Chapter 1
Introduction to Sun™ ONE Instant Messaging Software

This chapter explains the Sun™ ONE Instant Messaging components, architecture, and configuration information.

The chapter contains the following sections:

Sun ONE Instant Messaging Components
Sun ONE Instant Messaging Deployment Configurations
Configuration Files and Directory Structure
Using SSL in Sun ONE Instant Messaging
Sun ONE Privacy, Security, and Site Policies

---

Sun ONE Instant Messaging Components

Instant Messaging server enables end users to participate in real-time interactive messaging and discussions. Sun ONE Instant Messaging allows end users to participate in Instant Messaging and chat sessions, send alert messages to each other, and share group news instantly. It is suitable for both intranets and the Internet.

The components used to provide the Sun ONE Instant Messaging service to end users vary depending on the type of deployment.

Basic Deployment Scenarios

The Sun ONE Instant Messaging server can be deployed in any one of the following scenarios:

As a server connected only to an LDAP server.
As a server connected to Sun ONE Identity Server.
As a server connected to Sun ONE Identity Server and Sun ONE Portal Server. Sun™ ONE Instant Messenger is made available to end users on the Portal Server Desktop.

Quick Reference of Core Instant Messaging Components

The core Instant Messaging components are the same, regardless of which of the preceding deployment methods you use. The Instant Messaging components are:

Sun ONE Instant Messenger Resources. This is the set of files that make up the Sun ONE Instant Messenger client.
Sun ONE Instant Messenger. This is a Java Instant Messaging applet. It is the Java-based Sun ONE Instant Messenger client that is invoked through the web, using Java^TM Web Start or the Java^TM Plug-in.
Sun ONE Instant Messaging Server. The Instant Messaging server serves the presence information to the messenger clients, allows end users to establish Instant Messaging sessions, and enforces policies.
Instant Messaging Multiplexor. A scalability component that consolidates multiple messenger connections into one Transmission Control Protocol (TCP) connection to the server. The Instant Messaging multiplexor is also referred to as the multiplexor.
Sun ONE Identity Server Instant Messaging Service Definition. This component can be installed only if the Identity Server or the Identity Server SDK is installed in the system.

Quick Reference of Instant Messaging Related Components

The following software components work with Sun ONE Instant Messaging server, but they are installed separately:

Web server: Portal deployments use the web server that ships with Sun ONE Portal Server. The LDAP deployments need to install a web server, such as Sun ONE Application Server SE (Standard Edition). In both cases, the Instant Messenger resources must reside on the web server host machine.
LDAP directory server: Instant Messaging uses an LDAP server, such as Sun ONE Directory Server, for end user authentication and end user search. In a portal deployment, the LDAP server that is used by the Portal Server is used by the Instant Messaging server to search end users.
(Optional) SMTP server: Sun ONE Messaging Server or some other SMTP server is used to forward instant messages for end users who are offline.
(Optional) Sun ONE Portal Server: Sun ONE Portal Server is installed for portal deployments.
(Optional) Sun ONE Identity Server: Sun ONE Identity Server is installed for adding the Instant Messaging service.

Deployment Overview: LDAP-Only Deployment

Figure 1-1 illustrates the interaction of the software components in the authentication process of an LDAP-only configuration of Sun ONE Instant Messaging. The focus is on the flow of authentication requests, where the protocols used for requests are indicated above the arrows. The IM protocol is a proprietary protocol. The term MUX is an abbreviation for multiplexor. An explanation of the steps in this process follow the figure.

Figure 1-1  Flow of Authentication Requests in an LDAP-Only Configuration

The key difference between a Sun ONE Instant Messaging LDAP-only deployment and a Sun ONE Instant Messaging deployment that uses Sun ONE Identity Server is the authentication process. The authentication process in an Instant Messaging LDAP-only deployment works as follows:

End user accesses the Sun ONE Instant Messenger applet URL from a browser
The browser invokes Java Web Start or the Java Plug-in.
Java Web Start or the Java plug-in downloads the necessary Sun ONE Instant Messenger resource files and starts the Instant Messenger.
The log-in window is displayed and the end user enters the log-in name and password. This data is sent to the Instant Messaging server via the multiplexor.
The Sun ONE Instant Messaging server communicates with the LDAP server to authenticate the end user and to request end-user information.

End users should set their preferences to have alerts forwarded as email when they are offline.

