How to reanimate your Sametime environment (after failed upgrade)

I already upgraded many customer environments from IBM Sametime 8.5.2 to 8.5.2 IFR1 without any hitches but this time I tried it on our own internal production environment and failed miserably.

Don’t ask me why but the upgrade of the SSC  failed and my system was left in an “unstable state”
-> #StuffIBMTechnotesSay
Definition of unstable = I can’t install the upgrade, SSC is not working, I can’t reinstall 8.5.2

Fortunately I found a Technote which rescued me out of this unstable state and helped me to go one step forward
Upgrading Sametime System Console to 8.5.2 IFR 1 fails during installation

But still the upgrade failed and by searching for errors inside the logs (yes, there are many, many logs and it will take a while to find useful infos) I found a possible credential problem. I remembered an upgrade preparation step
Updating Installation Manager if the administrator name or password has changed
which I ignored because I never changed the admin account or password.
I checked the encoded wasadmin password in the installregistry.xml file and surprise, surprise, it was not the current admin password.
After changing the password the upgrade worked as expected.

Remember
1. Always check the wasadmin password, even when you didn’t change anything
2. Download the iscmod_uninstall.py from the technote, it will be a good friend if anything goes wrong

Happy upgrading!

How to enable Online Awareness in your Lotus Notes Client after Sametime upgrade

Many customers are upgrading their pre 8.5 Sametime environments to 8.5.x Versions and therefore have to change the directory lookups to LDAP.
(If you already used LDAP lookups just ignore this post.)

Unfortunately online awareness for hierarchical names will not work anymore in the Lotus Notes Client (still works for email addresses):

This is because the hierarchical name is not a “standard” lookup field. If you use Domino as LDAP server the displayname field will be your hierarchical name and you have to add it to the LDAP lookup.

To do this open up your Notes Client with the Sametime Admin ID and connect to the Sametime configuration DB (stconfig.nsf).
Now open up the LDAP config doc and add (displayname=%s*) to the user search filters:

Save the file, restart you community server and recheck online awareness in your Notes Client. Now you should see online awareness for hierarchical names working again.

Comments/remarks very welcome.

Native iPhone App für IBM Sametime 8.5.2 erschienen – IFR1 released

Seit dem 22.11. steht der Intermediate Feature Release (IFR) 1 für Sametime 8.5.2 zum Download bereit.
Hauptziel dieses Releases war es, neben Produkt Bugfixing weitere Funktion für Sametime zu implementieren, ohne das man auf einen neuen Punktrelease warten muss. Die wohl meist erwartete Neuerung stellt die native iPhone/iPad Applikation dar, welche alles bietet, was man sich von einer iOS5 App vorstellt (Notifications, Picture uploads…). Der Client soll es auch ermöglichen SUT (Sametime Unified Telephony) Anrufe direkt vom iOS Gerät aus zu initiieren. Link zum Appstore.

Genauere Details werde ich hier vorstellen, sobald ich die App in der Tiefe testen konnte.
Eine weitere sehnlichst erwartete Neuerung ist die Erweiterung der unterstützen Plattformen:

- Browser : Neu wird auch der der IE 9 (neben 6-8) unterstützt sowie Firefox 6&7 (neben 3.6)

- Server: Domino 8.5.3 wird nun offiziell als Applikationsserver unterstützt

- OS: Neu wird auch Apple OS 10.7 unterstützt

Eine sehr wichtige Neuerung gibt es auch bei Sametime Unified Telephony. Neu ist es möglich die Server virtualisiert zu betreiben, ohne das eine spezifische HW vorausgesetzt wird. Dies ermöglicht eine erhebliche Konsolidierung der Infrastruktur und eine sehr grosse Kosteneinsparung, wenn man weltweit mit mehreren verteilten SUT Servern arbeitet.

Insgesamt bin ich positiv überrascht was der IFR1 alles Neues bereitstellt und bin gespannt auf meine ersten Update Erfahrungen.

Customizing the Sametime Meeting Center UI

I really like the new Sametime Meeting Room Center UI, nice blue/green/grey screen.
Nevertheless our CI colors are more like purple and so I had to try to change the UI accordingly. Sametime Meeting Center is a pure Websphere application so customizing means find the app resource files and you are almost done.

So the magic path is :
$WAS_INSTALL_PROFILES_MEETING\installedApps\$CELL\Sametime Meeting Server.ear\stmeetings.webclient.war\static-20110517-1459\oneui\common\styles

To change UI from

to

was pretty easy.
For this example I just changed 7 images (btnActionBkgd.png, LotusSametime.png, STiconHomepageLarge.gif, titlebarLeft.png, titlebarMid.png, titlebarRight.png, welcomeBkgd.png) and did some CSS changes in defaultTheme.css

Using SSL in Sametime 8.5.x for LDAP connections Part 2

Took me a little bit longer as expected but here is now part 2, how to enable SSL for LDAP connections on the community server.

