A customer had a problem with notifications sent to a user on a mobile device logged into an STProxy server: the name shown was not “Server”, as it normally is, but a random other server. There were two options, keep trying to fix it or drop the “Server” name and replace it with the name of the recipient, which personally sounded a far better option.

The (always) helpful Cormac O’Leary from the Sametime PMR team assisted and liaised with L3 and provided me with a new cumulative hot fix. Once installed I had to edit stproxyconfig.xml, located at AppServer/profiles/<Profile_Name>/config/cells/<Cell_Name>/nodes/<Node_Name>/servers/STProxyServer/stproxyconfig.xml

Add the following values to the <configuration> element. If a <mobile> element is already present, add the <disableSystemNotifications> element to that existing element.

<mobile>
    <disableSystemNotifications>true</disableSystemNotifications>
</mobile>

Now when an IM is sent to a user on a mobile device the name of the announcement is no longer “Server” but the recipient’s name.

new STProxy announcement

Following on from Sametime on iPhone – APNS test application, I was sent another APNs test application while troubleshooting another STProxy/iPhone problem. This time it can return the certificate being used and also resend notifications to the device. The application can be obtained here.

Running the following shows the details of the certificate in use, which can be checked against Apple’s documentation.

/opt/IBM/WebSphere/AppServer/java/bin/java -jar apnstest.jar
Testing using default key
About to attempt to connect to APNS
Initialized SSL Context
SSL Socket Created
Starting SSL Handshake
SSL Handshake Complete
CN=gateway.push.apple.com, OU=iTMS Engineering, O=Apple Inc., L=Cupertino, ST=California, C=US
CN=Entrust Certification Authority - L1C, OU="(c) 2009 Entrust, Inc.", OU=www.entrust.net/rpa is incorporated by reference, O="Entrust, Inc.", C=US
Successfully Connected to APNS

To resend notifications, first you need to change the format of the APNs trace output to something meaningful such as Base-64. To do that, back up and then replace stproxyservices.jar with the edited version here. The location of the file is /AppServer/profiles/STPAppProfile/optionalLibraries/stproxy/stproxyservices.jar

Now add the trace specification *=info: com.ibm.rtc.stproxy.*=all: com.ibm.collaboration.realtime.*=all to the STProxyServer.

Within trace.log the text is now readable as Base-64. Find the notification that was sent; its entry starts with “sendMessageAPNS-B64”.

[04/01/13 11:03:27:966 GMT] 0000003e APNSService   3   sendMessageAPNS-B64 (******************************************hB8+OIzkdBjW0wJEAaHsiYXBzIjp7ImFsZXJ0Ijp7I***************************************ZSI6MSwic291bmQiOiJkZWZhdWx0In19)

Using the same jar you can replay this notification with the following command.

/opt/IBM/WebSphere/AppServer/java/bin/java -jar ./apnstest.jar ******************************************hB8+OIzkdBjW0wJEAaHsiYXBzIjp7ImFsZXJ0Ijp7I***************************************ZSI6MSwic291bmQiOiJkZWZhdWx0In19
Testing using default key
About to attempt to connect to APNS
Initialized SSL Context
SSL Socket Created
Starting SSL Handshake
SSL Handshake Complete
CN=gateway.push.apple.com, OU=iTMS Engineering, O=Apple Inc., L=Cupertino, ST=California, C=US
CN=Entrust Certification Authority - L1C, OU="(c) 2009 Entrust, Inc.", OU=www.entrust.net/rpa is incorporated by reference, O="Entrust, Inc.", C=US
Successfully Connected to APNS
About to send message…
Parsed message:  ◄?q??T?j?$?0?qa?#9↔♠5??h{"aps":{"alert":{"loc-key":"NEW_CHAT_MESSAGE","loc-args":["Ben  Williams"]},"badge":1,"sound":"default"}}
Sent message to APNS
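Rather than replaying a captured notification against Apple, you can decode it offline to see what the trace actually carries (device token and payload). The following is an added example, not code from the post or from IBM; it assumes the Base-64 blob logged after sendMessageAPNS-B64 is a legacy APNs binary frame (command 0 simple or command 1 enhanced format), and the device token and trace line it decodes are constructed sample values.

```python
import base64
import json
import struct

TRACE_MARKER = "sendMessageAPNS-B64 ("

def extract_b64(trace_line):
    """Return the Base-64 blob logged between 'sendMessageAPNS-B64 (' and ')'."""
    start = trace_line.index(TRACE_MARKER) + len(TRACE_MARKER)
    return trace_line[start:trace_line.index(")", start)]

def decode_frame(b64):
    """Decode a legacy APNs binary frame (command 0 simple, command 1 enhanced).

    Assumption: STProxy logs the raw frame it writes to gateway.push.apple.com.
    """
    raw = base64.b64decode(b64 + "=" * (-len(b64) % 4))  # tolerate stripped padding
    command, pos = raw[0], 1
    info = {"command": command}
    if command == 1:  # enhanced format adds a 4-byte identifier and 4-byte expiry
        info["identifier"], info["expiry"] = struct.unpack_from(">II", raw, pos)
        pos += 8
    elif command != 0:
        raise ValueError(f"unsupported APNs command byte {command}")
    (token_len,) = struct.unpack_from(">H", raw, pos)
    pos += 2
    token = raw[pos:pos + token_len]
    pos += token_len
    (payload_len,) = struct.unpack_from(">H", raw, pos)
    pos += 2
    payload = raw[pos:pos + payload_len]
    if len(token) != token_len or len(payload) != payload_len:
        raise ValueError("truncated frame")
    info["device_token"] = token.hex()  # the token identifies the device: treat it as sensitive
    info["payload"] = json.loads(payload.decode("utf-8"))
    return info

def encode_frame_b64(token, payload, identifier=None, expiry=0):
    """Build a frame in the same layout (used here only to construct sample input)."""
    body = json.dumps(payload, separators=(",", ":")).encode("utf-8")
    head = b"\x00" if identifier is None else b"\x01" + struct.pack(">II", identifier, expiry)
    frame = head + struct.pack(">H", len(token)) + token + struct.pack(">H", len(body)) + body
    return base64.b64encode(frame).decode("ascii")

def decode_trace_line(trace_line):
    return decode_frame(extract_b64(trace_line))

# Constructed sample: a made-up 32-byte device token and the payload shown in the post.
SAMPLE_TOKEN = bytes(range(32))
SAMPLE_PAYLOAD = {"aps": {"alert": {"loc-key": "NEW_CHAT_MESSAGE",
                                    "loc-args": ["Ben  Williams"]},
                          "badge": 1, "sound": "default"}}
SAMPLE_TRACE = ("[04/01/13 11:03:27:966 GMT] 0000003e APNSService   3   "
                + TRACE_MARKER + encode_frame_b64(SAMPLE_TOKEN, SAMPLE_PAYLOAD) + ")")

if __name__ == "__main__":
    info = decode_trace_line(SAMPLE_TRACE)
    print("device token:", info["device_token"])
    print("payload:", json.dumps(info["payload"]))
```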

All of the above was run on Linux.

Having upgraded a customer’s deployment of Sametime to 8.5.2.1, we found that notifications were not appearing on devices when the device was in a “paused” state.

How this works is that User A (Notes client) sends an IM to User B (using the iPhone application) and the IM is received instantly. The iPhone is registered with APNS and assigned a device token, and the device sends that same token to STProxy.

If the iPhone is locked, the Sametime application runs in the background in a “paused” state: it sends the “pause” command to STProxy and then goes to the background. After 10 minutes the application goes into “APNS mode”; until then IMs are still received via a direct connection to STProxy.

User A sees User B’s Sametime status as “Away” and on sending an IM User A receives an announcement in his Notes client (configurable) that User B is on a mobile device and the message may be delayed. At this point STProxy knows the user is in a paused state and stores the IM in a database.

STProxy knows that User B is in a “paused” state so sends the device token to the APNS and requests that a push notification be sent to the device. APNS sends this push notification and the device displays a notification that there is an IM waiting to be read.

When User B views the notification it brings the application on the iPhone to the foreground and connects to STProxy and sends a command to it to retrieve messages.

STProxy then sends the queued IMs which were stored in the database to the device. The IMs are then removed from the database.

Looking at STProxy’s SystemOut.log and trace.log (if enabled) you can see output similar to:

[10/10/12 17:32:51:786 BST] 0000002a APNSService   W com.ibm.collaboration.realtime.stproxy.services.APNS.APNSService startAPNS CLFRX0079W: Unable to establish an SSL connection to the APNS service Connection timed out
[10/10/12 17:32:51:790 BST] 0000002a APNSService   W com.ibm.collaboration.realtime.stproxy.services.APNS.APNSService startAPNS CLFRX0080W: Unable to send message to the APNS: null ssl socket
[10/10/12 17:44:22:038 BST] 00002e89 APNSService   W com.ibm.collaboration.realtime.stproxy.services.APNS.APNSService monitorFeedbackService CLFRX0081W: Unable to establish an SSL connection to the APNS feedback service Connection timed out

This could be explained by Updated security certificate for Push Notifications (iOS) but I know that is not the case as I applied the patch during the upgrade.

I tried using telnet but couldn’t connect so asked the customer to check with networks whether the ports had actually been opened.

# telnet gateway.push.apple.com 2195
Trying 17.172.238.214…

# telnet feedback.push.apple.com 2196
Trying 17.172.238.216…

It turned out the ports had not been opened, but IBM did send me a useful test application which you can use to test the connection to APNS. You can download apnstest.jar and follow the instructions below.

Windows
——-
From a command prompt in the directory to which the above file was copied, run the following commands:
(Replace C:\IBM\WebSphere\AppServer with the path to the AppServer directory)
C:\IBM\WebSphere\AppServer\java\bin\java -jar apnstest.jar

(Replace <ST Proxy Cell Name> with the name of the cell to which ST Proxy is deployed. Replace <ST Proxy Node Name> with the name of the node on which ST Proxy is deployed.)
C:\IBM\WebSphere\AppServer\java\bin\java -jar apnstest.jar "C:\IBM\WebSphere\AppServer\profiles\STPAppProfile\config\cells\<ST Proxy Cell Name>\nodes\<ST Proxy Node Name>\apns-prod.pkcs12"

Linux
—–
From a terminal in the directory to which the above file was copied, run the following commands:
(Replace /opt/IBM/WebSphere/AppServer with the path to the AppServer directory)
/opt/IBM/WebSphere/AppServer/java/bin/java -jar apnstest.jar

(Replace <ST Proxy Cell Name> with the name of the cell to which ST Proxy is deployed. Replace <ST Proxy Node Name> with the name of the node on which ST Proxy is deployed.)
/opt/IBM/WebSphere/AppServer/java/bin/java -jar apnstest.jar "/opt/IBM/WebSphere/AppServer/profiles/STPAppProfile/config/cells/<ST Proxy Cell Name>/nodes/<ST Proxy Node Name>/apns-prod.pkcs12"

This should produce output similar to the following:

Testing using default key
About to attempt to connect to APNS
Initialized SSL Context
SSL Socket Created
Starting SSL Handshake
SSL Handshake Complete
Successfully Connected to APNS

A while ago I worked with Frank Altenburg of ISSL on a customer engagement and one of the many titbits of information he gave me was how to change the context root so that users could enter http://server.company.com or http://server.company.com/chat for example and be redirected to http://server.company.com/stwebclient/index.jsp automatically.

I used this approach in a proof of concept environment whilst deploying Sametime 8.5 for a customer some time ago, and it worked well for redirecting the URL for the Proxy.

You can get the war file here.

In Sametime 8.5.1 the Meeting Server already has this application and does not need this war any more.

Log into the SSC.

Stop the Sametime Proxy.

Change to applications.

Install a new application.

Browse in the “Local file system” if you have the war locally on your workstation (from where you have started the browser and accessed the SSC).
Use “Remote file system” if you have already copied the war file to the Proxy server’s OS.

Select the “proxy.server.root.war” file and select Next.

Select the default “Fast Path” and click “Next.”

Accept the default and click “Next.”

If you are installing on a single node, just accept the defaults and click the “Next” button. If you are installing into a cluster, then in the “Cluster and services” list select the node/server or cluster (the Proxy cluster) you want to install the application to, check the “Select” check box, click the “Apply” button and then click the “Next” button.

The context root path is normally “/”. This means that when a user enters “http://server.company.com” they are automatically redirected to “http://server.company.com/stwebclient/index.jsp”. If you want users to access the system with “http://server.company.com/chat”, enter just “/chat” in this field. Then click the “Next” button.

I read with interest Carl Tyler’s recent blog entry Sametime Proxy in which he talks about the Sametime Proxy. I agree with Carl that the Proxy is a great piece of technology and a great replacement for STLinks.

I demo’d in my blog entry Sametime Proxy in iNotes – death of STLinks? how the Proxy can be used to replace STLinks in iNotes which should be supported in Sametime 8.5.2 (from what I was told last)…..

Not being of a development mindset I do not fully appreciate it as a toolkit, but I do appreciate it from an infrastructure and functionality standpoint, and the customers who have adopted it appreciate its features.

I look forward to Carl’s forthcoming blog entries so keep an eye on his blog.

I noticed that a white paper from Andy Yiu was released two weeks ago focusing on the architecture of Sametime 8.5x. There is some good information in there and I’d recommend that anyone working with the technology should read it. It’s good to see that information is continuing to be released.

developerWorks article

An IBM’er dropped me an email this afternoon about a portlet which has been released for Portal 7 which integrates with the STProxy. This looks to replace the outdated Sametime Contact List portlet and remove STLinks from Portal.

Now, I haven’t had the chance to try it out but I will soon and post more information.

If someone gets the chance to deploy it please let me know how you get on.

You can get it from the Greenhouse

More information has become available this morning and a Wiki article has been written.

An updated version of the Sametime 7.5 Redbook has been released which is great news.

The information is extremely useful and even a skim through has uncovered a few useful titbits of information I wasn’t aware of.

http://www-10.lotus.com/ldd/stwiki.nsf/xpViewCategories.xsp?lookupName=Redbooks%3A%20Sametime%208.5%20Enterprise%20Scale%20Deployment

PDF version will appear soon.

I was chatting with an IBM’er at the Exceptional Web Experience – IBM Portal Excellence Conference 2010 in Düsseldorf and asked him when Lotus products would start using the Sametime Proxy for awareness thus replacing the need to use STLinks. He told me it was coming soon. Not long afterwards a Developerworks article was released detailing exactly how to do this.

The results are impressive and broaden the consistent UI across the Notes client, Proxy web client and now iNotes, and most importantly it loads quickly.

This is not supported yet but is planned to be available in Sametime 8.5.2.

In this technology preview you also need to be running Domino 8.5.2 (iNotes) and Sametime 8.5 (not 8.5.1 or 8.5.1.1). You will need to make some changes to your Notes.ini and replace your STProxyServer application via the SSC with the version provided in the article.

One thing I did notice: I got errors in IE8 when accessing iNotes, but it works perfectly in Firefox.

The death of STLinks? I hope so.

I set up for a customer a Sametime 8.5.1 proof of concept environment consisting of two Linux servers hosting all the WAS components, Domino LDAP and a Windows Sametime Community server. This install was the “Cell Profile” which means that all components run with their own Deployment Manager and Node Agent and you can install multiple components on the same physical server.

Having been bitten in the early days by the Base DN issue, I installed all components with a blank base DN because I was using a Domino directory as my LDAP repository. All components installed fine, and when accessing the individual DMs’ ISCs and navigating to Users and Groups – Manage Users/Manage Groups I could search for and return the users/groups I wanted.

The problem I came across is after enabling integration with the Meeting server and the Proxy server to power awareness in Meetings, awareness just didn’t work.

I enabled debugging on the Community server and found output such as the following in STUsers*.txt. It shows that C=US is being appended to the DN, so the Community server cannot resolve the name, which is why awareness is not working. I also found that SSO worked in one direction only, Meetings –> STCenter.

101021_134743.595,INF,Users   ,got a request to get the home cluster for CN=Ben Williams,O=ACME
101021_134743.595,INF,LDAP Aut,getting tokens for [CN=Ben Williams,O=ACME]
101021_134743.595,INF,Token Au,get tokens – userId: CN=Ben Williams,O=ACME
101021_134743.595,INF,Token Au,getTokenFromDomino: getting tokens for: CN=Ben Williams,O=ACME
101021_134743.704,INF,Token Au,SECTokenListGenerate returned with status <0>
101021_134743.704,INF,Token Au,LTPA token was successfully generated
101021_134743.704,INF,LDAP Aut,stGetTokens returned [0]
101021_134743.704,FTL,LDAP Aut,authenticating user by tokens
101021_134743.704,INF,LDAP Aut,Starting auth by tokens for [CN=Ben Williams,O=ACME] in org[]
101021_134743.704,FTL,LDAP Aut,checking LDAP format….
101021_134743.704,INF,Token Au,Received token with type <1>
101021_134743.704,INF,Token Au,Validating LTPA/LTPA2 tokens
101021_134743.704,INF,Token Au,Created token entry of type <1>
101021_134743.704,INF,Token Au,SECTokenListValidate returned with status (0)
101021_134743.704,INF,Token Au,User ID extracted from the token is – CN=Ben Williams/O=ACME
101021_134743.704,INF,Token Au,Verify LTPA/LTPA2 token succeeded
101021_134743.704,INF,Token Au,getUserIdSubStrAccordingToConfig: full userId is CN=Ben Williams/O=ACME
101021_134743.704,INF,Token Au,getUserIdSubStrAccordingToConfig: the userId extracted according to uid_prefix and uid_postfix is CN=Ben Williams/O=ACME
101021_134743.704,INF,Token Au,authentication returned code ST_DDA_API_OK for name: CN=Ben Williams/O=ACME
101021_134743.704,INF,LDAP Aut,token for user user [CN=Ben Williams/O=ACME] was successfully verified
101021_134743.704,INF,LDAP Aut,AuthTokenContext::operationBeforeDirSearch verifyTokenAndExtractUserId has returned successfully.
Original login name – <CN=Ben Williams,O=ACME>, extracted user id – <CN=Ben Williams/O=ACME>.
Using the extracted user id.
101021_134743.704,INF,LDAP    ,Entering to isChild
101021_134743.704,INF,LDAP    ,dn = CN=Ben Williams,O=ACME, base =
101021_134743.704,INF,LDAP Aut,Looking up [req -1] [CN=Ben Williams,O=ACME] in [acmeldap.acme.com]
101021_134743.704,INF,ASYNC   ,VpUsrAuthenticate::getUserDetail: pass to authentication BB
101021_134743.704,INF,CRASH   ,ReqMgr::addAuthReq: got new reqId <0xffffffff>
101021_134743.704,INF,LDAP Aut,—- Thread ID: 2844
101021_134743.704,INF,LDAP Aut,Looking up CN=Ben Williams,O=ACME
101021_134743.704,INF,CRASH   ,—- Thread ID: 6128
101021_134743.704,INF,CRASH   ,ReqMgr::addAuthReq:added
101021_134743.704,INF,LDAP Aut,—- Thread ID: 636
101021_134743.704,INF,LDAP Aut,User CN=Ben Williams,O=ACME looked up
101021_134743.704,INF,LDAP Aut,user [CN=Ben Williams/O=ACME] successfully authenticated by token
101021_134743.704,INF,LDAP Aut,Async auth done. [req -1]

[user CN=Ben Williams,O=ACME] [name Ben Williams] [home ] [organization ]
101021_134743.767,INF,Users   ,VpUsrAuthenticate::handleCheckUser: authenticating user with loginName=Ben.Williams@acme.com by a single token
101021_134743.767,FTL,LDAP Aut,authenticating user by tokens
101021_134743.767,INF,LDAP Aut,Starting auth by tokens for [Ben.Williams@acme.com] in org[]
101021_134743.767,INF,Token Au,Received token with type <0>
101021_134743.767,INF,Token Au,Validating LTPA/LTPA2 tokens
101021_134743.767,INF,Token Au,Created token entry of type <0>
101021_134743.767,INF,Token Au,SECTokenListValidate returned with status (0)
101021_134743.767,INF,Token Au,User ID extracted from the token is – CN=Ben Williams/O=ACME/C=US
101021_134743.767,INF,Token Au,Verify LTPA/LTPA2 token succeeded
101021_134743.767,INF,Token Au,getUserIdSubStrAccordingToConfig: full userId is CN=Ben Williams/O=ACME/C=US
101021_134743.767,INF,Token Au,getUserIdSubStrAccordingToConfig: the userId extracted according to uid_prefix and uid_postfix is CN=Ben Williams/O=ACME/C=US
101021_134743.767,INF,Token Au,authentication returned code ST_DDA_API_OK for name: CN=Ben Williams/O=ACME/C=US
101021_134743.767,INF,LDAP Aut,token for user user [CN=Ben Williams/O=ACME/C=US] was successfully verified
101021_134743.767,INF,LDAP Aut,AuthTokenContext::operationBeforeDirSearch verifyTokenAndExtractUserId has returned successfully.
Original login name – <Ben.Williams@acme.com>, extracted user id – <CN=Ben Williams/O=ACME/C=US>.
Using the extracted user id.
101021_134743.767,INF,LDAP    ,Entering to isChild
101021_134743.767,INF,LDAP    ,dn = CN=Ben Williams,O=ACME,C=US, base =
101021_134743.767,INF,LDAP Aut,Looking up [req -2] [CN=Ben Williams,O=ACME,C=US] in [acmeldap.acme.com]
101021_134743.767,INF,ASYNC   ,VpUsrAuthenticate::authenticateByToken: pass to authentication BB reqId <0xfffffffe>
101021_134743.767,INF,CRASH   ,ReqMgr::addAuthReq: got new reqId <0xfffffffe>
101021_134743.767,INF,LDAP Aut,—- Thread ID: 2844
101021_134743.767,INF,LDAP Aut,Looking up CN=Ben Williams,O=ACME,C=US
101021_134743.767,INF,CRASH   ,—- Thread ID: 6128
101021_134743.767,INF,CRASH   ,ReqMgr::addAuthReq:added
101021_134743.767,FTL,LDAP Aut,—- Thread ID: 636
101021_134743.767,FTL,LDAP Aut,Failed looking up [CN=Ben Williams,O=ACME,C=US]. Trying directory-wide search
101021_134743.767,INF,LDAP Aut,—- Thread ID: 2844
101021_134743.767,INF,LDAP Aut,Searching [base ] [filter (&(objectclass=organizationalPerson)(|(mail=CN=Ben Williams/O=ACME/C=US)(cn=CN=Ben Williams/O=ACME/C=US)(uid=CN=Ben Williams/O=ACME/C=US)))] [scope Subtree]
101021_134743.767,INF,LDAP Aut,—- Thread ID: 636
101021_134743.767,INF,LDAP Aut,Search of [CN=Ben Williams/O=ACME/C=US] failed because the user was not found
101021_134743.767,INF,LDAP Aut,AuthContext::changeConversionFlagIfSearchAllowed()=> all the attempts to search for a LDAP record of [CN=Ben Williams,O=ACME,C=US] has been finished
101021_134743.767,INF,LDAP Aut,AuthContext::nextDir – done dir = acmeldap.acme.com
101021_134743.767,INF,LDAP Aut,Async auth failed. [req -2]
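To find this class of problem quickly in a large STUsers*.txt, you can pair each “extracted user id” line with the outcome of the directory lookup that follows it and report the ids whose lookup failed, together with any RDNs beyond the Domino org (here the appended C=US). The script below is an added example, not from the post or from IBM; the log excerpt in it is constructed from the lines above, and the expected org name is passed in by the caller.

```python
import re

# Constructed excerpt modelled on the STUsers*.txt lines shown in the post.
SAMPLE_LOG = """\
101021_134743.704,INF,LDAP Aut,AuthTokenContext::operationBeforeDirSearch verifyTokenAndExtractUserId has returned successfully.
Original login name - <CN=Ben Williams,O=ACME>, extracted user id - <CN=Ben Williams/O=ACME>.
101021_134743.704,INF,LDAP Aut,Looking up [req -1] [CN=Ben Williams,O=ACME] in [acmeldap.acme.com]
101021_134743.704,INF,LDAP Aut,User CN=Ben Williams,O=ACME looked up
101021_134743.704,INF,LDAP Aut,Async auth done. [req -1]
101021_134743.767,INF,LDAP Aut,AuthTokenContext::operationBeforeDirSearch verifyTokenAndExtractUserId has returned successfully.
Original login name - <Ben.Williams@acme.com>, extracted user id - <CN=Ben Williams/O=ACME/C=US>.
101021_134743.767,INF,LDAP Aut,Looking up [req -2] [CN=Ben Williams,O=ACME,C=US] in [acmeldap.acme.com]
101021_134743.767,FTL,LDAP Aut,Failed looking up [CN=Ben Williams,O=ACME,C=US]. Trying directory-wide search
101021_134743.767,INF,LDAP Aut,Search of [CN=Ben Williams/O=ACME/C=US] failed because the user was not found
101021_134743.767,INF,LDAP Aut,Async auth failed. [req -2]
""".splitlines()

# The dash in the real log may be "-" or an en dash depending on how it was captured.
EXTRACTED = re.compile(r"Original login name [-\u2013] <(?P<login>[^>]*)>, "
                       r"extracted user id [-\u2013] <(?P<uid>[^>]*)>")
LOOKUP = re.compile(r"Looking up \[req -?\d+\] \[(?P<dn>[^\]]*)\]")
OUTCOME = re.compile(r"Async auth (?P<result>done|failed)\. \[req -?\d+\]")

def unexpected_rdns(uid, expected_org):
    """RDNs in a Notes-style CN=x/O=y/... id other than the CN and the expected O."""
    rdns = [p.strip() for p in uid.split("/") if p.strip()]
    org = "O=" + expected_org.upper()
    return [r for r in rdns if not r.upper().startswith("CN=") and r.upper() != org]

def find_unresolvable(lines, expected_org):
    """Return one record per token authentication whose LDAP lookup failed."""
    findings, pending = [], None
    for line in lines:
        if (m := EXTRACTED.search(line)):
            pending = {"login": m["login"], "uid": m["uid"], "dn": None}
        elif pending and (m := LOOKUP.search(line)):
            pending["dn"] = m["dn"]
        elif pending and (m := OUTCOME.search(line)):
            if m["result"] == "failed":
                pending["extra_rdns"] = unexpected_rdns(pending["uid"], expected_org)
                findings.append(pending)
            pending = None  # this authentication attempt is complete either way
    return findings

if __name__ == "__main__":
    for f in find_unresolvable(SAMPLE_LOG, "ACME"):
        print(f"login {f['login']!r}: token id {f['uid']!r} not resolvable, "
              f"unexpected RDNs {f['extra_rdns']}")
```

Run it over a real STUsers*.txt with the Domino org the Community server expects; an empty result means every token id the server extracted was found in LDAP.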

With a bit of help from IBM we were able to resolve the issue by making the following changes.

Make the following changes to the Meeting server DM as well as the SSC. Make a backup of wimconfig.xml first, and synchronise and restart after each change.

Log into the ISC.
Go to Global Security –> Federated Repositories –> the Domino federated repository, then:

1.) Set “Distinguished name of a base entry that uniquely identifies this set of entries in the realm” to match the Domino org.

2.) Set “Distinguished name of a base entry in this repository” to blank (empty).

3.) Edit the DM’s wimconfig.xml file under the profile_root/config/cells/cell_name/wim/config directory as follows (this example changes the mapping to “externalName”):

From:
<config:uniqueUserIdMapping propertyForInput="uniqueName" propertyForOutput="uniqueName"/>

To:
<config:uniqueUserIdMapping propertyForInput="externalName" propertyForOutput="externalName"/>

This is the key piece to prevent the appending of the O=ACME to the value in the token generated by WAS.

And then synchronise and restart the nodes and deployment manager.

Please note – if you make subsequent changes to the Global Security Federated Repository area using the ISC – Step 3 may need to be redone as changes may be lost.

What this does:

Step 1.) Ensures that the username in the LTPA token created by Domino maps to an existing repository in WAS. If there is no match, you get the “user not in defined realm” error in the logs.

Step 2.) Ensures that Domino flat groups can be found for policies.

Step 3.) Ensures that the username in the LTPA token that WAS generates is resolvable by the Sametime Community Server. In general, Domino does not validate the username contained within the LTPA token; it grants the user “default” level access to the database based on the validity of the token.

The above has found its way into an APAR and should feature in a Technote soon; future releases of 8.5 should be configured this way out of the box.

Again, much thanks to IBM for assisting in fixing this.
