Previous      Contents      Index      Next
Sun Java System Calendar Server Administration Guide

Chapter 1
Overview

Sun Java™ System Calendar Server 6 2004Q2 (Calendar Server), formerly Sun™ ONE Calendar Server, is a scalable, Web-based solution for centralized calendaring and scheduling for enterprises and service providers. Calendar Server supports personal and group calendars for both events and tasks as well as calendars for resources such as conference rooms and equipment.

For information about basic configuration scenarios, see the Sun Java System Calendar Server 6 2004Q2 Deployment Planning Guide at:

http://docs.sun.com/coll/CalendarServer_04q2

This chapter includes the following information:

Calendar Server Configurations
Single-Server Minimal Configuration
Network Front-End/Database Back-End Server Configuration
Multiple Front-End/Back-End Server Configuration
Calendar Server Installation
Post Installation Configuration
Calendar Server Administrators
Calendar Server End User Administration
Calendar Server Data
Calendar Access Control
Calendar Server Internal Subsystems
Calendar Server Services
Calendar Server APIs and SDKs

---

Calendar Server Configurations

Calendar Server configurations can vary depending on a site’s specific requirements. This section describes the following three basic configurations:

Single-Server Minimal Configuration
Network Front-End/Database Back-End Server Configuration
Multiple Front-End/Back-End Server Configuration

 

This chapter provides an overview of these configurations. For more information, see Configurations for the CLD Plug-in.

Single-Server Minimal Configuration

In a single-server minimal configuration (shown in Figure 1-1), all Calendar Server services (processes) run on the same server, either in the same CPU (processor) or across multiple CPUs. The directory server and Sun Java System Identify Server processes can run on the same server or on different servers. A single-server minimal configuration includes the following components.

Calendar Server

A Calendar Server instance on a single server includes the following services:

Administration service (csadmind process) provides support for administration functions such as commands to start or stop Calendar Server, create or delete calendar users or resources, or fetch and store calendars.
HTTP service (cshttpd process) handles incoming SHTML and WCAP requests.
Event Notification Service (enpd and csnotifyd processes) handles event (email) notifications, if you want Calendar Server to send event notifications.

For a description of Calendar Server services, see Calendar Server Services.

The Database Wire Protocol (DWP) service (csdwpd process), which provides networking capability when the calendar database is not on the same server as the cshttpd process, is not required for a minimal configuration because the database is on the same server.

Directory Server

Calendar Server requires that a calendar user entry be stored in a directory server. Calendar Server then uses the directory server for user authentication and for the storage and retrieval of user preferences. Calendar Server default installation supports users defined in an LDAP directory, such as the Sun Java System Directory Server, which can reside on the same machine as Calendar Server, or on a remote server.

If your users are already stored in an LDAP directory, you can simply upgrade your directory server to Directory Server, which supports the schema extensions that allow users to access Calendar Server. For information about Directory Server, see the following documentation Web site:

http://docs.sun.com/coll/DirectoryServer_04q2

However, if you prefer, you can use the Calendar Server API (CSAPI) to write a plug-in to use a non-LDAP directory server. This API is described in the Sun Java System Calendar Server 6 2004Q2 Developer’s Guide.

Sun Java System Identify Server

Sun Java System Identify Server (release 2003Q4 (6.1) or later) provides the following functions:

commadmin utility–Use this CLI utility to provision and manage hosted (virtual) domains, users, groups, organizations, resources, and roles for Sun Java System communications servers, including Calendar Server.

For information about the commadmin utility, see the Sun Java System Communications Services 6 2004Q2 User Management Utility Administration Guide.

Single sign-on (SSO)–You can implement SSO for Sun Java Enterprise System servers, including Calendar Server and Messaging Server, using Identity Server. Identity Server serves as the SSO gateway for the Sun Java Enterprise System servers. Users log in to Identity Server and then can access other the servers, as long as all servers are configured properly for SSO.

Note that you can also implement SSO through Messaging Server using trusted circle technology. For more information on both implementations, see Chapter 8, "Configuring Single Sign-on".

Sun LDAP Schema 2 – Identity Server (release 2003Q4 or later) is required if you want to use Schema 2.

For more information about Sun LDAP Schema 1 and 2, see the Sun Java Enterprise System Technical Overview at:

http://docs.sun.com/

Identify Server can run on the same server where Calendar Server is running or on a remote server.

