
Working With Sametime For Mobile Devices

Date post: 22-Jan-2018
New Way To Learn: Deploying Instant Messaging For Mobile Devices. Gabriella Davis, Technical Director, The Turtle Partnership, [email protected]
Transcript
Page 1: Working With Sametime For Mobile Devices

New Way To Learn

Deploying Instant Messaging For Mobile Devices

Gabriella Davis, Technical Director, The Turtle Partnership, [email protected]

Page 2: Working With Sametime For Mobile Devices

Who Am I?

Admin of all things and especially quite complicated things where the fun is

Working with security, health checks, single sign on, design and deployment of Domino, ST, Connections and things that they talk to

Stubborn and relentless problem solver

Lives in London about half of the time. [email protected]: gabturtle

Awarded the first IBM Lifetime Achievement Award for Collaboration Solutions

Page 3: Working With Sametime For Mobile Devices

Architecture

Page 4: Working With Sametime For Mobile Devices

DB2

❖ Licensed as part of Sametime Communicate or Complete

❖ Used to store data for the Apple push notification activity

❖ If you aren’t using iOS devices then the DB2 database for STProxy isn’t being used

❖ In default mode, when you leave the IM or Meeting application on iOS it remains backgrounded, and you remain logged in and available to other users

❖ Backgrounding can be disabled as a server setting

Page 5: Working With Sametime For Mobile Devices

Sametime System Console

❖ The SSC is used to manage all the Sametime components

❖ It must be aware of all servers in order to integrate their services

❖ It also manages all policies

❖ A Sametime Proxy server doesn’t have to be installed as part of the SSC Cell

Page 6: Working With Sametime For Mobile Devices

Domino

❖ Sametime 9.0.1 still requires Domino and is still a 32-bit application

❖ You must first install Domino before you can install the 32-bit Community Server on top of it

Page 7: Working With Sametime For Mobile Devices

Community Server

❖ Installs on top of Domino

❖ Is a subtask of the HTTP server

❖ load staddin

❖ Create a deployment plan in the SSC and install using that so it’s federated

❖ All the other servers need to know about it

❖ Using Domino’s proprietary directory format is no longer supported for any component; you must use LDAP

❖ Using Domino as LDAP is supported

Page 8: Working With Sametime For Mobile Devices

Sametime Proxy Server

❖ The Sametime Proxy server is an HTTP proxy which connects to the Sametime Community Server

❖ By default it will attempt to consume any server in the domain

❖ Any server document with “Is Sametime Server” set to “yes”

❖ The Sametime Proxy server is used by

❖ Web clients

❖ Web meetings

❖ Mobile applications

❖ Awareness in applications

❖ Connections integration

Page 9: Working With Sametime For Mobile Devices

Mobile Access Architecture (diagram)

Components: Sametime System Console (deployment plan, Sametime server, server configuration, server policies); DB2 (SSC policies in STSC, STProxy database for iOS push); Sametime Proxy Server (web proxy); Sametime Community Server; LDAP Server.

Flow: the mobile client requests access for chat or meetings over port 443; the request is passed to the Community server for validation; the Community server authenticates the credentials against the LDAP server; policies are read from the SSC and applied.

Page 10: Working With Sametime For Mobile Devices

Mobile Access and Security (diagram)

The same flow split across zones: the mobile client connects from outside to the Sametime Proxy Server in the mobile DMZ; the request is passed to the Sametime Community Server on the internal network for validation; the Community server authenticates the credentials against the LDAP server; the SSC and DB2 also sit on the internal network. Port labels in the diagram: 443 for the client request and 1516 for the Proxy-to-Community connection.

Page 11: Working With Sametime For Mobile Devices

Configuration

Page 12: Working With Sametime For Mobile Devices

Create A Proxy Database

❖ Create a DB2 database to be used by iOS applications

❖ createProxyDb STPROXY db2admin

Screenshot callouts: script to create the database; database schema

Page 13: Working With Sametime For Mobile Devices

It can take a few minutes to run, but when complete you should see this message

Page 14: Working With Sametime For Mobile Devices

Add It To The SSC

Screenshot callouts: DB2 server hostname & port; newly created DB name (stdb.turtlehost.net)

Page 15: Working With Sametime For Mobile Devices

Create A Deployment Plan

Only visible to administrators, not users

Page 16: Working With Sametime For Mobile Devices

Create A Deployment Plan

Each cluster can only have one primary node

Each cell can only have one cluster of each server type

Page 17: Working With Sametime For Mobile Devices

Adding A Primary Node To The SSC

Add the new node to the existing Cell (the System Console)

Page 18: Working With Sametime For Mobile Devices

Create A Deployment Plan

One option is to install additional Sametime Proxy Servers in their own cells

Page 19: Working With Sametime For Mobile Devices

Hostname for the install

WebSphere credentials for the install. If the server is federated into an existing cell these are removed

Page 20: Working With Sametime For Mobile Devices
Page 21: Working With Sametime For Mobile Devices

Confirming The Install

Page 22: Working With Sametime For Mobile Devices

Verifying SSC-Proxy

Host and credentials the SSC uses to open the proxy server

Page 23: Working With Sametime For Mobile Devices

If this page opens successfully you have confirmed the routing from SSC to Proxy

Page 24: Working With Sametime For Mobile Devices

Installing Standalone

❖ The Sametime Proxy server can only be federated into the SSC as a single cluster

❖ When WAS servers are clustered horizontally with a primary and several secondary nodes, they are all considered “equal”

❖ Horizontal clusters are not suitable if you want to manage access by location

Page 25: Working With Sametime For Mobile Devices

Virtual Hosts

❖ Create a specific virtual host for all the hostname:port combinations your Sametime Proxy Server will use

❖ These should be unique within your cell as they tell WebSphere how to route traffic to the application

❖ Avoid using wildcard hostnames

Screenshot callout: application ports

Page 26: Working With Sametime For Mobile Devices

Mapping Virtual Hosts

❖ Once our virtual host is created we need to map the modules associated with the application to use it instead of “default_host”

Page 27: Working With Sametime For Mobile Devices

Proxy Server Configuration

Screenshot callouts: how a web meeting is started; servers should share an LtpaToken; specific community clusters by name to use, or specific community servers

Page 28: Working With Sametime For Mobile Devices

Mobile Configuration

Screenshot callout: server-wide settings to determine client behaviour

Page 29: Working With Sametime For Mobile Devices

Meeting Server Configuration

Page 30: Working With Sametime For Mobile Devices

Server-Wide Mobile Security Settings

Page 31: Working With Sametime For Mobile Devices

Meeting Server Configuration

❖ There are additional settings that can force users to upgrade their mobile clients if they are using versions older than X

❖ That’s a very specific, and potentially painful, admin use case

❖ mobile.Android.currentVersion / mobile.Android.minVersion

❖ mobile.iOS.currentVersion / mobile.iOS.minVersion

Page 32: Working With Sametime For Mobile Devices

Clustering

❖ Each cluster must be managed by a deployment manager

❖ That deployment manager can be, but does not have to be, the SSC

❖ There can be only one primary node in a cluster

❖ Deployment plans can only be created for one cluster of Sametime Proxy Servers

❖ but a different cluster can be added manually

❖ Servers in the same cluster are considered the same for serving user requests and users could be directed to any available member

Page 33: Working With Sametime For Mobile Devices

Security

Page 34: Working With Sametime For Mobile Devices

Reverse Proxies

❖ A reverse or authenticating proxy can provide secure access through a DMZ to your meeting servers

❖ For larger deployments you may want to keep the Sametime Proxy and Meeting Servers on the internal network and use a reverse proxy in the DMZ

❖ These proxies will authenticate with the LDAP servers directly before passing the authorisation through to the application servers

Page 35: Working With Sametime For Mobile Devices

Deploying An SSL Certificate

❖ Never deploy to mobile clients without SSL

❖ A trusted SSL certificate is particularly important when deploying mobile clients

❖ Both the Chat and Meeting applications allow users to accept untrusted SSL certificates

❖ You can turn that off in the server configuration

❖ Replace the installed internal SSL certificate with one you have purchased

Page 36: Working With Sametime For Mobile Devices

Adding A New SSL Certificate

❖ Under Security - SSL Certificates and Key Management

❖ We want to import the trusted roots of the CA into the Trust Store

❖ In this example GoDaddy supplied a CRT bundle that I simply “Added”

Page 37: Working With Sametime For Mobile Devices

Adding A New SSL Certificate

❖ I then had the IBM signer created during install and the GoDaddy signer that will be used to create my certificate

Page 38: Working With Sametime For Mobile Devices

Creating A CSR

❖ The simplest method of getting a certificate into WebSphere is to create the CSR there

❖ Then you can simply “receive” the new certificate into the DefaultKeyStore

BEWARE!!

Page 39: Working With Sametime For Mobile Devices

Adding A Personal Certificate

❖ If you can’t do that, then a P12 works well

❖ You must have the private key component of the certificate you want to add

Page 40: Working With Sametime For Mobile Devices

Replacing The Default Certificate

❖ In my environment I have purchased a wildcard turtlehost.net certificate I want each server to use

❖ Rather than individually change each server, I can replace the default certificate with my new wildcard once it’s imported

❖ Select the “default” certificate and choose “Replace”

Page 41: Working With Sametime For Mobile Devices

Or.. Apply To Endpoints

❖ If I want to apply different certificates to different servers I can do this by mapping the server endpoints to each one

Page 42: Working With Sametime For Mobile Devices

You MUST map both the inbound and outbound endpoints, then sync and restart the servers

Page 43: Working With Sametime For Mobile Devices

Beware! 4096-bit Certificates

❖ WebSphere Application Server does not support 4096-bit certificates out of the box

❖ Previously if you attempted to add one you would get an error “RSA Premaster Secret” and it would refuse to add

❖ Now you don’t get the error, it does add

❖ It just doesn’t work

❖ There’s an easy fix

Page 44: Working With Sametime For Mobile Devices

Unrestricted Java Policy Files

❖ Download the unrestricted Java policy files from IBM Fix Central

❖ There are two files, local_policy.jar and US_export_policy.jar, that overwrite those in

❖ <websphere install directory>/java/jre/lib/security

❖ Shutdown your servers

❖ Replace the files

❖ Start the servers

❖ Not doing this and deploying 4096-bit certificates will lead to

❖ servers being unable to talk to each other

❖ you being unable to stop your servers cleanly

❖ audio and video not working
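As an added illustration (not part of the presentation), a small Python helper that performs the file-replacement step above with a backup, so the original restricted jars can be restored if needed. The WebSphere install directory and the folder holding the downloaded jars are caller-supplied assumptions, and demo() builds a constructed scratch layout rather than touching a real install; stopping and starting the servers stays a manual step.

```python
import shutil
import tempfile
import time
from pathlib import Path

# The two jars named on the slide; they live under <websphere install>/java/jre/lib/security.
POLICY_JARS = ("local_policy.jar", "US_export_policy.jar")


def security_dir(was_home):
    return Path(was_home) / "java" / "jre" / "lib" / "security"


def install_unrestricted_policy(was_home, downloaded_dir, backup_suffix=None):
    """Back up the current policy jars, then overwrite them with the downloaded
    ones. Returns the backup paths. Run only while the servers are stopped."""
    sec = security_dir(was_home)
    src = Path(downloaded_dir)
    if not sec.is_dir():
        raise FileNotFoundError(f"no security directory at {sec}")
    missing = [j for j in POLICY_JARS if not (src / j).is_file()]
    if missing:
        raise FileNotFoundError("downloaded files missing: " + ", ".join(missing))
    suffix = backup_suffix or time.strftime(".bak-%Y%m%d%H%M%S")
    backups = []
    for jar in POLICY_JARS:
        target = sec / jar
        if target.exists():
            backup = target.with_name(jar + suffix)
            shutil.copy2(target, backup)  # keep the restricted jar for rollback
            backups.append(backup)
        shutil.copy2(src / jar, target)
    return backups


def policy_is_installed(was_home, downloaded_dir):
    """True when both installed jars are byte-identical to the downloaded ones."""
    sec, src = security_dir(was_home), Path(downloaded_dir)
    return all((sec / j).read_bytes() == (src / j).read_bytes() for j in POLICY_JARS)


def demo():
    """Constructed scratch layout (not a real WAS install) to exercise the replacement."""
    root = Path(tempfile.mkdtemp())
    was_home, dl = root / "WebSphere", root / "fixcentral"
    security_dir(was_home).mkdir(parents=True)
    dl.mkdir()
    for jar in POLICY_JARS:
        (security_dir(was_home) / jar).write_bytes(b"restricted-" + jar.encode())
        (dl / jar).write_bytes(b"unrestricted-" + jar.encode())
    before = policy_is_installed(was_home, dl)
    backups = install_unrestricted_policy(was_home, dl, backup_suffix=".bak")
    after = policy_is_installed(was_home, dl)
    return before, after, [b.name for b in backups]
```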

Page 45: Working With Sametime For Mobile Devices

Chat Policies

Page 46: Working With Sametime For Mobile Devices

Meeting Policies

❖ There are no specific policy settings for mobile users in Meeting Rooms

❖ Mobile specific settings are in the Meeting server configuration itself as they apply to all users

❖ Meeting policies apply to a user whether they are on a mobile device or not

Page 47: Working With Sametime For Mobile Devices

Media Policies

❖ The line rate will affect how much video data is broadcast to the mobile client

Page 48: Working With Sametime For Mobile Devices

Client Behaviour

Page 49: Working With Sametime For Mobile Devices

Apple Push Notification Service

❖ To enable push notifications for iOS devices you must allow outbound traffic to

❖ gateway.push.apple.com 2195

❖ feedback.push.apple.com 2196

❖ Find the file apns-prod.pkcs12, which is on the Proxy server node

❖ <websphere profile>/config/cells/cellName/nodes/stproxyPNNodename/apns-prod.pkcs12

❖ Copy it to the Node directory for any Sametime Proxy server under the Deployment manager e.g.

❖ /STSCDMgrProfile/config/cells/balticcell/nodes/stproxynodename

❖ Always check Fix Central for an updated version of this certificate, which needs to be deployed

Page 50: Working With Sametime For Mobile Devices

Google Cloud Messaging

❖ Used for Sametime notifications on Android devices

❖ Use “Retrieve from port” in the Trust Store to bring the Google certificate into your deployment manager

Page 51: Working With Sametime For Mobile Devices

Google Cloud Messaging

Page 52: Working With Sametime For Mobile Devices

Screenshots: tablet and phone clients

Page 53: Working With Sametime For Mobile Devices

Screenshots: tablet and phone clients

Page 54: Working With Sametime For Mobile Devices

Tablet screenshot callouts: contact list; audio & video if you are both able; recent audio and video calls

Page 55: Working With Sametime For Mobile Devices

iOS Meetings

Phone screenshot callout: add files

Page 56: Working With Sametime For Mobile Devices

Tablet screenshot callouts: screen sharing with pointer activity; conference dial in

Page 57: Working With Sametime For Mobile Devices

Phone screenshots: landscape mode and portrait mode

Page 58: Working With Sametime For Mobile Devices

Creating A Meeting

❖ Shared files are commonly URLs or photos

❖ The mobile application can’t access the mobile file system

Page 59: Working With Sametime For Mobile Devices

Whiteboard Meeting on the iPad

Page 60: Working With Sametime For Mobile Devices

Video Meeting on the iPad

Screenshot callout: click to call via phone (not my number :-))

Page 61: Working With Sametime For Mobile Devices

Pre-Configuring Clients

❖ Create a custom URL for users that will provision their mobile chat client

❖ sametime://@stproxy.turtlehost.net:443/?AddCommunity&ssl=true

❖ Creates a new community for the server stproxy.turtlehost.net using the secure port 443 and prompts the user for their name

❖ Other optional parameters include

❖ savePassword (true/false)

❖ communityName (if you want to give it a specific name)
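Added example, not from the presentation: a Python helper that builds the sametime:// provisioning URL in the form shown above and checks a URL before it is handed to users, flagging plaintext transport (ssl not true) and a savePassword=true setting for review. It assumes the parameter names on the slide (AddCommunity, ssl, savePassword, communityName) are the only ones in use; the function names are mine.

```python
from urllib.parse import parse_qs, quote, urlsplit

# Parameters named on the slide; anything else is reported as unknown.
KNOWN_PARAMS = {"AddCommunity", "ssl", "savePassword", "communityName"}


def build_provisioning_url(host, port=443, ssl=True, save_password=None, community_name=None):
    """Build the AddCommunity URL. The '@' with no user name in front of the
    host leaves the user name empty, so the client prompts for it (as on the slide)."""
    params = [("AddCommunity", ""), ("ssl", "true" if ssl else "false")]
    if save_password is not None:
        params.append(("savePassword", "true" if save_password else "false"))
    if community_name:
        params.append(("communityName", quote(community_name)))
    query = "&".join(k if v == "" else f"{k}={v}" for k, v in params)
    return f"sametime://@{host}:{port}/?{query}"


def parse_provisioning_url(url):
    """Return host, port and the query parameters of a sametime:// URL."""
    parts = urlsplit(url)
    if parts.scheme != "sametime":
        raise ValueError("not a sametime:// URL")
    # keep_blank_values keeps the bare 'AddCommunity' flag, which has no '=value'
    query = parse_qs(parts.query, keep_blank_values=True)
    return {"host": parts.hostname, "port": parts.port,
            "params": {k: v[-1] for k, v in query.items()}}


def check_provisioning_url(url):
    """Return (parsed info, list of problems an admin should resolve before
    publishing the URL)."""
    info = parse_provisioning_url(url)
    p, problems = info["params"], []
    if "AddCommunity" not in p:
        problems.append("missing AddCommunity action")
    for key in p:
        if key not in KNOWN_PARAMS:
            problems.append(f"unknown parameter {key}")
    if p.get("ssl", "false").lower() != "true":
        problems.append("ssl is not true: client would connect in clear text")
    if p.get("savePassword", "false").lower() == "true":
        problems.append("savePassword=true caches the user's password on the device; review")
    return info, problems
```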

Page 62: Working With Sametime For Mobile Devices

Sharing Meeting Server Configuration

Sharing options also available on Android devices

Page 63: Working With Sametime For Mobile Devices

Troubleshooting

Page 64: Working With Sametime For Mobile Devices

Trusted IPs

Long time bug: WAS writes the Trusted IPs as a string rather than a list. Until this is fixed by saving the document in stconfig.nsf, nothing will work.

Page 65: Working With Sametime For Mobile Devices

Trusted IPs

❖ This has been a recurring problem since 8.5.2

❖ With this bug if you change the Trusted IPs in WebSphere the next time the Community server is restarted, they will be broken

❖ On 9.0.1 I’ve also seen an error where a single trusted IP is listed with a “.” at the end, causing it to fail
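Added example, not from the presentation: a Python check for the two Trusted IPs failure modes described above. It accepts the value either as a list or as the single delimited string WAS writes, strips a trailing “.”, rejects anything that is not an IP address, and reports each finding so the stconfig.nsf document can be corrected. The function name and the set of delimiters it splits on are assumptions.

```python
import ipaddress
import re


def normalize_trusted_ips(value):
    """Return (clean_list, problems) for a Trusted IPs value.

    value may be a list of strings (the expected form) or a single string
    (the broken form WAS sometimes writes). problems lists what was wrong."""
    problems = []
    if isinstance(value, str):
        problems.append("value stored as a single string rather than a list")
        items = re.split(r"[,;\s]+", value.strip())  # assumed delimiters
    else:
        items = [str(v) for v in value]

    clean = []
    for raw in items:
        if not raw:
            continue
        item = raw
        if item.endswith("."):  # the trailing '.' seen on 9.0.1
            problems.append(f"{raw!r} has a trailing '.'")
            item = item.rstrip(".")
        try:
            addr = ipaddress.ip_address(item)
        except ValueError:
            problems.append(f"{raw!r} is not a valid IP address")
            continue
        if str(addr) not in clean:
            clean.append(str(addr))
    return clean, problems
```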

Page 66: Working With Sametime For Mobile Devices

Routing To The Correct Server

❖ Regardless of which Community server you configure the Sametime Proxy server to use in its deployment plan

❖ It can and will connect to any server in the Domino domain configured as a “Sametime” server

❖ Edit the Sametime Proxy configuration to force routing to a specific server, servers or cluster

❖ Check the SystemOut.log on the Sametime Proxy server to determine which server it is trying to connect to

❖ Check the sametimexxx.log in the \Domino\Trace directory to verify if connections are being refused and why

Page 67: Working With Sametime For Mobile Devices

This is left empty on install, so by default all Sametime servers in the domain can be consumed

Page 68: Working With Sametime For Mobile Devices

Re-Mapped Virtual Host

❖ During fix updates or patches it’s common for the Virtual Hosts of each application to be reset to “default_host” instead of the specific one we created

❖ If you get an error 500 or “SRVE0255E: A WebGroup/Virtual Host to handle /mapping has not been defined” these are commonly associated with an incorrect virtual host

Page 69: Working With Sametime For Mobile Devices

Bandwidth

❖ The largest consumption of resource for a Sametime Proxy Server is the network

❖ If the server is virtualised, make sure the network card assigned isn’t shared

❖ Monitor the network traffic to the server

❖ Audio and video streams on mobile devices are sent via the Sametime Proxy server, which was probably not designed for media traffic

Page 70: Working With Sametime For Mobile Devices

Mobile Bandwidth

❖ There is a maximum number of video feeds that are supported for a Meeting on mobile devices

❖ the setting (which can’t be changed) is 4 + you

❖ This can be further limited if bandwidth goes beyond the configured allowable amount

Page 71: Working With Sametime For Mobile Devices

Media Using The Wrong Server

❖ Random media errors can be the result of the Conference Manager attempting to connect to the wrong Community Server

❖ If everything else appears started with no errors, verify the SystemOut.log of the Conference Manager for any errors relating to other servers

❖ If a server exists in the domain (Domino Directory) and has “Is This A Sametime Server?” field marked as “yes” it will be consumed by the servers in the SSC

Page 72: Working With Sametime For Mobile Devices

Questions?
