Part II Administering Instant Messaging

• Chapter 3, Instant Messaging Configuration File and Directory Structure Overview provides information about the configuration files you use to administer Instant Messaging.

• Chapter 4, Configuring Instant Messaging for High Availability (Solaris Only) describes configuring Instant Messaging in a Sun Cluster environment.

• Chapter 5, Scaling an Instant Messaging Deployment Using Server Pooling gives instructions on creating a server pool for a single domain to increase horizontal scalability.

• Chapter 6, Federating Deployment of Multiple Instant Messaging Servers details how to support multiple domains in your Instant Messaging deployment.

• Chapter 7, Administering Instant Messaging Components describes how to administer the Instant Messaging server, multiplexor, Calendar agent, cluster agent, and watchdog.

• Chapter 8, Using the Instant Messaging XMPP/HTTP Gateway provides instructions on setting up and using the gateway.

• Chapter 9, Managing Instant Messaging's LDAP Access Configuration contains information on configuring LDAP for use with Instant Messaging.

• Chapter 10, Managing SSL for Instant Messaging provides information about and how Instant Messaging uses SSL and StartTLS to ensure security.

• Chapter 11, Managing Logging for Instant Messaging describes configuring logging for Instant Messaging components and XMPP.

• Chapter 12, Administering Instant Messaging End Users provides instructions for disabling end user access to Instant Messenger, registering new users, using LDAP to store user properties, and assigning Instant Messaging and presence services to end users.

• Chapter 13, Managing Instant Messenger describes how to customize and administer Instant Messenger.

• Chapter 14, Using Calendar Pop-up Reminders describes how to configure the Instant Messaging server, Calendar agent, Calendar Server, and Instant Messenger to enable Calendar pop-up reminders.

• Chapter 15, Managing Instant Messaging and Presence Policies describes how to manage administrator and end user privileges, especially with policies set in Sun Java^TM System Access Manager.

• Chapter 16, Managing Archiving for Instant Messaging explains how to manage and configure the Instant Messaging archive.

• Chapter 17, Troubleshooting and Monitoring Instant Messaging lists the common problems that might occur during installation and deployment of Instant Messaging and provides instructions for using the monitoring agent.

Chapter 3 Instant Messaging Configuration File and Directory Structure Overview

This chapter provides information about the configuration files you use to administer Instant Messaging. Familiarize yourself with the locations of these files before making changes to your deployment’s configuration.

This chapter describes the Instant Messaging server directory structure and the properties files used to store Instant Messaging operational data and configuration information in the following sections:

• Instant Messaging Server Directory Structure

• Instant Messaging Server Configuration File

• Instant Messaging Data

Instant Messaging Server Directory Structure

Instant Messaging Server Directory Structure shows the platform-specific directory structure for the Instant Messaging server.

Instant Messaging Server Configuration File

Instant Messaging stores all configuration options in the iim.conf file. For more information on the parameters and their values stored in this file, see Appendix A, Instant Messaging Configuration Parameters in iim.conf

Instant Messaging Data

Instant Messaging server stores the following data used by Instant Messenger in the database directory (im_db_base), and is indicated by the iim.instancevardir parameter in iim.conf:

• End user properties, such as contact lists, messenger settings, subscribed news channels and access control (alternatively, these properties can be stored in LDAP).

• News channel messages and access rules.

• Alert Messages that are to be delivered. These messages are delivered and removed when the recipient logs in.

• Public conferences. This does not involve instant messages which are not persistent, but only properties of the conference objects themselves, such as access rules.

Chapter 4 Configuring Instant Messaging for High Availability (Solaris Only)

Configuring Instant Messaging for high availability (HA) provides for monitoring of and recovery from software and hardware failures. The high availability feature is implemented as a failover data service, not a scalable service, and is supported on Solaris only. This chapter describes an Instant Messaging HA configuration using Sun Cluster software. See HA Related Documentation for more information about scalable and failover data services provided by Sun Cluster.

This chapter describes how to configure an Instant Messaging HA service, including:

• Instant Messaging HA Overview

• Setting Up HA for Instant Messaging

• Stopping, Starting, and Restarting the Instant Messaging HA Service

• Managing the HA RTR File for Instant Messaging

• Removing HA for Instant Messaging

• HA Related Documentation

Instant Messaging HA Overview

You use Sun Cluster with Instant Messaging to create a highly available deployment. This section provides information about HA requirements, terms used in examples in this chapter, and permissions you need to configure HA in the following sections:

• Instant Messaging HA Configuration Software Requirements

• Instant Messaging HA Configuration Permission Requirements

• Instant Messaging HA Configuration Terms and Checklist

Before you begin, you should be familiar with general HA concepts, and Sun Cluster software in particular. For more information, see HA Related Documentation.

Instant Messaging HA Configuration Software Requirements

An Instant Messaging HA configuration requires the software shown in Table 4–1.

Instant Messaging HA Configuration Permission Requirements

To install and configure an Instant Messaging HA configuration, log in as or become superuser (root) and specify a console or window for viewing messages sent to /dev/console.

Instant Messaging HA Configuration Terms and Checklist

Table 4–2 describes the variable terms used in the examples in this chapter for configuration examples. In addition, you will need to gather the information before you configure HA for Instant Messaging. You will be prompted for this information during configuration. Use this checklist in conjunction with the checklist in Table 1–1.

Setting Up HA for Instant Messaging

The following is a high-level list of the steps necessary to install and configure an Instant Messaging HA configuration with two nodes:

• Choosing a Local or Shared Disk for Configuration Files and Binaries

• Preparing Each Node in the Cluster

• Selecting the Installation Directory (im_svr_base)

• Installing Sun Java^TM System Products and Packages

• Configuring the HA Environment

• Configuring the Logical Host

• Registering and Activating the Storage Resource

• Registering the Resource Type and Creating a Resource

• Verifying the Instant Messaging HA Configuration

• Troubleshooting the Instant Messaging HA Configuration

Choosing a Local or Shared Disk for Configuration Files and Binaries

Before you begin, you need to decide which of the following deployments best suits your needs. In both environments, shared components are installed locally on every node in the cluster. In addition, in both environments, runtime files are installed on a shared disk.

• Using a local disk for configuration files and binaries. The advantage to this setup is that upgrading Instant Messaging requires minimal downtime because you can upgrade on nodes where Instant Messaging is offline. The disadvantage is that you need to ensure that the same configuration and version of Instant Messaging exists on all nodes in the cluster.

  In addition, if you choose this option, you need to determine whether you will be using HAStoragePlus to mount a file system from a shared disk on each node when Instant Messaging data services are brought online, or if you will be using the cluster file system for global runtime files.

• Using a shared disk for configuration files and binaries. This setup is easier to administer, but you need to bring Instant Messaging down on all nodes in the cluster before upgrading.

Preparing Each Node in the Cluster

On each node in the cluster, you need to create the Instant Messaging runtime user and group under which the components will run. The UID and GID numbers must be the same on all nodes in the cluster.

• Runtime User ID. The user name under which Instant Messaging server runs. This name should not be root. The default is inetuser.

• Runtime Group ID. The group under which Instant Messaging server runs. The default is inetgroup.

Although the configure utility can create these names for you, you can create them before you run the configuration program, as part of the preparation of each node as described in this chapter. In addition, depending on whether you are using a local or shared disk, you may not run configure on a particular node and must manually create the runtime user and group ID.

The runtime user and group ID names must be in the following files:

• inetuser, or the name you select, in /etc/passwd on all nodes in the cluster

• inetgroup, or the name you select, in /etc/group on all nodes in the cluster

See Creating a UNIX System User and Group for instructions. Refer to your operating system documentation for detailed information about users and groups.

Selecting the Installation Directory (im_svr_base)

For Instant Messaging, the Java Enterprise System installer uses /opt/SUNWiim on Solaris as the default installation directory (im_svr_base). However, if you are using a shared disk for configuration files and binaries, you must specify a global (shared) installation directory. For example: /global/im/opt/SUNWiim.

If you are using a local disk, you can install Instant Messaging to the default directory. However, you should Install Instant Messaging in the same directory on each machine in the node.

Installing Sun Java^TM System Products and Packages

You install products and packages using the Sun Java Enterprise System installer program. For more information about the installer, refer to the Sun Java Enterprise System 2005Q4 Installation Guide.

Table 4–3 lists the products or packages required for a multiple node cluster configuration.

Configuring the HA Environment

The steps you need to perform vary depending on whether or not you are using a local or shared disk for configuration files and binaries.

If you are using a local disk for configuration files and binaries, follow the steps in the following two procedures:

• To Configure HA on Node 1 Using a Local Disk for Configuration Files and Binaries

• To Configure HA on Node n Using a Local Disk for Configuration Files and Binaries

If you are using a shared disk for configuration files and binaries, follow the steps in the following two procedures:

• To Configure HA on Node 1 Using a Shared Disk for Configuration Files and Binaries

• To Configure HA on Node n Using a Shared Disk for Configuration Files and Binaries

To Configure HA on Node 1 Using a Local Disk for Configuration Files and Binaries

Before You Begin

Fill out the checklists in Table 1–1 and Table 4–2 and have your answers readily available.

Steps

1. Install products and packages using the Java Enterprise System installer.

   See Selecting the Installation Directory (im_svr_base) for specific instructions on choosing an installation directory.

   See Table 4–3 for a list of required products and packages for HA. Refer to the Sun Java Enterprise System 2005Q4 Installation Guide for specific instructions.

2. If you are using HAStoragePlus for the runtime files, mount a shared disk to a local directory, otherwise skip to Step 3.

   For example:

   1. Create the mount point (/local/im/im_runtime_base/) if it does not already exist.

      When prompted during configuration in Step 4 you will specify this directory (/local/im/im_runtime_base/) as the Instant Messaging Server Runtime Files Directory.

   2. Use the mount command to mount the disk on /local/im/im_runtime_base.

3. Run the configure utility.

   See Chapter 1, Configuring Instant Messaging After Installation for instructions.

4. When prompted for the Instant Messaging Server Runtime Files Directory, enter one of the following:

   • If you are using an HAStoragePlus for the runtime files, enter /local/im/im_runtime_base/.

   • If you are using a cluster file system for the runtime files, enter /global/im/im_runtime_base/. Where /global/im is the global directory in the cluster file system.

5. When prompted for the Instant Messaging host name, enter the logical host.

   Choose to accept the logical host even if the configure utility cannot connect to the specified host. The logical host resource may be offline at the time you run the configure utility.

6. Do not choose to start Instant Messaging after configuration or on system startup.

   In an HA configuration, the Instant Messaging service also requires the logical host to be online for Instant Messaging to work properly.

7. If you are using HAStoragePlus for runtime files, unmount the shared disk.

To Configure HA on Node n Using a Local Disk for Configuration Files and Binaries

Before You Begin

Ensure that you have completed HA configuration on Node 1 as described in the previous procedure (To Configure HA on Node 1 Using a Local Disk for Configuration Files and Binaries).

Have your answers for the checklists in Table 1–1 and Table 4–2 readily available.

Steps

1. Install products and packages using the Java Enterprise System installer.

   Choose the same path you used when you installed Instant Messaging on node 1 for each subsequent node in the cluster. See Selecting the Installation Directory (im_svr_base) for specific instructions.

   See Table 4–3 for a list of required products and packages for HA. Refer to the Sun Java Enterprise System 2005Q4 Installation Guide for specific instructions.

2. Run the configure utility.

   See Chapter 1, Configuring Instant Messaging After Installation for instructions.

3. When prompted for the Instant Messaging Server Runtime Files Directory, enter the same value that you provided for Node 1.

4. When prompted for the Instant Messaging host name, enter the same logical host you provided for Node 1.

   Choose to accept the logical host even if the configure utility cannot connect to the specified host. The logical host resource may be offline at the time you run the configure utility.

5. When prompted for the user and group, enter the same value that you provided for Node 1.

6. Do not choose to start Instant Messaging after configuration or on system startup.

   In an HA configuration, the Instant Messaging service also requires the logical host to be online for Instant Messaging to work properly.

To Configure HA on Node 1 Using a Shared Disk for Configuration Files and Binaries

Before You Begin

Fill out the checklists in Table 1–1 and Table 4–2 and have your answers readily available.

You must use a cluster file system if you are using a shared disk for configuration files and binaries, not HAStoragePlus.

Steps

1. Install products and packages in a directory in the cluster file system using the Java Enterprise System installer.

   When you install Instant Messaging, you must specify a directory other than the default directory. See Selecting the Installation Directory (im_svr_base) for specific instructions.

   See Table 4–3 for a list of required products and packages for HA. Refer to the Sun Java Enterprise System 2005Q4 Installation Guide for specific instructions.

2. Create a soft link from /etc/opt/SUNWiim that points to /global/im/etc/opt/SUNWiim.

3. Run the configure utility from the global directory where you installed Instant Messaging (/global/im/im_svr_base/configure).

   See Chapter 1, Configuring Instant Messaging After Installation for instructions.

4. When prompted for the Instant Messaging Server Runtime Files Directory, enter the value for /global/im/im_runtime_base.

5. When prompted for the Instant Messaging host name, enter the logical host.

   Choose to accept the logical host even if the configure utility cannot connect to the specified host. The logical host resource may be offline at the time you run the configure utility.

6. Do not choose to start Instant Messaging after configuration or on system startup.

   In an HA configuration, the Instant Messaging service also requires the logical host to be online for Instant Messaging to work properly.

To Configure HA on Node n Using a Shared Disk for Configuration Files and Binaries

Before You Begin

Ensure that you have completed HA configuration on Node 1 as described in the previous procedure (To Configure HA on Node 1 Using a Shared Disk for Configuration Files and Binaries).

Have your answers for the checklists in Table 1–1 and Table 4–2 readily available.

Steps

1. Create a soft link from /etc/opt/SUNWiim that points to /global/im/etc/opt/SUNWiim.

2. Create a soft link for the resource type registration (RTR) file:

   ln -s /global/im/im_svr_base/cluster/SUNW.iim \ /usr/cluster/lib/rgm/rtreg/SUNW.iim

Configuring the Logical Host

Before starting Instant Messaging, you need to create a resource group, add the logical host, and bring the resource group online.

To Configure the Resource Group With the Logical Host

Steps

1. Create an Instant Messaging failover resource group named im_resource_group:

   # scrgadm -a -g im_resource_group -h im-node-2,im-node-1

2. Add the logical host name im_logical_host to the resource group.

   Instant Messaging will listen on this host name.

   # scrgadm -a -L -g im_resource_group -l im_logical_host

3. Bring the resource group online:

   # scswitch -Z -g im_resource_group

Registering and Activating the Storage Resource

Before you can bring the Instant Messaging data service online, you need to register and activate the storage resource as described in this section.

To Register and Enable the Storage Resource

Steps

1. Register the storage resource.

   If you are using HAStoragePlus with a global file system (GFS), set the mount point as the value for the FileSystemMountPoints property. For example:

   # scrgadm -a -j im_resource_group_store -g im_resource_group -t SUNW.HAStorage \ -x FileSystemMountPoints=/global/im -x AffinityOn=True

   Otherwise, specify the mount point as the value for the ServicePaths property. For example:

   # scrgadm -a -j im-resource-group-store -g im-resource-group -t SUNW.HAStorage \ -x ServicePaths=/global/im -x AffinityOn=True

2. Enable the storage resource:

   # scswitch -e -j im_resource_group_store

Registering the Resource Type and Creating a Resource

Before you start the HA Instant Messaging server or multiplexor, you need to register the resource type SUNWiimsc with Sun Cluster and create a resource.

