Sun Java logo     Previous      Contents      Index      Next     

Sun logo
Sun Java System Instant Messaging 7 2005Q1 Administration Guide 

Chapter 4
Administering Instant Messaging Components

This chapter explains how to administer the Instant Messaging components (server, multiplexor, Calendar agent, and watchdog) and perform other administrative tasks, such as changing configuration parameters and managing logging.

This chapter contains the following sections, which describe the various administrative tasks in Instant Messaging:

Administering End Users

The administrative tasks in Instant Messaging are listed in the preceding section and are described throughout the rest of this chapter. Take note of the methods—as explained subsequently—for provisioning and managing end users.

Instant Messaging does not provide bulk user provisioning tools. You need to use a directory bulk provisioning tool for provisioning multiple Instant Messaging end users. By default, Instant Messaging does not provide specific commands to add, modify, or delete Instant Messaging end users. However, you can customize Instant Messenger to allow users to add themselves to the directory. See Registering New Users for information.

Likewise in an LDAP-only deployment, you cannot prevent an end user from using Instant Messenger. In an LDAP-only deployment, the only way to prevent end users from using Instant Messaging is to delete them from the directory. In a deployment using Sun Java System Access Manager policy attributes, you can prevent an end user from accessing Instant Messenger. If you deploy Instant Messaging with Access Manager, you should use the provisioning tools provided with Access Manager instead of allowing users to register themselves.

The administrator can manage Instant Messaging end users, using the Instant Messaging Administrator Access Control mechanism. For more information on Instant Messaging Administrator Access Control, see Overview of Privacy, Security, and Site Policies. If you are using Sun Java System Access Manager, then the Access Manager is used for provisioning Instant Messaging end users. For more information, see Sun Java System Communications Services Deployment Planning Guide.

Caution

If you deny end users the privilege to set up watches on other end users by editing the sysWatch.acl file, the Instant Messenger’s Main window is not displayed for these end users. This effectively denies end users the ability to send instant messages. However, end users would still be able to see alerts and news channels.

Registering New Users

You can customize Instant Messenger to allow new user registration. When a user registers, the Instant Messaging server uses the information provided during registration to perform an ldapadd operation to create a user entry in the directory.

Note

If you are using Instant Messaging with Sun Java System Access Manager, you should not allow users to register using this method. Instead, you should use the provisioning tools provided with Access Manager.

To allow new user registration, you need to add an argument to the im.jnlp.template and im.html.template files, run the configure utility, then (if necessary) redeploy the resource files.

This section describes:

See Chapter 5, "Managing Instant Messenger" for more information about customizing resource files.

Customizing Instant Messenger to Allow New User Registration

When you customize the resource files to allow new user registration, a new button appears on the Login dialog box. Users click this button to access the New User Registration dialog box where they can register. When a user registers, their information is added to the LDAP directory.

    To Customize Instant Messenger to Allow New User Registration
  1. Open the im.jnlp.template file in a text editor.

    2. By default this file is stored in im_svr_base/html.

  2. Search for the line:

    3. <application-desc main-class="com.iplanet.im.client.iIM">

  3. Add the following argument to the end of the section:

    4. <argument>register=true</argument>

  4. Save and close the im.jnlp.template file.
  5. Repeat steps 1 through 4 for im.html.template.
  6. Run the configure utility, selecting the “Messenger Resources” component only when prompted for which components you want to configure. See Configuring Instant Messaging After Installing or Upgrading for instructions.
  7. If you are using Sun Java System Access Manager or Sun Java System Web Server, redeploy the resource files as described in Redeploying Resource Files.
  8. Launch Instant Messenger.

    9. The I am a New User button should appear on the Login dialog box.

Registering New Users

Once you have added the new user registration argument to the im.jnlp and im.html files and redeployed the resource files users can register themselves.

    To Register as a New User
  1. In a web browser, go to the Instant Messaging home page.
  2. Click Start or click Use Java Plug-in.

