HCL Sametime -Access User Directory over LDAPs

Configuring HCL Sametime Community Server to access the user directory over LDAPs is straightforward and usually fairly simple. In order to configure the access to Microsoft Active Directory for example, over LDAPs, you have to do the following:

  1. Configure LDAPs for the Domino Directory Assistance document used by HCL Sametime.

I described the steps needed in the previous post how to do this.

2. Restart the Sametime Community Server and make sure you can still login into Sametime.

If this is not the case, then you have a problem with the configuration done in step 1. Only if you can log in successfully at this point, proceed to the next step.

3. Install GSKit provided with the Sametime Community Server setup.

Within the HCL Sametime Community Server setup, two executables for GSKit are provided, “gsk8crypt64.exe” and “gsk8ssl64.exe” (on Windows platforms), install both.

4. Add the directory of the installed GSKit to the “PATH” environment variable.

If your HCL Sametime Community Server is running on Windows, then the “Path” definition should look similar to the screenshot above.

If you are running Sametime Community on Linux and you are using the Domino Start-Script by Daniel Nashed to start the HCL Domino Server, you will need to modify the script to include the GSKit in the “Path” environment variable.

5. Create a trust store for verifying the target server authenticity.

You can either create the trust store in either “.p12” or “.jks” format. I usually go with “.p12”, for this you can use OpenSSL or even the “Certificates” Snap-In of the MMC console on a Windows client. Just make sure it contains the personal and the CA certificate of the LDAP target server. One of the both certificates, personal or CA certificate, should suffice, but I usually add both, just to be on the safe side. After you have created the Trust store, copy it to the Domino server.

6. Choose and define the TLS Scope.

As described in the official documentation, choose for which TLS Scope you want to configure. I just wanted to configure LDAPs and I have created a trust store for this solely purpose, so I only configured the individual TLS scope for LDAP. Therefore, I just added the following “Sametime.ini” settings:

STLDAP_TLS_TRUST_STORE_TYPE=p12
STLDAP_TLS_TRUST_STORE_FILE=C:\HCL\Domino\<trust_store_filename>.p12
STLDAP_TLS_TRUST_STORE_PASSWORD=<trust_store_password>

7. Enable LDAPs in the Sametime Community Server configuration

Access the “stconfig.nsf” database on the Sametime Community Server using HCL Notes Administrator Client and open the LDAP Connection document. In the LDAP Settings set “SSLEnabled” parameter to “true”. If you are using other SSL Port than the default 636, you will also have to change “SSL Port” setting to reflect that.

Excerpt from the LDAP configuration in the “stconfig.nsf” Domino database.

If you want to use LDAPs for accessing the Sametime Business Card Information, then you will need to modify the “UserInfoConfig.xml” file and enable LDAPs. In order to do that, open “UserInfoConfig.xml” and locate “SslEnabled” parameter and set it to “true”. Also, make sure that the port number defined in the “SslPort” parameter is correct, per default that is 636.

That’s it, just restart the server and verify the configuration by logging into Sametime and accessing the Sametime Business Card Information.

Troubleshooting

If you have any issues logging in and you start getting the following error:

HCL Sametime Client – Login failed

Login failed – Reason: The log in information you entered cannot be verified at this time. Contact your help des or system administrator. Error details: Directory is unreachable.

Try setting the following debug parameters in the “sametime.ini”:

POLICY_DEBUG_LEVEL=5
POLICY_TOOLKIT_DEBUG_LEVEL=5
ST_TLS_DEBUG=1
VP_TRACE_ALL=1

After that, restart the Sametime Community server, reproduce the issue and check the “STPolicy” as well as the general Sametime log as those files should provide more information about the authentication process failing.

I hope this helps! 🙂

Leave a Reply

Fill in your details below or click an icon to log in:

WordPress.com Logo

You are commenting using your WordPress.com account. Log Out /  Change )

Google photo

You are commenting using your Google account. Log Out /  Change )

Twitter picture

You are commenting using your Twitter account. Log Out /  Change )

Facebook photo

You are commenting using your Facebook account. Log Out /  Change )

Connecting to %s