The document details the deployment of instant messaging for mobile devices, focusing on integration with IBM's Sametime systems, including server setup, configuration, and management using the Sametime System Console (SSC). Key topics covered include proxy servers, database configurations, security settings, mobile access, and troubleshooting common issues related to trusted IPs and media traffic. Several technical instructions and best practices for SSL certificate deployment and system clustering are also outlined.

1. Deploying Instant
Messaging For Mobile
Devices
Gabriella Davis
Technical Director
The Turtle Partnership
gabriella@turtlepartnership.com

2. Who Am I?
Admin of all things and especially quite
complicated things where the fun is
Working with security , healthchecks,
single sign on, design and deployment of
Domino, ST, Connec>ons and things that
they talk to
Stubborn and relentless problem solver
Lives in London about half of the >me
gabriella@turtlepartnership.com
twiDer: gabturtle
Awarded the first IBM Life>me
Achievement Award for Collabora>on
Solu>ons

3. Architecture

4. DB2
❖ Licensed as part of Sametime Communicate or Complete
❖ Used to store data for the Apple push notification activity
❖ If you aren’t using iOS devices then the DB2 database
for STProxy isn’t being used
❖ In default mode when coming out of the IM or
Meeting application on iOS it is remains backgrounded
and you remain logged in and available to other users
❖ Backgrounding can be disabled as a server setting

5. Sametime System Console
❖ The SSC is used to manage all the Sametime
components
❖ It must be aware of all servers in order to integrate
their services
❖ It also manages all policies
❖ A Sametime Proxy server doesn’t have to be installed as
part of the SSC Cell

6. Domino
❖ Sametime 9.0.1 still requires Domino and is still a 32bit application
❖ You must first install Domino before you can install the 32bit
Community Server using it

7. Community Server
❖ Installs on top of Domino
❖ Is a subtask of the HTTP server
❖ load staddin
❖ Create a deployment plan in the SSC and install using that so it’s federated
❖ All the other servers need to know about it
❖ Using Domino’s proprietary directory standard is no longer supported for any
components, you must use LDAP
❖ Using Domino as LDAP is supported

8. Sametime Proxy Server
❖ The Sametime Proxy server is a HTTP proxy which connects to the
Sametime Community Server
❖ By default it will attempt to consume any server in the domain
❖ Any server document with “Is Sametime Server” set to “yes”
❖ The Sametime Proxy server is used by
❖ Web clients
❖ Web meetings
❖ Mobile applications
❖ Awareness in applications
❖ Connections integration

9. Sametime System Console
Deployment Plan
Sametime Server
Server Configuration
Server Policies
DB2
SSC Policies (STSC)
STProxy for iOS push
Sametime Proxy Server
Web Proxy
Sametime Community
Server
Client Mobile Request
Request access for chat or
meetings over port 443
Request is passed to the
Community server for
validation
LDAP Server Community server
authenticates credentials
Policies are applied
Policies are read
Mobile Access Architecture

10. Client
Mobile
Request
InternalMobile DMZ
DB2
SSC Policies (STSC)
STProxy for iOS push
Sametime System Console
Deployment Plan
Sametime Server
Server Configuration
Server Policies
LDAP Server
Sametime Community Server
Sametime Proxy
Server
Request is passed
to the Community
server for validation
Community server authenticates
credentials
443
1516
Mobile Access and Security

11. Configuration

12. Create A Proxy Database
❖ Create a DB2 database to be used by iOS applications
❖ createProxyDb STPROXY db2admin
script to create the database
database schema

13. It can take a few minutes
to run but when complete
you should see this
message

14. Add It To The SSC
db2 server
hostname & port
Newly created db
name
stdb.turtlehost.net

15. Create A Deployment Plan
Only visible to
administrators not
users

16. Create A Deployment Plan
Each cluster can only have one primary node
Each cell can only
have one cluster of
each server type

17. Adding A Primary Node To The SSC
Add the new node to
the existing Cell (the
System Console)

18. Create A Deployment Plan
One option is to install additional
Sametime Proxy Servers in their
own cells

19. Hostname for the install
WebSphere credentials for the
install. If the server is federated
into an existing cell these are
removed

21. Confirming The Install

22. Verifying SSC-Proxy
host and credentials
the SSC uses to open the proxy
server

23. If this page opens
successfully you have
confirmed the routing from
SSC to Proxy

24. Installing Standalone
❖ The Sametime Proxy server can only be federated into
the SSC as a single cluster
❖ When WAS servers are clustered horizontally with a
primary and several secondary nodes , they are all
considered “equal”
❖ Horizontal clusters are not suitable if you want to
manage access by location

