Everybody likes when software performs well and feels “snappy”, guided by that mantra I’ve found that with the help of one “sametime.ini” parameter for LDAP tuning, you can improve the “login” performance of the clients and the time it takes to load Sametime Business Cards considerably.
By setting the “ST_DB_LDAP_CONNECTIONS_NUMBER” parameter, to a value greater than one, you can increase the maximum number of the LDAP connections HCL Sametime components can use to access the LDAP repository. Per default, every HCL Sametime module, which needs LDAP access, will use one connection to access the repository (“StAuthentication.dll” is the exception, as it uses two connections). Details about that can be read from the official documentation.
In most Sametime environments I’ve deployed, I have set the parameter “ST_DB_LDAP_CONNECTIONS_NUMBER” to two or three, depending on the Sametime Community server and LDAP server hardware. This led, at least subjectively, to 40-60% faster login times and about the same faster response when loading the Sametime Business Cards.
Make sure to monitor the hardware utilization and the performance of both the HCL Sametime Community server(s) and of the LDAP server(s), as changing this parameter will have a direct impact on it. Also, consider that setting the value too high can have negative effects.
If you are planning to deploy HCL Sametime Community service in a cluster or HA architecture, setting a Community ID is a must.
Ideally, this should be an FQDN used for accessing the Community servers, something which is easy to remember, and your users can relate to. So, think ahead and use a name that can be used to access the service externally and internally, I would never use the hostname of the Sametime Community server, in most cases, this is hard to remember and can’t be used to access the service over the internet. A “nice” and simple DNS alias like “chat.company.com” is generally the best way to go.
This is especially important when setting up an HA environment, in this case, you also must make sure that the FQDN used, points to the Load Balancer. The consequences for not doing this, in a HA environment, can be catastrophic. In an event of the failover, the Sametime Embedded or Connect client may recognize the server failing over to, as a member of a different community. This would result, among other issues, in not displaying the user’s Sametime contact list.
The Community ID can be set via “sametime.ini” and the process is quite simple, as described in the official product documentation.
I needed to set a new HCL Sametime policy just for a handful of users, so I have decided to do this via an explicit Sametime policy, assigned to the users via a new user group in LDAP user repository.
This process is simple and very well documented, check out the official documentation if you have to do this:
After creating, setting the policy and restarting the HCL Sametime Community server, I ran into a problem, the settings in the newly created policy didn’t have any impact on the Sametime clients.
In order to find the cause for the problem, I have set the following debug settings in the “sametime.ini” (in the [Debug] section) file:
POLICY_DEBUG_LEVEL=5
ST_POLICY_NOTES_GROUPS=1
“POLICY_DEBUG_LEVEL” can be set to ‘1’, ‘3’ or ‘5’, depending on the log information you want, ‘5’ being the most verbose.
After setting the debug level I found the following Entries in the Log:
[ 08:36:02.756 | 15.04.2021 | INFO | 15 ] : FilterSyntaxAdapter : replaceSubStrings : replaceSubStringsInFilter replacing %s with <dominounid> result is :(&(objectclass=inetOrgPerson)(|(mail= <dominounid> )(cn= <dominounid> )(uid= <dominounid> )))
[ 08:36:02.758 | 15.04.2021 | INFO | 15 ] : DirLdapBlackBox : getContextFromPool : A context has been retrieved from the conection pool for LDAP server
[ 08:36:02.758 | 15.04.2021 | SEVERE | 15 ] : DirLdapBlackBox : groupSearchByName : searchFilterGenerator is null, returning empty group list
Seeing this, the solution for the issue was pretty straightforward. The Sametime Internal User ID was set to “dominounid”, and it this parameter was missing from the LDAP Search filter used when resolving the user distinguished name to Sametime internal username. In order to solve this I had to modify the value of the LDAP search filter, used for resolving usernames to distinguished names, to include the “dominounid” parameter.
This can be done in the “stconfig.nsf” database, you just need to restart the HCL Community Server afterwards. Take a look at the screenshot after the configuration change:
The screenshot displayed above shows the LDAP Filter configuration change.
After that the HCL Sametime policy mechanism could be used as intended. Please do note that the issue was not a software defect, but rather the environment specific circumstances which ultimately resulted in a configuration error.
Configuring HCL Sametime Community Server to access the user directory over LDAPs is straightforward and usually fairly simple. In order to configure the access to Microsoft Active Directory for example, over LDAPs, you have to do the following:
Configure LDAPs for the Domino Directory Assistance document used by HCL Sametime.