End Users

End users connect to Calendar Server from client machines by using one of the two Web user interfaces (UIs), that is, either Sun Java System Calendar Express, or Sun Java System Communications Express. For information on either user interface, refer to the respective interface’s online Help. Communications Express also has an Administration Guide that can be found at: http://docs.sun.com/coll/CalendarServer_04q2

Figure 1-1  Single-Server Minimal Calendar Server Configuration

 

Network Front-End/Database Back-End Server Configuration

Calendar Server supports scalability by distributing a configuration over multiple front-end and back-end servers. On each server, Calendar Server services (processes or daemons) can also be distributed across multiple CPUs (or processors).

In network front-end/database back-end configuration (shown in Figure 1-2), users log in to a front-end server and connect to a back-end server using the Database Wire Protocol (DWP) service (csdwpd process). The calendar database is connected only to the back-end servers.

Calendar Server

Calendar Server processes run on both the front-end and back-end servers as follows:

Users log in only to a front-end server, so each front-end server requires these services:
Administration service (csadmind process)
HTTP service (cshttpd process)
Each back-end server is connected to a calendar database, so each back-end server requires these services:
Administration service (csadmind process)
Event Notification Service (enpd and csnotifyd processes)
Database Wire Protocol (DWP) service (csdwpd process) to provide networking capability to the front-end servers for the calendar database

In this configuration, users do not log in to the back-end servers, so the HTTP service (cshttpd process) is not required.

For a description of Calendar Server services, see Calendar Server Services.

Directory Server

A scalable Calendar Server configuration requires a Directory Server to authenticate users and to store user preferences.

Sun Java System Identify Server

You can use Identify Server (release 6.1 (release 6 2003Q4) or later) to implement single sign-on (SSO), and to use Sun LDAP Schema 2. To provision and manage hosted (virtual) domains, users, groups, organizations, resources, and roles use the User Management Utility, commadmin, which is built upon the Identity Server SDK.

End Users

End users connect from client machines to a front-end server by using one of the two Web user interfaces (UIs), that is, either Sun Java System Calendar Express (the old UI), or Sun Java System Communications Express (the new unified Web client).

For information on either user interface, refer to the respective interface’s online Help. Additional documentation for Communications Express is available at:

http://docs.sun.com/coll/CalendarServer_04q2

Figure 1-2  Network Front-End/Database Back-End Server Configuration

 

Multiple Front-End/Back-End Server Configuration

In a multiple front-end/back-end server configuration (shown in Figure 1-3), users log in to a specific server, and each server is connected to a calendar database. This configuration allows calendars to be geographically distributed, with each calendar residing on the server where its owner logs in to Calendar Server.

Calendar Server

Each front-end/back-end server requires all Calendar Server services: Administration service (csadmind process), HTTP service (cshttpd process), Event Notification Service (enpd and csnotifyd processes), and Database Wire Protocol (DWP) service (csdwpd process).

For a description of Calendar Server services, see Calendar Server Services.

Directory Server

A multiple front-end/back-end server configuration requires a Directory Server to authenticate users and to store user preferences.

Identify Server

You can use Identify Server (release 6.1 (release 6 2003Q4) or later) to implement single sign-on (SSO), and to use Sun LDAP Schema 2. To provision and manage hosted (virtual) domains, users, groups, organizations, resources, and roles use the User Management Utility, commadmin, which is built upon the Identity Server SDK.

End Users

An end user connects from the client machine to a front-end server by using one of the two Web user interfaces (UIs), that is, either Sun Java System Calendar Express (the old UI), or Sun Java System Communications Express (the new unified Web client). For information on either user interface, refer to the respective interface’s online Help. Additional documentation for Communications Express can be found at:

http://docs.sun.com/coll/CalendarServer_04q2

Figure 1-3  Multiple Front-End/Back-End Server Configuration

 

---

Calendar Server Installation

The installation and configuration of Calendar Server has significantly changed from earlier Calendar Server releases (pre-2003Q4 versions). There is no longer a standalone installer for Calendar Server.

If you do not already have Calendar Server 2003Q4 (6.0) installed, you must use the Sun Java Enterprise System installer to get the 2004Q2 version. With this installer, you can also install other Sun component products and packages. For information about the Java Enterprise System installer, refer to the Sun Java Enterprise System 2004Q2 Installation Guide.