When the end-user authentication is complete, the Sun ONE Instant Messaging main window is displayed with the contact list for the end user. The end user can now start and participate in Sun ONE Instant Messaging sessions with the other end users.

Deployment Overview: Identity Server and Portal Server in a Single Sign-On Environment

Figure 1-2 illustrates authentication process of the Sun ONE Instant Messaging software in collaboration with the Sun ONE Portal Server and Sun ONE Identity Server components in a Single Sign-On environment. As with Figure 1-1, this figure focuses on the flow of authentication requests. An explanation of the steps in this process follows the figure.

Figure 1-2  Flow of Authentication Requests in a Portal Server & Identity Server Configuration.

The authentication process of the Sun ONE Instant Messaging server in a Sun ONE Identity Server and Portal Server deployment within a single sign-on environment works as follows:

The end user logs in to the Sun ONE Portal Server by entering the URL in a web browser.
The Sun ONE Identity Server software authenticates the end user and returns a session token and the Sun ONE Portal Server downloads Portal Server Desktop for the end user. Portal Server Desktop is displayed in the end user’s browser. See Step 6 for an explanation of the session token.
The end user clicks the Sun ONE Instant Messenger URL link from the Instant Messaging channel on the Portal Server Desktop.
The browser invokes Java Web Start or the Java Plug-in.
Java Web Start or the Java plug-in downloads the necessary Sun ONE Instant Messenger resource files and starts the Instant Messenger.
Sun ONE Instant Messenger requests authentication to the Sun ONE Instant Messaging server using the session token.

The session token is what enables single sign-on to work. This token is provided as an applet parameter and is used throughout the authentication process. End users are not asked for their credentials again as long as the session token is present.

Sun ONE Instant Messaging server asks Sun ONE Identity Server to validate the session token. If the session is valid, Sun ONE Instant Messenger displays the end user’s contact list and the end user can use Sun ONE Instant Messenger services: chat, alerts, polls, etc.
Sun ONE Instant Messaging server must query LDAP directly to get or set end-user information, such as contact lists or subscriptions.

For more information on deploying Sun ONE Instant Messaging in the portal environment, see the Sun ONE Instant Messaging Deployment Guide.

The Role of the Instant Messaging Components

Sun ONE Instant Messenger

The Java-based Sun ONE Instant Messenger is Instant Messaging’s client that can be configured to be a browser-based applet using Java Plug-in, or an application independent of a browser using Java Web Start.

To run the Sun ONE Instant Messenger client on Solaris, you must use Java Web Start. On Microsoft Windows you can run Instant Messenger as an applet or a Java Web Start application. It is recommended that you run Sun ONE Instant Messenger as a Java Web Start application.

For more information on customizing Sun ONE Instant Messenger, see "Managing Sun™ ONE Instant Messenger".

Sun ONE Instant Messenger provides the following modes of communication:

Chat - Sun ONE Instant Messenger’s version of Instant Messaging conferences is called chat. Chat is a real-time conversation capability that enables end users to complete projects, answer customer queries, and complete other time-critical assignments. Chat sessions (two or more participants) are held in chat rooms created on a need basis.
Conference Rooms - Conference rooms are persistent chat rooms that work similarly to regular chat sessions, but offer:
Access Control
Moderated Chats
Alerts - Alerts enable information delivery and response to end users through the Instant Messenger interface. Alerts can deliver time-critical information to the end user. The sender of the alert message is notified when the message is delivered, and read by the recipient. If the alert message requires a response, choose the Chat option from the Tools menu to chat with the sender.
Poll - The polling function enables you to ask end users for their response to a question. You can send a question and possible answers to poll recipients, and the recipients can respond with their selected answer. When recipients respond to your poll, you can view their answers in a status window. The summary of results can also be viewed in the status window.
News - News channels are forums for posting and sharing information. End users can subscribe to news channels of interest to see updates using the URL of the news channels or view the news channel updates through static messages. Administrators control news channel access by assigning end users to the channels they need, and deciding who can see or post information to the channels.

Note	The instant messages can contain embedded URLs, such as http://stocks.yahoo.com?id=sunw. If you are using proxy servers, it might be necessary to have clients using Java Web Start modify their proxy configuration for resolving such URLs. For more information on configuring the proxy settings manually, see Modifying Sun ONE Instant Messenger Proxy Settings.

Sun ONE Portal Server

Portal Server Desktop

Sun ONE Instant Messenger installed on the Portal Server environment can be launched from the Instant Messaging channel that available to end users on Portal Server Desktop.

