Having a full set of Sametime features available on mobile devices has been a priority for IBM. Whether you are deploying the complete feature set (meetings, audio and video) or just instant messaging, you can extend that functionality to mobile devices using the IBM Connections Chat and IBM Connections Meetings applications, which are available for most mobile platforms. In this session we review both the backend server configuration and the features available via the mobile applications, and discuss the usability, bandwidth and security implications.
4. DB2
❖ Licensed as part of Sametime Communicate or Complete
❖ Used to store data for the Apple push notification activity
❖ If you aren’t using iOS devices then the DB2 database
for STProxy isn’t being used
❖ In default mode, when you leave the IM or Meeting application on iOS it
remains backgrounded and you remain logged in and available to other users
❖ Backgrounding can be disabled as a server setting
5. Sametime System Console
❖ The SSC is used to manage all the Sametime
components
❖ It must be aware of all servers in order to integrate
their services
❖ It also manages all policies
❖ A Sametime Proxy server doesn’t have to be installed as
part of the SSC Cell
6. Domino
❖ Sametime 9.0.1 still requires Domino and is still a 32-bit application
❖ You must install Domino first before you can install the 32-bit
Community Server on top of it
7. Community Server
❖ Installs on top of Domino
❖ Is a subtask of the HTTP server
❖ load staddin
❖ Create a deployment plan in the SSC and install using that so it’s federated
❖ All the other servers need to know about it
❖ Using the native Domino Directory (rather than LDAP) for authentication is no longer
supported for any component; you must use LDAP
❖ Using Domino as the LDAP server is supported
8. Sametime Proxy Server
❖ The Sametime Proxy server is an HTTP proxy which connects to the
Sametime Community Server
❖ By default it will attempt to consume any server in the domain
❖ Any server document with “Is Sametime Server” set to “yes”
❖ The Sametime Proxy server is used by
❖ Web clients
❖ Web meetings
❖ Mobile applications
❖ Awareness in applications
❖ Connections integration
9. Mobile Access Architecture
(diagram) A mobile client requests access for chat or meetings over port 443. The request reaches the Sametime Proxy Server (behind a web proxy) and is passed to the Sametime Community Server for validation; the Community server authenticates the credentials against the LDAP server, then policies are read and applied. The Sametime System Console holds the deployment plan, the Sametime server configuration and the server policies; DB2 holds the SSC policies (STSC) and the STProxy database used for iOS push.
10. Mobile Access and Security
(diagram) The same flow with the network zones drawn in: the mobile client connects from the Internet over port 443 to the Sametime Proxy Server in the DMZ; the proxy passes the request to the Sametime Community Server on the internal network (port 1516), which authenticates the credentials against the LDAP server. The Sametime System Console (deployment plan, server configuration, server policies) and DB2 (SSC policies, STProxy for iOS push) also sit on the internal network.
12. Create A Proxy Database
❖ Create a DB2 database to be used by the iOS applications
❖ createProxyDb STPROXY db2admin
❖ (screenshot: the script that creates the database and its schema)
13. It can take a few minutes to run, but when complete you should see this message (screenshot)
14. Add It To The SSC
❖ (screenshot) Enter the DB2 server hostname and port (here stdb.turtlehost.net) and the name of the newly created database
23. If this page opens successfully you have confirmed the routing from the SSC to the Proxy (screenshot)
24. Installing Standalone
❖ The Sametime Proxy server can only be federated into
the SSC as a single cluster
❖ When WAS servers are clustered horizontally with a
primary and several secondary nodes, they are all
considered “equal”
❖ Horizontal clusters are not suitable if you want to
manage access by location
25. Virtual Hosts
❖ Create a specific virtual host for all the hostname:port
combinations your Sametime Proxy Server will use
❖ These should be unique within your cell, as they tell WebSphere
how to route traffic to the application
❖ Avoid using wildcard hostnames
❖ (screenshot: the virtual host with its application ports)
26. Mapping Virtual Hosts
❖ Once our virtual host is created we need to map the modules
associated with the application to use it instead of “default_host”
27. Proxy Server Configuration
❖ (screenshot of the Sametime Proxy configuration, with callouts for: how a web
meeting is started; servers should share an LtpaToken; specific community
clusters, by name, or specific community servers to use)
31. Meeting Server Configuration
❖ There are additional settings that can force users to
upgrade their mobile clients if they are using versions
older than X
❖ That’s a very specific, and potentially painful, admin
use case
❖ mobile.Android.currentVersion / mobile.Android.minVersion
❖ mobile.iOS.currentVersion / mobile.iOS.minVersion
32. Clustering
❖ Each cluster must be managed by a deployment manager
❖ That deployment manager can be, but does not have to be, the SSC
❖ There can be only one primary node in a cluster
❖ Deployment plans can only be created for one cluster of Sametime
Proxy Servers
❖ but a different cluster can be added manually
❖ Servers in the same cluster are considered the same for serving user
requests and users could be directed to any available member
34. Reverse Proxies
❖ A reverse or authenticating proxy can provide secure
access through a DMZ to your meeting servers
❖ For larger deployments you may want to keep the
Sametime Proxy and Meeting Servers on the internal
network and use a reverse proxy in the DMZ
❖ These proxies will authenticate with the LDAP servers
directly before passing the authorisation through to the
application servers
35. Deploying A SSL Certificate
❖ Never deploy to mobile clients without SSL
❖ A trusted SSL certificate is particularly important when
deploying mobile clients
❖ Both the Chat and Meeting applications allow users to
accept untrusted SSL certificates
❖ You can turn that off in the server configuration
❖ Replace the installed internal SSL certificate with one
you have purchased
36. Adding A New SSL Certificate
❖ Under Security - SSL Certificates and Key Management
❖ We want to import the trusted roots of the CA into the Trust Store
❖ In this example GoDaddy supplied a CRT bundle that I simply “Added”
37. Adding A New SSL Certificate
❖ I then had the IBM signer created during install and the
GoDaddy signer that will be used to create my certificate
38. Creating A CSR
❖ The simplest method of getting a certificate into WebSphere is to create the CSR
there
❖ Then you can simply “receive” the new certificate into the DefaultKeyStore
BEWARE!!
39. Adding A Personal Certificate
❖ If you can’t do that, then a P12 works well
❖ You must have the private key component of the
certificate you want to add
40. Replacing The Default Certificate
❖ In my environment I have purchased a wildcard turtlehost.net certificate I want each
server to use
❖ Rather than individually change each server, I can replace the default certificate with
my new wildcard once it’s imported
❖ Select the “default” certificate and choose “Replace”
41. Or..Apply To EndPoints
❖ If I want to apply different certificates to different servers
I can do this by mapping the server endpoints to each one
42. You MUST map both the inbound and outbound
endpoints, sync and restart the servers
43. Beware! 4096-bit Certificates
❖ WebSphere Application Server does not support 4096-bit
certificates out of the box
❖ Previously, if you attempted to add one you would get
an “RSA Premaster Secret” error and it would refuse to
add the certificate
❖ Now you don’t get the error and it does add
❖ It just doesn’t work
❖ There’s an easy fix
44. Unrestricted Java Policy Files
❖ Download the unrestricted Java policy files from IBM Fix Central
❖ There are two files, local_policy.jar and US_export_policy.jar, that overwrite those in
❖ <websphere install directory>/java/jre/lib/security
❖ Shut down your servers
❖ Replace the files
❖ Start the servers
❖ Not doing this and deploying 4096-bit certificates will lead to
❖ servers being unable to talk to each other
❖ you being unable to stop your servers cleanly
❖ audio and video not working
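The two certificate slides above (adding a personal certificate from a P12, and the 4096-bit key problem) both come down to checking the material before it goes into WebSphere. The following script is an added example, not part of the original deck and not IBM tooling: it assumes openssl is on the PATH, takes PEM files as arguments, confirms that the private key really belongs to the certificate, reports the key size so that keys larger than 2048 bits are caught before they silently break server-to-server TLS, and builds the P12 bundle with the export password taken from an environment variable rather than the command line.

```shell
#!/bin/sh
# Added example, not part of the original deck: pre-flight checks for a
# certificate and key before importing them into WebSphere (as a P12, or after
# receiving a CA-issued certificate into DefaultKeyStore). Assumes openssl is
# on the PATH; all file paths are arguments. Keys above 2048 bits are flagged
# because, as the deck notes, WebSphere needs the unrestricted policy files
# before a 4096-bit certificate actually works.

# Print the size in bits of the public key inside a PEM certificate.
# Matches both "RSA Public-Key: (n bit)" (OpenSSL 1.1) and "Public-Key: (n bit)" (3.x).
cert_key_bits() {
    openssl x509 -in "$1" -noout -text 2>/dev/null \
        | sed -n 's/.*Public-Key: (\([0-9][0-9]*\) bit).*/\1/p' | head -n 1
}

# Return 0 when the private key and the certificate carry the same public key
# (the "you must have the private key component" requirement for a P12).
key_matches_cert() {
    key_pub=$(openssl pkey -in "$1" -pubout 2>/dev/null) || return 1
    cert_pub=$(openssl x509 -in "$2" -noout -pubkey 2>/dev/null) || return 1
    [ -n "$key_pub" ] && [ "$key_pub" = "$cert_pub" ]
}

# Print "ok" for keys up to 2048 bits, "needs-unrestricted-policy" for larger
# keys, and "unreadable" (with a non-zero return) if the file cannot be parsed.
policy_requirement() {
    bits=$(cert_key_bits "$1")
    if [ -z "$bits" ]; then
        echo "unreadable"; return 1
    elif [ "$bits" -gt 2048 ]; then
        echo "needs-unrestricted-policy"
    else
        echo "ok"
    fi
}

# Bundle key + certificate + CA chain into a P12 for "Adding A Personal
# Certificate". The export password is read from the P12_PASS variable so it
# never appears in the process list. Refuses to build a mismatched bundle.
# Usage: build_p12 KEY.pem CERT.pem CHAIN.pem ALIAS OUT.p12
build_p12() {
    key_matches_cert "$1" "$2" || { echo "key does not match certificate" >&2; return 1; }
    openssl pkcs12 -export -inkey "$1" -in "$2" -certfile "$3" \
        -name "$4" -out "$5" -passout env:P12_PASS
}

# Stand-alone usage: ./certcheck.sh KEY.pem CERT.pem
if [ "$#" -eq 2 ]; then
    echo "key size: $(cert_key_bits "$2") bits ($(policy_requirement "$2"))"
    key_matches_cert "$1" "$2" && echo "key matches certificate" || echo "KEY MISMATCH"
fi
```

Run `policy_requirement` on every certificate you intend to map to an endpoint; if any of them reports needs-unrestricted-policy, replace the policy jars on every node first, then import.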
46. Meeting Policies
❖ There are no specific policy settings for mobile users in
Meeting Rooms
❖ Mobile specific settings are in the Meeting server
configuration itself as they apply to all users
❖ Meeting policies apply to a user whether they are on a
mobile device or not
47. Media Policies
❖ The line rate will affect how much video data is broadcast
to the mobile client
49. Apple Push Notification Service
❖ To enable push notifications for iOS devices you must allow outbound traffic to
❖ gateway.push.apple.com 2195
❖ feedback.push.apple.com 2196
❖ Find the file apns-prod.pkcs12, which is on the Proxy server node
❖ <websphere profile>/config/cells/cellName/nodes/
stproxyPNNodename/apns-prod.pkcs12
❖ Copy it to the node directory of any Sametime Proxy server under the
Deployment Manager, e.g.
❖ /STSCDMgrProfile/config/cells/balticcell/nodes/stproxynodename
❖ Always check Fix Central for an updated version of this certificate, which then needs to
be deployed in the same way
50. Google Cloud Messaging
❖ Used for Sametime notifications on Android devices
❖ Use “Retrieve from port” in the Trust Store to bring the
Google certificate into your deployment manager
60. Video Meeting on the iPad (screenshot; callout: click to call via phone)
61. Pre-Configuring Clients
❖ Create a custom URL for users that will provision their mobile chat
client
❖ sametime://@stproxy.turtlehost.net:443/?AddCommunity&ssl=true
❖ This creates a new community for the server stproxy.turtlehost.net
using the secure 443 port and prompts the user for their name
❖ Other optional parameters include
❖ savePassword (true/false)
❖ communityName (if you want to give it a specific name)
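If you hand these provisioning links out in bulk, it is worth generating them from a script so that every link uses ssl=true and the community name is safely encoded. The function below is an added example, not part of the deck and not an IBM tool. The base URL form is the one shown above; how the optional savePassword and communityName parameters are appended (as further &name=value pairs) and the percent-encoding of the community name are assumptions of this example, so check a generated link against a client before distributing it.

```shell
#!/bin/sh
# Added example, not part of the original deck: generate the provisioning URL
# for the Sametime mobile chat client. Base form (from the deck):
#   sametime://@HOST:PORT/?AddCommunity&ssl=true
# Assumptions of this example: optional parameters are appended as additional
# &name=value pairs, and the community name is percent-encoded (ASCII only).

# Percent-encode everything except RFC 3986 unreserved characters.
urlencode() {
    s=$1; out=
    while [ -n "$s" ]; do
        c=${s%"${s#?}"}          # first character
        s=${s#?}                 # remainder
        case $c in
            [A-Za-z0-9._~-]) out="$out$c" ;;
            *) out="$out$(printf '%%%02X' "'$c")" ;;
        esac
    done
    printf '%s' "$out"
}

# build_community_url HOST PORT SSL [SAVE_PASSWORD] [COMMUNITY_NAME]
# Refuses to emit a non-SSL link: the deck's rule is never to deploy mobile
# clients without SSL, and a provisioning link is the easiest place to slip.
build_community_url() {
    host=$1; port=$2; ssl=$3; save=${4:-}; name=${5:-}
    if [ "$ssl" != "true" ]; then
        echo "refusing to generate a non-SSL provisioning URL for $host:$port" >&2
        return 1
    fi
    url="sametime://@$host:$port/?AddCommunity&ssl=$ssl"
    if [ -n "$save" ]; then
        url="$url&savePassword=$save"
    fi
    if [ -n "$name" ]; then
        url="$url&communityName=$(urlencode "$name")"
    fi
    printf '%s\n' "$url"
}

# Stand-alone usage: ./sturl.sh stproxy.turtlehost.net 443 true false "Turtle Host"
if [ "$#" -ge 3 ]; then
    build_community_url "$@"
fi
```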
64. Trusted IPs
❖ (screenshot) Long-time bug: WAS writes the Trusted IPs as a string
rather than a list. Until this is fixed by saving the document in
stconfig.nsf, nothing will work.
65. Trusted IPs
❖ This has been a recurring problem since 8.5.2
❖ With this bug if you change the Trusted IPs in
WebSphere the next time the Community server is
restarted, they will be broken
❖ On 9.0.1 I’ve also seen an error where a single trusted ip
is listed with a “.” at the end, causing it to fail
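Because a single stray character in this field stops the Community server from trusting the proxy at all, it is worth validating the value before saving it. The script below is an added example, not part of the deck and not an IBM tool; it assumes the Trusted IPs value is a comma-separated list of IPv4 addresses (the only form the slides describe) and reports exactly the defects mentioned above: a trailing ".", whitespace around entries, empty entries, and values that are not addresses.

```shell
#!/bin/sh
# Added example, not part of the original deck: sanity-check a Trusted IPs
# value before it is saved into stconfig.nsf. Assumes the value is a
# comma-separated list of IPv4 addresses.

# Return 0 when the argument is a well-formed dotted-quad IPv4 address
# (four decimal octets, each 0-255, nothing before or after).
is_ipv4() {
    addr=$1
    printf '%s\n' "$addr" | grep -Eq '^([0-9]{1,3}\.){3}[0-9]{1,3}$' || return 1
    oldifs=$IFS; IFS=.
    set -- $addr
    IFS=$oldifs
    for o in "$@"; do
        [ "$o" -le 255 ] || return 1
    done
    return 0
}

# Validate a whole Trusted IPs string. Prints one line per problem found and
# returns non-zero if any entry is bad. A "10.1.2.3." entry (the 9.0.1 trailing
# dot) and a "10.1.2.3, 10.1.2.4" entry (space after the comma) both fail.
validate_trusted_ips() {
    list=$1
    rc=0
    oldifs=$IFS; IFS=,
    set -- $list
    IFS=$oldifs
    if [ "$#" -eq 0 ]; then
        echo "empty Trusted IPs value"; return 1
    fi
    for entry in "$@"; do
        case $entry in
            *.)     echo "trailing dot: '$entry'"; rc=1 ;;
            *' '*)  echo "embedded whitespace: '$entry'"; rc=1 ;;
            '')     echo "empty entry in list"; rc=1 ;;
            *)      is_ipv4 "$entry" || { echo "not an IPv4 address: '$entry'"; rc=1; } ;;
        esac
    done
    return $rc
}

# Stand-alone usage: ./trustedips.sh "10.1.2.3,10.1.2.4"
if [ "$#" -eq 1 ]; then
    validate_trusted_ips "$1" && echo "Trusted IPs value looks sane"
fi
```

Run it against the value shown in the WebSphere console after every Community server restart; if it fails, correct the list, save the document in stconfig.nsf as the slide describes, and re-run the check.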
66. Routing To The Correct Server
❖ Regardless of which Community server you configure the Sametime
Proxy server to use in its deployment plan
❖ It can and will connect to any server in the Domino domain
configured as a “Sametime” server
❖ Edit the Sametime Proxy configuration to force routing to a
specific server, servers or cluster
❖ Check the SystemOut.log on the Sametime Proxy server to
determine which server it is trying to connect to
❖ Check the sametimexxx.log in the DominoTrace directory to
verify if connections are being refused and why
67. (screenshot) This field is left empty on install, so by default all Sametime servers in the domain can be consumed
68. Re-Mapped Virtual Host
❖ During fix updates or patches it’s common for the
Virtual Hosts of each application to be reset to
“default_host” instead of the specific one we created
❖ If you get an error 500 or “SRVE0255E: A WebGroup/
Virtual Host to handle /mapping has not been defined”,
these are commonly caused by an incorrect virtual
host mapping
69. Bandwidth
❖ The largest consumption of resource for a Sametime
Proxy Server is the network
❖ If the server is virtualised, make sure the network card
assigned isn’t shared
❖ Monitor the network traffic to the server
❖ Audio and video streams for mobile clients are sent
via the Sametime Proxy server, which was probably not
designed for media traffic
70. Mobile Bandwidth
❖ There is a maximum number of video feeds that are
supported for a Meeting on mobile devices
❖ the setting (which can’t be changed) is 4 + you
❖ This can be further limited if bandwidth goes beyond
the configured allowable amount
71. Media Using The Wrong Server
❖ Random media errors can be the result of the Conference Manager
attempting to connect to the wrong Community Server
❖ If everything else appears started with no errors, verify the SystemOut.log
of the Conference Manager for any errors relating to other servers
❖ If a server exists in the domain (Domino Directory) and has the “Is This A
Sametime Server?” field set to “yes”, it will be consumed by the
servers in the SSC