HCL Sametime 11 – SSO between ST WebClient and iNotes/Verse on-Premises

You can integrate HCL iNotes and/or HCL Verse on-Premises with Sametime 11 via the ST Proxy server, the same way the integration was done with Sametime Version 9.0.1.

But before you can integrate the products mentioned above, you have to configure Single-Sign-On between Sametime WebClient and iNotes/VoP.

With Sametime version 9.0.1, you would export the LTPA Token from WebSphere Application Server and import it in the Domino “Web SSO Configuration” document of the iNotes/VoP server and Sametime Community Server, thus making sure that all components involved are using the same LTPA Token.

But in Sametime Version 11, we do not have any WebSphere components. So, you just have to make sure that the Sametime Community and iNotes/VoP servers are using the same LTPA Token. Either export the LTPA Token from the old Sametime environment or any other existing WebSphere server and import it in the relevant Domino “Web SSO Configuration” documents. After restarting all components involved, SSO should be working and you can proceed with integrating Sametime with iNotes and/or Verse on-Premises.

HCL Sametime 11 – Limited Use vs. Standard License

I found that there is a lot of confusion going around about which Sametime features are covered in the Limited Use License. Although I could not find a document or a matrix chart covering this in detail, the following article provides some important insights:

Excerpt of the article:

HCL Sametime 11 Limited Use prohibits the use of the following components:

- File transfer
- Screen capture
- Multiple communities
- External user
- Built-in audio / video function
- Integration with external meetings

To ensure compliance with the Limited Use terms, these features must be disabled in policy settings.

Before deploying Sametime 11 Limited Use, make sure that the features important for you are covered in the license. And if one or another function is not working, check with support if it is covered in the Limited Use license in the first place; it might save you some time spent troubleshooting.

UPDATE

My friend Roberto Boccadoro found the official licensing agreement, thank you very much! You can access it via the following URL:

Excerpt of the document:

Notwithstanding any provision in the Agreement, Licensee is not authorized to use any of the following components or functions of the Program:

  • Access to File Transfer (of HCL Sametime)
  • Screen Capture (of HCL Sametime)
  • Multiple Communities (of HCL Sametime)
  • External users (of HCL Sametime)
  • Embedded Audio/Video features (of HCL Sametime)
  • External conferencing integration (of HCL Sametime)

HCL Sametime 11 – ST Proxy Server & DNS

Obviously, when deploying any application, DNS is important and the needed DNS entries need to be set.

Before deploying the HCL Sametime 11 Proxy Server you need to make sure that the MongoDB and the Sametime Community Servers are reachable via FQDNs and hostnames.

If you have to work with a “host” file, in DMZ for example, make sure to create separate entries for hostnames and FQDNs mentioned. If you are using a separate DNS Alias to access the Sametime Community server, other than the “real” FQDN and Hostname, make sure to create the entries for the “real” FQDN and Hostname of the Community server, even if you have not used them during the ST Proxy installation. During one deployment I ran into this issue. After enabling the debugging on the ST Proxy Server, I got the following errors:

FINE [White Rabbit (Timer). 2] com.ibm.rtc.stproxy.cluster.ServerLogin.connect Connecting to ST server: Server name: CN=domino-server-name/O=domino-organization, Cluster name: CN=domino-server-name/O=domino-organization, Server URL: domino-community-server.domain.local, serverID: null, Sametime session: null

WARNING [Chuck the postman’s dispatching thread.4] com.ibm.rtc.stproxy.cluster.ServerLogin.loggedOut CLFRX0011W: Unable to log in to the Sametime community server CN=domino-server-name/O=domino-organization. Error message is 80000207

After editing the host file of the ST Proxy server, on which the error was produced, the Sametime Webclient was working as desired and there were no errors in the log file.
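The hosts-file requirement described above can be checked before the ST Proxy is started. The following is an added example, not part of the original post: it parses hosts-file text and reports servers that are not reachable by both FQDN and short hostname. The MongoDB name, the alias and all addresses are constructed; only `domino-community-server.domain.local` is taken from the log above.

```python
# Added example: host names and addresses are constructed sample values.
SAMPLE_HOSTS = """\
# hosts file on the ST Proxy server (constructed sample)
127.0.0.1   localhost
10.0.0.21   mongodb01.domain.local mongodb01
10.0.0.30   chat.domain.local    # DNS alias used during the ST Proxy install
"""

# Servers the ST Proxy must reach, by their "real" FQDNs (assumed names).
SERVERS = ["mongodb01.domain.local", "domino-community-server.domain.local"]


def parse_hosts(text):
    """Return {lower-cased name: address} for every name in hosts-file text."""
    names = {}
    for line in text.splitlines():
        fields = line.split("#", 1)[0].split()   # drop comments, split on whitespace
        if len(fields) < 2:
            continue                             # blank line or address without a name
        address, *hostnames = fields
        for name in hostnames:
            names.setdefault(name.lower(), address)  # keep the first address seen
    return names


def required_names(fqdns):
    """Each server has to be resolvable by FQDN and by short hostname."""
    needed = []
    for fqdn in fqdns:
        fqdn = fqdn.lower().rstrip(".")
        short = fqdn.split(".", 1)[0]
        needed.extend([fqdn] if short == fqdn else [fqdn, short])
    return needed


def check_hosts(hosts_text, fqdns):
    """Return (missing names, FQDNs whose short name maps to another address)."""
    known = parse_hosts(hosts_text)
    missing = [n for n in required_names(fqdns) if n not in known]
    mismatched = []
    for fqdn in (f.lower().rstrip(".") for f in fqdns):
        short = fqdn.split(".", 1)[0]
        if fqdn in known and short in known and known[fqdn] != known[short]:
            mismatched.append(fqdn)
    return missing, mismatched


if __name__ == "__main__":
    missing, mismatched = check_hosts(SAMPLE_HOSTS, SERVERS)
    print("missing entries:", missing)
    print("FQDN/short name address mismatch:", mismatched)
```

With the sample file, only the alias is present for the Community server, so both of its real names are reported as missing.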

IBM Sametime Update and STCore.jar File

Recently I have updated IBM Sametime Community Server from 9.0 HF1 to 9.0.1 FP1. Before starting the update process I would usually back up, and replace after the upgrade, the following files:

  • vpuserinfo.nsf
  • names.nsf
  • STRunTimeDebugTool.jar
  • Stconfig.nsf
  • sametime.ini

And the STCore.jar file, which is not stated in the official documentation, but most of the time in the past I needed to replace this file so that the Community Server could be started after the upgrade.

This time, not all Sametime Services could be started after the upgrade: “ST Presence Subscriptions” and “ST Presence Compatibility” would not start.

In the “STPresenceCompatibility” log file I got the following error:

[ 13:26:45.245 | 04.05.2018 | SEVERE | 13 ] : STThrowableReporterListener : notifyThrowableCaught : a toolkit throwable was caught, preparing for system exit
[ 13:26:45.245 | 04.05.2018 | SEVERE | 13 ] : STThrowableReporterListener : notifyThrowableCaught : a toolkit throwable was caught, preparing for system exit
java.lang.NoSuchMethodError: com/ibm/sametime/stjavautils/utils/STUtils.belongToSameServer(Lcom/lotus/sametime/core/types/STId;Lcom/lotus/sametime/core/types/STId;)Z (loaded from file:/D:/IBM/Domino/STCore.jar by sun.misc.Launcher$AppClassLoader@f932dcd2) called from class com.ibm.sametime.buddylist.bc.channelHandler.BcToCommunityEventHandler$BLServiceAvailableListenerImpl (loaded from file:/D:/IBM/Domino/BLBackwardCompatibilitySA.jar by sun.misc.Launcher$AppClassLoader@f932dcd2).
    at com.ibm.sametime.buddylist.bc.channelHandler.BcToCommunityEventHandler$BLServiceAvailableListenerImpl.handleServicesAvailable(BcToCommunityEventHandler.java:192)
    at com.ibm.sametime.stjavautils.listener.STServiceAvailableListener.servicesAvailable(STServiceAvailableListener.java:50)
    at com.lotus.sametime.communityevents.CommunityEventsComp.snapshotServices(Unknown Source)
    at com.lotus.sametime.communityevents.CommunityEventsComp.processSTEvent(Unknown Source)
    at com.lotus.sametime.core.comparch.STCompPart$STCompPartSTEventListener.processSTEvent(Unknown Source)
    at com.lotus.sametime.core.comparch.MessageDispatcher.dispatch(Unknown Source)
    at com.lotus.sametime.core.comparch.MessageDispatcher.flush(Unknown Source)
    at com.lotus.sametime.core.comparch.MessageDispatchingThread.run(Unknown Source)
    at java.lang.Thread.run(Thread.java:785)
[ 13:26:45.245 | 04.05.2018 | SEVERE | 13 ] : BLThrowableReporterListenerImpl : handleNotifyThrowableCaught : com/ibm/sametime/stjavautils/utils/STUtils.belongToSameServer(Lcom/lotus/sametime/core/types/STId;Lcom/lotus/sametime/core/types/STId;)Z (loaded from file:/D:/IBM/Domino/STCore.jar by sun.misc.Launcher$AppClassLoader@f932dcd2) called from class com.ibm.sametime.buddylist.bc.channelHandler.BcToCommunityEventHandler$BLServiceAvailableListenerImpl (loaded from file:/D:/IBM/Domino/BLBackwardCompatibilitySA.jar by sun.misc.Launcher$AppClassLoader@f932dcd2).
[ 13:26:45.245 | 04.05.2018 | SEVERE | 13 ] : BLShutdownManager : BLShutdownManager : time has come for system exit. EXITING!!! return code: 101

I replaced the backed up “STCore.jar” file with the new one, created by the update process, and all was well. All Sametime Services started and there were no problems.

Sametime Community Server – LTPA Token Name

If you are planning on changing the LTPA Token on a Sametime Community Server, save yourself a lot of pain by using the existing LTPA Document and keeping the default name “LtpaToken”. If you change the name, you may not get any errors on the console, but SSO using LTPA just won't work.

If you want to enable Internet Sites on the Community Server, you should read the instructions in the following article:

http://www-01.ibm.com/support/docview.wss?uid=swg21157740
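Because a wrong token name produces no console error, the mismatch has to be found from the outside. The following added example (not from the original posts) serves both the SSO section at the top of this page and the token-name advice above: it compares the `Set-Cookie` header each server returns after a login. Server labels, domains and token values are constructed, and it checks only the token name and cookie domain; whether the servers share the same LTPA keys is not visible in the headers.

```python
DEFAULT_TOKEN_NAME = "LtpaToken"   # default name the text recommends keeping

# Constructed Set-Cookie values, one per server, as seen after a login.
# Server labels, domains and token values are made up for this example.
SAMPLE_HEADERS = {
    "sametime-community": "LtpaToken=constructed-value-1; domain=.domain.local; path=/",
    "inotes-vop": "LtpaTokenMail=constructed-value-2; domain=.mail.domain.local; path=/",
}


def parse_set_cookie(header):
    """Split one Set-Cookie value into (cookie name, {attribute: value})."""
    first, *rest = [part.strip() for part in header.split(";")]
    name = first.partition("=")[0].strip()
    attrs = {}
    for part in rest:
        key, _, value = part.partition("=")
        attrs[key.strip().lower()] = value.strip()
    return name, attrs


def sso_cookie_findings(headers_by_server):
    """List token name and cookie domain mismatches that break SSO."""
    parsed = {srv: parse_set_cookie(h) for srv, h in headers_by_server.items()}
    findings = []
    for server, (name, attrs) in sorted(parsed.items()):
        if name != DEFAULT_TOKEN_NAME:
            findings.append(f"{server}: token name {name!r} is not {DEFAULT_TOKEN_NAME!r}")
        if not attrs.get("domain"):
            findings.append(f"{server}: no domain attribute, cookie stays host-only")
    names = sorted({name for name, _ in parsed.values()})
    if len(names) > 1:
        findings.append("token names differ: " + ", ".join(names))
    domains = sorted({a.get("domain", "").lower().lstrip(".") for _, a in parsed.values()})
    if len(domains) > 1:
        findings.append("cookie domains differ: " + ", ".join(d or "(none)" for d in domains))
    return findings


if __name__ == "__main__":
    for finding in sso_cookie_findings(SAMPLE_HEADERS):
        print(finding)
```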

Integrating Verse On-Premises with Sametime

Sametime and Verse On-Premises integration is very nice and works well. It is also very easy to accomplish, so it is a shame not to try it out.


First of all, you need Verse On-Premises 1.0.2 or newer and iNotes and Sametime integration set up.

After that just add the following “Notes.ini” parameters:

VOP_GK_sametime=1
VOP_GK_sametime_rich_client=1

And restart the Domino HTTP task.

“VOP_GK_sametime” enables Verse and Sametime integration. “VOP_GK_sametime_rich_client” is optional; it enables Sametime rich client integration.

If you enable rich client integration, users may get a security prompt to trust the SSL certificate if it is not an official one.


Photos missing in Sametime Webclient

Recently I tried to configure Sametime Proxy Server to show profile photos from IBM Connections in Sametime web client business cards. SSO through LTPA was set up between the Sametime (version 9.0.1) and Connections (version 5.5 CR2) environments, and the configuration needed was done on the Sametime Proxy server. But after synchronization and restart of the ST Proxy, the photos would still not show up in the web client.

Video showing this error.

As you can see, the browser just tries to load the photo and there are no errors in the GUI. With Chrome and Fiddler I managed to catch an HTTP 403 error, and I could also see the HTTP 403 error in the IBM HTTP Server log; other than that, there were no other errors. I think it is also important to mention that with IE and Fiddler I could not catch the HTTP 403 error; IE would not even stop trying to load the photo.

The solution was to set “allowJsonpJavelin” to “true” in the “profiles-config.xml” file.

<allowJsonpJavelin enabled="true"/>

After that just synchronize the nodes and restart Connections Applications, most likely it will be enough just to restart the “Profiles” application.

Big thanks to Martin Leyrer and Dave Fleetham for helping me solve this one, I hope this will show up soon in the Knowledge Center. 🙂

This configuration change is needed only if you upgrade Connections to 5.0 CR4 or later.

There is also a blog post from Tom Bosmans about this matter.

“Pitfall” when implementing Sametime Awareness in IBM Connections

If you are implementing Sametime Awareness in IBM Connections through the Sametime Proxy server, as described in the official documentation, make sure that the “isConnectClient” attribute in the “LotusConnections-config.xml” file is set to “false”. The example in the documentation shows otherwise:

[Screenshot: IBM Knowledge Center, “Adding Sametime awareness through the Sametime server”]

If you set the “isConnectClient” attribute to “true”, and the rest of the configuration is OK, the connection to the Sametime Proxy server will work, but the loading of the Homepage after the login will take significantly longer; some users may even get warning messages stating that they are unable to log in to Sametime.

This problem especially impacts the Firefox browser. For some reason Chrome is much less affected, and the issue is not that easy to notice there.

A big thanks to Martin Leyrer for sharing this. 🙂