Creating an LTPA Token – Without WAS Network Deployment Server

Recently I was installing an HCL Sametime 11 environment from scratch. I always implement a single LTPA token (that is, one shared set of LTPA keys) across the Domino, Sametime and/or Connections environment. It is also a very good idea to use only LTPA token version 2 (LtpaToken2), as it is more secure, but this also means that the LTPA keys have to be created by a WebSphere server, because Domino can only import them.

Usually this is not a problem, because most of my customers have HCL Connections or an older version of Sametime already deployed, which means that they are also using WebSphere Application Server Network Deployment.

But this customer only had Domino, and a fresh installation of WAS Network Deployment solely to create a new LTPA key file, only to scrap it afterwards, would have taken too much time.

My friend Herwig W. Schauer gave me a tip that the same can be done with WebSphere Liberty, which is a lot faster.

Just download the latest version of WebSphere Liberty, which is free, from the IBM website; I used the ZIP install package for Windows.

Extract the downloaded package to a directory of your choice and open the “server.xml” file, found under “<was_liberty_package>\wlp\usr\servers\defaultServer”, in a text editor. At line 17, inside the “<ltpa>” element, edit the “keysFileName” and “keysPassword” attributes, as shown in the screenshot below. The password you set here is the one you will be asked for when importing the keys into Domino, so pick a strong one and keep it:

Afterwards, start the Liberty server with the “server.bat” script:

<was_liberty_package>\wlp\bin>server.bat start

Just as in the screenshot below:

As soon as the server is up, a new LTPA key file will be generated in the “<was_liberty_package>\wlp\usr\servers\defaultServer” directory, with the name and password you specified in “server.xml”.

That’s it: you can now take the newly generated LTPA key file and import it into the Domino “Web SSO Configuration” document.
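As an added example, not code from the original post, the following Python script shows what the edited “<ltpa>” element looks like and automates the edit so the key file name and password are not typed into server.xml by hand. The sample server.xml is constructed for this example, and the “appSecurity-2.0” feature is assumed to be enabled, since Liberty only generates LTPA keys when a security feature is loaded. The liberty_xor_encode helper reproduces the default “{xor}” obfuscation of Liberty’s securityUtility encode command, so the password does not sit in cleartext in server.xml.

```python
"""Set keysFileName/keysPassword on the <ltpa> element of a Liberty server.xml.

Added example, not code from the original post. The <ltpa> element and its
attributes are Liberty's own; the sample file below is constructed, and the
appSecurity-2.0 feature is assumed (Liberty generates ltpa.keys only when a
security feature is enabled).
"""
import base64
import xml.etree.ElementTree as ET

# Constructed sample of usr/servers/defaultServer/server.xml.
SAMPLE_SERVER_XML = """<server description="new server">
    <featureManager>
        <feature>jsp-2.3</feature>
        <feature>appSecurity-2.0</feature>
    </featureManager>
    <httpEndpoint id="defaultHttpEndpoint" httpPort="9080" httpsPort="9443"/>
    <!-- the element the post edits: keysFileName and keysPassword -->
    <ltpa keysFileName="ltpa.keys" keysPassword="changeit" expiration="120"/>
</server>
"""


def liberty_xor_encode(password: str) -> str:
    """Obfuscate a password the way `securityUtility encode` does by default.

    Every byte is XORed with 0x5F, base64-encoded and prefixed with {xor}.
    This is reversible obfuscation, not encryption: it keeps the password out
    of casual view in server.xml, nothing more. Use the {aes} form produced by
    `securityUtility encode --encoding=aes` if that matters to you.
    """
    raw = bytes(b ^ 0x5F for b in password.encode("utf-8"))
    return "{xor}" + base64.b64encode(raw).decode("ascii")


def set_ltpa_keys(server_xml: str, keys_file_name: str, keys_password: str) -> str:
    """Return server.xml with <ltpa keysFileName=... keysPassword=...> set.

    The element is created if the file has none; other attributes (such as
    expiration) and XML comments are preserved.
    """
    parser = ET.XMLParser(target=ET.TreeBuilder(insert_comments=True))
    root = ET.fromstring(server_xml, parser=parser)
    if root.tag != "server":
        raise ValueError(f"not a Liberty server.xml, root element is <{root.tag}>")
    ltpa = root.find("ltpa")
    if ltpa is None:
        ltpa = ET.SubElement(root, "ltpa")
    ltpa.set("keysFileName", keys_file_name)
    ltpa.set("keysPassword", keys_password)
    return ET.tostring(root, encoding="unicode")


def ltpa_settings(server_xml: str) -> dict:
    """Read back the <ltpa> attributes ({} when the element is absent)."""
    ltpa = ET.fromstring(server_xml).find("ltpa")
    return dict(ltpa.attrib) if ltpa is not None else {}


if __name__ == "__main__":
    import sys
    # usage: python set_ltpa.py <path to server.xml> <keys file name> <password>
    path, name, password = sys.argv[1:4]
    with open(path, encoding="utf-8") as fh:
        original = fh.read()
    updated = set_ltpa_keys(original, name, liberty_xor_encode(password))
    with open(path, "w", encoding="utf-8") as fh:
        fh.write(updated)
    print(ltpa_settings(updated))
```

Run it against the defaultServer/server.xml before starting the server; the {xor} value is only obfuscated, so keep server.xml readable by the service account alone, and remember the cleartext password for the Domino import.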


HCL Sametime 11 – WebClient stuck on Loading

If you run into the issue with HCL Sametime 11 Proxy where the WebClient loads endlessly after a user logs in, and the following error is present in the “catalina.out” log file of the Sametime Proxy component:

CLFRX0049E: Failed to query the user info: <username>, reason 80000005

Check the “UserInfoConfig.xml” file on the Sametime Community Server for syntax errors. In my case the “UserName” attribute inside the “<StorageDetails>” element needed to be moved in front of the “Password” attribute (this ordering is the default in Sametime 11 FP1). Afterwards the “<StorageDetails>” element should resemble the following:

<StorageDetails BaseDN="DC=test,DC=com" HostName="dc.test.com" UserName="CN=SVC_Test,OU=Service Accounts,OU=test,DC=test,DC=com" Password="xxxxxxx" Port="389" Scope="2" SearchFilter="(&amp;(objectclass=user)(!(userAccountControl:1.2.840.113556.1.4.803:=2))(|(pager=%s)(mail=%s*)(samAccountName=%s*)(sn=%s*)(displayName=%s*)(distinguishedName=%s)(objectguid=%s)))" SslEnabled="false" SslPort="636" />
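A syntax error in this file is easy to introduce (a stray curly quote from a copy and paste, an unbalanced parenthesis in the LDAP filter) and the proxy only reports it as the generic 80000005 above. The following checker is an added example, not code from the original post or from HCL: it parses UserInfoConfig.xml with Python’s XML parser, reports the line and column of any syntax error, and sanity-checks the StorageDetails attributes shown above. The sample file is constructed; the StorageDetails attributes come from the post, the wrapper elements (UserInformation/Resources/Storage) are an assumption.

```python
"""Syntax-check UserInfoConfig.xml and its <StorageDetails> element.

Added example, not from the original post. The sample below is constructed;
the <StorageDetails> attributes are taken from the post, the wrapper elements
(UserInformation/Resources/Storage) are assumed.
"""
import xml.etree.ElementTree as ET

REQUIRED_ATTRS = ("BaseDN", "HostName", "UserName", "Password", "Port",
                  "Scope", "SearchFilter")

# Constructed sample: the post's StorageDetails with the password masked.
SAMPLE_OK = """<UserInformation>
  <Resources>
    <Storage type="LDAP">
      <StorageDetails BaseDN="DC=test,DC=com" HostName="dc.test.com"
        UserName="CN=SVC_Test,OU=Service Accounts,OU=test,DC=test,DC=com"
        Password="xxxxxxx" Port="389" Scope="2"
        SearchFilter="(&amp;(objectclass=user)(!(userAccountControl:1.2.840.113556.1.4.803:=2))(|(pager=%s)(mail=%s*)(samAccountName=%s*)(sn=%s*)(displayName=%s*)(distinguishedName=%s)(objectguid=%s)))"
        SslEnabled="false" SslPort="636" />
    </Storage>
  </Resources>
</UserInformation>
"""

# Constructed broken sample: curly quotes as pasted from a web page.
SAMPLE_BAD = SAMPLE_OK.replace('Port="389"', 'Port=”389″')


def _balanced(filter_text: str) -> bool:
    """True if the LDAP filter's parentheses open and close in matched pairs."""
    depth = 0
    for ch in filter_text:
        if ch == "(":
            depth += 1
        elif ch == ")":
            depth -= 1
            if depth < 0:
                return False
    return depth == 0


def check_user_info_config(xml_text: str) -> list:
    """Return a list of problems; an empty list means the file looks sane.

    Only structure is checked: well-formedness, required attributes,
    numeric ports, a boolean SslEnabled and a balanced LDAP search filter.
    Password values are never included in the messages.
    """
    problems = []
    try:
        root = ET.fromstring(xml_text)
    except ET.ParseError as exc:
        line, col = exc.position
        return [f"XML syntax error at line {line}, column {col}: {exc}"]

    details = [el for el in root.iter() if el.tag.lower() == "storagedetails"]
    if not details:
        return ["no <StorageDetails> element found"]
    for el in details:
        for attr in REQUIRED_ATTRS:
            if not el.get(attr):
                problems.append(f"StorageDetails: missing or empty {attr}")
        for attr in ("Port", "SslPort"):
            value = el.get(attr)
            if value is not None and not value.isdigit():
                problems.append(f"StorageDetails: {attr}={value!r} is not numeric")
        ssl = el.get("SslEnabled")
        if ssl is not None and ssl.lower() not in ("true", "false"):
            problems.append(f"StorageDetails: SslEnabled={ssl!r} is not true/false")
        filt = el.get("SearchFilter", "")
        if filt and not _balanced(filt):
            problems.append("StorageDetails: SearchFilter has unbalanced parentheses")
        if filt and "%s" not in filt:
            problems.append("StorageDetails: SearchFilter has no %s placeholder")
    return problems


if __name__ == "__main__":
    import sys
    with open(sys.argv[1], encoding="utf-8") as fh:
        for problem in check_user_info_config(fh.read()) or ["OK"]:
            print(problem)
```

Note that the file holds the LDAP bind password in cleartext, so run the check on the Community Server itself rather than copying the file around, and keep its file permissions restricted to the Domino service account.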

HCL Sametime – Creating a Name Change Task without Sametime System Console

In HCL Sametime version 11 there is no System Console, which means that Name Change tasks have to be created directly in the “stnamechange.nsf” database.

This process is not documented. After trying to reinvent the wheel and failing gloriously, I decided to write a blog post about it. 🙂

Open “stnamechange.nsf” with a user that has Manager access to the database, click “Create” and create a new “Name Change” document.

Give the document a name; “Description” is optional. Under “Location” enter the DN of your Sametime Community Server, “CN=<server_name>/O=<organisation_name>”. “File” is a rich-text field; attach the CSV file you want to use here. You can read the details about creating the CSV file in the official documentation.

In the end the document should look like the following:

After that, run stnamechange.cmd/.sh as you normally would with HCL Sametime version 10 or earlier.

On Windows, open CMD as administrator, navigate to the Domino program directory and start stnamechange.cmd (or stnamechange.sh on Linux) with the following parameters:

stnamechange.cmd <domino_program_directory> <domino_data_directory>

For example:

stnamechange.cmd c:\HCL\Domino c:\HCL\Domino\Data

That should be it. If you run into any problems, take a look at the log: every time you run the command, a log file is created in the “Trace” directory of the Sametime server. You can also enable verbose logging.

I hope this helps and saves you some time.

Peculiar File Transfer related error in HCL Sametime 11 FP1

After going through the HCL Sametime 11 FP1 Community Server logs, I found the following error:

CLMONGO, ChatResource::readSrvMsgFlags ERROR: empty UCM_LOCAL_IP

As in the screenshot below:

I am not sure whether this error affects any functionality of the system, but to resolve it I simply added the “UCM_LOCAL_IP” parameter to the sametime.ini file, inside the “[Connectivity]” section. The value of “UCM_LOCAL_IP” should be set to the local IP address of the Sametime Community Server.

I hope this helps.

HCL Sametime 11 FP1 – Send Push Notifications via Web Proxy

As of today, with the current version of the HCL Sametime Proxy Server, there is no supported Sametime configuration that lets you send APNs or GCM push notifications through a web proxy server. This feature is planned for a future release.

Keep that in mind when planning your Sametime deployment.

HCL Traveler and HCL Connections do support this, as described in the official documentation:

HCL Traveler – Push messaging through a proxy

HCL Connections – Mobile configuration properties for HCL Connections 5.5

HCL Connections – Configure access for the Tiny Editors Services through HTTP proxy

HCL Sametime 11 & SSO via Sametime Embedded Client in Notes Basic Client

At a customer site I had to make sure that users can authenticate via the HCL Sametime embedded client inside the HCL Notes 9.0.1 Basic client, using Domino SSO (LTPA).

After installing the HCL Sametime 11 Community Server and applying the standard configuration, login via Domino SSO worked without any issues for Sametime embedded clients inside HCL Notes Standard (Eclipse) clients. But we had to make some configuration changes in the “sametime.ini” file to make the same work for ST embedded clients inside HCL Notes Basic clients.

We had to change the “VP_SECURITY_LEVEL” parameter from the default “7000” to “0”. Furthermore, we added the value “1216” to the “VPS_PREFERRED_LOGIN_TYPES” parameter. If the “VPS_ALLOWED_LOGIN_TYPES” parameter is used in your environment, you have to add the value “1216” to this parameter as well.

After saving “sametime.ini” and restarting the Sametime Community Server, Sametime embedded clients inside Notes Basic clients should be able to log in via the Domino SSO mechanism.
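Both this post and the “Peculiar File Transfer related error” post above come down to editing sametime.ini by hand: set one key, append a value to a comma-separated list, or add a key to a section. The following Python helper is an added example (not code from the original posts or from HCL) that makes those edits while preserving the file’s layout and line endings, and that can be run twice without duplicating the 1216 entry. The [Config] section for the VP_/VPS_ keys and the sample file are assumptions of this example; the [Connectivity] section for UCM_LOCAL_IP is from the post.

```python
"""Edit sametime.ini in place, preserving the file's layout.

Added example, not from the original posts. It applies the changes the two
posts describe (VP_SECURITY_LEVEL, VPS_PREFERRED_LOGIN_TYPES /
VPS_ALLOWED_LOGIN_TYPES for Notes Basic client SSO, UCM_LOCAL_IP under
[Connectivity]). The [Config] section for the VP_/VPS_ keys and the sample
file below are assumptions of this example.
"""


def _is_header(line: str) -> bool:
    s = line.strip()
    return s.startswith("[") and s.endswith("]")


def get_ini_value(text: str, section: str, key: str):
    """Return the value of key in section, or None if absent."""
    current = None
    for line in text.splitlines():
        if _is_header(line):
            current = line.strip()[1:-1]
            continue
        if current is not None and current.lower() == section.lower():
            k, sep, v = line.partition("=")
            if sep and k.strip().lower() == key.lower():
                return v.strip()
    return None


def set_ini_value(text: str, section: str, key: str, value: str) -> str:
    """Set key=value in section, adding the key or the section if missing.

    Existing lines keep their order; only the edited line changes. Line
    endings (CRLF on Windows, LF on Linux) are preserved.
    """
    nl = "\r\n" if "\r\n" in text else "\n"
    out, current, done, seen = [], None, False, False
    new_line = f"{key}={value}"
    for line in text.splitlines():
        in_target = current is not None and current.lower() == section.lower()
        if _is_header(line):
            if in_target and not done:
                # leaving the target section: insert before its trailing blank lines
                i = len(out)
                while i > 0 and not out[i - 1].strip():
                    i -= 1
                out.insert(i, new_line)
                done = True
            current = line.strip()[1:-1]
            seen = seen or current.lower() == section.lower()
            out.append(line)
            continue
        if in_target and not done:
            k, sep, _ = line.partition("=")
            if sep and k.strip().lower() == key.lower():
                out.append(f"{k.strip()}={value}")
                done = True
                continue
        out.append(line)
    if not done:
        if not seen:
            if out and out[-1].strip():
                out.append("")
            out.append(f"[{section}]")
        out.append(new_line)
    return nl.join(out) + nl


def add_to_ini_list(text: str, section: str, key: str, item: str) -> str:
    """Append item to a comma-separated list value unless already present."""
    current = get_ini_value(text, section, key) or ""
    items = [x.strip() for x in current.split(",") if x.strip()]
    if item not in items:
        items.append(item)
    return set_ini_value(text, section, key, ",".join(items))


def configure_basic_client_sso(text: str) -> str:
    """The post's sametime.ini changes for SSO from Notes Basic embedded clients.

    VP_SECURITY_LEVEL goes from 7000 to 0, login type 1216 is added to
    VPS_PREFERRED_LOGIN_TYPES and, only if the parameter exists, to
    VPS_ALLOWED_LOGIN_TYPES. Safe to run twice.
    """
    text = set_ini_value(text, "Config", "VP_SECURITY_LEVEL", "0")
    text = add_to_ini_list(text, "Config", "VPS_PREFERRED_LOGIN_TYPES", "1216")
    if get_ini_value(text, "Config", "VPS_ALLOWED_LOGIN_TYPES") is not None:
        text = add_to_ini_list(text, "Config", "VPS_ALLOWED_LOGIN_TYPES", "1216")
    return text


# Constructed sample sametime.ini; only the keys named in the posts are real.
SAMPLE_INI = """[Config]
VP_SECURITY_LEVEL=7000
VPS_PREFERRED_LOGIN_TYPES=1304,1305,1306

[Connectivity]

[Debug]
"""
```

Usage for the UCM_LOCAL_IP fix is a single call, set_ini_value(text, "Connectivity", "UCM_LOCAL_IP", "<community server IP>"); back up sametime.ini first and restart the Community Server afterwards, as both posts do.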

HCL Sametime 11 – SSO between ST WebClient and iNotes/Verse on-Premises

You can integrate HCL iNotes and/or HCL Verse on-Premises with Sametime 11 via the ST Proxy server, the same way the integration was done with Sametime 9.0.1.

But before you can integrate the products mentioned above, you have to configure single sign-on between the Sametime WebClient and iNotes/VoP.

With Sametime 9.0.1, you would export the LTPA keys from WebSphere Application Server and import them into the Domino “Web SSO Configuration” document of the iNotes/VoP server and the Sametime Community Server, making sure that all components involved use the same LTPA token.

But in Sametime 11 there are no WebSphere components. So you just have to make sure that the Sametime Community and iNotes/VoP servers use the same LTPA keys. Either export the LTPA keys from the old Sametime environment or from any other existing WebSphere server and import them into the relevant Domino “Web SSO Configuration” documents. After restarting all components involved, SSO should work and you can proceed with integrating Sametime with iNotes and/or Verse on-Premises.

HCL Sametime 11 – Limited Use vs. Standard License

There is a lot of confusion about which Sametime features are covered by the Limited Use license. I could not find a document or matrix covering this in detail, but the following article provides some important insights:

Excerpt of the article:

HCL Sametime 11 Limited Use prohibits the use of the following components:

- File transfer
- Screen capture
- Multiple communities
- External user
- Built-in audio / video function
- Integration with external meetings

To ensure compliance with the Limited Use terms, these features must be disabled in policy settings.

Before deploying Sametime 11 Limited Use, make sure the features important to you are covered by the license. And if one feature or another is not working, check with support whether it is covered by the Limited Use license in the first place; it might save you time spent troubleshooting.

UPDATE

My friend Roberto Boccadoro found the official licensing agreement, thank you very much! You can access it via the following URL:

Excerpt of the document:

Notwithstanding any provision in the Agreement, Licensee is not authorized to use any of the following components or functions of the Program:

  • Access to File Transfer (of HCL Sametime)
  • Screen Capture (of HCL Sametime)
  • Multiple Communities (of HCL Sametime)
  • External users (of HCL Sametime)
  • Embedded Audio/Video features (of HCL Sametime)
  • External conferencing integration (of HCL Sametime)

HCL Sametime 11 – ST Proxy Server & DNS

Obviously, when deploying any application, DNS matters and the required DNS entries need to exist.

Before deploying the HCL Sametime 11 Proxy Server, make sure that the MongoDB and Sametime Community Servers are reachable via both their FQDNs and their short hostnames.

If you have to work with a “hosts” file, in a DMZ for example, make sure to create separate entries for the hostnames and FQDNs mentioned. If you use a separate DNS alias to access the Sametime Community Server, other than its “real” FQDN and hostname, make sure to create entries for the “real” FQDN and hostname of the Community Server as well, even if you did not use them during the ST Proxy installation. During one deployment I ran into this issue. After enabling debugging on the ST Proxy Server, I got the following errors:

FINE [White Rabbit (Timer). 2] com.ibm.rtc.stproxy.cluster.ServerLogin.connect Connecting to ST server: Server name: CN=domino-server-name/O=domino-organization, Cluster name: CN=domino-server-name/O=domino-organization, Server URL: domino-community-server.domain.local, serverID: null, Sametime session: null

WARNING [Chuck the postman’s dispatching thread.4] com.ibm.rtc.stproxy.cluster.ServerLogin.loggedOut CLFRX0011W: Unable to log in to the Sametime community server CN=domino-server-name/O=domino-organization. Error message is 80000207

After editing the hosts file of the ST Proxy server on which the error was produced, the Sametime WebClient worked as desired and there were no more errors in the log file.
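The check that would have caught this before the first login attempt is mechanical: take every server the proxy talks to, require both its FQDN and its short hostname, and confirm each is defined. The following Python script is an added example, not code from the original post or from HCL. It parses a hosts file the way the DMZ setup above relies on, reports names that are missing, and can also probe the live resolver on the proxy host. The sample hosts file is constructed; the Community Server name domino-community-server.domain.local comes from the log excerpt above, while the MongoDB and alias names are assumptions.

```python
"""Check that every name the Sametime Proxy needs resolves: FQDN and hostname.

Added example, not from the original post. The sample hosts file is
constructed; domino-community-server.domain.local comes from the post's log
excerpt, the MongoDB and alias names are assumed.
"""
import socket


def parse_hosts(text: str) -> dict:
    """Map every name in a hosts file (case-insensitive) to its address."""
    table = {}
    for line in text.splitlines():
        line = line.split("#", 1)[0].strip()   # drop comments and blank lines
        if not line:
            continue
        parts = line.split()
        address, names = parts[0], parts[1:]
        for name in names:
            table[name.lower()] = address
    return table


def required_names(fqdns, aliases=()):
    """The post's rule: each server needs its FQDN *and* its short hostname."""
    names = []
    for fqdn in fqdns:
        names.append(fqdn.lower())
        short = fqdn.split(".", 1)[0].lower()
        if short not in names:
            names.append(short)
    for alias in aliases:
        names.append(alias.lower())
    return names


def missing_host_entries(hosts_text: str, fqdns, aliases=()) -> list:
    """Names from required_names() that the hosts file does not define."""
    table = parse_hosts(hosts_text)
    return [n for n in required_names(fqdns, aliases) if n not in table]


def unresolvable(names, resolve=socket.gethostbyname) -> list:
    """Names the live resolver cannot answer (hosts file plus DNS).

    `resolve` is injectable so the check can be unit-tested offline; on the
    proxy host leave the default to exercise the real resolver.
    """
    failed = []
    for name in names:
        try:
            resolve(name)
        except (OSError, KeyError):   # socket.gaierror is an OSError
            failed.append(name)
    return failed


# Constructed sample hosts file of a DMZ-hosted ST Proxy: the Community
# server's short hostname is missing, which is exactly the post's failure.
SAMPLE_HOSTS = """# constructed sample
10.10.1.20   domino-community-server.domain.local
10.10.1.30   mongodb01.domain.local   mongodb01
10.10.1.20   sametime.domain.local        # DNS alias used for the proxy install
"""

COMMUNITY = "domino-community-server.domain.local"
MONGO = "mongodb01.domain.local"
ALIAS = "sametime.domain.local"


if __name__ == "__main__":
    # Offline check of the sample, then a live check with the host's resolver.
    print("missing from hosts file:", missing_host_entries(SAMPLE_HOSTS, [COMMUNITY, MONGO], [ALIAS]))
    print("not resolvable here:", unresolvable(required_names([COMMUNITY, MONGO], [ALIAS])))
```

Run it on the ST Proxy server itself, since that is the host whose resolver matters; a name that resolves from your workstation but not from the DMZ host is precisely the case the post describes.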