    3. The Login dialog box appears, displaying the I am a New User button.

  3. Click I am a New User.

    4. The New User Registration dialog box appears.

  4. Enter the information in the fields provided and click OK.

    5. The information is stored in the directory.

Stopping, Starting, and Refreshing Instant Messaging Components

The imadmin command enables you to:

The imadmin command-line utility can be executed only by root or a user who has administration rights to the system(s) on which the Instant Messaging server and multiplexor are running. This end user is typically the identity that the server runs as, and is designated during installation:

The imadmin command-line utility is located in the following directory:

im_svr_base/sbin

Starting the Instant Messaging server enables Instant Messenger to connect to it. Stopping the Instant Messaging server closes all connections and disconnects all Instant Messenger clients.

To Start Instant Messaging Components

You can start all the components together or a single component separately.

Use the imadmin command to start the Instant Messaging Server, multiplexor, Calendar agent, and watchdog depending on which components are enabled:

    To Start All Components
    To Start a Single Component

To Stop Instant Messaging Components

You can stop all the components together or a single component separately.

Use the imadmin command to stop the Instant Messaging Server, multiplexor, Calendar agent, and watchdog depending on which components are enabled:

    To Stop All Components
    To Stop a Single Component

To Refresh Component Configuration

Use the imadmin command with the refresh parameter to stop and restart an individual Instant Messaging component and refresh that component’s configuration.

You can refresh all the components together or a single component separately.

Whenever you change a configuration parameter in the iim.conf file, make sure to refresh the configuration.

    To Refresh All Components
    To Refresh a Single Component

To Check the Status of Instant Messaging Components

You can check the status of all the components together or a single component separately using the imadmin command.

    To Check the Status of All Components
    To Check the Status of a Single Component

Changing Instant Messaging Server and Multiplexor Configuration Parameters

Instant Messaging stores configuration parameters in the iim.conf file. For a complete list of configuration parameters, see Instant Messaging Configuration Parameters.

To change configuration parameters, manually edit the configuration parameters and values in the iim.conf file, then refresh the Instant Messaging server configuration. If you change a multiplexor parameter, you only need to refresh the multiplexor using the following imadmin command:

imadmin refresh multiplexor

For a complete list of parameters and their values, see Instant Messaging Configuration Parameters.

    To Change Configuration Parameters
  1. Change to the config directory. For example, on Solaris type:

    2. cd etc/opt/SUNWiim/default/config

  2. Edit the iim.conf file. For example:

    3. vi iim.conf

  3. Save your changes.
  4. Refresh the configuration.

    5. Caution

    If you change the multiplexor listen port (iim_mux.listenport) or the multiplexor host, update the im.html or the im.jnlp files accordingly. Failure to do so disables Instant Messenger from connecting to the server. For more information, see the section on Managing Instant Messenger.

Managing Logging

Instant Messaging creates log files that record events, related status of various software components, system errors, and other aspects of the server, multiplexor, Calendar agent, and watchdog. By examining the log files, you can monitor many aspects of the server’s operation. In addition, you can collect logging data for Instant Messenger on demand. This section provides information about logging in the following topics:

Logging Overview

You can configure the level of logging for the Instant Messaging server, multiplexor, Calendar agent, and watchdog by specifying the parameters in the iim.conf file. For information on configuring the level of logging in the iim.conf file, see Changing Instant Messaging Server and Multiplexor Configuration Parameters.

The location of the log files are specified during Instant Messaging configuration. Typically, log files are stored in im_runtime_base/log. Where the defaults for im_runtime_base are as follows:

As part of regular system maintenance, you need to periodically review and trim the log files from occupying more disk space. The server does not perform this action.

Table 4-1 provides the name of the log files and the configuration parameter in iim.conf used to set the logging level for each log file.

Table 4-1  Log File Names and Logging Level Configuration Parameters 

Component

Log File Name

Logging Level Configuration Parameter

Server

xmppd.log

iim.log.iim_server.severity

Multiplexor

mux.log

iim.log.iim_mux.severity

Calendar agent

agent-calendar.log

iim.log.agent-calendar.severity

Watchdog

iim_wd.log

iim.log.iim_wd.severity

The configuration parameters can have the following values:

In addition, logging configuration in deployments with Sun Java System Access Manager is determined by the com.iplanet.services.debug.level property. You set this property in the AMConfig.properties file on the Sun Java System Access Manager host. By default, this file is installed in the following location:

AM_svr_base/lib/AMConfig.properties

Where AM_svr_base is the directory in which you installed Access Manager.

