2 Planning Your Instant Messaging Server Installation
This chapter provides information about planning your Oracle Communications Instant Messaging Server installation. It also describes the Instant Messaging Server logical and physical architectures.
About Instant Messaging Server
Instant Messaging Server enables secure, real-time communication and collaboration, combining presence awareness with instant messaging capabilities such as chat, conferences, and file transfers to create a rich collaborative environment. These features enable one-to-one and group collaboration through either short-lived communications or persistent venues such as conference rooms. Instant Messaging Server ensures the integrity of communications through its multiple authentication mechanisms and Secure Sockets Layer (SSL) connections. For more information about Instant Messaging Server, see Oracle White Paper—Oracle Communications Instant Messaging Server at:
http://www.oracle.com/us/industries/communications/oracle-instant-messaging-wp-1449642.pdf
Instant Messaging Server Components
Instant Messaging Server consists of the following internal core components that must integrate and inter-operate with external services to provide an instant messaging environment.
-
Instant Messaging Server. The Instant Messaging server component provides core services required for real time communications such as the presence engine, message handling and routing, roster management, security and authorization. The Instant Messaging server supports the connection of an Instant Messaging multiplexer that concentrates connections over one socket.
-
Instant Messaging Multiplexor. The Instant Messaging multiplexer adds scalability to the Instant Messaging environment. You can install multiple multiplexers as needed, depending on your configuration. As the user population grows beyond what is easily supported by a single Instant Messaging server, you can deploy additional servers to which you can connect additional multiplexers. In addition, you can configure an Instant Messaging multiplexor with a list of Instant Messaging Server hosts for failover.
-
Access, Communication, and Transfer Protocols. These protocols, such as LDAP, HTTP, TCP/IP, and SMTP, can be found in "Instant Messaging Server Supported Standards".
-
Instant Messaging API. Enables you to customize Instant Messaging in a variety of ways. For example, you can write custom clients and archive providers, add user presence information to other applications, develop custom authentication mechanisms, and so forth. For more information, see the topic on APIs in Instant Messaging Server System Administrator's Guide.
Instant Messaging Server Gateways
Instant Messaging Server provides the following gateways to enable connectivity to other systems:
-
XMPP/HTTP Gateway. Enables Instant Messaging Server to provide access to HTTP-based clients, such as HTML-based clients, and clients behind firewalls that allow HTTP traffic, but do not permit XMPP traffic. The gateway proxies instant messaging traffic to the XMPP server on behalf of HTTP clients.
-
XMPP WebSocket Gateway. Enables Instant Messaging Server to support the WebSocket protocol for XMPP.
-
SMS Gateway. Enables Instant Messaging Server to deliver chat messages and alerts in the form of SMS to offline users.
-
SIP Gateway. Instant Messaging Server implements a SIP/SIMPLE (Session Initiation Protocol for Instant Messaging and Presence Leveraging Extensions/Session Initiation Protocol) gateway, enabling federation and translation between the two protocols, and interoperation between XMPP and SIP/SIMPLE servers.
Components Related to Instant Messaging Server
The software components discussed in this section work with Instant Messaging Server, but are installed separately. See "Instant Messaging Server Planning Considerations" for more information on how these components interact with Instant Messaging Server.
Directory Server
(Required) Instant Messaging Server requires a directory server, such as Oracle Directory Server Enterprise Edition or Oracle Unified Directory for end user authentication and search, and to store conference rooms. Additionally, if you enable conference history persistence, that too is stored in directory server. This directory can either be dedicated for use by Instant Messaging Server, or be shared by other components.
By default, Instant Messaging Server relies on the common end-user attributes cn and uid to search for end-user and group information. If you want, you can configure the server to use another attribute for search. In addition, Instant Messaging properties (such as contact lists and subscriptions) are stored in the directory server. For instructions on configuring the server to use a non-default attribute for user search, see Instant Messaging Server System Administrator's Guide.
By default Instant Messaging Server uses the directory server to store user properties and data, which includes multiuser chat history. Instead of using the directory server to store multiuser chat history, you can use Oracle Database. For more information on storing multiuser chat history in Oracle Database, see Instant Messaging Server System Administrator's Guide.
Web Container
(Optional) You must install a web container for the Instant Messaging Server components described in Table 2-1.