If you want to upgrade from Calendar Server 6 2003Q4 to Calendar Server 6 2004Q2, the upgrade process is described in “Upgrading from Java Enterprise System 2003Q4” in the Sun Java Enterprise System 2004Q2 Installation Guide.

For information about migrating from older versions of Calendar Server, refer to the information in Chapter 4, "Migration Utilities."

---

Post Installation Configuration

After you install Calendar Server 6 2004Q2, you must configure it. This step was previously performed as part of the installation process, but has now been separated out of the installer.

After you install Calendar Server, you must configure Calendar Server as follows:

Run the Directory Server Setup script (comm_dssetup.pl) to configure Sun Java System Directory Server 5.x (if the script has not already been run).
Run the Calendar Server configuration program (csconfigurator.sh) to configure your site’s specific requirements and to create a new ics.conf configuration file. For a description of the parameters in the ics.conf file, see Appendix E, "Calendar Server Configuration Parameters"

Both comm_dssetup.pl and csconfigurator.sh are located in the following directory: /opt/SUNWics5/cal/sbin

For information about running comm_dssetup.pl and csconfigurator.sh, see Chapter 10, "Administering Calendar Server."

---

Calendar Server Administrators

Administrators for Calendar Server include:

Calendar Server Administrator (calmaster)
Calendar Server User and Group
Superuser (root)
Proxy Administrator Logins

Calendar Server Administrator (calmaster)

The Calendar Server administrator is a specific user name with its associated password that can manage Calendar Server. For example, a Calendar Server administrator can start and stop Calendar Server services, add and delete users, create and delete calendars, and so on. This user has administrator privileges for Calendar Server but not necessarily for the directory server.

The default user ID for the Calendar Server administrator is calmaster, but you can specify a different user during Calendar Server configuration, if you prefer. After installation you can also specify a different user in the service.admin.calmaster.userid parameter in the ics.conf file.

The user ID you specify for the Calendar Server administrator must be a valid user account in your directory server. If the Calendar Server administrator user account does not exist in the directory server during configuration, the configuration program can create it for you.

Table 1-1 describes the Calendar Server administrator configuration parameters in the ics.conf file.

Table 1-1  Calendar Server Administrator Configuration Parameters 

Parameter	Description
service.admin.calmaster.userid	User ID of the person designated as the Calendar Server administrator. You must provide this required value during Calendar Server installation. The default is "calmaster".
service.admin.calmaster.cred	Password of the user ID specified as the Calendar Server administrator. You must provide this required value during installation.
caldb.calmaster	Email address of the Calendar Server administrator. The default is "root@localhost".
service.admin.calmaster.overrides.accesscontrol	Indicates whether the Calendar Server administrator can override access control.The default is "no".
service.admin.calmaster.wcap.allowgetmodifyuserprefs	Indicates whether the Calendar Server administrator can get and set user preferences using WCAP commands.The default is "no".
service.admin.ldap.enable	Enables the LDAP server for user authentication of the user specified in service.admin.calmaster.userid. The default is “yes”.

Calendar Server User and Group

On Solaris Operating Systems, these special accounts are the user ID and group ID under which Calendar Server runs. Unless there are overriding reasons not to, use the default values, icsuser and icsgroup, which are automatically created by the configuration program, if they do not exist.

If you prefer, however, you can specify values other than icsuser and icsgroup when you run the Calendar Server configuration program. These values are stored in the local.serveruid and local.servergid parameters, respectively, in the ics.conf file.

Superuser (root)

On Solaris Operating Systems, you must log in as or become superuser (root) to install Calendar Server. You can also run as superuser to manage Calendar Server using the command-line utilities. For some tasks, however, you should run as icsuser and icsgroup (or the values you have selected) rather than superuser to avoid access problems for Calendar Server files.

Proxy Administrator Logins

To allow administrator proxy logins for Calendar Server, perform these steps:

In the ics.conf file set, the following parameter:

service.http.allowadminproxy = "yes"

Restart Calendar Server for the new value to take effect.
Verify that administrator proxy logins are working by using the following WCAP command:

http://server[:port]/login.wcap?user=admin-user
&password=admin-password&proxyauth=calendar-user

where:

server is the name of the server where Calendar Server is running.
port is the Calendar Server port number. The default port is 80.
admin-user is the Calendar Server administrator. For example, calmaster.
admin-password is the password for admin-user.
calendar-user is the calid of the Calendar Server user.