Sun ONE Portal Server, Secure Remote Access

Sun ONE Portal Server, Secure Remote Access enables remote end users to securely access their organizations network and its services over the Internet for Solaris-based or Windows-based systems. The end user can access Secure Remote Access by logging in to the web-based Portal Server Desktop through the portal gateway. The authentication module configured for Sun ONE Portal Server authenticates the end user. The end-user session is established with Sun ONE Portal Server and the access is enabled to the end user’s Portal Server Desktop.

In the Sun ONE Portal Server environment, you can configure Sun ONE Instant Messenger in either secure or non-secure mode. In the secure mode, communication is encrypted through the Sun ONE Portal Server Netlet. When you are accessing Sun ONE Instant Messenger in the secured mode, a lock icon appears in the Status area of the Instant Messenger. In the non-secure mode, the Sun ONE Instant Messenger session is not encrypted. For more information on Netlet, see Sun ONE Portal Server, Secure Remote Access Administrator’s Guide

Sun ONE Identity Server

Sun ONE Identity Server provides end user and service management, authentication and single sign-on services. It also provides policy management, logging service, debug utility, the admin console, and client support interfaces.

Instant Messaging Server

The Instant Messaging server handles tasks such as controlling Instant Messenger privileges and security, enabling Sun ONE Instant Messenger clients to communicate with each other by sending alerts, initiating chat conversations, and posting messages to the available news channels.

The Instant Messaging server supports the connection of a multiplexor that consolidates connections over one socket. For more information on the multiplexor, see "Instant Messaging Multiplexor".

Access control files and Sun ONE Identity Server policies are used for administration of end users, news channels, and conference rooms.

Instant Messaging Multiplexor

The Instant Messaging multiplexor component connects multiple instant messenger connections into one TCP (Transmission Control Protocol) connection, which is then connected to the backend Instant Messaging server. The multiplexor reads data from the Sun ONE Instant Messenger and writes it to the server. Conversely, when the server sends data to Sun ONE Instant Messenger, the multiplexor reads the data and writes it to the appropriate connection. The multiplexor does not perform any end user authentication or parse the client-server protocol (IM protocol).

You can install multiple multiplexors based on your deployment requirements. For more information, see "Sun ONE Instant Messaging Deployment Configurations".

Web Server

Instant Messaging requires a web server to serve the Instant Messenger resources. The Instant Messenger resource files include:

The index.html file, provided by Sun ONE Instant Messenger, or a home page with a link to invoke Sun ONE Instant Messenger.
Sun ONE Instant Messenger jar files (messenger.jar, imres.jar, imbrand.jar, imdesktop.jar, imnet.jar, and imjni.jar).
The Sun ONE Instant Messenger Online Help.

You must install Instant Messenger resources on the same host where the web server is installed. In an Identity Server deployment, Sun ONE Instant Messenger can be installed on the Sun ONE Identity Server host or on a different web server host. In most cases, the Instant Messenger resources will be installed on the same host where you installed the Instant Messaging server software. It is possible to locate the Instant Messenger resources on a host other than the Instant Messaging server or multiplexor. For more information on this, see Sun ONE Instant Messaging Installation Guide.

Note	Install the web server before installing Sun ONE Instant Messaging. If you are using Sun ONE Portal Server, you can use the web server that is shipped with the product. You need not install a separate web server for Instant Messaging.

LDAP Directory Server

The Sun ONE Instant Messaging server requires an LDAP directory server to perform end user authentication, search for end users, and access end user and group information.

The Sun ONE Instant Messaging server does not store the Instant Messenger end-user information; instead, the Instant Messenger end-user information is stored in the LDAP server. For performing end-user searches in the LDAP server, the Instant Messaging server uses the LDAP cn and uid attributes.

The Sun ONE Instant Messaging server relies on common end-user attributes to search for end-user and group information. The configuration allows the system administrator to specify attribute names and search folders used by the server. Sun ONE Instant Messaging properties (Sun ONE Instant Messenger properties and subscriptions) can be stored in files on the Sun ONE Instant Messaging server or in the LDAP server.

Sun ONE Instant Messaging supports end users that are defined and maintained in an LDAP directory, such as Sun ONE Directory Server.

If you do not have an LDAP directory installed, you must install one. For more information, see Sun ONE Instant Messaging Installation Guide.

SMTP Server

Instant Messaging uses an SMTP server to forward alerts as emails to end users who are offline and are therefore unable to receive alerts.

