more than, for example, Editor access, set it to the highest level browser
users actually require.
7. Click the Access button.
If the Anonymous entry exists in the ACL, select the Anonymous entry and
assign an access level (for example, Author). Edit the default privileges if
necessary.
If the Anonymous entry does not exist in the ACL, users who access the
database anonymously receive the access level and privileges assigned to the
Default entry in the ACL.
Note: If the Anonymous entry does not exist in the ACL, the administrator also
has the option to create an Anonymous entry and assign an access level and
privileges. In this case, users receive the access level associated with the
Anonymous entry instead of the Default entry.
8. Click Submit.
What to do next
If you set the ACL of the Sametime Meeting Center database to allow anonymous
access, you should ensure that users are required to enter a display name when
accessing the database. To ensure that users will be required to enter a display
name to appear in the Participant List of the Sametime Meeting Room during a
scheduled meeting, make sure that the "Users of Sametime or Sametime
applications can specify a display name so that they do not appear online as
'anonymous'" setting is selected in the Sametime Servers → Sametime Community
Servers → deployment_name → Anonymous setting of the Sametime System
Console.
Basic password authentication and database ACLs:
You can set a database ACL to require basic password authentication.
Basic password authentication has the following characteristics:
v Users are identified and authenticated when they access databases and
applications on the server.
v A web browser user must have a user name and an Internet password stored in
the user's Person document to access databases. Only users with these
credentials can access a database that requires basic password authentication.
v Data transmitted between the user and the Lotus Sametime server (including the
name and password) is not encrypted.
v Users are identified in the maintenance log files.
Basic password authentication identifies users, but it does not prevent
unauthorized users from listening to network transmissions or gaining server
access by guessing passwords. For information on using Secure Sockets Layer
(SSL) to encrypt the data that passes over the web browser connection to the IBM
Lotus Sametime server, see Configuring Sametime to use SSL encryption.
Using the Default entry or individual names in database ACLs
When basic password authentication is enabled for a database, browser clients are
authenticated when they attempt to open a database. For example, a web browser
user might be authenticated when selecting the "Attend a Meeting" link from the
Lotus Sametime server home page to access the Sametime Meeting Center database
(stconf.nsf).
The Lotus Sametime server challenges the user to supply a valid name and
password and then verifies that the user's response matches the information stored
in the user's Person document in the Domino Directory (or LDAP directory if you
have configured Lotus Sametime to operate with an LDAP directory).
Authentication succeeds if the user name and password provided by the user
matches the user name and password in the directory and:
v The user is listed individually or as a member of a group in the database ACL.
or
v The Anonymous entry is set to No Access while an access level is specified for
the Default entry in the ACL. Using this method allows you to require users to
authenticate but prevents you from having to add individual entries for every
user and group in the ACL.
When the Anonymous entry in the database ACL is set to No Access, users are
presented with a logon prompt when they attempt to access the database.
Users must enter the user name and Internet password at the logon prompt. Users
that are successfully authenticated are then provided with the access level that is
specified for the Default entry in the database ACL.
If both the Anonymous entry and the Default entry in the database ACL are set to
No Access, a user must be listed in the ACL individually or as part of a group to
access the database. Setting the Anonymous and Default entries to No Access
provides the strictest control over access to the database because only users and
groups that are listed in the ACL are allowed to access the database.
An individual name receives precedence over the Default entry. If a user's name is
entered in a database ACL and provided with an access level, the user receives the
access level assigned to the user name entry in the database. Only users who are
not listed individually in the database ACL receive the Default access level.
Note: If the Anonymous entry does not exist in the database ACL, the Default
entry in the ACL must be set to "No access" to require basic password
authentication to the database. When the Anonymous entry does not exist in the
database ACL, anonymous users can access the database and receive the access
level assigned to the Default entry in the database. If the Anonymous entry exists
in the ACL and is assigned the "No access" access level, users are authenticated
when accessing the database and receive the access level specified for the Default
entry in the ACL.
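The access decision described in this section and the preceding ACL sections can be checked against a small model. The following is an added example, not Domino's or Sametime's code: it encodes the rules stated above (an individual entry before a group entry before the Default entry, the Anonymous entry and the logon prompt, the "Maximum Internet name & password" ceiling, and the Author plus Write Public Documents requirement for stconf.nsf) against constructed ACLs and user names. The spelling "-Default-" for the Default entry, and granting the highest level when several groups match, are Domino conventions assumed here.

```python
"""Model of how a Domino database ACL resolves a web browser user's access:
an individual entry wins over groups and over the Default entry, the
Anonymous entry (if present) governs unauthenticated requests, an effective
level of No Access for an anonymous request means the server prompts for a
name and Internet password, and the "Maximum Internet name & password"
setting caps whatever the ACL grants. Added illustration, not Domino's
implementation; users, groups and ACLs are constructed."""

LEVELS = ["No Access", "Depositor", "Reader", "Author", "Editor", "Designer", "Manager"]
RANK = {name: i for i, name in enumerate(LEVELS)}


def cap_level(level, maximum):
    """Apply the "Maximum Internet name & password" ceiling."""
    return level if RANK[level] <= RANK[maximum] else maximum


def resolve_access(acl, user=None, groups=(), max_internet="Manager"):
    """Return (decision, level) for one browser request.

    acl          -- dict of ACL entry name -> access level
    user         -- authenticated name, or None for an unauthenticated request
    groups       -- names of ACL groups the authenticated user belongs to
    max_internet -- the "Maximum Internet name & password" advanced setting
    decision     -- "granted", "denied", or "prompt" (the server challenges
                    for a name and Internet password before deciding)
    """
    default = acl.get("-Default-", "No Access")
    if user is None:
        # The Anonymous entry governs if it exists; otherwise Default applies.
        level = cap_level(acl.get("Anonymous", default), max_internet)
        if level == "No Access":
            return ("prompt", level)  # basic password authentication is required
        return ("granted", level)

    if user in acl:  # an individual entry takes precedence
        level = acl[user]
    else:
        matched = [acl[g] for g in groups if g in acl]
        # Several matching groups: Domino grants the highest of their levels.
        level = max(matched, key=RANK.get) if matched else default
    level = cap_level(level, max_internet)
    return ("granted" if level != "No Access" else "denied", level)


def can_create_meeting(level, write_public_documents):
    """stconf.nsf: at least Author access plus the Write Public Documents privilege."""
    return RANK[level] >= RANK["Author"] and write_public_documents


def can_attend_unlisted_meeting(level, write_public_documents):
    """Readers attend listed meetings; unlisted ones also need Write Public Documents."""
    return RANK[level] >= RANK["Reader"] and write_public_documents


def demo():
    """Constructed ACLs that reproduce the cases discussed in the text."""
    # Anonymous = No Access, Default = Author: everyone logs in, then gets Author.
    login_required = {"Anonymous": "No Access", "-Default-": "Author"}
    # No Anonymous entry: anonymous users receive the Default level.
    open_reader = {"-Default-": "Reader"}
    # Anonymous = Editor but the ceiling is Author: anonymous users get Author.
    capped = {"Anonymous": "Editor", "-Default-": "No Access"}
    # Strictest form: only listed names and groups get in; individual beats group.
    strict = {"Anonymous": "No Access", "-Default-": "No Access",
              "Jane Doe/Example": "Editor", "MeetingCreators": "Author"}
    return {
        "anonymous_prompted": resolve_access(login_required),
        "authenticated_default": resolve_access(login_required, user="Bob Roe/Example"),
        "anonymous_default": resolve_access(open_reader),
        "anonymous_capped": resolve_access(capped, max_internet="Author"),
        "individual_wins": resolve_access(strict, user="Jane Doe/Example",
                                          groups=["MeetingCreators"]),
        "group_level": resolve_access(strict, user="Bob Roe/Example",
                                      groups=["MeetingCreators"]),
        "unlisted_denied": resolve_access(strict, user="Carl Poe/Example"),
    }
```

Run `demo()` to see each case; the "strict" ACL (both Anonymous and Default at No Access) is the configuration the text calls the tightest control, and the model shows that a user who is in neither an individual nor a group entry is denied even after a successful password check.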
Related concepts
Database ACL settings
A database Access Control List (ACL) contains a list of users and defines user
access to the contents of the database.
Related tasks
Setting up basic password authentication in a database Access Control List (ACL)
You can require users to specify a valid name and password when accessing a
database on the Sametime server.
Setting up basic password authentication in a database Access Control List (ACL):
You can require users to specify a valid name and password when accessing a
database on the Sametime server.
About this task
Follow these steps to set up basic password authentication for a database.
Procedure
1. From the Sametime server home page, click Administer the Server to open
the Sametime Administration Tool.
2. If you are using a Domino Directory with the Sametime server, select Domino
Directory → Domino. If you are using an LDAP directory with the Sametime
server, select LDAP Directory.
3. Select Access Control.
4. Select a database from the list.
5. Click Advanced.
6. Set the "Maximum Internet name & password" access to Manager, which is
the maximum access level.
Note: The "Maximum Internet name & password" setting on the advanced
panel of each database Access Control List (ACL) specifies the maximum
database access level granted to web browser clients. This setting overrides
higher individual access levels set in the ACL. For example, if you set the
"Maximum Internet name & password" to Author and assign Manager access
to the Anonymous entry in the database ACL, anonymous users will only
have Author access to the database. Alternatively, if you set the "Maximum
Internet name & password" to Manager and assign Reader access to the
Anonymous entry in the database ACL, anonymous users will only have
Reader access to the database.
7. Click Access.
8. Select the Anonymous entry, and then select No Access in the Access box.
If the Anonymous entry does not exist, you must create it. Use the following
procedure to create an Anonymous entry and assign the No Access level to
the entry:
v Click Add.
v Type Anonymous in the dialog box and click OK.
v Select the Anonymous entry, and then select No Access in the Access box.
9. Select the Default entry. You can either set an access level for the Default
entry, or set the Default entry to No Access.
v If you specify an access level for the Default entry other than No Access, all
users are required to authenticate when accessing the database. Each
authenticated user receives the access level you have specified for the
Default entry. It is not necessary to enter individual names or groups in the
ACL. After selecting an access level for the Default entry, click Submit. You
have finished the procedure required to set up basic password
authentication in a database ACL. Skip the remaining steps.
v If you select No Access for the Default entry, you must enter individual
user names or group names in the ACL. Only the names and groups you
enter can access the database. Complete steps 10 and 11 to add users to the
ACL.
10. Click Add to add user names or group names to the ACL. Click OK after
adding each name.
11. Click Submit.
Related concepts
Using database ACLs for identification and authentication
Identification and authentication is the process of determining the name of a user
and verifying that users are who they say they are. You can use database Access
Control Lists (ACLs) to control access to individual databases on the server.
Basic password authentication and database ACLs
You can set a database ACL to require basic password authentication.
Database ACL settings
A database Access Control List (ACL) contains a list of users and defines user
access to the contents of the database.
Setting up single sign on authentication:
IBM Lotus Sametime single sign-on (SSO) authentication allows web users to log in
once to a Domino or WebSphere server, and then access any other Domino or
WebSphere server in the same DNS domain that is enabled for single sign-on (SSO)
without having to log in again. In a multiple server environment, it is possible that
one or more servers in your Domino domain are already configured for Domino
SSO, and the Domino Directory already contains a Domino Web SSO configuration
document. When you install Lotus Sametime, it creates a Web SSO configuration
document called LtpaToken unless one already exists in the Domino Directory. If
an LtpaToken configuration document already exists, Lotus Sametime does not
attempt to alter it.
About this task
In some cases, it may be necessary to alter the default configuration of the Domino
SSO feature following the Sametime server installation. For instructions, see
“Altering the Domino Web SSO configuration following the Lotus Sametime server
installation” on page 356.
Configuring the Domino Server for Web SSO
Complete the steps in this section if your Domino server is not configured for Web
SSO, and you want to use the Web SSO document that Lotus Sametime creates to
configure it.
Procedure
1. From the Domino Administrator or a Lotus Notes client, click File → Database →
Open. Browse to the Domino server and type names.nsf in the Filename field.
Click Open.
2. Expand the list of Web SSO Configurations.
Note: If you attempt to open this document from the Domino Administrator
Configuration tab, Web → Web Configurations view, the Web SSO Configuration
document will not display.
3. Double-click the "Web SSO Configuration for LtpaToken" document to open it
in edit mode.
4. Update these fields as necessary:
v Configuration name -- Enter LtpaToken.
v DNS Domain -- Make sure this is the fully qualified domain suffix of the
Sametime server. For example, if the server's fully qualified name is
server.domain.com, enter .domain.com in this field. Ensure that the leading
period (.) is present in front of the domain suffix.
v Organization -- Leave this field blank.
v Participating servers -- Add the Sametime server and the other servers that
belong to the SSO realm to the list.
Note: When adding servers to the Participating servers field, click the arrow
and choose the name from an Address Book when possible. If this is not
possible, make sure that you use the full hierarchical name when you add a
server (for example, Server1/Example, that is, CN=Server1/O=Example).
5. After entering the information, select Keys and do one of the following:
v Create a Domino SSO Key.
v If WebSphere is participating in SSO, replace the Domino SSO key created by
the install program with the WebSphere LTPA key, so that Domino and
WebSphere use an identical key for token validation and generation. Do this by
importing the LTPA key from WebSphere into Domino. For more information, see
“Setting up SSO between Sametime Meeting Server and Sametime Community
Server” on page 359.
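The requirement that every participating server hold the identical key is easiest to see on the token itself. The following is an added example, not IBM's code: it reimplements the Domino-style LtpaToken layout (version 1 format: a fixed 4-byte header, creation and expiration times as 8 hex characters each, the user name, and a SHA-1 digest over all of that plus the LTPA shared secret) well enough to show that a token issued under one key is rejected under another, that an expired token is rejected, and that the name inside a token cannot be changed without the secret. WebSphere's own LTPA2 tokens use a different, encrypted format; what carries over is the shared-key rule. The secrets, names and times are constructed, and the Set-Cookie helper only illustrates the leading period required in the DNS Domain field.

```python
"""Domino-style LtpaToken (the version 1 layout used by Domino Web SSO as
commonly documented): 4-byte header, creation and expiration times as 8 hex
characters each, the user name, then SHA-1 over all of that plus the LTPA
shared secret. Added illustration, not IBM's implementation; secrets, names
and times are constructed."""
import base64
import hashlib
import hmac
import time

LTPA_V1_HEADER = b"\x00\x01\x02\x03"
DIGEST_LEN = 20  # SHA-1 digest length


def generate_ltpa_token(username, secret, now=None, lifetime=1800):
    """Issue a token for `username`, valid for `lifetime` seconds.

    secret -- raw bytes of the LTPA shared secret (the Web SSO Configuration
              document stores it base64-encoded; decode it first)
    """
    now = int(time.time()) if now is None else int(now)
    body = (LTPA_V1_HEADER
            + f"{now:08x}".encode()             # creation time
            + f"{now + lifetime:08x}".encode()  # expiration time
            + username.encode("utf-8"))
    digest = hashlib.sha1(body + secret).digest()
    return base64.b64encode(body + digest).decode("ascii")


def validate_ltpa_token(token, secret, now=None):
    """Return the user name carried by `token` if it was issued under `secret`
    and has not expired, otherwise None. Wrong key, tampering and expiry all
    fail the same way, so the check leaks nothing to a caller."""
    now = int(time.time()) if now is None else int(now)
    try:
        raw = base64.b64decode(token, validate=True)
    except ValueError:
        return None
    if len(raw) < len(LTPA_V1_HEADER) + 16 + DIGEST_LEN or not raw.startswith(LTPA_V1_HEADER):
        return None
    body, digest = raw[:-DIGEST_LEN], raw[-DIGEST_LEN:]
    expected = hashlib.sha1(body + secret).digest()
    if not hmac.compare_digest(digest, expected):  # constant-time comparison
        return None
    try:
        expiration = int(body[12:20], 16)
    except ValueError:
        return None
    if now >= expiration:
        return None
    return body[20:].decode("utf-8")


def ltpa_set_cookie(token, dns_domain):
    """Set-Cookie value a participating server sends. `dns_domain` is the Web
    SSO Configuration document's DNS Domain field and must carry the leading
    period so the browser returns the cookie to every server in that suffix.
    Without SSL on the HTTP connection this token crosses the network in clear."""
    if not dns_domain.startswith("."):
        raise ValueError("DNS Domain must start with a period, for example .example.com")
    return f"LtpaToken={token}; Domain={dns_domain}; Path=/"


def swap_username(token, new_name):
    """What an attacker holding a token but not the secret could try: replace
    the name and keep the original digest."""
    raw = base64.b64decode(token)
    body, digest = raw[:-DIGEST_LEN], raw[-DIGEST_LEN:]
    return base64.b64encode(body[:20] + new_name.encode("utf-8") + digest).decode("ascii")


def demo():
    """Domino and WebSphere with, and without, the same imported LTPA key."""
    shared_secret = b"constructed-ltpa-shared-secret"    # same key on both servers
    not_imported = b"constructed-websphere-only-secret"  # key import was skipped
    issued_at = 1_700_000_000
    token = generate_ltpa_token("CN=Jane Doe/O=Example", shared_secret, now=issued_at)
    return {
        "same_key": validate_ltpa_token(token, shared_secret, now=issued_at + 60),
        "different_key": validate_ltpa_token(token, not_imported, now=issued_at + 60),
        "expired": validate_ltpa_token(token, shared_secret, now=issued_at + 3600),
        "forged_name": validate_ltpa_token(
            swap_username(token, "CN=Admin/O=Example"), shared_secret, now=issued_at + 60),
        "cookie": ltpa_set_cookie(token, ".example.com"),
    }
```

The "different_key" case is what a user sees when WebSphere issues the token in phase 1 of the SPNEGO login but the Domino server was never given WebSphere's LTPA key: the Sametime login in phase 2 fails even though the token is perfectly valid on the server that minted it.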
Configuring Sametime for SPNEGO single sign-on:
IBM Lotus Sametime has a token-based single sign-on (SSO) feature that uses the
Simple and Protected GSS-API Negotiation Mechanism (SPNEGO). This feature
requires the integration of several distinct components that when completed,
allows Sametime users to log in and authenticate only once at their desktop and
thereafter automatically authenticate with the Sametime server.
Before you begin
Note: The SPNEGO feature replaces Microsoft Windows Single Sign-On; you
should use SPNEGO instead because Lotus Sametime will no longer support the
Microsoft Windows SSO feature.
Required components
v Sametime Connect client
v Sametime server pointing to a Microsoft Active Directory LDAP server
v WebSphere server
v Microsoft Windows Active Directory Domain Controller and associated Kerberos
Key Distribution Center (KDC)
v Microsoft Windows domain member
Follow these steps to configure Sametime for SPNEGO single sign-on:
Procedure
1. Configure Sametime to use Active Directory.
2. Configure WebSphere for SPNEGO single sign-on:
a. Connect WebSphere to Active Directory.
b. Enable the WebSphere SPNEGO feature.
c. Establish the secured resource URL to be used by the Sametime client.
For detailed information, see SPNEGO Web authentication enablement in the
WebSphere Application Server information center.
3. Enable single sign-on for Domino and WebSphere application servers.
Once WebSphere has been configured for SPNEGO single sign-on, the Domino
server must import WebSphere's LTPA key to allow single sign-on between
WebSphere and Sametime. For more information, see the Domino
Administrator Help topic "Multi-server session-based name-and-password
authentication for web users (single sign-on)."
4. Validate the SPNEGO configuration.
Related concepts
“Sametime SPNEGO login sequence”
After logging into the Active Directory domain on a Microsoft Windows desktop,
the user starts the IBM Lotus Sametime Connect client. When Log In is clicked, a
two phase login operation begins.
Related tasks
“Configuring the Sametime Connect client for token login” on page 362
Single sign-ons for HTTP requests using the Simple and Protected GSS-API
Negotiation Mechanism (SPNEGO) trust association interceptor (TAI) for
WebSphere Application Server allow IBM Lotus Sametime users to log in and
authenticate only once at their desktop and receive automatic authentication from
the WebSphere Application Server.
Related information
Single sign-on for HTTP requests using SPNEGO
Sametime SPNEGO login sequence:
After logging into the Active Directory domain on a Microsoft Windows desktop,
the user starts the IBM Lotus Sametime Connect client. When Log In is clicked, a
two phase login operation begins.
No user interface or user intervention is required in this process. In phase 1,
the client executes an HTTP request for a protected URL on the IBM WebSphere
server. This request is processed by the Simple and Protected GSS-API
Negotiation Mechanism (SPNEGO) trust association interceptor (TAI), which
triggers the SPNEGO negotiation between the client machine and WebSphere.
Once trust is established, an LtpaToken is sent to the client in the HTTP
response. In phase 2, the client securely logs into the Sametime server using
the LtpaToken.
The following picture shows the Lotus Sametime SPNEGO login sequence.
Configuring Sametime to use Active Directory:
Before you can configure IBM Lotus Sametime to use SPNEGO single sign-on, you
must configure the Sametime server to use the Microsoft Windows Active
Directory.
About this task
Procedure
1. On the Sametime server home page, click Administer the Server.
2. Expand the LDAP Directory.
3. Enter values in the LDAP Directory that are appropriate for your site, and click
Update when you are finished. See the example in the following table.
Example
Tab: Connectivity
v Host name or IP address of the LDAP server:
yourserver.yourdomain.yourcompany.com
v Administrator distinguished name:
cn=administer,ou=Users,ou=Company,ou=Division,o=Group1,dc=floor5,dc=market,dc=ourcompany,dc=com
v Administrator password: mypassword
Tab: Basics
v People - Where to start searching for people (Base object for person
entries): OU=Company,O=Group,DC=floor5,DC=market,DC=ourcompany,DC=com
v People - The attribute of the person entry that defines the person's name
(for example, cn or mail): CN
v People - The object class used to determine if an entry is a person (for
example, organizationalPerson): organizationalPerson
v Groups - Where to start searching for groups (Base object for group
entries): OU=Company,O=Group,DC=floor5,DC=market,DC=ourcompany,DC=com
v Groups - Attribute of the group that defines the group name (for example,
cn or mail): CN
v Groups - The group object class used to determine if an entry is a group
(for example, groupOfNames or groupOfUniqueNames): groupofnames
Tab: Authentication
v Search filter to use when resolving a user name to a distinguished name
(Modifying this field affects the name people use to authenticate.):
(&(objectclass=organizationalPerson)(|(cn=%s)(sn=%s)(sAMAccountName=%s)(mail=%s)))
Tab: Searching
v Search filter for resolving person names:
(&(objectclass=organizationalPerson)(|(cn=%s)(sn=%s)(sAMAccountName=%s)(mail=%s)))
v Search filter for resolving group names:
(&(objectclass=groupofnames)(cn=%s*))
Tab: Group Contents
v Attribute in the group object class that has the names of the group members
(for example, member or uniqueMember): member
The administrator distinguished name is the account the Sametime server binds
with to search the directory. Use a dedicated directory account that has only
read access to the people and group subtrees; the server does not need write
access to the directory.
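The Sametime server substitutes the name a user logs in with for each %s in the filters above. The following added example, not IBM code, shows what any such substitution has to do to keep the filter's meaning: escape the RFC 4515 special characters in the value so that text containing *, (, ) or \ cannot add assertions to the filter, and a small check that counts the assertions a filled filter contains. It is useful when validating these templates with your own LDAP tooling. The trailing * in the group filter is a deliberate prefix wildcard in the template, not part of the value. Sample values are constructed.

```python
"""Filling the Sametime LDAP search-filter templates with a user-supplied
value, with RFC 4515 escaping so the value matches literally. Added
illustration, not IBM code; sample values are constructed."""

PERSON_FILTER = ("(&(objectclass=organizationalPerson)"
                 "(|(cn=%s)(sn=%s)(sAMAccountName=%s)(mail=%s)))")
GROUP_FILTER = "(&(objectclass=groupofnames)(cn=%s*))"

# RFC 4515 section 3: characters that must be escaped inside an assertion value.
_ESCAPES = {"\\": r"\5c", "*": r"\2a", "(": r"\28", ")": r"\29", "\x00": r"\00"}


def escape_filter_value(value):
    """Escape one assertion value so every character matches literally."""
    return "".join(_ESCAPES.get(ch, ch) for ch in value)


def fill_filter(template, value, escape=True):
    """Substitute every %s in the template; escape=False shows what raw input does."""
    return template.replace("%s", escape_filter_value(value) if escape else value)


def count_assertions(filter_text):
    """Attribute assertions in a filter: every '(' that does not open an
    &, | or ! list. A correctly filled template has exactly as many as the
    template itself; a value that adds assertions has changed the query."""
    return sum(1 for i, ch in enumerate(filter_text)
               if ch == "(" and filter_text[i + 1:i + 2] not in ("&", "|", "!"))


def fill_filter_checked(template, value):
    """Fill with escaping and verify the filter's shape did not change."""
    filled = fill_filter(template, value)
    if count_assertions(filled) != count_assertions(template):
        raise ValueError("substituted value changed the filter structure")
    return filled


def demo():
    """Constructed inputs: a normal login name and a value containing filter
    metacharacters, filled with and without escaping."""
    hostile = "*)(objectclass=*"
    return {
        "normal_group": fill_filter_checked(GROUP_FILTER, "Sales"),
        "normal_person": fill_filter_checked(PERSON_FILTER, "jdoe@example.com"),
        "raw_assertions": count_assertions(fill_filter(GROUP_FILTER, hostile, escape=False)),
        "escaped_assertions": count_assertions(fill_filter(GROUP_FILTER, hostile)),
    }
```

With `escape=False` the constructed value turns the two-assertion group filter into a three-assertion one whose extra clause matches every group; with escaping the value is searched for literally and the filter keeps its shape.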
Validating the SPNEGO configuration:
Before using the IBM Lotus Sametime Connect client, you can validate the Simple
and Protected GSS-API Negotiation Mechanism (SPNEGO) configuration.
Procedure
1. Log in to the Active Directory domain on the Microsoft Windows client
machine.
2. Configure the client browser to use SPNEGO. See "Configuring the client
browser to use SPNEGO" in the IBM WebSphere information center.
3. Using a browser, request the protected URL from the WebSphere server. This
action triggers the TAI interceptor. Instead of being challenged with a form
authentication dialog, you are authenticated automatically: the browser
simply loads the secured page. If this is successful, WebSphere has been
configured for SPNEGO single sign-on correctly.
4. In the same browser window, enter the address of the Sametime Meeting
Center (http://hostname/stcenter.nsf). When the page loads, you should be
logged in automatically. If you are, single sign-on between Sametime and
WebSphere has been configured correctly.
Configuring the Sametime Connect client for token login:
Single sign-ons for HTTP requests using the Simple and Protected GSS-API
Negotiation Mechanism (SPNEGO) trust association interceptor (TAI) for
WebSphere Application Server allow IBM Lotus Sametime users to log in and
authenticate only once at their desktop and receive automatic authentication from
the WebSphere Application Server.
About this task
The Lotus Sametime Connect client must be configured to use the SPNEGO SSO
feature. Configuration can be established in a silent installation or done
manually by the user.
Silent installation
The settings for token-based login can be pre-configured using the silent installer.
In the silentinstall.ini file found on the Lotus Sametime Connect compact disk,
include the following settings:
v STAUTHSERVERURL=<WebSphere Authentication URL>
v STLOGINBYTOKEN=true
v STUSEAUTHSERVER=true
Manual configuration
To configure the Sametime Connect client manually for SPNEGO single sign-on,
follow these steps:
Procedure
1. In the Log in to Sametime dialog box, enter your fully qualified host server
name and your user name.
2. Click Connectivity.
3. Select the Use token based single sign on box.
4. Enter the URL for your authentication server in the Authentication server URL
box. For example, http://authenserverurl.com.
5. Click OK.
6. In the Log in to Sametime dialog box, click Log In.
Configuring Sametime Meeting Server for secure access to a
LDAP repository
Configure secure access to a Lightweight Directory Access Protocol (LDAP)
repository used by the IBM Lotus Sametime Meeting Server.
Before you begin
Ensure that the enterprise LDAP server is running.
About this task
If the LDAP server's certificate was issued by a certificate authority (CA),
obtain that CA's root certificate (and any intermediate certificates in the
chain) and import it. If the LDAP server uses a self-signed certificate, import
the self-signed certificate itself.
Procedure
1. Import the certificate:
a. Log in to the Integrated Solutions Console for the Lotus Sametime Meeting
Server.
b. Select Security → SSL Certificate and key management → Key stores and
certificates → CellDefaultTrustStore → Signer certificates.
c. Click Add.
d. In the Alias field, type a description for the certificate, whether it's
self-signed or a public CA.
e. In the File name field, type the path to the certificate file. For example,
c:\ldap.cer.
f. Click Apply and then Save.
g. Restart all WebSphere Application Server processes for the change to take
effect.
2. Enable SSL between the Lotus Sametime Meeting Server and the LDAP
repository.
a. Log in to the Integrated Solutions Console for the Lotus Sametime Meeting
Server.
b. Select Security → Global security.
c. Click Configure.
d. In Repositories in the realm table select the LDAP server identifier.
e. In the Port field, type 636. Some LDAP servers use a different port for
the SSL connection; if so, type that port instead.
f. Click Require SSL communications.
g. Click Apply and then Save.
h. Restart the Lotus Sametime Meeting Server for the change to take effect.
Configuring security for the Lotus Sametime Media Manager
Configuring the IBM Lotus Media Manager SIP Proxy and Registrar component to
use SIP authentication and authorization requires some additional steps.
About this task
Follow the instructions in this section to configure Transport Layer Security (TLS)
if you chose it as the encryption protocol and to set up user authentication.
Enabling ports for Transport Layer encryption for an upgraded
Lotus Sametime Media Manager
After upgrading an IBM Lotus Sametime Media Manager, edit settings in the
stavconfig.xml file to specify secure ports for TLS encryption. Do this only if all
clients are running 8.5.1 or later; otherwise older clients cannot connect to the
upgraded Media Manager.
Before you begin
Make a note of the values you need to transfer to stavconfig.xml from the
SIP/Proxy Registrar, Conference Manager, and Packet Switcher servers. Open the
WebSphere Application Server Integrated Solutions Console for each server and
click Application servers → STMediaServer → Ports.
Find the values for a non-clustered or clustered environment.
Non-clustered environment
v SIP/Proxy Registrar
SIP_ProxyRegHOST/SIP_ProxyRegSECURE
v Conference Manager
SIP_DEFAULTHOST/SIP_DEFAULTHOST_SECURE port
v Packet Switcher
SIP_DEFAULTHOST/SIP_DEFAULTHOST_SECURE port
Clustered environment
v SIP/Proxy Registrar
SIP_ProxyRegHOST/SIP_ProxyRegSECURE
(Clustered node) WebSphere Application Server proxy host
(Clustered node) WebSphere Application Server proxy secure port
v Conference Manager
SIP_DEFAULTHOST/SIP_DEFAULTHOST_SECURE port
(Clustered node) WebSphere Application Server proxy host
(Clustered node) WebSphere Application Server proxy secure port
v Packet Switcher
SIP_DEFAULTHOST/SIP_DEFAULTHOST_SECURE port
About this task
The default settings in the stavconfig.xml file specify non-secure ports and must
be modified for use with TLS encryption. Edit the stavconfig.xml files on the
Conference Manager and Packet Switcher to reflect this update by changing the
non-secure ports to secure ports. Follow these steps on both machines. This file is
not used by the SIP Proxy and Registrar.
Follow these steps to update the stavconfig.xml file for every instance of the Media
Manager components. When multiple profiles are installed on the same computer,
each profile uses its own copy of the file and requires the updates.
Procedure
1. Log in to the Integrated Solutions Console for the machine.
2. On the server hosting the Conference Manager or the Packet Switcher, navigate to
the following directory:
dm_install_root/config/cells/cell_name/nodes/node_name/servers/server_name
3. In a text editor, open the stavconfig.xml file.
4. Modify the following settings:
v The ConferenceServerPort setting should contain the
SIP_DEFAULTHOST_SECURE port value from the Conference Manager
server.
v The SIPProxyServerPort setting should contain the SIP_ProxyRegSECURE
port value from the SIP Proxy/Registrar server.
v The port setting in the [packetswitches] section should contain the
SIP_DEFAULTHOST_SECURE port value from the Packet Switcher server.
v Clustered environment only: Change the SIPProxyServerTransportProtocol
setting value to TLS.
5. (Packet Switcher only) Add these three attributes if they are missing:
<configuration lastUpdated="1226425838277" name="IsEncryptedConferenceEnabled" value="false"/>
<configuration lastUpdated="1226425838277" name="AudioRTCPEnabled" value="false"/>
<configuration lastUpdated="1226425838277" name="VideoRTCPEnabled" value="true"/>
Note: If you have Sametime 8.5.0 clients in your environment, set the third
attribute, VideoRTCPEnabled, to "false" instead.
6. (Clustered environment only)
Make these additional changes in the file if you are configuring on a clustered
node server.
Conference Manager node
v SIPProxyServerHost field
SIP Proxy/Registrar WAS proxy host
v SIPProxyServerPort field
SIP Proxy/Registrar WAS proxy secure port
Packet Switcher node
v SIPProxyServerHost field
SIP Proxy/Registrar WebSphere Application Server proxy host
v SIPProxyServerPort field
SIP Proxy/Registrar WebSphere Application Server proxy secure port
v ConferenceServerHost field
Conference Manager WebSphere Application Server proxy host
v ConferenceServerPort field
Conference Manager WebSphere Application Server proxy secure port
7. Close and save the updated file.
8. Synchronize all nodes in the Deployment Manager that manages the
component.
a. In the Deployment Manager's Integrated Solutions Console, click System
Administration → Nodes.
b. Click Full Resynchronize.
Results
Communications will now take place over the secure ports. If you later switch
back to (nonencrypted) TCP or UDP transport protocol, you must change the port
settings back to their original values. For SIP transport, you should use either TLS
or TCP transport protocols.
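Steps 4 to 6 amount to a handful of attribute rewrites, but a machine with several profiles has several copies of the file, and one copy left on a non-secure port is easy to miss. The script below is an added example, not code from IBM or from the product: it applies the changes to a stavconfig.xml given the secure port values read from the Integrated Solutions Console, refuses to run unless all clients are at 8.5.1 or later, and reports any port setting that still carries a non-secure value. It assumes the file is made of <configuration name="..." value="..." lastUpdated="..."/> elements like the three shown in step 5 and that the [packetswitches] section is a <packetswitches> element with its own name="port" entry; that layout, the sample file, the hostnames and the port numbers are all constructed for the example.

```python
"""Switch a Media Manager stavconfig.xml from non-secure ports to TLS.

Added example, not IBM's code. Assumes the file consists of
<configuration name="..." value="..." lastUpdated="..."/> elements like the
three shown in step 5, and that the "[packetswitches] section" is a
<packetswitches> element with its own name="port" entry (assumed layout).
Hostnames and port numbers below are constructed, not product defaults.
"""
import time
import xml.etree.ElementTree as ET

# Constructed pre-upgrade file: every port still points at a non-secure port.
SAMPLE_STAVCONFIG = """<stavconfig>
  <configuration lastUpdated="1226425838277" name="ConferenceServerHost" value="cm1.example.com"/>
  <configuration lastUpdated="1226425838277" name="ConferenceServerPort" value="5060"/>
  <configuration lastUpdated="1226425838277" name="SIPProxyServerHost" value="sippr1.example.com"/>
  <configuration lastUpdated="1226425838277" name="SIPProxyServerPort" value="5060"/>
  <configuration lastUpdated="1226425838277" name="SIPProxyServerTransportProtocol" value="TCP"/>
  <packetswitches>
    <configuration lastUpdated="1226425838277" name="port" value="5060"/>
  </packetswitches>
</stavconfig>
"""

# Attributes that step 5 adds on the Packet Switcher when they are absent.
PACKET_SWITCHER_DEFAULTS = {
    "IsEncryptedConferenceEnabled": "false",
    "AudioRTCPEnabled": "false",
    "VideoRTCPEnabled": "true",  # becomes "false" while 8.5.0 clients remain
}


def _find(parent, name):
    return next((e for e in parent.findall("configuration") if e.get("name") == name), None)


def _set(parent, name, value):
    el = _find(parent, name)
    if el is None:
        el = ET.SubElement(parent, "configuration", name=name)
    el.set("value", str(value))
    el.set("lastUpdated", str(int(time.time() * 1000)))


def enable_tls(xml_text, secure_ports, component, clustered=False,
               cluster_proxies=None, all_clients_851_or_later=True,
               has_850_clients=False):
    """Return the updated XML text.

    secure_ports    the *_SECURE values read from the ISC, keyed by
                    'conference_manager', 'sip_proxy_registrar', 'packet_switcher'
    component       'conference_manager' or 'packet_switcher' (the SIP Proxy
                    and Registrar does not use this file)
    cluster_proxies {'sip_proxy_registrar': (host, secure_port),
                     'conference_manager': (host, secure_port)} for clustered nodes
    """
    if not all_clients_851_or_later:
        raise RuntimeError("clients older than 8.5.1 cannot connect over the secure ports")
    if component not in ("conference_manager", "packet_switcher"):
        raise ValueError("stavconfig.xml is edited only on the Conference Manager and Packet Switcher")
    root = ET.fromstring(xml_text)

    # Step 4: replace the non-secure ports with the secure ones.
    _set(root, "ConferenceServerPort", secure_ports["conference_manager"])
    _set(root, "SIPProxyServerPort", secure_ports["sip_proxy_registrar"])
    ps = root.find("packetswitches")
    if ps is not None:
        _set(ps, "port", secure_ports["packet_switcher"])

    # Step 5: Packet Switcher attributes, added only when missing.
    if component == "packet_switcher":
        for name, default in PACKET_SWITCHER_DEFAULTS.items():
            if name == "VideoRTCPEnabled" and has_850_clients:
                default = "false"
            if _find(root, name) is None:
                _set(root, name, default)

    # Step 4 (clustered) and step 6: TLS transport and WAS proxy endpoints.
    if clustered:
        _set(root, "SIPProxyServerTransportProtocol", "TLS")
        host, port = cluster_proxies["sip_proxy_registrar"]
        _set(root, "SIPProxyServerHost", host)
        _set(root, "SIPProxyServerPort", port)
        if component == "packet_switcher":
            host, port = cluster_proxies["conference_manager"]
            _set(root, "ConferenceServerHost", host)
            _set(root, "ConferenceServerPort", port)
    return ET.tostring(root, encoding="unicode")


def settings(xml_text):
    """Flatten the file into {name: value}; the nested entry is 'packetswitches/port'."""
    root = ET.fromstring(xml_text)
    out = {e.get("name"): e.get("value") for e in root.findall("configuration")}
    ps = root.find("packetswitches")
    if ps is not None:
        for e in ps.findall("configuration"):
            out["packetswitches/" + e.get("name")] = e.get("value")
    return out


def still_non_secure(xml_text, non_secure_ports):
    """Port settings that still hold a known non-secure value: run this over
    every profile's copy of the file, since each profile keeps its own."""
    bad = {str(p) for p in non_secure_ports}
    return sorted(k for k, v in settings(xml_text).items()
                  if (k.endswith("Port") or k.endswith("/port")) and v in bad)
```

Run it once per profile on each Conference Manager and Packet Switcher machine, check that still_non_secure returns nothing for every copy, and then resynchronize the nodes as in step 8; the precondition check exists because a secure-only Media Manager silently locks out clients older than 8.5.1.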
Distributing certificates for Transport Layer encryption to all
Media Manager components
If you installed Media Manager components on separate machines or as separate
cell profiles, you must extract the signed security certificate from the SIP Proxy and
Registrar server. Then add the certificate to all Conference Manager and Packet
Switcher servers. This step does not apply if you installed all components of the
media manager on the same cell profile.
Before you begin
Extract the certificate used by the SIP Proxy and Registrar and copy it to a location
from which each Media Manager component can copy the file.
1. Log in to the IBM WebSphere Application Server Integrated Solutions Console
on the server that has the SIP Proxy and Registrar certificate.
2. Click Security → SSL certificate and key management → Key stores and
certificates → NodeDefaultKeyStore → Personal certificates.
v In a non-clustered environment, the certificate is on the same machine as the
SIP Proxy and Registrar component.
v In a clustered environment, the certificate is on the WebSphere Application
Server proxy used by the SIP Proxy and Registrar.
3. Select the Alias default if you used a self-signed certificate or select the
appropriate signed certificate you want to share and click Extract.
4. Type a unique file name for the signed certificate.
5. Copy the extracted certificate to a location from which the Media Manager
component can retrieve the file.
About this task
Follow these steps to add a signed certificate to each Media Manager component.
Procedure
1. Log in to the Media Manager component's Integrated Solutions Console.
2. Click Security → SSL Certificates and key management → Key stores and
certificates → CellDefaultTrustStore → Signer certificates.
Note: If CellDefaultTrustStore is not in the table, choose
NodeDefaultTrustStore.
3. Click Add.
4. In the Alias field, type a description for the certificate. Include information
about what kind of certificate it is, such as an internal self-signed certificate, a
public self-signed certificate, or a public Certificate Authority.
5. In the File name field, type the path to the certificate file; for example:
c:\sip-pr.cer
6. Click OK.
7. Click Save.
8. Restart the server.
9. Repeat these steps for each Media Manager component.
Distributing certificates for Transport Layer encryption to the SIP
Proxy and Registrar
If you installed the SIP Proxy and Registrar on a separate machine or in a separate
cell profile from the IBM Lotus Sametime Media Manager, you must extract the
signed security certificate from the Conference Manager and Packet Switcher
components and add both certificates to the SIP Proxy and Registrar. This step does
not apply if you installed all components of the Sametime Media Manager and the
SIP Proxy and Registrar in the same cell profile.
Before you begin
Extract the certificate used by each Conference Manager and Packet Switcher
component and copy it to a location from which the SIP Proxy and Registrar can
copy the file.
1. Log in to the IBM WebSphere Application Server Integrated Solutions Console
on the server that has the Conference Manager certificate.
2. Click Security → SSL Certificates and key management → Key stores and
certificates → NodeDefaultKeyStore → Personal certificates.
v In a non-clustered environment, the certificate is on the same machine as the
Sametime Media Manager component (Conference Manager or Packet
Switcher)
v In a clustered environment, the certificate is on the WebSphere Application
Server proxy used by the Conference Manager.
Note: The Packet Switcher does not run in a cluster.
3. Select the Alias default if you used a self-signed certificate or select the
appropriate signed certificate you want to share and click Extract.
4. Type a unique file name for the signed certificate.
5. Copy the extracted certificate to a location from which the SIP Proxy and
Registrar component can retrieve the file.
6. Repeat this procedure for the Packet Switcher.
About this task
Follow these steps to add the Conference Manager and Packet Switcher signed
certificates to the SIP Proxy and Registrar. You must perform this procedure twice:
once for the Conference Manager certificate and once for the Packet Switcher certificate.
Procedure
1. Log in to the SIP Proxy and Registrar component's Integrated Solutions
Console.
2. Click Security → SSL Certificates and key management → Key stores and
certificates → CellDefaultTrustStore → Signer certificates.
Note: If CellDefaultTrustStore is not in the table then choose
NodeDefaultTrustStore.
3. Click Add.
4. In the Alias field, type a description for the certificate. Include information
about what kind of certificate it is, such as an internal self-signed certificate, a
public self-signed certificate or a public Certificate Authority.
5. In the File name field, type the path to the certificate file; for example:
c:\cm-pr.cer or c:\ps-pr.cer
6. Click OK.
7. Click Save.
8. Restart the server.
9. Repeat these steps for the other component's certificate.
Exchanging certificates between the Packet Switcher and the
Conference Manager
The Packet Switcher component of the IBM Lotus Sametime Media Manager opens
a TLS connection to the Conference Manager, so you need to exchange certificates
between the Packet Switcher and the Conference Manager. You must extract the
certificate used by the Conference Manager and then add this certificate to the
Packet Switcher.
Before you begin
Extract the certificate used by the Conference Manager component and copy it to a
location from which the Packet Switcher component can copy the file.
1. Log in to the IBM WebSphere Application Server Integrated Solutions Console
on the server that has the Conference Focus certificate.
2. Click Security → SSL certificate and key management → Key stores and
certificates → NodeDefaultKeyStore → Personal certificates.
v In a non-clustered environment, the certificate is on the same machine as the
Conference Manager component.
v In a clustered environment, the certificate is on the WebSphere Application
Server proxy used by the Conference Manager.
3. Select the Alias default if you used a self-signed certificate or select the
appropriate signed certificate you want to share and click Extract.
4. Type a unique file name for the signed certificate.
5. Copy the extracted certificate to a location from which the Packet Switcher
component can retrieve the file.
About this task
Follow these steps to add a signed certificate to the Packet Switcher.
Procedure
1. Log in to the Packet Switcher component's Integrated Solutions Console.
2. Click Security → SSL Certificates and key management → Key stores and
certificates → CellDefaultTrustStore → Signer certificates.
Note: If CellDefaultTrustStore is not in the table then choose
NodeDefaultTrustStore.
3. Click Add.
4. In the Alias field, type a description for the certificate. Include information
about what kind of certificate it is, such as an internal self-signed certificate, a
public self-signed certificate or a public Certificate Authority.
5. In the File name field, type the path to the certificate file; for example:
c:\conf-focus.cer
6. Click OK.
7. Click Save.
8. Restart the server.
Adding trusted IP addresses to the Media Manager SIP Proxy
and Registrar
The Lotus Sametime SIP Proxy and Registrar accepts connections from the Lotus
Sametime Media Manager components – Conference Manager and Packet Switcher.
To ensure that the SIP Proxy and Registrar trusts these components when they
establish a connection, you must add a custom SIP container property that uses the
IP address or fully qualified domain name for these trusted components as its
value.
About this task
Complete these steps for each server in a Lotus Sametime SIP Proxy and Registrar
cluster or for every SIP Proxy/Registrar in a multiple-server deployment.
Procedure
1. Log in to the Sametime Media Manager's Integrated Solutions Console.
If you installed the SIP Proxy/Registrar component on a separate server, log
in to the SIP Proxy and Registrar's Integrated Solutions Console.
2. Click Servers → Server Types → WebSphere Application Servers.
3. Click the name of the Media Manager server.
In a clustered environment, click the name of a cluster member.
4. Under Container settings, click SIP Container Settings → SIP container.
5. Click Custom Properties.
6. Add this new property:
com.ibm.ws.sip.security.trusted.iplist
7. Add the Conference Manager and Packet Switcher as trusted IP addresses.
Use commas to separate multiple values if you are using multiple servers.
In a non-clustered environment, use the servers' IP addresses or fully qualified
domain names.
Note: If the Conference Manager operates in a cluster, use the IP address or
fully qualified domain name for the WebSphere Application Server proxy used
by the Conference Manager cluster instead.
8. Click OK.
9. Click Save.
10. Restart the SIP Proxy and Registrar server.
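The three certificate procedures above and the trusted IP list together define who must trust whom before the SIP Proxy and Registrar, the Conference Manager and the Packet Switcher can talk over TLS, and a missed direction only shows up as a failed connection after a restart. The checker below is an added example, not IBM's code: it models the required trust pairs from those procedures (skipping pairs that share a cell profile, where the exchange does not apply) and derives the value of com.ibm.ws.sip.security.trusted.iplist from the same topology, substituting the WebSphere Application Server proxy for a clustered Conference Manager as the note in step 7 requires. It does not read key stores; each fingerprint is what the console shows for a NodeDefaultKeyStore personal certificate or a CellDefaultTrustStore signer, and the profile names, addresses and fingerprints are constructed.

```python
"""Check the TLS trust wiring between Media Manager components and derive
the SIP container's trusted IP list.

Added example, not IBM's code. It models the certificate exchanges that
the "Distributing certificates" and "Exchanging certificates" procedures
require and builds the value of com.ibm.ws.sip.security.trusted.iplist
from the same topology. It does not read key stores: each fingerprint is
what the ISC shows for a NodeDefaultKeyStore personal certificate or a
CellDefaultTrustStore signer. Profile names, addresses and fingerprints
below are constructed.
"""
from dataclasses import dataclass, field
from typing import List, Optional, Set, Tuple

SIPPR, CM, PS = "sip_proxy_registrar", "conference_manager", "packet_switcher"


@dataclass
class Component:
    role: str                      # SIPPR, CM or PS
    cell_profile: str              # components in one profile share trust stores
    address: str                   # IP address or FQDN the SIP traffic comes from
    cert_fingerprint: str          # its personal certificate; for a clustered
                                   # CM or SIPPR, the WAS proxy's certificate
    trusted_signers: Set[str] = field(default_factory=set)  # signer fingerprints
    proxy_address: Optional[str] = None  # WAS proxy in front of a cluster


# (truster, trusted) pairs the procedures establish: CM and PS trust the
# SIP Proxy/Registrar, it trusts both of them, and PS trusts CM because PS
# opens a TLS connection to CM.
REQUIRED_TRUST: List[Tuple[str, str]] = [
    (CM, SIPPR), (PS, SIPPR), (SIPPR, CM), (SIPPR, PS), (PS, CM),
]


def missing_trust(components: List[Component]) -> List[Tuple[str, str]]:
    """(truster address, trusted address) pairs whose signer certificate has
    not been added yet. Pairs inside one cell profile are skipped because
    the exchange does not apply when components share a profile."""
    by_role = {}
    for c in components:
        by_role.setdefault(c.role, []).append(c)
    missing = []
    for truster_role, trusted_role in REQUIRED_TRUST:
        for a in by_role.get(truster_role, []):
            for b in by_role.get(trusted_role, []):
                if a.cell_profile == b.cell_profile:
                    continue
                if b.cert_fingerprint not in a.trusted_signers:
                    missing.append((a.address, b.address))
    return missing


def trusted_iplist(components: List[Component]) -> str:
    """Value for com.ibm.ws.sip.security.trusted.iplist on each SIP
    Proxy/Registrar: every CM and PS, comma separated, with a clustered CM
    represented by its WAS proxy rather than by its members."""
    entries = []
    for c in components:
        if c.role in (CM, PS):
            addr = c.proxy_address or c.address
            if addr not in entries:
                entries.append(addr)
    return ",".join(entries)


# Constructed deployment on separate profiles: the SIPPR certificate has
# been distributed to CM and both PS, the other directions only partly.
DEPLOYMENT = [
    Component(SIPPR, "STPRProfile", "10.0.1.10", "AA:11"),
    Component(CM, "STCMProfile", "10.0.1.20", "BB:22", {"AA:11"},
              proxy_address="cm-proxy.example.com"),
    Component(PS, "STPSProfile", "10.0.1.30", "CC:33", {"AA:11"}),
    Component(PS, "STPSProfile2", "10.0.1.31", "DD:44", {"AA:11", "BB:22"}),
]

if __name__ == "__main__":
    for truster, trusted in missing_trust(DEPLOYMENT):
        print(f"{truster} does not yet trust the certificate of {trusted}")
    print("trusted.iplist =", trusted_iplist(DEPLOYMENT))
```

Fill the structures from the Personal certificates and Signer certificates pages of each component, and keep in mind that the trusted IP list is a separate control from the certificates: a peer that presents a trusted certificate but connects from an address not in the list is still not trusted by the SIP container.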
Configuring secure access to an LDAP repository
Configure secure access to a Lightweight Directory Access Protocol (LDAP)
repository used by the IBM Lotus Sametime SIP Proxy and Registrar server.
Before you begin
Ensure that the enterprise LDAP server is running.
About this task
If the LDAP server presents a certificate issued by a public certificate authority
(CA), obtain that CA's root certificate and import it. If the LDAP server uses a
self-signed certificate, import the self-signed certificate itself.
Procedure
1. Import the certificate:
a. Log in to the Integrated Solutions Console for the SIP Proxy and Registrar.
b. Select Security → SSL Certificate and key management → Key stores and
certificates → CellDefaultTrustStore → Signer certificates.
c. Click Add.
d. In the Alias field, type a description for the certificate, whether it's
self-signed or a public CA.
e. In the File name field, type the path to the certificate file. For example,
c:\ldap.cer.
f. Click Apply and then Save.
g. Restart all WebSphere Application Server processes for the change to take
effect.
2. Enable SSL between the SIP Proxy and Registrar server and the LDAP
repository.
a. Log in to the Integrated Solutions Console for the SIP Proxy and Registrar.
b. Select Security → Global security.
c. Click Configure.
d. In Repositories in the realm table select the LDAP server identifier.
e. In the Port field, type 636. Some LDAP servers use a different port for SSL
connections; if yours does, specify that port instead.
f. Click Require SSL communications.
g. Click Apply and then Save.
h. Restart the SIP Proxy and Registrar server for the change to take effect.
Importing an SSL certificate from Lotus Sametime Unified
Telephony
If you plan to configure telephony services in your deployment using IBM Lotus
Sametime Unified Telephony, import the Telephony Application Server's SSL
certificate into the Lotus Sametime Proxy Server's truststore.
Before you begin
Secure Sockets Layer (SSL) encryption is required for telephony services. You must
import the telephony server's SSL certificate into the Lotus Sametime Proxy
Server's truststore before you enable SSL between the Lotus Sametime Proxy Server
and Lotus Sametime Unified Telephony.
Procedure
1. Copy the SSL certificate from Lotus Sametime Unified Telephony:
a. On the Telephony Application Server, log in to the IBM WebSphere
Application Server Integrated Solutions Console as the WebSphere
administrator.
b. Click Security → SSL certificate and key management → Key stores and
certificates → NodeDefaultTrustStore → Signer certificates.
c. Select the Alias default_signer or the appropriate one, if you customized,
and click Extract.
d. Type a file name for storing the signer certificate. The Telephony
Application Server WebSphere Application Server console displays the
location of the extracted certificate. For example:
/opt/IBM/WebSphere/AppServer/profiles/<AppSrvxx>/etc/<file>
Note this location because you need to copy the file to the live names proxy
server in the following step.
2. Move the file from the previous step to the etc/ directory under the
Deployment Manager for the Live Names Proxy cell. For example:
/opt/IBM/WebSphere/AppServer/profiles/<xxxxSTPDMProfilex>/etc/<file>
3. Now import the SSL certificate into the Lotus Sametime Proxy Server's
truststore:
a. On the Lotus Sametime Proxy Server, log in to the WebSphere Application
Server Integrated Solutions Console as the WebSphere administrator.
b. Click Security → SSL certificate and key management → Key stores and
certificates → CellDefaultTrustStore → Signer certificates.
c. Click Add.
d. Type an alias for the certificate; for example, "SUT".
e. Type the name of the file where you stored the SSL certificate.
f. Click Apply.
g. Save the imported certificate by clicking Save in the "Messages" box at the
top of the page.
h. Restart the Lotus Sametime Proxy Server.
Chapter 2. Administering
IBM Lotus Sametime administrators set up and maintain users and their ability to
use Lotus Sametime features. They also maintain and monitor the servers.
This section contains information about user registration and policies and the tools
that you can use to administer the server.
Command reference for starting and stopping servers
You may use a command window to start and stop Sametime components running
on WebSphere Application Server. To stop servers, you will supply the WebSphere
Application Server administrator password that was established when you
installed the server.
Sequence for starting and stopping servers
Follow the sequence below when starting or stopping servers associated with a
Sametime server.
Start server sequence
1. Start the Deployment Manager.
If you installed a server in a cell profile, the Deployment Manager is on the
same machine as the Sametime server. If you installed a server in a cluster, the
Deployment Manager is probably not on the same machine unless you are
running on IBM i.
2. Start the node agent.
3. Start the Sametime server.
Stop server sequence
1. Stop the Sametime server.
2. Stop the node agent.
3. Stop the Deployment Manager.
If you installed a server in a cell profile, the Deployment Manager is on the
same machine as the Sametime server. If you installed a server in a cluster, the
Deployment Manager is probably not on the same machine unless you are
running on IBM i.
Note: Before uninstalling WebSphere Application Server, you must stop the
application server. If the server belongs to a cluster, you will also need to stop all
node agents in the cluster, and then stop the Deployment Manager. Finally, close
all browsers and command windows that may have been accessing the WebSphere
Application Server.
Server command directories
Run the commands from a command window on the machine where the server is
installed and navigate to the appropriate bin directory shown in the following
table.
© Copyright IBM Corp. 1996, 2010
Table 34. Server command directories
Type                      Profile /bin directory
Sametime System Console   stSSC_profile_root/bin
Meeting Server            stM_profile_root/bin
Proxy Server              stP_profile_root/bin
Media Manager             stMS_profile_root/bin
Sametime Gateway          stgw_profile_root/bin
AIX, Linux, or Solaris
Note: The Deployment Manager must be running for the cell before starting a
server. Also note that the server name is case sensitive.
Table 35. Start server commands for AIX, Linux, or Solaris
Type                      Commands
Sametime System Console   ./startNode.sh
                          ./startServer.sh STConsoleServer
Meeting Server            ./startNode.sh
                          ./startServer.sh STMeetingHttpProxy
                          ./startServer.sh STMeetingServer
Proxy Server              ./startNode.sh
                          ./startServer.sh STProxyServer
Media Manager             (Linux only)
                          ./startNode.sh
                          ./startServer.sh STMediaServer
Sametime Gateway          ./startNode.sh
                          ./startServer.sh RTCGWServer
Note: Stop the Deployment Manager last after you have stopped the server. Also
note that the server name is case sensitive.
Table 36. Stop server commands for AIX, Linux, or Solaris
Type                      Commands
Sametime System Console   ./stopServer.sh STConsoleServer -username username -password password
                          ./stopNode.sh -username username -password password
Meeting Server            ./stopServer.sh STMeetingServer -username username -password password
                          ./stopServer.sh STMeetingHttpProxy -username username -password password
                          ./stopNode.sh -username username -password password
Proxy Server              ./stopServer.sh STProxyServer -username username -password password
                          ./stopNode.sh -username username -password password
Media Manager             ./stopServer.sh STMediaServer -username username -password password
                          ./stopNode.sh -username username -password password
Sametime Gateway          ./stopServer.sh RTCGWServer -username username -password password
                          ./stopNode.sh -username username -password password
Windows
The Start Programs menu is also a convenient way to start and stop Sametime
servers running on WebSphere Application Server.
Note: The Deployment Manager must be running for the cell before starting a
server. Also note that the server name is case sensitive.
Table 37. Start server commands for Windows
Server                    Commands
Sametime System Console   startNode.bat
                          startServer.bat STConsoleServer
Meeting Server            startNode.bat
                          startServer.bat STMeetingHttpProxy
                          startServer.bat STMeetingServer
Proxy Server              startNode.bat
                          startServer.bat STProxyServer
Media Manager             startNode.bat
                          startServer.bat STMediaServer
Sametime Gateway          startNode.bat
                          startServer.bat RTCGWServer
Note: Stop the Deployment Manager last after you have stopped the server. Also
note that the server name is case sensitive.
Table 38. Stop server commands for Windows
Server                    Commands
Sametime System Console   stopServer.bat STConsoleServer -username username -password password
                          stopNode.bat -username username -password password
Meeting Server            stopServer.bat STMeetingServer -username username -password password
                          stopServer.bat STMeetingHttpProxy -username username -password password
                          stopNode.bat -username username -password password
Proxy Server              stopServer.bat STProxyServer -username username -password password
                          stopNode.bat -username username -password password
Media Manager             stopServer.bat STMediaServer -username username -password password
                          stopNode.bat -username username -password password
Sametime Gateway          stopServer.bat RTCGWServer -username username -password password
                          stopNode.bat -username username -password password
IBM i
Note: The Deployment Manager must be running for the cell before starting a
server. Also note that the server name is case sensitive.
Table 39. Start server commands for IBM i
Server                    Commands
Sametime System Console   startNode
                          startServer STConsoleServer
Meeting Server            startNode
                          startServer STMeetingHttpProxy
                          startServer STMeetingServer
Proxy Server              startNode
                          startServer STProxyServer
Media Manager             Not supported on IBM i
Sametime Gateway          startNode
                          startServer RTCGWServer
Note: Stop the Deployment Manager last after you have stopped the server. Also
note that the server name is case sensitive.
Table 40. Stop server commands for IBM i
Server                    Commands
Sametime System Console   stopServer STConsoleServer -username username -password password
                          stopNode -username username -password password
Meeting Server            stopServer STMeetingServer -username username -password password
                          stopServer STMeetingHttpProxy -username username -password password
                          stopNode -username username -password password
Proxy Server              stopServer STProxyServer -username username -password password
                          stopNode -username username -password password
Media Manager             Not supported on IBM i
Sametime Gateway          stopServer RTCGWServer -username username -password password
                          stopNode -username username -password password
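The tables above give the commands; the ordering rules (Deployment Manager, then node agent, then servers, and the reverse to stop) are what an operator gets wrong under pressure. The script below is an added example, not IBM's code: it builds the ordered command lists for a server type and platform from the script and server names in Tables 35 to 40, places the Deployment Manager first on start and last on stop when it is on the same machine, and runs them from the right bin directory, stopping at the first failure. startManager and stopManager are the standard WebSphere Application Server Deployment Manager commands, which this section does not list; profile directories are placeholders. Note that a password given with -password is visible to every local user in the process list on AIX, Linux and Solaris, so run these only from a host that other users cannot log in to.

```python
"""Ordered start and stop of a Sametime server on WebSphere Application Server.

Added example, not IBM's code. It encodes the sequence from this section
(Deployment Manager, node agent, then the servers; reversed to stop) and
the script and server names from Tables 35 to 40. startManager and
stopManager are the standard WebSphere Deployment Manager commands, which
the guide does not list; use them only where the Deployment Manager is on
the same machine. Profile directories are placeholders.
"""
import subprocess
from typing import Dict, List, Tuple

# Servers per profile in start order; Meeting Server starts its HTTP proxy
# first and, per Table 36, stops it last.
SERVERS: Dict[str, List[str]] = {
    "system_console": ["STConsoleServer"],
    "meeting": ["STMeetingHttpProxy", "STMeetingServer"],
    "proxy": ["STProxyServer"],
    "media_manager": ["STMediaServer"],
    "gateway": ["RTCGWServer"],
}
# Combinations the tables mark as unavailable.
UNSUPPORTED = {("media_manager", "aix"), ("media_manager", "solaris"),
               ("media_manager", "ibmi")}

Command = Tuple[str, List[str]]  # ("profile" | "dmgr", argv)


def script(name: str, platform: str) -> str:
    """Platform-specific command name for a WebSphere bin script."""
    if platform in ("aix", "linux", "solaris"):
        return f"./{name}.sh"
    if platform == "windows":
        return f"{name}.bat"
    if platform == "ibmi":
        return name
    raise ValueError(f"unknown platform {platform!r}")


def _check(server_type: str, platform: str) -> None:
    if server_type not in SERVERS:
        raise ValueError(f"unknown server type {server_type!r}")
    if (server_type, platform) in UNSUPPORTED:
        raise ValueError(f"{server_type} is not supported on {platform}")


def start_sequence(server_type: str, platform: str,
                   dmgr_on_this_host: bool = False) -> List[Command]:
    _check(server_type, platform)
    cmds: List[Command] = []
    if dmgr_on_this_host:  # cell profile: the Deployment Manager goes first
        cmds.append(("dmgr", [script("startManager", platform)]))
    cmds.append(("profile", [script("startNode", platform)]))
    for srv in SERVERS[server_type]:
        cmds.append(("profile", [script("startServer", platform), srv]))
    return cmds


def stop_sequence(server_type: str, platform: str, user: str, password: str,
                  dmgr_on_this_host: bool = False) -> List[Command]:
    _check(server_type, platform)
    creds = ["-username", user, "-password", password]
    cmds: List[Command] = []
    for srv in reversed(SERVERS[server_type]):
        cmds.append(("profile", [script("stopServer", platform), srv] + creds))
    cmds.append(("profile", [script("stopNode", platform)] + creds))
    if dmgr_on_this_host:  # the Deployment Manager is stopped last
        cmds.append(("dmgr", [script("stopManager", platform)] + creds))
    return cmds


def run(cmds: List[Command], profile_bin: str, dmgr_bin: str = "",
        dry_run: bool = True) -> List[str]:
    """Run each command from the right bin directory, stopping at the first
    failure so a half-stopped cell is noticed. Returns the commands as shown,
    with the password masked so the list is safe to log."""
    shown_all = []
    for where, argv in cmds:
        cwd = dmgr_bin if where == "dmgr" else profile_bin
        shown = list(argv)
        if "-password" in shown:
            shown[shown.index("-password") + 1] = "********"
        line = f"[{cwd}] " + " ".join(shown)
        shown_all.append(line)
        print(line)
        if not dry_run:
            subprocess.run(argv, cwd=cwd, check=True)
    return shown_all
```

With dry_run left at its default the script only prints the plan; pass dry_run=False, the profile bin directory from Table 34 and, when the Deployment Manager is local, its own bin directory, to execute it.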
Lotus Sametime component URLs
This section lists the URLs for IBM Lotus Sametime servers and components.
The following table lists the URLs for logging in to Lotus Sametime:
Table 41. Lotus Sametime URLs

Lotus Sametime System Console
URL: http://consoleserverhostname.domain:8700/ibm/console
Logging in: Log in with your WebSphere Application Server User ID and password.
Click Sametime System Console → Sametime Servers.
A single Integrated Solutions Console URL is only applicable if you deploy a
cluster and choose to use the Lotus Sametime System Console as the Deployment
Manager for all Sametime products.
The default port is 8700 for all platforms except IBM i. For IBM i, the port
number may not be 8700. Use the port that was listed in the Sametime System
Console installation results summary. To check the port, open the
AboutThisProfile.txt file for the Sametime System Console Deployment Manager
profile and use the setting specified for the "Administrative console port." For
the default profile name (STSCDmgrProfile), the file is located here:
/QIBM/UserData/Websphere/AppServer/V7/SametimeWAS/profiles/STSCDmgrProfile/logs/AboutThisProfile.txt

Lotus Sametime Gateway
URL: http://gatewayserverhostname.domain:port/ibm/console
Logging in: Log in with your WebSphere Application Server User ID and password.
The default port is 9060 for all platforms except IBM i. For IBM i, the port
number may not be 9060. To check the port, open the logs/AboutThisProfile.txt
file for the WebSphere Application Server profile that is running the ISC for
your Gateway server and use the setting specified for the "Administrative
console port."
If you have installed a single Sametime Gateway server, this will be the one
Sametime Gateway profile you have. If you have a cluster setup, this profile will
be the Deployment Manager profile that your Sametime Gateway server has been
clustered with.

Sametime web client
URL: http://proxyserverhostname.domain:port/stwebclient/index.jsp
Logging in: Log in with your user name and password.
To verify the port number being used by the Lotus Sametime Proxy Server, log in
to the Lotus Sametime System Console. In the WebSphere Application Server
administrative console, click Servers → Server Types → WebSphere application
servers → STProxyServer → Ports → WC_defaulthost to find the port number.
For IBM i, to verify the HTTP port number being used by the Lotus Sametime Proxy
Server, open the AboutThisProfile.txt file for the Sametime Proxy Application
Server profile and use the setting specified for the HTTP transport port. The
default profile name is STPAppProfile. On IBM i, look for the
AboutThisProfile.txt file in the following location:
/QIBM/UserData/Websphere/AppServer/V7/SametimeWAS/profiles/STPAppProfile/logs/AboutThisProfile.txt

Meeting Room Center
URL: http://meetingserverhostname.domain:port/stmeetings
Logging in: Log in with your user name and password.
To verify the HTTP port number being used by the Lotus Sametime Meeting Server,
open the AboutThisProfile.txt file for the Sametime Meeting Application Server
profile and use the setting specified for the HTTP transport port. The default
profile name is STMAppProfile. For IBM i, look for the AboutThisProfile.txt file
in the following location:
/QIBM/UserData/Websphere/AppServer/V7/SametimeWAS/profiles/STMAppProfile/logs/AboutThisProfile.txt

Lotus Sametime Community Server Administrator Tool
URL: http://communityserverhostname.domain:port/stcenter.nsf
Specify the port number if it is not the default port number 80.
Logging in: Log in with your Domino administrator's name and password. Under
Administrator Tools, click Administer the server.
Adding administrators
Add yourself or others as administrators for the WebSphere Application
Server-based IBM Lotus Sametime components.
About this task
You must give yourself and users that you designate as administrators the same
roles as the wasadmin in order to manage Sametime using the Sametime System
Console. The wasadmin ID is the WebSphere Application Server User ID and
password that you created when you installed Lotus Sametime System Console.
Procedure
1. From a browser, enter the URL for the Sametime System Console.
2. Enter the WebSphere Application Server User ID and password that you
created when you installed Lotus Sametime System Console.
The default name is wasadmin.
3. Click Applications → Enterprise Applications.
4. Click Lotus Sametime System Console.
5. Under Detail Properties, click Security role to user/group mapping.
6. Note the roles for wasadmin. For information on the access level of the roles,
see "Administrative roles" in the WebSphere Application Server information
center:
http://publib.boulder.ibm.com/infocenter/wasinfo/v7r0/index.jsp?topic=/com.ibm.websphere.express.doc/info/exp/ae/rsec_adminroles.html
7. Assign yourself and other designated administrators to the Administrator and
Admin Security Manager roles, and other roles as necessary.
Note: An administrator cannot map users and groups to the administrator
roles without having the adminsecuritymanager role.
Changing the administrator password
The following topics explain how to change your administrator passwords.
Updating your DB2 administrator password
If you change your administrator password in IBM DB2, you must update your
password in the IBM Lotus Sametime Meetings Server and the Lotus Sametime
System Console. If you do not update your password, IBM Lotus Sametime stops
working.
Procedure
1. Log in to the Integrated Solutions Console for the Lotus Sametime System
Console.
2. Click Resources → JDBC → Data sources.
3. Click the data source in the table.
4. Under Related Items, click JAAS - J2C authentication data.
5. Click your DB2 administrator alias.
6. Under General Properties, type your new password.
7. Click Apply and then click OK.
8. Repeat this procedure for the Lotus Sametime Meetings Server.
Updating your WAS administrator password
You can change your WebSphere Application Server administrator password.
About this task
You can change your WebSphere Application Server administrator (wasadmin)
password on the following WebSphere-based Sametime servers. If you change the
wasadmin password on any of these servers, then you must also update the
wasadmin password for that server that is stored in the Lotus Sametime System
Console.
v Sametime Media Manager
v Sametime Meeting Server
v Sametime Proxy Server
v Sametime Gateway Server
v SIP Proxy and Registrar
v FIPS Proxy Server
The complete Sametime Media Manager installations are listed under both the
Media Manager and the SIP Proxy and Registrar administration listings. There is
only one entity and changing the connection properties in one place is reflected in
the other.
A FIPS Proxy Server uses the same credentials as the Sametime Proxy Server on
which it was installed. Changing the credentials in either location affects both
administrative connections. The FIPS Proxy Server list depends on a valid server
connection, so if the connection information is not correct, the FIPS Proxy Server
is not listed. You can correct this by editing the connection properties in the
Sametime Proxy Server listing.
Procedure
1. Change the wasadmin password of the WebSphere-based Sametime application
server.
a. Log in to the Integrated Solutions Console on the WebSphere-based
Sametime application server.
b. Click Users and Groups → Manage Users.
c. Under Search for Users, select User ID in the Search by field, and then
enter wasadmin in the Search for field. Click Search.
d. Click wasadmin in the results dialog.
e. Enter a new password in the Password and Confirm Password fields.
f. Click Apply and then click OK.
2. Update the wasadmin password that you changed in the previous step on the
Lotus Sametime System Console.
a. Log in to the Integrated Solutions Console for the Lotus Sametime System
Console.
b. Click Sametime System Console → Sametime Servers.
c. Click the Sametime application server that has the wasadmin password that
you changed in step 1.
d. Locate the deployment name and click Edit under Connection Properties.
e. Enter a new password.
f. Click Save and then click Done.
Managing users with policies
All IBM Lotus Sametime users are automatically assigned to default policies.
Sametime Instant Messaging, Meetings, and Media Services each has a default
policy to be applied to users. You can create additional user policies, and assign
users and groups to these policies.
About this task
When a user authenticates, Lotus Sametime applies a default policy if no other
policy can be found for that user. You can create new policies that grant or limit
access to features, and assign users to these policies. Users can be assigned to more
than one policy. If a user belongs to more than one policy, then Lotus Sametime
uses the policy weight to determine policy precedence. Custom policies can be
designed for specific groups in the company, and the default policy can be
inherited or assigned. Meetings policy changes take effect immediately, while
Instant Messaging and Media Services policy changes take effect within an hour.
There is also an anonymous policy that is assigned by default to users who have
not authenticated, and unauthenticated users always receive this policy.
Note: If your deployment includes the Lotus Sametime System Console, you must
manage policies there because all settings made in the legacy Sametime
Administration Tool (STCenter.nsf) are ignored. This includes the override all
feature, as well. Moreover, there is no automatic migration of policies from the
Sametime Administration Tool to the Lotus Sametime System Console. You must
do this manually because Sametime Administration Tool policies do not map
one-to-one to policies in the Lotus Sametime System Console.
Chapter 2. Administering
415
Do not use the ampersand character (&) in the policy's name or in any one of the
values of policy attributes.
Finding policies associated with a user
You can find all the policies associated with a user for all the IBM Lotus Sametime
products to which the user has access.
Procedure
1. Log in to the Integrated Solutions Console.
2. Click Sametime System Console.
3. Click Manage Policies.
4. Click any Lotus Sametime component. It does not matter which component
you select, because the search results display all the policies for all the
Sametime components to which the user has access.
v Instant Messaging
v Meetings
v Media Manager
5. Click Find Active Policies.
6. Select the criterion for the user for which you want to find the associated
policies in the Search by field.
v User ID
v Name
v E-mail address
7. Enter the entire or partial user ID, email address, or name of the user or
group in the Search for field. If you enter partial information, use an asterisk
as a wildcard character for the missing or incomplete part. For example,
type sm* for all names starting with sm.
8. Select the number of listings in the search results in the Maximum results
field.
9. Click Search. The results display the users that match your search criteria.
10. Select a name in the results table, and then click Find Active Policies to show
the policies for that user.
11. Click Done.
Creating new user policies
You can create user policies, and assign users and groups to these policies.
About this task
You can set policy for users to have access to specific IBM Lotus Sametime
features, depending upon their level of need. For example, the maximum size for a
file being transferred is set by default at 1 megabyte to help manage traffic over
the server(s); however, if you have a group that routinely transfers large files for
business reasons, you can create a new policy specifically for those users and set
the maximum size of files that they can send to a much higher number.
416
Lotus Sametime: Installation and Administration Guide Part 2
Note: When you create a new policy, it uses the default policy settings as the base
settings in the new policy. You can update these settings.
Procedure
1. Log in to the Integrated Solutions Console.
2. Click Sametime System Console.
3. Click Manage Policies.
4. Click the Lotus Sametime product for which you want to create a policy.
v Instant Messaging
v Meetings
v Media Manager
5. Click New.
6. Enter a name to use to identify the policy in the Policy Name field.
Note: Do not use the following special characters in the policy's name or in
any one of the values of policy attributes:
v Ampersand (&)
v Apostrophe (')
v Quotation mark (")
v Greater than character (>)
v Less than character (<)
7. Specify the features that you want to enable or disable for the users or groups
that you will assign to this policy. Some instant messaging features are flagged
with IC characters after the field label. This flag indicates that a feature is only
available for installed clients. The feature is not available to browser clients.
8. Click OK.
Results
Tip: You can follow these same basic steps to delete or edit a policy. Delete a
policy by selecting the policy and then click the Delete button. Edit a policy by
clicking the policy name. You cannot delete the anonymous or default policies, but
you can edit them. If you edit a policy, you cannot change the policy ID. To do
this, you must make a copy of the policy by selecting it and clicking Duplicate,
then you can enter a new ID in the copy. Before you delete the original, be sure to
reassign the users and groups to the copy and give it the proper policy weight.
What to do next
You can now assign users and groups to this policy.
Assign users and groups to policies
You can assign users and groups to specific user policies to grant or limit access to
features in IBM Lotus Sametime.
About this task
You cannot assign users to the default or anonymous policies. Authenticated users
are automatically assigned to the default policies. Unauthenticated users are
assigned to anonymous policies.
Procedure
1. Log in to the Integrated Solutions Console.
2. Click Sametime System Console.
3. Click Manage Policies.
4. Click the Lotus Sametime component with the policy to which you want to
assign a user or a group.
v Instant Messaging
v Meetings
v Media Manager
5. Select a policy name from the list, and click Assign.
6. Click Add Users or Add Groups.
At this point you could remove a user from a policy, by selecting the user in
the list and then clicking Remove.
7. Select the criterion for searching for the user or group that you want to add to
the policy in the Search by field.
v User ID
v Name
v E-mail address
8. Enter the user ID, email address, or name (or a partial name with asterisk
wildcard characters) of the user or group in the Search for field.
9. Select the number of listings on each search results page in the Maximum
results field.
10. Click Search. The results display the DN, display name, and email address of
the users that matched your search.
11. Select a user and click Assign.
12. Click Done.
Sametime Instant Messaging user policy settings
You can grant or limit access to features in IBM Lotus Sametime Instant Messaging
by enabling or disabling various policies for users. Instant Messaging policy
changes take effect in 60 minutes by default.
You can change the interval after which Instant Messaging and Media Manager
policy changes take effect by editing the REFRESH_RULES_INTERVAL setting in the
sametime.ini file.
All unauthenticated users have the anonymous policy, Sametime Instant Messaging
Anonymous Policy, applied to them. For authenticated users, Lotus Sametime
searches for a user ID or group match, and then applies the highest weighted
policy. If there is no match, then the default policy, Sametime Instant Messaging
Default Policy, is applied.
Table 42. Chat
Columns: Setting; Purpose; Sametime Instant Messaging Default Policy; Sametime Instant Messaging Anonymous Policy.
v User must set this community as the default server community
Purpose: Users must log in to this community before they can log in to other communities. This setting does not apply to browser users.
Default Policy: Selected. Anonymous Policy: Selected.
v Allow user to add multiple server communities
Purpose: If this is checked, community preferences and menus are available to users. This setting does not apply to browser users.
Default Policy: Not selected. Anonymous Policy: Selected.
v Allow user to add external users using Sametime Gateway communities
Purpose: Allows users to connect to external communities such as AIM, Yahoo, OCS, and Google Talk. If this policy is not allowed, the check box and text for adding external users by email address are not available in clients.
Default Policy: Not selected. Anonymous Policy: Not selected.
v Allow user to save chat transcripts
Purpose: If this is enabled, users see the File-Save option in the chat window, and chat history capabilities are available. This setting does not apply to browser users.
Default Policy: Selected. Anonymous Policy: Not selected.
v Automatically save chat transcripts
Purpose: This is not valid unless Allow user to save chat transcripts is selected. If this is not selected, then users do not see preferences for chat history or the chat history viewer in their clients. This setting does not apply to browser users.
Default Policy: Selected. Anonymous Policy: Not selected.
v Maximum days to save automatically saved chat transcripts
Purpose: If Automatically save chat transcripts is selected, then a value must be entered in this field. Users cannot set a larger value in their clients than the one specified here. This setting does not apply to browser users.
Default Policy: 365. Anonymous Policy: 0.
v Limit contact list size
Purpose: This limits the number of contacts that users can enter in their contact lists.
Default Policy: Not selected. Anonymous Policy: Not selected.
v Contacts
Purpose: If Limit contact list size is selected, then a value must be entered in this field. Specify the number of contacts that users can enter in their contact lists.
Default Policy: 500. Anonymous Policy: 500.
v Allow all Sametime Connect features to be used with integrated clients
Purpose: If this is not selected, some Lotus Sametime Connect features do not display when Lotus Sametime is integrated with other products. This setting does not apply to browser users.
Default Policy: Not selected. Anonymous Policy: Not selected.
v Allow mobile client
Purpose: This feature lets users deploy Lotus Sametime awareness and chat features on a mobile device.
Default Policy: Selected. Anonymous Policy: Selected.
v Sametime update site URL
Purpose: Provides a URL where users can retrieve updates to features for the Lotus Sametime Connect client. This setting does not apply to browser users.
Default Policy: updates.sametime.ibm.com. Anonymous Policy: Blank.
Table 43. Image Settings
Columns: Setting; Purpose; Sametime Instant Messaging Default Policy; Sametime Instant Messaging Anonymous Policy.
v Allow custom emoticons
Purpose: Allows all actions on the preferences palette: new, import, export, add picture, add palettes. This setting does not apply to browser users.
Default Policy: Selected. Anonymous Policy: Not selected.
v Allow screen capture and images
Purpose: Allows pasting and right-click copying of images and screen captures. This setting does not apply to browser users.
Default Policy: Selected. Anonymous Policy: Not selected.
v Set maximum image size for custom emoticons, screen captures, and inline images
Purpose: This setting includes images pasted inline through the palette emoticons, cut and paste, screen captures, and print screen. It does not include images sent through file transfer. This setting does not apply to browser users.
Default Policy: Not selected. Anonymous Policy: Not selected.
v KB
Purpose: If Set maximum image size for custom emoticons, screen captures, and inline images is selected, then a value must be entered in this field. Users see a message if they attempt to send a file that is larger than the specified size. This setting does not apply to browser users.
Default Policy: 500. Anonymous Policy: 0.
Table 44. File Transfer
Columns: Setting; Purpose; Sametime Instant Messaging Default Policy; Sametime Instant Messaging Anonymous Policy.
v Allow user to transfer files
Purpose: Allows users to transfer files to other users. This setting does not apply to browser users.
Default Policy: Selected. Anonymous Policy: Not selected.
v Maximum file transfer in Kilobytes
Purpose: Limits the size of the file that can be transferred to the specified value, in kilobytes. This setting does not apply to browser users.
Default Policy: 1000. Anonymous Policy: 0.
v Allow client-to-client file transfer
Purpose: Allows users to transfer files without passing the files through the Lotus Sametime server. These files are not logged. This setting does not apply to browser users.
Default Policy: Selected. Anonymous Policy: Not selected.
v Use exclude file types transfer list
Purpose: Limits the types of files that users can transfer. This setting does not apply to browser users.
Default Policy: Not selected. Anonymous Policy: Not selected.
v Types to exclude from transfer. Type the three-letter extension of each file type, separated by a comma or semicolon
Purpose: If Use exclude file types transfer list is selected, then a value must be entered in this field. Type the three-letter extension of each file type, separated by a comma or semicolon; for example, bmp, gif, txt, pdf, sxi, sxc, sxw. Comma-separated values and spaces are acceptable. This setting does not apply to browser users.
Default Policy: exe, com, bat. Anonymous Policy: Blank.
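The File Transfer rows above describe three checks that the client applies to a transfer: the on/off switch, the size limit in kilobytes, and the optional exclude list. The following is an added example written for this page, not Lotus Sametime code; the policy dictionaries, file names and sizes are constructed. It goes slightly beyond the text in three ways, all marked in the code: it accepts extensions of any length (the console asks for three letters), it matches case-insensitively, and an optional strict mode also rejects an excluded inner extension such as the exe in setup.exe.txt, which a plain last-extension check lets through. Note that an exclude list only limits what the client will send; it is not a substitute for scanning what arrives, and client-to-client transfers bypass the server and are not logged.

```python
"""Apply the File Transfer policy settings to a transfer request.

Added illustration for this page, not Lotus Sametime code. Policy keys mirror
the table rows: allow_transfer, max_kb, use_exclude_list, exclude_types.
"""
import re


def parse_exclude_list(text):
    """Turn 'exe, com; BAT ' into {'exe', 'com', 'bat'}.

    The console accepts comma or semicolon separators and tolerates spaces;
    a leading dot is stripped so '.exe' and 'exe' mean the same thing.
    """
    excluded = set()
    for token in re.split(r"[,;]", text or ""):
        token = token.strip().lstrip(".").lower()
        if token:
            excluded.add(token)
    return excluded


def extensions_of(filename):
    """All dotted suffixes of the base name, in order: 'a/b.exe.txt' -> ['exe', 'txt']."""
    base = filename.replace("\\", "/").rsplit("/", 1)[-1]
    parts = base.split(".")
    return [p.lower() for p in parts[1:] if p]


def check_transfer(filename, size_kb, policy, strict=False):
    """Return (allowed, reason) for one transfer under the given policy.

    A max_kb of 0 is treated here as 'no size limit'; this is an assumption,
    the page does not define 0 (the anonymous policy disables transfers anyway).
    strict=True checks every suffix, not only the last one.
    """
    if not policy.get("allow_transfer", False):
        return False, "file transfer is not allowed by policy"
    limit = policy.get("max_kb", 0)
    if limit and size_kb > limit:
        return False, f"{size_kb} KB exceeds the policy limit of {limit} KB"
    if policy.get("use_exclude_list", False):
        excluded = parse_exclude_list(policy.get("exclude_types", ""))
        exts = extensions_of(filename)
        candidates = exts if strict else exts[-1:]
        for ext in candidates:
            if ext in excluded:
                return False, f"extension '{ext}' is on the exclude list"
    return True, "allowed"


# Constructed policies mirroring the table defaults. The default policy ships
# with the exclude list switched off; EXCLUDING_POLICY turns it on.
DEFAULT_POLICY = {"allow_transfer": True, "max_kb": 1000,
                  "use_exclude_list": False, "exclude_types": "exe, com, bat"}
EXCLUDING_POLICY = dict(DEFAULT_POLICY, use_exclude_list=True)
ANONYMOUS_POLICY = {"allow_transfer": False, "max_kb": 0,
                    "use_exclude_list": False, "exclude_types": ""}


if __name__ == "__main__":
    for name, kb, pol in [("q3-report.xlsx", 800, DEFAULT_POLICY),
                          ("q3-report.xlsx", 1500, DEFAULT_POLICY),
                          ("setup.EXE", 10, DEFAULT_POLICY),
                          ("setup.EXE", 10, EXCLUDING_POLICY),
                          ("setup.exe.txt", 10, EXCLUDING_POLICY),
                          ("anything.pdf", 1, ANONYMOUS_POLICY)]:
        print(name, kb, check_transfer(name, kb, pol))
```

With the default policy, setup.EXE is allowed because "Use exclude file types transfer list" is not selected; only turning that row on makes the exclude list effective, which is the check an administrator most often forgets.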
Table 45. Plugin Management
Columns: Setting; Purpose; Sametime Instant Messaging Default Policy; Sametime Instant Messaging Anonymous Policy.
v Allow user to install plug-in
Purpose: Allows users to install plug-ins and updates from the Lotus Sametime Connect Tools → Plug-ins menu. This setting does not apply to browser users.
Default Policy: Selected. Anonymous Policy: Selected.
v Sametime optional plug-in site URLs. Type the URLs separated by a comma or semicolon
Purpose: If no value is specified, then the Check for Optional Features item on the Tools → Plug-ins menu is not valid. This setting does not apply to browser users.
Default Policy: Blank. Anonymous Policy: Blank.
Meetings user policy settings
You can grant or limit access to features in meetings by enabling or disabling
various policies for users. Policy changes take effect immediately.
All unauthenticated IBM Lotus Sametime users have the anonymous policy,
Sametime Meetings Anonymous Policy, applied to them. For authenticated users,
Lotus Sametime searches for a user ID or group match, and then applies the
highest weighted policy. If there is no match, the default policy, Sametime Meetings
Default Policy, is applied.
Lotus Sametime does not allow anonymous users to create meeting rooms.
Therefore, any policy that relates to authenticated users or to the ability to create
meeting rooms does not apply to anonymous users.
Note: Although Lotus Sametime Classic meetings are still managed on the server
itself, you can set user policy for Sametime Classic meetings on the Meetings
policy tab in the Sametime Classic Meetings section.
Table 46. General Meeting Settings
Columns: Setting; Purpose; Sametime Meetings Default Policy; Sametime Meetings Anonymous Policy.
v Maximum persistent meeting rooms this user can own
Purpose: Users are limited to creating this number of meeting rooms per user. When this limit is reached or set to zero, users cannot create more meeting rooms.
Default Policy: 100. Anonymous Policy: 0.
v Allow user to create instant (nonpersistent) meeting rooms
Purpose: If not selected, the user does not see the capabilities for creating instant meetings. The user can still see the capabilities for using an existing room.
Default Policy: Selected. Anonymous Policy: Not selected.
v Automatically connect to meeting server when logging into Sametime Connect
Purpose: If not selected, the user must manually connect to each meeting room server to view the meetings there. This setting is stored with the client, so changes in the policy do not take effect until after the next time the user logs in to the server. This setting does not apply to browser users.
Default Policy: Selected. Anonymous Policy: Not selected.
v Allow searching of meeting rooms
Purpose: If not selected, users can attend meeting rooms only with a direct URL, and the meeting room manager interface never shows. Only affects browser users.
Default Policy: Selected. Anonymous Policy: Not selected.
v Allow searching of hidden meeting rooms
Purpose: If selected, the interface allows the user to explicitly search for hidden meeting rooms by exact name. If not selected, the interface for searching for hidden meeting rooms does not appear, and hidden meeting rooms are never returned in search results.
Default Policy: Not selected. Anonymous Policy: Not selected.
v Show "Scheduled Meetings" view
Purpose: Determines whether to show the "Scheduled Meetings" view in the shelf. This setting does not apply to browser users.
Default Policy: Selected. Anonymous Policy: Not selected.
v Allow meetings to be recorded
Purpose: Allows users to record meetings for rooms they have created. This setting does not apply to browser users.
Default Policy: Selected. Anonymous Policy: Not selected.
v Allow meeting content to be downloaded
Purpose: Allows users to download content from the meeting library.
Default Policy: Selected. Anonymous Policy: Selected.
v Meeting room group chats
Purpose: Hidden - Users cannot see or create group chats. Read-only - Users can only read what others have typed into the group chat. Interactive - Users can type and read group chats.
Default Policy: Interactive. Anonymous Policy: Interactive.
Table 47. Meeting Room Library
Columns: Setting; Purpose; Sametime Meetings Default Policy; Sametime Meetings Anonymous Policy.
v Maximum file upload size, in Megabytes
Purpose: Maximum file upload size in megabytes. Users cannot upload a larger file into the library.
Default Policy: 50. Anonymous Policy: 0.
v Maximum total size of library in Megabytes
Purpose: Maximum total size in megabytes of all files that the library can hold. If the size limit is reached, or if the value is zero, then users cannot upload files to the library.
Default Policy: 200. Anonymous Policy: 0.
Table 48. Screen Sharing
Columns: Feature list; Purpose; Sametime Meetings Default Policy; Sametime Meetings Anonymous Policy.
v Allow screen sharing
Purpose: Disabled - Users cannot share screens or applications. Share an application - Users can share a specific application; no other applications or their desktops are shared. Entire screen, frame, and applications - Users share their whole screen, including any applications that they open on their screens.
Default Policy: Entire screen, frame, and applications. Anonymous Policy: Entire screen, frame, and applications.
v Allow user to control another user's shared screen
Purpose: Allows others to control a user's shared screen. Any participant can make changes to the shared information. This setting does not apply to browser users.
Default Policy: Selected. Anonymous Policy: Not selected.
v Allow peer-to-peer application sharing
Purpose: Whenever this user hosts screen sharing, peer-to-peer can be used by any viewers that support it.
Default Policy: Selected. Anonymous Policy: Not selected.
v Enforce bandwidth limitations
Purpose: Any time the user hosts sharing, the experience is limited by the value specified in Maximum bandwidth size.
Default Policy: Not selected. Anonymous Policy: Not selected.
v Maximum bandwidth size, in Kilobytes per second
Purpose: This is not used unless "Enforce bandwidth limitations" is selected.
Default Policy: 500. Anonymous Policy: 500.
Table 49. Sametime Classic Meetings
Columns: Feature list; Purpose; Sametime Meetings Default Policy; Sametime Meetings Anonymous Policy.
v Allow users to create instant meetings and breakout sessions
Purpose: Lets users start a meeting from the contact list, from an existing chat, and from within a meeting (breakout session).
Default Policy: Selected. Anonymous Policy: Not selected.
v Allow Sametime IP audio and video in instant meetings and breakout sessions
Purpose: No - Does not allow use of Sametime Internet Protocol audio and video in instant meetings and breakout sessions. IP audio only - Allows use of Sametime Internet Protocol audio but not video in instant meetings and breakout sessions. IP video only - Allows use of Sametime Internet Protocol video but not audio in instant meetings and breakout sessions.
Default Policy: No. Anonymous Policy: No.
v Allow participation in meeting room chats
Purpose: Allows participants in the meeting to use the chat window to communicate with any other participant in the meeting.
Default Policy: Selected. Anonymous Policy: Not selected.
v Allow screen sharing
Purpose: No - Users cannot share screens or applications. Application only - Users can share a specific application; no other applications or their desktops are shared. Entire screen, frame, and applications - Users share their whole screen, including any applications that they open on their screens.
Default Policy: Entire screen, frame, and applications.
v Allow user to control another user's shared screen
Purpose: Allows others to control a user's shared screen. Any participant can make changes to the shared information. This setting does not apply to browser users.
Default Policy: Selected. Anonymous Policy: Not selected.
Media Manager user policy settings
You can grant or limit access to media features by enabling or disabling various
policies for users. Media Manager policy changes take effect in 60 minutes by
default.
You can change the interval after which Instant Messaging and Media Manager
policy changes take effect by editing the REFRESH_RULES_INTERVAL setting in the
sametime.ini file.
All unauthenticated users have the anonymous policy, Media Manager
Anonymous Policy, applied to them. For authenticated users, Lotus Sametime
searches for a user ID or group match, and then applies the highest weighted
policy. If there is no match, the default policy, Media Manager Default Policy, is
applied.
Table 50. Telephony, Audio, and Video
Columns: Setting; Purpose; Media Manager Default Policy; Media Manager Anonymous Policy.
v Allow access to third-party service provider capabilities from contact lists, instant messages, and meetings
Purpose: Allows outside vendors to provide audio and video for instant messages and instant meetings. This setting does not apply to browser meetings.
Default Policy: Not selected. Anonymous Policy: Not selected.
v Allow changes to preferred numbers
Purpose: If not selected, the user cannot add telephony devices. This gives the administrator control over the devices that can make or receive calls in the system. "Allow access to third-party service provider capabilities from contact lists, instant messages, and meetings" must be selected to specify this setting.
Default Policy: Selected. Anonymous Policy: Selected.
v Voice and video capabilities available through the Sametime Media Server
Purpose: Allows users to use computer audio and video in instant messages and instant meetings. Choices are: None, Audio only, Audio and video. This setting does not apply to browser users.
Default Policy: Audio and video. Anonymous Policy: Audio and video.
Table 51. Sametime Unified Telephony
Columns: Setting; Purpose; Media Manager Default Policy; Media Manager Anonymous Policy.
v Allow use of "Offline" status in call routing rules
Purpose: Allows users to add their own devices to make and receive calls. "Allow access to third-party service provider capabilities from contact lists, instant messages, and meetings" must be selected to specify this setting. This setting does not apply to browser users.
Default Policy: Selected. Anonymous Policy: Selected.
v Allow changes to the permanent call routing rule
Purpose: If this setting is not selected, a lock appears next to this rule in the user's preferences. "Allow access to third-party service provider capabilities from contact lists, instant messages, and meetings" must be selected to specify this setting. This setting does not apply to browser users.
Default Policy: Selected. Anonymous Policy: Selected.
Changing a user policy's weight
IBM Lotus Sametime products apply user policies with higher weights in preference
to policies with lower weights. You can change the weight of policies.
About this task
User policies in Lotus Sametime have weights. A policy's weight determines
whether or not its attributes take precedence over the attributes of other policies.
For a given user or group assigned two or more policies, Lotus Sametime
applies the policy with the highest weight. Anonymous policies always have
the lowest weight; default policies have the next lowest weight. For authenticated
users, Lotus Sametime first searches for an exact user ID match, and applies the
highest weighted policy among those matches. If there is no match for the user ID in
any policy, Lotus Sametime applies the highest weighted group match. If no group
matches are found, the default policy is applied. You can change the weight of
policies by moving them up and down the policy list of a Lotus Sametime product.
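The precedence rules above, and the policy-name restriction in "Creating new user policies", modelled as an added example. This is not Lotus Sametime code; the policies, user IDs, group names and settings are constructed. The point it makes that the prose only implies: an exact user ID match wins even when a group-assigned policy carries a higher weight, because the user ID search happens first and weight is only compared among the matches of that search.

```python
"""Model of Lotus Sametime policy precedence as described on this page.

Added illustration, not Sametime code. Rules modelled:
  * an unauthenticated user always gets the anonymous policy;
  * an authenticated user with an exact user ID match gets the highest
    weighted policy among those matches, even if a group policy is heavier;
  * otherwise the highest weighted policy matching one of the user's groups;
  * otherwise the default policy;
  * Move Up raises a policy's weight; default and anonymous policies cannot
    be moved or assigned to.
"""
from dataclasses import dataclass, field

# Characters the console rejects in a policy name or attribute value.
FORBIDDEN_NAME_CHARS = set("&'\"<>")


def validate_policy_name(name):
    """True when the name contains none of & ' \" < >."""
    return not (set(name) & FORBIDDEN_NAME_CHARS)


@dataclass
class Policy:
    policy_id: str
    weight: int = 0
    users: set = field(default_factory=set)     # exact user IDs assigned
    groups: set = field(default_factory=set)    # group names assigned
    settings: dict = field(default_factory=dict)


@dataclass
class Component:
    """One product: Instant Messaging, Meetings or Media Manager."""
    default: Policy
    anonymous: Policy
    custom: list = field(default_factory=list)  # ordered top (heaviest) to bottom

    def reweight(self):
        """Derive weights from list position; default and anonymous stay lowest."""
        n = len(self.custom)
        for i, p in enumerate(self.custom):
            p.weight = n - i
        self.default.weight = 0
        self.anonymous.weight = -1


def resolve_policy(component, user_id=None, groups=()):
    """Return the policy Sametime would apply to this user."""
    if user_id is None:                       # not authenticated
        return component.anonymous
    id_matches = [p for p in component.custom if user_id in p.users]
    if id_matches:
        return max(id_matches, key=lambda p: p.weight)
    wanted = set(groups)
    group_matches = [p for p in component.custom if p.groups & wanted]
    if group_matches:
        return max(group_matches, key=lambda p: p.weight)
    return component.default


def move_up(component, policy_id):
    """Swap the named policy with the one above it (Move Up in the console)."""
    ids = [p.policy_id for p in component.custom]
    if policy_id not in ids:                  # default/anonymous are not in the list
        return False
    i = ids.index(policy_id)
    if i == 0:
        return False
    component.custom[i - 1], component.custom[i] = component.custom[i], component.custom[i - 1]
    component.reweight()
    return True


def build_example():
    """Constructed Instant Messaging component with two custom policies."""
    default = Policy("Sametime Instant Messaging Default Policy", settings={"max_kb": 1000})
    anonymous = Policy("Sametime Instant Messaging Anonymous Policy", settings={"max_kb": 0})
    large = Policy("Large file transfers", groups={"cn=Engineering"}, settings={"max_kb": 50000})
    contractors = Policy("Contractors", users={"uid=bob"}, settings={"max_kb": 500})
    comp = Component(default, anonymous, [large, contractors])
    comp.reweight()
    return comp


if __name__ == "__main__":
    comp = build_example()
    # bob is in Engineering, but his exact ID is listed in the lighter Contractors policy.
    print(resolve_policy(comp, "uid=bob", ["cn=Engineering"]).policy_id)     # Contractors
    print(resolve_policy(comp, "uid=alice", ["cn=Engineering"]).policy_id)   # Large file transfers
    print(resolve_policy(comp).policy_id)                                    # anonymous policy
```

Weight only breaks ties within one search stage, so reordering the list with Move Up never lets a group policy override a user's explicit assignment; to change what bob gets, edit the assignment, not the weight.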
Procedure
1. Log in to the Integrated Solutions Console.
2. Click Sametime System Console.
3. Click Manage Policies.
4. Click the Lotus Sametime component with the policy with the weight that you
want to change.
v Instant Messaging
v Meetings
v Media Manager
5. Select a Policy ID from the list, and click Move Up or Move Down. Moving the
policy up increases its weight; moving the policy down decreases its weight. You
cannot change the weight of a default or an anonymous policy.
Administering a Lotus Sametime System Console
This section describes how to manage the IBM Lotus Sametime System Console.
Backing up the console database
The IBM Lotus Sametime System Console database stores information about all the
Sametime servers that are connected to it.
About this task
Back up the database regularly to protect the server data and to minimize
downtime if you need to restore lost or corrupted data. Follow the instructions in
the DB2 information center:
http://publib.boulder.ibm.com/infocenter/db2luw/v9/index.jsp
Starting the Lotus Sametime System Console
When started, the Lotus Sametime System Console runs as a task in the WebSphere
Application Server administrative console.
Before you begin
Verify that the Deployment Manager is running for the cell.
Procedure
1. Open a command window (on IBM i, run QSH command).
2. Navigate to the local app_server_root/profiles/STSCAppProfile profile directory
and change to the bin directory.
3. Run the following command. Note that the name of the server is case sensitive:
AIX, Linux, or Solaris
./startNode.sh
./startServer.sh STConsoleServer
Windows
startNode.bat
startServer.bat STConsoleServer
IBM i
startNode
startServer STConsoleServer
Administering a Lotus Sametime Community Server
This section describes how to manage an IBM Lotus Sametime Community Server.
About this task
Use the instructions in this section to manage connectivity, community services,
anonymous access, and business cards on the Lotus Sametime Community Server.
Managing administrator access and roles
Manage administrator access and roles using the Sametime Administration Tool.
Starting the Sametime Administration Tool
You administer Sametime through a web browser application. You must enable
Java applets and JavaScript or ActiveX Controls in your browser to use the
Sametime Administration Tool.
About this task
To start the Sametime Administration Tool:
Procedure
1. Enter the URL for the Sametime server:
http://hostname/stcenter.nsf
where hostname is the fully qualified Domain Name Service (DNS) name or the
IP address of the Sametime server you want to administer.
Note: For Lotus Sametime Entry and other Sametime offerings that do not
include web conferencing, access the server page by typing http://hostname/
into the browser URL field, where hostname is the fully qualified name of your
Sametime server.
2. From the Sametime server home page (Sametime Welcome page), click
Administer the Server.
3. Enter the administrator name and password specified during the Sametime
server installation. The Sametime Administration Tool opens in its own web
browser window.
Related concepts
User requirements for basic password authentication
When accessing the Lotus Sametime server with a Web browser, a user must enter
a user name and Internet password to access any protected database on the Lotus
Sametime server.
Adding a new Sametime administrator
Use the Domino Directory to give a group of administrators access to the
Sametime Administration Tool.
Adding a Sametime administrator in Domino LDAP
Use the Domino Directory to give a group of administrators access to the
Sametime Administration Tool.
A Sametime administrator name and password is specified during the Sametime
installation and setup process. The administrator specified during the Sametime
server installation and setup can access all features of the Sametime Administration
Tool and can provide other administrators with access to the Sametime
Administration Tool.
This is the procedure for adding an administrator in Domino. If your Sametime
server is configured for LDAP, then you must create the new administrator using
your LDAP Directory tools.
Creating a Person document for the administrator:
Administrators must have a Person document in the Domino Directory.
About this task
Follow these steps to create a Person document using the Sametime Administration
Tool. If the administrator whom you are adding already has a Person document
that contains a last name, user name, and Internet password, skip this procedure.
Procedure
1. From the Sametime server home page, click Administer the Server.
2. From the Sametime Administration Tool, click Domino Directory - Domino.
3. Choose Add Person.
4. In the Person document, select the Basics tab.
5. Enter the user's first, middle, and last name in the appropriate fields. Only the
last name is required.
6. Enter a name for the user in the User Name field. An entry in this field is
required for the user to authenticate with the Sametime server.
You can use any of the following characters in a user name: A - Z, 0 - 9,
ampersand (&), dash (-), period (.), underscore (_), apostrophe ('), and space.
Using other characters can cause unexpected results.
7. Enter an Internet password for the person in the "Internet password" field. An
entry in this field is required for the user to authenticate when accessing the
Sametime Administration Tool. There are no restrictions on the number of
characters used in the Internet password.
8. Click Save & Close. The Person document is added to the Directory.
Creating an Administrators Group document:
Create a group document to hold the names of Sametime administrators.
About this task
Use the Sametime Administration Tool to create an Administrators Group
document.
Procedure
1. From the Sametime server home page, click Administer the Server.
2. From the Sametime Administration Tool:
v If you are using a Domino Directory with the Sametime server, select
Domino Directory - Domino.
v If you are using an LDAP directory with the Sametime server, select LDAP
Directory.
3. Choose "Add Sametime Administrators - Create a group for the
administrators."
4. Click Add Group.
5. Enter a name for the group in the "Group name" field (for example,
"Administrators" or "Sametime Administrators").
6. For group type, select Multipurpose.
7. Optional: Enter a description of the group in the Description field.
8. In the Members field, list the names of users you want to access the Sametime
Administration Tool.
Make sure to enter the name exactly as it is entered in the topmost entry of
the "User name" field of a user's Person document.
9. Select Administration at the top of the Group document.
10. Enter the names of the group owners in the Owners field. Generally, the
group owner is the administrator creating the group. Only the administrator
listed in the Owners field can modify this Group document. If the Owners
field is blank, any administrator can modify this Group document.
11. Click Save & Close.
Adding the Administrators Group document to Sametime database ACLs:
Add the Administrators Group document to Sametime database Access Control
Lists (ACLs) and provide the Manager access level to the group.
About this task
In addition to ACL access levels, you must also specify the ACL privileges and
roles that the Administrators Group (or an individual user) has in each database.
Generally, for an Administrators Group, select all ACL privileges and roles.
Note: If you are adding individual user names to Sametime database ACLs instead
of a group name, database roles can be used to prevent or allow access to specific
features of the Sametime Administration Tool.
Add the Administrators Group to the ACLs of the following Sametime databases:
v Sametime Configuration (stconfig.nsf) - Stores the configuration parameters
that are set from the Sametime Administration Tool.
v Domino Directory or Address Book (names.nsf) - Stores Person and Group
documents, ACL settings, and other configuration information for the
Domino/Web Application Services.
v Sametime Log (stlog.nsf) - Stores logging information.
v Domino Web Administration (webadmin.nsf) - Contains the Domino Web
Administration client, which includes monitoring features for the HTTP Services
and free disk space. This is the full Domino Web Administration client that is
included with Domino servers.
Procedure
1. From the Sametime Administration Tool:
v If you are using the Domino Directory with the Sametime server, choose
Domino Directory - Domino.
v If you are using an LDAP Directory with the Sametime server, choose
LDAP Directory.
2. Choose "Add Sametime Administrators - Give the administrator group
Manager access for all appropriate databases, such as stconf.nsf and
stcenter.nsf." The Access Control options appear.
3. From the Databases list, select Sametime Configuration (stconfig.nsf).
Note: The database filename appears below the Databases list.
4. Click Access.
5. Click Add. Enter the Administrators Group document name in the dialog box
(for example, "Administrators" or "Sametime Administrators").
If you are adding individual user names, enter the person's user name in the
dialog box. Enter the name as it is entered in the top entry of the "User name"
field on the user's Person document.
6. Click OK.
7. Select the Administrators Group name (or individual person's name) from the
list in the Database Security window.
8. In the User Type drop-down list, select Group (or Person if you are adding an
individual user's name).
9. In the Access drop-down list, select Manager.
10. Make sure that all ACL privileges, such as "Create documents" and "Delete
documents," are selected.
11. Click Roles.
12. If you want the Administrators Group to have access to the full range of
administrative functions, select all roles. Click OK.
The roles determine which administration tasks the members of the group can
perform. If you are adding individual user names to the ACLs, you can use
the roles to control the administrative features that are available to individual
administrators. For more information, see Roles in Sametime databases ACLs.
13. Click Submit.
14. After adding the Administrators Group to the ACL of the Sametime
Configuration database (stconfig.nsf), repeat steps 4 through 14 to add the
Administrators Group to the ACL of each of the Sametime databases listed
below:
v Domino Address Book or Domino Directory (names.nsf)
v Sametime Online Meeting Center (stconf.nsf)
v Sametime Log (stlog.nsf)
v Sametime Self Registration (streg.nsf)
v Domino Web Administration (webadmin.nsf)
Modifying the Server document of the Sametime server:
Add the Administrators Group document (or the name of an individual user) to
two fields on the Server document.
Procedure
1. From the Sametime Administration Tool:
v If you are using the Domino Directory with the Sametime server, choose
Domino Directory - Domino.
v If you are using an LDAP Directory with the Sametime server, choose LDAP
Directory.
2. Choose "Add Sametime Administrators - Edit the Server document."
3. Click Security.
4. In the "Administrators" field of the Administrators section, type the name of the
Administrators Group (or enter the name of an individual user).
Note: Type a group name exactly as it appears in the Group document. If you
are entering an individual user name in this field, type the user name exactly
as it is entered in the topmost entry of the "User name" field on the Person
document. Separate multiple entries in the "Administer the server from a
browser" field with commas.
5. In the "Run unrestricted methods and operations" field of the Programmability
Restrictions section, type the Administrators Group name (or an individual
user's name). Separate multiple entries in this field with commas.
6. Click Save & Close.
Adding and removing names from an Administrators Group document:
Control access to the Sametime Administration Tool by editing the Group
document.
About this task
Adding a user's name to the Administrators Group document provides the user
with access to the Sametime Administration Tool. Removing a user's name from
the Group document revokes the user's access to the Sametime Administration
Tool.
Procedure
1. From the Sametime server home page, click Administer the Server.
2. From the Sametime Administration Tool:
v If you are using the Domino Directory with the Sametime server, choose
Domino Directory - Domino.
v If you are using an LDAP Directory with the Sametime server, choose LDAP
Directory.
3. Choose "Add Sametime Administrators - Create a group for the
administrators."
4. Double-click a group name.
5. Select Edit Group.
6. In the Members field, add or remove a user's name from the Group document.
If you add a user's name, the user must have a Person document in the
Domino Directory that contains a last name, user name, and Internet password.
Make sure to enter the name exactly as it is entered in the top entry of the
"User name" field of a user's Person document.
The user must enter a last name or user name and the Internet password from
the Person document to access the Sametime Administration Tool.
7. Click Save & Close.
Sametime database default ACL settings
See the following tables to determine the default ACL settings for Sametime
databases.
Table 52. stconfig.nsf database default ACL settings
Attribute                        Setting
Access                           No Access
Create documents                 Not selected
Delete documents                 Not selected
Create private agents            Not selected
Create personal folders/views    Not selected
Create shared folders/views      Not selected
Create LotusScript/Java agents   Not selected
Read public documents            Selected
Write public documents           Selected
Replicate or copy documents      Selected

Table 53. stconf.nsf database default ACL settings
Attribute                        Setting
Access                           Author
Create documents                 Selected
Delete documents                 Selected
Create private agents            Selected
Create personal folders/views    Selected
Create shared folders/views      Not selected
Create LotusScript/Java agents   Selected
Read public documents            Selected
Write public documents           Selected
Replicate or copy documents      Selected

Table 54. names.nsf database default ACL settings
Attribute                        Setting
Access                           Author
Create documents                 Not selected
Delete documents                 Not selected
Create private agents            Not selected
Create personal folders/views    Not selected
Create shared folders/views      Not selected
Create LotusScript/Java agents   Not selected
Read public documents            Selected
Write public documents           Not selected
Replicate or copy documents      Selected

Table 55. stpolicy.nsf database default ACL settings
Attribute                        Setting
Access                           No Access
Create documents                 Not selected
Delete documents                 Not selected
Create private agents            Not selected
Create personal folders/views    Not selected
Create shared folders/views      Not selected
Create LotusScript/Java agents   Not selected
Read public documents            Selected
Write public documents           Selected
Replicate or copy documents      Selected

Table 56. stlog.nsf database default ACL settings
Attribute                        Setting
Access                           Reader
Create documents                 Not selected
Delete documents                 Not selected
Create private agents            Selected
Create personal folders/views    Selected
Create shared folders/views      Not selected
Create LotusScript/Java agents   Selected
Read public documents            Selected
Write public documents           Selected
Replicate or copy documents      Selected

Table 57. stnamechange.nsf database default ACL settings
Attribute                        Setting
Access                           Manager
Create documents                 Selected
Delete documents                 Selected
Create private agents            Selected
Create personal folders/views    Selected
Create shared folders/views      Selected
Create LotusScript/Java agents   Selected
Read public documents            Selected
Write public documents           Selected
Replicate or copy documents      Selected
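The procedure above gives the Administrators Group Manager access on each Sametime database, and Tables 52 through 57 give the access level each database ships with. A practitioner usually wants to confirm both after the fact, because a -Default- entry that has been raised above its documented level, or a Manager entry granted to someone outside the administrators group, is exactly the kind of drift that goes unnoticed in an ACL dialog. The following audit script is an added example and is not part of the IBM guide or the Sametime product; it assumes the tables describe the -Default- entry of each database, and the ACL dump it checks is constructed for illustration (the `AclEntry` records, the group name "Sametime Administrators" and the user "Contractor Smith/Acme" are all made-up sample values, not anything exported from a real server).

```python
# Added example (not from the IBM guide): audit Sametime database ACL entries
# against the documented defaults and the administrators-group requirement.
from dataclasses import dataclass
from typing import Dict, List

# Standard Domino ACL access levels, lowest privilege first.
ACCESS_LEVELS = ["No Access", "Depositor", "Reader", "Author", "Editor", "Designer", "Manager"]

# Access level from Tables 52 to 57 above.
# Assumption: each table describes the -Default- entry of that database.
DOCUMENTED_DEFAULT_ACCESS: Dict[str, str] = {
    "stconfig.nsf": "No Access",
    "stconf.nsf": "Author",
    "names.nsf": "Author",
    "stpolicy.nsf": "No Access",
    "stlog.nsf": "Reader",
    "stnamechange.nsf": "Manager",
}

# Databases the procedure above says the Administrators Group needs Manager on.
ADMIN_MANAGER_DATABASES = [
    "stconfig.nsf", "names.nsf", "stconf.nsf", "stlog.nsf", "streg.nsf", "webadmin.nsf",
]


@dataclass(frozen=True)
class AclEntry:
    database: str   # filename as it appears below the Databases list
    name: str       # "-Default-", a Group document name, or a user name
    user_type: str  # "Group", "Person", "Server" or "Unspecified"
    access: str     # one of ACCESS_LEVELS


def _rank(level: str) -> int:
    """Position of an access level in the privilege order."""
    return ACCESS_LEVELS.index(level)


def audit_acls(entries: List[AclEntry], admin_group: str) -> List[str]:
    """Return one finding string per deviation; an empty list means compliant."""
    findings: List[str] = []
    by_db: Dict[str, List[AclEntry]] = {}
    for e in entries:
        by_db.setdefault(e.database, []).append(e)

    for db, db_entries in sorted(by_db.items()):
        for e in db_entries:
            if e.access not in ACCESS_LEVELS:
                findings.append(f"{db}: entry '{e.name}' has unknown access level '{e.access}'")
            elif e.name == "-Default-":
                # The -Default- entry must not exceed the level the guide documents.
                expected = DOCUMENTED_DEFAULT_ACCESS.get(db)
                if expected is not None and _rank(e.access) > _rank(expected):
                    findings.append(f"{db}: -Default- has {e.access}, documented default is {expected}")
            elif e.access == "Manager" and e.name != admin_group:
                # Manager belongs to the administrators group, not to ad-hoc entries.
                findings.append(
                    f"{db}: {e.user_type} '{e.name}' holds Manager access outside the administrators group"
                )

    # The administrators group must be present with Manager on every listed database.
    for db in ADMIN_MANAGER_DATABASES:
        admin = [e for e in by_db.get(db, []) if e.name == admin_group]
        if not admin:
            findings.append(f"{db}: administrators group '{admin_group}' is not in the ACL")
        elif admin[0].access != "Manager":
            findings.append(
                f"{db}: administrators group '{admin_group}' has {admin[0].access}, expected Manager"
            )
    return findings


# Constructed sample ACL dump (not from any real server); it contains four deviations.
SAMPLE_ACL = [
    AclEntry("stconfig.nsf", "-Default-", "Unspecified", "No Access"),
    AclEntry("stconfig.nsf", "Sametime Administrators", "Group", "Manager"),
    AclEntry("stconfig.nsf", "Contractor Smith/Acme", "Person", "Manager"),  # stray Manager
    AclEntry("names.nsf", "-Default-", "Unspecified", "Editor"),             # above Author
    AclEntry("names.nsf", "Sametime Administrators", "Group", "Manager"),
    AclEntry("stconf.nsf", "-Default-", "Unspecified", "Author"),
    AclEntry("stconf.nsf", "Sametime Administrators", "Group", "Editor"),    # not Manager
    AclEntry("stlog.nsf", "-Default-", "Unspecified", "Reader"),
    AclEntry("stlog.nsf", "Sametime Administrators", "Group", "Manager"),
    AclEntry("streg.nsf", "-Default-", "Unspecified", "No Access"),
    AclEntry("streg.nsf", "Sametime Administrators", "Group", "Manager"),
    AclEntry("webadmin.nsf", "-Default-", "Unspecified", "No Access"),
    # webadmin.nsf has no administrators-group entry at all.
]

if __name__ == "__main__":
    for line in audit_acls(SAMPLE_ACL, "Sametime Administrators"):
        print(line)
```

Run against the sample dump, the audit reports the contractor's Manager entry on stconfig.nsf, the raised -Default- level on names.nsf, the administrators group holding only Editor on stconf.nsf, and the missing group entry on webadmin.nsf. Feeding it a real export means producing `AclEntry` records from whatever the site uses to dump ACLs; the check itself does not depend on how the records were obtained.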
Roles in Sametime database ACLs
Roles provide a way to define the access an administrator has to the features and
settings of the Sametime Administration Tool.
For example, the Sametime Configuration database (stconfig.nsf) ACL contains
three roles: ServerMonitor, ServerAdmin, and DatabaseAdmin. If you assign only the
ServerMonitor role to an administrator, the administrator can monitor server
memory, disk space, and other server statistics but cannot perform any other
administrative functions. Assign all roles to an administrator if you want the
administrator to have full access to all administrative functions.
Access Control List (ACL) roles are defined in the following Sametime databases:
Roles in the Sametime Configuration database (stconfig.nsf):
The Sametime Configuration database (stconfig.nsf) stores the values for
parameters that are available from the Sametime Administration Tool. The roles in
this database affect the administrative tasks that an administrator can perform
from the Sametime Administration Tool.
The following table lists the commands and features available with the Sametime
Administration Tool and the roles that an administrator must be assigned in the
stconfig.nsf database to use the Sametime Administration Tool commands and
features. If an administrator does not have the appropriate roles, the Sametime
Administration Tool does not display the command.
Command Group               Command or feature                  Role required
Message From Administrator  Sends message to all users logged   [ServerMonitor] or [SametimeAdmin]
                            into Community Services             or [DatabaseAdmin]
Monitoring                  All monitoring features             [ServerMonitor] or [SametimeAdmin]
                                                                or [DatabaseAdmin]
Logging                     All logging features                [ServerMonitor] or [SametimeAdmin]
                                                                or [DatabaseAdmin]
Directory                   Add directory features              [ServerMonitor] or [SametimeAdmin]
                                                                or [DatabaseAdmin]
Configuration               Connectivity, Community Services,   [ServerMonitor] or [SametimeAdmin]
                            Meeting Services, Audio/Video       or [DatabaseAdmin]
                            Services
Help                        Online help for administrators      No roles required
Note: The Domino server cannot resolve the user if given the internet address in
the person entry that defines the internal ID of a Sametime user. The mail attribute
is not supported in this field. The field may be left blank.
Roles in the Domino Directory (names.nsf):
The Domino Directory (or Address Book) contains the Person and Group
documents that you create and edit when you use the Sametime Administration
Tool. The roles in the Domino Directory determine who can create or edit a
particular type of document in the Directory.
The Domino Directory also contains the Server document that you access to
provide another user with administrative privileges to the Sametime
Administration Tool.
Note: If you use Sametime in a Domino environment, the Domino Directory roles
function the same as they do on Domino servers.
The Domino Directory contains eight roles. The privileges for each role are listed in
this table:
Role            Description
UserCreator     Allows an administrator to create Person documents in the Domino Directory
UserModifier    Allows an administrator to edit all Person documents in the Domino Directory
GroupCreator    Allows an administrator to create Group documents in the Domino Directory
GroupModifier   Allows an administrator to edit all Group documents in the Domino Directory
ServerCreator   Allows an administrator to create Server documents in the Domino Directory
ServerModifier  Allows an administrator to edit all Server documents in the Domino Directory
NetCreator      Not used by Sametime
NetModifier     Not used by Sametime
Related reference: Roles in Sametime database ACLs
Roles in the Sametime Meeting Center (stconf.nsf):
The Sametime Meeting Center database contains only the Sametime Admin role.
Role             Description
Sametime Admin   Allows an administrator to see hidden meetings displayed in the All
                 Meetings view of the Meeting Center.
                 Allows an administrator to see the Hidden Meetings view in the Meeting
                 Center. This view displays only hidden meetings.
                 Allows the administrator to alter the meeting details of any meeting.
                 For example, the administrator can delete or change the end time of a
                 meeting that the administrator did not create.
                 Allows an administrator to see and use the "Delete the Recording,"
                 "Export the Recording," "Replace the Recording," and Import Recording
                 options in the Meeting Center forms. These features enable the
                 administrator to manage the recorded meeting files if the administrator
                 makes the Record and Playback feature available on the Sametime server.
Related reference: Roles in Sametime database ACLs
Roles in the Domino Web Administration database (webadmin.nsf):
The Domino Web Administration database is available on the Sametime server to
enable administrators to monitor the HTTP server and access logging information
about the Domino Application Services.
The following table defines the roles in the Domino Web Administration database:
Role            Description
ServerAdmin     A Sametime administrator requires this role to access the Server
                document when providing other users with access to the Sametime
                Administration Tool.
ServerMonitor   A Sametime administrator requires this role to access the Monitoring -
                Miscellaneous functions of the Sametime Administration Tool. These
                monitoring functions enable the administrator to monitor HTTP commands
                and requests, server memory usage, and free disk space. The Sametime
                administrator also requires this role to access the Logging - Domino
                Log functions of the Sametime Administration Tool, which report
                information about the Domino Application Services.
DatabaseAdmin   A Sametime administrator requires this role to change database ACLs
                from the Sametime Administration Tool.
FileRead        This feature provides access to the Configuration - System Files
                (read-only) command of the Domino Web Administration Tool. This
                feature is usually not used with Sametime.
FileModify      This feature provides access to the Configuration - System Files
                (read/write) command. This feature is usually not used with Sametime.
Related reference: Roles in Sametime database ACLs
Domino log
To access the Domino log, choose Logging - Domino Log in the Sametime
Administration Tool, and then click the link that appears on the right. The Domino
log launches in a new browser window.
Updating Sametime Community Server connection properties
on the console
You can update connection setting information that the IBM Lotus Sametime
System Console uses to connect to the Lotus Sametime Community Server.
About this task
Any changes that you make to the credential and connection information on the
Connection Properties page do not change the actual settings on the Lotus
Sametime Community Server. These settings are only used by the Sametime
System Console to connect to the Sametime Community Server.
If you are configuring the Lotus Sametime Community Server to use SSL (Secure
Sockets Layer), make sure the server's Domino CA certificate has been added to the
Sametime System Console's trust store using the Integrated Solutions Console
(Security → SSL certificate and key management → SSL configurations →
CellDefaultSSLSettings → Key stores and certificates → CellDefaultTrustStore →
Signer certificates). See the WebSphere Application Server information center for
more information on adding certificates to a trust store.
Follow these steps to update connection setting information.
Procedure
1. Log in to the Integrated Solutions Console.
2. Click Sametime System Console → Sametime Servers → Sametime Community
Servers.
3. In the Sametime Community Servers list, click Edit next to the deployment
name of the server with the connection information that you want to change.
4. Under Connection Properties, enter the administrator's User name and
Password for connecting to the Lotus Sametime Community Server.
5. Enter the HTTP port (typically 80) and HTTPS port (typically 443).
6. By default, the Lotus Sametime Community Server trusts other Lotus Sametime
components. If you want to change this setting, then select Do not auto-accept
SSL certificate.
7. Click Save.
8. If you enabled SSL, then you must restart the Lotus Sametime System Console
for the changes to take effect.
Configuring Sametime Community Server connectivity
Define the host names and ports for Community Services on the IBM Lotus
Sametime Community Server.
About this task
Community Services supports all presence (or awareness) and text chat activity in
a Lotus Sametime community. Any Lotus Sametime client that contains a presence
list must connect to Community Services on the Lotus Sametime Community
Server.
Community Services includes:
v Client login requests
v Connections from clients that access the Sametime server through a direct
TCP/IP connection, or an HTTP, HTTPS, or SOCKS proxy server. Community
Services clients connect to the Community Services multiplexer component,
which is deployed on a separate machine from the Lotus Sametime Community
Server.
v Directory access for user name search and display.
v Directory access to compile lists of all servers and users in the community.
v Dissemination of presence and chat data to all users connected to Community
Services.
v Maintenance of privacy information for online users.
v Connections from the Community Services on other Lotus Sametime Community
servers when multiple servers are installed.
v Logging of server community events to the Sametime log (stlog.nsf).
This must be completed separately for each server within a Lotus Sametime
Community Server cluster.
Procedure
1. Log in to the Integrated Solutions Console.
2. Click Sametime System Console → Sametime Servers → Sametime
Community Servers.
3. In the Sametime Community Servers list, click the deployment name of the
server with the connectivity information that you want to change.
4. Click the Connectivity tab.
5. Under Server Connections, type the fully qualified Host Name and Port for
the internal Sametime processes to communicate with one another.
Community Services listens for direct TCP/IP connections from Community
Services of other Lotus Sametime Community Servers on this port. If you
have installed multiple Sametime servers, this port must be open for presence,
chat, and other data to pass between the servers.
6. Under Client Connections, type the fully qualified Host Name and Port on
which Community Services listens for direct TCP/IP connections and
HTTP-tunneled connections from the Community Services clients. A direct
TCP/IP connection occurs when the Sametime client uses a unique Sametime
protocol over TCP/IP to establish a connection with the Community Services.
7. Under HTTP Tunneled Client Connections, type the fully qualified Host
Name and Port from which Community Services clients can make
HTTP-tunneled connections to the Community Services multiplexer.
Community Services clients can make HTTP-tunneled connections on both
ports 80 and 8082 by default. Port 8082 ensures compatibility with previous
Sametime releases. In previous releases, Sametime clients made
HTTP-tunneled connections to the Community Services only on port 8082. If a
Sametime Connect client from a previous Sametime release attempts an
HTTP-tunneled connection to a Sametime server, the client might attempt this
connection on port 8082.
8. If you will be using a previous version of the Sametime Meeting Room client,
click Enable pre 8.5 releases of the Meeting Room client to try HTTP
Tunneling to the Community Server after trying other options.
9. Under HTTPS Tunneled Client Connections, type the fully qualified Host
Name and Port from which the Community Services clients attempt HTTPS
connections when accessing the Sametime Community Server through an
HTTPS proxy server. If a Community Services client connects to the Sametime
Community server using HTTPS, the HTTPS connection method is used, but
the data passed on this connection is not encrypted.
10. Click OK.
11. Restart the Lotus Sametime Community Server for settings to take effect.
Managing trusted IP addresses
Whenever you install a server that communicates with an IBM Lotus Sametime
Community Server, you must add the new server's IP address to the Community
Server's settings.
About this task
The Lotus Sametime Community Server accepts connections from the Lotus
Sametime Media Manager, the Lotus Sametime Gateway, the Lotus Sametime
Community Mux, and the Lotus Sametime Proxy Server, as well as other servers
that are listed in the Community Services page. To ensure that the Lotus Sametime
Community Server trusts these components when they establish a connection, you
must add the trusted server's IP address to the Lotus Sametime Community Server.
If you are installing a cluster of Lotus Sametime Media Manager servers, Lotus
Sametime Gateway servers, or Lotus Sametime Proxy Servers, be sure to include
the IP address of the Primary Node as well as every Secondary Node in the
cluster (you do not need to include the Deployment Manager).
You do not need to add the Lotus Sametime System Console's IP address because
it is added automatically when you ins