To Register the Resource Type and Create a Resource

Steps

1. Register the resource type.

   # scrgadm -a -t SUNW.iim

2. Create the resource.

   Enter the following command on a single line:

   # scrgadm -a -j im_resource -g im_resource_group -t SUNW.iim -x Confdir_list=/global/im/im_resource_group -y Resource_dependencies=im_resource_group_store -y Port_list=80/tcp

3. Enable the resource:

   # scswitch -e -j im_resource

4. Start Instant Messaging components.

   ---

   Caution –

   Do not use the imadmin start, imadmin stop, or imadmin refresh commands in an HA environment with Sun Cluster. Instead, use the Sun Cluster administrative utilities.

   ---

Verifying the Instant Messaging HA Configuration

After you start Instant Messaging, you need to verify the HA configuration as described in this section.

To Verify the HA Configuration for Instant Messaging

Steps

1. Check that all required processes are running.

2. Conduct a switchover of the service to the backup node to ensure the high availability.

   For example, if the service is running on im_node_1, issue the following command to switch the service to im_node_2.

   # scswitch -z -g im_resource_group -h im_node_2

3. Check that all required processes are started on im_node_2.

Troubleshooting the Instant Messaging HA Configuration

To help with troubleshooting, error messages are written to the error log. The logs are controlled by the syslog facility. For information about using the logging facility, refer to the HA Related Documentation and to the man page for syslog.conf.

Stopping, Starting, and Restarting the Instant Messaging HA Service

To start and stop the Instant Messaging HA service, use the Sun Cluster scswitch command.

Do not use the imadmin start, imadmin stop, or imadmin refresh commands in an HA environment with Sun Cluster. Instead, use the Sun Cluster administrative utilities.

For more information about the Sun Cluster scswitch command, refer to the Sun Cluster Reference Manual for Solaris OS.

To Start the Instant Messaging HA Service

Step

Type the following at the command line:

# scswitch -e -j im_resource

To Stop the Instant Messaging HA Service

Step

Type the following at the command line:

# scswitch -n -j im_resource

To Restart the Instant Messaging HA Service

Step

Type the following at the command line:

# scswitch -R -j im_resource

Managing the HA RTR File for Instant Messaging

The resource type registration (RTR) file is an ASCII text file that describes a highly-available resource type that runs under the control of the Resource Group Manager (RGM). The RTR file is used as an input file by the scrgadm command to register the resource type into the cluster configuration. The Instant Messaging RTR file, SUNW.iim, is created when you install the SUNWiimsc package during HA configuration.

This section provides information about managing this file in the following sections:

• Instant Messaging RTR File Parameters

• Customizing the RTR File for Instant Messaging

Instant Messaging RTR File Parameters

The following table lists the extension properties in the Instant Messaging RTR file (SUNW.iim) that are specific to Instant Messaging.

Customizing the RTR File for Instant Messaging

You can modify the values for several of the extension properties in the Instant Messaging RTR file (SUNW.iim) to configure your HA environment. Extension properties are properties that are specific to the resource type. These properties are inherited by every resource of the same type. Instant Messaging extension properties are described in Table 4–4.

See the documentation for rt_reg and property_attributes in the Sun Cluster Reference Manual for Solaris OS for more information on the contents of resource type registration files and instructions on customizing values for extension properties.

Removing HA for Instant Messaging

In order to remove Instant Messaging from an HA environment, you need to remove the Instant Messaging cluster agent SUNWiimsc as described in this section.

To Remove HA for Instant Messaging

Before You Begin

When you remove the SUNWiimsc package as described in this procedure, any customizations you made to the RTR file SUNW.iim are lost. If you want to restore them at a later time, you need to create a backup copy of SUNW.iim before removing the SUNWiimsc package.

Steps

1. Bring down the Instant Messaging data service:

   scswitch -F -g im_resource_group

2. Disable all resources in the Instant Messaging resource group (im_resource_group):

   # scswitch -n -j im_resource # scswitch -n -j im_logical_host # scswitch -n -j im_resource_group_store

3. Remove the resources from the Instant Messaging resource group:

   # scrgadm -r -j im_resource # scrgadm -r -j im_logical_host # scrgadm -r -j im_resource_group_store

4. Remove the Instant Messaging resource group:

   # scrgadm -r -g im_resource_group

5. Remove the Instant Messaging resource type:

   # scrgadm -r -t SUNW.iim

6. Remove the SUNWiimsc package using the Java Enterprise System installer or manually as follows:

   pkgrm SUNWiimsc

   When you remove the package, any customizations you made to the RTR file are lost.

7. If you are using a shared directory for configuration files and binaries, remove any soft links created during HA configuration.

   On Node 1:

   rm /etc/opt/SUNWiim

   On all other nodes:

   rm /usr/cluster/lib/rgm/rtreg/SUNW.iim

HA Related Documentation

• Sun Java Enterprise System 2005Q4 Technical Overview.

• Sun Java Enterprise System 2005Q4 Installation Guide for UNIX describes the Java Enterprise System installer (and uninstaller) and the supported installation scenarios.

• Sun Java Enterprise System 2005Q4 Release Notes provide current information about the Sun Java Enterprise System product.

• Sun Cluster Concepts Guide for Solaris OS provides a general background about Sun Cluster software, data services, and terminology resource types, resources, and resource groups.

• Sun Cluster Data Services Planning and Administration Guide for Solaris OS provides general information on planning and administration of data services.

• Sun Cluster System Administration Guide for Solaris OS provides the software procedures for administering a Sun Cluster configuration.

• Sun Cluster Reference Manual for Solaris OS describes the commands and utilities available with the Sun Cluster software, including commands found only in the SUNWscman and SUNWccon packages.

• Sun Java System Communications Services 6 2005Q4 Deployment Planning Guide provides further information about how HA is implemented in Instant Messaging.

Chapter 5 Scaling an Instant Messaging Deployment Using Server Pooling

Server pooling allows you to support millions of users within a single domain. Using a server pool, you can share a domain across several servers in a server pool. In addition, you can use a load balancer to help manage server utilization in the pool. This chapter provides information on server pooling in the following sections:

• Overview of Server Pooling for Instant Messaging

• Availability in an Instant Messaging Server Pool

• Configuring Server-to-Server Communication Between Instant Messaging Servers in a Server Pool

• Adding a New Node to an Existing Instant Messaging Deployment

• Securing a Multi-node Deployment

Overview of Server Pooling for Instant Messaging

By creating a server pool, the number of users you can support in an Instant Messaging deployment is no longer constrained by the capacity of a single server system. Instead, you can use the resources of several systems to support the users in a single domain. In addition, server pools provide redundancy so that if one server in the pool fails, affected clients can reconnect and continue their sessions through another server in the pool with a minimum of inconvenience. Deploying more than one server in a server pool creates a multi-node deployment.

You create a server pool by configuring the Instant Messaging servers to communicate over the server-to-server port and get user data from the same storage location; either a shared file system or LDAP directory. Once you have configured the servers, you need to configure the client resources to point to the load balancer, or load director, instead of a single node's host and port.

In order to ensure that all servers within a server pool have consistent data, the following information is replicated among all servers in the pool:

• Routing information for end users

• Conference membership and configuration

• Multiparty conference messages

The following information is not replicated:

• One on one chat messages

• Presence subscriptions and notifications

In addition, if you are enforcing policy through access control files in your deployment, the content of the access control files must be the same among all servers in a server pool. See Managing Policies Using Access Control Files for more information.

Availability in an Instant Messaging Server Pool

If a node in a server pool goes down, all currently connected clients are disconnected and the sessions and resources become unavailable. If you set up your deployment with load balancers, users can immediately reconnect and be directed by a load balancer to another node in the pool. When they do so, they will not need to recreate conferences or news channels as this information is shared between servers in the pool. In addition, one-to-one chat sessions can be continued after the user is directed to another node in the pool.

Configuring Server-to-Server Communication Between Instant Messaging Servers in a Server Pool

This section describes how to enable communication between two Instant Messaging servers, or peers, in a server pool. You must configure all servers in the pool with information about all other servers in the pool.

Table 5–1 lists the parameters in iim.conf and their values used to set up communication for two example Instant Messaging servers in a server pool; iimA.siroe.com and iimB.siroe.com.

For more information on the configuration parameters, see Appendix A, Instant Messaging Configuration Parameters in iim.conf.

To Set Up Communication Between Two Instant Messaging Servers in a Server Pool

Steps

1. Gather the information listed in Table 5–1.

2. Change to im_cfg_base on the server iimA.siroe.com.

   See Instant Messaging Server Directory Structure for instructions on locating im_cfg_base.

3. Open iim.conf.

   See iim.conf File Syntax for instructions on locating and modifying iim.conf.

   ---

   Note –

   The iim.conf file should be owned by the Instant Messaging server account you created during installation. If the iim.conf file cannot be read by the Instant Messaging server account, the server and multiplexor will be unable to read the configuration. Additionally, you might lose the ability to edit iim.conf.

   ---

4. Modify the parameter values to match your deployment.

   Table 6–1 lists the parameters you need to modify. If the parameters do not exist in iim.conf, add them. The following example shows the section of iim.conf on iimA.siroe.com corresponding to the server-to-server communications that you need to modify:

   iim_server.serverid=iimA.siroe.com iim_server.password=secretforiimA iim_server.domain=siroe.com iim_server.coservers=coserver1 iim_server.coserver1.host=iimB.siroe.com:9919 iim_server.coserver1.serverid=iimB.siroe.com iim_server.coserver1.password=secret4iimB iim_server.coserver1.domain=siroe.com

5. Follow steps 2 through 4 for the iim.conf file on server iimB.siroe.com.

   The following example shows the section of iim.conf on iimB.siroe.com corresponding to the server-to-server communications that you need to modify:

   iim_server.serverid=iimB.siroe.com iim_server.password=secret4iimB iim_server.domain=siroe.com iim_server.coservers=coserver1 iim_server.coserver1.host=iimA.siroe.com:9919 iim_server.coserver1.serverid=iimA.siroe.com iim_server.coserver1.password=secretforiimA iim_server.coserver1.domain=siroe.com

6. Save the changes and close iim.conf.

7. Refresh the configuration on both servers.

   imadmin refresh server

   ---

   Caution –

   Do not use the imadmin start, imadmin stop, or imadmin refresh commands in an HA environment with Sun Cluster. Instead, use the Sun Cluster administrative utilities.

   ---

Adding a New Node to an Existing Instant Messaging Deployment

If you need to add an additional node to an existing server pool, you need to configure the new server for server-to-server communication and then add configuration information about the new server to all existing servers in the pool. See To Set Up Communication Between Two Instant Messaging Servers in a Server Pool for instructions.

Securing a Multi-node Deployment

When a node connects to a remote server, the node provides a dialback key. The remote server then connects back to the node in order to verify the dialback key. In a multi-node deployment, the remote server may connect back to a different node in the pool from the node that originally sent the dialback key. The node the remote server connects to must provide the same dialback key that the original connecting node supplied. The iim_server.dialback key configuration parameter defines which dialback key a node should use. The value for the dialback key is randomly generated unless you explicitly specify one. See To Manually Define the Dialback Key for an Instant Messaging Server in a Server Pool for instructions.

The From attribute is used by a remote server to connect back to an initiating server. Typically, a server's domain name is used as the value for the From attribute in server-to-server communication under Jabber. However, all servers in a server pool share the same domain name. Therefore, the domain name cannot be used as a key to locate a single server in a pool. Instead, Instant Messaging uses a server or peer identifier (serverid) instead of the domain name as the value for the From attribute.

To Manually Define the Dialback Key for an Instant Messaging Server in a Server Pool

The value for the dialback key is randomly generated unless you explicitly specify one.

Steps

1. Open iim.conf.

   See iim.conf File Syntax for instructions on locating and modifying iim.conf.

2. Modify the value of the iim_server.dialback.key parameter.

   For example:

   iim_server.dialback.key=mymultinodedialbackkey

3. Save the changes and close iim.conf.

4. Refresh the configuration on both servers.

   imadmin refresh server

   ---

   Caution –

   Do not use the imadmin start, imadmin stop, or imadmin refresh commands in an HA environment with Sun Cluster. Instead, use the Sun Cluster administrative utilities.

   ---

Chapter 6 Federating Deployment of Multiple Instant Messaging Servers

In an LDAP-only deployment, when you federate multiple Instant Messaging deployments you form a larger Instant Messaging community. End users from different servers can communicate with each other, use conference rooms on other domains, and subscribe to news channels on remote servers based on the access privileges.

In a deployment with Sun Java^TM System Access Manager, a single Instant Messaging server can host multiple domains. You can designate a single domain as the default domain for a Instant Messaging server instance. End users in different domains hosted by the same server cannot interact with each other. When you federate multiple Instant Messaging deployments, end users in default domains can see the end users in default domains of other remote Instant Messaging servers.

For enabling communication between multiple Instant Messaging servers in your network, you need to configure your server to identify itself to the other Instant Messaging servers in the network. An Instant Messaging server identifies itself with its domain name, host and port number, server ID, and password.

In an LDAP-only deployment, the two servers should reside in different domains.

Within the server configuration, you can assign each Instant Messaging server a symbolic name, consisting of letters and digits, for example, IMserver1.

It is recommended that the server-to-server communication is secured using TLS (SSL). This is required to prevent third party infringement of security when data is exchanged between two servers. This precaution is extremely desirable in the case where the link between the two servers uses the public internet. Follow the instructions outlined below to configure SSL between Instant Messaging servers.

Configuring Federated Communication Between Instant Messaging Servers

This section describes how to enable federated communication between two Instant Messaging servers.

Table 6–1 lists the parameters in iim.conf used to federate communication between two servers, and the values for these parameters for two example Instant Messaging servers; iim.company22.com and iim.i-zed.com.

For more information on the configuration parameters, see Appendix A, Instant Messaging Configuration Parameters in iim.conf.

Each Instant Messaging server is identified by its symbolic name. The symbolic name of the server is added in the iim_server.coservers parameter in iim.conf. This parameter has multiple values and each value is separated by a comma.

To Federate Communication Between Two Instant Messaging Servers

Steps

1. Gather the information listed in Table 6–1.

2. Change to im_cfg_base on the server iim.company22.com.

   See Instant Messaging Server Directory Structure for instructions on locating im_cfg_base.

3. Open iim.conf.

   See iim.conf File Syntax for instructions on locating and modifying iim.conf.

   ---

   Note –

   The iim.conf file should be owned by the Instant Messaging server account you created during installation. If the iim.conf file cannot be read by the Instant Messaging server account, the server and multiplexor will be unable to read the configuration. Additionally, you might lose the ability to edit iim.conf.

   ---

4. Modify the parameter values to match your deployment.

   Table 6–1 lists the parameters you need to modify. If the parameters do not exist in iim.conf, add them. The following example shows the section of iim.conf on iim.company22.com corresponding to the server-to-server communications that you need to modify:

   iim_server.serverid=Iamcompany22 iim_server.password=secretforcompany22 iim_server.domain=iim.icompany22.com iim_server.coservers=coserver1 iim_server.coserver1.host=iim.i-zed.com:9919 iim_server.coserver1.serverid=Iami-zed iim_server.coserver1.password=secret4i-zed iim_server.coserver1.domain=i-zed.com

5. Follow steps 2 through 4 for the iim.conf file on server iim.i-zed.com.

   The following example shows the section of iim.conf on iim.i-zed.com corresponding to the server-to-server communications that you need to modify:

   iim_server.serverid=Iami-zed iim_server.password=secret4i-zed iim_server.domain=iim.i-zed.com iim_server.coservers=coserver1 iim_server.coserver1.host=iim.company22.com:9919 iim_server.coserver1.serverid=Iamcompany22 iim_server.coserver1.password=secretforcompany22 iim_server.coserver1.domain=company22.com

6. Save the changes and close iim.conf.

7. Refresh the configuration on both servers.

   imadmin refresh server

Chapter 7 Administering Instant Messaging Components

This chapter explains how to administer the Instant Messaging components (server, multiplexor, Calendar agent, cluster agent, and watchdog) and perform other administrative tasks, such as changing configuration parameters and creating backups.