I described the steps needed in the previous post how to do this.
2. Restart the Sametime Community Server and make sure you can still login into Sametime.
If this is not the case, then you have a problem with the configuration done in step 1. Only if you can log in successfully at this point, proceed to the next step.
3. Install GSKit provided with the Sametime Community Server setup.
Within the HCL Sametime Community Server setup, two executables for GSKit are provided, “gsk8crypt64.exe” and “gsk8ssl64.exe” (on Windows platforms), install both.
4. Add the directory of the installed GSKit to the “PATH” environment variable.
If your HCL Sametime Community Server is running on Windows, then the “Path” definition should look similar to the screenshot above.
If you are running Sametime Community on Linux and you are using the Domino Start-Script by Daniel Nashed to start the HCL Domino Server, you will need to modify the script to include the GSKit in the “Path” environment variable.
5. Create a trust store for verifying the target server authenticity.
You can either create the trust store in either “.p12” or “.jks” format. I usually go with “.p12”, for this you can use OpenSSL or even the “Certificates” Snap-In of the MMC console on a Windows client. Just make sure it contains the personal and the CA certificate of the LDAP target server. One of the both certificates, personal or CA certificate, should suffice, but I usually add both, just to be on the safe side. After you have created the Trust store, copy it to the Domino server.
6. Choose and define the TLS Scope.
As described in the official documentation, choose for which TLS Scope you want to configure. I just wanted to configure LDAPs and I have created a trust store for this solely purpose, so I only configured the individual TLS scope for LDAP. Therefore, I just added the following “Sametime.ini” settings:
7. Enable LDAPs in the Sametime Community Server configuration
Access the “stconfig.nsf” database on the Sametime Community Server using HCL Notes Administrator Client and open the LDAP Connection document. In the LDAP Settings set “SSLEnabled” parameter to “true”. If you are using other SSL Port than the default 636, you will also have to change “SSL Port” setting to reflect that.
Excerpt from the LDAP configuration in the “stconfig.nsf” Domino database.
If you want to use LDAPs for accessing the Sametime Business Card Information, then you will need to modify the “UserInfoConfig.xml” file and enable LDAPs. In order to do that, open “UserInfoConfig.xml” and locate “SslEnabled” parameter and set it to “true”. Also, make sure that the port number defined in the “SslPort” parameter is correct, per default that is 636.
That’s it, just restart the server and verify the configuration by logging into Sametime and accessing the Sametime Business Card Information.
Troubleshooting
If you have any issues logging in and you start getting the following error:
HCL Sametime Client – Login failed
Login failed – Reason: The log in information you entered cannot be verified at this time. Contact your help des or system administrator. Error details: Directory is unreachable.
Try setting the following debug parameters in the “sametime.ini”:
After that, restart the Sametime Community server, reproduce the issue and check the “STPolicy” as well as the general Sametime log as those files should provide more information about the authentication process failing.
On a customer site I had to make sure that users are able to authenticate via HCL Sametime Embedded Clients, inside of HCL Notes 9.0.1 Basic Client, using Domino SSO (LTPA).
After installing the HCL Sametime 11 Community Server, and applying the standard configuration, the login via Domino SSO for Sametime embedded clients inside of HCL Notes standard or eclipse clients worked without any issues. But we had to make some configuration changes in the “sametime.ini” file to make the same work for ST Embedded clients inside the HCL Notes basic clients.
We had to change the “VP_SECURITY_LEVEL” parameter value from the default “7000” to “0”. Furthermore, we added the value “1216” to the “VPS_PREFERRED_LOGIN_TYPES” parameter. If the “VPS_ALLOWED_LOGIN_TYPES” parameter is used in your environment, then you will have to add “1216” value to this parameter as well.
After saving the “sametime.ini” file and restarting the Sametime Community server, the Sametime embedded clients, inside the Notes basic clients, should be able to login via Domino SSO Mechanism.
I found that there is a lot of confusion going around which Sametime features are covered in Limited Use License, although I could not find a document or a matrix chart covering this in detail, the following article provides some important insights:
HCL Sametime 11 Limited Use prohibits the use of the following components:
- File transfer - Screen capture
- Multiple communities
- External user
- Built-in audio / video function
- Integration with external meetings
- To ensure compliance with the Limited Use terms, these features must be disabled in policy settings.