In part 1 described how you can enable SSL for LDAP connections on the WAS servers.

You can find some information on this topic in the Sametime Wiki but I found it rather confusing and misleading.

First of all I had to set up iKeyman and the GSKit on the community server to support Cryptographic Message Syntax (CMS) and create the Keystore DBs. We need 3 different Keystore databases:

- CMS Keystore key.kdb -> used by different Sametime server components to connect securely to LDAP server

- Java Keystore stkeys.jks -> used by the userinfo servlet (Business Card) to connect securely to LDAP server

- Keyring File sametime85.kyr -> used by the Domino server (directory assistance) to connect securely to LDAP server

Install GSKit

- Go to the folder where you extracted the Sametime Standard Server Installation files. In there you find a folder “GSKit” – “Win32″. Run gsk8crypt32.exe as Admin

- Use standard values for installation wizard

- Run gsk8ssl32.exe as Admin and use standard values for installation wizard

- Add you Domino java folder as JAVA_HOME system variable

Update iKeyman to support CMS

- copy gskikm.jar and ibmcmsprovider.jar from you Sametime System Console (SSC) server to the community server and replace the older ones. You can find these files in the C:\WAS_INSTALL_DIR\WebSphere\UpdateInstaller\java\jre\lib\ext\ folder. Copy them to C:\DOMINO_INSTALL_DIR\ibm-jre\jre\lib\ext\ folder.

- Edit the file java.security in folder C:\DOMINO_INSTALL_DIR\ibm-jre\jre\lib\security\

- after security.provider.5=com.ibm.security.sasl.IBMSASL add following line:
security.provider.6=com.ibm.security.cmskeystore.CMSProvider 

Create CMS and Java Keystore files

- Start iKeyman (double click ikeyman.exe) which you can find in C:\DOMINO_INSTALL_DIR\ibm-jre\jre\bin\ folder

- Check the “Help” – “About iKeyman”, you should see

If you see an older Version# check if you copied  gskikm.jar and ibmcmsprovider.jar from you Sametime System Console (SSC)

- Now create a new CMS database by clicking on “Key Database file” – “New”. Choose CMS as type, name it key.kdb (has to be exactly this name!) and place it in C:\DOMINO_INSTALL_DIR\ (D:\IBM\Lotus\Domino in my example)

- Define a password and activate “Stash password to a file”

- Go to the “Signer Certificates” and click on “Add”

- Click “Browse” and open the Root.cer file (which you have create before on the SSC Server in Part 1)

- Enter a Label for the Certificate (i.e. GeoTrust Root Certificate)

- Do the same for the Intermediate Certificate

- You should now see 2 Signer Certificates in your keyDB

- Now create a new JKS database by clicking on “Key Database file” – “New”. Choose JKS as type, name it stkeys.jks and place it in C:\DOMINO_INSTALL_DIR\ (D:\IBM\Lotus\Domino in my example)

- Repeat all steps to import the root certificate and the intermediate certificate

Create the Domino Keyring file

- open the Server Certificate Admin DB (certsrv.nsf) on your Community Server with your Notes Client

- click on “1. Create Key Ring” to create a new keyring file

- fill in a name and a password and define your key size

- fill in your server name as Common Name, add your Organization/State/Country and click “Create Key Ring”

- you will see a confirmation window

- now import your Root Certificate, click on “3. Install Trusted Root Certificate…” and fill in a Label/Source/File Name and choose the appropriate file format

- click on “Merge Trsuted Root Certificate…” and fill in the password for the key ring file

- you will see a success window, click on “OK”

- import your intermediate certificate with same steps

- copy your keyring file and stash file to the data directory of your Community Server

- open the server document of your community server and go to “Ports” – “Internet Ports” and fill in your keyring file name

- save the document and close it

Encrypt the UserInfoServlet

- open UserInfoConfig.xml (in D:\IBM\Lotus\Domino)

- change SslEnabled to true and ensure SslPort is 636

- in the SslProperties tag add the path to your stkeys.jks file and insert your password for the keystore

Configuring Directory Assistance for SSL& Connect Sametime Community Server through SSL

- open the Directory Assistance DB (da.nsf) on your community server with your notes client and change the LDAP settings

- Click “Save and Close” and close the DB

- Now open the Sametime Community Server webpage and login as Sametime Admin and click on “Administer the Server”

- go to “LDAP Directory” > “Connectivity” and enable the use of SSL for LDAP and ensure that the used SSL port is 636

- Click on “Update”

(Optional) If you want to improve performance, you may choose to loosen security and encrypt only user credentials as follows:

- Open the sametime.ini file (in D:\IBM\Lotus\Domino)

- Locate the [Directory] section within the file and add the following setting:

ST_DB_LDAP_SSL_ONLY_FOR_PASSWORDS=1

- Save and close the file

- Restart your Community Server

That’s it, now you Security Officer is your friend again!