This chapter contains the following sections, which describe the various administrative tasks in Instant Messaging:

• Stopping, Starting, Refreshing, and Checking Instant Messaging Components

• Changing Instant Messaging Server and Multiplexor Configuration Parameters

• Backing Up Instant Messaging Data

Stopping, Starting, Refreshing, and Checking Instant Messaging Components

The imadmin command enables you to:

• Start and stop all Instant Messaging components (server, multiplexor, Calendar agent, cluster agent, and watchdog).

• Start and stop an individual Instant Messaging component.

• Refresh all Instant Messaging component configurations.

• Refresh an individual Instant Messaging component.

• Check the status of Instant Messaging components.

The imadmin command-line utility can be executed only by root or a user who has administration rights to the system(s) on which the Instant Messaging server and multiplexor are running. This end user is typically the identity that the server runs as, and is designated during installation:

• On Solaris - inetuser.

• In a deployment with Sun Java^TM System Access Manager, if the Sun Java^TM System Portal Server and the Instant Messaging server are installed on the same host, the user is the one who is running the Access Manager, as root.

The imadmin command-line utility is located in the following directory:

im_svr_base/sbin

Starting the Instant Messaging server enables Instant Messenger to connect to it. Stopping the Instant Messaging server closes all connections and disconnects all Instant Messenger clients.

Starting Instant Messaging Components

You can start all the components together or a single component separately.

Use the imadmin command with the start option to start the Instant Messaging Server, multiplexor, Calendar agent, cluster agent, and watchdog depending on which components are enabled.

Do not use the imadmin start, imadmin stop, or imadmin refresh commands in an HA environment with Sun Cluster. Instead, use the Sun Cluster administrative utilities.

To Start All Components

Step

At the command line, type the following:

imadmin start

If both server and multiplexor are enabled, this command first starts the Instant Messaging server, and then starts the multiplexor.

If the watchdog is enabled (default), this command starts the watchdog, then the watchdog reads the configuration file and starts the Instant Messaging Server and/or multiplexor as necessary.

To Start a Single Component

Step

At the command line, type the imadmin start command with an argument that designates the component as follows:

Server:

imadmin start server

Multiplexor:

imadmin start multiplexor

Calendar agent:

imadmin start agent-calendar

Watchdog:

imadmin start watchdog

Stopping Instant Messaging Components

You can stop all the components together or a single component separately.

Use the imadmin command with the stop option to stop the Instant Messaging Server, multiplexor, Calendar agent, cluster agent, and watchdog depending on which components are enabled.

Do not use the imadmin start, imadmin stop, or imadmin refresh commands in an HA environment with Sun Cluster. Instead, use the Sun Cluster administrative utilities.

To Stop All Components

Step

At the command line, type the following:

imadmin stop

If the watchdog is running, imadmin brings the watchdog down first, and then stops the server and/or the multiplexor.

This command stops the server, multiplexor, Calendar agent, cluster agent, and watchdog, terminates all end user connections, and disconnects any inbound and outbound servers configured.

To Stop a Single Component

Step

At the command line, type the imadmin stop command with an argument that designates the component as follows:

Server:

imadmin stop server

Multiplexor:

imadmin stop multiplexor

Calendar agent:

imadmin stop agent-calendar

Watchdog:

imadmin stop watchdog

Refreshing Component Configuration

Use the imadmin command with the refresh option to stop and restart an individual Instant Messaging component and refresh that component’s configuration.

You can refresh all the components together or a single component separately.

Whenever you change a configuration parameter in the iim.conf file, you also need to refresh the configuration.

Do not use the imadmin start, imadmin stop, or imadmin refresh commands in an HA environment with Sun Cluster. Instead, use the Sun Cluster administrative utilities.

To Refresh All Components

Step

At the command line, type the following:

imadmin refresh

This command stops the server, multiplexor, Calendar agent, cluster agent, and watchdog, terminates all end user connections, and disconnects any inbound and outbound servers configured.

If the watchdog is running, imadmin brings the watchdog down first, and then stops the server and/or the multiplexor. Then starts the watchdog which reads the configuration file and starts the Instant Messaging server and/or multiplexor as necessary.

To Refresh a Single Component

Step

At the command line, type the imadmin refresh command with an argument that designates the component as follows:

Server:

imadmin refresh server

Multiplexor:

imadmin refresh multiplexor

Calendar agent:

imadmin refresh agent-calendar

Cluster agent:

imadmin refresh monitor

Watchdog:

imadmin refresh watchdog

Checking the Status of Instant Messaging Components

You can check the status of all the components together or a single component separately using the imadmin command with the status option. This command returns results in the following format:

Component  [status]

For example:

Server          [UP]
Multiplexor     [UP]
Agent:calendar  [DOWN]
Watchdog        [UP]

To Check the Status of All Components

Step

At the command line, type the following:

imadmin status

This command returns the status of all enabled components.

To Check the Status of a Single Component

Step

At the command line, type the imadmin status command with an argument that designates the component as follows:

Server:

imadmin status server

Multiplexor:

imadmin status multiplexor

Calendar agent:

imadmin status agent-calendar

Watchdog:

imadmin status watchdog

Changing Instant Messaging Server and Multiplexor Configuration Parameters

Instant Messaging stores configuration parameters in the iim.conf file. For a complete list of configuration parameters, see Appendix A, Instant Messaging Configuration Parameters in iim.conf.

To change configuration parameters, manually edit the configuration parameters and values in the iim.conf file, then refresh the Instant Messaging server configuration. If you change a multiplexor parameter, you only need to refresh the multiplexor as follows:

imadmin refresh multiplexor

For a complete list of parameters and their values, see Appendix A, Instant Messaging Configuration Parameters in iim.conf.

Do not use the imadmin start, imadmin stop, or imadmin refresh commands in an HA environment with Sun Cluster. Instead, use the Sun Cluster administrative utilities.

To Change Configuration Parameters

Steps

1. Change to the im_cfg_base directory.

   See Instant Messaging Server Directory Structure for instructions on locating im_cfg_base.

2. Edit iim.conf using a text editor.

3. Save your changes.

4. Refresh the configuration using imadmin.

   For example:

   imadmin refresh

   ---

   Note –

   If you change the multiplexor listen port (iim_mux.listenport) or the multiplexor host, update the im.html or the im.jnlp files accordingly. Failure to do so disables Instant Messenger from connecting to the server. For more information, see Chapter 13, Managing Instant Messenger.

   ---

Backing Up Instant Messaging Data

Instant Messaging does not come with any disaster recovery tools. Use your site’s backup system to backup the configuration and database directories periodically. This section describes backing up Instant Messaging in the following sections:

• Backup Information

• Performing a Backup

• Restoring Backup Information

Backup Information

The Instant Messaging information that needs to be backed up are of the following types:

• Configuration Information

• Instant Messaging end user data

• Instant Messenger resources

The configuration information is stored in the configuration directory (im_cfg_base). Default paths are described in Instant Messaging Server Directory Structure.

The Instant Messaging data is stored in the database directory (im_db_base). Defaults for im_db_base are also described in Instant Messaging Server Directory Structure.

The Instant Messenger resources must be backed up if they have been customized. The location of the Instant Messenger resources are provided during installation.

Performing a Backup

While the configuration information does not change frequently, the Instant Messaging end-user data changes rapidly and to prevent any loss of end-user data you should back up the Instant Messaging end-user data on a periodic basis. You need to perform the backup before running the installation program and the uninstallation program.

To backup the end user data and the configuration information you do not have to stop the Instant Messaging server as all the disk commits by the server are automatically performed.

Restoring Backup Information

The back up of the end-user data and the configuration information needs to be restored when there is a disk failure and all the end-user data and the configuration information is lost.

To Restore End-user Data from Backup

Steps

1. Change to the im_runtime_base directory.

   See Instant Messaging Server Directory Structure for information on locating im_runtime_base.

2. Stop the Instant Messaging server:

   imadmin stop

3. Copy the backed up data to the im_db_base directory.

   Be sure to maintain the directory structure of the backed up data.

4. Verify the permissions and owner of the newly restored data.

   The files should be owned by the Instant Messaging system user. See Creating a UNIX System User and Group for information on this user. Permissions should be set as follows:

   • Files: 600 (indicating read and write permissions for owner only)

   • Directories: 700 (indicating read, write, and execute permissions for owner only)

   Refer to your operating system documentation for information on changing permissions and owners.

5. Start the Instant Messaging server.

   imadmin start

Chapter 8 Using the Instant Messaging XMPP/HTTP Gateway

The XMPP/HTTP Gateway provides Instant Messaging access to non-XMPP based clients, such as HTML based clients, and clients behind firewalls that allow HTTP traffic, but don't permit XMPP traffic. The gateway proxies Instant Messaging traffic to the XMPP server on behalf of HTTP clients.

The XMPP/HTTP Gateway is deployed with the Instant Messenger resource files as a webapp on the web container.

This chapter provides information on configuring and maintaining the XMPP/HTTP Gateway in the following sections:

• Instant Messaging XMPP/HTTP Gateway Configuration Files

• Configuring the Instant Messaging XMPP/HTTP Gateway

• Managing Logging for the XMPP/HTTP Gateway

Instant Messaging XMPP/HTTP Gateway Configuration Files

The XMPP/HTTP Gateway uses the following files for configuration:

• Gateway webapp configuration file (web.xml). The contents of this file determine which gateway configuration file to use. For information on using a non-default configuration file, see To Configure the Instant Messaging XMPP/HTTP Gateway to Use a Non-default Configuration File.

• Gateway configuration file (typically httpbind.conf). See Configuring the Instant Messaging XMPP/HTTP Gateway for instructions on configuring the gateway. See Appendix B, Instant Messaging XMPP/HTTP Gateway Configuration Parameters in httpbind.conf for a description of httpbind.conf file syntax, file location, and a list of configuration parameters in this file.

• Gateway logging configuration file (typically log4j.logger.httpbind). See Managing Logging for the XMPP/HTTP Gateway for more information on configuring logging. See XMPP/HTTP Gateway log4j Log Configuration File Syntax for logging configuration file syntax.

Configuring the Instant Messaging XMPP/HTTP Gateway

When you run the configure utility after installation, you can choose to deploy the XMPP/HTTP Gateway or not. If enabled, the configure utility creates a default configuration file (httpbind.conf) for the gateway. You can change the configuration by modifying the values in this file. See Appendix B, Instant Messaging XMPP/HTTP Gateway Configuration Parameters in httpbind.conf for a description of httpbind.conf file syntax, file location, and a list of configuration parameters in this file, or refer to the instructions in this section.

In addition, when you choose to deploy the gateway during initial configuration, the configure utility creates a .war file in the im_svr_base/work directory and then deploys this file on the web or application server in the directory you specified for the codebase.

You can also configure the gateway to use a non-default configuration file by modifying the values in web.xml which is deployed with the client resources on the web container.

The instructions in this section assume the gateway configuration file is httpbind.conf. If you are using a non-default configuration file, substitute your configuration file for httpbind.conf in the instructions.

Any time you make a change to httpbind.conf, you will need to restart the XMPP/HTTP Gateway.

This section contains the following instructions:

• To Enable or Disable the Instant Messaging XMPP/HTTP Gateway

• To Configure the Number of Concurrent Requests Handled by the XMPP/HTTP Gateway

• To Set the JEP 124 hold Attribute for Client Requests to the XMPP/HTTP Gateway

• To Specify the Allowed Client Inactivity Time for the XMPP/HTTP Gateway

• To Set the content-type HTTP Header for the XMPP/HTTP Gateway

• To Set the Round Trip Delay for the XMPP/HTTP Gateway

• To Set the Default Time Within Which the XMPP/HTTP Gateway Will Send a Response to the Client

• To Configure an XMPP/HTTP Gateway in a Instant Messaging Gateway Pool

• To Configure the List of Key IDs for Supported XMPP/HTTP Gateway Domains

• To Configure the Instant Messaging XMPP/HTTP Gateway to Use a Non-default Configuration File

For instructions on configuring logging for the gateway, see Managing Logging for the XMPP/HTTP Gateway.

To Enable or Disable the Instant Messaging XMPP/HTTP Gateway

You enable the gateway by running the configure utility and then setting a parameter in iim.conf. You can disable the gateway later using tools provided by your web container or application server.

Steps

1. To enable the gateway:

   1. Run the configure utility.

   2. Choose to deploy the gateway when prompted.

      See Chapter 1, Configuring Instant Messaging After Installation for more information.

   3. In iim.conf, set the iim_agent.httpbind.enable parameter to true.

      For example:

      iim_agent.httpbind.enable=true

2. To disable the gateway, disable the webapp using the tools provided by the web or application server.

To Configure the Number of Concurrent Requests Handled by the XMPP/HTTP Gateway

Steps

1. Open httpbind.conf.

   See httpbind.conf File Location for information on finding this file.

2. Set the httpbind.requests parameter to the maximum number of concurrent requests a single client can send to the gateway.

   The default is 2. For example:

   httpbind.requests=2

   The number of concurrent requests a client can make to the gateway. If the value of this parameter is less than the value for the JEP 124 hold attribute in the client request, the value for this parameter will be set to hold+1. Do not set this parameter to 1, as doing so could severely degrade performance. See To Set the JEP 124 hold Attribute for Client Requests to the XMPP/HTTP Gateway and Table B–1 for more information on the httpbind.hold parameter.

3. Save and close httpbind.conf.

4. Restart the gateway using the tools provided by the web or application server.

To Set the JEP 124 hold Attribute for Client Requests to the XMPP/HTTP Gateway

Before You Begin

Ensure that you are familiar with the JEP 124 draft standard. More information is available at http://www.jabber.org/jeps/jep-0124.html.

Steps

1. Open httpbind.conf.

   See httpbind.conf File Location for information on finding this file.

2. Set the httpbind.hold parameter to the maximum value you want the gateway to allow for the hold attribute in the client request.

   The default is 5. For example:

   httpbind.hold=5

   If the hold value sent by the client is greater than the gateway's hold value, the gateway's hold value is used.

3. Save and close httpbind.conf.

4. Restart the gateway using the tools provided by the web or application server.

To Specify the Allowed Client Inactivity Time for the XMPP/HTTP Gateway

Steps

1. Open httpbind.conf.

   See httpbind.conf File Location for information on finding this file.

2. Set httpbind.inactivity parameter to the time in seconds after which you want the gateway to terminate idle connections.

   The default is 180 seconds. For example:

   httpbind.inactivity=180

   If clients do not poll the gateway before this time elapses, the gateway terminates the connection.

3. Save and close httpbind.conf.

4. Restart the gateway using the tools provided by the web or application server.

To Set the content-type HTTP Header for the XMPP/HTTP Gateway

Steps

1. Open httpbind.conf.

   See httpbind.conf File Location for information on finding this file.

2. Set the httpbind.content_type parameter to the content-type you want the gateway to use if the client does not specify one in its initial request.

   The default is text/xml; charset=utf-8. For example:

   httpbind.content_type=text/xml; charset=utf-8

3. Save and close httpbind.conf.

4. Restart the gateway using the tools provided by the web or application server.

To Set the Round Trip Delay for the XMPP/HTTP Gateway

Steps

1. Open httpbind.conf.

   See httpbind.conf File Location for information on finding this file.

2. Set the httpbind.round_trip_delay parameter as required.

   The round_trip_delay is the amount of time, in seconds, you want to allow in addition to time-outs for round trips between gateway and client. This helps to account for network latencies. Setting this value too high may degrade performance. The value is in seconds. The default is 1 second. For example:

   httpbind.round_trip_delay=1

   Setting this value too high may degrade performance. Consider the general latency in your network before changing this parameter.

