ibm sametime 8.5.2 ifr1 implementation - from zero to mobile - make your boss happy

© 2009 IBM Corporation

Social Business

IBM Collaboration Solutions

IBM Sametime 8.5.2 IFR1 Installation”From Zero to Mobile” Make your boss happy

Frank Altenburg | SME for Sametime IBM Collaboration SolutionsMail to:[email protected]

Feb. 16. 2012

2 © 2010 IBM CorporationSocial Business

Agenda

● Introduction

● Requirements for a IBM Sametime 8.5.2 IFR1 Proxy (Mobile Access) Server

● Architecture of a IBM Sametime 8.5.2 IFR1 Proxy (Mobile Access) Server deployment

● The 10 steps to a IBM Sametime 8.5.2 IFR1 Proxy (Mobile Access) Server deployment


Introduction● This document describes how to implement, in a very fast way, the infrastructure to

access your IBM Sametime Community environment from mobile iOS and Android devices.

● It is designed for a Proof of Concept, Proof of Technology or a small test pilot deployment only.

● It does not contain information how to implement a high available infrastructure.

● You can start with this document just to "make your bosses happy". But to make the system available for a larger number of users, it is recommended to invite IBM Services to plan and implement a clustered Sametime Proxy infrastructure in your organization that is fully supported.

● If you already have a Sametime 8.5.x environment with the Sametime System Console in place, then it is recommended to use this SSC to implement your Sametime Proxy Server environment in your DMZ.

● The Author has tested this scenario with all Sametime releases down to version 7.5.1. But officially supported is IBM Sametime version 8.0.2 and newer only.

● You need Sametime Standard licenses for all mobile clients who want to access the system.


New Sametime Mobile Instant Messaging

● Instant Messaging Client for Android● Released with Sametime 8.5.2 ● Runs on Android 2.0 and greater● Available on the Google Market and downloadable from ST

server

● Instant Messaging client for iOS● Released with 8.5.2 IFR● Runs on iOS 4.3 and greater on iPhone® and iPad® ● Available on the Apple App Storesm


Sametime Mobile Features

● Contact List● QuickFind● Search corporate directory● Favorites● Presence● Chat history● 1 to 1 and group chat● Announcements● Emoticons● Business card ● Sametime Unified Telephony

*currently Android only

● Send photos● Text to speech notification

and chats*● GPS-based location* ● Click to call using carrier

number or SUT● Background message

notification


Native presence and IM on Android phones


Native presence and IM on the iPhone


Native presence and IM on the iPad


Support for Apple® Push Notification


Getting Sametime Mobile iOS clients

● iOS client is distributed through the Apple App Store and uses the standard iOS update mechanisms to maintain currency

● Client must be configured to point to the Sametime Proxy server

─ You can play with it on Greenhouse– Server:

st85meetingsp.lotus.com– Port: 9444– Secure Connection: On– Connection Type: Direct

Connection


Getting Sametime Mobile Android Client

● The Android client can be loaded from the Android Market, or from the Sametime proxy server

● If loaded from Market, the standard Market update mechanism is used● To get from the Sametime proxy server, the loads it from the following web address from

their device: <proxy server addr>:<proxy port>/stmobile/Sametime.html● The automatic update feature from the proxy server (Lotus Mobile Installer, LMI)

- Enter the ST proxy server address:port- Enter credentials- Select Next and it logs you into Sametime- As new Sametime client become available, you are notified via an Android notification. You can select it to install


Agenda

● Introduction





IBM Sametime 8.5.2 IFR1 Proxy (Mobile Access) Server Prerequisites

● IBM Sametime Community Server lowest release that works is 7.5.1. But supported is only 8.0.2 and newer releases.

● You need Hardware or a VM in the DMZ for the server● You need Network and DNS configuration● NAT between your DMZ and the internet works fine● You need Port openings to/from Internet● You need Port openings to/from Intranet● You need to download the required installation files from

Passport Advantage● You need 2 special administrative user accounts● (optional) You need a trusted certificate● Native client on iOS or Android device


IBM Sametime Community Server

This deployment is tested by the author of this document with all IBM Sametime Community Servers releases starting Version 7.5.1.A Sametime Community Server 7.0 or below does not work and cant be used for this IBM Sametime Mobile Access Server deployment.

Officially supported is only IBM Sametime release 8.0.2 or newer. All older Sametime releases are already out of support.

It works if the IBM Sametime Community Server uses Domino Directory authentication or LDAP authentication connected to one of the supported LDAP Servers. No other requirements to the LDAP server is required.

If you have several IBM Sametime Community Servers or IBM Sametime Community Clusters running in a Sametime community configuration, then this IBM Sametime Mobile Access Server needs to connect to all servers in your community.


● 1 Server for the IBM DB2 Server, IBM Sametime 8.5.2 IFR1 Proxy ServerQuad CPU, 8GB RAM or more, 100GB disk space or more, 64 Bit OS1 GBit Network Interface with 1 IP addresses an DNS Alias entry.