This property can contain the following values:

By default, the Sun Java System Portal Server desktop log file (desktop.debug) and archive log files (IMArchiveSearch.log and IMArchiveSubmit.log) are stored in the following locations:

Logging Levels

The level or priority of maintaining the error log defines how detailed, or verbose, the log should be. A higher priority level implies less details as only events of high priority (high severity) are recorded in the log file. In contrast a lower priority level implies greater details as more events are recorded in the log file.

You can set the logging level separately for the Instant Messaging server, multiplexor, watchdog, and the Calendar agent.

Table 4-2 describes the logging levels for the components. These logging levels are a subset of the levels defined by the Unix syslog facility.

Table 4-2  Logging Levels for Instant Messaging Components 

Level

Description

FATAL

This priority level records minimum logging details in the log file. A log record is added to the log file whenever a severe problem or critical condition occurs. If a FATAL problem occurs, the application might stop functioning.

ERROR

A log record is added to the log file whenever a recoverable software error condition occurs or a network failure is detected. For example, when the server fails to connect to a client or to another server.

WARNING

A log record is added to the log file whenever a user error is detected. For example, when the server cannot understand the communication sent by the client.

INFO

A log record is added to the log file whenever a significant action takes place. For example, when an end user successfully logs in or logs out.

DEBUG

The tasks are recorded in the log file. This information is useful for debugging purposes only. Each event with individual steps within each process or task are written to the log file, to help the end user identify the problems while debugging the application.

When you select a particular logging level, events corresponding to that level and to all higher and less verbose levels are logged.

INFO is the default level for the server. ERROR is the default level for the multiplexor and watchdog log files.

Note

If you specify DEBUG as the logging level, your log files will occupy more disk space. Monitor and trim your log files to prevent them from occupying more disk space.

To Set Log Levels

You set the log levels by modifying parameters within the iim.conf file. Table 4-1 contains a list of the log files and the parameter that you need to set for each component.

For more information on changing parameters, see Changing Instant Messaging Server and Multiplexor Configuration Parameters. For more information on the watchdog, see Managing the Watchdog Process. For more information on the Calendar agent, see Using Calendar Pop-up Reminders.

Administering Client Logging

By default, client data is not logged. You may be asked to collect client data during a support call. In this situation, you will need to enable logging before you can view client log data.

To enable client logging you need to complete the following steps:

  1. Enable logging in Java Web Start Application Manager or the Java Plug-In Control Panel on the client’s host.
  2. Add a debug parameter to the im.jnlp file.
  3. Redeploy the Instant Messenger resources if necessary.
    To Enable Client Logging
  1. Enable the logging feature in either the Java Web Start Application Manager or the Java Plug-In Control Panel as appropriate.

    2. If the client uses the Java plug-in with an earlier version of the JDK, run the Java Plug-In Control Panel. See the online help for the Java Plug-In Control Panel for instructions on enabling logging.

    If the client uses Java Web Start or uses the plug-in with JDK 5.0, run the Java Web Start Application Manager, then:

    1. Select File|Preferences.

      2. The Preferences dialog box appears.

    2. On the Advanced tab, select the Log Output checkbox and enter a Log File Name.
    3. Click OK.
  2. Open im.jnlp in a text editor.
  3. Search for the line:

    4. <application-desc main-class="com.iplanet.im.client.iIM">

  4. Add the following argument to the end of the section:

    5. <argument>debug=true</argument>

  5. Save and close the im.jnlp file.
  6. If you are using Sun Java System Access Manager or Sun Java System Web Server, redeploy the resource files as described in Redeploying Resource Files.
  7. Relaunch Instant Messenger.

Federating Deployment of Multiple Instant Messaging Servers

In an LDAP-only deployment, when you federate multiple Instant Messaging deployments you form a larger Instant Messaging community. End users from different servers can communicate with each other, use conference rooms on other domains, and subscribe to news channels on remote servers based on the access privileges.