3. Save and close httpbind.conf.

4. Restart the gateway using the tools provided by the web or application server.

To Set the Default Time Within Which the XMPP/HTTP Gateway Will Send a Response to the Client

Steps

1. Open httpbind.conf.

   See httpbind.conf File Location for information on finding this file.

2. Set the httpbind.wait_time parameter as required.

   The client is guaranteed a response from the XMPP/HTTP Gateway within the wait time you designate with this parameter. Consider the speed of your network when setting this parameter. Do not set the value so low that the XMPP/HTTP Gateway is unlikely to be able to send the request in time.

   The value is in seconds. The default is 120 seconds. For example:

   httpbind.wait_time=120

   If the value set for the client is greater than the value for the gateway, the gateway wait time is used.

3. Save and close httpbind.conf.

4. Restart the gateway using the tools provided by the web or application server.

To Configure an XMPP/HTTP Gateway in a Instant Messaging Gateway Pool

Steps

1. Open httpbind.conf.

   See httpbind.conf File Location for information on finding this file.

2. To configure the gateway as part of a deployment with an Instant Messaging gateway pool:

   1. Set the httpbind.pool.support parameter to true:

      httpbind.pool.support=true

   2. Set the httpbind.pool.nodeId parameter to the full URL of the gateway.

      The URL is used as the gateway's nodeId. This nodeId must be unique within the server pool. The gateway uses this nodeId to determine whether it must service a received request or forward the request to another gateway in the pool.

3. To configure the gateway not to work within a gateway pool, set the httpbind.pool.support parameter as follows:

   httpbind.pool.support=false

4. Save and close httpbind.conf.

5. Restart the gateway using the tools provided by the web or application server.

To Configure the List of Key IDs for Supported XMPP/HTTP Gateway Domains

Steps

1. Open httpbind.conf.

   See httpbind.conf File Location for information on finding this file.

2. Set the httpbind.config to the list of IDs you want the gateway to use.

   For each domain you need to specify a separate ID for this parameter. For example:

   httpbind.config=gwdomain_id

   Where gwdomain_id is the identifier you want to use for the domain.

   For example:

   httpbind.config=siroe

3. For each gwdomain_id you specify, add the following parameters to the httpbind.conf file:

   gwdomain_id.domain=domain_name gwdomain_id.hosts=gateway_host gwdomain_id.componentjid=component_jid gwdomain_id.password=password

   Where:

   • gwdomain_id is the ID specified for the gateway in httpbind.config in the previous step.

   • domain_name is the domain in which the identified gateway runs.

   • gateway_host is a comma-separated or space-separated list of the fully-qualified domain name (FQDN) and port number of the gateway hosts that support this domain.

   • component_jid is the component JID of the gateway.

   • password is the password of the identified gateway.

   For example, if the gwdomain_id is set to siroe:

   siroe.domain=siroe.com siroe.hosts=gateway.siroe.com:5222 siroe.componentjid=http.gateway.siroe.com siroe.password=gatewaypassword

   See Gateway Domain ID Key Parameters for httpbind.config for more information about these key parameters.

4. Save and close httpbind.conf.

5. Restart the gateway using the tools provided by the web or application server.

To Configure the Instant Messaging XMPP/HTTP Gateway to Use a Non-default Configuration File

Steps

1. On the web container on which Instant Messenger resource files are deployed, edit web.xml.

   Use your web container's tools to edit this file.

2. Change the value for the httpbind.config.file parameter to the location of the configuration file you want the gateway to use.

Managing Logging for the XMPP/HTTP Gateway

You can configure the level of logging for the XMPP/HTTP Gateway, enable or disable logging entirely, and change the location of the gateway log file or the gateway log configuration file as described in the following sections:

• To Enable or Disable Logging for the XMPP/HTTP Gateway

• To Change the Location of the XMPP/HTTP Gateway Log Configuration File

• To Change the Location of the XMPP/HTTP Gateway Log File

• To Set the XMPP/HTTP Gateway Logging Level

• XMPP/HTTP Gateway log4j Log Configuration File Syntax

More information about the log4j format supported by Instant Messaging's is described at the Apache Logging Services website.

To Enable or Disable Logging for the XMPP/HTTP Gateway

You can enable or disable logging for the gateway in two ways:

• Adding or removing the value for the httpbind.log4j.config parameter in httbind.conf.

• (Recommended) Modifying the configuration within the gateway's log4j configuration file (httpbind_log4j.conf).

Under most circumstances, you should modify the configuration in the httpbind_log4j.conf file itself, leaving the httpbind.log4j.config parameter set to the location of the httpbind_log4j.conf file. This procedure describes modifying the configuration within the httpbind_log4j.conf file.

Steps

1. Open the httpbind_log4j.conf file.

   This file is stored at the location you specified in httpbind.conf file as the value for thehttpbind.log4j.config parameter. By default the file is stored in the following directory under the default Instant Messaging instance:

   im_cfg_base/httpbind_log4j.conf

2. To disable logging for the gateway, set the log4j.logger.gateway parameter as follows:

   log4j.logger.gateway=OFF

3. To enable logging, set the log4j.logger.gateway parameter to the desired logging level.

   For example:

   log4j.logger.gateway=ERROR

   See Table 11–1 for a list of valid logging levels you can use.

4. Save and close httpbind_log4j.conf.

To Change the Location of the XMPP/HTTP Gateway Log Configuration File

Steps

1. Open httpbind.conf.

   See httpbind.conf File Location for information on finding this file.

2. Set the value of the httpbind.log4j.config parameter to the location of the XMPP/HTTP Gateway log configuration file.

3. Save and close httpbind.conf.

4. Restart the gateway using the tools provided by the web or application server.

To Change the Location of the XMPP/HTTP Gateway Log File

Before You Begin

Ensure that you are familiar with the log4j syntax and general implementation described at the Apache Logging Services website.

Steps

1. Open httpbind_log4j.conf.

   This file is stored at the location you specified in httpbind.conf file as the value for thehttpbind.log4j.config parameter. By default the file is stored in the following directory under the default Instant Messaging instance:

   im_cfg_base/httpbind_log4j.conf

2. Set the value for the log4j.appender.appender_ID parameter to the location where you want to store the log file.

3. Save and close httpbind_log4j.conf.

4. Restart the web container.

To Set the XMPP/HTTP Gateway Logging Level

Before You Begin

Ensure that you are familiar with the log4j syntax and general implementation described at the Apache Logging Services website.

Steps

1. Open httpbind_log4j.conf.

   This file is stored at the location you specified in httpbind.conf file as the value for thehttpbind.log4j.config parameter. By default the file is stored in the following directory under the default Instant Messaging instance:

   im_cfg_base/httpbind_log4j.conf

2. Set the log4j.logger.gateway parameter to the desired logging level.

   For example:

   log4j.logger.gateway=ERROR

   See Table 11–1 for a list of valid logging levels you can use.

XMPP/HTTP Gateway log4j Log Configuration File Syntax

For more information about the log4j syntax and general implementation, see the Apache Logging Services website. The gateway log configuration file syntax is as follows.

log4j.logger.gateway=logging_level, Appender_ID
# DEFAULT TO RollingFileAppender
log4j.appender.Appender_ID=org.apache.log4j.RollingFileAppender
log4j.appender.Appender_ID.file=log_dir/httpbind.log
log4j.appender.Appender_ID.append=true|false
log4j.appender.Appender_ID.maxBackupIndex=7
log4j.appender.Appender_ID.maxFileSize=max_log_file_size
log4j.appender.Appender_ID.layout=org.apache.log4j.PatternLayout
log4j.appender.Appender_ID.layout.ConversionPattern=log_entry_syntax

Example 8–1 XMPP/HTTP Gateway Log Configuration File (httpbind_log4j.conf)

log4j.logger.gateway=ERROR, A1
# DEFAULT TO RollingFileAppender
log4j.appender.A1=org.apache.log4j.RollingFileAppender
# log4j.appender.A1.file=$(logdir)/gateway.log
log4j.appender.A1.file=/tmp/gatewaylog
log4j.appender.A1.append=true
log4j.appender.A1.maxBackupIndex=7
log4j.appender.A1.maxFileSize=5mb
log4j.appender.A1.layout=org.apache.log4j.PatternLayout
log4j.appender.A1.layout.ConversionPattern=[%d{DATE}] %-5p %c [%t] %m%n

Chapter 9 Managing Instant Messaging's LDAP Access Configuration

This chapter describes how Instant Messaging uses LDAP in deployments with and without Access Manager in the following sections:

• Overview of how Instant Messaging Uses LDAP

• Searching the Directory Anonymously

• Configuring Instant Messaging to Use LDAP Dynamic Groups

Overview of how Instant Messaging Uses LDAP

All deployments of Instant Messaging require a directory server. In a deployment without Sun Java^TM System Access Manager, the Instant Messaging server uses the directory server to perform end-user authentication and to search for end users.

In a deployment with Sun Java^TM System Access Manager, the Instant Messaging server uses the directory used by Sun Java^TM System Portal Server. When installed in an Access Manager deployment environment, the Instant Messaging server uses the directory used by the Access Manager to search for end users, and not for end-user authentication. In an Access Manager deployment, Access Manager performs the authentication.

If you use an LDAP directory to maintain your user namespace, the default configuration makes the following assumptions regarding the schema used by this directory:

• End user entries are identified by the inetOrgPerson object class.

• Group entries are identified by the groupOfUniqueNames or groupofURLs object class.

• Instant Messenger user ID attribute of an end user is provided by the uid attribute (from inetOrgPerson objectclass).

• The email address of an end user is provided by the mail attribute.

• The display name of an end user or group is provided by the cn attribute.

• The list of members of a group is provided by the uniqueMember attribute (groupOfUniqueNames object class).

You can change these default settings by editing the iim.conf file. See iim.conf File Syntax.

Some user attributes may contain confidential information. Ensure that your directory access control is set up to prevent unauthorized access by non-privileged users. Refer to your directory documentation for more information.

Searching the Directory Anonymously

Instant Messaging needs to be able to search the directory to function correctly. If your directory is configured to be searchable by anonymous users, Instant Messaging has the capability to search the directory. If the directory is not readable or searchable by anonymous users, you must take additional steps to configure iim.conf with the credentials of a user ID that has at least read access to the directory. These credentials consist of:

• A distinguished name (dn)

• The password of the above dn

To Enable the Server to Conduct Directory Searches as a Specific End User

Steps

1. Identify values for the following parameters in iim.conf:

   • iim_ldap.usergroupbinddn - Specifies the distinguished name (dn) to use to bind to the directory for searches.

   • iim_ldap.usergroupbindcred - Specifies the password to use with the distinguished name (dn).

   For example:

   iim_ldap.usergroupbinddn="cn=iim server,o=i-zed.com"

   iim_ldap.usergroupbindcred=secret

   ---

   Note –

   You do not have to use administrator-level credentials with write level access, as all that is necessary is read access to the domain tree. Thus, if there is an LDAP user with read level access, use its credentials instead. This is a safer alternative as it does not force you to disseminate the administrator-level credentials.

   ---

   See iim.conf File Syntax for instructions on locating and modifying iim.conf.

2. In a deployment with Sun Java^TM System Access Manager, if the directory is not searchable by anonymous users:

   • Set the iim_ldap.useidentityadmin configuration parameter to true.

   • Also, you can delete or comment out the following configuration parameters:

     • iim_ldap.usergroupbinddn

     • iim_ldap.usergroupbindcred

3. Edit iim.conf.

   See iim.conf File Syntax for instructions on locating and modifying iim.conf.

   If the iim_ldap.usergroupbinddn and iim_ldap.usergroupbindcred parameters do not appear in iim.conf, you can add them anywhere in the file.

Configuring Instant Messaging to Use LDAP Dynamic Groups

In the Sun Java^TM System Directory Server and some other LDAP servers, dynamic groups filter end users based on their DN and include them in a single group. The dynamic groups are defined in Directory Server by the groupOfUrls objectclass.

To enable end users to view the dynamic groups in search results and add them to their contact list, you need to include groupOfUrls objects in search results.

The following modifications need to be made to iim.conf:

To Configure Instant Messaging to Use Dynamic Groups

Steps

1. Open iim.conf.

   See iim.conf File Syntax for instructions on locating and modifying iim.conf.

2. Add the following three lines to iim.conf:

   iim_ldap.usergroupbynamesearchfilter=(|(&(| (objectclass=groupofuniquenames) (objectclass=groupofurls))) (cn={0}))(&(objectclass=inetorgperson) (cn={0}))) iim_ldap.groupbrowsefilter=(| (objectclass=groupofuniquenames) (objectclass=groupofurls)) iim_ldap.groupclass=groupOfUniqueNames,groupOfURLs

   Do not include line breaks within a single line. The attribute and objectclass names are configurable. By default, the memberOfUrls attribute is used as the membership attribute of a dynamic group. If you want to use an attribute name other than memberOfUrls, set the iim_ldap.groupmemberurlattr option to the attribute name you want to use.

Chapter 10 Managing SSL for Instant Messaging

You use SSL for secure Instant Messaging communications. This chapter provides instructions on setting up SSL for Instant Messaging in the following sections:

• Overview of Using SSL in Instant Messaging

• Requesting a Certificate from the Certificate Authority

• Installing the Certificate

• Enabling SSL Between the Multiplexor and Instant Messenger

• Invoking the Secure Version of Instant Messenger

• Activating SSL for Server to Server Communication

Overview of Using SSL in Instant Messaging

Instant Messaging supports the Secure Sockets Layer (SSL) protocol, for encrypted communications and for certificate-based authentication of Instant Messaging servers. Instant Messaging server supports SSL version 3.0.

Instant Messaging multiplexor and Instant Messenger also support SSL for encrypted communication between the client and the multiplexor.

Enabling SSL for Instant Messaging server requires the following:

1. Obtaining and installing a certificate for your Instant Messaging server, and configuring the Instant Messaging server to trust the Certification Authority’s certificate.

2. Ensuring that each Instant Messaging server that needs to communicate using SSL with your server, obtains and installs a certificate.

3. Turning on SSL in the server by setting the appropriate parameters in the iim.conf file.

Enabling SSL between the multiplexor and Instant Messenger requires the following:

1. Requesting a Certificate from the Certificate Authority.

2. Installing the Certificate.

3. Enabling SSL Between the Multiplexor and Instant Messenger.

4. Activating SSL for Server to Server Communication.

5. Invoking the Secure Version of Instant Messenger.

For more information about managing certificates, see the Web Server and Application Server product documentation at http://docs.sun.com.

Requesting a Certificate from the Certificate Authority

To enable SSL, you need to request a certificate. You can request the certificate using Sun Java^TM System Web Serveror Sun Java^TM System Application Server.

To Request a Certificate

Steps

1. Type the following URL for starting the administration server in your browser:

   http://hostname.domain-name:administration_port

   A window prompting you for a user name and password appears.

2. Type the administration user name and password you specified during the Web Server or Application Server installation.

   The Administration Server page appears.

3. Create a separate Web Server or Application Server instance.

   For more information on installing multiple instances of the server, see the product documentation at http://docs.sun.com/.

4. Create a trust database to store the public and private keys, referred as the key-pair file.

   The key-pair file is used for SSL encryption.

   For information on creating a trust database, see the Web Server or Application Server product documentation at http://docs.sun.com/.

5. Request a certificate from the Certificate Authority.

   For more information on requesting a certificate, see the Web Server or Application Server product documentation at http://docs.sun.com/.

Installing the Certificate

After you receive the server certificate from your Certificate Authority, you need to install the certificate and create databases for secure communication.

