Sun Java logo     Previous      Contents      Index      Next     

Sun logo
Sun Java System Instant Messaging 6 2004Q2 Administration Guide 

Chapter 2
Administering Instant Messaging Server and Multiplexor

This chapter explains how to administer the Instant Messaging server and multiplexor, and perform other administrative tasks, such as changing configuration parameters and managing end-user privileges. This chapter also lists the administrative tasks for Sun Java System Portal Server deployments.

This chapter contains the following sections, which describe the various administrative tasks in Instant Messaging:

Administering End Users

The administrative tasks in Instant Messaging are listed in the preceding section and are described throughout the rest of this chapter. Take note of the methods—as explained subsequently—for provisioning and managing end users.

Instant Messaging does not provide user provisioning tools. You need to use a directory provisioning tool for provisioning Instant Messaging end users. Instant Messaging does not provide specific commands to add, modify, or delete Instant Messaging end users.

Likewise in an LDAP-only deployment, you cannot prevent an end user from using Instant Messenger. In an LDAP-only deployment, the only way to prevent end users from using Instant Messaging is to delete them from the directory. In an Identity deployment using the policy attributes, you can prevent an end user from accessing Sun Java System Instant Messenger.

The administrator can manage Instant Messaging end users, using the Instant Messaging Administrator Access Control mechanism. For more information on Instant Messaging Administrator Access Control, see Overview of Privacy, Security, and Site Policies. In an Identity deployment, Identity Server is used for provisioning Instant Messaging end users. For more information, see Sun Java System Instant Messaging Deployment Planning Guide.

Caution

If you deny end users the privilege to set up watches on other end users by editing the sysWatch.acl file, the Instant Messenger’s Main window is not displayed for these end users. This effectively denies end users the ability to send instant messages. However, end users would still be able to see alerts and news channels.

Stopping and Starting the Server and Multiplexor (On Unix)

The imadmin command enables you to:

The imadmin command-line utility can be executed only by the end user who has administration rights to the system(s) on which the Instant Messaging server and multiplexor are running. This end user is typically the identity that the server runs as and is designated during installation:

The imadmin command-line utility is located in the following directory:

Starting the Instant Messaging server enables Sun Java System Instant Messenger to connect to it. Stopping the Instant Messaging server closes all connections and disconnects all the Instant Messengers.

If required, you can start and stop the multiplexor instance separately. For example, if you have changed a configuration parameter which only affects the multiplexor, or if you only have the multiplexor installed on a different host, you can start and stop the multiplexor instance separately.

To Start the Instant Messaging Server and Multiplexor

For a given instance, the configuration specifies whether only the multiplexor or only the server or both these components are enabled.

Use the imadmin command to start the Instant Messaging Server and/or multiplexor, depending on which component is enabled:

imadmin start

If both server and multiplexor are enabled, this command first starts the Instant Messaging server, and then starts the multiplexor.

To Stop the Instant Messaging Server and Multiplexor

Use the imadmin command to stop the Instant Messaging server and/or multiplexor, depending on which component is enabled.

imadmin stop

This command stops the server and the multiplexor, terminates all end user connections, and disconnects any inbound and outbound servers configured.

To Refresh the Configuration (Instant Messaging Server and Multiplexor)

Use the imadmin command with the refresh parameter to refresh the server and/ or multiplexor configuration, as shown in the following example:

imadmin refresh

This command stops and restarts the enabled server and/or multiplexor components.

Note

Whenever you change a configuration parameter in the iim.conf file, make sure to refresh the configuration.

If necessary, you can stop, start or refresh the multiplexor or server only, regardless of which components are enabled in the configuration. To do this, use the multiplexor or server argument with the imadmin command.

To Start and Stop the Instant Messaging Server and Multiplexor (Windows Only)

On Windows, open the Services dialog box from the Control Panel to start and stop the Instant Messaging server and the multiplexor. For more instructions on starting and stopping services, refer to the documentation provided with the Windows operating system.

Changing Instant Messaging Server and Multiplexor Configuration Parameters

Instant Messaging stores configuration parameters in the iim.conf file. For a complete list of configuration parameters, see Instant Messaging Configuration Parameters.

To change configuration parameters, manually edit the configuration parameters and values in the iim.conf file, then refresh the Instant Messaging server configuration. If you change a multiplexor parameter, you only need to refresh the multiplexor using the following imadmin command:

imadmin refresh multiplexor

To Change Configuration Parameters

For a complete list of parameters and their values, see Instant Messaging Configuration Parameters.