In a deployment with Sun Java System Access Manager, a single Instant Messaging server can host multiple domains. You can designate a single domain as the default domain for a Instant Messaging server instance. End users in different domains hosted by the same server cannot interact with each other. When you federate multiple Instant Messaging deployments, end users in default domains can see the end users in default domains of other remote Instant Messaging servers.

For enabling communication between multiple Instant Messaging servers in your network, you need to configure your server to identify itself to the other Instant Messaging servers in the network. A Instant Messaging server identifies itself with its domain name, host and port number, serverID, and password.

In an LDAP-only deployment, the two servers should reside in different domains.

Within the server configuration, you can assign each Instant Messaging server a symbolic name, consisting of letters and digits, for example, IMserver1.

Caution

It is recommended that the server-to-server communication is secured using TLS (SSL). This is required to prevent third party infringement of security when data is exchanged between two servers. This precaution is extremely desirable in the case where the link between the two servers uses the public internet. Follow the instructions outlined below to configure SSL between Instant Messaging servers.

To Configure Communication Between Instant Messaging Servers

This procedure describes how to enable communication between two Instant Messaging servers, iim.company22.com and iim.i-zed.com..

    To Configure Communication Between Two Servers
  1. Gather the following information listed in Table 4-3.

    2. Table 4-3 lists the parameters in the iim.conf file for server-to-server communication and the values for these parameters in the Instant Messaging servers, iim.company22.com and iim.i-zed.com.

    Table 4-3  Configuration Information for Server-to-Server Communication

    Parameter in iim.conf File

    Value for Server iim.company22.com

    Value for Server iim.i-zed.com

    iim_server.serverid

    Iamcompany22

    Iami-zed

    iim_server.password

    secretforcompany22

    secret4i-zed

    iim_server.coservers

    coserver1

    coserver1

    iim_server.domain

    iim.company22.com

    iim.i-zed.com

    iim_server.coserver1.host

    iim.i-zed.com:9919

    iim.company22.com:9919

    iim_server.coserver1.serverid

    Iami-zed

    Iamcompany22

    iim_server.coserver1.password

    secret4i-zed

    secretforcompany22

    iim_server.coserver1.domain

    i-zed.com

    company22.com

    For more information on the configuration parameters, see Instant Messaging Configuration Parameters.

    Note

    You can configure your server to communicate with other Instant Messaging servers. Each Instant Messaging server is identified by its symbolic name. The symbolic name of the server is added in the iim_server.coservers parameter in the iim.conf file. This parameter has multiple values and each value is separated by a comma.

  2. Change to the config directory on the server iim.company22.com. For example, on Solaris:

    3. cd /etc/opt/SUNWiim/default/config

  3. Edit the iim.conf file, for example:

    4. vi iim.conf

    Note

    The iim.conf file should be owned by the Instant Messaging server account you created during installation. If the iim.conf file cannot be read by the Instant Messaging server account, Instant Messaging server and multiplexor would be unable to read the configuration. Additionally, you might lose the ability to edit the iim.conf file.

    The following example shows the section of the iim.conf file on iim.company22.com corresponding to the server-to-server communications that you can modify:

    iim_server.serverid=Iamcompany22

    iim_server.password=secretforcompany22

    iim_server.domain=iim.icompany22.com

    iim_server.coservers=coserver1

    iim_server.coserver1.host=iim.i-zed.com:9919

    iim_server.coserver1.serverid=Iami-zed

    iim_server.coserver1.password=secret4i-zed

    iim_server.coserver1.domain=i-zed.com

  4. Follow Step 2 through Step 3 for the iim.conf file on server iim.i-zed.com.

    5. The following example shows the section of the iim.conf file on iim.i-zed.com corresponding to the server-to-server communications that you can modify:

    iim_server.serverid=Iami-zed

    iim_server.password=secret4i-zed

    iim_server.domain=iim.i-zed.com

    iim_server.coservers=coserver1

    iim_server.coserver1.host=iim.company22.com:9919

    iim_server.coserver1.serverid=Iamcompany22

    iim_server.coserver1.password=secretforcompany22

    iim_server.coserver1.domain=company22.com

  5. Save the changes and refresh the configurations on both servers.

Using SSL in Instant Messaging

Instant Messaging supports the Secure Sockets Layer (SSL) protocol, for encrypted communications and for certificate-based authentication of Instant Messaging servers. Instant Messaging server supports SSL version 3.0.