● Supported OS are:- Windows Server 2003 or 2008- Linux Enterprise Server RHEL or SLES- AIX- Solaris- iSeries

This document describes how to install the components on a Windows 2008 platform.

Hardware required for this Pilot Example Deployment

With such a configuration you can host up to ● 3000 concurrent mobile devices *● 3000 concurrent web client users *

* Ask you IBM representative for more detailed sizing information in a defined environment


OS and Network requirements

● Make sure that all servers you want to use can be resolved in DNS.

● If DNS is not available then list all full qualified server names and IP addresses from all servers in the hosts file and publish this file to all servers.

● If you use Windows 2008 as Operating System, then you need to start all installations and configurations in „Administrative mode“.

● You need a Alias entry in your Intranet DNS server pointing to the IP address of your Sametime Proxy (Mobile Access) Server. This should be the same host name as in the internet.

● You need a Alias entry in the public Internet DNS pointing to the external IP address of your Sametime Proxy (Mobile Access) Server. This should be the same host name if possible as in the intranet.

● If on your external firewall NAT is in place (IP address translation) this works fine. But your Firewall team needs to forward incoming traffic on ports 80 and 443 to your DMZ Sametime Proxy (Mobile Access) Server address.


Ports to be opened in the firewalls

● From your IBM Sametime Proxy (Mobile Access) Server in the DMZ to all your IBM Sametime Community Servers in the intranet you need to open the IBM Sametime Community Server VP port 1516.

● From all clients in the intranet to the IBM Sametime Proxy (Mobile Access) Server you need to open the HTTP and HTTPS ports 80 and 443.

● From all clients in the internet to the public IP address of your IBM Sametime Proxy (Mobile Access) Server you need to open the HTTP and HTTPS ports 80 and 443.

● From your IBM Sametime Proxy (Mobile Access) Server to the apple notification services in the internet you need to open the ports 2195 and 2196 . This service is available on the DNS addresses “gateway.push.apple.com” and “feedback.push.apple.com”. Both addresses have an IP address pool. If you cant open to the DNS alias name then you need to find out what IP addresses are behind this load balanced pool.


For a Windows installation you need to download these files from Passport Advantage:

CZYG1ML.zip IBM DB2 9.7 32Bit Limited Use for SametimeCZYE6ML.zip IBM Sametime 8.5.2 Proxy ServerCI3YCML.zip IBM Sametime 8.5.2 IFR1 Proxy Server

Create a directory, for example “C:\Install”, on the servers where you want to install. Then unpack the downloaded files into this directory. Just unpack the files required for your deployment architecture on the particular server.

If you want to connect your Sametime Proxy Server to a Community using Domino Directory authentication and you have Web only users, then you need to install a small Proxy Server update. For a small pilot or POC / POT environment you can download the updated application from the IBM page here:Link to the EAR FileIf the link does not work use this:https://www-304.ibm.com/files/form/anonymous/api/library/e0a58c07-3700-4d59-a4e4-c2ba50b5535a/document/014a464b-a345-453e-a0af-e1421d01be2f/media/SametimeProxy WebSphere Application 8.5.2 IFR1 with Hotfix.ear

If you want to use this server in a production environment and need this update, then it is required to open a PMR in IBM Support to request the latest cumulative hotfix for the IBM Sametime 8.5.2 IFR1 Proxy Server.

Required files for a deployment on Windows

https://www-304.ibm.com/files/form/anonymous/api/library/e0a58c07-3700-4d59-a4e4-c2ba50b5535a/document/014a464b-a345-453e-a0af-e1421d01be2f/media/SametimeProxy%20WebSphere%20Application%208.5.2%20IFR1%20with%20Hotfix.ear


Required technical users for IBM Sametime 8.5.2

IBM Sametime requires some technical users for components to communicate in an authenticated mode. All of this users should be configured so that the password never expires and never needs to be changed.

db2admin This user is created during installation of the DB2 server in the Operating System. Do not create this user in advance. It is the user for all IBM Sametime related components using DB2 to access their databases. Be sure to match the password policy requirements of the OS.

wasadminThis is the user to access the IBM WebSphere components and to administer the system. This user must not exist in your LDAP directory. It is created during WebSphere installation in a local file repository. You can use the same user name and password for all components (makes it easier) or different names and passwords. But again, it does not work when this user exists in the LDAP.


Native client on iOS or Android device

● Getting the mobile Clients ● iOS on App Store● Android now in Android Market®, also as part of server installation for download


Agenda

● Introduction





Different ways to a IBM Sametime 8.5.2 IFR1 Proxy (Mobile Access) Server deployment

It is possible to place all the new components into the Intranet and use a Reverse Proxy in the DMZ to access the system from the mobile devices through the Internet.

This requires less ports to be opened in the firewalls. But 2 connections from the server in the Intranet through your DMZ to the APNS system in the Internet. This is mostly a security issue and not allowed.

The Database to cache the chat messages sent to iOS devices can be implemented in the Intranet. But then a box (Hardware or virtual machine) is required for this server and the small database who only caches text messages. And the DB2 port needs to be opened from the IBM Sametime Proxy server in the DMZ to this DB2 Server in the Intranet.

