Sun Java System Instant Messaging 6 2004Q2 Administration Guide |
Chapter 2
Administering Instant Messaging Server and MultiplexorThis chapter explains how to administer the Instant Messaging server and multiplexor, and perform other administrative tasks, such as changing configuration parameters and managing end-user privileges. This chapter also lists the administrative tasks for Sun Java System Portal Server deployments.
This chapter contains the following sections, which describe the various administrative tasks in Instant Messaging:
Administering End UsersThe administrative tasks in Instant Messaging are listed in the preceding section and are described throughout the rest of this chapter. Take note of the methods—as explained subsequently—for provisioning and managing end users.
Instant Messaging does not provide user provisioning tools. You need to use a directory provisioning tool for provisioning Instant Messaging end users. Instant Messaging does not provide specific commands to add, modify, or delete Instant Messaging end users.
Likewise in an LDAP-only deployment, you cannot prevent an end user from using Instant Messenger. In an LDAP-only deployment, the only way to prevent end users from using Instant Messaging is to delete them from the directory. In an Identity deployment using the policy attributes, you can prevent an end user from accessing Sun Java System Instant Messenger.
The administrator can manage Instant Messaging end users, using the Instant Messaging Administrator Access Control mechanism. For more information on Instant Messaging Administrator Access Control, see Overview of Privacy, Security, and Site Policies. In an Identity deployment, Identity Server is used for provisioning Instant Messaging end users. For more information, see Sun Java System Instant Messaging Deployment Planning Guide.
Stopping and Starting the Server and Multiplexor (On Unix)The imadmin command enables you to:
The imadmin command-line utility can be executed only by the end user who has administration rights to the system(s) on which the Instant Messaging server and multiplexor are running. This end user is typically the identity that the server runs as and is designated during installation:
- On Solaris - inetuser
- On Windows - the end user with full administration privileges, such as an administrator.
- In an Identity deployment, if the Portal Server and the Instant Messaging server are installed on the same host, the end user is the one who is running the Sun Java System Sun Java System Identity Server, as root.
The imadmin command-line utility is located in the following directory:
Starting the Instant Messaging server enables Sun Java System Instant Messenger to connect to it. Stopping the Instant Messaging server closes all connections and disconnects all the Instant Messengers.
If required, you can start and stop the multiplexor instance separately. For example, if you have changed a configuration parameter which only affects the multiplexor, or if you only have the multiplexor installed on a different host, you can start and stop the multiplexor instance separately.
To Start the Instant Messaging Server and Multiplexor
For a given instance, the configuration specifies whether only the multiplexor or only the server or both these components are enabled.
Use the imadmin command to start the Instant Messaging Server and/or multiplexor, depending on which component is enabled:
imadmin start
If both server and multiplexor are enabled, this command first starts the Instant Messaging server, and then starts the multiplexor.
To Stop the Instant Messaging Server and Multiplexor
Use the imadmin command to stop the Instant Messaging server and/or multiplexor, depending on which component is enabled.
imadmin stop
This command stops the server and the multiplexor, terminates all end user connections, and disconnects any inbound and outbound servers configured.
To Refresh the Configuration (Instant Messaging Server and Multiplexor)
Use the imadmin command with the refresh parameter to refresh the server and/ or multiplexor configuration, as shown in the following example:
imadmin refresh
This command stops and restarts the enabled server and/or multiplexor components.
Note
Whenever you change a configuration parameter in the iim.conf file, make sure to refresh the configuration.
If necessary, you can stop, start or refresh the multiplexor or server only, regardless of which components are enabled in the configuration. To do this, use the multiplexor or server argument with the imadmin command.
To Start and Stop the Instant Messaging Server and Multiplexor (Windows Only)
On Windows, open the Services dialog box from the Control Panel to start and stop the Instant Messaging server and the multiplexor. For more instructions on starting and stopping services, refer to the documentation provided with the Windows operating system.
Changing Instant Messaging Server and Multiplexor Configuration ParametersInstant Messaging stores configuration parameters in the iim.conf file. For a complete list of configuration parameters, see Instant Messaging Configuration Parameters.