Instant Messaging multiplexor and Instant Messenger also support SSL for encrypted communication between the client and the multiplexor.

Enabling SSL for Instant Messaging server requires the following:

  1. Obtaining and installing a certificate for your Instant Messaging server, and configuring the Instant Messaging server to trust the Certification Authority’s certificate.
  2. Ensuring that each Instant Messaging server that needs to communicate using SSL with your server, obtains and installs a certificate.
  3. Turning on SSL in the server by setting the appropriate parameters in the iim.conf file.

Enabling SSL between the multiplexor and Instant Messenger requires the following:

  1. Requesting a Certificate from the Certificate Authority
  2. Installing the Certificate
  3. Enabling SSL Between the Multiplexor and Instant Messenger
  4. To Activate SSL for Server to Server Communication
  5. Invoking the Secure Version of Instant Messenger

For more information about managing certificates, see the Web Server and Application Server product documentation at http://docs.sun.com

Requesting a Certificate from the Certificate Authority

To enable SSL between Instant Messenger and multiplexor, you need to install the certificate and create databases for secure communication. You can request and install the certificate using Web Server or Application Server.

    To Request and Install a Certificate
  1. Type the following URL for starting the administration server in your browser:

    2. http://hostname.domain-name:administration_port

    A window prompting you for a user name and password appears.

  2. Type the administration user name and password you specified during the Web Server or Application Server installation.

    3. The Administration Server page appears.

  3. Create a separate Web Server or Application Server instance. For more information on installing multiple instances of the server, see the product documentation at:

    4. http://docs.sun.com/

  4. Create a trust database to store the public and private keys, referred as the key-pair file. The key-pair file is used for SSL encryption.

    5. For information on creating a trust database, see the Web Server or Application Server product documentation at:

    http://docs.sun.com/

  5. Request a certificate from the Certificate Authority.

    6. For more information on requesting a certificate, see the Web Server or Application Server product documentation at:

    http://docs.sun.com/

Installing the Certificate

When you receive the server certificate from your Certificate Authority, you need to install the certificate.

    To Install the Certificate
  1. Type the following URL for starting the administration server in your browser:

    2. http://hostname.domain-name:administration_port

    A window appears, prompting you for a user name and password.

  2. Type the administration user name and password you specified during the Web Server or Application Server installation.

    3. The Administration Server page appears.

  3. Install the server certificate.

    4. For more information on installing the certificate, see the Web Server or Application Server product documentation at:

    http://docs.sun.com/

  4. Change to your Web Server or Application Server’s alias directory.
  5. Copy the database files from the alias directory to the Instant Messenger config directory.

    6. To copy the database files from the alias directory to the Instant Messenger config directory, type the following:

    cp https-serverid-hostname-cert8.db /etc/opt/SUNWiim/default/config/cert8.db

    cp https-serverid-hostname-key3.db /etc/opt/SUNWiim/default/config/key3.db

    cp secmod.db /etc/opt/SUNWiim/default/config/secmod.db

    Note

    The end user on which the Instant Messaging server runs should have Read permission on cert7.db, key3.db,and secmod.db files.

  6. Change to your Instant Messaging im_cfg_base directory. For example, on Solaris:

    7. cd /etc/opt/SUNWiim/default/config

  7. Create the sslpassword.conf file using an editor of your choice. For example, you could type:

    8. vi sslpassword.conf

  8. Enter the following line to the sslpassword.conf file

    9. Internal (Software) Token:password

    Password: The password specified during the creation of the trust database.

  9. Save the file.

    10. Note

    All Instant Messenger end users should have Ownership and Read permission on the sslpassword.conf file.

  10. After verifying the functioning of SSL, log in to the Web Server or Application Server as an administrator and remove the server instance that you have created while requesting the certificate.