If the command is successful, Calendar Server displays the calendar for calendar-user. If problems occur, Calendar Server displays “Unauthorized”. Causes might be:

The admin-user does not have Calendar Server administrator privileges.
The admin-password is incorrect.
The calendar-user is not a valid Calendar Server user.

 

---

Calendar Server End User Administration

End users connect to Calendar Server from client machines by using one of the two Web user interfaces (UIs), that is, either Sun Java System Calendar Express, or Sun Java System Communications Express. Users must have a unique entry in the LDAP directory. Each user can have one or more calendars and can belong to one or more groups.

Administrators, with the proper permissions, can add, delete or modify users and their calendars, using the User Management Utility.

Caution	Utility programs used in pre-Java Enterprise System deployments, such as csuser, are still bundled with Calendar Server. If you are using Identity Server in your deployment, do not use these utilities for managing or provisioning users, domains or resources. In that case, unless specifically directed otherwise in this document, use the User Management Utility only. For documentation on the User Management Utility, see the Sun Java System Communications Services User Management Utility Administration Guide at: http://docs.sun.com/coll/CalendarServer_04q2

This section describes the following aspects of user and user calendar administration:

Creation of Calendar Server Users
Authentication of Calendar Server Users
Calendar Groups
Calendar Server User Preferences

Creation of Calendar Server Users

Calendar Server users are created either manually or automatically:

Manually — If the Directory Server is configured for Schema 2, an administrator can add users to the directory server using the User Management Utility and then create the users’ default calendars using the Calendar Server cscal utility.

If the Directory Server is configured for Schema 1, create both the user and the calendar at the same time using the Calendar Server csuser utility.

Automatically (auto provisioning) — If a user already exists in the directory server, Calendar Server automatically creates a default calendar the first time the user logs in.

In non-hosted domain mode, Calendar Server creates the calendar ID (calid) of the default calendar from the user ID. For example, if John Doe has a user ID of jdoe, his default calendar calid would be jdoe.

In hosted domain mode, the calid is a combination of the user ID and the user’s domain. For example, if John Doe is in domain example.com, and his user ID is jdoe, then his calid in a hosted domain environment is jdoe@example.com.

For auto provisioning to occur, the following criteria must be met:

The local.autoprovision parameter must be set to “yes” (which is the default) in the ics.conf file.
In hosted (virtual) domain mode, the domain must be calendar enabled. A domain is calendar enabled if its LDAP entry contains the icsCalendarDomain object class.

For example, suppose TChang exists in the directory server but is not yet enabled for calendaring (that is, does not have a default calendar). When TChang logs into Calendar Server for the first time, Calendar Server automatically enables TChang for calendaring and creates a default calendar with the calid TChang.

Authentication of Calendar Server Users

Calendar Server requires a directory server such Sun Java System Directory Server to authenticate users (and to store user preferences). However, To allow access for users defined in a non-LDAP directory server, Calendar Server includes the Calendar Server API (CSAPI), which you can use to write a plug-in to access a non-LDAP directory. For information about CSAPI, refer to the Sun Java System Calendar Server 6 2004Q2 Developer’s Guide.

Calendar Server User Preferences

Calendar Server allows users to customize their views of calendar data by setting user preferences attributes, which are stored in the directory server. User preferences (as opposed to Calendar Server configuration parameters) refer to the user interface representation of calendar data and include items such as user name, email address, and preferred colors to use when rendering calendar views.

For a list of preferences, refer to the get_userprefs and set_userprefs WCAP commands in the Sun Java System Calendar Server 6 2004Q2 Developer’s Guide.

Calendar Groups

A calendar group is a named list of individual calendars. Group calendars allow multiple calendars to be combined into a single calendar for viewing. For example, a user can have a calendar group consisting of a private calendar, department calendar, and company holidays calendar. Users can also use a calendar group to select a list of calendars and view them side-by-side or invite the calendar owners to an event.

For more information about Calendar Server users, see Chapter 12, "Administering Users and Resources."