To change configuration parameters, manually edit the configuration parameters and values in the iim.conf file, then refresh the Instant Messaging server configuration. If you change a multiplexor parameter, you only need to refresh the multiplexor using the following imadmin command:
imadmin refresh multiplexor
To Change Configuration Parameters
For a complete list of parameters and their values, see Instant Messaging Configuration Parameters.
To Change Configuration Parameters:
- Change to the config directory. For example, on Solaris type:
cd /etc/opt/SUNWiim/default/config
- Edit the iim.conf file. For example:
vi iim.conf
- Save your changes.
- Refresh the configuration.
Caution
If you change the multiplexor listen port (iim_mux.listenport) or the multiplexor host, update the im.html or the im.jnlp files accordingly. Failure to do so disables Sun Java System Instant Messenger from connecting to the server. For more information, see the section on Managing Instant Messenger.
Managing LoggingInstant Messaging creates log files that record events, related status of various software components, system errors, and other aspects of the server and multiplexor. By examining the log files, you can monitor many aspects of the server’s operation.
You can configure the level of logging for both the Instant Messaging server and the multiplexor by specifying the parameters in the iim.conf file. For information on configuring the level of logging in the iim.conf file, see the section on To Change Configuration Parameters.
The location of the log files are specified during Instant Messaging installation.
As part of the regular system maintenance, you need to periodically review and trim the log files from occupying more disk space. The server does not perform this action.
Logging Levels
The level or priority of maintaining the error log defines how detailed, or verbose, the log should be. A higher priority level implies less details as only events of high priority (high severity) are recorded in the log file. In contrast a lower priority level implies greater details as more events are recorded in the log file.
You can set the logging level separately for the Instant Messaging server and the multiplexor.
Table 2-1 contains the logging levels for the Instant Messaging server and their description. These logging levels are a subset of the levels defined by the Unix syslog facility.
When you select a particular logging level, events corresponding to that level and to all higher and less verbose levels are logged.
NOTICE is the default level for both the server and the multiplexor log files.
Note
If you specify DEBUG as the logging level, your log files will occupy more disk space. Monitor and trim your log files to prevent them from occupying more disk space.
To Set Log File Levels
The log file levels are set within the iim.conf file. The following are the two log file logging level options:
For more information on configuring Instant Messaging, see To Change Configuration Parameters.
Managing End-User PrivilegesThe Administrator can control end-user access to Instant Messaging information by restricting privileges to the end user. These privileges determine if the end user can add and delete news channels, send alerts, and setup watches on other end users. These features provide the end users the access to the required features and views in the Instant Messaging. All the Instant Messaging features are controlled by the privilege system that determines what a end user can view or perform on Instant Messaging.
Instant Messaging provides the following access control mechanisms:
Conference Room and News Channel Access Controls
For each Conference room and News channel, you can define the default access end users can have. The access privileges end users can have on Conference rooms and News channels are:
End users with the MANAGE privilege can set the default privilege level for all the other end users. They can also define the exception rules to grant an access level that is different from the default access level to specific end users or groups.
The conference room and news channel privileges are set through Sun Java System Instant Messenger. These files are updated automatically when you use Sun Java System Instant Messenger to manage conference rooms and news channels.
Table 2-2 lists the Conference room and News channel access control files and the privileges that these files provide end users. These access control files are located in the db/acls directory.
Room and News Channels Access Control File Format
The format of the roomname.acl and news channelname.acl files is slightly different from the system level access control files. For more information on the system level access control files, see Access Control File Format. The roomname.acl and news channelname.acl files contain an additional number entry after the user or group entry that defines the access level. The access levels are:
In the following news channel access control file example, the default access is Read, with Manage access given to user1, Write access given to user2, and an access of None to user3.
# Example newschannel.acl file
v:3.0.1
u:user1:14
u:user2:6
u:user3:1
g:cn=group1,ou=groups,o=example:6
d:2
User Privacy
You can specify if other end users can see your presence or not. By default, all end users can see your presence status. You can also set exceptions for denying this access to certain end users and groups.
If you have denied other end users from accessing your presence status, then these end users will see your availability status as offline in their contact lists. These end users will not be able to send alerts or chat invitations to you, as your presence status is offline.
User privacy can be configured using the User Settings window in the Instant Messenger. For more information on configuring user privacy, see Instant Messaging Online Help.
