Sametime photos served up by IHS

Between customer work I have been working on replacing our internal Sametime servers with shiny new 9.0.1 servers using AD instead of Domino LDAP.

The final piece of the puzzle is photos. Anyone who knows Sametime knows that something as simple as a photo is not made simple by the applications. The Sametime Proxy requires an LDAP attribute (PhotoURL) to be used which points STProxy to the image retrieving it for the client. Meetings doesn’t use the same approach, grr. It can use a binary object saved in LDAP or offload the retrieval to a web server like PhotoURL for STProxy but uses a “string” where all photos must be named Confusing? Yep.

I was about to roll over and say it’s not possible but it seems that it is possible to cover all use cases.

  1. Notes/Sametime clients using ImagePath URL
  2. STProxy web client using PhotoURL
  3. Meetings off loading to a web server
  4. Stop external access to photos

The nice thing STProxy does is that it will “proxy” the photos so the web browser doesn’t need direct connectivity to the jpgs. That is great because I can put the photos on an internal facing web server. The STProxy then calls the URL specified in the user’s LDAP entry (PhotoURL), caches it locally and then serves it up. Brilliant, I can lock the photos away so that no one can browse them from the internet if they know our email addresses.

You’ll need to update stproxyconfig.xml adding proxyServerURL otherwise it will not work. Don’t forget to sync and restart STProxy.


Ah, the Meeting server doesn’t follow the same logic. Clients (thick or web browser or mobile) need direct access to the photo to render it in the client. This means I’m back to square one….

Let’s jump back a step. How do we get the photos up to a web server?

Photos from Connections

At present our Sametime and Connections servers are using different LDAPs so SSO is not possible and even if it was retrieving photos from Connections via is not possible for guests because the photos require authentication so using the Connections business card for STProxy and Meetings is a show stopper.

Luckily in the Connections TDISOL there is an AL we can use called dump_photos_to_files. I won’t go into too much details about this but you can copy and paste the AL and then alter it. I altered it to return all user’s email addresses as well as UID and then dump the photos in the format of emailaddress.jpg which is the format needed by the Meeting server.

You may find the email addresses are capitalised. If so you will need to add some JavaScript to the lookup_user process to get it all in lower case


Once you have the photos in the correct format you need to get them from the server running TDI to a web server.

Web server

The logical way to serve the photos is using IHS in front of Connections. To get the files there I needed to scp them from the TDI server to IHS. I had to create ssh-keygens detailed in so I could scp the files wrapped in a shell script. Incidentally , the shell script called the AL and then scp’d the photos to the IHS server. Then add the shell script to cron so it is called on a schedule.

I wanted to lock down access to the photos so that people couldn’t browse to them. This is a little difficult to do but you can use IP ranges for all your internal offices and/or VPNs so that they are allowed to access the photos. The problem is guests who are truly external.

I created a new virtual host in httpd.conf with the following details.

# Sametime photos
<VirtualHost *:80>
DocumentRoot “/opt/IBM/HTTPServer/photos”
RewriteEngine On
RewriteCond %{HTTP_COOKIE} !LtpaToken2=.*$ [NC]
RewriteCond %{HTTP_COOKIE} !LtpaToken=.*$ [NC]
RewriteCond %{HTTP_COOKIE} !STPluginActivePage=stMeetingroom [NC]
# Old subnets and staff VPN
RewriteCond %{REMOTE_ADDR} !^xxx\.xx\.(x[x-x]|x[x-x])\.([x-x]|[x-x][x-x]|x([x-x][x-x])|x([x-x][x-x]|x[x-x]))$
# UK
RewriteCond %{REMOTE_ADDR} !^xxx\.xx\.(x[x-x]|x[x-x])\.([x-x]|[x-x][x-x]|x([x-x][x-x])|x([x-x][x-x]|x[x-x]))$
# India
RewriteCond %{REMOTE_ADDR} !^xxx\.xx\.(x[x-x]|x[x-x])\.([x-x]|[x-x][x-x]|x([x-x][x-x])|x([x-x][x-x]|x[x-x]))$
# Sametime Proxy
RewriteCond %{REMOTE_ADDR} !^xxx\.xx\.xx\.xxx$ [NC]
RewriteRule ^(.*)$ [R,L]

In a nutshell this allows all clients on certain IP range s to access photos. It also allows any web browser whether it is internal or on the internet to access photos IF it has either one of three cookies, LtpaToken/LtpaToken2 which is provided to the browser when someone authenticates or the cookie STPluginActivePage which the browser stores when you enter a meeting room. STPluginActivePage is in the browser whether you are a guest or an authenticated user, you just need to enter a meeting room.

