iPlanet Portal Server: Instant Collaboration Pack Release 3.0 Deployment Guide



Deploying iPlanet Portal Server: Instant Collaboration Pack Release 3.0


This guide gives an overview of the issues involved in designing and installing an instant messaging solution with iPlanet™ Portal Server: Instant Messaging Pack Release 3.0 (also referred to as iPlanet™ Instant Messaging Server Release 3.0). It outlines important deployment concepts and installation decisions to be considered.

This guide contains the following sections:



Planning the Operating System and Hardware

The first step in planning your iPlanet Portal Server: Instant Collaboration Pack configuration is to decide on the operating system platform and identify server hardware requirements. See the iPlanet Portal Server: Instant Collaboration Pack 3.0 Release Notes for more information.

http://docs.iplanet.com/docs/manuals/portal.html



Note Installing iPlanet Portal Server: Instant Collaboration Pack in portal mode requires that your operating system be Solaris. iPlanet Portal Server currently runs only on Solaris.




Concurrent Users and Resource Requirements

Correctly formulating the maximum number of concurrent users that has to be sustained by the system is key to planning your resource requirements. A deployment will have a maximum number of configured users, but the more important planning value is the maximum number of concurrent users.

To calculate the number of concurrent users, first determine your user base—the maximum number of configured users. A conservative estimate for the number of concurrent users can then be determined based on a 1:10 ratio. Thus, for a deployment of 50,000 configured users, the concurrent users would be 5,000. (The active ratio of concurrent users will vary from site to site.)

Use Table 1 to help determine what hardware resources to plan for. <Portia's slide say 100MB of server memory per 8000 connections; 50MB of mux memory per 1000 connections>


Table 1    Concurrent Users and Resource Requirements

Number of Concurrent Users | Number of CPUs | Amount of Server Memory | Amount of Multiplexor Memory
0-5,000 | | |
5,000-25,000 | | |
25,000-50,000 | | |
50,000 and above | | |



Note You need to use a provisioning tool to create the profile information on the backend server (LDAP) for each new user.





Deploying iPlanet Portal Server: Instant Collaboration Pack in Portal or Standalone Mode Overview



This section provides an overview of deploying iPlanet Portal Server: Instant Collaboration Pack in both portal and standalone modes.


Deployment Options

You can install and configure iPlanet Portal Server: Instant Collaboration Pack in one of two ways:

  • As part of the iPlanet Portal Server environment, making iPlanet™ Instant Messenger available as an application in the iPlanet Portal Server Desktop Applications channel (Solaris only)

  • As a standalone server

Whether you install iPlanet Portal Server: Instant Collaboration Pack in the iPlanet Portal Server environment or as a standalone server, you can use a variety of configurations to fit your site needs. See the iPlanet Portal Server: Instant Collaboration Pack Release 3.0 Administrator's Guide for more information on these configurations.


Deploying iPlanet Portal Server: Instant Collaboration Pack in Portal Mode

iPlanet Portal Server: Instant Collaboration Pack enables you to utilize a number of different portal deployment scenarios, including:

  • Using an external LDAP server

  • Using iPlanet Portal Server's internal directory (instead of an external LDAP server)

  • Installing iIM server and client components on the same host (the portal host)

  • Installing iIM server and client components on different hosts

  • Using the iPlanet Portal Server: Secure Remote Access Pack (gateway) for encrypted communication (secure mode) between clients and the iIM server

You can add iPlanet Portal Server: Instant Collaboration Pack software to an existing portal deployment or create a fresh installation. When deploying iPlanet Portal Server: Instant Collaboration Pack in portal mode, answer the following questions before starting the installation:

  • Do I want to deploy all the components on the portal host, or do I want to separate components onto two hosts? See the iPlanet Portal Server: Instant Collaboration Pack Release 3.0 Installation Guide for more guidelines.

  • Do I want to run the iPlanet Instant Messenger client in secure or non-secure mode? In secure mode, information is encrypted between the client machines and the iIM server. If you choose to use secure mode, you must install the iPlanet Portal Server: SRAP (gateway) product.

  • Do I want to use an external LDAP directory server, or iPlanet Portal Server's internal directory, for the iPlanet Instant Messenger user IDs? (You can still use whatever portal authentication mechanism you choose.)

  • Do I have all the other required software installed? See "Other Software Dependencies" for more information on what other software is required.


Deploying iPlanet Portal Server: Instant Collaboration Pack in Standalone Mode

When deploying iPlanet Portal Server: Instant Collaboration Pack in standalone mode, you do not need to install the iPlanet Portal Server software. You will need an external LDAP directory server to contain the user IDs that iIM server will use for authentication.

iPlanet Portal Server: Instant Collaboration Pack enables you to utilize two different standalone deployment scenarios:

  • Installing the iIM server, multiplexor, and client components on the same system

  • Installing the iIM server, multiplexor, and client components on different systems



Other Software Dependencies

This section describes the server and client software needed by iPlanet Portal Server: Instant Collaboration Pack and iPlanet Instant Messenger. This additional software is not included with the iPlanet Portal Server: Instant Collaboration Pack software package.

Be sure to install all the recommended operating system patches before installing any of the other required software or iPlanet Portal Server: Instant Collaboration Pack itself.



Note Currently, there are no high-availability cluster agents for iPlanet Portal Server: Instant Collaboration Pack.




Server Software Dependencies

iIM server depends on the following software for proper operation. This software is not included with the iPlanet Portal Server: Instant Collaboration Pack software. You must install and configure this software separately. See the iPlanet Portal Server: Instant Collaboration Pack 3.0 Release Notes for information on supported software and versions.

  • iPlanet Portal Server - Required for deploying iPlanet Portal Server: Instant Collaboration Pack in a portal environment. If you are installing iPlanet Portal Server: Instant Collaboration Pack in a standalone environment, you do not need to install iPlanet Portal Server. (However, you still might be required to buy the iPlanet Portal Server software.)

  • Directory Server - Either an external LDAP directory for standalone or portal modes, or iPlanet Portal Server's internal directory for portal mode, is required. See "How iPlanet Instant Messenger Uses the Directory Server" for more information.



    Note For both portal and standalone modes, you can use an existing directory server; you do not need to install a directory server dedicated for iPlanet Portal Server: Instant Collaboration Pack use. See "Indexed LDAP Attributes" for information on which directory attributes need to be indexed to optimize for iPlanet Portal Server: Instant Collaboration Pack.



  • Web Server - Required to serve up HTML to iPlanet Instant Messenger and resolve URLs included in instant messages and news channel content.



    Note iPlanet Portal Server installations: You must install the iPlanet Portal Server: Instant Collaboration Pack client component on the host containing the iPlanet Portal Server and use the web server that ships with iPlanet Portal Server. You can install the iIM server and multiplexor components either on the iPlanet Portal Server host or on a separate host.



  • SMTP server - Required to send email to users who receive alerts while offline. In the absence of an SMTP server, alerts cannot generate email for offline users; otherwise, the product still functions normally. You can use an existing SMTP server; you do not need an SMTP server dedicated for iPlanet Portal Server: Instant Collaboration Pack use.

  • (Optional) User Provisioning Tool - Subscriber provisioning can be accomplished with LDAP command-line tools or through iPlanet Delegated Administrator (iDA), if you are using an external LDAP directory. All iPlanet Instant Messaging Server preferences are accessible with the iPlanet Instant Messenger. As such, the use and deployment of iDA is optional.


Client Software Dependencies

iPlanet Instant Messenger depends on the following software (see the iPlanet Portal Server: Instant Collaboration Pack 3.0 Release Notes for more information on supported software and versions):

  • Java Runtime Environment

  • Java Web Start or Java Plug-in

This software is not included with the iPlanet Portal Server: Instant Collaboration Pack software. Download this software from the Javasoft web site and install it on each client running the iPlanet Instant Messenger client. Table 2 shows the client software dependencies.


Table 2    Client Software Dependencies

Client Operating System

Client Software Options

Solaris (2.6 or 8)  

You must use Java Web Start; Java Plug-in is not an option. Download both the JRE for Solaris and Java Web Start.  

Windows 98, NT, or 2000  

  • If you download the JRE for Windows, it includes the Java Plug-in, so you don't need to download and install it separately.

  • If you download Java Web Start, the JRE is bundled and you don't need to download and install it separately.

 

See the iPlanet Portal Server: Instant Collaboration Pack Release 3.0 Installation Guide for information on obtaining and installing Java Runtime Environment, Java Web Start, and Java Plug-in software.



Note After downloading the Java software from the Javasoft web site, consider setting up your own internal web site to stage this software. You can customize your own web pages based on the index.html, solaris.htm, and windows.htm files supplied with iPlanet Portal Server: Instant Collaboration Pack. See the iPlanet Portal Server: Instant Collaboration Pack Release 3.0 Administrator's Guide for instructions on customizing these files.

Creating an internal web site spares your users from going to the Internet to obtain this software, which avoids potential download delays and the need for individual users to register for the software. It also enables you to better control your client configurations. For example, if you want your users to use Java Web Start and not Java Plug-in, you configure your internal web site for the Java Web Start software only.





Planning Your Server Configuration



This section provides the namespace and LDAP server information you need to plan your configuration.


Namespace Management

A namespace is defined by a node in the directory under which all uids are unique. You must be able to associate an instant messaging domain name with the namespace. iPlanet Portal Server: Instant Collaboration Pack has the following namespace requirements:

  • iPlanet Portal Server: Instant Collaboration Pack supports one namespace per iIM server.

    iPlanet Portal Server: Instant Collaboration Pack does not support multiple namespaces per single server. In addition, in a domain hosting environment, a given iIM server instance cannot serve more than one domain, unless uids are unique across the entire site.

  • iPlanet Portal Server: Instant Collaboration Pack supports one iIM server per namespace.

    To enable users in different domains to communicate, you need to enable server-to-server communication. See the iPlanet Portal Server: Instant Collaboration Pack Release 3.0 Administrator's Guide for instructions on setting up server-to-server communications.


Directory Information Tree Examples

Use the following DIT examples to help determine how to deploy iPlanet Portal Server: Instant Collaboration Pack at your site.


DIT Example 1—Unique UIDs Across the DIT

Figure 1 shows a DIT in which uids are unique across the tree.

Figure 1    DIT Example 1—Unique UIDs Across the DIT

For this kind of tree structure, you would deploy a single iPlanet Portal Server: Instant Collaboration Pack server and make the base DN in the iim.conf file the following entry:

  • dc=isp, dc=com, o=internet


DIT Example 2—UIDs Unique Across Multiple Organizations

Figure 2 shows a DIT in which uids are unique across each organization (ou container).

Figure 2    DIT Example 2—UIDs Unique Across Multiple Organizations

For this kind of tree structure, deploy one iPlanet Portal Server: Instant Collaboration Pack server for each logical subtree and use the following base DN entries:

  • Server 1: ou=sales, dc=i-zed, dc=com, o=internet

  • Server 2: ou=engineer, dc=i-zed, dc=com, o=internet

  • Server 3: ou=marketing, dc=isp, dc=com, o=internet



    Note These base DNs would also enable iIM server to search LDAP groups, which appear at the same node in the DIT as the people containers. For simplicity's sake, Figure 2 does not show any group containers.



When deploying multiple iIM servers in this example, pay attention to the following:

  • You need to install three hosts, each with its own iIM server process. When running multiple hosts, users must be informed how to connect to the proper multiplexor. You accomplish this by installing a specific client component for each server instance, so that the host name of the multiplexor the client connects to is filled in in the appropriate launch file (iim.html, or iim.jnlp/iimres.jnlp). You can install a single client component, but then you need to edit the appropriate launch files to point users to the proper multiplexor. See the iPlanet Portal Server: Instant Collaboration Pack Release 3.0 Administrator's Guide for more information on customizing these files.

  • iPlanet Instant Messenger distinguishes users in different instant messaging domains by appending the instant messaging domain name to the user name, for example, john@sales, scott@marketing, and so on. In iPlanet Instant Messenger, when you place your cursor over a userID, a tooltip message appears, displaying the user's status. If the user is on a server (domain) different than yours, the tooltip displays the userID in the form userID@domain.



    Note To see and communicate with users in instant messaging domains on different servers, you need to configure iPlanet Portal Server: Instant Collaboration Pack for server-to-server communication. See the iPlanet Portal Server: Instant Collaboration Pack Release 3.0 Administrator's Guide for more information.
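An added example, not part of the original guide: a check, run over an LDIF export, of whether a candidate base DN is a namespace in the sense used above (no uid occurs twice below it), plus a walk down the tree to the shallowest nodes that are. The entries are constructed, and the parser assumes plain LDIF without folded lines, base64 values, or escaped commas in DNs.

```python
import re
from collections import defaultdict


def norm_dn(dn):
    """Return a DN as a tuple of lower-cased RDNs, leaf first.
    Spaces around ',' and '=' are dropped, so 'dc=isp, dc=com' == 'dc=isp,dc=com'."""
    return tuple("=".join(part.strip() for part in rdn.split("=", 1)).lower()
                 for rdn in dn.split(","))


def parse_ldif(text):
    """Return [(dn_tuple, uid), ...] for every entry that carries a uid."""
    entries = []
    for block in re.split(r"\n\s*\n", text.strip()):
        dn, uids = None, []
        for line in block.splitlines():
            key, _, value = line.partition(":")
            if key.strip().lower() == "dn":
                dn = norm_dn(value)
            elif key.strip().lower() == "uid":
                uids.append(value.strip().lower())  # uid matching ignores case
        if dn:
            entries.extend((dn, uid) for uid in uids)
    return entries


def under(dn, base):
    """True if dn is base itself or lies below it."""
    return len(dn) >= len(base) and dn[-len(base):] == base


def clashes(entries, base_dn):
    """Map each uid found in more than one entry under base_dn to those DNs."""
    base = norm_dn(base_dn)
    seen = defaultdict(set)
    for dn, uid in entries:
        if under(dn, base):
            seen[uid].add(",".join(dn))
    return {uid: sorted(dns) for uid, dns in seen.items() if len(dns) > 1}


def plan(entries, root_dn):
    """Return the shallowest base DNs under root_dn below which uids are unique.
    With one namespace per iIM server, each returned DN needs its own server."""
    base = norm_dn(root_dn)
    if not clashes(entries, root_dn):
        return [",".join(base)]
    children = sorted({dn[-(len(base) + 1):] for dn, _ in entries
                       if under(dn, base) and len(dn) > len(base)})
    bases = []
    for child in children:
        bases.extend(plan(entries, ",".join(child)))
    return bases


# Constructed sample: jdoe exists in both the sales and the engineer subtree.
SAMPLE_LDIF = """\
dn: uid=jdoe,ou=people,ou=sales,dc=i-zed,dc=com,o=internet
uid: jdoe

dn: uid=asmith,ou=people,ou=sales,dc=i-zed,dc=com,o=internet
uid: asmith

dn: uid=jdoe,ou=people,ou=engineer,dc=i-zed,dc=com,o=internet
uid: JDoe

dn: uid=mlee,ou=people,ou=marketing,dc=isp,dc=com,o=internet
uid: mlee
"""

if __name__ == "__main__":
    entries = parse_ldif(SAMPLE_LDIF)
    print(clashes(entries, "dc=i-zed, dc=com, o=internet"))
    for base in plan(entries, "o=internet"):
        print("one iIM server with base DN:", base)
```

A uid that resolves to two entries under one base DN makes the login lookup ambiguous, which is why the guide requires a separate server for each subtree in that case.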




Directory Server and Provisioning iPlanet Instant Messenger Users

iPlanet Portal Server: Instant Collaboration Pack itself does not store iIM user provisioning information, but does store data such as user preferences. The user ID information is maintained in a directory that you specify during the installation process.

iPlanet Portal Server: Instant Collaboration Pack does not provide user administration tools. If you choose, you can install iPlanet Delegated Administrator to perform that role, or use the site provisioning tools for your directory server.

There are no iPlanet Portal Server: Instant Collaboration Pack specific commands to add, modify, or delete an iPlanet Instant Messenger user. Because users exist in the directory, use your site provisioning tools to perform these operations.

Likewise, you cannot disable an iPlanet Instant Messenger user. The only way to prevent users from using iPlanet Portal Server: Instant Collaboration Pack is to delete them from the directory.


How iPlanet Instant Messenger Uses the Directory Server

iPlanet Instant Messenger uses the directory server for user authentication and/or user search depending on the following configurations:

  • External LDAP - If you use an external LDAP directory server—either in standalone mode or portal mode—the uids contained in the directory become user IDs for iPlanet Instant Messenger users. Additionally, iPlanet Instant Messenger performs user searches with that directory. In portal mode, iPlanet Instant Messaging users can also log on directly to the iPlanet Instant Messaging Server without first starting a session with iPlanet Portal Server.

  • Internal directory - If you use iPlanet Portal Server's internal directory (portal mode only), iPlanet Instant Messenger does not authenticate the user IDs in the directory; it just performs user searches with the directory. (iPlanet Portal Server itself performs the authentication based on whatever portal authentication mechanism is used.) When configured to use the internal directory, iPlanet Instant Messaging users must first establish a session with iPlanet Portal Server to use iPlanet Instant Messaging. Users cannot log on to iIM in standalone mode.


iPlanet Portal Server Namespace Implications

When you install iPlanet Portal Server: Instant Collaboration Pack in portal mode, either iPlanet Portal Server itself, or an external LDAP directory, can manage the user namespace. This has deployment implications.


First Case: External LDAP Directory

While iPlanet Portal Server Profile Service maintains information about each user in the domain, you create and remove users by adding and removing entries in the external LDAP directory.

In addition, the external LDAP directory might physically maintain some portal attributes. You can use the iPlanet Portal Server Administration Console to map attributes between portal attribute names and LDAP user attribute names using the Ext LDAP configuration.

In this scenario, the installer automatically creates an attribute mapping between the portal user attribute iwtUser-iIMUserId and the LDAP user attribute uid. iIM server uses the external LDAP uids as user IDs, and uses the external LDAP directory to search for users. This means that when configured for external LDAP, iPlanet Instant Messaging users can log on directly to the iPlanet Instant Messaging Server (standalone mode) without first starting a session with iPlanet Portal Server.


Second Case: Namespace Maintained by iPlanet Portal Server Only

In this scenario, iIM server uses iPlanet Portal Server Profile Service's internal LDAP store for user search. iIM server performs no authentication, thus it does not support standalone mode. Users must have an active iPlanet Portal Server session to be able to use iIM server. In this scenario, the installer does not create any attribute mapping.


Logical Domain vs. DNS Domain

An important distinction needs to be made between the iPlanet Portal Server: Instant Collaboration Pack domain (instant messaging domain) and the DNS domain, as they are not equivalent. The instant messaging domain name is the logical domain name you want the iIM server to support. This is the name that is used by other iIM servers in the network to identify this server (the name tagged to users on this server when displayed to users on other servers). It is also the name used by this server to identify its users to other servers. This is not necessarily the FQDN (fully qualified domain name) of the system running the iIM server.

During installation, the installer prompts you to enter the iPlanet Portal Server: Instant Collaboration Pack domain name, which is stored in the iim.conf file as the iim_server.domainname parameter. This name can, and probably should, be different from the underlying DNS domain name. For example, if your DNS domain is www.i-zed.com, rather than use the same name for the instant messaging domain, consider using something such as iim.i-zed.com. This could help make it clear that the iPlanet Instant Messenger ID is not an email address.

The result of this is that an iPlanet Instant Messenger user ID, user@domain, which looks like an email address, is in fact not an email address. In some cases the iPlanet Instant Messenger user ID might map to an email address, but not necessarily. Thus, users might have a user ID such as johndoe@i-zed.com and an iPlanet Instant Messenger ID of johndoe@iim.i-zed.com (the ID displayed by the tooltip in the iPlanet Instant Messenger client).

In addition, if you install multiple iIM servers, hence multiple instant messaging logical domains, users need to know about these domains to search for and locate appropriate contacts. Users can use the "Domain to search on" pull-down menu in the various iPlanet Instant Messenger windows to search other domains they are configured to access.



Note In the future, the product might be redesigned to use DNS. At such point in time, the logical instant messaging domain name would no longer apply and you would want to use the DNS name.




Searching the Directory and Anonymous Bind

iPlanet Portal Server: Instant Collaboration Pack needs to be able to search the directory to function correctly. If your directory is configured to be searchable by anonymous users, iPlanet Portal Server: Instant Collaboration Pack has the capability it needs. If the directory is not readable by anonymous users, you must take additional steps to configure the iim.conf file with the credentials of a user ID that has at least read access to the directory.

These credentials consist of:

  • A distinguished name (dn)

  • The password of the above dn

Thus, you need to modify the iim.conf file if:

  • The external LDAP directory server does not allow anonymous bind, or

  • You are using iPlanet Portal Server's internal directory, because the internal directory server in general does not allow anonymous bind.

See the iPlanet Portal Server: Instant Collaboration Pack Release 3.0 Administrator's Guide for the steps to configure a specific user to search your directory.


LDAP Issues

The following LDAP issues might arise in a given deployment. Change the LDAP parameters in the iim.conf file accordingly.

Issue: Your directory does not permit anonymous bind. By default, iIM server performs an anonymous search of the LDAP directory. However, it is common for sites to prevent anonymous searches in their directory so that arbitrary users cannot run a search and retrieve all the information.

Solution: If your site's directory is configured to prevent such anonymous searches, the iIM server needs to have a user ID and password it can use to bind and do searches. Use the iim_ldap.usergroupbinddn and iim_ldap.usergroupbindcred parameters to configure the necessary credentials. See the iPlanet Portal Server: Instant Collaboration Pack Release 3.0 Administrator's Guide for more details.

Issue: Your site does not use the uid attribute for user authentication.

Solution: Use the iim_ldap.loginfilter parameter to set the attribute that is used by your directory for authentication. By default, this parameter is set to uid. Also change any "filter" parameter that contains uid in its value.

Issue: You want to change how iPlanet Instant Messenger displays contact names from the default.

Solution: The default attribute that iPlanet Instant Messenger uses to display contact names is cn. Thus, contact names appear as Frank Smith, Mary Jones, and so on. Edit the iim_ldap.userdisplay and iim_ldap.groupdisplay parameters to a different attribute, such as uid.

Issue: Your directory is indexed for wildcarding.

Solution: Change the iim_ldap.allowwildcardinuid parameter to True. This parameter determines if wildcarding should be enabled for uids while doing a search. As most directory installations have uids indexed for exact searches only, the default value is False. Setting this value to True can impact performance unless uids are indexed for substring search.

Issue: Your directory uses non-standard object/group classes.

Solution: Change the appropriate iim_ldap.* parameters, replacing inetorgperson and groupofuniquenames with your values.

Issue: Your directory does not use the mail attribute for email addresses. If so, iPlanet Instant Messenger will not be able to forward instant messages to offline users as email messages.

Solution: By default, the iim_ldap.user.mailattr parameter contains the value mail. Change this value to your site's value.
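An added example, not part of the original guide or the product: a small audit of the LDAP settings in iim.conf that the issues above turn on. The parameter names are the ones this guide mentions; the file syntax (name = value, optional double quotes, '#' or '!' comment lines), the parameter iim_ldap.somesearchfilter and all sample values are assumptions made for illustration.

```python
import os
import re
import stat
import tempfile

BIND_DN = "iim_ldap.usergroupbinddn"
BIND_CRED = "iim_ldap.usergroupbindcred"
LOGIN_FILTER = "iim_ldap.loginfilter"
WILDCARD = "iim_ldap.allowwildcardinuid"
UID_TOKEN = re.compile(r"\buid\b", re.IGNORECASE)


def parse_conf(text):
    """Return {parameter: value} from iim.conf-style text (assumed syntax)."""
    params = {}
    for raw in text.splitlines():
        line = raw.strip()
        if not line or line[0] in "#!" or "=" not in line:
            continue
        name, value = line.split("=", 1)  # values such as DNs contain '=' too
        value = value.strip()
        if len(value) >= 2 and value[0] == value[-1] == '"':
            value = value[1:-1]
        params[name.strip()] = value
    return params


def audit(path):
    """Return a list of (code, message) findings for the file at path."""
    with open(path, encoding="utf-8") as fh:
        params = parse_conf(fh.read())
    findings = []
    dn, cred = params.get(BIND_DN, ""), params.get(BIND_CRED, "")

    if not dn:
        findings.append(("anonymous-bind",
                         "no bind DN: the directory must allow anonymous search"))
    elif not cred:
        findings.append(("bind-cred-missing",
                         f"{BIND_DN} is set but {BIND_CRED} is empty"))
    if cred:
        mode = stat.S_IMODE(os.stat(path).st_mode)
        if mode & stat.S_IRWXO:
            findings.append(("conf-world-accessible",
                             f"file holds a bind credential but has mode {mode:o}"))

    if params.get(WILDCARD, "false").lower() == "true":
        findings.append(("uid-wildcard",
                         "wildcards allowed in uid: index uid for eq,sub"))

    login = params.get(LOGIN_FILTER, "uid")  # the guide gives uid as the default
    if not UID_TOKEN.search(login):
        for name in sorted(params):
            if ("filter" in name.lower() and name != LOGIN_FILTER
                    and UID_TOKEN.search(params[name])):
                findings.append(("stale-uid-filter",
                                 f"{name} still references uid"))
    return findings


def write_sample(text, mode):
    """Write text to a temporary file with the given permission bits."""
    fd, path = tempfile.mkstemp(suffix=".conf")
    with os.fdopen(fd, "w", encoding="utf-8") as fh:
        fh.write(text)
    os.chmod(path, mode)
    return path


# Constructed sample, not a shipped iim.conf. iim_ldap.somesearchfilter is a
# hypothetical name standing in for the product's other "filter" parameters.
SAMPLE = '''\
! constructed sample
iim_ldap.usergroupbinddn = "cn=iim search,ou=services,dc=i-zed,dc=com,o=internet"
iim_ldap.usergroupbindcred = "EXAMPLE-ONLY"
iim_ldap.loginfilter = "(employeenumber={0})"
iim_ldap.somesearchfilter = "(uid={0})"
iim_ldap.allowwildcardinuid = True
'''

if __name__ == "__main__":
    sample_path = write_sample(SAMPLE, 0o644)
    for code, message in audit(sample_path):
        print(f"{code}: {message}")
    os.remove(sample_path)
```

Give the bind DN read access only, as the guide requires nothing more, and keep the file that stores its password readable by the server account alone.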


Indexed LDAP Attributes

Index the attributes below as indicated for adequate directory performance when used with iPlanet Portal Server: Instant Collaboration Pack. If you use iPlanet Delegated Administrator, the following lines should appear in the slapd.ldbm.conf file.

index cn pres,eq,sub

index sn pres,eq,sub

index givenName pres,eq,sub

index uid eq

index uniquemember eq

If your site permits substring search on uid, the index list for uid should be:

index uid eq,sub



Planning Your Client Configuration



This section describes potential problems and solutions when installing and configuring the iPlanet Instant Messenger client software to work with a web server. It also describes issues associated with running the client with iPlanet Portal Server. See the iPlanet Portal Server: Instant Collaboration Pack 3.0 Release Notes for information on supported web server software.


Web Server Overview

When installing iPlanet Portal Server: Instant Collaboration Pack with iPlanet Portal Server, you must use the iPlanet Portal Server's web server. When installing iPlanet Portal Server: Instant Collaboration Pack in a standalone deployment, you supply the web server.

iPlanet Portal Server: Instant Collaboration Pack depends on a web server to serve up HTML, including:

  • An initial index.html file, provided by the product, or your own home page, with a link to invoke the iPlanet Instant Messenger. (This applies only to a standalone deployment.)

  • The product's client jar files (iim.jar, iimres.jar, iimnet.jar, and iimjni.jar).

  • The iPlanet Instant Messenger online help.

  • Embedded URLs in messages and news channels, to iPlanet Instant Messenger.


Web Server Issue for Both Portal and Standalone Deployments


Location of iPlanet Instant Messenger Software and Web Server

Issue: You must install the iPlanet Instant Messenger client software on the host where the web server is installed. In a portal deployment, this will be the iPlanet Portal Server host (the iPlanet Portal Server's web server).

For standalone installations, some sites might include the web server on the iIM server host, in which case there is no issue. However, if the web server is not on the iIM server host, you will need to install the iPlanet Instant Messenger client software separately on the web server host.

Solution: Run the iPlanet Portal Server: Instant Collaboration Pack installer, after installing the iIM server software, and install just the client files (the iPlanet Instant Messenger component) on the web server host. See the iPlanet Portal Server: Instant Collaboration Pack Release 3.0 Installation Guide for more information.


Web Server Issues for Standalone Deployments Only

This section contains web server deployment issues for standalone deployments only.


iPlanet Instant Messenger Software Not Located in Web Server Document Root

Issue: By default, iPlanet Portal Server: Instant Collaboration Pack expects to find the iPlanet Instant Messenger software installed in the web server document root. However, you might choose to install the iPlanet Instant Messenger software files in a directory other than the web server document root.

Solution: You need to edit iPlanet Instant Messenger's .html and .jnlp files if iPlanet Instant Messenger software is not located in the web server's document root.

  • index.html and iim.html Files - The URL for the index.html and iim.html files needs to reference the iPlanet Instant Messenger installation directory. You either have to configure the web server to enable access to the directory where you installed the iPlanet Instant Messenger files, or create a symbolic link in the web server's document root.

    For example, on iIM Server host iim.i-zed, if the iPlanet Instant Messenger software is installed in the /opt/SUNWiim/html directory, you could create a symbolic link iim, which points to /opt/SUNWiim/html, in the web server's document root. Users would then type the following URL to access iPlanet Instant Messenger:

    http://iim.i-zed.com/iim/



    Note By using a symbolic link, you do not need to change the web server's configuration.



  • iim.jnlp and iimres.jnlp Files - The iim.jnlp and iimres.jnlp files have a codebase parameter that needs to be changed to reference the web server and path to the iPlanet Instant Messenger software. The line to change is:

    codebase="http://servername:port/path/"

    You only need to include the port number of the web server if it is not using the default (80).

    For example, on iIM server host iim.i-zed, if the iPlanet Instant Messenger software is installed in the /opt/SUNWiim/html directory, you could create a symbolic link iim, which points to /opt/SUNWiim/html, in the web server's document root. Then you would change the codebase parameters in the iim.jnlp and iimres.jnlp files:

    codebase="http://iim.i-zed.com/iim/"



    Note The iim.jnlp and iimres.jnlp files are used for Java Web Start configurations. If you are only using Java Plug-in, you do not need to edit these files as they will not be used.




Web Server Installed on a Port Other than Default (80)

Issue: Your web server might be installed on a port other than the default (80).

Solution: You need to edit the iim.jnlp and iimres.jnlp files and change the codebase parameter to:

codebase="http://webserver:webserverport"

For example, on iIM server host iim.i-zed, if the web server is running on port 8080, codebase parameters in the iim.jnlp and iimres.jnlp files would become:

codebase="http://iim.i-zed.com:8080"


Launching Java Web Start and MIME Types

Issue: To run iPlanet Instant Messenger using Java Web Start, you might need to edit the web server's MIME types file to include a line for JNLP.

Solution: For iPlanet Web Server, the default location for this file is:

/usr/netscape/server4/https-xxx/config/mime.types

where xxx is your web server instance name.

If not already present, add the following line:

type=application/x-java-jnlp-file exts=jnlp

For this change to take effect, you must restart the http-xxx server.

Solution: For Apache Web Server, the mime.types file, located in the Apache Web Server configuration directory (its location is site-specific), should be edited to include the line:

application/x-java-jnlp-file jnlp
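An added example, not part of the original guide: a check that a mime.types file maps the jnlp extension in either of the two formats shown above, and that the codebase in a .jnlp launch file matches the host, port and path the web server really uses, including the case where the servername:port template was never edited. The sample file contents are constructed.

```python
import xml.etree.ElementTree as ET
from urllib.parse import urlsplit

JNLP_MIME = "application/x-java-jnlp-file"


def mime_maps_jnlp(mime_types_text):
    """True if the text maps extension jnlp to the JNLP MIME type, in the
    iPlanet Web Server form (type=... exts=a,b) or the Apache form (type ext ...)."""
    for raw in mime_types_text.splitlines():
        line = raw.split("#", 1)[0].strip()
        if not line:
            continue
        if line.startswith("type="):
            fields = dict(f.split("=", 1) for f in line.split() if "=" in f)
            mtype, exts = fields.get("type"), fields.get("exts", "").split(",")
        else:
            mtype, *exts = line.split()
        if mtype == JNLP_MIME and "jnlp" in [e.strip().lower() for e in exts]:
            return True
    return False


def codebase_problems(jnlp_text, host, port=80, path="/"):
    """Compare the codebase attribute of a .jnlp file with the host, port and
    path where the client files are served. Returns a list of problem strings."""
    root = ET.fromstring(jnlp_text)
    codebase = root.get("codebase")
    if root.tag != "jnlp" or not codebase:
        return ["no codebase attribute on the <jnlp> root element"]
    url = urlsplit(codebase)
    problems = []
    if (url.hostname or "") != host.lower():
        problems.append(f"host is {url.hostname!r}, expected {host!r}")
    try:
        actual_port = url.port or 80  # the guide's default web server port
    except ValueError:
        problems.append("port is not a number (template left unedited?)")
    else:
        if actual_port != port:
            problems.append(f"port is {actual_port}, expected {port}")
    if url.path.rstrip("/") != path.rstrip("/"):
        problems.append(f"path is {url.path!r}, expected {path!r}")
    return problems


# Constructed samples using the host name and path from the guide's examples.
JNLP_EDITED = '<jnlp spec="1.0+" codebase="http://iim.i-zed.com/iim/" href="iim.jnlp"/>'
JNLP_TEMPLATE = '<jnlp spec="1.0+" codebase="http://servername:port/path/" href="iim.jnlp"/>'
IPLANET_MIME = "#--constructed sample\ntype=text/html exts=htm,html\n" \
               "type=application/x-java-jnlp-file exts=jnlp\n"
APACHE_MIME = "text/html html htm\napplication/x-java-jnlp-file jnlp\n"

if __name__ == "__main__":
    print(mime_maps_jnlp(IPLANET_MIME), mime_maps_jnlp(APACHE_MIME))
    print(codebase_problems(JNLP_EDITED, "iim.i-zed.com", 80, "/iim"))
    print(codebase_problems(JNLP_TEMPLATE, "iim.i-zed.com", 80, "/iim"))
```

Run the codebase check against both iim.jnlp and iimres.jnlp, since the guide requires the same change in each.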


iPlanet Web Server and obj.conf File (Standalone Deployment Only)

Issue: If you chose to install the iPlanet Instant Messenger software at the document root using iPlanet Web Server as your web server, you might not be able to see the iPlanet Instant Messaging Server online help.

Solution: Edit the iPlanet Web Server obj.conf file, found at:

/usr/netscape/server4/https-xxx/config/obj.conf

where xxx is your web server instance name.

Comment out the following line:

NameTrans fn="pfx2dir" from="/help" dir="/export1/webserver/manual/https/ug" name="es-internal"


iPlanet Portal Server Issues

This section describes iPlanet Portal Server specific issues with regard to iPlanet Instant Messenger.


Application Channel Links

When installing iPlanet Portal Server: Instant Collaboration Pack in the iPlanet Portal Server environment, the installer inserts the following three links in the Applications channel of the iPlanet Portal Server Desktop:

  • iPlanet™ Portal Server: Instant Messenger Quick Reference (Displays the iPlanet Portal Server: Instant Collaboration Pack Quick Reference in a new web browser window)

  • Launch iPlanet™ Instant Messenger using Java plug-in (Starts iPlanet Instant Messenger using the Java Plug-in)

  • Launch iPlanet™ Instant Messenger using Java Web Start (Starts iPlanet Instant Messenger using Java Web Start)

These links are displayed to users in their iPlanet Portal Server Desktop Applications channel only if they have not customized the iwtAppProvider component. If users do not automatically receive the iPlanet Instant Messenger links, then they must add them manually from the available Applications channel.


To Manually Add Applications to the Applications Channel

  1. Click Edit on the Applications toolbar.

  2. Select the iPlanet Instant Messenger applications you want displayed in the Applications channel.

  3. Click Finished to return to the Portal Server Desktop page.


Secure Mode vs. Non-Secure Mode

When you install iPlanet Portal Server: Instant Collaboration Pack in the iPlanet Portal Server environment, users invoke the iPlanet Instant Messenger client from their iPlanet Portal Server Desktop Applications channel. In the iPlanet Portal Server environment, you configure iPlanet Instant Messenger in either secure or non-secure mode. In secure mode, communication is encrypted through the iPlanet Portal Server Netlet (SRAP gateway). A lock icon appears in iPlanet Instant Messenger's Status area when you are running in secure mode. See the iPlanet Portal Server documentation for more information on Netlet at:

http://docs.iplanet.com/docs/manuals/portal/30/ag/netlet.htm#17676

In non-secure mode, no encryption takes place between iPlanet Portal Server and the user's machine.


Launching iPlanet Instant Messenger in iPlanet Portal Server Overview

Figure 3 shows how iPlanet Instant Messenger functions in the iPlanet Portal Server Single Sign-on (SSO) environment.

Figure 3    xxx

The following describes the above figure:

  1. User logs on to the iPlanet Portal Server Desktop. iPlanet Portal Server sets a Single Signon (SSO) cookie.

  2. User clicks on the Launch iPlanet Instant Messenger link in the Applications Channel.



    Note If the iPlanet Instant Messenger log on fails, a "logon failed" dialog appears. The user would need to click the Launch iPlanet Instant Messenger link again.



  3. The iPlanet Instant Messenger launch applet servlet validates the user's session ID and gets the user profile, provided by the iPlanet Portal Server Session Service and Profile Service.

  4. The launch applet returns the iPlanet Instant Messenger applet launch page, which contains the iPlanet Portal Server SSO token as parameter.

  5. The iPlanet Instant Messenger applet is launched.

  6. iPlanet Instant Messenger talks to iIM Server, passing the SSO token.

  7. iIM Server validates the SSO token with the iPlanet Portal Server services.


Notes on Running iPlanet Instant Messenger with iPlanet Portal Server

Note the following conditions when running iPlanet Instant Messenger in the iPlanet Portal Server environment:

  • You can run iPlanet Instant Messenger in secure mode using either Java Plug-in or Java Web Start to launch the application. (You can configure iPlanet Instant Messenger for secure mode only if the iPlanet Portal Server gateway is configured.) When running in secure mode, iPlanet Instant Messenger displays a lock icon in the Status area at the top of the Main window.

  • Secure mode does not work if users launch iPlanet Instant Messenger from a desktop shortcut. In addition, unlike a standalone deployment, when running in a portal deployment Java Web Start does not give the option of creating a desktop shortcut. However, users can still create bookmarks (for both Java Web Start and Java Plug-in) to launch iPlanet Instant Messenger. (Launching by a shortcut should only be done in standalone mode.)

  • Single Signon (SSO) is not supported with the iPlanet Portal Server Desktop if users launch iPlanet Instant Messenger from an operating system desktop shortcut.

  • Auto-logon - Because SSO is used, the Auto-logon feature for iPlanet Instant Messenger cannot be disabled when running in portal mode.


iPlanet Instant Messenger Memory Usage

Make sure your client machines have sufficient memory for iPlanet Instant Messenger. Observed memory usage starts at around 20 Mbytes on a Windows client and grows to about 30 Mbytes. On a Solaris client, memory usage starts at about 15 Mbytes and grows to about 20 Mbytes. These figures can change depending on usage.



Planning Your Multiplexor Configuration



This section describes the information you need to plan the iIM multiplexor configuration.


Using the Multiplexor to Scale

The iPlanet Instant Messaging multiplexor component is a connection multiplexor that listens for iPlanet Instant Messenger clients and opens only one connection to the backend iIM server.

In effect, the multiplexor always acts as a frontend component to the iIM server. Any client-server communication must go through the multiplexor; that is, iIM Server is architected to always use the multiplexor. iPlanet Instant Messenger and iIM server do not talk to each other directly.

You can install multiple multiplexors as needed, depending on your configuration. When using multiple multiplexors, you should also consider installing a load balancer product, such as those offered by Resonate.



Note Windows NT only supports one multiplexor process per machine. Solaris supports multiple multiplexors per machine.





Planning Security



This section describes the information you need to plan for iPlanet Instant Messenger security, including:

  • Access control

  • Server-to-server communications

  • Secure Sockets Layer (SSL)

  • Netlet (SRAP Gateway)

  • ISP: Placement of multiplexor outside firewall, IM server inside


Planning Privileges: Access Control

Almost all features of iPlanet Instant Messenger are controlled by a privilege system that limits what a user can see or do. Before deploying iIM Server, determine the privileges you want your users to have from the following list:

  • Administrator privileges - Enables a user to control all aspects of the system, so should be restricted to the few administrator accounts.

  • Privilege to change client user settings - Most likely you'll want to permit users to set and save their own preferences. However, for sites that want to standardize on user settings, you can deny this privilege and lock out users from making any preference changes.

  • Privilege to add and delete news channels - Enables a user to create and delete news channels from iIM Server.

  • Privilege to add and delete conference rooms - Enables a user to create and delete conference rooms from iIM Server.

  • Privilege to send and forward alerts - Enables a user to create and send alert messages.

  • Privilege to set up watches on other users - Enables a user to monitor the status of other users and receive an alert when the status changes.

You set or change user privileges by editing the appropriate ACL file. See iPlanet Portal Server: Instant Collaboration Pack Release 3.0 Administrator's Guide for more information on how to set privileges for the system.

You cannot disable an iPlanet Instant Messenger user. Because iPlanet Portal Server: Instant Collaboration Pack uses the directory for authentication, any existing user has access to iPlanet Instant Messenger. The only way to prevent users from using iPlanet Portal Server: Instant Collaboration Pack is to delete them from the directory.



Note If you deny users the privilege to set up watches on other users —by editing the sysWatch.acl file—they will not be able to display iPlanet Instant Messenger's Main window, effectively denying them the ability to send instant messages. However, users would still be able to see alerts and news channels.




Planning Server-to-Server Communication

You can configure multiple iIM servers to communicate and form a larger instant messaging community. Users on each server can communicate with users on every other server, use conference rooms on other servers, and subscribe to news channels on other servers (subject to access privileges).

For communication between multiple iIM servers in your network, you need to configure server-to-server communication. When configuring server-to-server communication, you identify your server to the other servers, and identify each coserver, or cooperating server, which will have a connection to your server.

You establish server-to-server communication by editing the appropriate parameters in the iim.conf file on each server. See iPlanet Portal Server: Instant Collaboration Pack Release 3.0 Administrator's Guide for more information on how to configure server-to-server communication.



Note You can configure a standalone installation of iIM Server to use server-to-server communication with a portal installation.




Planning Secure Sockets Layer

The high-level steps to configure SSL for iPlanet Portal Server: Instant Collaboration Pack are:

  1. Generating a self-signed certificate.

  2. Generating a Certificate Signing Request.

  3. Sending a Certificate Signing Request to a Certificate Authority (CA) and getting back a signed certificate.

  4. Installing the Certificate on the iIM server, and the CA's certificate on other servers; which means you also have to install the other server's CA certificate on your system. (This is much easier when you have the same CA.)

  5. Activating SSL

When enabling SSL for use with iPlanet Portal Server: Instant Collaboration Pack, choose one of the following methods:

  • Using a self-signed certificate - Put your self-signed certificate in the iimkeys file (on Solaris, im30_install_dir/config/iimkeys; on Windows NT, im30_install_dir\config\iimkeys) and also export it to other iIM servers so they can put it in their nlcacerts file.

  • Using a certificate signed by a CA that is not already in cacerts - Put your certificate and your signing CA's certificate in the iimkeys file (on Solaris, im30_install_dir/config/iimkeys; on Windows NT, im30_install_dir\config\iimkeys). Also, export your signing CA's certificate to the other servers so they can put it in their nlcacerts file.

  • Using a certificate signed by a CA already in cacerts - Put your certificate in the iimkeys file only (on Solaris, im30_install_dir/config/iimkeys; on Windows NT, im30_install_dir\config\iimkeys), and the other servers already have your signing CA in their cacerts file.



    Note You can run the following command to show all the CAs in your cacerts file:

    Javahome/keytool -list -keystore cacerts

    Run this command from the directory that contains the cacerts file. Press Return when prompted for password.



In all cases, remember that your iIM server is the "client" of the other server, so you might have to import the CA's certificate for that server.


Netlet Stuff

<From a planning perspective, what do we need to say about how the Netlet works to provide security/encryption to the client in a portal installation?>


ISP - Firewall Placement

<Are we touting this product in such an environment, if so, what would we say here?>

what ports should be opened up? do we know?



Tuning iPlanet Portal Server: Instant Collaboration Pack Performance



This section describes the information you need to tune iPlanet Portal Server: Instant Collaboration Pack software.


Tuning the Server

Currently, the maximum memory allocation for the Java Virtual Machine defaults to 256 Mbytes. On Solaris, you can change this default by modifying the iimadmin script.

On NT, you cannot currently change this value.



Note Upgrading your system overwrites any changes that you have made to the iimadmin script, so you need to reenter your change after performing an upgrade.




Tuning the Multiplexor

The parameters in the iim.conf file used in tuning the multiplexor are:

  • iim_mux.maxsessions - Specifies the maximum number of concurrent connections per multiplexor process. The default is 1000.

  • iim_mux.maxthreads - Specifies the maximum number of threads per instance of the multiplexor. The default is 5.

The issue in tuning the multiplexor is twofold: you want to be sure to set these parameters high enough to not deny users the ability to log in, but you don't want to set them so high that you use up system resources.

These parameters work together as follows: each thread can handle up to the maximum number of concurrent sessions. With the defaults, that is 5 x 1,000, or up to 5,000 concurrent users. You don't want more than 1,000 users per thread, so to support levels above this, you need to configure more threads. But you don't want to configure more threads than you need.



iPlanet Portal Server: Instant Collaboration Pack Deployment Example



Figure 4 shows a sample deployment, including two iIM servers (one in portal mode and one in standalone mode), and the required software components.

Figure 4   


Software Components Description

Table 3 describes the software components deployed on each host.


Table 3    Sample Deployment—Software Components for Hosts

ipsgate.i-zed - SRAP gateway host:

  • iPlanet Portal Server: Secure Remote Access Pack

ips.i-zed - iPlanet Portal Server host:

  • iPlanet Portal Server (includes web server and services for Single Sign-on)

  • iIM Server component

  • iIM Multiplexor component

  • iIM Client Files component

ldap.i-zed - External LDAP directory host for iim.i-zed users:

  • iPlanet Directory Server

iim.i-zed - Standalone iIM server host:

  • iIM Server component

  • iIM Multiplexor component

  • iIM Client Files component

  • iPlanet Web Server


Client Files

Table 4 shows the client files that are needed for the two iim hosts.


Table 4   

Client File: index.html

  • Used by ips.i-zed? No. Not necessary for portal deployment.

  • Used by iim.i-zed? Yes. Location: ips.i-zed/icp/index.html

Client File: iim.html

  • Used by ips.i-zed? No, as this host's clients are only using Java Web Start.

  • Used by iim.i-zed? Yes. Location: ips.i-zed/icp/iim.html

Client File: iim.jnlp

  • Used by ips.i-zed? Yes. Location: ips.i-zed/iim.jnlp

  • Used by iim.i-zed? No, as this host's clients are only using Java Plug-in.

Client File: iimres.jnlp

  • Used by ips.i-zed? Yes. Location: ips.i-zed/iimres.jnlp

  • Used by iim.i-zed? No, as this host's clients are only using Java Plug-in.

iim files on applicable hosts and how they are configured (codebase, etc)

Client Files Content

ips.i-zed

  • iim.jnlp

  • iimres.jnlp

iim.i-zed

  • index.html

  • iim.html

ips.i-zed serves the Java Web Start community, so it has the iim.jnlp and iimres.jnlp files.

iim.i-zed serves the Java Plug-in community, so it has the index.html and iim.html files. The iIM client component was not installed at the document root of the web server but in its own icp directory, so make adjustments accordingly.

Each iIM server has its own client component.


How the Sample Deployment Works

From a high-level overview, this sample deployment functions as follows.

ipsgate.i-zed - Host containing the SRAP gateway, that ...

ips.i-zed - Host containing the iPlanet Portal Server and iPlanet Portal Server: Instant Collaboration Pack software.

ldap.i-zed - Host containing external LDAP directory server.

iim.i-zed - Host containing iPlanet Portal Server: Instant Collaboration Pack software, installed in standalone mode.


Copyright © 2001 Sun Microsystems, Inc. All rights reserved.

Last Updated November 07, 2001