To Change Configuration Parameters:

  1. Change to the config directory. For example, on Solaris type:

    2. cd /etc/opt/SUNWiim/default/config

  2. Edit the iim.conf file. For example:

    3. vi iim.conf

  3. Save your changes.
  4. Refresh the configuration.

    5. Caution

    If you change the multiplexor listen port (iim_mux.listenport) or the multiplexor host, update the im.html or the im.jnlp files accordingly. Failure to do so disables Sun Java System Instant Messenger from connecting to the server. For more information, see the section on Managing Instant Messenger.

Managing Logging

Instant Messaging creates log files that record events, related status of various software components, system errors, and other aspects of the server and multiplexor. By examining the log files, you can monitor many aspects of the server’s operation.

You can configure the level of logging for both the Instant Messaging server and the multiplexor by specifying the parameters in the iim.conf file. For information on configuring the level of logging in the iim.conf file, see the section on To Change Configuration Parameters.

The location of the log files are specified during Instant Messaging installation.

As part of the regular system maintenance, you need to periodically review and trim the log files from occupying more disk space. The server does not perform this action.

Logging Levels

The level or priority of maintaining the error log defines how detailed, or verbose, the log should be. A higher priority level implies less details as only events of high priority (high severity) are recorded in the log file. In contrast a lower priority level implies greater details as more events are recorded in the log file.

You can set the logging level separately for the Instant Messaging server and the multiplexor.

Table 2-1 contains the logging levels for the Instant Messaging server and their description. These logging levels are a subset of the levels defined by the Unix syslog facility.

Table 2-1  Logging Levels for the Instant Messaging Server and the Multiplexor

Level

Description

FATAL

This priority level records minimum logging details in the log file. A log record is added to the log file whenever a severe problem or critical condition occurs. If a FATAL problem occurs, the application might stop functioning.

ERROR

A log record is added to the log file whenever a recoverable software error condition occurs or a network failure is detected. For example, when the server fails to connect to a client or to another server.

WARNING

A log record is added to the log file whenever a user error is detected. For example, when the server cannot understand the communication sent by the client.

NOTICE

A periodic event is written to the log file to report the status of the server. This includes state (running), the number of clients connected, and number of inbound and outbound servers connected.

INFO

A log record is added to the log file whenever a significant action takes place. For example, when an end user successfully logs in or logs out.

DEBUG

The tasks are recorded in the log file. This information is useful for debugging purposes only. Each event with individual steps within each process or task are written to the log file, to help the end user identify the problems while debugging the application.

When you select a particular logging level, events corresponding to that level and to all higher and less verbose levels are logged.

NOTICE is the default level for both the server and the multiplexor log files.

Note

If you specify DEBUG as the logging level, your log files will occupy more disk space. Monitor and trim your log files to prevent them from occupying more disk space.

To Set Log File Levels

The log file levels are set within the iim.conf file. The following are the two log file logging level options:

For more information on configuring Instant Messaging, see To Change Configuration Parameters.

Managing End-User Privileges

The Administrator can control end-user access to Instant Messaging information by restricting privileges to the end user. These privileges determine if the end user can add and delete news channels, send alerts, and setup watches on other end users. These features provide the end users the access to the required features and views in the Instant Messaging. All the Instant Messaging features are controlled by the privilege system that determines what a end user can view or perform on Instant Messaging.

Instant Messaging provides the following access control mechanisms:

Conference Room and News Channel Access Controls

For each Conference room and News channel, you can define the default access end users can have. The access privileges end users can have on Conference rooms and News channels are:

End users with the MANAGE privilege can set the default privilege level for all the other end users. They can also define the exception rules to grant an access level that is different from the default access level to specific end users or groups.

Note

Setting the WRITE privilege, grants end users the READ privilege.

The conference room and news channel privileges are set through Sun Java System Instant Messenger. These files are updated automatically when you use Sun Java System Instant Messenger to manage conference rooms and news channels.

Table 2-2 lists the Conference room and News channel access control files and the privileges that these files provide end users. These access control files are located in the db/acls directory.

Table 2-2  Conference Room and News Channel Access Control Files

ACL File

Privileges

roomname.acl

This file sets access privileges that end users can have on conference rooms.

news channelname.acl

This file sets access privileges that end users can have on news channels.