Enabling SSL Between the Multiplexor and Instant Messenger

Table 4-4 lists the parameters in the iim.conf file for enabling SSL between Instant Messenger and multiplexor. It also contains the description and the default value of these parameters:

Table 4-4  Instant Messenger and Multiplexor SSL Parameters 

Parameter

Default Value

Description

iim_mux.usessl

off

If the value is set to “on”, the multiplexor requires an SSL handshake for each connection it accepts, before exchanging any application data.

iim_mux.secconfigdir

Solaris: /etc/opt/SUNWiim/default/config

Linux: /etc/opt/sun/im/default/config

This directory contains the key and certificate databases. It usually contains the security module database.

iim_mux.keydbprefix

(Empty string)

This value should contain the key database filename prefix. The key database file name must always end with key3.db.

If the Key database contains a prefix, for example This-Database-key3.db, then value of this parameter is This-Database.

iim_mux.certdbprefix

(Empty string)

This value should contain the certificate database filename prefix. The certificate database file name must always end with cert7.db.

If the certificate database contains a prefix, for example Secret-stuff-cert7.db, then value of this parameter is Secret-stuff.

iim_mux.secmodfile

secmod.db

This value should contain the name of the security module file.

iim_mux.certnickname

Server-Cert

This value should contain the name of the certificate you entered while installing the certificate.

The certificate name is case-sensitive.

iim_mux.keystorepasswordfile

sslpassword.conf

This value should contain the relative path and the name of the file containing the password for the key database. This file should contain the following line:

Internal (Software) Token:password

Where password is the password protecting the key database.

    To Enable SSL Between Instant Messenger and Multiplexor
  1. Change to the im_cfg_base directory. For example, on Solaris:

    2. cd /etc/opt/SUNWiim/default/config

  2. Edit the iim.conf file, for example:

    3. vi iim.conf

  3. Add the values mentioned in the Table 4-4 to the multiplexor configuration parameters.

    4. The following is an example of the iim.conf file with the multiplexor configuration parameters:

    ! IIM multiplexor configuration

    ! =============================

    !

    ! Multiplexor specific options

    ! IP address and listening port for the multiplexor.

    ! WARNING: If this value is changed, the port value of ’-server’ argument

    ! in the client’s im.html and im.jnlp files should also be changed to match th

    is.

    iim_mux.listenport = "siroe.com:5222"

    ! The IM server and port the multiplexor talks to.

    iim_mux.serverport = "siroe.com:45222"

    ! Number of instances of the multiplexor.

    iim_mux.numinstances = "1"

    ! Maximum number of threads per instance

    iim_mux.maxthreads = "10"

    ! Maximum number of concurrent connections per multiplexor process

    iim_mux.maxsessions = "1000"

    iim_mux.usessl = "on"

    iim_mux.secconfigdir = "/etc/opt/SUNWiim/default/config"

    iim_mux.keydbprefix = "This-Database"

    iim_mux.certdbprefix = "Secret-stuff"

    iim_mux.secmodfile = "secmod.db"

    iim_mux.certnickname = "Server_Cert"

    iim_mux.keystorepasswordfile = "sslpassword.conf"

Invoking the Secure Version of Instant Messenger

The secure version of Instant Messenger can be invoked by accessing the imssl.html file or imssl.jnlp file from your browser. These files are located under the resource directory, the base directory under which all the Instant Messenger resources are stored.

The links to these applet descriptor files can also be added to index.html file.

To Activate SSL for Server to Server Communication

Before you can activate SSL, you must create a certificate database, obtain and install a server certificate, and trust the CA’s certificate as described earlier.

    To Activate SSL
  1. Set these iim.conf parameters:
    • iim_server.usesslport=true
    • iim_server.sslport=5223

      • These parameters should already be in the iim.conf file.

  2. Set the server-to-server configurations as described in Federating Deployment of Multiple Instant Messaging Servers, and add the following:
    • iim_server.coserver1.usessl=true

      • Change the port number of the following:

    • iim_server.coserver1.host=hostname:5223

      • The port number should be the SSL port of the other server.