To Install the Certificate

Steps

1. Type the following URL for starting the administration server in your browser:

   http://hostname.domain-name:administration_port

   A window appears, prompting you for a user name and password.

2. Type the administration user name and password you specified during the Web Server or Application Server installation.

   The Administration Server page appears.

3. Install the server certificate.

   For more information on installing the certificate, see the Web Server or Application Server product documentation at http://docs.sun.com

4. Change to your Web Server or Application Server’s /alias directory.

5. Copy the database files from the /alias directory to the Instant Messaging server's im_cfg_base directory.

   cp https-serverid-hostname-cert8.db /etc/opt/SUNWiim/default/config/cert8.db

   cp https-serverid-hostname-key3.db /etc/opt/SUNWiim/default/config/key3.db

   cp secmod.db /etc/opt/SUNWiim/default/config/secmod.db

   ---

   Note –

   The end user on which the Instant Messaging server runs should have Read permission on cert7.db, key3.db, and secmod.db files. In addition, if you created multiple instances of Instant Messaging, the name of the /default directory will vary depending on the instance.

   ---

   See Table 3–1 for default locations for im_cfg_base.

6. Change to your Instant Messaging server's im_cfg_base directory.

   See Instant Messaging Server Directory Structure for information on locating im_cfg_base.

7. Create a file named sslpassword.conf using an editor of your choice.

8. Enter the following line in sslpassword.conf.

   Internal (Software) Token:password

   Where password is the password you specified when you created the trust database.

9. Save and close sslpassword.conf.

10. Ensure that all Instant Messenger end users have Ownership and Read permission on sslpassword.conf.

11. Verify that SSL is working properly.

    You can do this a number of ways, for example by following the steps in Invoking the Secure Version of Instant Messenger.

12. Log in to the Web Server or Application Server as an administrator.

13. Remove the server instance that you created while requesting the certificate.

Enabling SSL Between the Multiplexor and Instant Messenger

Table 10–1 lists the parameters in iim.conf for enabling SSL between Instant Messenger and multiplexor. It also lists the description and the default value of these parameters.

To Enable SSL Between Instant Messenger and the Multiplexor

Steps

1. Open iim.conf.

   See iim.conf File Syntax for instructions on locating and modifying iim.conf.

2. Add the values from Table 10–1 to the multiplexor configuration parameters in iim.conf.

Example 10–1 SSL Multiplexor Configuration in iim.conf

The following is an example of iim.conf with the multiplexor configuration parameters included:

! IIM multiplexor configuration
! =============================
!
! Multiplexor specific options

! IP address and listening port for the multiplexor.
! WARNING: If this value is changed, the port value of ’-server’
! argument in the client’s im.html and im.jnlp files should 
! also be changed to match this.
iim_mux.listenport = "siroe.com:5222"

! The IM server and port the multiplexor talks to.
iim_mux.serverport = "siroe.com:45222"

! Number of instances of the multiplexor.
iim_mux.numinstances = "1"

! Maximum number of threads per instance
iim_mux.maxthreads = "10"

! Maximum number of concurrent connections per multiplexor process
iim_mux.maxsessions = "1000"

                         
iim_mux.usessl = "on"
iim_mux.secconfigdir = "/etc/opt/SUNWiim/default/config"
iim_mux.keydbprefix = "This-Database"
iim_mux.certdbprefix = "Secret-stuff"
iim_mux.secmodfile = "secmod.db"
iim_mux.certnickname = "Server_Cert"
iim_mux.keystorepasswordfile = "sslpassword.conf"

Invoking the Secure Version of Instant Messenger

The secure version of Instant Messenger can be invoked by accessing imssl.html or imssl.jnlp from your web browser. These files are located under the resource directory, the base directory under which all the Instant Messenger resources are stored.

The links to these applet descriptor files can also be added to index.html.

Activating SSL for Server to Server Communication

Before you can activate SSL, you must create a certificate database, obtain and install a server certificate, and trust the CA’s certificate as described earlier.

Table 10–2 lists the parameters in iim.conf used to enable SSL between two Instant Messaging servers. It also contains the description and the default value of these parameters.

To Activate SSL Between Servers

Steps

1. Set these iim.conf parameters:

   • iim_server.usesslport=true

   • iim_server.sslport=5223

   These parameters should already be in the iim.conf file.

   See iim.conf File Syntax for instructions on locating and modifying iim.conf.

2. Set the server-to-server configuration as described in Chapter 6, Federating Deployment of Multiple Instant Messaging Servers.

3. Add the following additional parameter to iim.conf:

   iim_server.coserver1.usessl=true

4. Change the port number of the following parameter:

   iim_server.coserver1.host=hostname:5223

   The port number should be the SSL port of the other server.

5. Refresh the server configuration using imadmin.

   imadmin refresh server

Example 10–2 SSL Server Configuration in iim.conf

Following is a section of iim.conf file with the required SSL configuration:

! Server to server communication port.
iim_server.port = "5269”
! Should the server listen on the server to server
! communication port
iim_server.useport = "True”
! Should this server listen for server-to-server communication
! using ssl port
iim_server.usesslport = "True”
iim_server.sslport=5223
iim_server.coservers=coserver1
iim_server.coserver1.serverid=Iamcompany22
iim_server.coserver1.password=secretforcompany22
iim_server.coserver1.usessl=true
iim_server.coserver1.host=iim.i-zed.com:5223
iim_server.serverid=Iami-zed
iim_server.password=secret4i-zed
iim_server.secconfigdir = "/etc/opt/SUNWiim/default/config"
iim_server.keydbprefix = "This-Database"
iim_server.certdbprefix = "Secret-stuff"
iim_server.secmodfile = "secmod.db"
iim_server.certnickname = "Server_Cert"
iim_server.keystorepasswordfile = "sslpassword.conf"

Chapter 11 Managing Logging for Instant Messaging

Instant Messaging creates log files that record events, related status of various software components, system errors, and other aspects of the server, multiplexor, Calendar agent, and watchdog. By examining the log files, you can monitor many aspects of the server’s operation. In addition, you can collect logging data for Instant Messenger on demand. This section provides information about logging in the following topics:

• Instant Messaging Logging Overview

• Instant Messaging Log File Location

• Instant Messaging Component Logging Levels

• Managing Instant Messaging Logging Using Log4j

• Configuring Logging for Instant Messaging Components Using iim.conf Parameters

• Administering Instant Messaging Client Logging

For information on logging for the XMPP/HTTP Gateway, see Managing Logging for the XMPP/HTTP Gateway.

Instant Messaging Logging Overview

Instant Messaging provides two ways to generate log files; using log4j, or without log4j by specifying parameters in iim.conf. Log4j style logging is available for the server, Calendar agent, watchdog, and the XMPP/HTTP Gateway, but not the multiplexor.

For information on logging for the XMPP/HTTP Gateway, see Managing Logging for the XMPP/HTTP Gateway.

The iim.conf parameter-based logging mechanism may be deprecated in a future release. Use log4j wherever possible.

You can configure the level of logging for the Instant Messaging server, multiplexor, Calendar agent, watchdog, and XMPP/HTTP Gateway. In addition, using log4j, you can configure Instant Messaging to generate a separate log file for XMPP traffic only.

If you are not using log4j style logging, as part of regular system maintenance, you need to periodically review and trim the log files from occupying more disk space. The server does not perform this action.

For more information about log4j, see the Apache Logging Services website.

Instant Messaging Log File Location

You specify the location of the log files when you run the configure utility after installing Instant Messaging. Typically, log files are stored in im_runtime_base/log. See Instant Messaging Server Directory Structure for information on locating im_runtime_base.

If you are using log4j for log file generation in your deployment, the logger will also use the directory you specify during configuration as the base directory in which to store log4j logs.

Instant Messaging Component Logging Levels

The level or priority of maintaining the error log defines how detailed, or verbose, the log should be. A higher priority level implies less details as only events of high priority (high severity) are recorded in the log file. In contrast a lower priority level implies greater details as more events are recorded in the log file.

Regardless of whether you are using log4j or parameter-based logging, you can set the logging level separately for each component.

Table 11–1 describes the logging levels for the components. These logging levels are a subset of the levels defined by the UNIX syslog facility.

When you select a particular logging level, events corresponding to that level and to all higher and less verbose levels are logged.

INFO is the default level for the server. ERROR is the default level for the multiplexor, Calendar agent, and watchdog log files.

If you are not using log4j, and you specify DEBUG as the logging level, your log files will occupy more disk space. Monitor and trim your log files to prevent them from occupying more disk space.

Managing Instant Messaging Logging Using Log4j

When you install Instant Messaging, a template file (log4j.conf.template) for the log4j configuration file is installed into the im_svr_base/lib directory. When you run the configure utility after installation, the template is used to create the log4j configuration file (log4j.conf) in the im_cfg_base directory. This configuration file is used to determine where to store log files generated by log4j, the logging level to use for various components, the output syntax, and to determine what log files to generate.

This section describes using the log4j logger to generate log files for Instant Messaging in the following sections:

• Instant Messaging Log4j Configuration File (log4j.conf) Location

• Instant Messaging Log4j Log File Syntax

• Log4j Log Levels for Instant Messaging Components

• To Specify the Location of the Log4j Configuration File (Log4j.conf)

• To Set Log4j Log Levels for Instant Messaging

The logging levels described in Instant Messaging Component Logging Levels are used by the log4j logger.

For more information about log4j, and instructions on configuring aspects of log files, such as size, number of backups, etc., see the Apache Logging Services website.

Instant Messaging Log4j Configuration File (log4j.conf) Location

You can change the location of the log4j configuration file, log4j.conf, by modifying the iim.log4j.config parameter in iim.conf. If you do not specify a value for this parameter, the logger will look in im_cfg_base. If the logger does not find the log4j configuration file in that directory, it uses the logging parameters in iim.conf to generate non-log4j style logs.

See Instant Messaging Server Directory Structure for information on locating im_cfg_base.

Instant Messaging Log4j Log File Syntax

The configure utility generates the log4j configuration file (log4j.conf) based on the content of the log4j configuration file template (log4j.conf.template). Example 11–1 shows the log4j template. In this template:

• ${logdir} corresponds to the directory you specified during configuration in which you want to store log files. See Instant Messaging Log File Location.

• Each component's log configuration section starts with the following text:

  log4j.logger.

  Where:

  xmppd

  Generates xmppd.log which contains logging information for the server.

  iim_wd

  Generates wd.log which contains information for the watchdog

  xmppd.xfer

  Generates xfer.log which contains only for XMPP traffic.

  agent-calendar

  Generates logging information for the Calendar agent.

  net.outer_planes.jso.BasicStream

  Generates jso.log which contains information for Jabber stream objects. See the Jabber Stream Objects website for more information.

  genredirect

  Reserved for future use.

• A#, for example A1 are appender IDs.

Example 11–1 Log4j Template File

log4j.logger.xmppd=INFO, A1
# DEFAULT TO RollingFileAppender
log4j.appender.A1=org.apache.log4j.RollingFileAppender
log4j.appender.A1.file=${logdir}/xmppd.log
log4j.appender.A1.append=true
log4j.appender.A1.maxBackupIndex=7
log4j.appender.A1.maxFileSize=5mb
# More example appenders..
# Straight to console..
# log4j.appender.A1=org.apache.log4j.ConsoleAppender
# log4j.appender.A1.ImmediateFlush=true
# Rollover at midnight..
# log4j.appender.A1=org.apache.log4j.DailyRollingFileAppender
# log4j.appender.A1.DatePattern='.'yyyy-MM-dd
# log4j.appender.A1.file=${logdir}/xmppd.log
# log4j.appender.A1.ImmediateFlush=true
# log4j.appender.A1.append=true
# Send to SMTP..
# log4j.appender.A1=org.apache.log4j.SMTPAppender

# PATTERN LAYOUT AND OPTIONS
# DEFAULT TO PatternLayout
log4j.appender.A1.layout=org.apache.log4j.PatternLayout
# For full dates..
log4j.appender.A1.layout.ConversionPattern=[%d{DATE}] %-5p %c [%t] %m%n
# IM traditional output format..
#log4j.appender.A1.layout.ConversionPattern=%d{HH:mm:ss,SSS} %-5p %c [%t] %m%n
# More example layouts
# XMLLayout for chainsaw consumption
# log4j.appender.A1.layout=org.apache.log4j.xml.XMLLayout
# TTCCLayout for NDC information

# log4j.appender.A1.layout=org.apache.log4j.xml.TTCCLayout
# log4j.appender.A1.layout.DateFormat=ISO8601
# log4j.appender.A1.layout.TimeZoneID=GMT-8:00
# log4j.appender.A1.layout.CategoryPrefixing=false
# log4j.appender.A1.layout.ThreadPrinting=false
# log4j.appender.A1.layout.ContextPrinting=false

# Now we list logger/appender/layout for the other default loggers, but
# only the defaults..
log4j.logger.iim_wd=ERROR, A2
log4j.appender.A2=org.apache.log4j.RollingFileAppender
log4j.appender.A2.file=${logdir}/iim_wd.log
log4j.appender.A2.append=true
log4j.appender.A2.maxBackupIndex=7
log4j.appender.A2.maxFileSize=5mb
log4j.appender.A2.layout=org.apache.log4j.PatternLayout
log4j.appender.A2.layout.ConversionPattern=[%d{DATE}] %-5p %c [%t] %m%n

# For separate xmpp traffic log, disabled by default.
log4j.logger.xmppd.xfer=DEBUG, A3
log4j.appender.A3=org.apache.log4j.varia.NullAppender
# Select next block instead of previous line to enable separate transfer log
# log4j.appender.A3=org.apache.log4j.RollingFileAppender
# log4j.appender.A3.file=${logdir}/xfer.log
# log4j.appender.A3.append=true
# log4j.appender.A3.maxBackupIndex=7
# log4j.appender.A3.maxFileSize=5mb
# log4j.appender.A3.layout=org.apache.log4j.PatternLayout
# # Note, simpler default output than above 3 loggers:
# log4j.appender.A3.layout.ConversionPattern=[%d{DATE}] %-5p %c [%t] %m%n

log4j.logger.agent-calendar=ERROR, A4
log4j.appender.A4=org.apache.log4j.RollingFileAppender
log4j.appender.A4.file=${logdir}/agent-calendar.log
log4j.appender.A4.append=true
log4j.appender.A4.maxBackupIndex=7
log4j.appender.A4.maxFileSize=5mb
log4j.appender.A4.layout=org.apache.log4j.PatternLayout
log4j.appender.A4.layout.ConversionPattern=[%d{DATE}] %-5p %c [%t] %m%n

log4j.logger.net.outer_planes.jso.BasicStream=OFF, A5
log4j.appender.A5=org.apache.log4j.RollingFileAppender
log4j.appender.A5.file=${logdir}/jso.log
log4j.appender.A5.append=true
log4j.appender.A5.maxBackupIndex=7
log4j.appender.A5.maxFileSize=5mb
log4j.appender.A5.layout=org.apache.log4j.PatternLayout
log4j.appender.A5.layout.ConversionPattern=[%d{DATE}] %-5p %c [%t] %m%n

log4j.logger.genredirect=INFO, A6
log4j.appender.A6=org.apache.log4j.RollingFileAppender
log4j.appender.A6.file=${logdir}/genredirect.log
log4j.appender.A6.append=true
log4j.appender.A6.maxBackupIndex=7
log4j.appender.A6.maxFileSize=5mb
log4j.appender.A6.layout=org.apache.log4j.PatternLayout
log4j.appender.A6.layout.ConversionPattern=[%d{DATE}] %-5p %c [%t] %m%n

Log4j Log Levels for Instant Messaging Components

The log4j logger uses the same logging levels described for the iim.conf parameter-based logging mechanism in Instant Messaging Component Logging Levels.