Room and News Channels Access Control File Format

The format of the roomname.acl and news channelname.acl files is slightly different from the system level access control files. For more information on the system level access control files, see Access Control File Format. The roomname.acl and news channelname.acl files contain an additional number entry after the user or group entry that defines the access level. The access levels are:

In the following news channel access control file example, the default access is Read, with Manage access given to user1, Write access given to user2, and an access of None to user3.

# Example newschannel.acl file

v:3.0.1

u:user1:14

u:user2:6

u:user3:1

g:cn=group1,ou=groups,o=example:6

d:2

Note

The line v:3.0.1 in the newschannel.acl file, tells the server how to interpret the values. If this line is not included, the server will not be able to associate the value of 2 with Read access, and the value 6 with Write access.

Note

Do not edit the roomname.acl and news channelname.acl files manually. These files are updated automatically as you use Sun Java System Instant Messenger to manage conference rooms and news channels. Because Instant Messaging server reads and writes these files when end users change access using Sun Java System Instant Messenger, end users can lose their changes if the files are edited manually while the server is running.

User Privacy

You can specify if other end users can see your presence or not. By default, all end users can see your presence status. You can also set exceptions for denying this access to certain end users and groups.

If you have denied other end users from accessing your presence status, then these end users will see your availability status as offline in their contact lists. These end users will not be able to send alerts or chat invitations to you, as your presence status is offline.

User privacy can be configured using the User Settings window in the Instant Messenger. For more information on configuring user privacy, see Instant Messaging Online Help.

Federating Deployment of Multiple Instant Messaging Servers

In an LDAP-only deployment, when you federate multiple Sun Java System Instant Messaging deployments you form a larger Instant Messaging community. End users from different servers can communicate with each other, user conference rooms on other domains, and subscribe to news channels on remote servers based on the access privileges.

In an Identity deployment, a single Sun Java System Instant Messaging server can host multiple domains. You can designate a single domain as the default domain for a Sun Java System Instant Messaging server instance. End users in different domains hosted by the same server cannot interact with each other. When you federate multiple Sun Java System Instant Messaging deployments, end users in default domains can see the end users in default domains of other remote Sun Java System Instant Messaging servers.

For enabling communication between multiple Sun Java System Instant Messaging servers in your network, you need to configure your server to identify itself to the other Sun Java System Instant Messaging servers in the network. A Sun Java System Instant Messaging server identifies itself with its domain name, host and port number, serverID, and password.

Within the server configuration, you can assign each Sun Java System Instant Messaging server a symbolic name, consisting of letters and digits, for example, IMserver1.

Caution

It is recommended that the server-to-server communication is secured using TLS (SSL). This is required to prevent third party infringement of security when data is exchanged between two servers. This precaution is extremely desirable in the case where the link between the two servers uses the public internet. Follow the instructions outlined below to configure SSL between Instant Messaging servers.

To Configure Communication Between Instant Messaging Servers

This procedure describes how to enable communication between two Instant Messaging servers, iim.company22.com and iim.i-zed.com.

  1. Gather the following information listed in Table 2-3.

    2. Table 2-3 lists the parameters in the iim.conf file for server-to-server communication and the values for these parameters in the Instant Messaging servers, iim.company22.com and iim.i-zed.com.

    Table 2-3  Configuration Information for Server-to-Server Communication

    Parameter in iim.conf File

    Value for Server iim.company22.com

    Value for Server iim.i-zed.com

    iim_server.serverid

    Iamcompany22

    Iami-zed

    iim_server.password

    secretforcompany22

    secret4i-zed

    iim_server.coservers

    coserver1

    coserver1

    iim_server.coserver1.host

    iim.i-zed.com:9919

    iim.company22.com:9919

    iim_server.coserver1.serverid

    Iami-zed

    Iamcompany22

    iim_server.coserver1.password

    secret4i-zed

    secretforcompany22

    For more information on the configuration parameters, see Instant Messaging Configuration Parameters.

    Note

    You can configure your server to communicate with other Instant Messaging servers. Each Instant Messaging server is identified by its symbolic name. The symbolic name of the server is added in the iim_server.coservers parameter in the iim.conf file. This parameter has multiple values and each value is separated by a comma.