---

Calendar Server Data

This section describes the following information about Calendar Server data:

Calendar Server Data Format
Import and Export of Calendar Data
Calendar Links for Data Exchange
Calendar Server Alarms

Calendar Server Data Format

Calendar Server data format is modeled after RFC 2445, Internet Calendaring and Scheduling Core Object Specification (iCalendar). Calendar Server supports the following formats:

SHTML (.shtml)—the default
XML (.xml)—WCAP only
iCalendar (.ical)—WCAP only

You can add other formats by developing your own XSL translations for the Calendar Express views and dialogs. You can also use CSAPI to develop a translator DLL or shared library for the WCAP protocol. For information about WCAP and CSAPI, see the Sun Java System Calendar Server 6 2004Q2 Developer’s Guide.

Import and Export of Calendar Data

Calendar data can be imported and exported in either iCalendar (.ical) or XML (.xml) format. End users import and export data using one of the graphical user interfaces, for example, Sun Java System Calendar Express. For information, see the appropriate user interface’s online Help. Calendar Server administrators can import and export calendar data using the Calendar Server csimport and csexport utilities.

Calendar Links for Data Exchange

Calendars can be referenced as links embedded in email messages and on Web pages. Users can then click a link to view a calendar as long as the calendar allows read access, without having to log into Calendar Server. For example, the following link specifies a resource room named Auditorium:

http://calendar.sesta.com:8080/?calid=Auditorium

Calendar Server Alarms

Calendar Server supports server-side email alarms, which can be sent to a list of recipients. The format of the email message is configurable and is maintained as a server attribute, rather than as a user or calendar attribute. Calendar Server has limited support for the ITIP/IMIP standards (RFC-2446 and RFC-2447), including ITIP methods PUBLISH, REQUEST, REPLY, and CANCEL for events.

---

Calendar Access Control

Sun™ ONE Calendar Server uses Access Control Lists (ACLs) to determine the access control for calendars, calendar properties, and calendar components such as events and todos (tasks).

This section covers these topics:

Secure Calendar Server Logins
Access Control by Users
Access Control Lists (ACLs)

Secure Calendar Server Logins

When users log in to Calendar Server through Calendar Express, by default the authentication process does not encrypt the login information, including user names and passwords. If you want secure logins as your site, configure Calendar Server to use the Secure Sockets Layer (SSL) protocol to encrypt the login data. For more information, see Chapter 7, "Configuring SSL."

Access Control by Users

Calendar Server considers the following users when determining access to calendars, calendar properties, and calendar components:

Primary calendar owners

Primary calendar owners have full access to their own calendars. Calendar Server does not perform any access control checks for primary owners accessing their own calendars.

Administrators and superusers

An administrator such as calmaster, or a superuser such as root, is not subject to access control restrictions and can perform any operation on a calendar or calendar component. For more information, see Calendar Server Administrators.

Other calendar owners

Primary calendar owners can designate other owners for their calendars. The other owner can then act on behalf of the primary owner to schedule, delete, modify, accept, or decline events or todos (tasks) for a calendar.

anonymous user

The special calendar ID (calid) anonymous can access Calendar Server using any password, if service.http.allowanonymouslogin in the ics.conf file is set to “yes” (which is the default). The anonymous user is not associated with any particular domain.You can change the calid for the anonymous user by editing the calstore.anonymous.calid parameter.

You can also view a calendar anonymously if the calendar’s permissions allow read access for everybody. For example, the following link allows users to anonymously view the calendar with the calid tchang:meetings (if the calendar’s permissions allow read access for everybody):

http://calendar.sesta.com:8080/?calid=tchang:meetings

An anonymous user can view, print and search for public events and tasks on the calendar but cannot perform any other operations.

For information about viewing a resource calendar anonymously, see Chapter 13, "Administering Calendars".

Access Control Lists (ACLs)

Calendar Server uses access control lists (ACLs) to determine access control for calendars, calendar properties, and calendar components such as events and todos (tasks). An ACL consists of one or more access control entries (ACEs), which are strings that collectively apply to the same calendar or component Each ACE in an ACL must be separated by a semicolon. For example:

jsmith^c^wd^g consists of a single ACE.
@@o^a^r^g;@@o^c^wdeic^g;@^a^sf^g consists of three ACEs.

An ACE consists of the following elements, with each element separated by a caret (^):

Who - The individual, user, domain, or type of user who the ACE applies to.
What - The target being accessed, such as a calendar or a calendar component such as an event, todo (task), or calendar property.
How - The type of access control rights permitted, such as read, write, or delete.
Grant - A specific access control right that is either granted or denied.