To Specify the Location of the Log4j Configuration File (Log4j.conf)

Steps

1. Open iim.conf.

   See iim.conf File Location for information on locating this file.

2. Set the iim.log4j.config parameter to the path in which you want the logger to look for log4j.conf.

   For example, on Solaris:

   iim.log4j.config=/etc/opt/SUNWiim/default/config/log4j.conf

   On Linux:

   iim.log4j.config=/etc/opt/sun/im/default/config/log4j.conf

3. Save and close iim.conf.

4. Refresh the server.

   imadmin refresh

   ---

   Caution –

   Do not use the imadmin start, imadmin stop, or imadmin refresh commands in an HA environment with Sun Cluster. Instead, use the Sun Cluster administrative utilities.

   ---

To Enable or Disable Log4j Logging for an Instant Messaging Component

By default, log4j logging is used for all components for which logging information is generated.

Steps

1. To disable log4j logging, set the logging level for the component to OFF in both log4j.conf and log4j.conf.template.

   See To Set Log4j Log Levels for Instant Messaging for more information.

2. To enable log4j logging, set the logging level for the component to any logging level other than OFF in both log4j.conf and log4j.conf.template.

To Set Log4j Log Levels for Instant Messaging

You can set log levels by modifying either the template or the log configuration file. However, if you only modify the configuration file, any changes you make will be overwritten the next time you run configure. To prevent this, you should make your changes to both the configuration file and the template.

Steps

1. Open log4j.conf.template.

   By default, this file is stored in the following location:

   im_svr_base/lib

2. For each component, specify the logging level you want to use.

   For example, to set the log level for the server:

   log4j.logger.xmppd=log_level

   Where log_level is one of FATAL, ERROR, WARNING, INFO, or DEBUG.

   See Table 11–1 for detailed information on each of these logging levels.

3. Save and close log4j.conf.template.

4. Repeat the procedure for the configuration file log4j.conf.

To Specify the Maximum Log4j Log File Size for Instant Messaging Components

You can set log levels by modifying either the template or the log configuration file. However, if you only modify the configuration file, any changes you make will be overwritten the next time you run configure. To prevent this, you should make your changes to both the configuration file and the template.

Steps

1. Open log4j.conf.template.

   By default, this file is stored in the following location:

   im_svr_base/lib

2. For each component, specify the maximum size for the component's log file.

   For example, to set the size for the server log file:

   log4j.appender.A1.maxFileSize=max_logfile_size

   Where A1 is the default appender ID for the server, max_logfile_size is in MB, for example 5MB.

3. Repeat the procedure for the configuration file log4j.conf.

Configuring Logging for Instant Messaging Components Using iim.conf Parameters

If you are not using log4j to generate log files, you need to set a configuration parameter specific to each component for which you want Instant Messaging to generate logging information. This method is referred to as parameter-based logging for Instant Messaging.

This iim.conf parameter-based logging mechanism may be deprecated in a future release. Use log4j when possible.

Table 11–2 provides the name of the log files and the configuration parameter in iim.conf used to set the logging level for each Instant Messaging component log file.

The configuration parameters can have the following values:

• fatal

• error

• warning

• info

• debug

See Instant Messaging Component Logging Levels for information on the details logged for each logging level.

In addition, logging configuration in deployments with Sun Java^TM System Access Manager is determined by the com.iplanet.services.debug.level property. You set this property in the AMConfig.properties file on the Sun Java^TM System Access Manager host. By default, this file is installed in the following location:

AM_svr_base/lib/AMConfig.properties

Where AM_svr_base is the directory in which you installed Access Manager.

This property can contain the following values:

• message

• warning

• error

• off

By default, the Sun Java^TM System Portal Server desktop log file (desktop.debug) and archive log files (IMArchiveSearch.log and IMArchiveSubmit.log) are stored in the following locations:

• Solaris: /var/opt/SUNWam/debug

• Linux: /var/opt/sun/am/debug

To Set Log Levels for Instant Messaging Components Using iim.conf Parameters

Step

Modify logging parameters in iim.conf.

See Table 11–2 for a list of the log files and the associated parameter you need to set for each component.

See iim.conf File Syntax for instructions on locating and modifying iim.conf. For more information on the watchdog, see Managing the Watchdog Process. For more information on the Calendar agent, see Chapter 14, Using Calendar Pop-up Reminders.

Administering Instant Messaging Client Logging

By default, client data is not logged. You may be asked to collect client data during a support call. In this situation, you will need to enable logging before you can view client log data.

To Enable Client Logging for Instant Messaging

Steps

1. Enable the logging feature in either the Java Web Start Application Manager or the Java Plug-In Control Panel as appropriate.

   If the client uses the Java plug-in with an earlier version of the JDK, run the Java Plug-In Control Panel. See the online help for the Java Plug-In Control Panel for instructions on enabling logging.

   If the client uses Java Web Start or uses the plug-in with JDK 5.0, run the Java Web Start Application Manager, then:

   1. Select File->Preferences.

      The Preferences dialog box appears.

   2. On the Advanced tab, select the Log Output checkbox and enter a Log File Name.

   3. Click OK.

2. Open im.jnlp in a text editor.

3. Search for the line:

   <application-desc main-class="com.iplanet.im.client.iIM">

4. Add the following argument to the end of the section:

   <argument>debug=true</argument>

5. Save and close the im.jnlp file.

6. If you are using Sun Java^TM System Access Manager or Sun Java^TM System Web Server, redeploy the resource files as described in Redeploying Resource Files.

7. Relaunch Instant Messenger.

Chapter 12 Administering Instant Messaging End Users

Instant Messaging does not provide bulk user provisioning tools. You need to use a directory bulk provisioning tool for provisioning multiple Instant Messaging end users. By default, Instant Messaging does not provide specific commands to add, modify, or delete Instant Messaging end users. However, you can customize Instant Messenger to allow users to add themselves to the directory.

Likewise in an LDAP-only deployment, you cannot prevent an end user from using Instant Messenger. In an LDAP-only deployment, the only way to prevent end users from using Instant Messaging is to delete them from the directory or inactivate their user accounts in the directory. Keep in mind that doing this also prevents the user from binding to the directory. In a deployment using Sun Java^TM System Access Manager policy attributes, you can prevent an end user from accessing only Instant Messenger. In addition, if you deploy Instant Messaging with Access Manager, you should use the provisioning tools provided with Access Manager instead of allowing users to register themselves.

The administrator can manage Instant Messaging end users, using the Instant Messaging Administrator Access Control mechanism. For more information on Instant Messaging Administrator Access Control, see Overview of Privacy, Security, and Site Policies, then the Access Manager is used for provisioning Instant Messaging end users. For more information, see Sun Java System Communications Services 6 2005Q4 Deployment Planning Guide.

If you deny end users the privilege to set up watches on other end users by editing the sysWatch.acl file, the Instant Messenger’s Main window is not displayed for these end users. This effectively denies end users the ability to send instant messages. However, end users would still be able to see alerts and news channels.

This chapter contains the following sections:

• Disabling End User Access to Instant Messenger

• Registering New Instant Messaging Users

• Storing Instant Messaging User Properties in LDAP

• Assigning Instant Messaging and Presence Services to End Users

Disabling End User Access to Instant Messenger

If you are using Instant Messaging with Access Manager, you can deny user access to Instant Messenger services as described in this section.

To Disable Instant Messaging End Users

Steps

1. Open iim.conf.

   See iim.conf File Syntax for instructions on locating and modifying iim.conf.

2. Modify the following values as shown:

   iim_ldap.useidentityadmin="true" iim_server.usesso=1The value for this parameter may also be 0 iim.policy.modules="identity" iim.userprops.store="ldap"

3. Save and close iim.conf.

4. Refresh the Instant Messaging server.

   imadmin refresh server

   SeeRefreshing Component Configuration for more information. If you are using Instant Messaging in an HA environment, do not use imadmin, instead use the Sun Cluster tools to refresh the server.

5. Use the Access Manager console (amconsole) to remove Instant Messaging services from the user for which you want to disable access.

Registering New Instant Messaging Users

You can customize Instant Messenger to allow new user registration. When a user registers, the Instant Messaging server uses the information provided during registration to perform an ldapadd operation to create a user entry in the directory.

If you are using Instant Messaging with Sun Java^TM System Access Manager, you should not allow users to register using this method. Instead, you should use the provisioning tools provided with Access Manager.

To allow new user registration, you need to configure the server to allow registration and then customize Instant Messenger resources by adding an argument to the im.jnlp.template and im.html.template files, running the configure utility, then (if necessary) redeploying the resource files.

This section describes:

• Configuring the Instant Messaging Server to Allow New User Registration

• Customizing Instant Messenger to Allow New User Registration

• Registering as a New Instant Messaging User

See Chapter 13, Managing Instant Messenger for more information about customizing resource files.

Configuring the Instant Messaging Server to Allow New User Registration

In order to configure the Instant Messaging server to allow new user registration you need to add four configuration parameters to iim.conf. Table 12–1 lists the parameters you need add and a brief description of each.

To Configure the Instant Messaging Server to Allow New User Registration

Steps

1. Open iim.conf.

   See iim.conf File Syntax for instructions on locating and modifying iim.conf.

2. Add the configuration parameters and appropriate values as described in Table 12–1.

3. Save and close iim.conf.

4. Refresh the server configuration using the imadmin command.

   imadmin refresh server

Customizing Instant Messenger to Allow New User Registration

When you customize the resource files to allow new user registration, a new button appears on the Login dialog box. Users click this button to access the New User Registration dialog box where they can register. When a user registers, their information is added to the LDAP directory.

To Customize Instant Messenger to Allow New User Registration

Steps

1. Open the im.jnlp.template file in a text editor.

   By default this file is stored in im_svr_base/html.

2. Search for the line:

   <application-desc main-class="com.iplanet.im.client.iIM">

3. Add the following argument to the end of the section:

   <argument>register=true</argument>

4. Save and close im.jnlp.template.

5. Open the im.html.template file in a text editor.

   By default this file is stored in im_svr_base/html.

6. Add the register parameter to the file:

   <PARAM NAME="register" VALUE="true">

7. Add the following parameter to the EMBED tag:

   register=true

8. Save and close im.html.template.

9. Run the configure utility, selecting the “Messenger Resources” component only when prompted for which components you want to configure.

   See Configuring Instant Messaging After Installing or Upgrading for instructions.

10. If you are using Sun Java^TM System Access Manager or Sun Java^TM System Web Server, redeploy the resource files.

    See Redeploying Resource Files for instructions.

11. Launch Instant Messenger.

    The I am a New User button should appear on the Login dialog box.

Registering as a New Instant Messaging User

Once you have added the new user registration argument to the im.jnlp and im.html files and redeployed the resource files users can register themselves.

To Register as a New Instant Messaging User

Steps

1. In a web browser, go to the Instant Messaging home page.

2. Click Start or click Use Java Plug-in.

   The Login dialog box appears, displaying the I am a New User button.

3. Click I am a New User.

   The New User Registration dialog box appears.

4. Enter the information in the fields provided and click OK.

   The information is stored in the directory.

Storing Instant Messaging User Properties in LDAP

In a deployment without Sun Java^TM System Access Manager, you can choose to store user properties in LDAP instead of a file (default). You need to run the imadmin assign_services command in order to add required objectclasses to user entries in the directory. These objectclasses are used by Instant Messaging to store user properties in user entries.

Some user attributes may contain confidential information. Ensure that your directory access control is set up to prevent unauthorized access by non-privileged users. Refer to your directory documentation for more information.

To Store Instant Messaging User Properties in LDAP

Steps

1. In iim.conf, ensure that the iim.policy.modules parameter has a value of iim_ldap.

   See iim.conf File Syntax for information on iim.conf.

2. In iim.conf, ensure that the iim.userprops.store parameter has a value of ldap.

3. From the command line, run imadmin with the assign_services option:

   imadmin assign_services

   imadmin checks the value of the iim.policy.modules parameter in iim.conf.

4. Enter the Bind DN and password you want imadmin use to bind to the directory.

   The Bind DN should have sufficient credentials to modify the directory schema, for example the Directory Manager DN.

5. Enter the Base DN under which user entries are stored.

   Next, imadmin adds sunIMUser, and sunPresenceUser objectclasses to the user entries in the organization you specified.

Assigning Instant Messaging and Presence Services to End Users

In a deployment with Sun Java^TM System Access Manager, you can assign Instant Messaging and presence services to end users with the imadmin assign_services command. Alternatively, you can use the Access Manager console.

To Assign Instant Messaging and Presence Services to End Users

Steps

1. In iim.conf, ensure that the iim.policy.modules parameter has a value of identity.

   See iim.conf File Syntax for information on iim.conf.

2. From the command line, run imadmin with the assign_services option:

   imadmin assign_services

   imadmin checks the value of the iim.policy.modules parameter in iim.conf.

3. Enter the Base DN of the organization under which user entries are stored.

   This is the organization that contains the user entries managed by Access Manager.

   Next, imadmin assigns Instant Messaging and presence services to the users in the organization you specify.

Chapter 13 Managing Instant Messenger

This chapter describes how to customize and administer Instant Messenger in the following sections:

• Configuring Instant Messenger

• Invoking Instant Messenger

• Changing the Codebase

• Changing the Web Container Port

• Customizing Instant Messenger

• Instant Messenger Resource Files

• Modifying How Client Users Search for Contacts

• Administering Conference Rooms and News Channels

• Modifying Instant Messenger Proxy Settings

• Controlling the Exposed Messenger Feature Set

• Instant Messenger Data Stored in the End User’s System

• Redeploying Resource Files

Configuring Instant Messenger

There are two ways to invoke and run Instant Messenger:

Using Java Web Start - In this configuration, Instant Messenger is launched as an application from the Java Web Start. The browser is no longer necessary once Instant Messenger is launched.

Using the Java Plug-in - In this configuration, Instant Messenger is run as a Java applet. To keep the Instant Messenger session active, the browser window from which the applet was launched must remain open and cannot be used to locate any other URL.

For more information on how to configure the Java software that enables Instant Messenger, see Chapter 2, Setting up and Launching Instant Messenger.

Invoking Instant Messenger

You can invoke Instant Messenger from several locations:

• The index.html file that provides you the options to launch both the Java Web Start and Java Plug-in versions of Instant Messenger. This file also contains links to Instant Messenger documentation.

• A web page you have designed with a link to Instant Messenger.

• A direct URL for either the im.html or im.jnlp files.

• From the command-line.

• Using a desktop shortcut.

Invoking Instant Messenger is described in the following sections:

• To Invoke Instant Messenger Using a Direct URL

• To Invoke Instant Messenger From the Command-Line (Solaris Only)

• To Invoke Instant Messenger Using a Desktop Shortcut

To Invoke Instant Messenger Using a Direct URL

Step

Enter the following URL in your web browser to invoke Instant Messenger:

http://webserver:webserverport/path/filename

In this URL,

webserver

Specifies the name of the web container on which you have installed the Instant Messenger resources.

webserverport

(Optional) Specifies the web container port. The default value is 80.

path

(Optional) Specifies the directory where the client files are installed. If the default is selected during the installation, then no subdirectory is required to store the client files.

filename

Specifies the Instant Messenger file to use:

index.html - This file is provided with the product. The file contains links to im.jnlp and im.html which launch the Java Web Start and Java Plug-in versions of Instant Messenger respectively.

im.jnlp - The .jnlp file to launch only the Java Web Start version of Instant Messenger.

im.html - The web page to launch only the Java Plug-in version of Instant Messenger.

To Invoke Instant Messenger From the Command-Line (Solaris Only)

Step

Type the following at the command-line:

javaws_cmd URL

See To Invoke Instant Messenger Using a Direct URL for information about constructing the URL.