Table 2-1 Required Web Containers for Instant Messagng Server Components
| Web Container | Instant Messaging Components |
|---|---|
|
Oracle GlassFish Server |
Use GlassFish Server if you are hosting Bidirectional-streams Over Synchronous HTTP (BOSH) or using Presence API components. In addition, GlassFish Server is required as a web container if you are deploying the Oracle Communications Convergence client. |
|
Oracle WebLogic Server |
WebLogic Server supports the PresenceAPI and XMPP WebSocket Gateway component. |
|
Oracle Converged Application Server |
Converged Application Server supports the SIP/SIMPLE component. |
Note:
Install the web container before configuring Instant Messaging Server.SMTP Server
(Optional) An SMTP messaging server, such as Oracle Communications Messaging Server, is used to forward instant messages, in the form of email, to end users who are offline. The SMTP server can also be used to archive instant messaging communications. The SMTP server does not have to reside on the same host as the Instant Messaging Server host.
Instant Messaging Server Supported Standards
This section lists national, international, industry, and de-facto standards related to electronic messaging and for which support is claimed by Oracle Communications Instant Messaging Server. Most of these are Internet standards, published by the RFC Editor and approved by the Internet Engineering Task Force (IETF). Standards for documents from other sources are noted.
Protocols Support by Instant Messaging Server
Instant Messaging Server supports the following protocols:
-
Extensible Messaging and Presence Protocol(XMPP):
-
XMPP Core Protocols (RFC 3920, RFC 3921)
-
XMPP Extensions
-
-
Short message peer-to-peer protocol (SMPP)
Table 2-2 lists the supported XMPP Extensions.
Table 2-2 Supported XMPP Extensions
| Number | Name | Comments |
|---|---|---|
|
XEP-0004 |
Data Forms |
No comments |
|
XEP-0016 |
Privacy Lists |
No comments |
|
XEP-0022 |
Message Events |
No comments |
|
XEP-0030 |
Service Discovery |
No comments |
|
XEP-0045 |
Multiuser Chat |
No comments |
|
XEP-0047 |
In-Band Bytestreams |
No comments |
|
XEP-0048 |
Bookmarks |
No comments |
|
XEP-0049 |
Private XML Storage |
No comments |
|
XEP-0054 |
vcard-temp |
No comments |
|
XEP-0055 |
Jabber Search |
No comments |
|
XEP-0065 |
SOCKS5 Bytestreams |
No comments |
|
XEP-0066 |
Out of Band Data |
Implemented by Client |
|
XEP-0071 |
XHTML-IM |
Implemented by Client |
|
XEP-0077 |
In-Band Registration |
No comments |
|
XEP-0078 |
Non-SASL Authentication |
No comments |
|
XEP-0079 |
Advanced Message Processing |
No comments |
|
XEP-0085 |
Chat State Notifications |
Implemented by Client |
|
XEP-0092 |
Software Version |
No comments |
|
XEP-0095 |
Stream Initiation |
No comments |
|
XEP-0096 |
SI File Transfer |
No comments |
|
XEP-0100 |
Gateway Interaction |
No comments |
|
XEP-0106 |
JID Escaping |
No comments |
|
XEP-0114 |
Jabber Component Protocol |
No comments |
|
XEP-0124 |
Bidirectional-streams Over Synchronous HTTP (BOSH) |
No comments |
|
XEP-0126 |
Invisibility |
No comments |
|
XEP-0153 |
vCard-Based Avatars |
No comments |
|
XEP-0160 |
Best Practices for Handling Offline Messages |
No comments |
|
XEP-0166 |
Jingle |
Implemented by Client |
|
XEP-0167 |
Jingle RTP Sessions |
Implemented by Client |
|
XEP-0177 |
Jingle Raw UDP Transport Method |
Implemented by Client |
|
XEP-0191 |
Simple Communications Blocking |
No comments |
|
XEP-0206 |
XMPP Over BOSH |
No comments |
|
XEP-0107 |
User Mood |
No comments |
|
XEP-0108 |
User Activity |
No comments |
|
XEP-0118 |
User Tune |
No comments |
|
XEP-0163 |
Personal Eventing Protocol |
No comments |
|
XEP-0060 |
Publish-Subscribe |
Partially implemented |
|
XEP-0199 |
XMPP Ping |
Support for client-to-server and server-to-client pings |
|
XEP-0215 |
XMPP External Service Discovery |
Implemented by custom plugin |
|
XEP-0280 |
Message Carbons |
No comments |
|
XEP-0313 |
Message Archive Management |
Implemented by custom plug-in except for XEP-0059 support |
|
XEP-0333 |
Chat Markers |
No comments |
|
RFC-7395 |
XMPP Over Web Sockets |
No comments |
Instant Messaging Server Software Architecture
Figure 2-1 shows the Instant Messaging Server software architecture.