Federating Deployment of Multiple Instant Messaging ServersIn an LDAP-only deployment, when you federate multiple Sun Java System Instant Messaging deployments you form a larger Instant Messaging community. End users from different servers can communicate with each other, user conference rooms on other domains, and subscribe to news channels on remote servers based on the access privileges.
In an Identity deployment, a single Sun Java System Instant Messaging server can host multiple domains. You can designate a single domain as the default domain for a Sun Java System Instant Messaging server instance. End users in different domains hosted by the same server cannot interact with each other. When you federate multiple Sun Java System Instant Messaging deployments, end users in default domains can see the end users in default domains of other remote Sun Java System Instant Messaging servers.
For enabling communication between multiple Sun Java System Instant Messaging servers in your network, you need to configure your server to identify itself to the other Sun Java System Instant Messaging servers in the network. A Sun Java System Instant Messaging server identifies itself with its domain name, host and port number, serverID, and password.
Within the server configuration, you can assign each Sun Java System Instant Messaging server a symbolic name, consisting of letters and digits, for example, IMserver1.
To Configure Communication Between Instant Messaging Servers
This procedure describes how to enable communication between two Instant Messaging servers, iim.company22.com and iim.i-zed.com.
- Gather the following information listed in Table 2-3.
Table 2-3 lists the parameters in the iim.conf file for server-to-server communication and the values for these parameters in the Instant Messaging servers, iim.company22.com and iim.i-zed.com.
For more information on the configuration parameters, see Instant Messaging Configuration Parameters.
- Change to the config directory on the server iim.company22.com. For example, on Solaris:
cd /etc/opt/SUNWiim/default/config
- Edit the iim.conf file, for example:
vi iim.conf
The following example shows the section of the iim.conf file on iim.company22.com corresponding to the server-to-server communications that you can modify:
The following example shows the section of the iim.conf file on iim.i-zed.com corresponding to the server-to-server communications that you can modify:
iim_server.serverid=Iami-zed
iim_server.password=secret4i-zed
iim_server.coservers=coserver1
iim_server.coserver1.host=iim.company22.com:9919
iim_server.coserver1.serverid=Iamcompany22
iim_server.coserver1.password=secretforcompany22
- Save the changes and refresh the configurations on both servers.
Using SSL in Instant MessagingInstant Messaging supports the Secure Sockets Layer (SSL) protocol, for encrypted communications and for certificate-based authentication of Instant Messaging servers. Instant Messaging server supports SSL version 3.0.
Sun Java System Instant Messaging multiplexor and Instant Messenger also support SSL for encrypted communication between the client and the multiplexor.
For detailed information on SSL, see Appendix B in Console and Administration Server 2004Q2 Server Management Guide.
Enabling SSL for Instant Messaging server necessitates the following:
- Obtaining and installing a certificate for your Instant Messaging server, and configuring the Instant Messaging server to trust the Certification Authority’s certificate.
- Ensuring that each Instant Messaging server that needs to communicate using SSL with your server, obtains and installs a certificate.
- Turning on SSL in the server by setting the appropriate parameters in the iim.conf file.
Enabling SSL between the multiplexor and Sun Java System Instant Messenger requires the following:
Requesting a Certificate from the Certificate Authority
To enable SSL between Instant Messenger and multiplexor, you need to install the certificate and create databases for secure communication. You can request and install the certificate using Web Server.
To request and install a certificate using Web Server:
- Type the following URL for starting the administration server in your browser:
http://hostname.domain-name:administration_port
Web Server then displays a window prompting you for a user name and password.
- Type the administration user name and password you specified during the Web Server installation.
Web Server displays the Administration Server page.
- Create a separate Web Server instance. For more information on installing multiple instances of the server, see Installing Multiple Instances of the Server in Web Server, Enterprise Edition Administrator's Guide at:
http://docs.sun.com/source/816-5682-10/esgstart.htm#1003083
- Create a trust database to store the public and private keys, referred as the key-pair file. The key-pair file is used for SSL encryption.
For information on creating a trust database, see Creating a Trust Database in Web Server, Enterprise Edition Administrator's Guide at:
http://docs.sun.com/source/816-5682-10/esecurty.htm#1004127
- Request a certificate from the Certificate Authority.
For more information on requesting a certificate, see Requesting and Installing Other Server Certificates in Web Server, Enterprise Edition Administrator's Guide at:
Installing the Certificate
When you receive the server certificate from your Certificate Authority, you need to install the certificate.