  2. Change to the config directory on the server iim.company22.com. For example, on Solaris:

    3. cd /etc/opt/SUNWiim/default/config

  3. Edit the iim.conf file, for example:

    4. vi iim.conf

    Note

    The iim.conf file should be owned by the Instant Messaging server account you created during installation. If the iim.conf file cannot be read by the Instant Messaging server account, Instant Messaging server and multiplexor would be unable to read the configuration. Additionally, you might lose the ability to edit the iim.conf file.

    The following example shows the section of the iim.conf file on iim.company22.com corresponding to the server-to-server communications that you can modify:

    iim_server.serverid=Iamcompany22

    iim_server.password=secretforcompany22

    iim_server.coservers=coserver1

    iim_server.coserver1.host=iim.i-zed.com:9919

    iim_server.coserver1.serverid=Iami-zed

    iim_server.coserver1.password=secret4i-zed

  4. Follow Step 2 through Step 3 for the iim.conf file on server iim.i-zed.com.

    5. The following example shows the section of the iim.conf file on iim.i-zed.com corresponding to the server-to-server communications that you can modify:

    iim_server.serverid=Iami-zed

    iim_server.password=secret4i-zed

    iim_server.coservers=coserver1

    iim_server.coserver1.host=iim.company22.com:9919

    iim_server.coserver1.serverid=Iamcompany22

    iim_server.coserver1.password=secretforcompany22

  5. Save the changes and refresh the configurations on both servers.

Using SSL in Instant Messaging

Instant Messaging supports the Secure Sockets Layer (SSL) protocol, for encrypted communications and for certificate-based authentication of Instant Messaging servers. Instant Messaging server supports SSL version 3.0.

Sun Java System Instant Messaging multiplexor and Instant Messenger also support SSL for encrypted communication between the client and the multiplexor.

For detailed information on SSL, see Appendix B in Console and Administration Server 2004Q2 Server Management Guide.

Enabling SSL for Instant Messaging server necessitates the following:

  1. Obtaining and installing a certificate for your Instant Messaging server, and configuring the Instant Messaging server to trust the Certification Authority’s certificate.
  2. Ensuring that each Instant Messaging server that needs to communicate using SSL with your server, obtains and installs a certificate.
  3. Turning on SSL in the server by setting the appropriate parameters in the iim.conf file.

Enabling SSL between the multiplexor and Sun Java System Instant Messenger requires the following:

  1. Requesting a Certificate from the Certificate Authority
  2. Installing the Certificate

    3. Note

    For more information about managing certificates, see Sun Java System Web Server Administrator’s Guide.

  3. Enabling SSL Between the Multiplexor and Instant Messenger
  4. To Activate SSL for Server to Server Communication
  5. Invoking the Secure Version of Instant Messenger

Requesting a Certificate from the Certificate Authority

To enable SSL between Instant Messenger and multiplexor, you need to install the certificate and create databases for secure communication. You can request and install the certificate using Web Server.

To request and install a certificate using Web Server:

  1. Type the following URL for starting the administration server in your browser:

    2. http://hostname.domain-name:administration_port

    Web Server then displays a window prompting you for a user name and password.

  2. Type the administration user name and password you specified during the Web Server installation.

    3. Web Server displays the Administration Server page.

  3. Create a separate Web Server instance. For more information on installing multiple instances of the server, see Installing Multiple Instances of the Server in Web Server, Enterprise Edition Administrator's Guide at:

    4. http://docs.sun.com/source/816-5682-10/esgstart.htm#1003083

  4. Create a trust database to store the public and private keys, referred as the key-pair file. The key-pair file is used for SSL encryption.

    5. For information on creating a trust database, see Creating a Trust Database in Web Server, Enterprise Edition Administrator's Guide at:

    http://docs.sun.com/source/816-5682-10/esecurty.htm#1004127

  5. Request a certificate from the Certificate Authority.

    6. For more information on requesting a certificate, see Requesting and Installing Other Server Certificates in Web Server, Enterprise Edition Administrator's Guide at:

    http://docs.sun.com/source/816-5682-10/esecurty.htm#1004981

Installing the Certificate

When you receive the server certificate from your Certificate Authority, you need to install the certificate.

To install the certificate:

  1. Type the following URL for starting the administration server in your browser:

    2. http://hostname.domain-name:administration_port

    Web Server then displays a window prompting you for a user name and password.

