Browsing articles tagged with " 8.5"
Oct 26, 2011
Klaus Bild

Customizing the Sametime Meeting Center UI

I really like the new Sametime Meeting Room Center UI, nice blue/green/grey screen.
Nevertheless our CI colors are more like purple, so I had to try to change the UI accordingly. Sametime Meeting Center is a pure WebSphere application, so customizing means finding the app resource files and you are almost done.

So the magic path is:
$WAS_INSTALL_PROFILES_MEETING\installedApps\$CELL\Sametime Meeting Server.ear\stmeetings.webclient.war\static-20110517-1459\oneui\common\styles

Changing the UI from [screenshot: Screen Shot 2011-10-26 at 09.31.27.png] to [screenshot: Screen Shot 2011-10-26 at 09.34.34.png] was pretty easy.
For this example I just changed 7 images (btnActionBkgd.png, LotusSametime.png, STiconHomepageLarge.gif, titlebarLeft.png, titlebarMid.png, titlebarRight.png, welcomeBkgd.png) and made some CSS changes in defaultTheme.css.

Oct 14, 2011
Klaus Bild

Using SSL in Sametime 8.5.x for LDAP connections Part 2

Took me a little bit longer than expected, but here is now part 2: how to enable SSL for LDAP connections on the community server.

In part 1 I described how you can enable SSL for LDAP connections on the WAS servers.

You can find some information on this topic in the Sametime Wiki but I found it rather confusing and misleading.

First of all I had to set up iKeyman and the GSKit on the community server to support Cryptographic Message Syntax (CMS) and create the Keystore DBs. We need 3 different Keystore databases:

- CMS Keystore key.kdb -> used by different Sametime server components to connect securely to LDAP server

- Java Keystore stkeys.jks -> used by the userinfo servlet (Business Card) to connect securely to LDAP server

- Keyring File sametime85.kyr -> used by the Domino server (directory assistance) to connect securely to LDAP server

Install GSKit

- Go to the folder where you extracted the Sametime Standard Server Installation files. In there you find a folder “GSKit” – “Win32”. Run gsk8crypt32.exe as Admin

- Use standard values for installation wizard

- Run gsk8ssl32.exe as Admin and use standard values for installation wizard

- Add your Domino java folder as JAVA_HOME system variable

Update iKeyman to support CMS

- Copy gskikm.jar and ibmcmsprovider.jar from your Sametime System Console (SSC) server to the community server and replace the older ones. You can find these files in the C:\WAS_INSTALL_DIR\WebSphere\UpdateInstaller\java\jre\lib\ext\ folder. Copy them to the C:\DOMINO_INSTALL_DIR\ibm-jre\jre\lib\ext\ folder.

- Edit the file java.security in folder C:\DOMINO_INSTALL_DIR\ibm-jre\jre\lib\security\

- After security.provider.5=com.ibm.security.sasl.IBMSASL add the following line:
security.provider.6=com.ibm.security.cmskeystore.CMSProvider

Create CMS and Java Keystore files

- Start iKeyman (double click ikeyman.exe) which you can find in C:\DOMINO_INSTALL_DIR\ibm-jre\jre\bin\ folder

- Check the “Help” – “About iKeyman”, you should see

If you see an older Version#, check if you copied gskikm.jar and ibmcmsprovider.jar from your Sametime System Console (SSC)

- Now create a new CMS database by clicking on “Key Database file” – “New”. Choose CMS as type, name it key.kdb (has to be exactly this name!) and place it in C:\DOMINO_INSTALL_DIR\ (D:\IBM\Lotus\Domino in my example)

- Define a password and activate “Stash password to a file”

- Go to the “Signer Certificates” and click on “Add”

- Click “Browse” and open the Root.cer file (which you have created before on the SSC Server in Part 1)

- Enter a Label for the Certificate (i.e. GeoTrust Root Certificate)

- Do the same for the Intermediate Certificate

- You should now see 2 Signer Certificates in your keyDB

- Now create a new JKS database by clicking on “Key Database file” – “New”. Choose JKS as type, name it stkeys.jks and place it in C:\DOMINO_INSTALL_DIR\ (D:\IBM\Lotus\Domino in my example)

- Repeat all steps to import the root certificate and the intermediate certificate

Create the Domino Keyring file

- open the Server Certificate Admin DB (certsrv.nsf) on your Community Server with your Notes Client

- click on “1. Create Key Ring” to create a new keyring file

- fill in a name and a password and define your key size

- fill in your server name as Common Name, add your Organization/State/Country and click “Create Key Ring”

- you will see a confirmation window

- now import your Root Certificate, click on “3. Install Trusted Root Certificate…” and fill in a Label/Source/File Name and choose the appropriate file format

- click on “Merge Trusted Root Certificate…” and fill in the password for the key ring file

- you will see a success window, click on “OK”

- import your intermediate certificate with same steps

- copy your keyring file and stash file to the data directory of your Community Server

- open the server document of your community server and go to “Ports” – “Internet Ports” and fill in your keyring file name

- save the document and close it

Encrypt the UserInfoServlet

- open UserInfoConfig.xml (in D:\IBM\Lotus\Domino)

- change SslEnabled to true and ensure SslPort is 636

- in the SslProperties tag add the path to your stkeys.jks file and insert your password for the keystore

Configuring Directory Assistance for SSL & Connect Sametime Community Server through SSL

- open the Directory Assistance DB (da.nsf) on your community server with your notes client and change the LDAP settings

- Click “Save and Close” and close the DB

- Now open the Sametime Community Server webpage and login as Sametime Admin and click on “Administer the Server”

- go to “LDAP Directory” > “Connectivity” and enable the use of SSL for LDAP and ensure that the used SSL port is 636

- Click on “Update”

(Optional) If you want to improve performance, you may choose to loosen security and encrypt only user credentials as follows:

- Open the sametime.ini file (in D:\IBM\Lotus\Domino)

- Locate the [Directory] section within the file and add the following setting:

ST_DB_LDAP_SSL_ONLY_FOR_PASSWORDS=1

- Save and close the file

- Restart your Community Server

That’s it, now your Security Officer is your friend again!
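
Two of the hand edits above are easy to get wrong: the provider line in java.security and the optional switch in sametime.ini. The check below is an added example, not part of the original post; the sample file contents and the example.* provider names are constructed, and it assumes the IBM JRE follows the standard JRE rule of reading provider slots in order and stopping at the first missing number.

```python
import re

CMS = "com.ibm.security.cmskeystore.CMSProvider"
WEAK = "ST_DB_LDAP_SSL_ONLY_FOR_PASSWORDS"

# Constructed samples: slot 6 was already taken when the CMS line was added.
JAVA_SECURITY_SAMPLE = "\n".join(
    [f"security.provider.{i}=example.Provider{i}" for i in range(1, 5)]
    + ["security.provider.5=com.ibm.security.sasl.IBMSASL",
       "security.provider.6=" + CMS,
       "security.provider.6=example.Provider6",
       "security.provider.8=example.Provider8"])
SAMETIME_INI_SAMPLE = "[Config]\nSAMPLE_KEY=1\n[Directory]\n" + WEAK + "=1\n"

def audit_java_security(text):
    """Return findings about the security.provider.N list in java.security."""
    findings, providers = [], {}
    for line in text.splitlines():
        m = re.match(r"\s*security\.provider\.(\d+)\s*=\s*(\S+)", line)
        if not m:
            continue  # comments and unrelated properties
        n, cls = int(m.group(1)), m.group(2)
        if n in providers:
            findings.append(f"duplicate slot {n}: {providers[n]} replaced by {cls}")
        providers[n] = cls  # a properties file keeps the last value of a key
    # Assumption: slots are read as 1, 2, 3 ... until one is missing.
    loaded, n = [], 1
    while n in providers:
        loaded.append(providers[n])
        n += 1
    skipped = sorted(k for k in providers if k > n)
    if skipped:
        findings.append(f"gap at slot {n}: slots {skipped} are never loaded")
    if CMS not in loaded:
        findings.append("CMS provider is not loaded")
    return findings

def audit_sametime_ini(text):
    """Flag the credentials-only LDAP SSL switch in the [Directory] section."""
    section = None
    for line in (raw.strip() for raw in text.splitlines()):
        if line.startswith("[") and line.endswith("]"):
            section = line[1:-1]
        elif section == "Directory" and "=" in line:
            key, value = (part.strip() for part in line.split("=", 1))
            if key == WEAK and value == "1":
                return [WEAK + "=1: SSL covers user credentials only"]
    return []
```

An empty list from both functions means the provider line is in a slot that gets loaded and the credentials-only switch is off.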

Aug 29, 2011
Klaus Bild

Using SSL in Sametime 8.5.x for LDAP connection Part 1

Securing a connection to an LDAP server sounds pretty easy, but doing this for a Sametime 8.5 deployment, especially the community server, is far from easy.

Documentation (Infocenter, Sametime Wiki) is not very clear on this topic and has some conflicting information.

These are the steps which worked for me.

Configure WAS Servers for secure access to LDAP server

This is pretty easy and is well documented in the Sametime Wiki: you just have to import the public root CA of the LDAP server certificate. In my case I only had the .pfx file of the LDAP server and first had to export the CA’s root and intermediate certificates.

- Import the .pfx certificate into your Certificates store on your Windows server (double click certificate…)
- Click “Start” and open up mmc.exe
- Click “File” – “Add/Remove Snap-in” and add the Certificates Snap-in
- Double click your certificate under “Personal” – “Certificates” and click on “Certification Path”
- Click on the root certificate (GeoTrust Global CA) and “View Certificate”. Now open the “Details” tab and click on “Copy to file”
- Export the certificate as “DER encoded binary”
- Choose a file name and a location where to save the file on the server
- Now change to the WAS Admin console to import the certificates into the trust store. Navigate to “Security” – “SSL certificate and key management” – “Key stores and certificates” and click on “CellDefaultTrustStore”
- Click on “Signer certificates” and “Add”
- Fill in an alias for the global certificates, point to the file (on the server) and choose “Binary DER data” as data type
- Do exactly the same to import the intermediate certificate. Now you see both certificates inside your trust store.
- Now we change the LDAP settings. Go to “Security” – “Global security” and click on “Configure”
- Change the port number to 636 and enable “Require SSL communications”. Click “ok” and “Save” afterwards
- Last step is to resynchronize all nodes and restart all servers

I will describe what I had to change on the community server in part 2, stay tuned.

Jun 21, 2011
Klaus Bild

Installation / Upgrade IBM Sametime 8.5.2

Having now upgraded several IBM Sametime servers to 8.5.2, I would like to share my first findings.

In general I was very surprised that the upgrade process from 8.5.1 to 8.5.2 was no problem on any of the systems. No error messages, no wrecked installations, nothing, just click, click, click.
I proceeded as described under Upgrading Sametime in the wiki. But not everything went quite that perfectly after all; here are a few points I noticed:

Upgrading DB2 from 9.5 to 9.7
The upgrade cannot be performed with the IBM Installation Manager, because the specified download package CZ1HKML contains only the “normal” DB2 installer and is not a repository for the Installation Manager. Before I carried out the upgrade anyway, the DBs were checked to see whether they can be upgraded to DB2 9.7:
http://publib.boulder.ibm.com/infocenter/db2luw/v9r7/index.jsp?topic=/com.ibm.db2.luw.admin.cmd.doc/doc/r0002028.html
It is very unpleasant that after the upgrade the IBM Installation Manager knows nothing about the new version 9.7 and still assumes that version 9.5 is installed. I hope IBM provides the correct download package soon. Finally, the two databases had to be upgraded so that they work with version 9.7 (as also described in the Sametime Wiki). This problem can also be avoided by continuing to work with DB2 9.5. I only noticed later that version 9.5 is still supported as well.

Integrating the TURN server
After the Media Server had been upgraded successfully, the TURN server could not be integrated via the SSC as described. The default fields for the TURN server in the Media Server settings in the SSC were empty. This problem has also already been discussed in the Sametime forum.


These problems, together with the possibility of using the SSC’s Deployment Manager for all components, led me to the decision to uninstall parts of Sametime 8.5.1, adjust the deployment plans and then install version 8.5.2 fresh. So that you do not have to reconfigure everything, I recommend the following procedure:

- Leave DB2 at version 9.5

- System Console -> Upgrade

- Community Server -> Upgrade

- Media Server/Meeting/Proxy -> Uninstall -> adjust the deployment plan, First Node, SSC DM -> Install

This way I do not have to create the DB connection, LDAP or other settings again. The big advantage is also that I have to configure SSO between SSC and Community Server only once, and it then automatically applies to all other WAS components as well. This is very important, because with version 8.5.2 and audio/video in the browser, SSO across almost all servers is mandatory.

UPDATE: After observing some strange phenomena after all (SIP Proxy administration does not work, instant meetings directly via the web interface do not work), I would recommend carrying over only the database and also reinstalling the SSC and Community Server.

May 5, 2011
Klaus Bild

Change Sametime Client 8.5.x settings after deployment through managed-settings.xml

There are many possibilities to change your Sametime client settings before and after a client rollout, e.g. by changing/adding some lines in plugin_customization.ini (directly or indirectly through Notes policies).

Unfortunately changing plugin_customization.ini through Notes policies is not really bulletproof and often doesn’t work at all. So I searched for some alternatives and found the following in the Sametime Infocenter:
Automatically updating client preferences with the managed-settings.xml file

The Infocenter does not go into too much detail, so I will give you an example of how you can use it within your environment. In this example I will change two settings on the clients:

- Contact List Synchronization -> Force this setting, even if user has changed it and lock it
- Chat Window – Partner Status Updates View -> Change setting but do not lock it

First you have to point your Sametime Clients to an Update Site:

1. Open your Sametime System Console (SSC) and go to “Manage Policies”
2. Edit the “Instant Messaging” policy of the user group (or default policy)
3. Scroll down to “Sametime update site URL” and fill in your Sametime Community Server URL and add “/update” as folder name
4. Click “OK” to save your changes
5. It can take up to an hour to refresh the settings on your Sametime Community Server and on your clients. To speed up things restart your Community Domino Server.

During your server restart you can create the needed managed-settings.xml file in your Domino http/update folder:
1. Access your Community Server and create a subfolder “update” inside your Domino http folder (data directory/domino/html)
2. Create a file called “managed-settings.xml”.

3. Open up the file with an editor and add the following lines:

<ManagedSettings>
  <settingGroup name="com.ibm.collaboration.realtime.imhub">
    <setting name="showBuddyListConflictDialog" value="false" isLocked="true"/>
    <setting name="buddyListConflictPref" value="replaceLocal" overwriteUnlocked="true" isLocked="true"/>
  </settingGroup>
  <settingGroup name="com.ibm.collaboration.realtime.chatwindow">
    <setting name="showstatusupdates" value="true" isLocked="false"/>
  </settingGroup>
</ManagedSettings>

4. Before you save the file check your actual settings in your Sametime Client
-> partner status updates are not displayed
-> Client will ask you what to do if contact list falls out of sync

5. Now save the managed-settings.xml file and try to access the file in your browser at http://yourcommunityserver.ch/update/managed-settings.xml. You should see your added lines if you look at the HTML page source.

6. Restart your Sametime Client twice (on the first restart it picks up the update site configuration via policy, on the second it picks up the settings inside the managed-settings.xml file)
7. Open up your Sametime client settings:
-> Setting is changed to “Replace the local copy…” and locked
-> Display of partner status updates is enabled but NOT locked

Et voilà, you’re now able to change almost every Sametime client setting centrally.

You can find a complete list of Client settings (8.5.1) here or in the Sametime Wiki here.
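
Copying the XML from step 3 out of a web page or word processor often brings typographic quotes with it, which makes the file invalid XML. The check below is an added example, not part of the original post: it validates a managed-settings.xml before it is published and lists which settings are locked. It assumes that isLocked accepts only "true" or "false" (the two values used in step 3) and that a missing isLocked means unlocked.

```python
import xml.etree.ElementTree as ET

# The file from step 3 with plain ASCII quotes.
SAMPLE = """<ManagedSettings>
<settingGroup name="com.ibm.collaboration.realtime.imhub">
<setting name="showBuddyListConflictDialog" value="false" isLocked="true"/>
<setting name="buddyListConflictPref" value="replaceLocal" overwriteUnlocked="true" isLocked="true"/>
</settingGroup>
<settingGroup name="com.ibm.collaboration.realtime.chatwindow">
<setting name="showstatusupdates" value="true" isLocked="false"/>
</settingGroup>
</ManagedSettings>"""
# Constructed bad input: the same file with typographic quotes.
PASTED = SAMPLE.replace('"', "\u201d")
TYPOGRAPHIC = "\u201c\u201d\u2033"

def check_managed_settings(xml_text):
    """Return (errors, rows); each row is (group, setting, value, locked)."""
    bad = sorted({c for c in xml_text if c in TYPOGRAPHIC})
    if bad:
        return ([f"typographic quote U+{ord(c):04X} in file" for c in bad], [])
    try:
        root = ET.fromstring(xml_text)
    except ET.ParseError as exc:
        return ([f"not well-formed XML: {exc}"], [])
    errors, rows = [], []
    if root.tag != "ManagedSettings":
        errors.append(f"unexpected root element <{root.tag}>")
    for group in root.iter("settingGroup"):
        gname = group.get("name")
        if not gname:
            errors.append("settingGroup without name attribute")
        for setting in group.findall("setting"):
            name, value = setting.get("name"), setting.get("value")
            if name is None or value is None:
                errors.append(f"setting in {gname} lacks name or value")
                continue
            # Assumption: an absent isLocked attribute means "not locked".
            locked = setting.get("isLocked", "false")
            if locked not in ("true", "false"):
                errors.append(f"{gname}/{name}: isLocked={locked!r}")
            rows.append((gname, name, value, locked == "true"))
    return errors, rows
```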