Because the use of the DB2 database is small and it does not store any really important information, this database can be implemented easily on the same machine as the IBM Sametime Proxy Server.

A Backup of the system is required only once when the server is installed and all features are working fine. There is no changing data that needs to be backed up regularly. Only if you do any modification in the configuration a new full backup is recommended.


IBM Sametime 8.5.2 IFR1 Proxy (Mobile Access) Server our pilot deployment architecture recommendation

DB2 9.5 Server

Sametime Proxy Server

Sametime Community

Server

Port 1516

Inbound Ports

80 443Outbound

Ports2195 2196

Apple Notification Server (APNS)

gateway.push.apple.comfeedback.push.apple.com

Intranet DMZ

Internet


For the APNS to work there are some requirements:

● The IBM Sametime Proxy Server must be able to connect to the APNS Servers “gateway.push.apple.com” on port 2195, and “feedback.push.apple.com” on Port 2196.

● You should open this ports in your firewalls and test with telnet that you can reach the servers.

● The device must be able to reach the IBM Sametime Proxy Server with http or https protocol. You can use a reverse proxy in your DMZ. NAT is no problem.

● The APNS service must be able to send a notification to your device.

● If your device is connected to your intranet using Wireless LAN, it mostly can not be notified from the apple systems. Talk to your firewall Admins to open the notification service for your Wifi LAN.


Agenda

● Introduction





The 10 steps to a Sametime 8.5.2 IFR1 Proxy environment

1.Prepare your machine and the network2.Configure the community server(s) to trust the Mobile Access Server3.Install the Sametime Proxy Server 8.5.2 without SSC as a Cell profile4.Update the Sametime Proxy Server to IFR15.Post Install Tasks6.Install the DB2 database server7.Create the Proxy Server DB2 Database8.Configure the Proxy Server to use the DB2 Database9.Configure the Apple Notification System10.Configure SSL in the Proxy Server and deploy the certificate


STEP ONE: Prepare your machine and the network

Summary

Before you can install your IBM Sametime Proxy (Mobile Access) Server environment, some things needs to be checked and prepared.


The machine on that you run the IBM Sametime 8.5.2 IFR1 Proxy (Mobile Access) Server and the DB2 Database Server can be a virtual machine or a hardware box. Both works.

It is possible to use Linux as OS, but this document describes how to install on Windows.

If you use Linux you can use most parts of this document and the most installation instructions and screen shots are identically. Mostly the paths are different.In Linux it is recommended to have the graphical system installed for this installation and then use a x-server on our client.

This instruction works with Windows Server 2008, and Windows Server 2003. You can use the 32Bit or 64Bit version. And you can use the R2 Version of any of the supported OS.

Be sure that your Firewall Admin has opened all ports in the firewalls. Test all connections using the telnet command in a CMD line window.

Be sure your used host names or DNS alias is listed in the DNS and can be used and resolved in the internet and in your intranet.


More information can be found in the official IBM Sametime Documentation at this URL:

http://www-10.lotus.com/ldd/stwiki.nsf/xpViewCategories.xsp?lookupName=Product Documentation

The IBM Sametime 8.5.2 Installation – From Zero To Hero documentations can be found here:

https://www-304.ibm.com/connections/blogs/sametimeguru/?lang=en_us

http://www-10.lotus.com/ldd/stwiki.nsf/xpViewCategories.xsp?lookupName=Product%20Documentation

http://www-10.lotus.com/ldd/stwiki.nsf/xpViewCategories.xsp?lookupName=Product%20Documentation




STEP TWO: Configure the IBM Sametime Community server(s) to trust the IBM Sametime Proxy (Mobile Access) Server

Summary

This step adds the IP address of your IBM Sametime Mobile Access Server to the “Trusted IPS” list in your Sametime Community Server.


There are several ways to configure your Sametime Community Servers to trust other servers.

The most used way in a Sametime 8.5 environment is to use the Sametime System Console – Sametime Servers – Sametime Community Servers. There in the configuration page of your Community Servers on the bottom you can add the trusted IP addresses and save the changes.

An other way is to edit the Sametime Configuration file “SAMETIME.INI” located in the Domino Program directory. There in the [Configuration] section just add the parameter “VPS_TRUSTED_IPS=ww.xx.yy.zz” where ww.xx.yy.zz is your IP address of the Sametime Proxy Server box.

The next way is to use the Lotus Notes client and access the Community Connectivity document in your Sametime Configuration database and add the IP address what the server must trust, there. This method is explained in the next slides.


Start your Lotus Notes client with that you can access and administer your Sametime Community servers. Then open the “Sametime Configuration” database “STConfig.nsf” on the Sametime Community Server.


Open the “CommunityConnectivity” document.


Add the IP address of your new IBM Sametime Proxy (Mobile Access) Server in the “Community Trusted IPS” field. Then save and close the document and the database.


