Over the years I have always struggled to get to grips with business cards and particularly photos mainly because I do it for a customer, forget about it and then have to do it again six months later. I have a Sametime 9 build coming up and I wanted to revisit business cards and for once write a conclusive guide which I have decided to share in case it helps anyone else out there.

Note – I have not yet looked at the mobile applications and how business cards and photos are obtained from them. I believe that the mobile application needs to have a direct connection to the photo, i.e. it needs to be resolvable from the internet, outside your firewall. There may be a way around this by using the STProxy setting “The URL where stproxy downloads users’ photos.” This writes to stproxyconfig.xml and instructs STProxy where to obtain photos from, so only STProxy needs access to the photos and not the mobile clients on the internet.

I am running the following:

  • IBM Sametime 9 HF1 with latest patch.
  • IBM Domino 9x LDAP.
  • All servers sit on CentOS 6.4.

Where to store your photos?

You have three options, although there are really only two:

  1. In your LDAP which is the Domino directory in my case.
  2. Web server.
  3. Domino database.

Option 1 is really a no go. Increasing the size of names.nsf is a no no and can lead to administration problems going forward especially if you have a large user base. So the remaining options are discussed as follows.

Web server

Pretty simple really. Remember though that you cannot force authentication to the web server so anyone can access it but it can be behind a firewall (see notes above). For ease I put my photos on the Community server in /opt/ibm/dominodata/domino/html/sametime/photos/

Domino database

I like this approach for the following reasons:

  • You can build in checks for file size, name and case when attaching an image.
  • You can control the ACL.
  • You could offer a means of bulk uploading files.
  • Replicate the database to a server that is accessible to users.
  • Stop abuse by only allowing users to edit their own photo.
  • Allow a URL template to be followed so all photos are obtainable from a URL such as http://abc.collaborationben.com/bcard.nsf/Ben.Williams@collaborationben.com.jpg, changing the email address for each user.

I have been using a basic database provided by IBM for my testing purposes so all the good stuff above has been verified by a developer as doable.

Things to remember

  • The case of the photo must be as follows, Ben.Williams@collaborationben.com. Be mindful of the capital “B” and “W”.
  • The size of the file should be small, ideally under 10kb though some Technotes say under 64kb. Smaller is better in this case.
  • If you need to clear the cache then delete the following directories (taken from a standalone Connect client on Windows 7).
    • C:\Users\ben williams\AppData\Roaming\IBM\Sametime\.metadata\.plugins\com.ibm.collaboration.realtime.people.impl\PersonCache
    • C:\Users\ben williams\AppData\Roaming\IBM\Sametime\.metadata\.plugins\com.ibm.rcp.bizcard\Cache
  • I do not have a database available which does what I want i.e. provide a URL template so I have to fudge it in my steps but you should get the idea.
    • The URL template is really only required for meetings BUT it makes sense to keep all the values the same.

Photos using a database

Notes client

Create a form in bcard.nsf attaching the image and adding your email address. The email address is used to look up your image.

form

Update your person document with the URL to your photo. Ideally this will use a URL template but for my purposes I have used the fixed URL.

persondoc1

Stop your Community server and locate UserInfoConfig.xml. Make a back up of the file and then edit it.

Add your bind username and password, which will be removed and encrypted automatically later. Importantly, add the text in bold.

<?xml version ="1.0" encoding="UTF-8" ?>
<!-- ***************************************************************** -->
<!--                                                                   -->
<!-- IBM Confidential                                                  -->
<!--                                                                   -->
<!-- OCO Source Materials                                              -->
<!--                                                                   -->
<!-- (C) Copyright IBM Corp. 2006                                      -->
<!--                                                                   -->
<!-- The source code for this program is not published or otherwise    -->
<!-- divested of its trade secrets, irrespective of what has been      -->
<!-- deposited with the U.S. Copyright Office.                         -->
<!--                                                                   -->
<!-- ***************************************************************** -->

<UserInformation>
<Resources>
<Storage type="LDAP">
<StorageDetails  HostName="****.collaborationben.com" Port="389"  UserName="" Password="" UserEncodedAuth="*****************************" SslEnabled="false"  SslPort="636" BaseDN=""  Scope="2" SearchFilter="(&amp;(objectclass=organizationalPerson)(|(cn=%s)(givenname=%s)(sn=%s)(mail=%s)))"/>
<!-- Add another StorageDetails tag to support another ldap server. The listing order implies the searching order -->

<!-- Scope: 0=OBJECT_SCOPE 1=ONELEVEL_SCOPE 2=SUBTREE_SCOPE-->
<SslProperties KeyStorePath=""  KeyStorePassword=""/>
<Details>
<Detail Id="MailAddress" FieldName="mail" Type="text/plain"/>
<Detail Id="Name"  FieldName="cn" Type="text/plain"/>
<Detail Id="Title"  FieldName="title" Type="text/plain"/>
<Detail Id="Location"  FieldName="postalAddress" Type="text/plain"/>
<Detail Id="Telephone"  FieldName="mobile,telephoneNumber" Type="text/plain"/>
<Detail Id="Company" FieldName="ou" Type="text/plain"  />
jpeg"  />
</Details>
</Storage>

<Storage type="NOTES_CUSTOM_DB">
<StorageDetails DbName="bcard.nsf" View="viewPerson"/>
<Details>
jpeg"/>
</Details>
</Storage>

</Resources>

<ParamsSets>
<Set SetId="0" params="MailAddress,Name,Title,Location,Telephone,Photo,Company"/>
<Set SetId="1" params="MailAddress,Name,Title,Location,Telephone,Photo,Company"/>
</ParamsSets>
<BlackBoxConfiguration>
<BlackBox  type="LDAP" name="com.ibm.sametime.userinfo.userinfobb.UserInfoLdapBB"  MaxInstances="5" />
<BlackBox type="NOTES_CUSTOM_DB" name="com.ibm.sametime.userinfo.userinfobb.UserInfoNotesCustomBB" MaxInstances="4"/>

</BlackBoxConfiguration>

</UserInformation>

Save and close and in the SSC (Sametime System Console – Sametime Servers – Sametime Community Servers – Deployment Identifier – Business Card) configure the following in line with the image.

ssc1

Note: The photo value is “user defined” and blank to ensure it is retrieved from the secondary repository (the Notes application) and not from the primary repository, which is the LDAP directory.

mobile,telephoneNumber

I added two values here so that both my office and mobile numbers appear on the same line in the business card. You can read more here.
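
The StorageDetails element is where the LDAP bind account lives, and the UserEncodedAuth values in the later listings on this page are plain Base64 text, which decodes without a key. The Python audit below is an added example, not part of the original post or IBM tooling; it flags cleartext LDAP and recoverable bind credentials in a UserInfoConfig.xml. The sample host, bind DN and password are constructed, and it assumes SslEnabled="false" means the bind to Port is not wrapped in SSL.

```python
import base64
import binascii
import xml.etree.ElementTree as ET

# Constructed bind credential for the sample below (not a real account).
SAMPLE_AUTH = base64.b64encode(b"cn=example-bind,o=example:Constructed-Pw-1").decode()

# Constructed config modelled on the StorageDetails elements in this post.
SAMPLE_CONFIG = f"""<UserInformation>
  <Resources>
    <Storage type="LDAP">
      <StorageDetails HostName="ldap.example.test" Port="389" UserName="" Password=""
        UserEncodedAuth="{SAMPLE_AUTH}" SslEnabled="false" SslPort="636"
        BaseDN="" Scope="2"
        SearchFilter="(&amp;(objectclass=organizationalPerson)(mail=%s))"/>
    </Storage>
    <Storage type="NOTES_CUSTOM_DB">
      <StorageDetails DbName="bcard.nsf" View="viewPerson"/>
    </Storage>
  </Resources>
</UserInformation>"""


def decode_encoded_auth(value):
    """Return (bind_dn, password) when value is Base64 of 'dn:password', else None."""
    if not value:
        return None
    try:
        text = base64.b64decode(value, validate=True).decode("utf-8")
    except (binascii.Error, UnicodeDecodeError):
        return None  # masked or otherwise non-Base64 value
    bind_dn, sep, password = text.partition(":")
    if not sep or "=" not in bind_dn:
        return None
    return bind_dn, password


def audit_userinfo_config(xml_text):
    """Return (host, finding_id, detail) tuples for each LDAP StorageDetails element."""
    findings = []
    for sd in ET.fromstring(xml_text).iter("StorageDetails"):
        host = sd.get("HostName")
        if host is None:  # NOTES_CUSTOM_DB entries carry DbName/View instead
            continue
        if sd.get("SslEnabled", "false").strip().lower() != "true":
            findings.append((host, "cleartext-ldap",
                             f"bind and lookups use port {sd.get('Port')} without SSL"))
        if sd.get("UserName") or sd.get("Password"):
            findings.append((host, "plaintext-credential",
                             "UserName/Password still present in clear text"))
        decoded = decode_encoded_auth(sd.get("UserEncodedAuth", ""))
        if decoded:
            bind_dn, password = decoded
            # Report the account, never the password itself.
            findings.append((host, "reversible-credential",
                             f"UserEncodedAuth decodes to {bind_dn} "
                             f"(password of {len(password)} characters)"))
    return findings


if __name__ == "__main__":
    for host, finding_id, detail in audit_userinfo_config(SAMPLE_CONFIG):
        print(f"{host}: {finding_id}: {detail}")
```

A reversible-credential finding means the file deserves the same handling as a password file: readable only by the account that runs the Community server, with a bind account limited to read-only directory access.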

At this point I hit a snag and a photo wasn’t appearing in my client. I added the following to the sametime.ini.

[Debug]
USERINFO_DEBUG_LEVEL=5

After restarting the Community server I got the following in STUserInfoSA*.txt in the Trace directory.

[ 11:23:27.664 | 19.08.2014 | INFO | 22 ] : ImageExtractor : extractImage : export field to XML is now completed.
[ 11:23:27.678 | 19.08.2014 | SEVERE | 22 ] : ImageExtractor : extractImage : extractImage Exception:
com.ibm.sametime.userinfo.userinfobb.ImageExtractor$ImageNotFoundException: Image file type not supported: williams@collaborationben.com.jpg
at com.ibm.sametime.userinfo.userinfobb.ImageExtractor$ImageParsingHandler.handleFileDataTag(ImageExtractor.java:240)
at com.ibm.sametime.userinfo.userinfobb.ImageExtractor$ImageParsingHandler.startElement(ImageExtractor.java:188)

I changed the file name and attached it to my form in bcard.nsf again and the photo appeared.

A good test at this point is to call the UserInfoServlet from a web browser. The URL will be something like http://communityserver.collaborationben.com/servlet/UserInfoServlet?operation=3&userId=CN=ben%20williams,O=Collaborationben&setid=1

You should see the XML data that makes up the business card. Most importantly you want to see the binary data where the photo should be.

servlet

If you see “UNAVAILABLE” or similar then enable trace.

You should see.

client_bizcard

Sametime Proxy

Open UserInfoConfig.xml and add the values in bold.

<Detail Id="Location"  FieldName="postalAddress" Type="text/plain"/>
<Detail Id="Telephone"  FieldName="mobile,telephoneNumber" Type="text/plain"/>
<Detail Id="Company" FieldName="ou" Type="text/plain"  />
jpeg"  />
<Detail Id="PhotoURL" FieldName="PhotoURL" Type="text/plain"/>
</Details>
</Storage>

<Storage type="NOTES_CUSTOM_DB">
<StorageDetails DbName="bcard.nsf" View="viewPerson"/>
<Details>
jpeg"/>
</Details>
</Storage>

</Resources>

<ParamsSets>
<Set SetId="0" params="MailAddress,Name,Title,Location,Telephone,Photo,PhotoURL,Company"/>
<Set SetId="1" params="MailAddress,Name,Title,Location,Telephone,Photo,PhotoURL,Company"/>
</ParamsSets>

Restart the Community server and Sametime Proxy.

What is odd is why the address doesn’t appear in the STProxy web client but it does in the thick client. Hmm..

stproxy2

Photos in meetings using web server

The meeting server uses a different approach and does not use the PhotoURL value in your person document. I guess this is because they do not want VMM to have to look up LDAP and then follow the URL to another source. So, with this in mind, it uses a URL template, which I mentioned previously.

Since my database doesn’t allow for anything fancy I have had to cheat and copy the image that is attached to my form in bcard.nsf to /opt/ibm/dominodata/domino/html/sametime/photos/ and save it as Ben.Williams@collaborationben.com.jpg. The case matters. It may matter because I am using Linux or it could be because Java cares too.

In the SSC go to (Sametime System Console – Sametime Servers – Sametime Meeting Servers – Deployment Identifier) and change the values as follows:

userInfoImageAttr – You can enter anything here, it doesn’t matter.
userInfoRedirect – true
userInfoUrlTemplate – http://communityserver.collaborationben.com/sametime/photos/{0}.jpg

Explanation:

userInfoImageAttr – this will use an LDAP attribute and is ignored if userInfoRedirect is set to true. This is used when you have uploaded your image to LDAP.
userInfoRedirect – set to true so that the userInfoUrlTemplate is used. Set to false and userInfoImageAttr is used.
userInfoUrlTemplate – This is a URL template where you will store your images.

meetingserver_ssc

Apply and OK the changes and restart the meeting server.

On joining your meeting room you will see the following written to the SystemOut.log.

[8/19/14 15:31:27:797 BST] 0000010b ServletWrappe I com.ibm.ws.webcontainer.servlet.ServletWrapper init SRVE0242I: [Sametime Meeting Server] [/userinfo] [ImageServlet]: Initialization successful.
[8/19/14 15:31:27:802 BST] 0000010b ImageServlet  I   UserInfo template URL changed from[] to[http://communityserver.collaborationben.com/sametime/photos/{0}.jpg], flushing cache

You will see an image but if you initiate the business card that will use STProxy.

meetingserver_browser

In the client the image will be taken from client via UserInfoServlet and the normal client based business card.

meetingserver_client

Finally, if you do not want to use a Domino database and put all your images on a web server then take a look at what follows.

Web server

Edit UserInfoConfig.xml as follows. Take notice of the bold text.

<?xml version ="1.0" encoding="UTF-8" ?>
<!-- ***************************************************************** -->
<!--                                                                   -->
<!-- IBM Confidential                                                  -->
<!--                                                                   -->
<!-- OCO Source Materials                                              -->
<!--                                                                   -->
<!-- (C) Copyright IBM Corp. 2006                                      -->
<!--                                                                   -->
<!-- The source code for this program is not published or otherwise    -->
<!-- divested of its trade secrets, irrespective of what has been      -->
<!-- deposited with the U.S. Copyright Office.                         -->
<!--                                                                   -->
<!-- ***************************************************************** -->

<UserInformation>
<ReadStConfigUpdates value="false"/>
<Resources>
<Storage type="LDAP">
<StorageDetails  HostName="ldap.collaborationben.com" Port="389"  UserName="" Password="" UserEncodedAuth="Y249c3Q5LWJpbmQsbz1jb2xsYWJvcmF0aW9uYmVuOnBhc3N3MHJk" SslEnabled="false"  SslPort="636" BaseDN=""  Scope="2" SearchFilter="(&amp;(objectclass=organizationalPerson)(|(cn=%s)(givenname=%s)(sn=%s)(mail=%s)))"/>
<!-- Add another StorageDetails tag to support another ldap server. The listing order implies the searching order -->

<!-- Scope: 0=OBJECT_SCOPE 1=ONELEVEL_SCOPE 2=SUBTREE_SCOPE-->
<SslProperties KeyStorePath=""  KeyStorePassword=""/>
<Details>
<Detail Id="MailAddress" FieldName="mail" Type="text/plain"/>
<Detail Id="Name"  FieldName="cn" Type="text/plain"/>
<Detail Id="Title"  FieldName="title" Type="text/plain"/>
<Detail Id="Location"  FieldName="postalAddress" Type="text/plain"/>
<Detail Id="Telephone"  FieldName="mobile,telephoneNumber" Type="text/plain"/>
<Detail Id="Company" FieldName="companyname" Type="text/plain"  />
<Detail Id="PhotoURL" FieldName="PhotoURL" Type="text/plain"/>
<Detail Id="ImagePath" FieldName="PhotoURL" Type="text/plain"/>
</Details>
</Storage>

</Resources>

<ParamsSets>
<Set SetId="0" params="MailAddress,Name,Title,Location,Telephone,PhotoURL,ImagePath,Company"/>
<Set SetId="1" params="MailAddress,Name,Title,Location,Telephone,PhotoURL,ImagePath,Company"/>
</ParamsSets>
<BlackBoxConfiguration>
<BlackBox  type="LDAP" name="com.ibm.sametime.userinfo.userinfobb.UserInfoLdapBB"  MaxInstances="5" />

</BlackBoxConfiguration>

</UserInformation>

You’ll notice that the custom database (bcard.nsf) has been removed. There’s no need for it now we are using a web server to host the images.

<ReadStConfigUpdates value="false"/>
This setting, when set to false, will force the STUserInfo SA to use the configuration information stored in UserInfoConfig.xml rather than the settings in the SSC (Sametime System Console – Sametime Servers – Sametime Community Servers – Deployment Identifier – Business Card). Without setting this value as false you would not be able to add ImagePath which is what the Notes client needs to display the URL based jpg.

PhotoURL
This value will be used by STProxy and is linked in the UserInfoConfig.xml to PhotoURL on the user’s person document.

ImagePath
This is used by the Notes client to find the image from the web server.

Make the changes and restart the Community server and probably STProxy and meetings for good measure. Remember you have already set the URL template for meetings.

The results are the same as in my previous screen shots.

The web server approach can be used for populating images from Connections and there are a number of good Technotes and blogs from others as to what URL template to use. You can even configure STProxy to use the Connections business card, which provides Profiles, Blogs and more data in the business card. I haven’t yet populated it with my Connections 5 business card but will get around to it soon.

UPDATE

Cormac O’Leary (Team Lead of Sametime PMR team in Dublin) pinged me an email and suggested that I add the DisplaySeparator detailed here. The documentation says to use…

FieldName="telephoneNumber,mobile" Type="text/plain" DisplaySeparator="/"/>

This didn’t work for me but Cormac’s example had additional spaces which are not documented in the Knowledge Center.

I updated my UserInfoConfig.xml and changed my person document so you don’t know my mobile and home address as follows.

<?xml version ="1.0" encoding="UTF-8" ?>
<!-- ***************************************************************** -->
<!--                                                                   -->
<!-- IBM Confidential                                                  -->
<!--                                                                   -->
<!-- OCO Source Materials                                              -->
<!--                                                                   -->
<!-- (C) Copyright IBM Corp. 2006                                      -->
<!--                                                                   -->
<!-- The source code for this program is not published or otherwise    -->
<!-- divested of its trade secrets, irrespective of what has been      -->
<!-- deposited with the U.S. Copyright Office.                         -->
<!--                                                                   -->
<!-- ***************************************************************** -->

<UserInformation>
<ReadStConfigUpdates value="false"/>
<Resources>
<Storage type="LDAP">
<StorageDetails  HostName="ldap.collaborationben.com" Port="389"  UserName="" Password="" UserEncodedAuth="Y249c3Q5LWJpbmQsbz1jb2xsYWJvcmF0aW9uYmVuOnBhc3N3MHJk" SslEnabled="false"  SslPort="636" BaseDN=""  Scope="2" SearchFilter="(&amp;(objectclass=organizationalPerson)(|(cn=%s)(givenname=%s)(sn=%s)(mail=%s)))"/>
<!-- Add another StorageDetails tag to support another ldap server. The listing order implies the searching order -->

<!-- Scope: 0=OBJECT_SCOPE 1=ONELEVEL_SCOPE 2=SUBTREE_SCOPE-->
<SslProperties KeyStorePath=""  KeyStorePassword=""/>
<Details>
<Detail Id="MailAddress" FieldName="mail" Type="text/plain"/>
<Detail Id="Name"  FieldName="cn" Type="text/plain"/>
<Detail Id="Title"  FieldName="title" Type="text/plain"/>
<Detail Id="Location"  FieldName="officestreetaddress,l,st,postalcode,c" DisplaySeparator=" / " Type="text/plain"/>
<Detail Id="Telephone"  FieldName="mobile,telephoneNumber" DisplaySeparator=" / " Type="text/plain"/>
<Detail Id="Company" FieldName="companyname,department" DisplaySeparator=" / " Type="text/plain"/>
<Detail Id="PhotoURL" FieldName="PhotoURL" Type="text/plain"/>
<Detail Id="ImagePath" FieldName="PhotoURL" Type="text/plain"/>
</Details>
</Storage>

</Resources>

<ParamsSets>
<Set SetId="0" params="MailAddress,Name,Title,Location,Telephone,PhotoURL,ImagePath,Company"/>
<Set SetId="1" params="MailAddress,Name,Title,Location,Telephone,PhotoURL,ImagePath,Company"/>
</ParamsSets>
<BlackBoxConfiguration>
<BlackBox  type="LDAP" name="com.ibm.sametime.userinfo.userinfobb.UserInfoLdapBB"  MaxInstances="5" />

</BlackBoxConfiguration>

</UserInformation>

I opted for a forward slash as the display separator; you could use pipes or whatever, see what works.

The results are as follows and they look better.

client_bizcard2

stproxy3

One thing you might want to consider is if you are using a telephony solution like SUT which relies on telephone numbers in the business cards for click to call. Having various numbers on the same Detail Id may cause problems but it’s something to test.

I saw this problem a couple of years ago but didn’t follow it up with IBM through a PMR. For another customer I found the following happened after I applied the latest Sametime Proxy 8.5.2.1 (STProxy) patch available on Fix Central.

After applying the update the stproxyconfig.xml was changed and the bespoke values that were previously there were removed. This was odd in itself, but after applying the values again through the SSC the values stuck.

The values that were removed are as follows.

Before update:

<appleNotificationHostName>gateway.push.apple.com</appleNotificationHostName>
<appleNotificationPort>2195</appleNotificationPort>
<appleFeedbackHostName>feedback.push.apple.com</appleFeedbackHostName>
<appleFeedbackPort>2196</appleFeedbackPort>

<meeting>
<host>stmeeting.collaborationben.com</host>
<port>80</port>
<type>2</type>
<isSecure>true</isSecure>
</meeting>

After update:

<appleNotificationHostName>gateway.push.apple.com</appleNotificationHostName>
       <appleNotificationPort>2196</appleNotificationPort>
<appleFeedbackHostName>feedback.push.apple.com</appleFeedbackHostName>
<appleFeedbackPort>2196</appleFeedbackPort>

<meeting>
        <host/>
        <port/>
        <type>0</type>
<isSecure>true</isSecure>
</meeting>

After I corrected the Meeting server URL and the appleNotificationPort I synced the node and restarted STProxy.

It wasn’t until making a change to the userTimeout value and applying the change in the SSC I noticed that the value for appleNotificationPort was changed (again) from 2195 to the incorrect value of 2196.

I logged a PMR and was told that the problem with saving the STProxy configuration in the SSC and it changing the appleNotificationPort value was reported in SPR #DMWR8UCR58 and APAR  LO69429.

I have tested on a Sametime 9 Proxy with the latest patch and cannot reproduce the behaviour.

It’s something to be aware of when updating STProxy and making changes in the SSC.
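
One way to catch this kind of silent change is to snapshot the affected elements of stproxyconfig.xml before a fix pack or an SSC save and compare them afterwards. The Python check below is an added example, not IBM tooling or code from the original post; the <stproxy> root element wrapping the fragments is an assumption, since the post shows only the elements that changed.

```python
import xml.etree.ElementTree as ET

# Elements the post saw change or reset; looked up at any depth in the file.
WATCHED = (
    "appleNotificationHostName", "appleNotificationPort",
    "appleFeedbackHostName", "appleFeedbackPort",
    "meeting/host", "meeting/port", "meeting/type", "meeting/isSecure",
)

# "Before update" fragment from the post, wrapped in an assumed root element.
BEFORE = """<stproxy>
<appleNotificationHostName>gateway.push.apple.com</appleNotificationHostName>
<appleNotificationPort>2195</appleNotificationPort>
<appleFeedbackHostName>feedback.push.apple.com</appleFeedbackHostName>
<appleFeedbackPort>2196</appleFeedbackPort>
<meeting>
<host>stmeeting.collaborationben.com</host>
<port>80</port>
<type>2</type>
<isSecure>true</isSecure>
</meeting>
</stproxy>"""

# "After update" fragment from the post, wrapped the same way.
AFTER = """<stproxy>
<appleNotificationHostName>gateway.push.apple.com</appleNotificationHostName>
<appleNotificationPort>2196</appleNotificationPort>
<appleFeedbackHostName>feedback.push.apple.com</appleFeedbackHostName>
<appleFeedbackPort>2196</appleFeedbackPort>
<meeting>
<host/>
<port/>
<type>0</type>
<isSecure>true</isSecure>
</meeting>
</stproxy>"""


def snapshot(xml_text, paths=WATCHED):
    """Map each watched path to its text ('' if empty, None if the element is absent)."""
    root = ET.fromstring(xml_text)
    values = {}
    for path in paths:
        text = root.findtext(".//" + path)
        values[path] = None if text is None else text.strip()
    return values


def drift(before, after):
    """Return {path: (kind, old, new)} for every watched value that differs."""
    report = {}
    for path, old in before.items():
        new = after.get(path)
        if new == old:
            continue
        if new is None:
            kind = "removed"
        elif new == "":
            kind = "emptied"
        else:
            kind = "changed"
        report[path] = (kind, old, new)
    return report


if __name__ == "__main__":
    for path, (kind, old, new) in drift(snapshot(BEFORE), snapshot(AFTER)).items():
        print(f"{path}: {kind}: {old!r} -> {new!r}")
```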

Yesterday I moved a customer’s single Sametime 8.0.2 server to a new 8.5.2.1 server. The planning and execution went well apart from the pesky iNotes integration with STLinks. The customer isn’t huge so going Sametime 9 with SSC and DB2 really didn’t warrant increased consultancy and support costs and certainly not a Sametime Proxy.

Anyway, the problem I had (which wasn’t happening with 8.0.2) was that in IE awareness wouldn’t appear. The buddy list would load and show users added to local groups and show the public groups but not the public groups content. Firefox and Chrome worked fine.

I enabled the Java console and saw errors when the browser tries to download STLinks from the Community server. The URL the browser was trying to use was prepended with HTTPS but the Community server has not been configured for SSL whilst iNotes has.

I then found the following draft Technote in IBM’s knowledge base which gave me two options, 1) to configure SSL on the Community server or 2) to use STLinks on the iNotes server instead thus meaning that SSL can be used.

I followed the instructions and after restarting HTTP on the two iNotes servers awareness and chat in IE worked.

Problem
sametime connection issue with INotes when SSL is used

Cause
There should be the internet hostname of the sametime server, not the domino name, update the Domino name and restart the inotes server.

Solution
A.  configure SSL on the sametime server

OR

B.  Make the following changes to download all stlinks files from the inotes server, but have the applet continue to contact sametime over http.

On the inotes servers please make the following changes.

1.  In the notes.ini set the following parameter:
iNotes_WA_STLinksCodebase=/sametime/stlinks

2.  Backup the stlinks directory on the inotes server, replace it with the stlinks directory from the Sametime server

3.  In the hostInfo.js make sure you have the following set:

var HTTP_TUNNELING_PORT=8082;                 ** Note this may also be 80, it depends on the st config, either should be fine, just leave it as it's already set **
var TUNNELING_ADDRESS="";

4.  In the stlinks.js
set the following variable to the hostname of the sametime server:
var STHost="sametime.moi.gov.kw";

NOTE:  this variable already exists in the file, you simply need to update the value it’s set to.

4.  use the signed stlinks.jar
backup the existing stlinks.jar in lotus/domino/data/domino/html/sametime/stlinks
copy signed/stlinks.jar to the stlinks folder

5.  restart inotes to pick up all the changes
on the client you are testing with delete all temp internet and jvm files (control panel – java) and test inotes again.

During an install of Connections 4.5 I came across a problem when Configuring the IBMConnectionsMetricsAdmin role on Cognos which required me to disable anonymous access in the Cognos Configuration tool (Local Configuration -> Security -> Authentication -> Cognos to set Allow anonymous access? -> False) and save.

On saving I was getting the following error in the client.

2014-03-19_101919

I had previously applied 10.1.1 FP001 and believed something had happened during the upgrade.

Googling came up with some suggestions all around cryptography with How to Regenerate Cryptographic Keys seemingly the best way to try and get this working. The problem was that I couldn’t export a copy of the configuration.

I tried various approaches including configuring cogstartup.xml manually removing the encryption variables so no password was set, nothing worked.

The more I Googled and researched IBM/Cognos forums the more Java was mentioned. After burning the best part of a day I started to look at what version of Java was being used.

I have installed on CentOS (not supported I know) and the version of java is as follows.

[root@cognos ~]# java -version
java version "1.7.0_09-icedtea"
OpenJDK Runtime Environment (rhel-2.3.4.1.el6_3-x86_64)
OpenJDK 64-Bit Server VM (build 23.2-b09, mixed mode)

This is reading it from /usr/bin/java.

I didn’t set JAVA_HOME when installing Connections which installs Cognos so what version of Java is it using? I looked at the WebSphere SystemOut.log for the application server and noted that it is using the IBM JRE (/opt/IBM/WebSphere/AppServer/java).

After setting export JAVA_HOME=/opt/IBM/WebSphere/AppServer/java I could save my settings in the Cognos Configuration client.

When testing audio and video via a web browser or mobile phone I would see the following error in a browser when trying to use audio and video in a meeting. Using the thick client worked.

st2

Looking at the SIP Proxy Registrars SystemOut.log I saw the following exceptions.

[2/11/14 18:08:43:660 GMT] 000000a7 LdapPasswordS I LdapPasswordServer  CWSCT0359I: Hashed Credential attributes not found.
[2/11/14 18:08:43:661 GMT] 000000a7 SIPDigestServ E SIPDigestService  CWSCT0340E: Error – cannot retrieve password attribute.

I enabled trace on the SIP PR ( *=info:com.ibm.ws.security.*=all:com.ibm.ws.sip.*=all) and found that the LtpaToken was “undefined.”

REGISTER sip:prcf.collaborationben.com;transport=tls SIP/2.0
Content-Length: 0
Expires: 1800
Max-Forwards: 70
Cookie: LtpaToken="undefined"
Supported: path, outbound
User-Agent: Sametime-ST9.0-Softphone
Contact: <sip:WebAVClient-Ben.Williams%40collaborationben.com@**********:54303;transport=tls>;methods="INVITE,ACK,BYE,CANCEL,OPTIONS,INFO,MESSAGE,SUBSCRIBE,NOTIFY,PRACK,UPDATE,REFER";reg-id=1;+sip.instance="<urn:uuid:********************>"
Call-ID: *****************@192.0.1.58
CSeq: 1 REGISTER
To: sip:WebAVClient-Ben.Williams%40collaborationben.com@prcf.collaborationben.com
From: WebAVClient-Ben.Williams%40collaborationben.com <sip:WebAVClient-Ben.Williams%40collaborationben.com@prcf.collaborationben.com>;tag=BCF17103-85B0EEA0
Via: SIP/2.0/TLS 192.0.1.58:54303;branch=z9hG4bK42f99901F8B8AD8E

I also saw that when I logged in as an LDAP user the trace showed my file system administrative user.

user:defaultWIMFileBasedRealm/uid=wasadmin,o=defaultWIMFileBasedRealm

The LtpaToken must be working because the SIP PR is in the same cell as the majority of the other application servers and awareness works which means SSO must be working but the above shows that it isn’t. Odd.

I also noticed that if I authenticated with the Community server first and then switched to the meeting server URL, audio and video worked. It was the LtpaToken being provided by the WAS application server that was a problem.

I tried a couple of things such as changing the realm name to match the LDAP server as opposed to the default (defaultWIMFileBasedRealm) but this did not work.

Thankfully Khalid arranged a call with development and he asked me to uncheck “Set security cookies to HTTPOnly to help prevent cross-site scripting attacks.”

st3

After I resynchronised and stopped and started all the application servers and proxies I could then use audio and video in my clients!

This should be making its way into a Technote soon.
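
The failure signature in this case is a REGISTER whose Cookie header carries the literal string "undefined" where an LTPA token should be. The Python below is an added example, not from the original post or IBM; it scans a SIP trace for that signature and also reports which LTPA Set-Cookie headers lack HttpOnly or Secure, since unchecking the HTTPOnly setting leaves the LTPA cookie readable by page script. The trace and Set-Cookie lines are constructed, and the LtpaToken2 cookie name and the header layout are assumptions about the deployment.

```python
import re

# Constructed trace modelled on the REGISTER in the post (example addresses).
SAMPLE_TRACE = '''REGISTER sip:prcf.example.test;transport=tls SIP/2.0
Content-Length: 0
Cookie: LtpaToken="undefined"
User-Agent: Sametime-ST9.0-Softphone
Call-ID: constructed-1@192.0.2.10
CSeq: 1 REGISTER
To: sip:WebAVClient-user.one%40example.test@prcf.example.test

REGISTER sip:prcf.example.test;transport=tls SIP/2.0
Content-Length: 0
Cookie: LtpaToken="Q29uc3RydWN0ZWQgdG9rZW4="
User-Agent: Sametime-ST9.0-Softphone
Call-ID: constructed-2@192.0.2.11
CSeq: 1 REGISTER
To: sip:WebAVClient-user.two%40example.test@prcf.example.test
'''

# Constructed Set-Cookie header values as a browser would receive them.
SAMPLE_SET_COOKIE = [
    "LtpaToken2=Q29uc3Q=; Path=/; Secure",
    "JSESSIONID=0000abc; Path=/; HttpOnly",
]

# Values that mean the client never had a token to send.
PLACEHOLDER_TOKENS = {"", "undefined", "null"}


def split_messages(trace):
    """Split a trace on blank lines and return one header dict per SIP message."""
    messages = []
    for block in re.split(r"\n\s*\n", trace.strip()):
        lines = block.strip().splitlines()
        if not lines:
            continue
        headers = {"_start": lines[0].strip()}
        for line in lines[1:]:
            name, sep, value = line.partition(":")
            if sep:
                headers[name.strip().lower()] = value.strip()
        messages.append(headers)
    return messages


def registers_without_token(trace):
    """Return (Call-ID, To) for each REGISTER sent with a missing or placeholder token."""
    hits = []
    for msg in split_messages(trace):
        if not msg["_start"].startswith("REGISTER "):
            continue
        match = re.search(r'LtpaToken2?="?([^";]*)"?', msg.get("cookie", ""))
        token = match.group(1) if match else ""
        if token.strip().lower() in PLACEHOLDER_TOKENS:
            hits.append((msg.get("call-id"), msg.get("to")))
    return hits


def cookie_flags(set_cookie_headers, names=("LtpaToken", "LtpaToken2")):
    """Map each LTPA cookie to the security attributes its Set-Cookie header lacks."""
    missing = {}
    for header in set_cookie_headers:
        parts = [p.strip() for p in header.split(";")]
        name = parts[0].partition("=")[0]
        if name not in names:
            continue
        attrs = {p.partition("=")[0].lower() for p in parts[1:]}
        missing[name] = sorted({"httponly", "secure"} - attrs)
    return missing


if __name__ == "__main__":
    print(registers_without_token(SAMPLE_TRACE))
    print(cookie_flags(SAMPLE_SET_COOKIE))
```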

 

We all know that LDAP is the biggest threat to Sametime, don’t we? Are we all aware of how that impacts audio and video through business cards?

Well, a customer logged a problem yesterday after audio and video failed on their 8.5.2.1 infrastructure. What made this more difficult to troubleshoot was the fact that last week we had other problems relating to audio and video, which was “taken out” after a network change the weekend prior. With last week’s problem clouding my judgement I went down the route of checking for network and synchronisation issues (last week’s problem) and failed to look at LDAP.

It wasn’t until I had spent some hours checking that last week’s problem hadn’t reared its head again that I looked at the client-side trace and saw the following exception.

CLFRB1232W: When processing the softphone configuration encountered an error: com.ibm.collaboration.realtime.telephony.exception.TelephonyRuntimeException: Required directory or missing required configuration information. Voice and video services are not available. Please contact the administrator.

The error in the client was:

1

These errors indicate that the UserInfo service isn’t providing the email address to the client’s business card. Audio and video requires the email address to function. This was detailed in a Technote which now seems to be broken http://www-01.ibm.com/support/docview.wss?uid=swg21447891

I also checked the registered bindings in the SSC and saw people connected to the SIP Proxy Registrar with audio and video working for some. Business cards were not showing the email address and in the client trace there were further signs of UserInfo problems.

User attribute search returned 0 attributes for person CN=Joe Bloggs,OU=London,O=ACME (chat01.acme.com)

New DirectoryLookupThread created for [CN=Joe Bloggs,OU=London,O=ACME]
java.lang.Throwable
at com.ibm.collaboration.realtime.people.internal.DirectoryLookupThread.<init>(Unknown Source)
at com.ibm.collaboration.realtime.people.internal.PeopleCacheMgr.loadPersonData(Unknown Source)
at com.ibm.collaboration.realtime.people.internal.PeopleCacheMgr.loadPersonData(Unknown Source)
at com.ibm.collaboration.realtime.people.internal.PeopleCacheEventHandler.handlePartnerInteraction(Unknown Source)
at com.ibm.collaboration.realtime.people.internal.PeopleCacheEventHandler.handleBuddySelected(Unknown Source)
at com.ibm.collaboration.realtime.people.internal.PeopleCacheEventHandler.handleMessageEvent(Unknown Source)
at com.ibm.collaboration.realtime.magiccarpet.MessageEventHandlerProxy.handleMessageEvent(Unknown Source)
at com.ibm.collaboration.realtime.magiccarpet.MessageEventAdapter.processEvent(Unknown Source)
at com.ibm.collaboration.realtime.magiccarpet.messageprocessor.WorkItemRunnable.run(Unknown Source)
at com.ibm.collaboration.realtime.magiccarpet.messageprocessor.WorkThread.run(Unknown Source)

Calling the servlet via a web browser returned the correct results chat01.acme.com/servlet/UserInfoServlet?operation=3&userId=cn=Joe%20Bloggs,ou=London,o=Acme&setid=1.

<?xml version="1.0" encoding="UTF-8" ?>
<userinfo>
<user id="cn=Joe Bloggs,ou=London,o=acme">
<field name="Name" type="text/plain">Joe Bloggs</field>
<field name="Company" type="" error="UNAVAILABLE" />
<field name="Title" type="" error="UNAVAILABLE" />
<field name="Telephone" type="" error="UNAVAILABLE" />
<field name="MailAddress" type="text/plain">Joe.Bloggs@acme.com</field>
<field name="Location" type="" error="UNAVAILABLE" />
<field name="Photo" type="" error="UNAVAILABLE" />
</user>
</userinfo>

This customer has problems with LDAP and changing the max and low pending variables has been tried before but it broke other Sametime components. Until a test environment is provisioned or it is agreed that I can fix forward in production not much can be done with regards to performance tuning.

Anyway, the Community server was restarted this morning and business cards worked and so did audio and video. For the time being.

During the build of an internal Sametime 9 environment I came across problems with video calls via a meeting room; point-to-point was fine. I was getting the error “The call was not completed due to a dialling error. AVKCS2200E: Failure response 403 received in response to invitation to CN=Ben Williams, O=collaborationben. Reason is: Unspecified Dial Failure.”


I’ll explain how I have it set up. As this is all run on a bulky VMware server at home, I use hosts files to control DNS. I have called my domain “collaborationben.com”, which is the same as my blog. All servers can resolve themselves and can resolve DNS to the internet.

I enabled the following trace on the CF server:

*=info: com.ibm.mediaserver.*=all: com.ibm.telephony.conferencing.spi.*=all: com.ibm.ws.sip.*=all: com.lotus.sametime.telephonymanager.*=all: com.ibm.sip.*=all: com.ibm.vmgrconnector.*=all: com.lotus.sametime.telephony.*=all

On the VMgr I enabled:

*=info: com.polycom.proximo.*=all

The errors in the VMgr were below:

[11/27/13 15:29:15:751 GMT] 000001a6 VideoMsMonito 3 com.polycom.proximo.mcu.VideoMsMonitorSupport$Ping run Connection to 192.168.1.45:8080 took 1 milliseconds connected: true
[11/27/13 15:29:16:028 GMT] 00000160 SuperclusterS 1 com.polycom.proximo.monitor.aggregator.SuperclusterStatusAggregateProviderImpl aggregateData Running supercluster status aggregation task.
[11/27/13 15:29:16:028 GMT] 00000160 SuperclusterS 1 com.polycom.proximo.monitor.aggregator.SuperclusterStateOfHealthAggregator getSuperclusterStateOfHealth Enter getSuperclusterStateOfHealth
[11/27/13 15:29:16:028 GMT] 00000160 RemoteCommand 3 com.polycom.proximo.supercluster.RemoteCommandSupport getLocalClusterRemoteCommandProxy Generate proxy for ProximoMonitorServiceRemoteCommands to local cluster
[11/27/13 15:29:16:028 GMT] 00000160 RemoteCommand 1 com.polycom.proximo.supercluster.RemoteCommandSupport call URL from call method:
https://66.155.11.238:8444/PlcmRmWeb/remoteCommand?SuperclusterStateOfHealthAggregator_buildSuperclusterStateOfHealth_ArgsImpl
[11/27/13 15:29:16:028 GMT] 00000160 HttpUtils 1 com.polycom.proximo.util.HttpUtils makeHttpsUrlConnection Successfully established makeHttpsUrlConnection
[11/27/13 15:29:16:029 GMT] 00000160 RemoteCommand 3 com.polycom.proximo.supercluster.RemoteCommandSupport call Sending command:
https://66.155.11.238:8444/PlcmRmWeb/remoteCommand?SuperclusterStateOfHealthAggregator_buildSuperclusterStateOfHealth_ArgsImplSuperclusterStateOfHealthAggregator_buildSuperclusterStateOfHealth_ArgsImpl[]
[11/27/13 15:29:16:121 GMT] 00000160 SuperclusterS E com.polycom.proximo.monitor.aggregator.SuperclusterStateOfHealthAggregator getSuperclusterStateOfHealth Unable to access server with virtual address. Using local info: Unexpected Exception
[11/27/13 15:29:16:121 GMT] 00000160 SuperclusterS 1 com.polycom.proximo.monitor.aggregator.SuperclusterStateOfHealthAggregator buildSuperclusterStateOfHealth Enter buildSuperclusterStateOfHealth
[11/27/13 15:29:16:121 GMT] 00000160 SuperclusterS 1 com.polycom.proximo.monitor.aggregator.SuperclusterStateOfHealthAggregator buildSuperclusterStateOfHealth Aggregating dashboard detail for cluster null.collaborationben.com
[11/27/13 15:29:16:121 GMT] 00000160 SuperclusterS 1 com.polycom.proximo.monitor.aggregator.SuperclusterStateOfHealthAggregator buildSuperclusterStateOfHealth Adding dashboard detail for missing cluster 66.155.11.238
[11/27/13 15:29:16:122 GMT] 00000160 SuperclusterS 1 com.polycom.proximo.monitor.aggregator.SuperclusterStateOfHealthAggregator updateActiveNodeStatus missing node detail for cluster null.collaborationben.com
[11/27/13 15:29:16:122 GMT] 00000160 SuperclusterS 1 com.polycom.proximo.monitor.aggregator.SuperclusterStateOfHealthAggregator updateActiveNodeStatus missing node detail for cluster 66.155.11.238
[11/27/13 15:29:16:122 GMT] 00000160 RawClusterDat 1 com.polycom.proximo.monitor.aggregator.RawClusterDataCleaner cloneElements Sip Enabled: SipStatusDetailImpl[sipEnabled=true, defaultAddress=, sessionTimer=1800, listeningPointList=[ListeningPointImpl[address=192.0.80.250, port=5060, transport=TCP], ListeningPointImpl[address=192.0.80.250, port=5061, transport=TLS]]]
[11/27/13 15:29:16:122 GMT] 00000160 RawClusterDat 1 com.polycom.proximo.monitor.aggregator.RawClusterDataCleaner cloneElements Sip Enabled: null
[11/27/13 15:29:16:122 GMT] 00000160 Responsibilit E com.polycom.proximo.monitor.aggregator.ResponsibilityAggregator setAggregatedResponsibility NodeUID could not be determined for cluster: null.collaborationben.com
[11/27/13 15:29:16:122 GMT] 00000160 Responsibilit 1 com.polycom.proximo.monitor.aggregator.ResponsibilityAggregator setAggregatedResponsibility Cluster 66.155.11.238 uid[3b07956e-fff9-4d92-8fb0-7832ae60cd96]
[11/27/13 15:29:16:122 GMT] 00000160 Responsibilit 1 com.polycom.proximo.monitor.aggregator.ResponsibilityAggregator setAggregatedResponsibility Territory 76.74.254.120controlled[false] primary[true] backup[false] unowned[false]
[11/27/13 15:29:16:122 GMT] 00000160 Responsibilit 1 com.polycom.proximo.monitor.aggregator.ResponsibilityAggregator setAggregatedResponsibility Cluster 66.155.11.238 confRoom[INACTIVE_PRIMARY] calendaring[DISABLED] enterpriseDirectory[DISABLED]
[11/27/13 15:29:16:123 GMT] 00000160 SuperclusterS W com.polycom.proximo.monitor.aggregator.SuperclusterStateOfHealthAggregator buildSuperclusterStateOfHealth Unable to determine local node name using hostname ‘vmgr.collaborationben.com’ instead
[11/27/13 15:29:16:123 GMT] 00000160 SuperclusterS W com.polycom.proximo.monitor.aggregator.SuperclusterStateOfHealthAggregator buildSuperclusterSummary Unable to find cluster info for null.collaborationben.com
[11/27/13 15:29:16:123 GMT] 00000160 SuperclusterS W com.polycom.proximo.monitor.aggregator.SuperclusterStateOfHealthAggregator buildSuperclusterSummary Info built for a cluster currently unreachable or in trouble.
[11/27/13 15:29:16:123 GMT] 00000160 SuperclusterS 1 com.polycom.proximo.monitor.aggregator.SuperclusterStateOfHealthAggregator updateServerCounts Currently configured to connect to MCUs: [null.collaborationben.com]
[11/27/13 15:29:16:124 GMT] 00000160 SuperclusterS 1 com.polycom.proximo.monitor.aggregator.SuperclusterStateOfHealthAggregator buildSuperclusterStateOfHealth Exit buildSuperclusterStateOfHealth
[11/27/13 15:29:16:124 GMT] 00000160 DashboardMana 1 com.polycom.proximo.monitor.DashboardManager getDashboardDetail Getting dashboard info
[11/27/13 15:29:16:124 GMT] 00000160 SuperclusterA I com.polycom.proximo.supercluster.SuperclusterAccessCommands loadJuniperConfiguration loadJuniperConfiguration returning config: JuniperConfiguration[enableSRC:false, port:8080, forceHTTPS:false, useEPAddrForSubURI:true]
[11/27/13 15:29:16:126 GMT] 00000160 SuperclusterS 1 com.polycom.proximo.monitor.aggregator.SuperclusterStatusAggregateProviderImpl aggregateData Supercluster status aggregation task complete.
[11/27/13 15:29:17:612 GMT] 00000a63 LTPAServerObj E SECJ0369E: Authentication failed when using LTPA. The exception is com.ibm.websphere.wim.exception.PasswordCheckFailedException: CWWIM4537E No principal is found from the ‘admin’ principal name..
[11/27/13 15:29:17:614 GMT] 00000a63 LoginContextA I com.polycom.proximo.api.support.servlet.LoginContextAuthSession open Attempting to login to context: proxias-users requiring role: null, locale: en_us
[11/27/13 15:29:17:615 GMT] 00000a63 ProxiasLoginM I com.polycom.proximo.admin.login.ProxiasLoginModule initialize ProxiasLogin : Initialize …
[11/27/13 15:29:17:615 GMT] 00000a63 CustomLoginMo 1 com.polycom.proximo.admin.login.websphere.CustomLoginModuleWS initialize Initializing CustomLoginModuleWS class class com.polycom.proximo.admin.login.websphere.CustomLoginModuleWS
[11/27/13 15:29:17:616 GMT] 00000a63 ProxiasLoginM 1 com.polycom.proximo.admin.login.ProxiasLoginModule login Entering login()
[11/27/13 15:29:17:616 GMT] 00000a63 CustomLoginMo 1 com.polycom.proximo.admin.login.websphere.CustomLoginModuleWS createIdentity Inside CreateIdentity() method the Username : adminprincipalClassName value: com.ibm.security.auth.JAASPrincipal
[11/27/13 15:29:17:617 GMT] 00000a63 ProxiasLoginM I com.polycom.proximo.admin.login.ProxiasLoginModule validatePassword validating password for: LOCAL\admin
[11/27/13 15:29:17:618 GMT] 00000a63 ProxiasLoginM W com.polycom.proximo.admin.login.ProxiasLoginModule validatePassword Failed getting x509 certificate from HttpServletRequest

I highlighted a number of IP addresses, none of which fitted my internal 192.168.x.x addresses. After researching the IP addresses seen in the SystemOut.log I found links to ServerBeach, and after a bit more digging I saw they are associated with WordPress. Some of the other IP addresses belong to WordPress themselves.

What was happening was that the hosts file entries were being ignored and the VMgr was resolving the domain .collaborationben.com through DNS and being directed to WordPress. I had to change the resolv.conf on all my Sametime 9 servers, removing the nameserver, which was the router. After a reboot of all the servers video worked perfectly.

I questioned IBM as to why the hosts file is ignored but as yet I have not had a response. I’m aware that the vast majority of people using Sametime 9 will have DNS configured properly, but for those who don’t…
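The manual check described above, picking out addresses in SystemOut.log that fall outside the internal range, can be scripted so that internal signalling leaving the network is spotted early. This is an added example, not part of the original post; the internal ranges, the function name and the trimmed sample lines are assumptions for illustration.

```python
import ipaddress
import re
from collections import defaultdict

# Assumption: internal ranges for this lab. The post only mentions 192.168.x.x;
# loopback is included so local connections are never flagged.
INTERNAL_NETS = [ipaddress.ip_network(n) for n in ("192.168.0.0/16", "127.0.0.0/8")]

# Dotted quad that is not part of a longer dotted number (e.g. 1.2.3.4.5).
# WebSphere timestamps use colons, so they never match.
IPV4_RE = re.compile(r"(?<![\d.])\d{1,3}(?:\.\d{1,3}){3}(?!\d|\.\d)")
# "[timestamp] threadid component level ..." prefix of a SystemOut.log entry.
ENTRY_RE = re.compile(r"^\[[^\]]+\]\s+[0-9a-fA-F]{8}\s+(\S+)\s")

# Lines trimmed from the VMgr SystemOut.log excerpt in the post.
SAMPLE_LOG = """\
[11/27/13 15:29:15:751 GMT] 000001a6 VideoMsMonito 3 Connection to 192.168.1.45:8080 took 1 milliseconds connected: true
[11/27/13 15:29:16:028 GMT] 00000160 RemoteCommand 1 RemoteCommandSupport call URL from call method:
https://66.155.11.238:8444/PlcmRmWeb/remoteCommand?SuperclusterStateOfHealthAggregator_buildSuperclusterStateOfHealth_ArgsImpl
[11/27/13 15:29:16:122 GMT] 00000160 RawClusterDat 1 listeningPointList=[ListeningPointImpl[address=192.0.80.250, port=5060, transport=TCP]]
[11/27/13 15:29:16:122 GMT] 00000160 Responsibilit 1 Territory 76.74.254.120controlled[false] primary[true]
"""


def external_ips_by_component(lines, internal_nets=INTERNAL_NETS):
    """Map each non-internal IPv4 address to the log components that mention it."""
    found = defaultdict(set)
    component = "unknown"
    for line in lines:
        entry = ENTRY_RE.match(line)
        if entry:                      # continuation lines keep the previous component
            component = entry.group(1)
        for text in IPV4_RE.findall(line):
            try:
                ip = ipaddress.ip_address(text)
            except ValueError:         # e.g. an octet above 255
                continue
            if not any(ip in net for net in internal_nets):
                found[str(ip)].add(component)
    return {ip: sorted(names) for ip, names in found.items()}


if __name__ == "__main__":
    for ip, names in sorted(external_ips_by_component(SAMPLE_LOG.splitlines()).items()):
        print(f"{ip:15}  seen in: {', '.join(names)}")
```

Any address it reports for a server that should only talk to lab hosts is a sign that name resolution is going out to public DNS rather than using the hosts file.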
