Sun Java System Instant Messaging 6 2004Q2 Deployment Planning Guide
Chapter 1
Overview
Sun Java™ System Instant Messaging enables secure, real-time communication and collaboration, combining presence awareness with instant messaging capabilities such as chat, conferences, alerts, news, polls, and file transfers to create a rich collaborative environment. These features enable one-to-one as well as group collaboration through either short-lived communications or persistent venues such as conference rooms or news channels.
Instant Messaging ensures the integrity of communications through its multiple authentication mechanisms and secure SSL connections. Integration with the Sun Java System Portal Server and Sun Java System Identity Server brings additional security features, services-based provisioning, access policy, user management, and secure remote access.
This chapter describes basic concepts you should understand prior to deploying Instant Messaging. It includes the following sections:
What is an Instant Messaging Service?
An instant messaging service is an open standards-based client-server solution that meets the instant messaging needs of enterprises and hosts of all sizes. It provides superior administration, scalability, performance, security, and connectivity throughout the enterprise and across the Internet.
At a simplistic level, an instant messaging service:
In addition, an instant messaging service can provide real-time conferencing, news and calendar alerts, and for offline users, email message forwarding.
Of crucial importance to a good instant messaging service is that the service follows the SHARP (scalability, high availability, reliability, and good performance) standard.
Sun ONE Instant Messaging Core Product Components
Sun Java™ System Instant Messaging contains the following core components:
- Instant Messenger resources (client), a set of files that make up the client program for end users to initiate, compose, and reply to messages. Typically users also use the client to participate in conferences. The client is also called Sun Java™ System Instant Messenger.
- Instant Messaging server, an electronic message delivery system that supports instant message delivery from one system to another system. The server serves the presence information to Instant Messenger clients, allows end users to establish sessions, and enforces policies.
- Instant Messaging multiplexor, a scalability component that consolidates messenger connections. In order to support large deployments, for example 40,000 concurrent connections, Instant Messaging uses a connection multiplexor to improve server scalability. This component opens a single connection to the Instant Messaging server. In addition to scalability, you can install the multiplexor outside the firewall while leaving the server inside the firewall, in order to protect the server from unauthorized external access. The Instant Messaging multiplexor is also referred to as the multiplexor.
- Access, Communication, and Transfer Protocols, such as LDAP, HTTP, TCP/IP, and SMTP protocols. These protocols can be found in Supported Standards.
- Sun Java™ System Identity Server Instant Messaging Service Definition, a service used by the Sun Java System Identity Server and the Sun Java System Identity Server SDK to provide policy management and single sign-on capabilities for Instant Messaging.
- Instant Messaging API, allows you to create custom Instant Messaging clients.
- LDAP server, a directory server accessed through LDAP, the “lightweight” version of the Directory Access Protocol (DAP). While typically not an instant messaging server component, the LDAP server is integral to user maintenance and management. It usually serves the needs of a wide variety of applications in an organization.
Components Related to Instant Messaging
The software components discussed in this section work with Instant Messaging server, but are installed separately. Chapter 2, "Deployment Examples" provides more detailed information that illustrates how these servers interact with Instant Messaging.
Web server
(Required) For a basic deployment, you need to install a web server, such as Sun Java™ System Application Server SE (Standard Edition). Deployments with Sun Java System Portal Server use the web server that ships with Portal Server. In either case, the Instant Messenger resources must reside on the web server host.
Instant Messaging requires a web server to serve the Instant Messenger resources. The Instant Messenger resource files include:
- The index.html file, provided by Instant Messenger, or a home page with a link to invoke Sun Java™ System Instant Messenger.
- Sun Java™ System Instant Messenger jar files (messenger.jar, imres.jar, imbrand.jar, imdesktop.jar, imnet.jar, and imjni.jar).
- The Sun Java™ System Instant Messenger Online Help.
You must install Instant Messenger resources on the same host where the web server is installed. In a Sun Java System Identity Server deployment, you can install these resources on the Identity server’s host or on a different web server host. In most cases, the resources will be installed on the same host where you installed the Instant Messaging server software. It is possible to locate the Instant Messenger resources on a host other than the Instant Messaging server or multiplexor. For more information on this, see Sun Java System Instant Messaging Installation Guide.
LDAP server
(Required) Instant Messaging uses an LDAP server, such as Sun Java System Directory Server, for end user authentication and search. In a deployment with Sun Java System Portal Server, Instant Messaging uses the same LDAP server used by the Portal server.
The Instant Messaging server does not store the Instant Messenger end-user authentication information; instead, this information is stored in the LDAP server.
By default, the Sun Java™ System Instant Messaging server relies on the common end-user attributes cn and uid to search for end-user and group information. If you want, you can configure the server to use another attribute for search. In addition, Sun Java™ System Instant Messaging properties (such as contact lists and subscriptions) can be stored in files on the Sun Java™ System Instant Messaging server or in the LDAP server.
If you do not have an LDAP directory installed, you must install one. For more information, see Sun Java System Instant Messaging Installation Guide. For instructions on configuring the server to use a non-default attribute for user search, see the Sun Java System Instant Messaging Administration Guide.
SMTP server
(Optional) A Messaging server, such as Sun Java System Messaging Server, is used to forward instant messages, in the form of email, to end users who are offline. The SMTP server is not shipped with Instant Messaging.
Sun Java System Calendar Server
(Optional) The Sun Java System Calendar Server is used to notify users of calendar-based events. The Calendar server is not shipped with Instant Messaging.
Sun ONE Identity Server and Sun Java System Identity Server SDK
(Optional, Solaris only) Sun Java System Identity Server and Sun Java System Identity Server SDK provide end user and service management, authentication and single sign-on services. They also provide policy management, logging service, debug utilities, the admin console, and client support interfaces.
In addition, Sun Java System Identity Server and SDK are required in deployments that include Sun Java System Portal Server. In either deployment (Identity Server alone, or Identity Server with Portal Server), the SDK must be installed on the Instant Messaging server’s host.
Sun Java™ System Portal Server
(Optional, Solaris only) Sun Java™ System Portal Server supports message archiving, and allows you to run Instant Messaging in secure mode. In addition, the Instant Messenger client is made available to end users through the Portal Server desktop. The following two components of Sun Java System Portal Server provide additional functionality:
Portal Server Desktop
Sun Java™ System Instant Messenger installed in the Portal Server environment can be launched from the Instant Messaging channel available to end users on Portal Server Desktop.
Sun ONE Portal Server, Secure Remote Access
Sun ONE Portal Server, Secure Remote Access enables remote end users to securely access their organization’s network and its services over the Internet for Solaris-based or Windows-based systems. The end user can access Secure Remote Access by logging into the web-based Portal Server Desktop through the portal gateway. The authentication module configured for Sun ONE Portal Server authenticates the end user. The end-user session is established with Sun ONE Portal Server and the access is enabled to the end user’s Portal Server Desktop.
In the Sun Java System Portal Server environment, you can configure Instant Messenger in either secure or non-secure mode. In secure mode, communication is encrypted through the Sun Java System Portal Server Netlet. When you are accessing Instant Messenger in secure mode, a lock icon appears in the Status area of the Instant Messenger. In non-secure mode, the Instant Messenger session is not encrypted. For more information on Netlet, see Sun ONE Portal Server, Secure Remote Access Administrator’s Guide.
Supported Standards
Instant Messaging is built on native Internet technology, so you can maintain a single architecture inside and outside your organization, even when collaborating with your customers and partners. Additionally, you aren’t locked into a proprietary system. All key components of Instant Messaging are based on proven, open Internet standards such as:
- LDAP. Provides access to enterprise directory information, enabling an accurate, secure instant messaging system.
- HTML. Formatting language for providing web browser access for the client.
- HTTP. HyperText Transfer Protocol for providing web browser access for the client.
- SMTP. Simple Mail Transfer Protocol for reliable delivery of instant messages as Internet mail messages.
- TCP/IP. Proven, worldwide networking protocol.
Instant Message Structure Format
HTML (HyperText Markup Language) is typically used as a standard for web documents. The Instant Messenger client also formats instant messages using HTML. This allows users to include hyperlinks within messages.
Access Protocol
In Instant Messaging, user information and preferences are retrieved from an LDAP directory. This directory can be dedicated for use by Instant Messaging, or the Sun Java System Portal Server’s directory. User data is typically retrieved using LDAP search functions.
LDAP provides a common language that client applications and servers use to communicate with one another. LDAP is a “lightweight” version of the Directory Access Protocol (DAP) used by the ISO X.500 standard. DAP gives any application access to the directory via an extensible and robust information framework, but at an expensive administrative cost. DAP uses a communications layer that is not the Internet standard TCP/IP protocol and has complicated directory-naming conventions.
LDAP preserves the best features of DAP while reducing administrative costs. LDAP uses an open directory access protocol running over TCP/IP and uses simplified encoding methods. It retains the X.500 standard data model and can support millions of entries for a modest investment in hardware and network infrastructure.
Communication and Message Transfer Protocols
Server-to-server and client-to-server communications occur over TCP/IP.
A message transfer protocol is used to send messages to offline users. SMTP is the most commonly used protocol.
Browsers use HTTP to retrieve Instant Messenger resource files from the Web server. Once retrieved, the browser reads the HTML and displays the contents of the files.
Instant Messaging Architecture
Figure 1-1 shows the basic out-of-the-box Sun Java™ System Instant Messaging architecture.
Figure 1-1 Sun Java™ System Instant Messaging Basic Architecture (figure not reproduced in this text)
The Web server (or an application server with a Web service embedded) serves the Instant Messenger resources to the clients’ browsers. The resource files make up the client. Clients send messages to one another through a multiplexor, which forwards the messages on to the Instant Messaging server.
The Directory server stores and retrieves local user and group delivery information such as preferences, location, and to which multiplexor to route messages for this user. When the Instant Messaging server receives a message, it uses this information to determine where and how the message should be delivered. In addition, the Directory server may contain user information such as contact lists and subscriptions.
In this basic configuration, Instant Messaging directly accesses a Directory Server to verify user login names and passwords for mail clients that use Instant Messaging.
Outgoing instant messages from clients go directly to the multiplexor. The multiplexor sends the message to the appropriate Instant Messaging server, which in turn forwards the message to another Instant Messaging server, or if the message is local, to the multiplexor with which the recipient is associated. (See Physical Deployment Examples for illustrations of this process.)
New users are created by adding user entries to the directory. Entries can be created or modified by modifying the directory using the tools provided with the Directory server.
Instant Messaging components are administered using a set of command line interfaces and text-based configuration files. Any machine connected to the Instant Messaging host can perform administrative tasks (assuming, of course, the administrator has the required privileges).
The following sections outline the three primary components of Instant Messaging in further detail:
The Instant Messaging Server
The Instant Messaging server handles tasks such as controlling Instant Messenger privileges and security, enabling Sun Java™ System Instant Messenger clients to communicate with each other by sending alerts, initiating chat conversations, and posting messages to the available news channels.
The Instant Messaging server supports the connection of a multiplexor that consolidates connections over one socket. For more information on the multiplexor, see The Multiplexor.
Access control files and Sun Java System Identity Server policies are used for administration of end users, news channels, and conference rooms.
The Instant Messaging server routes, transfers, and delivers instant messages for the Sun Java™ System Instant Messaging product.
Direct LDAP Lookup
The server can look up directory information directly from the LDAP server. The results of the LDAP queries are cached in the process, with configurable aging and expiration, so settings are tunable. Refer to the Sun Java™ System Directory Server Administrator’s Guide for further information.
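The LDAP server section above says the server searches the directory by uid or cn (or another configured attribute), and this section says the query results are cached in-process with configurable expiration. The following added example, which is not Sun’s code and does not reproduce the product’s implementation, shows both pieces as a defender would want them written: the search filter escapes the user-supplied name per RFC 4515 so that a screen name cannot alter the filter, and a small TTL cache front-ends the directory. The directory itself is a constructed in-memory stand-in (`make_directory_search`) that understands only a single `(attr=value)` filter; `SAMPLE_ENTRIES`, the 30-second TTL and the injectable clock are assumptions for the demonstration.

```python
"""Added example (not Sun's code): directory user lookup with RFC 4515 filter
escaping and an in-process result cache with a configurable expiry."""
import time
from typing import Callable, Dict, List, Tuple

Entry = Dict[str, str]

# Constructed sample directory entries for the demonstration.
SAMPLE_ENTRIES: List[Entry] = [
    {"uid": "jdoe", "cn": "Jane Doe", "mail": "jdoe@example.com"},
    {"uid": "asmith", "cn": "Alan Smith", "mail": "asmith@example.com"},
]


def escape_filter_value(value: str) -> str:
    """Escape a value embedded in an LDAP search filter (RFC 4515 section 3)."""
    special = {"\\": "\\5c", "*": "\\2a", "(": "\\28", ")": "\\29", "\x00": "\\00"}
    return "".join(special.get(ch, ch) for ch in value)


def build_user_filter(name: str, attr: str = "uid") -> str:
    """Filter for one user; attr is the configurable search attribute (uid, cn, ...)."""
    if not attr.isalnum():
        raise ValueError("search attribute must be an attribute type name")
    return "(%s=%s)" % (attr, escape_filter_value(name))


def _unescape(value: str) -> str:
    """Reverse RFC 4515 escaping (used only by the stand-in directory below)."""
    out, i = [], 0
    while i < len(value):
        if value[i] == "\\" and i + 3 <= len(value):
            out.append(chr(int(value[i + 1:i + 3], 16)))
            i += 3
        else:
            out.append(value[i])
            i += 1
    return "".join(out)


def make_directory_search(entries: List[Entry]) -> Callable[[str], List[Entry]]:
    """Constructed stand-in for an LDAP server: evaluates one (attr=value) filter."""
    def search(ldap_filter: str) -> List[Entry]:
        if not (ldap_filter.startswith("(") and ldap_filter.endswith(")")):
            raise ValueError("unsupported filter: " + ldap_filter)
        attr, raw = ldap_filter[1:-1].split("=", 1)
        wanted = _unescape(raw)  # an escaped '*' or ')' is now a literal, not syntax
        return [e for e in entries if e.get(attr) == wanted]
    return search


class CachedLookup:
    """Caches directory answers per (attribute, name) until they age out."""

    def __init__(self, search: Callable[[str], List[Entry]], ttl_seconds: float,
                 clock: Callable[[], float] = time.monotonic):
        self._search = search
        self._ttl = ttl_seconds
        self._clock = clock
        self._cache: Dict[Tuple[str, str], Tuple[float, List[Entry]]] = {}
        self.directory_queries = 0  # how many times the directory was actually asked

    def lookup(self, name: str, attr: str = "uid") -> List[Entry]:
        key = (attr, name)
        now = self._clock()
        cached = self._cache.get(key)
        if cached is not None and cached[0] > now:
            return cached[1]
        result = self._search(build_user_filter(name, attr))
        self.directory_queries += 1
        # Empty results are cached too, so repeated lookups of unknown names
        # do not each cost a directory round trip.
        self._cache[key] = (now + self._ttl, result)
        return result


if __name__ == "__main__":
    lookup = CachedLookup(make_directory_search(SAMPLE_ENTRIES), ttl_seconds=30)
    print(lookup.lookup("jdoe"))
    print(lookup.lookup("jdoe"), "queries:", lookup.directory_queries)
    print(lookup.lookup("*)(uid=*", attr="cn"))  # escaped: matches nothing
```

Two points are worth noting. A cache entry lives for exactly the configured TTL, so an account disabled in the directory stays resolvable until its entry ages out; the expiry you choose is a trade-off between directory load and how quickly such changes take effect. And the injected name `*)(uid=*` matches nothing because escaping turns it into a literal value; without `escape_filter_value` the same input would rewrite the filter.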
Message Delivery
After the message is processed, the server sends the message to the next stop along the message’s delivery path. This may be the intended recipient’s multiplexor, or another server. Once received by a multiplexor, the message is routed directly to the intended recipient. (See Physical Deployment Examples for illustrations of this process.)
The Multiplexor
The Instant Messaging multiplexor component connects multiple instant messenger connections into one TCP (Transmission Control Protocol) connection, which is then connected to the Instant Messaging server. The multiplexor reads data from Instant Messenger and writes it to the server. Conversely, when the server sends data to Instant Messenger, the multiplexor reads the data and writes it to the appropriate connection. The multiplexor does not perform any end user authentication or parse the client-server protocol (IM protocol). Each multiplexor is connected to one and only one Instant Messaging server.
You can install multiple multiplexors based on your deployment requirements. You must install at least one multiplexor. For more information, see Chapter 2, "Deployment Examples".
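The multiplexor description above is the whole design: many messenger connections in, one TCP connection to the server out, bytes copied in both directions, no authentication and no parsing of the IM protocol. The following added example, written for this guide’s readers and not taken from Sun’s product, models that behaviour so the consequences are visible: each client gets a session id, client bytes are wrapped in a small frame (constructed here as a 4-byte session id plus a 2-byte length; the real wire format is not documented on this page), frames that arrive split across reads are reassembled, and a reply for a session that has already closed is dropped rather than delivered to whichever client later reuses the connection. The `echo_server` is a constructed stand-in for the Instant Messaging server.

```python
"""Added example (not Sun's code): a connection multiplexor that carries many
client sessions over one server link and routes replies back by session id."""
import struct
from typing import Dict, List, Tuple

# Constructed framing: 4-byte session id, 2-byte payload length, payload.
HEADER = struct.Struct("!IH")
MAX_PAYLOAD = 0xFFFF


def encode_frame(session_id: int, payload: bytes) -> bytes:
    """Wrap one client's bytes with the header the server uses to tell sessions apart."""
    if len(payload) > MAX_PAYLOAD:
        raise ValueError("payload too large for one frame")
    return HEADER.pack(session_id, len(payload)) + payload


def decode_frames(stream: bytes) -> Tuple[List[Tuple[int, bytes]], bytes]:
    """Split a byte stream into complete frames; return (frames, unconsumed tail)."""
    frames, pos = [], 0
    while len(stream) - pos >= HEADER.size:
        session_id, length = HEADER.unpack_from(stream, pos)
        end = pos + HEADER.size + length
        if end > len(stream):
            break  # partial frame: keep the bytes until the rest arrives
        frames.append((session_id, stream[pos + HEADER.size:end]))
        pos = end
    return frames, stream[pos:]


class Multiplexor:
    """Consolidates client connections and copies bytes without interpreting them."""

    def __init__(self) -> None:
        self._next_id = 1
        self.client_outbox: Dict[int, List[bytes]] = {}  # bytes owed to each client
        self.server_link = b""  # bytes queued on the single server connection
        self._pending = b""     # incomplete frame received from the server

    def accept_client(self) -> int:
        session_id = self._next_id
        self._next_id += 1
        self.client_outbox[session_id] = []
        return session_id

    def close_client(self, session_id: int) -> None:
        del self.client_outbox[session_id]

    def from_client(self, session_id: int, data: bytes) -> None:
        """Client -> server direction: frame the bytes and queue them for the server."""
        if session_id not in self.client_outbox:
            raise KeyError("unknown session %d" % session_id)
        self.server_link += encode_frame(session_id, data)

    def from_server(self, data: bytes) -> int:
        """Server -> client direction; returns the number of frames dropped."""
        self._pending += data
        frames, self._pending = decode_frames(self._pending)
        dropped = 0
        for session_id, payload in frames:
            outbox = self.client_outbox.get(session_id)
            if outbox is None:
                dropped += 1  # session gone: never hand its data to another client
            else:
                outbox.append(payload)
        return dropped


def echo_server(stream: bytes) -> bytes:
    """Constructed stand-in for the IM server: answers each session in upper case."""
    frames, _ = decode_frames(stream)
    return b"".join(encode_frame(sid, payload.upper()) for sid, payload in frames)


def demo() -> Dict[int, List[bytes]]:
    """Two clients share one server link; the reply arrives in two partial reads."""
    mux = Multiplexor()
    a, b = mux.accept_client(), mux.accept_client()
    mux.from_client(a, b"hello from a")
    mux.from_client(b, b"hi from b")
    reply = echo_server(mux.server_link)
    mux.server_link = b""
    mid = len(reply) // 2
    mux.from_server(reply[:mid])
    mux.from_server(reply[mid:])
    return {a: mux.client_outbox[a], b: mux.client_outbox[b]}


if __name__ == "__main__":
    print(demo())
```

Because the multiplexor neither authenticates nor parses the protocol, every security decision (who the session belongs to, what it may do) is still made by the server; a multiplexor placed outside the firewall therefore exposes only this copying logic, which is the reason the core-components list recommends that placement.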
The Instant Messenger Client
The Java-based Sun Java™ System Instant Messenger is Instant Messaging’s client that can be configured to be a browser-based applet using Java Plug-in, or a standalone Java application using Java Web Start.
To run Instant Messenger client on Solaris, you must use Java Web Start. On Microsoft Windows you can run Instant Messenger as an applet or a Java Web Start application. It is recommended that you run Sun ONE Instant Messenger as a Java Web Start application.
For more information on customizing Sun Java™ System Instant Messenger, see the Sun Java System Instant Messaging Administration Guide.
Instant Messenger provides the following modes of communication:
- Chat - Sun Java™ System Instant Messenger’s version of Instant Messaging conferences is called chat. Chat is a real-time conversation capability that enables end users to complete projects, answer customer queries, and complete other time-critical assignments. Chat sessions (two or more participants) are held in chat rooms created on a need basis.
- Conference Rooms - Conference rooms are persistent chat rooms that work similarly to regular chat sessions, but offer:
- Alerts - Alerts enable information delivery and response to end users through the Instant Messenger interface. Alerts can deliver time-critical information to the end user. The sender of the alert message is notified when the message is delivered, and read by the recipient.
- Poll - The polling function enables you to ask end users for their response to a question. You can send a question and possible answers to poll recipients, and the recipients can respond with their selected answer.
- News - News channels are forums for posting and sharing information. End users can subscribe to news channels of interest to see updates using the URL of the news channels or view the news channel updates through static messages. Administrators control news channel access by assigning end users to the channels they need, and deciding who can see or post information to the channels.
Designing Your Deployment
During the planning process, you will gather data about your requirements, such as environment and data sources. With this information, you can design an Instant Messaging deployment that meets the needs of your users.
The flexibility of Sun Java™ System Instant Messaging allows you to rework your design to meet unexpected or changing requirements, even after deployment.
The following topics outline the stages in a successful deployment:
Planning Process
The process for planning your deployment can be broken into the following functions:
- Determining Your Infrastructure Needs
For example, network capacity, backup infrastructure, and DNS services.
- Designing Your Topology
Topology design involves determining how you divide your system among multiple servers and how these servers communicate with one another.
- Planning Your Directory Data
You need to understand the relationships between your directory tree, schema, and Instant Messaging.
- Developing an Instant Messaging Architecture
- Designing Secure Instant Messaging
You need to plan how to protect Instant Messaging from common security threats.
- Creating a Monitoring Strategy
This chapter explains basic sizing concepts. Chapter 3, "Planning Your Sizing Strategy" outlines the factors to consider when sizing your deployment.
Piloting Instant Messaging
After you have designed your deployment, you can start the deployment process. The first step of the deployment phase is installing a server instance as a pilot and testing whether Instant Messaging can:
If the deployment is not adequate as it is, you can adjust your pilot design until you have a robust service you can confidently introduce to your enterprise.
Putting Instant Messaging Into Production
Once you have piloted and tuned Instant Messaging, you need to develop and execute a plan for taking Instant Messaging from a pilot to production. Create a production plan that includes the following:
For information on installing Instant Messaging, refer to the Sun Java System Instant Messaging Installation Guide. For information on administering and maintaining Instant Messaging, refer to the Sun Java System Instant Messaging Administration Guide.