For example, in the ACE jsmith^c^wd^g:

jsmith is the Who element, indicating who the ACE applies to.
c is the What element, indicating what is being accessed (only the calendar components).
wd is the How element, indicating which access rights are to be granted or denied (write and delete).
g is the Grant element, indicating that the specified access rights, write and delete, for the calendar components are granted to jsmith.

Who

The Who element is the principal value for an ACE and indicates who the ACE applies to, such an individual user, domain, or specific type of user.

Who is also called the Universal Principal Name (UPN). The UPN for a user is the user’s login name combined with the user’s domain. For example, user bill in domain sesta.com has the UPN bill@sesta.com.

Table 1-2 shows the Who formats used in Calendar Server ACEs.

Table 1-2  Who Formats for Access Control Entry (ACE) Strings 

Format	Description
user	Refers to a specific user. For example: jsmith.
user@domain	Refers to a specific user at a specific domain. For example: jsmith@sesta.com.
@domain	Refers to any user at the specified domain. For example: @sesta.com specifies jsmith@sesta.com, sally@sesta.com, and anyone else at sesta.com. Use this format to grant or deny access to an entire domain of users.
@	Refers to all users.
@@{p|o|n}	Refers to owners for the calendar: @@p – primary owner only @@o – all owners, including the primary owner @@n – not an owner

What

The What element specifies the target being accessed, such as a calendar, calendar component (event or task), or calendar property.

Table 1-3 shows the What target values used in Calendar Server ACEs.

Table 1-3  What Values for Access Control Entry (ACE) Strings 

Value	Description
c	Specifies calendar components such as events and tasks
p	Specifies calendar properties such as name, description, owners, and so forth
a	Specifies an entire calendar (all), including both components and properties

How

The How element specifies the type of access control rights permitted, such as read, write, or delete.

Table 1-4 shows the How types of access control rights used in Calendar Server ACEs.

Table 1-4  How Types for Access Control Entry (ACE) Strings 

Type	Description
r	Read access.
w	Write access, including adding new items and modifying existing items.
d	Delete access.
s	Schedule (invite) access. Requests can be made, replies will be accepted, and other iTIP scheduling interactions will be honored.
f	Free/busy (availability) access only. Free/busy access means that a user can see scheduled time on a calendar, but is not allowed to see the event details. Instead, only the words “Not Available” appear by a scheduled time block. Blocks of time without any scheduled events are listed with the word “Available” next to them.
l	Lookup access for a domain.
e	Act on behalf of for reply access. This type grants a user the right to accept or decline invitations on behalf of the calendar’s primary owner. This type of access does not need to be granted explicitly because it is implied when a user is designated as an owner (an owner other than the primary owner) of a calendar.
i	Act on behalf of for invite access. This type grants a user the right to create and modify components in which other attendees have been invited on behalf of the calendar's primary owner. This type of access does not need to be granted explicitly because it is implied when a user is designated as an owner (an owner other than the primary owner) of a calendar.
c	Act on behalf of for cancel access. This type grants a user the right to cancel components to which attendees have been invited on behalf of the calendar's primary owner. This type of access does not need to be granted explicitly because it is implied when a user is designated as an owner (an owner other than the primary owner) of a calendar.

Grant

The Grant element specifies whether to grant or deny access for a specified access type, such as d (delete) or r (read).

Table 1-5 shows the Grant attribute values used in Calendar Server ACEs.

Table 1-5  Grant Values for Access Control Entry (ACE) Strings 

Value	Description
g	Grant the specific access control right.
d	Deny the specific access control right.

Examples of ACEs

The following examples show the use of ACEs:

Grant the user ID jsmith read access to the entire calendar, including both components and properties:

jsmith^a^r^g

Grant jsmith write and delete access to components only:

jsmith^c^wd^g

Grant all users in the sesta.com domain privileges to schedule, availability, and read access to components only:

@sesta.com^c^sfr^g

Grant all owners write and delete access to components only:

@@o^c^wd^g

Deny jsmith all access to calendar data:

jsmith^a^sfdwr^d

Grant all owners read, schedule, and availability access to the entire calendar, including both components and properties:

@@o^a^rsf^g

Grant read access to all users:

@^a^r^g

Placing ACEs in an ACL

When the Calendar Server reads an ACL, it uses the first ACE it encounters that either grants or denies access to the target. Thus, the ordering of an ACL is significant, and ACE strings should be ordered such that the more specific ones appear before the more general ones.