Figure 2-1 Instant Messaging Server Software Architecture
Description of ''Figure 2-1 Instant Messaging Server Software Architecture ''
Clients send messages to the multiplexor, which forwards the messages to the Instant Messaging server. Clients send messages to one another through a multiplexor, which forwards the messages to the Instant Messaging server.
The directory server stores and retrieves local user and group delivery information such as preferences, location, and to which multiplexor to route messages for this user. When the Instant Messaging server receives a message, it uses this information to determine where and how the message should be delivered. In addition, the directory server can contain user information such as contact lists and subscriptions.
In this basic configuration, Instant Messaging Server directly accesses the directory server to verify user login name and passwords for mail clients that use Instant Messaging.
Outgoing instant messages from clients go directly to the multiplexor. The multiplexor sends the message to the appropriate Instant Messaging server, which in turn forwards the message to another Instant Messaging server, or if the message is local, to the multiplexor with which the recipient is associated.
New users are created by adding user entries to the directory server. Entries in the directory can be created through Instant Messaging Server (by enabling new-user registration feature) or changed by using the tools provided with the directory server. You can then assign services to the user. For more information about new user registration for Instant Messaging Server, see the topic on administering end users in Instant Messaging Server System Administrator's Guide.
You administer Instant Messaging Server components through a set of command-line interfaces and text-based configuration files.
Note:
Typical Instant Messaging Server deployments are not installed on a single machine. They also have additional features like multiplexing and high availability enabled. See "Instant Messaging Server Planning Considerations" for more information.Instant Messaging Server Planning Considerations
This section contains the following planning topics you must consider before installing Instant Messaging Server:
-
Planning Instant Messaging Server Privacy, Security, and Site Policies
-
Planning for Email Notification Architecture and Calendar Alerts
Planning to Protect Instant Messaging Server
Instant Messaging Server supports Transport Layer Security (TLS). Instant Messaging Server uses a startTLS extension to the TLS 1.0 protocol for client-to-server and server-to-server encrypted communications and for certificate-based authentication between servers.
When planning for SSL for Instant Messaging Server, keep in mind the following:
-
You can secure the Instant Messaging Server deployment by enabling SSL on the web container port (either Web Server or Application Server) and accessing Instant Messaging Server functionality by using the XMPP/HTTP Gateway (httpbind).
-
Set the proper file and directory permissions for the Instant Messaging Server configuration files (im.conf.xml and httpbind.conf in the InstantMessaging_cfg/config directory):
-
Solaris OS:
/etc/opt/sun/comms/im/default/config/
-
Red Had Linux:
/etc/opt/sun/im/default/config/
Instant Messaging Server runs as the user specified in the iim.conf.xml file. This user needs read access to the file. If you use httpbind, the user that runs the web container should be able to access the Instant Messaging Server directory path and configuration file. When you create additional Instant Messaging server or multiplexor instances manually, you must also ensure that the file and directory permissions are correct. The default installation sets the file and directory permissions. The default instance directory has the following permissions:
drwx------ 5 root other 512 Oct 16 14:24 default
-
-
Take care while enabling Instant Messaging Server monitoring, as this exposes server statistics that could be considered security issues. The default configuration does not enable the monitoring feature. You enable this property through the iim.conf.xml file.
-
Enable debug logging only when needed, as this impacts overall system performance. Though passwords are not logged, the protocol communication between users is logged, which could be a potential security issue.
-
When you enable startTLS, use a single server certificate for both client-to-server and server-to-server communication.
-
An Instant Messaging Server deployment that leverages LDAP needs proper authentication for access.
The Instant Messaging Server default installation supports only SASL Plain. If you require a higher level of security, use the Instant Messaging public Service Provider Interface. SASL Plain and jabber:iq:auth are two forms of plain text authentication. That is, in both, the password is sent in the clear (encoded perhaps, but still clear text) and so both are insecure forms of authentication. Nevertheless, this is an issue only if end-to-end encryption (through startTLS for direct socket connection, and HTTPS for httpbind) is not enabled. If end-to-end encryption is enabled, the password is not "seen" in the clear on the network.
Alternatively, if you do not want to transmit passwords in the clear (even if over an encrypted stream), use the Instant Messaging SPI for plugging in authentication mechanism's at the server side through SASLRealm. You can implement custom SASL mechanisms as implementations but you will then need an Instant Messaging client that supports this custom mechanism.
See Instant Messaging Server Security Guide for more information on using TLS.
Planning Instant Messaging User Authentication
User authentication enables your users to log in through their Instant Messaging clients to chat and access other features of Instant Messaging.