To install the certificate:
- Type the following URL for starting the administration server in your browser:
http://hostname.domain-name:administration_port
Web Server then displays a window prompting you for a user name and password.
- Type the administration user name and password you specified during the Web Server installation.
Web Server displays the Administration Server page.
- Install the server certificate.
For more information on installing the certificate, see Requesting and Installing Other Server Certificates in Web Server, Enterprise Edition Administrator's Guide at:
http://docs.sun.com/source/816-5682-10/esecurty.htm#1004981
- Change to your Web Server alias directory.
- Copy the database files from your Web Server alias directory to the Instant Messenger config directory.
To copy the database files from Web Server alias directory to the Instant Messenger config directory, type the following:
cp https-serverid-hostname-cert7.db /etc/opt/SUNWiim/default/config/cert7.db
cp https-serverid-hostname-key3.db /etc/opt/SUNWiim/default/config/key3.db
cp secmod.db /etc/opt/SUNWiim/default/config/secmod.db
Note
The end user on which the Instant Messaging server runs should have Read permission on cert7.db, key3.db,and secmod.db files.
- Change to your Instant Messaging config directory.
cd /etc/opt/SUNWiim/default/config
- Create the sslpassword.conf file using an editor of your choice. For example, you could type:
vi sslpassword.conf
- Enter the following line to the sslpassword.conf file
Internal (software) Token:password
Password: The password specified during the creation of the trust database.
- Save the file.
- After verifying the functioning of SSL, log in to Web Server as an administrator and remove the web server instance that you have created while requesting the certificate.
Enabling SSL Between the Multiplexor and Instant Messenger
Table 2-4 lists the parameters in the iim.conf file for enabling SSL between Instant Messenger and multiplexor. It also contains the description and the default value of these parameters:
Table 2-4 Configuration Information for enabling SSL Between Instant Messenger and Multiplexor
Parameter
Default Value
Description
iim_mux.usessl
off
If the value is set to “on”, the multiplexor requires an SSL handshake for each connection it accepts, before exchanging any application data.
iim_mux.secconfigdir
/etc/opt/SUNWiim/default/config
This directory contains the key and certificate databases. It usually contains the security module database.
iim_mux.keydbprefix
None
This value should contain the key database filename prefix. The key database file name must always end with key3.db.
If the Key database contains a prefix, for example This-Database-key3.db, then value of this parameter is This-Database.
iim_mux.certdbprefix
None
This value should contain the certificate database filename prefix. The certificate database file name must always end with cert7.db.
If the certificate database contains a prefix, for example Secret-stuff-cert7.db, then value of this parameter is Secret-stuff.
iim_mux.secmodfile
secmod.db
This value should contain the name of the security module file.
iim_mux.certnickname
Server-Cert
This value should contain the name of the certificate you entered while installing the certificate.
The certificate name is case-sensitive.
iim_mux.keystorepasswordfile
sslpassword.conf
This value should contain the relative path and the name of the file containing the password for the key database. This file should contain the following line:
Internal (software) Token:password
Where password is the password protecting the key database.
To enable SSL between Instant Messenger and Multiplexor:
- Change to the config directory. For example, on Solaris:
cd /etc/opt/SUNWiim/default/config
- Edit the iim.conf file, for example:
vi iim.conf
- Add the values mentioned in the Table 2-4 to the Multiplexor configuration parameters.
The following is an example of the iim.conf file with the Multiplexor configuration parameters:
! IIM multiplexor configuration
! =============================
!
! Multiplexor specific options
! IP address and listening port for the multiplexor.
! WARNING: If this value is changed, the port value of ’-server’ argument
! in the client’s im.html and im.jnlp files should also be changed to match th
is.
iim_mux.listenport = "siroe.com:49909"
! The IM server and port the multiplexor talks to.
iim_mux.serverport = "siroe.com:49999"
! Number of instances of the multiplexor.
iim_mux.numinstances = "1"
! Maximum number of threads per instance
iim_mux.maxthreads = "10"
! Maximum number of concurrent connections per multiplexor process
iim_mux.maxsessions = "1000"
iim_mux.usessl = "on"
iim_mux.secconfigdir = "/etc/opt/SUNWiim/default/config"
iim_mux.keydbprefix = "This-Database"
iim_mux.certdbprefix = "Secret-stuff"
iim_mux.secmodfile = "secmod.db"
iim_mux.certnickname = "Server_Cert"
iim_mux.keystorepasswordfile = "sslpassword.conf"
Invoking the Secure Version of Instant Messenger
The secure version of Instant Messenger can be invoked by accessing the imssl.html file or imssl.jnlp file from your browser. These files are located under the resource directory, the base directory under which all the Sun Java System Instant Messenger resources are stored.