      Following is a section of iim.conf file with the required SSL configuration:

      ! Server to server communication port.

      iim_server.port = "5269”

      ! Should the server listen on the server to server communication port

      iim_server.useport = "True”

      ! Should this server listen for server-to-server communication using ssl port

      iim_server.usesslport = "True”

      iim_server.sslport=5223

      iim_server.coservers=coserver1

      iim_server.coserver1.serverid=Iamcompany22

      iim_server.coserver1.password=secretforcompany22

      iim_server.coserver1.usessl=true

      iim_server.coserver1.host=iim.i-zed.com:5223

      iim_server.serverid=Iami-zed

      iim_server.password=secret4i-zed

      iim_server.secconfigdir = "/etc/opt/SUNWiim/default/config"

      iim_server.keydbprefix = "This-Database"

      iim_server.certdbprefix = "Secret-stuff"

      iim_server.secmodfile = "secmod.db"

      iim_server.certnickname = "Server_Cert"

      iim_server.keystorepasswordfile = "sslpassword.conf"

Enabling SSL between two servers

Table 4-5 lists the parameters in the iim.conf file for enabling SSL between two Instant Messaging servers. It also contains the description and the default value of these parameters:

Table 4-5  Server-to-Server SSL Configuration Parameters 

Parameter

Default Value

Description

iim_server.secconfigdir

Solaris: /etc/opt/SUNWiim/default/config

Linux: /etc/opt/sun/im/default/config

This directory contains the key and certificate databases. It usually contains the security module database.

iim_server.keydbprefix

None

This value should contain the key database filename prefix. The key database file name must always end with key3.db.

If the Key database contains a prefix, for example This-Database-key3.db, then value of this parameter is This-Database.

iim_server.certdbprefix

None

This value should contain the certificate database filename prefix. The certificate database file name must always end with cert7.db.

If the certificate database contains a prefix, for example Secret-stuff-cert7.db, then value of this parameter is Secret-stuff.

iim_server.secmodfile

secmod.db

This value should contain the name of the security module file.

iim_server.certnickname

Server-Cert

This value should contain the name of the certificate you entered while installing the certificate.

The certificate name is case-sensitive.

iim_server.keystorepasswordfile

sslpassword.conf

This value should contain the relative path and the name of the file containing the password for the key database. This file should contain the following line:

Internal (Software) Token:password

Where password is the password protecting the key database.

iim_server.trust_all_cert

false

If this value is true than the server will trust all certificates and will also add the certificate information into the log files.

Managing Instant Messaging's LDAP Access Configuration

An LDAP-only deployment of Instant Messaging server requires a directory server. In an LDAP-only deployment, the Instant Messaging server uses the directory server to perform end-user authentication and to search for end users.

In a deployment with Sun Java System Access Manager, the Instant Messaging server uses the directory used by Sun Java System Portal Server. When installed in an Access Manager deployment environment, the Instant Messaging server uses the directory used by the Access Manager to search for end users, and not for end-user authentication. In an Access Manager deployment, Access Manager performs the authentication.

If you use an LDAP directory to maintain your user namespace, the default configuration makes the following assumptions regarding the schema used by this directory:

You can change these default settings by editing the iim.conf file. See Using the iim.conf file for more information.

Searching the Directory as Anonymous Users

Instant Messaging needs to be able to search the directory to function correctly. If your directory is configured to be searchable by anonymous users, Instant Messaging has the capability to search the directory. If the directory is not readable or searchable by anonymous users, you must take additional steps to configure the iim.conf file with the credentials of a user ID that has at least read access to the directory.

These credentials consist of:

    To Enable the Server to Conduct Directory Searches as a Specific End User
  1. Identify values for the following parameters in the iim.conf file:
    • iim_ldap.usergroupbinddn - Specifies the distinguished name (dn) to use to bind to the directory for searches.
    • iim_ldap.usergroupbindcred - Specifies the password to use with the distinguished name (dn)

      • For example:

      iim_ldap.usergroupbinddn="cn=iim server,o=i-zed.com"

      iim_ldap.usergroupbindcred=secret

      Note

      You do not have to use administrator-level credentials with write level access, as all that is necessary is read access to the domain tree. Thus, if there is an LDAP user with read level access, use its credentials instead. This is a safer alternative as it does not force you to disseminate the administrator-level credentials.