  2. Type the administration user name and password you specified during the Web Server installation.

    3. Web Server displays the Administration Server page.

  3. Install the server certificate.

    4. For more information on installing the certificate, see Requesting and Installing Other Server Certificates in Web Server, Enterprise Edition Administrator's Guide at:

    http://docs.sun.com/source/816-5682-10/esecurty.htm#1004981

  4. Change to your Web Server alias directory.
  5. Copy the database files from your Web Server alias directory to the Instant Messenger config directory.

    6. To copy the database files from Web Server alias directory to the Instant Messenger config directory, type the following:

    cp https-serverid-hostname-cert7.db /etc/opt/SUNWiim/default/config/cert7.db

    cp https-serverid-hostname-key3.db /etc/opt/SUNWiim/default/config/key3.db

    cp secmod.db /etc/opt/SUNWiim/default/config/secmod.db

    Note

    The end user on which the Instant Messaging server runs should have Read permission on cert7.db, key3.db,and secmod.db files.

  6. Change to your Instant Messaging config directory.

    7. cd /etc/opt/SUNWiim/default/config

  7. Create the sslpassword.conf file using an editor of your choice. For example, you could type:

    8. vi sslpassword.conf

  8. Enter the following line to the sslpassword.conf file

    9. Internal (software) Token:password

    Password: The password specified during the creation of the trust database.

  9. Save the file.

    Note

    All Instant Messenger end users should have Ownership and Read permission on the sslpassword.conf file.

  10. After verifying the functioning of SSL, log in to Web Server as an administrator and remove the web server instance that you have created while requesting the certificate.

Enabling SSL Between the Multiplexor and Instant Messenger

Table 2-4 lists the parameters in the iim.conf file for enabling SSL between Instant Messenger and multiplexor. It also contains the description and the default value of these parameters:

Table 2-4  Configuration Information for enabling SSL Between Instant Messenger and Multiplexor

Parameter

Default Value

Description

iim_mux.usessl

off

If the value is set to “on”, the multiplexor requires an SSL handshake for each connection it accepts, before exchanging any application data.

iim_mux.secconfigdir

/etc/opt/SUNWiim/default/config

This directory contains the key and certificate databases. It usually contains the security module database.

iim_mux.keydbprefix

None

This value should contain the key database filename prefix. The key database file name must always end with key3.db.

If the Key database contains a prefix, for example This-Database-key3.db, then value of this parameter is This-Database.

iim_mux.certdbprefix

None

This value should contain the certificate database filename prefix. The certificate database file name must always end with cert7.db.

If the certificate database contains a prefix, for example Secret-stuff-cert7.db, then value of this parameter is Secret-stuff.

iim_mux.secmodfile

secmod.db

This value should contain the name of the security module file.

iim_mux.certnickname

Server-Cert

This value should contain the name of the certificate you entered while installing the certificate.

The certificate name is case-sensitive.

iim_mux.keystorepasswordfile

sslpassword.conf

This value should contain the relative path and the name of the file containing the password for the key database. This file should contain the following line:

Internal (software) Token:password

Where password is the password protecting the key database.

To enable SSL between Instant Messenger and Multiplexor:
  1. Change to the config directory. For example, on Solaris:

    2. cd /etc/opt/SUNWiim/default/config

  2. Edit the iim.conf file, for example:

    3. vi iim.conf

  3. Add the values mentioned in the Table 2-4 to the Multiplexor configuration parameters.

    4. The following is an example of the iim.conf file with the Multiplexor configuration parameters:

    ! IIM multiplexor configuration

    ! =============================

    !

    ! Multiplexor specific options

    ! IP address and listening port for the multiplexor.

    ! WARNING: If this value is changed, the port value of ’-server’ argument

    ! in the client’s im.html and im.jnlp files should also be changed to match th

    is.

    iim_mux.listenport = "siroe.com:49909"

    ! The IM server and port the multiplexor talks to.

    iim_mux.serverport = "siroe.com:49999"

    ! Number of instances of the multiplexor.

    iim_mux.numinstances = "1"

    ! Maximum number of threads per instance

    iim_mux.maxthreads = "10"

    ! Maximum number of concurrent connections per multiplexor process

    iim_mux.maxsessions = "1000"

    iim_mux.usessl = "on"

    iim_mux.secconfigdir = "/etc/opt/SUNWiim/default/config"

    iim_mux.keydbprefix = "This-Database"

    iim_mux.certdbprefix = "Secret-stuff"

    iim_mux.secmodfile = "secmod.db"

    iim_mux.certnickname = "Server_Cert"

    iim_mux.keystorepasswordfile = "sslpassword.conf"

Invoking the Secure Version of Instant Messenger

The secure version of Instant Messenger can be invoked by accessing the imssl.html file or imssl.jnlp file from your browser. These files are located under the resource directory, the base directory under which all the Sun Java System Instant Messenger resources are stored.