Now restart the Sametime Community Server by entering the command „restart server“ in the Domino Console window. Never use this command in a production Sametime server because it can happen that not all Sametime tasks are stopped before the domino server restarts. This can cause massive problems for starting the Sametime Services. Stop your Domino Server using the “Quit” command or by stopping the “Lotus Domino Service”. Wait until all ST... Tasks disappeared in your TaskManager. Then restart the Domino Server again.

It takes up to 5 Minutes until the Sametime Community Server is completely restarted and all 41 Sametime tasks are again active.


STEP THREE: Install the Sametime Proxy Server 8.5.2 without SSC as a Cell profile

Summary

This step installs the IBM Sametime Proxy Server 8.5.2.


Navigate to the Installation Directory and start the launchpad installer. We use a Windows CMD command window and enter the commands: „cd \Install\SametimeProxyServer“ and just „launchpad“


The Sametime Proxy Launchpad Installer is loading. Click the link „Install IBM Lotus Sametime Proxy Server“


Now click the link „Launch IBM Lotus Sametime proxy Server 8.5.2 Installation“


The Installation Manager is starting up


Click the “Next” button to continue.


Accept the terms in the license agreement and click the “Next” button to continue


Remove “Program Files\” and click the “Next” button to continue

We recommend to use path names without spaces (as some scripts may require this) and also shorten the path name so that the typical limits of some operating systems and applications for path + file name length are avoided.


Click the “Install” button to install the Installation Manager.


The installation Manager is now installing


If you are using Windows 2003 R2 or Windows 2008 R2, it can be possible thatyou run into a JAVA heap memory overflow during the next installation step. To preventthis issue change a parameter in The “IBMIM.INI” configuration file of the SametimeInstall Manager. See the next 2 slides how to do this.


Open your File Explorer and navigate to your Install Manager's eclipse directory “C:\IBM\Install Manager\eclipse”. Then open the configuration file “IBMIM.ini” in notepad.


Add he parameter “-Xmx1024m” at the end. Then save and close the file.This parameter is case sensitive.Click “File” and “Save” to save the changes. Then click “File” and “Exit” to close the editor.


Now you can click the „Restart Installation Manager“ button to continue.


The IBM Installation Manager is loading.


To Install the Sametime Proxy Server click the „Install“ icon.


Check the „IBM Sametime Proxy server“ and „Version 8.5.2“ entries. They are unchecked by default. Then click the „Next“ button.


Accept the terms in the license agreement and click the „Next“ button.


Remove “Program Files\” and click the “Next” button to continue.



Enter the correct path (remove „Program Files\“ and click the „Next“ button to continue.

The Package group is the installation destination for the IBM Lotus WebSphere base files. The first installation requires the creation of a new package group. If you install more WebSphere based applications on the same hardware (like the Sametime Proxy Server and the Sametime Meeting Server) they can use the existing package group. Then you cannot change the installation path.


We do not want to use a predefined Deployment Plan from the Sametime System console. Uncheck the “Use Lotus Sametime System Console to Install” option and click the „Next“ button to continue.


With IBM Sametime 8.5.2 it is possible to install Sametime on top of an existing WebSphere 7.0.0.15 Server. We don't want to do this in this pilot deployment.Just click “Next” to continue.


Leave the default setting “Standalone (Deployment Manager and Primary Node)”. Fill the full qualified Host Name and add a password for your wasadmin user twice. Then click the “Next” button.


Enter the host name of your IBM Sametime Community Server. Then click the “Validate” button.


When the connection was successfully tested the text in the button changes to “Validated”. Then click the “Next” button to continue.,


Check your settings again and then click the „Next“ button to continue.


Start the installation by clicking the „Install“ button.


The Sametime Proxy Server is now installing. This step takes approximately 30 to 45 minutes because you are installing the first WebSphere instance on a Server.


Important to know...

The Sametime Proxy Server:● does not need a LDAP connection● is just a Web Interface for browser access to the Sametime Community Services● is a Web based Sametime Connect Client● supplies the new Web API for Web based application integration● can be implemented with or without the SSC● can be connected to existing older Sametime Servers● can be connected to a community cluster

You can have one or more Proxies in your organizationYou can implement one or more Proxies and cluster them

● using the WebSphere Cluster Method (Network Deployment)● individual Proxies with a Load Balancer or RRDNS in front of them

By default the Sametime Proxy Server installs to use Port 9080 and 9443 (SSL).If you want to use Port 80 and 443 you need to enter the Sametime Proxy ISC on Port 8600 and change the port settings in the Application Server. Detailed instructions can be found later in this documentation.


When the Sametime Proxy Server has installed successfully just click the „Finish“ button. Then exit the Installation Manager and the Launchpad.


STEP FOUR: Update the Sametime Proxy Server to IFR1

Summary

Use this procedure to apply the Interim Feature Release to the IBM Sametime 8.5.2 Proxy Server.


The installation in the previous step started all the components of the IBM Sametime Proxy server. For the upgrade to IFR1 it is required to stop all of this tasks first. But because they are started before the Services are created, the services do not reflect the running tasks.


