
Lotus Sametime Entry Version 8.0.2

Version 8.0.2

Lotus Sametime Entry


Installation and Administration Guide

SC23-8758-02


Note: Before using this information and the product it supports, read the information in Notices on page 505.

Edition notice: This edition applies to version 8.0.2 of IBM Lotus Sametime Entry (product number 5724-T65) and to all subsequent releases and modifications until otherwise indicated in new editions.

Copyright IBM Corporation 2007, 2009. US Government Users Restricted Rights: Use, duplication or disclosure restricted by GSA ADP Schedule Contract with IBM Corp.

Contents

Chapter 1. Sametime Server Installation ... 1

Chapter 2. Verifying system requirements ... 3

Chapter 3. Downloading Lotus Sametime files for installation ... 5

Chapter 4. Preparing for a new Sametime installation ... 7
  Planning for your Sametime installation ... 7
  Preparing the AIX, Solaris, or Linux environment ... 9
  Preparing the TCP/IP Environment on i5/OS ... 10
    Verifying host table entries for i5/OS ... 10
    Verifying configuration of existing i5/OS Domino servers ... 10
    Selecting a TCP/IP address for your i5/OS Sametime server ... 11
    Adding a TCP/IP address on i5/OS ... 11
    Updating the host table on i5/OS ... 12
    Updating the Domain Name Server for i5/OS ... 13
    Updating the configuration of existing i5/OS Domino servers ... 14
    Updating the HTTP server configuration on i5/OS ... 15

Chapter 5. Installing a Domino server and clients ... 17
  Planning your Domino configuration ... 17
  Registering a server to an existing Domino domain ... 18
  Installing a Domino server ... 18
    Installing a Domino server on Windows ... 19
    Installing a Domino server on AIX, Linux, or Solaris ... 19
    Installing a Domino server on i5/OS ... 21
  Installing the Notes client and Domino administrative client ... 24
  Verifying your Lotus Domino environment ... 25
    Verifying the Domino Server document settings ... 25
    Verifying the Domino server is accessible ... 28

Chapter 6. Preparing to upgrade an existing Sametime environment ... 29
  Before upgrading ... 29
  Backing up your server data ... 30
  Summary of upgrade considerations by release ... 31
  Upgrading from Instant Messaging Limited Use or Entry to Sametime Standard on i5/OS ... 32

Chapter 7. Installing Sametime ... 35
  Verifying you are prepared to install Sametime ... 35
  Installing a Sametime server on Windows, AIX, Linux or Solaris ... 36
    Installing from a wizard ... 36
    Silently installing Sametime server on AIX, Linux, Windows, or Solaris ... 44
    Installing Sametime using the console on AIX, Linux, Windows, or Solaris ... 45
  Installing Sametime server on i5/OS ... 46
    Verifying authority to install and set up Sametime on i5/OS ... 46
    Pre-accepting the Lotus Sametime software agreements on i5/OS ... 47
    Installing or upgrading Sametime on i5/OS ... 48
    Verifying your i5/OS library list ... 49
    Adding Sametime to an i5/OS Domino Server ... 50
    Completing the upgrade process ... 52
    Upgrading the vpuserinfo.nsf template ... 53
    Migrating user privacy information ... 54
  Verifying the Sametime Server Installation ... 57

Chapter 8. Configuring Sametime ... 61
  Configuring support for IPv6 addressing with Lotus Sametime ... 61
    Configuring Lotus Domino for IPv6 ... 61
    Editing the ststart script on a Linux SuSE server ... 69
    Configuring the Community Services for IPv6 ... 70
    Configuring the Meeting Services for IPv6 ... 72
    Configuring a stand-alone Community Mux for IPv6 ... 74
  Configuring the directory ... 76
    Configuring Sametime to access LDAP ... 76
    Populating the Domino Directory ... 77
  Setting up single sign on authentication ... 78
  Accessing Sametime Instant Messaging from Lotus Notes ... 79

Chapter 9. Installing Sametime Integration for Microsoft Office ... 81
  Installing Office Integration ... 82
    Troubleshooting Microsoft Office integration ... 84
  Installing the Meeting Integrator ... 86
  Setting up Office SharePoint integration ... 87
    Setting up the Office SharePoint Server ... 87
    Verifying the Office SharePoint integration setup ... 91
    Troubleshooting Office SharePoint integration ... 92

Chapter 10. Preparing the Sametime client ... 95
  Before deploying the Sametime Connect client ... 95
  Installing the Sametime Connect client from a CD ... 97
    Installing the Sametime Connect client from CD on Windows ... 97
    Installing the Sametime Connect client from CD on Linux ... 100
    Installing the Sametime Connect client from CD on Mac OS X ... 101
  Automatically upgrading Sametime Connect 8.0 clients ... 102
    Differences between update sites and manifests ... 102
    How the manifest update works ... 103
    Enabling automatic upgrades for Sametime Connect 8.0 clients ... 105
    Making the client installation files available for download ... 107
  Installing the Sametime Connect client from the network ... 108
  Installing optional client features ... 109
    Enabling optional features in the base client install ... 109
    Adding optional features to the client after install ... 111
  Installing client updates from a secured site ... 114

Chapter 11. Uninstalling a Sametime server ... 117
  Uninstalling Sametime server on Windows ... 117
  Uninstalling Sametime server on AIX, Linux, or Solaris ... 118
  Removing Sametime from an i5/OS Domino Server ... 118

Chapter 12. Sametime Server Administration ... 121

Chapter 13. What is Lotus Sametime Entry? ... 123
  Sametime Administration Tool ... 124
  Sametime services ... 125
    Domino Services ... 125
    Community Services ... 126
  Basic networking concepts ... 126
  Configuring the mixed environment ... 127
    The mixed environment on i5/OS ... 128
    Integrating the Limited Use and Entry offerings with Sametime Standard ... 129
    Assign users to an appropriate home Sametime server ... 131
    Preventing instant messaging-only users from creating or attending meetings ... 131
    End user issues in a mixed environment ... 134

Chapter 14. Starting and stopping the Sametime server ... 137
  Starting and stopping a Sametime server on Windows ... 137
  Starting and stopping a Sametime server on AIX, Linux, or Solaris ... 138
  Starting and stopping a Sametime server on i5/OS ... 139
  Restart Chart ... 140

Chapter 15. Using the Sametime Administration Tool ... 157
  Starting the Sametime Administration Tool ... 157
    User name and password requirements ... 157
    Details: Starting the Sametime Administration Tool ... 158
  Overview of the Sametime Administration Tool features ... 158
    Sametime Administration Tool ... 160
    Monitoring the Sametime server ... 161
    Logging Sametime activity ... 161
    Managing users and Domino Directories ... 162
    Managing users and LDAP directories ... 162
    Configuring ports and network connectivity ... 163
    Configuring Community Services ... 163
  Additional administrative tasks ... 164
    Deploying multiple Sametime servers ... 164
    Managing users and LDAP directories ... 164
    Managing security ... 165
    Server Overview feature ... 166
    Message From Administrator feature ... 166
  Adding a new Sametime administrator ... 166
    Create a Person document for the administrator ... 167
    Create an Administrators Group document ... 168
    Add the Administrators Group document to Sametime database ACLs ... 169
    Modifying the Server document of the Sametime server ... 171
    Adding and removing names from an Administrators Group document ... 172
  Roles in Sametime database ACLs ... 172
    Roles in the Sametime Configuration database (stconfig.nsf) ... 173
    Roles in the Domino Directory (names.nsf) ... 173
    Roles in the Domino Web Administration database (webadmin.nsf) ... 174
  Skills the Sametime Administrator needs ... 175

Chapter 16. Special Considerations for Running Sametime on AIX, Linux, and Solaris ... 179
  Setting up AIX or Solaris to run a Sametime server ... 179
  Running a Sametime server as a background process in AIX ... 179
  Considerations for AIX, Linux, and Solaris ... 181

Chapter 17. Managing Sametime users ... 183
  Setting up the Domino Directory ... 183
    Benefits of using a Domino directory ... 183
    The primary Domino directory ... 184
    Directory views used by Sametime ... 184
    Using multiple Domino directories ... 184
    Using Directory Assistance ... 184
    Sharing directory information with Extended Server Directory Catalogs ... 185
    Register users in the Domino Directory ... 186
    Create groups in the Domino Directory ... 188
  Setting up an LDAP directory ... 189
    Set up an LDAP connection ... 190
    Replace the Domino Directory with an LDAP directory ... 211
    Replace the Domino Directory with an LDAP directory for i5/OS ... 224
    Solve token authentication problems ... 225
    Manage buddy lists and privacy lists ... 228
    Use Java classes to customize LDAP directory searches ... 228
  Setting user policy with Sametime ... 237
    What's covered in Sametime Policy ... 237
    About Policy assignment ... 238
    Configuring the server for Policy ... 238
    Policy search filters ... 239
    Policy setting table ... 239
    Settings for server community (default policy) ... 242
    Settings for Instant Messaging only (default policy) ... 243
    Setting new policy for groups ... 245
    Assign users or groups to existing policy groups ... 245
    Policy for anonymous users ... 246
    Policy and LDAP ... 247
    Allowing file transfers ... 247
  Changing user names ... 248
    Changing names with AdminP ... 248
    Changing names ... 256

Chapter 18. Configuring Sametime Connectivity ... 269
  Ports used by the Sametime server ... 269
  Configuring Sametime "Networks and Ports" settings ... 272
    Proxy support for Sametime clients ... 273
    Networks and Ports settings ... 274
    HTTP Services settings ... 276
    Community Services Network settings ... 277
  Community Services connectivity and the home Sametime server ... 283
  Changing the IP address of an i5/OS Sametime server ... 285
  Changing the host name of an i5/OS Sametime server ... 286

Chapter 19. Configuring Lotus Sametime for mobile users ... 289
  Configuring the Lotus Domino server for Lotus Sametime Mobile support ... 289

Chapter 20. Configuring the Community Services ... 291
  About the Community Services ... 291
  Writing custom messages for clients ... 292
  Managing client types and logins ... 294
    The single login type ... 294
    Configuring the preferred login list ... 295
    Forcing users to connect to a home server ... 296
    Client cooperation with the proxy ... 296
  Community Services server configuration settings ... 297
    Number of entries on each page in dialog boxes that show names in the directory ... 298
    How often to poll for new names added to the Sametime Community directory ... 299
    How often to poll for new servers added to the Sametime Community ... 299
    Maximum user and server connections to the Community server ... 300
    Allow users to authenticate using either LTPA or Sametime Tokens (stauths.nsf and stautht.nsf) ... 301
    Allow or disallow virus scanning ... 302
    Anonymous Access Settings for Community Services ... 303
    Anonymous users can participate in meetings or enter virtual places ... 304
    Users of Sametime applications can specify a display name so that they do not appear online as "anonymous." ... 305
    Directory Searching and Browsing options ... 306
    Prohibiting logins from non-secure clients to the server ... 307
    Specifying the security level (minimum allowed client version) ... 308
    Allowing logins from clients that do not conform to the security level ... 310
    Configuring the server to send instant messages to clients that do not conform to the security level ... 311
    Specifying the name to display in the title bar of instant messages sent by the server ... 313
  Deploying a Community Services multiplexer on a separate machine ... 313
    Installing and setting up a separate Community Services multiplexer ... 315

Chapter 21. Business Card ... 321
  Setting up the business card ... 321
    Elements available for Business Card ... 321
    Edit Business Card Attribute values ... 322
  Using repositories ... 323
    Using the single repository with Domino ... 324
    Using the single repository with LDAP ... 326
    Using the dual repository with Domino and LDAP ... 329
    Using the dual repository with Domino and custom ... 332
    Using the dual repository with LDAP and Domino Notes ... 335
    Using the dual repository with LDAP and custom ... 341
  Troubleshooting Business Cards ... 345
    Domino LDAP special configuration data ... 347
    About the User Information servlet application ... 348
    UserInfoConfig Debug tracing ... 348
  Configuring the photo for Business Card ... 349
    Photos in the LDAP directory ... 349
    Photos in the Domino directory ... 350
  Additional configurations for black boxes ... 351
    Retrieving data from a customized database ... 351

Chapter 22. Monitoring the Sametime server ... 355
  Accessing the Monitoring charts ... 356
    General server status ... 356
    Logins ... 357
    Miscellaneous ... 357

Chapter 23. Using the Sametime logging features ... 359
  Server community logins/logouts ... 360
  Server community statistics ... 362
  Community Events ... 363
  Domino log ... 363
  NSD log ... 366
  Sametime log settings ... 366
    General log settings ... 366

Chapter 24. Working with Sametime security ... 369
  Getting started with Sametime security ... 370
    The required fully-qualified server name ... 370
    Basic password authentication and authentication by token ... 370
    User requirements for basic password authentication ... 371
    Changing a user's password ... 374
    Ensuring Sametime servlet access when Domino requires SSL for all connections ... 375
    Domino security and the Web browser connection ... 375
  Using database ACLs for identification and authentication ... 376
    Adding a name to a database Access Control List (ACL) ... 377
    Database ACL settings ... 378
    Anonymous access and database ACLs ... 382
    Basic password authentication and database ACLs ... 384
  Authentication by token using LTPA and Sametime tokens ... 386
    Authentication by token using the Domino Single Sign-On (SSO) feature ... 387
    Altering the Domino Web SSO configuration following the Sametime server installation ... 388
    Manually enabling the Domino SSO feature ... 391
    Using the Sametime custom logon form for SSO ... 394
    Authentication by token using Secrets and Tokens databases ... 396
  Configuring Sametime for SPNEGO single sign-on ... 398
    Sametime SPNEGO login sequence ... 398
    Configuring Sametime to use Active Directory ... 399
    Validating the SPNEGO configuration ... 401
    Configuring the Sametime Connect client for token login ... 401
  Configuring Sametime to use SSL encryption ... 402
    Enabling encryption for Lotus Sametime Services, and between Lotus Sametime and Web browsers ... 402
    Enabling encryption between Lotus Sametime and the LDAP server ... 422

Chapter 25. Deploying multiple Sametime servers ... 437
  About Sametime server clusters ... 437
  Advantages of using multiple Sametime servers ... 437
  Integrating a Sametime server into an existing Sametime community ... 438
    Installing a Sametime server into an existing Sametime community ... 438
    Configuring ports for server-to-server connections ... 442
    Synchronizing the Sametime server with other Sametime servers ... 442
  Extending Sametime to Internet users ... 444
    Positioning a Sametime server in the network DMZ ... 445
    Opening ports on the internal firewall ... 446
    Opening ports on the external firewall ... 449
  Extending a single Sametime community across multiple Domino domains ... 452
    Example of extending a single Sametime community across two Domino domains ... 453

Chapter 26. Setting up a Community Services cluster without clustering the Meeting Services ... 463
  Community Services cluster setup procedures ... 463
    Community Services clustering preparations ... 464
    Deploying an LDAP directory server ... 465
    Installing the Sametime servers for the Community Services cluster ... 466
    Creating a Domino server cluster ... 466
    Setting up replication of Sametime databases ... 468
    (Optional) Deploying separate Community Services multiplexers ... 470
    Set up the load-balancing mechanism (rotating DNS or Network Dispatcher) ... 476
    Creating a cluster document in the Configuration database (stconfig.nsf) ... 478
    Copying a cluster document to other Sametime servers in the community ... 479
    Configuring client connectivity for the Community Services cluster ... 480
  Adding a server to the Community Services cluster ... 484
  Creating multiple Community Services clusters in a single Sametime community ... 485
  Rotating DNS Limitations with cached DNS resolve requests ... 486

Chapter 27. Using the StdebugTool.exe utility ... 489
  Running the StdebugTool.exe utility ... 489
    Trace file location ... 490
    Step-by-step example of running the StdebugTool.exe utility ... 490

Chapter 28. Configuring SiteMinder for the Lotus Sametime server ... 493
  Creating configuration objects for Sametime ... 493
  Configuring realms for Lotus Sametime ... 494
  Installing and configuring the SiteMinder Web Agent ... 496
  Add the DSAPI filter file name to the Domino Directory ... 498
  Enabling SiteMinder for Lotus Sametime ... 498

Chapter 29. Troubleshooting ... 499

Chapter 30. Glossary ... 501

Notices ... 505
  Trademarks ... 507

Index ... 509

Chapter 1. Sametime Server Installation


Sametime Server Installation tells you where to find system requirements and installation, configuration, upgrade, and administration information.


Chapter 2. Verifying system requirements


Before installing IBM Lotus Sametime, install the supported hardware and software.

Before you begin


System requirements for Release 8.0.2 of the Lotus Sametime family of products are maintained as an IBM Tech Note at the following Web address:
http://www.ibm.com/support/docview.wss?rs=477&uid=swg27013765


Chapter 3. Downloading Lotus Sametime files for installation


IBM enables users to download IBM Lotus Sametime installation kits from the Passport Advantage Web site.

Before you begin


You must have a Passport Advantage account with IBM to use this facility. For more information on using Passport Advantage, see the following Web address:
www.ibm.com/software/howtobuy/passportadvantage/paocustomer/docs/en_US/ecare.html

About this task


The Sametime 8.0.2 Download document contains a complete listing of required and optional parts for this release. Locate the components you need in the document's listing, and download the packages labelled with the corresponding part numbers. You can view the Download document at the following Web address:
www.ibm.com/support/docview.wss?rs=477&uid=swg24020732


Chapter 4. Preparing for a new Sametime installation


Prepare your environment for a new Sametime installation.

Planning for your Sametime installation


The following IBM Lotus Sametime features should be considered prior to installing Lotus Sametime.

Directory Type
You can configure IBM Lotus Sametime to use the Domino directory or to connect to an LDAP directory on a third-party server. The install procedure and the information you need are different depending on the type of directory you select. When Lotus Sametime is configured to connect to an LDAP directory, Sametime users are managed in an LDAP directory on another server. If you plan to use an LDAP directory, consult with your LDAP administrator before installing Sametime. Be prepared to specify at least the information necessary to connect to your LDAP server. For more details, see Verifying you are prepared to install Sametime.

If you decide to use a Domino Directory, you need to consider whether you will set up a new Domino server in a new Domino domain or whether you will set up a new Domino server and add it to an existing Domino domain. Refer to Planning your Domino configuration on page 17.

Domino server dedicated to Sametime


It is always recommended that you set up a new Domino server for running Sametime. The server should only be used for Sametime. For AIX, Solaris, Linux and i5/OS, you can use a new partitioned Domino server running on the same server computer with existing Domino servers.

Clustering Community Services


If you have a large number of Sametime users, you can install multiple Sametime servers and cluster the Community Services for load balancing and to reduce network usage. However, you must install one Sametime server at a time. For example, if you have three Domino servers installed and you want to install Lotus Sametime on all three Domino servers, you would have to do three separate Sametime installs. For more information, see Setting up a Community Services cluster without clustering the Meeting Services.

Clustering Meeting Services


If you have a large number of Sametime servers and want to cluster Meeting Services, you can use the IBM Lotus Sametime Enterprise Meeting Server to provide load balancing and failover support for meetings (Web conferences). The Sametime Enterprise Meeting Server is the central component of a Sametime Meeting Services cluster, providing the end-user interface, administration tool, and meeting management functionality for all Sametime servers in the Meeting Services cluster. You install the Sametime Enterprise Meeting Server on a separate computer and then add each of your Sametime servers to the Meeting Services cluster.

Note: The Sametime Enterprise Meeting Server is not a component of Sametime; it is a distinct product that must be purchased from IBM separately. For more information, see Sametime Enterprise Meeting Server.

Sametime Conversion Services


This feature converts files to slides for display in a meeting. Conversion services can run as an integrated function of your Sametime server or on a standalone Windows server. If you plan to make extensive use of Sametime Conversion Services, it is preferable to run this feature on a standalone Windows server. A remote conversion server provides more robust performance, and better-quality rendering of slides for non-Windows Sametime servers. Even for Windows Sametime servers, remote conversion has the advantage of off-loading the workload associated with file conversion. For additional information refer to About Sametime Conversion Services.

Network performance
For optimal performance, the Sametime server should be placed at a centrally-located network backbone to reduce the number of network hops between clients and the server. Ideally, there should be no more than one WAN hop for every possible client to server connection. Clients that make multiple WAN hops to connect to the server will experience slower performance than clients connecting through a LAN or making one WAN hop to the server. For organizations that have large networks, it may be necessary to install multiple Sametime servers to reduce the number of WAN hops for clients. For more information about working with multiple Sametime servers, see Deploying Multiple Sametime servers.

National language considerations


You do not need to select a language when installing Sametime. The language displayed for Sametime interfaces is primarily determined by the individual user's language settings. However, it is recommended that you install the Domino language pack that corresponds to the language used by the majority of your Sametime users. If no language pack exists for your language on your preferred platform, see the Technotes, available at http://www.ibm.com/software/support, for information on how to localize the Domino server.

Installing Sametime Entry or Sametime Instant Messaging Limited Use


The installation procedures described here apply to all versions of Sametime: Sametime Standard, Sametime Instant Messaging Limited Use, and Sametime Entry. If you plan to use a mixture of these different Sametime server types in your environment, there are special configuration requirements to ensure that each of your users can access only the Sametime features they are entitled to use. See Configuring the mixed environment.

Installing in an environment with other Sametime servers


Even if you have decided not to cluster your Lotus Sametime servers, there are special considerations when installing Sametime in an environment with other Sametime servers. When multiple Sametime servers are installed, you must synchronize the Sametime servers to operate as a single community. See Deploying multiple Sametime servers.

Preparing the AIX, Solaris, or Linux environment


Set up the environment on a computer running IBM AIX, Linux, or Sun Solaris before installing IBM Lotus Domino and IBM Lotus Sametime.

About this task


Before you attempt to install IBM Lotus Domino and Lotus Sametime on a computer, you must set up the environment as described below.

1. You must log in as root to install the Lotus Domino and Lotus Sametime server.

2. You must have a designated OS user that is used to start the Sametime server, and this user must be a part of a designated OS group. The default user is "notes" and the default group is also "notes," but any non-root user name and group can be used. To verify that the designated OS user is part of the OS group, type the following, where dominoUserName is the name of the notes user:

groups dominoUserName

For example, if you type groups notes and get the return value of notes, this indicates that the user name "notes" is a part of the group "notes".

3. Verify the amount of disk space you have. Make sure that the file system has at least 1GB of disk space. Type the following command:

df -k

Note: If you are installing from a downloaded image rather than a CD, you must also consider the disk space required for the *.tar install files and the unpacked install files, which need approximately 2GB of disk space.

4. (AIX only) The Input Output Completion Protocol (IOCP) must be installed and configured. If it is not, the Domino setup will not begin, and you will get the following error:

Your system is not configured with I/O Completion Ports. I/O Completion Ports must be installed

5. (Linux RHEL only) Disable SELinux on any RedHat operating system:
   a. Open the /etc/selinux/config file for editing.
   b. Locate the SELINUX setting.
   c. Change its value to either disabled or permissive.
   d. Save and close the file.
   e. Restart the Linux server.

6. Additional preparation is necessary if you plan to install Sametime on a partitioned Domino server on AIX, Linux or Solaris:
   a. Ensure that each partitioned server has a unique IP address. You can map multiple IP addresses to one network card using the ifconfig command:

ifconfig device alias new_IP_address netmask subnet

For example:

ifconfig en0 alias 9.3.187.209 netmask 255.255.255.128

   b. Ensure that each partitioned server has a DNS name that maps to its unique IP address. If a DNS name can be resolved to multiple IP addresses, be sure to read the "multi-homed" notes in Installing partitioned Domino servers on AIX, Linux or Solaris.
   c. It is recommended (but not required) that each partitioned server be run by a unique user account. Create a new UNIX Notes user for each partitioned server that you plan to install. You can use a single notes group for all partitions.
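The environment checks in the procedure above, written as an added pre-flight script; this is not part of the IBM guide. It assumes the default "notes" user and group, an install file system of /local, and reads the list of partition addresses from an environment variable (all of these are assumptions, overridable in the environment).

```shell
#!/bin/sh
# Pre-flight check for a Sametime/Domino host on AIX, Linux or Solaris.
# Added example, not part of the IBM guide. It encodes the guide's checks:
# the designated OS user belongs to the designated group, the file system has
# at least 1 GB free (2 GB when installing from a downloaded image), SELinux is
# disabled or permissive on RHEL, and partitioned servers use distinct addresses.
# The defaults below are assumptions; override them in the environment.

NOTES_USER="${NOTES_USER:-notes}"
NOTES_GROUP="${NOTES_GROUP:-notes}"
INSTALL_FS="${INSTALL_FS:-/local}"      # assumed file system for Domino and Sametime
KB_PER_GB=1048576

# Return 0 when group $2 appears in a `groups` output line $1.
# Handles both "user : grp1 grp2" (Linux) and "grp1 grp2" (AIX/Solaris) formats.
group_listed() {
  _list=$(printf '%s\n' "$1" | sed 's/^[^:]*://')
  for _g in $_list; do
    [ "$_g" = "$2" ] && return 0
  done
  return 1
}

# Return 0 when $1 KB of free space meets the requirement: 1 GB for a CD install,
# 2 GB when $2 is "download" (the *.tar files plus the unpacked install files).
space_ok() {
  _need=$KB_PER_GB
  [ "${2:-cd}" = "download" ] && _need=$((2 * KB_PER_GB))
  [ "$1" -ge "$_need" ]
}

# Print the SELINUX= value from an /etc/selinux/config style file read on stdin.
# Commented-out lines are ignored; the last effective setting wins.
selinux_setting() {
  sed -n 's/^[[:space:]]*SELINUX=[[:space:]]*\([A-Za-z]*\).*/\1/p' | tail -n 1
}

# Return 0 when the SELinux mode is one the guide accepts (disabled or permissive).
selinux_mode_ok() {
  case "$1" in
    disabled|permissive) return 0 ;;
    *) return 1 ;;
  esac
}

# Return 0 when every address in the space-separated list $1 is distinct.
# Each partitioned Domino server must bind its own IP address.
addresses_unique() {
  _seen=" "
  for _a in $1; do
    case "$_seen" in *" $_a "*) return 1 ;; esac
    _seen="$_seen$_a "
  done
  return 0
}

# Live checks against this host: prints PASS/FAIL per item, returns 1 on any failure.
run_preflight() {
  _rc=0
  if [ "$(id -u)" -ne 0 ]; then echo "FAIL: run the install as root"; _rc=1; fi
  if group_listed "$(groups "$NOTES_USER" 2>/dev/null)" "$NOTES_GROUP"; then
    echo "PASS: $NOTES_USER is in group $NOTES_GROUP"
  else
    echo "FAIL: $NOTES_USER is not in group $NOTES_GROUP"; _rc=1
  fi
  _free=$(df -kP "$INSTALL_FS" 2>/dev/null | awk 'NR==2 {print $4}')
  if space_ok "${_free:-0}" "${INSTALL_KIND:-cd}"; then
    echo "PASS: ${_free} KB free on $INSTALL_FS"
  else
    echo "FAIL: only ${_free:-0} KB free on $INSTALL_FS"; _rc=1
  fi
  if [ -r /etc/selinux/config ]; then
    _mode=$(selinux_setting < /etc/selinux/config)
    if selinux_mode_ok "$_mode"; then
      echo "PASS: SELINUX=$_mode"
    else
      echo "FAIL: SELINUX=$_mode (set disabled or permissive, then restart)"; _rc=1
    fi
  fi
  if [ -n "${PARTITION_ADDRS:-}" ]; then    # e.g. "9.3.187.209 9.3.187.210"
    if addresses_unique "$PARTITION_ADDRS"; then
      echo "PASS: partition addresses are distinct"
    else
      echo "FAIL: duplicate address in PARTITION_ADDRS"; _rc=1
    fi
  fi
  return $_rc
}

# Run with --run to check the local host; the functions can also be sourced and reused.
case "${1:-}" in --run) run_preflight ;; esac
```

Set INSTALL_KIND=download when installing from a downloaded image so the 2GB requirement is applied.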

Preparing the TCP/IP Environment on i5/OS


Your IBM Lotus Sametime server must be configured to use one or more specific TCP/IP addresses so that it will not attempt to share TCP/IP ports with any other HTTP servers on your system.

About this task


This section guides you through the process of verifying your TCP/IP configuration, making changes if necessary to resolve conflicts between servers, and gathering the TCP/IP information that you will need to configure your Sametime server.

Verifying host table entries for i5/OS


Verify the host table entries that are already defined on your i5/OS server.

About this task


To verify your host table entries, follow these steps:

1. From any i5/OS command line, type the following command and press Enter:

CFGTCP

2. On the Configure TCP/IP display, select option 10 to work with TCP/IP Host Table entries.

3. Record each host name and the corresponding TCP/IP address, as you may need this information later.


Verifying configuration of existing i5/OS Domino servers


Determine which TCP/IP addresses are currently being used by your Domino servers.

About this task


Note: If you do not have any Domino servers configured on your system, you can skip this section.

To determine which TCP/IP addresses are currently being used by your Domino servers, follow these steps. From an i5/OS command interface, sign on to your server.

Note: The following steps assume that your Domino servers are already started.

1. Verify the current TCP/IP addresses for each Domino server by entering the following command:

WRKDOMCSL servername

2. From the Domino Console display, type the following command and press Enter:

sh port tcpip

3. Press F5 to refresh the screen.
- If the server is using only one TCP/IP address, you will see a specific TCP/IP Local Address listed using port 1352. For example, 10.1.2.3:1352.
- If the server is using all active TCP/IP addresses, you will see *:1352 displayed as the Local Address rather than a particular TCP/IP address.

4. Record the results for each Domino server, as you will use this information later.

Selecting a TCP/IP address for your i5/OS Sametime server


Determine which TCP/IP addresses are already defined on your system and decide which address you will use for your IBM Lotus Sametime server. You will also need to determine whether you need to define additional TCP/IP addresses to avoid conflicts between servers.

About this task


1. Determine which TCP/IP addresses are currently defined for your system:
- From any i5/OS command line, type the following command and press Enter:

CFGTCP

- On the Configure TCP/IP display, select option 1 to Work with TCP/IP interfaces and display a list of the currently defined TCP/IP interfaces.

2. Verify that each of the TCP/IP addresses you recorded when you looked at the Host Table or ran the 'sh port tcpip' command is currently defined.

3. Verify that the system has enough TCP/IP addresses defined so that you can assign at least one for the exclusive use of each of the following:
- Your Sametime server
- Each existing Domino server
- Each instance of the IBM HTTP server running on your system

4. Contact your network administrator to assign additional TCP/IP addresses and host names if needed. Ensure that the new host names are also added to your Domain Name Server (DNS).

5. Select the TCP/IP address you will assign to your Sametime server.

6. Decide which TCP/IP addresses should be assigned to each existing Domino server and each instance of the IBM HTTP server.

7. Record this information, as you will use it later to ensure that existing servers are properly bound to specific IP addresses so that their port usage does not conflict with your Sametime server.

Adding a TCP/IP address on i5/OS


To configure an additional TCP/IP address for i5/OS, complete this task.

About this task


If you did not need to assign additional TCP/IP addresses, you can skip this topic.

1. From any i5/OS command line, type the following command and press Enter:

CFGTCP

2. Select option 1 to work with TCP/IP interfaces.

3. On the Work with TCP/IP Interfaces display, type a 1 in the Opt column and press Enter to add a TCP/IP interface.

4. On the Add TCP/IP Interface display, enter the following information for each field:

Internet Address: Specify the TCP/IP address you want to add. For example, enter 10.1.2.4.
Line Description: Specify the name of the line description for your LAN adapter. For example, enter TRNLINE.
Subnet Mask: Specify the subnet mask that is appropriate for your interface. For example, enter 255.255.255.0.

5. Press Enter to add the new interface and return to the Work with TCP/IP Interfaces display.

6. To start an interface, type a 9 beside it and press Enter.

Updating the host table on i5/OS


Add an entry in the i5/OS host table for your IBM Lotus Sametime server.

About this task


To add a host table entry for your Sametime server, follow these steps:

1. From any i5/OS command line, type the following command and press Enter:

CFGTCP

2. Type 10 and press Enter to work with TCP/IP host table entries.

3. If one of the TCP/IP addresses that you selected is not listed in the Host Table, follow these steps to add a new entry:
- Type a 1 in the Opt column next to the blank Internet Address and press Enter to add a Host Table Entry.
- When the Add TCP/IP Host Table Entry display appears, enter the following information for each field:

Internet Address: Enter the TCP/IP address that you assigned to the Domino server. For example, enter 10.1.2.4.
Host name: Enter the fully qualified name of the Domino server as the host name. For example, enter stdom1.acme.com.

Note: Although you can add multiple host names for the same IP address, make sure you list the fully qualified name for your Domino server first, before any alternative short names.
- Press Enter to create the Host Table Entry.

4. Follow these steps to update an existing Host Table Entry:
Note: If the TCP/IP address you want to use is listed in the table, but the corresponding Domino server is not listed as one of the possible host names for that address, you must update the existing host table entry to include the additional host name.
- Type a 2 in the Opt column next to the Internet Address and press Enter to change the Host Table Entry.
- When the Change TCP/IP Host Table Entry display appears, you may need to Page Down to view the currently defined list of host names.
- When you have displayed the last host name, enter a '+' in the '+ for more values' prompt and press Enter.
- When the Specify More Values for Parameter HOSTNAME display appears, replace an existing host name or one of the *SAME entries with the fully qualified name of your Domino server (for example, stdom1.acme.com).
Note: The fully qualified name of your Domino server must be listed first in this table.
- Press Enter to update the host name. Press Enter again to change the Host Table Entry.

Note: You can remove a host name for an Internet Address by following the above steps to update the Host Table Entry and replacing the host name with *BLANK.


Updating the Domain Name Server for i5/OS


If you defined any additional host names, work with your TCP/IP administrator to ensure that the new host names are added to your Domain Name Server (DNS).

About this task


If you have configured TCP/IP to search the DNS before searching the host table, you may need to make additional changes in your configuration. Follow these steps to check your TCP/IP Configuration Properties:

1. From any i5/OS command line, type the following command and press Enter:

CFGTCP

2. On the Configure TCP/IP display, type 12 and press Enter to change the TCP/IP domain information.

3. On the Change TCP/IP Domain (CHGTCPDMN) display, look for the "Host name search priority" setting.
- If the value is *REMOTE, either change this value to *LOCAL or verify with your network administrator that the fully qualified host name is the first value listed in the DNS for the IP address associated with your Sametime server. The fully qualified host name must be listed before any short names in order for your Sametime server to function correctly.
- If the value of this field is *LOCAL, you do not need to take any further action. You already ensured that the fully qualified host name was listed first in your local host table in an earlier step.

CAUTION: If you change the "Search order" you must stop and restart TCP/IP in order for the change to take effect.

4. Press F3 to exit.


Updating the configuration of existing i5/OS Domino servers


Ensure your existing Lotus Domino servers are correctly bound to the specific fully qualified host names that you have assigned to them. This will prevent them from conflicting with your IBM Lotus Sametime server. If necessary, you will modify the existing Lotus Domino server settings to enable partitioning and specify a unique fully qualified host name.

About this task


Even if you changed your server's fully qualified host name by modifying the server's notes.ini file, the change may not have been made in the server document. This procedure updates both the server document and the notes.ini file.

1. Using a profile with the authorities listed in Chapter 1, end the Domino server, if it is active, by typing the following command and pressing Enter:

ENDDOMSVR DOM1

where DOM1 is the name of the Domino server.
Note: Ending the Domino server may take a few minutes.

2. Change the Domino server settings by typing the following command and pressing F4:

CHGDOMSVR DOM1

where DOM1 is the name of the Domino server.

3. In the Advanced services field, you should see *PARTITION or *ALL. If neither value is specified, then specify *PARTITION.

4. In the Internet Address field, enter the fully qualified host name for this Domino server.

5. Press Enter. If the changes to the server settings were successful, the following message is displayed:

Command CHGDOMSVR ended successfully.

6. Restart the Domino server by typing the following command and pressing Enter:

STRDOMSVR DOM1

where DOM1 is the name of the Domino server.
Note: Starting the Domino server may take a few minutes.

7. Using a Domino Administrator client, edit the server settings in the Server document so that the Domino HTTP server binds to the specific host name:
- Select the Configuration tab.
- In the left pane, click Server and select All Server Documents.
- Open the server document for the Domino server and click the Edit Server button.
- Select the Internet Protocols tab, and then select the HTTP tab.
- In the Host name(s) field, verify the DNS name for the TCP/IP address that you specified in the Change Domino Server command.
- In the Bind to host name field, select Enabled.
- Select the Ports tab, then select the Internet Ports tab, then select the Web tab.
- Verify in the HTTP settings that the TCP/IP port has a port number specified. The default port number is 80.
- Click Save and Close.

8. Stop and restart the Domino server.

9. When the Domino server has restarted, access it through a Notes client or a Web browser to make sure it is still accessible using TCP/IP.


Updating the HTTP server configuration on i5/OS


Your IBM Lotus Sametime server will use the Lotus Domino HTTP server. It is possible that you may have already configured IBM HTTP Server for i5/OS on your system for other applications. If so, then you must verify that each instance of the HTTP server is bound to a specific TCP/IP address. This will prevent it from conflicting with your Lotus Sametime server.

About this task


To change the HTTP server settings using commands, follow these steps:

1. If the HTTP server is currently running, type the following command on any i5/OS command line and press Enter to end it:

ENDTCPSVR SERVER(*HTTP)

2. Start the HTTP Administration server by typing the following command and pressing Enter:

STRTCPSVR SERVER(*HTTP) HTTPSVR(*ADMIN)

3. Open the IBM HTTP server configurations page:
- Start your Web browser.
- Enter the following URL: http://mysystem:2001 where mysystem is the name of your system.
- Click IBM Web Administration for i5/OS.
- Select the Manage tab.
- Select the HTTP Servers tab.

4. Select a configuration from the menu at the top of the screen, and complete the following items for each configured instance of the HTTP server:
- From the list on the left pane, select General Server Configuration.
- In the right pane, find the IP address and port table in the section called Server IP address and ports to listen on.
- If one of the rows in the table has an asterisk (*) in the IP Address column, then the server is listening on all IP addresses. Select that row. Replace the asterisk (*) with the IP address for this server and click Continue.
- When finished updating the server IP address table, click Apply to save your changes.

5. When each instance of the HTTP server is configured to use a specific IP address, restart the HTTP servers by typing the following command and pressing Enter:

STRTCPSVR SERVER(*HTTP)


Chapter 5. Installing a Domino server and clients


This chapter provides general instructions for installing and setting up an IBM Lotus Domino server that you will use to run Lotus Sametime.

Before you begin


If you have never installed and set up a Domino server, it is strongly recommended that you refer to the Lotus Domino documentation to get a full understanding of how to install and set up a Domino server.

About this task


For general instructions, click any of the following topics for information on installing and setting up a Domino server:

Planning your Domino configuration


Your IBM Lotus Sametime server will run on a Lotus Domino server. Consider the following before installing the Lotus Domino server you will use for Lotus Sametime.

- You must install the Lotus Sametime server on a Lotus Domino server. For information on supported releases of Lotus Domino, refer to the Detailed Requirements tech note for the current Lotus Sametime release at the following Web address:

http://www.ibm.com/support/docview.wss?rs=477&uid=swg27013765

- Lotus Sametime uses the directory, security, and replication features of the Domino server. The Sametime server should be completely dedicated to supporting the real-time, interactive communication services of Lotus Sametime. Therefore, it is highly recommended that you create a new Domino server for running Sametime and do not use the Sametime server for other high-demand Domino services such as mail storage and routing, application and database storage, or centralized directory and administration services. IBM AIX, Linux, Sun Solaris and IBM i (the new name for IBM i5/OS) can run multiple partitioned Domino servers on the same system. For these server platforms, you can create a new Domino server on the same system as your existing production server. (For i5/OS, adding Sametime to an existing production server is not supported.)

- If you already have a Domino server configured in the environment where you will install Sametime, you have the option of setting up the Sametime environment in one of the following ways:
  - Install a new Domino server in a new Domino domain for running Sametime.
  - Add a new Domino server to the existing Domino domain for running Sametime.
  If you do not have any Domino servers configured in the environment where you plan to install Sametime, then you will install a new Domino server in a new Domino domain.

Using a new Lotus Domino server in a new domain for running Lotus Sametime

When you install a new Domino server in a new Domino domain for running Sametime:
- The Sametime server is in its own Domino domain and additional configuration is required to access Domino servers outside the domain.
- No users are in the Domino Directory at the time the server is created, other than the server administrator. Therefore, if you select the Domino Directory as the user repository for your Sametime server, you will need to add all of your Sametime users to the Domino Directory. See Populating the Lotus Domino directory.

Using a new Lotus Domino server in an existing Lotus Domino domain for running Lotus Sametime

When you use a new Domino server in an existing Domino domain for running Sametime:
- The Domino Directory is shared by all of the servers in the domain. Users can see all members registered in the Domino Directory and determine if they are online.
- If you select the Domino Directory as the user repository, you will not need to add these users to the directory. However, before a user can use Sametime, the user's directory entry must be updated with the name of a home Sametime server and an Internet password. See Populating the Lotus Domino directory.
- If you choose to add a server to an existing Domino domain for use as a Lotus Sametime server, you need to register the server before installing Domino. See Registering Domino server with an existing Domino domain.

Registering a server to an existing Domino domain


Register a server to an existing IBM Lotus Domino domain for use as an IBM Lotus Sametime server.

About this task


If you are adding a server to an existing Domino domain for use as a Sametime server, you need to register the server before you can install Domino. When you do so, make sure to specify the following settings during registration:

1. Store the server ID file that is created during registration somewhere on the system where you will configure the Sametime server. Record the path name; you will need to specify it when you configure the Sametime server.

2. Use the same network name as the first Domino server in the Domino domain.

What to do next
The registration process creates a Server document in the Domino Directory.

Installing a Domino server


IBM Lotus Sametime runs on an IBM Lotus Domino server. After reviewing the steps for Planning your Domino server configuration, install a Domino server by completing the process for your server platform:


Installing a Domino server on Windows


Step-by-step instructions for installing the IBM Lotus Domino server as the first server in a Lotus Domino domain are provided. These steps describe a basic Lotus Domino server installation that can support IBM Lotus Sametime.

About this task


To install Lotus Domino on a Windows platform, follow these steps.

1. Run the install program (setup.exe), which is on the Domino server installation CD.
2. Read the Welcome screen, and click Next. Then read the License Agreement and click Yes.
3. Enter the administrator's name and the company name. Do not elect to install Lotus Domino on partitioned servers.
4. Choose the program and data directory in which to copy the software. Make note of the locations you provide for the Domino program and data directories. You will need this information when you install Lotus Sametime. Click Next.
5. Select "Domino Enterprise Server" as the server type.
6. Click Next to accept all components.
7. Specify the program folder or accept Lotus Applications as the program folder that will contain the software.
8. Click Finish to complete the install program.
9. Choose Start - Programs - Lotus Applications - Lotus Domino Server to start the Server Setup program.

What to do next
Using the Domino Server Setup Program Locally: After installing Domino, the first time you start the server, the Domino Server Setup Program launches. The Server Setup program asks a series of questions and guides you through the setup process.

Installing a Domino server on AIX, Linux, or Solaris


If you are installing a new IBM Lotus Domino server for your IBM Lotus Sametime server, use these general directions.

About this task


The Lotus Domino installation programs for all versions of UNIX are simply scripts that ask for configuration information and then install the software in the appropriate directories. The instructions below are provided to remind you of the necessary steps to install Lotus Domino; this procedure assumes that you have a working knowledge of Domino administration.

To install Lotus Domino:

1. Place the CD in the CD-ROM drive.
2. Become the root user by logging in as the root user or using the "su" command. Open Operations Navigator.
3. Mount the Lotus Domino CD for your server platform (AIX, Solaris or Linux) to make it available. You can mount the CD using the SMIT utility or the appropriate version of the following command:

mount -r -v cdrfs /dev/cd0 /cdrom

4. Using the above example, change to the /cdrom directory and start the installation script using the following command:

./install

5. Follow the directions on each panel of the script, making sure to retain the information you provide for the location of the Domino executable directory and the Domino data directory. You will need this information when you install Lotus Sametime.

What to do next
If you are installing partitioned Domino servers, see Installing partitioned Domino servers on AIX, Linux or Solaris. After you have installed the Domino server, you must start and stop the Domino server at least once before installing the Sametime server. This allows certain files to be created that Lotus Sametime needs in order to install correctly.

Installing partitioned Domino servers on AIX, Linux or Solaris


To install and configure partitioned IBM Lotus Domino servers on AIX, Linux, or Solaris, you need to perform several additional steps.

About this task


When installing Lotus Domino:

1. When prompted to install more than one Lotus Domino server on this computer, click Yes.
2. When prompted for the location of the data directory and the Notes user account, be sure to specify a unique location for the data directory and the appropriate user name for each partitioned server.

After installation completes, configure the Lotus Domino servers:

1. Configure each server using the notes user account. For example, log in as notes and run /opt/lotus/bin/server to configure the first server. Then log out, log in as notes2 and configure the second server, and so on.
2. During configuration, make sure that any field referring to the server's name or IP address is set up properly. By default, the IP address and server name fields for each configuration contain the IP address and server name of the first server. For each additional server, you must update these fields so that they are appropriate for that partition.
3. After configuration for each server is complete, complete the following steps for each partitioned Lotus Domino server:
- Start the Lotus Domino server.
- Open a browser and go to the server's Lotus Domino Directory (usually names.nsf).
- Open the Server document for this particular Lotus Domino server.
- Choose Internet Protocols / HTTP tab and fill in the Host name with the fully qualified name of the server, and then enable Bind to host name. For multi-homed servers, do not enter the host name; instead enter all IP addresses into the Host name field.
- Save and close the server document.
- Open the notes.ini file and add the following field, where server_ip is the IP address of this partition:

TCPIP_TcpIpAddress=0,(server_ip):1352

After configuring the Lotus Domino servers:

1. Start each partitioned Lotus Domino server, one at a time.
2. Verify each server has successfully started.
3. Verify no errors are reported.
4. Stop each Lotus Domino server.
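The per-partition network steps above (one IP per partition, a DNS name that maps to it, and the TCPIP_TcpIpAddress line in notes.ini) as a script, together with a check for listeners that still show the *:1352 form described under "Verifying configuration of existing i5/OS Domino servers". This is an added example, not code from the IBM guide; it assumes a POSIX sh with awk, sed, sort and uniq, a writable notes.ini, and getent(1) for the name-resolution check.

```shell
#!/bin/sh
# Per-partition network checks for partitioned Domino servers on AIX, Linux or Solaris.
# Added example, not part of the IBM guide. Assumes POSIX sh, awk, sed, sort/uniq,
# and getent(1) for the name-resolution check.

# Each partition needs its own IP address: fail if any address is listed twice.
ips_are_unique() {
  if printf '%s\n' "$@" | sort | uniq -d | grep -q .; then
    return 1
  fi
  return 0
}

# The notes.ini setting from the guide that pins NRPC (port 1352) to one address.
bind_line() {
  printf 'TCPIP_TcpIpAddress=0,%s:1352\n' "$1"
}

# Add or replace TCPIP_TcpIpAddress in notes.ini so this partition listens only on
# its own IP instead of every interface. Idempotent: re-running changes nothing.
set_bind_line() {
  ini=$1 ip=$2
  line=$(bind_line "$ip")
  if grep -q '^TCPIP_TcpIpAddress=' "$ini"; then
    awk -v l="$line" '/^TCPIP_TcpIpAddress=/ { print l; next } { print }' "$ini" > "$ini.tmp" \
      && mv "$ini.tmp" "$ini"
  else
    printf '%s\n' "$line" >> "$ini"
  fi
}

# Print the IP a notes.ini currently binds to (nothing if the setting is absent).
bound_ip() {
  sed -n 's/^TCPIP_TcpIpAddress=0,\(.*\):1352$/\1/p' "$1"
}

# Does the partition's DNS (or hosts-table) name resolve to its IP?
# A name that resolves to several addresses is the guide's "multi-homed" case,
# where the Host name field takes all of the server's IP addresses instead.
name_maps_to_ip() {
  name=$1 ip=$2
  getent hosts "$name" | awk -v want="$ip" '$1 == want { found = 1 } END { exit !found }'
}

# Flag listeners bound to every interface in a "Local Address" listing such as the
# output of "sh port tcpip" (one "address:port" per line on stdin). "*:1352" means
# the server is not pinned to a partition address, as described in the guide.
wildcard_listeners() {
  awk '{ a = $1; sub(/:[^:]*$/, "", a); if (a == "*" || a == "0.0.0.0") print $1 }'
}

# Check one partition end to end; run ips_are_unique over all partitions first.
# Usage: check_partition <notes.ini> <fqdn> <ip>
check_partition() {
  ini=$1 name=$2 ip=$3
  set_bind_line "$ini" "$ip"
  [ "$(bound_ip "$ini")" = "$ip" ] || { echo "FAIL: $ini does not bind to $ip"; return 1; }
  if name_maps_to_ip "$name" "$ip"; then
    echo "OK: $name -> $ip, notes.ini pinned to $ip:1352"
  else
    echo "WARN: $name does not resolve to $ip; check DNS or the multi-homed notes"
  fi
}
```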

Installing a Domino server on i5/OS


Follow these steps to set up a Lotus Domino server in a new Lotus Domino domain. If you are not installing Lotus Domino in a new Lotus Domino domain, see Adding a Domino server to an existing Domino domain on i5/OS.

1. Launch the appropriate Domino wizard, depending on whether or not you have already installed Domino:
- If you have not already installed Domino, launch the Domino InstallShield Wizard from a Windows workstation by running the setup.exe file located on the Domino product CD-ROM. Once you complete the installation, you are given the option to launch the Domino Server Setup Wizard to configure a Domino server.
- If you have already installed Domino, launch the Domino Server Setup Wizard from a Windows workstation by running the domwzd.exe file located on the Domino product CD-ROM.

2. Follow the instructions on each wizard display to configure the new Domino server. Be sure to specify that you are configuring a Domino server in a new domain. If you need help with a particular setting, click Help.

3. Configure the Domino server with the following settings:
Note: This chapter only documents settings that directly apply to this Sametime installation. For settings that are not documented below, you can enter your own values.

Server Name: Enter the name of the new Domino server where you will add Sametime. For example, specify STDOM1.
Advanced server settings: Specify Yes for Enable server partitioning to allow multiple Domino servers to run on the same system.
Domain Name: Enter the name of the Domino domain. For example, enter Acme.
Administrator's Name and Password: Specify the Domino administrator's name. This administrator will also be the Sametime server administrator. Specify a password for the Domino Administrator.
Internet Services: Select Web Browsers (HTTP services). Sametime requires that you use the Domino HTTP server. Deselect Directory Services (LDAP services). Even if you plan to use an LDAP directory, you should not run it on the same server where you run Sametime.
Domino Network Settings: Click Customize to view the Advanced Network Settings.
Advanced Network Settings: Click the checkbox associated with the IP address for this server. Ensure that only one checkbox is selected. You must edit the Host Name field and replace the IP address with the fully qualified Internet host name for this server. Type over the IP address displayed in the Host Name column and replace it with the fully qualified host name for the server. For example, STDOM1.ACME.COM. You must press Enter for the change to take effect. Also, type the fully qualified host name in the field at the bottom of the display. When finished, click OK and continue until Domino server setup is complete.

4. Start the Domino server if it is not already started.

Adding a Domino server to an existing Domino domain on i5/OS


To add a Lotus Domino server to an existing Lotus Domino domain, follow these steps:

1. Register the additional server for your normal operating environment. You must specify the following settings during registration:
- Store the server ID file that is created during registration somewhere on the system where you will configure the Sametime server. Record the path name; you will need to specify it when you configure the Sametime server.
- Change the owner of the ID file to Qnotes by right-clicking the file in iSeries Navigator and selecting Permissions.
- Use the same network name as the first Lotus Domino server in the Lotus Domino domain.

2. Launch the appropriate Domino wizard, depending on whether or not you have already installed Domino:
- If you have not already installed Domino, launch the Domino InstallShield Wizard from a Windows workstation by running the setup.exe file located on the Domino product CD-ROM. Once you complete the installation, you are given the option to launch the Domino Server Setup Wizard to configure a Domino server.
- If you have already installed Domino, launch the Domino Server Setup Wizard from a Windows workstation by running the domwzd.exe file located on the Domino product CD-ROM.

3. Follow the instructions on each wizard display to complete the addition of the new Domino server. Be sure to specify that you are configuring an additional Domino server in an existing domain. If you need help with a particular setting, click Help.

4. Configure the Domino server with the following settings:
Note: This chapter only documents settings that directly apply to this Sametime installation. For settings that are not documented below, you can enter your own values.

Registered Name: Provide the registered name of the additional Domino server where you will add Sametime. For example, specify Sales1/Acme.
Advanced server settings: Specify Yes for Enable server partitioning to allow multiple Domino servers to run on the same system.
Internet Services: Select Web Browsers (HTTP services). Sametime requires that you use the Domino HTTP server. Deselect Directory Services (LDAP services). Even if you plan to use an LDAP directory, you should not run it on the same server where you run Sametime.
Domino Network Settings: Click Customize to view the Advanced Network Settings.
Advanced Network Settings: Click the checkbox associated with the IP address for this server. Ensure that only one checkbox is selected. You must edit the Host Name field and replace the IP address with the fully qualified Internet host name for this server. Type over the IP address displayed in the Host Name column and replace it with the fully qualified host name for the server. For example, STDOM1.ACME.COM. You must press Enter for the change to take effect. Also, type the fully qualified host name in the field at the bottom of the display. When finished, click OK and continue until Domino server setup is complete.


Installing the Notes client and Domino administrative client


Use the IBM Lotus Domino software that shipped with IBM Lotus Sametime to install and configure the Domino Administrator and IBM Lotus Notes clients on the administration workstation.

Before you begin


To administer the Domino server, you must install and configure at least one Microsoft Windows PC as the administration workstation.

About this task


Note: Before you can install the Domino and Lotus Notes clients, you must install and set up the Domino server.

To install and configure the Domino Administrator and Lotus Notes clients:

1. Insert the Lotus Notes Client CD into the PC you plan to use as the administrator's workstation.
2. Follow the instructions on each panel of the Lotus Notes installation wizard, selecting to install both the Domino Administrator and Lotus Notes clients.
3. Copy the certifier ID and administrator ID files from the Domino data directory of your Domino server to the Lotus Notes data directory of the Administrator workstation. You can use File Transfer Protocol (FTP) or another method, or you can let the initial communications between the server and administration workstation copy the files for you automatically.
4. If necessary, start the Domino Server.
5. Open Lotus Notes.
6. Follow the instructions in the setup wizard to configure the Lotus Notes client. If you have moved the certifier and administrator ID files to the PC you have designated as your administration workstation, indicate the correct location when asked. If you have not copied the ID files, simply provide the administrator user name you specified during HTTP setup. You will be prompted for the password for this ID. The ID files will be copied and stored on your administration workstation for you automatically.

What to do next
When you have set up the Domino Administrator and Lotus Notes clients, you are ready to begin preparing the Domino server for Lotus Sametime installation.

Verifying your Lotus Domino environment


Verify your Lotus Domino server environment.

Verifying the Domino Server document settings


After installing the Lotus Domino server and before installing IBM Lotus Sametime, you should edit the Lotus Domino server document to make sure the fields are completed as described below.

About this task


1. Start the Domino server. The steps for starting and stopping a Domino server are the same as for starting and stopping a Sametime server. See the following for more information:
   - Starting and stopping a Sametime server on Windows
   - Starting and stopping a Sametime server on AIX, Linux or Solaris
   - Starting and stopping a Sametime server on i5/OS
   Note: Starting the Domino server may take a few minutes.
2. Open the Domino Administrator client and click the Configuration tab.
3. Expand the Server section and then click All Server Documents.
4. Open the Server document for the Domino server on which you are installing Lotus Sametime. Use the table below to verify the appropriate values for the fields in the Server document. Make changes to the document if necessary.

Server document fields and the values to verify:

Basics tab
- Fully qualified Internet host name: This field is completed during the Domino server install, and should contain the fully qualified host name as known by the DNS server. In a test environment, the local hosts table can be used as well as DNS. Note: This CANNOT be a numeric IP address.
- Load Internet configurations from Server\Internet Sites documents: Disabled
- Directory assistance database name: If a Directory Assistance database does not already exist on the server, Sametime will create one during server installation and this field will be set to da.nsf.
- Directory Type: Make sure this field says "Primary Domino Directory." If this field contains "Configuration Directory," shut down the Domino server and replicate names.nsf from a master server. Master servers have a Directory Type of Primary Domino Directory. If you are unsure about a server, check the Directory Type field in the Server document.

Security tab
- Administrators: This field is completed during the Domino server install, and should contain the name of the Sametime administrator. If not, click the arrow to select a name from an address book.
- Internet authentication: Default is "Fewer name variations with higher security", the recommended setting for tighter security. Select "More name variations with lower security" if Domino Directory authentication is being used and you want users to be able to use short names.
- Access server: Leave this field blank if possible. If you do include entries, you must add the following to the list of trusted directories: Sametime Development/Lotus Notes Companion Products
- Run unrestricted methods and operations: After you install the Sametime server, this field should include these entries: the name of the server, the name of the administrator, and Sametime Development/Lotus Notes Companion Products. Note: If you have signed agents with an additional signature, include that name here as well.

Ports - Notes Network Ports tab
- Port: TCPIP. Note: This must be typed exactly as shown in all uppercase letters or you will not be able to add Lotus Sametime to this server.
- Protocol: TCP
- Net Address: The fully qualified host name for the Domino server as known by the DNS server. This should match both the fully qualified Internet host name on the Basics tab above and the Host Name on the Internet Protocols - HTTP tab below. Commonly: computername.internetdomain.com. For example, stdom1.acme.com. Note: This CANNOT be a numeric IP address.

Ports - Internet Ports - Web tab
- TCP/IP port number: 80 (or 8088 if tunneling is being used)
- TCP/IP port status: Enabled
- Name & password: Yes
- Anonymous: Yes

Internet Protocols - HTTP tab
- Host name: The fully qualified host name of the Domino server as known by the DNS server. This should match both the fully qualified Internet host name on the Basics tab above and the Net Address on the Ports - Notes Network Ports tab above. Commonly: computername.internetdomain.com. For example: stserver1.acme.com. Note: Normally, this CANNOT be a numeric IP address. For AIX, Linux or Solaris servers with multiple valid IP addresses (multi-homed), enter all of the IP addresses instead of the host name.
- Bind to Host name: Disable for Microsoft Windows servers, and for IBM AIX, Linux, and Solaris servers when not using partitioned Domino servers. Enable for i5/OS servers, and for IBM AIX, Linux, and Solaris servers when using partitioned Domino servers.
- Allow HTTP clients to browse databases: Yes (enable) for portals; otherwise not necessary.
- Home URL: This field is set to "stcenter.nsf" during Lotus Sametime installation.
- DSAPI filter file names: If this field is set to NDOLEXTN (Domino Offline Services), remove the value and leave this field blank.

Internet Protocols - Domino Web Engine tab
- Session Authentication: This field is set to Multiple Servers (SSO) during Sametime installation. If single sign on (SSO) is not being used, you can change this to single-server.
- Web SSO Configuration: This field is set to LtpaToken during Sametime installation.
- Java servlet support: Domino Servlet Manager

5. Click Save and Close, if you made changes.
6. Stop and restart the Domino server for the changes to take effect.
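As an added example that is not part of the IBM guide, the following POSIX shell functions check the three host-name fields the table requires to agree (Basics "Fully qualified Internet host name", Notes Network Ports "Net Address", HTTP "Host name") and reject a numeric IP address in any of them; the values are passed as arguments copied from the Server document, and the multi-homed AIX/Linux/Solaris case, where the HTTP host name holds an IP list, is deliberately not covered.

```shell
#!/bin/sh
# Added example, not part of the IBM guide: verify the host-name fields that
# the Server document table says must agree. Values are passed in as copied
# from the Domino Administrator client; nothing here reads names.nsf.

# Return 0 if $1 is a dotted-quad IPv4 address (four decimal octets, each 0-255).
is_numeric_ip() {
    ip=$1
    case "$ip" in
        ""|*[!0-9.]*|.*|*.|*..*) return 1 ;;   # letters, empty, or malformed dots
    esac
    n=0
    old_ifs=$IFS
    IFS=.
    for octet in $ip; do
        n=$((n + 1))
        if [ "$octet" -gt 255 ]; then
            IFS=$old_ifs
            return 1
        fi
    done
    IFS=$old_ifs
    [ "$n" -eq 4 ]
}

# Usage: check_server_hostnames BASICS_FQDN NET_ADDRESS HTTP_HOST_NAME
# Returns 0 when all three fields carry the same fully qualified name
# (compared case-insensitively) and none of them is a numeric IP address.
# The multi-homed case, where the HTTP host name holds a list of IP
# addresses instead of a name, is intentionally not handled here.
check_server_hostnames() {
    basics=$(printf '%s' "$1" | tr 'A-Z' 'a-z')
    netaddr=$(printf '%s' "$2" | tr 'A-Z' 'a-z')
    httphost=$(printf '%s' "$3" | tr 'A-Z' 'a-z')
    for value in "$basics" "$netaddr" "$httphost"; do
        if [ -z "$value" ]; then
            echo "error: a host-name field is empty" >&2
            return 1
        fi
        if is_numeric_ip "$value"; then
            echo "error: '$value' is a numeric IP address; the fields must hold the DNS host name" >&2
            return 1
        fi
        case "$value" in
            *.*) ;;
            *) echo "error: '$value' is not a fully qualified host name" >&2; return 1 ;;
        esac
    done
    if [ "$basics" != "$netaddr" ] || [ "$basics" != "$httphost" ]; then
        echo "error: fields disagree: Basics='$basics' Net Address='$netaddr' HTTP Host name='$httphost'" >&2
        return 1
    fi
    return 0
}

# Constructed sample values, as they would be copied from the three tabs.
if check_server_hostnames "stdom1.acme.com" "stdom1.acme.com" "STDOM1.acme.com"; then
    echo "Server document host-name fields are consistent"
fi
```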

Verifying the Domino server is accessible


Before installing IBM Lotus Sametime, verify that the IBM Lotus Domino server is accessible from client workstations.

About this task


Test client access (using HTTP) to a Lotus Notes database hosted on your Lotus Domino server. Start a Web browser on the workstation and attempt to access names.nsf (or some other convenient database) by entering the following address into the location bar:

http://hostname.yourco.com/names.nsf

If you have set names.nsf to be inaccessible from clients, test with a database that clients can access.

If you can sign on using the server administrator ID and internet password to view the contents of names.nsf, the Domino server is accessible and ready for installation of Sametime.


Chapter 6. Preparing to upgrade an existing Sametime environment


If you are upgrading an IBM Lotus Sametime installation to any version of Lotus Sametime 8.0.2 (Standard, Entry or Instant Messaging Limited Use), this section contains information that you need to know.

Before upgrading
Before upgrading to IBM Lotus Sametime 8.0.2, determine whether you need to additionally upgrade your Lotus Domino and your operating system releases, and decide whether to preserve your existing Lotus Sametime data. Different releases of Lotus Sametime support different upgrade paths:

- IBM Lotus Sametime 8.0.2 supports upgrades of Lotus Sametime 3.1, 6.5.1, 7.x, and 8.x. If your current version is installed on a version of Domino earlier than 7.0, you must upgrade the Domino server to at least 7.0 before upgrading your current installation of Lotus Sametime to 8.0.2.
- For Lotus Sametime versions prior to 3.1, either uninstall the earlier version before installing Lotus Sametime 8.0.2, or first upgrade to 3.1, 6.5.1, 7.x, or 8.x before upgrading to Sametime 8.0.2.
- If you are upgrading a Sametime server that is managed by the IBM Lotus Sametime Enterprise Meeting Server, you must remove the Sametime server from the Enterprise Meeting Server before performing the upgrade. Once the upgrade is complete, add the Sametime server back in to the Enterprise Meeting Server.
- When upgrading Lotus Sametime on Microsoft Windows, IBM AIX, Linux or Solaris, the install program provides the option of preserving your existing Lotus Sametime data, which includes meeting information, contact lists and configuration settings, or overwriting this information.
- For IBM i5/OS Sametime servers: The i5/OS installation program always preserves the Lotus Sametime data on existing servers. If you do not want to preserve the Lotus Sametime data, remove Lotus Sametime from the server (RMVLSTDOM command) and then add it to the server again (ADDLSTDOM command). V5R3 or later is required; V6R1 is required for IPv6 addressing. You must upgrade to at least V5R3 before installing Lotus Sametime 8.0.2.

Lotus Sametime releases prior to Lotus Sametime 3.1 are not supported on i5/OS V5R3 or later; if you are running a release of Lotus Sametime prior to 3.1, consider upgrading to Lotus Sametime 3.1 or 6.5.1 (on Lotus Domino 6.0.3/6.5.0 or later) before upgrading the operating system. Consider other Lotus Domino servers and related Lotus products that may be running on the same system in your upgrade plans. Make sure that your currently installed server releases are all supported on the new operating system level. For the most up to date and detailed information about the combinations of Domino, Sametime, and other Lotus Domino related product releases that are supported on current i5/OS releases, see the Lotus Software for i5/OS Compatibility Guide on the Web at: http://www.ibm.com/systems/i/software/domino/pdf/releasesupport.pdf

Copyright IBM Corp. 2007, 2009


If your current Lotus Sametime servers are running on a Lotus Domino release that is not supported by Lotus Sametime 8.0.2, your Lotus Sametime servers must be upgraded to a supported Lotus Domino release before installing Lotus Sametime 8.0.2. Lotus Sametime servers that are running a multiversion-capable Lotus Domino release are not updated automatically when you install a new release of Lotus Domino. You must manually update your Lotus Sametime servers to the newer Lotus Domino release by running the UPDDOMSVR command before installing Lotus Sametime 8.0.2. If you neglect to upgrade an existing Lotus Sametime server to a supported level of Lotus Domino before upgrading to Lotus Sametime 8.0.2, the upgrade will fail for that server. To correct this problem, you must update the server to a supported level of Lotus Domino and then install Lotus Sametime again.

Backing up your server data


Before installing IBM Lotus Sametime, you should back up all important server data.

About this task


- names.nsf - This is optional if you can replicate from another Domino server.
- notes.ini - Back up this file for possible reference after upgrade.
- da.nsf - Back up this file if you are using directory assistance.
- vpuserinfo.nsf - This contains user storage and privacy information, such as buddy lists.
- meetingserver.ini, sametime.ini, stconfig.nsf (It is not necessary to back up these files on i5/OS as they are saved automatically during the upgrade process.)
- All recorded meeting files (.rap)
- All customized data files, templates or applications (.ntf, .mdm, .scr, .bmp, .mac, .smi, .tbl)
- All ID files, desktop.dsk, and pubnames.ntf.


Summary of upgrade considerations by release


The following table summarizes considerations for upgrading to IBM Lotus Sametime from previous releases.
Upgrading from Sametime 8.0.1 or earlier:
- Carefully verify that your system satisfies all of the Sametime 8.0.2 system requirements. Sametime 8.0.2 requires Lotus Domino 7.0 or later.
- For i5/OS: During upgrade to standard Sametime 8.0.2, web conferencing is enabled on all existing Sametime servers, even if it had been previously disabled. If necessary, run the CHGLSTDOM command to disable web conferencing on selected servers after upgrade. See "Enabling or disabling Web Conferencing for an i5/OS Sametime server".
- For servers with Web Conferencing capability: If you are currently using a remote slide conversion server, upgrading to Sametime 8.0.2 Conversion Services is recommended. For information about upgrading Conversion Services from previous Sametime releases, see "About Sametime Conversion Services".

Upgrading from Sametime 7.5.1 or earlier:
- All considerations listed above.
- For servers with Web Conferencing capability: If you are currently running Sametime Conversion Services on a separate system, you must upgrade to an 8.0.x version of Sametime Conversion Services. Sametime 8.0.2 servers cannot use a release of Sametime Conversion Services prior to 8.0; Sametime 8.0.2 Conversion Services is recommended. For information about upgrading Conversion Services from previous Sametime releases, see "About Sametime Conversion Services".
- For i5/OS: Installation of a Language Pack is no longer required in order to run Sametime in languages other than English.

Upgrading from Sametime 7.5 or earlier:
- All considerations listed above.
- For servers with Web Conferencing capability: Sametime 7.5.1 introduced a new option for running slide conversion services natively on your AIX, Solaris or i5/OS Sametime server. For all server platforms, the method for configuring slide conversion services changed in 7.5.1. See "About Sametime Conversion Services" for more information.

Upgrading from Sametime 7.0 or earlier:
- All considerations listed above.
- The format for storing privacy information changed in Sametime 7.5. When upgrading to Sametime 8.0.2 from Sametime 7.0 or earlier, stored privacy information appears to be lost. A utility is available that you can run after upgrading your server to migrate the privacy information to the new format. See "Migrating user privacy information".

Upgrading from Sametime 6.5.1 or earlier:
- All considerations listed above.
- The format of the Key Store used for SSL changed in Sametime 7.0. See "Using SSL with Sametime."

Upgrading from Instant Messaging Limited Use or Entry to Sametime Standard on i5/OS
IBM Lotus Sametime for IBM i5/OS allows you to easily upgrade from the Instant Messaging Limited Use or Entry version of Lotus Sametime to the same release of Lotus Sametime Standard. Because upgrading to Lotus Sametime Standard only requires installing an additional product option (option 1), you can perform the upgrade with minimal disruption to your existing environment.

Before you begin


This topic applies only if you are upgrading the feature set of your Lotus Sametime server, not the release number itself. If you are upgrading the release (for example, from 8.0.1 to 8.0.2), follow the standard upgrade instructions detailed elsewhere in this section. Note: If you are upgrading an Entry or Instant Messaging Limited Use version of Sametime 8.0.1 or earlier to Lotus Sametime Standard 8.0.2, this section is not applicable. When upgrading to 8.0.2 from any previous release, whether Entry, Limited Use or Sametime Standard, simply follow the standard upgrade instructions detailed elsewhere in this section.

About this task


If you are already using the Instant Messaging Limited Use or Entry version of Lotus Sametime 8.0.2, then you have already performed many of the tasks necessary to support Lotus Sametime Standard. This topic provides the remaining steps necessary to upgrade an existing environment where only the *BASE product option is installed, to a Lotus Sametime Standard environment featuring the Web Conferencing capabilities of product option 1. Note: When upgrading to Lotus Sametime Standard, all existing Instant Messaging Limited Use or Entry servers are automatically upgraded to Lotus Sametime Standard servers. If you want to change any of the servers back to Instant Messaging Limited Use or Entry servers, see Enabling or disabling Web Conferencing for an i5/OS Sametime server.


To upgrade to Lotus Sametime Standard, follow the steps below.

1. Verify that the following software is installed on your system: i5/OS - Portable Application Solutions Environment (PASE), 5722SS1 or 5761SS1, option 33.
2. To upgrade by installing only option 1, you must use the downloaded image of Sametime Standard 8.0.2 for i5/OS. The CD-ROM media always installs both product options of Lotus Sametime, 5724J23, *BASE and option 1, so it is not suitable for this procedure. The downloaded image for Lotus Sametime Standard contains instructions for installing both product options, *BASE and option 1. Complete only the steps that pertain to installing from the savefile called Q5724J23WC which contains option 1.
3. Start the server and complete the steps in Verifying the Sametime Server installation to verify the Web conferencing capabilities of your server.


Chapter 7. Installing Sametime


Before you begin

These instructions are appropriate for all types of IBM Lotus Sametime server installations, including:

- New Sametime installation
- Upgrade to existing Sametime installation
- All versions of Sametime: Standard, Entry and Instant Messaging Limited Use

Verifying you are prepared to install Sametime


Before starting the IBM Lotus Sametime installation verify that you are prepared to do so.

Before you begin


Make sure you have completed the following:
- Reviewed the Sametime Release Notes for last-minute changes or additions that may impact the server install.
- Verified that the required hardware and software components are in place and working.
- Verified that your Domino server is properly configured and you can access it from a web browser using the server administrator ID and internet password. See Verifying your Domino environment.
- Backups are complete. See Backing up your server data.

Make sure you have the following information about your Domino server:
- The fully qualified host name
- The location of the Domino data directory
- For Windows, AIX and Solaris: the location of the Domino program directory

Make sure you know the type of directory (Domino Directory or LDAP directory) that you are going to use.
- If your organization uses LDAP directories, you should select LDAP as the directory type during the server installation.
- For Windows, AIX, Linux and Solaris, the installation program allows you to specify all of the information necessary to fully configure the connection and access to a single LDAP server. For i5/OS, you can specify basic LDAP connection information when adding Sametime to your Domino server. For all server platforms you can complete or change the LDAP configuration using the Sametime Administration tool after installing your Sametime server.
- If you select LDAP directory, be prepared to specify at least the following information during server installation:
  - Fully qualified host name of the LDAP server
  - IP Port number that Sametime will use to connect to the LDAP server
  - Bind distinguished name (DN): the name that the Sametime server will use when binding to the LDAP directory. If not specified, the LDAP server must allow anonymous access from the Sametime server.
  - Bind password: the password associated with the Bind distinguished name
  - Administrator name (DN): the distinguished name of an LDAP administrator with authority to browse the LDAP directory. This is used when configuring policies and may be the same as the Bind distinguished name.
  Note: If you do not know this information, contact your LDAP administrator. If the Sametime server cannot connect to the LDAP server, the server will not start.

For AIX, Linux and Solaris:
- Make sure that the Domino server was installed as root. See Preparing the AIX, Linux, or Solaris Environment for additional information.
- Verify that neither the lotus bin directory (by default /opt/ibm/lotus/bin) nor the Domino program directory is in your $PATH environment variable. The default Domino program directory is:
  AIX: /opt/ibm/lotus/notes/latest/ibmpow
  Linux: /opt/ibm/lotus/notes/latest/linux
  Solaris: /opt/ibm/lotus/notes/latest/sunspa
  Note: The server install will not run if either directory is in your $PATH.

For the server computer where you plan to install Sametime:
- Temporarily disable any screen savers and turn off any virus-detection software.
- For Windows, AIX, Solaris and Linux servers: Complete any pending reboot actions you may have from installing other applications. Make sure that all applications on the server computer (including the Domino Server Administrator and the Web browser) are closed. All Domino services must be stopped. Otherwise, you might corrupt any shared files and the installation program might not run properly.
- For i5/OS servers: shut down any existing Sametime servers.
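As an added pre-flight check that is not part of the IBM guide, the following POSIX shell functions test whether the Lotus bin directory or the platform's default Domino program directory is a component of PATH, matching whole components so that a directory with a longer name does not trigger a false alarm; a Domino server installed somewhere other than the default location needs its real program directory passed as the third argument.

```shell
#!/bin/sh
# Added example, not part of the IBM guide: confirm before starting the
# installer that neither the Lotus bin directory nor the Domino program
# directory is in PATH, since the guide states the install will not run
# if either one is.

# Usage: dir_in_path DIR [PATH_VALUE]
# Returns 0 if DIR is a whole component of PATH_VALUE (default: $PATH).
# Wrapping both sides in colons makes the match exact per component, so
# /opt/ibm/lotus/bin does not match /opt/ibm/lotus/bin2; a trailing slash
# on either side is tolerated.
dir_in_path() {
    dir=${1%/}
    path=${2-$PATH}
    case ":$path:" in
        *":$dir:"*|*":$dir/:"*) return 0 ;;
    esac
    return 1
}

# Usage: check_install_path PLATFORM [PATH_VALUE] [DOMINO_PROGRAM_DIR]
# PLATFORM is aix, linux or solaris and selects the guide's default Domino
# program directory unless DOMINO_PROGRAM_DIR overrides it. Returns 0 when
# PATH is clean, otherwise 1 after naming each offending directory.
check_install_path() {
    platform=$1
    path=${2-$PATH}
    lotus_bin=/opt/ibm/lotus/bin
    case "$platform" in
        aix)     domino_prog=/opt/ibm/lotus/notes/latest/ibmpow ;;
        linux)   domino_prog=/opt/ibm/lotus/notes/latest/linux ;;
        solaris) domino_prog=/opt/ibm/lotus/notes/latest/sunspa ;;
        *) echo "error: unknown platform '$platform' (expected aix, linux or solaris)" >&2; return 1 ;;
    esac
    domino_prog=${3:-$domino_prog}
    status=0
    for dir in "$lotus_bin" "$domino_prog"; do
        if dir_in_path "$dir" "$path"; then
            echo "error: $dir is in PATH; remove it before running the Sametime installer" >&2
            status=1
        fi
    done
    return $status
}

# Constructed demonstration: check the current shell's PATH for a Linux install.
if check_install_path linux; then
    echo "PATH is clean; the installer can run"
fi
```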

Installing a Sametime server on Windows, AIX, Linux or Solaris


This section describes the various methods for installing an IBM Lotus Sametime server on Windows, AIX, Linux or Solaris servers.

Installing from a wizard


Launch the interactive install wizard on the server to install an IBM Lotus Sametime server from a CD-ROM or a downloaded image.

About this task


This section describes the most common method for installing a Sametime server.

Running the Sametime installation wizard on Windows


Follow the steps in this section to run the interactive IBM Lotus Sametime installation wizard from a Windows server. This should be the same computer where your IBM Lotus Domino server is located (for a new Sametime installation) or where an existing Sametime server is located (for a Sametime upgrade).


About this task


Note: If you get the message "Lotus Sametime Server Requires IBM Lotus Domino" during installation, that means a supported Domino server version was not found. Click Cancel, install the appropriate version of IBM Lotus Domino, and then restart the installation.

To install Lotus Sametime on Microsoft Windows:

1. Make sure you have read and completed the steps in Verifying you are prepared to install Sametime.
2. For a new Lotus Sametime installation, shut down the Domino server. If upgrading Lotus Sametime, shut down the Lotus Sametime server.
3. Insert the Lotus Sametime installation CD in the CD-ROM drive for the system. The CD loads and the main dialog box displays. (If you are installing from an image that you have downloaded, extract the image and double click Server\setupwin32.exe.)
4. Select the language to be used for the install wizard.
5. When the Welcome page is displayed, click Next.
6. Read and accept the License agreement and then click Next.
7. Specify the Lotus Domino data directory where Lotus Sametime should be installed. This should be the data directory specified when you installed the Lotus Domino server.
8. If this is a new installation, choose Install a new instance. If you are upgrading from a previous version, choose how to upgrade your current version:
   - Install a new instance - Select this option to remove all Sametime data from the existing Sametime server (including meeting information, contact lists and configuration settings) and begin with a clean installation of Sametime.
   - Upgrade existing instance - Select this option to preserve your existing data and upgrade the existing installation of Lotus Sametime.
9. If the Lotus Domino server ID is password protected, enter the password and click Next.
10. For new Lotus Sametime server installations and upgrades from Instant Messaging Limited Use or a Sametime version prior to 7.5.1, specify the server to use for slide conversion. If upgrading from Lotus Sametime 7.5.1, this prompt is not shown and the existing slide conversion configuration is preserved. See About Sametime conversion services for more information.
   - Use this Lotus Sametime server - Select this option if you prefer to run the slide conversion services natively on your Sametime server or if you are not prepared to configure a separate conversion server at this time. You can choose to configure a remote conversion server at a later time.
   - Use Lotus Sametime slide conversion server - Select this option if you prefer to use a remote conversion server and are prepared to provide the Host name and port at this time.
   When finished, click Next.
   Note: If you are upgrading a server, the directory type and tunneling options in the following steps are not presented, and the current configuration is preserved.
11. Select the type of directory to use for your user repository: Domino directory or LDAP directory. If you select Domino directory, click Next and proceed to Step 12. If you select LDAP directory, specify the following:
   - Fully qualified host name of the LDAP server.
   - IP Port number that Sametime will use to connect to the LDAP server.
   To specify settings for the Sametime server to use to access the LDAP directory, select Advanced LDAP Configuration and click Next. When you select Advanced LDAP Configuration, six additional panels are displayed. It is recommended that you at least specify how Lotus Sametime will bind to the LDAP directory. If you do not specify this information, Lotus Sametime may not be able to connect to the LDAP server and the server will not start until you take corrective action. On the first of the six Advanced LDAP Configuration panels, select Anonymous access or Authenticated access. If you select Authenticated access, you must also specify the following:
   - Bind distinguished name (DN) - the name that Sametime will use when binding to the LDAP directory
   - Bind password - the password associated with the Bind distinguished name
   Click Next to review the remaining LDAP configuration panels and update the configuration if necessary. If you are not certain of the settings to use at this time, the settings can be modified later using the Sametime Administration Tool.
12. For the field Enable HTTP tunneling, specify how you will connect to the Sametime server, and then click Next:
   - Check this box to allow HTTP tunneling on a Lotus Sametime server with a single IP address. Lotus Sametime services will listen on port 80 and Lotus Domino HTTP services will listen on port 8088. For more information see About HTTP Tunneling.
   - Uncheck this box if you prefer not to use HTTP tunneling. See Ports used by the Sametime server for more information.
13. Review the summary information, and then click Install if satisfied.
14. An information box informs you that the installation was successful. Click Finish to complete the installation and exit the install wizard.

Running the Sametime installation wizard on AIX, Linux or Solaris


Follow the steps in this section to run the interactive IBM Lotus Sametime installation wizard from a Unix server. This should be the same computer where your IBM Lotus Domino server is located (for a new Sametime installation) or where an existing Sametime server is located (for a Sametime upgrade).

About this task


Note:
- UNIX commands are case sensitive; type them exactly as shown.
- If you get the message "Lotus Sametime Server Requires IBM Lotus Domino" during installation, that means a supported Domino server version was not found. Click Cancel, install the appropriate version of IBM Lotus Domino, and then restart the installation.
- For partitioned servers, specify the Lotus Domino server data directory and user account for the first partitioned server. After the installation is complete for the first partitioned server, install Lotus Sametime on each additional Lotus Domino partitioned server, substituting the correct Lotus Domino data directory and user account for each server.

To install Lotus Sametime on a UNIX system:

1. Make sure you have read and completed the steps in Verifying you are prepared to install Sametime.
2. For a new Lotus Sametime installation, shut down the Lotus Domino server. If upgrading Lotus Sametime, shut down the Lotus Sametime server.
3. If you are using a downloaded image, extract the files to a temporary directory and proceed to Step 5. Otherwise, insert the Lotus Sametime installation CD in the CD-ROM drive for the system and mount the CD on your server.
4. Change to the directory of the installation programs on the CD, using the following command, where /cdrom is your actual mount point:
   cd /<cdrom>/Server
5. Start the installation process with this command, where platform is aix, linux, or solaris:
   ./setup<platform>.bin
   For example: ./setupaix.bin
6. Select the language to be used for the install wizard.
7. When the Welcome page is displayed, click Next.
8. Read and accept the License agreement and then click Next.
9. Specify the Lotus Domino data directory where Lotus Sametime should be installed.
10. If this is a new installation, choose Install a new instance. If you are upgrading from a previous version, choose how to upgrade your current version:
   a. Install a new instance - Select this option to remove all Lotus Sametime data from the existing Lotus Sametime server (including meeting information, contact lists and configuration settings) and begin with a clean installation of Lotus Sametime.
   b. Upgrade existing instance - Select this option to preserve your existing data and upgrade the existing instance of Lotus Sametime.
11. Specify the following Lotus Domino server information:
   a. Domino UNIX User Name - default is notes
   b. Domino UNIX Group - default is notes
   c. Fully Qualified Domino Server Host name - for example sametime.acme.com
12. If the Lotus Domino server ID is password protected, enter the password and click Next.
13. For new Lotus Sametime server installations and upgrades from Instant Messaging Limited Use or a Lotus Sametime version prior to 7.5.1, specify the server to use for slide conversion. If upgrading from Lotus Sametime 7.5.1, this prompt is not shown and the existing slide conversion configuration is preserved. See About Sametime conversion services for more information.
   - Use this Lotus Sametime server - Select this option if you prefer to run the slide conversion services natively on your Sametime server or if you are not prepared to configure a separate conversion server at this time. You can choose to configure a remote conversion server at a later time.
   - Use Lotus Sametime slide conversion server - Select this option if you prefer to use a remote conversion server and are prepared to provide the Host name and port at this time.
   When finished, click Next.
   Note: If you are upgrading a server, the directory type and tunneling options in the following steps are not presented, and the current configuration is preserved.
14. Select the type of directory to use for your user repository: Lotus Domino directory or LDAP directory. If you select Domino directory, click Next and proceed to Step 15. If you select LDAP directory, specify the following:
   - Fully qualified host name of the LDAP server.
   - IP Port number that Lotus Sametime will use to connect to the LDAP server.
   To specify settings for the Sametime server to use to access the LDAP directory, select Advanced LDAP Configuration and click Next. When you select Advanced LDAP Configuration, six additional panels are displayed. It is recommended that you at least specify how Lotus Sametime will bind to the LDAP directory. If you do not specify this information, Lotus Sametime may not be able to connect to the LDAP server and the server will not start until you take corrective action. On the first of the six Advanced LDAP Configuration panels, select Anonymous access or Authenticated access. If you select Authenticated access, you must also specify the following:
   - Bind distinguished name (DN) - the name that Sametime will use when binding to the LDAP directory
   - Bind password - the password associated with the Bind distinguished name
   Click Next to review the remaining LDAP configuration panels and update the configuration if necessary. If you are not certain of the settings to use at this time, the settings can be modified later using the Sametime Administration Tool.
15. For the field Enable HTTP tunneling, specify how you will connect to the Sametime server, and then click Next:
   - Check this box to allow HTTP tunneling on a Lotus Sametime server with a single IP address. Lotus Sametime services will listen on port 80 and Lotus Domino HTTP services will listen on port 8088. For more information see About HTTP Tunneling.
   - Uncheck this box if you prefer not to use HTTP tunneling. See Ports used by the Sametime server for more information.
16. Review the summary information, and then click Install if satisfied.
17. An information box informs you that the installation was successful. Click Finish to complete the installation and exit the install wizard.

Note: If you are using partitioned Lotus Domino servers, repeat the above steps to install Lotus Sametime on each partitioned server. When finished, complete the steps in Configuring Sametime for partitioned Domino servers on AIX, Linux or Solaris.

Configuring Sametime for partitioned Domino servers on AIX, Linux or Solaris

To configure IBM Lotus Sametime in an IBM Lotus Domino partitioned server environment on Unix, you need to perform several additional steps to configure your Lotus Sametime installation.

40

Lotus Sametime Entry: Installation and Administration Guide

About this task

Note: Installing Lotus Sametime in a Microsoft Windows environment on a partitioned server is not supported.

Broadcast Server - Bind to All IPs

By default the Broadcast Server binds only to a single IP address and port. If multiple IP addresses resolve to the same DNS name, you need to either configure a specific IP address to use, or specify that the broadcast server bind to all IP addresses. Use one of these procedures:

Configure a specific IP address to use:
1. Start the Lotus Sametime server. Go to the Sametime Welcome page and click Administer the Server.
2. Click Configuration > Connectivity.
3. For the field Broadcast gateway address for client connections, enter the specific IP address you wish to use for Broadcast connections.

Specify that the broadcast server bind to ALL IP addresses on the server:
1. Open the meetingserver.ini file.
2. Under [SOFTWARE\Lotus\Sametime\BroadcastGateway\DBNL] change the entry IPBindAll=0 to IPBindAll=1.

Sametime Configuration - Trusted IPs

When the Lotus Sametime server installations are complete, you must configure Lotus Sametime so that the IP addresses associated with all network interfaces on the server that hosts the partitioned Sametime servers are known as trusted IP addresses by each Lotus Sametime server that operates on each partition. To configure Lotus Sametime, complete the steps below for each partitioned server:
1. Edit the sametime.ini file.
2. Under [CONFIG] add:
VPS_TRUSTED_IPS=<comma-separated list of IP addresses for all server network interfaces>.

For example:
VPS_TRUSTED_IPS=5.55.251.231,6.66.251.232,7.77.251.233,8.88.251.234,9.99.251.238

3. Using a Lotus Notes client, open the Lotus Sametime Configuration database (stconfig.nsf) of the Sametime server.
4. Modify Community Trusted IPS to equal the comma-separated list of the dotted IPv4 addresses for all network interfaces on this server.

Sametime Configuration - Connectivity

To configure Lotus Sametime connectivity, complete the steps below for each partitioned server:
Chapter 7. Installing Sametime

41

1. Start the Lotus Sametime server. On the Sametime Welcome page, click Administer the Server.
2. Click Configuration > Connectivity.
3. Enter the fully qualified domain name for this partition in each Host name field. (See the table below for reference.)
4. Multi-homed - For the fields Address for client connections and Address for HTTP tunneled client connections, specify a dotted IPv4 address to which your fully qualified domain name resolves.
5. Change the Event Server port and the Token Server port for each additional partition that you install. Ensure that the values are unique and that they are not in use by another Sametime server or process. It is recommended that you use ports above 9098. (See the table below for reference.)
6. Click the Update button and restart the Sametime server for the changes to take effect.
Field: Community Services Network > Address for server connections > Host name
Description: Enter the fully qualified DNS name of the Lotus Sametime server on this partition.

Field: Community Services Network > Address for client connections > Host name
Description: Enter the fully qualified DNS name of the Lotus Sametime server on this partition. Multi-homed - enter an IP address to which the fully qualified DNS name resolves.

Field: Community Services Network > Address for HTTP-tunneled client connections > Host name
Description: Enter the fully qualified DNS name of the Lotus Sametime server on this partition. Multi-homed - enter an IP address to which the fully qualified DNS name resolves.

Field: Meeting Services Network > Address for server connections > Host name
Description: Enter the fully qualified DNS name of the Lotus Sametime server on this partition.

Field: Meeting Services Network > Address for client connections > Host name
Description: Enter the fully qualified DNS name of the Lotus Sametime server on this partition. Multi-homed - enter an IP address to which the fully qualified DNS name resolves.

Field: Meeting Services Network > Address for HTTP-tunneled client connections > Host name
Description: Enter the fully qualified DNS name of the Lotus Sametime server on this partition. Multi-homed - enter an IP address to which the fully qualified DNS name resolves.

Field: Meeting Services Network > Event server port
Description: Enter a unique port number for this value. The port you enter must not be used by any other Lotus Sametime server on this computer or by any other process running on this computer for any purpose. This port should be used only as the Event server port by one Lotus Sametime server running on one Domino partition. IBM Lotus software recommends using ports above 9098.

Field: Meeting Services Network > Token server port
Description: Enter a unique port number for this value. This port must not be used by any other Lotus Sametime server on this computer or by any other process running on this computer. This port should be used only as the Token server port by one Sametime server running on one Domino partition. IBM Lotus software recommends using ports above 9098.

Field: Broadcast Services Network > Broadcast gateway address for client connections > Host name
Description: Enter the fully qualified DNS name of the Lotus Sametime server on this partition. Multi-homed - enter an IP address to which the fully qualified DNS name resolves.

Field: Broadcast Services Network > Broadcast gateway address for control connections > Host name
Description: Enter the fully qualified DNS name of the Lotus Sametime server on this partition.

Field: Broadcast Services Network > Address for HTTP-tunneled client connections > Host name
Description: Enter the fully qualified DNS name of the Lotus Sametime server on this partition. Multi-homed - enter an IP address to which the fully qualified DNS name resolves.

Field: Interactive Audio/Video Network > H.323 server communication address > Host name
Description: Enter the fully qualified DNS name of the Lotus Sametime server on this partition.

Field: Interactive Audio/Video Network > TCP tunneling address for client connections > Host name
Description: Enter the fully qualified DNS name of the Lotus Sametime server on this partition. Multi-homed - enter an IP address to which the fully qualified DNS name resolves.

Field: Interactive Audio/Video Network > Multimedia control address > Host name
Description: Enter the fully qualified DNS name of the Lotus Sametime server on this partition.
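Before restarting the partitions it is worth checking these settings mechanically rather than by eye: every partition's VPS_TRUSTED_IPS list must name exactly the host's interface addresses (a missing entry breaks trust between the partitions, while an entry that is not a local interface extends trust to a foreign host), and the Event and Token server ports must be unique on the host and above 9098. The following Python script is an added example and is not part of this guide or of the Sametime product. It assumes each partition's sametime.ini carries VPS_TRUSTED_IPS in its [Config] section, and it takes the Event and Token server ports as values the administrator transcribes from the Administration Tool, since they are not stored in sametime.ini. The interface list and both sametime.ini fragments are constructed sample data. The same port-uniqueness rule applies when several Sametime servers share one i5/OS LPAR.

```python
"""Consistency check for Sametime servers on a partitioned Domino host.

Added example; not part of the IBM guide or of the Sametime product.
Assumptions (not from the guide): Event/Token server ports are supplied by
the administrator because they are set in the Administration Tool rather
than in sametime.ini; the interface list and both sametime.ini fragments
below are constructed sample data.
"""
import configparser
import ipaddress
from dataclasses import dataclass

MIN_RECOMMENDED_PORT = 9099   # the guide recommends ports above 9098


@dataclass
class Partition:
    name: str
    sametime_ini: str   # full text of this partition's sametime.ini
    event_port: int     # Meeting Services Network > Event server port
    token_port: int     # Meeting Services Network > Token server port


def parse_trusted_ips(ini_text):
    """Return the VPS_TRUSTED_IPS entries from the [Config] section.

    The section name is matched case-insensitively because the guide writes
    it as [CONFIG] while sametime.ini files commonly use [Config]. Duplicate
    keys are tolerated (strict=False) since hand-edited ini files have them.
    """
    parser = configparser.ConfigParser(strict=False, interpolation=None)
    parser.optionxform = str            # keep VPS_TRUSTED_IPS in upper case
    parser.read_string(ini_text)
    for section in parser.sections():
        if section.lower() == "config":
            raw = parser.get(section, "VPS_TRUSTED_IPS", fallback="")
            return [ip.strip() for ip in raw.split(",") if ip.strip()]
    return []


def check_trusted_ips(part, interface_ips):
    """The trusted list must be exactly the host's interface addresses."""
    problems = []
    trusted = set()
    for entry in parse_trusted_ips(part.sametime_ini):
        try:
            trusted.add(str(ipaddress.IPv4Address(entry)))
        except ValueError:
            problems.append(f"{part.name}: '{entry}' is not a dotted IPv4 address")
    expected = set(interface_ips)
    for ip in sorted(expected - trusted):
        problems.append(f"{part.name}: interface {ip} is missing from VPS_TRUSTED_IPS")
    for ip in sorted(trusted - expected):
        # A non-local address here extends trust to another host: a real finding.
        problems.append(f"{part.name}: {ip} is trusted but is not a local interface")
    return problems


def check_ports(partitions):
    """Event/Token ports must be unique on the host and above 9098."""
    problems = []
    owner = {}   # port -> "<partition> <role>" that first claimed it
    for part in partitions:
        for role, port in (("Event server", part.event_port),
                           ("Token server", part.token_port)):
            if port < MIN_RECOMMENDED_PORT:
                problems.append(f"{part.name}: {role} port {port} is not above 9098")
            if port in owner:
                problems.append(f"{part.name}: {role} port {port} is already used by {owner[port]}")
            else:
                owner[port] = f"{part.name} {role}"
    return problems


def check_partitions(partitions, interface_ips):
    """All problems across the host; an empty list means the settings agree."""
    problems = []
    for part in partitions:
        problems.extend(check_trusted_ips(part, interface_ips))
    problems.extend(check_ports(partitions))
    return problems


# Constructed sample data: two partitions on a host with two interfaces.
INTERFACE_IPS = ["5.55.251.231", "6.66.251.232"]

GOOD_INI = """[Config]
VPS_TRUSTED_IPS=5.55.251.231,6.66.251.232

[Debug]
VP_TRACE_ALL=0
"""

# Second partition: one interface missing, a foreign address trusted,
# a typo in the list, and the Token server port copied from partition 1.
BAD_INI = """[CONFIG]
VPS_TRUSTED_IPS=5.55.251.231,10.0.0.7,not-an-ip
"""

PARTITIONS = [
    Partition("stpart1", GOOD_INI, event_port=9100, token_port=9101),
    Partition("stpart2", BAD_INI, event_port=9102, token_port=9101),
]

if __name__ == "__main__":
    findings = check_partitions(PARTITIONS, INTERFACE_IPS)
    for line in findings or ["all partition settings are consistent"]:
        print(line)
```

Run it against the real interface list (from ifconfig -a or ip addr) and the actual sametime.ini of each partition, passing the ports you entered in the Administration Tool; an empty result means the trusted-IP lists and ports are consistent, and each reported line names the partition and setting to correct before the restart in step 6.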

Running the Sametime installation wizard from a remote system


You can run the IBM Lotus Sametime installation wizard to install Lotus Sametime on a remote Windows, AIX, Linux or Solaris system. Complete the steps in this section to ensure your environment is set up correctly.

Installing from a remote Windows machine:

To install IBM Lotus Sametime from a remote Microsoft Windows workstation, you must install the X-Windows environment on the remote workstation.
1. Install cygwin from www.cygwin.com.
2. Select and install the X11 packages during the cygwin installation.
3. Make sure the X-Windows session is running:
a. Launch the cygwin bash shell.
b. In the bash shell that is launched, type the following: startx
c. In the X-Windows session that is created when you type this command, type: xhost +

Note: xhost + disables X server access control entirely, so any host that can reach the workstation's X display can connect to it. Where possible, allow only the server you are installing from, for example xhost +server_host_name, and run xhost - to re-enable access control when the installation is finished.

Installing from a remote AIX, Linux, or Solaris machine:

To run the installation wizard from a remote IBM AIX, Linux, or Sun Solaris system, you must verify that the DISPLAY environment variable is set (this is required for a remote installation).

Before you begin

To do so, type the following:
echo $DISPLAY

This should return the IP address of the remote workstation, for example:

echo $DISPLAY
9.41.113.167:0.0

To set the DISPLAY environment variable, use the IP address of the workstation followed by :0.0. For example:

DISPLAY=9.41.113.167:0.0
export DISPLAY

Silently installing Sametime server on AIX, Linux, Windows, or Solaris


Use the IBM Lotus Sametime silent server installation to install servers without any intervention during the installation process. In a typical (non-silent) install you provide input in dialog boxes during installation. However, silent (automated) server install does not prompt you for input. Instead, an options file provides the information for the install process. There is no need to monitor the installation or to provide additional input.

About this task


There are two steps to running a silent server install. First, you must edit the options file that is provided to create a new options file customized to your environment and servers. Then run the silent install by referencing the options file.

Creating an options file and launching a silent installation

An options file provides the literal values that are used during the install process. The Sametime server CD and the Web download image both contain one options file for Windows and another options file for UNIX. These files contain some of the default installation options and paths; however, you must customize the install options for your environment. To perform a silent installation, configure the appropriate file and invoke the installation launcher for your server platform by following these steps:


1. Open the options file that is appropriate for your operating system:
Note: If installing from CD, copy the options file for your server operating system from the CD to a local, writable directory so you can modify it.
v Windows: options-windows.txt
v AIX, Linux or Solaris: options-unix.txt
2. Update the options file for your environment. The options file contains instructions for modifying each of the available options. It is best to use a new name for the saved file so that the original options file is not modified. If the file contains credentials such as an LDAP bind password, restrict its permissions to the installing user and delete it when the installation is complete.
3. Change to the directory where the Sametime install launch programs are located.
4. Run the launch command for your operating system specifying the -silent and -options parameters, as well as the full path to the options file. The format for the launch command is as follows:

<InstallLauncher> -silent -options <optionsfilename>

Where:
InstallLauncher is the launch command for the platform on which you are installing Lotus Sametime:
v Windows: .\setupwin32console.exe
v AIX: ./setupaix.bin
v Linux: ./setuplinux.bin
v Solaris: ./setupsolaris.bin
Optionsfilename is the name of the options file you updated earlier. Specify the full path name if the options file is not located in the same directory as the install launch program. For example, on Windows:

.\setupwin32console.exe -silent -options options-windows-update.txt

Note: UNIX commands are case sensitive.

Determining if the silent install was successful

The launcher program indicates whether the silent install was successful by providing an exit status and logging errors in the stsetup.log and SametimeInstall.log files. If the exit status of the launcher and the contents of stsetup_exit_status.txt are both 0, the installation was successful. If either of these values is anything other than 0, the install was not successful and you should check the stsetup.log and SametimeInstall.log files in the server data directory for information.

Note: For some previous versions of Lotus Sametime, the install log file was called log.txt.

Installing Sametime using the console on AIX, Linux, Windows, or Solaris


Use the IBM Lotus Sametime console server installation to install servers at the console keyboard without using the installation program's graphical user interface.


About this task


During a typical install, a series of dialog boxes prompt you for input, which you provide by making selections in the dialog boxes. During a console server install, the graphical interface is replaced with text-only versions of each installation screen; type your answers at the keyboard.

As you run the console-based installation, note that:
v The default value for each question is enclosed in square brackets.
v If your answer is a number, such as 1 or 2, then after you type your number selection, type 0 to move to the next question.
v Pressing 5 cancels your current answer and re-displays the question so that you can provide a new answer.

1. Download the installation program to the server.
2. Navigate to the directory containing the installation program.
3. To perform a console install, run the installation program using the -console parameter as shown:
v IBM AIX
./setupaix.bin -console

v Linux
./setuplinux.bin -console

v Microsoft Windows
setupwin32Console.exe -console

v Solaris
./setupsolaris.bin -console

Installing Sametime server on i5/OS


To install IBM Lotus Sametime server on i5/OS perform the following.

Verifying authority to install and set up Sametime on i5/OS


The administrator who installs and sets up IBM Lotus Sametime must sign on to the system with a user profile that has the required authorities.

About this task


To install the Lotus Sametime software, your user profile must have the following special authorities:
v All object access (*ALLOBJ)
v Security administration (*SECADM)

To add Lotus Sametime to an IBM Lotus Domino server, your user profile must have the following special authorities:
v All object access (*ALLOBJ)
v System configuration (*IOSYSCFG)
v Job control (*JOBCTL)

These authorities give the profile full control of the system, so use a profile dedicated to installation work rather than adding them permanently to a day-to-day profile.

Checking your user profile

The IBM i5/OS security officer has the required authorities to install and set up Lotus Sametime. If you are not the security officer, use the Display User Profile (DSPUSRPRF) command to determine if your user profile has the required authorities. To check your user profile, follow these steps:
1. Type the following i5/OS command:

DSPUSRPRF user_id

2. Press the PAGE DOWN key and look for the Special authority field to display the special authorities for the user profile. If your user profile does not have the required authorities, ask the security officer either to install and set up the Lotus Sametime server or to add the required authorities to your user profile.

Pre-accepting the Lotus Sametime software agreements on i5/OS


If you are installing IBM Lotus Sametime from CD-ROM, it is highly recommended that you display and accept the Lotus Sametime software agreements before starting the installation. If you do not pre-accept the software agreements, the installation process will restore the product to the system, but then stop and wait for you to accept the agreements before completing the installation. Skip this step if installing from a downloaded image.

About this task


1. Insert the Lotus Sametime CD into the optical drive of your system.
2. Enter the following command on an i5/OS command line:

GO LICPGM

The Work with Licensed Programs display appears.
3. From the Work with Licensed Programs (LICPGM) menu, select option 5 (Prepare for install) and press Enter. The Prepare for Install display appears.
4. Type 1 in the option field next to Work with software agreements. Press Enter. When the Work with Software Agreements display appears, you see all IBM licensed programs that require software agreement acceptance and whether the agreement has been accepted. Only licensed programs that are not yet installed appear on this display. The software agreements for Lotus Sametime will not appear in the list until you restore them from the CD in a later step.
5. Press F22 (Shift-F10) to restore the software agreements from the Lotus Sametime CD. For the Device parameter, specify the name of your optical drive (for example, OPT01). Press Enter to restore the Sametime software agreements to the system.
6. Once the software agreements are restored from the Sametime CD, the following message is displayed:

Waiting for reply to message on message queue QSYSOPR.

You can sign on to another session to respond to the message or ask the system operator to respond. To view and respond to the message from another session:
v Enter the following command on an i5/OS command line: WRKMSGQ QSYSOPR
v Select option 5 to display the messages in the QSYSOPR message queue.
v Locate the following message in the queue: Load the next volume in optical device OPT01. (X G)
v The Lotus Sametime software agreements have already been restored. If you want to restore more software agreements from another CD, insert the next CD and respond with G. When the software agreements have been restored from the next CD, the message is issued again. When you are done, respond to the message with X.
7. The Work with software agreements display should now show the restored licenses for products that are not yet installed.
v If you are using the CD for the Instant Messaging Limited Use or Entry version of Lotus Sametime, you will see an entry for Licensed Program 5724J23, option *BASE.
v If you are using the CD for Lotus Sametime Standard, you will see two entries for Licensed Program 5724J23: one entry for *BASE and another entry for Option 1.
8. For each entry for Licensed Program 5724J23, type 5 in the option field and press Enter to display the software agreement. Then press F14 (Accept) to accept the terms of the software agreement.

Note: In some unusual situations, the following message may be issued when you attempt to display the software agreement: CPDB6D6 - Software agreement documents are missing. If this occurs, repeat step 5 to restore the software agreements again and continue with the remaining steps in this procedure.

Installing or upgrading Sametime on i5/OS


To install IBM Lotus Sametime on your system, follow these steps.
1. Make sure you have backed up the recommended files to a directory outside of your Sametime directory structure or to physical media before proceeding.
2. Sign on to your server with a user profile that has the appropriate IBM i5/OS authorities.
3. Stop the IBM Lotus Domino server where you will add Sametime. If you are upgrading from an earlier Lotus Sametime release, stop all existing Lotus Sametime servers.
Note: If any Lotus Sametime servers have not yet been upgraded to a Lotus Domino version supported by Sametime 8.0.2, run the UPDDOMSVR command to upgrade them now. If you do not upgrade Lotus Domino to a supported version before installing Lotus Sametime, the upgrade will fail for that server. To correct this problem, you would have to upgrade the Lotus Domino server and then install Lotus Sametime again.
4. If installing from a download image, follow the instructions in the Readme included with the download to transfer the images from your client workstation to i5/OS save files on your system. Then install Sametime from the save files using the RSTLICPGM command. For Lotus Sametime Standard, two images are provided and you must install both of them. For the Instant Messaging Limited Use or Entry version of Lotus Sametime, just one image is provided and installed. If installing from CD or DVD, insert the Lotus Sametime disk in your server's optical drive and complete the steps below.
5. Using the i5/OS command interface, such as a 5250 emulator window, type the following command and then press F4:
LODRUN

6. On the "LODRUN" panel, type the following value in the Device field and then press Enter:
*opt


7. In the Directory field, type the following value and press Enter:
/os400

The system loads the Lotus Sametime programs to the appropriate libraries and /QIBM directories. You will see status messages as the system installs the software.

Results
If you are upgrading from an earlier Lotus Sametime release, all of your existing Lotus Sametime servers are upgraded during the install process. Check the job log to verify that all of your Lotus Sametime servers were upgraded successfully. You should see the following message for each Lotus Sametime server that was successfully upgraded on your system:
Upgrade successful for Lotus Sametime server server_name

In addition, you may need to refresh the design of your Lotus Sametime databases. Normally the design of each of the databases is refreshed by the nightly Design server task. Alternatively, you can force an immediate database design refresh by completing these steps after starting the Lotus Sametime server: 1. On any i5/OS command line, type the following command and press Enter:
WRKDOMCSL

2. On the "Work with Domino Console" display, type the name of your Lotus Sametime server and press Enter.
3. At the command prompt, type the following Lotus Domino subcommand and press Enter:
LOAD DESIGN

Verifying your i5/OS library list


While a single version of IBM Lotus Sametime supports multiple languages, the Lotus Sametime language feature for the Sametime licensed program is packaged using the English language feature code.

About this task


If the primary language of your system is not English, follow these steps to verify that QSYS2924 is in your library list:
Note: If the primary language of your system is English, you do not need to modify your library list.
1. From an i5/OS command line, type the following command and press Enter:
WRKSYSVAL QSYSLIBL

2. On the Work with System Values display, type a 2 next to QSYSLIBL and press Enter.
3. On the Change System Value display, check whether QSYS2924 is included in the list. If it is listed, press F3 to exit. If it is not listed, proceed to step 4.
4. Type QSYS2924 next to Sequence Number 0 and press Enter.
5. Press F3 to exit.
6. If you changed the library list, sign off the system and sign back on to activate the new library list.


Adding Sametime to an i5/OS Domino Server


If you are configuring a new IBM Lotus Sametime server, complete these steps to add Lotus Sametime to your Lotus Domino server.

About this task


Note: If you are upgrading from a previous version of Lotus Sametime, your existing Lotus Sametime servers were automatically upgraded when you installed the new release of Lotus Sametime.

To add Lotus Sametime to a Lotus Domino server follow these steps:
1. Stop the Lotus Domino server.
2. On any i5/OS command line, type the following command and press F4:

ADDLSTDOM

3. In the Domino server name field, type the name of the Domino server where you will add Sametime.
4. In the Directory type field, type either *DOMINO or *LDAP and press Enter to select which type of directory Sametime will use.
v If you chose *DOMINO, skip to step 5.
v If you chose *LDAP, the following fields are displayed:

Field: Name
Description: Enter the name of the LDAP server that Sametime will use. Note: It is also possible to specify the TCP/IP address, but this is not recommended.

Field: Port
Description: Enter the IP port that Sametime will use. The default IP port for LDAP connections is 389.

Field: Bind distinguished name (DN)
Description: Enter the distinguished name of the LDAP directory entry that the Sametime server will use when binding to the LDAP directory. This is an optional parameter. If not specified, ensure the LDAP server is configured appropriately for anonymous access from a Sametime server.

Field: Bind password
Description: If you specified a Bind distinguished name (DN), enter the password associated with it.

Field: Administrator name (DN)
Description: Enter the distinguished name of an LDAP administrator who has authority to browse the LDAP directory. It is used when configuring policies. This parameter is optional and defaults to the same value as the Bind distinguished name.
5. In the HTTP Tunneling field, type either *YES or *NO and press Enter to display additional parameters.


Note: This option enables Sametime clients that operate behind restrictive firewalls to connect to the Sametime server and use the presence, chat, screen-sharing, whiteboard, and broadcast features of Sametime.
6. Complete the following fields (you may need to press the Page Down key to view these fields):

Field: HTTP server port
Description: If you chose to allow HTTP tunneling, specify the port number on which the HTTP server will listen. The default is 8088.

Field: Event server port
Description: Enter the port on which the Event Server service for this Sametime server should listen. Note: If you have more than one Sametime server installed on the same logical partition (LPAR) of your system, make sure the Event Server port is unique for each Sametime server.

Field: Token server port
Description: Enter the port on which the Authentication Server service for this Sametime server should listen. Note: If you have more than one Sametime server installed on the same logical partition (LPAR) of your system, make sure the Token server port is unique for each Sametime server. Refer to the technote "Verifying each Sametime for i5/OS server on system uses unique ports" for information on determining which Sametime ports are already in use. The technote is available at http://www-1.ibm.com/support/docview.wss?rs=203&uid=swg21212892.

Field: Remote slide conversion
Description: When files are attached to a meeting, Sametime Conversion Services is a feature that automatically provides a bitmap rendering so they can be shared in a meeting as slides. Accept the default of *NONE if you prefer to run Conversion Services as an integrated function of your Sametime server or if you plan to configure remote slide conversion at a later time. Note: Running integrated conversion services on i5/OS requires that the following products be installed:
v Portable Application Solutions Environment (PASE), 5722SS1 or 5761SS1, option 33
v OS/400 - Additional Fonts, 5722SS1 or 5761SS1, option 43
If you are ready to provide connection information for a remote slide conversion server, specify the fully qualified host name or IP address of the Windows system where you will install Sametime Conversion Services.

7. Press F10 for additional parameters, then complete the following fields.

Field: Slide conversion port
Description: If you specified the name of a remote slide conversion server, specify the port on which the conversion server should listen for connections from the Sametime server.

Field: Start Domino server
Description: Specify whether or not you want to have this Sametime server start when the set up is complete.

8. Press Enter to run the command. As Sametime is added to the Domino server, you will see a console screen that shows the progress of adding Sametime to a Domino server. When a message is displayed that the addition of Sametime is complete, press Enter.
9. If you did not choose to start the server during set up, start the Sametime server now. See Starting and stopping a Sametime server on i5/OS.

Completing the upgrade process


To complete the upgrade from a previous release of IBM Lotus Sametime to IBM Lotus Sametime 8.0.2, review the following information.


About this task


v For servers with Web Conferencing capability: If you are currently running Sametime Conversion Services on a separate system, you must upgrade to an 8.0.x version of Sametime Conversion Services. Sametime 8.0.2 servers cannot use a release of Sametime Conversion Services prior to 8.0; Sametime 8.0.2 Conversion Services is recommended. For information about upgrading Conversion Services from previous Sametime releases, see "About Sametime Conversion Services".
v If you are upgrading a Sametime server that is managed by the IBM Lotus Sametime Enterprise Meeting Server, add the Sametime server back in to the Enterprise Meeting Server.
v Migrate privacy information if necessary. If you are migrating to Sametime 8.0.2 from Sametime 7.x, or an earlier release, and your users have stored privacy information ("Who can see me") from the earlier release, then you need to migrate this information by running a utility after upgrading. Privacy information from the earlier release will not be used unless it is migrated. If you are upgrading to Sametime 8.0.2 from Sametime 7.5.1, and you already ran the 7.5.1 version of the utility, then there is no need to run it again on 8.0.2. If you are upgrading to 8.0.2 from 8.0 or 8.0.1, then privacy information is already in the proper format.
v If your Sametime server uses an LDAP directory, you may need to use the Sametime Administration Tool to modify your configuration for new or modified features such as Policy settings.
v The format of the Key Store used for SSL changed in Sametime 7.0. If you are upgrading from a release prior to Sametime 7.0 and your Sametime server is configured for SSL, you will need to perform some additional steps. Sametime 6.5.1 and earlier releases used a .pfx file for the key store; Sametime 7.0 and later releases use a .jks file. After upgrading Sametime, you must import your CA Trusted Root or Server certificate into StKeys.jks. If you had changed the keystore name or password, you must also update the sametime.ini file. See Using SSL with Sametime.
v For i5/OS Sametime servers: If you upgraded from a mixed environment that included both Sametime Standard servers and Instant Messaging Limited Use or Entry servers on the same system, web conferencing was enabled on all of your Sametime servers during upgrade. To change these servers back to Instant Messaging Limited Use or Entry, see Enabling or disabling Web Conferencing on an i5/OS Sametime server.

The original versions of several files are saved during the upgrade process in case you need to examine them after the upgrade completes. The original meetingserver.ini file is saved in the server data directory as meetingserver.bak. The sametime.ini and stconfig.nsf files are saved in a subdirectory of the server data directory. The name of the subdirectory is STprevious_versionBU. For example, the subdirectory name is ST751BU if you upgraded from Sametime 7.5.1, and ST80BU if you upgraded from Sametime 8.0. If your sametime.ini or stconfig.nsf holds secrets such as a keystore or LDAP bind password, the saved copies hold them too, so restrict access to the backup subdirectory and remove it once you no longer need it.

Upgrading the vpuserinfo.nsf template


As part of upgrading IBM Lotus Sametime, you will need to replace the design of the vpuserinfo.nsf database.

About this task


As part of a product upgrade, you will need to replace the design of vpuserinfo.nsf with the stuserin.ntf template, following these steps:
1. On the Lotus Sametime server, start the Lotus Notes client.
2. Click File > Database > Replace Design.
3. Select the current Sametime server as the template server, then click the Show advanced templates option to locate the "Sametime User Information" (stuserin.ntf) template.
4. Click Replace to update the database's design to match the template.
5. When you have finished, you can exit the Lotus Notes client.

Migrating user privacy information


A utility is available that you can run after upgrading your server to IBM Lotus Sametime 7.5.1 to migrate privacy information to the new format. An optional parameter allows you to migrate privacy data for only a specified subset of your Lotus Sametime users.

Before you begin


Note: The format for storing privacy information changed in Sametime 7.5. If you are upgrading to Sametime 8 from Sametime 7.0 or an earlier release and your users have stored privacy information ("who can see me"), this information appears to be lost after upgrading, and the visibility restrictions those users had configured are not applied until the data is migrated. There is no need to run this utility unless you have upgraded from Lotus Sametime 7.0 or earlier and your users have stored privacy data from the earlier release.

v If you are upgrading from Sametime 7.5.x and you already ran the 7.5.x version of the utility, then there is no need to run it again on Sametime 8.0.2. If you never ran the 7.5.x version, then your users may have stored privacy information in both the old format (pre-7.5) and the new format. In this case, it is not predictable which privacy record will be used. If some users are having problems with their privacy data, you can run the upgrade utility for those users and then manually delete one of their privacy records from vpuserinfo.nsf.
v If you have multiple Sametime servers within a single Sametime Community (but have not configured them as a Community Services cluster), each of the servers maintains a separate version of vpuserinfo.nsf. It is highly recommended that you run the upgrade utility on each of the Sametime servers in the community immediately after upgrading each one to Sametime 8.0.2.
v If you delay running the utility, users may create additional privacy data on the upgraded server. In this situation, the new data is stored in addition to the existing data and it is not predictable which privacy record will be used. Running the upgrade utility will not solve the problem. If necessary, the administrator can manually delete one of the privacy records from vpuserinfo.nsf.
v If you have multiple Sametime servers operating as a Sametime Community Services server cluster to support server failover and load balancing, it is best to upgrade all of the servers to Sametime 8.0.2 at the same time if possible. Then you should immediately run the upgrade utility on just one of the Sametime servers in the cluster and allow the vpuserinfo.nsf updates to replicate to the other servers.

54

Lotus Sametime Entry: Installation and Administration Guide

- If it is not possible to upgrade all of the servers in the cluster at the same time, consider advising your users to avoid creating additional privacy data until all of the servers have been upgraded. If users who are connected to a server running a release prior to 7.5 create new privacy data, it will be stored in the older format. This may conflict with privacy data that has already been migrated to the newer format. More than one privacy record for a user and conflicts between the records can cause unexpected results. Running the upgrade utility again will not solve the problem. If necessary, the administrator can manually delete one of the privacy records from vpuserinfo.nsf.
- The time required to run the utility depends on the size of vpuserinfo.nsf. For example, running the utility for a 2G vpuserinfo.nsf file may take 30 minutes.
- When the utility runs, two files are created in the Sametime server data directory:
  vpuserinfo.nsf (time stamp): backup copy of vpuserinfo.nsf before it was modified by the utility
  vpuserinfo.nsf.log (time stamp): log of activity which occurred when the utility ran
- Running the privacy migration utility on Windows: A utility is available to migrate user privacy information that was stored on a Windows server prior to Sametime 7.5 to the new format.
- Running the privacy migration utility on AIX, Linux or Solaris: A utility is available to migrate user privacy information that was stored on an AIX, Linux or Solaris server prior to Sametime 7.5 to the new format.
- Running the privacy migration utility on i5/OS: A utility is available to migrate user privacy information that was stored on an i5/OS server prior to Sametime 7.5 to the new format.

Running the privacy migration utility on Windows


Run the privacy migration utility to migrate user privacy information that was stored prior to IBM Lotus Sametime 7.5 to the new format. An optional parameter allows you to migrate privacy data for only a specified subset of your Lotus Sametime users.

Before you begin


This example assumes the default Domino installation directory (c:\Program Files\Lotus\Domino).

Example
1. If you intend to migrate privacy information for only a specified subset of your Sametime users, create a text file containing the names of the users. For example, create a text file called upgrade_util_filter.txt and save it in the Domino installation directory or another accessible location. The file should have each user specified on a separate line in the following format:
CN=John Smith/O=Acme
CN=Jane Doe/O=Acme
CN=Sally Brown/O=Acme

2. Stop the Sametime server.
3. Open a Windows command prompt.
4. Run the following commands:

Chapter 7. Installing Sametime

55

c:\program files\lotus\Domino> upgrade_util.cmd <sametime_server_data_directory> [<upgrade_util_filter_file>]

(where "c:\program files\lotus\Domino" is the directory where the Domino server is installed)
- If you do not specify the server data directory (the first parameter shown above), the SametimeDirectory entry in the sametime.ini file is used.
- If you do not specify the upgrade util filter file (the second parameter shown above), the UpgradeUtilFilter entry in the sametime.ini file is used.
- If there is no such entry in the sametime.ini, no filter will be used, meaning that privacy information for all Sametime users is migrated.
Note: If you intend to use the <upgrade_util_filter_file> parameter, it must be the second parameter, meaning you must also specify the <sametime_server_data_directory> parameter.
5. Check the vpuserinfo.nsf.log file which has the latest time stamp to verify that the utility ran successfully.

Running the privacy migration utility on AIX, Linux or Solaris


Run the privacy migration utility to migrate user privacy information that was stored on AIX, Solaris, or Linux prior to IBM Lotus Sametime 7.5 to the new format. An optional parameter allows you to migrate privacy data for only a specified subset of your Lotus Sametime users.

Example
To run the utility after upgrading to Sametime 8, follow these steps:
1. If you intend to migrate privacy information for only a specified subset of your Sametime users, create a text file containing the names of the users. For example, create a text file called upgrade_util_filter.txt and save it in the server data directory or another accessible location. The file should have each user specified on a separate line in the following format:
CN=John Smith/O=Acme
CN=Jane Doe/O=Acme
CN=Sally Brown/O=Acme

2. Change directory to the data directory.
3. Make the script executable by running the following command:
chmod u+x upgrade_util.sh

4. Stop the Sametime server.
5. Run the upgrade utility as the user defined for your Domino and Sametime deployment, typically "notes":
upgrade_util.sh <domino_program_directory> <sametime_server_data_directory> [<upgrade_util_filter_file>]
- The first two parameters must be specified; the last parameter is optional.
- If you do not specify the upgrade util filter file (the third parameter shown above), the UpgradeUtilFilter entry in the sametime.ini file is used.
- If there is no such entry in the sametime.ini, no filter will be used, meaning that privacy information for all Sametime users is migrated.
6. Check the vpuserinfo.nsf.log file which has the latest time stamp to verify that the utility ran successfully.
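The following Python script is an added example and is not part of Lotus Sametime or of this guide. It applies the parameter precedence described above for both the Windows and the AIX, Linux or Solaris forms of the utility (an explicit argument wins, otherwise the SametimeDirectory or UpgradeUtilFilter entry in sametime.ini is used, otherwise no filter and all users are migrated) and checks the filter file for blank lines, names that are not in canonical CN=.../O=... form, and duplicates before you run the utility. The sametime.ini fragment and the user names in it are constructed samples; that sametime.ini carries these entries as plain key=value lines is the script's own assumption.

```python
"""Resolve the parameters of the Sametime privacy migration utility and
sanity-check the optional user filter file before the utility is run.

Added example; not part of the Lotus Sametime product. The precedence rules
(explicit argument > sametime.ini entry > no filter) are the ones the guide
states; the sample sametime.ini text and user names below are constructed.
"""
import re

# Constructed sample of the relevant sametime.ini entries (other sections omitted)
SAMPLE_SAMETIME_INI = """\
[Config]
SametimeDirectory=c:\\program files\\lotus\\Domino\\data
UpgradeUtilFilter=c:\\program files\\lotus\\Domino\\upgrade_util_filter.txt
"""

# Constructed sample filter file: one canonical Notes name per line, with
# a blank line, a malformed name and a duplicate to exercise the checks
SAMPLE_FILTER_FILE = """\
CN=John Smith/O=Acme
CN=Jane Doe/O=Acme

CN=Sally Brown/O=Acme
John Smith/Acme
CN=Jane Doe/O=Acme
"""

# Canonical hierarchical Notes name: CN=<name>, optional OU components,
# O=<org>, optional two-letter C=<country>
CANONICAL_NAME = re.compile(r"^CN=[^/]+(/OU=[^/]+)*/O=[^/]+(/C=[A-Za-z]{2})?$")


def read_ini_value(ini_text, key):
    """Return the value of a key=value entry in sametime.ini (case-insensitive
    key, any section), or None if the key is absent or empty."""
    for line in ini_text.splitlines():
        line = line.strip()
        if not line or line.startswith((";", "#", "[")):
            continue
        name, sep, value = line.partition("=")
        if sep and name.strip().lower() == key.lower():
            return value.strip() or None
    return None


def resolve_parameters(args, ini_text):
    """Apply the guide's precedence: a parameter given on the command line wins,
    otherwise the sametime.ini entry is used, otherwise there is no value.
    `args` is the positional argument list after the script name, in the
    Windows form: [data_directory] [filter_file]. (The AIX, Linux or Solaris
    script takes the Domino program directory as an extra first argument.)"""
    if len(args) > 2:
        raise ValueError("at most two positional parameters are accepted")
    data_dir = args[0] if len(args) >= 1 else read_ini_value(ini_text, "SametimeDirectory")
    filter_file = args[1] if len(args) == 2 else read_ini_value(ini_text, "UpgradeUtilFilter")
    if data_dir is None:
        raise ValueError("no server data directory given and no SametimeDirectory entry in sametime.ini")
    # filter_file None means no filter: privacy information of all users is migrated
    return {"data_directory": data_dir, "filter_file": filter_file}


def check_filter_file(text):
    """Validate the filter file contents. Returns (valid_names, problems) where
    problems lists (line_number, message) for blank lines, malformed names and
    duplicates (compared case-insensitively)."""
    valid, problems, seen = [], [], set()
    for lineno, raw in enumerate(text.splitlines(), start=1):
        name = raw.strip()
        if not name:
            problems.append((lineno, "blank line"))
            continue
        if not CANONICAL_NAME.match(name):
            problems.append((lineno, f"not a canonical Notes name: {name!r}"))
            continue
        if name.lower() in seen:
            problems.append((lineno, f"duplicate entry: {name!r}"))
            continue
        seen.add(name.lower())
        valid.append(name)
    return valid, problems


if __name__ == "__main__":
    params = resolve_parameters([], SAMPLE_SAMETIME_INI)
    print("effective parameters:", params)
    names, issues = check_filter_file(SAMPLE_FILTER_FILE)
    print(f"{len(names)} valid users, {len(issues)} problems")
    for lineno, msg in issues:
        print(f"  line {lineno}: {msg}")
```

Run the check against the real filter file before stopping the server; a malformed or duplicated name is easier to correct before the utility runs than to untangle afterwards in vpuserinfo.nsf.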


Running the privacy migration utility on i5/OS


Run the privacy migration utility to migrate user privacy information that was stored prior to IBM Lotus Sametime 7.5 to the new format. An optional parameter allows you to migrate privacy data for only a specified subset of your Lotus Sametime users.

About this task


To run the privacy information migration utility after upgrading Lotus Sametime, follow these steps:
1. If you intend to migrate privacy information for only a specified subset of your Sametime users, create a text file containing the names of the users. For example, create a text file called upgrade_util_filter.txt and save it in your Sametime server data directory or another accessible location. The file should have each user specified on a separate line in the following format:
CN=John Smith/O=Acme
CN=Jane Doe/O=Acme
CN=Sally Brown/O=Acme

2. Stop the Sametime server.
3. From any i5/OS command line, start the QShell Interpreter:
QSH

4. Run the following shell command:
cd <sametime_server_data_directory>

5. To migrate privacy information for all of your Sametime users, run the following shell command:
upgrade_privacy <sametime_server_data_directory>

To migrate privacy information for a specified subset of your Sametime users, run the following shell command:
upgrade_privacy <sametime_server_data_directory> <upgrade_util_filter_file>

6. Check the vpuserinfo.nsf<time_stamp>.log file that has the latest time stamp to verify that the utility ran successfully. You can exit the QShell session and browse for the file, or run the following shell command to display the contents:
cat vpuserinfo*.log

Verifying the Sametime Server Installation


Once the server is set up, use the following procedures to ensure that IBM Lotus Sametime server is functioning properly.

About this task


Verifying the Sametime server installation

Follow these steps to perform basic verification of your Sametime server installation before proceeding:
1. If you have not already started the Sametime server, start it now:
- Starting and stopping a Sametime server on Windows
- Starting and stopping a Sametime server on AIX, Linux or Solaris
- Starting and stopping a Sametime server on i5/OS

Note: If you chose LDAP as the directory type during server installation but did not specify the correct LDAP connection information, the Sametime server will not start. See Configuring Sametime to access LDAP to correct this before proceeding to verify the Sametime installation.
2. When the server has started, access the Sametime server by starting your Web browser and entering the following URL:
http://hostname.yourco.com/stcenter.nsf
where hostname.yourco.com is the fully qualified host name of the Sametime server.
Note: Make sure you specify the server's fully qualified host name. If you do not use the fully qualified host name, you will be able to access the Sametime Welcome Page, but you will not be able to log in.
- For Sametime Standard and Sametime Entry servers, the Sametime Welcome page is displayed. Click Administer the Server and you will be prompted to log in.
- For Sametime Instant Messaging Limited Use servers, you are immediately prompted to log in (the Sametime Welcome page is not shown).
3. When the login prompt appears, specify the server administrator ID and password, and press Enter. The Sametime Administration tool is displayed.

Validating meetings for Sametime Standard servers

For Sametime Standard servers, use the following procedures to ensure that Web Conferencing is functioning properly.
Note: In most cases, you do not need to authenticate to the Sametime server when following the procedures in this section. If you are prompted to log in and the Sametime server is configured to use the Domino directory, use your server administrator ID and password. If the Sametime server is configured to use an LDAP directory, log in with a user ID from that directory. See Configuring Sametime to access LDAP if you have not yet fully configured LDAP.

Testing browser settings for meetings

To test whether your browser is set up properly for running meetings:
1. From the Sametime Welcome page, click Schedule a Meeting or Attend a Meeting.
2. From the left navigation panel, click Test Meeting.
3. Review the information on the page that displays.
4. Click Test My Browser to launch a test meeting. The meeting launches in a new browser window.
5. Click any of the tabs, such as Sharing or Whiteboard, to test these capabilities.
6. Click Help > Help Topics from the test meeting menu for more information about meetings.
7. When finished, click File > Leave Meeting.

Creating a meeting

Use this procedure to create a new meeting. For more detailed information, click the Help icon.
1. From the Sametime Welcome page, click Schedule a Meeting.
2. On the New Meeting form, specify a name for the meeting.
3. For When, check Start Now.


4. Click the People tab. If you are logged in, your name should be in the Chair field.
5. Click Save and wait for the meeting to start.
6. Once the meeting has started, the Meeting Details page is updated. Click Attend Meeting.
Note: If the Meeting Details page displays and the meeting does not begin, click the Refresh button in your browser. The meeting starts in a separate browser window.
7. When finished, click File > End Meeting.


Chapter 8. Configuring Sametime


You can choose LDAP as the directory type, in which case you configure the IBM Lotus Sametime server so that it has access to the LDAP directory, or you can select the IBM Lotus Domino Directory as the user repository for your Sametime server.


Configuring support for IPv6 addressing with Lotus Sametime


Enabling support for IPv6 addressing on an IBM Lotus Sametime server involves configuring settings for all of the server components.

Before you begin


Install and configure Lotus Sametime 8.0.2; previous versions of the Lotus Sametime server do not support IPv6 addressing.

About this task


Enable IPv6 addressing on the Lotus Sametime server by configuring settings for the following server components:

Configuring Lotus Domino for IPv6


The IBM Lotus Sametime server is hosted on IBM Lotus Domino. When you enable support for IPv6 addressing in Lotus Sametime, you must additionally ensure that the underlying Lotus Domino server also supports IPv6.

Before you begin


Lotus Sametime 8.0.2 supports IPv6 addressing only with Lotus Domino 8.0 or later. If you use an earlier release of Lotus Domino, you must upgrade it to release 8.x before you can configure it for IPv6 addressing.

About this task


The steps for enabling IPv6 support in Lotus Domino vary with the operating system:

Configuring Lotus Domino for IPv6 on AIX


Before an IBM Lotus Sametime server can support IPv6 addressing on IBM AIX, you must configure IPv6 support for the IBM Lotus Domino server on which it is hosted.

Before you begin


Lotus Sametime 8.0.2 supports IPv6 addressing only with Lotus Domino 8.0 or later. If you use an earlier release of Lotus Domino, you must upgrade it to release 8.x before you can configure it for IPv6 addressing.
Copyright IBM Corp. 2007, 2009

61

About this task


In Lotus Domino, IPv6 support is disabled by default. Configuring Lotus Domino to support IPv6 involves modifying both the Lotus Sametime Server document within the Lotus Domino Administrator interface, and adding configuration settings to the notes.ini file on that server. For information on supporting IPv6 with Lotus Domino, see "IPv6 and Lotus Domino" in the Lotus Domino Administration information center:
publib.boulder.ibm.com/infocenter/domhelp/v8r0/topic/com.ibm.help.domino.admin.doc/
DOC/H_IPV6_AND_DOMINO_OVER.html

Note: This address has been formatted for readability.
1. To support both IPv4 and IPv6 addressing, update the Server document for the Sametime server so that both formats will be accepted. If you will only support IPv6 addressing, skip this step.
a. On the Lotus Domino/Lotus Sametime server, start the Domino Administrator program.
b. In the Domino Administrator, navigate to the Server pane and double-click your server's name to select it.
c. In the "Server" document, navigate to the Internet Protocols > HTTP tab.
d. Update the HTTP hostname field by entering the host name followed by the explicit IPv4 and IPv6 IP addresses for this server.
Attention: When you fill out this field, you must enter the values using the following format:
- The first value in the field must be a fully qualified DNS host name.
- The second and third values must be the explicit IP addresses (using IPv4 dot notation or IPv6 colon notation) that correspond to the specified host name; the order of these two IP addresses does not matter.
- Separate values with a carriage return by pressing the ENTER key before adding another value.
e. Save and close the Server document.
f. Restart the HTTP service on the Lotus Domino server by running the following command in the console:
tell http restart

2. Enable support for IPv6 addresses by adding the following settings to the notes.ini file, located in the Lotus Domino server data directory:
tcp_enableipv6=1
DONT_USE_REMEMBERED_ADDRESSES=1

In the next statement, zone is the default zone; this information can be obtained by running the ifconfig -a command.
tcp_defaultzone=zone

3. Restart the Lotus Domino server so your changes can take effect.
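The HTTP hostname field format given in step 1d above is easy to get subtly wrong (a short host name instead of a fully qualified one, a second IPv4 address instead of the IPv6 one, or both addresses where only one is wanted), and a wrong value only shows up later as a browser that cannot reach the server. The following Python function is an added example, not part of Lotus Domino, Lotus Sametime or this guide; it checks a field value before you paste it into the Server document. It generalizes slightly beyond this section: "dual" mode checks the host name plus one IPv4 and one IPv6 address in any order, as described here for AIX, Linux, Solaris and Windows, and "single" mode checks the host name plus exactly one address, as the i5/OS instructions later in this chapter require. The host names and addresses in the block are constructed samples.

```python
"""Check a value intended for the HTTP hostname field of a Domino Server
document against the format this guide prescribes for IPv6 support.

Added example; not part of Lotus Domino or Lotus Sametime. Modes:
  "dual"   - host name, then one explicit IPv4 and one explicit IPv6 address
             (either order), one value per line
  "single" - host name, then exactly one explicit address (i5/OS case)
All sample values below are constructed.
"""
import ipaddress
import re

# Conservative fully qualified host name check: at least one dotted label
# before an alphabetic top-level label, labels of letters, digits and hyphens
FQDN = re.compile(r"^(?=.{1,253}$)(?!-)([A-Za-z0-9-]{1,63}(?<!-)\.)+[A-Za-z]{2,63}$")


def check_http_hostname_field(field_value, mode="dual"):
    """Return a list of problems; an empty list means the value is acceptable.
    Values are separated by carriage returns (one per line), as entered in the
    Domino Administrator field."""
    if mode not in ("dual", "single"):
        raise ValueError("mode must be 'dual' or 'single'")
    lines = field_value.replace("\r\n", "\n").replace("\r", "\n").split("\n")
    values = [v.strip() for v in lines if v.strip()]
    if not values:
        return ["field is empty"]
    problems = []
    if not FQDN.match(values[0]):
        problems.append(f"first value must be a fully qualified host name, got {values[0]!r}")
    addresses = []
    for v in values[1:]:
        try:
            addresses.append(ipaddress.ip_address(v))
        except ValueError:
            problems.append(f"not an explicit IP address: {v!r}")
    versions = sorted(a.version for a in addresses)
    if mode == "dual" and versions != [4, 6]:
        problems.append("dual-stack field needs exactly one IPv4 and one IPv6 address after the host name")
    if mode == "single" and len(addresses) != 1:
        problems.append("add exactly one IP address after the host name, not both IPv4 and IPv6")
    return problems


if __name__ == "__main__":
    # Constructed sample values; 192.0.2.0/24 and 2001:db8::/32 are documentation ranges
    for sample, mode in [
        ("st.example.com\n192.0.2.10\n2001:db8::10", "dual"),
        ("stserver\n192.0.2.10\n192.0.2.11", "dual"),
        ("st.example.com\n2001:db8::10", "single"),
    ]:
        print(repr(sample), mode, "->", check_http_hostname_field(sample, mode) or "ok")
```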

Configuring Lotus Domino for IPv6 on i5/OS


Before an IBM Lotus Sametime server can support IPv6 addressing on IBM i5/OS, you must configure IPv6 support for the IBM Lotus Domino server on which it is hosted.


About this task


In Lotus Domino, IPv6 support is disabled by default. Configuring Lotus Domino to support IPv6 involves several steps, including adding configuration settings to the notes.ini file for the server. The steps for enabling only IPv6 support are different from the steps for enabling support for both IPv4 and IPv6; follow the instructions in the appropriate topic.

Configuring Lotus Domino to support both IPv4 and IPv6 addressing on i5/OS

If your IBM Lotus Sametime server will support both IPv4 and IPv6 addressing, you must first configure the underlying IBM Lotus Domino server to accept both addressing protocols.

Before you begin

Lotus Sametime 8.0.2 supports IPv6 addressing only with Lotus Domino 8.0 or later. If you use an earlier release of Lotus Domino, you must upgrade it to release 8.x before you can configure it for IPv6 addressing.

About this task

In Lotus Domino, IPv6 support is disabled by default. Configuring Lotus Domino to support IPv6 involves several steps, including adding configuration settings to the notes.ini file for the server. For information on supporting IPv6 with Lotus Domino, see "IPv6 and Lotus Domino" in the Lotus Domino Administration information center.
1. Enable support for both IPv4 and IPv6 addresses in Lotus Domino by adding the following settings to the notes.ini file:
tcp_enableipv6=1
DONT_USE_REMEMBERED_ADDRESSES=1

2. If you want to be able to use a Lotus Notes client to access the server using IPv6 addressing, add the IPv6 information to the Domino server configuration by running the CHGDOMSVR command as follows:
a. On any IBM i5/OS command line, type CHGDOMSVR and press F4 to display the command prompt.
b. Specify the Domino server name and press Enter to display additional parameters. Then page down to display the TCP/IP port options prompt.
c. Type a plus sign (+) in the entry field that follows the prompt (as shown below) and press Enter.
Log client session events . . . *SAME
TCP/IP port options:            +
  Communications port . . . . . *SAME

This displays the current TCP/IP port options.
d. Page down to display a second section where you can enter information for the additional TCP/IP port. Specify the following settings:
Communications port: TCPIPV6
Internet address: specify the explicit IPv6 address. Do not specify the host name.
Enable port: *YES


For the remaining parameters, specify the options of your choice, and then press Enter.
e. Now press Enter to run the command.
f. Verify that the port options were updated in the notes.ini file to look like this:
Ports=TCPIP,TCPIPV6
TCPIP=TCP,0,15,0,,12288
TCPIPV6=TCP,0,15,0,,12288
TCPIP_TcpIPaddress=0,your_explicit_IPv4_address
TCPIPV6_TcpIPaddress=0,your_explicit_IPv6_address

3. Verify that you have completed the steps in "Configuring an i5/OS server for IPv6" to update the server host table and the Domain Name Server with the IPv6 address. Both the IPv4 and IPv6 address should map to the same host name.
4. Restart the Lotus Domino server so your changes can take effect.
5. Determine which IP address must be added to the HTTP hostname field in the server document. The choice of IP address depends on how the Domain Name Server resolves the host name. To determine which IP address to add to the server document, attempt to access the Lotus Sametime server from a Web browser using an IPv4 client:
http://sametime_server_hostname

- If you are able to access the server with the IPv4 client, update the server document by adding the IPv6 address (see next step).
- If you cannot access the server with the IPv4 client, update the server document by adding the IPv4 address (see next step).
6. Update the HTTP hostname field in the server document:
a. On the Lotus Domino/Lotus Sametime server, start the Domino Administrator program.
b. In the Domino Administrator, navigate to the Server pane and double-click your server's name to select it.
c. In the "Server" document, navigate to the Internet Protocols > HTTP tab. The fully qualified host name of the Lotus Sametime server should already appear in the HTTP hostname field.
d. Update the HTTP hostname field by pressing Enter (used as a delimiter) and then adding the appropriate IP address as determined in the previous step.
Attention: Do not add both the IPv6 and the IPv4 addresses.
e. Save and close the Server document.
7. Restart the HTTP service on the Lotus Domino server by running the following command in the console:
tell http restart

8. Verify that you can access the Lotus Sametime server using either an IPv4 or an IPv6 client with the following URL:
http://sametime_server_hostname

Configuring Lotus Domino to support only IPv6 addressing on i5/OS

Before an IBM Lotus Sametime server can support IPv6 addressing on IBM i5/OS, you must configure IPv6 support for the IBM Lotus Domino server on which it is hosted.


Before you begin

Lotus Sametime 8.0.2 supports IPv6 addressing only with Lotus Domino 8.0 or later. If you use an earlier release of Lotus Domino, you must upgrade it to release 8.x before you can configure it for IPv6 addressing.

About this task

In Lotus Domino, IPv6 support is disabled by default. Configuring Lotus Domino to support IPv6 involves several steps, including adding configuration settings to the notes.ini file for the server. For information on supporting IPv6 with Lotus Domino, see "IPv6 and Lotus Domino" in the Lotus Domino Administration information center.
1. Enable support for IPv6 addresses in Lotus Domino by adding the following settings to the notes.ini file:
tcp_enableipv6=1
DONT_USE_REMEMBERED_ADDRESSES=1

2. Update the Domino TCP/IP port settings in the notes.ini file so they only specify the IPv6 address, like this:
Ports=TCPIPV6
TCPIPV6=TCP,0,15,0,,12288
TCPIPV6_TcpIPaddress=0,your_explicit_IPv6_address

3. Update the stcommsrvrtk.jar file in the Lotus Domino installation directory. To support IPv6-only addressing for a Lotus Sametime server running on i5/OS, you must replace the stcommsrvrtk.jar file with a newer version. Run the following command, where "8xx" is the version of Lotus Domino that you are using for your Lotus Sametime server:
CPY OBJ('/QIBM/ProdData/LOTUS/sametime/stcommsrvrtk.jar') TODIR('/QIBM/ProdData/LOTUS/domino8xx') REPLACE(*YES) OWNER(*KEEP)

For example, if your Sametime server is running on a Domino 8.0.2 server, run this command:
CPY OBJ('/QIBM/ProdData/LOTUS/sametime/stcommsrvrtk.jar') TODIR('/QIBM/ProdData/LOTUS/domino802') REPLACE(*YES) OWNER(*KEEP)

4. Verify that you have completed the steps in "Configuring an i5/OS server for IPv6" to update the server host table and the Domain Name Server with the IPv6 address. Both the IPv4 and IPv6 address should map to the same host name.
5. Restart the Lotus Domino server so your changes can take effect.
6. Determine whether you need to add the IPv6 address to the HTTP hostname field in the server document. This depends on how the Domain Name Server resolves the host name. To determine whether you need to add the IPv6 address to the server document, attempt to access the Lotus Sametime server from a Web browser using an IPv6 client:
http://sametime_server_hostname

- If you do need to add the IPv6 address, continue with step 7; otherwise, skip to step 8.
7. To add the IPv6 address to the HTTP hostname field in the server document, complete the following:
a. On the Lotus Domino/Lotus Sametime server, start the Domino Administrator program.


b. In the Domino Administrator, navigate to the Server pane and double-click your server's name to select it.
c. In the "Server" document, click Internet Protocols > HTTP. The fully qualified host name of the Lotus Sametime server should already appear in the HTTP hostname field.
d. Update the HTTP hostname field by pressing Enter (used as a delimiter) and then adding the IPv6 address to the field.
e. Save and close the Server document.
f. Restart the HTTP service on the Lotus Domino server by running the following command in the console:
tell http restart

8. Verify that you can access the Lotus Sametime server from a Web browser using an IPv6 client:
http://sametime_server_hostname

Configuring Lotus Domino for IPv6 on Linux


Before an IBM Lotus Sametime server can support IPv6 addressing on Linux, you must configure IPv6 support for the IBM Lotus Domino server on which it is hosted.

Before you begin


Lotus Sametime 8.0.2 supports IPv6 addressing only with Lotus Domino 8.0 or later. If you use an earlier release of Lotus Domino, you must upgrade it to release 8.x before you can configure it for IPv6 addressing.

About this task


In Lotus Domino, IPv6 support is disabled by default. Configuring Lotus Domino to support IPv6 involves modifying both the Lotus Sametime Server document within the Lotus Domino Administrator interface, and adding configuration settings to the notes.ini file on that server. For information on supporting IPv6 with Lotus Domino, see "IPv6 and Lotus Domino" in the Lotus Domino Administration information center:
publib.boulder.ibm.com/infocenter/domhelp/v8r0/topic/com.ibm.help.domino.admin.doc/
DOC/H_IPV6_AND_DOMINO_OVER.html

Note: This address has been formatted for readability.
1. To support both IPv4 and IPv6 addressing, update the Server document for the Sametime server so that both formats will be accepted. If you will only support IPv6 addressing, skip this step.
a. On the Lotus Domino/Lotus Sametime server, start the Domino Administrator program.
b. In the Domino Administrator, navigate to the Server pane and double-click your server's name to select it.
c. In the "Server" document, navigate to the Internet Protocols > HTTP tab.
d. Update the HTTP hostname field by entering the host name followed by the explicit IPv4 and IPv6 IP addresses for this server.


Attention: When you fill out this field, you must enter the values using the following format:
- The first value in the field must be a fully qualified DNS host name.
- The second and third values must be the explicit IP addresses (using IPv4 dot notation or IPv6 colon notation) that correspond to the specified host name; the order of these two IP addresses does not matter.
- Separate values with a carriage return by pressing the ENTER key before adding another value.
e. Save and close the Server document.
f. Restart the HTTP service on the Lotus Domino server by running the following command in the console:
tell http restart

2. Enable support for IPv6 addresses by adding the following settings to the notes.ini file in the Lotus Domino server data directory:
tcp_enableipv6=1
DONT_USE_REMEMBERED_ADDRESSES=1

3. Restart the Lotus Domino server so your changes can take effect.

Configuring Lotus Domino for IPv6 on Solaris


Before an IBM Lotus Sametime server can support IPv6 addressing on Solaris, you must configure IPv6 support for the IBM Lotus Domino server on which it is hosted.

Before you begin


Lotus Sametime 8.0.2 supports IPv6 addressing only with Lotus Domino 8.0 or later. If you use an earlier release of Lotus Domino, you must upgrade it to release 8.x before you can configure it for IPv6 addressing.

About this task


In Lotus Domino, IPv6 support is disabled by default. Configuring Lotus Domino to support IPv6 involves modifying both the Lotus Sametime Server document within the Lotus Domino Administrator interface, and adding configuration settings to the notes.ini file on that server. For information on supporting IPv6 with Lotus Domino, see "IPv6 and Lotus Domino" in the Lotus Domino Administration information center:
publib.boulder.ibm.com/infocenter/domhelp/v8r0/topic/com.ibm.help.domino.admin.doc/
DOC/H_IPV6_AND_DOMINO_OVER.html

Note: This address has been formatted for readability.
1. To support both IPv4 and IPv6 addressing, update the Server document for the Sametime server so that both formats will be accepted. If you will only support IPv6 addressing, skip this step.
a. On the Lotus Domino/Lotus Sametime server, start the Domino Administrator program.
b. In the Domino Administrator, navigate to the Server pane and double-click your server's name to select it.
c. In the "Server" document, navigate to the Internet Protocols > HTTP tab.
d. Update the HTTP hostname field by entering the host name followed by the explicit IPv4 and IPv6 IP addresses for this server.

Attention: When you fill out this field, you must enter the values using the following format:
- The first value in the field must be a fully qualified DNS host name.
- The second and third values must be the explicit IP addresses (using IPv4 dot notation or IPv6 colon notation) that correspond to the specified host name; the order of these two IP addresses does not matter.
- Separate values with a carriage return by pressing the ENTER key before adding another value.
e. Save and close the Server document.
f. Restart the HTTP service on the Lotus Domino server by running the following command in the console:
tell http restart

2. Enable support for IPv6 addresses by adding the following settings to the notes.ini file, located in the Lotus Domino server data directory:
tcp_enableipv6=1
DONT_USE_REMEMBERED_ADDRESSES=1

In the next statement, zone is the default zone; this information can be obtained by running the ifconfig -a command.
tcp_defaultzone=zone

3. Restart the Lotus Domino server so your changes can take effect.

Configuring Lotus Domino for IPv6 on Windows


Before an IBM Lotus Sametime server can support IPv6 addressing on Microsoft Windows, you must configure IPv6 support for the IBM Lotus Domino server on which it is hosted.

Before you begin


Lotus Sametime 8.0.2 supports IPv6 addressing only with Lotus Domino 8.0 or later. If you use an earlier release of Lotus Domino, you must upgrade it to release 8.x before you can configure it for IPv6 addressing.

About this task


In Lotus Domino, IPv6 support is disabled by default. Configuring Lotus Domino to support IPv6 involves modifying both the Lotus Sametime Server document within the Lotus Domino Administrator interface, and adding configuration settings to the notes.ini file on that server. For information on supporting IPv6 with Lotus Domino, see "IPv6 and Lotus Domino" in the Lotus Domino Administration information center:
publib.boulder.ibm.com/infocenter/domhelp/v8r0/topic/com.ibm.help.domino.admin.doc/
DOC/H_IPV6_AND_DOMINO_OVER.html

Note: This address has been formatted for readability.
1. To support both IPv4 and IPv6 addressing, update the Server document for the Sametime server so that both formats will be accepted. If you will only support IPv6 addressing, skip this step.
a. On the Lotus Domino/Lotus Sametime server, start the Domino Administrator program.
b. In the Domino Administrator, navigate to the Server pane and double-click your server's name to select it.


c. In the "Server" document, navigate to the Internet Protocols > HTTP tab.
d. Update the HTTP hostname field by entering the host name followed by the explicit IPv4 and IPv6 IP addresses for this server.
Attention: When you fill out this field, you must enter the values using the following format:
- The first value in the field must be a fully qualified DNS host name.
- The second and third values must be the explicit IP addresses (using IPv4 dot notation or IPv6 colon notation) that correspond to the specified host name; the order of these two IP addresses does not matter.
- Separate values with a carriage return by pressing the ENTER key before adding another value.
e. Save and close the Server document.
f. Restart the HTTP service on the Lotus Domino server by running the following command in the console:
tell http restart

2. Enable support for IPv6 addresses by adding the following settings to the notes.ini file, located in the Lotus Domino server data directory:
tcp_enableipv6=1
DONT_USE_REMEMBERED_ADDRESSES=1

In the next statement, zone is the default zone; this information can be obtained by running the ifconfig /all command.
tcp_defaultzone=zone

This set of statements creates one port for IPv4 addressing (TCPIP) and one port for IPv6 (TCPIPV6):
TCPIP=tcp,0,15,0
TCPIPV6=tcp,0,15,0
tcpip_tcpipaddress=0,Your_IPv4_address
TCPIPV6_tcpipaddress=0,Your_IPv6_address
ports=tcpip,tcpipv6

3. Restart the Lotus Domino server so your changes can take effect.
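The procedure above edits notes.ini by hand. The following Python script, added here as an example and not part of IBM's documentation or product, applies the same settings to a notes.ini fragment and then checks the result: it refuses a host name or an address of the wrong family in the two tcpipaddress lines, insists on a zone ID for a link-local IPv6 address, and verifies that both ports are defined and listed in ports=. The sample notes.ini text and the addresses are constructed, and the function names are the example's own.

```python
"""Apply and verify the notes.ini settings for dual-stack (IPv4 + IPv6) Domino ports.

Added example for this guide, not IBM code. The sample notes.ini text and the
addresses below are constructed for illustration.
"""
import ipaddress

# Settings the procedure adds; the two address values are filled in per server.
IPV6_SETTINGS = {
    "tcp_enableipv6": "1",
    "DONT_USE_REMEMBERED_ADDRESSES": "1",
    "TCPIP": "tcp,0,15,0",
    "TCPIPV6": "tcp,0,15,0",
    "ports": "tcpip,tcpipv6",
}


def parse_notes_ini(text):
    """Return (key, value) pairs; notes.ini keys are case-insensitive, so callers
    compare on the lower-cased key."""
    entries = []
    for raw in text.splitlines():
        line = raw.strip()
        if not line or line.startswith(";") or "=" not in line:
            continue
        key, value = line.split("=", 1)
        entries.append((key.strip(), value.strip()))
    return entries


def apply_ipv6_settings(text, ipv4, ipv6, zone=None):
    """Return new notes.ini text with the IPv6 settings added or replaced in place.

    The addresses are validated with the ipaddress module so that a host name,
    or an address of the wrong family, is rejected before the server is
    restarted with a port it cannot bind.
    """
    if ipaddress.ip_address(ipv4).version != 4:
        raise ValueError("ipv4 must be an IPv4 address: %r" % ipv4)
    v6 = ipaddress.ip_address(ipv6)
    if v6.version != 6:
        raise ValueError("ipv6 must be an IPv6 address: %r" % ipv6)
    wanted = dict(IPV6_SETTINGS)
    wanted["tcpip_tcpipaddress"] = "0,%s" % ipv4
    wanted["TCPIPV6_tcpipaddress"] = "0,%s" % ipv6
    if zone is not None:
        wanted["tcp_defaultzone"] = str(zone)
    elif v6.is_link_local:
        # A link-local address is ambiguous without a zone (scope) ID.
        raise ValueError("link-local IPv6 address %s requires a zone ID" % ipv6)

    lower_wanted = {k.lower(): k for k in wanted}
    out, seen = [], set()
    for raw in text.splitlines():
        stripped = raw.strip()
        key = stripped.split("=", 1)[0].strip() if "=" in stripped else None
        if key and key.lower() in lower_wanted:
            canonical = lower_wanted[key.lower()]
            out.append("%s=%s" % (canonical, wanted[canonical]))  # replace existing line
            seen.add(canonical)
        else:
            out.append(raw)
    for key, value in wanted.items():
        if key not in seen:
            out.append("%s=%s" % (key, value))  # append settings that were absent
    return "\n".join(out) + "\n"


def check_dual_stack(text):
    """Return a list of problems; an empty list means both ports are fully configured."""
    cfg = {k.lower(): v for k, v in parse_notes_ini(text)}
    problems = []
    if cfg.get("tcp_enableipv6") != "1":
        problems.append("tcp_enableipv6 is not 1")
    ports = [p.strip().lower() for p in cfg.get("ports", "").split(",") if p.strip()]
    for port in ("tcpip", "tcpipv6"):
        if port not in ports:
            problems.append("port %s is not listed in ports=" % port)
        elif not cfg.get(port, "").startswith("tcp,"):
            problems.append("port %s has no %s=tcp,... definition" % (port, port))
    for port, version in (("tcpip", 4), ("tcpipv6", 6)):
        value = cfg.get(port + "_tcpipaddress", "")
        addr = value.split(",", 1)[1] if "," in value else ""
        try:
            if ipaddress.ip_address(addr).version != version:
                problems.append("%s_tcpipaddress is not an IPv%d address" % (port, version))
        except ValueError:
            problems.append("%s_tcpipaddress missing or invalid: %r" % (port, value))
    return problems


# Constructed sample notes.ini fragment, not taken from a real server.
SAMPLE_NOTES_INI = """[Notes]
Directory=/local/notesdata
ServerTasks=Replica,Router,Update,HTTP
Ports=TCPIP
TCPIP=tcp,0,15,0
"""

if __name__ == "__main__":
    print("before:", check_dual_stack(SAMPLE_NOTES_INI))
    fixed = apply_ipv6_settings(SAMPLE_NOTES_INI, "9.42.127.134", "2001:db8::9:42:127:134")
    print("after:", check_dual_stack(fixed))
    print(fixed)
```

Run check_dual_stack on the live notes.ini before and after the edit; a non-empty list after the edit means the server should not be restarted yet.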

Editing the ststart script on a Linux SuSE server


By default, support for IPv6 addressing is disabled in the version of IBM Lotus Sametime that runs on Linux SuSE operating systems; you must specifically enable IPv6 support in the "ststart" script used by Lotus Sametime on a Linux SuSE server.

Before you begin


Previous releases of Lotus Sametime did not support IPv6 addressing. Because the Linux SuSE operating system already supported IPv6 by default, it was necessary to specifically disable IPv6 for Lotus Sametime on those servers. If you now use Lotus Sametime 8.0.2 on a Linux SuSE server, you must re-enable support for IPv6 by modifying the ststart script.

1. On the Lotus Sametime server, open a command window and navigate to the Lotus Sametime data directory (for example, /local/notesdata).
2. Open the ststart script so you can edit it.
3. Comment out the following statements by inserting the # character at the beginning of each line:

Chapter 8. Configuring Sametime

69

if [ -f /etc/SuSE-release ]; then
    IBM_JAVA_OPTIONS=-Djava.net.preferIPv4Stack=true
    export IBM_JAVA_OPTIONS
fi

The statements should then look like this:


#if [ -f /etc/SuSE-release ]; then
#    IBM_JAVA_OPTIONS=-Djava.net.preferIPv4Stack=true
#    export IBM_JAVA_OPTIONS
#fi

4. Save and close the file.
5. Restart the Lotus Sametime server.

Configuring the Community Services for IPv6


Configure settings to establish connectivity and resolve addresses when using IPv6 on the IBM Lotus Sametime server's Community Services component to support awareness and instant messaging.

Before you begin


All versions of the Lotus Sametime server (Standard, Entry, and Instant Messaging Limited Use) support the Community Services, which provides presence and instant messaging features. To support IPv6, you must configure settings for the Community Services component of the Lotus Sametime server.

About this task


Follow the steps below to configure Community Services settings for IPv6 support on the Lotus Sametime server.

1. Stop the Lotus Sametime server.
2. Locate the sametime.ini file in the Lotus Sametime server's data directory, and open the file so you can edit it.
3. In the [Connectivity] section, add (or modify) the following statements:

UCM_RESOLVE_PREFERRED_IP_VER=IPv4_or_IPv6_selection
VPS_HOST=Explicit_IP_address_of_this_server
UCM_LOCAL_IP=Explicit_IP_address_of_this_server
VPHMX_HTTP_SERVER_IP=IP_address_of_Domino_HTTP_server
VPHMX_HTTP_SERVER_PORT=Domino_HTTP_port

where:
- UCM_RESOLVE_PREFERRED_IP_VER specifies which type of address should be preferred when a domain name resolves to multiple addresses of both protocols:
  - If you support only IPv6 addressing, set this to "6" to disallow IPv4-format addresses.
  - If you support both IPv4 and IPv6 addressing, set this to "4" to allow both protocols but attempt to resolve addresses using the IPv4 protocol first.
- VPS_HOST specifies the explicit IP address of this Community Services server. Use the IP address that matches the setting in UCM_RESOLVE_PREFERRED_IP_VER: if you set that value to "4", specify an IPv4-format address; if you set it to "6", specify an IPv6-format address.
- UCM_LOCAL_IP specifies the explicit IP address of this Community Services server, in the same format as VPS_HOST (IPv4 for "4", IPv6 for "6").
- VPHMX_HTTP_SERVER_IP specifies the IP address of the Lotus Domino HTTP server where Lotus Sametime is running.
- VPHMX_HTTP_SERVER_PORT specifies the port used by the Lotus Domino HTTP server where Lotus Sametime is running; normally port 80.

4. In the [Config] section, add (or modify) the following statement:

STLINKS_HOST=Explicit_IP_address_of_this_server

where STLINKS_HOST specifies the explicit IP address of this Community Services server. Use the IP address that matches the setting in UCM_RESOLVE_PREFERRED_IP_VER: if you set that value to "4", specify an IPv4-format address; if you set it to "6", specify an IPv6-format address.

Table 1. Accepted values for STLINKS_HOST

Type of address                                     Example
IPv4 explicit address (dot notation)                9.42.127.134
IPv6 explicit address using colon notation          2002:92a:8f7a:200:9:42:127:134
IPv6 explicit address using double-colon notation   3ef0::bee7:994:2e66
IPv6 explicit address using IPv4-suffix notation    3ef0::bee7:9.148.46.102
IPv4 "any" (four zeroes)                            0.0.0.0
IPv6 "any" (a double colon)                         ::

5. Add (or modify) the following statements in the [Debug] section within the sametime.ini file:
- If this Lotus Sametime server will support both IPv4 and IPv6 addressing:

VPMX_DISABLE_CONFIGURATION_UPDATE=1
VPMX_HOSTNAME=::,0.0.0.0
VPMX_PORT=1533
VPHMX_HOSTNAME=::,0.0.0.0
VPHMX_PORT=8082

where:
- VPMX_DISABLE_CONFIGURATION_UPDATE=1 requires all four of the statements that follow it.
- VPMX_HOSTNAME specifies the addresses where the multiplexer on this server handles Lotus Sametime client communications.

Table 2. Accepted values for VPMX_HOSTNAME

Type of address                                     Example
IPv4 explicit address (dot notation)                9.42.127.134
IPv6 explicit address using colon notation          2002:92a:8f7a:200:9:42:127:134
IPv6 explicit address using double-colon notation   3ef0::bee7:994:2e66
IPv6 explicit address using IPv4-suffix notation    3ef0::bee7:9.148.46.102
IPv4 "any" (four zeroes)                            0.0.0.0
IPv6 "any" (a double colon)                         ::


  For example, set this to ::,0.0.0.0 to accept "any" address using either IP protocol.
- VPMX_PORT specifies the port on which the multiplexer on this server listens for client connections, normally port 1533.
- VPHMX_HOSTNAME specifies the addresses where the multiplexer on this server handles HTTP client communications.

Table 3. Accepted values for VPHMX_HOSTNAME

Type of address                                     Example
IPv4 explicit address (dot notation)                9.42.127.134
IPv6 explicit address using colon notation          2002:92a:8f7a:200:9:42:127:134
IPv6 explicit address using double-colon notation   3ef0::bee7:994:2e66
IPv6 explicit address using IPv4-suffix notation    3ef0::bee7:9.148.46.102
IPv4 "any" (four zeroes)                            0.0.0.0
IPv6 "any" (a double colon)                         ::

  For example, set this to ::,0.0.0.0 to accept "any" address using either IP protocol.
- VPHMX_PORT specifies the port on which the multiplexer on this server listens for HTTP client connections, normally port 8082.

- If this Lotus Sametime server will support only IPv6 addressing:

[Debug]
VPMX_DISABLE_CONFIGURATION_UPDATE=1
VPMX_HOSTNAME=::
VPMX_PORT=1533
VPHMX_HOSTNAME=::
VPHMX_PORT=8082

6. i5/OS only: If you will support both IPv4 and IPv6 addressing, replace all of the remaining Lotus Sametime server host names in the sametime.ini file with the correct IPv4 or IPv6 address, based on your address preference as specified with the UCM_RESOLVE_PREFERRED_IP_VER setting. For example:
   - If the setting is "6", change every occurrence of stserver1.acme.com to 2001:db8:85a3:0:0:8a2e:370:7334 (the corresponding IPv6 address).
   - If the setting is "4", change every occurrence of stserver1.acme.com to 9.42.127.134 (the corresponding IPv4 address).
7. Save and close the file.
8. Start the Lotus Sametime server.

What to do next
If you also want to enable IPv6 for Lotus Sametime meetings, additional changes to the sametime.ini file are required; these are described in the topic "Configuring the Meeting Services for IPv6".

Configuring the Meeting Services for IPv6


Configure settings to establish connectivity and resolve addresses when using IPv6 on the IBM Lotus Sametime server's Meeting Services component to support Web conferences.


Before you begin


To support IPv6 addressing for Web conferences, you must configure settings for the Meeting Services component of the Lotus Sametime server.

Note: Although the Meeting Services is hosted on the same Lotus Sametime server as the Community Services, you can enable or disable IPv6 support independently for these components. For example, even if you disable IPv6 support for the Community Services, you can enable it for the Meeting Services. The Meeting Services can also be configured for IPv6 support independently of Lotus Domino, since they do not depend on Lotus Domino features.

About this task


Follow the steps below to configure Meeting Services settings for IPv6 support on the Lotus Sametime server.

1. Make sure the Lotus Sametime server is running.
2. Define Meeting Services connectivity settings:
   a. Log in to the Administration Tool as a Lotus Sametime Administrator.
   b. In the navigation pane, expand the Configuration section.
   c. Under "Configuration," click Connectivity.
   d. In the "Configuration - Connectivity" page, click the Networks and Ports tab.
   e. On the "Networks and Ports" tabbed page, complete the following fields by doing one of the following:
      - Leave the field blank if you want Lotus Sametime processes to bind to all IP addresses on the server. On a multi-homed server this also exposes the listeners on interfaces that are not intended for client traffic, so prefer an explicit host name unless every interface should accept connections.
      - Enter a fully qualified host name instead of an IP address if you want Lotus Sametime processes to bind only to the specified host. On i5/OS, this is the recommended setting and the values will be filled in by default.
      Fields to complete:
      - Address for server connections
      - Address for client connections
      - Address for HTTP tunneled client connections
      - Broadcast gateway address for client connections
      - Broadcast gateway address for control connections
      - TCP tunneling address for client connections
   f. Save your changes and close the Administration Tool.
3. Locate the sametime.ini file in the Meeting Services server's data directory, and open the file so you can edit it.
4. In the [Config] section of the file, add (or modify) the following settings:

MeetingServer_IPv4_IPv6_Enabled =
MeetingServer_AddressFallbackEnabled =

where:
- MeetingServer_IPv4_IPv6_Enabled determines whether your deployment supports only IPv4 addressing, both IPv4 and IPv6 addressing, or only IPv6 addressing. On servers with dual IPv4/IPv6 stacks, an IPv6 socket may still accept connections to an IPv4 address (this is determined by the IP configuration of the operating system and the Lotus Sametime server). Possible settings are as follows:

  Value   Description
  1       (Default value) Support IPv4 addresses only.
  2       Support both IPv4 and IPv6 addresses, and automatically enable the MeetingServer_AddressFallbackEnabled setting.
          Note: In this case, the MeetingServer_AddressFallbackEnabled setting in the sametime.ini file is ignored because the use of fallback addresses is enabled automatically to support both addressing protocols.
  3       Support IPv6 addresses only.

- MeetingServer_AddressFallbackEnabled determines whether fallback addresses can be used in the event that an attempt to access a specified address fails. Possible settings are as follows:

  Value   Description
  0       (Default value) Disabled: Requires the DNS server to specify the order in which IP addresses are attempted.
  1       Enabled: Allows the use of multiple IP addresses if the attempted address fails (provided the additional addresses are resolved).

Note: If you set MeetingServer_IPv4_IPv6_Enabled to 2 (both protocols), then MeetingServer_AddressFallbackEnabled is automatically enabled and the value you set here is ignored.

5. Save and close the file.
6. Restart the Lotus Sametime server.

Configuring a stand-alone Community Mux for IPv6


Configure settings to establish connectivity between an IBM Lotus Sametime server and a stand-alone Lotus Sametime Community Mux when using IPv6 addressing.

About this task


Each Lotus Sametime server contains a local Community Services multiplexer component. The multiplexer handles and maintains connections from Lotus Sametime clients to the Community Services on the Lotus Sametime server. If your multiplexer is hosted on the same server as the Community Services, it was already enabled for IPv6 support when you configured the Community Services. If you installed a stand-alone Community Mux (hosted on a separate server), you can enable IPv6 support as described below.

1. Stop the multiplexer.
2. Locate the sametime.ini file in the Sametime Community Mux installation directory, and open the file so you can edit it.
3. Add (or modify) the following statements in the [Connectivity] section within the file:


Note: The first three settings must use the same IP protocol as the values configured on the Lotus Sametime server where the Community Services are hosted: UCM_RESOLVE_PREFERRED_IP_VER and VPS_HOST take the same values as on that server, and UCM_LOCAL_IP is this multiplexer's own address in the same format.

UCM_RESOLVE_PREFERRED_IP_VER=IPv4_or_IPv6_selection
VPS_HOST=Explicit_IP_address_of_Sametime_server
UCM_LOCAL_IP=Explicit_IP_address_of_Community_Mux
VPHMX_HTTP_SERVER_IP=IP_address_of_Domino_HTTP_server
VPHMX_HTTP_SERVER_PORT=Domino_HTTP_port

where:
- UCM_RESOLVE_PREFERRED_IP_VER specifies which type of address should be preferred when a domain name resolves to multiple addresses of both protocols:
  - If you support both IPv4 and IPv6 addressing, set this to "4" to allow both protocols but attempt to resolve addresses using the IPv4 protocol first.
  - If you support only IPv6 addressing, set this to "6". This still allows both protocols, but attempts to resolve addresses using the IPv6 protocol first in case your operating system is enabled for both IP protocols.
- VPS_HOST specifies the explicit IP address of the Lotus Sametime server to which this Community Services multiplexer connects. This value must use the format specified in UCM_RESOLVE_PREFERRED_IP_VER; for example, if you entered "4" for that setting, then you must provide an IPv4-format IP address here.
- UCM_LOCAL_IP specifies the explicit IP address of the Community Mux machine (using dot notation for the IPv4 protocol or colon notation for the IPv6 protocol). This value must also use the format specified in UCM_RESOLVE_PREFERRED_IP_VER.
- VPHMX_HTTP_SERVER_IP specifies the IP address of the Lotus Domino HTTP server where Lotus Sametime is running.
- VPHMX_HTTP_SERVER_PORT specifies the port used by the Lotus Domino HTTP server where Lotus Sametime is running; normally port 80.

4. Add (or modify) the following statements in the [Debug] section within the sametime.ini file:
- If this Community Mux will support both IPv4 and IPv6 addressing:

VPMX_DISABLE_CONFIGURATION_UPDATE=1
VPMX_HOSTNAME=::,0.0.0.0
VPMX_PORT=1533
VPHMX_HOSTNAME=::,0.0.0.0
VPHMX_PORT=8082

where:
- VPMX_DISABLE_CONFIGURATION_UPDATE=1 requires all four of the statements that follow it.
- VPMX_HOSTNAME specifies the addresses where this multiplexer serves Lotus Sametime client communications.

Table 4. Accepted values for VPMX_HOSTNAME

Type of address                                     Example
IPv4 explicit address (dot notation)                9.42.127.134
IPv6 explicit address using colon notation          2002:92a:8f7a:200:9:42:127:134
IPv6 explicit address using double-colon notation   3ef0::bee7:994:2e66
IPv6 explicit address using IPv4-suffix notation    3ef0::bee7:9.148.46.102
IPv4 "any" (four zeroes)                            0.0.0.0
IPv6 "any" (a double colon)                         ::

  For example, set this to ::,0.0.0.0 to accept "any" address using either IP protocol.
- VPMX_PORT specifies the port on which this multiplexer listens for client connections, normally port 1533.
- VPHMX_HOSTNAME specifies the addresses where this multiplexer serves HTTP client communications.

Table 5. Accepted values for VPHMX_HOSTNAME

Type of address                                     Example
IPv4 explicit address (dot notation)                9.42.127.134
IPv6 explicit address using colon notation          2002:92a:8f7a:200:9:42:127:134
IPv6 explicit address using double-colon notation   3ef0::bee7:994:2e66
IPv6 explicit address using IPv4-suffix notation    3ef0::bee7:9.148.46.102
IPv4 "any" (four zeroes)                            0.0.0.0
IPv6 "any" (a double colon)                         ::

  For example, set this to ::,0.0.0.0 to accept "any" address using either IP protocol.
- VPHMX_PORT specifies the port on which the stand-alone Community Mux listens for HTTP client connections, normally port 8082.

- If this Community Mux will support only IPv6 addressing:

[Debug]
VPMX_DISABLE_CONFIGURATION_UPDATE=1
VPMX_HOSTNAME=::
VPMX_PORT=1533
VPHMX_HOSTNAME=::
VPHMX_PORT=8082

5. Save and close the file.
6. Restart the Community Mux so your changes can take effect.
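As an added example (not IBM code), here is a consistency check for the sametime.ini settings described in the Community Services, Meeting Services and stand-alone Community Mux sections above. It reads the file text and reports the mistakes those procedures warn about: a host name where an explicit IP address is required, an address family that does not match UCM_RESOLVE_PREFERRED_IP_VER, listener settings missing when VPMX_DISABLE_CONFIGURATION_UPDATE=1, and out-of-range values for the MeetingServer_* keys. The two INI fragments at the end are constructed, and the function names are the example's own.

```python
"""Consistency check for the IPv6 settings in sametime.ini.

Added example for this guide, not IBM code. It covers the [Connectivity],
[Config] and [Debug] settings from the Community Services and stand-alone
Community Mux procedures and the MeetingServer_* settings from the Meeting
Services procedure. The INI text at the bottom is constructed. The functions
only read the text; nothing here writes sametime.ini.
"""
import configparser
import ipaddress


def _family(value):
    """4 or 6 for an explicit IP literal, None for anything else (e.g. a host name)."""
    try:
        return ipaddress.ip_address(value.strip()).version
    except ValueError:
        return None


def _load(text):
    # sametime.ini uses '=' only; ':' must not be treated as a delimiter because
    # IPv6 literals such as ::,0.0.0.0 appear in values. strict=False tolerates
    # duplicate keys left behind by hand edits.
    cfg = configparser.RawConfigParser(delimiters=("=",), strict=False)
    cfg.optionxform = str  # keep key case exactly as written in the file
    cfg.read_string(text)
    return cfg


def meeting_mode(text):
    """Return (MeetingServer_IPv4_IPv6_Enabled, MeetingServer_AddressFallbackEnabled)
    as written in [Config], using the documented defaults when absent."""
    cfg = _load(text)
    return (cfg.get("Config", "MeetingServer_IPv4_IPv6_Enabled", fallback="1").strip(),
            cfg.get("Config", "MeetingServer_AddressFallbackEnabled", fallback="0").strip())


def meeting_fallback_effective(text):
    """Mode 2 (dual stack) turns address fallback on regardless of the file value."""
    mode, fallback = meeting_mode(text)
    return mode == "2" or fallback == "1"


def check_sametime_ini(text, standalone_mux=False):
    """Return a list of problems; an empty list means the IPv6 settings are consistent."""
    cfg = _load(text)
    get = lambda section, key: cfg.get(section, key, fallback=None)
    problems = []

    pref = get("Connectivity", "UCM_RESOLVE_PREFERRED_IP_VER")
    if pref not in ("4", "6"):
        problems.append("UCM_RESOLVE_PREFERRED_IP_VER must be 4 or 6, got %r" % pref)
        pref = None

    # VPS_HOST, UCM_LOCAL_IP (and STLINKS_HOST on the server) must be IP literals
    # of the family selected by UCM_RESOLVE_PREFERRED_IP_VER, never host names.
    explicit = [("Connectivity", "VPS_HOST"), ("Connectivity", "UCM_LOCAL_IP")]
    if not standalone_mux:
        explicit.append(("Config", "STLINKS_HOST"))
    for section, key in explicit:
        value = get(section, key)
        fam = _family(value or "")
        if fam is None:
            problems.append("%s must be an explicit IP address, got %r" % (key, value))
        elif pref and fam != int(pref):
            problems.append("%s is IPv%d but UCM_RESOLVE_PREFERRED_IP_VER=%s" % (key, fam, pref))

    if get("Debug", "VPMX_DISABLE_CONFIGURATION_UPDATE") == "1":
        # Disabling the automatic update makes all four listener settings mandatory.
        for key in ("VPMX_HOSTNAME", "VPMX_PORT", "VPHMX_HOSTNAME", "VPHMX_PORT"):
            if get("Debug", key) is None:
                problems.append("[Debug] %s is required when VPMX_DISABLE_CONFIGURATION_UPDATE=1" % key)
        for key in ("VPMX_HOSTNAME", "VPHMX_HOSTNAME"):
            addrs = [a.strip() for a in (get("Debug", key) or "").split(",") if a.strip()]
            fams = {_family(a) for a in addrs}
            if not fams or None in fams:
                problems.append("[Debug] %s must list only IP addresses (e.g. ::,0.0.0.0)" % key)
            elif pref == "4" and fams != {4, 6}:
                problems.append("[Debug] %s must list an IPv6 and an IPv4 address for dual stack" % key)
            elif pref == "6" and 6 not in fams:
                problems.append("[Debug] %s has no IPv6 listener address" % key)
        for key in ("VPMX_PORT", "VPHMX_PORT"):
            port = get("Debug", key)
            if port is not None and not (port.isdigit() and 0 < int(port) < 65536):
                problems.append("[Debug] %s is not a valid TCP port: %r" % (key, port))

    if not standalone_mux:
        mode, fallback = meeting_mode(text)
        if mode not in ("1", "2", "3"):
            problems.append("MeetingServer_IPv4_IPv6_Enabled must be 1, 2 or 3, got %r" % mode)
        if fallback not in ("0", "1"):
            problems.append("MeetingServer_AddressFallbackEnabled must be 0 or 1, got %r" % fallback)
    return problems


# Constructed dual-stack server configuration that follows the procedures above.
SERVER_INI = """[Config]
STLINKS_HOST=9.42.127.134
MeetingServer_IPv4_IPv6_Enabled = 2
MeetingServer_AddressFallbackEnabled = 0

[Connectivity]
UCM_RESOLVE_PREFERRED_IP_VER=4
VPS_HOST=9.42.127.134
UCM_LOCAL_IP=9.42.127.134
VPHMX_HTTP_SERVER_IP=9.42.127.134
VPHMX_HTTP_SERVER_PORT=80

[Debug]
VPMX_DISABLE_CONFIGURATION_UPDATE=1
VPMX_HOSTNAME=::,0.0.0.0
VPMX_PORT=1533
VPHMX_HOSTNAME=::,0.0.0.0
VPHMX_PORT=8082
"""

# Constructed stand-alone mux configuration with four of the mistakes the text warns about.
MUX_INI_BAD = """[Connectivity]
UCM_RESOLVE_PREFERRED_IP_VER=4
VPS_HOST=stserver1.acme.com
UCM_LOCAL_IP=2001:db8::2
VPHMX_HTTP_SERVER_IP=9.42.127.134
VPHMX_HTTP_SERVER_PORT=80

[Debug]
VPMX_DISABLE_CONFIGURATION_UPDATE=1
VPMX_HOSTNAME=::,0.0.0.0
VPMX_PORT=1533
VPHMX_HOSTNAME=0.0.0.0
"""

if __name__ == "__main__":
    print("server:", check_sametime_ini(SERVER_INI))
    print("mux:", check_sametime_ini(MUX_INI_BAD, standalone_mux=True))
```

Pass the contents of the server's sametime.ini to check_sametime_ini(), or the stand-alone mux's file with standalone_mux=True, before restarting; each returned string names the key to correct.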

Configuring the directory


Managing users in IBM Lotus Sametime requires a user directory.


Configuring Sametime to access LDAP


If you have chosen to use a supported third-party LDAP directory to manage IBM Lotus Sametime users, you must ensure that Lotus Sametime can connect to the LDAP server, search the LDAP directory and authenticate Lotus Sametime users.


Before you begin


- Configuring LDAP Connection Information
- Configuring LDAP Directory settings

Configuring LDAP Connection Information

The information that Sametime needs in order to connect to an LDAP server is normally provided during Sametime server installation when you select LDAP as the directory type. This information is stored in a Directory Assistance database on the server. This database is normally created by the Sametime installation and named da.nsf. If a Directory Assistance database already exists on the server, Sametime does not create it, and the database may have another name. If you are unable to locate it, check the Server document (Basics tab) for the name of the Directory Assistance database.

A Directory Assistance document in the database contains the information that enables Sametime to connect to the LDAP server to authenticate Web browser users. The information stored in the Directory Assistance document includes the fully qualified host name of the LDAP server, the IP port number that Sametime will use for the connection, the Bind distinguished name (DN) to use when binding to the LDAP directory (unless anonymous access is allowed), and the Bind password associated with the Bind distinguished name. Because the bind credentials are stored in this document, use a dedicated directory account that has only the read access Sametime needs, and keep the access control list of the Directory Assistance database restricted to administrators.

If you did not provide the connection information during installation, or if the information was incorrect, your Sametime server will be unable to connect to the LDAP server and Sametime will not start. Usually, the underlying Domino server will start with errors, but you can still access the Directory Assistance database to make the necessary changes. See "Alter the Directory Assistance document for the LDAP directory" for information about updating the LDAP connection information. Once you have corrected the LDAP connection information, restart the server.

Note: If the Sametime startup failures cause a more serious problem and you are not able to access the Directory Assistance database, remove "staddin" (or "staddin2" on i5/OS) from the "Tasks" list in the Sametime server's notes.ini file, and restart the server. After making the necessary configuration changes, put "staddin" or "staddin2" back in the "Tasks" list and restart the Sametime server.

Configuring LDAP Directory settings

Once your Sametime server can connect to the LDAP server, the Sametime server uses the information provided by the LDAP directory settings to search the LDAP directory and authenticate Sametime users. The installation program for Windows, AIX, Linux, and Solaris provides the opportunity to fully configure all of the LDAP directory settings for a single LDAP server. If you chose not to update the settings during installation, if you are running Sametime on i5/OS, if you need to configure additional LDAP directories, or if the settings are not correct, use the Sametime Administration Tool to configure the LDAP Directory settings.

Populating the Domino Directory


If you selected the IBM Lotus Domino Directory as the user repository for your Sametime server, you may need to add new Person documents to the directory for your Lotus Sametime users, or add information to the existing Person documents.

About this task


If you selected the Domino Directory as the user repository and added the Domino server to an existing Domino domain, then the directory contains entries for all of the users that were already defined in the domain. However, you may need to add additional information to the existing Person document for each of your Sametime users.

To add a new Sametime user to the Domino Directory, create a Person document for the user in the directory that includes (at minimum) a Last Name, a User Name, and an Internet password. In some cases, the Person document must also include a home Sametime server.

You can use any of the following tools to populate the Domino Directory:
- An IBM Lotus Notes client
- A Lotus Domino Administrator client
- The Sametime server self-registration feature

Results
For detailed information about adding Sametime users to the Domino Directory, see Registering users in the Domino Directory.

Setting up single sign on authentication


IBM Lotus Sametime single sign-on (SSO) authentication allows Web users to log in once to a Domino or WebSphere server, and then access any other Domino or WebSphere server in the same DNS domain that is enabled for single sign-on (SSO) without having to log in again. In a multiple server environment, it is possible that one or more servers in your Domino domain are already configured for Domino SSO, and the Domino Directory already contains a Domino Web SSO configuration document. When you install Lotus Sametime, it creates a Web SSO configuration document called LtpaToken unless one already exists in the Domino Directory. If an LtpaToken configuration document already exists, Lotus Sametime does not attempt to alter it.

About this task


In some cases, it may be necessary to alter the default configuration of the Domino SSO feature following the Sametime server installation. See "Altering the Domino Web SSO configuration following the Sametime server installation".

Configure the Domino Server for Web SSO

Complete the steps in this section if your Domino server is not configured for Web SSO, and you want to use the Web SSO document that Lotus Sametime creates to configure it.

1. From the Domino Administrator or a Lotus Notes client, choose File - Database - Open. Browse to the Domino server and type names.nsf in the Filename field. Click Open.
   Note: If you attempt to open this document from the Domino Administrator Configuration tab, Web - Web Configurations view, the Web SSO Configuration document will not display.
2. Expand the list of Web SSO Configurations.


3. Double-click the "Web SSO Configuration for LtpaToken" document to open it in edit mode.
4. Update these fields as necessary:
   - Configuration name: Enter LtpaToken.
   - DNS Domain: Make sure this is the fully qualified domain suffix of the Sametime server. For example, if the server's fully qualified name is server.domain.com, enter .domain.com in this field. Ensure that the leading period (.) is present in front of the domain suffix.
   - Organization: Leave this field blank.
   - Participating servers: Add the Sametime server and other servers that belong to the SSO realm to the list.
5. After entering the information, select Keys and do one of the following:
   - Create a Domino SSO Key.
   - If you are using WebSphere in your environment, select Import WebSphere LTPA Keys, and then enter the LTPA Token password.

Note: When adding servers to the Participating servers field, click the arrow and choose the name from an Address Book when possible. If this is not possible, make sure that you use the full hierarchical name when you add a server (for example, Server1/Acme where CN=Server/O=Org).

Note: If you import a WebSphere LTPA Token, a field displays the LDAP server name and port. Make sure that there is a backslash (\) before the port number. For example, ldap.domain.com\:389.
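Because the LtpaToken cookie is sent by the browser to every host under the DNS Domain entered in step 4, the suffix should be exactly the servers' domain and no wider. The following Python functions, added here as an example rather than taken from IBM, check the values typed into the Web SSO Configuration document against the rules in steps 4 and 5 and list which hosts would receive the cookie. All host and server names are constructed.

```python
"""Checks for the Web SSO Configuration document fields (steps 4 and 5 above).

Added example for this guide, not IBM code. It validates the values an
administrator is about to type into the document; it does not read names.nsf.
All host and server names used here are constructed.
"""


def _suffix(dns_domain):
    """Normalise the DNS Domain field to a lower-case suffix with a leading period."""
    s = dns_domain.strip().lower()
    return s if s.startswith(".") else "." + s


def cookie_receivers(dns_domain, hosts):
    """Hosts the browser will send the LtpaToken cookie to: the domain itself and
    every host under it, whether or not it is a Sametime or Domino server."""
    suffix = _suffix(dns_domain)
    return [h for h in hosts
            if h.strip().lower() == suffix[1:] or h.strip().lower().endswith(suffix)]


def check_sso_document(server_fqdn, dns_domain, participating_servers, ldap_host_port=None):
    """Return a list of problems; an empty list means the values follow the procedure."""
    problems = []
    raw = dns_domain.strip()
    if not raw.startswith("."):
        problems.append("DNS Domain must start with a period: %r" % dns_domain)
    labels = [l for l in raw.lower().split(".") if l]
    if len(labels) < 2:
        # ".com" would scope the token cookie to a whole top-level domain; browsers
        # reject such a cookie, and anything less broad but still wider than the
        # servers' own domain hands the token to unrelated hosts.
        problems.append("DNS Domain %r is not a domain suffix such as .example.com" % dns_domain)
    if not server_fqdn.strip().lower().endswith(_suffix(dns_domain)):
        problems.append("server %s is not inside DNS Domain %s" % (server_fqdn, dns_domain))
    for name in participating_servers:
        if "/" not in name:
            problems.append("participating server %r must be the full hierarchical name, e.g. Server1/Acme" % name)
    if ldap_host_port is not None and ":" in ldap_host_port and "\\:" not in ldap_host_port:
        # The WebSphere LTPA import displays host:port; the colon must be escaped.
        problems.append("LDAP server must be written host\\:port, e.g. ldap.domain.com\\:389, got %r" % ldap_host_port)
    return problems


if __name__ == "__main__":
    print(check_sso_document("server.domain.com", ".domain.com", ["Server1/Acme"], "ldap.domain.com\\:389"))
    print(check_sso_document("server.other.com", "domain.com", ["Server1"], "ldap.domain.com:389"))
    print(cookie_receivers(".domain.com", ["sametime.domain.com", "wiki.domain.com", "mail.other.com"]))
```

Run cookie_receivers() over your full host inventory for the chosen suffix; every name it returns is a host that will be handed the SSO token and therefore must be trusted to the same degree as the Sametime server.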


Accessing Sametime Instant Messaging from Lotus Notes


For the Instant Messaging Limited Use version of IBM Lotus Sametime, your primary means of accessing Lotus Sametime is through your Lotus Notes client.

About this task


Several settings in your Location document are used to specify the connection to your Sametime server:
- Servers tab: IBM Lotus Sametime server (use the fully qualified host name)
- Instant Messaging tab: Port and protocol (connection method)

When these settings are defined during Lotus Notes installation, the same settings are written to all Location documents. You can also update individual Location documents at any point during a Notes session. For more information on the instant messaging settings, refer to the Notes Help topic "Connecting to a Lotus Sametime server." For more information about using the Notes client for instant messaging, see the Notes Help section "Instant Messaging."


Chapter 9. Installing Sametime Integration for Microsoft Office


IBM Lotus Sametime integration with Microsoft Office allows you to collaborate, create meetings, and chat with coworkers through Microsoft Office applications. Lotus Sametime integration with the Microsoft Office SharePoint Server allows similar collaboration features with coworkers who use Office SharePoint Server as their instant messaging application.

About this task


You can integrate Lotus Sametime with Microsoft Office to enable users to collaborate directly within Office applications. You can additionally integrate Lotus Sametime with the Office SharePoint Server to enable Lotus Sametime users to communicate with Office SharePoint Server users from a SharePoint site. Note: Always remember that when applying Office Integration fixes, you must ensure that no Office or Outlook processes are running at the time of the install. For more information, see the IBM Tech Note 1307607 at:
www.ibm.com/support/docview.wss?rs=477&uid=swg21307607

Office integration

Integrating Lotus Sametime with Microsoft Office allows Lotus Sametime users to collaborate directly within Office products by providing awareness and messaging capabilities within each application. All users must be hosted on Lotus Sametime servers. Lotus Sametime Office Integration features require the following applications:
- Microsoft Office version 2000, XP, 2003, or 2007
- Microsoft Windows version 2000, XP, or Vista

Note: SmartTag functions were introduced by Microsoft beginning with Office XP, so no SmartTag functions are available in Office 2000.

Office SharePoint Server integration

Integrating Lotus Sametime with Microsoft Office SharePoint Server extends collaboration capabilities by providing awareness and instant messaging among users whose names appear on a SharePoint site. Any Office SharePoint Server user's live name that can be resolved using the standard email address field will be recognized and will display its presence status to a user who is logged into Lotus Sametime. Clicking an active SharePoint user displays a contextual Lotus Sametime menu. During a chat, the Lotus Sametime user is presented with the complete feature set of Lotus Sametime and its third-party plug-ins, including emoticons, file sharing, image captures, multiway chats, audio, video, telephony, screen sharing, and chat history.

Integration with Office SharePoint Server is achieved using documented interfaces from Microsoft Corporation. Deploying this feature requires modifying two template files on the Office SharePoint Server. In addition, Lotus Sametime Connect users will need to upgrade their installed client software.

Copyright IBM Corp. 2007, 2009

81

Lotus Sametime integration with the Microsoft Office SharePoint Server requires the following applications:
- Microsoft Office versions 2003, 2007
- Microsoft Internet Explorer browser, version 6 or higher
- Microsoft Office SharePoint Server versions 2003, 2007
- Lotus Sametime 8.0.2 client with the Lotus Sametime Connect Integrator for Microsoft Office
- Lotus Sametime server, release 8.0.2 or higher

The Office SharePoint feature requires only a Lotus Sametime client; other Office Integration features need not be installed at all, or may be present in any combination. Complete the tasks below according to the features you wish to install:

Installing Office Integration


IBM Lotus Sametime integration with Microsoft Office allows you to collaborate, create meetings, and chat with co-workers from Microsoft Office.

About this task


Be sure to complete the installation of Lotus Sametime servers and clients before beginning the Microsoft Office integration. Note: Always remember that when applying Office Integration fixes, you must ensure that no Office or Outlook processes are running at the time of the install. For more information, see the IBM Tech Note 1307607 at:
www.ibm.com/support/docview.wss?rs=477&uid=swg21307607

Installing the Office Integration features

The following should be performed after the installation of (or upgrade to) the Lotus Sametime Connect client on each machine. See Installing optional client features on page 109 for detailed instructions on installing Lotus Sametime Integration with Microsoft Office. The following features are available:
- Sametime Connect integrator for Microsoft Office
- Microsoft Outlook calendar availability
- Sametime Connect integrator for Microsoft Outlook
- Sametime meeting integrator for Microsoft Outlook

Additional installation

1. Setting the Calendar Form
   Start Outlook, and in the Calendar Properties dialog set the entry for "When posting to this folder, use" to ST OnlineMeeting (or ST OnlineMeeting RTL for Arabic or Hebrew).
2. Enabling SmartTags
   The Sametime Office Integration feature set adds the SmartTag recognizer, which will start on either the names from the user's local buddy list or from internet-style email addresses, for example "jdoe@acme.com".


   Note: These are in addition to the Lotus Sametime menu items contributed to Person Name (English) from Lotus Sametime 7.5.1.
   - To enable SmartTags, select the Person (Lotus Sametime) entry from the AutoCorrect SmartTag dialog.
   - The use of automatic hyperlinks in Office documents will interfere with the new SmartTag's ability to recognize email addresses; you can regain the SmartTag function by disabling auto-hyperlinking: uncheck the "Internet and network paths with hyperlinks" option in the "AutoFormat As You Type" tab from the Tools - AutoCorrect Options menu.

Known issues
- The Meeting Integrator feature can support Sametime meeting servers that require SSL by modifying the syntax of the server name specified in the Sametime Meeting properties: if SSL is required, include the protocol portion of the server URL, for example "https://sametime.mycompany.com". The syntax shown in the dialog example, "sametime.mycompany.com", is correct for servers that are accessible by ordinary, non-SSL HTTP.
- If the default email fields read by the Outlook Toolbar are not the appropriate fields for a customer's enterprise, the Toolbar can be redirected to use other fields instead by modifying the file CustomProperties.ini in the Sametime install folder. The intent is that such modifications would be made by IT experts and the ini file (text) be distributed to end users. If this optional file is not present, the Toolbar uses its default field settings.

Limitations
- The local Outlook user email address must be resolvable in Sametime for the MyStatus button to properly display status.
- The Meeting Integrator feature is not included in a meeting request that begins from Outlook's "Plan A Meeting" dialog.
- In a meeting which includes a Sametime meeting, if the Sametime meeting password is changed after the initial invitation is sent, then the message body will show more than one password; the most recent password assignment is displayed last.
- Use of Office Integration features in Outlook 2000 can cause macro warning dialogs to be displayed.

Third Party Limitations
- Microsoft Outlook will cache and retain forms despite the uninstall if the form is designated to be used. To fully uninstall and eliminate the ST OnlineMeeting, ST OnlineMeeting RTL, and STContact custom forms, the user must be sure to set the Calendar and Contact "When posting..." properties back to IPM.Appointment and IPM.Contact respectively.
- Microsoft Outlook permits multiple user profiles but is designed to operate under one profile at a time, which must be selected at Outlook's launch. Some Lotus Sametime features must keep the Outlook process running for their operation, which has implications when a user wants to select or switch profiles. Outlook can be configured to always use one default profile, or to prompt at start-up; if you later want to use Outlook with a different profile, you must exit Outlook, launch it again, and then select the new profile. If the Lotus Sametime client has been configured to use Outlook for either the Calendar AutoStatus feature or as the storage location for Chat History, and Outlook is not already running, Lotus Sametime will silently launch Outlook to access those features, and then keep it running as a background process with no user interface. If the user has multiple profiles with no default selected and Lotus Sametime executes this silent launch, a "Use Profile" dialog box will be provided by Outlook and will be used by the background process. When the user later starts Outlook, the profile chosen earlier during the Lotus Sametime start-up will automatically be used; if the user wants to change the profile, he or she must exit both Outlook and the Lotus Sametime client (which in turn stops the Outlook process running in the background).

Troubleshooting Microsoft Office integration


If the Microsoft Office integration does not work properly in your IBM Lotus Sametime deployment, you may need to adjust the Lotus Sametime server configuration.

Troubleshooting the Lotus Sametime Integrator for Microsoft Outlook


The Lotus Sametime Integrator for Microsoft Outlook (or Outlook toolbar) works by asking Lotus Sametime to process an identifier phrase; in the Outlook case, the phrase is an email address. The key to getting full functionality from the Outlook toolbar is to configure the Lotus Sametime server to resolve the email "phrases" found by the toolbar. The most common symptom of resolution problems is that the Target Contact button is not updated to show the Lotus Sametime display name and status, but instead continues to show an email address, such as jsmith@acme.com or JSMITH (a CN portion of an X.400 address). There will always be emails from external parties that will remain unresolved, but addresses for Lotus Sametime users should resolve. Troubleshooting has four steps, described in more detail below: enable logging, find the resolution request, check the phrase, and, if necessary, adjust the Lotus Sametime server configuration.

Enabling Logging
Begin troubleshooting this problem by enabling the log files in the Lotus Sametime client. As any new email address is encountered, an XML message is sent from the Outlook toolbar to the Lotus Sametime client for lookup processing. These messages can be echoed into the client logs. The configuration information for a user is stored in a workspace under the user's Documents and Settings folder, under the path Documents and Settings\User\Application Data\Lotus\Sametime\.config. The rcpinstall.properties file located here is processed on each launch of the client. Open this file and add the following line to the end of it:
com.ibm.collaboration.realtime.brokerbridge.level=FINE

On all subsequent launches, the XML traffic between the Lotus Sametime client and the Office Integration features will be logged to the trace-log-N.xml files in the Application Data\Lotus\Sametime\logs folder. A few tips will simplify using these logs:

v Focus the troubleshooting effort on just one Office application, so avoid opening other Office applications or SharePoint pages, because their message traffic will overlap the Outlook messages and make the logs larger.
v The Lotus Sametime client usually needs to be exited to complete the writing of the logs; the easiest approach is to start Lotus Sametime, click a few problem emails, then exit the client and examine the logs.
v The logs are designed to be opened in a browser from the Application Data\Lotus\Sametime\logs folder, which contains formatting files to create tables of output.

Finding the Resolution Request


Once the trace log is opened, use the browser's function to search for text in the page and search for the phrase liveNameResolve. This XML message is the type used by the Outlook toolbar to request resolutions; because email addresses map uniquely to one person, the toolbar uses the lookup service, which returns only unique matches. Once the table row containing a liveNameResolve is found, the target phrase is located in the lookupNames section; this in turn is an array of one or more phrases, in stringArray\data nodes. As a concrete example, an email within the STOIDEV enterprise from user John Doe might cause a liveNameResolve like this one:
<?xml version="1.0" encoding="utf-8" ?>
<messageSet version="1.0" signed="false">
  <liveNameResolve typeVersion="1.0">
    <lookupNames valueType="stringArray">
      <stringArray length="1">
        <data><![CDATA[CN=John Doe,CN=Users,DC=stoidev,DC=com]]></data>
      </stringArray>
    </lookupNames>
  </liveNameResolve>
  <signature />
</messageSet>

This example has been formatted for this page; it may appear as a single line in the logs. So the email address phrase here is CN=John Doe,CN=Users,DC=stoidev,DC=com. Note that in this example (from a real Exchange test set-up) this particular format of the email address is NOT ordinarily displayed to the Outlook user; instead, the end user sees John Doe or jdoe@stoidev.com displayed in Outlook documents and dialogs.

Checking the Phrase


A quick check for resolution results can be accomplished by starting the Lotus Sametime client and clicking Add Contact. Then, paste the phrase from the liveNameResolve message (CN=John Doe,CN=Users,DC=stoidev,DC=com in this example) into the User name field of the "New Contact" dialog box, and click Lookup. If the phrase returns a unique result, then the toolbar should likewise get that result and operate fully for that target contact. If there are no results, or if there are multiple results, then the toolbar resolution will not be able to display a Lotus Sametime user for that address.

Adjusting the Server Configuration


Both the Lotus Sametime client and the Outlook toolbar (working within the Lotus Sametime client) rely on the Lotus Sametime server to associate a particular phrase with a user. No other communications to directories are in use; if the Lotus Sametime server cannot establish the association, the Outlook toolbar can only assume that none exists. However, the Lotus Sametime server has great flexibility and can be directed to use any of the directory fields at its disposal when doing this processing. The exact setting used by the Lotus Sametime server is described in "Table 6, Authentication settings for the LDAP directory" in the LDAP directory settings on page 193 topic within this information center. The first table entry, called "Search filter to use when resolving a user name to a distinguished name", dictates the query that is used. Notice that "mail=%s" is a recommended setting, and will be successful when the ID phrase is the SMTP email address "ajones@acme.com". For cases like the example above, the default settings for many Exchange deployments will have this address phrase, in its entirety, within an attribute called legacyExchangeDN, so a query term (legacyExchangeDN=%s) would typically be added alongside the (mail=%s) term and the others present in the filter string. Other cases could require inspecting available directory attributes to find a suitable match. One final detail is that the Lotus Sametime server, by default, will skip over attribute values that are in LDAP canonical format as a single field, but it offers an override; this override would be required in the legacyExchangeDN case, for example. To establish the override behavior, edit the Lotus Sametime server's sametime.ini configuration file and add this line:
ST_DB_LDAP_ALLOW_SEARCH_ON_DN=1

to the section labeled [Directory]. If there is no such section already, create one by appending the two lines at the end of the ini file:
[Directory]
ST_DB_LDAP_ALLOW_SEARCH_ON_DN=1
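The four troubleshooting steps above, worked through in code as an added example that is not part of the guide or of IBM's product: it pulls the lookup phrase out of a constructed trace-log excerpt, assembles the LDAP query the way the %s placeholder implies (adding the RFC 4515 value escaping that keeps a phrase containing *, ( or ) from widening the search), and applies the [Directory] override to a constructed sametime.ini. How the Sametime server itself assembles and escapes its query, and how it decides that a value is in DN format, are not documented here, so those two functions are this example's own assumptions; the same filter check applies to the SharePoint ID phrase discussed later in this chapter.

```javascript
// Added example (not IBM's code): the four troubleshooting steps above worked
// on constructed data. Sametime's own filter assembly and DN detection are not
// documented here, so those two functions are this example's own assumptions.

// Constructed trace-log excerpt in the shape of the liveNameResolve message.
const SAMPLE_TRACE =
  '<?xml version="1.0" encoding="utf-8" ?><messageSet version="1.0" signed="false">' +
  '<liveNameResolve typeVersion="1.0"><lookupNames valueType="stringArray">' +
  '<stringArray length="1"><data><![CDATA[CN=John Doe,CN=Users,DC=stoidev,DC=com]]></data>' +
  '</stringArray></lookupNames></liveNameResolve><signature /></messageSet>';

// Step 2, find the resolution request: collect every lookup phrase from the
// liveNameResolve messages. A regex suffices for this fixed shape (CDATA or
// plain text inside <data>); anything richer would need a real XML parser.
function extractResolvePhrases(traceText) {
  const phrases = [];
  const messageRe = /<liveNameResolve\b[\s\S]*?<\/liveNameResolve>/g;
  const dataRe = /<data>(?:<!\[CDATA\[([\s\S]*?)\]\]>|([^<]*))<\/data>/g;
  for (const msg of traceText.match(messageRe) || []) {
    let d;
    while ((d = dataRe.exec(msg)) !== null) phrases.push(d[1] !== undefined ? d[1] : d[2]);
  }
  return phrases;
}

// Step 3, check the phrase: does it look like an LDAP distinguished name
// (attr=value pairs joined by commas) rather than an SMTP address or bare CN?
function looksLikeDn(phrase) {
  return /^\s*[A-Za-z][\w-]*=[^,]+(,\s*[A-Za-z][\w-]*=[^,]+)+\s*$/.test(phrase);
}

// Escape a value for use inside an LDAP search filter (RFC 4515). Without
// this, "*", "(" or ")" in a phrase would change the filter's meaning instead
// of being matched literally, turning a unique lookup into a wildcard one.
function escapeFilterValue(value) {
  return value.replace(/[\\*()\0]/g,
    (c) => "\\" + c.charCodeAt(0).toString(16).padStart(2, "0"));
}

// Substitute the phrase into every %s of a template written in the syntax of
// the "Search filter to use when resolving a user name" setting.
function buildResolveFilter(template, phrase) {
  return template.split("%s").join(escapeFilterValue(phrase));
}

// Step 4, adjust the server configuration. Minimal INI reader: [Section]
// headers and KEY=VALUE lines; anything else is ignored.
function parseIni(text) {
  const sections = {};
  let current = null;
  for (const raw of text.split(/\r?\n/)) {
    const line = raw.trim();
    const header = line.match(/^\[([^\]]+)\]$/);
    if (header) { current = header[1]; sections[current] = sections[current] || {}; continue; }
    const eq = line.indexOf("=");
    if (eq > 0 && current !== null) sections[current][line.slice(0, eq).trim()] = line.slice(eq + 1).trim();
  }
  return sections;
}

function hasDnSearchOverride(iniText) {
  const dir = parseIni(iniText).Directory;
  return dir !== undefined && dir.ST_DB_LDAP_ALLOW_SEARCH_ON_DN === "1";
}

// Return the ini text with ST_DB_LDAP_ALLOW_SEARCH_ON_DN=1 under [Directory],
// appending the section when it is absent, as the guide instructs. Idempotent.
function ensureDnSearchOverride(iniText) {
  if (hasDnSearchOverride(iniText)) return iniText;
  const lines = iniText.split(/\r?\n/);
  const start = lines.findIndex((l) => l.trim() === "[Directory]");
  if (start < 0) {
    const sep = iniText === "" || iniText.endsWith("\n") ? "" : "\n";
    return iniText + sep + "[Directory]\nST_DB_LDAP_ALLOW_SEARCH_ON_DN=1\n";
  }
  for (let i = start + 1; i < lines.length && !/^\s*\[/.test(lines[i]); i++) {
    if (/^\s*ST_DB_LDAP_ALLOW_SEARCH_ON_DN\s*=/.test(lines[i])) {
      lines[i] = "ST_DB_LDAP_ALLOW_SEARCH_ON_DN=1"; // correct a wrong existing value
      return lines.join("\n");
    }
  }
  lines.splice(start + 1, 0, "ST_DB_LDAP_ALLOW_SEARCH_ON_DN=1"); // section present, key missing
  return lines.join("\n");
}

// Per the guide: a DN-format phrase is skipped unless the override is set;
// any other phrase is searched.
function willSearchPhrase(phrase, iniText) {
  return !looksLikeDn(phrase) || hasDnSearchOverride(iniText);
}

// Constructed sametime.ini with no [Directory] section (the key is a placeholder).
const SAMPLE_INI = "[Config]\nEXAMPLE_KEY=1\n";

const samplePhrase = extractResolvePhrases(SAMPLE_TRACE)[0];
console.log("phrase:", samplePhrase);
console.log("filter:", buildResolveFilter("(|(mail=%s)(legacyExchangeDN=%s))", samplePhrase));
console.log("searched before override:", willSearchPhrase(samplePhrase, SAMPLE_INI));
console.log("searched after override:", willSearchPhrase(samplePhrase, ensureDnSearchOverride(SAMPLE_INI)));
```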

Installing the Meeting Integrator


IBM Lotus Sametime Meeting Integrator allows you to use the Calendar feature within Microsoft Office even though you do not have the Sametime Client installed.

Before you begin


Note: Always remember that when applying Office Integration fixes, you must ensure that no Office or Outlook processes are running at the time of the install. For more information, see the IBM Tech Note 1307607 at:
www.ibm.com/support/docview.wss?rs=477&uid=swg21307607

To install IBM Lotus Sametime Meeting Integrator (sametime-outlook-integrator8.0.exe), launch the installer and work through the screens from install to license. After completing the installation, you will need to set the Calendar Form.

To set the Calendar Form:
1. Start Outlook.
2. In the Calendar Properties dialog, set the entry for "When posting to this folder, use" to ST OnlineMeeting (or ST OnlineMeeting RTL for Arabic or Hebrew).

Known issues
The Meeting Integrator feature can support Sametime meeting servers that require SSL by modifying the syntax of the server name specified in the Sametime Meeting properties: if SSL is required, include the protocol portion of the server URL, for example "https://sametime.mycompany.com". The syntax shown in the dialog example, "sametime.mycompany.com", is correct for servers that are accessible by ordinary, non-SSL http.

Limitations
v The Meeting Integrator feature is not included in a meeting request that begins from Outlook's "Plan A Meeting" dialog.
v In a meeting which includes a Sametime meeting, if the Sametime meeting password is changed after the initial invitation is sent, then the message body will show more than one password -- the most recent password assignment is displayed last.
v Use of Office Integration features in Outlook 2000 can cause macro warning dialogs to be displayed.

Setting up Office SharePoint integration


Integrating IBM Lotus Sametime with Microsoft Office SharePoint Server extends collaboration capabilities by providing awareness and instant messaging between Lotus Sametime users who are using an Office SharePoint site. End users add these new capabilities by installing the optional client feature called "Sametime Connect integrator for SharePoint" -- the topic "Installing optional client features", in this information center, has detailed instructions for such installs. In addition, system administrators set up this feature by modifying template files on the Microsoft Office SharePoint Server, and then verifying the setup, as described below.

About this task


Complete the tasks below to set up Office SharePoint integration:

Setting up the Office SharePoint Server


Set up integration with Microsoft Office SharePoint by modifying template files on the Microsoft Office SharePoint Server with which you want IBM Lotus Sametime to communicate.

Before you begin


The end-user plugin called "Sametime Connect integrator for SharePoint" is the client feature that responds to the server modifications described here. That feature can be installed on the client at any time, but it will remain dormant until Internet Explorer views a SharePoint Web page from a server that has been modified as described in this topic. Likewise, the web pages from a modified server can be viewed from any client, but the extended functions will only be available on a client that is running Lotus Sametime Connect and the integrator for SharePoint plugin. The Office SharePoint Server integration feature is an optional feature and is not necessary for enabling integration with Office applications. On the client, the Lotus Sametime Connect integrator for SharePoint plugin can be installed independently of other Office Integration features. Note: Microsoft Communicator must not be configured to run against the Office SharePoint Server.

Chapter 9. Installing Sametime Integration for Microsoft Office

87

About this task


Setting up the SharePoint integration feature requires copying files to the Office SharePoint Server, using them to modify template files, and then restarting the server, as described below. Note: Always remember that when applying Office Integration fixes, you must ensure that no Office or Outlook processes are running at the time of the install. For more information, see the IBM Tech Note 1307607 at:
www.ibm.com/support/docview.wss?rs=477&uid=swg21307607

The files that you copy to the Office SharePoint Server in this procedure are available with the Lotus Sametime package. For details on downloading parts from the kits, see the Sametime 8.0.2 Download document at:
www.ibm.com/support/docview.wss?rs=477&uid=swg24017299

1. Copy the following files from the Lotus Sametime client packages to a temporary location on the Office SharePoint Server. These files are stored in the folder called sametimesharepoint:
   v SharePointImages.zip
   v EnsureIMNControl.js
   v Copy the appropriate version of this file for your version of SharePoint:
      IMNGetStatusImage_SharePoint2003.js
      IMNGetStatusImage_SharePoint2007.js
2. Open the folder called Common Files\Microsoft Shared\web server extensions\12\TEMPLATE. For most machines, the path will be: C:\Program Files\Common Files\Microsoft Shared\web server extensions\12\TEMPLATE. You will work in this folder for the remaining steps.
3. Extract the contents of the SharePointImages.zip file to the \IMAGES subfolder. For example: C:\Program Files\Common Files\Microsoft Shared\web server extensions\12\TEMPLATE\IMAGES.
4. Now open the folder called Common Files\Microsoft Shared\web server extensions\12\TEMPLATE\LAYOUTS\Language_ID. For example, an English installation will have the Language_ID 1033, and the path will be: C:\Program Files\Common Files\Microsoft Shared\web server extensions\12\TEMPLATE\LAYOUTS\1033.
5. Make back-up copies of the Init.js and OWS.js template files. In each of these files, you will replace two functions with newer versions that support integration with Lotus Sametime, and modify two other functions to correctly support the presence icon.
6. Replace the EnsureIMNControl function in the Init.js file as follows:
   a. Open the Init.js file for editing.
   b. Open the EnsureIMNControl.js file that you copied to the server back in step 1.
   c. Copy the EnsureIMNControl function from this file (leave the file open for now).
   d. Back in the Init.js file, search for its own version of the EnsureIMNControl function, delete that, and paste the newer version in its place.
7. Now replace the IMNGetStatusImage function in the same manner:
   a. Open the IMNGetStatusImage200x.js file that you also copied in step 1.
   b. Copy the IMNGetStatusImage function from this file (you can also leave this file open for now).
   c. Back in the Init.js, search for its own version of the IMNGetStatusImage function, delete that, and paste the newer version in its place.
8. Make two changes to the IMNRC(name, elem) function within the Init.js file as follows:
   a. Locate the function called IMNRC(name, elem).
   b. Locate the following statement (approximately 30 lines into the function):
if (typeof(IMNDictionaryObj[id])=="undefined")

c. Change the assignment from IMNDictionaryObj[id]=1 to IMNDictionaryObj[id]=0 so the "if" statement looks like this:
if (typeof(IMNDictionaryObj[id])=="undefined") { IMNDictionaryObj[id]=0; }

d. At the bottom of the same IMNRC(name, elem) function, there is a section that looks like this:
if (fFirst) {
    var objRet=IMNGetOOUILocation(obj);
    objSpan=objRet.objSpan;
    if (objSpan) {
        objSpan.onmouseover=IMNShowOOUIMouse;
        objSpan.onfocusin=IMNShowOOUIKyb;
        objSpan.onmouseout=IMNHideOOUI;
        objSpan.onfocusout=IMNHideOOUI;
    }
}

e. Add the following statement as the last assignment within that section:
objSpan.tabIndex=0;

Now that section should look like this (make sure you inserted the statement in the right place):
if (fFirst) {
    var objRet=IMNGetOOUILocation(obj);
    objSpan=objRet.objSpan;
    if (objSpan) {
        objSpan.onmouseover=IMNShowOOUIMouse;
        objSpan.onfocusin=IMNShowOOUIKyb;
        objSpan.onmouseout=IMNHideOOUI;
        objSpan.onfocusout=IMNHideOOUI;
        objSpan.tabIndex=0;
    }
}

9. Finally, modify the IMNIsOnlineState function as explained here:
   a. Locate the IMNIsOnlineState function.
   b. Change the condition from state==1 to state==0 so that the function looks like this:
function IMNIsOnlineState(state){
    if (state==0) {
        return false;
    }
    return true;
}

10. Save and close the Init.js file. Next you will make similar changes to the OWS.js file.
11. Replace the EnsureIMNControl function in the OWS.js file as follows:
   a. Open the OWS.js file for editing.
   b. Open the EnsureIMNControl.js file that you copied to the server back in step 1.
   c. Copy the EnsureIMNControl function from this file (leave the file open for now).
   d. Back in the OWS.js file, search for its own version of the EnsureIMNControl function, delete that, and paste the newer version in its place.
   e. Close the EnsureIMNControl.js file.
12. Now replace the IMNGetStatusImage function in the same manner:
   a. Open the IMNGetStatusImage200x.js file that you also copied in step 1.
   b. Copy the IMNGetStatusImage function from this file (you can also leave this file open for now).
   c. Back in the OWS.js, search for its own version of the IMNGetStatusImage function, delete that, and paste the newer version in its place.
   d. Close the IMNGetStatusImage.js file.
13. Make two changes to the IMNRC(name, elem) function within the OWS.js file as follows:
   a. Locate the function called IMNRC(name, elem).
   b. Locate the following statement (approximately 30 lines into the function):
if (typeof(IMNDictionaryObj[id])=="undefined")

c. Change the assignment from IMNDictionaryObj[id]=1 to IMNDictionaryObj[id]=0 so the "if" statement looks like this:
if (typeof(IMNDictionaryObj[id])=="undefined") { IMNDictionaryObj[id]=0; }

d. At the bottom of the same IMNRC(name, elem) function, there is a section that looks like this:
if (fFirst) {
    var objRet=IMNGetOOUILocation(obj);
    objSpan=objRet.objSpan;
    if (objSpan) {
        objSpan.onmouseover=IMNShowOOUIMouse;
        objSpan.onfocusin=IMNShowOOUIKyb;
        objSpan.onmouseout=IMNHideOOUI;
        objSpan.onfocusout=IMNHideOOUI;
    }
}

e. Add the following statement as the last assignment within that section:
objSpan.tabIndex=0;

Now that section should look like this (make sure you inserted the statement in the right place):
if (fFirst) {
    var objRet=IMNGetOOUILocation(obj);
    objSpan=objRet.objSpan;
    if (objSpan) {
        objSpan.onmouseover=IMNShowOOUIMouse;
        objSpan.onfocusin=IMNShowOOUIKyb;
        objSpan.onmouseout=IMNHideOOUI;
        objSpan.onfocusout=IMNHideOOUI;
        objSpan.tabIndex=0;
    }
}

14. Finally, modify the IMNIsOnlineState function as explained here:
   a. Locate the IMNIsOnlineState function.
   b. Change the condition from state==1 to state==0 so that the function looks like this:
function IMNIsOnlineState(state){
    if (state==0) {
        return false;
    }
    return true;
}

15. Save and close the OWS.js file.
16. Restart the Office SharePoint Server.
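A checker for the hand edits in steps 8-9 and 13-14, as an added example that is neither the guide's nor Microsoft's code: run against the saved Init.js and OWS.js, it reports which of the three edits (IMNDictionaryObj[id]=0, objSpan.tabIndex=0, state==0) is still missing, which is the first thing to verify when icons do not update. The BEFORE and AFTER fragments are constructed stand-ins for the template text around those lines.

```javascript
// Added example (not the guide's or Microsoft's code): checks whether the
// three hand edits to IMNRC and IMNIsOnlineState (steps 8-9 for Init.js,
// 13-14 for OWS.js) are present, so both files can be verified before restart.

// Collapse whitespace so the checks tolerate reformatting inside the template.
function normalize(source) {
  return source.replace(/\s+/g, " ");
}

// Return the brace-balanced body of "function <name>(...)", or null if absent.
function functionBody(source, name) {
  const start = source.indexOf("function " + name + "(");
  if (start < 0) return null;
  const open = source.indexOf("{", start);
  if (open < 0) return null;
  let depth = 0;
  for (let i = open; i < source.length; i++) {
    if (source[i] === "{") depth++;
    else if (source[i] === "}" && --depth === 0) return source.slice(open, i + 1);
  }
  return null; // unbalanced braces
}

// Each check is true only when the edited form shown in the guide is present.
function checkTemplateEdits(source) {
  const src = normalize(source);
  const imnrc = functionBody(src, "IMNRC") || "";
  const online = functionBody(src, "IMNIsOnlineState") || "";
  return {
    // steps 8b-8c: new dictionary entries start at 0, not 1
    dictionaryInitZero:
      /typeof ?\( ?IMNDictionaryObj\[id\] ?\) ?== ?"undefined" ?\) ?\{? ?IMNDictionaryObj\[id\] ?= ?0 ?;/.test(imnrc),
    // steps 8d-8e: objSpan.tabIndex=0 is the last assignment in the fFirst block
    tabIndexSet:
      /objSpan\.onfocusout ?= ?IMNHideOOUI ?; ?objSpan\.tabIndex ?= ?0 ?; ?\}/.test(imnrc),
    // step 9b: IMNIsOnlineState now tests state==0
    onlineStateZero:
      /if ?\( ?state ?== ?0 ?\) ?\{ ?return false ?; ?\} ?return true ?;/.test(online),
  };
}

// Names of the edits still missing from a template; empty when all are applied.
function missingTemplateEdits(source) {
  return Object.entries(checkTemplateEdits(source))
    .filter(([, ok]) => !ok)
    .map(([name]) => name);
}

// Constructed fragments in the shape the guide shows; a real template has far
// more code around these lines. BEFORE is the stock file, AFTER has all edits.
const BEFORE = `
function IMNRC(name, elem) {
  var id = name;
  if (typeof(IMNDictionaryObj[id])=="undefined") { IMNDictionaryObj[id]=1; }
  if (fFirst) { var objRet=IMNGetOOUILocation(obj); objSpan=objRet.objSpan;
    if (objSpan) { objSpan.onmouseover=IMNShowOOUIMouse; objSpan.onfocusin=IMNShowOOUIKyb;
      objSpan.onmouseout=IMNHideOOUI; objSpan.onfocusout=IMNHideOOUI; } }
}
function IMNIsOnlineState(state){ if (state==1) { return false; } return true; }
`;
const AFTER = BEFORE
  .replace("IMNDictionaryObj[id]=1;", "IMNDictionaryObj[id]=0;")
  .replace("objSpan.onfocusout=IMNHideOOUI; }", "objSpan.onfocusout=IMNHideOOUI; objSpan.tabIndex=0; }")
  .replace("state==1", "state==0");

console.log("stock template, missing edits:", missingTemplateEdits(BEFORE));
console.log("edited template, missing edits:", missingTemplateEdits(AFTER));
```

To check a real file, pass the contents read with fs.readFileSync(path, "utf8") to missingTemplateEdits; the replaced EnsureIMNControl and IMNGetStatusImage functions are not checked here because their new contents come from the kit files.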

Verifying the Office SharePoint integration setup


Use the IBM Lotus Sametime Connect client with the Lotus Sametime Connect integrator for SharePoint to verify that the Microsoft Office SharePoint integration feature is working correctly.

Before you begin


Set up the Office SharePoint Server by modifying template files as described in the previous topic.
1. On the client machine, install Lotus Sametime Connect 8.0.2 and the Lotus Sametime Connect integrator for SharePoint.
2. Open the client and navigate to a SharePoint site.
3. Now test your SharePoint integration by looking for Lotus Sametime presence icons next to user names on this page: When a Web page like the My Site page is loaded, the Lotus Sametime SharePoint control will display a presence icon for names on the page that represent online Lotus Sametime users (for example, a green square indicates an online user whose status is Available). No icon appears when a name is unresolved or a user is offline. Check for the following situations:
   v Online users are displaying appropriate Lotus Sametime presence icons. In this case, integration is correctly configured and you have finished. Skip the remainder of this topic.
   v Names on this page are missing icons entirely; you know that a particular name should have a presence icon but only displays it when you mouse-over the name. In this case, the client control is loading and resolving the name, but the icon update within the page is not complete. The most likely cause is incorrect editing of the template files; return to the previous topic and verify that you made the changes properly.
   v Names are missing icons and a mouse-over shows the control but always as the gray "X". In this case, the client control is loading but is not receiving positive resolutions for the person data being set by the page. Verify that the Lotus Sametime Connect client is running and logged into the Lotus Sametime server. If the problem persists, check the following topic, "Troubleshooting Office SharePoint integration".
   v A mouse-over does not show any change in the presence icon, not even the gray "X". In this case, either:
      The Lotus Sametime Connect integrator for SharePoint feature was not installed. Install it now and repeat this procedure to verify that integration is working correctly.
      The JavaScript library edits have not been applied on the server hosting this Web page. Return to the previous topic and apply the template changes directly on the Office SharePoint Server where the page being tested is hosted.
4. Once you have the integration working correctly, this task is complete.

Troubleshooting Office SharePoint integration


If the Microsoft Office SharePoint integration does not work properly in your IBM Lotus Sametime deployment, you may need to modify how Lotus Sametime processes the identifier phrase being used by the Office SharePoint Server.

Lotus Sametime and Office SharePoint user directories


In some enterprises, the Office SharePoint integration may function immediately with no additional configuration updates besides the JavaScript library changes described in "Setting up Office SharePoint Server integration". The most likely scenario to encounter this immediate functionality is one where Lotus Sametime and Office SharePoint have both been configured to use the same Active Directory, sharing this one LDAP for their backend directory. However, sharing a common LDAP is not a prerequisite for success with the Lotus Sametime SharePoint integration. Enterprises where the Lotus Sametime server uses a different directory server are workable, even in cases where Lotus Sametime is configured to use IBM Lotus Domino and Office SharePoint is configured to use Active Directory. The key to the functionality is the concept of Lotus Sametime "resolving" a phrase to match a Lotus Sametime user. The Office SharePoint Server creates and delivers Web pages to the local browser, and the live names on the page include JavaScript code that initializes names with presence controls.

Ensuring that Lotus Sametime can resolve an Office SharePoint server phrase
In Office SharePoint 2007, the function that provides a Lotus Sametime user name with a presence icon is called IMNRC. This function will appear in the page source wherever Office SharePoint intends to place a presence icon. The IMNRC function is passed an identifier phrase, typically an SMTP-format email address for the user; so alongside the name "Alice Jones" will be a presence initializer like IMNRC("ajones@acme.com"). The Lotus Sametime control that is loaded into the browser will be passed this ID (the "ajones@acme.com" string). The primary requirement for successful use of the Lotus Sametime SharePoint integration is that the ID phrase be uniquely resolvable by the Lotus Sametime server. Lotus Sametime does not require the Office SharePoint Server to use a particular data field as its ID for users, but you must configure the Lotus Sametime server to recognize the field you choose. The exact setting used by the Lotus Sametime server is described in "Table 6, Authentication settings for the LDAP directory" in the LDAP directory settings topic within this information center. The first table entry, called "Search filter to use when resolving a user name to a distinguished name", dictates the query that is used. Notice that "mail=%s" is a recommended setting, and will be successful when the ID phrase is the SMTP email address "ajones@acme.com". To summarize, the user data that is configured as an ID for presence by Office SharePoint Server must be made available to the Lotus Sametime server (even if in a second directory), and then specified in the "Search filter... when resolving a user name" field. A quick troubleshooting check is to take the ID phrase found in the presence initializing function, and paste it into the Lookup text field of the "Add Contact" dialog in the Lotus Sametime Connect Client. If it is a unique match, the ID phrase will resolve in the proper Office SharePoint integration.


Chapter 10. Preparing the Sametime client


This section describes what you will need to know before deploying the IBM Lotus Sametime Connect client to your users and how users can install the Connect client from the standalone client installer CD or corresponding downloaded image. It also provides the instructions necessary to make the network client installer available for installation, if you want to allow your users to download and install the Connect client themselves from the Sametime Welcome page.

Before deploying the Sametime Connect client


There are several things you need to know before deploying the IBM Lotus Sametime Connect client to your users.

About this task


The Lotus Sametime Connect client must be installed on a user's workstation by someone with administrative privileges on that computer. Before installing the client, review the following changes for this release:
v Using Lotus Expeditor to install the Sametime client
  If you will use Lotus Expeditor to push the client onto user workstations, be aware of the following restrictions:
    Do not use non-ASCII characters in the name of the installation directory.
    Do not use long paths (instead create a profile that uses short paths).
    Do not use paths containing non-ISO-8859-1 characters.
  These restrictions are discussed in the Lotus Expeditor information center.
v Internet passwords required
  Internet passwords are required to log on to IBM Lotus Sametime Connect. Before using Lotus Sametime Connect, each user must have an Internet password in their Person Document in the Domino Directory or stored in the LDAP Directory. You may need to inform users of their Internet passwords.
v Client packaging for Sametime 8.0.2
  Prior to release 8, the client installer consisted of a fully self-contained executable for each supported platform; the installer packaging changed in Lotus Sametime 8. Now, Lotus Sametime 8.0.2 uses the same client packaging methodology as Sametime 8 with these minor updates:
    The name of the RPM file that launches the 8.0.2 Linux client installer has changed to sametime-connect-8.0.2-1.i386.rpm.
    Customization of the Linux client installer from the deploy directory is not supported in Sametime 8.0.2. You may customize the RPM install by modifying the install.xml and plugin_customization.ini files found in the deploy directory and copying them to /etc/ibm/sametime-connect. If the install.xml and plugin_customization.ini files are found in the /etc/ibm/sametime-connect directory, they will take precedence over the information in the rpm.
    When using the 8.0.2 client installer to upgrade an 8.0 client, the 8.0.2 install manifest is merged with the existing 8.0 or 8.0.1 manifest and the 8.0.2 features are provisioned from the appropriate update site.
v Spell checker dictionaries
  The U.S. English spell check dictionary is installed automatically, but you can install spell checker dictionaries for additional languages. The additional dictionaries are provided as an update site on the client CD and downloaded image in the optional-components/optional-components-update.zip file. See Adding optional features to the client after install on page 111.
v Feature history size
  Note: By default after upgrading to 8.0.2, the previous 8.0 or 8.0.1 features remain intact (except on Linux). The preference "com.ibm.rcp.provisioning/feature.history.size" controls whether or not the old versions of the plugins are maintained. If multiple users will use Sametime from a single workstation, the "com.ibm.rcp.provisioning/feature.history.size" preference must be left at its default setting of "-1". The default setting ensures that all feature versions are kept, thereby allowing each user to move from the old features to the new at different times. If a Sametime installation will only be used by a single user, and you do not wish to maintain older feature versions, the "com.ibm.rcp.provisioning/feature.history.size" preference can be changed to "0". In this case, only a single version of a feature will be maintained. Note that this setting also takes effect when installing new features from an update site in general. For example, if you have feature acme.com_1.0.0 and then install acme.com_1.0.1, after restarting the client, acme.com_1.0.0 will be deleted. If you wish to change the default "com.ibm.rcp.provisioning/feature.history.size" setting of -1 (multi user) to 0 (single user), it must be done before upgrading. If upgrading by CD, define the preference in the plugin_customization.ini file found in the deploy directory of the installation media, before distributing the installer. If upgrading using the manifest update mechanism, define the preference in a plugin_customization.ini and copy it to the automatic update site, next to the site.xml file. The client will locate the remote plugin_customization.ini file and merge the property into the local plugin_customization.ini before handling any manifest updates.
v Preferences
  The location of the workspace does not change for 8.0.1. The location is the same as 8.0, therefore there is no special preference migration required when upgrading from 8.0 to 8.0.2.

  Platform   Path                                        Example
  Windows    user.home/Application Data/Lotus/Sametime   C:/Documents and Settings/joe/Application Data/Lotus/Sametime
  Linux      user.home/Lotus/Sametime                    /home/joe/Lotus/Sametime
  Mac        user.home/Lotus/Sametime                    /Users/joe/Lotus/Sametime

v Upgrading the Connect client on Windows
  When using the Sametime 8.0.2 installer to upgrade an 8.0 or 8.0.1 client, the existing install location is presented as a read-only text box. The only option is to upgrade the client instance to 8.0.2. When installing on a Windows machine that already has an existing 7.5.x version of Sametime Connect installed, the existing program directory for 7.5.x should not be used for the 8.0.2 installation. The default installdir location for 8.0.x is different from the default location used for 7.5.x. Do not manually change the installdir location to install into an existing 7.5.x location. This will result in a nonfunctioning installation, because the 8.0.x installer will by default attempt to remove 7.5.x at the end of the install. When 7.5.x is removed, its installdir location is cleaned up, which will also remove the newly installed 8.0.x files.
v Upgrading the Connect client on Linux
  When using the Sametime 8.0.2 installer to upgrade an 8.0 or 8.0.1 client, the rpm command first installs the 8.0.2 client and then uninstalls the older client.
v Upgrading the Connect client on Mac OS X
  When using the Sametime 8.0.2 installer to upgrade an 8.0 or 8.0.1 client, the installer will replace the older client.

Installing the Sametime Connect client from a CD


Users can install the IBM Lotus Sametime Connect client from the standalone client installer CD or corresponding downloaded image.

About this task

Installing the Sametime Connect client from CD on Windows


Users can install the IBM Lotus Sametime Connect client from the standalone client installer CD or corresponding downloaded image on a Microsoft Windows client.

Before you begin

About this task


Note: Unlike previous releases, the client installer for Windows is not packaged as a single self-contained executable. If you want to copy the Windows client installer to another location, copy the Windows-Linux directory and its entire contents to ensure the installer will run correctly.

To install the Sametime Connect client on a Windows client, perform the following:

1. If the Sametime Connect client is running, shut it down before attempting to install the newer version.
2. Important: Make a back-up copy of the directory where the earlier version of the client is installed.
3. Navigate to the Windows-Linux directory on the client CD or downloaded image.
4. Double-click setup.exe to begin the installation.

   Note: By default, the Lotus Sametime 8.0 Connect client installer will silently uninstall an existing Lotus Sametime 7.5.x version. If necessary, you can avoid uninstalling the earlier client by running the installer from a command line and setting a property flag, as follows:
setup.exe /v"STUNINST75FLAG=0"

   The default installation directory for the Sametime 8.0 client is different from earlier versions, so even if you choose to keep an earlier version of the client installed, you probably can accept the default installation directory.
5. Enter the required information when prompted.
6. When the installation completes, launch the Sametime Connect client; by default Sametime Connect is installed to C:\Program Files\IBM\Sametime.

Chapter 10. Preparing the Sametime client

97

Configuring the silent install for Connect client


You can enable the silent installation of the IBM Lotus Sametime Connect Client on Windows using two files that are provided on the client standalone installer CD and the associated downloaded image.

Before you begin


Copy the setup.bat and the silentinstall.ini files from the Windows-Linux directory and then update them to tailor the installer to your requirements.

About this task


Updating the setup.bat file

The batch file (setup.bat) contains several different commands that can be used to perform different installation functions. Some of the commands are commented out by default but can be un-commented and updated if the function is needed. Detailed explanations are included in the setup.bat file.

v Uninstalling older, pre-7.5.x Sametime Connect clients
  Three commands are provided to shut down, uninstall, and clean up an older, pre-7.5.x installation of the Connect client. These commands are commented out by default. If this functionality is needed, uncomment these lines and configure the paths to the old Sametime install directory as needed for your environment.

v Installing Microsoft Integration features
  Uncomment the lines in this section of the file if you are installing the Microsoft Integration features.

v Several sample commands are provided for different methods of executing the silent install.
  The first option executes the installer silently and uses a silentinstall.ini file to preconfigure connection settings. This is the default. If you choose to use one of the other methods, comment out this command.
  The second option executes the MSI version of the installer silently, using a silentinstall.ini to preconfigure the connection settings. If you choose to use this method, uncomment this command.
  The third option executes the installer silently and migrates the connection settings from an existing, earlier (pre-7.5) version of Sametime. This option does not use the silentinstall.ini file. If you choose to use this method, uncomment this command.

The commands in the setup.bat file contain several configuration parameters:

Table 6. Sametime Connect command line parameters

parameter                   description
install.log                 The name of the log file created by the installer. The file is created in the same directory as the installer.
INSTALLDIR={path}           Full path to the desired installation directory
STSILENTINIFILE={name}      Name of the silentinstall.ini file
STSILENTINSTALL=TRUE        Must be TRUE for silent execution
STMIGRATESETTINGSPRE75CHK   Instructs the installer to migrate connection settings from an existing pre-7.5 version of Sametime.
LAPAGREE=                   Set to YES to indicate acceptance of the license agreement. This must be specified on the command line when the silentinstall.ini file is not used. When silentinstall.ini is used, LAPAGREE is set in that file.

Updating the silentinstall.ini file

The silentinstall.ini file contains configuration parameters for the Lotus Sametime Connect client. The settings are used to pre-populate the community-config.xml file with server connection information and other parameters required by the installer for silent execution. More information is available in Configuring Sametime Connectivity.

Table 7. silentinstall.ini file

parameter                               description/value
LAPAGREE=NO                             You must change this parameter to YES to indicate acceptance of the license agreement.
STSERVERNAME=stservername.domain.com    Fully qualified host name of the Sametime server. Normally this should be the same as the home Sametime server specified in the person document.
STCOMMUNITYNAME=YourCommunityName       Community name
STSERVERPORT=1533                       Sametime Server IP Port number
STSENDKEEPALIVE=true                    Flag for sending keep alive signal.
STKEEPALIVETIME=60                      Default is 60 seconds. Indicates how often to check the connectivity between the client and server, allowing timely notification if disconnected.
STCONNECTIONTYPE75=direct               Connection type
STPROXYHOST=                            Proxy host name (leave blank if not used)
STPROXYPORT=                            Proxy port number (leave blank if not used)
STRESOLVELOCALY75=                      Proxy resolves local flag (TRUE/FALSE)
STPROXYUSERNAME=                        Proxy user name (leave blank if not used)
STPROXYPASSWORD=                        Proxy password (leave blank if not used)
STCOUNTRYLANG=en                        Specify one of the language codes listed below to set the language used by the Sametime Connect client. If not specified, the client machine's default language will be used.
                                        v cs - Czech
                                        v da - Danish
                                        v de - German
                                        v el - Greek
                                        v en - English
                                        v es - Spanish
                                        v fi - Finnish
                                        v fr - French
                                        v hu - Hungarian
                                        v it - Italian
                                        v ja - Japanese
                                        v ko - Korean
                                        v nl - Dutch
                                        v no - Norwegian
                                        v pl - Polish
                                        v pt - Portuguese (Portugal)
                                        v pt_BR - Portuguese (Brazil)
                                        v ru - Russian
                                        v sv - Swedish
                                        v tr - Turkish
                                        v zh_CN - Chinese (simplified)
                                        v zh_TW - Chinese (traditional)
STAUTHSERVERURL=                        Specifies the URL of the Auth Server for SSO Token Login (leave blank if not used). See Configuring the Sametime Connect client for token login for additional information.
STLOGINBYTOKEN=false                    Login By Token flag. TRUE/FALSE
STUSEAUTHSERVER=false                   Use Auth Server flag. TRUE/FALSE
STLOGINATSTARTUP=false                  Login at startup flag. TRUE/FALSE
STUNINST75FLAG=1                        Uninstall Sametime 7.5.x client flag. 1=uninstall 7.5.x client if found. 0=leave 7.5.x client installed.
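Because the silentinstall.ini file is copied onto every installer image you distribute, it is worth checking it before the image leaves your hands. The following script is an added example for this guide (it is not IBM's code): it parses the key=value settings from Table 7 and reports values that would make the silent install fail (LAPAGREE left at NO, template placeholders left in STSERVERNAME, a non-numeric port, a language code that is not in the list) as well as a proxy password stored in clear text on the installer media. The sample file contents, the host name stserver.example.com and the community name are constructed for the example.

```python
"""Pre-distribution check for a Sametime Connect silentinstall.ini (added example, not IBM code).

It reads the key=value settings from Table 7 and reports values that would make
the silent install fail or that put a credential on the installer media.
The sample content below is constructed for this example.
"""
import sys

# Language codes accepted by STCOUNTRYLANG, as listed in Table 7.
LANG_CODES = {"cs", "da", "de", "el", "en", "es", "fi", "fr", "hu", "it", "ja", "ko",
              "nl", "no", "pl", "pt", "pt_BR", "ru", "sv", "tr", "zh_CN", "zh_TW"}
BOOL_KEYS = ("STSENDKEEPALIVE", "STLOGINBYTOKEN", "STUSEAUTHSERVER", "STLOGINATSTARTUP")
# Values shipped in the template that must be replaced before distribution.
PLACEHOLDERS = {"stservername.domain.com", "YourCommunityName"}


def parse_ini(text):
    """Return {KEY: value}; blank lines, ';'/'#' comments and lines without '=' are skipped."""
    settings = {}
    for raw in text.splitlines():
        line = raw.strip()
        if not line or line[0] in ";#" or "=" not in line:
            continue
        key, _, value = line.partition("=")
        settings[key.strip()] = value.strip()
    return settings


def check_silentinstall(text):
    """Return a list of (severity, message) findings; an empty list means the file is ready."""
    s = parse_ini(text)
    findings = []
    if s.get("LAPAGREE", "").upper() != "YES":
        findings.append(("error", "LAPAGREE must be YES for a silent install"))
    if s.get("STSERVERNAME", "") in PLACEHOLDERS | {""}:
        findings.append(("error", "STSERVERNAME is blank or still the template placeholder"))
    if s.get("STCOMMUNITYNAME", "") in PLACEHOLDERS | {""}:
        findings.append(("warning", "STCOMMUNITYNAME is blank or still the template placeholder"))
    if not s.get("STSERVERPORT", "").isdigit():
        findings.append(("error", "STSERVERPORT must be a numeric port (default 1533)"))
    for key in BOOL_KEYS:
        if key in s and s[key].lower() not in ("true", "false"):
            findings.append(("error", f"{key} must be true or false, got {s[key]!r}"))
    if not s.get("STKEEPALIVETIME", "60").isdigit():
        findings.append(("error", "STKEEPALIVETIME must be a number of seconds"))
    lang = s.get("STCOUNTRYLANG", "")
    if lang and lang not in LANG_CODES:
        findings.append(("error", f"STCOUNTRYLANG {lang!r} is not one of the listed language codes"))
    if s.get("STUNINST75FLAG", "1") not in ("0", "1"):
        findings.append(("error", "STUNINST75FLAG must be 0 or 1"))
    if s.get("STPROXYHOST") and not s.get("STPROXYPORT"):
        findings.append(("error", "STPROXYHOST is set but STPROXYPORT is blank"))
    if s.get("STPROXYPASSWORD"):
        # The ini is copied onto every installer image; a proxy password here is stored in clear text.
        findings.append(("warning", "STPROXYPASSWORD is set: the proxy credential ships in clear text on the installer media"))
    if s.get("STLOGINBYTOKEN", "").lower() == "true" and not s.get("STAUTHSERVERURL"):
        findings.append(("error", "STLOGINBYTOKEN=true requires STAUTHSERVERURL"))
    return findings


# Constructed sample file (the host name and community name are made up).
SAMPLE_INI = """\
; constructed silentinstall.ini for this example
LAPAGREE=YES
STSERVERNAME=stserver.example.com
STCOMMUNITYNAME=Example Community
STSERVERPORT=1533
STSENDKEEPALIVE=true
STKEEPALIVETIME=60
STCONNECTIONTYPE75=direct
STPROXYHOST=
STPROXYPORT=
STRESOLVELOCALY75=
STPROXYUSERNAME=
STPROXYPASSWORD=
STCOUNTRYLANG=en
STAUTHSERVERURL=
STLOGINBYTOKEN=false
STUSEAUTHSERVER=false
STLOGINATSTARTUP=false
STUNINST75FLAG=1
"""
# Same file with three mistakes: license not accepted, unknown language, proxy password left in.
BAD_INI = (SAMPLE_INI.replace("LAPAGREE=YES", "LAPAGREE=NO")
           .replace("STCOUNTRYLANG=en", "STCOUNTRYLANG=xx")
           .replace("STPROXYPASSWORD=", "STPROXYPASSWORD=not-a-real-password"))

if __name__ == "__main__":
    # Usage: python check_silentinstall.py [path/to/silentinstall.ini]
    text = open(sys.argv[1], encoding="utf-8").read() if len(sys.argv) > 1 else BAD_INI
    for severity, message in check_silentinstall(text) or [("ok", "no findings")]:
        print(f"{severity}: {message}")
```

Run it against the silentinstall.ini you intend to ship and fix every "error" before building the image; treat a "warning" on STPROXYPASSWORD as a prompt to leave the proxy credential out of the distributed file and let users supply it after install.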

Installing the Sametime Connect client from CD on Linux


Users can install the IBM Lotus Sametime Connect client from the client CD or downloaded image on a Linux client. Users can also upgrade from the previous client with this program.


Before you begin


If you are upgrading from release 8.0, the rpm upgrade command (-U) removes the 8.0 version of the client automatically; there is no option to retain the 8.0 version of the features.

About this task


To install the Lotus Sametime Connect client on a Linux client, perform the following steps:

1. Log in to the workstation as the root user.
2. (RHEL only) Disable SELinux on any RedHat operating system:
   a. Open the /etc/selinux/config file for editing.
   b. Locate the SELINUX setting.
   c. Change its value to either disabled or permissive.
   d. Save and close the file.
   e. Restart the workstation.
3. (RHEL only) Install the compat runtime library by running the following command:
   v RHEL 4.0
rpm -ivh compat-libstdc++-33-3.2.3-47.3.i386.rpm

   v RHEL 5.x
rpm -ivh compat-libstdc++-33-3.2.3-61.i386.rpm

   Note: There may be a later release of the compat library for your release.
4. (RHEL 4 only) Use the Update Manager to upgrade to the latest version of glibc:
   a. Run one of the following commands:
      v /usr/bin/up2date
      v /usr/sbin/up2date
   b. Follow the update instructions to download a newer version of glibc.
5. Navigate to the Windows-Linux directory on the client CD or downloaded image.
6. Run the following install program:
   v Install:
rpm -i sametime-connect-8.0.1-1.i386.rpm

   v Upgrade:
rpm -U sametime-connect-8.0.1-1.i386.rpm

7. Launch the Sametime Connect client using the "Lotus Sametime Connect 8" desktop launcher in the Office category. Alternatively, use the following command:
/usr/bin/sametime

Installing the Sametime Connect client from CD on Mac OS X


Users can install the IBM Lotus Sametime Connect client from the client CD or downloaded image on a Mac OS X client.


About this task


To install the Lotus Sametime Connect client on a Mac OS X client, perform the following:

1. If an earlier version of the Lotus Sametime Connect client is installed, exit it and drag it to the Trash before installing the newer version.
2. Navigate to the MacOSX directory on the client CD or downloaded image.
3. Double-click sametime-connect.mpkg to begin the installation. By default the Connect client will be installed to the Applications folder on Mac HD.
4. Enter the required information when prompted.
5. When the installation completes, launch Lotus Sametime Connect by double-clicking Sametime.

Automatically upgrading Sametime Connect 8.0 clients


For upgrading IBM Lotus Sametime Connect 8.0 clients, automatic upgrade provides an alternative to the Lotus Sametime 8.0.1 installer. The automatic upgrade feature, referred to here as the "manifest update feature", allows the administrator to deploy new provisioning manifests to Sametime Connect clients. The client checks for remote provisioning manifest updates each time it is started. When a new manifest update is located, it is merged with the existing manifest and the user is prompted to restart the client. Upon restart, the platform provisions the features specified in the new manifest.

The process of locating the manifest updates occurs within the client's existing automatic update routine, which begins approximately 100 seconds after the first log in event. The routine only runs once per session. The client first checks for new features on the admin update site. If no new features are found, the client checks for a provisioning manifest descriptor file (manifest-updates.xml) in a well-known location.

The manifest-updates.xml file contains one or more manifest updates. Each manifest update includes metadata about the provisioning manifest to be merged, including a unique ID, a link to a provisioning manifest file, an OS match rule, a target client match rule, and either an update site URL or a link to an update site package. When the client finds a manifest update that is applicable, the update site package is downloaded if specified, the provisioning manifest is located and merged with the existing manifest, and the manifest update is added to a locally maintained list of manifest updates. After processing the manifest update, the user is alerted that a restart is needed. Upon restart, the merged manifest is processed and any new features are installed from either a locally downloaded update site package, or from a remote update site.

The manifest update feature only works in deployments where the end users have write access to the Sametime installation directory. Otherwise, the manifest update check returns silently. The manifest update approach therefore is not well suited to locked down environments (such as Linux deployments) where write access to the Sametime installation directory is prohibited. Regardless, customers with appropriate deployment environments may find this mechanism useful.

Differences between update sites and manifests


Installation manifests and update sites work differently; understanding how they differ will help you choose the best upgrade solution for your users.


The manifest update mechanism enables the provisioning of features into the managed IBM Lotus Sametime client platform. This entails the merging of new features into the platform's provisioning manifest (install.xml), followed by the installation of the features listed therein. The administrator update site mechanism, on the other hand, only installs new features for the current user. The platform provisioning manifest (install.xml) is not updated and other users in a multi-user installation do not get the features that are installed in this manner. Additionally, should the workspace be lost for any reason, or new user workspace instances created, features installed by the administrator update site mechanism would not be enabled when the new workspace is created. The administrator update site mechanism is useful for pushing a small set of features or feature patches to a client, but is not a viable means for provisioning a new version of the client. In summary, the administrator update site mechanism does not support multi-user installations, does not provide recovery support, and is not viable for provisioning large numbers of features.
Item                                   Manifest Update Mechanism   Administrator Update Site Mechanism
Features are installed for all users   Yes                         No
Provisioning manifest is updated       Yes                         No
Supports multi-user                    Yes                         No
Ideal for large numbers of features    Yes                         No

How the manifest update works


The manifest update feature works by modifying the list of files (the "manifest") that the installation program will install onto a client computer. After applying the manifest update feature, the client will check for a file named "manifest-updates.xml" in a "manifest-updates" folder relative to the admin update site. For example, if the automatic update site URL is "http://acme.com/sametime/updates/required", the client will check for the manifest-updates.xml file using the URL "http://acme.com/sametime/updates/required/manifest-updates/manifest-updates.xml".

Manifest updates can either specify a remote update site URL or an update site package. If the update site URL is specified, the client simply merges the remote manifest, registers the update site URL with the platform, and restarts. When provisioning occurs during the restart, the new features are provisioned from the remote update site. If the update site package is specified, the client first downloads the package to a temporary location, registers the local update site URL with the platform, then merges the manifest update. When provisioning occurs during the restart, the new features are provisioned from the local update site package. The manifest update is marked as needing cleanup so that when the client is restarted at a later time, the local update site package will be deleted.

The use of update site packages is recommended over the use of remote update sites, since network interruptions can prevent the client from successfully downloading remote features. The update site package guarantees that the features are present locally before they are installed, and provides a much better user experience, since provisioning from a local update site is much faster.

The format of the manifest-updates.xml is as follows:

<!DOCTYPE MANIFEST-UPDATE [
<!ELEMENT manifest-update (updateSitePkg?)>
<!ATTLIST manifest-update
    id                CDATA #REQUIRED
    os                (windows|linux|mac) #REQUIRED
    manifest          CDATA #REQUIRED
    coreBundleVersion CDATA #IMPLIED
    match             (perfect|equivalent|compatable|greaterOrEqual) "perfect"
    updateSiteUrl     CDATA #IMPLIED>

This element is used to define a manifest update, where:
v id - a unique identifier for this manifest update. Each manifest update must be uniquely identified so that the client can keep track of the updates. The recommended naming convention is description.date.install.xml. For example, sametime802.10272008.install.xml.
v os - the target OS for this update. Can be any combination of windows, linux, or mac.
v manifest - the name of the manifest file to be merged. The file must be located in the same directory as the manifest-updates.xml.
v coreBundleVersion - optional core bundle version specification that allows a manifest update to be targeted to a given client version. The core bundle version refers to the version of the "com.ibm.collaboration.realtime.core" bundle found in the client. This is basically equivalent to the Sametime client release. For example, in Sametime 8.0 the core bundle version is "8.0.0"; in Sametime 8.0.2, the core bundle version is "8.0.2".
v match - optional matching rule (case sensitive). Valid values and processing are as follows:
  - If the coreBundleVersion attribute is not specified, the match attribute, if specified, is ignored.
  - If the coreBundleVersion attribute is specified and the match attribute is not, the match rule is "perfect".
  - perfect - core bundle version must match exactly the specified version.
  - equivalent - core bundle version must be at least at the version specified, or at a higher service level (major and minor version levels must equal the specified version).
  - compatible - core bundle version must be at least at the version specified, or at a higher service level or minor level (major version level must equal the specified version).
  - greaterOrEqual - core bundle version must be at least at the version specified, or at a higher service, minor or major level.
v updateSiteUrl - optional URL specifying the update site containing the features specified in the manifest. In general this should not be used. Use the updateSitePkg element instead.
<!ELEMENT updateSitePkg EMPTY>
<!ATTLIST updateSitePkg
    checkSum           CDATA #IMPLIED
    url                CDATA #REQUIRED
    downloadDelayRange CDATA #IMPLIED>
]>

This element is used to define an optional update site package, where:
v url - the URL of the update site package.
v downloadDelayRange - optional value representing the range, in minutes, the client will wait before beginning to download the update site package. For example, if the value is 5, the client will wait anywhere from 0-5 minutes before downloading the file.

Note: There should only be one updateSitePkg element inside a manifest-update element.

This example shows a manifest update which will only be downloaded by the 8.0 version of the Windows Sametime client. After the manifest is merged, the client will restart and provision the new features from the specified remote update site.
<manifest-updates>
    <manifest-update id="acme-update-11.12.2008" os="windows"
        manifest="acme-update-11.12.2008.install.xml" coreBundleVersion="8.0.2"
        updateSiteUrl="http://acme.com/sametime/updates/acme-update-11.12.2008.updateSite"/>
</manifest-updates>

This example shows a manifest update which will be downloaded by any 8.x version of the Windows Sametime client. Once the update site package is downloaded and the manifest is merged, the client will restart and provision the new features from the local update site package.

<manifest-updates>
    <manifest-update id="acme-update-11.12.2008" os="windows"
        manifest="acme-update-11.12.2008.install.xml" coreBundleVersion="8.0.2" match="compatable">
        <updateSitePkg url="http://acme.com/sametime/updates/acme-update-11.12.2008.updateSite.zip"/>
    </manifest-update>
</manifest-updates>

The following table shows examples of coreBundleVersion match rules:


Table 8. Examples showing match results for differing rules and plugin versions

corePluginVersion   match rule      Actual core plugin version   Result
8.0.0               perfect         8.0.0                        match
8.0.0               perfect         8.0.2                        no match
8.0.0               equivalent      8.0.2                        match
8.0.0               equivalent      8.5.0                        no match
8.0.0               compatable      8.5.0                        match
8.0.0               compatable      9.0.0                        no match
8.0.0               greaterOrEqual  9.0.0                        match
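Before publishing a manifest-updates.xml it helps to know exactly which clients will pick up each entry. The following script is an added example for this guide, not the Sametime client's own code: it implements the four coreBundleVersion match rules exactly as defined above (the spelling "compatable" used by the DTD and Table 8 is accepted alongside "compatible"), applies the OS and version filters to a manifest-updates.xml, and returns the entries a client with a given OS and core bundle version would process. Assumptions not taken from the guide: the os attribute may list several values separated by commas or spaces, and the host name updates.example.com and the ids st802 and acme-patch in the constructed sample are made up.

```python
"""Client-side selection of manifest-update entries (added example, not the Sametime client's code).

Implements the coreBundleVersion match rules exactly as the text defines them and
returns the entries from a manifest-updates.xml that a client with a given OS and
core bundle version would process. Assumptions not taken from the guide: the os
attribute may list several values separated by commas or spaces; the host name
updates.example.com and the ids in the constructed sample are made up.
"""
import xml.etree.ElementTree as ET


def parse_version(text):
    """'8.0.2' -> (8, 0, 2); missing components count as 0, extra ones are ignored."""
    parts = [int(p) for p in text.strip().split(".")[:3]]
    return tuple(parts + [0] * (3 - len(parts)))


def version_matches(required, actual, rule="perfect"):
    """Does the client's core bundle version `actual` satisfy `required` under `rule`?"""
    req, act = parse_version(required), parse_version(actual)
    rule = {"compatable": "compatible"}.get(rule, rule)  # spelling used by the DTD on this page
    if rule == "perfect":
        return act == req
    if act < req:  # every other rule requires at least the specified version
        return False
    if rule == "equivalent":  # major and minor must equal; service level may be higher
        return act[:2] == req[:2]
    if rule == "compatible":  # major must equal; minor and service level may be higher
        return act[0] == req[0]
    if rule == "greaterOrEqual":
        return True
    raise ValueError(f"unknown match rule {rule!r}")


def applicable_updates(xml_text, client_os, core_version, already_applied=()):
    """Return the manifest-update entries (as dicts) a client should process, in file order."""
    root = ET.fromstring(xml_text)
    chosen = []
    for upd in root.findall("manifest-update"):
        if upd.get("id") in already_applied:  # the client keeps a local list of processed ids
            continue
        os_list = upd.get("os", "").replace(",", " ").split()  # assumption: comma/space separated
        if client_os not in os_list:
            continue
        required = upd.get("coreBundleVersion")
        # Without coreBundleVersion the match attribute is ignored; with it, match defaults to perfect.
        if required and not version_matches(required, core_version, upd.get("match", "perfect")):
            continue
        pkg = upd.find("updateSitePkg")
        chosen.append({
            "id": upd.get("id"),
            "manifest": upd.get("manifest"),
            "package": pkg.get("url") if pkg is not None else None,
            "remote_site": upd.get("updateSiteUrl"),
        })
    return chosen


# Constructed sample: one package-based update for 8.0.0 Windows clients, one remote-site
# update for any 8.x client at or above 8.0.2 on Windows or Mac.
SAMPLE_MANIFEST_UPDATES = """<manifest-updates>
  <manifest-update id="st802" os="windows" manifest="st802.install.xml" coreBundleVersion="8.0.0">
    <updateSitePkg url="http://updates.example.com/sametime/updates/required/st802.updateSite.zip"/>
  </manifest-update>
  <manifest-update id="acme-patch" os="windows,mac" manifest="acme-patch.install.xml"
                   coreBundleVersion="8.0.2" match="compatable"
                   updateSiteUrl="http://updates.example.com/sametime/updates/required/acme-patch.updateSite"/>
</manifest-updates>
"""

if __name__ == "__main__":
    for client_os, version in (("windows", "8.0.0"), ("windows", "8.0.2"), ("mac", "8.5.0"), ("linux", "8.0.0")):
        ids = [u["id"] for u in applicable_updates(SAMPLE_MANIFEST_UPDATES, client_os, version)]
        print(f"{client_os} {version}: {ids}")
```

Feeding your own manifest-updates.xml and the OS/version pairs of the client population you manage shows, before anything is published, which entries each population would merge; the test values below reproduce every row of Table 8.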

Enabling automatic upgrades for Sametime Connect 8.0 clients


For upgrading IBM Lotus Sametime Connect 8.0 clients, automatic upgrade provides an alternative to the Sametime 8.0.2 installer.

Before you begin


This approach should only be used in deployments where end users have administrative privileges.

About this task


The following steps outline how to automatically upgrade the 8.0 client to 8.0.2. When upgrading to 8.0.2, the manifest update should use an update site package rather than a remote update site. The reason is that the 8.0.2 update site is large, approximately 110 MB, increasing the chances that network errors may occur while provisioning features from a remote update site. If network errors occur during provisioning, the platform would most likely become invalid and unusable. On the other hand, if network errors interrupt the download of the update site package, the platform will not be affected, and the client will simply try again. Manifest updates should avoid using remote update site URLs in general.

1. Establish the automatic update site policy URL.
2. Extract the sametime.802.upgrade.patch.update.site.zip file to the upgrade site's directory. For example:
...updates\required\site.xml
...updates\required\features\...
...updates\required\plugins\...

   The 8.0 clients will automatically install the 8.0.2 upgrade patch. The sametime.802.upgrade.patch.update.site.zip file can be found in the following location:
CD11/upgrade/sametime.802.upgrade.patch.update.site.zip

3. Create a manifest-updates folder on the automatic update site. For example, if your automatic update site is:
http://acme.com/sametime/updates/required

   you should create a folder like this:
http://acme.com/sametime/updates/required/manifest-updates/

4. Copy the 8.0.2 install.xml to the manifest-updates folder. The 8.0.2 install.xml should be renamed to something descriptive such as "801..install.xml" since other provisioning manifests may eventually exist in this folder.
5. Copy the 8.0.2 update site package to a Web server and put it in the ...updates\required directory.
   v Mac: CD11/upgrade/MacOSX-update.site.zip
   v Windows: CD11/upgrade/Windows-Linux-update.site.zip
6. Create the manifest-updates.xml file in the manifest-updates folder.
7. Add an 8.0.2 manifest-update entry to the manifest-updates.xml file. For example:
<manifest-update id="st802" os="windows" manifest="st802.install.xml" coreBundleVersion="8.0.0">
    <updateSitePkg url="http://acme.com/sametime/updates/st802.updateSite.zip"/>
</manifest-update>

8. Restart the client and wait 100 seconds.

Note: After upgrading, the Mac client will not restart automatically; the end user must manually start the Lotus Sametime Connect application by clicking its icon three times. On the third try, the client will start.
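A mistake in steps 2 to 7 (a manifest that is not beside manifest-updates.xml, a package URL that does not resolve to a file on the site, a duplicated id) only shows up as a silent no-op or a broken client after the 100-second check. The following script is an added example for this guide, not an IBM tool: given the local directory that the Web server publishes at the automatic update site URL, it verifies the layout those steps produce (site.xml, features, plugins, the manifest-updates folder) and cross-checks every manifest-update entry against the files actually present. The directory tree built by build_sample_site() and the host name updates.example.com are constructed for the example; the directory name "required" follows the URL used in step 3.

```python
"""Pre-publication check of an automatic update site laid out as in the steps above
(added example, not an IBM tool).

Given the local directory served at the automatic update site URL, it checks the
layout the steps produce (site.xml, features, plugins, manifest-updates/) and
cross-checks manifest-updates.xml against the files actually present. The site
tree built by build_sample_site() and the host updates.example.com are constructed.
"""
import os
import tempfile
import xml.etree.ElementTree as ET


def check_update_site(site_dir, site_url):
    """Return a list of problem strings; an empty list means the site is consistent."""
    problems = []
    for required in ("site.xml", "features", "plugins"):
        if not os.path.exists(os.path.join(site_dir, required)):
            problems.append(f"missing {required} in the update site root")
    mu_dir = os.path.join(site_dir, "manifest-updates")
    mu_file = os.path.join(mu_dir, "manifest-updates.xml")
    if not os.path.isfile(mu_file):
        return problems + ["missing manifest-updates/manifest-updates.xml"]
    try:
        root = ET.parse(mu_file).getroot()
    except ET.ParseError as exc:
        return problems + [f"manifest-updates.xml is not well-formed: {exc}"]
    base = site_url.rstrip("/") + "/"
    seen = set()
    for upd in root.findall("manifest-update"):
        uid = upd.get("id", "<no id>")
        if uid in seen:  # ids are how the client remembers which updates it has processed
            problems.append(f"duplicate manifest-update id {uid}")
        seen.add(uid)
        manifest = upd.get("manifest")
        if not manifest or not os.path.isfile(os.path.join(mu_dir, manifest)):
            problems.append(f"{uid}: manifest {manifest!r} is not next to manifest-updates.xml")
        pkgs = upd.findall("updateSitePkg")
        if len(pkgs) > 1:
            problems.append(f"{uid}: more than one updateSitePkg element")
        if upd.get("updateSiteUrl"):
            problems.append(f"{uid}: uses a remote updateSiteUrl; an update site package is recommended")
        for pkg in pkgs:
            url = pkg.get("url", "")
            if not url.startswith(base):
                problems.append(f"{uid}: package {url} is hosted outside {base}; confirm it is reachable")
                continue
            rel = url[len(base):]
            if not os.path.isfile(os.path.join(site_dir, *rel.split("/"))):
                problems.append(f"{uid}: package {rel} is not present under the site directory")
    return problems


def _write(path, data):
    with open(path, "w", encoding="utf-8") as fh:
        fh.write(data)


def build_sample_site(parent, with_package=True):
    """Create a constructed site tree mirroring steps 2 to 7 above under parent/required."""
    site = os.path.join(parent, "required")
    for sub in ("features", "plugins", "manifest-updates"):
        os.makedirs(os.path.join(site, sub))
    _write(os.path.join(site, "site.xml"), "<site/>\n")
    _write(os.path.join(site, "manifest-updates", "st802.install.xml"), "<install/>\n")
    if with_package:  # stand-in for the real update site package zip
        _write(os.path.join(site, "st802.updateSite.zip"), "placeholder")
    _write(os.path.join(site, "manifest-updates", "manifest-updates.xml"),
           '<manifest-updates>\n'
           '  <manifest-update id="st802" os="windows" manifest="st802.install.xml" coreBundleVersion="8.0.0">\n'
           '    <updateSitePkg url="http://updates.example.com/sametime/updates/required/st802.updateSite.zip"/>\n'
           '  </manifest-update>\n'
           '</manifest-updates>\n')
    return site


SITE_URL = "http://updates.example.com/sametime/updates/required"


def run_sample(with_package=True):
    """Build the sample tree in a temporary directory and return the check results."""
    with tempfile.TemporaryDirectory() as tmp:
        return check_update_site(build_sample_site(tmp, with_package), SITE_URL)


if __name__ == "__main__":
    print("complete site:", run_sample() or "no problems")
    print("package missing:", run_sample(with_package=False))
```

Point check_update_site() at the real directory behind your automatic update site URL after step 7 and before step 8; an empty result means every entry the clients will read refers to a file that is actually there.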


What to do next
To troubleshoot issues with the automatic upgrade, isolate the upgrade logging output as follows. In the rcpinstall.properties file (located in the C:/Documents and Settings//Application Data/Lotus/Sametime/.config directory on Windows) add the line:
com.ibm.collaboration.realtime.update.level=ALL

Making the client installation files available for download


After completing the installation of IBM Lotus Sametime server, perform the following steps to make the network client installer available for installation from the Sametime Welcome page.

About this task


Note: If you want to include any optional Sametime components in the base install for all of your users, see Enabling optional features in the base client install on page 109.

1. Copy the entire contents of the network-install directory from the Lotus Sametime Connect Network Install Client CD or downloaded image to the following location on the Sametime server:
   <server_data_directory>\domino\html\sametime\network-install
   Note: There are place-holder files in the directory; you must replace them with the real ones.
   v The default location on a Windows server is:
c:\program files\lotus\domino\data\domino\html\sametime\network-install

   v The default location for AIX, Linux, and Solaris is:
/local/notesdata/domino/html/sametime/network-install

   v For i5/OS, there is no default data directory but the name may be similar to this:
/STserver/domino/html/sametime/network-install

2. (Optional) Set default preferences in the plugin_customization.ini file located in the deploy directory:
   v \network-install\install\deploy
   v \network-install\install.mac\deploy
3. Update the installer URL information:
   v Open the \domino\html\sametime\network-install\applet\download.properties file in a text editor.
   v Set the value of the installer.root.base property to match the correct URL for the network-install directory on your Sametime server. For example, if your Sametime server host name is stserver.com:
installer.root.base=http://stserver.com/sametime/network-install

   v Save your changes.
4. Generate the installer archive zips. The ArchiveCreator scripts create platform-specific installer zip files. These zip files only include the base installer with the Expediter/Eclipse platform and the install manifest, which can be customized for your environment. This allows the user to download the zip file, extract it, and run the installer, which provisions the Lotus Sametime features from the update site included with the network-install directory. The zip files are approximately 25 MB instead of over 200 MB as they are on the CD.
   v For Windows and UNIX:
     Open a console window to the \domino\html\sametime\network-install\bin directory.
     Run the ArchiveCreator tool (ArchiveCreator.bat for Windows, ArchiveCreator.sh for UNIX).
   v For i5/OS, run the following commands:
QSH
cd /<server_data_directory>/domino/html/sametime/network-install/bin
ArchiveCreator_i5OS.sh

     Press F3 to exit QSH.
   Note: The network client installer does not currently support installing over the network when the Domino HTTP server has been configured to use SSL with a self-signed test certificate.
5. Verify that you have copied the files correctly by installing the Sametime Connect client from the network.

Installing the Sametime Connect client from the network


To install the IBM Lotus Sametime Connect client files from your network, perform the following steps:

1. Linux, Mac only: If you share a computer and another user already installed the Connect client, remove temporary files left by the previous installation:
   a. Log on to the computer as the root user.
   b. Run the following command to remove the temporary files:
      v Linux
rm -rf /tmp/deploy /tmp/sametime-connect-*.rpm /tmp/install.sh

      v Mac
rm -rf /tmp/deploy /tmp/sametime-connect.mpkg.zip /tmp/setupmac.sh

2. (Optional) Set default preferences in the plugin_customization.ini file located in the deploy directory:
   v \network-install\install\deploy
   v \network-install\install.mac\deploy
3. (Linux only) Install the compat runtime library by running the following command:
   v RHEL 4.0
rpm -ivh compat-libstdc++-33-3.2.3-47.3.i386.rpm

   v RHEL 5.x
rpm -ivh compat-libstdc++-33-3.2.3-61.i386.rpm

   Note: There may be a later release of the compat library for your release.
4. Using a Web browser, open the Sametime Welcome page on your Sametime server. For example, if the fully qualified host name of your Sametime server is stserver.com, open http://stserver.com/.
5. Click Download Lotus Sametime Connect 8.0.2 Client to display the "Welcome to the IBM Lotus Sametime Connect 8.0.2 Client Download Site" page.
6. Click Install Now to begin the download and installation process. Once all files have been downloaded, the actual client installer will start:
   v Windows: Follow the instructions in the installer and enter the required information to complete the installation.
   v Mac: Follow the instructions in the installer and enter the required information to complete the installation.
   v Linux: The RPM installer runs automatically.

What to do next
Saving the installer for use later

If there are problems running the network client installer applet, or if you want to install at a later time, you can select Save from the "Welcome to the IBM Lotus Sametime Connect 8.0.2 Client Download Site" page. This will bring you to a downloads page where you can select the operating system of the installer you wish to save. The downloads page includes instructions for downloading the installer for later use.

Installing optional client features


IBM Lotus Sametime ships with a number of optional client features that are not included in the default base install. These features provide additional functionality to the core client.

Before you begin


For example:
v MS Office Integration Features
v E-mail Integration Features
v Spell Checker Dictionaries

It is left up to the administrator to decide what features to make available to clients, and how to do that. The following sections explain the available options in more detail.

Enabling optional features in the base client install


With the method described in this section, the administrator determines which optional features will be installed with the IBM Lotus Sametime client, and the user is not required to make any decisions. Additional alternatives are described in Adding optional features to the client after install.

Before you begin


The local and network-client installs include an install manifest that lists all of the features shipped with Lotus Sametime but the optional features are commented out. The following sections explain the options in more detail.

About this task


Installing from the Client Standalone Installer CD or downloaded image

1. Copy the contents of the CD or downloaded image to a local directory. Use this local directory to make the edits in the next steps.
2. Open <CD>\sametimeclient\Windows-Linux\deploy\install.xml in a text editor.
3. Optional features are commented out using XML-style comments; uncomment any you wish to include in the install (see the example below).
4. Save the file.
5. Repeat Steps 3 and 4 for the Mac install manifest located at <CD>\sametimeclient\MacOSX\deploy\install.xml.
6. Test a base install.
7. Repackage the CD or download image (if necessary) before distributing to your users.

Example

Here's an example of features that are commented out in the install manifest:

Note: The commented section begins with "<!--" and ends with "-->".

<!-- The following features are optional, and may be uncommented in order to be deployed.
<feature id="com.ibm.collaboration.realtime.oi.webConfTab.feature" version="8.0.0.20071013-0057" matc
<feature id="com.ibm.collaboration.realtime.oi.toolbar.feature" version="8.0.0.20071013-0057" match="
<feature id="com.ibm.collaboration.realtime.oi.smarttags.feature" version="8.0.0.20071013-0057" match
<feature id="com.ibm.collaboration.realtime.notes.connector.feature" version="8.0.0.20071013-0057" ma
<feature id="com.ibm.collaboration.realtime.notes.connector.feature" version="8.0.0.20071013-0057" ma
-->

What to do next

Here's an example after uncommenting the three MS Office Integration features. Note: Always remember that when applying Office Integration fixes, you must ensure that no Office or Outlook processes are running at the time of the install. For more information, see IBM Tech Note 1307607 at:
www.ibm.com/support/docview.wss?rs=477&uid=swg21307607

The commented section now ends before the list of Office Integration features. The other two features are still commented out in this example.

<!-- The three MS Office Integration features are uncommented so they will be deployed. -->
<feature id="com.ibm.collaboration.realtime.oi.webConfTab.feature" version="8.0.0.20071118-1819" match=...
<feature id="com.ibm.collaboration.realtime.oi.toolbar.feature" version="8.0.0.20071118-1819" match=...
<feature id="com.ibm.collaboration.realtime.oi.smarttags.feature" version="8.0.0.20071118-1819" match=...
<!-- The calendar availability features for Lotus Notes and MS Outlook are still commented out.
<feature id="com.ibm.collaboration.realtime.notes.connector.feature" version="8.0.0.20071118-1819" match=...
-->
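The manifest edit above can be scripted when you repackage the image for many users. The following Python script is an added example written for this guide's procedure; it is not part of the Sametime installer or of IBM's code. It assumes a manifest laid out as in the excerpt (feature elements inside an XML comment); the <install> root element and the match="perfect" value in the constructed sample are assumptions, not copied from a real install.xml. The script moves the requested features out of the comment, rejects misspelled ids instead of silently leaving a feature undeployed, and re-parses the result so a malformed manifest is caught before the image is shipped.

```python
"""Uncomment selected optional <feature> elements in a Sametime install.xml.

Added example for the procedure above; not part of IBM Lotus Sametime.
"""
import re
import sys
import xml.etree.ElementTree as ET

# Constructed sample manifest in the shape the manual's excerpt shows. The
# <install> root and match="perfect" are assumptions; the feature ids and
# version string are the ones printed in the excerpt.
SAMPLE_MANIFEST = """<?xml version="1.0"?>
<install>
<feature id="com.ibm.collaboration.realtime.feature" version="8.0.0.20071013-0057" match="perfect"/>
<!-- The following features are optional, and may be uncommented in order to be deployed.
<feature id="com.ibm.collaboration.realtime.oi.webConfTab.feature" version="8.0.0.20071013-0057" match="perfect"/>
<feature id="com.ibm.collaboration.realtime.oi.toolbar.feature" version="8.0.0.20071013-0057" match="perfect"/>
<feature id="com.ibm.collaboration.realtime.oi.smarttags.feature" version="8.0.0.20071013-0057" match="perfect"/>
<feature id="com.ibm.collaboration.realtime.notes.connector.feature" version="8.0.0.20071013-0057" match="perfect"/>
-->
</install>
"""

COMMENT_RE = re.compile(r"<!--(.*?)-->", re.DOTALL)
FEATURE_RE = re.compile(r'<feature\b[^>]*\bid="([^"]+)"[^>]*/>')


def uncomment_features(manifest, wanted):
    """Return the manifest with every <feature> whose id is in `wanted`
    moved out of its enclosing XML comment. Features not in `wanted`
    stay commented out. Raises ValueError for ids that were not found,
    so a typo cannot silently leave a feature undeployed.
    """
    wanted = set(wanted)
    found = set()

    def rewrite(comment):
        enabled = []

        def pull(feature):
            fid = feature.group(1)
            if fid in wanted:
                found.add(fid)
                enabled.append(feature.group(0))
                return ""
            return feature.group(0)

        rest = FEATURE_RE.sub(pull, comment.group(1))
        rest = re.sub(r"\n\s*\n", "\n", rest)   # drop the blank lines left behind
        out = "\n".join(enabled)
        if rest.strip():                         # keep the comment if anything remains in it
            out += ("\n" if out else "") + "<!--" + rest + "-->"
        return out

    result = COMMENT_RE.sub(rewrite, manifest)
    missing = wanted - found
    if missing:
        raise ValueError("feature ids not in manifest: " + ", ".join(sorted(missing)))
    return result


def active_features(manifest):
    """Ids of the features the installer will actually deploy. Parsing the
    XML discards comments, so this is the deployed set; it also fails loudly
    if the edit left the manifest malformed or declared a feature twice.
    """
    root = ET.fromstring(manifest)
    ids = [f.get("id") for f in root.iter("feature")]
    dupes = sorted({i for i in ids if ids.count(i) > 1})
    if dupes:
        raise ValueError("feature declared more than once: " + ", ".join(dupes))
    return ids


if __name__ == "__main__":
    # Usage: python enable_features.py install.xml feature.id [feature.id ...]
    # With no arguments the constructed sample is used and nothing is written.
    if len(sys.argv) > 2:
        with open(sys.argv[1], encoding="utf-8") as fh:
            text = fh.read()
        ids = sys.argv[2:]
    else:
        text = SAMPLE_MANIFEST
        ids = ["com.ibm.collaboration.realtime.oi.toolbar.feature",
               "com.ibm.collaboration.realtime.oi.smarttags.feature"]
    edited = uncomment_features(text, ids)
    print("deployed features:", *active_features(edited), sep="\n  ")
    if len(sys.argv) > 2:
        with open(sys.argv[1], "w", encoding="utf-8") as fh:
            fh.write(edited)
```

Run it once against the Windows/Linux manifest and once against the Mac manifest, then perform the base-install test from step 6 on the repackaged image; the printed list is what the installer will deploy, which is the thing to compare against what you intended.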

Note: The MS Office Integration features require special installation processing on MS Windows clients. If you are installing the MS Office Integration features automatically during installation, you must instruct users to invoke the oi_setup.bat script instead of setup.exe. This script takes care of all the preprocessing that the MS Office Integration features require.

Installing from the Network
1. Configure the network client install as instructed in the "Making the network client installer available" topic.


2. Open both the Windows/Linux and the Mac OS X install manifests in the network-install directory on the Sametime server:
v The default location on a Windows server is:
Windows/Linux: c:\program files\lotus\domino\data\domino\html\sametime\network-install\install\deploy\install.xml
Mac OS X: c:\program files\lotus\domino\data\domino\html\sametime\network-install\install.mac\deploy\install.xml
v The default location for AIX, Linux, and Solaris is:
Windows/Linux: /local/notesdata/domino/html/sametime/network-install/install/deploy/install.xml
Mac OS X: /local/notesdata/domino/html/sametime/network-install/install.mac/deploy/install.xml
v For i5/OS, there is no default data directory, but the name may be similar to this:
Windows/Linux: /STserver/domino/html/sametime/network-install/install/deploy/install.xml
Mac OS X: /STserver/domino/html/sametime/network-install/install.mac/deploy/install.xml
3. Edit both manifests and uncomment any optional features you wish to include in the install. See the example in the Standalone installer section above.
4. Save the files.

Note: The MS Office Integration features require special installation processing on MS Windows clients. If you are installing the MS Office Integration features automatically during installation, perform the following additional steps:
1. Open the download.properties file in the network-install/applet directory on the Sametime server.
2. Comment out the following two properties by inserting a pound sign (#) at the beginning of each line:
#win32.downloads.files=setup.exe,deploy/plugin_customization.ini
#win32.downloads.execute=setup.exe

3. Locate the section relating to the Office Integration features and uncomment the win32.downloads.files and win32.downloads.execute properties in that section by removing the pound signs (#) at the beginning of each line:

### *** NOTE: The ST Office Integration features require special handling during installation
### *** Some MS specific files must be installed prior to running the Sametime installer
### *** If you are installing the Office Integration features, comment out the two properties a
### *** (win32.downloads.files and win32.downloads.execute) and uncomment these two properties:
win32.downloads.files=oi_setup.bat,setup.exe,deploy/plugin_customization.ini
win32.downloads.execute=oi_setup.bat

4. Save the file. This allows the additional files required for the Office Integration features to be downloaded and executed properly during a network install.
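The download.properties change in steps 2 and 3 is easy to get half right. If one of the original lines is left active, java.util.Properties keeps the last definition of a key it reads, so which installer the applet runs depends on line order rather than on what you intended. The following Python script is an added example, not part of the Sametime installer or of IBM's code, that performs the swap and then verifies it on a constructed sample of the file. The sample reproduces only the lines quoted above; the real file contains other properties, which the script leaves untouched.

```python
"""Switch download.properties to the Office Integration (oi_setup.bat) pair
and verify that exactly one active definition of each key remains.

Added example for the network-install procedure above; not IBM code.
"""
import sys

# Constructed sample containing only the lines the manual quotes.
SAMPLE_DOWNLOAD_PROPERTIES = """win32.downloads.files=setup.exe,deploy/plugin_customization.ini
win32.downloads.execute=setup.exe

### *** NOTE: The ST Office Integration features require special handling during installation
### *** Some MS specific files must be installed prior to running the Sametime installer
#win32.downloads.files=oi_setup.bat,setup.exe,deploy/plugin_customization.ini
#win32.downloads.execute=oi_setup.bat
"""

OI_KEYS = ("win32.downloads.files", "win32.downloads.execute")
OI_SCRIPT = "oi_setup.bat"


def enable_office_integration(text):
    """Comment out the plain setup.exe definitions of the two win32.downloads
    keys and uncomment the definitions that reference oi_setup.bat.
    Every other line is returned unchanged, so the call is idempotent.
    """
    out = []
    for line in text.splitlines():
        stripped = line.strip()
        commented = stripped[:1] in ("#", "!")        # java.util.Properties comment markers
        body = stripped[1:].strip() if commented else stripped
        key, sep, value = body.partition("=")
        if sep and key.strip() in OI_KEYS:
            if commented and OI_SCRIPT in value:
                out.append(body)                       # activate the OI definition
                continue
            if not commented and OI_SCRIPT not in value:
                out.append("#" + stripped)             # retire the plain setup.exe definition
                continue
        out.append(line)
    return "\n".join(out) + "\n"


def active_properties(text):
    """Parse the '=' separated, '#'/'!' commented subset of the Java
    properties format. Returns (values, definition_counts); like
    java.util.Properties, the last definition of a key wins.
    """
    values, counts = {}, {}
    for line in text.splitlines():
        stripped = line.strip()
        if not stripped or stripped[0] in "#!":
            continue
        key, sep, value = stripped.partition("=")
        if not sep:
            continue
        key = key.strip()
        values[key] = value.strip()
        counts[key] = counts.get(key, 0) + 1
    return values, counts


def office_integration_enabled(text):
    """True only if oi_setup.bat is both downloaded and executed and neither
    key is defined more than once, so the result does not depend on line order.
    """
    values, counts = active_properties(text)
    files = values.get("win32.downloads.files", "").split(",")
    return (values.get("win32.downloads.execute") == OI_SCRIPT
            and OI_SCRIPT in files
            and all(counts.get(k) == 1 for k in OI_KEYS))


if __name__ == "__main__":
    # Usage: python enable_oi.py download.properties   (edits the file in place)
    # With no argument the constructed sample is used and nothing is written.
    if len(sys.argv) == 2:
        with open(sys.argv[1], encoding="utf-8") as fh:
            text = fh.read()
    else:
        text = SAMPLE_DOWNLOAD_PROPERTIES
    edited = enable_office_integration(text)
    if not office_integration_enabled(edited):
        sys.exit("download.properties still does not select oi_setup.bat unambiguously")
    if len(sys.argv) == 2:
        with open(sys.argv[1], "w", encoding="utf-8") as fh:
            fh.write(edited)
    print(edited, end="")
```

The verification step is the useful part: run office_integration_enabled against the file after any hand edit, because a file with both pairs active passes a quick visual check but picks the installer by line order.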

Adding optional features to the client after install


The IBM Lotus Sametime client can be easily updated at any time after the initial installation.

Before you begin


There are several reasons to install an update, including:


v To install optional features. Sametime ships with several optional features; these are provided with the release but are not automatically installed.
v To install a new feature that you have purchased from a third party or developed yourself using the Sametime SDK.
v To install an update that Lotus has provided to fix an existing client feature.

A basic Eclipse update site is provided in the optional-components directory of the standalone client install CD and downloaded image. It includes all of the optional features distributed with Sametime, including Microsoft integration features and spell checker dictionaries for various languages. You can make updates to this site yourself to remove features you do not plan to distribute, to add your own features, or to add fixes.

Three options are available for delivering updates to Sametime Connect client users:
v Automatic Updates: Administrators can provision new or updated Sametime features to their clients in a "push" mode so that all clients use the same set of features. The push method enables the client to receive updates automatically whenever the user logs in to Sametime.
v Optional Updates: Administrators can also provide new Sametime features to their clients as an option. With the optional method, the user is notified that optional updates are available when logging in to Sametime. The user selects which updates to install, if any. Note: The optional update feature is the recommended approach for any updates that are not required. If the optional site is configured before the initial client install, it provides a seamless initial install experience: a user installs the client and is presented with a prompt to select optional features at first login. It requires less communication and manual interaction than the manual update method.
v Manual Updates: Administrators either distribute update sites (zips/jars) to users or post them to a web server, and provide the users with instructions for manually installing the updates using the tools in the Connect client.

About this task


Setting up automatic updates
To set up your server so that required client updates are installed automatically, specify the "Sametime update site URL" on each of your Sametime servers. From the Sametime Administration Tool, select Policies. Update each of the appropriate policies:
1. Locate the "Sametime update site URL" setting in the Instant Messaging section of the policy.
2. Specify the URL for the update site where you will post required updates. Updates of features from this site are required and are installed automatically; the client is not given a choice. For Lotus Sametime 8.0 Connect clients, you can specify more than one URL by separating them with semicolons or commas.
When the user logs in from the client, the client checks the "Sametime update site URL" setting for the appropriate policy on the default Sametime server.


Note: If the URL has not been specified or the setting is not found, the client searches the preferences.ini file in the update plug-in's root directory (com.ibm.collaboration.realtime.update\preferences.ini) for the adminUpdatePolicyURL value. (The policy setting was not available prior to Sametime 7.5.1.)
When the client logs in and connects to the specified update site, it silently downloads all updated features it finds and installs them. Once installation is complete, the user receives a text box announcing that new updates have been installed and that the Sametime client should be restarted. The user can click the restart button or press a five-minute delay button. If the user is involved in chats with other users, he or she can continue to delay the restart for as long as necessary by pressing the delay button at five-minute intervals. After the restart, the client checks again for more updates, and if it finds none, the user is not interrupted again. This update process takes place each time the user restarts the client and logs in.

Setting up optional updates
To set up your server so that your users are presented with a selection of optional updates, specify the "Sametime optional add-on site URLs" on each of your Sametime servers. From the Sametime Administration Tool, select Policies. Update each of the appropriate policies:
1. Locate the "Sametime optional add-on site URLs" setting in the Instant Messaging section of the policy.
2. Specify one or more URLs for update sites where you will post optional updates.
When the user logs in from the client, the client checks the "Sametime optional add-on site URLs" policy on the default Sametime server.
Note: If the URL has not been specified or the setting is not found, the client searches the preferences.ini file in the update plug-in's root directory (com.ibm.collaboration.realtime.update\preferences.ini) for the optionalUpdatePolicyURL value. (The policy setting was not available prior to Sametime 8.0.)
When the client logs in, it scans all of the optional update sites listed to find any available updates that match the client configuration. If any updates are found, the client displays a message alerting the user that updates are available, with an option to open the Update Manager (which is pre-populated with the list of sites defined in the policy). The alert also allows the user to disable further checking on startup. (This preference can also be set in the Contact List preferences.) From the Update Manager, the user can select which updates (if any) to install, then follow the instructions in the update panels to accept the license(s) and complete the install. If any updates are installed, the client prompts the user to restart.

Manually installing updates
In Sametime Connect, the user can manually install updates by choosing Tools > Plug-ins > Install plug-ins. The user can then:
1. Select Search for new features to install, and then click Next.

2. Add an update site:
v If remote, select Add Remote Location..., specify a name for the update site, and provide the URL for the site.
v If a local directory, select Add Folder Location... and select the directory where the update site exists.
v If a local archive, select Add Zip / Jar Location... and select the update site archive. For example, if you have access to the Standalone client install CD or downloaded image, you can click New Archive Site..., navigate to the optional-components directory, and select optional-components-updatesite.zip.
3. Click OK to add the new update site, and then click Finish. After a short time, the Update window appears.
4. Expand the update site and select the updates you wish to install from the available list. Then click Next.
5. You must agree to the license terms to continue.
6. In the next window, click Finish to install. Verify by clicking Install.
7. Restart the client.


Installing client updates from a secured site


Within IBM Lotus Sametime, update sites may be secured using HTTPS. HTTPS uses Secure Sockets Layer (SSL) to transfer encrypted HTTP data. If a client update site is posted on a web server that has been secured, the following steps must be performed on each client before it can download and install updates.

About this task


If the site requires authentication, create an account:
1. Log in to the Sametime client and choose File - Preferences.
2. Select the Accounts preference page from the list on the left of the preferences dialog.
3. Click New Account.
4. Give the new account a unique name to identify it from other accounts. The description field is optional.
5. Choose HTTP / HTTPS from the Type drop-down.
6. Enter the server name. Note: This is the basic URL to the server, not the full update site URL. For example, https://stserver.com
7. Enter credentials in the Log in information section if the secured site requires authentication.
8. Change the authentication type in the advanced properties section if the site is secured with something other than HTTP Basic.
9. Click OK twice to save the account and leave the preferences page.

Public Certificates


If the secured site uses a certificate from a publicly trusted certificate authority, no other action is required. Users can enter the secured site into the Install Updates user interface as normal, for example https://stserver.com/sametime/updateSite/site.xml, and install without any additional actions.

Self-signed Certificates
If the secured site uses a self-signed certificate, the following actions must be taken to install the certificate into the JVM the Sametime client uses:
1. Locate the JVM plug-in for the client and open a command prompt to it: <ST_Client>/rcp/eclipse/plugins/com.ibm.rcp.jcl.desktop.win32.x86_/jre
For example, C:\Program Files\rcp\eclipse\plugins\com.ibm.rcp.jcl.desktop.win32.x86_6.1.1.200710091116\jre
2. Set the JAVA_HOME environment variable to that directory. For example:
set JAVA_HOME="C:\Program Files\rcp\eclipse\plugins\com.ibm.rcp.jcl.desktop.win32.x86_6.1.1.200710091116\jre"
3. Import the certificate into the Sametime JVM keystore using the JVM's keytool. Note: The certificate must be supplied to clients by the administrator. For example:
keytool -import -trustcacerts -alias <alias> -keystore %JAVA_HOME%\..\lib\security\cacerts -file <certificate file>
Note: When prompted for a password, enter the password of the JVM's keystore. If you have not changed this yourself, the default password is: changeit
A certificate imported into cacerts is trusted for every TLS connection that JVM makes, not only for the update site, so distribute the update server's own certificate rather than a broader CA certificate.
Once the client is started, the secured update site can be used. (If the client is already running, restart it so that the JVM reloads the keystore.)
Note:
v Configuring your web server for HTTPS and creating or obtaining a certificate is out of the scope of this topic. See the documentation for your web server.
v The Expeditor VM Sametime uses is configured by default to support SSL using the VM's cacerts keystore file. To reconfigure the default configuration, see Configuring SSL for the platform in the Expeditor InfoCenter.
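Because a client that finds a feature on the "Sametime update site URL" installs it silently, that URL is a software-supply-chain control: whoever can answer for the site can push code into every client. The following Python script is an added example, not part of Sametime or of IBM's code, that checks a policy value the way the automatic-update section describes it (one or more URLs separated by semicolons or commas) and, for HTTPS sites, verifies the server's certificate against a CA file the way the client JVM will after the keytool import above. The hostnames and the allow-list are assumptions for the example; stserver.com is the manual's own placeholder.

```python
"""Sanity-check Sametime client update-site URLs and the TLS certificate
behind them. Added example; not part of IBM Lotus Sametime.
"""
import hashlib
import re
import socket
import ssl
from urllib.parse import urlsplit


def split_policy_urls(value):
    """The 8.0 Connect client accepts several URLs separated by ';' or ','."""
    return [u.strip() for u in re.split(r"[;,]", value or "") if u.strip()]


def check_update_site_urls(value, allowed_hosts=None):
    """Return [(url, problem), ...] for every URL in a policy value that a
    silently-installing client should not be pointed at. An empty list
    means the value passed. `allowed_hosts`, if given, is the set of
    servers approved to host update sites (an assumed local control).
    """
    problems = []
    seen = set()
    for url in split_policy_urls(value):
        parts = urlsplit(url)
        if parts.scheme != "https":
            problems.append((url, "not https: features would be fetched and installed "
                                  "over an unauthenticated channel"))
        if not parts.hostname:
            problems.append((url, "no host name"))
        elif allowed_hosts is not None and parts.hostname not in allowed_hosts:
            problems.append((url, "host is not an approved update-site server"))
        if parts.username or parts.password:
            problems.append((url, "credentials embedded in the URL; use a client account instead"))
        if url in seen:
            problems.append((url, "listed more than once"))
        seen.add(url)
    return problems


def server_cert_sha256(host, port=443, cafile=None, timeout=10):
    """Open a verified TLS connection and return the SHA-256 fingerprint of
    the certificate the server presented. With `cafile` set to the PEM
    certificate the administrator distributes, this succeeds exactly when
    a client JVM that imported that certificate would trust the site;
    an ssl.SSLCertVerificationError means the import will not help.
    """
    ctx = ssl.create_default_context(cafile=cafile)
    with socket.create_connection((host, port), timeout=timeout) as sock:
        with ctx.wrap_socket(sock, server_hostname=host) as tls:
            der = tls.getpeercert(binary_form=True)
    return hashlib.sha256(der).hexdigest()


if __name__ == "__main__":
    # Constructed policy value: the manual's placeholder host plus an assumed mirror.
    policy = ("https://stserver.com/sametime/updateSite/site.xml; "
              "http://mirror.example.com/updateSite/site.xml")
    for url, problem in check_update_site_urls(policy, allowed_hosts={"stserver.com"}):
        print(f"{url}: {problem}")
    # Network check, for example against the self-signed certificate handed to clients:
    #   print(server_cert_sha256("stserver.com", cafile="stserver.pem"))
```

Run the URL check against the value of every policy that sets "Sametime update site URL" or "Sametime optional add-on site URLs", and run the fingerprint check from a workstation before distributing a self-signed certificate: if the fingerprint differs from the certificate you are about to hand out, the clients will not trust the site after the import.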


Chapter 11. Uninstalling a Sametime server


When you uninstall IBM Lotus Sametime from an IBM Lotus Domino server using the Sametime uninstall program, all Lotus Sametime files that were added to the Domino installation are removed, except files that were created while running Lotus Sametime. Updates that were made to the address books (including person documents, server documents, and changes to the Access Control List) are not removed.

Before you begin


Before you uninstall the Lotus Sametime server, it is always good practice to back up any important files.

About this task


To completely remove Lotus Sametime, you must also uninstall Domino and delete both the Lotus directory and the Notes data directories. Note: Removing Domino is not necessary if you plan to reinstall Lotus Sametime on the Domino server.

Uninstalling Sametime server on Windows


When you uninstall IBM Lotus Sametime from an IBM Lotus Domino server on a Windows platform using the Sametime uninstall program, all Lotus Sametime files that were added to the Domino installation are removed, except files that were created while running Lotus Sametime. Updates that were made to the address books (including person documents, server documents, and changes to the Access Control List) are not removed.

Before you begin


Before you uninstall the Lotus Sametime server, it is always good practice to back up any important files.

About this task


To completely remove Lotus Sametime, you must also uninstall Domino and delete both the Lotus directory and the Notes data directories.
1. Stop the Domino (Sametime) server.
2. From the Microsoft Windows Start menu, select Settings > Control Panel > Add/Remove Programs.
3. Select IBM Lotus Sametime 8.x from the list and click Add/Remove. Click Yes when prompted to remove the Sametime server.
4. When the Windows uninstall program completes, click OK to exit the uninstall program.

Copyright IBM Corp. 2007, 2009


Uninstalling Sametime server on AIX, Linux, or Solaris


When you uninstall IBM Lotus Sametime from an IBM Lotus Domino server on an AIX, Linux, or Solaris platform using the Sametime uninstall program, all Lotus Sametime files that were added to the Domino installation are removed, except files that were created while running Lotus Sametime. Updates that were made to the address books (including person documents, server documents, and changes to the Access Control List) are not removed.
1. Stop the Domino (Sametime) server.
2. Switch to the root user.
3. Change to the following directory: <datadir>/_uninstst
4. Start the uninstall using the following command: ./uninstaller.bin

Removing Sametime from an i5/OS Domino Server


You can remove IBM Lotus Sametime from a Lotus Domino server without deleting the Lotus Sametime software from your system.

About this task


When you remove Sametime from a Domino server, all files related to Sametime that were added to the Domino server data directory or were created while running Sametime components are removed. Updates that were made to the Domino Directory, including person documents, server documents, and changes to the ACL, are not removed. To remove Sametime from a Domino server, follow these steps:
1. End the Domino server from which you plan to remove Sametime.
2. On any i5/OS command line, type the following command and press F4:
RMVLSTDOM

3. Enter the name of the Domino server from which you want to remove Sametime and press Enter.
4. When prompted, type "g" to complete the Remove Sametime from a Domino server command. A message appears indicating that Sametime has been removed.
5. Using the Domino Administrator application, modify the Domino server document by changing the Is this a Sametime server? field to No.
6. Delete any Sametime Connection documents between this Sametime server and other Sametime servers.
7. Optional: If the Sametime server was using an LDAP directory, an LDAP document for that server exists in the Directory Assistance database. You may want to remove this and any other unnecessary documents from the Directory Assistance database.

Results
The server is once again a Domino server. If you want to delete the Sametime software from the system, remove Sametime from your servers and then run the DLTLICPGM (Delete Licensed Program) command:


v For Sametime Standard, delete 5724J23 option 1 and then delete 5724J23 *BASE.
v For Sametime Instant Messaging Limited Use or Sametime Entry, delete 5724J23 *BASE.


Chapter 12. Sametime Server Administration


Sametime Server Administration describes how to configure the Sametime server for your network, how to cluster servers for failover, and how to maintain and monitor the server. It includes information on security, network connectivity, policies for users, and the tools that you can use to administer the server.


Chapter 13. What is Lotus Sametime Entry?


IBM Lotus Sametime Entry is the entry-level offering of Lotus Sametime that helps organizations get started with instant messaging. With Lotus Sametime Entry, organizations can provide presence and instant messaging support in the Lotus Sametime Connect desktop client or in a Sametime-enabled Microsoft Outlook client. The full offering of Lotus Sametime, IBM Lotus Sametime Standard, provides Web conferencing, as well as more features in the Lotus Sametime Connect client, such as integrated VoIP, point-to-point video, mobile clients, a gateway for federation with external chat communities and supported public IM networks, and additional features such as geographic location, screen capture, and the ability to transfer files.

The IBM Lotus Sametime Connect and Microsoft Outlook clients interact with the Community Services on the Sametime server to access presence (who is logged in) and instant messaging functionality. Community Services supports all the presence and instant messaging capabilities of Sametime.

Lotus Sametime Entry installs on a Domino server and uses the HTTP Services, Domino Web Application Services, and Domino directory provided with the Domino server. Lotus Sametime Entry can be configured to operate as a client to a Lightweight Directory Access Protocol (LDAP) server containing an LDAP directory. You can use an LDAP directory as your community user repository if LDAP directories are used in your environment.

Managing the directory, ensuring that Sametime clients can connect to the Sametime server, configuring the Sametime services, and monitoring the server are some of the primary administrative tasks associated with the Sametime server. Lotus Sametime Entry also provides an administrative tools interface that assists the administrator in managing the server.

Lotus Sametime Entry also supports the concept of Community Services clustering. A Community Services cluster consists of multiple Sametime servers that are configured to operate together to support server failover and user load balancing for large user populations.

Presence
Lotus Sametime presence technology enables members who have logged in to the Lotus Sametime server to see all other members who are online (logged in). The names of online users display in contacts lists in the Sametime Connect client. From these lists, members of the community can converse through instant messaging sessions.

Microsoft Office Integration with Lotus Sametime


Lotus Sametime Entry integrates with Microsoft Office through the Sametime client. Lotus Sametime Entry can be used with Microsoft Office applications on the Windows platform only. The following features are available in this release of Lotus Sametime Entry:
v Sametime task menu in Microsoft Office Smart Tags - A chat can be initiated instantly from within a Word, Excel, or PowerPoint document with any Sametime user name that appears in the document, provided that the name corresponds to a Sametime user. The Sametime client must be running concurrently.
v Sametime Toolbar in Microsoft Outlook - Users can chat with coworkers through Lotus Sametime from Microsoft Outlook. The user must start Lotus Sametime first, then Microsoft Outlook. The name of the sender of a highlighted message in Microsoft Outlook appears on the Contacts button of the Sametime Toolbar. The icon on the button shows the availability of that person. Choosing the "Chat" button or selecting the "Chat" command from the drop-down initiates a Sametime chat.

Upgrading
You can expand your real-time collaboration capabilities by purchasing the full version of the Lotus Sametime server, IBM Lotus Sametime Standard, which adds Web conferencing capabilities and a richer Lotus Sametime Connect client to your environment. The Lotus Sametime Standard server includes all of the capabilities of Lotus Sametime Entry and offers these additional features:
v Online meetings - The Lotus Sametime Standard server enables users to collaborate in real-time meetings using features such as screen sharing, a shared whiteboard, IP audio/video, instant messaging, and presence. Online meetings can either be scheduled in advance from a Meeting Center application on the Sametime server or started on the spur of the moment from a presence list in a Sametime client.
v Richer Sametime Connect client - The Lotus Sametime Connect client for Lotus Sametime Standard supports instant messaging and presence and includes a richer feature set than the Lotus Sametime Connect client provided with Lotus Sametime Entry. A user can download Lotus Sametime Connect from the home page of the Sametime server. Additional plug-ins are available for Lotus Sametime Connect, and audio-video and telephony features are also available.
v Mobile Clients - Lotus Sametime Standard includes access to mobile clients that can be deployed on a wide variety of devices and mobile operating systems.
v Lotus Sametime Gateway - Lotus Sametime Standard includes at no additional charge a gateway that can be used to federate with other instant messaging communities and supported public IM networks.

Sametime Administration Tool


The Sametime Administration Tool is an HTML and XML based application that runs in a Web browser. You open the Sametime Administration Tool by typing http://<hostname>/ into your browser's URL field and then clicking the Administer the Server link. The Sametime Administration Tool is the primary administration tool for the Sametime server. For more information about the Sametime Administration Tool, see Starting the Sametime Administration Tool on page 157. During the Sametime installation, one user is specified as the administrator of the Sametime server. This administrator has access to the Sametime Administration Tool and all of its administrative features. The administrator specified during the installation can provide other administrators with access to the Sametime Administration Tool as needed.


The Sametime Administration Tool should be used to perform all administrative procedures on the Sametime server, with the following exceptions:
v Replication and creation of new Lotus Notes databases - If a Sametime procedure requires you to replicate a database or create a new database, you must use a Lotus Notes or Domino Administrator client. The Sametime Administration Tool does not provide the functionality required to create one-time replicas (replica stubs) or other new databases, or to set up replication schedules.
v Managing LDAP users - If you have configured Sametime to operate as a client to an LDAP server, you cannot use the Sametime Administration Tool to add or delete users in the LDAP directory on the LDAP server. Use the software provided with the LDAP server for management of the LDAP directory. Note: Although you cannot use the Sametime Administration Tool to manage users in an LDAP directory on a third-party server, you must use the Sametime Administration Tool to configure the Sametime server to use that directory; see Configuring the LDAP directory settings on page 222.
v Setting up Secure Sockets Layer (SSL) on the Sametime server - If you want to configure the Sametime server so that all Web browser clients use the SSL protocol when connecting to the Sametime server, you must use a Lotus Notes client or the Domino Administrator client; see Setting up SSL to encrypt connections with Sametime.
v Creating Community Services clusters - A Community Services cluster consists of multiple Sametime servers configured to operate together, providing failover and load balancing for the Sametime instant messaging and presence functionality. For more information, see Creating a cluster document in the Configuration database (stconfig.nsf) on page 478.
v Starting or stopping Sametime services - To stop services on Windows, use Control Panel - Administrative Tools - Services.
Note: There is no provision for stopping services on UNIX platforms.

Sametime services
End users can engage in chat and presence activities through the interactions of the IBM Lotus Sametime Connect client or Sametime-enabled Microsoft Outlook client with the services on the Lotus Sametime server. This section briefly describes the Domino Services and Sametime Community Services that support chat and presence.

Domino Services
Sametime uses the infrastructure and services of the Domino server on which it is installed. The following are the primary Domino services used by a Sametime server:
v Web server
v Directory
v Security
v Replication
v Database storage
Note: For information about the version of Domino on which Sametime must be installed, see "Sametime Server Installation."

The Domino server on which Sametime is installed should not be used as a Domino mail or application server. If Sametime is installed on its own Domino server, the real-time, interactive communication services of Sametime will not compete for resources with other high-demand Domino services. In this documentation, the term "Sametime server" refers to the server that includes both Domino and Sametime.

Community Services
The Lotus Sametime Community Services support all presence (or awareness) and text chat activity in a Lotus Sametime community. Any Lotus Sametime client that contains a presence list must connect to the Community Services. Basic functionality supported by the Community Services includes:
v Handling client login requests.
v Handling connections from clients that access the Sametime server through a direct TCP/IP connection, or through HTTP, HTTPS, or SOCKS proxy servers.
v Providing directory access for user name search and display purposes.
v Providing directory access to compile lists of all Sametime servers and users in the community.
v Dissemination of presence and chat data to all users connected to Community Services.
v Maintenance and storage of privacy information, user preference settings, and presence lists for online users.
v Handling connections from the Community Services on other Sametime servers when multiple Sametime servers are deployed (see Chapter 25, Deploying multiple Sametime servers, on page 437). Server-to-server connections for the Community Services occur on default TCP/IP port 1516.
v Logging of Community Services events to the Sametime log database (stlog.nsf); see General log settings on page 366.

Basic networking concepts


Sametime relies upon networks to function. If you need more information about basic network topics such as the following, see About Basic Networking Concepts at http://compnetworking.about.com/od/basicnetworkingconcepts/.
Using Ping, Telnet, Netstat, and IPConfig to verify that tunneling is set up correctly on the network and in DNS.
Using ipconfig (at the DOS command prompt) for:
v gathering pertinent information for troubleshooting general TCP/IP network problems
v troubleshooting IP issues on DHCP clients.
Using Netstat to determine:
v if an application other than a Domino server task is bound to a specific port
v if there is a network connectivity problem at the network interface or with the physical media of the network
v if the local network segment might be overloaded.
Using Traceroute to determine the physical layout of a network or internetwork.
Using the Ping utility to:
v test connectivity to a host
v gather information for troubleshooting connectivity problems.
Using the Telnet utility to connect to a Domino server and check the status of an application on a well-known port.
Using the NotesConnect utility to determine:
v services running on a machine
v network configuration problems
v if the target host name can be resolved to its IP address.

Configuring the mixed environment


A mixed environment of Lotus Sametime Standard, Lotus Sametime Limited Use, or Lotus Sametime Entry users must be configured for two types of users.

Before you begin


A mixed environment of Lotus Sametime users creates two types of users: fully-licensed users (users who have access to all the features of Lotus Sametime Standard), and instant messaging-only users (Lotus Sametime Entry, Lotus Sametime Limited Use, or other offerings of Lotus Sametime that do not include Web conferencing).

About this task


An instant messaging-only user should have the Lotus Sametime Entry or Lotus Sametime Limited Use server listed as his or her home Sametime server. A fully licensed user should have the Sametime Standard server listed as his or her home Sametime server. To configure the server support of the mixed environment, follow these steps:
1. Create a group for your fully-licensed Lotus Sametime Standard users (Web conferencing users).
2. Change the access control list (ACL) of stsrc.nsf to give anonymous users 'no access,' and then add the Web conferencing users group to the ACL with 'Author' access.
3. Change the ACL of stcenter.nsf to give anonymous users 'no access,' and then add the Web conferencing users group to the access control list with 'Author' access.
4. Change the ACL of stconf.nsf to give anonymous users 'no access,' and then add the Web conferencing users group to the ACL with 'Author' access.
5. For mixed environments that include Lotus Sametime Limited Use, set the Embedded_client_full_access policy to numeral 1 for the Web conferencing users group in stpolicy.nsf.
Note: This configuration will prevent the instant messaging-only user from being invited to meetings and from joining meetings, but it also will force all users to authenticate when they create or join a meeting; therefore, Web conferencing users will authenticate twice. It is the policy that will determine if a user can invite others. Users will authenticate with their Sametime Connect client and with the Domino server when they join a meeting and launch their web browser. If the instant messaging-only user tries to attend a meeting, the user receives a message saying he or she is not authorized to join the meeting. If a Web conferencing user tries to invite an instant messaging-only user to an instant meeting, both the Web conferencing user and the instant messaging-only user receive an invitation, but the instant messaging-only user cannot join, receiving a message that he or she is not authorized. The Web conferencing user who initiated the meeting receives no indication that the instant messaging-only user is unable to attend. Using the Sametime policy service, the groups can be added to a policy that determines whether a user can create instant meetings. If the user does not have this enabled in their policy, they cannot initiate an instant meeting.

The mixed environment on i5/OS


The i5/OS operating system supports multiple Sametime servers running on the same System i server. Also, it is possible to configure a mixture of IBM Lotus Sametime Standard, Lotus Sametime Entry, and Lotus Sametime Limited Use servers all on the same system. This capability requires a unique method of product packaging and installing Sametime on i5/OS. For i5/OS platforms, the Lotus Sametime Standard offering (5724J23) is packaged and delivered to you in two different pieces: a BASE product option and Option 1.
- Customers of Lotus Sametime Limited Use and Lotus Sametime Entry receive and install only the BASE option of 5724J23. When only the BASE option is installed, all the settings that apply to Lotus Sametime Limited Use or Lotus Sametime Entry are properly pre-set to run Sametime Limited Use or Sametime Entry instant messaging.
- Customers who are entitled to Lotus Sametime Standard receive and install both the BASE and Option 1 of 5724J23. The Option 1 installation changes the Lotus Sametime Limited Use or Lotus Sametime Entry settings to the defaults for the Lotus Sametime Standard installation.
- Customers who want to create a mixture of i5/OS Sametime servers on the same system must install both the BASE and Option 1 packages. Whenever a new server is configured, that server defaults to the settings appropriate for a Lotus Sametime Standard server. The CHGLSTDOM command provides the capability for you to change the server settings for a particular Sametime server to those that are appropriate for a Lotus Sametime Limited Use or Lotus Sametime Entry server. See Enabling or disabling Web Conferencing for an i5/OS Sametime server.
- When you install a new release of Lotus Sametime Standard (both BASE option and Option 1), any Limited Use or Entry servers on the system are changed to Lotus Sametime Standard. Use the CHGLSTDOM command to change selected servers back to Limited Use or Entry.
Note: Option 1 cannot be installed unless the BASE option is installed first.

Enabling or disabling Web Conferencing for an i5/OS Sametime server


About this task
Use the Change Sametime on Domino (CHGLSTDOM) command to enable or disable Web Conferencing on an i5/OS Sametime server. The CHGLSTDOM command can also be used to change an existing server from IBM Lotus Sametime Standard to Lotus Sametime Instant Messaging Limited Use, or Lotus Sametime Entry, and vice-versa.
Note: In order to specify the Web Conferencing parameter to change the characteristics of a Sametime server, the Sametime Standard offering (product options *BASE and 1) must be installed on your system. See "The mixed environment on i5/OS" for more information.
To use the CHGLSTDOM command, follow these steps:
1. End the i5/OS Sametime server.
2. On any i5/OS command line, type the following and press F4:
CHGLSTDOM

3. On the Change Sametime on Domino display, select one of the following options for the Web Conferencing parameter:
- *NO to disallow Web Conferencing on a Sametime Standard server. All of the clients that are supported for Sametime Standard servers can still access the server, except for the Meeting Room client.
- *YES to change a Sametime Instant Messaging Limited Use or Sametime Entry server to a Sametime Standard server, or to allow Web Conferencing on a Sametime server for which you had previously disallowed Web Conferencing.
- *IMLU to change a Sametime server to a Sametime Instant Messaging Limited Use server. In addition to disallowing Web Conferencing, a Sametime Instant Messaging Limited Use server restricts access to Lotus Domino and Notes clients.
- *ENTRY to change a Sametime server to a Sametime Entry server. In addition to disallowing Web Conferencing, a Sametime Entry server restricts access to specific types of clients.
4. Press Enter to run the command.
5. Start the i5/OS Sametime server.


Integrating the Limited Use and Entry offerings with Sametime Standard
In some organizations, IBM Lotus Sametime deployment includes a mixed environment of different offerings of the Lotus Sametime server, for example:

About this task


- Lotus Sametime Limited Use servers and Lotus Sametime Standard servers.
- Lotus Sametime Entry servers and Lotus Sametime Standard servers.
- Lotus Sametime Entry servers, Lotus Sametime Limited Use servers, and Lotus Sametime Standard servers.
- Lotus Sametime Standard servers and other offerings of Lotus Sametime servers where Web conferencing is not supported.
Lotus Sametime Limited Use and Lotus Sametime Entry include instant messaging and presence, but not Web conferencing. To ensure that users of the Lotus Sametime Limited Use and Lotus Sametime Entry offerings of Lotus Sametime do not use features of the Lotus Sametime Standard servers for which they are not licensed, you must assign users to an appropriate home Sametime server and prevent instant messaging-only users from creating and attending meetings.

Licensed features for Sametime Entry (compared)


The following table compares the features of Lotus Sametime Entry and Lotus Sametime Standard.
Capability | Available with Sametime Entry | Available with Sametime Standard
--- | --- | ---
Presence | yes | yes
Instant Messaging chat | yes | yes
N-way (group) chat | yes | yes
Sort contact list | yes | yes
Show short names | yes | yes
Show those online only | yes | yes
Time stamps on chats | yes | yes
Chat history | yes | yes
Rich text | yes | yes
Emoticons | yes | yes
Emoticon palettes | yes | yes
Business card display | yes | yes
Contact type ahead | yes | yes
Spell check in chat | yes | yes
Standalone Sametime Connect client | yes | yes
Microsoft Office integration | yes | yes
Web conferences and instant meetings | no | yes
Sametime toolkits including embedded IM through STlinks | no | yes
Sametime gateway (to public IM) | no | yes
Sametime mobile access | no | yes
Selective 'who can see me' | no | yes
Alerts setting | no | yes
File transfer | no | yes
Telephony (with 3rd party) | no | yes
Voice chat | no | yes
Video chat (native point-to-point) | no | yes
Multiple communities | no | yes
Geographic locating | no | yes
Screen capture tool | no | yes
Selective do-not-disturb status | no | yes
Sametime plug-ins | no | yes

Assign users to an appropriate home Sametime server


About this task
Assigning users to an appropriate home Sametime server is one of two configurations you must perform when the Instant Messaging Limited Use or the Entry version of the Sametime server is deployed in the same community as the Sametime Standard server. Use the following guidelines to assign users to appropriate home Sametime servers:
- Each user who is licensed only for the Instant Messaging Limited Use version of Sametime must have an Instant Messaging Limited Use server assigned as the home Sametime server.
- Each user who is licensed only for the Entry version of Sametime must have a Sametime Entry server assigned as the home Sametime server.
- Each user who is licensed for the Sametime Standard server must have a Sametime Standard server assigned as the home Sametime server.
A Sametime instant messaging client user is authenticated by the home Sametime server. The default configuration of the IBM Lotus Instant Messaging Limited Use version of Sametime ensures that only the clients supported by that server can be authenticated by that server. The default configuration of Sametime Entry ensures that only the clients supported by that server can be authenticated by that server. Assigning users to an appropriate home Sametime server ensures that users can only use the instant messaging clients for which they are licensed. To assign a user to a home Sametime server, you edit the user's Person record in the Domino or LDAP directory. For more information about the home Sametime server, see Community Services connectivity and the home Sametime server on page 283.
Next: Preventing instant messaging-only users from creating or attending meetings


Preventing instant messaging-only users from creating or attending meetings


About this task
Preventing instant messaging-only users from creating or attending meetings is the last of two configurations you must perform in an environment that includes the Sametime Standard server and versions of the Sametime server that do not support web conferencing, such as the Instant Messaging Limited Use and Sametime Entry. This configuration prevents users who are licensed only for the Instant Messaging Limited Use or Entry versions of Sametime from creating or attending meetings on the Sametime Standard servers. To prevent these users from creating or attending meetings on a Sametime Standard server, you must perform these procedures:
1. Disable Anonymous access and Default access in the ACLs of the Sametime Meeting Center database (stconf.nsf).
2. Create directory Groups for the standard Sametime server users.
3. Add the Groups of standard Sametime server users to the database ACLs.

Results
Each of these procedures is described in this section.

Disable Anonymous access and Default access in the ACL of the Sametime Meeting Center database
About this task
Disabling Anonymous access and Default access in the ACL of the Sametime Meeting Center database is the first of three procedures required to prevent instant messaging-only users from creating or attending meetings on standard Sametime servers. Users must have access to the Sametime Meeting Center database to create scheduled meetings. This is the first of three procedures needed to ensure that only standard Sametime server users can access this database. Use the following procedure to disable Anonymous access and Default access in the stconf.nsf database.
1. From the Sametime server home page, click the "Administer the Server" link to open the Sametime Administration Tool.
2. If you are using a Domino Directory with the Sametime server, select Domino Directory - Domino. If you are using an LDAP directory with the Sametime server, select LDAP Directory.
3. Select Set Access Control.
4. From the Databases list, select Sametime Online Meeting Center (stconf.nsf).
5. Click the Access button.
6. Select the Anonymous entry.
7. In the Access Box, select the "No access" level for the Anonymous entry.
8. Select the Default entry.
9. In the Access Box, select the "No access" level for the Default entry.
10. Click Submit.

Results
Note: You must perform this procedure on each standard Sametime server in your environment. Next step: Create directory Groups for the standard Sametime server users


Creating Groups for the standard Sametime users


About this task
Creating directory Groups for the standard Sametime server users is the second of three procedures required to prevent instant messaging-only users from creating or attending meetings on standard Sametime servers. In this procedure, you must create groups in the Sametime community directory that include all users licensed to use your standard Sametime servers. Use the following guidelines when creating these groups:
- If you want all users licensed to use the standard Sametime servers to have the ability to both create and attend meetings, you can include all standard Sametime server users in a single group. If you have a large Sametime community, you can create multiple groups for this purpose. For example, you might create groups named "Meeting Creator Group 1" and "Meeting Creator Group 2."
- If you want some standard Sametime users to have the ability to both create and attend meetings while limiting other standard Sametime users to attender-only privileges, you must create a minimum of two groups. One group must contain the users who can both create and attend meetings and the other group must contain users who can attend meetings but not create them. For example, you might create two groups: one named "Meeting Creators" and one named "Meeting Attenders." If you have a large Sametime community, you can create multiple groups for each purpose. For example, you can create two separate groups that contain users who can create and attend meetings and two separate groups that contain users who can only attend meetings. These groups might be named as follows: Meeting Creator Group 1, Meeting Creator Group 2, Meeting Attender Group 1, Meeting Attender Group 2.
1. From the Sametime server home page, click the "Administer the Server" link to open the Sametime Administration Tool.
2. Choose Domino Directory - Domino.
3. Choose Manage Groups.
4. Click Add Group.
5. Enter a name for the group in the Group name field (for example, Meeting Creator Group 1).
6. Select a Group type.
7. List the members of the group in the Members field. Make sure to enter a name exactly as it is entered in the top line of the User name field of the user's Person document.
8. Select the Administration link at the top of the Group document.
9. Enter the names of the group owners in the Owners field. Generally, the group owner is the administrator creating the group.
10. Click Save and Close.


What to do next


For information about creating groups in an LDAP directory, see the documentation provided with your LDAP directory.

Adding groups to the Sametime Meeting Center database ACL


About this task
In this procedure, you add the group(s) of standard Sametime server users to the ACL of the Sametime Meeting Center database. When you add the group names to the database ACL, the access level that you provide to each group determines whether that group can both attend and create meetings or only attend meetings.
1. From the Sametime server home page, click the Administer the Server link to open the Sametime Administration Tool.
2. If you are using a Domino Directory with the Sametime server, select Domino Directory - Domino. If you are using an LDAP directory with the Sametime server, select LDAP Directory.
3. Select Access Control.
4. Select stconf.nsf from the list. Click the Access button. The database ACL displays.
5. Click Add.
6. In the dialog box, type the exact group name from a Group document. Click OK.
7. Click the name entered in the previous step so that the name is selected.
8. In the User Type box, select the type of user.
9. In the Access Box, assign an access level for the user.
- Meeting Creators: Assign the Author access level with the Write Public Documents privilege to the group names that you are allowing to create, modify, and attend meetings on the server.
- Meeting Attender-only: Assign the Reader access level to the group names that you want to have attendee-only access to the Sametime Meeting Center. These users can attend meetings but cannot create them.
- If you want a group with the Reader access level to attend unlisted meetings, you must also select the Write Public Documents privilege for the group.
10. Click Submit.
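As an added example (not IBM's code), the following Python script audits an stconf.nsf ACL, as it appears on the Access Control page, against the three procedures above: Anonymous and Default must be No access, meeting creators get Author with Write Public Documents, and attenders get Reader (plus Write Public Documents if they must reach unlisted meetings). It also shows what an instant messaging-only user who belongs to none of the groups ends up with. The ACL entries are constructed, and the rule that a user in several groups gets the union of their privileges is a labelled simplification of Domino ACL resolution.

```python
"""Audit a Sametime Meeting Center (stconf.nsf) ACL against this section.

Added example, not IBM code. The ACL is modelled as the entries shown on the
Sametime Administration Tool's Access Control page (name, user type, access
level, privileges); there is no live Domino connection and the entries below
are constructed.
"""

NO_ACCESS, READER, AUTHOR = "No access", "Reader", "Author"
WRITE_PUBLIC = "Write Public Documents"
# Domino levels above Author; the guide never assigns them to meeting users.
HIGHER_LEVELS = {"Editor", "Designer", "Manager"}
REQUIRED_NO_ACCESS = ("anonymous", "-default-")   # the Anonymous and Default entries


def meeting_privileges(entry):
    """Map one ACL entry to what this section says it permits in the Meeting Center:
    Reader -> attend listed meetings; Reader + Write Public Documents -> also unlisted;
    Author + Write Public Documents -> create, modify and attend meetings."""
    level = entry["level"]
    privs = set(entry.get("privileges", ()))
    granted = set()
    if level in (READER, AUTHOR) or level in HIGHER_LEVELS:
        granted.add("attend")
    if level == AUTHOR and WRITE_PUBLIC in privs:
        granted.add("create")
    if "attend" in granted and WRITE_PUBLIC in privs:
        granted.add("attend_unlisted")
    return granted


def audit_acl(acl):
    """Return a list of findings; an empty list means the ACL matches the guide."""
    findings = []
    by_name = {e["name"].lower(): e for e in acl}
    for required in REQUIRED_NO_ACCESS:
        entry = by_name.get(required)
        if entry is None:
            findings.append(f"{required}: entry missing; it must be set to No access")
        elif entry["level"] != NO_ACCESS:
            findings.append(f"{entry['name']}: {entry['level']} (must be No access so "
                            "instant messaging-only users cannot reach stconf.nsf)")
    for entry in acl:
        if entry["name"].lower() in REQUIRED_NO_ACCESS:
            continue
        level = entry["level"]
        privs = set(entry.get("privileges", ()))
        if level == AUTHOR and WRITE_PUBLIC not in privs:
            findings.append(f"{entry['name']}: Author without Write Public Documents; "
                            "the guide assigns both to meeting creators")
        elif level in HIGHER_LEVELS:
            findings.append(f"{entry['name']}: {level} is broader than the Author or "
                            "Reader levels the guide assigns")
    return findings


def user_privileges(acl, member_of):
    """Privileges for a user who belongs to the named groups.
    Simplification: the union of the matching group entries; a user who is in
    no listed group falls through to the -Default- entry."""
    by_name = {e["name"].lower(): e for e in acl}
    matched = [by_name[g.lower()] for g in member_of if g.lower() in by_name]
    if not matched:
        default = by_name.get("-default-")
        return meeting_privileges(default) if default else set()
    granted = set()
    for entry in matched:
        granted |= meeting_privileges(entry)
    return granted


# Constructed ACL that follows the three procedures in this section.
GOOD_ACL = [
    {"name": "Anonymous", "type": "Unspecified", "level": NO_ACCESS},
    {"name": "-Default-", "type": "Unspecified", "level": NO_ACCESS},
    {"name": "Meeting Creator Group 1", "type": "Person group", "level": AUTHOR,
     "privileges": {WRITE_PUBLIC}},
    {"name": "Meeting Attender Group 1", "type": "Person group", "level": READER},
]

# Constructed misconfiguration: Default left at Reader, creators lack the privilege.
BAD_ACL = [
    {"name": "Anonymous", "type": "Unspecified", "level": NO_ACCESS},
    {"name": "-Default-", "type": "Unspecified", "level": READER},
    {"name": "Meeting Creator Group 1", "type": "Person group", "level": AUTHOR},
]

if __name__ == "__main__":
    for label, acl in (("good", GOOD_ACL), ("bad", BAD_ACL)):
        print(f"== {label} ACL ==")
        for finding in audit_acl(acl) or ["no findings"]:
            print(" ", finding)
        print("  IM-only user (no group):", sorted(user_privileges(acl, [])))
```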


End user issues in a mixed environment


The administrator should be aware of the following end user issues that may occur in a mixed environment that includes both instant messaging-only offerings of IBM Lotus Sametime (including Lotus Sametime Limited Use and Lotus Sametime Entry) and the Sametime Standard server.
- If an instant messaging-only Lotus Sametime user accesses the Lotus Sametime Meeting Center on a Sametime Standard server and clicks the "Attend a Meeting" or a "Schedule a Meeting" link, the user receives a message that they are not authorized to perform that action. The ACL settings of the Meeting Center database (stcenter.nsf) prevent the user from performing these actions.
- A standard Sametime server user can add Lotus Sametime Limited Use and Lotus Sametime Entry users to the contact list of a Lotus Sametime Connect client and exchange instant messages with these users or invite these users into chat conferences involving more than two users. The standard Sametime server user receives no indication that the user added to the contact list is a Lotus Sametime Limited Use or Lotus Sametime Entry user. If the Sametime Standard server user invites a Lotus Sametime Limited Use or Lotus Sametime Entry user to an instant meeting, both of these users will receive a meeting invitation on the desktop. The Sametime Standard server user can successfully enter this instant meeting but receives no message indicating the Lotus Sametime Limited Use or Lotus Sametime Entry user cannot join the meeting. The Lotus Sametime Limited Use and Lotus Sametime Entry users can click the Respond button on the meeting invitation to tell the meeting initiator that they do not have Web conferencing capabilities. If the Lotus Sametime Limited Use or Lotus Sametime Entry user attempts to join this meeting, the user sees a message indicating the Sametime Meeting Room is being prepared but is never allowed to join the meeting. The user must manually close this window.
- The Lotus Sametime Connect for browsers client that loads from the Limited Use or Entry offerings of Sametime may include user interface options that indicate the user can start instant meetings. For example, a user may be able to right-click on a name in the Contact list and select a "Collaborate" option to attempt to start an instant meeting. The Lotus Sametime Connect for browsers client user receives an error message when selecting any user interface option to start an instant meeting.


Chapter 14. Starting and stopping the Sametime server


The IBM Lotus Sametime server is configured as a set of services that start and stop automatically when the Domino server is stopped or started.

Starting and stopping a Sametime server on Windows


IBM Lotus Sametime is installed on an IBM Lotus Domino server; therefore, when you start or stop the Domino server, you are starting and stopping the Lotus Sametime server as well.

Starting a Sametime server


Follow these instructions to start a Sametime server that is running on a Windows server.
1. Select Start - Administrative Tools - Component Services.
2. In the Services dialog box, select Services (Local).
3. Right-click "Sametime server" and select Start.

Stopping a Sametime server


Follow these instructions to stop a Sametime server that is running on a Windows server.
1. Select Start - Administrative Tools - Component Services.
2. In the Services dialog box, select Services (Local).
3. Right-click "Sametime server" and select Stop.

Note: This assumes that the Sametime/Domino server has been installed as a service.

Starting and stopping a Sametime server without starting and stopping Domino
You can start and stop a Sametime server without starting and stopping the Domino server. For example, you might need to shut down Sametime services while you make configuration changes on the Sametime server, but you need to leave the Domino server running so you can access Domino databases on the server.
1. Open the Domino server console on the Sametime/Domino server.
2. In the Domino server console, choose one of the following actions:
a. To start the Sametime server on a Domino server that is already running, type this command:
Load STADDIN

b. To stop the Sametime server without stopping the Domino server type this command:
Tell STADDIN Quit

Copyright IBM Corp. 2007, 2009

137

Starting and stopping a Sametime server on AIX, Linux, or Solaris


About this task
IBM Lotus Sametime is installed on an IBM Lotus Domino server. Once you set up the Domino server to launch Lotus Sametime automatically, then whenever you start or stop the Domino server, you are starting and stopping the Lotus Sametime server as well. Refer to Running Sametime on AIX, Linux, and Solaris.
Starting a Sametime server
To start a Sametime server on IBM AIX, Linux, or Sun Solaris:
1. Log in to the system as the default Domino user. Make sure the default path and environment are set correctly.
2. Start the Sametime server by issuing the following server command. Note that starting the Sametime server might take a few minutes.
./ststart

3. The "ststart" script file sets some important environment variables before launching the server executable (/opt/ibm/lotus/bin/server).

Note: You can set up the Domino server to launch Sametime automatically.

What to do next
Stopping a Sametime server
To stop a Sametime server, you shut down the Domino server on which Lotus Sametime is installed.
1. Return to the terminal session where Domino was started.
2. If the prompt character > is not present, press the Enter key once to be presented with a prompt character. Then type either exit or quit and press the Enter key.
Starting and stopping the Sametime server without starting and stopping Domino
You can start and stop the Sametime server and keep the Domino server running. For example, you might need to shut down Sametime services while you make configuration changes on the Sametime server, but you need to leave the Domino server running so you can access Domino databases on the server.
1. Open the Domino server console on the Sametime/Domino server.
2. In the Domino server console, choose one of the following actions:
a. To start the Sametime server on a Domino server that is already running, type this command:
Load STADDIN

b. To stop the Sametime server without stopping the Domino server type this command:
Tell STADDIN Quit


Starting and stopping a Sametime server on i5/OS


About this task
IBM Lotus Sametime is installed on an IBM Lotus Domino server; therefore, when you start or stop the Domino server, you are starting and stopping the Lotus Sametime server as well.
Starting a Sametime server
To start a Sametime server on i5/OS, follow these steps:
1. From any i5/OS command line, run the following command:
WRKDOMSVR

2. On the Work with Domino Servers display, start the server by typing 1 in the Opt column next to the Domino server where you added Sametime and press Enter.
3. Press Enter to confirm your server selection.
4. Periodically press F5 to refresh your screen and wait for the Domino server status to be *STARTED. To confirm that all Sametime components have started, type 5 in the Opt column next to the server and press Enter to display the Domino console. On the Display Domino Console display, look for the message "Sametime: Server startup successful" which indicates that all Sametime components have started. You may need to press F5 periodically to refresh the screen until this message is displayed.

Results
Note: You can also use iSeries Navigator to start the Sametime server by selecting Network - Servers - Domino. Right-click on the Domino server where you added Sametime and select Start.


What to do next
Stopping a Sametime server
To stop a Sametime server on i5/OS, follow these steps:
1. From any i5/OS command line, run the following command:
WRKDOMSVR

2. On the Work with Domino Servers display, stop the server by typing 6 in the Opt column next to the Domino server where you added Sametime and press Enter.
3. Press Enter to confirm your server selection.
4. Periodically press F5 to refresh your screen and wait for the Domino server status to be *ENDED.
Note: You can also use iSeries Navigator to stop the Sametime server by selecting Network - Servers - Domino. Right-click on the Domino server where you added Sametime and select Stop.


Starting and stopping the Sametime services without starting and stopping Domino
You can start and stop the Sametime services without starting and stopping the Domino server. For example, you might need to shut down Sametime services while you make configuration changes on the Sametime server, but you need to leave the Domino server running so you can access Domino databases on the server.
1. On any i5/OS command line, enter the Work with Domino Console command and press F4:
WRKDOMCSL

2. Enter the server name and press Enter.
3. In the Domino server console, choose one of the following actions:
a. To start the Sametime service on a Domino server that is already running, type this command:
load STADDIN2

b. To stop the Sametime services without stopping the Domino server, type this command:
tell STADDIN2 Quit

4. Periodically press F5 to refresh your screen and look for a message to confirm that Sametime has started or stopped.

Restart Chart
The following table lists the administrative server functions, their subfunctions, details, and applicable switches, and indicates whether the server must be restarted for each setting to take effect.
Main Function in Admin | Sub Function | Details (Setting) | Switches | Required restart | Comments
--- | --- | --- | --- | --- | ---
Logging | Settings | General | Enable logging to a Domino database (STLog.nsf) | No | 
Logging | Settings | General | Remove history after (days) | Yes | 
Logging | Settings | General | Enable logging to a text file; Path to log text file | No | 
Logging | Settings | Sametime Statistics | Write statistics to the log every 60 minutes. This includes Community Services logging of people and chats, and Meeting Services logging of meeting, duration, and participants | Yes | 
Logging | Settings | Community Server Events to Log | Successful logins; Failed logins; Community server events and activities | Yes | 
Logging | Settings | Meeting Server Events to Log | Failed meeting authentications; Meeting Client Connections; Connections to other meeting servers in this community; Meeting Events (meeting server events and activities) | Yes | 
Logging | Settings | Capacity Warnings: Sharing in Instant Meetings | Number of active screen sharing/whiteboard meetings exceeds; Number of people in all screen sharing/whiteboard meetings exceeds; Number of people in one active screen sharing/whiteboard meeting exceeds | No | 
Logging | Settings | Capacity Warnings: Sharing in Scheduled Meetings | Number of active screen sharing/whiteboard meetings exceeds; Number of people in all screen sharing/whiteboard meetings exceeds; Number of people in one active screen sharing/whiteboard meeting exceeds | No | 
Directory | Domino/LDAP | User Registration | Allow people to register themselves in the Domino Directory | No | 
Config. | Connectivity | HTTP Services |  |  | It belongs to the Domino feature
Config. | Connectivity | Community services network | Address for server connections: Host name (if empty, service will bind to all host names on server), Port number; Address for client connections: Host name (if empty, service will bind to all host names on server), Port number (default 1533); Address for HTTPS tunneled client connections: Host name (if empty, service will bind to all host names on server), Port number | Yes | 
Config. | Connectivity | Community services network | Enable the Meeting Room client to try HTTP tunneling to the Community Server after trying other options | Yes | 
Config. | Connectivity | Community services network | Address for HTTP tunneled client connections: Host name (if empty, service will bind to all host names on server), Port number (default 8082 or 80) | Yes | 
Config. | Connectivity | Meeting Services network | Address for server connections: Host name (if empty, service will bind to all host names on server), Port number; Address for client connections: Host name (if empty, service will bind to all host names on server), Port number (default 1503); Address for HTTPS tunneled client connections: Host name (if empty, service will bind to all host names on server), Port number (default 8081) | Yes | 
Config. | Connectivity | Meeting Services network | Enable the Meeting Room client to try HTTP tunneling to the Community Server after trying other options | Yes | 
Config. | Connectivity | Meeting Services network | Address for HTTP tunneled client connections: Host name (if empty, service will bind to all host names on server), Port number (default 8081 or 80) | Yes | 
Config. | Connectivity | Meeting Services network | Event server port (default 9092) | Yes | 
Config. | Connectivity | Meeting Services network | Token server port (default 9094) | Yes | 
Config. | Connectivity | Broadcast Services Network |  |  | 
Config. | Connectivity | Interactive Audio/Video Network | TCP tunneling address for client connections: Host name (if empty, service will bind to all host names on server), Port number (default 8084) | Yes | 
Config. | Connectivity | Interactive Audio/Video Network | Multimedia Processor (MMP) UDP port numbers start at: 49252; Multimedia Processor (MMP) UDP port numbers end at: 65535 | Yes | 
Config. | Connectivity | Interactive Audio/Video Network | Multimedia control address: Host name (if empty, service will bind to all host names on server), Port number (default 9093) | Yes | 
Config. | Connectivity | Reverse Proxy Support | Enable Reverse Proxy Discovery on the client; Server Alias (this is what the Reverse Proxy is using to forward HTTP(S) messages to this server) | Yes | 
Config. | Connectivity | Connecting Meeting Servers |  | Yes | To allow meeting participants to attend a meeting on more than one server, you must create a connection record from each source server to each destination server. Once you do that, the destination servers are automatically included in a meeting when end users schedule a meeting and click the appropriate check boxes on the Location tab.
Config. | Community services | General | Number of entries on each page in dialog boxes that show names in the Directory (100); How often to poll for new names added to the Sametime Community Directory (minutes) (60); How often to poll for new servers added to the Sametime Community (minutes) (60); Maximum user and server connections to the Community server (20000) | Yes | 
Config. | Community services | General | Allow users to authenticate using either LTPA or Sametime Token (stauths.nsf and stautht.nsf). The server uses LTPA if this item is unchecked. (The item is checked by default.) | Yes | 
Config. | Community services | General | Display the "Launch Sametime Connect for the desktop" link on the Sametime Home page | No | 
Config. | Community services | Server Features | Allow users to transfer files to each other; Maximum file size allowed (KB): 1000 | Yes | 
Config. | Community services | Server Features | Allow users to send announcements (unencrypted one-way messages) | Yes | 
Config. | Community services | Sametime Connect for Browsers | Allow Connect users to save their user name, password, and proxy information (automatic login) | No | 

No Display the "Launch Sametime Connect for browsers" link on the Sametime Home page (stcenter.nsf).

Chapter 14. Starting and stopping the Sametime server

149

Main Function in Admin

Sub Function

Details Setting Display Name Settings for Anonymous Access to Meetings or other Virtual Places

Switches

Required restart

Comments

Yes Anonymous users can participate in meetings or enter virtual places. Their name appears as user1, user2, and so on. Users of Sametime applications (databases such as stconf.nsf or Web sites) can specify a display name so that they do not appear online as "anonymous." This does not authenticate users. (Databases must also allow anonymous access in the ACL.) Default domain for anonymous users:Guest Default name: User

150

Lotus Sametime Entry: Installation and Administration Guide

Main Function in Admin

Sub Function Community Services

Details Setting

Switches

Required restart No

Comments

Directory Users cannot Searching and browse or search the Browsing Directory. Users can type names (resolve users and groups) to add them to an awareness list. Users can browse the directory (see a list of names) or type names (resolve users and groups). Users can browse the directory to see group content and names, or type names (resolve user and groups).

Meeting services

General

No Automatically extend meetings beyond scheduled end time when there are still people in the meeting. After a meeting, add the names of participants to the meeting document

Chapter 14. Starting and stopping the Sametime server

151

Main Function in Admin

Sub Function

Details Setting When people start or schedule a meeting

Switches

Required restart

Comments

Allow people to No choose the Screen Sharing tool in meetings: Participants can share their screen, view a shared screen, or control a shared screen if the moderator permits. Participants can share their screen if the moderator permits or view a shared screen. Participants can view the shared screen only.

Force Screen Sharing to use 8-bit color.

No

Allow people to No choose the whiteboard tool in meetings Allow people to save whiteboard annotations as attachments to the meeting.

Allow people to No enable the "Send Web Page" tool in meetings

152

Lotus Sametime Entry: Installation and Administration Guide

Main Function in Admin

Sub Function

Details Setting

Switches

Required restart

Comments

Allow people to No choose the Polling tool in meetings

Allow people to No record meetings for later playback (scheduled meetings only). Save recorded meetings in the following location Stop recording when this much disk space is left (MBytes) (an error is written to the log.):300

When People Start an Instant Meeting or Schedule a Meeting

Allow people to No schedule Recorded Meeting Broadcast meetings.

Security

Encrypt all Sametime meetings

No

It does work in Meeting center, but doesn't affect the instant meeting.

Require all scheduled meetings to have a password

No

Chapter 14. Starting and stopping the Sametime server

153

Main Function in Admin

Sub Function Meeting Services

Details Setting Connection Speed Settings

Switches Meetings with modem users Meetings with LAN/WAN users

Required restart Yes

Comments

Audio/video

When People Schedule a Meeting

Allow people to No choose Sametime IP Audio (in addition to or instead of telephone) in meetings. Allow people to choose Sametime IP Video in meetings.

Switching

Time to wait for silence before switching to next speaker (100 - 500 ms): 250 Time to wait before switching to next video (500 - 4000 ms): 2000

Recorded Meeting Broadcast Meetings Connection Speed Settings

154

Lotus Sametime Entry: Installation and Administration Guide

Main Function in Admin

Sub Function

Details Setting

Switches

Required restart

Comments

Set a maximum Yes number of interactive audio connections for all instant meetings on this server. :100

Usage Limits and Denied Entry for Instant Meetings

Set a maximum Yes number of interactive video connections for all instant meetings on this server. Each video connection requires an audio connection. Ensure that there are at least as many audio connections allowed as video.:100

Set a maximum Yes number of interactive audio connections for all instant meetings on this server.:100

Chapter 14. Starting and stopping the Sametime server

155

Main Function in Admin

Sub Function

Details Setting Usage Limits and Denied Entry for Scheduled Meetings

Switches

Required restart

Comments

Set a maximum Yes number of interactive video connections for all instant meetings on this server. Each video connection requires an audio connection. Ensure that there are at least as many audio connections allowed as video.:100

Audio/Video

Usage Limits and Denied Entry for Recorded Broadcast Meetings

156

Lotus Sametime Entry: Installation and Administration Guide

Chapter 15. Using the Sametime Administration Tool


This section describes the administrative features of the IBM Lotus Sametime server administration tool (or Sametime Administration Tool) and includes instructions for giving other administrators access to the Sametime Administration Tool. This section also lists the skills the Administrator needs to administer the Sametime server and the attendant tools, servers, and functions.

Note: For Lotus Sametime Entry and other Sametime offerings that do not support Web conferencing, access the server page by typing http://<hostname>/ into a browser URL field, where <hostname> is the fully qualified name of your Sametime server.

Starting the Sametime Administration Tool


About this task
The Sametime Administration Tool is an HTML and XML based application that enables you to administer the Sametime server using a Web browser. You must enable Java applets and JavaScript or ActiveX Controls in your browser to use the Sametime Administration Tool. To start the Sametime Administration Tool: 1. Enter the URL for the Sametime server:
http://hostname

where hostname is the fully qualified Domain Name Service (DNS) name or the IP address of the Sametime server you want to administer. 2. From the Sametime server home page (Sametime Welcome page), click "Administer the Server." 3. Enter the administrator name and password specified during the Sametime server installation. The Sametime Administration Tool opens in its own Web browser window.

User name and password requirements


About this task
To access the Sametime Administration Tool, an administrator enters the user name and the Internet password specified on the administrator's Person document in the Domino Directory on the Sametime server. The installation automatically creates a Person document containing a user name and Internet password for the person specified as the administrator. The administrator specified during the installation can provide other administrators with access to the Sametime Administration Tool. To allow other users to access the Sametime Administration Tool, see Adding a new Sametime administrator.

Details: Starting the Sametime Administration Tool


About this task
To run the Sametime Administration Tool in Microsoft Internet Explorer, make the following changes in your browser. You must make these changes regardless of whether Microsoft Internet Explorer is installed on a client or server computer.

1. Select Tools - Internet Options.
2. Select the Advanced tab.
3. Clear the check mark from the "Use HTTP 1.1" option.

Results
Set the default font in your browser to a small font size to ensure that all Command Group and Command names display in the space provided in the Sametime Administration Tool.

To view multiple versions of the Sametime Administration Tool at the same time (for example, to simultaneously monitor Community Services and Meeting Services connections), start additional copies of the browser and open the Sametime Administration Tool in each copy of the browser. Arrange the windows so all copies display on the screen.

Overview of the Sametime Administration Tool features


The Sametime Administration Tool includes seven command groups: Server Overview, Message From Administrator, Monitoring, Logging, Directory, Policies, and Configuration. You can use the command groups to perform a variety of administrative tasks. The basic command groups and their features are briefly described below.

Note: Audio/video and Meeting services features are not included in Lotus Sametime Entry and Lotus Sametime Limited Use.

Server Overview
Use the Server Overview feature to ensure that the Sametime services are functioning as expected. For more information, see Server Overview feature.

Message From Administrator


The Message From Administrator command group enables the Sametime administrator to send a message to all users who are currently logged in to the Community Services from a Sametime client. For more information, see Message From Administrator feature.

Monitoring
The Sametime server includes charts that allow you to monitor current Sametime server statistics. The monitoring charts provide up-to-the-second information about Community Services, Meeting Services, Recorded Meeting Broadcast Services, Audio/Video Services, Web statistics, and free disk space on the server. For more information, see Monitoring the Sametime server.


Logging
The Sametime logging command group enables the Sametime administrator to log information about Sametime activity to a database on the server or to a text file. The administrator can also configure logging parameters to determine the types of events and activities that are recorded in the Sametime log. For more information, see Logging Sametime activity.

Directory
The available Directory group features depend on whether the Sametime server uses a Domino Directory or an LDAP directory on an LDAP server.

Person and Group Documents

If the Sametime server is using a Domino Directory, the Directory features enable the administrator to manage users by creating, editing, and deleting Person and Group documents in the Domino Directory on the Sametime server. The administrator can also open the Access Control Lists (ACLs) of databases on the Sametime server from the Domino Directory settings of the Sametime Administration Tool. The ACLs are used to manage security for databases on the Sametime server. For more information about using the Domino Directory, see Managing Users and Domino Directories. For more information about ACLs and Sametime security, see Managing Security.

If the Sametime server is operating in an LDAP environment, the administrator can use the LDAP Directory settings of the Sametime Administration Tool to configure the Sametime server to operate as a client to an LDAP server. In this environment, the Sametime users are managed in an LDAP directory on an LDAP server. The Sametime server establishes a connection to the LDAP server and accesses LDAP directory entries to perform search and authentication operations on behalf of Sametime clients. The administrator can also open the Access Control Lists (ACLs) of databases on the Sametime server from the LDAP Directory settings of the Sametime Administration Tool. For more information, see Managing Users and LDAP Directories.

Policies
The Policies selection allows you to set varied levels of access to features on the server depending upon the user's level of need. You can set the size and types of files the user can transfer, if allowed, and general access to Meeting and Community Tools and capabilities.

Configuration
The Configuration command group allows the Sametime administrator to control the operation of the Sametime services and the connection ports and processes of Sametime clients. The Configuration features include:

- Connectivity - The Connectivity configuration settings control the ports on which the Sametime services listen for connections from clients. The Connectivity settings also provide features that enable Sametime clients to connect to the Sametime server through restrictive firewalls and proxy servers. For more information, see Configuring Sametime connectivity.

  The Connectivity configuration settings also include "Servers in this Community" settings. These settings are used when you install multiple Sametime servers. For more information, see Advantages of using multiple Sametime servers.

- Community Services - The Community Services configuration settings enable the administrator to ensure that the Community Services receive timely updates from the Directory. These updates are necessary to ensure that Community Services have recent information concerning new users and servers that have been added to the Directory. The administrator can specify the time intervals in which the Community Services receive updates from the Directory.

  The Community Services settings also enable the administrator to control whether the Windows or Web browser version of Sametime Connect is available to end users and whether end users are allowed to use the automatic login feature of Sametime Connect. The administrator also uses the Community Services configuration settings to set the maximum number of connections to Community Services, to allow or prevent end users from using Sametime to transfer files to one another, to set the maximum size allowed for file transfers, and to allow or prevent users from sending announcements (one-way unencrypted instant messages).

  The Community Services Anonymous Access settings force a name entry dialog box to appear when anonymous access is allowed to a Sametime database by the database ACL. This name entry dialog box enables the user to enter a name so that the user can be individually identified in presence lists. (Normally, a name entry dialog box does not appear when the ACL settings of a database allow anonymous access.) The Community Services Anonymous Access settings also determine whether anonymous users can search and browse the Directory. For more information, see Anonymous Access Settings for Community Services.

- Connection Speed Settings control the rates at which recorded meeting streams and interactive audio/video streams are transmitted on the network for modem and LAN/WAN users.

- Business Card setup - This feature of Sametime allows you to set attributes such as name, title, photo, and e-mail address for display in the Chat window for users' contact lists. See the chapter on Business Card for more information.

Sametime Administration Tool


The Sametime Administration Tool is an HTML and XML based application that runs in a Web browser. You open the Sametime Administration Tool by clicking "Administer the Server" on the Sametime server home page. The Sametime Administration Tool is the primary administration tool for the Sametime server. For more information about the Sametime Administration Tool, see Overview of the Sametime Administration Tool features.

During the Sametime installation, one user is specified as the administrator of the Sametime server. This administrator has access to the Sametime Administration Tool and all of its administrative features. The administrator specified during the installation can provide other administrators with access to the Sametime Administration Tool as needed.

The Sametime Administration Tool should be used to perform all administrative procedures on the Sametime server with the following exceptions:

- Replication and creation of new Lotus Notes databases - If a Sametime procedure requires you to replicate a database or create a new database, you must use a Lotus Notes or Domino Administrator client. The Sametime Administration Tool does not provide the functionality required to create one-time replicas (replica stubs) or other new databases, or set up replication schedules.

- Managing LDAP users - If you have configured Sametime to operate as a client to an LDAP server, you cannot use the Sametime Administration Tool to add or delete users in the LDAP directory on the LDAP server. Use the software provided with the LDAP server for management of the LDAP directory.

  Note: Although you cannot use the Sametime Administration Tool to manage users in an LDAP directory on a third-party server, you must use the Sametime Administration Tool to configure the Sametime server to access the LDAP directory on the third-party LDAP server.

- Setting up Secure Sockets Layer (SSL) on the Sametime server - If you want to configure the Sametime server so that all Web browser clients use the SSL protocol when connecting to the Sametime server, you must use a Lotus Notes client or the Domino Administrator client to set up SSL on the server.

- Enabling an IBM Lotus Sametime Gateway and deploying a SIP Connector - If you want to allow users in your Sametime community to communicate with users in other instant messaging communities that support the SIP/SIMPLE protocol, see the separate guide to the IBM Lotus Sametime Gateway.

- Creating Community Services clusters - A Community Services cluster consists of multiple Sametime servers configured to operate together, providing failover and load balancing for the Sametime instant messaging and presence functionality. For more information, see Overview of Community Services clustering.

- Starting or stopping Sametime services - To stop services on Windows, use Control Panel - Administrative tools - Services. There is no provision for stopping services on UNIX-run platforms.

Monitoring the Sametime server


Sametime includes a variety of monitoring tools that provide up-to-the-second information about server activity and statistics. The Sametime monitoring tools display information about:

- General server status
- Logins

For more information on the Sametime Monitoring tools, see Monitoring tools.

Logging Sametime activity


Sametime provides a variety of logging capabilities that enable the administrator to record information about Sametime server activity and statistics. You can record the following information in the Sametime log:

- Community Logins/Logouts
- Community Statistics
- Community Events
- Place Login Failures

In standard Sametime, you can also view the Domino log from the Sametime Administration Tool. Use the Domino log to monitor:

- Available server disk space
- Available server memory
- Server load
- Server performance
- Databases that need maintenance

You can determine the format for the Sametime log and the content of the log in the logging settings. For more information about the Sametime log, see Using the Sametime logging features.
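The login and login-failure events listed above are the records a defender most often wants to watch, because a run of failed Community Services logins from one client address against one user is the usual sign of password guessing. The script below is an added example, not part of the IBM guide or the Sametime product: it reads a log export, keeps a sliding one-minute window of failures per (user, client address) pair, and raises one alert when the count reaches a threshold. The guide does not document the layout of Sametime log records, so the tab-separated layout, the event names (LOGIN, LOGOUT, LOGIN_FAILURE) and the sample lines are all constructed for this example; adapt parse_log() to the fields your log database or text file actually contains.

```python
"""Flag bursts of failed Community Services logins in a Sametime log export.

Added example; not from the IBM guide. The guide says the Sametime log can
record Community logins/logouts and place login failures but does not
document a record layout, so the tab-separated layout used here is a
constructed, hypothetical one. Adapt parse_log() to your real export.
"""
from collections import defaultdict, deque
from datetime import datetime, timedelta

# Constructed sample records: timestamp, event, user, client address.
# jdoe fails five times in eight seconds; asmith fails twice, 35 minutes apart.
SAMPLE_LOG = """\
2009-03-02 09:00:01\tLOGIN_FAILURE\tjdoe\t192.0.2.10
2009-03-02 09:00:04\tLOGIN_FAILURE\tjdoe\t192.0.2.10
2009-03-02 09:00:06\tLOGIN_FAILURE\tjdoe\t192.0.2.10
2009-03-02 09:00:07\tLOGIN_FAILURE\tjdoe\t192.0.2.10
2009-03-02 09:00:09\tLOGIN_FAILURE\tjdoe\t192.0.2.10
2009-03-02 09:00:30\tLOGIN\tasmith\t192.0.2.20
2009-03-02 09:05:00\tLOGIN_FAILURE\tasmith\t192.0.2.20
2009-03-02 09:40:00\tLOGIN_FAILURE\tasmith\t192.0.2.20
2009-03-02 09:41:00\tLOGOUT\tasmith\t192.0.2.20
"""


def parse_log(text):
    """Parse the hypothetical layout into (timestamp, event, user, address) tuples."""
    events = []
    for line in text.splitlines():
        if not line.strip():
            continue
        stamp, event, user, address = line.split("\t")
        events.append((datetime.strptime(stamp, "%Y-%m-%d %H:%M:%S"),
                       event, user, address))
    return events


def failure_bursts(events, threshold=5, window_seconds=60):
    """Return one alert per (user, address) that reaches `threshold` login
    failures inside any sliding window of `window_seconds`.

    A slow trickle of failures that never fits inside the window does not
    alert, which keeps ordinary mistyped passwords out of the report.
    """
    window = timedelta(seconds=window_seconds)
    recent = defaultdict(deque)   # (user, address) -> failure timestamps in window
    alerted = set()
    alerts = []
    for stamp, event, user, address in sorted(events):
        if event != "LOGIN_FAILURE":
            continue
        key = (user, address)
        q = recent[key]
        q.append(stamp)
        while stamp - q[0] > window:      # drop failures that left the window
            q.popleft()
        if len(q) >= threshold and key not in alerted:
            alerted.add(key)
            alerts.append({"user": user, "source": address, "failures": len(q),
                           "first": q[0], "last": stamp})
    return alerts


if __name__ == "__main__":
    for alert in failure_bursts(parse_log(SAMPLE_LOG)):
        print("%(failures)d failed logins for %(user)s from %(source)s "
              "between %(first)s and %(last)s" % alert)
```

On the constructed sample the default settings report jdoe once and stay silent on asmith; lowering the threshold or widening the window trades sensitivity for noise, which is the tuning decision the logging settings described above leave to the administrator.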

Managing users and Domino Directories


Sametime uses the Domino Directory of the Domino server on which it is installed. Sametime can also use Domino Directory Assistance or the Domino Extended Server Directory Catalog feature to access secondary Domino Directories in the Domino environment. To ensure that Sametime can successfully access the Domino Directory or Directories and interoperate in the Domino domain, review the following topics: Managing the Domino Directory.

Managing users and LDAP directories


Sametime can be configured to connect to a third-party LDAP server and access an LDAP directory on the LDAP server. This capability enables you to integrate Sametime into an environment in which LDAP servers are already operating. The Sametime LDAP Directory Settings ensure that the Sametime server can access the LDAP directory (or directories) on behalf of Sametime clients.

Note: For information on using LDAP with a Sametime server that operates on a platform other than Windows (such as the IBM i5/OS or IBM pSeries servers), see "Sametime Server Installation."

Sametime Administration Tool and LDAP environments


If the Sametime server is configured to operate as a client to an LDAP server, Sametime administrators are authenticated using Person documents in the Domino Directory.

Note: In the LDAP environment, only Sametime administrators (or users that access the Sametime Administration Tool) are authenticated against the Domino Directory. All other users are authenticated against an LDAP directory on a third-party server.

If you have configured Sametime to operate in an LDAP environment, you must maintain Person documents in the Domino Directory on the Sametime server for the administrators. When accessing the Sametime Administration Tool, the administrator must enter the last name or user name and the Internet password from the administrator's Person document in the Domino Directory. For information on adding administrators in the LDAP environment, see Adding a new Sametime administrator.

When operating in an LDAP environment, administrators cannot use the Sametime Administration Tool to add or modify users and groups in the LDAP directory on the third-party server. User accounts must be added and modified using the software and procedures required by the LDAP directory on the third-party server.


Configuring ports and network connectivity


If you have installed the Sametime server behind a firewall and all clients that will access the server are also behind the firewall, configuring network ports and connectivity might not be an issue. However, if clients are required to cross firewalls or access the Sametime server through proxy servers, you might need to make adjustments to the Sametime Networks and Ports settings available from the Configuration - Connectivity options of the Sametime Administration Tool.

Note: Meetings do not apply to Sametime Entry, Sametime Limited Use, or versions of Sametime where web conferencing is unsupported. Audio/Video does not apply to Sametime Entry or Sametime Limited Use.

Sametime provides a variety of features that enable clients to connect through restrictive firewalls and proxy servers. Some of these features include:

- HTTP tunneling of Community Services, Meeting Services, and Recorded Meeting Broadcast Services data on port 80
- Reverse HTTP proxy support for the Sametime server

For detailed information about the ports used by the Sametime server and how Sametime clients connect through firewalls and proxy servers, review the list of topics in About Sametime Connectivity. For additional information about connectivity, see Extending Sametime to Internet users.
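The Networks and Ports table in the preceding chapter and the connectivity settings described here share one detail worth checking on any server that has more than one network interface: when the host name field of a listener is left empty, the service binds to all host names on the server, so the port is reachable on every interface, including one that faces the Internet or a proxy tier you did not intend to expose it to. The following script is an added example, not part of the IBM guide or the Sametime product: it reads a Linux `ss -ltn` listening-socket listing, maps the default Sametime TCP ports from the table to their services, and reports which Sametime listeners are bound to a wildcard address rather than a specific host address. The `ss` output is constructed sample data, and the SAMETIME_PORTS mapping and the function names are this example's own; a server configured with non-default ports needs the mapping adjusted, and other platforms' netstat output has a different column layout that needs its own field handling.

```python
"""Report Lotus Sametime listeners that are bound to all interfaces.

Added example; not from the IBM guide. The port-to-service map uses the
default TCP ports from the guide's Networks and Ports table. The socket
listing below is constructed sample data in Linux `ss -ltn` layout.
"""
from collections import namedtuple

# Default TCP ports from the Networks and Ports table (UDP media ports omitted).
SAMETIME_PORTS = {
    1533: "Community Services client connections",
    8082: "Community Services HTTP tunneled client connections",
    1503: "Meeting Services client connections",
    8081: "Meeting Services HTTP/HTTPS tunneled client connections",
    9092: "Meeting Services event server",
    9094: "Meeting Services token server",
    8084: "Broadcast Services TCP tunneling",
    9093: "Interactive Audio/Video multimedia control",
}

# Addresses that mean "every interface on this host", which is what an empty
# host name field in the Sametime Administration Tool produces.
WILDCARD_ADDRESSES = {"0.0.0.0", "::", "*"}

# Constructed sample: 8082 and 9093 are bound to one address, the rest are
# wildcard-bound; port 22 is not a Sametime port and must be ignored.
SAMPLE_SS_OUTPUT = """\
State   Recv-Q  Send-Q  Local Address:Port   Peer Address:Port
LISTEN  0       128     0.0.0.0:1533         0.0.0.0:*
LISTEN  0       128     10.0.0.5:8082        0.0.0.0:*
LISTEN  0       128     0.0.0.0:9094         0.0.0.0:*
LISTEN  0       128     127.0.0.1:9093       0.0.0.0:*
LISTEN  0       128     [::]:1503            [::]:*
LISTEN  0       128     0.0.0.0:22           0.0.0.0:*
"""

Listener = namedtuple("Listener", "address port service all_interfaces")


def parse_sametime_listeners(ss_output):
    """Return a Listener for every LISTEN socket on a known Sametime port."""
    listeners = []
    for line in ss_output.splitlines():
        fields = line.split()
        if len(fields) < 5 or fields[0] != "LISTEN":
            continue                      # skips the header and non-listening rows
        # Local address is "host:port"; IPv6 hosts appear bracketed, e.g. "[::]".
        host, _, port_text = fields[3].rpartition(":")
        host = host.strip("[]")
        if not port_text.isdigit():
            continue
        port = int(port_text)
        if port not in SAMETIME_PORTS:
            continue
        listeners.append(Listener(host, port, SAMETIME_PORTS[port],
                                  host in WILDCARD_ADDRESSES))
    return listeners


def exposed_ports(ss_output):
    """Sametime ports that are listening on every interface, sorted."""
    return sorted(l.port for l in parse_sametime_listeners(ss_output)
                  if l.all_interfaces)


def report(ss_output):
    """One line per Sametime listener: port, service, and binding scope."""
    lines = []
    for l in parse_sametime_listeners(ss_output):
        scope = "ALL INTERFACES" if l.all_interfaces else l.address
        lines.append("%-5d %-55s %s" % (l.port, l.service, scope))
    return "\n".join(lines)


if __name__ == "__main__":
    print(report(SAMPLE_SS_OUTPUT))
    print("Bound to all interfaces:", exposed_ports(SAMPLE_SS_OUTPUT))
```

Pipe a live listing in with `ss -ltn | python3 this_script.py` after changing the `__main__` block to read `sys.stdin`; the result tells you which of the ports in the table a host-based or perimeter firewall must cover, and which listeners you can instead pin to one host name in the Connectivity settings (a change that, per the table, requires a server restart).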

Configuring Community Services


The Sametime Administration Tool includes several features that enable the administrator to control the behavior of the Community Services. The Community Services administration features enable the administrator to:

- Configure the number of user names that appear on a page when users search or browse the Directory.
- Configure the time intervals at which the Community Services receive updates from a Domino or LDAP Directory. The Community Services must receive updates from the Directory at periodic intervals to ensure that users recently added to the directory can be displayed in presence lists. The Community Services must also maintain an updated list of all Sametime servers operating in the community.
- Configure the maximum number of client and server connections to Community Services.
- Allow users to authenticate using either Lightweight Third Party Authentication (LTPA) or Sametime tokens.
- Determine whether the links that enable users to access the Java version of Sametime Connect (Sametime Connect for browsers) and the Windows version of Sametime Connect (Sametime Connect for the desktop) are available.
- Allow users to transfer files to each other, set a maximum file size for transfers, and exclude certain file types.
- Allow users to send announcements (unencrypted one-way instant messages).
- Determine whether end users can use the automatic login feature of Sametime Connect.
- Configure Anonymous Access:
  - Allow anonymous users to participate in meetings and enter virtual places.
  - Force a name entry dialog box to appear when anonymous access is allowed to a Sametime database by the database ACL. This name entry dialog box enables the user to enter a name so that the user can be individually identified in presence lists.
  - Set the default name that appears for anonymous users who do not use the name entry dialog box.
  - Determine the level of access that anonymous users have to the Directory.

For more information about the Community Services configuration settings, see Community Services configuration settings. For information about connecting to the Community Services, see Community Services Network settings.

Additional administrative tasks


The following administrative tasks require you to use a combination of command groups in the Sametime Administration Tool or to use tools other than the Sametime Administration Tool.

Note: If a Sametime procedure requires you to replicate a database or create a new database, you must use a Lotus Notes or Domino Administrator client. The Sametime Administration Tool does not provide the functionality required to create one-time replicas (replica stubs) or other new databases or set up replication schedules.

Deploying multiple Sametime servers


A Sametime community can include more than one Sametime server. If you have a large number of Sametime users, you can install multiple Sametime servers for load balancing and to reduce network bandwidth usage. You can also install multiple Sametime servers to securely allow Internet clients to attend meetings conducted on servers inside your firewall.

Before adding another Sametime server to your Sametime community, you should review the information in the Deploying multiple Sametime servers section of this documentation. This documentation contains information about:

- Installing multiple Sametime servers
- Synchronizing multiple Sametime servers to operate as a single community
- Techniques that can be used to extend a single Sametime community across multiple Domino domains

For more information, see Advantages of using multiple Sametime servers.

Managing security
After you have installed and set up the Sametime server, you might want to review the available security features and default security settings of the Sametime server. Sametime offers several features to enhance security. Some of the administrative tasks associated with enhancing security include:

- Administering the Domino Single Sign-On (SSO) feature - The Domino SSO feature is enabled by default during a Sametime installation. The authentication tokens created by this feature are required to authenticate client connections to the Sametime services. In some cases, it may be necessary for the administrator to perform additional configurations following the Sametime server installation to ensure the Domino SSO feature is configured correctly. For more information, see Authentication by token using LTPA and Sametime tokens.

- Enabling the SametimeSecretsGenerator Agent - For added protection against hackers or other outside attacks, the administrator can enable the SametimeSecretsGenerator in the Secrets database. Before taking this step, the administrator should review Authentication by token using LTPA and Sametime tokens.

- Setting up SSL - The Secure Sockets Layer (SSL) can be used to encrypt information passing over the initial connection between the Web browser and the Sametime server. This information includes the user names and Internet passwords that members of the Sametime community use to access Sametime Connect and protected databases on the server. A Lotus Notes client is required to set up SSL for the initial Web browser connection. For more information, see About SSL and Sametime.

Server Overview feature


Use the Server Overview feature to ensure that the Sametime services are functioning as expected.

Services Status
The Services Status list includes all Sametime services and their current status: Running or Not Running. You cannot start or stop any Sametime service from the Sametime Administration Tool. Use the Services settings in the Windows Control Panel or Windows Administrative Tools to start or stop a Sametime service. The names of the services in the Control Panel or Administrative Tools are identical to the names of the services in the Sametime Administration Tool. Refresh your browser to get current statistics. The Overview lists do not update until you click Refresh. The date and time of the last update are listed above the Services Status table. To access the Server Overview feature, click Server Overview in the Sametime Administration Tool.

Message From Administrator feature


About this task
Use the Sametime Administration Tool to simultaneously send a single message to all users currently logged in to Community Services from any Lotus Sametime client.

To send a message to all users currently logged in to Community Services:
1. From the Sametime server home page, click "Administer the Server."
2. Select Message From Administrator.
3. Enter the message in the text box provided.
4. Click Send. You receive a confirmation that your message was sent.

Adding a new Sametime administrator


A Sametime administrator name and password is specified during the Sametime installation and setup process. The administrator specified during the Sametime server installation and setup can access all features of the Sametime Administration Tool and can provide other administrators with access to the Sametime Administration Tool. The recommended method for adding new administrators is to create an Administrators Group document. Add this Administrators Group to the ACLs of the appropriate Sametime databases and to the appropriate fields in the Server document of the Sametime server. After you have added the Administrators Group document to the appropriate database ACLs and the appropriate fields on the Server document, you can add or remove an administrator by adding or removing a name from the Administrators Group document.


Lotus Sametime Entry: Installation and Administration Guide

This is the procedure for adding an administrator when Sametime uses the Domino Directory; the procedure is different in an LDAP environment (see LDAP / Adding an administrator).

Allowing others to access the Sametime Administration Tool


To allow others to access the Sametime Administration Tool, perform the following tasks:
1. Create a Person document for the administrator (if necessary).
2. Create an Administrators Group document.
3. Add the Administrators Group document to Sametime database ACLs. Generally, you provide the Administrators Group with the Manager access level in the ACL of all Sametime databases, and provide the Administrators Group with all roles available in the database ACL.
4. Modify the Server document of the Sametime server. You must add the Administrators Group to the "Administrators" and "Run unrestricted methods and operations" fields in the Server document of the Sametime server.
5. Edit the Administrators Group document to allow or revoke access to the Sametime Administration Tool.

Note: If the new administrator uses Microsoft Internet Explorer to access the Sametime Administration Tool, the administrator must disable the "Use HTTP 1.1" setting in the Tools - Internet Options - Advanced tab of the Web browser.

Note: If your Sametime server is configured for LDAP, then you must create the new administrator using your LDAP Directory tools.

Using individual names instead of an Administrators Group


You can also use the instructions in steps 1, 3 and 4 above to add individual user names to the database ACLs and the fields of the Server document.

Note: If the Sametime server is configured to use SSL for Web browser connections to the HTTP server, you must use the individual names of administrators in the database ACLs. If SSL is enabled, and the administrator is listed only as a member of a group in database ACLs, the administrator will be unable to log in to the Sametime Administration Tool.

If you use individual names instead of a Group document, you must repeat steps 1, 3, and 4 for each user. This is a more cumbersome method of providing access for administrators, but it allows you to use database roles to control the types of administrative tasks that each administrator can perform. If you use a Group document, every administrator entered in the Administrators Group document will have the same level of access to the Sametime Administration Tool.

Create a Person document for the administrator


About this task
This procedure is the first of five required when adding a new Sametime administrator. In this procedure, you create a Person document in the Domino Directory for the Sametime administrator. If the administrator whom you are adding already has a Person document that contains a last name, user name, and Internet password, skip this procedure.

To create a Person document from the Sametime Administration Tool:
1. From the Sametime server home page, click "Administer the Server."
2. From the Sametime Administration Tool:
   - If you are using a Domino Directory with the Sametime server, select Domino Directory - Domino.
   - If you are using an LDAP directory with the Sametime server, select LDAP Directory.
3. Choose "Add Sametime Administrators - Create a record for each person who will be an administrator."
4. Choose Add Person.
5. In the Person document, select the Basics tab.
6. Enter the user's first, middle, and last name in the appropriate fields. Only the last name is required.
7. Enter a name for the user in the User Name field. An entry in this field is required for the user to authenticate with the Sametime server. You can use any of the following characters in a user name: A - Z, 0 - 9, ampersand (&), dash (-), period (.), underscore (_), apostrophe ('), and space. Using other characters can cause unexpected results.
8. Enter an Internet password for the person in the "Internet password" field. An entry in this field is required for the user to authenticate when accessing the Sametime Administration Tool. There are no restrictions on the number of characters used in the Internet password.
9. Click "Save & Close." The Person document is added to the Directory.

Note: If your Sametime server is configured for LDAP, then you must create the new administrator using your LDAP Directory tools.

Next step

After creating the Person document for the administrator, create an Administrators Group document.

Create an Administrators Group document


About this task
This procedure is the second of five required when adding a new Sametime administrator. In this procedure, you create a group document to hold the names of Sametime administrators.

To create an Administrators Group document:
1. From the Sametime server home page, click "Administer the Server."
2. From the Sametime Administration Tool:
   - If you are using a Domino Directory with the Sametime server, select Domino Directory - Domino.
   - If you are using an LDAP directory with the Sametime server, select LDAP Directory.
3. Choose "Add Sametime Administrators - Create a group for the administrators."
4. Click Add Group.
5. Enter a name for the group in the "Group name" field (for example, "Administrators" or "Sametime Administrators").
6. For group type, select Multipurpose.
7. Optional: Enter a description of the group in the Description field.
8. In the Members field, list the names of users you want to access the Sametime Administration Tool. Make sure to enter the name exactly as it is entered in the topmost entry of the "User name" field of a user's Person document.
9. Select Administration at the top of the Group document.
10. Enter the names of the group owners in the Owners field. Generally, the group owner is the administrator creating the group. Only the administrator listed in the Owners field can modify this Group document. If the Owners field is blank, any administrator can modify this Group document.
11. Click "Save & Close."

Next step

After creating the Administrators Group document, add the Administrators Group document to the ACLs of the appropriate Sametime databases.

Add the Administrators Group document to Sametime database ACLs


About this task
This procedure is the third of five required when adding a new Sametime administrator. In this procedure, you add the Administrators Group document (or the name of an individual user) to Sametime database Access Control Lists (ACLs) and provide the Manager access level to the Group (or individual user).

In addition to ACL access levels, you must also specify the ACL privileges and roles that the Administrators Group (or an individual user) has in each database. Generally, for an Administrators Group, select all ACL privileges and roles available when adding the Group to a Sametime database ACL. Selecting all ACL privileges and roles provides any administrator listed in the Administrators Group document with access to the full range of administrative features available from the Sametime Administration Tool.

Note: If you are adding individual user names to Sametime database ACLs instead of a group name, database roles can be used to prevent or allow access to specific features of the Sametime Administration Tool. For more information, see Roles in Sametime database ACLs.

Add the Administrators Group to the ACLs of the following Sametime databases:
- Sametime Configuration (stconfig.nsf) - Stores the configuration parameters that are set from the Sametime Administration Tool.
- Domino Directory or Address Book (names.nsf) - Stores Person and Group documents, ACL settings, and other configuration information for the Domino/Web Application Services.
- Sametime Log (stlog.nsf) - Stores logging information.
- Domino Web Administration (webadmin.nsf) - Contains the Domino Web Administration client, which includes monitoring features for the HTTP Services and free disk space. This is the full Domino Web Administration client that is included with Domino servers.

Follow the instructions below to add the Administrators Group document (or an individual user's name) to the ACLs of the Sametime databases and make the appropriate ACL settings in each database.
1. From the Sametime Administration Tool:
   - If you are using the Domino Directory with the Sametime server, choose Domino Directory - Domino.
   - If you are using an LDAP Directory with the Sametime server, choose LDAP Directory.
2. Choose "Add Sametime Administrators - Give the administrator group Manager access for all appropriate databases, such as stconf.nsf and stcenter.nsf." The Access Control options appear.
3. From the Databases list, select Sametime Configuration (stconfig.nsf). Note: The database filename appears below the Databases list.
4. Click the Access button.
5. Click the Add button. Enter the Administrators Group document name in the dialog box (for example, "Administrators" or "Sametime Administrators"). If you are adding individual user names, enter the person's user name in the dialog box. Enter the name as it is entered in the top entry of the "User name" field on the user's Person document.
6. Click OK.
7. Select the Administrators Group name (or individual person's name) from the list in the Database Security window.
8. In the User Type drop-down list, select Group (or Person if you are adding an individual user's name).
9. In the Access drop-down list, select Manager.
10. Make sure that all ACL privileges, such as "Create documents" and "Delete documents," are selected.
11. Click the Roles button.
12. If you want the Administrators Group to have access to the full range of administrative functions, select all roles. Click OK. The roles determine which administration tasks the members of the group can perform. If you are adding individual user names to the ACLs, you can use the roles to control the administrative features that are available to individual administrators. For more information, see Roles in Sametime database ACLs.
13. Click Submit.
14. After adding the Administrators Group to the ACL of the Sametime Configuration database (stconfig.nsf), repeat steps 4 through 14 to add the Administrators Group to the ACL of each of the Sametime databases listed below:
    - Domino Address Book or Domino Directory (names.nsf)
    - Sametime Online Meeting Center (stconf.nsf)
    - Sametime Log (stlog.nsf)
    - Sametime Self Registration (streg.nsf)
    - Domino Web Administration (webadmin.nsf)

If you are adding an Administrators Group document, for each of the databases above, be sure to select the Manager access level and all ACL privileges and roles as described in steps 9 through 12. If you are adding individual user names, you can specify different roles for each user.

Next step

After adding the Administrators Group document (or individual user names) to the database ACLs, you must modify the Server document of the Sametime server.

Modifying the Server document of the Sametime server


About this task
This procedure is the fourth of five required when adding a new Sametime administrator. In this procedure, you add the Administrators Group document (or the name of an individual user) to two fields on the Server document. The two fields are the "Administrators" field and "Run unrestricted methods and operations" field in the Security section of the Server document.

To add users to the fields on the Server document of the Sametime server:
1. From the Sametime Administration Tool:
   - If you are using the Domino Directory with the Sametime server, choose Domino Directory - Domino.
   - If you are using an LDAP Directory with the Sametime server, choose LDAP Directory.
2. Choose "Add Sametime Administrators - Edit the Server document."
3. Click Security.
4. In the "Administrators" field of the Administrators section, type the name of the Administrators Group (or enter the name of an individual user). Note: Type a group name exactly as it appears in the Group document. If you are entering an individual user name in this field, type the user name exactly as it is entered in the topmost entry of the "User name" field on the Person document. Separate multiple entries in the "Administer the server from a browser" field with commas.
5. In the "Run unrestricted methods and operations" field of the Programmability Restrictions section, type the Administrators Group name (or an individual user's name). Separate multiple entries in this field with commas.
6. Click "Save & Close."

Next step

The fifth procedure explains how to edit the Administrators Group document (add or remove a user's name from the Group document) to allow or revoke access to the Sametime Administration Tool.

Adding and removing names from an Administrators Group document


About this task
This procedure is the last of five required when adding a new Sametime administrator. If you created an Administrators Group document to provide others with access to the Sametime Administration Tool, you can control access to the Sametime Administration Tool by editing the Group document. Adding a user's name to the Administrators Group document provides the user with access to the Sametime Administration Tool. Removing a user's name from the Group document revokes the user's access to the Sametime Administration Tool.

To add or remove a user's name from the Administrators Group document:
1. From the Sametime server home page, click "Administer the Server."
2. From the Sametime Administration Tool:
   - If you are using the Domino Directory with the Sametime server, choose Domino Directory - Domino.
   - If you are using an LDAP Directory with the Sametime server, choose LDAP Directory.
3. Choose "Add Sametime Administrators - Create a group for the administrators."
4. Double-click a group name.
5. Select Edit Group.
6. In the Members field, add or remove a user's name from the Group document. If you add a user's name, the user must have a Person document in the Domino Directory that contains a last name, user name, and Internet password. Make sure to enter the name exactly as it is entered in the top entry of the "User name" field of a user's Person document. The user must enter a last name or user name and the Internet password from the Person document to access the Sametime Administration Tool.
7. Click "Save & Close."

Roles in Sametime database ACLs


Roles provide a way to define the access an administrator has to the features and settings of the Sametime Administration Tool. For example, the Sametime Configuration database (stconfig.nsf) ACL contains three roles: ServerMonitor, ServerAdmin, and DatabaseAdmin. If you assign only the ServerMonitor role to an administrator, the administrator can monitor server memory, disk space, and other server statistics but cannot perform any other administrative functions. Assign all roles to an administrator if you want the administrator to have full access to all administrative functions.

Access Control List (ACL) roles are defined in the following Sametime databases:
- Sametime Configuration database (stconfig.nsf)
- Domino Directory or Address Book (names.nsf)
- Domino Web Administration (webadmin.nsf)

Roles in the Sametime Configuration database (stconfig.nsf)


The Sametime Configuration database (stconfig.nsf) stores the values for parameters that are available from the Sametime Administration Tool. The roles in this database affect the administrative tasks that an administrator can perform from the Sametime Administration Tool. The following table lists the commands and features available with the Sametime Administration Tool and the roles that an administrator must be assigned in the stconfig.nsf database to use the Sametime Administration Tool commands and features. If an administrator does not have the appropriate roles, the Sametime Administration Tool does not display the command.

Note: The SametimeAdmin role allows the administrator to perform all tasks in the Sametime Administration Tool.

Command group - Command or feature
    Role required

Message From Administrator - Sends message to all users logged into Community Services
    None

Monitoring - All monitoring features
    [ServerMonitor] or [SametimeAdmin]

Logging - All logging features
    [ServerMonitor] or [SametimeAdmin]

Directory - Add Users, People, Groups
    [SametimeAdmin] or [DatabaseAdmin]

Directory - Access Control Lists (ACL)
    [DatabaseAdmin] or [SametimeAdmin]

Configuration - Connectivity, Community Services, Meeting Services, Audio/Video Services
    [SametimeAdmin] or [ServerMonitor]. A user with the ServerMonitor role can view settings available from these commands but cannot change the settings.

Help - Online help for administrators
    No roles required

Note: The Domino server cannot resolve the user if given the internet address in the person entry that defines the internal ID of a Sametime user. The mail attribute is not supported in this field. The field may be left blank.

Roles in the Domino Directory (names.nsf)


The Domino Directory (or Address Book) contains the Person and Group documents that you create and edit when you use the Sametime Administration Tool. The roles in the Domino Directory determine who can create or edit a particular type of document in the Directory. The Domino Directory also contains the Server document that you access to provide another user with administrative privileges to the Sametime Administration Tool.

Note: If you use Sametime in a Domino environment, the Domino Directory roles function the same as they do on Domino servers.

The Domino Directory contains eight roles. The privileges for each role are listed in this table:

Role            Description
UserCreator     Allows an administrator to create Person documents in the Domino Directory
UserModifier    Allows an administrator to edit all Person documents in the Domino Directory
GroupCreator    Allows an administrator to create Group documents in the Domino Directory
GroupModifier   Allows an administrator to edit all Group documents in the Domino Directory
ServerCreator   Allows an administrator to create Server documents in the Domino Directory
ServerModifier  Allows an administrator to edit all Server documents in the Domino Directory
NetCreator      Not used by Sametime
NetModifier     Not used by Sametime

Roles in the Domino Web Administration database (webadmin.nsf)


The Domino Web Administration database is available on the Sametime server to enable administrators to monitor the HTTP server and access logging information about the Domino Application Services. The following table defines the roles in the Domino Web Administration database:

ServerAdmin
    A Sametime administrator requires this role to access the Server document when providing other users with access to the Sametime Administration Tool.

ServerMonitor
    A Sametime administrator requires this role to access the Monitoring - Miscellaneous functions of the Sametime Administration Tool. These monitoring functions enable the administrator to monitor HTTP commands and requests, server memory usage, and free disk space. The Sametime administrator also requires this role to access the Logging - Domino Log functions of the Sametime Administration Tool, which report information about the Domino Application Services.

DatabaseAdmin
    A Sametime administrator requires this role to change database ACLs from the Sametime Administration Tool.

FileRead
    This feature provides access to the Configuration - System Files (read-only) command of the Domino Web Administration Tool. This feature is usually not used with Sametime.

FileModify
    This feature provides access to the Configuration - System Files (read/write) command. This feature is usually not used with Sametime.

Skills the Sametime Administrator needs


There are a variety of knowledge areas and skills the Sametime Administrator needs. To help you prepare, or to prepare other administrators, this general overview of needed capabilities is provided.

1. Domino server knowledge and skills

   Domino is required for Sametime. The Administrator should know:
   - Notes/Domino basics (what they are, how they are used, etc.).
   - Installation and setup of Notes and Domino.
   - How to monitor the Domino server tasks (logs, alerts, etc.).
   - Basic Domino networking (setup/configuration).
   - Security (levels, including how ACLs work, server security, etc.).
   - Server tasks (what they are, how to change them, how they are used, access).
   - Administrator client (how to use it, accessing it from the web, etc.).
   - How to set up, configure, and manage users and groups in a Domino directory.

   http://www-142.ibm.com/software/sw-lotus/products/product4.nsf/wdocs/dominohomepage

2. Basic networking knowledge and skills

   Sametime relies on networking to "work", as does Domino. Use Ping, Telnet, Netstat and IPConfig to verify that tunneling is set up correctly on the network and in DNS.

   Use Ipconfig (at the DOS or command prompt) to:
   - gather pertinent information for troubleshooting general TCP/IP network problems
   - troubleshoot IP issues on DHCP clients.

   Use Netstat to determine:
   - if an application other than a Domino server task is bound to a specific port
   - if there is a network connectivity problem at the network interface or with the physical media of the network
   - if the local network segment might be overloaded.

   Use Traceroute to determine the physical layout of a network or internetwork.

   Use the Ping utility to:
   - test connectivity to a host
   - gather information for troubleshooting connectivity problems.

   Use the Telnet utility to connect to a Domino server and check the status of an application on a well-known port.

   Use the NotesConnect utility to determine:
   - services running on a machine
   - network configuration problems
   - if the target host name can be resolved to its IP address

   The link below is provided as a reference.

   http://compnetworking.about.com/od/basicnetworkingconcepts/

4. Sametime TCSPI knowledge and skills

   This skill list is ONLY for Service Providers. There is a separate TCSPI Enterprise beta.
   - Install, set up, and configure the TCSPI on the server.
   - Install, set up, and configure a working Eclipse development environment using the TCSPI.
   - Modify and use programs supplied as part of the TCSPI to fit programming specifications.
   - Given a list of requirements, suggest changes or uses for various components within the TCSPI that could be used to meet requirements.
   - Debug using Eclipse, setting breakpoints as necessary.
   - Define the boundaries of the TCSPI (what it can/cannot do).
   - Provide and demonstrate an example of using the TCSPI and the Mock Service Provider.

   The link below is provided as a reference.

   http://www-128.ibm.com/developerworks/lotus/library/st-telephony/


Chapter 16. Special Considerations for Running Sametime on AIX, Linux, and Solaris
IBM Lotus Sametime can be installed on IBM AIX, Linux, and Sun Solaris platforms. These topics are covered in this section:
- Setting up AIX or Solaris to run a Sametime server
- Considerations for AIX, Linux, and Solaris on page 181
- Running a Sametime server as a background process in AIX

Setting up AIX or Solaris to run a Sametime server


About this task
Use the following steps to set up AIX, Solaris, or Linux to run a Sametime server:
1. Log in as the Notes user.
2. Change to the Domino Data directory (default /local/notesdata).
3. Issue the command "./ststart". This will start Domino with the proper environment settings for Sametime, and create a Domino console.
4. Open the ststart script located in the data directory, and copy exported variables from ststart to your script or profile.
5. To stop Sametime, enter "quit" on the Domino Console.

Running a Sametime server as a background process in AIX


If you use IBM Lotus Sametime on an IBM AIX server, you can run Sametime as a background process.

Before you begin


The operating system's IBM Lotus Domino user actually runs the background process, and must have permission to run the script and write files to the Domino Data Directory.

About this task


To run the Sametime server as a background process, complete the following steps:
1. Open the ststart script located in the data directory, and copy the two sections below into the .profile of the Domino user that will run Sametime as a background process:

       # Define variables
       BINDIR=/opt/lotus/notes/latest/ibmpow/
       LOTUSDIR=/opt/lotus/bin

       # Export paths for notes user
       LIBPATH=${LIBPATH}:$BINDIR
       export LIBPATH
       PATH=${PATH}:$BINDIR
       export PATH

   Note: The PATH environment variable cannot contain the /lotus/bin directory, which defaults to /opt/lotus/bin.
2. Set up the Virtual Frame Buffer, and verify that it is running.
3. Set the DISPLAY environment variable to the host name:

       DISPLAY=machine:1
       export DISPLAY

4. From the command prompt, run the following command, which enables you to manage the server only through the IBM Lotus Notes Administration Client:

       nohup /opt/lotus/bin/server < /dev/null > /dev/null 2>&1 &

5. If you want to use text files for stdin and stdout, use the following:
   a. Create the following script on the server:

          #!/usr/bin/sh
          # Program and data directories; change these if the installation defaults were not used
          DOMINO_PROGRAM_DIR=/opt/lotus
          DOMINO_DATA_DIR=/local/notesdata
          export DOMINO_PROGRAM_DIR
          export DOMINO_DATA_DIR
          # Work in the data directory; stop if it cannot be entered
          cd "$DOMINO_DATA_DIR" || exit 1
          # Start with an empty console input file and keep the previous console output
          if [ -f st.in ] ; then
              rm st.in
          fi
          if [ -f st.out ] ; then
              mv st.out st.out.bak
          fi
          touch st.in
          # Run the server in the background with its console attached to the two files
          "$DOMINO_PROGRAM_DIR/bin/server" <st.in >st.out 2>&1 &
          cd -

      Note: If /usr/bin/sh does not exist, change the path for sh at the top of the script. If the default installation settings are not used, modify the DOMINO_DATA_DIR and DOMINO_PROGRAM_DIR environment variables at the top of the script.
   b. Save the script on the AIX server.
   c. Use the cd command to navigate to the folder where the script was saved.
   d. Launch the script by typing:

          ./script_name

      where script_name is the file name of the script.

Results

Once the server is running, you can interact with the server console by using the Administrator Client Server console. Alternatively, you can view the console in a telnet session by issuing the following commands:

    > cd DOMINO_DATA_DIR
    > tail -f st.out

To enter commands at the server console, do the following:

    > cd DOMINO_DATA_DIR
    > echo {command} >>st.in

where DOMINO_DATA_DIR is the value for the Domino Data directory (for example, /local/notesdata) and {command} is a Domino Server console command such as "Show Tasks"; for example:

    > echo show tasks >>st.in

Considerations for AIX, Linux, and Solaris


If you install IBM Lotus Sametime on an IBM AIX, Linux, or Sun Solaris server, you should be aware of some special behaviors.
- You must not have /opt/ibm/lotus/bin in your PATH, otherwise Sametime will not function correctly.
- If you start Sametime from a telnet session, exiting the telnet session also terminates the Domino Console and Sametime.
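The following POSIX sh helpers are an added example, not part of the Sametime product or its ststart script. They cover two points from this chapter: checking that the environment used to start Sametime carries no Lotus bin directory on PATH, and driving the server console through the st.in and st.out files created by the background-process script in step 5a. The function names, the ST_CONSOLE_WAIT variable and the constructed demonstration values are this example's own; it assumes the server was started with its console redirected to those two files in the Domino data directory.

```shell
#!/bin/sh
# Added example for this guide, not part of Sametime or its ststart script.
# (a) PATH checks for the rule that /opt/lotus/bin (or /opt/ibm/lotus/bin) must not
#     be on PATH when Sametime runs.
# (b) Helpers for the st.in / st.out console files created by the step-5a script:
#     the server reads commands from st.in and writes its console output to st.out.
# Function names and ST_CONSOLE_WAIT are this example's own conventions.

# st_path_is_clean PATHVALUE
# Returns 0 when PATHVALUE contains neither Lotus bin directory, 1 otherwise.
st_path_is_clean() {
    case ":$1:" in
        *:/opt/lotus/bin:*|*:/opt/ibm/lotus/bin:*) return 1 ;;
        *) return 0 ;;
    esac
}

# st_strip_lotus_bin PATHVALUE
# Prints PATHVALUE with the Lotus bin directories (and empty entries) removed,
# keeping the order of the remaining entries; use it to build a clean PATH for
# the Domino user's .profile.
st_strip_lotus_bin() {
    _out=""
    _saved_ifs=$IFS
    IFS=:
    for _entry in $1; do
        case "$_entry" in
            /opt/lotus/bin|/opt/ibm/lotus/bin|"") ;;
            *) _out="${_out:+$_out:}$_entry" ;;
        esac
    done
    IFS=$_saved_ifs
    printf '%s\n' "$_out"
}

# st_console_send DATADIR COMMAND...
# Appends one console command to DATADIR/st.in. Returns 1 when st.in is missing or
# not writable, which usually means the server was not started by the step-5a
# script or the caller is not the Domino user that owns the data directory.
st_console_send() {
    _data_dir=$1
    shift
    [ -w "$_data_dir/st.in" ] || return 1
    printf '%s\n' "$*" >> "$_data_dir/st.in"
}

# st_console_run DATADIR COMMAND...
# Sends a command and prints only the lines the server appended to st.out after it
# was sent. ST_CONSOLE_WAIT (seconds, default 2) gives the server time to answer.
st_console_run() {
    _data_dir=$1
    shift
    [ -r "$_data_dir/st.out" ] || return 1
    _before=$(wc -l < "$_data_dir/st.out" | tr -d ' ')
    st_console_send "$_data_dir" "$@" || return 1
    sleep "${ST_CONSOLE_WAIT:-2}"
    tail -n +"$((_before + 1))" "$_data_dir/st.out"
}

# Stand-alone demonstration with constructed values; no Domino server is needed.
# Run with ST_DEMO=1 to see it.
if [ "${ST_DEMO:-0}" = "1" ]; then
    demo_path="/usr/bin:/opt/lotus/bin:/bin"
    if st_path_is_clean "$demo_path"; then
        echo "PATH is clean: $demo_path"
    else
        echo "Lotus bin directory on PATH; use instead: $(st_strip_lotus_bin "$demo_path")"
    fi
    demo_dir=$(mktemp -d)
    touch "$demo_dir/st.in" "$demo_dir/st.out"
    st_console_send "$demo_dir" show tasks
    echo "queued for the server console: $(cat "$demo_dir/st.in")"
    rm -rf "$demo_dir"
fi
```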


Chapter 17. Managing Sametime users


Managing users in IBM Lotus Sametime requires a user directory. Sametime supports two types of user directory:
- Domino Directory: If your organization already uses Domino and has a Domino Directory in place, you can take advantage of it by using the same directory to manage your Sametime users.
- LDAP directory: If your organization already uses a supported third-party LDAP directory to manage users, you can configure Sametime to work with it for user management.

Setting up the Domino Directory


IBM Lotus Sametime takes advantage of several features provided by the IBM Lotus Domino Directory that is hosted on the same server. Every Domino server has one or more Domino Directory files, which contain user and server information. When Sametime is hosted on the Domino server, Sametime uses these directories for server and user information. Even if you use an LDAP server as your user directory, a Domino Directory must exist on the Sametime server to store Domino server configuration information. The Sametime administrator must have a "Person Document" stored in the Domino Directory for authentication when accessing the Sametime Administration Tool. For information about using Sametime in an LDAP environment, see Setting up an LDAP directory on page 189.

You can take advantage of the following Domino Directory features for managing Sametime servers and users:
- Benefits of using a Domino directory
- The primary Domino directory on page 184
- Directory views used by Sametime on page 184
- Using multiple Domino directories on page 184
- Using Directory Assistance on page 184
- Sharing directory information with Extended Server Directory Catalogs on page 185

Benefits of using a Domino directory


Using a Domino Directory as your user directory has some advantages:
- Domino user directories are hosted on the same server as Sametime, making them easily accessible.
- Using a Domino directory as your user directory lets you take advantage of existing user information that is already maintained in Domino. Changes to user information only need to be made in one place but are reflected in both products.

Copyright IBM Corp. 2007, 2009


The primary Domino directory


Every Domino server has a primary Directory in which the server itself is registered. Sametime uses the primary Directory of the Domino server on which it is hosted to support authentication. If you have multiple Sametime servers integrated into a single community, you can distribute the users across servers by assigning "home" servers in each Sametime server's primary Domino Directory. The home server stores a user's Community Services preferences and other data; the user always logs in to this server to access Community Services presence and chat functionality. For more information, see Connecting to the Home Sametime server.

Directory views used by Sametime


Online presence for individual users and users listed in groups requires the use of specific views in the Domino Directory. Each Directory in the Sametime community must contain the views listed in the table that follows; if a particular view does not already exist, you will need to create it. For information on creating views in a Domino database such as the Domino Directory, see the Domino Administration information center.
Sametime feature: Expand a group to list all of its unique members
Views used: $People, $VIMGroups, $MailGroups

Sametime feature: Determine which groups a user is a member of
Views used: $People, $ServerAccess

Sametime feature: Determine which servers are Sametime servers
Views used: $Servers

Sametime feature: Authenticate a user
Views used: $Users

Sametime feature: Browse the Domino Directory for users and groups
Views used: $PeopleGroupsFlat

Using multiple Domino directories


If the Sametime server is installed into a Domino environment that uses multiple Directories, you should replicate the primary Directory to the Sametime server.

Note: The presence of multiple Domino directories generally indicates a large or geographically distributed user population. It might be necessary to install multiple Sametime servers to adequately support a large or distributed user population. For more information, see Advantages of using multiple Sametime servers.

To access additional Domino Directories of interest in the environment, use either the Directory Assistance or the Extended Directory Catalog feature, as described below.

Using Directory Assistance


To access other Directories of interest in the Domino environment, the administrator can set up Directory Assistance on the Sametime server. The Sametime server can use Directory Assistance to obtain all needed Directory information in environments that include multiple Domino Directories. Ideally, the Directory Assistance database should point to a Directory server that is dedicated to providing Directory services. However, a Directory server is not required in a Sametime community that includes multiple Sametime servers.


Lotus Sametime Entry: Installation and Administration Guide

For information about setting up Directory Assistance, see the Domino server administration documentation that is provided with the Domino server. You can also access the Domino server administration documentation at http://www.lotus.com/ldd/doc.

Sharing directory information with Extended Server Directory Catalogs


You can use an Extended Server Directory Catalog to share Directory information when the Sametime server operates in an environment that includes multiple Directories. Follow the procedures in the Lotus Domino Administration Help to set up an Extended Server Directory Catalog for the Sametime server. This documentation is available at http://www.lotus.com/ldd/doc and is also provided with the Domino server.

When setting up the Extended Server Directory Catalog to use with Sametime, note the following:
- If you only want to use the Directory documents that Sametime requires, you can use a selection formula to specify the documents. The Advanced tab of the Configuration document provides a "Selection formula (do not include form)" field that enables you to specify a selection formula that ensures only the Directory documents required by Sametime are used when the Dircat task creates the Directory Catalog. To select only those documents required by Sametime, use the following formula (Notes formula language uses & for AND and | for OR):

  (Type = "Person") | (Type = "Group") | (Type = "Server" & Sametime = "1")

  Note: The (Type = "Server" & Sametime = "1") criterion selects Server documents that have the "Is this a Sametime server?" field set to Yes.
- You must include the following fields in the "Additional fields to include" list on the Configuration document:

  ServerName: "Server name" field in the Basics section of the Server document.
  ServerTitle: "Server title" field in the Basics section of the Server document.
  Domain: "Domain name" field in the Basics section of the Server document.
  ServerBuildNumber: "Server build" number field in the Basics section of the Server document.
  Administrator: "Administrator" field in the Basics section of the Server document.
  ServerPlatformDisplay: "Operating system" field in the Basics section of the Server document.
  Sametime: "Is this a Sametime server?" field in the Basics section of the Server document.
  Port_0 - Port_7: Port fields in the Ports - Notes Network Ports section of the Server document. The Port_0 field is required. For completeness, it is recommended that you list all eight port fields (Port_0 through Port_7).
  Protocol_0 - Protocol_7: Protocol fields in the Ports - Notes Network Ports section of the Server document. For completeness, it is recommended that you list all eight protocol fields (Protocol_0 through Protocol_7).
  NetName_0 - NetName_7: Notes Network fields in the Ports - Notes Network Ports section of the Server document. For completeness, it is recommended that you list all eight Notes Network fields (NetName_0 through NetName_7).
  NetAddr_0 - NetAddr_7: Net Address fields in the Ports - Notes Network Ports section of the Server document. The NetAddr_0 field is required. For completeness, it is recommended that you list all eight Net Address fields.
  Enabled_0 - Enabled_7: Enabled fields in the Ports - Notes Network Ports section of the Server document. The Enabled_0 field is required. For completeness, it is recommended that you list all eight Enabled fields.
  Sametime Server: "Sametime server" field in the Administration section of the Person document.

Chapter 17. Managing Sametime users

Register users in the Domino Directory


Every IBM Lotus Sametime user must have a Person record stored in the IBM Lotus Domino Directory to enable authentication with Sametime.

Before you begin


Every Domino server has a "primary" Directory in which the host server is registered. When you install Sametime on a Domino server, Sametime uses Person documents in that primary Directory for user authentication. After installing the Sametime server, register users by creating a "Person Document" for every Sametime user, unless you have configured the Sametime server to operate with an LDAP directory. When the authentication process uses an LDAP directory, Domino Person documents are not needed. For more information, see Using LDAP with the Sametime server.

About this task


Follow the steps below to manually create Person documents for Sametime users.
1. Open the primary Domino Directory for the current Sametime server, using one of these methods:
   - From the Sametime server home page, click the "Administer the Server" link to open the Sametime Administration Tool.
   - Launch the IBM Lotus Notes client, and open the Domino Directory database.
2. Click People.
3. Click Add Person.
4. Fill in at least the following fields:

User name
This field appears on the Basics tab. Type the user's first name, middle name, and last name in the appropriate fields; user names are case-sensitive. Only the last name is required, but an entry in this field is necessary for the user to authenticate with the Sametime server. You can also enter multiple names here, for example if a user has a nickname or has changed his or her name and you want to reference both the old name and the new name. If you enter multiple names, ensure that each name appears on a separate line by pressing Enter after typing each name.

Internet password
This field appears on the Basics tab. Internet passwords are case-sensitive. An entry in this field is required for the user to authenticate with the Sametime server; the user is prompted for this password when logging in to Sametime Connect or accessing any database on the Sametime server that requires basic password authentication.
Note: After it is saved the first time, the Internet password is stored on the Person document as a one-way hash and cannot be viewed again. If you need to hand an initial password to the user, record it securely at the time you assign it, and have the user change it after first login.

Sametime server
This field appears on the Advanced tab. This field is required if you use multiple Sametime servers and integrate them into a single community. This "home" Sametime server stores a user's Community Services preferences and other data; the user always logs in to this server to access Community Services presence and chat functionality. For more information, see Connecting to the Home Sametime server.

5. Click Save & Close.

Results
When you add users manually, a short refresh interval must pass before the new Person document is visible in the Domino Directory views. Also, a recently added user does not appear in a Sametime presence list until the Community Services receive an updated list of users from the Domino Directory.

What to do next
For more information on creating Person Documents in the Domino Directory, see the Domino Server Administration information center.

Note: If you change user names or group names in the Domino directory, you must run the Name Conversion Utility to ensure these same name changes are made in the buddy lists and privacy lists that display in the Sametime Connect client. The buddy list and privacy list names are stored in a Domino database (vpuserinfo.nsf) that is managed separately from the Domino Directory.

Create groups in the Domino Directory


Create Group Documents in the IBM Lotus Domino Directory to manage groups of IBM Lotus Sametime users.

About this task


A Group document contains a list of multiple users who are somehow related, perhaps because they perform the same job or report to the same manager. Each Group document appears as a single entry in the Domino Directory. Using Group documents simplifies administrative tasks that affect multiple users by allowing you to work with the group instead of individual users. In addition, Sametime Connect users can add these groups to their buddy lists rather than recreating them manually.

Note: Generally, Sametime Connect cannot use a Group document that contains more than 400 members. To ensure that Sametime Connect users can use a large group in their buddy lists, create a Group document that contains other Group documents instead of individual members; each of those groups should contain a subset of users.

1. Open the Domino Directory.
2. Click Groups.
3. Click Add Group.
4. Enter a name for the group in the "Group name" field (for example, Administrators or Meeting Creators).
5. Select a group type (Multipurpose, Access Control List, Deny List, Mail Only, or Servers Only). Select Multipurpose if you are creating a Public Group that users will add to the Sametime Connect client presence list, or a group that will serve more than one purpose.
   Note: You can also select the Mail Only group type when creating Public Groups that users will add to the Sametime Connect client presence list.
   Select Access Control List if the purpose of the group is to allow or deny access to databases on the Sametime server. Do not select the Access Control List, Deny List, or Servers Only group types when creating Public Groups for Sametime Connect users: the Sametime Connect client does not display the contents of groups of those types. Deny List groups are usually used only when you have integrated Sametime into a Domino environment.
6. Optional: Enter a description of the group in the Description field.
7. List the members of the group in the Members field. Enter each name exactly as it appears in the top line of the "User name" field of the user's Person document. For example, assume a person's name is listed in the "User name" field of the Person document as:
   Tom Smith/West/Acme
   Tom Smith
   When adding the person's name to the Members field of the Group document, enter the name as Tom Smith/West/Acme, because this name appears in the top line of the "User name" field of the Person document. If the name entered in the Members field of the Group document is not identical to the name in the top line of the "User name" field of the Person document, the user will always appear to be offline when the Group document is opened in a Sametime client presence list. For example, the user will always appear offline in the group if you enter Tom Smith instead of Tom Smith/West/Acme.
   Note: Each user that you add to a Group document must have a Person document that contains information in the "Last name," "User name," and "Internet password" fields in the Domino Directory on the Sametime server.
8. Select the Administration link at the top of the Group document.
9. Enter the names of the group owners in the Owners field. Generally, the group owner is the administrator creating the group.
10. Click "Save and Close."

What to do next
Note: If you change group names in the Domino directory, you must run the Name Conversion Utility to ensure these same name changes are made in the buddy lists and privacy lists that display in the Sametime Connect client. The buddy list and privacy list names are stored in a Domino database (vpuserinfo.nsf) that is managed separately from the Domino Directory.

Using Group Documents to control access to Sametime meetings


About this task
One way you can use Group documents is to define the list of users who are authorized to create Sametime meetings. If you create this group, you will also need to create one that lists the people who are authorized to attend meetings but not create them. Create these groups by completing the following steps:
1. In the Domino Directory, create a Group document called "Meeting Creators" that lists all users who are authorized to create meetings in the Sametime Meeting Center.
2. Create another Group document called "Attendees" that lists all users that you want to attend meetings, but not be able to create them.
3. In the Sametime Meeting Center database, disable anonymous access by editing the Access Control List (ACL) and setting the Anonymous and -Default- entries to No Access.
4. Add the Meeting Creators group to the ACL with the Author access level and the "Write public documents" option selected. Users listed in the Meeting Creators group can now create and attend meetings in the Meeting Center.
5. Add the Attendees group to the ACL with the Reader access level. Users listed in the Attendees group can attend ("read") meetings but cannot create them.

Results
Now you can add or remove user names from the Group documents to assign or revoke meeting creator and attendee privileges in the Sametime Meeting Center.

Setting up an LDAP directory


IBM Lotus Sametime allows you to use a third-party LDAP directory as your user repository.



Using LDAP directories with the Sametime server allows you to integrate Sametime into an environment in which other LDAP-compliant servers and directories are already deployed. Sametime can be used with LDAPv2 and LDAPv3. Sametime users and groups can be maintained in an existing LDAP directory on an LDAP server. When Sametime users and groups are maintained in an existing LDAP directory, it is not necessary to populate the Domino Directory on the Sametime server with every user and group in the organization.

To use Sametime in an LDAP environment, you must configure the Sametime server to connect to an LDAP server. When connected to an LDAP server, Sametime can search and authenticate against the LDAP directory on that server.

Note: Once users are registered with Lotus Sametime, a copy of their user name is stored on the Lotus Sametime server. If you modify the user's name in the LDAP directory, you will need to use the Name Change feature to update the Lotus Sametime user registry and ensure continued access to Lotus Sametime. When choosing an LDAP field for authentication with Lotus Sametime, you should choose a field that will change infrequently. In addition, you should use a field that requires a unique value for each user (such as an e-mail address), or else additionally specify a field that can be used to disambiguate among users with similar names.

This section includes the following topics related to using Sametime with an LDAP directory:
- Set up an LDAP connection
- Using SSL to encrypt connections between the Sametime and LDAP servers
- Replace the Domino Directory with an LDAP directory on page 211
- Use Java classes to customize LDAP directory searches on page 228
- Solve token authentication problems on page 225

Set up an LDAP connection


Configure a connection between your LDAP directory and the Sametime server.

Before you begin


During the installation and configuration of the Sametime server, you selected the type of user repository (either an IBM Lotus Domino Directory or an LDAP directory).

Windows, AIX, Linux and Solaris servers: After selecting "LDAP Directory" as your user repository, you should have filled in the following information:
- LDAP Server Name: The fully qualified DNS name or IP address of the LDAP server.
- Port Number for LDAP: The TCP/IP port number on which the LDAP server listens for LDAP connections. The default port number for LDAP connections is port 389.
If you did not select these options during the installation, either reinstall the Sametime server and select the appropriate LDAP options during the reinstallation, or perform the procedures described in Setting up an LDAP connection after selecting the Domino directory during the server installation before attempting to set up your LDAP connection.

i5/OS servers: You should have provided connection information for the LDAP server when you configured your Sametime server using the ADDLSTDOM command. If you originally configured your Sametime server to use a Domino directory but now want to use an LDAP directory, follow the instructions in Setting up an LDAP connection after selecting the Domino directory during the server installation before attempting to set up your LDAP connection.

About this task


Once you have specified an LDAP directory as the user repository for Sametime, complete the tasks below to set up a connection from Sametime to the LDAP server:
1. Disable case sensitivity for user and group names
2. Modify the Directory Assistance document on page 192
3. Configure the LDAP Directory settings on page 193

Disable case sensitivity for user and group names


Edit the sametime.ini file to process user and group names without checking case during authentication with an LDAP directory.

Before you begin


Though Sametime is shipped with LDAP name handling set to case sensitive, you can change this by editing the sametime.ini file. If you want to integrate Sametime with other IBM products such as QuickPlace, WebSphere Portal, Domino Web Access, Quickr, and Lotus Connections, or with Microsoft Office, you should disable case sensitivity of names to ensure there is no disruption to the name display in the instant messaging contact list. You should also disable case sensitivity when using a Domino LDAP or a third-party LDAP directory.

About this task


1. Make the following changes to the sametime.ini file:
   a. Under [Config], add AWARENESS_CASE_SENSITIVE=0
   b. Under [STLINKS], append -DAWARENESS_CASE_SENSITIVE=0 to STLINKS_VM_ARGS. For example:
      STLINKS_VM_ARGS=-Xmx128m -Xms128m -Xgcpolicy:optavgpause -DAWARENESS_CASE_SENSITIVE=0
2. In the stlinks.js file in the data directory, set the STlinksCaseSensitive variable to false. For example:
   var STlinksCaseSensitive=false;



Example
For example, assume a user signs in to a portal server with mixed case in the distinguished name, as in CN=Test 1User,CN=Users,DC=ibm,DC=com. The portal writes the stlinks applet with the name in all lower case, resulting in the following message in the Java console:
queueing: appletLoggedIn('cn=test 1user,cn=users,dc=ibm,dc=com','Test 1Manager') on: main71265
When the user goes to a portlet that uses the resolve task to generate awareness, awareness does not appear for that user, because the resolve in Sametime finds the user as CN=Test 1User,CN=Users,DC=ibm,DC=com. When this result is passed to the Buddy List task to determine awareness, the case-sensitive comparison with the names currently signed in to Sametime treats CN=Test 1User,CN=Users,DC=ibm,DC=com and cn=test 1user,cn=users,dc=ibm,dc=com as two different users, and the lookup fails.

According to the LDAP protocol RFCs, distinguished names should be compared case-insensitively: attribute types are defined to be case insensitive, and the matching rules for the usual naming attributes (cn, ou, o, dc) ignore case as well, so many server implementations expect conformity in case only on add/modify operations. Enabling case insensitivity in Sametime brings its comparison into line with this behaviour.
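The following is an added example, not code from this guide or from IBM. Its first part reproduces the mismatch just described, a naive string comparison of the portal's lower-cased DN against the mixed-case DN that resolve returns, beside an RFC 4517 style comparison that ignores case in attribute types and in case-ignore values. Its second part goes beyond this passage: it models the "Where to start searching for people" base and the Recursive / One level scope from the Basics settings described later in this chapter, using the guide's own John Smith entries as a constructed directory. The set of case-ignore attribute types, the handling of escaped commas only (no multi-valued RDNs), and the prefix-match name filter are my assumptions.

```python
"""Case-insensitive DN comparison and LDAP search-scope matching.

Added example; not IBM code. The DN grammar handled is deliberately small:
'\,' escapes are honoured, multi-valued RDNs are not split.
"""
import re

# Attribute types whose standard matching rule ignores case (RFC 4519 / 4524); an assumption
# for any directory with a custom schema.
CASE_IGNORE_ATTRS = {"cn", "ou", "o", "dc", "uid", "sn", "givenname", "mail", "l", "st", "c"}


def parse_dn(dn):
    """Split a DN string into (type, value) pairs, leftmost RDN first; "" is the root."""
    if not dn.strip():
        return []
    parsed = []
    for rdn in re.split(r"(?<!\\),", dn):
        attr, sep, value = rdn.partition("=")
        if not sep:
            raise ValueError("malformed RDN %r in %r" % (rdn, dn))
        parsed.append((attr.strip().lower(), value.strip()))
    return parsed


def normalized_rdns(dn):
    """RDNs as 'type=value' strings, lower-cased where the matching rule ignores case."""
    out = []
    for attr, value in parse_dn(dn):
        value = re.sub(r"\s+", " ", value)
        if attr in CASE_IGNORE_ATTRS:
            value = value.lower()
        out.append(attr + "=" + value)
    return out


def dn_equal(a, b):
    """DN equality the way the LDAP RFCs define it, rather than byte-for-byte."""
    return normalized_rdns(a) == normalized_rdns(b)


def in_scope(entry_dn, base_dn, scope):
    """Is entry_dn found by a search rooted at base_dn with the given scope?

    scope: "sub"  (the guide's Recursive: base object and its whole subtree)
           "one"  (the guide's One level: immediate children only)
           "base" (the base object itself)
    """
    entry, base = normalized_rdns(entry_dn), normalized_rdns(base_dn)
    if len(entry) < len(base) or entry[len(entry) - len(base):] != base:
        return False                       # not beneath the base at all
    depth = len(entry) - len(base)
    if scope == "sub":
        return True
    if scope == "one":
        return depth == 1
    if scope == "base":
        return depth == 0
    raise ValueError("unknown scope %r" % scope)


def search_people(entries, base_dn, scope, name):
    """DNs in scope whose cn begins with name, like a (cn=name*) filter; order preserved."""
    hits = []
    for dn in entries:
        rdns = parse_dn(dn)
        if not rdns or rdns[0][0] != "cn":
            continue
        if rdns[0][1].lower().startswith(name.lower()) and in_scope(dn, base_dn, scope):
            hits.append(dn)
    return hits


# Constructed directory made of the entries the guide uses in its scope examples.
DIRECTORY = [
    "cn=John Smith, ou=managers, ou=marketing, ou=west, o=acme",
    "cn=John Smith, ou=engineering, ou=west, o=acme",
    "cn=John Smith, ou=west, o=acme",
    "cn=John Smithson, ou=west, o=acme",
    "cn=John Smith, o=acme",
    "cn=John Smith, ou=engineering, ou=east, o=acme",
]

if __name__ == "__main__":
    resolved = "CN=Test 1User,CN=Users,DC=ibm,DC=com"     # what resolve returns
    logged_in = "cn=test 1user,cn=users,dc=ibm,dc=com"    # what the portal logged in with
    print("naive ==  :", resolved == logged_in)           # the failing comparison
    print("dn_equal  :", dn_equal(resolved, logged_in))   # the RFC comparison
    for scope in ("sub", "one"):
        print(scope, search_people(DIRECTORY, "ou=west, o=acme", scope, "John Smith"))
```

With base ou=west, o=acme the "sub" search returns the three John Smith entries the guide lists plus John Smithson (a prefix filter matches it too), and the "one" search returns only the two entries directly beneath the base; the entries under o=acme and ou=east are excluded in both cases, exactly as the Basics settings table describes.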

Modify the Directory Assistance document


The Directory Assistance document enables IBM Lotus Sametime to connect to the LDAP server while authenticating Web browser users.

About this task


You must ensure the "Base DN for search" setting in this Directory Assistance document is set appropriately for the LDAP directory used in your environment. To alter the "Base DN for search" setting in the Directory Assistance document:
1. From a Lotus Notes client, open the Directory Assistance database on the Sametime server:
   - Click File > Database > Open.
   - Select the Local server.
   - Select the Directory Assistance database (da.nsf).
   - Click Open.
2. Double-click the name of the Directory Assistance document that represents the LDAP server.
3. Click the LDAP tab.
4. In the Base DN for Search field, make one of the following entries, depending on the type of LDAP directory used in your environment:
   - Domino directory: An example value is O=DomainName, where DomainName is the Lotus Notes domain (for example, O=Acme).
   - Microsoft Exchange 5.5 directory: An example value is CN=recipients,OU=ServerName,O=NTDomainName, where ServerName is the Windows server name and NTDomainName is the Windows NT domain (for example, CN=recipients,OU=Acmeserver1,O=NTAcmedomain). This example assumes that the directory is using the default directory schema. If you have changed the schema of the Microsoft Exchange 5.5 directory, the entry in the "Base DN for Search" field must reflect the new schema.
   - Microsoft Active Directory: An example value is CN=users,DC=DomainName,DC=com.
   - Netscape LDAP directory: Use the format O= followed by the organizational unit that was specified during the Netscape server setup. If you are uncertain about this entry, use the administrative features of the Netscape server to determine the appropriate entry.
   - IBM SecureWay directory: An example value is DC=DomainName,DC=com.
5. Click Save & Close.

Configure the LDAP Directory settings


Specify the LDAP Directory settings that enable the Sametime server to search the LDAP directory on the LDAP server and authenticate Sametime users against entries in the LDAP directory.

Before you begin


Configuring the LDAP Directory settings requires previous experience with LDAP; in particular, you will need to know the following:
- The structure (directory tree) of the LDAP directory the Sametime server will access
- The schema of Person and Group entries in the LDAP directory
- How to construct LDAP search filters to access the attributes of Person and Group entries in the LDAP directory

About this task


You must configure the LDAP Directory settings on the LDAP document in the Configuration database to ensure that the Sametime server can search and authenticate against entries in the LDAP directory. Use the Sametime Administration Tool to enter the LDAP Directory settings; the tool then writes the values to the LDAP document in the Sametime Configuration database (stconf.nsf).

Note: Once users are registered with Lotus Sametime, a copy of their user name is stored on the Lotus Sametime server. If you modify the user's name in the LDAP directory, you will need to use the Name Change feature to update the Lotus Sametime user registry and ensure continued access to Lotus Sametime. When choosing an LDAP field for authentication with Lotus Sametime, you should choose a field that will change infrequently. In addition, you should use a field that requires a unique value for each user (such as an e-mail address), or else additionally specify a field that can be used to disambiguate among users with similar names.

To configure the LDAP settings using the Sametime Administration Tool:
1. On the Sametime server home page, click Administer the server.
2. Click LDAP Directory.
3. Enter the settings that enable the Sametime server to search and authenticate against your LDAP directory. For descriptions of the settings, see LDAP directory settings.
4. Click Save & Close.
5. Restart the Sametime server to enable your settings.

LDAP directory settings:



Specify settings that determine how IBM Lotus Sametime interoperates with your LDAP directory. The Sametime Administration Tool includes the LDAP Directory settings that enable the Sametime server to operate as a client to an LDAP server. These settings enable the Sametime server to search the LDAP directory on the LDAP server and authenticate Sametime users against entries in the LDAP directory.

Note: After changing any LDAP settings, restart the Sametime server.

Connectivity settings

The Connectivity settings enable the administrator to provide the IP address and ports the Sametime server uses when connecting to the LDAP server, and to specify whether the Sametime server binds to the LDAP server as an anonymous or authenticated user. These settings also enable the Sametime server to connect to multiple LDAP servers, and to use SSL when connecting to the LDAP server.
Table 9. Connectivity settings for the LDAP directory

Field: Host name or IP address of the LDAP server
Description: Select the IP address (or fully qualified DNS name) of the LDAP server for which you want to change settings.

Field: Position of this server in the search order
Description: If you have configured the Sametime server to connect to multiple LDAP servers, use this setting to specify the order in which Sametime connects to the LDAP servers, by clicking a number to indicate the priority of the currently selected LDAP server.

Field: Port
Description: Specify the port over which the Sametime server connects to the specified LDAP server; use the port number on which the LDAP server listens for TCP/IP connections.
Comments: The default port for LDAP access, and the recommended setting, is TCP/IP port 389. Be aware that on a plain port 389 connection the bind credentials and every search result cross the network unencrypted; see the SSL setting below.

Field: Administrator distinguished name, Administrator password
Description: If you want the Sametime server to bind to the LDAP server as an anonymous user, leave these fields empty. If you want the Sametime server to bind to the LDAP server as an authenticated user, specify the distinguished name of an LDAP directory entry that the Sametime server uses when binding to the LDAP directory, and then enter the password associated with that entry.
Comments: When designating an authenticated user, IBM Lotus software recommends that you create a unique directory entry that is used only for the purpose of authenticating connections from the Sametime server to the LDAP server. After creating the directory entry, you must ensure that it has at least read access to the attributes of the LDAP directory entries that Sametime searches; Sametime only reads the directory, so do not grant this entry write access. For more information on binding the Sametime server to the LDAP server, see Ways to bind the Sametime server to the LDAP server on page 209.

Field: Use SSL to authenticate and encrypt the connection between the Sametime server and the LDAP server
Description: For tighter security, use SSL to encrypt the connections between the Sametime and LDAP servers.
Comments: If you choose to enable SSL, you have several additional options, each of which requires additional tasks. For more information, see Using SSL to encrypt connections between the Sametime and LDAP servers.

Field: Adding another LDAP server, Port
Description: Sametime can connect to multiple LDAP servers and can access one LDAP directory on each LDAP server to which it connects. To add an LDAP server, enter its host name or IP address in this field, and the port on which you want to connect to the new LDAP server.
Comments: If you add an LDAP server, you must additionally specify the following:
- a position for the server in the search order, in the Position of this server in the search order field
- the LDAP directory settings described in this topic
- a Directory Assistance document that enables the Sametime server to access the LDAP server
If you no longer want the Sametime server to access an LDAP server, you can remove the LDAP server from the list of available servers in the Host name or IP address of the LDAP server field.

Basics settings

The Basics settings enable the administrator to specify the basic LDAP parameters required to conduct searches for people, and for groups, in an LDAP directory. Some of these parameters are also necessary for displaying the names of users in Sametime user interfaces. The Basics settings include parameters that specify the level of a directory from which a search begins, the scope of a search, and the attributes of LDAP directory entries that define person and group names.
Table 10. Basics settings for the LDAP directory Field Person settings: Description Comments

Chapter 17. Managing Sametime users

195

Table 10. Basics settings for the LDAP directory (continued) Field Where to start searching for people Description Specify the base object of the directory (or level of the directory) from which to start a search for person entries in the LDAP directory. Comments

The default setting of "" begins the search from the root of the directory. Before accepting this default setting, be aware that some LDAP directory servers allow the "" value only for searching the LDAP directory root The default setting of "" begins DSE (Directory Server Entry, or entry the search from the root of the with directory server properties) and directory. only when the Scope for searching for a person (discussed in the next Also, searching from the root of row) is confined to One level below an LDAP directory generally this setting. results in a less efficient search than specifying a specific base object such as ou=west, o=acme. Suggested values for this setting are: v Microsoft Active Directory: cn=users, dc=domain, dc=com v Netscape Directory: o=organizational unit (the computer name) v Microsoft Exchange 5.5 Directory: cn=Recipients, ou=computername, o=domain v Domino Directory: o=organizational unit v SecureWay Directory: dc=domain, dc=com

196

Lotus Sametime Entry: Installation and Administration Guide

Table 10. Basics settings for the LDAP directory (continued)

Field: Scope for searching for a person

Description: Specify how many LDAP directory levels below the Where to start searching for people setting to search when resolving a search for a person entry. There are two available settings:
• Recursive (default value): Search the entire subtree of directory entries beneath the Where to start searching for people setting (or the base object of the search).
• One level: Search only the level immediately below the Where to start searching for people setting.

Comments:
Recursive: Assume the Where to start searching for people setting has the value "ou=west, o=acme" and the Scope for searching for a person setting has the value "recursive." Now assume the user searches on the name "John Smith." The search begins at the ou=west, o=acme directory level and searches the entire subtree of the directory beneath that level. Such a search might return the following names, depending on the organization of the directory:
• cn=John Smith, ou=managers, ou=marketing, ou=west, o=acme
• cn=John Smith, ou=engineering, ou=west, o=acme
• cn=John Smith, ou=west, o=acme
The search would fail to turn up the following directory entries because the Where to start searching for people setting in this example begins the search at the ou=west, o=acme level of the directory:
• cn=John Smith, o=acme
• cn=John Smith, ou=engineering, ou=east, o=acme
One level: Assume the Where to start searching for people setting has the value ou=west, o=acme and the Scope for searching for a person setting has the value "one level." Now assume the user searches on the name "John Smith." The search begins at the ou=west, o=acme level and searches only one directory level beneath that level. Such a search might return the following names, depending on the organization of the directory:
• cn=John Smith, ou=west, o=acme
• cn=John Smithson, ou=west, o=acme
The search would fail to find the following directory entries because the entries are either more than one level below the Where to start searching for people setting, or are not beneath that setting at all:
• cn=John Smith, ou=marketing, ou=west, o=acme
• cn=John Smith, ou=engineering, ou=east, o=acme
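The interaction between the search base and the Recursive/One level scope is easy to get wrong when the directory has several organizational units. The following Python is an added example, not code from the guide or from the Sametime product: it reproduces the John Smith lookups above against a constructed list of DNs so you can check, before touching the server configuration, which entries a given base and scope would actually reach. DN handling (splitting on commas, case-insensitive cn matching) is simplified for the example.

```python
"""Added example: base-object and scope semantics for a person search.

The directory below is a constructed sample that mirrors the John Smith
entries discussed in the guide; it is not a real LDAP directory.
"""

SAMPLE_DNS = [
    "cn=John Smith, ou=managers, ou=marketing, ou=west, o=acme",
    "cn=John Smith, ou=engineering, ou=west, o=acme",
    "cn=John Smith, ou=west, o=acme",
    "cn=John Smithson, ou=west, o=acme",
    "cn=John Smith, o=acme",
    "cn=John Smith, ou=engineering, ou=east, o=acme",
]


def rdns(dn):
    """Split a DN into its RDN components, most specific first.
    An empty string (the directory root) yields an empty list."""
    return [part.strip() for part in dn.split(",") if part.strip()]


def in_scope(entry_dn, base_dn, scope):
    """Return True if entry_dn can be reached from base_dn with the given scope.

    scope is "recursive" (whole subtree) or "one level" (direct children only).
    A base of "" means the directory root, so every entry lies beneath it.
    """
    entry = rdns(entry_dn)
    base = rdns(base_dn)
    if base and entry[-len(base):] != base:
        return False  # entry is not beneath the base object at all
    depth = len(entry) - len(base)
    if depth < 1:
        return False  # the base object itself is never a search result
    if scope == "recursive":
        return True
    if scope == "one level":
        return depth == 1
    raise ValueError("scope must be 'recursive' or 'one level'")


def search(dns, base_dn, scope, cn_prefix):
    """Return the DNs whose cn starts with cn_prefix and that lie in scope.
    Only the leading cn= component is inspected; matching is case-insensitive."""
    results = []
    for dn in dns:
        attr, _, value = rdns(dn)[0].partition("=")
        if (attr.lower() == "cn"
                and value.lower().startswith(cn_prefix.lower())
                and in_scope(dn, base_dn, scope)):
            results.append(dn)
    return results


if __name__ == "__main__":
    for scope in ("recursive", "one level"):
        print(scope, "from ou=west, o=acme:")
        for dn in search(SAMPLE_DNS, "ou=west, o=acme", scope, "John Smith"):
            print("   ", dn)
```

Running the block prints the four entries reachable recursively from ou=west, o=acme and the two reachable with One level; the entries under o=acme and ou=east are never returned from that base, which is the behaviour the Comments column describes.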
Chapter 17. Managing Sametime users


Table 10. Basics settings for the LDAP directory (continued)

Field: The attribute of the person entry that defines the person's name

Description: Specify the attribute of an LDAP directory person entry that is used to display a user's name in the Sametime end-user interfaces (as the result of a search or in a privacy or presence list). The value of this setting can be any attribute of the LDAP directory person entry, such as cn (common name), sn (surname), givenname, or mail (e-mail address). The suggested value for Microsoft Exchange 5.5 Directory, Microsoft Active Directory, Netscape Directory, Domino Directory servers, and SecureWay servers is cn.
Note: Once users are registered with Lotus Sametime, a copy of their user name is stored on the Lotus Sametime server. If you modify the user's name in the LDAP directory, you will need to use the Name Change feature to update the Lotus Sametime user registry and ensure continued access to Lotus Sametime. When choosing an LDAP field for authentication with Lotus Sametime, you should choose a field that will change infrequently. In addition, you should use a field that requires a unique value for each user (such as an e-mail address), or else additionally specify a field that can be used to disambiguate among users with similar names.

Comments: Consider an LDAP person entry containing the following attributes:
• cn: James Lock
• givenname: James
• sn: Lock
• mail: jlock@acme.com
In this example, if the The attribute of the person entry that defines the person's name setting is "cn," the search result displays the user's name as James Lock. If the setting is "mail", the user's name displays as jlock@acme.com.
Note: You can also write a Java class to control the format of user names returned from LDAP directory searches. This capability is useful if you want user names to display in a format that is not specified by an LDAP directory entry attribute. For more information, see Using Java classes to customize LDAP directory searches.


Table 10. Basics settings for the LDAP directory (continued)

Field: Attribute used to distinguish between two similar person names

Description: Specify the attribute of a person entry that is used to differentiate between two users that have the same common name (cn) attribute. This setting can specify any attribute of a person entry that can differentiate one person from another person with the same name. Suggested values for this setting are:
• Microsoft Exchange 5.5 Directory, Netscape Directory, Domino Directory, SecureWay Directory: mail
• Microsoft Active Directory: user principal name

Comments: An example value for this setting is the mail attribute, which contains the e-mail address of an LDAP directory person entry. To illustrate, assume that a search on the name John Smith returns two person entries with the common name (cn) John Smith. Since the two John Smiths will have different e-mail addresses, the mail attribute can be displayed to enable the user to determine which John Smith is the correct one.

Field: The object class used to determine if an entry is a person

Description: Specify the attribute of a directory entry that identifies the entry as a person. Enter the object class attribute used for people in the LDAP schema of the LDAP directory in your environment. The suggested value for Microsoft Exchange 5.5 Directory, Microsoft Active Directory, Netscape Directory, Domino Directory, and SecureWay Directory is organizationalPerson.

Comments: Sametime assumes that individual users are represented by entries with a unique object class. Sametime compares the name of the object class specified in this setting to the object class values of each entry to decide whether the entry is a person or a group.

Field: Attribute of a person entry that defines a person's e-mail address

Description: Specify the attribute of a person entry that contains the user's e-mail address. Suggested values for this setting are:
• Microsoft Exchange 5.5 Directory, Netscape Directory, Domino Directory, SecureWay Directory: mail
• Microsoft Active Directory: user principal name

Comments: This setting is required by components of the Sametime server that use the Session Initiation Protocol (SIP), such as the Sametime Gateway to connect to other instant messaging services. SIP entities are identified by their e-mail addresses.

Group settings:


Table 10. Basics settings for the LDAP directory (continued)

Field: Where to start searching for groups

Description: Specify the base object of the directory (or level of the directory) from which to start a search for group entries in the LDAP directory. Before accepting the default setting (""), be aware that some LDAP Directory servers allow the "" value only for searching the LDAP directory root DSE (Directory Server Entry, or entry with directory server properties) and only when the search scope is confined to One level below the Where to start searching for groups setting. Also, searching from the root of an LDAP directory generally results in a less efficient search than setting a specific base object (such as ou=west, o=acme) for the search. The extent of the search for group entries is further controlled by the Scope for searching for groups setting, described in the next row.

Comments: The default setting of "" begins the search from the root of the directory. Suggested values for this setting are:
• Microsoft Active Directory: cn=users, dc=domain, dc=com
• Netscape Directory: o=organizational unit (the computer name)
• Microsoft Exchange 5.5 Directory: cn=Recipients, ou=computername, o=domain
• Domino Directory: o=organizational unit
• SecureWay Directory: dc=domain, dc=com


Table 10. Basics settings for the LDAP directory (continued)

Field: Scope for searching for groups

Description: Specify how many levels below the Where to start searching for groups setting to search for a group entry in the LDAP directory. There are two available settings:
• Recursive (default value): Search the entire subtree of directory entries beneath the Where to start searching for groups setting.
• One level: Search only the level immediately below the Where to start searching for groups setting.
The Search filter for resolving group names setting (in the Search settings on page 204 section) provides the search filter that resolves the user's input (Marketing) to a specific group entry in the LDAP directory.

Comments:
Recursive: Assume the Where to start searching for groups setting has the value ou=west, o=acme, and the Scope for searching for groups setting has the value "recursive." Now assume the user searches on the name "Marketing." The search begins at the ou=west, o=acme level and searches the entire subtree of the directory beneath that level. Such a search might return the following group names, depending on the organization of the directory:
• cn=Marketing, ou=Los Angeles, ou=west, o=acme
• cn=Marketing, ou=San Diego, ou=west, o=acme
• cn=Marketing, ou=west, o=acme
The search would fail to turn up directory entries such as:
• cn=Marketing, o=acme
• cn=Marketing, ou=Pittsburgh, ou=east, o=acme
One level: Assume the "Where to start searching for groups" setting has the value ou=west, o=acme, and the "Scope for searching for groups" setting has the value "one level." Now assume the user searches on the name Marketing. The search begins at the ou=west, o=acme level and searches only one level beneath that level. Such a search might locate a group entry such as:
• cn=Marketing, ou=west, o=acme
The search would fail to turn up a directory entry such as:
• cn=Marketing, ou=Los Angeles, ou=west, o=acme


Table 10. Basics settings for the LDAP directory (continued)

Field: Attribute used to distinguish between two similar group names

Description: Specify the attribute of a group entry that is used to differentiate between two groups that have the same common name (cn) attribute. Suggested values for this setting are:
• Microsoft Exchange 5.5 Directory: info
• Netscape Directory, Domino Directory, Microsoft Active Directory, SecureWay Directory: description

Comments: An example of a value for this setting is the "info" attribute of an LDAP group entry. In many LDAP directories, the "info" attribute contains descriptive information about a group. For example, assume that a search on the name "Marketing" returns two group entries with the common name Marketing. The information contained in the info attribute (such as "West region" or "East region") of the group entry can be used to distinguish between the two groups.

Field: The group object class used to determine if an entry is a group

Description: Specify the attribute of a directory entry that identifies the entry as a group. Enter the objectclass attribute used for groups in the LDAP schema of the LDAP directory in your environment. Suggested values for the setting are:
• Microsoft Active Directory: group
• Netscape Directory: groupOfUniqueNames
• Microsoft Exchange 5.5 and Domino Directories: groupOfNames
• SecureWay Directory: groupOfUniqueNames

Comments: In some situations, Sametime must determine whether a directory entry returned by a search is a person or group entry. Sametime assumes that groups are represented by entries with a unique object class. Sametime compares the name of the object class specified in this setting to the object class values of each entry to decide whether the entry is a group or a person.

Authentication settings

The Authentication settings ensure that Sametime users can be authenticated against entries in an LDAP directory. The administrator must specify an LDAP search filter that can resolve a name provided by a user to a Distinguished Name (DN) in an LDAP directory.

The Authentication settings also enable the administrator to specify the field in the LDAP directory person entries that contains the name of each user's home Sametime server.

Note: The administrator must add a field to the person entries in the LDAP directory to hold the name of each user's home Sametime server, or use an existing field in the person entries for this purpose.


Table 11. Authentication settings for the LDAP directory

Field: Search filter to use when resolving a user name to a distinguished name

Description: Specify the filter to use when resolving the name (or text string) provided by a user to a distinguished name for authentication purposes. The specific search filter used for this setting must be based on the schema of the LDAP directory the Sametime server is accessing. The default value is:
(&(objectclass=organizationalPerson)(|(cn=%s)(givenname=%s)(sn=%s)(mail=%s*)))
This filter is the suggested value for Microsoft Exchange 5.5, Microsoft Active Directory, Netscape Directory, Domino Directory, and SecureWay Directory servers.
Note: In some cases, for Microsoft Active Directory it may be necessary to substitute (user principal name=%s*) for (mail=%s*).

Comments: To authenticate a user, Sametime must know the distinguished name of the user's person entry in the LDAP directory. Consider the following default search filter in which the value "%s" is substituted for the string provided by the user when logging in:
(&(objectclass=organizationalPerson)(|(cn=%s)(givenname=%s)(sn=%s)(mail=%s*)))
Note: You can find detailed information on the syntax and formatting of search filters at the following Web site: http://developer.netscape.com/docs/manuals/directory/41/ag/find.htm#1046960
This filter first performs a search for all entries of the type (or object class) organizationalPerson. The search filter then looks for an exact match with either the common name (cn), given name, or surname (sn) attribute of the person entry. If the search locates a person entry with an attribute value that matches the text string provided by the user, the Sametime server accesses the person entry with that distinguished name when authenticating the user.


Table 11. Authentication settings for the LDAP directory (continued)

Field: Home Sametime server

Description: Specify the name of the field within the LDAP person entries that contains the name of each user's home Sametime server.

Comments: The home Sametime server is the Sametime server on which the preferences and data of a Community Services user are saved. Users connect to the home Sametime server for presence and chat functionality. If you have installed multiple Sametime servers, each user's person entry in an LDAP directory must contain a field in which a user's home Sametime server can be specified. You can either:
• Add a new field to the LDAP directory to hold the name of each user's home Sametime server. This added field must appear in the person entry of every Sametime user in the LDAP directory.
• Use a field that already exists in the person entries of each Sametime user (such as the e-mail address) for this purpose.

Search settings

The Searching settings enable the administrator to specify the search filters required to resolve the names of people and groups to specific entries in an LDAP directory.

Note: There are two methods for searching groups; performance will vary based on the method you implement. For more information, see Ways to search groups on page 210.


Table 12. Searching settings for the LDAP directory

Field: Search filter for resolving person names

Description: Specify the filter to use when matching a name to person entries in the LDAP. The default value is:
(&(objectclass=organizationalPerson)(|(cn=%s*)(givenname=%s)(sn=%s)(mail=%s*)))
The Where to start searching for people and Scope for searching for a person settings in the Basics settings on page 195 section define the level of the directory tree from which the search begins and how much of the directory is searched.

Comments: To search for a user name, a Sametime end user enters a text string in the user interface of a Sametime client. This setting defines the LDAP search filter responsible for selecting a user name from the LDAP directory. The search filter matches the text string provided by the user to information contained within the attributes of LDAP directory person entries. Consider the following default search filter in which the value "%s" represents the text string provided by the user:
(&(objectclass=organizationalPerson)(|(cn=%s*)(givenname=%s)(sn=%s)(mail=%s*)))
Note: You can find detailed information on the syntax and formatting of search filters at the following Web site: http://developer.netscape.com/docs/manuals/directory/41/ag/find.htm#1046960
The default search filter first looks for entries whose type (or object class) is organizationalPerson. The search filter looks for a prefix match (%s*) with an entry's common name, a complete match with an entry's given name, or a complete match with the entry's surname attribute. Using the default search filter, a search on the person name "James" might return the following directory entries (provided that each directory entry is of the objectclass organizationalPerson):
• Jameson Sanders
• James Lock
• James Clark
• Henry James


Table 12. Searching settings for the LDAP directory (continued)

Field: Search filter for resolving group names

Description: Specify the filter to use when matching a name to group entries in the LDAP. The default value is:
(&(objectclass=groupOfNames)(cn=%s*))
The search filter used for resolving group names must be based on the schema of your LDAP directory. The suggested value for Microsoft Exchange 5.5 and Domino directory servers is the default search filter. The other suggested values for this setting are:
• Microsoft Active Directory: (&(objectclass=group)(cn=%s*))
• Netscape Directory and SecureWay Directory: (&(objectclass=groupOfUniqueNames)(cn=%s*))
The Where to start searching for groups and Scope for searching for groups settings in the Basics settings on page 195 section define the level of the directory tree from which the search begins and how much of the directory is searched.

Comments: To search for a group name, a Sametime end user enters a text string in the user interface of a Sametime client. This setting defines the LDAP search filter responsible for selecting the group name from an LDAP directory. The search filter matches the text string provided by the user to values listed for the attributes of the LDAP directory group entries.
Note: You can find detailed information on the syntax and formatting of search filters at the following Web site: http://developer.netscape.com/docs/manuals/directory/41/ag/find.htm#1046960
The default search filter first looks for directory entries of the type (or object class) groupOfNames. The search filter then looks for a prefix match (%s*) with the common name (cn) attribute of the groupOfNames entries. Using the default search filter, a search on the name "Market" might return the following group entries from the directory (provided that each entry also has the groupOfNames object class attribute):
• Marketing
• Marketers
• Markets
Note: If a single search filter is not adequate to resolve group searches in your environment, you can create a custom Java class that refines the group search capabilities. This capability is useful in environments with complex LDAP directory schemas. For more information, see Using Java classes to customize LDAP directory searches.
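Every filter in Tables 11 and 12 carries a "%s" placeholder that is filled with text typed by an end user, and the guide's own prefix-match syntax ("%s*") shows how much a single "*" changes a filter's meaning. The following Python is an added example, not code from the guide or from Sametime: it fills the default filters with user text after escaping the characters that RFC 4515 reserves for filter syntax, so the user's text can only ever be compared against attribute values and can never turn an exact match into a wildcard match or alter the filter's structure. The weak, unescaped substitution is shown alongside for contrast. Whether Sametime itself escapes input in this way is not stated in the guide; the escaping is standard practice rather than a description of the product, and the filters are reproduced here with balanced parentheses.

```python
"""Added example: filling the "%s" placeholder of the guide's default
search filters with user-supplied text, with and without RFC 4515 escaping."""

# Default filters as quoted in the guide (Tables 11 and 12).
AUTH_FILTER = ("(&(objectclass=organizationalPerson)"
               "(|(cn=%s)(givenname=%s)(sn=%s)(mail=%s*)))")
PERSON_SEARCH_FILTER = ("(&(objectclass=organizationalPerson)"
                        "(|(cn=%s*)(givenname=%s)(sn=%s)(mail=%s*)))")
GROUP_SEARCH_FILTER = "(&(objectclass=groupOfNames)(cn=%s*))"

# RFC 4515 section 3: these characters must appear as \XX inside a filter value.
_ESCAPES = {"\\": r"\5c", "*": r"\2a", "(": r"\28", ")": r"\29", "\x00": r"\00"}


def escape_filter_value(text):
    """Escape text so it is matched literally as an attribute value."""
    return "".join(_ESCAPES.get(ch, ch) for ch in text)


def build_filter(template, user_text):
    """Hardened form: every %s becomes the escaped user text."""
    return template.replace("%s", escape_filter_value(user_text))


def substitute_unescaped(template, user_text):
    """Weak form, shown only for contrast: raw text is pasted into the filter,
    so a user typing "*" turns (cn=%s) into the match-everything (cn=*)."""
    return template.replace("%s", user_text)


def structure_preserved(template, user_text):
    """True if filling the template did not add any filter components:
    the built filter opens exactly as many parentheses as the template."""
    return build_filter(template, user_text).count("(") == template.count("(")


if __name__ == "__main__":
    for text in ("James", "Smith (West)", "*"):
        print("user typed:", repr(text))
        print("  escaped  :", build_filter(PERSON_SEARCH_FILTER, text))
        print("  unescaped:", substitute_unescaped(PERSON_SEARCH_FILTER, text))
```

For ordinary names such as "James" both forms produce the same filter, so the escaping costs nothing; it only matters for the characters that have meaning to the LDAP server, where the escaped form keeps the administrator's "%s*" prefix match while neutralising any wildcard the user typed.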


Table 12. Searching settings for the LDAP directory (continued)

Field: Policy search filters

Description: Specify a search filter to use when resolving a user's or group's membership in a policy, to determine access rights during authentication. For Domino, you can use an empty string ("") if you don't want to create a filter. The IBM Directory Server requires a non-empty value here; for example: dc=teamspace,dc=com

Comments: A policy allows you to restrict access to certain features of Sametime when you use either the Domino LDAP or IBM Directory Server for user management. The filters for searching for people and groups in Policy are similar to those used for searching for people and groups in LDAP but are designed to draw on information stored in Domino or IBM Directory Server.

Group Contents settings

The Group Contents setting enables the administrator to specify the attribute of a group entry that contains the names of group members.

Table 13. Group Contents settings for the LDAP directory

Field: Attribute in the group object class that has the names of the group members

Description: Specify the name of the attribute in the group entry that contains the names of individual people or subgroups. Suggested values for this setting are:
• Microsoft Active Directory, Microsoft Exchange 5.5 Directory, and Domino Directory: member
• Netscape Directory and IBM SecureWay Directory: UniqueMember

Comments: If an end user adds a group to a presence list, privacy list, or a list that restricts meeting attendance, Sametime must obtain the list of members within the group so that individual members of the group can be displayed. The "Attribute in the group object class that has the names of the group members" setting defines the attribute within an LDAP directory group entry that holds the names of all members of the group. This setting assumes that the LDAP directory schema uses a single directory entry to represent a group, and that names of group members are held in one attribute that contains multiple values. This assumption is true for Microsoft Exchange 5.5, Microsoft Active Directory, Netscape Directory, and Domino environments.

Add Administrator settings The Add Administrator settings are used to enable additional administrators to access the Sametime Administration Tool.


Note: Although you can use the Sametime Administration Tool to configure LDAP settings, you must use the LDAP tool itself to person and group entries.

Table 14. Add Administrator settings for the LDAP directory

Field: Administrator

Description: Specify the user name of each Sametime Administrator.

Comments: Only users that are entered in the LDAP directory on the LDAP server can authenticate with the Sametime server. A Sametime administrator must have a Person document in the Domino Directory on the Sametime server to access the Sametime Administration Tool. The Administrator can authenticate with the Sametime Administration Client whether he or she is in the Domino or in the LDAP directory. However, if the server is configured for LDAP, then the Administrator has to be registered in the LDAP directory to receive access to the Assign Users function of the User Policy.

Access Control settings

The Access Control settings enable the administrator to work with Access Control Lists.

Table 15. Access Control settings for the LDAP directory

Field: User or Group Name

Description: Specify the name of a person or group entry in the LDAP directory that should have access to Sametime servers. When entering names in this field:
• Use the fully qualified distinguished name of the user or group, but use forward slashes (/) as delimiters instead of commas (,). For example, use:
cn=John Smith/ou=managers/ou=marketing/ou=west/o=acme
instead of:
cn=John Smith, ou=managers, ou=marketing, ou=west, o=acme
• You can use an asterisk (*) as a wildcard character when entering names. For example, entering */ou=West/o=Acme is equivalent to adding all users in the ou=West, o=Acme branch of the directory to the ACL.

Comments: Registering groups in the Access Control List is more efficient than listing individual users because you can include more users in less time, and can easily update the individual group listings later.
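The ACL name format in Table 15 differs from the comma-delimited DN used everywhere else in this chapter, and the leading "*" covers a whole directory branch rather than a single level. The following Python is an added example, not code from the guide or from Sametime: it converts a DN into the slash-delimited ACL form and checks a user against a list of ACL entries, treating "*/..." as "every entry beneath this branch". Case-insensitive comparison of name components is an assumption of the example, not something the guide states.

```python
"""Added example: ACL name format and wildcard matching for Table 15.
The ACL entries and DNs below are constructed sample data."""


def to_acl_form(dn):
    """'cn=John Smith, ou=west, o=acme' -> 'cn=John Smith/ou=west/o=acme'."""
    return "/".join(part.strip() for part in dn.split(",") if part.strip())


def acl_matches(entry_dn, acl_name):
    """Return True if one ACL entry (slash form, optionally starting with '*')
    covers the given comma-delimited DN."""
    entry_parts = to_acl_form(entry_dn).lower().split("/")
    acl_parts = acl_name.lower().split("/")
    if acl_parts[0] == "*":
        # '*/ou=West/o=Acme' covers every entry strictly beneath that branch.
        suffix = acl_parts[1:]
        if not suffix:
            return True  # a bare '*' covers everyone
        return (len(entry_parts) > len(suffix)
                and entry_parts[-len(suffix):] == suffix)
    return entry_parts == acl_parts  # exact DN match


def has_access(entry_dn, acl):
    """True if any ACL entry covers the DN."""
    return any(acl_matches(entry_dn, name) for name in acl)


# Constructed ACL: one explicit user plus the whole ou=West, o=Acme branch.
SAMPLE_ACL = ["cn=Jane Doe/ou=east/o=acme", "*/ou=West/o=Acme"]

if __name__ == "__main__":
    for dn in ("cn=John Smith, ou=managers, ou=marketing, ou=west, o=acme",
               "cn=Jane Doe, ou=east, o=acme",
               "cn=Bob Ray, ou=east, o=acme"):
        print(to_acl_form(dn), "->", has_access(dn, SAMPLE_ACL))
```

The branch entry "ou=west, o=acme" itself is not granted access by "*/ou=West/o=Acme": the wildcard stands for the entries beneath the branch, which is what the guide means by "all users in the ou=West, o=Acme branch".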


Ways to bind the Sametime server to the LDAP server:

The Sametime server can bind to the LDAP server as either an anonymous user or as an authenticated user. When the Sametime server connects to the LDAP server, the "Administrator distinguished name" and "Administrator password" settings determine whether the Sametime server binds to the LDAP server as an anonymous user or as an authenticated user.

Binding to the LDAP server as an anonymous user

If the "Administrator distinguished name" and "Administrator password" settings do not contain entries, the Sametime server binds to the LDAP server as an anonymous user. In this case, you must ensure the LDAP server is configured appropriately for anonymous access from a Sametime server. The LDAP server must allow anonymous binding and allow anonymous access to the attributes of the LDAP directory entries as described in "Required LDAP directory access," below.

Note: If you are using SSL to encrypt connections between the Sametime and LDAP servers, and you want to encrypt only the passwords transmitted between the Sametime and LDAP servers, you must allow Sametime to bind to the LDAP server as an anonymous user. For more information, see Using SSL to encrypt connections between the Sametime and LDAP servers.

Binding to the LDAP server as an authenticated user

If you want the Sametime server to bind to the LDAP server as an authenticated user, you must enter an appropriate user name and password in the "Administrator distinguished name" and "Administrator password" fields. The Sametime server will transmit this user name and password to the LDAP server when making its initial connection to the LDAP server. The LDAP server verifies this user name and password against an entry in the LDAP directory to authenticate the connection from the Sametime server. After creating the directory entry, you must ensure this directory entry has the appropriate access rights on the LDAP server. This directory entry must have at least read access to the attributes of the LDAP directory entries. For more information on the level of LDAP directory access required for the Administrator distinguished name directory entry, see "Required LDAP directory access" below.

Required LDAP directory access

When accessing the LDAP directory, the Sametime server must have access to specific attributes of the LDAP directory entries. If you leave the "Administrator distinguished name" and "Administrator password" settings blank to allow anonymous binding to the LDAP directory, the Sametime server must be able to access the LDAP directory entry attributes listed below as an anonymous user. If you place entries in the "Administrator distinguished name" and "Administrator password" fields to enable authenticated binding to the LDAP server, the "Administrator distinguished name" directory entry you specify must be able to access LDAP directory entry attributes as described below.

For Person entries, the Sametime server must have access to the following attributes:
• person name
• person description
• home Sametime server
• e-mail address
• location
• telephone number
• title
• photo (if used for Business Card)
• ObjectClass
• Any LDAP directory entry attribute that is specified in any search filter defined in the LDAP Directory Settings in the Sametime Administration Tool (or on the LDAP document in the Configuration database on the Sametime server)

For Group entries, the Sametime server must have access to the following attributes:
• group name
• group description (if this setting is not empty)
• group members
• ObjectClass
• Any LDAP directory entry attribute that is specified in any search filter defined in the LDAP Directory Settings in the Sametime Administration Tool (or on the LDAP document in the Configuration database on the Sametime server)

Ways to search groups:

Choose the method to be used when searching for groups. When the user signs in to the Sametime Connect Client, the Sametime server attempts to determine what groups the user is a member of, so the policy for the user can be assigned. This Group search can be performed in one of two ways:
• By searching the Person document for the group membership field.
• By filtering through all the groups in which the user is a member.

Searching the Person document for the group membership field

If your chosen LDAP server contains an attribute in the Person record of all the groups a user belongs to, then Sametime Policy can perform one search, retrieving all the group names containing the user's name that are stored under the attribute. This method, which provides performance enhancements, should be used whenever possible. To configure this option, set:
• BaseMembership to an empty string.
• GroupMembership to the attribute name. The name should not include the mandatory filter symbols (= or %). The attribute name depends upon the LDAP type. For example:


• In the Microsoft Active Directory, the attribute in the Person record is memberOf, so you set the name as: GroupMembership:memberOf
• In the IBM Directory Server, the attribute in the Person record is ibm-allgroups, so you set the name as: GroupMembership:ibm-allgroups

Field name        memberOf attribute for Microsoft Active Directory   memberOf attribute for IBM Directory Server
GroupMembership   memberOf                                            ibm-allgroups
BaseMembership    Empty string ("")                                   Empty string ("")

Filtering through all the groups in which the user is a member

This type of search is performed in the LDAP Directory to find the list of groups that a given user or group belongs to. The settings depend upon your LDAP configuration. Pertinent information includes the object class used by all groups and the attribute which contains the members in all groups. Typical settings are:
• Domino:
GroupMembership: (&(objectclass=groupofnames)(member=%s))
BaseMembership: may be empty
• IBM Directory Server:
GroupMembership: (&(objectclass=groupofuniquenames)(uniqueMember=%s))
BaseMembership: dc=teamspace,dc=com
• Active Directory:
GroupMembership: (&(objectcategory=group)(member=%s))
BaseMembership: dc=teamspace,dc=com

Field name        Domino                                      IBM Directory Server
GroupMembership   (&(objectclass=groupofnames)(member=%s))   (&(objectclass=groupofuniquenames)(uniqueMember=%s))
BaseMembership    Empty string ("") accepted                  Must not be an empty string (""); for example, could be: dc=teamspace,dc=com
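The two group-search methods described above differ mainly in how many directory entries the policy lookup has to touch at sign-in. The following Python is an added example, not code from the guide or from Sametime: it runs both methods against a small constructed directory, the first reading a membership attribute such as memberOf straight from the person entry, the second walking every group entry beneath BaseMembership and testing its member attribute, and reports how many entries each had to examine. The directory, attribute names and DNs are constructed sample data; the example assumes the person entry's membership attribute is kept consistent with the groups' member attributes, which is the precondition for the first method to be trustworthy.

```python
"""Added example: the two ways Sametime Policy can find a user's groups.
All entries below are a constructed sample directory, not real data."""

# Person entries: DN -> attributes. The memberOf values mirror the groups below.
PEOPLE = {
    "cn=John Smith,ou=west,o=acme": {
        "objectclass": ["organizationalPerson"],
        "memberOf": ["cn=Marketing,ou=west,o=acme", "cn=Sales,ou=west,o=acme"],
    },
    "cn=Ann Lee,ou=east,o=acme": {
        "objectclass": ["organizationalPerson"],
        "memberOf": ["cn=Sales,ou=west,o=acme", "cn=Admins,o=acme"],
    },
}

# Group entries: DN -> attributes, using the groupOfNames/member schema.
GROUPS = {
    "cn=Marketing,ou=west,o=acme": {
        "objectclass": ["groupOfNames"],
        "member": ["cn=John Smith,ou=west,o=acme"],
    },
    "cn=Sales,ou=west,o=acme": {
        "objectclass": ["groupOfNames"],
        "member": ["cn=John Smith,ou=west,o=acme", "cn=Ann Lee,ou=east,o=acme"],
    },
    "cn=Admins,o=acme": {
        "objectclass": ["groupOfNames"],
        "member": ["cn=Ann Lee,ou=east,o=acme"],
    },
}


def groups_via_membership_attribute(user_dn, attribute="memberOf"):
    """Method 1 (GroupMembership names an attribute, BaseMembership empty):
    one read of the person entry returns every group it lists.
    Returns (sorted group DNs, number of entries examined)."""
    person = PEOPLE[user_dn]
    return sorted(person.get(attribute, [])), 1


def groups_via_filter(user_dn, base="", member_attribute="member",
                      group_class="groupOfNames"):
    """Method 2 (GroupMembership is a filter such as
    (&(objectclass=groupofnames)(member=%s))): walk every group entry beneath
    base and keep those whose member attribute contains the user's DN.
    Returns (sorted group DNs, number of entries examined)."""
    found, examined = [], 0
    for dn, attrs in GROUPS.items():
        if base and not dn.lower().endswith(base.lower()):
            continue  # outside BaseMembership, never examined
        examined += 1
        if (group_class.lower() in (c.lower() for c in attrs["objectclass"])
                and user_dn in attrs.get(member_attribute, [])):
            found.append(dn)
    return sorted(found), examined


if __name__ == "__main__":
    user = "cn=John Smith,ou=west,o=acme"
    print("memberOf   :", groups_via_membership_attribute(user))
    print("filter walk:", groups_via_filter(user))
```

Both methods return the same groups for the sample user, but the attribute read touches one entry while the filter walk touches every group under the base, which is why the guide recommends the attribute method whenever the directory provides such a field. Narrowing BaseMembership (the IBM Directory Server requires a non-empty value) limits how many group entries the second method has to examine.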

Replace the Domino Directory with an LDAP directory

About this task

During the Sametime server installation, you must specify the directory type (either Domino or LDAP) used in your Sametime community. If you select the Domino directory during the installation, and later decide you want to configure Sametime to connect to an LDAP server, use the procedure below to set up the LDAP connection to the LDAP server. For i5/OS, see Replace the Domino Directory with an LDAP directory for i5/OS on page 224.

Note: Using this procedure prevents you from having to reinstall the Sametime server and specify the LDAP directory type during the server installation to connect to the LDAP server.


These procedures are associated with enabling Sametime to connect to an LDAP server if you have selected the Domino directory during the server installation:
1. Shut down the Sametime services but keep the Domino services active.
2. Set up a Directory Assistance database on the Sametime server.
3. Identify the Directory Assistance database on the Sametime server.
4. Create a Directory Assistance document in the Directory Assistance database that enables the Sametime server to access the LDAP server.
5. Create an LDAP document in the Configuration database (stconfig.nsf) on the Sametime server.
6. Copy and rename .DLL files, edit the Notes.ini file, or edit the Sametime.ini file.
7. Run the name change task.
8. Configure the LDAP Directory settings in the LDAP document. (You can use either a Lotus Notes client or the Sametime Administration Tool to configure these settings.)
9. Update the Sametime.ini file for Policy.
10. Reconfigure the UserInfo servlet after switching from Domino to LDAP.
11. Restart the Sametime services on your Domino server.

Shut down the Sametime services but keep the Domino services active

About this task

This procedure is the first of eleven associated with enabling Sametime to connect to an LDAP server if you have selected the Domino directory during the server installation. In this procedure, you must shut down the Sametime services while you make configuration changes on the Sametime server. You must leave the Domino server running so you can access Domino databases on the server.

To shut down the Sametime services:
1. Open the Domino server console on the Sametime/Domino server.
2. In the Domino server console, type the following command:
For Windows, AIX, Linux, and Solaris servers:
Tell STADDIN Quit
For IBM i5/OS servers:
Tell STADDIN2 Quit

Next step: Set up a Directory Assistance database


Set up a Directory Assistance database


About this task
This procedure is the second of eleven associated with enabling Sametime to connect to an LDAP server if you have selected the Domino directory during the server installation. Because Sametime uses Directory Assistance to access an LDAP server, you must ensure that a Directory Assistance database exists on the Sametime server. Setting up Directory Assistance enables Web browser users to authenticate against entries in the LDAP directory when accessing databases on the Sametime server that require basic password authentication. Note: The Sametime Connect client does not require Directory Assistance to authenticate against the LDAP directory or perform name and group lookups in the LDAP directory. You can either create a new Directory Assistance database on the Sametime server or replicate an existing Directory Assistance database to the Sametime server. Use the same process to set up Directory Assistance for a Sametime server as you would for a Domino server without Sametime. If you have already created a Directory Assistance database for the Domino environment in which Sametime is installed, you can replicate the existing Directory Assistance database to the Sametime server instead of creating a new Directory Assistance database.

Creating a new Directory Assistance database:
To create a new Directory Assistance database:
1. Open a Lotus Notes client.
2. Choose File - Database - New.
3. Select the Sametime server (or select the Local server if you are running Sametime on a Windows server and you opened the Notes client on the server).
4. Create the Directory Assistance database on the server using the template DA50.NTF. Provide a database name and file name (for example, da.nsf) for the Directory Assistance database.

Replicating an existing Directory Assistance database:
To replicate an existing Directory Assistance database, follow the normal Domino procedure for replicating a database. First create a new replica of the Directory Assistance database on the Sametime server, and then create a Connection document to schedule replication of the database. See your Domino server administration documentation for information on these procedures.

Chapter 17. Managing Sametime users

213

Next step: After you have ensured that a Directory Assistance database exists on the Sametime server, you must identify the Directory Assistance database on the Sametime server.

Identify the Directory Assistance database on the Sametime server


About this task
This procedure is the third of eleven associated with enabling Sametime to connect to an LDAP server if you have selected the Domino directory during the server installation. After you have ensured that a Directory Assistance database exists on the Sametime server, you must identify the Directory Assistance database on the Sametime server. Enter the database file name in the "Directory Assistance database name" field in the Basics section of the Sametime server's Server document.
1. From a Notes client, choose File - Database - Open.
2. Select the Sametime server (or select the Local server if you are running Sametime on a Windows server and you opened the Notes client on the server).
3. Select the Domino directory (names.nsf) and click Open.
4. Select Server - Servers to open the Servers view.
5. Double-click the name of the Sametime server to open the Server document.
6. If necessary, select the Basics tab of the Server document.
7. Click Edit Server.
8. In the "Directory Assistance database name" field, enter the file name (for example, da.nsf) of the Directory Assistance database.
9. Click Save and Close.

Next step: After you have identified the Directory Assistance database on the Sametime server, create a Directory Assistance document that enables the Sametime server to access the LDAP server.

Create a Directory Assistance document that enables the Sametime server to access the LDAP server
About this task
This procedure is the fourth of eleven associated with enabling Sametime to connect to an LDAP server if you have selected the Domino directory during the server installation.


The Directory Assistance database on the Sametime server must contain a Directory Assistance document that enables the Sametime server to access the LDAP server. The procedure below explains how to create the Directory Assistance document for the LDAP server and provides suggested values for the fields in the Directory Assistance document. You can change the suggested values as required by your environment.

To create the Directory Assistance document:
1. From the Notes client, open the Directory Assistance database (usually named da.nsf) on the Sametime server.
2. Click "Add Directory Assistance".
3. In the Basics tab, make these settings:

Setting: Domain type
Value: Select LDAP.

Setting: Domain name
Value: Enter any descriptive name; the name must be different from any other in Directory Assistance. Do not use the Domino domain name.

Setting: Company name
Value: Enter the name of your company.

Setting: Search order
Value: The suggested value is 1. The search order specifies the order in which this directory is searched relative to other directories in Directory Assistance.

Setting: Make this domain available to
Value: Both "Notes clients" and "LDAP clients" are checked by default.

Setting: Group authorization
Value: The suggested setting is Yes. This setting enables Directory Assistance to examine the contents of groups in the LDAP directory. This capability is necessary if you enter the name of a group defined in the LDAP directory in the ACL of a database on the Sametime server.

Setting: Nested group expansion
Value: The suggested setting is Yes. This setting enables Directory Assistance to examine the content of an LDAP directory group that is a member of another LDAP directory group. This capability is also used when an LDAP directory group name is entered in the ACL of a database on the Sametime server.

Setting: Enabled
Value: Set to Yes to enable Directory Assistance for the LDAP directory.

4. Select the Naming contexts (Rules) tab. Configure Rule 1 as needed for your Domino environment. The suggested values for Rule 1 are as follows:
   v The OrgUnit1, OrgUnit2, OrgUnit3, OrgUnit4, Organization, and Country fields should all contain an asterisk. Using all asterisks in this setting ensures that all entries in the LDAP directory can be searched and authenticated.
   v The "Enabled" and "Trusted for Credentials" fields should both be set to "Yes."
5. Select the LDAP tab. The LDAP tab contains the following settings:

Setting: Hostname
Value: The host name for the LDAP server (for example, ldap.acme.com).

Setting: Optional Authentication Credential
Value: Binding parameters to the LDAP server. If entries exist in the "Administrator distinguished name" and "Administrator password" fields in the LDAP Directory - Connectivity settings of the Sametime Administration Tool, the Sametime server binds to the LDAP server as an authenticated user. If there are no entries in the "Administrator distinguished name" or "Administrator password" fields, the Sametime server binds to the LDAP server as an anonymous user.

Setting: Username
Value: Complete this field if you want your Sametime server to bind to the LDAP server as an authenticated user. Otherwise, leave this field empty. Suggested values for a Microsoft Active Directory server are: cn=qadmin, cn=users, dc=ubq-qa, dc=com

Setting: Password
Value: Complete this field if you want your Sametime server to bind to the LDAP server as an authenticated user. Otherwise, leave this field empty. Enter the password for the Username specified above.

Setting: Base DN for search
Value: Specify a search base. A search base defines where in the directory tree a search should start. Suggestions for this setting are:
v Domino directory - An example value is "O=DomainName," where "DomainName" is the Lotus Notes domain (for example, O=Acme).
v Microsoft Exchange 5.5 directory - An example value is "CN=recipients,OU=ServerName,O=NTDomainName," where ServerName is the Windows server name and NTDomainName is the Windows NT domain (for example, CN=recipients,OU=Acmeserver1,O=NTAcmedomain). This example assumes that the directory is using the default directory schema. If you have changed the schema of the Microsoft Exchange 5.5 directory, the entry in the Base DN for search field must reflect the new schema.
v Microsoft Active Directory - An example value is "CN=users,DC=DomainName,DC=com."
v Netscape LDAP directory - Use the format O= followed by the organizational unit that was specified during the Netscape server setup. If you are uncertain about this entry, use the administrative features of the Netscape server to determine the appropriate entry.

Setting: Channel encryption
Value: Select None. For information on using Secure Sockets Layer (SSL) to encrypt the connection between the Sametime server and the LDAP server, see "Use SSL to authenticate and encrypt the connection between the Sametime server and the LDAP server."

Setting: Port
Value: Enter the port number used to connect to the LDAP server. The default setting is port 389.

Setting: Accept expired SSL certificates
Value: Choose the option that suits your environment.

Setting: SSL protocol version
Value: Choose the option that suits your environment.

Setting: Verify server name with remote server's certificate
Value: Choose the option that suits your environment.

Advanced options:

Setting: Timeout
Value: The suggested setting is 60 seconds. This setting specifies the maximum number of seconds allowed for a search of the LDAP directory.

Setting: Maximum number of entries returned
Value: The suggested setting is 100. This setting specifies the maximum number of names the LDAP server will return for the name searched. If the LDAP server also has a maximum setting, the lower setting takes precedence.

Setting: De-reference alias on search
Value: Choose the option that suits your environment; this is usually set to "Never."

Setting: Preferred mail format
Value: Depends upon the directory; the options are Internet mail address and Notes mail address.

Setting: Attribute to be used as Notes Distinguished Name
Value: Should always be blank.

Setting: Type of search filter to use
Value: Options are standard, Active Directory, or custom; the choice depends upon your directory. Most often "standard" is used. If you use Active Directory, choose AD, and if you want complete control over how Directory Assistance searches the directory, choose "custom." There is additional hover-over help with each option: custom, AD, and standard.

6. Click "Save and Close." The warning message notifies you that your connection does not include SSL settings; you can ignore the warning and continue with the procedure.

Next step: After you create the Directory Assistance document that enables the Sametime server to access the LDAP server, you must create an LDAP document in the Configuration database on the Sametime server.

Create an LDAP document in the Configuration database


About this task
This procedure is the fifth of eleven associated with enabling Sametime to connect to an LDAP server if you have selected the Domino directory during the server installation. The Configuration database (stconfig.nsf) stores administration settings made from the Sametime Administration Tool. These administration settings are stored on individual documents within the Configuration database. You must use a Lotus Notes client to create an LDAP document in the Configuration database on the Sametime server. The LDAP document you create will hold the LDAP Directory settings that enable Sametime to search and authenticate against entries in the LDAP directory.

To create an LDAP document in the Configuration database:
1. Use a Lotus Notes client to open the Sametime Configuration database (stconfig.nsf) on the Sametime server.
2. Select Create - LDAPServer. A document opens that contains the LDAP administration settings. You can configure these settings using either the Sametime Administration Tool or a Lotus Notes client. If you want to use the Lotus Notes client, leave the document open and continue to the next procedure (see "Next step" below). If you want to use the Sametime Administration Tool to configure the LDAP settings, choose File - Save to save the LDAP document. Close the LDAP document and close the Lotus Notes client.

Next step: After you have created an LDAP document in the Configuration database, you must copy and rename the .DLL files or edit the Notes.ini file.

Copy and rename the .DLL files, edit the Notes.ini file, or edit the Sametime.ini file
About this task
This procedure is the sixth of eleven associated with enabling Sametime to connect to an LDAP server if you have selected the Domino directory during the server installation. These files are generally copied and renamed during the install process, except in the case of iSeries. The procedure you perform at this point depends on whether your Sametime server runs on the Windows, AIX/Solaris/Linux, or IBM i5/OS operating system.
v If your Sametime server runs on the Windows operating system, you must copy and rename some .DLL files from the C:\Program Files\Lotus\Domino\Directory BB\Ldap directory to C:\Program Files\Lotus\Domino or $installeddir\Lotus\Domino.
v If your Sametime server runs on the AIX/Solaris operating system, you must edit the Sametime.ini file.
v If your Sametime server runs on the IBM i5/OS operating system, you must edit the Notes.ini file.
Follow the procedure below that is appropriate for your environment.

Copying and renaming the DLL files (Windows only):
If your Sametime server runs on the Windows operating system, perform this procedure:
1. On the Sametime server, create a working directory to copy files to so that you can rename them.
2. Copy the "STAuthenticationLdap.dll" file from the directory C:\Program Files\Lotus\Domino\Directory BB\Ldap to the working directory.
3. In the working directory, rename the "STAuthenticationLdap.dll" file to "STAuthentication.dll."
4. Copy the renamed "STAuthentication.dll" file to C:\Program Files\Lotus\Domino or $installeddir\Lotus\Domino.
   Note: Copying the "STAuthentication.dll" file to C:\Program Files\Lotus\Domino or $installeddir\Lotus\Domino will overwrite an existing file of the same name.
5. Copy the file "STGroupsLdap.dll" from the directory C:\Program Files\Lotus\Domino\Directory BB\Ldap to the working directory.
6. Rename the "STGroupsLdap.dll" file to "STGroups.dll."
7. Copy the renamed STGroups.dll file to the C:\Sametime directory.
   Note: Copying the "STGroups.dll" file to the C:\Sametime directory will overwrite an existing file of the same name.
8. Copy the file "STResolveLdap.dll" from the directory C:\Program Files\Lotus\Domino\Directory BB\Ldap to the working directory.
9. Rename the "STResolveLdap.dll" file to "STResolve.dll."
10. Copy the renamed "STResolve.dll" file to C:\Program Files\Lotus\Domino or $installeddir\Lotus\Domino.
    Note: Copying the "STResolve.dll" file to the C:\Sametime directory will overwrite an existing file of the same name.
11. Copy the "StBrowseLdap.dll" file from the directory C:\Program Files\Lotus\Domino\Directory BB\Ldap to the working directory.
12. Rename the "StBrowseLdap.dll" file to "StBrowse.dll."
13. Copy the renamed STBrowse.dll file to C:\Program Files\Lotus\Domino or $installeddir\Lotus\Domino.
14. Copy the "StDirectoryListLDAP.sym" file from the directory C:\Program Files\Lotus\Domino\Directory BB\Ldap to the working directory.
15. Rename the "StDirectoryListLDAP.sym" file to "StDirectoryList.sym."
16. Copy the renamed StDirectoryList.sym file to C:\Program Files\Lotus\Domino or $installeddir\Lotus\Domino.
17. Copy the "StLdap.dll" file from the directory C:\Program Files\Lotus\Domino\Directory BB\Ldap to C:\Program Files\Lotus\Domino or $installeddir\Lotus\Domino.
18. Copy the "stLdap.ini" file from the directory C:\Program Files\Lotus\Domino\Directory BB\Ldap to C:\Program Files\Lotus\Domino or $installeddir\Lotus\Domino.

Editing the Sametime.ini file (AIX/Solaris only):
If your Sametime server runs on the AIX/Solaris operating system, perform this procedure to edit the Sametime.ini file in the Sametime server installation directory. You must change the DirectoryType parameter from "Domino" to "LDAP" in the Sametime.ini file.
1. Use a text editor to open the Sametime.ini file located in the Sametime server installation directory (for example, <root>/lotus/domino).
2. In the [CONFIG] section of the Sametime.ini file, edit the DirectoryType= parameter so that it specifies LDAP as shown below:
   DirectoryType=LDAP
3. Save and close the Sametime.ini file.


Editing the Sametime.ini file (IBM i5/OS only):
If your Sametime server runs on the IBM i5/OS operating system, perform this procedure to change the DirectoryType parameter from "Domino" to "LDAP" in the Sametime.ini file:
1. Use a text editor to open the sametime.ini file located in the Sametime server data directory.
2. In the [Directory] section of the sametime.ini file, edit the DirectoryType= parameter so that it specifies LDAP as shown below:
   DirectoryType=LDAP
3. Save and close the sametime.ini file.

Next step: After you have copied and renamed the .DLL files, you must run the Name Change task. See Changing names on page 256.

Run the Sametime Name Change Task


About this task
This procedure is the seventh of eleven associated with enabling Sametime to connect to an LDAP server if you have selected the Domino directory during the server installation. You must run the Lotus Sametime Name Change Task to ensure that the user and group names that are stored in the vpuserinfo.nsf database on the Sametime server are converted from the native Domino directory name format to the LDAP directory format. Users create buddy lists and privacy lists from the Sametime Connect client by selecting user names and group names from the directory accessed by the Sametime server. If the Sametime Connect client users in your environment have created buddy lists and privacy lists by selecting names from the Domino directory, the user and group names in these lists are stored in the vpuserinfo.nsf database on the Sametime server in the native Domino directory format. You must run the Sametime Name Change Task to convert the names in the vpuserinfo.nsf database to the LDAP directory format. The distribution of the changed names is done throughout the cluster through Domino replication. Name Conversion is available from the Sametime 7.5.x server's Administration Tool. For more information on using the Name Change Task, see the topic "Changing names on page 256."


Next step: After you have run the Sametime Name Change Task, you must configure the LDAP directory settings.

Configuring the LDAP directory settings


About this task
This procedure is the eighth of eleven associated with enabling Sametime to connect to an LDAP server if you have selected the Domino directory during the server installation. This procedure is described in Configure the LDAP Directory settings earlier in this section.

Update the Sametime.ini file for Policy


About this task
In order to switch from the Domino directory to the LDAP directory configuration, the following policy setting must be updated in the Sametime.ini file. If the Sametime server is running, use the Services application:
1. Stop the Sametime Policy service.
2. In the [Policy] section of the sametime.ini file, replace the key:
   POLICY_DIRECTORY_BB_IMPL=com.ibm.sametime.policy.directorybb.notes.DirNotesBlackBox
   with this key:
   POLICY_DIRECTORY_BB_IMPL=com.ibm.sametime.policy.directorybb.ldap.DirLdapBlackBox
3. Save the Sametime.ini file.

Setting policy search settings in the LDAPServer document of stconfig.nsf:
1. Make sure the LDAP Server document holds the proper values for the BaseMembership and GroupMembership fields. For details, see "Setting policy search filters" in User Policy in this documentation.
2. Save stconfig.nsf.
3. Using the "tell http restart" command in the Domino console, restart the Domino HTTP server.
4. Restart the Sametime Policy service.

Next step: Reconfiguring the UserInfo servlet after switching from Domino to LDAP


Reconfiguring the UserInfo servlet after switching from Domino to LDAP


About this task
The UserInfo servlet must be reconfigured after switching from Domino to LDAP to enable the Business Card to work. To reconfigure the UserInfo servlet, follow these steps:
1. Open UserInfoConfig.xml in a text editor and replace all its contents with the following:

   <UserInformation>
     <ReadStConfigUpdates value="true"/>
     <Resources>
       <Storage type="LDAP">
         <StorageDetails HostName="hera.haifa.ibm.com" Port="389" UserName="" Password=""
           SslEnabled="false" SslPort="636" BaseDN="" Scope="2"
           SearchFilter="(&amp;(objectclass=organizationalPerson)(|(cn=%s)(givenname=%s)(sn=%s)(mail=%s)))"/>
         <!-- Add another StorageDetails tag to support another ldap server.
              The listing order implies the searching order -->
         <!-- Scope: 0=OBJECT_SCOPE 1=ONELEVEL_SCOPE 2=SUBTREE_SCOPE -->
         <SslProperties KeyStorePath="" KeyStorePassword=""/>
         <Details>
           <Detail Id="MailAddress" FieldName="mail" Type="text/plain"/>
           <Detail Id="Name" FieldName="cn" Type="text/plain"/>
           <Detail Id="Title" FieldName="title" Type="text/plain"/>
           <Detail Id="Location" FieldName="postalAddress" Type="text/plain"/>
           <Detail Id="Telephone" FieldName="telephoneNumber" Type="text/plain"/>
           <Detail Id="Company" FieldName="ou" Type="text/plain"/>
           <Detail Id="Photo" FieldName="jpegPhoto" Type="image/jpeg"/>
         </Details>
       </Storage>
     </Resources>
     <ParamsSets>
       <Set SetId="0" params="MailAddress,Name,Title,Location,Telephone,Photo,Company"/>
       <Set SetId="1" params="MailAddress,Name,Title,Location,Telephone,Photo,Company"/>
     </ParamsSets>
     <BlackBoxConfiguration>
       <BlackBox type="LDAP" name="com.ibm.sametime.userinfo.userinfobb.UserInfoLdapBB" MaxInstances="5"/>
     </BlackBoxConfiguration>
   </UserInformation>

2. Open the Sametime server home page and log in as administrator.
   v Click Administer the Server.
   v Click Configuration - Business Card.
   v Type in the appropriate attribute values according to "Attribute names for Business Card."
   v Click Update.
3. Restart Domino.
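As an added example (not IBM's code), the following Python reads the StorageDetails entries from a constructed UserInfoConfig.xml, names the Scope value using the comment in the file, substitutes a search term into the SearchFilter with RFC 4515 escaping so the term cannot change the filter's structure, and flags a bind user configured with SslEnabled="false". The host name, bind DN and password in the sample are placeholders, and escaping treats the term as a literal, so "*" is not a wildcard here.

```python
"""Parse a Sametime UserInfoConfig.xml and build the LDAP search filter safely.

Added example for this guide, not IBM code. Assumptions: the element and
attribute names are those of the UserInfoConfig.xml shown above, and the
servlet substitutes the user's search term for every %s in SearchFilter.
"""
import xml.etree.ElementTree as ET

# Scope values documented in the comment inside UserInfoConfig.xml.
SCOPE_NAMES = {"0": "OBJECT_SCOPE", "1": "ONELEVEL_SCOPE", "2": "SUBTREE_SCOPE"}

# Constructed sample config; host name, bind DN and password are placeholders.
SAMPLE_CONFIG = """<UserInformation>
  <ReadStConfigUpdates value="true"/>
  <Resources>
    <Storage type="LDAP">
      <StorageDetails HostName="ldap.example.com" Port="389"
        UserName="cn=stbind,ou=svc,dc=example,dc=com" Password="placeholder"
        SslEnabled="false" SslPort="636" BaseDN="dc=example,dc=com" Scope="2"
        SearchFilter="(&amp;(objectclass=organizationalPerson)(|(cn=%s)(givenname=%s)(sn=%s)(mail=%s)))"/>
      <SslProperties KeyStorePath="" KeyStorePassword=""/>
      <Details>
        <Detail Id="MailAddress" FieldName="mail" Type="text/plain"/>
        <Detail Id="Name" FieldName="cn" Type="text/plain"/>
      </Details>
    </Storage>
  </Resources>
</UserInformation>
"""

# RFC 4515 escapes for values placed inside an LDAP filter. Escaping '*' makes the
# term match literally; remove that entry if wildcard searches are intended.
_FILTER_ESCAPES = {"\\": r"\5c", "*": r"\2a", "(": r"\28", ")": r"\29", "\x00": r"\00"}


def escape_filter_value(value):
    """Escape a search term so it cannot alter the structure of the filter."""
    return "".join(_FILTER_ESCAPES.get(ch, ch) for ch in value)


def build_filter(template, term):
    """Substitute the escaped term for every %s placeholder in the template."""
    return template.replace("%s", escape_filter_value(term))


def load_storage_details(xml_text):
    """Return one dict per StorageDetails element, in the order they are searched."""
    root = ET.fromstring(xml_text)
    return [dict(sd.attrib) for sd in root.iter("StorageDetails")]


def review_storage(details):
    """Return a list of configuration concerns for one StorageDetails entry."""
    findings = []
    if details.get("UserName") and details.get("SslEnabled", "false").lower() != "true":
        findings.append("bind credentials are sent over an unencrypted connection "
                        "(SslEnabled is not true)")
    if not details.get("BaseDN"):
        findings.append("BaseDN is empty; every search starts at the directory root")
    if details.get("Scope") not in SCOPE_NAMES:
        findings.append("Scope %r is not one of 0, 1, 2" % details.get("Scope"))
    return findings


if __name__ == "__main__":
    for sd in load_storage_details(SAMPLE_CONFIG):
        print(sd["HostName"], SCOPE_NAMES.get(sd["Scope"], "?"))
        print(build_filter(sd["SearchFilter"], "Victor Lazlow"))
        for finding in review_storage(sd):
            print("  -", finding)
```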

Restart the Sametime services on your Domino server


About this task
This procedure is the last of eleven associated with enabling Sametime to connect to an LDAP server if you have selected the Domino directory during the server installation. In this procedure, you restart the Sametime services on the Domino server. You can either stop the server and restart it, or just restart the Sametime services by following these steps:
1. Open the Domino server console on the Sametime/Domino server.
2. In the Domino server console, type the following command:
   For Windows, AIX, and Solaris servers:
   Load STADDIN
   For IBM i5/OS servers:
   Load STADDIN2

Replace the Domino Directory with an LDAP directory for i5/OS


About this task
During the Sametime server installation, you must specify the directory type (either Domino or LDAP) used in your Sametime community. If you select the Domino directory during the installation, and later decide you want to configure Sametime to connect to an LDAP server, use the procedure below to set up the LDAP connection from an i5/OS Sametime server to the LDAP server.

Note: Using this procedure prevents you from having to remove Sametime from the server and rerun the ADDLSTDOM command to specify the LDAP directory type and LDAP connection information.

These procedures are associated with enabling Sametime to connect to an LDAP server if you have selected the Domino directory during the server installation:
1. Shut down the Sametime services but keep the Domino services active. See "Starting and stopping a Sametime server on i5/OS."
2. Run the CHGLSTDOM command to specify LDAP connection information.
3. Start the Sametime server. See "Starting and stopping a Sametime server on i5/OS."
4. Run the name change task.
5. Configure the LDAP Directory settings in the LDAP document. (You can use either a Lotus Notes client or the Sametime Administration Tool to configure these settings.)
   Note: The Connectivity section should already be completed. Verify that the information in the other sections is correct: Basics, Authentication, Searching, and Group Contents. If necessary, complete them based on your LDAP directory.
6. Restart the Sametime server. See "Starting and stopping a Sametime server on i5/OS."

Run CHGLSTDOM command to specify LDAP connection information


About this task
Follow these steps to reconfigure an i5/OS Sametime server to connect to an LDAP directory instead of a Domino directory:
1. On any i5/OS command line, type the following and press F4:
CHGLSTDOM

2. On the "Change Sametime on Domino" display, set Directory Type to *LDAP and press Enter.
3. Complete the following fields describing your LDAP server:


Option: Name
Description: Enter the name or TCP/IP address of the LDAP server that Sametime will use. It is also possible to specify the TCP/IP address, but this is not recommended.

Option: Port
Description: Enter the IP port that Sametime will use. The default IP port for LDAP connections is 389.

Option: Bind distinguished name (DN)
Description: Enter the distinguished name of the LDAP directory entry that the Sametime server will use when binding to the LDAP directory. This is an optional parameter. If not specified, you must ensure the LDAP server is configured appropriately for anonymous access from a Sametime server.

Option: Bind password
Description: If you specified a Bind distinguished name (DN), enter the password associated with it.

Option: Administrator name (DN)
Description: Enter the distinguished name of an LDAP administrator who has authority to browse the LDAP directory. It is used when configuring policies. This parameter is optional and defaults to the same value as the Bind distinguished name.

4. Press Enter to run the command.

Note: If your server is enabled for both IPv4 and IPv6 addressing, you must manually update the sametime.ini file so that "VPS_HOST=" is set to an explicit IP address, rather than the host name, after running the CHGLSTDOM command. See "Configuring the Community Services for IPv6" for detailed instructions.

Solve token authentication problems


When an IBM Lotus Sametime server is deployed in the same environment as an application server that issues authentication tokens, authentication problems may occur.

About this task


The problem occurs when the Sametime server and the server issuing the authentication tokens use different LDAP directories to authenticate users. Several Sametime Java applet clients present an authentication token to the Sametime server when connecting to the server. These clients include the Sametime Connect for browsers client, the Sametime Meeting Room client, and Sametime Links clients. If a Web browser user first authenticates to a portal server, and then later attempts to connect to the Sametime server using one of the Sametime Java applet clients, the Sametime client connection may fail.

This problem occurs because the Sametime client sends the authentication token it received from the portal server to authenticate the connection to the Sametime server. The portal server creates this authentication token by gathering user credentials from the LDAP directory that it accesses. When the Sametime server receives this token, it extracts these user credentials and compares them to user credentials in the different LDAP directory that it accesses. The authentication fails because the user credentials do not match.

To further illustrate this token authentication problem, consider an example environment in which all of the following are true:
v A portal server is deployed and connected to a Netscape LDAP directory. In the Netscape LDAP directory, the user Victor Lazlow has a distinguished name entry of cn=Victor Lazlow,ou=People,dc=Acme,dc=com.
v A Sametime server is deployed and connected to a Domino LDAP directory. In the Domino LDAP directory, the user Victor Lazlow has a distinguished name entry of cn=Victor Lazlow,o=Acme.
v An application using Sametime Links is deployed on the portal server.

The sequence of events below illustrates the token authentication problem.
1. Victor Lazlow accesses the portal server with a Web browser and enters his user name and password. The portal server authenticates this user name and password against Victor's person entry in the Netscape LDAP directory.
2. The portal server sends a Lightweight Third Party Access (LTPA) token to Victor's Web browser. This LTPA token contains Victor's user name as specified in the Netscape LDAP directory (cn=Victor Lazlow,ou=People,dc=Acme,dc=com).
3. Victor Lazlow accesses the Sametime Links application on the portal server.
4. The Sametime Links client applet loads to Victor's Web browser and connects to the Sametime server. To authenticate this connection, the client transmits the LTPA token obtained from the portal server to the Sametime server.
5. The Sametime server extracts the user name from the LTPA token (cn=Victor Lazlow,ou=People,dc=Acme,dc=com) and compares the user name to Victor's person entry in the Domino LDAP directory (cn=Victor Lazlow,o=Acme).
6. Since the name extracted from the token is not an identical match with the name obtained from the LDAP directory, the authentication fails and Victor cannot use the Sametime Links application.

Solving the token authentication problem


About this task
Sametime 7.5 contains logic designed to solve the token authentication problem. This solution, and its configuration, is discussed below.

When the user accesses Sametime Links on the portal server, the Sametime client sends an authentication by token request to the Sametime server. This authentication by token request contains two parameters:
v The Sametime user name (cn=Victor Lazlow, o=acme in this example). This name is known by the portal server and passed to the client from the portal server.
v The LTPA token containing the user name from the directory accessed by the portal server (cn=Victor Lazlow, ou=People, dc=Acme, dc=com in this example).

Upon receiving the authentication by token request, the Sametime 7.5 server can do the following:
1. Extract the text string "Victor Lazlow" from the cn=Victor Lazlow, ou=People, dc=Acme, dc=com user name provided in the LTPA token.
2. Search the Domino directory accessed by the Sametime server to locate a directory entry containing the same user name text string (Victor Lazlow).
3. Take the Domino user ID from the Domino directory entry it locates (cn=Victor Lazlow, o=acme in this example) and compare this user ID with the Sametime user name that was received as a parameter in the authentication by token request from the client. If this comparison produces a match, the authentication by token is successful.

To configure this logic, the administrator must add two parameters to the Notes.ini file on the Sametime/Domino server. These two parameters are used by the Sametime logic to extract the user name text string ("Victor Lazlow" in this example) from the full canonical user name provided in the LTPA token. The two Notes.ini parameters are:
v ST_UID_PREFIX=
v ST_UID_POSTFIX=

Sametime uses the value of the ST_UID_PREFIX= parameter to strip out the characters that precede the user name text string that you want to extract. In this example, those characters are "cn=". Sametime uses the value of the ST_UID_POSTFIX= parameter to identify the first character that follows the user name text string that you want to extract. In this example, that character is a comma (,).

The correct configuration for the Notes.ini parameters in the example scenario described earlier is shown below:
v ST_UID_PREFIX=cn=
v ST_UID_POSTFIX=,

When configured in this way, Sametime extracts the user name by first stripping the prefix of cn= from the cn=Victor Lazlow, ou=People, dc=Acme, dc=com user name to produce the text string Victor Lazlow, ou=People, dc=Acme, dc=com. Sametime then locates the postfix character (,) and strips that character and all characters that follow it from the user name string. In this example, Sametime would strip the text string ,ou=People, dc=Acme, dc=com from the user name to produce the text string of "Victor Lazlow." Sametime then searches the directory it accesses and performs the authentication by token as discussed earlier.
Notes:
v If the ST_UID_PREFIX= and ST_UID_POSTFIX= parameters do not exist in the Notes.ini file, Sametime compares the user name taken from the LTPA token (cn=Victor Lazlow, ou=People, dc=Acme, dc=com in this example) to the user name it receives as a parameter in the authentication by token request (cn=Victor Lazlow, o=Acme in this example).
v In some complex directory environments, or in environments in which the token authentication logic is customized, the out-of-the-box solution provided with Sametime 7.5 may not be adequate for the authentication to succeed as discussed above. In these environments, it is possible to create a custom DLL to compare the name received in an LTPA authentication token to the name received as a parameter in the authentication by token request.
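The prefix and postfix stripping and the comparison described above, as an added example in Python (not Sametime's code): the Domino directory is simulated with a dict from the extracted name text to the Domino user ID, and DN comparison is assumed to ignore case and the spaces after commas, as the example names are written both ways in the text.

```python
"""Sametime authentication-by-token name matching with ST_UID_PREFIX / ST_UID_POSTFIX.

Added example written for this guide; it is not IBM's implementation.
Assumptions: the Domino directory is a dict mapping the extracted user name
text to the Domino user ID, and DN comparison ignores case and the spaces
that follow commas (the guide writes the same entry both ways).
"""


def read_notes_ini(text):
    """Return ST_UID_PREFIX and ST_UID_POSTFIX from Notes.ini text (None if absent)."""
    values = {"ST_UID_PREFIX": None, "ST_UID_POSTFIX": None}
    for line in text.splitlines():
        key, sep, val = line.partition("=")
        if sep and key.strip() in values:
            values[key.strip()] = val  # not stripped: the postfix is a single ','
    return values


def extract_uid(token_name, prefix, postfix):
    """Strip the prefix, then the postfix character and everything after it."""
    name = token_name
    if prefix and name.startswith(prefix):
        name = name[len(prefix):]
    if postfix:
        cut = name.find(postfix)
        if cut != -1:
            name = name[:cut]
    return name


def normalize_dn(dn):
    """Canonical form for comparison: lowercase, no blanks around commas."""
    return ",".join(part.strip().lower() for part in dn.split(","))


def authenticate_by_token(client_name, token_name, ini_values, directory):
    """Return True if the LTPA token name resolves to the client-supplied Sametime name.

    client_name: Sametime user name passed by the portal server to the client.
    token_name:  user name carried in the LTPA token (portal's LDAP directory).
    directory:   stand-in for the Domino directory {name text: Domino user ID}.
    """
    prefix = ini_values.get("ST_UID_PREFIX")
    postfix = ini_values.get("ST_UID_POSTFIX")
    if prefix is None and postfix is None:
        # Without the parameters, the token name is compared with the client name as-is.
        return normalize_dn(token_name) == normalize_dn(client_name)
    uid_text = extract_uid(token_name, prefix, postfix)
    domino_id = directory.get(uid_text)
    return domino_id is not None and normalize_dn(domino_id) == normalize_dn(client_name)


# Constructed scenario matching the Victor Lazlow example in the text.
NOTES_INI = "ST_UID_PREFIX=cn=\nST_UID_POSTFIX=,\n"
DOMINO_DIRECTORY = {"Victor Lazlow": "cn=Victor Lazlow,o=Acme"}
TOKEN_NAME = "cn=Victor Lazlow, ou=People, dc=Acme, dc=com"
CLIENT_NAME = "cn=Victor Lazlow, o=acme"

if __name__ == "__main__":
    ini = read_notes_ini(NOTES_INI)
    print("extracted:", extract_uid(TOKEN_NAME, ini["ST_UID_PREFIX"], ini["ST_UID_POSTFIX"]))
    print("with parameters:", authenticate_by_token(CLIENT_NAME, TOKEN_NAME, ini, DOMINO_DIRECTORY))
    print("without parameters:", authenticate_by_token(CLIENT_NAME, TOKEN_NAME, {}, DOMINO_DIRECTORY))
```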

Chapter 17. Managing Sametime users

227

Manage buddy lists and privacy lists


If you make changes to user names or group names in the LDAP directory, you must run the Name Conversion Utility to ensure these same name changes are made in the buddy lists and privacy lists that display in the Sametime Connect client. The buddy list and privacy list names are stored in a Domino database (vpuserinfo.nsf) and must be managed separately from the names in the LDAP directory. For more information, see the section on Changing names on page 256 later in this document.


Use Java classes to customize LDAP directory searches


About this task
This section explains how you can write Java classes that provide greater control over how the Sametime server conducts user name and group name searches of an LDAP directory. You can also write a Java class that controls how user names returned from LDAP directory searches are formatted. This section includes these topics:

• Using a Java class to control directory searches for people and groups
• Using a Java class to control the format of user names returned by directory searches

Controlling directory searches for people and groups using a Java class
In some LDAP directory environments, the LDAP directory schema may be too complex to use a single search filter to select user names (or group names) from the LDAP directory. Writing a Java class can ensure that the search capability functions exactly as needed for a particular directory schema.

The "Search filter for resolving person names" and the "Search filter for resolving group names" settings in the LDAP directory settings of the Sametime Administration Tool define the LDAP directory search filters responsible for selecting user and group names from the LDAP directory. If a single search filter is not adequate to resolve user name (or group name) searches, you can write a Java class containing a method that specifies exactly how directory searches are conducted. This Java class can invoke different LDAP search filters depending on the search criteria entered by the end user.

The following example illustrates the extent to which you can control searching behavior when you use a Java class for this purpose. This example assumes that three different users want to add the user Victor Lazlow to their Sametime Connect buddy lists. Each of the three users searches for Victor Lazlow in a different way. The logic of the Java class dictates the results of these three user searches.

• User 1 enters "Victor L*" into the Sametime client user interface to add Victor Lazlow to the buddy list. This search attempt returns an error because the Java class is programmed to return an error when the user enters a text string that includes an asterisk.
• User 2 enters "Victor_Lazlow@acme.com" into the Sametime client interface. This search attempt succeeds and returns the value "Victor_Lazlow@acme.com" (Victor Lazlow's e-mail address) from the LDAP directory. The search attempt succeeds in this way because the Java class is programmed to return an LDAP search filter that can resolve an LDAP directory search to a user's e-mail address. The Java class returns this e-mail address search filter if the search text string entered by the end user includes the "at" character (@).
• User 3 enters "Victor L" into the Sametime client interface. This search attempt succeeds and returns the common name (cn) directory attribute of "Victor Lazlow." The search attempt succeeds in this way because the Java class is programmed to return an LDAP search filter that can resolve an LDAP directory search to a user's common name (cn). The Java class returns this common name search filter if the search text string entered by the end user does not include either an asterisk or "at" (@) character.

When using a Java class to control the directory searching behavior, you write the Java class so that it provides the searching behavior desired for your particular LDAP directory schema. The search behavior is not limited to the behavior described in the example above; the behavior is controlled by the code you write.

Attention: When you use this feature on IBM AIX, Linux, or Solaris, there are two limitations:

• Your Sametime server must be hosted on Lotus Domino release 8.0 or later.
• You must compile your class using Java 1.5 or later (earlier versions are not supported).

To use a custom Java class to control the LDAP directory searching behavior, you must perform the following procedures:

1. Write a Java source code file containing the Java class and method that defines the searching behavior.
2. Compile the source code file and copy the resulting Java class file to the Sametime server computer.
3. Update the Sametime.ini file parameters.
4. Enter the Java class and method name in the Sametime Administration Tool.

Each of these procedures is described below.

Writing a Java source code file containing the Java class and method that defines the searching behavior
Writing a Java source code file containing the Java class and method that defines the searching behavior is the first of four steps required to use a Java class to control LDAP directory searches for people and groups. The specific source code that you write to support customized LDAP searches is entirely dependent on your environment. This section provides a code sample to help you understand how to write the Java class appropriate for your environment.

Note: The Java code that you write must be compatible with the Java Run-Time Environment (JRE 1.4.2).

In this example, you write a Java class consisting of a Java method that invokes different LDAP directory search filters based on the text string that is entered into the Sametime user interface by an end user. The search filters invoked by the method are dependent on the directory schema and the search behavior needed for the environment.

The code sample below shows the Java source code that produces the search behavior described in the example of the three different user searches discussed earlier in this section. This code creates a Java class named "StLdapCustomized" that includes the "peopleResolveFilter" method. The if statements in the peopleResolveFilter method examine the text string entered by the user in the Sametime client user interface and return the appropriate LDAP search filter based on this text string. The comments in the source code explain the purpose of each if statement.

public class StLdapCustomized {
    /**
     * Generates a search filter for finding a user, given the user's
     * name.
     *
     * @param name The user's name as provided by the Sametime client.
     * @return The search filter, or null if the name is invalid.
     */
    public static String peopleResolveFilter(String name) {
        // nothing to search for
        if (name == null)
            return null;
        // prevent users from adding their own wildcards
        if (name.indexOf('*') != -1)
            return null;
        // if name looks like e-mail, do not search with wildcards
        if (name.indexOf('@') != -1)
            return "(&(objectclass=person)(mail=" + name + "))";
        // otherwise, search as CN with wildcard
        return "(&(objectclass=person)(cn=" + name + "*))";
    }
}

If you also want to customize searches for groups, you must write a similar Java source code file that contains the logic you want to employ for group searches.

Note: You do not have to write Java classes to control the search behavior for both users and groups. You can use a Java class to control the search behavior for users while using a single LDAP search filter to control the search behavior for groups, or vice versa.
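A hardened variant of the sample above, added here as an example and not part of the Sametime documentation or product code. The sample only rejects "*", so any "(", ")" or "\" in the typed text is concatenated into the filter as filter syntax; this version escapes the typed value as RFC 4515 requires before splicing it in, so the server always reads it as a value. The class name, the method bodies and the groupOfNames object class used for the group variant are assumptions.

```java
/**
 * Added example, not the sample class from the text: the same three-way
 * search logic as StLdapCustomized.peopleResolveFilter(), with the typed
 * text escaped per RFC 4515 before it is placed in the filter. Kept to
 * Java 1.4 syntax (StringBuffer, no generics). Class name is hypothetical.
 */
public class StLdapCustomizedSafe {

    /**
     * Escapes one assertion value as RFC 4515 section 3 requires: the
     * characters "*", "(", ")", "\" and NUL become a backslash followed by
     * two hex digits. Everything else passes through unchanged.
     */
    public static String escapeFilterValue(String value) {
        StringBuffer sb = new StringBuffer(value.length());
        for (int i = 0; i < value.length(); i++) {
            char c = value.charAt(i);
            switch (c) {
                case '\\': sb.append("\\5c"); break;
                case '*':  sb.append("\\2a"); break;
                case '(':  sb.append("\\28"); break;
                case ')':  sb.append("\\29"); break;
                case '\0': sb.append("\\00"); break;
                default:   sb.append(c);
            }
        }
        return sb.toString();
    }

    /**
     * Generates a search filter for finding a user from the text typed into
     * the Sametime client, or null when the text is not acceptable.
     */
    public static String peopleResolveFilter(String name) {
        if (name == null || name.length() == 0) {
            return null;                       // nothing to search for
        }
        // prevent users from adding their own wildcards (as in the sample)
        if (name.indexOf('*') != -1) {
            return null;
        }
        String value = escapeFilterValue(name);
        // if name looks like e-mail, do not search with wildcards
        if (name.indexOf('@') != -1) {
            return "(&(objectclass=person)(mail=" + value + "))";
        }
        // otherwise, search as CN; the only wildcard is the one appended here
        return "(&(objectclass=person)(cn=" + value + "*))";
    }

    /**
     * The group-search counterpart the text mentions. groupOfNames is an
     * assumption; use the object class your directory schema defines for groups.
     */
    public static String groupResolveFilter(String name) {
        if (name == null || name.length() == 0 || name.indexOf('*') != -1) {
            return null;
        }
        return "(&(objectclass=groupOfNames)(cn=" + escapeFilterValue(name) + "*))";
    }

    public static void main(String[] args) {
        // the three searches from the text, plus a name that contains parentheses
        String[] inputs = { "Victor L*", "Victor_Lazlow@acme.com", "Victor L", "Lazlow (Victor)" };
        for (int i = 0; i < inputs.length; i++) {
            System.out.println(inputs[i] + " -> " + peopleResolveFilter(inputs[i]));
        }
        System.out.println("group 'Acme Sales' -> " + groupResolveFilter("Acme Sales"));
    }
}
```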


Compiling the source file and copying the Java class file to the Sametime server computer
Compiling the source file and copying the Java class file to the Sametime server computer is the second of four steps required to use a custom Java class to control LDAP directory searches for people and groups. To complete this step, perform these procedures:

1. Compile the Java source code file to produce the Java class file. AIX, Linux, Solaris: You must use Java 1.5, available in Lotus Domino 8.0 and later. This example assumes that you compile the sample source code from the previous step to produce a Java class file named "StLdapCustomized.class."
2. Copy the compiled class file (StLdapCustomized.class) to the "java" subdirectory of the Sametime server installation directory. In a default Sametime server installation, the correct directory path for the class file is:
c:\Lotus\Domino\java.

Note: You should copy the Java class file to the C:\Lotus\Domino\java location because this is the default class path specified for the Meeting Services in the Windows registry settings. Copying the class file to this location ensures that LDAP directory searches conducted from both Meeting Services clients and Community Services clients will return user names in the programmed format.

Linux: Limiting the number of open files


Note: This step is required; it loads the JVM library for Custom Java classes for the Sametime server. After 1000 or more users log in to the Linux server, the following exception may appear in the SystemOut.log, and no more users can log in:
[3/3/08 11:09:46:701 EST] 0000109d exception E com.ibm.ws.wim.adapter.ldap.LdapConnection getDirContext CWWIM4520E The 'javax.naming.CommunicationException: pir02pc27.westford5.notesdev.ibm.com:389 [Root exception is java.net.SocketException: Too many open files]' naming exception occurred during processing.
[3/3/08 11:09:46:738 EST] 0000109d exception E com.ibm.ws.wim.adapter.ldap.LdapConnection getDirContext com.ibm.websphere.wim.exception.WIMSystemException: CWWIM4520E The 'javax.naming.CommunicationException: pir02pc27.westford5.notesdev.ibm.com:389 [Root exception is java.net.SocketException: Too many open files]' naming exception occurred during processing.

This problem is caused when a high number of concurrent users get a connection to the Lotus Sametime server. Java opens many files and Lotus Sametime uses a lot of file descriptors. Eventually, the server runs out of file descriptors. You can fix this by editing the file descriptor limit in the limits configuration file in Linux as follows.

1. Use a text editor and open /etc/security/limits.conf.
2. Add the following lines. The first column is the domain the limit applies to; "*" applies it to every user, or you can name the user account that runs the Domino server instead:

*    soft    nofile    65535
*    hard    nofile    65535

3. Save the file.
4. Restart the server.


Updating the sametime.ini file parameters


Updating the Sametime.ini file Java parameters is the third of four steps required to use a custom Java class to control LDAP directory searches for people and groups. In this procedure, you update the ST_JAVA_CLASS_PATH and ST_JAVA_JVM_PATH parameters in the Sametime.ini file on the Sametime server. This step ensures that the Sametime Community Services class path and JVM location settings are configured appropriately for the environment.

The ST_JAVA_CLASS_PATH parameter must specify the location of the Java class file copied in the previous step (c:\Lotus\Domino\java\StLdapCustomized.class in this example). The ST_JAVA_JVM_PATH parameter should specify the location of the jvm.dll file used by the Sametime Meeting Services. By default, the Meeting Services use the jvm.dll file located at c:\Lotus\Domino\ibm-jre\jre\bin\classic\jvm.dll.

To update the Sametime.ini file:

1. Use a text editor to open the Sametime.ini file located in the C:\Lotus\Domino directory.
2. In the [Config] section of the Sametime.ini file, ensure that the ST_JAVA_CLASS_PATH parameter specifies the "java" subdirectory of the Sametime server installation directory (default C:\Lotus\Domino\java), as shown in the example below.

ST_JAVA_CLASS_PATH=C:\Lotus\Domino\StConfig.jar;C:\Lotus\Domino\StConfigXml.jar;C:\Lotus\Domino\xerces.jar;C:\Lotus\Domino\java

3. Still in the [Config] section, ensure that the ST_JAVA_CUSTOM_PATH parameter specifies the location of the custom class (default C:\Lotus\Domino\java), as shown in the example below.
ST_JAVA_CUSTOM_PATH=C:\Lotus\Domino\java

4. Also in the [Config] section, ensure that the ST_JAVA_JVM_PATH parameter specifies the directory path to the jvm.dll file on the Sametime server that is used by the Meeting Services. For example, on Windows the recommended setting for the ST_JAVA_JVM_PATH parameter is:
ST_JAVA_JVM_PATH=C:\Lotus\Domino\ibm-jre\jre\bin\classic\jvm.dll

On Solaris, the recommended setting for this parameter is:


ST_JAVA_JVM_PATH=ibm-jre/lib/sparc/server/libjvm.so

Note: The Community Services loads the JVM specified by the ST_JAVA_JVM_PATH parameter in the Sametime.ini file. In some circumstances, the Meeting Services may load the JVM before the Community Services does. Specifying the same JVM for both of these services ensures consistent searching behavior for both Community Services and Meeting Services clients, regardless of which service loads the JVM.

5. (AIX only) If your Lotus Sametime Community server is hosted on IBM AIX, add this statement to the same section of the file:

ST_JAVA_CUSTOM_JVM_PATH=java_jvm_install_path/lotus/notes/80020/ibmpow/jvm/bin/classic/libjvm.so

where java_jvm_install_path indicates the path where the Java JVM is installed.

6. Save and close the Sametime.ini file.


Enter the Java class and method name in the Sametime Administration Tool
Entering the Java class and method name in the Sametime Administration Tool is the last of four steps required to use a custom Java class to control LDAP directory searches for people and groups. In this procedure, you enter the Java class name and method name into the "Search filter for resolving person names" setting in the LDAP directory settings of the Sametime Administration Tool. Use the format "Classname.methodname()" when entering the Java class name and method name into the "Search filter for resolving person names" setting. Following our earlier example, you would enter "StLdapCustomized.peopleResolveFilter()" in the "Search filter for resolving person names" setting. Follow the instructions below:

1. From the Sametime server home page, click Administer the Server to open the Sametime Administration Tool.
2. Choose LDAP Directory - Searching.
3. In the "Search settings for server" drop-down list, select the LDAP server that contains the LDAP directory for which you want to modify the "Search filter for resolving person names" setting.
4. In the "Search filter for resolving person names" setting, enter the class name and method name in the format "Classname.methodname()." Following our earlier example, you would enter StLdapCustomized.peopleResolveFilter() in the "Search filter for resolving person names" setting.
5. If you have also created a Java class to define the group search behavior, enter the "Classname.methodname()" for group searches in the "Search filter for resolving group names" setting.
6. Click Update and restart the server for the changes to take effect.

Using a Java class to control the format of user names returned in LDAP directory searches
About this task
You can write a Java class to control the format of user names returned in LDAP directory searches. In a typical Sametime deployment, the "The attribute of the person entry that defines the user's name" setting in the LDAP Directory settings of the Sametime Administration Tool controls the format of the user name that is returned by an LDAP directory search. In most environments, the value of the "The attribute of the person entry that defines the user's name" setting can specify a common LDAP directory attribute, such as cn (common name) or mail (e-mail address). When configured in this way, the search returns the value assigned to a user's cn or mail directory attribute and displays this value in the Sametime client user interface.

Some environments may require LDAP directory searches to return a user name in a format that is not available in an LDAP directory entry attribute. In this case, you can write a Java class that manipulates existing information in the LDAP directory to produce the user name in the desired format. For example, you might write a Java class that combines the values of two LDAP directory attributes to produce the user name in a desired format. Or, you can write a Java class that edits the information in a single LDAP directory attribute to produce the user name in a format that is different than the value specified by the attribute.

Attention: When you use this feature on IBM AIX, Linux, or Solaris, there are two limitations:

• Your Sametime server must be hosted on Lotus Domino release 8.0 or later.
• You must compile your class using Java 1.5 or later (earlier versions are not supported).

To illustrate this feature, consider an example environment in which all of the following are true:

• LDAP searches must return a user name in the format LastName, FirstName (for example: Smith, John).
• None of the LDAP directory attributes specify the user name in the LastName, FirstName format.
• The LDAP directory attribute sn specifies each user's last name.
• The LDAP directory attribute givenName specifies each user's first name.

In this example, you can write a Java class that takes values from the sn and givenName directory attributes and combines these values into a single display name in the format of LastName, FirstName. You can then configure the Sametime server to use this Java class to return the names in that format when the LDAP directory is searched.

To use a custom Java class to control the LDAP directory searching behavior, you must perform the following procedures.

Note: These procedures are very similar to the procedures discussed in the Using a custom Java class to control LDAP directory searches for people and groups topic earlier in this chapter.

1. Write the Java source code file that returns the user name.
2. Compile the source code file and copy the resulting Java class file to the Sametime server.
3. Update the Sametime.ini file.
4. Enter the Java class and method name in the Sametime Administration Tool LDAP directory settings.

Each of these procedures is described below.

Writing the Java source code file that returns the user name

About this task

Writing the Java source code file that returns the user name is the first of four steps required to use a custom Java class to control the format of user names returned in LDAP directory searches. The specific source code that you write to support customized LDAP searches is entirely dependent on the user name requirements of your environment. This section provides a code sample to help you understand how to write the Java class appropriate for your environment.


Note: The Java code that you write must be compatible with the Java Run-Time Environment (JRE 1.4.2).

The code sample below shows the code you might use to combine values stored in the sn and givenName LDAP directory entry attributes into a single display name in the format of LastName, FirstName.

public class StLdapCustomizedAttributes {
    // Sametime passes the values of the attributes named in the
    // Administration Tool setting, in the order they are listed there.
    public static String displayName(String givenName, String sn) {
        String result = sn + ", " + givenName;
        return result;
    }
}

Compiling the source file and copying the Java class file to the Sametime server

About this task

Compiling the source file and copying the Java class file to the Sametime server is the second of four steps required to use a Java class to control the format of user names returned in LDAP directory searches. To complete this step, perform these procedures:

1. Compile the Java source code file to produce the Java class file. This example assumes you compile the source code file example from the previous procedure to produce a Java class file named "StLdapCustomizedAttributes.class."
2. Copy the compiled class file (StLdapCustomizedAttributes.class) to the "java" subdirectory of the Sametime server installation directory. In a default Sametime server installation, the correct directory path for the class file is:
c:\Lotus\Domino\java.

Note: You should copy the Java class file to the C:\Lotus\Domino\java location because this is the default class path specified for the Meeting Services in the Windows registry settings. Copying the class file to this location ensures that LDAP directory searches conducted from both Meeting Services clients and Community Services clients will return user names in the programmed format.

Update the Sametime.ini file

About this task

Updating the Sametime.ini file is the third of four steps required to use a custom Java class to control the format of user names returned in LDAP directory searches. In this procedure, you update the ST_JAVA_CLASS_PATH and the ST_JAVA_JVM_PATH parameters in the Sametime.ini file on the Sametime server.

This step ensures that the Sametime Community Services class path and JVM location settings are configured appropriately for the environment. The ST_JAVA_CLASS_PATH parameter must specify the location of the Java class file copied in the previous step (c:\Lotus\Domino\java\StLdapCustomizedAttributes.class in this example). The ST_JAVA_JVM_PATH parameter should specify the location of the jvm.dll file used by the Sametime Meeting Services. By default, the Meeting Services use the jvm.dll file located at c:\Lotus\Domino\ibm-jre\jre\bin\classic\jvm.dll.

To update the Sametime.ini file:

1. Use a text editor to open the Sametime.ini file located in the C:\Lotus\Domino directory.
2. (AIX, Linux, Solaris only) In the [Config] section, add the following statement:

ST_JAVA_CUSTOM_PATH=path_to_custom_class

where path_to_custom_class is the path to the directory where the customized class can be found; this defaults to the /lotus/domino/data/java directory.

3. Still in the [Config] section, ensure that the ST_JAVA_CLASS_PATH parameter specifies the java subdirectory of the Sametime server installation directory (default C:\Lotus\Domino\java), as shown in the example below:

ST_JAVA_CLASS_PATH=C:\Lotus\Domino\StConfig.jar;C:\Lotus\Domino\StConfigXml.jar;C:\Lotus\Domino\xerces.jar;C:\Lotus\Domino\java

4. Also in the [Config] section, ensure that the ST_JAVA_JVM_PATH parameter specifies the directory path to the jvm.dll file on the Sametime server that is used by the Meeting Services. The recommended setting for the ST_JAVA_JVM_PATH parameter is:
ST_JAVA_JVM_PATH=C:\Lotus\Domino\ibm-jre\jre\bin\classic\jvm.dll

Note: The ST_JAVA_JVM_PATH parameter specifies the path to the JVM loaded by the Community Services. Either the Community Services or the Meeting Services can load the JVM. Specifying the same JVM for both of these services ensures consistent searching behavior for both Community Services and Meeting Services clients, regardless of which of these services loads the JVM.

5. Save and close the Sametime.ini file.

Enter the Java class and method name in the Sametime Administration Tool LDAP Directory settings

About this task

Entering the Java class and method name in the Sametime Administration Tool LDAP Directory settings is the last of four steps required to use a Java class to control the format of user names returned in LDAP directory searches. In this procedure, you enter the Java class and method name into "The attribute of the person entry that defines the user's name" setting in the LDAP Directory settings of the Sametime Administration Tool. Use the format "Classname.methodname()" when entering the Java class name and method name in the Sametime Administration Tool setting. Following our earlier example, you would enter the class name and method name as "StLdapCustomizedAttributes.displayName(givenName, sn)."


Follow the instructions below:

1. From the Sametime server home page, click the "Administer the Server" link to open the Sametime Administration Tool.
2. Choose LDAP Directory - Basics.
3. In the "Search settings for server" drop-down list, select the LDAP server that contains the LDAP directory for which you want to modify the "The attribute of the person entry that defines the user's name" setting.
4. In the "The attribute of the person entry that defines the user's name" setting, type the class name and method name in the format classname.methodname(). For example:
StLdapCustomizedAttributes.displayName(givenName, sn)

5. Click Update and restart the server for the change to take effect.

Setting user policy with Sametime


The IBM Lotus Sametime Connect Client is a Java application that uses the Eclipse-based IBM Lotus Expeditor, which provides features and extensibility that allow partners, independent software vendors, and IBM developers to integrate additional features that extend Lotus Sametime's capabilities. Because Sametime Instant Messaging and Instant Meetings provide many features, you, as administrator, can set policy that gives users access to these features according to their level of need. For example, the maximum size for a file being transferred is set by default at 1 megabyte to help manage traffic over the servers; however, if you have a group that routinely transfers large files for business reasons, you can set the maximum size of the files they send much higher.

What's covered in Sametime Policy


All users are assigned to a default Sametime Policy which allows users to transfer files. You, as administrator, can define the default policy to be applied to all the users and all the servers in the Sametime community. On the Default policy page, check the checkboxes under "Override setting for all policies" to quickly apply new settings to all existing policies. Policies work in conjunction with settings on the Configuration - Community Services page of the Administration Tool.

What's covered in this section:

• About Policy assignment
• Configuring the server for Policy
• Policy search filters
• Settings for Community Services
• Policy setting table
• Setting new Policy for specific groups
• Assigning users and groups to Policy/Groups
• Policy and LDAP

Note: Policy changes take effect after the Policy service is restarted or after a configurable timeout. The changes should be replicated to all servers in the Sametime community.


About Policy assignment


Users and groups can be assigned to a user policy. Default policy settings have no user or group assignment. When the Sametime Policy service calculates policy for a specific user, it applies to that user the Default policy if no other policy can be found for that user. To access the Policy page, log in as Administrator, select Administer the server, and select Policy in the left-hand contents pane. All users are automatically assigned to a default policy. You, as Administrator, can create non-default user policies, and assign users and groups to these policies. Users can be assigned to more than one policy. If a user belongs to more than one policy, follow the policy setting table for specifics. Custom policy settings can be designed for specific groups in the company, and default policy can be inherited or assigned. Policy changes take effect after the Policy service is restarted or after a configurable timeout. The changes should be replicated to all servers in the Sametime community. Note: The policies for users work in conjunction with settings on the Configuration - Community Services page of the Administration tool.

Configuring the server for Policy


The Sametime Policy service provides user policy information to client and server applications through the Sametime Community system. Policy includes a mechanism for calculating the user policies of authorized users (those who have a record in the organization Directory database) according to their group membership in the Directory. As Administrator, you define a set of mandatory policy attributes that are assigned to all Sametime users by default (if no other policy is found). To allow different permissions for some users and groups, you can create any number of policy sets that hold the same policy attributes with different values and assign them to Sametime users and public groups.

Policy governs what features are available to users in both Community Services and in Meeting Services. Some of these features include:

• Instant video meetings
• IP telephony
• File transfer
• File types that cannot be transferred
• Instant messaging gateways with hostname and port
• Scheduling online meetings
• IP audio for instant meetings
• IP video for instant meetings
• IP telephony for meetings
• Polling


There are two basic types of policy: the default policy to which all users are initially assigned and a new policy, which you can name and custom-define for users or groups, depending upon what kinds of features they need to carry out their jobs. Meeting services features are not included in Lotus Sametime Entry, Lotus Sametime Limited Use, and Sametime offerings that do not support web conferencing.

Policy search filters


About this task
Search filters are available from the LDAP Directory - Searching page. These filters use information about people and groups that is held in the Domino Lightweight Directory Access Protocol (LDAP) directory or in the IBM LDAP directory. The filters for searching for people and groups in Policy are similar to those used for searching for people and groups in LDAP. To access the Policy search filters, follow these steps:

1. Log in as "Administrator."
2. Click Administer the Server.
3. In the left-hand Navigation pane, click LDAP Directory - Searching.

Results
These actions bring you to LDAP Directory - Searching. On this page, the top two search filter settings are for LDAP, and the lower two search filter settings are for Policy. The most effective policy search through the LDAP Directory may be using a memberOf attribute. In this case, the Policy filter field contains this attribute name, so if your LDAP Server provides the memberOf attribute, you should know how to configure the use of this feature.

Policy setting table


Below is a table that shows how a user's access to features may behave if he or she is assigned to more than one policy. Sametime Policy calculates the user's effective policy according to the policy assignment and according to his or her public group membership in the organization Directory. Sametime Policy can resolve policy conflicts when two or more policies are applied to the same user. In this case, Policy uses a "strict" approach following the rules in the Policy Setting Table. Certain attributes should be regarded as pairs. They require a specific policy conflict-resolving algorithm; for example, the File Transfer result value depends upon the File Transfer Allowed value: if File Transfer is disallowed, the resolved File Transfer size is zero, regardless of the Policy A and Policy B file transfer size. Excluded file types depends upon the 'Use excluded file types list' flag. In addition, the common strict algorithm should not concern Use Excluded File Types List. This flag resolves as false only if all the policies maintain a false value for this attribute. In the case of an unknown attribute, a merge occurs by type:

• Lists are combined into a union of all values.
• Booleans are AND-merged.
• Numerics resolve to the value with the least magnitude.

For excluded file types, Policy follows the union of rights. For example, if policy A lists the excluded file extension exe and policy B lists the extensions gif, jpg, png, and bmp, a user assigned to both policies is unable to send files with any of the extensions exe, gif, jpg, png, and bmp (the union).

Note: The policy attribute "Must set this community as the default community" has a default value of enabled. This setting will prevent you from connecting to multiple communities. Disable this policy attribute if you want to allow your clients to connect to multiple communities. If you connect to only one community, the default should remain enabled.

When a user is assigned to more than one policy, the table below shows how the ensuing conflicts are resolved.
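The merge rules just described, applied to two conflicting policies, as an added example that is not code from the Sametime Policy service. It models only the attributes whose rules the text states (the paired file transfer flag and size, the excluded file types list and its flag, and one ordinary boolean and numeric attribute); field names and sample values are constructed, and the table that follows remains the reference for the other attributes.

```java
import java.util.Set;
import java.util.TreeSet;

/**
 * Added example, not Sametime code: the "strict" conflict resolution the text
 * describes, for a user assigned to two policies. Field names are hypothetical.
 * Rules modelled: ordinary booleans AND, ordinary numerics take the smallest
 * value, lists take the union, the transfer size pairs with the transfer flag
 * (zero when transfer is disallowed), and "use excluded file types list" is
 * false only when every policy says false.
 */
public class PolicyResolver {

    public static class Policy {
        boolean allowFileTransfer;
        int maxFileTransferKb;                 // paired with allowFileTransfer
        boolean useExcludedFileTypesList;
        Set excludedFileTypes = new TreeSet(); // lower-case extensions
        boolean allowScreenCaptures;           // an ordinary boolean attribute
        int maxImageSizeKb;                    // an ordinary numeric attribute

        Policy() { }

        Policy(boolean allowFileTransfer, int maxFileTransferKb,
               boolean useExcludedFileTypesList, String[] excluded,
               boolean allowScreenCaptures, int maxImageSizeKb) {
            this.allowFileTransfer = allowFileTransfer;
            this.maxFileTransferKb = maxFileTransferKb;
            this.useExcludedFileTypesList = useExcludedFileTypesList;
            for (int i = 0; i < excluded.length; i++) {
                excludedFileTypes.add(excluded[i].toLowerCase());
            }
            this.allowScreenCaptures = allowScreenCaptures;
            this.maxImageSizeKb = maxImageSizeKb;
        }
    }

    /** Resolves two policies into the effective policy; fold pairwise for more than two. */
    public static Policy resolve(Policy a, Policy b) {
        Policy r = new Policy();
        // Paired attributes: the size is meaningless once transfer is disallowed.
        r.allowFileTransfer = a.allowFileTransfer && b.allowFileTransfer;
        r.maxFileTransferKb = r.allowFileTransfer
                ? Math.min(a.maxFileTransferKb, b.maxFileTransferKb) : 0;
        // Exception to the boolean rule: false only if all policies are false.
        r.useExcludedFileTypesList = a.useExcludedFileTypesList || b.useExcludedFileTypesList;
        // Lists: union of all values.
        r.excludedFileTypes.addAll(a.excludedFileTypes);
        r.excludedFileTypes.addAll(b.excludedFileTypes);
        // Ordinary boolean and numeric attributes.
        r.allowScreenCaptures = a.allowScreenCaptures && b.allowScreenCaptures;
        r.maxImageSizeKb = Math.min(a.maxImageSizeKb, b.maxImageSizeKb);
        return r;
    }

    /** Applies the effective policy to one outgoing file transfer. */
    public static boolean mayTransfer(Policy p, String fileName, int sizeKb) {
        if (!p.allowFileTransfer || sizeKb > p.maxFileTransferKb) {
            return false;
        }
        if (p.useExcludedFileTypesList) {
            int dot = fileName.lastIndexOf('.');
            String ext = dot == -1 ? "" : fileName.substring(dot + 1).toLowerCase();
            if (p.excludedFileTypes.contains(ext)) {
                return false;
            }
        }
        return true;
    }

    public static void main(String[] args) {
        // Constructed values. Policy A: transfers up to 10 MB, excludes exe;
        // Policy B: up to the 1 MB default mentioned above, excludes image types.
        Policy a = new Policy(true, 10240, true, new String[] { "exe" }, true, 500);
        Policy b = new Policy(true, 1024, false, new String[] { "gif", "jpg", "png", "bmp" }, false, 300);
        Policy effective = resolve(a, b);
        System.out.println("max transfer kb: " + effective.maxFileTransferKb);
        System.out.println("excluded types: " + effective.excludedFileTypes);
        System.out.println("report.pdf, 900 kb: " + mayTransfer(effective, "report.pdf", 900));
        System.out.println("photo.JPG, 200 kb: " + mayTransfer(effective, "photo.JPG", 200));
        System.out.println("setup.exe, 50 kb: " + mayTransfer(effective, "setup.exe", 50));
    }
}
```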
Policy attribute | Policy A | Policy B | User access
Must set this community as default community | yes | no | yes
Allow file transfer | no | yes | no
Auto-save chat transcripts; days to save history | yes; 30 days | no | no
Use excluded file types list | yes | no | yes
Excluded file types | exe | (none) | exe (union)
Use excluded file types list | yes | yes | yes
Excluded file types | exe | gif, jpg, png, bmp | exe, gif, jpg, png, bmp (union)
Allow telephony for contact lists, instant messaging, and instant meetings | no | yes | no
Allow users to create instant meetings and breakout sessions | yes | no | depends upon the policy of the user in the meeting
Allow Sametime IP audio and video for instant meetings and breakout sessions | no | IP audio only | no
Allow Sametime IP audio and video for instant meetings and breakout sessions | IP audio only | IP audio and video | IP audio only
Allow participation in meeting room chats | yes | no | depends upon the policy of the user in the meeting
Allow screen sharing | Entire screen | Application only | Application only
Allow screen sharing | No | Entire screen | No
Allow user to control another user's shared screen | No | Yes | No
Allow to save chat transcripts | yes | no | no
Allow to automatically save chat transcripts; days* | yes; 60 | yes; 365 | 60
Allow client-to-client voice call | yes | no | no
Allow client-to-client voice call | no | no | no
Set UDP port for voice chat | 20830 | 20832 | not applicable; forced to inherit default policy setting
Allow client-to-client video call | yes | yes | yes
Allow client-to-client video call | no | no | no
Video bit rate (kilobits per second) | 64 | 32 | 32
Video bit rate (kilobits per second) | NA | 32 | NA
Set UDP port for video chat | 20830 | 20832 | not applicable; forced to inherit default policy setting
Allow custom emoticons | no | yes | no
Allow screen captures and images | yes | no | no
Set maximum image size for custom emoticons, screen captures, and in-line images | yes; 500 kb | yes; 300 kb | 300 kb
Allow connections from mobile clients | yes | no | no
Allow user to add multiple communities | yes | no | no
Allow user to connect to external communities | yes | no | no
Sametime update site URL | updates.sametime.ibm.com | updates.st.lotusibm.com | not applicable; user is forced to inherit default policy setting
Allow user to install plug-ins | yes | no | no
Limit contact list size (names) | yes; 300 limit | yes; 500 limit | yes; 300
Allow all Sametime Connect features to be used with integrated clients | yes | no | no
Allow Telephony | yes | no | no
Allow changes to preferred numbers | yes | no | no
Allow changes to the permanent call routing rule | yes | no | no
Allow use of Offline status in call routing rules | yes | no | no

*The existing save chat option in the Policy page under Instant Messaging (ALLOW_SAVE_CHAT) is the master switch that turns off ALL user ability to save chats automatically. The policy "Auto Save Chats" (AUTO_SAVE_CHAT) can be turned on or off but is relevant only if the master switch is on. If the master switch is off, no chats are saved automatically, and all chats must be saved manually.

Settings for server community (default policy)


About this task
This section includes default settings that affect both Instant Messaging and Instant Meetings. As Administrator, you can grant or limit access to features in meetings and instant messaging by enabling or disabling policies for users. To change the settings for users in Messaging services:
1. Log in to Sametime as Administrator.
2. Click the "Administer the server" link.
3. Click "Sametime Default Policy."
4. Set default server community: If a user has multiple server communities, one of them must be the default server community. With this enabled, a user must be logged in to his or her default server community before logging in to other server communities.
5. Allow file transfer: If you do not want users to transfer files during instant messaging, or during instant meeting or scheduled meeting activities, click the "Allow file transfer" box to clear it. The checkbox is checked by default. Set the maximum size of files that can be transferred, in kilobytes; the default is 1000 kilobytes.
6. Allow client-to-client file transfer: A client can transfer a file of up to 1,000 kilobytes directly to another client without it going through the server, so there is no additional load on the server. If you want users to be able to transfer files directly to another user, click the box next to 'Yes.'
7. Excluded file types: The default is blank. Check the 'Yes' checkbox if you want to exclude certain file types, such as .exe or .bat, and fill in the text field with the file types to be excluded, separated by a comma or a semicolon.
8. Allow telephony: If you want users to have access to internet protocol (IP) telephony features for contact lists, instant messaging, and instant meetings, click the 'Yes' checkbox. The default is deselected.
9. Click the checkbox for each selection under "Override setting for all policies" if you want to quickly apply a setting to all existing policies.
10. Approve all changes by clicking OK, or cancel all changes by clicking Cancel.

Results
Note: Policy changes take effect after the Policy service is restarted or after a configurable timeout. The changes should be replicated to all servers in the Sametime community.
Note: Policy settings work in tandem with the settings in Configuration - Community Services.

Settings for Instant Messaging only (default policy)


About this task
As Administrator, you can grant or limit access to features in meetings and instant messaging by enabling or disabling policies for users. This section includes settings that affect instant messaging only.
1. Log in as Administrator.
2. Click the "Administer the server" link.
3. Click "Policies" in the left-hand contents pane.
4. Click the link for "Sametime Default Policy."
5. Allow users to save chat transcripts: To allow users to save their chat transcripts on their own computers, leave 'Yes' selected. To disallow it, clear the checkbox.
6. Allow user to automatically save chats: When this is unchecked, the user does not see the chat history preferences or the chat history viewer in Sametime Connect. The default is enabled. If "Maximum number of days to save automatically-saved chat transcripts" is checked, a value must be defined; the default value is 365 days. On the client, the user cannot set "delete saved transcripts after this number of days" to a value longer than this maximum; with a maximum of 30 days, for example, the user cannot keep transcripts longer than 30 days.
7. Allow client-to-client voice chats: To allow client-to-client voice chats, leave the checkbox set to 'Yes.' The default is enabled.
8. Set UDP port for voice chat: Voice chat (voice-over-IP) requires user datagram protocol (UDP) ports. The default on your Sametime server is 20830, and the "Inherit default policy settings" box is checked, so this port is used regardless of other policy settings.
9. Allow client-to-client video calls: This is enabled by default. The video bit rate is pre-set to 512 kilobits per second; you can change it to any value between 32 and 512 kilobits per second. This feature works with IBM's point-to-point video or with third-party products implemented with the software development kit.
10. Set UDP port for video chat: This is pre-set to 20832.
11. Client-to-client file transfer: When this setting is checked, users can transfer files directly without using the server. These files are not logged. The default is unchecked.
12. Save chat transcripts/length of time: To allow users to automatically save their chat transcripts, leave the checkbox at 'Yes.' Users can save their transcripts for a number of days that you set; the default is 365 days. Dependencies: the "Allow save chat" policy under Instant Messaging must be on. The policy/server file transfer size applies.
13. Allow custom emoticons: This policy allows the user to add emoticons to his or her palette in Sametime Connect and to send emoticons in text messages. The default is enabled.
14. Allow screen captures and images: The default is enabled. This allows the user to capture screens and images and add them to the palette. It covers images pasted inline through the palette: emoticons, images that are cut and pasted, screen captures, and Alt+Print Screen captures. It does not include images sent through file transfer.
15. Set maximum image size for custom emoticons, screen captures, and inline images: This option is not enabled by default; if you enable it, the default size is 500 kilobytes.
16. Allow connections from mobile clients: This is enabled by default. To disable it, clear the corresponding box.
17. Allow user to add multiple communities: Allowing users to add multiple communities in their Sametime Connect clients is enabled by default.
18. Allow user to connect to external communities: Allowing users to connect through the Sametime Connect client to external communities such as AIM, Yahoo, and Google Talk is not enabled by default.
19. Sametime update site URL: Provides a URL from which users can retrieve feature updates for the Lotus Sametime Connect client. This is not enabled by default.
20. Allow users to install plug-ins: The default is unchecked. This policy defines whether, and from where, the user can add plug-ins beyond the core set delivered with the Sametime installation.
21. Limit contact list size: The default is unselected, meaning there is no limit to the number of contacts a user may include in a contact list. If you enable this feature, a limit of 500 contacts is offered, although you may change it; the user begins to receive warning messages when the list is within ten contacts of the limit.
22. Integrated Sametime Connect (Allow all Sametime Connect features to be used with integrated clients): This feature defines whether Sametime Connect is enabled and licensed to work with other products' clients. When you have the full Sametime license, you can enable this policy to run all the features of Sametime inside Notes 8.

Results
Note: The policy attribute "Must set this community as the default community" has a default value of enabled. This setting will prevent you from connecting to multiple communities. Disable this policy attribute if you want to allow your clients to connect to multiple communities. If you connect to only one community, the default should remain enabled. Note: Neither anonymous policy nor meetings apply to Lotus Sametime Entry or Lotus Sametime Limited Use. See the Policy setting table on page 239 to determine how conflicts in policies are resolved.

Note: Policy changes take effect after the Policy service is restarted or after a configurable timeout. The changes should be replicated to all servers in the Sametime community.
Note: VoIP service for chats is unrelated to VoIP service for meetings. In VoIP for chats, the user initiates a call for selected users or for everyone in the chat. The initiating user's PC mixes the audio streams for all the participants in the chat. Voice chat uses the GIPS iSAC audio codec through a peer-to-peer connection if possible, and through the server otherwise. Third parties can replace the IBM implementation.

Setting new policy for groups


About this task
You can assign a standard policy to a group; for example, Marketing. The policy name is the group name; for example, the policy for the Marketing group is named Marketing. On this page, you can create Policy/Marketing, delete Policy/Marketing, assign users to Policy/Marketing, and view the details of Policy/Marketing. To establish a new set of policies for a group, follow these steps:
1. On the main Policy page, click New.
2. Fill in the name of the policy.
3. Add a description for the new policy. The text entry field accepts a maximum of 200 characters by default.
4. Select the policy attributes you want to update and click OK, or click Cancel to discard all new policy settings for the group.
5. Click Assign Users.
6. On the Assign Users page, select a directory from which to add users and groups. Search for, or type, the user or group names, and add them to the policy. Add as many names and groups as needed.
7. Click OK to return to the policy list page.
8. To delete the group's policy settings, click Delete.

Results
Note: Policy changes take effect after the Policy service is restarted or after a configurable timeout. The changes should be replicated to all servers in the Sametime community.
Once the policy for the group is defined, it is listed with the others, such as the Default policy, on a View page. The Default policy cannot be deleted. The only setting turned on by default in the Default policy is file transfer, with a size limit of 1 megabyte. Additional policies are listed in alphabetical order. This page shows the number of groups and users assigned to each policy. You can select any policy and assign new users to it.

Assign users or groups to existing policy groups


About this task
On the Policy page, click Assign Users to add users to a policy or remove them from it.

Steps:
1. Log in as Administrator.
2. Choose 'Policies' from the left-hand navigation pane of the Administration Tool.
3. Select a directory from which to choose users and groups.
4. To search for a user's name, type the name into the search field and click Search.
5. Highlight the desired name.
6. Click Add. To remove a name, click Remove.
7. When you have finished adding names to the policy, click OK to confirm the settings.

Results
Note: Policy changes take effect after the Policy service is restarted or after a configurable timeout. The changes should be replicated to all servers in the Sametime community.

Policy for anonymous users


As Administrator, you define a set of mandatory policy attributes that are assigned to all Sametime users by default. To give different permissions to some users and groups, you can create any number of policy sets that hold the same attributes with different values, and assign them to Sametime users and public groups. Because Sametime allows users to log in anonymously, the policy service must also address the anonymous state of a user. You may want to define a policy stricter than the default, so that anonymous users cannot perform operations permitted to authenticated Sametime users.

Users can log in to Sametime anonymously, but the only policy governing these users is the enabling of client-to-client chat in the Meeting Room. Client-to-client functionality in this case means the anonymous user can chat with another user who is attending the meeting through the group chat feature of the Meeting Room. These chats are channeled through the server and are not strictly client-to-client, as the name suggests.

Configuration
The anonymous policy set is provided to restrict the anonymous user. This set is organized as an Anonymous policy value set (PVS) document and is embedded in the stpolicy.ntf template. It includes the same attributes as any other policy. During Sametime server installation, stpolicy.nsf is generated from the policy template. The resulting database includes two built-in policy documents, Default and Anonymous, that represent the corresponding Default and Anonymous policy sets. A policy value set is a set of user policies and their values; each policy document in stpolicy.nsf is a PVS.

Administration
Using the Policy application programming interface (API), the administrative user interface reads the policy rules and assignments from stpolicy.nsf and shows them on the Policy page. The Anonymous and Default policies have no user or group assignments.

How Anonymous policy is applied to a user
The STPolicy server application detects a policy request for an anonymous user and retrieves the Anonymous policy for that user. If you do not want to apply a specific policy to anonymous users, set all the Anonymous policy attributes as inherited from the Default policy; the anonymous user then receives all the Default policy values.

'Anonymous' effect when all policies are overridden
If you set an attribute in the Default policy as "Override all policies," the same attribute in the Anonymous policy keeps its own value. The Anonymous policy is designed to be stricter than any other policy, including the Default policy.
Note: The Anonymous policy is NOT overridden by checking "Override all policies." This is a security feature of Sametime.

Policy and LDAP


When the Sametime server is configured to work with an LDAP directory over an SSL connection, Policy must use the SSL LDAP settings to establish the connection to the LDAP server. Two parameters (the SSL enabled/disabled flag and the SSL port number) are kept in the LDAP Server document of stconfig.nsf. The other parameters (the path to the SSL key database and its password) are stored under the [Config] section of sametime.ini. When configuring Sametime for SSL, the following parameters have to be defined:

javax.net.ssl.keyStore=stkeys.jks
javax.net.ssl.keyStorePassword=sametime
javax.net.ssl.trustStore=stkeys.jks
javax.net.ssl.trustStorePassword=sametime

The javax.net.ssl.keyStore and javax.net.ssl.trustStore values can be either an absolute or a relative path to the key database. The values shown are examples: use the file name and password of your own key database rather than leaving a default password in place.

Allowing file transfers


You can specify whether users can transfer files to one another by setting user policies.

About this task

You can allow two types of file transfers: files can be transferred through the Lotus Sametime server, and files can be transferred client-to-client without passing through the Sametime server. Files passed client-to-client are not logged.
1. Log in to Lotus Sametime as an administrator.
2. Click "Administer the server."
3. Click Policies.
4. Click the user policy whose members you want to allow to transfer files.
5. The "Allow file transfer" box is checked by default. This allows file transfers to pass through the Sametime server. If you do not want to allow it, clear the "Allow file transfer" box. If you enable this option, the server setting must also allow the feature: to verify that a Sametime server allows file transfer, click Configuration - Community Services and check that "Allow users to transfer files to each other" is enabled.
6. Set the maximum size of files that can be transferred. The default is 1000 kilobytes.
7. Click "Allow client-to-client file transfer" to allow file transfers that do not pass through the Sametime server.
Note: If you enable "Allow client-to-client file transfer" and two users are unable to transfer files client-to-client, the transfer does not fall back to file transfer through the Sametime server. The file is not transferred.
8. Click OK.

Changing user names


After users have been registered in IBM Lotus Sametime, you can change their names.

About this task


You can change user names with the AdminP integration feature, or with the Name Conversion utility:

Changing names with AdminP


This feature allows IBM Lotus Sametime to synchronize name changes made to the IBM Lotus Domino Directory through the Domino Administration Process (AdminP) with the Sametime User Information database (vpuserinfo.nsf). Prior to Lotus Sametime 8.0.1, when a Lotus Domino administrator executed name changes through the Lotus Domino Administrator client and the AdminP process, the users' names were changed automatically in the Lotus Domino Directory but were not changed in the corresponding Lotus Sametime records. The administrator had to manually generate a CSV text file containing the renaming information and run the Lotus Sametime name change utility on one or more servers, depending on the configuration. In Lotus Sametime 8.0.1, this process is enhanced: Lotus Sametime updates vpuserinfo.nsf and adds a new CSV text file to stnamechange.nsf whenever a name change is made in the Domino Directory.
Note: It is still necessary to run the Name Conversion utility manually even when AdminP integration is working. The Name Change Integration with AdminP feature creates a new Name Change task and only partially updates vpuserinfo.nsf; for example, it does not update the contact lists that include the old name. For a full update, the Name Conversion utility must be executed.
In addition, the AdminP functionality is only available for Lotus Sametime servers that use Lotus Domino authentication and run on Lotus Domino 8.0.2 or later. If the Lotus Sametime server uses LDAP authentication, or if you are using a version of Lotus Domino earlier than 8.0.2, you cannot use the AdminP feature to change names.

AdminP integration components


The following components contain the code for the Name Change integration with AdminP feature. They are located in the Domino program directory (by default \Lotus\Domino on Windows):
- StUpdateAdminP.dll: the code loaded by the AdminP process. This DLL receives notifications from Domino about renaming operations. It is referred to here as the AdminP add-in.
- AdminpUpdate.jar: the Java code executed by StUpdateAdminP.dll.
- NameChangeUtils.jar: a library that provides services for updating the Sametime databases. It is called by AdminpUpdate.jar to perform the actual change in vpuserinfo.nsf and stnamechange.nsf.

Known issues with AdminP integration


Note the following issues concerning AdminP integration with Lotus Sametime:
- This feature is supported starting with Domino 6.0, but is currently not available with Domino 8.0.1.
- In Lotus Sametime, this feature is supported starting with release 8.0.1.
- Only name updates are handled; deletions and additions are not supported by the AdminP integration.
- To complete the name change process, you must still execute the name change application (AdminP integration simplifies the process but does not replace it).
- When Lotus Sametime databases are updated as a result of the AdminP operation, warning messages appear on the Domino console. These messages do not indicate a problem with the process and can be ignored.

Enabling AdminP integration


The name change AdminP integration will run on one Sametime server in each cluster, is part of a Sametime server installation, and is disabled by default.

Before you begin


The name change AdminP integration functionality is only available for Lotus Sametime 8.0.1 servers hosted on Microsoft Windows and configured to use IBM Domino Directory for authentication. If your deployment uses an LDAP directory, you must use the Name Conversion utility as in previous releases. For information on the Name Conversion utility, see the topic, "About the Name Conversion utility" in this Sametime information center.

About this task


Enable the AdminP integration for your Lotus Sametime environment by completing the following steps:
1. Remove the comment marker from the following statement in the notes.ini file:

EXTMGR_ADDINS=StUpdateAdminP.dll

If there are multiple servers in one community, perform this step on only one server.
2. Using a text editor, open sametime.ini and confirm that the following flags are set:

ST_JAVA_CLASS_PATH=C:\Lotus\Domino\java;C:\Lotus\Domino\StConfig.jar;C:\Lotus\Domino\StConfigXml.
ST_JAVA_JVM_PATH=C:\Lotus\Domino\ibm-jre\jre\bin\classic\jvm.dll
ST_JAVA_LIB_PATH=C:\Lotus\Domino

The paths may differ in your deployment.
Note: Ensure that ST_JAVA_CLASS_PATH contains the full path of the AdminpUpdate.jar file (the default path is \Lotus\Domino\AdminpUpdate.jar).
3. If the Sametime community consists of more than one Sametime server, ensure that names.nsf and admin4.nsf are replicated among all of the servers in the community. A Domino administrator can configure Connection documents to replicate these databases on a defined schedule. For more information on creating Connection documents, see the "Scheduling server-to-server replication" topic in the Domino Administrator Help information center. The environment is now set up for Sametime to capture name changes carried out by AdminP.
4. Run stnamechange.cmd as described in the topic "Running Name Change Tasks on Sametime servers in a community" in this Sametime information center.

Specifying an administration server for databases:
AdminP uses administration servers to manage administrative changes that apply to IBM Domino databases. Either the administrator or the database manager can specify the administration server for a database. Perform this procedure as needed.
Before you begin
To change the administration server for a Domino database, you must have Manager access to the database or be designated as a Full Access Administrator on the Security tab of the Server document.
About this task
1. From the IBM Lotus Domino Administrator, open the domain containing the server that hosts the database for which you are setting an administration server.
2. From the Servers pane, select the server containing the database.
3. Click the Files tab and select the database to which you are assigning an administration server.
4. From the Tools pane, click Tools - Database - Manage ACL.
5. Click Advanced.
6. Complete these fields and then click OK:

250

Lotus Sametime Entry: Installation and Administration Guide

Field | Enter
Administration Server | Choose one of these:
  - None: no administration server is assigned for the database.
  - Server: select a server from the list.
  Then choose one of these, according to whether you want the indicated fields to be modified during a rename group, rename user, or rename server action, or during a delete server, delete group, or delete user action:
  - Do not modify Names fields: Names fields are not updated during any of the above rename and delete actions.
  - Modify all Readers and Authors fields: Readers and Authors fields are updated during the rename and delete actions listed above.
  - Modify all Names fields: all Names fields are updated during any of the rename or delete actions listed above.

7. If you will be processing administration requests across domains, complete the procedure in the topic "Creating a Cross-domain Configuration document" in the Domino Administration information center.

Sample configurations:
AdminP operates with various configurations of the IBM Lotus Sametime server and IBM Domino.

Lotus Sametime and the Domino Directory are hosted on the same machine
The Sametime server and the Domino Directory are on the same server. When a rename is made, the AdminP add-in is notified and its callback updates the relevant databases. After the Name Change utility is run, all users can see each other's updated names.

Two or more Domino servers, each hosting Lotus Sametime and a Domino Directory
The Domino directories are replicated between all servers: names.nsf and admin4.nsf are replicated on all servers. A name change executed on any one of these servers triggers the AdminP process on all of them. Each AdminP process updates only the databases whose administration server is the local server. This avoids replication conflicts.

Domino Directory hosted remotely from Lotus Sametime but within the same Domino domain
One or more Lotus Sametime servers and the Domino Directory are in the same domain. Each Lotus Sametime server accesses the Domino Directory through the directory assistance feature. Because all are in the same domain and the remote directory is accessed through da.nsf, updates made to the remote directory are received on the Lotus Sametime server. The Lotus Sametime server then updates the databases whose administration server is the local server and activates the callback in the add-in.

Domino Directory hosted remotely from Lotus Sametime, in a different Domino domain
In this case, the Lotus Sametime servers and the Domino Directory are in different domains. For rename updates to go from the Domino Directory in Domain A to the Lotus Sametime servers in Domain B, a cross-domain configuration must be applied to these domains. When a name is updated in the directory in Domain A, a mail message is sent to Domain B (assuming the cross-domain configuration is applied). This mail message is treated as a request for AdminP and is added to admin4.nsf, which logs requests for the AdminP process. Refer to the Domino Administration guide for additional information on cross-domain configuration.

Domino Directory hosted remotely from Lotus Sametime, in a different Domino domain, and not serving as primary directory
The Sametime servers and the Domino Directory are in different domains, and the Domino Directory is not the primary directory for the deployment. As in the previous configuration, the cross-domain configuration must be applied, and da.nsf on the Sametime servers must point to the required NAB on the remote Domino server (instead of names.nsf).
Two or more Domino Directories on remote servers, replicated, with one or more Lotus Sametime servers
The Lotus Sametime servers and the Domino Directories are in different domains. A cross-domain configuration must be applied, and da.nsf on each Lotus Sametime server must point to the required NAB in the remote Domino cluster. One server in the Domino environment (Domain B) should be defined as the administration server of the primary address book for the Domino domain, and da.nsf on each Lotus Sametime server should point to the NAB on this server.

Changing a person's name with AdminP


You can use the AdminP feature to change a user's name in IBM Lotus Sametime.

About this task


To change a name in an environment with the AdminP add-in enabled:
1. From the IBM Lotus Domino Administrator, click the People & Groups tab.
2. In the left-hand column, choose People under the selected directory.
3. Select the name that you want to change; for example, "Sara Lester".
4. On the right-hand side, select the People tab and choose Rename.
5. In the "Rename selected HTTP, POP3, and IMAP people" dialog box, specify the time during which the user can log in with both the old and the new name, and click Next.
6. Fill in the appropriate fields to change the name, and click Next. For example, to change Sara's last name from "Lester" to "Webster," type Webster in the Last Name field.
Domino processes these name changes periodically (every 60 minutes by default). When the process is complete, the changes are reflected in vpuserinfo.nsf and stnamechange.nsf as follows:
- In vpuserinfo.nsf, the storageUserId of the renamed user is changed to the new name. For example, Sara's storageUserId is changed from "CN=Sara Lester" to "CN=Sara Webster".
- In stnamechange.nsf, a new name change task is created, with an adminp.csv file attached that describes the name change. For example, the adminp.csv file for changing Sara's last name looks like this:
ID, "CN=Sara Lester/O=AcmeCorp", "CN=Sara Webster/O=AcmeCorp", "Sara Webster/AcmeCorp"

7. Run the stnamechange.cmd to complete the name change process. For more information, refer to the topic "Running Name Change Tasks on Sametime servers in a community" in this Lotus Sametime Information Center. Additional information is available in the Tech Note "NameChange administration tasks in Lotus Sametime 8" at the following Web address:
http://www.ibm.com/support/docview.wss?&uid=swg21290627

Troubleshooting AdminP integration


If your AdminP integration does not work properly, use the information below to help resolve issues.

The AdminP feature is not working

1. Ensure the AdminP name change add-in is enabled by the following line in the notes.ini:
EXTMGR_ADDINS=StUpdateAdminP.dll
2. Turn on the trace flags, rename a user in the directory, and analyze the trace files.

The trace files indicate that the JNI does not find the Java class

1. Ensure the following files are located in the program directory:
• nadminp.exe
• StUpdateAdminP.dll
• AdminpUpdate.jar
• NameChangeUtils.jar
• stnamechange.jar
2. Ensure the following directory flags in sametime.ini have the correct values:
• ST_JAVA_CLASS_PATH
• ST_JAVA_JVM_PATH
• ST_JAVA_LIB_PATH

Working with trace files

The trace flags are located in the [Debug] section of sametime.ini:
VP_ADMINP_UPDATE_TRACE=1
ADMINP_ADDIN_DEBUG_LEVEL=5

The trace files will be located in the trace directory:


Trace file                                   Contains
StUpdateAdminP_080608_1046_2508_000.txt      C trace files
stupdateJava_080608_1122.txt.0               Java code trace files for the AdminP name change add-in and Name Change API together

Chapter 17. Managing Sametime users

255

Validation

Do the following to validate that a name change worked:

1. Rename a user in the Domino directory.
2. On the Domino console, type: tell adminp process all (this processes all the AdminP requests immediately).
3. Verify that a new task with the correct name change was added to stnamechange.nsf.
4. Verify that the user's StorageUserId value was renamed.

Updated trace information

Verify that the StUpdateAdminP_080624_1451_3192_000.txt trace file contains a line similar to the following:
080624_145626,INF,DEBUG , jni call completed for name = CN=Sara Lester/O=AcmeCorp

Verify that the stupdateJava_080624_1456.txt.0 trace file contains lines similar to the following:
Jun 24, 2008 2:56:23 PM com.ibm.sametime.stupdate.StUpdateDBs updateDb FINE: from java method old name is CN=Sara Lester/O=AcmeCorp newName = CN=Sara Webster/O=AcmeCorp
Jun 24, 2008 2:56:23 PM com.ibm.sametime.namechangeutils.NameChangeUtils createChangeNameTask INFO: completed.
Jun 24, 2008 2:56:23 AM com.ibm.sametime.namechangeutils.NameChangeUtils updateInfoUserID INFO: changing from="CN=Sara Lester/O=AcmeCorp"
Jun 24, 2008 2:56:23 AM com.ibm.sametime.namechangeutils.NameChangeUtils updateInfoUserID INFO: changing to="CN=Sara Webster/O=AcmeCorp"
Jun 24, 2008 2:56:23 AM com.ibm.sametime.namechangeutils.NameChangeUtils updateInfoUserID INFO: completed.
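The trace checks above can be scripted. The following Python script is an added example written for this page, not IBM code and not part of the AdminP add-in: it parses both trace files, looks for the records the steps above say must be present, and reports which ones are missing for a given old and new name. The record layouts are assumed from the sample lines shown above, and the sample trace text embedded in the script is constructed from those lines.

```python
"""Confirm an AdminP rename from the Sametime name-change trace files.

Added example, not IBM code. Record layouts are assumed from the lines the
guide shows: the C trace (StUpdateAdminP_*.txt) is
"timestamp,level,category , message" and the Java trace (stupdateJava_*.txt.0)
is java.util.logging output, "<date> <class> <method> <LEVEL>: <message>",
with the level either on the same line or on the next one. The sample text
below is constructed from the guide's lines.
"""
import re

OLD_NAME = "CN=Sara Lester/O=AcmeCorp"
NEW_NAME = "CN=Sara Webster/O=AcmeCorp"

SAMPLE_C_TRACE = (
    "080624_145626,INF,DEBUG , jni call completed for name = CN=Sara Lester/O=AcmeCorp\n"
)
# First record written in the two-line form java.util.logging also produces;
# the rest in the one-line form shown in the guide.
SAMPLE_JAVA_TRACE = (
    "Jun 24, 2008 2:56:23 PM com.ibm.sametime.stupdate.StUpdateDBs updateDb\n"
    "FINE: from java method old name is CN=Sara Lester/O=AcmeCorp newName = CN=Sara Webster/O=AcmeCorp\n"
    "Jun 24, 2008 2:56:23 PM com.ibm.sametime.namechangeutils.NameChangeUtils createChangeNameTask INFO: completed.\n"
    "Jun 24, 2008 2:56:23 PM com.ibm.sametime.namechangeutils.NameChangeUtils updateInfoUserID INFO: changing from=\"CN=Sara Lester/O=AcmeCorp\"\n"
    "Jun 24, 2008 2:56:23 PM com.ibm.sametime.namechangeutils.NameChangeUtils updateInfoUserID INFO: changing to=\"CN=Sara Webster/O=AcmeCorp\"\n"
    "Jun 24, 2008 2:56:23 PM com.ibm.sametime.namechangeutils.NameChangeUtils updateInfoUserID INFO: completed.\n"
)

JAVA_RECORD = re.compile(
    r"(?P<ts>[A-Z][a-z]{2} \d{1,2}, \d{4} \d{1,2}:\d{2}:\d{2} [AP]M) "
    r"(?P<cls>\S+) (?P<method>\S+)\s+"
    r"(?P<level>FINEST|FINER|FINE|CONFIG|INFO|WARNING|SEVERE): (?P<msg>[^\n]*)"
)


def parse_java_trace(text):
    """Return one dict per java.util.logging record found in text."""
    return [m.groupdict() for m in JAVA_RECORD.finditer(text)]


def parse_c_trace(text):
    """Return one dict per C trace line (timestamp, level, category, message).

    maxsplit=3 keeps commas inside an LDAP-style name in the message field.
    """
    records = []
    for line in text.splitlines():
        parts = line.split(",", 3)
        if len(parts) == 4:
            records.append({"ts": parts[0], "level": parts[1],
                            "category": parts[2].strip(), "msg": parts[3].strip()})
    return records


def verify_rename(c_trace, java_trace, old_name, new_name):
    """Return which of the expected trace records were found for one rename.

    ok is True only when the C add-in handed the old name to the JNI call, the
    Java side created the stnamechange.nsf task, and vpuserinfo.nsf was updated
    from old_name to new_name.
    """
    found = {"jni_call_completed": False, "task_created": False,
             "userinfo_from": False, "userinfo_to": False, "userinfo_completed": False}
    for rec in parse_c_trace(c_trace):
        if rec["msg"] == f"jni call completed for name = {old_name}":
            found["jni_call_completed"] = True
    for rec in parse_java_trace(java_trace):
        if not rec["cls"].endswith("NameChangeUtils"):
            continue
        msg = rec["msg"]
        if rec["method"] == "createChangeNameTask" and msg == "completed.":
            found["task_created"] = True
        elif rec["method"] == "updateInfoUserID":
            if msg == f'changing from="{old_name}"':
                found["userinfo_from"] = True
            elif msg == f'changing to="{new_name}"':
                found["userinfo_to"] = True
            elif msg == "completed.":
                found["userinfo_completed"] = True
    found["ok"] = all(found.values())
    return found


if __name__ == "__main__":
    for key, value in verify_rename(SAMPLE_C_TRACE, SAMPLE_JAVA_TRACE,
                                    OLD_NAME, NEW_NAME).items():
        print(f"{key:20} {value}")
```

To use it on a real server, read the two trace files from the trace directory into c_trace and java_trace and pass the old and new distinguished names exactly as Domino writes them; a missing userinfo_to with a present userinfo_from usually means the new name in the directory differs from the one you expected.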

Changing names
When you change user or group names in the directory, the change is not reflected in Lotus Sametime databases. In order to synchronize the directory names with the names in the Sametime server databases, you must run the name conversion utility.

About this task


Running the name conversion utility updates Lotus Sametime user or group names with the latest directory changes. The name conversion utility uses a comma-separated value list that you compile to change names, delete names, or convert all names from Domino to Domino LDAP formatted names.

Users create a contact list, a privacy list, and an alert-me-when list in the IBM Lotus Sametime Connect client by selecting user names or group names from the Domino or Domino LDAP directory that is used with the Sametime server. These contact, privacy, and alert-me-when lists are stored in the user information database
(vpuserinfo.nsf) on Sametime servers. When a user starts the Lotus Sametime Connect client, the lists are downloaded from the database to update the lists stored on the client's local computer.

You do not need to run the name conversion utility when you add new users or groups to the Domino or LDAP directory.

Run the name conversion utility manually on a standalone Sametime server, or on one server in a cluster, which replicates the change throughout the cluster.

Note: Be sure to stop the Domino server before you run the name conversion utility.

Preparing for changing names


Before you can run the name conversion utility, you need to perform the following tasks:

About this task


1. Set up machines (one time only)
2. Create a CSV file
3. Create a Name Change task

You do not need to use the name conversion utility if you add new users or groups to the Domino or LDAP directory. Use the name conversion utility only if you change user names or group names that exist in the directory.

Setting up machines for name changes - one time only:

You must prepare your Sametime servers to change names using the name conversion utility. You only need to do this once.

About this task

This section covers setting up UNIX and i5/OS machines for name changes. There are no special setup instructions for Windows machines.

Preparing UNIX for name changes:

Preparing to run the Name Change task on UNIX requires editing the sametime.ini file.

1. Add VP_NCSA_TRACE=1 to the Debug section of the sametime.ini file. This creates a debug log file.
2. Add NC_LOCAL_CONVERSION=1 to the Config section of the sametime.ini file.

Preparing i5/OS for name changes:

Before you can run the Name Change task on i5/OS, add VP_NCSA_TRACE=1 to the Debug section of the sametime.ini file. This parameter creates a debug log file.

Creating a comma separated value file:

A comma-separated value (CSV) file created in a text editor provides the name conversion utility with the information it needs to make a name change to user contact, privacy, and alert-me-when lists. The CSV file includes the type of change (ID, ORGANIZATION, LDAP, DELETE) and typically provides details such as the old name and the new name, and optionally, the display name.

1. Use a text editor to create a comma-separated file.
2. Create a CSV for only one type of change: ID, ORGANIZATION, DELETE, or LDAP. You cannot mix name change types in the same CSV.
3. Name and save the file with an extension of .csv in a directory accessible by the Sametime server.

Comma-separated value files:

A CSV file created in a text editor provides the server with the information it needs to make a name change to user contact lists or privacy lists. The CSV file includes the type of change (ID, ORGANIZATION, LDAP, DELETE) and typically provides details such as the old name and the new name, and optionally, the display name.

You can create the CSV text file using any text editor. Some spreadsheet programs also allow you to export spreadsheet values to a CSV file. The CSV file should include only the descriptor line followed by the comma-separated old name, new name pairs that reflect the changes you have made to the directory. Do not include any header information in your CSV file. Name the file at your discretion.

After you create the CSV file, store it in a network location that is accessible from the Sametime server. You must browse to this file to import it when you create the Name Change task from the Administrator's tool in Sametime.

When you create a CSV file, you must format it correctly following the syntax rules below. CSV files are case-sensitive and sensitive to spaces. You can create multiple CSV files. Each CSV file can include only one descriptor:

Descriptor      Purpose
ID              Change specified first names, last names, display names, or group names.
ORGANIZATION    Change the organization name for all users.
LDAP            Change all contact list information from Domino directory format to LDAP format (users/public group/domino to ldap/organization name).
DELETE          Remove specified individual contact names from contact lists and privacy lists.

The second part of the CSV file includes one line for each change, giving the old name, the new name, and, optionally, the new display name.

Changing the user and group IDs.

CSV File Syntax

ID
"old ID","new ID"[,"new display name"]
. . .

where the [ ] indicate that the new display name is optional. If you use it, you must precede it with a comma, as in the first example below (where "Maria Brown" is the new display name), and the new display name must immediately follow the comma. If you leave a blank space between the comma and the new display name, the conversion will not work.

Example

Sample CSV showing changes from a Domino directory:

Note: These examples have been formatted for readability; make sure your syntax adheres to the spacing restrictions noted in the text.

ID
"CN=Maria Smith/OU=Sales/O=IBM", "CN=Maria Brown/OU=Sales/O=IBM", "Maria Brown"
"CN=John/OU=New York/O=IBM", "CN=John/OU=Texas/O=IBM"
"52e811 85256500/Old Group", "52e811 85256500/New Group Name", "New Group Name"

Note that "52e811 85256500" in the example above is the replica ID of the Domino Directory. Be sure to change the colon in the replica ID to a space. For example, "52e811:85256500" should be written "52e811 85256500".

Sample CSV showing changes from an LDAP directory:

ID
"CN=Maria Smith,OU=Sales,O=IBM", "CN=Maria Brown,OU=Sales,O=IBM", "Maria Brown"
"CN=John,OU=New York,O=IBM", "CN=John,OU=Texas,O=IBM"
"CN=Old Group,OU=groups,O=IBM", "CN=New Group Name,OU=groups,O=IBM", "New Group Name"

Changing the organization name.


CSV File Syntax

ORGANIZATION
"oldOrg","newOrg"

Example

Sample CSV showing changes from a Domino or LDAP directory:

ORGANIZATION
"lotus","ibm"

Change all contact list information from Domino directory format to LDAP format (users/public group/domino to ldap/organization name).
CSV File Syntax

LDAP

Example

Sample CSV:

LDAP

You cannot change the format from LDAP to Domino.

Delete specified users and groups.

CSV File Syntax

DELETE
uid
. . .

Example

Sample CSV:

DELETE
uid=John Deere,ou=sametime,dc=ibm,dc=com
uid=Marta Smith,ou=sametime,dc=ibm,dc=com
cn=portaladminid,o=example.com
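The rules above are easy to get wrong by hand: a single blank after the comma before a display name, or a colon left in a replica ID, silently stops the conversion. The following Python script is an added example written for this page, not part of the name conversion utility or any IBM code. build_csv() writes a file for one descriptor following the syntax above, and validate_csv() checks a file you already have, including the adminp.csv that the AdminP add-in attaches to a task. It enforces only the rules stated in this section; the assumption that names never contain a double quote is its own, and the sample names are the ones used in the examples above.

```python
"""Build and validate name conversion CSV files for the Sametime utility.

Added example, not IBM code. Only the rules stated in the guide are enforced:
one descriptor per file, no header row, fields are case- and space-sensitive,
no blank between the comma and an optional display name, and a Domino group is
written as "<replica id with its colon replaced by a space>/<group name>".
"""
import re

DESCRIPTORS = ("ID", "ORGANIZATION", "LDAP", "DELETE")
# One quoted field. Assumption: names never contain a double quote, so no
# escaping scheme is modelled (the guide does not describe one).
_FIELD = r'"[^"]*"'
# Loose match so the separators can be inspected for stray blanks.
_PAIR = re.compile(rf'^({_FIELD})(, *)({_FIELD})(?:(, *)({_FIELD}))?$')
_COLON_REPLICA = re.compile(r'"[0-9A-Fa-f]+:[0-9A-Fa-f]+/')


def domino_group(replica_id: str, group_name: str) -> str:
    """Return a Domino directory group in the form the utility expects.

    "52e811:85256500" + "Old Group" -> "52e811 85256500/Old Group"
    """
    return f"{replica_id.replace(':', ' ')}/{group_name}"


def _quote(value: str) -> str:
    if '"' in value:
        raise ValueError(f"double quote not supported in a field: {value!r}")
    return f'"{value}"'


def build_csv(descriptor: str, changes=()) -> str:
    """Return CSV text for one change type.

    ID:           (old, new) or (old, new, display) tuples
    ORGANIZATION: exactly one (old_org, new_org) tuple
    DELETE:       bare distinguished names, one per entry
    LDAP:         no change lines at all
    """
    if descriptor not in DESCRIPTORS:
        raise ValueError(f"unknown descriptor {descriptor!r}")
    lines = [descriptor]
    if descriptor == "LDAP":
        if changes:
            raise ValueError("LDAP takes no change lines")
    elif descriptor == "DELETE":
        lines.extend(str(dn) for dn in changes)
    else:
        width = 3 if descriptor == "ID" else 2
        if descriptor == "ORGANIZATION" and len(changes) != 1:
            raise ValueError("ORGANIZATION takes exactly one old,new pair")
        for change in changes:
            if not 2 <= len(change) <= width:
                raise ValueError(f"bad change entry: {change!r}")
            # Join with a bare comma: a blank before the display name breaks
            # the conversion, so no blanks are emitted after any comma.
            lines.append(",".join(_quote(v) for v in change))
    return "\n".join(lines) + "\n"


def validate_csv(text: str) -> list:
    """Return a list of problems; an empty list means the file follows the rules."""
    lines = text.splitlines()
    if not lines:
        return ["empty file"]
    descriptor, body = lines[0], lines[1:]
    if descriptor not in DESCRIPTORS:
        return [f"line 1: expected one of {', '.join(DESCRIPTORS)}, got {descriptor!r}"]
    problems = []
    for n, line in enumerate(body, start=2):
        if line in DESCRIPTORS:
            problems.append(f"line {n}: second descriptor; one change type per file")
        elif not line.strip():
            problems.append(f"line {n}: blank line")
        elif descriptor == "LDAP":
            problems.append(f"line {n}: LDAP takes no change lines")
        elif descriptor == "DELETE":
            if line.startswith('"'):
                problems.append(f"line {n}: DELETE entries are bare names, not quoted")
        else:
            m = _PAIR.match(line)
            if not m or (descriptor == "ORGANIZATION" and m.group(5)):
                problems.append(f'line {n}: expected "old","new"'
                                + ('[,"display"]' if descriptor == "ID" else ""))
            elif " " in m.group(2) or (m.group(4) and " " in m.group(4)):
                problems.append(f"line {n}: blank after a comma (files are space-sensitive)")
            elif descriptor == "ID" and _COLON_REPLICA.search(line):
                problems.append(f"line {n}: replica ID colon must be a space")
    if descriptor == "ORGANIZATION" and len(body) != 1:
        problems.append("ORGANIZATION takes exactly one change line")
    return problems


if __name__ == "__main__":
    text = build_csv("ID", [
        ("CN=Maria Smith/OU=Sales/O=IBM", "CN=Maria Brown/OU=Sales/O=IBM", "Maria Brown"),
        (domino_group("52e811:85256500", "Old Group"),
         domino_group("52e811:85256500", "New Group Name"), "New Group Name"),
    ])
    print(text, validate_csv(text) or "no problems")
```

Run validate_csv() on the file before you browse to it from the Name Change task page; the utility itself gives no feedback on a malformed line, so a clean result here is the only check you get before the task runs against vpuserinfo.nsf.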

Creating a Name Change task:

Create a Name Change task on the Sametime server.

Before you begin

Before you begin, create a comma-separated value (CSV) file of the name changes in the Sametime directory.

About this task

A Name Change task is not actually a scheduled program; its timestamp merely indicates when the task was created and not when it will be run. The list of tasks is ignored until you run the stnamechange.cmd program, which then operates on all of the tasks in the list, using the .CSV files specified in the "Administer the Server" page. Follow the steps below to create a Name Change task.

1. In the Sametime Administrative Client, click Administer the Server.
2. In the Navigation panel of the Administration page, select LDAP Directory - Name Change Tasks. Note that the Name Change task must be configured in one sitting. There is no save-as-draft functionality.
3. Click New.
4. Enter a name in the Name field. The name is at your discretion. By default, the name is the date the task is created.
5. (Optional) Enter a description for the task.
6. Select All Servers to run the task on all servers in the cluster, or select the specified server.
7. Browse for the CSV file you want to use, and then click OK.
8. The Name Change task appears in the list of scheduled tasks. All tasks listed here will be performed when stnamechange.cmd is run.
9. Create the task once.
10. Click the name of the scheduled task to edit the Name Change task.
11. To delete a Name Change task, on the Name Change Task List page, select the task, and then click Delete.
12. If any name changes are not entered correctly, you can click the Back arrow button on the browser and correct the information from the previous screen by importing a new CSV file.
13. After you have completed these steps on one Sametime server, it may be necessary to repeat this process on other home Sametime servers in your environment. If you are using Enterprise Meeting Server (EMS), the change is
made on all servers. If you are not using EMS, you must replicate the nsf file to all the Sametime servers so all are included, regardless of the server on which it was defined.

Results

When you are done setting up the task, name changes are saved to stnamechange.nsf. This file is used by Domino to replicate the name changes throughout the server cluster. Domino picks up all valid Name Change tasks in the stnamechange.nsf file. You choose the servers or cluster on which the Name Change task runs on a regular basis using general scheduling tools. The application does not run by default; you must run the task manually.

Running the name conversion utility


To run a Name Change task, start the name conversion utility. The name conversion utility uses the CSV file to update user contact and privacy lists with the latest directory changes.

Before you begin


Before you begin, create a comma-separated value file with name changes, and then create a Name Change task. IBM recommends running the name conversion utility at off-peak hours, and stopping the Domino server before you begin.

About this task


Starting the name conversion utility starts the Name Change task. You can create many tasks, but the name conversion utility executes only one task at a time. You can have only one Name Change task scheduled or in progress. If a Name Change task is scheduled or in progress, you cannot create another Name Change task until the existing Name Change task completes.

It is not necessary to run the name conversion utility on every Sametime server in a cluster. For clusters, the task should run once on one server and then be replicated to the other servers in the cluster.

Note that the All servers option on the Name Change task page in the Administration tool does not work because of the procedure for replicating across all servers. If you create a Name Change task and select All servers, only the server you are logged on to contains the task; other servers do not. This is viewable in stnamechange.nsf through the Notes client. The correct procedure is to create the Name Change task on all the servers in the community.

Running the name conversion utility on Windows:

Follow these steps to run the name conversion utility on Microsoft Windows:

1. Temporarily stop the Sametime server.
2. Type the following command:
stnamechange.cmd

3. When the Name Change task completes, restart the Sametime server. Restart all Lotus Sametime servers in your deployment so they can detect the modified name. If your deployment includes Lotus Sametime Unified Telephony, restart all Telephony Application Servers as well.

Running the name conversion utility on UNIX:

Follow these instructions to run the name conversion utility on a UNIX operating system.

1. Temporarily stop the Sametime server.
2. Open a new shell and change to the Domino data directory.
cd /domino/notesdata

3. Type the following command:


./stnamechange.sh domino_bin_directory domino_data_directory

For example:
./stnamechange.sh /domino/opt/lotus/notes/80020/linux /domino/notesdata

4. When the Name Change task completes, restart the Lotus Sametime server. Restart all Lotus Sametime servers in your deployment so they can detect the modified name. If your deployment includes Lotus Sametime Unified Telephony, restart all Telephony Application Servers as well.

Running the name conversion utility on i5/OS:

Follow these instructions to run the name conversion utility on i5/OS.

1. Make sure the CSV file is in the Domino data directory.
2. Stop the Sametime server, but leave the Domino server running, by entering TELL STADDIN2 QUIT at the Domino console.
3. Once the Sametime jobs have ended, go to the i5/OS command line and enter the following command: QSH. This opens a command line where the Name Change task is run.
4. Type the following commands:
cd <data directory>
stnamechange <data directory>

5. View the log file whose name starts with NameConversion, located in the Sametime server directory/trace folder. The remaining characters of the file name vary from run to run.
6. Restart the Sametime server by entering LOAD STADDIN2 at the Domino console.

Restart all Lotus Sametime servers in your deployment so they can detect the modified name. If your deployment includes Lotus Sametime Unified Telephony, restart all Telephony Application Servers as well.

Changing names with an older version of Domino:

The IBM Lotus Sametime name change utility for IBM i5/OS now includes an optional parameter that allows you to specify that the command should use a level of IBM Lotus Domino other than the latest installed version.

About this task

The name conversion utility for i5/OS servers was updated in Lotus Sametime 8.0.1. In previous releases, an error would occur if the Lotus Sametime server was using a level of Lotus Domino that was not the latest installed version. To execute the Lotus Sametime 8.0.1 version of the name change task on i5/OS manually, prepare by following these steps:

1. Add VP_NCSA_TRACE=1 to the Debug section of the sametime.ini file. This creates a debug log file.
2. Launch the Sametime server, and create the Name Change tasks through the Administration tool.
3. Shut down the Lotus Sametime server, but leave the Lotus Domino server running, by entering TELL STADDIN2 QUIT at the Lotus Domino console.
4. Once the Lotus Sametime jobs have ended, go to the i5/OS command line and enter the following command: QSH. This opens a PASE command line where the name change utility is run. Enter the following commands:
CD server_data_directory
stnamechange server_data_directory domino_bin_directory

where domino_bin_directory is an optional parameter. (The default is /qibm/proddata/lotus/notes, which causes the command to use the latest installed version of Lotus Domino.) Refer to the table below to specify a different level of Lotus Domino:

Table 16. Lotus Domino version used by Lotus Sametime server

Domino version   Associated domino_bin_directory
Domino 7.0.0     /qibm/proddata/lotus/domino700
Domino 7.0.1     /qibm/proddata/lotus/domino701
Domino 7.0.2     /qibm/proddata/lotus/domino702
Domino 7.0.3     /qibm/proddata/lotus/domino703
Domino 8.0.0     /qibm/proddata/lotus/domino800
Domino 8.0.1     /qibm/proddata/lotus/domino801

For example, if the Lotus Sametime server is using Domino 7.0.2:

stnamechange server_data_directory /qibm/proddata/lotus/domino702

5. Press F3 to exit QSH.
6. View the log file whose name starts with NameConversion, located in the Sametime_server_directory/trace folder.
7. Restart Lotus Sametime by entering LOAD STADDIN2 at the Domino console.

Restart all Lotus Sametime servers in your deployment so they can detect the modified name. If your deployment includes Lotus Sametime Unified Telephony, restart all Telephony Application Servers as well.

Name Change task replication:

When you create a Name Change task, the task is saved in a file called stnamechange.nsf, and this file is replicated to all Sametime home servers so that updates can be made to each server's vpuserinfo.nsf database. The file vpuserinfo.nsf is the Sametime user information database that contains contact lists and privacy lists.

Set up a Domino replication task to replicate stnamechange.nsf among all servers. By default, stnamechange.nsf is replicated to all servers in a cluster, but not between clusters. This step makes it unnecessary to add future tasks to each stnamechange.nsf database in the environment. When a new task is added, all servers get the new information as a result of the replication procedure.

Note that the All servers option on the Name Change task page in the Administration tool does not work because of the procedure for replicating across all servers. If you create a Name Change task and select All servers, only the server you are logged on to contains the task; other servers do not. This is viewable in stnamechange.nsf through the Notes client. The correct procedure is to create the Name Change task on all the servers in the community.

If several Sametime servers operate as a Community Services cluster, create a Name Change task on only one Sametime server in the cluster. The vpuserinfo.nsf database replicates in real time among the servers in the cluster. When the Name Change task changes the vpuserinfo.nsf database on one server, the changes are automatically replicated to the vpuserinfo.nsf databases on all other servers in the cluster. Declaring the task in one cluster can populate all the clusters because you set replica information for the stnamechange.nsf between all the clusters.
Sample deployments

The examples below illustrate how you might run Name Change tasks in different Sametime server deployments.

Example Deployment 1

In this example, the Sametime community has the following characteristics:
• Three Sametime servers are deployed.
• None of the servers are clustered.

With this deployment, you must create and run the Name Change task three times, once on each server. Though you create the task only once, you run it three times, and the run can be scheduled automatically.

Example Deployment 2

In this example, the Sametime community has the following characteristics:
• Eight Sametime servers are deployed.
• Three Sametime servers operate as Community Services cluster 1.
• Three Sametime servers operate as Community Services cluster 2.
• Two Sametime servers operate as home Sametime servers but are not part of a Community Services cluster.

With this deployment, you must run the Name Change task four times. You can schedule the tasks to run automatically on one Sametime server in Community Services cluster 1, on one Sametime server in Community Services cluster 2, and on each of the two Sametime servers that operate as home Sametime servers but are not part of a cluster.

Example Deployment 3

In this example, the Sametime community has the following characteristics:
• Six Sametime servers are deployed.
• Three Sametime servers operate as a Community Services cluster.
• Two Sametime servers operate as home Sametime servers but are not part of a Community Services cluster.
• One Sametime server is not used as a home Sametime server and is not part of a Community Services cluster.

With this deployment, you must create the Name Change task three times. Create the Name Change task on one of the Sametime servers in the Community Services cluster and on each of the two Sametime servers that operate as home Sametime servers but are not part of a cluster. You do not need to create the Name Change task on the Sametime server that is not a home server and not part of a cluster.

Example Deployment 4

In this example, you are making name changes on the Enterprise Meeting Server. With this deployment, you have one option: All servers. The name change is created once, and then is run on each cluster. You choose the server in the cluster on which to run the task. You can schedule the task to run automatically.

Name Change task status:

This topic describes the status of the Name Change tasks, how to view tasks in progress, and how to delete a Name Change task. After you create a Name Change task, the task defaults to the Scheduled status.
A scheduled task begins executing on the Sametime server at the time specified in the server setting on the Configuration - Community Services page. You cannot edit a Name Change task that has the Scheduled status. The only way to change a scheduled task is to delete the task and then create a new task in its place.

Once a task begins executing, its status changes from Scheduled to In Progress if any of the servers have the Name Change task with a status of In Progress or Scheduled. You cannot delete a task that is scheduled or in progress. If all the servers have tasks that are marked Check error log or Disabled, the Name Change task can be marked Finished. Finished means the task has completed the name change successfully. At this status level, you can add or delete any task.

Check error log means there were errors incurred while the task was running. At this stage, you can add or delete a task.

Note: The status column provides only the status of the task running on the server being used; it does not provide a summary of the task across servers and clusters of servers.

You can have only one Name Change task scheduled or in progress on a Sametime server. If a Name Change task is scheduled or in progress, you cannot create another Name Change task on the Sametime server until the existing Name Change task completes. You cannot delete a task that is marked Scheduled or In Progress. You can delete a task that is marked Finished or that is marked Check log status. There is a log file on the server that collects failures in Name Conversion.

• A user name that is changed in the directory but is not yet changed in the vpuserinfo.nsf database will appear as offline in the contact list and privacy list of another user until the Name Change task executes on the other user's home Sametime server.
• All members of a changed group appear as offline in the contact list and privacy list of a user until the Name Change task executes on the user's home Sametime server.

You can view the status of the names being changed. The vpuserinfo.nsf database includes a view for Name Change tasks. The task you are running is not marked complete. If several Sametime servers operate as a Community Services cluster, you view the status of a Name Change task on only one Sametime server in the cluster. The database replicates in real time among the servers in the cluster. When the Name Change task changes the vpuserinfo.nsf database on one server, the changes are automatically replicated to the vpuserinfo.nsf databases on all other servers in the cluster.

Below is an example of viewable statuses. In the example, Servers X, Y, and Z are not clustered, and servers A, B, and C are clustered.
Server      Result when the task is created on Server X
Server X    task appears in the Name Change Status page
Server Y    task does NOT appear in the Name Change Status page, but it is in the log file
Server Z    task does NOT appear in the Name Change Status page, but it is in the log file
Server A    task does NOT appear in the Name Change Status page, but it is in the log file
Server B    task does NOT appear in the Name Change Status page, and it does NOT appear in the log file
Server C    task does NOT appear in the Name Change Status page, and it does NOT appear in the log file

Note: Turn on the sametime.ini flag if you are working locally: NC_LOCAL_CONVERSION=1

Chapter 18. Configuring Sametime Connectivity


Read this chapter to learn how to configure the network and port settings for the Community Services, Meeting Services, Recorded Meeting Broadcast Services, and Audio/Video Services. Proper configuration of the Sametime server Networks and Ports settings ensures that IBM Lotus Sametime clients can connect to the appropriate services on the Sametime server. Sametime includes connectivity features that enable clients to connect to the server through restrictive firewalls and proxy servers.

Ports used by the Sametime server


IBM Lotus Sametime uses a number of ports on the server. This topic lists the default ports and their uses. You can use the Sametime Administration Tool to configure the ports on which the Sametime services listen for connections from clients. The port settings for all services can be accessed from the Configuration - Connectivity - Networks and Ports options of the Sametime Administration Tool.

HTTP Services, Domino Services, LDAP Services, and Sametime intraserver ports
The following ports are used by the Sametime HTTP Services, IBM Lotus Domino Application Services, and LDAP Services.
Default Port                Purpose
Port 80                     If the administrator allows HTTP tunneling on port 80 during the Sametime installation, the Community Services multiplexer on the Sametime server listens for HTTP connections from Web browsers, Sametime Connect clients, Sametime Meeting Room clients, and Sametime Recorded Meeting clients on port 80. If the administrator does not allow HTTP tunneling on port 80 during the Sametime installation, the Domino HTTP server listens for HTTP connections on this port.
Alternate HTTP port (8088)  If the administrator allows HTTP tunneling on port 80 during the Sametime installation (or afterward), the Domino HTTP server on which Sametime is installed must listen for HTTP connections on a port other than port 80. The Sametime installation changes the Domino HTTP port from port 80 to port 8088 if the administrator allows HTTP tunneling on port 80 during a Sametime server installation. Note: If the administrator allows HTTP tunneling on port 80 during the Sametime installation, Web browsers make HTTP connections to the Community Services multiplexer on port 80, and the Community Services multiplexer makes an intraserver connection to the Sametime HTTP server on port 8088 on behalf of the Web browser. This configuration enables the Sametime server to support HTTP tunneling on port 80 by default following the server installation.
Port 389                    If you configure the Sametime server to connect to an LDAP server, the Sametime server connects to the LDAP server on this port. For more information, see Setting up an LDAP directory on page 189.
Port 443                    The Domino HTTP server listens for HTTPS connections on this port by default. This port is used only if you have set up the Domino HTTP server to use Secure Sockets Layer (SSL) for Web browser connections. To configure the Sametime HTTP server to use SSL for Web browser connections, see About SSL and Sametime.
Port 1352                   The Domino server on which Sametime is installed listens for connections from Notes clients and Domino servers on this port.
Port 9092                   The Event Server port on the Sametime server is used for intraserver connections between Sametime components. Make sure that this port is not used by other applications on the server.
Port 9094                   The Token Server port on the Sametime server is used for intraserver connections between Sametime components.

Copyright IBM Corp. 2007, 2009

Community Services ports


The following ports are used by the Sametime Community Services. Most of these ports are configurable.

Default Port / Purpose

Port 1516: Community Services listens for direct TCP/IP connections from the Community Services of other Sametime servers on this port. If you have installed multiple Sametime servers, this port must be open for presence, chat, and other Community Services data to pass between the servers. The communications that occur on port 1516 also enable one Sametime server to start a meeting on another server (or "invite" the other server to the meeting).

Port 1533: The Community Services listen for direct TCP/IP connections and HTTP-tunneled connections from the Community Services clients (such as Sametime Connect and Sametime Meeting Room clients) on this port.

Note: The term "direct" TCP/IP connection means that the Sametime client uses a unique Sametime protocol over TCP/IP to establish a connection with the Community Services.

The Community Services also listen for HTTPS connections from the Community Services clients on this port by default. The Community Services clients attempt HTTPS connections when accessing the Sametime server through an HTTPS proxy server. If a Community Services client connects to the Sametime server using HTTPS, the HTTPS connection method is used, but the data passed on this connection is not encrypted. If the administrator does not allow HTTP tunneling on port 80 during the Sametime installation, the Community Services clients attempt HTTP-tunneled connections to the Community Services on port 1533 by default.

Port 80: If the administrator allows HTTP tunneling on port 80 during the Sametime installation, the Community Services clients can make HTTP-tunneled connections to the Community Services multiplexer on port 80.

Note: When HTTP tunneling on port 80 is allowed during the Sametime installation, the Community Services multiplexer listens for HTTP-tunneled connections on both port 80 and port 1533. The Community Services multiplexer simultaneously listens for direct TCP/IP connections on port 1533.

Chapter 18. Configuring Sametime Connectivity


Port 8082: When HTTP tunneling support is enabled, the Community Services clients can make HTTP-tunneled connections to the Community Services multiplexer on port 8082 by default. Community Services clients can make HTTP-tunneled connections on both ports 80 and 8082 by default. Port 8082 ensures backward compatibility with previous Sametime releases. In previous releases, Sametime clients made HTTP-tunneled connections to the Community Services only on port 8082. If a Sametime Connect client from a previous Sametime release attempts an HTTP-tunneled connection to a Sametime server, the client might attempt this connection on port 8082.
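After installation, an administrator usually wants to confirm that the listeners in the port tables above are actually bound, and that the intraserver ports (9092 and 9094) are not reachable from outside the server. The following Python is an added example; it is not part of this guide and not IBM code. It parses Linux-style netstat -an output (the sample below is constructed, not captured from a real server) and compares the listening ports with the set expected for the install choice. It assumes that when HTTP tunneling on port 80 was allowed, the Domino HTTP server was moved to port 8088 by the installer, as described under HTTP Services settings later in this chapter.

```python
import re
from typing import Dict, List, Set

# Intraserver ports from the port table above: they carry only component-to-component traffic.
INTRASERVER_PORTS = {9092: "Event Server", 9094: "Token Server"}

# Matches a LISTEN line of Linux-style "netstat -an" output and captures the local address.
LISTEN_RE = re.compile(r"^tcp\d?\s+\d+\s+\d+\s+(\S+)\s+\S+\s+LISTEN", re.MULTILINE)


def expected_listeners(allow_http_tunnel_80: bool) -> Dict[int, str]:
    """TCP ports the server should be listening on, keyed by port, per the tables above.
    Assumption: the Domino HTTP server sits on 8088 when tunneling on 80 was allowed
    (the installer moves it there), otherwise on 80."""
    ports = {
        9092: "Event Server (intraserver)",
        9094: "Token Server (intraserver)",
        1516: "Community Services server-to-server connections",
        1533: "Community Services client connections (TCP/IP, HTTP- and HTTPS-tunneled)",
        8082: "Community Services HTTP tunneling, backward compatibility",
    }
    if allow_http_tunnel_80:
        ports[80] = "Community Services multiplexer, HTTP tunneling on port 80"
        ports[8088] = "Domino HTTP server (moved off port 80 by the installer)"
    else:
        ports[80] = "Domino HTTP server"
    return ports


def parse_listeners(netstat_output: str) -> Dict[int, Set[str]]:
    """Map each listening TCP port to the local addresses it is bound on."""
    bound: Dict[int, Set[str]] = {}
    for local in LISTEN_RE.findall(netstat_output):
        host, _, port = local.rpartition(":")   # handles "0.0.0.0:80" and ":::9094"
        bound.setdefault(int(port), set()).add(host)
    return bound


def listening_ports(netstat_output: str) -> Set[int]:
    return set(parse_listeners(netstat_output))


def audit(netstat_output: str, allow_http_tunnel_80: bool) -> Dict[str, List[int]]:
    """Expected ports nobody is listening on, and intraserver ports bound to a non-loopback
    address (confirm a firewall keeps those reachable only from the server itself)."""
    bound = parse_listeners(netstat_output)
    expected = expected_listeners(allow_http_tunnel_80)
    missing = sorted(p for p in expected if p not in bound)
    exposed = sorted(p for p in INTRASERVER_PORTS
                     if p in bound and any(h not in ("127.0.0.1", "::1") for h in bound[p]))
    return {"missing": missing, "exposed_intraserver": exposed}


# Constructed sample output (not captured from a real server): 8082 is not listening
# and the Token Server port is bound on every IPv6 address.
SAMPLE_NETSTAT = """\
Proto Recv-Q Send-Q Local Address           Foreign Address         State
tcp        0      0 0.0.0.0:80              0.0.0.0:*               LISTEN
tcp        0      0 0.0.0.0:8088            0.0.0.0:*               LISTEN
tcp        0      0 0.0.0.0:1516            0.0.0.0:*               LISTEN
tcp        0      0 0.0.0.0:1533            0.0.0.0:*               LISTEN
tcp        0      0 127.0.0.1:9092          0.0.0.0:*               LISTEN
tcp6       0      0 :::9094                 :::*                    LISTEN
tcp        0      0 10.0.0.5:52110          10.0.0.9:1516           ESTABLISHED
"""

if __name__ == "__main__":
    result = audit(SAMPLE_NETSTAT, allow_http_tunnel_80=True)
    for port in result["missing"]:
        print(f"not listening: {port} ({expected_listeners(True)[port]})")
    for port in result["exposed_intraserver"]:
        print(f"intraserver port {port} ({INTRASERVER_PORTS[port]}) is bound on a non-loopback address")
```

On a real server, feed the output of netstat -an (or the equivalent for the platform) into audit() instead of SAMPLE_NETSTAT; the "missing" list points at a component that failed to start or a port taken by another application, and the "exposed_intraserver" list tells you which intraserver ports your firewall rules need to cover.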

Configuring Sametime "Networks and Ports" settings


Sametime connectivity settings are available from the "Networks and Ports" tab of the Sametime Administration Tool. To access the "Networks and Ports" tab, open the Sametime Administration Tool and select Configuration - Connectivity - "Networks and Ports."

The settings on the "Networks and Ports" tab define the host names and ports on which the Sametime services listen for connections from clients and control other aspects of connectivity, such as HTTP-tunneling functionality. Changing these settings can affect the connection processes of clients.

The connectivity options available from the "Networks and Ports" tab include:

- HTTP Services settings - These settings specify the ports on which the Domino HTTP server listens for HTTP connections from Web browsers. If the administrator allows HTTP tunneling on port 80, the Sametime Community Services multiplexer listens for HTTP connections on port 80, and the Domino HTTP server must listen on a different port to prevent a port conflict. For more information, see HTTP Services settings.

- Community Services Network settings - These settings specify the Community Services host names and ports and affect the connection processes of Community Services clients, including the client HTTP-tunneling functionality. Community Services supports all presence and chat features of Sametime. The Community Services clients include Sametime Connect, the Sametime Meeting Room client (participant list and chat components), and the Community Services of other Sametime servers. For more information, see Community Services Network settings.

- Meeting Services Network settings - These settings specify the Meeting Services host name and ports and affect the connection processes of Meeting Services clients, including the client HTTP-tunneling functionality. The Meeting Services support the starting and stopping of meetings, screen-sharing, whiteboard, polling, send Web page, and other T.120 activity. The Meeting Services clients include the Sametime Meeting Room client (screen-sharing, whiteboard, polling, and send Web page components) and the Meeting Services of other Sametime servers.

- Recorded Meeting Broadcast Services Network settings - These settings specify the Recorded Meeting Broadcast Services host name and ports and affect the connection processes of the Sametime Recorded Meeting clients, including the client HTTP-tunneling functionality. The Recorded Meeting Broadcast Services support the playback of all recorded meetings. Recorded meetings can also include audio and video. When a recorded meeting includes audio/video, the Recorded Meeting Broadcast Services are responsible for transmitting the audio/video streams to the Recorded Meeting clients.

- Interactive Audio/Video settings - These settings specify the Audio/Video Services ports and affect the connection processes of the Sametime Meeting Room client to the Audio/Video Services. The Audio/Video Services support all interactive IP audio and video activity on the Sametime server.

- Reverse Proxy Support - These settings enable a Sametime server to be deployed behind a reverse proxy server. The administrator must configure these settings to ensure that Sametime clients can communicate with a Sametime server through the reverse proxy server.

- About HTTP Tunneling - During installation, the administrator can allow HTTP tunneling on port 80 for all clients except audio/video clients. This capability enables the Sametime Connect client, Sametime Meeting Room client, and Sametime Recorded Meeting clients to connect to the Sametime server using HTTP over port 80. The Sametime server can support HTTP tunneling on port 80 for all clients when only one IP address is assigned to the server. The administrator can also manually assign separate IP addresses to each of the Sametime services to accommodate the HTTP tunneling on port 80 functionality. Using multiple IP addresses to support the HTTP tunneling on port 80 functionality is more efficient than using a single IP address to support this functionality.

- Assigning IP addresses to multiple Sametime servers installed on a single server machine - If you are operating Sametime on an IBM i5/OS or IBM pSeries server, you can install multiple Sametime servers on a single server machine. In this scenario, each instance of a Sametime server operates in a separate partition of the single physical server. When multiple servers are operating in separate partitions of a single machine, it is important for each server to be assigned a separate IP address.

Proxy support for Sametime clients


Clients can connect to an IBM Lotus Sametime server using several different types of proxies. The table below shows the client-side proxy types through which clients can connect to the Sametime server.

Note: The term "client-side" proxy refers to a proxy server that is deployed in the client's network. To access other machines on the Internet, the client connects to the client-side proxy and the proxy sends requests to the Internet on behalf of the client. Before sending these requests, the client-side proxy substitutes its IP address for the address of the client. This substitution hides the IP addresses of internal clients and makes it appear as if all outbound network traffic originates from a single address (the proxy server). Hiding internal addresses in this way makes it more difficult for attackers to gain knowledge of your internal networks. A client-side proxy is sometimes called a "forward" proxy. A Sametime server can be deployed behind a reverse HTTP proxy server (or "server-side" proxy).

Sametime client                                      SOCKS 4 proxy   SOCKS 5 proxy   HTTP proxy      HTTPS proxy
Sametime Connect                                     supported       supported       supported       supported
Sametime Mobile                                      not supported   not supported   supported       supported
Sametime Meeting Room screen-sharing/whiteboard      supported       supported       supported       not supported
Sametime Meeting Room participant list/chat          supported       not supported   supported       not supported
Sametime Meeting Room interactive audio/video        supported       not supported   not supported   not supported
Sametime Recorded Meeting client                     supported       not supported   supported       not supported

* Sametime Meeting Room clients can make HTTP connections through an HTTPS proxy. However, Sametime Meeting Room clients cannot make HTTPS connections through the HTTPS proxy. Sametime Connect supports a special feature of HTTPS proxies (called CONNECT) that enables the Sametime Connect client to maintain a persistent, asynchronous connection through an HTTPS proxy. The Meeting Room client does not support CONNECT.

Networks and Ports settings


IBM Lotus Sametime connectivity settings are available from the Configuration - Connectivity - Networks and Ports tab of the Sametime Administration Tool. The settings on the Networks and Ports tab define the host names and ports on which the Sametime services listen for connections from clients and control other aspects of connectivity, such as HTTP-tunneling functionality. Changing these settings can affect the connection processes of clients.

The connectivity options available from the Networks and Ports tab include:

- HTTP Services settings: These settings specify the ports on which the IBM Lotus Domino HTTP server listens for HTTP connections from Web browsers. If the administrator allows HTTP tunneling on port 80, the Sametime Community Services multiplexer listens for HTTP connections on port 80, and the Domino HTTP server must listen on a different port to prevent a port conflict. For more information, see HTTP Services settings.

- Community Services Network settings: These settings specify the Community Services host names and ports and affect the connection processes of Community Services clients, including the client HTTP-tunneling functionality. Community Services supports all presence and chat features of Sametime. The Community Services clients include Sametime Connect, the Sametime Meeting Room client (participant list and chat components), and the Community Services of other Sametime servers. For more information, see Community Services Network settings.

- Meeting Services Network settings: These settings specify the Meeting Services host name and ports and affect the connection processes of Meeting Services clients, including the client HTTP-tunneling functionality. The Meeting Services support the starting and stopping of meetings, screen-sharing, whiteboard, polling, send Web page, and other T.120 activity. The Meeting Services clients include the Sametime Meeting Room client (screen-sharing, whiteboard, polling, and send Web page components) and the Meeting Services of other Sametime servers.

- Recorded Meeting Broadcast Services Network settings: These settings specify the Recorded Meeting Broadcast Services host name and ports and affect the connection processes of the Sametime Recorded Meeting clients, including the client HTTP-tunneling functionality. The Recorded Meeting Broadcast Services support the playback of all recorded meetings. Recorded meetings can also include audio and video. When a recorded meeting includes audio/video, the Recorded Meeting Broadcast Services are responsible for transmitting the audio/video streams to the Recorded Meeting clients.

- Interactive Audio/Video settings: These settings specify the Audio/Video Services ports and affect the connection processes of the Sametime Meeting Room client to the Audio/Video Services. The Audio/Video Services support all interactive IP audio and video activity on the Sametime server.

- Reverse Proxy Support: These settings enable a Sametime server to be deployed behind a reverse proxy server. The administrator must configure these settings to ensure that Sametime clients can communicate with a Sametime server through the reverse proxy server.

- About HTTP Tunneling: During installation, the administrator can allow HTTP tunneling on port 80 for all clients except audio/video clients. This capability enables the Sametime Connect client, Sametime Meeting Room client, and Sametime Recorded Meeting clients to connect to the Sametime server using HTTP over port 80. The Sametime server can support HTTP tunneling on port 80 for all clients when only one IP address is assigned to the server. The administrator can also manually assign separate IP addresses to each of the Sametime services to accommodate the HTTP tunneling on port 80 functionality. Using multiple IP addresses to support the HTTP tunneling on port 80 functionality is more efficient than using a single IP address to support this functionality.

- Assigning IP addresses to multiple Sametime servers installed on a single server machine: If you are operating Sametime on an IBM i5/OS or IBM pSeries server, you can install multiple Sametime servers on a single server machine. In this scenario, each instance of a Sametime server operates in a separate partition of the single physical server. When multiple servers are operating in separate partitions of a single machine, it is important for each server to be assigned a separate IP address.

HTTP Services settings


IBM Lotus Sametime installs on an IBM Lotus Domino server and uses the HTTP server provided with Domino.

About this task


During a Sametime installation, the administrator can allow HTTP tunneling on port 80. To support the HTTP tunneling on port 80 functionality, the Community Services multiplexer on the server listens for HTTP connections from clients (including Web browsers) on port 80. A Web browser connects to the Community Services multiplexer on port 80, and the Community Services multiplexer makes an intraserver connection to the Domino HTTP server on behalf of the Web browser.

If the administrator allows HTTP tunneling on port 80 during the Sametime installation, the Domino HTTP server must listen for HTTP connections on a port other than port 80. In this scenario, the Sametime server installation programmatically changes the HTTP port of the Domino HTTP server to port 8088 during the Sametime installation process. It is not necessary to manually change the setting. If the administrator does not allow HTTP tunneling on port 80 during the Sametime installation, the Domino HTTP server listens for HTTP connections on port 80 by default.

On some platforms, you can configure Sametime to operate using a Microsoft IIS HTTP server or IBM WebSphere HTTP server. For information on setting up Sametime to use a different HTTP Web server, see "Sametime Server Installation."

Follow these instructions if you need to change the HTTP port of the Domino HTTP server:

1. Open the Sametime Administration Tool.
2. Select Configuration - Connectivity - Networks and Ports.
3. Select Configure HTTP Services on a Web page in its own window.
4. Select Ports.
5. Select Internet Ports. If the Domino server is set up for HTTP connections from Web browsers, you can change the TCP/IP port number setting, located under the Web (HTTP/HTTPS) column of the settings. To change the port used by the HTTP server, change the port associated with the TCP/IP port number field. (For example, if you are enabling HTTP tunneling on port 80 on a Sametime server that includes a single IP address, you may want to change the HTTP port from port 80 to 8088.)
6. Select Internet Protocols.
7. Select Domino Web Engine.
8. Under the Generating References to this server section, make the following changes if the HTTP server uses HTTP for Web browser connections:
   - In the Protocol setting, select http.
   - In the Port number field, enter the same port entered in the TCP/IP port number setting in Step 5.
9. Click Save and Close to save the Server document.
10. Change the port number in the stconvservices.properties file to match, as the HTTP port is pulled from this setting.
11. Restart the Domino server for the change to take effect.

Community Services Network settings


The Community Services Network settings control the host names and ports on which the IBM Lotus Sametime Community Services multiplexer listens for connections from clients. The administrator can also enable or disable the HTTP tunneling functionality from the Community Services Network settings. Access the Community Services Network settings from the Sametime Administration Tool by selecting Configuration - Connectivity - Networks and Ports.

The Community Services multiplexer (or "mux") is the component of the Community Services that handles connections from clients. The Community Services multiplexer handles TCP/IP connections to the Community Services. The Community Services multiplexer is particularly important to connectivity. In addition to handling TCP/IP connections to the Community Services, the Community Services multiplexer can also handle HTTP-tunneled connections to the Community Services, Meeting Services, and Recorded Meeting Broadcast Services.

The Community Services Network settings include:

- Address for server connections
- Address for client connections
- Address for HTTPS-tunneled client connections
- Address for HTTP-tunneled client connections (Community Services)

Address for server connections (Community Services)


The Community Services Network Address for server connections settings control the IP addresses or DNS names and the ports on which the Community Services listen for connections from the Community Services of other Sametime servers. The Address for server connections setting includes these fields:

- Host name
- Port number

Host name
The Host name field allows an administrator to specify the IP addresses or DNS names (for example, www.sametime.com) on which the Community Services multiplexer listens for connections from the Community Services of other Sametime servers. If this field is blank, the Community Services multiplexer listens for the Community Services server-to-server connections on all IP addresses or DNS names assigned to the machine on which the server is installed. If only one IP address or DNS name is assigned to the Sametime server, IBM recommends leaving this field blank.

If you enter one or more IP addresses or DNS names in the Host name field, the Community Services multiplexer listens for server-to-server connections only on the IP addresses or DNS names specified in the "Host name" field. When entering multiple IP addresses or DNS names in this field, separate each entry with a comma.

Note: If you are running Sametime on an IBM i5/OS, Linux, Sun Solaris, or IBM AIX server, you can run multiple Sametime servers on a single machine. In this case, use the Host name field to ensure that each of the multiple servers is assigned a separate IP address.

If you change this setting, click the Update button and then restart the server for the changes to take effect.

Port number
The Port number setting specifies the TCP/IP port (default 1516) on which the Community Services multiplexer listens for connections from the Community Services of other Sametime servers. Community Services server-to-server connections are direct TCP/IP connections that cannot occur through a proxy server.

This port is also used by the Community Services for intraserver connections to other components of the Community Services. For example, the Community Services multiplexer can listen for connections from Community Services clients on port 1533 and port 80. The Community Services multiplexer connects to other components of the Community Services on port 1516.

For more information about working with multiple Sametime servers, see:

- Integrating a Sametime server into an existing Sametime community
- Extending Sametime to Internet users

If you change this setting, click the Update button and then restart the server for the changes to take effect.

Address for client connections (Community Services)


The Community Services Network "Address for client connections" settings control the IP addresses or DNS names and the ports on which the Community Services multiplexer listens for TCP/IP connections, HTTP-tunneled connections, and HTTPS-tunneled connections from clients.

Note: The Community Services multiplexer contains a connectivity agent that enables the multiplexer to simultaneously listen for connections that use different protocols (HTTP, HTTPS, or TCP/IP) on a single port. This feature enables Community Services clients to establish connections to the Sametime server in a wide variety of network environments.

Note: The term "TCP/IP connection" means that the clients and server use a unique Sametime protocol operating over TCP/IP to establish a connection. The client can make this TCP/IP connection directly to the Community Services on the Sametime server or through a SOCKS proxy. A direct TCP/IP connection provides the best performance. The direct TCP/IP connection is also called a "Direct connection using Sametime standard protocol" in the Sametime Connect client Sametime Connectivity settings.

The "Address for client connections" setting includes these fields:

- Host name
- Port number

Host name
The "Host name" field allows an administrator to specify the IP addresses or DNS names (for example, www.sametime.com) on which the Community Services multiplexer listens for TCP/IP connections, HTTP-tunneled connections, and HTTPS-tunneled connections from clients. If the "Host name" field is blank, the Community Services multiplexer listens for these connections on all IP addresses or DNS names assigned to the machine on which the Sametime server is installed. If only one IP address or DNS name is assigned to the server, Lotus software recommends leaving the "Host name" field blank.

If you enter one or more IP addresses or DNS names in the "Host name" field, the Community Services multiplexer listens for TCP/IP connections only on the IP addresses or DNS names specified in the "Host name" field. When entering multiple IP addresses or DNS names in this field, separate each entry with a comma.

Note: If you are running Sametime on an IBM i5/OS, Solaris, or IBM AIX server, you can run multiple Sametime servers on a single machine. In this case, use the "Host name" field to ensure that each of the multiple servers is assigned a separate IP address.

If you change the "Host name" setting, click the Update button and restart the server for the change to take effect.

Port number
The "Port number" setting allows an administrator to specify the ports (default 1533) on which the Community Services multiplexer listens for TCP/IP connections, HTTP-tunneled connections, and HTTPS-tunneled connections from Community Services clients, such as the Sametime Connect client and the Sametime Meeting Room client. If multiple ports exist in the "Port number" field, the Community Services multiplexer listens for these connections on all ports specified in the field. For example, if the administrator enters ports 1533 and 1522 in this field, the Community Services multiplexer listens for TCP/IP, HTTP-tunneled, and HTTPS-tunneled connections on both ports 1533 and 1522. When entering multiple ports in this field, separate each entry with a comma.

The Meeting Room client automatically attempts a direct TCP/IP connection to the Community Services multiplexer on these ports after loading in the user's Web browser. The Sametime Connect client can attempt a TCP/IP connection, an HTTP-tunneled connection, or an HTTPS-tunneled connection to the Community Services on this port. The type of connection the Sametime Connect client attempts depends on the connectivity setting that is specified in the Options-Preferences-Sametime Connectivity tab of the Sametime Connect client.

If you change the "Port number" setting, click the Update button and restart the server for the change to take effect.

Address for HTTPS-tunneled client connections (Community Services)


The Community Services Network "Address for HTTPS-tunneled client connections" settings control the IP addresses or DNS names and the ports on which the Community Services multiplexer listens for HTTPS-tunneled connections from the Sametime Connect client. Only the Sametime Connect client can attempt HTTPS-tunneled connections to the Community Services. The "Address for HTTPS-tunneled client connections" setting includes these fields:

- Host name
- Port number

Host name
The "Host name" field allows an administrator to specify the IP addresses or DNS names (for example, www.sametime.com) on which the Community Services multiplexer listens for HTTPS-tunneled connections from Sametime Connect clients. If the "Host name" field is blank, the Community Services multiplexer listens for HTTPS-tunneled connections on all IP addresses or DNS names assigned to the machine on which the Sametime server is installed. If only one IP address or DNS name is assigned to the server, Lotus software recommends leaving the "Host name" field blank.

If you enter one or more IP addresses or DNS names in the "Host name" field, the Community Services multiplexer listens for HTTPS-tunneled connections only on the IP addresses or DNS names specified in the "Host name" field. When entering multiple IP addresses or DNS names in this field, separate each entry with a comma.

Note: If you are running Sametime on an IBM i5/OS, Linux, Sun Solaris, or IBM AIX server, you can run multiple Sametime servers on a single machine. In this case, use the "Host name" field to ensure that each of the multiple servers is assigned a separate IP address.

If you change the "Host name" setting, click the Update button and restart the server for the changes to take effect.

Port number
The "Port number" setting allows an administrator to specify the ports (default 1533) on which the Community Services multiplexer listens for HTTPS-tunneled connections from Sametime Connect clients. If multiple ports exist in the "Port number" field, the Community Services multiplexer listens for HTTPS-tunneled connections on all ports specified. For example, if the administrator enters ports 1533 and 443 in this field, the Community Services multiplexer listens for HTTPS-tunneled connections on both ports 1533 and 443. When entering multiple ports in this field, separate each entry with a comma.

The Sametime Connect client attempts HTTPS-tunneled connections through an HTTPS proxy when the "Use Proxy" and "Use HTTPS proxy" options are selected in the Sametime Connect client Sametime Connectivity settings.

Many organizations have firewall or network configurations that prevent HTTPS connections on the default port of 1533. For the Sametime Connect clients to connect to the Community Services multiplexer, you might need to specify port 443 as the "Address for HTTPS client connections" port.

If you specify port 443 as a Community Services HTTPS-tunneled client connection port, note the following:

- The Sametime Connect clients must have the "Use proxy" and "Use HTTPS proxy" options selected in the Sametime Connectivity settings.

- The "Community port" setting in the Sametime Connect client Sametime Connectivity settings must match the Community Services Network-Address for HTTPS client connections-"Port number" setting in the Sametime Administration Tool. If you specify port 443 as the Community Services Network-Address for HTTPS client connections-"Port number" setting, the "Community port" setting in the Sametime Connect clients must also specify port 443.

- The Sametime Connect client establishes an HTTPS connection, but this HTTPS connection is not encrypted with SSL. To secure chat messages, users should select the "Secure messages I start" option in the Options-Preferences-Messages settings of the Sametime Connect client. Note: The HTTPS connection method is implemented to enable the Sametime Connect client to pass data through the HTTPS proxy. However, the data passing over this HTTPS connection is not encrypted.

- If you have configured the Domino HTTP server to use SSL for Web browser connections, the Domino HTTP server listens for HTTPS connections on port 443. In this case, you cannot specify port 443 as the Community Services Network-Address for HTTPS client connections-"Port number" setting unless you assign multiple IP addresses to the Sametime server machine. Otherwise, both the Community Services multiplexer and the Domino HTTP server would listen for HTTPS connections on the same port number and IP address. For more information on this issue, see the "Things you need to know" section of the Sametime Release Notes.

If you change the HTTPS Tunneled Client Connections Port setting, click the Update button and restart the server for the changes to take effect.

Address for HTTP-tunneled client connections (Community Services)


The Community Services Network Address for HTTP tunneled client connections settings control the IP addresses or DNS names and the ports on which the Community Services multiplexer listens for HTTP-tunneled connections from clients. The fields included with this setting are:

- Host name
- Port number

Host name
The Host name field allows an administrator to specify the IP addresses or DNS names (for example, www.sametime.com) on which the Community Services multiplexer listens for HTTP-tunneled connections from clients. If the Host name field is blank, the Community Services multiplexer listens for HTTP-tunneled connections on all IP addresses or DNS names assigned to the machine on which the Sametime server is installed. If only one IP address or DNS name is assigned to the server, IBM recommends leaving this field blank.

If you enter one or more IP addresses or DNS names in the Host name field, the Community Services multiplexer listens for HTTP-tunneled connections only on the IP addresses or DNS names specified in the "Host name" field. When entering multiple IP addresses or DNS names in this field, separate each entry with a comma.

Note: If you are running Sametime on an IBM i5/OS, Linux, Sun Solaris, or IBM AIX server, you can run multiple Sametime servers on a single machine. In this case, use the Host name field to ensure that each of the multiple servers is assigned a separate IP address. The Host name field can also be used if you decide to use multiple IP addresses to support the HTTP tunneling functionality.

If you change the Host name setting, click the Update button and then restart the server for the changes to take effect.

Port number
The Port number field allows an administrator to specify the ports on which the Community Services multiplexer listens for HTTP-tunneled connections from Sametime clients. The default port numbers depend on the Allow HTTP tunneling on port 80 option available to the Sametime administrator during the Sametime server installation.

- If the administrator chooses the Allow HTTP tunneling on port 80 option during the Sametime server installation, the default port number is port 80.
- If the administrator does not choose the Allow HTTP tunneling on port 80 option during the Sametime server installation, the default port numbers are ports 1533 and 8082.

If multiple ports exist in this Port number field, the Community Services multiplexer listens for HTTP-tunneled connections on all ports specified. For example, when ports 80 and 8082 are entered in this field, the Community Services multiplexer simultaneously listens for HTTP-tunneled connections on both ports 80 and 8082. When entering multiple ports in this field, separate each entry with a comma.

Note: The Community Services multiplexer will also listen for HTTP-tunneled connections on the Community Services Network Address for client connections Port number (default 1533).

The Sametime Meeting Room client, the Sametime Connect client, and the Sametime Recorded Meeting client can make HTTP-tunneled connections to the Community Services multiplexer. These HTTP-tunneled connections are discussed below.


Sametime Connect client connection


The Sametime Connect client can attempt an HTTP-tunneled connection to the Community Services multiplexer when any of the following options are selected in the Sametime Connectivity tab of the Sametime Connect client:

- Use my Internet Explorer HTTP settings (Sametime Connect for the desktop only)
- Direct connection using HTTP protocol
- Use Proxy and Use HTTP proxy
- Use my Java Plug-in settings (additionally, an HTTP proxy server must be specified in the Java Plug-in settings)

The Sametime Connect client will use the port specified as the Community port (default 1533) in the Options - Preferences - Sametime Connectivity tab of the Sametime Connect client to establish an HTTP-tunneled connection with the Community Services multiplexer. To enable the Sametime Connect client to successfully establish an HTTP-tunneled connection to the Community Services, the Community port setting in the Sametime Connect client must match one of the port numbers on which the Community Services multiplexer listens for HTTP-tunneled connections. Note that the Community Services multiplexer will listen for HTTP-tunneled connections on these ports:

- The Port number setting under Address for client connections in the Community Services Network settings of the Sametime Administration Tool
- The Port number setting under Address for HTTP tunneled client connections in the Community Services Network settings of the Sametime Administration Tool

Note: If the Sametime Connect client must connect to the Sametime server through a firewall that allows only HTTP connections on port 80, the Community port setting on the Sametime Connect client must specify port 80, and one of the Community Services Network administration settings listed above must also specify port 80 to enable the client to establish an HTTP-tunneled connection to the server.

Note: The port 8082 setting in the Port number field under Address for HTTP tunneled client connections in the Community Services Network settings ensures backward compatibility with previous Sametime releases, where Sametime clients made direct TCP/IP connections to the Community Services on port 1533 and HTTP connections on port 8082. If a Sametime Connect client or Sametime Meeting Room client from a previous Sametime release attempts an HTTP-tunneled connection to a Sametime server, the client might attempt this connection on port 8082 by default. Listing port 8082 in the HTTP Tunneling port setting ensures that these clients can establish HTTP-tunneled connections with the Community Services on the Sametime server.

If you change the Port number setting, click the Update button and then restart the server for the changes to take effect.

Community Services connectivity and the home Sametime server


The "home" server plays an important part in client connectivity to the IBM Lotus Sametime Community Services.


Sametime includes the concept of a "home" Sametime server. If your environment includes multiple Sametime servers or you have deployed other applications enabled with Sametime technology on IBM Lotus Domino servers, it is mandatory that every user be assigned to a "home" Sametime server. To assign a user to a home Sametime server, you must enter the name of the Sametime server in the Sametime server field of the user's Person document in the Domino Directory.

Note: Sametime supports Community Services server clustering that enables users to receive Community Services functionality from any of a group of clustered Sametime servers. In this scenario, each user can be assigned to a home Sametime server cluster instead of a home Sametime server. For more information, see Creating Community Services server clusters.

The concept of the home Sametime server is important to Community Services connectivity for the following reasons:
v Users need a single place to store their Community Services preferences - The home server is the Sametime server to which each user logs in to appear in a presence list in a Sametime client or a database enabled with Sametime technology. The home Sametime server stores a user's Community Services preferences settings, contact lists, privacy information, and information about the availability of audio/video hardware on the user's computer. This information is stored in the Notes database vpuserinfo.nsf on the user's home Sametime server. The client must retrieve this information each time the user logs in to the Community Services. In multiple server environments, this information must be stored on a single server. If this information were stored on multiple servers and the user changed the Community Services preferences settings while logged in to one Sametime server, the user could receive different Community preferences settings when logging in to a different Sametime server. For this reason, the user is always required to log in to the same home Sametime server.
v Users can only log in to one Sametime server at a time - A user's presence can only be registered to the Community Services on one Sametime server at a time. When multiple Sametime servers are integrated into a single community, the Community Services will not allow a single user to simultaneously log in to the Community Services on two separate Sametime servers. If a user attempts to do so, the first connection to the Community Services is disconnected. The home Sametime server setting ensures that a user always connects to a single Sametime server to receive the Community Services functionality. For example, assume a user's home Sametime server setting on the Person document is set to Sametime server A. The user starts the Sametime Connect client and connects to Sametime server A. The user then attends a meeting on Sametime server B that includes presence, chat, and whiteboard functionality. The Meeting Room client launches on the user's machine and receives the whiteboard data from Sametime server B but is directed to Sametime server A for presence and chat functionality. The home Sametime server setting ensures that the user is always directed to Sametime server A for the Community Services functionality regardless of how many different Sametime clients they are using. If no home Sametime server is specified for a user and the user attempts to connect to the Community Services on two different Sametime servers, all connections to the Community Services are disconnected.

Note: Another characteristic of the Community Services is that a user's presence can originate from only one machine (or IP address) at a time. A user who has two machines can only log in to the Community Services from one of the machines. If the user attempts to log in to the Community Services from Sametime clients on two separate machines, the client that logged in to the Community Services first is disconnected. Although the home Sametime server concept does not solve this issue, the administrator should be aware of this Community Services characteristic if the user population includes many users with multiple machines.

Sametime Connect and the home Sametime server


The Sametime Connect client includes settings that enable any user to specify the Sametime server to which the Sametime Connect client will connect. The user specifies a particular Sametime server from the Options - Preferences - Sametime Connectivity settings on the Sametime Connect client. IBM recommends that the Sametime Connectivity settings of the Sametime Connect client and the Sametime server setting on a user's Person document specify the same home Sametime server. If these settings specify different home Sametime servers, the client connects to the server specified in the Sametime Connectivity settings of the client, but the connection is then redirected to the server specified in the Sametime server field of the Person document, rendering connectivity slightly less efficient than if the redirect is avoided. Logging in to Community Services occurs on the Sametime server specified in the user's Person document.

Assigning users to a home Sametime server


To assign a user to a home Sametime server, enter the Sametime server name in the Sametime server field in the Administration section of a user's Person document in the Domino Directory. You can enter the name of the Sametime server in the Domino hierarchical name format (for example, sametime/west/acme), and the field automatically converts the name to the full canonical name format. For example, if you enter sametime/west/acme, the name is stored as cn=sametime/ou=west/o=acme. You can also use the full hierarchical name format when entering the server name.

Note: Community Services reads the server name from the Servers view ($Servers) of the Domino Directory, so the name entered in the Sametime server field on the Person document must match it. If you are using an agent to populate the Sametime server field for several different users, ensure that the agent specifies the full canonical name of the server.

For information about assigning users to a home Sametime server when Sametime is configured to access an LDAP directory, see Setting up an LDAP directory.
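The following Python script is an added example (not part of this guide or of Sametime) of the canonical-name conversion described above, together with the check an agent that populates the Sametime server field would need: each Person document value is canonicalised and compared with the names in the $Servers view. It assumes names carry no country (C=) component, that Domino compares names case-insensitively, and that canonical labels are written in upper case; the function names and the sample data are the example's own.

```python
"""Added example (not part of the Sametime guide): normalise the value written
into the "Sametime server" field of Person documents and check it against the
Servers view ($Servers), as an agent that populates the field should do.

Assumptions: names have no country (C=) component, Domino compares names
case-insensitively, and canonical labels are written in upper case."""

from typing import Dict, List

# Component labels a Domino canonical name may carry in this simplified model.
_LABELS = ("CN", "OU", "O")


def to_canonical(name: str) -> str:
    """Convert an abbreviated hierarchical name (sametime/west/acme) or an
    already canonical one (cn=sametime/ou=west/o=acme) to canonical form.

    Rule applied: the first component is CN, the last is O, and any
    components between them are OUs. A trailing slash is tolerated.
    """
    parts = [p.strip() for p in name.strip().strip("/").split("/")]
    values: List[str] = []
    for part in parts:
        if "=" in part:
            # Already labelled: keep the value, but reject labels we do not model.
            label, _, value = part.partition("=")
            if label.strip().upper() not in _LABELS:
                raise ValueError(f"unsupported component {label!r} in {name!r}")
            part = value.strip()
        if not part:
            raise ValueError(f"empty name component in {name!r}")
        values.append(part)
    if len(values) < 2:
        raise ValueError(f"a hierarchical name needs at least CN and O: {name!r}")
    labels = ["CN"] + ["OU"] * (len(values) - 2) + ["O"]
    return "/".join(f"{lbl}={val}" for lbl, val in zip(labels, values))


def same_server(a: str, b: str) -> bool:
    """True when two names, in any of the accepted formats, denote the same server."""
    return to_canonical(a).lower() == to_canonical(b).lower()


def unresolved_home_servers(person_fields: Dict[str, str],
                            servers_view: List[str]) -> List[str]:
    """Return the users whose Sametime server field is empty, malformed, or not
    found in the $Servers view. person_fields maps a user to the raw field value."""
    problems = []
    for user, field in person_fields.items():
        try:
            ok = any(same_server(field, server) for server in servers_view)
        except ValueError:
            ok = False
        if not ok:
            problems.append(user)
    return sorted(problems)


if __name__ == "__main__":
    # Constructed sample data: one server in $Servers and three Person documents,
    # one of which names a server that does not exist.
    servers = ["CN=Sametime/OU=West/O=Acme"]
    people = {
        "Ann Example/West/Acme": "sametime/west/acme",
        "Bob Example/East/Acme": "cn=sametime/ou=west/o=acme",
        "Cy Example/West/Acme": "sametime/east/acme",
    }
    print(to_canonical("sametime/west/acme"))
    print(unresolved_home_servers(people, servers))
```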

Changing the IP address of an i5/OS Sametime server


About this task
Your i5/OS Sametime server should be set up so that it uses host names and does not refer directly to IP addresses. This allows you to change the IP address for your i5/OS Sametime server by simply updating the host table and DNS. To change the IP address for your i5/OS Sametime server, follow these steps:
1. Update your host table so that the new IP address is associated with the appropriate host name. Make sure that the fully qualified host name is listed first among the entries for your i5/OS Sametime server, before any short names. For more information, see "Updating the host table on i5/OS" on page 12.
2. Likewise, update your DNS entries so that the new IP address is associated with the appropriate host name. Check whether your server is configured to search the Domain Name Server (DNS) before the host table. If it is, you must also make sure that the fully qualified host name of your i5/OS Sametime server is listed first in the DNS. To check the configured search order, see "Updating the Domain Name Server for i5/OS" on page 13.
3. Stop and restart the i5/OS Sametime server for the changes to take effect.

Results
For detailed information about verifying and changing these values, see "Preparing the TCP/IP Environment on i5/OS" on page 10.

Changing the host name of an i5/OS Sametime server


About this task
The i5/OS command CHGLSTDOM simplifies the process for changing the host name setting of an i5/OS Sametime server. The procedure described in this section can also be used to correct problems with the configuration of your i5/OS Sametime server. For example, if your TCP/IP host table did not correctly list the fully qualified host name first at the time that you set up your i5/OS Sametime server, many elements of your Sametime server configuration may be incorrect. You can correct this type of server configuration problem by following this procedure to change the host name.

To change the host name, follow these steps:
1. Update your host table so that the new host name is associated with the appropriate IP address. Make sure that the fully qualified host name is listed first among the entries for your i5/OS Sametime server, before any short names. For more information, see "Updating the host table on i5/OS" on page 12.
2. Likewise, update your DNS entries so that the new host name is associated with the appropriate IP address. Check whether your server is configured to search the Domain Name Server (DNS) before the host table. If it is, you must also make sure that the fully qualified host name of your i5/OS Sametime server is listed first in the DNS. To check the configured search order, see "Updating the Domain Name Server for i5/OS" on page 13.
3. End the i5/OS Sametime server.
4. Update the host name for the Domino server using the CHGDOMSVR command. For detailed information on changing the configuration of a Domino server, refer to "Updating the configuration of existing i5/OS Domino servers" on page 14.
5. On any i5/OS command line, type the following and press F4:
CHGLSTDOM

6. On the Change Sametime on Domino display, specify the following and then press Enter:
v The name of the i5/OS Sametime server where you want to make this change (for example, stdom1).
v The new fully qualified host name for the i5/OS Sametime server (for example, stdom1.acme.com).
The command updates the Ports - Notes Network Ports - Net Address field in the Server document, adds the host name to the Internet Protocols - HTTP - Host name field in the Server document, and updates Sametime files that reference the host name.
Note: If your server is enabled for both IPv4 and IPv6 addressing, you must manually update the sametime.ini file so that "VPS_HOST=" is set to an explicit IP address, rather than the host name, after running the CHGLSTDOM command. See Configuring the Community Services for IPv6 for detailed instructions.
7. Start the i5/OS Sametime server.
8. Open the Domino directory (names.nsf) on your i5/OS Sametime server and edit the Server document. Look at the Internet Protocols - HTTP tab in the Server document and locate the Basics - Host name(s) field.
9. The Basics - Host name(s) field may contain more than one name. If any of the names are incorrect or not needed, delete them. Make sure that the correct fully qualified host name is listed first in the field.
Note: If your server is configured for both IPv4 and IPv6 addressing, there are additional considerations when updating the Host name field. See Configuring Lotus Domino for IPv6 on i5/OS for detailed instructions.
10. Save and close the Server document.
11. If you are using HTTP Tunneling with multiple IP addresses, then additional configuration updates are required. See "Updating the i5/OS host names when using HTTP Tunneling with multiple IP addresses" later in this section.
12. Stop and restart the i5/OS Sametime server for the changes to take effect.

What to do next
Updating the i5/OS host names when using HTTP Tunneling with multiple IP addresses

If you are using HTTP Tunneling with multiple IP addresses, then you must update your configuration manually after using the CHGLSTDOM command to change the i5/OS server host name. If you are not using HTTP Tunneling with multiple IP addresses, this step is not applicable. The CHGLSTDOM command placed the new host name in the tunneling host name fields, but did not preserve the required prefixes, such as community-, meeting- and broadcast-, in the Sametime configuration. Use the Sametime Administration Tool to update the host names in the following fields in the "Connectivity" section:
v Community Services Network settings -> Address for client connections - Host name should have the prefix community-
v Community Services Network settings -> Address for HTTP tunneled client connections - Host name should have the prefix community-
v Meeting Services Network settings -> Address for HTTP tunneled client connections - Host name should have the prefix meeting-
v Broadcast Services Network settings -> Broadcast Gateway address for HTTP tunneled client should have the prefix broadcast-


Chapter 19. Configuring Lotus Sametime for mobile users


Configure IBM Lotus Sametime with Lotus Sametime Mobile to provide connectivity for users with supported mobile devices.

About this task


Configuring Lotus Sametime for mobile users involves the following tasks:

Configuring the Lotus Domino server for Lotus Sametime Mobile support
To enable support for IBM Lotus Sametime Mobile on the IBM Lotus Domino server, you need to create a Web Site Rule document in the Domino Directory and establish a URL redirection.

About this task


Complete the following steps to enable support for Lotus Sametime Mobile on the Lotus Domino server.
1. Create a Web Site Rule document in the Domino Directory and establish a URL redirection. The URL redirection enables users to download the Lotus Sametime Mobile application to their mobile devices using the simplified URL http://yoursametimeserver.yourcompany.com/mobile, as described in the Sametime Mobile Help.
a. In the Domino Directory, open the Server document for the Lotus Domino server that hosts the Lotus Sametime server.
b. Click the Create Web - URL Mapping/Redirection button.
c. In the Basics tab, select URL -> Redirection URL.
d. Click the Mapping tab and enter the following information:
v In the Incoming URL path field, enter /mobile/* .
v In the Redirection URL string field, enter stcenter.nsf/WebMobileDownloads?OpenView .
e. Click Save & Close.
2. Configure MIME type support on the Lotus Domino server.
a. With a text editor, open the file httpd.cnf, located in the Domino data directory.
b. Add the following lines to the file at the end of the section "other application formats" but before the section "Fallback MIME types":
AddType .jad text/vnd.sun.j2me.app-descriptor
AddType .jar application/java-archive
AddType .alx application/octet-stream
AddType .cod application/octet-stream
AddType .sisx application/octet-stream
AddType .cab application/vnd.ms-cab-compressed
AddType .cfg text/Sametime
c. Save and close the modified file.
3. Restart the HTTP task on the server.
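The following Python script is an added example (not part of this guide or of Domino) that performs step 2b on the text of an httpd.cnf: it inserts the AddType lines at the end of the "other application formats" section, before "Fallback MIME types", skips extensions that are already declared, and reports extensions already declared with a different type so the administrator can resolve the conflict by hand. The httpd.cnf fragment is constructed for the example, and the section markers are matched on the comment text quoted above.

```python
"""Added example (not part of the Sametime guide): apply step 2b of the Lotus
Sametime Mobile procedure to a Domino httpd.cnf. Section markers are matched
on the comment text quoted in the guide; the sample file is constructed."""

from typing import Dict, List, Tuple

# The mappings from step 2b of the procedure.
MOBILE_TYPES = [
    (".jad", "text/vnd.sun.j2me.app-descriptor"),
    (".jar", "application/java-archive"),
    (".alx", "application/octet-stream"),
    (".cod", "application/octet-stream"),
    (".sisx", "application/octet-stream"),
    (".cab", "application/vnd.ms-cab-compressed"),
    (".cfg", "text/Sametime"),
]

# Constructed fragment of a Domino httpd.cnf; a real file has many more directives.
SAMPLE_HTTPD_CNF = """\
# other application formats
AddType .pdf  application/pdf  binary  1.0
AddType .jar  application/java-archive  binary  1.0

# Fallback MIME types
AddType *.*  application/octet-stream  binary  0.5
"""


def existing_addtypes(lines: List[str]) -> Dict[str, str]:
    """Map each extension already declared with AddType to its MIME type."""
    found: Dict[str, str] = {}
    for line in lines:
        fields = line.split()
        if len(fields) >= 3 and fields[0].lower() == "addtype":
            found[fields[1].lower()] = fields[2]
    return found


def _section_index(lines: List[str], marker: str) -> int:
    """Index of the comment line that opens the named section."""
    for i, line in enumerate(lines):
        if line.lstrip().startswith("#") and marker.lower() in line.lower():
            return i
    raise ValueError(f"section marker {marker!r} not found in httpd.cnf")


def add_mobile_types(cnf_text: str) -> Tuple[str, List[str], List[str]]:
    """Return (new text, extensions added, extensions mapped to a different type)."""
    lines = cnf_text.splitlines()
    start = _section_index(lines, "other application formats")
    end = _section_index(lines, "Fallback MIME types")
    if end <= start:
        raise ValueError("'Fallback MIME types' must follow 'other application formats'")
    present = existing_addtypes(lines)
    added: List[str] = []
    conflicts: List[str] = []
    new_lines: List[str] = []
    for ext, mime in MOBILE_TYPES:
        if ext not in present:
            new_lines.append(f"AddType {ext} {mime}")
            added.append(ext)
        elif present[ext].lower() != mime.lower():
            conflicts.append(ext)  # leave the existing mapping untouched
    # End of the section: just before the blank lines that precede the fallback marker.
    insert_at = end
    while insert_at > start + 1 and not lines[insert_at - 1].strip():
        insert_at -= 1
    lines[insert_at:insert_at] = new_lines
    return "\n".join(lines) + "\n", added, conflicts


if __name__ == "__main__":
    text, added, conflicts = add_mobile_types(SAMPLE_HTTPD_CNF)
    print(text)
    print("added:", added, "conflicts:", conflicts)
```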


What to do next
After these steps are completed, the Sametime server can be used with the Sametime Mobile client; however, before allowing users to download Lotus Sametime Mobile, you should provision the client with appropriate server details by completing the configuration steps explained in Configuring Sametime Mobile for client downloads. This simplifies the end-user experience and prevents the user from entering incorrect connectivity details.


Chapter 20. Configuring the Community Services


This section describes the IBM Lotus Sametime Community Services, explains the Community Services configuration settings that are available from the Sametime Administration Tool, and describes how to deploy a Community Services multiplexer on a separate machine. The topics discussed include:
v About the Community Services
v Community Services configuration settings
v Anonymous Access Settings for Community Services
v Deploying a Community Services multiplexer on a separate machine
v Managing client types and logins on page 294

Note: For additional information on using LDAP with a Sametime server that operates on a platform other than Windows (such as the IBM i5/OS, Solaris, Linux and pSeries servers), see "Sametime Server Installation."

Note: If your users have stored privacy information ("who can see me") from your earlier release of Sametime, then you need to migrate this information by running a utility after upgrading. Privacy information from the earlier release will not be used unless it is migrated. For more information, see the Technote "Migrating privacy data after upgrading to Sametime." This Technote is available at http://www.ibm.com/software/support.

About the Community Services


The IBM Lotus Sametime Community Services supports all presence (or awareness) and text chat activity in a Lotus Sametime community. Any Lotus Sametime client that contains a presence list must connect to Community Services.

Note: The Community Services clients include the Sametime Connect client and the Participant List and chat components of the Sametime Meeting Room client.

Using Lotus Sametime Gateway, which replaces the Session Initiation Protocol (SIP) Gateway that accompanied Lotus Sametime 7.0, Instant Messaging users can connect through SIP or other protocols outside the corporate firewall to communities using AOL's AIM, Yahoo! Messenger and Google Talk to see presence status and to exchange text-based instant messages.

Note: Lotus Sametime Entry and Lotus Sametime Limited Use provide no file transfer, screen capture, voice or video chat, telephony, Lotus Sametime Gateway or meetings.

Other features include: integrated VoIP (voice chat) and video; rich text formatting, a feature which provides the user with the ability to alter the appearance of fonts in size, type and color in text communications and the ability to transfer documents created under different operating systems and with different software applications among those operating systems and applications; prepared emoticons, or emotional icons, devised to convey feelings and reactions; Quick Find, which allows the user to type in a few letters to select the desired name from a list; and other features. In addition, users can set their own preferences in status, settings for the Chat window such as font, emoticons, chat partner's status, 12-hour or 24-hour timestamp on chats, alert notifications, status messages, privacy settings, managing chats, and audio/video settings. Users can send files, uniform resource locators (URLs), or portions of their screen (with the screen capture tool).

Basic functionality supported by the Community Services includes:
v Handling client login requests.
v Handling connections from clients that access the Sametime server through a direct TCP/IP connection, or an HTTP, HTTPS, or SOCKS proxy server. Community Services clients connect to the Community Services multiplexer component, which can be deployed on a separate machine from the core Sametime server.
v Providing directory access for user name search and display purposes.
v Providing directory access to compile lists of all Sametime servers and users in the community.
v Dissemination of presence and chat data to all users connected to Community Services.
v Maintenance of privacy information for online users.
v Handling connections from the Community Services on other Sametime servers when multiple servers are installed. Server-to-server connections for the Community Services occur on default TCP/IP port 1516.
Note: Port 1516 is also used by the Meeting Services. In a multiple server environment, port 1516 must be open between two Sametime servers to enable a single Sametime meeting to be simultaneously active on both Sametime servers. This functionality is sometimes called "invited servers." For more information, see Advantages of a single meeting on multiple servers.
v Logging of server community events to the Sametime log (stlog.nsf).
v Enabling the administrator to force a name entry prompt to appear when the ACL settings of the Sametime Meeting Center database (or any other database that includes Sametime technology) allow anonymous access. This name entry prompt ensures that the presence list in the Sametime database can display a unique name for the user.

Writing custom messages for clients


The Sametime Administrator can write custom messages to appear in the Sametime client's login (under "Welcome to Sametime") or in the "add new contact" screens. These messages can be created with Eclipse plug-in programs.

Before you begin


As Sametime Administrator, you can create a branding plug-in with a stbranding extension that takes an NLS-based class in Eclipse. This branding plug-in can exhibit a custom message in the user's Sametime instant messaging "add contact" screen or in the login screen. For example, when you are creating a message for the add contact dialog, if you connect a particular community to a public instant messaging network, you may want to tell the users which community to use to add a contact from that public network. This branding feature accepts text only. For information on creating plug-ins, or on using wizards to create plug-ins, see http://help.eclipse.org/help32/index.jsp. For the wizard, select Plug-in Development Environment > Tools > New Project Creation Wizards.

Note: Before you can build plug-ins, you must install:
v the Sametime software development kit
v Eclipse IDE (integrated development environment) version 3.2
v the JCL Desktop custom run time environment for Windows and Linux
v the Eclipse J9 JDT launching plug-in for Windows and Linux
v a standard Java Runtime Environment (1.4.2 or higher version)
v Windows XP, Linux, or Mac operating system supported by Sametime 7.5 or later

For comprehensive information on setting up the integrated development environment, and building and providing plug-ins to clients, see the IBM redbooks publications at http://www.redbooks.ibm.com/abstracts/sg247346.html.

About this task


The plug-in you create this way is pushed to the client just as Sametime updates are pushed. See the following examples for a template. This is a sample branding plugin:
<plugin>
   <extension
         id="com.ibm.collaboration.realtime.notes.branding"
         point="com.ibm.collaboration.realtime.ui.stbranding">
      <stbranding
            id="mypackage.messages"
            name="Custom Sametime Messages">
         <messages class="mypackage.Messages"/>
      </stbranding>
   </extension>
</plugin>

Below is a sample Messages.java (the package and class declaration match the class="mypackage.Messages" attribute of the plug-in extension above):

package mypackage;

import org.eclipse.osgi.util.NLS;

public class Messages extends NLS {
    // Base name of the resource bundle (messages.properties)
    private static final String BUNDLE_NAME = "messages"; //$NON-NLS-1$

    // Login dialog message
    public static String com_ibm_collaboration_realtime_login_strings_messages$enter_credentials_for;

    // Add Contacts dialog message for single community
    public static String com_ibm_collaboration_realtime_imhub_strings_messages$singleCommunityDefMsgArea;

    // Add Contacts dialog message for multiple communities
    public static String com_ibm_collaboration_realtime_imhub_strings_messages$multiCommunityDefMsgArea;

    static {
        // Fill the public String fields above from the resource bundle
        NLS.initializeMessages(BUNDLE_NAME, Messages.class);
    }
}

Below is a sample resource bundle, messages.properties (each key and its value are on one line):

com_ibm_collaboration_realtime_login_strings_messages$enter_credentials_for=Customize me: Please enter your username and password for the default Sametime community.
com_ibm_collaboration_realtime_imhub_strings_messages$singleCommunityDefMsgArea=Customize me: Add a new contact by entering a name below.
com_ibm_collaboration_realtime_imhub_strings_messages$multiCommunityDefMsgArea=Customize me: Add a new contact by selecting the community where the contact exists. Enter the user's name (or e-mail address if adding an external contact.)

What to do next
After you have created the plug-in by following these examples, provision the messages to the Sametime clients, and the customized messages will appear in login or "add contact" screens.

Managing client types and logins


The manner and order of client logins to Sametime can be managed by the Administrator. You may want to manage the way your users log in from various clients to keep instant messaging running properly for users. The topics in this section that deal with ordering clients in the login process are:
v The single login type
v Configuring the preferred login list on page 295
v Forcing users to connect to a home server on page 296
v Client cooperation with the proxy on page 296

The single login type


The single login type mode of Sametime means that only one login per user is allowed unless the user is logging in from a trusted IP address that is listed on your list of excluded (from single login) client types.

Before you begin


When the Sametime server is set to single login type, the user can log in only once. When a user tries to log in through a client, the server performs a check to determine if there are already any logins from that user, and, if so, to disconnect that user. This behavior applies only to those users who are logging in through clients that are not listed on the server's client exclusion list in the sametime.ini file.

To enable the single login function and to authorize the excluded client list, two new flags have been added to the sametime.ini file:
v VP_ONLY_SINGLE_LOGIN_ALLOWED=1 --> If this flag is set in the 'Config' section, the "single client login" mode is activated
v VPS_EXCLUDED_LOGIN_TYPES --> Comma-separated list of client types. These types will not be considered as "logins" when the server checks whether to accept or disconnect clients. You can modify the list of excluded clients.

For example, in the following configuration, the single client login mode is activated, but the logins originating from clients of type 0x1002 and 0x1304 do not qualify for disconnection; therefore, the server does not disconnect them, and when they are connecting, this action does not disconnect any other clients.

Client types:
v 1002 - C++ client
v 1003 - Java client
v 100A - ST Links
v 1100 - Notes Hannover Client
v 1304 - Unified instant messaging client

Configuring the preferred login list


A preferred login list, configurable by the Administrator, allows you to define the order used by applications to handle interactions from other clients.

Before you begin


If a user is already connected to Sametime through several different clients, and another user attempts to initiate an instant messaging session with the logged-in user, Sametime is uncertain as to which client should receive the instant messaging session. The default implementation on the Sametime server depends upon the hard-coded list of client types, each of which has a pre-defined weight. Login order for each user depends upon the login-type weight. The first login type, having minimal weight, is the one provided for the incoming IM session. This type may be inappropriate for the IM session.

Default order of login types on Sametime: 0x1304, 0x1100, 0x1003, 0x1002, 0x1000, 0x1001

For example, in the sametime.ini file, you might have this configuration:
[Config]
VPS_PREFERRED_LOGIN_TYPES=1002, 1304

A scenario might be: User A is logged in to Sametime with two clients: 1304 (Sametime client) and 1002, a C++ client. User B connects to User A, and begins a chat. According to the default list, the instant messaging client should display in the Sametime IM chat dialogue window, but, because of the order in the preferred login types list, the chat goes to the C++ client, instead.

List of Client Types:
v 1000 - C++ toolkit
v 1001 - Java toolkit
v 1002 - C++ client
v 1003 - Java client
v 100A - ST Links
v 1100 - Notes Hannover Client
v 1304 - UIM client

A new capability in Sametime allows you to change the order of the default login types. Refer to the VPS_PREFERRED_LOGIN_TYPES flag in the sametime.ini file to provide an additional list of login types. The login types from this list are superior to the default login types. This list of preferred login types should be comma-separated, and should contain the client types in hexadecimal format, but without the leading "0x".
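As an added example (not code from this guide or from Sametime), the following Python script models the settings described in "The single login type" and in this section: it reads VP_ONLY_SINGLE_LOGIN_ALLOWED, VPS_EXCLUDED_LOGIN_TYPES and VPS_PREFERRED_LOGIN_TYPES from a constructed sametime.ini fragment, predicts which of a user's sessions a new login disconnects, and picks the client that receives an incoming chat for the scenario above (a user logged in with types 1304 and 1002). It assumes that preferred types rank ahead of the whole default order and that excluded types are ignored on both sides of the single-login check; the function names are the example's own.

```python
"""Added example (not part of the Sametime guide): a model of the sametime.ini
login-type settings, so an administrator can predict the server's behaviour
before editing the file.

Assumptions: the INI text is constructed; the default order is the one the
guide lists; a preferred type outranks every default type; an excluded type
neither disconnects other sessions nor is disconnected by a new login."""

import configparser
from typing import Dict, List

# Default login-type order from the guide, smallest weight first.
DEFAULT_LOGIN_ORDER = [0x1304, 0x1100, 0x1003, 0x1002, 0x1000, 0x1001]

# Constructed sametime.ini fragment using the client types from the guide's examples.
SAMPLE_INI = """\
[Config]
VP_ONLY_SINGLE_LOGIN_ALLOWED=1
VPS_EXCLUDED_LOGIN_TYPES=1002, 1304
VPS_PREFERRED_LOGIN_TYPES=1002, 1304
"""


def parse_type_list(value: str) -> List[int]:
    """Parse a comma-separated list of client types written in hex without 0x."""
    types: List[int] = []
    for item in value.split(","):
        item = item.strip()
        if not item:
            continue
        if item.lower().startswith("0x"):
            raise ValueError(f"client type {item!r} must be written without the 0x prefix")
        types.append(int(item, 16))
    return types


def load_login_policy(ini_text: str) -> Dict[str, object]:
    """Read the three settings from [Config]; missing keys fall back to defaults."""
    cp = configparser.ConfigParser(interpolation=None)
    cp.optionxform = str  # keep the keys' case exactly as written in sametime.ini
    cp.read_string(ini_text)
    cfg = cp["Config"] if cp.has_section("Config") else {}
    return {
        "single_login": cfg.get("VP_ONLY_SINGLE_LOGIN_ALLOWED", "0").strip() == "1",
        "excluded": set(parse_type_list(cfg.get("VPS_EXCLUDED_LOGIN_TYPES", ""))),
        "preferred": parse_type_list(cfg.get("VPS_PREFERRED_LOGIN_TYPES", "")),
    }


def sessions_to_disconnect(policy: Dict[str, object], active_types: List[int],
                           new_type: int) -> List[int]:
    """Client types of the user's existing sessions that a new login of new_type
    makes the server drop. Excluded types are ignored on both sides."""
    if not policy["single_login"] or new_type in policy["excluded"]:
        return []
    return [t for t in active_types if t not in policy["excluded"]]


def login_order(policy: Dict[str, object]) -> List[int]:
    """Effective ranking: preferred types first (as written), then the default order."""
    order = list(policy["preferred"])
    order += [t for t in DEFAULT_LOGIN_ORDER if t not in order]
    return order


def chat_target(policy: Dict[str, object], active_types: List[int]) -> int:
    """Which of the user's logged-in clients receives an incoming chat."""
    rank = {t: i for i, t in enumerate(login_order(policy))}
    # Types not in any list sort after every known type.
    return min(active_types, key=lambda t: rank.get(t, len(rank)))


if __name__ == "__main__":
    policy = load_login_policy(SAMPLE_INI)
    # Guide scenario: logged in with 1304 and 1002; the preferred list sends the chat to 1002.
    print(hex(chat_target(policy, [0x1304, 0x1002])))
    # A new 1100 (Notes) login drops the 1003 session but leaves the excluded 1002 alone.
    print([hex(t) for t in sessions_to_disconnect(policy, [0x1002, 0x1003], 0x1100)])
```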

Related topics:

Forcing users to connect to a home server


When you are deploying security applications such as FaceTime, you want to ensure that your users connect to their home IBM Lotus Sametime Community servers or home clusters. Preventing users from connecting to remote servers is done by specifying trusted IP addresses and rejecting forwarded logins during the login process.

About this task


For users that must log in through FaceTime or similar proxies, the Lotus Sametime Community Server should allow them to connect through the home server only. The Lotus Sametime Community Mux Server should accept connections that come from FaceTime IP addresses only. You must dedicate a specific Mux to a specific server, and limit users to connecting to that Mux through FaceTime only.
1. Use a text editor to open the sametime.ini file located in the Lotus Sametime Community Server installation directory (for example, root/lotus/domino).
2. In the Connectivity section, add or create a comma-separated list of trusted IP addresses of proxies:
VPMX_TRUSTED_CLIENT_IPS=IPaddress1, IPaddress2
This setting controls which clients are allowed to connect by assigning a comma-separated list of IP addresses. An empty list of trusted addresses (default) means the feature is turned off, and that clients from all IP addresses can connect.
3. Create or edit the VP_REJECT_FORWARDED_LOGINS setting so that forwarded logins are rejected:
VP_REJECT_FORWARDED_LOGINS=1
When that setting is set to 1, users are forced to connect to their home servers. This is essential when users must connect through FaceTime.
4. Save the sametime.ini file.

Client cooperation with the proxy


Users can be forced to connect to a given multiplexer (MUX) through a proxy server or a list of proxy servers through a simple configuration in the sametime.ini file.

Before you begin


You can force users to log in to a Sametime multiplexer through a given proxy server by adding a configuration to the sametime.ini file.

About this task


To edit the sametime.ini for client login to a given MUX:
1. Open the sametime.ini file.
2. In the [Connectivity] section, add to the VPMX_TRUSTED_CLIENT_IPS a comma-separated list of trusted IP addresses of the proxy servers.

What to do next
An empty list (which is the default) means this feature is turned off, and clients from all IP addresses can connect.


Community Services server configuration settings


Community Services server community configuration settings support all online presence (or awareness), instant messaging, and chat features and activities available with Sametime. Presence, instant messaging, location awareness and chat features exist in the Sametime Connect client and the Sametime Meeting Room client Participant List. Developers can also use the Sametime toolkits to implement presence and chat features in custom applications.

The Community Services server configuration settings control the interaction of the Community Services with a Domino or LDAP directory and the maximum number of Community Services users allowed on the server. The Community Services server configuration settings also enable the administrator to control whether the Java or Windows version of Sametime Connect is available to end users. The Java version of Sametime Connect is called "Sametime Connect for browsers" in the end user interface while the Windows version is called "Sametime Connect for the desktop." The administrator also controls whether the automatic login feature of Sametime Connect for browsers is available to end users.

Note: You can also create a cluster of community servers to support failover and load balancing for the Community Services or to enable the IBM Lotus Sametime Gateway functionality to support instant messaging between two different SIP-enabled communities. For more information, see Creating Sametime server clusters or the freestanding IBM Lotus Sametime Gateway guide that ships with Sametime.

Note: You can access the Community Services server configuration settings from the Sametime Administration Tool by selecting Configuration - Community Services.

The three types of Community Services server configuration settings are:

General settings
The General settings allow the administrator to:

- Control the number of entries on each page in the dialog boxes that show names in the directory.
- Control how often to poll for new names added to the Sametime server community directory.
- Control how often to poll for new servers added to the Sametime server community.
- Control the maximum number of user and server connections to the server community.
- Allow users to authenticate using either LTPA or Sametime Tokens.

Server community connectivity settings


For information about the ports used by the Community Services and the available connectivity options, see Community Services Network settings.

Chapter 20. Configuring the Community Services

297

Server community clusters


You can create a cluster of community servers to support failover and load balancing for a large community of Community Services users. For more information on creating a cluster of community servers, see Overview of Community Services clustering.

Number of entries on each page in dialog boxes that show names in the directory
About this task
The "Number of entries on each page in dialog boxes that show names in the directory" setting controls the number of user and group names that display when a user browses the Domino Directory on the Sametime server.

Note: If you have configured the Sametime server to connect to an LDAP server, see Setting up an LDAP directory for information about using directory search features with an LDAP directory.

An end user can browse the names and groups listed in the Domino Directory on the Sametime server (or Domino Directories available through Directory Assistance) when performing the following operations:

- Adding users or groups to the contact list (or presence list) in the Sametime Connect client
- Adding users or groups to a privacy list (or Who Can See If I Am Online list) in the Sametime Connect client
- Restricting meeting attendance when creating a meeting in the Sametime Meeting Center

When an end user browses the names and groups in the directory, the directory entries (names and groups) are listed on "pages" in a dialog box. This setting controls the number of entries that appear on each of these pages. The end user can select entries from these pages when adding users to the contact list, a privacy list, or a meeting attendance Restrictions list.

The default is 100 entries per page, the minimum is five entries, and the maximum is 1440 entries. It is best to use a setting between 100 and 200 entries. Higher settings cause more data to be transmitted on the network when a user browses the Domino Directory.

To change the number of directory entries that appear on each page in the end-user dialog boxes:

1. From the Sametime server home page, click the "Administer the Server" link to open the Sametime Administration Tool.
2. Choose Configuration.
3. Choose Community Services.
4. In the "Number of entries on each page in dialog boxes that show names in the directory" field, enter the number of entries that you want to appear on each page.
5. Click the Update button and restart the server for the change to take effect.


How often to poll for new names added to the Sametime Community directory
About this task
The Sametime Community Services maintains a cache that contains information about the users and groups in the community. The user information that is stored in this cache is gathered from the Domino or LDAP directory. This cache must be updated (or refreshed) periodically to ensure that users who have recently been added to a directory can be displayed in the presence lists of all Sametime clients.

The "How often to poll for new names added to the Sametime Community directory" setting controls how frequently the cache of user names maintained by Community Services is updated with new information from the Domino or LDAP directory. The update occurs only if changes are made to the directory during the update interval. The default setting is 60 minutes, the minimum setting is 5 minutes, and the maximum setting is 1440 minutes.

Note: Low settings result in frequent updates from the directory and can adversely affect the performance of the server. Lower settings also cause more data to be transmitted on the network.

To change how frequently the Domino or LDAP directory is polled for new user names (and how often the cache is updated):

1. From the Sametime server home page, click the "Administer the Server" link to open the Sametime Administration Tool.
2. Choose Configuration.
3. Choose Community Services.
4. In the "How often to poll for new names added to the Sametime Community directory" field, specify a new number to control the time interval (in minutes) in which polling (and updates, if necessary) will occur.
5. Click the Update button and restart the server for the change to take effect.


How often to poll for new servers added to the Sametime Community
About this task
If you have installed more than one Sametime server, the Community Services on each Sametime server must maintain a list of all other Sametime servers in the Sametime community. Community Services uses this list to ensure that users who have different home Sametime servers or different home clusters can see each other in presence lists and communicate through instant messaging and chat.

Note: For more information on multiple Sametime server environments, see Advantages of using multiple Sametime servers. For more information about Community Services clusters, see Overview of Community Services clustering.

Before installing a Domino server, you must register it by creating a Server document for it in the Domino Directory. Each Server document includes an "Is this a Sametime server?" field that identifies the server as a Sametime server.

Community Services uses these fields to build a list of Sametime servers in the domain (or community). The Sametime Administration Tool includes a setting that allows the administrator to control the time interval in which the Community Server receives an updated list of all Sametime servers from the Domino Directory. The default setting is 60 minutes, the minimum setting is five minutes, and the maximum setting is 1440 minutes.

To change how frequently the Domino Directory is polled to detect a new Sametime server:

1. From the Sametime server home page, click the "Administer the Server" link to open the Sametime Administration Tool.
2. Choose Configuration.
3. Choose Community Services.
4. In the "How often to poll for new servers added to the Sametime Community" field, specify the time interval in minutes in which polling (and updates, if necessary) will occur.
5. Click the Update button and restart the server for the change to take effect.


Maximum user and server connections to the Community server


About this task
The administrator can specify the maximum number of connections allowed to Community Services. The connections include both Sametime client connections and Sametime server-to-server connections. A client connection (or Community Services login) occurs when a user starts the Sametime Connect client or joins a meeting with the Sametime Meeting Room client.

The limit is 20,000 connections. Generally, a server that meets the minimum system requirements can support 8,000 TCP/IP connections. To support more than 8,000 connections, use servers with higher processing capacity: at least 512 MB of RAM, a 10 Mbps or 100 Mbps network adapter, and dual processors.

Note: You can deploy a Community Services multiplexer on a separate machine from the Sametime server. In this scenario, you cannot use the "Maximum user and server connections to the Community server" field in the Sametime Administration Tool to specify the maximum number of connections to the Community Services. When a Community Services multiplexer is deployed on a different machine than the Sametime server, you must use the VPMX_CAPACITY= setting in the Sametime.ini file on the multiplexer machine to specify the maximum number of connections. For more information, see Deploying a Community Services multiplexer on a separate machine.

Server-to-server connections occur when the administrator has installed multiple Sametime servers and different home Sametime servers are specified for users. When users have different home Sametime servers, two users can be connected to Community Services on two different Sametime servers. A server-to-server connection must be established to enable these users to see each other in presence lists and chat with each other.


To change the maximum user and server connections to the Community Services:

1. From the Sametime server home page, click the "Administer the Server" link to open the Sametime Administration Tool.
2. Choose Configuration.
3. Choose Community Services.
4. In the "Maximum user and server connections to the Community server" field, specify the maximum number of connections allowed to the Community Server.
5. Click the Update button and restart the server for the change to take effect.


Allow users to authenticate using either LTPA or Sametime Tokens (stauths.nsf and stautht.nsf)
About this task
When the "Allow users to authenticate using either LTPA or Sametime Tokens" option is selected in the Configuration - Community Services settings of the Sametime Administration Tool, the Sametime server accepts authentication tokens generated both by the Domino Single Sign-On (SSO) feature (LTPA tokens) and by the Secrets and Tokens databases (stauths.nsf and stautht.nsf) on the Sametime server. This option is selected by default.

When the option is not selected, the Sametime server accepts only authentication tokens generated by the Domino SSO feature (LTPA tokens).

The option must be selected when you require basic password authentication to the Sametime Meeting Center and the Sametime 8.0 server functions in a single Sametime community together with Sametime 2.0 or 2.5 servers. It can be disabled when you require basic password authentication to the Sametime Meeting Center and all Sametime servers in your environment are Sametime 3.0 or later.

Note: By default, anonymous access is allowed to the Sametime Meeting Center and authentication by token is not enforced on the Sametime server.

Note: If the Sametime client sends a lightweight third-party authentication (LTPA) token with the organization parameter set to "null", the user fails to log in to the server. The token must instead carry the organization name defined in the ST_ORG_NAME setting of the Notes.ini file, which should match the organization name defined in the Web Single Sign-On (SSO) document. After you add the organization name to the SSO document, add the line ST_ORG_NAME=<name of organization of Web site that appears in Web SSO document> to Notes.ini, and restart the server, the user can enter a user ID and password to log in.


Allow or disallow virus scanning


About this task
Sametime allows the administrator to allow or disallow virus scanning of files that are transferred by users in instant messaging. To configure virus checking of files, follow these steps:

1. Log in to Sametime as Administrator.
2. Click Administer the server.
3. Click Configuration - Community Services.
4. Under Server features, at the sub-topic "Virus scan files before transferring," select the radio button next to one of:
   - Always (strict mode)
   - When available (relax mode)
   - Never (off mode)

Results
In strict mode (Always), if scanning cannot be done, the file is not transferred. A virus scanning dll must be installed on the Sametime server; if no dll is available in this mode, the File Transfer Server Application (FTSA) fails to start.

In relax mode (When available), the virus scanning dll is used if it is installed. If scanning reveals a virus, the file is not sent. If the dll is not available, the file is transferred without scanning, accompanied by a message that the file was not scanned, so that the recipient can decide how to handle it.

In off mode (Never), files are not scanned. The FTSA does not use the virus scanning dll, and files are transferred without scanning.

Enforcing strict mode: To completely disable the File Transfer option when virus scanning is not available, take the following steps:

1. Log in to Sametime as Administrator.
2. Click Administer the server.
3. Click Configuration - Community Services.
4. Under Server features, at the sub-topic "Virus scan files before transferring," select Always.
5. In stconfig.nsf, under Configure - CommunityServices - Capture Service Type, set the value to 0x00000038.

The change to stconfig.nsf ensures that the end user cannot transfer a file if the File Transfer Server Application fails.

Client side (end user)


On the client side, file transfer functionality is disabled when the mode is Always and the virus scanning dll is not available. When the mode is When available and the dll is available, the client displays an indication that the file is scanned for viruses. In the other cases (Never, or When available without the dll), the client displays an indication that the file is NOT scanned for viruses.

Note: In Sametime 7.5.x, there is no valid virus scan dll. The default and suggested value for this mode is "When available", which maintains policy enforcement, statistics gathering, and event logging. If strict mode is set, file transfer does not run. If off mode is set, policy is still enforced, but no statistics or log events are collected.
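The three scan modes above come down to a fail-closed versus fail-open choice. The following Python model is added here as an illustration and is not the code of Sametime's File Transfer Server Application: it makes the decision table explicit, both whether the service starts at all and what happens to a clean and to an infected file under each mode with and without a scanner dll. The scanner interface, the Decision labels and the sample payloads (the EICAR test string standing in for an infected file) are constructed assumptions.

```python
"""Fail-closed versus fail-open file-transfer gating.

Added illustration of the three "Virus scan files before transferring" modes
described above; it models the documented behaviour and is not the code of
Sametime's File Transfer Server Application (FTSA). The scanner interface,
the Decision labels and the sample payloads are constructed assumptions.
"""
from enum import Enum
from typing import Callable, Optional


class ScanMode(Enum):
    ALWAYS = "Always (strict)"
    WHEN_AVAILABLE = "When available (relax)"
    NEVER = "Never (off)"


class Decision(Enum):
    TRANSFER_SCANNED = "transferred, scanned clean"
    TRANSFER_UNSCANNED = "transferred, NOT scanned (client shows a warning)"
    BLOCKED_VIRUS = "blocked, scan reported a virus"
    BLOCKED_NO_SCANNER = "blocked, scanner unavailable in strict mode"


# A scanner dll stands in as a callable returning True when the payload is infected.
Scanner = Optional[Callable[[bytes], bool]]


def ftsa_can_start(mode: ScanMode, scanner: Scanner) -> bool:
    """Strict mode refuses to start the transfer service without a scanner."""
    return not (mode is ScanMode.ALWAYS and scanner is None)


def gate_transfer(mode: ScanMode, scanner: Scanner, payload: bytes) -> Decision:
    """Decide what happens to one file under the configured mode."""
    if mode is ScanMode.NEVER:
        return Decision.TRANSFER_UNSCANNED
    if scanner is None:
        # The only difference between strict and relax mode: with no scanner,
        # strict fails closed, relax fails open and warns the recipient.
        if mode is ScanMode.ALWAYS:
            return Decision.BLOCKED_NO_SCANNER
        return Decision.TRANSFER_UNSCANNED
    if scanner(payload):
        return Decision.BLOCKED_VIRUS
    return Decision.TRANSFER_SCANNED


# Constructed stand-in for a scanner dll: it flags only the EICAR test string.
EICAR = b"X5O!P%@AP[4\\PZX54(P^)7CC)7}$EICAR-STANDARD-ANTIVIRUS-TEST-FILE!$H+H*"


def demo_scanner(payload: bytes) -> bool:
    return EICAR in payload


if __name__ == "__main__":
    samples = {"clean": b"quarterly-report.docx bytes", "infected": b"header" + EICAR}
    for mode in ScanMode:
        for scanner in (demo_scanner, None):
            dll = "dll present" if scanner else "no dll     "
            if not ftsa_can_start(mode, scanner):
                print(f"{mode.value:24} {dll}  FTSA does not start")
                continue
            for label, data in samples.items():
                print(f"{mode.value:24} {dll}  {label:8} -> {gate_transfer(mode, scanner, data).value}")
```

Running the block prints one line per combination; the row to notice is strict mode with no dll, where the service never starts, against relax mode with no dll, where every file goes through unscanned with only a client-side warning.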

Anonymous Access Settings for Community Services


Anonymous access is allowed to the Sametime Meeting Center database (stconf.nsf) on the Sametime server by the default Access Control List (ACL) settings of the database. When the ACL settings of a database allow anonymous access, a user is not authenticated and is not required to enter a user name and Internet password when accessing the database.

Note: The "Anonymous users can participate in meetings or enter virtual places" setting in the Configuration - Community Services - Anonymous Access settings of the Sametime Administration Tool must also be selected to allow an anonymous user to enter the Sametime Meeting Center. This setting is selected by default.

The Community Services Anonymous Access settings in the Sametime Administration Tool allow the administrator to force a name entry dialog box to appear when anonymous access is allowed by the ACL settings of the Sametime Meeting Center (or any other database that includes Sametime technology). The name entry dialog box accepts any name the user provides and has no security function. The name entered by the user is for presence list display purposes only; it serves to uniquely identify the user in any presence list in the Sametime Meeting Center or other database enabled with Sametime technology. If you allow anonymous access to the Sametime Meeting Center (or other Sametime database that includes a presence list) and you do not force this name entry dialog box to appear, every user present in the meeting or database is listed as "Anonymous" in the presence list.

Note: To force users to authenticate (enter a user name and password that is verified against entries in a directory) when accessing a database, change the database ACL settings. For more information, see Using database ACLs for identification and authentication and Basic password authentication and database ACLs.

The administrator can also specify the level of access that anonymous users have to the directory. These administrative settings control an anonymous user's ability to search for entries in a directory or browse a list of all entries in the directory. The Anonymous Access settings include:

- Anonymous users can participate in meetings or enter virtual places.
- Users of Sametime applications (databases such as stconf.nsf or Web sites) can specify a display name so that they do not appear online as "Anonymous."
  - Default domain for anonymous users
  - Default name
- Directory Searching and Browsing options:
  - Users cannot search or browse the Directory
  - Users can type names (resolve users and groups) to add them to an awareness list.
  - Users can browse the directory (see a list of names) or type names (resolve users and groups).
  - Users can browse the directory to see group content and names, or type names (resolve users and groups).

Anonymous users can participate in meetings or enter virtual places


The "Anonymous users can participate in meetings or enter virtual places" setting must be selected to enable an anonymous user to attend a meeting in the Sametime Meeting Center (stconf.nsf) or access any other database that includes Sametime functionality (such as a presence list).

Note: The ACL settings of the Sametime Meeting Center (stconf.nsf) must also allow anonymous access to enable anonymous users to attend meetings in the Sametime Meeting Center.

When the "Anonymous users can participate in meetings or enter virtual places" setting is selected, the administrator can use the following settings in the Configuration - Community Services - Anonymous Access tab of the Sametime Administration Tool to control how anonymous users enter display names when accessing the Sametime Meeting Center:

- Users of Sametime applications (databases such as stconf.nsf or Web sites) can specify a display name so that they do not appear online as anonymous.
- Default domain name for anonymous users.
- Default name.

Note: The settings listed above do not take effect unless the "Anonymous users can participate in meetings or enter virtual places" setting is selected.

About "virtual places"


A "virtual place" is a programming concept. An example of a virtual place is an online meeting. Users can enter a virtual place and have awareness of other users in the same virtual place. For example, a user can enter a Sametime meeting and use the Participant List of the Meeting Room client to have awareness of other users who are attending the same meeting (or who are in the same "virtual place"). This capability is sometimes called "place-based awareness."

Place-based awareness differs from "community-wide awareness." In the example above, the Participant List in the Sametime Meeting Room client displays the names of users who are attending the meeting, but does not display members of the Sametime community who are online but not attending the meeting. With community-wide awareness, users can have awareness of any user in the community (any user entered in the directory) who is online. Sametime Connect provides users with community-wide awareness functionality. Anonymous users are not allowed to have community-wide awareness in any Sametime client.

The Sametime Software Development Kit provides developers with the capability to build programs that create virtual places. The "Anonymous users can participate in meetings or enter virtual places" setting also controls the ability of anonymous users to enter virtual places created by custom applications built with the Sametime Software Development Kit. For more information on virtual places, see the IMWC Directory and Database Access Toolkit documentation available from IBM developerWorks (http://www.ibm.com/developerworks/lotus/downloads/toolkits.html).

Users of Sametime applications can specify a display name so that they do not appear online as "anonymous."
The "Users of Sametime applications can specify a display name so that they do not appear online as anonymous" setting enables an anonymous user to enter a unique display name when accessing a database or application (such as the Sametime Meeting Center) that includes a Sametime presence list. This display name allows the anonymous user to be individually identified in any presence list in the Sametime application.

The following conditions are required to allow anonymous users to access a Sametime application or database. Both of these conditions exist by default following a Sametime server installation:

- The ACL settings of the database (for example, the Sametime Meeting Center) must allow anonymous access.
- The "Anonymous users can participate in meetings or enter virtual places" setting in the Configuration - Community Services - Anonymous Access settings of the Sametime Administration Tool must be selected.

When both of the above conditions are true, you can select the "Users of Sametime applications can specify a display name so that they do not appear online as anonymous" setting to force a name entry dialog box to appear when an anonymous user enters the Sametime Meeting Center (or other Sametime database that includes a presence list). The dialog box enables a user to enter a name so that the user can be individually displayed in the Sametime Meeting Room Participant List (or any other presence list in a Sametime database). The name entry dialog box accepts any name that the user enters; the name is for display purposes only in the presence list. The user is not authenticated, so the display name is not evidence of identity.

If the ACL settings of a Sametime database allow anonymous access and this setting is not selected, users are not required to enter a name when attending a meeting. Every meeting participant is displayed as "Anonymous" in the Sametime Meeting Room Participant List (or other presence list), and participants cannot distinguish one from another in the presence list.

If the "Users of Sametime applications can specify a display name" setting is selected, you can also edit the "Default domain for anonymous users" and "Default name" settings described below.

Default domain for anonymous users


If the "Users of Sametime applications can specify a display name so that they do not appear online as anonymous" setting is selected, you are forcing a name entry dialog box to appear when a user accesses a Sametime database (such as stconf.nsf) that has ACL settings that allow anonymous access. The "Default domain for anonymous users" setting enables a domain name to be automatically appended to the name entered by the user at the name entry dialog box. For example, if the "Default domain for anonymous users" setting contains the entry "/Guest," and a user enters "John Smith" at the name entry dialog box, the user's name appears as "John Smith/Guest" in the Meeting Room Participant List.

Default name
If the "Users of Sametime applications can specify a display name so that they do not appear online as anonymous" setting is selected, you are forcing a name entry dialog box to appear when a user accesses a Sametime database (such as stconf.nsf) that has ACL settings that allow anonymous access. The "Default name" setting enables you to specify a name to appear by default in the name entry dialog box. For example, if the "Default name" setting contains the entry "User," the first person entering a meeting sees "User" displayed by default in the user name field of the name entry dialog box. If the person accepts the default and enters the meeting, the person is identified as "User 1" in any Participant List or presence list in the database. For each person who accepts the default name, the number that follows the default name is incremented by one. For example, the next two users who accept the default name setting in the name entry dialog box are identified as "User 2" and "User 3" in any Participant List or presence list in the database.

Directory Searching and Browsing options


In some cases, the administrator might need to specify the level of access that an anonymous user of a database enabled with Sametime technology has to the directory. For security purposes, the administrator can limit an anonymous user's ability to view names in the directory. The "Directory Searching and Browsing" options might be used to prevent anonymous users from browsing all names in a directory or searching for names in the directory. Also, applications that are custom-built by Sametime developers using the Sametime Software Development Kit might require specific Community Services "Directory Searching and Browsing" settings configurations to enable the custom applications to function properly. Note: The term "anonymous user" refers to a user who is not authenticated when accessing a database enabled with Sametime technology. The ACL settings of the database determine whether a user is authenticated or allowed to access the database anonymously. The four "Directory Searching and Browsing" options are described below.


Users cannot search or browse the directory


If this option is selected, anonymous users cannot search or browse the directory.

Users can type names (resolve users and groups) to add them to an awareness list
If this option is selected, anonymous users can type text in an end-user search interface to search for person or group entries in the directory. However, users cannot view (or browse) a list containing all entries in the directory. Users might perform such searches to add users to a presence list. Users can still browse the directory when scheduling meetings in the Sametime Meeting Center. This setting does not affect a user's ability to browse the directory when creating a meeting in the Sametime Meeting Center.

Users can browse the directory (see a list of names) or type names (resolve users and groups)
If this option is selected, anonymous users can type text in an end-user search interface and search for group or person entries in the directory. Anonymous users can also browse lists that contain all entries in the directory. When this option is selected, anonymous users can see all group and name entries in the directory, but cannot see the content of a group entry (the list of names within a group entry). Note: If Sametime is configured to connect to an LDAP server, users cannot browse the LDAP directory on the LDAP server. Users can browse the directory when scheduling meetings in the Sametime Meeting Center. This setting does not affect a user's ability to browse the directory when creating a meeting in the Sametime Meeting Center.

Users can browse the directory to see group content and names, or type names (resolve users and groups)
If this option is selected, anonymous users have all searching and browsing privileges described for the "Users can browse the directory (see a list of names) or type names (resolve users and groups)" setting above. In addition, users can search and browse within group entries in the directory and access the user and group names that are specified within group entries in the directory. Users can browse the directory and examine the contents of groups in the directory when scheduling meetings in the Sametime Meeting Center. This setting does not affect a user's ability to browse the contents of groups when creating a meeting in the Sametime Meeting Center.
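The display-name rules (the two admission conditions, the name entry dialog box, the default domain and the incrementing default name) and the four Directory Searching and Browsing levels above fit in one small policy model. The following Python is added here as an illustration and is not Sametime's own code; the class and method names are assumptions, and treating an empty dialog entry like accepting the default name is an assumption too.

```python
"""Anonymous-access policy for a Sametime-enabled database.

Added illustration of the Anonymous Access settings described above: the two
conditions for admitting an anonymous user, the display-name prompt with its
default domain and default name, and the four Directory Searching and
Browsing levels. It models the documented behaviour and is not Sametime's own
code; the class and method names are assumptions.
"""
from dataclasses import dataclass
from enum import IntEnum
from typing import Optional


class DirAccess(IntEnum):
    NONE = 0            # cannot search or browse the directory
    RESOLVE = 1         # may type names to resolve users and groups
    BROWSE = 2          # may also list all names, but not group contents
    BROWSE_GROUPS = 3   # may also see the members of groups


@dataclass
class AnonymousSettings:
    acl_allows_anonymous: bool = True       # database ACL, e.g. stconf.nsf
    anonymous_can_enter: bool = True        # "Anonymous users can participate ..."
    prompt_for_display_name: bool = True    # "... can specify a display name ..."
    default_domain: str = "/Guest"
    default_name: str = "User"
    dir_access: DirAccess = DirAccess.RESOLVE
    directory_is_ldap: bool = False


@dataclass
class PlaceState:
    """One database (virtual place) and the counter behind 'User 1', 'User 2', ..."""
    settings: AnonymousSettings
    accepted_defaults: int = 0

    def admit(self, typed_name: Optional[str]) -> Optional[str]:
        """Return the presence-list display name, or None if entry is refused."""
        s = self.settings
        # Both the ACL and the Community Services setting must allow anonymous entry.
        if not (s.acl_allows_anonymous and s.anonymous_can_enter):
            return None
        if not s.prompt_for_display_name:
            return "Anonymous"               # every participant looks the same
        # Assumption: an empty entry is treated like accepting the default.
        if not typed_name or typed_name.strip() == s.default_name:
            self.accepted_defaults += 1
            typed_name = f"{s.default_name} {self.accepted_defaults}"
        # Display only: nothing is verified, any string is accepted as-is.
        return typed_name + s.default_domain

    def may(self, action: str) -> bool:
        """Is a directory operation ('resolve', 'browse', 'browse_groups')
        permitted to an anonymous user under the configured level?"""
        needed = {"resolve": DirAccess.RESOLVE,
                  "browse": DirAccess.BROWSE,
                  "browse_groups": DirAccess.BROWSE_GROUPS}[action]
        if action != "resolve" and self.settings.directory_is_ldap:
            return False                      # LDAP directories cannot be browsed
        return self.settings.dir_access >= needed


if __name__ == "__main__":
    place = PlaceState(AnonymousSettings())
    for entered in ("John Smith", "User", "User", ""):
        print(repr(entered), "->", place.admit(entered))
    for level in DirAccess:
        p = PlaceState(AnonymousSettings(dir_access=level))
        print(level.name, [a for a in ("resolve", "browse", "browse_groups") if p.may(a)])
```

The point the model makes visible is that the display name is purely cosmetic: admit() never consults a directory, so two anonymous users can present the same name, and only the ACL change described above turns the name into an authenticated identity.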

Prohibiting logins from non-secure clients to the server


Earlier versions of the Sametime client contain security vulnerabilities which could result in exposure of user credentials or message data. To ensure that information exchanged between Sametime clients and the server remains confidential, the server requires connecting clients to be at or above a minimum client version; this minimum defines the security level of the server. The server prevents logins from clients running Sametime versions earlier than the minimum version. By default, the minimum client version is Sametime 2.5. You can retain this default, or change the security level to match a different client version.

In most cases it is best to prohibit earlier client versions from logging in to the server. If all clients connecting to the server are running Sametime 6.5.1 or higher, raising the default security level to 6510 ensures that all information exchanged between client and server after the handshake is encrypted. By prohibiting logins from earlier versions of the Sametime client you ensure that all connections are encrypted. However, if you must support older versions of the client, decrease the security level to enable logins from these earlier client versions. Setting a security level lower than 6510 allows the server to accept non-encrypted connections.

Note that for Sametime 3.0 and later clients the version is taken from what the client itself sends during the handshake, so the security level is a policy control on declared client versions rather than proof of which client software is connecting.

To control how servers respond to login requests from different client versions, the sametime.ini and STsecurity.ini files provide settings that enable you to perform the following tasks:

- Specify the security level (minimum client version) for the server
- Enable or disable logins from clients running versions that do not conform to the security level
- Configure the server to generate instant messages automatically in response to login requests from clients that do not conform to the security level
- Specify the text of the message that the server sends in response to login requests from clients that do not conform to the security level
- Specify the sender's name to display on the title bar of instant messages sent by the server

Specifying the security level (minimum allowed client version)


Each server is configured to allow logins from a minimum client version, which defines the security level of the server. By default, the server allows logins from Sametime 2.5 and later clients. To specify a different security level, you must change the value of the VP_SECURITY_LEVEL setting in the sametime.ini file. You can specify a minimum client version of 3.1 or later, 3.0 or later, 2.5 or later, and so forth. After you specify a minimum version, you can then specify other settings to control how the server responds to login requests from client versions earlier than the specified minimum version.

To specify the security level for the server


About this task
1. Open the sametime.ini file in a text editor. By default the file is located in the Sametime installation folder, for example, C:\Lotus\Domino\Sametime.ini.
2. In the [Config] section of the sametime.ini file, specify the minimum Sametime client version that can log in to the server by giving the VP_SECURITY_LEVEL setting one of the following values:

   Value   Description
   0       Disables security filtering and allows logins from all clients regardless of version level.
   20      Sets the minimum client level to Sametime 2.0. To determine the client level, the server detects whether the client uses the Diffie-Hellman public key agreement protocol to encrypt the user's password. Any client that does not authenticate using the Diffie-Hellman method is determined to be a 1.5 client.
   25      (Default) Sets the minimum client level to Sametime 2.5. To determine the client level, after the client logs in using the Diffie-Hellman method, the server attempts to create a chat channel to the client. If the server successfully creates the chat channel, the client version is determined to be 2.5 or later.
   30      Sets the minimum client level to Sametime 3.0. The server determines the client version from information that the client sends during the handshake.
   31      Sets the minimum client level to Sametime 3.1. The server determines the client version from information that the client sends during the handshake.
   6510    Sets the minimum client level to Sametime 6.5.1. The server determines the client version from information that the client sends during the handshake.
   75      Sets the minimum client level to Sametime 7.5. The server determines the client version from information that the client sends during the handshake.
   7510    Sets the minimum client level to Sametime 7.5.1. The server determines the client version from information that the client sends during the handshake.
   80      Sets the minimum client level to Sametime 8.0. The server determines the client version from information that the client sends during the handshake.

   The values are version labels, not a numeric scale: 6510 (6.5.1) is a lower level than 75 (7.5) and 80 (8.0).

3. Save and close the file.

Chapter 20. Configuring the Community Services


Effect of security level settings on server connections


The security level that you set on the server also determines the server versions from which the server accepts connections. When a Sametime server receives a connection request from another server, it uses information sent as part of the server handshake to determine the security level of the requesting server. To prevent older clients from logging in to a Sametime server by way of less secure servers running earlier versions of Sametime, the server blocks incoming connections from Sametime servers running versions earlier than the defined security level, and from Sametime servers that do not have a defined security level.

By default, there is no security level defined for Sametime servers earlier than version 3.1. To ensure interconnectivity with Sametime 3.0 and earlier servers, install the Sametime CF1 patch on these servers and configure the security level on all servers to a value consistent with the earliest version server in the community. For example, if the environment includes Sametime 2.0 servers, after you apply the CF1 patch on all version 3.0 and earlier servers, set the value of the VP_SECURITY_LEVEL setting on all servers to 20. Later, if you upgrade the 2.0 servers to a later version, increase the value of the setting to match the version of the upgraded servers.

If you choose not to apply the CF1 patch on Sametime 3.0 and earlier servers and want to allow earlier versions of the Sametime server to connect to a Sametime 7.5 server, disable security level checking on the 7.5 server by setting the value of VP_SECURITY_LEVEL to 0.


Allowing logins from clients that do not conform to the security level
By default, the server automatically logs out users who attempt to connect from clients of versions earlier than the specified minimum. To allow users with earlier clients to continue to access the server during the transition to the new server version, you can configure the server to allow logins from client versions earlier than the specified minimum. Maintaining a flexible login policy is especially important in environments that include a large number of older Sametime clients. In such an environment, immediately enforcing a minimum client version can result in a high volume of help desk calls. To avoid locking users out of Sametime, give users several weeks to upgrade and use the VP_SECURITY_ALLOW_USER setting to enable servers to continue to accept logins from earlier client versions. After the deadline for upgrading passes, change the value of the setting to block logins from clients that do not meet the minimum security level.


To specify whether the server allows logins from clients that do not conform to the security level

1. Open the sametime.ini file in a text editor. By default the file is located in the Sametime installation folder, for example, C:\Lotus\Domino\Sametime.ini.
2. In the [Config] section of the sametime.ini file, specify whether to allow logins from clients earlier than the minimum allowed version by providing one of the following values for the VP_SECURITY_ALLOW_USER setting:
Value  Description
0      (Default) Reject login attempts from clients of versions earlier than allowed by the VP_SECURITY_LEVEL setting.
1      Allow logins from all clients, regardless of version.

3. Save and close the file.


Configuring the server to send instant messages to clients that do not conform to the security level
You can use the VP_SECURITY_MESSAGE setting in the STSecurity.ini file to provide additional information to users who attempt to log in to the server from Sametime clients running versions earlier than what is allowed by the specified security level. This setting configures the server to automatically respond to login requests from clients that do not conform to the server's security level by sending an instant message containing specified text. The message you specify functions as either a warning message or a disconnection notification, depending on whether the value of the VP_SECURITY_LEVEL setting allows logins from earlier clients. If the VP_SECURITY_LEVEL setting allows logins, use the text of the message to warn users that they need to upgrade and to explain how to obtain and install the client upgrade. If the VP_SECURITY_LEVEL setting does not allow logins, use the text of the message to explain why login was denied.

Note the following before you configure the settings in the STSecurity.ini file:
- All platforms - Double-byte characters are not allowed in the message text or sender name.
- All platforms - If you want to use accented characters in the message text or sender name, use Notepad on a Windows client or server to edit the file. When you finish making your changes with Notepad, save the STSecurity.ini file as a UTF-8 file (select File - Save As, specify UTF-8 as the Encoding option, and then save the file).
- IBM i5/OS platform only - It is recommended that you map a network drive to make the STSecurity.ini file on the server accessible from your workstation. Then you can run Notepad from your workstation and update the file directly on your IBM i5/OS server. (By default, the file is located in the Sametime installation folder, for example, C:\Lotus\Domino\STSecurity.ini.) Alternatively, you can copy the file from the IBM i5/OS server to your client workstation using any convenient means (for example, dragging and dropping from IBM i5/OS Navigator, or FTP), edit the file on your workstation using Notepad, and then copy the updated file back to the server.
- IBM i5/OS platform only - When you have updated the file on your IBM i5/OS server, ensure that the file is owned by QNOTES. To update the file ownership, run the following command:
CHGOWN OBJ('server_data_directory/stsecurity.ini') NEWOWN(QNOTES)

Use the following procedure to configure the server to send an instant message to users who attempt to log in from client versions earlier than the specified minimum.

To configure the server to send messages to clients that do not conform to the security level

1. Use a text editor to open the STSecurity.ini file. By default the file is located in the Sametime installation folder, for example, C:\Lotus\Domino\STSecurity.ini.

Values for the VP_SECURITY_MESSAGE setting:

Value  Description
null   (Default) Do not send an instant message.
text   Specifies the text of the instant message that is sent in response to login requests from clients that do not conform to the server's security level. If the VP_SECURITY_ALLOW_USER setting is set to 0 (reject logins from client versions earlier than the specified minimum), the text you provide serves as a disconnection notification. The server sends the specified text to the client as an instant message and then disconnects the client. If the VP_SECURITY_ALLOW_USER setting is set to 1 (allow logins from client versions earlier than the specified minimum), and you provide a value for VP_SECURITY_MESSAGE, the text you provide serves as a warning message. The server allows the login and then sends the specified text. You can use the message to provide users with information on upgrading. For example, you can include an address that specifies the location of a download site. After receiving the instant message with the address link, users can click the address link to open the link location. To include non-ASCII characters in the message text, save the STSecurity.ini file in UTF-8 format.

2. Save and close the file.
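The two procedures above (VP_SECURITY_ALLOW_USER in sametime.ini and VP_SECURITY_MESSAGE in STSecurity.ini) can be audited together from the files themselves. The following Python script is an added example, not part of the Sametime product; it uses a minimal INI reader defined here and the constructed sample file contents it embeds. Because the guide does not state which section of STSecurity.ini holds VP_SECURITY_MESSAGE, the script looks for the key in every section.

```python
"""Audit the VP_SECURITY_LEVEL, VP_SECURITY_ALLOW_USER and VP_SECURITY_MESSAGE
settings of a Sametime server.

Added example, not code from the Lotus Sametime product. The INI reader is a
minimal one written for this example; the sample file contents at the bottom
are constructed.
"""
import unicodedata

# Documented VP_SECURITY_LEVEL values and the minimum client version each
# enforces. None means version filtering is switched off.
SECURITY_LEVELS = {
    "0": None, "20": "2.0", "25": "2.5", "30": "3.0", "31": "3.1",
    "6510": "6.5.1", "75": "7.5", "7510": "7.5.1", "80": "8.0",
}


def parse_ini(text):
    """Minimal INI reader: {SECTION: {KEY: value}} with names upper-cased.
    Lines before the first [header] land in the "" section; ';' and '#' lines
    are comments. Duplicate keys keep the last value, as the server would read
    the file from top to bottom."""
    data, section = {}, ""
    for raw in text.splitlines():
        line = raw.strip()
        if not line or line[0] in ";#":
            continue
        if line.startswith("[") and line.endswith("]"):
            section = line[1:-1].strip().upper()
            continue
        key, sep, value = line.partition("=")
        if sep:
            data.setdefault(section, {})[key.strip().upper()] = value.strip()
    return data


def audit_security_level(sametime_ini):
    """Return (minimum_client_version, findings) for the [Config] section.

    findings is a list of (severity, message). minimum_client_version is the
    enforced version string, or None when filtering is disabled or the value
    is not one the documentation lists."""
    cfg = parse_ini(sametime_ini).get("CONFIG", {})
    level = cfg.get("VP_SECURITY_LEVEL", "25")      # documented default
    allow = cfg.get("VP_SECURITY_ALLOW_USER", "0")  # documented default
    findings, minimum = [], None
    if level not in SECURITY_LEVELS:
        findings.append(("error", f"VP_SECURITY_LEVEL={level} is not a documented value"))
    elif SECURITY_LEVELS[level] is None:
        findings.append(("high", "VP_SECURITY_LEVEL=0 disables client version filtering"))
    else:
        minimum = SECURITY_LEVELS[level]
    if allow == "1":
        findings.append(("medium", "VP_SECURITY_ALLOW_USER=1 still admits clients below the minimum level"))
    elif allow != "0":
        findings.append(("error", f"VP_SECURITY_ALLOW_USER={allow} is not 0 or 1"))
    return minimum, findings


def audit_security_message(stsecurity_ini, allow_user):
    """Return findings for VP_SECURITY_MESSAGE in STSecurity.ini.

    The key is looked up in every section (the guide does not name one).
    allow_user is the VP_SECURITY_ALLOW_USER value from sametime.ini, which
    decides whether the text acts as a warning or a disconnection notice."""
    message = None
    for keys in parse_ini(stsecurity_ini).values():
        message = keys.get("VP_SECURITY_MESSAGE", message)
    findings = []
    if not message:
        findings.append(("info", "no VP_SECURITY_MESSAGE: non-conforming clients get no explanation"))
        return findings
    # Double-byte characters are not allowed in the message text; East Asian
    # wide and fullwidth code points are the usual offenders.
    if any(unicodedata.east_asian_width(ch) in ("W", "F") for ch in message):
        findings.append(("error", "VP_SECURITY_MESSAGE contains double-byte characters"))
    role = "warning (login allowed)" if allow_user == "1" else "disconnection notice (login rejected)"
    findings.append(("info", f"VP_SECURITY_MESSAGE acts as a {role}"))
    return findings


# Constructed sample files for the example.
SAMPLE_SAMETIME_INI = """[Config]
VP_SECURITY_LEVEL=30
VP_SECURITY_ALLOW_USER=1
"""
SAMPLE_STSECURITY_INI = """[Config]
VP_SECURITY_MESSAGE=Your Sametime client is older than 3.0; please upgrade before the cut-over date.
"""

if __name__ == "__main__":
    minimum, findings = audit_security_level(SAMPLE_SAMETIME_INI)
    allow = parse_ini(SAMPLE_SAMETIME_INI)["CONFIG"].get("VP_SECURITY_ALLOW_USER", "0")
    findings += audit_security_message(SAMPLE_STSECURITY_INI, allow)
    print(f"minimum client version: {minimum}")
    for severity, text in findings:
        print(f"[{severity}] {text}")
```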


Specifying the name to display in the title bar of instant messages sent by the server
By default, when the server generates an instant message in response to a login from a client older than the minimum defined version, the instant message window does not identify the sender. Use the following procedure to specify the name to display in the title bar of the instant message window.

To specify the name to display in the title bar of the instant message window

1. Use a text editor to open the STSecurity.ini file. By default the file is located in the Sametime installation folder, for example, C:\Lotus\Domino\STSecurity.ini.

Values for the sender name setting:

Value  Description
null   (Default) When the server sends an instant message in response to a login request from an older client, the title bar of the instant message window does not display a user name.
name   Specifies the user name to display in the title bar of the instant message window when the server sends an instant message in response to a login request from a client that does not conform to the server's security level.

2. Save and close the file.


Deploying a Community Services multiplexer on a separate machine


This section discusses the performance advantages and procedures associated with deploying a Community Services multiplexer on a separate machine from the Sametime server.

Note: This section discusses deploying a separate multiplexer in front of a Sametime server machine (or machines) that does not operate as part of a Community Services cluster. If you want to deploy a separate Community Services multiplexer to handle connections for a Community Services cluster, do not use the procedures in this section. To deploy a separate Community Services multiplexer in front of a Community Services cluster, see Deploying separate Community Services multiplexers (optional) in the Setting up a Community Services cluster without clustering the Meeting Services chapter of this documentation.


Each Sametime server contains a Community Services multiplexer (or MUX) component. The function of the Community Services multiplexer is to handle and maintain connections from Sametime clients to the Community Services on the Sametime server. During a normal Sametime server installation, the Community Services multiplexer is installed with all other Sametime components on the Sametime server machine.

The Sametime server CD provides an option to install only the Community Services multiplexer component. This option enables the administrator to install the Community Services multiplexer on a different machine than the Sametime server. When the Sametime Community Services multiplexer is installed on a different machine than the Sametime server:
- The Sametime Connect clients connect to the Community Services multiplexer machine, not the Sametime server. This configuration frees the Sametime server from the burden of managing the live client connections; the multiplexer machine is dedicated to this task.
- The Community Services multiplexer maintains a single IP connection to the Sametime server. The data for all Community Services clients is transmitted over this single IP connection to the Community Services on the Sametime server.

In this scenario, the Community Services connection-handling load is removed from the Sametime server. The Sametime server does not need to employ system resources to maintain thousands of client connections. Removing the connection-handling load from the Sametime server ensures these system resources can be dedicated to other Community Services processing tasks. The Community Services multiplexer machine dedicates its system resources to handling client connections but does not perform other Community Services processing. Distributing the Community Services workload between multiple servers in this way enables the Community Services on the Sametime server to handle a larger number of connections (users) and to function more efficiently.

Performance improvements with a separate multiplexer


If the Community Services multiplexer operates on the same machine as the Sametime server, the Sametime server can handle approximately 8,000 to 10,000 Community Services connections and also perform other Community Services processing tasks adequately. However, if the Sametime server is not required to expend system resources to maintain client connections, the server can service approximately 100,000 connections. (The Sametime server is capable of processing the Community Services data that is passed over 100,000 connections if it does not have to maintain the connections themselves.)

Note: This estimate of 100,000 connections assumes that the Meeting Services and Recorded Meeting Broadcast Services are not in use. If the Sametime server is simultaneously supporting interactive meetings, it will support fewer Community Services users.

When a Sametime Community Services multiplexer is installed on a separate machine, the Community Services multiplexer can support approximately 20,000 live IP port connections. You can also deploy multiple Community Services multiplexers in front of a Sametime server. To summarize the performance benefits of a separate multiplexer deployment, consider the following example:
- You can install three separate Community Services multiplexers in front of a single Sametime server. If each Community Services multiplexer handles 20,000 connections, as many as 60,000 users can be connected to a single Sametime server at one time.
- If the Sametime server is capable of servicing 100,000 connections, the server performance will not degrade under the load produced by 60,000 connections.
- If the multiplexer operates on the Sametime server instead of being deployed separately, the Sametime server can service a maximum of 10,000 users. By deploying three separate multiplexers in front of a single Sametime server, you can service 50,000 more users (assuming one connection per user) than if the multiplexer operates on the same machine as the Sametime server.
- If you deploy separate multiplexers in the manner described above, you can also implement a rotating DNS system, or IBM WebSphere Edge Server, in front of the multiplexers to load balance connections to the separate multiplexers.

To deploy separate Community Services multiplexers in your Sametime environment, see Installing and setting up a separate Community Services multiplexer.

Installing and setting up a separate Community Services multiplexer


Installing and setting up a separate Community Services multiplexer involves the following considerations and procedures:
1. Community Services multiplexer preinstallation considerations.
2. Install the Community Services multiplexer.
3. Configure security settings in the Configuration database on the Sametime server.
4. Configure settings in the Sametime.ini file on the multiplexer machine.
5. Configure client connectivity to the multiplexer machine.
6. (Optional) Dynamically load balance connections to the multiplexers.

Community Services multiplexer preinstallation considerations


Considering the requirements of the Community Services multiplexer machine is the first of six procedures associated with installing and setting up a separate Community Services multiplexer. Consider the following before installing a Community Services multiplexer on a separate machine:
- Community Services multiplexer installation files are available for Windows, AIX, Linux and Solaris. A separate Community Services multiplexer cannot be installed on an IBM System i server (i5/OS). However, Sametime on i5/OS supports the use of a separate multiplexer installed on a Windows system.
- The minimum system requirements for the Community Services multiplexer machine are the same as the system requirements for the core Sametime server. For more information, see "Sametime Server Installation." A machine that meets the minimum system requirements should be able to handle approximately 20,000 simultaneous client connections. Testing indicates that machines with dual 1133 MHz CPUs and 2 GB of RAM can handle approximately 30,000 simultaneous client connections.
- TCP/IP connectivity must be available between the Community Services multiplexer machine and the Sametime server. Port 1516 is the default port for the connection from the Community Services multiplexer machine to the Sametime server.

Next step:
Install the Community Services multiplexer machine

Install the Community Services multiplexer


Installing the Community Services multiplexer machine is the second of six procedures associated with installing and setting up a separate Community Services multiplexer. To install the Community Services multiplexer:
1. Insert the Sametime CD into the Community Services multiplexer machine and choose the option to install the Community Services multiplexer (or MUX).
2. Follow the instructions on the installation screens. Ensure that you enter the DNS name or IP address of the Sametime server to which the multiplexer will connect. The DNS name or IP address of the Sametime server is the only significant parameter you must enter during the Community Services multiplexer installation.
3. You can repeat these steps to install additional Community Services multiplexers on other machines.

Next step: Configure security settings in the Configuration database on the Sametime server.

Configure security settings in the Configuration database on the Sametime server


Configuring security settings in the Configuration database is the third of six procedures associated with installing and setting up a separate Community Services multiplexer. After you have installed the Community Services multiplexer on a separate machine, you must configure the Sametime server to accept connections from the Community Services multiplexer. A Sametime server only accepts connections from a Community Services multiplexer that is listed in the stconfig.nsf database on the Sametime server. Specifically, the Community Services multiplexer machine must be listed in the "CommunityTrustedIps" field of a "CommunityConnectivity" document in the stconfig.nsf database. This security setting prevents a Community Services multiplexer on unauthorized machines from connecting to the Sametime server.


To enable the Sametime server to accept connections from the Community Services multiplexer(s):
1. Use a Lotus Notes client to open the stconfig.nsf database on the Sametime server.
2. Open the CommunityConnectivity document in the stconfig.nsf database by double-clicking on the date associated with the document. If the CommunityConnectivity document does not exist in the stconfig.nsf database, you must create it. To create the CommunityConnectivity document, choose Create - CommunityConnectivity from the menu bar in the stconfig.nsf database.
3. In the "CommunityTrustedIps" field, enter the IP addresses of the Community Services multiplexer machine(s). If you enter multiple addresses, separate each address with a comma.
   Note: The IP addresses of SIP Connector machines associated with a Sametime community are also entered in this field.
4. Save and close the CommunityConnectivity document.

Next step: Configure settings in the Sametime.ini file on the multiplexer machine.

Configure settings in the Sametime.ini file on the multiplexer machine


Configuring settings in the Sametime.ini file is the fourth of six procedures associated with installing and setting up a separate Community Services multiplexer. When the multiplexer is installed on a separate machine, the configuration of the multiplexer is controlled by the settings in the Sametime.ini file on the multiplexer machine. In most cases, it is not necessary to change any of the settings in the Sametime.ini file, but you should review the information below to be sure. The configuration parameters in the Sametime.ini file include:
- The host name (VPS_HOST) of the Sametime server to which the Community Services multiplexer connects (specified during the Community Services multiplexer installation and in the stconfig.nsf database as discussed in the previous procedure).
- The port (VPS_PORT) the Community Services multiplexer uses to establish the connection with the Sametime server (default port 1516).
- The maximum number of simultaneous connections allowed to the multiplexer. To specify a maximum number of simultaneous connections, use the VPMX_CAPACITY= parameter of the Sametime.ini file. The default value is 20,000 connections (for example, VPMX_CAPACITY=20000).

Notes about the VPMX_CAPACITY= setting: The Sametime Administration Tool contains a Configuration - Community Services - Maximum user and server connections to the Community Server setting that controls the maximum number of Community Services connections allowed to the Sametime server. When the Community Services multiplexer is installed on a separate machine, Community Services users do not connect to the Sametime server and the "Maximum user and server connections to the Community Server" setting cannot be used to control the maximum number of connections allowed. Use the VPMX_CAPACITY= parameter in the Sametime.ini file to control the maximum number of connections instead of the setting in the Sametime Administration Tool. Multiplexer machines that meet the minimum system requirements can successfully handle 20,000 connections. This value may vary depending on the processing capabilities of the multiplexer machine. Multiplexer machines that have dual 1133 MHz CPUs and 2 GB of RAM can successfully handle as many as 30,000 connections.

If it is necessary to modify the settings above, open the Sametime.ini file on the Community Services multiplexer machine with a text editor, alter the setting, and save the Sametime.ini file.
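The trust relationship from the previous procedure (the CommunityTrustedIps field) and the Sametime.ini settings above can be checked before a multiplexer is started. The following Python script is an added example, not Sametime code; it assumes the CommunityTrustedIps value and the multiplexer's VPS_HOST, VPS_PORT and VPMX_CAPACITY settings are passed in as plain strings, and the addresses and host name it uses are constructed.

```python
"""Check the trust and capacity settings for a separate Community Services
multiplexer against the Sametime server's CommunityTrustedIps list.

Added example, not code from the Lotus Sametime product. Inputs are the
CommunityTrustedIps field of the CommunityConnectivity document (a
comma-separated list of IP addresses) and the multiplexer's Sametime.ini
settings as a dict of strings; the sample values in main are constructed.
"""
import ipaddress

DEFAULT_VPS_PORT = 1516    # default port from the multiplexer to the server
DEFAULT_CAPACITY = 20000   # default VPMX_CAPACITY
TESTED_CAPACITY = 30000    # highest connection count the guide reports as tested


def parse_trusted_ips(field):
    """Split CommunityTrustedIps into (valid_addresses, rejected_entries).

    Entries are separated by commas. Host names and malformed entries are
    rejected, because the field holds IP addresses only."""
    valid, rejected = [], []
    for entry in field.split(","):
        entry = entry.strip()
        if not entry:
            continue
        try:
            valid.append(ipaddress.ip_address(entry))
        except ValueError:
            rejected.append(entry)
    return valid, rejected


def check_multiplexer_trust(trusted_ips_field, mux_ip, mux_settings):
    """Return a list of (severity, message) findings.

    An empty list means the multiplexer at mux_ip is listed by the server and
    its Sametime.ini settings are at the documented defaults."""
    findings = []
    trusted, rejected = parse_trusted_ips(trusted_ips_field)
    for entry in rejected:
        findings.append(("error", f"CommunityTrustedIps entry {entry!r} is not an IP address"))
    if len(set(trusted)) != len(trusted):
        findings.append(("warn", "CommunityTrustedIps lists the same address more than once"))
    if ipaddress.ip_address(mux_ip) not in trusted:
        findings.append(("high", f"multiplexer {mux_ip} is not in CommunityTrustedIps; "
                                 "the server will refuse its connection"))

    if not mux_settings.get("VPS_HOST"):
        findings.append(("error", "VPS_HOST is not set; the multiplexer has no server to connect to"))

    port = mux_settings.get("VPS_PORT", str(DEFAULT_VPS_PORT))
    if not port.isdigit() or not 1 <= int(port) <= 65535:
        findings.append(("error", f"VPS_PORT={port!r} is not a valid TCP port"))
    elif int(port) != DEFAULT_VPS_PORT:
        findings.append(("info", f"VPS_PORT={port} differs from the default {DEFAULT_VPS_PORT}; "
                                 "confirm the server listens there"))

    capacity = mux_settings.get("VPMX_CAPACITY", str(DEFAULT_CAPACITY))
    if not capacity.isdigit():
        findings.append(("error", f"VPMX_CAPACITY={capacity!r} is not a number"))
    elif int(capacity) > TESTED_CAPACITY:
        findings.append(("warn", f"VPMX_CAPACITY={capacity} exceeds the {TESTED_CAPACITY} "
                                 "connections documented as tested"))
    elif int(capacity) != DEFAULT_CAPACITY:
        findings.append(("info", f"VPMX_CAPACITY={capacity} differs from the default {DEFAULT_CAPACITY}"))
    return findings


if __name__ == "__main__":
    # Constructed inputs: two multiplexers are listed, a third one is not,
    # and its capacity is set above the tested figure.
    trusted_field = "11.22.33.44, 11.22.33.55"
    settings = {"VPS_HOST": "sametime.example.com", "VPS_PORT": "1516", "VPMX_CAPACITY": "45000"}
    for severity, text in check_multiplexer_trust(trusted_field, "11.22.33.66", settings):
        print(f"[{severity}] {text}")
```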

Next step:
Configuring client connectivity to the Community Services multiplexer machine.

Configuring client connectivity to the Community Services multiplexer machine


Configuring client connectivity to the Community Services multiplexer machine is the fifth of six procedures associated with installing and setting up a separate Community Services multiplexer. After you have installed and configured the Community Services multiplexer, you must ensure that Sametime Connect clients are configured to connect to the Community Services multiplexer instead of the Sametime server.

A Sametime Connect client attempts to connect to the network address specified in the Options - Preferences - Sametime Connectivity - Host setting available on the Sametime Connect client. To ensure that Sametime Connect clients connect to the Community Services multiplexer machine instead of the Sametime server machine, each user in the Sametime community must enter the DNS name or IP address of the Community Services multiplexer machine in the "Host" field of the Sametime Connect clients. For example, each user may need to perform this procedure:
1. Open Sametime Connect.
2. Choose Options - Preferences - Sametime Connectivity.
3. In the Host field enter the DNS name of the Community Services multiplexer machine.

If you have deployed multiple Community Services multiplexers, your user community should connect to these multiplexers in a balanced fashion. For example, if you have deployed two Community Services multiplexers, half of your users should configure the Sametime Connect client to connect to multiplexer 1 and the other half of the users should configure Sametime Connect to connect to multiplexer 2.

Notes about configuring client connectivity:
- The next topic discusses an optional configuration you can employ to provide a more dynamic form of connection load balancing across multiple Community Services multiplexer machines than is discussed above. If you dynamically load balance connections to the multiplexers, the Host field in the Sametime Connect client must contain the DNS name or IP address of the load balancing mechanism, not the multiplexer machine as described above.

Next step: Dynamically load balancing client connections to the multiplexers.

(Optional) Dynamically load balancing client connection to the multiplexers


Dynamically load balancing connections to multiple Community Services multiplexers is the last of six procedures associated with installing and setting up a separate Community Services multiplexer. Dynamically load balancing connections is an optional procedure. Also, this procedure is only valid when you have installed multiple Community Services multiplexers.

To dynamically load balance client connections to multiple Community Services multiplexers, you can do one of the following:
- Set up a rotating DNS system to accomplish load balancing. Use rotating DNS to associate the IP addresses of the Community Services multiplexer machines to a single DNS name. For example, associate the IP address of Community Services multiplexer machine 1 (11.22.33.44) and Community Services multiplexer machine 2 (11.22.33.55) to the DNS name cscluster.sametime.com.
- Set up an IBM WebSphere Edge Server (Network Dispatcher) in front of the Sametime servers that you intend to cluster. Use the WebSphere Edge Server Network Dispatcher to distribute connections to the Community Services multiplexer machines. See the documentation for the IBM WebSphere Edge Server for more information.

Notes about dynamically load balancing client connections to the multiplexers:
- The topic Set up the load-balancing mechanism (rotating DNS or Network Dispatcher) in the "Setting up a Community Services cluster without clustering the Meeting Services" chapter of this documentation illustrates a rotating DNS system set up in front of a separate multiplexer deployment. Note that the deployment shown in that topic illustrates multiple multiplexers in front of a Community Services server cluster instead of a single, non-clustered Sametime server.
- For information about rotating DNS limitations, see Rotating DNS Limitations with cached DNS resolve requests.


Chapter 21. Business Card


The IBM Lotus Sametime Business Card allows the administrator, using the user information in the lightweight directory access protocol (LDAP) directory, Domino directory, or Black Box configuration, to set up the user and business information that will display in the chat window (using hover-over technology) and in the contact list. The application that runs the Business Card is an HTTP servlet called UserInfo. As administrator, you can configure the Business Card, and the client presents to the user only those details available from the Administration tool. To set up the Business Card, choose the fields that represent the information that you want to display in the Business Card. To reorder the list, select an entry in the list and use the up or down buttons to raise or lower the element in the hierarchy of information. (If the photo feature is used, Photo should be the first item in the selected list.)

Setting up the business card


To set up a business card, use the Administration tool. The main Business Card page allows you to choose the elements of information about a user that can be displayed in hover-over mode in the chat window and in the user's list of contacts. To select fields you want to make available to users, follow these steps. The windows display these elements as selections of the information type available as defaults from either the LDAP directory or the Domino directory in the left pane, and the default list of these fields on the right. Under Business card user information there are two windows: a "select" window and a "selected" window. Information elements are photo, name, company, title, telephone, e-mail address, and address. Whatever elements you select to add to the "selected" window will show up in the user's business card in hover-over mode in the Sametime Instant Messaging chat window and in the user's buddy, or contact, list.
1. Log in to the Sametime server.
2. Select "Administer the server."
3. Select Configuration, and then select Business Card Setup.
4. Select to highlight the desired fields or elements and select Add.
5. Remove elements by clicking Remove.
6. Select Update to apply the changes or select Cancel to cancel the assignments. When all changes have been made, restart the Domino server to apply the changes.

Elements available for Business Card


There are seven pieces of information that you, as Administrator, can choose to include in the user's Business card for Instant Messaging (Community Services). All this information, once it is configured for a user, appears in the chat window. The names of these elements are listed on the main screen of the Business Card Setup page that can be selected from the Administration page in the contents pane under Configuration.

Attributes available for Business Card

The Business Card configuration allows you to select which information users will display in their Business Card in Instant Messaging. Attributes available are:
- Photo
- Name
- Company
- E-mail address
- Telephone
- Address or location
- Title

You can set up or change the details you want to retrieve by changing the values for these attribute names on the main Business Card setup page.

Edit Business Card Attribute values


You can also edit values for information drawn for attribute names from directories used for the Business Card. The values are slightly different for LDAP and Domino directories. To edit mappings, follow these steps.
1. Log in to the Sametime server as Administrator.
2. Click Administer the Server.
3. Click Configuration - Business Card.
4. Select and type in the appropriate attribute value, depending upon the type of directory where the information is held.
5. Click Update to apply, or click Cancel to cancel the assignments.

Attribute name   Domino style attribute value         LDAP style attribute value
Name             FirstName, MiddleInitial, LastName   cn
Title            JobTitle                             title
Address          Location                             postalAddress
Telephone        OfficePhoneNumber                    telephoneNumber
E-mail address   InternetAddress                      mail
Photo                                                 jpegPhoto
Company          CompanyName                          ou

Note: OU refers to Organizational Units, such as divisions or regional offices, and O relates to the Organization name.


Using repositories

There are three different types of storage repositories, or databases, where information about users is stored. Business card can access user information from any of three types of storage repositories: the Domino directory, the LDAP directory, or a custom Notes database. Each repository stores user information differently, so to facilitate user searches, Sametime provides a search engine, called a black box, for each storage type.

Terms used with repositories

Black box (search engine) - Since there are three different storage types, Sametime provides three different black boxes to search for user information (one per storage type). These are:
- Notes - used to search a Domino directory
- LDAP - used to search an LDAP directory
- Notes_custom_db - used to search a customized Notes database
Sametime directory - The directory used by Sametime to authenticate users (this is either a Domino directory or an LDAP directory).
Primary storage - The first storage repository searched by the UserInfo application to retrieve user information; must always be the Sametime directory.
Secondary storage - The second storage repository searched by the UserInfo application to retrieve user information.
Note: The primary storage can never be of the same type as the second repository; for example, the primary and secondary storage cannot both be a Domino directory.

There are a variety of ways you can use storage repositories.
Single repositories:
- The single repository with Domino
- The single repository with LDAP
Dual repositories:
- The dual repository with Domino/LDAP directories
- The dual repository with LDAP/Domino directories
- The dual repository with Domino/Custom Notes databases
- The dual repository with LDAP/Custom Notes databases
Select the topic in the left contents pane that corresponds to the type(s) of repository(ies) you want to set up to store and retrieve user data for the Business Card.
Chapter 21. Business Card

323

Using the single repository with Domino


This task demonstrates how to configure the Business Card using the Domino directory.

Before you begin


Prerequisites:
• Domino and Sametime are installed and configured to run
• Sametime authentication is configured to use a Domino directory
• The Sametime server is running

1. Open an Internet browser and enter this URL into the address field: http://sametime.austin.ibm.com/stcenter.nsf, substituting your server's actual hostname for sametime.austin.ibm.com.
2. Click Administer the server, and then log in as Administrator.
3. Click the plus sign next to Configuration to expand the contents, and then click Business Card Setup.
4. In the User Information section, highlight the entry you want displayed in users' business cards, and then click the Add button to move the entry to the right-side list box. To remove pre-selected entries, highlight them and click Remove. In most cases, the bottom section requires no modification; however, if the information you want displayed in the users' business cards is not mapped to the default fields provided by the users' person documents, then you may need to update the bottom section. For example, the XYZ corporation stores users' job title information in the occupation title field, which is not the default field provided by Notes/Domino to store users' job title information. So, to display the proper information for users' job titles in the business card, the mapping for the title must be updated. In XYZ's case, the value for the Title attribute is modified from job title to occupation title.
5. Click Update to save the changes.

To display user information, the business card feature uses a server-side application called UserInfo, which fetches and delivers user information for each incoming client request (a request from a client to view a specific user's business card). To ensure this application is configured properly to search the proper data storage, confirm the settings as defined in UserInfoConfig.xml.

6. Open the UserInfoConfig.xml file in a text editor. The file is located in the Domino program directory (\lotus\domino\UserInfoConfig.xml). Here is a section of the UserInfoConfig.xml file edited for XYZ's scenario:

<UserInformation>
  <Resources>
    <Storage type="NOTES">
      <CommonField CommonFieldName="MailAddress"/>
      <Details>
        <Detail Id="Location" FieldName="Location" Type="text/plain"/>
        <Detail Id="Title" FieldName="OccupationTitle" Type="text/plain"/>
        <Detail Id="MailAddress" FieldName="InternetAddress" Type="text/plain"/>
        <Detail Id="Telephone" FieldName="OfficePhoneNumber" Type="text/plain"/>
        <Detail Id="Company" FieldName="CompanyName" Type="text/plain"/>
        <Detail Id="Name" FieldName="FirstName,MiddleInitial,LastName" Type="text/plain"/>
        <Detail Id="Photo" FieldName="jpegPhoto" Type="image/jpeg"/>
      </Details>
    </Storage>
  </Resources>
  <ParamsSets>
    <Set SetId="0" params="MailAddress,Name,Title,Location,Telephone,Photo,Company"/>
    <Set SetId="1" params="MailAddress,Name,Title,Location,Telephone,Photo,Company"/>
  </ParamsSets>
  <BlackBoxConfiguration>
    <BlackBox type="NOTES" name="com.ibm.sametime.userinfo.userinfobb.UserInfoNotesBB" MaxInstances="4"/>
  </BlackBoxConfiguration>
</UserInformation>

Using the single repository with LDAP


This section describes how to configure the Business Card using an LDAP directory as a repository.

Before you begin


These directions assume the following:
• Domino and Sametime have already been installed and configured to run properly
• Sametime authentication is configured to use an LDAP directory
• The LDAP server is running and accessible by the Sametime server
• All LDAP attributes needed by Business Card are accessible for query via anonymous connection or by using a specific bind account/password
• The Sametime server is running

About this task

1. Open an Internet browser and enter the following URL into the address bar: http://sametime.austin.ibm.com/stcenter.nsf. Note: Update the hostname sametime.austin.ibm.com to reflect your server's actual hostname.
2. Click Administer the server and log in as Administrator.
3. Click the plus sign next to Configuration to expand the contents, and then select Business Card setup.
4. In the User Information section on the left side, highlight the entry you want displayed in users' business cards, and then click the Add button to move the selected entry into the right-side list box. If you do not want to display any pre-selected information, highlight each entry, and then click Remove.
5. If the information you want displayed in users' business cards is not mapped to the appropriate LDAP attributes as defined by your LDAP schema, you might need to update the bottom section of the Business Card page. For example, the XYZ corporation stores users' e-mail addresses in the e-mail attribute on the LDAP directory. The e-mail attribute is not the default attribute used by many LDAP directories; therefore, to display the proper information for users' e-mail addresses inside the business card, the mapping for the e-mail address must be updated accordingly. In XYZ's case, the value for the e-mail address attribute is modified from mail to e-mail (see graphic below).

Note: Each LDAP directory has its own naming schema, so be sure to confirm that each attribute value selected for display is mapped to the correct LDAP attribute as defined by your LDAP schema.

6. When you have finished modifications, click Update to effect the changes.
7. To display user information, the Business Card uses a server-side application called UserInfo, which fetches and delivers user information for each incoming client request (an end-user request to view a user's Business Card). To ensure UserInfo is configured properly to search the appropriate data storage, open UserInfoConfig.xml in a text editor (find this file in the Domino program directory, \lotus\domino\UserInfoConfig.xml). When you use an LDAP directory as the only data source to store user information, the UserInfoConfig.xml should look like this:

<UserInformation>
  <Resources>
    <Storage type="LDAP">
      <CommonField CommonFieldName="MailAddress"/>
      <StorageDetails HostName="ldap.austin.ibm.com" Port="389" UserName="username" Password="password" SslEnabled="false" SslPort="636" BaseDN="o=ibm" Scope="2" SearchFilter="(&amp;(objectclass=organizationalPerson)(|(cn=%s)(givenname=%s)(sn=%s)(mail=%s)))"/>
      <!-- Add another StorageDetails tag to support another ldap server. The listing order implies the searching order -->
      <!-- Scope: 0=OBJECT_SCOPE 1=ONELEVEL_SCOPE 2=SUBTREE_SCOPE -->
      <SslProperties KeyStorePath="" KeyStorePassword=""/>
      <Details>
        <Detail Id="MailAddress" FieldName="email" Type="text/plain"/>
        <Detail Id="Name" FieldName="cn" Type="text/plain"/>
        <Detail Id="Title" FieldName="title" Type="text/plain"/>
        <Detail Id="Location" FieldName="postalAddress" Type="text/plain"/>
        <Detail Id="Telephone" FieldName="telephoneNumber" Type="text/plain"/>
        <Detail Id="Company" FieldName="ou" Type="text/plain"/>
        <Detail Id="Photo" FieldName="jpegPhoto" Type="image/jpeg"/>
      </Details>
    </Storage>
  </Resources>
  <ParamsSets>
    <Set SetId="0" params="MailAddress,Name,Title,Location,Telephone,Photo,Company"/>
    <Set SetId="1" params="MailAddress,Name,Title,Location,Telephone,Photo,Company"/>
  </ParamsSets>
  <BlackBoxConfiguration>
    <BlackBox type="LDAP" name="com.ibm.sametime.userinfo.userinfobb.UserInfoLdapBB" MaxInstances="5"/>
  </BlackBoxConfiguration>
</UserInformation>

8. Restart the Sametime server (including the Domino server) to effect all the changes.

What to do next
You have successfully configured the Business Card to display data that is stored in a single data repository, an LDAP directory.

Using the dual repository with Domino and LDAP


You can configure Business Card with the use of two (dual) repositories, Domino and LDAP. The primary storage repository is the Domino directory, and the secondary storage is the LDAP directory.

Before you begin


These directions assume the following:
• Domino and Sametime have been installed and configured to run properly
• Sametime authentication is configured to use a Domino directory
• The LDAP server is running and is accessible by the Sametime server
• All LDAP attributes needed by Business Card are accessible for query via anonymous connection or by using a specific bind account/password
• The Sametime server is running
• Business card information can be retrieved from your Sametime directory

About this task

Enter this URL in the address window of a browser: http://hostname/, using your server's actual hostname.
1. Click Administer the server, and then log in as Administrator.
2. Expand the plus sign next to Configuration, and then select Business Card setup.
3. In the User Information section on the left side, highlight the entry you want displayed in users' business cards, and click the Add button to move the selected entry into the right-side list box. If you do not want to display any of the pre-selected information (as listed on the right-hand side), highlight the entry, and then click Remove.
4. In the bottom section of the page, where the table of attribute names and values is defined, remove the attribute values for the attributes that will be retrieved from the secondary storage. In our example, we will be pulling users' Telephone information from the LDAP directory, so delete the value for the Telephone attribute, and then click Update to save the changes. Removing attributes here ensures they are pulled from the secondary storage, and not from the primary storage.
5. Using a text editor (Notepad or Wordpad), open the file called UserInfoConfig.xml, which contains the information the server uses to display user information for Business Card. The UserInfo application fetches and delivers user information for each incoming client request (an end-user request to view a specific user's business card). To ensure this application is configured properly to search the correct data storages, confirm the settings as defined in UserInfoConfig.xml.
6. When Domino is the primary storage and LDAP is the secondary storage, make the following modifications:
a. Add the following LDAP <Storage> tag within the <Resources> tag:

<Storage type="LDAP">
  <StorageDetails HostName="ldap.austin.ibm.com" Port="389" UserName="username" Password="password" SslEnabled="false" SslPort="636" BaseDN="o=ibm" Scope="2" SearchFilter="(&amp;(objectclass=organizationalPerson)(|(cn=%s)(givenname=%s)(sn=%s)(mail=%s)))"/>
  <!-- Add another StorageDetails tag to support another ldap server. The listing order implies the searching order -->
  <!-- Scope: 0=OBJECT_SCOPE 1=ONELEVEL_SCOPE 2=SUBTREE_SCOPE -->
  <SslProperties KeyStorePath="" KeyStorePassword=""/>
  <Details>
    <Detail Id="Telephone" FieldName="telephonenumber" Type="text/plain"/>
  </Details>
</Storage>

Note: Update the <StorageDetails> tag with the appropriate settings for your LDAP directory.
Note: The <Details> section defines the attributes that Sametime will retrieve from the corresponding storage repository. In this example, we are pulling the telephonenumber attribute from the LDAP directory.
b. To ensure the telephone number is retrieved from LDAP, and not from Domino, remove the following from the <Details> tag of the (Domino) NOTES storage type:
<Detail Id="Telephone" FieldName="OfficePhoneNumber" Type="text/plain"/>
After you have made these changes, the UserInfoConfig.xml file should look like this:

<UserInformation>
  <Resources>
    <Storage type="NOTES">
      <CommonField CommonFieldName="MailAddress"/>
      <Details>
        <Detail Id="Location" FieldName="Location" Type="text/plain"/>
        <Detail Id="Title" FieldName="JobTitle" Type="text/plain"/>
        <Detail Id="MailAddress" FieldName="InternetAddress" Type="text/plain"/>
        <Detail Id="Company" FieldName="CompanyName" Type="text/plain"/>
        <Detail Id="Name" FieldName="FirstName,MiddleInitial,LastName" Type="text/plain"/>
        <Detail Id="Photo" FieldName="jpegPhoto" Type="image/jpeg"/>
      </Details>
    </Storage>
    <Storage type="LDAP">
      <StorageDetails HostName="ldap.austin.ibm.com" Port="389" UserName="username" Password="password" SslEnabled="false" SslPort="636" BaseDN="o=ibm" Scope="2" SearchFilter="(&amp;(objectclass=organizationalPerson)(|(cn=%s)(givenname=%s)(sn=%s)(mail=%s)))"/>
      <!-- Add another StorageDetails tag to support another ldap server. The listing order implies the searching order -->
      <!-- Scope: 0=OBJECT_SCOPE 1=ONELEVEL_SCOPE 2=SUBTREE_SCOPE -->
      <SslProperties KeyStorePath="" KeyStorePassword=""/>
      <Details>
        <Detail Id="Telephone" FieldName="telephonenumber" Type="text/plain"/>
      </Details>
    </Storage>
  </Resources>
  <ParamsSets>
    <Set SetId="0" params="MailAddress,Name,Title,Location,Telephone,Photo,Company"/>
    <Set SetId="1" params="MailAddress,Name,Title,Location,Telephone,Photo,Company"/>
  </ParamsSets>
  <BlackBoxConfiguration>
    <BlackBox type="NOTES" name="com.ibm.sametime.userinfo.userinfobb.UserInfoNotesBB" MaxInstances="4"/>
    <BlackBox type="LDAP" name="com.ibm.sametime.userinfo.userinfobb.UserInfoLdapBB" MaxInstances="5"/>
  </BlackBoxConfiguration>
</UserInformation>

c. So that the UserInfo application can retrieve data for a user from multiple data sources, a common field must be shared among the storage repositories; this field must be unique within its corresponding directory. By default, users' e-mail addresses are used as the common attribute; consequently, users must be uniquely identified by their e-mail addresses. If another attribute is preferred, the following line must be updated to reflect the field for that attribute:
<CommonField CommonFieldName="MailAddress"/>
7. Restart your Sametime server and the Domino server to effect all the changes.
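The rules in this chapter (the primary storage must be the Sametime directory, the black boxes are searched in listing order, an attribute left mapped in the primary storage is never fetched from the secondary one, and the common field joins the records) are easy to get wrong by hand, and a mistake only shows up after the server restart. The following Python script is an added example, not IBM's code and not part of this guide: it parses a UserInfoConfig.xml in the layout shown in this chapter and reports those mistakes, plus a raw & in SearchFilter (XML requires it to be written &amp;) and an LDAP bind password configured with SslEnabled="false", which crosses the network in the clear. The embedded configuration is constructed for the demonstration (hostname, BaseDN and the username/password placeholders are not a real directory), and the check that the first black box must match the first storage is this example's reading of the listing-order notes, not an IBM-documented validation. The same check applies unchanged to the custom Notes database configurations later in this chapter, because it only compares storage and black box types.

```python
"""Check a Sametime UserInfoConfig.xml for the mistakes this chapter warns about.

Added example, not IBM code. It understands only the <Resources>/<ParamsSets>/
<BlackBoxConfiguration> layout shown in the chapter.
"""
import xml.etree.ElementTree as ET

# Constructed sample: Domino primary, LDAP secondary, with three deliberate
# faults: Telephone is still mapped in the NOTES storage (so the LDAP value is
# never used), Photo is requested but mapped nowhere, and the LDAP bind
# password is sent with SslEnabled="false". Host, BaseDN and credentials are
# placeholders, not a real directory.
SAMPLE_CONFIG = """<UserInformation>
  <Resources>
    <Storage type="NOTES">
      <CommonField CommonFieldName="MailAddress"/>
      <Details>
        <Detail Id="MailAddress" FieldName="InternetAddress" Type="text/plain"/>
        <Detail Id="Name" FieldName="FirstName,MiddleInitial,LastName" Type="text/plain"/>
        <Detail Id="Telephone" FieldName="OfficePhoneNumber" Type="text/plain"/>
      </Details>
    </Storage>
    <Storage type="LDAP">
      <StorageDetails HostName="ldap.example.com" Port="389" UserName="username"
        Password="password" SslEnabled="false" SslPort="636" BaseDN="o=example"
        Scope="2" SearchFilter="(&amp;(objectclass=organizationalPerson)(|(cn=%s)(mail=%s)))"/>
      <Details>
        <Detail Id="Telephone" FieldName="telephonenumber" Type="text/plain"/>
      </Details>
    </Storage>
  </Resources>
  <ParamsSets>
    <Set SetId="0" params="MailAddress,Name,Telephone,Photo"/>
  </ParamsSets>
  <BlackBoxConfiguration>
    <BlackBox type="NOTES" name="com.ibm.sametime.userinfo.userinfobb.UserInfoNotesBB" MaxInstances="4"/>
    <BlackBox type="LDAP" name="com.ibm.sametime.userinfo.userinfobb.UserInfoLdapBB" MaxInstances="5"/>
  </BlackBoxConfiguration>
</UserInformation>
"""

# The same file with the three faults repaired, for comparison.
CORRECTED_CONFIG = (
    SAMPLE_CONFIG
    .replace('        <Detail Id="Telephone" FieldName="OfficePhoneNumber" Type="text/plain"/>\n', "")
    .replace('params="MailAddress,Name,Telephone,Photo"', 'params="MailAddress,Name,Telephone"')
    .replace('SslEnabled="false"', 'SslEnabled="true"')
)


def check_userinfo_config(xml_text, sametime_directory_type):
    """Return a list of problems found (an empty list means the file passes).

    sametime_directory_type is the directory Sametime authenticates against,
    "NOTES" or "LDAP"; the chapter requires it to be the first <Storage>.
    """
    problems = []
    try:
        root = ET.fromstring(xml_text)
    except ET.ParseError as exc:
        # The usual cause is a bare '&' in SearchFilter; XML requires &amp;
        return [f"not well-formed XML: {exc}"]

    storages = root.findall("./Resources/Storage")
    if not storages:
        return ["no <Storage> element under <Resources>"]
    storage_types = [s.get("type") for s in storages]
    if storage_types[0] != sametime_directory_type:
        problems.append(f"primary storage is {storage_types[0]} but the Sametime directory is {sametime_directory_type}")
    if len(set(storage_types)) != len(storage_types):
        problems.append(f"two storages share a type: {storage_types}")

    # Black boxes are searched in listing order, so the list must mirror the storages.
    bb_types = [b.get("type") for b in root.findall("./BlackBoxConfiguration/BlackBox")]
    if bb_types != storage_types:
        problems.append(f"black box order {bb_types} does not match storage order {storage_types}")

    # A Detail Id mapped in more than one storage is answered by the primary;
    # the secondary value is never consulted.
    mapped_in = {}
    for storage in storages:
        for detail in storage.findall("./Details/Detail"):
            detail_id = detail.get("Id")
            if detail_id in mapped_in:
                problems.append(f"Detail {detail_id!r} mapped in both {mapped_in[detail_id]} and {storage.get('type')}")
            else:
                mapped_in[detail_id] = storage.get("type")

    # Every parameter a client may request needs a mapping somewhere.
    for param_set in root.findall("./ParamsSets/Set"):
        for param in param_set.get("params", "").split(","):
            if param and param not in mapped_in:
                problems.append(f"param {param!r} in Set {param_set.get('SetId')} has no Detail mapping")

    # The common field joins records across repositories, so it must be mapped.
    for common in root.findall("./Resources/Storage/CommonField"):
        if common.get("CommonFieldName") not in mapped_in:
            problems.append(f"CommonField {common.get('CommonFieldName')!r} is not a mapped Detail")

    # A bind password over a non-SSL connection crosses the network in the clear.
    for details in root.findall("./Resources/Storage[@type='LDAP']/StorageDetails"):
        if details.get("Password") and details.get("SslEnabled", "false").lower() != "true":
            problems.append(f'LDAP bind to {details.get("HostName")} sends a password with SslEnabled="false"')
    return problems


if __name__ == "__main__":
    for label, config in (("sample", SAMPLE_CONFIG), ("corrected", CORRECTED_CONFIG)):
        print(label, check_userinfo_config(config, "NOTES") or "OK")
```

Run it against a copy of your own UserInfoConfig.xml by reading the file into check_userinfo_config before restarting the server; an empty list means the listing order, the attribute split between repositories and the common field are consistent with the rules in this chapter.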

Using the dual repository with Domino and custom


For retrieving Business Card information, you can set up a dual repository of a Domino directory and a custom database.

Before you begin


This section describes how to configure the Business Card using two storage repositories: Domino with a custom Notes repository. Here, we describe how you can set up Domino as the primary storage, and a custom Notes database as the secondary storage. These directions assume the following:
• Domino and Sametime have already been installed and configured to run properly
• Business card information can be retrieved from your Sametime directory
• A custom Notes application database based upon any template has been created and contains user records for each corresponding person document defined in the Sametime directory. (In our example, this custom database is named bcardstorage.nsf.)
• To use a custom Notes database as a secondary repository, each user record in the custom database must have a common field whose unique value matches the value of the same field for the person in the Sametime directory. By default, the common field that is used is the Internet e-mail address.

1. Open an Internet browser and enter http://hostname/stcenter.nsf into the URL field, and then click Administer the server.
2. Click the plus sign next to Configuration to expand the list. Choose Business card setup.
3. In the User Information section on the left side, highlight the entry you want displayed in the users' business cards, and click the Add button to move the entry to the right-side list box. To remove pre-selected entries, highlight them, and click Remove.
4. In the bottom attributes section, if the information you want displayed in users' business cards is not mapped to the appropriate attributes used in your company, then you may need to update it.
5. To prepare attributes for use by the secondary storage, in the attribute name/attribute value section, remove the values for the attributes that are to be retrieved from the secondary storage. In this example, we are retrieving the Telephone information from the custom Notes database; therefore, delete the value for the Telephone attribute, and then click Update to save the changes. These values are removed to ensure the appropriate values are retrieved from the secondary data repository, and not the primary.
6. Modify the UserInfoConfig.xml file located in the Domino program directory (\lotus\domino\UserInfoConfig.xml) using a text editor. The UserInfo application fetches and delivers user information for each incoming client request (an end-user's request to view a particular user's business card).
a. Add the following NOTES_CUSTOM_DB <Storage> tag inside the <Resources> tag:

<Storage type="NOTES_CUSTOM_DB">
  <StorageDetails DbName="bcardstorage.nsf" View="persons"/>
  <Details>
    <Detail Id="Telephone" FieldName="telephone" Type="text/plain"/>
  </Details>
</Storage>

Note: In the <StorageDetails> tag, the following settings are specified:
• DbName = database_path: filename of the custom Notes database (relative path to the Domino data directory)
• View = view_name: the name of the Notes view that displays the documents containing the user records
• The <Details> section defines the attributes that will be retrieved by Sametime from the corresponding storage repository. In this example, we are pulling the telephone attribute from the custom Notes application database.
b. Since the Telephone number must come from the custom Notes application, ensure the information is not retrieved from the Domino directory by removing the following from the <Details> tag of the NOTES storage:
<Detail Id="Telephone" FieldName="OfficePhoneNumber" Type="text/plain"/>
c. Add the following to the <BlackBoxConfiguration> section. The Notes black box must come first, since the listed order defines the search order:
<BlackBox type="NOTES_CUSTOM_DB" name="com.ibm.sametime.userinfo.userinfobb.UserInfoNotesCustomBB" MaxInstances="4"/>
Note: The Sametime directory must be configured as the primary storage so it can be searched first by the UserInfo application. In this example, the Domino directory is the Sametime directory; therefore, the NOTES_CUSTOM_DB black box is listed AFTER the NOTES black box.

Now the UserInfoConfig.xml should look like this:

<UserInformation>
  <Resources>
    <Storage type="NOTES">
      <CommonField CommonFieldName="MailAddress"/>
      <Details>
        <Detail Id="Location" FieldName="Location" Type="text/plain"/>
        <Detail Id="Title" FieldName="JobTitle" Type="text/plain"/>
        <Detail Id="MailAddress" FieldName="InternetAddress" Type="text/plain"/>
        <Detail Id="Company" FieldName="CompanyName" Type="text/plain"/>
        <Detail Id="Name" FieldName="FirstName,MiddleInitial,LastName" Type="text/plain"/>
        <Detail Id="Photo" FieldName="jpegPhoto" Type="image/jpeg"/>
      </Details>
    </Storage>
    <Storage type="NOTES_CUSTOM_DB">
      <StorageDetails DbName="bcardstorage.nsf" View="persons"/>
      <Details>
        <Detail Id="Telephone" FieldName="telephone" Type="text/plain"/>
      </Details>
    </Storage>
  </Resources>
  <ParamsSets>
    <Set SetId="0" params="MailAddress,Name,Title,Location,Telephone,Photo,Company"/>
    <Set SetId="1" params="MailAddress,Name,Title,Location,Telephone,Photo,Company"/>
  </ParamsSets>
  <BlackBoxConfiguration>
    <BlackBox type="NOTES" name="com.ibm.sametime.userinfo.userinfobb.UserInfoNotesBB" MaxInstances="4"/>
    <BlackBox type="NOTES_CUSTOM_DB" name="com.ibm.sametime.userinfo.userinfobb.UserInfoNotesCustomBB" MaxInstances="4"/>
  </BlackBoxConfiguration>
</UserInformation>

7. So that the UserInfo application can retrieve data for a single user from multiple sources, a common field must be shared among the storage repositories. By default (though any unique value may be used), the user's e-mail address is the common attribute, so in both storage repositories users must be uniquely identified by their e-mail addresses. If you want to use a different attribute, you must update this line to show which attribute you plan to use:
<CommonField CommonFieldName="MailAddress"/>
8. Restart the Sametime server and the Domino server to effect all the changes.

What to do next
You have successfully configured the business card to display information for a single user from dual storage repositories: the Domino directory and a custom Notes application database.

Using the dual repository with LDAP and Domino Notes


For retrieving Business Card information, you can set up a dual repository of an LDAP directory and a Domino Notes directory.

Before you begin


This section describes how to configure the Business Card using two storage repositories: LDAP directory as the primary storage, and the Domino directory as the secondary storage.

About this task


These directions assume the following:
• Domino and Sametime have already been installed and configured to run properly
• Sametime authentication is configured to use an LDAP directory
• The LDAP server is running and accessible by the Sametime server
• All LDAP attributes needed by Business Card are accessible for query via anonymous connection or by using a specific bind account/password
• The Sametime server is running
• Business card information can be retrieved from your Sametime directory
• A Notes database based on the Domino directory template (pubnames.ntf) has been created and contains person documents for each corresponding user account defined in the Sametime directory. (In our example, this database is named bcardstorage.nsf, and the user accounts correspond to the accounts in the Sametime directory by users' e-mail address.)

1. Using Lotus Notes, open your Directory Assistance database (typically da.nsf). If such a database does not exist, you must create one based upon the Directory Assistance template.
2. Click Add Directory Assistance to add an additional directory assistance document, and then specify the secondary storage. See the sample Directory Assistance document for bcardstorage.nsf below:

[Sample Directory Assistance document: Naming contexts (Rules) tab]

Note: For Business Card purposes, the secondary storage does NOT have to be trusted for credentials.

[Sample Directory Assistance document: Replicas tab]

3. Once you have completed the changes, save and close the document. The resulting Directory Assistance database may show the following:

Note: The directory assistance database must be listed on the Basics tab of the Sametime server document in the Directory assistance database name field. If it is not listed, fill in the field, and restart the Sametime server to effect that change.
4. Open an Internet browser, and then enter the following URL in the address field: http://hostname/stcenter.nsf, where hostname is the actual hostname of your server. Click Administer the server, and then log in as Administrator.
5. Click the plus sign next to Configuration to expand the list. Choose Business Card setup.
6. In the User Information section on the left side, highlight the entry you want displayed in users' business cards, and click the Add button to move the selected entry into the right-side list box. To remove pre-selected entries, highlight them, and click Remove.
7. Usually, the bottom section needs no modification, but if the information you want displayed in users' business cards is not mapped to the appropriate LDAP attributes as defined by your LDAP schema, then you may need to update this section. For example, the XYZ corporation stores users' e-mail addresses in the e-mail attribute on the LDAP directory. In many LDAP directories, the e-mail attribute is not the default, so the mapping for the e-mail address may have to be modified to work with Business Card. In XYZ's case, the value for the e-mail address attribute is modified from mail to email (see screen shot below).

Note: Each LDAP directory has its own schema; be sure that each entry selected for display is mapped to the appropriate LDAP attribute as defined by your LDAP schema.
8. In the same section, where the table of attribute names and values is specified, remove the attribute values for the attributes that will be retrieved from the secondary storage. In our example, we are retrieving users' Telephone and Title information from the Domino directory; therefore, delete the values for the Telephone and Title attributes, and then click Update to save the changes.

Note: These values are removed to ensure they are retrieved from the secondary repository (the Domino Notes directory) and not from the primary repository, the Sametime directory, which in this case is the LDAP directory.
9. Modify the UserInfoConfig.xml file located in the Domino program directory (\lotus\domino\UserInfoConfig.xml) using a text editor. The UserInfo application fetches and delivers user information for each incoming client request (an end-user's request to view a particular user's business card). When you are using an LDAP directory as primary storage and a Domino Notes directory as secondary storage, make these modifications:
a. Add an additional <Storage> tag of type NOTES within the <Resources> tag:

<Storage type="NOTES">
  <CommonField CommonFieldName="MailAddress"/>
  <Details>
    <Detail Id="Title" FieldName="JobTitle" Type="text/plain"/>
    <Detail Id="Telephone" FieldName="OfficePhoneNumber" Type="text/plain"/>
  </Details>
</Storage>

Note that the <Details> section defines the attributes that will be retrieved by Sametime from the corresponding storage repository. In this example, we are retrieving Title and Telephone information from Domino.
b. To ensure the Telephone and Title fields come from Domino, remove the following from the <Details> tag of the LDAP storage type:
<Detail Id="Title" FieldName="title" Type="text/plain"/>
<Detail Id="Telephone" FieldName="telephoneNumber" Type="text/plain"/>
c. Add the following to the <BlackBoxConfiguration> section. Make sure it is listed after the LDAP black box, as the order defines the search order:
<BlackBox type="NOTES" name="com.ibm.sametime.userinfo.userinfobb.UserInfoNotesBB" MaxInstances="4"/>
Note: Since the Sametime directory is the storage to be searched first by the UserInfo application, and the LDAP directory is the Sametime directory, the NOTES black box must be listed after the LDAP black box.

Once these changes are made, the UserInfoConfig.xml looks like this:

<UserInformation>
  <Resources>
    <Storage type="LDAP">
      <StorageDetails HostName="ldap.austin.ibm.com" Port="389" UserName="username" Password="password" SslEnabled="false" SslPort="636" BaseDN="o=ibm" Scope="2" SearchFilter="(&amp;(objectclass=organizationalPerson)(|(cn=%s)(givenname=%s)(sn=%s)(mail=%s)))"/>
      <!-- Add another StorageDetails tag to support another ldap server. The listing order implies the searching order -->
      <!-- Scope: 0=OBJECT_SCOPE 1=ONELEVEL_SCOPE 2=SUBTREE_SCOPE -->
      <SslProperties KeyStorePath="" KeyStorePassword=""/>
      <Details>
        <Detail Id="MailAddress" FieldName="email" Type="text/plain"/>
        <Detail Id="Name" FieldName="cn" Type="text/plain"/>
        <Detail Id="Location" FieldName="postalAddress" Type="text/plain"/>
        <Detail Id="Company" FieldName="ou" Type="text/plain"/>
        <Detail Id="Photo" FieldName="jpegPhoto" Type="image/jpeg"/>
      </Details>
    </Storage>
    <Storage type="NOTES">
      <CommonField CommonFieldName="MailAddress"/>
      <Details>
        <Detail Id="Title" FieldName="JobTitle" Type="text/plain"/>
        <Detail Id="Telephone" FieldName="OfficePhoneNumber" Type="text/plain"/>
      </Details>
    </Storage>
  </Resources>
  <ParamsSets>
    <Set SetId="0" params="MailAddress,Name,Title,Location,Telephone,Photo,Company"/>
    <Set SetId="1" params="MailAddress,Name,Title,Location,Telephone,Photo,Company"/>
  </ParamsSets>
  <BlackBoxConfiguration>
    <BlackBox type="LDAP" name="com.ibm.sametime.userinfo.userinfobb.UserInfoLdapBB" MaxInstances="5"/>
    <BlackBox type="NOTES" name="com.ibm.sametime.userinfo.userinfobb.UserInfoNotesBB" MaxInstances="4"/>
  </BlackBoxConfiguration>
</UserInformation>

10. UserInfo must have a common field shared among the various storage repositories to retrieve data for a single user from multiple sources. By default, the user's e-mail address is the common attribute, but any unique value may be used. If you prefer to use a different attribute, update the following field:
<CommonField CommonFieldName="MailAddress"/>
11. Restart your Sametime and Domino servers to effect the changes.

Results
You have successfully configured the business card to display information for a single user from dual storage repositories: an LDAP directory and the Domino directory. To test the configuration, see the Help document entitled "Testing Business Cards."

Using the dual repository with LDAP and custom


For retrieving Business Card information, you can set up a dual repository of an LDAP directory and a custom database.

Before you begin


This section describes how to configure the Business Card using two storage repositories: LDAP with a custom Notes repository. Here, we describe how you can set up LDAP as the primary storage, and a custom Notes database as the second storage. These directions assume the following: v Domino and Sametime have already been installed and configured to run properly
Chapter 21. Business Card

341

v v v v

Sametime authentication is configured to use a Domino directory The Sametime server is running Business card information can be retrieved from your Sametime directory A custom Notes application database based upon any template has been created and contains user records for each corresponding person document defined in the Sametime directory. (In our example, this custom database is named bcardstorage.nsf).

v To use a custom Notes database as a secondary repository, each user record in the custom database must have a common field whose unique value matches the value of the same field for the person in the Sametime directory. By default, the common field that is used is the internet e-mail address).

About this task


1. Open an Internet browser and enter http://hostname/stcenter.nsf into the URL field, and then click Administer the server. 2. Click the plus sign next to Configuration to expand the list. Choose Business card setup.

3. In the user information section on the left side, highlight the entry you want displayed in the users' business cards, and click the Add button to move the entry to the right side list box. To remove pre-selected entries, highlight them, and click Remove.

342

Lotus Sametime Entry: Installation and Administration Guide

4. 5. In the bottom section of the page where the table of Attribute names and values are defined, remove the attribute values for the attributes that will be retrieved from the secondary storage. In the bottom attributes section, if the information you want displayed in users' business cards is not mapped to the appropriate attributes used in your company, then you may need to update it. For example, the XYZ corporation stores users' e-mail addresses in the e-mail attribute on the LDAP directory. Since the e-mail attribute is not the default attribute used by many LDAP directories, the mapping for the e-mail address must be updated so the information for users' e-mail addresses can be displayed in the Business Card. In XYZ's case, the value for the E-mail address attribute is modified frommail to e-mail. Note: These attribute values are removed to ensure data is retrieved from the secondary data repository (LDAP) rather than the primary repository, which, in this case, is Domino.

5. In the same Attribute names and values section, clear the attribute values for the details that will be retrieved from the secondary storage. In this example, users' Telephone and Title information comes from the custom Notes application database, so delete the values for the Telephone and Title attributes, and then click Update to save the changes. The section now has no values for Telephone and Title.
Note: These values are cleared so that the details are retrieved from the secondary repository (the custom Notes database) rather than from the primary repository, which in this case is the LDAP directory.

Chapter 21. Business Card

343

6. Using a text editor, modify the UserInfoConfig.xml file in the Domino program directory (for example, \lotus\domino\UserInfoConfig.xml). The UserInfo application reads this file to fetch and deliver user information for each incoming client request (an end user's request to view a particular user's business card). When you are using an LDAP directory as primary storage and a custom Notes database as secondary storage, make these modifications:
   a. Add the following NOTES_CUSTOM_DB <Storage> tag inside the <Resources> tag:

      <Storage type="NOTES_CUSTOM_DB">
        <StorageDetails DbName="bcardstorage.nsf" View="$BCardView"/>
        <Details>
          <Detail Id="Title" FieldName="JobTitle" Type="text/plain"/>
          <Detail Id="Telephone" FieldName="OfficePhoneNumber" Type="text/plain"/>
        </Details>
      </Storage>

      Note: The <StorageDetails> tag specifies the following settings:
      • DbName = database_path: the file name of the custom Notes database (path relative to the Domino data directory)
      • View = view_name: the name of the Notes view that displays the documents containing the user records
      The <Details> section defines the attributes that Sametime retrieves from this storage repository. In this example, the Title and Telephone attributes are pulled from the custom Notes application database.
   b. Because Title and Telephone now come from the custom Notes application rather than from LDAP, remove the following lines from the <Details> tag of the LDAP storage:

      <Detail Id="Title" FieldName="title" Type="text/plain"/>
      <Detail Id="Telephone" FieldName="telephoneNumber" Type="text/plain"/>

   c. Add the following <BlackBox> tag to the <BlackBoxConfiguration> section. It must be listed after the LDAP black box, because the list order defines the search order:

      <BlackBox type="NOTES_CUSTOM_DB" name="com.ibm.sametime.userinfo.userinfobb.UserInfoNotesCustomBB" MaxInstances="4"/>

   d. The UserInfoConfig.xml file now looks like this:

      <UserInformation>
        <Resources>
          <Storage type="LDAP">
            <CommonField CommonFieldName="MailAddress"/>
            <StorageDetails HostName="ldap.austin.ibm.com" Port="389" UserName="username" Password="password" SslEnabled="false" SslPort="636" BaseDN="o=ibm" Scope="2" SearchFilter="(&amp;(objectclass=organizationalPerson)(|(cn=%s)(givenname=%s)(sn=%s)(mail=%s)))"/>
            <!-- Add another StorageDetails tag to support another ldap server. The listing order implies the searching order -->
            <!-- Scope: 0=OBJECT_SCOPE 1=ONELEVEL_SCOPE 2=SUBTREE_SCOPE -->
            <SslProperties KeyStorePath="" KeyStorePassword=""/>
            <Details>
              <Detail Id="MailAddress" FieldName="email" Type="text/plain"/>
              <Detail Id="Name" FieldName="cn" Type="text/plain"/>
              <Detail Id="Location" FieldName="postalAddress" Type="text/plain"/>
              <Detail Id="Company" FieldName="ou" Type="text/plain"/>
              <Detail Id="Photo" FieldName="jpegPhoto" Type="image/jpeg"/>
            </Details>
          </Storage>
          <Storage type="NOTES_CUSTOM_DB">
            <StorageDetails DbName="bcardstorage.nsf" View="$BCardView"/>
            <Details>
              <Detail Id="Title" FieldName="JobTitle" Type="text/plain"/>
              <Detail Id="Telephone" FieldName="OfficePhoneNumber" Type="text/plain"/>
            </Details>
          </Storage>
        </Resources>
        <ParamsSets>
          <Set SetId="0" params="MailAddress,Name,Title,Location,Telephone,Photo,Company"/>
          <Set SetId="1" params="MailAddress,Name,Title,Location,Telephone,Photo,Company"/>
        </ParamsSets>
        <BlackBoxConfiguration>
          <BlackBox type="LDAP" name="com.ibm.sametime.userinfo.userinfobb.UserInfoLdapBB" MaxInstances="5"/>
          <BlackBox type="NOTES_CUSTOM_DB" name="com.ibm.sametime.userinfo.userinfobb.UserInfoNotesCustomBB" MaxInstances="4"/>
        </BlackBoxConfiguration>
      </UserInformation>

      Note: In the SearchFilter attribute the ampersand is written as &amp;, as XML requires inside an attribute value; a bare & makes the file malformed. Note also that the file holds the LDAP bind user name and password in clear text, so restrict read access to the file to the Domino server account and to administrators, and use a bind account that has only the read rights the business card needs.
   e. To retrieve data for a single user from multiple sources, UserInfo needs a common field shared among the storage repositories. By default the user's e-mail address is the common attribute, but any unique value may be used. To use a different attribute, update the following tag:

      <CommonField CommonFieldName="MailAddress"/>

7. Restart the Sametime server and the Domino server for the changes to take effect.

What to do next
You have successfully configured the Business Card to display information for a single user from dual storage repositories: an LDAP directory and a custom Notes database. To test the configuration, see the help document entitled "Testing Business Cards."

Troubleshooting Business Cards


If the Business Card is not displaying user information as expected, you have a couple of options to try to identify the root cause of the failure.

Options
Before trying these options, check and validate the configuration as shown in Business Card configuration in the Sametime Information Center. In most cases, invalid configurations are the root cause of problems with the Business Card. If, after you have validated that the configuration is correct, the Business Card still does not appear to be working, you might want to try the options described below. In general, there are two points of failure for Business Cards (There could be more depending upon your configuration, but in terms of troubleshooting, we'll focus on two components involved with the Business Card feature.)

1. Connect client. One potential point of failure is the Sametime Connect client. To display business card information, the Connect client depends on the UserInfo servlet to provide the requested details. If you have confirmed that the UserInfo servlet is providing the right details (see the next item), enable client-side tracing to determine what is happening on the client:
   a. In a text editor, open the client's rcpinstall.properties file, located in the Sametime client's configuration directory: \Documents and Settings\user name\Application Data\Lotus\Sametime\.config\rcpinstall.properties
   b. Locate the line that starts with ".level=".
   c. Change the value to ALL, so that the line reads: .level=ALL
   d. The output for this additional tracing is logged to sametime.log.0, which is located in:
      • For 7.5/7.5 CF1 clients: C:\Documents and Settings\<user>\Application Data\Sametime\
      • For 7.5.1 or later clients: C:\Documents and Settings\<user>\IBM\RCP\Sametime\
2. UserInfo servlet. The second potential point of failure. As described above, the main purpose of the UserInfo servlet is to receive and respond to client requests, so the servlet must provide the requested details before the business card can display them. To determine whether the servlet is responding correctly, use the following technique:
   a. Determine the distinguished name (DN) of the user whose business card you want to view. Here are sample DNs for the various directory types:
      • Domino directory: cn=Sametime User/O=IBM
      • Active Directory: cn=Sametime User,cn=users,dc=austin,dc=ibm,dc=com
      • TDS directory: uid=Sametime user,ou=Austin,o=IBM
   b. Compose a URL that simulates the HTTP request the client makes to retrieve details for the business card:
      [protocol]://[hostname]/servlet/UserInfoServlet?operation=3&setid=1&userId=[User DN]
      where:
      • [protocol] is http or https
      • [hostname] is the fully qualified host name of the Sametime server
      • [User DN] is the full distinguished name of the user whose information you are seeking
      Examples, using the sample DNs above:
      • Domino directory: http://sametime.ibm.com/servlet/UserInfoServlet?operation=3&setid=1&userId=cn=Sametime User/O=IBM
      • Active Directory: http://sametime.ibm.com/servlet/UserInfoServlet?operation=3&setid=1&userId=cn=Sametime User,cn=users,dc=austin,dc=ibm,dc=com
      • TDS directory: http://sametime.ibm.com/servlet/UserInfoServlet?operation=3&setid=1&userId=uid=Sametime user,ou=Austin,o=IBM
      Note:
      • Do not use spaces in the URL for the UserInfo servlet operation. A browser translates a space into %20, and the servlet will not produce a result for the encoded form. For example, http://sametime.ibm.com/servlet/UserInfoServlet?operation=3&setid=1&userId=cn=Sametime User/O=IBM is sent as http://sametime.ibm.com/servlet/UserInfoServlet?operation=3&setid=1&userId=cn=Sametime%20User/O=IBM; the characters "%20" replace the space before the word "User". For this test, prefer a user whose DN contains no spaces.
      • The name "UserInfoServlet" is case sensitive.
      • Do not use apostrophes or quotation marks in the URL.
   c. Enter the URL you have composed into a Web browser's address field, and view the result. You should see the details you expect. If you do not, enable tracing for the UserInfo servlet as described in the next section.
      Note: If you receive an UNKNOWN error for the user ID, the user ID that you specified could not be located. This can happen for a variety of reasons, but the most common are:
      • an incorrect user distinguished name was specified
      • the directory in which the user is located is not reachable or searchable

Enabling traces on the UserInfo servlet
1. Copy [Domino program directory]\data\domino\html\sametime\stlinks\debug\DebugLevel.class.5 to the Domino program directory (for example, C:\Lotus\Domino\).
2. Rename DebugLevel.class.5 to DebugLevel.class.
3. Restart the entire Sametime server, including the Domino server.
The trace information is written to the file Userinfo_<date>_<hour>.txt in the [Domino program directory]\Trace directory. Because the trace records the user details the servlet serves, remove the DebugLevel.class file you copied and restart again once troubleshooting is complete, and delete or protect the trace files.
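The servlet probe in step 2 above, as an added example that is not part of this guide or of the product: it composes the UserInfoServlet URL from the parts the guide lists, refuses the DN characters the guide says break the request, shows what the browser does to a DN that contains a space, and classifies a response in the terms used above. The host names are placeholders, and the assumption that a body containing "UNKNOWN" means the user ID was not found follows the guide's wording.

```python
"""Compose and optionally run the UserInfoServlet probe described in the
troubleshooting steps above. This is an added example, not part of the
guide or the product. It assumes the URL shape documented above and that a
response mentioning "UNKNOWN" means the user ID was not found (the guide's
own wording); the host names used are placeholders."""
import urllib.error
import urllib.parse
import urllib.request

# Characters the guide says must not appear in the probe URL.
FORBIDDEN = {" ": "space", "'": "apostrophe", '"': "quotation mark"}


def check_dn(user_dn):
    """Return the problems the guide lists for a DN used in the probe URL."""
    return sorted({FORBIDDEN[c] for c in user_dn if c in FORBIDDEN})


def compose_probe_url(hostname, user_dn, protocol="http", setid=1):
    """Build the URL the Connect client sends (operation=3). The servlet
    name is case sensitive, so it is written out literally."""
    if protocol not in ("http", "https"):
        raise ValueError("protocol must be http or https")
    problems = check_dn(user_dn)
    if problems:
        raise ValueError("DN contains %s; the servlet returns no result for such a URL"
                         % ", ".join(problems))
    return "%s://%s/servlet/UserInfoServlet?operation=3&setid=%d&userId=%s" % (
        protocol, hostname, setid, user_dn)


def browser_encoding(user_dn):
    """Show what a browser does to a DN containing a space: the space becomes
    %20, which is the form the guide says the servlet does not resolve."""
    return urllib.parse.quote(user_dn, safe="=,/")


def classify_response(status, body):
    """Map a probe response to one of the outcomes the guide describes."""
    if status != 200:
        return "http-error"
    if "UNKNOWN" in body:
        return "user-not-found"   # wrong DN, or the directory is unreachable
    return "ok" if body.strip() else "empty"


def run_probe(hostname, user_dn, protocol="http", timeout=10):
    """Send the GET to a live server. Assumption: a direct connection with
    urllib is enough (no proxy, a certificate the client trusts)."""
    url = compose_probe_url(hostname, user_dn, protocol)
    try:
        with urllib.request.urlopen(url, timeout=timeout) as resp:
            body = resp.read().decode("utf-8", "replace")
            return classify_response(resp.status, body)
    except urllib.error.HTTPError as err:
        return classify_response(err.code, "")


if __name__ == "__main__":
    print(compose_probe_url("sametime.example.com", "uid=stuser,ou=Austin,o=IBM"))
    print(browser_encoding("cn=Sametime User/O=IBM"))
```

Whatever run_probe returns from an unauthenticated session is what anyone who can reach the server over HTTP can also read, so review the ParamsSets list in UserInfoConfig.xml with that in mind.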

Particulars
Listed below are some particulars that, if they are not correct, can cause problems with the Business Card:
• Photos must be less than 64 kilobytes (recommended: 10 KB).
• The Business Card photo must be a .jpg or .gif file.
• Using the jpegPhoto LDAP attribute to store photos requires the inetOrgPerson objectClass.
  Note: Active Directory 2000 in native or mixed mode does not provide the inetOrgPerson objectClass by default.
• When you are using more than one storage type to store user information, the secondary storage repository cannot be of the same type as the primary storage (the directory used by Sametime for authentication). For example, if Sametime is configured to use the Domino directory, then the secondary storage cannot be a Domino directory.

Domino LDAP special configuration data


To allow anonymous users to access the required user details, edit the <All Servers> document in names.nsf. On the LDAP tab, add every LDAP attribute that anonymous users must be able to retrieve to the "Anonymous Users Can Query" list. Add only the attributes the business card actually displays: anything on this list is readable by any anonymous LDAP client, not just by the UserInfo servlet.


In Domino LDAP, the Name and Address Book does not contain a postalAddress field. The value returned for this LDAP attribute is the concatenation of City, State/Province, and Country. The Name and Address Book does contain a hidden field for the LDAP attribute "ou", but this field cannot be set through the Name and Address Book; use a third-party LDAP management tool to add a value to the "ou" attribute.

About the User Information servlet application


The Business Card requires information about users to display when a user hovers over a contact in the business card feature of the Sametime client. This information is retrieved by the UserInfo application, which serves both as an HTTP servlet running on the Domino server and as a Sametime service. The servlet reads its configuration parameters from the UserInfoConfig.xml file on the Domino server and from a local database where your administrator updates are written.
The UserInfoConfig.xml file, generated during installation, contains an LDAP section if the server was configured to work with LDAP during installation, and a Notes section if it was configured to work with a Domino directory. The file contains the user information fields, and also data such as host, port, and the LDAP or NOTES "black box" that retrieves data from the directory that Sametime is configured to work with.
The UserInfo component contains two default black box implementations: one for Domino, which retrieves details and photos from the Domino directory, and one for LDAP, which retrieves details and photos from the LDAP directory. In the out-of-the-box configuration, the UserInfo servlet works with the one black box that is configured at installation. Sametime also supports retrieval of user information from multiple LDAP hosts, and UserInfo supports data retrieval from more than one data resource by activating several black box types.
It is important to note that the first black box specified in UserInfoConfig.xml should always be the one that retrieves data from the same directory that the Sametime server is configured to work with. The client uses the DN (distinguished name) that is received from this directory during queries to the service; therefore, the first black box searched must contain the distinguished name.
For complete information on using the various storage repositories available, select the topic entitled "Using repositories" in the left contents pane under Business Card.

UserInfoConfig Debug tracing


If additional information is needed to trace a problem, trace information can be collected. It is written to the file Userinfo_<date>_<hour>.txt in the Trace folder. To enable trace collection, a DebugLevel.class file compiled to level 3 or higher must be added to the folder that contains the UserInfo.jar file. Follow these steps:
1. Copy DebugLevel.class.5 from the stlinks\debug directory, and paste it into the Domino program directory.
2. Rename the file from DebugLevel.class.5 to DebugLevel.class.
3. Restart the Domino Sametime server. The output is written to the Trace directory.

Configuring the photo for Business Card


When the Sametime server is installed, your configuration choices provide the server with the information needed to generate a UserInfoConfig.xml file. This .xml file is placed in the Lotus/Domino or Program folder on the corresponding Windows or UNIX server.
User Information is a servlet application designed to retrieve users' attributes from one or more data storage sources. The servlet is run by the Domino servlet engine, and can be accessed through the HTTP protocol or through Sametime channels. The servlet stores its configuration settings in an XML file, UserInfoConfig.xml.
The UserInfo service can retrieve photos from the Sametime directory (LDAP or Domino) if the photos are already in the directory. The client presents these photos in the business card, in the chat window, or when the user hovers over a contact name. To make a photo available, the administrator fills in the person entries in the data repository with the required details and photos. A photo stored in the directory should be no larger than 64 kilobytes (KB).
The photo attribute can be changed, as can any attribute, by typing the name of the photo field into the corresponding text field on the main Business Card page. To reach this page:
• Select "Administer the server."
• Expand the plus sign next to Configuration in the contents pane.
• Select Business Card setup.

Photos in the LDAP directory


LDAP provides a standard attribute for photos, jpegPhoto. If an entry in the LDAP directory has the inetOrgPerson objectclass, its photo attribute is jpegPhoto. If the Sametime server is configured with LDAP, jpegPhoto is the default field name mapped to the Photo detail.

Supported file types for retrieval from LDAP directory


The supported file type for LDAP is JPEG. Storing and retrieving photos from Domino LDAP requires additional steps. For more information, see the topic "Configuring photos in Domino LDAP."

Configuring photos in Domino LDAP


In order to properly store photos in Domino LDAP and enable UserInfo to retrieve them, please follow the steps below. Note: A third-party LDAP management tool is required for adding a JPEG Photo field to Domino LDAP. Most LDAP V3-compliant tools will work.


1. Using the LDAP tool, connect to the Domino LDAP server and bind as a Domino administrator.
2. Once the connection succeeds, select a user and add an attribute.
   Note: Specify the attribute name as "jpegphoto;binary" and select binary as the type. Take note of the name used for the attribute: if you use just "jpegPhoto" or "Photo" as the name, you will not be able to store images in the field. The ";binary" suffix is required for Domino LDAP to understand the binary data.
3. Use the third-party LDAP tool to import the JPEG photo into the new field.
4. Open the LDAP server's Domino Directory (names.nsf) in a Notes client.
5. Expand the Server folder and select the Configurations view. Select the document for [All Servers], open it in edit mode, and select the LDAP tab.
6. Click the button labeled "Choose Fields that Anonymous Users Can Query via LDAP."
7. Click the New button in the center of the window that opens.
8. Type jpegphoto in the field and click OK to save the value; click OK again to close the window. The field "jpegphoto" now appears in the list of query fields.
9. Save and close the document, and then restart the LDAP server. (From the server console, type "tell ldap quit" and then "load ldap".)
10. Use ldapsearch to test the settings.
11. Using the Sametime Administration Tool, set the text field for Photo to jpegPhoto;binary, click Update, and restart the Sametime server.
Note: The ldapsearch tool is provided with most Domino and Notes installations and is located in the Domino or Notes program directory. An example for testing the Domino LDAP photo settings:
ldapsearch -h <hostname> -b <search base> "cn=<test user>"
or, more specifically:
ldapsearch -h domldap.ibm.com -b o=ibm "cn=Mytest User"
The results should contain an entry for "jpegphoto;binary::". Be sure to search for the user to whom you added the jpegphoto attribute. This information, and more, is in the Tech Note at http://www-1.ibm.com/support/docview.wss?rs=899&uid=swg21176248
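The photo limits given in this chapter (under 64 KB, 10 KB recommended, JPEG for LDAP, JPEG or GIF for the Domino directory) and the jpegphoto;binary attribute from the procedure above, as an added example that is not part of this guide or of the product: it checks a photo file by its magic bytes and size, then writes the LDIF change record that a standard LDIF-capable tool such as ldapmodify can load into the user's entry, with the binary value base64-encoded in the "::" form that matches the ldapsearch output shown above. The sample bytes and the DN are constructed placeholders.

```python
"""Validate a business-card photo against the limits stated in this chapter
and emit an LDIF change record that loads it into the jpegphoto;binary
attribute of a Domino LDAP entry. This is an added example, not part of the
guide or the product. It assumes your LDAP tool accepts LDIF input (the
standard ldapmodify does) and uses the standard "::" base64 form for the
binary value; the sample bytes and DN below are constructed placeholders."""
import base64

MAX_BYTES = 64 * 1024          # hard limit stated in the guide
RECOMMENDED_BYTES = 10 * 1024  # recommended size stated in the guide
ATTR = "jpegphoto;binary"      # attribute name the guide's ldapsearch shows


def detect_image_type(data):
    """Classify by magic bytes rather than by file extension, so a renamed
    PNG or bitmap is still rejected."""
    if data[:3] == b"\xff\xd8\xff" and data[-2:] == b"\xff\xd9":
        return "jpeg"
    if data[:6] in (b"GIF87a", b"GIF89a"):
        return "gif"
    return "unknown"


def validate_photo(data, for_ldap=True):
    """Return a list of problems; an empty list means the photo is usable.
    LDAP jpegPhoto takes JPEG only; the Domino directory field takes GIF too."""
    problems = []
    kind = detect_image_type(data)
    if kind not in (("jpeg",) if for_ldap else ("jpeg", "gif")):
        problems.append("unsupported image type: %s" % kind)
    if len(data) >= MAX_BYTES:
        problems.append("photo is %d bytes; must be under %d" % (len(data), MAX_BYTES))
    elif len(data) > RECOMMENDED_BYTES:
        problems.append("warning: photo is larger than the recommended %d bytes" % RECOMMENDED_BYTES)
    return problems


def ldif_add_photo(dn, data, width=76):
    """Build an LDIF modify record that adds the photo to `dn`. Long base64
    values are folded onto continuation lines that begin with one space."""
    errors = [p for p in validate_photo(data) if not p.startswith("warning")]
    if errors:
        raise ValueError("; ".join(errors))
    b64 = base64.b64encode(data).decode("ascii")
    head = ATTR + ":: "
    lines = [head + b64[:width - len(head)]]
    rest = b64[width - len(head):]
    lines += [" " + rest[i:i + width - 1] for i in range(0, len(rest), width - 1)]
    return "\n".join(["dn: " + dn, "changetype: modify", "add: " + ATTR] + lines + ["-", ""])


def decode_ldif_photo(record):
    """Reassemble the folded value from a record produced above, to verify
    what the directory tool will actually store."""
    lines = record.split("\n")
    start = next(i for i, l in enumerate(lines) if l.startswith(ATTR + ":: "))
    b64 = lines[start][len(ATTR) + 3:]
    for l in lines[start + 1:]:
        if not l.startswith(" "):
            break
        b64 += l[1:]
    return base64.b64decode(b64)


if __name__ == "__main__":
    # Constructed sample: a minimal JPEG-shaped byte string, not a real photo.
    sample = b"\xff\xd8\xff\xe0" + b"\x00" * 100 + b"\xff\xd9"
    print(ldif_add_photo("cn=Mytest User,o=ibm", sample))
```

Feed the printed record to your LDAP tool while bound as a Domino administrator, then repeat the ldapsearch from step 10 to confirm the jpegphoto;binary value is returned.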

Photos in the Domino directory


The Domino directory does not have a standard field for a photo, but photos can be retrieved from the Domino Name and Address Book (NAB) as follows:
1. Add a rich text field or rich-text lite field to the Person form of the Name and Address Book in Domino:
   a. Open names.nsf in Domino Designer.
   b. Open the Person form.
   c. Click the section where you want to add the field. A subform opens.
   d. In the subform, click where you want to add the field.
   e. Select Create > Field from the menu, and edit the field's properties.
   f. Give the field a name and select Rich Text as the type.
   g. Save the form.
2. To store photo information in the newly added rich text field, choose either:
   • Import: click in the rich text field and choose Create > Picture. This adds the file contents to the field.
   • Attach: save the image file in the rich text field as an attachment.
3. Using the Sametime Administration Tool, go to the Business Card attribute page.
4. In the text box for the Photo attribute, type the name of the rich text field that you added to the Name and Address Book, matching the case, and then click Update.
5. Restart the Sametime server.

Photo types used by Domino are .jpeg and .gif.

Additional configurations for black boxes


Although Sametime ships with two black boxes, the special implementations for LDAP and for Domino, additional black boxes can be configured to retrieve data from more than one resource. For example, a Sametime installation that is configured to work with Domino but that also retrieves data from Domino LDAP would list NOTES as the first black box and LDAP as the second. Each of these special configurations requires manual settings in the UserInfoConfig.xml file.
This version of Sametime includes an additional black box that enables data retrieval from a separate Notes database (other than the Domino directory). This black box should be applied as part of a special configuration that retrieves data from the Sametime directory and from an additional Notes database that contains users' business card details. See the topic "Retrieving data from a customized database" for more information on how to configure data retrieval from the additional Notes database.
A newly written black box, or special implementation, can be used to retrieve data from any selected data resource. The black box must be implemented and configured according to the Application Programming Interface (API) and the instructions published with the Sametime Software Development Kit (SDK). For additional help with these special configurations, contact Support.

Retrieving data from a customized database


For the user data included in the Business Card, Administrators can retrieve details about the user from separate Notes databases that are dedicated to storing user details and that function independently of the Domino directory that is used for Sametime.

About this task


Retrieving user data from customized Notes databases allows you to:
• Retrieve some details from the Sametime Domino directory and the rest from a customized Notes database (Domino)
• Retrieve some details from the LDAP directory that Sametime is configured to work with and the rest from an additional Notes database
An additional black box, which functions as a customized special implementation, is provided to enable data retrieval from the customized Notes database. This 'customized' black box should always be preceded by a call to the black box that handles the Sametime directory. A CommonField tag is used for synchronization between the black boxes: if the common field is defined as MailAddress, the value retrieved for MailAddress from the first storage (LDAP or Domino) is used as the ID to query for in the customized database. The application first queries the database using the userID received as a parameter; if no record is found, it queries the database again, using the value retrieved for the CommonFieldName as the userID.
To use the customized database feature, perform the following manual steps:
1. Open UserInfoConfig.xml and update the CommonField tag in the first 'storage' section to hold the Id property of a Detail tag that represents the same detail in the different storage types. This Detail tag is assigned a different field name in each storage section, but the value in each of these fields must be identical for a given user. The default value for the CommonField tag is "MailAddress": the attributes holding a user's e-mail address must have the same value in both storages.
2. Using the Sametime Administration Tool, update the Business Card attribute page with the values to be retrieved from the Sametime directory, leaving the field name blank for the items that come from the customized database.
3. Remove the Detail tags of the fields you left blank on the setup page from the first 'storage' section of the UserInfoConfig.xml file.
4. Add an additional 'storage' section to UserInfoConfig.xml as the second storage. This storage section is specific to this feature; it differs from the standard Notes storage section in the additional parameters shown here:

   <Storage type="NOTES_CUSTOM_DB">
     <StorageDetails DbName="" View="$users"/>
     <Details>
       <Detail Id="Location" FieldName="Location" Type="text/plain"/>
       <Detail Id="Title" FieldName="JobTitle" Type="text/plain"/>
       <Detail Id="MailAddress" FieldName="InternetAddress" Type="text/plain"/>
       <Detail Id="Telephone" FieldName="OfficePhoneNumber" Type="text/plain"/>
       <Detail Id="Company" FieldName="CompanyName" Type="text/plain"/>
       <Detail Id="Name" FieldName="FirstName,MiddleInitial,LastName" Type="text/plain"/>
     </Details>
   </Storage>

5. In the newly added 'storage' section, delete the Detail tags of the items that you do not want to retrieve from this database, and update:
   a. The DbName property, the path of the database (the example earlier in this chapter uses a path relative to the Domino data directory)
   b. The view name (if needed)
   c. The mapping of each Detail tag, so that each item is mapped to the correct field name in the new database
6. Add a BlackBox tag to the BlackBoxConfiguration section of UserInfoConfig.xml as the second record:

   <BlackBox type="NOTES_CUSTOM_DB" name="com.ibm.sametime.userinfo.userinfobb.UserInfoNotesCustomBB" MaxInstances="4"/>

7. Restart the StConfiguration task and the HTTP task.
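The edits to UserInfoConfig.xml described in the steps above and in the dual-repository procedure earlier in this chapter are easy to get subtly wrong, and the servlet only tells you at the next restart. The following checker is an added example, not part of this guide or of the product: it parses the file and reports violations of the rules this chapter states (the first black box must serve the Sametime directory, black box order mirrors storage order, a Detail Id may be served by only one storage, the secondary storage may not repeat the primary's type, the CommonField must be a Detail of the first storage, and every ParamsSets entry must be served by some storage), and it warns when the LDAP bind password is stored in clear text or sent over an unencrypted bind. SAMPLE is constructed from the chapter's example; its host name and credentials are placeholders.

```python
"""Sanity-check a UserInfoConfig.xml before restarting the server. This is
an added example, not part of the guide or the product. It encodes the
rules stated in this chapter (black-box order, one Detail Id per storage,
distinct storage types, the CommonField contract) and adds two security
checks on the LDAP bind settings. SAMPLE is constructed from the chapter's
example; the host name and credentials in it are placeholders."""
import xml.etree.ElementTree as ET


def lint_userinfo_config(xml_text):
    """Return a list of (severity, message) tuples; empty means clean."""
    findings = []
    root = ET.fromstring(xml_text)
    storages = root.findall("./Resources/Storage")
    if not storages:
        return [("error", "no <Storage> section found")]
    stypes = [s.get("type") for s in storages]
    btypes = [b.get("type") for b in root.findall("./BlackBoxConfiguration/BlackBox")]

    # The first black box must serve the directory Sametime authenticates
    # against: the client queries with the DN it got from that directory.
    if btypes and btypes[0] != stypes[0]:
        findings.append(("error", "first BlackBox type %r must match first Storage type %r"
                         % (btypes[0], stypes[0])))
    if btypes != stypes:
        findings.append(("error", "BlackBox order %s does not mirror Storage order %s"
                         % (btypes, stypes)))
    # A secondary repository may not be of the same type as the primary.
    if len(set(stypes)) != len(stypes):
        findings.append(("error", "a storage type is repeated: %s" % stypes))

    # Each Detail Id may be served by one storage only: the details moved to
    # the custom database must be removed from the primary storage.
    provider = {}
    for s in storages:
        for d in s.findall("./Details/Detail"):
            did = d.get("Id")
            if did in provider:
                findings.append(("error", "Detail %r defined in both %s and %s"
                                 % (did, provider[did], s.get("type"))))
            provider.setdefault(did, s.get("type"))

    # CommonField must be a Detail of the first storage, because its value
    # is what the second lookup in the custom database is keyed on.
    if len(storages) > 1:
        cf = storages[0].find("./CommonField")
        first_ids = {d.get("Id") for d in storages[0].findall("./Details/Detail")}
        if cf is None:
            findings.append(("error", "CommonField missing; secondary lookups cannot be correlated"))
        elif cf.get("CommonFieldName") not in first_ids:
            findings.append(("error", "CommonField %r is not a Detail of the first storage"
                             % cf.get("CommonFieldName")))

    # Everything a ParamsSet asks for must be provided by some storage.
    for st in root.findall("./ParamsSets/Set"):
        for p in filter(None, st.get("params", "").split(",")):
            if p not in provider:
                findings.append(("warning", "Set %s requests %r but no storage provides it"
                                 % (st.get("SetId"), p)))

    # Security: the bind credential sits in clear text in this file, and an
    # unencrypted bind sends it across the network in the clear as well.
    for s in storages:
        sd = s.find("./StorageDetails")
        if s.get("type") == "LDAP" and sd is not None and sd.get("Password"):
            findings.append(("warning", "LDAP bind password stored in clear text; "
                             "restrict read access to UserInfoConfig.xml"))
            if sd.get("SslEnabled", "false").lower() != "true":
                findings.append(("warning", "LDAP bind uses a password with SslEnabled=false; "
                                 "the credential crosses the network unencrypted"))
    return findings


# Constructed from the chapter's example; host name and credentials are placeholders.
SAMPLE = """<UserInformation>
  <Resources>
    <Storage type="LDAP">
      <CommonField CommonFieldName="MailAddress"/>
      <StorageDetails HostName="ldap.example.com" Port="389" UserName="username" Password="password"
        SslEnabled="false" SslPort="636" BaseDN="o=ibm" Scope="2"
        SearchFilter="(&amp;(objectclass=organizationalPerson)(|(cn=%s)(givenname=%s)(sn=%s)(mail=%s)))"/>
      <Details>
        <Detail Id="MailAddress" FieldName="email" Type="text/plain"/>
        <Detail Id="Name" FieldName="cn" Type="text/plain"/>
        <Detail Id="Location" FieldName="postalAddress" Type="text/plain"/>
        <Detail Id="Company" FieldName="ou" Type="text/plain"/>
        <Detail Id="Photo" FieldName="jpegPhoto" Type="image/jpeg"/>
      </Details>
    </Storage>
    <Storage type="NOTES_CUSTOM_DB">
      <StorageDetails DbName="bcardstorage.nsf" View="$BCardView"/>
      <Details>
        <Detail Id="Title" FieldName="JobTitle" Type="text/plain"/>
        <Detail Id="Telephone" FieldName="OfficePhoneNumber" Type="text/plain"/>
      </Details>
    </Storage>
  </Resources>
  <ParamsSets>
    <Set SetId="1" params="MailAddress,Name,Title,Location,Telephone,Photo,Company"/>
  </ParamsSets>
  <BlackBoxConfiguration>
    <BlackBox type="LDAP" name="com.ibm.sametime.userinfo.userinfobb.UserInfoLdapBB" MaxInstances="5"/>
    <BlackBox type="NOTES_CUSTOM_DB" name="com.ibm.sametime.userinfo.userinfobb.UserInfoNotesCustomBB" MaxInstances="4"/>
  </BlackBoxConfiguration>
</UserInformation>"""

if __name__ == "__main__":
    for severity, message in lint_userinfo_config(SAMPLE):
        print("%s: %s" % (severity, message))
```

Run it against the real file (open(path).read()) before step 7; on the chapter's own example it reports no errors and only the two credential warnings.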


What to do next
Note: For complete information on how to use these "black boxes" and on how to use all the storage repositories for LDAP, Sametime, and Domino, see the section in Business Card entitled "Using repositories." This section provides detailed information on how to store and retrieve user data contained in both single and dual repositories.


Chapter 22. Monitoring the Sametime server


The IBM Lotus Sametime monitoring charts allow you to monitor Sametime server statistics by providing up-to-the-second information about Community Services, Meeting Services, Recorded Meeting Broadcast Services, Audio/Video Services, Web statistics, and free disk space on the server.
Note: Meetings and audio/video are not available in Lotus Sametime Entry or Lotus Sametime Limited Use, and meetings are not available in versions of Lotus Sametime that do not support Web conferences.
All monitoring charts are available from the Monitoring menu in the Sametime Administration Tool. The charts available from the Miscellaneous link in the Monitoring menu are part of the Domino Web Administration Tool; they provide information on Web statistics, server memory, and disk space.
Note: To view the status of the Sametime services since the last server restart, click the Overview link in the Sametime Administration Tool. See the Server Overview topic for more information. Also note that the time of day listed in the monitoring charts is calculated according to the browser's time zone, not the server's time zone.
The table below describes the monitoring charts.
Monitoring Tool          Description
General Server Status    Allows you to see the status of the Sametime server at a glance. Use this chart to keep track of the types of meetings on the server, the types of connections to the server, and Community Services activity on the server at a particular moment.
Logins                   Displays the number of Community Services logins. You can view:
                         • Total logins, including multiple logins from the same user
                         • Unique logins, where each user is counted only once
Miscellaneous            Reports current information about HTTP requests, HTTP commands, and free disk space. This monitor is part of the Domino Web Administration Tool. You must have access to the Domino Web Administration Tool before using the Miscellaneous monitoring chart.

Copyright IBM Corp. 2007, 2009

355

Accessing the Monitoring charts


About this task
To access the monitoring charts:
1. Open the Sametime Administration Tool.
2. Select Monitoring.
3. Select the appropriate chart for monitoring:
   • General Server Status
   • Logins
   • Miscellaneous

Results

General server status


The tables in the General Server Status monitoring chart allow you to see the status of the Sametime server at a glance. Use this chart to keep track of the types of meetings on the server, the types of connections to the server, and the Community Services logins to the server at a particular moment. Note: Meeting connections do not apply to Lotus Sametime Limited Use, Lotus Sametime Entry or versions of Sametime that do not support Web conferencing.

Total Community Logins


Community Services clients include the Sametime Connect client and the Participant List component of the Sametime Meeting Room. A user can be logged in to the Community Services from more than one client. The Total Community Logins chart displays current information about:
• Total Community Logins - The total number of logins to Community Services on the Sametime server that you are monitoring. This count includes multiple logins from the same user. For example, if a user is logged in from both the Sametime Connect client and the Participant List component of the Meeting Room, this chart records two logins for that user.
• Total Unique Logins - If a user is simultaneously logged in from multiple Community Services clients, the Total Unique Logins chart records only one login for that user. A user logged in from multiple clients is considered a single "unique" login. Use this chart to determine the current number of Community Services users.
• Total 2-way Chats - The total number of two-person chats taking place on the Sametime server. This chart includes only chats that were started from the Sametime server you are monitoring. For example, if you are monitoring Sametime server A and a user who has specified Sametime server A as her home server starts a chat with another user, that chat is counted in the "Total 2-way Chats" chart. You will not see chats started by users who have specified a server other than Sametime server A as their home server.
• Total n-way Chats - The total number of multi-person chats taking place on the Sametime server. This chart includes only chats that were started from the Sametime server you are monitoring. For example, if you are monitoring Sametime server A and a user who has specified Sametime server A as her home server starts a chat with two other users, that chat is counted in the "Total n-way Chats" chart. You will not see chats started by users who have specified a server other than Sametime server A as their home server.
• Total Number of Active Places - The combined number of n-way chats and active meetings. Both n-way chats and online meetings are counted as "Active Places"; 2-way chats are not counted in this chart.
Note: Use the Total Community Logins portion of the General Server Status monitoring chart to determine current login information. For detailed information about logins over a longer period of time (such as several minutes), choose Monitoring - Logins.

Logins
Sametime Community Services clients include the Sametime Connect client and the Participant List component of the Sametime Meeting Room. A user can be logged in to the Community Services from more than one client. The Logins chart displays:
• Community Server Total Logins - The total number of logins to Community Services, including multiple logins from the same user. For example, if a user is logged in from both the Sametime Connect client and the Participant List component of the Meeting Room, this chart records two logins for that user. Internal components of the Community Services also log in to the Community Services; these are intraserver connections between Community Services components that occur as part of normal operation, and they are counted in this chart as well.
• Community Server Total Unique Logins - If a user is simultaneously logged in from multiple Community Services clients, this chart records only one login for that user. A user logged in from multiple clients is considered a single "unique" login. Use this chart to determine the current number of Community Services users.
Note: Use the Logins chart for detailed information about logins over a longer period of time (such as several minutes). For up-to-the-second login information, choose Monitoring - General Server Status and view the Total Community Logins chart.
The Logins chart updates at the interval specified in the Polling Interval field (in seconds). Enter a new interval to change the rate at which the chart updates. To update the chart immediately, click Refresh.
To access the Logins chart, open the Sametime Administration Tool and select Monitoring - Logins.

Miscellaneous
The Miscellaneous charts are part of the Lotus Domino Web Administration pages. To access the Domino Web Administration pages, choose Monitoring - Miscellaneous in the Sametime Administration Tool, and then click the link that appears at the bottom: "You can view the Lotus Domino Web Administration pages in a new browser window." The Domino Web Administration pages launch in a new browser window.

Chapter 23. Using the Sametime logging features


The IBM Lotus Sametime server logs information to the Sametime log. The log settings, available when you select Logging - Settings in the Sametime Administration Tool, determine both the format of the Sametime log (a database or a text file) and the information that is recorded in it. How you view the log depends on the format you choose. Dates and times listed in the log reflect the time zone of the Sametime server, not the client's time zone.

Viewing the Log as a text file


If you record information in a text file, open the file in your preferred text editor to view the log information. You cannot view the text file log from the Sametime Administration Tool. You can specify a location for the text file in the Database or text file settings.

Note: If you record information in a text file, the text file does not include information about the Domino log. You must log information to a database and then choose Logging - Domino Log in the Sametime Administration Tool to view the Domino log.

Viewing the log as a database


If you log Sametime information to the Sametime log database (stlog.nsf), you can view information in the Sametime log from the Sametime Administration Tool. To view the Sametime log, open the Sametime Administration Tool and select Logging, and then select a choice in the Logging menu. Tip: When viewing information in the log, you can click an item to see additional information about it. For example, click a meeting name in the Meeting Events section of the log to view details about the meeting, such as the collaborative activities (tools) used in the meeting. The following table lists and describes the available options in the Logging menu of the Sametime Administration Tool.
- Community Logins/Logouts: Login and logout information for each user who logs in to Community Services. Also includes information about failed login attempts.
- Community Statistics: The total and peak number of users, logins, chats, and places accessing the Community Services. The number of users differs from the number of logins if some users are logged in to Community Services from more than one location or application.
- Community Events: Information about the status of Community Services applications.
- Place Login Failures: Failed user attempts to:
  - Authenticate with Community Services when entering an online place or meeting
  - Enter a password when accessing a password-protected place or meeting
- Server Connections: Connections and disconnections between Sametime servers.
- Domino Log: Additional information about the Sametime server, including available disk space and server memory. The Domino log is separate from the Sametime log; the administrator cannot use the Sametime log settings or the Sametime Administration Tool to determine what is recorded in the Domino log.
- Settings: Options to determine the format and content of the Sametime log.

Note: If you select a link and do not see any information recorded in the log, check the log settings in the Sametime Administration Tool. These settings control the information that is recorded in the Sametime log.

Server community logins/logouts


The server community Logins/Logouts section of the Sametime log displays successful user logins to Community Services and failed user attempts to log in to Community Services. If a single user is logged in to Community Services from more than one client, each login for that user is recorded in the log. A user can be logged in to Community Services from Sametime Connect and from the Participant List component of the Sametime Meeting Room. You can view login and logout information in the following ways:
- Login/Logout by Time: Login and logout times for each user who logged in to Community Services, sorted by time. This option only appears if the Successful logins option in the Community Server Events to Log settings is selected.
- Login/Logout by User: Login and logout times for each user who logged in to Community Services, sorted by user name. This option only appears if the Successful logins option in the Community Server Events to Log settings is selected.
- Failed Logins by Time: Failed attempts to log in to Community Services, sorted by time. This option only appears if the "Failed logins" option in the Community Server Events to Log settings is selected.

Community Login/Logout information


Each of the options listed above contains some or all of the following information about user attempts to log in to a Sametime community:
- User ID - A Lotus Notes User ID (canonical name, such as cn=John Smith, ou=West, o=Acme), a User Name as specified in the Person document of the Sametime directory, or a Distinguished Name from an LDAP directory. Anonymous users are identified by numbers.
- Time - The date and time that a user logged in or logged out.
- Event Type - The type of event being logged: Community Login, Community Logout, or Failed Login.
- IP Address - The IP address of the user's computer.
- Application Type - The type of application from which a user logged in:
  - Connect: Sametime Connect for the desktop. Indicates a user is authenticated.
  - Connect for browser: Sametime Connect for browsers. Indicates a user is authenticated.
  - Web: The Sametime Meeting Room, the Sametime Meeting Center, the Sametime Administration Tool, or an application created with the Sametime Java Software Development Kit.
  - Sametime links: An application created with the Sametime Links Software Development Kit.
  - DB: An application created with the C++ Software Development Kit.
  - Unknown type: Appears when the Application Type cannot be determined.
- Client Version - The user's client version. If "Pre V3.1" or "Post 3.1" appears in this field, then the precise version of the client could not be detected.
- Connectivity - The connectivity method used by the client:
  - Direct
  - HTTP polling
  - HTTP tunneling
- Failure Reason - The reason a login failed.
- Reason - The reason a login failed. Also indicates if a user was able to log out normally.

The administrator can use the "Successful logins" and "Failed logins" options in the Community Server Events to Log settings to record information in the Community Logins/Logouts section of the log. To access the Community Logins/Logouts section of the Sametime log, select Logging - Community Logins/Logouts in the Sametime Administration Tool.
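The login records described above are the raw material for two routine checks: the total-versus-unique login count that the Logins chart distinguishes, and a watch for bursts of Failed Login events from one source address. The following Python is an added example, not part of the guide or of the Sametime product; it works on constructed rows that use the field names of the Community Logins/Logouts view, and the timestamp layout, user names, addresses and the 5-failures-in-10-minutes threshold are assumptions.

```python
"""Summarise Community Logins/Logouts records and flag failed-login bursts."""
from collections import defaultdict
from datetime import datetime, timedelta

# Assumed timestamp layout for the constructed rows below.
TIME_FORMAT = "%Y-%m-%d %H:%M:%S"

# Column order follows the fields listed for the Community Logins/Logouts view.
FIELDS = ("user_id", "time", "event_type", "ip_address",
          "application_type", "client_version", "connectivity", "reason")

# Constructed sample rows (names, addresses and times are invented). The real
# records live in the stlog.nsf views; this list is only a stand-in for them.
SAMPLE_ROWS = [
    ("cn=John Smith, ou=West, o=Acme", "2009-03-23 08:00:05", "Community Login",
     "10.1.1.20", "Connect", "8.0.2", "Direct", ""),
    # Same user again from the Meeting Room: the chart counts two logins
    ("cn=John Smith, ou=West, o=Acme", "2009-03-23 08:00:40", "Community Login",
     "10.1.1.20", "Web", "8.0.2", "HTTP tunneling", ""),
    ("cn=Jane Doe, ou=East, o=Acme", "2009-03-23 08:01:10", "Community Login",
     "10.1.1.21", "Connect", "8.0.2", "Direct", ""),
    # A single typo from the user's own workstation
    ("cn=Jane Doe, ou=East, o=Acme", "2009-03-23 08:02:00", "Failed Login",
     "10.1.1.21", "Connect", "8.0.2", "Direct", "Wrong password"),
    # Five failures from one address against three accounts in three minutes
    ("cn=Jane Doe, ou=East, o=Acme", "2009-03-23 08:05:00", "Failed Login",
     "10.9.9.9", "Connect for browser", "8.0.2", "HTTP polling", "Wrong password"),
    ("cn=John Smith, ou=West, o=Acme", "2009-03-23 08:05:30", "Failed Login",
     "10.9.9.9", "Connect for browser", "8.0.2", "HTTP polling", "Wrong password"),
    ("cn=Admin, o=Acme", "2009-03-23 08:06:00", "Failed Login",
     "10.9.9.9", "Connect for browser", "8.0.2", "HTTP polling", "Wrong password"),
    ("cn=John Smith, ou=West, o=Acme", "2009-03-23 08:07:15", "Failed Login",
     "10.9.9.9", "Connect for browser", "8.0.2", "HTTP polling", "Wrong password"),
    ("cn=Jane Doe, ou=East, o=Acme", "2009-03-23 08:08:00", "Failed Login",
     "10.9.9.9", "Connect for browser", "8.0.2", "HTTP polling", "Wrong password"),
    ("cn=John Smith, ou=West, o=Acme", "2009-03-23 09:30:00", "Community Logout",
     "10.1.1.20", "Connect", "8.0.2", "Direct", "Normal logout"),
]


def parse_rows(rows):
    """Turn raw tuples into dicts keyed by FIELDS, with parsed timestamps."""
    events = []
    for row in rows:
        event = dict(zip(FIELDS, row))
        event["time"] = datetime.strptime(event["time"], TIME_FORMAT)
        events.append(event)
    return events


def login_counts(events):
    """Return (total logins, unique users): a user on two clients counts twice
    in the first figure and once in the second, as on the Logins chart."""
    logins = [e for e in events if e["event_type"] == "Community Login"]
    return len(logins), len({e["user_id"] for e in logins})


def failed_login_bursts(events, window=timedelta(minutes=10), threshold=5):
    """Group Failed Login events by source IP and report every source whose
    failures inside any sliding `window` reach `threshold`.

    Result: {ip: {"count": max failures in one window, "users": targeted IDs}}.
    """
    by_ip = defaultdict(list)
    for e in events:
        if e["event_type"] == "Failed Login":
            by_ip[e["ip_address"]].append(e)
    bursts = {}
    for ip, fails in by_ip.items():
        fails.sort(key=lambda e: e["time"])
        start, best = 0, 0
        for end in range(len(fails)):
            # Advance the window start until the span fits inside `window`
            while fails[end]["time"] - fails[start]["time"] > window:
                start += 1
            best = max(best, end - start + 1)
        if best >= threshold:
            bursts[ip] = {"count": best,
                          "users": sorted({e["user_id"] for e in fails})}
    return bursts


if __name__ == "__main__":
    parsed = parse_rows(SAMPLE_ROWS)
    total, unique = login_counts(parsed)
    print(f"total logins: {total}, unique users: {unique}")
    for ip, info in failed_login_bursts(parsed).items():
        print(f"{ip}: {info['count']} failed logins against {len(info['users'])} users")
```

The one failure from the user's own address stays below the threshold, while the five from a single address against three accounts are reported together with the targeted user IDs.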


Server community statistics


The Server community statistics section of the Sametime log displays information about the peak and total number of Community Services users and logins, as well as the peak and total number of chats and places created on the server. If a user is logged in to Community Services from more than one client, each login for that user is recorded in the Total Logins category. A user can log in to Community Services from Sametime Connect and from the Participant List component of the Sametime Meeting Room. You can view Community Statistics in the following ways:
- Users and Logins by Day
- Users and Logins by Week
- Users and Logins by Month
- Users and Logins by Year
- Chats and Places by Day
- Chats and Places by Week
- Chats and Places by Month
- Chats and Places by Year

Community Statistics information


Each of the options listed above contains some or all of the following information:
- Date/Week Beginning/Month Beginning/Year Beginning - The heading depends upon the Community Statistics view chosen from the drop-down menu. The date that users accessed Community Services.
- Peak Users - The number of users accessing Community Services when server usage is at its highest.
- Peak User Time - The time when the peak number of users occurs.
- Total Users - The number of new users that accessed Community Services during the selected date range. Users who accessed Community Services prior to the selected date range are not included in this number.
- Peak Logins - The number of logins to Community Services when server usage is at its highest.
- Peak Login Time - The time when the peak number of logins occurs.
- Total Logins - The number of new Community Services logins during the selected date range. Users who logged in prior to the selected date range are not included in this number.
- Peak 2-Way Chats - The maximum number of 2-way chats that existed during the selected date range, regardless of when the chats were started.
- Peak 2-Way Chat Time - The time when the peak number of 2-way chats occurs.
- Total 2-Way Chats - The number of new 2-way chats created during the selected date range. Chats that were started prior to the selected date range are not included in this number.
- Peak n-Way Chats - The maximum number of n-way chats that existed during the selected date range, regardless of when the chats were started.
- Peak n-Way Chat Time - The time when the peak number of n-way chats occurs.
- Total n-Way Chats - The number of new n-way chats created during the selected date range. Chats that were started prior to the selected date range are not included in this number.
- Peak Places - The maximum number of places that existed during the selected date range, regardless of when the places were created.
- Peak Place Time - The time when the peak number of places occurs.
- Total Places - The number of new places that were created during the selected date range. Places that were created prior to the selected date range are not included in this number.

The administrator can use the Sametime Statistics settings to record information in the Community Statistics section of the Sametime log. To view information about Community Services statistics, select Logging - Community Statistics in the Sametime Administration Tool.

Community Events
The administrator can use the Community Events section of the Sametime log to view information about Community Services on the Sametime server. For example, you can view the name and status (started or stopped) of the service. You can view community events in the following ways:
- Community Server Events by Date - Community Services events listed by date
- Community Server Events by Name - Community Services events listed by event name

Community Events information


Each of the options above contains some or all of the following information:
- Date - The date the service was started or stopped
- Time - The time the service was started or stopped
- Application Name - The name of the Community Service
- Description - The status of the service (Started or Stopped)
- Reason - The reason that the Community Service was stopped

The administrator can use the Community server events and activities option in the Community Server Events to Log settings to record Community server events in the Community Events section of the log. To access information about Community events, select Logging - Community Events in the Sametime Administration Tool.

Domino log
An administrator can view additional information about the Sametime server in the Domino log database (log.nsf). The Domino log database records server activity information related to the Domino server and Domino databases, including databases used by the Sametime server (such as the Sametime Meeting Center). During setup, the Domino log database is automatically created and the server is assigned Manager access in the database's Access Control List (ACL). The default access for all other users is Reader.
The Domino log database records information about all server activities, such as database size and usage, server events, calls made to and from the server, and billing for server services. Check the Domino log to monitor:
- Available server disk space
- Available server memory
- Server load
- Server performance
- Databases that need maintenance

Note: The Domino log is only available from the Sametime Administration Tool. If you record Sametime log information in a text file, the text file does not include information about the Domino log.

Content of the Domino log


The administrator cannot use the Sametime log settings or the Sametime Administration Tool options to determine what appears in the Domino log. The Domino log records information about the activities of the Domino server on which Sametime is installed. Generally, the default settings should provide an adequate record of server activity. However, you can record additional information in this log file by altering settings in the Notes.ini file. Recording this additional information might be necessary to troubleshoot a specific system problem. For more information, see the Maintenance section of the Domino R5 Administration documentation.

Views in the Domino log


The Domino log includes many views that do not apply to Sametime. Use the table below to determine which views are relevant for Sametime.
- Database-Sizes: Lists the size of the database, the percentage of the database's disk space in use, and the weekly usage for all databases on the server. Use this view to check unused views, database size, and unused space in a database. Note: The stconf.nsf database grows in size depending on the number of meetings that have been created. You can archive this database frequently to prevent it from growing too large.
- Database-Usage: Lists the date and time the database was accessed, the type of access, and the name of the user accessing the database for all databases on the server. Use this view to check unused views and unused space in a database.
- Mail Routing Events: Not used by the Sametime server.
- Miscellaneous Events: Shows Sametime events and error messages not contained in other views. Messages are sorted in order of occurrence. Use this view to check for Sametime error messages, server crashes, and corrupted databases.
- NNTP Events: Not used by the Sametime server.
- Object Store Usage: Not used by the Sametime server.
- Passthru Connections: Not used by the Sametime server.
- Phone Calls-By Date: Not used by the Sametime server.
- Phone Calls-By User: Not used by the Sametime server.
- Replication Events: Not used by the Sametime server.
- Sample Billing: Shows the same information provided in the Usage views, but the information is not categorized. The information in this view can be easily exported to a spreadsheet. Use this view for billing purposes, such as Meeting Center usage, network usage, and database usage.
- Usage-By Date: Shows Sametime user transactions sorted by date. Transactions are operations such as starting meetings, attending meetings, opening documents, and updating documents. Each record lists the date and time of the transaction, the user name, the minutes of usage, the number of read operations, the number of write operations, the size of the database, and the total number of transactions. Use this view to check database use on a specific date and users' transactions with the server.
- Usage-By User: Shows Sametime user transactions by user name. Transactions are operations such as starting meetings, attending meetings, opening documents, and updating a document. Each record lists the user name, the date and time of the transaction, the minutes of usage, the number of read operations, the number of write operations, the size of the database, and the total number of transactions. Use this view to check a particular user's transactions on a database.

To access the Domino log, choose Logging - Domino Log in the Sametime Administration Tool, and then click the link that appears on the right. The Domino log launches in a new browser window.


NSD log
When an IBM Lotus Sametime Community Services process crashes, an NSD log is created with the relevant information about the crash. The log contains information about the tasks which were running when the process crashed, as well as general system information that may help determine the cause of the crash. The log is stored in the server's .\data\trace directory.

Important: The date in the NSD log file's name is not its creation date, but rather the date when the crashing process was first executed. To find the date when the NSD log was produced, look inside the log or use the file creation date based on the operating system information.

Sametime log settings


Sametime uses log settings:
- General settings - Allow you to specify the format and content of the Sametime log.

To access the log settings, choose Logging - Settings in the Sametime Administration Tool.

General log settings


The General log settings allow you to specify the format for the Sametime log and to control the information that the log records. The four types of General log settings are (note that meeting server events do not apply to Sametime Limited Use):
- Database or text file settings - Allow you to specify the format for the log and to automatically remove information from the log.
- Sametime statistics settings - Allow you to control whether to log statistics related to chats, meetings, and users.
- Server community events to log settings - Allow you to control which Community Services events are recorded in the Sametime log.

Database or text file settings


The "database or text file" settings allow you to specify the format for the log and to automatically remove old information from the log.

Enable logging to a Domino database (STLog.nsf)


Select this setting to record Sametime Meeting Services and Community Services data in the Sametime log database (stlog.nsf). During setup of the Sametime server, the Sametime Log database is automatically created, and the administrator specified during setup is assigned Manager access in the database Access Control List (ACL). The server is also assigned Manager access to the database so that it can write information to the log. The default access for all other users is Reader. When this option is selected, a Sametime administrator can view all of the information in the Sametime log by opening the Sametime Administration Tool and selecting Logging. The links available from the Logging menu display different views of the Sametime log database. For more information, see Viewing the Sametime log.


When this option is selected, you can use the "Remove history after (days)" setting to prevent the Sametime log from growing too large. If the "Enable logging to a Domino database" option is not selected, Sametime activity is not recorded in the Sametime database, and the links beneath the logging option in the Sametime Administration Tool do not appear. If you select this option, you cannot select the "Enable logging to a text file" option; it is not possible to record Sametime activity in both database and text file format. After selecting this option, click Update and restart the server for the setting to take effect.

Remove history after (days)


Select this setting to automatically remove old information from the Sametime log database (stlog.nsf). In the field provided, specify the age (in days) of information that is automatically removed from the database. The default setting is 60 days. This setting only applies to the Sametime log database; it does not remove Sametime log information stored in text files. You must manually delete old text files. After selecting this option, click Update and restart the server for the setting to take effect.

Enable logging to a text file


Select this setting to record Sametime log information in a text file. When this option is selected, a new Sametime log text file is created every day. By default, the name of each text file contains the date on which the file was created (for example, log_23_Mar_2009.txt). After you select this option, specify a path and file name for the log file in the "Path to log text file" field; for example, in Microsoft Windows: d:\notesdata\chatlogs\txtfiles\log.txt

To view the file, open it in your preferred text editor. You cannot view the text file log from the Sametime Administration Tool. If you log Sametime activity to a text file:
- Sametime activity is not recorded in the Sametime log database, and the links beneath the logging option in the Sametime Administration Tool do not appear. You cannot access the Domino log when you log to a text file.
- You must manually delete the text files from the server hard drive periodically to conserve hard disk space.

If you select this option, you cannot simultaneously select the "Enable logging to a Domino database" option; it is not possible to record Sametime activity in both database and text file format. After selecting this option, click Update and restart the server for the setting to take effect. To access the "Database or text file" settings, open the Sametime Administration Tool, select Logging - Settings, and click the General tab.
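Because the "Remove history after (days)" setting does not touch text logs, the daily files have to be pruned by hand. The following Python script is an added example, not part of the guide or of the Sametime product: it recognises the daily log_DD_Mon_YYYY.txt names shown above and removes those older than a retention period (60 days by default, mirroring the database setting), leaving the base log.txt and any unrelated file alone; the directory path and the dry-run default are assumptions.

```python
"""Prune daily Sametime text log files that are older than a retention period."""
import os
import re
from datetime import date, timedelta

# Daily text log names embed their creation date, e.g. log_23_Mar_2009.txt
LOG_NAME = re.compile(r"^log_(\d{2})_([A-Za-z]{3})_(\d{4})\.txt$")

# Explicit month table so parsing does not depend on the process locale
MONTHS = {m: i for i, m in enumerate(
    ("jan", "feb", "mar", "apr", "may", "jun",
     "jul", "aug", "sep", "oct", "nov", "dec"), start=1)}


def log_file_date(filename):
    """Date encoded in a daily log file name, or None for any other name."""
    match = LOG_NAME.match(filename)
    if not match:
        return None
    day, mon, year = match.groups()
    month = MONTHS.get(mon.lower())
    if month is None:
        return None
    try:
        return date(int(year), month, int(day))
    except ValueError:  # impossible dates such as log_31_Feb_2009.txt
        return None


def expired_logs(filenames, today, keep_days=60):
    """Names whose embedded date is older than keep_days before `today`.
    Files that do not match the daily pattern (including the base log.txt
    named in the settings) are never selected."""
    cutoff = today - timedelta(days=keep_days)
    expired = []
    for name in filenames:
        logged = log_file_date(name)
        if logged is not None and logged < cutoff:
            expired.append(name)
    return sorted(expired)


def prune_log_dir(directory, keep_days=60, dry_run=True, today=None):
    """Delete expired daily logs under `directory`; with dry_run only list them.
    Returns the names selected for removal."""
    today = today or date.today()
    doomed = expired_logs(os.listdir(directory), today, keep_days)
    if not dry_run:
        for name in doomed:
            os.remove(os.path.join(directory, name))
    return doomed


if __name__ == "__main__":
    import sys
    # Usage: prune_logs.py <directory> [keep_days]. Assumed directory default
    # is the current one; nothing is deleted unless dry_run is changed here.
    target = sys.argv[1] if len(sys.argv) > 1 else "."
    days = int(sys.argv[2]) if len(sys.argv) > 2 else 60
    for name in prune_log_dir(target, days, dry_run=True):
        print("would remove", name)
```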


Sametime Statistics
The Sametime Statistics log settings allow you to record statistics related to chats, meetings, and users. These statistics appear in the Server community statistics section of the Sametime log. To record these statistics, select the Sametime Statistics option. Sametime statistics are recorded every 60 minutes. After selecting this option, click Update and restart the server for the settings to take effect. To access the Sametime Statistics settings, open the Sametime Administration Tool, select Logging - Settings, and click the General tab.


Community Server Events to Log


The Community Server Events to Log settings allow you to control which Community Services events are recorded in the Sametime log. After selecting any of these options, click Update for the settings to take effect.

Note: The settings take effect within a reasonable time period. The longest time period you will wait for these settings to take effect is the time interval specified for the "How often to poll for new servers added to the Sametime community" setting in the Configuration - Community Services settings of the Sametime Administration Tool. The default time interval for that setting is 60 minutes.

Successful logins
Select this setting to record information about successful Community Services logins and logouts in the Community Logins/Logouts section of the Sametime log. This option is selected by default.

Community server events and activities


Select this setting to record information about Community Services events in the Community Events section of the Sametime log. For example, you can view the name and status of each service. To access the Community Server Events to Log settings, open the Sametime Administration Tool, select Logging - Settings, and click the General tab.


Chapter 24. Working with Sametime security


The IBM Lotus Sametime server uses the Internet and intranet security features of the Domino server on which it is installed to authenticate Web browser users who access Domino databases on the server. These databases include the Sametime Center database (stcenter.nsf), which contains the Sametime server home page, and the Sametime Meeting Center database (stconf.nsf). Sametime also uses authentication-by-token features to authenticate connections from Sametime clients to the Sametime server. The authentication-by-token features include the Secrets and Tokens databases supported by all previous Sametime releases and the Domino Single Sign-On (SSO) authentication feature that is supported by Sametime 3.0 and higher-version servers. Sametime also provides security features that enable users to encrypt meetings and specify meeting-specific passwords. The Security section includes the following topics:
- Getting started with Sametime security - This section discusses basic password authentication and authentication by token, the Web browser and Sametime Connect client user requirements for basic password authentication, how to change a user's password, and the implications of allowing anonymous access to the Sametime Meeting Center. (Anonymous access is allowed to the Sametime Meeting Center by default after installation of the server.)
- About Sametime security - This section provides an overview of the Domino Access Control Lists (ACLs), the Sametime Secrets and Tokens authentication system, and the Domino Single Sign-On authentication feature.
- Domino security and the Web browser connection - This section describes how database ACLs are used to authenticate Web browser connections to the Sametime server.
- Using database ACLs for identification and authentication - This section provides detailed information on the functioning of a database ACL and the settings within the ACL. Step-by-step procedures explain how to set up a database ACL to allow anonymous access or require basic password authentication.
- Authentication by token - This section discusses the Domino Single Sign-On (SSO) authentication feature and the Sametime Secrets and Tokens authentication databases. The Domino SSO feature must be enabled on the Sametime server. If your Sametime environment includes Sametime servers that interoperate with servers from releases earlier than Sametime 3.0, the Sametime server must support both the Domino SSO feature and the Sametime Secrets and Tokens databases.
- All meetings in Sametime are automatically encrypted. The administrator can require a meeting-specific password to be specified for every new meeting created in the Sametime Meeting Center.
- About SSL and Sametime - The Secure Sockets Layer (SSL) protocol can be used to encrypt Web browser connections to the Domino server on which Sametime is installed or to encrypt connections between a Sametime server and an LDAP server.
- Ensuring Sametime servlet access when Domino requires SSL for all connections - If you configure the Domino HTTP server to require SSL for all connections, you must perform the procedures in this section to enable the Sametime clients to access the Sametime server servlets.

Getting started with Sametime security


This section includes basic security information to help you get started with Sametime security. This section discusses:
- The required fully qualified server name
- Basic password authentication and authentication by token
- User requirements for basic password authentication
- Changing a user's password

The required fully-qualified server name


The end user must enter the fully qualified DNS name of the Sametime server (for example, sametimeserver.meetings.acme.com) in the Web browser URL locator when accessing the Sametime server to authenticate with a Sametime server. The Domino Single Sign-On (SSO) feature must be enabled on the Sametime server. The Domino SSO feature requires the user to enter the fully qualified DNS name of the server for a successful authentication. For more information, see Authentication by token using LTPA and Sametime tokens.

Basic password authentication and authentication by token


Sametime uses two types of authentication:
- Basic password authentication
- Authentication by token

Basic password authentication


Sametime uses basic password authentication to authenticate Web browser connections and Sametime Connect client connections. Sametime uses the same Internet and intranet security features as a Domino server to authenticate the Web browser connections. These features include Domino database Access Control Lists (ACLs) and security settings in the Server document of the Domino server on which Sametime is installed. The Domino security features also allow you to configure databases for anonymous access. When a database is configured for anonymous access, the user is not authenticated when accessing the database. The following topics in this section discuss basic password authentication:
- User requirements for basic password authentication
- Using database ACLs for identification and authentication
- Basic password authentication and database ACLs
- Setting up basic password authentication in a database Access Control List (ACL)


Authentication by token
After a Web browser user authenticates using basic password authentication, Sametime Java applet clients (such as the Meeting Room client, Recorded Meeting client, and Sametime Connect for browsers client) load in a user's Web browser. These Sametime clients make connections to the Community Services, Meeting Services, and Recorded Meeting Broadcast Services when a user attends a meeting. Sametime uses "authentication by token" to authenticate the connections from these Sametime clients to the Sametime services.

Note: Connections from the Sametime clients to the Community Services, Meeting Services, and Recorded Meeting Broadcast Services are authenticated only if the Sametime Meeting Center database (stconf.nsf) requires basic password authentication. If the Sametime Meeting Center allows anonymous access, these connections are not authenticated.

When the Sametime Meeting Center requires basic password authentication, authentication by token is supported on the Sametime server using the Domino Single Sign-On (SSO) authentication feature. If your environment includes only Sametime 3.0 (or higher) servers, it is only necessary to enable the Domino SSO feature on the Sametime servers.

Note: Sametime TeamRoom and Discussion databases were available with previous Sametime releases but are no longer included in the Sametime product.

The Sametime server must support both the Domino SSO feature and the Secrets and Tokens database authentication system if your environment includes Sametime 3.0 (or higher) servers that interoperate with Sametime servers from releases earlier than Sametime 3.0. The following topics discuss authentication by token:
- Authentication by token
- Authentication by token using the Domino Single Sign-On (SSO) feature
- Authentication by token using Secrets and Tokens databases

User requirements for basic password authentication


When accessing the Sametime server with a Web browser, a user must enter a user name and Internet password to access any protected database on the Sametime server. A protected database is a database that has its Access Control List (ACL) set to require basic password authentication. If the ACL settings of a database allow anonymous access, the user is not authenticated (prompted for a user name and Internet password) when accessing the database. Note: It is important for a user to enter a name when accessing a Sametime database so that the user's name can be displayed in any presence list within the database. If the ACL settings of a database allow anonymous access, a user is not prompted for a name unless the "Users of Sametime applications can specify a display name so that they do not appear online as anonymous" setting is selected in the Configuration-Community Services-Anonymous Access settings of the Sametime Administration Tool. When this option is selected, it forces a name entry prompt to appear when an anonymous user attends a scheduled meeting. From this name entry prompt, the user can enter a name for display purposes in a

Chapter 24. Working with Sametime security

371

presence list. The server accepts any name entered at the name entry prompt; the user is not authenticated. For more information, see Users of Sametime applications can specify a display name.

A Sametime Connect user must also be authenticated each time the user starts the Sametime Connect client and connects to the Community Services on the Sametime server. Sametime Connect users must enter the user name and Internet password from their Person document in the Domino Directory when logging on to Sametime Connect.

Note: If you have configured Sametime to operate with an LDAP directory, Sametime authenticates users against the user names and passwords stored in the person entries of the LDAP directory.

Person document, User names, and Internet passwords in the Domino Directory
This section discusses the requirements for basic password authentication when Sametime is installed to operate with a Domino Directory. You must choose either the Domino Directory or an LDAP directory during the Sametime installation. Each member of the Sametime community must have a Person document in the Domino Directory to authenticate with the Sametime server. The names and password that a user can enter when accessing a Sametime server are maintained in the Basics tab of a Person document in the Domino Directory. To access a Person document, open the Sametime Administration Tool and select Domino Directory-Domino-Manage People. Double-click a person's name to open that user's Person document. The table below shows a sample entry in the Basics section of a user's Person document. The text that follows the table explains how these entries are used in the Web browser and Sametime Connect client password authentication processes.

Sample settings in the Basics section of a Person document


Field                    Entry                      Comment
-----------------------  -------------------------  ---------------------------------------------
First name               Gary                       This field is optional.
Middle initial                                      This field is optional.
Last name                Ollerman                   This field is required.
User name                Gary Ollerman/Community    This field is required. The Community (or
                         GOllerman                  domain) name is appended to the first entry
                                                    in the User name field by default.
Alternate name                                      This field is optional.
Short name/UserID                                   This field is optional.
Generational qualifier                              This field is optional.
Internet password        (FCF5F3960B0A289D3)        This field is required.

The following fields on the Person document are used by the authentication process:

- First name - This field is optional.
  Web browser - If an entry exists in the "First name" field in the Basics tab of the Person document, the user can enter just this name at the User Name prompt that appears when accessing a protected database on the Sametime server with a Web browser. The user must also enter the Internet password to access the database. (A protected database is a database whose ACL is set to require basic password authentication.)
  Sametime Connect - The first name is not a valid entry at the User Name prompt that appears when logging on to the Sametime Connect client.

- Last name - This field is required. An entry must exist in the "Last name" field of the Basics tab of a Person document. The last name can be entered at the User Name prompt that appears when accessing a protected database on the Sametime server with a Web browser, and it can also be used when logging on from the Sametime Connect client. A user must also enter the Internet password to complete the authentication process.
  Note: If both the "First name" and "Last name" fields contain entries, the user can enter the first and last names together at the User Name prompt that appears when accessing the Sametime server.

- User name - This field is required. An entry must exist in the "User name" field in the Basics tab of a Person document. Generally, it is good practice to use a user's first and last name in the "User name" field. The "User name" field can contain multiple entries; in the example, it contains both Gary Ollerman/Community and GOllerman. (Each entry must be separated by a semicolon or a carriage return in the "User name" field of the Person document.) A user can enter any name that appears in the "User name" field of the Person document when logging on to the Sametime server from the Sametime Connect client or a Web browser. For example, the user could enter Gary Ollerman/Community or GOllerman at a Sametime Connect or Web browser User Name prompt. The name entered by the user is resolved to the topmost name (Gary Ollerman/Community in the example) in the "User name" field. The topmost name in the "User name" field is the name displayed in the presence lists of all Sametime clients.
  Note: If you want a user's e-mail address to display in presence lists, enter the user's e-mail address as the topmost name in the "User name" field of the Person document. If the e-mail address is included in the "User name" field, the user can also enter the e-mail address at the User Name prompt when logging in from a Sametime Connect client or Web browser.

  Sametime uses the topmost name in the "User name" field to validate a user in a database ACL. If you require basic password authentication for a database and enter the names of individual users in its ACL, enter the topmost name from the "User name" field of the Person document. Although the user can enter "GOllerman" when logging on, Sametime uses "Gary Ollerman/Community" to validate the user in the database ACL. Therefore, "Gary Ollerman/Community" is the name that must appear for this user in database ACLs.

- Internet password - This field is required. Users must enter the Internet password to authenticate with the Sametime server using a Web browser or the Sametime Connect client. In the example, the Internet password is "sametime." The field displays a string of seemingly random characters because the Person document stores a one-way hash of the Internet password rather than the password itself; the clear-text password cannot be read back from the document.
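The following Python example, added here and not taken from the Sametime product, shows the resolution described above: the name a user types at a logon prompt is matched against the Person document and mapped to the topmost "User name" entry that ACL checks use. The Person records and the SHA-256 hashing of the Internet password are constructed for the example (Domino stores its own hash format), and the case-insensitive comparison is an assumption; the rule that Sametime Connect does not accept a bare first name follows the text above.

```python
"""Resolve the name typed at a Sametime logon prompt to the topmost entry of
the Person document's "User name" field, which is the name used for ACL
checks. Added illustration, not code from Sametime; the Person records
below are constructed, and SHA-256 storage of the Internet password is a
stand-in for Domino's own hash format."""

import hashlib
import hmac
from typing import Optional


def _hash_password(password: str) -> str:
    # Stand-in for the Domino Internet password hash (assumption).
    return hashlib.sha256(password.encode("utf-8")).hexdigest()


# Constructed Person documents (subset of the Basics tab fields).
PERSONS = [
    {
        "first_name": "Gary",
        "last_name": "Ollerman",
        # Several entries are allowed; the topmost one is canonical.
        "user_names": ["Gary Ollerman/Community", "GOllerman"],
        "internet_password_hash": _hash_password("sametime"),
    },
]


def accepted_names(person: dict, client: str) -> set:
    """Names the user may type, depending on the client.

    Web browser: first name, last name, "First Last", or any "User name" entry.
    Sametime Connect: last name or a "User name" entry only; the first name by
    itself is not accepted at the Connect logon prompt."""
    names = set(person["user_names"])
    names.add(person["last_name"])
    if client == "browser" and person.get("first_name"):
        names.add(person["first_name"])
        names.add(person["first_name"] + " " + person["last_name"])
    # Case-insensitive comparison is an assumption made for this example.
    return {n.casefold() for n in names}


def resolve_logon(entered: str, password: str,
                  client: str = "browser") -> Optional[str]:
    """Return the canonical (topmost) name on success, or None on failure.

    An unknown name and a wrong password both yield None, so a caller
    cannot tell the two apart and enumerate valid names."""
    for person in PERSONS:
        if entered.casefold() in accepted_names(person, client):
            ok = hmac.compare_digest(_hash_password(password),
                                     person["internet_password_hash"])
            return person["user_names"][0] if ok else None
    return None
```

The example stops at the first Person document whose accepted names include the typed value; in a directory where two people share a last name, a real lookup would have to treat such a name as ambiguous rather than pick the first match.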

LDAP
If you have configured the Sametime server to operate with an LDAP directory on a third-party server, the authentication process uses the user names and passwords stored in the LDAP directory. It is not necessary to create Person documents containing separate user names and passwords in the Domino Directory on the Sametime server. For more information, see Using LDAP with the Sametime server.

Changing a user's password


About this task
When accessing the Sametime server from any Sametime client, the user might be prompted for a user name and password. The password is specified in the Internet password field on the user's Person document in the Domino Directory on the Sametime server. To change a user's password, open the user's Person document and enter a new password in the "Internet password" field.

Note: If you have configured the Sametime server to operate with an LDAP directory on an LDAP server, the authentication process uses the passwords specified in the LDAP directory. Use the administrative tools provided with the third-party LDAP server to access the LDAP directory and make password changes for individual users. You cannot change passwords stored in an LDAP directory from the Sametime Administration Tool.

To change a user's Internet password in the Domino Directory on the Sametime server:
1. From the Sametime server home page, open the Sametime Administration Tool.
2. Select Domino Directory.
3. Select Domino.
4. Select Manage People.
5. Double-click the name of the user whose password you want to change.
6. Click Edit Person.
7. Enter the new password in the "Internet password" field of the Person document. Note the new password before closing and saving the Person document: after you close and save it, the field holds only the hashed value and the password cannot be viewed.
8. Select "Save and Close."

Ensuring Sametime servlet access when Domino requires SSL for all connections
About this task
A Sametime server installs on a Domino server and relies on the Domino HTTP server to handle all HTTP traffic to the Sametime server. To encrypt Web browser access to the Sametime Meeting Center with SSL, the administrator must configure the Domino HTTP server to support SSL.

When setting up a Domino HTTP server to support SSL, the administrator can force all connections to the Domino server to use SSL. This is done with either of the following configurations in the Ports-Internet Ports-Web section of the Domino Server document during the Domino HTTP server SSL setup procedure:
- Setting the Web HTTP "TCP/IP port status" to "Disabled" and the Web HTTP "SSL port status" to "Enabled."
- Setting the Web HTTP "TCP/IP port status" to "Redirect to SSL."

If you force all HTTP connections to use SSL, you must also configure the Sametime server to support SSL for HTTP connections to its servlets. If you do not configure the Sametime server to support SSL for connections to its servlets, users will be unable to access the Sametime server.

To ensure access to the Sametime servlets when Domino requires SSL for all connections, complete the following steps:
1. Set up the Domino server to support SSL.
2. Import the SSL trusted root or SSL server certificate into the key store database on the Sametime server.
3. Modify the Sametime configuration for SSL.

Results
You can use these procedures regardless of whether your Sametime server runs on the Windows, AIX, Solaris, Linux, or IBM i5/OS operating system.

Note: It is possible to configure a Domino server to allow unencrypted HTTP connections on port 80 and SSL-encrypted HTTP (HTTPS) connections on port 443 at the same time. This configuration lets you encrypt connections to databases containing sensitive data while allowing unencrypted connections to databases that do not. Because the Domino server on which Sametime is installed is dedicated to supporting only Sametime, such a configuration is unlikely to be used on a Domino/Sametime server.

Domino security and the Web browser connection


To attend a meeting on the Sametime server, a user first connects to the Sametime HTTP server with a Web browser. By default, the user is not authenticated on this HTTP connection and can open the Sametime server home page database (stcenter.nsf) without entering a user name and password.

By using the Access Control List (ACL) settings of individual databases, the Sametime administrator can force users to authenticate using basic password authentication when they attempt to access the databases on the server.

Generally, the first database a user accesses when connecting to the Sametime server is the Domino database that contains the Sametime server home page (stcenter.nsf). By default, the ACL settings of the stcenter.nsf database allow anonymous access, so users can open the Sametime server home page without being authenticated (entering a user name and password that is verified against entries in a directory). After accessing the home page, a user selects links to access other databases on the Sametime server; most users will access the Sametime Meeting Center (stconf.nsf). The Sametime administrator can alter the ACLs of these databases to force users to authenticate at the time they select the link that accesses the database.

The databases on the Sametime server that are accessible from the Sametime server home page include:
- Sametime Meeting Center (stconf.nsf) - An end user accesses the Sametime Meeting Center database when selecting the "Attend a Meeting" or "Schedule a Meeting" link from the Sametime server home page. The ACL settings of the Sametime Meeting Center database (stconf.nsf) allow anonymous access by default: any anonymous user who reaches the Sametime server home page can select the "Attend a Meeting" or "Schedule a Meeting" link, open the Sametime Meeting Center database, create meetings, and attend any meeting on the server. If you change the ACL of the Meeting Center to require basic name and password authentication, users must enter a user name and Internet password when selecting the "Attend a Meeting" or "Schedule a Meeting" link.
  Note: The Domino SSO authentication feature must be enabled on the Sametime server. For more information, see Authentication by token using the Domino Single Sign-On (SSO) feature.
- Server Administration - You must add users to the ACLs of several Sametime databases when granting other users administrative privileges on the Sametime server. For more information about controlling access to the Sametime Administration Tool, see Adding a new Sametime administrator.

Note: References to the Sametime Meeting Center and to the Web browser connection do not apply to Sametime Limited Use servers.

Using database ACLs for identification and authentication


Identification and authentication is the process of determining the name of a user and verifying that users are who they say they are. You can use database Access Control Lists (ACLs) to control access to individual databases on the server. For each database on the server, you can set the ACL to allow:
- Anonymous access, or
- Basic password authentication

The settings in the database ACLs work together with the "Maximum Internet name & password" setting for each database to control the level of access that Web browser users have to a database on the Sametime server.

Using database ACLs


The database ACL defines user access to the content of the database. Before you set up basic password authentication or anonymous access to a database, you should be familiar with how to add users to a database ACL and the available settings within the ACL. For more information, see:
- Adding a name to a database ACL
- Database ACL settings

Maximum Internet name & password setting


The "Maximum Internet name & password" setting on the Advanced panel of each database ACL specifies the maximum level of access to the database that is allowed for Web browser clients. This setting overrides individual levels set in the ACL. Generally, administrators should not need to change the "Maximum Internet name & password" settings for databases on the Sametime server. The default settings should function adequately in most cases.

Adding a name to a database Access Control List (ACL)


About this task
To add a name to a database Access Control List:
1. From the Sametime server home page, click the "Administer the Server" link to open the Sametime Administration Tool.
2. If you are using a Domino Directory with the Sametime server, select Domino Directory - Domino. If you are using an LDAP directory with the Sametime server, select LDAP Directory.
3. Select Access Control.
4. Select a database from the list.
5. Click the Access button. The database ACL displays.
6. Click Add.
7. In the dialog box, type the exact user name from a Person document or the group name from a Group document. Click OK.
   When entering a user name for a user with a Person document in the Domino Directory on the Sametime server, type the name exactly as it appears in the topmost entry of the "User name" field in the user's Person document.
   When entering the names of users or groups registered in an LDAP directory in a Sametime database ACL, use the fully qualified Distinguished Name, but use forward slashes (/) as delimiters instead of commas. For example, if the Distinguished Name for the user in the LDAP directory is:
   uid = Joe Waters, ou=West, o=Acme
   enter the name in the Sametime database ACL as follows:
   uid = Joe Waters/ou=West/o=Acme
   You can also use asterisks as wildcards when entering names from an LDAP directory or a Domino Directory in an ACL. For example, entering */ou=West/o=Acme is equivalent to entering all users in the ou=West/o=Acme branch of the directory in the ACL.
   Note: It is possible to enter entities other than user and group names in an ACL. For more information about the types of entries that can exist in an ACL, see User type - ACL settings.
8. Click the name entered in the previous step so that the name is selected (highlighted).
9. In the User Type box, select the type of user (Unspecified, Person, Server, Person Group, Server Group, or Mixed Group). For more information, see User type - ACL settings.
10. In the Access box, assign an access level for the user (Manager, Designer, Editor, Author, Reader, Depositor, or No Access). For more information, see Access level - ACL settings.
11. Edit the privileges if necessary. For more information, see Privileges - ACL settings.
12. Click Submit.
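Added example (Python, not part of Sametime) of the name conversion in step 7 and of the wildcard rule: an LDAP Distinguished Name is rewritten with forward slashes, and an ACL entry, including one beginning with */, is tested against a user's converted name. Stripping the spaces around = and treating a backslash-escaped comma inside an attribute value as part of the value rather than as a delimiter are assumptions that go beyond what the guide states.

```python
"""Convert an LDAP Distinguished Name to the spelling used in a Sametime
database ACL (forward slashes instead of commas) and match ACL entries,
including "*/..." wildcards, against a user's converted name.

Added example, not Sametime code. Handling of backslash-escaped commas
(RFC 4514 "\\,") and removal of whitespace around "=" are assumptions."""

import re


def split_dn(dn: str) -> list:
    """Split a DN into its RDN strings.

    A comma preceded by a backslash is part of an attribute value (for
    example cn=Waters\\, Joe), not a delimiter."""
    return [part.strip() for part in re.split(r"(?<!\\),", dn)]


def dn_to_acl_name(dn: str) -> str:
    """ACL form of an LDAP DN: RDNs joined with '/', no spaces around '='."""
    rdns = []
    for rdn in split_dn(dn):
        attr, _, value = rdn.partition("=")
        rdns.append(attr.strip() + "=" + value.strip())
    return "/".join(rdns)


def acl_entry_matches(entry: str, acl_name: str) -> bool:
    """True if an ACL entry covers acl_name.

    A plain entry must equal the name component by component (compared
    case-insensitively). An entry of the form '*/<suffix>' matches any
    name whose trailing components equal <suffix>; because the match is on
    the suffix, deeper branches under <suffix> are covered as well."""
    wanted = [c.casefold() for c in entry.split("/")]
    actual = [c.casefold() for c in acl_name.split("/")]
    if wanted[0] == "*":
        suffix = wanted[1:]
        # The wildcard must stand for at least one component.
        return len(actual) > len(suffix) and actual[-len(suffix):] == suffix
    return wanted == actual


def matching_entries(acl_entries: list, dn: str) -> list:
    """All ACL entries that apply to the user whose LDAP DN is dn."""
    name = dn_to_acl_name(dn)
    return [e for e in acl_entries if acl_entry_matches(e, name)]
```

Note that an entry such as */o=Acme also covers users in ou=West/o=Acme, so a wildcard placed high in the tree grants access to every branch beneath it.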

Database ACL settings


A database Access Control List (ACL) contains a list of users and defines user access to the contents of the database. For each user in the database ACL, you can specify the following ACL settings:
- User Type
- Access Level
- Privileges
- Roles

User type - ACL settings


When you add a user or group to an ACL, you specify a user type for the entry. A user type identifies whether a name in the ACL is for a person, server, group, or other entity. You assign a user type to a name to specify the type of ID required for accessing the database with that name. You can designate an entry in the ACL as any of the following user types:

Unspecified
  Select the Unspecified user type if you want to enable the name you are entering to access the database with any type of ID (Person, Server, or Group). The Default entry in an ACL is always assigned the Unspecified user type. IDs used to sign agents, such as Sametime Development/Lotus Notes Companion Products, are also assigned the Unspecified user type when entered in a database ACL.

Person
  Select the Person user type if the name you are entering belongs to a user who has a Person document containing a user name and Internet password in the Directory on the Sametime server, or if the user has a Person entry in an LDAP directory on a third-party server.

Server
  Select the Server user type if the name you are entering belongs to another server in the Domino domain. When multiple servers are installed in a Domino environment, it might be necessary for a server to access data within the database or to replicate a database. Server names are frequently added to the pre-existing LocalDomainServers and OtherDomainServers server groups. The Server user type is generally used only if you have installed Sametime in a Domino environment. This user type performs the same function as it does on a Domino server.

Mixed Group
  Select the Mixed Group user type if the name you are entering belongs to a group that consists of both Server and Person names.

Person Group
  Select the Person Group user type if you are entering the name of a group that contains only people. You can enter a group from the Directory on the Sametime server, or a group stored in an LDAP directory on a third-party server, in the ACL of a database.

Server Group
  Select the Server Group user type if the name you are entering belongs to a group that consists of only servers.

Access level - ACL settings


Access levels are the database ACL settings that control the type of actions a user can perform on the contents of a database and on the database itself. Access levels range from No Access, which prevents a user from opening a database, to Manager, which lets a user read, create, and edit the ACL and all documents in the database.

Users that are listed both individually and in one or more groups in the ACL might be assigned different levels of access. The access level granted in an individual entry takes precedence over the access level granted through a group entry. If a user is in multiple groups, the user is granted the access level of the group with the highest level of access. If a user or group has one level of access in the ACL and another level of access in a database component (such as a Read or View access list), the database component access level takes precedence over the user or group access level.

The following access levels are listed from lowest to highest. A higher access level has all the privileges granted to lower access levels. For example, Authors can perform all of the functions of a Depositor and a Reader.

No Access
  No Access prevents a user from accessing the database. For example, if you assign No Access as the Default access for a database, only a user who has a Person document in the Address Book and is listed in the ACL can access the database.

Depositor
  Depositor access allows a user to create documents but not view any documents in the database, including the documents created by the user. This access level is not generally used for Sametime databases. It is most frequently used for automatic agents that write documents into a database for Domino workflow applications.

Reader
  Reader access allows a user to read documents in a database, but not create or edit documents. For example, you can assign Reader access in the Meeting Center (stconf.nsf) ACL to users who are allowed to attend but not start meetings.
  Note: If you assign a user the Reader access level in the Meeting Center (stconf.nsf), the user can attend listed meetings but cannot attend unlisted meetings in the Meeting Center. To enable a user with Reader access to also attend unlisted meetings, you must select the "Write public documents" check box for that user in the ACL.

Author
  Author access allows a user to create and edit documents. Users with Author access can edit documents they have created themselves, but they cannot edit documents created by other users. Assign Author access in the Meeting Center ACL to allow users to create meetings in the Sametime Meeting Center. Meeting Center users with Author access can modify the meetings they create, but they cannot modify meetings created by other users. To create a meeting, the user must have Author access and the Write Public Documents privilege selected.

Editor
  Editor access allows users to read, create, and edit all documents in the database, including those created by other users. Assign Editor access in the Meeting Center ACL to users who are allowed to modify meetings they create and meetings that are created by other users. Editors can also start meetings in the Meeting Center. To create meetings, the user must also have the Write Public Documents privilege selected.

Designer
  Designer access allows a user to create full-text indexes, modify all database design elements, and read, create, and edit all documents in the database. This access level is primarily for programmers and database developers.

Manager
  Manager access allows a user to read, create, and edit the ACL and all documents in a database, modify ACL settings, and delete the database. Modifying the ACL and deleting databases are tasks permitted by no other access level. This access level is usually assigned to Sametime administrators and is not recommended for general users. Each database must have at least one Manager. Generally, the Manager access level is provided in each database to the person specified as the administrator during the Sametime installation and setup procedure. You should assign Manager access to two people in case one manager is unavailable. For information about granting other users administrative privileges, see Allowing others to use the Sametime Administration Tool.

Privileges - ACL settings


The database Access Control List (ACL) defines privileges for users. Depending on the access level assigned to a user, some ACL permissions are granted, denied, or optional. Privileges listed in the ACL are:

Create documents
  This privilege allows users to create documents in a database. This privilege is:
  - Permanently granted to Managers, Designers, Editors, and Depositors
  - Permanently denied to Readers
  - Optionally granted to Authors

Delete documents
  This privilege allows users to delete documents from a database. This privilege is:
  - Permanently denied to Readers and Depositors
  - Optionally granted to Managers, Designers, Editors, and Authors

Create personal agents
  This privilege allows a Lotus Notes developer or user to create agents that perform automated procedures in a database. This privilege is:
  - Permanently granted to Managers and Designers
  - Optionally granted to Editors, Authors, and Readers
  Clear this option on server databases to prevent certain users from creating personal agents that take up server disk space and processing time. Use the Agent Restrictions settings in the Security tab of the Server document in the Directory to prevent users from running personal agents on a server, even if the "Create personal agents" permission in a server database ACL is selected.

Create personal folders/views
  This privilege is:
  - Permanently granted to Managers and Designers
  - Permanently denied to Depositors
  - Optionally granted to Editors, Authors, and Readers
  Personal folders and views created on a server are more secure and are available on multiple servers. Also, administrative agents can operate only on folders and views stored on a server. If this permission is not selected, users can still create personal folders and views that are stored on their local workstations. Clear this option to save disk space on a server.

Create shared folders/views
  This privilege is:
  - Permanently granted to Managers and Designers
  - Permanently denied to Authors, Readers, and Depositors
  - Optionally granted to Editors
  Deny this privilege to Editors to save disk space on a server and maintain tighter control over database design.

Create LotusScript
  This privilege is:
  - Permanently granted to Managers
  - Permanently denied to Depositors
  - Optionally granted to Designers, Editors, Authors, and Readers
  Clear this option on server databases to prevent certain users from running restricted and unrestricted LotusScript agents that take up server disk space and processing time. Use the Agent Restrictions settings in the Security tab of the Server document in the Directory to prevent users from running restricted and unrestricted LotusScript agents on a server, even if the "Create LotusScript" permission in a server database ACL is selected.

Read Public Documents
  This privilege is:
  - Permanently granted to Managers, Designers, Editors, Authors, and Readers
  - Optionally granted to Depositors

Write Public Documents
  This privilege is:
  - Permanently granted to Managers, Designers, and Editors
  - Optionally granted to Authors, Readers, and Depositors
  Public documents, such as the meeting details document in the Sametime Meeting Center, are designed to be accessed by a wide audience. Users with the Write Public Documents permission can read, create, edit, and delete public documents in a database. To create a meeting in the Sametime Meeting Center, a user must have the Author access level with the Write Public Documents privilege selected. A user must also have the Write Public Documents privilege selected to attend unlisted meetings on the Sametime server. Users without the Write Public Documents privilege are prompted for a password when accessing a database with public documents. After entering the user name and Internet password, the user is given the Default access level to the database.

Roles - ACL settings


Database Access Control List (ACL) roles grant access to individual database components, such as forms or views. You can use ACL roles to delegate authority for managing specific documents in a database. For example, you can assign the roles of UserCreator and UserModifier in the Directory (Address Book) ACL to the administrator who has the responsibility for creating and maintaining Person documents. ACL roles are optional in most databases; you can choose to rely on a broader access level and not use roles. For more information on the roles available in important Sametime databases, see Roles in Sametime databases ACLs.

Note: You can create up to 75 roles in a database.

Anonymous access and database ACLs


You can set a database ACL to allow anonymous access. Anonymous access has the following characteristics:
- Users are not identified or authenticated when they access databases and applications on the server.
- Data sent between the user and the Sametime server is not encrypted.
- Anonymous users are not identified in the maintenance log files. All anonymous user activity is recorded under the name "Anonymous."

The anonymous access level requires the least maintenance from the administrator, but it is the least secure. You should only allow anonymous access when you do not need to know the identity of users accessing your server. For example, use anonymous access if the Sametime server is behind your firewall and you plan to allow only trusted intranet users to access it.

Setting up anonymous access in a database Access Control List (ACL)


About this task
To allow anonymous access to a database, you can add the Anonymous entry to the ACL and assign an access level to the Anonymous entry.

Note: Alternatively, you can remove the Anonymous entry from the ACL and assign an access level to the Default entry in the ACL. When the Anonymous entry is removed from the ACL, anonymous users receive the access level and privileges assigned to the Default entry in the database ACL.

Use the following procedure to allow anonymous users to access a database:
1. From the Sametime server home page, click the "Administer the Server" link to open the Sametime Administration Tool.
2. If you are using a Domino Directory with the Sametime server, select Domino Directory - Domino. If you are using an LDAP directory with the Sametime server, select LDAP Directory.
3. Select Access Control.
4. Select a database from the list.
5. Click the Advanced button.
6. Set the "Maximum Internet name & password" access to Manager, which is the maximum access level.
   Note: The "Maximum Internet name & password" setting on the Advanced panel of each database Access Control List (ACL) specifies the maximum database access level granted to Web browser clients. This setting overrides higher individual access levels set in the ACL. For example, if you set the "Maximum Internet name & password" to Author and assign Editor access to the Anonymous entry in the database ACL, anonymous users will only have Author access to the database. Conversely, if you set the "Maximum Internet name & password" to Manager and assign Reader access to the Anonymous entry in the database ACL, anonymous users will only have Reader access to the database.
7. Click the Access button. If the Anonymous entry exists in the ACL, select the Anonymous entry and assign an access level (for example, Author). Edit the default privileges if necessary.
   If the Anonymous entry does not exist in the ACL, users who access the database anonymously receive the access level and privileges assigned to the Default entry in the ACL.
   Note: If the Anonymous entry does not exist in the ACL, the administrator also has the option to create an Anonymous entry and assign an access level and privileges. In this case, users receive the access level associated with the Anonymous entry instead of the Default entry.
8. Click Submit.
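The following Python example, added here and not Sametime code, works out the effective access a Web browser user receives from an ACL. It applies the precedence rules from Access level - ACL settings (individual entry over group entry, highest level among several groups, Default when nothing matches) together with the Anonymous entry fallback and the "Maximum Internet name & password" cap described in this procedure. The ACL contents and group memberships are constructed; names are compared exactly here, whereas Domino compares them case-insensitively.

```python
"""Effective Web browser access to a database from its ACL. Added example,
not Sametime code; the ACL and group data below are constructed.

Rules applied (from the guide):
  - an anonymous user gets the Anonymous entry, or -Default- if no
    Anonymous entry exists; No Access there means a logon prompt
  - an individual entry takes precedence over any group entry
  - a user in several groups gets the highest of those levels
  - an authenticated user with no matching entry gets -Default-
  - "Maximum Internet name & password" caps the result for browser users"""

from typing import Dict, Optional, Set

LEVELS = ["No Access", "Depositor", "Reader", "Author",
          "Editor", "Designer", "Manager"]


def rank(level: str) -> int:
    """Position in the ordered list of access levels (higher is more access)."""
    return LEVELS.index(level)


# Constructed ACL for the Meeting Center (stconf.nsf) and group membership.
ACL = {
    "entries": {
        "-Default-": "Reader",
        "Anonymous": "No Access",
        "Gary Ollerman/Community": "Editor",
        "MeetingCreators": "Author",
        "Admins": "Manager",
    },
    "max_internet": "Editor",   # Advanced panel: Maximum Internet name & password
}
GROUPS: Dict[str, Set[str]] = {
    "MeetingCreators": {"Gary Ollerman/Community", "Jane Doe/Community"},
    "Admins": {"Jane Doe/Community"},
}


def effective_access(acl: dict, groups: Dict[str, Set[str]],
                     user: Optional[str]) -> str:
    """user is None for an anonymous browser session, otherwise the
    canonical (topmost "User name") name. Names are compared exactly here;
    Domino itself compares them case-insensitively."""
    entries = acl["entries"]
    if user is None:
        level = entries.get("Anonymous", entries["-Default-"])
    elif user in entries:
        level = entries[user]                     # individual entry wins
    else:
        via_groups = [entries[g] for g, members in groups.items()
                      if g in entries and user in members]
        level = max(via_groups, key=rank) if via_groups else entries["-Default-"]
    cap = acl["max_internet"]                     # applies to all browser clients
    return level if rank(level) <= rank(cap) else cap


def requires_logon(acl: dict) -> bool:
    """A browser user is challenged for name and password when anonymous
    access to the database resolves to No Access."""
    return effective_access(acl, {}, None) == "No Access"
```

With the constructed ACL, Jane Doe reaches Manager through the Admins group but is held to Editor by the "Maximum Internet name & password" setting, and an anonymous browser user is prompted to log on because the Anonymous entry is No Access.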

Results
Note: If you set the ACL of the Sametime Meeting Center database to allow anonymous access, you should ensure that users are required to enter a display name when accessing the database. To ensure that users will be required to enter a display name to appear in the Participant List of the Sametime Meeting Room during a scheduled meeting, make sure that the "Users of Sametime or Sametime applications can specify a display name so that they do not appear online as 'anonymous'" setting is selected in the Configuration-Community Services-Anonymous Access settings of the Sametime Administration Tool. For more information, see Anonymous Access settings for Community Services.

Basic password authentication and database ACLs


You can set a database ACL to require basic password authentication. Basic password authentication has the following characteristics:

- Users are identified or authenticated when they access databases and applications on the server.
- A Web browser user must have a user name and an Internet password stored in the user's Person document to access databases. Only users with these credentials can access a database that requires basic password authentication.
- Data transmitted between the user and the Sametime server (including the name and password) is not encrypted.
- Users are identified in the maintenance log files.

Basic password authentication identifies users, but it does not prevent unauthorized users from listening to network transmissions or gaining server access by guessing passwords. For information on using Secure Sockets Layer (SSL) to encrypt the data that passes over the Web browser connection to the Sametime server, see About SSL and Sametime.

Using the Default entry or individual names in database ACLs


When basic password authentication is enabled for a database, browser clients are authenticated when they attempt to open a database. For example, a Web browser user might be authenticated when selecting the "Attend a Meeting" link from the Sametime server home page to access the Sametime Meeting Center database (stconf.nsf). The Sametime server challenges the user to supply a valid name and password and then verifies that the user's response matches the information stored in the user's Person document in the Domino Directory (or LDAP directory if you have configured Sametime to operate with an LDAP directory).

Authentication succeeds if the user name and password provided by the user match the user name and password in the directory and:

- The user is listed individually or as a member of a group in the database ACL, or
- The Anonymous entry is set to No Access while an access level is specified for the Default entry in the ACL. Using this method allows you to require users to authenticate but prevents you from having to add individual entries for every user and group in the ACL. When the Anonymous entry in the database ACL is set to No Access, users are presented with a logon prompt when they attempt to access the database.

384

Lotus Sametime Entry: Installation and Administration Guide

Users must enter the user name and Internet password at the logon prompt. Users that are successfully authenticated are then provided with the access level that is specified for the Default entry in the database ACL.

If both the Anonymous entry and the Default entry in the database ACL are set to No Access, a user must be listed in the ACL individually or as part of a group to access the database. Setting the Anonymous and Default entries to No Access provides the strictest control over access to the database because only users and groups that are listed in the ACL are allowed to access the database.

An individual name receives precedence over the Default entry. If a user's name is entered in a database ACL and provided with an access level, the user receives the access level assigned to the user name entry in the database. Only users who are not listed individually in the database ACL receive the Default access level.

Note: If the Anonymous entry does not exist in the database ACL, the Default entry in the ACL must be set to "No access" to require basic password authentication to the database. When the Anonymous entry does not exist in the database ACL, anonymous users can access the database and receive the access level assigned to the Default entry in the database. If the Anonymous entry exists in the ACL and is assigned the "No access" access level, users are authenticated when accessing the database and receive the access level specified for the Default entry in the ACL.
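The precedence rules above (the "Maximum Internet name & password" cap, the Anonymous and Default fallbacks, and individual names before Default) are easy to get wrong when reviewing a database ACL. The following model, added here as an illustration rather than product code, applies those rules to constructed ACLs so the outcome of each configuration in this section can be checked; the group-membership rule (highest level among a user's groups) is an assumption drawn from Domino ACL behaviour and is not stated on this page.

```python
"""Model of how a Domino database ACL resolves a Web browser user's effective
access level, following the rules in this chapter. Added illustration only."""
from dataclasses import dataclass, field
from typing import Dict, Optional, Set

# Domino access levels from lowest to highest.
LEVELS = ["No Access", "Depositor", "Reader", "Author", "Editor", "Designer", "Manager"]


def rank(level: str) -> int:
    return LEVELS.index(level)


@dataclass
class DatabaseACL:
    entries: Dict[str, str]                    # "Anonymous", "Default", user or group -> level
    groups: Dict[str, Set[str]] = field(default_factory=dict)   # group name -> members
    max_internet: str = "Manager"              # "Maximum Internet name & password" setting

    def effective_access(self, user: Optional[str]) -> str:
        """user=None models a browser that has not authenticated."""
        if user is None:
            # Anonymous entry wins; when it is absent, anonymous users receive Default.
            level = self.entries.get("Anonymous", self.entries.get("Default", "No Access"))
        elif user in self.entries:
            # An individual name takes precedence over groups and over Default.
            level = self.entries[user]
        else:
            # Assumption: the highest level among the user's groups applies.
            group_levels = [lvl for name, lvl in self.entries.items()
                            if user in self.groups.get(name, set())]
            level = (max(group_levels, key=rank) if group_levels
                     else self.entries.get("Default", "No Access"))
        # The advanced setting overrides any higher level set in the ACL.
        return min(level, self.max_internet, key=rank)

    def prompts_for_logon(self) -> bool:
        """Browser users see the name-and-password prompt only when anonymous
        access resolves to No Access."""
        return self.effective_access(None) == "No Access"


def scenarios() -> dict:
    """Worked cases from this chapter, built from constructed ACLs and names."""
    capped = DatabaseACL({"Anonymous": "Editor"}, max_internet="Author")
    default_only = DatabaseACL({"Default": "Author"})            # no Anonymous entry
    basic_auth = DatabaseACL({"Anonymous": "No Access", "Default": "Author"})
    strict = DatabaseACL({"Anonymous": "No Access", "Default": "No Access",
                          "Alice Smith/Acme": "Editor", "MeetingAdmins": "Manager"},
                         groups={"MeetingAdmins": {"Bob Jones/Acme"}})
    return {
        "capped_anonymous": capped.effective_access(None),          # "Author"
        "default_used_for_anonymous": default_only.effective_access(None),
        "default_prompts": default_only.prompts_for_logon(),       # False: no logon
        "basic_auth_prompts": basic_auth.prompts_for_logon(),      # True
        "basic_auth_user": basic_auth.effective_access("Carol Lee/Acme"),
        "strict_listed_user": strict.effective_access("Alice Smith/Acme"),
        "strict_group_member": strict.effective_access("Bob Jones/Acme"),
        "strict_unlisted_user": strict.effective_access("Dan Ng/Acme"),
    }


if __name__ == "__main__":
    for case, result in scenarios().items():
        print(f"{case}: {result}")
```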

Setting up basic password authentication in a database Access Control List (ACL)


About this task
To require users to specify a valid name and password when accessing a database on the Sametime server:

1. From the Sametime server home page, click the "Administer the Server" link to open the Sametime Administration Tool.
2. If you are using a Domino Directory with the Sametime server, select Domino Directory - Domino. If you are using an LDAP directory with the Sametime server, select LDAP Directory.
3. Select Access Control.
4. Select a database from the list.
5. Click the Advanced button.
6. Set the "Maximum Internet name & password" access to Manager, which is the maximum access level.

Note: The "Maximum Internet name & password" setting on the advanced panel of each database Access Control List (ACL) specifies the maximum database access level granted to Web browser clients. This setting overrides higher individual access levels set in the ACL. For example, if you set the "Maximum Internet name & password" to Author and assign Manager access to the Anonymous entry in the database ACL, anonymous users will only have Author access to the database. Alternatively, if you set the "Maximum Internet name & password" to Manager and assign Reader access to the Anonymous entry in the database ACL, anonymous users will only have Reader access to the database.

7. Click the Access button.
8. Select the Anonymous entry, and then select No Access in the Access box.


If the Anonymous entry does not exist, you must create it. Use the following procedure to create an Anonymous entry and assign the No Access level to the entry:

- Click Add.
- Type Anonymous in the dialog box and click OK.
- Select the Anonymous entry, and then select No Access in the Access box.

9. Select the Default entry. You can either set an access level for the Default entry, or set the Default entry to No Access.

- If you specify an access level for the Default entry other than No Access, all users are required to authenticate when accessing the database. Each authenticated user receives the access level you have specified for the Default entry. It is not necessary to enter individual names or groups in the ACL. After selecting an access level for the Default entry, click Submit. You have finished the procedure required to set up basic password authentication in a database ACL. Skip the remaining steps.
- If you select No Access for the Default entry, you must enter individual user names or group names in the ACL. Only the names and groups you enter can access the database. Complete steps 10 and 11 to add users to the ACL.

10. Click the Add button to add user names or group names to the ACL. Click OK after adding each name.
11. Click Submit.


Authentication by token using LTPA and Sametime tokens


Sametime uses authentication by token to authenticate connections that occur after a user has authenticated to Domino once using password authentication. Authentication by token prevents a user from having to re-enter authentication credentials when accessing different servers or using Sametime Web clients or Domino applications that connect to a Sametime server.

The Sametime server includes two separate security features capable of generating the authentication token used by Sametime:

- Domino Single Sign-On (SSO) authentication feature - The Domino SSO feature must be enabled on a Sametime server. If the Domino SSO feature is not enabled on the Domino server when you install Sametime, the Sametime installation automatically enables and configures the Domino SSO feature. In some environments, you might need to alter the default SSO configuration provided by the Sametime installation. For more information, see Altering the Domino Web SSO configuration following the Sametime server installation.

  The end user must enter the fully qualified domain name of the Sametime server (for example, sametimeserver.meetings.acme.com) in the Web browser URL locator when accessing the Sametime server to authenticate successfully using SSO.

  If your Sametime environment includes only Sametime 3.0 (or higher) servers, and you do not use Sametime TeamRoom or Discussion databases that were available with earlier Sametime server releases, only the Domino SSO feature is required to support authentication by token. If your Sametime environment includes Sametime 3.0 (or higher) servers that interoperate with Sametime servers from releases earlier than Sametime 3.0, both the Domino SSO feature and the Secrets and Tokens databases must be supported on the Sametime server to enforce authentication by token.

  Sametime includes a custom logon form for the SSO feature. This custom logon form can be used in place of the default SSO logon form. The custom logon form is presented to the user the first time the user accesses a database on the server that requires basic password authentication.

  Note: Notes client integration with Sametime (and therefore SSO with Sametime) is not supported if the Sametime server is configured to use Internet sites, as the Notes client protocol (NRPC) for obtaining an SSO token does not work in concert with the use of Internet Sites. For more information on how to configure SSO with a Web Configuration document, see the topic "Altering the Domino Web SSO configuration" later in this chapter.

- Secrets and Tokens authentication databases - Sametime server releases earlier than Sametime 3.0 used only the Secrets and Tokens authentication databases to create authentication tokens. When Sametime 8.x operates in environments that include servers from Sametime releases earlier than Sametime 3.0, the Sametime 8.x server supports both the Domino SSO feature and the Secrets and Tokens authentication databases. A Sametime 8.x server supports Secrets and Tokens authentication by default. The following are required to support Secrets and Tokens authentication:

  - The Secrets and Tokens databases must be present on the server following a Sametime server installation.
  - The "Allow users to authenticate using either LTPA token or Sametime Token (stauths.nsf and stautht.nsf)" option must be selected in the Configuration-Community Services-General settings of the Sametime Administration Tool.

  Both conditions above exist on a Sametime server following the server installation, so no additional procedures are required to support Secrets and Tokens authentication following the installation. However, if you have enhanced security by enabling the SametimeSecretsGenerator agent in one Secrets database on one Sametime server in your community, you must ensure that this Secrets database is replicated to all Sametime servers in the community. For more information, see Replicating the Secrets database (optional).

Authentication by token using the Domino Single Sign-On (SSO) feature


The Domino Single Sign-On (SSO) feature must be enabled on the Sametime server. This feature creates Lightweight Third Party Authentication (LTPA) tokens that enable Web browser users to log in a single time to access multiple Sametime, Domino, or IBM WebSphere servers that are in the same DNS domain. This capability is called "single sign-on."

Sametime also uses LTPA tokens to authenticate connections from Sametime clients to the Community Services, Meeting Services, and Recorded Meeting Broadcast Services on the Sametime server. These clients are Java applets and include the Meeting Room client and Recorded Meeting client.

Note: Sametime also requires users to present an authentication token when attending an instant meeting. Client applications generate this token from the user's home Sametime server. Users with Sametime 2.5 (or earlier) home Sametime servers will present Sametime tokens (generated from the Secrets and Tokens databases) when connecting to instant meetings started on a Sametime 8.x server. For this reason, Sametime 8.x servers operating in Sametime environments that include Sametime servers from previous releases must also support the Secrets and Tokens databases for authentication by token.

Authentication by LTPA token occurs after a user has already authenticated once using password authentication. For example, authentication by token on a Sametime server might occur as follows:

1. A user accesses a Sametime Meeting Center database that requires authentication or clicks the "Log onto Sametime" link in the Sametime Meeting Center.

   Note: To successfully authenticate, the end user must enter the fully qualified domain name of the Sametime server (for example, sametimeserver.meeting.acme.com) in the Web browser URL locator when accessing the Sametime server.

2. An SSO logon form appears, and the user enters a valid user name and password from the Domino Directory (or LDAP directory) to authenticate.

   Note: Sametime provides a custom Sametime SSO logon form that can be enabled by the administrator. If the custom logon form is not enabled, the standard Domino SSO logon form displays to the user.

3. After a successful authentication, the Domino Single Sign-On (SSO) feature generates an LTPA token containing the user's authentication information and passes the token to the user's Web browser in a cookie. The user's Web browser must have cookies enabled to accept the LTPA token.
4. The user attends a meeting, and the Meeting Room client loads in the user's Web browser.
5. The Meeting Room client connects to the Meeting Services and Community Services and passes the LTPA token to Sametime. The Meeting Services and Community Services connections are authenticated using the LTPA token. The user is not required to re-enter authentication credentials to authenticate these connections.

The same LTPA token described above can be used to authenticate the user when the user accesses other Sametime, Domino, or WebSphere servers in the same DNS domain during a single Web browser session. The other Sametime, Domino, or WebSphere servers must also support the SSO feature (that is, the servers must accept LTPA tokens).

If the Domino SSO feature is not enabled when you install Sametime, the Sametime installation automatically enables and configures the Domino SSO feature. In some environments, it may be necessary to alter the SSO configuration following the Sametime server installation. For more information, see Altering the Domino Web SSO configuration following the Sametime server installation.

Altering the Domino Web SSO configuration following the Sametime server installation
The Sametime installation automatically enables and configures the Domino SSO feature on the Domino server. In some cases, it may be necessary to alter the default configuration of the Domino SSO feature following the Sametime server installation.

Note: This topic discusses the following issues pertaining to the Sametime installation and the Domino SSO feature:

- SSO configurations performed by the Sametime installation - This section explains how the Sametime installation configures the Domino Web SSO feature. You can use this information to determine if it is necessary to alter the default SSO configuration following a Sametime server installation.
- Altering the SSO configuration - This section explains the most common reasons for altering the SSO configuration following the Sametime server installation. In multiple Sametime server environments, it is frequently necessary to add the Domino server names of Sametime servers to the Domino Web SSO Configuration document.
- Viewing and editing the Domino Web SSO configuration document - This section explains how to edit the Domino Web SSO configuration document in the Domino Directory. This document contains the parameters for the Web SSO configuration that you may need to change.
- Sametime includes a custom SSO logon form. See Using the Sametime custom logon form for SSO for information about enabling this form following the Sametime server installation.

Note: If for some reason it is necessary to manually enable the Domino SSO feature, you can use the procedures described in Manually enabling the Domino SSO feature. You can also review these procedures to understand all configurations that are required to support SSO for the Sametime server.

SSO configurations performed by the Sametime installation


The Sametime installation enables the Domino SSO feature and performs the SSO configurations described below. The Sametime installation:

- Generates an LTPA token named LtpaToken. This token (or cookie) is used to authenticate Web browser and Sametime client connections to the Sametime server.
- Creates a Web SSO Configuration document and populates the following fields in the Web SSO Configuration document:
  - DNS Domain - To populate the DNS Domain field, the installation determines the fully-qualified domain name of the Sametime server machine and then subtracts the hostname value from the fully-qualified domain name. For example, if the installation determines the fully qualified name of the Sametime server is "Sametimeserver.east.acme.com," the installation writes ".east.acme.com" in the DNS Domain field. The LTPA token is then valid for the servers that belong to the DNS domain specified in the DNS Domain field.
  - Expiration (minutes) - This field specifies the length of time for which the LTPA token is valid. This value is 30 minutes by default. You may want to provide a longer value for the token expiration. Lotus software recommends a setting of 120 minutes.
  - Domino Server Names - Each Domino/Sametime server that can accept the SSO token must be listed in the Domino Server Names field. By default, the installation writes only the name of the Domino server on which Sametime is installed in this field. It may be necessary to add the names of all other Domino/Sametime servers in the community to this field. For more information, see Altering the SSO configuration.
- Alters the Sametime/Domino server Server document. The installation changes the Internet Protocols-Domino Web Engine-Session authentication field in the Server document to the value "Multiple servers (SSO)." The Session authentication field must have the "Multiple servers (SSO)" value even if your Sametime community uses only one Sametime server. If the "Multiple server (SSO)" value is not selected, the SSO feature will not function properly for Sametime.
- Automatically configures the Sametime server to use the Sametime custom logon form for SSO. To enable the custom logon form, the Sametime installation:
  - Creates a Domino Configuration database named domcfg.nsf in the root data directory of the Domino server. Note: If a domcfg.nsf database already exists on the Domino server when Sametime is installed, the Sametime installation overwrites the existing domcfg.nsf database.
  - Creates a "Mapping a Login Form" document in the domcfg.nsf database.
  - Populates the following fields in the Mapping a Login Form document: Target database filename - This field is set to the value "stcenter.nsf." Target form name - This field is set to STLogonForm.nsf.

The configurations described above ensure that the custom logon form named "STLogonForm.nsf" displays to users when users authenticate with the server.

Altering the SSO configuration


The default configuration outlined above meets the basic requirements necessary for a Sametime server to support SSO. In some cases, it may be necessary for the administrator to alter the "DNS Domain" field or the "Domino Server Names" field of the Domino Web SSO Configuration document following the Sametime server installation.

- Altering the DNS Domain field - The Sametime installation may not always accurately detect the fully-qualified domain name of the Sametime server machine. If this problem occurs, the DNS Domain field may not specify the appropriate DNS domain. The administrator might need to manually edit the Domino Web SSO Configuration document to add the appropriate entry in the DNS Domain field of the Domino Web SSO Configuration document. Follow the instructions in "Viewing and editing the Domino Web SSO Configuration document" below to manually edit the document.
- Altering the Domino Server Names field - If the Sametime community consists of multiple Sametime/Domino servers, the Domino server names of all of the Sametime/Domino servers in the Sametime community must exist in the "Domino Server Names" field of the Domino Web SSO Configuration document. By default, the installation writes only the name of the Domino server on which Sametime is installed to this field. If you have multiple Sametime servers, it may be necessary to manually open the Domino Web SSO configuration document and enter the names of the Domino/Sametime servers in the "Domino Server Names" field.

  For example, if you have Sametimeserver1/East/Acme and Sametimeserver2/East/Acme in your Sametime community, and you install Sametimeserver3/East/Acme, only Sametimeserver3/East/Acme is written to the Domino Server Names field during the Sametime installation. The administrator may need to open the Domino Web SSO Configuration document and manually enter the names Sametimeserver1/East/Acme and Sametimeserver2/East/Acme in the "Domino Server Names" field on the Domino Web SSO Configuration document on Sametimeserver3/East/Acme to ensure that all servers in the community are entered in this field. To manually open the Domino Web SSO Configuration document, see "Viewing and editing the Domino Web SSO Configuration document" below.

  Note that in multiple server environments, the Domino Directory may already be replicated to the Domino server at the time the Sametime server is installed.


If the Domino Directory already exists on the server and contains a Domino Web SSO configuration document, the Sametime installation will not attempt to alter the existing configuration in any way. In this case, the existing Domino Web SSO configuration document may already contain the names of the existing servers in the community and it may be necessary to add the name of the newly installed Sametime server to the Domino Web SSO configuration document. For example, the names Sametimeserver1/East/Acme and Sametimeserver2/East/Acme may already exist in the Domino Web SSO configuration document in the Domino Directory on the server reserved for the Sametimeserver3/East/Acme installation. Since the Sametimeserver3/East/Acme installation does not alter an existing SSO configuration, that server name will not appear in the Domino Web SSO Configuration document following the Sametime server installation. In this scenario, it is necessary to open the Domino Web SSO configuration document in the Domino Directory on Sametimeserver3/East/Acme and manually enter "Sametimeserver3/East/Acme" in the "Domino Server Names" field. All other parameters in the existing Web SSO Configuration document should be valid for the newly-added server.

Viewing and editing the Domino Web SSO Configuration document


To view or edit the Web SSO configuration document that is created by the Sametime installation, do the following:

1. From a Lotus Notes client, open the Domino Directory on the Sametime server.
2. Choose the Configuration - Web - Web Configurations view.
3. In the right-hand pane, select the twistie to display the document under "Web SSO Configurations."
4. Double-click on the document titled "Web SSO Configuration for LtpaToken" to open the Domino Web SSO Configuration document.
5. Click the Edit button to put the document in edit mode.
6. Edit the appropriate field (for example, the DNS Domain or Domino Server Names field).
7. Click Save and Close after editing the document.

Manually enabling the Domino SSO feature


About this task
If your environment requires you to manually enable the Domino SSO feature instead of using the default configuration provided by the Sametime installation, you can use the steps in this section to manually enable the Domino SSO feature. This procedure is identical to the procedure used to enable the SSO feature on a Domino server. After manually enabling the feature, you can configure the server to use the Sametime custom SSO logon form.

Generally, the Domino SSO feature will be enabled by default during the Sametime installation and it is not necessary to manually enable the feature. For more information, see Altering the Domino Web SSO configuration following the Sametime server installation.

To enable the Domino SSO feature on the Sametime server:

1. Create a Web SSO Configuration document in the Domino Directory.
2. Enable SSO and Name & Password authentication in the Server document.
3. Start the HTTP task on the SSO-enabled server.

Results

After enabling the Domino SSO feature, follow the procedure described in Using the custom Sametime SSO logon page to use the custom Sametime SSO logon form.

Create the Web SSO Configuration document in the Domino Directory


About this task
This procedure is the first of three required to manually enable the Domino SSO authentication feature on a Sametime server. In this procedure you create a Web SSO document that specifies the servers participating in the shared authentication, the time-out value for the cookie containing the LTPA access token, and the encrypted secret used to create the cookie.

Note: The 'Organization' field of the Web SSO Configuration document should be empty; otherwise, the LTPA token will not work with Sametime.

1. Using a Lotus Notes client, open the Domino Directory on the Sametime server.
2. Select Configuration - Servers - All Server Documents.
3. Select the Web pull-down menu button from the task bar.
4. Select Create Web SSO Configuration.
5. In the document, select the Keys pull-down menu button.
6. Select Create Domino SSO Key.

   Note: The Import WebSphere LTPA Keys option is usually used to enable a WebSphere server to communicate with a Domino server. To enable a WebSphere server to communicate with a Domino server, you must export the LTPA keys from the WebSphere server and import the LTPA keys to the Domino server. See the WebSphere Information Center documentation for details.

7. Configure the Token Expiration field. Note that a token does not expire based on inactivity; it is valid only for the number of minutes specified from the time of issue. The token is also valid only for a single browser session. Lotus software recommends an expiration value of 120 minutes.

   Note: Generally, the expiration value should reflect the average length of a Sametime meeting in your environment. Setting a high value may create a security risk. If the LTPA token is intercepted by an attacker, the attacker may use the token to illegally gain access to the Sametime server until the token expires. Setting up the Domino server to support SSL for Web browser connections provides the highest level of security against attempts to intercept LTPA tokens.

8. In the DNS Domain field, enter the DNS domain (for example, lotus.com or meetings.acme.com) for which the tokens will be generated. The servers enabled for SSO must all belong to the same DNS domain. This field is required.


When users access the Sametime server, they must enter the fully qualified domain name of the Sametime server for authentication to be successful (for example, sametimeserver.meetings.acme.com).

9. In the Server Names field, enter the servers that will be participating in SSO. Generally, this field should contain the Domino hierarchical names of all Sametime servers in your environment. You can browse and select the server names from the Domino Directory.

   Note: Groups and wildcards are not allowed in the field.

10. Select "Save and Close" to save the Web SSO Configuration document. The document will appear in the Web Configurations view. This document will be encrypted for the creator of the document, the members of the Owners and Administrators fields, and the servers specified in the Server Names field.
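The Web SSO Configuration rules scattered across this chapter (the DNS Domain the installation derives by subtracting the hostname from the server's fully qualified name, the fixed token lifetime measured from issue rather than from last activity, the Server Names list a server must appear in before it can decrypt the document, and the empty Organization field) are pulled together in the following model. It is an added illustration that mirrors the text, not Domino or Sametime code; the server names, user name and timestamps are constructed.

```python
"""Model of the Domino Web SSO Configuration checks described in this chapter.
Added illustration only; it is not Domino or Sametime code."""
from dataclasses import dataclass, field
from datetime import datetime, timedelta
from typing import List


def dns_domain_from_fqdn(fqdn: str) -> str:
    """Installation rule: subtract the hostname from the fully qualified name,
    e.g. 'Sametimeserver.east.acme.com' -> '.east.acme.com'."""
    host, dot, domain = fqdn.partition(".")
    if not dot or not domain:
        raise ValueError(f"{fqdn!r} is not a fully qualified domain name")
    return "." + domain.lower()


@dataclass
class WebSSOConfiguration:
    dns_domain: str
    expiration_minutes: int = 30             # installation default; Lotus recommends 120
    server_names: List[str] = field(default_factory=list)   # Domino hierarchical names
    organization: str = ""                   # must stay empty for Sametime

    def problems(self) -> List[str]:
        """Static checks mirroring the restrictions stated in the procedure."""
        found = []
        if not self.dns_domain:
            found.append("DNS Domain is required")
        elif not self.dns_domain.startswith("."):
            found.append("DNS Domain should begin with a dot, e.g. .east.acme.com")
        if self.organization:
            found.append("Organization must be empty or the LTPA token will not work")
        for name in self.server_names:
            if "*" in name:
                found.append(f"wildcards are not allowed in Server Names: {name}")
        return found

    def server_can_load(self, domino_server_name: str) -> bool:
        """A server absent from Server Names cannot decrypt the document and
        reverts to single-server session authentication."""
        return domino_server_name in self.server_names

    def browser_presents_token(self, host_in_url: str) -> bool:
        """The LtpaToken cookie is scoped to the DNS Domain, so the user must
        reach the server by a name inside that domain (a bare hostname fails)."""
        return host_in_url.lower().endswith(self.dns_domain.lower())


@dataclass
class LtpaToken:
    user: str
    issued_at: datetime

    def is_valid(self, config: WebSSOConfiguration, now: datetime) -> bool:
        # Inactivity is irrelevant: the token lives expiration_minutes from issue.
        return now < self.issued_at + timedelta(minutes=config.expiration_minutes)


def scenarios() -> dict:
    """Worked cases using constructed server names, user name and times."""
    config = WebSSOConfiguration(
        dns_domain=dns_domain_from_fqdn("Sametimeserver3.east.acme.com"),
        server_names=["Sametimeserver3/East/Acme"])    # what the installation writes
    long_lived = WebSSOConfiguration(config.dns_domain, expiration_minutes=120)
    bad = WebSSOConfiguration("east.acme.com", organization="Acme",
                              server_names=["*/East/Acme"])
    issued = datetime(2009, 6, 1, 9, 0)
    token = LtpaToken("Alice Smith/East/Acme", issued)
    return {
        "dns_domain": config.dns_domain,                               # ".east.acme.com"
        "fqdn_in_url": config.browser_presents_token("sametimeserver3.east.acme.com"),
        "bare_host_in_url": config.browser_presents_token("sametimeserver3"),
        "other_domain_in_url": config.browser_presents_token("sametimeserver3.west.acme.com"),
        "installed_server_loads": config.server_can_load("Sametimeserver3/East/Acme"),
        "sibling_server_loads": config.server_can_load("Sametimeserver1/East/Acme"),
        "valid_after_29_min": token.is_valid(config, issued + timedelta(minutes=29)),
        "valid_after_31_min": token.is_valid(config, issued + timedelta(minutes=31)),
        "valid_after_31_min_with_120": token.is_valid(long_lived, issued + timedelta(minutes=31)),
        "problem_count": len(bad.problems()),                          # 3
    }


if __name__ == "__main__":
    for case, result in scenarios().items():
        print(f"{case}: {result}")
```

The sibling-server case is the multi-server situation described under "Altering the SSO configuration": until Sametimeserver1/East/Acme is added to Server Names, it cannot load the document.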

Next step: Enable SSO and "Name & Password" authentication in the Server document.

Enable SSO and "Name & Password" authentication in the Server document
About this task
This procedure is the second of three required to manually enable the Domino SSO authentication feature on a Sametime server. Use this procedure to enable SSO and "Name & Password" authentication in the Server document of the Sametime server for which you are enabling the Domino SSO feature.

1. In the Configuration - Servers - All Server Documents view of the Domino Directory, double-click the name of the Sametime server to open the Server document.
2. Select Edit Server to put the Server document in edit mode.
3. Select the Ports tab.
4. Select the Internet Ports tab.
5. Select the Web tab (if it is not displayed by default).
6. For the HTTP TCP/IP port Authentication Options, select Yes in the "Name & Password" field.
7. Select the Internet Protocols tab.
8. Select the Domino Web Engine tab.
9. In the "HTTP Sessions" section, select "Multiple server (SSO)" in the "Session authentication" field.

   Note: You must select the "Multiple server (SSO)" value even if your environment includes only a single Sametime server.

10. Click "Save and Close" to save the Server document.

Next step: Start (or restart) the HTTP task on the SSO-enabled server.


Start (or restart) the HTTP task on the SSO-enabled server


About this task
This procedure is the last of three required to manually enable the Domino SSO authentication feature on a Sametime server. To start the HTTP task on the SSO-enabled server:

1. Open the Domino console.
2. Start the HTTP server, or stop and restart the HTTP server if it is already running.
   - Use the Tell HTTP Quit command to stop the HTTP server.
   - Use the Load HTTP command to start the HTTP server.
3. On the Domino console, the following message should appear:

   HTTP: Successfully loaded Web SSO Configuration

4. If a server enabled for SSO cannot find a Web SSO Configuration document or is not included in the Server Names field (and thus cannot decrypt the document), then the following message should appear on your server's console:

   HTTP: Error Loading Web SSO configuration. Reverting to single server session authentication.

Next step: Lotus software recommends using the custom Sametime SSO logon form. If you do not use this logon form, users will see the default Domino SSO logon form the first time they access a database on the server that requires authentication.

Note: Authentication by token does not occur if you allow anonymous access to the Sametime server and all its databases.

To configure the Sametime server to use the custom Sametime SSO logon form, see Using the Sametime custom logon form for SSO.

Using the Sametime custom logon form for SSO


The Sametime installation automatically configures the Sametime server to use the Sametime custom logon form for SSO. The Sametime installation performs the following configurations to enable the custom logon form. The Sametime installation:

1. Creates a Domino Configuration database named domcfg.nsf in the root data directory of the Domino server on which Sametime is installed. This database is created from the domcfg5.ntf template available with the Domino server.
2. Creates a "Mapping a Login Form" document in the domcfg.nsf database.
3. Populates the following fields in the Mapping a Login Form document:
   - Target database filename - This field is set to the value "stcenter.nsf."
   - Target form name - This field is set to STLogonForm.nsf.

The configurations described above ensure that the custom logon form named "STLogonForm.nsf" displays to users when users authenticate with the server.

394

Lotus Sametime Entry: Installation and Administration Guide

If a database named domcfg.nsf exists on the Sametime server when Sametime is installed, the administrator must manually enable the custom logon form. This procedure is described below.

Manually enabling the custom logon form


Follow the procedure below to manually enable the Sametime custom logon form for SSO. The custom logon form displays when the user accesses the first database on the server that requires authentication or selects the "Log on to Sametime" link in the Sametime Meeting Center.

Note: The custom logon form exists in the Sametime server home page database (stcenter.nsf). If you want to require users to authenticate when accessing the server, you should allow anonymous access to the Sametime server home page (stcenter.nsf) and require authentication to the Sametime Meeting Center database (stconf.nsf). With this arrangement, users access the server home page anonymously and are presented with the SSO logon form when attempting to create or attend a meeting.

To use the Sametime custom logon form for SSO, you must configure settings in the Domino Configuration database (domcfg.nsf) provided with the Domino server on which Sametime is installed.

To use the Sametime custom logon form for SSO:
1. Verify that the Sametime server has a Domino Configuration database named domcfg.nsf.
   Note: If your server includes an existing domcfg.nsf database, but you do not want to use that database, you can delete the existing domcfg.nsf database and create a new one. To create a new domcfg.nsf database, use the Domino Configuration (R5) template (domcfg5.ntf) available with a Domino server. When creating the new database, you must select the "Show advanced templates" option to access the domcfg5.ntf template.
2. If necessary, copy the domcfg.nsf Domino Configuration database to the root data directory of the Domino server on which Sametime is installed (for example, the C:\Lotus\Domino\Data directory).
3. From a Lotus Notes client, open the Domino Configuration database.
4. Choose Add Mapping.
5. Under Site Information, accept the default of All Web Sites/Entire Server.
6. In the "Target database filename" field, enter stcenter.nsf.
7. In the "Target form name" field, enter STLogonForm.

Required ACL settings for the Sametime Center database (stcenter.nsf)


The Sametime Center database (stcenter.nsf) must meet the following ACL requirements for the custom logon form to operate properly.
- In the Advanced options of the stcenter.nsf ACL settings, the "Maximum Internet name & password" field must allow at least Reader access. If either Depositor or No Access is selected, the logon form will not appear.
- In the Basics options of the stcenter.nsf ACL settings, anonymous users must have an access level of Reader or higher. If the access level provided for anonymous users is less than Reader, the logon form will not appear. The "Write public documents" and "Read public documents" options should also be selected.
Chapter 24. Working with Sametime security


Authentication by token using Secrets and Tokens databases


To authenticate by token, the Sametime server can accept an authentication token created by the Secrets and Tokens authentication databases, the Domino Single Sign-On (SSO) feature, or both. The Sametime server can also generate tokens using the Secrets and Tokens authentication databases or the Domino SSO feature.

If the Sametime server is operating in an environment that includes Sametime servers from releases earlier than Sametime 3.0, or if Domino databases enabled with Sametime technology (such as the Sametime Discussion and TeamRoom databases that were available with earlier releases) are used in your environment, the Sametime server must support both the Secrets and Tokens authentication databases and the Domino SSO authentication feature.

The Sametime server is set up to support Secrets and Tokens authentication by default. The basic requirements for this authentication system are:
- The Secrets (stauths.nsf) and Tokens (stautht.nsf) databases must exist on the Sametime server. These databases are created during the Sametime server installation.
- The "Allow users to authenticate using either LTPA or Sametime Tokens (stauths.nsf and stautht.nsf)" option must be selected in the Sametime Administration Tool. (This option is selected by default.)

Note that previous releases of Sametime allowed an administrator to enhance the level of security provided by the Secrets and Tokens databases by enabling the SametimeSecretsGenerator agent in one Sametime Secrets database (stauths.nsf) on one Sametime server in the Sametime community. If you enable the SametimeSecretsGenerator agent on one Secrets database on one Sametime server, that Secrets database must be replicated to all Sametime servers in the community. If your environment includes Sametime servers from previous releases and you are currently replicating a Secrets database to all of the servers in your environment, you must also replicate that Secrets database to the Sametime servers.

There are two procedures associated with ensuring the Secrets and Tokens authentication databases on the Sametime server are functioning properly:
1. If necessary, select the "Allow users to authenticate using either LTPA or Sametime Tokens (stauths.nsf and stautht.nsf)" option in the Sametime Administration Tool. (This option is selected by default.)
2. Replicate the Secrets and Tokens databases (optional). This step is necessary only if you have deployed Domino databases enabled with Sametime technology (such as Sametime TeamRoom and Discussion databases) or if you have enhanced security by enabling the SametimeSecretsGenerator agent in the Secrets database.

Selecting the "Allow users to authenticate using either LTPA or Sametime Tokens (stauths.nsf and stautht.nsf)" option
About this task
This procedure is the first of two associated with setting up the Secrets and Tokens authentication system on a Sametime server. Note: This procedure might not be necessary as the "Allow users to authenticate using either LTPA or Sametime Tokens (stauths.nsf and stautht.nsf)" setting is enabled by default following the server installation.


The "Allow users to authenticate using either LTPA or Sametime Tokens (stauths.nsf and stautht.nsf)" setting must be enabled in the Sametime Administration Tool to enable the Sametime server to accept both LTPA and Sametime Tokens. This setting must be set consistently on all Sametime 8.x, 7.x, 6.5.1, and 3.x servers in your environment: if you enable this setting on one Sametime server, you must enable it on all Sametime servers in your environment, and if you disable it on one Sametime server, you must disable it on all Sametime servers in the environment.

To enable this setting:
1. From the Sametime server home page, click the Administer the server link to open the Sametime Administration Tool.
2. Choose Configuration.
3. Choose Community Services.
4. Select the "Allow users to authenticate using either LTPA or Sametime Tokens (stauths.nsf and stautht.nsf)" option.
5. Click Update.

Results
You have the option of replicating the Secrets database to enhance security.

What to do next
You must restart the server for the setting to take effect.

Replicating the Secrets and Tokens databases (optional)


About this task
This topic discusses the second of two procedures associated with setting up the Secrets and Tokens authentication system on a Sametime server.

The Secrets and Tokens databases exist on every Sametime server. If you have installed multiple Sametime servers, you can enable the SametimeSecretsGenerator agent in the Secrets database. Enabling the SametimeSecretsGenerator agent is an optional procedure that increases security against outside attacks.

If you enable the SametimeSecretsGenerator agent, only one Secrets database should be used for all Sametime servers in the environment. You should replicate the Sametime Secrets database in which you have enabled the SametimeSecretsGenerator agent to all Sametime servers in the environment. Create a replication schedule for the Secrets database in which you have enabled the SametimeSecretsGenerator agent to ensure it replicates at regular intervals. Delete all other copies of the Secrets database from all Sametime servers in the environment. For more information, see "Integrating a Sametime server into an existing Sametime community."

Do not replicate the Tokens database to the other Sametime servers. The replicated Secrets database can work with the Tokens database that exists on each Sametime server by default following the server installation.

If you do not enable the SametimeSecretsGenerator agent in any Secrets database on any Sametime server, it is not necessary to replicate the Secrets database. If you do not enable the SametimeSecretsGenerator agent, administration is simpler because no replications or replication schedules are required, but the security level is not as high.


Configuring Sametime for SPNEGO single sign-on


IBM Lotus Sametime has a token-based single sign-on (SSO) feature that uses the Simple and Protected GSS-API Negotiation Mechanism (SPNEGO). This feature requires the integration of several distinct components that when completed, allows Sametime users to log in and authenticate only once at their desktop and thereafter automatically authenticate with the Sametime server.

Before you begin


Note: The SPNEGO feature replaces Microsoft Windows Single Sign-On; you should use SPNEGO instead because Lotus Sametime will no longer support the Microsoft Windows SSO feature.

Required components
- Sametime Connect client
- Sametime server pointing to a Microsoft Active Directory LDAP server
- WebSphere server
- Microsoft Windows Active Directory Domain Controller and associated Kerberos Key Distribution Center (KDC)
- Microsoft Windows domain member

Follow these steps to configure Sametime for SPNEGO single sign-on:
1. Configure Sametime to use Active Directory.
2. Configure WebSphere for SPNEGO single sign-on:
   a. Connect WebSphere to Active Directory.
   b. Enable WebSphere security.
   c. Enable the SPNEGO TAI.
   d. Establish the secured resource URL to be used by the Sametime client.
   For more detailed information on setting up SPNEGO, see "Creating a single sign-on for HTTP requests using the SPNEGO TAI" in the IBM WebSphere information center.
3. Enable single sign-on for Domino and WebSphere application servers. Once WebSphere has been configured for SPNEGO single sign-on, the Domino server must import WebSphere's LTPA key to allow single sign-on between WebSphere and Sametime. See the technote "Enabling Single Sign-on for Domino and WebSphere Application Servers."
4. Validate the SPNEGO configuration.

Sametime SPNEGO login sequence


After logging into the Active Directory domain on a Microsoft Windows desktop, the user starts the IBM Lotus Sametime Connect client. When Log In is clicked, a two-phase login operation begins. Note that there is no user interface or user intervention required in this process.

In phase 1, the client executes an HTTP request for a protected URL on the IBM WebSphere server. This request is processed by the Simple and Protected GSS-API Negotiation Mechanism (SPNEGO) trust association interceptor (TAI), which triggers the SPNEGO negotiation between the client machine and WebSphere. Once trust is established, an LtpaToken is sent to the client in the HTTP response.

In phase 2, the client securely logs into the Sametime server using the LtpaToken.

The following picture shows the Lotus Sametime SPNEGO login sequence.
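The two-phase exchange above, as an added simulation that is not part of Lotus Sametime or WebSphere: a local stand-in for the TAI answers the protected URL with the Negotiate challenge and then the LtpaToken, and a client follows both phases and finally presents only the LtpaToken to the Sametime page. The secured URL, the Sametime path and both token values are constructed placeholders, and no Kerberos KDC is involved.

```python
"""Simulate the two-phase Sametime SPNEGO login (added example, not IBM code).

A local HTTP server imitates the WebSphere SPNEGO TAI: it challenges with
WWW-Authenticate: Negotiate, accepts an Authorization: Negotiate header and
sets an LtpaToken cookie.  A second path imitates the Sametime server, which
accepts that cookie instead of a password.  The GSS token and the LtpaToken
are constructed placeholders; paths and host are assumptions.
"""
import base64
import threading
from http.server import BaseHTTPRequestHandler, HTTPServer
from urllib import error, request

PROTECTED_PATH = "/protected/login"   # assumed secured resource URL on WebSphere
SAMETIME_PATH = "/stcenter.nsf"       # Sametime home page, as in the validation step
FAKE_GSS_TOKEN = base64.b64encode(b"constructed-spnego-token").decode()
LTPA_VALUE = "constructed-ltpa-token"


class TaiStandIn(BaseHTTPRequestHandler):
    """Server side of both phases."""

    def log_message(self, *args):  # keep the example quiet
        pass

    def do_GET(self):
        auth = self.headers.get("Authorization", "")
        cookie = self.headers.get("Cookie", "")
        if self.path == PROTECTED_PATH:
            if not auth.startswith("Negotiate "):
                # Phase 1a: no ticket presented yet -> SPNEGO challenge.
                self.send_response(401)
                self.send_header("WWW-Authenticate", "Negotiate")
                self.end_headers()
                return
            # Phase 1b: trust established -> LtpaToken travels in the response.
            self.send_response(200)
            self.send_header("Set-Cookie", f"LtpaToken={LTPA_VALUE}; Path=/")
            self.end_headers()
            self.wfile.write(b"secured page")
        elif self.path == SAMETIME_PATH:
            # Phase 2: Sametime accepts the LtpaToken; nothing else is sent.
            if f"LtpaToken={LTPA_VALUE}" in cookie:
                self.send_response(200)
                self.end_headers()
                self.wfile.write(b"logged in")
            else:
                self.send_response(401)
                self.end_headers()
        else:
            self.send_response(404)
            self.end_headers()


def start_server():
    server = HTTPServer(("127.0.0.1", 0), TaiStandIn)
    threading.Thread(target=server.serve_forever, daemon=True).start()
    return server


def sametime_status(base_url, token=None):
    """HTTP status the Sametime stand-in returns with (or without) an LtpaToken."""
    headers = {"Cookie": f"LtpaToken={token}"} if token else {}
    try:
        with request.urlopen(request.Request(base_url + SAMETIME_PATH, headers=headers)) as resp:
            return resp.status
    except error.HTTPError as exc:
        return exc.code


def spnego_login(base_url):
    """Client side of phase 1: returns (challenge header, LtpaToken or None)."""
    try:
        request.urlopen(base_url + PROTECTED_PATH)
        challenge = None
    except error.HTTPError as exc:
        challenge = exc.headers.get("WWW-Authenticate")
    if challenge != "Negotiate":
        return challenge, None
    req = request.Request(base_url + PROTECTED_PATH,
                          headers={"Authorization": "Negotiate " + FAKE_GSS_TOKEN})
    with request.urlopen(req) as resp:
        set_cookie = resp.headers.get("Set-Cookie", "")
    if not set_cookie.startswith("LtpaToken="):
        return challenge, None
    return challenge, set_cookie.split(";")[0].split("=", 1)[1]


def run_demo():
    """Both phases end to end; also shows Sametime refusing a request without the token."""
    server = start_server()
    try:
        base = f"http://127.0.0.1:{server.server_port}"
        challenge, token = spnego_login(base)
        return challenge, token, sametime_status(base, token), sametime_status(base)
    finally:
        server.shutdown()
        server.server_close()
```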

Configuring Sametime to use Active Directory


Before you can configure IBM Lotus Sametime to use SPNEGO single sign-on, you must configure the Sametime server to use the Microsoft Windows Active Directory.



1. On the Sametime server home page, click "Administer the Server."
2. Expand the LDAP Directory.
3. Enter values in the LDAP Directory that are appropriate for your site, and click Update when you are finished. See the example in the following table.


Example

Connectivity tab
  Host name or IP address of the LDAP server: yourserver.yourdomain.yourcompany.com
  Administrator distinguished name: cn=administer,ou=Users,ou=Company,ou=Division,o=Group1,dc=floor5,dc=market,dc=ourcompany,dc=com
  Administrator password: mypassword

Basics tab
  People - Where to start searching for people (Base object for person entries): OU=Company,O=Group,DC=floor5,DC=market,DC=ourcompany,DC=com
  People - The attribute of the person entry that defines the person's name (for example, cn or mail): CN
  People - The object class used to determine if an entry is a person (for example, organizationalPerson): organizationalPerson
  Groups - Where to start searching for groups (Base object for group entries): OU=Company,O=Group,DC=floor5,DC=market,DC=ourcompany,DC=com
  Groups - Attribute of the group that defines the group name (for example, cn or mail): member
  Groups - The group object class used to determine if an entry is a group (for example, groupOfNames or groupOfUniqueNames): Group

Authentication tab
  Search filter to use when resolving a user name to a distinguished name (Modifying this field affects the name people use to authenticate.): (&(objectcategory=person)(|(cn=%s*)(givenname=%s*)(sn=%s*)(mail=%s*)))

Searching tab
  Search filter for resolving person names: (&(objectcategory=person)(|(cn=%s*)(givenname=%s*)(sn=%s*)(mail=%s*)))
  Search filter for resolving group names: (&(objectcategory=group)(cn=%s*))

Group Contents tab
  Attribute in the group object class that has the names of the group members (for example, member or uniqueMember): member
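The search filters in the table above contain %s placeholders that are filled with the name being resolved. The following added example (not part of Lotus Sametime) performs that substitution with the filters exactly as shown, and adds a step the table does not discuss: RFC 4515 escaping of the substituted value, so that a name containing filter metacharacters stays a literal and cannot change the shape of the filter. The user names are constructed sample input.

```python
"""Build the Sametime LDAP search filters shown above (added example).

The filters are copied from the example table; the escaping helper is this
example's own addition and follows RFC 4515.  Names are constructed input.
"""

# Filters exactly as they appear in the example table.
PERSON_FILTER = "(&(objectcategory=person)(|(cn=%s*)(givenname=%s*)(sn=%s*)(mail=%s*)))"
GROUP_FILTER = "(&(objectcategory=group)(cn=%s*))"

# RFC 4515 escapes for characters that are special inside a filter value.
_ESCAPES = {
    "\\": "\\5c",
    "*": "\\2a",
    "(": "\\28",
    ")": "\\29",
    "\x00": "\\00",
}


def escape_filter_value(value: str) -> str:
    """Escape a value so it is treated as literal text inside a filter."""
    return "".join(_ESCAPES.get(ch, ch) for ch in value)


def build_filter(template: str, name: str) -> str:
    """Replace every %s in the template with the escaped name."""
    return template.replace("%s", escape_filter_value(name))


def paren_balanced(flt: str) -> bool:
    """Structural check: unescaped parentheses must balance and never go negative."""
    depth = 0
    i = 0
    while i < len(flt):
        ch = flt[i]
        if ch == "\\":
            i += 3  # skip an escape sequence of the form \xx
            continue
        if ch == "(":
            depth += 1
        elif ch == ")":
            depth -= 1
            if depth < 0:
                return False
        i += 1
    return depth == 0


def resolve_filters(name: str) -> dict:
    """Both filters a server would issue for one name, plus a sanity flag."""
    person = build_filter(PERSON_FILTER, name)
    group = build_filter(GROUP_FILTER, name)
    return {
        "person": person,
        "group": group,
        "balanced": paren_balanced(person) and paren_balanced(group),
    }
```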



Validating the SPNEGO configuration


Before using the IBM Lotus Sametime Connect client, you can validate the Simple and Protected GSS-API Negotiation Mechanism (SPNEGO) configuration using the following test.
1. Log in to the Active Directory domain on the Microsoft Windows client machine.
2. Configure the client browser to use SPNEGO. See "Configuring the client browser to use SPNEGO" in the IBM WebSphere information center.
3. Using a browser, request the protected URL from the WebSphere server. This action triggers the TAI interceptor. Instead of being challenged with a form authentication dialog, you will be authenticated automatically; the browser simply loads the secured page. If this is successful, then WebSphere has been configured for SPNEGO single sign-on correctly.
4. In the same browser window, enter the address of the Sametime Meetings center (http://<hostname>/stcenter.nsf). When the page loads, you should be logged in automatically. If you are successful, single sign-on between Sametime and WebSphere has been configured correctly.

Configuring the Sametime Connect client for token login


Single sign-ons for HTTP requests using the Simple and Protected GSS-API Negotiation Mechanism (SPNEGO) trust association interceptor (TAI) for WebSphere Application Server allow IBM Lotus Sametime users to log in and authenticate only once at their desktop and receive automatic authentication from the WebSphere Application Server.

About this task


You must configure the Lotus Sametime Connect client to use the SPNEGO SSO feature. Configuration can be established in a silent installation or done manually by the end user.

Silent installation
The settings for token-based login can be pre-configured using the silent installer. In the silentinstall.ini file found on the Lotus Sametime Connect compact disk, include the following settings:
   STAUTHSERVERURL=<WebSphere Authentication URL>
   STLOGINBYTOKEN=true
   STUSEAUTHSERVER=true

Manual configuration
To configure the Sametime Connect client manually for SPNEGO single sign-on, follow these steps:
1. In the Log in to Sametime dialog box, enter your fully qualified host server name and your user name.
2. Click Connectivity.
3. Select the Use token based single sign on box.
4. Enter the URL for your authentication server in the Authentication server URL box. For example, http://authenserverurl.com.
5. Click OK.
6. In the Log in to Sametime dialog box, click Log In.

Configuring Sametime to use SSL encryption


Configure IBM Lotus Sametime to use SSL (Secure Socket Layer) for its services, and configure HTTPS when communicating with Web clients or enable LDAPS (LDAP over SSL) with the LDAP server.

About this task


You can encrypt communications for Lotus Sametime Services and the communication between Lotus Sametime and Web browsers. You can also encrypt communications between an LDAP server and the Lotus Sametime server with the LDAPS protocol. You can set up either, or both, of these protocols independently.

Enabling encryption for Lotus Sametime Services, and between Lotus Sametime and Web browsers
Configure SSL encryption for IBM Lotus Sametime Services and enable HTTPS for Web browsers.

About this task


Enabling SSL encryption with the HTTPS (browser-based) protocol involves the following tasks:

Preparing Lotus Domino to use SSL


Because IBM Lotus Sametime resides on an IBM Lotus Domino server, you must enable the Lotus Domino server's HTTP component to support Secure Socket Layer (SSL) before you can configure the Lotus Sametime server to encrypt communications.

About this task


Follow the steps in the Lotus Domino Administrator information center to set up a Lotus Domino server to support SSL for HTTP connections:

publib.boulder.ibm.com/infocenter/domhelp/v8r0/topic/com.ibm.help.domino.admin.doc/DOC/H_ABOUT_SETTIN

Preparing Lotus Sametime to use SSL


Set up SSL encryption on the IBM Lotus Sametime server by importing the SSL certificate used by IBM Lotus Domino and configuring the Lotus Sametime server to use it.

About this task


Install the GSKit and use the IKeyMan program to create a keystore on the Lotus Sametime server before you import the Lotus Domino server's SSL certificate and complete configuration changes to enable support for SSL. Complete the following tasks in the sequence shown:

Setting up a keystore for the SSL certificate used by Lotus Domino:

Install the IBM GSKit with the IBM IKeyMan utility and then create a keystore file to hold the IBM Lotus Domino server's SSL certificate.

About this task
Lotus Sametime on IBM i5/OS already includes a keystore file called stkeys.jks, so you can skip this procedure and proceed directly to obtaining and importing a copy of the SSL certificate from the Lotus Domino server into the Lotus Sametime server. On IBM AIX, Linux, Solaris, and Microsoft Windows, you must create the keystore file yourself by completing the following tasks:

Installing GSKit and IKeyMan on the Lotus Sametime server:

The IBM IKeyMan utility is contained in the GSKit program, so you must install both on the IBM Lotus Sametime server before you can set up a keystore file.

About this task
The Lotus Sametime server must store a copy of the IBM Lotus Domino server's SSL trusted root certificate to complete the SSL handshake when making an SSL connection to a browser-based client. Before you can import the SSL certificate from the Lotus Domino server, use the GSKit and IKeyMan utility to create a keystore file on the Lotus Sametime server for storing the certificate.

Notes:
- On IBM i5/OS, Lotus Sametime comes with the IKeyMan utility already installed, but you must install DCM software instead; the instructions are in this section.
- You only need to install GSKit and IKeyMan once. If you have already installed these programs during an earlier procedure, you can skip this task.

The instructions for installing DCM, or the GSKit and the IKeyMan utility, vary according to your server's operating system; use the instructions in the appropriate topic:

Installing GSKit and IKeyMan on AIX:

Install the GSKit with the IKeyMan utility on an IBM Lotus Sametime server that runs on IBM AIX.

About this task
IBM Lotus Domino also ships with a version of GSKit, but for this task you must use the version included with Lotus Sametime.

To install GSKit and IKeyMan on AIX, follow the steps below:
1. Log on to the Lotus Sametime server as the root user.
2. Stop the Lotus Domino and Lotus Sametime server.
3. Download the GSKit directory to a temporary location on the server.

Information on downloading packages for Lotus Sametime is located in the Download document:
www.ibm.com/support/docview.wss?rs=477&uid=swg24020732

4. Navigate to your server's copy of the GSKit directory and open a command prompt.
5. Install GSKit using the System Management Interface Tool (SMIT) utility to install the gskak.rte package. The package name is "version AIX Certificate and SSL Base ACME Runtime Toolkit".
6. Use a text editor to add com.ibm.spi.IBMCMSProvider to the list of providers in the java.security file as follows:
   a. Navigate to the /opt/ibm/lotus/notes/latest/ibmpow/ibm-jre/jre/lib/security directory.
   b. Open the java.security file.
   c. In the java.security file, add the following statement to the list of security providers:
      security.provider.5=com.ibm.spi.IBMCMSProvider
   The example below illustrates this line added to the java.security file (notice that the preference numbers must be in sequence):
      #
      security.provider.1=com.ibm.jsse.IBMJSSEProvider
      security.provider.2=com.ibm.crypto.provider.IBMJCE
      security.provider.3=com.ibm.security.jgss.IBMJGSSProvider
      security.provider.4=com.ibm.security.cert.IBMCertPath
      security.provider.5=com.ibm.spi.IBMCMSProvider
      #
   d. Save and close the file.
7. Navigate to the /opt/ibm/lotus/notes/latest/ibmpow/ibm-jre/jre/lib/ext directory, and delete the gskikm.jar file.
8. Set the JAVA_HOME environment variable to the Java VM installed under the Lotus Sametime binaries directory, and export it so that IKeyMan sees it:
      JAVA_HOME=/opt/ibm/lotus/notes/latest/ibmpow/ibm-jre/
      export JAVA_HOME

Installing GSKit and IKeyMan on Linux:

Install the GSKit with the IKeyMan utility on an IBM Lotus Sametime server that runs on Linux.

About this task
IBM Lotus Domino also ships with a version of GSKit, but for this task you must use the version included with Lotus Sametime.

To install GSKit and IKeyMan on Linux, follow the steps below:
1. Log on to the Lotus Sametime server as the root user.
2. Stop the Lotus Domino and Lotus Sametime server.
3. Download the GSKit directory to a temporary location on the server. Information on downloading packages for Lotus Sametime is located in the Download document:
www.ibm.com/support/docview.wss?rs=477&uid=swg24020732

4. Navigate to your server's copy of the GSKit directory and open a command prompt.


5. Install the GSKit RPM. Note: The examples show release 7 of GSKit, but this program is periodically updated in the Lotus Sametime kits, so you may find that a newer version of GSKit was installed on your server. For example:
rpm -i gsk7bas-7.0-3.31.i386.rpm

6. Edit the java.security file as follows:
   a. Navigate to the /opt/ibm/lotus/notes/latest/linux/ibm-jre/jre/lib/security/ directory.
   b. Open the java.security file.
   c. Use a text editor to add com.ibm.spi.IBMCMSProvider to the list of providers in the java.security file as follows:
      security.provider.5=com.ibm.spi.IBMCMSProvider
   The example below illustrates this line added to the java.security file (notice that the preference numbers must be in sequence):
      #
      security.provider.1=com.ibm.jsse.IBMJSSEProvider
      security.provider.2=com.ibm.crypto.provider.IBMJCE
      security.provider.3=com.ibm.security.jgss.IBMJGSSProvider
      security.provider.4=com.ibm.security.cert.IBMCertPath
      security.provider.5=com.ibm.spi.IBMCMSProvider
      #
   d. Save and close the file.
7. Navigate to the /opt/ibm/lotus/notes/latest/linux/ibm-jre/jre/lib/ext directory, and delete the gskikm.jar file.
8. Set the JAVA_HOME environment variable to the Java VM installed under the Lotus Sametime binaries directory:
      JAVA_HOME=/opt/ibm/lotus/notes/latest/linux/ibm-jre/jre
      export JAVA_HOME

Installing GSKit and IKeyMan on Solaris:

Install the GSKit with the IKeyMan utility on an IBM Lotus Sametime server that runs on Solaris.

About this task
IBM Lotus Domino also ships with a version of GSKit, but for this task you must use the version included with Lotus Sametime.

To install GSKit and IKeyMan on Solaris, follow the steps below:
1. Log on to the Lotus Sametime server as the root user.
2. Stop the Lotus Domino and Lotus Sametime server.
3. Download the GSKit directory to a temporary location on the server. Information on downloading packages for Lotus Sametime is located in the Download document:
www.ibm.com/support/docview.wss?rs=477&uid=swg24020732

4. Navigate to your server's copy of the GSKit directory and open a command prompt. 5. Install GSKit as follows:


   Note: The examples show release 6 of GSKit, but this program is periodically updated in the Lotus Sametime kits, so you may find that a newer version of GSKit was installed on your server.
   a. Uncompress and untar the gsk6bas.tar.Z file.
   b. Use one of the following methods to install GSKit:
      - Use the admintool application.
      - Use the pkgadd command; for example:
pkgadd -d /var/spool/pkg gsk6bas

6. Use a text editor to add com.ibm.spi.IBMCMSProvider to the list of providers in the java.security file as follows:
   a. Navigate to the /opt/ibm/lotus/notes/latest/sunspa/ibm-jre/jre/lib/security/ directory.
   b. Open the java.security file.
   c. In the java.security file, add the following statement to the list of security providers:
      security.provider.5=com.ibm.spi.IBMCMSProvider
   The example below illustrates this line added to the java.security file (notice that the preference numbers must be in sequence):
      #
      security.provider.1=com.ibm.jsse.IBMJSSEProvider
      security.provider.2=com.ibm.crypto.provider.IBMJCE
      security.provider.3=com.ibm.security.jgss.IBMJGSSProvider
      security.provider.4=com.ibm.security.cert.IBMCertPath
      security.provider.5=com.ibm.spi.IBMCMSProvider
      #
   d. Save and close the file.
7. Navigate to the /opt/ibm/lotus/notes/latest/sunspa/ibm-jre/jre/lib/ext directory, and delete the gskikm.jar file.
8. Set the JAVA_HOME environment variable to the Java VM installed under the Lotus Sametime binaries directory:
      JAVA_HOME=/opt/ibm/lotus/notes/latest/sunspa/ibm-jre/
      export JAVA_HOME

Installing GSKit and IKeyMan on Windows:

Install the GSKit with the IKeyMan utility on an IBM Lotus Sametime server that runs on Windows.

About this task
IBM Lotus Domino also ships with a version of GSKit, but for this task you must use the version included with Lotus Sametime.

To install GSKit and IKeyMan on Microsoft Windows, follow the steps below:
1. Log on to the Lotus Sametime server as the Windows administrator.
2. Stop the Lotus Domino and Lotus Sametime server.
3. Download the GSKit directory to a temporary location on the server. Information on downloading packages for Lotus Sametime is located in the Download document:
www.ibm.com/support/docview.wss?rs=477&uid=swg24020732

4. Open a command prompt and navigate to your server's copy of the GSKit directory. 5. Install GSKit and IKeyMan by running the following command:


setup.exe GSKit Sametime_install_root -s -f1setup.iss

For example:
setup.exe GSKit C:\Program Files\Lotus\Domino -s -f1setup.iss

This command performs a silent installation of the IKeyMan program into the Lotus Sametime installation directory.
6. Verify that the installation is successful:
   Note: The examples show release 7 of GSKit, but this program is periodically updated in the Lotus Sametime kits, so you may find that a newer version of GSKit was installed on your server.
   a. Verify that a folder called ibm\gsk7 now exists under the Lotus Sametime installation directory.
   b. Verify that the HKLM\Software\ibm\gsk7 registry key has been created on the server.
7. Set the JAVA_HOME environment variable to the Java VM installed under the Lotus Sametime binaries directory:
   a. From the Windows desktop, right click on the My Computer icon and select System Properties.
   b. In the "System Properties" dialog box, select the Advanced tab.
   c. Click the Environment Variables button.
   d. In the "New System Variable" dialog box, click the New button under the "System Variables" list, and enter the following information:
Table 17. Defining the new JAVA_HOME environment variable
   Variable name: JAVA_HOME
   Variable value: Sametime_install_root\ibm-jre\jre (for example, C:\Lotus\Sametime\ibm-jre\jre)

   e. Click OK to close the "New System Variable" dialog box.
   f. Click OK to close the "Environment Variables" dialog box.
   g. Click OK to close the "System Properties" dialog box.
8. Use a text editor to add com.ibm.spi.IBMCMSProvider to the list of providers in the java.security file as follows:
   a. Navigate to the Sametime_install_root\ibm-jre\jre\lib\security directory. For example:
      C:\Program Files\Lotus\Domino\ibm-jre\jre\lib\security
   b. Open the java.security file.
   c. In the java.security file, add the following statement to the list of security providers:
      security.provider.5=com.ibm.spi.IBMCMSProvider
   The example below illustrates this line added to the java.security file (notice that the preference numbers must be in sequence):
      #
      # List of providers and their preference orders (see above)
      #
      security.provider.1=com.ibm.jsse.IBMJSSEProvider
      security.provider.2=com.ibm.crypto.provider.IBMJCE
      security.provider.3=com.ibm.security.jgss.IBMJGSSProvider
      security.provider.4=com.ibm.security.cert.IBMCertPath
      security.provider.5=com.ibm.spi.IBMCMSProvider
      #


9. Navigate to the Sametime_install_root\ibm-jre\jre\lib\ext directory, and delete the gskikm.jar file. For example:
C:\Program Files\Lotus\Domino\ibm-jre\jre\lib\ext\gskikm.jar
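The java.security edit is the same on AIX, Linux, Solaris and Windows: append com.ibm.spi.IBMCMSProvider with the next preference number and keep the numbers in sequence. The following added example (not an IBM tool) performs that edit on the file text, refuses to touch a list whose numbering already has a gap, and leaves the file alone if the provider is already present. The sample file content is constructed to match the listing shown above.

```python
"""Add com.ibm.spi.IBMCMSProvider to a java.security provider list (added example).

Implements the manual edit described in the platform procedures above and
enforces the stated rule that preference numbers must stay in sequence.
SAMPLE_BEFORE is constructed to mirror the listing in the text.
"""
import re

PROVIDER = "com.ibm.spi.IBMCMSProvider"
_LINE = re.compile(r"^security\.provider\.(\d+)=(\S+)\s*$")


def parse_providers(text):
    """Return [(number, class)] for every security.provider.N line, in file order."""
    found = []
    for line in text.splitlines():
        m = _LINE.match(line)
        if m:
            found.append((int(m.group(1)), m.group(2)))
    return found


def check_sequence(providers):
    """True when preference numbers run 1..N with no gaps or duplicates."""
    numbers = [n for n, _ in providers]
    return numbers == list(range(1, len(numbers) + 1))


def add_provider(text, provider=PROVIDER):
    """Return the file text with the provider appended at the next free number.

    The text is returned unchanged if the provider is already listed.  A
    ValueError is raised if the existing numbering has a gap or a duplicate,
    because appending to a broken sequence would only hide the real problem.
    """
    providers = parse_providers(text)
    if not check_sequence(providers):
        raise ValueError("provider preference numbers are not in sequence")
    if any(cls == provider for _, cls in providers):
        return text
    new_line = f"security.provider.{len(providers) + 1}={provider}"
    lines = text.splitlines()
    provider_idx = [i for i, l in enumerate(lines) if _LINE.match(l)]
    if provider_idx:
        # Keep the provider block together: insert right after the last entry.
        lines.insert(provider_idx[-1] + 1, new_line)
    else:
        lines.append(new_line)
    return "\n".join(lines) + ("\n" if text.endswith("\n") else "")


# Constructed sample mirroring the java.security listing before the edit.
SAMPLE_BEFORE = """\
#
# List of providers and their preference orders (see above)
#
security.provider.1=com.ibm.jsse.IBMJSSEProvider
security.provider.2=com.ibm.crypto.provider.IBMJCE
security.provider.3=com.ibm.security.jgss.IBMJGSSProvider
security.provider.4=com.ibm.security.cert.IBMCertPath
#
"""


def demo():
    """Apply the edit to the sample and return the resulting provider list."""
    return parse_providers(add_provider(SAMPLE_BEFORE))
```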

Creating a keystore file:

Use the IBM IKeyMan utility to create a keystore file on the IBM Lotus Sametime server, which will be used for storing a copy of the IBM Lotus Domino server's SSL certificate.

About this task
On IBM AIX, Linux, and Solaris, create a keystore file called keys.jks; on Microsoft Windows, call it stkeys.jks.

Note: On IBM i5/OS, the keystore already exists; skip this procedure.

To create a keystore file on the Sametime server:
1. Open a command prompt and navigate to the /jvm/bin directory of your Lotus Sametime installation:
   - AIX: /opt/ibm/lotus/notes/latest/ibmpow/jvm/bin
   - Linux: /opt/ibm/lotus/notes/latest/linux/jvm/bin
   - Solaris: /opt/ibm/lotus/notes/latest/sunspa/jvm/bin
   - Windows: C:\Program Files\Lotus\Domino\jvm\bin
2. Start the IKeyMan program by running the following command:
      java com.ibm.gsk.ikeyman.Ikeyman
3. Click Key Database File > New.
4. In the "New" dialog box, complete these fields and then click OK:
   Key database type: Accept the default of jks.
   File name: Enter a file name for the key database (AIX, Linux, Solaris: keys.jks; Windows: stkeys.jks).
   Location: Choose the directory in which the keystore file will be stored. The examples in this documentation assume the file is stored in the Sametime_install_root/jvm/bin directory.

5. In the "Password" dialog box, complete these fields and then click OK:
   Password: Type the password that you will use to access the keystore. You will need this password later in the procedure.
   Confirm password: Type the password again to confirm it.
   Set expiration time?: Click this option to enable it and type the number of days for which the password will remain valid. If you do not want the password to expire, leave this option disabled.

Obtaining a copy of the SSL certificate used by Lotus Domino: When the IBM Lotus Domino server is configured to use SSL, an SSL server certificate is received from a Certification Authority (CA) and merged into the Lotus Domino Server Certificate Admin database. When you configure SSL for IBM Lotus Sametime, you import a copy of this certificate to the Lotus Sametime server.
About this task
There are two versions of the SSL certificate that you can use:
Obtaining the SSL certificate directly from the Lotus Domino server: When configuring SSL for IBM Lotus Sametime, you can import a copy of the SSL certificate directly from the IBM Lotus Domino server.
About this task
When the Lotus Domino server was configured to use SSL, an SSL server certificate was received from a Certification Authority (CA) and merged into the Lotus Domino Server Certificate Admin (certsrv.nsf) database. In this procedure, you export a copy of that certificate and save it as a file so that you can import it into Lotus Sametime in a later task.
1. Open a browser and navigate to the Lotus Domino server where you enabled SSL.
Note: The steps below use the Microsoft Internet Explorer browser; steps for your own browser may differ.
You can locate the Lotus Domino server by navigating to the Lotus Sametime server that is hosted on the same computer, using an address similar to the following (replace Sametime.acme.com with your fully qualified Internet host name):
https://Sametime.acme.com

2. Install the SSL certificate in Microsoft Internet Explorer to ensure it is available for export:
a. When prompted to "select the certificate to use when connecting," click OK.
b. At the "Security Alert" dialog box, click View Certificate.
c. At the "Certificate" dialog box, click Install Certificate.
d. At the "Certificate Manager Import Wizard" screen, click Next.
e. Click the Automatically select the certificate store based on the type of certificate option, and then click Next.
f. Back at the "Certificate Manager Import Wizard" screen, click Finish.


g. When the message indicating that the SSL server certificate was imported successfully appears, click OK repeatedly until you have closed all of the dialog boxes.
3. Now export the SSL certificate from Internet Explorer and save it as a file.
a. From the browser, click Tools > Internet Options.
b. Click the Contents tab.
c. Click the Certificates button.
d. Click the Other People tab.
e. Scroll down the list of certificates and select the server certificate that you imported earlier in this procedure. The certificate name should provide some indication that the certificate is associated with the Domino server from which it was imported. For example, if the certificate was imported from a server named Sametime.acme.com, the certificate might be issued to "Sametime" or to "Acme."
f. Click the Export button.
g. At the "Certificate Manager Export Wizard" screen, click Next.
h. At the "Certificate Export File" screen, select Base64 encoded X.509 (.CER), and then click Next.
i. At the "Export File Name" screen, provide a name for the file, select the Lotus Sametime server's data directory as the location where you want to store the file, and then click Next. For example, on Windows, you might enter SSLservercertificate.cer as the file name and select C:\Lotus\Domino\data as the location.
Note: On i5/OS, save the file directly to your server if you have mapped to the server drive. Otherwise, save the file on your client workstation and transfer it to your i5/OS server later.
j. When the message appears indicating the export was successful, click OK.
Obtaining a copy of the trusted root certificate: If you are unable to obtain a copy of the IBM Lotus Domino server's SSL certificate, you can request a trusted root certificate from a CA or export a trusted root certificate from your Web browser.
About this task
If you need to obtain a trusted root certificate, you must obtain the same trusted root certificate that is used by the Domino server to sign the Domino SSL server certificate. For example, if the VeriSign Class 4 Public Primary Certification Authority trusted root certificate is used to sign the Domino SSL server certificate, you must either export this certificate from your Web browser or request a VeriSign Class 4 Public Primary Certification Authority trusted root certificate from VeriSign.
There are two ways to obtain a copy of the trusted root certificate:
Obtaining a trusted root certificate from the Web browser:


When configuring SSL for the IBM Lotus Sametime server, you can export a copy of the trusted root certificate that was used for signing the IBM Lotus Domino server's own SSL certificate from a Web browser, and then import it into the Lotus Sametime server's keystore.
About this task
Rather than obtaining a copy of the Lotus Domino server's own SSL certificate, you may choose to obtain a copy of the trusted root certificate that was used for signing the Lotus Domino server's certificate. The easiest way to obtain a trusted root certificate is to export one from your Web browser. Web browsers include many different SSL trusted root certificates by default. If your Web browser contains a trusted root certificate that corresponds with the trusted root certificate that was used to sign the Lotus Domino SSL server certificate, you can export it from the browser and save it as a file.
Note: You must use the same trusted root that signed the Lotus Domino server's own SSL certificate.
The procedure below illustrates how you can export a trusted root certificate from a Microsoft Internet Explorer Web browser:
1. From the browser, click Tools > Internet Options.
2. Click the Contents tab.
3. Click the Certificates button.
4. Select the Trusted Root Certification Authorities tab.
5. Select the appropriate trusted root certificate from the list.
6. Click the Export button.
7. At the "Certificate Manager Export Wizard" screen, click Next.
8. At the "Certificate Export File" screen, select Base64 encoded X.509 (.CER), and then click Next.
9. At the "Export File Name" screen, provide a name for the file, select the Lotus Sametime server's data directory as the location where you want to store the file, and then click Next. For example, on Windows, you might enter SSLservercertificate.cer as the file name and select C:\Lotus\Domino\data as the location.
Note: On i5/OS, save the file directly to your server if you have mapped to the server drive. Otherwise, save the file on your client workstation and transfer it to your i5/OS server later.
10. When the message appears indicating that the export was successful, click OK.
Obtaining a trusted root certificate from the Certification Authority: When configuring SSL for the IBM Lotus Sametime server, you can obtain a copy of the trusted root certificate used for signing the IBM Lotus Domino server's SSL certificate from the original Certificate Authority.


About this task
If you are unable to obtain a copy of the Lotus Domino server's SSL server certificate, you can request a copy of the trusted root certificate from a CA. Normally, you request a certificate from a CA by browsing to the CA's web site. For example, follow these steps to request a certificate from VeriSign:
1. Open a browser and navigate to the VeriSign site:
www.verisign.com

2. Follow the instructions on the Web site to request a certificate. Once the certificate request is approved, you will receive an email explaining how to pick up the certificate.
3. Pick up the certificate as instructed (for example, by browsing to the Web site and copying it from a field on the specified page). You can provide a file name for the certificate when receiving it from the CA and then store it in the Lotus Sametime server's data directory.
Importing the Lotus Domino server's SSL certificate into the keystore: After you obtain a copy of either the IBM Lotus Domino server's own SSL certificate, or the trusted root certificate that was used to sign it, import your copy into the IBM Lotus Sametime server's keystore.
About this task
The procedure for importing the SSL certificate depends on your operating system:
Importing an SSL certificate on AIX, Linux, Solaris: To enable SSL between IBM Lotus Sametime running on IBM AIX, Linux, or Solaris and the IBM Lotus Domino server, import the Lotus Domino server's SSL certificate into the keystore.
Before you begin
Make sure you have copied one of the following certificates from the server into the Lotus Sametime server's data directory:
• CA.txt (the trusted root certificate)
• Server.txt (the SSL server certificate)
About this task
Follow the steps below to import the SSL certificate into the keystore on the Lotus Sametime server:
1. Verify that the ikeyman.sh file's SAMETIME_HOME variable specifies the correct path for your server's installation directory, modifying it as needed. The default installation directories for Lotus Sametime are as follows:
• AIX: /opt/ibm/lotus/notes/latest/ibmpow
• Linux: /opt/ibm/lotus/notes/latest/linux
• Solaris: /opt/ibm/lotus/notes/latest/sunspa
2. Make sure the ikeyman.sh file has execute privileges.
3. Start the ikeyman.sh utility.


The ikeyman.sh utility requires a graphical interface. If you run it in a text-only terminal, be sure to redirect the display to an X Window session.
4. Click the Add button.
5. In the "Add CA's certificate from a File" dialog box, do the following:
a. Verify that Base64-encoded ASCII data is selected as the "Data type".
b. Set the Certificate file name to the name of the text file (for example, CA.txt) into which you copied the certificate.
c. Set the Location to the location to which you transferred the CA.txt file in the previous procedure (for example, /local/notes/data).
d. Click OK.
6. Close IKeyMan after the file is imported successfully.
Importing an SSL certificate on i5/OS: To enable SSL between IBM Lotus Sametime running on IBM i5/OS and the IBM Lotus Domino server, import the Lotus Domino server's SSL certificate into the keystore.
Before you begin
Make sure you have copied one of the following certificates from the server into the Lotus Sametime server's data directory:
• CA.txt (the trusted root certificate)
• Server.txt (the SSL server certificate)
About this task
Follow the steps below to import the SSL certificate into the keystore on the Lotus Sametime server:
1. From an i5/OS command line, run the following command to start qshell:
strqsh

2. From qshell, run the following keytool command:

keytool -import -alias certificate_name -file certificate_filename -storepass keystore_password -keystore keystore_path_and_filename

Where:
• certificate_name is CA.txt
• certificate_filename is also CA.txt
• keystore_password is "sametime." Note: On i5/OS versions of Sametime, stkeys.jks is provided by default and uses "sametime" as the default password.
• keystore_path_and_filename is stserver/data/stkeys.jks
Example:
keytool -import -alias stserver1cert -file /stserver/data/CA.txt -storepass sametime -keystore /stserver/data/stkeys.jks

3. After you have imported the certificate, use the following command to view the list of certificates in the stkeys.jks file and verify that the certificate was imported successfully:


keytool -list -storepass keystore_password -keystore keystore_path_and_filename

Example:
keytool -list -storepass sametime -keystore /stserver/data/stkeys.jks

4. Press F3 to exit qshell.
Importing an SSL certificate on Windows: To enable SSL between IBM Lotus Sametime running on Microsoft Windows and the IBM Lotus Domino server, import the Lotus Domino server's SSL certificate into the keystore.
Before you begin
Make sure you have copied one of the following certificates from the server into the Lotus Sametime server's data directory:
• CA.txt (the trusted root certificate)
• Server.txt (the SSL server certificate)
About this task
Follow the steps below to import the SSL certificate into the keystore on the Lotus Sametime server:
1. Open a command prompt and navigate to the Sametime_install_root\IBM\gsk6\bin directory. The default installation path for Lotus Sametime is C:\Lotus\Domino.
2. Start the IKeyMan utility by running the gsk6ikm.exe program.
3. Browse to and select the stkeys.jks key store file.
4. Enter the password required to access this file.
5. In the "Key database content" area, select Signer certificates.

6. Click the Add button.
7. In the "Add CA's certificate from a File" dialog box, do the following:
a. Verify that Base64-encoded ASCII data is selected as the "Data type".
b. Browse to and select the SSL certificate you want to import.
c. Click OK.
8. In the "Enter a Label" dialog box, do the following:
a. Type a label for the certificate. This label identifies the certificate in the Signer Certificates list of the IBM IKeyMan program.
b. Click OK. The new certificate's label appears in the list of Signer Certificates.
9. Close the stkeys.jks keystore file.
10. Close the IKeyMan utility.
Modifying the Lotus Sametime server configuration for SSL: Modify the configuration of the IBM Lotus Sametime server to encrypt connections for Lotus Sametime servlets and the STPolicy.


About this task
Modify the Lotus Sametime server's configuration by making changes to the sametime.ini file. The necessary changes vary with your operating system:
Modifying the Lotus Sametime configuration on AIX, Linux, Solaris: Modify the IBM Lotus Sametime server's sametime.ini file on IBM AIX, Linux, or Solaris to support Secure Socket Layer (SSL) encryption.
About this task
To modify the Sametime configuration for AIX, Linux, or Solaris, complete the following steps:
1. Stop the Lotus Sametime server.
2. Use a text editor to open the sametime.ini file. This is located in the Lotus Sametime installation directory.
3. Locate the ConfigurationPort= setting. Make sure that it specifies the port on which the Lotus Domino HTTP server listens for SSL connections (by default, this is port 443), modifying the setting if necessary. For example:
ConfigurationPort=443

4. If these settings are not present in the [Config] section at the bottom of the sametime.ini file, manually type them in:
[Config]
ConfigurationSSLEnabled=true
javax.net.ssl.keyStore=/local/notesdata/key.jks
javax.net.ssl.trustStore=/local/notesdata/key.jks
javax.net.ssl.keyStorePassword=keystore_password
javax.net.ssl.trustStorePassword=truststore_password

Note: Specify the complete path name of the key.jks file for both the javax.net.ssl.keyStore and the javax.net.ssl.trustStore settings. Specify the password that you provided for key.jks when you created it for both the javax.net.ssl.keyStorePassword and javax.net.ssl.trustStorePassword settings.
5. If these two lines appear in the sametime.ini file, remove them:
javax.net.ssl.trustStoreType=JKS
javax.net.ssl.keyStoreType=JKS

6. Save and close the sametime.ini file.
7. Restart the Lotus Sametime server.
Modifying the Lotus Sametime Configuration on i5/OS: Modify the IBM Lotus Sametime server's sametime.ini file on IBM i5/OS to support Secure Socket Layer (SSL) encryption.
About this task
To modify the Sametime configuration for i5/OS, complete the following steps:
1. Stop the Lotus Sametime server.
2. Use a text editor to open the sametime.ini file. This is located in the Lotus Sametime server's data directory.
3. Locate the ConfigurationPort= setting. Make sure that it specifies the port on which the Lotus Domino HTTP server listens for SSL connections (by default, this is port 443), modifying the setting if necessary. For example:
ConfigurationPort=443

4. If these settings are not present in the [Config] section at the bottom of the sametime.ini file, manually type them in:
[Config]
ConfigurationSSLEnabled=true
javax.net.ssl.keyStore=stkeys.jks
javax.net.ssl.trustStore=stkeys.jks
javax.net.ssl.keyStorePassword=sametime
javax.net.ssl.trustStorePassword=sametime

Note: By default, the password for the stkeys.jks file is "sametime." If you change the password for stkeys.jks, you must change the setting of both javax.net.ssl.keyStorePassword and javax.net.ssl.trustStorePassword to match the new password. The full path for the stkeys.jks file is not needed for the i5/OS version of Sametime.
5. Save the sametime.ini file.
6. Restart the Lotus Sametime server.
Modifying the Lotus Sametime configuration on Windows: Modify the IBM Lotus Sametime server's sametime.ini file on Microsoft Windows to support Secure Socket Layer (SSL) encryption.
About this task
To modify the Sametime configuration for Windows, complete the following steps:
1. Stop the Lotus Sametime server.
2. Use a text editor to open the sametime.ini file, which is located in the Sametime server installation directory (for example: C:\Program Files\lotus\domino).
3. Verify that the "ConfigurationPort=" setting specifies the port on which the Lotus Domino HTTP server listens for SSL connections (default port is 443). For example:
ConfigurationPort=443

4. Verify that the [Config] section contains the following settings (or modify as needed):
[Config]
ConfigurationSSLEnabled=true
javax.net.ssl.keyStore=c:\program files\lotus\domino\jvm\stkeys.jks
javax.net.ssl.trustStore=c:\program files\lotus\domino\jvm\stkeys.jks
javax.net.ssl.keyStorePassword=passw0rd
javax.net.ssl.trustStorePassword=passw0rd

Where:
• For the javax.net.ssl.keyStore and the javax.net.ssl.trustStore settings, you specify the complete path name for the stkeys.jks file.
• For the javax.net.ssl.keyStorePassword and the javax.net.ssl.trustStorePassword settings, you specify the password that you provided for the stkeys.jks file when you created it.
5. Save and close the sametime.ini file.
6. Start the Lotus Sametime server.
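The three procedures above set the same [Config] keys. As an added example that is not part of this guide or of the Sametime product, the following Python script audits a sametime.ini for those settings: SSL enabled, the HTTPS ConfigurationPort, matching key and trust store paths and passwords, a complete path where the platform requires one, and the two StoreType lines the AIX/Linux/Solaris steps remove. The sample file contents are constructed, and the script assumes that the ConfigurationPort= line may sit in any section, so it searches them all.

```python
"""Audit a sametime.ini against the SSL settings the three procedures above call for.

Added example; not part of the Lotus Sametime product or of this guide. The INI
parser is deliberately minimal (section headers, key=value lines, ';'/'#' comments)
so it makes no assumptions about the rest of the file.
"""
import re

KEYSTORE_KEYS = ("javax.net.ssl.keyStore", "javax.net.ssl.trustStore")
PASSWORD_KEYS = ("javax.net.ssl.keyStorePassword", "javax.net.ssl.trustStorePassword")
STORE_TYPE_KEYS = ("javax.net.ssl.keyStoreType", "javax.net.ssl.trustStoreType")


def parse_ini(text):
    """Return {section: {key: value}}; keys keep their case (the javax.net.ssl.*
    names are case-sensitive). Keys before the first [section] go under ''."""
    sections = {"": {}}
    current = sections[""]
    for raw in text.splitlines():
        line = raw.strip()
        if not line or line[0] in ";#":
            continue
        if line.startswith("[") and line.endswith("]"):
            current = sections.setdefault(line[1:-1].strip(), {})
            continue
        key, sep, value = line.partition("=")
        if sep:
            current[key.strip()] = value.strip()
    return sections


def find_setting(sections, key):
    """ConfigurationPort= may sit outside [Config] (assumption), so search every section."""
    for section in sections.values():
        if key in section:
            return section[key]
    return None


def is_complete_path(path, platform):
    """The guide wants a complete path name on AIX/Linux/Solaris ('unix') and
    Windows; on i5/OS the bare file name stkeys.jks is accepted."""
    if platform == "i5os":
        return True
    if platform == "windows":
        return re.match(r"^[A-Za-z]:\\", path) is not None
    return path.startswith("/")


def check_ssl_config(text, platform, expected_port="443"):
    """Return findings; [] means the file matches the procedure for 'unix',
    'windows' or 'i5os'."""
    sections = parse_ini(text)
    config = sections.get("Config")
    if config is None:
        return ["[Config] section is missing"]
    findings = []
    if config.get("ConfigurationSSLEnabled", "").lower() != "true":
        findings.append("ConfigurationSSLEnabled is not true")
    port = find_setting(sections, "ConfigurationPort")
    if port != expected_port:
        findings.append(f"ConfigurationPort is {port!r}, expected {expected_port}")
    stores = [config.get(k) for k in KEYSTORE_KEYS]
    if not all(stores):
        findings.append("keyStore or trustStore is not set")
    else:
        if stores[0] != stores[1]:
            findings.append("keyStore and trustStore point to different files")
        if not is_complete_path(stores[0], platform):
            findings.append(f"keyStore {stores[0]!r} is not a complete path")
    passwords = [config.get(k) for k in PASSWORD_KEYS]
    if not all(passwords):
        findings.append("keyStorePassword or trustStorePassword is not set")
    elif passwords[0] != passwords[1]:
        findings.append("keyStorePassword and trustStorePassword differ")
    elif platform == "i5os" and passwords[0] == "sametime":
        findings.append("note: stkeys.jks still uses the i5/OS default password")
    if platform == "unix":  # the AIX/Linux/Solaris steps remove these two lines
        findings += [f"{k} should be removed" for k in STORE_TYPE_KEYS if k in config]
    return findings


# Constructed sample files modelled on the fragments shown in the guide.
SAMPLE_I5OS = """[Config]
ConfigurationPort=443
ConfigurationSSLEnabled=true
javax.net.ssl.keyStore=stkeys.jks
javax.net.ssl.trustStore=stkeys.jks
javax.net.ssl.keyStorePassword=sametime
javax.net.ssl.trustStorePassword=sametime
"""
SAMPLE_UNIX_BAD = """[Config]
ConfigurationPort=80
ConfigurationSSLEnabled=true
javax.net.ssl.keyStore=key.jks
javax.net.ssl.trustStore=/local/notesdata/key.jks
javax.net.ssl.keyStorePassword=one
javax.net.ssl.trustStorePassword=two
javax.net.ssl.trustStoreType=JKS
javax.net.ssl.keyStoreType=JKS
"""
```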


Encrypting conversion services in Lotus Sametime: When you configure IBM Lotus Sametime to use SSL encryption, you must also modify the server's configuration to encrypt the conversion services, which convert files into bitmaps for sharing in a Web conference on the Meeting Server.
Before you begin
If you use an integrated conversion server, skip this procedure. If you use one or more remote conversion servers, then you should make sure they are properly configured before beginning this procedure. See the topic, "About Sametime Conversion Services" in this information center.
About this task
The IP address and port used by the conversion services are controlled by the stservicemonitor.ini file, located in the Conversion Services install directory. Modify these values as shown:
1. Update the stservicemonitor.ini file to use the appropriate IP address and port for encrypting conversion services:
a. On the server where the conversion services are hosted, open a command prompt and navigate to the Conversion Services installation directory, C:\Program Files\Lotus\STConversion.
b. Open the stservicemonitor.ini file for editing.
c. Locate the following statement (which may be formatted differently from what you see here), and change the IP_Address and Port_Number values to the ones you want to use for encrypting conversion services:
JAVA_Executable ClassPath -DSametimeDiagnostics.filepath= SametimeDiagnostics_CS.properties -Dipaddr="IP_Address" -Dipport="Port_Number" com.lotus.sametime.conversionservlet.ConversionServer

d. If you want to configure this conversion server to run multiple processes, copy the statement in substep c for each additional process, and assign each a different IP address and Port number combination. If your deployment uses multiple Lotus Sametime servers, creating multiple processes for conversion services allows all of the Lotus Sametime servers to share the same remote Windows conversion server; each Lotus Sametime server will connect to a different process.
e. Save and close the file.
2. Now edit the stconvservices.properties file (located in the same directory) to make it reference the same port:
a. Open the stconvservices.properties file for editing.
b. Look for the RemoteConversionURL= statement, which will look like one of the following examples (although it may be formatted differently):
• No remote conversion servers: If the remote conversion server statement is commented out as shown here, you are using an integrated conversion server:
#RemoteConversionURL=http://conversions1.ibm.com:8081; http://conversions2.ibm.com:8081/servlet/stconversion

For an integrated conversion server, leave this setting alone.

• One remote conversion server: When one remote conversion server is configured, the # is absent at the start of the line, the server name is correct, and everything between the semicolon and the end of the line is deleted. For example:
RemoteConversionURL=http://stconv.acme.com:80/servlet/stconversion

• Multiple remote conversion servers: If more than one conversion server is configured, there is no # sign, and a URL appears for each conversion server (URLs are separated by semicolons). For example:
RemoteConversionURL= http://conversions1.acme.com:80/servlet/stconversion; http://conversions2.acme.com:80/servlet/stconversion

c. Locate the port value (the number following the host name in the examples above; the actual value may vary) and replace it with the value you used in the stservicemonitor.ini file. Remember that you should not change any settings for an integrated conversion server.
d. Save and close the file.
3. Restart the Lotus Sametime Conversion Service so the changes can take effect.
4. If you created multiple Conversion Service processes in substep 1d, do the following:
a. Edit the stconvservices.properties file on each of your Lotus Sametime servers and match it to one of those processes. For best performance, each Lotus Sametime server should be assigned to a different Conversion Services process by referencing one of the IP address and Port number combinations that you specified in substep 1d.
b. Restart each Lotus Sametime server.
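As an added example, not from this guide or the Sametime product, the following Python script performs the check behind substep 2c: it reads the -Dipaddr/-Dipport pairs from stservicemonitor.ini and the semicolon-separated RemoteConversionURL entries from stconvservices.properties, treats a commented-out statement as an integrated conversion server, and reports any URL whose port no conversion process listens on. The file contents are constructed (192.0.2.x documentation addresses, constructed ports).

```python
"""Cross-check the conversion services port between stservicemonitor.ini and
stconvservices.properties, as substep 2c of the procedure above requires.

Added example; not part of the Lotus Sametime product or of this guide.
The file contents below are constructed from the statements the guide shows.
"""
import re
from urllib.parse import urlsplit

# -Dipaddr="IP_Address" -Dipport="Port_Number", as written in stservicemonitor.ini
PROCESS_RE = re.compile(r'-Dipaddr="([^"]*)"\s+-Dipport="([^"]*)"')


def conversion_processes(monitor_text):
    """Return [(ip, port), ...] for every ConversionServer statement, in file order."""
    return PROCESS_RE.findall(monitor_text)


def remote_conversion_urls(properties_text):
    """Return the semicolon-separated RemoteConversionURL entries, or None when
    the statement is commented out (integrated conversion server)."""
    for raw in properties_text.splitlines():
        line = raw.strip()
        if line.startswith("RemoteConversionURL="):
            value = line.partition("=")[2]
            return [url.strip() for url in value.split(";") if url.strip()]
    return None


def url_port(url):
    """Port of a conversion URL, applying the scheme default when none is given."""
    parts = urlsplit(url)
    if parts.port is not None:
        return str(parts.port)
    return "443" if parts.scheme == "https" else "80"


def check_conversion_ports(monitor_text, properties_text):
    """Return findings; an empty list means every RemoteConversionURL port is one
    that a conversion process in stservicemonitor.ini listens on."""
    urls = remote_conversion_urls(properties_text)
    if urls is None:
        return []  # integrated conversion server: the guide says leave it alone
    ports = {port for _ip, port in conversion_processes(monitor_text)}
    if not ports:
        return ["no ConversionServer statement found in stservicemonitor.ini"]
    return [f"{url} uses port {url_port(url)}; conversion processes listen on {sorted(ports)}"
            for url in urls if url_port(url) not in ports]


# Constructed stservicemonitor.ini with two processes (substep 1d), using
# documentation addresses from 192.0.2.0/24 and constructed ports.
MONITOR_INI = (
    'JAVA_Executable ClassPath -DSametimeDiagnostics.filepath=SametimeDiagnostics_CS.properties '
    '-Dipaddr="192.0.2.10" -Dipport="8443" com.lotus.sametime.conversionservlet.ConversionServer\n'
    'JAVA_Executable ClassPath -DSametimeDiagnostics.filepath=SametimeDiagnostics_CS.properties '
    '-Dipaddr="192.0.2.11" -Dipport="8444" com.lotus.sametime.conversionservlet.ConversionServer\n'
)

# Constructed stconvservices.properties variants matching the three forms above.
PROPS_INTEGRATED = ("#RemoteConversionURL=http://conversions1.ibm.com:8081; "
                    "http://conversions2.ibm.com:8081/servlet/stconversion\n")
PROPS_ONE = "RemoteConversionURL=http://stconv.acme.com:8443/servlet/stconversion\n"
PROPS_MULTI = ("RemoteConversionURL= http://conversions1.acme.com:8443/servlet/stconversion; "
               "http://conversions2.acme.com:80/servlet/stconversion\n")
```

Running check_conversion_ports(MONITOR_INI, PROPS_MULTI) reports the second URL, whose port 80 was not updated to match a conversion process.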

Tunneling through the firewall when SSL is enabled


Configure an IBM Lotus Sametime server to allow clients to tunnel through a firewall when SSL is enabled.

Before you begin


Lotus Sametime Connect clients communicate with the Lotus Sametime server by directing messages to the HTTP server, which listens on port 80. When SSL is enabled, port 443 is normally used for sending encrypted messages; however, the Lotus Domino server (which hosts Lotus Sametime) is already listening on port 443 for encrypted Web-based communications. If Lotus Sametime Connect clients also send messages to the HTTP server on port 443, a conflict arises. You can work around this conflict by configuring clients to access the Lotus Sametime server by tunneling to its Community Services multiplexer with an HTTPS proxy. In this type of configuration, both the Lotus Sametime Community Server and the Lotus Domino server listen for connections on port 443 but they use different addresses to avoid conflicts. You set up this type of connection by assigning an additional IP address to the Lotus Sametime server, and then configuring both the Community Services multiplexer and your clients to use that address when communicating on port 443. The following picture shows an example of this type of connection:


Restriction: This connection is not encrypted. In addition, clients using this connection will not have access to the Meeting Server and the Web Server, so Meeting services, as well as audio and video services, are not supported in this configuration.

About this task


If you want to allow clients to tunnel to the Community Services multiplexer on port 443 when SSL is enabled, complete the following tasks:
Binding the base DNS to the HTTP server: Before assigning an additional IP address to an IBM Lotus Sametime server, avoid potential conflicts by binding the server's base DNS to the HTTP server where it listens for communications. This ensures that the IBM Lotus Domino server hosting Lotus Sametime (and using this HTTP server) still receives all communications intended for it.
About this task
Bind the server's base DNS to the HTTP server by completing the following steps:
1. On the Lotus Sametime server, open the Sametime Administration Tool.
2. Click Configuration > Connectivity > Networks and Ports.
3. On the "Networks and Ports" page, click Configure HTTP services on a Web page in its own window. The "HTTP" section of the Lotus Domino Directory's Server document opens in a separate window.
4. Locate the Host name field.
5. Under the "Basics" heading, type the base DNS for the HTTP server (for example: sametime1.acme.com).
6. Still in the same field, type a comma and the following IP address: 127.0.0.1 so it looks like this:
sametime1.acme.com,127.0.0.1

This additional entry is required for enabling the Sametime Administration Tool to operate in this configuration.
7. Click the Save & Close button at the top of the Server document.
8. After the document closes, close the "Server-Servers" view of the Domino Directory.
Adding a new IP address to the Lotus Sametime server:

Assign an additional IP address to an IBM Lotus Sametime server.
Before you begin
To add a new IP address to a Lotus Sametime server, you can either install an additional Network Interface Card (NIC) or assign multiple IP addresses to a single NIC. For additional information, see IBM Tech Note #1181387, "Forcing a Sametime server with multiple NICs to bind to the correct IP address," at:
www.ibm.com/support/docview.wss?rs=899&uid=swg21181387
About this task
To assign multiple IP addresses to a single NIC on a server running Microsoft Windows:
1. Open the Windows Control Panel.
2. Click the Protocols tab.
3. Click TCP/IP Protocols > Properties > Specify an IP Address.
4. Click the Advanced tab.
5. Use the "Advanced IP Addressing" page to assign multiple IP addresses to a single NIC.
6. Save your changes and close all of the dialog boxes.
Mapping the IP address and DNS for Community Services: Configure an IBM Lotus Sametime server to map an IP address to the specific DNS and port used by Lotus Sametime Community Services.
Before you begin
You must have already assigned the IP address to the Lotus Sametime server.
Set up your DNS server to map the new IP address to a new DNS name for the Lotus Sametime server's Community Services. To avoid confusion, it is recommended that your new DNS for the Community Services use the old DNS name plus "community-" as a prefix. For example, if your base DNS for the server is sametime1.acme.com, use the following name for the new DNS:
community-sametime1.acme.com

Configuring HTTPS tunneling settings for clients using port 443: Configure the IBM Lotus Sametime Community Services to listen for client communications using the new DNS and port 443.
Before you begin
You must have already assigned an additional IP address to the Lotus Sametime server, then mapped a new DNS to it for use by the Community Services.
1. On the Lotus Sametime server, open the Sametime Administration Tool.
2. Click Configuration > Connectivity > Networks and Ports.
3. On the "Networks and Ports" page, click Community Services Network Address for HTTPS-tunneled client connections and fill in the following fields:

Option      Description
Host name   community-base_DNS. For example, if your base DNS for the server is sametime1.acme.com, type the following name for the new DNS: community-sametime1.acme.com
Port        443

4. Restart the Lotus Sametime and Lotus Domino servers.
5. Close the Sametime Administration Tool.
Results
With this configuration, the Lotus Sametime Community Services multiplexer will listen for HTTPS-tunneled connections using host name community-sametime1.acme.com on port 443.
Connecting clients to the new Community Services DNS: Configure an IBM Lotus Sametime Connect client to communicate with a Lotus Sametime server that is listening for HTTPS connections using the host name (DNS) and port that you specified in the HTTPS tunneling settings for the server.
About this task
Every Lotus Sametime Connect client located outside of the firewall requires this configuration to tunnel through the firewall to the Lotus Sametime Community Services. For each Lotus Sametime Connect client, configure the following settings in the "Sametime Connectivity" tab:
Option                              Description
Host                                Type the new DNS that you mapped to the IP address that will be used for the Community Server. For example, if your base DNS for the server is sametime1.acme.com, it was recommended that you use the following name for the new DNS: community-sametime1.acme.com. That is the name you should type here.
Community port                      443
Use proxy                           Select this setting.
Use HTTPS proxy: Host name, Port    Select this setting and enter the host name (community-sametime1.acme.com) and port (443) on which the Lotus Sametime Connect clients connect to the HTTPS proxy.


Enabling encryption between Lotus Sametime and the LDAP server


Configure SSL encryption between an IBM Lotus Sametime server and an LDAP server by enabling the LDAPS protocol.

About this task


When you enable this protocol, you can choose whether to encrypt only the data used for authenticating users in Lotus Sametime, or to encrypt all data that is transmitted between the two servers.
Note: If you are using an IBM Lotus Domino Directory and it is not configured as an LDAP directory, this section does not apply to you. You can skip these procedures.
Enabling SSL encryption for an LDAP server involves the following tasks:

Enabling SSL on the LDAP server


You must enable SSL on your LDAP server before you can configure the IBM Lotus Sametime server to encrypt its communications with the LDAP directory.

About this task


Note: If you are using a Domino Directory and Lotus Sametime is not configured with an LDAP directory, this section does not apply to you and you should skip these procedures.
The procedure for enabling SSL depends on the LDAP directory that you use:
Setting up a Lotus Domino LDAP directory to use SSL: You must enable the IBM Lotus Domino server's LDAP component to support SSL before you can configure the IBM Lotus Sametime server to encrypt its communications with the Lotus Domino LDAP Server.
About this task
Follow the steps in the Lotus Domino Administrator information center to set up a Lotus Domino server to support SSL for LDAP connections:

publib.boulder.ibm.com/infocenter/domhelp/v8r0/topic/com.ibm.help.domino.admin.doc/DOC/H_ABOUT_SETTIN

Enabling third-party LDAP servers to use SSL: You must enable the LDAP server to support SSL before you can configure the IBM Lotus Sametime server to encrypt communications to the LDAP directory hosted on that server.
About this task
Refer to the documentation provided by the LDAP directory's vendor for instructions on enabling SSL.


Setting up a keystore for the SSL certificate used by the LDAP server
On IBM AIX, Linux, Microsoft Windows, and Sun Solaris, install the GSKit program and the IBM IKeyMan utility so you can store a copy of the LDAP server's SSL certificate. On IBM i5/OS, install the DCM (Digital Certificate Manager) program instead.

About this task


The Lotus Sametime server must store a copy of the LDAP Server's SSL trusted certificate to complete the SSL handshake when making an SSL connection to that LDAP server. Before you can import the SSL certificate from the LDAP Server, you will use the GSKit program and IKeyMan utility (the DCM program on i5/OS) to create a keystore file on the Lotus Sametime server for storing the certificate.
Note: You only need to install these programs once. If you have already installed these programs during an earlier procedure, you can skip this task.
The instructions for installing GSKit and IKeyMan, or DCM, vary according to your server's operating system. Use the instructions in the appropriate topic:
Installing and setting up Digital Certificate Manager on i5/OS: Install and set up the DCM (Digital Certificate Manager) program on an IBM i5/OS server hosting IBM Lotus Sametime, and ensure that Lotus Sametime trusts the LDAP server's SSL certificate.
About this task
Set up DCM and ensure that Lotus Sametime trusts the LDAP server by completing the following tasks:
Installing Digital Certificate Manager: Install the DCM (Digital Certificate Manager) program on an IBM i5/OS server that hosts IBM Lotus Sametime.
About this task
On i5/OS, SSL certificates are managed using the integrated DCM program. You must install and set up DCM before you can establish SSL encryption for communications between the i5/OS server's LDAP client and the deployment's LDAP server. All of the following software must be installed on the i5/OS server where your Lotus Sametime server is located:
• 5722-SS1 Option 34, Digital Certificate Manager
• 5722-DG1, IBM HTTP Server
• 5722-AC3, Crypto Access Provider 128-bit
If you need more detailed information about setting up and using DCM in order to complete the steps in this section, see the iSeries information center at:
www.ibm.com/as400/infocenter

After selecting the appropriate i5/OS release and your preferred language, select the "Digital Certificate Manager" topic in the "Security" section.

Chapter 24. Working with Sametime security

423

Ensuring that the LDAP client trusts the LDAP server's certificate:

Ensure that the IBM i5/OS LDAP client trusts the SSL certificate used by the LDAP server with which it communicates.

About this task

IBM Lotus Sametime for i5/OS uses the LDAP client included with the IBM Directory Server that is installed as part of the i5/OS operating system. Enable the LDAP client to trust the LDAP server by importing the server's SSL certificate into the store on the client (the i5/OS server) and then adding the Certificate Authority to the trust list.

1. Use the DCM (Digital Certificate Manager) program to determine whether the CA Certificate that signed the LDAP directory server's certificate is already included in the DCM *SYSTEM certificate store. Well-known public Internet Certificate Authorities (CAs) that most Web browsers recognize readily, such as VeriSign, are already included in the DCM. If the appropriate CA is included in the certificate store, you have finished this task; skip the remaining steps. If the CA used by your LDAP server's certificate does not appear in the DCM *SYSTEM certificate store, import it now by completing the remaining steps in this procedure.
2. Import the LDAP directory server's certificate into the DCM *SYSTEM certificate store.
3. Use DCM to add the CA Certificate to the trust list of the IBM Directory Server LDAP client application. The application ID is QIBM_GLD_DIRSRV_CLIENT.

Ensuring that Lotus Sametime has access to the *SYSTEM certificate store:

Assign IBM Lotus Sametime access to the IBM i5/OS *SYSTEM certificate store.

About this task

Lotus Sametime must be able to access certificates located in the DCM *SYSTEM certificate store when connecting to an LDAP server using SSL. The DCM *SYSTEM certificate store is located in the /qibm/userdata/icss/cert/server directory on an i5/OS server. QNOTES is an i5/OS user profile created by IBM Lotus Domino and used by Lotus Sametime.
By default, the QNOTES user profile does not have access to the DCM *SYSTEM certificate store or the /qibm/userdata/icss/cert/server directory, although the higher-level directories usually have *PUBLIC *RX authority, which allows QNOTES to access those directories. Provide Lotus Sametime with access to the *SYSTEM certificate store by completing the following steps:

1. Run the following command from any i5/OS command line to view the contents of the /qibm/userdata/icss/cert/server directory and verify the name of the certificate store:

WRKLNK '/QIBM/USERDATA/ICSS/CERT/Server/*'

By default, the certificate store is named default.kdb and uses "sametime" as the password.

424

Lotus Sametime Entry: Installation and Administration Guide

2. Run the following commands from any i5/OS command line to ensure QNOTES has the necessary authority to the DCM *SYSTEM certificate store and associated directory:
CHGAUT OBJ('/QIBM/USERDATA/ICSS/CERT/Server') USER(QNOTES) DTAAUT(*RX)
CHGAUT OBJ('/QIBM/USERDATA/ICSS/CERT/Server/DEFAULT.RDB') USER(QNOTES) DTAAUT(*RX)
CHGAUT OBJ('/QIBM/USERDATA/ICSS/CERT/Server/DEFAULT.KDB') USER(QNOTES) DTAAUT(*RX)

In this example:

- QNOTES is the user receiving access
- default.kdb is the name of the certificate store

Setting up GSKit, IKeyMan, and the key database on AIX, Linux, Solaris, Windows:

Install the GSKit program and the IBM IKeyMan utility on IBM AIX, Linux, Microsoft Windows, or Solaris and then use IKeyMan to create a key database for storing the LDAP server's SSL certificate.

About this task

Install the programs and create the key database by completing the following tasks:

Installing GSKit and IKeyMan:

Install the GSKit program and the IBM IKeyMan utility on IBM AIX, Linux, Microsoft Windows, or Solaris.

About this task

Install GSKit and IKeyMan by following the steps in the appropriate topic for your operating system:

Installing GSKit and IKeyMan on AIX:

Install GSKit with the IKeyMan utility on an IBM Lotus Sametime server that runs on IBM AIX.

About this task

IBM Lotus Domino also ships with a version of GSKit, but for this task you must use the version included with Lotus Sametime. To install GSKit and IKeyMan on AIX, follow the steps below:

1. Log on to the Lotus Sametime server as the root user.
2. Stop the Lotus Domino and Lotus Sametime server.
3. Download the GSKit directory to a temporary location on the server. Information on downloading packages for Lotus Sametime is located in the Download document:
www.ibm.com/support/docview.wss?rs=477&uid=swg24020732

4. Navigate to your server's copy of the GSKit directory and open a command prompt.
5. Install GSKit using the System Management Interface Tool (SMIT) utility to install the gskak.rte package.


The package name is "version AIX Certificate and SSL Base ACME Runtime Toolkit".
6. Use a text editor to add com.ibm.spi.IBMCMSProvider to the list of providers in the java.security file as follows:
a. Navigate to the /opt/ibm/lotus/notes/latest/ibmpow/ibm-jre/jre/lib/security directory.
b. Open the java.security file.
c. In the java.security file, add the following statement to the list of security providers as shown:
security.provider.5=com.ibm.spi.IBMCMSProvider

The example below illustrates this line added to the java.security file (notice that the preference numbers must be in sequence):
#
security.provider.1=com.ibm.jsse.IBMJSSEProvider
security.provider.2=com.ibm.crypto.provider.IBMJCE
security.provider.3=com.ibm.security.jgss.IBMJGSSProvider
security.provider.4=com.ibm.security.cert.IBMCertPath
security.provider.5=com.ibm.spi.IBMCMSProvider
#

d. Save and close the file.
7. Navigate to the /opt/ibm/lotus/notes/latest/ibmpow/ibm-jre/jre/lib/ext directory, and delete the gskikm.jar file.
8. Set the JAVA_HOME environment variable to the Java VM installed under the Lotus Sametime binaries directory:
JAVA_HOME=/opt/ibm/lotus/notes/latest/ibmpow/ibm-jre/
export JAVA_HOME

Installing GSKit and IKeyMan on Linux:

Install GSKit with the IKeyMan utility on an IBM Lotus Sametime server that runs on Linux.

About this task

IBM Lotus Domino also ships with a version of GSKit, but for this task you must use the version included with Lotus Sametime. To install GSKit and IKeyMan on Linux, follow the steps below:

1. Log on to the Lotus Sametime server as the root user.
2. Stop the Lotus Domino and Lotus Sametime server.
3. Download the GSKit directory to a temporary location on the server. Information on downloading packages for Lotus Sametime is located in the Download document:
www.ibm.com/support/docview.wss?rs=477&uid=swg24020732

4. Navigate to your server's copy of the GSKit directory and open a command prompt.
5. Install the GSKit RPM. Note: The examples show release 7 of GSKit, but this program is periodically updated in the Lotus Sametime kits, so you may find that a newer version of GSKit was installed on your server. For example:
rpm -i gsk7bas-7.0-3.31.i386.rpm


6. Edit the java.security file as follows:
a. Navigate to the /opt/ibm/lotus/notes/latest/linux/ibm-jre/jre/lib/security/ directory.
b. Open the java.security file.
c. Use a text editor to add com.ibm.spi.IBMCMSProvider to the list of providers in the java.security file as follows:
security.provider.5=com.ibm.spi.IBMCMSProvider

The example below illustrates this line added to the java.security file (notice that the preference numbers must be in sequence):
#
security.provider.1=com.ibm.jsse.IBMJSSEProvider
security.provider.2=com.ibm.crypto.provider.IBMJCE
security.provider.3=com.ibm.security.jgss.IBMJGSSProvider
security.provider.4=com.ibm.security.cert.IBMCertPath
security.provider.5=com.ibm.spi.IBMCMSProvider
#

d. Save and close the file.
7. Navigate to the /opt/ibm/lotus/notes/latest/linux/ibm-jre/jre/lib/ext directory, and delete the gskikm.jar file.
8. Set the JAVA_HOME environment variable to the Java VM installed under the Lotus Sametime binaries directory:
JAVA_HOME=/opt/ibm/lotus/notes/latest/linux/ibm-jre/jre
export JAVA_HOME

Installing GSKit and IKeyMan on Solaris:

Install GSKit with the IKeyMan utility on an IBM Lotus Sametime server that runs on Solaris.

About this task

IBM Lotus Domino also ships with a version of GSKit, but for this task you must use the version included with Lotus Sametime. To install GSKit and IKeyMan on Solaris, follow the steps below:

1. Log on to the Lotus Sametime server as the root user.
2. Stop the Lotus Domino and Lotus Sametime server.
3. Download the GSKit directory to a temporary location on the server. Information on downloading packages for Lotus Sametime is located in the Download document:
www.ibm.com/support/docview.wss?rs=477&uid=swg24020732

4. Navigate to your server's copy of the GSKit directory and open a command prompt.
5. Install GSKit as follows:
Note: The examples show release 6 of GSKit, but this program is periodically updated in the Lotus Sametime kits, so you may find that a newer version of GSKit was installed on your server.
a. Uncompress and untar the gsk6bas.tar.Z file.
b. Use one of the following methods to install GSKit:
- Use the admintool application.
- Use the pkgadd command; for example:
pkgadd -d /var/spool/pkg gsk6bas

6. Use a text editor to add com.ibm.spi.IBMCMSProvider to the list of providers in the java.security file as follows:
a. Navigate to the /opt/ibm/lotus/notes/latest/sunspa/ibm-jre/jre/lib/security/ directory.
b. Open the java.security file.
c. In the java.security file, add the following statement to the list of security providers as shown:
security.provider.5=com.ibm.spi.IBMCMSProvider

The example below illustrates this line added to the java.security file (notice that the preference numbers must be in sequence):
#
security.provider.1=com.ibm.jsse.IBMJSSEProvider
security.provider.2=com.ibm.crypto.provider.IBMJCE
security.provider.3=com.ibm.security.jgss.IBMJGSSProvider
security.provider.4=com.ibm.security.cert.IBMCertPath
security.provider.5=com.ibm.spi.IBMCMSProvider
#

d. Save and close the file.
7. Navigate to the /opt/ibm/lotus/notes/latest/sunspa/ibm-jre/jre/lib/ext directory, and delete the gskikm.jar file.
8. Set the JAVA_HOME environment variable to the Java VM installed under the Lotus Sametime binaries directory:
JAVA_HOME=/opt/ibm/lotus/notes/latest/sunspa/ibm-jre/
export JAVA_HOME

Installing GSKit and IKeyMan on Windows:

Install GSKit with the IKeyMan utility on an IBM Lotus Sametime server that runs on Windows.

About this task

IBM Lotus Domino also ships with a version of GSKit, but for this task you must use the version included with Lotus Sametime. To install GSKit and IKeyMan on Microsoft Windows, follow the steps below:

1. Log on to the Lotus Sametime server as the Windows administrator.
2. Stop the Lotus Domino and Lotus Sametime server.
3. Download the GSKit directory to a temporary location on the server. Information on downloading packages for Lotus Sametime is located in the Download document:
www.ibm.com/support/docview.wss?rs=477&uid=swg24020732

4. Open a command prompt and navigate to your server's copy of the GSKit directory.
5. Install GSKit and IKeyMan by running the following command:
setup.exe GSKit Sametime_install_root -s -f1setup.iss

For example:
setup.exe GSKit C:\Program Files\Lotus\Domino -s -f1setup.iss

This command performs a silent installation of the IKeyMan program into the Lotus Sametime installation directory.
6. Verify that the installation is successful:


Note: The examples show release 7 of GSKit, but this program is periodically updated in the Lotus Sametime kits, so you may find that a newer version of GSKit was installed on your server.
a. Verify that a folder called ibm\gsk7 now exists under the Lotus Sametime installation directory.
b. Verify that the HKLM\Software\ibm\gsk7 registry key has been created on the server.
7. Set the JAVA_HOME environment variable to the Java VM installed under the Lotus Sametime binaries directory:
a. From the Windows desktop, right click on the My Computer icon and select System Properties.
b. In the "System Properties" dialog box, select the Advanced tab.
c. Click the Environment Variables button.
d. In the "New System Variable" dialog box, click the New button under the "System Variables" list, and enter the following information:
Table 18. Defining the new JAVA_HOME environment variable

Variable name: JAVA_HOME
Variable value: Sametime_install_root\ibm-jre\jre (for example: C:\Lotus\Sametime\ibm-jre\jre)

e. Click OK to close the "New System Variable" dialog box.
f. Click OK to close the "Environment Variables" dialog box.
g. Click OK to close the "System Properties" dialog box.
8. Use a text editor to add com.ibm.spi.IBMCMSProvider to the list of providers in the java.security file as follows:
a. Navigate to the Sametime_install_root\ibm-jre\jre\lib\security directory. For example:
C:\Program Files\Lotus\Domino\ibm-jre\jre\lib\security

b. Open the java.security file.
c. In the java.security file, add the following statement to the list of security providers as shown:
security.provider.5=com.ibm.spi.IBMCMSProvider

The example below illustrates this line added to the java.security file (notice that the preference numbers must be in sequence):
#
# List of providers and their preference orders (see above):
#
security.provider.1=com.ibm.jsse.IBMJSSEProvider
security.provider.2=com.ibm.crypto.provider.IBMJCE
security.provider.3=com.ibm.security.jgss.IBMJGSSProvider
security.provider.4=com.ibm.security.cert.IBMCertPath
security.provider.5=com.ibm.spi.IBMCMSProvider
#

9. Navigate to the Sametime_install_root\ibm-jre\jre\lib\ext directory, and delete the gskikm.jar file. For example:
C:\Program Files\Lotus\Domino\ibm-jre\jre\lib\ext\gskikm.jar
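The same java.security edit is required on AIX, Linux, Solaris, and Windows, and the provider preference numbers must stay in sequence. The following Python helper is an added example, not part of this guide or of IBM's software: it appends com.ibm.spi.IBMCMSProvider at the next free number (5 in the guide's example), refuses to edit a list whose numbering already has a gap, and is safe to run twice. The sample java.security content is constructed.

```python
"""Add com.ibm.spi.IBMCMSProvider to a java.security provider list.

Added example (not IBM's code). The guide requires the
security.provider.N numbers to be in sequence, so this helper inserts
the provider at the next free number and verifies the sequence is
gap-free before and after the edit.
"""
import re

PROVIDER_RE = re.compile(r"^security\.provider\.(\d+)=(\S+)\s*$")
CMS_PROVIDER = "com.ibm.spi.IBMCMSProvider"


def provider_entries(text):
    """Return [(number, class_name)] for each security.provider.N line."""
    entries = []
    for line in text.splitlines():
        m = PROVIDER_RE.match(line.strip())
        if m:
            entries.append((int(m.group(1)), m.group(2)))
    return entries


def check_sequence(text):
    """True when provider numbers run 1, 2, ..., N with no gaps or repeats."""
    numbers = [n for n, _ in provider_entries(text)]
    return numbers == list(range(1, len(numbers) + 1))


def add_cms_provider(text, provider=CMS_PROVIDER):
    """Return `text` with `provider` appended after the last provider line.

    Unchanged if the provider is already listed. Raises ValueError when
    there is no provider list or its numbering is not in sequence, since
    the guide says the preference numbers must be sequential.
    """
    entries = provider_entries(text)
    if not entries:
        raise ValueError("no security.provider.N lines found")
    if not check_sequence(text):
        raise ValueError("existing provider numbers are not in sequence")
    if any(cls == provider for _, cls in entries):
        return text
    new_line = "security.provider.%d=%s" % (entries[-1][0] + 1, provider)
    lines = text.splitlines()
    # Insert directly after the last provider line so the list stays contiguous.
    for i in range(len(lines) - 1, -1, -1):
        if PROVIDER_RE.match(lines[i].strip()):
            lines.insert(i + 1, new_line)
            break
    return "\n".join(lines) + "\n"


# Constructed sample: the four providers the guide shows before the edit.
SAMPLE_JAVA_SECURITY = """\
#
# List of providers and their preference orders (see above):
#
security.provider.1=com.ibm.jsse.IBMJSSEProvider
security.provider.2=com.ibm.crypto.provider.IBMJCE
security.provider.3=com.ibm.security.jgss.IBMJGSSProvider
security.provider.4=com.ibm.security.cert.IBMCertPath
#
# Other settings follow
#
"""

if __name__ == "__main__":
    print(add_cms_provider(SAMPLE_JAVA_SECURITY))
```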

Creating a keystore database for the LDAP server's SSL certificate:


Use the IBM IKeyMan utility on IBM AIX, Linux, Microsoft Windows, or Sun Solaris to create a key database on the IBM Lotus Sametime server; the key database will store a copy of the LDAP server's SSL certificate. Note that you do not need to create a key database on IBM i5/OS.

Before you begin

Note: This procedure does not apply to IBM i5/OS because the keystore database is not used by Lotus Sametime on i5/OS.

The keystore database that you create for storing the LDAP server's SSL certificate is different from the keystore file used for storing the Lotus Domino server's SSL certificate and must use a different file name.

About this task

Create the keystore database by completing the following steps:

1. Start the IBM IKeyMan utility:
a. Open a command prompt and navigate to the Sametime_install_root/IBM/gsk6/bin directory. The default installation path for Lotus Sametime is as follows:
- AIX: /opt/ibm/lotus/notes/latest/ibmpow
- Linux: /opt/ibm/lotus/notes/latest/linux
- Solaris: /opt/ibm/lotus/notes/latest/sunspa
- Windows: C:\Lotus\Domino
b. Run the gsk6ikm program.
2. From the IKeyMan utility's menu, click Key Database File > New.
3. In the "New" dialog box, fill in the following fields and click OK:
Option: Key database type
Description: CMS key database file
Note: You will not be able to select the CMS key database unless you have added com.ibm.spi.IBMCMSProvider to the java.security file, as you were instructed to when you installed GSKit and IKeyMan.

Option: File name
Description: key.kdb
Note: If you enabled the HTTPS protocol, make sure that this keystore database's file name is different from that file name, to avoid conflicts.

Option: Location
Description: Enter the path to the Sametime_install_root (shown in Step 1)

4. In the "Password" dialog box, fill in the following fields and click OK:

Option: Password
Description: Enter the password you will use for accessing this keystore database.

Option: Confirm password
Description: Confirm the password by typing it again.

Option: Stash the password to a file?
Description: Click this option to enable it.


A message appears, indicating that the password is encrypted and saved in the location Sametime_install_root/key.sth.

Importing a copy of the LDAP server's trusted root certificate


Import a copy of the LDAP server's trusted root SSL certificate into the keystore database on the IBM Lotus Sametime server to encrypt communications between Lotus Sametime and the LDAP server.

Before you begin


When the key.kdb database is created, it contains several trusted root (or "signer") certificates by default. If a trusted root certificate used by the LDAP server exists in the key.kdb database by default, then you can skip this procedure. If the key.kdb database does not contain an appropriate trusted root certificate by default, you must obtain a trusted root certificate from the appropriate CA and add it to the key.kdb database.

About this task


The procedure for importing the trusted root certificate depends on your operating system:

Importing a trusted root certificate on AIX, Linux, Solaris:

To enable SSL between IBM Lotus Sametime running on IBM AIX, Linux, or Solaris and an LDAP server, import the server's trusted root certificate into the key database.

Before you begin

Make sure you have copied one of the following certificates from the server into the Lotus Sametime server's data directory:

- CA.txt (the trusted root certificate)
- Server.txt (the SSL server certificate)

About this task

Follow the steps below to import the SSL certificate into the key database on the Lotus Sametime server:

1. Verify that the ikeyman.sh file's SAMETIME_HOME variable specifies the correct path for your server's installation directory, modifying it as needed. The default installation directories for Lotus Sametime are as follows:
- AIX: /opt/ibm/lotus/notes/latest/ibmpow
- Linux: /opt/ibm/lotus/notes/latest/linux
- Solaris: /opt/ibm/lotus/notes/latest/sunspa
2. Make sure the ikeyman.sh file has execute privileges.
3. Start the ikeyman.sh utility. The ikeyman.sh utility requires a graphical interface. If you run it in a text-only terminal, be sure to redirect the display to an X Windows session.
4. Click the Add button.
5. In the "Add CA's certificate from a File" dialog box, do the following:
a. Verify that Base64-encoded ASCII data is selected as the "Data type".

b. Set the Certificate file name to the name of the text file (for example, CA.txt) into which you copied the certificate.
c. Set the Location to the location to which you transferred the CA.txt file in the previous procedure (for example, /local/notes/data).
d. Click OK.
6. Close IKeyMan after the file is imported successfully.

Importing a trusted root certificate on i5/OS:

To enable SSL between IBM Lotus Sametime running on IBM i5/OS and an LDAP server, import the server's trusted root certificate into the keystore file.

Before you begin

Make sure you have copied one of the following certificates from the server into the Lotus Sametime server's data directory:

- CA.txt (the trusted root certificate)
- Server.txt (the SSL server certificate)

About this task

Follow the steps below to import the SSL certificate into the keystore file on the Lotus Sametime server:

1. From an i5/OS command line, run the following command to start qshell:
strqsh

2. From qshell, run the following keytool command:

keytool -import -alias certificate_name -file certificate_filename -storepass keystore_password -keystore keystore_path_and_filename

Where:

- certificate_name is CA.txt
- certificate_filename is also CA.txt
- keystore_password is "sametime." Note: On i5/OS versions of Sametime, the keystore is called "stkeys.jks" and uses "sametime" as the default password
- keystore_path_and_filename is stserver/data/stkeys.jks

Example:
keytool -import -alias stserver1cert -file /stserver/data/CA.txt -storepass sametime -keystore /stserver/data/stkeys.jks

3. After you have imported the certificate, use the following command to view the list of certificates in the stkeys.jks file and verify that the certificate was imported successfully:
keytool -list -storepass keystore_password -keystore keystore_path_and_filename

Example:
keytool -list -storepass sametime -keystore /stserver/data/stkeys.jks

4. Press F3 to exit qshell.


Importing a trusted root certificate on Windows:

To enable SSL between IBM Lotus Sametime running on Microsoft Windows and an LDAP server, import the server's trusted root certificate into the key database.

Before you begin

Make sure you have copied one of the following certificates from the server into the Lotus Sametime server's data directory:

- CA.txt (the trusted root certificate)
- Server.txt (the SSL server certificate)

About this task

Follow the steps below to import the SSL certificate into the key database on the Lotus Sametime server:

1. Open a command prompt and navigate to the Sametime_install_root\IBM\gsk6\bin directory. The default installation path for Lotus Sametime is C:\Lotus\Domino.
2. Start the IKeyMan utility by running the gsk6ikm.exe program.
3. Browse to and select the key.kdb key database.
4. Enter the password required to access this file.
5. In the "Key database content" area, select Signer certificates.
6. Click the Add button.
7. In the "Add CA's certificate from a File" dialog box, do the following:
a. Verify that Base64-encoded ASCII data is selected as the "Data type".
b. Browse to and select the SSL certificate you want to import.
c. Click OK.
8. In the "Enter a Label" dialog box, do the following:
a. Type a label for the certificate. This label identifies the certificate in the Signer Certificates list of the IBM IKeyMan program.
b. Click OK. The new certificate's label appears in the list of Signer Certificates.
9. Close the key database.
10. Close the IKeyMan utility.

Configuring Directory Assistance for SSL


Modifying the IBM Lotus Domino Directory Assistance document is required when you use SSL to encrypt data transmitted between IBM Lotus Sametime and the LDAP server.

About this task


In this procedure, you modify the Directory Assistance document for the LDAP server to ensure that the connection between the Sametime server and the LDAP server is encrypted using SSL.

1. From a Lotus Notes client, open the Directory Assistance database da.nsf.
a. Click File > Database > Open.
b. For the Server, select Local.

c. Select the Directory Assistance database (da.nsf).
d. Click Open.
2. In the Directory Assistance database, double-click the Directory Assistance document for the LDAP server to open the document.
3. Click Edit Directory Assistance.
4. Next, click the Basics tab.
5. In the Make this domain available to: field, select Notes Clients & Internet Authentication/Authorization.
6. Now click the LDAP tab.
7. Fill in the following fields:
Option: Channel encryption
Description: Select SSL.

Option: Port
Description: Specify the same port that appears in the LDAP SSL port field of the "LDAP Directory - Connectivity" options in the Sametime Administration Tool. This port is the one on which the LDAP server listens for SSL connections; the default is port 636.

Option: Accept expired SSL certificates
Description: Select Yes (the default setting) to accept a certificate from the LDAP directory server, even if the certificate has expired. For tighter security, select No to require the Sametime server to check certificate expiration dates. If the certificate presented by the LDAP server has expired, the connection is terminated.

Option: SSL protocol version
Description: Select the version number of the SSL protocol to use. The choices are:
- V2.0 only - This setting allows only SSL 2.0 connections.
- V3.0 handshake - This setting attempts an SSL 3.0 connection. If this connection attempt fails but Sametime detects that SSL 2.0 is available on the LDAP server, Sametime attempts the connection using SSL 2.0.
- V3.0 only - This setting allows only SSL 3.0 connections.
- V3.0 and V2.0 handshake - This setting attempts an SSL 3.0 connection, but starts with an SSL 2.0 handshake that displays relevant error messages. This setting is used to receive V2.0 error messages when trying to connect to the LDAP server. These error messages might provide information about any compatibility problems found during the connection.
- Negotiated - This setting allows SSL to determine the handshake and protocol version required.

Option: Verify server name with remote server's certificate
Description: Select Enabled (the default setting) to verify the server name with the remote server's certificate. If Enabled is selected, the Sametime server verifies the name of the LDAP server with the remote server's certificate. If the names do not match, the connection is terminated. For more relaxed security, select Disabled (the server name is not verified with the certificate).

8. Click Save and Close to close the Directory Assistance document. 9. Close the Directory Assistance database.

Connecting Lotus Sametime to the LDAP server


Enable SSL encryption for connections between IBM Lotus Sametime and the LDAP server.

1. Configure LDAP connectivity settings in the Sametime Administration Tool as follows:
a. From the Lotus Sametime server's home page, click the Administer the Server link to open the Sametime Administration Tool.
b. Click LDAP Directory > Connectivity.
c. In the Host name or IP address of the LDAP server list, select the name of the LDAP server.
d. Click the option called Use SSL to authenticate and encrypt the connection between the Sametime server and the LDAP server.
e. In the LDAP SSL port field, specify the port on which the LDAP server is listening for SSL LDAP connections (the default is port 636).
f. Click Update.
g. Close the Sametime Administration Tool.
At this point, you have enabled SSL encryption for all data that is transmitted between the Lotus Sametime server and the LDAP server.
2. (Optional) To improve performance, you may choose to loosen security and encrypt only user credentials as follows:
a. Open the sametime.ini file (located in the Lotus Sametime installation directory).
b. Locate the [Directory] section within the file.
c. Add the following setting:
ST_DB_LDAP_SSL_ONLY_FOR_PASSWORDS=1

d. Save and close the file.
3. Restart the Lotus Sametime server.

Encrypting the UserInfo servlet


If your IBM Lotus Sametime deployment uses SSL encryption when communicating with the LDAP server, you can additionally choose to encrypt the UserInfo servlet.


About this task


This configuration is necessary to enable the Business Card feature when you have chosen to encrypt all data transmitted between the Lotus Sametime server and the LDAP server, where the Business Card data is stored.

1. Open a command prompt and navigate to the following directory:
- AIX, i5/OS, Linux, Solaris: the Lotus Sametime server's data directory
- Windows: the Lotus Sametime server's installation directory
2. Open the UserInfoConfig.xml file in an editor and make the following changes:
a. Locate the <ReadStConfigUpdates> tag and set to value="false". The statement should look like this:
<ReadStConfigUpdates value="false"/>

If this statement is not in the file, add it now; place it between the <UserInformation> and <Resources> tags so that it looks like this:
<UserInformation>
    <ReadStConfigUpdates value="false"/>
    <Resources>

b. Locate the <StorageDetails> tag and set the following values:

SslEnabled="true"
SslPort="636"

Use the value of the port that your LDAP server listens on for SSL communications (the default is port 636). c. In the <SslProperties> tag, set the following values:
<SslProperties KeyStorePath="C:\Lotus\Domino\jvm\bin\key.jks_OR_stkeys.jks" KeyStorePassword="password"/>

Where:

- KeyStorePath indicates the path to where the keystore database is stored. On Windows and i5/OS, the file is named stkeys.jks; on AIX, Linux, and Solaris, the file is named keys.jks.
- KeyStorePassword indicates the password you created for accessing the keystore database.

3. Save and close the file.
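The three edits to UserInfoConfig.xml above are easy to get wrong by hand (the ReadStConfigUpdates element must sit before Resources, and the SSL port must match the one the LDAP server listens on). The following Python helper is an added example, not part of this guide or of IBM's software: it applies all three settings, adds ReadStConfigUpdates when it is missing, and reads the settings back for verification. The element layout in SAMPLE_CONFIG is constructed and simplified; only the tag and attribute names given in the procedure are assumed, and the keystore path and password are placeholders.

```python
"""Apply the UserInfo servlet SSL settings to UserInfoConfig.xml.

Added example, not IBM's code. It performs the edits the procedure
describes: <ReadStConfigUpdates value="false"/> as the first child of
<UserInformation> (added if missing), SslEnabled/SslPort on
<StorageDetails>, and KeyStorePath/KeyStorePassword on <SslProperties>.
The surrounding element layout is assumed; only the tags and attributes
named in the guide are relied on.
"""
import xml.etree.ElementTree as ET

# Constructed sample of a config before the edit: no ReadStConfigUpdates
# element, SSL disabled, no keystore configured. Host name is a placeholder.
SAMPLE_CONFIG = """<UserInformation>
  <Resources>
    <Storage type="LDAP">
      <StorageDetails HostName="ldap.example.com" Port="389"
                      SslEnabled="false" SslPort="636"/>
      <SslProperties KeyStorePath="" KeyStorePassword=""/>
    </Storage>
  </Resources>
</UserInformation>
"""


def enable_userinfo_ssl(xml_text, keystore_path, keystore_password, ssl_port=636):
    """Return the config text with the UserInfo servlet SSL settings applied."""
    root = ET.fromstring(xml_text)
    if root.tag != "UserInformation":
        raise ValueError("root element is not <UserInformation>")

    # Step 2a: ReadStConfigUpdates value="false", placed before <Resources>.
    rsc = root.find("ReadStConfigUpdates")
    if rsc is None:
        rsc = ET.Element("ReadStConfigUpdates")
        root.insert(0, rsc)
    rsc.set("value", "false")

    # Step 2b: StorageDetails SslEnabled="true" and the LDAP SSL port.
    details = root.find(".//StorageDetails")
    if details is None:
        raise ValueError("<StorageDetails> not found")
    details.set("SslEnabled", "true")
    details.set("SslPort", str(ssl_port))

    # Step 2c: SslProperties keystore path and password.
    ssl_props = root.find(".//SslProperties")
    if ssl_props is None:
        raise ValueError("<SslProperties> not found")
    ssl_props.set("KeyStorePath", keystore_path)
    ssl_props.set("KeyStorePassword", keystore_password)

    return ET.tostring(root, encoding="unicode")


def read_ssl_settings(xml_text):
    """Return the settings the procedure cares about, for verification."""
    root = ET.fromstring(xml_text)
    rsc = root.find("ReadStConfigUpdates")
    details = root.find(".//StorageDetails")
    props = root.find(".//SslProperties")
    return {
        "read_updates": rsc.get("value") if rsc is not None else None,
        "read_updates_first": len(root) > 0 and root[0].tag == "ReadStConfigUpdates",
        "read_updates_count": len(root.findall("ReadStConfigUpdates")),
        "ssl_enabled": details.get("SslEnabled") if details is not None else None,
        "ssl_port": details.get("SslPort") if details is not None else None,
        "keystore_path": props.get("KeyStorePath") if props is not None else None,
    }


if __name__ == "__main__":
    # Placeholder keystore path and password; substitute your own values.
    print(enable_userinfo_ssl(SAMPLE_CONFIG, "/stserver/data/stkeys.jks", "CHANGE_ME"))
```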


Chapter 25. Deploying multiple Sametime servers


This topic provides an overview of issues related to deploying multiple IBM Lotus Sametime servers.

To support a large or geographically distributed community of IBM Lotus Sametime server users, it is usually necessary to deploy multiple Sametime servers. This section discusses the issues associated with deploying multiple Sametime servers, including:

- About Sametime server clustering
- Advantages of using multiple Sametime servers
- Installing a Sametime server into an existing Sametime community
- Synchronizing the Sametime server with other Sametime servers
- Extending Sametime to Internet users
- Extending a single Sametime community across multiple Domino domains

About Sametime server clusters


This topic discusses deploying multiple IBM Lotus Sametime servers without clustering them.

Sametime includes the concept of Sametime server clustering. You can create Sametime Community Services server clusters to support server failover and load balancing for large populations of Community Services users and Sametime Meeting Services clusters to support server failover and load balancing for large populations of Meeting Services users. Creating a Meeting Services cluster requires you to deploy an application called the IBM Lotus Enterprise Meeting Server.

This chapter discusses how to deploy multiple Sametime servers without creating Sametime server clusters. If you are interested in creating a multiple server environment in which the Sametime servers are clustered, see Introduction to Sametime Server Clusters and the Enterprise Meeting Server.

Advantages of using multiple Sametime servers


This topic discusses the advantages of using multiple IBM Lotus Sametime servers in a deployment.

You can install multiple Sametime servers to:

- Spread the load of a large user population among multiple servers.
- Reduce network usage and improve server performance when you have significant user populations in remote or distributed locations. When multiple Sametime servers are installed, you can synchronize the Sametime servers to operate as a single Sametime community.

Copyright IBM Corp. 2007, 2009

437

- You can specify different home Sametime servers for members of the Sametime community.

Advantages of multiple "home" Sametime servers


If you install multiple Sametime servers, you can assign different "home" Sametime servers for users in the community. Specifying different home Sametime servers for Sametime community members allows you to spread the load of a large number of users among the Community Services of multiple Sametime servers.

The "home" Sametime server is the server to which each user connects for the online presence (or awareness) and chat functionality supported by the Community Services. After installing a new Sametime server, you can assign specific users to the new server by entering the name of the new Sametime server in the Sametime server field in each user's Person document.

All users in the community will have presence and chat capabilities with all other users, even though they connect to different "home" Sametime servers to get this functionality. Server-to-server connections among the Community Services of the multiple Sametime servers ensure that all users in the community have presence and chat capabilities with all other users.

For more information on the purpose of the "home" Sametime server, see Connecting to the home Sametime server.

Note: Sametime also provides a Community Services clustering solution to support large populations of Community Services users. For more information, see Community Services cluster setup procedures.

Integrating a Sametime server into an existing Sametime community


This topic provides an overview of the tasks involved in integrating a new IBM Lotus Sametime server into an existing Sametime community. The basic processes and issues involved with integrating a new Sametime server into an existing Sametime community include:
v Installing a Sametime server into an existing Sametime community
v Managing administration settings for multiple Sametime servers
v Configuring ports for server-to-server connections
v Synchronizing the Sametime server with other Sametime servers
  - Directory management for multiple Sametime servers
  - Assigning users to the new Sametime server (setting the home Sametime server)

Installing a Sametime server into an existing Sametime community


Installing the IBM Lotus Sametime server software is the first procedure you must perform when integrating a new Sametime server into an existing Sametime community. Before you install the new Sametime server, decide whether you want the server to be accessed by Internet and intranet clients or intranet clients only. If you want the server to be accessed by both Internet and intranet clients, you should install the Sametime server software on a computer that is located in the network DMZ (outside the firewall that protects the corporate intranet). For more information, see Extending Sametime to Internet users.

Managing administration settings for multiple Sametime servers


When you have a multiple IBM Lotus Sametime server environment, there are specific administration settings that must be kept consistent across all Sametime servers in the Sametime community. The administrator can use the Sametime Administration Tool on each Sametime server to manually configure the settings on each Sametime server so that the settings specify the same values on all servers in the community.

Attention: Do not replicate the entire Configuration database (stconfig.nsf) among the Sametime servers. Some documents in the Configuration database contain the IP address or host name of a Sametime server. Replication of these parameters to a different Sametime server will prevent that server from functioning properly.

The administration settings that must have the same values on all Sametime servers in the community are listed below. It is mandatory that some of these settings are consistent on all Sametime servers in the community. For others, it is recommended (but not mandatory) that you keep consistent settings across all Sametime servers in the community.

Administration settings that must be consistent on all Sametime servers in a community


It is mandatory that the administration settings below have the same values on all Sametime servers in a community. If these settings are not consistent across all servers, the servers may not function properly or end users may experience unexpected behavior when attending meetings on invited servers.

Community Services settings


In the Configuration - Community Services tab of the Sametime Administration Tool, the following settings must specify the same values on all Sametime servers in the community:
v Number of entries on each page in dialog boxes that show names in the directory
v How often to poll for new names added to the directory
v How often to poll for new servers added to the Sametime community
v Maximum user and server connections
v Allow users to authenticate
v Allow users to transfer files to each other
v Allow users to send announcements
For more information on the settings above, see Community Services configuration settings.

In the Configuration - Community Services - Anonymous Access tab of the Sametime Administration Tool, the following settings must specify the same values on all Sametime servers in the community:
v Anonymous users can participate in meetings or enter virtual places
v Users of Sametime applications (databases such as stconf.nsf or Web sites) can specify a display name so that they do not appear online as "anonymous"
  - Default domain name for anonymous users
  - Default name
  - Accepting default name
v Users cannot browse or search the Directory
v Users can type names (resolve users and groups) to add them to an awareness list
v Users can browse the directory (see a list of names) or type names (resolve users and groups)
v Users can browse the directory to see group content and names, or type names (resolve users and groups)
For more information on the settings above, see Anonymous Access Settings for Community Services.

LDAP Directory settings


If your community of users is defined in an LDAP directory (or directories), all LDAP Directory configuration settings must be consistent on all Sametime servers in the community:
v LDAP Directory - Connectivity settings
v LDAP Directory - Basics settings
v LDAP Directory - Authentication settings
v LDAP Directory - Searching settings
v LDAP Directory - Group Content settings
v LDAP Directory - Add Administrator
v LDAP Directory - Access Control
v LDAP Directory - Name Change Tasks
For more information on these settings, see LDAP directory settings.

Administration settings that should be consistent on all Sametime servers in a community


If the settings below are not consistent on all Sametime servers in the community, the servers will continue to function. Although it is not mandatory to keep these settings consistent among servers, it is recommended that you do so, to ensure consistency of end-user functionality and logging functions across all servers in your Sametime community.

Community Services settings


In the Configuration - Community Services tab of the Sametime Administration Tool, the following settings should be consistent on all Sametime servers in the community:
v Allow Connect users to save their user name, password, and proxy information (automatic login)
v Display the "Launch Sametime Connect for browsers" link on the Sametime home page
v Display the "Launch Sametime Connect for the desktop" link on the Sametime home page
v Allow authenticated users to transfer files to each other
v Allow users to send announcements
For more information on the settings above, see Community Services configuration settings.

Logging settings
Note: Logging settings for Meetings do not apply to Sametime Entry or Sametime Limited Use.

In the Logging Settings - General tab of the Sametime Administration Tool, the following settings should be consistent on all Sametime servers in the community:
v Community Server events to log
  - Successful logins
  - Failed logins
  - Community Server events and activities
  - File transfers
v Meeting Server events to log
  - Failed meeting authentications
  - Client connections
  - Connection to other meeting servers in this community
  - Meeting events
  - Meeting server events and activities
For more information on the settings above, see General log settings on page 366.

In the Logging Settings - Capacity Warnings tab of the Sametime Administration Tool, the following settings should be consistent on all Sametime servers in the community:
v Capacity Warnings - Sharing in Instant Meetings
  - Number of active screen sharing/whiteboard meetings exceeds
  - Number of people in all screen sharing/whiteboard meetings exceeds
  - Number of people in one active screen sharing/whiteboard meeting exceeds
v Capacity Warnings - Sharing in Scheduled Meetings
  - Number of active screen sharing/whiteboard meetings exceeds
  - Number of people in all screen sharing/whiteboard meetings exceeds
  - Number of people in one active screen sharing/whiteboard meeting exceeds

Next step: After you ensure that the administrative settings are consistent for the new Sametime server, verify that the appropriate ports are open for communication between the two servers. See Configuring ports for server-to-server connections.
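Checking the settings above by hand on every server is error-prone, and a drift between servers is exactly the kind of problem that only shows up as odd end-user behaviour later. The following script is an added example, not code from the IBM guide or from the Sametime product. The setting keys and the two server configurations are constructed sample data; the split into mandatory and recommended groups follows the lists in this topic, and per-server values such as host name and IP address (which the guide says must never be replicated between servers) are deliberately skipped.

```python
"""Consistency audit for Sametime administration settings across servers.

Added example, not part of the IBM guide. Compares the settings that the
guide lists as mandatory or recommended across all servers in a community
and reports every setting whose value differs. Setting keys, server names
and values below are constructed sample data, not real Sametime fields.
"""

# Settings the guide says MUST match on every server in the community.
MANDATORY = {
    "community.directory_page_entries",
    "community.poll_new_names_minutes",
    "community.poll_new_servers_minutes",
    "community.max_user_server_connections",
    "community.allow_users_to_authenticate",
    "community.allow_file_transfer",
    "community.allow_announcements",
    "anonymous.can_participate",
    "anonymous.default_domain",
    "ldap.connectivity",
    "ldap.basics",
    "ldap.authentication",
    "ldap.searching",
    "ldap.group_content",
}

# Settings the guide says SHOULD match (servers keep working if they differ).
RECOMMENDED = {
    "community.automatic_login",
    "community.show_connect_for_browsers_link",
    "community.show_connect_for_desktop_link",
    "logging.community.successful_logins",
    "logging.community.failed_logins",
}

# Values that belong to one server only and must NOT be copied between
# servers (the guide warns against replicating stconfig.nsf for this reason).
PER_SERVER = {"connectivity.host_name", "connectivity.ip_address"}


def find_inconsistencies(servers):
    """Return {setting: {server: value}} for every setting whose value differs.

    `servers` maps a server name to a flat dict of setting -> value. A setting
    that is missing on one server is reported with the value None, because a
    missing value is still a difference. Per-server settings are ignored.
    """
    names = set()
    for cfg in servers.values():
        names.update(cfg)
    names -= PER_SERVER

    drift = {}
    for setting in sorted(names):
        values = {srv: cfg.get(setting) for srv, cfg in servers.items()}
        # repr() lets unhashable values such as dicts be compared as well
        if len(set(map(repr, values.values()))) > 1:
            drift[setting] = values
    return drift


def classify(drift):
    """Split drift into mandatory violations, recommended warnings and other."""
    out = {"mandatory": {}, "recommended": {}, "other": {}}
    for setting, values in drift.items():
        if setting in MANDATORY:
            out["mandatory"][setting] = values
        elif setting in RECOMMENDED:
            out["recommended"][setting] = values
        else:
            out["other"][setting] = values
    return out


# Constructed sample data for two servers of one community.
SAMPLE = {
    "sametime1/east/acme": {
        "community.poll_new_servers_minutes": 10,
        "community.allow_file_transfer": True,
        "anonymous.can_participate": False,
        "ldap.connectivity": {"host": "ldap.example.com", "port": 389},
        "community.automatic_login": True,
        "connectivity.host_name": "sametime1.example.com",
    },
    "sametime2/west/acme": {
        "community.poll_new_servers_minutes": 10,
        "community.allow_file_transfer": False,   # mandatory setting drifted
        "anonymous.can_participate": False,
        "ldap.connectivity": {"host": "ldap.example.com", "port": 389},
        "community.automatic_login": False,       # recommended setting drifted
        "connectivity.host_name": "sametime2.example.com",
    },
}

if __name__ == "__main__":
    report = classify(find_inconsistencies(SAMPLE))
    for level in ("mandatory", "recommended", "other"):
        for setting, values in report[level].items():
            print(f"[{level}] {setting}: {values}")
```

Run against the sample data it reports one mandatory difference (file transfer) and one recommended difference (automatic login); the differing host names are not reported because they are expected to differ.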


Configuring ports for server-to-server connections


When multiple IBM Lotus Sametime servers are installed in an IBM Lotus Domino environment, the Sametime servers must be able to communicate on specific ports.

Note: If you are deploying a Sametime server in the network DMZ for access by Internet users, see Extending Sametime to Internet users for more information about the firewall configurations required to support communications between the two servers.

Ports required for communication between Sametime servers


Note: Ports for Meetings do not apply to Sametime Entry, Sametime Limited Use, or versions of Sametime that do not support web conferencing.

The table below lists the ports on which Sametime servers communicate with each other. When these ports are open, Community Services and Meeting Services data can pass between the two servers, and one Sametime server can invite the other to a meeting.

Port 1503
    Port 1503 is the default "Meeting Server port for server connections." This port is configurable from the Configuration - Connectivity - Network and Port Settings - Meeting Services Network options in the Sametime Administration Tool. The "Meeting Server port for server connections" setting must be set to the same port number for the Sametime servers. The servers must communicate on TCP/IP port 1503 to exchange Meeting Services data.

Port 1516
    The Community Services listen for direct TCP/IP connections from the Community Services of other Sametime servers on this port. If you have installed multiple Sametime servers, this port must be open for presence, chat, and other Community Services data to pass between the servers. The communications that occur on this port also enable one Sametime server to start a meeting on another server (or "invite" the other server to the meeting).

Port 1352
    The servers must be able to communicate on port 1352 for replication to occur between the Sametime servers. This is the port used for Notes and Domino Remote Procedure Calls (RPCs).
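Before synchronizing a new server it is worth confirming from the server itself that the three ports above are actually reachable, rather than discovering a blocked port when replication or presence fails. The following script is an added example, not code from the IBM guide; the host name sametime-dmz.example.com is a placeholder, and the local listener helper exists only so the check can be exercised offline. It attempts a TCP handshake to ports 1516, 1503 and 1352 and lists the ones that did not answer; it cannot say why a port is blocked, only that the connection did not complete.

```python
"""Reachability check for the ports Sametime servers use between themselves.

Added example, not from the IBM guide. Attempts a TCP connection to each
server-to-server port the guide lists and reports which ones are reachable,
so an administrator can verify the firewall rules before synchronizing a new
server. The host name used in __main__ is a constructed placeholder.
"""
import socket
import threading

# Port numbers come from the guide; the descriptions are abbreviated here.
SERVER_TO_SERVER_PORTS = {
    1516: "Community Services server-to-server (presence, chat, invitations)",
    1503: "Meeting Services server-to-server (T.120 data)",
    1352: "Notes RPC (replication, Notes client access)",
}


def tcp_port_open(host, port, timeout=2.0):
    """Return True if a TCP handshake with host:port completes within timeout."""
    try:
        with socket.create_connection((host, port), timeout=timeout):
            return True
    except OSError:          # refused, timed out, unreachable, name lookup failed
        return False


def audit_ports(host, ports=SERVER_TO_SERVER_PORTS, timeout=2.0):
    """Return {port: reachable} for every port in `ports`."""
    return {port: tcp_port_open(host, port, timeout) for port in ports}


def missing_ports(result, ports=SERVER_TO_SERVER_PORTS):
    """List the ports from `ports` that the audit found unreachable."""
    return sorted(p for p in ports if not result.get(p))


def start_local_listener():
    """Start a throwaway listener on 127.0.0.1 so the check can run offline.

    Returns (port, listening socket); close the socket to stop the listener.
    Used only to demonstrate the check without a real Sametime server.
    """
    srv = socket.socket(socket.AF_INET, socket.SOCK_STREAM)
    srv.bind(("127.0.0.1", 0))   # port 0: let the OS pick a free port
    srv.listen(5)
    port = srv.getsockname()[1]

    def accept_loop():
        while True:
            try:
                conn, _ = srv.accept()
            except OSError:      # listener was closed
                return
            conn.close()

    threading.Thread(target=accept_loop, daemon=True).start()
    return port, srv


if __name__ == "__main__":
    dmz_host = "sametime-dmz.example.com"   # placeholder, not a real host
    result = audit_ports(dmz_host)
    for port, ok in result.items():
        state = "open" if ok else "BLOCKED"
        print(f"{port:5d} {state:8s} {SERVER_TO_SERVER_PORTS[port]}")
    print("unreachable:", missing_ports(result))
```

Run it from the internal server against the DMZ server and again in the other direction, because the firewall tables later in this chapter distinguish outbound-only from bidirectional rules (port 1503 in particular), and a one-sided check cannot tell those apart.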

Synchronizing the Sametime server with other Sametime servers


When multiple Sametime servers are installed, you must synchronize the Sametime servers to operate as a single community.


About this task


Synchronizing multiple Sametime servers to operate as a single community involves the following tasks:
v Directory management for multiple Sametime servers
v Assigning users to the new Sametime server (setting the home Sametime server)

Domino Directory management for multiple Sametime servers


This topic discusses managing IBM Lotus Domino Directories for multiple IBM Lotus Sametime servers. After you have installed a new Sametime server, the administrator should determine how to manage the Directory for the Sametime community. Use these recommendations to manage Domino Directories in multiple Sametime server environments:
v If the Sametime server is installed into a Domino environment that uses only a single Domino Directory, the Directory in which all Sametime servers are registered must be replicated to each Sametime server.
v If the Sametime server is installed into a Domino environment that uses multiple Domino Directories, the primary Domino Directory (the Directory in which the Sametime server is registered) should be replicated to the Sametime server. Directory Assistance should be set up on the Sametime server to access the other Domino Directories of interest in the environment. The Sametime server can use Domino Directory Assistance to obtain all needed Directory information from the other Directories used in the environment. Ideally, the Directory Assistance database should point to a Directory server that is dedicated to providing Directory services. However, it is not a requirement that Directory servers be used in a Sametime community that includes multiple Sametime servers. For information on setting up Directory Assistance on the Sametime server, see your Domino server Administration documentation. Use the same procedures to set up Directory Assistance on a Sametime server that you use to set up Directory Assistance on a Domino server. The Domino Administration documentation is available from the Documentation Library at the following Internet location: http://www.lotus.com/ldd/doc (and also in the Help subdirectory of the Domino server on which Sametime is installed).
v Optionally, in a Domino environment that uses multiple Domino Directories, an Extended Server Directory Catalog can be set up on the Sametime server to enable the server to access Directory information from all directories of interest in the environment. For more information on setting up an Extended Server Directory Catalog for use with Sametime, see Alternate ways to share Directory information across domains.
For more information about the Directory issues relevant to extending a single Sametime community across multiple Domino domains, see Extending a single Sametime community across multiple Domino domains.

Next step: After determining your directory management strategy, assign users to the new Sametime server.


Assign users to the new Sametime server (setting the home Sametime server)
This topic discusses how the IBM Lotus Sametime administrator can assign users to a new Sametime server, which designates that server as the user's "home" server. To assign a user to the new Sametime server, enter the Sametime server name in the Sametime server field in the Real-Time Collaboration section of a user's Person document in the Domino Directory. This field identifies the "home" Sametime server of each user.

Note: Only a portion of the users in your environment should be assigned to the new Sametime server. For load balancing purposes, you should assign an equal number of users to each Sametime server in your environment. The network proximity of the user to the server is also a consideration when assigning users to a home Sametime server. Generally, you should assign the user to the closest Sametime server on the network. For more information on the home Sametime server, see Connecting to the Home Sametime server.

To specify a home Sametime server, open the Domino Directory (Address Book), go to the Real-Time Collaboration section of each user's Person document, and enter the name of a Sametime server in the Sametime server field. If necessary, you can create a simple agent to automate the process of populating the Sametime server field in each user's Person document with the name of a Sametime server. When entering the name of the Sametime server in the Sametime server field on the Person document, you can enter the name of the Sametime server in the Domino hierarchical name format (for example sametime/west/acme). The Sametime server field automatically converts the name to the full canonical name format. For example, if you enter sametime/west/acme in the "Sametime server" field, the server name is stored as cn=sametime/ou=west/o=acme unless, for example, the name is populated by an agent. It is advisable to enter the server name using the full hierarchical name format.
Community services reads the server name from the Servers view ($Servers) of the Domino Directory. The name entered in the Sametime server field on the Person document must match the name of the Sametime server as it appears in the Servers view of the Domino Directory. If you are using an agent to populate the home Sametime server field, ensure that the agent specifies the full canonical name of the Sametime server. Note also that a Sametime Connect client's Sametime Connectivity settings should specify the same Sametime server as the Sametime server field on that user's Person document. In the Sametime Connect client's Sametime Connectivity settings, the server name must be specified using the DNS name or IP address of the Sametime server (for example, sametime.acme.com or 111.111.111.111).
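Because Community Services resolve the home server only when the field value matches the $Servers view, an agent that populates the field is worth auditing afterwards, and the same pass can show whether users are spread evenly as the note above recommends. The following script is an added example, not code from the IBM guide and not a Domino agent; the user names, server names and field values are constructed samples, and to_canonical implements only the CN/OU/O case shown in this topic (no country component). It converts abbreviated names to canonical form, flags assignments that match no server in the view or are empty, and counts users per home server.

```python
"""Audit of the "Sametime server" (home server) field in Person documents.

Added example, not from the IBM guide and not a Domino agent. Community
Services resolve the home server by matching the field against the $Servers
view, so this script converts each field value to Domino canonical form,
flags values that match no server, and counts users per server so uneven
load is visible. All user names, server names and field values below are
constructed sample data.
"""
from collections import Counter


def to_canonical(name):
    """Convert an abbreviated hierarchical name to canonical form.

    'sametime/west/acme' -> 'CN=sametime/OU=west/O=acme'. A name that already
    carries component labels is returned with the labels upper-cased.
    Assumption made by this example: the first component is CN, the last is
    O and anything between is OU; country (C=) components are not handled.
    """
    parts = [p.strip() for p in name.split("/") if p.strip()]
    if not parts:
        return ""
    if all("=" in p for p in parts):
        pairs = (p.split("=", 1) for p in parts)
        return "/".join(f"{k.strip().upper()}={v.strip()}" for k, v in pairs)
    labeled = [f"CN={parts[0]}"]
    labeled += [f"OU={p}" for p in parts[1:-1]]
    if len(parts) > 1:
        labeled.append(f"O={parts[-1]}")
    return "/".join(labeled)


def audit_home_servers(person_docs, servers_view):
    """Check every user's home-server field against the $Servers view.

    person_docs: {user name: value of the "Sametime server" field, or None}
    servers_view: canonical server names as listed in the $Servers view
    Returns (counts, problems): users per canonical server name, and a dict
    of user -> reason for every assignment that cannot be resolved.
    Matching is case-insensitive, since labels may be stored in lower case.
    """
    known = {to_canonical(s).lower(): to_canonical(s) for s in servers_view}
    counts = Counter()
    problems = {}
    for user, value in person_docs.items():
        if not value:
            problems[user] = "no home Sametime server set"
            continue
        match = known.get(to_canonical(value).lower())
        if match is None:
            problems[user] = f"'{value}' does not match any server in $Servers"
            continue
        counts[match] += 1
    return counts, problems


def imbalance(counts):
    """Difference between the most and least loaded server (0 means even)."""
    return max(counts.values()) - min(counts.values()) if counts else 0


# Constructed sample data: two servers in the $Servers view, five users.
SERVERS_VIEW = ["CN=sametime1/OU=east/O=acme", "CN=sametime2/OU=west/O=acme"]

PERSON_DOCS = {
    "Ann Able/east/acme": "sametime1/east/acme",           # abbreviated form
    "Bob Baker/east/acme": "CN=sametime1/OU=east/O=acme",  # canonical form
    "Cy Cole/west/acme": "cn=sametime2/ou=west/o=acme",    # lower-case labels
    "Di Dale/west/acme": "sametime3/west/acme",            # no such server
    "Ed Earl/west/acme": None,                             # field is empty
}

if __name__ == "__main__":
    counts, problems = audit_home_servers(PERSON_DOCS, SERVERS_VIEW)
    for server, n in counts.most_common():
        print(f"{n:4d} users  {server}")
    for user, reason in problems.items():
        print(f"PROBLEM {user}: {reason}")
    print("imbalance between servers:", imbalance(counts))
```

In a real deployment the two inputs would be read from the Domino Directory (the Person documents and the $Servers view) instead of the constructed dictionaries; the checks themselves do not change.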

Extending Sametime to Internet users


This topic discusses extending IBM Lotus Sametime meetings to the Internet by configuring firewalls to enable connections. In some situations, you may want Internet users to attend the same Sametime meetings as users on your corporate intranet. Generally, firewall restrictions make it impossible for users from the Internet to directly access a Sametime server on your corporate intranet.


The recommended solution for extending Sametime meetings to Internet users involves a multiple Sametime server deployment in which a server inside your corporate firewall invites a server outside the firewall (in the network DMZ) to a meeting. This solution requires you to install a Sametime server on the corporate intranet and a Sametime server in the network DMZ, synchronize the two Sametime servers, and configure the firewalls to enable the servers and clients to establish the appropriate connections with the servers. The remaining topics in this section describe the recommended solution for extending Sametime meetings to Internet users and provide information on the firewall configurations required:
v Positioning a Sametime server in the network DMZ
v Opening ports on the internal firewall
v Opening ports on the external firewall

Positioning a Sametime server in the network DMZ


Allowing users on a corporate intranet and users from the Internet to attend the same IBM Lotus Sametime meetings requires a multiple server deployment with a DMZ established between an internal and an external firewall. To allow users on a corporate intranet and users from the Internet to attend the same Sametime meetings, one Sametime server is installed on the corporate intranet and another Sametime server is installed in the network DMZ, as shown in the illustration below.

Note: DMZ is a networking term that comes from the military term "demilitarized zone." DMZ refers to an area of a network, usually between two firewalls, where users from the Internet are permitted limited access over a defined set of network ports and to predefined servers or hosts. A DMZ is used as a boundary between the Internet and a company's internal network. The network DMZ is the only place on a corporate network where Internet users and internal users are allowed at the same time.

The two servers are installed and synchronized according to the procedures and recommendations described in Advantages of using multiple Sametime servers and Synchronizing the Sametime server with other Sametime servers. Following these procedures enables one Sametime server to "invite" another Sametime server to a meeting. For example, internal users on the Acme corporate network can attend a Sametime meeting by connecting to the internal Sametime server, while Internet users can attend the same meeting by connecting to the Sametime server in the network DMZ.

After you have installed and synchronized the two Sametime servers, you must make firewall configurations to both the internal firewall that protects the corporate intranet and the external firewall that separates the network DMZ from the Internet, to ensure that the servers and users can communicate through the firewalls. See the following topics for information on the firewall configurations required:
v Opening ports on the internal firewall
v Opening ports on the external firewall

Opening ports on the internal firewall


This topic discusses configuring an internal firewall to enable Internet users to access an IBM Lotus Sametime meeting hosted within a corporate firewall. After you have deployed a Sametime server on the corporate intranet and a Sametime server in the network DMZ, you must configure the internal firewall to enable the Sametime servers to communicate with each other and for users to communicate with the servers. The illustration below shows an internal firewall machine that separates the internal Acme corporate network from the Acme network DMZ. The firewall machine contains two Network Interface Cards (NICs). One NIC is connected to the internal network and the other NIC is connected to the network DMZ.

The table below provides port configurations for the internal firewall that will enable the clients and Sametime server inside the firewall to communicate with the Sametime server in the network DMZ.

Port 80
    Open TCP port 80 on the internal firewall for outbound connections from the Acme corporate network to the Acme network DMZ. Opening port 80 enables internal users to access the Meeting Center on the Sametime server in the network DMZ with a Web browser to schedule meetings on that server when necessary. A Sametime administrator can also access the Web-based Sametime Administration Tool on the Sametime server in the network DMZ using a Web browser.

Port 1516
    Open TCP port 1516 on the internal firewall for outbound/inbound connections between the Acme corporate network and the Acme network DMZ. Opening port 1516 enables the Community Services of the two Sametime servers to exchange presence and chat data and to perform directory updates.

Port 1503
    Open TCP port 1503 on the internal firewall for outbound/inbound connections between the Acme corporate network and the network DMZ. All Meeting Services and T.120 protocol data passes between the two Sametime servers on port 1503.
    Note: If you open port 1503 for outbound/inbound connections, the internal Sametime server can invite the DMZ Sametime server to a meeting and the DMZ Sametime server can invite the internal Sametime server to a meeting. If you do not want Internet users to invite the internal Sametime server to meetings, you can open port 1503 for outbound connections only from the Acme corporate network to the Acme network DMZ. Note also that a Connection document must exist between two servers to enable one server to invite another server to a meeting. If you do not create a Connection document that connects the DMZ Sametime server to the internal Sametime server, the DMZ server cannot invite the internal Sametime server to a meeting.

Port 8084 or UDP ports
    To allow internal users to participate in interactive audio/video meetings with users from the Internet, you must either open TCP port 8084 (the default TCP or Tunneling port for the Audio/Video Services) or a range of UDP ports through the internal firewall.
    Open TCP port 8084 if the security policies of your organization do not allow UDP traffic through the internal firewall. Opening port 8084 enables users on the Acme corporate network to receive audio/video streams through TCP tunneling from the Sametime server in the network DMZ. It is only necessary to open an outbound connection from the Acme corporate intranet to the Acme network DMZ. Internal users make the outbound connection to the DMZ server using TCP and receive the audio/video streams from the DMZ Sametime server through TCP/ACK packets.
    Alternately, you can open a range of UDP ports through the internal firewall to enable internal users to receive audio/video streams from the DMZ Sametime server. If you choose to open UDP ports through the internal firewall, you can define the range of UDP ports that must be open from the Configuration - Connectivity - Networks and Ports - Interactive Audio/Video Network - Multimedia Processor (MMP) start at/end at settings of the Sametime Administration Tool on the DMZ Sametime server. (The default port range is UDP ports 49152 - 65535.)
    If you want users on the Acme corporate network to participate in audio/video meetings with Internet users, the audio/video meetings should be started on the Sametime server in the network DMZ. If a meeting is started on the DMZ Sametime server and the internal Sametime server is invited by the DMZ Sametime server, internal users can attend the meeting on the internal Sametime server. The internal users receive the Community and Meeting Services data from connections to the internal Sametime server, but must receive the audio/video streams from the DMZ Sametime server through TCP tunneled connections or UDP. (In an audio/video meeting that includes invited servers, a user can connect to an invited server for Community Services and Meeting Services functionality, but must always connect to the Sametime server on which the meeting was started to receive the audio/video streams.) Internet users connect to the DMZ Sametime server and receive all meeting data, including audio/video streams, from the DMZ Sametime server.
    If an audio/video meeting is started on the internal Sametime server, and the internal Sametime server invites the DMZ Sametime server to the meeting, Internet users will be unable to receive audio/video streams from the internal server until you open inbound connections through the firewall on port 8084 or a range of UDP ports. Opening these ports for inbound access may violate the security policies of your organization. For this reason, you may want to stipulate that all audio/video meetings that include both intranet and Internet users must be started on the Sametime server in the network DMZ.

Port 1352
    If you have integrated the Sametime server in the network DMZ into the same community as the internal Sametime server, you must open TCP port 1352 for outbound/inbound access through the internal firewall. Port 1352 supports Notes Remote Procedure Calls (RPCs). Opening port 1352 enables the two Sametime servers to replicate Notes databases and also allows an administrator on the internal network to access the DMZ Sametime server with a Notes client, if necessary.

448

Lotus Sametime Entry: Installation and Administration Guide

Opening ports on the external firewall


This topic discusses configuring an external firewall to enable Internet users to access an IBM Lotus Sametime meeting hosted within a corporate firewall. The illustration below shows an external firewall machine containing two Network Interface Cards (NICs). One NIC is connected to the network DMZ; the other NIC connects to the Internet. You must configure the external firewall that protects the network DMZ to enable Internet clients to make the appropriate connections to the external Sametime server deployed in the network DMZ.

The table below provides information on port configurations for the external firewall that will enable the Internet clients to make the appropriate connections with the Sametime server in the Acme network DMZ.

Chapter 25. Deploying multiple Sametime servers

449

Port 80
    Open TCP port 80 on the external firewall for inbound TCP connections from the Internet to the DMZ Sametime server. The firewall must allow TCP/ACK packets to pass from the DMZ Sametime server to the Internet users. Opening port 80 enables a Sametime Internet user to authenticate with the Sametime HTTP server. Internet users can also access the Sametime Meeting Center database (stconf.nsf) and download Sametime clients from the Sametime server. Access to the Sametime Meeting Center database can be restricted through the ACL settings of the database. For more information, see Using database ACLs for identification and authentication.
    The DMZ Sametime server can also be configured so that connections to the Meeting Services, Community Services, and Recorded Meeting Broadcast Services also occur over port 80. With this configuration, it may not be necessary to open ports 1533, 8082, or 8081 as described below.

Port 1533 or Port 8082
    Open either TCP port 1533 or 8082 to enable the Internet users to access the Community Services on the DMZ Sametime server. Port 1533 is the recommended port for Community Services client connections. Opening port 1533 enables Sametime clients from the Internet to access the Sametime server using a direct TCP/IP connection, a direct HTTP connection, or through an HTTP proxy server.
    Note: The Sametime Connect client includes a Preferences - Sametime Connectivity - Community Port setting that specifies the port on which the Sametime Connect client attempts connections to the Community Services. The default Community Port setting is port 1533. The Community Port setting on the Sametime Connect client must specify the port that is open through the firewall to enable a Sametime Connect client from the Internet to connect to the Sametime server in the network DMZ. For more information on Community Services connectivity, see Community Services Network settings.
    Some Internet clients may operate behind restrictive firewalls that block outbound connections to the Internet on port 1533 or 8082. The recommended method for enabling these clients to establish connections with the DMZ Sametime server is to enable HTTP tunneling on port 80.

Port 8081
    Open port 8081 to enable the Internet users to access the Meeting Services on the DMZ Sametime server. Opening port 8081 enables Internet users to participate in Sametime meetings using the Sametime Meeting Room client. The whiteboard and screen sharing components of the Sametime Meeting Room client connect to the Sametime server on this port.
    Note: Some Internet clients may operate behind restrictive firewalls that block outbound connections to the Internet on port 8081. The recommended method for enabling these clients to establish connections with the DMZ Sametime server is to enable HTTP tunneling on port 80.

Port 8084 or UDP ports
    To allow Internet users to participate in interactive audio/video meetings on the DMZ Sametime server, you can either open TCP port 8084 or a range of UDP ports through the external firewall.
    Open TCP port 8084 if the security policies of your organization do not allow UDP traffic through the external firewall. Opening port 8084 enables users on the Internet to receive audio/video streams through TCP tunneling from the Sametime server in the network DMZ. The Internet users make a TCP connection to the Audio/Video Services on port 8084 and receive the audio/video streams from the server through TCP/ACK packets.
    Alternately, you can open a range of UDP ports through the external firewall to enable Internet users to receive the audio/video streams. If you open UDP ports through the external firewall, you can control the range of UDP ports that are used to transmit audio/video data from the Configuration - Connectivity - Networks and Ports - Interactive Audio/Video Network - Multimedia Processor (MMP) start at/end at settings of the Sametime Administration Tool on the DMZ Sametime server. (The default port range is UDP ports 49152 - 65535.) The range of ports that you specify in this administration setting is the range of UDP ports that must be open through the external firewall.
    Note: If the client also operates behind a firewall, the client-side firewall must also allow communications on either port 8084 or the range of UDP ports to receive the audio/video streams. Unlike the Community Services, Meeting Services, and Recorded Meeting Broadcast Services data, the Audio/Video Services data cannot be tunneled over port 80 using HTTP.

Extending a single Sametime community across multiple Domino domains


This section provides instructions and suggestions on how to link different IBM Lotus Domino domains into a single IBM Lotus Sametime community. Read this section if your organization includes multiple Domino domains and you want users in the multiple Domino domains to belong to the same Sametime community. When separate Domino domains are linked into a single Sametime community, users in each domain can share presence and chat capabilities and participate in Sametime meetings with users in the other domain. This section includes the following topics:


- Example of extending a single Sametime community across two Domino domains
- Alternate ways to share Directory information across domains

Example of extending a single Sametime community across two Domino domains


This topic provides an example of how to connect an IBM Lotus Sametime server in an IBM Lotus Domino domain with another Sametime server within a different Domino domain.

About this task


The procedure below provides an example of how one Sametime server in a Domino domain can be linked with a different Sametime server operating in a different Domino domain. Linking the two Sametime servers extends a single Sametime community to both Domino domains. When a single Sametime community is extended to both Domino domains:
- Users in one Domino domain can add users from the other Domino domain to presence lists in Sametime clients and engage in Sametime communications with users in the other domain.
- Users in the Sametime community can authenticate on either of the domains to participate in Sametime meetings and communications.
- The Sametime server in one Domino domain can invite the Sametime server in the other Domino domain to a meeting so that a single Sametime meeting can be attended by users in both Domino domains.

Follow the procedures below to link two Sametime servers that operate in different Domino domains:
1. Set up the environment.
2. Connect the communities (share Directory information).

Setting up the environment


This is the first of three procedures that illustrate how you can extend a single IBM Lotus Sametime community across multiple IBM Lotus Domino domains.

About this task


To set up the environment, you must ensure that the two Sametime servers are cross-certified. In this example, the two Sametime servers are Sametimeserver1/East and Sametimeserver2/West. To cross-certify these servers, the West organization certifier (/West) must obtain a cross-certificate for the East organization certifier (/East) and the East organization certifier must obtain a cross-certificate for the West organization certifier. These cross-certificates are stored in the Domino Directories on the respective Sametime servers. The example below describes the simplest way to cross-certify the two Sametime servers.
1. On Sametimeserver1/East, open the IBM Lotus Notes client. From the Microsoft Windows desktop click Start > Run and browse to C:\Sametime\nlnotes.exe before clicking OK.
Chapter 25. Deploying multiple Sametime servers

2. Click File > Database > Open and specify the Sametimeserver2/West server.
3. When prompted for a cross-certificate, select OK.
4. Repeat steps 1 through 3, but this time use the Notes client on Sametimeserver2/West to access Sametimeserver1/East, and accept the cross-certificate from the Sametimeserver2/West server.

Results
Note: For more information about cross-certification, see the Domino Administration Help database, available in the Help directory of any Domino server. Domino administration documentation is also available from the Documentation Library at www.lotus.com/ldd/doc.

Next step: Now that the servers are cross-certified, connect the communities.

Connecting the communities


This is the second of three procedures that illustrate how you can extend a single IBM Lotus Sametime community across two IBM Lotus Domino domains.

About this task


In this procedure, the administrator connects the Sametime communities by ensuring that Directory information is shared between the two Domino domains. This procedure includes the following steps:
1. Replicating the Directories
2. Setting up Directory Assistance

Results
In this example, the two Sametime servers that operate in different domains are Sametimeserver1/East and Sametimeserver2/West.

Note: This example describes replicating the entire Directories of both domains. There are more efficient ways to share Directory information between two Domino domains when connecting the communities. For more information on alternate methods for sharing the Directory information, see Alternate ways to share Directory information across domains.

Step 1 - Replicating the Directories:

About this task

This procedure provides an example of replicating Directories between two Sametime servers (Sametimeserver1/East and Sametimeserver2/West) operating in different Domino domains.
1. Using the IBM Lotus Notes client on Sametimeserver1/East, open the Directory (names.nsf) on Sametimeserver2/West.
2. Click File > Replication > New Replica.
3. Specify Local for the Server and change the filename (names.nsf) to something different, such as sametimeserver2west.nsf.
4. Select Create: Immediately to ensure that the database is created immediately, and then click OK.


5. Repeat steps 1 through 4, except this time create a replica of the Directory existing on Sametimeserver1/East on the Sametimeserver2/West server.

Results

After you have created replicas of the Directories on each Sametime server, you must create Connection Documents to ensure the Directories replicate at regular intervals. When creating the Connection Documents:
- For Connection Type, select Local Area Network.
- Complete the Destination Server, Source Domain, Destination Domain, and Optional Network Address fields.
- For Replication Type, select Pull Push.
- In the Files/Directories to Replicate field, enter names.nsf.
- In the Schedule field, select Enabled.

Note: Be sure to create a Connection Document on each server. One Connection Document should enable the names.nsf file on Sametimeserver1/East to replicate to the Sametimeserver1east.nsf file on the Sametimeserver2/West server. The other Connection Document should enable the names.nsf file on Sametimeserver2/West to replicate to the sametimeserver2west.nsf file on the Sametimeserver1/East server.

After creating the Connection Documents, set up Directory Assistance on each of the Sametime servers to ensure that each Sametime server can locate the Directories you have just replicated.

Step 2 - Setting up Directory Assistance:

About this task

The procedures required for setting up Directory Assistance on each of the Sametime servers are summarized below. For more information on Directory Assistance, see the Domino Server Administration Help, available in the Help directory on every Domino server, as well as at www.lotus.com/ldd/doc. To set up Directory Assistance you must:
- Ensure that a Directory Assistance database is available on the Sametime server.
- Identify the Directory Assistance database on the Sametime server.
- Create a Directory Assistance Document within the Directory Assistance database that points to the appropriate Directory.
Follow the procedures below to set up Directory Assistance:

Results

Ensure that a Directory Assistance database is available on each Sametime server:

About this task

To ensure that a Directory Assistance database is available on each Sametime server, you can either replicate an existing Directory Assistance database to the Sametime server or create a new Directory Assistance database on the Sametime server.


If a Directory Assistance database is already in use on Domino servers in the domain, you can replicate the existing Directory Assistance database to the Sametime server. To replicate an existing Directory Assistance database, follow the normal Domino procedure for replicating a database. First create a new replica of the Directory Assistance database on the Sametime server and then create a Connection Document to schedule replication of the database. See the Domino server Administration Help for more information on these procedures.

To create a new Directory Assistance database on each Sametime server:
1. Start the Lotus Notes client.
2. Click File > Database > New.
3. Create the Directory Assistance database as you would any other Domino database.
   - Create the database on the Sametimeserver1/East server
   - Provide a database name and filename for the Directory Assistance database
   - Use the Directory Assistance template (da50.ntf) when creating the database
4. Repeat steps 1 through 3 to create a Directory Assistance database on the Sametime server in the other domain (Sametimeserver2/West in this example).
5. Perform the procedure below to identify the Directory Assistance database on each Sametime server.

Identify the Directory Assistance database on each Sametime server:

About this task

After replicating or creating the Directory Assistance databases on the Sametime servers, you must identify the Directory Assistance databases on each server. To identify a Directory Assistance database on each Sametime server:
1. Start the Lotus Notes client.
2. Click Configuration > Server > All Server Documents.
3. Double-click the name of the Sametime server (Sametimeserver1/East) to open the Server document.
4. If necessary, select the Basics tab of the Server document.
5. Click Edit Server.
6. In the Directory Assistance database name field, enter the filename (for example, da.nsf) of the Directory Assistance database.
7. Click Save and Close.
8. Repeat this procedure to identify the Directory Assistance database on the Sametime server in the other domain (Sametimeserver2/West in this example).
9. Perform the procedure below to create a Directory Assistance Document in each Directory Assistance database.

Create a Directory Assistance Document in each Directory Assistance database:

About this task

You must create a Directory Assistance Document in each Directory Assistance database on each Sametime server so that each Sametime server can access the new Directory information that has been replicated to it. To create a Directory Assistance document in the Directory Assistance database on each Sametime server:
1. From the Notes client:
   - Click File > Database > Open.
   - Select the Sametimeserver1/East server.
   - Select the Directory Assistance database (default name is da.nsf).
   - Click Open.
2. Click Add Directory Assistance. In the Basics tab, enter these settings:
Setting / Value

Domain type
    Click Notes.
Domain name
    Enter the name of the Domino domain associated with the secondary Directory (or Directory that was replicated from the other domain to this Sametime server). The domain name must be different from the primary Notes domain and from all other domain names configured in Directory Assistance.
Company name
    Enter the name of your company.
Search order
    A number representing the order in which this directory is searched, relative to other directories in the Directory Assistance database.
Group expansion
    The suggested setting is Yes. This setting enables Directory Assistance to examine the contents of groups in the LDAP directory. This capability is necessary if you enter the name of a group defined in the LDAP directory in the ACL of a database on the Sametime server.
Nested group expansion
    The suggested setting is Yes. This setting enables Directory Assistance to examine the content of an LDAP directory group that is a member of another LDAP directory group. This capability is also used when an LDAP directory group name is entered in the ACL of a database on the Sametime server.
Enabled
    Set to Yes to enable Directory Assistance for the LDAP Directory.

3. Select the Rules tab and enter these settings.


Setting / Value

Rule #
    One or more rules that describe the names in the directory. By default, the first rule contains all asterisks, indicating all names in the Directory.
Enabled
    Choose one:
    - No to disable a specific rule.
    - Yes to enable a specific rule.
    By default, the first rule is enabled.
Trusted for Credentials
    Choose Yes to allow Domino to use this Directory to authenticate Web clients.


4. Select the Replicas tab and do the following:


Setting / Value

Database Links
    Open the replica of the secondary directory, and then click Edit > Copy As Link > Database Link. Select the Database links field, and then click Edit > Paste.
    For example, assume you are creating the Directory Assistance document in the Directory Assistance database on the Sametimeserver1/East server and you have replicated the directory file named sametimeserver2west.nsf to the Sametimeserver1/East server. In this example, you must open the sametimeserver2west.nsf file and copy the file as a Database Link. Paste this Database Link into the Database links field in the Directory Assistance Document you are creating in the Directory Assistance database on the Sametimeserver1/East server. Conversely, when creating a Directory Assistance Document on the Sametimeserver2/West server, you would open the directory file sametimeserver1east.nsf, copy the file as a Database Link, and paste the link into the Database links field.

5. You must repeat this procedure to create a Directory Assistance document in the Directory Assistance database on the Sametime server in the other domain (Sametimeserver2/West in this example).

Alternate ways to share Directory information across domains


This topic discusses the Directory information that is shared between IBM Lotus Sametime servers and describes some alternate, more efficient ways to share Directory information when connecting Sametime communities across multiple IBM Lotus Domino domains. The example procedure for extending a single Sametime community across two Domino domains earlier in this section explains how you can share Directory information to connect two Sametime communities.

When extending a single Sametime community across multiple Domino domains, each Sametime server that is part of the community must have access to the following Directory information for the other domain(s):
- Person documents
- Group documents
- Server documents - The following fields in the Server document are needed for each Sametime server to support online presence (or awareness) between servers:
  - Server name - This field in the Basics tab of the Server document must contain the name of the Sametime server.
  - Is this a Sametime server? - This field in the Basics tab of the Server document must be set to Yes to indicate that the Server document describes a Sametime server.
  - Port - This field in the Ports > Notes Network Ports tab of the Server document must be set to TCPIP.
  - Net Address - This field in the Ports > Notes Network Ports tab must contain the TCP/IP address (for example, sametime.acme.com) of the Sametime server.

To share this Directory information, each domain must replicate the information to the other domains that comprise the Sametime community. In the example scenario described in Example of extending a single Sametime community across two Domino domains, the entire Directories of two separate Domino domains are replicated between the two Sametime servers. The Domino components of Sametime provide features that you can use to replicate the Directory information in a more efficient manner. You can use either of the following alternate techniques to share Directory information across Domino domains.
- Selective replication of Directory information across domains
- Set up Extended Directory Catalogs to share Directory information across domains

Each technique is discussed briefly below.

Selective replication of Directory information across domains


Instead of replicating the entire Domino Directory between domains, you can use selective replication to replicate only the Person, Group, and Server documents. For example, you can open the Directory database to be replicated to the other domain and use the Replication Settings to replicate a subset of the documents contained in the database. Use a selection formula, such as (Type="Person")|(Type="Group")|(Type="Server" and Sametime="1") to ensure that only the Person, Group, and Server documents (for which the Is this a Sametime server? field is set to Yes) are replicated. For more information on selective replication, see the Domino Server Administration Help, available in the Help directory on every Domino server as well as in the Documentation Library at www.lotus.com/ldd.

Using Extended Directory Catalogs to share Directory information across domains


An Extended Directory Catalog is another Domino feature that can be used to share Directory information when a Sametime community is extended across multiple Domino domains. The Extended Directory Catalog feature allows you to aggregate directory information from several different Domino directories, including directories for different Domino domains, into a single directory catalog. The servers are then configured to access the Extended Server Directory catalog for directory information. Before using this feature, the administrator should read the documentation in Domino Server Administration Help that explains the function and set up of Extended Server Directory Catalogs. This documentation is available in the Help directory on every Domino server as well as in the Documentation Library at www.lotus.com/ldd.


You can follow the procedures in the Domino administration documentation to set up an Extended Server Directory Catalog on the Sametime server. When setting up the Extended Server Directory Catalog to be used by Sametime, note the following when creating the Configuration document for the Extended Server Directory Catalog.
- The Configuration document contains an Additional fields to include list in the Basics tab. The following field name entries must exist in the Additional fields to include list to ensure that all information needed by Sametime is available in the Extended Server Directory Catalog:

Field Name / Description

ServerName
    Server name field in the Basics section of the Server document.
ServerTitle
    Server title field in the Basics section of the Server document.
Domain
    Domain name field in the Basics section of the Server document.
ServerBuildNumber
    Server build number field in the Basics section of the Server document.
Administrator
    Administrator field in the Basics section of the Server document.
ServerPlatformDisplay
    Operating system field in the Basics section of the Server document.
Sametime
    Is this a Sametime server? field in the Basics section of the Server document.
Port_0 - Port_7
    Ports fields in the Ports > Notes Network Ports section of the Server document. The Port_0 field is required. For completeness it is recommended that you list seven Ports fields (for example Port_0, Port_1, Port_2, Port_3, Port_4, Port_5, Port_6, and Port_7).
Protocol_0 - Protocol_7
    Protocol fields in the Ports > Notes Network Ports section of the Server document. For completeness, it is recommended that you list seven Protocol fields (for example, Protocol_0, Protocol_1, Protocol_2 and so on).
NetName_0 - NetName_7
    Notes Network fields in the Ports > Notes Network Ports section of the Server document. For completeness, it is recommended that you list seven Notes Network fields (for example, NetName_0, NetName_1, NetName_2, and so on).
NetAddr_0 - NetAddr_7
    Net Address fields in the Ports > Notes Network Ports section of the Server document. The NetAddr_0 field is required. For completeness, it is recommended that you list seven Net Address fields.
Enabled_0 - Enabled_7
    Enabled fields in the Ports > Notes Network Ports section of the Server document. The Enabled_0 field is required. For completeness, it is recommended that you list seven Enabled fields.
SametimeServer
    Sametime server field in the Administration section of the Person document.

v The Advanced tab of the Configuration document provides a Selection formula (do not include form) setting that enables you to specify a selection formula to ensure that only the Directory documents required by Sametime are used when the "Dircat" task creates the Directory Catalog. The selection formula for selecting only the documents required by Sametime is:
(Type = "Person") | (Type = "Group") | (Type = "Server" and Sametime = "1")
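The following Python, added here and not part of this guide, applies the selection formula above (the same one the selective replication topic uses) to Domino Directory documents modelled as plain dicts, then checks that each selected Server document carries the fields listed earlier in this topic as required for presence between servers. The dict model, sample documents and helper names are constructed for the example and are not Domino APIs.

```python
"""Added example, not from the Sametime guide: apply the selection formula
shown above (used both for selective replication and for the Dircat task)
to Domino Directory documents modelled as plain dicts, then check that each
selected Server document carries the fields the page says cross-server
presence needs. The dict model and helper names are constructed here; they
are not Domino APIs."""

# Server-document items the page requires for presence between servers.
# The item names are those listed in the Extended Directory Catalog table.
PRESENCE_ITEMS = ("ServerName", "Sametime", "Port_0", "NetAddr_0", "Enabled_0")


def _values(doc, item):
    """Notes items may be multi-valued; always return a list of strings."""
    v = doc.get(item, "")
    return [str(x) for x in (v if isinstance(v, list) else [v])]


def selected_for_sametime(doc):
    """(Type = "Person") | (Type = "Group") | (Type = "Server" and Sametime = "1")"""
    form = _values(doc, "Type")
    if "Person" in form or "Group" in form:
        return True
    # A Server document is only wanted when "Is this a Sametime server?" is Yes
    return "Server" in form and "1" in _values(doc, "Sametime")


def replicate_selectively(docs):
    """Documents that the formula would replicate (or catalog)."""
    return [d for d in docs if selected_for_sametime(d)]


def presence_problems(server_doc):
    """Problems that would stop a replicated Server document supporting presence."""
    problems = [f"missing {item}" for item in PRESENCE_ITEMS
                if not _values(server_doc, item)[0]]
    if _values(server_doc, "Port_0")[0] not in ("", "TCPIP"):
        problems.append("Port_0 is not TCPIP")   # the page requires TCPIP
    return problems


def audit_replica(docs):
    """Apply the formula and report selected Server documents that are
    incomplete: returns (selected_docs, {ServerName: [problems]})."""
    selected = replicate_selectively(docs)
    broken = {}
    for d in selected:
        if "Server" in _values(d, "Type"):
            probs = presence_problems(d)
            if probs:
                broken[_values(d, "ServerName")[0]] = probs
    return selected, broken


# Constructed sample documents standing in for names.nsf contents.
SAMPLE_DOCS = [
    {"Type": "Person", "FullName": "CN=Ann Example/O=West"},
    {"Type": "Group", "ListName": "WestSales"},
    {"Type": "Server", "ServerName": "CN=Sametimeserver2/O=West", "Sametime": "1",
     "Port_0": "TCPIP", "NetAddr_0": "sametime2.example.com", "Enabled_0": "1"},
    {"Type": "Server", "ServerName": "CN=Mail1/O=West", "Sametime": "0",
     "Port_0": "TCPIP", "NetAddr_0": "mail1.example.com", "Enabled_0": "1"},
    {"Type": "Certifier", "CertifierName": "O=West"},   # never needed by Sametime
]

if __name__ == "__main__":
    selected, broken = audit_replica(SAMPLE_DOCS)
    print(f"{len(selected)} of {len(SAMPLE_DOCS)} documents selected")
    print("incomplete Server documents:", broken)
```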


Chapter 26. Setting up a Community Services cluster without clustering the Meeting Services
IBM Lotus Sametime Community Services clusters provide Community Services load balancing and failover functionality for large communities. This section provides an example of how to cluster the Community Services of a group of Lotus Sametime servers without also clustering the Meeting Services of the Sametime servers. The example in this chapter explains how to cluster the Community Services of two Sametime servers. Once you understand how to cluster the Community Services of two Sametime servers, you can easily add the Community Services of other Sametime servers to the cluster.

Important: If you also want to cluster the Meeting Services of the Sametime servers, or if you want to administer the servers in the Community Services cluster from the IBM Lotus Sametime Enterprise Meeting Server (EMS), do not use the procedures in this chapter to create a Community Services cluster. In those scenarios, you must use the procedures discussed in Community Services cluster setup procedures.

This section includes the following topics pertaining to creating a Community Services cluster without creating a Meeting Services cluster:
- Community Services cluster setup procedures
- Adding another server to a Community Services cluster
- Creating multiple Community Services clusters in a single Sametime community
- Rotating DNS
- Limitations with cached DNS resolve requests

For more information about the purpose of a Community Services cluster, see Overview of Community Services clustering.

Community Services cluster setup procedures


This topic discusses the procedures involved in setting up an IBM Lotus Sametime Community Services cluster without clustering the Meeting Services.

About this task


The procedures required to set up a Community Services cluster without clustering the Meeting Services are listed below. Use the information in these procedures in conjunction with your existing knowledge of your Sametime environment when clustering the Community Services of your Sametime servers. Your unique Sametime environment might require some variation from these procedures. These procedures provide an example of how to cluster the Community Services of two Sametime servers. Once you understand how to cluster the Community Services of two servers, you can easily add the Community Services of other Sametime servers to the cluster. The process of setting up a Community Services cluster without clustering the Meeting Services is described in ten steps:
Copyright IBM Corp. 2007, 2009

1. Community Services clustering preparations.
2. Deploying an LDAP Directory server.
3. Installing the Sametime servers.
4. Creating a Domino server cluster.
5. Setting up replication of Sametime databases.
6. Deploying separate Community Services multiplexers.
7. Setting up the load balancing mechanism (rotating DNS or Network Dispatcher).
8. Creating a cluster document in the Configuration database (stconfig.nsf).
9. Creating a cluster document on other Sametime servers in the community.
10. Configuring client connectivity.

Results
Note: The process of setting up a Community Services cluster requires you to create an IBM Lotus Domino server cluster (as described in step 4). A maximum of six Lotus Domino servers can operate as part of a Domino server cluster. Because of this limitation, the maximum number of Sametime servers that can operate as part of a Community Services cluster is six. Generally, the largest communities can be supported with fewer than six Sametime servers operating in a cluster. In addition, each Lotus Sametime server can belong to a single cluster. Environments in which two or more clusters point to the same Sametime Server are not supported.

Community Services clustering preparations


Ensuring you have the hardware necessary to complete this example is the first of ten tasks associated with setting up an IBM Lotus Sametime Community Services cluster without clustering the Meeting Services. This example of a Community Services cluster requires the test computers listed below.
- Two computers are required for Sametime server installations.
- (Optional) One computer to serve as an LDAP Directory server. You can maintain your Sametime community in either an LDAP or an IBM Lotus Domino Directory.
- (Optional) Two computers are required if you want to install Community Services multiplexers on separate machines.

This example also requires you to set up a rotating DNS system or IBM WebSphere Edge Server (Network Dispatcher) to accomplish load balancing for the Community Services cluster. The rotating DNS system is configured on a DNS server. If you decide to use a WebSphere Edge Server for load balancing instead of rotating DNS, an additional machine is also required for the IBM WebSphere Edge Server installation.

Next step: Review the information provided for deploying an LDAP Directory server.


Deploying an LDAP directory server


Deploying an LDAP Directory server is the second of ten tasks associated with setting up an IBM Lotus Sametime Community Services cluster without clustering the Meeting Services. Using an LDAP directory is optional. You can use the IBM Lotus Domino Directory that is on the Sametime servers that operate as part of the Community Services cluster as the directory that defines your community of users. The Domino Directory can be maintained in its native format; it is not mandatory to enable the LDAP task on the Domino servers on which Sametime is installed. If you do not want to use an LDAP directory, skip this topic and continue to the next procedure, "Installing the Sametime servers."

If you use an LDAP server, it can be hosted either on a Sametime server or on another server. Deploying an LDAP directory on a separate server has the following advantages:
- Using an LDAP directory on a separate server can conserve system resources for the real-time interactive services of Sametime by removing directory management tasks from the Sametime servers.
- You can set up the LDAP directory server to failover to another LDAP directory server. Providing failover for the directory server improves the reliability of the Community Services cluster.

After you install the Sametime servers that will be part of the Community Services cluster, you must configure all of the Sametime servers to connect to the LDAP server. This process is described in Installing the Sametime servers.

Using a Domino server as an LDAP server


In this example, you maintain the LDAP directory on a separate Domino server. This Domino server is not part of the Community Services cluster. The Domino server has the LDAP task enabled so that the Domino Directory on the server can function as an LDAP directory.

Note: If you choose to use an LDAP directory with your Community Services cluster, you are not limited to using a Domino directory with the LDAP task enabled. You can also use other LDAP directories, such as Microsoft Exchange 5.5, Microsoft Active Directory, Netscape LDAP directory, or IBM SecureWay directory as the directory that defines your Sametime community.

The information below summarizes how you can use a Domino server as an LDAP server. For more detailed information on this topic, see the Lotus Domino Administrator Help available from the documentation library at www.lotus.com/ldd. To use a Domino server as the LDAP directory server:
1. Install the Domino server and either replicate an existing Domino Directory to the server or populate the Domino Directory by registering users.
   Note: Sametime requires each user to have an Internet password on their Person document in the Domino Directory.
2. Create a full-text index for the Domino Directory on the Domino server.
3. Start the Domino server.
4. Start the LDAP task by entering load LDAP at the Domino server console.


Next step: Review the information provided for installing the Sametime servers.

Installing the Sametime servers for the Community Services cluster


Install IBM Lotus Sametime server software on each computer that will operate as part of the Community Services cluster.

About this task


Installing the Sametime servers is the third of 11 tasks associated with setting up a Community Services cluster without clustering the Meeting Services.
1. Install two Domino servers as described in the Lotus Domino Administrator Help.
2. Install a Sametime server on top of each Domino server, as described in "Sametime Server Installation."
3. Ensure that the Sametime servers will operate as part of the same Domino domain by registering them in the same Domino Directory and replicating it between the servers.
   Note: The Domino Directory must replicate between the Sametime/Domino servers even if you are maintaining the user community in an LDAP directory on a separate server that is not part of the Community Services cluster (replication of the Domino Directory is required for administrative purposes). The LDAP directory serves as the user repository for the members of the Sametime community; the Domino Directory is required for the proper functioning of the Domino servers on which Sametime is installed.
4. Set up TCP/IP connectivity between the new Sametime servers using the following ports:
   - Port 1516: The default port for Sametime server-to-server Community Services connections and for extending meeting invitations to other Sametime servers in a community to support Sametime "invited server" functionality.
   - Port 1503: The default port for Sametime server-to-server Meeting Services connections.
   - Port 1352: The default port for server-to-server connections between the Domino servers on which the Sametime servers are installed.
5. If you have deployed an LDAP directory on a separate server (Deploying an LDAP directory server), configure a TCP/IP connection to that LDAP directory server using port 389 (the default LDAP port for Sametime) for each Sametime server.
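Added here as an illustration (not code from this guide), the Python below checks from the machine it runs on that the server-to-server ports listed in steps 4 and 5 answer on each planned cluster member and on the LDAP server, and reports the ports that do not. The host names in it are constructed placeholders; only the port numbers come from the steps above.

```python
"""Added example, not from the Sametime guide: check from this machine that
the server-to-server TCP ports listed in steps 4 and 5 are reachable on each
Sametime server in the planned cluster (and on the LDAP server, if any).
Host names are constructed placeholders; the port numbers are the page's."""
import socket

# Port -> purpose, as listed on the page for a Community Services cluster.
CLUSTER_PORTS = {
    1516: "Community Services server-to-server (and invited-server meetings)",
    1503: "Meeting Services server-to-server",
    1352: "Domino server-to-server connections",
}
LDAP_PORT = 389  # default LDAP port used by Sametime (page)


def tcp_reachable(host, port, timeout=2.0):
    """True if a TCP connection to host:port completes within timeout."""
    try:
        with socket.create_connection((host, port), timeout=timeout):
            return True
    except OSError:          # refused, timed out, unresolvable, or filtered
        return False


def check_cluster_connectivity(sametime_hosts, ldap_host=None, timeout=2.0):
    """Return {host: [ports that could NOT be reached]} for every target.

    An empty list means every required port answered; the dict keeps the
    order the hosts were given so a report prints in that order."""
    unreachable = {}
    for host in sametime_hosts:
        unreachable[host] = [p for p in CLUSTER_PORTS
                             if not tcp_reachable(host, p, timeout)]
    if ldap_host is not None:
        unreachable[ldap_host] = ([] if tcp_reachable(ldap_host, LDAP_PORT, timeout)
                                  else [LDAP_PORT])
    return unreachable


def self_test():
    """Offline demonstration: a loopback listener is reachable while open and
    refused once closed. Returns (reachable_while_open, reachable_after_close)."""
    listener = socket.socket(socket.AF_INET, socket.SOCK_STREAM)
    listener.bind(("127.0.0.1", 0))      # ephemeral port chosen by the OS
    listener.listen(1)
    port = listener.getsockname()[1]
    while_open = tcp_reachable("127.0.0.1", port, timeout=1.0)
    listener.close()
    after_close = tcp_reachable("127.0.0.1", port, timeout=1.0)
    return while_open, after_close


if __name__ == "__main__":
    # Constructed host names; replace with the real cluster members.
    report = check_cluster_connectivity(
        ["sametime1.example.com", "sametime2.example.com"],
        ldap_host="ldap.example.com")
    for host, missing in report.items():
        status = "ok" if not missing else "missing " + ", ".join(map(str, missing))
        print(f"{host}: {status}")
    print("self test:", self_test())
```

Run it once from each cluster member, since a firewall between two members can block a port in one direction only.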

What to do next
Next step: Set up a connection to a Domino LDAP server on page 482

Creating a Domino server cluster


An IBM Lotus Sametime server cluster is hosted on an IBM Lotus Domino server cluster, as each Sametime server is hosted on a Domino server.


About this task


Creating a Domino server cluster is the fourth of ten tasks required to set up a Community Services cluster without clustering the Meeting Services.

Note: This topic provides basic information on creating a Domino server cluster. If you are unfamiliar with the functioning of Domino clusters, see the Lotus Domino Administrator Help, available from the Documentation Library at www.lotus.com/ldd.

To create a cluster, you must have at least "Author" access and "Delete Documents" rights specified in the Domino Directory's ACL, and at least "Author" access in the Administration Requests database ACL. To create a Domino server cluster:
1. On one of the Sametime servers, start the Domino administrator client. To start this client on a Microsoft Windows machine, click Start > Run and type nlnotes.exe adminonly.
2. When the administrator client starts, make sure the Sametime server is the current server.
3. Click the Configuration tab.
4. In the Tasks pane, expand Server and click All Server Documents.
5. In the Results pane, select the servers you want to add to the cluster. Select both Sametime servers that you installed in the previous step.
6. Click Add to Cluster.
7. In the Cluster Name dialog box, click Create New Cluster, and then click OK.
8. Type the name of the new cluster and then click OK.
9. Choose Yes to add the servers to the cluster immediately. The cluster information is immediately added to the Domino Directory of the server that you used to create the cluster.

Results
If the server you used to create the Domino cluster is part of the cluster, the server immediately starts the cluster processes and replicates its Domino Directory with another server in the cluster. This process informs other servers in the cluster that they are a part of the cluster. If you did not use a cluster member to create the cluster, this process starts when the Domino Directory of the server you used to create the cluster replicates with the Domino Directory of a server in the cluster.

Verifying that a cluster was created properly


About this task
You can do the following to verify the cluster was created correctly:

Action: From the Domino Administrator, expand Clusters in the Server pane.
What you should see: The name of the cluster followed by the names of the cluster servers.

Action: 1. From the Domino Administrator, click the Configuration tab, expand Cluster, and then click Clusters. 2. In the Results pane, open the Server documents of the servers you added to the cluster.
What you should see: 1. The name of the cluster followed by the names of the cluster servers displayed in the Results pane. 2. The name of the cluster in the Cluster name field on the Basics tab.

Action: From the Domino Administrator, click a cluster server in the Server pane, and then click the Server - Status tab.
What you should see: CLDBDIR (the Cluster Database Directory Manager) and CLREPL (the Cluster Replicator) in the Task list.

Action: From the Domino Administrator, click a cluster server in the Server pane, and then click the Files tab.
What you should see: The title "Cluster Directory (R4)" and the file name "cldbdir.nsf" to show that Domino created the Cluster Database Directory.

Action: Compare the replica IDs of the Cluster Database Directories on each cluster server.
What you should see: The same replica ID on each server.

Chapter 26. Setting up a Community Services cluster without clustering the Meeting Services

467

What to do next
Next step: Set up replication of the Sametime databases required to support the Community Services cluster

Setting up replication of Sametime databases


Setting up replication of IBM Lotus Sametime databases is the fifth of ten tasks associated with setting up a Community Services cluster without clustering the Meeting Services.

To set up real-time replication between the clustered Domino servers, you must create a new replica of each of the databases listed below on the clustered Domino servers. For example, on Sametime server 1, use an IBM Lotus Notes client to open the vpuserinfo.nsf database, click File > Replication > New Replica, and create a new replica of vpuserinfo.nsf on Sametime server 2.

Creating the new replica is the only procedure required to set up real-time replication of the databases in the Domino server cluster. Whenever a change occurs to one of the databases, the change is automatically pushed to the replicas on the other servers in the Domino cluster.

Note: By default, an IBM Lotus Domino server does not allow you to create new replicas on a server. To ensure you can create new replicas on the Sametime server, you must do the following:
1. Use a Notes client to open the Server document of the Domino server on which Sametime is installed.
2. Click the Security tab.
3. In the Server Access > Create replica databases field, enter the appropriate user or group name to enable those users to create new replicas on the Domino server.

To support a Community Services cluster, the following databases must replicate in real-time between the clustered Domino servers. You must create replicas of the following databases on each of the clustered Domino servers that will be part of the Community Services cluster:


- The Privacy database (vpuserinfo.nsf) - Stores privacy information and contact lists for IBM Lotus Sametime Connect users.
- The Domino Directory database (names.nsf) - Contains Domino and Sametime server configuration data. This database must be replicated to all Sametime servers in the Community Services cluster.
- The Sametime Name Change database (stnamechange.nsf) - Contains Sametime Name Change tasks.

Note: Real-time replication functionality is available only in a Domino server cluster. If you are unfamiliar with the functioning of Domino clusters, you should review the information in Lotus Domino Administrator Help, available from the Documentation Library at www-10.lotus.com/ldd, before creating the Domino server cluster.

Ensuring database synchronization and prompt replication


The administrator should be aware of these issues regarding replication of the Sametime databases:
- To ensure that these databases remain synchronized, you should set up a scheduled replication of the databases using Domino Connection documents. You might want to schedule these replications to occur during times of low server usage to minimize their impact on server performance for the users.
- The vpuserinfo.nsf database must replicate quickly. If a user makes changes to the privacy settings in the Sametime Connect client, these changes should be reflected on all servers in the Community Services cluster in the shortest time possible. If real-time replication is taking too long for these changes to be reflected on all servers in the cluster, modify the server parameter VP_OD_CACHE_AGE in the [Config] section of the Sametime.ini file on the server and set its value to the maximum interval in minutes between replication operations. This value specifies the maximum amount of time it should take for a change to the vpuserinfo.nsf database on one server to replicate to another server.

The diagram below shows the server cluster at this point:


Next step: Deploy separate Community Services multiplexers on separate machines.

(Optional) Deploying separate Community Services multiplexers


Deploying separate IBM Lotus Sametime Community Services multiplexers is the sixth of ten tasks associated with setting up a Community Services cluster without clustering the Meeting Services.

About this task


Deploying separate multiplexers in front of a Community Services cluster is an optional configuration that increases the Community Services load-handling capabilities. Each Sametime server contains a Community Services multiplexer ("mux") component that maintains connections from Sametime clients to the Community Services on the Sametime server. During a normal Sametime server installation, the Community Services multiplexer is installed with all other Sametime components on the Sametime server computer. The Sametime server CD provides an option to install only the Community Services multiplexer component. This option enables the administrator to install the Community Services multiplexer on a different machine than the Sametime server. When the Sametime Community Services multiplexer is installed on a different computer from the Sametime server:


- The Sametime Connect clients connect to the Community Services multiplexer computer, not the Sametime server. This configuration frees the Sametime server from the burden of managing the live client connections; the multiplexer machine is dedicated to this task.
- The Community Services multiplexer maintains a single IP connection to each Sametime server in the cluster. The data for all Community Services clients is transmitted over this single IP connection to the Community Services on the Sametime server.

Installing a Community Services multiplexer on a separate computer to remove the connection-handling load from the Sametime server computer enables the Sametime server to handle a larger number of users and improves the stability of the Sametime server.

For more information about deploying separate Community Services multiplexers, see:
- Deploying separate multiplexers in front of Sametime servers in a Community Services cluster
- Installing and configuring a Community Services multiplexer

If you do not want to deploy separate Community Services multiplexers, continue to the procedure Set up the load balancing mechanism (rotating DNS or Network Dispatcher).

Deploying separate multiplexers in front of a Community Services cluster


This topic discusses issues involved with deploying multiplexers in front of an IBM Lotus Sametime Community Services cluster. The illustration below shows separate Community Services multiplexers deployed in front of clustered Sametime servers to reduce the client connection load on the clustered servers.

In the illustration, note the following:
- The Community Services multiplexers are installed on separate computers and handle the connections from the Community Services clients.


  Note: In a subsequent step, you can set up a rotating DNS mechanism or IBM WebSphere Edge Server (Network Dispatcher) to distribute the client connections to the Community Services multiplexer machines.
- Each Community Services multiplexer maintains a single IP connection to Sametime server 1, and a single IP connection to Sametime server 2. The Community Services data is passed from the multiplexer computers to the Sametime servers over these IP connections. Each Sametime server maintains only two IP connections to handle all Community Services data.
- The scenario shown above can significantly increase the Community Services load-handling capabilities of the Sametime servers. The table below illustrates the advantages of deploying separate multiplexers.

Multiplexer deployment: Two Sametime servers with the multiplexer installed on the same machines as the servers.
Number of Community Services connections: Each Sametime server can handle approximately 10,000 Community Services connections, for a total of 20,000 connections.

Multiplexer deployment: Two Sametime servers with the multiplexers installed on different machines (as seen in the illustration above).
Number of Community Services connections:
- Each Sametime server can service approximately 100,000 active Community Services connections. Note: This estimate of 100,000 connections assumes that the Meeting Services are not in use. When the Sametime server is simultaneously supporting interactive meetings, it will support fewer Community Services users.
- Each Community Services multiplexer machine can handle as many as 20,000 to 30,000 live IP port connections, for a possible total of 60,000 connections.
- The machines in the illustration above might be able to handle 160,000 active connections. You can increase the load handling capability further by adding additional Community Services multiplexers in front of the two Sametime servers. For example, adding two more Community Services multiplexers to the cluster shown above might accommodate as many as 120,000 active connections (4 x 30,000 connections per Community Services multiplexer).

Note: The server capacity numbers used above are approximations meant to provide a rough estimate of the possible load-handling improvement if you deploy Community Services multiplexers on separate machines. The actual server capacity is affected by variables such as:
- The average number of users in the contact lists of all Sametime clients
- The number of HTTP-tunneled connections
- The number of instant messages that users send

Installing and configuring a Community Services multiplexer


This topic provides instructions for installing and configuring an IBM Lotus Sametime Community Services multiplexer on a different computer from that hosting the Sametime server.


About this task


Review the sections below before you begin your installation.

Preinstallation considerations

Consider the following before installing a Community Services multiplexer on a separate machine:
- The minimum system requirements for the Community Services multiplexer machine are the same as the system requirements for the core Sametime server. For more information, see "Sametime Server Installation." A machine that meets the minimum system requirements can support approximately 20,000 simultaneous client connections. Testing indicates that machines with dual 1133 MHz CPUs and 2 GB of RAM can handle approximately 30,000 simultaneous client connections.
- TCP/IP connectivity must be available between the Community Services multiplexer machine and the Sametime servers in the cluster. Port 1516 is the default port for the connection from the Community Services multiplexer machine to the Sametime servers.

Installing the Community Services multiplexer

To install the Community Services multiplexer:
1. Insert the Sametime CD into the Community Services multiplexer computer and choose the option to install the Community Services multiplexer (or MUX).
2. Follow the instructions on the installation screens. Ensure that you enter the DNS name or IP address of one of the Sametime servers in the Community Services cluster. The DNS name or IP address of the Sametime server is the only significant parameter you must enter during the Community Services multiplexer installation.
3. Configure the settings in the Configuration database (stconfig.nsf) on the Sametime server machine and the Sametime.ini file on the Community Services multiplexer machine as described below.
Configuring security settings in the Configuration database (stconfig.nsf) on the Sametime server

After you have installed the Community Services multiplexers on separate machines, you must configure the Sametime servers in the Community Services cluster to accept connections from the Community Services multiplexers. A Sametime server only accepts connections from Community Services multiplexers that are listed in the stconfig.nsf database on the Sametime server. Specifically, the Community Services multiplexer machines must be listed in the "CommunityTrustedIps" field of a "CommunityConnectivity" document in the stconfig.nsf database. This security setting prevents Community Services multiplexers on unauthorized machines from connecting to the Sametime server.

To enable the Sametime servers in the Community Services cluster to accept connections from the Community Services multiplexers:


1. Use an IBM Lotus Notes client to open the Sametime Configuration database (stconfig.nsf) on one Sametime server in the server cluster.
2. Open the CommunityConnectivity document in the stconfig.nsf database by double-clicking on the date associated with the document. If the CommunityConnectivity document does not exist in the stconfig.nsf database, you must create it by clicking Create > CommunityConnectivity in the stconfig.nsf database.
3. In the CommunityTrustedIps field, enter the IP addresses of the Community Services multiplexer machines. The IP addresses of SIP Connector machines associated with a Sametime community are also entered in this field.
4. Save and close the CommunityConnectivity document.
5. Repeat this procedure on the other Sametime server in the Community Services server cluster. All servers in the Community Services cluster must contain the IP addresses of the Community Services multiplexer machines in a CommunityConnectivity document.

This CommunityConnectivity document must be available in each Configuration database on each Sametime server in the cluster. You can either create the CommunityConnectivity document manually as described above, or copy the CommunityConnectivity document from the Configuration database on one Sametime server and paste it into the Configuration database on another Sametime server.

Attention: Do not replicate the Configuration database between the Sametime servers in the Community Services cluster.

Configuration settings available in the Sametime.ini file on the multiplexer machine

The Sametime.ini file on the Community Services multiplexer machine contains all configuration parameters for the Community Services multiplexer, including:
- The host name, called VPS_HOST, of the Sametime server to which the Community Services multiplexer connects (specified during the Community Services multiplexer installation and in the stconfig.nsf database as discussed above).
- The port, called VPS_PORT, the Community Services multiplexer uses to establish the connection with the Sametime server (default port 1516).
- The maximum number of simultaneous connections allowed for the multiplexer. To specify a maximum number of simultaneous connections, use the VPMX_CAPACITY= parameter of the Sametime.ini file. The default value is 20,000 connections (for example, VPMX_CAPACITY=20000). Note: Multiplexer machines that meet the minimum system requirements can successfully handle 20,000 connections. This value may vary depending on the processing capabilities of the multiplexer machine. Machines with dual 1133 MHz CPUs and 2 GB of RAM can successfully handle as many as 30,000 connections.

If it is necessary to modify the settings above because of load, open the Sametime.ini file on the Community Services multiplexer machine with a text editor, change settings as needed, and save the Sametime.ini file.
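The CommunityTrustedIps allowlist and the multiplexer's Sametime.ini settings are maintained by hand on every machine, so they drift. The script below is an added example (not IBM's code) that models both sides as described above and reports a multiplexer that a server would refuse, a VPS_HOST that is not a cluster server, a non-default VPS_PORT, or a VPMX_CAPACITY above what the guide rates a machine for. All host names, addresses and file contents are constructed sample data, and placing the multiplexer keys in the [Config] section is an assumption.

```python
"""Audit trust settings between separate multiplexers and a Sametime cluster.

Added example, not IBM's code. It models the CommunityTrustedIps field of
the CommunityConnectivity document on each clustered server and the
Sametime.ini settings on each multiplexer machine, then lists the
inconsistencies that would otherwise surface only as refused multiplexer
connections or an overloaded multiplexer. All data below is constructed;
the [Config] section for the multiplexer keys is an assumption.
"""
import configparser
import ipaddress

DEFAULT_VPS_PORT = 1516      # default multiplexer-to-server port
MIN_SPEC_CAPACITY = 20000    # what a minimum-spec multiplexer machine handles
HIGH_SPEC_CAPACITY = 30000   # dual 1133 MHz CPU / 2 GB RAM machine

# Constructed: CommunityTrustedIps as typed into each server's
# CommunityConnectivity document. The document is copied, not replicated,
# so the two servers can disagree; here server 2 was never updated.
TRUSTED_IPS = {
    "cn=sametimeserver1/ou=west/o=acme": "11.22.33.44; 11.22.33.55",
    "cn=sametimeserver2/ou=west/o=acme": "11.22.33.44",
}

# Constructed: DNS names of the clustered servers a multiplexer may target.
CLUSTER_HOSTS = {"sametimeserver1.acme.example", "sametimeserver2.acme.example"}

# Constructed: the relevant part of Sametime.ini on each multiplexer machine,
# keyed by the multiplexer's IP address. Multiplexer 2 has been given a
# capacity that no machine described in the guide is rated for.
MUX_INI = {
    "11.22.33.44": "[Config]\nVPS_HOST=sametimeserver1.acme.example\n"
                   "VPS_PORT=1516\nVPMX_CAPACITY=20000\n",
    "11.22.33.55": "[Config]\nVPS_HOST=sametimeserver2.acme.example\n"
                   "VPS_PORT=1516\nVPMX_CAPACITY=45000\n",
}


def parse_trusted_ips(field):
    """Return the set of addresses in a CommunityTrustedIps field.

    The field is free text in a Notes document; this accepts entries
    separated by semicolons, commas or whitespace and rejects anything that
    is not an IP address, so a typo cannot silently widen the allowlist.
    """
    addresses = set()
    for token in field.replace(";", " ").replace(",", " ").split():
        addresses.add(str(ipaddress.ip_address(token)))   # ValueError on typo
    return addresses


def parse_mux_ini(text):
    """Extract VPS_HOST, VPS_PORT and VPMX_CAPACITY from a Sametime.ini text."""
    parser = configparser.ConfigParser()
    parser.optionxform = str          # keep the upper-case key names
    parser.read_string(text)
    section = parser["Config"]
    return {
        "host": section["VPS_HOST"],
        "port": section.getint("VPS_PORT", fallback=DEFAULT_VPS_PORT),
        "capacity": section.getint("VPMX_CAPACITY", fallback=MIN_SPEC_CAPACITY),
    }


def audit(trusted_ips, cluster_hosts, mux_ini):
    """Return a list of findings; an empty list means the setup is consistent."""
    findings = []
    allowlists = {server: parse_trusted_ips(field)
                  for server, field in trusted_ips.items()}
    for mux_ip, text in mux_ini.items():
        settings = parse_mux_ini(text)
        if settings["host"] not in cluster_hosts:
            findings.append(f"{mux_ip}: VPS_HOST {settings['host']} "
                            "is not a server in the cluster")
        if settings["port"] != DEFAULT_VPS_PORT:
            findings.append(f"{mux_ip}: VPS_PORT {settings['port']} is not "
                            f"the default {DEFAULT_VPS_PORT}; confirm the "
                            "servers accept multiplexer connections there")
        if settings["capacity"] > HIGH_SPEC_CAPACITY:
            findings.append(f"{mux_ip}: VPMX_CAPACITY {settings['capacity']} "
                            f"exceeds the {HIGH_SPEC_CAPACITY} connections a "
                            "high-specification machine is rated for")
        # Every clustered server must allowlist every multiplexer, because a
        # multiplexer keeps one connection to each server in the cluster.
        for server, allowed in allowlists.items():
            if mux_ip not in allowed:
                findings.append(f"{server} does not list {mux_ip} in "
                                "CommunityTrustedIps and will refuse it")
    return findings


if __name__ == "__main__":
    for finding in audit(TRUSTED_IPS, CLUSTER_HOSTS, MUX_INI):
        print(finding)
```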


Results

Next step: Set up the load balancing mechanism (rotating DNS or Network Dispatcher).

Configuring client connectivity for the Community Services cluster


Configuring client connectivity for the Community Services cluster is the last of ten tasks associated with setting up a Community Services cluster without clustering the Meeting Services. After you have created and named the cluster, you must make the configuration changes required to ensure that the Community Services clients can connect to the Community Services cluster. The configuration fields that affect client connectivity are:
- The "Sametime server" field of the user's Person document in the Domino Directory, or a Sametime cluster field you have added to an LDAP directory. Note: Sametime uses this field to ensure that a user connects to one of the Sametime servers in the Community Services cluster. This field serves the same purpose as the "home Sametime server" field in the single-server approach to Community Services deployment that was used in previous Sametime releases. For more information, see Community Services connectivity and the home Sametime server and Differences between the clustering and single server approaches.
- The "Host" field in the Sametime Connect client.

Adding the cluster name to a field in each user's Person entry in the LDAP directory
When the Sametime servers are configured to connect to an LDAP directory on an LDAP server (as in this example), the administrator can do one of the following:
- Manually add a field to the LDAP directory to contain the name of the Community Services cluster. The added field must exist in the Person record of every Sametime user in the LDAP directory. For more information, see Setting up an LDAP directory.
- Use an existing field in the LDAP directory to hold the name of the Community Services cluster. This field must exist in the Person record of every Sametime user in the LDAP directory. In this case, you must specify the cluster name in this field in the LDAP directory.

Note: This example uses the "Sametime server" field of each user's Person document in the Domino Directory as the field that holds the Sametime cluster name.

The field you select to hold the name of the Community Services cluster must be specified in the LDAP Directory - Authentication - Name of the Home Server attribute setting in the Sametime Administration Tool. In this example, the "Sametime server" field was specified when you configured the connection to the LDAP server when installing the Sametime servers. To complete the example, you can enter the cluster name in the "Sametime server" field of each user's Person document in the Domino Directory on the Domino LDAP server. Note that you defined the cluster name when creating a cluster document in the Configuration database.


If you used a server name as the cluster name, you can enter the server name in the Domino hierarchical name format (sametimeserver1/west/acme) when entering the name in the Sametime server field of the Person document.

Configuring the "Host" field for Sametime Connect clients


The Sametime Connect client attempts to connect to the network address specified in the Options > Preferences > Sametime Connectivity > Host field of the Sametime Connect client. The users in the Sametime community must enter the DNS name or IP address of the load-balancing mechanism for the Community Services cluster in the "Host" field of their Sametime Connect clients:
- If you have set up a rotating DNS system for load balancing, users must specify the DNS name (for example, sametime.cscluster.com) of the rotating DNS system in this field.
- If you have set up a WebSphere Edge Server to perform load balancing, users must enter the IP address or DNS name of the WebSphere Edge Server machine in this field.

Running the client packager application


You can run the Sametime client packager application on a Sametime server to ensure that each Sametime Connect client downloaded from a Sametime server is pre-configured with the appropriate connectivity settings for your environment, including the Host name setting required to connect to the rotating DNS system or WebSphere Edge Server. For more information, see "Sametime Server Installation."

Connectivity issues associated with a rotating DNS setup


If DNS resolve requests are cached, users might experience some problems when reconnecting following a server failure. For more information on connectivity issues associated with using a rotating DNS setup to accomplish load balancing, see Rotating DNS Limitations with cached DNS resolve requests.

Next step:
At this point, your Community Services cluster is complete.

Set up the load-balancing mechanism (rotating DNS or Network Dispatcher)


Setting up the load-balancing mechanism is the seventh of ten tasks associated with setting up an IBM Lotus Sametime Community Services cluster without clustering the Meeting Services. The way in which you set up the load-balancing mechanism varies slightly depending on whether you have deployed Community Services multiplexers on separate machines.

Without separate Community Services multiplexers


If you have not deployed Community Services multiplexers on separate machines, do one of the following to set up the load balancing mechanism:
- Set up a rotating DNS system to accomplish load balancing. Use rotating DNS to associate the IP addresses of the Sametime server machines to a single DNS name.


  For example, associate the IP address of Sametime server 1 (11.22.33.66) and Sametime server 2 (11.22.33.77) to the DNS name cscluster.sametime.com.
- Set up an IBM WebSphere Edge Server (Network Dispatcher) in front of the Sametime servers that you intend to cluster. Use the WebSphere Edge Server Network Dispatcher to distribute connections to the Sametime server machines. For more information, see the WebSphere Edge Server documentation, available at the Web site www.redbooks.ibm.com (and also provided with the WebSphere Edge Server).

The diagram below shows the Sametime servers with the rotating DNS system in place. Note that the WebSphere Edge Server can be used in place of the rotating DNS system.

With separate Community Services multiplexers


If you have deployed Community Services multiplexers on separate machines, do one of the following to set up the load balancing mechanism:
- Set up a rotating DNS system to accomplish load balancing. Use rotating DNS to associate the IP addresses of the Community Services multiplexer machines to a single DNS name. For example, associate the IP address of Community Services multiplexer machine 1 (11.22.33.44) and Community Services multiplexer machine 2 (11.22.33.55) to the DNS name cscluster.sametime.com.
- Set up a WebSphere Edge Server (Network Dispatcher) in front of the Sametime servers that you intend to cluster. Use the WebSphere Edge Server Network Dispatcher to distribute connections to the Community Services multiplexer machines. For more information, see the WebSphere Edge Server documentation, available at the Web site www.redbooks.ibm.com (and also provided with the WebSphere Edge Server).

The diagram below shows the Community Services multiplexers with the rotating DNS system in place. Note that the WebSphere Edge Server can be used in place of the rotating DNS system.


Next step: Create a cluster document in the Configuration database (stconfig.nsf) to define the Community Services cluster.

Creating a cluster document in the Configuration database (stconfig.nsf)


The cluster document enables the servers in a cluster to operate as part of the cluster, and enables servers outside of the cluster (but still within the community) to communicate with the cluster.

About this task


Creating a cluster document in the IBM Lotus Sametime Configuration database (stconfig.nsf) is the eighth of ten tasks associated with setting up a Community Services cluster without clustering the Meeting Services. The Sametime administrator must manually create a cluster document in the Sametime Configuration database (stconfig.nsf) on a Sametime server in the Community Services cluster. The cluster document defines the Community Services cluster. The cluster document stores the following information:
- The Community Services cluster name.
- The DNS name assigned to the rotating DNS system or IBM WebSphere Edge Server that performs the load-balancing operations.
- A list of all servers in the Community Services cluster.


To create the cluster document in the Sametime Configuration database:
1. Using an IBM Lotus Notes client, open the Sametime Configuration database (stconfig.nsf) that replicates between the Sametime servers in the cluster.
2. Click Create > Cluster Information.
3. In the Cluster Name field, type the cluster's name. The cluster is named at your discretion. You can name the cluster after one of the servers in the cluster, but it is not mandatory. If you do name the cluster after one of the servers in the cluster, keep the following points in mind:
   - You might save time when you add the cluster name to the Sametime server field of each user's Person document to configure client connectivity because users will already have that server name listed in their Person documents (or LDAP directory person entries).
   - Use the Domino full canonical name of the server when entering the name in the Cluster Name field (for example, cn=servername/ou=organizational unit/o=organization).
4. In the DNS Name field, enter the fully qualified DNS name for the cluster. This name must be the DNS name of the rotating DNS system or the WebSphere Edge Server Network Dispatcher that performs the load balancing operations for the clustered Community Services.
5. In the List of Servers in Cluster field, type the names of all the servers that are part of the cluster. The names must be entered in the IBM Lotus Domino full canonical name format (do not use the fully qualified DNS names in this field). Separate the server names with a semicolon and a space, as in: cn=sametimeserver1/ou=west/o=acme; cn=sametimeserver2/ou=west/o=acme
6. Save and close the cluster document. Leave the Configuration database open. In the next procedure, you will copy the new Cluster Information document to all other Sametime servers within the Sametime community.

What to do next
Next step: Copy the cluster document to all other Sametime servers in the community

Copying a cluster document to other Sametime servers in the community


Every server within an IBM Lotus Sametime community requires a copy of the community's cluster document.

About this task


Creating a cluster document on other Sametime servers in the community is the ninth of ten tasks associated with setting up a Community Services cluster without clustering the Meeting Services. You must copy the Cluster Information document to all Sametime servers that are part of the community, regardless of whether they are a part of the cluster itself. Every server in the Sametime Community must contain the Cluster Information document in its Configuration database. This procedure enables users who have a home Sametime server that is not part of the Community Services cluster to share presence and instant messaging capabilities with users who are assigned to the Community Services cluster (have the cluster name listed as the home cluster in the user's Domino or LDAP directory entry).

Important: Do not replicate the Configuration database. The Configuration database contains some fields that cannot be replicated to all Sametime servers in a community.

To copy the Cluster Information document to all other Sametime servers in the community:
1. If necessary, open the Sametime Configuration database (stconfig.nsf) in which you created the Cluster Information document that defines the cluster.
2. Copy the Cluster Information document:
   a. Locate "Cluster Information" in the Form Name column of the Configuration database.
   b. In the Cluster Information's Last Modified Date column, right-click on the date that represents the Cluster Information document you want to copy.
   c. Select Copy.
   d. Click File > Close to close the Configuration database.
3. Paste the Cluster Information document into the Configuration database on each Sametime server in the community:
   a. From the Lotus Notes client, click File > Database > Open.
   b. In the Server field, type the name of another Sametime server in the community.
   c. Click Open.
   d. In the Database list, select the Configuration database (stconfig.nsf).
   e. Click Open.
   f. Click Edit > Paste to paste the Cluster Information document into the Configuration database on this Sametime server. The document name and date will appear in the Last Modified Date column of the Form Name section in the Configuration database.
   g. Save and close the Configuration database.
4. Repeat step 3 for every Sametime server in the Sametime community.
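Because the Cluster Information document is pasted by hand into every server's Configuration database rather than replicated, the copies can silently diverge after the cluster changes. The script below is an added example (not IBM's code) that serves both the creation step above (it parses the "List of Servers in Cluster" field and rejects entries that are not Domino full canonical names) and the copying step (it compares every server's copy against the document as created and reports missing or stale copies). The documents are constructed sample data; the field names are the ones used in the procedure.

```python
"""Detect drift between copies of the Cluster Information document.

Added example, not IBM's code. The Configuration database (stconfig.nsf)
is copied, not replicated, so the pasted Cluster Information documents on
the community's servers can differ from the original. This parses the
three fields of each copy and reports copies that are missing, unparsable
or different. All documents below are constructed sample data.
"""
import re

# Domino full canonical name: cn=.../[ou=.../]o=... (an OU may contain spaces).
CANONICAL_NAME = re.compile(r"^cn=[^/]+(/ou=[^/]+)*/o=[^/]+$", re.IGNORECASE)


def parse_server_list(field):
    """Split a 'List of Servers in Cluster' field on its '; ' separator.

    Returns the canonical names in order and raises ValueError for an entry
    that is not a Domino full canonical name, which is how a DNS name typed
    into this field by mistake shows up.
    """
    names = []
    for entry in field.split(";"):
        entry = entry.strip()
        if not entry:
            continue
        if not CANONICAL_NAME.match(entry):
            raise ValueError(f"not a Domino canonical name: {entry!r}")
        names.append(entry)
    return names


def normalize(document):
    """Return the comparable content of one Cluster Information document."""
    return {
        "cluster_name": document["Cluster Name"].strip(),
        "dns_name": document["DNS Name"].strip().lower(),   # DNS is case-insensitive
        "servers": parse_server_list(document["List of Servers in Cluster"]),
    }


def find_drift(reference, copies):
    """Compare each server's copy with the reference document.

    Returns {server: [problem, ...]} for servers whose copy is missing
    (None), unparsable, or differs in a field; an empty dict means every
    copy matches the reference.
    """
    expected = normalize(reference)
    drift = {}
    for server, document in copies.items():
        if document is None:
            drift[server] = ["missing document"]
            continue
        try:
            actual = normalize(document)
        except (KeyError, ValueError) as err:
            drift[server] = [f"unparsable document: {err}"]
            continue
        differing = [field for field in expected if expected[field] != actual[field]]
        if differing:
            drift[server] = differing
    return drift


# Constructed: the document as created on the first clustered server ...
REFERENCE = {
    "Cluster Name": "cn=sametimeserver1/ou=west/o=acme",
    "DNS Name": "cscluster.sametime.com",
    "List of Servers in Cluster": "cn=sametimeserver1/ou=west/o=acme; "
                                  "cn=sametimeserver2/ou=west/o=acme",
}
# ... and the copies found on the other servers in the community.
COPIES = {
    "cn=sametimeserver2/ou=west/o=acme": dict(REFERENCE),      # exact copy
    "cn=sametimeserver3/ou=east/o=acme": {                      # stale copy
        "Cluster Name": "cn=sametimeserver1/ou=west/o=acme",
        "DNS Name": "cscluster.sametime.com",
        "List of Servers in Cluster": "cn=sametimeserver1/ou=west/o=acme",
    },
    "cn=sametimeserver4/ou=east/o=acme": None,                  # never pasted
}

if __name__ == "__main__":
    for server, problems in find_drift(REFERENCE, COPIES).items():
        print(f"{server}: {', '.join(problems)}")
```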

What to do next
Next step: Ensure that clients can access the Community Services cluster by Configuring client connectivity for the Community Services cluster

Configuring client connectivity for the Community Services cluster


Configuring client connectivity ensures that Sametime clients have appropriate access to servers in the Community Services cluster.

Before you begin


Configuring client connectivity for the Community Services cluster is the last of ten tasks associated with setting up a Community Services cluster without clustering the Meeting Services.

480

Lotus Sametime Entry: Installation and Administration Guide

About this task


After you have created and named the cluster, you must make the configuration changes required to ensure that the Community Services clients can connect to the Community Services cluster. The following configuration fields affect client connectivity:

- The Sametime server field of the user's Person document in the IBM Lotus Domino Directory, or an IBM Lotus Sametime cluster field you have added to an LDAP directory. Sametime uses this field to ensure that a user connects to one of the Sametime servers in the Community Services cluster. This field serves the same purpose as the home Sametime server field in the single-server approach to Community Services deployment that was used in previous Sametime releases. For more information, see Community Services connectivity and the home Sametime server and Differences between the clustering and single server approaches.
- The Host field in the IBM Lotus Sametime Connect client.

Follow the procedure below to configure connectivity for Community Services clients:

1. Add the cluster name to a field in each user's Person entry in the LDAP directory. When the Sametime servers are configured to connect to an LDAP directory on an LDAP server (as in this example), the administrator can do one of the following:
   - Manually add a field to the LDAP directory to contain the name of the Community Services cluster. The added field must exist in the Person record of every Sametime user in the LDAP directory. For more information, see Setting up an LDAP directory.
   - Complete the following two steps:
     a. Use an existing field in the LDAP directory to hold the name of the Community Services cluster. This field must exist in the Person record of every Sametime user in the LDAP directory. In this case, you must specify the cluster name in this field within the LDAP directory.
        Note: This example uses the "Sametime server" field of each user's Person document in the Domino Directory as the field that holds the Sametime cluster name.
        The field you select to hold the name of the Community Services cluster must be specified in the LDAP Directory - Authentication - Name of the Home Server attribute setting in the Sametime Administration Tool. In this example, the "Sametime server" field was specified when you configured the connection to the LDAP server when installing the Sametime servers.
     b. Enter the cluster name in the Sametime server field of each user's Person document in the Domino Directory on the Domino LDAP server. Note that you defined the cluster name when creating a cluster document in the Configuration database. If you used a server name as the cluster name, enter that server's name using Domino hierarchical name format (for example, sametimeserver1/west/acme).
2. Configure the Host field for Sametime Connect clients. The Sametime Connect client attempts to connect to the network address specified in the Options - Preferences - Sametime Connectivity - Host field of the Sametime Connect client. The users in the Sametime community must enter the DNS name or IP address of the load-balancing mechanism for the Community Services cluster in the Host field of their Sametime Connect clients:
   - If you have set up a rotating DNS system for load balancing, users must specify the DNS name (for example, sametime.cscluster.com) of the rotating DNS system in this field.
   - If you have set up an IBM WebSphere Edge Server to perform load balancing, users must enter the IP address or DNS name of the WebSphere Edge Server machine in this field.

What to do next
Connectivity issues associated with a rotating DNS setup

If DNS resolve requests are cached, users might experience some problems when reconnecting following a server failure. For more information on connectivity issues associated with using a rotating DNS setup to accomplish load balancing, see Rotating DNS Limitations with cached DNS resolve requests.

Next step: At this point, your Community Services cluster is complete.

Set up a connection to a Domino LDAP server


You can store user information in an IBM Lotus Domino-based LDAP directory for use with an IBM Lotus Sametime deployment.

Before you begin


If you are maintaining your Sametime community in a Domino LDAP-enabled directory, you can use the information below to enable the Sametime servers to connect to the LDAP directory. If you are maintaining your Sametime community in a Domino directory in its native format (the directory is not LDAP-enabled), skip this procedure and continue to the procedure titled Create a Domino server cluster.

About this task


Installing the Sametime servers is the fourth of 11 tasks associated with setting up a Community Services cluster without clustering the Meeting Services.

Note: The values used below are suggested values for a Domino Directory enabled for LDAP access and do not apply to other LDAP directories. For more information about setting up the LDAP connection and the configuration settings described below, or to configure Sametime to access an LDAP directory on a different LDAP server (such as a Microsoft, Netscape, or IBM LDAP server), see Setting up an LDAP directory and Setting up an LDAP connection.

To set up a connection to a Domino LDAP server:

1. Install a Domino server as described in the Lotus Domino Administrator Help.
2. Install a Sametime server on top of the new Domino server as described in "Sametime Server Installation."
3. During the Sametime server installation, click LDAP directory when prompted for the directory type.
4. After the installation completes, open the Sametime Administration Tool on the Sametime server.
5. Select LDAP Directory - Connectivity and enter the following settings:
   - Host name or IP address of the LDAP server: Specify the address of the LDAP server.
   - Position of this server in the search order: Suggested value is "1."
   - Use authenticated binding to the LDAP server (optional): For a test deployment, clear the check mark from this setting to enable the Sametime server to bind to the LDAP server as an anonymous user.
   - Use SSL to authenticate and encrypt the connection between the Sametime server and the LDAP server: For a test deployment, clear the check mark from this setting; passwords and other directory information passing between the Sametime server and the LDAP server are then not encrypted with SSL.
6. Click Update at the bottom of the Connectivity tab.
7. Select LDAP Directory - Basics and enter the following settings:
   - Where to start searching for people: Suggested value is o=servername (where servername is the name of the LDAP server).
   - Scope for searching for a person: Suggested value is "recursive."
   - The attribute of the person entry that defines the person's name: Suggested value is "cn."
   - Attribute used to distinguish between two similar person names: Suggested value is "mail."
   - The object class used to determine if an entry is a person: Suggested value is "organizationalPerson."
   - Where to start searching for groups: Leave this setting blank.
   - Scope for searching for groups: Suggested value is "recursive."
   - Attribute used to distinguish between two similar group names: Suggested value is "description."
   - The group object class used to determine if an entry is a group: Suggested value is "groupOfNames."
8. Click Update.
9. Select LDAP Directory - Authentication and enter the following settings:
   - Search filter to use when resolving a user name to a distinguished name: Suggested value is:
     (&(objectclass=organizationalPerson)(|(cn=%s)(givenname=%s)(sn=%s)(mail=%s*)))
   - Name of the Home Server attribute: Suggested value is the attribute in the LDAP directory that holds the home Sametime server name. In a Domino Directory, this is the "Sametime Server" field of the Person document.
10. Click Update.
11. Select LDAP Directory - Searching and enter the following settings:
   - Search filter for resolving person names: Suggested value is:
     (&(objectclass=organizationalPerson)(|(cn=%s*)(givenname=%s*)(sn=%s*)(mail=%s*)))
   - Search filter for resolving group names: Suggested value is:
     (&(objectclass=groupOfNames)(cn=%s*))
12. Click Update.
13. Select LDAP Directory - Group Contents and enter the following settings:
   - Attribute in the group object class that has the names of the group members: Suggested value is "member."
14. Click Update.
15. Restart the server for the changes to take effect.
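The suggested search filters above contain %s placeholders that Sametime fills with the name being resolved. As an added example that is not part of this guide or of the Sametime product, the following Python builds those filters from the templates and shows why the substituted value must be escaped as RFC 4515 requires, so that a name containing * or parentheses cannot change the filter's meaning; the helper functions and sample names are constructed for the example.

```python
"""Building the Sametime LDAP search filters safely.

Added example; not code from the IBM guide or from Sametime. The templates
are the suggested values from steps 9 and 11; Sametime substitutes the name
being resolved for each %s. The helpers show why that value must be escaped
per RFC 4515 before it reaches the LDAP server.
"""

# Filter templates exactly as suggested in the guide.
AUTH_FILTER = ("(&(objectclass=organizationalPerson)"
               "(|(cn=%s)(givenname=%s)(sn=%s)(mail=%s*)))")
PERSON_SEARCH_FILTER = ("(&(objectclass=organizationalPerson)"
                        "(|(cn=%s*)(givenname=%s*)(sn=%s*)(mail=%s*)))")
GROUP_SEARCH_FILTER = "(&(objectclass=groupOfNames)(cn=%s*))"

# RFC 4515 section 3: characters that must be escaped inside an assertion
# value, each written as a backslash followed by the byte's two hex digits.
_RFC4515_ESCAPES = {
    "\\": r"\5c",
    "*": r"\2a",
    "(": r"\28",
    ")": r"\29",
    "\0": r"\00",
}


def escape_filter_value(value: str) -> str:
    """Escape one assertion value so it cannot alter the filter's structure."""
    return "".join(_RFC4515_ESCAPES.get(ch, ch) for ch in value)


def build_filter(template: str, name: str, escape: bool = True) -> str:
    """Substitute `name` for every %s in a Sametime filter template.

    escape=False reproduces naive substitution and exists only to show the
    failure mode; a directory-facing build must always escape.
    """
    value = escape_filter_value(name) if escape else name
    return template.replace("%s", value)


def structure_preserved(template: str, built: str) -> bool:
    """True if the built filter has exactly the sub-filters of the template.

    An escaped parenthesis is written as \\28 or \\29 and contains no literal
    '(' or ')', so a changed count means the substituted name added or
    removed a filter component.
    """
    return (built.count("(") == template.count("(")
            and built.count(")") == template.count(")"))


def has_injected_wildcard(template: str, built: str) -> bool:
    """True if a '*' came from the substituted name rather than the template.

    The trailing '*' in (mail=%s*) is part of the suggested template and is
    intentional; only wildcards beyond that count are user-supplied.
    """
    return built.count("*") > template.count("*")


if __name__ == "__main__":
    # Constructed sample names: a normal user id, a bare wildcard, and a
    # name that carries its own parentheses.
    for name in ("jsmith", "*", "x)(cn=y"):
        naive = build_filter(AUTH_FILTER, name, escape=False)
        safe = build_filter(AUTH_FILTER, name)
        print(f"{name!r}: naive structure ok={structure_preserved(AUTH_FILTER, naive)}, "
              f"escaped structure ok={structure_preserved(AUTH_FILTER, safe)}")
        print(f"  escaped filter: {safe}")
```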

What to do next
Next step: Create a Domino server cluster

Adding a server to the Community Services cluster


Even when your Community Services cluster is controlled by the IBM Lotus Sametime Enterprise Meeting Server, you can add IBM Lotus Sametime servers to the cluster without having them controlled by the EMS.

About this task


To add a Sametime server to an existing Community Services cluster:

1. Add the Sametime server to the IBM Lotus Domino server cluster following the guidelines described in Creating a Domino server cluster.
2. Replicate the Sametime databases to the newly added Sametime server following the guidelines described in Setting up replication of Sametime databases.
3. Update the Cluster Information document and copy the updated document to all Sametime servers in the community:
   a. Add the name of the new Sametime server to the List of Servers in Cluster field in the Cluster Information document in the Configuration database (stconfig.nsf) on one Sametime server. Enter the server name in the Domino full canonical name format (for example, cn=servername/ou=organizational unit/o=organization). Do not use the fully qualified DNS name in this field. The list includes every Sametime server in the cluster; separate the server names with a semicolon and a space as shown in the example below:
      cn=sametimeserver1/ou=west/o=acme; cn=sametimeserver2/ou=west/o=acme
   b. Copy the updated Cluster Information document and paste it into the Configuration database on every Sametime server in the community (both clustered servers and non-clustered servers).
      Note: After pasting the new Cluster Information document in the Configuration database, you can delete the previous version of the Cluster Information document.
4. Optional: You can deploy an additional Community Services multiplexer as described in Deploying separate Community Services multiplexers to ensure the connection load for your Community Services cluster is handled efficiently. However, if you do not deploy another Community Services multiplexer, the existing Community Services multiplexers can still make connections to the newly added Sametime server.
   If you deploy an additional Community Services multiplexer, make sure to update the Community Connectivity configuration document on every Sametime server in the cluster and include the IP address of the new Community Services multiplexer.
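The following added example (not IBM's code) checks a List of Servers in Cluster value against the rules in step 3a before it is pasted into the Cluster Information document: every entry must be a full canonical name rather than a DNS name, and entries are separated by a semicolon and a space. The validator, its function names and the sample server names are constructed for the example.

```python
"""Validating the "List of Servers in Cluster" field value.

Added example, not IBM code. It applies the rules stated in step 3a to a
candidate value for the Cluster Information document in stconfig.nsf:
every entry is a Domino full canonical name (cn=.../ou=.../o=...), no entry
is a DNS host name, and entries are joined with a semicolon and a space.
"""
import re
from typing import List, Tuple

# Component types that may appear in a Domino hierarchical name.
_COMPONENT_RE = re.compile(r"^(cn|ou|o|c)=(.+)$", re.IGNORECASE)


def parse_canonical_name(entry: str) -> List[Tuple[str, str]]:
    """Split one canonical name into (type, value) pairs, validating each.

    Raises ValueError for abbreviated names such as server1/west/acme and
    for DNS names such as server1.acme.com.
    """
    entry = entry.strip()
    if not entry:
        raise ValueError("empty server name")
    parsed = []
    for component in entry.split("/"):
        match = _COMPONENT_RE.match(component.strip())
        if match is None:
            raise ValueError(f"not a canonical component: {component.strip()!r}")
        parsed.append((match.group(1).lower(), match.group(2).strip()))
    types = [t for t, _ in parsed]
    if types[0] != "cn":
        raise ValueError(f"canonical name must start with cn=: {entry!r}")
    if "o" not in types:
        raise ValueError(f"canonical name lacks an o= component: {entry!r}")
    if "." in parsed[0][1]:
        # Heuristic: a dot in the cn value suggests a DNS host name was pasted.
        raise ValueError(f"cn looks like a DNS host name: {entry!r}")
    return parsed


def normalize_server_list(value: str) -> str:
    """Return the field value in the exact form the guide prescribes.

    Entries may arrive separated by ';' with or without spaces; the result
    uses '; ' and lower-case component types. Duplicates are rejected.
    """
    seen = set()
    normalized = []
    for raw in value.split(";"):
        if not raw.strip():
            continue
        canonical = "/".join(f"{t}={v}" for t, v in parse_canonical_name(raw))
        if canonical.lower() in seen:
            raise ValueError(f"duplicate server entry: {canonical!r}")
        seen.add(canonical.lower())
        normalized.append(canonical)
    if not normalized:
        raise ValueError("the list contains no servers")
    return "; ".join(normalized)


def is_valid_server_list(value: str) -> bool:
    """Convenience wrapper: True if normalize_server_list accepts the value."""
    try:
        normalize_server_list(value)
    except ValueError:
        return False
    return True


if __name__ == "__main__":
    # Constructed sample values, including the guide's own example.
    for candidate in ("cn=sametimeserver1/ou=west/o=acme; cn=sametimeserver2/ou=west/o=acme",
                      "sametimeserver1/west/acme",
                      "sametimeserver1.acme.com"):
        print(f"{candidate!r}: valid={is_valid_server_list(candidate)}")
```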


Creating multiple Community Services clusters in a single Sametime community


If you have a large IBM Lotus Sametime community consisting of many Sametime servers, it is possible to create multiple Community Services clusters within this single Sametime community.

About this task


You might want to create multiple Community Services clusters if you have users who are in the same community, but work in remote locations. For example, you might want to create a Community Services cluster for workers in your Dublin office and a separate Community Services cluster for workers in your Paris office. Creating two separate clusters enables the clusters to function more efficiently. If the servers in Dublin and the servers in Paris were part of the same Community Services cluster, it would be necessary to replicate databases in real-time across a WAN connection, which might result in inefficient performance.

Note: Each Lotus Sametime server can belong to a single cluster. Environments in which two or more clusters point to the same Sametime Server are not supported.

To create multiple Community Services clusters in a single community:

1. Create each Community Services cluster using the procedures described in Setting up a Community Services cluster without clustering the Meeting Services.
2. Copy the Cluster Information documents to all servers in the Sametime community.

Results
When you create a Community Services cluster, you create a Cluster Information document in the Configuration database (stconfig.nsf) on one Sametime server in the cluster and copy this Cluster Information document to the Configuration databases of every Sametime server in the community. When you create multiple Sametime server clusters in a single community, the Configuration database of every Sametime server in the community must include a Cluster Information document for every cluster in the Sametime community. In such an environment, the Configuration database on each Sametime server in the community will contain multiple Cluster Information documents. For example, if you have three Community Services clusters in your community (Cluster 1, Cluster 2, and Cluster 3), the configuration database of every Sametime server in the community must include three cluster documents (one for each cluster). This rule applies to all servers in the community, even servers that do not operate as a member of a cluster.

What to do next
For more information, see Creating a cluster document in the Configuration database (stconfig.nsf) and Creating a cluster document on other Sametime servers in the community.


Rotating DNS Limitations with cached DNS resolve requests


This section describes some of the limitations related to setting up a rotating DNS system to load balance connections to the IBM Lotus Sametime Community Services cluster. Ideally, as users connect to the rotating DNS system, consecutive attempts to resolve a cluster name will result in an even distribution of connections to the servers in the cluster. In practice, the DNS caching mechanism can cause Sametime Connect to repeatedly attempt connections to the same server in the cluster. If a server fails, and the DNS resolve requests are cached, IBM Lotus Sametime Connect might attempt to reconnect to the server that is down instead of failing over to a different server. The Sametime Connect client's Sametime Connectivity settings control whether the client attempts to connect to the Sametime server through a proxy server or attempts a direct connection to the Sametime server. These connectivity settings affect the failover behavior when DNS resolve requests are cached. This behavior varies for the IBM Lotus Sametime Connect for the desktop client and the IBM Lotus Sametime Connect for browsers client. The failover behavior of the Sametime Connect clients when DNS resolve requests are cached is discussed below.

Sametime Connect for the desktop


When the DNS resolve requests are cached and a server fails, Sametime Connect for the desktop automatically attempts to connect to another server in the cluster. When any of the following settings are selected on the Sametime Connectivity tab, a successful connection to the cluster depends on the client machine and its settings:

- Direct connection using standard Sametime protocol
- Use SOCKS4 proxy with "Resolve server name locally" checked
- Use SOCKS5 proxy with "Resolve server name locally" checked
- Direct connection using HTTP protocol

If Sametime Connect cannot reconnect to the cluster when these settings are selected, the user can try any of the following options:

- On Microsoft Windows NT and Windows 98 machines, restart the Sametime Connect client or restart the Web browser.
- On Windows 2000-2003 machines, change the registry key that controls the cache time for DNS requests so the DNS requests are cached for only one second:
  1. Start the registry editor and open HKEY_LOCAL_MACHINE\SYSTEM\CurrentControlSet\Services\Dnscache\Parameters
  2. Change the value of the registry key "MaxCacheEntryTtlLimit" to "1"
- In the Sametime Connect client's Sametime Connectivity settings, change the name in the Host setting from the cluster name to the name of a specific server within the cluster.

When any of the following settings are selected in the Sametime Connectivity tab, a proxy server resolves the cluster name. Resolving the cluster name depends on the settings of the proxy server. The proxy server might return a valid server name in the cluster, or it might return the address of the server that is already down.

- Use HTTP proxy
- Use HTTPS proxy
- Use SOCKS4 proxy with "Resolve server name locally" unchecked
- Use SOCKS5 proxy with "Resolve server name locally" unchecked

If Sametime Connect cannot reconnect to the cluster when these settings are selected, check the settings on the proxy server to verify the proxy is attempting to connect to the servers within the cluster in rotating order.

When Use my Internet Explorer browser settings is selected in the Sametime Connectivity tab, the behavior of the client depends on the proxy connectivity settings of the Microsoft Internet Explorer Web browser.

- If the browser settings do not specify a proxy server, the client attempts a Direct connection using HTTP protocol. If the client is unable to reconnect following a server failure, the user can try any of the options listed for Direct connection using HTTP protocol above.
- If the browser settings specify an HTTP proxy server, the HTTP proxy server resolves the cluster name. If the client cannot reconnect, check the settings on the proxy server to verify the proxy is attempting to connect to the servers in the cluster.

Sametime Connect for browsers


With Sametime Connect for browsers, the client resolves the cluster name when any of the following options are selected:

- Direct connection using standard Sametime protocol
- Direct connection using HTTP protocol
- Use SOCKS4 proxy with "Resolve server name locally" checked
- Use SOCKS5 proxy with "Resolve server name locally" checked

If Sametime Connect for browsers cannot reconnect to the cluster when these settings are selected, the user should do the following:

- On Windows NT and Windows 98 machines, restart the Sametime Connect client or restart the Web browser.
- On Windows 2000 machines, change the registry key that controls the cache time for DNS requests so that DNS requests are cached for only one second:
  1. Start the registry editor and open HKEY_LOCAL_MACHINE\SYSTEM\CurrentControlSet\Services\Dnscache\Parameters
  2. Change the value of the registry key "MaxCacheEntryTtlLimit" to "1"
- In the Sametime Connect client's Sametime Connectivity settings, change the name in the Host field from the cluster name to the name of a specific server within the cluster.

When any of the following settings are selected in the Sametime Connect for browsers Sametime Connectivity tab, a proxy server resolves the cluster name. Resolving the cluster name depends on the settings of the proxy server. The proxy server might return a valid server name in the cluster, or it might return the address of the server that is already down.

- Use SOCKS4 proxy with "Resolve server name locally" unchecked
- Use SOCKS5 proxy with "Resolve server name locally" unchecked
- Use HTTP proxy
- Use HTTPS proxy

If Sametime Connect cannot reconnect to the cluster when these settings are selected, check the proxy settings to verify the proxy is attempting to connect to the servers in the cluster in rotating order.

When Use my browser settings is selected in the Sametime Connectivity tab, the behavior of the client depends on the proxy connectivity settings of the Web browser.

- If the browser settings do not specify a proxy server, the client attempts a Direct connection using standard Sametime protocol or a Direct connection using HTTP protocol. If the client is unable to reconnect following a server failure, the user can try any of the options listed for Direct connection using standard Sametime protocol and Direct connection using HTTP protocol above.
- If the browser settings specify a SOCKS proxy server, and the client is unable to reconnect following a server failure, the user can try any of the options listed for the Use SOCKS4 and Use SOCKS5 proxy settings above.
- If the browser settings specify an HTTP or HTTPS proxy server, the proxy server resolves the cluster name. If the client cannot reconnect, check the settings on the proxy server to verify the proxy is attempting to connect to the servers in the cluster.
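The following added example, which is not part of this guide, models the failure mode this section describes in Python: a rotating DNS name for the cluster, a client-side resolver cache bounded by a maximum TTL (the quantity the MaxCacheEntryTtlLimit registry value caps), and a client that retries after its server goes down. The cluster name, the addresses and the class names are constructed.

```python
"""Why cached DNS answers defeat rotating-DNS failover.

Added example, not from the IBM guide. It models a rotating (round-robin)
DNS name for a Community Services cluster, a client-side resolver cache
with a maximum TTL, and a Sametime Connect client that reconnects after
the server it was using fails. Cluster name and addresses are constructed.
"""
from itertools import cycle
from typing import Dict, List, Tuple

CLUSTER_NAME = "sametime.cscluster.com"                      # constructed
CLUSTER_ADDRS = ["192.0.2.10", "192.0.2.11", "192.0.2.12"]  # constructed (TEST-NET-1)


class RotatingDNS:
    """Authoritative name server that answers with the next address on each query."""

    def __init__(self, name: str, addrs: List[str]) -> None:
        self.name = name
        self.addrs = addrs
        self._next = cycle(range(len(addrs)))

    def query(self, name: str) -> str:
        if name != self.name:
            raise LookupError(name)
        return self.addrs[next(self._next)]


class CachingResolver:
    """Stub resolver with a positive cache, like the Windows DNS Client service."""

    def __init__(self, upstream: RotatingDNS, max_ttl: int) -> None:
        self.upstream = upstream
        self.max_ttl = max_ttl          # seconds an answer is served from cache
        self.clock = 0                  # simulated wall clock, in seconds
        self._cache: Dict[str, Tuple[str, int]] = {}

    def advance(self, seconds: int) -> None:
        self.clock += seconds

    def resolve(self, name: str) -> str:
        cached = self._cache.get(name)
        if cached is not None and cached[1] > self.clock:
            return cached[0]            # served from cache: the DNS never rotates
        addr = self.upstream.query(name)
        self._cache[name] = (addr, self.clock + self.max_ttl)
        return addr


class Cluster:
    """Tracks which Community Services servers currently accept connections."""

    def __init__(self, addrs: List[str]) -> None:
        self.up = set(addrs)

    def fail(self, addr: str) -> None:
        self.up.discard(addr)

    def accepts(self, addr: str) -> bool:
        return addr in self.up


def simulate_reconnect(max_ttl: int, retries: int = 3,
                       retry_delay: int = 5) -> Tuple[List[str], bool]:
    """Connect once, fail that server, then retry as the client would.

    Returns the address tried on each reconnect attempt and whether any
    attempt reached a live server.
    """
    resolver = CachingResolver(RotatingDNS(CLUSTER_NAME, CLUSTER_ADDRS), max_ttl)
    cluster = Cluster(CLUSTER_ADDRS)

    first = resolver.resolve(CLUSTER_NAME)      # initial connection succeeds
    assert cluster.accepts(first)
    cluster.fail(first)                         # that server now goes down

    tried: List[str] = []
    for _ in range(retries):
        resolver.advance(retry_delay)
        addr = resolver.resolve(CLUSTER_NAME)
        tried.append(addr)
        if cluster.accepts(addr):
            return tried, True
    return tried, False


if __name__ == "__main__":
    print("long cache TTL:   ", simulate_reconnect(max_ttl=86400))
    print("TTL capped at 1 s:", simulate_reconnect(max_ttl=1))
```

With a long cache TTL every retry resolves to the failed server, which is the symptom the registry change addresses; with the cap at one second the next retry rotates to a live server.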


Chapter 27. Using the StdebugTool.exe utility


You can use the StdebugTool.exe utility to produce trace files and create new trace file sets for troubleshooting purposes. These trace files contain debug messages that aid IBM Technical Support in troubleshooting IBM Lotus Sametime problems. If you have never worked with Sametime trace files before, you should use the StdebugTool.exe utility only under the guidance of IBM Technical Support. Note: The StdebugTool.exe utility is available only for Sametime servers that run on the Windows operating system. Trace file reporting on a Sametime server is controlled through settings in the Sametime.ini file. You use the StdebugTool.exe utility to change settings in the Sametime.ini file to produce specific trace files. If you use this utility to change the Sametime.ini file settings, you do not need to restart the Sametime server to begin producing the trace files. The server will begin creating these files immediately after you run the tool. You can use the StdebugTool.exe utility to change trace file settings on either a local or remote Sametime server. An administrator can also produce trace files by using a text editor to manually edit the trace file settings in the Sametime.ini file. However, if you manually edit the Sametime.ini file settings, you must restart the Sametime server before it will begin producing the trace files. For more information, see Running the StdebugTool.exe utility.

Running the StdebugTool.exe utility


About this task
To start the StdebugTool.exe utility, you enter the StdebugTool.exe command from the server command prompt.

Note: If you intend to alter settings in a Sametime.ini file on a remote computer, you must append the IP address of the remote computer to the StdebugTool.exe command when starting the utility. If you want to alter settings in a Sametime.ini file on the local computer, it is not necessary to append the IP address of the local computer to the StdebugTool.exe command. A step-by-step example of running the StdebugTool.exe utility is provided below.

When the utility starts, you are presented with a second command prompt. At this second command prompt, you enter a command option to direct the StdebugTool.exe utility to perform a specific action. The possible command options are described below. These options include: ?, s, i, f, p, r, q:

- ? - Prints a help message
- s <FLAG_NAME> <value> - Sets a value to enable or disable a trace file flag that already exists in the Sametime.ini file. The <FLAG_NAME> string is a variable representing a specific trace flag. The <value> parameter is usually either "1" to enable the flag or "0" to disable it. For example, the VP_DB_TRACE flag in the Sametime.ini file is used to enable or disable all trace file reporting capabilities. The following s command option will enable the trace file reporting capabilities if the VP_DB_TRACE=0 setting already exists in the Sametime.ini file:

  s VP_DB_TRACE 1

- i <FLAG_NAME> <value> - Adds a specific flag to the Sametime.ini file and sets a value to enable or disable the trace file flag. Use this option if the flag you want to use does not currently exist in the Sametime.ini file. For example, the VP_LDAP_TRACE flag controls trace file reporting for LDAP directory access operations. The following i command option will add the VP_LDAP_TRACE flag to the Sametime.ini file and enable the LDAP access trace file reporting:

  I VP_LDAP_TRACE 1

- f - Prints a list of debug flags
- p - Prints a list of services
- r - Replaces existing trace files with new ones. Use this option to delete existing trace files, or copy over existing trace files with new ones.
- q - Stops (quits) the StdebugTool.exe utility.


Trace file location


If you use the StdebugTool.exe utility to produce trace files, the trace files are output to the <Sametime server installation>\Trace directory (for example, C:\Lotus\Domino\Trace).


Step-by-step example of running the StdebugTool.exe utility


About this task
A step-by-step example of running the StdebugTool.exe utility is provided below. Note that the StdebugTool.exe utility resides in the Sametime server installation directory (default C:\Lotus\Domino\Sametime) following a Sametime server installation. You must run the StdebugTool.exe utility from the Sametime server installation directory.

To run the StdebugTool.exe utility:

1. Start the server command prompt.
2. Change to the Sametime server installation directory. For example, enter the following command at the server command prompt:
Cd Lotus\Domino\Sametime

3. Enter StdebugTool.exe to start the StdebugTool.exe utility. For example, you can enter the following command to start the utility if you want to alter settings in the Sametime.ini file on the local computer:
C:\Lotus\Domino\Sametime>StdebugTool.exe

Or, you can enter the following command if you want to alter settings in the Sametime.ini file on a remote computer that has the IP address 1.2.3.5:


C:\Lotus\Domino\Sametime>StdebugTool.exe 1.2.3.5

4. The StdebugTool command prompt displays. At this command prompt, enter the command option that you want to run. For example, if you want to display a list of all debug flags, type:
F (and press Enter)

5. After the first command completes, you can run additional commands from the StdebugTool command prompt. For example, you could enter the following command to produce a trace file with debug messages pertaining to LDAP directory access operations:
I VP_LDAP_TRACE 1 (and press Enter)

When the command above completes, you can enter another command if necessary. For example, you could enter the following command to disable general trace file reporting. This example assumes the VP_DB_TRACE=1 setting currently exists in the Sametime.ini file.
s VP_DB_TRACE 0 (and press Enter)

6. When you are finished running commands, type the letter q at the StdebugTool command prompt to quit the utility.
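As an added illustration of the s and i semantics described in this chapter and exercised in the session above (this is not IBM's StdebugTool.exe and does not replace it), the following Python applies the same flag commands to an in-memory copy of a Sametime.ini file. The sample INI content, its section name, the appended-at-end placement and the enabled_trace_flags audit helper are constructed for the example; only the flag names come from the guide.

```python
"""Applying StdebugTool.exe-style flag commands to a Sametime.ini copy.

Added example, not IBM's utility. `s` changes a flag that already exists
and fails otherwise; `i` adds the flag (or updates it if present). Where a
new flag is placed, the [Debug] section name and the sample contents are
constructed; a real Sametime.ini has more sections and settings.
"""
from typing import List, Optional

SAMPLE_INI = """[Debug]
VP_DB_TRACE=0
; constructed comment: other settings follow
"""


class SametimeIni:
    """Line-preserving editor for KEY=value settings in Sametime.ini."""

    def __init__(self, text: str) -> None:
        self.lines: List[str] = text.splitlines()

    def text(self) -> str:
        return "\n".join(self.lines) + "\n"

    def _find(self, flag: str) -> Optional[int]:
        """Index of the line holding `flag`, ignoring comments and section headers."""
        for index, line in enumerate(self.lines):
            if line.lstrip().startswith((";", "#", "[")):
                continue
            key, sep, _ = line.partition("=")
            if sep and key.strip().upper() == flag.upper():
                return index
        return None

    def set_flag(self, flag: str, value: str) -> None:
        """The `s` command: only changes a flag that is already present."""
        index = self._find(flag)
        if index is None:
            raise KeyError(f"{flag} does not exist; use the i command to add it")
        self.lines[index] = f"{flag}={value}"

    def insert_flag(self, flag: str, value: str) -> None:
        """The `i` command: appends the flag, or updates it if already present."""
        index = self._find(flag)
        if index is None:
            self.lines.append(f"{flag}={value}")
        else:
            self.lines[index] = f"{flag}={value}"

    def enabled_trace_flags(self) -> List[str]:
        """Flags named *_TRACE that are set to 1.

        Constructed audit helper: run it after a support session to confirm
        that tracing was switched back off, since trace files can hold
        directory and session details.
        """
        enabled = []
        for line in self.lines:
            if line.lstrip().startswith((";", "#", "[")):
                continue
            key, sep, value = line.partition("=")
            key = key.strip().upper()
            if sep and key.endswith("_TRACE") and value.strip() == "1":
                enabled.append(key)
        return enabled

    def run(self, commands: List[str]) -> List[str]:
        """Apply a StdebugTool-style session; returns one status line per command.

        Only s, i and q are modelled; ?, f, p and r act on the live server
        and are reported as unsupported here.
        """
        status = []
        for command in commands:
            parts = command.split()
            if not parts:
                continue
            option = parts[0].lower()
            if option == "q":
                status.append("quit")
                break
            if option in ("s", "i") and len(parts) == 3:
                flag, value = parts[1], parts[2]
                try:
                    (self.set_flag if option == "s" else self.insert_flag)(flag, value)
                    status.append(f"{flag}={value}")
                except KeyError:
                    status.append(f"{flag} not found; use i to add it")
            else:
                status.append(f"unsupported here: {command}")
        return status


if __name__ == "__main__":
    ini = SametimeIni(SAMPLE_INI)
    # The session from the step-by-step example, minus the f listing.
    for line in ini.run(["I VP_LDAP_TRACE 1", "s VP_DB_TRACE 0", "q"]):
        print(line)
    print("still enabled:", ini.enabled_trace_flags())
    print(ini.text(), end="")
```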


Chapter 28. Configuring SiteMinder for the Lotus Sametime server


This section describes how to configure CA eTrust SiteMinder for the IBM Lotus Sametime 8 server.

About this task


You installed the Lotus Sametime 8 server as part of the process for installing IBM Lotus Sametime Advanced. The Lotus Sametime 8 server is managed with the Lotus Sametime Advanced server. When you configure SiteMinder to work with the Lotus Sametime 8 server, you create a new agent object, agent configuration object, Host configuration object, realm, and sub-realms. You should use the same user directory and domain that you created when you configured SiteMinder for Lotus Sametime Advanced. See Configuring the domains and realms for your Sametime Advanced environment.

Creating configuration objects for Sametime


Follow these steps to create configuration objects for IBM Lotus Sametime 8 on the CA eTrust SiteMinder Policy server.

Before you begin


Open the SiteMinder Policy Server console.

1. To create an Agent object, follow these steps.
   a. Click the System tab.
   b. Under System Configuration, right-click the Agents icon.
   c. In the SiteMinder Agent Dialog, type a unique value not used previously for an existing agent in the *Name field.
   d. Optional: Type a description such as "Sametime Agent."
   e. Under Agent Type, select SiteMinder, and select Web Agent from the drop-down list.
   f. Click OK.
2. Create a duplicate of the existing DominoDefaultSettings Agent Conf Object on the SiteMinder Policy Server and modify the duplicate as appropriate. To create an Agent Conf object for your HTTP Server:
   a. Under System Configuration, click the Agent Conf Objects icon.
   b. Right-click the DominoDefaultSettings Agent Conf object in the Agent Conf Object List on the right side of the console, and select Duplicate Configuration Object.
   c. In the SiteMinder Agent Configuration Object Dialog, type a unique value not used previously for an existing agent in the *Name field.
   d. Optional: Type a description such as "Domino Configuration Agent."
   e. In the Configuration Values list, set the following parameters to the values indicated or to the appropriate values for your server. Click each parameter and select Edit:
      - DefaultAgentName - Name given to the agent created in step 1c.
      - AllowLocalConfig - Yes
      - CssChecking - No
      - BadUrlChars - remove // and /.,%00-%1f,%7f-%ff,%25 from the default list of Bad Url Characters
      - SkipDominoAuth - No
      All other parameters can be left at their default settings.
   f. Click OK.
3. IBM recommends that you create a duplicate of the existing DefaultHostSettings Host Conf Object on the SiteMinder Policy Server and modify the duplicate as appropriate. To create a Host Conf object for your HTTP Server:
   a. Under System Configuration, click the Host Conf Objects icon.
   b. Right-click the DefaultHostSettings object in the Host Conf Object List on the right side of the console, and select Duplicate Configuration Object.
   c. In the SiteMinder Host Configuration Object Dialog, type a unique value in the *Name field.
   d. Optional: Type a description such as "Sametime Advanced Host."
   e. In the Configuration Values list, edit the #Policy Server value by removing the # from in front of the parameter name and enter the IP address of your SiteMinder Policy Server in the appropriate place in the value field.
   f. Click OK.
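To see what the BadUrlChars change in step 2e means for the requests the Web Agent will still reject, here is an added example (neither CA's nor IBM's code) that evaluates a BadUrlChars list against sample Sametime URLs. The default list it starts from is assumed from the 6.x Web Agent and should be checked against the DominoDefaultSettings object on your own Policy Server; the sample URLs and helper names are constructed.

```python
"""What the BadUrlChars relaxation for Sametime stops rejecting.

Added example, not CA or IBM code. A BadUrlChars value is a comma-separated
list of literal substrings plus %xx-%yy ranges of percent-encoded bytes; a
request whose URL matches any entry is rejected by the Web Agent. This
models that check so the effect of removing entries can be seen. The
DEFAULT_BAD_URL_CHARS value is assumed, not taken from the guide.
"""
import re
from typing import List, Optional, Tuple

# Assumed 6.x default list; verify against your Agent Conf object.
DEFAULT_BAD_URL_CHARS = "//,./,/.,/*,*.,~,\\,%00-%1f,%7f-%ff,%25"
# Entries step 2e says to remove for the Sametime agent.
REMOVED_FOR_SAMETIME = ["//", "/.", "%00-%1f", "%7f-%ff", "%25"]

_RANGE_RE = re.compile(r"^%([0-9a-f]{2})-%([0-9a-f]{2})$", re.IGNORECASE)
_PCT_RE = re.compile(r"%([0-9a-f]{2})", re.IGNORECASE)


def parse_bad_url_chars(spec: str) -> List[Tuple[str, object]]:
    """Split a BadUrlChars value into ('literal', str) and ('range', (lo, hi)) entries."""
    entries: List[Tuple[str, object]] = []
    for raw in spec.split(","):
        entry = raw.strip()
        if not entry:
            continue
        match = _RANGE_RE.match(entry)
        if match:
            lo, hi = int(match.group(1), 16), int(match.group(2), 16)
            entries.append(("range", (lo, hi)))
        else:
            entries.append(("literal", entry))
    return entries


def first_bad_entry(spec: str, url: str) -> Optional[str]:
    """Return the BadUrlChars entry that rejects `url`, or None if it passes."""
    for kind, value in parse_bad_url_chars(spec):
        if kind == "literal" and value in url:
            return value
        if kind == "range":
            lo, hi = value  # type: ignore[misc]
            for match in _PCT_RE.finditer(url):
                if lo <= int(match.group(1), 16) <= hi:
                    return f"%{lo:02x}-%{hi:02x}"
    return None


def sametime_bad_url_chars(default: str = DEFAULT_BAD_URL_CHARS) -> str:
    """Apply step 2e: drop the listed entries from the default list."""
    kept = [e.strip() for e in default.split(",")
            if e.strip() and e.strip() not in REMOVED_FOR_SAMETIME]
    return ",".join(kept)


def newly_allowed(urls: List[str]) -> List[str]:
    """URLs the default list rejects but the relaxed Sametime list lets through.

    These are the requests the Sametime server itself must now be trusted
    to handle, since the agent no longer filters them.
    """
    relaxed = sametime_bad_url_chars()
    return [u for u in urls
            if first_bad_entry(DEFAULT_BAD_URL_CHARS, u) is not None
            and first_bad_entry(relaxed, u) is None]


if __name__ == "__main__":
    # Constructed request paths modelled on the realm resource filters.
    samples = ["/stsrc.nsf/join", "/sametime//applets",
               "/servlet/auth/admin%0a", "/a/../b", "/x%7F"]
    print("relaxed list:", sametime_bad_url_chars())
    for url in samples:
        print(f"{url:28} default={first_bad_entry(DEFAULT_BAD_URL_CHARS, url)!s:8} "
              f"sametime={first_bad_entry(sametime_bad_url_chars(), url)}")
    print("newly allowed:", newly_allowed(samples))
```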

Configuring realms for Lotus Sametime


Follow these steps to configure the realms for IBM Lotus Sametime 8 on the CA eTrust SiteMinder Policy Server.

About this task


You should use the same user directory and Web Agent domain that you created when you configured SiteMinder for Lotus Sametime Advanced. See Configuring the domains and realms for your Sametime Advanced environment.

1. Open the SiteMinder Policy Server console.
2. Define the realm definition for the Web Agent domain:
   a. Click the Domains tab in the left side of the SiteMinder Policy Console.
   b. Right-click the Web Agent domain that you previously created.
   c. Click Create Realm.
   d. In the SiteMinder Realm Dialog, type a unique value in the *Name field, for example, Sametime.
   e. Optional: Type a description.
   f. Click the Resource tab.
   g. In the Agent field, type the name of the agent that you created for the Web Agent for Lotus Sametime 8. You can also select it using Lookup.
   h. Type the Resource Filter as /
   i. In the Authentication Scheme drop-down list, select Basic.
   j. Under Default Resource Protection, select Protected. Leave all the other fields on the Resource, Session and Advanced tabs as their default values.
   k. Click OK.
3. Create sub-realms under the realm you just created.
   a. Click the Domains tab in the left side of the SiteMinder Policy Console.
   b. Right-click the realm that you created in step 2.
   c. Click Create Realm.
   d. Create the following sub-realms for your configuration, with the values indicated in each dialog:

   Name                 Resource Filter            Authentication Scheme   Default Resource Protection
   ST Test              stlinks                    Basic                   Unprotected
   ST AdminConfig       servlet/auth/scs           Basic                   Unprotected
   ST AdminPage         servlet/auth/admin         Basic                   Protected
   ST Src               stsrc.nsf/join             Basic                   Protected
   ST Domino            STDomino.nsf               Basic                   Unprotected
   ST Applets           sametime/applets           Basic                   Unprotected
   ST Applet            Sametime/Applet            Basic                   Unprotected
   IMI Sametime         sametime/hostAddress.xml   Basic                   Unprotected
   ST MMAPI             servlet/auth/mmapi         Basic                   Unprotected
   ST Admin CGI         cgi-bin/StAdminAct.exe     Basic                   Unprotected
   ST UserInfoServlet   servlet/UserInfoServlet    Basic                   Unprotected

4. Create rules for the protected realm (Sametime) and the two protected sub-realms (ST AdminPage and ST Src).
   a. Right-click the realm that was created for the Web Agent domain (for example, Sametime), and select Create Rule under Realm.
   b. Use the SiteMinder Rule dialog to create the following rules named Rule 1 and Rule 2:
      Rule 1 properties
      - *Name - GetPost Rule
      - Realm - Sametime
      - Resource: *
      - Web Agent actions - Get,Post,
      - When this Rule fires - Allow Access
      - Enable or Disable this Rule - Enabled
      Rule 2 properties
      - *Name - OnAuthAccept
      - Realm - Sametime
      - Resource: *
      - Authentication events - OnAuthAccept
      - When this Rule fires - Allow Access
      - Enable or Disable this Rule - Enabled
   c. Right-click the ST AdminPage sub-realm, and select Create Rule under Realm.
   d. Use the SiteMinder Rule dialog to create the following rule named Rule 1:
      Rule 1 properties
      - *Name - GetPost Rule
      - Realm - Sametime.ST AdminPage
      - Resource: *
      - Web Agent actions - Get,Post,
      - When this Rule fires - Allow Access
      - Enable or Disable this Rule - Enabled
   e. Right-click the ST Src sub-realm, and select Create Rule under Realm.
   f. Use the SiteMinder Rule dialog to create the following rules named Rule 1 and Rule 2:
      Rule 1 properties
      - *Name - GetPost Rule
      - Realm - Sametime.ST Src
      - Resource: *
      - Web Agent actions - Get,Post,
      - When this Rule fires - Allow Access
      - Enable or Disable this Rule - Enabled
      Rule 2 properties
      - *Name - OnAuthAccept
      - Realm - Sametime.ST Src
      - Resource: *
      - Authentication events - OnAuthAccept
      - When this Rule fires - Allow Access
      - Enable or Disable this Rule - Enabled
5. Add the rules to the SiteMinder policy that you created for Lotus Sametime Advanced.
   a. Double-click the policy you created for Lotus Sametime Advanced, for example, STADVWAPolicy.
   b. Click the Rules tab, and then click Add/Remove Rules. Add all the rules you created previously for the realm and sub-realms to the current members list. Click OK.

Installing and configuring the SiteMinder Web Agent


IBM recommends that you install the latest available version of the CA eTrust SiteMinder Web Agent as well as the latest available hot fix that is certified by Computer Associates to work with the version of the HTTP server that you are using.

Before you begin


Before you begin, you must download the Siteminder V6-QMR5 W32 Web Agent installation files from the SiteMinder support site at http://support.netegrity.com.

About this task


Refer to the SiteMinder platform support matrices for more details. These matrices can be obtained from the SiteMinder support site. You can also refer to the SiteMinder WebAgent Installation Guide for details about configuring the Web Agent to work with the HTTP server that you are using. The application agent for IBM Lotus Sametime Advanced should be v6.0 CR005 or later to ensure support of IBM WebSphere Application Server 6.1.


Lotus Sametime Entry: Installation and Administration Guide

Note: To install the SiteMinder Web Agent on platforms other than Microsoft Windows, you can use the relevant Win32 instructions as a reference document. The same configuration information needs to be provided, regardless of platform. There are also additional instructions included with the Web Agent installation files that indicate platform-specific steps that are required for installing and configuring the Web Agent on a specific platform.

Follow these steps to install and configure the Win32 6x Web Agent for your HTTP server.
1. If necessary, extract all the files from the ZIP file provided by SiteMinder.
2. Start the Web Agent executable. The format is nete-wa-6qmrX-platform.exe. For example:
   nete-wa-6qmr5-win32.exe
   The CA SiteMinder Web Agent Introduction screen appears.
3. Click Next.
4. On the License Agreement screen, scroll down and select I accept the terms of the License Agreement, and click Next.
5. Click Next on the Important Information screen.
6. On the Choose Install Location screen, accept the default location for installing the Web Agent or click Choose to select a different location, then click Next.
7. Click Next on the Choose Shortcut Folder screen.
8. Click Install on the Pre-Installation Summary screen.
9. On the Install Complete screen, accept the default selection and click Done. Your system restarts.
10. Click Start > Programs > Siteminder > Web Agent Configuration Wizard to start the Web Agent Configuration Wizard.
11. On the Host Registration screen, select Yes, I would like to do Host Registration now, but do not select the Enable PKCS11 DLL Cryptographic Hardware check box. Click Next.
12. On the Admin Registration screen, type the SiteMinder administrator name and password provided by your SiteMinder contact. Do not select the Enable Shared Secret Rollover check box. Click Next.
13. On the Trusted Host Name and Configuration Object screen, type the trusted host name and Host Conf Object provided by your SiteMinder contact. Click Next.
14. On the Policy Server IP Address screen, type the SiteMinder Policy Server IP address provided by your SiteMinder contact and click Add. Click Next.
15. On the Host Configuration file location screen, accept the default file name and location and click Next.
16. On the Select Web Server(s) screen, select the check box next to the HTTP server that you wish to configure with the Web Agent, and then click Next.
17. On the Agent Configuration Object screen, enter the Agent Conf Object provided by the SiteMinder contact and click Next.
18. On the Web Server Configuration Summary screen, click Install. The Web Agent configuration process starts, and then the Configuration Complete screen appears.
19. Click Done to complete the configuration process.


Note: You can ignore messages indicating that some warnings occurred during the installation. These warnings appear by default and do not affect the functionality of the Web Agent.

What to do next
There are additional steps that must be completed to enable the Web Agent to function properly for your server. Follow the additional instructions that are provided by your SiteMinder contact in order to complete this setup.

Add the DSAPI filter file name to the Domino Directory


Your IBM Lotus Sametime server will run on a Lotus Domino server. When you integrate IBM Lotus Sametime with CA eTrust SiteMinder, the SiteMinder Web Agent is implemented as a Domino Web Server Application Programming Interface (DSAPI) filter file.

About this task


Follow these steps to add the DSAPI filter file name to the Domino Directory.
1. Open the Domino Directory (names.nsf) on the Domino server.
2. Edit the server document for the Domino server as follows:
   a. Click the Internet Protocols tab, then click the HTTP tab. In the DSAPI filter file names field, type the full path and name of the SiteMinder Web Agent (typically c:\Program Files\Netegrity\Siteminder Web Agent\bin\dominowebagent.dll).
   b. Click the Domino Web Engine tab, then set the Session authentication field to Disabled.
3. Save and close the server document.

Enabling SiteMinder for Lotus Sametime


Follow these steps to enable the CA eTrust SiteMinder Web Agent for the IBM Lotus Sametime server.
1. Locate the local Web Agent configuration file for the SiteMinder Web Agent that has been configured with your HTTP server. For example:
   C:\Program Files\IBM\HTTPServer\conf\WebAgent.conf
2. Use a text editor to open the file and set the EnableWebAgent parameter to YES.
3. Restart your HTTP and Lotus Domino servers. When you start or stop the Domino server, you are starting and stopping the Lotus Sametime server as well.
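After the restart, a practitioner will want to confirm that the realm table earlier in this chapter is actually enforced by the Web Agent. The following script is an added example and is not part of the IBM guide: it sends an unauthenticated GET to each resource filter and flags any realm whose response does not match its Default Resource Protection. The host name is a placeholder, and the assumption that a SiteMinder challenge arrives as HTTP 401 (Basic scheme) or 302 (forms login) is mine, not the guide's.

```python
"""Check that the SiteMinder realm table for Lotus Sametime is enforced.

Added example, not part of the IBM guide. Run it after EnableWebAgent=YES
is set and the Domino/HTTP servers have been restarted.
"""
import urllib.error
import urllib.request

# Realm table from the chapter: (realm name, resource filter, default protection).
SAMETIME_REALMS = [
    ("ST Test", "stlinks", "Unprotected"),
    ("ST AdminConfig", "servlet/auth/scs", "Unprotected"),
    ("ST AdminPage", "servlet/auth/admin", "Protected"),
    ("ST Src", "stsrc.nsf/join", "Protected"),
    ("ST Domino", "STDomino.nsf", "Unprotected"),
    ("ST Applets", "sametime/applets", "Unprotected"),
    ("ST Applet", "Sametime/Applet", "Unprotected"),
    ("IMI Sametime", "sametime/hostAddress.xml", "Unprotected"),
    ("ST MMAPI", "servlet/auth/mmapi", "Unprotected"),
    ("ST Admin CGI", "cgi-bin/StAdminAct.exe", "Unprotected"),
    ("ST UserInfoServlet", "servlet/UserInfoServlet", "Unprotected"),
]

# Assumption: an unauthenticated client is challenged with 401 under the
# Basic scheme listed in the table, or redirected (302) when a forms-based
# login page is configured instead.
CHALLENGE_CODES = {401, 302}


def classify(status):
    """Map an HTTP status code to the protection state it implies."""
    return "Protected" if status in CHALLENGE_CODES else "Unprotected"


def find_mismatches(observed, realms=SAMETIME_REALMS):
    """Compare observed status codes against the realm table.

    observed maps resource filter -> status code of an unauthenticated GET.
    Returns a list of (realm, resource, expected, got); empty means all good.
    """
    mismatches = []
    for realm, resource, expected in realms:
        status = observed.get(resource)
        if status is None:
            mismatches.append((realm, resource, expected, "no response"))
            continue
        got = classify(status)
        if got != expected:
            mismatches.append((realm, resource, expected, got))
    return mismatches


def probe(base_url, resource, timeout=10):
    """Unauthenticated GET; return the status code without following redirects."""

    class NoRedirect(urllib.request.HTTPRedirectHandler):
        def redirect_request(self, *args, **kwargs):
            return None  # surface 302 as an HTTPError instead of following it

    opener = urllib.request.build_opener(NoRedirect)
    try:
        with opener.open(base_url.rstrip("/") + "/" + resource, timeout=timeout) as resp:
            return resp.status
    except urllib.error.HTTPError as err:
        return err.code


if __name__ == "__main__":
    # Placeholder host name; replace with your own Sametime server.
    BASE = "http://sametime.example.com"
    observed = {resource: probe(BASE, resource) for _, resource, _ in SAMETIME_REALMS}
    for realm, resource, expected, got in find_mismatches(observed):
        print(f"{realm}: {resource} expected {expected}, got {got}")
```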


Chapter 29. Troubleshooting


Use the following information to troubleshoot problems with a Lotus Sametime server.

Other sources of information


Use the following links to find other hints and tips when troubleshooting a Lotus Sametime server:
- Lotus Sametime wiki:
  www.lotus.com/ldd/stwiki.nsf/
- Tech Notes for Lotus Sametime:
  www.ibm.com/support/search.wss?q=Sametime%20Standard&rs=477&tc=SSKTXQ&dc=DB520&dtm

Copyright IBM Corp. 2007, 2009


Chapter 30. Glossary


Terminology used in IBM Lotus Sametime:

Terms
community
The community refers to all users that have access to a Sametime server (or servers) and all Sametime servers that support those users. The Lotus Sametime community can be maintained in the Domino Directory on the Sametime Server or in an LDAP Directory on a third-party LDAP-compliant server. Specifically, the Lotus Sametime community can be described as follows:
- A shared directory, or set of directories, that lists the people and groups of the community
- One or more Sametime servers that each have access to the shared directory or set of directories.

connectivity (firewall and proxy support)
To engage in collaborative activities, the Sametime clients must connect to different services on the Sametime server, as described below:
- Web browsers connect to the HTTP Services on the Sametime server.
- The Sametime Connect client connects to the Community Services on the Sametime server.
- The Sametime-enabled Notes client connects to the Community Services on the Sametime server.
The HTTP Services and Community Services on the Sametime server listen for connections from clients on different TCP/IP ports. Sametime includes specially-designed connectivity features that enable Sametime clients to establish connections with these services through firewalls and proxy servers. Generally, the Sametime connectivity features enable Sametime clients to establish connections through HTTP and SOCKS proxy servers, or by using the HTTP connection method. If necessary, Sametime can be configured to listen for HTTP connections from all clients on port 80 to enable Sametime clients behind restrictive firewalls to connect to the Sametime server. The Sametime Connect client can also establish connections to the Community Services through an HTTPS proxy server.

Domino Directory
The Sametime server uses the Domino Directory of the Domino server on which Sametime is installed. The Domino Directory is a database that serves as a central repository for information about Sametime users (or members of the Sametime community). The Domino Directory contains a separate Person document for each Sametime user. The Person document contains the User Name and Internet password required for authentication with the Sametime server. The Person document also contains a "Sametime server" field that is used to specify a user's home Sametime server. The home "Sametime server" is the Sametime server a user connects to when logging in to the Community Services for presence and chat activity.
The Domino Directory also contains Group documents that hold lists of users that perform similar tasks. Group documents also define the Public Groups that end users can add to the Sametime Connect client presence list. Other information stored in the Domino Directory includes server configuration information in the Server document, database configuration settings, and Access Control Lists (ACLs). Person and Group documents, and ACLs within the Domino Directory, can be accessed from the Sametime Administration Tool. Sametime administrators have the option of using the Domino Directory for user management or configuring Sametime to connect to an LDAP directory on an LDAP server for user management. To maintain current information about users, groups, and servers in the Sametime community, the Community Services must receive periodic updates from the Domino Directory.

LDAP directory
The administrator can configure the Sametime server to connect to a Lightweight Directory Access Protocol (LDAP) server. This capability enables an administrator to integrate Sametime into an environment in which LDAP servers and LDAP directories are already deployed. When Sametime is configured to connect to an LDAP server, the Sametime server searches and authenticates user names against entries in the LDAP directory on the third-party LDAP server. The LDAP directory replaces the Domino Directory as the user repository in the community. The community is defined by the users in the LDAP directory. Sametime can access LDAP directories on multiple LDAP servers.

Logging
The Sametime server logging tools include the Sametime log and the Domino log. The Sametime log records events in the Sametime log database (stlog.nsf). The Sametime Administration Tool includes logging settings that enable you to control whether activities are logged to a database or to text files and to determine which activities are logged. If you log Sametime information to a database, you can view the Sametime log from the Sametime Administration Tool. The Sametime Administration Tool also allows an administrator to launch the Domino Web Administration Tool to view the Domino log. The Domino log includes information about available memory and disk space, server performance, and databases that need maintenance.

Monitoring
The Sametime server includes charts that allow you to monitor current Sametime server statistics. The monitoring charts, which are presented as tables, provide up-to-the-second information about Community Services activity, Web statistics, and free disk space on the server.

Name Conversion Utility
The names that appear in Lotus Sametime Connect client buddy lists and privacy lists are stored in a Domino database (vpuserinfo.nsf) on the Sametime server. If you change the user or group names that appear in the Domino or LDAP directory accessed by the Sametime server, you must run the Name Conversion Utility to make these same user and group name changes in the vpuserinfo.nsf database on the Sametime server. Running this utility ensures that the names that appear in buddy lists and privacy lists stay synchronized with the latest changes made to the directory.

reverse proxy
A Sametime server can be deployed behind a reverse proxy server or a portal server. When a Sametime server is deployed on an internal network behind a reverse proxy server, the reverse proxy server operates as an intermediary between the Sametime server and the Sametime clients. All Sametime data flowing between the Sametime server and its clients passes through the reverse proxy server. To accomplish its security objectives, a reverse proxy server manipulates the data that passes through it. The manipulation of Sametime data by the reverse proxy server imposes specific requirements and limitations on the use of reverse proxy servers with the Sametime server.

Sametime server clusters
The Sametime server supports Sametime server clustering. Sametime server clusters:
- Enhance server scalability and reliability to enable Sametime to meet the demands of large user populations.
- Provide load balancing and failover capabilities for Sametime Community Services instant messaging and presence functionality.

StdebugTool.exe utility
You can use the StdebugTool.exe utility to produce trace files and create new trace file sets for troubleshooting purposes. These trace files contain debug messages that aid IBM Technical Support in troubleshooting Sametime server problems. If you have never worked with Sametime trace files before, you should use the StdebugTool.exe utility only under the guidance of IBM Technical Support. The StdebugTool.exe utility is available only with Sametime servers that operate on the Windows platform.


Notices
This information was developed for products and services offered in the U.S.A.

IBM may not offer the products, services, or features discussed in this document in other countries. Consult your local IBM representative for information on the products and services currently available in your area. Any reference to an IBM product, program, or service is not intended to state or imply that only that IBM product, program, or service may be used. Any functionally equivalent product, program, or service that does not infringe any IBM intellectual property right may be used instead. However, it is the user's responsibility to evaluate and verify the operation of any non-IBM product, program, or service.

IBM may have patents or pending patent applications covering subject matter described in this document. The furnishing of this document does not grant you any license to these patents. You can send license inquiries, in writing, to:

IBM Director of Licensing
IBM Corporation
North Castle Drive
Armonk, NY 10504-1785
U.S.A.

For license inquiries regarding double-byte (DBCS) information, contact the IBM Intellectual Property Department in your country or send inquiries, in writing, to:

Intellectual Property Licensing
Legal and Intellectual Property Law
IBM Japan Ltd.
1623-14, Shimotsuruma, Yamato-shi
Kanagawa 242-8502 Japan

The following paragraph does not apply to the United Kingdom or any other country where such provisions are inconsistent with local law: INTERNATIONAL BUSINESS MACHINES CORPORATION PROVIDES THIS PUBLICATION "AS IS" WITHOUT WARRANTY OF ANY KIND, EITHER EXPRESS OR IMPLIED, INCLUDING, BUT NOT LIMITED TO, THE IMPLIED WARRANTIES OF NON-INFRINGEMENT, MERCHANTABILITY OR FITNESS FOR A PARTICULAR PURPOSE. Some states do not allow disclaimer of express or implied warranties in certain transactions, therefore, this statement may not apply to you.

This information could include technical inaccuracies or typographical errors. Changes are periodically made to the information herein; these changes will be incorporated in new editions of the publication. IBM may make improvements and/or changes in the product(s) and/or the program(s) described in this publication at any time without notice.

Any references in this information to non-IBM Web sites are provided for convenience only and do not in any manner serve as an endorsement of those Web sites. The materials at those Web sites are not part of the materials for this IBM product and use of those Web sites is at your own risk.

IBM may use or distribute any of the information you supply in any way it believes appropriate without incurring any obligation to you.

Licensees of this program who wish to have information about it for the purpose of enabling: (i) the exchange of information between independently created programs and other programs (including this one) and (ii) the mutual use of the information which has been exchanged, should contact:

IBM Corporation
Software Interoperability Coordinator, Department 49XA
3605 Highway 52 N
Rochester, MN 55901
U.S.A.

Such information may be available, subject to appropriate terms and conditions, including in some cases, payment of a fee.

The licensed program described in this information and all licensed material available for it are provided by IBM under terms of the IBM Customer Agreement, IBM International Program License Agreement, or any equivalent agreement between us.

Any performance data contained herein was determined in a controlled environment. Therefore, the results obtained in other operating environments may vary significantly. Some measurements may have been made on development-level systems and there is no guarantee that these measurements will be the same on generally available systems. Furthermore, some measurements may have been estimated through extrapolation. Actual results may vary. Users of this document should verify the applicable data for their specific environment.

Information concerning non-IBM products was obtained from the suppliers of those products, their published announcements or other publicly available sources. IBM has not tested those products and cannot confirm the accuracy of performance, compatibility or any other claims related to non-IBM products. Questions on the capabilities of non-IBM products should be addressed to the suppliers of those products.

All statements regarding IBM's future direction or intent are subject to change or withdrawal without notice, and represent goals and objectives only.

All IBM prices shown are IBM's suggested retail prices, are current and are subject to change without notice. Dealer prices may vary.

This information is for planning purposes only. The information herein is subject to change before the products described become available.

This information contains examples of data and reports used in daily business operations. To illustrate them as completely as possible, the examples include the names of individuals, companies, brands, and products. All of these names are fictitious and any similarity to the names and addresses used by an actual business enterprise is entirely coincidental.

COPYRIGHT LICENSE:

This information contains sample application programs in source language, which illustrate programming techniques on various operating platforms. You may copy, modify, and distribute these sample programs in any form without payment to IBM, for the purposes of developing, using, marketing or distributing application programs conforming to the application programming interface for the operating platform for which the sample programs are written. These examples have not been thoroughly tested under all conditions. IBM, therefore, cannot guarantee or imply reliability, serviceability, or function of these programs. The sample programs are provided "AS IS", without warranty of any kind. IBM shall not be liable for any damages arising out of your use of the sample programs.

Each copy or any portion of these sample programs or any derivative work, must include a copyright notice as follows: (your company name) (year). Portions of this code are derived from IBM Corp. Sample Programs. Copyright IBM Corp. _enter the year or years_. All rights reserved.

If you are viewing this information softcopy, the photographs and color illustrations may not appear.

Trademarks
These terms are trademarks of International Business Machines Corporation in the United States, other countries, or both:
IBM
AIX
DB2
DB2 Universal Database
Domino
Domino Designer
Domino Directory
i5/OS
Lotus
Lotus Notes
Notes
OS/400
Sametime
WebSphere

AOL is a registered trademark of AOL LLC in the United States, other countries, or both.

AOL Instant Messenger is a trademark of AOL LLC in the United States, other countries, or both.

Google Talk is a trademark of Google, Inc, in the United States, other countries, or both.

Yahoo! is a registered trademark of Yahoo, Inc. in the United States, other countries, or both.

Yahoo! Messenger is a trademark of Yahoo, Inc. in the United States, other countries, or both.

Java and all Java-based trademarks are trademarks of Sun Microsystems, Inc. in the United States, other countries, or both.

Microsoft and Windows are registered trademarks of Microsoft Corporation in the United States, other countries, or both.

Intel and Pentium are trademarks or registered trademarks of Intel Corporation or its subsidiaries in the United States, other countries, or both.

Linux is a trademark of Linus Torvalds in the United States, other countries, or both.

Other company, product, or service names may be trademarks or service marks of others.


Index

A
access control list 117, 118
address books 117, 118
administrator ID 24
AIX 20, 41, 53, 54, 55, 56, 117, 118

C
certifier ID 24
configuring
  Domino servers 43, 44
  Lotus Sametime 78
Configuring 17

I
installing 46
  Linux 95, 97, 101
  Lotus Domino 3, 7, 17, 19, 37, 38, 57, 95, 107, 108, 109, 111, 114
  Lotus Sametime 3, 7, 9, 10, 11, 12, 13, 14, 15, 17, 19, 25, 28, 29, 30, 31, 32, 37, 38, 44, 46, 47, 48, 49, 50, 57, 79, 95, 97, 98, 101, 102, 107, 108, 109, 111, 114, 118
  Mac client 102
  Mac OS 95, 97
  microsoft office 81, 82, 86
  Sametime server on AIX 35, 36
  Sametime server on Linux 35, 36
  Sametime server on Sun Solaris 35, 36
  Sametime server on Windows 35, 36
  Windows 95, 97, 98
IP address 20, 41

L
Linux 53, 54, 55, 56, 117, 118
Lotus Domino 29

M
MIME support 289

P
password protected 18
prerequisites
  Lotus Sametime 24

S
server ID file 18
shutting down
  Sametime server 138
silent server 44
Solaris 20, 41, 53, 54, 55, 56, 117, 118

T
troubleshooting
  Sametime server shutdown 138

U
uninstalling
  Lotus Domino 117, 118
  Lotus Sametime 117, 118
  outlook 81, 82, 86
UNIX 20, 41
URL mapping 289

V
vpuserinfo.nsf 53, 54, 55, 56

W
Windows 24, 53, 54, 55, 56, 117, 118


Printed in USA

SC23-8758-02