The links to these applet descriptor files can also be added to index.html file.

To Activate SSL for Server to Server Communication

Before you can activate SSL, you must create a certificate database, obtain and install a server certificate, and trust the CA’s certificate as described earlier.

  1. Set these iim.conf parameters:
    • iim_server.usesslport=true
    • iim_server.sslport=9910

      • These parameters should already be in the iim.conf file.

  2. Set the server-to-server configurations as described in Federating Deployment of Multiple Instant Messaging Servers, and add the following:
    • iim_server.coserver1.usessl=true

      • Change the port number of the following:

    • iim_server.coserver1.host=hostname:9910

      • The port number should be the SSL port of the other server.

      Following is a section of iim.conf file with the required SSL configuration:

      ! Server to server communication port.

      iim_server.port = "49919”

      ! Should the server listen on the server to server communication port

      iim_server.useport = "True”

      ! Should this server listen for server-to-server communication using ssl port

      iim_server.usesslport = "True”

      iim_server.sslport=49910

      iim_server.coservers=coserver1

      iim_server.coserver1.serverid=Iamcompany22

      iim_server.coserver1.password=secretforcompany22

      iim_server.coserver1.usessl=true

      iim_server.coserver1.host=iim.i-zed.com:49910

      iim_server.serverid=Iami-zed

      iim_server.password=secret4i-zed

      iim_server.secconfigdir = "/etc/opt/SUNWiim/default/config"

      iim_server.keydbprefix = "This-Database"

      iim_server.certdbprefix = "Secret-stuff"

      iim_server.secmodfile = "secmod.db"

      iim_server.certnickname = "Server_Cert"

      iim_server.keystorepasswordfile = "sslpassword.conf"

      __

Enabling SSL between two servers

Table 2-5 lists the parameters in the iim.conf file for enabling SSL between two Instant Messaging servers. It also contains the description and the default value of these parameters:

Table 2-5  Configuration Information for Enabling SSL Between Two Instant Messaging Servers

Parameter

Default Value

Description

iim_server.secconfigdir

/etc/opt/SUNWiim/default/config

This directory contains the key and certificate databases. It usually contains the security module database.

iim_server.keydbprefix

None

This value should contain the key database filename prefix. The key database file name must always end with key3.db.

If the Key database contains a prefix, for example This-Database-key3.db, then value of this parameter is This-Database.

iim_server.certdbprefix

None

This value should contain the certificate database filename prefix. The certificate database file name must always end with cert7.db.

If the certificate database contains a prefix, for example Secret-stuff-cert7.db, then value of this parameter is Secret-stuff.

iim_server.secmodfile

secmod.db

This value should contain the name of the security module file.

iim_server.certnickname

Server-Cert

This value should contain the name of the certificate you entered while installing the certificate.

The certificate name is case-sensitive.

iim_server.keystorepasswordfile

sslpassword.conf

This value should contain the relative path and the name of the file containing the password for the key database. This file should contain the following line:

Internal (software) Token:password

Where password is the password protecting the key database.

iim_server.trust_all_cert

false

If this value is true than the server will trust all certificates and will also add the certificate information into the log files.

Managing Instant Messaging's LDAP Configuration

An LDAP-only deployment of Sun Java System Instant Messaging server requires a directory server. In an LDAP-only deployment, the Instant Messaging server uses the directory server to perform end-user authentication and to search for end users.

In an Identity deployment, Sun Java System Instant Messaging server uses the directory used by Sun Java System Portal Server. When installed in an Identity deployment environment, Sun Java System Instant Messaging server uses the directory used by the Sun Java System Sun Java System Identity Server to search for end users, and not for end-user authentication. In an Identity deployment, Sun Java System Sun Java System Identity Server performs the authentication.

If you use an LDAP directory to maintain your user namespace, the default configuration makes the following assumptions regarding the schema used by this directory:

You can change these default settings by editing the iim.conf file.

Searching the Directory as Anonymous Users

Instant Messaging needs to be able to search the directory to function correctly. If your directory is configured to be searchable by anonymous users, Instant Messaging has the capability to search the directory. If the directory is not readable by anonymous users, you must take additional steps to configure the iim.conf file with the credentials of a user ID that has at least read access to the directory.