  2. In a deployment with Access Manager, the directory is generally not searchable by anonymous users. You should set the iim_ldap.useidentityadmin configuration parameter to true in this case. Also you can delete or comment out the following configuration parameters:
    • iim_ldap.usergroupbinddn
    • iim_ldap.usergroupbindcred.
  3. Edit the iim.conf file.

    4. See Changing Instant Messaging Server and Multiplexor Configuration Parameters for instructions on editing the iim.conf file.

    If the iim_ldap.usergroupbinddn and iim_ldap.usergroupbindcred parameters do not appear in the iim.conf file, you can add them anywhere in the file.

Configuring Dynamic LDAP Server Group

In the LDAP Server, the dynamic groups filter end users based on their DN and include them in a single group. The dynamic groups are defined in Directory Server as the groupOfUrls objectclass.

To enable end users to view the dynamic groups in search results and add them to their contact list, you need to include the groupOfUrls objects to search results.

The following modifications need to be made to the server configuration file iim.conf:

  1. Change to the config directory. For example, on Solaris:

    2. cd /etc/opt/SUNWiim/default/config

  2. Edit the iim.conf file. For example:

    3. vi iim.conf

  3. Add the following information to the iim.conf file:

    4. iim_ldap.usergroupbynamesearchfilter=(|(&(|(objectclass=groupofuniquenames) (objectclass=groupofurls)))(cn={0}))(&(objectclass=inetorgperson)(cn={0})))

    iim_ldap.groupbrowsefilter=(|(objectclass=groupofuniquenames)(objectclass=g roupofurls))

    iim_ldap.groupclass=groupOfUniqueNames,groupOfURLs

The attribute and objectclass names are configurable.By default, the memberOfUrls attribute is used as the membership attribute of a dynamic group. If you want to use an attribute name other than memberOfUrls, set the iim_ldap.groupmemberurlattr option to the attribute name you want to use.

Backing Up Instant Messaging Data

Instant Messaging does not come with any disaster recovery tools. Use your site’s backup system to backup the configuration and database directories periodically.

Backup Information

The Instant Messaging information that needs to be backed up are of the following types:

The configuration information is stored in the configuration directory (im_cfg_base). Default paths are as follows:

The Instant Messaging data is stored in the database directory (im_db_base). Defaults for im_db_base are as follows:

The Instant Messenger resources must be backed up if they have been customized. The location of the Instant Messenger resources are provided during installation.

Performing a Backup

While the configuration information does not change frequently, the Instant Messaging end-user data changes rapidly and to prevent any loss of end-user data you should back up the Instant Messaging end-user data on a periodic basis. You need to perform the backup before running the installation program and the uninstallation program.

To backup the end user data and the configuration information you do not have to stop the Instant Messaging server as all the disk commits by the server are automatically performed.

Restoring Backup Information

The back up of the end-user data and the configuration information needs to be restored when there is a disk failure and all the end-user data and the configuration information is lost.

    To Restore End-user Data from Backup
  1. Change to the runtime directory.

    2. For example:

    cd im_runtime_base

    The default values for im_runtime_base are as follows:

    Solaris: /var/opt/SUNWiim/default

    Linux: /var/opt/sun/im/

  2. Stop the Instant Messaging server, type:

    3. imadmin stop

  3. Copy the backed up data to the im_db_base directory. Be sure to maintain the directory structure of the backed up data.
  4. Verify the permissions and owner of the newly restored data.

    5. The files should be owned by the Instant Messaging system user. See Creating a UNIX System User and Group for information on this user. Permissions should be set as follows:

    • Files: 600 (indicating read and write permissions for owner only)
    • Directories: 700 (indicating read, write, and execute permissions for owner only)

      • Refer to your operating system documentation for information on changing permissions and owners.

  5. Start the Instant Messaging server.

    6. imadmin start



Previous      Contents      Index      Next     

Part No: 819-0430-10.   Copyright 2005 Sun Microsystems, Inc. All rights reserved.