I included both LtpaToken and LtpaToken2. I found the Sametime client was sending only LtpaToken with the HTTP GET for the photos. This may be due to the fact that I allow both LtpaToken and LtpaToken2 in the Domino web SSO configuration document. If you only allow LtpaToken2 then you may find that the client sends LtpaToken2 with the GET.

If you are a web browser outside of the IP ranges and you do not have any of the three cookies then you will be redirected to You could change this to a static html page of your choice.

I’m no whiz when it comes to Apache but I have tested this quite a bit and it seems pretty secure and should cover most bases. Of course it doesn’t stop a meeting guest from guessing email addresses and browsing other people’s photos but since you have invited them to a meeting, provided them with the meeting room password there is an element of familiarity that should stop them from being malicious in this way. If you back this up with changing the meeting room passwords often you should be in a strong position to keep these photos relatively secure.

If anyone has any thoughts on the httpd.conf I am all ears as I would like to tie it down further if it needs it.


I found that my original RewriteCond  for the IP addresses were not working. I was originally using the following method because it seemed nice and easy to just enter the CIDR but reading further the following approach only works with Apache 2.4 and IHS is using 2.2.8. You can find out by running apachectl -V.

RewriteCond expr “-R ‘xxx.xx.xx.0/xx'”

So regex was the only way to go and trying to work it out was going to be a headache. To my rescue came to convert the CIDR to all the IP addresses (well the first and last) and then I put these values into to give me the regex.

Sametime Proxy web client to web client audio and video

In a recent New Way To Learn session hosted by Frank Altenburg he gave us the changes necessary to enable this feature but my brief testing has been mixed.

To enable it you change stproxyconfig.xml in /opt/IBM/WebSphere/AppServer/profiles/STSCDMgrProfile/config/cells/SametimeSSCCell/nodes/*******/servers/STProxyServer/ for Linux adding “<onetoonefeature>true</onetoonefeature>”


Sync the nodes and then restart the Sametime Proxy server.

When you log into Sametime Proxy you’ll see that you need to install the WebPlayer plugin if you haven’t already as shown by the stars next to the two new icons.



You’ll need to accept some pop ups allowing the plugin to run.

My brief testing was mixed. I was testing on two Windows laptops and hadn’t restarted them after the plugin was installed not that it stopped me from using AV in a meeting. In most cases I saw “Call unavailable for Selected Contact” even though they were both web clients with the plugin installed.


I’ll test some more over the weekend. Let me know if anyone gets better results.

Remember this is a technology preview and may not be ready for production use!

New Sametime Proxy APNs test application

I have written a couple of posts on this because I find the application extremely helpful in diagnosing network related issues with connection to APNs (Apple Push Notification service) so that iOS devices can receive IMs when the application is “backgrounded.”

Here is the application which includes a text file providing you with the correct syntax to us which would go something like this, for Windows.

D:\support\apnstest>d:\IBM\WebSphere\AppServer\java\bin\java.exe -jar apnstest.jar -k D:\IBM\WebSphere\AppServer\profiles\xxxxSTPPNProfile1\config\cells\xxxx01SSCCell\nodes\xxxxSTPNode1\apns-prod.pkcs12
APNS Test ScriptVersion: 2.0.0
Testing using key: D:\IBM\WebSphere\AppServer\profiles\xxxxxSTPPNProfile1\config\cells\xxxxx01SSCCell\nodes\xxxxSTPNode1\apns-prod.pkcs12
Testing using server:
Testing using port: 2195
About to attempt to connect to APNS
Initialized SSL Context
SSL Socket Created
Starting SSL Handshake
SSL Handshake Complete, O=Apple Inc., L=Cupertino, ST=California, C=US
CN=Entrust Certification Authority – L1C, OU=”(c) 2009 Entrust, Inc.”, is incorporated by reference, O=”Entrust, Inc.”, C=US
Successfully Connected to APNS
Test notification will not be sent