The links to these applet descriptor files can also be added to index.html file.
To Activate SSL for Server to Server Communication
Before you can activate SSL, you must create a certificate database, obtain and install a server certificate, and trust the CA’s certificate as described earlier.
- Set these iim.conf parameters:
- Set the server-to-server configurations as described in Federating Deployment of Multiple Instant Messaging Servers, and add the following:
- iim_server.coserver1.usessl=true
Change the port number of the following:
- iim_server.coserver1.host=hostname:9910
The port number should be the SSL port of the other server.
Following is a section of iim.conf file with the required SSL configuration:
__
! Server to server communication port.
iim_server.port = "49919”
! Should the server listen on the server to server communication port
iim_server.useport = "True”
! Should this server listen for server-to-server communication using ssl port
iim_server.usesslport = "True”
iim_server.sslport=49910
iim_server.coservers=coserver1
iim_server.coserver1.serverid=Iamcompany22
iim_server.coserver1.password=secretforcompany22
iim_server.coserver1.usessl=true
iim_server.coserver1.host=iim.i-zed.com:49910
iim_server.serverid=Iami-zed
iim_server.password=secret4i-zed
iim_server.secconfigdir = "/etc/opt/SUNWiim/default/config"
iim_server.keydbprefix = "This-Database"
iim_server.certdbprefix = "Secret-stuff"
iim_server.secmodfile = "secmod.db"
iim_server.certnickname = "Server_Cert"
iim_server.keystorepasswordfile = "sslpassword.conf"
Enabling SSL between two servers
Table 2-5 lists the parameters in the iim.conf file for enabling SSL between two Instant Messaging servers. It also contains the description and the default value of these parameters:
Table 2-5 Configuration Information for Enabling SSL Between Two Instant Messaging Servers
Parameter
Default Value
Description
iim_server.secconfigdir
/etc/opt/SUNWiim/default/config
This directory contains the key and certificate databases. It usually contains the security module database.
iim_server.keydbprefix
None
This value should contain the key database filename prefix. The key database file name must always end with key3.db.
If the Key database contains a prefix, for example This-Database-key3.db, then value of this parameter is This-Database.
iim_server.certdbprefix
None
This value should contain the certificate database filename prefix. The certificate database file name must always end with cert7.db.
If the certificate database contains a prefix, for example Secret-stuff-cert7.db, then value of this parameter is Secret-stuff.
iim_server.secmodfile
secmod.db
This value should contain the name of the security module file.
iim_server.certnickname
Server-Cert
This value should contain the name of the certificate you entered while installing the certificate.
The certificate name is case-sensitive.
iim_server.keystorepasswordfile
sslpassword.conf
This value should contain the relative path and the name of the file containing the password for the key database. This file should contain the following line:
Internal (software) Token:password
Where password is the password protecting the key database.
iim_server.trust_all_cert
false
If this value is true than the server will trust all certificates and will also add the certificate information into the log files.
Managing Instant Messaging's LDAP ConfigurationAn LDAP-only deployment of Sun Java System Instant Messaging server requires a directory server. In an LDAP-only deployment, the Instant Messaging server uses the directory server to perform end-user authentication and to search for end users.
In an Identity deployment, Sun Java System Instant Messaging server uses the directory used by Sun Java System Portal Server. When installed in an Identity deployment environment, Sun Java System Instant Messaging server uses the directory used by the Sun Java System Sun Java System Identity Server to search for end users, and not for end-user authentication. In an Identity deployment, Sun Java System Sun Java System Identity Server performs the authentication.
If you use an LDAP directory to maintain your user namespace, the default configuration makes the following assumptions regarding the schema used by this directory:
- End user entries are identified by the inetOrgPerson object class.
- Group entries are identified by the groupOfUniqueNames object class.