25. Virtual Hosts
❖ Create a specific virtual host for all the hostname:port
combinations your Sametime Proxy Server will use
❖ These should be unique within your cell as they tell WebSphere
how to route traffic to the application
❖ avoid using wildcard hostnames
application
ports

26. Mapping Virtual Hosts
❖ Once our virtual host is created we need to map the modules
associated with the application to use it instead of “default_host”

27. Proxy Server Configuration
how a web
meeting is started.
Servers should share a
LtpaToken
specific
community clusters by
name to use or specific
community servers

28. Mobile Configuration
server -wide settings
to determine client
behaviour

29. Meeting Server Configuration

30. Server-Wide Mobile Security Settings

31. Meeting Server Configuration
❖ There are additional settings that can be force users to
upgrade their mobile clients if they are using versions
older than X
❖ That’s a very specific, and potentially painful, admin
use case
❖ mobile.Android.currentVersion / mobile.Android.minVersion
❖ mobile.iOS.currentVersion / mobile.iOS.minVersion

32. Clustering
❖ Each cluster must be managed by a deployment manager
❖ That deployment manager can be, but does not have to be, the SSC
❖ There can be only one primary node in a cluster
❖ Deployment plans can only be created for one cluster of Sametime
Proxy Servers
❖ but a different cluster can be added manually
❖ Servers in the same cluster are considered the same for serving user
requests and users could be directed to any available member

33. Security

34. Reverse Proxies
❖ A reverse or authenticating proxy can provide secure
access through a DMZ to your meeting servers
❖ For larger deployments you may want to keep the
Sametime Proxy and Meeting Servers on the internal
network and use a reverse proxy in the DMZ
❖ These proxies will authenticate with the LDAP servers
directly before passing the authorisation through to the
application servers

35. Deploying A SSL Certificate
❖ Never deploy to mobile clients without SSL
❖ A trusted SSL certificate is particularly important when
deploying mobile clients
❖ Both the Chat and Meeting applications allow users to
accept untrusted SSL certificates
❖ You can turn that off in the server configuration
❖ Replace the installed internal SSL certificate with one
you have purchased

36. Adding A New SSL Certificate
❖ Under Security - SSL Certificates and Key Management
❖ We want to import the trusted roots of the CA into the Trust Store
❖ In this example GoDaddy suppled a CRT bundle that I simply “Added”

37. Adding A New SSL Certificate
❖ I then had the IBM signer created during install and the
GoDaddy signer that will be used to create my certificate

38. Creating A CSR
❖ The simplest method of getting a certificate into WebSphere is to create the CSR
there
❖ Then you can simple “receive” the new certificate into the DefaultKeyStore
BEWARE!!

39. Adding A Personal Certificate
❖ If you can’t do that, then a P12 works well
❖ You must have the private key component of the
certificate you want to add

40. Replacing The Default Certificate
❖ In my environment I have purchased a wildcard turtlehost.net certificate I want each
server to use
❖ Rather than individually change each server, I can replace the default certificate with
my new wildcard once it’s imported
❖ Select the “default” certificate and choose “Replace”

41. Or..Apply To EndPoints
❖ If I want to apply different certificates to different servers
I can do this by mapping the server endpoints to each one

42. You MUST map both the inbound and outbound
endpoints , sync and restart the servers

43. Beware! 4096 Certificates
❖ WebSphere Application Server does not support 4096
certificates out of the box
❖ Previously if you attempted to add one you would get
an error “RSA Premaster Secret” and it would refuse to
add
❖ Now you don’t get the error, it does add
❖ It just doesn’t work
❖ There’s an easy fix

44. Unrestricted Java Policy Files
❖ Downloaded the unrestricted java policy files from IBM Fix Central
❖ There are two files local_policy.jar and US_export_policy.jar that overwrite those in
❖ <websphere install directory>/java/jre/lib/security
❖ Shutdown your servers
❖ Replace the files
❖ Start the servers
❖ Not doing this and deploying 4096 certificates will lead to
❖ servers being unable to talk to each other
❖ you being unable to stop your servers cleanly
❖ audio and video not working

45. Chat Policies

46. Meeting Policies
❖ There are no specific policy settings for mobile users in
Meeting Rooms
❖ Mobile specific settings are in the Meeting server
configuration itself as they apply to all users
❖ Meeting policies apply to a user whether they are on a
mobile device or not