D:\support\apnstest>d:\IBM\WebSphere\AppServer\java\bin\java.exe -jar apnstest.jar -k D:\IBM\WebSphere\AppServer\profiles\xxxxxSTPPNProfile1\config\cells\xxxx01SSCCell\nodes\xxxxSTPNode1\apns-prod.pkcs12 -s -p 2196
APNS Test ScriptVersion: 2.0.0
Testing using key: D:\IBM\WebSphere\AppServer\profiles\xxxxSTPPNProfile1\config\cells\xxxx01SSCCell\nodes\xxxxSTPNode1\apns-prod.pkcs12
Testing using server:
Testing using port: 2196
About to attempt to connect to APNS
Initialized SSL Context
SSL Socket Created
Starting SSL Handshake
SSL Handshake Complete, O=Apple Inc., L=Cupertino, ST=California, C=US
CN=Entrust Certification Authority – L1C, OU=”(c) 2009 Entrust, Inc.”, is incorporated by reference, O=”Entrust, Inc.”, C=US
Successfully Connected to APNS
Test notification will not be sent

Sametime meetings not working in STProxy web client

I found that for a customer the meetings icons in the STProxy web client wasn’t bringing up the user’s meeting rooms. After a bit of debugging server trace showed that an LtpaToken was being generated but the browser wasn’t getting an LtpaToken returned to it. It drove me made because the STProxy doesn’t need to have SSO enabled for it to work like the Meeting server does, regardless of that, SSO worked in all directions between the Community server and the Meeting server and the STProxy is in the same cell as the Meeting server so SSO should work!

I raised a PMR and IBM asked me to add the following to the stproxyconfig.xml. After a sync and a restart of STProxy all is well.


(replace with your domain)

I’m not sure whether this is missing from the patch they are running which is CKEY-9L9JM5 which is not the latest patch released a couple of weeks ago BPAS-9QSNS7.

The comment from IBM is “for long term the code should be fixed, dev created rtc ticket for it as well as APAR created: LO83144”



Stproxyconfig.xml is overwritten with incorrect APNs port and changed when applying an update

I have seen this problem a couple of years ago but didn’t follow it up with IBM through a PMR. For another customer I found the following happened after I applied the latest Sametime Proxy (STProxy) patch available on Fix Central.

After applying the update the stproxyconfig.xml was changed and the bespoke values that were previously there removed. This was odd in itself but after applying the values again through the SSC the values sticked.

The values that were removed are as follows.

Before update:



After update:



After I corrected the Meeting server URL and the appleNotificationPort I synced the node and restarted STProxy.

It wasn’t until making a change to the userTimeout value and applying the change in the SSC I noticed that the value for appleNotificationPort was changed (again) from 2195 to the incorrect value of 2196.

I logged a PMR and was told that the problem with saving the STProxy configuration in the SSC and it changing the appleNotificationPort value was reported in SPR #DMWR8UCR58 and APAR  LO69429.

I have tested on a Sametime 9 Proxy with the latest patch and cannot reproduce the behaviour.

It’s something to be aware of when updating STProxy and making changes in the SSC.

Android Sametime client not connecting when SSL is enabled

A customer has exposed their Sametime Proxy to the internet so that they can access it using the Sametime client on mobile devices. One step is to import SSL certificates which the customer did using the very good Zero to Hero presentations.

I queried the application of the intermediary and root Certificate Authority (CA) certificates. The Zero to Hero and all other IBM documentation tells you to import the root and intermediary certificates into the CellDefaultTrustStore. I have for the STProxy and Sametime Gateway always installed into the CellDefaultKeyStore along with the CA signed device certificate. This creates a chain of certificates.