Open a CMD line Window and navigate to the directory:“cd \IBM\WebSphere\AppServer\profiles\STPAppProfile\bin”.Then enter the command: “stopServer STProxyServer -username wasadmin -password passw0rd”.


When the Sametime Proxy Server has stopped stop the nodeagent next with the command “stopServer nodeagent”.


Now change to the DMGR profile with the command “cd ..\..\STPDMgrProfile\bin”. Then enter the command “stopServer dmgr -username wasadmin -password passw0rd”.


Open a new CMD Line window in Admin mode. Then enter the command “cd \Install\IBM Sametime Proxy Server” and press the “Enter” key. If you have unpacked the zip file to a different directory, then navigate to your directory where you can find the update.bat file.


Enter the command “update.bat” and press the “Enter” key.


The IBM Installation Manager is starting up.


Now click the “Update” button to continue.


Select the Product you want to upgrade. Here we select “IBM Sametime Server Platform”. Then click the “Next” button to continue


Click the “Next” button to continue


We are sure that all WebSphere Servers are shut down. Just click the “Next” button to continue.


Click the “Update” button to install the IBM Sametime Proxy Server IFR1.


The IBM Sametime Proxy Server IFR1 Update is now installing. This step takes approximately 20 to 25 minutes.


Important to know...A new main feature in Sametime 8.5.2 IFR1 Proxy Server is the Apple iOS integration using an App that can be installed for free from the Apple App store.

This app then connects to your Sametime proxy Server through the Internet. That this can work, your Sametime Proxy Server must be accessible from the Internet.This means you need to set it up in your DMZ or configure a reverse proxy in your DMZ and forward the traffic to your Sametime Proxy in the intranet. But the recommended way is to implement your Sametime Proxy Server in your DMZ.

Another recommendation is that your Sametime proxy Server can communicate with the Apple notification service. For this to work you need to open 2 ports in your firewall to this servers in the internet. These ports are 2195 to the Apple notification server and port 2196 to the Apple feedback server.


When the installation has finished successfully, click the „Finish“ button to close the Installer.


Click “File” and then “Exit” to quit the Installation Manager.


STEP FIVE: Post Install Tasks for the IBM Sametime Proxy Server

Summary

This procedure is only required if you run into the Warning message after the installation as described in the step before.


Open your preferred browser and enter the URL “http://webchat.renovations.com:8600/admin”.

Login to the WebSphere Integrated Solutions Console of your Sametime Proxy Server using the wasadmin username and its password.


Click on “Servers” - “Server Types” and then on “WebSphere application servers”.


Click your “STProxyServer” now.


Click the “Ports” link.


Click the “WC_defaulthost” link.


Change the port to “80” and click the “OK” button.


Now click the “WC_defaulthost_secure” link


Change the port to “443” and click the “OK” button.


Click the “Save” link to save your last changes.


You have now successfully changed the your Sametime Proxy Server to listen on Ports 80 and 443.


The next configuration step is only required if your Sametime Community servers use Domino Directory authentication and if you have created WEB users with flat user names in the FullName field.If you have this kind of user records then the update of the SametimeProxy application is required. See page 19 how to get this update.

In a small Pilot, POC or POT environment you can update the SametimeProxy application using the steps described in the next slides.

If you use this Sametime Proxy Server in your production environment and have requested the latest hotfix from IBM Support, then you need to update the complete server in the same way as described in the “STEP FOUR: Update the Sametime Proxy Server to IFR1” on page 65 in this document.


Now click on “Applications” - “Application Types” - “WebSphere enterprise applications”.


Select your “SametimeProxy” application and click the “Update” button.


If you have copied the SametimeProxy.ear file (downloaded from the Web Site) to your Proxy Server, then click “Remote file system” and then the “Browse” button.


Navigate to the directory to where you have copied the file and select it. Then click the “OK” button.


Click the “Finish” button to continue.


To check that your application is updated, click the “SametimeProxy” application.


Click on “Application binaries” now.


You can see the application version 8.5.2.1 from 31. Jan. 2012, 13:50


Summary

This step installs the IBM DB2 9.7 Server.

We like to use a CMD command line window to enter some of the commands and start the installers. For that we have created a short cut in our fast start section.You can use the Windows Explorer as well to navigate to the destination directory and double click the installation file (launchpad.exe)

STEP SIX: Install the DB2 database server


Enter the command “cd \Install\SametimeDB2” and press the “Enter” key.

Enter the command “Launchpad” and press the “Enter” key.

Do not copy and paste any commands from this document into your CMD line. This does not work because this would copy some special characters.


Just click the “Install IBM DB2” link.


And again click the “Install IBM DB2” link.


The Installation Manager is starting up


Now click the „Install“ icon to continue.


Select „DB2 – Version 9.7.0.0“ and click the „Next“ button to continue.


Accept the terms in the license agreement and click the “Next” button to continue.


Again remove “Program Files\” and click the “Next” button to continue.