Instant Messaging Server and Passwords
User IDs and passwords are stored in your LDAP directory. Password security criteria, such as minimum length, are determined by directory policy requirements. Password security criteria is not part of Instant Messaging Server administration. See the directory server documentation to understand directory server password policies.
Instant Messaging Server and LDAP
All Instant Messaging Server deployments require a directory server to perform end user authentication and to search for end users. For various ways to secure the directory, see the directory server documentation.
The default Instant Messaging Server configuration makes the following assumptions regarding the schema used by this directory:
-
End user entries are identified by the inetOrgPerson object class.
-
Group entries are identified by the groupOfUniqueNames or groupofURLs object class.
-
The email address of an end user is provided by the mail attribute.
-
The display name of an end user or group is provided by the cn attribute.
-
The list of members of a group is provided by the uniqueMember attribute (groupOfUniqueNames object class).
Note:
Some user attributes might contain confidential information. Ensure that your directory access control is set up to prevent unauthorized access by non-privileged users.Planning for Anonymous Directory Server Searching
Instant Messaging Server needs to be able to search the directory to function correctly. If you want, you can configure your directory to be searchable by anonymous users. To configure your directory to be readable or searchable by anonymous users, see the topic on enabling the directory server searches on a specific user in Instant Messaging Server System Administrator's Guide.
Planning Instant Messaging Server Privacy, Security, and Site Policies
Instant Messaging Server provides the ability to control access to Instant Messaging Server features and preserve end-user privacy.
Instant Messaging Server Site Policies
Site policies specify end-user access to specific functionality in Instant Messaging Server. When developing your site policies for Instant Messaging Server, keep in mind the following questions:
-
Can users access the presence status of other end users?
-
Can users send alerts to other end users?
-
Do you want users to save properties on the server?
-
Who do you want to be able to create and manage conference rooms?
For more information, see Instant Messaging Server Security Guide.
Controlling Instant Messaging Server End User and Administrator Privileges
Different sites using Instant Messaging Server have different needs in terms of enabling and restricting the type of access end users have to the Instant Messaging service. The process of controlling end user and administrator Instant Messaging Server features and privileges is referred to as policy management. You can manage policies to adjust end-user privileges in the following areas: conference room management, the ability to change preferences in the User Settings dialog, and ability to send alerts. It also enables specific end users to be assigned as system administrators.
For more information, see Instant Messaging Server Security Guide.
Planning to Protect the Instant Messaging Archive
Instant Messaging Server has the capability to archive instant messages for later retrieval and searching. If you enable the email archive, you must decide which administrators are to receive email containing archived instant messages. You can configure a separate list of administrators to receive polls, news, conference, alerts, or chat sessions. You can also configure Instant Messaging Server to use the extended RFC 822 header. Doing so enables mail clients to filter messages based on the header content.
Planning for a Basic Installation
The basic Instant Messaging Server architecture provides such functionality as presence, roster management, chat, and conferences. To provide this basic functionality, you must install the following components:
-
Instant Messaging server and one or more Instant Messaging multiplexors
-
Directory server
In the basic architecture:
-
The directory server provides user entries for authentication and lookup.
-
Clients always connect to the Instant Messaging server through an Instant Messaging multiplexor.
Planning for Email Notification Architecture and Calendar Alerts
You can deploy Instant Messaging Server to support email notification to offline users, and Instant Messaging based notification of calendar events to users.
Figure 2-2 shows an Instant Messaging Server deployment that supports email notification to offline users.
An Instant Messaging Server architecture that supports email notification provides the same functionality as Basic Instant Messaging Architecture. To provide this functionality, you must include the components listed in "Planning for a Basic Installation". To support email alerts, you also install an SMTP server such as Oracle Communications Messaging Server.
Figure 2-2 Instant Messaging Architecture with Email Notification
Description of ''Figure 2-2 Instant Messaging Architecture with Email Notification''
To enable email notification, you are prompted during installation to identify the SMTP server to use with Instant Messaging. If you do not have an SMTP server installed, you must install one before installing the Instant Messaging software.
Authentication flow in this architecture is the same as in a basic deployment.
In this example:
-
The directory server provides user entries for authentication and lookup.
-
The Instant Messaging server forwards messages intended for offline users to the SMTP server. The SMTP server then sends the message as an email to the user's mailbox.
-
Clients always connect to the Instant Messaging server through an Instant Messaging multiplexor.
Figure 2-3 shows Instant Messaging Server with calendar notification enabled on the network. If you do not have Calendar Server installed, you must install it before installing the Instant Messaging software.