To Invoke Instant Messenger Using a Desktop Shortcut

Step

Create and use a desktop shortcut to invoke Instant Messenger

• Create a shortcut using Java Web Start.

• Create a shortcut manually and set the target value as follows:

  javaws_cmd jnlp_URL

  Where jnlp_URL is the URL to the im.jnlp file.

Changing the Codebase

The codebase is the URL from which Instant Messenger accesses resources, including the start page for initial downloads of the Instant Messaging client. This URL is defined during postinstallation configuration when the resource files are deployed by the configure utility. If you change any portion of the URL used to access Instant Messenger resources including the web container port number you need to update the codebase.

If you want to change the codebase after you have deployed the resource files you will need to:

• Modify the template files to point to the new URL. See To Change the Codebase in the Resource Templates.

• Run the configure utility, selecting the “Messenger Resources” component only when prompted for which components you want to configure. See Configuring Instant Messaging After Installing or Upgrading for instructions.

• Redeploy the resource files. See Redeploying Resource Files for instructions.

To Change the Codebase in the Resource Templates

Step

Edit each of the template files in the im_svr_base/html directory with the new URL.

Template files are named *.template. See Instant Messenger Resource Files for a complete list of template files.

Changing the Web Container Port

If you change any portion of the URL used to access Instant Messenger resources including the web container port number you need to update the codebase. See Changing the Codebase for instructions.

Customizing Instant Messenger

Instant Messenger is customizable. HTML and JNLP files can be customized to suit an organization's specific needs. If you want to customize the resource files for your deployment, you should run the configure utility (if you haven’t already done so after installing), customize the files, then redeploy the resource files. You need to run the configure utility first because configure creates some of the files that you can customize. (See Redeploying Resource Files for redeployment instructions.)

You can customize Instant Messenger to meet your requirements in the following ways:

• Instant Messenger Resource Files

• Customizing the index.html and im.html Files

• Launching Instant Messenger Using Sun Java^TM System Access Manager SSO

• Customizing the Application (Java Web Start)

• Rebranding Instant Messenger

• Customizing User Name and Group Name Display

This section describes the Instant Messaging server files you can modify to customize Instant Messenger. The files that you can customize are all located in the resource directory im_svr_base/html directory. See Table 3–1 for information on default directory locations.

Instant Messenger Resource Files

The Instant Messenger resource files are located within a directory referred to as the resource directory or im_svr_base/html.

Table 13–1 contains the list of Instant Messenger files in the resource directory (im_svr_base/html). It also contains the description and customization information for these files. Within the resource directory, the /locale subdirectory is represented generically in a directory path as lang, but specifically as abbreviations of languages, such as, en_US, jp, and fr_FR.

Customizing the index.html and im.html Files

If you are using Instant Messenger in a deployment without Sun Java^TM System Access Manager, you can modify the static portion of the index.html and im.html files to produce a fully customized user interface. These HTML files contain both text and markups describing how the text is formatted and handled. Markup is implemented through a set of tags, which specify formats for headers, indents, font size, and font style.

Some of the page elements that can be modified are:

• Images

• Banner

• Text on screen including title and field labels

• Background schemes

You can launch the Instant Messenger applet and the Java Web Start application from index.html. If you are running the Instant Messenger applet, modify the im.html file. The im.html file is called by index.html, and invokes the Instant Messenger applet. The im.html file is generated when you run the configure utility and contains an applet argument that points to the multiplexor.

The argument “<PARAM NAME="server" VALUE="servername">” represents the Instant Messaging multiplexor and its port in the im.html file. If you change the iim_mux.listenport parameter’s default value, you need to change the servername value to host.domain:port.

Launching Instant Messenger Using Sun Java^TM System Access Manager SSO

To launch the Instant Messenger client using single sign-on (SSO) with Sun Java^TM System Access Manager use IMLaunch.jsp. This file is in the resource directory.

Sun Java^TM System Access Manager and Instant Messenger must be configured to use the same web container to enable SSO.

To launchInstant Messenger enter the following in a web browser:

codebase/IMLaunch.jsp?server=multiplexor-hostname:muliplexor-port

or

codebase/IMLaunch.jsp?server=www.example.com:5222

Where:

codebase is the codebase from which the Instant Messenger resources are downloaded. For example, http://www.example.com.

multiplexor-hostname is the host name of the mulitplexor. For example, http://www.company22.com.

muliplexor-port is the port number on which the multiplexor listens for incoming client requests. For example, 5222.

IMLaunch.jsp is used for launching Instant Messenger through either Java Web Start or Java Plug-in.

Customizing the Application (Java Web Start)

If you are running Instant Messenger using Java Web Start, you can modify the im.jnlp, imres.jnlp, and imres.jar files to customize the user interface. The following are modifications that can be made to these files:

• imbrand.jar - This file contains the image and audio files, and the properties that can be customized. You need Java Developers Kit 1.3 (JDK) to extract the contents from the imres.jar file using the jar command. For more information on imbrand.jar contents, see Contents of imbrand.jar.

  Use the following command to extract imbrand.jar:

  jar xvf imbrand.jar

  This command creates a directory tree where the resource files are copied. This directory structure has to be maintained when you modify the individual files in the .jar file.

  You can substitute your version of .gif files or .wav files, without changing the file names and then place the changed files back to the directory using the following jar command:

  jar -uf imbrand.jar com/Sun/im/client/images/*.gif

  This command updates the imbrand.jar file with the modified .gif files. The same is possible with the audio files (.wav files).

• im.jnlp - this file invokes the Java Web Start version of the Instant Messenger application. You can modify the codebase, title, vendor, and descriptions in the file.

  Example 13–1 shows a sample im.jnlp file with the HTML code that can be customized in bold typeface.

Example 13–1 Sample im.jnlp File

<?xml version="1.0" encoding="utf-8"?>
<!-- Instant Messenger -->
<jnlp
  spec="1.0+"
  codebase="http://im.i-zed.com:80/im"
  href="en/im.jnlp">
  <information>
    <title>Instant Messaging</title>
    <vendor>I-Zed.com</vendor>
    <homepage href="http://www.I-zed.com/"/>
    <description>I-Zed’s Sun Java System Instant Messenger</description>
    <description kind="short">Instant Messenger</description>
    <icon href="CompanyLogo.gif"/>
    <offline-allowed/>
  </information>
  <security>
    <all-permissions/>
  </security>
  <resources>
    <j2se version="1.3+">
      <resources>
        <jar href="en/imres.jar"/>
        <jar href="en/imbrand.jar"/>
      </resources>
    </j2se>
    <jar href="messenger.jar"/>
    <jar href="imdesktop.jar"/>
    <jar href="imnet.jar"/>
    <jar href="icalendar.jar"/>
    <nativelib href="imjni.jar"/>
  </resources>
  <application-desc main-class="com.iplanet.im.client.iIM">
    <argument>server=im.i-zed.com:45222</argument>
    <argument>help_codebase=http://im.i-zed.com:80/im/en</argument>
  </application-desc>
</jnlp>

In the im.jnlp file, the argument <argument>servername</argument> represents the Instant Messaging multiplexor host and port. If you change the default value of the iim_mux.listenport parameter, you need to change the servername value to host.domain:port.

Contents of imbrand.jar

The tables in this section list the files in the imbrand.jar file and provide a description of each file wherever possible. The imbrand.jar file also contains the image and audio files you can use to re-brand Instant Messenger. This section contains the following tables:

• Table 13–2 – configuration files used to configure Instant Messenger.

• Table 13–3 – emoticons available for use during chat sessions.

• Table 13–4 – icons used by the application on Windows.

• Table 13–5 – icons used by the application on all platforms.

• Table 13–6 – icons used in the toolbar.

• Table 13–7 – icons used in the contact list.

• Table 13–8 – icons used to describe presence information in the contact list.

• Table 13–9 – icons used to describe presence information in the status bar.

• Table 13–10 – available backgrounds.

• Table 13–11 – sounds used to indicate alerts and status or configuration changes.

Rebranding Instant Messenger

The imbrand.jar file contains all images and the properties that control the look and feel of Instant Messenger. You can customize the appearance of Instant Messenger by modifying the images and the properties in imbrand.jar.

To Rebrand Instant Messenger

Steps

1. Copy imbrand.jar file to a working directory.

   For example:

   cp im_svr_base/html/lang/imbrand.jar working_directory

2. Change to the working directory.

   cd working_directory

3. Extract the imbrand.jar file.

   jar xf imbrand.jar

   This command creates a directory tree where the resource files are copied. This directory structure has to be maintained when you modify the individual files in the imbrand.jar file.

   Alternatively, you can extract a single file included in imbrand.jar and put it under the directory structure you specify. For example, to extract only brand.properties, use the following command:

   jar xf imbrand.jar com/sun/im/desktop/brand/brand.properties

4. Update imbrand.jar with the modified .gif, .wav, and .properties files.

   You can update all the files in imbrand.jar as follows:

   jar cf imbrand.jar .

   To update imbrand.jar with a single modified file, use the following command:

   jar uf imbrand.jar com/sun/im/desktop/brand/filename

   Where filename is the name of the file included in imbrand.jar, for example, brand.properties.

5. Copy imbrand.jar to the resource directory.

   For example:

   cp imbrand.jar im_svr_base/html/lang/ .

   ---

   Note –

   If you support multiple locales in your deployment, follow the procedure for rebranding Instant Messenger for every supported locale.

   ---

Customizing User Name and Group Name Display

You can customize how Instant Messenger displays contact and group names by changing the attribute used to display contact names. By default, the Instant Messenger uses the attribute cn to represent a user's display name. In your deployment, you may prefer to use uid or some other attribute instead of cn.

Contact names appear as First Name, Last Name. For example, Frank Smith, Mary Jones, and so on. When two end users have the same first name and last name, it is impossible to know which end user has to be added to the contact list. You can customize Instant Messenger to display more information in the search results for the user search, and to display additional information in the Contact tooltip to help distinguish between contacts. For example, you can display the phone number of the Contact when the mouse is placed over the Contact.

To Change the Attribute Used to Display a User's Name

Steps

1. Open iim.conf.

   See iim.conf File Syntax for instructions on locating and modifying iim.conf.

2. Specify the attribute you want to use to display usernames as the value for iim_ldap.userdisplay.

   For example, to use the nickname attribute, set the iim_ldap.userdisplay attribute as follows:

   iim_ldap.userdisplay=nickname

3. Save and close the file.

To Change the Attribute Used to Display a Group's Name

Steps

1. Open iim.conf.

   See iim.conf File Syntax for instructions on locating and modifying iim.conf.

2. Specify the attribute you want to use to display usernames as the value for iim_ldap.groupdisplay.

   For example, to use the uid attribute, set the iim_ldap.groupdisplay attribute as follows:

   iim_ldap.groupdisplay=uid

   Save and close the file.

To Customize User Name Display in Search Results

Steps

1. Extract the files from imbrand.jar.

   See Table 13–1 for default locations for imbrand.jar

2. Change to the following directory:

   com/sun/im/client/

3. Open brand.properties.

4. Add the dialogs.searchresults.format attribute to the file.

5. Add the attributes you want to include in search results in the following format:

   ${attr:attribute-name}

   Where attribute-name is the name of the LDAP attribute.

   For example, to include the title attribute, add the following line:

   dialogs.searchresults.format=(${attr:title})

6. Save your changes and close the file.

7. Repackage imbrand.jar.

8. Add the user attributes to iim.conf.

   Specify the attributes as values for the iim_ldap.userattributes parameter. Separate multiple attributes with a comma, for example:

   iim_ldap.userattributes=title,department,telephonenumber

   See iim.conf File Syntax for instructions on locating and modifying iim.conf.

To Customize Tooltip Contents

Steps

1. Extract the files from imbrand.jar.

   See Table 13–1 for default locations for imbrand.jar

2. Change to the following directory:

   com/sun/im/client/

3. Open brand.properties.

4. Add the contact.tooltip.format.html attribute to the file.

5. Specify the attribute you want to display in the tooltip as the value for contact.tooltip.format.html.

   For example, if you want to display the telephone number and email address of the contact, you would enter:

   contact.tooltip.format.html=mailto: ${attr:mail} tel: ${attr:telephonenumber}

   For more information on customizing the contents of imbrand.jar file, see Customizing the Application (Java Web Start).

6. Save your changes and close the file.

7. Repackage imbrand.jar.

Modifying How Client Users Search for Contacts

By default the commonname or cn LDAP attribute is used as a search attribute for users. You can configure Instant Messaging to allow users to search on additional attributes. In addition, If your directory is indexed to allow the use of wildcards, you can configure the Instant Messaging server to allow wildcards in searches for contact names.

To Allow Users to Search on Custom Attributes

Steps

1. Open iim.conf.

   See iim.conf File Syntax for instructions on locating and modifying iim.conf.

2. Modify the iim_ldap.usergroupbynamesearchfilter attribute.

   This parameter specifies the LDAP search string used when searching for users or groups. Provide the attribute value in standard LDAP filter syntax. You can modify it to allow more complex searches. See your Directory Server documentation for more information on modifying search strings.

3. Save and close the file.

To Allow Wildcards in Searches

Steps

1. Open iim.conf.

   See iim.conf File Syntax for instructions on locating and modifying iim.conf.

2. Set the iim_ldap.allowwildcardinuid parameter to True.

   This parameter determines if the use of wildcards should be enabled for User IDs while doing a search. Most directory installations have User IDs indexed for exact searches only, so the default value is False.

3. Ensure that User IDs are indexed for substring search in your directory.

   Setting the iim_ldap.allowwildcardinuid parameter to True can impact performance unless User IDs are indexed for substring search in your directory. See your directory server documentation for instructions on indexing.

Administering Conference Rooms and News Channels

The administrator can create conference rooms and news channels for end users. However, with the proper privileges, end users can do this also. For more information about adding policies to give end users access to create conference rooms and news channels, see Chapter 15, Managing Instant Messaging and Presence Policies. End users who create a conference room or a news channel by default have Manage access, enabling them to administer the conference room or the news channel.

Listed below are tasks that you can perform in Instant Messenger to administer the conference rooms and the news channels. For more information on performing these tasks, see the Online Help.

• Administering conference rooms

• Administering and managing news channels

• Assigning conference room access levels to end users

• Assigning news channel access levels to end users

• Assigning end users to conference rooms

• Assigning end users to news channels (subscribing)

• Creating new conference rooms

• Creating new news channels

• Configuring end user settings

• Deleting conference rooms

• Deleting messages from news channels

• Deleting news channels

• Posting messages in news channels

• Removing end users from conference rooms

• Removing end users from news channels

Modifying Instant Messenger Proxy Settings

Instant Messaging messages can contain embedded URLs. For example, http://stocks.yahoo.com?id=sunw. If you are using proxy servers, you need to resolve such embedded URLs by modifying the Instant Messenger proxy settings in the Java Web Start configuration.

This is likely to happen if your organization has a firewall, and you need to go through the proxy server before connecting your client hosts to internet, and if Java Web Start has not been configured with the right proxy settings.

Java Web Start can automatically configure the proxy settings by querying the system or the default browser. However, it is not possible for the Java Web Start to automatically configure these settings if the proxy settings are configured using a JavaScript file.

To Set Proxy Settings Manually

Steps

1. Invoke Java Web Start.

2. From the File menu, choose Preferences.

3. Select Manual option in the Preferences dialog.

4. Enter the following details:

   HTTP Proxy. Enter the Name or the IP address of the proxy server.

   HTTP Port. Enter the port number of the proxy server.

   No Proxy_Hosts. Enter the name of any domain that you can connect directly, bypassing the proxy server. Use commas to separate multiple host names.