- Sun Java System Instant Messenger user ID attribute of an end user is provided by the uid attribute (from inetOrgPerson objectclass).
- The email address of an end user is provided by the mail attribute.
- The display name of an end user or group is provided by the cn attribute.
- The list of members of a group is provided by the uniqueMember attribute (groupOfUniqueNames object class).
You can change these default settings by editing the iim.conf file.
Searching the Directory as Anonymous Users
Instant Messaging needs to be able to search the directory to function correctly. If your directory is configured to be searchable by anonymous users, Instant Messaging has the capability to search the directory. If the directory is not readable by anonymous users, you must take additional steps to configure the iim.conf file with the credentials of a user ID that has at least read access to the directory.
These credentials consist of:
To Enable the Server to Conduct Directory Searches as a Specific End User
- Identify values for the following parameters in the iim.conf file:
- iim_ldap.usergroupbinddn - Specifies the distinguished name (dn) to use to bind to the directory for searches.
- iim_ldap.usergroupbindcred - Specifies the password to use with the distinguished name (dn)
For example:
iim_ldap.usergroupbinddn="cn=iim server,o=i-zed.com"
iim_ldap.usergroupbindcred=secret
Note
You do not have to use administrator-level credentials with write level access, as all that is necessary is read access to the domain tree. Thus, if there is an LDAP user with read level access, use its credentials instead. This is a safer alternative as it does not force you to disseminate the administrator-level credentials.
- In an Identity deployment, the directory is generally not searchable by anonymous users. In an Identity deployment set the iim_ldap.useidentityadmin configuration parameter to true. Also you can delete or comment out the following configuration parameters:
- Edit the iim.conf file.
See To Change Configuration Parameters for instructions on editing the iim.conf file.
If the iim_ldap.usergroupbinddn and iim_ldap.usergroupbindcred parameters do not appear in the iim.conf file, you can add them anywhere in the file.
Configuring Dynamic LDAP Server Group
In the LDAP Server, the dynamic groups filter end users based on their DN and include them in a single group. The dynamic groups are defined in Directory Server as the groupOfUrls objectclass.
To enable end users to view the dynamic groups in search results and add them to their contact list, you need to include the groupOfUrls objects to search results.
The following modifications need to be made to the server configuration file iim.conf:
The attribute and objectclass names are configurable.By default, the memberOfUrls attribute is used as the membership attribute of a dynamic group. If you want to use an attribute name other than memberOfUrls, set the iim_ldap.groupmemberurlattr option to the attribute name you want to use.
Backing Up Instant Messaging DataInstant Messaging does not come with any disaster recovery tools. Use your site’s backup system to backup the configuration and database directories periodically.
Backup Information
The Instant Messaging information that needs to be backed up are of the following types:
The configuration information is stored in the Instant Messaging configuration directory as follows:
- Solaris: /etc/opt/SUNWiim/default/config
- Linux: /etc/opt/soim/default/config
- Windows: instant-messaging-installation-directory\config
- (Optional) If you customized any of the files mentioned in Customizing Sun Java System Instant Messenger, back them up from the resource directory.
The Sun Java System Instant Messaging end user data is stored in the following database directories:
The Instant Messenger resources must be backed up if they have been customized. The location of the Instant Messenger resources are provided during installation.
Performing Backup
While the configuration information does not change frequently, the Instant Messaging end-user data changes rapidly and to prevent any loss of end-user data it is recommended that the Instant Messaging end-user data is backed up on a periodic basis. Backup needs to be performed before running the installation program and the uninstallation program.
To backup the end user data and the configuration information you do not have to stop the Instant Messaging server as all the disk commits by the server are automatically performed.
Restoring the Back Up Information
The back up of the end-user data and the configuration information needs to be restored when there is a disk failure and all the end-user data and the configuration information is lost.
To restore the backed up end-user data:
- Change to the runtime directory. For example:
cd runtime-directory
- Grant read-only permission to the instant-messaging-database directory, type:
chmod -R 400 db
- Stop the Instant Messaging server, type:
imadmin stop
- Grant Write permission on the end-user data files for the server end user, type:
chmod -R 600 runtime-directory/db/.
- To restore the data, copy the backed up data to the instant- messaging-database directory.
- Start the Instant Messaging server, type:
imadmin start