Enter the DB2 Administrator Username (we use the default “db2admin”) and enter the DB2 Administrator Password twice. Then click the “Next” button to continue

If you use Windows 2008, be sure to enter a password that meets the password policy. The DB2 Admin User password should not be longer then 8 characters. Change the local security policy to allow passwords with 8 characters length. This db2admin user will be created as a local user or as a Active Directory User. This can not be done if the user already exists. Same with the 2 groups that the DB2 Installer adds.


Click the “Install” button to install the DB2 Server


The Installation Manager installs the IBM DB2 Server now. This step takes approximately 10 to 15 minutes.


Important to know...

Your DB2 Database Server is a sensitive component in your Sametime Environment.It stores all the predefined configuration data and holds the information how to communicate with your servers for administration and maintenance.

We highly recommend to make regularly a backup of your DB2 database using a DB2 aware backup software, or export data and backup the exported data.

It is possible to implement your DB2 Server for high availability and load balancing using DB2 methods.

For more information check into the DB2 InfoCenter, or download and read the RedBook „High Availability and Disaster Recovery Options for DB2 on Linux, UNIX, and Windows“

The steps to create a DB2 database need the database name as a command line parameter. We would recommend using a CMD command line window to enter this commands.


When the installation has finished successfully, click the „Finish“ button and then close the Installation Manager and the Launchpad.


Before we can continue with the next step, you need to restart the CMD-Line window under Windows 2003.

Under Windows 2008 it is required to log out and re login with your db2admin user.


Summary

This step is to create and configure the DB2 Database for the Sametime Proxy Server. This database is required to cache the Sametime messages sent to iOS mobile devices.

STEP SEVEN: Create the DB2 Database for the Sametime Proxy Server


Next is to create the database in the DB2 Server. If your DB2 Server is on a separate machine or on another machine, then you need to copy the database creation script files to this server first. Copy the files “createProxyDb.bat” and “proxyServer.ddl” to a directory on your DB2 Server. Open a CMD window and navigate to this directory. In this Zero to Hero example we use just “C:\Install\IBM Sametime Proxy Server\DatabaseScripts”.


Run the database creation script with the command: “createProxyDb.bat STPR db2admin”. The term “STPR” is the name of the database and “db2admin” is the DB2 Database Server Administrator.


Be sure that you see the “...command completed successfully” message after all commands.


Summary

In this step you manualy register the Sametime Meeting Server upgrade with the Sametime System Console if you are running into the warning message during the installation. Then you need to fix the virtual_hosts configuration.

STEP EIGHT: Configure the Proxy Server to use the DB2 Database


Open a File explorer and navigate to “C:\Install\IBM Sametime Proxy Server\DatabaseScripts”. If you have unpacked the install zip file to a different directory then use this one.


Open a second explorer window and navigate to the directory “C:\IBM\WebSphere\STPServerCell”. Then copy the file “proxyDBSetup.py” from the install directory to this directory.


Next is to navigate to the directory “C:\IBM\WebSphere\STPServerCell\SametimeProxyServerOffering\SametimeServer\STProxy\proxy”. In this directory open the file “proxy.properties” with Notepad or Wordpad or with your favorite text editor.


Edit the following values: * proxy.DbAppUser (db2admin) * proxy.DbAppUserPassword (db2admin password) * proxy.DataBaseServerName (host name of the DB2 server) * proxy.DataBaseServerPort (default port for DB2) * proxy.DbName (database name created earlier)

Then save and close the file.


Now it is required to configure the DB2 Database who caches messages to the iOS devices in the Sametime Proxy Server. For this a long command in a CMD line window is required. Several paths are required. To get and paste this path into a CMD-Line window it is easy to use the Windows Explorer. First navigate to the directory “C:\IBM\WebSphere\AppServer\profiles\STPAppProfile\bin”. But do not mark the full path. Mark only the part starting from “AppServer\...”. Then press the Ctrl-C to copy this path to the dashboard.


Open a CMD-Line window and navigate to the directory “C:\IBM\WebSphere\STPServerCell”.


Now start entering the command. Begin just with “..\”. Next is to paste the part from the dashboard.


Continue with “\wsadmin.bat -lang jython -user wasadmin -password passw0rd -f “”Don't forget the “ at the end because the next part is a path that needs to be in doublequotes.


Now we need the path to the file proxyDBSetup.py including the filename.


Copy and paste the path from the explorer window, add the backslash and then copy and paste the filename from the explorer window. Add a doublequote sign at the end.


Now we need the path and filename of the “proxy.properties” file that we have edited just before.


Start with blank and double quotes then paste the path. Then add the backslash and then paste the filename. Add a double quote at the end.Now the command is completed and you can confirm with the “ENTER” key.


The script is now running.


The script has finished.

After the database configuration the IBM Sametime Proxy Server needs to be restarted for the configuration changes are in effect.


Open your browser and navigate to your SSC – ISC. Login with your wasadmin user and then navigate to “Resources” - “JDBC” - “JDBC providers”. Here you should see the newly created JDBC Provider configuration for your Proxy Server.


Now click on “Resources” - “JDBC” - “Data sources”. Here you should see your newly created Data Source configuration.


