Sametime 11 with Proxy Server -- installation notes
by Richard Pajerski
Posted on Thursday March 19, 2020 at 04:39PM in Technology
HCL Sametime 11 has been out for a few months now and brought important technical changes that, when used in conjunction with the Sametime 11 Proxy Server, make it a more compelling offering than previous versions released by IBM.
The most fundamental change is the streamlined installation that removes the DB2 and WebSphere dependencies needed for the proxy server. Those components have been replaced by MongoDB and a Tomcat-based proxy server respectively, both of which are indeed simpler to install and configure. It's been rumored that an .nsf storage option will be offered in the next release and that should further smooth out the installation process.
That being said, getting everything up and running is more difficult than it should be. One notable problem is the documentation. The language is at times too informal (even ambiguous), the formatting could use some tidying up (unclear headings/inconsistent fonts for samples, etc.) and a URL for details on setting up SSL/TLS sends you to the wrong version (10) -- apparently, no version 11-specific documentation is available. More importantly, if this is a fresh Sametime installation (which is the only supported option), what's *left out* of the documentation might lead to broken communication between the proxy and the Sametime server.
After successfully completing the Windows installation, I attempted to log in to the proxy from a browser and was greeted with "Sametime is temporarily unavailable".
The problem wasn't immediately obvious because in the proxy's logs I found entries like "Sametime Proxy server is successfully connected to the Sametime community, ...". But digging further into the logs, I found "generateTokenFailed reason: 80000000". So network communication was there but SSO wasn't working.
PRO TIP: Get more verbose logging on the proxy by uncommenting these two lines in Tomcat's logging.properties file (sametimeproxy\conf directory):
com.ibm.level=FINE
com.ibm.handlers = 2localhost.org.apache.juli.AsyncFileHandler
During the Sametime server installation, the installer creates a Web/SSO document in the Domino Directory called "LtpaToken", sets the Session authentication field to "Multiple Servers (SSO)" (in the Domino server document) and correctly references the Web/SSO document. However, on this fresh installation, the DNS Domain name field of the Web/SSO document was blank.
That's going to leave you with "HTTP Server: Error loading Web SSO Cookie Name Configuration 'LtpaToken' for Web Site ..." on the Domino server and will prevent Sametime from properly creating an SSO token to send to the proxy server.
Adding the DNS domain name (in my case, .testlab.com) to the Web/SSO document should fix the login problem for most installations. But in my Windows installation, there was a further complication that kept producing "Sametime is temporarily unavailable". It turns out the fully-qualified hostname for the Sametime server was not being passed to the proxy. From the proxy's logs:
serverFQDN: S1
cluster: CN=S1/O=TestLab
serverURL: 192.168.0.102
The fix for this was to enter the fully-qualified domain name for the Sametime server in the Net Address field of the Domino Server document (Ports > Notes Network Ports tab). After that, the login worked and the proxy reported:
serverFQDN: s1.testlab.com
cluster: CN=S1/O=TestLab
serverURL: 192.168.0.102
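The two symptoms above can be checked mechanically. The following is an added example, not part of the original post or of HCL's tooling: a small Python triage script that scans proxy log text for the token failure and for a `serverFQDN` that is unqualified or falls outside the Web/SSO DNS domain. The log layout, the function names and the rule that the host must sit inside the SSO domain are assumptions based on the entries quoted here.

```python
import re

# Constructed sample built from the entries quoted in the post; the real
# log layout (timestamps, prefixes) is an assumption.
SAMPLE_LOG = """\
Sametime Proxy server is successfully connected to the Sametime community, ...
serverFQDN: S1
cluster: CN=S1/O=TestLab
serverURL: 192.168.0.102
generateTokenFailed reason: 80000000
"""

TOKEN_FAIL = re.compile(r"generateTokenFailed reason:\s*([0-9A-Fa-f]+)")
SERVER_FQDN = re.compile(r"serverFQDN:\s*(\S+)")


def covered_by_sso_domain(host, sso_domain):
    """True if host falls inside the Web/SSO DNS domain (e.g. .testlab.com)."""
    suffix = "." + sso_domain.strip().lstrip(".").lower()
    return suffix != "." and host.lower().endswith(suffix)


def diagnose(log_text, sso_domain):
    """Return findings for the two failure modes described in the post.

    sso_domain is the DNS Domain value read from the Web/SSO document
    (hypothetical parameter; pass "" if the field is blank).
    """
    findings = []
    domain_set = bool(sso_domain.strip().lstrip("."))
    connected = "successfully connected to the Sametime community" in log_text
    for m in TOKEN_FAIL.finditer(log_text):
        note = "token generation failed (reason %s)" % m.group(1)
        if connected:
            note += "; community link is up, so check Web/SSO, not the network"
        findings.append(note)
    if not domain_set:
        findings.append("Web/SSO DNS Domain is blank")
    for m in SERVER_FQDN.finditer(log_text):
        host = m.group(1)
        if "." not in host:
            findings.append("serverFQDN '%s' is not fully qualified" % host)
        elif domain_set and not covered_by_sso_domain(host, sso_domain):
            findings.append("serverFQDN '%s' is outside SSO domain '%s'" % (host, sso_domain))
    return findings


if __name__ == "__main__":
    for finding in diagnose(SAMPLE_LOG, ""):
        print("-", finding)
```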
Conclusion
So what's *left out* of the documentation is any reference to the Web/SSO and LtpaToken configuration on the Sametime server. Whether or not the blank DNS Domain name field is an "out-of-the-box" configuration error, some mention of the Web/SSO details back on the Sametime server would be a helpful addition to the documentation.
How are your Sametime 11 installations coming along?