Before deploying Sametime 11 Limited Use, make sure that the features important for you are covered in the license. And if one or another function is not working, check with support if it is covered in the Limited Use license in the first place, it might save you some time spent troubleshooting.
UPDATE
My friend, Roberto Boccadoro found the official licensing agreement, thank you very much! You can Access it via the following URL:
Obviously, when deploying any application, DNS is important and the needed DNS entries need to be set.
Before deploying the HCL Sametime 11 Proxy Server you need to make sure that the MongoDB and the Sametime Community Servers are reachable via FQDNs and hostnames.
If you have to work with a “host” file, in DMZ for example, make sure to create separate entries for hostnames and FQDNs mentioned. If you are using a separate DNS Alias to access the Sametime Community server, other than the “real” FQDN and Hostname, make sure to create the entries for the “real” FQDN and Hostname of the Community server, even if you have not used them during the ST Proxy installation. During one deployment I ran into this issue. After enabling the debugging on the ST Proxy Server, I got the following errors:
FINE [White Rabbit (Timer). 2] com.ibm.rtc.stproxy.cluster.ServerLogin.connect Connecting to ST server: Server name: CN=domino-server-name/O=domino-organization, Cluster name: CN=domino-server-name/O=domino-organization, Server URL: domino-community-server.domain.local, serverID: null, Sametime session: null
WARNING [Chuck the postman’s dispatching thread.4] com.ibm.rtc.stproxy.cluster.ServerLogin.loggedOut CLFRX0011W: Unable to log in to the Sametime community server CN=domino-server-name/O=domino-organization. Error message is 80000207
After editing the host file of the ST Proxy server, on which the error was produced, the Sametime Webclient was working as desired and there were no errors in the log file.
The reason why this post is not carrying the title “Day One”, is because I flew over to Brussels already at Monday to attend the Champions Day Europe. The Champions Day event was interesting, I had a lot a fun to talking with fellow IBM Champions and finally meeting some of them in person. Besides, there were some really cool sessions like:
App Modernization – by James Baldwin
Managing Developers – by Bill Malchisky
Make a Convincing Argument for IBM Tech – by Keith Brooks
Bill’s Session completely blew me away, the Tips are simple yet very powerful. I think that everyone working on larger projects should hear this one out. Beside that, we found out that HCL is going to start its own program “HCL Masters”, which is going to be similar to the “IBM Champions” program. A big thanks to Libby, Alan and Stuart for making the Champions Day in Europe possible.
Today, at Autoworld, the first day of Engage officially started. I have no idea how Theo does it, but again the venue is just amazing. I am sure that there is no other event who can boast with such good venues.
At the Keynote Session, we got some interesting information, like that the Panagenda is working on a MarvelClient for iOS (which is at Private Beta stage) and Android Next, and the best part, it will be completely FREE!
The HCL also confirmed that they are working on a better integration between the existing Collaboration Products, across all platforms.
In the following I will list the Sessions I visited today and briefly add the Information I find to be most important.
Let’s Dive Into Sametime 10 – by Pat Galvin and Tony Payne
Sametime Limited Use v10 is going to run on either Domino 9 32-bit or Domino 10 64-bit, it also going to be fully compatible with Sametime 9.0.1 FP1. It will allow users to be online concurrently from multiple clients, desktop, mobile and browser. The mobile App is going to support SAML from the start. We saw a demo of a new Web Client, and the Client looks awesome, it is fast and it has a modern, sleek design. We also got an overview of the features which are going to be implemented in the future, more on that, and some other slides, in the gallery below.
Dealing with Users Complaints – Round Table – by Keith Brooks
A very cool Session, Keith showed us how to make unhappy users happy and some insight on how to argument in certain situations.
HCL Masters – Round Table – by Tim Clark
Valuable insights and discussion about the new HCL Masters program. HCL Masters program is looking very promising, members are going to most likely get direct L3 Support Access and unlimited Access to the Software Download Catalog. A big thumbs up!
Domino 11 – What’s coming – by Mike Gagnon
The version 11 will probably have an active License Checking, based on Flexera technology, and the license model is going to be much simpler. Notes and Domino 11 Language Packs will be shipped simultaneously with the new version of the software, so there is not going to be a delay between the release of the new version and the language packs. With version 11 we will have a possibility to implement “Two tiered DAOS”. We may also get Active Directory and Domino Directory Synchronization as well as “HTTP Authentication via ID Vault“. Some slides from the session:
Thoughts about HCL Connections, Domino and Sametime 