Check mark the “STProxyDataSource” and click the “Test connection” button.


Be sure that the result says “successful”. The warning message can be ignored.


Summary

Use this procedure to apply the Interim Feature Release to IBM Sametime® Proxy Server, Sametime Media Manager, Sametime Meeting Server, and Sametime Advanced. Procedures for Sametime System Console, Sametime Community Server, and Sametime Gateway are explained in other topics.

STEP NINE: Apple Notification to iOS devices


Sametime for iOS Message / Notification Flow

VPN /Reverse

Proxy

SametimeProxy

DMZInternet Intranet

ApplePNS

HTTPS

TLS/SSL(push notifications only, no sensitive data)TCP port 2195 for notification connectionTCP port 2196 for error reporting connection (feedback service)

CommunityServer

HTTPS

PushNofications

iOS Device



VPN /Reverse

Proxy

SametimeProxy


ApplePNS

HTTPS


CommunityServer

HTTPS

PushNofications

iOS Device

Sametime registers with APNS, getsassigned a device token



VPN /Reverse

Proxy

SametimeProxy


ApplePNS

HTTPS


CommunityServer

HTTPS

PushNofications

iOS Device Sametime logs in, sending device token



VPN /Reverse

Proxy

SametimeProxy


ApplePNS

HTTPS


CommunityServer

HTTPS

PushNofications

iOS Device Sametime sends 'pause' command before going to background



VPN /Reverse

Proxy

SametimeProxy


ApplePNS

HTTPS


CommunityServer

HTTPS

PushNofications

iOS Device

Another user sends message to mobile user



VPN /Reverse

Proxy

SametimeProxy


ApplePNS

HTTPS


CommunityServer

HTTPS

PushNofications

iOS Device

Proxy sees mobile user is Paused. Stores in database.



VPN /Reverse

Proxy

SametimeProxy


ApplePNS

HTTPS


CommunityServer

HTTPS

PushNofications

iOS Device

Proxy sends device token to APNS, Requests a push notification be sent to device



VPN /Reverse

Proxy

SametimeProxy


ApplePNS

HTTPS


CommunityServer

HTTPS

PushNofications

iOS Device

APNS sends push notificationto device



VPN /Reverse

Proxy

SametimeProxy


ApplePNS

HTTPS


CommunityServer

HTTPS

PushNofications

iOS Device When user selects view: Sametime reconnects to server and sends command to retrieve messages.



VPN /Reverse

Proxy

SametimeProxy


ApplePNS

HTTPS


CommunityServer

HTTPS

PushNofications

iOS Device Sametime proxy sends queued message(s) to device from database


The IBM Sametime 8.5.2 IFR1 Proxy update installer copies a certificate to the server that is required to communicate with the Apple Notification Servers with SSL encryption.This certificate has to be copied to the WebSphere Application Server directories now.

Find the certificate file “apns-prod.pkcs12” in the directory “C:\IBM\WebSphere\AppServer\profiles\STPSNAppProfile\config\cells\nodes\webchatProxyNode”.


Copy this certificate file “apns-prod.pkcs12” to the directory “C:\IBM\WebSphere\AppServer\profiles\STPDMgrProfile\config\cells\webchatProxyCell”.


Copy this certificate file “apns-prod.pkcs12” to the directory “C:\IBM\WebSphere\AppServer\profiles\STPDMgrProfile\config\cells\webchatProxyCell\nodes\webchatproxyNode”.


To synchronize the last changes, go into your WebSphere Integrated Solutions (Admin) Console and click on “System administration” - “Nodes”.


Select your “webchatProxyNode” server and click the “Full Resynchronize” button.


The new APNS certificate files are now synchronized to your application server.


Summary

For iOS devices to connect to the Sametime Proxy Server without any additional security settings, a trusted SSL certificate needs to be installed.

STEP TEN:

Configure SSL in the Proxy Server and deploy the certificate


In your WebSphere Integrated Solutions Console click on “Security” - “SSL certificate and key management”.


Click on “Key stores and certificates”.


Now click on “CellDefaultKeyStore”.


And now click on “Personal certificate requests”.


Now click the “New” button to create a new certificate request.


Fill the form with your data:

File for certificate request:“c:\temp\cert_req.cer”

Key label:“SSL_Cert”

Common name:(your server host name alias)“webchat.renovations.com”

Organization:Your organization or company

Locality:Your city or locality

State or province:Your province

Zip Code:Your ZIP code.

Country or region:Select your country

Then click the “OK” button.


Click on “Save” to save your last changes.


Now copy the certificate request file that you have created into your local workstation. Then request a trusted server certificate from your favorite trust center by sending the content of the file (or the complete file).


You will receive the certificate from your trust center by e-mail or as a file attachment.

Copy the certificate text starting with “-----BEGIN CERTIFICATE-----” and ending with “-----END CERTIFICATE-----” without any trailing or ending characters into a file.Copy this file to your Sametime Proxy Server to the “C:\temp” directory.