Anyway, once the customer had imported the certificates and I had imported them to the OS (Windows) so the Windows services would work the customer could not connect using his Android Sametime client but via a web browser it worked not problems.

I asked him to enable debugging and the logs he sent me from his handset showed the following (extract):

2013/06/21 16:28:15.891    340    FINE    CommonHttpClient$QueryX509TrustManager.checkServerTrusted:928    ENTRY: Server certificate validation Trust anchor for certification path not found.
2013/06/21 16:28:15.895    340    FINE    HTTPComm.BadCertificateNotifier:579    Enter HTTPComm.BadCertificateNotifier()
2013/06/21 16:28:15.895    340    FINE    CommonHttpClient$QueryX509TrustManager.checkServerTrusted:937    Trust anchor for certification path not found. Trust anchor for certification path not found.
    at org.apache.harmony.xnet.provider.jsse.TrustManagerImpl.checkTrusted(
    at org.apache.harmony.xnet.provider.jsse.TrustManagerImpl.checkServerTrusted(
    at org.apache.harmony.xnet.provider.jsse.OpenSSLSocketImpl.verifyCertificateChain(
    at org.apache.harmony.xnet.provider.jsse.NativeCrypto.SSL_do_handshake(Native Method)
    at org.apache.harmony.xnet.provider.jsse.OpenSSLSocketImpl.startHandshake(
    at org.apache.harmony.xnet.provider.jsse.OpenSSLSocketImpl$SSLInputStream.<init>(
    at org.apache.harmony.xnet.provider.jsse.OpenSSLSocketImpl.getInputStream(
    at org.apache.http.impl.SocketHttpClientConnection.createSessionInputBuffer(
    at org.apache.http.impl.conn.DefaultClientConnection.createSessionInputBuffer(
    at org.apache.http.impl.SocketHttpClientConnection.bind(
    at org.apache.http.impl.conn.DefaultClientConnection.openCompleted(
    at org.apache.http.impl.conn.DefaultClientConnectionOperator.openConnection(
    at org.apache.http.impl.client.DefaultRequestDirector.execute(
    at org.apache.http.impl.client.AbstractHttpClient.execute(
    at org.apache.http.impl.client.AbstractHttpClient.execute(

2013/06/21 16:28:15.895    340    FINE    CommonHttpClient$QueryX509TrustManager.checkServerTrusted:953    ENTRY: User rejected server’s certificate
2013/06/21 16:28:15.901    340    FINE    STProxy.retryComm:1773    retryComm – command = 1 retries = 20
2013/06/21 16:28:15.901    340    INFO    HTTPComm.sendURLRequest:501    _sendurlrequest: Connection rejected. req = POST, cmd = 1, exception = Trust anchor for certification path not found.

I then found the following resource which suggested that I query the customers Sametime Proxy using an OpenSSL client using the command

openssl s_client -debug -connect

The last line from the output was Verify return code: 21 (unable to verify the first certificate)

So I imported the intermediary and root certificates in to the CellDefaultKeyStore and after a restart of STProxy his device could connect.

I’m, not sure why IBM’s documentation tells me to do it the other way but I do know that for this instance my way works!!

Change who the announcement is from when sending a Sametime IM to a mobile device

A customer was having a problem with notifications sent to someone using a mobile device logged into an STProxy server. The name of the server was not “Server” as it is normally but rather a random other server. There were two approaches, continue fixing it or remove the “Server” name and replace it with the name of the recipient which personally sounded a far better option.

The (always) helpful Cormac O’Leary from the Sametime PMR team assisted and liaised with L3 and provided me with a new cumulative hot fix. Once installed I had to add  to edit stproxyconfig.xml, located in AppServer/profiles/<Profile_Name>/config/cells/<Cell_Name>/nodes/<Node_Name>/servers/STProxyServer/stproxyconfig.xml

Add the following values to the <configuration> element. If a <mobile> element is already present, add the <disableSystemNoficiations> element to that existing element.




Now when an IM is sent to a using on a mobile device the name of the announcement is not “Server” as it is currently but rather the recipient’s name.

new STProxy announcement