Sametime 7.5.1: Best Practices for Enterprise Scale Deployment
Building and deploying an enterprise architecture
System administration and maintenance

George Lambie
Charles Price, Jr.
Jim Puckett
Vineet Rohatgi
Stephen Shepherd
Jennifer Wales
Jeff Pinkston
Rob Fox

ibm.com/redbooks
International Technical Support Organization
September 2007
SG24-7410-00
Note: Before using this information and the product it supports, read the information in
“Notices” on page xi.
This edition applies to IBM Lotus Sametime 7.5 and subsequently Sametime 7.5.1.
© Copyright International Business Machines Corporation 2007. All rights reserved.
Note to U.S. Government Users Restricted Rights -- Use, duplication or disclosure restricted by GSA ADP
Schedule Contract with IBM Corp.
Contents
Notices  xi
Trademarks  xii
Preface  xiii
The team that wrote this book  xiii
Special acknowledgement to the following team members for their contributions to this project  xvi
Additional Contributors to this book  xvi
Become a published author  xvii
Comments welcome  xvii
6.3.7 Testing the business card setup  352
6.4 Notes Client integration with Sametime  353
6.4.1 How instant messaging works using a Notes Client  353
6.4.2 Add a Domino canonical name to LDAP Directory  355
6.4.3 Add LDAP's Domino Canonical Name field to resolve filter  356
6.4.4 Configure Notes Client to pass full canonical name format  358
6.4.5 Enable awareness in Notes Client  360
6.5 Domino Web Access integration with Sametime  365
6.6 Install Domino and register the DWA users  366
6.6.1 Install Domino  366
6.6.2 Register users in Domino  382
6.7 Configure DWA for awareness and chat  383
6.7.1 How instant messaging works in DWA  383
6.7.2 Synchronize the directories  384
6.7.3 Configure SSO between DWA and Sametime  401
6.7.4 Configure DWA server document for awareness and chat  406
6.7.5 DWA user settings to enable awareness and chat  409
6.7.6 Change how names are passed to Sametime for awareness status  413
6.8 QuickPlace integration with Sametime  421
6.9 Install QuickPlace and configure Security  421
6.9.1 Install Domino for QuickPlace  421
6.9.2 Install QuickPlace  438
6.9.3 Configure QuickPlace Security  440
6.10 Configure QuickPlace for awareness, chat, and meetings  447
6.10.1 How instant messaging works in QuickPlace  448
6.10.2 How online meetings work in QuickPlace  450
6.10.3 Configure SSO between QuickPlace and Sametime  451
6.10.4 Configure QuickPlace for awareness and chat  460
6.10.5 Configure QuickPlace for online meetings  464
6.11 WebSphere Portal Integration with Sametime  474
6.12 Install WebSphere Portal and configure Security  474
6.12.1 Install WebSphere Portal v6  474
6.12.2 Enable security with realm support  478
6.13 Configure WebSphere Portal for awareness, chat, and meetings  485
6.13.1 How instant messaging works in WebSphere Portal  486
6.13.2 How online meetings work in WebSphere Portal  488
6.13.3 Configure SSO between Portal and Sametime  489
6.13.4 Enable awareness and chat in WebSphere Portal  499
6.13.5 Configure Sametime to trust Portal for the Sametime Contact List portlet  506
6.13.6 Configure the Web Conferencing Portlet  512
6.14 Lotus Sametime 7.5.1 and Microsoft Office integration  521
6.14.1 Install MS integration with Sametime  523
8.2.7 Sametime Mobile  667
8.3 Sametime Client deployment considerations  668
8.3.1 Deployment phase 1: planning  668
8.3.2 Client deployment phase II: implementation  671
8.3.3 Sametime Meeting Room Client, Sametime Recorded Meeting Client  684
8.4 Conclusion  689
Load Balancer overview  821
Dispatcher  822
Content Based Routing (CBR) Component  830
Site Selector  831
Cisco CSS Controller and Nortel Alteon Controller  831
Server affinity in Load Balancer  831
Stickiness to source IP address  832
Cross port affinity  833
Passive cookie affinity  834
Active cookie affinity  834
URI affinity  835
SSL session ID  835
Index  839
This information was developed for products and services offered in the U.S.A.
IBM may not offer the products, services, or features discussed in this document in other countries. Consult
your local IBM representative for information about the products and services currently available in your
area. Any reference to an IBM product, program, or service is not intended to state or imply that only that
IBM product, program, or service may be used. Any functionally equivalent product, program, or service that
does not infringe any IBM intellectual property right may be used instead. However, it is the user's
responsibility to evaluate and verify the operation of any non-IBM product, program, or service.
IBM may have patents or pending patent applications covering subject matter described in this document.
The furnishing of this document does not give you any license to these patents. You can send license
inquiries, in writing, to:
IBM Director of Licensing, IBM Corporation, North Castle Drive, Armonk, NY 10504-1785 U.S.A.
The following paragraph does not apply to the United Kingdom or any other country where such
provisions are inconsistent with local law: INTERNATIONAL BUSINESS MACHINES CORPORATION
PROVIDES THIS PUBLICATION "AS IS" WITHOUT WARRANTY OF ANY KIND, EITHER EXPRESS OR
IMPLIED, INCLUDING, BUT NOT LIMITED TO, THE IMPLIED WARRANTIES OF NON-INFRINGEMENT,
MERCHANTABILITY OR FITNESS FOR A PARTICULAR PURPOSE. Some states do not allow disclaimer
of express or implied warranties in certain transactions, therefore, this statement may not apply to you.
This information could include technical inaccuracies or typographical errors. Changes are periodically made
to the information herein; these changes will be incorporated in new editions of the publication. IBM may
make improvements and/or changes in the product(s) and/or the program(s) described in this publication at
any time without notice.
Any references in this information to non-IBM Web sites are provided for convenience only and do not in any
manner serve as an endorsement of those Web sites. The materials at those Web sites are not part of the
materials for this IBM product and use of those Web sites is at your own risk.
IBM may use or distribute any of the information you supply in any way it believes appropriate without
incurring any obligation to you.
Information concerning non-IBM products was obtained from the suppliers of those products, their published
announcements or other publicly available sources. IBM has not tested those products and cannot confirm
the accuracy of performance, compatibility or any other claims related to non-IBM products. Questions on
the capabilities of non-IBM products should be addressed to the suppliers of those products.
This information contains examples of data and reports used in daily business operations. To illustrate them
as completely as possible, the examples include the names of individuals, companies, brands, and products.
All of these names are fictitious and any similarity to the names and addresses used by an actual business
enterprise is entirely coincidental.
COPYRIGHT LICENSE:
This information contains sample application programs in source language, which illustrate programming
techniques on various operating platforms. You may copy, modify, and distribute these sample programs in
any form without payment to IBM, for the purposes of developing, using, marketing or distributing application
programs conforming to the application programming interface for the operating platform for which the
sample programs are written. These examples have not been thoroughly tested under all conditions. IBM,
therefore, cannot guarantee or imply reliability, serviceability, or function of these programs.
PostScript, and Portable Document Format (PDF) are either registered trademarks or trademarks of Adobe
Systems Incorporated in the United States, other countries, or both.
EJB, Java, JDBC, JNI, JRE, JVM, J2EE, J2SE, Solaris, Sun Java, and all Java-based trademarks are
trademarks of Sun Microsystems, Inc. in the United States, other countries, or both.
Active Directory, Excel, Internet Explorer, Microsoft, Outlook, PowerPoint, Windows Mobile, Windows NT,
Windows Server, Windows, and the Windows logo are trademarks of Microsoft Corporation in the United
States, other countries, or both.
Intel, Pentium, Intel logo, Intel Inside logo, and Intel Centrino logo are trademarks or registered trademarks
of Intel Corporation or its subsidiaries in the United States, other countries, or both.
Linux is a trademark of Linus Torvalds in the United States, other countries, or both.
Other company, product, or service names may be trademarks or service marks of others.
With the release of IBM® Lotus Sametime® 7.5 and subsequently Sametime
7.5.1, IBM provides a family of enterprise-class collaboration products providing
real-time awareness, communication, screen-sharing capabilities, and IP
audio/video services. Lotus Sametime brings the flexibility and efficiency of
real-time communication to the enterprise by interconnecting employees,
customers, business partners, and suppliers.
experience with Linux®, Mac OS X, WebSphere, DB2®, Single Sign-On,
Domino, and a host of other core technologies.
Your efforts will help increase product acceptance and customer satisfaction. As
a bonus, you'll develop a network of contacts in IBM development labs, and
increase your productivity and marketability.
Find out more about the residency program, browse the residency index, and
apply online at:
ibm.com/redbooks/residencies.html
Comments welcome
Your comments are important to us!
We want our Redbooks to be as helpful as possible. Send us your comments
about this or other Redbooks in one of the following ways:
Use the online Contact us review redbook form found at:
ibm.com/redbooks
Send your comments in an email to:
redbooks@us.ibm.com
Mail your comments to:
IBM Corporation, International Technical Support Organization
Dept. HYTD Mail Station P099
2455 South Road
Poughkeepsie, NY 12601-5400
In this opening chapter, we summarize the new features of Lotus Sametime 7.5;
distinguish between the core services provided for instant messaging, presence,
and online meetings; and provide an overview of the methods used to achieve
scalability and high-availability in the enterprise environment.
IBM's own internal deployment of Lotus Sametime serves more than 400,000
users, including more than 320,000 employees across 65 countries. At the time
of writing, IBM averages one thousand online meetings per day involving more
than four thousand meeting participants, with an average peak concurrency of
almost 300 meetings and 1,250 participants. Sixteen percent of all IBM online
meetings involve external participants, including customers and business
partners. Over 4 million instant messages are sent each day within IBM, and the
peak daily load exceeds 200,000 concurrent connections.
[Figure: Lotus Sametime history and market leadership timeline. Releases shown:
Lotus IMWC 6.5.1 (March 2004), Lotus Sametime 7.0 (Aug 2005), Lotus Sametime
7.5 (Aug 2006), Lotus Sametime 7.5.1 (Apr 2007). Callouts: widest and largest
enterprise deployments; almost 16 million corporate IM users; proven
deployments to 25 companies with 100,000-350,000+ user deployments.]
Lotus Sametime now uses audio integration from leading teleconferencing and
telecommunications providers to offer a single interface to both audio and Web
conferencing, as well as click-to-call functionality directly from the Lotus
Sametime Connect client.
Community services and online meeting services are summarized in the sections
that follow.
Figure 1-2 illustrates the new Tabbed Chat feature provided in Sametime 7.5.1.
Once users are aware of who is online, they can initiate interaction simply by
sending an instant message. A user might start an instant message, an online
meeting, or a telephone call — whatever suits the task at hand. For example, an
instant message is an efficient, low-bandwidth medium for the quick clarification
of an idea, but to explain the details of a design specification, a phone call may
be a more appropriate medium. Of course, nobody wants to be available for
spontaneous communication — read interruption — all the time. For this reason,
Sametime gives each user full control over their availability. Levels of
participation include active (online and available), away (offline or otherwise
unavailable), in a meeting, and do not disturb (online but unavailable).
The Sametime Community Services support all presence (or awareness), text
chat, and file transfer activity in a Sametime community. Any Sametime client
that contains a presence list must connect to the Community Services. The
Community Services clients include the Sametime Connect client, Participant
Sametime allows any user to share any program from his or her desktop, such as
presentations, spreadsheets, and project management software. Other
participants are not required to have the same software in order to participate
and see what’s being shared. When appropriate, users can also pass control of
the application back and forth as necessary. The initiator can reassert control at
any time. Sametime’s shared whiteboard is the online equivalent of a typical
whiteboard in an office or classroom. Users can draw on it, show presentations,
and annotate documents on it. Sametime also converts popular file types into
pages for convenient display during whiteboard sessions.
The Meeting Services include the T.120 multipoint communications software that
supports screen sharing and the shared whiteboard, and the starting, stopping,
and deletion of meetings. Meeting Services also support connections for the
interactive audio/video components of the Sametime Meeting Room Client.
For more information about using the Eclipse framework to develop plug-ins for
Sametime, see the IBM Redbooks publication Extending Sametime 7.5: Building
Plug-ins for Sametime, SG24-7346:
http://www.redbooks.ibm.com/abstracts/sg247346.html?Open
Business partners in the specialist audio and video areas are today working with
Sametime 7.5’s extensible Eclipse framework to integrate audio, video, and
PC-based collaboration tools. Supporting IBM in this area are a number of
industry leaders, such as Avaya, Avistar Communications Corporation, Nortel,
Polycom, PhoneSoft, Premiere Global Services, Siemens, and Tandberg.
1.5.1 Scalability
This book is written specifically with enterprise-scale deployments of IBM Lotus
Sametime in mind. By enterprise deployment we generally think in terms of
organizations involving collaboration between thousands or tens of thousands of
people, or more. Where these large-scale deployments differ from smaller scale
implementations is typically in the areas of the complexity, systems performance,
and availability. These aspects are less likely to be encountered within a small
enterprise environment. This is not to say that performance and availability are
not important to smaller organizations; patently they are, but these requirements
are more readily achieved for smaller user populations without the need for
complex architectures.
In the later chapters of this book we discuss how the Community Services
Multiplexor can be best deployed to provide improved scalability and efficiency
for Sametime Community Services.
In later chapters of this book we discuss in detail best practices for clustering
Sametime Community Services and also describe how the performance and
capacity of the infrastructure supporting the Sametime Meeting Services can be
improved by using an Invited Server Model and distributing users over multiple
regional servers. A specific chapter of this book is also dedicated to describing
how high availability can be achieved for Sametime Meeting Services by using
the IBM Lotus Enterprise Meeting Server (EMS).
Finally, the following appendices deal with specific considerations for other
directories.
Appendix A, “Directory considerations for Active Directory” on page 751.
Appendix B, “Directory considerations for Domino LDAP” on page 799.
This chapter discusses the issues you should consider while planning your
Sametime deployment.
These seem like pretty basic questions, but they often get overlooked, or are not
properly considered until too late in the planning process. Throughout this book
we describe and make reference to our fictitious company ITSO Corp. We
introduced ITSO in Chapter 1, "Lotus Sametime 7.5.1 in the Enterprise" on
page 1, and continue to discuss the details of our company to better demonstrate
the reasons behind our deployment strategy. The examples we provide make it
easier to understand how this can be applied to many other types of
deployments.
Always keep the following sentence in mind when you are going through this
book, and even write it out on your whiteboard where everyone can see it: There
is no single best deployment option when it comes to Sametime. Why? Each
company has its own specific needs and business considerations. It is as simple
as that. Sametime is an extremely flexible product and offers many different
types of integration points. That flexibility makes the product both simple and
complex, often for exactly the same reasons. One useful way to get started is to
think in terms of what Sametime functions you will be supporting for your
deployment, and estimate the number of users that will need those functions at
any given time (concurrent usage).
For ITSO Corp, for example, we would look at this chart and go through the
following thought process in our planning stage.
By the nature of our business, we can expect that nearly all of our 120,000
employees are in the potential for Sametime usage. However, for our planning
We also want to think of the groups that would be the heaviest users of
Sametime chat and On-line Meetings. We expect that the sales team,
executives, and outside sales would fall into this category. Our help desk is also
using Sametime On-line Meetings to assist in working on many different types of
problems. If your help desk personnel are not already using Sametime in this
manner, start thinking about it now.
Therefore, our estimates of Sametime usage at ITSO Corp would look like
Table 2-2.

Table 2-2 Classifications of users - types and population within ITSO Corporation

ITSO Corp                                          Americas   Europe   Asia Pacific
Projected number of Basic Chat users
Projected number of Power Chat users
Projected peak concurrency of scheduled meetings       60        35        15
You will see later in this chapter that our Europe and Asia Pacific numbers will
need to be merged. We show the deployment option we chose, and how it works
for our current needs, and how this approach makes it very easy for us to scale
the deployment to support a larger capacity, as our company grows in both of
those regions.
Sametime does not use a peer-to-peer network model that some other
conference tools do, so all communications must be routed through a Sametime
Note that even low-speed connections function very well for online status and
text IM functions. Instant message data transmissions are usually measured in
mere bytes (far less than 1 K per message), and any lag encountered usually
occurs because of routing delays rather than the time required to actually
transmit the data.
At ITSO Corporation, the North American users and European users are mostly
using fast network connections, while Asia Pacific is connected via a relatively
slow connection (see Figure 2-1).
We also have a large group of users in the field. Sales personnel will often be
working from home offices, customer sites, or even Wi-Fi hot spots. Will this
work for Sametime? Of course. Our experience to date has shown that text IM is
the single most popular function of Sametime, and the lightest one in terms of
impact on your network. Therefore, you should have no reluctance to deploy IM
clients at the end of even the slowest network connection or for users on
wireless networks.
For meetings, the Sametime 7.5.1 Meeting Room Client (MRC) has been
improved to better handle slower connections. It does this in part by making
re-connection attempts behind the scenes, so that there is no need for an
interaction from the user, unless the re-connect fails three times in a row. During
It is also important to note that prioritizing Sametime traffic on your networks
can significantly improve performance for users who come across slow links or
already crowded connections. In a later section you will see which ports
Sametime uses. This information will be useful if you need to discuss
prioritization or firewall configurations with your network team.
2.3.2 Client PC
Desktops and mobile computers are the primary means that your users will use
to interact with the Sametime server. These machines need to have enough
power to support the demands placed on them by Sametime and any of the other
applications that are deployed for your users. If using Sametime Meetings, they
also need to download and execute the signed Java Applets. For the Meeting
Room Client (MRC), the user no longer has to have administrator rights to the
local machine. Many of the pop-up style windows have also been removed so
that the MRC is much easier to install and use for your end users.
The Sametime software and hardware requirements for the client PC are fairly
modest. But with the number of new features, functions, and other products that
your client machines may need to host, it is best to have machines that are
above the minimum system requirements. If you are planning to have A/V
integration or to make use of the many new plug-ins for the clients (in Sametime
7.5.1 or in Notes 8), you will find that 1 GB of RAM is closer to the practical
minimum for a good end-user experience. See 2.9, "Ports used by the
Sametime server" on page 70, for full system requirements. Also keep in
mind that the third-party plug-ins now available for Sametime 7.5 and
Sametime 7.5.1 may have separate recommendations posted by their vendors.
When planning for capacity of your Sametime environment, you must first decide
what functions the server will provide. Will the server be dedicated to a single
function or will the server be providing a combination of both Chat and Meeting
Services?
Another consideration when planning your Sametime environment for chat is the
usage patterns of your end users. Basic users who have a modest size buddylist
and utilize only the core chat functions of online awareness and chatting have
less of an impact on the Sametime server than an advanced user who, in
addition to the basic functions, will make frequent use of features such as
voice/video chat, file transfer, and inline images.
Be sure to consider how Sametime will be utilized when deciding how many
simultaneous chat connections you will plan to support on a single server.
When an end user creates a Sametime meeting, he or she chooses between
presentation mode and application sharing mode, and the tools that are chosen
have a direct impact on server capacity.
Tip: Be sure to educate your users about the available meeting modes and
the performance implications of their choices to ensure that they have the best
possible user experience.
For example, in your environment you may require only 20,000 basic
Sametime 7.5.1 connections for your chat users. Using the information in
Figure 2-1 on page 26, you can see that 20,000 users equals 20,000 points,
leaving 10,000 capacity points that can be used for additional client
connections or meeting users.
Keep in mind that these are guidelines to help you plan for capacity in your
environment. With capacity planning, you cannot simply set it and forget it. You
must monitor and continue to tune your environment to ensure that you are
achieving acceptable performance levels. In addition, these guidelines assume a
dedicated Sametime server. While it is possible to install Sametime on top of
other Domino servers (such as a mail or application server already installed), we
do not recommend this practice.
It goes without saying that a single Sametime server has no redundancy. If you
require high availability for your Chat or Meeting Services, you will have to plan
for chat clustering or Enterprise Meeting Servers (EMS). We discuss these
advanced topics later in this book. For chat clustering, see 4.3, “Deploy clustered
chat servers” on page 133. For EMS, see Chapter 10, “Enterprise Meeting
Server” on page 703.
When designing your Sametime infrastructure, you may decide to configure your
servers in a dedicated fashion, handling only chat or scheduled meetings, but not
both. By dedicating servers to a particular function, you can more accurately plan
for and scale the environment because the workload is consistent and
predictable.
For example, in your environment, you may require your Sametime environment
to support 30,000 chat connections and 1,000 concurrent meeting users. Rather
than having two individual full service Sametime servers to handle the planned
load, you could instead set up your servers to be dedicated to chat or meetings,
as shown in Figure 2-2.
[Figure 2-2: Server 1 dedicated as the Chat Server, Server 2 dedicated as the
Meeting Server.]
Consider this example: Let us suppose that you are planning a Sametime
environment for 20,000 7.5.1 users and a nominal amount of meetings. In the
United States (U.S.) you have roughly two-thirds of the population across 15
cities that are connected with high-speed connections. The remaining one-third
of the users reside in Asia Pacific (AP) with high-speed connections from their
home country to the AP hub site.
From a capacity standpoint, you could easily support this entire load on a single
server in the U.S., but in this configuration, 7,000 AP users would be required to
maintain individual chat and meeting connections across the WAN. In this
scenario, you may want to consider deploying a full Sametime server in AP
instead, as shown in Figure 2-3.
[Figure 2-3: Two full Sametime servers, one in the U.S. and one in AP. Each has
its own Instant Messaging users, Multiplexer, Community Services and Meeting
Services; the figure labels ports 1516 (multiplexer to Community Services),
1503 and 1352 on the links between the components.]
Positioning the Sametime servers this way allows the 7,000 AP users to connect
locally to server 2, thus condensing traffic between the regions over very few
TCP/IP connections.
The other benefit to this model is that it insulates the AP location from outages
that are caused by the Wide Area Network. In the event of a network outage
between the U.S. and AP, both sites would continue to have Sametime services,
although they would not have awareness between the regions. This model also
allows each region to be able to perform scheduled maintenance without
impacting the entire community.
[Figure: Two Sametime 7.5 servers, Server1 and Server2, each running Meeting
Services on Domino and linked to one another over ports 1503 and 1352.]
Meeting servers function a bit differently than Community Servers do. They can
be set up to be isolated or connected together depending on your business
requirements. Isolated servers are best for a group of users who rarely need to
collaborate with users outside of their group. Connecting servers together in a
fashion known as inviting gives you additional flexibility, allowing a meeting to be
dynamically shared across all meeting servers for access by a large population
across different locations. The invitation process can be configured for all
meetings or individually set at meeting creation time, as shown in Figure 2-5.
Using Meeting Services in this way allows you the flexibility to support both local
and global meetings and preserves the WAN bandwidth by providing a local
entry point to Meeting Services for all users.
Figure 2-6 A case where users are concentrated in three regional locations

[Figure 2-6: North America (13,000 users), Europe (10,000 users) and Asia
Pacific (7,000 users). Each region has its own Instant Messaging users,
Multiplexer, Community Services and Meeting Services; the figure labels ports
1516, 1503 and 1352 on the links between the sites.]
Each of these three sites operates a local Sametime server. They are linked
together via the WAN. Each server provides Sametime community and meeting
services for the local population, and relays any required connections or meeting
data over the WAN to remote users. Should a WAN link be broken, local services
would not be affected. Users would still have access to chat and meeting
services within their region. Any remote meeting attendees or chat sessions
would, of course, be lost until the links are re-established.
As you get into larger Sametime deployments, the options and setup naturally
grow more complex, but by keeping the essentials in mind, you should be able to
design a system that will fit your network’s strengths.
In an environment where the SA mux is broken out from the Sametime server, all
chat clients connect directly to the SA mux. The SA mux in turn connects to
Sametime over a single TCP/IP connection over port 1516. By handling the client
connections, the SA mux reduces the overall load on the Sametime server, which
allows for greater overall capacity, as you will see in the upcoming examples.
[Figure: Sametime MUX1 and Sametime MUX2, each connecting to the Sametime server (Multiplexer) over port 1516]
Using SA muxes with Sametime has several benefits for large communities, but
the most notable is one of capacity. Earlier we said that a single dedicated
Sametime server can provide sufficient capacity to support chat for between
25,000 and 30,000 connections. When adding one or more SA muxes to the
environment, our formula changes. Because the SA mux only handles client
connections and none of the other Sametime services, it can handle significantly
more client connections (30,000–50,000).
Note: Sametime multiplexing services are transparent to the client PC. They
provide the active port for a client to connect to, and then channel the data
down a single IP port to the server. The servers still perform all community
and meeting services. If a server goes offline, the multiplexers can do nothing
on their own.
Note: Plan for no more than two SA muxes to a single Sametime server.
[Figure: instant messaging users connecting to a Sametime MUX, which connects over port 1516 to the Community Services on Sametime 7.5 Server 1; Meeting Services are also hosted on Server 1]
In Sametime, there are two primary methods for providing redundancy to your
Sametime environment: Community Services clustering and the Enterprise
Meeting Server.
Community Services clustering is a configuration option that allows the joining
of dedicated chat servers into a logical cluster for the purposes of providing
redundancy and scalability for Sametime instant messaging and presence
functionality.
The Enterprise Meeting Server (EMS) provides failover and load balancing for
the Sametime Meeting Services infrastructure. EMS is a separately
purchased product that runs on WebSphere Application Server. The EMS
and dedicated meeting or room Sametime servers operate together to
provide failover and load balancing for Sametime online meetings, including
screen-sharing/whiteboard meetings, interactive audio/video meetings, and
recorded meetings.
[Figure: Load Balancer in front of the EMS]
Note: Round-robin works by responding to DNS requests with a list of the chat
server IP addresses. It is not considered the best choice for load balancing
since it merely alternates the order of the addresses each time a query is
made. There is no consideration for the actual status of the back-end
Sametime server. If a server in the chat cluster goes down, the round-robin
DNS will continue to hand out the address, and clients will attempt to reach
the dead service.
For example, earlier we said that a single Sametime server can provide sufficient
capacity to support chat for between 25,000 and 30,000 connections. Without
redundancy, this could be handled with a single Sametime server. To add
redundancy for a user group of this size, you would add an additional chat
server, as shown in Figure 2-10, to ensure that adequate capacity is available in
the event of a server outage.
[Figure: instant messaging user connecting through a Load Balancer]
For example, let us assume that you are architecting a redundant Sametime
environment for chat only (no meetings) for approximately 100,000 total users.
Figure 2-11 shows an environment that can support your requirements. This is a
highly redundant architecture that could support 100,000 Sametime chat-only
users while sustaining a multiple service outage where both a SA mux and a chat
server were temporarily unavailable.
[Figure: instant messaging user connecting through a Load Balancer to the Community Services cluster]
The two-server chat cluster is front-ended with three SA muxes that will handle
the client connections. The servers are properly sized and dedicated to chat only
(no instant meetings). The environment can support 90,000–150,000 chat
You can see from this example that we have planned approximately one-third
more capacity than needed to ensure that the environment is highly available. By
using SA muxes in conjunction with Community Services clustering, Sametime
can easily be expanded to support a large number of users with multiple levels of
redundancy for high availability.
Figure 2-12 B2B instant messaging - connecting directly to the other company's Lotus Sametime Gateway
For communications with external contacts who do not have their own
organization's Sametime service, the recommended approach is for the
company to implement the Lotus Sametime Gateway and to direct external users
to make use of public instant messaging such as AOL Instant Messenger,
Yahoo!, or GoogleTalk. Sametime customers can use the AOL IM Clearinghouse
for federation with other enterprise IM users (see http://www.aol.com/aimpro).
This arrangement is depicted in Figure 2-13.
[Figures 2-13 and 2-14 diagrams: Company A internal Sametime 7.5 chat server and RTC community server behind the internal firewall; Lotus Sametime Gateway and SIP connector between the internal and external firewalls; external AOL Messenger, Yahoo! and GoogleTalk users on the Internet]
Figure 2-14 Online meetings and instant messaging - Sametime servers in the DMZ
Note: For additional security, consider housing the External LDAP directory in
the protected zone (Intranet) or optionally including another external firewall.
Finally, for organizations that wish to provide connectivity for their employees to
participate in instant messaging and online meetings via the Internet, the
recommended approach is to make use of a virtual private network (VPN)
and securely access their organization’s Sametime services as they would if
they were connecting via an internal network.
[Figure: primary and backup Load Balancers in front of Sametime muxes (MUX1, MUX3) and a two-server Sametime 7.5 cluster (ST CLUSTER) with its Directory; a second pair of primary and backup Load Balancers in front of an ST 7.5 Meeting Server]
Advantages
This is the most secure option for external meeting services, as there is no
external access to the internal corporate directory.
[Figure 2-16 diagram: ST 7.5 Meeting Server]
Figure 2-16 Separate external Sametime Meeting environment in DMZ with selective directory replication
Advantages
Unlike the previous example, this solution avoids the issue of internal users
being required to have two identities (internal and external). Directory records
for the selected internal users are replicated through the internal firewall to
the replica directory in the DMZ.
[Figure 2-17 diagram: internal and external ST 7.5 Meeting Servers linked using the invited meeting server model, each with its own Directory]
Figure 2-17 Internal and external meeting servers using invited meeting server model and separate directories
Advantages
This avoids the issue of internal users being required to have two identities
(internal and external) and avoids the necessity to establish and maintain
selective replication between internal and external directory replicas.
Disadvantages
The main disadvantage of this approach is the administrative overhead that is
necessary to manage two Sametime meeting server communities and two
separate directories.
[Figure 2-18 diagram: external ST Meeting Server behind a Reverse Proxy]
Figure 2-18 Isolated external Sametime meeting environment and using reverse proxy access
Advantages
It is secure because there is no external access to the internal corporate
directory.
It reduces the number of ports required to be open on the external firewall. It
allows access to clients from external communities where client connectivity
is restricted to TCP/IP port 80 traffic.
Disadvantages
The reverse proxy is Sametime's worst-performing connectivity method
(HTTP polling). Reverse proxies introduce very significant latency. If the client
has to negotiate a proxy on its side then performance may drop to a
near-unusable level. This solution may not scale up.
[Figure 2-19 diagram: external ST Meeting Server behind a Reverse Proxy, with selective replication of internal users to the external directory]
Figure 2-19 Separate external Sametime meeting server with selective directory replication and using reverse proxy access
Advantages
Reverse proxy reduces the number of ports required to be open on the
external firewall and allows access to clients from external communities
where client connectivity is restricted to TCP/IP port 80 traffic.
[Figure 2-20 diagram: internal and external ST Meeting Servers linked using the invited meeting server model, with the external server behind a Reverse Proxy]
Figure 2-20 Separate external Sametime meeting server using invited meeting server model with separate directories and using reverse proxy access
ITSO Corp. planned Sametime Services for its global user population of 120,000
users across three regions (U.S. - 75,000, EMEA - 30,000, and AP - 15,000).
ITSO Corp. required an infrastructure that could support both instant messaging
and scheduled meetings across all regions. Instant messaging should be highly
available and be able to withstand a multi-system failure. Finally, ITSO Corp.
planned the infrastructure to support the current needs of today with ample
headroom in the configuration for growth over the next few years.
[Figure: per-region Community Services, each behind primary and backup Load Balancers; Directory services with LDAP Server 1 and LDAP Server 2 per region, kept in step by LDAP Replication; Meeting Services per region]
The server hardware supporting community services for ITSO Corp. across the
regions is roughly similar. Three standalone multiplexors were used in the U.S.
to support the 75,000 users with ample headroom for failover and growth. Two
standalone multiplexors were used in both EMEA and AP, primarily for
redundancy. A single multiplexor in each location could have easily handled the
existing client load but would lack the headroom required for automatic failover
as well as future growth.
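The sizing rules from the SA mux and redundancy discussion earlier in this chapter, together with the ITSO Corp. regional counts just described, as an added example that is not the book's or IBM's code. It encodes three rules stated on these pages: a standalone mux carries 30,000 to 50,000 client connections, no more than two SA muxes should front a single Sametime server, and a redundant design must still carry every user with one mux and one chat server down at the same time. The per-mux figure is a parameter; the default uses the high end of the range, and the low end is the conservative choice that yields more muxes. The function names and the degraded-state check are assumptions of this example.

```python
"""Sizing an SA-mux front-ended Community Services cluster.

Added example, not IBM/Sametime code. Encodes three rules from this chapter:
a standalone mux carries 30,000 to 50,000 client connections, plan no more
than two SA muxes per Sametime server, and a redundant design must survive
the loss of one mux and one chat server at the same time."""
import math

MUX_CAPACITY_LOW = 30_000    # connections per SA mux, low end of the range given
MUX_CAPACITY_HIGH = 50_000   # high end of the range given
MAX_MUX_PER_SERVER = 2       # "no more than two SA muxes to a single Sametime server"


def survives_outage(users, muxes, servers, mux_capacity,
                    lost_muxes=1, lost_servers=1):
    """True if the surviving muxes and servers still carry every user and the
    mux-per-server guidance still holds in the degraded state."""
    live_muxes = muxes - lost_muxes
    live_servers = servers - lost_servers
    if live_muxes < 1 or live_servers < 1:
        return False
    if live_muxes * mux_capacity < users:
        return False
    return live_muxes <= MAX_MUX_PER_SERVER * live_servers


def plan_community_cluster(users, mux_capacity=MUX_CAPACITY_HIGH, spare_muxes=1):
    """Smallest (muxes, servers) pair that meets the rules above."""
    # enough muxes for the population, plus spares that may fail
    muxes = math.ceil(users / mux_capacity) + spare_muxes
    # a redundant cluster has at least two servers, and enough servers to
    # keep every mux within the two-per-server guidance
    servers = max(2, math.ceil(muxes / MAX_MUX_PER_SERVER))
    while not survives_outage(users, muxes, servers, mux_capacity):
        if (muxes - 1) * mux_capacity < users:
            muxes += 1       # degraded capacity is short: add a mux
        else:
            servers += 1     # degraded mux-to-server ratio too high: add a server
    return muxes, servers


def plan_regions(populations, mux_capacity=MUX_CAPACITY_HIGH):
    """Plan each region on its own, as the regional model in this chapter does."""
    return {region: plan_community_cluster(users, mux_capacity)
            for region, users in populations.items()}


if __name__ == "__main__":
    # Populations as stated for ITSO Corp. in this chapter.
    itso = {"U.S.": 75_000, "EMEA": 30_000, "AP": 15_000}
    for region, (muxes, servers) in plan_regions(itso).items():
        print(f"{region}: {muxes} SA muxes, {servers} chat servers")
```

With the 50,000-connection figure the planner returns three muxes and two servers for the U.S. and two muxes and two servers for EMEA and AP, which is the ITSO Corp. layout above; with the 30,000 figure the 100,000-user chat-only example grows to five muxes and three servers, which is the price of planning on the conservative end of the range.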
[Figure: instant messaging user connecting through primary and backup Load Balancers to the ST CLUSTER, with a second pair of primary and backup Load Balancers behind it]
Sametime 7.5.1 testing was done with the following directory servers:
IBM Directory Server V5.1, V5.2
Tivoli Directory Server V6.0
Lotus Domino V6.5.x - Native
Lotus Domino V7.0.x - Native
Lotus Domino V6.5.x - LDAP server
Lotus Domino V7.0.x - LDAP server
Microsoft Active Directory® 2003, except i5/OS®
Sun ONE Directory 5 (iPlanet 5.1, 5.2), except i5/OS
Sametime also supports any V3-compliant LDAP Directory Server. Refer to RFC
2251 - Lightweight Directory Access Protocol (v3) for more information.
Each of the above applications utilize one or more directories. In the ideal world it
would be nice if all the applications that need to collaborate used the same
There is one rule to whatever directory you chose: namely, both QuickPlace and
Sametime must use the same directory for Chat and Meeting Services.
Authentication
When Sametime needs to know who you are, it asks you to log in with your name
and password. This is called being challenged for credentials. Once your name
and password are entered, Sametime queries the directory to obtain the user
objects that match the name entered. For each user object returned, Sametime
attempts to determine whether the password entered matches. How it does this
depends on whether Sametime is using an LDAP Directory Server or native
Domino. Once the password matches you are authenticated. If there is no match
you will be challenged again to enter credentials.
Authorization
Once authenticated, Sametime may need to determine whether you are
authorized to perform the task you are trying to do. This consists of getting your
unambiguous name and any groups you belong to. It then checks either the
Searching
Searching consists of looking up objects to get their unique names and the
attribute values associated with them. Searching occurs during the authentication
phase as well as the authorization phase. It also occurs once you are authenticated
and authorized, to get additional attribute values depending on which Sametime
components you are using.
The collection of objects and their respective attributes is called the schema.
Schema can be extended to include additional attributes. We discuss schemas
and extending schema in Chapter 5, “Deployment phase I - implementing
Meeting Services” on page 281.
Group considerations
Sametime, as well as all applications based on Sametime technology, often uses
groups within a directory. A group is an object that contains a list of members. So
in Sametime you can add a directory group as a single entry in your buddy list and
then the group is expandable to show the members. This is clearly much more
desirable than explicitly adding all the members. Similarly, when using the
Meeting Service it is nice to be able to restrict the meeting to a group or groups.
There are some things you need to consider when using groups. During the
authorization process Sametime queries the directory to find all groups that the
authenticated user belongs to. If the authenticated user is a member of a large
number of groups and nested groups are being used, another search is
conducted to identify which sub-groups containing the authenticated user are
associated with the parent group. This happens again and again until all of the
searches return no results.
So you can see that there could be performance considerations when using
groups and nested groups. We discuss groups in more detail in Chapter 5,
“Deployment phase I - implementing Meeting Services” on page 281.
2.7.5 Security
There are several things that you need to consider when it comes to security:
What information do you want to be visible on the Internet?
What information do you want to be visible on the intranet?
Are you encrypting the information being transmitted over the wire?
Who is accessing the directory, servers, or clients (and most likely all)?
Windows platform
Video requirements | Video card installed. The setting must be higher than 256 colors. | Video card installed. The setting must be higher than 256 colors. Recommended video display color setting is 16-bit color.
AIX platform
Video requirements | Video card installed. The setting must be higher than 256 colors. | Video card installed. The setting must be higher than 256 colors. Recommended video display color setting is 16-bit color.
i5/OS
CPU | IBM eServer iSeries, IBM eServer i5, or IBM System i5 server models capable of running IBM i5/OS V5R3. | IBM eServer iSeries, IBM eServer i5, or IBM System i5 server models capable of running IBM i5/OS V5R3.
Swap | |
Video requirements | |
Solaris
Video requirements | The setting must be higher than 256 colors. | Video card installed. The setting must be higher than 256 colors. Recommended video display color setting is 16-bit color.
Linux x86
CPU | Intel Pentium III 800 MHz. | Four 2 GHz or better CPUs (4 cores total).
Video requirements | The setting must be higher than 256 colors. | Video card installed. The setting must be higher than 256 colors. Recommended video display color setting is 16-bit color.
Windows/Linux platforms
Macintosh
Video requirements | Higher than 256 colors required by Tiger | Higher than 256 colors required by Tiger
a. This is Java 1.5 and may have already been acquired through the MacOS auto
update. It is also available at:
http://developer.apple.com/java/download/SWT
Compatibility Libraries for J2SE 5.0 Release 4. These are available through
http://developer.apple.com/ for people registered on the Apple Developer site.
Log in and select Downloads → Java from the menu on the right. Java for Mac
OS X 10.4, Release 5 Developer Preview 2.
Windows
Linux
Mozilla 1.7.12 on RedHat Enterprise Linux 4.0, and Novell Linux Desktop 9.0
Firefox 1.5 on RedHat Enterprise Linux 4.0, SUSE Linux Enterprise Desktop 10
Firefox 2.0
Client JDK/JRE:
IBM or Sun JRE 1.4.2 and 1.5 for Web conferencing - RedHat Enterprise Linux 4.0
and Novell Linux Desktop 9.0
Macintosh
Important: Both the Solaris and Linux platforms require a hotfix for correct
operation. Reference SPR #IDEA6W6SSS for Solaris and IDEA6ZRNYB for
Linux when calling support.
Windows platform
CPU | Single Intel Pentium III 800 MHz or higher | Two 2 GHz or better CPUs (2 cores total)
Memory | 1 GB | 2 GB recommended
AIX platform
Memory | 1 GB | 2 GB recommended
Solaris
Linux x86
CPU | Intel Pentium III 800 MHz | Two 2 GHz or better CPUs (2 cores total)
Table 2-7 Ports used by Sametime HTTP, Domino Application, and LDAP Services
Default port Purpose
Port 389 If you configure the Sametime server to connect to an LDAP server,
the Sametime server connects to the LDAP server on this port.
Port 443 The Domino HTTP server listens for HTTPS connections on this port
by default. This port is used only if you have set up the Domino HTTP
server to use Secure Sockets Layer (SSL) for Web browser
connections.
Port 1352 The Domino server on which Sametime is installed listens for
connections from Notes clients and Domino servers on this port.
Port 9092 The Event Server port on the Sametime server is used for
intraserver connections between Sametime components. This port
cannot be used by other applications on the server.
Port 9094 The Token Server port on the Sametime server is used for
intraserver connections between Sametime components. This port
cannot be used by other applications on the server.
Port 1516 The Community Services listen for direct TCP/IP connections from
the Community Services of other Sametime servers on this port. If
you have installed multiple Sametime servers, this port must be open
for presence, chat, and other Community Services data to pass
between the servers.
The communications that occur on port 1516 also enable one
Sametime server to start a meeting on another server (or invite the
other server to the meeting).
Port 1533 The Community Services listen for direct TCP/IP connections and
HTTP-tunneled connections from the Community Services clients
(such as Sametime Connect and Sametime Meeting Room Clients)
on this port.
Note that the term direct TCP/IP connection means that the
Sametime client uses a unique Sametime protocol over TCP/IP to
establish a connection with the Community Services.
The Community Services also listen for HTTPS connections from the
Community Services clients on this port by default. The Community
Services clients attempt HTTPS connections when accessing the
Sametime server through an HTTPS proxy server. If a Community
Services client connects to the Sametime server using HTTPS, the
data on this connection is not encrypted.
Port 8082 When HTTP tunneling support is enabled, the Community Services
clients can make HTTP-tunneled connections to the Community
Services multiplexer on port 8082 by default. Community Services
clients can make HTTP-tunneled connections on both ports 80 and
8082 by default.
Port 8082 ensures backward compatibility with previous Sametime
releases. In previous releases, Sametime clients made
HTTP-tunneled connections to the Community Services only on port
8082. If a Sametime Connect client from a previous Sametime
release attempts an HTTP-tunneled connection to a Sametime 7.5.1
server, the client might attempt this connection on port 8082.
Port 8081 The Meeting Services listen for Sametime protocol over TCP/IP
connections from the Sametime Meeting Room Client on this port.
The screen-sharing, whiteboard, send Web page, and
question-and-answer polling components of the Sametime Meeting
Room Client exchange data with the server over this connection.
For AIX/Solaris, if you are specifying a DNS name for the host name
in “Address for client connections” and in “Address for
HTTP-tunneled client connections,” you must specify a dotted IPv4
address that your fully qualified domain name resolves to.
Steps: Start the Sametime server, log in, and click Administer the
server. Choose Configuration → Connectivity. Enter the dotted IPv4
address in the corresponding text fields.
The Meeting Room Client can make the TCP/IP connection directly
to the Meeting Services or through a SOCKS proxy server.
Note that the term direct TCP/IP connection means that the
Sametime client uses a unique Sametime protocol operating over
TCP/IP to establish a connection with the Meeting Services.
Port 1503 The Meeting Services listen for T.120 connections from the Meeting
Services of other Sametime servers on this port. If you have installed
multiple Sametime servers, this port must be open between the two
servers for the servers to exchange screen-sharing, whiteboard, and
other Meeting Services data.
Port 554 The Recorded Meeting Broadcast Services listen for Real-Time
Streaming Protocol (RTSP) call control connections over TCP/IP on
this TCP/IP port. (RTSP uses TCP as the transport service.) The
Recorded Meeting client can make the RTSP TCP/IP connection
directly to the Recorded Meeting Broadcast Services or through a
SOCKS proxy server. This port is specific to AIX/Solaris. By default,
the Broadcast server will bind only to a single IP address and port. If
multiple IP addresses resolve to the same DNS name, then you will
need to configure a specific IPv4 dotted IP address to use.
Dynamic UDP ports The Recorded Meeting Broadcast Services stream meeting data in
RTP format from the server to the client over UDP ports. The specific
UDP ports are chosen randomly by the Recorded Meeting client and
cannot be controlled by the administrator.
Note that the Recorded Meeting Broadcast Services can also stream
audio and video data to Recorded Meeting clients. A meeting might
include three separate streams (one each for audio, video, and
screen-sharing/whiteboard data). If the client or server network, or
any network between the Sametime server and the client, does not
allow UDP traffic, the Recorded Meeting Broadcast Services tunnels
the streamed data over the initial RTSP TCP/IP control connection
that occurs on port 554.
Port 8083 The Recorded Meeting Broadcast Services use this port for internal
control connections between Recorded Meeting Broadcast Services
components. You should change this port only if another application
on the Sametime server is using port 8083.
1–65535 (UDP ports for multicast) The Recorded Meeting Broadcast Services can take advantage of
the bandwidth efficiency provided by multicast-enabled networks. If
your network supports multicast, the Recorded Meeting Broadcast
Services transmit multicast data over UDP ports within the 1 to 65535
range.
49252–65535 (dynamic UDP port range) The Sametime Audio/Video Services listen for inbound audio and
video streams from Sametime Meeting Room Clients on a range of
UDP ports specified by the administrator. The UDP ports are selected
by the Sametime Audio/Video Services dynamically from within the
range of ports specified by the administrator.
Port 8084 If UDP is unavailable between a Sametime Meeting Room Client and
a Sametime server, Sametime uses this TCP port when attempting
to tunnel the RTP audio and video streams using the TCP transport.
Port 9093 The Interactive Audio/Video Services use this port for internal control
connections between Interactive Audio/Video Services components.
You should change this port only if another application on the
Sametime server is using port 9093.
For more information about ports used by the Sametime server Services, see the
Sametime 7.5.1 Administrator's Guide:
http://www-10.lotus.com/ldd/notesua.nsf/find/sametime
Note: If you are using a different LDAP Directory than IBM Tivoli Directory
Server, namely Active Directory or Domino LDAP, refer to one of the following
appendices:
Appendix A, “Directory considerations for Active Directory” on page 751
Appendix B, “Directory considerations for Domino LDAP” on page 799
Information describing the various users, applications, files, printers, and other
resources accessible from a network is often collected into a special database
that is sometimes called a directory. As the number of different networks and
applications has grown, the number of specialized directories of information has
also grown. This growth results in islands of information that are difficult to share
and manage. If all of this information could be maintained and accessed in a
consistent and controlled manner, it would provide a focal point for integrating a
distributed environment into a consistent and seamless system.
LDAP is an open industry standard that has evolved to meet these needs. LDAP
defines a standard method for accessing and updating information in a directory.
LDAP is gaining wide acceptance as the directory access method of the Internet
and is therefore also becoming strategic within corporate intranets. It is being
supported by a growing number of software vendors and is being increasingly
incorporated into applications. For example, the two most popular Web
browsers, Netscape Navigator/Communicator and Microsoft Internet Explorer,
support LDAP as a base feature.
The terms white pages and yellow pages are sometimes used to describe how a
directory is used. If the name of an object (such as a person or printer) is known,
its characteristics (such as phone number or pages per minute) can be retrieved.
This is similar to looking up a name in the white pages of a telephone directory. If
the name of a particular individual object is not known, the directory can be
searched for a list of objects that meet a certain requirement. This is like looking
up a listing of hairdressers in the yellow pages of a telephone directory.
However, directories stored on a computer are much more flexible than the
yellow pages of a telephone directory because they can usually be searched by
specific criteria, not just by a predefined set of categories.
Because directories must be able to support high volumes of read requests, they
are typically optimized for read access. Write access might be limited to system
administrators or to the owner of each piece of information. A general-purpose
database, on the other hand, needs to support applications, such as airline
reservations and banking applications, with relatively high-update volumes.
Because directories are meant to store relatively static information and are
optimized for that purpose, they are not appropriate for storing information that
changes rapidly. For example, the number of jobs currently in a print queue
probably should not be stored in the directory entry for a printer because that
information would have to be updated frequently to be accurate. Instead, the
directory entry for the printer can contain the network address of a print server.
The print server can be queried to get the current queue length if desired. The
Each object class has mandatory and optional attributes. Examples of some
common attributes are:
cn - common name
givenname - first name
sn - last name
uid - user ID
The collection of objects and their respective attributes is called the schema. The
schema can be extended to include additional objects and attributes. We discuss
schemas and extending schema to include additional attributes in the following
sections:
“Schema” on page 111
“Extending the LDAP schema” on page 115
Sametime 7.5.1 testing was done with the following directory servers:
IBM Directory Server V5.1, V5.2
Tivoli Directory Server V6.0
Lotus Domino V6.5.x - Native
Lotus Domino V7.0.x - Native
Lotus Domino V6.5.x - LDAP server
Lotus Domino V7.0.x - LDAP server
Microsoft Active Directory 2003, except i5/OS
Sun ONE Directory 5 (iPlanet 5.1, 5.2), except i5/OS
Sametime also supports any V3-compliant LDAP Directory Server. Refer to RFC
2251 - Lightweight Directory Access Protocol (v3) for more information.
Each of the above applications utilizes one or more directories. In an ideal world
it would be nice if all the applications that needed to collaborate used the same
directory type. This clearly would be recommended if you are building your entire
infrastructure from scratch. The reality is that the world is not so simple, and
there may already be more than one type of application and directory deployed.
Authentication
When Sametime needs to know who you are, it asks you to log in with your name
and password. This is called being challenged for credentials. Once your name
and password are entered, Sametime queries the directory to obtain the user
objects that match the name entered. For each user object returned, Sametime
attempts to determine whether the password entered matches. How it does this
depends on whether Sametime is using an LDAP Directory Server or a native
Domino directory. Once the password matches for a returned user object you are
authenticated. If there is no match you will be challenged again to enter
credentials.
Authorization
Once authenticated, Sametime may need to determine if you are authorized to
perform the task you are trying to do. This consists of getting your unambiguous
name and any groups you belong to. It then checks either the policies or the ACL
of the resource. If you are not authorized, an error is displayed telling you that you
are not authorized.
Searching
Searching consists of looking up objects to get their unique names and the
attribute values associated with them. Searching occurs during the authentication
phase as well as the authorization phase. It also occurs once authenticated and authorized to get
There are some things you need to consider when using groups. During the
authorization process Sametime queries the directory to find all groups the
authenticated user belongs to. If that user belongs to a large number of groups
and nested groups are being used, each group that the authenticated user
belongs to produces another search to find out which groups that group belongs to.
This happens again and again until all the searches return no results.
So you can see that there could be performance considerations when using
groups and nested groups. We discuss groups in more detail in Chapter 5,
“Deployment phase I - implementing Meeting Services” on page 281.
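The lookup sequence described under Authentication, Authorization, Searching and the group considerations, both here and in the matching section of the previous chapter, as an added example that is not Sametime's or IBM's code. It runs the name search of the authentication step and the repeated "which groups contain this entry" search of the authorization step against a small in-memory directory, counting the searches so the cost of nested groups is visible. The LDIF fragment is constructed for the example and modelled on the dc=itso,dc=com layout used later in this chapter; the groups Field Staff and All Employees, and the deliberately circular membership of All Employees, are assumptions added to exercise the walk. The `seen` set that stops the walk on circular membership is also this example's own guard; the book only says the search repeats until no results are returned, and this example makes no claim about how Sametime itself handles such a loop.

```python
"""Directory lookups behind a Sametime logon: name search, then nested-group
expansion for authorization. Added example, not IBM/Sametime code. The LDIF
below is constructed; 'Field Staff', 'All Employees' and the circular
membership of 'All Employees' are assumptions made to exercise the walk."""
import re
from collections import deque

SAMPLE_LDIF = """\
dn: uid=sshepherd,cn=users,dc=itso,dc=com
objectclass: inetOrgPerson
cn: Stephen Shepherd
uid: sshepherd

dn: uid=cprice,cn=users,dc=itso,dc=com
objectclass: inetOrgPerson
cn: Charles Price
uid: cprice

dn: cn=Sales,cn=groups,dc=itso,dc=com
objectclass: groupOfUniqueNames
cn: Sales
uniquemember: uid=sshepherd,cn=users,dc=itso,dc=com
uniquemember: uid=cprice,cn=users,dc=itso,dc=com

dn: cn=Field Staff,cn=groups,dc=itso,dc=com
objectclass: groupOfUniqueNames
cn: Field Staff
uniquemember: cn=Sales,cn=groups,dc=itso,dc=com

dn: cn=All Employees,cn=groups,dc=itso,dc=com
objectclass: groupOfUniqueNames
cn: All Employees
uniquemember: cn=Field Staff,cn=groups,dc=itso,dc=com
uniquemember: cn=All Employees,cn=groups,dc=itso,dc=com
"""


def normalize_dn(dn):
    """Case-fold and strip blanks around commas so DN comparisons are exact."""
    return ",".join(part.strip().lower() for part in dn.split(","))


def parse_ldif(text):
    """Minimal LDIF reader: {normalized dn: {attribute: [values]}}."""
    entries = {}
    for block in re.split(r"\n\s*\n", text.strip()):
        attrs = {}
        for line in block.splitlines():
            name, _, value = line.partition(":")
            attrs.setdefault(name.strip().lower(), []).append(value.strip())
        entries[normalize_dn(attrs.pop("dn")[0])] = attrs
    return entries


def has_class(attrs, object_class):
    return any(v.lower() == object_class for v in attrs.get("objectclass", []))


class Directory:
    """In-memory stand-in for the LDAP server; counts the searches issued."""

    def __init__(self, ldif_text):
        self.entries = parse_ldif(ldif_text)
        self.searches = 0

    def search(self, predicate):
        self.searches += 1
        return [dn for dn, attrs in self.entries.items() if predicate(attrs)]

    def find_user_objects(self, name):
        """Authentication step: every person entry whose uid or cn matches the
        name typed at the logon prompt (a name may match more than one)."""
        wanted = name.lower()
        return self.search(lambda a: has_class(a, "inetorgperson") and any(
            v.lower() == wanted for v in a.get("uid", []) + a.get("cn", [])))

    def groups_containing(self, member_dn):
        """One search: (&(objectclass=groupOfUniqueNames)(uniquemember=<dn>))."""
        member_dn = normalize_dn(member_dn)
        return self.search(lambda a: has_class(a, "groupofuniquenames") and
                           member_dn in (normalize_dn(v) for v in a.get("uniquemember", [])))


def resolve_groups(directory, user_dn):
    """Authorization step: one search per entry found, repeated until no search
    returns a group not already seen. 'seen' is the loop guard for circular
    membership (this example's assumption, not a statement about Sametime)."""
    seen = set()
    queue = deque([normalize_dn(user_dn)])
    while queue:
        for group in directory.groups_containing(queue.popleft()):
            if group not in seen:
                seen.add(group)
                queue.append(group)
    return sorted(seen)


def is_authorized(directory, user_dn, allowed_dns):
    """ACL check: the user DN itself or any group resolved for the user is allowed."""
    allowed = {normalize_dn(d) for d in allowed_dns}
    if normalize_dn(user_dn) in allowed:
        return True
    return any(g in allowed for g in resolve_groups(directory, user_dn))


if __name__ == "__main__":
    d = Directory(SAMPLE_LDIF)
    users = d.find_user_objects("sshepherd")
    groups = resolve_groups(d, users[0])
    print(users, groups, d.searches)  # one name search plus one search per hop
```

For sshepherd the walk costs one search for the user's direct groups and one more for every group found, four searches in total for three groups, and the self-referencing All Employees group is visited only once. Every extra nesting level adds a search per group at that level, which is the performance point the text makes.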
3.2.5 Security
There are several things you need to consider when it comes to security:
What information do you want to be visible from the Internet?
What information do you want to be visible from the intranet?
Are you encrypting the information being transmitted over the wire?
Who is accessing the directory, servers, or clients (most likely all)?
http://publib.boulder.ibm.com/infocenter/tivihelp/v2r1/index.jsp?toc=/com.ibm.IBMDS.doc/toc.xml
We now install Tivoli Directory Server Version 6.0. Refer to the appendices for
Microsoft Active Directory and Domino LDAP information (Appendix A, “Directory
considerations for Active Directory” on page 751, and Appendix B, “Directory
considerations for Domino LDAP” on page 799).
10.Click the Create button to create the Directory Server instance (Figure 3-8).
12.Enter the user name, installation location, encryption string, and an instance
description. The user name is a user account and must exist, and that
account has to be a member of the administration group. See Figure 3-10.
16.Enter the Administrator’s distinguished name (DN) and password. Make sure
that the DN is entered in LDAP DN format. Click Next to continue. See
Figure 3-14.
18.Choose the location and accept the character set. Click Next to continue. See
Figure 3-16.
2. Locate the two services mentioned above, and if they are not started, right-click and
choose Start.
3. Now start the embedded WebSphere Application server. Open a command
prompt window and navigate to the bin directory under the appsrv
subdirectory (that is, c:\IBM\LDAP\appsrv\bin).
5. Open a Web browser and enter the URL and press Enter.
In the case of our environment, the URL to the Web admin tool is:
http://tds.cam.itso.ibm.com:12100/IDSWebApp/IDSjsp/Login.jsp
11. Select Logout in the left-hand navigation pane and return to the Web
Administration login page.
Figure (ITSO Corp. directory tree, as laid out in the diagram):
Domain suffix: dc=itso,dc=com (objectclass=domain)
  cn=users (objectClass=container)
    uid=jbergland (objectClass=inetOrgPerson)
    uid=jwales (objectClass=inetOrgPerson)
  cn=groups (objectClass=container)
    cn=Sales (objectclass: groupOfUniqueNames)
      uniquemember: uid=sshepherd,cn=users,dc=itso,dc=com
      uniquemember: uid=cprice,cn=users,dc=itso,dc=com
3.6 Suffixes
Before any information can be added to the Tivoli Directory Server at least one
suffix must be defined. A suffix (also known as a naming context) is a DN that
identifies the top entry in a locally held directory hierarchy. Because of the
relative naming scheme used in LDAP, this DN is also the suffix of every other
entry within that directory hierarchy. A Directory Server can have multiple
suffixes, each identifying a locally held directory hierarchy, for example,
Adding a suffix
To add the base suffix:
1. Using the Directory Server Web Administration Tool, pull down the list in the
LDAP hostname field, select the Directory Server instance, and enter the
Administrator's LDAP DN in the username field and the corresponding password,
as shown in Figure 3-28.
4. Enter the suffix and then scroll down and click the Add button.
5. Restart the Directory Server.
dn: cn=users,dc=itso,dc=com
cn: users
objectClass: container
objectClass: top

dn: cn=groups,dc=itso,dc=com
cn: groups
objectClass: container
objectClass: top

dn: uid=sshepherd,cn=users,dc=itso,dc=com
objectclass: inetOrgPerson
objectclass: organizationalPerson
objectclass: person
objectclass: top
objectclass: ePerson
givenname: Stephen
sn: shepherd
cn: Stephen Shepherd
uid: sshepherd
userPassword: password

dn: uid=wpsadmin,cn=users,dc=itso,dc=com
objectclass: inetOrgPerson
objectclass: organizationalPerson
objectclass: person
objectclass: top
objectclass: ePerson
givenname: wps

dn: cn=wpsadmins,cn=groups,dc=itso,dc=com
objectclass: top
objectclass: groupOfUniqueNames
objectclass: ibm-appuuidaux
cn: wpsadmins
uniquemember: uid=wpsadmin,cn=users,dc=ibm,dc=com
3.8 Schema
All the objects and attributes with their characteristics are defined in schemas.
The schema specifies what can be stored in the directory. Schema-checking
ensures that all required attributes for an entry are present before an entry is
stored. Schema-checking also ensures that attributes not in the schema are not
stored in the entry. Optional attributes can be filled in at any time. A schema also
defines the following:
Inheritance
Subclassing of objects
Where in the DIT structure (hierarchy) objects may appear
Information about the IBM Tivoli Directory Server schema can be found at:
http://publib.boulder.ibm.com/tividd/td/IBMDS/IDSschema52/en_US/HTML/schema.html
It is beyond the scope of this document to discuss in detail the Tivoli Directory
Server schema, but we discuss groups (in particular, nested groups).
The TDS 6.0 Info Center was used as a basis for the following:
http://publib.boulder.ibm.com/infocenter/tivihelp/v2r1/index.jsp?toc=/com.ibm.IBMDS.doc/toc.xml
dn: cn=Level1,cn=groups,dc=itso,dc=com
objectclass: GroupofUniqueNames
objectclass: ibm-nestedGroup
objectclass: top
cn: Level1
description: Group composed of static and nested members
uniquemember: uid=sshepherd,cn=users,dc=itso,dc=com
uniquemember: uid=vrohatgi,cn=users,dc=itso,dc=com
ibm-memberGroup: cn=Level2,cn=groups,dc=itso,dc=com

dn: cn=level3,cn=groups,dc=itso,dc=com
objectclass: GroupofUniqueNames
objectclass: top
cn: Level3
uniquemember: uid=jbergland,cn=users,dc=itso,dc=com
uniquemember: uid=cprice,cn=users,dc=itso,dc=com
uniquemember: uid=jpuckett,cn=users,dc=itso,dc=com
To illustrate this further, look at the following two LDAP searches (Example 3-3 and
Example 3-4).
cn=Level1,cn=groups,dc=itso,dc=com
uniquemember=uid=sshepherd,cn=users,dc=itso,dc=com
uniquemember=uid=vrohatgi,cn=users,dc=itso,dc=com
If the search uses attribute ibm-allmembers, then all members including the
members of the nested groups are returned in one search, as shown in
Example 3-4.
cn=Level1,cn=groups,dc=itso,dc=com
ibm-allmembers=uid=sshepherd,cn=users,dc=itso,dc=com
ibm-allmembers=uid=vrohatgi,cn=users,dc=itso,dc=com
ibm-allmembers=uid=glambie,cn=users,dc=itso,dc=com
ibm-allmembers=uid=jwales,cn=users,dc=itso,dc=com
ibm-allmembers=uid=ahiggins,cn=users,dc=itso,dc=com
ibm-allmembers=uid=jbergland,cn=users,dc=itso,dc=com
ibm-allmembers=uid=cprice,cn=users,dc=itso,dc=com
ibm-allmembers=uid=jpuckett,cn=users,dc=itso,dc=com
When setting up Sametime, you can use ibm-allmembers as the attribute in the
group object class that has the names of the group members.
Another feature in the Tivoli Directory Server is the ability to get all the groups
that a particular user belongs to by using the ibm-allgroups attribute. Consider
the following groups (Example 3-5).
Example 3-5 LDIF nested groups to illustrate searching for attribute ibm-allgroups
dn: cn=Sales,cn=groups,dc=itso,dc=com
objectclass: GroupofUniqueNames
objectclass: ibm-nestedGroup
objectclass: top
cn: Sales
uniquemember: uid=sshepherd,cn=users,dc=itso,dc=com
uniquemember: uid=cprice,cn=users,dc=itso,dc=com

dn: cn=Marketing,cn=groups,dc=itso,dc=com
objectclass: GroupofUniqueNames
objectclass: ibm-nestedGroup
objectclass: top
cn: Marketing
uniquemember: uid=glambie,cn=users,dc=itso,dc=com
uniquemember: uid=jwales,cn=users,dc=itso,dc=com
uniquemember: uid=ahiggins,cn=users,dc=itso,dc=com
uid=sshepherd,cn=users,dc=itso,dc=com
ibm-allgroups=cn=Level1,cn=groups,dc=itso,dc=com
ibm-allgroups=cn=Sales,cn=groups,dc=itso,dc=com
ibm-allgroups=cn=Sales and Marketing,cn=groups,dc=itso,dc=com
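The cost difference between walking nested groups yourself and reading ibm-allmembers, as an added example that is not part of the Redbook: a small in-memory directory that counts one search per group read, expands ibm-memberGroup links recursively (stopping if two groups nest each other), and derives the ibm-allgroups view in reverse. The LDIF is constructed from the book's ITSO entries plus an assumed cn=Level2 group, which the page does not show, so that Level1 nests Level2 and Level2 nests Level3.

```python
# Added example, not from the Redbook: models the two membership lookups the
# text contrasts. Without ibm-allmembers a client must issue one search per
# group and follow ibm-memberGroup links itself; all_members() counts those
# searches. all_groups() is the equivalent of the ibm-allgroups attribute.
# The LDIF is constructed from the book's ITSO entries plus an assumed
# cn=Level2 group (not shown on the page) so that Level1 -> Level2 -> Level3.
from collections import defaultdict

SAMPLE_LDIF = """\
dn: cn=Level1,cn=groups,dc=itso,dc=com
objectclass: GroupofUniqueNames
objectclass: ibm-nestedGroup
cn: Level1
uniquemember: uid=sshepherd,cn=users,dc=itso,dc=com
uniquemember: uid=vrohatgi,cn=users,dc=itso,dc=com
ibm-memberGroup: cn=Level2,cn=groups,dc=itso,dc=com

dn: cn=Level2,cn=groups,dc=itso,dc=com
objectclass: GroupofUniqueNames
objectclass: ibm-nestedGroup
cn: Level2
uniquemember: uid=glambie,cn=users,dc=itso,dc=com
uniquemember: uid=jwales,cn=users,dc=itso,dc=com
uniquemember: uid=ahiggins,cn=users,dc=itso,dc=com
ibm-memberGroup: cn=Level3,cn=groups,dc=itso,dc=com

dn: cn=Level3,cn=groups,dc=itso,dc=com
objectclass: GroupofUniqueNames
cn: Level3
uniquemember: uid=jbergland,cn=users,dc=itso,dc=com
uniquemember: uid=cprice,cn=users,dc=itso,dc=com
uniquemember: uid=jpuckett,cn=users,dc=itso,dc=com

dn: cn=Sales,cn=groups,dc=itso,dc=com
objectclass: GroupofUniqueNames
objectclass: ibm-nestedGroup
cn: Sales
uniquemember: uid=sshepherd,cn=users,dc=itso,dc=com
uniquemember: uid=cprice,cn=users,dc=itso,dc=com
"""


def parse_ldif(text):
    """Parse blank-line separated LDIF entries into {dn_lower: {attr_lower: [values]}}."""
    entries = {}
    for block in text.strip().split("\n\n"):
        attrs = defaultdict(list)
        for line in block.splitlines():
            name, _, value = line.partition(":")
            attrs[name.strip().lower()].append(value.strip())
        entries[attrs["dn"][0].lower()] = attrs
    return entries


class Directory:
    """Tiny stand-in for TDS; every group entry read counts as one LDAP search."""

    def __init__(self, ldif_text):
        self.entries = parse_ldif(ldif_text)
        self.searches = 0

    def read(self, dn):
        self.searches += 1
        return self.entries.get(dn.lower())

    def all_members(self, group_dn):
        """Expand a group as a client without ibm-allmembers must: read the
        group, then read every group it names in ibm-memberGroup, and so on.
        The seen set ends the walk even if two groups nest each other."""
        members, seen, todo = [], set(), [group_dn.lower()]
        while todo:
            dn = todo.pop(0)
            if dn in seen:
                continue
            seen.add(dn)
            entry = self.read(dn)
            if entry is None:          # dangling ibm-memberGroup reference
                continue
            for member in entry.get("uniquemember", []):
                if member.lower() not in {m.lower() for m in members}:
                    members.append(member)
            todo.extend(g.lower() for g in entry.get("ibm-membergroup", []))
        return members

    def all_groups(self, user_dn):
        """Equivalent of ibm-allgroups: each group whose full expansion holds the user."""
        return sorted(
            e["dn"][0]
            for e in self.entries.values()
            if "groupofuniquenames" in {v.lower() for v in e["objectclass"]}
            and user_dn.lower() in {m.lower() for m in self.all_members(e["dn"][0])}
        )
```

Expanding Level1 this way costs three searches (Level1, Level2, Level3) and yields the same eight members that the single ibm-allmembers search in Example 3-4 returns.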
Sametime integration with an LDAP Directory Server requires you to modify the
schema if there is not an available attribute to use in your LDAP directory for the
home server. (Note that this is not necessary if the Domino LDAP server is being
used by Sametime.) The attributes that need to be added depend on what
additional applications are being deployed. We cover all the attributes that need
to be added to our Tivoli Directory Server LDAP schema.
Note: If you are using Domino LDAP, you do not need to add these attributes
to the LDAP schema.
4. You may need to scroll down. Click OK to add the SametimeServer attribute
to the schema.
7. Click Attributes in the left pane of the Edit object class frame (Figure 3-36).
Note: Do not add the attribute as a required attribute if the directory has
already been populated with inetOrgPerson objects, as this will cause a
schema violation.
9. This field now needs to be populated with the value specified in the cluster
name specified in the cluster information document in stconfig, as shown in
Figure 3-37.
14.Scroll down and click the OK button at the bottom of the frame.
TDS already supports the attributes mailfile and mailserver. These are optional
attributes for the eDominoAccount object. Therefore, you do not need to add
those attributes to the schema. All you have to do is add those attributes to the
inetOrgPerson object class.
1. Edit the inetOrgPerson object, as shown in Figure 3-35 on page 121.
2. Click Attributes, as shown in Figure 3-36 on page 121.
3. Find mailfile in the available attributes list and click Add to optional.
For now, we walk through building the community services portion of ITSO
Corp.’s base Sametime environment. Additionally, we address the issue of load
balancing.
Keep in mind that each enterprise has its own specific business requirements.
However, the basics of a Sametime infrastructure remain the same across all
types of environments. Sametime's basic building blocks, which we go into in
great detail, provide the best in terms of stability, availability, and scalability for
your collaboration infrastructure. Throughout this chapter we identify specific
points of interest that can be used for the decision-making process regarding
how to best optimize Sametime for your own environment.
[Figure: instant messaging users reach a load balancer in front of the ST cluster of two Sametime 7.5 servers (ports 1516 and 1352); three deployment stages, 1 clustered chat servers, 2 stand-alone MUX servers, 3 WebSphere Edge Load Balancer (Community Services); LDAP servers with LDAP replication; Meeting Services.]
Figure 4-3 Overall corporate Sametime global architecture for ITSO Corporation
To take advantage of these great benefits, we have to start from the beginning:
setting up the chat servers.
Section overview
In this section we describe the step-by-step process of setting up and deploying
the clustered Sametime servers for the ITSO Corporation’s chat environment.
The following steps are taken to set up ITSO Corporation’s clustered chat
servers:
1. Install/configure the first chat server.
2. Install/configure the second chat server.
3. Create a Domino cluster.
4. Create a Sametime cluster.
Install Domino
To install Lotus Domino on a Windows platform, follow these steps:
1. Run the install program (setup.exe), which is on the Domino server
installation CD.
2. On the Welcome to the InstallShield Wizard for Lotus Domino screen, click
Next.
3. On the Software License Agreement screen, select the I accept the terms in
the license agreement option and click Next.
Configure Domino
To configure Domino:
1. Select Start → Programs → Lotus Applications → Lotus Domino Server.
2. Select Start Domino as a Windows service and click OK (Figure 4-10).
5. On the Provide a server name and title screen, fill in the fields, as shown in
Table 4-1.
7. On the Choose your organization name screen, fill in the fields, as shown in
Table 4-2.
Organization password
Certifier Password
9. On the Choose the Domino domain name screen, enter the name for the
Domino domain and click Next to continue. (In general, the Domino domain
name is set to the same value as the Domino organization name. In our case,
it is ITSO.)
10.On the Specify an Administrator name and password screen, fill in the fields
as in Table 4-3.
Administrator password
password
13.On the "What Internet services should this Domino Server provide" screen, do
the following:
a. Check Web Browsers (HTTP services).
b. Uncheck Directory services (LDAP services).
14.Then click Customize and uncheck the following Domino server tasks:
– Mail Router
– Calendar Connector
– Schedule Manager
– DOLS Domino Off Line Services
– Rooms and Resources Manager
Tip: Only the following Domino server tasks should still be checked:
Database Replicator
Agent Manager
Administration Process
HTTP Server
Figure 4-15 What Internet services should this Domino server provide
Figure 4-17 The ping test should reply back with the correct IP
Make sure that you have an Internet password. You must have an Internet
password in order to access the Lotus Sametime components of the server
during installation.
Make sure that you know the name of the Domino server. If you do not know
the Domino server name, you can find it in the Server document. Verify that
the Domino server has a fully qualified host name, for example,
chat1.cam.itso.ibm.com.
Make sure that the client computers can ping the Sametime server using the
fully qualified name. This ensures that the computer is registered in DNS or
the name is in a hosts file. For example, from a command prompt execute the
following command:
ping sametime.itso.com
Make sure that you know the location of the Domino program and data
directories.
Install Sametime
To install Lotus Sametime on Microsoft Windows:
1. Shut down the Domino server.
2. Insert the Sametime installation CD. If the autorun program does not start, run
demo32.exe to start the installation program.
3. Select the language to install and click OK.
4. At the Welcome screen click Next.
5. Read and accept the license agreement and then click Next.
6. Select LDAP Directory and fill in the fields as shown in Table 4-4.
Note: For more information about HTTP tunneling see 7.6, “HTTP
tunneling” on page 609.
[Config]
SametimeCluster=CN=chat1/O=ITSO
SametimeDirectory=C:\Lotus\Domino\data
ConfigurationPort=80
ConfigurationHost=chat1.cam.itso.ibm.com
SametimeEventServerPort=9092
ConfigurationChangeListener.count=1
ConfigurationChangeListener.classname.1=com.lotus.sametime.configuration.EventPublisherConfigurationChangeListener
ConfigurationChangeNotifier.count=1
ConfigurationChangeNotifier.classname.1=com.lotus.sametime.configuration.EventListenerConfigurationChangeNotifier
Locale=en
Note: The Sametime servlets that will load on server startup are:
Domino Bootstrap Servlet
Domino Configuration Servlet
Access Control Servlet
Domino Admin XPath Request Servlet JAXP
MMAPI Servlet
Notes Calendar Servlet
File Upload Servlet
RAP File Servlet
Statistics Servlet
Conversion Servlet
Policy Servlet
Name Change Servlet
Meeting Servlet
Telephony Servlet
UserInfo Servlet
Configure Sametime
To configure Sametime:
1. Launch a Lotus Notes client and log in using the Sametime administrator ID.
Tab       Field           Value
Security  Administrators  LocalDomainAdmins
On this tab with a fresh install, you should only have one line item. The fields
and respective values are listed below.
Field     Value
Port      TCPIP
Protocol  TCP
Enabled   Enabled
Field Value
Ports/Internet ports
Anonymous.
Internet Protocols/HTTP
Access Manager
i. From the Notes menu bar, select File → Database → Access Control.
j. Verify that the administrative group (LocalDomainAdmins) is listed in the
ACL with manager access. If not, add the group as needed with the
settings given in Table 4-9.
Access Manager
Field         Value
Search order  1
Enabled       Yes
              LDAP
Hostname      tds.cam.itso.ibm.com
              Provide the host name of the LDAP server.
Username      cn=root
              Provide a valid LDAP account that will be used by Domino to bind to the
              LDAP server. This account will make requests on behalf of the Domino
              server to perform Web authentication.
Password      password
              The password for the account listed above.
18.When the Domino server is back up, we update Sametime’s LDAP settings
via the Sametime administration interface:
a. Launch an Internet browser and point it to:
http://chat1.cam.itso.ibm.com/stcenter.nsf
b. Click Administer the server.
c. Enter the user name and password for the LDAP account that you
specified in the LocalDomainAdmins group.
d. Expand LDAP Directory → Connectivity and fill in the fields as shown in
Table 4-11.
Port  389
Use SSL to authenticate and encrypt the connection between the Sametime
server and the LDAP server  (Leave blank for now)
Base Membership
k. Click Update.
l. Expand LDAP Directory → Group Contents and fill in the fields as
shown in Table 4-15.
m. Click Update.
Tip: This step provides the administrator with the ability to monitor the
Sametime Meeting server’s start up process. From a troubleshooting
perspective, we recommend enabling this. By allowing the service to
interact with the desktop, the next time the server is started, you will see
three console windows:
Lotus Domino server console
Sametime Meeting server console (../nstmeetingserver.exe)
This console window shows the startup process for the Sametime
Meeting server and its services.
Sametime Gateway service console (STGWService.exe)
This console window will appear but will remain blank. Do not close this
window because if you do it will terminate the process improperly. This
is not the same as the new 7.5.1 Sametime product known as
Sametime Gateway.
5. Using your favorite text editor, open the notes.ini configuration file located in
the Domino program directory (that is, c:\Lotus\Domino\notes.ini).
6. Add STAddin back to the ServerTasks notes.ini parameter and save the
notes.ini configuration file.
7. Start the Lotus Domino Server (LotusDominodata) service from the Windows
services panel.
8. As the Sametime server loads, you should expect to see three console
windows, as previously described. If you do not see three console windows,
then the Sametime Meeting services most likely failed to load. For more
information about how to resolve that, see the following technote:
http://www.ibm.com/support/docview.wss?rs=899&uid=swg21159758
9. Verify that all of the Sametime-related services are running:
a. Launch an Internet browser and direct it to:
http://chat1.cam.itso.ibm.com/
d. On the Server-Overview page, you will see a complete list of all the
Sametime services and their respective statuses. Verify that all of the
Sametime services are running.
Domino setup
In this section we discuss the Domino setup.
8. Enter the password for the certifier ID file and click OK.
10.On the Register Servers dialog window, confirm that the registration server
(chat1/ITSO) and certifier (/ITSO) are correct. Click Continue to proceed.
12.Click Set ID File and browse to the location of where the ID file should be
stored (that is, C:\Lotus\Domino\data\ids\servers\chat2.id).
You have successfully registered the second Sametime server. Proceed to the
next section.
Install Domino
To install Lotus Domino on a Windows platform, follow these steps:
1. Run the install program (setup.exe), which is on the Domino server
installation CD.
2. On the Welcome to the InstallShield Wizard for Lotus Domino screen, click
Next.
3. On the Software License Agreement screen, select the I accept the terms in
the license agreement option and click Next.
Configure Domino
To configure Domino:
1. Select Start → Programs → Lotus Applications → Lotus Domino Server.
2. Select Start Domino as a Windows service and click OK.
Figure 4-40 Where is the ID file for this additional Domino server?
6. On the Provide the registered name of this additional Domino server screen
click Next.
Tip: Only the following Domino server tasks should still be checked:
Database Replicator
Agent Manager
Administration Process
HTTP Server
Figure 4-41 What Internet services should this Domino server provide?
13.On the Specify the type of Domino directory for this server screen, select Set
up as a primary Domino Directory and click Next.
14.On the Secure your Domino Server screen, uncheck “Prohibit Anonymous
access to all databases and templates” and click Next.
15.On the Please review and confirm your chosen server setup options screen,
confirm the options you have selected and then click Setup to initiate the
Domino Server setup process.
16.Once completed, a Setup Summary screen will be displayed. Click Finish to
complete the setup process.
Important: The above steps are mandatory prior to installing Sametime. If the
Domino server is not properly initialized the Sametime installation could result
in a failure.
Figure 4-43 The ping test should reply back with the correct IP
c. In the same command prompt window, you should also enter the following
command and verify that your server is listening on the correct IP address:
ipconfig
2. Verify that the Domino HTTP server starts successfully.
Make sure that the Domino server has the HTTP server task enabled.
Make sure that you have an Internet password. You must have an Internet
password in order to access the Lotus Sametime components of the server
during installation.
Make sure that you know the name of the Domino server. If you do not know
the Domino server name, you can find it in the server document. Verify that
the Domino server has a fully qualified host name, for example
chat1.cam.itso.ibm.com.
Make sure that the client computers can ping the Sametime server using the
fully qualified name. This ensures that the computer is registered in DNS or
the name is in a hosts file. For example, from a command prompt execute the
following command:
ping sametime.itso.com
Make sure that you know the location of the Domino program and data
directories.
Install Sametime
To install Lotus Sametime on Microsoft Windows:
1. Shut down the Domino server.
2. Insert the Sametime installation CD. If the autorun program does not start, run
demo32.exe to start the installation program.
3. Select the language to install and click OK.
4. At the Welcome screen click Next.
5. Read and accept the license agreement and then click Next.
6. Select LDAP Directory and fill in the fields as shown in Table 4-18.
9. Leave the Enable HTTP tunneling field unchecked and click Next.
Note: For more information about HTTP tunneling see 7.6, "HTTP
tunneling" on page 609.
[Config]
SametimeCluster=CN=chat2/O=ITSO
SametimeDirectory=C:\Lotus\Domino\data
ConfigurationPort=80
ConfigurationHost=chat2.cam.itso.ibm.com
SametimeEventServerPort=9092
ConfigurationChangeListener.count=1
ConfigurationChangeListener.classname.1=com.lotus.sametime.configuration.EventPublisherConfigurationChangeListener
ConfigurationChangeNotifier.count=1
ConfigurationChangeNotifier.classname.1=com.lotus.sametime.configuration.EventListenerConfigurationChangeNotifier
Locale=en
Note: The Sametime servlets that will load on server startup are:
Domino Bootstrap Servlet
Domino Configuration Servlet
Access Control Servlet
Domino Admin XPath Request Servlet JAXP
MMAPI Servlet
Notes Calendar Servlet
File Upload Servlet
RAP File Servlet
Statistics Servlet
Conversion Servlet
Policy Servlet
Name Change Servlet
Meeting Servlet
Telephony Servlet
UserInfo Servlet
ii. Verify that the Domino HTTP server starts successfully. Launch an
Internet browser on the server machine and point it to the Domino
server (that is, http://chat2.cam.itso.ibm.com). You should see the
default Domino home page.
Configure Sametime
To configure Sametime:
1. Launch a Lotus Notes client and log in using the Sametime administrator’s ID.
Tab       Field           Value
Security  Administrators  LocalDomainAdmins

Field     Value
Port      TCPIP
Protocol  TCP
Enabled   Enabled
Field Value
Ports/Internet ports
Anonymous.
Internet Protocols/HTTP
10.From the action bar, click Keys → Create Domino SSO Key.
11.You will be prompted with a warning dialog with the following message:
This Web SSO Configuration has already been in initialized. Creating
new keys will overwrite existing SSO keys. Continue?
Click OK to continue.
13.Click Save & Close to save the LtpaToken Web SSO document.
14.Confirm administrative access to the Sametime server for the LDAP account
that will be used to administer the server.
a. Click the Groups view.
b. Double-click the LocalDomainAdmins group.
c. In the Members field, enter the distinguished name (DN) of the LDAP
account that will be used to administer the Sametime server. See
Table 4-7 on page 161 for examples on how to enter the DN into the
Members field.
Access Manager
i. From the Notes menu bar, select File → Database → Access Control.
Access Manager
Field         Value
Search order  1
Enabled       Yes
              LDAP
Hostname      tds.cam.itso.ibm.com
Username      cn=root
Password      password
Tip: Never use the restart server command to restart the Sametime
server. It does not provide enough time for all of the Sametime processes
to shut down cleanly before the Domino server attempts to start back up.
This can cause many problems that we would like to avoid. In order to
restart the Sametime server, we recommend splitting the process: 1) quit
the server first, and then 2) start it back up.
19.When the Domino server is back up, we update Sametime’s LDAP settings
via the Sametime administration interface.
a. Launch an Internet browser and point it to:
http://chat2.cam.itso.ibm.com/stcenter.nsf
b. Click Administer the server.
c. Enter the user name and password for the LDAP account that you
specified in the LocalDomainAdmins group.
d. Expand LDAP Directory → Connectivity and fill in the fields as shown in
Table 4-24.
Port  389
Use SSL to authenticate and encrypt the connection between the Sametime
server and the LDAP server.  (Leave blank for now.)
Base Membership
k. Click Update.
m. Click Update.
20.Shut down the Domino server.
Tip: This step provides the administrator with the ability to monitor
Sametime Meeting server’s startup process. From a troubleshooting
perspective, we recommend enabling this. By allowing the service to
interact with the desktop, the next time the server is started, you will see
three console windows:
Lotus Domino server console
Sametime Meeting server console (../nstmeetingserver.exe)
This console window shows the startup process for the Sametime
Meeting server and its services.
Sametime Gateway service console (STGWService.exe)
This console window appears but remains blank. Do not close this
window because if you do, it will terminate the process improperly. This
is not the same as the new 7.5.1 Sametime product known as
Sametime Gateway.
7. Start the Lotus Domino Server (LotusDominodata) service from the Windows
services panel.
8. As the Sametime server loads, you should expect to see three console
windows, as previously described. If you do not see three console windows,
then the Sametime Meeting services most likely failed to load. For more
information about how to resolve that, see the following technote:
http://www.ibm.com/support/docview.wss?rs=899&uid=swg21159758
9. Verify that all of the Sametime-related services are running.
a. Launch an Internet browser and direct it to:
http://chat2.cam.itso.ibm.com/
7. On the Cluster Name dialog, select *Create new Cluster and click OK.
11.Manually replicate the changes between the chat servers by issuing the
following commands on chat2’s Domino server console window:
replicate chat1/ITSO names.nsf
replicate chat1/ITSO admin4.nsf
12. Within a few minutes, the cluster-related processes initiate and create the
databases necessary to facilitate cluster replication between these two chat
servers.
After completing this test and verifying that the Domino cluster is working, we can
proceed with creating the Sametime cluster.
Tip: Never use the restart server command to restart the Sametime
server. It does not provide enough time for all of the Sametime processes
to shut down cleanly before the Domino server attempts to start back up.
This can cause many problems that we would like to avoid. In order to
restart the Sametime server, we recommend splitting the process: 1) quit
the server first, and then 2) start it back up.
[Figure: deployment stages 1 clustered chat servers, 2 stand-alone MUX servers, 3 WebSphere Edge Load Balancer.]
To configure:
1. Using your favorite text editor, open up sametime.ini (by default, located at
c:\Lotus\SametimeMux\sametime.ini).
2. Update the following fields:
– VPMX_CAPACITY=80000
This increases the maximum capacity of the stand-alone mux to 80,000 TCP
connections. While a mux can comfortably handle 40,000 to 60,000
connections, it is important to allow each stand-alone mux to handle a
potential influx of connections if a mux server faults.
For example, let us suppose that there are two mux servers, where mux1
has 20,000 connections and mux2 has 30,000 connections. Because of
some hardware-related problem, mux2 goes down. Mux1 needs to be able
to handle the influx of 30,000 connections. This is why the capacity on a
Attention: For more information about other commonly used scenarios in the
Edge Load Balancer, including a high-availability scenario, NAT scenario, or
how to use sample custom advisors, see Chapter 5 in the IBM Redbooks
publication WebSphere Application Server V6 Scalability and Performance
Handbook, SG24-6392, at:
http://www.redbooks.ibm.com/abstracts/sg246392.html?Open
http://www-1.ibm.com/support/docview.wss?uid=pub1gc31685801
http://www-306.ibm.com/software/webservers/appserv/was/library/index.html
Each of these servers contains only one standard Ethernet network interface
card (NIC).
We then set up another IP address for this LAN segment in the DNS.
Table 4-32 shows the address that everyone will use to access our chat
cluster.
Figure 4-66 Install the hardware that I manually select from a list
Now that the loopback adapter is installed, configure the adapter to accept
requests for the cluster (imcluster.cam.itso.ibm.com) IP address (9.33.85.78).
4. Click OK.
8. Click OK.
9. Click OK on Local Area Connection Properties.
10.Close the Network Connections window.
Note that after the loopback adapter was added, the system also added three
extra routes to the routing table. Now there are three sets of routes to the
same destination using two different gateways: first, the cluster IP address
that was added to the loopback (10.20.10.100), and second the Ethernet
adapter IP address (10.20.10.103).
From the three sets of repeated routes, the one that may cause routing
problems is the one that was created for the local network, using the cluster
IP address as the gateway:
10.20.10.0 255.255.255.0 10.20.10.100 10.20.10.100 1
Note: Due to a characteristic of the operating system, this batch file added
to the run registry entry will only run after a user logs in.
In order to have this batch file run after a reboot even if no user logs in, you
need to create a Windows service for it. Refer to the operating system
documentation for more information about how to create services.
Complete the same steps for any additional mux servers in your environment.
Windows IP Configuration
Host Name . . . . . . . . . . . . : lb
Primary Dns Suffix . . . . . . . :
Node Type . . . . . . . . . . . . : Hybrid
IP Routing Enabled. . . . . . . . : No
WINS Proxy Enabled. . . . . . . . : No
DNS Suffix Search List. . . . . . : .cam.itso.ibm.com
5. Click OK.
6. Close the Local Area Connection Properties window.
At this point the ipconfig command should show the server listening on both the
load balancer non-forwarding IP address (9.33.85.68 in our environment) and
the cluster IP address (9.33.85.78 in our environment).
Windows IP Configuration
You are now ready to install and configure the WebSphere Edge Network
Dispatcher Component.
We describe the installation on a Windows 2003 server using the wizard. Before
starting the installation, refer to Load Balancer Administration Guide Version 6.0,
GC31-6858, for the prerequisites and supported operating systems:
http://www-1.ibm.com/support/docview.wss?uid=pub1gc31685801
Important: Before starting with the installation, you should have Java Runtime
(V1.4.2 or later) installed on your system.
9. At the end of the installation, you have the option to reboot the server. Make
sure you do so before using the product.
[Figure: configuring this load balancer and its ports; instant messaging users reach the load balancer in front of the ST cluster of two Sametime 7.5 servers (ports 1516 and 1352).]
4. A pop-up window is displayed, prompting you for the load balancer server that
you want to connect to. Select the host name of the load balancer server, as
shown in Figure 4-97.
After connecting to the load balancer server, a new entry is added to the GUI
window in the left pane, containing the host name of the selected server. All
the configuration we perform from now on is added to this element in a tree
structure.
Tip: For every action you perform, you can see a message in the bottom
pane of the GUI window that confirms whether the action was performed
successfully.
6. The next thing we need to do is to add our cluster. In our scenario, we have a
cluster called imcluster.itso.ibm.com (9.33.85.78), and this cluster contains
two mux servers, mux1 (9.33.85.66) and mux2 (9.33.85.67).
Although these fields are optional, IBM support recommends that you provide
them. Otherwise, load balancer uses the default values, which may not be
correct for your system.
Note: If you have only one Ethernet card in your machine, the interface
name will be en0. Likewise, if you have only one Token Ring card, the
interface name will be tr0. If you have multiple cards of either type, you will
need to determine the mapping of the cards. Use the following steps: Click
Start → Run and run regedit. Expand HKEY_LOCAL_MACHINE →
Software → Microsoft → Windows NT® → CurrentVersion →
NetworkCards.
The network interface adapters are listed under Network Cards. Click each
one to determine the interface type. The type of interface is listed in the
Description column. The names assigned by the executor configure
command map to the interface types. For example, the first Ethernet
interface in the list is assigned to en0, the second to en1, and so on. The
first Token Ring interface is assigned to tr0, the second to tr1, and so on.
The ports that we are adding refer to the port that the clients will access. In
our scenario, we use port 8082 for STLinks clients (WebSphere Portal, Lotus
QuickPlace, and Domino Web Access) and 1533 for Connect clients
(Sametime Connect client, Lotus Notes client, and Java Connect client).
STMobile can use either port 1533 or 8082.
Fill in the number of the port in the Port number field and select MAC Based
Forwarding in the Forwarding method field, as shown in Figure 4-105.
The next window prompts you for the information of the first server. Fill in the
host name of your mux server in the Server field and enter its IP address in
the Server address field, as shown in Figure 4-108.
The first server we add in our scenario is mux1.cam.itso.ibm.com, and its IP
address is 9.33.85.166.
Note that the Network router address check box is disabled because we
selected MAC Based Forwarding and this forwarding method does not allow
load balancing to remote servers. Click OK. The server should then appear
under port 1533 in the left pane of the GUI.
The load balancing part of the configuration is done. All the information that
Dispatcher needs to provide load balancing for our cluster is now configured. But
we also need the Manager component because we want to work with dynamic
weight values and failure detection.
2. A window is displayed in which you can select the name of the Manager log
file and the metric port, as shown in Figure 4-111. We chose the default
options. Click OK.
You can also choose a specific cluster with which to associate this advisor.
By leaving the optional Cluster to advise on field blank, this advisor is
automatically associated with all clusters that are load balancing port 1533.
If you want to specify a log file name for this advisor, type in the desired name
in the Log filename field. Click OK to close.
Again, we enter Connect in the Advisor name field and port 8082 in the Port
number field, as seen in Figure 4-115.
We have configured the cluster and advisors, and now we need to enable sticky
affinity across both Sametime ports in the cluster.
We have completed setting up the environment. Now we simply need to save the
configuration.
2. A pop-up window is displayed. In the Filename field, you can either select an
existing configuration file (which will be overwritten) or you can enter a new
file name.
The file name default.cfg is the default name for load balancer. This means
that when you start the Dispatcher server (dsserver), it will look for the file
default.cfg and, if it exists, it will load it. default.cfg is stored in
<LB_install_path>/servers/configurations/dispatcher
(C:\IBM\edge\lb\servers\configurations\dispatcher in our environment).
The resulting configuration file is shown in Example 4-14. Note that each
individual command has to be one line in the configuration file. However,
because of size limitations, some lines might be printed on two lines in our
examples.
If you do not want to use the load balancer GUI to configure the scenario
described here, you can copy the commands shown in Example 4-14 on
page 278 into your own default.cfg file, and when you run dsserver, it will
automatically be loaded.
You can also type those commands into the operating system prompt, one by
one.
Note that in either case, you need to change the host names and IP addresses
shown here to the appropriate ones for your environment.
Figure (diagram): an Instant Messaging User connects through a Load Balancer (Primary), with a Load Balancer (Backup) standing by, in front of the ST cluster.
5. In the Choose a Certifier dialog window, click the Server button and enter the
Domino name of the first server in your Domino domain (that is, chat1/ITSO).
6. Choose the Supply certifier ID and password option, click the Certifier ID
button, and browse to the certifier ID file (cert.id).
8. Enter the password for the certifier ID file and click OK (Figure 5-4).
10.On the Register Servers dialog window, confirm that the registration server
(chat1/ITSO) and certifier (/ITSO) are correct (Figure 5-6). Click Continue to
proceed.
12.Click Set ID File and browse to the location where the ID file should be stored
(that is, C:\Lotus\Domino\data\ids\servers\meeting1.id).
You have successfully registered the Sametime meeting server. Proceed to the
next section.
Install Domino
To install Lotus Domino on a Windows platform, follow these steps:
1. Run the install program (setup.exe), which is on the Domino server
installation CD.
2. On the Welcome to the InstallShield Wizard for Lotus Domino screen, click
Next.
3. On the Software License Agreement screen, select the I accept the terms in
the license agreement option and click Next.
Configure Domino
To do this:
1. Select Start → Programs → Lotus Applications → Lotus Domino Server.
2. Select Start Domino as a Windows service and click OK (Figure 5-14).
Figure 5-16 Where is the ID file for this additional Domino server?
6. On the Provide the registered name of this additional Domino server screen,
click Next.
Tip: Only the following Domino server tasks should still be checked:
Database Replicator
Mail Router
Agent Manager
Administration Process
Calendar Connector
Schedule Manager
HTTP Server
Rooms and Resources Manager
Figure 5-17 What Internet services should this Domino server provide?
13.On the Specify the type of Domino directory for this server screen, select Set
up as a primary Domino Directory and click Next.
14.On the Secure your Domino Server screen, uncheck “Prohibit Anonymous
access to all databases and templates” and then click Next.
15.On the Please review and confirm your chosen server setup options screen,
confirm the options you have selected, and then click Setup to initiate the
Domino Server setup process.
16.Once completed, a Setup Summary screen will be displayed. Click Finish to
complete the setup process.
http://doc.notes.net/domino_notes/7.0/help7_admin.nsf
Important: The above steps are mandatory prior to installing Sametime. If the
Domino server is not properly initialized, the Sametime installation could
fail.
Figure 5-19 The ping test should reply back with the correct IP
c. In the same command prompt window, you should also enter the following
command and verify that your server is listening on the correct IP address:
ipconfig
Make sure that the Domino server has the HTTP server task enabled.
Make sure that you have an Internet password. You must have an Internet
password in order to access the Lotus Sametime components of the server
during installation.
Make sure that you know the name of the Domino server. If you do not know
the Domino server name, you can find it in the Server document. Verify that
the Domino server has a fully qualified host name, for example,
meeting1.cam.itso.ibm.com.
Make sure that the client computers can ping the Sametime server using the
fully qualified name. This ensures that the computer is registered in DNS or
Install Sametime
To install Lotus Sametime on Microsoft Windows:
1. Shut down the Domino server.
2. Insert the Sametime installation CD. If the autorun program does not start, run
demo32.exe to start the installation program.
3. Select the language to install and click OK.
4. At the Welcome screen click Next.
5. Read and accept the license agreement and then click Next.
8. Uncheck Enable HTTP tunneling and click Next. For more information about
HTTP tunneling see 7.6, “HTTP tunneling” on page 609.
9. Review the summary information and then click Install.
10.Once completed, click Finish to exit the installation wizard.
[Config]
SametimeCluster=CN=meeting1/O=ITSO
SametimeDirectory=C:\Lotus\Domino\data
ConfigurationPort=80
ConfigurationHost=meeting1.cam.itso.ibm.com
SametimeEventServerPort=9092
ConfigurationChangeListener.count=1
ConfigurationChangeListener.classname.1=com.lotus.sametime.configuration.EventPublisherConfigurationChangeListener
ConfigurationChangeNotifier.count=1
ConfigurationChangeNotifier.classname.1=com.lotus.sametime.configuration.EventListenerConfigurationChangeNotifier
Locale=en
Note: The Sametime servlets that will load on server startup are:
Domino Bootstrap Servlet
Domino Configuration Servlet
Access Control Servlet
Domino Admin XPath Request Servlet JAXP
MMAPI Servlet
Notes Calendar Servlet
File Upload Servlet
RAP File Servlet
Statistics Servlet
Conversion Servlet
Policy Servlet
Name Change Servlet
Meeting Servlet
Telephony Servlet
UserInfo Servlet
Configure Sametime
To do this:
1. Launch a Lotus Notes client and log in using the Sametime administrator’s ID.
Field / Value tables (server document):
Security: Administrators = LocalDomainAdmins
Port = TCPIP; Protocol = TCP; Enabled = Enabled
Ports/Internet Ports: Anonymous
Internet Protocols/HTTP
10.From the action bar, click Keys → Create Domino SSO Key.
11.You will be prompted with a Warning dialog with the following message
(Figure 5-24):
This Web SSO Configuration has already been initialized. Creating
new keys will overwrite existing SSO keys. Continue?
Click OK to continue.
13.Click Save & Close to save the LtpaToken Web SSO document.
14.Confirm administrative access to the Sametime server for the LDAP account
that will be used to administer the server:
a. Click the Groups view.
b. Double-click the LocalDomainAdmins group.
c. In the Members field, enter the distinguished name (DN) of the LDAP
account that will be used to administer the Sametime server. See
Table 5-5 for examples of how to enter the DN into the Members field.
Access Manager
i. From the Notes menu bar, select File → Database → Access Control.
j. Verify that the administrative group (LocalDomainAdmins) is listed in the
ACL with manager access. If not, add the group as needed with the
following settings (see Table 5-7).
Table 5-7: Access = Manager
Field / Value table: Search order = 1; Enabled = Yes; LDAP Hostname = tds.cam.itso.ibm.com; Username = cn=root; Password = password
Tip: Never use the restart server command to restart the Sametime
server. It does not provide enough time for all of the Sametime processes
to shut down cleanly before the Domino server attempts to start back up.
This can cause many problems that we would like to avoid. In order to
restart the Sametime server, we recommend splitting the process in two: 1)
quit the server first, and then 2) start it back up.
19.When the Domino server is back up, update Sametime’s LDAP settings via
the Sametime administration interface:
a. Launch an Internet browser and point it to:
http://chat2.cam.itso.ibm.com/stcenter.nsf
b. Click Administer the server.
c. Enter the user name and password for the LDAP account that you
specified in the LocalDomainAdmins group.
d. Expand LDAP Directory → Connectivity and fill in the fields as shown in
Table 5-9.
Port: 389
Use SSL to authenticate and encrypt the connection between the Sametime server and the LDAP server: (Leave blank for now.)
Base Membership
k. Click Update.
l. Expand LDAP Directory → Group Contents and fill in the fields shown in
Table 5-13.
m. Click Update.
Tip: This step provides the administrator with the ability to monitor
Sametime Meeting server’s startup process. From a troubleshooting
perspective, we recommend enabling this. By allowing the service to
interact with the desktop, the next time the server is started, you will see
three console windows:
Lotus Domino server console
Sametime Meeting server console (../nstmeetingserver.exe)
This console window shows the startup process for the Sametime
Meeting server and its services.
Sametime Gateway service console (STGWService.exe)
This console window appears but remains blank. Do not close this
window because if you do, it will terminate the process improperly. This
is not the same as the new 7.5.1 Sametime product known as
Sametime Gateway.
5. Using your favorite text editor, open the notes.ini configuration file located in
the Domino program directory (that is, c:\Lotus\Domino\notes.ini).
6. Add STAddin back to the ServerTasks notes.ini parameter and save the
notes.ini configuration file (Example 5-4).
8. As the Sametime server loads, you should expect to see three console
windows, as previously described. If you do not see three console windows,
then the Sametime Meeting Services most likely failed to load. For more
information about how to resolve that, see the following technote:
http://www.ibm.com/support/docview.wss?rs=899&uid=swg21159758
9. Verify that all of the Sametime-related services are running:
a. Launch an Internet browser and direct it to:
http://chat2.cam.itso.ibm.com/
d. On the Server-Overview page, you will see a complete list of all the
Sametime services and their respective status. Verify that all of the
Sametime services are indeed running.
The chapter is written as though you have not completed any of the main topics
above (Connect client, Notes Client, Domino Web Access, QuickPlace, WebSphere
Portal, and Microsoft products). You can therefore pick and choose which
sections of this chapter you want to use, and complete only those sections. For
example, if you only want to add Sametime capabilities to the Connect client,
Domino Web Access, and WebSphere Portal, you can simply complete those
sections.
There is one exception to this. No matter what business applications you chose
to integrate, everyone should read 6.2, “Case fixes” on page 331, to make
Sametime case insensitive for easier integration with the rest of the products.
Important: everyone should read 7.1, “Case Fixes” on page 297, to make
Sametime case insensitive for easier integration with the rest of the products.
Update sametime.ini
To do this:
1. Open Sametime.ini from all chat servers in a text editor (located in
C:\Lotus\Domino\ in our test environment).
2. In the [Config] section add the following flag:
AWARENESS_CASE_SENSITIVE=0
3. In the [STLINKS] section append -DAWARENESS_CASE_SENSITIVE=0 to
the STLINKS_VM_ARGS as follows:
STLINKS_VM_ARGS=-Xmx128m -Xgcpolicy:optavgpause
-DAWARENESS_CASE_SENSITIVE=0
The sametime.ini from our test environment after making these changes is
shown in Example 6-2
[STLinks]
STLINKS_MAX_USERS=2500
STLINKS_VM_ARGS=-Xmx128m -Xgcpolicy:optavgpause
-DAWARENESS_CASE_SENSITIVE=0
STLINKS_MAX_OPEN_CONNECTION_TIME=600000
[Policy]
POLICY_DB_BB_IMPL=com.ibm.sametime.policy.databasebb.notes.DbNotesBlackBox
POLICY_ADAPTER_IMPL=com.ibm.sametime.policy.calculateservice.PolicyDefaultAdapter
POLICY_DIRECTORY_BB_IMPL=com.ibm.sametime.policy.directorybb.ldap.DirLdapBlackBox
POLICY_UNIQUE_TRACE_FILES=1
POLICY_MAX_THREADS=5
POLICY_VM_ARGS=-Xmx128m -Xgcpolicy:optavgpause
Update stlinks.js
To do this:
1. Open stlinks.js in all chat servers in a text editor (located in
C:\Lotus\Domino\data\domino\html\sametime\stlinks in our test environment).
2. In the variable section set the variable STlinksCaseSensitive to false:
var STlinksCaseSensitive=false;
var STlinksCaseSensitive=false;
//flag that indicates if the Web page needs to pass the reverse proxy for using the sametime
//server - do not change this variable.
var isRProxy=false;
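The three case-fix edits above (the [Config] flag, the STLINKS_VM_ARGS argument and the stlinks.js variable) are easy to get half-done across several chat servers, so here is an added example, not code from the Redbook or from Lotus Sametime, that applies them idempotently and verifies the result. It works on file contents held as strings so it can be checked offline; to use it on a chat server, read sametime.ini and stlinks.js into the text arguments and write the results back. The SAMPLE_INI and SAMPLE_JS contents are constructed to resemble Example 6-2 and the stlinks.js excerpt, and section names are matched case-insensitively because the text writes both [STLINKS] and [STLinks].

```python
"""Apply and verify the Sametime 'Case fixes' settings (added example)."""
import re

CASE_FLAG = "AWARENESS_CASE_SENSITIVE=0"
VM_ARG = "-DAWARENESS_CASE_SENSITIVE=0"

# Constructed sample contents, shaped like Example 6-2 (not the book's files).
SAMPLE_INI = """[Config]
SametimeCluster=CN=chat1/O=ITSO
SametimeDirectory=C:\\Lotus\\Domino\\data

[STLINKS]
STLINKS_MAX_USERS=2500
STLINKS_VM_ARGS=-Xmx128m -Xgcpolicy:optavgpause
STLINKS_MAX_OPEN_CONNECTION_TIME=600000

[Policy]
POLICY_MAX_THREADS=5
"""

SAMPLE_JS = """var STlinksCaseSensitive=true;
//flag that indicates if the Web page needs to pass the reverse proxy
var isRProxy=false;
"""


def _is_header(line):
    s = line.strip()
    return s.startswith("[") and s.endswith("]")


def _section_bounds(lines, name):
    """(header index, index of the next header) for [name], matched
    case-insensitively; (-1, -1) if the section is missing."""
    for i, line in enumerate(lines):
        if _is_header(line) and line.strip()[1:-1].lower() == name.lower():
            end = next((j for j in range(i + 1, len(lines)) if _is_header(lines[j])), len(lines))
            return i, end
    return -1, -1


def _set_key(lines, section, key, value, append_arg=None):
    """Set key=value inside [section], creating the section if needed.
    With append_arg, an existing value gets that argument appended once."""
    start, end = _section_bounds(lines, section)
    if start < 0:
        lines.extend(["", f"[{section}]", f"{key}={value}"])
        return
    for i in range(start + 1, end):
        k, sep, v = lines[i].partition("=")
        if sep and k.strip().upper() == key.upper():
            if append_arg is None:
                lines[i] = f"{key}={value}"
            elif append_arg not in v.split():
                lines[i] = f"{key}={v.strip()} {append_arg}".strip()
            return
    lines.insert(start + 1, f"{key}={value}")


def fix_sametime_ini(text):
    """Return sametime.ini text with AWARENESS_CASE_SENSITIVE=0 in [Config] and
    -DAWARENESS_CASE_SENSITIVE=0 appended to STLINKS_VM_ARGS in [STLinks]."""
    lines = text.splitlines()
    _set_key(lines, "Config", "AWARENESS_CASE_SENSITIVE", "0")
    _set_key(lines, "STLinks", "STLINKS_VM_ARGS", VM_ARG, append_arg=VM_ARG)
    return "\n".join(lines) + "\n"


_JS_FLAG = re.compile(r"^(\s*var\s+STlinksCaseSensitive\s*=\s*)(true|false)(\s*;)", re.M)


def fix_stlinks_js(text):
    """Force 'var STlinksCaseSensitive=false;', adding the line if it is absent."""
    if _JS_FLAG.search(text):
        return _JS_FLAG.sub(r"\g<1>false\g<3>", text)
    return "var STlinksCaseSensitive=false;\n" + text


def case_fix_applied(ini_text, js_text):
    """True only when all three settings from the case-fix steps are present."""
    lines = ini_text.splitlines()
    cs, ce = _section_bounds(lines, "Config")
    ss, se = _section_bounds(lines, "STLinks")
    if cs < 0 or ss < 0:
        return False
    cfg_ok = any(l.strip().upper() == CASE_FLAG for l in lines[cs + 1:ce])
    vm_ok = False
    for l in lines[ss + 1:se]:
        k, _, v = l.partition("=")
        if k.strip().upper() == "STLINKS_VM_ARGS" and VM_ARG in v.split():
            vm_ok = True
    js_ok = any(m.group(2) == "false" for m in _JS_FLAG.finditer(js_text))
    return cfg_ok and vm_ok and js_ok


if __name__ == "__main__":
    print("before:", case_fix_applied(SAMPLE_INI, SAMPLE_JS))
    print("after: ", case_fix_applied(fix_sametime_ini(SAMPLE_INI), fix_stlinks_js(SAMPLE_JS)))
```

Run case_fix_applied on every chat server in the cluster after the change; a server where only one of the three settings took effect is exactly the kind of inconsistency that makes awareness behave differently depending on which server a user lands on.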
2. To view user B’s business card information, user A’s Connect client sends an
HTTP request to the UserInfo servlet on user A’s home Sametime server:
http://[hostname]/servlet/UserInfoServlet?paramX=value...
3. The UserInfo servlet parses the request and instantiates a UserInfo black box
(BB) to search for the requested user’s details within the available storage
repositories. The UserInfo BB is essentially a search engine designed to find
users within the available storage repositories.
4. The UserInfo BB search results are provided back to the UserInfo servlet,
which then responds back to the requesting client in an XML format.
Business cards display information about users, but where exactly does this
information come from? The information is retrieved from storage repositories.
Example 6-6 Data spread across two storage repositories (Domino/custom database)
Primary Storage (Sametime directory) type: Domino directory
Secondary Storage type: Custom Notes Database
9. Click Browse, and browse to the JPG picture that you want to import
(Figure 6-12).
11.You will see the message File uploaded. Click Close (Figure 6-14).
13.In the jpegPhoto field, you will now see Binary data 1 (Figure 6-16).
14.Click OK at the bottom of the screen to complete the process (Figure 6-17).
http://publib.boulder.ibm.com/infocenter/sametime/v7r5m1/index.jsp
Tip: To test the UserInfo servlet, we have to construct an HTTP request (that
is, a URL) to request the business card details for the user we just set up. The
HTTP request consists of four components:
Protocol
Host name
Path to servlet
Parameters
In order to compose a request for business card details just like the Connect
client would, we have to provide three parameters:
An operation ID that identifies the type of service required from the servlet.
The Connect client uses an operation ID of 3 in the retrieval of business
card data. Therefore, so do we.
A unique user ID whose details are being queried for in the data sources.
The user’s distinguished name is provided (example user DN =
{uid=cprice,cn=users,dc=itso,dc=com}).
A set ID that identifies a predefined set of user details for which to retrieve
values. To get business card data, the Connect client uses the predefined
set with an ID of 1. Therefore, in testing we use the same (example set =
{name, address, phone, photo}).
Everyone should read 6.4.1, “How instant messaging works using a Notes Client”
on page 353, to understand how the Notes Client will interact with your
Sametime infrastructure.
At the end of that section we go into more detail on what sections you will need to
complete depending on the directory Sametime authenticates against.
Note: This option only works when Sametime authenticates against Native
Domino or Domino LDAP.
This option uses your user.id file for the client to open a request to the
Domino server that Sametime is running on. Domino verifies the ID with the
person document in names.nsf, and generates an LTPA token that is passed
back to the Notes Client. The Notes client then sends this to Sametime to log
the user in.
If, however, you authenticate against a Domino LDAP directory, the full canonical
format will work best for you. You will need to complete the following sections to
configure instant messaging in the Notes clients:
6.4.4, “Configure Notes Client to pass full canonical name format” on
page 358
6.4.5, “Enable awareness in Notes Client” on page 360
This field was populated with full canonical format of the Domino distinguished
name. So for the person records in our test environment for John Bergland, we
set the notescon field to the following:
notescon: CN=John Bergland/O=itso
Now the person record in TDS is updated. You will need to add the LDAP
Domino Canonical Name field (notescon) to the Sametime filter used to resolve
users’ distinguished names.
To update the resolve filter in Sametime to include the notescon field complete
the following:
1. On each chat cluster server open the Sametime Configuration database
(stconfig.nsf) in a Notes client.
2. Open the LDAP document, as shown in Figure 6-20.
Sametime is now able to resolve the full Notes name in LDAP, and awareness is
ready to work in a Notes Client.
Figure 6-23 Use canonical name for instant messaging status lookup
5. Click OK.
The Notes client will now send the correct format in our test environment (full
canonical name) to build awareness for users in your awareness-enabled
databases. The end users now need to tell the Notes client what Sametime
server to connect to, and enter the user name and password.
Figure 6-28 Enter your instant messaging user name and password
Note: If you already have Domino installed and users on the DWA
template, you can skip the install and register section and move to 6.7,
“Configure DWA for awareness and chat” on page 383.
http://www-128.ibm.com/developerworks/lotus/documentation/domino/
Or see the Redpaper Lotus Notes and Domino 7 Enterprise Upgrade Best
Practices, REDP-4120:
http://www.redbooks.ibm.com/abstracts/redp4120.html?Open
5. In the Choose a Certifier dialog window, click the Server button and enter the
Domino name of the first server in your Domino domain (that is, chat1/ITSO).
6. Choose the Supply certifier ID and password option, click the Certifier ID
button, and browse to the certifier ID file (cert.id).
8. Enter the password for the certifier ID file and click OK (Figure 6-32).
10.On the Register Servers dialog window, confirm that the registration server
(chat1/ITSO) and certifier (/ITSO) are correct. Click Continue to proceed
(Figure 6-34).
12.Click Set ID File and browse to the location where the ID file should be stored
(that is, C:\Lotus\Domino\data\ids\servers\dwa.id).
13.Click the green check mark button to add the server to the registration queue.
14.Highlight the new server, and click the Register button to complete the server
registration.
15.Click Done to close the Register New Server(s) dialog window.
You have successfully registered the second Domino server. Proceed to the next
section to install the Domino server.
Install Domino
To install Lotus Domino on a Windows platform:
1. Run the install program (setup.exe), which is on the Domino server
installation CD.
2. On the Welcome to the InstallShield Wizard for Lotus Domino screen, click
Next.
3. On the Software License Agreement screen, select the I accept the terms in
the license agreement option and click Next.
Configure Domino
To do this:
1. Select Start → Programs → Lotus Applications → Lotus Domino Server.
2. Select Start Domino as a Windows service and click OK (Figure 6-40).
5. On the Where is the ID file for this additional Domino server screen, select the
location of the server ID file and click Next.
Note: In previous steps we stored the DWA’s server ID on chat1’s local file
system and not in the Domino directory. For this step within the setup
program, DWA’s server ID needs to be made accessible. We could map a
drive to chat1 or simply copy the file from chat1 to DWA. For this step, we
will copy DWA’s server ID from chat1’s local file system onto the desktop of
DWA.
6. On the Provide the registered name of this additional Domino server screen,
click Next.
Figure 6-42 What Internet services should this Domino server provide
12.On the Specify the type of Domino directory for this server screen, select Set
up as a primary Domino Directory and click Next.
13.On the Secure your Domino Server screen, uncheck “Prohibit Anonymous
access to all databases and templates” and then click Next.
14.On the Please review and confirm your chosen server setup options screen,
confirm the options that you have selected, and then click Setup to initiate the
Domino Server setup process.
15.Once completed, a Setup Summary screen will be displayed. Click Finish to
complete the setup process.
http://doc.notes.net/domino_notes/7.0/help7_admin.nsf
At the end of that section we go into more detail on what sections you will need to
complete depending on the directory Sametime authenticates against.
You may want to also read through and decide what name format to use
(discussed in 6.7.6, “Change how names are passed to Sametime for awareness
status” on page 413).
If, however, Sametime authenticates against a Domino LDAP directory, the full
canonical or full LDAP canonical format will work best for you. You will need to
complete the following sections to configure instant messaging in DWA:
6.7.3, “Configure SSO between DWA and Sametime” on page 401
6.7.4, “Configure DWA server document for awareness and chat” on
page 406
6.7.5, “DWA user settings to enable awareness and chat” on page 409
You may want to also read through and decide what name format to use,
discussed in 6.7.6, “Change how names are passed to Sametime for awareness
status” on page 413.
The DWA users are registered in Domino and resolve to the Domino canonical
name from the person document for that user. Figure 6-44 shows a sample
person document from our test environment.
From this figure, DWA resolves the user as CN=Charlie Price/O=ITSO, the
canonical name of Charlie Price/ITSO, if your organization uses organizational
units (Charlie Price/Atlanta/ITSO - the canonical name would be CN=Charlie
Table 6-4
DWA distinguished name Sametime distinguished name
When integrating DWA with Sametime it is necessary for DWA to pass the
Sametime distinguished name to Sametime when logging in the user.
To configure DWA to pass the distinguished name used by Sametime (the TDS
LDAP distinguished name) to Sametime, we must synchronize the directories.
That is, we need to do one of the following:
Add the Domino distinguished names as an attribute in the user’s person
record of Tivoli Directory Server.
Add the Tivoli Directory Server distinguished name to the user’s person
document in Domino.
Important: You do not need to add names into both directories. These steps
are for updating the Tivoli Directory Server directory. If you prefer to update
Domino go to “Add LDAP DN to Domino person document” on page 397.
Now that the person record in TDS is updated, we need to tell DWA what server
to go to find the LDAP distinguished name needed to pass to Sametime. To do
that we configure directory assistance.
Now that the directory assistance database is set up and configured, you need to
tell the server to use this database.
Any time you make changes to the server document here or the directory
assistance database you will need to restart the Domino server for the changes
to take effect. We wait at this point to restart, however, as we will make additional
changes to the server document, and just restart when all are complete.
Figure (diagram): (1) Charlie Price/ITSO opens Cprice.nsf (ACL); (2) the DWA server queries the directory with the filter notesDN=CN=Charlie Price,O=ITSO; (3) the directory returns uid=cprice,cn=users,dc=itso,dc=com; (4) DWA calls writestlinksapplet(uid=cprice,cn=users,dc=itso,dc=com; <LTPAToken>) against the Sametime Server.
Important: You do not need to add names into both directories. These steps
are for updating the Domino directory. If you prefer to update the Tivoli
Directory Server go to “Add Domino DN to Tivoli Directory Server” on
page 386.
Adding the Tivoli Directory Server distinguished name into the Domino directory
should be done in two places:
Add LDAP DN to user name field.
Add LDAP DN to LTPA user name field.
Note: You can add this Tivoli Directory Server distinguished name to the
username or shortname field. How to do this in the username field is
described below, but either is acceptable.
Note: This cannot be one of the first two entries of the username field. The
first is reserved for the Domino distinguished name, and must stay Charlie
Price/ITSO in this example. The second is reserved for the user’s common
name in Domino (Charlie Price in this example).
Do not save and close the person document yet. We need to add the
distinguished name to one more field in the person document, described in the
next section.
How it works
Once this is complete, when you log into Domino and access your Domino Web
Access mail file, DWA will authenticate you as CN=Charlie Price/O=ITSO.
1. As it goes to log you into Sametime, DWA will recognize that the
distinguished name it contains is not the correct name.
Figure (diagram): (1) Charlie Price/ITSO opens cprice.nsf (ACL); (2) DWA looks up the Domino Directory person document, whose UserName field holds Charlie Price/ITSO, Charlie Price and uid=cprice/cn=users/dc=itso/dc=com, and whose LTPA UsrNm field holds uid=cprice/cn=users/dc=itso/dc=com; (3) the lookup returns uid=cprice,cn=users,dc=itso,dc=com; (4) DWA calls writestlinksapplet(uid=cprice,cn=users,dc=itso,dc=com; <LTPAToken>) against the Sametime Server.
Normally, you would replicate this change out to the DWA server and restart the
server before SSO will work with Sametime. However, there is one additional
step in the Domino directory that we need to complete to get awareness and chat
working in DWA, so we will not replicate and restart at this point, but move on to
the next section.
Note: If you set this to enabled you need to copy the stlinks folder from
the Sametime server to the Domino Web Access folder, located in the
<Domino_Data>\domino\html\sametime directory.
At this point all server settings are complete. You should replicate these changes
to the DWA server, and restart the DWA server.
Note: If you synchronized the directories by adding the Domino name into
the Tivoli Directory Server, the user can sign in with her TDS name and
password. If you added the TDS DN into Domino, you will need to sign in
with your Domino name and password from the Internet password field in
the person document.
If administrators would prefer to have Enable Instant messaging set by default for
the users, there are some customizations you can make to the mail template to
accomplish this. Section 5.5.8 of the Domino Web Access 7 Customization
Redpaper gives excellent examples of how this can be accomplished. You can
find the redpaper here:
http://www.redbooks.ibm.com/abstracts/redp4188.html?Open
All users in Table 6-5 used Notes to send messages to Charlie Price. The inbox,
therefore, has the following set in the from field (Table 6-5).
So from here we have two John Berglands in our company, one in marketing,
the other in sales. Therefore, sending just the common name to Sametime would
resolve to two users (uid=jbergland,cn=users,dc=itso,dc=com and
uid=jbergland2,cn=users,dc=itso,dc=com). Sametime will be unable to uniquely
determine which user you need status for, and so will show the user as offline.
To resolve this you should use one of the other available formats.
This field should be populated with LDAP canonical format of the Domino
distinguished name. So for the person document in our test environment, John
Bergland/ITSO, we set the NotesDN field to the following:
NotesDN: CN=John Bergland,O=itso
Now that the person record in TDS is updated, we need to tell DWA what server
to go to find the LDAP distinguished name needed to pass to Sametime.
Syntax: iNotes_WA_SametimeNameFormat=value
For example:
iNotes_WA_SametimeNameFormat=1011
where the following values apply:
First digit (left most) -- controls the format of the name passed to
Sametime to determine awareness status for users in who column:
0 = Abbreviated canonical format (for example, John Bergland/ITSO)
1 = Full canonical format (for example, CN=John Bergland/O=ITSO)
2 = Full LDAP canonical format (for example, CN=John Bergland,O=ITSO)
3 = Use only the common name (for example, John Bergland)
4th digit -- a debug aid: when the user hovers over a link, the
name that displays is identical to the name sent to Sametime. Use any
character in the fourth position to enable this.
In our test environment, we are using non-Domino LDAP. Using the setting
above iNotes_WA_SametimeNameFormat=314 we will interact with Sametime
using the following settings:
Login user to Sametime: (3rd digit - 4) use non-Domino LDAP format.
Generate awareness for who column: (1st digit - 3) common name.
If you wanted to pass the full canonical format (CN=John Bergland/O=ITSO) you
would use:
iNotes_WA_SametimeNameFormat=114
You will need to restart the DWA server for this change to take effect.
To update the resolve filter in Sametime to include the NotesDN field, complete
the following:
1. On each chat cluster server open the Sametime Configuration database
(stconfig.nsf) in a Notes client.
4. If you used the full LDAP canonical format, add the following to the
sametime.ini to force Sametime to try to resolve the name:
[Directory]
ST_DB_LDAP_BROWSE_BY_RESOLVE_FILTER=1
ST_DB_LDAP_ALLOW_SEARCH_ON_DN=1
5. Restart the Sametime server for the changes to take effect.
http://www-10.lotus.com/ldd/notesua.nsf/find/quickplace
Register a server
To do this:
1. Launch the Domino Administrator client.
2. From the menu bar, select File → Open Server and enter in the host name of
the first server that was set up (in our case, chat1.cam.itso.ibm.com), and
click OK.
3. Click the Configuration tab.
4. On the right-hand side, select Tools → Registration → Server (Figure 6-72).
5. In the Choose a Certifier dialog window, click the Server button and enter the
Domino name of the first server in your Domino domain (that is, chat1/ITSO).
8. Enter the password for the certifier ID file and click OK.
10.On the Register Servers dialog window (Figure 6-76), confirm that the
registration server (chat1/ITSO) and certifier (/ITSO) are correct. Click
Continue to proceed.
Server name: qp
12.Click Set ID File and browse to the location of where the ID file should be
stored (that is, C:\Lotus\Domino\data\ids\servers\qp.id).
13.Click the green check mark button to add the server to the registration queue.
14.Highlight the new server and click the Register button to complete the server
registration.
15.Click Done to close the Register New Server(s) dialog window.
You have successfully registered the second Domino server. Proceed to the next
section to install the Domino for the QuickPlace machine.
Install Domino
To install Lotus Domino on a Windows platform:
1. Run the install program (setup.exe), which is on the Domino server
installation CD.
2. On the Welcome to the InstallShield Wizard for Lotus Domino screen, click
Next.
3. On the Software License Agreement screen, select the I accept the terms in
the license agreement option and click Next.
Configure Domino
To do this:
1. Select Start → Programs → Lotus Applications → Lotus Domino Server.
2. Select Start Domino as a Windows service and click OK (Figure 6-82).
Note: In previous steps, we stored the qp server’s ID on chat1’s local file
system and not in the Domino directory. For this step within the setup
program, qp’s server ID needs to be made accessible. We could map a
drive to chat1 or simply copy the file from chat1 to qp. For this step we
copy qp’s server ID from chat1’s local file system onto the desktop of qp.
Figure 6-84 Where is the ID file for this additional Domino server?
6. On the Provide the registered name of this additional Domino server screen,
click Next.
7. On the What Internet services should this Domino Server provide screen, do
the following:
a. Check Web Browsers (HTTP services).
b. Uncheck Directory services (LDAP services).
Figure 6-85 What Internet services should this Domino server provide
10.On the Domino network settings screen, click Customize and do the
following:
a. Uncheck NetBIOS over TCP/IP.
b. For the TCP/IP Notes Port Driver, enter in the fully qualified host name for
the Domino server in the Host Name (Editable) field (qp.cam.itso.ibm.com
in our test environment).
c. In the text field on the bottom of the screen, enter in the same fully
qualified host name for the Domino server (qp.cam.itso.ibm.com).
11.Click OK and then Next to continue.
13.On the Specify the type of Domino directory for this server screen, select Set
up as a primary Domino Directory and click Next.
14.On the Secure your Domino Server screen, uncheck “Prohibit Anonymous
access to all databases and templates” and then click Next.
15.On the Please review and confirm your chosen server setup options screen,
confirm the options you have selected, and then click Setup to initiate the
Domino Server setup process.
16.Once completed, a Setup Summary screen will be displayed. Click Finish to
complete the setup process.
http://doc.notes.net/domino_notes/7.0/help7_admin.nsf
Shut down the Domino Server prior to installing QuickPlace in the following
section.
5. On the Specify name and password screen, specify a local QuickPlace user
who will be used to administer QuickPlace.
Note: This user should not exist in the LDAP directory you will configure
QuickPlace with.
The following sections show the configuration changes and explanations done
for our example. For more detailed explanations for all of the settings in the
QuickPlace administration place and qpconfig.xml file, see the IBM Lotus Team
Workplace Administrator’s Guide, available at:
http://www.lotus.com/ldd/notesua.nsf/find/quickplace
Note: After clicking Next, you should see your user directory along with OK
with Anonymous access, as shown in Figure 6-92 on page 444. If you see
Not OK, click Change Directory and correct the incorrect settings until you
see OK with Anonymous access.
Important: When changing the object class, make sure that the value you
use is the exact same case as that saved in your LDAP directory. For
example, in our example, the object class for users is inetOrgPerson.
Setting this value to inetorgperson will cause problems in QuickPlace.
<base_dn>
<group>cn=groups,dc=itso,dc=com</group>
</base_dn>
<schema>
<object_class>objectClass</object_class>
<user>
<object_class_value>inetOrgPerson</object_class_value>
<common_name>cn</common_name>
<display_name>cn</display_name>
<first_name>givenname</first_name>
<last_name>sn</last_name>
<email>mail</email>
<phone>telephoneNumber</phone>
</user>
<group>
<object_class_value>groupOfUniqueNames</object_class_value>
<common_name>cn</common_name>
<display_name>cn</display_name>
<member>uniqueMember</member>
<attribute_in_person_record>ibm-allgroups</attribute_in_person_record>
</group>
<secondary_cn_component enabled="true"/>
<search_filters>
<authentication>
<![CDATA[
(|(cn={0})(uid={0}))
]]>
</authentication>
<user_lookup>
<![CDATA[
(&(objectclass=person)(sn={0})(givenname={1}))
]]>
</user_lookup>
<group_lookup>
<![CDATA[
(&(objectclass=groupOfUniqueNames)(cn={0}))
]]>
</group_lookup>
<group_membership>
<![CDATA[
(&(objectclass=groupOfUniqueNames)(uniqueMember={0}))
]]>
</group_membership>
</search_filters>
<member_lookup_ui>
<column_name>
<person>sn, givenname</person>
</column_name>
<column_disambiguate>
<person>dn</person>
</column_disambiguate>
</member_lookup_ui>
<search_ui_hint>
<![CDATA[
( enter <B>last name, first name</B>)
]]>
</search_ui_hint>
<search_ui_index>sn</search_ui_index>
4. After these changes have been made, restart the HTTP task in Domino for
Team Workplace to recognize them by issuing the following commands on
the Domino console:
tell http q
load http
First, test the search functionality by signing into the QuickPlace administration
place as the local QuickPlace administrator. Select Server Settings → Security.
Under either Who can create new place on this server? or Who can administer
this server?, click the Add button. Next click the Directory button and search for
a user and group from your LDAP directory. If an expected user or group is not
returned, double check the directory settings in the Administration Console and
the qpconfig.xml file as previously documented.
Ensure that the DN listed is correct for your environment. If it is not, single
sign-on will not work, and you need to double check the settings in the
Administration Console and the qpconfig.xml file as previously documented.
At this point you are ready to configure QuickPlace to work with your Sametime
server.
Note: You can configure QuickPlace for awareness, chat, or meetings (or all
of these). You do not have to set up QuickPlace for both awareness and
meetings. However, whatever combination of awareness, chat, and meetings
you decide on, you must configure SSO between QuickPlace and Sametime
as the initial step to integrating the products.
7. Click the Internet Protocols - Domino Web Engine tab and set:
– Session authentication: Multiple Servers (SSO)
– Web SSO Configuration: LtpaToken (same as Configuration Name field in
Web SSO document, as shown in Figure 6-97). If the configuration name
is anything other than LtpaToken, you must set this field.
Multiple Server SSO is not configured on the QuickPlace server. After setting up
Multiple Server SSO, you need to update the login form to work correctly with
QuickPlace.
c. Click OK.
d. Open the newly created Web Server Configuration database.
e. Click Add Mapping.
If you do not see Logged in as <your name>, and instead you see Log on to
Sametime, then SSO is failing between QuickPlace and Sametime, and one of the
above steps was done incorrectly. You will need to correct this before continuing.
You should now be ready to configure QuickPlace for awareness, chat, and
online meetings. If you only want to configure QuickPlace to create meetings in
Sametime, skip the next section and move on to 6.10.5, “Configure QuickPlace
for online meetings” on page 464.
Example 6-16 The qpconfig.xml file for the Online Meetings section
<sametime local_users="false" ldap="true">
  <meetings invite_servers="true">
    <tools>
      <audio enabled="true"/>
      <video enabled="true"/>
    </tools>
    <credentials>
      <dn>cn=domino admin/o=itso</dn>
      <password>passw0rd</password>
    </credentials>
  </meetings>
</sametime>
Click Administer the Server. For the user name and password that you
enter here, you will need to enter the Domino canonical user name and
password into the credentials section of the qpconfig.xml file.
8. Click Next.
9. Restart the Team Workplace server for the changes to take effect.
If you see an error stating that the meeting was not created, see the Technote
Knowledge Collection: QuickPlace Issues Related to Sametime, 1115409, to
help you troubleshoot the problem, available at:
http://www.ibm.com/support/docview.wss?rs=0&uid=swg21115409
http://www.redbooks.ibm.com/abstracts/sg247387.html?Open
http://www-128.ibm.com/developerworks/websphere/zones/portal/proddoc.html#1
7. Enter the:
– Cell Name: wps in our test environment
– Node name: wps in our test environment
Note: The cell and node name should be four characters or less.
14.WebSphere should begin installing. This can take up to four hours depending
on the processor speed and amount of memory.
WasUserid The distinguished name in the LDAP directory for the WebSphere
Application Server administrator. This can be the same name as the
WebSphere Portal server administrator (PortalAdminId).
Example: uid=wasadmin,cn=users,dc=itso,dc=com
Database properties
Example: uid=wpsadmin,cn=users,dc=itso,dc=com
PortalAdminGroupIdShort The short form of the WebSphere Portal server administrators group
name.
Example: wpsadmins
LTPAPassword The password used to encrypt and decrypt the LTPA keys.
Example: password
Example: 120
SSORequiresSSL Indicates whether single sign-on is enabled only for HTTPS Secure
Socket Layer (SSL) connections. Type false.
If you want to configure SSL, do so only after you have enabled LDAP
security and verified the LDAP directory configuration.
Example: False
Example: cam.itso.ibm.com
useDomainQualifiedUserNames Indicates whether to qualify user names with the security domain
within which they reside (true or false). The default value (false) is
recommended for most environments.
Example: false
cacheTimeout Timeout for the security cache. The default value (600) is
recommended for most environments.
Example: 600
LDAP properties
LookAside You can either install with LDAP only or with LDAP using a Lookaside
database. The purpose of a Lookaside database is to store attributes
that cannot be stored in your LDAP server. This combination of LDAP
plus a Lookaside database is needed to support the database user
registry.
Value type:
* true - LDAP + Lookaside database
* false - LDAP only
Default value: false
Example: true
Note: Set to true to use CPP portlets.
LDAPHostName The host name for your LDAP server.
Example: tds.cam.itso.ibm.com
LDAPPort The LDAP server port number. Typically, you type 389. Do not type
636, the port typically used for SSL connections. If you want to
configure an SSL port for LDAP, do so after you have enabled LDAP
security and verified the LDAP directory configuration.
Example: 389
LDAPAdminUId The distinguished name in the LDAP directory that WebSphere Portal
server and WebSphere Member Manager use to bind to the directory.
The level of access given this name determines the level of access
that Workplace Collaboration Services has to the directory. This
name does not have to contain a uid attribute.
Note: Give this account read-only access to prevent users from using
the Sign-up link to register accounts in the directory and from using
the Edit My Profile link to change attributes in the directory, such as
their e-mail addresses.
Example: cn=root
LDAPAdminPwd The password for the name assigned to the LDAPAdminUId property.
Example: password
LDAPSuffix The LDAP suffix for your Directory Server. This property determines
the naming context at which to begin directory searches for users and
groups. Tip: For Domino as LDAP this value is typically empty.
Example: dc=itso,dc=com
LDAPUserPrefix The leftmost attribute of user names in the directory. Type the value
in lowercase characters.
Example: uid
LDAPUserSuffix The naming context at which to begin searches for user names in the
directory.
Example: cn=users
LDAPGroupPrefix The leftmost attribute of group names in the directory. Type the value
in lowercase characters.
Example: cn
LDAPGroupSuffix The naming context at which to begin searches for group names in
the directory. Tip: For Domino as LDAP this value is typically empty.
Example: cn=groups
Example: inetOrgPerson
Example: groupOfUniqueNames
Example: uniqueMember
LDAPUserFilter The filter used to search for user accounts. The filter must include the
following text: (&(|(<userprefix>=%v)(mail=%v))(objectclass=
<userobjectclass>)), where <userprefix> is the value specified for the
LDAPUserPrefix property and <userobjectclass> is the value
specified for the LDAPUserObjectClass property.
Example: (&(|(uid=%v)(mail=%v))(objectclass=inetOrgPerson))
LDAPGroupFilter The filter used to search for group accounts. The filter must include
the following text:
(&(<groupprefix>=%v)(objectclass=<groupobjectclass>)), where
<groupprefix> is the value specified for the LDAPGroupPrefix
property and <groupobjectclass> is the value specified for the
LDAPGroupObjectClass property.
Example: (&(cn=%v)(objectclass=groupOfUniqueNames))
LDAPsearchTimeout Value in seconds for the amount of time the LDAP server has to
respond before canceling a request.
Example: 120
LDAPreuseConnection Indicates whether LDAP connections are reused (true or false). If your
environment uses a front-end server to spray requests to multiple
back-end LDAP Directory Servers, type false.
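The qpconfig.xml search filters above take {0}/{1} placeholders and the wpconfig.properties filters take %v, and both sections carry rules an administrator can check mechanically (required filter text, lowercase prefixes, exact-case object classes). The following Python is an added example, not code from the Redbook or from the products: it fills the qpconfig.xml placeholders with RFC 4515 escaping so a search term cannot change the filter's structure, flags an object_class_value that differs from the directory's spelling only in case (the inetorgperson trap), and builds and verifies the required Portal filter text. The qpconfig excerpt, the directory object-class set and the property dict are constructed for the example.

```python
import re
import xml.etree.ElementTree as ET

# Constructed excerpt modelled on the qpconfig.xml fragment above, wrapped in a
# <directory> element so it parses on its own. The user object class is written
# as inetorgperson on purpose, to show the case mismatch the text warns about.
QPCONFIG_EXCERPT = """<directory>
  <schema>
    <object_class>objectClass</object_class>
    <user><object_class_value>inetorgperson</object_class_value></user>
    <group><object_class_value>groupOfUniqueNames</object_class_value></group>
  </schema>
  <search_filters>
    <authentication><![CDATA[ (|(cn={0})(uid={0})) ]]></authentication>
    <user_lookup><![CDATA[ (&(objectclass=person)(sn={0})(givenname={1})) ]]></user_lookup>
    <group_lookup><![CDATA[ (&(objectclass=groupOfUniqueNames)(cn={0})) ]]></group_lookup>
    <group_membership><![CDATA[ (&(objectclass=groupOfUniqueNames)(uniqueMember={0})) ]]></group_membership>
  </search_filters>
</directory>"""

# Object classes as the (constructed) directory actually spells them.
DIRECTORY_OBJECT_CLASSES = {"inetOrgPerson", "groupOfUniqueNames", "person"}

# wpconfig.properties values taken from the table above, as a dict.
PORTAL_PROPS = {
    "LDAPUserPrefix": "uid",
    "LDAPUserObjectClass": "inetOrgPerson",
    "LDAPUserFilter": "(&(|(uid=%v)(mail=%v))(objectclass=inetOrgPerson))",
    "LDAPGroupPrefix": "cn",
    "LDAPGroupObjectClass": "groupOfUniqueNames",
    "LDAPGroupFilter": "(&(cn=%v)(objectclass=groupOfUniqueNames))",
}

# RFC 4515 escapes for values substituted into a search filter.
_FILTER_ESCAPES = {"\\": r"\5c", "*": r"\2a", "(": r"\28", ")": r"\29", "\0": r"\00"}


def escape_filter_value(value):
    return "".join(_FILTER_ESCAPES.get(ch, ch) for ch in value)


def fill_filter(template, *values):
    """Replace the {0}, {1}, ... placeholders of a qpconfig.xml filter with escaped values."""
    def replace(match):
        index = int(match.group(1))
        if index >= len(values):
            raise IndexError("filter needs value {%d}, only %d supplied" % (index, len(values)))
        return escape_filter_value(values[index])
    return re.sub(r"\{(\d+)\}", replace, template)


def filters_from_qpconfig(xml_text):
    """Return {filter_name: filter_template} from the <search_filters> section."""
    root = ET.fromstring(xml_text)
    return {node.tag: (node.text or "").strip() for node in root.find("search_filters")}


def object_class_case_problems(xml_text, directory_object_classes):
    """Flag object_class_value entries that match a directory object class only
    case-insensitively. Returns [(entry, configured_value, directory_spelling)]."""
    root = ET.fromstring(xml_text)
    by_lower = {oc.lower(): oc for oc in directory_object_classes}
    problems = []
    for entry in ("user", "group"):
        configured = root.findtext("schema/%s/object_class_value" % entry, "").strip()
        expected = by_lower.get(configured.lower())
        if expected is not None and expected != configured:
            problems.append((entry, configured, expected))
    return problems


def required_portal_filters(user_prefix, user_oc, group_prefix, group_oc):
    """The text LDAPUserFilter and LDAPGroupFilter must contain, built from the
    prefix and object class properties exactly as the table specifies."""
    user = "(&(|(%s=%%v)(mail=%%v))(objectclass=%s))" % (user_prefix, user_oc)
    group = "(&(%s=%%v)(objectclass=%s))" % (group_prefix, group_oc)
    return user, group


def portal_filter_problems(props):
    """Check the filter properties against the required text and the lowercase rule."""
    user_req, group_req = required_portal_filters(
        props["LDAPUserPrefix"], props["LDAPUserObjectClass"],
        props["LDAPGroupPrefix"], props["LDAPGroupObjectClass"])
    problems = []
    if user_req not in props.get("LDAPUserFilter", ""):
        problems.append("LDAPUserFilter must include " + user_req)
    if group_req not in props.get("LDAPGroupFilter", ""):
        problems.append("LDAPGroupFilter must include " + group_req)
    for key in ("LDAPUserPrefix", "LDAPGroupPrefix"):
        if props[key] != props[key].lower():
            problems.append(key + " must be lowercase")
    return problems


if __name__ == "__main__":
    filters = filters_from_qpconfig(QPCONFIG_EXCERPT)
    print(fill_filter(filters["authentication"], "j*"))
    print(object_class_case_problems(QPCONFIG_EXCERPT, DIRECTORY_OBJECT_CLASSES))
    print(portal_filter_problems(PORTAL_PROPS))
```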
6. Import the contents of the helper file into the wpconfig.properties file by
issuing this command from C:\ibm\WebSphere\PortalServer\config:
WPSconfig -DparentProperties="<full_path_to_helper_file>"
-DSaveParentProperties=true
WPSconfig
-DparentProperties="C:\ibm\WebSphere\PortalServer\config\helpers\sec
The following sections describe how to configure Portal and Sametime so users
have the ability to create online meetings within Portal:
6.13.3, “Configure SSO between Portal and Sametime” on page 489
6.13.6, “Configure the Web Conferencing Portlet” on page 512
Note: If you have not configured WebSphere Portal with a database other
than Cloudscape™, you will need to stop WebSphere Portal before you
start server1. Otherwise, you will be unable to log in to the WAS admin
console. To stop Portal run the following command:
C:\IBM\WebSphere\AppServer\bin>stopserver WebSphere_Portal -user
wasadmin -password password
Tip: Remember this password, because you must enter it when you import
the LTPA key into the Domino server and when you create LTPA junctions
in Tivoli Access Manager.
4. Click OK on the This Web SSO Configuration has already been initialized
warning pop-up.
6. Enter the password for the LTPA key and click OK.
7. Click OK in the message window that states that the key import is successful.
8. On the Basics tab you should now see WebSphere Information below the
Participation Servers section of the document.
10.Set the expiration (minutes) to the same number of seconds you set
WebSphere Portal to (120 by default), as shown in Figure 6-126.
11.Click Save and Close.
At this point SSO should work between WebSphere Portal and Sametime.
http://www-1.ibm.com/support/docview.wss?uid=21158269
#
# Required settings
#
CS_SERVER_SAMETIME.enabled=true
CS_SERVER_SAMETIME_1.hostname=imcluster.cam.itso.ibm.com
CS_SERVER_SAMETIME_1.version=7.5.1
# The protocol and port that the ST server uses
# to serve up HTML, CSS and JavaScript files, etc.
CS_SERVER_SAMETIME_1.protocol=http
CS_SERVER_SAMETIME_1.port=8082
#
# Optional advanced settings
#
# Specify whether to use the LTPA token for logging into Sametime from
# the browser.
# If the CS_SERVER_CUSTOM_CRED is enabled and the ssoTokenAttrib is
# specified, it will be used instead of the LTPA token.
# This option should only be turned on if your Sametime server supports
# tokens produced by the portal server.
# By default an LTPA token is enabled (preferred).
CS_SERVER_SAMETIME_1.useLTPAToken=true
Note: This is the port used by Portal to connect to the Sametime server to get
a user’s buddy list.
Note: This is how names are passed from the People Finder to the STLinks
applet to determine status. dn provides the best performance.
If the Portlet still fails for you, try restarting WebSphere Portal to reset the
connection to Sametime, and try these steps again.
6. Click the pencil (Edit parameter) icon and configure the following parameters:
– SametimeServerName1: Set to your Sametime meeting server
(meeting1.cam.itso.ibm.com in our test environment).
– SametimeUserName1: Set to Sametime administrator (Sametime
Admin/ITSO in our test environment).
The portlet should now be ready to allow users to create, search for, and attend
meetings through the portlet. We will use wpsadmin to ensure that the portlet is
configured correctly.
Figure 6-147 Smart tag integration based on the name Miles Montgomery in a Word document
vcredist_x86.exe /Q
The file VCREDIST_x86.exe is located, together with this script, in the same
directory as the Sametime clients. Running this script enables the second and
main part of Office integration to be installed (that is, the Toolbar, Web
conferencing, and Smart Tags).
Install process
In this install, the files were copied to a temporary directory on the Outlook user's
PC and then the file "sametime751_OI_setup.bat" was run from within that
temporary directory (Figure 6-148).
After pressing Enter and after a couple of informational pop-up screens, the
following screen appears (Figure 6-149).
Click Next.
Figure 6-153 on page 527 illustrates where you choose which of the three MS
integration options you wish to install. You can choose as many as you like. Then
click Next and you are presented with a screen with the size requirements and
the Install button. Click Install and the client will install.
Smart Tags
The MS recognizer technology within Office recognizes various names
depending on the application. In Word, it fires on an English person name.
Sametime is plugged in as a recipient of the name recognition event and uses
the same technology as Quickfind to locate the name and provide the Sametime
options in the right-click drop-down menu.
In Excel, the name recognizer fires on an e-mail address, and if the e-mail
address is in the Outlook Contact address book, then the same recognition event
is fired and Sametime uses this. The same also happens in PowerPoint.
MS Outlook
Figure 6-155 is the Outlook client with the toolbar showing presence awareness.
Additionally, note the Sametime transcripts folder that contains the chats that can
be saved to the Outlook folder by a Sametime preferences option (see
Figure 6-157).
Figure 6-161 illustrates the additional tab and the interface for launching an
online meeting.
7.2 Security
To secure a Sametime implementation we initially discuss the basic Sametime
security and then SSL. SSL can be used to encrypt LDAP communications,
Sametime Community Server communications, and Meetings Services.
Saved passwords
The Sametime client password is stored in the connect.ini file if the user chooses
to have the password remembered. Deleting this line in the connect.ini file
prompts the user for the password. The password is encrypted in connect.ini
using the RSA RC2 block cipher, with an encryption key that is 40 bits long. The
encryption process also uses unique information about every machine, thereby
preventing the file from being used on another workstation.
File transfers
File transfers are automatically encrypted. This encryption uses the RSA RC2
block cipher with a 128-bit key. This encryption algorithm will not work outside of
the Sametime Connect client.
Instant meetings
For instant meeting security initiated from the client, you need to select the
Secure meeting option to ensure that your meeting is encrypted. Encryption
ensures that no one outside your meeting can read your messages.
Buddy list
The Sametime user’s buddy list is saved in the vpuserinfo (vpuserinfo.nsf)
database. This database is one of the three databases that are created at
installation time and used for deploying Sametime applications. The VPUserInfo
database is responsible for storing a user’s saved buddy list. It also stores the
user-defined settings in the Connect client on information used to restrict who
can see your current status and initiate messaging.
It is important to note that the information in the buddy list is not encrypted when
sent to the server.
Even though Sametime encrypts the information being exchanged between the
server and client, it is highly desirable and recommended to set up SSL to the
LDAP server. If SSL is not used, realize that LDAP data is being transmitted in
the clear. Even though your LDAP server is within your intranet, protected from
the outside Internet by firewalls, information could still be intercepted by
someone within your organization. Communicating with an LDAP server over an
unencrypted channel exposes passwords along with other highly confidential
information.
http://publib.boulder.ibm.com/infocenter/tivihelp/v2r1/index.jsp?toc=/com.ibm.IBMDS.doc/toc.xml
http://publib.boulder.ibm.com/infocenter/tivihelp/v2r1/topic/com.ibm.IBMDS.doc/admin_gd.pdf
1. Insert the Tivoli Directory Server installation CD. From the start menu, click
Run. Navigate to the GSKit subdirectory. Enter the following command:
D:\GSKit\Setup.exe policydirector
2. Click Run (Figure 7-1).
4. Accept the default installation directory or change. Click Next to continue and
the GSKit software will be installed (Figure 7-3).
6. Install IBM JVM Version 1.4.2. See the following URL to download the JVM:
http://www-307.ibm.com/pc/support/site.wss/document.do?sitestyle=lenovo&lndocid=MIGR-56888
4. Enter the stash password and the confirm password and click the check box
to store the stash password in a file (Figure 7-9 on page 547). Then click OK.
Modify sametime.ini
Open the sametime.ini file and add the following lines to the [Config] section
(Example 7-2).
5. Click Connect.
7. Click OK (Figure 7-26). The Internet cross certificate will now have been
added to the primary Domino directory names.nsf.
A Domino certificate authority (CA) server hosts the Domino Certificate Authority
application. Most organizations need only a single Domino CA server. We use
our DWA Server dwa.cam.itso.ibm.com to host this application. To set up a
Domino CA server:
1. From the console on the DWA server, check to see whether http is running by
issuing the command show tasks and look for the http task in the list shown in
Figure 7-30.
d. Make a backup copy of the certificate authority key ring file, and store it in
a secure location.
4. Configure the CA profile to specify the key ring and mail settings.
The Domino Certificate Authority application profile identifies the CA's key
ring file and specifies the name of the CA server. Domino adds a link to the
CA server when you send a message to clients and server administrators
who request certificates. The clients and server administrators use this
information to determine where to pick up certificates.
a. Click Configure Certificate Authority Profile.
b. If necessary, enter the CA key ring path and file name in the CA Key File
field. By default, Notes looks for the key ring file on the local hard drive.
You can also specify a network drive accessible to other administrators.
c. Enter the TCP/IP DNS name of the server that runs the CA application in
the Certificate Server DNS Name field (kingston.isto.austin.ibm.com in our
example). Domino uses this name to indicate where to pick up signed
certificates in the messages sent to administrators and clients.
Note: If you did not name the key file keyfile.kyr, you can change the name
the Domino server looks for by opening the Server document in the Name
and Address book. Click the Ports → Internet Ports tab and update the
SSL key file name field.
Now the Domino Certification Authority server is configured and it will listen for
HTTP requests over port 443 only.
The following section discusses using GSKit to create a new CMS key.kdb file on
TDS.
3. Highlight the entire certificate and copy it to the clipboard using Ctrl+C. Run
Notepad and paste the certificate into the file, as shown in Figure 7-40.
5. Click Add on the left-hand side to add a new trusted root authority. Enter the
file name and location of the itso.arm file, as shown in Figure 7-42.
7. Click OK and the trusted root will be added to the key.kdb file, as shown in
Figure 7-44.
14.Click OK to add the server certificate to the key.kdb, as shown in Figure 7-51.
15.Exit IKeyMan.
Figure 7-52 Enter key file database path and file name
Install GSKit
Refer to “Install GSKit on the Sametime servers” on page 554.
3. Click OK and then enter the certificate’s label, as shown in Figure 7-59.
Modify sametime.ini
Refer to “Modify sametime.ini” on page 558.
2. Click Merge Trusted Root Certificate into the Key Ring and then enter the
key ring file password, as shown in Figure 7-65.
4. Click OK to accept the certificate to be merged, and the dialog box shown in
Figure 7-67 will be displayed.
Figure 7-68 View key ring file with trusted root ITSO trusted root authority
4. Make sure that the SSL key file name is correct. You do not need to specify
the path to the key file if that file is in the Domino data directory. If the key file
name is not correct, edit the value and save the document.
How can we secure our Sametime server when extending it to the extranet? A
firewall, of course. When placing any server externally (that is, on the Internet),
most if not all enterprises will protect it from hackers by deploying firewalls. The
same requirement goes for Sametime. Due to most common security practices, it
is almost inevitable that a firewall will be placed in front of an external-facing
Sametime server. Therefore, one must make sure that the ports used by
Sametime remain accessible to allow Sametime to continue functioning for
external users as it does for internal users.
Port 389 If you configure the Sametime server to connect to an LDAP server,
the Sametime server connects to the LDAP server on this port.
Port 443 The Domino HTTP server listens for HTTPS connections on this port
by default. This port is used only if you have set up the Domino HTTP
server to use Secure Sockets Layer (SSL) for Web browser
connections.
Port 1352 The Domino server on which Sametime is installed listens for
connections from Notes clients and Domino servers on this port.
Port 9092 The Event Server port on the Sametime server is used for
intraserver connections between Sametime components. This port
cannot be used by other applications on the server.
Port 9094 The Token Server port on the Sametime server is used for
intraserver connections between Sametime components. This port
cannot be used by other applications on the server.
Summary note: For the HTTP Services, Domino Services, LDAP Services,
and Sametime intraserver ports, the following ports should be accessible via
the firewall to allow direct access from an external client to the Sametime
server: 80, 443, and 1352.
Port 1516 The Community Services listen for direct TCP/IP connections from
the Community Services of other Sametime servers on this port. If
you have installed multiple Sametime servers, this port must be open
for presence, chat, and other Community Services data to pass
between the servers.
Port 1533 The Community Services listen for direct TCP/IP connections and
HTTP-tunneled connections from the Community Services clients
(such as Sametime Connect and Sametime Meeting Room Clients)
on this port.
Note that the term direct TCP/IP connection means that the
Sametime client uses a unique Sametime protocol over TCP/IP to
establish a connection with the Community Services.
The Community Services also listen for HTTPS connections from the
Community Services clients on this port by default. The Community
Services clients attempt HTTPS connections when accessing the
Sametime server through an HTTPS proxy server. If a Community
Services client connects to the Sametime server using HTTPS, the
data on this connection is not encrypted.
Port 8082 When HTTP tunneling support is enabled, the Community Services
clients can make HTTP-tunneled connections to the Community
Services multiplexer on port 8082 by default. Community Services
clients can make HTTP-tunneled connections on both ports 80 and
8082 by default.
Port 8081 The Meeting Services listen for Sametime protocol over TCP/IP
connections from the Sametime Meeting Room Client on this port.
The screen-sharing, whiteboard, send Web page, and
question-and-answer polling components of the Sametime Meeting
Room Client exchange data with the server over this connection.
For AIX/Solaris, if you are specifying a DNS name for the host name
in “Address for client connections” and in “Address for
HTTP-tunneled client connections,” you must specify a dotted IPv4
address that your fully qualified domain name resolves to.
Steps: Start the Sametime server, log in, and click Administer the
server. Choose Configuration → Connectivity. Enter the dotted IPv4
address in the corresponding text fields.
The Meeting Room Client can make the TCP/IP connection directly
to the Meeting Services or through a SOCKS proxy server.
Note that the term direct TCP/IP connection means that the
Sametime client uses a unique Sametime protocol operating over
TCP/IP to establish a connection with the Meeting Services.
Port 1503 The Meeting Services listen for T.120 connections from the Meeting
Services of other Sametime servers on this port. If you have installed
multiple Sametime servers, this port must be open between the two
servers for the servers to exchange screen-sharing, whiteboard, and
other Meeting Services data.
Port 554 The Recorded Meeting Broadcast Services listen for Real-Time
Streaming Protocol (RTSP) call control connections over TCP/IP on
this TCP/IP port. (RTSP uses TCP as the transport service.) The
Recorded Meeting client can make the RTSP TCP/IP connection
directly to the Recorded Meeting Broadcast Services or through a
SOCKS proxy server. This port is specific to AIX/Solaris. By default,
a broadcast server will bind only to a single IP address and port. If
multiple IP addresses resolve to the same DNS name, then you will
need to configure a specific IPv4 dotted IP address to use.
Dynamic UDP ports The Recorded Meeting Broadcast Services stream meeting data in
RTP format from the server to the client over UDP ports. The specific
UDP ports are chosen randomly by the recorded meeting client and
cannot be controlled by the administrator.
Note that the Recorded Meeting Broadcast Services can also stream
audio and video data to recorded meeting clients. A meeting might
include three separate streams (one each for audio, video, and
screen-sharing/whiteboard data). If the client or server network, or
any network between the Sametime server and the client, does not
allow UDP traffic, the Recorded Meeting Broadcast Services will
tunnel the streamed data over the initial RTSP TCP/IP control
connection that occurs on port 554.
Port 8083 The Recorded Meeting Broadcast Services use this port for internal
control connections between Recorded Meeting Broadcast Services
components. You should change this port only if another application
on the Sametime server is using port 8083.
1–65535 (UDP The Recorded Meeting Broadcast Services can take advantage of
ports for the bandwidth efficiency provided by multicast-enabled networks. If
multicast) your network supports multicast, the Recorded Meeting Broadcast
Services transmit multicast data over UDP ports within the 1 to 65535
range.
49252–65535 The Sametime Audio/Video Services listen for inbound audio and
(Dynamic UDP video streams from Sametime Meeting Room Clients on a range of
port range) UDP ports specified by the administrator. The UDP ports are selected
by the Sametime Audio/Video Services dynamically from within the
range of ports specified by the administrator.
Port 8084 If UDP is unavailable between a Sametime Meeting Room Client and
a Sametime server, Sametime uses this TCP port when attempting
to tunnel the RTP audio and video streams using the TCP transport.
Port 9093 The Interactive Audio/Video Services use this port for internal control
connections between Interactive Audio/Video Services components.
You should change this port only if another application on the
Sametime server is using port 9093.
For more information about ports used by the Sametime server services, see the
Sametime 7.5.1 Administrators Guide:
http://www-10.lotus.com/ldd/notesua.nsf/find/sametime
In general, there is only one reason why a Sametime server should enable HTTP
tunneling: to give restricted clients the ability to communicate with an
external-facing server. When extending the Sametime infrastructure to the
extranet, there are a few security constraints that, when enforced, may restrict
how clients are able to communicate with the server, such as:
End users who are external to the Sametime network may be restricted by
their own internal environments such that they are prohibited from making
any outbound requests on any port other than 80 (for example, proxy servers
may enforce this type of restriction).
Corporate security policies may mandate that the Sametime infrastructure is
protected by a reverse proxy server.
Corporate security policies may mandate that only a single port be opened on
the firewall to allow for HTTP traffic (default port 80).
With these potential security constraints in mind, you realize that you do not
have total control over how your environment can be accessed by the outside
world. If you have no control, or are not certain what security constraints may
be enforced on external users who access your Sametime server, then we
recommend that you enable HTTP tunneling.
The following is a high-level overview of the sequence of events that take place
when a user attends a meeting:
1. The MRC applet is downloaded and displayed in an Internet browser on an
end user’s workstation. See Figure 7-71 for an example MRC.
Note: This method is always the first one attempted by the MRC
because it is the best in terms of performance. Even if HTTP
tunneling is enabled on the server, the client will try the direct connect
method first. If the client is unable to connect directly to Sametime’s
default ports, then it will try the next available connection method.
b. HTTP tunneling:
This connection method is:
• Only available to clients when the server has enabled it
• The second method used by the MRC to connect to the server if the
direct connect method fails.
If the MRC resorts to this method in order to connect to the server, all of
the Sametime-related traffic (Community, Meeting, and Recorded
Meeting) is encapsulated within HTTP headers and forwarded to the
Sametime server through a single port (80 by default).
In Sametime 7.5.x, the data flow follows the basic HTTP tunneling
connection model as in older Sametime releases. However, the
communication or, more accurately, the dialect between the client and
In summary, the HTTP tunneling method is available to all Sametime clients only
when the Sametime server is configured to allow it. When configured, it is the
second method utilized by the client to connect to the server. The HTTP
tunneling method is only provided as a fallback option for when the direct
connect method fails. We highly recommend allowing all clients (internal and
external) to connect directly to the Sametime server for optimal performance
(that is, do not force users to use the HTTP tunneling method by blocking access
to Sametime’s default ports).
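The port table and the connection order described above (direct connection first, HTTP tunneling only as a fallback when the server allows it) can be checked from an administrator's workstation before users report problems. The following Python is an added example, not code from this Redbook or from IBM Sametime: it probes the direct ports with a plain TCP connect, probes the tunnel port, and reports which method a Meeting Room Client would end up using. The port numbers are supplied by the caller; the demo uses loopback listeners that stand in for the server.

```python
"""Probe a Sametime server's direct-connection ports and work out which
connection method a Meeting Room Client would end up using.

Added example; this is not code from the Redbook or from IBM Sametime. It
models the fallback order the text describes: the direct connection is always
tried first, and HTTP tunneling on the tunnel port (80 by default) is used
only when direct connection fails and the server has tunneling enabled.
"""
import socket
from typing import Dict, Iterable, Optional, Tuple


def probe_ports(host: str, ports: Iterable[int],
                timeout: float = 2.0) -> Dict[int, bool]:
    """Return {port: reachable} after a plain TCP connect attempt per port."""
    results: Dict[int, bool] = {}
    for port in ports:
        try:
            with socket.create_connection((host, port), timeout=timeout):
                results[port] = True
        except OSError:
            results[port] = False
    return results


def choose_method(direct_results: Dict[int, bool], tunnel_reachable: bool,
                  tunneling_enabled: bool) -> Optional[str]:
    """Mirror the client's fallback order.

    "direct" when every default port is reachable (tried first regardless of
    the server's tunneling setting); "tunnel" when direct fails but the server
    has tunneling enabled and the tunnel port is reachable; None otherwise.
    """
    if direct_results and all(direct_results.values()):
        return "direct"
    if tunneling_enabled and tunnel_reachable:
        return "tunnel"
    return None


def assess(host: str, direct_ports: Iterable[int], tunnel_port: int = 80,
           tunneling_enabled: bool = True, timeout: float = 2.0) -> dict:
    """Probe both paths and report which method the client would settle on."""
    direct = probe_ports(host, list(direct_ports), timeout)
    tunnel = probe_ports(host, [tunnel_port], timeout)[tunnel_port]
    return {"direct": direct, "tunnel_reachable": tunnel,
            "method": choose_method(direct, tunnel, tunneling_enabled)}


def open_local_listener() -> Tuple[socket.socket, int]:
    """Loopback listener used as a stand-in server; the caller closes it."""
    srv = socket.socket()
    srv.bind(("127.0.0.1", 0))
    srv.listen(64)
    return srv, srv.getsockname()[1]


def closed_local_port() -> int:
    """A loopback port that is currently closed (bind, read back, release)."""
    with socket.socket() as tmp:
        tmp.bind(("127.0.0.1", 0))
        return tmp.getsockname()[1]


if __name__ == "__main__":
    # Constructed scenario: the stand-in server offers only the tunnel port,
    # so the client falls back from direct connection to HTTP tunneling.
    listener, tunnel = open_local_listener()
    try:
        print(assess("127.0.0.1", [closed_local_port()], tunnel_port=tunnel))
    finally:
        listener.close()
```

Run `assess()` against a real server with the default ports from the table above and the tunnel port your reverse proxy or firewall exposes; a result of "tunnel" for internal clients usually means a firewall rule is forcing the slower path the chapter advises against.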
Within a meeting (MRC), there are a variety of tools that users can use to
collaborate with each other. For the most part, these tools rely heavily on the
network and its ability to handle the amount of data being communicated
between the clients and the server. Examples of some tools are:
Audio/video
Application sharing
Screen sharing
Slides/whiteboard
Group chat/user polling
[Figure 7-72: client request and server response flow for HTTP tunneling]
The following sequence describes the flow of information within the tunneling
process (refer to the sequence numbers in Figure 7-72).
1. After the direct connect method fails, the Meeting Room Client resorts to the
HTTP tunneling method (again, only when tunneling is available).
2. All Sametime-related traffic is encapsulated within HTTP headers and
directed to the Sametime server over the tunneled port (80 is the default port).
3. Sametime’s ST mux server component receives the request and strips the
HTTP encapsulation wrapper.
From the diagram above, you can get an idea as to how much overhead the
HTTP tunneling introduces compared to the direct connection method. If the
situation is just right, this additional overhead can be enough to negatively affect
the end-user experience within meetings.
Note that HTTP tunneling does not affect all environments equally. As stated
before, there are so many different variables that can affect the network, which in
turn can affect the end-user experience. Therefore, if you plan to force the usage
of the HTTP tunneling method for external users (that is, block access to
Sametime’s default ports other than port 80 via a firewall), we recommend that
you fully test the performance of meetings before rolling out to production. With
all the different variables, there are many ways to tweak and optimize the
performance of the HTTP Tunneled connections.
When extending Sametime to the extranet, you typically have no control over
external users’ internal environments or security constraints. For example,
one of ITSO Corporation’s business requirements is that internal ITSO
Corporation employees can collaborate with business partners, contractors,
mobile employees, and other external users. Because ITSO Corporation has no
control over how these users gain access to the Internet, we must configure
ITSO Corporation’s environment to allow all types of users (restricted or not)
to reach our Sametime infrastructure. To do this we follow these basic
guidelines:
Do not force users to use the HTTP tunneling method by blocking direct
access to Sametime’s default ports. From a performance perspective, you
should allow non-restricted clients to connect directly if they can.
For external-facing Sametime servers, enable the HTTP tunneling feature to
allow access for restricted users.
Even though the firewall must open additional ports to allow for direct
connections to Sametime, all the Sametime traffic is encrypted by a 128-bit
RC2 encryption algorithm. In addition, 7.5.x Sametime servers include logic to
prevent denial of service-type attacks.
Before getting too deep in this section, let us point out one important thing:
Sametime traffic (not including HTTP traffic) cannot be encrypted with SSL.
Well then, what about HTTP tunneling? Can I enable HTTP tunneling and
HTTPS at the same time? In short, the answer is yes. However, to get a better
understanding of how that can be done, let us go over the following points:
Sametime traffic cannot be encrypted with SSL, and therefore it is not
designed to understand SSL-encrypted traffic.
In the simplest configuration, when HTTP tunneling is enabled and
utilized, the ST mux component front-ends all traffic, including HTTP traffic.
To encrypt HTTP traffic with SSL, you must set up SSL on the Domino Web
server on which the Sametime server resides.
If HTTPS is enabled and you attempt to tunnel Sametime traffic, the ST mux
component will receive SSL-encrypted HTTP traffic (that is, HTTPS traffic).
Because Sametime is not designed to understand SSL-encrypted traffic, ST
mux will not understand how to handle the traffic and therefore this
configuration will not work.
The following sections explain how to configure Sametime and the Reverse
proxy once tunneling is configured:
7.7.1, “Chat and awareness considerations with reverse proxies” on page 618
7.8, “Introduction to the IBM Edge Server caching proxy” on page 620
7.8.1, “Reverse proxy (IP forwarding)” on page 620
7.8.2, “Using multiple caching proxy servers” on page 623
Before we configure the servers, there are some limitations that you need to be
aware of when working with reverse proxies and Sametime.
[Figure 7-73: Internet browser connecting through a reverse proxy to WebSphere Portal, QuickPlace, and Sametime]
If you only want users to use awareness and chat from their client, a better
environment would be to remove the reverse proxy from protecting Sametime,
and use an STmux in the DMZ to act as the reverse proxy for Sametime. This
can be seen in Figure 7-74.
[Figure 7-74: Internet browser connecting through a reverse proxy to WebSphere Portal and QuickPlace, with a MUX in front of Sametime]
To create this configuration, you would simply place the load balancer and mux
server in the DMZ, and the Sametime server in the corporate intranet. If,
however, you decide to protect your Sametime chat and meeting servers with a
reverse proxy (as shown in Figure 7-73 on page 619), the following section
explains how to do this with the WebSphere Edge caching proxy.
The caching proxy, when configured as a reverse proxy server, acts on behalf of
one or many back-end servers. A reverse caching proxy intercepts client
requests arriving from the Internet, forwards them to the appropriate back-end
server content hosts, caches the returned data (if requested to), and delivers that
data to clients across the Internet. The cached data can satisfy a request for the
same pages at a later time. In this manner, a reverse proxy can reduce the
amount of traffic and processing that a back-end server must perform to satisfy
duplicate Internet requests for data, while at the same time improving the
response time for those requests.
[Figure: diagram labels are Internet; ports 80 and 443; Firewall; Caching Proxy (Reverse Proxy); Firewall; port 80; Load Balancer; ports 1516 and 1352; two Sametime 7.5 Servers forming an ST cluster]
ReversePass http://meeting2.cam.itso.ibm.com/st03/* http://rp.cam.itso.ibm.com/st03/*
ReversePass http://meeting2.cam.itso.ibm.com/st03* http://rp.cam.itso.ibm.com/st03*
ReversePass http://meeting2.cam.itso.ibm.com/* http://rp.cam.itso.ibm.com/st03*
Add corresponding entries in the Proxy section and restart the caching proxy. If
you want users to access the reverse proxy over SSL, then HTTP to the
Sametime server, use the settings shown in Example 7-4.
Lotus Sametime now uses audio integration from leading teleconferencing and
telecommunications providers to offer a single interface to both audio and Web
conferencing, as well as click-to-call functionality directly from the Lotus
Sametime Connect client.
Figure 8-1 illustrates the new tabbed chat feature provided in Sametime 7.5.1.
Lotus Sametime 7.5.1 runs on Microsoft Windows 2000, XP, Vista, Linux, and
Apple's Mac OS X Version 10.4, and also serves as the instant messaging client
for a future release of IBM Workplace Collaboration Services. It provides an
extensive list of new out-of-the-box functionality that ultimately leads to a much
richer user experience. Some of these features include:
New status settings
Click to call
Click to dial
Location awareness
Rich text
Ability to send links, graphics, and screen captures to chat partners
Time stamps
Emoticons
Spell check
Type-ahead name searching
Area for virtual business cards
Corporate branding
For more information about the new client features, read Taking a tour of the new
features and technology in IBM Lotus Sametime 7.5 on developerWorks® at:
http://www-128.ibm.com/developerworks/lotus/library/sametime75/
Note: Tabbed chat functionality was introduced with Sametime 7.5.1 and is
not available in Sametime 7.5.
Figure 8-4 illustrates the tabbed chat feature for multiple chat window sessions.
Depending on how you configure your specific user preferences, you may define
the tabs to be either vertical or horizontal. In Figure 8-4, we illustrate the vertical
tab option for multiple chats.
Figure 8-5 N-way chat with the chat sessions presented in a tabbed chat format
Figure 8-7 illustrates the ability to send links, graphics, and screen captures to
chat partners.
Figure 8-7 Send links, graphics, and screen captures to chat partners
Alternatively, the user can right-click the misspelled word for detailed drop-down
options from the chat menu, as shown in Figure 8-11.
[Figure callouts: Users within Primary Contacts; Send as email; Multi-chat sections]
For more information about the new client features, read Taking a tour of the new
features and technology in IBM Lotus Sametime 7.5 on developerWorks at:
http://www.ibm.com/developerworks/lotus/library/sametime75/
Lotus Sametime Connect 7.5 offers more than simple instant messaging and
presence features. Because it is built on Eclipse, a variety of plug-ins that
expand the functionality of Lotus Sametime Connect are shipped with the
product, and third parties can build additional plug-ins.
Figure 8-19 highlights some of the features that can be extended from the Lotus
Sametime Connect client.
While Figure 8-19 on page 650 and Figure 8-20 illustrate the extension points
from a user interface perspective, Extending Sametime 7.5:
Building Plug-ins for Sametime, SG24-7346, provides an in-depth look at the
underlying code framework, explaining how and where Sametime can be
extended. This book can be downloaded via:
http://www.redbooks.ibm.com/abstracts/sg247346.html?Open
http://www.ibm.com/support/docview.wss?rs=203&uid=swg21139237
With this version you are able to use many of the features and functions that
were available to the pre-7.5 release of Sametime Connect clients.
[Figure callouts: Time stamp; Option to prompt for transcript]
There are a lot of good features and functions that can be taken advantage of
with the Notes 7.0.2 version of Notes IM. There are also very important
considerations about server load when using the Notes IM clients. Most of the
load considerations are not relevant against a Sametime 7.5.1 Server back end,
but we do not want to assume what your environment currently looks like, or
what your upgrade strategy looks like, so for more information about this see TN
1222797 “Server load considerations for Notes Instant Messaging”:
http://www.ibm.com/support/docview.wss?rs=203&uid=swg21222797
Note: The pre-Notes 8 versions are compatible with a Sametime 7.5.1 server,
but most of the new features of the 7.5 Connect client are not available.
Note: All figures and features in this section on Notes 8 refer to the
beta 2 release of Lotus Notes and Domino 8, and may not accurately
represent the features available in the final release.
Features are subject to change, and screen captures are subject to change.
Refer to the Release Notes supplied with the software for the most up-to-date
information.
To access the Lotus Notes and Domino 8 beta software, and for information
about trial versions of available complementary software, see:
http://www.ibm.com/lotus/nd8
The Sametime Client that is deployed with the Notes 8 initial release will be the
7.5.1 version of Sametime Connect. Since it is also the same Eclipse-based
program, any of the plug-in or update options that you have set up for your
Sametime 7.5.1 Connect client will work seamlessly.
There are similar functions for Notes IM in Notes 8 as were shown in the Notes
7.0.2 client in the previous section. It has just been improved.
Figure 8-31 Tabbed chat functionality for Sametime from directly within the Notes Client
Now that the Sametime experience is the same, your end users will no longer be
confused about what options they do or do not have. This saves time in training
and in help desk calls. In short, the integration process is finally complete.
Important: Remember that if your users are logging into multiple clients, then
they are being counted for each of those clients in your concurrent user count.
Let us start with what the users will see first. Gone is the old yellow page, and
now there is an informative UI (Figure 8-32).
Figure 8-32 New UI for the Sametime Web Conferencing Welcome page
Figure 8-34 Sametime 7.5.1 provides a page with useful information about what is happening
As the meeting client is loaded and the user enters the meeting, the status of the
connection is displayed at the bottom of the browser window (Figure 8-35).
[Figure 8-35 callouts: Common actions on the toolbar; Tabs for different tools; Resizable sections; Updated status bar]
Note: New to Sametime 7.5.1, the mobile client files are installed during the
Sametime 7.5.1 Server installation.
http://www-128.ibm.com/developerworks/lotus/documentation/sametime/
Attention: For detailed information about configuring the Domino Server for
Sametime Mobile Support see:
http://publib.boulder.ibm.com/infocenter/sametime/v7r5m1/index.jsp?topic=/com.ibm.help.sametime.install.doc/st_inst_cfg_stmobile_on_dom_t.html
For information about Configuring Sametime Mobile for client downloads, see:
http://publib.boulder.ibm.com/infocenter/sametime/v7r5m1/index.jsp?topic=/com.ibm.help.sametime.install.doc/st_inst_cfg_stmobile_on_dom_t.html
Once the client has initially been deployed, it can be further provisioned and
updated via an update site.
The Sametime Client Packager that was provided in some previous versions for
Sametime Connect, and the Secure Desktop Installer for Java Connect and the
other applets, are no longer provided. For the Sametime 7.5 Connect client there
is a new approach: a silent install option, and a plugin_customization.ini
file that can be pre-configured to set up many of the client preference values.
Sametime 7.5.1 (but not 7.5) also includes the Sametime-connect-win-7.5.1.msi.
We explain more about these options later in the chapter.
With Sametime 7.5.1 providing the msi file, customers can now use this option to
configure settings.
You can select one, both, or none of the options at the install time.
Note: At this time, if you re-run the install to correct any problems, the installer
will automatically perform the options.
The first option is helpful if you do not need any changes and want the new client
to connect to the same server as before. This makes things easier on your users.
The second option to clean up older versions is good for you as an administrator.
What would an optional plug-in be? The SDK that is provided comes with a few
samples that might help in this area. These might be of interest to some of your
users, but not all. Also, depending on business needs, you may have custom
plug-ins created that only some users would need. Policies will also help you in
controlling the use of plug-ins, but so will the plugin_customization.ini file. For
more information about Sametime Plug-ins, see Extending Sametime 7.5:
Building Plug-ins for Sametime:
http://www.redbooks.ibm.com/abstracts/sg247346.html?Open
The Sametime 7.5.1 Connect client is not automatically installed into the client
download directory during the Sametime 7.5.1 server installation. If you want to
make the Sametime 7.5.1 Connect client available for download from the
STcenter.nsf home page you need to copy it over to the proper directory. Below
are the steps to follow.
The links for the clients are already configured by default. You only have to copy
over the client install files to the correct directory and remove the links for any of
the three clients that you do not want your users to access.
Once you have the client files (located on CD4), use the information below to
place the files in the proper location on the server.
For example:
c:\lotus\domino\data\domino\html\sametime\sametimeclient
With the files now in place, users can begin to download the clients directly from
the Sametime server (Figure 8-42).
Note: The silent installation still requires that the end user copy
and/or run the sametime-connect-win-7.5.1.exe, setup.bat, and silentinstall.ini
files.
You can edit both of these files to tailor the installer to your specific requirements.
Tip: All of the connection-related settings are used to set values in the
community-config.xml file.
plugin_customization.ini
In cases where you do not have locked-down desktop policies but still want to
control the configuration options for your users, Sametime 7.5.1 includes new
options for this. To provide a consistent user experience throughout the
environment, many administrators will want to preset the client-side preferences
according to company guidelines. This can be accomplished with the
plugin_customization.ini file, which pre-configures many of the preferences
for end users.
By default, when the 7.5.1 client is installed, the file is configured as shown in
Figure 8-44.
http://publib.boulder.ibm.com/infocenter/sametime/v7r5m1/index.jsp
Tip: If you have such a file, it is used to set defaults. When users call your
help desk with problems, it can be an easy way to get users back to the
supported or default values, which could help resolve end-user problems
faster.
Complete the instructions below that are appropriate for your installation and
server platform.
Figure 8-46 Extracting the downloaded zip file to a directory on your server
For AIX and Solaris Sametime servers, run the following command (substitute
the user and group logins for your Domino and Sametime deployment if
different):
chown -R notes:notes <server_data_directory>/domino/html/sametime/javaconnect
chmod -R 755 <server_data_directory>/domino/html/sametime/javaconnect
The installation of the Sametime Meeting Room Client has been redesigned so
that users who do not have administrator rights on the local machine can still
install it. Figure 8-55 is an example of an account created with only user
access rights on the local machine.
Figure 8-55 Example of an account created with only user access rights on the local machine
To replay a recorded meeting, the scenario is very much the same as for that of
the Meeting Room Client applet install.
8.4 Conclusion
This chapter provided a comprehensive overview of the latest Sametime 7.5.1
Client features and recommended strategies for planning and executing your
enterprise deployment. In addition to the information contained here, we strongly
recommend that you also refer periodically to the Sametime product page
(http://www-142.ibm.com/software/sw-lotus/sametime), as well as to the
Sametime 7.5.1 Information Center for additional information beyond the scope
of what is covered here:
http://publib.boulder.ibm.com/infocenter/sametime/v7r5m1/index.jsp
All monitoring charts are available from the Monitoring menu in the Sametime
Administration Tool. The charts that are available from the Miscellaneous link in
the Monitoring menu are part of the Domino Web Administration Tool. These
charts provide information about Web statistics, server memory, and disk space.
Note: To view the status of the Sametime services since the last server
restart, click the Overview link in the Sametime Administration Tool. See the
Server Overview topic for more information. Also note that the time of day that
is listed in the monitoring charts is calculated according to the browser’s time
zone, not the server’s time zone.
General Server Status: Allows you to see the status of the Sametime server at
a glance. Use this chart to keep track of the types of meetings on the server,
the types of connections to the server, and Community Services activity on the
server at a particular moment.
Meetings and Participants: Reports the names of all active meetings on the
server and the number of participants in each meeting.
You can choose the format of the Sametime log (a database or a text file) and
the information it records in the log settings, which are available when you
select Logging - Settings in the Sametime Administration Tool. How you view
the log depends on the format that you choose to record server information.
Dates and times
Dates and times listed in the log reflect the Sametime server's time zone,
not the client's time zone.
Viewing the log as a text file
If you record information in a text file, open the file in your preferred text editor
to view the log information. You cannot view the text file log from the
Sametime Administration Tool. You can specify a location for the text file in
the database or text file settings.
Note: If you record information in a text file, the text file does not include
information about the Domino log. You must log information to a database
and then choose Logging - Domino Log in the Sametime Administration
Tool to view the Domino log.
Table 9-2 lists and describes the available options in the Logging menu of the
Sametime Administration Tool.
For more information about setting up logging, refer to Chapter 15 “Using the
Sametime Logging features” of the Sametime 7.5 Administration guide. This can
be downloaded at:
http://www-128.ibm.com/developerworks/lotus/documentation/sametime/
Tip: You can administer the Domino system using the Domino Administrator
client or optionally via the Web interface accessible at:
http://yoursametimeservername.yourdomain.com/webadmin.nsf
http://www-12.lotus.com/ldd/doc/domino_notes/7.0/help7_admin.nsf/Main?OpenFrameSet
Platform statistics
Platform performance statistics can be directly retrieved from the Domino server
console, mailed, or displayed in the Domino Administrator clients. You can also
use Monitoring Configuration and Monitoring Results databases for both
real-time and historical statistics.
Lotus Domino 7 includes platform statistics for the following Sametime platforms:
Windows 2000/2003/XP on Intel
AIX
OS400
Solaris
There is a full range of platform statistics that can be monitored, but the most
essential ones to monitor for Sametime are:
CPU utilization
Memory utilization
Disk utilization
Network utilization
For more detailed information about Domino statistics, including other platforms,
see Domino Server Performance Troubleshooting Cookbook at:
http://www-1.ibm.com/support/docview.wss?uid=swg21234550
Task: Set space savers on the databases that will grow large over time, such as
log.nsf and stlog.nsf. To enable space savers, see the document titled
“Limiting the contents of a replica” in the Domino Administrator help guide.
You will need to enable the “Remove documents not modified in the last x days”
setting on the Space Savers panel.
Recommendation: We recommend setting the following purge intervals:
log.nsf - 7 days; stlog.nsf - 30 days.
Task: Periodically, the sametime.log file should be archived or deleted.
Recommendation: Every 3–4 weeks this file should be deleted unless you are
troubleshooting a specific issue.
Task: Periodically, the contents of the trace directory (\lotus\domino\trace)
should be purged.
Recommendation: The frequency of this is dependent on how much space you have
available on your hard drive and how fast the trace files are growing. If you
are not troubleshooting a specific issue, we recommend purging this every 3–4
weeks. You may need to increase the frequency depending on how much hard disk
space you have available and how much tracing you have enabled.
Task: Create Domino program documents to run scheduled database maintenance
(compact and updall) on the following databases: stconf.nsf, vpuserinfo.nsf,
stlog.nsf. For an example of how to create a program document, see the help
document titled “Setting a schedule for Updall in a Program document” in the
Domino Administrator help guide.
Recommendation: The following commands should be run weekly via a program
document while the server is up and running:
updall [database.nsf] -r
compact [database.nsf] -B
Note: In order for a copy-style compact to occur on these databases, they must
not be opened by any user. Therefore, we recommend following these maintenance
suggestions with the server shut down as well.
Task: In cases where the above databases cannot be compacted due to open
sessions, shut down the server and run maintenance on the same databases
above.
Recommendation: This should be done every two weeks.
Task: On Sametime meeting servers, enable the purge agent on stconf.nsf. For
more details on how to enable the purge agent, see the help document titled
“Maintaining the Sametime Meeting Center” in the Sametime Admin help guide.
Recommendation: We recommend setting the purge agent to purge every 30 days.
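The sametime.log archiving and trace-directory purging rows of the maintenance table are the kind of task that is easy to forget and that fills a disk at the worst time. The following Python is an added example, not code from this Redbook or from IBM: it purges trace files older than a retention period, archives the current log with a timestamp, and ages out old archives. The trace directory, log file and archive location are passed in by the caller (the table gives \lotus\domino\trace for the trace directory), and the 28-day default corresponds to the 3–4 week interval the table recommends when you are not troubleshooting a specific issue.

```python
"""Housekeeping for the trace directory and sametime.log from the maintenance
table: purge trace files older than a retention period, archive the log with a
timestamp, then age out old archives.

Added example; not code from the Redbook or from IBM. All locations are
passed in by the caller; the demo builds its own temporary tree.
"""
import os
import shutil
import tempfile
import time
from pathlib import Path
from typing import Dict, List, Optional

DAY = 86400


def purge_old_files(directory: Path, max_age_days: int,
                    now: Optional[float] = None) -> List[str]:
    """Delete regular files under directory whose mtime is older than
    max_age_days. Symlinks are skipped so a stray link cannot redirect the
    purge elsewhere. Returns the deleted file names, sorted, for the run log."""
    now = time.time() if now is None else now
    cutoff = now - max_age_days * DAY
    deleted: List[str] = []
    for path in sorted(directory.rglob("*")):
        if path.is_symlink() or not path.is_file():
            continue
        if path.stat().st_mtime < cutoff:
            path.unlink()
            deleted.append(path.name)
    return deleted


def archive_log(log_file: Path, archive_dir: Path,
                stamp: Optional[str] = None) -> Path:
    """Move log_file to archive_dir/<name>.<stamp> and start a fresh, empty
    log in its place. Returns the archive path."""
    stamp = stamp or time.strftime("%Y%m%d-%H%M%S")
    archive_dir.mkdir(parents=True, exist_ok=True)
    target = archive_dir / f"{log_file.name}.{stamp}"
    shutil.move(str(log_file), str(target))
    log_file.touch()
    return target


def run_housekeeping(trace_dir: Path, log_file: Path, archive_dir: Path,
                     trace_days: int = 28, archive_days: int = 28,
                     now: Optional[float] = None,
                     stamp: Optional[str] = None) -> Dict[str, object]:
    """One maintenance pass: purge old traces, archive the current log and
    drop archived logs that have aged out."""
    purged = purge_old_files(trace_dir, trace_days, now)
    archived = archive_log(log_file, archive_dir, stamp)
    expired = purge_old_files(archive_dir, archive_days, now)
    return {"purged_traces": purged, "archived_to": str(archived),
            "expired_archives": expired}


def demo() -> Dict[str, object]:
    """Constructed scenario in a temporary directory: one 40-day-old trace
    file, one fresh trace file and a current sametime.log."""
    root = Path(tempfile.mkdtemp(prefix="st-housekeeping-"))
    try:
        trace_dir, archive_dir = root / "trace", root / "archive"
        trace_dir.mkdir()
        now = time.time()
        old, fresh = trace_dir / "old.trc", trace_dir / "fresh.trc"
        old.write_text("old trace")
        fresh.write_text("fresh trace")
        os.utime(old, (now - 40 * DAY, now - 40 * DAY))  # back-date it
        log_file = root / "sametime.log"
        log_file.write_text("log line")
        result = run_housekeeping(trace_dir, log_file, archive_dir,
                                  now=now, stamp="demo")
        result["log_recreated_empty"] = log_file.stat().st_size == 0
        result["fresh_kept"] = fresh.exists()
        return result
    finally:
        shutil.rmtree(root)


if __name__ == "__main__":
    print(demo())
```

Schedule `run_housekeeping()` from the same scheduler you use for the program documents above, and lengthen `trace_days` while a trace is being collected for a support case so the evidence is not purged mid-investigation.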
One other important difference is the home URL. A typical Sametime server
looks like:
http://servername.domain.com/stcenter.nsf
See how they look very similar? The idea is for the users to not worry about the
back end. If they are trained with Sametime then they will see little difference
when they use EMS. Fundamentally, there is no difference between Sametime
and EMS other than that the EMS server is handling all of the meeting booking,
and under the covers it determines which Sametime Room Servers meetings go
on.
EMS is designed for high availability and load balancing, meaning that Sametime
room servers are almost always available for meeting use, and they are
scheduled across available boxes. This does not mean that EMS can handle
high concurrency in a meeting beyond what a single Sametime server can do. So
EMS is not the ideal solution for high concurrent meeting use (enabling multicast
and using record and playback might be a better route). EMS can handle the
configuration and administrative management of room servers assigned to do
meetings only, and Sametime servers in a cluster assigned to do IM only.
However, EMS is not necessary to handle large amounts of concurrent IM users.
Now you should have a good idea of when to deploy EMS and when not to.
First of all, let us define a room server. A room server is simply a managed
Sametime server. A managed server simply means that there is centralized
configuration and centralized logging and monitoring. The room server provides
both Sametime Meeting and Community Services, and only uses the Domino
HTTP service in a very limited fashion for servlets that report health, create
meetings, and so on. All HTML and Web interfaces are handled by the IBM
HTTP Server (IHS) talking to the EMS application.
Figure 10-1 illustrates EMS graphically. As you can see, the Enterprise Meeting
Server is the center of attention, with your multiple room servers using 2-way
communication reporting health and stats, and starting and ending meetings.
You can also have as many room servers as you need to accommodate your
company’s meeting habits. If you see an increase in meeting server usage, it is
easy to add additional room servers that will inherit your configuration and can all
be administered in one centralized location.
[Figure 10-1: Enterprise Meeting Server built on DB2, WebSphere Application Server, and IBM HTTP Server, with the Sametime EMS server and a chat server]
Figure 10-2 EMS within the context of Meeting Room Servers and an IM Cluster
[Figure 10-2 labels: Meeting Servers in a Meeting Cluster; DB; IP Sprayer; MUX and IM Server pairs in an IM Cluster]
Managed means:
Centralized configuration
Centralized logging/monitoring
At the core of EMS are two general rules for achieving high availability:
It is designed such that there are no single points of failure.
There is minimized end-user perceived down time.
Key points
Different model between Community and Meeting Services:
– Different scale factors
– Different usage model between chat and scheduled meetings
Allow for different management strategies for the two service offerings.
Room servers report usage and resources to EMS via the Java Message
Service (JMS). Health messages, which are simply JMS messages sent back and forth
between the EMS and room servers, report how many meetings and users are
on a server and verify that the server and all of its services are up
and running. EMS performs the load balancing of scheduled meetings based on
stats it receives from all of its room servers.
Failover is automatic — if users are in a meeting and that particular room server
goes down, the meeting and all data saved up to that point will automatically be
transferred to another room server, and all users' browsers will auto-refresh to the
new server. This is possible because the URL to join a meeting does not point to
a specific room server. It points to the EMS server, which then redirects to the
appropriate server.
Users do not need to know or care exactly what room server their meeting will
appear on, eliminating confusion. Should the need arise where there is more
meeting activity than server capacity, additional room servers can be added
quickly and easily, and will inherit the configuration from the existing room
servers.
Key points
EMS may be horizontally cloned in a WebSphere environment.
Room servers report usage and resources to EMS.
EMS performs load balancing of scheduled meetings.
Automatic failover.
Users never need to know which server.
Add room servers as needed.
As meetings go active, the least loaded server gets the meeting. Least loaded
depends on current and future numbers of participants and meetings. Keep in
mind that limits are not strictly enforced for active meetings, so users will never
be denied entry into a meeting. When any capacity is exceeded, an alert is
logged and booking will be routed to a different server. Also, meetings are not
booked on one server until its capacity is filled and then switched to another.
EMS is smart enough to spread meetings across all servers efficiently. A failed
server results in the meeting getting immediately placed on a different server.
You can set a specific number of instant meetings, and if that number is
exceeded, a managed server will direct the activity to another server. Lastly, you
can have an unlimited number of instant meetings. Even though there is no hard
limit imposed, instant meetings are still load balanced among all servers
supporting them. Of course, the EMS administrator can decide how they want to
align machines to services.
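The placement rules above (least loaded wins, limits are soft, an alert is logged when capacity is exceeded, a failed server's meeting is re-placed at once) can be written down as a small scheduler. The following is an added example and not IBM's EMS code: the RoomServer fields, the projected-load formula and the place_meeting/fail_over functions are assumptions that model what the text describes, and the real health messages and DB2 tables are not reproduced.

```python
"""Least-loaded meeting placement as the text describes it for EMS.

Added example, not IBM code. The data model (RoomServer, soft capacity,
projected load) is assumed; EMS's JMS health messages and DB2 storage
are not modelled.
"""
from dataclasses import dataclass, field
from typing import List, Optional


@dataclass
class RoomServer:
    name: str
    max_meetings: int              # admin-set limit, not enforced for active meetings
    max_participants: int          # admin-set limit on concurrent participants
    meetings: int = 0              # active meetings reported by health messages
    participants: int = 0          # connected users reported by health messages
    booked_meetings: int = 0       # future meetings already scheduled here
    booked_participants: int = 0   # expected attendees of those bookings
    up: bool = True                # False once health messages stop arriving
    alerts: List[str] = field(default_factory=list)

    def projected_load(self) -> float:
        """Fraction of capacity in use, counting current load and future bookings."""
        m = (self.meetings + self.booked_meetings) / self.max_meetings
        p = (self.participants + self.booked_participants) / self.max_participants
        return max(m, p)


def place_meeting(servers: List[RoomServer], expected_participants: int) -> Optional[RoomServer]:
    """Book a meeting on the least-loaded running server.

    Limits are soft: the meeting is booked even when it pushes the chosen server
    over a limit, but an alert is recorded. Because the over-limit server now has
    the highest projected load, later bookings are steered to other servers.
    """
    candidates = [s for s in servers if s.up]
    if not candidates:
        return None
    target = min(candidates, key=lambda s: s.projected_load())
    target.booked_meetings += 1
    target.booked_participants += expected_participants
    over_meetings = target.meetings + target.booked_meetings > target.max_meetings
    over_users = target.participants + target.booked_participants > target.max_participants
    if over_meetings or over_users:
        target.alerts.append(f"capacity exceeded on {target.name}")
    return target


def fail_over(servers: List[RoomServer], failed: RoomServer,
              expected_participants: int) -> Optional[RoomServer]:
    """A failed server's meeting is immediately placed on a different server."""
    failed.up = False
    return place_meeting(servers, expected_participants)


if __name__ == "__main__":
    # Constructed sample: two equally sized room servers.
    pool = [RoomServer("room1", 10, 100), RoomServer("room2", 10, 100)]
    for _ in range(4):
        place_meeting(pool, 10)
    print({s.name: s.booked_meetings for s in pool})   # {'room1': 2, 'room2': 2}
    print(fail_over(pool, pool[1], 10).name)            # room1
```

Note that the scheduler spreads bookings across servers from the first booking, rather than filling one server and then moving on, and that a server is only ever excluded by its `up` flag, never by a full capacity limit.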
STServer
The STServer server handles meeting creation, scheduling, updating status,
load balancing, statistics, and all important meeting server tasks. Each room
server has servlets running that provide services, and this service is what talks to
a number of these servlets. For example, STServer creates meetings on the
room servers by talking to the MMAPI servlet that schedules meetings on a
Sametime server.
STCenter
The STCenter server is responsible for the Sametime 7.5.1 look and feel. It
provides the easy-to-use GUI and runs the interface with advanced HTML
techniques and Java Server Pages (JSPs).
[Figure: EMS applications on ports 9060/9043, handed to port 80 via IHS; DB2 traffic on port 50000 between EMS and DB2]
Note: In a pilot deployment you can run HTTP and DB2 all on the same
box, but if you separate out each of those servers you will have higher
redundancy if a box goes down. Also keep in mind that EMS can point to a
cluster of DB2 servers or be horizontally cloned itself since it is a WAS
application.
4. On the other side we see connections to the LDAP server via port 389, or 636
if you are using the secure encrypted port. The EMS server and all room
servers connect to the LDAP server, and use its directory for authentication
and user name lookups. Because of this, it is important for both the EMS
server and each room server to have the same LDAP configuration so that
authentication and user lookups will be consistent between all servers. If the
base DN (or base objects in the Sametime LDAP configuration document),
search filters, and binding names (optional unless using Active Directory) do
not match, the resulting entries returned may not be consistent, causing (to
be as technical as possible) things to break. Also, EMS and all of the room
servers use SSO, so you are not prompted to reauthenticate between looking
at the meeting page and attending a meeting. If you are logging in with one ID
on EMS but the room server expects a differently formed ID based on its
LDAP configuration, or it cannot find your ID at all, then SSO breaks and you
will not be able to attend a meeting. The key here is consistency.
Important: The following installation was based, for the purposes of this book,
on a Single Server Setup using WAS 6.0.2.9.
Before deploying EMS, the J2EE environment must be installed and configured.
Once this environment is ready, installing the EMS application is straightforward.
For this workspace, the administrator name is db2admin. We configure
WebSphere to point to DB2 to use as its datastore, and then we must enable
security by pointing to our appropriate LDAP server. Finally, we create the
application servers for EMS to use and then begin the EMS installation.
For each room server, we must install Domino 7.0.2. Once installed, we
configure single sign-on for the WebSphere, IBM HTTP, and Domino servers.
10.8.1 Prerequisites
You are required to:
1. Install LDAP. This can be any Version 3 compliant LDAP server, but we
recommend IBM Tivoli Directory Server 5.3.
2. Install DB2. 8.2.x should be fine.
3. Install WebSphere 6.0.0.1, making sure that you use an administrator
account with the correct permissions. Update to WAS V6.0 Refresh Pack 2
and then to WAS V6.0.2 Cumulative Fix 9. When you install the base
WebSphere 6, make sure to select the following components:
– IBM HTTP Server 6.0
– Web server plug-ins for WebSphere Application Server
Note: You will be redirected to https and will now need to log in using the
WAS/EMS admin user name and password you entered in the previous
steps.
Note: All application servers must be restarted for the change to take effect.
We are done with the WAS/EMS server for now. Next we install the Domino
infrastructure on a separate box that will eventually become our Sametime room
server.
11.In the newly created document, enter the following fields. Note that all fields
must be identical to the information in WebSphere.
– DNS Domain: domain.com
– Expiration: 120
– Domain Servers: Use the directory to select all servers that will be listed in
the community.
Note: Make sure that there is a backslash before the :389 (for example,
\:389).
We are finished with installing the environment. Now let us begin the actual
installation of EMS and Sametime.
Attention: This step is only needed when using remote DB2 database.
To do this:
1. Open the DB2 Client Configuration Assistant (Start → Programs → IBM
DB2 → Client Configuration Assistant).
2. Select Add.
To do this:
1. Open a command prompt on the EMS/WAS server and stop the STCenter,
STServer, and STAdmin application servers (or verify that they are stopped).
Only server1 should be running. You can issue the command 'serverStatus
-all' to determine the server status of all.
2. Go to the WebSphere Administrator Console by opening a Web browser and
entering the https://localhost:9043/ibm/console/logon.jsp and log in.
3. Navigate to Applications → Install New Applications.
4. Select Local Path and click Browse (if you are running the browser from the
WAS/EMS server). Or select Server Path and enter the server path (if you
are not working local).
5. In the C:\WebSphere\AppServer\installableApps folder, select the .ear file
STAdmin, STServer or STCenter.ear from the list and click Open.
6. Click Next.
7. Check the box labeled Generate Default Bindings.
8. Select Override Existing Bindings.
9. Check the radio button Use default virtual host name for Web modules.
Note: This step updates the Web server to know where to find pages on the
EMS server. This step assumes that IBM HTTP Server is running on the same
machine as EMS in a pilot environment.
To do this:
1. In the WAS Admin console go to Servers/Web servers.
2. Check the box next to webserver1 and click the Generate Plug-in button.
3. Check the box again and click the Propagate Plug-in button. The Web
plug-in will be pushed to your HTTP server directory correctly.
Note: If the room server has already been added, you can change the
record path in DB2. It is stored in stconfig.serverapplication. The field
name is "MTGCNTRRECORDMEETINGSPATH".
So from the top, WAS looks at the LDAP host name and port specified so that it
knows where to find this directory, and whether it is using a secure connection.
Obviously there is more to securing an LDAP connection than just changing the
port, but you get the idea — we need the correct port the LDAP service is
listening on.
For WebSphere, if the search filter is set up properly you can just use the short
name 'rfox' or however you've defined the filter (which we will get into soon).
Obviously, if the password or user is incorrect, you will not be able to bind to the
LDAP server and do look ups. WebSphere generally does not allow you to
continue with incorrect login information, but if those credentials change you
know now where to look. Again, most LDAP servers do not require a bind
account, as they have anonymous binding enabled, but do not be alarmed if the
directory at a secure customer site needs it. The next field in question is the
base DN. This is where in the tree to start looking for users. Obviously, if the
person you are trying to authenticate as is not in the same scope as your base
DN, you are not going to be located and thus not be able to log in. Softerra again
is a great tool for figuring out where a user actually is in the directory.
Note that Sametime has two places it refers to as base objects. This is the same
as the base DN.
Lastly, we look at the search filter. Whatever you typed in at the login prompt is
going to be included in the search of various attribute values. If they match, then
the user is authenticated. If you click a specific user while the Softerra LDAP
Browser is connected to an LDAP server you will see a large number of attributes
such as cn, uid, mail, and so on, with values specific to the user. Also, you will
see a few attributes called objectclass that have values such as person,
inetOrgPerson, group, groupOfUniqueName, and so on. Let us look at this
sample filter:
(&(objectclass=inetOrgPerson)(|(cn=%v)(uid=%v)(mail=%v)))
Notice the & and | symbols? They refer to AND and OR, respectively. Logically
you can look at those symbols and figure out what it is trying to do. Basically, this
filter says “Look for any entry in this directory where the objectclass is equal to
inetOrgPerson (meaning that the entry refers to a person) AND either their
unique ID (uid), OR full canonical name ('cn') OR email address ('mail') is equal to
whatever the user typed in". We can put all of this information in our LDAP
browser and replace the variables with what we typed in and make sure a user is
returned. The Softerra LDAP Browser has a directory search option, so you can
put in your base DN and put in a search filter with the variables replaced and see
if what you expect is returned, like this:
(&(objectclass=inetOrgPerson)(|(cn=Rob Fox)(uid=Rob Fox)(mail=Rob Fox)))
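The substitution and the offline check described above can be done without an LDAP browser. The following is an added example and not WebSphere's or Sametime's code: render_filter replaces the %v placeholder (and the %s / %s* form that the troubleshooting text says Sametime uses) with what the user typed, and matches evaluates the rendered filter against a constructed directory entry. The login value is escaped as RFC 4515 requires, so a typed value containing * or parentheses is matched literally instead of changing the shape of the filter; the escape=False path shows why that matters.

```python
"""Render a WebSphere/Sametime style search filter and evaluate it offline.

Added example, not IBM code. The escape table is RFC 4515; the evaluator
supports &, |, !, equality, presence (attr=*) and trailing-wildcard prefix
matches, which is enough for the filters discussed in the text.
"""
import re
from typing import Dict, List

# WebSphere substitutes %v; Sametime uses %s (and %s* for prefix searches).
_PLACEHOLDER = re.compile(r"%[vs]")

# RFC 4515 escapes for characters that are special inside an assertion value.
_ESCAPES = {"\\": r"\5c", "*": r"\2a", "(": r"\28", ")": r"\29", "\0": r"\00"}


def escape_filter_value(value: str) -> str:
    """Escape a value so it is matched literally inside a filter."""
    return "".join(_ESCAPES.get(ch, ch) for ch in value)


def render_filter(template: str, typed: str, escape: bool = True) -> str:
    """Replace every %v / %s placeholder with the login name.

    escape=False reproduces a raw substitution: a typed "*" then turns each
    assertion into a presence test that matches every person in the tree.
    """
    value = escape_filter_value(typed) if escape else typed
    # A callable replacement keeps backslashes in the value intact.
    return _PLACEHOLDER.sub(lambda _m: value, template)


def _split_children(body: str) -> List[str]:
    """Split "(a)(b)(c)" into ["(a)", "(b)", "(c)"] by parenthesis depth."""
    parts, depth, start = [], 0, 0
    for i, ch in enumerate(body):
        if ch == "(":
            if depth == 0:
                start = i
            depth += 1
        elif ch == ")":
            depth -= 1
            if depth == 0:
                parts.append(body[start:i + 1])
    return parts


def _unescape(value: str) -> str:
    return re.sub(r"\\([0-9a-fA-F]{2})", lambda m: chr(int(m.group(1), 16)), value)


def matches(filt: str, entry: Dict[str, List[str]]) -> bool:
    """Evaluate a rendered filter against one entry (attribute -> values)."""
    norm = {k.lower(): [v.lower() for v in vs] for k, vs in entry.items()}
    return _eval(filt, norm)


def _eval(filt: str, entry: Dict[str, List[str]]) -> bool:
    if not (filt.startswith("(") and filt.endswith(")")):
        raise ValueError(f"bad filter: {filt!r}")
    inner = filt[1:-1]
    if inner[:1] == "&":
        return all(_eval(c, entry) for c in _split_children(inner[1:]))
    if inner[:1] == "|":
        return any(_eval(c, entry) for c in _split_children(inner[1:]))
    if inner[:1] == "!":
        return not _eval(inner[1:], entry)
    attr, _, pattern = inner.partition("=")
    values = entry.get(attr.lower(), [])
    if pattern == "*":                      # presence test
        return bool(values)
    if pattern.endswith("*"):               # prefix match, e.g. cn=rob*
        prefix = _unescape(pattern[:-1]).lower()
        return any(v.startswith(prefix) for v in values)
    return _unescape(pattern).lower() in values   # an escaped "*" lands here


# Constructed sample entry standing in for what an LDAP browser would show.
ROB = {"objectclass": ["person", "inetOrgPerson"], "cn": ["Rob Fox"],
       "uid": ["rfox"], "mail": ["rfox@domain.com"]}
WAS_FILTER = "(&(objectclass=inetOrgPerson)(|(cn=%v)(uid=%v)(mail=%v)))"
ST_FILTER = "(&(objectclass=inetOrgPerson)(|(cn=%s*)(uid=%s)))"

if __name__ == "__main__":
    print(matches(render_filter(WAS_FILTER, "Rob Fox"), ROB))            # True
    print(matches(render_filter(WAS_FILTER, "*", escape=False), ROB))    # True
    print(matches(render_filter(WAS_FILTER, "*"), ROB))                  # False
```

The last two lines are the point of the escaping: an unescaped wildcard turns the login filter into one that matches any person entry, while the escaped form is matched as the literal character and finds nobody.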
Issue - you can log into EMS, but you cannot join a meeting
This can be a multitude of problems as well, so let us start at the top.
Once all of the above has occurred, WebSphere generates an LTPA token,
which is based on when you logged in, your name, the name of the server, and a
few other things. This token can be passed by the browser to other servers in the
same domain, and if they have all been configured properly the user is not
prompted for authentication. You can test SSO easily by logging into the WAS
server and then immediately typing the URL of a Sametime server in the same
SSO DNS domain. If SSO is configured correctly, you will be logged into the
other server without being prompted or typing anything in. This is not strictly a
WAS-to-Sametime server thing. If you have SSO set up between different
Domino servers like QuickPlace/Quickr or different WAS servers like Portal you
can do the same type test. If you would like to see your LTPA token, simply log in
to the main EMS page and then put this exact text in the URL (this can be done
on any Web page that generates a cookie):
javascript:alert(document.cookie)
You will see a pop up with some information in it, including the LTPA token,
which is just a lengthy string of characters. Now, when you click the Join
Meeting button from EMS, your Web browser is being redirected to an actual
room server. Since you are going to another server, you need to be
authenticated again. If SSO was set up properly, then the generated SSO token
will match what would be generated on the Sametime server, and you will be
allowed in. The token is based on a few things: a unique string generated by
WebSphere, the domain.com piece of the DNS entries of all servers involved
(this is why you cannot log into an EMS or Sametime server with just the IP or
just the short host name — they all need the fully qualified DNS names or
FQDN), the time (the clocks on all servers should be in sync and the SSO
timeouts should be the same), and the LDAP server and port used. After verifying
that these items are consistent between the WAS server and each Sametime
server, make sure that WAS generated the key file correctly, and the key file was
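The reason the text gives for needing fully qualified names in one DNS domain is cookie domain matching: the browser only presents the LTPA cookie to hosts that fall under the cookie's Domain attribute, and an IP address or short host name never does. The following is an added example, not IBM code, that implements that matching rule and a pre-flight comparison of the items the text lists (SSO domain, token timeout, LDAP server and port, clock sync); the SsoServer fields and the 60-second skew tolerance are assumptions.

```python
"""Why LTPA single sign-on needs FQDNs in one DNS domain, as a checkable rule.

Added example, not IBM code. cookie_domain_matches applies the browser's
domain-matching rule to a host; sso_findings compares room servers with the
EMS/WAS server on the settings the text says must agree.
"""
import ipaddress
from dataclasses import dataclass
from typing import List


@dataclass
class SsoServer:
    name: str            # host name as the user types it in the URL
    sso_domain: str      # DNS domain configured for SSO on that server
    sso_timeout: int     # LTPA expiration in minutes
    ldap_host: str
    ldap_port: int
    clock_offset_s: int  # measured offset from the reference clock, in seconds


def cookie_domain_matches(host: str, cookie_domain: str) -> bool:
    """True when a browser would send a cookie scoped to cookie_domain to host.

    The host must be a DNS name that equals the domain or ends with "." plus the
    domain; IP literals and bare short names (no dot) never match.
    """
    host = host.lower().rstrip(".")
    domain = cookie_domain.lower().lstrip(".")
    try:
        ipaddress.ip_address(host)
        return False                    # an IP literal is not a DNS name
    except ValueError:
        pass
    if "." not in host:
        return False                    # short host name, no domain part to match
    return host == domain or host.endswith("." + domain)


def sso_findings(ems: SsoServer, room_servers: List[SsoServer],
                 max_skew_s: int = 60) -> List[str]:
    """List every inconsistency that would make the token fail on a room server."""
    findings = []
    for s in [ems] + room_servers:
        if not cookie_domain_matches(s.name, ems.sso_domain):
            findings.append(f"{s.name}: not an FQDN under {ems.sso_domain}; token not sent")
    ems_domain = ems.sso_domain.lower().lstrip(".")
    for s in room_servers:
        if s.sso_domain.lower().lstrip(".") != ems_domain:
            findings.append(f"{s.name}: SSO domain {s.sso_domain} differs from EMS")
        if s.sso_timeout != ems.sso_timeout:
            findings.append(f"{s.name}: SSO timeout {s.sso_timeout} differs from EMS {ems.sso_timeout}")
        if (s.ldap_host.lower(), s.ldap_port) != (ems.ldap_host.lower(), ems.ldap_port):
            findings.append(f"{s.name}: LDAP {s.ldap_host}:{s.ldap_port} differs from EMS")
        if abs(s.clock_offset_s - ems.clock_offset_s) > max_skew_s:
            findings.append(f"{s.name}: clock skew exceeds {max_skew_s}s")
    return findings


if __name__ == "__main__":
    # Constructed sample: one consistent and one misconfigured room server.
    ems = SsoServer("ems.domain.com", "domain.com", 120, "ldap.domain.com", 389, 0)
    good = SsoServer("room1.domain.com", ".domain.com", 120, "ldap.domain.com", 389, 5)
    bad = SsoServer("room2", "domain.com", 60, "ldap.domain.com", 636, 300)
    print(sso_findings(ems, [good]))   # []
    for line in sso_findings(ems, [bad]):
        print(line)
```

Running the check before the first Join Meeting attempt is cheaper than reading browser cookies afterwards, and it catches the short-name and IP-address cases that the javascript:alert(document.cookie) test would only reveal as a missing token.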
Now that is just getting access to the Web pages themselves. What if the applet
downloads properly but the Meeting Room Client itself throws a login error?
Everything we talked about thus far only refers to the Web portion of Sametime.
We should now look at the back end piece to see how authentication is handled
there. Core Sametime LDAP configuration is not set up on the WAS security
page or the Domino da.nsf (directory assistance) database. Those are only for
Web-based authentication. Community services (and as such the MRC) are
configured for LDAP via the Sametime Web admin in the LDAP section or directly
in the LDAP document in the stconfig.nsf database. Remember, when you join a
meeting you also join a community place. This is why you cannot just cluster
meeting servers and why we need community to be configured close to WAS.
Very similar to the above, it is important for the base DN (base objects), search
filters, and LDAP servers to match. Also note that Sametime uses %s* and %s in
its filters. Use those variables instead of %v like you did for WebSphere. You can
test to see if the community is configured for LDAP by logging into the Connect
client. If that works then you are good to go. The important thing to take away
here is if you are having problems authenticating through the Web, look at
WebSphere's security page and Domino's directory assistance database. If you
are having problems entering a meeting or logging in with the Connect client, look
at the Sametime Web admin LDAP configuration (or directly at the LDAP
document in stconfig.nsf). Different pages handle the different required
authentication mechanisms, so do not go looking in da.nsf if you cannot log in
with the Connect client.
To start a room server, start the Lotus Domino Server service (do not run it as an
application, run it as a service). Domino will go through its usual start up process.
We care most about two Domino tasks — the HTTP process and the STAdmin
process. These can be found in the notes.ini under the tasks line. Remember
those servlets we talked about a while back? In order for those to start, the
Domino Servlet engine needs to be enabled in the server document for the
Sametime server. If the servlet engine is running, it then looks at the
servlet.properties files in the Domino data directory to determine which servlets
to run. There are several Sametime servlets that need to run, so if you watch the
Domino console you will see these Sametime servlets starting up and
successfully initiating.
Keep in mind that if HTTP tunneling is enabled the server document should
reflect the Domino HTTP task running on a different port like 8088, and in
sametime.ini the Sametime mux will be on port 80. Also remember if this
configuration is in place, port 80 traffic will not work until the ST mux service has
started.
The next Domino task we want to start is STAddin. This Domino task starts the
Sametime Meeting Server service (which you can see if you enabled Interact
with Desktop at the Log on tab in Windows Services), which starts a few services
before it starts the critical service, the Configuration Bridge. Now this is where the
main difference between a Sametime server and a room server becomes
obvious. In the sametime.ini you will see an entry for ConfigurationHost. For a
Sametime server that entry is usually the FQDN and port 80 or 443. The
Sametime server then proceeds to connect to a configuration URL based on
this entry. Locally this is the scs servlet that contains all configuration for the
Sametime server. Once the Configuration Bridge reads in all of this information,
the rest of the Sametime Meeting services will kick off quickly, such as the
gateway, broadcast service, and so on. You can see what the Sametime
configuration URL looks like by typing this in your browser:
http://sametimeserver.domain.com/servlet/auth/scs?xpath=
If you are on *nix do not forget the ./ (dot slash) in front of the command. Make
sure that the three EMS servers are running, remembering that STServer does
most of the dirty work, STAdmin does all of the writing to DB2, and STCenter
makes the Web UI available. If one of these servers is not running or appears to
be acting strangely you can run these commands to start and stop them as
necessary:
startServer STWhatever
or
stopServer STWhatever -username wpsadmin -password password
Do not forget that all of these commands are case sensitive and you need proper
credentials to stop servers in WebSphere. Once STServer determines that a
room server is running everything correctly, it will change that server status to
running and then deploy meetings on it.
You will be prompted for credentials. Remember when you entered a user name
and password in the Meeting Services document for five different entries? Those
credentials are what we are looking for here. If you enter them correctly you get a
red and blue five-line piece of XML that looks like an error but it is not. When fed
the proper data, that servlet is what actively creates the meeting on a room
server, so make sure that all of the steps have been followed correctly. It is also
Important: For actual details on how to install and configure the Sametime
Gateway, refer to the Sametime Gateway Information Center, available at:
http://publib.boulder.ibm.com/infocenter/sametime/v7r5m1/index.jsp
Sametime Gateway can enable, for example, a scenario where Alice works at
IBM and wants to talk to John, an IBM business partner who works at company
XYZ. Company XYZ has its own Sametime server. Although this server uses the
same protocol as the IBM server in Anne's unit, it can only work in the XYZ
environment because each company has its own defined users and their own
specifically defined community.
You can install one Sametime Gateway server or cluster of Sametime Gateway
servers for a local Sametime community. A local community can be made up of
one Sametime server, or a cluster of Sametime servers connected by a common
directory. Sametime Gateway does not support more than one local Sametime
community.
[Figure: public IM provisioning flow between the Sametime 7.5 Provisioning Application, the Admin UI/Script and AOL / Yahoo!: 1 Request access to AOL and/or Yahoo!; 2 Submit provisioning info to public IM operator; 3 Enable customer on network; 4 Notify when provisioning complete; 5 Send email with final instructions]
[Figure: Sametime Gateway architecture: Sametime Server attached through the VP Connector; SIP Connectors (external SIP and Sametime SIP) and the XMPP Connector with its GoogleTalk plugin; the Core with Management Bean, User Locator, ACL plugin, Configuration and Logger; SUBSCRIBE flows for mary@aol.com over SIP and joe@abc.com over XMPP]
[Figure: Lotus Sametime Community Server and LDAP Server connecting through Sametime Gateway to external Sametime enterprises and public IM providers]
You can set up any or all configurations as needed. Lotus Sametime Gateway
allows selected individuals in your company to send instant messages to users
on one or more public networks, giving your users immediate access to millions
of users worldwide.
Note: When you set up a connection with AOL, you have the option of
connecting with AOL users only, or connecting with the AOL clearinghouse
community that includes AOL, ICQ, iChat, and other users from AOL
Enterprise Federation Partner communities, including external Sametime
communities. IBM recommends that you do not configure both communities,
as users served by the AOL clearinghouse are a superset of users served by
the AOL community. If you set up AOL only, and later decide to connect with
the AOL clearinghouse community, delete the AOL community first before
adding the AOL clearinghouse community to Lotus Sametime Gateway.
[Figure 11-4: Sametime users, the Sametime Community Server, LDAP Server and DB Server inside the firewall; Sametime Gateway in the DMZ between two firewalls; AIM, Yahoo! Messenger and Google Talk users reached across the Internet through AOL, Yahoo! and Google]
Figure 11-4 Topology recommended for connecting to AOL, Yahoo! Messenger, and Google Talk user
communities
[Figure, caption not recovered: Company A and Company B, each with its own LDAP Server and DB Server]
DB2 can be located either on the same machine as Lotus Sametime Gateway in
the network DMZ or on a separate machine behind the firewall. Best practices
recommend running DB2 on its own machine, but if it is installed on the same
machine as Lotus Sametime Gateway, DB2 does not significantly impact
performance.
For small test configurations only, you can install Lotus Sametime Gateway on
the same machine as the Sametime server, DB2, or other applications. For a
production environment, your Sametime Community server should be installed
on a separate machine from your Lotus Sametime Gateway.
Important: Each of the detailed steps for installation and configuration are
discussed in the Sametime 7.5.1 Information Center, available at:
http://publib.boulder.ibm.com/infocenter/sametime/v7r5m1/index.jsp
The information center contains steps for setting up a cluster, security, including
SSL, LDAP, and instructions on connecting to LDAP, a local Sametime server,
and external servers including other Sametime servers, AOL Instant Messenger,
Yahoo! Messenger, and Google Talk servers. It contains complete instructions
for setting up event logging, writing scripts to add users and new communities,
and administering Sametime Gateway on a daily basis.
5. Click Next. The installation generates the NetBIOS name for the new domain
controller. You may see the dialog shown in Figure A-5.
http://publib.boulder.ibm.com/infocenter/tivihelp/v2r1/index.jsp?topic=/com.ibm.itame.doc/am60_install166.html
6. Click Next. You may be prompted to insert the Windows 2003 Components
CD.
Click Finish. The Import Certificate Import successfully message box appears,
as shown in Figure A-30.
http://support.microsoft.com/kb/321051/en-us
Create the .inf file. Example A-2 is a sample .inf file that can be used to create
the certificate request.
Signature="$Windows NT$"
[NewRequest]
[EnhancedKeyUsageExtension]
;-----------------------------------------------
In our example the request.inf file looks like that shown in Example A-3 on
page 783.
[Version]
Signature="$Windows NT$"
[NewRequest]
[EnhancedKeyUsageExtension]
;-----------------------------------------------
Create the request file. To do this, type the following command at the command
prompt and then press Enter:
certreq -new request.inf request.req
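Only the section headers of the request.inf survive above. The following is an added, complete request file in the shape that the Microsoft article cited above (KB 321051) documents for a domain controller certificate used for LDAP over SSL; it is not the book's Example A-2 or A-3. The Subject FQDN is a placeholder, KeyLength is raised to 2048 here (the original article uses 1024), and the remaining values are the ones that article gives.

```ini
;----------------- request.inf -----------------
[Version]
Signature="$Windows NT$"

[NewRequest]
; Subject must be the fully qualified DNS name of the domain controller
; (placeholder value); LDAP clients compare it with the host they connect to.
Subject = "CN=dc1.example.com"
KeySpec = 1
KeyLength = 2048
; Exportable = TRUE allows the private key to be exported later; set it to
; FALSE unless the key must be moved to another machine.
Exportable = TRUE
MachineKeySet = TRUE
SMIME = False
PrivateKeyArchive = FALSE
UserProtected = FALSE
UseExistingKeySet = FALSE
ProviderName = "Microsoft RSA SChannel Cryptographic Provider"
ProviderType = 12
RequestType = PKCS10
KeyUsage = 0xa0

[EnhancedKeyUsageExtension]
OID=1.3.6.1.5.5.7.3.1 ; Server Authentication, required for LDAP over SSL
;-----------------------------------------------
```

MachineKeySet = TRUE is what places the key in the computer's store, where the LDAP service can read it; a request generated into a user's store produces a certificate that the domain controller will never pick up.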
Highlight the entire certificate including the begin and end certificates line, and
copy the certificate to the clipboard using Ctrl+C. Run Notepad and paste the
certificate into the Notepad area. Save the file as certnew.cer.
Open a command prompt window and enter the change directory (CD) command
to change to the directory where you saved the certnew.cer file.
Accept the issued certificate. To do this, type the following command at the
command prompt, and then press Enter:
certreq -accept certnew.cer
Note: Ensure that you type the Active Directory domain server name correctly.
To open the Active Directory Schema snap-in, click Start, click Control Panel,
double-click Administrative Tools, and then double-click Active Directory
Schema.
Click Continue and fill in the fields in the Create New Attribute form as shown in
Figure A-40.
Select Sametime Server and then click OK. Return to the list of attributes for the
inetOrgPerson object class (Figure A-43 on page 796). Repeat the process for
the notesDN, notesCon, mailfile, and mailserver attributes. When the last
attribute has been selected, click OK at the list of attributes, as shown in
Figure A-43 on page 796.
To make the modification, open a command prompt window and enter the
command:
ldifde -i -f user.ldif -s qp.cam.itso.ibm.com
As opposed to:
CN=Stephen Shepherd,CN=users,DC=ITSO,dc=com
If Sametime is using native Domino Directories, then QuickPlace must also use
Native Domino Directories. If WebSphere Portal is deployed using a non-Domino
LDAP, you will see that Sametime and QuickPlace can still use the native
Domino directory.
Domino LDAP
Sametime can use a Domino LDAP server for authentication,
authorization, community services, and Meeting Services. A separate Domino
Server is required. Do not use the Sametime server as the LDAP server even
though the LDAP server tasks can be run on the Sametime server.
If Sametime is using a Domino LDAP server then QuickPlace must use the same
Domino LDAP server. If WebSphere Portal is deployed using a non-Domino
LDAP you will see that Sametime and QuickPlace can still use a Domino LDAP
server.
Refer to “Create the Domino key file” on page 591 to install the trusted root
certificate from the certificate authority. In addition, using the Server Certificate
Admin database, you need to request a server certificate, submit the server
certificate request to the certificate authority, pick up the approved server
certificate, and install the server certificate into the key ring file. Also, make sure
that the server document is updated with the correct key file name. Refer to
“Modify server document” on page 596.
Dual directories
Customers have deployed Sametime and QuickPlace using Native Domino
directory or Domino LDAP. Then they want to integrate WebSphere Portal server
that is authenticating with a non-Domino LDAP server. The easiest
implementation has always been when all components authenticate against a
This entry should be added below the Domino canonical name, which should be
the top line of the User Name field, and common name (CN), which should be
the second line.
Then add the following to the sametime.ini file under the [Config] section:
ST_DOMINO_DUAL=1
If you also want awareness capabilities in WebSphere Portal, make the following
configuration changes to CSEnvironment.properties. You should have already
enabled Sametime in WebSphere Portal, as documented in the WebSphere
Portal Information Center.
CSEnvironment.properties:
CS_SERVER_SAMETIME_1.useLTPAToken=true
CS_SERVER_SAMETIME_1.nameFormatForResolve=dn
CS_SERVER_SAMETIME_1.dnNameSeparator=/
To configure the Sametime server to remap users' DNs when passed with an
LTPA token, set the following in the notes.ini file:
ST_UID_PREFIX=*
ST_UID_POSTFIX=*
CSEnvironment.properties:
CS_SERVER_SAMETIME_1.useLTPAToken=true
CS_SERVER_SAMETIME_1.nameFormatForResolve=dn
Save the subform. Open the subform $PersonExtendableSchema and add a rich
text field named jpegPhoto, as shown in Figure B-7.
Click Replace.
The jpeg photo can be added by many different LDAP utilities and management
programs. We used LDAP Modify, which comes with the Tivoli Directory Server.
You need to create an LDIF file similar to Example B-1.
Important: The project plan and tasks identified here apply to a generic
Sametime 7.5.x Deployment. This plan must be customized and made more
specific to your organization’s rollout.
The primary objective is to help you identify the key tasks that need to be
accomplished, understand the necessary dependencies between these tasks,
and gain a sense of relative duration and level of effort. The required duration
to accomplish these tasks depends upon your organization’s specific needs,
available resources to dedicate to the project, and finally, the level of skill
within your organization.
It is important that the scope of the project is fully understood and defined to
allow the plans to be created. The costs will be derived from the plans and
should be recorded in the business case. The other key area of the business
case is the benefits. These should be quantified and not left as intangible. Failure
to do this makes the project vulnerable to being closed down whenever the
organization experiences financial pressures.
For each value frame, a stage plan should be established and updated on a
weekly basis and fed into the overall Sametime Enterprise deployment project.
Milestones should be established to signify delivery completion and reporting
back to the project manager. Once the milestones are defined, the project plan
will be baselined and sent to the customer project manager for inclusion into
project reports.
The benefits of the IBM Sametime 7.5.1 upgrade project plan template are:
Leverage best practices from a project management perspective.
Leverage best practices and corporate knowledge for an IBM Software
Services-led effort.
Reduce the amount of effort required to perform initiation and planning
activities.
http://www.redbooks.ibm.com/abstracts/sg246392.html?Open
In the following sections we introduce the Load Balancing functions. The basic
concepts described here are used by most Load Balancing software and
hardware.
http://www.f5.com/products/bigip/index.html
For detail on how to configure BIG-IP load balancing for Sametime, visit:
http://www.f5.com/solutions/deployment/sametime_bigip45_dg.html
Scalability
Often Sametime needs to scale for increasing numbers of simultaneous users on
a wide range of access devices.
Load balancer software is used to dispatch the load to the servers in the cluster.
It uses a load balancing mechanism usually known as IP spraying, which
Availability
Users must be able to reach the application regardless of failed servers. In a
clustered Sametime server environment, the load balancer monitors the
availability of the Sametime servers. If a server has failed, no more requests are
sent to it. Instead, all requests are routed to the remaining active servers. We
also recommend that you ensure high availability of the load balancer system
itself to eliminate it as a single point of failure (SPOF).
Performance
Quick response times can be provided by routing requests based on the
geographic location, user identity, or content requested and by caching the
retrieved data.
Session affinity is an option that applies to all of these components. See “Server
affinity in Load Balancer” on page 831, for details.
Dispatcher decides which server will handle a certain TCP/IP connection based
on the weight of each server in the cluster. The weight is the value that
determines the number of connections that each server receives. The weight can
be fixed in the configuration or it can be dynamically calculated by Dispatcher.
If you configure the weight of the servers as a fixed value, it will not change
regardless of the conditions of the balanced servers. For example, if you
configure a cluster containing two servers and set the weight of the first
server to 1 and the weight of the second server to 2, the second server will
always receive twice the load of the first server. The only exception to this is
when an Advisor detects a failed server.
If you choose to work with dynamic weights (which is the default option, and what
we did in our test environment), Dispatcher will calculate the load of each
balanced server dynamically. In our previous example, if the response time of the
second server was slower than the response time of the first server, it would now
be possible to detect this and generate the correct weight value according to the
real conditions of each server.
For actual implementation information, refer to 4.5, “Install and configure IBM
Edge Load Balancer components” on page 224. (Specifically, see “Configure the
Manager component” on page 272.)
In order to identify the packets meant for the operating system itself, the
administrator needs to associate an IP address with the variable NFA
(non-forwarding address). This variable contains the IP address that is used for
all connections that should not be load balanced by Dispatcher, such as
telnetting into the machine, connecting to the Dispatcher’s administration
service, and so on. In other words, NFA determines the IP address that the
Executor ignores as far as load balancing is concerned.
Manager
Manager is the component responsible for providing weight values of each
balanced server to Executor, so it can make its load balancing decision. Running
this component is optional, but it is necessary for dynamic weighting of the
servers and also for identifying failed servers.
Manager uses metric values for calculating the weight value of each server:
The number of active connections being handled by that server
The number of new connections that were forwarded to that server since the
last check (The default is two seconds.)
The input from two components that gather load information about the
balanced servers:
– The Advisors
– The Metric Server
Advisors
The Advisors are lightweight clients that run on the Dispatcher server, and they
are aware of the protocol used by the back-end servers. Load Balancer provides
advisors for HTTP, HTTPS, FTP, and LDAP, among others.
Each advisor connects to a certain service running on each server of the cluster,
and submits a request that validates the health of that service. This means that
the advisor actually tests the service, not only the connectivity to the server (a
Metric server
Note: We did not configure the metric server in our test environment.
If you need to collect more information from the back-end server for load
balancing, you can also use the metric server, which is a component that is
installed and runs in each back-end server. The metric server can additionally
provide values for the server where it is running. For example, the metric server
can monitor memory and CPU usage. This information is also sent to the
manager and is used to calculate the final weight value for each server.
MAC forwarding
This is the default forwarding method. When Dispatcher receives a packet and
chooses which server to send it to, it only changes the source and destination
MAC address of the packet. The IP addresses remain the same. This means that
the source IP address remains the IP address of the client machine, and the
destination IP address remains the cluster IP address.
When the balanced server receives the packet, it responds directly to the client
(because the source IP address in the packet belongs to the client).
Figure: MAC forwarding - Network flow. Incoming traffic goes from the client
through the Load Balancer to the back-end server; outgoing traffic goes from the
back-end server directly to the client.
This method also requires that the services running on the balanced servers be
able to accept the packets containing the cluster IP address as the destination IP
address. The easier solution is to add an IP alias to the loopback interface (so it
is not advertised in the network).
Refer to 4.5, “Install and configure IBM Edge Load Balancer components” on
page 224, or Load Balancer Administration Guide Version 6.0, GC31-6858
(http://www-1.ibm.com/support/docview.wss?uid=pub1gc31685801), for
instructions on how to add an IP alias in various operating systems.
This forwarding method allows Dispatcher to provide load balancing for remote
servers, which is not available in the MAC forwarding method.
Figure: NAT forwarding - Network flow. Both incoming and outgoing traffic
between the client and the back-end server pass through the Load Balancer.
This method also allows port redirection (NAPT). This means that the port that
you configure on the cluster configuration does not need to be the same port that
the service is listening on in the balanced server. In this case, Dispatcher
changes the port information in the TCP header the same way it does with the IP
addresses in the IP header of the TCP/IP packet.
This method implies that Dispatcher needs to handle all traffic, both inbound and
outbound. It also needs one extra IP address to implement the configuration,
which is the return address.
For the HTTP protocol, the connection distribution is based on the contents of
the URL or the HTTP header. For the HTTPS protocol, the distribution is based
on the SSL session ID field of the client request.
http://www-1.ibm.com/support/docview.wss?uid=pub1gc31685801
Advisors
Advisors are lightweight clients that run on the Dispatcher machine, providing
information about the load of a given server. The product provides
protocol-specific advisors for several protocols and products, such as HTTP,
HTTPS, FTP, Telnet, DB2, DNS, LDAP, SMTP, and others.
Load Balancer also provides a generic advisor, called Connect, that can be used
in case you need to load balance a service or protocol for which there is no
dedicated advisor available. Connect opens a connection to the server using the
server port informed in the advisor configuration and closes the connection after
the TCP/IP handshake is done. As there is no out-of-the-box advisor for
Sametime, we used the Connect advisor in our test environment.
If the server does not respond, the advisor returns a negative value (-1) for the
load. A downed server is given a weight of zero by the Executor, and packets will
not be forwarded to it until the server responds to the advisor again.
Manager obtains the load value reported by the advisor, which is available in the
Port column of the Manager report. The manager obtains these values from all of
its sources and sets proportional weight values for Executor.
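The following Python model, added here as an example and not IBM Load Balancer code, ties together the pieces described above: a Connect-style advisor that only checks the TCP handshake and reports -1 when the server does not respond, a Manager step that turns fixed or dynamic inputs into weights (a server reported down always gets weight 0), and an Executor step that hands out connections by weight. The weight formula is a simplified stand-in for the product's own calculation; the loopback listener stands in for a back-end server.

```python
"""Added example (not IBM Load Balancer code): a small model of how the Connect
advisor, the Manager and the Executor fit together. The weight formula is a
simplified stand-in for the product's own calculation."""
import socket
import time
from dataclasses import dataclass
from typing import Optional

ADV_DOWN = -1  # load value an advisor returns when the server does not respond


def connect_advisor(host: str, port: int, timeout: float = 2.0) -> int:
    """Generic 'Connect' advisor: open a TCP connection to host:port, close it as
    soon as the handshake is done, and report the connect time in ms (>= 1),
    or ADV_DOWN if the connection attempt fails or times out."""
    start = time.perf_counter()
    try:
        with socket.create_connection((host, port), timeout=timeout):
            pass  # nothing is sent: only the TCP handshake is checked
    except OSError:
        return ADV_DOWN
    return max(1, int((time.perf_counter() - start) * 1000))


def start_test_listener():
    """Constructed stand-in for a back-end server: a listening socket on an
    ephemeral loopback port (the kernel completes the handshake for us)."""
    srv = socket.socket(socket.AF_INET, socket.SOCK_STREAM)
    srv.bind(("127.0.0.1", 0))
    srv.listen(5)
    return srv, srv.getsockname()[1]


@dataclass
class BackendServer:
    name: str
    active_connections: int = 0       # connections currently handled
    new_connections: int = 0          # forwarded since the last check (2 s default)
    advisor_load: int = 0             # value reported by the advisor (-1 = down)
    fixed_weight: Optional[int] = None  # configured weight when not dynamic


def manager_weights(servers, dynamic: bool = True, max_weight: int = 20) -> dict:
    """Manager step: turn the metric inputs into a weight per server.
    Fixed weights are used unchanged, except that a server the advisor reports
    as down always gets weight 0. Dynamic weights give the least loaded server
    max_weight and heavier servers proportionally less (simplified model)."""
    if not dynamic:
        return {s.name: 0 if s.advisor_load == ADV_DOWN else (s.fixed_weight or 1)
                for s in servers}
    scores = {s.name: s.active_connections + s.new_connections + s.advisor_load
              for s in servers if s.advisor_load != ADV_DOWN}
    if not scores:
        return {s.name: 0 for s in servers}  # every server is down
    best = min(scores.values())
    return {s.name: 0 if s.advisor_load == ADV_DOWN
            else max(1, round(max_weight * (best + 1) / (scores[s.name] + 1)))
            for s in servers}


def executor_distribute(weights: dict, n_connections: int) -> dict:
    """Executor step: hand out n new connections by smooth weighted round robin.
    Over sum(weights) connections each server receives exactly its weight;
    a weight of 0 (failed server) never receives a connection."""
    counts = {name: 0 for name in weights}
    total = sum(weights.values())
    if total == 0:
        return counts  # nothing can be forwarded
    current = {name: 0 for name in weights}
    for _ in range(n_connections):
        for name, w in weights.items():
            current[name] += w
        chosen = max(current, key=current.get)
        current[chosen] -= total
        counts[chosen] += 1
    return counts


if __name__ == "__main__":
    srv, port = start_test_listener()
    print("advisor load for live listener:", connect_advisor("127.0.0.1", port))
    srv.close()
    print("advisor load after shutdown:", connect_advisor("127.0.0.1", port))
    pool = [BackendServer("st1", 10, 5, 5), BackendServer("st2", 30, 10, 2),
            BackendServer("st3", advisor_load=ADV_DOWN)]
    w = manager_weights(pool)
    print("dynamic weights:", w, "-> 30 connections:", executor_distribute(w, 30))
```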
Custom advisors
You can also write your own advisors for specific applications like Sametime.
These are called custom advisors, and you can write your own advisor based on
sample Java code provided with the product. The sample code is available in the
install_path/servers/samples/CustomAdvisors directory, where install_path is the
load balancer installation path (such as /opt/ibm/edge/lb on AIX, or C:\Program
Files\IBM\edge\lb on Windows).
Custom advisors run on the Dispatcher node, and must be written using Java
language and compiled with a Java compiler for the Dispatcher machine.
Important: For the Edge Components that are part of IBM WebSphere
Application Server Network Deployment V6, you need Java compiler Version
1.4.2.
Class file names must follow the form ADV_name.class, where name is the
name you choose for the advisor.
Note: The load balancer base classes, found in ibmlb.jar, must be referenced
in the classpath during compilation.
Make sure that manager is running before you try to start any advisor.
More detailed information about custom advisors, describing how they work and
how to write, compile, and test them, including examples, development
techniques, and interface methods, can be found in the Load Balancer
Administration Guide Version 6.0, GC31-6858:
http://www-1.ibm.com/support/docview.wss?uid=pub1gc31685801
More detailed information about custom advisors specifically for Sametime can
be found in the developerWorks article “Sametime Chat Network Dispatcher
Advisor”:
http://www-128.ibm.com/developerworks/lotus/library/ls-STChat_advisor/
This article includes a link to the code for the Sametime Chat Advisor in the
Lotus Developer Domain sandbox:
http://www-10.lotus.com/ldd/sandbox.nsf/cde4d8ccbe98e4868525676e0079ad34/670748e0f41ae33485256d18005c9205?OpenDocument
In conjunction with the caching proxy, the CBR component has the ability to
proxy HTTP and HTTPS (SSL) requests to specific servers based on the content
requested. The Dispatcher component also provides content-based routing, but
it does not require the caching proxy to be installed. Because the Dispatcher
component’s content-based routing is performed in the kernel as packets are
received, it can provide faster content-based routing than the CBR component.
For HTTP traffic the Dispatcher CBR forwarding method provides a faster
response to client requests than the CBR component. Also, the Dispatcher CBR
forwarding method does not require the installation and use of a caching proxy.
Site Selector
This component performs load balancing using a DNS round-robin approach or a
more advanced user-specified approach. Site Selector works in conjunction with
a name server to map DNS names to IP addresses. System Metrics (provided by
the metric server) should be used in addition to advisor weights to achieve a
well-balanced and accurate weighting of servers.
If the affinity feature is disabled, load balancer chooses the correct server at
the moment a new TCP/IP connection is received from a client and forwards the
packet to it. If a subsequent connection comes in from the same client, load
balancer treats it as an unrelated connection and again chooses the most
appropriate server at that moment.
Server affinity allows load balancing for those applications that need to preserve
state across distinct connections from a client. Maintaining state is a requirement
of many applications encountered on the Internet today, including shopping
carts, home banking, and so on.
Several options are available to maintain application state based on server
affinity, most notably the first two listed here (stickiness to source IP
address and cross port affinity):
Stickiness to source IP address
Cross port affinity
Passive cookie affinity
Active cookie affinity
URI affinity
SSL session ID
The passive cookie, active cookie, and URI affinity options are rules-based. They
depend on the content of the client requests.
The sticky time value is the timeout of the affinity counter. The affinity
counter is reset every time load balancer receives a client request. If this counter
exceeds sticky time, new connections from this client may be forwarded to a
different back-end server.
In Dispatcher and CBR components, you can set the sticky time in three
elements of the load balancer configuration:
Executor: Setting the sticky time for the Executor makes this value valid for all
clusters and ports in the configuration.
Cluster: You can set a specific sticky time value for each cluster.
Port: You can set a specific sticky time value for each port.
However, if you set a different sticky time for the cluster or the port (for
example, you set it to 30), then this value overrides the Executor sticky
time.
This feature applies to the Dispatcher (all forwarding methods), the CBR, and the
Site Selector components of load balancer.
Note: This affinity strategy has some drawbacks: some ISPs use proxies that
collapse many client connections into a small number of source IP addresses.
A large number of users who are not part of the session will be connected to
the same server. Other proxies use a pool of user IP addresses chosen at
random, even for connections from the same user, invalidating the affinity.
For implementation details, refer to “Configure the sticky bits” on page 276.
One example of this feature is a shopping cart application. The user browses the
products and adds them to his shopping cart using port 80 (HTTP). When he is
ready to place the order, he is redirected to an HTTPS (port 443) site, which
encrypts all communication between the browser and the server. Cross port
affinity enables Dispatcher to forward this user’s requests for both ports 80 and
443 to the same server.
Cross port affinity applies to the MAC and NAT/NAPT forwarding methods of the
Dispatcher component.
For details on implementing this feature, refer to “Configure the sticky bits” on
page 276.
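The following Python model, added here as an example and not IBM Load Balancer code, replays the sticky time and cross port affinity behaviour described above: an affinity record is keyed by client IP and port (or by a cross-port group such as 80/443), its counter is reset on every request and it expires after the sticky time. It also reproduces the ISP proxy drawback from the note above: many users behind one source IP all land on the same server. Server names, client addresses and clock values are constructed.

```python
"""Added example (not IBM Load Balancer code): source-IP stickiness with a
sticky time and cross port affinity."""
import itertools
from typing import Callable, Dict, Tuple


def make_round_robin(names):
    """Stand-in for the Executor's choice when no affinity record applies."""
    cycle = itertools.cycle(names)
    return lambda: next(cycle)


class AffinityTable:
    """Affinity records keyed by client IP and port (or by a cross-port group)."""

    def __init__(self, sticky_time: float, cross_port_groups=()):
        self.sticky_time = sticky_time              # seconds; 0 disables affinity
        self.cross_port_groups = cross_port_groups  # e.g. ((80, 443),)
        self._records: Dict[tuple, Tuple[str, float]] = {}

    def _key(self, client_ip: str, port: int):
        for group in self.cross_port_groups:
            if port in group:
                return (client_ip, group)  # ports in a group share one record
        return (client_ip, port)

    def choose(self, client_ip: str, port: int,
               pick: Callable[[], str], now: float) -> str:
        """Return the server for a new connection, honouring a valid record."""
        key = self._key(client_ip, port)
        rec = self._records.get(key)
        if self.sticky_time > 0 and rec and now - rec[1] <= self.sticky_time:
            self._records[key] = (rec[0], now)  # counter reset on every request
            return rec[0]
        server = pick()  # no valid record: choose the best server right now
        if self.sticky_time > 0:
            self._records[key] = (server, now)
        return server


def shopping_cart_scenario() -> dict:
    """Replay the shopping-cart example: HTTP on port 80, then HTTPS on 443,
    one connection on a port outside the group, then a return after the
    sticky time (30 s) has elapsed."""
    table = AffinityTable(sticky_time=30, cross_port_groups=((80, 443),))
    pick = make_round_robin(["st1", "st2", "st3"])
    client, t0 = "192.0.2.10", 1000.0  # constructed client address and clock
    return {
        "browse_80": table.choose(client, 80, pick, t0),
        "checkout_443": table.choose(client, 443, pick, t0 + 5),  # same server
        "chat_1533": table.choose(client, 1533, pick, t0 + 6),    # outside group
        "back_after_expiry": table.choose(client, 80, pick, t0 + 5 + 31),
    }


def proxy_collapse(sticky_time: float, n_users: int = 50) -> int:
    """How many distinct back-end servers n users behind one ISP proxy (one
    source IP) are spread over, with requests one second apart."""
    table = AffinityTable(sticky_time=sticky_time)
    pick = make_round_robin(["st1", "st2", "st3"])
    proxy_ip = "203.0.113.7"  # constructed proxy address
    servers = {table.choose(proxy_ip, 1533, pick, 2000.0 + i) for i in range(n_users)}
    return len(servers)


if __name__ == "__main__":
    print(shopping_cart_scenario())
    print("servers used behind one proxy, sticky 30 s:", proxy_collapse(30))
    print("servers used behind one proxy, affinity off:", proxy_collapse(0))
```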
If the cookie value in the client request is not found or does not match any of the
cookie values of the servers, the most appropriate server at that moment will be
chosen by Load Balancer.
This feature applies to both the CBR component and to the Dispatcher’s CBR
forwarding method.
URI affinity
URI affinity allows you to load balance Web traffic to caching proxy servers,
which allow unique content to be cached on each individual server. As a result,
you will effectively increase the capacity of your site’s cache by eliminating
redundant caching of content on multiple machines. You can configure URI
affinity at the rule level, and once it is enabled and the servers are running, then
the load balancer will forward new incoming requests with the same URI to the
same server.
URI affinity applies to the CBR component and to Dispatcher’s CBR forwarding
method.
SSL session ID
During establishment of an SSL encrypted session, a handshake protocol is
used to negotiate a session ID. This handshaking phase consumes a good deal
of CPU power, so directing subsequent HTTPS requests to the same server,
using the already established SSL session, saves processing time and increases
the overall performance of the HTTP server.
Load Balancer watches the packets during the handshake phase and holds
information about the session ID if SSL session negotiation is detected.
The publications listed in this section are considered particularly suitable for a
more detailed discussion of the topics covered in this book.
IBM Redbooks
For information about ordering these publications, see “How to get IBM
Redbooks” on page 837. Note that some of the documents referenced here may
be available in softcopy only.
Extending Sametime 7.5 Building Plug-ins for Sametime, SG24-7346
Lotus Instant Messaging/Web Conferencing (Sametime): Building Sametime
Enabled Applications, SG24-7037
Lotus Sametime 2.0 Deployment Guide, SG24-6206
Online resources
These Web sites are also relevant as further information sources:
Sametime 7.5.1 Information Center
http://publib.boulder.ibm.com/infocenter/sametime/v7r5m1/index.jsp
Sametime Product Page
http://www-142.ibm.com/software/sw-lotus/sametime
Index 841
Create CA key ring file 569 SA Mux in Remote Locations 40
Create CA Server key ring example 573 Separated Community Multiplexing 38
Create Directory Server instance 95 deployment option 22, 25, 28, 30, 38, 43, 64
Create Directory server instance task completion high level overview 46
98 Deployment Option - Dedicated Sametime Servers
Create Key Ring 592 33
Create New Database 387 Deployment Option - Multiple Sametime Servers 33
Create new JKS file 558 Deployment Option - Sametime in the Extranet 46
create new meeting 468 Deployment Option - Single Sametime Server 29
Create New Self Signed Certificate 549 Deployment Options 28
Create stkeys.jks file 557 Deployment Options for High Availability 40
Create the CMS key.kdb file 555, 585 Deployment Phase 1 - Implementing Community
Create the Domino keyfile 591 Services 129
Create the Sametime cluster 218 Deployment Phase I - Implementing Meeting Servic-
Create the WebSphere LTPA key 489 es 281
Creating a database for Sametime EMS on DB2 Deployment Phase II -Integration with other Prod-
724 ucts 329
Creating Domino SSO key 161, 204, 317 Deployment Phase III - Securing the environment
Creating Domino Web Server Configuration data- 537
base 456 Deployment Phase1
Creating new Domino web SSO keys. 203, 316 Planning 668
Creating the qpconfig.xml file 444 Determining different classes of users 23
Creating the self-signed Server Certificate 545 Differences Between Sametime and EMS 704
Cross port affinity 833 direct TCP/IP connection 8, 12, 72
CSEnvironment.prop erties 806–807 call control information 74
Custom advisors 829 Directory Assistance - LDAP 165, 209, 322
Directory Assistance Basic tab 390
Directory Assistance LDAP tab 393
D Directory Assistance Naming Contexts (Rules) tab
Database location and Character set option, 97
391
DB2 Administrator 92, 97
Directory Assistant LDAP Settings 564
DB2 Administrator’s username and password 97
Directory Components 61, 83
DB2® Administrator and password 92
Directory Concepts 81
Default Domino homepage 148, 191, 304, 381, 437
Directory Consideration 59, 83
default port 70–72, 74
Directory Considerations 59
Default Security of Sametime communication and
Directory Considerations specific to Sametime 7.5
saved information
83
539
Directory Information Tree 61, 83, 106
Delete field jpegPhoto from $PersonInheritable-
Directory Information Tree (DIT) 106, 123
Schema 809
Directory location for installation 672
Deploy Clustered Chat Servers 133
Directory Management -> Manage entries 343
Deploy ITSO’s Meeting infrastructure 284
Directory Name 221
Deploy stand-alone MUX servers 220
Directory Server 79, 711, 763, 784
Deploying Sametime 7.0 Connect for Browsers on a
Directory Server Administration Tool 101
Sametime7.5.1 server managed by EMS 683
Directory Server instance - Results 99
Deploying the StAdmin, STServer, and STCenter
-Directory Server successfully added to Web Admin-
(.ear) files
istration tool 104
725
Directory Server Web Administration Tool 100, 118
Deployment Option
Directory Type used by Sametime options 417
Index 843
Enhancements to the Meeting room user interface instant messaging 48
666 instant messaging connectivity 813
Enhancements with Rich text capabilities 640 on-line meeting 51, 54
Enter Import File Name 495 external directory 48, 50
Enter key file database path and file name 584 entirely separate user record 48
Enter label for CA’s Trusted Root Certificate 586 Extracting the downloaded zip file to a directory on
Enter password from the exported certificate 551 your server 679
Enter password of the exported certificate JKCS file
556
Enter your instant messaging user name and pass-
F
Failover in Community Services clusters 43
word 364
fictitious company
Entering the SametimeServer attribute value. 125
ITSO Corp 22
Enterprise Meeting Server 703
ITSO Corporation 23
Enterprise Meeting Server (EMS) 2, 16, 32,
Field - $PersonExtendableSchema subform with
703–704
jpegPhoto field. 809
enterprise-scale deployment 1
File Transfers 539
practice framework 1
Filling in the information to add a cluster 265
Example - deploying a full Sametime Server in AP
first server 734, 822
34
response time 822
Example - servers to be dedicated to chat or meet-
For All Sametime 7.5.1 Servers
ing servers 33
678
Example Business Card 334
For all server platforms 679
Example Meeting Room Client (MRC) 610
For which environments is EMS appropriate 705
Example of a highly redundant architecture 45
Forwarding method 825–826, 828, 833
Example of an account created with only user ac-
Forwarding methods 825
cess rights on the local machine 686
Fully qualified hostname for Sametime server 222
Example of Smart tag integration based on name
"Miles Montgomery" in a word document 523
Example of the Sametime toolbar in Outlook 2003 G
521 GB minimum 65–66, 69–70
Executor 823 Generate and propogate the webserver plugin
Executor started 264 727
Expand containers 344–345 Global Architecture 56–57
Expanding a Community Services Cluster with the Google Talk 740–741
SA Mux 44 user 745
Export PKSCS12 key 551 graphical user interface (GUI) 789
Exporting the certificate 550 Group considerations 62, 86
Extend TDS Schema 386 GSKit 7 Welcome Screen 542
Extendable Applications Platform 12 GSkit 7.0 Installation Directory 542
Extending the LDAP Schema 115 GSKit Installation complete 543
Extending the Schema to add MailFile and
MailServer attributes 126
H
Extending the schema to add NotesDN and Hardware and Software Requirements for EMS
NotesCon. 125 712
Extending the schema to add SametimeServer at- Hardware Server specifications to support Chat or
tribute 116 Meeting services 64
Extension Point 650–651 High Availability Deployment Option - Community
external community 50–51, 53–54, 741 Services Clustering 43
external contact 46–47, 813
Index 845
Install trusted root certificate into key file 575 Isolated External Sametime Meeting Environment
Install WebSphere Portal and configure Security and using Reverse Proxy Access 53
474 Issue - I can log into EMS, but I can't join a meeting
Install WebSphere Portal v6 474 733
Install/Configure the first chat server 133 Issue - I can't log into the EMS server 731
Install/Configure the second chat server 172 Issue 3 - I can't add a Room Server. 734
Installation Complete 139, 183, 296, 376, 431 Issue 4 - My Room Servers won't change status
Installation confirmation window 258 from "ServerDown/Unavailable" to "Running". 735
Installation dialog 670 Issue 5 - Meetings won't go active 736
Installation was successful. 478 ITSO Corporation 16–17, 21, 56–57
Installing and configuring EMS 716 architectural overview diagram 56
Installing GSKit 584 fictitious scenario 21
Installing GSKit on the Sametime Servers 554 ITSO Corporation Geographic Regions 17
Installing GSKit on Tivoli Director Server 574 ITSO’s Sametime Community Infrastructure 130,
Installing GSKit on Tivoli Directory Server 541 283
Installing Sametime Room Server
728
Instant Meeting 29, 39, 712, 813
J
Java Control panel for our User Account 687
specific number 712
Java Message Service (JMS) 704, 711
unlimited number 712
Java Virtual Machine
Instant Meetings 539
page 721
Instant Message (IM) 3, 26, 746, 813
Java Virtual Machine (JVM) 721
Instant Messaging (B2C) – Individual External Con-
jpegPhoto - Binary data 347
tacts. AOL Instant Messenger, Yahoo!, or Google-
jpegPhoto field - Binary data 350
Talk 47
Instructions for installing the client 674
Integrated awareness with Notes Client 657 K
Integrated Sametime within the Notes Client 651 Key Concepts
Internal and External Meeting Servers using Invited Scalability, Performance and High Availability.
Meeting Server Model and Separate Directories 52 14
internal user 48, 749 Key File with Self Signed Certificate. 550
Internet Cross Certificate in Primary Address Book Key file with Server Certificate 583
562 Key Ring Created 593
Internet Cross Certificate Trust for Service 561 Key ring created confirmation Screen 570
Internet Protocal (TCP/IP) Properties 239 Key Ring File password import 594
Internet Protocol (TCP/IP) Properties 245, 247, 251 key.kdb file with signer certificates 577
intraserver connection 71, 75 key.kdb with CA’s Trusted Root Certificate 587
Introduction to Enterprise Meeting Server (EMS) Key.kdb with the imported certificate 557
704
Introduction to the Enterprise Deployment Scenario
L
16 Label for Trusted Root Certificate added to
Introduction to the IBM Edge Server Caching Proxy stkeys.kdb 589
620 Launch - Administration 513
IP address 76, 730, 823, 825 Launch - Domino Integration 510
IP spraying 16, 820, 822 LaunchPad window 254
ipconfig 242 LB Network Configuration 226
ipconfig /all 238 lbadmin 260
Isolated External Sametime Meeting Environment LDAP browser 731–732
50
Index 847
Lotus Sametime 7.5 and Microsoft Office integration MS Outlook 529
521 multiple Sametime server 12, 16, 33, 48, 710
Lotus Sametime 7.5.1 in the Enterprise 1 multiple server 8, 15, 33, 723
Lotus Sametime Connect client extension points user load 15
650 My Team page 518
Lotus Sametime Services 6
Lotus Sametime software
History and Market Leadership 3
N
names sent to STLinks for awareness 413
LTPA 719–720, 806
NAT forwarding - Network flow 827
LTPA Configuration page 492
Native Domino 48, 60, 85, 799–800
LTPA User name field 400
native Domino
LDAP Directory Server 60
M Navigating this chapter 331, 538
MAC forwarding 825 nested group 86, 112
MAC forwarding - Network flow 826 Sample LDIF 112
Mac OS X Nested groups in a schema 112
version 10.4 635 Network Adapters 231
Manage binary data 350 Network Address
Manage binary data - Import 348 Port Translation 826
Manage Console Servers 102 Translation 749, 826
Manage Object classes 120 Network Address Translation (NAT)/ Network Ad-
Manage security properties 552 dress Port Translation (NAPT) 826
Manage Server Properties 108 Network Connections 243
Manage user entries 123 network design 33, 67
Manager 823 network DMZ 745, 748
Manager options 272 Lotus Sametime Gateway 748–749
MB minimum 66, 70 Network interface 266
Meeting Created in Calendar 472 Network topology 26
Meeting Detail 473 Network Topology considerations 25
Meeting Details 520 New Certificate Authority database 566
Meeting options available in this version of Notes IM New Certificate Request 579
655 New Cluster Name 217
Meeting Room Client (MRC) 26, 28, 694, 734 New Directory Assistance database 388
meeting Service 2, 4, 29, 46, 85, 692, 694, 704, New Directory Server instance 94
735, 800 New features in Sametime 7.5 and Sametime 7.5.1
meeting service 632
load distribution solutions 704 New key file name and location 546
Meeting Services 9 New Meeting page details 470
Meeting Services Ports 74, 604 New UI for the Sametime Web Conferencing Wel-
Meetings in Outlook 533 come page 663
Members view with awareness 449 NFA 823
Menu options for Sametime functions 660 Non-forwarding address 823
Merge Trusted Root Certificate Confirmation 595 non-forwarding address (NFA) 823
Metric Server 823–824 Nortel Alteon Controller 821, 831
Modify Sametime.ini 558, 590 Notes 8 Instant Messaging 658
Modify Server Document 596 Notes Client - User Preferences... 359
Monitoring Charts available for Sametime 692 Notes Client Integration with Sametime 353
Monitoring Sametime 692 Notes IM 7.0.2 652
Index 849
Perspective - how this component fits into the overall ing Notes 8 client 659
enterprise Infrastructure 132 Primary Clients for Sametime 7.5.1 27
Pick Up Signed Certificates 580 Primary contact list 646
Planning a Sametime 7.5.1 Deployment 21 Process of building the community infrastructure.
Platform Statistics 696, 698 131
Plug-in integration points 649 Prompt for transcript 656
Plug-in integration points and extensibility for the Protecting Sametime with Reverse Proxies 618
Sametime 7.5.x Connect Client 649 Provide a server name and title 141
plugin_customization.ini 676 Provide Sametime server hostname 361
plugin_customization.ini file configuration 676 Providing the Domino server name & description
Plug-ins 10 140
Populating the Directory Server using an LDIF file.
110
Population Topology 22
Q
QuickPlace administration
Port Diagram for EMS Deployment 715
Other options 467
Port information 268
QuickPlace administration - Edit options 463
Portal is ready to install 477
QuickPlace administration - Other Options 462
Portlet Management - Portlets 514
QuickPlace administration - Server Settings 461
Ports 1533 and 8082 added 269
QuickPlace administration place 442
Ports used by Sametime through Firewalls 599
QuickPlace Integration with Sametime 421
Ports used by the Sametime Server 70
QuickPlace Server Configuration 439
Possible configuration names to pass 355,
QuickPlace SSO login screen 458
414–415
Post Domino Installation / Configuration Steps 146,
189, 302, 379, 435 R
Pre-Domino Install Checklist 134, 177, 290, 370, real-time collaboration 1, 4, 740
425 Real-Time Collaboration (RTC) 632
Prerequisite - Define JAAS Alias real-time communication 1, 7, 46
718 Real-Time Streaming Protocol (RTSP) 76–77
Prerequisite - Define WebSphere Variables Receive Certificate from a file 583
717 Recommended deployment 748
Prerequisite - Enabling LDAP Directory Access and- Recommended installation configurations 745
WebSphere Security Recommended maintenance activities 700
719 Recommended Maintenance Activities for Same-
Prerequisite - Enabling UTF-8 support time Environments 700
721 Record and Playback (RAP) 12
Prerequisite - Installing Domino on the first Room Recorded Meeting Broadcast Services ports 76,
Server 606
722 Recorded Meeting Client 688
Prerequisite - Setup Resources and Create Data Redbooks Web site 837
Source Contact us xviii
718 Referring to the Sametime Information Center for In-
Prerequisite- Creating the Application Servers stallation and Configuration 750
721 regedit 241
Prerequisites Register 2nd chat server 172
717 Register a server 422
Pre-Sametime Install Checklist 149, 192, 305 Register Domino server 172, 285, 367, 422
Pre-Sametime Installation Steps 149, 192, 305 Register meeting server 284
Preview of integrated Instant Messaging in upcom- Register New Server(s) - Add to registration queue
Index 851
Sametime Meeting Room client OK with Anonymous access 444
interactive audio/video components 11 Scalability 14, 820
public chat components 8 Scalability with Sametime Multiplexors 15
video components 74, 77 Scenario - Locked Down Desktops or Limited User
video streams 78 Rights 669
Sametime Meeting Room Client (MRC) 684–685 Scenario - Not Locked down, but can they install it ?
Sametime Meeting Room Client, Sametime Record- 669
ed Meeting Client 662, 684 Scenario - Upgrading Older Client Versions 670
Sametime Mobile 667 Scenario - Using an Update Site 671
Sametime Monitoring Charts 692 Scenario - Wide open and No Restrictions 669
Sametime Server 8, 12, 25, 27–28, 33, 38, 70, 78, Schedule a new meeting page 519
86, 116, 691–692, 704, 733, 740, 748, 800, 805, Schema 111
821, 832 Search for Charles 505
Open stconfig.nsf 806 Searching 61, 85
requirement 64 Section Overview 133
Services 29 Secure Sockets Layer (SSL) 71
Sametime server Securing the Sametime Connect client for desktops
Additional information 695 538
anothor important peice 834 Security 62, 86, 538
backward release 13 Security -- Global Security 490
Community Services 38 Security helper file properties 479
Community Services multiplexer 71 security helper file properties 479
Event Server port 71 Security warming when running GSKit setup,exe
individual capacity 39 541
IP address 77 Select $PersonInheritableSchema Subform 808
main difference 735 Select a language 221
Meeting Services 75 Select Domino Directory Template pubnames.ntf
overall load 38 810
required number 49 Select Downloads 67
schedules meetings 713 Select IP address to listen on 95
server document 735 Select Loopback Adapter 232
Token Server port 72 Select the directory to use for collaboration 151,
Sametime server document - Basics 157, 200, 313 194, 307
Sametime Server requirements 64 selected internal user
Sametime Server Setup 149 Directory records 51, 55
Sametime service 4, 6, 22, 35, 84, 692, 729, 813 Selecting a recorded meeting 689
Sametime Setup 191, 305 Selecting keywords 681
Sametime stcenter.nsf 459, 498 Selecting the Load Balancer server 262
Sametime System Requirements - Minimum re- Send links, graphics, and screen captures to chat
quirements and recommendations 63 partners 640
Sametime’s Server key.kdb file. 585 separate directory 48, 51
Sametime’s Server STKeys.jkx 588 Invited Meeting Server Model 55
Sample plugin_customization.ini 677 Separate External Sametime Meeting Environment
Sample Reverse Proxy config 619 in the DMZ with Selective Directory Replication 51
Save changes 681 Separate External Sametime Meeting Server using
Save Meeting to 471 Invited Meeting Server Model with Separate Directo-
Save the configuration 277 ries and using Reverse Proxy Access 55
Saved passwords 539 Separate External Sametime Meeting Server with
Saved user directory Selective Directory Replication and using Reverse
Index 853
Synchronization of contacts 531
Synchronize the directories 384
System Databases for Domino 188, 301, 379, 435
Systems Management and Maintenance 691

T
Tabbed Chat for multiple Sametime sessions 638
Tabbed chat functionality for Sametime from directly within the Notes Client 662
Tabbed chat sessions 638
TCP/IP Address 249
TCP/IP connection 34, 72, 822
  Sametime protocol 74
TCP/IP packet 822
TDS Administrator’s DN and password. 96
TDS features selection 91
TDS Features to install confirmation screen 93
TDS IP Ports 96
TDS Language Selection 87
TDS License 89
TDS Software installation path 90
TDS Welcome Page 88
Test Awareness in Portal 503
Test Lotus Web Conferencing portlet 517
Test SSO between WebSphere Portal and Sametime. 498
Test the Sametime Contact List Portlet 509
Testing online awareness 463
Testing Online Meetings 468
Testing single sign-on 458
Testing The Business Card Setup 352
Testing the user directory 447
The Applications within EMS 713
The Business Value 742
The client authentication process 538
The meeting creation page has been modified 664
The ping test should reply back with the correct IP 147, 190, 303
Time stamps and other configurable options 642
Tivoli Directory Server Installation 87
Tivoli Directory Server Web Administration Tool 342
top 12, 32, 106, 110, 235, 331, 438, 635, 695, 699, 704, 710, 763–764, 805
top givenname 763–764
Topology recommended for connecting to the AOL®, Yahoo! Messenger™ and Google Talk™ user communities 747
tr0 266
tr1 266
Troubleshooting 529
Troubleshooting EMS 731
Trust operation succeeded 561
Trust Root Certificate Label 578
Trusted Root Certificate 576
Trusted root certificate in notepad 576
Type ahead name searching 645
Types of Directories 59, 84
Typical LDAP DN formats 161, 204, 317

U
UDP port 77–78
  multicast data 77
Understanding different models and scale factors between Community and Meeting Services 710
Understanding the distinguishing features within Sametime 7.5, and Sametime 7.5.1 4, 633
United States 34, 58
update 5, 714–715
Update resolve filter in Sametime. 418
Update sametime.ini 332
Update stlinks.js 333
Update the SSO login form for QuickPlace 455
updated resolve filter including notescon 357
updated resolve filter including NotesDN 420
URI affinity 835
URL 101, 705, 711, 828, 831
Use Canonical name for instant messaging status lookup 360
Use Case 1 - business card-related information is stored in the Sametime Directory 338
Use Case 2 - Business card information for a single user spread across 2 separate and distinct storage repositories 338
Use Case 3 - information is spread across two (2) separate yet similar storage types 340
user xiii, 1, 7, 21–22, 79, 83, 149, 152, 305, 308, 331, 335, 539, 558, 631, 635, 692, 694, 710–711, 740, 746, 763–764, 805–806, 815, 821, 831
user directory 19, 59, 61, 79, 83, 805–806
User directory from QuickPlace administration place 443
User Filter 719
user objectclass 763–764
User Security - People, Services 560
Using Multiple Caching Proxy Servers 623
Back cover

Sametime 7.5.1
Best Practices for Enterprise Scale Deployment

Building and deploying an Enterprise Architecture
Integration with Portal and Domino extended products
System administration and maintenance

This IBM Redbooks publication provides a best practice framework for an enterprise-scale deployment of Sametime 7.5. It covers a range of business collaboration requirements that might typically be found within many large enterprises with geographically dispersed user communities and diverse business requirements for real-time collaboration.

Specifically, we discuss how to plan, install and configure a Sametime 7.5 infrastructure that will scale to meet the needs of a large, globally distributed enterprise. We approach the installation and configuration of Sametime in deployment phases, beginning with implementing the community services (chat functionality) and setting up load balancing. We next implement the online meeting services. Building upon this infrastructure, we then discuss how to integrate Sametime functionality with other IBM/Lotus products, including Microsoft Office. Finally, we complete the environment by discussing aspects of security, administration, and recommended maintenance. Other topics covered in the book include a discussion of the Enterprise Meeting Server and the Sametime Gateway.

INTERNATIONAL TECHNICAL SUPPORT ORGANIZATION
BUILDING TECHNICAL INFORMATION BASED ON PRACTICAL EXPERIENCE

IBM Redbooks are developed by the IBM International Technical Support Organization. Experts from IBM, Customers and Partners from around the world create timely technical information based on realistic scenarios. Specific recommendations are provided to help you implement IT solutions more effectively in your environment.