Download the Root and intermediate certificates from your trust center web site and copy this files as well to your “C:\temp” directory


Now click on “Personal certificates”.


Click the button “Receive from a certificate authority...”.


In the field “Certificate file name” enter the path and filename to your received server certificate “c:\temp\server_cert.cer”. Then click the “OK” button.


Your new server certificate is now imported successfully.


Next is to import the root and intermediate certificates. Click the “Key stores and certificates” link.


Click on “CellDefaultTrustStore”.


Click “Signer certificates”.


Click the “Add” button.


Enter an Alias for the root certificate “verisign_root” and enter the path and file name to the root certificate file. Then click the “OK” button.


Click “Save” to save your last changes.


Now you have successfully added the root certificate. Do the same steps with the Intermediate certificate.


Click the “Add” button.


Enter an Alias for the root certificate “verisign_intermediate” and enter the path and file name to the intermediate certificate file. Then click the “OK” button.


Click “Save” to save your last changes.


Now you have successfully added the intermediate certificate.


Click on “Security” - “SSL certificates and key management” and then on “Manage endpoint security configuration”.


In the “Inbound” tree open the “webchatProxyNode(nodeDefaultSSLSettings)” - “Servers”. Then click on “STProxyServer”.


Check the checkbox “Override inherited values” and then click the “Update certificate alias list” button.


In the “Certificate alias in key store” select your “ssl_cert”. Then click the “OK” button.


In the “Outbound” tree open the “webchatProxyNode(nodeDefaultSSLSettings)” - “Servers”. Then click on “STProxyServer”.


Check the checkbox “Override inherited values” and then click the “Update certificate alias list” button.In the “Certificate alias in key store” select your “ssl_cert”. Then click the “OK” button.


Save the last changes by clicking the “Save” link.


Now it is recommended to set the services of your Sametime Proxy Server “STProxyServer”, “STProxyServer_DM” and “STProxyServer_NA” to automatic. Then restart your operating system.

When the OS is restarted then you are ready to test all features.Check that your server communicates with the Sametime Community Server on port 1516 and with the Apple Notification Server.


Additional Steps after the installation:Some additional Tuning steps can be done after all components are installed. You should consult the Sametime Product Documentation in the Internet about this steps here:http://www-10.lotus.com/ldd/stwiki.nsf/dx/Tuning_st852

http://www-10.lotus.com/ldd/stwiki.nsf/dx/Tuning_st852


Legal Disclaimer

© IBM Corporation 2012. All Rights Reserved.

The information contained in this publication is provided for informational purposes only. While efforts were made to verify the completeness and accuracy of the information contained in this publication, it is provided AS IS without warranty of any kind, express or implied. In addition, this information is based on IBM’s current product plans and strategy, which are subject to change by IBM without notice. IBM shall not be responsible for any damages arising out of the use of, or otherwise related to, this publication or any other materials. Nothing contained in this publication is intended to, nor shall have the effect of, creating any warranties or representations from IBM or its suppliers or licensors, or altering the terms and conditions of the applicable license agreement governing the use of IBM software.

References in this presentation to IBM products, programs, or services do not imply that they will be available in all countries in which IBM operates. Product release dates and/or capabilities referenced in this presentation may change at any time at IBM’s sole discretion based on market opportunities or other factors, and are not intended to be a commitment to future product or feature availability in any way. Nothing contained in these materials is intended to, nor shall have the effect of, stating or implying that any activities undertaken by you will result in any specific sales, revenue growth or other results.

Performance is based on measurements and projections using standard IBM benchmarks in a controlled environment. The actual throughput or performance that any user will experience will vary depending upon many factors, including considerations such as the amount of multiprogramming in the user's job stream, the I/O configuration, the storage configuration, and the workload processed. Therefore, no assurance can be given that an individual user will achieve results similar to those stated here.

All customer examples described are presented as illustrations of how those customers have used IBM products and the results they may have achieved. Actual environmental costs and performance characteristics may vary by customer.

IBM, the IBM logo, Lotus, Lotus Notes, Notes, Domino, Quickr, Sametime, WebSphere, UC2, PartnerWorld and Lotusphere are trademarks of International Business Machines Corporation in the United States, other countries, or both. Unyte is a trademark of WebDialogs, Inc., in the United States, other countries, or both.

Adobe, the Adobe logo, PostScript, and the PostScript logo are either registered trademarks or trademarks of Adobe Systems Incorporated in the United States, and/or other countries.

Java and all Java-based trademarks are trademarks of Sun Microsystems, Inc. in the United States, other countries, or both.

Microsoft and Windows are trademarks of Microsoft Corporation in the United States, other countries, or both.

Intel, Intel Centrino, Celeron, Intel Xeon, Intel SpeedStep, Itanium, and Pentium are trademarks or registered trademarks of Intel Corporation or its subsidiaries in the United States and other countries.

UNIX is a registered trademark of The Open Group in the United States and other countries.

Linux is a registered trademark of Linus Torvalds in the United States, other countries, or both.Other company, product, or service names may be trademarks or service marks of others.