Figure 2-3 Instant Messaging Architecture with Calendar Alerts
Description of ''Figure 2-3 Instant Messaging Architecture with Calendar Alerts''
In this example:
-
The directory server provides user entries for authentication and lookup.
-
Java Message Service (JMS) sends notifications of calendar events to the Instant Messaging server which then forwards the notification on to the appropriate end user.
-
Clients always connect to the Instant Messaging server through an Instant Messaging multiplexor.
System Deployment Planning
This section contains the following system-level planning topics you must consider before installing Instant Messaging Server:
Planning for High Availability
You can use server pooling to provide high availability (HA) for your Instant Messaging Server deployment. Server pools provide redundancy so that if one server in the pool fails, affected clients can reconnect and continue their sessions through another server in the pool with a minimum of inconvenience. Additionally, if you set up your deployment with load balancers, users can immediately reconnect and be directed by a load balancer to another node in the pool. For more information, see the topic on scaling Instant Messaging Server by using server pooling in Instant Messaging Server System Administrator's Guide.
You can also configure an Instant Messaging multiplexor with a list of Instant Messaging Server hosts for failover. For more information, see the topic on multiplexor failover in Instant Messaging Server System Administrator's Guide.
Providing Instant Messaging Client Access Through a Firewall
The XMPP/HTTP Gateway (httpbind) provides Instant Messaging access to XMPP-based clients, such as HTML based clients, and clients that are behind firewalls that allow HTTP traffic only and do not permit XMPP traffic. The gateway proxies Instant Messaging Server traffic to the XMPP server on behalf of HTTP clients.
When planning to use the XMPP/HTTP Gateway, keep in mind the following:
-
Use port 5222 at the Gateway if the Gateway is communicating to the server through a multiplexor. Also, use port server port 5269 if no multiplexor is involved. You can specify port 5222 or 5269 in the httpbind.conf file.
-
The XMPP/HTTP gateway supports startTLS. When you enable startTLS on the server, all communications is encrypted.
-
Do not expose the Instant Messaging server to direct access. In a typical deployment scenario, locate the multiplexor in the DMZ, and open the multiplexor to server communication port (45222 usually) in the second firewall.
Using Load Balancing
Instant Messaging Server supports the use of load balancers located in front of the Instant Messaging multiplexors.
Planning Backup Strategies
Backing up and restoring data is one of the most important administrative tasks for your Instant Messaging Server deployment. You must implement a backup and restore policy for your Instant Messaging Server deployment to ensure that data is not lost if the system crashes, hardware fails, or information is accidentally deleted.
You must back up the following Instant Messaging Server information:
-
Configuration Information
-
Instant Messaging end user data
The configuration information is stored in the configuration directory (InstantMessaging_cfg). The Instant Messaging data is stored in the database directory (InstantMessaging_database).
For more information on backing up your Instant Messaging Server deployment, see Instant Messaging Server System Administrator's Guide.
Sample Instant Messaging Server Physical Architecture
This section explains variations to the deployment scenario described in "Planning for a Basic Installation". For example, you can install the various required servers and components in the following physical configurations, or any combination of each example:
Physical Deployment Example: Multiplexors on Separate Hosts
Figure 2-4 shows a configuration consisting of two multiplexors installed on two separate hosts. The Instant Messaging server is installed on a different host. This configuration enables you to place a multiplexor outside your company's firewall. Installing multiplexors on multiple hosts distributes the load of Instant Messaging Server across multiple systems.
Figure 2-4 Instant Messaging Multiplexors Installed on Separate Hosts
Description of ''Figure 2-4 Instant Messaging Multiplexors Installed on Separate Hosts''
Note:
The multiplexor can be resource-intensive, so putting it on a separate host can improve the overall performance of the system.Physical Deployment Example: Multiple Instant Messaging Hosts
Figure 2-5 shows a configuration consisting of two Instant Messaging servers. This configuration is used when the site contains multiple administrative domains. The server configuration on each Instant Messaging server host has to be set up so that end users on one Instant Messaging server can communicate with end users on other Instant Messaging servers.
Figure 2-5 Multiple Instant Messaging Server Hosts
Description of ''Figure 2-5 Multiple Instant Messaging Server Hosts''
About Installing a Secure System
In conjunction with the TLS protocol, Instant Messaging Server provides client-to-server and server-to-server encrypted communications and certificate-based authentication between servers. For information about secure installation and configuration of Instant Messaging Server, see Instant Messaging Server Security Guide.