These credentials consist of:

To Enable the Server to Conduct Directory Searches as a Specific End User

  1. Identify values for the following parameters in the iim.conf file:
    • iim_ldap.usergroupbinddn - Specifies the distinguished name (dn) to use to bind to the directory for searches.
    • iim_ldap.usergroupbindcred - Specifies the password to use with the distinguished name (dn)

      • For example:

      iim_ldap.usergroupbinddn="cn=iim server,o=i-zed.com"

      iim_ldap.usergroupbindcred=secret

      Note

      You do not have to use administrator-level credentials with write level access, as all that is necessary is read access to the domain tree. Thus, if there is an LDAP user with read level access, use its credentials instead. This is a safer alternative as it does not force you to disseminate the administrator-level credentials.

  2. In an Identity deployment, the directory is generally not searchable by anonymous users. In an Identity deployment set the iim_ldap.useidentityadmin configuration parameter to true. Also you can delete or comment out the following configuration parameters:
    • iim_ldap.usergroupbinddn
    • iim_ldap.usergroupbindcred.
  3. Edit the iim.conf file.

    4. See To Change Configuration Parameters for instructions on editing the iim.conf file.

    If the iim_ldap.usergroupbinddn and iim_ldap.usergroupbindcred parameters do not appear in the iim.conf file, you can add them anywhere in the file.

Configuring Dynamic LDAP Server Group

In the LDAP Server, the dynamic groups filter end users based on their DN and include them in a single group. The dynamic groups are defined in Directory Server as the groupOfUrls objectclass.

To enable end users to view the dynamic groups in search results and add them to their contact list, you need to include the groupOfUrls objects to search results.

The following modifications need to be made to the server configuration file iim.conf:

  1. Change to the config directory. For example, on Solaris:

    2. cd /etc/opt/SUNWiim/default/config

  2. Edit the iim.conf file. For example:

    3. vi iim.conf

  3. Add the following information to the iim.conf file:

    iim_ldap.usergroupbynamesearchfilter=(|(&(|(objectclass=groupofuniquenames) (objectclass=groupofurls)))(cn={0}))(&(objectclass=inetorgperson)(cn={0})))

    iim_ldap.groupbrowsefilter=(|(objectclass=groupofuniquenames)(objectclass=g roupofurls))

    iim_ldap.groupclass=groupOfUniqueNames,groupOfURLs

The attribute and objectclass names are configurable.By default, the memberOfUrls attribute is used as the membership attribute of a dynamic group. If you want to use an attribute name other than memberOfUrls, set the iim_ldap.groupmemberurlattr option to the attribute name you want to use.

Backing Up Instant Messaging Data

Instant Messaging does not come with any disaster recovery tools. Use your site’s backup system to backup the configuration and database directories periodically.

Backup Information

The Instant Messaging information that needs to be backed up are of the following types:

The configuration information is stored in the Instant Messaging configuration directory as follows:

The Sun Java System Instant Messaging end user data is stored in the following database directories:

The Instant Messenger resources must be backed up if they have been customized. The location of the Instant Messenger resources are provided during installation.

Performing Backup

While the configuration information does not change frequently, the Instant Messaging end-user data changes rapidly and to prevent any loss of end-user data it is recommended that the Instant Messaging end-user data is backed up on a periodic basis. Backup needs to be performed before running the installation program and the uninstallation program.

To backup the end user data and the configuration information you do not have to stop the Instant Messaging server as all the disk commits by the server are automatically performed.

Restoring the Back Up Information

The back up of the end-user data and the configuration information needs to be restored when there is a disk failure and all the end-user data and the configuration information is lost.

To restore the backed up end-user data:

  1. Change to the runtime directory. For example:

    2. cd runtime-directory

  2. Grant read-only permission to the instant-messaging-database directory, type:

    3. chmod -R 400 db

  3. Stop the Instant Messaging server, type:

    4. imadmin stop

  4. Grant Write permission on the end-user data files for the server end user, type:

    5. chmod -R 600 runtime-directory/db/.

  5. To restore the data, copy the backed up data to the instant- messaging-database directory.
  6. Start the Instant Messaging server, type:

    7. imadmin start



Previous      Contents      Index      Next     

Copyright 2004 Sun Microsystems, Inc. All rights reserved.