The SMTP server is not shipped with Instant Messaging. If you do not have an SMTP server installed, you must install one. For more information, see Sun ONE Instant Messaging Installation Guide.

---

Sun ONE Instant Messaging Deployment Configurations

You can install and configure Sun ONE Instant Messaging server to meet your site’s requirements. The following are some of the Instant Messaging deployment scenarios:

Sun ONE Instant Messaging deployment with separate web server host
Sun ONE Instant Messaging deployment with multiple multiplexor hosts
Sun ONE Instant Messaging deployment with multiple Instant Messaging server hosts

Note	The configuration details described in this section are for LDAP deployments of Instant Messaging server. For information on configuring Instant Messaging server on a portal deployment, see Sun ONE Instant Messaging Deployment Guide.

The Web Server and the Instant Messenger Resources Installed on a Different Host

Figure 1-3 shows a configuration where the Instant Messaging server and multiplexor are installed on the same host, and the web server is installed on a separate host. The Instant Messenger resources are also present on the web server host. Use this configuration when there is an existing instance of a web server and an LDAP server, and you do not want to install other applications on these hosts.

Figure 1-3  The web server and the Instant Messenger installed on a separate host.

Multiple Multiplexor Hosts

Figure 1-4 shows a configuration of two multiplexors installed on separate hosts, and the Instant Messaging server on a different host. This configuration enables you to place a multiplexor outside your company’s firewall. Installing multiplexors on multiple hosts distributes the load of the Instant Messaging server across multiple systems.

Note	The multiplexor can be resource-intensive, so putting it on a separate host can improve the overall performance of the system. Windows supports only one multiplexor instance per host.

Figure 1-4  Instant Messaging Multiplexors Installed on Two Different Hosts.

Federation of Multiple Instant Messaging Deployments

Figure 1-5 shows a configuration consisting of two Instant Messaging servers. This configuration is used when the site contains multiple administrative domains. The server configuration on each Instant Messaging server host has to be set up so that end users on one Instant Messaging server can communicate with end users on other Instant Messaging servers. For more information on federating multiple Instant Messaging deployments, see "Federating Deployment of Multiple Instant Messaging Servers".

Figure 1-5  Multiple Instant Messaging server hosts.

---

Configuration Files and Directory Structure

This section describes the Instant Messaging server directory structure and the properties files used to store Instant Messaging operational data and configuration information.

Instant Messaging server Directory Structure

Table 1-1 shows the platform-specific directory structure for the Instant Messaging server.

Table 1-1  Instant Messaging server directories  

Description	Solaris Location	Windows Location
Programs Files These files include the native executable files, the library files in bin or lib directory, the shell scripts in sbin directory, the java classes in classes directory, and templates files in lib directory.	instant-messaging-installation-directory/SUNWiim The default value for the instant-messaging-installation directory is /opt	instant-messaging-installation-directory The default value for the instant-messaging-installation directory is c:\Program Files\Sun\InstantMessaging
Server Configuration files These files are in the instant-messaging-configuration directory and include the iim.conf file and a subdirectory which contains all the server-wide access control files.	By default, the instant-messaging-configuration directory is located at: /etc/opt/SUNWiim/default/config Note: The installer creates a symbolic link from /etc/opt/SUNWiim/default/config to instant-messaging-installation-directory/SUNWiim/config.	instant-messaging-installation-directory\config
Instant Messaging Server Data. These files include the configurable directory for the files generated by the server at runtime. It includes the end user data in the instant- messaging-database directory, which contains information such as the user and news channels directory. It also contains the server and multiplexor log files, in the log directory.	instancevardir/default The default value for instancevardir is /var/opt/SUNWiim	instant-messaging-installation-directory\
Instant Messenger resources. These files contain HTML documents and jar files used by Sun ONE Instant Messenger. The top-most directory contains the locale-independent resources, and the locale-specific directories contain the localized resources.	instant-messaging-resource directory The default value for this resource directory is: /opt/SUNWiim/html	instant-messaging-resource directory

Note	On Linux, the primary server package name is soim, and all the above Solaris Location paths mentioned in Table 1-1 should be replaced by soim. For example, replace SUNWiim with soim.

Sun ONE Instant Messaging Server Configuration File

Instant Messaging stores all configuration options in the iim.conf file. For more information on the parameters and their values stored in this file, see Instant Messaging Configuration Parameters.

