Query results for : Sametime
Register Community Server at Sametime System Console - Error AIDSC0898E Premature end of file
Thomas Hampel
2 June 2015
Recently I was trying to register a Sametime Community Server at the Sametime System Console (SSC) using
Unfortunately the registration failed with this error
AIDSC0898E: The sax exception occurred.Premature end of file.
Analysis
Taking a look into the log file [DominoData]/Console/logs/ConsoleUtility0.log did not show anything obvious, just the same error over and over again. One error for each attempt to register the community server.
com.ibm.sametime.console.deployment.client.util.SCSaxParser parse AIDSC0898E: The sax exception occurred.Premature end of file.
The script is getting input from two files, both located in the same directory [DominoData]/Console/
- "productConfig.properties" is used to set the Community server name and the server display name for SSC
- "console.properties" is used to define the connection properties like hostname, port, username and password
From your Community Server it was possible to access the Sametime System Console by using the following URL
http://SystemConsoleServer.YourDomain.tld:9080/stpolicy/policy/all
Logging in with the WAS credentials defined in the console.properties file worked fine.
Next step is to make sure your ST Community server responds to the following URL, depending on your configuration either HTTP on port 80 or HTTPS on port 443
http://CommunityServer.YourDomain.tld:80/servlet/auth/scs?xpath
Which also worked fine.
While reviewing the configuration I noticed the console.properties was configured not to use SSL.
SSCSSLEnabled=false
While the Domino community server was configured to redirect TCP traffic to SSL
Redirect TCP to SSL was enabled while I had set SSCSSLEnabled=false, so Domino was requesting to authenticate via SSL.
At least it was worth trying to streamline this setting - and guess what, it worked.
Solution
There are two options to fix this problem:
- Either use SSL by setting SSCSSLEnabled=true and specifying the correct SSL port number in the file [DominoData]/Console/console.properties
- or (less secure) disable usage of SSL by changing "Redirect TCP to SSL" to "No" on your Domino server.
References:
- Technote 1612553 - Manual registration of Sametime Community Server fails
- Registering the Sametime Community Server with the Sametime System Console on AIX, Linux, or Windows
Sametime community must be set as your default server community
Thomas Hampel
28 May 2015
If you are working in a support organization it might be required to connect to multiple Sametime environments at once, e.g. your own environment and the customer's Sametime environment.
By default a Sametime Community is configured so that you can not add it as a secondary community. Users will get the following error message when they try to connect to it:
"To log into the [ServerName] server community, it must be set as your default server community. Either reset user to login directly or contact your system administrator"
Your system administrator will have to disable the setting "User must set this community as the default server community (IC)" within your Sametime System Console.
If you have been reading my previous blog post about policies.user.xml parameters, you will know that you can change this setting even when you don't have a Sametime System Console in place.
The attribute in question is this one:
Attribute Group "imserver.policygroup.chat" | policy-attribute id | current-value |
User must set this community as the default server community (IC) | im.2019 | 0 |
So all your system administrator needs to do is to update this parameter on the Sametime Community server by editing the file [DominoData]\policies.user.xml and change the policy attribute "im.2019" from "1" to "0"
After saving changes and restarting the staddin task on your Sametime Community server, you can add this community as a secondary community in your Sametime client.
Display Photo in Sametime Business Cards
Thomas Hampel
27 May 2015
After upgrading a Sametime Community server from 8.5.x to 9.0 the business card in Sametime no longer shows the picture of a person.
Although pictures have been imported to the Domino Directory they were not showing up. It looks like the upgrade has overwritten the configuration we used before.
Since version 9.0 the business card can be configured in the Sametime System Console under "Sametime Servers" by selecting the Sametime Community Server which you want to configure.
This configuration is being written to the Sametime Community server into the file [DominoData]\UserInfoConfig.xml
Some time ago Mikkel Heisterberg published a wonderful description of the Sametime business card configuration secrets (PDF)
Looking into our server the file [DominoData]\UserInfoConfig.xml looked like this
As you can see, the above configuration does not contain an attribute name for the photo. By adding it, UserInfoNotesBB will return a user image from the Domino Directory.
Saving the file and restarting the staddin task resolved the problem... pictures are displayed again.
When starting the Community server the UserInformation service initially loads the configuration from UserInfoConfig.xml and then receives configuration updates from the Sametime System Console.
So if your Community server is being managed from a Sametime System Console -which is the only supported configuration- then modifications applied to this file will be overwritten.
Configuration updates from SSC can be disabled by adding the following tag to UserInfoConfig.xml before the
<ReadStConfigUpdates value="false"/>
Source: IBM Infocenter - Configuring business cards using a native Domino Directory
References:
- Mikkel Heisterberg - Sametime business card configuration secrets (PDF)
- How to configure Business Card Service
- Troubleshooting Business Cards (8.0.2)
- Troubleshooting Business Cards (9.0)
- Technote 1244204 - How to setup Business Card photos using the Domino LDAP
Configure Sametime Community Server Policies without System Console - Policies.User.XML parameters explained
Thomas Hampel
24 May 2015
Upgrading Sametime Community Servers from 8.5.x to 9.0.x requires installing a Sametime System Console Server (SSC) where policies can be configured.
Although you can follow this perfect documentation to set up your environment, it might take some time and resources to complete.
Is there a way to run a Community server without SSC ?
Yes, there is, but keep in mind that a configuration without an SSC is officially not supported by IBM. It works fine with default policies, and even configuration changes can be applied when you know how to configure policies manually.
How it works:
Policies are stored/cached in a file called "policies.user.xml" located in the Domino Program directory. When installing a Sametime Community Server from scratch, this file will be created with default parameters.
You can register a Community server in a SSC later on by running "registerSTServerNode.bat" (or .sh) located in the folder DominoData/Console .
Hint: For Linux, specify the Notes.ini path without a trailing slash, e.g. "/local/notesdata"
When the Sametime 9.0 Community Server is registered at an SSC the Community server reads the policy configuration from the SSC during startup and then every hour (details can be configured).
Later on the community server can start and run even if the SSC is not available.
So even without a Sametime System Console, you can modify policies just by editing the file policies.user.xml in the Domino Program directory.
Please make sure to modify this file with an editor which keeps the formatting in place (DO NOT USE "Notepad" in Windows), and restart the staddin task for changes to take effect.
Policies.user.xml
The following tables describe the parameters in the file "policies.user.xml" which can be found in the Domino Program directory
Chat
Attribute Group "imserver.policygroup.chat" | policy-attribute id | current-value |
User must set this community as the default server community (IC) | im.2019 | 0 |
Allow user to add multiple server communities (IC) | im.2011 | 1 |
Allow user to add external users using Sametime gateway communities | im.2001 | 0 |
Allow user to save chat transcripts (IC) | im.2002 | 1 |
Automatically save chat transcripts (IC) Valid only if "Allow user to save chat transcripts" is checked. | im.2004 | 1 |
Maximum days to save automatically saved chat transcripts (IC): Set this field to zero to allow users to save chat transcripts for an unlimited time. | im.2006 | 365 |
Limit contact list size | im.2014 | 0 |
Max. Number of Contacts Valid (and required) if "Limit contact list size" is checked. | im.2015 | 500 |
Enable organization tree view for this user (for Sametime Advanced users only) | im.enableOrganizationTreeView | 0 |
Allow user to send offline messages (for Sametime Advanced users only) | im.enableOfflineMessages | 0 |
Allow all Sametime Connect features to be used with integrated clients (IC) Use this setting if the Sametime Connect Client is enabled and licensed to work with another product's client. | im.3000 | 1 |
Allow mobile client Sametime update site URL (IC): | im.2010 | 1 |
Sametime update site URL (IC): | im.2012 | "" |
Image
Attribute Group "imserver.policygroup.image" | policy-attribute id | current-value |
Allow custom emoticons (IC) | im.2008 | 1 |
Allow screen capture and images (IC) | im.2009 | 1 |
Set maximum image size for custom emoticons, screen captures, and inline images (IC) | im.2020 | 0 |
Maximum Size Valid only if "Set maximum image size" is checked | im.2021 | 500 |
File Transfer
Attribute Group "imserver.policygroup.filetransfer" | policy-attribute id | current-value |
Allow user to transfer files through server (IC) | im.1 | 1 |
Maximum individual file transfer size, in Kilobytes, for files sent through the server (IC): | im.2 | 10000 |
Use exclude file types transfer list, for files sent through the server (IC) | im.3 | 0 |
Types to exclude from transfer. Type the three-letter extension of each file type, separated by a comma or semicolon (IC) Valid only if "Use exclude file types transfer list" is checked. | im.4 | exe,com,bat |
Allow client-to-client file transfer (IC) | im.2005 | 1 |
Allow transferring multiple files and folders (for Sametime Advanced users only) Valid only if "Allow client-to-client file transfer" is checked. | im.allowTransferringMultipleFilesAndFolders | 0 |
Allow transferring files to participants in an n-way session (for Sametime Advanced users only) Valid only if "Allow client-to-client file transfer" is checked. | im.allowTransferringFilesToNwayParticipants | 0 |
Maximum number of users to receive a single file in one file transfer session: Valid only if "Allow transferring files to participants in an n-way session" is checked. | im.maxNumberUsersToReceiveSingleFileInOneFileTransferSession | 10 |
Plugin Management
Attribute Group "imserver.policygroup.plugin" | policy-attribute id | current-value |
Allow user to install plug-ins (IC) | im.2013 | |
Sametime optional plug-in site URLs. Type the URLs separated by a comma or semicolon (IC): | im.2022 |
Mobile
Attribute Group "imserver.policygroup.mobile" | policy-attribute id | current-value |
Allow location reporting When set, a user has the choice to share their location with other users. City level location information is appended to a user's status message that others see. For example, I am available @ Austin, TX. When not set, a user is not able to share location information. | im.2035 | 1 |
Enable offline access When set, a user can enter the Sametime client without logging in. This allows users to perform some tasks such as view chat history when offline. When not set, offline access is not allowed. | im.2036 | 1 |
Offline access password minimum length: When set, a user can enter the Sametime client without logging in. This allows users to perform some tasks such as view chat history when offline. When not set, offline access is not allowed. | im.2037 | 8 |
Offline access password expiry days: When set, this is the number of days until a password expires. When left blank or set to zero, the password never expires. | im.2026 | 0 |
Offline access prompt delay : When set, this is the number of minutes for which a user can re-enter offline mode without entering a password again. When left blank or set to zero, a user must always enter a password. | im.2027 | 30 |
Disable untrusted SSL When set, this policy prohibits a user from logging in to a server that does not have a certificate trusted by the device. When not set, a user can log in to a Sametime server that has a certificate not trusted by the device. | im.2028 | 0 |
Disable URL dialer When set, OpenScape is not displayed as a click-to-call choice even if OpenScape is installed on the device. When not set, a user is able to choose OpenScape as a method of making calls from Sametime if OpenScape is installed on the device. | im.2029 | 0 |
Minimum force logout duration: When set, this is the amount of minutes a user can stay logged in before being automatically logged out. When left blank or set to zero, a user is logged out after the amount of time they configure on their device. | im.2030 | -1 |
Disable chat history When set, this policy prohibits users from saving chat history on the device. When not set, a user has the option to save or not. | im.2031 | 0 |
Disable password save When set, this policy prohibits users from saving their password on the device. A user must always enter a password when connecting to the server. When not set, a user can choose to save their password or not. | im.2032 | 0 |
Allow contact export When set, this policy enables users to export Sametime contact information to a native contact application on the device. When not set, a user is not allowed to export Sametime contact information. | im.2033 | 1 |
Offline access password required When set, this policy requires a user to enter a password to enter the Sametime client without logging in. This policy is applicable only when Enable Offline Access is set. When not set, a user does not need to enter a password to access the client in offline mode. | im.2034 | 1 |
Audio/Video
Attribute Group "avserver.policygroup" | policy-attribute id | current-value |
Allow access to third-party service provider capabilities from contact lists, instant messages, and meetings | av.allowAccessToTPartyFromCListAndIM | 0 |
Allow changes to preferred numbers When checked, allows users to manage a list of devices for calls. | av.allowChangesToPrefNumbers | 1 |
Voice and video capabilities available through the Sametime Media Server: 0=None 1=Audio only 2=Audio and video | av.avCapAvailableThroughSMS | 2 |
Allow Audio/Video use in the web browser When checked, users will be allowed to use audio/video capabilities in Sametime Meetings from a web browser. | av.allowWebClient | 1 |
Allow access to internal service provider for audio and video conferences. When checked, users can make audio video calls using internal service provider for audio and video conferences | av.allowMultipointCalls | 1 |
| av.enableSVC | 1 |
Enable encryption for client: 0=Off 1=On 2=Auto | av.enableClientEncryption | 2 |
Video resolution: | av.videoResolution | CIF 352x288@15fps 384kbps |
Custom video resolution: Setting a custom video resolution will override the selected video resolution and should only be used if instructed to do so by a 3rd party MCU provider | av.customVideoResolution | |
Client line rate (kbps): When checked, users will be allowed to set line rate | av.clientLineRate | 384 |
av.ConferenceTemplateList | av.ConferenceDefaultTemplate |
Sametime Unified Telephony
Attribute Group "sut.policyGroup" | policy-attribute id | current-value |
Allow changes to the permanent call routing rule | sut.2024 | 1 |
Allow use of "Offline" status in call routing rules | sut.2025 | 1 |
Attribute Group "sutlite.policyGroup" | policy-attribute id | current-value |
av.allowSIPTrunking |
Mobile Audio Video Policy
Attribute Group "av.mobilePolicy" | policy-attribute id | current-value |
AV Policy for Mobile: 0=None 1=Audio Only 2=Audio and Video | av.allowMobileClient | 2 |
Allow Mobile Client Video on WiFi only | av.allowMobileWiFiOnly | 0 |
Call Line Rate for Mobile Client: | av.mobileLineRate | 384 |
Allow call history to be stored on Mobile Client | av.mobileAllowCallHistory | 1 |
Default audio video template
Attribute Group "av.ConferenceDefaultTemplate" | policy-attribute id | current-value |
Enabled | av.isGroupEnabled | 0 |
Default audio video template | av.ConferenceTemplateName_Default | Default Audio Video Template |
Cascaded Conference : 0= None 1=Bandwidth 2=Large conference | av.allowCascadedConference_Default | 0 |
Conference mode: | av.conferenceMode_Default | Mixed AVC and SVC |
Conference mode experience: | av.conferenceModeExperience_Default | Optimized for mobile devices |
Conference Line Rate: Sets the maximum allowed line rate for this conference template | av.ConferenceLineRate_Default | 384 |
Encryption: Allows user to choose the encryption type for this conference template 0=Encrypt all 1=Encrypt when possible 2=No encryption | av.allowConferenceEncryption_Default | 1 |
Video quality: Allows user to set video quality | av.videoQuality_Default | Sharpness |
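Added example (not part of the original post and not an IBM tool): a small Python audit that reads a policies.user.xml and reports security-relevant attributes from the tables above that deviate from a baseline. The element names in the sample and the baseline values are assumptions; the parser relies only on the `id` and `current-value` attributes named in the table headers.

```python
import xml.etree.ElementTree as ET

# Constructed sample. Element names are an assumption; the attribute names
# "id" / "current-value" and the values are taken from the tables above.
SAMPLE_POLICIES_XML = """<policies>
  <policy id="default">
    <policy-attribute-group id="imserver.policygroup.chat">
      <policy-attribute id="im.2019" current-value="0"/>
    </policy-attribute-group>
    <policy-attribute-group id="imserver.policygroup.filetransfer">
      <policy-attribute id="im.3" current-value="0"/>
      <policy-attribute id="im.4" current-value="exe,com,bat"/>
    </policy-attribute-group>
    <policy-attribute-group id="imserver.policygroup.mobile">
      <policy-attribute id="im.2028" current-value="0"/>
      <policy-attribute id="im.2032" current-value="0"/>
      <policy-attribute id="im.2034" current-value="1"/>
      <policy-attribute id="im.2037" current-value="8"/>
    </policy-attribute-group>
    <policy-attribute-group id="avserver.policygroup">
      <policy-attribute id="av.enableClientEncryption" current-value="2"/>
    </policy-attribute-group>
  </policy>
</policies>
"""

# Example baseline (an assumption, adjust to your own requirements):
# attribute id -> (label from the tables, check on the value, expected value).
BASELINE = {
    "im.2028": ("Disable untrusted SSL", lambda v: v == "1", "1"),
    "im.2032": ("Disable password save", lambda v: v == "1", "1"),
    "im.2034": ("Offline access password required", lambda v: v == "1", "1"),
    "im.2037": ("Offline access password minimum length",
                lambda v: v.isdigit() and int(v) >= 8, ">= 8"),
    "im.3": ("Use exclude file types transfer list", lambda v: v == "1", "1"),
    "av.enableClientEncryption": ("Enable encryption for client",
                                  lambda v: v in ("1", "2"), "1 or 2"),
    "av.allowConferenceEncryption_Default": ("Conference encryption",
                                             lambda v: v in ("0", "1"), "0 or 1"),
}


def read_policy_values(xml_text):
    """Return (id, current-value) for every element carrying both attributes."""
    root = ET.fromstring(xml_text)
    return [(el.get("id"), el.get("current-value").strip())
            for el in root.iter()
            if el.get("id") is not None and el.get("current-value") is not None]


def audit(xml_text, baseline=BASELINE):
    """Return findings as (attribute id, label, found value, expected)."""
    values = read_policy_values(xml_text)
    seen = {attr_id for attr_id, _ in values}
    # Every occurrence is checked, so a file with several policies is covered.
    findings = [(attr_id, baseline[attr_id][0], value, baseline[attr_id][2])
                for attr_id, value in values
                if attr_id in baseline and not baseline[attr_id][1](value)]
    # Attributes absent from the file are reported too (found value None).
    findings += [(attr_id, label, None, expected)
                 for attr_id, (label, _, expected) in baseline.items()
                 if attr_id not in seen]
    return sorted(findings, key=lambda f: f[0])


if __name__ == "__main__":
    for attr_id, label, found, expected in audit(SAMPLE_POLICIES_XML):
        state = "missing" if found is None else "is " + repr(found)
        print(f"{attr_id:38} {label}: {state}, expected {expected}")
```

Because the file is only read, this can run against a copy of policies.user.xml before and after a manual edit to confirm that nothing else changed.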
Sametime Missing single sign on token - again
Thomas Hampel
23 March 2015
Once again a customer ran into an issue with Missing Single Sign On Token - I have blogged about it before.
The Problem:
Initial authentication is working fine, but when disconnecting the network cable + reconnecting again, users see "Missing SingleSignOn Token", or authentication does not work at all without any error message.
The problem can be resolved by restarting the client. However, this is not an acceptable solution.
Analysis
As mentioned earlier, authentication via Domino SingleSignOn is working fine at the first Notes Client logon. On the client, the configuration pretty much looks like that:
I've enabled the following debug parameters as described here in the file rcpinstall.properties which is located in the folder
com.ibm.rcp.accounts.level=FINEST
org.apache.commons.httpclient.level=FINE
com.ibm.workplace.internal.notes.security.auth.level=FINEST
com.lotus.sametime.community.level=FINEST
com.ibm.collaboration.realtime.community.level=FINEST
com.ibm.collaboration.realtime.im.community.level=FINEST
com.ibm.collaboration.realtime.login.level=FINEST
com.ibm.rcp.internal.security.auth.module.level=FINEST
com.ibm.rcp.internal.security.level=FINEST
com.ibm.rcp.security.level=FINEST
Restarted the Notes client and started testing to reproduce the problem. Looking at the error log
Within the error log file of the client which is located in
Further down in the log there is even more information about this exception.
Solution
It seems like the LtpaToken requires a hierarchical name of a server in order to be validated correctly. This can be done by specifying the hierarchical name in the field "Host server" of your connection preferences, but doing so will show an alert that you should use a fully qualified DNS name in this field.
So better put the hierarchical name in the Authentication server field as shown here:
This can be any server which shares the same LtpaToken with the Sametime server. Of course you can also specify the Domino name of the Sametime server here.
How to deploy this setting automatically?
Within the managed community settings the parameter "authServerUrl" is used for this setting.
You can use a Desktop Policy setting to push this configuration setting down to all your clients. In the Managed Settings section, just add the following:
Item : authServerUrl
Value : hierarchical name of your Domino server, e.g. DominoServer/OU/Org
Plug-in name : com.ibm.collaboration.realtime.community
And you're done :)
Remarks
- A complete list of settings that can be predefined within the Sametime client by using Domino policies is available here
- Technote 1320442 - Collecting data for Embedded Sametime client for Notes 8.x clients
- Technote 1391284 - Pushing policy settings to the client for updating notes.ini and Eclipse preference settings
Collaborate with an IBM employee via Sametime - more details
Thomas Hampel
10 April 2014
On special request of a customer, here is a description of how to chat with IBM'ers directly.
This post describes what a single user needs to do in order to chat with IBM; other options such as B2B connections are available as well.
Step 1 - Get an IBM ID
If you don't already have an IBM ID, you can get one here.
An IBM ID is a username / password combination which provides access to IBM applications, services, communities, support, etc.
There is no charge for this ID.
Hint : Make sure you follow the password rules
Step 2a - Configure the Notes Client with embedded Sametime
If you have a Notes client (with embedded Sametime), configure the client to connect to IBM's external Sametime environment.
Please note, this will only work with Sametime clients of a specific version
1.) From within your Notes Client, go to File \ Preferences \ Sametime \ Server Communities
2.) Click "Add New Server Community"
3.) on the "Log In" tab, select Server community type to be "Sametime"
4.) Enter your IBM ID user name and password
5.) on the tab "Server", specify:
Host server - extst.ibm.com
Server community port - 80
6.) on the tab "Connection"
Deselect the option to use global connection settings
Connection type - Direct connection
7.) on the tab "Options", select "Use this server for awareness status lookup"
8.) Log on, and add IBM users to your contact list by looking up the email address.
For details, see Step 3
Step 2b - Web Browser
If you have neither a Notes client nor a standalone Sametime client, you can also use a web browser.
Just click this link to get started => http://extstweb.ibm.com/stwebclient/popup.jsp
Use your IBM ID to log on, and add IBM users to your contact list by looking up the email address.
Step 3 - Find the email address
Email addresses of IBM employees can be looked up on this web page, all you need to know is the last name of your contact.
http://www.ibm.com/contact/employees/us/
Sametime Missing single sign on token
Thomas Hampel
2 September 2013
I've just fixed an authentication issue in a customer environment and wanted to pass along the findings.
The problem:
Sametime users can log on via username/password, but SingleSignOn isn't working as expected.
On the client, the configuration pretty much looks like that:
Authentication via Domino SingleSignOn is working fine at the first Notes Client logon. Once the client disconnects (e.g. network disconnect, computer went on standby, etc.), the Notes client can no longer authenticate with the server. The error message "Missing single sign on token" is displayed.
For now, clients had to restart the Notes Client to log back into Sametime.
Root cause:
After successful authentication, the server is handing out a token (LtpaToken) to the client which seems to be bound to the DNS domain specified in this token.
The Sametime community configured at the client must be in the same DNS zone, otherwise users can only log in once but not re-logon without restarting the client.
Solution:
Check the following three places and make sure the DNS domain specified is the same.
- The LtpaToken used by the server
see Domino Directory : Web Configurations\Web SSO Configuration\LtpaToken
- The Server document
- Basics \ Fully Qualified Internet Host name
- Internet Protocols \ HTTP \ Host Name
- Notes Client Preferences \ Sametime Communities
<< obviously this screenshot shows a different Domain name than the one specified in the LtpaToken
Remarks
- Without an authentication server specified, Notes will obtain the token directly from the Sametime server configured. If the token is obtained from an authentication server, the secret key within the token of course will have to match the token configured in your Sametime server.
- A complete list of settings that can be predefined within the Sametime client by using Domino policies is available here
Collaborate with an IBM employee via Sametime
Thomas Hampel
25 January 2011
I have been asked several times how customers can talk or chat with IBM'ers directly. It still seems that people don't know that they can get access to IBM's internal Sametime environment by using the ST web client.
Collaborate with an IBM employee via Sametime... here is an explanation how to do that:
You can also take a Video Tour
If you want to find the email addresses of the people you know inside IBM, see here
http://www.ibm.com/contact/employees/us/