5. Click OK to save the proxy settings.

Controlling the Exposed Messenger Feature Set

You can control the exposed feature set of Instant Messenger by configuring the Instant Messaging applet parameters in the applet descriptor files.

Table 13–12 shows the Instant Messenger applet parameters in the applet descriptor files. It also contains the description and the default values of these parameters.

Instant Messenger Data Stored in the End User’s System

Instant Messenger caches a limited amount of information on the end user’s system for auto-login. This information is located at:

home_directory/.sunmsgr

home_directory is the end user's home directory. The home directory of the end user can be obtained from the user.home parameter in the Java system property.

Table 13–13 shows the directories and files containing the cached data. It also contains the description of the files and the directories.

Table 13–14 shows the auto-logon properties for Instant Messaging. It also contains the description and the default values of these properties.

Redeploying Resource Files

If you are using Sun Java^TM System Application Server or Sun Java^TM System Web Server, and you make changes to the resource files after you run the configure utility as a result of site changes or customization, you need to redeploy the files to the web container.

To Redeploy Resource Files to Sun Java^TM System Access Manager or Sun Java^TM System Web Server

Step

Run the redeploy command.

im_svr_base/html/redeploy

Where im_svr_base is the directory in which you installed Instant Messaging.

See the documentation for your web container for additional information.

Chapter 14 Using Calendar Pop-up Reminders

Instant Messaging is integrated with Sun Java^TM System Calendar Server to provide automatic pop-up reminders to Instant Messenger users for both calendar events and tasks.

This section contains the following topics:

• Pop-up Reminders Overview

• Configuring Instant Messaging Pop-ups

• Administering the Calendar Agent

Pop-up Reminders Overview

This section contains the following topics:

• Pop-up Reminders Operation

• Pop-up Reminders Architectural Flow

• iim.conf Calendar Pop-up Configuration Parameters

Pop-up Reminders Operation

Users can receive Instant Messenger pop-up reminders for upcoming events and tasks on their calendars. To enable these pop-up reminders, the following must occur:

• The administrator must configure the Calendar server and the Instant Messaging server to allow pop-up notifications.

• The end user must specify email reminders in the Options tab of either Calendar Express or Communications Express, which sets an alarm in the Event Notification System.

• The end user must enable calendar reminders in Instant Messenger.

With pop-ups enabled, when an impending event or task nears, the alarm set in the Event Notification System causes Calendar Server to send an email notification and Instant Messaging to display a pop-up reminder.

Pop-up Reminders Architectural Flow

If configured, Instant Messaging pop-up reminders follow this architectural flow:

1. The Instant Messaging JMS subscriber subscribes to Calendar server events and notifications in the Event Notification Service (ENS).

2. Calendar server publishes an event or task notification in text/xml or text/calendar format to ENS.

3. The Instant Messaging JMS subscriber receives the calendar event or task notification and then generates a message in text/calendar format.

4. The Instant Messaging server sends the message to the calendar owner, if the end user is online.

5. If the recipient is available, Instant Messenger generates an HTML pop-up reminder on the end user’s desktop based on the message.

   If the recipient is not available, the Instant Messaging server discards the message.

iim.conf Calendar Pop-up Configuration Parameters

When you install Instant Messaging, several configuration parameters used with the Calendar agent are added by default to iim.conf. You can also enable the Calendar agent and provide associated configuration information when you run the configure utility. However, you might want to manually configure pop-ups, for example, if you have customized the resource files for Instant Messenger. If you rerun configure, you will then need to redeploy the resource files. If you choose to manually configure the Instant Messaging server for Calendar pop-ups instead of running the configure utility, you will need to provide values for these parameters. See Chapter 1, Configuring Instant Messaging After Installation for information on the configure utility.

Table 14–1 lists the configuration parameters you will use to configure the Instant Messaging server and the Calendar agent in order to use Calendar pop-ups.

Configuring Instant Messaging Pop-ups

This section includes the following configuration instructions:

• To Configure Instant Messaging Server for Calendar Pop-ups Using the configure Utility

• To Manually Configure Instant Messaging Server for Calendar Pop-ups

• To Configure Calendar Server for Pop-ups

• To Configure Instant Messenger for Calendar Pop-ups

To Configure Instant Messaging Server for Calendar Pop-ups Using the configure Utility

Steps

1. Run configure.

   See Completing the Configuration Checklist for more information about the configure utility.

2. On the Calendar Agent configuration screen, select the Enable Calendar Agent checkbox.

3. Enter the Notification Server hostname and port number.

   Use the same port number as the port number specified by the service.ens.port parameter in the ics.conf file on the Calendar Server.

   The values you provide are combined and stored as the value for the jms.provider.ens.broker parameter in iim.conf. For example, if you enter localhost for the hostname and 57997 for the port number, the jms.provider.ens.broker parameter would be set as follows:

   jms.provider.ens.broker=localhost:57997

4. Enter the Calendar Alarm URL.

   This URL is the destination of the alarm. For example:

   enp:///ics/customalarm

   Use the same URL as the URL specified by the caldb.serveralarms.url parameter in the ics.conf file on the Calendar Server.

   The value you provide is stored as the value for the jms.consumer.cal_reminder.destination parameter in iim.conf.

5. Click Next and continue with configuration.

   See Chapter 1, Configuring Instant Messaging After Installation for more information about the configure utility.

To Manually Configure Instant Messaging Server for Calendar Pop-ups

Before You Begin

Gather the information in Table 14–1.

Steps

1. Edit one or more of the parameters in the iim.conf file as shown in Table 14–1.

   See iim.conf File Syntax for instructions on locating and modifying iim.conf.

   The parameter values shown assume you want pop-up reminders for both events and tasks. If these parameters do not already exist in iim.conf, add them.

2. Start the Calendar agent using imadmin.

   imadmin start agent-calendar

   The imadmin command-line utility is located in the following directory:

   im_svr_base/sbin

   Where im_svr_base is the directory in which you installed Instant Messaging.

To Configure Calendar Server for Pop-ups

Steps

1. Log in to the Calendar server host as an administrator with permission to change the configuration.

2. Change to the cal_svr_base/SUNWics5/cal/config directory.

   Where cal_svr_base is the directory in which you installed Calendar Server.

3. Save your old ics.conf file by copying and renaming it.

4. Confirm that the parameters shown in the following table have the values shown. If they do not, you need to modify them.

   Parameter	Description and Default Value
   caldb.serveralarms	Enables calendar alarms to be queued. The default is "1" (enabled).
   caldb.serveralarms.contenttype	Output format for alarm content. The default is "text/xml".
   caldb.serveralarms.dispatch	Enables calendar alarms to be dispatched. The default is "yes".
   caldb.serveralarms.dispatchtype	The type of server alarm to dispatch. The default is "ens".
   caldb.serveralarms.url	This is the URL for alarm retrieving alarm contents. The default is "enp:///ics/customalarm".

5. Save the ics.conf file.

6. Restart Calendar server.

   cal_svr_base/SUNWics5/cal/sbin/start-cal

   Where cal_svr_base is the directory in which you installed Sun Java^TM System Calendar Server.

To Configure Instant Messenger for Calendar Pop-ups

Steps

1. On the Instant Messenger Main window, select Tools ->Settings.

2. On the Settings window, click the Alerts tab.

3. Check the Show Calendar Reminders option.

4. Click OK.

   Users can now receive Calendar pop-ups through Instant Messenger while they are online.

Administering the Calendar Agent

The Calendar agent is an Instant Messaging component that provides pop-up functionality to Calendar and Instant Messaging users. Using tools provided with Instant Messaging, you can start, stop, restart, or check the status of the Calendar agent as well as monitor its activity through log files. See Stopping, Starting, Refreshing, and Checking Instant Messaging Components for information on administering the Calendar agent component. Also see Chapter 11, Managing Logging for Instant Messaging for information about Calendar agent logs.

Chapter 15 Managing Instant Messaging and Presence Policies

Instant Messaging provides various functional features such as chat, conferencing, polls, presence access, etc. A policy describes a set of access control privileges that can be associated with these features. In turn, end users and groups can be assigned to policies according to the needs of an organization.

This chapter describes how to define and use policies to manage the access that end users and administrators have to the Instant Messaging server features and privileges:

• Overview of Privacy, Security, and Site Policies

• Methods for Controlling End User and Administrator Privileges

• Managing Policies Using Access Control Files

• Managing Policies using Sun Java^TM System Access Manager

Overview of Privacy, Security, and Site Policies

Instant Messaging provides the ability to control access to Instant Messaging features and preserve end-user privacy.

Site Policies

Site policies specify end-user access to specific functionality in Instant Messaging. Site policies specify the ability to:

• Access the presence status of other end users

• Send alerts to other end users

• Save properties on the server

• Create and manage conference rooms

• Create and manage news channels

The Instant Messaging administrator has access to all Instant Messaging features. The administrator has MANAGE access to all conference rooms and news channels, can view presence information of any end user, and can view and modify properties such as Contact Lists and Instant Messenger Settings of any end user. The site policy settings have no impact on the administrator’s privileges.

By default, the end user is provided with the privileges to access the presence status of other end users, send alerts to end users, and save properties to the server. In most of the deployments, the default values are not changed. These default values need to be changed when Instant Messaging is used exclusively for the pop-up functionality.

When Instant Messaging is used exclusively for the pop-up functionality, the end user will not be provided with the access privileges to presence information, chat, and news features.

Although certain privileges can be set globally, the administrator can also define exceptions for these privileges. For example, the administrator can deny certain default privileges to select end users, roles, or groups.

Conference Room and News Channel Access Controls

End users can have the following access privileges on Conference rooms and News channels:

• MANAGE - full access, which includes the ability to set the conference room or the news channel privilege for other end users.

• WRITE - privilege to add contents to the conference room or the news channel.

• READ - privilege to read the conference room or the news channel contents.

• NONE - no access privileges.

End users with the MANAGE privilege can set the default privilege level for all the other end users. These end users can also define the exception rules to grant an access level that is different from the default access level permission given to specific end users or groups.

Setting the WRITE privilege, also grants the end users the READ privilege.

User Privacy

End users can specify whether other end users can see their presence. By default, all end users can access the presence information of all other end users. End users can also set exceptions for denying this access to certain end user and groups.

If an end user has denied other end users from accessing the end user’s presence status, then that end user’s availability status appears as offline in other end user's contact lists. No alerts or chat invitations can be sent to an end user whose presence status is offline.

User privacy can be configured using the User Settings window in the Instant Messenger. For more information on configuring user privacy, see Instant Messenger Online Help.

Methods for Controlling End User and Administrator Privileges

Different sites using Instant Messaging server have different needs in terms of enabling and restricting the type of access end users have to the Instant Messaging service. The process of controlling end user and administrator Instant Messaging server features and privileges is referred to as policy management. There are two methods of policy management available: through access control files or through Sun Java^TM System Access Manager.

• Managing Policies Using Access Control Files - The access control file method for managing policies allows you to adjust end-user privileges in the following areas: news channel management, conference room management, the ability to change preferences in the User Settings dialog, and ability to send alerts. It also allows specific end users to be assigned as system administrators.

• Managing Policies using Sun Java^TM System Access Manager - This method gives you control of the same privileges available with the access control file method; however, it additionally allows more fine-tuned control over various features, such as the ability to receive alerts, send polls, receive polls, etc. For a complete list, see Table 15–3. Furthermore, managing policies using Sun Java^TM System Access Manager gives you finer-tuned control over privileges.

  Two types of policies exist, Instant Messaging policies and Presence policies. The Instant Messaging policies govern general Instant Messaging features, such as the ability to send or receive alerts, the ability to manage public conferences and news channels, and the ability to send files. Presence policies govern the control end users have over changing their online status, and in allowing or preventing others from seeing their online or presence information.

If your deployment does not include Sun Java^TM System Access Manager, you must use the access control file method to manage policies. If you are using Sun Java^TM System Access Manager with the Instant Messaging server, and you have installed the Instant Messaging and Presence services components, you can use either policy management method. Managing policies using Sun Java^TM System Access Manager is a more comprehensive method. One advantage of this method is that it allows you to store all end-user information in the directory.

Setting the Policy Management Method

When you choose which method to use to manage policies, you must also choose where they will be stored. Select the method for managing policies by editing the iim.conf file and setting the iim.policy.modules parameter to either identityfor the Access Manager method or iim_ldap for the access control file method, which is also the default method.

Follow these steps to set which method you want to use to manage policies.

To Set the Policy Management Method

Steps

1. Open iim.conf.

   See iim.conf File Syntax for instructions on locating and modifying iim.conf.

2. Edit the iim.policy.modules parameter by setting it to one of the following:

   • iim_ldap (default, the access control file method)

   • identity (the Access Manager method)

   If you choose identity, you can run imadmin assign_services to assign Instant Messaging and presence services to existing users.

3. Edit the iim.userprops.store parameter and set it to either:

   • ldap (To store user properties in LDAP.)

     If you choose ldap, you can run imadmin assign_services to add the required objectclasses that store user properties to user entries in the directory.

   • file (Default, to store user properties in files.)

4. Save and close iim.conf.

5. Refresh the configuration.

Policy Configuration Parameters

Table 15–1 lists and describes the parameters available in iim.conf that relate to the increased role that Sun Java^TM System Access Manager can play in Instant Messaging deployments.

Managing Policies Using Access Control Files

By editing access control files you control the following end-user privileges:

• Access to the presence status of the other end users

• Send alerts to other end users

• Save properties on the server

• Create new conference rooms

• Create new news channels

By default, end users are provided the privileges to access the presence status of other end users, send alerts to end users, and save properties to the server. For most deployments, default values do not need to be changed.

Although certain privileges can be set globally, the administrator can also define exceptions for these privileges. For example, the administrator can deny certain default privileges to select end users or groups.

In addition, if you are enforcing policy through access control files in your deployment, those files must be the same for all servers in a server pool.

Table 15–2 lists the global access control files for Instant Messaging and the privileges these files provide end users.

To Change End-user Privileges in Access Control Files

Steps

1. Change to the im_cfg_base/acls directory.

   See Instant Messaging Server Directory Structure for information on locating im_cfg_base.

2. Edit the appropriate access control file.

   For example:

   vi sysTopicsAdd.acl

   See Table 15–2 for a list of access control files.

3. Save the changes.

4. End users need to refresh the Instant Messenger window to see the changes.

Using Access Control Files in a Server Pool

If you are enforcing policy through access control files in your deployment, the content of the files must be the same for all servers in a server pool. To ensure this, copy the files from one server to each of the other nodes in the pool. See Access Control File Location for information on finding these files.

Access Control File Location

The location of the access control files is im_cfg_base/acls. Where im_cfg_base is the configuration directory. See Instant Messaging Server Directory Structure for information about the default location of the configuration directory.

Access Control File Format

The access control file contains a series of entries that define the privileges. Each entry starts with a tag as follows:

• d: - default

• u: - user

• g: - group

The tag is followed by a colon (:). In case of the default tag it is followed by true or false.

End-user and group tags are followed by the end-user or group name.

Multiple end users and groups are specified by having multiple end users (u) and groups (g) in lines.

The d: tag must be the last entry in an access control file. The server ignores all entries after a d: tag. If the d: tag is true, all other entries in the file are redundant and are ignored. You cannot set the d: tag as true in an access control file and selectively disallow end users that privilege. If default is set to false, only the end users and groups specified in the file will have that particular privilege.

The following are the default d: tag entries in the ACL files for a new installation:

• sysAdmin.acl - Contains d:false

• sysTopicsAdd.acl - Contains d:false

• sysRoomsAdd.acl - Contains d:false

• sysSaveUserSettings.acl - Contains d:true

• sysSendAlerts.acl - Contains d:true

• sysWatch.acl - Contains d:true