47. Media Policies
❖ The line rate will affect how much video data is broadcast
to the mobile client

48. Client Behaviour

49. Apple Push Notification Service
❖ To enable push notifications for iOS devices you must allow traffic outbound
❖ gateway.push.apple.com 2195
❖ feedback.push.apple.com 2196
❖ find the file apns-prod.pkcs12 which is on the Proxy server node
❖ <websphere profile>/config/cells/cellName/nodes/
stproxyPNNodename/apns-prod.pkcs12
❖ Copy it to the Node directory for any Sametime Proxy server under the
Deployment manager e.g.
❖ /STSCDMgrProfile/config/cells/balticcell/nodes/stproxynodename
❖ Always check fix central for an updated version of this certificate which needs to
be deployed

50. Google Cloud Messaging
❖ Used for Sametime notifications on Android devices
❖ Use “Retrieve from port” in the Trust Store to bring the
Google certificate into your deployment manager

51. Google Cloud Messaging

52. Tablet
Phone

53. Tablet
Phone

54. Tablet
Contact list
audio & video if you are
both able
Recent audio and
video calls

55. iOS Meetings
Phone - add files
Phone

56. Tablet
Screen sharing with
pointer activity
Conference
dial in

57. Phone
landscape mode
Phone
portrait mode

58. Creating A Meeting
❖ Shared files are commonly URLs or Photos
❖ The mobile application can’t access the mobile file system

59. Whiteboard Meeting on the iPad

60. Video Meeting on the iPad
click to
call via phone
(not my number :-))

61. Pre-Configuring Clients
❖ Create a custom URL for users that will provision their mobile chat
client
❖ sametime://@stproxy.turtlehost.net:443/?
AddCommunity&ssl=true
❖ creates a new community for the server stproxy.turtlehost.net
using the secure 443 port and prompts the user for their name
❖ Other optional parameters include
❖ savePassword (true/false)
❖ communityName (if you want to give it a specific name)

62. Sharing Meeting Server Configuration
Sharing options
also available on
Android devices

63. Troubleshooting

64. Trusted IPs
Long time bug.
When WAS writes the
Trusted IPs as a string
rather than a list
Until this is
fixed by saving the
document in
stconfig.nsf nothing
will work

65. Trusted IPs
❖ This has been a recurring problem since 8.5.2
❖ With this bug if you change the Trusted IPs in
WebSphere the next time the Community server is
restarted, they will be broken
❖ On 9.0.1 I’ve also seen an error where a single trusted ip
is listed with a “.” at the end, causing it to fail

66. Routing To The Correct Server
❖ Regardless which Community server you configure the Sametime
Proxy server to use in its deployment plan
❖ It can and will connect to any server in the Domino domain
configured as a “Sametime” server
❖ Edit the Sametime Proxy configuration to force routing to a
specific server, servers or cluster
❖ Check the SystemOut.log on the Sametime Proxy server to
determine which server it is trying to connect to
❖ Check the sametimexxx.log in the DominoTrace directory to
verify if connections are being refused and why

67. This is left empty on
install so by default all domain
Sametime servers can be
consumed

68. Re-Mapped Virtual Host
❖ During fix updates or patches it’s common for the
Virtual Hosts of each application to be reset to
“default_host” instead of the specific one we created
❖ If you get an error 500 or “SRVE0255E: A WebGroup/
Virtual Host to handle /mapping has not been defined”
these are commonly associated with an incorrect virtual
host

69. Bandwidth
❖ The largest consumption of resource for a Sametime
Proxy Server is the network
❖ If the server is virtualised, make sure the network card
assigned isn’t shared
❖ Monitor the network traffic to the server
❖ Audio and Video streams on mobile services are sent
via the Sometime Proxy server which was probably not
designed for media traffic

70. Mobile Bandwidth
❖ There is a maximum number of video feeds that are
supported for a Meeting on mobile devices
❖ the setting (which can’t be changed) is 4 + you
❖ This can be further limited if bandwidth goes beyond
the configured allowable amount

71. Media Using The Wrong Server
❖ Random media errors can be the result of the Conference Manager
attempting to connect to the wrong Community Server
❖ If everything else appears started with no errors, verify the SystemOut.log
of the Conference Manager for any errors relating to other servers
❖ If a server exists in the domain (Domino Directory) and has “Is This A
Sametime Server?” field marked as “yes” it will be consumed by the
servers in the SSC

72. Questions?