For example, suppose the first ACE in an ACL for the calendar jsmith:sports grants read access to all users. Then, Calendar Server encounters a second ACE that denies bjones read access to this calendar. In this case, Calendar Server grants bjones read access to this calendar and ignores the second ACE because it is a conflict. Therefore, to ensure that an access right for a specific user such as bjones is honored, the ACE for bjones should be positioned in the ACL before more global entries such as an ACE that applies to all users of a calendar.

---

Calendar Server Internal Subsystems

Sun Java System Calendar Server includes the following internal subsystems:

Protocol Subsystem
Core Subsystem
Database Subsystem

Figure 1-4 shows the logical flow through these subsystems.

Figure 1-4  Calendar Server Internal Subsystems Logical Flow

 

Protocol Subsystem

Commands and requests enter through the HTTP protocol layer. This is a minimal HTTP server implementation, streamlined to support calendar requests.

Clients use SHTML or Web Calendar Access Protocol (WCAP) commands to submit requests:

The Calendar Express UI uses SHTML commands, which are based on XML and XSLT specifications that generate the user interface. In response to an incoming request, the UI generator uses an XML specification to build a document tree with calendar and user data, subject to access control. The XSLT specification then traverses the document data tree and emits HTML. This design results in fewer interactions between the client and server, which reduces the network traffic.
The Communications Express UI uses WCAP commands to retrieve calendar data that is used by its presentation layer to display the data. WCAP is an open protocol that allows you to write your own interface to Calendar Server. Using WCAP commands (.wcap extension), you can perform most server commands, except for certain administrative commands. You can use WCAP commands to return raw, unformatted calendar information, or you can also use WCAP commands to request output as XML or iCalendar wrapped in HTML.

For information about WCAP commands, see the Sun Java System Calendar Server 6 2004Q2 Developer’s Guide.

Core Subsystem

The Core subsystem includes the access control subsystem, user interface (UI) generator subsystem (either SHTML using XML and XSLT or WCAP using data translators), calendar database subsystem, and any CSAPI plug-ins. The Core subsystem processes calendar requests and generates the desired UI output. The Core subsystem also handles user authentication, including Calendar Server API (CSAPI) and Proxy Authentication SDK (authSDK).

Database Subsystem

The Database subsystem uses the Berkeley DB from Sleepycat Software (the database API is not public). The Database subsystem stores and retrieves calendar data to and from the database, including events, todos (tasks), and alarms. Calendar data is based on iCalendar format, and the schema used for Calendar Server data is a superset of the iCalendar standard.

The Database subsystem returns data in a low-level format, and the Core UI generator (either SHTML or WCAP) then translates the low-level data into the desired output.

For a distributed calendar database, Calendar Server uses the Distributed Database Service (DWP) to provide a networking capability. For more information, see Distributed Database Service: csdwpd.

For information about the calendar database, refer to Chapter 14, "Administering Calendar Server Databases."

---

Calendar Server Services

Calendar Server services run as daemons (or processes) on Solaris Operating Systems. These services include:

Administration Service: csadmind
HTTP Service: cshttpd
Event Notification Service (ENS): csnotifyd and enpd
Distributed Database Service: csdwpd

Administration Service: csadmind

The csadmind service provides a single point of authentication for administering Calendar Server, including most administration utilities (for example, start and stop commands, create and delete users, create and delete calendars, and so on). The csadmind service also manages alarm notifications, group scheduling requests, database checkpointing, and deadlock detection, as well as disk usage and server response monitoring.

HTTP Service: cshttpd

Since Calendar Server uses HTTP as its primary transport, the cshttpd service listens for HTTP commands from Calendar Server end users, receives the user commands, and returns calendar data, depending on the format of the incoming command:

For a command received with the default .shtml extension, cshttpd returns data formatted in HTML.
For a command received with the.wcap extension, cshttpd returns data formatted as calendar data in standard RFC2445 iCalendar format (text/calendar) or XML format (text/xml).