Sun ONE Instant Messaging Data

Instant Messaging server stores the following data used by Sun ONE Instant Messenger in the runtime files directory, which you specified during the installation, and is indicated by the iim.instancevardir parameter in the iim.conf file:

End user properties, such as contact lists, messenger settings, subscribed news channels and access control (alternatively, these properties can be stored in LDAP).
News channel messages and access rules.
Alert Messages that are to be delivered. These messages are delivered and removed when the recipient logs in.
Public conferences. This does not involve instant messages which are not persistent, but only properties of the conference objects themselves, such as access rules.

---

Using SSL in Sun ONE Instant Messaging

Instant Messaging supports the Secure Sockets Layer (SSL) protocol, for encrypted communications and for certificate-based authentication of Instant Messaging servers. Instant Messaging server supports SSL version 3.0.

Sun ONE Instant Messaging multiplexor and Sun ONE Instant Messenger also support SSL for encrypted communication between the client and the multiplexor.

For detailed information on SSL, see Appendix B in Sun ONE Console and Administration Server 5.0 Server Management Guide.

Enabling SSL for Sun ONE Instant Messaging Server necessitates the following:

Obtaining and installing a certificate for your Instant Messaging server, and configuring the Instant Messaging server to trust the Certification Authority’s certificate.
Ensuring that each Instant Messaging server that needs to communicate using SSL with your server, obtains and installs a certificate.
Turning on SSL in the server by setting the appropriate parameters in the iim.conf file.

Enabling SSL between the multiplexor and Sun ONE Instant Messenger requires the following:

Obtaining and installing a certificate for your Instant Messaging multiplexor host, and configuring the Instant Messaging server to trust the Certification Authority's certificate.
Turning on the SSL in the multiplexor by setting the appropriate parameters in the iim.conf file.
Making sure that the end users download and use the SSL version of the Instant Messenger, such as the imssl.jnlp file or the imssl.html file.

For steps on configuring SSL, see Configuring SSL.

---

Sun ONE Privacy, Security, and Site Policies

Sun ONE Instant Messaging provides the ability to control access to Instant Messaging features and preserve end-user privacy.

Site Policies

Site policies specify end-user access to specific functionality in Sun ONE Instant Messaging. It specifies:

Ability to access the presence status of other end users
Ability to send alerts to other end users
Ability to save properties on the server
Ability to create and manage conference rooms
Ability to create and manage news channels

The Instant Messaging administrator has access to all Instant Messaging features. The administrator has MANAGE access to all conference rooms and news channels, can view presence information of any end user, and can view and modify properties such as Contact Lists and Instant Messenger Settings of any end user. The site policy settings have no impact on the administrator’s privileges.

By default, the end user is provided with the privileges to access the presence status of other end users, send alerts to end users, and save properties to the server. In most of the deployments, the default values are not changed. These default values need to be changed when Instant Messaging is used exclusively for the pop-up functionality.

When Instant Messaging is used exclusively for the pop-up functionality, the end user will not be provided with the access privileges to presence information, chat, and news features.

Note	Although certain privileges can be set globally, the administrator can also define exceptions for these privileges. For example, the administrator can deny certain default privileges to select end users, roles, or groups.

For more information on configuring site policies, see "Managing Instant Messaging and Presence Policies".

Conference Room and News Channel Access Controls

End users can have the following access privileges on Conference rooms and News channels:

MANAGE - full access, which includes the ability to set the conference room or the news channel privilege for other end users.
WRITE - privilege to add contents to the conference room or the news channel.
READ - privilege to read the conference room or the news channel contents.
NONE - no access privileges.

End users with the MANAGE privilege can set the default privilege level for all the other end users. These end users can also define the exception rules to grant an access level that is different from the default access level permission given to specific end users or groups.

Note	Setting the WRITE privilege, grants the end users the READ privilege.

User Privacy

End users can specify if other end users can see their presence or not. By default, all end users can access the presence information of another end user. End users can also set exceptions for denying this access to certain end user and groups.

If an end user has denied other end users from accessing the end user’s presence status, then that end user’s availability status appears as offline in others contact lists. No alerts or chat invitations can be sent to an end user whose presence status is offline.

User privacy can be configured using the User Settings window in the Instant Messenger. For more information on configuring user privacy, see Sun ONE Instant Messenger Online Help.

Previous      Contents      Index      Next

---

Copyright 2003 Sun Microsystems, Inc. All rights reserved.