Event Notification Service (ENS): csnotifyd and enpd

The ENS service consists of these individual services:

csnotifyd – The csnotifyd service sends notifications of events and todos (tasks). The csnotifyd service also subscribes to alarm events. When an alarm event occurs, csnotifyd sends an SMTP message reminder to each recipient.
enpd – The enpd service acts as the broker for event alarms. The enpd service receives notifications of alarms from the csadmind service, checks for subscriptions to this event, and then notifies the event’s subscribers by passing the subscribed-to alarm notifications to csnotifyd. The enpd service also receives and stores subscriptions and cancellations of subscriptions (unsubscribe) from csnotifyd.

Note	The enpd and csnotifyd services are not required to run on the same server as the cshttpd, csdwpd, or csadmind processes.

Distributed Database Service: csdwpd

The csdwpd service is required only on back-end servers, that is, a server that has a calendar database, but does not provide user access services (cshttpd). It is not required on front-end servers that do not have a calendar database. The csdwpd service allows you to link front-end/back-end servers within the same Calendar Server configuration to form a distributed calendar store.

The csdwpd service runs in the background on a back-end server and accepts requests that follow the Database Wire Protocol (DWP) for accessing the calendar database. DWP is an internal protocol used to provide networking capability for the Calendar Server database.

---

Calendar Server APIs and SDKs

Calendar Server includes the following APIs and SDKs:

Web Calendar Access Protocol (WCAP)
Calendar Server API (CSAPI)
Event Notification Service (ENS) API
Proxy Authentication SDK (authSDK)

Web Calendar Access Protocol (WCAP)

Calendar Server supports WCAP 3.0, a high-level, command-based protocol that allows communication with clients. WCAP commands, which use the .wcap extension, allow clients to get, modify, and delete calendar components, user preferences, calendar properties, and other calendar information such as time zones. WCAP elements such as times, strings, and parameters generally follow RFC 2445, RFC 2446, and RFC 2447 specifications.

WCAP returns output calendar data in an HTTP message in the following formats:

Standard RFC2445 iCalendar format (text/calendar)
XML format (text/xml)

Using WCAP commands, a Calendar Server administrator who logs in using the login.wcap has the following capabilities:

To override the access control of WCAP commands

The administrator can use WCAP commands to read (fetch), alter (store), or delete other user’s calendars. For an administrator to have this privilege, the following parameter in the ics.conf file must be set to “yes”:

service.admin.calmaster.overrides.accesscontrol="yes"

To retrieve and modify user preferences for any user

The administrator can use get_userprefs.wcap and set_userprefs.wcap to retrieve and modify any user’s preferences. For an administrator to have this privilege, the following parameter in the ics.conf file must be set to “yes”:

service.admin.calmaster.wcap.allowmodifyuserprefs="yes"

For more information, see the Sun Java System Calendar Server 6 2004Q2 Developer’s Guide.

Calendar Server API (CSAPI)

The Calendar Server API (CSAPI) allows you to customize functional areas of Calendar Server such as user login authentication, access control, and calendar lookup. For example, by default Calendar Server uses entries in an LDAP directory server to authenticate users and to store user preferences. The CSAPI allows you to override the default Calendar Server authentication by implementing another authentication mechanism that is not based on an LDAP directory server.

For information about CSAPI, see the Sun Java System Calendar Server 6 2004Q2 Developer’s Guide.

Event Notification Service (ENS) API

The Event Notification Service (ENS) is an alarm dispatcher that detects events on an alarm queue and sends notifications of these events to its subscribers. The ENS API allows programmers to modify publish-and-subscribe functions used by Calendar Server to perform functions such as subscribe to events, unsubscribe to events, and notify a subscriber of events. The ENS APIs consists of these specific APIs: Published API, Subscriber API, and Publish and Subscribe Dispatcher API.

For information about the ENS API, see the Sun Java System Communications Services 6 2004Q2 Event Notification Service Manual.

Proxy Authentication SDK (authSDK)

Calendar Server provides the authSDK for user authentication. With authSDK, you can integrate an existing portal service with Calendar Server, thus allowing users to access various applications without requiring re-authentication. The authSDK consists of the functions packaged in a DLL/shared-object library and a header file.

A connection established between Calendar Server and the authSDK forms a trusted relationship. If a user logs in and successfully authenticates to the authSDK, Calendar Server accepts the certificate generated by the proxy for its functions.

For information about authSDK, see the Sun Java System Calendar Server 6 2004Q2 Developer’s Guide.

Previous      Contents      Index      Next

---

Copyright 2004 Sun Microsystems, Inc. All rights reserved.