
ibm.com/redbooks
Lotus Domino 6.5.1 and Extended Products
Integration Guide
Kelly Brooks
Ravinder Dhaliwal
Kevin O'Donnell
Edmund Stanton
Carol Sumner
Stijn Van Herzele
Overview of new product features
Integration considerations and
best practices
Deployment scenarios
Lotus Domino 6.5.1 and Extended Products
Integration Guide
October 2004
International Technical Support Organization
SG24-6357-00
Copyright International Business Machines Corporation 2004. All rights reserved.
Note to U.S. Government Users Restricted Rights -- Use, duplication or disclosure restricted by GSA ADP
Schedule Contract with IBM Corp.
First Edition (October 2004)
This edition applies to IBM Lotus Domino and Extended Products, Version 6.5.1.
Note: Before using this information and the product it supports, read the information in
Notices on page xi.
Contents
Notices
Trademarks
Preface
The team that wrote this redbook
Become a published author
Comments welcome
Part 1. Introduction
Chapter 1. Introduction
1.1 Structure of this book
1.2 Strategic significance of Release 6.5.1
1.3 Evolution toward integration
1.4 Why upgrade: Overview of the integration strategy
1.5 The Domino 6.5.1 Extended Products
1.5.1 IBM Lotus Team Workplace
1.5.2 IBM Lotus Domino Document Manager
1.5.3 IBM Lotus Instant Messaging and Web Conferencing
1.5.4 IBM Lotus Domino Web Access
1.5.5 IBM Lotus Workflow
Chapter 2. Integration of Domino 6.5.1 Extended Products
2.1 Integration
2.1.1 Overview of key integration points
2.1.2 Presence awareness
2.1.3 Chat features
2.1.4 Single sign-on (SSO)
2.2 Notes/Domino integration with Lotus Instant Messaging
2.2.1 Automatic logon
2.2.2 Presence awareness and chat
2.2.3 Schedule online meetings with the Notes calendar
2.2.4 Other instant messaging tools
2.3 Domino Web Access integration with Lotus Instant Messaging
2.3.1 Overview
2.3.2 Presence awareness and chat
2.3.3 Contact list
2.3.4 Limitations
2.4 Team Workplace integration options
2.4.1 Integrating Lotus Instant Messaging and Web Conferencing
2.4.2 Presence awareness and chat
2.4.3 Instant messaging features
2.4.4 Schedule online meetings
2.4.5 Integration with Domino Web Access
2.4.6 New features
2.5 Lotus Domino Document Manager integration
2.5.1 Integration with the Notes client
2.5.2 Presence awareness
2.5.3 Enhancing and extending awareness integration
2.6 Lotus Workflow integration
2.6.1 Integration with Domino Document Manager
2.6.2 Integration with Lotus Instant Messaging and Web Conferencing
Chapter 3. Directory and authentication considerations
3.1 Why directories need to be considered
3.1.1 What are directories?
3.1.2 What are directory components?
3.1.3 What is LDAP?
3.1.4 What is an LDAP schema?
3.2 Overview of how the components use the LDAP directory
3.3 Directory options for deploying the Domino 6.5.1 products
3.3.1 Deploying Domino 6.5.1 products on the native Domino Directory
3.3.2 Deploying Domino 6.5.1 products using the Domino LDAP
3.4 Third-party LDAP directories
3.5 SSL and LDAP
3.6 Single sign-on
Part 2. Installation, configuration, and coexistence
Chapter 4. New Domino installation
4.1 Deployment considerations
4.1.1 Domino network topology
4.1.2 Authentication directory
4.1.3 Product deployment sequence
4.2 Domino hub/directory server
4.2.1 Initial Domino installation
4.2.2 Initial configuration setup
4.2.3 Creating other server objects in the Domino domain
4.2.4 Preparing the domain for the Extended Products
4.2.5 Installing the rest of the Domino servers into the domain
4.2.6 Extended Products, LDAP, and SSL
4.2.7 Installing and configuring the Extended Products
4.3 Lotus Instant Messaging and Web Conferencing server
4.3.1 Initial Instant Messaging and Web Conferencing installation
4.3.2 Post-installation configuration
4.3.3 Post-configuration integration verification
4.4 Notes client installation and configuration
4.4.1 Directory considerations
4.4.2 Client configuration
4.4.3 General instant messaging preferences in the Notes client
4.4.4 Instant messaging status preferences in the Notes client
4.4.5 Optional configuration: Autofade the contact list
4.5 Domino Web Access configuration
4.5.1 Server tasks
4.5.2 Defining the Instant Messaging server for users
4.5.3 Turning off use of the Secrets and Tokens database
4.5.4 Copying key files between servers
4.5.5 Domino Web Redirector
4.5.6 Configuring the server to use the new DWALogin form
4.5.7 Configuring the chat client
4.6 Lotus Team Workplace server
4.6.1 Initial Team Workplace installation
4.6.2 Post-installation configuration
4.6.3 Post-configuration integration
4.6.4 Optional configurations
4.6.5 Optional integration with Domino Web Access
4.7 Domino Document Manager server
4.7.1 Domino Document Manager taxonomy
4.7.2 Preinstallation steps
4.7.3 Initial Domino Document Manager installation
4.7.4 Post-installation configuration
4.7.5 Post-configuration integration
4.8 Lotus Workflow
4.8.1 Initial Lotus Workflow installation
4.8.2 Post-installation configuration
4.8.3 Post-configuration integration
Chapter 5. Upgrade and coexistence considerations
5.1 Planning for product upgrades to Release 6.5.1
5.1.1 Coexistence of versions within each product
5.1.2 Interoperability of versions between products
5.1.3 Upgrade dependencies
5.1.4 Suggested upgrade sequences
5.1.5 Authentication and directories
5.2 Upgrading specific products
5.2.1 Domino server upgrade
5.2.2 Lotus Team Workplace upgrade
5.2.3 Lotus Workflow upgrade
5.2.4 Domino Document Manager upgrade
5.2.5 Lotus Instant Messaging and Web Conferencing upgrade
5.3 Post-upgrade product integration
5.3.1 Lotus Instant Messaging and Web Conferencing integration
5.3.2 Domino Document Manager integration
5.4 Sample upgrade scenario
5.4.1 Pre-upgrade environment
5.4.2 Upgrading the Domino server: All products
5.4.3 Upgrading the Domino hub/mail server and clients
5.4.4 Upgrading the Lotus Team Workplace server
5.4.5 Upgrading the Domino Document Manager server
5.4.6 Upgrading Instant Messaging and Web Conferencing server
5.4.7 Post-upgrade Lotus Instant Messaging integration
5.4.8 Post-upgrade Domino Document Manager integration
5.4.9 Converting from native Domino to Domino LDAP authentication
Part 3. Scenarios
Chapter 6. Extended Products for small-to-medium businesses
6.1 Single machine deployment
6.1.1 Installing Lotus Domino and Interim Fix 1
6.1.2 Installing Instance1
6.1.3 Registering another server (Instance2)
6.1.4 Installing Lotus Instant Messaging and Web Conferencing
6.1.5 Installing Domino Document Manager
6.1.6 Installing Lotus Team Workplace
6.2 Multiple machine deployment
6.2.1 Installing/configuring Domino Web Access and Team Workplace
6.2.2 Installing/configuring Instant Messaging and Document Manager
6.3 Basic performance tuning
6.3.1 Modifying Domino tasks
6.3.2 Modifying Person documents
6.3.3 Modifying Location documents
6.3.4 Modifying server memory
6.3.5 How to bind Internet Protocols on a multiport server
6.3.6 When to enable transactional logging
6.3.7 Modifying the number of mail.boxes
6.3.8 Modifying HTTP threads
6.3.9 Modifying HTTP memory caches
6.4 Minimum and recommended hardware requirements
6.4.1 Lotus Notes 6.5.1
6.4.2 Lotus Domino Administrator 6.5.1
6.4.3 Lotus Domino Designer 6.5.1
6.4.4 Lotus Domino server 6.5.1
6.4.5 Lotus Instant Messaging and Web Conferencing 6.5.1
6.4.6 Lotus Team Workplace 6.5.1
6.4.7 Domino Document Manager 6.5.1
6.4.8 Lotus Workflow 6.5.1
Chapter 7. Integrating Domino 6.5.1 with a third-party LDAP directory
7.1 Before you begin with a third-party LDAP directory
7.2 Tools for understanding your LDAP directory
7.2.1 Using an LDAP tool
7.2.2 Confirming connectivity to your LDAP directory
7.3 Differences between LDAP directories
7.4 Configuring Lotus Instant Messaging for Active Directory
7.4.1 Prerequisites
7.4.2 Lotus Instant Messaging authentication architecture
7.4.3 Configuration steps for Instant Messaging with Active Directory
7.4.4 Modifying the STConfig.nsf database
7.4.5 Verifying the Lotus Instant Messaging configuration
7.4.6 Troubleshooting Lotus Instant Messaging LDAP problems
7.5 Configuring Lotus Team Workplace for Active Directory
7.5.1 Prerequisites
7.5.2 Configuration of Lotus Team Workplace with Active Directory
7.5.3 Modifying the qpconfig.xml file for a third-party LDAP directory
7.5.4 Why modify the qpconfig.xml file?
7.5.5 Tips for modifying the qpconfig.xml file
7.5.6 Configuring chat and presence awareness in Team Workplace
7.5.7 Expanded group membership model in Lotus Team Workplace
7.5.8 Troubleshooting Lotus Team Workplace and Active Directory
7.6 Configuring Domino Document Manager and Active Directory
Chapter 8. Domino 6.5.1 Extended Products with WebSphere Portal
8.1 What is IBM WebSphere Portal?
8.2 What are the Domino 6.5.1 Extended Products portlets?
8.3 Portal and LDAP directory prerequisites
8.3.1 Currently supported LDAP directories for WebSphere Portal
8.3.2 Configuring WebSphere Portal for Domino 6.5.1 LDAP directory
8.3.3 Configuration steps to use a Domino 6.5.1 LDAP directory
8.3.4 Verifying the configuration through WebSphere Portal
8.3.5 Sample wpconfig.properties file
8.4 Configuring WebSphere Portal for Lotus Instant Messaging
8.4.1 General tips for modifying the CSEnvironment.properties file
8.4.2 Additional configuration required for Lotus Instant Messaging
8.4.3 Instant Messaging and Web Conferencing with two directories
8.4.4 Sample CSEnvironment.properties file
8.5 Prerequisites for installing the Domino 6.5.1 portlets
8.6 Installing the 6.5.1 Extended Products portlets
8.6.1 Downloading the Domino 6.5.1 portlets
8.6.2 Installing the portlets and sample pages
8.6.3 Establishing SSO before configuring Domino 6.5.1 portlets
8.6.4 Testing single sign-on (SSO)
8.7 Additional configuration prerequisites
8.7.1 Team Workplace and Instant Messaging requirements
8.8 Configuring the 6.5.1 Extended Products portlets
8.8.1 Configuring the Team Spaces portlet
8.8.2 Configuring the Web Conferences portlet
8.8.3 Configuring the Instant Messaging Contact List
8.8.4 Configuring the Domino Web Access portlet
8.8.5 Configuring the Document Manager portlet
8.8.6 Configuring the Domino Application portlet
8.8.7 Configuring the Domino Databases (Notes View) portlet
8.9 Integrating Domino 6.5.1 into an existing portal
8.9.1 Domino name mapping
8.9.2 Using the LDAP name in database ACLs
8.9.3 Including the LDAP DN as an additional user name in Domino
8.9.4 Including the Domino name in the LDAP directory
8.9.5 Troubleshooting Domino name mapping
Chapter 9. IBM Lotus Domino Access for Microsoft Outlook
9.1 Introduction
9.2 Key advantages of Domino Access for Microsoft Outlook with Domino
9.2.1 Domino Access for Microsoft Outlook deployment scenarios
9.3 Why is Microsoft Outlook support important?
9.4 Domino Access for Microsoft Outlook overview
9.4.1 Domino mail in Microsoft Outlook
9.4.2 Domino calendar in Microsoft Outlook
9.5 Domino preferences in Microsoft Outlook
9.5.1 Passwords and security
9.5.2 Out of Office preferences
9.5.3 Replication settings
9.5.4 Calendar Scheduling options
9.5.5 Domino help in Microsoft Outlook
9.6 Detailed Domino Access for Microsoft Outlook architecture
9.6.1 Key design criteria for Domino Access for Microsoft Outlook
9.6.2 Overview of Domino Access for Microsoft Outlook architecture
9.6.3 Domino Access for Microsoft Outlook Extension Manager
9.6.4 Domino Access for Microsoft Outlook replication layer
9.6.5 Domino Access for Microsoft Outlook mapping module
9.6.6 Microsoft Outlook service providers
9.6.7 Add-in integration with Microsoft Outlook
9.7 Instant messaging with Microsoft Outlook
9.7.1 Deployment scenarios for Instant TeamMessenger
9.8 Installing Domino Access for Microsoft Outlook
9.8.1 End-user hardware requirements
9.8.2 Administrator software requirements
9.8.3 Microsoft Outlook 2000
9.8.4 Microsoft Outlook XP
Part 4. Appendix
Appendix A. Additional material
Locating the Web material
Using the Web material
Related publications
IBM Redbooks
Online resources
How to get IBM Redbooks
Help from IBM
Index
Notices
This information was developed for products and services offered in the U.S.A.
IBM may not offer the products, services, or features discussed in this document in other countries. Consult
your local IBM representative for information on the products and services currently available in your area.
Any reference to an IBM product, program, or service is not intended to state or imply that only that IBM
product, program, or service may be used. Any functionally equivalent product, program, or service that
does not infringe any IBM intellectual property right may be used instead. However, it is the user's
responsibility to evaluate and verify the operation of any non-IBM product, program, or service.
IBM may have patents or pending patent applications covering subject matter described in this document.
The furnishing of this document does not give you any license to these patents. You can send license
inquiries, in writing, to:
IBM Director of Licensing, IBM Corporation, North Castle Drive Armonk, NY 10504-1785 U.S.A.
The following paragraph does not apply to the United Kingdom or any other country where such provisions
are inconsistent with local law: INTERNATIONAL BUSINESS MACHINES CORPORATION PROVIDES
THIS PUBLICATION "AS IS" WITHOUT WARRANTY OF ANY KIND, EITHER EXPRESS OR IMPLIED,
INCLUDING, BUT NOT LIMITED TO, THE IMPLIED WARRANTIES OF NON-INFRINGEMENT,
MERCHANTABILITY OR FITNESS FOR A PARTICULAR PURPOSE. Some states do not allow disclaimer
of express or implied warranties in certain transactions, therefore, this statement may not apply to you.
This information could include technical inaccuracies or typographical errors. Changes are periodically made
to the information herein; these changes will be incorporated in new editions of the publication. IBM may
make improvements and/or changes in the product(s) and/or the program(s) described in this publication at
any time without notice.
Any references in this information to non-IBM Web sites are provided for convenience only and do not in any
manner serve as an endorsement of those Web sites. The materials at those Web sites are not part of the
materials for this IBM product and use of those Web sites is at your own risk.
IBM may use or distribute any of the information you supply in any way it believes appropriate without
incurring any obligation to you.
Information concerning non-IBM products was obtained from the suppliers of those products, their published
announcements or other publicly available sources. IBM has not tested those products and cannot confirm
the accuracy of performance, compatibility or any other claims related to non-IBM products. Questions on
the capabilities of non-IBM products should be addressed to the suppliers of those products.
This information contains examples of data and reports used in daily business operations. To illustrate them
as completely as possible, the examples include the names of individuals, companies, brands, and products.
All of these names are fictitious and any similarity to the names and addresses used by an actual business
enterprise is entirely coincidental.
COPYRIGHT LICENSE:
This information contains sample application programs in source language, which illustrates programming
techniques on various operating platforms. You may copy, modify, and distribute these sample programs in
any form without payment to IBM, for the purposes of developing, using, marketing or distributing application
programs conforming to the application programming interface for the operating platform for which the
sample programs are written. These examples have not been thoroughly tested under all conditions. IBM,
therefore, cannot guarantee or imply reliability, serviceability, or function of these programs. You may copy,
modify, and distribute these sample programs in any form without payment to IBM for the purposes of
developing, using, marketing, or distributing application programs conforming to IBM's application
programming interfaces.
Trademarks
The following terms are trademarks of the International Business Machines Corporation in the United States,
other countries, or both:
AIX
Cloudscape
DB2
Domino Designer
Domino.Doc
Domino
Eserver
ibm.com
IBM
iNotes
iSeries
Lotus Enterprise Integrator
Lotus Notes
Lotus Workflow
Lotus
Netfinity
Passport Advantage
QuickPlace
Redbooks (logo)
Redbooks
S/390
Sametime
Tivoli
WebSphere
Workplace Messaging
z/OS
zSeries
The following terms are trademarks of other companies:
Java and all Java-based trademarks and logos are trademarks or registered trademarks of Sun
Microsystems, Inc. in the United States, other countries, or both.
Microsoft, Windows, Windows NT, and the Windows logo are trademarks of Microsoft Corporation in the
United States, other countries, or both.
Intel, Intel Inside (logos), MMX, and Pentium are trademarks of Intel Corporation in the United States, other
countries, or both.
UNIX is a registered trademark of The Open Group in the United States and other countries.
Linux is a trademark of Linus Torvalds in the United States, other countries, or both.
Other company, product, and service names may be trademarks or service marks of others.
Preface
This IBM Redbook discusses how to install, configure, and integrate Release
6.5.1 of IBM Lotus Domino and the Extended Products.
Release 6.5.1 of Lotus Domino and the Extended Products represents a
significant change in the way Lotus delivers software for customers. Each
product in the 6.5.1 family is developed, tested, and supported to run with the
other Release 6.5.1 products. For example, IBM Lotus Instant Messaging and
Web Conferencing (formerly called Sametime) 6.5.1 and Lotus Team
Workplace (formerly called QuickPlace) 6.5.1 will run on Domino 6.5.1.
Customers will no longer need to spend time wondering (and testing) which
version of which product works with which version of Domino. This translates to
faster time to value for customers by enabling them to upgrade more frequently
and more easily.
Although Lotus Domino 6.5.1 and the Extended Products are now developed and
delivered to run together on the same release, it is necessary to perform
separate configuration steps within each of the components to achieve a highly
integrated collaborative environment with presence awareness throughout. This
book explains how to integrate and configure the IBM Lotus Domino 6.5.1
Extended Products in order to more effectively leverage each product's
collaborative capabilities. We address the concept of integration from several
different perspectives:
How to build a Domino-based collaborative environment using exclusively
Release 6.5.1 of Domino and the Extended Products
How to upgrade an existing Domino-based collaborative environment, which
is based on some or all of the Extended Products
Finally, how to configure IBM WebSphere Portal to leverage Domino 6.5.1
and Extended Product portlets to provide an integrated and collaborative
platform for end users
The audience of this book is a network administrator or IT specialist who wants to
introduce or integrate Release 6.5.1 of Domino and the Extended Products. In
addition, business executives, system architects, and IT specialists who want to
better understand the collaborative benefits, the product features, integration
points, and configuration requirements between Domino 6.5.1 and the Extended
Products will benefit from this book.
The team that wrote this redbook
This redbook was produced by a team of specialists from around the world
working at the International Technical Support Organization, Poughkeepsie
Center.
John Bergland is a Project Leader at the International
Technical Support Organization, Cambridge Center. He
manages projects that produce Redbooks about Lotus
Software products. Before joining the ITSO in 2003, John
worked as an Advisory IT Specialist with IBM Software
Services for Lotus (ISSL), specializing in Notes and
Domino messaging and collaborative solutions.
Kelly Brooks is a Lotus Service Manager for IBM based
in Austin, TX. Kelly has been within the Lotus Software
Brand for more than seven years, supporting Domino and
many of the Domino Extended Products. Prior to
becoming a Lotus Service Manager, Kelly was a
curriculum developer, developing training documentation
for the worldwide Support organization. She has delivered
technical training and documentation still referenced
today.
Ravinder Dhaliwal is a Software Services Manager for
IBM Australia. He has more than nine years of consulting
experience in the Lotus Domino arena, having previously
specialized in infrastructure design, deployment, and
messaging migration. Increasingly, Ravinder has been
involved in a diverse range of software integration projects,
designing and deploying solutions that integrate the
collaboration capabilities of Domino with products such as
WebSphere Portal and Lotus Workplace. He is regularly
involved in helping customers with directory integration
and single sign-on issues, having extensive experience
with LDAP, and has also been an instructor for Domino,
Lotus Instant Messaging, Team Workplace, and WebSphere Application Server
administration courses. Ravinder has worked at IBM Lotus for four years and has
recently written about Microsoft Active Directory integration and Domino
Access for Microsoft Outlook.
Kevin O'Donnell is President and Founder of Bizware
Partners Incorporated in Lynnfield, MA. He is an IBM
Certified Advanced Developer, Administrator, and
Instructor for Lotus Notes/Domino and the Extended
Products. He has more than 15 years of experience in
information technology and business consulting
services. Kevin has advanced degrees in Engineering
and Mathematics from MIT, but his current expertise is
focused on developing collaborative business solutions
and deploying, integrating, and administering Domino
and the Extended Products to support those solutions.
Edmund "Ted" Stanton is an Enterprise Software
Engineer for Lotus Software in North America. He has
been working with Lotus Domino and Extended
Products since 2000. He worked in system integration
for Towers Perrin before joining IBM in 2002. He holds a
double degree in Computer Science and Mathematics,
as well as a minor in Business from Virginia Wesleyan
College. His primary area of expertise includes mail
routing protocols and instant messaging. He has
certifications in Domino Document Manager, Lotus
Instant Messaging, Team Workplace, Lotus Domino
Administrator, Lotus Domino Designer, WebSphere
Server, and Microsoft Windows 2000. He is a Primary Area Expert for Lotus
Domino Shared Mail and has written extensively about this topic. He is a member
of the Notes/Domino 7 enablement team for beta testing and documenting new
product features. Ted is the author of the article "Integrating voice, email, and fax
in a single unified messaging store" on the Lotus Developer Domain
(http://www.ibm.com/developerworks/lotus/library/article/DUC/). He is also
an active member of a designated focus group involving IBM Business Partners
to identify skills and knowledge required to successfully perform the role of the
Lotus Workplace Messaging System Administrator.
Carol Sumner is an Advisory I/T Specialist based in
Nashville, Tennessee. She has 12 years of IT
experience, including seven years of specialization in
messaging systems implementation, administration,
and migrations. Carol joined IBM in 2000 as a member
of the IBM Software Services for Lotus organization
and recently became a Lotus Services Manager. Her
concentration is based on Domino infrastructure,
architecture, deployment, and migrations. She is also
an author of the IBM Redbook Upgrading to Lotus
Notes and Domino 6, SG24-6889. She received a BA
from the University of Iowa and holds a Master of
Divinity degree from Texas Christian University.
Stijn Van Herzele is the Lotus Technologies Support
Team Leader at AMS EMEA Courseware
Development, IBM EMEA, Belgium. He and his team
are in charge of development, implementation,
maintenance, and support of applications, including
the WWRepository, RPS, LSCAS, and Prepare. He
has more than eight years of experience in the field in
Lotus solution design and architecture as an Advanced
System Engineer - Information Specialist and holds a
degree in Applied Computer Science from VUB
Etterbeek. He is a certified Lotus Instructor and is
actively teaching within IBM IT Education Services. In
addition, he has certifications as an Advanced Professional for Lotus in
Development and System Administration, specializing in Lotus Notes and
Domino messaging and collaborative solutions and has experience with Lotus
Notes/Domino R3, R4, R5, and R6.
Additional contributors
Thanks to the following people for their contributions to this project:
Jason Dumont
IBM, Westford, MA, U.S.
Peter Mierswa
IBM, Westford, MA, U.S.
Brian Gallagher
IBM, Westford, MA, U.S.
Alan Lepofsky
IBM, Cambridge, MA, U.S.
Brendan Crotty
IBM, Cambridge, MA, U.S.
William Tworek
International Technical Support Organization, Cambridge Center
Chris Doughty
IBM, Austin, TX, U.S.
Casey Brown
IBM, Austin, TX, U.S.
Maren Nelson
IBM SMB Solutions, Austin, TX, U.S.
Become a published author
Join us for a two- to six-week residency program! Help write an IBM Redbook
dealing with specific products or solutions, while getting hands-on experience
with leading-edge technologies. You'll team with IBM technical professionals,
Business Partners and/or customers.
Your efforts will help increase product acceptance and customer satisfaction. As
a bonus, you'll develop a network of contacts in IBM development labs, and
increase your productivity and marketability.
Find out more about the residency program, browse the residency index, and
apply online at:
ibm.com/redbooks/residencies.html
Comments welcome
Your comments are important to us!
We want our Redbooks to be as helpful as possible. Send us your comments
about this or other Redbooks in one of the following ways:
Use the online "Contact us" review redbook form found at:
ibm.com/redbooks
Send your comments in an Internet note to:
redbook@us.ibm.com
Mail your comments to:
IBM Corporation, International Technical Support Organization
Dept. JLU Mail Station P099
2455 South Road
Poughkeepsie, New York 12601-5400
Part 1 Introduction
In this part of the book, we introduce Domino Release 6.5.1 and the Extended
Products, highlight the integration features, and discuss strategic considerations
when building a collaboration infrastructure.
Chapter 1. Introduction
Release 6.5.1 of IBM Lotus Domino and the Extended Products represents a
significant change in the way Lotus delivers software for customers. Each
product in the Domino 6.5.1 family is developed, tested, and supported to run
with the other Release 6.5.1 products. For example, IBM Lotus Instant
Messaging and Web Conferencing (formerly called Sametime) 6.5.1 or IBM
Lotus Team Workplace (formerly called QuickPlace) 6.5.1 will run on Domino
6.5.1. Customers will no longer need to spend time wondering (and testing)
which version of which product works with which version of Domino. This
translates to faster time to value for customers by enabling them to upgrade more
frequently and more easily.
Although Lotus Domino 6.5.1 and the Extended Products are now developed and
delivered to run together on the same release, it is necessary to perform
separate configuration steps within each of the components to achieve a highly
integrated collaborative environment with presence awareness throughout. This
book explains how to integrate and configure the IBM Lotus Domino 6.5.1
Extended Products in order to more effectively leverage each product's
collaborative capabilities. We address the concept of integration from several
different perspectives:
How to build a Domino-based collaborative environment using exclusively
Release 6.5.1 of Domino and the Extended Products
How to upgrade an existing Domino-based collaborative environment, which
is based on some or all of the Extended Products
Finally, how to configure IBM WebSphere Portal to leverage Domino 6.5.1
and Extended Product portlets to provide an integrated and collaborative
platform for end users
When referring to IBM Lotus Domino 6.5.1 and Extended Products, the official
set of IBM Lotus products includes the following:
Lotus Domino
Lotus Notes
Lotus Domino Web Access
Lotus Domino Designer
Lotus Enterprise Integrator
Lotus Domino Access for Microsoft Outlook
Lotus Instant Messaging and Web Conferencing
Lotus Team Workplace
Lotus Workflow
Lotus Domino Document Manager
Lotus Workplace Web Content Management
New and updated Domino 6.5.1 and Extended Products portlets and sample
portal page
For the purposes of this book, we focus primarily on a core set of Extended
Products, including IBM Lotus Instant Messaging and Web Conferencing, Lotus
Team Workplace, Lotus Domino Web Access, Lotus Domino Document Manager
(formerly called Domino.doc), and Lotus Workflow.
1.1 Structure of this book
The audience of this book is a network administrator or IT specialist who wants to
introduce or integrate Release 6.5.1 of Domino and the Extended Products. In
addition, business executives, system architects, and IT specialists who want to
better understand the collaborative benefits, the product features, integration
points, and configuration requirements between Domino 6.5.1 and the Extended
Products will benefit from this book.
The book is divided into three parts:
Part 1, "Introduction" introduces Release 6.5.1 and the Extended Products,
highlights the integration features, and raises strategic considerations when
building a collaboration infrastructure. Part 1 includes the following chapters:
Chapter 1, "Introduction" on page 3 outlines the individual benefits
associated with each product, as well as the benefits associated with
integrating the products. Read this chapter to gain an understanding of
collaborative possibilities and the IBM Lotus versioning strategy introduced
with Release 6.5.1.
Chapter 2, "Integration of Domino 6.5.1 Extended Products" on page 23
shows how the products intersect and how that integration will make your
users' collaborative experience easier and more intuitive. We show new
client features and new administration features. Read this chapter to
become more familiar with the new features.
Chapter 3, "Directory and authentication considerations" on page 67
highlights the importance of considering a directory strategy when
integrating products. Read this chapter if you want to understand the
implications of using native Domino authentication versus using an LDAP
server for authentication.
Part 2, "Installation, configuration, and coexistence" deals with the
implementation and integration of the products. Part 2 contains the following
chapters:
Chapter 4, "New Domino installation" on page 85 illustrates how the
products integrate and describes how to make them work. Read this
chapter if you have a Notes and Domino environment, but have not
implemented the collaborative products previously, or have only
implemented one of them (for example, Lotus Instant Messaging and Web
Conferencing).
Chapter 5, "Upgrade and coexistence considerations" on page 211 deals
with the upgrade considerations. Read this chapter if you have already
implemented some of the products and need information about how to
upgrade them to the new releases.
Part 3, "Scenarios" includes three scenarios, which we believe address the
needs of organizations seeking to implement collaboration tools. Part 3
contains the following chapters:
Chapter 6, "Extended Products for small-to-medium businesses" on
page 309 addresses small and medium business considerations. Read
this chapter if you have limited server resources, or if you want to set up a
proof of concept for a larger organization.
Chapter 7, "Integrating Domino 6.5.1 with a third-party LDAP directory" on
page 351 addresses how to implement the Extended Products in a
non-Domino environment. Read this chapter if your organization uses a
non-Domino e-mail system, but wants to take advantage of the world-class
IBM Lotus collaboration products. We show you how to integrate these
products into your environment, with a particular focus on using Microsoft
Active Directory for authentication.
Chapter 8, "Domino 6.5.1 Extended Products with WebSphere Portal" on
page 405 describes how to expose the IBM Lotus collaboration tools in a
portal environment. Many companies are moving to a portal interface for
existing applications. Domino 6.5.1 and Extended Products include a set
of portlets for use with IBM WebSphere Portal.
Chapter 9, "IBM Lotus Domino Access for Microsoft Outlook" on page 489
examines Domino Access for Microsoft Outlook, an important new
addition to the Domino 6.5.1 Extended Products. Domino Access for
Microsoft Outlook allows Microsoft Outlook client users to easily access
mail and calendar data stored on Lotus Domino servers. This chapter
describes the many advantages of using the Outlook client with Lotus
Domino servers and also provides some typical deployment scenarios. In
addition, it includes a detailed architecture of the product and discusses
how to install the product.
1.2 Strategic significance of Release 6.5.1
Although technically a point release, Release 6.5.1 of Domino and Extended
Products represents a significant and strategic milestone from IBM Lotus about
the ongoing commitment to Domino. In addition to addressing functional and
performance enhancements within the product, there is a fundamental emphasis
placed on compatibility and integration between the products, including:
Verified compatibility between products running on the 6.5.1 Release
Each product in the 6.5.1 family is developed, tested, and supported to run
with the other 6.5.1 products. For example, Lotus Instant Messaging and Web
Conferencing 6.5.1 will run on Domino 6.5.1 and Team Workplace 6.5.1 will
run on Domino 6.5.1. No longer will customers have to spend time wondering
(and testing) which version of which product works with which version of
Domino. This translates to faster time to value for our customers by enabling
them to upgrade more frequently and more easily.
Forward compatibility between Release 6.5.1 and future releases
Beginning with Release 6.5.1 of Domino and the Extended Products, all
products will be compliant with future Domino maintenance releases. If future
compliance cannot be met, a new maintenance release of that product will be
released with that Domino version. No longer will your Domino environment
have to be mixed in order to maintain a supported environment based on the
requirements of your Extended Products.
In 1.4, "Why upgrade: Overview of the integration strategy" on page 10, we
discuss the strategic advantages of upgrading to Release 6.5.1 in greater detail.
1.3 Evolution toward integration
In the previous section, we emphasized how Release 6.5.1 represents a
milestone in product compatibility. In addition, it is very important to recognize
how Domino 6.5.1 and the Extended Products represent an evolution toward a
highly integrated platform for collaboration. Ultimately, this helps to define
different levels of integration, from an initial silo-based approach of the different
Domino products toward a seamlessly integrated platform.
Each of the different levels of integration is illustrated as concepts within the
diagrams in Figure 1-1 on page 8, Figure 1-2 on page 9, and Figure 1-3 on
page 10. These levels include:
Pre-6.5.1 architecture (functional silos with some integration): Figure 1-1 on
page 8 illustrates the pre-6.5.1 Release architecture, highlighting the
following concepts:
Each of the core Domino collaborative products was released and tested
on its own schedule. Although it was possible to have a certain level of
integration between the products based on Lotus Instant Messaging and
Web Conferencing presence awareness, each product essentially
represented a functional silo. Note that different versions of Domino
servers were required for each product release.
For directory authentication, each of the products could authenticate in
one of the following ways:
Using a native Domino Directory.
Using a Domino Directory through LDAP.
All products (except Dom.Doc) could authenticate using a third-party
LDAP directory.
(Note that Lotus Team Workplace can only use a Native Domino Directory
for temporary upgrade purposes; in a production environment, Lotus
Team Workplace requires LDAP authentication.)
Finally, single sign-on was an option for logging on to Web-based Domino
Mail, Lotus Instant Messaging and Web Conferencing, and Lotus Team
Workplace.
Figure 1-1 Pre-6.5.1 architecture
Release 6.5.1 architecture (integrated collaborative platform): Figure 1-2 on
page 9 illustrates a significantly greater degree of integration in the 6.5.1
Release architecture, highlighting the following concepts:
Each of the core Domino collaborative products is now released and
tested on a synchronized schedule. Because Lotus Instant Messaging and
Web Conferencing presence awareness is much more integral to each of
the products, and because the products are released together, we no
longer represent this as functional silos, but as an integrated
collaborative platform. Note that all of the Extended Products now run on a
single version of the Domino server, namely 6.5.1.
For directory authentication, each of the products can authenticate using:
A native Domino Directory
A Domino Directory through LDAP
A third-party LDAP directory
(Note that Lotus Team Workplace can only use a Native Domino Directory
for temporary upgrade purposes; in a production environment, Lotus
Team Workplace requires LDAP authentication.)
Single sign-on now spans across the integrated collaborative suite of
products, including Web-based Domino Mail, Lotus Instant Messaging and
Web Conferencing, Team Workplace, and Domino Document Manager.
Figure 1-2 Release 6.5.1 architecture: A greater degree of integration
Integrating Release 6.5.1 collaborative portlets through WebSphere Portal:
Figure 1-3 on page 10 illustrates yet another level of integration: How Domino
6.5.1 and Extended Products portlets can be leveraged to render a
collaborative, Web-based environment through WebSphere Portal. Figure 1-3
on page 10 highlights how the benefits and degree of integration within the 6.5.1
Release of Domino and Extended Products serve as the basis for a
collaborative environment to be accessed through WebSphere Portal.
Figure 1-3 Integration through WebSphere Portal
1.4 Why upgrade: Overview of the integration strategy
Beginning with Release 6.5.1, IBM is delivering each of the products on a
common release schedule with a common set of operating systems, languages,
and supported browsers. By delivering products in this manner, customers will be
able to install releases of each product, secure in the knowledge that they have
been tested and are supported to run together. In addition, all product versions
have been reformed to match the Domino 6.5.1 versioning scheme. IBM will
continue to adopt this type of versioning moving forward so that customers will
know instantly which releases of the products have been tested with various
releases of Domino. This common Domino platform has significant
implications:
Standard Domino Directory design and features for all products
Standard Directory Assistance design and features for all products
Standard LDAP integration points for all products
Domino fixes specific to these products and interoperability between the
products
Standard base-line debug, such as NSD, for all products
These small statements have a large significance when you begin thinking of a
deployment within a highly complex or customized environment. No longer does
the Domino Administrator need to consider not replicating design between
address books in order to maintain functionality. It is ideas such as this that were
behind the milestone of releasing these products together and on the same
Domino version.
Perhaps one of the most important milestones of this release, and an excellent
reason for upgrading, is the issue of forward compatibility. From this point
forward, the products beginning with the 6.5.1 Release will be compliant with
future Domino maintenance releases. If future compliance cannot be met, a new
maintenance release of that product will be released with that Domino version.
No longer will your Domino environment have to be mixed in order to maintain a
supported environment based upon the requirements of your Extended
Products. Figure 1-4 and Figure 1-5 on page 12 illustrate this point by contrasting
a typical server infrastructure running on a pre-6.5.1 Release together with an
infrastructure running all versions at 6.5.1.
Figure 1-4 Typical Domino installation requiring different server levels
For the example scenario shown in Figure 1-4, Lotus Instant Messaging and
Web Conferencing (Sametime) 3.0 and Lotus Team Workplace (QuickPlace)
3.0.1 are running in your environment. Lotus Instant Messaging and Web
Conferencing (Sametime) 3.0 requires Domino 6.0.2 and Lotus Team Workplace
(QuickPlace) requires Domino 5.0.12. Therefore, you have a mixed Domino
environment between two major Domino releases.
Figure 1-5 Domino 6.5.1 and Extended Products requiring one server level
As Figure 1-5 illustrates, now you can run Lotus Instant Messaging and Web
Conferencing (Sametime) and Lotus Team Workplace (QuickPlace) on Domino
6.5.1. If you upgrade to Domino 6.5.3, both products will still be supported to run
and will be tested, prior to release, for interoperability and integration issues. If
problems are found, the products would release a 6.5.3 version.
In addition to this common platform strategy, the 6.5.1 platform also contains
integration points within each of the products.
Online awareness: All programs contain functionality supporting online
awareness.
Instant messaging integration: All programs contain chatting functionality.
LDAP integration: All products now have the ability to talk with V3 compliant
LDAP directories.
Both the integration points and common platform standards benefit the
customer's total cost of ownership and ease of deployment. With such powerful
standards set, it is difficult to argue in favor of not moving to Domino 6.5.1 and its
Extended Products.
1.5 The Domino 6.5.1 Extended Products
The Lotus Software team has coordinated key products in the Lotus portfolio to
align with the most current version of Notes/Domino. This version coordination
makes it easy to know which versions of Notes/Domino Extended Products will
work together, including Lotus Team Workplace, Lotus Instant Messaging and
Web Conferencing, Lotus Domino Document Manager (formerly called Lotus
Domino.Doc), and Lotus Workflow. The intention is to maintain version
coordination for each new release. Products will support four common
platforms: IBM Eserver iSeries, Microsoft Windows, AIX, and Sun Solaris.
Two common browsers will be supported: Microsoft Internet Explorer and
Mozilla.
1.5.1 IBM Lotus Team Workplace
IBM Lotus Team Workplace (formerly called QuickPlace) 6.5.1 is a self-service
work space expressly designed for team collaboration. With Lotus Team
Workplace, users can instantly create secure work spaces on the Web, providing
them with a place to coordinate, collaborate, and communicate on any project
or ad hoc initiative. The previous version of Lotus Team Workplace was Release
3.0.1. It is now Release 6.5.1, synchronized with the latest version of IBM Lotus
Notes and Domino.
Benefits of Team Workplace
The benefits of Team Workplace include:
Provides anytime, anywhere access to collective knowledge,
information-sharing, tasks, and team calendar events, whether online or
disconnected.
Seamlessly establishes a working community with a sense of accountability,
whether team members are centralized or geographically dispersed.
Increases team productivity and efficiency by virtualizing asynchronous
collaboration processes, and optionally integrates them with real-time
processes.
Increases responsiveness among colleagues, customers, business partners,
and suppliers by facilitating instant formation of working teams, whether the
team members reside within or beyond the organization.
Facilitates faster, collective decision making by centralizing timely and
accurate information and granting all team members equal opportunity to
review and react.
New features
The new features of Team Workplace include:
Functionality enhancements:
Support for the Mozilla browser on Red Hat Linux. Users connecting to
Team Workplace 6.5.1 can do so using the Mozilla browser on Red Hat
Linux.
Restriction: Domino Document Manager does not support the Mozilla
browser.
Expanded membership feature. The new expanded membership feature
supports up to 4000 individual members of a place. In previous releases,
places were limited to approximately 300 to 900 individual members.
Support for publishing Microsoft Office 2003 documents:
Import Office 2003 documents into Team Workplace.
Create and view Office 2003 documents within Team Workplace.
Perform editing round trips on Office 2003 pages.
Updated pages show last editor and the creator.
Performance enhancements:
New method for retrieving system images; pages that rely heavily on
system images (for example, editing pages) load more quickly.
New page compression algorithm reduces the size of HTML transmissions
to 30% of their original size, resulting in faster loading pages (requires a
browser that can support this).
Security features:
Ability to block specific protocols referenced in link URLs, and to block
imports of files that contain cross-site scripts.
Prevent Team Workplace from caching on the browser pages that contain
user data.
Team Workplace controls:
Control whether Team Workplace opens a place accessed through My
Places in the current browser window or in a new browser window.
Control whether the link for My Places lists the places in the page a user
is currently signed on to or in the Quickplace/quickplace main place.
1.5.2 IBM Lotus Domino Document Manager
IBM Lotus Domino Document Manager (formerly called Lotus Domino.Doc) is a
ready-built solution for organizing documents for shared access by work teams. It
manages versions so that each team member has the latest version and
automates document-driven processes, such as review and approval, assembly
and publishing, archiving, and records management.
New features
The new features of Domino Document Manager include:
Client functionality enhancements:
Web browser:
The Web browser interface includes a consolidated site map for quicker
access to the libraries, cabinets, binders, and documents. The site map
is also easier to resize; just click and drag the border to the width you
want.
The Web browser interface has new advanced search options,
including search word variants, fuzzy search, and thesaurus
synonyms.
Single sign-on between libraries.
The complete library hierarchy is now visible from the Folders view
and easy to navigate for quick access to information.
Notes client:
Move Lotus Notes e-mail content, including header information, body
text, and file attachments to a Document Manager library, and choose
which components to save.
Replace the original file attachments in a Notes e-mail message with a
link to the corresponding new document in the library.
Lotus Instant Messaging Connect client:
Save instant and meeting chat transcripts as new documents in a
Document Manager library directly from the Lotus Instant Messaging
Connect client.
Performance enhancements:
Response time for domain searches is faster in this release.
Infrastructure improvements:
When setting up Document Manager libraries, administrators can choose
whether to enable Lightweight Directory Access Protocol (LDAP) integration for
user Directory Assistance. Domino Document Manager supports nested
LDAP groups for authentication.
Administrators can set up single sign-on for easy access to multiple
libraries. This includes access from multiple clients (Web browser,
Microsoft Office applications, Windows Explorer).
New platforms supported:
Microsoft Windows 2003 Server
AIX 5L Version 5.2
Sun Solaris 8 and 9
1.5.3 IBM Lotus Instant Messaging and Web Conferencing
IBM Lotus Instant Messaging and Web Conferencing (formerly called Sametime)
6.5.1 is the IBM product and platform for real-time collaboration. It is based on
three on demand concepts:
Presence awareness: You can see in advance whether people or applications
are online and available to collaborate, share information, take action, or all of
these.
Instant messaging: You can communicate in real time through the exchange
of text-based, audio-based, and video-based information.
Web conferencing: You can participate in online meetings, allowing you to
share information, an application, or an entire desktop, or engage in team
white boarding.
Benefits of Lotus Instant Messaging and Web Conferencing
The benefits of Lotus Instant Messaging and Web Conferencing include:
Provides instant, anytime access to people and information through
integrated presence awareness, conversation, and object-sharing
capabilities.
Provides a secure environment for real-time collaboration. Individuals and
teams can communicate directly and effectively, despite geographic
boundaries.
Improves individual and team productivity, broadening communications
choice beyond the telephone, e-mail, and in-person meetings.
Enables faster, more informed decision-making by bringing people together,
spontaneously or in a structured fashion.
Improves general and customer-specific response times, ultimately
accelerating time-to-market, all while providing competitive advantage.
Reduces total cost of ownership (TCO) by providing a set of real-time
capabilities in a single product offering, and by providing flexible integration
with existing infrastructures and Web applications.
Reduces need for business travel, delivering fast and often measurable return
on investment (ROI).
The previous version of Lotus Instant Messaging and Web Conferencing was
Release 3.1. It is now Release 6.5.1, synchronized with the latest version of IBM
Lotus Notes and Domino.
New features
The new features of Lotus Instant Messaging and Web Conferencing include:
Enhanced capability:
Potential bandwidth savings and end-user performance. The administrator
can force the screen sharing tool to use 8-bit color depth. This saves
network bandwidth and improves processing by end users' clients.
Improved integration with LDAP directories (directory mapping). This
improves integration with application servers (for example, portal servers)
that use a different LDAP directory than the Lotus Instant Messaging and
Web Conferencing server.
Integrated Notes System Diagnostics (NSD) collection.
IBM Tivoli WebSeal Reverse Proxy integration capability.
Enhanced Lightweight Directory Access Protocol (LDAP) performance.
You can customize the logic by which Lotus Instant Messaging and Web
Conferencing conducts LDAP directory searches and how the results
format the user names.
Audio adaptor add-on.
Improved security, including encrypted buddy lists, privacy lists, and
presence status information. Announcements sent from Instant Messaging
(formerly called Sametime) Connect clients are now encrypted.
Client filtering capability so that the administrator can prevent earlier
versions of Instant Messaging Connect from using the Lotus Instant
Messaging and Web Conferencing server. This preserves the new security
features found in 6.5.1.
Auto away for Lotus Instant Messaging and Web Conferencing links.
Integration:
IBM Lotus Notes V6.5.1
IBM Lotus Team Workplace V6.5.1
New platforms supported:
IBM Lotus Domino V6.5.1
Microsoft Windows 2003
Solaris Version 9
AIX 5L Version 5.2
Compatible with Mozilla V1.4.1 Web browser
Retired features
IBM Lotus has retired the following features from the Lotus Instant Messaging
and Web Conferencing package. Some of these features were not based on
Internet standards and therefore do not meet the IBM commitment to
standards-based technologies.
TeamRoom and Discussion databases. It is no longer recommended to host
these databases on a Lotus Instant Messaging and Web Conferencing server.
Scheduling teleconferences on a Latitude Meeting Place server.
AOL instant messaging connectivity in the Lotus Instant Messaging Connect
client.
Access by Microsoft NetMeeting clients.
Access by Netscape Web browser.
Enterprise Meeting Server compatibility (you cannot add a Lotus Instant
Messaging and Web Conferencing 6.5.1 server to the Enterprise Meeting
Server to create a server cluster).
1.5.4 IBM Lotus Domino Web Access
Domino Web Access is now more fully integrated with Lotus Instant Messaging
and Web Conferencing and provides a robust interface for users. Because there
is one mail design for all users, it is truly feasible for users to access their mail
with both Domino Web Access and the Lotus Notes client and have very similar
experiences. Domino Web Access gives end users messaging and collaboration
features that were previously available only with a Lotus Notes client. Key
features include:
Presence awareness and instant messaging.
Create online meetings on the Lotus Instant Messaging and Web
Conferencing server.
Encrypt mail and read encrypted mail.
Configure Domino Web Access to use the Instant Messaging Connect for
browsers for more functionality.
Configure Domino Web Access to use single sign-on (SSO) for full integration
with Lotus Instant Messaging and Web Conferencing.
Use the Web Access Redirector so users do not have to know which mail
server they are on.
1.5.5 IBM Lotus Workflow
Lotus Workflow is a set of Lotus Notes databases and Windows programs that
enable your organization to plan, schedule, track, monitor, and archive its
document-based work and projects. One of the hallmarks of Lotus Workflow is its
flexibility. Processes can range from completely ad hoc informal teamwork to
rigidly structured procedures with multiple levels of approvals and automatic
notification to managers when deadlines are missed.
Benefits of IBM Lotus Workflow
As a Notes developer, you can build workflow applications (with pure Domino
programming), but you code this workflow cycle within your design. This implies
development knowledge to maintain and update the workflow application.
The basic idea behind Lotus Workflow is to abstract the workflow process from
the Notes design through a (work)flow diagram. A non-Notes designer can
maintain and modify this process when business needs shift or impose
modifications without modifying the underlying Notes application.
Lotus Workflow can workflow-enable any Notes database (for example, an
expense account application or HR hiring procedure). Most of the time you will
find Lotus Workflow as a companion application for Lotus Domino Document
Manager (formerly Domino.Doc).
Document Manager has a built-in Review and Approval cycle, but often this is not
sufficient. In these cases, Lotus Workflow has proven to be a solid partner for
Domino Document Manager. We show you, by means of a sample with
step-by-step explanations, how this coexistence can be realized.
Lotus Workflow consists of three main components:
The Lotus Workflow Architect to design the workflow processes.
The Lotus Workflow Engine, which consists of a couple of Notes databases to
store the workflow information and to process it.
The Lotus Workflow Viewer to give users an overview of the current status of
the workflow process. The Lotus Workflow Viewer ships as an additional
Windows client or as a server-based servlet.
New features
Lotus Workflow 6.5.1 contains significant performance enhancements, improved
directory support, security, tighter integration with IBM Lotus Domino Document
Manager (formerly Domino.Doc), and refinements in time management:
Performance:
Improvements in Java API and in the Workflow engine.
Java agents have been moved into a script library for faster execution.
Coarse-grained methods provide for retrieving and saving multiple
document and object properties with a single call to the API.
Quick features in the application database perform job initiation, activity
claims, and activity completion by immediately updating only selected
fields (visible or user-interactive) and letting the scheduled background
agent complete the operation.
An application database enhancement moves agents into script libraries,
which run faster.
Organization Directory enhancements speed up internal searches when
resolving groups and names.
Directory support and security:
LDAP support has been expanded to include group resolution.
LDAP security has been enhanced with support for Secure Sockets Layer
(SSL).
Other enhancements:
Time management improvements so that the process designer can now
specify the start time for activity durations, when the activity becomes
available, or when the activity is claimed.
IBM Lotus Domino Document Manager (formerly Domino.Doc) provides
multiplatform support.
Additional features and benefits of Lotus Workflow include:
Leverages customer's existing investment in Lotus technology
Lotus Workflow is built on Domino technology and allows application
developers to leverage their existing Notes and Domino skill sets. Lotus
Workflow takes advantage of the Domino platform's strengths, including its
built-in security, messaging and replication capabilities, and its attractive cost
of ownership.
Integration with other Lotus products
Lotus Workflow, combined with IBM Lotus Domino Document Manager,
provides a powerful, comprehensive life management system for all kinds of
documents. By providing integration with IBM Lotus Instant Messaging and
Web Conferencing, developers can deliver applications that incorporate
instant messaging within the workflow process to enhance and accelerate
cycles.
Advanced user interface capabilities
Lotus Workflow features a fully customizable user interface decoupled from
the back-end workflow services, which allows developers and customers to
create their own interface, or customize the standard user interface design to
one that matches a particular application, industry, or preference. A new Web
Viewer lets users check the status and context of a workflow instance or job
from their Web browser.
Support for Linux
Lotus Workflow is also available on the Linux platform, providing Linux users
with access to the industry's most extensible and adaptive workflow
management services and tools for Web applications. Lotus Workflow on
Linux helps customers rapidly build, easily modify, and incrementally improve
business processes.
Easy to use
Lotus Workflow offers an easy-to-use graphical interface to simplify workflow
design and maintenance, while an intuitive flowchart-like visual design
environment helps managers and designers work together to design and
review business processes. With built-in process logic, users can also assign,
schedule, route, and track each job step.
Support for multiple environments
Support for multiple environments enables cost-effective deployment and the
ability to rapidly develop workflow applications.
Improved efficiencies in repetitive, people-based procedures
Lotus Workflow reduces operational costs and improves efficiencies by
automating and streamlining people-based business processes, improving
worker productivity. Business processes can be performed more consistently
and with fewer errors, because steps are predefined and documented.
Redundancies and unnecessary steps can be eliminated. Rules and
roles-based routing allows work activities to be reassigned in the event of
someone's absence, ensuring that the work is done on time and deadlines
are met.
Support for Java and Web standards
With its support of Web standards, developers can use Lotus Workflow as a
standard tool for creating and managing workflow applications for Web-based
e-business processes. By providing support for Java APIs, XML, and SOAP,
developers are able to implement integrated workflow applications that
incorporate transaction-based e-business applications. Also, with Lotus
Workflow's extensive Developers Toolkit, developers are able to customize
workflow applications to meet their specific needs. For example, by leveraging
a powerful Java API, as well as JavaScript and XML, developers are able to
deliver solutions that integrate with IBM WebSphere to enhance existing
workflow processes beyond Domino. These processes can then be accessed
by outside suppliers and customers over the Internet.
Available in multiple languages
Lotus Workflow is available in multiple languages, including English, French,
Spanish, German, Korean, Chinese - Simplified, Chinese - Traditional,
Japanese, Italian, and Brazilian Portuguese.
Assists in process reengineering
Lotus Workflow can assist in process reengineering by documenting
procedures that can then be analyzed and refined as needed. Processes can
be standardized and monitored to meet organizational policies or government
and industry regulations such as ISO 9000. Using Lotus Workflow enables
customers to capture best practices and store people's knowledge of how to
perform functions. Lotus Workflow can foster work collaboration between
workers in different regions and time zones by deploying standardized
workflow applications across the enterprise.
Chapter 2. Integration of Domino 6.5.1 Extended Products
Chapter 1, "Introduction" on page 3 introduced new features within Domino 6.5.1
and the Extended Products. In this chapter, we focus on the specific integration
points between Domino 6.5.1 and the selection of 6.5.1 collaborative and
Extended Products. We provide specific examples illustrating how these
products can be integrated to create a collaborative platform with single sign-on,
presence awareness, chat capabilities, and document management capabilities.
2.1 Integration
In this section, we provide an overview of the key integration points and discuss
presence awareness, instant messaging, and single sign-on.
2.1.1 Overview of key integration points
One of the primary integration features that spans all of the products is presence
awareness. Each of the products uses a common set of awareness and chat
tools so that users do not have to re-learn those tools with each product. A
background feature that makes much of the integration and cross-functionality
possible is single sign-on. All servers sharing an LtpaToken are able to pass
authentication credentials between them, making it seamless for users to move
between all of the products. Finally, one mail template is available for both Notes
client users and Domino Web Access users, giving users a similar experience no
matter which method they use to access their mail account. This includes read
and unread marks.
The following list represents the key integration points between Domino 6.5.1
and the Extended Products:
Notes/Domino integration with Lotus Instant Messaging and Web
Conferencing (formerly called Sametime)
Domino Web Access integration with Lotus Instant Messaging and Web
Conferencing
Lotus Team Workplace (formerly called QuickPlace) integration with Lotus
Instant Messaging and Web Conferencing and integration with Domino Web
Access
Domino Document Manager (formerly called Domino.Doc) integration with
Notes/Domino and Lotus Instant Messaging and Web Conferencing
Lotus Workflow integration with Domino Document Manager and Lotus
Instant Messaging and Web Conferencing
2.1.2 Presence awareness
Awareness is based on the fact that each application and the Lotus Instant
Messaging and Web Conferencing server communicate about the online status
of each user. Therefore, the directory strategy becomes very important, because
this name recognition requires that individuals have the same name across all
products. This is facilitated if all products use the same directory and
authentication model; using different directories for different products can be very
difficult to integrate. See Chapter 3, "Directory and authentication considerations"
on page 67 for a discussion about the various authentication strategy options.
One of the hallmarks of Version 6.5.1 is that the Notes client, which uses the
Domino Directory for authentication, and the Lotus Instant Messaging and Web
Conferencing server, using LDAP authentication, are able to compare names
and show the online status.
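The name comparison described above can be checked before deployment. The following is an added example, not code from the Redbook or from IBM: it normalizes Domino hierarchical names and LDAP distinguished names to a common form and reports users who would not resolve to the same identity. The function names, the sample entries, and the assumption that a Domino name maps component by component to an LDAP DN (with no C= component in abbreviated names) are illustrative.

```python
# Added example: all names below are constructed sample data.

def _norm(attr, value):
    """Lower-case the attribute and value and collapse internal whitespace."""
    return (attr.strip().lower(), " ".join(value.split()).lower())


def domino_key(name):
    """Normalize a Domino hierarchical name, canonical or abbreviated."""
    parts = [p.strip() for p in name.split("/") if p.strip()]
    if not parts:
        raise ValueError("empty Domino name")
    if all("=" in p for p in parts):            # CN=.../OU=.../O=...
        return tuple(_norm(*p.split("=", 1)) for p in parts)
    if any("=" in p for p in parts):
        raise ValueError("mixed canonical/abbreviated name: %r" % name)
    # Abbreviated form. Assumption: first part is CN, last is O, rest are OU.
    if len(parts) == 1:
        return (_norm("cn", parts[0]),)
    attrs = ["cn"] + ["ou"] * (len(parts) - 2) + ["o"]
    return tuple(_norm(a, v) for a, v in zip(attrs, parts))


def _split_dn(dn):
    """Split an LDAP DN on commas that are not backslash-escaped."""
    rdns, cur, i = [], [], 0
    while i < len(dn):
        ch = dn[i]
        if ch == "\\" and i + 1 < len(dn):      # keep the escaped character
            cur.append(dn[i + 1])
            i += 2
            continue
        if ch == ",":
            rdns.append("".join(cur))
            cur = []
        else:
            cur.append(ch)
        i += 1
    rdns.append("".join(cur))
    return rdns


def ldap_key(dn):
    """Normalize an LDAP DN (quoted and hex-encoded values are not handled)."""
    rdns = [r for r in _split_dn(dn) if r.strip()]
    if not rdns or any("=" not in r for r in rdns):
        raise ValueError("malformed DN: %r" % dn)
    return tuple(_norm(*r.split("=", 1)) for r in rdns)


def _cn(key):
    return next((v for a, v in key if a == "cn"), None)


def compare_directories(domino_names, ldap_dns):
    """Report matches, one-sided entries, and same-CN/different-path pairs."""
    domino = {domino_key(n): n for n in domino_names}
    ldap = {ldap_key(d): d for d in ldap_dns}
    d_only = domino.keys() - ldap.keys()
    l_only = ldap.keys() - domino.keys()
    return {
        "matched": sorted(domino[k] for k in domino.keys() & ldap.keys()),
        "domino_only": sorted(domino[k] for k in d_only),
        "ldap_only": sorted(ldap[k] for k in l_only),
        # Same person name, different hierarchy: the usual reason a
        # colleague shows as offline in one product but not another.
        "near_miss": sorted((domino[d], ldap[l]) for d in d_only
                            for l in l_only
                            if _cn(d) is not None and _cn(d) == _cn(l)),
    }


DOMINO_NAMES = [                      # constructed
    "CN=Alex Rivera/OU=Sales/O=Example",
    "Sam Okoro/Support/Example",      # abbreviated form
    "CN=Pat Lindqvist/OU=HR/O=Example",
    "CN=Lee Wong/O=Example",
]
LDAP_DNS = [                          # constructed
    "cn=alex rivera,ou=Sales,o=Example",
    "CN=Sam Okoro, OU=Support, O=Example",
    "cn=Pat Lindqvist,ou=People,o=Example",
    "cn=Jo Martin,ou=Sales,o=Example",
]

if __name__ == "__main__":
    for section, rows in compare_directories(DOMINO_NAMES, LDAP_DNS).items():
        print(section, rows)
```

Entries under near_miss are the ones to resolve first, because the person exists in both directories but under a different hierarchy.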
In all of the products, the user is aware of colleagues' availability for instant
messaging through a common set of status icons. This awareness is visible in
many predefined locations, but can also be activated wherever a user name
appears:
A green square appears next to an available user's name.
A yellow diamond appears next to a user who has logged on, but is not
currently available (for example, they have not used the computer for a while).
A circle with a line through it appears next to a user who has set their status to
Do not disturb.
A gray dot (Web applications) or no status icon (Notes client) indicates that
the user is not online.
2.1.3 Chat features
Just as the presence awareness works across all of the products, so do the chat
features. There are three types of chat clients built into the Domino 6.5.1
Extended Products. They are so similar that you might not even be aware that
you are using slightly different chat clients. You can tell the difference by the icon
that appears in the upper-left corner of each chat client.
The JavaConnect client has the Microsoft Internet Explorer icon in the upper-left
corner, as shown in Figure 2-1 on page 26.
Note: The icon descriptions listed here are applicable to Lotus Instant
Messaging and Web Conferencing V6.5.1. Be aware that the icons displayed
in future versions of Lotus Instant Messaging (Domino 7) and in Lotus
Workplace will be slightly different than these icon descriptions.
Figure 2-1 JavaConnect chat client
The Notes chat client is distinguished by the combination of the chat and Notes
icons in the upper-left corner, as shown in the left chat window in Figure 2-2. The
Lotus Instant Messaging (formerly called Sametime) Connect client has only the
chat icon in the upper-left corner, as shown in the chat window on the right in
Figure 2-2.
Figure 2-2 Notes and Instant Messaging Connect chat clients
The similarity of these clients makes it seamless to use the chat feature no
matter in which application a user is. The functionality of the three clients is
virtually identical. However, the features they offer are slightly different.
Table 2-1 Features of the different chat applications
Client                                        | One-to-one chatting | Instant meetings | Add A/V tools | Send files
Instant Messaging Connect for the desktop     | Yes                 | Yes              | Yes           | Yes
JavaConnect (Sametime Connect for browsers)   | Yes                 | Yes              | Yes           | Yes
Notes client (built-in chat)                  | Yes                 | Yes              | No            | No
Team Workplace (built-in chat)                | Yes                 | Yes              | Yes           | No
Domino Document Manager (who is online)       | Yes                 | Yes              | Yes           | Yes
Domino Web Access (built-in chat)             | Yes                 | Yes              | Yes           | No (unless enabled with JavaConnect)
It is possible for a user to be logged on to the Lotus Instant Messaging and Web
Conferencing server with an Instant Messaging Connect client (full desktop
version) and simultaneously be logged on to one or more Lotus Instant
Messaging and Web Conferencing-enabled Web application servers (for
example, Team Workplace and Domino Web Access). The user can start chats
from any of these applications. In this situation, incoming chats would be fielded
by the Instant Messaging Connect client.
Important: Many people are under the impression that you can run only one
session of a Lotus Instant Messaging and Web Conferencing client at a time.
This is not true. On a single machine, you can run the Instant Messaging
Connect client for browsers, alongside the Instant Messaging Connect client
for desktops, alongside the native Notes messaging client. When you change
the instant messaging status in any of these clients, it automatically changes
in all of them.
2.1.4 Single sign-on (SSO)
Domino servers can be configured to share an LtpaToken for authentication
across one or more Domino servers within the same Internet domain (with
support for multiple Domino domains). This makes it seamless for users to switch
from server to server. For example, a user could be in their mail account through
a browser, click a link to a Team Workplace, and the Team Workplace would
open without challenging the user for authentication credentials. Several small
changes were made to take full advantage of SSO:
The Notes client can now log the user on to Lotus Instant Messaging and
Web Conferencing automatically (available for the Windows Notes client
only); the user does not even need to have an Internet password set in the
user's Person document.
Team Workplace can be configured to open other Team Workplaces in a new
browser window, making it easy to be in more than one Team Workplace at a
time.
Users can switch between libraries in Domino Document Manager, including
access from multiple clients (Notes and Web).
2.2 Notes/Domino integration with Lotus Instant
Messaging
Notes 6.5.1 can integrate with Lotus Instant Messaging and Web Conferencing
6.5.1 for awareness and chat capabilities. This feature is built into the Notes
client and does not require an Instant Messaging Connect client. In order for this
integration to function, a Lotus Instant Messaging and Web Conferencing server
must be configured and an instant messaging-enabled database must be used
for awareness.
2.2.1 Automatic logon
There are two ways that users can achieve automatic logon to instant messaging
as they log on to Notes. They can have the Notes client save their Internet
password (Figure 2-3 on page 29) and pass it to the Lotus Instant Messaging
and Web Conferencing server at the time of logon or they can configure Notes to
make use of the SSO feature of the Domino servers.
Note: Although Notes integration with Lotus Instant Messaging and Web
Conferencing is supported for Notes 6.5 or later, it is supported in combination
with releases of the Lotus Instant Messaging and Web Conferencing server.
However, for the purpose of describing the integration functionality, we are
using only the 6.5.1 product suite.
Figure 2-3 Notes instant messaging logon window
With SSO configured, users do not need to enter a password at all. The Notes
client authenticates with the user's mail server, and then, because the Lotus
Instant Messaging and Web Conferencing server and the mail server share an
SSO key, the user is automatically logged on to Lotus Instant Messaging and
Web Conferencing.
2.2.2 Presence awareness and chat
Instant messaging allows users to see their co-workers' online status and to send
them instant messages. Because this awareness feature is built into the Notes
client, the online status will change with the Notes online status. In other words, if
you shut down Notes, you will be disconnected from Lotus Instant Messaging
and Web Conferencing; if you lock the Notes client (for example, an inactivity
timeout or by pressing F5), your instant message status will switch to Away.
In addition to one-on-one chat, you can also start instant online meetings among
three or more co-workers. When viewing the Inbox, you can check the instant
messaging status of the sender. If you hold your cursor over the status indicator,
the instant messaging status message appears. See Figure 2-4 on page 30.
Restriction: The Notes SSO feature is available for the Windows Notes client
only.
Figure 2-4 Inbox presence awareness
Anywhere that you view a status indicator, you can start an instant chat with your
colleague by right-clicking their name. When you right-click their name, you can
either start a chat with that person or add them to your instant contact list, as
shown in Figure 2-5.
Figure 2-5 Notes shortcut chat menu
Within a Notes e-mail message, there is a new button on the action bar called
Chat. Under Chat, there are four options (see Figure 2-6 on page 31):
Chat with Sender
Chat with All
Show/Hide Instant Contact List
Add Sender to Instant Contact List
If there are multiple recipients online, you can chat with all active recipients at
one time. This allows for an instant meeting with all users to discuss the
document without having to find and select them from the instant contact list.
Figure 2-6 Notes e-mail message chat options
You can also gather detailed information about each recipient after the document
has been opened. If you right-click a name, there is an option to Show Name
Details. This displays the user's Person document with additional information, as
shown in Figure 2-7.
Figure 2-7 Notes displaying name details
Restriction: When you create a new memo, reply to a memo, or forward a
memo, the Notes Instant Messaging functionality is not available. Instant
Messaging functionality is only available for memos that you have already sent
or received and only when the memo is in Read mode, not Edit mode.
2.2.3 Schedule online meetings with the Notes calendar
Lotus Notes also has the ability to schedule and create an online meeting with
the Lotus Instant Messaging and Web Conferencing server through the calendar
interface. The user does not have to go to the Instant Messaging and Web
Conferencing server with a browser in order to schedule online meetings.
When scheduling any new meeting in the Notes calendar, there is now a new
check box option under the Where section to define the meeting as online, as
shown in Figure 2-8.
Figure 2-8 Scheduling an online meeting from a Calendar entry
After you enable the meeting as online, there are additional online meeting
parameters that can be configured. The first is the meeting Type, which
corresponds to the available Instant Messaging and Web Conferencing meeting
types (see Figure 2-9):
Collaboration (default)
Moderated presentation/demo
Broadcast meeting
Figure 2-9 Online meeting type
After the meeting is enabled as online, the Place for the meeting can be selected
(here we show the default online instant messaging resource) from the list of
online meeting resources found in the Domino Directory, as shown in
Figure 2-10. As an administrator, you can define different online meeting
resources (that is, different Lotus Instant Messaging and Web Conferencing
servers). Some administrators use geographical distinctions for the online
meeting resource names so that users will know which resource to choose.
Figure 2-10 Online Meeting Places
After the meeting has been saved, the Chair will receive a confirmation e-mail
that the meeting was reserved. The invitees of the meeting will receive a meeting
invitation with a link to the Instant Messaging online meeting. After an invitee
accepts the meeting, it appears on the invitee's calendar like other meetings. The
calendar entry for the meeting will contain a URL link to the meeting so that the
users will be able to attend without additional information from the Chair.
Figure 2-11 Online Meeting Invitation
2.2.4 Other instant messaging tools
Notes has instant messaging tools built into the client, including chats, meetings,
and contacts. There are many ways to accomplish almost any Instant Messaging
task. Here, we highlight some that we have found the most useful.
Status messages
Notes displays the status message for each user (hover over a name to see it as
shown in Figure 2-4 on page 30). The default Instant Messaging status
messages can be defined in the Notes client User Preferences. However, you
can also quickly change the message for your current online status by clicking
the Instant Messaging section of the status bar, as shown in Figure 2-12.
Figure 2-12 Change current online status message in Notes
Default meeting invitation message
The default meeting invitation message can be defined in the Notes client User
Preferences. The default message will appear when you send invitations to more
users to join a chat in progress or when you start an instant meeting. You can
also edit these messages at the time you send an invitation. See Figure 2-13 on
page 35.
Figure 2-13 Invitation to an instant meeting
Toolbar buttons
Notes uses the standard Windows toolbar for many functions. With Release 6.5
and later, a new Instant Messaging toolbar has been added to provide easy
access to some of its Instant Messaging features, as shown in Figure 2-14. The
buttons on this toolbar provide the following functions:
Chat
Start an Instant Messaging Meeting
Add to Instant Contact List
Show/hide Instant Contact List
Figure 2-14 Notes 6.5.1 Instant Messaging toolbar
Contacts
There are numerous ways to show or hide the instant contact list. The instant
contact list displays the status of Notes users and it is managed by the Notes
user. The list is the same as the Instant Messaging buddy list and is stored in the
vpuserinfo.nsf database on the Lotus Instant Messaging and Web Conferencing
server so the user's contact list is consistent across Instant Messaging clients.
See Figure 2-15.
Figure 2-15 Instant Messaging Contact List
You can toggle the Show/Hide the Instant Contact List option from the File >
Instant Messaging menu, the Instant Messaging toolbar, the action bar's chat
button, and a shortcut key (Ctrl+Shift+C). The instant contact list can consist of
both Personal and Public groups. Public groups can be selected from any of the
Domino Directories.
Another new feature is that you can now make your contact list partially
transparent so that you can see and work with Notes databases, but still see your
contacts and their online status. You can continue working in the database and
even type underneath the transparent contact list, as shown in Figure 2-16 on
page 37.
Note: The exception to this is Domino Web Access, which by default stores a
separate contact list in the mail file. This limitation can be overcome by using a
notes.ini variable. See Chapter 4, "New Domino installation" on page 85 for
more information about this.
Figure 2-16 Partially transparent Contact List
2.3 Domino Web Access integration with Lotus Instant
Messaging
This section describes the IBM Lotus Domino Web Access integration with Lotus
Instant Messaging and Web Conferencing.
2.3.1 Overview
IBM Lotus Domino Web Access (previously Lotus iNotes Web Access)
provides users with browser-based access to Notes mail and to Notes
calendaring and scheduling features. Domino Web Access users can send and
receive mail, view their calendars, invite people to meetings, create to do lists,
keep a notebook, and work offline. Because both the Notes client and Domino
Web Access operate on the same underlying user mail file, read and unread
marks remain up-to-date regardless of where users read their mail. Users can
also synchronize contact information in their personal address book with
information in their contact list in Domino Web Access. To use Domino Web
Access features, users must be on the new Domino Web Access (iNotes6.ntf)
mail template.
2.3.2 Presence awareness and chat
Domino Web Access can integrate with Lotus Instant Messaging and Web
Conferencing so that users can send and receive instant messages and maintain
an instant message contact list. Instant messaging functionality includes both
chat and presence awareness. Using the chat feature, Domino Web Access
users can maintain an instant messaging list that they can check to see the
online status of other users and initiate chats. The instant messaging awareness
feature displays the names of people in mail messages, views, and folders.
In order for Domino Web Access to integrate with the Lotus Instant Messaging
and Web Conferencing server, there are a series of configuration steps. Refer to
Chapter 4, "New Domino installation" on page 85 for specific server and client
integration details.
After it is fully integrated, the Domino Web Access client supports instant
messaging chat and awareness. When you view the Inbox in Domino Web
Access, you can immediately see the online status for all the listed names, as
shown in Figure 2-17.
Figure 2-17 Domino Web Access Inbox online awareness
When viewing the Domino Web Access Inbox, your online status is displayed in
the upper-left corner, and the online status of all users who have sent you mail is
shown to the left of their names. To change your current instant message status,
click your name. Another dialog box opens where you can now change the
status. In the My Status dialog box, you can also enter a status message for your
current awareness, as shown in Figure 2-18 on page 39.
Chapter 2. Integration of Domino 6.5.1 Extended Products 39
Figure 2-18 Domino Web Access instant messaging status indication
To check the status of any person who sent you mail, hover the cursor over the
status indicator and that person's instant messaging status message appears. To
start an instant chat with the sender, right-click the sender to bring up all the
instant messaging options, including Chat with, as shown in Figure 2-19.
Figure 2-19 Domino Web Access initiate chat with sender
The chat window for Domino Web Access is similar to the Notes chat
window. The only difference is that the Domino Web Access chat user interface is
HTML based and it has an Add Tools option, as shown in Figure 2-20 on
page 40.
Figure 2-20 Domino Web Access chat window
When you open a message in Domino Web Access, you will also be able to see
the status of the sender and any additional recipients in the TO, CC, and BCC
fields. However, unlike with the Notes client, you cannot right-click the name and
start an instant chat with a user. The instant messaging status in the header is
just for a visual indication of their online status. Also, Domino Web Access does
not provide the ability to start an instant meeting with all active members, as you
can in Notes. See Figure 2-21.
Figure 2-21 Domino Web Access awareness within an e-mail document
2.3.3 Contact list
The instant messaging chat list in Domino Web Access is not stored in
vpuserinfo.nsf on the Lotus Instant Messaging and Web Conferencing server
with the standard buddy list information from the other chat clients (Instant
Messaging Connect for desktops, Instant Messaging Connect for browsers, or
the Notes client). Instead, the Domino Web Access contact list is stored in the
user's mail file and is, therefore, independent of the changes made to the buddy
list. It also means that when you log on to Domino Web Access, you will have to
create and maintain a separate instant messaging list. The Domino Web Access
instant messaging list allows users to create private groups and add members or
to select public groups from the Domino Directory. To manage the Domino Web
Access instant messaging list, there is a Chat link in the upper-right corner next
to the Logout link, as shown in Figure 2-22.
Figure 2-22 Domino Web Access chat and contact list
This feature is relatively unchanged from the iNotes5 template, but one of the
new Domino Web Access features is that this interface can be replaced with a
direct link to the full Instant Messaging JavaConnect client, thus enabling the
user to have full access to their server-based buddy list and all of the additional
Instant Messaging client features within Domino Web Access. To activate this
feature, the following line must be added to the Notes.ini file on any and all
Domino Web Access servers:
iNotes_WA_SametimeJavaConnect=1
The Domino Web Access servers must be restarted for this change to take effect.
2.3.4 Limitations
There are some other basic limitations with the Domino Web Access chat
interface compared to the Instant Messaging Connect client:
- You cannot rename Person groups in the Domino Web Access instant
messaging list.
- You cannot drag and drop members between groups in Domino Web Access.
- You cannot restrict who can see you online in Domino Web Access.
- Domino Web Access does not provide collaborative or broadcast meeting
functionality.
2.4 Team Workplace integration options
This section describes integration points within Lotus Team Workplace. Initially,
we describe the built-in features in Team Workplace for Lotus Instant Messaging
and Web Conferencing and presence awareness. We also describe how to easily
include a link from within Team Workplace to a user's mail file through Domino
Web Access.
2.4.1 Integrating Lotus Instant Messaging and Web Conferencing
IBM Lotus Team Workplace (formerly called Lotus QuickPlace) integrates with
Lotus Instant Messaging and Web Conferencing through the presence
awareness, chat, and Web conferencing features. Users logged on to Lotus
Team Workplace can see the online status of other members of the Team
Workplace, whether they have logged on to the Team Workplace server or not.
Team Workplace users can schedule online meetings on the Lotus Instant
Messaging and Web Conferencing server. It is also easy to set up links to other
applications or users' mail files and install those as menu items in Team
Workplace.
2.4.2 Presence awareness and chat
As seen in Figure 2-23 on page 43, the user Kevin has logged on to Lotus Team
Workplace. Kevin can see the online status of all the members of the Team
Workplace community. This awareness is available wherever a user name
appears.
Figure 2-23 Presence awareness in Lotus Team Workplace
This awareness is available in all of the views in Team Workplace. The names
that appear as online are actionable. You can click a name and begin a chat with
that person, as shown in Figure 2-24.
Figure 2-24 Start a chat in Lotus Team Workplace
When a user is logged on to Team Workplace, that user becomes available for
chatting with everyone in the Lotus Instant Messaging and Web Conferencing
community (usually a much broader community than just the Team Workplace).
They do not need to log on with a separate Connect client or their Notes client in
order to receive chat messages from any other instant messaging user (Notes,
Instant Messaging Connect, and Browser Connect). See Figure 2-25.
Figure 2-25 Notes user can see status of Team Workplace users
When a Team Workplace user receives an instant message, a JavaConnect
applet starts on their workstation.
Figure 2-26 Team Workplace Chat link when not using LDAP
Tip: The Chat link on the Team Workplace pages does not work when the
Lotus Instant Messaging and Web Conferencing server is using Domino for
authentication (see Figure 2-26). You can resolve the issue by using LDAP
authentication for both Team Workplace and Instant Messaging and Web
Conferencing. Technote 1113025 explains the issue for Lotus Instant
Messaging and Web Conferencing (Sametime) 3.1 and Team Workplace
(QuickPlace) 3.x, but we found it to be true in 6.5.1 as well. Managers of Team
Workplaces can disable the Chat link, or you can create a PlaceType that has
it disabled so that all Team Workplaces created from that PlaceType would
automatically have it disabled.
Restriction: The Chat link on the Team Workplace pages does not recognize
members as being online if they have access by means of an LDAP group. As
you can see in Figure 2-27, the Members Online dialog box does not display
the user Ted Stanton as being online, even though in the Discussion view it is
evident that he is online.
Figure 2-27 Team Workplace Chat link does not recognize LDAP group members
2.4.3 Instant messaging features
The Lotus Team Workplace built-in instant messaging client provides significant
functionality without having to install an instant messaging client.
The following steps describe how to use the features:
1. To control your online status:
a. Click your name in any view of Team Workplace.
b. Select Change status, as shown in Figure 2-28.
Figure 2-28 Team Workplace: Change status
c. Select your status and change the status message if desired, as shown in
Figure 2-29.
Figure 2-29 Team Workplace online status selection
d. After you set your status, your new online status will be visible to all other
Lotus Instant Messaging and Web Conferencing users, regardless of their
particular Instant Messaging client.
Note: The status message you enter through Team Workplace will not
persist indefinitely. It is valid while the status you chose is in effect.
2. To start an instant meeting:
a. Click a user's name and select Chat.
b. Click the Invite Others button to add members to the chat (optional), as
shown in Figure 2-30 on page 47.
Figure 2-30 Invite others to a chat meeting
c. In the Invite Others dialog box, type in the names of the users you want to
chat with or select them from the directory list.
d. Click Add to put the selected names into the Invitees list (you should then
be able to see their online status), as shown in Figure 2-31 on page 48.
Note: Although you started the chat within Team Workplace, you can
invite any member of the Lotus Instant Messaging and Web
Conferencing community to join the chat even if they are not in or a
member of the Team Workplace.
Figure 2-31 Chat meeting invitation list
e. Modify the invitation message if desired, and click Send.
f. Users will receive an invitation and be given the opportunity to join or
respond with a private message, as shown in Figure 2-32 on page 49.
Note: The person you selected when you first started the chat (step 2a
on page 46) will automatically be sent an invitation even though they do
not appear in the Invitees list.
Figure 2-32 Instant meeting invitation
g. After the chat meeting opens, you can see people joining. This meeting
client includes the following useful features (see Figure 2-33 on page 50):
- You can see all of the people who have joined this instant meeting in
the Names panel.
- You can see who is adding something to the discussion with a graphic
that shows that they are writing.
- You can view the online status message of a user by hovering over the
user's name in the Names panel.
Figure 2-33 Instant meeting features
2.4.4 Schedule online meetings
The Lotus Instant Messaging and Web Conferencing server that supports
Web conferencing for the Lotus Team Workplace server is specified through the
administration tool. See 4.6.3, "Post-configuration integration" on page 146 for
detailed configuration instructions. For Team Workplace users, the steps for
creating an online meeting are simple and intuitive:
1. From anywhere in Team Workplace, click the New button and select Online
Meeting, as shown in Figure 2-34 on page 51.
Figure 2-34 Create an Online Meeting
2. Click Next and fill in the meeting details (see Figure 2-35 on page 52):
- Start the online meeting now or set one for sometime in the future.
- Set a meeting password, if necessary.
- Select the tools that should be available.
- Give a detailed description with rich-text options.
- Attach a presentation or documents (drag and drop).
Figure 2-35 Team Workplace online meeting configuration
3. Publish the meeting:
a. To select invitees to the meeting, click the Publish As button.
b. To put the meeting on the Team Workplace calendar without inviting
members, click the Publish button.
4. The meeting is then added to the schedule of the Lotus Instant Messaging
and Web Conferencing server, as shown in Figure 2-36 on page 53.
Note: Although the meeting is being created in Team Workplace, you
can invite people who are not members of the Team Workplace to
attend the meeting. This makes it easy to bring in non-team members
for special parts of a project.
Figure 2-36 Team Workplace meeting on Instant Messaging server schedule
2.4.5 Integration with Domino Web Access
It is easy to simplify a user's interaction with the Domino servers through the use
of SSO, Domino Web Access Redirector, and Team Workplace. As an
administrator, you can add a link in the Team Workplace to users' mail files.
Through the use of SSO and the Domino Web Access Redirector utility, users
can easily access their mail directly from a Team Workplace. We describe the
specific configuration instructions for this in 4.6.5, "Optional integration with
Domino Web Access" on page 157. See Figure 2-37.
Figure 2-37 Add a My Mail link to the Team Workplaces
2.4.6 New features
Lotus Team Workplace 6.5.1 has new features that users might find very useful.
The most obvious new feature to end users is the ability to see who last edited a
document. However, there are other optional configurations that an administrator
can make that can be very appealing to Team Workplace users.
Updated pages show last editor and the creator
In previous versions of Team Workplace, the last person to edit a document was
not displayed in a list of documents, as shown in Figure 2-38. In 6.5.1, the last
person to edit a document and their online status is displayed in the list of
documents, as shown in Figure 2-39.
Figure 2-38 Team Workplace (QuickPlace) 3.x list of documents
Figure 2-39 Team Workplace 6.5.1 list of documents
New configuration options
Two new settings are available for My Places, which make it easier for users to
navigate between several Team Workplaces.
Open other Team Workplaces in a new browser window
Team Workplace 6.5.1 can be configured to open a new browser window when
users click to enter a place. This makes it easier for users to work in two or three
places at a time, instead of manually opening another browser window to go into
a different Team Workplace. See Figure 2-40 on page 55.
Figure 2-40 Multiple Team Workplaces open in separate windows
Open the My Places list in the current page
Team Workplace 6.5.1 can be configured to show users all of their places in the
current page instead of switching to the Main page to see them. This makes it
easier to navigate between Team Workplaces and open new ones as needed. In
the example in Figure 2-41 on page 56, you can see that Ben is in the Legal
team place. By selecting My Places from the navigation pane, all of the user's
places are listed in the current page, and the user is not forced back to the main
Team Workplace Welcome page.
Figure 2-41 All of a user's places are listed in the current page
The previous two options are most powerful when deployed together, because
users can always get to the Team Workplace they need without closing their
current place.
2.5 Lotus Domino Document Manager integration
This section describes the IBM Lotus Domino Document Manager (formerly
called Lotus Domino.Doc) integration.
2.5.1 Integration with the Notes client
The Lotus Notes 6.5.1 client has new integration features with Lotus Domino
Document Manager. These features include drag and drop and the ability to
check in documents from your mail files directly to the Domino Document
Management server. In order to enable this integration, the Domino Document
Management Desktop Enabler must be installed with the Notes client.
After the Desktop Enabler has been installed on the workstation, users can copy
the contents of any document (text, attachments, or both) from within their mail
file to the Domino Document Manager library. From the Actions tab, there is a
new action called Move to Document Manager. This action is shown in
Figure 2-42 on page 57.
Figure 2-42 Notes action to Move to Document Manager
When you choose a document and select Move to Document Manager, a
window opens where you can choose how you want to save the document. The
Save As window consists of different configurations for the Location, Check in,
and Settings preferences.
On the Location panel, you choose where you want to save the file. You can also
specify if you want to save all e-mail content into one document or save e-mail
bodies and attachments into separate documents. You can also modify the title of
the document that you are saving and which portions of the document you want
to save if attachments are present. See Figure 2-43 on page 58.
Figure 2-43 Document Manager Location options
On the Check in panel, you have the option to check in the document as a
version, a draft, or to leave the document checked out. You can also add an
additional comment to the document or documents and choose if you want to
replace any attachments from the original document with links to the Domino
Document Manager. See Figure 2-44 on page 59.
Figure 2-44 Document Manager Check in options
On the Settings panel, you can choose a document type to use for the document
profile. In the Header Options section, there is a feature to save the header
information in the document profile. You can also expand group names to
individual names in the document profile. See Figure 2-45 on page 60.
Figure 2-45 Document Manager Settings options
After you click Save, the Domino Document Manager components will save the
document into the Binder that you have selected. If you choose the option to
replace any attachments with document links in the original e-mail, the original
document will now contain a document link to the Binder, as shown in
Figure 2-46.
Figure 2-46 Notes document link in original e-mail message
2.5.2 Presence awareness
Domino Document Manager can be configured to provide integration with Lotus
Instant Messaging and Web Conferencing to display online awareness. For
Domino Document Manager, the awareness is only available within the profile of
each document and the list of online users associated with that document
(typically readers, editors, and managers). When viewing the profile of a
document, this feature is available by clicking Discussion and then selecting the
Who is Online option, as shown in Figure 2-47.
Figure 2-47 Basic presence awareness in Domino Document Manager
2.5.3 Enhancing and extending awareness integration
You can customize views in Domino Document Manager in order to provide
enhanced presence awareness. In addition to the native Who is Online feature,
this would extend presence awareness to the binder and document level (see
Figure 2-48 on page 62). See "Instant Messaging and presence awareness with
customized binders and documents" on page 171 for configuration instructions.
Figure 2-48 Domino Document Manager customized to show presence awareness
2.6 Lotus Workflow integration
This section describes IBM Lotus Workflow integration.
2.6.1 Integration with Domino Document Manager
Lotus Workflow provides the ability to control the life cycle flow and behavior of
documents stored or created in Domino Document Manager. Check-in and
check-out of documents can be controlled from Lotus Workflow based on certain
conditions. For example, when the webmaster formally accepts a document
(Web Master Check), Lotus Workflow initiates a check-in of the document to
Domino Document Manager. Figure 2-49 on page 63 depicts an overview of how
this integration is implemented.
Figure 2-49 Workflow and Domino Document Manager integration example
2.6.2 Integration with Lotus Instant Messaging and Web Conferencing
Lotus Workflow 6.5.1 features improved integration with Lotus Instant Messaging
and Web Conferencing. You are able to log on to the Instant Messaging and Web
Conferencing server and determine a user's online status from within the
Workflow Architect, the Win Viewer, or the Web viewer. This section illustrates
several of the integration points where Lotus Workflow integrates with Instant
Messaging to use both the presence awareness and chat capabilities.
From within the Workflow Architect, a user can determine another user's online
status through the two following options (see Figure 2-50 on page 64):
- Through the Business Object Library (BOL) tree under the Person node
- Using the Object Browser and selecting the Person object
Figure 2-50 Presence awareness and online status within Workflow Architect
In Workflow Architect, a user can also view the online status of job owners
involved in a process, a decision, or an activity. To determine the online status of
participants, select Process Basic Properties, Activity Basic Properties.
See Figure 2-51 on page 65.
Figure 2-51 Online status of job owners and process participants
From within the Win Viewer, users can also determine participants' online status.
Within Win Viewer, log on to the Instant Messaging and Web Conferencing
server from the Tool menu by selecting Sametime > Connect to Sametime.
When viewing the Job diagram, you can see online participants by
double-clicking any activity. Similarly, when viewing a Process diagram, you can
see online participants by clicking any of the activities or by right-clicking a
specific process area. See Figure 2-52 on page 66.
Figure 2-52 Online status for participants of activity through Win Viewer
Chapter 3. Directory and authentication considerations
With the emphasis on integration between Lotus Domino 6.5.1 and the Extended
Products, it is very important to understand and appreciate the implications of
which type of directory you will use for authentication when accessing your
system. In this chapter, we introduce some of the fundamental concepts for a
better understanding of directories. In particular, we address some of the
high-level considerations for choosing a native Domino Directory or an LDAP
directory. The goal is to provide some key definitions and begin to highlight the
particularities of implementation that will need to be considered for a specific
directory type.
Although this chapter serves as an overview for introducing high-level directory
considerations, subsequent chapters go into much greater detail for
implementing and integrating Domino and the Extended Products for a specific
directory type. For example, Chapter 4, "New Domino installation" on page 85
discusses how to configure each of the products based on a native Domino
Directory. Chapter 7, "Integrating Domino 6.5.1 with a third-party LDAP directory"
on page 351 provides an in-depth look at how to integrate the products and
configure online presence awareness when using Microsoft Active Directory as a
third-party LDAP.
For more information about the topics covered in this chapter, refer to the
following Redbooks:
- Using LDAP for Directory Integration, SG24-6163, available at:
http://www.redbooks.ibm.com/abstracts/sg246163.html
- Lotus Security Handbook, SG24-7017, available at:
http://www.redbooks.ibm.com/abstracts/sg247017.html
3.1 Why directories need to be considered
Prior to upgrading or installing Domino 6.5.1 and its Extended Products, it is
important to consider your current directory options and future directory plans.
Why?
- New features
- Better use of open standards
- Interoperability testing between these products
All of these points offer customers more directory and authentication choices.
For example, many organizations have two directories. One is a centralized
directory that interacts with many applications, such as SAP, DB2, and Domino.
The other directory is the Domino Directory, which might be a duplicate or subset
of the centralized directory. Previously, having both directories was necessary,
because open standards did not exist or were not implemented ideally. The use
of open standards (such as the Lightweight Directory Access Protocol or LDAP)
has changed this landscape. As a result, with Domino 6.5.1 and Extended
Products, it might be good to reconsider your current directory structures and
look for new integration points, therefore setting the stage for possible future
consolidation.
The precedent set with Domino 6.5.1 and Extended Products also means
improved single sign-on (SSO) choices, which might affect your directory
choices. In previous releases, all products included single sign-on options;
however, interoperability problems were plentiful. Now with 6.5.1, SSO
interoperability has improved greatly, providing the Domino Administrator with a
"one-stop shop" approach.
The following sections provide an overview of directory concepts, configuration
options, and terminology that will assist you in making directory choices prior to
the deployment and integration of Domino 6.5.1 and its related group of
Extended Products.
3.1.1 What are directories?
Before discussing the details involved in deploying Domino 6.5.1 and the 6.5.1
Extended Products, it is important that we define what we mean by the term
directory. As software continues to increase in functionality and complexity, it is
becoming increasingly important to understand (at least at a high level) how
directories function and the various ways they can be deployed and used by a
given organization.
In the most literal sense, a directory is a listing of information about related
objects arranged in some order that gives details about each object. Common
examples are a city telephone directory and a library card catalog.
For a telephone directory, the objects listed are people; the names are arranged
alphabetically, and the details given about each person are the address and
telephone number. Books in a library card catalog are ordered by author or by
title, and information such as the ISBN number of the book and other publication
information is given.
In information technology terms, there are many individual and vendor-specific
definitions for the term directory. For the purposes of deploying Domino 6.5.1
and the Extended Products, we define a directory as follows:
A directory is a specialized database, also called a data repository, that stores
typed and ordered information about objects.
Directories enable users or applications to find resources that have
characteristics needed for a particular task. For example, a directory of users can
be used to look up a person's e-mail address or fax number. A directory can be
searched to find a nearby PostScript color printer. Finally, a directory of
application servers could be searched to find a server that can access customer
billing information.
Because directories must be able to support high volumes of read requests, they
are typically optimized for read access. Write access might be limited to system
administrators or to the owner of each piece of information.
A general-purpose database, conversely, needs to support applications, such as
airline reservations and banking applications, with relatively high-update
volumes. Because directories are meant to store relatively static information and
are optimized for that purpose, they are not appropriate for storing information
that changes rapidly.
3.1.2 What are directory components?
Figure 3-1 on page 71 illustrates typical components of an LDAP directory entry.
Figure 3-1 also highlights how LDAP directories can differ from vendor to vendor.
For example, the ePerson object in Figure 3-1 does not exist in the Domino
LDAP schema (the equivalent Domino schema object being called
dominoPerson).
Figure 3-1 Typical directory components
3.1.3 What is LDAP?
LDAP, or Lightweight Directory Access Protocol, defines a standard method of
accessing a directory.
The LDAP standard is designed to provide access to directories supporting
X.500 hierarchical models without the intense resource requirements of the full
X.500 Directory Access Protocol (DAP), thus the term Lightweight DAP or
LDAP. It uses a client/server model of communication, in which the LDAP directory
server can serve many simultaneous client requests over standard
TCP/IP.
3.1.4 What is an LDAP schema?
Readers familiar with Domino databases know that a typical Domino application
has its design stored in a template (.ntf file), and both the application data and
some additional design elements are stored separately in a Notes database (.nsf
file).
The application design is therefore abstracted from the data, and the
application itself is thus a combination of these two elements. This is
advantageous because it allows the design to be queried and modified
independently of the data. The application design held primarily in the template is
therefore what determines what data is presented (and how) when the
application is queried by a Notes client or a browser.
Keeping this idea in mind, the LDAP schema can be thought of as a mapping or
abstraction of the directory structure that can be queried or modified, or both,
independently of the underlying data held in the directory. The advantage of
abstracting the directory structure in this way is similar to the example of the
Domino application in the previous paragraph, in that it allows the directory to be
easily queried, extended, or both without having to modify the underlying
directory data.
For example, the LDAP schema in Domino is stored in a Domino database (that
resides on each server), called Schema.nsf.
The Schema.nsf database contains the mappings between the Domino field
names and their LDAP attribute equivalents.
We can, therefore, think of Notes documents as being equivalent to LDAP
objects and Notes fields being equivalent to LDAP attributes.
For example, a person entry (or Person document, as it is commonly called)
is Domino's proprietary method of storing information about individuals in the
directory. Because LDAP is an open standard, we need some way to
interrogate this person data using the standard LDAP protocol.
This is achieved by running the LDAP server task on the Domino server, which
works with the Schema.nsf database to determine what information is
being requested and how to present it to the requesting client. See Figure 3-2 on
page 73.
Figure 3-2 Example of the Domino LDAP schema
3.2 Overview of how the components use the LDAP directory
This section illustrates a few simple ways in which all the components included
within Domino 6.5.1 and the Extended Products (including WebSphere Portal)
use the directory.
The components use the directory in four main ways:
- Searching: The search service is used to find a unique person. Components
  will often query the end user for their name. They will then do an LDAP search
  for that string in a number of ways (common name, e-mail address, and so
  on). This search can be configured in each component to match the directory
  structure. The result of this search is a unique representation of that person's
  name.
- Authentication: The components will, when given a user name and password,
  often issue an LDAP bind request. The bind requires the user's LDAP
  distinguished name and Internet password. If the bind worked, the user is
  who they say they are.
- Authorization: Given the unique name of an individual, access to a resource
  can be determined by searching the access control lists (ACLs) for that
  resource, looking for that user's name or any group that user is in. The ACLs
  are often stored in various places.
- Information about people: Various information about people (including phone
  number, office number, and so on) is stored in LDAP or other directories and
  is found by using the person's unique name.
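The search and bind steps above are where a component turns user-typed text into directory requests. The following Python sketch is an added example, not code from this book or from any Lotus product: it escapes the typed name per RFC 4515 before building the search filter, requires exactly one match, and refuses an empty password so that the bind cannot become an RFC 4513 unauthenticated bind. The StubDirectory class, its entries, and the cn/mail/uid attribute list are constructed assumptions standing in for a real LDAP server.

```python
import re

# RFC 4515: characters that must be escaped inside a search-filter value.
_ESCAPES = {"\\": "\\5c", "*": "\\2a", "(": "\\28", ")": "\\29", "\x00": "\\00"}


def escape_filter_value(value):
    """Make user-typed text safe to embed in an LDAP search filter."""
    return "".join(_ESCAPES.get(ch, ch) for ch in value)


def build_person_filter(login, attrs=("cn", "mail", "uid")):
    """Search for the typed string 'in a number of ways' (assumed attributes)."""
    value = escape_filter_value(login)
    return "(|" + "".join("(%s=%s)" % (attr, value) for attr in attrs) + ")"


def _unescape(text):
    """Turn RFC 4515 escapes such as \\2a back into the character they encode."""
    return re.sub(r"\\([0-9a-fA-F]{2})", lambda m: chr(int(m.group(1), 16)), text)


class StubDirectory:
    """In-memory stand-in for an LDAP server. Constructed data, not Domino."""

    def __init__(self, entries):
        self.entries = entries

    def search(self, ldap_filter):
        """Evaluate the (attr=value) clauses of an OR filter; '*' is a wildcard."""
        clauses = re.findall(
            r"\((\w+)=((?:[^()\\]|\\[0-9a-fA-F]{2})*)\)", ldap_filter)
        hits = []
        for entry in self.entries:
            for attr, raw in clauses:
                # An unescaped '*' splits the value into wildcard-joined parts;
                # an escaped '\2a' stays a literal asterisk.
                pattern = ".*".join(re.escape(_unescape(p)) for p in raw.split("*"))
                if re.fullmatch(pattern, entry.get(attr, ""), re.IGNORECASE):
                    hits.append(entry["dn"])
                    break
        return hits

    def bind(self, dn, password):
        """Model a server that accepts anonymous connections: a bind with an
        empty password is an RFC 4513 unauthenticated bind and reports success."""
        if password == "":
            return True
        return any(e["dn"] == dn and e["password"] == password
                   for e in self.entries)


def authenticate(directory, login, password):
    """Return the user's distinguished name on success, otherwise None."""
    if not login or not password:
        return None  # never send an empty-password bind
    matches = directory.search(build_person_filter(login))
    if len(matches) != 1:
        return None  # no match, or ambiguous: not a unique person
    dn = matches[0]
    return dn if directory.bind(dn, password) else None


# Constructed sample entries (hypothetical names and passwords).
DIRECTORY = StubDirectory([
    {"dn": "CN=Jane Doe,O=Example", "cn": "Jane Doe", "uid": "jdoe",
     "mail": "jdoe@example.com", "password": "correct horse"},
    {"dn": "CN=Jane Doe,OU=Sales,O=Example", "cn": "Jane Doe", "uid": "jdoe2",
     "mail": "jane.doe@example.com", "password": "battery staple"},
])

if __name__ == "__main__":
    for login, pw in [("jdoe", "correct horse"), ("Jane Doe", "correct horse"),
                      ("jdoe", ""), ("*", "correct horse")]:
        print(repr(login), "->", authenticate(DIRECTORY, login, pw))
```

The common name "Jane Doe" is rejected because it matches two entries, which is why the search step has to end in a unique name before any bind is attempted.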
3.3 Directory options for deploying the Domino 6.5.1 products
In the following sections, we discuss three different directory options for
deploying the Release 6.5.1 products. The options are as follows:
- Using a native Domino Directory versus an external directory
- Using a Domino Directory and accessing this through the Domino LDAP
  service
- Using a third-party LDAP directory, such as Microsoft Active Directory
These sections are intended to provide some of the key considerations and
advantages of the different approaches. Note that the scenarios shown in
Chapter 4, "New Domino installation" on page 85, and Chapter 5, "Upgrade and
coexistence considerations" on page 211 both provide more in-depth information
about deploying the 6.5.1 products using the native Domino Directory. Chapter 7,
"Integrating Domino 6.5.1 with a third-party LDAP directory" on page 351
discusses considerations for using a third-party LDAP in much greater detail.
3.3.1 Deploying Domino 6.5.1 products on the native Domino Directory
Many organizations that use Domino for messaging or collaboration, or both,
leverage the information stored in the Domino Directory as a convenient
centralized source of person and group information.
There are a number of inherent advantages to using the native Domino Directory
versus an external directory when deploying the Domino 6.5.1 Extended
Products. Keep in mind, however, that there are also a number of configuration
and support considerations.
Some of the many advantages to using the native Domino Directory versus using
an external directory include:
- Convenience: Organizations will typically have most, if not all, of their
  employees already registered in the Domino Directory.
- Reliability and availability: The Domino Directory is invariably replicated
  throughout the environment, thus allowing for centralized control and
  redundancy.
- Scalability: With each successive release of Domino, the ability to scale the
  Domino Directory increases.
- Extensibility: Because the Domino Directory is based on a template, it is easy
  for organizations to customize and extend its features through the Domino
  Designer client or by using LotusScript, JavaScript, and Java.
- Manageability: Domino has many built-in (and often automated) directory
  administration capabilities for things such as name changes and deletions.
  Because these changes can be automatically propagated through groups,
  ACLs, and so on, it is easier to maintain the integrity and accuracy of
  information held in the directory.
This section describes the directory configuration options when installing the
Domino 6.5.1 Extended Products together with these considerations.
Figure 3-3 on page 76 shows the basic deployment scenario discussed in
Chapter 4, "New Domino installation" on page 85.
In this scenario, Domino and each of the 6.5.1 Extended Products are installed
on their own server with the hub server acting as the main server where directory
changes (such as additions and deletions) are made. If all the servers are in the
same Domino domain (that is, they share the same Domino Directory), it is
conceivable to not use a dedicated hub/directory server, but to configure each of
the Extended Products to use its own local Domino Directory. These local
directories will then be kept synchronized by a suitable replication schedule.
It is, however, generally regarded as best practice to adopt a hub/spoke model,
as depicted in Figure 3-3 on page 76, for the following reasons:
- Centralized control and administration: Updates to the directory and server
  configuration changes can be made on a designated hub server, thus
  avoiding directory inconsistencies such as replication and save conflicts.
- Performance: Typically, a hub server will not have any production users on it
  and can therefore be dedicated to administration and maintenance tasks that
  are often resource intensive. For example, the hub server will initiate a Pull
  Push replication with all other servers, thereby alleviating the burden of
  replication from the spoke servers.
Figure 3-3 Release 6.5.1 Extended Products using the Domino Directory
Note: Lotus Team Workplace is only supported with an LDAP directory. In the
previous scenario, you want to make sure that LDAP is enabled for the Team
Workplace server. The following section provides more details about using the
Domino LDAP service.
3.3.2 Deploying Domino 6.5.1 products using the Domino LDAP
Lightweight Directory Access Protocol (LDAP) is a standard Internet protocol for
searching and managing entries in a directory, where an entry is one or more
attributes associated with a distinguished name. The LDAP service is available in
Domino for products requiring an LDAP directory, where the Domino Directory
serves as the LDAP directory. It is important to note that when you access the
Domino Directory through the Domino LDAP service, all of the inherent
advantages of using the native Domino Directory still apply. In addition to these,
some of the advantages of using Domino LDAP include:
- Interoperability: The Domino Directory, through the use of the LDAP service,
  can interact with other products, including third-party products, requiring an
  LDAP directory.
- Ease of administration: If you have applications that require LDAP, you will
  not need to introduce another product, and therefore skill set, into your
  environment. You can still use Domino to serve the purpose of an LDAP
  directory.
This section describes the directory configuration options when installing the
6.5.1 Extended Products and using the Domino LDAP service.
Figure 3-4 shows the basic deployment scenario when using the Domino LDAP
service. In this scenario, Domino and each of the 6.5.1 Extended Products are
installed on their own server with the hub server acting as a centralized directory.
The Domino LDAP service has been enabled on the hub server, and each
product server queries the hub server for user authentication.
Figure 3-4 Baseline LDAP scenario
Notice that within this figure, we include the naming convention used for the
Domino LDAP service. Chapter 7, "Integrating Domino 6.5.1 with a third-party
LDAP directory" on page 351 discusses the LDAP naming schemes in more
detail.
How the Domino LDAP service works
The Domino LDAP server task enables the LDAP service to process LDAP client
requests using the Domino Directory as an LDAP directory. When the LDAP task
is running on a server, the server can listen for and process LDAP client
requests. By default, the LDAP task runs automatically on the administration
server for the Domino Directory.
In addition to using its primary Domino Directory for processing LDAP requests,
the LDAP service can extend LDAP request processing to directory catalogs and
secondary Domino Directories and can refer LDAP clients to remote LDAP
directories if processing is unsuccessful in any Domino Directory or directory
catalog.
By default, the LDAP task listens for LDAP client requests over TCP/IP port 389
and accepts both anonymous connections and connections that bind using
name-and-password security. The LDAP service can also listen for requests over
an SSL port, usually port 636. The LDAP service can accept requests over the
SSL port from anonymous LDAP clients and from LDAP clients authenticated
using name-and-password security or X.509 certificates, or both.
To search for an entry specified in an LDAP request, the LDAP service does
either a view lookup or a full-text search, depending on the search filter specified
in the request. View lookups are typically faster than full-text index searches.
3.4 Third-party LDAP directories
In addition to serving as an LDAP directory and server, Domino also has the
ability to interact with third-party LDAP directories for e-mail address lookups,
authentication, or both. This can be beneficial for those organizations that might
have a centralized directory they want to interact with for e-mail or applications.
Domino does not need to be running LDAP in order to interact with these servers.
Directory Assistance can be set up to define the LDAP or secondary servers with
which Domino needs to communicate.
How Directory Assistance works
Directory Assistance is a feature a server can use to look up information in a
directory other than a local primary Domino Directory (NAMES.NSF). You can
configure Directory Assistance to use a particular directory for any of these
services:
- Client authentication
- Group lookups for database authorization
- Notes mail addressing
- LDAP service searches or referrals
To configure Directory Assistance, you create a Directory Assistance database
from the template DA50.NTF and replicate it to the servers that will use it. A
server must have a local replica of a Directory Assistance database to use
Directory Assistance. Then, you add the database file name to the Directory
Assistance database name field in the Domino Directory Server documents of
these servers.
Using Directory Assistance with third-party LDAP directories
If servers use Directory Assistance to search a remote LDAP directory, you can
use the "Type of search filter to use" field in the Directory Assistance document
for the directory to control which LDAP search filters are used to search the
directory. The following choices are available:
- Standard LDAP (default)
- Microsoft Active Directory
- Custom
The first two choices are predefined search filters used to work with the identified
directories. The last option gives you the ability to create your own custom filter
with the following options:
- Mail
- Authentication
- Authorization
Review the Lotus Notes Administrator Help database or Chapter 7, "Integrating
Domino 6.5.1 with a third-party LDAP directory" on page 351 in this book for
more details about creating a customized filter.
3.5 SSL and LDAP
Secure Sockets Layer (SSL) is a security protocol that provides communications
privacy and authentication. SSL is strongly recommended when communicating
with an LDAP server if there is a risk that someone along the path of the
communication can eavesdrop on the communication. This section covers the
highlights of SSL and LDAP.
SSL offers these security benefits:
- Data is encrypted to and from clients, so privacy is ensured during
  transactions.
- An encoded message digest accompanies the data and detects any message
  tampering.
- The server certificate accompanies data to assure the client that the server
  identity is authentic.
- The client certificate accompanies data to assure the server that the client
  identity is authentic. Client authentication is optional and might not be a
  requirement for your organization.
For more complete details, including setup and configuration instructions,
reference the following sources:
- Lotus Security Handbook, SG24-7017
- Using LDAP for Directory Integration, SG24-6163
- Lotus Notes Administrator Help database
You set up SSL on a protocol-by-protocol basis.
Important: Keep in mind that SSL is costly in terms of performance. If the
server components using the LDAP service are all in your local intranet and
that intranet is well protected from the outside world by firewalls, proxies, and
DMZs, the use of SSL within the intranet is not necessarily recommended.
3.6 Single sign-on
Beginning with Release 5.0.5 of Domino, Web users can log on once to a
Domino server and then access any other Domino or WebSphere servers in the
same DNS domain that are enabled for single sign-on without logging on again.
In addition, SSO works across multiple WebSphere application servers and
multiple independent Domino domains as long as they are all in the same
Internet domain.
This is accomplished by selecting a new multiserver authentication option (in a
Domino Server document) for session-based authentication, along with creating
a new domain-wide Configuration document in the Domino Directory called the
Web SSO Configuration document.
This document, which should be replicated to all servers participating in the
single sign-on domain, is encrypted for participating servers and contains a
shared secret key used by servers for authenticating user credentials.
Note: For complete details about configuring SSO, refer to "Configuring single
sign-on (SSO)" on page 102 in this book or the Lotus Notes Administrator
Help database.
All servers participating in single sign-on must be at the Domino 5.0.5 level or
later.
The users' Web browsers must have cookies enabled, because the
authentication token that is generated by the server is transported to the browser
in a cookie.
Web single sign-on is made possible by the use of what is called an LTPA
token, which is issued by the server to the browser.
Both WebSphere Application Server and WebSphere Portal also support the use
of LTPA tokens, so it is therefore possible to achieve single sign-on between
Domino and WebSphere.
Part 2. Installation, configuration, and coexistence
In this part, we discuss two specific installation scenarios:
- How to install and configure Domino 6.5.1 and the Extended Products in a
  new environment, using only the 6.5.1 versions of each product and using a
  native Domino Directory for authentication. (Note that Lotus Team Workplace
  uses Domino LDAP for authentication.)
- How to upgrade an existing environment using Domino and the Extended
  Products from a release earlier than Domino 6.5.1.
Chapter 4. New Domino installation
This chapter describes a new deployment of IBM Lotus Domino 6.5.1 and the
Extended Products into a new environment. We discuss setting up a Domino
network infrastructure and directory authentication to support the Extended
Products, and we present the installation, configuration, and integration
procedures necessary to provide full integration among the products.
4.1 Deployment considerations
When considering deployment options for any network infrastructure, it is
important to identify the needs and interoperability requirements for each product
and their associated functions. For this deployment, the following products need
to be considered:
- Domino server for mail and directory services
- Lotus Instant Messaging and Web Conferencing (formerly called Sametime)
  server for integrated awareness and meeting services
- Lotus Domino Document Manager (formerly called Domino.Doc) for
  document management
- Lotus Workflow for integrated document life cycle processing
4.1.1 Domino network topology
These products can connect to one another because the Domino server platform
and its native services for mail routing, directory services, and data
synchronization are based on TCP/IP and industry-standard protocols. Although
some of the Extended Products can coexist on a single Domino server platform
(see Chapter 6, "Extended Products for small-to-medium businesses" on
page 309), the ideal scenario would be to host each Extended Product on a
separate Domino server.
Because each product will share information and directory services through the
Domino infrastructure, we deployed the servers into a classic hub and spoke
topology, with the hub server providing centralized replication and directory
services for the domain. This topology is depicted in Figure 4-1 on page 87.
The following conditions were established for the infrastructure:
- A new installation of the operating system (Microsoft Windows 2000
  Advanced Server, Service Pack 4) on freshly imaged hard drives.
- Each product was installed on its own physical machine.
- Clean installations were performed through step-by-step guidance provided
  by the product manuals.
Figure 4-1 Basic scenario topology
Domino 6.5.1 Enterprise Server and Interim Fix 1 (IF1) were installed on each
machine. Although IF1 is only required for Lotus Instant Messaging and Web
Conferencing and Lotus Team Workplace (formerly called QuickPlace), we
installed it on all servers for consistency and overall ease of maintenance of all
servers in a network infrastructure. (In Figure 4-1, IF1 indicates a required
installation and (IF1) indicates an optional installation).
Note: You do not need to mimic this topology if you do not want all of the
services. For example, if you only want to install Team Workplace and Lotus
Instant Messaging and Web Conferencing, you can simply use two Domino
servers, each with one of the products on it. The first server you install in a
Domino domain will be configured to be the administration server of the
domain and will also run LDAP automatically.
4.1.2 Authentication directory
As described in Chapter 3, "Directory and authentication considerations" on
page 67, the 6.5.1 Extended Products can be configured to authenticate
against three basic directory structures:
- Native Domino Directory using Notes Remote Procedure Call (NRPC) (3.3.1,
  "Deploying Domino 6.5.1 products on the native Domino Directory" on
  page 74)
- Native Domino Directory using LDAP (3.3.2, "Deploying Domino 6.5.1
  products using the Domino LDAP" on page 76)
- Third-party LDAP directory (3.4, "Third-party LDAP directories" on page 78)
Each of these directory authentication schemes is discussed in detail in the
referenced sections. However, for the new installation configuration presented
here, we used the native Domino authentication. The only exception to this was
for Team Workplace, which is only supported using LDAP authentication. For that
product, we referenced its authentication to the Domino LDAP service running on
the hub/directory server. Because both the Domino and LDAP authentications
were based on the same underlying directory, this model supports common
authentication across all of the products. This network authentication topology is
depicted in Figure 4-2 on page 89.
Figure 4-2 Authentication topology
4.1.3 Product deployment sequence
We first installed our hub/directory server to support the hub/spoke topology
depicted in Figure 4-1 on page 87. After the hub server was up and running, we
deployed all of the remaining Domino servers without any of the Extended
Products. This allowed us to establish and verify proper replication and
communication between the underlying Domino servers prior to any other
deployments.
After the servers were properly configured, we then deployed Lotus Instant
Messaging and Web Conferencing as the first Extended Product.
Note: Although most customers would have already installed clients and mail
before installing Lotus Instant Messaging and Web Conferencing, we felt it
was strategic to install it as the first Extended Product for our ongoing testing
of integration. Instant Messaging presence awareness served as the base
integration function between all products. By installing Lotus Instant
Messaging and Web Conferencing first, we were able to reference the Instant
Messaging and Web Conferencing server during the installation of the other
Extended Products and to test presence awareness after each product
installation.
The following list provides an overview of the order of installation and
configuration:
1. Domino server or servers: We started with the Domino Directory/hub server
and then added another Domino mail server into the domain. (See 4.2,
"Domino hub/directory server" on page 91.)
2. Lotus Instant Messaging Server and Web Conferencing: We installed a
stand-alone Instant Messaging and Web Conferencing server as the first of
the Extended Products to verify that instant messaging and presence
awareness were working between the products. (See 4.3, "Lotus Instant
Messaging and Web Conferencing server" on page 110.) As mentioned in the
previous Note box, presence awareness served as a key base integration
point between the products.
3. Notes client: Next, we installed the Notes client on a client machine to verify
access to our Domino servers, to test mail routing, and to verify instant
messaging and presence awareness functionality from the Notes client. (See
4.4, "Notes client installation and configuration" on page 118.)
4. Domino Web Access: After we verified that we could access our Domino mail
servers using the Notes client, we performed the necessary additional
configurations required to access mail and calendar functionality through a
Web browser using Domino Web Access. (See 4.5, "Domino Web Access
configuration" on page 126.)
5. Lotus Team Workplace: We installed Team Workplace on a dedicated server
and configured it to work with Lotus Instant Messaging and Web
Conferencing and Domino Web Access. (See 4.6, "Lotus Team Workplace
server" on page 138.)
6. Domino Document Manager: Finally, we installed Domino Document
Manager on a dedicated machine and configured an initial document
hierarchy/taxonomy. (See 4.7, "Domino Document Manager server" on
page 161.)
7. Lotus Workflow: Lotus Workflow was installed and configured on the same
machine as Domino Document Manager. (See 4.8, "Lotus Workflow" on
page 180.)
Note: The order of the sections indicates the installation order of the products
for a new installation. If you are upgrading your Domino servers and Extended
Products, you will need to follow a different upgrade order. Refer to Chapter 5,
"Upgrade and coexistence considerations" on page 211 for instructions related
to upgrading to Release 6.5.1.
4.2 Domino hub/directory server
Installing a Domino server is relatively easy. There are a few options that you
should choose. We installed each of the Domino servers with identical options
and configured them individually for the various products. In the following
sections, we provide the steps for the basic installation and configuration. For
more detailed information about installing Domino servers, see the Lotus Domino
Administrator 6.5.1 Help file on the Lotus Developer Domain.
Tip: All the latest Lotus product documentation can be found at the Lotus
Developer Domain (commonly referred to as LDD), available at:
http://www.lotus.com/ldd
(Previously www.notes.net.)
4.2.1 Initial Domino installation
For the initial Domino installation, complete the following steps:
1. Verify that the intended server meets the minimum hardware and operating
system requirements to support Domino 6.5.1.
2. Use the Domino CD or expand the downloaded file and run setup.exe to
install the Domino code.
3. Accept the license agreement and the defaults until you are prompted to
select the destination folders:
a. Program folder: D:\Lotus\Domino
b. Data folder: D:\Lotus\Domino\Data
Note: Select whichever drive has adequate space. In our lab
environment, we selected the D: drive.
4. Choose Domino Enterprise Server as the server type.
5. Accept defaults for the rest of the options until the server begins installing and
then wait while the server copies all the files to the appropriate directories.
Important: For the servers in our lab environment, we installed both the
Domino server code (Enterprise Server) and the 6.5.1 Interim Fix 1 (IF1).
Before installing the Interim Fix 1, we recommend that you perform the basic
server configuration tasks. Occasionally, if you apply the Interim Fix 1 directly
after installing the Domino server code, without first configuring the server, you
might see the following error message: "Unable to initiate the Notes
Environment. Make sure the server is installed and try again." To
resolve this issue, we configured the Domino server before applying the
Interim Fix 1.
4.2.2 Initial configuration setup
To set up the initial configuration, complete the following steps:
1. When you first start the Domino server, select the option to install the server
as a Windows service and always load as a service at system startup, as
shown in Figure 4-3.
Figure 4-3 Configure Domino to run as a Windows service
Note: It is not a requirement that Domino be run as a service. We
recommend this as a best practice.
2. Accept the default fonts.
3. Because this is the first server in the domain, select the "Set up the first
server or a stand-alone server" option (all future servers will select the "Add
a server to the domain" option).
4. When prompted for server name and title:
a. Enter a name for the Domino server.
b. If you prefer, you can enter a short title and description of the Domino
server (this is an optional value and has no other impact on the server).
Note: When deploying multiple Domino servers, it is best to consider a
consistent naming convention to be used for the servers. Names should
be reasonably short and should contain no spaces. Remember, the
server names will be seen by the users, so if they are somewhat
descriptive, it is also helpful.
If the Domino server name is not the same as the physical machine
name, you must ensure that the name is resolvable through DNS. For
example, we named the hub server bschub, which, combined with the
machine's domain, yields the fully qualified host name of
bschub.cam.itso.ibm.com. We configured an entry in DNS for
bschub.cam.itso.ibm.com to point to the physical IP address of the
server.
Finally, it should be noted that it is not a requirement to make the
Domino server name the same as the physical machine name. It just
makes configuration easier. If this is not done, Connection documents
are required in all other servers and clients.
5. When prompted for organization name:
a. Enter the organization name for this infrastructure.
b. Enter a password for the certifier file (twice for confirmation).
Tip: The organization name is equivalent to the /O=... in the X.500
naming convention. Domino will create a certifier ID file that will be used
to create the other objects in the domain within that /O=... hierarchy.
Most customers use either their company name, an acronym, or other
short descriptive value.
Important: You must remember the password to the certifier ID file in
order to create other objects in the domain. This password cannot be
recovered from the ID file itself and if it is ever lost or forgotten, it can
cause many problems.
6. When prompted for the Domino domain name, enter the Domino domain
name for this installation.
Tip: The domain name is most often recognized as the text that appears
after a user's name when sending e-mail, for example:
Domino Admin/ITSO@ITSO
Similar to the organization name, the domain name should be short and it
is best if it does not contain spaces. It is often the same as the organization
name.
7. When prompted for an administrator name and password:
a. Enter the name of the first Domino Administrator.
b. Enter a password for this account (twice for confirmation).
c. Select the check box to save a local copy of the ID file and change the
location for saving it if desired.
Tip: Domino creates this user as the first administrator for the domain
and will also configure the environment to provide this user with special
administrative rights. We recommend that this user be reserved as a
trusted authority for the domain and not actually represent any specific
user. This will allow you to maintain your infrastructure even though
administrators may come and go. For our environment, we used the
generic name of Dom Admin.
8. When prompted to specify Internet services:
a. Select HTTP on all servers.
b. Select LDAP only on the hub server.
c. Do not select IMAP, POP3, or SMTP (they can be enabled later on specific
servers if needed).
9. On the Domino network settings page, click the Customize button to
configure the port drivers and host name (see Figure 4-4 on page 95):
a. Clear any NetBIOS ports.
b. In the TCP/IP line, modify the Host Name field to match the fully qualified
host name for the server.
c. If needed, modify the fully qualified Internet host name for this Domino
server in the text box below the port settings (this should match the entry
in step b).
Figure 4-4 Server network settings setup
d. After you click OK, you will be taken back to the Domino network settings
page where you can click Next.
10. Accept the security defaults.
11. When prompted, review the overall options you have selected during these
steps and click Setup to complete the process.
The setup program will create the ID files and databases needed for the server to
run. After this finishes, start the server from the Start menu or from the Windows
Services panel. When the server launches for the first time, the remaining
system databases are created.
Note: The default security settings create three groups,
LocalDomainServers, OtherDomainServers, and LocalDomainAdmins,
and give them appropriate access to servers and databases. The
administrator account you configured in step 7 on page 94 will be added to
the LocalDomainAdmins group. Later, you will want to add more names to
the LocalDomainAdmins group as needed.
4.2.3 Creating other server objects in the Domino domain
In order to create other objects in the domain (for example, the other servers and
users), install Lotus Notes and Domino Administrator on a workstation (called the
administrator workstation). We recommend that these clients be installed on a
separate workstation, that is, do not install Notes clients on the Domino server.
Set up the administrator workstation
To set up the administrator workstation, complete the following steps:
1. Copy the cert.id and the admin.id files to the administrator workstation.
2. Start Notes from the Start menu.
3. Accept the license agreement and choose to connect to a Domino server.
4. When prompted for a user name, enter the name that you chose for your
administrator in step 7 on page 94.
5. Browse for the ID and choose the admin.id you copied previously.
6. Enter the password and elect to have it copied to your Data directory.
7. Enter the name of the Domino server you chose in step 4 on page 92 (you
can enter the fully qualified host name or just the common name).
8. Accept the defaults in the rest of the setup windows.
9. When prompted for an instant messaging server, clear the option to configure
it.
10. After Notes finishes configuring itself, you will be brought to the default
Welcome page.
Creating the other servers and other users (as needed)
To create the other servers and other users, complete the following steps:
1. Open the Domino Administrator client using one of the following methods:
- From the Bookmark bar icon on the Notes client
- By selecting File → Tools → Server Administration in the Notes client
- From the Lotus Application folder in the Windows Start menu
2. Select the server icon for your domain from the left Bookmark bar (hover the
cursor over them to display the domain name).
3. Because there is only one server in the domain at this point, it should open to
your hub server; if not, select File → Open Server to navigate to the correct
server.
4. Click the Configuration tab and then open the Registration section in the
Tools bar. See Figure 4-5 on page 97.
Figure 4-5 Navigate to the Server registration tool
5. Click Server to open the Server registration tool.
6. Select Supply certifier ID and password. See Figure 4-6.
7. Click Certifier ID to choose the certifier you copied from the first server to the
administrator workstation.
8. Enter the password when prompted.
Figure 4-6 Select the certifier ID
9. If needed, click the Server button and select the hub server you previously
created.
10. When you receive a warning message about ID recovery information, click
OK to bypass it, as shown in Figure 4-7 on page 98.
Figure 4-7 Certifier Recovery Registration Warning message
11. Verify that the registration server, certifier, and the certification expiration date
are correct (you might want to change the certificate expiration date if your
organization's security policies require it). See Figure 4-8.
Figure 4-8 Change certificate expiration date
12. Fill in the registration details for each new server:
a. Add a server name.
b. Verify that the server administrator is correct.
c. Choose to save the ID file to a file system and specify the desired location
(this will allow you to not set a password on the server ID files).
d. Click the green check mark to add each server to the Registration queue,
as shown in Figure 4-9.
Figure 4-9 Put each server in the queue
e. Repeat these steps for each of the other servers to be registered.
Tip: You can select the LocalDomainAdmins group for the Server
Administrator name field. This will allow everyone who is in the
LocalDomainAdmins group to administer the server. After you create
new users, you can add the appropriate names to this group to grant
them administrator rights to the server. This saves you from having to
edit every Server document in order to add administrators.
13. After you have created entries for all of the remaining servers, select Register
All. The ID files will be saved to the location you specified (normally it is in the
program files\lotus\notes\data\id files\servers directory of the administrator
workstation). Copy each ID file to the appropriate server.
4.2.4 Preparing the domain for the Extended Products
A few configuration items can be done ahead of time in order to prepare the
servers and domain for the Extended Products. After each product is installed,
you will be making specific configuration changes for that product.
Date and time on servers
Make sure that the date and time of all the servers match as closely as possible.
Some administrators find that it is helpful to install software that checks the GMT
and adjusts the time of the server on a regular basis.
Creating the replication topology
Create Connection documents and make sure that replication is working
between each server and the hub server. System databases must replicate
between Domino servers in order for them to interact as designed.
To create the replication topology, complete the following steps:
1. Create a Servers only group that contains all of the servers except for the hub
server.
2. Create a Connection document from the hub server to the group created
above, as shown in Figure 4-10.
Figure 4-10 Connection document from hub to other servers
Fully qualified host name
Make sure that the fully qualified host name has been entered on the Server
documents in the following places (note that this must be done in each Server
document):
1. Basics tab: Fully qualified Internet host name
2. Ports tab: Net Address
3. Internet Protocols tab: HTTP - Host name(s)
Figure 4-11 Fully qualified host name in the Server document
Tip: To eliminate unnecessary Execution Control List (ECL) warnings, implicit
trust was enabled for the Administration ID on all users by creation of a
Security Settings document and an organizational policy so that all users
would inherit the Administration ECL settings. See the Lotus Domino
Administrator 6.5.1 Help file on the Lotus Developer Domain for more
information about ECL management.
Configuring single sign-on (SSO)
Single sign-on enables users to log on to one server and switch to another one
without presenting authentication credentials again. Perform all of these
configurations in the directory on the hub server.
To configure single sign-on, complete the following steps:
1. Use the Domino Administrator and open the hub server (see Figure 4-12):
a. Select the Configuration tab.
b. In the navigation pane, choose Server.
c. Click the Web button, and select Create Web SSO Configuration.
Figure 4-12 Create SSO Configuration document
2. In the SSO Configuration document, make the following entries (see
Figure 4-13 on page 103):
a. Select LtpaToken.
b. Leave the Organization field empty.
c. Select and add all of the servers from the directory to the Domino Server
Names field (this uses the proper hierarchical name for each server).
d. Enter the Internet domain that all of your servers share (you should
precede this name with a leading period; Domino 6 will insert it when the
document is saved if you forget).
Important: If you have a mixed R5/D6 environment, you will need to
use the Create Web R5 (SSO configuration) button found in the action
bar of Server documents. If you have a pure D6 environment, you can
use the method outlined here or use Internet Site documents. For more
information, see the IBM Redbook, Lotus Security Handbook,
SG24-7017.
Figure 4-13 SSO Configuration document
e. Select Keys from the action bar and click Create Domino SSO Key, as
shown in Figure 4-14. You will receive a confirmation when it has been
successfully created.
Figure 4-14 Create the Domino SSO Key
f. Save and close the Web SSO document.
Important: The Web SSO document is automatically encrypted with
the ID of the user who created it. If another administrator subsequently
needs to edit the document, the administrator will receive a warning
about the document being encrypted and will not be able to edit it.
You might encounter this if you install Lotus Instant Messaging and Web
Conferencing before creating the Web SSO document. Lotus Instant
Messaging and Web Conferencing creates a Web SSO document if it
does not find one with itself listed in the Domino Server Names field. If
this happens, delete the document and create a new one so that you
can add all the servers to the document.
3. Open each Server document and make the following changes to the Internet
Protocols → Domino Web Engine tab (see Figure 4-15):
a. Session authentication: Multiple Servers (SSO)
b. Web SSO Configuration: LtpaToken
Figure 4-15 Server document changes for SSO
4.2.5 Installing the rest of the Domino servers into the domain
In general, you can follow the instructions for installing a server found in 4.2.2,
"Initial configuration setup" on page 92. The differences are noted in the following
list:
- You will be adding a server to the domain (not a stand-alone server).
- When prompted for the first server in the domain, enter the name of the hub
  server you configured previously (it must be up and available at this point).
- When prompted for the server's ID file, use the Browse button to identify it.
- When prompted for Internet services, enable HTTP and do not enable LDAP.
For more detailed information about the installation of Lotus Domino servers,
refer to the product documentation (Lotus Domino Administrator 6.5.1 Help).
Verifying that mail routing is working
To verify that mail routing is working, complete the following steps:
1. Create more users in the domain. The procedure for doing this is very similar
to registering a server. The Lotus Domino Administrator 6.5.1 Help file
contains more information about registering users. We created them with the
Domino Web Access mail design (iNotes6.ntf) and put them on the mail
server previously created because we wanted to test the integration of
Domino Web Access with the rest of the products. You will use these
accounts to test along the way.
2. Using your Notes client, send mail to these accounts. Observe the console of
the servers to see that mail is being transferred to the mail server and then
delivered to the accounts. Alternatively, you can use the Delivery Options
when sending mail and select to receive a delivery confirmation. Either
method will verify that mail is being properly routed and delivered.
3. If desired, add some of the users to the LocalDomainAdmins group. This will
allow more than one account to do some of the single sign-on testing in the
following steps.
Testing single sign-on
To test single sign-on, complete the following steps:
1. In order to test that single sign-on between the Domino 6.5.1 servers is
working correctly, you will need to change your browser settings to prompt for
cookies.
For Microsoft Internet Explorer 6, select Tools → Internet Options →
Privacy and click the Advanced button. You should then see the window
shown in Figure 4-16 on page 106. Select Override automatic cookie
handling and then select Prompt for both First-party and Third-party
Cookies.
Figure 4-16 Setting Internet Explorer 6 to prompt for cookies
2. We used the Web administration database as a test database for this. The
URL looks like this: http://bsc1hub.cam.itso.ibm.com/webadmin.nsf.
Figure 4-17 shows the default login page for SSO-enabled servers. If you
receive a pop-up dialog box for your name and password, you know that SSO
is not working on that server.
Figure 4-17 Default Web SSO Login page
3. Enter a valid user name and password. (If you are using webadmin.nsf to test
SSO, make sure that this user is listed as an administrator on the Security tab
of each Server document.)
Note: For Internet Explorer 5, select Tools → Internet Options →
Security and scroll down the list and select Prompt for Cookies.
4. You should then see a Privacy Alert prompt box (the example in Figure 4-18 is
from Internet Explorer 6).
Figure 4-18 Privacy Alert box in Internet Explorer 6
5. Click More Info. In the Name field, you should see LtpaToken, as shown in
Figure 4-19. Notice that the Web site that issues the cookie is the domain, not
the server.
Figure 4-19 Verifying you have received the LtpaToken
6. Click Allow Cookie.
7. Now enter a URL to one of the other Domino servers (in this example, a URL
to webadmin.nsf on another server).
8. Notice that you are not prompted to log on again, and your user name
credentials appear in the Web administration tool automatically, as shown in
Figure 4-20.
Figure 4-20 SSO verification
9. You should be able to switch to any of the servers in the domain that are listed
in the SSO Configuration document (Figure 4-13 on page 103) without
presenting your authentication credentials again. If you open a different
database on one of the servers, you might be asked to accept another cookie,
but you should not have to present your credentials again.
10. After it is successfully tested, revert your browser cookie handling options
back to their previous settings to avoid multiple prompts.
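The cookie inspection in steps 4 and 5 can also be scripted. The following Python sketch is an added example, not part of the Redbook or the products: it parses Set-Cookie values and checks that the LtpaToken cookie is scoped to the shared Internet domain so that every server in the SSO Configuration document receives it. The cookie strings are constructed, and the domain .cam.itso.ibm.com is an assumption derived from the host names used in this chapter.

```python
"""Verify that an LtpaToken cookie is scoped to the shared SSO domain."""

# Constructed Set-Cookie values (not captured from a real server). The domain
# .cam.itso.ibm.com is an assumption derived from the host names on this page.
DOMAIN_COOKIE = "LtpaToken=CONSTRUCTED-TOKEN-VALUE; domain=.cam.itso.ibm.com; path=/"
HOST_ONLY_COOKIE = "LtpaToken=CONSTRUCTED-TOKEN-VALUE; path=/"
WRONG_DOMAIN_COOKIE = "LtpaToken=CONSTRUCTED-TOKEN-VALUE; domain=.itso.example.com; path=/"

# Servers listed in the Web SSO Configuration document (the hub and instant
# messaging server host names used in this chapter).
SSO_HOSTS = ["bsc1hub.cam.itso.ibm.com", "bsc1st.cam.itso.ibm.com"]


def parse_set_cookie(header):
    """Split one Set-Cookie value into (name, value, attributes)."""
    parts = [p.strip() for p in header.split(";") if p.strip()]
    if not parts or "=" not in parts[0]:
        raise ValueError("not a cookie: %r" % header)
    name, _, value = parts[0].partition("=")
    attrs = {}
    for part in parts[1:]:
        key, _, val = part.partition("=")
        attrs[key.strip().lower()] = val.strip()  # flag attributes map to ""
    return name.strip(), value.strip(), attrs


def host_in_domain(host, domain):
    """Cookie domain matching: the exact host or a dot-separated suffix of it."""
    suffix = domain.lstrip(".").lower()
    host = host.lower()
    return host == suffix or host.endswith("." + suffix)


def check_ltpa_cookie(header, sso_hosts, require_secure=False):
    """Return a list of findings; an empty list means the scope is correct."""
    name, _value, attrs = parse_set_cookie(header)
    if name != "LtpaToken":
        return ["NOT_LTPA: cookie name is %s" % name]
    findings = []
    domain = attrs.get("domain", "")
    if not domain:
        findings.append("HOST_ONLY: no domain attribute, so the browser returns "
                        "the token only to the issuing server")
    else:
        if domain.lstrip(".").count(".") < 1:
            findings.append("TOO_BROAD: domain %s is a single label" % domain)
        for host in sso_hosts:
            if not host_in_domain(host, domain):
                findings.append("NOT_COVERED: %s is outside %s" % (host, domain))
    # Optional transport check for deployments that serve SSO over HTTPS.
    if require_secure and "secure" not in attrs:
        findings.append("NO_SECURE: token is also sent over plain HTTP")
    return findings


if __name__ == "__main__":
    for label, header in [("domain cookie", DOMAIN_COOKIE),
                          ("host-only cookie", HOST_ONLY_COOKIE),
                          ("wrong domain", WRONG_DOMAIN_COOKIE)]:
        print(label, "->", check_ltpa_cookie(header, SSO_HOSTS) or "OK")
```

A HOST_ONLY or NOT_COVERED finding corresponds to the failure in step 8, where the second server prompts for credentials again.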
4.2.6 Extended Products, LDAP, and SSL
If you are configuring the Extended Products to use LDAP authentication, you
should set it up to use SSL if there is the possibility of eavesdropping or another
security risk. When an instant messaging client seeks authentication with the
instant messaging server, it passes a name and password to the server. This
transmission is encrypted. When the instant messaging server seeks to verify the
authentication credentials with the LDAP server, that transmission is not
encrypted. The same holds true for the other Extended Products, because they
can also use the LDAP protocol to communicate authentication credentials with
the LDAP server. This is a very undesirable setup from a security standpoint. You
can configure the Extended Products to use the LDAP protocol with SSL so that
transmissions between it and the LDAP server are also encrypted. For our
sample environment, we used only the standard, non-encrypted LDAP protocol.
Figure 4-21 on page 109 illustrates the benefits of configuring SSL.
Figure 4-21 Benefits of configuring SSL
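To make the risk of the unencrypted server-to-LDAP hop concrete, the following Python sketch (an added example, not code from the Redbook or the products) decodes an LDAPv3 simple BindRequest and shows that the password crosses the wire as readable bytes, whereas the same exchange over SSL is opaque to the decoder. The bind DN, password, and sample payloads are constructed for illustration.

```python
"""Show that an LDAP simple bind carries the password in cleartext."""

TAG_SEQUENCE = 0x30      # LDAPMessage envelope
TAG_INTEGER = 0x02       # messageID, version
TAG_OCTET_STRING = 0x04  # bind DN
TAG_BIND_REQUEST = 0x60  # [APPLICATION 0], constructed
TAG_AUTH_SIMPLE = 0x80   # [0] simple password
TAG_AUTH_SASL = 0xA3     # [3] SASL credentials


def ber(tag, content):
    """Encode one BER tag-length-value element."""
    n = len(content)
    if n < 0x80:
        length = bytes([n])
    else:
        raw = n.to_bytes((n.bit_length() + 7) // 8, "big")
        length = bytes([0x80 | len(raw)]) + raw
    return bytes([tag]) + length + content


def read_tlv(buf, pos):
    """Decode one element at pos; return (tag, value, next_pos)."""
    if pos + 2 > len(buf):
        raise ValueError("truncated header")
    tag, first = buf[pos], buf[pos + 1]
    pos += 2
    if first < 0x80:
        length = first
    else:
        count = first & 0x7F
        if count == 0 or pos + count > len(buf):
            raise ValueError("unsupported or truncated length")
        length = int.from_bytes(buf[pos:pos + count], "big")
        pos += count
    if pos + length > len(buf):
        raise ValueError("truncated value")
    return tag, buf[pos:pos + length], pos + length


def build_simple_bind(message_id, dn, password):
    """Build an LDAPv3 BindRequest with simple authentication (message_id 0..127)."""
    bind = (ber(TAG_INTEGER, b"\x03")
            + ber(TAG_OCTET_STRING, dn.encode("utf-8"))
            + ber(TAG_AUTH_SIMPLE, password))
    return ber(TAG_SEQUENCE,
               ber(TAG_INTEGER, bytes([message_id])) + ber(TAG_BIND_REQUEST, bind))


def inspect_bind(payload):
    """Return bind details if payload is a readable LDAP BindRequest, else None.

    The password itself is never returned, only its length.
    """
    try:
        tag, body, _ = read_tlv(payload, 0)
        if tag != TAG_SEQUENCE:
            return None
        tag, _msg_id, pos = read_tlv(body, 0)
        op_tag, op, _ = read_tlv(body, pos)
        if tag != TAG_INTEGER or op_tag != TAG_BIND_REQUEST:
            return None
        _, _version, pos = read_tlv(op, 0)
        _, name, pos = read_tlv(op, pos)
        auth_tag, cred, _ = read_tlv(op, pos)
    except ValueError:
        return None
    method = {TAG_AUTH_SIMPLE: "simple", TAG_AUTH_SASL: "sasl"}.get(auth_tag, "unknown")
    return {
        "dn": name.decode("utf-8", "replace"),
        "method": method,
        "password_length": len(cred) if method == "simple" else 0,
        # A readable simple bind with a non-empty password means the
        # credential crossed the wire unencrypted.
        "exposed": method == "simple" and len(cred) > 0,
    }


# Constructed samples: the bind DN and password are invented for this example.
SAMPLE_PASSWORD = b"Constructed-Pw1"
PLAIN_LDAP_PAYLOAD = build_simple_bind(1, "cn=stbind,o=ITSO", SAMPLE_PASSWORD)
ANONYMOUS_PAYLOAD = build_simple_bind(2, "", b"")
# First bytes of a TLS handshake record, as seen when the bind uses LDAP over SSL.
TLS_PAYLOAD = bytes([0x16, 0x03, 0x01, 0x00, 0x04]) + b"\x01\x00\x00\x00"

if __name__ == "__main__":
    for label, data in [("plain LDAP", PLAIN_LDAP_PAYLOAD),
                        ("anonymous bind", ANONYMOUS_PAYLOAD),
                        ("LDAP over SSL", TLS_PAYLOAD)]:
        print(label, "->", inspect_bind(data))
```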
Note: For detailed information about implementing SSL on Domino servers,
see the IBM Redbook, Lotus Security Handbook, SG24-7017.
Important: Use of SSL is strongly recommended only if there is a risk of
eavesdropping or other security risks. We do not recommend it in all cases
due to possible performance implications.
4.2.7 Installing and configuring the Extended Products
Each of the Extended Products works in conjunction with the server platform.
The general procedure will be to take the relevant Domino server down, install
the Extended Product, bring the server back up, and configure the Extended
Product. After installing each product, we verified the basic integration with the
other products. Each of the installation and configuration procedures will be
outlined in the following sections of this chapter:
- Section 4.3, "Lotus Instant Messaging and Web Conferencing server" on page 110
- Section 4.4, "Notes client installation and configuration" on page 118
- Section 4.5, "Domino Web Access configuration" on page 126
- Section 4.6, "Lotus Team Workplace server" on page 138
- Section 4.7, "Domino Document Manager server" on page 161
- Section 4.8, "Lotus Workflow" on page 180
4.3 Lotus Instant Messaging and Web Conferencing server
As with the Domino hub/directory server, installation of a standard Lotus Instant
Messaging and Web Conferencing (formerly called Sametime) server is very
straightforward. We provide the procedure for installing an Instant Messaging
and Web Conferencing server into a Domino infrastructure in the following
sections.
4.3.1 Initial Instant Messaging and Web Conferencing installation
For the initial installation of Lotus Instant Messaging and Web Conferencing,
complete the following steps:
1. Verify that the intended server meets the minimum hardware and operating
system requirements to support Lotus Instant Messaging and Web
Conferencing 6.5.1.
2. Stop the Domino server on which Lotus Instant Messaging and Web
Conferencing will be installed.
Note: As a best practice, we recommend that the Domino executables and
data files reside on the same relative drive for the Instant Messaging and Web
Conferencing server.
In earlier releases of Domino, some customers encountered problems with a
split configuration between Domino and Sametime. For earlier versions of
Lotus Instant Messaging and Web Conferencing, Lotus support recommended
that customers who had split drives simply copy and paste the program files
onto the same relative position on the data drive, essentially having two copies
of all of the program files.
We believe that this has been corrected by later releases of Lotus Instant
Messaging and Web Conferencing, but did not have the opportunity to
explicitly test a split configuration for this book.
3. Reset the Lotus Domino service from Automatic to Manual.
4. Restart the Windows server.
5. Use the Lotus Instant Messaging and Web Conferencing CD or expand the
downloaded file and run setup.exe to install the Lotus Instant Messaging and
Web Conferencing code.
6. Accept the license agreement.
7. Verify that the installation directories match the Domino server directories and
allow the installation to continue; when prompted, click Finish.
8. When prompted, browse to and select the ID file of the Domino server:
D:\Lotus\Domino\Data\server.id
9. Select Domino Directory from the drop-down list (we chose the Domino
Directory for our scenario, but Lotus Instant Messaging and Web
Conferencing also supports LDAP directories).
10. Do not allow HTTP tunneling unless you are an experienced administrator
and know that you need it (often used for access by clients who cannot use
the standard Lotus Instant Messaging and Web Conferencing ports, for
example, because their corporate network security policies restrict them to
port 80).
11. Do not configure Lotus Instant Messaging and Web Conferencing to be
managed by an Enterprise Meeting Server.
12. Wait while Lotus Instant Messaging and Web Conferencing configures itself.
13. Reset the Lotus Domino service from Manual to Automatic.
Tip: If you want to switch to an LDAP directory after you have set up the
Instant Messaging and Web Conferencing server, it is easier to uninstall
and reinstall it than to try to reconfigure it. A lot of things get configured in
the background, and it can be difficult to change them all manually after the
fact. See 5.4.9, Converting from native Domino to Domino LDAP
authentication on page 289 for additional information about switching
authentication from Domino to LDAP.
Note: When Lotus Instant Messaging and Web Conferencing is configured
for tunneling, chat and awareness do not work in Domino Web Access
without a workaround. See Technote #1161236 in the Knowledge Base for
more information about this issue. See 5.4.7, "Post-upgrade Lotus Instant
Messaging integration" on page 273 for a description of the workaround.
14. Restart the Domino server that supports Instant Messaging and Web
Conferencing.
Lotus Instant Messaging and Web Conferencing configuration that happens in the background
Instant Messaging and Web Conferencing automatically configures the server for
multiserver single sign-on, as follows:
- If not already configured, Lotus Instant Messaging and Web Conferencing will
  set the server for multiserver single sign-on authentication and create a Web
  SSO document. If it detects that this has already been done, it leaves the
  existing settings unchanged.
- If not already created, Lotus Instant Messaging and Web Conferencing
  creates the Domino Web Configuration database.
- Sametime creates and configures a Sign In Form Mapping document in the
  Domino Web Configuration database to support single sign-on, as shown in
  Figure 4-20 on page 108.
Figure 4-22 Sign In Form Mapping document
4.3.2 Post-installation configuration
This section shows you the method for configuring the default HTTP home page
and accessing the Administration features of the Instant Messaging and Web
Conferencing server.
Note: It takes a while for all of the Lotus Instant Messaging and Web
Conferencing services to run. Even after the console says, "Instant
Messaging and Web Conferencing (Sametime) server: Running," some
services are still being loaded in the background.
Configuring the default HTTP home page
To configure the default HTTP home page, complete the following steps:
1. Open the Instant Messaging and Web Conferencing server's Server
document for editing and navigate to the Internet Protocols → HTTP tab.
2. In the Mapping section, change the Home URL to /stcenter.nsf?Open, as
shown in Figure 4-23.
Figure 4-23 Instant Messaging and Web Conferencing server Home URL
3. Save and close the document.
4. Restart the server.
Testing the results
When you enter the URL for the Instant Messaging and Web Conferencing
server, for example, http://bsc1st.cam.itso.ibm.com, you should see the
window shown in Figure 4-24 on page 114.
Figure 4-24 Instant Messaging and Web Conferencing (Sametime) server home page
When you attempt to do something that requires authentication (for example,
administer the server), you should see the window shown in Figure 4-25.
Figure 4-25 Instant Messaging and Web Conferencing SSO logon window
Administering the server
This section does not show you all of the administration features of the Instant
Messaging and Web Conferencing server. Instead, we introduce you to
configuring the server. For more information about all of the configuration
options, see the Lotus Instant Messaging and Web Conferencing Administrator's
Guide.
To administer the server, complete the following steps:
1. In a Web browser, enter the URL for the Instant Messaging and Web
Conferencing server:
http://bsc1st.cam.itso.ibm.com
This opens the home URL for the Instant Messaging and Web Conferencing
server as previously defined. See Figure 4-24 on page 114.
2. At the bottom of the page, click the Administer the Server link.
3. When prompted, enter the administrator's ID and password.
4. Browse through the Configuration options, but do not change anything at this
point (notice that the directory is configured for Domino and not LDAP). See
Figure 4-26.
Figure 4-26 Instant Messaging and Web Conferencing administration tool
4.3.3 Post-configuration integration verification
This section describes the post-configuration integration verification steps.
Verifying functionality of Instant Messaging chat
To verify the functionality of Lotus Instant Messaging and Web Conferencing
chat, complete the following steps:
1. Use a browser to navigate to the Instant Messaging and Web Conferencing
server.
2. Click the Launch Sametime Connect link.
3. Enter a valid user name and password (previously created).
4. You should see the user's name with a green square next to it, indicating that
the user is active, as shown in Figure 4-27.
Figure 4-27 Lotus Instant Messaging (Sametime) Connect test
5. Log on from another machine using a different account and test the chat
functionality between the users.
Verifying that Web Conferencing meetings function
To verify that Web Conferencing meetings function, complete the following steps:
1. Use a browser to navigate to the Instant Messaging and Web Conferencing
server.
2. Click the Schedule a Meeting link.
3. If prompted, enter a user name and password for someone authorized to
create meetings (the default setup allows anonymous users to create
meetings).
4. Enter a meeting name. Select Start Now and click Save to launch the
meeting, as shown in Figure 4-28.
Figure 4-28 Create a new meeting
5. The meeting should open in a new window.
6. Log on from another browser as another user and join the meeting (select
Attend a Meeting from the Instant Messaging and Web Conferencing server
home page).
7. Test the tools in the meeting (whiteboard, screen sharing, and so on), as
shown in Figure 4-29 on page 118.
Note: It might take a few minutes to completely load the meeting applets. If
your workstation has a significantly different time than the server, you might
need to get them synchronized to get the meeting to start. You might
also be prompted to trust IBM to download some software. Click Yes, or
the applets will not load and you will not get into the meeting.
Figure 4-29 Testing a Web Conferencing (Sametime) meeting
4.4 Notes client installation and configuration
The Notes client must be configured to work with the Instant Messaging and Web
Conferencing server in order to take advantage of presence awareness and the
chat utility.
4.4.1 Directory considerations
When Notes displays the awareness status for a name, it passes that name as
displayed to the Instant Messaging and Web Conferencing server for lookups in
that server's directory. Usually, this is the Notes abbreviated format (that is,
Brooke Harrison/EBS), although other formats can be found in e-mail, because
names can be received from the Internet. In order for the name to be found, the
directory needs to support a lookup of a Notes abbreviated name. If the directory
is a Domino Directory, this occurs by default. However, if the directory is an LDAP
directory, you might need to configure how the Instant Messaging and Web
Conferencing server performs a name lookup with the LDAP server.
As previously mentioned, the default Instant Messaging preference is to send
hierarchical names. If this is used in the client, you must add a note item
containing the hierarchical name and modify the LDAP schema to add an LDAP
attribute that maps to this Note item if it does not yet exist. In addition, you will
need to modify the Instant Messaging LDAP search. Ultimately, this will ensure
that the LDAP directory has a Notes abbreviated name attribute for each of its
entries.
Alternatively, if Lotus Instant Messaging uses LDAP, you can set the Notes client
preference to send canonical names. If you do this, make sure that you installed
the Lotus Instant Messaging and Web Conferencing 6.5.1 first maintenance
release. This configuration works without modifying Person documents or the
LDAP schema.
4.4.2 Client configuration
If you just upgraded the Notes client or you are installing the client for the first
time, you will be presented with the opportunity to configure the client settings for
instant messaging integration. Except for the Instant messaging server name
value, the defaults should work for this setup. If you change the When to
connect field to Manually, the user will have to remember to log on to instant
messaging in order to gain presence awareness and chat capabilities.
If you previously assigned an Instant Messaging and Web Conferencing server to
your users (through their Person documents or through Desktop Settings and
Policy documents), the Instant messaging server name field might already be
filled in with that value. However, this does not always work for all users. If the
field is blank, you will need to enter a reference to the Instant Messaging and
Web Conferencing server. The reference can be in the form of the fully qualified
host name of the server (see Figure 4-30) or the abbreviated Domino server
name, for example, bsc1st/ITSO.
Note: Within the scope of our testing of Instant Messaging and LDAP
authentication, changing the Notes client preference to use the canonical
name format (for example, CN=Ted Stanton/O=IBM) instead of the abbreviated
name format (for example, Ted Stanton/IBM) when attempting to resolve the
user in the Lotus Instant Messaging and Web Conferencing directory option
had no apparent effect on the Notes client awareness functionality.
This issue has been noted in SPR TPAE5WJKBZ and has been resolved in
the Notes Release 6.5.2 client.
Figure 4-30 Instant Messaging Setup in the Notes client
Lotus Instant Messaging services are configured in the Location document for
the end user. If end users make use of more than one Location document, each
Location document must be configured. The Instant Messaging Setup tool
configures the Office Location document for new installations (or the current
Location document for upgrades). Other Location documents have to be
configured manually. Edit the user's Location document and add the Instant
Messaging server to the Instant Messaging Server field on the Servers tab and
confirm the settings on the Instant Messaging tab, as shown in Figure 4-31 on
page 121.
Figure 4-31 Notes client Location document settings for Instant Messaging
Port 1533 is the standard Lotus Instant Messaging and Web Conferencing
instant messaging port. If you are having trouble connecting to the Instant
Messaging and Web Conferencing server, check to make sure that this port
matches the port configured on the Instant Messaging and Web Conferencing
server and that the network does not block connections for that port.
4.4.3 General instant messaging preferences in the Notes client
In the User Preferences (File → Preferences → User Preferences), there are
additional settings under the Instant Messaging tab, as described in the following
sections.
Show instant messaging status for names
In the General/Configuration section, the Notes client can be configured to show
the instant messaging status next to names. A green square indicates that the
user is active. A yellow square indicates that the user is away. A round circle with
a line through it indicates do not disturb. This option displays the instant
messaging awareness next to any name if the database design has awareness
capabilities built-in. See Figure 4-32 on page 122.
Figure 4-32 General tab for User Preferences
Log onto IBM Lotus Instant Messaging using Single Sign-On (SSO)
The Notes client also has the ability to log on to Lotus Instant Messaging using
single sign-on (SSO). This enables your Notes client to use the Instant
Messaging server's multiserver authentication feature, assuming the Instant
Messaging and Web Conferencing server is configured for SSO. In other words,
if you log on to Notes, you do not need to enter your Internet password as you
would to log on to a stand-alone instant messaging client. You do not even need
to have an Internet password set in your Person document.
Restriction: The Notes SSO feature is only available for Notes clients
installed on a Windows operating system.
As of this writing, there is no desktop policy to push down this user preference to
your users, and by default, it is not enabled. If you want to enable this for your users
without physically touching their desktops, use the LotusScript code shown in
Example 4-1 in a button or database open event. This code will add or modify the
Notes.ini file and insert or update the following parameter:
IM_ENABLE_SSO=1
Example 4-1 LotusScript to enable Notes client SSO for Lotus Instant Messaging
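Sub Click(Source As Button)
    ' Button Click event; the same body can be placed in a database open event.
    Dim session As New NotesSession
    ' The third argument (True) writes IM_ENABLE_SSO as a system variable,
    ' that is, without the "$" prefix in Notes.ini.
    Call session.SetEnvironmentVar("IM_ENABLE_SSO", "1", True)
End Sub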
Use canonical name for instant messaging status lookup
This setting changes the lookup process to use the canonical name format (for
example, CN=Ted Stanton/O=IBM) instead of the abbreviated name format (for
example, Ted Stanton/IBM) when attempting to resolve the user in the Lotus
Instant Messaging and Web Conferencing directory. This setting only applies if
the Instant Messaging and Web Conferencing server is also configured to look
up the canonical format instead of the abbreviated format. In all of our testing
with the Domino Directory (native and LDAP authentication), changing this option
had no apparent effect on the Notes client awareness functionality.
Note: Since the time of our initial testing, this issue has been resolved with the
release of the Notes 6.5.2 client.
Invitation Messages
The Default text for invite to chat field enables Notes users to customize
invitations to chat. The default message appears when you send invitations to
more users to join a chat in-progress. You can also edit these messages at the
time you send an invitation. See Figure 4-33 on page 124.
Figure 4-33 Invitation to a meeting
Clear Instant Messaging Password
When you log on to the Instant Messaging server through the Notes client, you
have the option to save your password. If you choose not to make use of the
single sign-on feature, this method allows you to achieve similar functionality as
with single sign-on. Notes stores your Internet password and submits it to the
Instant Messaging and Web Conferencing server automatically when you log on
to Notes. To clear your password so that Notes will prompt you for your Internet
password when logging on, click Clear Instant Messaging Password. You will
then be prompted to enter your Notes password (not your Internet password) for
identity confirmation before your Instant Messaging password will be cleared
from the Notes client.
4.4.4 Instant messaging status preferences in the Notes client
The Status tab is where you configure the default messages for when you are set
to Active, Away, or Do Not Disturb. Your away message will automatically be
displayed if a user attempts to start a chat with you. You can also choose whether
to automatically use the configured message when changing status, or if you
want to edit the status message each time you change your status. This enables
Notes users to have several status messages. See Figure 4-34 on page 125.
Figure 4-34 Instant Messaging Status preferences
4.4.5 Optional configuration: Autofade the contact list
The Notes Instant Messaging contact list has no minimize functionality. You
either have to move the list or hide (clear) the list if you want to see behind it. If
you want to keep the contact list open but out of the way, consider enabling the
Autofade option in the Notes client Notes.ini file:
AutoFadeIMContactList=(value between 1 and 100)
When Autofade is enabled, the contact list becomes partially transparent when
you change the focus from the contact list to the Notes client. For example, if you
use a value of 25, the contact list will display 25% opaque and 75% transparent
when it does not have the focus. When you want to make use of the contact list,
place your cursor over the list; the transparency disappears, and the list is 100%
opaque.
4.5 Domino Web Access configuration
IBM Lotus Domino Web Access provides you with advanced messaging and
collaborative functionality through a Web browser.
After your Domino Directory and mail servers are installed and configured (see
4.2, Domino hub/directory server on page 91), there are several
post-installation configuration tasks to be completed before Domino Web Access
will act as expected. There are also some optional configuration tasks. We
discuss the post-installation tasks and optional tasks in the following sections.
4.5.1 Server tasks
The mail server must be running HTTP, and the mail files must be based on the
Domino Web Access 6 template (iNotes6.ntf). If you followed the previous steps
for creating the mail server, HTTP should be already running on the server. If not,
you can type load http at the server console and add the task to the
ServerTasks line in the Notes.ini file so that it will load automatically whenever
the server starts.
4.5.2 Defining the Instant Messaging server for users
There are two methods to define the Instant Messaging and Web Conferencing
server for end users:
Add the name of the Instant Messaging and Web Conferencing server (in
hierarchical format, for example, bsc1st/ITSO) to the Person document of
each user, as shown in Figure 4-35 on page 127.
Note: When the Notes client is busy performing certain tasks, the Notes
Instant Messaging functionality is unavailable. Not until Notes has completed
the task (for example, opening large documents, rebuilding a view, or
performing a full text search) can you access the Instant Messaging contact
list, initiate a new chat, or continue an existing chat. In Notes, certain tasks are
performed in the foreground and others in the background (for example,
replication and saving attachments). Tasks that are performed in the
background do not affect Instant Messaging functionality.
Figure 4-35 Add Instant Messaging and Web Conferencing server to Person document
Set the same Instant Messaging and Web Conferencing server for all users
on a Domino Web Access server:
a. In an environment where there is only one Instant Messaging and Web
Conferencing server, or where all users on a given Domino Web Access
server always use the same Instant Messaging and Web Conferencing
server, you can use a Notes.ini variable on the Domino Web Access
server to refer all Lotus Instant Messaging and Web Conferencing
connections to a specific server:
iNotes_WA_SametimeServer=bsc1st.cam.itso.ibm.com
Note that the name of the Instant Messaging and Web Conferencing
server in this setting must be the fully qualified host name of the server.
b. Restart the Domino Web Access server for the Notes.ini setting to take
effect.
Tip: If you create an agent to add the Instant Messaging and Web
Conferencing server to many Person documents at a time, be sure to
specify the full canonical name in the field:
FIELD SametimeServer := CN=bsc1st/O=ITSO
Domino will not recognize the data entered from an agent as a valid name
if you do not enter it in canonical format.
4.5.3 Turning off use of the Secrets and Tokens database
By default, Domino Web Access tries to use the Lotus Instant Messaging and
Web Conferencing Secrets and Tokens authentication. If you want to enable
Domino Web Access to use SSO, you must turn this off. Although not technically
required, we strongly recommend that you do this, because SSO is a critical new
support feature across all of the 6.5.1 products, including the Notes client. To
convert to SSO, complete the following steps:
1. Add the following line to the Domino Web Access server Notes.ini file:
iNotes_WA_SametimeToken=0
2. Remove any copies of STAuthS.nsf or STAuthT.nsf from the Domino Web
Access server if they exist from a previous installation.
3. Remove any replication connection records between the Domino Web Access
and Instant Messaging and Web Conferencing servers that were dedicated to
STAuthS.nsf or STAuthT.nsf.
4. Restart the server for the Notes.ini setting to take effect.
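The settings from 4.5.1 through 4.5.3 can be checked together before the restart. The following is an added example, not IBM code: the function names, the sample Notes.ini text, and the file list are constructed, and matching variable names case-insensitively is an assumption of this sketch.

```python
import re

# Constructed sample inputs (not taken from a real server).
SAMPLE_NOTES_INI = """\
[Notes]
ServerTasks=Update,Replica,Router,AMgr,AdminP,HTTP
iNotes_WA_SametimeServer=bsc1st/ITSO
"""
SAMPLE_DATA_FILES = ["names.nsf", "log.nsf", "STAuthS.nsf"]

# Secrets and Tokens databases named in 4.5.3.
SECRETS_DBS = {"stauths.nsf", "stautht.nsf"}

# Dotted host name ending in an alphabetic top-level label.
HOSTNAME = re.compile(
    r"^(?=.{1,253}$)([A-Za-z0-9]([A-Za-z0-9-]{0,61}[A-Za-z0-9])?\.)+[A-Za-z]{2,63}$"
)


def parse_ini(text):
    """Return Notes.ini settings as a dict keyed by lower-cased variable name."""
    settings = {}
    for line in text.splitlines():
        key, sep, value = line.partition("=")
        if sep:
            settings[key.strip().lower()] = value.strip()
    return settings


def check_dwa_sso(notes_ini_text, data_dir_files):
    """Return a list of findings for a Domino Web Access server being moved to SSO."""
    ini = parse_ini(notes_ini_text)
    findings = []

    # 4.5.1: HTTP must be loaded from the ServerTasks line.
    tasks = [t.strip().lower() for t in ini.get("servertasks", "").split(",")]
    if "http" not in tasks:
        findings.append("ServerTasks does not load HTTP")

    # 4.5.2: the server-wide setting takes a fully qualified host name,
    # not the hierarchical name used in Person documents.
    server = ini.get("inotes_wa_sametimeserver")
    if server is not None and not HOSTNAME.match(server):
        findings.append(
            f"iNotes_WA_SametimeServer={server!r} is not a fully qualified host name"
        )

    # 4.5.3: SSO requires Secrets and Tokens authentication to be turned off.
    token_off = ini.get("inotes_wa_sametimetoken") == "0"
    if not token_off:
        findings.append("iNotes_WA_SametimeToken=0 is not set")

    # 4.5.3 step 2: once turned off, leftover secrets databases should be removed.
    leftovers = sorted(f for f in data_dir_files if f.lower() in SECRETS_DBS)
    if token_off and leftovers:
        findings.append("leftover Secrets and Tokens databases: " + ", ".join(leftovers))
    return findings


if __name__ == "__main__":
    for finding in check_dwa_sso(SAMPLE_NOTES_INI, SAMPLE_DATA_FILES):
        print("FINDING:", finding)
```
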
4.5.4 Copying key files between servers
Certain files must be copied between the Domino Web Access and Instant
Messaging and Web Conferencing servers in order for presence awareness to
work.
From the Domino Web Access server to the Instant Messaging
and Web Conferencing server
This is not necessary in a pure Domino 6.x environment. It is necessary only in a
mixed environment (that is, when both forms5.nsf and forms6.nsf are being
used).
Copy the SametimeApplet folder (and all its contents) from the Domino Web
Access server to a folder with the same name and the same relative location on
the Instant Messaging and Web Conferencing server, for example:
D:\Lotus\Domino\Data\domino\html\SametimeApplet
Note: If you do not turn off the Domino Web Access use of the Secrets and
Tokens databases, you must make a replica of the Instant Messaging and
Web Conferencing server's Secrets database (STAuthS.nsf) in the Data
directory of the Domino Web Access server. If you turn on the secrets
generator agent (found in STAuthS.nsf), you will also need to set up a regular
replication schedule between the servers for this database so that their
secrets remain synchronized.
From the Instant Messaging and Web Conferencing server to
the Domino Web Access server
Copy the stlinks folder (and all its contents) from the Instant Messaging and Web
Conferencing server to a folder with the same name and the same relative
location on the Domino Web Access server, for example:
D:\Lotus\Domino\Data\domino\html\sametime\stlinks
This folder name is not case sensitive. Because there are so many files in this
folder, it is easiest to select the folder and copy it and its contents all at once.
Client configuration
Each user must enable instant messaging when they access their mail on the
Domino Web Access server. To enable instant messaging, complete the following
steps:
1. Access the mail file on the Domino Web Access server with a browser.
2. In the upper-right corner of the window, click the Preferences link, as shown
in Figure 4-36.
Figure 4-36 Preferences link in Domino Web Access
3. Click the Other link in the navigation panel, and then select Enable Instant
messaging in the Instant messaging section, as shown in Figure 4-37 on
page 130.
Important: Be aware that the folder name is case-sensitive. If you create the
folder manually, be sure to match the name precisely.
Tip: If your users will be using a Mozilla browser, you might need to replace
the stlinks.jar file with a signed version. This will be available from the
toolkit\stlinksignedapplet directory on the Lotus Instant Messaging and Web
Conferencing installation CD 2. You should also check LDD for new versions
of this file.
Figure 4-37 Enable instant messaging in the Domino Web Access client
4.5.5 Domino Web Redirector
Lotus has included a redirector that will take users directly to their mail file
whenever they log on to their mail server. In combination with SSO, this makes it
very easy for users to move between applications and their mail. This is not
strictly necessary for integration with Sametime, but users find it very helpful.
To configure the Domino Web Redirector, complete the following steps:
1. Create the Web Access Redirector database (see Figure 4-38 on page 131):
a. With the Notes client, create a new Web Redirector database by pressing
Ctrl+N or select File → Database → New.
b. Select the mail server as the server.
c. Type in a name for the new database, for example, Web Mail Redirect.
d. Type in a file name for the new database, for example,
webmailredirect.nsf.
e. Choose the mail server as the template server.
f. Select the Domino Web Access Redirect template (iwaredir.ntf).
g. Click OK and the database will be created.
Figure 4-38 Create the Web Mail Redirector database
2. Configure the Web Access Redirector database (see Figure 4-39 on
page 132):
a. Open the Web Redirector database you just created.
b. Click the Setup button to enter the configuration utility.
c. Click Server Settings and select MailServer.
Figure 4-39 Select MailServer for the type of redirector
d. If desired, you can customize some of the UI settings, but it is not
necessary to do so.
e. On the Application Setup page, click the Click to Auto Set ACL Settings
link to enable the default settings (you might want to tighten the security of
the database, depending on the security policies of your organization).
f. Save and exit the Domino Web Access Redirector utility.
3. Configure the server to use the Web Access Redirector database:
a. Open the Domino Directory on the Domino Web Access server.
b. Edit the Domino Web Access Server document.
c. Under the Internet Protocols → HTTP tab, enter the file name for the
Redirector database just created followed by ?Open (see Figure 4-40 on
page 133). For example:
/webmailredirect.nsf?Open
d. Restart the HTTP process on the Domino Web Access server.
Figure 4-40 Configuration of Web Mail Redirector
4. Test the Web Access Redirector:
a. Using a Web browser, type in the URL for the Domino Web Access server.
b. Enter your name and password when prompted.
c. You will see the Redirector for a few seconds, as shown in Figure 4-41,
and then your mail file should open.
Figure 4-41 Mail Redirector
4.5.6 Configuring the server to use the new DWALogin form
If you have configured the server to use the Domino Web Access Redirector
utility, you can also configure it to use the new DWALogin form. This will give a
consistent look and feel to the Domino Web Access server. To configure this,
complete the following steps:
1. Create the Domino Web Server Configuration database on the Domino Web
Access server (see Figure 4-42 on page 134):
a. In the Notes client, press Ctrl+N or select File → Database → New to
open the New Database dialog box.
b. Select the Domino Web Access server for the Server field.
c. In the Title field, enter a title for the database, for example, Dom Web
Config.
d. In the File name field, enter domcfg.nsf (this exact file name is required).
e. In the Template Server field, select the Domino Web Access server.
f. Select Show advanced templates.
g. Select the Domino Web Server Configuration (6) template
(domcfg5.ntf).
h. Review the settings and click OK to create the database.
Figure 4-42 Sample settings for domcfg.nsf
2. Configure the Sign In form (see Figure 4-43 on page 135):
a. Open the domcfg.nsf database you just created.
b. Add a new mapping by clicking Add a mapping.
c. The Target Database should be the Web Redirector database you created
in 4.5.5, Domino Web Redirector on page 130.
d. The Target Form should be DWALoginForm.
Figure 4-43 Mapping configuration for Domino Web Access logon
3. Save the document and exit the database (you do not need to restart the
HTTP services on the Domino Web Access server; these changes are
activated instantly).
When users access the Domino Web Access server with a browser, they should
now see the new logon form, as shown in Figure 4-44.
Figure 4-44 New Domino Web Access logon form
4.5.7 Configuring the chat client
You can optionally configure Domino Web Access to use the full Instant
Messaging Connect for browsers client (also called the JavaConnect client) when
a user clicks the Chat link (Figure 4-45).
Figure 4-45 Domino Web Access Chat link
Without this configuration, the user sees a directory dialog box when the user
clicks the Chat link, as shown in Figure 4-46.
Figure 4-46 Default Chat interface in Domino Web Access
To configure Instant Messaging Connect for browsers in Domino Web Access,
complete the following steps:
1. Edit the Notes.ini file on the Domino Web Access server and add the following
line:
iNotes_WA_SametimeJavaConnect=1
2. Restart the Domino Web Access server.
3. Observe the new client when a user clicks the Chat link, as shown in
Figure 4-47.
Figure 4-47 Domino Web Access launches Instant Messaging Connect for browsers
When the user clicks the Chat link, the Instant Messaging Connect client for
browsers is installed into the browser as a Web object. You can observe this in
Internet Explorer → Options → Settings → View Objects, as shown in
Figure 4-48 on page 138.
Figure 4-48 JavaConnect is installed automatically
4.6 Lotus Team Workplace server
As with the Domino hub/directory server, installation of a standard Lotus Team
Workplace (formerly called QuickPlace) server is very straightforward. We
provide the procedure for installing a Team Workplace server into a Domino
infrastructure in the following sections.
Tip: If a user's browser continues to bring up the standard chat interface
instead of the JavaConnect client, delete the JavaConnect client from their
downloaded program files directory (C:\WINDOWS\Downloaded Program
Files), as shown in Figure 4-48. This forces the browser to download and
install it again when the user clicks the Chat link. This might be necessary if a
user previously downloaded the JavaConnect client from a browser.
4.6.1 Initial Team Workplace installation
For the initial Lotus Team Workplace installation, complete the following steps:
1. Verify that the intended server meets the minimum hardware and operating
system requirements to support Team Workplace 6.5.1.
2. Stop the Domino server on which Team Workplace will be installed.
3. Reset the Lotus Domino service from Automatic to Manual.
4. Restart the Windows server.
5. Use the Team Workplace CD or expand the downloaded file and run
setup.exe to install the Team Workplace code.
6. Accept the license agreement.
7. Verify that the installation directories match the Domino server directories and
allow the installation to continue.
8. When prompted, enter the name and password for a Team Workplace
administrator, as shown in Figure 4-49.
Figure 4-49 Configure Team Workplace administrator
Important: This account and password are local to the Team Workplace
server. It must not match any entry in any Domino or LDAP directory used
for Team Workplace authentication.
9. When prompted, click Finish to complete the installation.
10. Reset the Lotus Domino service from Manual to Automatic.
11. Restart the Team Workplace server.
When the Team Workplace Domino server starts, you should see that the Team
Workplace server starts as part of the Domino HTTP services and recognizes
the SSO configuration. You should also see that Team Workplace has configured
the server with its own DSAPI filter. See Figure 4-50.
Figure 4-50 Log file showing normal startup of Team Workplace (QuickPlace)
4.6.2 Post-installation configuration
To make this Team Workplace server available to your users and to control how
they use it, you will want to make some configuration changes.
Domino Web Server Configuration database
Before you can log on to the Team Workplace server that has been enabled with
SSO, you must create a Domino Web Server Configuration database and direct
the SSO logon to use a specific Team Workplace logon form.
To create a Domino Web Server Configuration database, complete the following
steps:
1. Create the Domino Web Server Configuration database on the Team
Workplace server (see Figure 4-51 on page 141):
a. With the Notes client, press Ctrl+N or select File → Database → New to
open the New Database dialog box.
b. Select the Team Workplace server for the Server field.
c. In the Title field, enter a title for the database, for example, Dom Web
Config.
d. In the File name field, enter domcfg.nsf (this exact file name is required).
Note: If you have not enabled the server for multiserver (SSO) session
authentication, you do not need to do this to log on to the Team Workplace
server.
e. In the Template Server field, select the Team Workplace server.
f. Select Show advanced templates.
g. Select the Domino Web Server Configuration (6) template
(domcfg5.ntf).
h. Review the settings and click OK to create the database.
Figure 4-51 Creating the Team Workplace domcfg.nsf
2. Open the domcfg.nsf database you just created (see Figure 4-52 on
page 142):
a. Add a new mapping by clicking Add a mapping.
b. The Target Database should be \QuickPlace\resources.nsf.
c. The Target Form should be QuickPlaceLoginForm.
d. Save the document and exit the database.
Figure 4-52 Team Workplace (QuickPlace) Sign In Form Mapping
Team Workplace configuration
You can now log on to the Team Workplace server with the administrator account
and password that you created during the Team Workplace server installation.
The logon window should look like the one shown in Figure 4-53. If it does not,
you will need to go back through the SSO and domcfg steps until it does.
Figure 4-53 Team Workplace SSO logon form
To configure Lotus Team Workplace, complete the following steps (see
Figure 4-54 on page 143):
1. Define the user directory for Team Workplace:
a. From the main menu, select Server Settings.
b. On the next window, select User Directory.
c. Click the Change Directory button.
Figure 4-54 Navigate to User Directory settings
d. Specify the LDAP directory (see Figure 4-55 on page 144).
i. Select LDAP Server from the drop-down list.
ii. Enter the fully qualified host name of the LDAP server (we chose to
implement Domino LDAP from our hub server), for example:
bsc1hub.cam.itso.ibm.com
iii. If you have locked down anonymous access to the LDAP server, select
the option Check to use credentials specified below when
searching the directory and enter the appropriate user name and
password.
Important: Team Workplace requires an LDAP directory. You will see
Domino Directory as an option; however, this is only provided for
backward compatibility. It is not a supported configuration.
Figure 4-55 LDAP settings in Team Workplace
e. If you want your Team Workplace managers to only select names from the
LDAP directory (that is, not be able to create new local users) when adding
users to Team Workplaces, change the New Users option to Disallow
new users, as shown in Figure 4-56 on page 145.
Tip: The advantage of forcing the Team Workplace managers to use
the LDAP directory is that users in the directory do not have to
remember separate logons and passwords for every Team Workplace
and they will be able to view all of their Team Workplaces in one list.
The disadvantage is that you will not be able to grant access to your
Team Workplaces to anyone not specified in the directory. In other
words, if you want to give someone access, you have to ensure that
they are already in the directory.
Figure 4-56 New Users options in Team Workplace
f. Click Next, and Team Workplace will confirm that it can connect to the
LDAP directory.
Figure 4-57 Team Workplace confirmation of directory selections
2. Set security options:
From the Server Settings → Security link, you can add users and groups to
the two security levels:
The ability to create Team Workplaces on the server
The ability to administer the server
3. Optional: Assign super user privileges to a person or group.
Add a super user to the qpconfig.xml in order to grant someone or a group the
right to enter any Team Workplace on the server and any room as a manager.
Note: Even if you entered credentials for accessing the LDAP directory,
Team Workplace will tell you that it succeeded with anonymous access.
It actually did use the credentials, so just ignore this.
Note: If you use the directory to add users and groups to these fields,
people can use their existing accounts to work with Team Workplace, and
the original administrator account can be protected from general use. This
is also a good test of whether the Team Workplace server can see the
LDAP user directory you previously defined.
This can be useful if you need to access a place in order to do
troubleshooting.
A super user can also use the Server Settings room in the administration
place to administer the server. This is a very powerful setting and should be
configured with care.
To assign super user privileges:
a. Edit the qpconfig.xml file from the Team Workplace server Data directory
(if one does not exist, make a copy of the qpconfig_sample.xml file and
rename it qpconfig.xml).
b. Find and edit the section that begins <super_user enabled=...>.
i. Remove the comment line above the <super_user ...> line.
ii. Remove the comment line after the </super_user> line.
iii. Enable the super user feature in the first line:
<super_user enabled="true">
iv. Enter the credentials of the super user. You cannot give super user
access to a local user or a local group. The user must exist in the LDAP
directory as configured above.
For a single user:
<dn>cn=QuickPlace Admin,o=ITSO</dn>
For a group:
<dn>cn=QuickPlaceAdministratorsSUGroup</dn>
c. Save the changes. See Example 4-2.
Example 4-2 Super user configuration in a qpconfig.xml
<?xml version="1.0" encoding="UTF-8" standalone="yes"?>
<server_settings>
  <super_user enabled="true">
    <dn>cn=QuickPlace Admin,o=ITSO</dn>
  </super_user>
</server_settings>
4.6.3 Post-configuration integration
The steps in the following sections enable Lotus Instant Messaging and Web
Conferencing integration in the Team Workplaces created on this Team
Workplace server.
Enable online awareness
To enable online awareness, complete the following steps:
1. Obtain the Lotus Instant Messaging and Web Conferencing 6.5.1 Java Toolkit
from LDD and install it on the Instant Messaging and Web Conferencing
server.
2. On the Instant Messaging and Web Conferencing server, create the following
directory within the Domino Program directory and copy files to it:
\Lotus\Domino\Data\domino\html\QuickPlace\peopleonline
a. From the toolkit you just expanded, copy:
CommRes.jar (found in the toolkit in the \bin directory)
STComm.jar (found in the toolkit in the \bin directory)
b. From the Team Workplace server, copy:
Peopleonline31.jar (found in the Data\QuickPlace directory)
3. Specify the Instant Messaging and Web Conferencing server in the Team
Workplace server settings:
a. Log on to the Team Workplace server as an administrator.
b. Click Server Settings → Other Options → Edit Options.
c. Enter the fully qualified URL to the Instant Messaging and Web
Conferencing server in the Sametime Community Server field, as shown in
Figure 4-58.
d. Click Next to save the options.
Figure 4-58 Define Instant Messaging and Web Conferencing (Sametime) Servers in Team Workplace
4. Restart both the Lotus Instant Messaging and Web Conferencing and Team
Workplace servers.
Enable online meetings
To enable online meetings, complete the following steps:
1. Add a new user in the Domino Directory to be used by the Team Workplace
server for accessing the Instant Messaging and Web Conferencing server.
You can also use an existing account if you prefer.
2. Add the new user created above to the ACL of the stconfig.nsf database on
the Instant Messaging and Web Conferencing server (see Figure 4-59 on
page 149):
User type: Person
Access: Manager
Access Roles: [SametimeAdmin]
Note: You do not need to register this person with the Administrator client.
You can simply create a Person document, enter the name, and add the
Internet password. We used qpstintegrator/ITSO as the account name.
Tip: The ACL of the stconfig.nsf will have the administrator you named
during the setup of the Instant Messaging and Web Conferencing server as
the manager of the database. You will either need to switch to that ID or
use Full Access Administration to change the ACL. See the Lotus Domino
Administrator 6.5.1 Help file for more information about how to gain Full
Access Administration to a server.
Figure 4-59 ACL of the stconfig.nsf database
3. Copy files from the Domino Program directory of the Instant Messaging and
Web Conferencing server to the Domino Program directory of the Team
Workplace server:
\Lotus\Domino\STMtgManagement.jar
\Lotus\Domino\STCore.jar
\Lotus\Domino\ibmjsse.jar
4. Edit the Notes.ini file of the Team Workplace server:
a. Change the JavaUserClassesExt= line to:
JavaUserClassesExt=QPJC1,QPJC2,QPJC3,QPJC4,QPJC5,QPJC6,QPJC7,QPJC8
b. Add the following lines beneath similar lines:
QPJC6=D:\Lotus\Domino\ibmjsse.jar
QPJC7=D:\Lotus\Domino\STCore.jar
QPJC8=D:\Lotus\Domino\STMtgManagement.jar
c. The final entries should look similar to Example 4-3 (be sure to adjust for
your server's actual drive letter and directory path).
Example 4-3 Instant Messaging configuration in Team Workplace server's notes.ini
JavaUserClassesExt=QPJC1,QPJC2,QPJC3,QPJC4,QPJC5,QPJC6,QPJC7,QPJC8
QPJC1=D:\LOTUS\DOMINO\quickplace.jar
QPJC2=D:\LOTUS\DOMINO\xercesImpl.jar
QPJC3=D:\LOTUS\DOMINO\xalan.jar
QPJC4=D:\LOTUS\DOMINO\xml-apis.jar
QPJC5=D:\LOTUS\DOMINO\log4j-118compat.jar
QPJC6=D:\LOTUS\DOMINO\ibmjsse.jar
QPJC7=D:\LOTUS\DOMINO\STCore.jar
QPJC8=D:\LOTUS\DOMINO\STMtgManagement.jar
5. Edit the qpconfig.xml file (in the Data directory on the Team Workplace
server):
a. If it does not exist, make a copy of the sample_qpconfig.xml file and
rename it qpconfig.xml.
b. Find a section called <sametime local_users...>.
i. Remove the Sample lines before and after this section to activate it.
ii. Edit the credentials line and enter the new user you just created.
Tip: Many administrators find it easier to work with a smaller
qpconfig.xml file rather than scroll through everything found in
qpconfig_sample.xml file. If you want to create a new qpconfig.xml
file and copy in the relevant code, be sure to include the lines
<server_settings> and </server_settings> at the beginning and
end of the file. Otherwise, the server will not recognize your code. In
this case, the entire qpconfig.xml would look like Example 4-4.
Example 4-4 qpconfig.xml for integrating Instant Messaging and Web Conferencing
<?xml version="1.0" encoding="UTF-8" standalone="yes"?>
<server_settings>
  <sametime local_users="false" ldap="true">
    <meetings invite_servers="false">
      <tools>
        <audio enabled="true"/>
        <video enabled="true"/>
      </tools>
      <credentials>
        <dn>cn=qpstintegrator/o=ITSO</dn>
        <password>password</password>
      </credentials>
    </meetings>
  </sametime>
</server_settings>
iii. Save and close the file.
Tip: An easy way to test whether you have created a valid .xml file is
to open it with Internet Explorer. If it displays without any of the tags,
you know you have accurately included all of the tags for each line. A
common mistake is to not have matching beginning and ending tags
for a line or a section. See Figure 4-60 for examples of a malformed
and a correctly formed .xml file.
Figure 4-60 Incorrect and correct .xml files as displayed by Internet Explorer
6. Specify the Instant Messaging and Web Conferencing server in the Team
Workplace server settings:
a. Log on to the Team Workplace server as an administrator.
b. Click Server Settings → Other Options → Edit Options.
c. Enter the fully qualified URL to the Instant Messaging and Web
Conferencing server in the Sametime Meeting Server field (see
Figure 4-58 on page 147).
d. Click Next to save the options.
7. Restart the Team Workplace server.
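The two files edited in this procedure, and the super user section from 4.6.2, can be checked before the restart with a parser rather than by eye. The following is an added example, not IBM code: the function names are hypothetical, the sample qpconfig.xml combines Example 4-2 and Example 4-4 in one file as an assumption, and notes.ini variable names are matched exactly as written.

```python
import xml.etree.ElementTree as ET

# Constructed sample: Example 4-2 and Example 4-4 combined in one file (assumed layout).
SAMPLE_QPCONFIG = """<?xml version="1.0" encoding="UTF-8" standalone="yes"?>
<server_settings>
  <super_user enabled="true">
    <dn>cn=QuickPlace Admin,o=ITSO</dn>
  </super_user>
  <sametime local_users="false" ldap="true">
    <meetings invite_servers="false">
      <credentials>
        <dn>cn=qpstintegrator/o=ITSO</dn>
        <password>password</password>
      </credentials>
    </meetings>
  </sametime>
</server_settings>
"""

# Constructed sample: the notes.ini lines shown in Example 4-3.
SAMPLE_NOTES_INI = r"""JavaUserClassesExt=QPJC1,QPJC2,QPJC3,QPJC4,QPJC5,QPJC6,QPJC7,QPJC8
QPJC1=D:\LOTUS\DOMINO\quickplace.jar
QPJC2=D:\LOTUS\DOMINO\xercesImpl.jar
QPJC3=D:\LOTUS\DOMINO\xalan.jar
QPJC4=D:\LOTUS\DOMINO\xml-apis.jar
QPJC5=D:\LOTUS\DOMINO\log4j-118compat.jar
QPJC6=D:\LOTUS\DOMINO\ibmjsse.jar
QPJC7=D:\LOTUS\DOMINO\STCore.jar
QPJC8=D:\LOTUS\DOMINO\STMtgManagement.jar
"""

# Files copied from the Instant Messaging and Web Conferencing server in step 3.
REQUIRED_JARS = ("ibmjsse.jar", "STCore.jar", "STMtgManagement.jar")


def audit_qpconfig(xml_text):
    """Return (severity, message) findings for the text of a qpconfig.xml file."""
    try:
        root = ET.fromstring(xml_text)
    except ET.ParseError as exc:
        line, column = exc.position
        return [("error", f"not well-formed at line {line}, column {column}: {exc}")]
    if root.tag != "server_settings":
        return [("error", f"root element is <{root.tag}>, not <server_settings>")]
    if len(root) == 0:
        # Sections still wrapped in the SAMPLE comment markers are ignored by the parser.
        return [("warning", "no active sections; are the SAMPLE comment lines still in place?")]
    findings = []
    for su in root.iter("super_user"):
        if su.get("enabled", "").lower() != "true":
            continue
        dns = [d.text.strip() for d in su.findall("dn") if d.text and d.text.strip()]
        if not dns:
            findings.append(("error", "super_user is enabled but names no <dn>"))
        findings += [("review", f"super user rights granted to {dn}") for dn in dns]
    for cred in root.iter("credentials"):
        dn = (cred.findtext("dn") or "").strip()
        if not dn:
            findings.append(("error", "<credentials> has no <dn>"))
        if (cred.findtext("password") or "").strip():
            who = dn or "unknown account"
            findings.append(("review", f"password for {who} is stored in clear text"))
    return findings


def check_java_classes(notes_ini_text):
    """Return problems with the JavaUserClassesExt entries of a notes.ini text."""
    ini = dict(line.split("=", 1) for line in notes_ini_text.splitlines() if "=" in line)
    names = [n.strip() for n in ini.get("JavaUserClassesExt", "").split(",") if n.strip()]
    problems = [f"{n} is listed in JavaUserClassesExt but has no {n}= line"
                for n in names if n not in ini]
    # Compare file names only, ignoring case, because drive and path vary per server.
    jars = {ini[n].replace("\\", "/").rsplit("/", 1)[-1].strip().lower()
            for n in names if n in ini}
    problems += [f"{jar} is not on the class path"
                 for jar in REQUIRED_JARS if jar.lower() not in jars]
    return problems


if __name__ == "__main__":
    for severity, message in audit_qpconfig(SAMPLE_QPCONFIG):
        print(f"{severity.upper()}: {message}")
    for problem in check_java_classes(SAMPLE_NOTES_INI):
        print("ERROR:", problem)
```

The "review" findings are not errors: they list every DN holding super user rights and every account whose password sits in the file, which is the information needed when deciding who may read qpconfig.xml.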
Test the Lotus Team Workplace and Instant Messaging and
Web Conferencing integration
To test the Lotus Team Workplace and Instant Messaging and Web Conferencing
integration, complete the following steps:
1. Log on to Team Workplace as a user from the LDAP directory (presence
awareness is only supported for directory users, not local users such as the
original Team Workplace administrator account).
2. Test the presence awareness:
a. You should initially see a gray dot, but it should change to a green square
after a period of time (you can observe an applet loading in the status bar
of the browser).
b. Go to the members page and observe whether online awareness is
working for other users.
3. Test online meetings (see Figure 4-61 on page 154):
a. Click New and select Online Meeting from the options.
b. Give the meeting a name.
c. Select the Start now option.
d. Click Publish As.
e. Select the option for invitees to receive an e-mail and click Next.
f. Add an invitee to the list.
g. Click Next twice to publish the calendar page.
h. Go to the calendar entry and click it.
i. You should be given the option to go to the meeting.
Figure 4-61 Link to Web Conferencing meeting from Team Workplace
4.6.4 Optional configurations
You can use the qpconfig.xml file to manipulate the way users move between
places. We describe two new settings in the following sections.
Open places in a new browser window
This setting makes it easier for users to have multiple places open at one time.
When a user clicks a link to a place, it will open in a new browser window instead
of the current browser window.
To open places in a new browser window, complete the following steps:
1. Edit the qpconfig.xml file (in the Data directory on the Team Workplace
server):
a. If it does not exist, make a copy of the sample_qpconfig.xml file and
rename it qpconfig.xml.
b. Find a section called <my_places> (see Example 4-5 on page 155).
i. Remove the Sample lines before and after this section to activate it.
ii. To avoid doing something you do not intend, delete everything between
the <my_places> and </my_places> brackets except for the line
<place_links open_new_window="true"/>.
iii. Save the change (see Example 4-6 on page 155) and close the file.
Example 4-5 My_Places section of qpconfig.xml
<!-- =============== START OF SAMPLE =================
<my_places>
  <display_columns>
    <column name="title" enabled="true" />
    <column name="last_modified" enabled="true" />
    <column name="size" enabled="true" />
  </display_columns>
  <sort order="ascending" />
  <results_per_page>10</results_per_page>
  <exclude_by_membership enabled="true">
    <dn>CN=AdminGroup,O=haiku</dn>
  </exclude_by_membership>
  <exclude_by_age enabled="false">
    <last_accessed older_than="30" younger_than="0" />
    <last_modified older_than="40" younger_than="0" />
  </exclude_by_age>
  <exclude_by_size enabled="false" over="100" under="2" />
  <include_anonymous enabled="false" />
  <place_ui enabled="true" show_in_main_place="false">
    <url></url>
  </place_ui>
  <place_links open_new_window="true"/>
</my_places>
=============== END OF SAMPLE =================== -->
Example 4-6 qpconfig.xml code to activate multiple browser windows feature
<my_places>
<place_links open_new_window="true"/>
</my_places>
2. Restart HTTP on the Team Workplace server.
When users click a place to enter it, a new browser window should open for that
place. This makes it easier for users to work in two or three places at a time,
instead of manually opening another browser window to go into a different Team
Workplace.
Open the My Places list in the current page
With this option, users can see all of their places in the current page instead of
switching to the Main page to see them. This makes it easier to navigate between
Team Workplaces and open new ones as needed.
To open the My Places list in the current page, complete the following steps:
1. Edit the qpconfig.xml file (in the Data directory on the Team Workplace
server):
a. If it does not exist, make a copy of the sample_qpconfig.xml file and
rename it qpconfig.xml.
b. Find a section called <my_places> (see Example 4-5 on page 155):
i. Remove the Sample lines before and after this section to activate it.
ii. To avoid doing something you do not intend, delete everything between
the <my_places> and </my_places> tags except for the lines
defining the place_ui setting.
iii. Save the change (see Example 4-7) and close the file.
Example 4-7 qpconfig.xml code to activate My Places list on all place pages
<my_places>
<place_ui enabled="true" show_in_main_place="false">
<url></url>
</place_ui>
</my_places>
2. Restart HTTP on the Team Workplace server.
Open a Team Workplace and navigate to a view with documents in it (for
example, the Discussion view). You should see a new link in the navigation pane
for all of your places, as in Figure 2-41 on page 56. The My Places link will open
the My Places list in the current place.
Note: If you have already trimmed this section down (for example,
from the previous option to open Team Workplaces in separate
windows), you can enter the additional text manually or simply copy
the portions that you need from the original qpconfig_sample.xml file
still in the Data directory on the server.
Note: In our testing, we found that this setting works for users who are not
administrators of the entire Team Workplace server. Administrators are still
taken back to the main Team Workplace even with this setting in place.
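Both procedures above make the same kind of edit: activate the commented <my_places> sample and keep only the wanted setting. The following added example (not part of the Redbook or the product) applies that edit to the file text and reports any sample setting that would become active unintentionally, such as exclude_by_membership. The <server_settings> root element, the abridged sample text, and all function names are assumptions made for illustration.

```python
import re
import xml.etree.ElementTree as ET

# Constructed stand-in for sample_qpconfig.xml, abridged from Example 4-5.
# The <server_settings> root element is an assumption; the page does not show it.
SAMPLE = """<?xml version="1.0"?>
<server_settings>
<!-- =============== START OF SAMPLE =================
<my_places>
<exclude_by_membership enabled="true">
<dn>CN=AdminGroup,O=haiku</dn>
</exclude_by_membership>
<include_anonymous enabled="false" />
<place_ui enabled="true" show_in_main_place="false">
<url></url>
</place_ui>
<place_links open_new_window="true"/>
</my_places>
=============== END OF SAMPLE =================== -->
</server_settings>
"""

COMMENT = re.compile(r"<!--(.*?)-->", re.S)
SECTION = re.compile(r"<my_places>.*?</my_places>", re.S)


def sample_section(text):
    """Return the <my_places> element, whether it is commented out or active."""
    for comment in COMMENT.finditer(text):
        found = SECTION.search(comment.group(1))
        if found:
            return ET.fromstring(found.group(0))
    found = SECTION.search(text)
    if found is None:
        raise ValueError("no <my_places> section found")
    return ET.fromstring(found.group(0))


def trimmed_section(sample_text, keep):
    """Build a <my_places> block holding only the settings named in keep."""
    source = sample_section(sample_text)
    section = ET.Element("my_places")
    section.text = "\n"
    for name in keep:
        setting = source.find(name)
        if setting is None:
            raise ValueError(f"sample has no <{name}> setting")
        setting.tail = "\n"
        section.append(setting)
    return ET.tostring(section, encoding="unicode")


def activate(config_text, section_xml):
    """Swap the commented sample (or an already active section) for section_xml."""
    replaced = []

    def swap(comment):
        if not replaced and SECTION.search(comment.group(1)):
            replaced.append(True)
            return section_xml
        return comment.group(0)

    result = COMMENT.sub(swap, config_text)
    if not replaced:
        result, count = SECTION.subn(lambda _: section_xml, config_text, count=1)
        if count == 0:
            raise ValueError("no <my_places> section to replace")
    # Parsing fails loudly if the edit left the file malformed.
    if len(ET.fromstring(result).findall(".//my_places")) != 1:
        raise ValueError("expected exactly one active <my_places> section")
    return result


def active_settings(config_text):
    """List the settings the server would read from <my_places>."""
    root = ET.fromstring(config_text)  # the parser skips commented samples
    section = root.find(".//my_places")
    return [] if section is None else [child.tag for child in section]


def unintended(config_text, wanted):
    """Settings that are active although the administrator did not ask for them."""
    return [tag for tag in active_settings(config_text) if tag not in wanted]
```

Run unintended() against the edited qpconfig.xml before restarting HTTP; an empty list means only the settings you chose are active.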
4.6.5 Optional integration with Domino Web Access
You can customize Team Workplace so that it will display a link in the Table of
Contents to users' mail files. This makes it easier for users to quickly check their
e-mail while working in Team Workplace.
Figure 4-62 Team Workplace customized with link to My Mail
Prerequisites
This requires the following prerequisites:
- Users' mail accounts must be on a server using the same SSO token as the
Team Workplace server.
- Users' mail accounts must be based on the Domino Web Access 6 template
(iNotes6.ntf).
Configure Web Access Redirector on a server
You can use Web Access Redirector on any server. If your organization only has
one mail server, the easiest thing to do is to reference the Redirector on that mail
server. For scalability and performance reasons, however, you might want to
configure a Redirector on the Team Workplace server. This will future-proof the
configuration in the event that you add mail servers. With multiple mail servers,
the Redirector on the Team Workplace server will discover the correct mail server
and send the user there. If you configure the Team Workplace link to reference a
particular mail server, and the user's mail file is on another mail server, that will
require two hops for the user to get to their mail file instead of one.
For specific instructions about setting up the Web Access Redirector, see 4.5.5,
Domino Web Redirector on page 130.
Create a new Team Workplace PlaceType
To create and configure a new Team Workplace PlaceType, complete the
following steps:
1. Create a new Team Workplace:
a. From the main Table of Contents, select Create a Place.
b. Add a Place name and descriptive phrase for the Team Workplace.
c. Enter your name and password and click Next for the new place to be
created and opened for you.
2. Customize the new Team Workplace; add a Link Page:
a. Click the New button and select a new Link Page, as shown in
Figure 4-63.
Figure 4-63 New Link Page
b. Give the Link Page a title, for example, My Mail.
c. Enter the URL to the Redirector database you want to reference (we
recommend using a Redirector database on the Team Workplace server).
d. Choose whether you want the mail file to appear in a different browser
window or to take over the current browser window.
Figure 4-64 Configure the link page
e. Click Publish.
f. When Team Workplace prompts you to select a location for the new Link
Page, select the Table of Contents and then decide where in the Table of
Contents to locate the link, as shown in Figure 4-65.
Figure 4-65 Put the link page in the Table of Contents
g. Click Next, and the page will be published. You should see the new link in
the Table of Contents.
3. Configure the Team Workplace to be usable as a PlaceType:
a. Select Customize from the Table of Contents.
b. In the Advanced Options section, select PlaceType Options and then
click Edit.
c. Select Yes in the Allow PlaceTypes to be created from this place option.
Figure 4-66 PlaceType Options
d. Change other options as desired and click Next.
e. Log out and close the browser window.
4. Create a PlaceType based on the customized Team Workplace:
a. Log on to the Team Workplace server as an administrator.
b. Select PlaceTypes from the Table of Contents.
c. Click Create PlaceType.
d. Give the PlaceType a title and select the Team Workplace you customized
previously as the basis for this PlaceType. See Figure 4-67.
Figure 4-67 Create a PlaceType
e. Click Next, and you should see the new PlaceType listed in the Available
PlaceTypes, as shown in Figure 4-68 on page 161.
Figure 4-68 Available PlaceTypes
f. If you want creators of Team Workplaces to only see the new PlaceType
when creating Team Workplaces, click the Show/Hide button and clear
the PlaceTypes you do not want displayed for users.
g. Log out of Team Workplace and close the browser window.
5. Create a Team Workplace based on the new PlaceType and test it:
a. Log on to Team Workplace as a non-administrator and create a Team
Workplace based on the new type.
b. Verify that the My Mail link appears in the Table of Contents of the new
Team Workplace.
c. Test the My Mail link to make sure that it redirects the user to his or her
mail file.
4.7 Domino Document Manager server
As with the Domino hub/directory server, installation of a standard Lotus Domino
Document Manager (formerly called Domino.Doc) server is very straightforward.
However, unlike the other Extended Products, the subsequent configuration of
the Domino Document Manager architecture requires detailed planning,
especially with respect to designing the Domino Document Manager topology.
You will want to carefully consider what kind of topology to implement for your
document management needs. Usually, you will want to survey the business
needs and build the topology around business processes. The Document
Manager Administrator's Guide contains an appendix with best practices. Review
these before you start. We provide the procedure for installing a Domino
Document Manager server and deploying a simple topology into a Domino
infrastructure in the following sections.
4.7.1 Domino Document Manager taxonomy
Domino Document Manager uses a classic library storage metaphor. From within
the library, you select a room (file room), pick a cabinet (file cabinet), open a
drawer, select a binder of documents, and finally select the document.
Figure 4-69, Figure 4-70, and Table 4-1 illustrate the mapping of these Domino
Document Manager objects to Domino objects.
Figure 4-69 Domino Document Manager taxonomy waterfall model
Tip: There is an Administrators Installation Guide in the \Docs directory on the
Document Manager CD. If you downloaded the installation package, you can
get this guide from the Lotus Developer Domain in the Technical
Library/Product Documentation area. The name of the file is ddmddig.pdf.
After you have installed Domino Document Manager, you can also find the
notes database version of this file in the domdoc directory (ddmddig.nsf).
Figure 4-70 Domino Document Manager navigator
Table 4-1 Domino Document Manager objects compared to Domino objects
Domino Document Manager objects   Domino objects
Library                           Database
File Room                         Category
File Cabinet                      Collection of Databases (a)
Binder Category                   Category
Binder                            ActiveX TOC/Notes Folder (b)
Document Category                 Category
Document                          Document
a. A file cabinet contains at least two Notes databases, one to hold the binder
profiles and another to hold the binder structures and documents. Within the
file cabinet profile, you can control the creation of more databases based on
thresholds such as database size and number of binders.
b. Depending on the options selected in the library and file cabinet profile, an
ActiveX TOC (Table Of Contents) or a Notes folder is used to build the binder
structures. Using the Notes folder option permits Notes developers to customize
the binder's look and feel.
Figure 4-71 on page 164 shows the library, file cabinet, binder, and document
topology within a Notes client with Instant Messaging awareness in the binder.
Figure 4-71 Library file cabinet binder topology in a Notes client
4.7.2 Preinstallation steps
Besides the normal preparation that you take when installing a new product
(server sizing, operating system level, Domino level), you should also
create a group in the Domino Directory for Domino Document Manager before
installing the Domino Document Manager 6.5.1 server.
For the group in the Domino Directory for Domino Document Manager, enter the
following values:
1. Group name: Domino Document Manager (Domino.Doc) Site Administrators
2. Members: At least one user who will be the Domino Document Manager
(Domino.Doc) administrator for the initial installation and configuration
4.7.3 Initial Domino Document Manager installation
For the initial Domino Document Manager installation, complete the following
steps:
1. Verify that the intended server meets the minimum hardware and operating
system requirements to support Domino Document Manager 6.5.1.
2. Stop the Domino server on which Domino Document Manager will be
installed.
3. Reset the Lotus Domino service from Automatic to Manual.
4. Restart the Windows server.
5. Use the Domino Document Manager CD or expand the downloaded file and
run setup.exe to install the Domino Document Manager code.
6. Accept the defaults on the next two windows and then verify that the
destination location matches your Domino program and Data directories.
7. Define the directory for the Document Manager installation (we recommend
accepting the default for ease of future integration steps), for example:
D:\Lotus\Domino\Data\domdoc
8. Select Master Server Install.
9. When prompted, open the readme file and then close the resulting window.
10. Reset the Lotus Domino service from Manual to Automatic.
11. Restart the Domino Document Manager server.
Tip: The name of the Domino Document Manager site administrator should
also have ECL rights to the users' Notes environments. This will prevent the
ECL Warning messages from popping up when Notes clients access the
libraries. Typically, this is not an actual user but a trusted authority within the
domain, whose signature is trusted by all users through the Administration
ECL in the domain. Refer to the Domino Administrator Guide for ECL
management details.
Note: By creating this group before the installation, you will be able to
configure the Domino Document Manager site without modifying the ACL of
the Site Administration database. There is a trick here. You have to be a
member of the group Document Manager Site administrators to get into the
database, but the group would normally not be created until the first library is
created, which has to be done through the database.
Example 4-8 Normal error messages after initial Document Manager installation
05/09/2004 09:59:04 AM Transaction Manager WinNT build 29: ERROR: Domino.Doc is
not fully installed or the transaction database has been moved. Make sure
Domino.Doc has been completely installed via the admin database.
05/09/2004 09:59:04 AM Transaction Manager WinNT build 29: ERROR: Could not open
transaction database domdoc\ddmtrans.nsf
05/09/2004 09:59:04 AM Transaction Manager WinNT build 29: ERROR: Could not
open index
05/09/2004 09:59:04 AM Transaction Manager WinNT build 29: Initialization
Failed
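The messages in Example 4-8 are raised by the ddmTran task before its databases exist, so they are expected only until the Site Administration database settings have been configured. The following added example (not from the Redbook or from IBM) joins the wrapped console lines and marks those four messages as expected only in that window. The function names, the site_configured flag, the use of domdoc\ddmtrans.nsf as a proxy for a configured site, and the HTTP line in the sample are assumptions or constructed values.

```python
import re
from pathlib import Path

# Console text from Example 4-8, wrapped as on the page, plus one constructed
# line from another task to show that unrelated output is ignored.
CONSOLE = r"""
05/09/2004 09:59:04 AM Transaction Manager WinNT build 29: ERROR: Domino.Doc is
not fully installed or the transaction database has been moved. Make sure
Domino.Doc has been completely installed via the admin database.
05/09/2004 09:59:04 AM Transaction Manager WinNT build 29: ERROR: Could not open
transaction database domdoc\ddmtrans.nsf
05/09/2004 09:59:04 AM Transaction Manager WinNT build 29: ERROR: Could not
open index
05/09/2004 09:59:04 AM Transaction Manager WinNT build 29: Initialization
Failed
05/09/2004 09:59:10 AM HTTP Server: Started
"""

STAMP = re.compile(r"^(\d{2}/\d{2}/\d{4} \d{2}:\d{2}:\d{2} [AP]M) ")
DDMTRAN = re.compile(r"^Transaction Manager \S+ build \d+: (.+)$")

# The four messages the page documents as normal right after installation.
EXPECTED_BEFORE_SETUP = {
    "ERROR: Domino.Doc is not fully installed or the transaction database "
    "has been moved. Make sure Domino.Doc has been completely installed "
    "via the admin database.",
    r"ERROR: Could not open transaction database domdoc\ddmtrans.nsf",
    "ERROR: Could not open index",
    "Initialization Failed",
}


def entries(console_text):
    """Join wrapped console lines into (timestamp, text) pairs."""
    joined = []
    for line in console_text.splitlines():
        line = line.strip()
        if not line:
            continue
        stamp = STAMP.match(line)
        if stamp:
            joined.append([stamp.group(1), line[stamp.end():]])
        elif joined:  # continuation of the previous entry
            joined[-1][1] += " " + line
    return [(stamp, text) for stamp, text in joined]


def triage(console_text, site_configured):
    """Label each Transaction Manager message 'expected' or 'investigate'."""
    results = []
    for stamp, text in entries(console_text):
        task = DDMTRAN.match(text)
        if not task:
            continue
        message = task.group(1)
        benign = message in EXPECTED_BEFORE_SETUP and not site_configured
        results.append((stamp, message, "expected" if benign else "investigate"))
    return results


def transaction_db_present(data_dir):
    """Assumed proxy for a configured site: domdoc\\ddmtrans.nsf exists."""
    return (Path(data_dir) / "domdoc" / "ddmtrans.nsf").is_file()
```

The allowlist is exact-match on purpose: any other Transaction Manager message, or the same messages after the first library exists, is reported for investigation.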
4.7.4 Post-installation configuration
The following tasks must be accomplished in order to configure the Domino
Document Manager environment so that the first library can be created and
deployed.
Sign the Domino Document Manager templates and databases
By default, the initial Domino Document Manager templates and documentation
databases have been signed with the signature of the Domino Document
Manager server ID. You need to re-sign these databases before configuring the
Domino Document Manager environment.
To re-sign the Domino Document Manager templates and documentation
databases, complete the following steps:
1. Open the Domino Administrator client as the user designated as the initial
Domino Document Manager site administrator in 4.7.2,
Preinstallation steps on page 164.
2. Open the Domino Document Manager server and sign all of the Design
documents in:
a. All of the databases in the domdoc subdirectory
b. The six Domino Document Manager template databases in the Data
directory:
- Domino Document Manager Library (domdoc.ntf)
- File Cabinet Template (filecab.ntf)
- Domino Document Manager Log (dmlog.ntf)
- Domino Document Manager Site Administration (ddadmin.ntf)
- Domino Document Manager Transactions (ddmtrans.ntf)
- Domino Document Manager Configuration (ddmconfg.ntf)
Note: You will see errors on the Domino console as in Example 4-8. This is
because the task ddmTran has been added to the ServerTasks line of the
Domino Notes.ini file, but the databases on which this task relies have not
been created yet. These databases will be created and configured when you
configure the Site Administration database settings.
Configure the first library
When the first library is created, Domino Document Manager establishes the
remaining configuration settings for the environment.
To configure the first library, complete the following steps:
1. Open the Site Administrator database (domdoc\ddadmin.nsf) using a Notes
client and the ID of the initial Domino.Doc site administrator.
2. Click the Create Library button, as shown in Figure 4-72.
Figure 4-72 Create the first library
3. Enter a name for the library (we chose REDBOOK), accept all the other defaults,
and click Continue, as shown in Figure 4-73 on page 168.
Tip: When you name a library, try to make it a short descriptive word or
group of words without spaces between them. This name is used to create
the library database name and in other locations. It is simpler in the long
run if you start with this format.
Figure 4-73 Create the master library: Step one
4. On the Library Creation page (see Figure 4-74 on page 169):
a. If your native Domino domain can send SMTP mail (default), clear the
Foreign domain for SMTP Gateway field.
b. Ensure that the fully qualified host name of the Domino Document
Manager server is properly defined in the Name of the HTTP Host field.
c. Leave the group definitions and remaining fields as defined.
d. Select the Enable Instant Messaging (Sametime) for this library option.
Note: You can also enable LDAP integration for the library at this point,
but we chose to stay with native Domino authentication for our
environment.
Figure 4-74 Master library configuration
5. Click Finish to complete the installation.
6. When you receive a warning about overwriting the group, Domino Document
Manager (Domino.Doc) Site Administrators, click Yes to allow it to be
overwritten and continue creating the databases for the new library. See
Figure 4-75 on page 170.
Figure 4-75 Error message
7. At the final window, review the settings, and click Done, as shown in
Figure 4-76.
Figure 4-76 Final setup screen for the master library
8. The Library administrator will receive two e-mails:
a. Follow-up tasks that must be completed to finish the installation
b. Library summary information
9. At this point, the library is ready for the creation of file cabinets and the
additional components to support the desired topology (for additional details
about this process, refer to the Document Manager 6.5.1 Installation Guide).
4.7.5 Post-configuration integration
This section describes the post-configuration integration for Domino Document
Manager.
Instant Messaging and presence awareness integration: Who
is online?
The integrated Instant Messaging awareness in Domino Document Manager is a
feature called Who is online. The concept behind this feature is to be able to
quickly chat with another author or reviewer of a document to get more
information about the referenced document in the library. The feature is available
within the document profile and it is enabled as follows:
1. Enable Instant Messaging integration for the library and file cabinets (this
should be done automatically for the file cabinets if the library was configured
for Instant Messaging, as described in 4.7.4, Post-installation configuration
on page 166).
2. Replicate the Instant Messaging (Sametime) Secrets database to the Domino
Document Manager server:
a. Using the administrator account, create a replica of the stauths.nsf
database from the Instant Messaging and Web Conferencing server on
the Domino Document Manager server.
b. In the Domino Directory on the Instant Messaging and Web Conferencing
server, create a replication connection record from the Instant Messaging
and Web Conferencing server to the Domino Document Manager server
specifically for the stauths.nsf database (see Figure 5-4 on page 239).
Instant Messaging and presence awareness with customized
binders and documents
This feature is not available with the standard Domino Document Manager
installation. However, as a proof of concept, we were able to customize some of
the designs to enable additional awareness features in Domino Document
Manager. We limited the development to copies of existing elements within the
Domino Document Manager framework. In other words, no changes were made
to the native Domino Document Manager design elements.
Within Document Manager on the file cabinet (and library) level, you get the
option to use Notes folders. We will need to enable this option, at least on the file
cabinet level, to be able to create a customized binder view. The next step is to
create a binder profile for this customized view. So when new binders are created
using this binder profile, a folder is created in the file cabinet with the design
based on this customized view. We also show you how Instant Messaging can be
implemented from within a Document Manager document.
Instant Messaging awareness at the binder level
To enable Instant Messaging awareness at the binder level, complete the
following steps:
1. Open the File Cabinet Template (filecab.ntf) in the Designer client.
2. Create a new Binder subform:
a. Copy the Categorized Binder subform.
b. Rename the new subform Customized Binder.
3. Create a new Binder view:
a. Copy the (Project Binder View) view.
b. Rename the new view to (Customized Binder View) with an alias name of
Customized Binder View.
c. Remove the columns in the view after Version.
d. Add a new column to the view with the following values (see Figure 4-77
on page 173):
i. Column Title: Notes Name.
ii. Formula: @Name([Abbreviate]; NotesName).
iii. Make sure the Style is Names in the Advanced format tab.
iv. Select Column contains a name.
v. Select Show online status.
Important: Because we did not want to touch the native Document Manager
code, we can only get awareness activated for the field on the subform (linked
to the Document Profile).
Note: For more details about this, refer to the Lotus Domino Designer
6.5.1 Help under the topic Adding instant messaging to an application.
The following specific help documents were used:
- For the document: Enabling a field for instant messaging
- For the binder (view): Enabling a column for instant messaging
Figure 4-77 Add a new column to the view
4. Activate the new design in the library:
a. Using Notes, open the library in the Site Administration database.
b. Go to Library Administration.
c. Click Create Binder Type, and enter the following values:
i. Type Name: Customized Binder.
ii. Table of Contents view: Specify a view.
iii. View Title: Customized Binder View.
iv. Save and close the new binder type.
5. Add the new binder type to a file cabinet:
a. Open and edit a file cabinet.
b. Add the new binder type to the list of allowable binder types.
c. Save and close the file cabinet.
6. Create a binder based on this type:
a. Click the Library button.
b. Open a file cabinet.
c. Click New Binder and use new Customized Binder type.
d. Save and close the new binder (see Figure 4-78 on page 174).
7. Enable awareness in a new document type, as shown in Instant Messaging
awareness at the document level on page 174.
Figure 4-78 Awareness in binder
Instant Messaging awareness at the document level
To enable Instant Messaging awareness at the document level, complete the
following steps:
1. Open the File Cabinet Template (filecab.ntf) in the Designer client.
2. Create a new document subform:
a. Copy any document subform.
b. Rename the new subform Customized Doc.
3. Remove all but one of the rows in the table.
4. Remove the contents of the row.
5. Enter the static text Notes Name in the left column.
6. Create a field in the right column with the following values:
a. Title: NotesName
b. Field Type: NAMES
7. On the Control tab of the Field Properties dialog box, select Show online
status, as shown in Figure 4-79.
Figure 4-79 Enabling awareness in a field
8. Activate the new design in the library:
a. Using Notes, open the library in the Site Administration database.
b. Go to Library Administration.
c. Click Create Document Type, and enter the following values:
i. Type Name: Customized Doc.
ii. Leave other settings as defaults.
iii. Save and close the new document type.
9. Add the new document type to a file cabinet:
a. Open and edit a file cabinet.
b. Add the new document type to the list of allowable document types.
c. Save and close the file cabinet.
10. Create a new document based on this type:
a. Click the Library button.
b. Open a file cabinet.
c. Open a binder (we suggest using the new awareness binder).
d. Click New Document and use the new Customized Doc type.
e. Fill in sample data and save and close the new document (Figure 4-80).
Figure 4-80 Notes client awareness in a Domino Document Manager document
Restriction: Figure 4-80 shows how the modification provides awareness in a
Domino Document Manager document, but only for a Notes client. This
feature is not yet available for Web applications.
Install the Desktop Enabler
Domino Document Manager comes with a tool to integrate document
management into your office tools (for example, Lotus Notes and Microsoft Word)
through the use of the Open Document Management Architecture (ODMA). In
order to enable these features, you must first install the Desktop Enabler
software on the Domino Document Manager server. After this is installed on the
server, users can also install the Desktop Enabler on their workstations and
access the ODMA features (for example, save documents and e-mail
attachments and chat transcripts directly to a document library instead of to the
file system). The installation procedure is the same for both the server and the
workstations.
To install the Domino Document Manager Desktop Enabler, complete the
following steps:
1. The installation software can be distributed to users, or anyone with access to
a library can download it (from a Web browser or Notes client).
2. From a browser, click Getting Started on a library home page, as shown in
Figure 4-81.
Figure 4-81 Download Desktop Enabler
3. Scroll to the bottom of the page and click the link to download the Desktop
Enabler.
4. If installing on the server, stop the server.
5. Click the Enabler icon (ddsetup.exe) and save the file to your workstation.
6. Close the browser and execute the installation program:
a. Accept the terms of the license.
b. Choose the typical installation.
c. Select a directory for the installation.
7. Restart the server or workstation (the remaining steps are for clients only).
8. To customize the ODMA settings for the Desktop Enabler, click Start
Programs Lotus Applications Doc Manager Desktop Administrator
(for example, on the Application Preferences tab, you can select which
desktop applications you want to be enabled for use with the Desktop
Enabler). See Figure 4-82.
Figure 4-82 Desktop Enabler administration tool
9. Configure the connection to the Document Management library:
a. On your desktop, you should have a new icon for your Doc Manager
Neighborhood.
b. Double-click the icon to bring up the Library Connect tool:
i. Add the appropriate URL for a library.
Note: The URL to any given library is expressed as the fully qualified
URL to the Domino Document Manager server, followed by the path
and database name of the library. When Domino Document Manager
creates a library, it places it in the default \domdoc subdirectory and the
file name is the library name appended with Lib.nsf, for example:
http://bsc1doc.cam.itso.ibm.com/domdoc/redbooklib.nsf
ii. Add a Library Display Name for the library (this is only a display option
for each client and has no impact on the server library itself), as shown
in Figure 4-83.
Figure 4-83 Library Connect tool
10. Verify that the Desktop Enabler is working inside of various programs, for
example:
a. Open the Notes client and select an e-mail message.
b. Click the Actions menu item, and you should be able to select a new
option at the bottom of the menu called Move to Document Manager, as
shown in Figure 4-84 on page 179.
Figure 4-84 Document Manager connection within the Notes client
c. You will see the library and have several options for saving the e-mail, as
shown in Figure 4-85 on page 180.
Figure 4-85 Save an e-mail to Document Manager
4.8 Lotus Workflow
As with the Domino hub/directory server, installation of a standard IBM Lotus
Workflow configuration is very straightforward. However, unlike the other
Extended Products, Lotus Workflow is not a stand-alone product in that it
performs no function unless integrated into other Domino or Domino Document
Manager applications. Therefore, the configuration of Lotus Workflow and
subsequent integration into other products requires an additional effort. The
procedure for installing Workflow into a Domino infrastructure is provided in the
following sections.
4.8.1 Initial Lotus Workflow installation
Unlike the other 6.5.1 products, Lotus Workflow uses the same application to
install both the server and the client components. Furthermore, Lotus Workflow
includes many individual components, some of which are intended for the server
and some for the client, although some can be installed on both. Table 4-2 lists
the various Lotus Workflow components and their typical installation locations.
Table 4-2 Lotus Workflow installation components
Program file                  Server        Client     Default directories (a)
Architect                                   Client     <Workflow>\Architect
Engine                        Server                   <Domino>\Data
Viewer                                      Client     <Workflow>\Viewer
Sample                        Server        Optional   <Domino>\Data\Workflow
Help                          Server        Optional   <Domino>\Data
Web Viewer Servlet files      Server only              <Domino>\Data\domino\servlet
Web Viewer Auxiliary files    Server only              <Domino>\Data\domino\html
a. <Workflow> is the default Workflow root (for example, \Lotus\Workflow), and
<Domino> is the default Domino root (for example, \Lotus\Domino).
Tip: You might consider changing the directory for the help databases to
<Domino>\Data\Help so that they are together with all of the Domino help
databases.
As previously described, Lotus Workflow must be installed and integrated into an
existing Domino or Domino Document Manager application. The integration is
typically configured by installing the Lotus Workflow server components into the
Domino or Domino Document Manager server supporting the applications that
will use Lotus Workflow. For our case, we chose to demonstrate the installation
with Domino Document Manager. For the initial Lotus Workflow installation,
complete the following steps:
1. Verify that the intended Domino Document Manager server meets the
minimum hardware and operating system requirements to support the Lotus
Workflow 6.5.1 server components.
2. Stop the Domino Document Manager server on which Lotus Workflow will be
installed.
3. Reset the Lotus Domino service from Automatic to Manual.
4. Restart the Windows server.
5. Use the Lotus Workflow CD or expand the downloaded file and run setup.exe
to install the Workflow server component code.
6. When prompted for components and directories:
a. Do not install the Architect or Viewer.
b. Verify that the installation directories for the remaining components match
your Domino program and data directories (see Table 4-2 on page 181).
7. Complete the software installation.
8. Reset the Lotus Domino service from Manual to Automatic.
9. Restart the Domino Document Manager server.
Install the client components on a separate workstation (not the server) that
already has the Notes client and Domino Designer installed using the following
steps:
1. Verify that the intended workstation meets the minimum hardware and
operating system requirements to support the Lotus Workflow 6.5.1 client
components.
2. Restart the workstation.
3. Use the Lotus Workflow CD or expand the downloaded file and run setup.exe
to install the Lotus Workflow client component code.
4. When prompted for components and directories:
a. Install only the Architect and Viewer.
b. Verify that the installation directories match the default directories (see
Table 4-2 on page 181).
5. Complete the software installation.
6. Restart the workstation.
4.8.2 Post-installation configuration
The following tasks must be accomplished in order to configure the Lotus
Workflow environment so that it can be deployed and integrated with Domino
Document Manager.
Sign the Lotus Workflow templates and databases
To provide the necessary agent execution access and to prevent unwanted ECL
security warnings, the Lotus Workflow templates and databases must be signed
by an authorized and trusted administrator before configuring the Workflow
environment. To sign the templates and databases, complete the following steps:
1. Open the Domino Administrator client as the user specified as the initial
Domino Document Manager site administrator specified in 4.7.2,
Preinstallation steps on page 164.
2. Open the Domino Document Manager server and sign all of the Design
documents in:
- All of the databases located in the Lotus Workflow subdirectory.
- The Lotus Workflow Help databases (LWF*.nsf) located in the directory
selected in 4.8.1, Initial Lotus Workflow installation on page 180 (the
Data directory by default).
- The Lotus Workflow design templates (LWF*.ntf) located in the Data
directory.
Note: By using the administrator account for the Domino Document Manager
server to sign the Lotus Workflow databases and templates, you are assured
of having the necessary agent execution rights to support Lotus Workflow. If
you choose to use a different signature, you must modify the Server document
to ensure that the administrator has the right to run unrestricted agents.
Create the Lotus Workflow databases
All Lotus Workflow applications consist of several databases (see Table 4-3):
- Application
- Design Repository
- Organization
- Process Definition
- Audit Trail (optional)
- Archive (optional)
Table 4-3 Workflow databases and functions
Database | Function within the Lotus Workflow process
Application | Primary job control and process starting point.
Design Repository | Stores the design elements and acts as source for the Workflow Architect.
Organization | Defines organizational structure and resources (persons, departments, workgroups, roles) to be assigned to different activities.
Process Definition | Stores process definitions created by Workflow Architect.
Audit Trail | Tracks and logs process activities.
Archive | Archives completed or rejected processes.
For more detailed information, refer to the Key concepts and terms section in
the Lotus Workflow Installation and Administration Guide.
Lotus Workflow is configured through separate databases. The templates can be
used to create new databases, or you can deploy the sample databases
provided. To create the Lotus Workflow databases, complete the following steps:
1. Using a Notes client with sufficient access (for example, the Domino
Document Manager site administrator ID), create new copies of the sample
databases in another subdirectory on the Domino Document Manager server,
for example:
\Lotus\Domino\Data\Redbook\BG_Application_en.nsf
Important: To protect the original sample databases, be sure to use the
Notes client to make database copies, not replicas or file system copies.
2. Using the corresponding Lotus Workflow templates, create two new
databases in the same subdirectory as used in the previous step:
a. Archiving
b. Audit Trail
3. Create a Mail-in Database document in the Domino Directory for each of the
databases created in the previous step.
Edit the servlet.properties file
To edit the servlet.properties file, located in the Data directory on the Domino
Document Manager server, complete the following steps:
1. Locate the section defining properties for the WFServlet.
2. Edit or add the line for servlet.WebViewer.initArgs, as shown in
Example 4-9 on page 185, with the corresponding references to the
application file name and Instant Messaging and Web Conferencing server
host name.
Note: The entire line and all parameters must be entered on one line,
separated by commas with no carriage returns.
Example 4-9 Example of the servlet.properties file
#Properties for WFServlet
servlet.WebViewer.code=com.lotus.wf.WFServlet
#NOTES: LogLevel determines amount of logging [DEBUG, NONE, ERROR, STATUS]
#NoLogin=true will permit all logins (no security), default is false
#another example:
#servlet.WebViewer.initArgs=LogLevel=DEBUG,ServerAlias=WebViewer,NoLogin=true
servlet.WebViewer.initArgs=LogLevel=DEBUG,ServerAlias=WebViewer,ApplPath=Redbook/BG_Application_en.nsf,Sametime=true,Sametimeserver=bsc1st.cam.itso.ibm.com
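The following audit of the servlet.WebViewer.initArgs line from Example 4-9 is an added example, not part of this guide or of Lotus Workflow. It flags NoLogin=true, a LogLevel that is unlisted or set to DEBUG, Sametime=true without a Sametimeserver, and a value wrapped onto a second line. Treating DEBUG as a review item is this example's assumption, and the sample files and the host name im.example.com are constructed.

```python
import re

# Log levels listed in the comment of Example 4-9.
ALLOWED_LOG_LEVELS = {"DEBUG", "NONE", "ERROR", "STATUS"}
INITARGS_RE = re.compile(r"^servlet\.([^.=\s]+)\.initArgs=(.*)$")

# Constructed sample: login checks disabled and verbose logging left on.
SAMPLE_WEAK = """\
#Properties for WFServlet
servlet.WebViewer.code=com.lotus.wf.WFServlet
#servlet.WebViewer.initArgs=LogLevel=NONE,ServerAlias=WebViewer,NoLogin=true
servlet.WebViewer.initArgs=LogLevel=DEBUG,ServerAlias=WebViewer,NoLogin=true
"""

# Constructed sample: the value was pasted with a carriage return in the middle.
SAMPLE_WRAPPED = """\
servlet.WebViewer.initArgs=LogLevel=ERROR,ServerAlias=WebViewer,ApplPath=Redboo
k/BG_Application_en.nsf,Sametime=true,Sametimeserver=im.example.com
"""

# Constructed sample: one line, login enforced (NoLogin defaults to false).
SAMPLE_OK = (
    "servlet.WebViewer.initArgs=LogLevel=ERROR,ServerAlias=WebViewer,"
    "ApplPath=Redbook/BG_Application_en.nsf,Sametime=true,"
    "Sametimeserver=im.example.com\n"
)


def parse_init_args(raw):
    """Split 'Key=Value,Key=Value' into a dict with lower-cased keys."""
    args = {}
    for item in raw.split(","):
        key, sep, value = item.strip().partition("=")
        if sep and key:
            args[key.strip().lower()] = value.strip()
    return args


def looks_like_fragment(line):
    """True if a line reads like the tail of a wrapped initArgs value."""
    line = line.strip()
    if not line or line.startswith("#"):
        return False
    head = line.split("=", 1)[0]
    # A real property key contains no comma or path separator.
    return "," in head or "/" in head or "\\" in head


def audit_servlet_properties(text):
    """Return a list of (line_number, servlet_name, code) findings."""
    findings = []
    lines = text.splitlines()
    for idx, line in enumerate(lines):
        match = INITARGS_RE.match(line.strip())  # commented-out lines never match
        if not match:
            continue
        lineno, name, raw = idx + 1, match.group(1), match.group(2)
        args = parse_init_args(raw)

        # The file's own comment: NoLogin=true permits all logins (no security).
        if args.get("nologin", "false").lower() == "true":
            findings.append((lineno, name, "NO_LOGIN"))

        level = args.get("loglevel")
        if level is not None and level.upper() not in ALLOWED_LOG_LEVELS:
            findings.append((lineno, name, "BAD_LOGLEVEL"))
        elif level is not None and level.upper() == "DEBUG":
            # Assumption of this example: DEBUG is worth a second look
            # once the test setup is finished.
            findings.append((lineno, name, "DEBUG_LOGGING"))

        if args.get("sametime", "false").lower() == "true" \
                and not args.get("sametimeserver"):
            findings.append((lineno, name, "SAMETIME_NO_SERVER"))

        # The whole value must sit on one line with no carriage returns.
        nxt = lines[idx + 1] if idx + 1 < len(lines) else ""
        if raw.rstrip().endswith(",") or looks_like_fragment(nxt):
            findings.append((lineno, name, "WRAPPED_LINE"))
    return findings


if __name__ == "__main__":
    for label, sample in (("weak", SAMPLE_WEAK), ("wrapped", SAMPLE_WRAPPED),
                          ("ok", SAMPLE_OK)):
        print(label, audit_servlet_properties(sample))
```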
Note: For the Lotus Workflow arguments in the servlet.properties file:
- ApplPath = Path and file name of the Workflow application database
- Sametime = True or False, indicating if the Web Viewer is Instant Messaging
enabled
- Sametimeserver = Fully qualified host name for the Instant Messaging and
Web Conferencing server
Configure the Lotus Workflow Engine
The Lotus Workflow Engine consists of three to five databases, as depicted in
Figure 4-86 on page 186.
Figure 4-86 Lotus Workflow Engine
Configure the Application database
To configure the Application database, complete the following steps:
1. Using a Notes client with the administrator ID, open the Application database
(for example, the copy of the sample database created previously).
2. Configure the sample:
a. Click the Action button provided at the bottom of the About document to set
up Lotus Workflow samples.
b. Provide the administrator's ID properties (First Name, Last Name, and so
on).
c. Enable Web browser access to the Workflow samples.
d. Provide the fully qualified host name (or IP address) in the IP address
field.
3. Database settings:
a. Navigate to Application Setup under the Administration section and switch
to edit mode.
b. Point to your copy of the Organization and Process Definition databases.
c. Verify the information provided in the Application section.
4. Archive and Audit Trail:
a. Navigate to the Archive and Audit Trail section.
b. Enable all the options (default schedule is once every hour).
5. Domino Document Manager integration setup:
a. Navigate to the Document Manager Integration Setup tab.
b. Create a new Document Manager profile with the following settings:
i. Profile name: Site_Admin.
ii. Access level: Low security (this is just a test case).
iii. Read Access: [Process Reader].
iv. Enter the URL to the Domino Document Manager library.
v. Enter the administration Web user account.
vi. Enter the password.
c. Point to the newly created Site_Admin profile (if it does not show up in the
list, use the Refresh List button).
d. Enter the location to the library.
Note: The pop-up list used in the Location button is populated from the
Catalog database.
e. Enter the profile name (Site_Admin) for the following access profile fields:
- Access Profile for Automated Activities DD Check
- Access Profile for Automated Activity DD Search
- Archive access Profile
f. Enable the Use one Archive Binder for all jobs option as Type.
g. Point to the Cabinet and Binder where you want to store the reviewed
publications (for example, File Cabinet = Product Promos, Binder =
Publication Review).
h. Save and close the Application set-up profile.
6. Enable scheduled agents.
Note: Enable the scheduled agents in your copy of the Application
database. Refer to the Scheduled agents in the application database
section in the Lotus Workflow Installation and Administration Guide for
more information about this topic.
For testing purposes, you might consider changing the Schedule of the OS
TimeManagement Backgrounder agent to run every 5 minutes instead of
the default 15 minutes.
7. Add the administrator to the Application database ACL:
a. Type: Person
b. Access: Manager
c. All Roles enabled
8. Update the Process Cache:
a. Open the Application database.
b. Navigate to Administration → Cache.
c. Click the Update Process Cache button.
Note: We refer back to this step when the process is created and activated
from the Lotus Workflow Architect.
Configure the Organization database
To configure the Organization database, complete the following steps:
1. Using a Notes client with the administrator ID, open the Organization
database.
2. Administration setup:
a. Navigate to the Administrator Setup section.
b. Create a new Setup document.
c. Enable the cache.
d. Save and close the document.
3. Refresh the cache:
a. Navigate to the Administration Cache section.
b. Click the Update Cache button.
c. The red icons will be marked green when the cache is updated.
4. Assign the administrator to the Testperson role:
a. Navigate to Organization Structure → Roles.
b. Edit the Testperson document.
c. Remove the existing members.
d. Add your Administration ID here.
5. Enable Archivation and Audit Trail resources (see Figure 4-87 on page 190):
a. Navigate to Infrastructure → Resources.
b. Create two Resource documents, one for Archivation and one for Audit
Trail.
c. Give them the same names as the Mail-in Database documents created
during the server installation.
d. Select Mail address as the type of resource.
e. Select the Mail-in database mail addresses from the pop-up list.
f. The database location information will automatically be entered after the
selection of the mail address.
Figure 4-87 Example of an Archive Infrastructure Resource document
6. Enable the scheduled agents in your copy of the Organization database.
7. Add the administrator to the Organization database ACL with the same
access and roles as the Lotus Workflow administrator.
Configure the Lotus Workflow Architect
The Lotus Workflow Architect is a designer client used to create and manage
Lotus Workflow application diagrams similar to the way that the Domino Designer
client creates and manages Notes applications. The resulting Lotus Workflow
design is stored in the Design Repository database, and the processes are
stored in the Process Definition database. See Figure 4-88 on page 191.
Figure 4-88 Lotus Workflow Architect
To configure the Lotus Workflow Architect, complete the following steps:
1. Link to the Lotus Workflow databases:
a. Launch the Lotus Workflow Architect.
b. Configure a new profile:
i. Select File → Open Database to open the window shown in
Figure 4-89 on page 192.
ii. Select the options to point to the newly created Lotus Workflow
databases.
Figure 4-89 Lotus Workflow Architect: Database Profile
2. Create a Workflow process (we create a copy of the Web Publishing Domino
Document Manager integration sample process):
a. Open the Web Publishing Domino Document Manager Integration sample
process.
b. Save the process as a new copy (File → Save Process As Copy).
c. Give this new process a name (for example, Redbook BG Publishing
Document Manager Integration).
d. Update the process title, for example, Redbook BG Publishing Document
Manager Integration Sample Process.
3. Simplify the process for demo purposes (see Figure 4-90 on page 193 and
Figure 4-91 on page 194):
a. Remove all side tracks marked with X.
b. Reconnect using Check in Copy as New with Graphics Rework.
Figure 4-90 Sample process before simplification
Figure 4-91 Sample process after simplification
4. Change the basic properties of the activity nodes (green) to enable mail
notification and assign the Testperson role as the Activity owner, as shown in
Figure 4-92 on page 195.
Note: Remember that we assigned the administrator ID to this role during
the configuration of the Organization database. This will enable you to do a
full Lotus Workflow test run using only one Notes ID. If you want to expand
this sample, you can easily indicate different people, roles, and so on for
each activity.
Figure 4-92 Basic properties of activity nodes
5. Change the properties of the automated activities (white boxes). See
Figure 4-93 on page 196.
Figure 4-93 Example of automated activities properties
a. Change the action type of Check Out Document and Attach to Job
automated activity to Document Manager- Checkout. See Table 4-4.
Table 4-4 Parameters for first activity
Parameter | Value | Required
Access Profile | Site_Admin | Yes
Attachment field | DDAttachment | Yes
Comment | | No
b. Change the action type of Check In Copy as New Draft automated activity
to Document Manager- Checkin. See Table 4-5.
Table 4-5 Parameters for second activity
Parameter | Value | Required
Access Profile | Site_Admin | Yes
Attachment field | DDAttachment | Yes
Remove Attachment | No | Yes
Check-in status | As Draft | Yes
Comment | | No
Check Out Again | Yes | Yes
c. Change the action type of Check In Copy as New Version automated
activity to Document Manager- Checkin. See Table 4-6.
Table 4-6 Parameters for third activity
Parameter | Value | Required
Access Profile | Site_Admin | Yes
Attachment field | DDAttachment | Yes
Remove Attachment | No | Yes
Check-in status | As Version | Yes
Comment | | No
Check Out Again | Yes | Yes
d. Do not change the Publish to Website automated activity.
e. Change the action type of Check In as New Version and Detach
automated activity to Document Manager- Checkin. See Table 4-7.
Table 4-7 Parameters for last activity
Parameter | Value | Required
Access Profile | Site_Admin | Yes
Attachment field | DDAttachment | Yes
Remove Attachment | Yes | Yes
Check-in status | As Version | Yes
Comment | | No
Check Out Again | No | Yes
6. Modify the Advanced properties of the Workflow process to activate Audit Trail
(see Figure 4-94 on page 198):
a. Select Enable audit trail recording.
b. Set Degree of tracking to 100%.
c. Select Store audit trail in Audit trail database.
d. Specify the name of the Mail-in document for the Audit Trail database.
e. Select all of the Audit trail content.
Figure 4-94 Advanced process properties: Audit Trail options
7. Modify the Advanced properties of the Lotus Workflow process to activate
archiving (see Figure 4-95 on page 199):
a. Select Enable document archiving.
b. For the Archive database, select the Mail-in database.
c. Enter @All as the Move documents formula and as the Delete documents
formula.
Figure 4-95 Advanced process properties: Archive options
8. Activate the process by selecting File → Activate Process.
9. Update the Process Cache in the Application database (see step 8 on
page 188).
Configure the Lotus Workflow Viewer
The Lotus Workflow Viewer is used to view the design diagram and present a
visual indication of the status within the Lotus Workflow process. The design can
be viewed through the Notes client or through the Web Viewer component. The
first time you launch the Viewer (through the Notes client), the system will prompt
you to complete the installation.
The Web client uses the server-based Web Viewer servlet, so nothing needs to
be installed on the client for that functionality. See Figure 4-96 on page 200.
Figure 4-96 Example of a part of a process shown through the Lotus Workflow Viewer
This brief example depicts the difference between terminated, current, and future
processes. Terminated processes are dark green-gray in color, and future
processes are light green. Current processes are indicated with a stacked
document icon next to the process description. See Figure 4-97.
Figure 4-97 Lotus Workflow Viewer
4.8.3 Post-configuration integration
In this section, we present an overall configuration process focused on the
integration of Lotus Workflow with the Domino Document Manager application.
First, we present an overview of the required Domino Document Manager
configurations, and then we continue with the Lotus Workflow integration steps.
For more detailed instructions, refer to the product manuals (Lotus Workflow
6.5.1 Installation and Administration Guide and the readme file for Lotus
Workflow 6.5.1).
Required Domino Document Manager configurations for Lotus
Workflow
To support the integration of Lotus Workflow into Domino Document Manager,
configuration changes to the Domino Document Manager libraries and file
cabinets are required. The libraries must be configured to define the Lotus
Workflow-enabled binder and document types, and the file cabinets must be
configured to allow one or more of the Lotus Workflow-enabled binder and
document types when creating documents.
Document Manager library configuration
New binder or document types, or both, can be created within a library; however,
the default Document Manager Library template (domdoc.ntf) is already
configured with several Lotus Workflow-enabled binder and document type
samples. In this section, we review these samples. These samples can be
viewed with a Notes client from within the Library database:
1. Open the Library database with the site administrator ID.
2. Click the Library Administration button.
3. Click the Binder Types button and locate the Lotus Workflow-enabled binder
types, whose names begin with DWF.
4. Click the Document Types button and locate the Lotus Workflow-enabled
document types, whose names begin with DWF.
One of the sample document types is shown in Figure 4-98 on page 202. The
Workflow Options section is near the bottom of the document type form. These
option settings include:
- Location of the Workflow Application database (indicated by replica ID or
path)
- Method of Workflow process initiation (interactive initiation)
- Workflow processes available to this document type and when to initiate them
(event based initiation)
Note: The names of Lotus Workflow-enabled binder and document types
within Domino Document Manager begin with DWF as a reference to the
previous Domino Workflow product. Although the 6.5.1 product has been
renamed Lotus Workflow, the names have not yet been changed in Domino
Document Manager.
Figure 4-98 Workflow options in a Domino Document Manager document type
Note: The selection list for the database locations is populated from the
Domino database catalog. If your Application database is not listed, load the
Catalog task from the Domino server console to update the catalog database
and try again.
Document Manager file cabinet configuration
After the Lotus Workflow-enabled binder and document types are defined within
a library, they must be added to the file cabinet or cabinets to make them
available when users create documents. These types can be added when
creating the file cabinets or any time thereafter. To configure the Document
Manager file cabinets, complete the following steps (see Figure 4-99 on
page 203):
1. Open the Library database with the site administrator ID.
2. Click the File Cabinets button.
3. Open a file cabinet.
4. Click Edit File Cabinet.
5. Within the file cabinet, click Edit.
6. Add one or more of the Lotus Workflow-enabled binder types to the list of
Allowable binder types.
7. Add one or more of the Lotus Workflow-enabled document types to the list of
Allowable document types.
8. Click Save, and then Close.
9. Create a new Lotus Workflow-enabled binder from one of the newly allowable
Lotus Workflow-enabled binder types.
10. Exit the file cabinet and library.
Figure 4-99 File cabinet profile: Security section for binder and document types
Test the integration sample
After we have configured the Lotus Workflow Engine (see Configure the Lotus
Workflow Engine on page 185) and have Lotus Workflow-enabled document
types available in the file cabinet, we can test the integration process. To test the
integration sample, complete the following steps:
1. Start the Lotus Workflow process (see Figure 4-100 on page 204):
a. Navigate to the newly created Lotus Workflow-enabled binder.
b. Create a new document.
c. Select one of the Lotus Workflow-enabled document types.
d. Save and check in the new document.
e. Open the document in read-only mode (no check-out).
f. Go to the Workflow tab.
g. Initiate the Lotus Workflow process by clicking a link to choose the activity
from the list of available processes.
Figure 4-100 Start Workflow process from a document in Domino Document Manager
2. Select and start the Lotus Workflow process (see Figure 4-101 on page 205):
a. Select the activation process (created with the Workflow Architect).
b. Enter a job name and select a priority.
c. During the entire Lotus Workflow process, you can access the Viewer
(View Process Diagram) to get a graphical overview of the status of the
process.
d. Click OK to close this window.
Figure 4-101 Select and start the Lotus Workflow process
3. Complete the process initiation:
a. A document will automatically be created in the Application database and
opened in edit mode.
b. Complete the information requested on the form.
c. Save and close the document.
After it is initiated, you can track the Lotus Workflow process from the
Application database. Under My Work → Jobs Started, you can find the
initiated process, which is now referred to as a job. If you open this document
and ask for more information (Action → More Information → View Job
Diagram), the status of the process is shown in the Viewer, as shown in
Figure 4-102 on page 206.
Figure 4-102 Lotus Workflow process status
4. Complete the Lotus Workflow review process (see Figure 4-103):
a. When the automated activity is executed, the Lotus Workflow reviewer will
receive an e-mail inviting the reviewer to review the document.
Figure 4-103 New Lotus Workflow review e-mail notification
b. Follow the link from the e-mail. See Figure 4-104 on page 207.
Note: If the e-mail is delivered by Notes, the link is typically in the form
of a DocLink. If the e-mail is delivered by SMTP, the link is typically a
URL.
Figure 4-104 Workflow e-mail notification DocLink
c. Click Claim & Edit.
d. Enter comments and complete the information requested in the document,
as shown in Figure 4-105.
Figure 4-105 Enter feedback information
e. Edit the attachment and add a line of text as a test case, as shown in
Figure 4-106. Then, save and close the text editor.
Figure 4-106 Edit the attachment: Add a line
f. Click Save & Complete, and then select a routing option, as shown in
Figure 4-107 on page 208.
Figure 4-107 Save & Complete and Publish
g. Repeat each additional Lotus Workflow review cycle until the process is
complete (each step will start with an e-mail notification of the required
action to be performed).
When the entire process is finished, the original document in the Domino
Document Manager binder will contain all of the comments and edits inserted
during the review cycles. The external comments will be listed in the document
profile, and the content changes will appear in the attached file.
The Audit Trail database will also provide an overview of each step during the
Lotus Workflow cycle, as shown in Figure 4-108 on page 209.
Figure 4-108 Audit Trail: Overview of a completed Lotus Workflow process
Chapter 5. Upgrade and coexistence
considerations
This chapter provides the information and details necessary to support
upgrading the Extended Products from previous versions to the new 6.5.1
versions. Before upgrading to the new versions, we discuss version coexistence
issues within each product and across the various products. Because upgrades
can often occur over an extended period of time, we provide a recommended
upgrade sequence to support coexistence and minimize loss of functionality
during the upgrade process. We also review the authentication and directory
options necessary to support the final upgraded environment. Finally, we present
the specific steps necessary to support full integration between the 6.5.1
products.
This chapter does not provide detailed product upgrade procedures for the
individual products; those procedures will be referenced in other Redbooks,
installation guides, and upgrade guides. However, we provide specific
instructions and procedures related to post-upgrade integration of the various
6.5.1 products.
5.1 Planning for product upgrades to Release 6.5.1
Before upgrading any product, it is important to adequately plan not only for the
upgrade process itself, but also for changes to the overall environment resulting
from the upgrade. In this section, we review each new 6.5.1 product with respect
to the supported coexistence configurations. Based on those supported
configurations, we recommend a product upgrade sequence. Finally, we discuss
post-upgrade authentication requirements and supported directories.
For the purposes of describing upgrade procedures in this book, Table 5-1 lists
the minimum installed product versions that are considered. Refer to the specific
product upgrade documentation if you have an earlier version that needs to be
upgraded prior to the upgrade to 6.5.1.
Table 5-1 Minimum Extended Product versions
Product name | Minimum version
Lotus Instant Messaging and Web Conferencing (formerly known as Lotus Sametime) | 2.0
Lotus Team Workplace (formerly known as Lotus QuickPlace) | 2.0.8
Lotus Workflow | 3.0.1
Domino Document Manager (formerly known as Domino.Doc) | 3.1
Note: To review and understand the IBM/Lotus officially supported
configurations when upgrading, visit the following URL and search for
Technote 1162481:
http://www.ibm.com/support
5.1.1 Coexistence of versions within each product
The first coexistence issue that must be addressed prior to any upgrade is that of
interoperability between different versions of the same product or products. In
other words, are there any coexistence or interoperability issues associated with
having earlier versions of the product or products in the same environment as the
new 6.5.1 version? For the purpose of describing coexistence and
interoperability across different versions of the same product, we use the
following terminology:
Coexistent: Two different versions of the same product can coexist in
the same environment.
Upgrade only: Two different versions of the same product can coexist
during the intended short period of time of the upgrade
process. This scenario is not intended for long-term
operation, and no updates or fixes will be released to
support this configuration.
Domino server
Domino 6.5.1 server can coexist without difficulty in an environment with earlier
release versions. For the purposes of this chapter, we are only concerned with
earlier releases of Domino that are used to support the earlier releases of the
Domino Extended Products described here, namely Lotus Team Workplace
(formerly known as QuickPlace), Lotus Workflow, Domino Document Manager
(formerly known as Domino.Doc), and Lotus Instant Messaging and Web
Conferencing (formerly known as Sametime). For specific details about Domino
version interoperability considerations, refer to the Domino administration guides
for the various versions.
Lotus Team Workplace
The Lotus Team Workplace 6.5.1 server (formerly known as QuickPlace) can
coexist with prior server versions without difficulty. In other words, a new Team
Workplace 6.5.1 server can be added to an existing environment or a prior
version server can be upgraded to 6.5.1 without adversely affecting any other
pre-6.5.1 Team Workplace servers in the environment. However, if your existing
environment uses Team Workplace clusters, we recommend that clusters only
operate across servers using the same version. Refer to the Team Workplace
6.5.1 Installation and Upgrade Guide for specific details about upgrading Team
Workplace clusters. See Table 5-2 for a list of coexistence-supported prior
versions.
Table 5-2 Team Workplace 6.5.1 coexistence with prior versions
Product name | Team Workplace 6.5.1 coexistence
Team Workplace (QuickPlace) 2.x | Coexistent
Team Workplace (QuickPlace) 3.0a | Coexistent
Team Workplace (QuickPlace) 3.0.1 | Coexistent
Lotus Workflow
There is no interoperability between Lotus Workflow installations, so there are no
coexistence issues with different versions of Lotus Workflow.
Domino Document Manager
Domino Document Manager 6.5.1 server (formerly known as Domino.Doc) can
coexist with prior server versions, but it is only intended for short periods of time
during an upgrade process. This is especially true when Domino Document
Manager has been deployed with more than one server in a master-slave
configuration. In this situation, we recommend that all servers participating in
master-slave relationships be upgraded as close together as possible. Refer to
the Document Manager 6.5.1 Installation Guide for specific details about
upgrading Domino Document Manager master-slave servers. See Table 5-3 for a
list of coexistence-supported prior versions.
Table 5-3 Domino Document Manager 6.5.1 coexistence with prior versions
Product name | Domino Document Manager 6.5.1 coexistence
Domino Document Manager (Domino.Doc) 3.1 | Upgrade only
Domino Document Manager (Domino.Doc) 3.5 (a) | Upgrade only
a. Domino Document Manager (Domino.Doc) 3.1 and 3.5 both use the same server
software. The 3.5 release only involved a client-side upgrade from Version 3.1
and did not affect the Domino Document Manager server itself.
Lotus Instant Messaging and Web Conferencing
Lotus Instant Messaging and Web Conferencing 6.5.1 (formerly known as
Sametime) can coexist only with Version 3.x releases of Lotus Instant Messaging
and Web Conferencing, and only for short periods of time during an upgrade
process. See Table 5-4 for a list of coexistence-supported prior versions.
Table 5-4 Instant Messaging and Web Conferencing 6.5.1 coexistence with prior versions
Product name | Instant Messaging and Web Conferencing 6.5.1 coexistence
Instant Messaging and Web Conferencing (Sametime) 2.5 | Unsupported
Instant Messaging and Web Conferencing (Sametime) 3.0 | Upgrade only
Instant Messaging and Web Conferencing (Sametime) 3.1 | Upgrade only
5.1.2 Interoperability of versions between products
In addition to the issue of coexistence between Version 6.5.1 and prior versions
within a specific product, the upgrade process is also dependent on coexistence
and interoperability between Version 6.5.1 of each product and prior versions of
other Extended Products yet to be upgraded. In other words, are there any
coexistence or interoperability issues associated with having pre-6.5.1 versions
of one or more products in the same environment as one or more of the new
6.5.1 versions of another product? For the purpose of describing coexistence
and interoperability, we use the following terminology:
Supported: There is interoperability between the products, and the
referenced versions support that interoperability.
Interoperable: There is interoperability between the products; however,
the referenced versions are not supported together.
Installable: A product installs on the Domino server; however, the
referenced versions are not interoperable and are not
supported together.
Upgrade only: Coexistence is supported during the intended short
period of time of the upgrade process. This scenario is not
intended for long-term operation, and no updates or fixes
will be released to support this configuration.
Domino server
Domino 6.5.1 server is intended for and fully supports all of the features and
interoperability among each of the Version 6.5.1 Extended Products. However,
not all pre-6.5.1 versions of Domino will support the Version 6.5.1 Extended
Products. See Table 5-5 on page 216 for a list of the interoperability issues with
pre-6.5.1 versions of the Extended Products and Table 5-6 on page 216 for a list
of Domino versions that support the 6.5.1 Extended Products. The Notes 6.5.1
client is fully supported across all versions of the Extended Products.
Note: Although Domino 6.5.1 is intended to support all Version 6.5.1
Extended Products, the Domino 6.5.1 Server Interim Fix 1 must be installed
prior to the installation of Lotus Instant Messaging and Web Conferencing
6.5.1 or Lotus Team Workplace 6.5.1.

Table 5-5 Domino 6.5.1 interoperability with prior versions of the Extended Products
Product name                              | Domino 6.5.1 server interoperability
Lotus Team Workplace (QuickPlace) 2.x     | Installable
Lotus Team Workplace (QuickPlace) 3.x     | Installable
Domino Document Manager (Domino.Doc) 3.x  | Interoperable
Lotus Workflow 3.x                        | Interoperable
Sametime 3.x                              | Upgrade only

Table 5-6 Extended Products 6.5.1 interoperability with prior versions of Domino
Product name                                        | Domino server interoperability
Lotus Workflow 6.5.1                                | 5.0.12 or later
Domino Document Manager 6.5.1                       | 5.0.12, 6.0.3, 6.5, and later
Lotus Team Workplace 6.5.1                          | 6.5.1 with Interim Fix 1
Lotus Instant Messaging and Web Conferencing 6.5.1  | 6.5.1 with Interim Fix 1

Domino Web Access
With the 6.0.3 release of Domino, the new Web-based version of the mail
template has been renamed from iNotes Web Access to Domino Web Access.
With Domino 6.5.1, the template has been further enhanced to support online
awareness in addition to the chat feature that has existed since the Release 5
version of iNotes Web Access. See Table 5-7 for a list of iNotes Web
Access/Domino Web Access interoperability-supported versions of Lotus Instant
Messaging and Web Conferencing.

Table 5-7 Domino Web Access (iNotes) interoperability with Lotus Instant Messaging
Product name                                                 | Domino Web Access interoperability (iNotes)
Lotus Instant Messaging and Web Conferencing (Sametime) 3.x  | iNote chat supported, no awareness; Domino Web Access chat and awareness supported
Lotus Instant Messaging and Web Conferencing 6.5.1           | iNote chat supported, no awareness; Domino Web Access chat and awareness supported

Lotus Team Workplace
Of the other Extended Products, Lotus Team Workplace (formerly known as
QuickPlace) is independent of Lotus Workflow and Domino Document Manager;
it is interoperable only with Lotus Instant Messaging and Web Conferencing. See
Table 5-8 for a list of Team Workplace 6.5.1 interoperability-supported versions of
Lotus Instant Messaging and Web Conferencing.

Table 5-8 Team Workplace 6.5.1 Interoperability with Lotus Instant Messaging
Product name                                                 | Team Workplace 6.5.1 interoperability
Lotus Instant Messaging and Web Conferencing (Sametime) 2.5  | Unsupported
Lotus Instant Messaging and Web Conferencing (Sametime) 3.0  | Upgrade only
Lotus Instant Messaging and Web Conferencing (Sametime) 3.1  | Supported

Domino Document Manager
Of the other Extended Products, Domino Document Manager (formerly known as
Domino.Doc) is independent of Team Workplace, but it is interoperable with
Lotus Workflow and Lotus Instant Messaging and Web Conferencing. See
Table 5-9 for a list of Domino Document Manager 6.5.1 interoperability-supported
versions of Lotus Workflow and Lotus Instant Messaging and Web Conferencing.

Table 5-9 Document Manager 6.5.1 Interoperability with Workflow and Instant Messaging
Product name                                                 | Domino Document Manager 6.5.1 interoperability
Lotus Workflow 3.x                                           | Unsupported
Lotus Instant Messaging and Web Conferencing (Sametime) 2.5  | Unsupported
Lotus Instant Messaging and Web Conferencing (Sametime) 3.0  | Unsupported
Lotus Instant Messaging and Web Conferencing (Sametime) 3.1  | Supported

Lotus Instant Messaging and Web Conferencing
Lotus Instant Messaging and Web Conferencing (formerly known as Sametime)
provides interoperability with each of the other Extended Products and is the
most dependent on specific versions. See Table 5-10 on page 218 for a list of
Lotus Instant Messaging and Web Conferencing 6.5.1 interoperability-supported
versions of Lotus Team Workplace, Lotus Workflow, and Domino Document
Manager.

Table 5-10 Lotus Instant Messaging and Web Conferencing 6.5.1 interoperability
Product name                              | Instant Messaging and Web Conferencing 6.5.1 interoperability
Lotus Team Workplace (QuickPlace) 2.5     | Interoperable
Lotus Team Workplace (QuickPlace) 3.x     | Interoperable
Lotus Workflow 3.x                        | Interoperable
Domino Document Manager (Domino.Doc) 3.x  | Awareness unsupported

5.1.3 Upgrade dependencies
With the release of the 6.5.1 versions of Domino and the Extended Products,
there is now a common platform on which any or all of these products can coexist
and integrate together. However, as previously described, there are specific
dependencies between the product versions that must be considered when
planning the specific order of product upgrades to ensure proper coexistence
and interoperability during the upgrade process. These dependencies can be
broken down into two distinct types:
Required          Basic operations will fail if not installed in the proper
                  sequence.
Interoperability  Basic operations will function, but previous interoperability
                  with other products will fail if not installed in the proper
                  sequence.
Required upgrade dependencies
The only truly required upgrade dependency is that the minimum supportable
version of a Domino server (see Table 5-6 on page 216) must be installed prior to
the upgrade of any specific Extended Product. For Lotus Team Workplace and
Lotus Instant Messaging and Web Conferencing, neither can be upgraded until
the Domino server is upgraded to Version 6.5.1 and Interim Fix 1. For Lotus
Workflow and Domino Document Manager, the minimum supported version of
Domino is 5.0.12 or later.
Interoperability upgrade dependencies
As previously described, interoperability upgrade dependencies are those that
are required in order to maintain existing functionality between the Extended
Products during the upgrade process. If the current environment does not use
any such Extended Product integration, these dependencies are not required.
For example, if Lotus Instant Messaging and Web Conferencing V3 and Team
Workplace V3 are both currently installed, but not integrated together (that is, no
online awareness or ability to schedule collaborative meetings in Team
Workplace), either product can be upgraded before the other, because there is
no interoperability functionality to lose during or after the upgrade.
Assuming that the pre-upgrade environment includes at least two Extended
Products that are integrated together, these are the specific upgrade sequences
that must be followed to maintain the integrated functionality during and after the
upgrade:
1. Lotus Instant Messaging and Web Conferencing must be upgraded to 3.x
prior to upgrading Team Workplace to 6.5.1.
2. Lotus Team Workplace must be upgraded to 6.5.1 prior to upgrading Lotus
Instant Messaging and Web Conferencing to 6.5.1.
3. Lotus Workflow must be upgraded to 6.5.1 prior to upgrading Domino
Document Manager to 6.5.1.
4. Lotus Instant Messaging and Web Conferencing must be upgraded to 3.1
prior to upgrading Domino Document Manager to 6.5.1.
5. Domino Document Manager must be upgraded to 6.5.1 prior to upgrading
Lotus Instant Messaging and Web Conferencing to 6.5.1.
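
The required and interoperability dependencies in this section can be checked against a proposed change plan before the upgrade window. The following Python code is an added example, not part of this book or of any IBM tool: it replays a plan step by step and reports every point where a required Domino level or one of the five ordering rules is not met. The product keys (IMWC, TW, WF, DDM), the `domino:<product>` host keys, the `+IF1` suffix for "with Interim Fix 1", and the starting versions are assumptions made for the illustration.

```python
"""Check a proposed upgrade order against the rules in 5.1.3 (added example)."""

# Minimum Domino level on a product's host before that product goes to 6.5.1
# ("Required upgrade dependencies"). "+IF1" is this example's own notation
# for "with Interim Fix 1".
MIN_DOMINO = {"IMWC": "6.5.1+IF1", "TW": "6.5.1+IF1", "WF": "5.0.12", "DDM": "5.0.12"}

LOSS = "interoperability between the two products might be lost"
# (rule number, product being upgraded to 6.5.1, prerequisite product,
#  minimum prerequisite version, effect of ignoring the rule as the page states it)
INTEROP_RULES = [
    (1, "TW", "IMWC", "3.0", LOSS),
    (2, "IMWC", "TW", "6.5.1",
     "interoperability should be retained, but the configuration is not supported"),
    (3, "DDM", "WF", "6.5.1", LOSS),
    (4, "DDM", "IMWC", "3.1", LOSS),
    (5, "IMWC", "DDM", "6.5.1",
     "online awareness in Domino Document Manager is lost until it is upgraded"),
]


def ver(text):
    """'6.5.1' -> (6, 5, 1); '6.5.1+IF1' -> (6, 5, 1, 1), which sorts after (6, 5, 1)."""
    base, _, fix = text.partition("+IF")
    return tuple(int(p) for p in base.split(".")) + ((int(fix),) if fix else ())


def check_plan(current, integrated, steps):
    """Replay steps over the current versions; return (step, kind, message) findings."""
    state = dict(current)
    findings = []
    for n, (component, target) in enumerate(steps, start=1):
        if component in MIN_DOMINO and target == "6.5.1":
            host = state["domino:" + component]
            if ver(host) < ver(MIN_DOMINO[component]):
                findings.append((n, "required",
                                 f"{component} host is Domino {host}, "
                                 f"needs {MIN_DOMINO[component]}"))
            for rule, product, prereq, minimum, effect in INTEROP_RULES:
                # A rule only matters when the two products are actually integrated.
                if product != component or frozenset((product, prereq)) not in integrated:
                    continue
                if ver(state[prereq]) < ver(minimum):
                    findings.append((n, f"interop rule {rule}",
                                     f"{prereq} is at {state[prereq]}, "
                                     f"needs {minimum}: {effect}"))
        state[component] = target
    return findings


# Constructed starting environment (not from the page): product versions and
# the Domino version of the server each product runs on.
CURRENT = {"IMWC": "3.1", "TW": "3.0", "WF": "3.0", "DDM": "3.1",
           "domino:IMWC": "6.0.2", "domino:TW": "6.0.2",
           "domino:WF": "5.0.12", "domino:DDM": "5.0.12"}
INTEGRATED = {frozenset(("IMWC", "TW")), frozenset(("IMWC", "DDM")),
              frozenset(("WF", "DDM"))}

# Product and host steps in the order suggested in 5.1.4 when IMWC is
# integrated with other Extended Products (IMWC goes last).
RECOMMENDED = [("domino:TW", "6.5.1+IF1"), ("TW", "6.5.1"),
               ("WF", "6.5.1"), ("domino:WF", "6.5.1"),
               ("DDM", "6.5.1"), ("domino:DDM", "6.5.1"),
               ("domino:IMWC", "6.5.1+IF1"), ("IMWC", "6.5.1")]

# A deviating order: IMWC first, and the TW host upgraded without Interim Fix 1.
IMWC_FIRST = [("domino:IMWC", "6.5.1+IF1"), ("IMWC", "6.5.1"),
              ("domino:TW", "6.5.1"), ("TW", "6.5.1")]

if __name__ == "__main__":
    for name, plan in (("recommended", RECOMMENDED), ("IMWC first", IMWC_FIRST)):
        print(name)
        results = check_plan(CURRENT, INTEGRATED, plan) or [(0, "ok", "no findings")]
        for step, kind, message in results:
            print(f"  step {step}: [{kind}] {message}")
```

Passing an empty `integrated` set models an environment with no Extended Product integration, in which only the required Domino levels are checked.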
Note: The numbered list above describes the upgrade restrictions to support product
interoperability during the upgrade. If your environment dictates a different
upgrade order (for example, Lotus Instant Messaging and Web Conferencing
before Domino Document Manager or Team Workplace), you will not lose
native product functionality, but you might experience loss of interoperability.
For example, if you upgrade Lotus Instant Messaging and Web Conferencing
before Domino Document Manager, you will lose online awareness in Domino
Document Manager until it is upgraded. If you upgrade Lotus Instant
Messaging and Web Conferencing before Team Workplace, you should retain
interoperability, but the configuration is not supported. See 5.1.2,
Interoperability of versions between products on page 215 for additional
details.
5.1.4 Suggested upgrade sequences
In light of the various coexistence and interoperability dependencies between the
Extended Products, the specific upgrade sequence will be different for different
customer deployments. However, the following list of upgrade scenarios, covered
in the following sections, should cover the majority of the existing deployments or
provide sufficient detail for planning the upgrade process:
- No existing Extended Product integration
- Existing Lotus Instant Messaging and Web Conferencing integration with
  Notes/Domino
- Existing Lotus Instant Messaging and Web Conferencing integration with one
  or more Extended Products
- Existing Workflow integration with Domino or Domino Document Manager, or
  both
The upgrade sequence recommendations for these scenarios are provided
below, but the specific details of the actual upgrade procedure will be addressed
in 5.2, Upgrading specific products on page 225.
Upgrading with no Extended Product integration
For the customers who have installed one or more of the Extended Products, but
have yet to configure any of the integration features between those products, the
recommended upgrade sequence is simply the same as the recommended
installation sequence for a new environment. In other words, simply upgrade the
products as though you were installing them the first time. This procedure is
documented in Chapter 4, New Domino installation on page 85. However,
because this is an upgrade and not a new installation, you must first upgrade the
existing servers' operating systems to the minimum required to support the new
6.5.1 products.
Upgrading Lotus Instant Messaging and Web Conferencing
integration with Notes/Domino
Customers who installed Lotus Instant Messaging and Web Conferencing
integration only with Notes/Domino prior to Version 6.5.1 would already have
Notes/Domino at Version 6.5 and a separate Instant Messaging and Web
Conferencing server supporting online awareness (for example, Version 3.1
installed on Domino 6.0.2 or Version 3.0 installed on Domino 5.0.10). For this
case, the recommended upgrade sequence is as follows:
1. Upgrade the Domino mail server or servers to 6.5.1 (5.2.1, Domino server
upgrade on page 225).
2. Implement the Lotus Instant Messaging and Web Conferencing post-upgrade
integration procedure for Notes clients or Domino Web Access, or both (5.3.1,
Lotus Instant Messaging and Web Conferencing integration on page 230).
   Important: The previous step is only required if you have already activated
   the Domino Web Access chat (iNotes) feature prior to the upgrade and you
   want to retain that functionality during the upgrade and prior to upgrading
   the Lotus Instant Messaging and Web Conferencing server. If not, you
   should skip this step and perform the complete Lotus Instant Messaging
   and Web Conferencing post-upgrade integration procedure after the
   Instant Messaging and Web Conferencing server is upgraded.
3. Upgrade the Notes clients to 6.5.1.
4. Upgrade the Lotus Instant Messaging and Web Conferencing Domino server
to 6.5.1 with Interim Fix 1 (5.2.1, Domino server upgrade on page 225).
5. Upgrade the Instant Messaging and Web Conferencing server to 6.5.1 (5.2.5,
Lotus Instant Messaging and Web Conferencing upgrade on page 227).
6. Implement Lotus Instant Messaging and Web Conferencing post-upgrade
integration procedure for Notes clients or Domino Web Access, or both (5.3.1,
Lotus Instant Messaging and Web Conferencing integration on page 230).
Tip: Although the Domino Server 6.5.1 Interim Fix 1 is only required for Lotus
Instant Messaging and Web Conferencing and Team Workplace, we
recommend installing it on all 6.5.1 Domino servers for consistency across the
infrastructure.
Upgrading Lotus Instant Messaging and Web Conferencing
integration with Extended Product or Products
For customers who have installed Lotus Instant Messaging and Web
Conferencing integration with Team Workplace or Domino Document Manager
(with or without integration with Notes/Domino), Lotus Instant Messaging and
Web Conferencing must be upgraded last in order to preserve integration
functionality during the upgrade process. However, Lotus Instant Messaging and
Web Conferencing must be at Release 3.x to support the Team Workplace
upgrade to 6.5.1, and it must be at 3.1 to support the Domino Document
Manager upgrade to 6.5.1. Therefore, the following upgrade sequence is
recommended whenever Lotus Instant Messaging and Web Conferencing has
been integrated with one or more of the Extended Products.
If upgrading a Lotus Team Workplace server, and Lotus Instant Messaging and
Web Conferencing is a version earlier than Version 3.0, or if upgrading a Domino
Document Manager server, and Lotus Instant Messaging and Web Conferencing
is a version earlier than Version 3.1, complete the following required steps:
1. Upgrade the Lotus Instant Messaging and Web Conferencing Domino server
to 6.0.2 (refer to the Notes/Domino 6 Upgrade Guide for specific upgrade
procedures).
2. Upgrade the Instant Messaging and Web Conferencing server to 3.1 (refer to
the Sametime 3.1 Installation Guide for specific upgrade procedures).
If upgrading a Lotus Workflow server or a Domino Document Manager server,
complete the following required steps:
1. Upgrade the Workflow Domino server to 5.0.12 (refer to the Notes/Domino 5
Upgrade Guide for specific upgrade procedures).
2. Upgrade the Domino Document Manager server to 5.0.12 (refer to the
Notes/Domino 5 Upgrade Guide for specific upgrade procedures).
To complete the upgrade to 6.5.1, complete the following steps:
1. Upgrade the Domino mail server or servers to 6.5.1 (see 5.2.1, Domino
server upgrade on page 225).
2. Implement Lotus Instant Messaging and Web Conferencing post-upgrade
integration procedures for the relevant Notes/Domino or Extended Products,
or both, in use (see 5.3.1, Lotus Instant Messaging and Web Conferencing
integration on page 230).
   Important: The previous step is only required if you have already activated
   the iNotes Web Access chat feature prior to the upgrade, and you want to
   retain that functionality during the upgrade and prior to upgrading the Lotus
   Instant Messaging and Web Conferencing server. If not, you should skip
   this step and perform the complete Lotus Instant Messaging and Web
   Conferencing post-upgrade integration procedure after the Instant
   Messaging and Web Conferencing server is upgraded.
3. Upgrade the Notes clients to 6.5.1.
4. Upgrade the Team Workplace Domino server to 6.5.1 with Interim Fix 1
(5.2.1, Domino server upgrade on page 225).
5. Upgrade the Team Workplace server to 6.5.1 (5.2.2, Lotus Team Workplace
upgrade on page 226).
6. Upgrade the Lotus Workflow server to 6.5.1 (5.2.3, Lotus Workflow upgrade
on page 227).
7. Upgrade the Lotus Workflow Domino server to 6.5.1 (5.2.1, Domino server
upgrade on page 225).
8. Upgrade the Domino Document Manager server to 6.5.1 (5.2.4, Domino
Document Manager upgrade on page 227).
9. Upgrade the Domino Document Manager Domino server to 6.5.1 (5.2.1,
Domino server upgrade on page 225).
10. Upgrade the Lotus Instant Messaging and Web Conferencing Domino server
to 6.5.1 with Interim Fix 1 (5.2.1, Domino server upgrade on page 225).
11. Upgrade the Lotus Instant Messaging and Web Conferencing server to 6.5.1
(5.2.5, Lotus Instant Messaging and Web Conferencing upgrade on
page 227).
12. Implement Lotus Instant Messaging and Web Conferencing post-upgrade
integration procedures for the relevant Notes/Domino or Extended Products,
or both, in use (5.3.1, Lotus Instant Messaging and Web Conferencing
integration on page 230).
13. Implement Domino Document Manager post-upgrade integration procedures
for the relevant Notes/Domino or Extended Products, or both, in use (5.3.2,
Domino Document Manager integration on page 232).
Tip: Although the Domino Server 6.5.1 Interim Fix 1 is only required for Lotus
Instant Messaging and Web Conferencing and Team Workplace, we
recommend that you install it on all 6.5.1 Domino servers for consistency
across the infrastructure.
Note: For Lotus Instant Messaging and Web Conferencing and Team
Workplace, the Domino server must be upgraded to 6.5.1 prior to the product
upgrade. For Lotus Workflow and Domino Document Manager, the product
should be upgraded first to support functionality if the Domino server upgrade
was to be delayed. However, if the entire server is to be upgraded together, it
would be simpler and more consistent with all products to upgrade the Domino
server to 6.5.1 just before upgrading the product.
Upgrading Lotus Workflow integration with Domino/Domino
Document Manager
For customers who have installed Lotus Workflow integration with Domino
Document Manager, the Lotus Workflow server should be upgraded before
Domino Document Manager to maintain interoperability during the upgrade
process. However, because Lotus Workflow can also integrate into standard
Domino applications, it should not be upgraded without first evaluating the impact
on those applications. This book does not address those issues because they
are not related to Extended Product integration. Refer to 5.2.3, Lotus Workflow
upgrade on page 227 and 5.2.4, Domino Document Manager upgrade on
page 227 for specific upgrade details.
5.1.5 Authentication and directories
Before upgrading Domino or any of the Extended Products, you must consider
the authentication models and respective directories required to support the new
products. Chapter 3, Directory and authentication considerations on page 67
provides more complete coverage of this topic, but we identify some important
points in this section.
Because all Domino servers (and therefore any of the Extended Products
residing on them) can employ Directory Assistance for authentication, they can
refer to external LDAP directories for authentication, but only after native Domino
authentication with the primary domain directory fails. In earlier releases, to
bypass Domino authentication in favor of LDAP authentication (Domino or
external), you had to install the products into artificially created external Domino
domains that did not include the user accounts.
With the new 6.5.1 releases, Lotus Team Workplace, Lotus Instant Messaging
and Web Conferencing, and Domino Document Manager each support the ability
to authenticate directly against a defined LDAP server, whether that LDAP server
is from an external source or a Domino server providing LDAP service from a
Domino Directory. Prior to 6.5.1, the following native support for LDAP was
provided:
- Lotus Team Workplace
  - Prior to 2.0.8, only Domino authentication was used.
  - In 2.0.8 and 2.0.9, LDAP authentication was supported through Directory
    Assistance.
  - In 3.x, native LDAP authentication was first provided; Domino
    authentication was available for upgrade compatibility, but was no longer
    supported.
- Lotus Instant Messaging and Web Conferencing
  - Prior to 2.0, only Domino authentication was used.
  - With 2.x or 3.x, native LDAP authentication was provided; both Domino
    and LDAP authentication were supported.
  - With 3.x, only LDAP authentication was supported for Lotus Instant
    Messaging and Web Conferencing integration with Team Workplace.
- Domino Document Manager
  - In all previous versions, LDAP was supported only through Directory
    Assistance.
For upgrade purposes, the only product that requires an LDAP directory for
supported functionality is Lotus Team Workplace. Therefore, if you are upgrading
from an earlier version of Team Workplace and still using Domino authentication,
you can upgrade with Domino authentication, but you will need to provide a valid
LDAP authentication source after the upgrade is complete.
With respect to providing full integration between Domino and the Extended
Products, you should also plan to convert Lotus Instant Messaging and Web
Conferencing to LDAP authentication. Domino authentication is not supported for
Lotus Instant Messaging and Web Conferencing 6.5.1 integration with Team
Workplace 6.5.1. Furthermore, if you plan to extend any of the 6.5.1 products into
WebSphere portlets and enable single sign-on (see Configuring single sign-on
(SSO) on page 102), LDAP authentication will also be required.
For our sample upgrade scenario (5.4, Sample upgrade scenario on page 233),
we perform the upgrades in two parts:
1. Products will be upgraded with existing authentication directories.
2. Authentication directories will be migrated to LDAP.
5.2 Upgrading specific products
Upgrading to the 6.5.1 products is covered thoroughly in specific documents
dedicated to each of the products. In this section, we reference those documents,
but we also highlight certain aspects of the specific upgrade processes that
should be considered with respect to the overall integration of all of the products.
5.2.1 Domino server upgrade
Before upgrading any Domino server, the resulting impact must be evaluated in
terms of the overall Domino infrastructure. This is especially true if it involves
migrating from one major version to another (for example, from 5.x to 6.x). The
desire to upgrade one of the Extended Products should not override the best
practices and recommendations for upgrading a larger Domino infrastructure, but
should be considered in terms of its proper sequence in an overall migration
strategy. Refer to Upgrading to Lotus Notes and Domino 6, SG24-6889, for
specific details about developing a proper migration plan.
For the purpose of supporting integration among Notes/Domino 6.5.1 and the
6.5.1 Extended Products, the following basic requirements should be met:
- Ensure that the operating system is upgraded to support Domino 6.5.1.
- Ensure that Domino 6.5.1 Interim Fix 1 is installed after the upgrade to
  Domino 6.5.1 for at least the Lotus Instant Messaging and Web Conferencing
  and Team Workplace servers.
- Ensure that the client mail files are upgraded to the new 6.5.1 iNotes6.ntf mail
  template for proper Lotus Instant Messaging and Web Conferencing
  integration (in Notes and Domino Web Access).
5.2.2 Lotus Team Workplace upgrade
There are several issues to consider when upgrading a Team Workplace
(formerly called QuickPlace) server to 6.5.1. First, if you are upgrading from a
version earlier than 2.0.8, you must first upgrade to 2.0.8 or later before you can
upgrade to 6.5.1. For versions 2.0.8 or later, refer to the Team Workplace 6.5.1
Installation and Upgrade Guide for specific upgrade instructions. Some issues
that can affect the upgrade and integration with other Extended Products include:
- If you are running a 2.0.x Team Workplace (QuickPlace) server in stand-alone
  mode (that is, without an underlying Domino server installation), you cannot
  upgrade directly to 6.5.1. Instead, you have to migrate those Team
  Workplaces (QuickPlaces) as follows:
  a. Back up the existing Team Workplace (QuickPlace) files.
  b. Uninstall the Team Workplace (QuickPlace) server.
  c. Install a new Domino 6.5.1 server with Interim Fix 1.
  d. Install the Team Workplace 6.5.1 server.
  e. Restore the Team Workplace backup files.
  f. Migrate the previous Places into the new Team Workplace server.
- If you are running a Team Workplace server in overlay mode on top of an
  existing Domino server, you can upgrade directly to Domino/Team Workplace
  6.5.1, but you will have to upgrade the design of your Places and PlaceTypes
  and modify some server configurations for full 6.5.1 feature functionality.
- If you are running Team Workplace servers in a cluster, you should disable
  the cluster prior to the upgrade and not re-enable it until all cluster members
  have been upgraded to 6.5.1.
- If you are using native Domino Directory authentication in Team Workplace,
  you can continue with that during the upgrade, but you will have to convert to
  LDAP directory authentication in the post-upgrade integration step.
5.2.3 Lotus Workflow upgrade
We do not perform a Lotus Workflow upgrade for this book. For specific details
about upgrading to Lotus Workflow 6.5.1, refer to the Lotus Workflow Migration
Guide. Some relevant upgrade considerations include:
- Versions of Lotus Workflow prior to 3.0 cannot be migrated directly to 6.5.1.
- Because Lotus Workflow can also support Notes/Domino applications,
  migration of a Lotus Workflow server can affect Domino server activity and
  applications other than those of the Extended Products.
- If Lotus Workflow is integrated with Domino Document Manager, it should be
  upgraded before Domino Document Manager to support functionality during
  the upgrade process.
5.2.4 Domino Document Manager upgrade
There are several issues to consider when upgrading a Domino Document
Manager (formerly called Domino.Doc) server to 6.5.1. First, if you are upgrading
from a version earlier than 3.1, you must first upgrade to 3.1 before you can
upgrade to 6.5.1. To upgrade a Version 3.1 Domino Document Manager
(Domino.Doc) server, refer to the Document Manager 6.5.1 Installation Guide for
specific upgrade instructions. Some issues that might affect the upgrade and
integration with other Extended Products include:
- If you have customized any of the standard Domino Document Manager
  templates, you will have to save them and reapply them after any upgrades.
- If you have master and replica servers, you will need to disable replication
  prior to the upgrade and only reinstate it after the replicating servers are all
  upgraded to 6.5.1.
- The process for upgrading replica servers is different for servers that host
  libraries and file cabinets from those that only host file cabinets.
- Client-side enhancements for Domino Document Manager 6.5.1 will require
  client upgrades to the new Desktop Enabler and Desktop Controls plug-ins.
- Client-side ODMA connections (native or programmed) to the Document
  Manager 6.5.1 server will no longer function until the client Desktop Enabler is
  also upgraded to 6.5.1.
5.2.5 Lotus Instant Messaging and Web Conferencing upgrade
Although Lotus Instant Messaging and Web Conferencing (formerly called
Sametime) 6.5.1 is the most sensitive of the Extended Products to the specific
versions of the other products, it is relatively simple to upgrade from its previous
versions compared to the other products. Lotus Instant Messaging and Web
Conferencing can be upgraded directly to 6.5.1 from previous Versions 2.0, 2.5,
3.0 or 3.1. To upgrade Lotus Instant Messaging and Web Conferencing to Version
6.5.1 from Version 1.5, you should first upgrade to Version 3.1. Refer to the
Instant Messaging and Web Conferencing 6.5.1 Installation Guide for Windows
for specific instructions about upgrading previous versions. Some issues that
might affect the upgrade and integration with other Extended Products include:
- Domino versus LDAP directory authentication:
  - The directory authentication can be retained or changed during the server
    software installation.
  - If Domino authentication is enabled, Lotus Instant Messaging and Web
    Conferencing will not support the Team Workplace Chat menu option for
    displaying online place members.
  - If LDAP authentication is enabled, Lotus Instant Messaging and Web
    Conferencing will not support online awareness of hierarchical names in
    the Notes 6.5.1 client (this is a known issue that has been addressed by
    SPR TPAE5WJKBZ and has been resolved with the release of the Notes
    6.5.2 client).
  - If authentication is changed from Domino to LDAP, all existing user buddy
    lists will be lost unless they are converted to LDAP format.
    Tip: There are third-party tools that can be purchased and there is a
    free tool available from the Sandbox on the Lotus Developer Domain
    that can be used to migrate Domino-based buddy lists to LDAP format.
  - If the Lotus Instant Messaging and Web Conferencing setup program
    (stsetup.exe) is used to change configuration options, all existing user
    buddy lists will revert back to using the default Show Online People Only
    option. This issue can be corrected using the Name Conversion Utility tool
    mentioned in the Tip box.
    Tip: We recommend that you use the IBM Lotus Instant Messaging and
    Web Conferencing 6.5.1 Name Conversion Utility tool available from the
    Lotus Developer Domain download site. You will find this utility located
    in the Lotus Instant Messaging and Web Conferencing
    (Sametime) Other downloads section at:
    http://www.lotus.com/ldd/down.nsf
- Tunneling services for a single IP address on port 80:
  - Tunneling client connections for a single IP address on port 80 can be
    enabled or disabled with a single check box during the server software
    installation.
  - If tunneling on port 80 is enabled, at present, Lotus Instant Messaging and
    Web Conferencing will not support online awareness in Domino Web
    Access without a special workaround described in 5.4.7, Post-upgrade
    Lotus Instant Messaging integration on page 273 (this is a known issue
    that is being addressed by SPR DDES5W4JWM).
- Instant Messaging Connect client 6.5.1 and AOL Instant Messenger:
  - New client installations of the 6.5.1 Connect client will not have embedded
    AOL Instant Messenger integration.
  - Existing client upgrades to the 6.5.1 Connect client will retain the previous
    embedded AOL Instant Messaging integration (this is a known issue that is
    being addressed by SPR CDOY5YFLDX).
  - To remove the embedded AOL Instant Messaging integration from an
    upgraded client, you must remove four files (aimui.dll, aim.ocx,
    aimbase.ocx, and aimui.ocx) from the Instant Messaging Connect client
    installation directory.
5.3 Post-upgrade product integration
As described in Chapter 4, New Domino installation on page 85, there are
many post-configuration integration procedures that must be performed to enable
full integration among the various products. In that chapter, the procedures are
presented in terms of installing the products into a new environment. In the case
of upgrading prior versions of the Extended Products, the installation sequence
can be very different. When no prior integration existed, the products can be
upgraded and integrated together as though it was a new installation (see
Upgrading with no Extended Product integration on page 220).
When upgrading Extended Products that had previously been integrated
together (see Upgrading Lotus Instant Messaging and Web Conferencing
integration with Extended Product or Products on page 221), the upgrade
sequence does not support the same sequence of post-configuration integration
procedures. In this case, the upgrade procedures are designed to maintain as
much inter-product integration as possible during the upgrade process. After all
of the products have been upgraded, any new product integration procedures
should be applied.
5.3.1 Lotus Instant Messaging and Web Conferencing integration
After the Instant Messaging and Web Conferencing server has been upgraded to
6.5.1, it can be integrated into the various other 6.5.1 Notes/Domino and
Extended Products. If Lotus Instant Messaging and Web Conferencing 6.5.1 is
deployed prior to the deployment of the other products, it can be integrated into
each of them as part of the post-installation integration procedures, as described
in 4.3.2, Post-installation configuration on page 112. However, in this chapter,
we focus on the upgrade process, where the Instant Messaging and Web
Conferencing server is upgraded to 6.5.1 after each of the other products has
been installed, upgraded, or both. Under those conditions, Lotus Instant
Messaging and Web Conferencing could not have been integrated as part of the
individual product integration procedures. The following sections describe the
specific post-upgrade procedures required to enable or update, or both, Lotus
Instant Messaging and Web Conferencing integration with the other 6.5.1
products.
Enable desktop awareness
Prior to 6.5.1, desktop awareness was available through the Instant Messaging
Connect client. After the Instant Messaging and Web Conferencing server is
upgraded to 6.5.1, users with prior Connect clients will continue to use the prior
versions until they install the new version (for example, from the Instant
Messaging and Web Conferencing server or other software distribution
mechanism). If you had previously used the Instant Messaging (formerly
Sametime) Client Packager to customize the Connect client installation for your
environment, you will need to repeat the process and create a newly customized
version of the 6.5.1 Connect client prior to distribution. Refer to the Instant
Messaging and Web Conferencing 6.5.1 Installation Guide for Windows for
specific details about customization using the Instant Messaging Client Packager
tool.
Enable awareness in Notes 6.5.1
Prior to 6.5.1, online awareness was only available in the Notes 6.5 client. It was
predominantly deployed through the 6.5 version of the iNotes6.ntf mail template,
but it was also available in other revised Domino templates and could have been
deployed into other Domino database applications. In each of these situations,
no changes should be required to support continued online awareness with the
Lotus Instant Messaging and Web Conferencing 6.5.1 server.
If upgrading from a previous version of Notes, or if online awareness was not
enabled in Notes prior to the Lotus Instant Messaging and Web Conferencing
upgrade, it can be enabled anytime after the client is upgraded as long as a valid
Instant Messaging and Web Conferencing server is available in the environment.
Enabling awareness in the Notes 6.5.1 client is the same after an upgrade as for
a new installation (see 4.4, Notes client installation and configuration on
page 118).
Enable awareness in Domino Web Access 6.5.1
Online awareness was only available with the most recent release of Domino
Web Access when integrated with Lotus Instant Messaging and Web
Conferencing (Sametime) 3.1. When integrating with Lotus Instant Messaging
and Web Conferencing 6.5.1, the process is nearly identical, except that
additional options are now available. Therefore, enabling awareness in Domino
Web Access 6.5.1 is the same after an upgrade as for a new installation (see 4.5,
Domino Web Access configuration on page 126).
Enable awareness, chat, and meetings in Lotus Team
Workplace 6.5.1
Prior to 6.5.1, online awareness, chat, and the ability to schedule collaborative
meetings were all available in Team Workplace (QuickPlace). Enabling those
features required configuration changes to the Lotus Instant Messaging and Web
Conferencing and Team Workplace servers, as well as the exchange of specific
.jar files between them. The specific versions of those .jar files will depend on the
specific releases of Lotus Instant Messaging and Web Conferencing and Team
Workplace when they were first integrated. Upgrading Lotus Instant Messaging
and Web Conferencing and Team Workplace will retain the configuration
changes, but it will not upgrade the .jar files that were manually exchanged.
Although the features should continue to function after the upgrade, the .jar files
should be upgraded to the newest versions after both products have been
upgraded to 6.5.1. Refer to 4.6, Lotus Team Workplace server on page 138 for
details of the specific versions of the jar files that should be deployed for 6.5.1.
Note: Awareness can be enabled in new Notes 6.5.1 client installations prior
to upgrading the Instant Messaging and Web Conferencing server to 6.5.1, but
we recommend that you wait for the Instant Messaging and Web Conferencing
server upgrade for consistency with the other Lotus Instant Messaging and
Web Conferencing integration procedures.
Note: If you are configuring your Instant Messaging server to work with LDAP,
note that the option to send canonical names is only available in Notes clients
6.5.1 or later. Accordingly, we do not recommend that you configure the
Instant Messaging server with LDAP and Notes client canonical names until
all the Notes clients that require Instant Messaging have been upgraded to
6.5.1 or later. For additional details about using canonical names in Instant
Messaging, see Use canonical name for instant messaging status lookup on
page 123.
Enable awareness in Domino Document Manager 6.5.1
Prior to 6.5.1, online awareness was available in Domino Document Manager
(Domino.Doc). Enabling awareness required the presence of a replica of the
Sametime Secrets database (stauths.nsf) on the Domino Document Manager
server and configuring the Domino Document Manager server and relevant file
cabinets to point to a valid Lotus Instant Messaging and Web Conferencing
server. If these settings were enabled prior to the upgrade to 6.5.1, they will be
retained after the upgrade, and awareness will be unaffected by the upgrade process. Therefore,
there are no special steps required to implement awareness in Domino
Document Manager if it existed prior to the upgrade. See Instant Messaging and
presence awareness integration: Who is online? on page 171 for details about
implementing awareness in Domino Document Manager if it did not exist prior to
the upgrade to 6.5.1.
5.3.2 Domino Document Manager integration
After the Domino Document Manager servers are upgraded to 6.5.1, its new
features can be integrated into Notes 6.5.1 clients and Lotus Workflow 6.5.1
servers. If no previous integration existed, it can be enabled as though for a new
installation as part of the post-installation integration procedures, as described in
4.7.3, Initial Domino Document Manager installation on page 165. However, in
this chapter, we focus on the upgrade process, where the Domino Document
Manager server is upgraded to 6.5.1 after each of the other products has been
installed or upgraded, or both. The following sections describe the specific
post-upgrade procedures required to enable or update, or both, Domino
Document Manager integration with the other 6.5.1 products.
Enable Notes 6.5.1 client features
Prior to 6.5.1, the only native Notes client integration with Domino Document
Manager (Domino.Doc) was through the Domino.Doc Controls plug-in. This
plug-in enabled Notes clients to access Document Manager libraries and
provided a collection of Active-X controls and right-click options within the
libraries. This plug-in could be installed from a download or automatically
(through an on-screen prompt) whenever a Notes client without the plug-in
accessed a library. After upgrading a Domino Document Manager server to
6.5.1, Notes clients with the previous plug-in are not prompted to upgrade when
they re-enter the library, so the only way to upgrade to the new plug-in is to
download or distribute the executable (DDBindX.exe) to the users.
Note: Although we did only limited testing, we did not find any differences with
the Notes client access to Domino Document Manager 6.5.1 prior to
upgrading to the new version of the Controls plug-in. We were unable to find
out if there are any changes to the plug-in, but the new executable has a
newer file date than the previous version, which makes us think that some
changes were made. Therefore, we recommend that you upgrade to the new
version, but it need not take precedence or cause any concern if the upgrade
is not immediate.
Domino Document Manager provides another client interface through the
Document Manager Desktop Enabler application. This application provides direct
access to libraries from ODMA-compliant desktop applications (for example,
word processors and desktop publishers), as well as access through an
application programming interface (API). Although there were downloadable
tools to provide direct Notes client access to Domino Document Manager
through the API, previous versions of the Desktop Enabler did not provide any
native Notes interface to Domino Document Manager libraries.
The new Desktop Enabler 6.5.1 provides a native Notes e-mail interface with
Domino Document Manager. In order to enable this new interface, the Desktop
Enabler must be installed, upgraded, or both on each client workstation. The
procedure is described in Install the Desktop Enabler on page 176. If upgrading
a previous installation, the Desktop Enabler should be installed in the same
directory as the previous version.
5.4 Sample upgrade scenario
In this section, we created a sample pre-6.5.1 infrastructure representative of
what customers might have prior to upgrading to the new 6.5.1 products. We first
describe the existing infrastructure and then walk through the upgrade sequence,
as described in Upgrading Lotus Instant Messaging and Web Conferencing
integration with Extended Product or Products on page 221.
5.4.1 Pre-upgrade environment
This section describes the sample environment before the upgrade.
Infrastructure
The basic infrastructure used for the sample upgrade scenario is depicted in
Figure 5-1 on page 234. For Team Workplace and Lotus Instant Messaging and
Web Conferencing, the Domino server versions were chosen specifically to
support those products. For Domino Document Manager, we could have chosen
many different Domino servers, but because we would have had to upgrade
Domino to 5.0.12 (see 5.2.4, Domino Document Manager upgrade on
page 227) prior to other upgrades, we chose to avoid that step and start with a
version that supported the direct upgrade of the Domino Document Manager
server, in this case, 6.0.3. For the mail/hub server, we chose Domino 6.0.3
because that server is typically the newest version in most environments.
Although there are many other combinations that could have been used, this one
has a mix of Domino server versions, and the upgrade process should represent
the basic steps necessary for most environments.
Figure 5-1 Sample pre-6.5.1 upgrade infrastructure
Common configuration settings across all servers include:
Microsoft Windows 2000 Advanced Server with Service Pack 4.
1 GB RAM.
Operating system installed on C: drive.
Domino and Extended Products installed on D: drive:
Program directory = D:\Lotus\Domino
Data directory = D:\Lotus\Domino\Data
Domino Enterprise server installed with default settings.
Domino servers configured with HTTP service enabled.
LocalDomainAdmins added to every ACL; Anonymous denied access.
Domino server installed as automatic service with administrative rights.
The fully qualified host names of the Domino servers are resolvable to all
users through DNS.
Authentication and directories
For our sample upgrade environment, we deployed Team Workplace using LDAP,
but all of the other Domino and Extended Products using authentication against
the standard Domino Directory replicated throughout the infrastructure. This was
done for several reasons:
- Some of the Extended Products do not support LDAP prior to 6.5.1.
- Team Workplace (QuickPlace) 3.x supports Domino authentication, but is
  only intended for use during upgrades for backward compatibility.
- Although full integration between Lotus Instant Messaging and Web
  Conferencing and Team Workplace requires LDAP for both products, some
  customers have delayed upgrading Lotus Instant Messaging and Web
  Conferencing to LDAP for reasons such as:
  - Difficulty migrating buddy lists from Domino to LDAP.
  - Awareness still functions in Team Workplace without LDAP.
  - Lost Team Workplace functionality, that is, the ability to create online
    meetings and the menu chat feature, which shows specific Team
    Workplace members who are online.
- We want to demonstrate the upgrade process of converting from Domino to
  LDAP authentication for those 6.5.1 products that now require it.
Note: In some combinations of earlier releases, online meetings could
be created in Team Workplace (QuickPlace) even when Team
Workplace (QuickPlace) used LDAP and Lotus Instant Messaging and
Web Conferencing used Domino authentication, and this functionality
could be retained when the products were upgraded to the latest
pre-6.5.1 versions. However, this functionality is not officially supported
unless both products use LDAP.
Deployment
For the deployment of Domino and the Extended Products, the basic process is
the same as described in Chapter 4, New Domino installation on page 85. This
section describes the specific sequence used to deploy the sample environment
and shows some of the resulting configuration settings.
Mail/hub server
The following steps briefly describe how to deploy and configure the mail/hub
server. For additional details, refer to 4.2.1, Initial Domino installation on
page 91 and 4.2.2, Initial configuration setup on page 92.
To deploy the mail/hub server, complete the following steps:
1. Install the Domino 6.0.3 server as the first Domino server in the domain with
the following values:
Server name: upgdom
Domain name: ITSOUPG
Certifier name: /ITSOUPG
Administrator name: Domino Admin/ITSOUPG
2. Enable LDAP by default for the first Domino 6 server in the domain.
3. Enable HTTP as a startup service (mail and applications).
4. Install and configure administrator workstation.
5. Convert administrator mail to Domino Web Access (6):
load convert -u mail\dadmin.nsf * iNotes6.ntf
6. Register three Domino servers to support the Extended Products.
7. Register test users with Domino Web Access (6) mail.
8. Create LtpaToken for multiserver single sign-on (SSO). See Figure 5-2 on
page 237.
Figure 5-2 LtpaToken Web SSO configuration
Note: Because the LtpaToken is to be used across both 5.x and 6.x
servers, we created it using the Web configuration format that applies to
R5 servers. After all of the servers have been upgraded to 6.x, the format
can be changed to use the new Internet Site document configuration.
9. Modify all of the Server documents to use multiserver SSO:
a. Select the Internet Protocols → Domino Web Engine tab.
b. Change Session authentication to Multiple Servers (SSO).
c. Change Web SSO Configuration to LtpaToken.
10. Create a new database on the mail server from the Domino Web Access
Redirect template (iwaredir.ntf):
a. Name the database something descriptive (for example,
WebMailRedirect.nsf).
b. Under Server Settings, configure for MailServer redirection.
c. Under Application Setup, click to auto set ACL settings.
11. Modify additional Server document configuration settings (see Figure 5-3 on
page 238):
a. Under the Internet Protocols → HTTP tab:
Change Host name(s) to the fully qualified host name of the server.
Change the Home URL to /WebMailRedirect.nsf?Open (from step
10a).
b. Under the Security tab, verify the default security/agent execution settings.
Figure 5-3 Hub/mail server additional configuration settings
12. Create a new database on the mail server from the Domino Web Server
Configuration (6) template (domcfg5.ntf):
a. Name the database domcfg.nsf (required).
b. Add a Mapping document:
Target Database: WebMailRedirect.nsf (from step 10a on page 237)
Target Form: DWALoginForm
13. Configure a domain-wide ECL-trusted administrator:
a. Create a Security Settings document in the Domino Directory.
b. On the Basics tab, provide a name for the document.
c. On the Execution Control List tab, click Edit.
d. Click Add, and select the name of a trusted authority.
e. Select all of the check boxes for allowed access.
f. Repeat the previous two steps for Java and JavaScript security.
g. Click OK, and save the Security Settings document.
h. Create an Organizational Policy document and specify the Security
Settings document just created.
Note: Domino 6.x servers now support policy-based updating of user
ECL settings. In prior server versions, this was done only during client
setup or when mailed out to the users. If you are already using policies,
adapt these instructions to fit within your existing configuration. If you
still have Notes 5.x users, you will have to distribute the Administration
ECL manually to those users.
14. Create a servers-only group with the other three server names and configure
replication from the hub and the server group. See Figure 5-4.
Figure 5-4 Replication connections
15. Restart the Domino server.
Lotus Instant Messaging and Web Conferencing server
The following steps briefly describe how to deploy and configure the Lotus
Instant Messaging and Web Conferencing server. For additional details, refer to
4.3, Lotus Instant Messaging and Web Conferencing server on page 110 and
the Sametime 3.1 Installation Guide for Windows. To deploy and configure the
Instant Messaging and Web Conferencing server, complete the following steps:
1. Install Domino 6.0.2CF2 server software on the Instant Messaging and Web
Conferencing server platform.
2. Configure the Lotus Instant Messaging and Web Conferencing Domino server
(upgst/ITSOUPG) as an additional server in the domain.
3. Run the Domino server and verify replication and communications with the
hub server.
4. Shut down the Lotus Instant Messaging and Web Conferencing Domino
server.
5. Install Lotus Instant Messaging and Web Conferencing (Sametime) 3.1 into
the Domino Program directory:
a. Verify that the installation finds the proper Domino Program directory.
b. When prompted, browse to and select the Domino server ID.
c. When prompted, choose the Domino Directory for authentication.
d. When prompted, do not select tunneling on port 80.
6. Install the Lotus Instant Messaging and Web Conferencing (Sametime) 3.1
Java Toolkit.
Tip: Although not required for the basic Instant Messaging and Web
Conferencing server functionality, the Java Toolkit will be required to enable
integration with Team Workplace. It will also be required for the
post-upgrade integration procedures.
7. Install Lotus Instant Messaging and Web Conferencing (Sametime) 3.1
Interim Fix 1.
8. Restart the Lotus Instant Messaging and Web Conferencing Domino server.
9. Modify additional Server document configuration settings (see Figure 5-5 on
page 241):
a. Under the Internet Protocols → HTTP tab:
Change Host name(s) to the fully qualified host name of the server.
Change the Home URL to /STCenter.nsf?Open.
b. Under the Security tab, verify the Lotus Instant Messaging and Web
Conferencing security/agent execution settings.
Figure 5-5 Instant Messaging and Web Conferencing server additional configuration settings
10. Enable the SametimeSecretGenerator:
a. Using the administrator account, open the stauths.nsf database on the
Instant Messaging and Web Conferencing server.
b. Go to View → Agents.
c. Enable the SametimeSecretGenerator agent.
d. Choose the Instant Messaging and Web Conferencing server on which the
agent should run.
11. Replicate the Sametime Secrets database to the hub/mail server:
a. Using the administrator account, create a replica of the stauths.nsf
database from the Instant Messaging and Web Conferencing server to the
hub/mail server.
b. In the Domino Directory on the Instant Messaging and Web Conferencing
server, create a replication connection record from the Instant Messaging
and Web Conferencing server to the hub/mail server specifically for the
stauths.nsf database (see Figure 5-4 on page 239).
12. Assign the Instant Messaging and Web Conferencing server to the users:
Option 1: Manually edit each Person document and enter the hierarchical
name of the Instant Messaging and Web Conferencing server in the
designated field.
Option 2: Run an agent to populate the designated field, but be sure to
express the field in fully canonical format, for example:
FIELD SametimeServer := "CN=upgst/O=ITSOUPG"
13. Restart the Instant Messaging and Web Conferencing server.
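Step 12 requires the server name in fully canonical format. As an added example (not part of the Redbook), this script audits exported SametimeServer values and proposes the canonical form for abbreviated ones. The export as (person, value) pairs, the test user names and the has_country switch are assumptions; an abbreviated name alone does not say whether its last component is a country code.

```python
import re

# One labelled component of a canonical Notes name, for example "CN=upgst".
LABELLED = re.compile(r"^(CN|OU|O|C)=(.+)$")
ORDER_CODES = {"CN": "n", "OU": "u", "O": "o", "C": "c"}


def classify(value):
    """Return 'empty', 'flat', 'abbreviated', 'canonical' or 'malformed'."""
    value = value.strip()
    if not value:
        return "empty"
    parts = value.split("/")
    if all("=" not in part for part in parts):
        return "abbreviated" if len(parts) > 1 else "flat"
    labels = []
    for part in parts:
        match = LABELLED.match(part)
        if match is None:
            return "malformed"  # labelled and unlabelled components mixed
        labels.append(match.group(1))
    # Canonical order: CN, up to four OU, O, then an optional C.
    order = "".join(ORDER_CODES[label] for label in labels)
    return "canonical" if re.fullmatch(r"nu{0,4}oc?", order) else "malformed"


def to_canonical(abbreviated, has_country=False):
    """Expand an abbreviated hierarchical name such as upgst/ITSOUPG.

    Assumption: the caller states whether the last component is a country.
    """
    parts = [part.strip() for part in abbreviated.split("/")]
    if any(not part or "=" in part for part in parts):
        raise ValueError(f"not an abbreviated name: {abbreviated!r}")
    country = parts.pop() if has_country else None
    if len(parts) < 2:
        raise ValueError(f"need at least a common name and an organization: {abbreviated!r}")
    common, *units, org = parts
    if len(units) > 4:
        raise ValueError("more than four organizational units")
    labelled = [f"CN={common}"] + [f"OU={unit}" for unit in units] + [f"O={org}"]
    if country:
        labelled.append(f"C={country}")
    return "/".join(labelled)


def audit(records, has_country=False):
    """Return (person, value, status, suggestion) for each non-canonical value."""
    findings = []
    for person, value in records:
        status = classify(value)
        if status == "canonical":
            continue
        suggestion = None
        if status == "abbreviated":
            try:
                suggestion = to_canonical(value, has_country)
            except ValueError:
                suggestion = None  # leave for manual review
        findings.append((person, value, status, suggestion))
    return findings


# Constructed sample export: (person, SametimeServer field value).
SAMPLE_RECORDS = [
    ("Domino Admin/ITSOUPG", "CN=upgst/O=ITSOUPG"),
    ("Test User1/ITSOUPG", "upgst/ITSOUPG"),
    ("Test User2/ITSOUPG", ""),
    ("Test User3/ITSOUPG", "upgst.cam.itso.ibm.com"),
    ("Test User4/ITSOUPG", "CN=upgst/ITSOUPG"),
]

if __name__ == "__main__":
    for person, value, status, suggestion in audit(SAMPLE_RECORDS):
        hint = f" -> {suggestion}" if suggestion else ""
        print(f"{person}: {status} ({value!r}){hint}")
```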
Note: The Instant Messaging and Web Conferencing server installation
creates a new Domino Web Server Configuration database and preconfigures
it to use a special Lotus Instant Messaging and Web Conferencing logon form
using SSO, so you do not need to create that database during or after setup.
Lotus Team Workplace server
The following steps briefly describe how to deploy and configure the Lotus
Team Workplace server. For additional details, refer to 4.6, Lotus Team
Workplace server on page 138 and the Team Workplace (QuickPlace) 3.0.1
Installation and Upgrade Guide for Windows. To deploy and configure the Team
Workplace server, complete the following steps:
1. Install Domino 5.0.12 server software on the Team Workplace server
platform.
2. Configure the Team Workplace Domino server (upgqp/ITSOUPG) as an
additional server in the domain.
3. Run the Domino server and verify replication and communications with the
hub server.
4. Shut down the Team Workplace Domino server.
5. Install Team Workplace (QuickPlace) 3.0.1 into the Domino Program
directory:
a. Verify that the installation finds the proper Domino Program directory.
b. When prompted, enter the name and password for a unique Team
Workplace (QuickPlace) administrator.
Important: The Team Workplace (QuickPlace) administrator should be
a unique name that does not exist in any external directory. For
simplicity, we suggest a single word as the user name (for example,
qpadmin) and whatever password you prefer.
6. Restart the Team Workplace Domino server.
7. Modify additional Server document configuration settings (see Figure 5-6):
a. Under the Internet Protocols → HTTP tab:
Change Host name(s) to the fully qualified host name of the server.
Change the Home URL to /QuickPlace.
b. Under the Security tab, verify the Team Workplace (QuickPlace)
security/agent execution settings.
Figure 5-6 Team Workplace server additional configuration settings
8. Create a new database on the Team Workplace server from the Domino Web
Server Configuration (6) template (domcfg5.ntf):
a. Name the database domcfg.nsf (required).
b. Add a Mapping document:
Target Database: quickplace/resources.nsf (from step 2a on
page 141)
Target Form: QuickPlaceLoginForm
9. Create a new Group in the Domino Directory:
Name: QuickPlaceAdministratorsSUGroup
Type: Multi-purpose
Members: Names of administrators (for example, LocalDomainAdmins)
10. Configure Instant Messaging awareness integration with Team Workplace:
a. Create the following directory on the Instant Messaging and Web
Conferencing server:
<domino data dir>\domino\html\QuickPlace\peopleonline
b. Copy the STComm.jar and CommRes.jar files from the Lotus Instant
Messaging and Web Conferencing Java Toolkits:
<domino data dir>\domino\html\sametime\toolkits\st31javatk\bin
c. Copy the PeopleOnline30.jar file from the Team Workplace server:
<domino data dir>\QuickPlace
11. Configure the Team Workplace connection to the Instant Messaging and Web
Conferencing server:
a. Open a browser and navigate to the Team Workplace server.
b. Click the SignIn link and log on as the administrator (step 5b on
page 246).
c. Select Server Settings → Other Options → Edit Options.
Sametime Community Server: URL address of the Instant Messaging and
Web Conferencing server, for example:
http://upgst.cam.itso.ibm.com
Note: Because integration between Team Workplace and Lotus Instant
Messaging and Web Conferencing for online meetings requires both
systems to be using LDAP for authentication, we did not enable this feature
in the pre-upgrade environment. We cover adding that feature after the
upgrade, and it should be consistent with those customers who had the
integration prior to the upgrade.
12. Restart the Team Workplace Domino server.
13. Configure the Team Workplace server settings (see Figure 5-7 on page 245):
a. Open a browser and navigate to the Team Workplace server.
b. Click the SignIn link and log on as the administrator (step 5b on
page 246).
c. Click Server Settings → User Directory → Change Directory:
Type: LDAP Server.
Name: Fully qualified host name of the Domino LDAP server, for
example, upgdom.cam.itso.ibm.com.
Add user credentials for directory access (optional).
Disallow new users.
Figure 5-7 Team Workplace directory configuration
d. Click Next, and then click the Security link.
e. Add Team Workplace AdministratorsSUGroup to the list of administrators.
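Step 10 above copies STComm.jar, CommRes.jar and PeopleOnline30.jar by hand, and section 5.3.1 notes that a product upgrade does not refresh such copies. The following added example (not from the Redbook or IBM) hashes each deployed copy against its source and also lists files in the HTTP-served peopleonline directory that nobody copied there deliberately. The temporary directory tree, placeholder file contents and the notes.tmp file are constructed, and the script assumes both source directories are readable from where it runs.

```python
import hashlib
import tempfile
from pathlib import Path


def sha256_of(path):
    """Hash a file in chunks so large jars do not have to fit in memory."""
    digest = hashlib.sha256()
    with open(path, "rb") as handle:
        for chunk in iter(lambda: handle.read(65536), b""):
            digest.update(chunk)
    return digest.hexdigest()


def check_copied_jars(deployed_dir, sources):
    """Compare hand-copied jars with the copies the upgraded products ship.

    sources maps jar file name -> directory holding the current product copy.
    Returns {file name: status}; status is "ok", "stale", "missing-deployed",
    "missing-source", or "unexpected" (a file that is not listed in sources).
    """
    deployed_dir = Path(deployed_dir)
    report = {}
    for jar_name, source_dir in sources.items():
        source = Path(source_dir) / jar_name
        deployed = deployed_dir / jar_name
        if not source.is_file():
            report[jar_name] = "missing-source"
        elif not deployed.is_file():
            report[jar_name] = "missing-deployed"
        elif sha256_of(source) != sha256_of(deployed):
            report[jar_name] = "stale"
        else:
            report[jar_name] = "ok"
    # The target directory sits under domino\html and is served over HTTP,
    # so anything in it that was not deliberately copied deserves a look.
    if deployed_dir.is_dir():
        for entry in sorted(deployed_dir.iterdir()):
            if entry.is_file() and entry.name not in sources:
                report[entry.name] = "unexpected"
    return report


def build_constructed_layout(root):
    """Create a constructed post-upgrade layout under root (sample data only)."""
    root = Path(root)
    html = root / "imwc" / "domino" / "html"
    toolkit_bin = html / "sametime" / "toolkits" / "st31javatk" / "bin"
    people_online = html / "QuickPlace" / "peopleonline"
    quickplace = root / "teamworkplace" / "QuickPlace"
    for directory in (toolkit_bin, people_online, quickplace):
        directory.mkdir(parents=True)
    # Product copies as they look after the upgrade (contents are placeholders).
    (toolkit_bin / "STComm.jar").write_bytes(b"STComm upgraded build")
    (toolkit_bin / "CommRes.jar").write_bytes(b"CommRes unchanged build")
    (quickplace / "PeopleOnline30.jar").write_bytes(b"PeopleOnline upgraded build")
    # Hand-copied files left over from the original integration.
    (people_online / "STComm.jar").write_bytes(b"STComm old build")
    (people_online / "CommRes.jar").write_bytes(b"CommRes unchanged build")
    (people_online / "notes.tmp").write_bytes(b"leftover")
    sources = {
        "STComm.jar": toolkit_bin,
        "CommRes.jar": toolkit_bin,
        "PeopleOnline30.jar": quickplace,
    }
    return people_online, sources


def run_demo():
    """Run the check against the constructed layout and return the report."""
    with tempfile.TemporaryDirectory() as root:
        people_online, sources = build_constructed_layout(root)
        return check_copied_jars(people_online, sources)


if __name__ == "__main__":
    for name, status in sorted(run_demo().items()):
        print(f"{status:17} {name}")
```

For a 6.5.1 environment, replace the file names and source directories in sources with the ones listed in 4.6, Lotus Team Workplace server.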
Domino Document Manager server
The following steps briefly describe the steps to deploy and configure the Domino
Document Manager server. For additional details, refer to 4.7, Domino
Document Manager server on page 161 and the Domino.Doc 3.1 Installation
Guide. To deploy and configure Domino Document Manager, complete the
following steps:
1. Install Domino 6.0.3 server software on the Domino Document Manager
server platform.
2. Configure the Domino Document Manager Domino server
(upgdoc/ITSOUPG) as an additional server in the domain.
3. Run the Domino server and verify replication and communications with the
hub server.
4. Shut down the Domino Document Manager Domino server.
5. Install Domino Document Manager into the Domino Program directory:
a. Verify that the installation finds the proper Domino Program directory.
b. Verify that the installation finds the proper Domino Data directory.
c. Accept the default domdoc subdirectory for the root installation.
d. Select the Master Server installation.
e. Finish the setup process when the installation is complete.
6. Restart the Domino server.
7. Define the Domino Document Manager administrator or administrators:
a. Create or edit, or both, a group in the Domino Directory called Document
Manager Site Administrators.
b. Insert one or more names or groups into this group for those users who
will have administrator rights to the Domino Document Manager
environment.
Tip: At least one of the Document Manager Site administrators should
be a user who is trusted within the Administration ECL of the Domino
domain. This need not be an actual user and is often just a trusted
authority used to sign applications in a Domino environment.
8. Using the Domino Administrator client with the user ID from one of the
ECL-trusted site administrators, sign all of the Design documents in:
a. All of the databases in the domdoc subdirectory.
b. The six Document Manager template databases in the Data directory:
Document Manager Library (domdoc.ntf)
File Cabinet Template (filecab.ntf)
Document Manager Log (dmlog.ntf)
Document Manager Site Administration (ddadmin.ntf)
Document Manager Transactions (ddmtrans.ntf)
Document Manager Configuration (ddmconfg.ntf)
Figure 5-8 Registry changes to support Notes 6.x access to Domino Document Manager
Restriction: If you are using a Notes 6.x client that was not installed
into the same directory and upgraded from a previous Notes 5.x
installation, you will not be able to access Domino Document Manager
through the Notes client and install the necessary plug-in for full
functionality. If this is the case, you will need to create a registry entry
for Notes 5 to point to the program and data directories of the Notes 6
installation before accessing Domino Document Manager with the
Notes 6 client. See Figure 5-8 for before and after registry snapshots
and refer to the Domino Document Manager forum on the Lotus
Developer Domain for more information.
9. Using a Notes client with a site administrator ID, open the Document Manager
Site Administration database (domdoc\ddadmin.nsf) through the server:
a. Click Create Library.
b. Edit the library name to something short and descriptive (for example,
Upgrade).
Tip: When creating a library, try to keep the name short and do not
include spaces. The name is used to create the library database file
name, which is used to access the library through the Web unless
database links are used.
c. Accept the default display and template options and click Continue.
d. Refer to the Domino.Doc 3.1 Installation Guide for more details, but some
common configuration options on the final window include:
Add users/groups to the Administrator, File Cabinet Creators, or both.
Clear the Foreign SMTP domain field if Domino routes SMTP e-mail.
Verify the server's fully qualified HTTP address.
Enable Lotus Instant Messaging and Web Conferencing integration for
the library.
Enter the fully qualified host name of the Instant Messaging and Web
Conferencing server.
e. Click Finish and wait for the library creation process to complete.
f. Click Done when the library is complete.
g. Define additional settings as necessary (for example, file cabinets, binder
types, and document types).
Note: When you create the first library, you might be prompted with a
message about overwriting the Document Manager Site Administrators
group. If so, allow the document to be overwritten so that the installation
can continue. After it completes, you can modify the group in the
Domino Directory and add any people or group names that were
removed.
10. Modify additional Server document configuration settings (see Figure 5-9 on
page 249):
a. Under the Internet Protocols → HTTP tab:
Change Host name(s) to the fully qualified host name of the server.
Change the Home URL to /domdoc/Upgrade.nsf.
b. Under the Security tab, verify the Domino Document Manager
security/agent execution settings.
Figure 5-9 Domino Document Manager server additional configuration settings
11. Create a new database on the Domino Document Manager server from the
Domino Web Server Configuration (6) template (domcfg5.ntf):
a. Name the database domcfg.nsf (required).
b. Add a Mapping document:
Target Database: domcfg.nsf (from step 11a above)
Target Form: CustomLoginForm
12. Replicate the Sametime Secrets database to the Domino Document Manager
server:
a. Using the administrator account, create a replica of the stauths.nsf
database from the Instant Messaging and Web Conferencing server to the
Domino Document Manager server.
b. In the Domino Directory on the Instant Messaging and Web Conferencing
server, create a replication connection record from the Instant Messaging
and Web Conferencing server to the Domino Document Manager server
specifically for the stauths.nsf database (see Figure 5-4 on page 239).
13. Download and install the Document Manager Desktop Enabler on the server
to support client-side access to the Document Manager API.
14. Restart the Domino Document Manager server.
Client installations
In this section, we show the various additional client applications that may or
may not be installed at customer sites. In our pre-upgrade environment, we
installed all of them on the user machines so that we could demonstrate the
upgrade processes.
Domino Web Access (Figure 5-10):
No special client-side installation is required.
The user mail template must be either iNotes5.ntf, iNotes60.ntf, or
iNotes6.ntf to support the chat feature.
The client only supports the chat features.
The Chat contact list is maintained within the mail database.
Figure 5-10 Pre-upgrade Domino Web Access Chat feature
Instant Messaging (Sametime) Connect client (Figure 5-11 on page 251):
Requires installation of sametimeclient.exe on users' desktops.
The application can be customized using Instant Messaging Client
Packager software.
The application must be downloaded or distributed to users.
The client supports chat and full integration with meeting services.
The Chat contact list is maintained on the Instant Messaging and Web
Conferencing server and can include directory groups.
Figure 5-11 Pre-upgrade Instant Messaging (Sametime) Connect client
- Document Manager Desktop Enabler:
  - Requires installation of ddsetup.exe on users' desktops.
  - The application must be downloaded or distributed to users.
  - The client supports native ODMA interface to desktop applications.
  - The client supports programmable interface to desktop applications, but
    no native interface to the Notes client in the default product.
- Domino Document Manager Controls:
  - Requires installation of ddbindx.exe on users' desktops.
  - The application can be downloaded or distributed, or it can install
    automatically when first entering the Domino Document Manager file
    cabinet with a Notes client.
  - The client supports ActiveX and other features for a Notes client within
    Domino Document Manager, but is not otherwise visible on user desktops.
5.4.2 Upgrading the Domino server: All products
Because each product upgrade will require an upgrade to the underlying Domino
server on which it resides, it is important to carefully examine your Domino
infrastructure prior to upgrading. It is beyond the scope of this book to cover all of
the implications; refer to the IBM Redbook Upgrading to Lotus Notes and Domino
6, SG24-6889, for specific details and best practices for upgrading Domino
servers to Version 6.
5.4.3 Upgrading the Domino hub/mail server and clients
Because our hub/mail server is starting from Release 6.0.3 and because we
have no unique customizations to preserve, the upgrade process is relatively
simple. The basic steps for upgrading a Domino mail server and clients are:
1. Upgrade the Domino server to 6.5.1.
2. Enable chat and awareness in Domino Web Access (optional).
3. Upgrade the Notes clients.
Domino server upgrade
The actual Domino server software upgrade follows the same process as a new
installation. To upgrade the Domino server, complete the following steps:
1. Ensure that the Microsoft Windows operating system will support Domino
6.5.1.
2. Shut down the Domino server.
3. Reset the Lotus Domino service from Automatic to Manual.
4. Restart the Windows server.
5. Run the Domino setup program from a CD or local or mapped network drive.
6. Verify that the installation finds the existing Domino server program and
directories and will install into those same directories.
7. Select the Enterprise Server and complete the installation.
8. When complete, install the Domino 6.5.1 Server Interim Fix 1.
9. Start the Domino server.
10. From the server console, update the databases from the new templates:
load design
11. Verify that clients can access the upgraded server and that replication and
mail routing are working properly.
12. Reset the Lotus Domino service from Manual to Automatic.
13. Shut down the Domino server.
14. Restart the Windows server.
Note: Although only required for Lotus Instant Messaging and Web
Conferencing and Team Workplace, we installed Interim Fix 1 on all of the
Domino servers for consistency.
Enabling chat and awareness in Domino Web Access
After the Domino server has been upgraded, but before the Notes clients can be
upgraded, you need to perform an additional step to prepare for the Notes client
and Domino Web Access integration with Instant Messaging and Web
Conferencing. This step is required if you want to enable the new Notes client
and Domino Web Access 6.5.1 awareness features and if you want to prevent the
loss of existing iNotes Web Access features. The process is described in detail
for a purely 6.5.1 installation in 4.5, Domino Web Access configuration on
page 126 and also in 5.4.7, Post-upgrade Lotus Instant Messaging integration
on page 273 for an upgrade process. In summary, the process involves the
following steps:
1. Define the Instant Messaging and Web Conferencing server for users
(required).
2. Disable the use of Sametime Secrets database in favor of SSO (optional).
3. Copy files between Instant Messaging and Web Conferencing server and
upgraded Domino Web Access servers (required).
Upgrading Notes clients
After the Domino mail servers have been upgraded and prepared for Lotus
Instant Messaging and Web Conferencing integration, you can then upgrade the
Notes clients. If you want to enable new Domino Web Access integration
features, you will need to upgrade the mail template. This can be done as part of
the client upgrade or prior to it. If you upgrade the template before upgrading the
client, you will not have the new client integration features. For users who were
not already using the Domino Web Access 6 mail template (iNotes6.ntf), you can
upgrade them in different ways:
- Individually from the server console:
  load convert -u mail\filename.nsf * iNotes6.ntf
- All at once from the server console:
  load convert -u mail\*.nsf * iNotes6.ntf
- Using Upgrade-by-mail to update client software and mail database.
- Using seamless mail upgrade with or without the Smart Upgrade process.
Note: The Smart Upgrade process can only be used for Notes clients already
running Notes 6.x, but the seamless mail upgrade can be applied regardless
of the user's Notes client prior to the upgrade to 6.5.1.
There is one significant change that occurs with Domino Web Access when the
mail server is upgraded to Domino 6.5.1 and that is the apparent loss of the Chat
menu option shown in Figure 5-10 on page 250 (see Figure 5-12).
Figure 5-12 Post-upgrade loss of Chat option in Domino Web Access
When users return to their e-mail through Domino Web Access, this feature is
now temporarily disabled and must be reenabled manually. To do this, select
Preferences, select the Other tab, and then select the check box to enable all
features supported through Instant Messaging. See Figure 5-13.
Figure 5-13 Post-upgrade Domino Web Access preference to enable Instant Messaging
After you save the preferences and refresh the browser, both the Chat menu
option and online awareness should be fully activated. See Figure 5-14.
Figure 5-14 Post-upgrade Domino Web Access awareness
Note: Domino Web Access 6.5.1 uses GZIP compression to improve
performance for Internet clients. However, there is a known error arising from
certain cumulative security patches with Microsoft Internet Explorer 6 that
causes the error shown in Figure 5-15 when you attempt to open views or
folders that are not empty. You can avoid this error by disabling GZIP
compression with the following Notes.ini setting on each Domino Web Access
server:
iNotes_WA_GZIP_Disable=1
Refer to the Lotus Domino Administrator 6.5.1 Help database for additional
information about managing GZIP compression and the related performance
implications.
Refer to Technotes 1155029 and 1162697 for additional information about the
problems with Internet Explorer and other possible corrective measures
available from Microsoft.
Figure 5-15 Internet Explorer GZIP compression error
When the Notes 6.5.1 client is installed or upgraded from a previous version, it
has the ability to support native online awareness. This is activated when the
client is first launched after the upgrade or installation. The client setup process
will prompt for an Instant Messaging and Web Conferencing server to provide the
awareness features. If an Instant Messaging and Web Conferencing server is
already installed, and if the user already has an Instant Messaging and Web
Conferencing server assigned to their Person document (see Lotus Instant
Messaging and Web Conferencing server on page 239), the server name will be
filled in for the user, and the setup process will configure the awareness settings
for the user. If an Instant Messaging and Web Conferencing server is not
available during the client upgrade, you will have to configure the awareness
features after it is installed (see 5.4.7, Post-upgrade Lotus Instant Messaging
integration on page 273). After the client and mail template are upgraded, the
mail database will show online awareness even with the earlier version of the
Instant Messaging and Web Conferencing server (see Figure 5-16).
Figure 5-16 Post-upgrade Notes 6.5.1 client awareness
5.4.4 Upgrading the Lotus Team Workplace server
For additional details about upgrading Team Workplace (formerly QuickPlace)
servers to Version 6.5.1, refer to the Team Workspace 6.5.1 Installation and
Upgrade Guide, available from the Lotus Developer Domain. The basic steps
involved in a Team Workplace server upgrade are:
1. Upgrade the Team Workplace Domino server.
2. Install the Team Workplace 6.5.1 server.
3. Upgrade the design of all databases.
4. Upgrade the Places and Place Types.
5. Register the Places with the Place Catalog.
Upgrading the Team Workplace Domino server
As described in 5.2.2, Lotus Team Workplace upgrade on page 226, a Team
Workplace (QuickPlace) 2.0.8 or later server can be upgraded directly to 6.5.1 if
it is currently installed as an overlay to an installed Domino server. If upgrading a
pre-2.0.8 release or a stand-alone installation of Team Workplace (QuickPlace),
or if upgrading a cluster of Team Workplace (QuickPlace) servers, refer to the
Team Workspace 6.5.1 Installation and Upgrade Guide for additional upgrade
instructions.
Because no previous versions of Team Workplace (QuickPlace) run on 6.x
versions of Domino, upgrading the Team Workplace (QuickPlace) server will first
require a version upgrade to the Domino server. However, because the Domino
infrastructure already contains other 6.x servers, and because this server is
typically dedicated to Team Workplace (QuickPlace), this upgrade should be
relatively simple to perform. Refer to the IBM Redbook Upgrading to Lotus Notes
and Domino 6, SG24-6889, for specific details and best practices for upgrading
Domino servers to Version 6.
Notes: If upgrading from a 2.0.8 or 2.0.9 version of Team Workplace
(QuickPlace), any defined superuser accounts must be upgraded after the
server is upgraded; otherwise, they will not have the same access.
If upgrading a Team Workplace (QuickPlace) server that supported offline use,
users will need to reinstall their offline Places after the upgrade. Users should
also delete any PC references to Lotus iNotes, because they have become
obsolete and have been replaced by the Domino Web Access Sync Manager.
Other than special steps required for upgrading from 5.0.12 to 6.x, the process of
upgrading the Team Workplace (QuickPlace) Domino server is nearly the same
as the process for upgrading the mail/hub server described in 5.4.3, Upgrading
the Domino hub/mail server and clients on page 252. The basic process is:
1. Ensure that the Windows operating system will support Domino 6.5.1.
2. If any Places are set up for offline use, ensure that all such Places are
synchronized with all offline users before upgrading.
3. Shut down the Domino server.
4. Reset the Lotus Domino service from Automatic to Manual.
5. Restart the Windows server.
6. Run the Domino setup program from a CD or local or mapped network drive.
7. Verify that the installation finds the existing Domino server program and
directories and will install into those same directories.
8. Select the Enterprise Server and complete the installation.
9. When complete, install the Domino 6.5.1 Server Interim Fix 1.
10. Restart the Windows server.
The only substantial difference is that you should not restart the upgraded
Domino server until you install the new version of Team Workplace. If you do, you
might receive errors on the server console indicating missing files. When you
shut down the server, upgrade Team Workplace, and restart, those errors should
disappear.
Installing the Team Workplace 6.5.1 server
The second step of upgrading an overlay installation of a 2.0.8 or later version of
Team Workplace (QuickPlace) is the actual installation of the new Team
Workplace 6.5.1 server. The process continues from the end of the previous
Domino server upgrade:
1. Stop the Domino server if it is running.
2. Run the Team Workplace 6.5.1 server setup program.
3. Accept the license agreement, and then click Next to continue.
4. Verify that the installation finds the correct Domino Program directory.
5. Verify that the installation recognizes the installation as an upgrade (see
Figure 5-17 on page 260):
- It should indicate an upgrade to 6.5.1.
- It should indicate the correct Domino Program directory.
- It should indicate the correct Domino Data directory.
Click Next to copy files to the Domino server.
Figure 5-17 Team Workplace upgrade confirmation window
6. Click Next and then Finish to complete the Team Workplace installation.
7. Reset the Lotus Domino service from Manual to Automatic.
8. Restart the Domino server.
9. When prompted, accept the upgrade to the Domino Directory.
Upgrading the design of all databases
Using the QPTool utility, enter the following command at the Domino server
console (see Example 5-1):
load qptool upgrade -server
Example 5-1 Using QPTool at the server console to upgrade database designs
>load qptool server -upgrade
05/10/2004 10:57:28 AM JVM: Java Virtual Machine initialized.
05/10/2004 10:57:31 AM Upgrade: Started.
05/10/2004 10:57:31 AM Database Designer started
...
05/10/2004 11:00:47 AM Database Designer shutdown
05/10/2004 11:00:48 AM Upgrade: Finished.
05/10/2004 11:00:48 AM qptool: writing file: qptool.upgrade.xml
05/10/2004 11:00:48 AM qptool: command finished: upgrade
This command performs a detailed design update on the server and all of the
Team Workplace databases. Depending on the size and number of your Team
Workplaces, this can take some time to complete. When complete, the server
console will indicate that the process has finished, and the QPTool utility will create
an XML file (qptool.upgrade.xml) indicating the results of the update. The XML
file will be in the format shown in Example 5-2.
Example 5-2 XML format after QPTool design update
<?xml version="1.0"?>
<service>
  <servers>
    <server>
      <hostname>hostname</hostname>
      <places />
      <placetypes />
      <action_status action="upgrade">
        <code>action code (0 if successful)</code>
        <message>error message (if an error)</message>
      </action_status>
    </server>
  </servers>
</service>
Upgrading the Places and PlaceTypes
Using the QPTool utility, enter the following command at the Domino server
console (see Example 5-3):
load qptool upgrade -a
Example 5-3 Using QPTool at the server console to upgrade Places and PlaceTypes
>load qptool server -a
05/10/2004 11:23:42 AM JVM: Java Virtual Machine initialized.
05/10/2004 11:23:45 AM qptool: processing place: upgrade
05/10/2004 11:23:58 AM qptool: processing placetype: h_StdPlaceType
05/10/2004 11:23:58 AM qptool: writing file: qptool.upgrade.xml
05/10/2004 11:23:58 AM qptool: command finished: upgrade
This command upgrades all of the existing Team Workplace Places and
PlaceTypes on the server. Depending on the size and number of your Team
Workplaces, this can take some time to complete. When complete, the server
console will indicate that the process has finished, and the QPTool utility will
overwrite the existing XML file (qptool.upgrade.xml) indicating the results of the
update. The XML file will be in the format shown in Example 5-4 on page 262.
Example 5-4 XML format after QPTool Place/PlaceType upgrade
<?xml version="1.0"?>
<service>
  <servers>
    <server>
      <hostname>hostname</hostname>
      <places>
        <place>
          <name>placename</name>
          <action_status action="upgrade">
            <code>action code (0 if successful)</code>
            <message>error message (if an error)</message>
          </action_status>
        </place>
      </places>
      <placetypes />
    </server>
  </servers>
</service>
Registering the Places with the Place Catalog
Using the QPTool utility, enter the following command at the Domino server
console (see Example 5-5):
load qptool register -a -placecatalog
Example 5-5 Using QPTool at the server console to register Places in the Place Catalog
>load qptool register -a -placecatalog
05/10/2004 12:09:31 PM JVM: Java Virtual Machine initialized.
05/10/2004 12:09:38 PM qptool: processing place: upgrade
05/10/2004 12:09:43 PM qptool: writing file: qptool.register.xml
05/10/2004 12:09:43 PM qptool: command finished: register
This command registers all of the existing Team Workplace Places and
PlaceTypes on the server into the central Place Catalog. Depending on the size
and number of your Team Workplaces, this can take some time to complete.
When complete, the server console will indicate that the process has finished, and
the QPTool utility will create a new XML file (qptool.register.xml) indicating the
results of the update. The XML file will be in the format shown in Example 5-6 on
page 263.
Example 5-6 XML format after QPTool registration of Places in Place Catalog
<?xml version="1.0"?>
<service>
  <servers>
    <server>
      <hostname>hostname</hostname>
      <places>
        <place>
          <name>placename</name>
          <action_status action="registerInPlaceCatalog">
            <code>action code (0 if successful)</code>
            <message>error message (if an error)</message>
          </action_status>
        </place>
      </places>
    </server>
  </servers>
</service>
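The console only reports that each QPTool command finished; whether every Place actually upgraded or registered is recorded in the action codes inside qptool.upgrade.xml and qptool.register.xml. The following script is an added example, not part of the Redbook or of QPTool, that reads those files in the formats of Examples 5-2, 5-4, and 5-6 and lists every status whose code is not 0. The sample data is constructed, and the `<placetype>` child element name is an assumption, because the guide only shows an empty `<placetypes />` element.

```python
"""Check QPTool result files (qptool.upgrade.xml, qptool.register.xml) for failures."""
import sys
import xml.etree.ElementTree as ET

# Constructed sample in the layout of Example 5-4; host and Place names are made up.
SAMPLE_XML = """<?xml version="1.0"?>
<service>
  <servers>
    <server>
      <hostname>teamplace.example.com</hostname>
      <places>
        <place>
          <name>projectalpha</name>
          <action_status action="upgrade">
            <code>0</code>
          </action_status>
        </place>
        <place>
          <name>financeroom</name>
          <action_status action="upgrade">
            <code>1</code>
            <message>constructed error text</message>
          </action_status>
        </place>
      </places>
      <placetypes />
    </server>
  </servers>
</service>
"""


def _record(host, scope, name, status):
    """Build one result row; `status` is an <action_status> element or None."""
    code, action, message = None, "", "no action_status recorded"
    if status is not None:
        action = status.get("action", "")
        message = (status.findtext("message") or "").strip()
        try:
            code = int((status.findtext("code") or "").strip())
        except ValueError:
            code = None  # missing or non-numeric code is treated as a failure
    return {"host": host, "scope": scope, "name": name, "action": action,
            "code": code, "message": message, "ok": code == 0}


def parse_results(xml_text):
    """Return one row per server, Place or PlaceType status in a QPTool result file."""
    if "<!DOCTYPE" in xml_text:
        # The result files shown in the guide carry no DTD, so refuse one outright.
        raise ValueError("unexpected DOCTYPE in QPTool result file")
    rows = []
    for server in ET.fromstring(xml_text).iter("server"):
        host = (server.findtext("hostname") or "").strip()
        # Server-level status, as written after the design upgrade (Example 5-2).
        for status in server.findall("action_status"):
            rows.append(_record(host, "server", host, status))
        # Per-Place status (Examples 5-4 and 5-6). The <placetype> child name is an
        # assumption: the guide only shows an empty <placetypes /> element.
        for path, scope in (("places/place", "place"),
                            ("placetypes/placetype", "placetype")):
            for item in server.findall(path):
                name = (item.findtext("name") or "").strip()
                statuses = item.findall("action_status") or [None]
                rows.extend(_record(host, scope, name, s) for s in statuses)
    return rows


def failed(rows):
    """Rows whose action code is anything other than 0."""
    return [r for r in rows if not r["ok"]]


def main(paths):
    texts = []
    for path in paths:
        with open(path, encoding="utf-8") as handle:
            texts.append(handle.read())
    rows = [r for text in (texts or [SAMPLE_XML]) for r in parse_results(text)]
    for r in failed(rows):
        print(f"FAILED {r['host']} {r['scope']} {r['name']!r} "
              f"action={r['action']} code={r['code']} {r['message']}")
    print(f"{len(rows) - len(failed(rows))} of {len(rows)} statuses succeeded")
    # An empty result set is not proof of success, so it also returns non-zero.
    return 0 if rows and not failed(rows) else 1


if __name__ == "__main__":
    sys.exit(main(sys.argv[1:]))
```

Because the upgrade run with -a overwrites qptool.upgrade.xml, check the file after each QPTool command rather than once at the end.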
5.4.5 Upgrading the Domino Document Manager server
For additional details about upgrading Domino Document Manager servers to
Version 6.5.1, refer to the Document Manager 6.5.1 Installation Guide, available
from the Lotus Developer Domain. The basic steps involved in a Domino
Document Manager (Domino.Doc) upgrade are:
1. Upgrade the Domino Document Manager (Domino.Doc) Domino server for
the master server.
2. Install the Domino Document Manager 6.5.1 server.
3. Upgrade the design of the Domino Document Manager databases.
4. If using ODMA, upgrade the Desktop Enabler on the server and all users.
5. Repeat these steps for each Domino Document Manager (Domino.Doc)
Replica server (if any).
For the purpose of this upgrade example, we are only considering a Domino
Document Manager infrastructure with a single master server. Refer to the
Document Manager 6.5.1 Installation Guide for additional instructions for
upgrading multiple master-replica Domino Document Manager servers.
Upgrading the Domino Document Manager Domino server
As described in 5.2.4, Domino Document Manager upgrade on page 227, only
a Domino Document Manager (Domino.Doc) 3.1 server can be upgraded directly
to 6.5.1. If upgrading a pre-3.1 release of Domino Document Manager
(Domino.Doc), refer to the Document Manager 6.5.1 Installation Guide for
additional upgrade instructions.
If upgrading Domino from 5.0.12, the same upgrade considerations apply as
those when upgrading the Team Workplace (QuickPlace) server. However,
because our sample scenario is using Domino 6.0.3, the upgrade to 6.5.1 is very
simple. Refer to the IBM Redbook Upgrading to Lotus Notes and Domino 6,
SG24-6889, for specific details and best practices for upgrading 5.x Domino
servers to Version 6.
Other than the special steps required for upgrading from 5.0.12 to 6.x, the
process of upgrading the Domino Document Manager (Domino.Doc) Domino
server is nearly the same as the process for upgrading the mail/hub server
described in 5.4.3, Upgrading the Domino hub/mail server and clients on
page 252. The basic process is:
1. Ensure that the Windows operating system will support Domino 6.5.1.
2. Shut down the Domino server.
3. Reset the Lotus Domino service from Automatic to Manual.
4. Restart the Windows server.
5. Run the Domino setup program from a CD or local or mapped network drive.
6. Verify that the installation finds the existing Domino server program and
directories and will install into those same directories.
7. Select the Enterprise Server and complete the installation.
8. When complete, install the Domino 6.5.1 Server Interim Fix 1.
Important: Domino Document Manager 6.5.1 can be installed on a Domino
server running 5.0.12, 6.0.3, 6.5, or 6.5.1. Therefore, Domino Document
Manager can be upgraded to 6.5.1 before the Domino server upgrade, and
this is the recommended procedure if you are not planning to upgrade the
Domino server for some period of time. However, we recommend that you
upgrade both products together, and therefore, we upgraded the Domino
server before Domino Document Manager (Domino.Doc) for consistency.
9. Start the Domino server.
10. If upgrading from 5.0.12, accept the upgrade to the Domino Directory.
Installing the Domino Document Manager 6.5.1 server
The second step of upgrading a Domino Document Manager (Domino.Doc)
server is the actual installation of the new Domino Document Manager 6.5.1
server. If you have made any changes to the original installation directories or
any customizations to the default templates, you will need to perform additional
steps to protect and back up those changes and reapply them after the server
upgrade. Refer to the Document Manager 6.5.1 Installation Guide for specific
instructions and best practices for upgrading under those conditions. Our
process describes upgrading a Domino Document Manager (Domino.Doc)
server based on the standard installation and use of all standard templates. The
process continues from the end of the previous Domino server upgrade:
1. If there are other Domino Document Manager (Domino.Doc) replica servers:
a. Replicate with them:
replicate replicaservername
b. Shut down all replica servers.
2. Restrict user access to the Domino server:
set config server_restricted=2
3. Stop the Domino server and any Notes clients running on the server.
4. Run the Domino Document Manager 6.5.1 server setup program.
5. Accept the license agreement, and then click Next to continue.
6. Verify that the installation finds the correct directories:
- It should indicate the correct Domino Program directory.
- It should indicate the correct Domino Data directory.
- It should indicate the correct Domino Document Manager root directory.
7. Verify that the installation recognizes the installation as an upgrade, as shown
in Figure 5-18 on page 266.
Note: Although only required for Lotus Instant Messaging and Web
Conferencing and Team Workplace, we installed Interim Fix 1 on all of the
Domino servers for consistency.
Figure 5-18 Domino Document Manager upgrade confirmation window
8. Click Yes to accept the upgrade.
9. Click Next to copy files to the Domino server.
10. Click OK to open the Release Notes, and then close the Release Notes.
11. Click Finish to close the installation program.
Upgrading the design of Document Management databases
Installing the new Domino Document Manager server software does not
automatically update the design of any existing libraries or file cabinets on the
server. The following procedure outlines the steps required to upgrade those
designs on your servers:
1. Start the Domino Document Manager Domino server.
2. Ensure that you are not preventing design updates on any of the Domino
Document Manager databases with the setting Prohibit design replace or
refresh to modify.
3. If you had customizations in the old templates, copy any customizations from
the backed up templates into the new 6.5.1 templates.
Note: When the installation detects an upgrade, it first copies and renames
(as *.1tf) the six Document Manager templates into a backup directory in
case you need to recover any customizations you might have made. In our
case, the backup directory was labeled ddbu350 in the Data directory, for
example:
D:\Lotus\Domino\Data\ddbu350
Important: Do not open the Document Manager Site Administration database
(ddadmin.nsf) until the database designs have been upgraded from the new
Document Manager templates.
4. Sign the new Domino Document Manager templates and documentation
databases with a user ID of one of the Document Manager Site administrators
(see Figure 5-9 on page 249).
5. If you were using custom templates, you will have to upgrade them from the
new templates before you can upgrade the Document Manager databases.
6. Update the database designs from the server console:
load design
7. Open the Document Manager Site Administration database (ddadmin.nsf),
and the upgrade will proceed automatically.
8. Click Done when the process is complete. See Figure 5-19.
Figure 5-19 Domino Document Manager server upgrade completion window
9. Reset the Domino server for user access:
set config server_restricted=0
10. Reset the Lotus Domino service from Manual to Automatic.
11. Restart the Domino server.
When the final Domino Document Manager server upgrade process completed,
an e-mail was sent to the administrator performing the upgrade with information
about the status of the upgrade, as shown in Figure 5-20 on page 268.
Figure 5-20 Domino Document Manager site upgrade status report
In addition to the overall site status report, Domino Document Manager also
provides an agent to verify the status of file cabinets, as shown in Figure 5-21.
Figure 5-21 Domino Document Manager file cabinet status button
The result of the agent verification is another e-mail status report sent to the user
requesting the information, as shown in Figure 5-22 on page 269.
Figure 5-22 Domino Document Manager file cabinet status report
If the upgrade process did not work properly for a particular database, the
administration Upgrade Profile can be copied to that database, and then an
Upgrade Agent can be executed to perform the upgrade manually. Refer to
the Document Manager 6.5.1 Installation Guide for additional information.
Upgrade the Desktop Enabler
If the pre-upgrade Domino Document Manager (Domino.Doc) server supported
ODMA connections through the Desktop Enabler API, the Desktop Enabler
application must be upgraded on the server and all clients who have the previous
version installed. Clients will not be able to access the Domino Document
Manager server through previous versions of the Desktop Enabler. See 5.4.8,
Post-upgrade Domino Document Manager integration on page 288 for Desktop
Enabler installation instructions.
5.4.6 Upgrading Instant Messaging and Web Conferencing server
For additional details about upgrading Lotus Instant Messaging and Web
Conferencing (Sametime) servers to Version 6.5.1, refer to the Instant
Messaging and Web Conferencing 6.5.1 Installation Guide for Windows,
available from the Lotus Developer Domain. In our sample upgrade, we upgrade
from a Lotus Instant Messaging and Web Conferencing (Sametime) 3.1 server,
because it supports the pre-upgrade integration features and coexistence issues
described previously. If you are upgrading from an earlier release of Sametime,
refer to the installation guide for additional information.
The basic steps involved in a Lotus Instant Messaging and Web Conferencing
(Sametime) 3.1 upgrade are:
1. Upgrade the Lotus Instant Messaging and Web Conferencing (Sametime)
Domino server.
2. Install the Lotus Instant Messaging and Web Conferencing 6.5.1 server.
Upgrading the Lotus Instant Messaging and Web
Conferencing Domino server
As described in 5.2.5, Lotus Instant Messaging and Web Conferencing upgrade
on page 227, a Lotus Instant Messaging and Web Conferencing (Sametime) 2.0
or later server can be upgraded directly to 6.5.1. If upgrading a pre-2.0 release of
Instant Messaging and Web Conferencing (Sametime), you must first upgrade to
a higher release before upgrading to 6.5.1.
Because previous versions of Lotus Instant Messaging and Web Conferencing
(Sametime) run on both 5.x and 6.x versions of Domino, upgrading the Instant
Messaging and Web Conferencing (Sametime) server might first require a
version upgrade to the Domino server. However, because the Domino
infrastructure already contains other 6.x servers, and because this server is
typically dedicated to Instant Messaging and Web Conferencing, an upgrade
from 5.x should be relatively simple to perform. Refer to the IBM Redbook
Upgrading to Lotus Notes and Domino 6, SG24-6889, for specific details and
best practices for upgrading Domino servers to Version 6. For our sample
upgrade, the Instant Messaging and Web Conferencing server is running on
Domino 6.0.2CF2, so the Domino upgrade does not involve a version change.
Other than the special steps required for upgrading from 5.x to 6.x, the process of
upgrading the Lotus Instant Messaging and Web Conferencing Domino server is
nearly the same as the process for upgrading the mail/hub server described in
5.4.3, Upgrading the Domino hub/mail server and clients on page 252. The
basic process is:
1. Ensure that the Windows operating system will support Domino 6.5.1.
2. Shut down the Domino server.
3. Reset the Lotus Domino service from Automatic to Manual.
4. Restart the Windows server.
5. Run the Domino setup program from a CD or local or mapped network drive.
6. Verify that the installation finds the existing Domino server program and
directories and will install into those same directories.
7. Select the Enterprise Server and complete the installation.
8. When complete, install the Domino 6.5.1 Server Interim Fix 1.
9. Disable the Instant Messaging and Web Conferencing server:
a. Edit the server Notes.ini file.
b. Find the line that begins ServerTasks=.
c. Remove the STAddin task from the line.
d. Save and close the file.
10. Launch the Lotus Instant Messaging and Web Conferencing Domino server.
11. When prompted, accept the upgrade to the Domino Directory.
12. When the server upgrade processing is complete, stop the Domino server.
13. Restart the Windows server.
Installing the Lotus Instant Messaging and Web Conferencing
6.5.1 server
The second step of upgrading a 3.1 version of Lotus Instant Messaging and Web
Conferencing (Sametime) is the actual installation of the new Lotus Instant
Messaging and Web Conferencing 6.5.1 server. The process continues from the
end of the previous Domino server upgrade:
1. Stop the Domino server if it is running.
2. Enable the Instant Messaging and Web Conferencing server:
a. Edit the server Notes.ini file.
b. Find the line that begins ServerTasks=.
c. Add the STAddin task back to the end of the line.
d. Save and close the file.
3. Run the Lotus Instant Messaging and Web Conferencing 6.5.1 server setup
program.
4. Accept the license agreement, and then click Next to continue.
5. Verify that the installation finds the correct Domino Program directory.
6. Verify that the installation recognizes the installation as an upgrade:
a. It should indicate a server upgrade, as shown in Figure 5-23 on page 272.
Figure 5-23 Instant Messaging and Web Conferencing upgrade confirmation window
b. It should indicate the correct Domino Program directory, as shown in
Figure 5-24.
Figure 5-24 Instant Messaging and Web Conferencing upgrade installation directory
7. Click Next to copy files to the Domino server.
8. After the files are installed, configure the Lotus Instant Messaging and Web
Conferencing settings:
a. When prompted, browse to and select the Domino server ID.
b. When prompted, do not select tunneling on port 80.
9. Install the Lotus Instant Messaging and Web Conferencing 6.5.1 Java Toolkit,
if available.
10. Reset the Lotus Domino service from Manual to Automatic.
11. Restart the Domino server.
12. Apply or update, or both, the post-upgrade integration settings.
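Both procedures above edit the ServerTasks= line of the server Notes.ini by hand, first removing STAddin and later adding it back to the end of the line. The following helper is an added example, not IBM-supplied code, that makes the same edit repeatably: it leaves every other line untouched, does nothing if the task is already in the requested state, and keeps a backup copy. The sample Notes.ini content, the ServerTasksAt1 line, and the .bak file name are constructed for illustration.

```python
"""Add or remove a task on the ServerTasks= line of a Domino server Notes.ini."""
import re
import shutil

# Constructed Notes.ini excerpt; the path and task lists are sample values.
SAMPLE_INI = (
    "[Notes]\r\n"
    "Directory=D:\\Lotus\\Domino\\Data\r\n"
    "ServerTasks=Update,Replica,Router,AMgr,AdminP,HTTP,STAddin\r\n"
    "ServerTasksAt1=Catalog,Design\r\n"
)

# Matches only the ServerTasks key itself, not scheduled variants such as
# ServerTasksAt1, which must be left alone.
_SERVER_TASKS = re.compile(r"^(\s*ServerTasks\s*=)(.*)$", re.IGNORECASE)


def _locate(ini_text):
    """Return (lines, index, match) for the single ServerTasks= line."""
    lines = ini_text.splitlines(keepends=True)
    hits = [(i, _SERVER_TASKS.match(line.rstrip("\r\n")))
            for i, line in enumerate(lines)]
    hits = [(i, m) for i, m in hits if m]
    if len(hits) != 1:
        raise ValueError(f"expected one ServerTasks= line, found {len(hits)}")
    return lines, hits[0][0], hits[0][1]


def server_tasks(ini_text):
    """List the tasks currently named on the ServerTasks= line."""
    _, _, match = _locate(ini_text)
    return [t.strip() for t in match.group(2).split(",") if t.strip()]


def set_server_task(ini_text, task, enabled):
    """Return ini_text with `task` present (enabled=True) or absent (enabled=False)."""
    lines, index, match = _locate(ini_text)
    tasks = [t.strip() for t in match.group(2).split(",") if t.strip()]
    present = any(t.lower() == task.lower() for t in tasks)
    if present == enabled:
        return ini_text  # already in the requested state; change nothing
    if enabled:
        tasks.append(task)  # the guide adds the task back at the end of the line
    else:
        tasks = [t for t in tasks if t.lower() != task.lower()]
    body = lines[index].rstrip("\r\n")
    eol = lines[index][len(body):]  # keep the file's own line ending
    lines[index] = match.group(1) + ",".join(tasks) + eol
    return "".join(lines)


def update_notes_ini(path, task, enabled):
    """Edit Notes.ini in place, keeping a .bak copy. Run with the Domino server stopped."""
    # latin-1 maps every byte to one character, so unrelated lines round-trip
    # unchanged whatever code page the file uses; newline="" preserves CRLF.
    with open(path, "r", encoding="latin-1", newline="") as handle:
        original = handle.read()
    updated = set_server_task(original, task, enabled)
    backup = path + ".bak"
    shutil.copy2(path, backup)
    with open(path, "w", encoding="latin-1", newline="") as handle:
        handle.write(updated)
    return backup


if __name__ == "__main__":
    disabled = set_server_task(SAMPLE_INI, "STAddin", False)
    print(server_tasks(disabled))
    print(server_tasks(set_server_task(disabled, "STAddin", True)))
```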
Notes:
When upgrading a previous Instant Messaging and Web
Conferencing (Sametime) server, you are not prompted to choose
the method of directory authentication (Domino versus LDAP),
because the upgrade will retain the previous selection. Refer to
5.4.9, Converting from native Domino to Domino LDAP
authentication on page 289 for instructions about how to switch
directories after the upgrade.
Although you can enable/disable tunneling during the upgrade, we
chose not to enable it because the 3.1 release did not use it. Refer
to 5.4.7, Post-upgrade Lotus Instant Messaging integration on
page 273 for instructions about how to switch this option after the
upgrade and for the special workaround to enable awareness in
Domino Web Access when tunneling is in use.
Important: At the time of writing this book, the 6.5.1 Java Toolkit was not
yet available. Until it is, you can use files from the 3.1 Java Toolkit to
achieve integration with other products. However, you should not install the 3.1
Java Toolkit on the Lotus Instant Messaging and Web Conferencing 6.5.1
server. If it is there from before the upgrade, that is fine. Otherwise, you will
need to extract the relevant files offline.
5.4.7 Post-upgrade Lotus Instant Messaging integration
In this chapter, we focus on the process of upgrading the Extended Products to
6.5.1, and we start with an existing environment where the previous versions of
the products were already integrated in some form. The upgrade process so far
has been designed to maintain as much of that integration as possible during the
upgrade. In this section, we now cover any remaining tasks that should be
implemented to fully integrate the new Lotus Instant Messaging and Web
Conferencing 6.5.1 features into the other products. For information about
integrating new installations, refer to Chapter 4, New Domino installation on
page 85.
Desktop client
If you previously deployed an earlier version of the Lotus Instant Messaging and
Web Conferencing (formerly called Sametime) Connect desktop client, you
should still be able to use it when connecting to the new Lotus Instant Messaging
and Web Conferencing 6.5.1 servers; however, it will not support any of the new
features available with the new version. Therefore, you do not need to rush to
deploy the new Connect client, but you can begin to deploy new versions and
upgrades as needed.
If you previously used the SametimeClientPackager tool to customize the
deployment of the Connect client, that tool is also available with the 6.5.1 server,
but you will need to recreate your customizations from the new baseline 6.5.1
Connect client before deploying it. As with previous versions of Lotus Instant
Messaging and Web Conferencing (Sametime), you can still customize the links
from the Lotus Instant Messaging and Web Conferencing home page to replace
the default Connect client with your customized version. However, there is no
automated process provided with Lotus Instant Messaging and Web
Conferencing 6.5.1 for upgrading the Connect clients already installed on your
client workstations. Therefore, unless you have some other method of updating
software on your client workstations, your users will have to reinstall the Connect
client on their workstations to upgrade to the new version.
As described in 5.2.5, Lotus Instant Messaging and Web Conferencing upgrade
on page 227, there are issues related to AOL Instant Messaging and new versus
upgraded installations of the 6.5.1 Connect client. Specifically, the new client is
designed to not support AOL Instant Messaging. However, upgrades to existing
clients retain that functionality. If you want to remove AOL Instant Messaging
from the upgrades, you will need to remove four files (aimui.dll, aim.ocx,
aimbase.ocx, and aimui.ocx) from the Connect client installation directory.
Conversely, if you want to enable AOL Instant Messaging in new Connect client
installations, you need only copy those files into the Connect client installation
directory.
When upgrading an existing Connect client installation to 6.5.1, be sure to install
to the same directory as the previous installation so that you retain any local files
and settings that might have been created (for example, local chat transcripts
and local preferences). If you want to remove the Connect client, go to the
Windows Add/Remove programs option in Control Panel and select the Lotus
Instant Messaging and Web Conferencing Connect client to remove it. Note that
this will not remove the AOL Instant Messaging files, so they will still function if
you reinstall to the same location. To fully remove the previous client, you should
delete the directory after uninstalling the program.
Notes client
After the Domino mail server and Notes clients are both upgraded to 6.5 or later,
the Notes client has the native ability to support instant messaging features (see
Figure 5-16 on page 257). The only requirement to provide this basic
functionality is that the client must specify an Instant Messaging and Web
Conferencing server for online awareness information. When a Notes client is
upgraded (or first installed), the setup configuration tool prompts the user for this
information. If entered properly, the default Office Location document is updated
with the information, and the client is then Lotus Instant Messaging and Web
Conferencing enabled. See 4.4, Notes client installation and configuration on
page 118 for additional details.
Although the setup configuration tool will initially create a connection for an
Instant Messaging and Web Conferencing server, this only applies to the Office
Location document. In order to provide the necessary information across multiple
Locations and not require user intervention, an administrator should specify a
default Instant Messaging and Web Conferencing server for each user. This can
be done through the Person documents in the Domino Directory or with the use
of Desktop Settings through Policies. These methods will push the Instant
Messaging and Web Conferencing server information into the users' Notes
clients automatically when they connect to their home mail server and also
provide a convenient way to centrally manage Lotus Instant Messaging and Web
Conferencing configurations for the users.
Although specifying an Instant Messaging and Web Conferencing server is
sufficient to enable integration, there are some additional steps that should be
considered:
1. To provide Lotus Instant Messaging and presence awareness in the mail
database, the design must be upgraded to the new Domino Web Access 6
(iNotes6.ntf) mail template.
2. To avoid having the user log on more than once, enable the client single
sign-on (SSO) feature or save the Instant Messaging and Web Conferencing
password in the client.
Domino Web Access
Prior to 6.5, the iNotes Web Access (now called Domino Web Access) mail
template provided a basic Chat option as a menu item but did not provide online
awareness built into the application. To support the previous chat feature, the
only file you needed to exchange between the Instant Messaging and Web
Conferencing server and the iNotes Web Access server was the Sametime
Secrets database (STAuthS.nsf) to allow Web users to remotely authenticate
from their iNotes Web Access server to the Instant Messaging and Web
Conferencing server without an additional logon prompt.
With the new release of Domino Web Access, the Internet client now has full
online awareness and instant messaging features in addition to the previous
Chat menu option. However, additional steps are required to upgrade to this new
design (see 4.5, Domino Web Access configuration on page 126 for additional
details). The basic steps are:
1. Define the Instant Messaging and Web Conferencing server for users
(required):
a. Assign an Instant Messaging and Web Conferencing server to each user:
i. Enter the server name in each Person document, for example:
upgst/ITSOUPG
ii. Create an agent to populate the Person document, for example:
FIELD SametimeServer := "CN=upgst/O=ITSOUPG"
Important: If using an agent, be sure to express the server name in
fully canonical format; otherwise, the string will not be stored as a
proper NAMES type field and the server will not be able to use it.
b. Assign a single Instant Messaging and Web Conferencing server to all
users on each Domino Web Access server by setting a global assignment
in the Domino Web Access server Notes.ini file:
iNotes_WA_SametimeServer=upgst.cam.itso.ibm.com
2. Replace the Sametime Secrets database with SSO (optional/recommended):
a. Ensure that SSO is properly configured for all Lotus Instant Messaging
and Web Conferencing and Domino Web Access servers.
b. Remove the Secrets database (STAuthS.nsf) from the Domino Web
Access servers.
c. Disable the use of Sametime Secrets in the Domino Web Access server
Notes.ini file:
iNotes_WA_SametimeToken=0
d. Remove any replication connection records in the Domino Directory that
were dedicated to STAuthS.nsf on the Domino Web Access server.
3. Copy files between Instant Messaging and Web Conferencing server and
upgraded Domino Web Access servers (required):
a. Copy the SametimeApplet folder and all its files from the Domino Web
Access server to the same relative location on the Instant Messaging and
Web Conferencing servers, for example:
D:\Lotus\Domino\Data\domino\html\SametimeApplet
b. Copy the stlinks folder and all of its contents from the Instant Messaging
and Web Conferencing server to the same relative location on the Domino
Web Access servers, for example:
D:\Lotus\Domino\Data\domino\html\sametime\stlinks
4. Restart the Instant Messaging and Web Conferencing servers.
5. Disable GZIP compression in the Notes.ini file on the Domino Web Access
servers (optional):
iNotes_WA_GZIP_Disable=1
6. Modify stlinks to support awareness if tunneling is enabled on port 80
(optional).
Important: The SametimeApplet files are only required in a mixed 5.x
and 6.x environment (using Forms5.nsf and Forms6.nsf), but because
the upgrade might have been from an environment with 5.x
servers/clients, we recommend that you copy these files anyway. This
directory name is case sensitive, so we recommend that you copy it as
a directory with its contents, rather than creating the directory manually.
If you do, be sure to match case precisely.
Note: There are known issues with Microsoft Internet Explorer and the new
GZIP compression used by Domino Web Access that might require you to
disable it until the problem is resolved by Microsoft. See 5.4.3, Upgrading
the Domino hub/mail server and clients on page 252 for more details.
7. Replace the default Domino Web Access chat applet with the Instant
Messaging JavaConnect client by inserting a new line into the Domino Web
Access server Notes.ini file (optional, see 2.3, Domino Web Access
integration with Lotus Instant Messaging on page 37 for more details):
iNotes_WA_SametimeJavaConnect=1
8. Enable Domino Web Access connections from Team Workplace (optional,
see Optional integration with Domino Web Access on page 157 for
configuration details).
9. Restart the Domino Web Access servers.
10. Upgrade the client e-mail databases to the new Domino Web Access
template (iNotes6.ntf) using one of the following procedures:
a. Individually from the server console:
load convert -u mail\filename.nsf * iNotes6.ntf
b. All at once from the server console:
load convert -u mail\*.nsf * iNotes6.ntf
c. Using Upgrade-by-mail to update client software and mail database.
d. Using seamless mail upgrade with or without the Smart Upgrade process.
11. Enable Instant Messaging for the Internet:
a. Open the mail database from a browser.
b. Click the Preferences link in the upper-right corner.
c. Go to the Other tab.
d. Select the Enable Instant messaging option (Figure 5-13 on page 255).
e. Save and close the Preferences window.
See Figure 5-14 on page 256 for an example of the native Domino Web Access
awareness and chat features.
Note: At present, awareness does not function in Domino Web Access
when the Instant Messaging and Web Conferencing server is configured to
support tunneling on port 80 (SPR DDES5W4JWM). Until this is corrected,
the following workaround will provide the missing functionality:
From the stlinks subdirectory on the Lotus Instant Messaging and Web
Conferencing and Domino Web Access servers, copy the two lines from
the hostinfo.js file to the beginning of the stlinks.js file:
\Lotus\Domino\Data\domino\html\sametime\stlinks\hostinfo.js
var HTTP_TUNNELING_PORT=80;
var TUNNELING_ADDRESS="";
Restart the Domino Web Access server.
Although this change should only be required on the Domino Web Access
server, we also recommend it for the Instant Messaging and Web
Conferencing server for consistency. When the SPR is resolved with an
update to Lotus Instant Messaging and Web Conferencing or Domino Web
Access, you might want to remove these changes to return to the standard
installation settings.
Tunneling on port 80
In our sample upgrade environment, we chose not to enable tunneling on port 80
in the pre-upgrade or post-upgrade environment. However, because many
customers might want to enable tunneling, we show how to switch between them
in this section. To enable tunneling on port 80:
1. Using a browser, open the Instant Messaging and Web Conferencing server
home page and click the Administer the Server link (if you have hidden this
link, open the URL
http://<Instant Messaging and Web Conferencing (Sametime) server address>/servlet/auth/admin).
2. When prompted, log on as an authorized Lotus Instant Messaging and Web
Conferencing administrator.
3. Open the Configuration tab and click the Connectivity link (see Figure 5-25
on page 280):
a. To enable port 80 tunneling for the community services, select the
appropriate option and change the port number to 80.
b. To enable port 80 tunneling for the meeting services, select the
appropriate option and change the port number to 80.
c. To enable port 80 tunneling for the broadcast services, select the
appropriate option and change the port number to 80.
d. Click Update to save the changes to the server.
Figure 5-25 Enabling Instant Messaging tunneling on port 80
4. Update the Instant Messaging and Web Conferencing Server document (this
can be done using the Notes client, Domino Web administration database, or
through the Lotus Instant Messaging and Web Conferencing administration
console):
a. Go to the Ports tab → Internet Ports tab → Web tab. Change the TCP/IP
Port from 80 to 8088 (the default Lotus Instant Messaging and Web
Conferencing HTTP port when tunneling is enabled). See Figure 5-26 on
page 281.
Figure 5-26 Instant Messaging server HTTP port to support port 80 tunneling
b. Under the Internet Protocols tab → Domino Web Engine tab, change the
Port number for generating references from 80 to 8088 (this must be the
same as the port number specified in the previous step). See Figure 5-27
on page 282.
Figure 5-27 Instant Messaging server HTTP reference port to support port 80 tunneling
c. Save and close the Server document.
5. Restart the Instant Messaging and Web Conferencing server.
Note: After the Instant Messaging and Web Conferencing server restarts
with new configuration changes, you might need to restart other Domino
servers that have enabled Lotus Instant Messaging and Web Conferencing
integration (for example, Team Workplace, Domino Document Manager,
and Domino Web Access).
6. Log on to the Lotus Instant Messaging and Web Conferencing administration
console and verify that the tunneling ports are properly reset to port 80. If they
are not properly reset:
a. Open the stconfig.nsf database on the Instant Messaging and Web
Conferencing server using a Notes client and a Lotus Instant Messaging
and Web Conferencing administrator ID.
b. Check for duplicate documents:
CommunityConnectivity controls the chat port.
MeetingServices controls the meeting port.
BroadcastGateway controls the broadcast port.
c. If there are duplicates, delete the older documents that do not have port 80
tunneling enabled and retain only one document of each type that has
tunneling on port 80 enabled.
d. Restart the Instant Messaging and Web Conferencing server.
e. Log on to the Lotus Instant Messaging and Web Conferencing
administration console and verify that the tunneling ports are properly
reset to port 80.
7. Apply the workaround to enable Lotus Instant Messaging and Web
Conferencing integration in Domino Web Access (see Domino Web Access
on page 275 about integrating awareness in Domino Web Access).
If you currently have tunneling enabled on port 80 and want to disable it, the
process is basically the reverse of the previous process, with the following
caveats:
It is not sufficient to clear the tunneling boxes in the Lotus Instant Messaging
and Web Conferencing administration console (Figure 5-25 on page 280).
You must change the tunneling port numbers back to something other than 80
(for example, the default values of 8082, 8081, and 554).
You will have to manually undo the Domino Web Access workaround in the
hostinfo.js file on the Domino Web Access server and in the stlinks.js file on
both servers (the Lotus Instant Messaging and Web Conferencing
configuration update will automatically update the hostinfo.js file on the
Instant Messaging and Web Conferencing server).
Team Workplace awareness and chat
To enable or upgrade Team Workplace awareness and chat functionality, three
files must be placed into a specific subdirectory on the Instant Messaging and
Web Conferencing server. This procedure is the same as for the previous
versions of Lotus Instant Messaging and Web Conferencing and Team
Workplace (QuickPlace) (see Lotus Team Workplace server on page 242),
except that the .jar files have changed, so the implementation steps are slightly
different. To enable or upgrade Team Workplace awareness and chat, complete
the following steps:
1. Create (or go to) the following directory on the Instant Messaging and Web
Conferencing server:
<domino data dir>\domino\html\QuickPlace\peopleonline
2. Copy the PeopleOnline31.jar file from the Team Workplace (QuickPlace)
server:
<domino data dir>\QuickPlace
3. If it exists, remove the PeopleOnline30.jar file from the directory.
4. Copy the STComm.jar and CommRes.jar files from the Lotus Instant
Messaging and Web Conferencing Java Toolkits:
<domino data dir>\domino\html\sametime\toolkits\st31javatk\bin
5. Configure the Team Workplace connection to the Instant Messaging and Web
Conferencing server:
a. Open a browser and navigate to the Team Workplace server.
b. Click the SignIn link and log on as a QuickPlace administrator.
c. Select Server Settings → Other Options → Edit Options.
Sametime Community Server: URL address of the Instant Messaging and
Web Conferencing server:
http://upgst.cam.itso.ibm.com
6. Restart the Instant Messaging and Web Conferencing server, and then restart
the Team Workplace server.
The previous awareness and related chat functionality in Team Workplace should
have continued to work through the upgrade, but after these changes are made,
the process will have been upgraded to support any new features that are
offered. However, the specific Chat menu function will not be supported after this
upgrade, because our Instant Messaging and Web Conferencing server is still
configured to use Domino authentication. After that has been migrated to Domino
LDAP authentication, the Chat menu option should function with no other
server-side changes required. See 5.4.9, Converting from native Domino to
Domino LDAP authentication on page 289 for instructions about how to convert
the Lotus Instant Messaging and Web Conferencing authentication model.
Important: At the time of writing this book, the Lotus Instant Messaging
and Web Conferencing 6.5.1 Java Toolkit was not yet available, but the
integration is still supported with the 3.1 versions of the .jar files. If you did
not upgrade from 3.1, do not install the 3.1 Java Toolkit on the Lotus Instant
Messaging and Web Conferencing 6.5.1 server. You will need to extract
those two .jar files from the 3.1 Java Toolkit offline and copy them into the
directory. When the 6.5.1 Java Toolkit is available, it should be installed on
the Instant Messaging and Web Conferencing server, and the new versions
of those two .jar files should be copied to the peopleonline directory to
replace the 3.1 versions.
Team Workplace collaborative meetings
We did not enable Team Workplace to be able to schedule online collaborative
meetings through Lotus Instant Messaging and Web Conferencing in our sample
pre-upgrade environment, because this is only supported when both Lotus
Instant Messaging and Web Conferencing and Team Workplace are using the
same LDAP authentication directory. However, for the purpose of this section, we
describe how to enable this feature in the 6.5.1 environment even though our
Instant Messaging and Web Conferencing server is still configured for Domino
authentication. Full integration will only be supported after the Instant Messaging
and Web Conferencing server has been migrated to using Domino LDAP
authentication (5.4.9, Converting from native Domino to Domino LDAP
authentication on page 289).
Setting up collaborative meetings in Team Workplace is described in detail in
4.6.3, Post-configuration integration on page 146. We repeat the following basic
steps here:
1. Create a new user in the Domino Directory specifically for remote Team
Workplace access to the Lotus Instant Messaging and Web Conferencing
meeting database, for example, qpstintegrator/ITSOUPG.
2. Add the user created above to the ACL of stconfig.nsf:
Assign User type = Person
Assign Access = Manager
Assign Roles = [SametimeAdmin]
3. Copy the .jar files from the Lotus Instant Messaging and Web Conferencing
Domino Program directory to the Team Workplace Domino Data directory
(overwrite existing ones if necessary):
STMtgManagement.jar
STCore.jar
ibmjsse.jar
4. Modify the Team Workplace Notes.ini to reference the new jar files:
a. Remove or comment out any lines beginning with JavaUserClasses=.
b. Add three new lines below similar ones:
QPJC6=d:\lotus\domino\ibmjsse.jar
QPJC7=d:\lotus\domino\STCore.jar
QPJC8=d:\lotus\domino\STMtgManagement.jar
c. Append the three new entries to the line JavaUserClassesExt=:
JavaUserClassesExt=QPJC1,QPJC2,QPJC3,QPJC4,QPJC5,QPJC6,QPJC7,QPJC8
5. Edit the qpconfig.xml file in the Team Workplace Domino Program directory:
a. If the file does not exist, copy and rename the qpconfig_sample.xml file.
b. Find the section beginning <sametime local_users= ...>.
c. Remove the comment line before the <sametime local_users...> line.
d. Remove the comment line after the </sametime> line.
e. Modify the credentials to match the newly created user, as shown
in Example 5-7.
Example 5-7 Sample qpconfig.xml Instant Messaging credentials section
<sametime local_users="false" ldap="true">
<meetings invite_servers="false">
<tools>
<audio enabled="true"/>
<video enabled="true"/>
</tools>
<credentials>
<dn>cn=qpstintegrator/o=ITSOUPG</dn>
<password>password</password>
</credentials>
</meetings>
</sametime>
6. Configure the Team Workplace connection to the Instant Messaging and Web
Conferencing server:
a. Open a browser and navigate to the Team Workplace server.
b. Click the SignIn link and log on as a QuickPlace administrator.
c. Select Server Settings → Other Options → Edit Options.
Sametime Meeting Server: URL address of the Instant Messaging and
Web Conferencing server:
http://upgst.cam.itso.ibm.com
7. Restart the Instant Messaging and Web Conferencing server.
8. When all of the Lotus Instant Messaging and Web Conferencing services are
active, restart the Team Workplace server.
Note: The sample shown in Example 5-7 is intended for the supported
configuration when Team Workplace and Lotus Instant Messaging and
Web Conferencing are both using LDAP. Until the Instant Messaging and
Web Conferencing server is migrated to LDAP authentication, we changed
the ldap parameter in the first line as follows:
<sametime local_users="false" ldap="false">
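An added check for step 4 of the procedure above (not code from the Redbook or from IBM): it audits the Team Workplace Notes.ini for a leftover JavaUserClasses= line, for QPJCn names that are listed but undefined or defined but unlisted, and for the three jar files. The function names and the QPJC1 to QPJC5 values are constructed for the example, and keys are assumed to match case-insensitively.

```python
import re

# Jar names come from steps 3 and 4 of the procedure above.
REQUIRED_JARS = ("ibmjsse.jar", "STCore.jar", "STMtgManagement.jar")


def parse_notes_ini(text):
    """Map each lower-cased key to the list of values found for it.

    Assumption: keys are matched case-insensitively. A line that was
    commented out (whatever prefix was used) no longer has the exact key,
    so it is stored under a different name and never matches below.
    """
    settings = {}
    for raw in text.splitlines():
        key, sep, value = raw.strip().partition("=")
        if sep:
            settings.setdefault(key.strip().lower(), []).append(value.strip())
    return settings


def audit_team_workplace_ini(text):
    """Return a list of findings; an empty list means step 4 is complete."""
    ini = parse_notes_ini(text)
    findings = []

    # Step 4a: no active JavaUserClasses= line may remain.
    if "javauserclasses" in ini:
        findings.append("active JavaUserClasses= line still present")

    ext = ini.get("javauserclassesext", [])
    if len(ext) != 1:
        findings.append("expected one JavaUserClassesExt= line, found %d" % len(ext))
        return findings
    listed = [name.strip() for name in ext[0].split(",") if name.strip()]

    # Step 4c: every listed name must be defined exactly once.
    jars_on_path = set()
    for name in listed:
        values = ini.get(name.lower(), [])
        if not values:
            findings.append("%s is listed but not defined" % name)
        elif len(values) > 1:
            findings.append("%s is defined %d times" % (name, len(values)))
        for value in values:
            for path in re.split(r"[;,]", value):
                jars_on_path.add(re.split(r"[\\/]", path.strip())[-1].lower())

    # Step 4b: a QPJCn line that is not listed is not part of the class path
    # that JavaUserClassesExt builds.
    listed_lower = {name.lower() for name in listed}
    for key in sorted(ini):
        if re.fullmatch(r"qpjc\d+", key) and key not in listed_lower:
            findings.append("%s is defined but not listed" % key.upper())

    for jar in REQUIRED_JARS:
        if jar.lower() not in jars_on_path:
            findings.append("%s is not referenced" % jar)
    return findings


# Constructed sample input. QPJC1..QPJC5 stand in for the existing entries,
# whose real values the page does not show.
_PLACEHOLDERS = "\n".join(
    r"QPJC%d=d:\lotus\domino\placeholder%d.jar" % (i, i) for i in range(1, 6)
)
GOOD_INI = "\n".join([
    "[Notes]",
    r";JavaUserClasses=d:\lotus\domino\legacy.jar",  # commented out (4a)
    _PLACEHOLDERS,
    r"QPJC6=d:\lotus\domino\ibmjsse.jar",
    r"QPJC7=d:\lotus\domino\STCore.jar",
    r"QPJC8=d:\lotus\domino\STMtgManagement.jar",
    "JavaUserClassesExt=QPJC1,QPJC2,QPJC3,QPJC4,QPJC5,QPJC6,QPJC7,QPJC8",
])
BAD_INI = "\n".join([
    "[Notes]",
    r"JavaUserClasses=d:\lotus\domino\legacy.jar",   # 4a skipped
    _PLACEHOLDERS,
    r"QPJC6=d:\lotus\domino\ibmjsse.jar",
    r"QPJC8=d:\lotus\domino\STMtgManagement.jar",    # QPJC7 never added
    "JavaUserClassesExt=QPJC1,QPJC2,QPJC3,QPJC4,QPJC5,QPJC6,QPJC7",  # QPJC8 not appended
])

if __name__ == "__main__":
    for label, sample in (("good", GOOD_INI), ("bad", BAD_INI)):
        print(label, audit_team_workplace_ini(sample) or "no findings")
```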
Note: Although not supported and unexpected, we found that when we
upgraded the sample environment and made the changes previously listed,
we did achieve awareness, chat, and the ability to create collaborative
meetings in Team Workplace even though Lotus Instant Messaging and Web
Conferencing was configured for Domino authentication. It should also be
noted that although the directory protocols are different, they are the same
directory (that is, the LDAP directory is simply the Domino Directory served
through the LDAP protocol).
Domino Document Manager awareness and chat
If Domino Document Manager had been previously enabled with awareness and
chat, no additional changes are required after the upgrade. If you need to
integrate new Instant Messaging awareness and chat into Domino Document
Manager, the procedure is as follows:
1. Replicate the Sametime Secrets database to the Domino Document Manager
server:
a. Using an administrator account, create a replica of the stauths.nsf
database from the Instant Messaging and Web Conferencing server to the
Domino Document Manager server.
b. In the Domino Directory on the Instant Messaging and Web Conferencing
server, create a replication connection record from the Instant Messaging
and Web Conferencing server to the Domino Document Manager server
specifically for the stauths.nsf database (see Figure 5-4 on page 239).
2. Enable existing libraries and file cabinets for Lotus Instant Messaging and
Web Conferencing integration:
a. Open the Document Manager Site Administration database through
Notes.
b. Enable each library:
i. Open a library, click Library Administration, and then click System
Profile.
ii. Select the Enable Sametime integration for this library option. Fill in
the fully qualified host name of the Instant Messaging and Web
Conferencing server, as shown in Figure 5-28 on page 288.
Figure 5-28 Domino Document Manager library Instant Messaging integration
iii. Click Save & Close to return to the list of file cabinets.
c. Enable each file cabinet:
i. Open and edit a file cabinet.
ii. Select the Enable Sametime integration for this File Cabinet option.
Figure 5-29 Domino Document Manager file cabinet Instant Messaging integration
iii. Click Save & Close to return to the list of file cabinets.
d. Repeat for the remaining file cabinets.
e. Close the library to return to the list of libraries.
f. Repeat for each library.
3. Close the Site Administration database.
4. Restart the Domino Document Manager server.
5.4.8 Post-upgrade Domino Document Manager integration
In this section, we describe the post-upgrade procedures for Domino Document
Manager integration.
Installing or upgrading the Desktop Enabler
Installing the Desktop Enabler on a server or client PC is the same as for the
previous versions of Domino Document Manager (Domino.Doc). To install or
upgrade the Desktop Enabler, complete the following steps:
1. Download the installation file (ddsetup.exe) using one of the following
procedures:
a. From a browser using the Getting Started link on any library home page.
b. From a Notes client under Library Administration → Download Client
Software within any library database.
c. From another distribution source (that is, if an administrator has already
downloaded the file and made it available to others).
2. Shut down any Notes clients and Domino servers.
3. Run the ddsetup.exe installation program.
4. If this is an upgrade, you should see an upgrade warning and request to
uninstall any previous version of the Desktop Enabler, as shown in
Figure 5-30.
Figure 5-30 Desktop Enabler upgrade warning
5. Select the directory and complete the installation.
6. Restart the desktop, server, or both for the installation to take effect.
Notes client integration
Domino Document Manager 6.5.1 provides native integration with the Notes
6.5.1 client to enable users to directly access and transfer e-mail messages and
attachments into the libraries (see 2.5, Lotus Domino Document Manager
integration on page 56). This feature is enabled with the installation or upgrade
of the Document Manager Desktop Enabler and requires no further configuration
changes.
5.4.9 Converting from native Domino to Domino LDAP authentication
Throughout this chapter, we have referenced the fact that Lotus Instant
Messaging and Web Conferencing and Team Workplace 6.5.1 will allow the use
of native Domino authentication, but it is only intended for backward compatibility
during the upgrade process. The only supported configuration in 6.5.1 is for both
Lotus Instant Messaging and Web Conferencing and Team Workplace to use
LDAP authentication, especially in terms of supported integration between them.
In this section, we describe the process of converting from native Domino
authentication to Domino LDAP authentication. For instructions about how to
enable LDAP authentication with an external LDAP directory (for example,
Microsoft Active Directory or Sun), refer to Chapter 7, Integrating Domino 6.5.1
with a third-party LDAP directory on page 351.
Converting Team Workplace to LDAP
Although our Team Workplace server is already configured for Domino LDAP
authentication, you will need this procedure if you upgraded from a Domino
authentication-based Team Workplace server. We also cover an additional step
for defining Team Workplace superusers in LDAP:
1. Open the Team Workplace home page and log on as a server administrator.
2. Click Server Settings → User Directory.
3. To switch from Domino to LDAP authentication (see Figure 5-31 on
page 291):
a. Click the Change Directory button.
b. Select LDAP Server from the Type drop-down list.
c. Enter the fully qualified host name of the Domino LDAP server.
d. The Port number should be 389 and the Search base should be blank.
e. You can leave the Check to use credentials option cleared and the fields
blank (default), but we recommend that you specify a user with known
reader access to the Domino Directory to avoid any future issues with
anonymous access to the LDAP directory.
Note: You should only change these settings if you are sure that your
LDAP configuration warrants the changes.
Tip: Be sure to specify a user whose Internet password will not change
over time. If not, you will lose Team Workplace authentication whenever
the password changes unless you update the Team Workplace settings
to match.
Figure 5-31 Team Workplace LDAP authentication configuration
f. Leave the authentication and search time-outs as the defaults (120 sec).
g. Select to Allow or Disallow new users:
Allow lets Place managers create local users within their Place.
Disallow requires that all users exist and be chosen from the directory.
h. Click Next to save the directory changes.
i. Test the configuration:
i. Click the Security link and then click one of the Add buttons.
ii. At the Add Access window, click Directory, as shown in Figure 5-32 on
page 292.
Figure 5-32 Team Workplace Add Access window
j. When the Add Members window opens, click Show All, as shown in
Figure 5-33.
Figure 5-33 Team Workplace Add Members window
k. If you see a list of user names from the Domino Directory, followed by the
LDAP representation of their canonical names, as shown in the following
line, the LDAP settings are configured properly. If not, review the settings
from the previous steps and try again.
Admin, Domino CN=Domino Admin,O=ITSOUPG
l. Close the Add Members window and close the browser.
4. To enable a Team Workplace superuser person or group:
a. Edit the qpconfig.xml file from the Team Workplace server Data directory
(if one does not exist, make a copy of the qpconfig_sample.xml file and
rename it qpconfig.xml).
b. Find and edit the section that begins <super_user enabled=...>:
i. Remove the comment line above the <super_user ...> line.
ii. Remove the comment line after the </super_user> line.
iii. Enable the superuser feature in the first line:
<super_user enabled="true">
iv. Enter the credentials of the superuser (see Example 5-8):
For a single user:
<dn>cn=Domino Admin,o=ITSOUPG</dn>
For a group:
<dn>cn=QuickPlaceAdministratorsSUGroup</dn>
Example 5-8 Team Workplace superuser configuration in the qpconfig.xml file
<super_user enabled="true">
<dn>cn=QuickPlaceAdministratorsSUGroup</dn>
</super_user>
c. Save the changes and close the file.
5. Restart the Team Workplace server.
Tip: Occasionally, when switching between directory protocols, the
Team Workplace server might not recognize group access for the
server security settings. If using group names to allow access for
creating Team Workplaces or managing the server, or both, we
recommend that you remove the groups and then add them again after
changing the directory protocols.
Converting Lotus Instant Messaging and Web Conferencing to LDAP
Throughout our initial sample environment configuration and the entire upgrade
process, we maintained native Domino authentication in Lotus Instant Messaging
and Web Conferencing. At this point, we describe how to migrate over to Domino
LDAP authentication.
To convert Lotus Instant Messaging and Web Conferencing to LDAP, complete
the following steps:
1. Shut down the Instant Messaging and Web Conferencing server.
2. Reset the Lotus Domino service from Automatic to Manual.
3. Restart the Windows server.
4. Edit the Lotus Instant Messaging and Web Conferencing Domino server
Notes.ini file. Change the parameter SametimeInstallType from COMPLETED to
REINSTALL MERGE and then save your changes. See Example 5-9.
Example 5-9 Instant Messaging and Web Conferencing Notes.ini change
...
DominoVersion=6.5.1IF1
STProgramDirectory=D:\Lotus\Domino
SametimeInstallType=REINSTALL MERGE
SametimeLog=STLog.nsf
SametimeConference=STConf.nsf
SametimeAdmin=STAdmin.nsf
SAMETIME_NAMELOOKUP_SERVER=1
SametimeServerConfig=OnDomino
...
Tip: The Lotus Instant Messaging and Web Conferencing 6.5.1 Administrator
Guide (sthelpad.nsf) provides a procedure for manually changing the Lotus
Instant Messaging and Web Conferencing directory authentication from
Domino to LDAP after installation. However, we found it somewhat tedious
and error-prone. The following
procedure takes advantage of the native Lotus Instant Messaging and Web
Conferencing setup tool (STSetup.exe) to install most of the LDAP
configuration settings automatically, and we strongly recommend its use.
However, because it does reset all of the Instant Messaging and Web
Conferencing server settings to the original defaults, you will have to reapply
any changes you made to the database designs, ACLs, or other configuration
settings. After executing STSetup.exe, the post-installation LDAP configuration
tasks are described in more detail in the Instant Messaging and Web
Conferencing 6.5.1 Administrator Guide.
5. Back up the existing Lotus Instant Messaging and Web Conferencing
databases:
a. If you have made any changes to the system databases (design, ACL, or
configurations), you will need to reapply them after the setup runs.
b. If you had any user buddy lists that you want to migrate to LDAP, you must
back up the vpuserinfo.nsf database, because it will be overwritten.
6. Run the STSetup.exe program from the Lotus Instant Messaging and Web
Conferencing Program directory to activate the automated setup tool:
a. When prompted, browse to and select the Domino server ID.
b. When prompted, choose the LDAP directory for authentication, fill in the
fully qualified host name of the Domino LDAP server, and leave the port
number as the default (389), as shown in Figure 5-34.
Figure 5-34 Instant Messaging and Web Conferencing setup LDAP configuration window
c. When prompted, select or clear tunneling on port 80 depending on your
desired configuration.
d. Click Next and complete the setup process.
Tip: You can use this same procedure to change tunneling settings
automatically instead of using the manual procedure described in
Tunneling on port 80 on page 279.
7. Modify the Directory Assistance LDAP configuration to match those described
in Implications of using LDAP with Domino Document Manager on
page 303, namely:
a. On the Basics tab:
i. Ensure that the Domain Name is unique from other documents.
ii. Change the Company name (optional).
iii. Make this record the first (1) in search order and reorder any other
documents as necessary to avoid conflicts.
b. On the Rules tab, ensure that Trusted for Credentials is set to Yes.
c. On the LDAP tab:
i. Enter the distinguished LDAP formatted name of a user authorized to
bind to the LDAP directory (optional if anonymous access enabled).
ii. Enter the password for the user entered above.
iii. Enter the Base DN for search (typically the organizational certifier).
d. Leave the remaining settings and save the document (ignore errors related
to not using the encrypted port 636).
8. Migrate the buddy lists (see Implications of using LDAP for Instant
Messaging and Web Conferencing on page 297 for additional details).
9. Restart the Instant Messaging and Web Conferencing server.
10. Open the stconfig.nsf database on the Instant Messaging and Web
Conferencing server using a Notes client and a Lotus Instant Messaging and
Web Conferencing administrator ID (refer to the Instant Messaging and Web
Conferencing 6.5.1 Administrator Guide for instructions about how to use the
Lotus Instant Messaging and Web Conferencing administration console to
make these changes).
11. Resolve duplicate copies of the BroadcastGateway, CommunityConnectivity,
and MeetingServices documents (see Tunneling on port 80 on page 279).
12. Edit the LDAPServers document (there should only be one in the view):
a. Login Name: User name for directory access (optional/recommended):
cn=Domino Admin,o=ITSOUPG
b. Password: Internet password if a user specified above (required).
c. Leave all other settings at their current values, which are preconfigured for
standard Domino LDAP directories by default and from STSetup.exe.
d. Save and close the document and exit the stconfig.nsf database.
13. Reapply any design, ACL, or configuration changes from the backup system
databases, if necessary.
14. If Team Workplace is enabled for Web Conferencing collaborative meetings:
a. Edit the qpconfig.xml file in the QuickPlace Domino Program directory.
b. Find the section beginning <sametime local_users= ...>.
c. Modify the first line and change the ldap reference to true (see
Example 5-7 on page 286):
<sametime local_users="false" ldap="true">
d. Save and close the file.
15. Reset the Lotus Domino service from Manual to Automatic.
16. Restart the Instant Messaging and Web Conferencing server.
17. Restart the other product servers, as necessary.
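The two hand edits to qpconfig.xml in this chapter (enabling the superuser in the Team Workplace procedure, and setting ldap="true" in step 14 above) can be checked before the servers are restarted. The following Python check is an added example, not code from this book or from IBM; the <server_settings> root element and the function names are assumptions, and the sample files are constructed.

```python
import re
import xml.etree.ElementTree as ET

# Constructed samples, not real server files. The <server_settings> root is an
# assumption; <super_user>, <dn> and <sametime> are the elements the page shows.
GOOD = """<server_settings>
  <super_user enabled="true">
    <dn>cn=QuickPlaceAdministratorsSUGroup</dn>
  </super_user>
  <sametime local_users="false" ldap="true"></sametime>
</server_settings>"""

# Comment markers left in place and the sametime section still set for Domino.
STILL_COMMENTED = """<server_settings>
  <!--
  <super_user enabled="true">
    <dn>cn=Domino Admin,o=ITSOUPG</dn>
  </super_user>
  -->
  <sametime local_users="false" ldap="false"></sametime>
</server_settings>"""

# Attribute value typed without quotes: the file is no longer well-formed XML.
UNQUOTED = """<server_settings>
  <super_user enabled=true>
    <dn>cn=Domino Admin,o=ITSOUPG</dn>
  </super_user>
</server_settings>"""

# Notes canonical name (slash separators) where the page uses an LDAP DN.
NOTES_STYLE_DN = GOOD.replace("cn=QuickPlaceAdministratorsSUGroup",
                              "cn=Domino Admin/o=ITSOUPG")

_RDN = re.compile(r"^\s*[A-Za-z][A-Za-z0-9-]*\s*=\s*\S.*$")
_NOTES_SEP = re.compile(r"/\s*(?:cn|ou|o|c)\s*=", re.IGNORECASE)


def looks_like_ldap_dn(dn):
    """True for comma-separated attr=value pairs with no Notes '/' separators."""
    if _NOTES_SEP.search(dn):
        return False
    parts = re.split(r"(?<!\\),", dn)  # split on commas that are not escaped
    return all(_RDN.match(p) for p in parts)


def check_qpconfig(xml_text, expect_ldap=True):
    """Return a list of findings; an empty list means every check passed."""
    try:
        root = ET.fromstring(xml_text)
    except ET.ParseError as exc:
        return [f"not well-formed XML: {exc}"]

    findings = []
    # Commented-out XML is invisible to the parser, so a section that is still
    # inside <!-- --> shows up here as simply absent.
    su = next(root.iter("super_user"), None)
    if su is None:
        findings.append("super_user section is missing or still commented out")
    else:
        if su.get("enabled", "").strip().lower() != "true":
            findings.append('super_user is present but enabled is not "true"')
        dns = [(d.text or "").strip() for d in su.iter("dn")]
        dns = [d for d in dns if d]
        if not dns:
            findings.append("super_user has no <dn> entry")
        for dn in dns:
            # Assumption: with an LDAP directory the DN uses comma separators,
            # as in the page's examples.
            if expect_ldap and not looks_like_ldap_dn(dn):
                findings.append(f"dn is not in LDAP format: {dn}")

    st = next(root.iter("sametime"), None)
    if expect_ldap and st is not None:
        if st.get("ldap", "").strip().lower() != "true":
            findings.append('sametime section does not have ldap="true"')
    return findings


if __name__ == "__main__":
    for label, text in [("good", GOOD), ("commented", STILL_COMMENTED),
                        ("unquoted", UNQUOTED), ("notes dn", NOTES_STYLE_DN)]:
        print(label, "->", check_qpconfig(text) or "OK")
```

Because the superuser entry grants access across every Place on the server, an empty findings list is worth confirming after each edit of the file.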
Implications of using LDAP for Instant Messaging and Web Conferencing
Although LDAP is the recommended and supported authentication protocol for
Lotus Instant Messaging and Web Conferencing 6.5.1, there are a few known
issues after migrating to LDAP:
Notes client logon to Instant Messaging and Web Conferencing
The first issue arises when a Notes 6.5.x client attempts to log on to Instant
Messaging and Web Conferencing. By default, the client populates the logon
window with the abbreviated hierarchical name from the Notes ID of the user,
as shown in Figure 5-35 on page 298.
Note: This procedure is only valid for switching Lotus Instant
Messaging and Web Conferencing to Domino LDAP authentication and
should not be used for any other external LDAP directories. For other
external LDAP directories, there are additional configuration changes
that must be made.
Figure 5-35 Notes client Lotus Instant Messaging and Web Conferencing logon window
Unfortunately, there is a problem with Instant Messaging and Web
Conferencing's ability to recognize the abbreviated hierarchical form of the
user name and the logon is not recognized. We found three possible options
to avoid the logon error:
Log on with just the common name, for example, Domino Admin.
Log on with the fully canonical name, for example, cn=Domino
Admin/o=ITSOUPG.
Enable SSO for Lotus Instant Messaging and Web Conferencing logon, as
shown in Figure 5-36 on page 299.
Figure 5-36 Notes client preference for Instant Messaging SSO logon
The first two options require that users change their logon name, but the
change is remembered and will be used the next time the user attempts to log
on to Instant Messaging and Web Conferencing, even after a client restart.
The third option is the recommended approach, because it uses the
multiserver SSO token and does not require any additional client
configuration. This setting also uses the Notes password and allows the user
to log off and log on again without entering the password again (except as
necessary if the Notes client session locks the ID or times out).
Notes client awareness
The problem with Instant Messaging and Web Conferencing's ability to
recognize the abbreviated hierarchical form of the user names also causes
problems with the native online awareness in the Notes 6.5.1 client. The
Notes client will not recognize awareness for any abbreviated hierarchical
user name. It will recognize all other valid names that resolve to each user
(Figure 5-37 on page 300):
Common name only, for example, Domino Admin
Canonical name, for example, cn=Domino Admin/o=ITSOUPG
E-mail address, for example, domino.admin@cam.itso.ibm.com
Figure 5-37 Notes client awareness with Instant Messaging and Web Conferencing using LDAP
Unfortunately, when using Notes mail, Domino converts the first two formats
into the abbreviated format whenever the document is refreshed or saved.
This leaves the e-mail address as the only name format to support
awareness, which does not lend itself to any practical workaround.
Loss of existing Instant Messaging buddy lists
When the Lotus Instant Messaging and Web Conferencing authentication
model changes from Domino to LDAP, it does not associate the
LDAP-authenticated user with the previously recognized
Domino-authenticated user. Therefore, it creates a new LDAP buddy list for
each user when they first connect to the Instant Messaging and Web
Conferencing server. There are third-party tools available to migrate Domino
buddy lists to LDAP, but we downloaded the Instant Messaging Buddy List
Conversion utility from the Lotus Sandbox at the Lotus Developer Domain.
Note: At the time of the writing of this book, we were told of an Instant
Messaging and Web Conferencing server fix that would correct this issue.
However, it is still undergoing internal IBM testing and was not available for
us to implement. Refer to Technote 1163059 for additional information.
Refer also to SPR #TPAE5WJKBZ. This SPR states that the problem will
be corrected in 6.0.4 and 6.5.2.
Important: This tool was only tested for a simple conversion from a
Domino buddy list to a default Domino LDAP buddy list. If you have
customized your LDAP configuration, or if you plan to use an external
LDAP directory, you might need to use a third-party tool with additional
migration capabilities.
To migrate the buddy lists:
a. Extract the files from the tool to a local directory.
b. Copy the backup vpuserinfo.nsf database to the local directory.
c. Execute the tool to migrate the buddy lists.
d. Stop the Instant Messaging and Web Conferencing server.
e. Replace the vpuserinfo.nsf database on the Lotus Instant Messaging and
Web Conferencing server with the migrated version from the local
directory.
f. Restart the Instant Messaging and Web Conferencing server.
Compare Figure 5-38 with the Domino based buddy list depicted in
Figure 5-11 on page 251.
Figure 5-38 Instant Messaging buddy list after LDAP conversion
Note: The default name display filter for Instant Messaging using LDAP
authentication is only to display the common name of the user in the buddy
list. In other words, the option to Show Short Names has no effect because
it is always displaying the short name. If you have a large organization in
which people might have the same name (and perhaps different OUs), you
might want to investigate modifying the LDAP name display filters.
Potential problems with the Show Online People Only option
When we switched Lotus Instant Messaging and Web Conferencing from
Domino to LDAP authentication, we re-ran the Lotus Instant Messaging and
Web Conferencing setup procedure (STSetup.exe), as described in
Converting Lotus Instant Messaging and Web Conferencing to LDAP on
page 294, and we used the migration utility from the Lotus Sandbox to
convert the buddy lists from Domino to LDAP format. Although only tested
once, we did find that when users reconnected to the Instant Messaging and
Web Conferencing server, their Connect client preference for Show Online
People Only had been reset to enabled. The immediate behavior was that it
appeared that some or all of the buddy list had been lost. After this was
disabled, the entire buddy list was visible. You will want to test this behavior
and be prepared to tell your users how to disable this preference after the
migration.
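The logon and awareness issues above come down to one user having several name forms (common name, abbreviated hierarchical, canonical, and LDAP DN). The Python below is an added example, not code from this book or from IBM, that converts between those forms and tests whether two names identify the same user; the function names are hypothetical, and the rule that the last abbreviated component is the organization unless has_country is set is an assumption.

```python
import re

_ATTR = re.compile(r"^\s*(CN|OU|O|C)\s*=\s*(.*?)\s*$", re.IGNORECASE)
_NOTES_SEP = re.compile(r"/\s*(?:CN|OU|O|C)\s*=", re.IGNORECASE)


def _split(text, sep):
    """Split on sep, honouring backslash escapes (hex escapes are not handled)."""
    parts, cur, i = [], [], 0
    while i < len(text):
        ch = text[i]
        if ch == "\\" and i + 1 < len(text):
            cur.append(text[i + 1])   # keep the escaped character literally
            i += 2
            continue
        if ch == sep:
            parts.append("".join(cur))
            cur = []
        else:
            cur.append(ch)
        i += 1
    parts.append("".join(cur))
    return parts


def parse_name(name, has_country=False):
    """Return [(ATTR, value), ...] for a Notes or LDAP name, most specific first."""
    if "=" in name:
        # Labelled form: Notes canonical uses '/', an LDAP DN uses ','.
        sep = "/" if _NOTES_SEP.search(name) else ","
        comps = []
        for part in _split(name, sep):
            m = _ATTR.match(part)
            if not m:
                raise ValueError(f"unrecognised component: {part!r}")
            comps.append((m.group(1).upper(), m.group(2)))
        return comps
    # Unlabelled form: common name only, or abbreviated hierarchical.
    parts = [p.strip() for p in _split(name, "/")]
    if len(parts) == 1:
        return [("CN", parts[0])]
    if has_country and len(parts) >= 3:
        labels = ["CN"] + ["OU"] * (len(parts) - 3) + ["O", "C"]
    else:
        labels = ["CN"] + ["OU"] * (len(parts) - 2) + ["O"]
    return list(zip(labels, parts))


def to_ldap_dn(comps):
    """Comma-separated DN with RFC 4514 escaping of special characters."""
    def esc(value):
        value = re.sub(r'([,+"\\<>;])', r"\\\1", value)
        return "\\" + value if value.startswith("#") else value
    return ",".join(f"{attr}={esc(value)}" for attr, value in comps)


def to_canonical(comps):
    return "/".join(f"{attr}={value}" for attr, value in comps)


def to_abbreviated(comps):
    return "/".join(value for _, value in comps)


def same_user(a, b):
    """Case-insensitive comparison across formats. A bare common name never
    matches a hierarchical name, because it does not identify the organization."""
    def norm(n):
        return [(k, v.casefold()) for k, v in parse_name(n)]
    return norm(a) == norm(b)


def logon_forms(name):
    """The forms discussed above: two that the page reports as accepted for
    logon, the LDAP DN, and the abbreviated form that is not recognized."""
    comps = parse_name(name)
    return {
        "common_name": comps[0][1],
        "canonical": to_canonical(comps),
        "ldap_dn": to_ldap_dn(comps),
        "abbreviated_not_recognized": to_abbreviated(comps),
    }


if __name__ == "__main__":
    for key, value in logon_forms("Domino Admin/ITSOUPG").items():
        print(f"{key:28} {value}")
```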
Converting Domino Document Manager to LDAP
Domino Document Manager can also be migrated to use LDAP authentication.
To migrate the Domino Document Manager server to Domino LDAP, complete
the following steps:
1. Enable LDAP Directory Assistance on the Domino Document Manager
server.
2. Restart the Domino Document Manager server.
3. Open the Document Manager Site Administration database from a Notes
client with a Document Manager site administrator ID.
4. Enable LDAP for each library:
a. Open a library record.
b. Click Library Administration, and then System Profile.
c. Select the Enable LDAP Integration option, as shown in Figure 5-39.
Figure 5-39 Document Manager library LDAP enablement setting
d. Save and close the system profile.
e. Click Replication.
f. Open and edit each master/replica Server document.
g. Select the Enable LDAP Integration option.
h. Click Retrieve LDAP Settings.
i. For Object Class for LDAP Groups, enter dominogroup.
j. For Attribute for group members, enter member. See Figure 5-40.
Figure 5-40 Domino Document Manager master/replica server LDAP enablement setting
k. Save and close the document.
5. Exit the Site Administration database.
6. Restart the Domino Document Manager server.
Implications of using LDAP with Domino Document Manager
When Domino Document Manager is migrated from native Domino to Domino
LDAP authentication, there is only a small change in the behavior of the Who is
Online feature. When LDAP is enabled, the list of names in the Who is Online
applet appears in fully canonical LDAP format, for example, cn=Domino
Admin,o=ITSOUPG.
Setting up LDAP Directory Assistance
Directory Assistance is required for both the Lotus Instant Messaging and Web
Conferencing and Domino Document Manager servers when migrating from
native Domino to Domino LDAP authentication. If using the Lotus Instant
Messaging and Web Conferencing setup tool (STSetup.exe), part of this process
will have been performed automatically. For Domino Document Manager, the
entire procedure must be performed manually:
1. Create a Directory Assistance database on the Domino server:
a. Use the Directory Assistance 6 template (da50.ntf) and name the file
DA.NSF (the exact name is optional).
b. Add a Directory Assistance record to the database:
i. Under the Basics tab fill in the following values (see Figure 5-41):
Domain type: LDAP
Domain name: LDAP (must be unique from other documents)
Company name: ITSOUPG (label only, can be anything)
Search order: 1
Make available to: Notes Clients & Internet
Authentication/Authorization
Group Authorization and Nested group expansion: Yes
Enabled: Yes
Figure 5-41 Directory Assistance LDAP configuration: Basics tab
ii. Under the Naming Context (Rules) tab (see Figure 5-42 on page 305):
Wildcards for all hierarchical name components
Enabled: Yes
Trusted For Credentials: Yes
Figure 5-42 Directory Assistance LDAP configuration: Naming Contexts (Rules) tab
iii. Under the LDAP tab (see Figure 5-43):
Hostname: Fully qualified host name of the Domino LDAP server, for
example, upgdom.cam.itso.ibm.com
Credentials: LDAP distinguished name and password for LDAP bind
access (optional)
Channel encryption: None (ignore warnings)
Figure 5-43 Directory Assistance LDAP configuration: LDAP tab
iv. Save and close the record.
c. Exit the database.
2. Edit the Domino Server document and enter the name of the Directory
Assistance database to the corresponding field on the Basics tab, as shown in
Figure 5-44.
Figure 5-44 Domino Document Manager Directory Assistance in the Server document
Part 3. Scenarios
This part describes three scenarios that we believe address the needs of
organizations seeking to implement collaboration tools.
Chapter 6. Extended Products for small-to-medium businesses
This chapter discusses how the small-to-medium business can use Domino and
the Extended Products. A small-to-medium business might not need to deploy all
of the Domino Extended Products or might want to know more about how they
can combine specific products to build a collaborative environment using a
minimum number of servers. Alternatively, an IT specialist or technical sales
representative might be interested in knowing how to install Domino 6.5.1 and a
subset of the Extended Products on a single machine to demonstrate a
collaborative environment as a proof of concept.
In this chapter, we discuss alternatives to deploying IBM Lotus Instant Messaging
and Web Conferencing (formerly known as Sametime), IBM Lotus Team
Workplace (formerly known as QuickPlace), IBM Lotus Domino Enterprise
Server, and IBM Lotus Domino Document Manager (formerly known as
Domino.doc) with limited resources. We map out different paths for configuring a
native Domino environment with some or all of the Extended Products running on
one or more machines. We describe the following topics:
Single machine deployment
Multiple machine deployment
Performance tuning
Hardware and software requirements
Important disclaimers regarding officially supported configurations
When installing multiple Extended Products on one physical machine or
partitioned server, there are some unsupported configurations. IBM does not
support Lotus Instant Messaging and Web Conferencing installed on the same
server as Lotus Team Workplace. A Lotus Domino server limitation prevents all
Java class files required by both of these servers from loading when both Lotus
Instant Messaging and Web Conferencing and Lotus Team Workplace are
installed on the same physical machine.
IBM does not support Lotus Domino Web Access installed on the same server
running Lotus Instant Messaging and Web Conferencing. IBM does not support
the use of DSAPI filters on a Lotus Instant Messaging and Web Conferencing
server. Domino Web Access uses DSAPI filters for offline services (ndolextn).
IBM also does not support Lotus Instant Messaging and Web Conferencing
installed on a Lotus Domino partitioned server running on a Microsoft Windows
operating system. The following error message will be generated during the
install process while attempting to run STSetup.exe and after selecting the
Server ID:
Error encountered in local server, server name not found in name and
address book
Note: IBM WebSphere Portal is not discussed in this chapter. Integration with
WebSphere Portal is addressed in Chapter 8, Domino 6.5.1 Extended
Products with WebSphere Portal on page 405. In addition, we recommend
that you also refer to the official Lotus Domino 6.5.1 Extended Products
Integration Guide, which is available as an additional material to this book.
See Appendix A, Additional material on page 543 for details about
downloading this documentation.
Important: Lotus Instant Messaging and Web Conferencing can be installed
on a Domino partitioned server running on an IBM Eserver iSeries platform.
Installing Lotus Instant Messaging for iSeries is not covered in this book.
6.1 Single machine deployment
As we mentioned in the introduction to this chapter, companies, IT specialists, or
technical sales representatives might be interested in knowing how to install
Domino 6.5.1 and a subset of the Extended Products on a single machine to
demonstrate a collaborative environment as a proof of concept. Although this is
not a supported configuration and would never be recommended for a
production environment, we want to illustrate that it can be done and describe
how to configure the subset of products to provide a collaborative environment.
The purpose of this section is to describe the appropriate steps to configure
Lotus Instant Messaging and Web Conferencing, Lotus Domino Document
Manager, Lotus Domino Web Access, and Lotus Team Workplace on one
physical server. It is important to follow the steps in order to avoid any port
conflicts and interoperability issues. As a directory strategy in a single machine
deployment, we authenticate with a pure Domino Directory.
In this deployment scenario, we used an IBM Netfinity 5600 server running
Microsoft Windows 2000 Advanced Server with Service Pack 4. The server has
two 1 gigahertz Pentium III processors, 2 gigabytes of RAM, one network
interface card, and two partitions.
Figure 6-1 on page 312 illustrates a high-level topology for a single machine
deployment.
Note: Although we chose to use the native Domino Directory for
authentication for the sake of simplicity in a proof of concept, it is also possible
to access the Domino Directory through LDAP.
Figure 6-1 Topology for a single machine deployment
6.1.1 Installing Lotus Domino and Interim Fix 1
All the Extended Products install on top of the IBM Lotus Domino server. For a
single machine deployment, the physical machine needs to have two instances
of Domino running.
Important: When you run the installation of Lotus Domino 6.5.1, make sure
that you do not select the Partitioned Server Installation options, as shown in
Figure 6-2. This deployment consists of two instances of Domino running on
the same physical machine, and not two partitions. Accordingly, do not select
the Partitioned Server Installation option when installing each instance of the
Domino server.
Figure 6-2 Do not select Partitioned Server Installation
For load balancing and performance reasons, we are going to deploy Lotus
Domino Web Access and Lotus Team Workplace on Instance1 and Lotus
Domino Document Manager and Lotus Instant Messaging and Web
Conferencing on Instance2.
6.1.2 Installing Instance1
First, you need to install a Lotus Domino 6.5.1 server and Interim Fix 1
(Instance1). Refer to 4.2.1, Initial Domino installation on page 91 for details
about the installation of Domino and Interim Fix 1.
Configuring ports to avoid conflicts
Because this machine is going to be running two instances of Domino, we need
to change the NRPC port to avoid any conflicts. After the Domino server is
running, edit the notes.ini and add TCPIP_TCPIPAddress=0,1.2.3.4:13520, where
1.2.3.4 is replaced with the machine's IP address, and then restart Domino. This
will now bind the NRPC port to 13520 for the Domino server. To verify that Lotus
Domino is now listening on Port 13520, open up a command prompt and issue a
netstat -a command, as shown in Figure 6-3 on page 314.
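One way to confirm the port layout of this section from the server's own output, as an added example that is not from this book: the Python below reads the TCPIP_TCPIPAddress line and a numeric netstat -an listing, then reports ports that clash between the two instances or are not listening. The sample input is constructed, the function names are hypothetical, and ports 80 and 1352 for the services left unchanged are assumed defaults.

```python
import re

# Constructed notes.ini fragment and `netstat -an` excerpt for one machine.
# 192.0.2.10 and 192.0.2.44 are documentation addresses, not from the page.
NOTES_INI = """[Notes]
TCPIP_TCPIPAddress=0,192.0.2.10:13520
"""

NETSTAT = """
  Proto  Local Address          Foreign Address        State
  TCP    0.0.0.0:80             0.0.0.0:0              LISTENING
  TCP    0.0.0.0:1352           0.0.0.0:0              LISTENING
  TCP    0.0.0.0:8003           0.0.0.0:0              LISTENING
  TCP    192.0.2.10:13520       0.0.0.0:0              LISTENING
  TCP    192.0.2.10:13520       192.0.2.44:1067        ESTABLISHED
"""

# Port plan for the single machine deployment: 13520 and 8003 come from the
# page; 80 and 1352 are the assumed defaults for the unchanged services.
PLAN = {
    "Instance1": {"NRPC": 13520, "HTTP": 80},
    "Instance2": {"NRPC": 1352, "HTTP": 8003},
}

_BIND = re.compile(r"^[ \t]*TCPIP_TCPIPAddress[ \t]*=[ \t]*0[ \t]*,"
                   r"[ \t]*([0-9.]+):(\d+)[ \t]*$",
                   re.MULTILINE | re.IGNORECASE)


def nrpc_binding(notes_ini_text):
    """Return (ip, port) from TCPIP_TCPIPAddress=0,<ip>:<port>, or None."""
    m = _BIND.search(notes_ini_text)
    return (m.group(1), int(m.group(2))) if m else None


def listeners(netstat_text):
    """Return {port: set(local_ips)} for TCP sockets in the LISTENING state."""
    found = {}
    for line in netstat_text.splitlines():
        fields = line.split()
        if (len(fields) == 4 and fields[0].upper() == "TCP"
                and fields[3].upper() == "LISTENING"):
            ip, _, port = fields[1].rpartition(":")
            if port.isdigit():        # skip names shown when -n is omitted
                found.setdefault(int(port), set()).add(ip)
    return found


def plan_conflicts(plan):
    """Ports claimed by more than one instance/service on the same machine."""
    owners = {}
    for instance, services in plan.items():
        for service, port in services.items():
            owners.setdefault(port, []).append(f"{instance}/{service}")
    return {port: who for port, who in owners.items() if len(who) > 1}


def verify(notes_ini_text, netstat_text, plan):
    """Return a list of findings; an empty list means the layout checks out."""
    findings = []
    for port, who in sorted(plan_conflicts(plan).items()):
        findings.append(f"port {port} is claimed by {' and '.join(who)}")
    live = listeners(netstat_text)
    for instance, services in plan.items():
        for service, port in services.items():
            if port not in live:
                findings.append(f"{instance} {service}: nothing listening on {port}")
    binding = nrpc_binding(notes_ini_text)
    if binding is None:
        findings.append("TCPIP_TCPIPAddress is not set in notes.ini")
    else:
        ip, port = binding
        bound = live.get(port, set())
        if ip not in bound and "0.0.0.0" not in bound:
            findings.append(f"notes.ini binds NRPC to {ip}:{port} but it is not listening")
    return findings


if __name__ == "__main__":
    print(verify(NOTES_INI, NETSTAT, PLAN) or "port layout OK")
```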
Note: Lotus Workflow is not covered in this chapter. Lotus Workflow can be
installed on the same server that is running Domino Document Manager.
Figure 6-3 Netstat -a from a DOS command prompt
In order for a Lotus Notes client to connect to the server through NRPC (now
changed to 13520), you need to create a Server Connection document in the
Local Name and Address Book. On the Advanced tab of the Connection
document, for the destination server address, you need to append :13520 to
either the IP address or fully qualified Internet host name of the machine that
Domino is running, as shown in Figure 6-4.
Figure 6-4 Lotus Notes Server Connection document
Note: If the physical machine has multiple network interface cards, refer to
6.3.5, How to bind Internet Protocols on a multiport server on page 334.
After Domino is running, you can register users for Notes mail or Domino Web
Access. Before moving on to the next step, you should verify that users are able
to access their mail over HTTP and NRPC.
To enable Instant Messaging awareness for Domino Web Access, you must first
complete 6.1.4, Installing Lotus Instant Messaging and Web Conferencing on
page 316. In addition to installing an Instant Messaging and Web Conferencing
server, there are some files that need to be copied from the Lotus Instant
Messaging and Web Conferencing Java Toolkit. Refer to 4.5.2, Defining the
Instant Messaging server for users on page 126 for the complete steps for
configuring Domino Web Access with Instant Messaging and Web Conferencing
integration.
6.1.3 Registering another server (Instance2)
The next step is to register another server (Instance2). Register the server only;
do not run setup.exe for Instance2. We cover the setup of Instance2 in 6.1.4,
Installing Lotus Instant Messaging and Web Conferencing on page 316. Before
we set up the Lotus Instant Messaging and Web Conferencing server
(Instance2), we need to change the HTTP port to avoid any conflicts. Now that
the server has been registered, we need to modify the Server document for
Instance2 and change the HTTP TCP/IP port number to 8003 (see Figure 6-5 on
page 316).
For the two Domino instances to communicate, we need to create
server-to-server Connection documents for both servers. When you add a
Connection document from Instance2 to Instance1, you need to include the
optional network address and append :13520.
In addition, you need to configure Domino single sign-on (SSO). This is not
covered in this chapter; refer to Configuring single sign-on (SSO) on page 102.
Figure 6-5 Server document
6.1.4 Installing Lotus Instant Messaging and Web Conferencing
To install a second instance of Domino running on the same physical machine,
we need to modify the registry. Before modifying the registry, you must shut
down Domino Instance1.
In the Windows registry for the server, navigate to
HKEY_LOCAL_MACHINE\SOFTWARE\Lotus\Domino and delete the subfolder
titled 1, as shown in Figure 6-6.
Figure 6-6 Windows registry
After closing the registry, you can now run setup.exe to install a Lotus Domino
6.5.1 server and Interim Fix 1 (Instance2). When you go through the setup
procedures, it is important that you specify a different Program directory and
Data directory for Instance2.
When configuring the Domino server setup for Instance2, you need to start
Instance1. During the server setup, when you get to the window to provide the
system databases for this Domino server, make sure that you enter the optional
network address with :13520 appended to the IP address or fully qualified
Internet host name (see Figure 6-7).
Figure 6-7 Lotus Domino Server setup
To install the Lotus Instant Messaging and Web Conferencing server on top of
Instance2, we need to shut down both Instance1 and Instance2. When setting up
the directory type, select Domino Directory. When setting up server
connectivity, do not select the allow tunneling option.
Now, you should be able to start both instances of Domino. A second Lotus
Domino Server window opens, as shown in Figure 6-8.
Figure 6-8 Two instances of Domino running on one physical machine
Now that your instant messaging server is running, you need to populate the
Person documents with the correct Lotus Instant Messaging and Web
Conferencing server name. To verify that the Instant Messaging and Web
Conferencing server is running, issue a Show Tasks Only command, as shown in
Figure 6-9 on page 320.
Figure 6-9 Domino Show Tasks Only command
To connect to the Lotus Instant Messaging and Web Conferencing server over a
browser, you can type the following address:
http://fully.qualified.servername:8003/STCenter.nsf
Where fully.qualified.servername is the fully qualified Internet host name or IP
address of the server.
6.1.5 Installing Domino Document Manager
The next step is to install Domino Document Manager on top of Instance2. First,
we need to make sure that Instance1 and Instance2 are not running. Follow the
procedure described in 4.7, Domino Document Manager server on page 161
for complete installation steps.
After setup is complete, start Instance2 and create a library from the Lotus Notes
client. When creating the master library, make sure you enter the proper HTTP
host name. Because we modified the Instance2 Server document for the HTTP
TCP/IP port number, this needs to be appended at the end of the HTTP Host
name, as shown in Figure 6-10 on page 321.
Note: After the fully qualified Internet host name or IP address, you must enter
:8003, because we changed the HTTP TCP/IP port number to 8003.
Also make sure that you enable Instant Messaging and Web Conferencing
integration for this library and specify the Instant Messaging and Web
Conferencing (formerly Sametime) server name. When you specify the Instant
Messaging and Web Conferencing server for the library, you will need to create
an alias host name to map to the physical IP address of the server.
Figure 6-10 Lotus Domino Document Manager Master Library Creation
Important: When you specify the Instant Messaging and Web Conferencing
server, you cannot use the IP address or fully qualified Internet host name of
the actual server. Lotus Domino Document Manager is unable to connect
unless you trick the server into thinking the Instant Messaging and Web
Conferencing server is a different machine.
In our deployment, we entered st.cam.itso.ibm.com as the Instant Messaging
and Web Conferencing server. If you are going to access Domino Document
Manager over a Web browser on the same machine that Domino is running, you
need to modify the hosts file to map the IP address to this host name. If you plan
to access Domino Document Manager over a Web browser on a different
machine, that machine would need either an entry in the hosts file or an entry in
DNS. In either case, you should make sure that your workstation can ping the
fully qualified Internet host name of the Instant Messaging and Web
Conferencing server alias and return the correct IP address.
After the master library has been created with file cabinets and binders, you can
access Document Manager over HTTP. To connect to the Domino Document
Manager server over a browser, type the following address:
http://fully.qualified.servername:8003/domdoc/ebsdocumentlibrarylib.nsf
where fully.qualified.servername is the fully qualified Internet host name or IP
address of the server and ebsdocumentlibrarylib.nsf is the master library
database name.
Note: After the fully qualified Internet host name or IP address, you must enter
:8003, because we changed the HTTP TCP/IP port number to 8003.
When you type the URL to access Domino Document Manager, the logon
window will be that of Lotus Instant Messaging and Web Conferencing (formerly
Sametime), as shown in Figure 6-11, because Lotus Instant Messaging and Web
Conferencing is installed on the server. After you enter the user name and
password, the browser interface for Document Manager opens, as shown in
Figure 6-12 on page 323.
Figure 6-11 Document Manager logon window
The customization of logon windows is not discussed in this book. Refer to the
Lotus Domino Administrator 6.5.1 Help for creating Internet Site documents.
Figure 6-12 Domino Document Manager through a Web browser
Lotus Domino Document Manager can also integrate with the Lotus Instant
Messaging and Web Conferencing server to see who is online. For complete
instructions about how to set up Domino Document Manager and Lotus Instant
Messaging and Web Conferencing, refer to 4.7.5, Post-configuration integration
on page 171.
6.1.6 Installing Lotus Team Workplace
We are going to deploy Team Workplace on Instance1. Before we can install
Lotus Team Workplace, we need to modify the registry. Make sure that both
Instance1 and Instance2 are not running. Open up the Windows registry and
navigate to HKEY_LOCAL_MACHINE\SOFTWARE\Lotus\Domino.
Inside the Domino folder, you need to modify the Path and DataPath entries to
point to the Program directory and Data directory for Instance1. The default
entries in the registry will be for Instance2 because that was the last
installation of Domino, as shown in Figure 6-13 on page 324.
Figure 6-13 Windows registry modification
Important: If you attempt to install IBM Team Workplace without modifying the
Windows registry, you will get an error message. When Team Workplace runs
through the installation process, it checks these registry settings for the install
path. Even if you attempt to browse to the correct path, you will be unable to
install, and an error message will be generated, as shown in Figure 6-14 on
page 325.
Figure 6-14 Team Workplace setup error
After the Team Workplace (formerly QuickPlace) task is running, verify that you
can access the Team Workplace server by typing:
http://fully.qualified.servername/quickplace
Log on with the QuickPlace administrator user name and password. After you
have logged on to Team Workplace, you need to configure the directory for
Team Workplace. To configure the directory, select Server Settings -> User
Directory. Select Domino Server as the Directory Type and list the fully
qualified Internet host name of the server for the Directory Name.
See Figure 6-15 on page 326.
Figure 6-15 Lotus Team Workplace directory structure
In order for IBM Team Workplace to have instant messaging awareness, you
need to install the Lotus Instant Messaging and Web Conferencing 6.5.1 Java
Toolkit. You can also use the Lotus Instant Messaging and Web Conferencing
(Sametime) 3.1 Java Toolkit, as shown in Figure 6-16.
Figure 6-16 Sametime Java Toolkit
For Team Workplace to integrate with Instant Messaging and Web Conferencing,
refer to 4.6.3, Post-configuration integration on page 146. When following the
steps in 4.6.3, Post-configuration integration on page 146, you must substitute
the Team Workplace directory with Instance1 and the Lotus Instant Messaging
and Web Conferencing directory with Instance2.
6.2 Multiple machine deployment
A multiple machine deployment of the Lotus Domino Extended Products can be
used by small volume businesses. We still recommend that each Domino
Extended Product be installed on a separate physical server. Customers might
want to reduce administrative tasks by installing two Domino Extended Products
on one physical server.
IBM will not support a single machine deployment of all the Domino Extended
Products. Therefore, an important question for many customers is, "How many
products can we run on one physical machine?" Due to some of the restrictions
and unsupported configurations described in the introduction of this chapter,
installing all the Domino Extended Products in a supported configuration
requires a minimum of two separate physical servers.
We are going to deploy a supported environment involving Lotus Instant
Messaging and Web Conferencing and Lotus Domino Document Manager
installed on one machine and Domino Web Access and Lotus Team Workplace
installed on another machine. For a supported environment, the Lotus Team
Workplace server needs to authenticate with an LDAP server. All other Domino
Extended Products (with the exception of WebSphere Portal) can use pure
Domino Directory for authentication.
This deployment is intended for a small-to-medium business, or for limiting
the number of resources in a demilitarized zone (DMZ). This type of environment
is for a limited number of end users and should not be deployed in a large-scale
environment.
6.2.1 Installing/configuring Domino Web Access and Team Workplace
Lotus Domino Web Access and Lotus Team Workplace can be installed on the
same machine in a supported manner. The first step is to install Lotus Domino
and Interim Fix 1. Depending on the environment, users can access their mail
through Domino Web Access, Domino Web Mail, POP3, IMAP, Lotus Notes client
interface, or any combination of these.
Note: Lotus Workflow is not covered in this chapter or in this specific
deployment scenario. Lotus Workflow can be installed on the same server that
is running Lotus Domino Document Manager for a supported configuration.
For details about installing Lotus Workflow, see 4.8.1, Initial Lotus Workflow
installation on page 180.
The installation of Lotus Team Workplace is straightforward. Refer to 4.6.1,
Initial Team Workplace installation on page 139 for the installation and
configuration of Team Workplace. In order for Lotus Team Workplace, Domino
Web Access, or Lotus Notes to use instant messaging and awareness features,
you will still need to copy some files. To make Domino Web Access and Team
Workplace integrate with Instant Messaging and Web Conferencing, refer to
4.6.3, Post-configuration integration on page 146.
After Lotus Team Workplace has been installed, you need to point the application
to an LDAP server for authentication. Any Version 3 LDAP server, including
Domino, can be used as the LDAP server. For our scenario, we decided to
enable the Domino Web Access/Team Workplace server for LDAP. Then in the
Team Workplace server configuration, we pointed the application to its fully
qualified domain name, as shown in Figure 6-17.
Figure 6-17 Team Workplace directory settings
6.2.2 Installing/configuring Instant Messaging and Document Manager
The installation and configuration of Lotus Instant Messaging and Web
Conferencing and Domino Document Manager is similar to the procedure used if
they were to be installed on separate machines. The only difference is that to
integrate Domino Document Manager with Lotus Instant Messaging and Web
Conferencing, you do not have to copy additional files between servers. This
deployment requires fewer steps than if the two Extended Products were to be
installed on separate machines. For the procedures to install Lotus Instant
Messaging and Web Conferencing, refer to 4.3.1, Initial Instant Messaging and
Web Conferencing installation on page 110. For instructions about how to install
and configure Lotus Domino Document Manager, refer to 4.7.3, Initial Domino
Document Manager installation on page 165.
6.3 Basic performance tuning
After you have multiple Extended Products installed on one physical machine,
there are some basic performance tuning tips to better use your Lotus Domino
server. Getting the most resources from your Domino server will allow more
users access with fewer bottlenecks. Performance tuning is up to the Domino
Administrator, and the following sections are just some recommendations. It is
important to keep in mind what functionality your Domino server needs and what
type of environment you have configured. In some cases, to increase Domino
performance, you might need to upgrade hardware or software.
6.3.1 Modifying Domino tasks
When you install Lotus Domino, there are several tasks that get added into the
notes.ini file by default, as shown in Figure 6-18 on page 330. In many cases
(depending on your specific organization's Domino environment), not all of these
tasks need to be running on the Domino server. To improve
performance, it can be beneficial to review which tasks are loading by default,
and when appropriate, remove some tasks from the notes.ini file. This will
prevent tasks from loading when the server starts up. Decisions about removing
these tasks should only be made by a knowledgeable system administrator who
understands the requirements of the environment.
Note: This section is not intended to provide a comprehensive review of
possible performance tuning measures for your Domino environment. Instead,
it is just intended to review some of the basic parameters and settings. For a
more thorough review of performance tuning, we recommend that you review
Domino 6.5.x performance-related articles on the Lotus Developer Domain
site, available at:
http://www.lotus.com/ldd
Figure 6-18 Default tasks in the notes.ini
Table 6-1 provides a brief overview of some of the server tasks that are loaded by
default. One of the tasks that might be worth reviewing (and ultimately might not
be required in your Domino environment) is the Billing task. Unless this is a
specific function that you are using on your Domino server, this is an example of
a task that can be removed to help optimize Domino performance.
Table 6-1 List of several default server tasks
| Task | Task name | Description |
|---|---|---|
| Administration process | AdminP | Automates a variety of administrative tasks. |
| Agent manager | AMgr | Runs agents on one or more databases. |
| Billing | Billing | Collects all generated billing information. |
| Calendar Connector | Calconn | Processes requests for free-time information from another server. |
| LDAP Server | LDAP | Enables a Domino server to provide LDAP directory services to LDAP clients. |
| Replicator | Replica | Replicates databases with other servers. |
| Router | Router | Routes mail to other servers. |
| Schedule manager | Sched | Returns meeting times and dates and available invitees. |
| Stats | Stats | Generates statistics for a remote server on demand. |
| DIIOP | DIIOP | Allows Java applets/applications to access Domino data remotely using CORBA. |
For more information about these tasks, refer to the Lotus Domino Administrator
6.5.1 Help database.
6.3.2 Modifying Person documents
One important performance improvement on Domino mail servers is to modify
the Format preference for incoming mail field in Person documents. The way in
which end users retrieve their mail is critical to how to set this field. There are
three different configuration settings for this field (see Figure 6-19):
- Prefers MIME: Messages in Notes Rich Text Format are converted to MIME
  when delivered to the user's mail file. This is the preferred setting for users
  who access mail using POP3 or IMAP.
- Prefers Notes Rich Text: Messages in MIME format are converted to Notes
  Rich Text Format when delivered to the user's mail file.
- Keep in sender's format: Mail is delivered to the user's mail file in the format
  specified by the sender. Lotus Domino does not convert the format. This is the
  preferred setting for users who access mail using a Notes 5 or Notes 6 client.
  This is also the preferred setting if the end user retrieves mail through Domino
  Web Access or IBM Web Mail.
Figure 6-19 Person document in the Domino Directory
These settings are controlled by the Domino Administrator. When the router task
delivers a message to a mail file, the format can be in either MIME format or
Notes Rich Text Format. If a message is converted (meaning it was in MIME
format and is now converted to Notes Rich Text, or vice versa), there can be a
loss of message fidelity. The default setting in Lotus Domino 6.5.1 is Keep in
sender's format. However, if you upgrade the Domino Directory from Domino
4.6, this value is set to Prefers Notes Rich Text.
Note: If you still have Lotus Notes 4.x clients, performance will be improved by
having this value set to Prefers Notes Rich Text. The Lotus Notes 4.x client
cannot handle documents in MIME format.
6.3.3 Modifying Location documents
Any time the Domino server has to do a conversion on a message, this
impairs server performance. In the Lotus Notes client Location document, there
is a setting that controls the format in which messages addressed to the Internet
are built. On the Mail tab, the field Format for messages addressed to
internet addresses can be set to one of the following values:
- MIME Format
- Notes Rich Text Format
Figure 6-20 Location document in Lotus Notes client
The recommended value for this field is MIME Format. If a user creates a memo
and the recipient's address is an Internet address (for example,
john_smith@ibm.com) instead of a Notes address (for example, john
smith/support@ibm), the message will be constructed in the MIME format. If the
message is addressed to a recipient outside of the local Internet domain or
domains, the message must be in MIME format in order to transfer the message
through SMTP. If the Location document is set to Notes Rich Text Format, the
SMTP Domino server has to do a Notes Rich Text Format to MIME conversion,
which causes more overhead on the server.
Note: If you still have Lotus Notes 4.x clients, the Location documents must be
set to Notes Rich Text Format. The Lotus Notes 4.x client cannot create
documents in MIME format.
6.3.4 Modifying server memory
There is a notes.ini parameter to help monitor the amount of memory that is
allocated to Domino when the application starts up. This parameter can be used
to tune memory management if you are running Domino partitioned servers or
have multiple instances of Domino running on one partition (not supported). The
default behavior of Domino is to assume that it has 100% of the system memory
available to it.
Using the parameter PercentAvailSysResources=<value between 2 and 100>
assigns a portion of memory to Domino. The value represents a percentage of a
system's total physical memory. For example, if you want to dedicate 75% of
system memory to Domino, add the following line to the notes.ini file:
PercentAvailSysResources=75
This effectively leaves a percentage of memory for other applications. To follow
through with the example, a Domino server on a system with 2 GB of RAM and
the notes.ini setting PercentAvailSysResources=75 would reserve 1.5 GB for
itself and 0.5 GB for additional resources.
This parameter is primarily used for partitioned servers. For example, if you have
a server with two Domino partitions and want to control the memory resources
allocated to each partition, you could set the notes.ini on Partition1 to
PercentAvailSysResources=60 and the notes.ini on Partition2 to
PercentAvailSysResources=40. In this scenario, Partition1 would use 60% of the
system memory resources and Partition2 would use 40%.
Another use for PercentAvailSysResources is with a Citrix MetaFrame or
Microsoft Windows terminal server. For example, if there are 200 data directories
on the terminal server, the notes.ini file in each client Data directory could
contain the parameter PercentAvailSysResources=5. This limits each user on the
terminal server to only 5% of the server's system memory.
Important: Make sure that the sum of the values you specify in each partition
does not exceed 100%. To reserve system memory for other applications, you
can choose values that total less than 100%.
In a Lotus Domino environment, the private and shared memory must reside in
a limited virtual address space, which is usually 4 gigabytes. You can encounter
error messages if Domino runs out of virtual memory or shared memory. If your
Domino server produces the following error message, or any task reports an
Insufficient memory error, you should implement the notes.ini
parameter ConstrainedSHM=1:
PANIC: Cannot attach to shared memory region, due to insufficient access
(probably owned by another user or group)
The parameter ConstrainedSHM=1 restricts shared memory to the following
set of default sizes, depending on the operating system:
- Microsoft Windows and Macintosh: 2 GB
- IBM AIX: 2.25 GB
- Sun Solaris and Linux: 3 GB
- IBM Eserver iSeries: 2 GB
Note: If you use the PercentAvailSysResources parameter, you should not
use the NSF_Buffer_Pool_Size parameter unless IBM Lotus Support
recommends it.
6.3.5 How to bind Internet Protocols on a multiport server
If the physical machine has multiple network interface cards (NICs), it is
beneficial to bind different protocols to different NICs. This can be used by
machines running one instance of Domino or machines running multiple server
instances (not supported) or partitions of Domino. In Domino, the following
listening tasks can be configured:
- SMTP
- ICM
- IMAP
- LDAP
- POP3
The default behavior for Domino is to use the first TCP/IP port listed in the
PORTS= line in the notes.ini file. In order to change the NIC to which a
certain port will bind, you need to add the following line in the notes.ini file:
<PROTOCOL>NotesPort=<TCPPORTNAME>
For example, if the physical server has two NIC cards, first you need to define
two TCP ports. In Figure 6-21, we define two port names (TCPIP and TCPEXT).
Next, you need to map each port name with the static IP addresses of the NIC
cards. In our scenario, you want to replace 1.2.3.4 with the IP address of NIC 1
and 5.6.7.8 with the IP address of NIC 2. Then, you can use the notes.ini
parameter to bind an Internet Protocol to a port name.
Figure 6-21 Lotus Domino notes.ini file
In our test environment, we had two NIC cards. One NIC card was used for all
ports and internal connectivity. The second port was used only by the SMTP
listener task.
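The following added example (not part of the original Redbook) audits the notes.ini settings from 6.3.4 and 6.3.5 across partitions: it checks each PercentAvailSysResources value and their sum, flags NSF_Buffer_Pool_Size used alongside it, and resolves which port name and IP address each listener task binds to. The notes.ini contents are constructed, because Figure 6-21 is not reproduced here; the port definition and `<port>_TcpIpAddress=0,a.b.c.d:0` lines follow Domino's standard notes.ini form, and 192.0.2.10 is a placeholder address.

```python
LISTENERS = ("SMTP", "ICM", "IMAP", "LDAP", "POP3")  # listener tasks listed in 6.3.5

# Constructed sample notes.ini contents (not taken from Figure 6-21).
SAMPLE_PARTITIONS = {
    "Partition1": """
PORTS=TCPIP,TCPEXT
TCPIP=TCP, 0, 15, 0
TCPEXT=TCP, 0, 15, 0
TCPIP_TcpIpAddress=0,1.2.3.4:0
TCPEXT_TcpIpAddress=0,5.6.7.8:0
SMTPNotesPort=TCPEXT
PercentAvailSysResources=60
""",
    "Partition2": """
PORTS=TCPIP
TCPIP=TCP, 0, 15, 0
TCPIP_TcpIpAddress=0,192.0.2.10:0
IMAPNotesPort=TCPEXT
PercentAvailSysResources=50
NSF_Buffer_Pool_Size=268435456
""",
}


def parse_ini(text):
    """Return notes.ini settings as a dict keyed by lower-cased setting name."""
    settings = {}
    for line in text.splitlines():
        key, sep, value = line.strip().partition("=")
        if sep and not key.startswith("["):
            settings[key.strip().lower()] = value.strip()
    return settings


def defined_ports(settings):
    """Port names from the PORTS= line, in order."""
    return [p.strip() for p in settings.get("ports", "").split(",") if p.strip()]


def listener_bindings(settings):
    """Map each listener task to (port name, pinned IP address or None)."""
    ports = defined_ports(settings)
    default = ports[0] if ports else None  # Domino uses the first port in PORTS=
    bindings = {}
    for proto in LISTENERS:
        port = settings.get(proto.lower() + "notesport", default)
        raw = settings.get(port.lower() + "_tcpipaddress") if port else None
        # Address values have the form "0,a.b.c.d:0"; keep only a.b.c.d.
        addr = raw.split(",", 1)[-1].rsplit(":", 1)[0].strip() if raw else None
        bindings[proto] = (port, addr)
    return bindings


def audit(partitions):
    """partitions maps a partition name to its notes.ini text.

    Returns (findings, bindings) where bindings[name][protocol] = (port, ip).
    """
    findings, bindings, total = [], {}, 0
    for name, text in partitions.items():
        s = parse_ini(text)
        pct = s.get("percentavailsysresources")
        if pct is None:
            findings.append(f"{name}: PercentAvailSysResources not set (Domino assumes 100%)")
            total += 100
        elif not pct.isdigit() or not 2 <= int(pct) <= 100:
            findings.append(f"{name}: PercentAvailSysResources={pct} is outside 2-100")
        else:
            total += int(pct)
            if "nsf_buffer_pool_size" in s:
                findings.append(f"{name}: NSF_Buffer_Pool_Size is set together with "
                                "PercentAvailSysResources")
        bindings[name] = listener_bindings(s)
        defined = {p.lower() for p in defined_ports(s)}
        for proto, (port, addr) in bindings[name].items():
            if port is None or port.lower() not in defined:
                findings.append(f"{name}: {proto} bound to port {port!r}, "
                                "which is not in PORTS=")
            elif addr is None:
                findings.append(f"{name}: {proto} uses {port}, which has no pinned IP address")
    if total > 100:
        findings.append(f"PercentAvailSysResources values total {total}%, above 100%")
    return findings, bindings


if __name__ == "__main__":
    found, bound = audit(SAMPLE_PARTITIONS)
    for partition, listeners in bound.items():
        for proto, (port, addr) in listeners.items():
            print(f"{partition} {proto:5} -> {port} ({addr})")
    for finding in found:
        print("FINDING:", finding)
```

Reviewing the resolved bindings shows at a glance which listener tasks answer on which NIC, for example that only SMTP is reachable on the second address.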
Note: An enhancement request has been submitted to IBM Lotus Quality
Engineering to give Internet Protocol listener tasks the ability to bind to more
than one port.
6.3.6 When to enable transactional logging
Transactional logging is a method of writing out database changes to improve
performance and to ensure data integrity. Its main purpose is threefold:
- To improve performance on the Domino server through sequential writes to
  the transactional logs
- Better data integrity by avoiding inconsistencies and data corruption
- Faster server restart and crash recovery
To enable transactional logging, you need to have the appropriate ACL role to
modify the Server document under the Transactional Logging tab, as shown in
Figure 6-22 on page 336. For more information about transactional logging
settings, refer to the Lotus Domino Administrator 6.5.1 Help database.
Figure 6-22 Transactional Logging tab in the Server document
A transactional log is simply a binary file where transactions are written. The
transactions are saved in log extensions that have a .txn extension. The
transactional logs must be on a separate physical drive for there to be any
performance improvement. It is not sufficient to simply redirect the logs to a
separate partition or a separate logical drive. In general, if the transactional logs
are on a separate drive, a 10-20% improvement should be seen. However, if the
logs are put on the same drive, it is likely that there will be an approximately 60%
degradation.
When you enable transactional logging, all databases and mail.boxes are
enabled by default for transactional logging. However for performance reasons,
there are some databases that do not need to have transactional logging.
Databases that are constantly having data written to them (log.nsf, mail.box,
stlog.nsf, ddmtran, and so on), but do not contain critical data, do not need to be
enabled for transactional logging. In fact, enabling these for transactional logging
can cause excessive overhead on the server. You also do not need to enable
transactional logging for databases that have static data, such as help files and
reference files.
Note: Setting MailBoxDisableTXNLogging=1 in the notes.ini file will disable
transactional logging for the mail.box or mail.boxes created by Domino.
Tip: For the best performance, only the core system, core application, mail,
Team Workplace, and document library databases should have transactional
logging. Non-critical data that does not need to be restored in case of an outage
should be backed up nightly.
6.3.7 Modifying the number of mail.boxes
Additional mail.boxes are required on a server only when the amount of mail
traffic prevents the router from being able to effectively access the mail.box files,
which results in access conflicts. Access conflicts occur when other threads or
processes lock the mail.box, while another entry tries to access the mail.box and
is denied.
IBM recommends that when the percentage of access conflicts consistently
exceeds 2%, another mail.box should be created. This does not take into
account peak mail routing time periods, just the average time under normal mail
routing conditions.
To measure this percentage, you can use two statistics: Mail.Mailbox.Accesses
and Mail.Mailbox.AccessConflicts. These figures can be obtained by issuing a
show stat mail command on the Domino server console. Use those figures in
the following formula:
(Mail.Mailbox.AccessConflicts / Mail.Mailbox.Accesses) x 100 > 2.
If the result is greater than 2 on a consistent basis, a new mail.box is needed.
In general, four mail.boxes yield a maximum level of efficiency in most
environments. In some cases, having more than four mail.boxes could decrease
performance, because this gives the router more places to sweep for new
messages. This determination should be made on an as-needed basis.
If mail routing performance issues occur, and you suspect the number of
mail.boxes as a cause, you can always lower the number of mail.boxes. If the
issue persists, too many mail.boxes might be configured for that system.
To increase or decrease the number of mail.boxes on a server, complete the
following steps:
1. Open the Configuration document for that server.
2. On the Router/SMTP, Basics panel, enter a number in the Number of
mailboxes field.
3. Close and save the Configuration document.
4. Restart the Domino application.
Important: At least two mail.boxes are required to gather the appropriate
statistics for this formula.
Note: You can configure the number of mail.boxes between 1 and 10.
Note: The default number of mail.boxes on a server is one. When you view the
Configuration document, if no value is entered in the Number of mailboxes
field, then this defaults to only one mail.box.
6.3.8 Modifying HTTP threads
If the Lotus Domino server is going to be running as a Web server, there are
some configuration changes that can improve how the server handles HTTP
requests. These settings should be considered if you are running multiple Web
services on the Domino server.
One time-consuming setting that degrades performance is reverse DNS
lookups, as shown in Figure 6-23. When this feature is enabled, a reverse
DNS lookup is done for every connection to turn the client's IP address into a
host name for the HTTP log. DNS lookups slow performance because they
cause additional network transactions.
Figure 6-23 DNS lookup for HTTP in the Server document
Another important performance tuner for HTTP is the number of threads. In the
Server document, there is a setting under the Internet Protocols -> HTTP tab for
the number of active threads. The default value is 40 active threads. You can
change the number of active threads. IBM recommends that you specify 1 active
thread for every 10 Web mail users. For a single processor machine, you should
never set this value greater than 64 active threads. For a multiprocessor
machine, you should never set this value greater than 128.
To determine if you need to increase the number of active threads, on the
Domino console, issue the command Show Stat domino.active.threads.peak. If
the value returned is equal or close to the current value set in the Server
document, you should increase this value. If you find that you need to increase
the number of active HTTP threads beyond what is recommended, then you
should consider clustering and load balancing.
Internet Cluster Manager is a Domino server task. It runs on one or more Domino
servers that are members of a Domino cluster. The purpose of Internet Cluster
Manager is to redirect client requests to the host that can best service them. This
is done based on the clustered servers' awareness of the Domino Server
Availability Index and of which databases are housed on which server. Internet
Cluster Manager works as a redirector technology by sending 302 status codes
to clients to point them to the right server.
Tip: For an in-depth look at clustering strategies, see the article Predicting
Domino cluster performance, available at:
http://www.lotus.com/ldd/today.nsf/lookup/Predict_Cluster_Performance
6.3.9 Modifying HTTP memory caches
It is important to monitor the HTTP memory cache to improve performance on a
Domino Web Access server. Domino Web Access users pull their design
elements from two locations: Forms5.nsf and Forms6.nsf in the iNotes
subdirectory of the Domino Data directory. Design elements are cached by the
Web server in order to improve performance.
The default value is 128 elements. This should be sufficient, but depending on
the server load, it might be beneficial to increase this value. To modify this value,
you need to edit the Domino Server document under the Internet Protocols ->
Domino Web Engine tab, as shown in Figure 6-24.
Figure 6-24 Domino Server document
To monitor the HTTP memory cache, you need to issue a Show Stat Domino
command. Check the following values:
- Domino.Cache.Design.Count
- Domino.Cache.Design.MaxSize
- Domino.Cache.Design.DisplaceRate
If the count grows close to the MaxSize, or the DisplaceRate grows, increase the
size of the design cache in increments of 5 to 10.
You also want to monitor the user cache. If the count value nears the MaxSize
value, the DisplaceRate grows, or both, the Domino Administrator should
increase the size of the user cache in increments of 5 to 10. To monitor this
setting, you need to check the following values:
Domino.Cache.User.Count
Domino.Cache.User.MaxSize
Domino.Cache.User.DisplaceRate
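The checks from 6.3.7 and 6.3.9, as an added example that is not part of the original Redbook: it parses several show stat console captures, applies the mail.box access-conflict formula, and flags a design or user cache whose Count is near MaxSize or whose DisplaceRate is growing. The captures are constructed, and two thresholds are assumptions: "consistently" is taken to mean every capture exceeds 2%, and "close to" MaxSize is taken as 90%.

```python
import re

# "Name = value" lines as printed by show stat; non-numeric values are skipped.
STAT_LINE = re.compile(r"^\s*([A-Za-z][\w.]*)\s*=\s*(\d[\d,]*(?:\.\d+)?)\s*$")

# Constructed console captures, taken at three different times.
SAMPLE_CAPTURES = [
    """
  Mail.Mailbox.Accesses = 10000
  Mail.Mailbox.AccessConflicts = 250
  Domino.Cache.Design.Count = 100
  Domino.Cache.Design.MaxSize = 128
  Domino.Cache.Design.DisplaceRate = 0
  Domino.Cache.User.Count = 60
  Domino.Cache.User.MaxSize = 64
  Domino.Cache.User.DisplaceRate = 0
""",
    """
  Mail.Mailbox.Accesses = 20000
  Mail.Mailbox.AccessConflicts = 520
  Domino.Cache.Design.Count = 110
  Domino.Cache.Design.MaxSize = 128
  Domino.Cache.Design.DisplaceRate = 0
  Domino.Cache.User.Count = 64
  Domino.Cache.User.MaxSize = 64
  Domino.Cache.User.DisplaceRate = 3
""",
    """
  Mail.Mailbox.Accesses = 30,000
  Mail.Mailbox.AccessConflicts = 810
  Domino.Cache.Design.Count = 112
  Domino.Cache.Design.MaxSize = 128
  Domino.Cache.Design.DisplaceRate = 0
  Domino.Cache.User.Count = 64
  Domino.Cache.User.MaxSize = 64
  Domino.Cache.User.DisplaceRate = 7
""",
]


def parse_stats(console_text):
    """Return numeric statistics as {lower-cased name: float}."""
    stats = {}
    for line in console_text.splitlines():
        match = STAT_LINE.match(line)
        if match:
            stats[match.group(1).lower()] = float(match.group(2).replace(",", ""))
    return stats


def conflict_pct(stats):
    """(AccessConflicts / Accesses) x 100, or None when no accesses are recorded."""
    accesses = stats.get("mail.mailbox.accesses", 0)
    if not accesses:
        return None  # the statistics are only gathered with two or more mail.boxes
    return round(stats.get("mail.mailbox.accessconflicts", 0) / accesses * 100, 2)


def cache_pressure(samples, cache, near=0.9):
    """Reasons to grow the 'design' or 'user' cache, judged over all samples."""
    if not samples:
        return []
    prefix = f"domino.cache.{cache}."
    first, last = samples[0], samples[-1]
    count, max_size = last.get(prefix + "count"), last.get(prefix + "maxsize")
    reasons = []
    if count is not None and max_size and count >= near * max_size:
        reasons.append("count near MaxSize")
    if last.get(prefix + "displacerate", 0) > first.get(prefix + "displacerate", 0):
        reasons.append("DisplaceRate growing")
    return reasons


def review(captures, threshold=2.0):
    """Apply the 6.3.7 formula and the 6.3.9 cache checks to a list of captures."""
    samples = [parse_stats(text) for text in captures]
    pcts = [conflict_pct(s) for s in samples]
    return {
        "conflict_pcts": pcts,
        # Assumption: "consistently" means every capture is above the threshold.
        "add_mailbox": bool(pcts) and all(p is not None and p > threshold for p in pcts),
        "design_cache": cache_pressure(samples, "design"),
        "user_cache": cache_pressure(samples, "user"),
    }


if __name__ == "__main__":
    for key, value in review(SAMPLE_CAPTURES).items():
        print(f"{key}: {value}")
```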
6.4 Minimum and recommended hardware requirements
Before installing Lotus Domino and Extended Products, it is important that you
have the essential hardware and software. When installing multiple instances
and Domino partitions, it is most important to make sure that the physical
machine has the minimum requirements. All of the required and supported
hardware configurations can be found in the Administration Help databases and
Release Notes.
Operating system patches, service packs, and other updates are not specified in
this chapter. Note that operating system vendors frequently release updates. For
the most recent information regarding updates, contact your local Lotus Support
representative or go to the Lotus Support Services online at:
http://www.ibm.com/software/lotus/support
6.4.1 Lotus Notes 6.5.1
Table 6-2 lists the supported configurations for Lotus Notes.
Table 6-2 Lotus Notes supported configurations
| Platform | Microsoft Windows 95/98 | Windows 2000/XP | Macintosh | Windows NT |
|---|---|---|---|---|
| Supported operating system versions | Windows 95 (second edition); Windows 98 | Windows 2000 Professional; Windows XP Professional | Macintosh OS 10.1.x; Macintosh OS 10.2.x | Windows NT 4 |
| Processors supported | Intel Pentium | Intel Pentium | Power PC | Intel Pentium |
| RAM | 64 MB minimum; 128 MB or more recommended | 128 MB minimum; 256 MB or more recommended | 128 MB minimum; 256 MB or more recommended | 64 MB minimum; 256 MB or more recommended |
| Disk space required for installation only | 275 MB required | 275 MB required | (OS 10) 250 MB required | 275 MB required |
| Monitors supported | Color monitor required | Color monitor required | Color monitor required, 256 colors or greater | Color monitor required |
| Protocols supported | | | | |
| NetBEUI/NetBIOS (1) | Yes | Yes (Windows 2000); No NetBEUI (Windows XP) | No | Yes |
| NetBIOS over IP (2) | Yes | Yes | No | Yes |
| NetBIOS over IPX | Yes | Yes | No | Yes |
| SPX | Yes | Yes | No | Yes |
| SPX II | No | No | No | Yes |
| TCP/IP | Yes | Yes | Yes | Yes |
| X.PC | Yes | Yes | Yes | Yes |
Note: The Lotus Notes client is supported on Citrix Metaframe XPe FR3 on
Windows 2000 and Windows 2003 Server using Windows NT and MAC ICA
clients. For additional information, see the Citrix support statement in the
Release Notes, available at:
http://www.lotus.com/ldd/doc
6.4.2 Lotus Domino Administrator 6.5.1
Table 6-3 lists the supported configurations for Lotus Domino Administrator.
Table 6-3 Domino Administrator supported configurations
| Platform | Windows 98 | Windows 2000/Windows XP | Windows NT |
|---|---|---|---|
| Supported operating system versions | Windows 98 | Windows 2000 Professional; Windows XP Professional | Windows NT 4 |
| Processors supported | Intel Pentium | Intel Pentium | Intel Pentium |
| RAM | 64 MB minimum; 256 MB or more recommended | 128 MB minimum; 256 MB or more recommended | 64 MB minimum; 256 MB or more recommended |
| Disk space required for installation only | 275 MB required | 275 MB required | 275 MB required |
| Monitors supported | Color monitor required | Color monitor required | Color monitor required |
| Protocols supported | | | |
| NetBEUI/NetBIOS (1) | Yes | Yes (Windows 2000); No NetBEUI (Windows XP) | Yes |
| NetBIOS over IP (2) | Yes | Yes | Yes |
| NetBIOS over IPX | Yes | Yes | Yes |
| SPX | Yes | Yes | Yes |
| SPX II | No | No | Yes |
| TCP/IP | Yes | Yes | Yes |
| X.PC | Yes | Yes | Yes |
6.4.3 Lotus Domino Designer 6.5.1
Table 6-4 lists the supported configurations for Lotus Domino Designer.
Table 6-4 Lotus Domino Designer supported configurations
| Platform | Windows 98 | Windows 2000/Windows XP | Windows NT |
|---|---|---|---|
| Supported operating system versions | Windows 98 | Windows 2000 Professional; Windows XP Professional | Windows NT 4 |
| Processors supported | Intel Pentium | Intel Pentium | Intel Pentium |
| RAM | 64 MB minimum; 256 MB or more recommended | 128 MB minimum; 256 MB or more recommended | 64 MB minimum; 256 MB or more recommended |
| Disk space required for installation only | 275 MB required | 275 MB required | 275 MB required |
| Monitors supported | Color monitor required | Color monitor required | Color monitor required |
| Protocols supported | | | |
| NetBEUI/NetBIOS (1) | Yes | Yes (Windows 2000); No NetBEUI (Windows XP) | Yes |
| NetBIOS over IP (2) | Yes | Yes | Yes |
| NetBIOS over IPX | Yes | Yes | Yes |
| SPX | Yes | Yes | Yes |
| SPX II | No | No | Yes |
| TCP/IP | Yes | Yes | Yes |
| X.PC | Yes | Yes | Yes |
6.4.4 Lotus Domino server 6.5.1
In this section, we cover the minimum requirements for Windows platform
servers. If you want to know the minimum requirements for other operating
systems, refer to the release notes. Table 6-5 lists the supported configurations
for Lotus Domino server.
Table 6-5 Lotus Domino server supported configurations
| Platform | Windows 2000 | Windows NT | Windows 2003 |
|---|---|---|---|
| Supported operating system versions | Windows 2000 Server; Windows 2000 Advanced Server | Windows NT 4 Intel | Windows 2003 Server Standard Edition; Windows 2003 Server Enterprise Edition |
| Processors supported | Intel Pentium | Intel Pentium | Intel Pentium |
| RAM | 128 MB minimum; 192 MB or more recommended | 128 MB minimum; 192 MB or more recommended | 256 MB minimum |
| Disk space | 1 gigabyte minimum; 1.5 gigabyte or more recommended | 1 gigabyte minimum; 1.5 gigabyte or more recommended | 1 gigabyte minimum; 1.5 gigabyte or more recommended |
| Disk swap space | Two times the physical RAM installed | Two times the physical RAM installed | Two times the physical RAM installed |
| Monitors supported | Color monitor required | Color monitor required | Color monitor required |
| Protocols supported | | | |
| NetBEUI/NetBIOS (1) | Yes | Yes | Yes |
| NetBIOS over IP (2) | Yes | Yes | Yes |
| NetBIOS over IPX | Yes | Yes | Yes |
| SPX | Yes | Yes | Yes |
| SPX II | Yes | Yes | Yes |
| TCP/IP | Yes | Yes | Yes |
| X.PC | Yes | Yes | Yes |
Note: Operating systems other than Windows are not covered in this section.
Refer to the release notes for additional information about AIX, Linux, Sun
Solaris, IBM Eserver iSeries, z/OS, and Linux on zSeries.
6.4.5 Lotus Instant Messaging and Web Conferencing 6.5.1
In this section, we outline the requirements for Lotus Instant Messaging and Web
Conferencing.
Server requirements
Lotus Instant Messaging and Web Conferencing requires one physical machine
for installation that meets these requirements:
Operating system: Microsoft Windows 2000, Windows 2003, IBM Eserver
iSeries, AIX 5L Version 5.2, Sun Solaris 8, or Sun Solaris 9
CPU: Pentium II 400 MHz (or higher)
RAM: 512 MB minimum; 1 GB (or higher) recommended
Disk space: 500 MB minimum; 1 GB (or higher) free disk space
recommended to allow space for meetings
Disk swap space: 64 MB
Network software: TCP/IP network software installed
Browser: Refer to Table 6-6 on page 346
Client requirements
The client system requirements for operation with the Lotus Instant Messaging
and Web Conferencing server and multimedia services include:
Operating system: Windows 2000, AIX 5L Version 5.2, Sun Solaris 8, or
Citrix.
CPU: Pentium II 266 MHz (or higher).
RAM: 128 MB RAM (or higher).
Sound card: A full duplex sound card is required to participate in interactive
audio/video meetings. A half duplex sound card is required to enable a user to
listen to audio meetings that are broadcast by the IBM Lotus Instant
Messaging Broadcast Services.
Microphone and speakers: High-quality microphones are recommended.
Avoid microphones with on and off switches unless they are of high quality. A
headset that contains a boom microphone performs best. If a desktop
microphone is used, a unidirectional dynamic microphone that uses batteries
is preferred.
Note: Ensure that the administrator who is logging on to the Windows
machine to perform the installation has full administration rights. If not, Lotus
Instant Messaging and Web Conferencing will not be installed properly.
Camera: A high-quality USB or PCMCIA PC camera is recommended. Do not
use parallel port cameras.
Table 6-6 Supported operating systems and browsers
| Client operating system browser support | Internet Explorer 6.0 | Internet Explorer 5.5 | Mozilla 1.1.4 |
|---|---|---|---|
| Windows 2000 Professional with SP3 | JVM 1.1 | JVM 1.1 | JVM 1.4.1 - Sun |
| Windows XP Professional with SP1 | JVM 1.1; JVM 1.4.1 | | JVM 1.4.1 - Sun |
| AIX 5L Version 5.2 | | | JVM 1.4 - IBM |
| Solaris 8; Solaris 9 | | | JVM 1.4.1 - Sun |
| Red Hat Enterprise Linux 3.0 Workstation | | | JVM 1.4.2 - SUN |
Instant Meeting Scheduling for Microsoft Exchange
To configure Instant Meeting Scheduling for Microsoft Exchange, you must have
the following hardware and software:
Software requirements:
Microsoft Exchange 2000 Conferencing Server: You must have an
Exchange Conferencing Server installed and running on a separate server
from your Lotus Instant Messaging and Web Conferencing server.
You must install the Exchange Conferencing Server on a server running
Windows 2000 Server or Windows 2000 Advanced Server. The Exchange
Conferencing Server must be in the same domain as the server running
Exchange. All conference calendar mailboxes and conference resources
for the conference technology must have Windows accounts on this
domain.
Important: To support conference resource objects and configuration
objects, you must have Active Directory installed in your organization.
The Exchange 2000 Server requires Active Directory to function
properly.
Microsoft Internet Information Services (IIS): You must have IIS installed
on the same site as a server running the Conference Management
service.
Lotus Instant Messaging and Web Conferencing 6.5.1 server.
Hardware requirements:
Processor: Intel Pentium 133 MHz processor minimum; Intel Pentium 400
MHz processor (or higher) recommended.
RAM: 128 MB minimum; 256 MB (or higher) recommended.
6.4.6 Lotus Team Workplace 6.5.1
You must install Lotus Team Workplace 6.5.1 on a Lotus Domino 6.5.1 server.
The software requirements to support Lotus Team Workplace are:
Server operating system: IBM AIX 5L Version 5.1 or 5.2; IBM Eserver
iSeries V5R1 or V5R2; Microsoft Windows 2000 Server or Advanced Server;
Microsoft Windows 2003 Server or Advanced Server; Sun Solaris 8 or 9
Client operating system: Microsoft Windows 2000 Professional; Microsoft
Windows XP Professional; Red Hat Linux 9; Red Hat Enterprise Linux 3.0
Workstation
Browsers: Microsoft Internet Explorer 5.5 on Windows with SP2 and Internet
Explorer Security Patch Q828750; Microsoft Internet Explorer 6 on Windows
with SP2 and Internet Explorer Security Patch Q828750; Mozilla 1.4.1 on the
supported versions of Red Hat Linux
LDAP V3 directories: Microsoft Active Directory on Windows 2000 Server;
Lotus Domino 5 or 6; IBM Tivoli Directory Server 4.1 or 5.1; IBM Tivoli Access
Manager 4.1 or 5.1; iPlanet/Sun ONE Server 5.1
Native office suites: Microsoft Office 2000, 2003, or XP
Authentication: Netegrity SiteMinder 5.5; Multi-Server/LTPA; Domino DSAPI
Important: Exchange automatically creates the Windows accounts for
the Lotus Instant Messaging and Web Conferencing Conference
Technology Provider (CTP) when you set the properties for a resource
in the Lotus Instant Messaging and Web Conferencing Management
component.
Restriction: Netegrity SiteMinder 5.5 is not supported for Lotus Team
Workplace servers running UNIX or iSeries.
Java Developers Kit (JDK): Version 1.3.1
6.4.7 Domino Document Manager 6.5.1
The following operating systems, clients, and browsers are required for Domino
Document Manager:
Operating system: Microsoft Windows 2003 Server; Microsoft Windows 2000
Server; Windows NT 4; AIX 5L Version 5.1 or 5.2; IBM Eserver iSeries
V5R1 or V5R2; Sun Solaris 8 or 9
Lotus Domino servers and Notes clients: 5.0.12, 6.0.3, 6.5, 6.5.1
Browsers: Netscape Communicator 4.78 or 4.79; Microsoft Internet Explorer
5.5 with SP2; Microsoft Internet Explorer 6
Domino Document Manager Desktop Enabler:
Microsoft Windows 2000 Professional; Microsoft Windows XP
Professional with SP3; Microsoft NT 4 with SP6a
128 MB RAM (or higher)
9 MB disk space to install the Desktop Enabler, plus additional space to
download temporary files from the Document Manager server
256 color display with a minimum of 800x600 resolution
Important: Refer to the Domino 6.5.1 server requirements for hardware in
6.4.4, "Lotus Domino server 6.5.1" on page 344.
Note: For information about platform system requirements, see the Lotus
Domino Document Manager Installation Guide.
Note: For information about Domino server and Notes client requirements
by platform, see 6.4.1, "Lotus Notes 6.5.1" on page 341 and 6.4.4, "Lotus
Domino server 6.5.1" on page 344.
Note: For information about the Domino Document Manager client (Desktop
Enabler) requirements, see the Readclnt.txt file located in the Document
Manager library.
6.4.8 Lotus Workflow 6.5.1
In this section, we outline the requirements for the Lotus Workflow components.
Lotus Workflow Viewer 6.5.1 and Lotus Workflow Architect 6.5.1:
Operating systems: Microsoft Windows NT 4; Microsoft Windows 2000
Professional; Microsoft Windows XP Professional
Lotus Notes: Release 5.0.12 (or later)
Processor: Intel Pentium
RAM: 128 MB RAM minimum; 256 MB (or higher) recommended
Other software: Lotus Workflow Engine 6.5.1 in a client/server
environment
Lotus Workflow Engine 6.5.1: Server:
Operating systems:
Microsoft Windows NT 4
Microsoft Windows 2000 running Lotus Domino R5.0.12 (or later)
Microsoft Windows 2003 running Lotus Domino R6.5 (or later)
IBM AIX 5L Version 5.2
Red Hat Linux Advanced Server 2.1 running Lotus Domino 6.5 (or later)
Sun Solaris 9
IBM Eserver iSeries V5R1
IBM z/OS V1R2
Linux on zSeries
Lotus Workflow Engine 6.5.1: Client
Operating systems: Microsoft Windows XP; Microsoft Windows 2000;
Microsoft Windows NT 4; Microsoft Windows 98
Processor: Intel Pentium
RAM: 128 MB RAM minimum; 256 MB (or higher) recommended
Lotus Workflow Engine 6.5.1: Browser client software
Internet Explorer 6.x or later on Windows
Netscape Communicator 4.7x on Windows
Mozilla 1.4.1 with Sun JRE 1.4.2 on Linux Red Hat 9/EL 3
Lotus Workflow Web Viewer 6.5.1
Operating systems:
Microsoft Windows XP
Microsoft Windows 2000
Microsoft Windows NT 4
Note: For non-Windows platforms, see Technote 7003217 for the latest
installation instructions and visit the Lotus Workflow Web site for the latest
installation information about supported platforms, available at:
http://www.lotus.com/home.nsf/welcome/domworkflow
Chapter 7. Integrating Domino 6.5.1 with a third-party LDAP directory
As part of the IBM Lotus continuing commitment to open standards and
interoperability, the integration capabilities inherent in the Domino 6.5.1 platform
enable organizations that do not use Domino mail or the Domino Directory to
easily deploy the 6.5.1 products into their existing technology landscape.
The open standards that are built into the Domino 6.5.1 platform enable any size
organization to gain the considerable benefits of the IBM Lotus collaboration,
instant messaging, and document management products, without having to
install and configure specialized software or to rip and replace the entire
underlying network operating system. The primary open standard that is built into
the Domino 6.5.1 platform that allows for this seamless integration is the
Lightweight Directory Access Protocol (LDAP).
LDAP is fast becoming the industry standard for accessing directory information
and for authentication and is popular with all types and sizes of organizations. It
allows heterogeneous environments and software products from different
vendors to integrate transparently.
This chapter describes how to configure the Extended Products in the Domino
6.5.1 platform to work with a third-party LDAP directory. In this chapter, we focus
on using Microsoft Active Directory as the third-party LDAP directory.
The Active Directory implementation of LDAP has a number of features that differ
from many other LDAP directory implementations. As such, it serves as a good
example of the considerations that have to be kept in mind (and many of the
pitfalls that can arise) when using a third-party LDAP directory.
For those of you unfamiliar with LDAP concepts, now might be an appropriate
time to review Chapter 3, "Directory and authentication considerations" on
page 67.
This chapter is organized as follows:
- "Before you begin with a third-party LDAP directory" on page 354
  This section provides a high-level overview of LDAP directory concepts and
  describes the prerequisite information you should gather before configuring
  any of the 6.5.1 products to use Active Directory or any other third-party
  LDAP directory.
- "Tools for understanding your LDAP directory" on page 355
  In this section, we discuss how to familiarize yourself with your LDAP
  directory and describe some important troubleshooting techniques and tools
  that should be used before configuring the 6.5.1 products for use with any
  third-party LDAP directory.
- "Differences between LDAP directories" on page 364
  In this section, we discuss the different interpretations and LDAP attributes
  associated with various vendor directories.
- "Configuring Lotus Instant Messaging for Active Directory" on page 365
  This section describes how to configure IBM Lotus Instant Messaging and
  Web Conferencing for use with Active Directory and how to set up search and
  authentication, together with steps about how to verify the configuration. As
  previously mentioned, the steps and methodology presented in this section
  can be applied to any third-party LDAP directory.
- "Configuring Lotus Team Workplace for Active Directory" on page 384
  This section describes how to configure IBM Lotus Team Workplace for use
  with Active Directory, together with the configuration changes required in
  Lotus Team Workplace to enable presence awareness, chat, and online
  meetings using Lotus Instant Messaging and Web Conferencing. Again, the
  steps and methodology presented in this section can be applied to any
  third-party LDAP directory.
- "Configuring Domino Document Manager and Active Directory" on page 401
  This section describes how to configure IBM Lotus Domino Document
  Manager for use with Active Directory, together with the configuration
  changes required in Lotus Domino Document Manager to enable presence
  awareness using Lotus Instant Messaging and Web Conferencing.
Note: Although this chapter focuses on using Microsoft Active Directory, the
configuration, testing, and troubleshooting methodology presented here can
be applied to any third-party LDAP directory (in most cases, without any or
only minor modifications).
Domino and LDAP directories
Although this chapter focuses on Active Directory, the Domino 6.5.1 platform can
use most LDAP v3 compliant directories, for example:
IBM Lotus Domino Directory
IBM Directory Server 5.x
Microsoft Active Directory
Sun ONE Directory
Novell e-Directory
Recommended further reading
If you are unfamiliar with LDAP concepts and terminology, refer back to
Chapter 3, "Directory and authentication considerations" on page 67.
If you are already familiar with LDAP concepts and terminology, but are looking
for more detailed information, see the recently published Lotus Security
Handbook, SG24-7017, available at:
http://www.redbooks.ibm.com/abstracts/sg247017.html
Important: Although your organization's LDAP directory might not appear in
this list, typically, any LDAP v3 compliant directory will work with the 6.5.1
platform. For example, the Exchange 5.5 Global Address List can be used as
an LDAP v3 compliant directory.
7.1 Before you begin with a third-party LDAP directory
As previously mentioned, the products that make up the Domino 6.5.1 platform
have the ability to work with an organization's existing LDAP directory (or
directories).
Before configuring any of the products in the Domino 6.5.1 platform to work with
an LDAP directory, there are a number of important points to consider:
- Ensure that the LDAP directory is V3 compliant. This can be achieved by
  looking at the value of the supportedldapversion attribute in the directory.
  Example 7-2 on page 358 gives an example of a search query that can be
  used to return the value of the supportedldapversion attribute.
- Familiarize yourself with the directory's LDAP schema, in particular, the
  names of the object classes and attributes. Although LDAP is an industry
  standard protocol, software vendors often implement certain LDAP features in
  a different way, so it is important to understand and be familiar with your LDAP
  directory schema. In 7.2, "Tools for understanding your LDAP directory" on
  page 355, we provide details about some of the tools that can help with this
  familiarization. For an explanation of any of these LDAP terms, refer to
  Chapter 3, "Directory and authentication considerations" on page 67.
- Determine if you will need a user name and password to connect to the LDAP
  directory. There are effectively two common methods of accessing an LDAP
  directory. The first method is anonymous access or the anonymous bind as it
  is commonly referred to. With anonymous bind, a user name and password
  are not required to access or search the contents of the LDAP directory.
  The second method involves having to specify a valid user name and
  password (commonly referred to as bind credentials) in order to access and
  search the LDAP directory. This method is commonly referred to as binding
  and is generally required by most organizations. Before configuring any of the
  Domino 6.5.1 products to use an LDAP directory, confirm with your
  organization's LDAP administrator to see if bind credentials are required.
- Make sure that the servers on which you will be installing the Domino 6.5.1
  products can query the LDAP directory server. There are a number of free
  tools that can be used for this. In 7.2, "Tools for understanding your LDAP
  directory" on page 355, we provide details about the tools we used in our
  testing.
  Confirming connectivity to the LDAP directory with one of these tools not only
  familiarizes you with the directory schema, but it also confirms that all servers
  that need access to the LDAP directory can connect to it successfully and
  search its contents.
- Ensure that you have network connectivity on the correct ports. By default,
  the LDAP protocol uses TCP/IP port 389 (port 636 when using SSL), so it is
  important to ensure that network connectivity on these ports is in place prior
  to configuring any of the Domino 6.5.1 products.
  Although your network administrator should be able to confirm connectivity
  using these ports, it is still important to use an LDAP browser type of tool to
  ensure that the LDAP directory can be searched correctly (see 7.2, "Tools for
  understanding your LDAP directory" on page 355 for more details about
  LDAP browsers).
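The V3 compliance check in the first point can be automated by reading the result of a base-scope query against the root of the directory (the query shown in Example 7-2). The following is an added example, not code from this redbook: it assumes the query output was saved in LDIF form, and the sample text, function names, and report fields are constructed for illustration.

```python
"""Added example: read a root DSE query result and check LDAP v3 support."""
import base64

# Constructed sample of LDIF-style output from a base-scope query with an
# empty search base. The host components reuse the lab names from this
# chapter; the values are illustrative only.
SAMPLE_ROOT_DSE = """\
dn:
supportedLDAPVersion: 3
supportedLDAPVersion: 2
namingContexts: DC=bscads,DC=cam,DC=itso,DC=ibm,DC=com
namingContexts: CN=Configuration,DC=bscads,DC=cam,DC=itso,DC=ibm,
 DC=com
vendorName:: RXhhbXBsZSBWZW5kb3I=
"""


def parse_ldif_entry(text):
    """Parse one LDIF entry into {lowercase attribute: [values]}.

    Handles the three LDIF features that trip up naive line splitting:
    folded lines (continuations start with one space), multi-valued
    attributes, and base64 values (marked with a double colon).
    """
    logical = []
    for raw in text.splitlines():
        if raw.startswith(" ") and logical:
            logical[-1] += raw[1:]          # unfold continuation line
        elif raw.strip() and not raw.startswith("#"):
            logical.append(raw)

    entry = {}
    for line in logical:
        name, sep, rest = line.partition(":")
        if not sep:
            raise ValueError("not an LDIF attribute line: %r" % line)
        if rest.startswith(":"):
            value = base64.b64decode(rest[1:].strip()).decode("utf-8")
        else:
            value = rest.strip()
        entry.setdefault(name.strip().lower(), []).append(value)
    return entry


def preflight(entry):
    """Summarize what the root DSE says about the directory."""
    versions = entry.get("supportedldapversion", [])
    problems = []
    if not versions:
        problems.append("supportedLDAPVersion was not returned; check that "
                        "the query used an empty base and base scope")
    elif "3" not in versions:
        problems.append("directory advertises only LDAP version(s) "
                        + ", ".join(versions))
    return {
        "v3": "3" in versions,
        "versions": versions,
        # Naming contexts are the starting points for choosing a search base.
        "search_base_candidates": entry.get("namingcontexts", []),
        "problems": problems,
    }


if __name__ == "__main__":
    report = preflight(parse_ldif_entry(SAMPLE_ROOT_DSE))
    for key, value in report.items():
        print("%-24s %s" % (key, value))
```
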
7.2 Tools for understanding your LDAP directory
Prior to working with the 6.5.1 products and LDAP, it is very important to
establish connectivity to your LDAP directory and understand your LDAP
directory schema. This section describes several approaches for performing
these tasks and the tools you can use to complete them.
7.2.1 Using an LDAP tool
One of the most important considerations for anyone who wants to configure the
Domino 6.5.1 products to use an LDAP directory is familiarization with the
directory's LDAP schema. Using an LDAP browser or similar tool is essential for
familiarizing yourself with the schema and is extremely helpful when specifying
things such as the attribute names that are required by the Domino 6.5.1
products.
Attribute names are one of the most common LDAP objects that vendors
implement differently from one another, so it is important to be able to view and
refer to them both prior to and during the configuration of the Domino 6.5.1
products. For example, in the Domino LDAP schema, a group is defined as per
the LDAP standard (RFC 2256) as groupofNames. However, Active Directory
refers to a group simply as group.
The first tool we explore is the LDAP browser. For our testing, we used an LDAP
browser from Softerra. A version of this tool containing limited functionality can
be downloaded for free at:
http://www.softerra.com
Figure 7-1 on page 356 illustrates the type of information and attributes that can
be viewed using an LDAP browser.
Figure 7-1 LDAP browser query
As can be seen from Figure 7-1, the LDAP browser has a Microsoft Windows
Explorer-type interface with the schema objects in the left window pane and the
attribute names and values associated with the schema objects in the right
pane.
In one search, you can gather the attributes for e-mail, distinguished name,
common name, and so on. Also, most LDAP browser-type tools such as this one
offer the ability to specify bind credentials to the LDAP directory, as well as
directory searching and data export features. See Figure 7-2 on page 357.
Figure 7-2 Specifying server settings and bind credentials in the LDAP browser
Using Ldapsearch.exe
Ldapsearch.exe is a commonly used and widely available command line utility
that can also be used to verify connectivity, authentication, and searching in an
LDAP directory without the need to install additional software.
Ldapsearch.exe is installed with all of the Domino 6.5.1 products and is also
installed with the Notes client. Ldapsearch.exe can be found and run from the
<install drive>:\LOTUS\DOMINO directory.
If you want to run an LDAP search from your workstation, and you have the
Notes client installed, Ldapsearch.exe can be found in the Notes Program
directory (typically, <install drive>:\Program Files\Lotus\Notes).
Example 7-1 Using Ldapsearch.exe to confirm connectivity to an LDAP directory
C:\Lotus\Domino>ldapsearch.exe -h bscads.cam.itso.ibm.com -D "CN=QP ADS,CN=Users,DC=bscads,DC=cam,DC=itso,DC=ibm,DC=com" -w password -b "CN=Users,DC=bscads,DC=cam,DC=itso,DC=ibm,DC=com" "(cn=Cara Delaney)"
Example 7-2 Verifying the LDAP directory version using Ldapsearch
C:\Lotus\Domino>ldapsearch.exe -h <hostname> -b "" -s base "objectclass=*"
The following list gives a brief explanation of the values we specified in our test
Ldapsearch query in Example 7-1:
-h is the LDAP server's host name. In our case, bscads.cam.itso.ibm.com.
-D is the fully distinguished user name to connect (or bind) to the LDAP
directory with. In our case: CN=QP ADS, CN=Users, DC=bscads, DC=cam,
DC=itso, DC=ibm, DC=com.
Where CN is the common name of the user, that is, QP ADS.
CN=Users and DC= are the various attribute-value pairs that combine to make
up the user's fully distinguished name.
-w is the password assigned to the user. In this case, the password was
password.
-b is the search base or location in the directory to search for user names and
groups. In Active Directory, users and groups exist under CN=Users.
Tip: Ldapsearch.exe has many options and flags. The following syntax was
successful during our testing because it confirmed network connectivity,
binding, and searching. Therefore, we recommend that you use this type of
search query when testing with your LDAP directory (see Example 7-1 and
Example 7-2):
ldapsearch -h <hostname> -D "<fully distinguished bind user name>" -w <bind password> -b "<search base>" "<user name>"
If your LDAP search is successful, be sure to make a note of the values you
used. These values can then be reapplied to the configuration steps for the
various Domino 6.5.1 products you want to use with the LDAP directory.
Pay particular attention to the use of quotation marks (") in the Ldapsearch
example above and ensure that they are included in your search query where
appropriate.
The final value is the common name of the user in the LDAP directory for
which you want to search. Common name is typically First Name Last Name,
and in our case, was the user Cara Delaney.
Figure 7-3 shows the results of a successful search with these values.
Figure 7-3 Successful results from Ldapsearch.exe
As can be seen in Figure 7-3, all the details for the user Cara Delaney that are
stored in Active Directory have been returned by the Ldapsearch query.
Comparing the results from the Ldapsearch query with our LDAP browser
confirmed the search results were complete and correct, as shown in Figure 7-4.
Figure 7-4 Comparing Ldapsearch results with an LDAP browser
The easiest way to confirm what the fully distinguished name of the user should
be is to use an LDAP browser.
Figure 7-5 shows how the fully distinguished name of the user QP ADS is
represented in the LDAP directory.
Figure 7-5 Confirming a distinguished name with an LDAP browser
Later in this chapter, we use the fully distinguished name and password of the
user QP ADS to bind to the LDAP directory when configuring Lotus Team
Workplace to use Active Directory. We also use another user's fully distinguished
name and password (ST ADS) for the same purpose when configuring Lotus
Instant Messaging and Web Conferencing to use Active Directory.
Important: Unlike most other LDAP directories, Active Directory uses a
slightly different naming convention for the fully distinguished name of users
and groups, specifically how it names the first organizational unit to which the
user belongs.
Most LDAP directories represent the various organizational units that make up
a user or group's fully distinguished name using either an "OU" and "O" or
"DC" naming convention. For example:
- Sun ONE directory represents Cara Delaney's fully distinguished name as:
  uid=CDelaney,OU=Users,DC=bscads,DC=cam,DC=itso,DC=ibm
- IBM Directory server represents Cara Delaney's fully distinguished name
  as:
  uid=CDelaney,DC=Users,DC=bscads,DC=cam,DC=itso,DC=ibm
- Domino LDAP represents Cara Delaney's fully distinguished name with an
  "OU" and "O" naming convention:
  CN=Cara Delaney,OU=Users,OU=bscads,OU=cam,OU=itso,O=ibm
Active Directory also uses a "DC" naming convention to represent the
organizational units, including the top level or "O", so the fully distinguished
name in our example above is represented by Active Directory as:
CN=Cara Delaney,CN=Users,DC=bscads,DC=cam,DC=itso,DC=ibm
However, in addition to using this "DC" naming convention, notice how the
second organizational unit in the user's name in Active Directory is
represented as "CN=" as opposed to, say, "OU=" or "DC=".
This subtle difference in naming convention is vital to note and understand
when configuring the Domino 6.5.1 products to work with Active Directory.
These differences in naming convention are invariably the cause of
configuration problems, especially in areas such as configuring presence
awareness and chat between Lotus Team Workplace and Lotus Instant
Messaging and Web Conferencing (see 7.5.6, "Configuring chat and presence
awareness in Team Workplace" on page 394 for more details).
Whichever LDAP directory your organization uses, be sure to use an LDAP
browser tool to understand what naming convention is being used for directory
objects and attributes.
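The naming conventions described above can be checked mechanically once a distinguished name has been copied out of an LDAP browser or an Ldapsearch result. The following is an added example, not code from this redbook: it splits a distinguished name into its components, reports which convention it follows, and compares two names the way a directory would (ignoring case and the spaces some tools print after commas). The function names and style labels are constructed for illustration; the sample names are the ones shown in this chapter.

```python
"""Added example: inspect the DN naming convention of an LDAP directory."""

# The four representations of the same user shown in this chapter.
PAGE_EXAMPLES = {
    "Sun ONE": "uid=CDelaney,OU=Users,DC=bscads,DC=cam,DC=itso,DC=ibm",
    "IBM Directory": "uid=CDelaney,DC=Users,DC=bscads,DC=cam,DC=itso,DC=ibm",
    "Domino": "CN=Cara Delaney,OU=Users,OU=bscads,OU=cam,OU=itso,O=ibm",
    "Active Directory": "CN=Cara Delaney,CN=Users,DC=bscads,DC=cam,DC=itso,DC=ibm",
}


def split_dn(dn):
    """Split a DN into (TYPE, value) pairs, leaf component first.

    Commas escaped with a backslash stay inside the value, and spaces
    printed after the separating commas are ignored.
    """
    rdns, current, escaped = [], [], False
    for ch in dn:
        if escaped:
            current.append(ch)
            escaped = False
        elif ch == "\\":
            current.append(ch)
            escaped = True
        elif ch == ",":
            rdns.append("".join(current))
            current = []
        else:
            current.append(ch)
    rdns.append("".join(current))

    pairs = []
    for rdn in rdns:
        attr, sep, value = rdn.lstrip().partition("=")
        if not sep or not attr.strip():
            raise ValueError("malformed name component: %r" % rdn)
        pairs.append((attr.strip().upper(), value))
    return pairs


def normalize_dn(dn):
    """Canonical form for comparison: no padding, case folded."""
    return ",".join("%s=%s" % (a, v.strip().lower()) for a, v in split_dn(dn))


def same_entry(dn_a, dn_b):
    """True when two DN strings name the same directory entry."""
    return normalize_dn(dn_a) == normalize_dn(dn_b)


def naming_style(dn):
    """Report the leaf attribute and the convention used above it."""
    pairs = split_dn(dn)
    parents = [attr for attr, _ in pairs[1:]]
    if "DC" in parents:
        non_dc = [attr for attr in parents if attr != "DC"]
        if "CN" in non_dc:
            style = "dc-with-cn-container"   # Active Directory: CN=Users
        elif "OU" in non_dc:
            style = "dc-with-ou"
        else:
            style = "dc-only"
    elif parents and parents[-1] == "O":
        style = "ou-o"
    else:
        style = "other"
    return {"leaf": pairs[0][0], "parents": parents, "style": style}


if __name__ == "__main__":
    for vendor, dn in PAGE_EXAMPLES.items():
        info = naming_style(dn)
        print("%-17s leaf=%-3s style=%s" % (vendor, info["leaf"], info["style"]))
```

Running `same_entry` on the name configured in one product and the name returned by the directory is a quick way to spot the mismatches that break presence awareness.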
Important points about search queries
In our example Ldapsearch query, we searched Active Directory by the user's
common name of CN=Cara Delaney.
We could have searched the directory with any attribute associated with the user.
For example, if we only knew the user's e-mail address, we could have amended
our search query to include the e-mail address of
Cara_Delaney@bscads.cam.itso.ibm.com.
However, before searching by the e-mail address (or any other attribute
associated with the user), we would need to first find out what the corresponding
attribute in Active Directory is that actually stores the user's e-mail address.
This is where an LDAP browser tool proves to be essential.
Using our LDAP browser, we can browse to the user's entry in Active Directory
and easily see that Active Directory stores the user's e-mail address in an
attribute called mail, as shown in Figure 7-6.
Figure 7-6 How the e-mail address is stored in Active Directory
The bold text in Example 7-3 shows how to amend the Ldapsearch query with
the information gathered with the LDAP browser and then search by e-mail
address.
Example 7-3 Using Ldapsearch to search by e-mail address
C:\Lotus\Domino>ldapsearch.exe -h bscads.cam.itso.ibm.com -D "CN=QP ADS,CN=Users,DC=bscads,DC=cam,DC=itso,DC=ibm,DC=com" -w password -b "CN=Users,DC=bscads,DC=cam,DC=itso,DC=ibm,DC=com" "(mail=Cara_Delaney@bscads.cam.itso.ibm.com)"
This Ldapsearch query returned exactly the same results as Figure 7-3 on
page 359; however, the results were obtained with a different attribute.
7.2.2 Confirming connectivity to your LDAP directory
After you select an LDAP browser tool and have a greater understanding of the
information it will provide, you can establish connectivity to your LDAP directory
and review its schema. See Figure 7-7.
Make a note of attribute names. For example, how does your schema reflect a
common name, e-mail address, or fully distinguished name? What delimiters are
used between attributes? What part or branch of the directory are you
searching?
Figure 7-7 Confirming connectivity to your LDAP directory
Important: It is extremely important to understand that an LDAP directory can
be searched by different attributes, and knowing how best to find the names of
those attributes is essential for successfully configuring the Domino 6.5.1
products to work with a third-party LDAP directory.
As will be seen later in this chapter, knowing this information (and more
importantly how to get it) is vital to successfully configuring bind credentials,
search filters, and authentication filters in the Domino 6.5.1 products.
Understanding these concepts also helps in determining what attribute or
attributes we will allow users to authenticate with.
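Search filters and authentication filters are built from an attribute name, such as cn or mail, and a value that is often typed by a user. The following is an added example, not code from this redbook or from any of the Domino 6.5.1 products: it builds such filters with the value escaped as required by RFC 4515, so that characters such as *, (, ) and \ are matched literally instead of changing the meaning of the filter. The function names and the choice of cn and mail as login attributes are assumptions for illustration.

```python
"""Added example: build LDAP search and login filters with escaped values."""
import re

# Characters that must be escaped inside a filter value (RFC 4515).
_FILTER_ESCAPES = {
    "\\": r"\5c",
    "*": r"\2a",
    "(": r"\28",
    ")": r"\29",
    "\x00": r"\00",
}

# Attribute names are letters, digits, and hyphens, starting with a letter.
_ATTRIBUTE_NAME = re.compile(r"[A-Za-z][A-Za-z0-9-]*")


def escape_filter_value(value):
    """Return value with filter metacharacters replaced by \\XX escapes."""
    return "".join(_FILTER_ESCAPES.get(ch, ch) for ch in value)


def attribute_assertion(attribute, value):
    """Build one (attribute=value) term, rejecting malformed attribute names."""
    if not _ATTRIBUTE_NAME.fullmatch(attribute):
        raise ValueError("not a valid attribute name: %r" % attribute)
    return "(%s=%s)" % (attribute, escape_filter_value(value))


def person_search_filter(attribute, value, object_class="organizationalPerson"):
    """Filter that finds person entries by a single attribute.

    The attribute name must be the one your directory actually uses,
    as found with an LDAP browser (for example, mail).
    """
    return "(&%s%s)" % (
        attribute_assertion("objectclass", object_class),
        attribute_assertion(attribute, value),
    )


def login_filter(login, attributes=("cn", "mail"),
                 object_class="organizationalPerson"):
    """Filter that matches a login name against several attributes."""
    if not login.strip():
        raise ValueError("empty login name")
    alternatives = "".join(attribute_assertion(a, login) for a in attributes)
    return "(&%s(|%s))" % (
        attribute_assertion("objectclass", object_class),
        alternatives,
    )


if __name__ == "__main__":
    # Constructed inputs: the e-mail address used in this chapter and a
    # value containing filter metacharacters.
    print(person_search_filter("mail", "Cara_Delaney@bscads.cam.itso.ibm.com"))
    print(login_filter("Cara Delaney"))
    print(login_filter("Delaney (Cara)*"))
```
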
7.3 Differences between LDAP directories
As previously mentioned, despite LDAP being an industry standard protocol,
software vendors often implement certain LDAP directory features in different
ways.
These differences (which are often very subtle in nature) tend to be the cause of
configuration issues with the Domino 6.5.1 products and can lead to much
frustration.
Table 7-1 shows some of the settings required to configure Lotus Instant
Messaging and Web Conferencing for an LDAP directory. The table highlights
how some of the values can differ depending on the LDAP directory being used.
Table 7-1 Examples of how LDAP settings can differ
| LDAP directory settings for Lotus Instant Messaging and Web Conferencing | Corresponding LDAP directory attribute |
|---|---|
| Where to start searching for people | Netscape and IBM Directory: O=DomainName; Sun ONE: DC=<domain>,DC=com; Domino: O=<certifier>; Exchange 5.5: CN=Recipients,OU=ServerName,O=DomainName |
| Attribute of a person entry that defines the person's e-mail address | Netscape, Sun ONE, Exchange 5.5, Domino, and IBM Directory: mail |
| The object class used to determine if an entry is a person | Netscape, Sun ONE, Exchange 5.5, Domino, and IBM Directory: organizationalPerson or Person |
| Where to start searching for groups | Netscape and IBM Directory: O=DomainName; Sun ONE: DC=<domain>,DC=com; Domino: Leave empty; Exchange 5.5: CN=Recipients,OU=ServerName,O=DomainName |
| Attribute of the group that defines the group name | Typically CN |
| The group object class used to determine if an entry is a group | Domino, Exchange 5.5, and IBM Directory: groupOfNames; Netscape and Sun ONE: groupOfUniqueNames |
Note: Table 7-1 does not exhaustively go through each setting required to
configure Lotus Instant Messaging and Web Conferencing for an LDAP
directory. It merely provides a few examples of how some of the LDAP
attribute names can differ depending on what LDAP directory is being used.
When configuring Lotus Instant Messaging and Web Conferencing or any of
the Domino 6.5.1 Extended Products for an LDAP directory, be sure to use an
LDAP browser type of tool to determine the attribute names to use for your
organization's LDAP directory.
7.4 Configuring Lotus Instant Messaging for Active Directory
This section provides the steps required to successfully configure Lotus Instant
Messaging and Web Conferencing (formerly called Sametime) to work with
Active Directory.
As previously mentioned, although this chapter focuses on Active Directory, the
techniques, troubleshooting tips, and methodology described throughout can be
applied to any third-party LDAP directory with little or no modification.
7.4.1 Prerequisites
Before configuring Lotus Instant Messaging and Web Conferencing to work with
Active Directory (or any other third-party LDAP directory), ensure that the
following prerequisites have been met (see 7.1, "Before you begin with a
third-party LDAP directory" on page 354 for more detailed information about
these prerequisites):
Ensure that the LDAP directory to be used is V3 compliant and preferably a
supported LDAP directory (see "Domino and LDAP directories" on page 353).
Important: If you are currently using Lotus Instant Messaging and Web
Conferencing with the Domino Directory and now want to switch to an LDAP
directory, refer to the instructions described in Converting Lotus Instant
Messaging and Web Conferencing to LDAP on page 294.
  Also, Example 7-2 on page 358 gives an example of a search query that can
  be used to ascertain the LDAP directory version.
- Familiarize yourself with the directory's LDAP schema, in particular the
  names of the object classes and attributes. Use an LDAP browser type of tool
  for this.
- Determine if you will need a user name and password to connect to the LDAP
  directory.
- Make sure that the server or servers on which you will be installing Lotus
  Instant Messaging and Web Conferencing 6.5.1 can query the LDAP
  directory server. See 7.2.1, "Using an LDAP tool" on page 355 for some of the
  tools that can be used to test connectivity.
- Ensure that you have network connectivity on the correct ports. By default,
  the LDAP protocol uses TCP/IP port 389 (port 636 if using SSL), so it is
  important to ensure that network connectivity on these ports is in place prior
  to configuring any of the Domino 6.5.1 products.
- Ensure that you select LDAP Directory as the directory type when installing
  Lotus Instant Messaging and Web Conferencing 6.5.1, and that you specify
  the host name and TCP/IP port to use. In most cases, the default port of 389
  (or 636 if using SSL) is sufficient.
- Make sure that you follow the installation procedure as described in 7.4,
  "Configuring Lotus Instant Messaging for Active Directory" on page 365 if you
  upgraded an existing Lotus Instant Messaging and Web Conferencing
  (Sametime) server to Release 6.5.1 and were previously using the Domino
  Directory (that is, you were not previously using an LDAP directory but now
  want to).
- Ensure that you have configured Web single sign-on if you plan to configure
  Lotus Team Workplace to work with Lotus Instant Messaging and Web
  Conferencing, as described in "Configuring single sign-on (SSO)" on
  page 102.
7.4.2 Lotus Instant Messaging authentication architecture
Before describing in detail the steps associated with configuring Lotus Instant
Messaging and Web Conferencing to use an LDAP directory, it is important to
review a brief overview of the Lotus Instant Messaging and Web Conferencing
authentication architecture.
This overview will assist you in understanding why certain LDAP-related
configuration is required in Lotus Instant Messaging and Web Conferencing, and
more importantly, where in Lotus Instant Messaging and Web Conferencing to
make the necessary changes for certain pieces of Lotus Instant Messaging and
Web Conferencing functionality (such as chat and meetings).
Lotus Instant Messaging and Web Conferencing is unique among the Domino
6.5.1 products in that it has several authentication layers. These layers can be
broadly categorized as:
- Domino authentication
- Connect client authentication
- Meeting and Web-based chat, using Instant Messaging (formerly Sametime)
  Connect for browsers, authentication
As a result of this layered authentication architecture, it is necessary to configure
various LDAP settings in a number of different places in Lotus Instant Messaging
and Web Conferencing:
- Directory Assistance database: Typically called DA.NSF. If you selected to
  use an LDAP directory when installing Lotus Instant Messaging and Web
  Conferencing, this database is created and configured automatically for you
  and no further configuration should be required.
  If you have upgraded your Instant Messaging and Web Conferencing server
  (and were previously using a Directory Assistance database) or are changing
  to a different LDAP directory, you will need to edit it to adjust the search and
  authentication filters and directory type in this database (see 5.4.9,
  "Converting from native Domino to Domino LDAP authentication" on
  page 289 for more details).
- STCenter.nsf: This is the Web-based administration interface for Lotus
  Instant Messaging and Web Conferencing. The configuration required here is
  discussed in detail in the next section, 7.4.2, "Lotus Instant Messaging
  authentication architecture" on page 366.
- STConfig.nsf: The settings specified in the STCenter.nsf database are stored
  in a document in the Lotus Instant Messaging and Web Conferencing
  Configuration database. Depending on the LDAP directory used by your
  organization, it might also be necessary to change certain settings in this
  database. An example of one such change is described in 7.4.4, "Modifying
  the STConfig.nsf database" on page 379.
7.4.3 Configuration steps for Instant Messaging with Active Directory
After all the prerequisites have been satisfied, use a browser to navigate to the
STCenter.nsf database on the Lotus Instant Messaging and Web Conferencing
server, click the Administer Server link, and complete the following steps:
1. Log on as the Lotus Instant Messaging and Web Conferencing administrator
(typically, this is the same user name and password as the server's Domino
Administrator).
2. Click the LDAP Directory link on the left navigator. This link expands to
reveal a number of sublinks. Click the Connectivity link. See Figure 7-8.
Figure 7-8 LDAP Directory - Connectivity settings
3. The values on the LDAP Directory - Connectivity page define how Lotus
Instant Messaging and Web Conferencing will connect to the LDAP server.
Enter the following values:
a. Host name or IP address of the LDAP server. Enter the host name or IP
address of the LDAP directory server. It is generally considered best
practice to use the host name. This means that the LDAP server's IP
address can be changed at any point in the future and Lotus Instant
Messaging and Web Conferencing will not have to be reconfigured. In our
case, the Active Directory server host name was
bscads.cam.itso.ibm.com.
b. Position of this server in the search order. It is possible for Lotus
Instant Messaging and Web Conferencing to use multiple LDAP
directories to search for users and groups (although typically an
organization will standardize on a single directory). If you are using only
one LDAP directory, leave this value set to 1.
c. Port. This value specifies the TCP/IP port to use for the LDAP directory.
The default is port 389, and for most organizations, this will be sufficient.
Some organizations designate a different port for security reasons; that
port can be specified here.
d. Administrator distinguished name. This is the user name that Lotus
Instant Messaging and Web Conferencing will use to bind to Active
Directory. In our case, this user was:
CN=ST ADS,CN=Users,DC=bscads,DC=cam,DC=itso,DC=ibm,DC=com
e. Administrator password. This is the password for the administrator
distinguished name.
Tip: Use an LDAP browser tool or an Ldapsearch.exe query to bind
using this administrator user name and password and see if you can
connect to and search the directory. The LDAP browser tool will also
confirm the exact syntax of the user's distinguished name (see 7.2.1,
"Using an LDAP tool" on page 355 for more details).
f. LDAP SSL port. If you are using the default TCP/IP LDAP port of 389,
you should be aware that search and authentication information between
servers communicating with the LDAP protocol is not encrypted in any
way. SSL is the most common way to encrypt such traffic and has to be
configured on the Domino server on which Lotus Instant Messaging and
Web Conferencing has been installed. See the Lotus Domino
Administrator 6.5.1 Help database for more details about how to configure
SSL.
Tip: If your organization decides to use SSL, configure the Lotus
Instant Messaging and Web Conferencing server without SSL first to
verify that you have LDAP connectivity and that all Lotus Instant
Messaging and Web Conferencing features and functions work as
expected with Active Directory.
After Lotus Instant Messaging and Web Conferencing functionality has
been successfully verified, configure SSL and re-test the Lotus Instant
Messaging and Web Conferencing server.
This approach will help eliminate the SSL configuration as being a
possible cause of Lotus Instant Messaging and Web
Conferencing/LDAP configuration issues.
g. Adding an LDAP Server. As previously mentioned, Lotus Instant
Messaging and Web Conferencing can be configured to use additional
LDAP directories for user and group searches. In general, most
organizations will standardize on a single directory (such as Active
Directory), because this helps simplify user and group administration and
authentication.
In our testing, we only used one Active Directory server, so this field was
left blank. See the Lotus Instant Messaging and Web Conferencing 6.5.1
Administrator Help database for more information about configuring
multiple LDAP servers.
4. Click the Update button at the bottom of the page.
5. On the left navigator, under LDAP Directory, click the Basics link. See
Figure 7-9 on page 371.
Figure 7-9 LDAP Directory - Basics settings
6. The values on the LDAP Directory - Basics page define how Lotus Instant
Messaging and Web Conferencing will search the directory for users and
groups. Enter the following values:
a. Where to start searching for people. This is the base or point in the
LDAP directory where Lotus Instant Messaging and Web Conferencing
will begin searching for user entries.
Active Directory stores users under the CN=Users directory container.
Therefore, for our Active Directory installation, the base was:
CN=Users,DC=bscads,DC=cam,DC=itso,DC=ibm,DC=com
We verified this using an LDAP browser tool, as shown in Figure 7-10.
Figure 7-10 Using an LDAP browser to verify search base for users and groups
Tip: Use an LDAP browser type of tool to verify where user and group
information is stored in your organization's LDAP directory and adjust
this value in Lotus Instant Messaging and Web Conferencing
accordingly.
b. Scope for searching for a person. This value defines the number of
levels in the directory (below the previously specified base) that Lotus
Instant Messaging and Web Conferencing will go to in order to find user
entries. If you have a large LDAP directory with many hierarchical levels,
you might want to limit the scope to only a few levels. The recursive
value means that Lotus Instant Messaging and Web Conferencing will
search the directory from the specified base downward.
c. The attribute of the person entry that defines the person's name. This
value defines which attribute in the directory that Lotus Instant Messaging
and Web Conferencing will treat as being the user's name. In most cases,
cn or common name (that is, First Name Last Name) is sufficient;
however, depending on your organization's requirements and naming
standards, this can be any unique attribute in the LDAP directory.
For example, if we had wanted the user name in Lotus Instant Messaging
and Web Conferencing to be the person's e-mail address, we would have
specified the corresponding Active Directory attribute mail for this value.
Tip: An LDAP browser type of tool is particularly useful here in
identifying the names of attributes that can be used for a user's name.
For example, in Active Directory, we could have specified the mail
(e-mail address), givenName (first name), userPrincipalName (first name
last name @ domain), or sAMAccountName (Windows logon name)
attributes to be the user name.
d. Attribute used to distinguish between two similar person names. In
our testing, we only had a small number of users in Active Directory, so we
left this value blank. Depending on your organization's size, you might
need to identify a particular attribute in the LDAP directory (such as a
middle initial or employee serial number) to distinguish between users with
the same name.
e. Attribute of a person entry that defines the person's e-mail address.
In Active Directory, this attribute is called mail. Use an LDAP browser
type of tool to verify what this attribute is called in your organization's
LDAP directory.
f. The object class used to determine if an entry is a person. For Active
Directory (and most other third-party LDAP directories), this value is
organizationalPerson.
It is essential to specify the correct object class name here; otherwise,
directory searching and authentication will not work. Again, an LDAP
browser type of tool will easily tell you the object class that a person is
associated with in the LDAP directory, as shown in Figure 7-11 on
page 374.
Figure 7-11 Using an LDAP browser to find a person's object class
g. Where to start searching for groups. This is the base or point in the
LDAP directory where Lotus Instant Messaging and Web Conferencing
will begin searching for group entries.
Active Directory stores groups under the CN=Users directory container.
Therefore, for our Active Directory installation, the base was:
CN=Users,DC=bscads,DC=cam,DC=itso,DC=ibm,DC=com
Again, we verified this using our LDAP browser tool.
h. Scope for searching for groups. This value defines the number of levels
in the directory (below the previously specified base) that Lotus Instant
Messaging and Web Conferencing will go to in order to find group entries.
If you have a large LDAP directory with many hierarchical levels, you
might want to limit the scope to only a few levels. The recursive value
means that Lotus Instant Messaging and Web Conferencing will search
the directory from the specified base downward.
i. Attribute of the group that defines the group name. This value defines
which attribute in the directory Lotus Instant Messaging and Web
Conferencing will treat as being a group's name. In most cases, the
group's cn or common name is sufficient.
j. Attribute used to distinguish between two similar group names. In
our testing, we only had a small number of groups in Active Directory, so
we left this value to be the default of member. Depending on your
organization's size, you might need to identify a particular attribute in the
LDAP directory (such as department or location) to distinguish between
groups with the same name.
k. The group object class used to determine if an entry is a group. For
most third-party LDAP directories, this value is groupOfNames; however, for
Active Directory, this object class value is called group.
It is essential to specify the correct object class name here; otherwise,
directory searching for groups will not work. Again, an LDAP browser type
of tool will easily tell you the object class that a group is associated with in
the LDAP directory.
7. Click Update at the bottom of the page.
8. On the left navigator, under LDAP Directory, click the Authentication link.
9. The values on the LDAP Directory - Authentication page define how Lotus
Instant Messaging and Web Conferencing will authenticate users with Active
Directory. See Figure 7-12.
Figure 7-12 LDAP Directory - Authentication settings
Tip: If you are not able to log on to Lotus Instant Messaging and Web
Conferencing after you completed the configuration with Active Directory
(or any other third-party LDAP directory), it is likely that an error has been
made with the authentication settings specified on this page.
Re-visit the values on this page and verify their correctness using an LDAP
browser type of tool if necessary.
Enter the following values:
a. Search filter to use when resolving a user name to a distinguished
name. The value specified here governs how Lotus Instant Messaging
and Web Conferencing will search for the name a user specifies in order
to authenticate with the LDAP directory. In our testing with Active
Directory, we specified the following value:
(&(objectclass=organizationalPerson)(|(cn=%s)(givenname=%s)(sn=%s)(mail=%s)))
This value means that when a user specifies a user name to authenticate
with (represented by the %s variable), Lotus Instant Messaging and Web
Conferencing will search all the common name, given name, surname,
and e-mail address attributes in the Active Directory that are associated
with the organizationalPerson object class.
In other words, for all entries in the directory that are people, Lotus Instant
Messaging and Web Conferencing will search the common name, given
name, surname, and e-mail address attributes for the name that the user
specified.
It is vital to specify this value correctly; otherwise, users will not be able to
log on.
Tip: This search filter can be extended to include any number of
attributes. For example, if we want users to be able to authenticate with
their Active Directory principal name (first name last name @ domain),
we could easily extend the search query to include the corresponding
directory attribute, in this example, (userPrincipalName=%s).
Alternatively, we might want to limit how users authenticate and force
them to only use their common name (first name last name). In that
case, we could amend our search query to be:
(&(objectclass=organizationalPerson)(|(cn=%s)))
b. Home Lotus Instant Messaging and Web Conferencing (Sametime)
server. It is quite common for an organization to have more than one
Lotus Instant Messaging and Web Conferencing server. In such cases,
Lotus Instant Messaging and Web Conferencing needs to know which
attribute in the LDAP directory will store the name of the user's home
Lotus Instant Messaging and Web Conferencing server.
With the exception of the Domino LDAP directory, which has a Lotus
Instant Messaging and Web Conferencing server attribute, third-party
LDAP directories, including Active Directory, do not have a specific field to
store this information.
There are two ways to overcome this:
- Extend the schema of the LDAP directory and define a new attribute
  (for example, called homeSametimeServer) and associate this attribute
  with the organizationalPerson object class. This is not a trivial task
  and would require a skilled developer to make the necessary schema
  extensions.
- Use an attribute that already exists in the LDAP directory, but which is
  not populated with a value, to hold the name of the home Lotus Instant
  Messaging and Web Conferencing server. For example, in our testing,
  we stored the name of the user's home Lotus Instant Messaging and
  Web Conferencing server in the Users Home Web Page field of their
  person entry. This field corresponds to the LDAP attribute WwwHomePage,
  which can be specified in Lotus Instant Messaging and Web
  Conferencing.
Note: It is a generally recommended best practice to avoid
extending the LDAP directory's schema and to reuse an existing
attribute.
10. Click Update at the bottom of the page.
11. On the left navigator, under LDAP Directory, click the Searching link. See
Figure 7-13.
Figure 7-13 LDAP Directory - Searching settings
12. The values on the LDAP Directory - Searching page define how Lotus Instant
Messaging and Web Conferencing will resolve user names in the LDAP
directory. Enter the following values:
a. Search filter for resolving person names. For Active Directory, we
specified:
(&(objectclass=organizationalPerson)(|(cn=%s*)(givenname=%s*)(sn=%s*)(mail=%s*)))
This means that when resolving a person's name, Lotus Instant
Messaging and Web Conferencing will search the common name (first
name last name), given name (first name), surname (last name), and
e-mail address attributes in the LDAP directory.
As with all other user and group search filters specified in Lotus Instant
Messaging and Web Conferencing, they can be extended to include more
attributes, or reduced to force users into specifying a particular format of
user or group name.
b. Search filter for resolving group names. For Active Directory, we
specified:
(&(objectclass=group)(cn=%s*))
This means that when resolving group names, Lotus Instant Messaging
and Web Conferencing will search only for the group's common name.
Again, this search filter can be extended to include other attributes
associated with groups.
Note: The object class for groups in Active Directory is called group.
For most other third-party LDAP directories (including Domino LDAP),
this object class is called groupOfNames (as defined in the LDAP Internet
standard, in RFC 2256).
Use an LDAP browser type of tool to verify what the object class is
called in your organization's LDAP directory.
13. Click Update at the bottom of the page.
14. In the left navigator, under LDAP Directory, click the Group Contents link.
See Figure 7-14.
Figure 7-14 LDAP Directory - Group Contents settings
15. The values on the LDAP Directory - Group Contents page define how Lotus
Instant Messaging and Web Conferencing will resolve the members of
groups. Enter the following value:
How Lotus Instant Messaging and Web Conferencing (Sametime)
determines the members of a group in your organization. For Active
Directory (and most other third-party LDAP directories), this attribute is called
member.
16. Click Update at the bottom of the page.
Before restarting the server, you must also complete the configuration steps
described in 7.4.4, Modifying the STConfig.nsf database on page 379.
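The authentication and search filter templates from steps 9 and 12 can be checked offline before they are saved. The following Python code is an added example, not code from this book or from the product: it rejects malformed templates, substitutes a typed name for %s (escaping it per RFC 4515, which is this example's own choice, not a statement about how the product treats input), and evaluates the result against constructed entries in a placeholder DC=example,DC=com domain to show how many distinguished names a login name resolves to. Case-insensitive matching of all attributes is an assumption of the example.

```python
import re

# Filter templates of the kind configured in steps 9 and 12 (%s is the typed name).
AUTH_FILTER = "(&(objectclass=organizationalPerson)(|(cn=%s)(givenname=%s)(sn=%s)(mail=%s)))"
CN_ONLY_FILTER = "(&(objectclass=organizationalPerson)(|(cn=%s)))"
GROUP_FILTER = "(&(objectclass=group)(cn=%s*))"

# Constructed sample entries (placeholder domain, not the directory used in the text).
BASE = "CN=Users,DC=example,DC=com"
PERSON = ["top", "person", "organizationalPerson", "user"]
ENTRIES = [
    {"dn": f"CN=Troy Mclure,{BASE}", "objectclass": PERSON, "cn": ["Troy Mclure"],
     "givenname": ["Troy"], "sn": ["Mclure"], "mail": ["tmclure@example.com"]},
    {"dn": f"CN=Troy Adams,{BASE}", "objectclass": PERSON, "cn": ["Troy Adams"],
     "givenname": ["Troy"], "sn": ["Adams"], "mail": ["tadams@example.com"]},
    {"dn": f"CN=Lisa Chen,{BASE}", "objectclass": PERSON, "cn": ["Lisa Chen"],
     "givenname": ["Lisa"], "sn": ["Chen"], "mail": ["lchen@example.com"]},
    {"dn": f"CN=Sales Team,{BASE}", "objectclass": ["top", "group"],
     "cn": ["Sales Team"]},
]


def escape_value(text):
    """Escape the RFC 4515 special characters so typed input stays a literal."""
    return "".join(f"\\{ord(c):02x}" if c in "\\*()\x00" else c for c in text)


def _unescape(text):
    """Turn \\xx escapes back into the characters they stand for."""
    return re.sub(r"\\([0-9a-fA-F]{2})", lambda m: chr(int(m.group(1), 16)), text)


def _parse(text, pos):
    """Parse one parenthesised filter starting at pos; return (node, next_pos)."""
    if text[pos:pos + 1] != "(":
        raise ValueError(f"expected '(' at offset {pos}")
    pos += 1
    if text[pos:pos + 1] in ("&", "|", "!"):
        op, pos, children = text[pos], pos + 1, []
        while text[pos:pos + 1] == "(":
            child, pos = _parse(text, pos)
            children.append(child)
        if not children or (op == "!" and len(children) != 1):
            raise ValueError(f"operator {op} has the wrong number of operands")
        node = (op, children)
    else:
        end = text.find(")", pos)
        attr, sep, value = text[pos:max(end, pos)].partition("=")
        if end == -1 or not sep or not attr or "(" in value:
            raise ValueError(f"malformed item at offset {pos}")
        node, pos = ("=", attr.lower(), value), end
    if text[pos:pos + 1] != ")":
        raise ValueError(f"missing ')' at offset {pos}")
    return node, pos + 1


def parse_filter(text):
    """Parse a complete filter string; ValueError if it is not well formed."""
    node, pos = _parse(text, 0)
    if pos != len(text):
        raise ValueError(f"unexpected text at offset {pos}")
    return node


def is_well_formed(template):
    """True if the template parses once %s is replaced by a harmless value."""
    try:
        parse_filter(template.replace("%s", "x"))
        return True
    except ValueError:
        return False


def matches(node, entry):
    """Evaluate a parsed filter against one entry (case-insensitive values)."""
    if node[0] == "&":
        return all(matches(child, entry) for child in node[1])
    if node[0] == "|":
        return any(matches(child, entry) for child in node[1])
    if node[0] == "!":
        return not matches(node[1][0], entry)
    _, attr, value = node
    # An unescaped * is a wildcard; everything else must match literally.
    pattern = ".*".join(re.escape(_unescape(part)) for part in value.split("*"))
    return any(re.fullmatch(pattern, v, re.I | re.S) for v in entry.get(attr, []))


def resolve(template, typed_name, entries=ENTRIES):
    """Return the DNs that the template selects for the name a user typed."""
    tree = parse_filter(template.replace("%s", escape_value(typed_name)))
    return [entry["dn"] for entry in entries if matches(tree, entry)]


if __name__ == "__main__":
    for name in ("Troy", "Troy Mclure", "tmclure@example.com", "*"):
        print(f"{name!r:24} broad={len(resolve(AUTH_FILTER, name))} "
              f"cn-only={len(resolve(CN_ONLY_FILTER, name))}")
    print("unbalanced template accepted:",
          is_well_formed("(&(objectclass=group)(cn=%s*)"))
```

With the broad filter, the name "Troy" resolves to two distinguished names, while the cn-only filter resolves a full common name to exactly one entry and a bare first name to none.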
7.4.4 Modifying the STConfig.nsf database
During our testing, we discovered some issues with presence awareness and
case sensitivity that are particular to Active Directory.
For example, in some Lotus Instant Messaging and presence
awareness-enabled databases, we did not see presence awareness when
authenticating as an Active Directory user. We also found case sensitivity issues
with names in Active Directory in the Lotus Instant Messaging Connect client.
For example, a user can log on to the Lotus Instant Messaging and Web
Conferencing server using a lowercase distinguished name such as:
CN=Troy Mclure,CN=Users,DC=bscads,DC=cam,DC=itso,DC=ibm
If another user adds Troy Mclure to a contact list using the uppercase
distinguished name, as shown in the following text, Lotus Instant Messaging
presence awareness for Troy Mclure will not work:
CN=TROY MCLURE,CN=USERS,DC=BSCADS,DC=CAM,DC=ITSO,DC=IBM
This problem occurs because Active Directory does not enforce case-sensitivity
when returning the user's distinguished name (DN).
Active Directory returns the DN using the same case and spacing that was
entered by the user when authenticating to the server or when they added the
user to their Lotus Instant Messaging buddy list.
Because the Lotus Instant Messaging and Web Conferencing server requires
that the internal user ID be precisely the same each time it is returned, it
assumes that the lowercase Troy Mclure and the uppercase Troy Mclure are
different users and awareness does not function properly. This issue might also
result in Troy Mclure's display name appearing more than once in a user's buddy
list with various case formats.
To overcome this issue with Active Directory, you must carry out an additional
piece of configuration in the STConfig.nsf database.
In the STConfig.nsf database, you need to modify the LDAP Server document
and configure the Attribute of a person entry that defines the internal ID of
the Sametime user parameter.
This parameter must specify the distinguishedName directory attribute.
This parameter is not discussed in any Lotus Instant Messaging and Web
Conferencing documentation, so you must perform this additional procedure if
you are following the instructions in the Lotus Instant Messaging and Web
Conferencing documentation that explains how to set up a connection to an
LDAP server. This additional step is, however, described in the Lotus Instant
Messaging and Web Conferencing 6.5.1 Release Notes.
To modify this parameter, complete the following steps:
1. Use a Notes client to open the STConfig.nsf database on the Lotus Instant
Messaging and Web Conferencing server.
2. Open the LDAPServer document in the STConfig.nsf database (as shown in
Figure 7-15).
Figure 7-15 Modifying the LDAP Server document in STConfig.nsf
3. In the Attribute of a person entry that defines the internal ID of a Sametime
user field, enter the value distinguishedName and save the document, as
shown in Figure 7-16 on page 381.
Figure 7-16 Adding the distinguishedName parameter in STConfig.nsf
4. Close the STConfig.nsf database and restart the Lotus Instant Messaging
and Web Conferencing server.
Configuring the server in this way ensures that the Lotus Instant Messaging and
Web Conferencing server authentication and search operations always return
the value stored for a user in the distinguishedName attribute of the user's
person entry in Active Directory.
To function properly, the Lotus Instant Messaging and Web Conferencing server
LDAP directory search and authentication operations must return an internal
user ID when a user authenticates or adds another user to a buddy list.
Sametime requires this user ID to be precisely the same string (an exact
case-sensitive and space-sensitive match) each time it is returned.
If the Attribute of a person entry that defines the internal ID of the Sametime
user field is left blank, the Lotus Instant Messaging and Web Conferencing
authentication and search operations use the name as entered by the user (not
the distinguishedName attribute) as the user ID. Active Directory does not
guarantee that the user name entered by the user will always be returned in the
same case-sensitive and space-sensitive format.
Active Directory does, however, guarantee that the distinguishedName attribute
is always returned in the same case-sensitive format so that these awareness
problems do not occur if the distinguishedName attribute is used as the internal
user ID of the Lotus Instant Messaging and Web Conferencing user instead of
the name entered by the user.
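The effect of that field can be reproduced with a model of the behaviour described above. The following Python code is an added example, not part of this book or the product: it keys presence on the exact internal ID string and compares a blank setting with distinguishedName, using constructed DNs in a placeholder DC=example,DC=com domain. PresenceServer, internal_id, run_scenario and case_variants are names invented for the illustration, and the DN comparison assumes no escaped commas or multi-valued RDNs.

```python
# Constructed directory content: the distinguishedName values exactly as stored
# (placeholder domain, not the directory used in the text).
STORED_DNS = [
    "CN=Troy Mclure,CN=Users,DC=example,DC=com",
    "CN=Lisa Chen,CN=Users,DC=example,DC=com",
]


def canonical(dn):
    """Lookup key that ignores case and spacing, modelling a directory that
    matches DNs without regard to either."""
    parts = []
    for rdn in dn.split(","):
        attr, _, value = rdn.partition("=")
        parts.append(f"{attr.strip().casefold()}={' '.join(value.split()).casefold()}")
    return ",".join(parts)


def internal_id(typed_dn, id_attribute=""):
    """Model of the STConfig.nsf internal ID field: blank keeps the name as
    typed, 'distinguishedName' returns the value stored in the directory."""
    for stored in STORED_DNS:
        if canonical(stored) == canonical(typed_dn):
            return stored if id_attribute == "distinguishedName" else typed_dn
    raise LookupError(f"no entry matches {typed_dn!r}")


class PresenceServer:
    """Tracks who is online by exact, case- and space-sensitive internal ID."""

    def __init__(self, id_attribute=""):
        self.id_attribute = id_attribute
        self.online = set()
        self.buddies = {}

    def login(self, typed_dn):
        self.online.add(internal_id(typed_dn, self.id_attribute))

    def add_buddy(self, owner, typed_dn):
        ids = self.buddies.setdefault(owner, [])
        new_id = internal_id(typed_dn, self.id_attribute)
        if new_id not in ids:
            ids.append(new_id)

    def buddy_status(self, owner):
        """Map each buddy's internal ID to True if that exact ID is online."""
        return {b: b in self.online for b in self.buddies.get(owner, [])}


def run_scenario(id_attribute):
    """One user logs on in lowercase; another adds him twice in other forms."""
    server = PresenceServer(id_attribute)
    server.login("cn=troy mclure,cn=users,dc=example,dc=com")
    server.add_buddy("lisa", "CN=TROY MCLURE,CN=USERS,DC=EXAMPLE,DC=COM")
    server.add_buddy("lisa", "CN=Troy Mclure, CN=Users, DC=example, DC=com")
    return server.buddy_status("lisa")


def case_variants(ids):
    """Group internal IDs that differ only by case or spacing, which is the
    symptom of the blank setting in stored buddy lists."""
    groups = {}
    for internal in ids:
        groups.setdefault(canonical(internal), set()).add(internal)
    return [sorted(group) for group in groups.values() if len(group) > 1]


if __name__ == "__main__":
    for setting in ("", "distinguishedName"):
        status = run_scenario(setting)
        print(f"id_attribute={setting!r}")
        for buddy, online in status.items():
            print(f"  {buddy}: {'online' if online else 'offline'}")
        print(f"  variant groups: {case_variants(list(status))}")
```

With the blank setting the buddy list holds two entries for the same person and both show offline; with distinguishedName it holds one entry, and that entry shows online.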
7.4.5 Verifying the Lotus Instant Messaging configuration
After you complete the configuration steps in 7.4.3, "Configuration steps for
Instant Messaging with Active Directory" on page 367 and the additional steps in
7.4.4, "Modifying the STConfig.nsf database" on page 379, you should verify that
Lotus Instant Messaging and Web Conferencing is functioning properly.
Here are some recommended verification steps based on our testing:
1. Log on to the STCenter.nsf database as the Lotus Instant Messaging and
Web Conferencing administrator and verify that all the Lotus Instant
Messaging and Web Conferencing services are running.
2. Log out as the administrator and log back on as a user who exists in Active
Directory.
3. Click the Launch Sametime Connect for Browsers link and log on with your
Active Directory credentials. Verify that you are online and can add users and
groups from Active Directory to your buddy list.
4. Click the Schedule a meeting link and click the Log on to Sametime link.
Schedule a meeting to Start Now and verify that you can attend. From
another workstation, log on to the same meeting as another user in the Active
Directory and verify that you can both attend the meeting.
5. Finally, on your workstation, log on with your Lotus Instant Messaging
Connect client and verify you can add users and groups from Active Directory
to your buddy list.
Important: You must make sure that all Lotus Instant Messaging and Web
Conferencing users only exist in Active Directory. They cannot exist in the
Domino Directory or any additional LDAP directories that Lotus Instant
Messaging and Web Conferencing has been configured to use.
7.4.6 Troubleshooting Lotus Instant Messaging LDAP problems
In the event that you encounter some problems with Lotus Instant Messaging
and Web Conferencing after you have completed the LDAP directory
configuration and made the necessary changes to the STConfig.nsf database,
here are a few useful troubleshooting tips gathered from our testing:
- Check that the Lotus Instant Messaging and Web Conferencing server has
  network connectivity to the LDAP directory (in particular on the LDAP ports of
  389 or 636 if using SSL).
- If you cannot log on to Lotus Instant Messaging and Web Conferencing,
  check that the bind credentials are correct by doing an Ldapsearch.exe query
  or by using an LDAP browser (see 7.2.1, "Using an LDAP tool" on page 355).
- If the bind credentials are correct, re-verify that the search and authentication
  filters are set correctly for your particular directory. This is usually where most
  LDAP configuration problems occur (see Figure 7-9 on page 371 and
  Figure 7-12 on page 375).
- If you are unable to see or add users and groups to your Lotus Instant
  Messaging buddy list, check that the user and group filters are configured
  correctly for your directory (see Figure 7-13 on page 377 and Figure 7-14 on
  page 378).
There are also a number of useful debug parameters that can be set to assist
you with Lotus Instant Messaging and Web Conferencing and LDAP issues.
These parameters provide a high level of detailed information and not all of
them are required. We, therefore, recommend that you apply them only in
conjunction with the help of an IBM Lotus Support representative.
To trace Domino authentication problems (that is, if Domino is not binding
to the LDAP directory), the following parameters can be added to the
Lotus Instant Messaging and Web Conferencing servers Notes.ini file:
LOGLEVEL_NAME_MAPPING=1
WEBAUTH_VERBOSE_TRACE=1
DEBUG_SSO_TRACE_LEVEL=1 or 2
To trace Lotus Instant Messaging and Web Conferencing authentication
problems, the following parameters can be added to the Lotus Instant
Messaging and Web Conferencing servers Notes.ini file:
ST_DEBUG_FILE_NAME=<path and name of text file to log to>
VPCONFIG_TRACE=1
VPS_DEBUG_CONFIG=1
For Lotus Instant Messaging and Web Conferencing authentication
problems, the following parameters can also be added to the [Debug]
section of the Lotus Instant Messaging and Web Conferencing server's
Sametime.ini file. If the [Debug] section does not exist, you can create
one.
VP_LDAP_TRACE=1
VPS_AUTH_DEBUG=1
VPS_DEBUG_LOGIN_MSG=1
Note: Results from these last three parameters are stored in the <Domino
Install>\Traces\ST*.txt file on the Lotus Instant Messaging and Web
Conferencing server.
More information about these and other debug parameters can be found in the
Lotus Knowledge Base, available at:
http://www.lotus.com
7.5 Configuring Lotus Team Workplace for Active Directory
A Lotus Team Workplace (formerly called QuickPlace) server can connect to any
user directory on any server using LDAP Version 3x. In order for the Lotus Team
Workplace server to reach the Active Directory server, you will need the following
values:
Port number: By default, the Team Workplace server is set up to connect to
an LDAP server that uses port 389.
Search base: By default, no search base is specified, indicating that the
search base starts at the highest levels of the directory structure; however, for
some LDAP directories, it is necessary to specify a search base.
User name and password for connecting to the LDAP server.
7.5.1 Prerequisites
This section describes the prerequisites for configuring Lotus Team Workplace
for Active Directory.
Specifying a search base for group searches
By default, the search base you specify when you set up a connection to a user
directory is used for both user and group searches. You can use the
qpconfig.xml file to specify a search base specifically for group searches. To
specify a search base for group searches, review and modify the values in the
User_Directory section of the qpconfig.xml file, replacing the search base
value between the <group> and </group> tags with the desired search base. See
Example 7-6 on page 392 for details.
Mapping to the Lotus Team Workplace schema
Users, groups, and all other objects in an LDAP directory are described by a
variety of attributes. For example, the value for a user's first name is often stored
as the givenname attribute and the last name as the sn (surname) attribute. Not all
LDAP directories define attributes for users and groups in the same way. To
display accurate information in the Team Workplace user interface about users
and groups, such as names, phone numbers, and e-mail addresses, you might
have to change some of the default attributes that Team Workplace assumes.
Important: If you are currently using Lotus Team Workplace with the Domino
Directory and are now switching to an LDAP directory, refer to the instructions
described in Converting Team Workplace to LDAP on page 290.
To specify a search base for group searches, review and modify the values in the
User_Directory section of the qpconfig.xml file, replacing the search base
value between the <group> and </group> tags with the desired search base. See
Example 7-6 on page 392 for details. The values in bold are the ones that you
customize. The LDAP directory server must give the Team Workplace server
access to the attributes you specify.
7.5.2 Configuration of Lotus Team Workplace with Active Directory
To connect Lotus Team Workplace to Active Directory, perform the following
steps:
1. Browse to the Lotus Team Workplace server and log on as the Team
Workplace administrator.
2. Click Sign-in.
3. Enter the Team Workplace administrator user name and password.
4. In the left navigator, click the Server Settings link.
5. Click the User Directory link.
6. In the Type field, select LDAP Server, as shown in Figure 7-17.
7. In the Name field, enter the host name of the server on which the LDAP
directory resides. In our case, this was bscads.cam.itso.ibm.com.
Figure 7-17 Specifying the LDAP server host name in Team Workplace
8. In the Port number field, enter the port number that the LDAP server uses to
communicate with other servers. The default is 389.
(Optional) Select the Check for SSL connection with LDAP User Directory
option. Select this option if SSL is configured correctly on the Team
Workplace server. See the Lotus Team Workplace Administrator Help
database for information about how to configure Team Workplace to use
SSL.
9. In the Search base field, specify the search base or starting point in the LDAP
directory that Team Workplace will use to search for user and group entries,
as shown in Figure 7-18 on page 386.
Active Directory stores users under the CN=Users directory container.
Therefore, our Active Directory search base was:
CN=Users,DC=bscads,DC=cam,DC=itso,DC=ibm,DC=com
Figure 7-18 Specifying the search base for Active Directory
10. If a user name and password are required to access (or bind to) the LDAP
directory, do the following (see Figure 7-19 on page 389):
a. Select the Check to use credentials specified below when searching
the directory option.
b. Enter the user name (in our case, QP ADS).
c. Enter the password for the specified user.
Tip: By default, Team Workplace uses the same search base to search for
users and groups.
Team Workplace does, however, have a configuration file called
qpconfig.xml located in the <Domino Install>\Data directory that can be
amended to specify a different search base for group searches.
Important: By default, Lotus Team Workplace does not use the
qpconfig.xml file for any of its configuration settings. The file actually exists
in the <Domino Install>\Data directory as qpconfig_sample.xml and has to
be renamed to qpconfig.xml before it can be edited and any of its settings
can take effect.
When specifying user credentials for Team Workplace with which to bind to
the LDAP directory (step 10 in 7.5.2, Configuration of Lotus Team
Workplace with Active Directory on page 385), the user name should be
specified in the fully distinguished name format.
However, in Figure 7-19 on page 389, you can see that we have actually
specified the bind credentials using the common name (which in our case
was the user QP ADS), as opposed to the fully distinguished name of
CN=QP ADS,CN=Users,DC=bscads,DC=cam,DC=itso,DC=ibm,DC=com.
As part of our testing, we configured Team Workplace to work with Lotus
Instant Messaging and Web Conferencing (see 7.5.6, Configuring chat
and presence awareness in Team Workplace on page 394). This required
us to use the qpconfig.xml file and specify some LDAP directory specific
changes to the User Directory section in the file.
As a result of these changes, we found that Team Workplace could no
longer bind to Active Directory, and we could not log on as any of the
Active Directory users.
The reason for this is that in the User Directory section of the
qpconfig.xml file the authentication filters that are specified by default (in
bold below), do not include the distinguishedName attribute:
<authentication>
<![CDATA[
(|(cn={0})(uid={0})(shortname={0}))
]]>
</authentication>
As can be seen from the authentication filter, only the common name, user
ID, and shortname value can be used to authenticate with Active Directory.
11. In the Authentication Timeout and Search Timeout fields, change the
maximum amount of time, in seconds, that the Team Workplace server can
take to authenticate a user from the User Directory or to perform a search.
The default value for both timeout settings is 120 seconds and is adequate in
most environments.
12. Decide whether or not you want place managers to be able to register new
users, meaning members who are listed in the LDAP directory:
To allow managers to register members who are not listed in the User
Directory, select Allow managers to create new users in each place.
To limit the members of places on the server to users who are listed in the
LDAP directory, select Disallow new users - Require managers to
select existing users from the available directory.
13. Make sure to click Next or your settings will not take effect.
There are two ways around this issue:
You can specify the fully distinguished name when initially configuring
Team Workplace to use an LDAP directory. However, after you have
completed any remaining Team Workplace LDAP configuration steps (that
include modifying the User Directory section in the qpconfig.xml file), log
back on to Team Workplace as the Team Workplace administrator and
change the user name to the simpler common name format.
You can add the distinguishedName attribute to the authentication search
filter in the qpconfig.xml file:
(|(cn={0})(uid={0})(shortname={0})(distinguishedName={0}))
See 7.5.3, Modifying the qpconfig.xml file for a third-party LDAP directory on
page 389 for more details.
Figure 7-19 Changing the User Directory in Team Workplace Administrative Place
7.5.3 Modifying the qpconfig.xml file for a third-party LDAP directory
As previously mentioned, by default, Lotus Team Workplace does not use the
qpconfig.xml file for any of its configuration settings.
The file exists in the <Domino Install>\Data directory as qpconfig_sample.xml.
It is considered a best practice to make a copy of this default sample .xml file and
then rename the original to qpconfig.xml before making any changes to it.
The qpconfig.xml file can be edited using any text editor. In our testing, we used
Notepad.
7.5.4 Why modify the qpconfig.xml file?
As previously mentioned, by default, the search base you specify when you
configure Lotus Team Workplace to use an LDAP directory is used for both user
and group searches.
Depending on your organization's LDAP directory, groups might be specified in a
different part of the directory from users. Therefore, a different group search
base would need to be specified in order to use groups in Team Workplace.
This can be achieved by editing the User Directory section of the qpconfig.xml
file.
The values in bold specify the search base for groups (for Active Directory both
users and groups are located in the same part of the directory). This is why the
search base for groups in Example 7-4 is identical to the search base for users
specified in step 9 on page 385 of 7.5.2, Configuration of Lotus Team Workplace
with Active Directory on page 385.
Example 7-4 Specifying a search base for groups in the qpconfig.xml file
<group>CN=Users,DC=bscads,DC=cam,DC=itso,DC=ibm,DC=com</group>
Another more common reason to modify the qpconfig.xml file relates to the
subtle differences in object and attribute naming in various third-party LDAP
directories.
Users, groups, and all other objects in an LDAP directory are described by a
variety of attributes.
For example, the value for a user's first name is typically stored as the
givenname attribute and the last name as the sn attribute.
Not all LDAP directories define attributes for users and groups in the same way.
To display accurate information in the Team Workplace user interface about
users and groups, such as names, phone numbers, and e-mail addresses, it
might be necessary to change some of the default attributes that Team
Workplace assumes.
This is where a tool such as an LDAP browser proves to be essential. By browsing
to the LDAP directory, you can confirm that the bind credentials you have
specified in Team Workplace are correct, and you can also easily see the names
of attributes and objects in your organization's LDAP directory.
7.5.5 Tips for modifying the qpconfig.xml file
Consider the following tips when modifying the qpconfig.xml file:
Always make a copy of the original qpconfig.xml file and always make a copy
of the current qpconfig.xml file before making new changes.
Each section in the qpconfig.xml file is enclosed by sample comments. To
activate the values you have modified in a particular section, you must
remove both sets of sample comments.
For example, in order to make the following values active in the qpconfig.xml,
you would have to remove the START OF SAMPLE and END OF SAMPLE lines, as
shown in Example 7-5 on page 391.
Example 7-5 Making values in the qpconfig.xml file active
<!-- =============== START OF SAMPLE =================
<expanded_membership_model enabled="true">
<ldap_server ssl="false">
<port>389</port>
<hostname>qpgroups.ibm.com</hostname>
<base_dn>ou=quickplace,o=qpgroups</base_dn>
</ldap_server>
</expanded_membership_model>
=============== END OF SAMPLE =================== -->
After making changes to the qpconfig.xml file, be sure to restart the Team
Workplace server for the new settings to take effect.
Example 7-6 on page 392 shows the active User Directory section of the
qpconfig.xml file that we used in our testing.
The values in bold are the values we added specifically for Active Directory and
can be used as a useful reference when configuring your Team Workplace
environment to use Active Directory (or any other third-party LDAP directory).
These bold values will vary depending on the options you want to specify for
searching and authentication and on the LDAP directory your organization is
using.
The important point to note is that the qpconfig.xml file is the place where
organization-specific and LDAP directory-specific changes are made.
Important: In Example 7-6 on page 392, you will see that we have set our
search and authentication filters for Team Workplace to have the same values
we previously used for Lotus Instant Messaging and Web Conferencing.
This was deliberate, because we wanted to configure Team Workplace to use
Lotus Instant Messaging and Web Conferencing's awareness, chat, and
online meeting features (see Setting up Team Workplace to use Lotus Instant
Messaging on page 394 for more details).
During our testing, we encountered a great many problems with single
sign-on and presence awareness as a result of having slightly different search
and authentication filters in Team Workplace and Lotus Instant Messaging
and Web Conferencing.
In order to avoid such problems, if you are planning to use Team Workplace
with Lotus Instant Messaging and Web Conferencing, we strongly recommend
that, aside from using the same LDAP directory, both products should be
configured with the same search and authentication filters.
Example 7-6 Modifying the qpconfig.xml file for Active Directory
<user_directory>
  <ldap>
    <base_dn>
      <group>CN=Users,DC=bscads,DC=cam,DC=itso,DC=ibm,DC=com</group>
    </base_dn>
    <schema>
      <object_class>objectClass</object_class>
      <user>
        <object_class_value>organizationalPerson</object_class_value>
        <common_name>cn</common_name>
        <display_name>cn</display_name>
        <first_name>givenname</first_name>
        <last_name>sn</last_name>
        <email>mail</email>
        <phone>telephone</phone>
      </user>
      <group>
        <object_class_value>group</object_class_value>
        <common_name>cn</common_name>
        <display_name>cn</display_name>
        <member>member</member>
      </group>
      <dn_delimiter robust_compare="true"/>
      <dn_incoming_is_native enabled="true"/>
      <secondary_cn_component enabled="true"/>
    </schema>
    <search_filters>
      <authentication>
        <![CDATA[
        (|(cn={0})(uid={0})(shortname={0}))
        ]]>
      </authentication>
      <user_lookup>
        <![CDATA[
        (&(objectclass=organizationalPerson)(sn={0})(givenname={1}))
        ]]>
      </user_lookup>
      <group_lookup>
        <![CDATA[
        (&(objectclass=group)(cn={0}))
        ]]>
      </group_lookup>
      <group_membership>
        <![CDATA[
        (&(objectclass=group)(member={0}))
        ]]>
      </group_membership>
    </search_filters>
    <member_lookup_ui>
      <column_name>
        <person>sn, givenname</person>
      </column_name>
      <column_disambiguate>
        <person>dn</person>
      </column_disambiguate>
    </member_lookup_ui>
    <search_ui_hint>
      <![CDATA[
      ( enter <B>last name, first name</B>)
      ]]>
    </search_ui_hint>
    <search_ui_index>sn</search_ui_index>
  </ldap>
</user_directory>
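The checks described in 7.5.5 and the filter settings in Example 7-6 can be automated before the server is restarted. The following Python script is an added example, not part of this book or of Team Workplace: it reports sections still wrapped in the sample comments, checks that each search filter has balanced parentheses, and shows whether the authentication filter accepts a distinguished name. The embedded file content is constructed, and the server_settings wrapper element and all function names are assumptions.

```python
import re
import xml.etree.ElementTree as ET

# Constructed sample for illustration (not the book's file). The
# <server_settings> wrapper element is an assumption.
SAMPLE_QPCONFIG = """<server_settings>
<!-- =============== START OF SAMPLE =================
<expanded_membership_model enabled="true">
<ldap_server ssl="false">
<port>389</port>
</ldap_server>
</expanded_membership_model>
=============== END OF SAMPLE =================== -->
<user_directory>
<ldap>
<schema>
<secondary_cn_component enabled="true"/>
</schema>
<search_filters>
<authentication>
<![CDATA[
(|(cn={0})(uid={0})(shortname={0}))
]]>
</authentication>
<group_lookup>
<![CDATA[
(&(objectclass=group)(cn={0}))
]]>
</group_lookup>
</search_filters>
</ldap>
</user_directory>
</server_settings>
"""

SAMPLE_BLOCK = re.compile(
    r"<!--[\s=]*START OF SAMPLE[\s=]*(.*?)[\s=]*END OF SAMPLE[\s=]*-->", re.S)
ATTRIBUTE = re.compile(r"\(\s*([A-Za-z][\w;.-]*)\s*(?:~=|>=|<=|=)")


def inactive_sections(text):
    """Names of the elements still inside START/END OF SAMPLE comments."""
    names = []
    for body in SAMPLE_BLOCK.findall(text):
        first_tag = re.search(r"<([A-Za-z_][\w.-]*)", body)
        if first_tag:
            names.append(first_tag.group(1))
    return names


def filter_is_balanced(ldap_filter):
    """True if the filter is one parenthesised group with matching parentheses."""
    depth = 0
    last = len(ldap_filter) - 1
    for i, ch in enumerate(ldap_filter):
        if ch == "(":
            depth += 1
        elif ch == ")":
            depth -= 1
        if depth < 0 or (depth == 0 and i < last):
            return False  # stray ")" or text outside the outermost group
    return depth == 0 and ldap_filter.startswith("(")


def filter_attributes(ldap_filter):
    """Attribute names tested by the filter, lower-cased, in order."""
    return [name.lower() for name in ATTRIBUTE.findall(ldap_filter)]


def audit(text):
    """Summarise the active user-directory settings in qpconfig.xml content."""
    root = ET.fromstring(text)  # XML comments (inactive samples) are dropped
    filters = {}
    for section in root.iter("search_filters"):
        for node in section:
            value = (node.text or "").strip()
            filters[node.tag] = {
                "filter": value,
                "balanced": filter_is_balanced(value),
                "attributes": filter_attributes(value),
            }
    auth_attrs = filters.get("authentication", {}).get("attributes", [])
    cn_flags = [node.get("enabled") == "true"
                for node in root.iter("secondary_cn_component")]
    return {
        "inactive_sections": inactive_sections(text),
        "filters": filters,
        "dn_bind_name_accepted": "distinguishedname" in auth_attrs,
        "secondary_cn_component": any(cn_flags),
    }


if __name__ == "__main__":
    report = audit(SAMPLE_QPCONFIG)
    print("Still commented out:", report["inactive_sections"])
    for name, info in report["filters"].items():
        print(name, "balanced" if info["balanced"] else "UNBALANCED",
              info["attributes"])
    print("DN accepted as bind name:", report["dn_bind_name_accepted"])
    print("secondary_cn_component:", report["secondary_cn_component"])
```

Running the same audit against the Lotus Instant Messaging filter strings and comparing the attribute lists is a quick way to confirm that both products use the same authentication filter.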
7.5.6 Configuring chat and presence awareness in Team Workplace
This section describes how to set up and test chat and presence awareness in
Lotus Team Workplace using Active Directory.
Setting up Team Workplace to use Lotus Instant Messaging
Lotus Team Workplace can be configured to provide presence awareness, chat,
and the ability to attend online meetings by using a Lotus Instant Messaging and
Web Conferencing server.
The configuration instructions in Chapter 4, New Domino installation on
page 85 assume that we will be using the Domino Directory with Team
Workplace and Lotus Instant Messaging and Web Conferencing. However, in our
case, we use an LDAP directory, so there are some additional considerations to
keep in mind:
Both the Team Workplace and Instant Messaging and Web Conferencing
server or servers must be using the same LDAP directory.
Single sign-on should be configured and working correctly between the Team
Workplace and Instant Messaging and Web Conferencing servers (see
Configuring single sign-on (SSO) on page 102).
Note: In this sample qpconfig.xml file shown in Example 7-6 on page 392,
notice how in the group lookup and group membership sections we changed
the object class to be group, as opposed to the default groupOfNames.
As previously mentioned in 7.4, Configuring Lotus Instant Messaging for
Active Directory on page 365, Active Directory uses a different object class
name for groups than most other third-party LDAP directories.
Had we not made these changes, we would not have been able to search for
and add groups in Team Workplace.
This is a perfect illustration of why we might want to modify the qpconfig.xml
file when working with a specific type of LDAP directory.
Notice also how in the authentication section, we only specified common
name, user ID, or shortname. As a result, specifying the user's fully
distinguished name would not allow them to authenticate.
Tip: For details about how to configure Team Workplace to use Lotus
Instant Messaging and Web Conferencing, follow the configuration
instructions in 4.6.3, Post-configuration integration on page 146.
We recommend that Team Workplace and Lotus Instant Messaging and Web
Conferencing are configured with the same search and authentication filters.
Lotus Instant Messaging and Web Conferencing functionality should be
independently tested and verified before attempting to configure Team
Workplace for awareness (see 7.4.5, Verifying the Lotus Instant Messaging
configuration on page 381).
Special considerations for Active Directory
Despite having configured both Lotus Instant Messaging and Web Conferencing
and Team Workplace correctly for use with Active Directory, during our testing,
we found that we could not get presence awareness in Team Workplace to work.
After extensive investigation, the problem was determined to lie in the difference
between how Team Workplace represents a user's fully distinguished name and
how Active Directory represents the same fully distinguished name.
As previously mentioned in 7.2.1, Using an LDAP tool on page 355, and more
specifically in Using Ldapsearch.exe on page 357, most LDAP directories
represent the various organizational units that make up a user's fully
distinguished name with an OU and O or DC naming convention. For
example:
Sun ONE directory represents a user's fully distinguished name as:
uid=CDelaney,OU=Users,DC=bscads,DC=cam,DC=itso,DC=ibm
IBM Directory server represents a user's fully distinguished name as:
uid=CDelaney,DC=Users,DC=bscads,DC=cam,DC=itso,DC=ibm
Active Directory also uses a DC naming convention to represent the
organizational units, including the top level or O, so the fully distinguished name
in our example is represented by Active Directory as:
CN=Cara Delaney,CN=Users,DC=bscads,DC=cam,DC=itso,DC=ibm
However, in addition to using this DC naming convention, notice how the second
organizational unit in the user's name in Active Directory is represented as CN=
as opposed to, say, OU= or DC=.
This difference in naming convention was the reason presence awareness would
not work in Team Workplace.
The testing we carried out to determine (and fix) this is described in the following
section.
Testing awareness in Team Workplace with Active Directory
To test awareness in Team Workplace with Active Directory:
1. We logged on to Team Workplace as an Active Directory user.
2. The Java applet for presence awareness successfully loaded (the little gray
dot next to the user name), but did not turn green (which is the indication that
the user is now online).
3. We turned on the status bar option in Internet Explorer (View > Status Bar),
and clicked the gray presence awareness applet next to the user's name.
4. The status bar at the bottom of the browser window then revealed the user's
name. As can be seen in Figure 7-20, the user name appears with an
ou=Users in the name. However, Lotus Instant Messaging and Web
Conferencing represents the user name with the Active Directory
distinguished name, which has CN=Users. As a result, Lotus Instant Messaging
and Web Conferencing assumes that these users are two different people
and presence awareness does not work.
Figure 7-20 How Team Workplace represents an LDAP name
Team Workplace is representing the user's fully distinguished name in the
conventional LDAP format, while Active Directory uses a slightly different
naming convention from most other LDAP directories.
5. In order to overcome this issue with Active Directory, we modified the
following setting in the User Directory section of the qpconfig.xml file and set
it to be true:
<secondary_cn_component enabled="true"/>
Setting this value to true and then restarting the server forces Team
Workplace to preserve the Active Directory naming convention.
Instead of containing ou=Users, the user's fully distinguished name
now contains CN=Users, which is the same name format that Lotus Instant
Messaging and Web Conferencing uses. See Figure 7-21 on page 397.
As a result, presence awareness worked.
Figure 7-21 An LDAP name after modifying the qpconfig.xml file
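The mismatch found in step 4 can be reproduced outside the browser by comparing the two name forms component by component. The following Python script is an added example, not part of this book or of either product; the Team Workplace name strings are constructed from the description above, and the case-insensitive, whitespace-tolerant comparison is an assumption about how the names are matched.

```python
# Name as Active Directory (and Lotus Instant Messaging) represents it,
# taken from the text above.
AD_DN = "CN=Cara Delaney,CN=Users,DC=bscads,DC=cam,DC=itso,DC=ibm"
# Constructed: the form Team Workplace showed before the change (ou=Users).
TW_DN_BEFORE = "cn=Cara Delaney,ou=Users,dc=bscads,dc=cam,dc=itso,dc=ibm"
# Constructed: the form after secondary_cn_component was enabled.
TW_DN_AFTER = "cn=cara delaney, cn=users, dc=bscads, dc=cam, dc=itso, dc=ibm"


def split_rdns(dn):
    """Split a DN into its components on commas that are not backslash-escaped."""
    parts, current, escaped = [], [], False
    for ch in dn:
        if escaped:
            current.append(ch)
            escaped = False
        elif ch == "\\":
            current.append(ch)
            escaped = True
        elif ch == ",":
            parts.append("".join(current))
            current = []
        else:
            current.append(ch)
    parts.append("".join(current))
    return [p.strip() for p in parts if p.strip()]


def normalize(dn):
    """List of (attribute type, value) pairs, lower-cased with spaces collapsed."""
    pairs = []
    for rdn in split_rdns(dn):
        attr, _, value = rdn.partition("=")
        pairs.append((attr.strip().lower(), " ".join(value.split()).lower()))
    return pairs


def compare_dns(a, b):
    """Return (same, differences); each difference is (index, rdn_a, rdn_b)."""
    na, nb = normalize(a), normalize(b)
    diffs = []
    for i in range(max(len(na), len(nb))):
        left = na[i] if i < len(na) else None
        right = nb[i] if i < len(nb) else None
        if left != right:
            diffs.append((i, left, right))
    return (not diffs, diffs)


def explain(diffs):
    """Describe each difference, separating type mismatches from value mismatches."""
    messages = []
    for index, left, right in diffs:
        if left is None or right is None:
            messages.append(f"component {index}: present in only one name")
        elif left[1] == right[1]:
            messages.append(
                f"component {index}: same value '{left[1]}' "
                f"but type {left[0]} vs {right[0]}")
        else:
            messages.append(
                f"component {index}: {left[0]}={left[1]} vs {right[0]}={right[1]}")
    return messages


if __name__ == "__main__":
    for label, candidate in (("before", TW_DN_BEFORE), ("after", TW_DN_AFTER)):
        same, diffs = compare_dns(AD_DN, candidate)
        print(label, "match" if same else "MISMATCH", explain(diffs))
```

Case and spacing differences are absorbed by the normalization, so the only difference reported for the first pair is the attribute type of the second component, which is exactly what the secondary_cn_component setting changes.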
7.5.7 Expanded group membership model in Lotus Team Workplace
Starting in Lotus Team Workplace 6.5.1, there is a new feature called expanded
group membership model.
This feature works around a previous 32 K ACL limit in Team Workplace that
only allowed for 300-900 names, depending on length, in the ACL.
For a highly collaborative and dynamic environment, this ACL limit can be
detrimental to the Team Workplace environment.
The expanded group membership model removes this limitation by generating
groups in an LDAP directory that contain the names of external user members
and then uses these groups, rather than the individual user names, in room
ACLs.
The expanded membership model design imposes no limit on the number of
external user members in a place. However, performance considerations can
dictate a practical limit. Therefore, currently expanded membership is certified for
a maximum of 4000 external user members in a place.
Tip: To find out what name is being represented by the presence awareness
Java applet, turn on the status bar option in your browser and place your
cursor on the applet.
The status bar reveals the format of the user's fully distinguished name.
For more detailed information, reference the Lotus Software Knowledge Base
document 1137076, available at:
http://www.ibm.com/support/docview.wss?rs=474&uid=swg21137076
Groups generated by the expanded group membership model
Team Workplace generates room-specific access control groups in an LDAP
directory specified through the qpconfig.xml file.
Team Workplace creates the following three groups in the directory for the main
room (Main.nsf) of a place and adds them to the main room database ACL:
CN=h_Managers, OU=placename, base_dn
CN=h_Authors, OU=placename, base_dn
CN=h_Readers, OU=placename, base_dn
Placename is the name of the place. Base_dn is a base distinguished name for
the Team Workplace-generated groups configured through the qpconfig.xml file.
When someone adds an external user member to the place, Team Workplace
adds the user's name to one of these groups, according to the access assigned
to the user. For example, Team Workplace adds an external user member with
Reader access to the place's CN=h_Readers... group.
If someone creates a subroom, Team Workplace creates the following groups in
the directory and adds them to the subroom ACL:
CN=h_Managers, OU=uniquenumber, OU=placename, base_dn
CN=h_Authors, OU=uniquenumber, OU=placename, base_dn
CN=h_Readers, OU=uniquenumber, OU=placename, base_dn
Uniquenumber is the unique number XX in the room name PageLibraryXX.nsf
that identifies the room. Placename is the name of the place that contains the
room. Base_dn is the base distinguished name configured for the Team
Workplace-generated groups.
Configuration of the expanded group membership model
In order to enable this feature, you must modify the qpconfig.xml file, configure
the user name and password to use for binding to the LDAP server, and enable
places to use this feature.
Note: The expanded membership relates only to individual external user
members and not to local members or to external group members.
Enabling the expanded group membership model in qpconfig.xml
To enable the expanded group membership model, use the
expanded_membership_model settings in the qpconfig.xml file. Figure 7-22
shows example values in bold that you can customize to suit your needs. Note
the baseDn references.
Figure 7-22 The qpconfig.xml file expanded group membership model settings
When you have configured the expanded membership model, save the
qpconfig.xml file and restart the HTTP task on the server.
Configuring the bind credentials for the Team Workplace server
If the directory allows anonymous write access to the base distinguished name
(not a typical configuration), this step is unnecessary.
After you enable the expanded membership model through the qpconfig.xml file,
configure a user name and password for the Team Workplace server to provide
when connecting to the LDAP directory server that stores the Team
Workplace-generated groups.
The name and password must correspond to a valid user record in the LDAP
directory. The name must also have write access to the base distinguished name
in the directory used for the Team Workplace-generated groups.
To configure the bind credentials for the Team Workplace server, complete the
following steps:
1. Sign on to the Team Workplace server as an administrator.
2. Click Server Settings.
Note: At this time SSL is not supported with LDAP when using this feature.
This is referenced in SPR WQUN5PXNZ5 and in the Knowledge Base
document 1137076 mentioned previously.
This feature is only supported when using an LDAP directory, not a Domino
Directory.
3. Click User Directory.
4. Click Change Directory.
5. Under Expanded Membership Model, enter the user name in distinguished
name format, for example:
CN=QP ADS,CN=Users,DC=bscads,DC=cam,DC=itso,DC=ibm,DC=com
6. Enter the password for the user name.
7. Click Next.
Enable the expanded membership model in places
You must enable the expanded membership model explicitly in the places that
you want to use it.
To enable the expanded membership model in a place or places, use the QPTool
membershipmodel command.
To enable expanded membership in one, two, or a few places, use the following
command:
load qptool membershipmodel -toexpanded -p place(s)
Places is the name of the place or places to convert. Separate place names with
a space.
To enable the expanded membership model in all places on a server, use the
following command:
load qptool membershipmodel -toexpanded -a
If there are replicas of a place, run the command on one replica only.
Note: The Expanded Membership Model option is viewable only when you
have enabled the expanded membership model on the server through the
qpconfig.xml file and selected LDAP for the Team Workplace user directory in
the Team Workplace server settings.
7.5.8 Troubleshooting Lotus Team Workplace and Active Directory
If you encounter problems with Lotus Team Workplace after you complete the
LDAP directory configuration and make the necessary changes to the
qpconfig.xml file, here are a few useful troubleshooting tips gathered from
our testing. These tips are similar to what you would use for troubleshooting
Lotus Instant Messaging and Web Conferencing server problems.
Check that the Team Workplace server has network connectivity to the LDAP
directory (in particular on the LDAP ports of 389 or 636 if using SSL).
If you cannot log on to Team Workplace, check that the bind credentials are
correct by doing an Ldapsearch.exe query or by using an LDAP browser.
Remember that the bind credentials are specified in several places, so be
sure to check all locations, because misspelling might only occur in one
place.
If the bind credentials are correct, re-verify that the search and authentication
filters are set correctly for your particular directory.
If you are experiencing problems with awareness, verify that the
secondary_cn_component value in the qpconfig.xml file is enabled correctly
and that you have removed the sample comment markers.
There are also a number of useful debug parameters that can be set to assist
you with Team Workplace and LDAP issues. These parameters provide a
high level of detailed information and not all of them are required. We,
therefore, recommend that you apply them only in conjunction with the help of
an IBM Lotus Support representative.
To trace Team Workplace authentication problems, the following parameters
can be added to the Team Workplace server's Notes.ini file:
WEBAUTH_VERBOSE_TRACE=1
DEBUG_SSO_TRACE_LEVEL=1 or 2
QuickPlaceAuthenticationLogging=5 (values of 1-5 can be used)
More information about these and other debug parameters can be found in the
Lotus Knowledge Base, available at:
http://www.lotus.com
7.6 Configuring Domino Document Manager and Active Directory
Configuring Lotus Domino Document Manager (formerly known as Domino.Doc)
for Active Directory is far simpler than the other Extended Products discussed
previously in this chapter.
This is because Domino Document Manager relies mainly on the Domino
Directory Assistance database for LDAP authentication (in addition to some
additional configuration changes in the Domino Document Manager Site
Administrator database).
The following screen captures are taken from the Directory Assistance database
we created on our Domino Document Manager test server.
Our test Domino Document Manager server used Active Directory. Depending
on the LDAP directory used by your organization, you might need to modify
some of the settings shown in the following screen captures.
Figure 7-23 Directory Assistance Basics tab
Tip: See Converting Domino Document Manager to LDAP on page 302 for
full details about how to configure Domino Document Manager for use with an
LDAP directory.
Figure 7-24 Directory Assistance Naming Contexts tab
Figure 7-25 Directory Assistance LDAP tab
During our testing, we used our LDAP browser to verify that the values specified
for the fully distinguished user name and password and the base DN for search
were correct.
Note: In the bind credentials field, the password is not encrypted by default.
Modify the field using Domino Designer to encrypt the value specified here if
you want; otherwise, ensure that the ACL of the Directory Assistance
database allows access only to trusted administrators.
Chapter 8. Domino 6.5.1 Extended Products with WebSphere Portal
This chapter provides information about how to integrate IBM Lotus Domino
6.5.1 and the Extended Products into a new or existing IBM WebSphere Portal
environment.
We begin this chapter with a brief overview of WebSphere Portal, together with
the key business benefits of integrating the Domino 6.5.1 products into it.
Next, we discuss the LDAP directory and WebSphere Application Server and
WebSphere Portal prerequisites that must be completed before the Domino 6.5.1
products can be successfully integrated.
We then focus on how to configure WebSphere Portal to work with a Domino
6.5.1 LDAP directory and with Lotus Instant Messaging and Web Conferencing,
as well as how to install and configure the Domino 6.5.1 portlets. These portlets
are the mechanism that allows the Domino 6.5.1 products and WebSphere
Portal to integrate.
Finally, we describe a common scenario of an organization that already has an
existing WebSphere Portal infrastructure (using a third-party LDAP directory)
and a separate Domino mail, application, and collaboration environment and now
wants to integrate the two.
In this scenario, we discuss the options for overcoming the challenges of
having multiple directories in an environment, specifically the
Domino Directory and a third-party LDAP directory, such as Microsoft Active
Directory, IBM Directory Server, or the Sun ONE directory.
Important: This chapter assumes that you already have WebSphere Portal
Version 5 installed and running in your environment, so it does not include
information about installing and configuring WebSphere Portal.
For details about how to install and configure WebSphere Portal, refer to the
product documentation that accompanies WebSphere Portal (or the following
Information Center links).
Excellent sources of information for both WebSphere Application Server and
WebSphere Portal are the online Information Centers that accompany each of
these products.
The WebSphere Application Server Version 5 Information Center is available
at:
http://www.ibm.com/software/webservers/appserv/infocenter.html
The WebSphere Portal Version 5 Information Center is available at:
http://www.ibm.com/developerworks/websphere/zones/portal/proddoc.html#ic5
Information Centers are available for every version of these products and they
contain a wealth of installation, configuration, troubleshooting, and upgrade
documentation.
Whether you are new to these products or are already familiar with them, we
highly recommend that you bookmark these sites and refer to them frequently
before carrying out any of the configuration or upgrades described in this
chapter.
Finally, note that the Domino 6.5.1 portlets are available for download from the
WebSphere Portal and Lotus Workplace Catalog, available at:
http://catalog.lotus.com/wps/portal/portalworkplace
8.1 What is IBM WebSphere Portal?
WebSphere Portal is application software that is designed to provide end users
with a single point of access to the applications, information, and people they
need to do their jobs more productively.
The value derived from a portal comes not only from providing this single
point of access, but also from providing a framework for collaboration. More
specifically, it is this framework that gives context to the information
presented and enables users to immediately act on this content.
Users within a portal might want to collaborate with others to share information
and generate new ideas, locate other people within the organization, or set up a
new virtual workplace for future teamwork.
Ultimately, it is the degree of collaborative functionality built into a portal that
provides the greatest benefit toward increasing individual and organizational
productivity.
Collaboration represents the simple act of working together to accomplish a
common goal.
Integrating collaborative services (such as those provided with the Domino 6.5.1
platform) with business functions helps companies gain a significant competitive
advantage.
Information is shared more effectively, communication is more efficient, and
companies can make quicker, more informed decisions.
More specifically, companies can shorten sales cycles, accelerate product
development, generate more transactions, increase partner and customer
retention, and expedite problem resolution. Ultimately, these collaborative
capabilities provide competitive advantage in the marketplace and impact the
bottom line.
In addition to helping improve the bottom line, Domino collaborative
capabilities within a portal contribute in the following ways to improve
business efficiency:
Conquer the barriers of time and space: Businesses today are more global,
and employees are more geographically dispersed. Web-based collaboration
capabilities enable members of a department, agency, or organization to
maintain connectivity across time and space, overcoming logistical barriers
such as multiple time zones and different software or hardware.
Avoid breakdowns in communication: By facilitating the free flow of
information between different groups of people involved in a project, errors
and misunderstandings can be avoided. The ability to communicate
immediately and keep all members informed of a change in scheduling,
specifications, or requirements is critical to completing a project on time and
within budget.
Cross-fertilization of ideas: Collaboration within a portal enables exposure
between people who otherwise might not work together. Members from
various disciplines and areas of expertise can become aware of each others'
projects by observing and participating in online discussions or forums.
Knowledge retention: Work performed within an online collaborative portal
environment can be securely and centrally stored and managed. Ultimately,
all transactions and communications can be stored in an organized archive,
creating an organizational memory. When appropriate, this information can
be disseminated to a wider collaborative audience.
Business benefits of Domino 6.5.1 with WebSphere Portal
Now that a foundation has been established to illustrate overall benefits of
collaboration in a business environment, it is important to examine more
specifically how WebSphere Portal featuring the Domino 6.5.1 Extended
Products can help companies to realize these benefits.
Within the business market today, customers are not necessarily suffering from a
lack of tools, capabilities, or features and functions. Instead, the more difficult
challenge is trying to make all of the different tools and systems work well
together. The functionality provided by integrating the Domino 6.5.1 products
into WebSphere Portal produces the following business benefits:
Solution focused: Although it had previously been possible to access the
functionality of IBM Lotus Instant Messaging and Web Conferencing (formerly
called Sametime) and IBM Lotus Team Workplace (formerly called
QuickPlace) using the Lotus collaborative components APIs within
WebSphere Portal, the introduction of the Domino 6.5.1 Extended Products
portlets extends the capabilities beyond just integration and access. Portlets
are the mechanism by which the Domino 6.5.1 products are integrated into
WebSphere Portal and are discussed further in 8.2, "What are the Domino
6.5.1 Extended Products portlets?" on page 410.
By providing an online directory with people awareness, integrated tools for
managing online meetings, and integrated tools for managing My Team
Workplaces, the Domino 6.5.1 portlets combine to provide one of the most
complete collaboration solutions available.
Focus on the business issues, not the integration: Due to the high degree of
built-in integration, both among the Domino 6.5.1 portlets and the Lotus
collaborative software servers (Web Conferencing and Team Workplace),
customers can focus primarily on addressing business issues, rather than
resolving integration issues. For the end users, the complexity of the
supporting infrastructure is hidden. Users can be more productive, without
being burdened by a complex system.
Common UI: The Domino 6.5.1 portlets provide a common user interface to
Lotus collaborative products. This enables end users to leverage the
functionality of Lotus Web Conferencing and Lotus Team Workplace, while
working directly from within the native portal interface. Providing this
collaborative functionality within a consistent interface significantly reduces
the need for user training and increases the rate of user adoption.
Leverage single sign-on: The Domino 6.5.1 portlets leverage the WebSphere
Portal single sign-on capability for access to the portal and for access to the
supporting Lotus Software collaborative products. Users must only sign on
once, resulting in fewer passwords to administer and a better user
experience.
Online presence: A portal user can see if other users are online directly from
the portlet and then select from a menu of options to interact with those users.
Contextual menus: Within each of the Domino 6.5.1 portlets, contextual
menus are enabled to let users take specific actions directly from within the
portlet. With a single click from inside the portal, users can locate and work
with the information they need. For example, from within the My Team
Workplaces portlet, a user can click a workplace title and choose to search
the workplace or just view My Tasks or My Pages in the workplace. This
functionality increases productivity by enabling users to efficiently navigate to
the information they need, without first opening up each Team Workplace in a
separate window.
The built-in integration and features of the Domino 6.5.1 portlets serve to
provide one of the most complete collaborative portal solutions available.
See Figure 8-1 on page 410.
The Domino 6.5.1 portlets are available for download from the WebSphere Portal
and Lotus Workplace Catalog, available at:
http://catalog.lotus.com/wps/portal/portalworkplace
Figure 8-1 The Domino 6.5.1 Extended Products portlets in WebSphere Portal
8.2 What are the Domino 6.5.1 Extended Products portlets?
Portlets are the heart of a portal. The term portlet refers to a small portal
application, usually depicted as a small box in the Web page.
Portlets are reusable components that provide access to applications,
Web-based content, and other resources. Web pages, Web services,
applications, and syndicated content feeds can be accessed through portlets.
Companies can create their own portlets or select from a catalog of portlets
created by IBM and by IBM Business Partners.
Portlets are essentially applications that are installed into a portal that provide a
seamless way to integrate applications; they are not just frames, but provide
business intelligence and a common interface.
The Domino 6.5.1 Extended Products portlets are an enhancement to the
existing WebSphere Portal Collaboration Center portlets and, therefore, offer
the ability to integrate the application functionality of the Domino 6.5.1
platform into an intelligent common user interface served up by WebSphere
Portal.
The Domino 6.5.1 portlets consist of the following components:
Domino Extended Products Portlets Welcome Page
Domino Web Access (formerly iNotes)
Domino Application Portlet (see footnote 1)
Lotus Domino Document Manager (formerly Domino.Doc)
Lotus Notes Discussion (see footnote 2)
Lotus Notes Mail (see footnote 2)
Lotus Notes Teamroom (see footnote 2)
Lotus Notes View
Lotus Web Conferencing (formerly Sametime)
Lotus Instant Messaging Contact List (formerly Sametime Contact List)
My Lotus Notes To Do (see footnote 2)
My Lotus Team Workplaces (formerly QuickPlace)
People Finder
As previously mentioned, the Domino 6.5.1 portlets are available for download
from the WebSphere Portal and Lotus Workplace Catalog, available at:
http://catalog.lotus.com/wps/portal/portalworkplace
Although it has been possible to access Lotus collaborative applications prior to
the introduction of the Collaboration Center and Domino 6.5.1 Extended
Products portlets, any user interaction with this data could only take place
outside of the context of the portal (that is, a new browser window had to be
launched). Furthermore, interaction between the collaborative portlets
required a certain degree of custom programming and configuration within
WebSphere Portal.
The Domino 6.5.1 Extended Products portlets have been designed to work
together out of the box, providing a complete collaborative solution. They
represent a significant step forward toward seamless integration.
Footnote 1: This product includes software developed by the Apache Software
Foundation (http://www.apache.org).
Footnote 2: Discussion, Mail, Teamroom, and To Do are installed as views in
the Lotus Notes View portlet. You must create instances of the Lotus Notes
View and change each instance's name to be able to use these services. For
more information, see the WebSphere Portal Information Center topic Notes and
Domino Version.
These portlets come with sample portal pages that integrate all core messaging
and collaborative applications into a portal user interface (UI).
The Domino 6.5.1 Extended Products portlets come with IBM Lotus Workplace
sample pages that show how users in a portal environment can collaborate using
portlets that rely on Domino 6.5.1 and its Extended Products.
Therefore, the new release of Domino 6.5.1 is a bridge to the world of J2EE
and open standards, extending Domino's capabilities by providing the means to
connect different sources of data, regardless of vendor.
Both new and updated portlets are provided. These include standard Lotus
Notes and Domino features such as e-mail, calendar and scheduling, discussion,
teamrooms, and to-dos, as well as the Notes View capability that lets you work
with the documents from any view of any Domino database. See Figure 8-2.
Figure 8-2 Integration of the Domino 6.5.1 products with a common portal interface
8.3 Portal and LDAP directory prerequisites
Any existing WebSphere Portal environment will undoubtedly already be using
an LDAP directory of some sort for user and group information.
WebSphere Portal installs with a built-in lightweight user registry based on
IBM Cloudscape. However, for practical reasons (such as scalability), it is
generally not used in production.
This section, therefore, describes the process of configuring a brand new
WebSphere Portal installation to use an external LDAP directory.
In this section, we focus on configuring the Domino 6.5.1 Directory to be our
LDAP directory.
Using the Domino LDAP directory enables organizations that already have a
Domino infrastructure, but that are new to WebSphere Portal, to leverage their
existing Domino Directory users and groups with no additional administration.
Figure 8-3 Configuring WebSphere Portal with a Domino 6.5.1 LDAP directory
Note: Although this chapter focuses on using a Domino 6.5.1 LDAP directory,
the configuration, testing, and troubleshooting methodology presented in this
chapter can be applied to any third-party LDAP directory that WebSphere
Portal supports (and in most cases without any or only minor modifications).
8.3.1 Currently supported LDAP directories for WebSphere Portal
As previously mentioned, although this section focuses on using the Domino
Directory, WebSphere Portal currently supports the following LDAP directories:
IBM Lotus Domino Directory 5.x and later
IBM Directory Server 5.x
Sun ONE Directory
Microsoft Active Directory
Important: Although your organization's LDAP directory might not appear in
this list, typically, any LDAP V3-compliant directory will work with WebSphere
Portal. For example, the Exchange 5.5 Global Address List can be used as an
LDAP V3-compliant directory.
The directories listed above are considered supported because they have
been extensively tested and documented by IBM.
8.3.2 Configuring WebSphere Portal for Domino 6.5.1 LDAP directory
Before you can configure WebSphere Portal to work with any LDAP directory,
the directory must have some specific user and group information already
populated.
Required groups and users in the LDAP directory
A minimum of one group and one user is required for WebSphere Portal.
Depending on the software you already have deployed and configured, you
might need to set up as many as two additional user accounts. These can
either be existing user accounts that you want to use in WebSphere Portal, or
you can create new user accounts.
The required group is wpsadmins or an equivalent. This is the first administrator
group for WebSphere Portal. Members of this group have administrative
authority within WebSphere Portal. It is expected that the first WebSphere Portal
administrative user be a member of the wpsadmins group in the directory.
The following points describe the one required and two possibly needed user
accounts:
Required: WebSphere Portal administrative user. This is the first
administrator account for WebSphere Portal. This account is also a member
of the wpsadmins group and is typically called wpsadmin.
Optional: WebSphere Portal is an application that runs on top of WebSphere
Application Server. WebSphere Application Server handles the security for
WebSphere Portal; however, you can choose to have WebSphere Portal
configure WebSphere Application Server security for you.
In this case, you must specify a security server ID account name and
password. This account is configured into WebSphere Application Server. It
becomes the ID that is used to administer WebSphere Application Server.
During our testing, we created a user account called wpsbind.
Note: Installing a brand new WebSphere Portal also installs WebSphere
Application Server for you. This is what we did in our testing environment,
which is why we elected to have WebSphere Portal configure WebSphere
Application Server security.
Detailed instructions about configuring WebSphere security in this way can
be found in 8.3.3, "Configuration steps to use a Domino 6.5.1 LDAP
directory" on page 417.
Optional: An LDAP access account for WebSphere Application Server and,
by extension, WebSphere Portal.
This identity is used by WebSphere Portal to access the LDAP directory. As
you will see in 8.3.2, "Configuring WebSphere Portal for Domino 6.5.1 LDAP
directory" on page 414, both LDAP directory and security configuration for
WebSphere Portal involve modifying values in the wpconfig.properties file.
If you keep the default values for the Bind Distinguished Name in this
properties file, the user name wpsbind will be used for this LDAP access
account.
The required privileges for this account in the LDAP directory are as follows:
Write: If you want to allow users or portal administrators to create and
modify LDAP directory attributes through self-registration and self-care
windows or the Manage Users and Groups portlet, the LDAP access
account must have permission to write and search the LDAP directory.
Read: If you will not use any WebSphere Portal facilities to write to the
directory, but your directory security policies do not allow anonymous
searches of the directory, the LDAP access account must have permission
to read and search the LDAP directory.
Note: It is not necessary to give the LDAP access account rights to
read, write, or search the entire LDAP directory. It is perfectly feasible
to give the account the necessary rights to only the part of the directory
(subtree) that contains users and groups.
Portal administrator users
You can select an existing user in the LDAP directory to act as the WebSphere
Portal administrator if you want.
If you want to create a new user to administer your portal, you should
create the user before installing WebSphere Portal.
To create a new user as the portal administrator, use your directory
administration tools (for example, if using Domino LDAP, use the Domino
Administrator client) to create a new portal administrator user.
Figure 8-4 shows the various users we added to our Domino 6.5.1 LDAP
directory using the Domino Administrator client.
Figure 8-4 LDAP directory user entries for WebSphere Portal example
The WebSphere Portal administrative user is wpsadmin, and the LDAP access
account and the WebSphere Application Server administrative user is wpsbind.
As previously mentioned, these administrative users must also be added to the
wpsadmins group (see Figure 8-5 on page 417).
Important: LDAP relative distinguished name (RDN) prefixes, such as cn=,
uid=, and ou=, should be entered in lowercase. Uppercase or mixed case can
cause problems with subsequent case-sensitive queries of the WebSphere
Member Management and WebSphere Portal databases.
Figure 8-5 shows the required group we added to our Domino 6.5.1 LDAP
directory (wpsadmins) and the administrative users that were added to the group
for use with WebSphere Portal.
Figure 8-5 Example of LDAP directory group entries for WebSphere Portal
Important: In Figure 8-5, the group wpsadmins has been manually edited to be
wpsadmins/lotus. In other words, it now has a fully distinguished LDAP name
of cn=wpsadmins/o=lotus.
This change has to be made when using a Domino LDAP directory, because
Domino does not store groups in the hierarchical format that WebSphere
Portal expects.
8.3.3 Configuration steps to use a Domino 6.5.1 LDAP directory
Configuring WebSphere Portal to use a Domino 6.5.1 LDAP directory involves
configuring the wpconfig.properties file located on WebSphere Portal.
The wpconfig.properties file can also be used to configure global security and
single sign-on properties for WebSphere Portal. This is what we elected to do in
our test environment because it was a brand new WebSphere Portal installation.
The following steps describe what to edit in the wpconfig.properties file and what
commands need to be run so that WebSphere Portal can work with the Domino
6.5.1 LDAP directory server.
Password considerations
Before configuring WebSphere Portal to use the Domino 6.5.1 LDAP directory
(or any other third-party LDAP directory), there are some security considerations
of which you should be aware.
The wpconfig.properties file that is used to configure WebSphere Portal for an
LDAP directory requires that certain password information be specified in it.
For security reasons, your organization might elect not to store passwords in the
wpconfig.properties file.
To overcome this requirement, it is possible to specify passwords on the portal
server command line using the syntax shown in Example 8-1.
Example 8-1 Syntax for specifying portal passwords on the command line
WPSconfig task_name [-Dpassword_property_key=password_value]
In our test environment, we decided not to store passwords in the
wpconfig.properties file so we ran the command shown in Example 8-2.
Example 8-2 Specifying password information on the command line
WPSconfig validate-ldap -DPortalAdminPwd=password -DLDAPAdminPwd=password
-DLDAPBindPassword=password -DWasPassword=password -DLTPAPassword=password
The values in bold represent the various LDAP user entries that both WebSphere
Application Server and WebSphere Portal use for security.
The validate-ldap flag also returns any errors, such as if the password specified
is incorrect for a given user entry.
These entries are as follows:
PortalAdminPwd: The password assigned to the WebSphere Portal
administrative user (in our case, the user wpsadmin).
LDAPAdminPwd: The password assigned to the LDAP directory administrative
user (in our case, the user wpsbind).
LDAPBindPassword: The password assigned to the LDAP directory user that
will be used by WebSphere Portal to connect or bind to the LDAP directory
(again, in our case, the user was wpsbind).
WasPassword: The password assigned to the WebSphere Application Server
administrative user (in our case, the user wpsbind).
LTPAPassword: An LTPA token is the mechanism used to achieve single
sign-on between the Domino 6.5.1 products and WebSphere Portal. As part
of the configuration of the wpconfig.properties file, the token is automatically
created, and a token password must also be specified in the properties file.
To avoid having to specify the password in the wpconfig.properties file,
specify it here on the command line.
Note: In our test environment, we used a password of "password" for all of
these entries.
Note: These instructions configure WebSphere Portal to work with Domino as
an LDAP server only. To configure WebSphere Portal for the 6.5.1
collaborative features, see 8.7, "Additional configuration prerequisites" on
page 465.
Before you modify the wpconfig.properties file
Before modifying the wpconfig.properties file, there are a number of prerequisites
that must be satisfied:
1. Ensure that the LDAP directory is installed and configured with the required
entries (see 8.3.2, "Configuring WebSphere Portal for Domino 6.5.1 LDAP
directory" on page 414). See Figure 8-7 on page 421.
Note: Use LDAP browser software to confirm that the LDAP
directory is configured correctly.
It is useful to configure the LDAP browser to bind to the LDAP directory
with the same user name and password that will be used by WebSphere
Portal (that is, the wpsbind user).
This will ensure that the wpsbind user name and password are correct and
will help in avoiding any security configuration issues (see Figure 8-6 on
page 420 for more details).
Figure 8-6 Configuring the LDAP browser with the WebSphere Portal bind credentials
Note: A useful LDAP browser is available for download at:
http://www.softerra.com
We used it for testing the WebSphere Portal environment in this chapter
(see 7.2, "Tools for understanding your LDAP directory" on page 355 for
more details about LDAP browser tools).
Figure 8-7 Verifying that the LDAP server is set up correctly with an LDAP browser
2. On WebSphere Portal, locate the <wp_root>/config/wpconfig.properties file
and create a backup copy before changing any values.
3. Use a text editor (we used Notepad) to open the
<wp_root>/config/wpconfig.properties file and enter the values appropriate for
your environment (see "WebSphere Application Server properties" on
page 422 for more details about the recommended values).
Tip: For each of the sections in the wpconfig.properties file, there are
helpful comments containing the recommended configuration settings for
various types of LDAP directories, including Domino.
Important: Do not change any settings in the wpconfig.properties file other
than those specified in the following steps.
When editing the wpconfig.properties file, use / instead of \ for all
platforms.
Some values, shown in italics in Table 8-1 on page 422, might need to be
modified to your specific environment.
The wpconfig.properties file has values that can be grouped into five major
sections. The following tables describe the values we used in each of these
sections for our test environment, together with the recommended values if using
a Domino LDAP directory.
Use these tables as a guide to configuring your wpconfig.properties file and
substitute your particular user names and so on where appropriate.
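The rules this section gives for wpconfig.properties (forward slashes only, lowercase RDN prefixes, no spaces in the administrator DNs, passwords kept out of the file, the WasUserid and WasPassword pairing, and the non-SSL versus SSL port) can be checked before WPSconfig is run. The following Python script is an added example, not part of the original Redbook or of WebSphere Portal; the function names, rule labels, and sample file contents are constructed for illustration, and it assumes simple key=value lines.

```python
import re

# Password properties named in this chapter; each can instead be passed to
# WPSconfig as -D<key>=<value>.
PASSWORD_KEYS = ("PortalAdminPwd", "LDAPAdminPwd", "LDAPBindPassword",
                 "WasPassword", "LTPAPassword")
# Properties whose value is a distinguished name (DN).
DN_KEYS = ("WasUserid", "PortalAdminId", "PortalAdminGroupId",
           "LDAPAdminUId", "LDAPBindID")
# DN properties that the tables say should not contain spaces.
NO_SPACE_KEYS = ("WasUserid", "PortalAdminId")

# Captures the attribute type of each RDN, e.g. "cn" and "o" in "cn=wpsbind,o=lotus".
RDN_PREFIX = re.compile(r"(?:^|,)\s*([A-Za-z]+)=")

# Constructed sample for illustration; not a real configuration.
SAMPLE = """\
# wpconfig.properties (constructed excerpt)
WasUserid=CN=wpsbind,o=lotus
WasPassword=
PortalAdminId=cn=wpsadmin,o=lotus
PortalAdminPwd=password
PortalAdminGroupId=cn=wpsadmins
LTPAPassword=
LDAPHostName=ldap.example.com
LDAPPort=389
LDAPBindID=cn=wpsbind,o=lotus
LDAPBindPassword=
"""


def parse_properties(text):
    """Parse simple key=value lines; lines starting with '#' or '!' are comments."""
    props = {}
    for raw in text.splitlines():
        line = raw.strip()
        if not line or line[0] in "#!":
            continue
        # Split on the first '=' only, because DN values contain '=' themselves.
        key, sep, value = line.partition("=")
        if sep:
            props[key.strip()] = value.strip()
    return props


def audit(props, supplied_on_cli=()):
    """Return (rule, property, message) findings; values are never included."""
    findings = []
    for key, value in props.items():
        if "\\" in value:
            findings.append(("backslash", key, "use / instead of \\"))
    for key in PASSWORD_KEYS:
        if props.get(key):
            findings.append(("stored-password", key,
                             "password is stored in the file"))
    for key in DN_KEYS:
        prefixes = RDN_PREFIX.findall(props.get(key, ""))
        if any(p != p.lower() for p in prefixes):
            findings.append(("rdn-case", key,
                             "RDN prefixes should be lowercase"))
    for key in NO_SPACE_KEYS:
        if " " in props.get(key, ""):
            findings.append(("dn-space", key, "value should not contain spaces"))
    # WasUserid and WasPassword must be given together; the password may come
    # from the command line instead of the file.
    has_id = bool(props.get("WasUserid"))
    has_pw = bool(props.get("WasPassword")) or "WasPassword" in supplied_on_cli
    if has_id != has_pw:
        findings.append(("was-pair", "WasUserid",
                         "WasUserid and WasPassword must be set together"))
    if props.get("LDAPPort") == "389":
        findings.append(("ldap-port", "LDAPPort",
                         "389 is the non-SSL port; 636 is the SSL port"))
    return findings


def cli_password_keys(props):
    """List the -D keys to supply on the WPSconfig command line because the
    file leaves those passwords blank or absent."""
    return ["-D" + key for key in PASSWORD_KEYS if not props.get(key)]


if __name__ == "__main__":
    sample_props = parse_properties(SAMPLE)
    for rule, key, message in audit(sample_props):
        print(f"{rule:16} {key:20} {message}")
    print("Supply on the command line:", " ".join(cli_password_keys(sample_props)))
```

Findings carry only the rule, the property name, and a message, so password values are never echoed to the terminal or to a log.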
WebSphere Application Server properties
Table 8-1 describes the specific WebSphere Application Server settings that
should be configured in the wpconfig.properties file.
Table 8-1 WebSphere Application Server settings in the wpconfig.properties file
Property
    Description and recommended value
WasUserid
    This is the user ID for WebSphere Application Server security
    authentication.
    This should be the fully qualified distinguished name (DN).
    Note: If a value is specified for WasUserid, a value must also
    be specified for WasPassword. If WasUserid is left blank,
    WasPassword must also be left blank.
    Note: For LDAP configuration, this value should not contain
    spaces.
    Recommended value for Domino:
    cn=wpsbind,o=<your domain>
WasPassword
    The password for WebSphere Application Server security
    authentication.
    Note: If a value is specified for WasPassword, a value must
    also be specified for WasUserid. If WasPassword is left blank,
    WasUserid must also be left blank.
    Recommended value for Domino: Use a password specific to
    your environment.
WebSphere Portal configuration properties
Table 8-2 describes the specific WebSphere Portal settings that should be
configured in the wpconfig.properties file.
Table 8-2 WebSphere Portal settings in the wpconfig.properties file
Property
    Description and recommended value
PortalAdminId
    The user ID for the WebSphere Portal administrator.
    This should be the fully qualified distinguished name (DN).
    Note: For LDAP configuration, this value should not
    contain spaces.
    Recommended value for Domino:
    cn=<portaladminid>,o=<your domain>
PortalAdminIdShort
    The short form of the user ID for the WebSphere Portal
    administrator, as defined in the PortalAdminId property.
    Recommended value for Domino:
    <portaladminid>
PortalAdminPwd
    The password for the WebSphere Portal administrator, as
    defined in the PortalAdminId property.
    Recommended value for Domino: Use value specific to
    your environment.
PortalAdminGroupId
    The name of the group to which the WebSphere Portal
    administrator belongs.
    Recommended value for Domino:
    cn=wpsadmins
PortalAdminGroupIdShort
    The short form of the group name to which the
    WebSphere Portal administrator belongs as defined in the
    PortalAdminGroupId property.
    Recommended value for Domino:
    wpsadmins (or the user name specific to your environment)
WebSphere Portal security LTPA and SSO configuration
Table 8-3 describes the specific WebSphere Portal settings that should be
configured in the wpconfig.properties file to enable the LTPA token used for
single sign-on between WebSphere Portal and the Domino 6.5.1 products.
Table 8-3 LTPA and SSO settings in the wpconfig.properties file
Property
    Description and recommended value
LTPAPassword
    The password for the LTPA token used in single sign-on.
    Recommended value for Domino: Use a password specific to
    your environment.
LTPATimeout
    Sets the timeout value for the LTPA token.
    Recommended value for Domino:
    120
SSODomainName
    WebSphere Portal and any Domino 6.5.1 servers
    participating in single sign-on (SSO) must be in the same
    DNS domain.
    This value is, therefore, the DNS domain of the servers
    participating in SSO.
    Recommended value for Domino:
    <your company's DNS domain>
LDAP properties configuration
Table 8-4 describes the specific LDAP settings that should be configured in the
wpconfig.properties file.
Table 8-4 LDAP properties configuration in the wpconfig.properties file
Property Description and recommended value
Lookaside The purpose of a Lookaside database is to store attributes
that cannot be stored in the LDAP directory.
You can either install WebSphere Portal with an LDAP
directory only or with LDAP using a Lookaside database.
To enable a Lookaside database, set this property to true.
If you intend to use a Lookaside database, set this value
before configuring security, because it cannot be configured
after security is enabled.
Note: Using a Lookaside database might slow down
performance.
Recommended value for Domino: false
LDAPHostName The host information for the LDAP server that WebSphere
Portal will use, for example, yourserver.yourcompany.com.
Recommended value for Domino: Your
ldapserver_host_name
LDAPPort The port number for the LDAP directory that WebSphere
Portal will use.
Recommended value for Domino (non-SSL): 389
Recommended value for Domino with SSL: 636
LDAPAdminUId The LDAP administrator ID, for example,
LDAPAdminUId=cn=root.
Recommended value for Domino: <LDAP_admin_id>
LDAPAdminPwd The LDAP administrator password.
Recommended value for Domino: Use value specific to your
environment.
Advanced LDAP properties configuration
Table 8-5 describes the advanced LDAP settings that should be
configured in the wpconfig.properties file.
Table 8-5 Advanced LDAP settings in the wpconfig.properties file
Property Description and recommended value
LDAPServerType Type of LDAP Server to be used.
Note: Use the value DOMINO502 for supported Domino 5.x and
Domino 6.x servers.
Recommended value for Domino: DOMINO502
LDAPBindID User ID for LDAP bind authentication.
Recommended value for Domino: Use value specific to your
environment.
For example, cn=wpsbind,ou=yourco,o=com
LDAPBindPassword Password for LDAP bind authentication.
Recommended value for Domino: Use value specific to your
environment.
LDAPUserFilter This key is used to configure the user filter.
Recommended value for Domino:
(&(|(cn=%v)(uid=%v))(objectclass=inetOrgPerson))
LDAPGroupFilter This key is used to configure the group filter.
Recommended value for Domino:
(&(cn=%v)(|(objectclass=groupOfNames)(objectclass=groupOfUniqueNames)))
LDAPSuffix LDAP suffix.
Recommended value for Domino: <none>
LdapUserPrefix DN prefix attribute name for user entries.
Recommended value for Domino: cn
LDAPUserSuffix LDAP suffix.
Recommended value for Domino: <none>
LdapGroupPrefix DN prefix attribute name for user entries.
Recommended value for Domino: cn
LDAPGroupSuffix DN suffix attribute name for group entries.
Recommended value for Domino: <none>
LDAPUserObjectClass User object class corresponding to your directory.
Recommended value for Domino:
Domino 5.x: inetOrgPerson
Domino 6.x: dominoPerson
LDAPGroupObjectClass Group object class corresponding to your directory.
Recommended value for Domino:
Domino 5.x: groupOfNames
Domino 6.x: dominoGroup
LDAPGroupMember Specifies the attribute name of the membership attribute of
your group object class.
Recommended value for Domino: member
LDAPsslEnabled Specifies whether secure socket communications is
enabled to the LDAP server.
Recommended value (non-SSL) for Domino: false
WebSphere Portal security LTPA and SSO configuration
The values in Table 8-6 on page 428 are particularly important, because in order
for the Domino 6.5.1 products to integrate successfully with WebSphere Portal,
single sign-on (SSO) must be correctly configured.
As previously mentioned, the mechanism by which Single Sign-on operates is the
LTPA token, so the LTPA values in Table 8-6 on page 428 must also be correctly
configured.
Table 8-6 Security LTPA and SSO configuration in the wpconfig.properties file
Property Description and recommended value
SSOEnabled Specifies that the single sign-on function is enabled.
Recommended value for Domino: true
SSORequiresSSL Specifies that single sign-on is enabled only when requests are
over HTTPS Secure Sockets Layer (SSL) connections.
Choose false unless SSL is already enabled for WebSphere
Portal.
In most cases, SSL for WebSphere Portal will not yet be in
place.
After SSL for WebSphere Portal is set up, change this value
using the WebSphere Application Server Administrative
Console.
Recommended value for Domino: false or true depending on
your environment.
After you enter the values in these tables, continue with the following steps:
1. Save the file.
2. Open a command prompt and change to the <was_root>/bin directory.
3. Enter the following commands:
startServer server1
stopServer WebSphere_Portal
Important: If you already have an LTPA token and single sign-on configured in
your Domino domain, but now want to incorporate WebSphere Portal, you will
need to import the LTPA key created by WebSphere into the existing Domino
Web Configuration document and overwrite the Domino LTPA key. You must
then replicate the updated Domino Web Configuration document to all other
Domino servers participating in single sign-on.
Refer to Creating a Web SSO Configuration document in the Lotus Domino
Administrator 6.5.1 Help database for more information about configuring
single sign-on and importing the WebSphere LTPA key.
4. Change to the <wp_root>/config directory.
Enter the following command to run the appropriate configuration task for
your specific operating system:
UNIX: ./WPSconfig.sh validate-ldap
Windows: WPSconfig.bat validate-ldap
5. The validate-ldap command will now run and produce output similar to that
shown in Figure 8-8.
Figure 8-8 Validating Domino LDAP configuration
Important: Check the output for any error messages before proceeding
with any additional tasks. If the configuration task fails, verify the
values in the wpconfig.properties file, make any necessary changes, and
run the command again.
6. After you have verified that there are no errors, you now need to enable
security in WebSphere Portal.
Enter the appropriate command to run the configuration task for your specific
operating system:
On UNIX: ./WPSconfig.sh enable-security-ldap
On Microsoft Windows: WPSconfig.bat enable-security-ldap
Important: Check the output for any error messages before proceeding
with any additional tasks. If the configuration task fails, verify the values in
the wpconfig.properties file, make any necessary changes, and run the
command again.
Before running the task again, be sure to stop the WebSphere Portal
application server by entering the following command from the
<was_root>/bin directory and specifying the WebSphere Application
Server user ID and password (as defined by the WasUserid and
WasPassword properties):
stopServer WebSphere_Portal -user <was_admin_userid> -password <was_admin_password>
7. Perform this step only if you want to allow users or portal administrators to
create and modify directory attributes through self-registration and self-care
windows or the Manage Users and Groups portlet:
a. Open the PumaService.properties file. You can find this file in the
<wps_home>/shared/app/config/services directory.
b. Add the line user.sync.remove.attributes=cn.
c. Save the file.
d. Restart WebSphere Portal.
Note: If you do not perform these steps, WebSphere Portal will not be
able to create or update a user by using portal functions because of a
misconfiguration.
8.3.4 Verifying the configuration through WebSphere Portal
After you have completed these configuration steps, browse to the URL of your
WebSphere Portal, for example:
http://<hostname.yourco.com>:<port_number>/wps/portal
Verify that you can log on.
Note: Configuring WebSphere Portal to work with an LDAP directory
automatically enables WebSphere Application Server Global Security. After
security is enabled, you must type the fully qualified host name when
accessing WebSphere Portal and the WebSphere Application Server
Administrative Console.
Security is now enabled
After you have enabled security with your LDAP directory by making the
necessary changes to the wpconfig.properties file and running the WPSConfig
batch file, you will need to provide the user ID and password required for security
authentication on WebSphere Application Server when you perform certain
administrative tasks with WebSphere Application Server.
For example, to stop the WebSphere Portal application server, you would issue
the following command:
stopServer WebSphere_Portal -user <was_admin_userid> -password <was_admin_password>
When you next log on to the WebSphere Application Server Administrative
Console, you will now be prompted for a user ID and password.
Take a moment to look at some of the security and LDAP settings in WebSphere
Application Server.
You will notice values that you specified in the wpconfig.properties file. See
Figure 8-9.
Figure 8-9 WebSphere Application Server LDAP settings
8.3.5 Sample wpconfig.properties file
Example 8-3 is a sample of the five major sections we modified in our
wpconfig.properties file for our test environment.
Use this example for reference and guidance when modifying the properties file
for your WebSphere Portal.
The values in bold represent the values we used in our test environment.
Example 8-3 Sample of the wpconfig.properties file for Domino 6.5.1 LDAP directory
###############################################################################
# WebSphere Application Server Properties - BEGIN
###############################################################################
# VirtualHostName: The name of the WebSphere Application Server virtual host
VirtualHostName=default_host
# WasAdminServer: The name of the WebSphere Application Server administration server (server1)
WasAdminServer=server1
# WasHome: The directory where WebSphere Application Server product files are installed
WasHome=C:/Program Files/WebSphere/AppServer
# WasUserHome: The directory where WebSphere Application Server user data is created
WasUserHome=C:/Program Files/WebSphere/AppServer
# WasUserid: The user ID for WebSphere Application Server security authentication
# CUR: WasUserid=wpsbind
# See LDAP examples below:
# IBM Directory Server: { uid=wpsbind,cn=users,dc=yourco,dc=com }
# Domino: { cn=wpsbind,o=yourco.com }
# Active Directory: { cn=wpsbind,cn=users,dc=yourco,dc=com }
# SunOne:{ uid=wpsbind,ou=people,o=yourco.com }
# Novell eDirectory { uid=wpsbind,ou=people,o=yourco.com }
WasUserid=cn=wpsbind,o=lotus
# WasPassword: The password for WebSphere Application Server security authentication (LDAP and CUR)
WasPassword=password
# WpsInstallLocation: The directory where WebSphere Portal is installed
WpsInstallLocation=C:/Program Files/WebSphere/PortalServer
# CellName: The name of the WebSphere Application Server Cell
CellName=wpsportal
# NodeName: The name of WebSphere Application Server Node
NodeName=wpsportal
# ServerName: The name of application server for WebSphere Portal
ServerName=WebSphere_Portal
# WpsHostName: The name of the WebSphere Portal host
# For example: http://<WpsHostName>:<WpsHostPort>/<WpsContextRoot>/<WpsDefaultHome>
# For example "localhost" in the URL: http://localhost:80/wps/portal
WpsHostName=localhost
# WpsHostPort: The port used by WebSphere Portal
# For example: http://<WpsHostName>:<WpsHostPort>/<WpsContextRoot>/<WpsDefaultHome>
# For example "80" in the URL: http://localhost:80/wps/portal
WpsHostPort=9081
# WpsAdminConsolePort: The port used by WebSphere Admin Console deployed on WebSphere Portal Server
# Note: This property may not be used to reconfigure the WpsAdminConsolePort.
# For example: http://<WpsHostName>:<WpsAdminConsolePort>/admin
# For example "9091" in the URL: http://localhost:9091/admin
WpsAdminConsolePort=
# WpsAppName: The WebSphere Portal application name
WpsAppName=wps
# WpsContextRoot: The WebSphere Portal context root
# For example: http://<WpsHostName>:<WpsHostPort>/<WpsContextRoot>/<WpsDefaultHome>
# For example "wps" in the URL: http://localhost:80/wps/portal
WpsContextRoot=wps
# WpsDefaultHome: The WebSphere Portal default home
# For example: http://<WpsHostName>:<WpsHostPort>/<WpsContextRoot>/<WpsDefaultHome>
# For example "portal" in the URL: http://localhost:80/wps/portal
WpsDefaultHome=portal
# WpsPersonalizedHome: The WebSphere Portal personalized home
# For example: http://<WpsHostName>:<WpsHostPort>/<WpsContextRoot>/<WpsPersonalizedHome>
# For example "myportal" in the URL: http://localhost:80/wps/myportal
WpsPersonalizedHome=myportal
# ContentAccessServiceProxyHost: The HTTP proxy host used by the Content Access Service
ContentAccessServiceProxyHost=
# ContentAccessServiceProxyPort: The HTTP proxy port used by the Content Access Service
ContentAccessServiceProxyPort=
###############################################################################
# WebSphere Application Server Properties - END
###############################################################################
###############################################################################
# Portal Config Properties - BEGIN
###############################################################################
# PortalAdminId: The user ID for the WebSphere Portal Administrator
# DEV (No security): PortalAdminId=uid=<portaladminid>,o=default organization
# CUR: PortalAdminId=uid=<portaladminid>,o=default organization
# See LDAP examples below:
# IBM Directory Server: { uid=<portaladminid>,cn=users,dc=yourco,dc=com }
# Domino: { cn=<portaladminid>,o=yourco.com }
# Active Directory: { cn=<portaladminid>,cn=users,dc=yourco,dc=com }
# SunOne:{ uid=<portaladminid>,ou=people,o=yourco.com }
# Novell eDirectory { uid=<portaladminid>,ou=people,o=yourco.com }
PortalAdminId=cn=wpsadmin,o=lotus
# PortalAdminIdShort: The short WebSphere Portal admin ID
PortalAdminIdShort=wpsadmin
# PortalAdminPwd: The password for the WebSphere Portal Administrator
PortalAdminPwd=password
# PortalAdminGroupId: The group ID for the WebSphere Portal Administrator group
# DEV (No security): PortalAdminGroupId=cn=wpsadmins,o=default organization
# CUR: PortalAdminGroupId=cn=wpsadmins,o=default organization
# See LDAP examples below:
# IBM Directory Server: { cn=wpsadmins,cn=groups,dc=yourco,dc=com }
# Domino: { cn=wpsadmins }
# Active Directory: { cn=wpsadmins,cn=groups,dc=yourco,dc=com }
# SunOne:{ cn=wpsadmins,ou=groups,o=yourco.com }
# Novell eDirectory { cn=wpsadmins,ou=groups,o=yourco.com }
PortalAdminGroupId=cn=wpsadmins,o=lotus
# PortalAdminGroupIdShort: The WebSphere Portal admin group ID
PortalAdminGroupIdShort=wpsadmins
# PortalUniqueID: The 12 hex digits unique to this WebSphere Portal instance.
# Usually a MAC address from a communications adapter on this node
PortalUniqueID=000C296D7E9A
###############################################################################
# Portal Config Properties - END
###############################################################################
##################################################################
#
# WebSphere Portal Security Configuration - BEGIN
#
##################################################################
##################################################################
# WebSphere Portal Security LTPA and SSO configuration
##################################################################
# LTPAPassword: Specifies the password to encrypt and decrypt the LTPA keys.
LTPAPassword=password
# LTPATimeout: Specifies the time period in minutes at which an LTPA token will expire.
LTPATimeout=120
# SSOEnabled: Specifies that the Single Sign-on function is enabled.
SSOEnabled=true
# SSORequiresSSL: Specifies that Single Sign-On function is enabled
# only when requests are over HTTPS Secure Socket Layer (SSL) connections.
SSORequiresSSL=false
# SSODomainName: Specifies the domain name (.ibm.com, for example) for all Single Sign-on hosts.
SSODomainName=.lotus.com
##################################################################
# General Global Security Settings
##################################################################
# Description: The values in this section should only be adapted by advanced users
# useDomainQualifiedUserNames: Specifies the user names to qualify with the security domain within which they reside.
useDomainQualifiedUserNames=false
# cacheTimeout: Specifies the timeout value in seconds for security cache.
cacheTimeout=600
# issuePermissionWarning: Specifies that when the Issue permission warning is enabled, during application deployment
# and application start, the security run time emits a warning if applications are granted any custom permissions.
issuePermissionWarning=true
# activeProtocol: Specifies the active authentication protocol for RMI/IIOP requests when security is enabled.
activeProtocol=BOTH
# activeAuthMechanism: Specifies the active authentication mechanism, when security is enabled.
activeAuthMechanism=LTPA
##################################################################
# LDAP Properties Configuration - BEGIN
##################################################################
# LookAside: To configure LDAP with an additional LookAside Database
# true - LDAP + Lookaside database
# false - only LDAP
LookAside=false
# LDAPHostName: The LDAP server hostname
LDAPHostName=domino651.lotus.com
# LDAPPort: The LDAP server port number
# For example, 389 for non-SSL or 636 for SSL
LDAPPort=389
# LDAPAdminUId: The LDAP administrator ID
LDAPAdminUId=cn=wpsbind,o=lotus
# LDAPAdminPwd: The LDAP administrator password
LDAPAdminPwd=password
# LDAPServerType: The type of LDAP server to be used for WebSphere Portal
# IBM Directory Server: { IBM_DIRECTORY_SERVER }
# Domino: { DOMINO502 }
# Active Directory: { ACTIVE_DIRECTORY }
# SunOne: { IPLANET }
# Novell eDirectory: { NDS }
# Note: use IPLANET for SunONE
LDAPServerType=DOMINO502
#LDAPBindID: The user ID for LDAP Bind authentication
# See LDAP examples below:
# IBM Directory Server: { uid=wpsbind,cn=users,dc=yourco,dc=com }
# Domino: { cn=wpsbind,o=yourco.com }
# Active Directory: { cn=wpsbind,cn=users,dc=yourco,dc=com }
# SunOne: { uid=wpsbind,ou=people,o=yourco.com }
# Novell eDirectory { uid=wpsbind,ou=people,o=yourco.com }
LDAPBindID=cn=wpsbind,o=lotus
#LDAPBindPassword: The password for LDAP Bind authentication
LDAPBindPassword=password
##################################################################
# LDAP Properties Configuration - END
##################################################################
################################################################
# Advanced LDAP Configuration - BEGIN
################################################################
# LDAPSuffix: The LDAP suffix appropriate for your LDAP server
# IBM Directory Server: { dc=yourco,dc=com }
# Domino value is null
# Domino: { }
# Active Directory: { dc=yourco,dc=com }
# SunOne: { o=yourco.com }
# Novell eDirectory { o=yourco.com }
LDAPSuffix=
# LdapUserPrefix: The LDAP user prefix appropriate for your LDAP server
# IBM Directory Server: { uid }
# Domino: { cn }
# Active Directory: { cn }
# SunOne: { uid }
# Novell eDirectory { uid }
LdapUserPrefix=cn
# LDAPUserSuffix: The LDAP user suffix appropriate for your LDAP server
# IBM Directory Server: { cn=users }
# Domino: { o=yourco.com }
# Active Directory: { cn=users }
# SunOne: { ou=people}
# Novell eDirectory { ou=people }
LDAPUserSuffix=o=lotus
# LdapGroupPrefix: The LDAP group prefix appropriate for your LDAP server
# IBM Directory Server: { cn }
# Domino: { cn }
# Active Directory: { cn }
# SunOne: { cn }
# Novell eDirectory { cn }
LdapGroupPrefix=cn
# LDAPGroupSuffix: The LDAP group suffix appropriate for your LDAP server
# IBM Directory Server: { cn=groups }
# Domino value is null
# Domino: { }
# Active Directory: { cn=groups }
# SunOne: { ou=groups }
# Novell eDirectory { ou=groups }
LDAPGroupSuffix=
# LDAPUserObjectClass: The LDAP user object class appropriate for your LDAP server
# IBM Directory Server: { inetOrgPerson }
# Domino: { inetOrgPerson }
# Active Directory: { user }
# SunOne: { inetOrgPerson }
# Novell eDirectory { inetOrgPerson }
LDAPUserObjectClass=dominoPerson
# LDAPGroupObjectClass: The LDAP group object class appropriate for your LDAP server
# IBM Directory Server: { groupOfUniqueNames }
# Domino: { groupOfNames }
# Active Directory: { group }
# SunOne: { groupOfUniqueNames }
# Novell eDirectory { groupOfNames }
# Shared UserRegistry with WebSeal/TAM: { accessGroup }
LDAPGroupObjectClass=dominoGroup
# LDAPGroupMember: The LDAP group member attribute name appropriate for your LDAP server
# IBM Directory Server: { uniqueMember }
# Domino: { member }
# Active Directory: { member }
# SunOne: { uniqueMember }
# Novell eDirectory { uniqueMember }
# Shared UserRegistry with WebSeal/TAM: { member }
LDAPGroupMember=member
# LDAPUserFilter: The LDAP user filter appropriate for your LDAP server (to work with default values in WMM)
#IBM Directory Server: { (&(uid=%v)(objectclass=inetOrgPerson)) }
#Domino: { (&(|(cn=%v)(uid=%v))(objectclass=inetOrgPerson)) }
#Active Directory: { (&(|(cn=%v)(samAccountName=%v))(objectclass=user)) }
#SunOne: { (&(uid=%v)(objectclass=inetOrgPerson)) }
#Novell eDirectory { (&(uid=%v)(objectclass=inetOrgPerson)) }
LDAPUserFilter=(&(|(cn=%v)(uid=%v))(objectclass=inetOrgPerson))
# LDAPGroupFilter: The LDAP group filter appropriate for your LDAP server (to work with default values in WMM)
#IBM Directory Server: { (&(cn=%v)(objectclass=groupOfUniqueNames)) }
#Domino: { (&(cn=%v)(|(objectclass=groupOfNames)(objectclass=groupOfUniqueNames))) }
#Active Directory: { (&(cn=%v)(objectclass=group)) }
#SunOne { (&(cn=%v)(objectclass=groupOfUniqueNames)) }
#Novell eDirectory { (&(cn=%v)(objectclass=groupOfUniqueNames)) }
LDAPGroupFilter=(&(cn=%v)(|(objectclass=groupOfNames)(objectclass=groupOfUniqueNames)))
# LDAPGroupMinimumAttributes: This attribute is loaded for group search (performance issues)
LDAPGroupMinimumAttributes=
# LDAPUserBaseAttributes: These attributes are loaded for user login (performance issues)
LDAPUserBaseAttributes=givenName,sn,preferredLanguage
# LDAPUserMinimumAttributes: These attributes are loaded for user search (performance issues)
LDAPUserMinimumAttributes=
#LDAPsearchTimeout: Specifies the timeout value in seconds for an LDAP server to respond before aborting a request.
LDAPsearchTimeout=120
#LDAPreuseConnection: Should set to true by default to reuse the LDAP connection.
# { false | true }
LDAPreuseConnection=true
#LDAPIgnoreCase: Specifies that a case insensitive authorization check is performed.
# { false | true }
LDAPIgnoreCase=true
#LDAPsslEnabled: Specifies whether secure socket communications is enabled to the LDAP server.
# { false | true }
# Set to true if configuring LDAP over SSL
LDAPsslEnabled=false
################################################################
# Advanced LDAP Configuration - END
################################################################
##################################################################
# LDAP Properties - END
##################################################################
##################################################################
#
# WebSphere Portal Security Configuration - END
#
##################################################################
8.4 Configuring WebSphere Portal for Lotus Instant Messaging
Configuring WebSphere Portal to use Lotus Instant Messaging and Web
Conferencing (formerly called Sametime) involves modifying values in the
CSEnvironment.properties file located on WebSphere Portal.
8.4.1 General tips for modifying the CSEnvironment.properties file
To modify the CSEnvironment.properties file, complete the following steps:
1. Stop WebSphere Portal.
2. Edit the csenvironment.properties file (located in the
wp_root\shared\app\config directory by default) to include the desired values.
3. Remove the comment tag (#) from the beginning of each line.
4. Save the changes.
5. Restart WebSphere Portal.
Note: The following instructions assume that you are using Lotus Instant
Messaging and Web Conferencing 6.5.1 with WebSphere Portal 5.0.
For further information about the settings described in this section (in
particular the settings to configure if you are using multiple directories and
how to handle duplicate names), refer to the WebSphere Portal 5.0.2
Information Center, available at:
http://publib.boulder.ibm.com/pvc/wp/502/ent/en/InfoCenter/index.html
8.4.2 Additional configuration required for Lotus Instant Messaging
This section contains information for setting Lotus Instant Messaging and Web
Conferencing-related values in the CSEnvironment.properties file.
Specify to use the LTPA token for logging on to Lotus Instant Messaging and Web Conferencing
You can override the credential settings in the CSEnvironment.properties file to
enable an LTPA token for logging on to Lotus Instant Messaging and Web
Conferencing.
By default, an internal Lotus Instant Messaging and Web Conferencing (formerly
Sametime) token is used.
To override this setting so that the LTPA token will be used, you must change the
setting for CS_SERVER_SAMETIME_1.useLTPAToken to true and remove the pound
sign (#) at the beginning of the line.
The following example shows the syntax:
CS_SERVER_SAMETIME_1.useLTPAToken=true
Note: If CS_SERVER_CUSTOM_CRED.enabled is set to true, and the value for
CS_SERVER_CUSTOM_CRED.ssoTokenAttrib is set, the token that is set will be
used for logging on to Lotus Instant Messaging and Web Conferencing
instead of the LTPA token.
Specify server connection properties for Lotus Instant Messaging and Web Conferencing
The following Lotus Instant Messaging and Web Conferencing settings relate to
the server-to-server connection between WebSphere Portal and the Instant
Messaging and Web Conferencing server.
The sole purpose of this connection is to obtain the Instant Messaging and Web
Conferencing tokens that are used to log users on to Lotus Instant
Messaging and Web Conferencing from their Web browsers.
Specify the following server connection properties:
Port through which the Instant Messaging and Web Conferencing server
should connect:
CS_SERVER_SAMETIME_1.serverappPort
To connect directly to the server, a value for the port can be set explicitly, for
example: CS_SERVER_SAMETIME_1.serverappPort=1516.
Instant Messaging and Web Conferencing reconnect interval:
CS_SERVER_SAMETIME_1.reconnect
Use this to change the reconnect interval in seconds to the Instant Messaging
and Web Conferencing server after being disconnected or not connected, for
example: CS_SERVER_SAMETIME_1.reconnect=10. Use 0 to indicate that a
reconnection should not be attempted. If not set, the internal default of 30
seconds is used.
Sametime timeout value:
CS_SERVER_SAMETIME_1.timeout
This is the maximum amount of time in seconds to wait for a response from
the Instant Messaging and Web Conferencing server. If not set, the internal
default of 60 seconds is used. For example:
CS_SERVER_SAMETIME_1.timeout=120.
Specify the name format to use when resolving the portal user with the Instant
Messaging and Web Conferencing server:
CS_SERVER_SAMETIME_1.nameFormatForResolve
This setting is important for resolving name formats between two user
registries that use different schemas. For example, if the user registry for
Lotus Instant Messaging and Web Conferencing is native Domino Directory,
and the user registry for the portal is an LDAP directory, such as IBM
Directory Server, setting the nameFormatForResolve value will resolve name
mapping issues between Lotus Instant Messaging and Web Conferencing
and the portal.
Valid values include cn, dn, and loginName, for example:
CS_SERVER_SAMETIME_1.nameFormatForResolve=dn.
Important: The loginName or cn value must be used if you are using
multiple directories. For example:
WebSphere Portal points to a user directory and Lotus Instant
Messaging and Web Conferencing is using its own Domino Directory.
Domino Directory contains mapping entries to the WebSphere Portal
user directory (DN, cn, and uid, explicitly). See 8.9, Integrating Domino
6.5.1 into an existing portal on page 480 for more details about name
mapping.
Specify the character to use to separate distinguished names:
CS_SERVER_SAMETIME_1.dnNameSeparator
The value is a character that is used to resolve names with the Instant
Messaging and Web Conferencing server and the name used to log on to
Lotus Instant Messaging and Web Conferencing from a browser. A valid
value is the single character comma (,) or slash (/). For example:
CS_SERVER_SAMETIME_1.dnNameSeparator=,
8.4.3 Instant Messaging and Web Conferencing with two directories
In this section, we introduce how to address environments that use both the
native Domino Directory and an LDAP directory for WebSphere Portal.
Lotus Instant Messaging and Web Conferencing with Domino
Directory and WebSphere Portal using LDAP directory
The following instructions are required for environments where WebSphere
Portal and Lotus Instant Messaging and Web Conferencing are configured to
work together so that portlets can use People Awareness. However, Lotus
Instant Messaging and Web Conferencing uses the native Domino Directory, and
WebSphere Portal uses an LDAP server (such as Microsoft Active Directory or
IBM Directory Server) that is different from the Domino Directory that is used by
Lotus Instant Messaging and Web Conferencing.
In this situation, two values in the CSEnvironment.properties file must be
changed so that People Awareness will work properly.
After you make these changes, name mapping issues between the Instant
Messaging and Web Conferencing server and WebSphere Portal will resolve.
Perform the following steps:
1. Stop WebSphere Portal.
2. Open the CSEnvironment.properties file. The CSEnvironment.properties file
is installed in the wp_root\shared\app\config directory by default.
3. Locate the property CS_SERVER_SAMETIME_1.nameFormatForResolve.
Perform the following steps:
a. Remove the comment tag (#) from the beginning of the line if a comment
tag is present.
b. Change the value for this property to loginName or cn, for example,
CS_SERVER_SAMETIME_1.nameFormatForResolve=loginName.
Note: The value loginName is the preferred setting. The value
loginName in the LDAP directory for Portal should be present in the
Domino Directory as the Short Name/UserID field. If cn is specified, the
Common Name in the LDAP directory for Portal should be present in
the Domino Directory, as one of the entries in the User Name field.
Important tip: Domino servers use slashes / in the distinguished name.
c. Locate the property CS_SERVER_SAMETIME_1.dnNameSeparator.
Perform the following steps:
i. Remove the comment tag (#) from the beginning of the line if a
comment tag is present.
ii. Change the value for this property to /, for example,
CS_SERVER_SAMETIME_1.dnNameSeparator=/.
4. Save and close the CSEnvironment.properties file.
5. Restart WebSphere Portal so that the changes take effect.
8.4.4 Sample CSEnvironment.properties file
Example 8-4 shows the CSEnvironment.properties file that we configured for our
test environment.
In our test environment, both Lotus Instant Messaging and Web Conferencing
and WebSphere Portal were using the same LDAP directory (IBM Directory
Server).
Use this example for reference and guidance when modifying the properties file
for your WebSphere Portal.
Tip: For each of the sections in the CSEnvironment.properties file, there are
helpful comments explaining what each of the values is for.
Note: For ease of reading, in Example 8-4 on page 444, we removed many of
these comments.
Example 8-4 Sample of the CSEnvironment.properties file
##############################################################
# This will always be true in the Portal
##############################################################
CS_SERVER_WEBSPHERE_PORTAL_EXTEND.enabled=true
##############################################################
#
# SAMETIME properties
# If Sametime is enabled, the required settings must be filled in.
##############################################################
#
# Required settings
#
CS_SERVER_SAMETIME.enabled=true
CS_SERVER_SAMETIME_1.hostname=bscst.cam.itso.ibm.com
CS_SERVER_SAMETIME_1.version=3.0
# The protocol and port that the ST server uses
# to serve up HTML, CSS and JavaScript files, etc.
CS_SERVER_SAMETIME_1.protocol=http
CS_SERVER_SAMETIME_1.port=80
# Class that provides the ST user login name, token, and whether ST is enabled
for this user
CS_SERVER_SAMETIME_1.initclass=com.lotus.cs.stserverapp.STUtil
#
# Optional advanced settings
#
CS_SERVER_SAMETIME_1.useLTPAToken=true
# CS_SERVER_SAMETIME_1.serverappPort=1516
# CS_SERVER_SAMETIME_1.reconnect=10
# CS_SERVER_SAMETIME_1.timeout=50
# CS_SERVER_SAMETIME_1.nameFormatForResolve=dn
# CS_SERVER_SAMETIME_1.dnNameSeparator=,
##############################################################
#
# DOMINO DIRECTORY properties
# (LDAP server)
# Important:
# Should always point to a Domino Server.
# Leave enabled flag as true.
# Use the custom_ldap_* settings to point to a any LDAP Server to
# get user information.
##############################################################
CS_SERVER_DOMINO_DIRECTORY.enabled=true
CS_SERVER_DOMINO_DIRECTORY_1.hostname=bscdom.cam.itso.ibm.com
CS_SERVER_DOMINO_DIRECTORY_1.port=389
446 Lotus Domino 6.5.1 and Extended Products
CS_SERVER_DOMINO_DIRECTORY_1.ssl=false
CS_SERVER_DOMINO_DIRECTORY_1.anonymous=true
# Optional LDAP User credential overrides
# default - uses Portal credentials or anonymous
# Use tool PropFileEncoderPassword.bat to encrypt the password and copy
# the encrypted password to this file.
#CS_SERVER_DOMINO_DIRECTORY_1.userid=username
#CS_SERVER_DOMINO_DIRECTORY_1.encryptedpwd=pwd
##############################################################
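The name-mapping changes from 8.4.3 and the directory settings visible in Example 8-4 can be checked before WebSphere Portal is restarted. The following Python code is an added example, not part of this book or of any IBM tool; the function names, finding codes, and the separate_directories switch are assumptions, and the sample text is a constructed excerpt of Example 8-4.

```python
"""Audit CSEnvironment.properties for the settings discussed in 8.4.3 and Example 8-4."""

# Constructed sample: an excerpt of Example 8-4, with the name-mapping
# properties still commented out as they are in that listing.
SAMPLE = """\
CS_SERVER_SAMETIME.enabled=true
CS_SERVER_SAMETIME_1.hostname=bscst.cam.itso.ibm.com
CS_SERVER_SAMETIME_1.protocol=http
CS_SERVER_SAMETIME_1.port=80
CS_SERVER_SAMETIME_1.useLTPAToken=true
# CS_SERVER_SAMETIME_1.nameFormatForResolve=dn
# CS_SERVER_SAMETIME_1.dnNameSeparator=,
CS_SERVER_DOMINO_DIRECTORY.enabled=true
CS_SERVER_DOMINO_DIRECTORY_1.hostname=bscdom.cam.itso.ibm.com
CS_SERVER_DOMINO_DIRECTORY_1.port=389
CS_SERVER_DOMINO_DIRECTORY_1.ssl=false
CS_SERVER_DOMINO_DIRECTORY_1.anonymous=true
# default - uses Portal credentials or anonymous
#CS_SERVER_DOMINO_DIRECTORY_1.userid=username
#CS_SERVER_DOMINO_DIRECTORY_1.encryptedpwd=pwd
"""

ST = "CS_SERVER_SAMETIME_1."            # key prefixes as they appear in Example 8-4
DD = "CS_SERVER_DOMINO_DIRECTORY_1."


def parse_properties(text):
    """Split the file into live properties and '#key=value' lines that are commented out.

    Only the '#' comment marker and '=' separator used in Example 8-4 are handled.
    """
    active, commented = {}, {}
    for raw in text.splitlines():
        line = raw.strip()
        target = active
        if line.startswith("#"):
            line = line.lstrip("#").strip()
            target = commented
        key, sep, value = line.partition("=")
        key = key.strip()
        if not sep or not key or " " in key:   # banner or prose comment, not a property
            continue
        target[key] = value.strip()
    return active, commented


def audit(text, separate_directories):
    """Return a list of (code, message) findings.

    separate_directories (an assumption of this example) is True when WebSphere
    Portal uses an LDAP directory other than the Domino Directory used by
    Lotus Instant Messaging and Web Conferencing, the situation described in 8.4.3.
    """
    active, commented = parse_properties(text)
    findings = []
    if separate_directories:
        required = {ST + "nameFormatForResolve": ("loginName", "cn"),
                    ST + "dnNameSeparator": ("/",)}
        for key, allowed in required.items():
            want = " or ".join(allowed)
            if key not in active:
                state = "commented out" if key in commented else "missing"
                findings.append(("NAME-MAPPING", f"{key} is {state}; set it to {want}"))
            elif active[key] not in allowed:
                findings.append(("NAME-MAPPING", f"{key}={active[key]}; set it to {want}"))
    if active.get(DD + "ssl", "").lower() == "false":
        findings.append(("LDAP-CLEARTEXT",
                         f"directory lookups on port {active.get(DD + 'port', '?')} are not SSL-protected"))
    if active.get(DD + "anonymous", "").lower() == "true":
        findings.append(("LDAP-ANONYMOUS",
                         "anonymous bind in use; the directory must expose user entries to anonymous readers"))
    if DD + "userid" in active and active.get(DD + "encryptedpwd", "pwd") == "pwd":
        findings.append(("LDAP-CREDENTIAL",
                         "userid is set but encryptedpwd is missing or still the placeholder"))
    if active.get(ST + "protocol", "").lower() == "http":
        findings.append(("HTTP-CLEARTEXT", "Sametime web content is served over plain HTTP"))
    return findings


if __name__ == "__main__":
    for code, message in audit(SAMPLE, separate_directories=True):
        print(f"{code:16} {message}")
```
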
8.5 Prerequisites for installing the Domino 6.5.1 portlets
In order to integrate the Domino 6.5.1 products into WebSphere Portal, it is first
necessary to upgrade both WebSphere Application Server and WebSphere
Portal to Version 5.0.2.
The upgrade must be done carefully. If it is done incorrectly, it can result in
a loss of functionality in WebSphere Portal or, in the worst case, prevent
WebSphere Portal from starting.
There are a number of fixes and fix packs that need to be applied to both
WebSphere Application Server and WebSphere Portal in order to bring them
both up to Version 5.0.2.
The typical steps to upgrade WebSphere Portal to Version 5.0.2 are:
1. Verify your current versions of WebSphere Application Server and
WebSphere Portal.
2. Download the appropriate fix packs and fixes for the versions of WebSphere
Application Server and WebSphere Portal that you are currently running.
3. Copy the fixes and fix packs to the server running WebSphere Portal in the
location specified in the documentation that accompanies the fix packs or
fixes.
4. Shut down the server and install the fix packs and fixes necessary to upgrade
WebSphere Application Server to Version 5.0.2 first.
5. Then, run the fix packs and fixes necessary to upgrade WebSphere Portal to
Version 5.0.2.
In our test environment, we were running WebSphere Application Server
Enterprise Version 5.0.1 and WebSphere Portal Version 5.0.
At the time of writing, we required the following fix packs and fixes to upgrade
both WebSphere Application Server and WebSphere Portal from these versions to
Version 5.0.2.
They appear in the order in which we applied them to our test WebSphere Portal
(which was running Windows 2000 server).
1. was50_fp2_win (WebSphere Application Server Enterprise Fix Pack 2 for
Windows)
2. was50_pme_fp2_win (WebSphere Application Server Enterprise fixes for
Windows)
3. was502windows (WebSphere Application Server Enterprise 5.0.2 fixes for
Windows)
4. wpsfixpak2 (WebSphere Portal Fix Pack 2 for Windows)
Verifying WebSphere Application Server and WebSphere Portal versions
Fixes and fix packs are constantly updated, so it is important to ensure that you
have the latest and correct ones for the versions of WebSphere Application
Server and WebSphere Portal that you are currently running.
Before installing any fix packs, make sure that you verify what your current
versions of WebSphere Application Server and WebSphere Portal are so that
you download and install the correct fix packs.
The versions you are currently running can easily be verified by logging on to the
WebSphere Administrative Console and logging on to WebSphere Portal itself.
For WebSphere Application Server, it is also important to know what type of
WebSphere Application Server you are running, that is, Base, Network
Deployment, or Enterprise.
Important: The fix packs and fixes listed here are specific to the WebSphere
Application Server and WebSphere Portal versions we used in our test
environment and are only included here as a guide.
The fix packs and fixes for your particular environment might differ depending
on your operating system and the versions of WebSphere Application Server
and WebSphere Portal you are currently running.
It is, therefore, essential that you download and install the correct fixes and fix
pack versions for your environment.
Figure 8-10 shows how logging on to the WebSphere Administrative Console
gives you the necessary version and type information. As you can see, in our test
environment, we were running the Enterprise type of WebSphere Application
Server and the version number was 5.0.1.
Figure 8-10 Verifying the version of WebSphere Application Server
Logging on to WebSphere Portal and looking at the About WebSphere Portal
portlet (Figure 8-11) will also tell you what version of WebSphere Portal you are
currently running.
Figure 8-11 Verifying the version of WebSphere Portal
Downloading the correct fix packs and fixes
Fixes and fix packs for WebSphere Application Server can be downloaded at the
WebSphere Application Server zone, available at:
http://www.ibm.com/developerworks/websphere/zones/was/
In the Download Software section, click the WebSphere Application Server
code fixes link and search for the fixes and fix packs you require to bring your
current WebSphere Application Server server up to Version 5.0.2.
Fixes and fix packs for WebSphere Portal can be downloaded from the
WebSphere Portal zone, available at:
http://www.ibm.com/developerworks/websphere/zones/portal
Again, search for the fixes and fix packs required to bring your current
WebSphere Portal up to Version 5.0.2.
After they are downloaded and expanded, each of the fix packs and fixes comes
with a set of installation instructions (in the doc subdirectory) and a very
important readme_updateinstaller file that contains specific details about the fix
pack and how to install it in your particular environment. See Figure 8-12 on
page 450.
Important: It is vital that you fully read the instructions contained in the
readme_updateinstaller file and any other accompanying fix pack
documentation before proceeding.
This is because the installation of a particular fix or fix pack will vary
depending on a number of factors such as your current version of WebSphere
Application Server and WebSphere Portal, the operating system you are
using, and whether or not your WebSphere Portal is a new installation or if it is
already part of an existing WebSphere installation (or cell as it is commonly
referred to).
Figure 8-12 Example of the instructions in the readme_updateinstaller file
Installing the fix packs and fixes
After you download the fix packs and fixes specific to your environment, copy the
expanded fixes and fix pack directories to the server running WebSphere Portal.
There are two methods of applying fix packs or fixes. The first method is using
the command line, and the second method is through an update wizard.
Details of both methods can be found in the readme_updateinstaller file that
accompanies the particular fix pack or fix.
In our test environment, we used the update wizard method, which is invoked
through a batch file, as seen in Figure 8-13 on page 451.
Figure 8-13 Launching the update wizard batch file
After the batch file is successfully invoked, the remainder of the fix pack
installation is carried out through a wizard.
The update wizard provides an easy-to-use interface that is common to applying
both fix packs and fixes.
It is also possible to use the update wizard to uninstall fixes and fix packs in the
event you encounter a problem.
Figure 8-14 on page 452 shows the update wizard prompting for the location of
the particular fix pack to be applied.
Tip: If you receive an error message when running the update wizard batch
file, you will probably need to specify the JAVA_HOME environment variable
correctly.
This environment variable can be set by running a script (appropriate to your
operating system) in the /bin directory of the WebSphere Application Server.
Details about how to specify this environment variable and which script to run
can be found in the readme_updateinstaller file that accompanies the fix or fix
pack.
Figure 8-14 Identifying the fix pack directory
After the correct location for the fix pack has been specified, the update wizard
displays the relevant details, as shown in Figure 8-15.
Figure 8-15 Displaying fix pack details
In the event that the fix pack you have specified is not correct for the current
version of WebSphere Application Server or WebSphere Portal, the update
wizard will prompt you with the error shown in Figure 8-16 on page 453.
Figure 8-16 Error if the fix pack is not correct
In this case, browse to the location of the correct fix or fix pack and try again.
Alternatively, you might have downloaded the incorrect fix or fix pack, in which
case, refer back to the WebSphere Application Server zone or WebSphere
Portal zone Web sites and find the correct one.
As previously mentioned, the update wizard provides a common interface for
installing fixes and fix packs. It also provides the ability to uninstall them, as
shown in Figure 8-17.
Figure 8-17 Installing or uninstalling fixes and fix packs
As with installing fix packs, when installing WebSphere Application Server or
WebSphere Portal fixes, the update wizard provides a detailed summary of the
specific fixes that will be applied (see Figure 8-18 on page 454).
Note: Sometimes applying a fix also results in the removal of other fixes that
are no longer required. The update wizard also gives details of any fixes that
will be removed.
Figure 8-18 Details of fixes that will be applied
Figure 8-19 shows an example of applying a fix pack using a command line.
Figure 8-19 Applying a fix pack using the command line
Full details of the correct syntax and appropriate flags to use can be found in the
readme_updateinstaller file that accompanies the particular fix pack that you are
applying.
After you have applied the necessary fixes and fix packs, restart WebSphere
Portal and verify that it is now Version 5.0.2 by looking at the About WebSphere
Portal portlet (Figure 8-20).
Figure 8-20 Confirming that WebSphere Portal is now Version 5.0.2
8.6 Installing the 6.5.1 Extended Products portlets
This section describes the IBM Lotus Notes/Domino and Extended Products
portlets and provides instructions for installing the portlets on WebSphere Portal.
Several sample portal pages that incorporate some of the portlets are also
installed to show you the look and feel of the portal environment.
8.6.1 Downloading the Domino 6.5.1 portlets
The Domino 6.5.1 Extended Products portlets can be downloaded from the
WebSphere Portal and Lotus Workplace Catalog, available at:
http://catalog.lotus.com/wps/portal/portalworkplace
These portlets come with sample portal pages that integrate all core messaging
and collaborative applications into a portal user interface.
The sample pages show how users in a portal environment can collaborate using
portlets that rely on Lotus Notes/Domino and its Extended Products. Thus, the
new release of Lotus Notes/Domino 6.5.1 is a bridge to the world of J2EE and
open standards, extending Domino's capabilities by providing the means to
connect different sources of data, regardless of vendor.
These portlets include standard Lotus Notes and Domino features, such as
e-mail, calendar and scheduling, discussion, teamrooms, and to-dos, as well as
the Notes View capability that lets you work with the documents from any view of
any Lotus Notes database.
Portlets based on the Domino Extended Products let you conduct Web
conferences, manage documents, see a list of your team workplaces, find people
in your company directory, use other Domino applications as portlets, and more.
8.6.2 Installing the portlets and sample pages
After WebSphere Portal has been upgraded to Version 5.0.2, complete the
following steps to install the Domino 6.5.1 Extended Products portlets and
sample pages:
1. Download the Lotus Notes/Domino and Extended Products 6.5.1 portlets
from the WebSphere Portal and Lotus Workplace Catalog, available at:
http://catalog.lotus.com/wps/portal/portalworkplace
2. On WebSphere Portal, create the <wp_root>/EPPUpdate directory, and copy
the extracted Notes/Domino and Extended Product portlets files into that
directory.
3. Verify that the WAS_HOME and WPS_HOME environment variables are set.
If not, you can specify them in the Deploy command line with the following
parameters:
-washome <wasHomeDirectory>
-wpshome <wpsHomeDirectory>
4. Make sure that WebSphere Portal is running.
5. To deploy the portlets and sample pages, run the following command from
the previously created EPPUpdate directory (see Figure 8-21 on page 458):
Deploy [-f] [-v] <serverdns:port> <wpsadmin> <wpspassword> [<nodename>]
([-portlets] | [-samplepages])
Table 8-7 on page 457 shows the parameter values.
Note: Directory names that contain space characters need to be enclosed
in double quotation marks.
Table 8-7 Parameter values
Parameter        Description
serverdns:port   The DNS address and port of WebSphere Portal, for example,
                 wpsportal.lotus.com:9081.
wpsadmin         The administrative user for WebSphere Portal.
wpspassword      The administrative password for WebSphere Portal.
nodename         The name of the WebSphere Application node. This should be the
                 same as the host name of your WebSphere Portal.
                 The node name will appear as a subdirectory under
                 <wasHomeDirectory>/installedApps.
                 If this name is different than your host name, enter the node name.
-portlets        Deploys only the portlets.
-samplepages     Deploys only the sample pages.
-f               Forces a copy of the portlets or theme. Normally, the deployer only
                 copies files if they are not already present on WebSphere Portal. If
                 you already deployed the portlets or the theme and need to refresh
                 the files, you can use this flag to force the files to copy again.
-v               Verbose mode.
Tip: You can also simply enter Deploy and press Enter, and you will be
prompted for each parameter.
For example, the following command deploys the portlets and the sample
pages to a server called wpsportal:
deploy wpsportal.lotus.com:9081 wpsadmin wpsadmin
You can also specify the server, administrative user, and administrator
password using the following parameters:
-s <server dns name>
-u <admin user>
-p <admin password>
Enter the parameter -h to display command line help.
Figure 8-21 Installing the Domino 6.5.1 portlets and sample pages
6. Log on to WebSphere Portal and select My Workplace to confirm that the
sample portal pages and portlets have deployed (see Figure 8-22).
Figure 8-22 Verifying that 6.5.1 portlets and sample pages are installed correctly
8.6.3 Establishing SSO before configuring Domino 6.5.1 portlets
As previously mentioned in this chapter, establishing single sign-on (SSO) is a
necessary configuration step before configuring any of the Domino 6.5.1 portlets.
Single sign-on between WebSphere Portal and the Domino 6.5.1 products relies
on an LTPA token, which can be issued by any server that is participating in the
single sign-on and which is then passed on to the user's browser (in the form of a
cookie).
This cookie enables a user to access WebSphere Portal and any of the Domino
6.5.1 products through a browser by only logging on once.
Detailed information about how to configure SSO for WebSphere Portal can be
found in the WebSphere Application Server Information Center, available at:
http://www.ibm.com/software/webservers/appserv/infocenter.html
Detailed information about how to configure SSO for the Domino 6.5.1
products can be found in Configuring single sign-on (SSO) on page 102.
Important: When WebSphere Portal and any of the Domino 6.5.1 products
participate together in single sign-on, the LTPA key must not be created in
Domino (as shown in Figure 4-12 on page 102).
The LTPA key must first be created in WebSphere Application Server,
exported as a file, and then imported into the Domino Web Configuration
document.
See the WebSphere Application Server Information Center for more details
about how to create and export the LTPA key, available at:
http://www.ibm.com/software/webservers/appserv/infocenter.html
If you already have an LTPA token and single sign-on configured in your
Domino domain, but now want to incorporate WebSphere Portal, you will need
to import the LTPA key created by WebSphere into the existing Domino Web
Configuration document and overwrite the Domino LTPA key.
You must then replicate the updated Domino Web Configuration document to
all other Domino servers participating in single sign-on.
Refer to Creating a Web SSO Configuration document in the Lotus Domino
Administrator 6.5.1 Help database for more information about configuring
single sign-on and importing the WebSphere LTPA key.
8.6.4 Testing single sign-on (SSO)
After SSO has been configured between WebSphere Portal and the Domino
6.5.1 products, it is important to test that it is working correctly before attempting
to configure any of the Domino 6.5.1 portlets.
If SSO is not working, many of the portlets will either prompt the user to
re-authenticate, or in many cases, will generate an error.
Use the following steps to test that single sign-on between the Domino 6.5.1
products and WebSphere Portal is working correctly:
1. You will need to change your browser settings to prompt for cookies. For
Microsoft Internet Explorer 6, select Tools → Internet Options → Privacy
and click the Advanced button. You should then see the window shown in
Figure 8-23.
Figure 8-23 Setting Internet Explorer 6 to prompt for cookies
2. Enter a suitable URL. In this example, the URL is for the administrator's mail
file, which has been created with the Domino Web Access template.
3. Log on as usual (see Figure 8-24 on page 461).
Note: For Internet Explorer 5, select Tools → Internet Options →
Security and scroll down the list and select the Prompt for Cookies
options.
Figure 8-24 Logging on to Domino Web Access
4. You should then see a Privacy Alert prompt box (the example shown in
Figure 8-25 is from Internet Explorer 6).
Figure 8-25 Privacy Alert box in Internet Explorer 6
5. Click More Info. In the Name field, you should see LtpaToken, as shown in
Figure 8-26 on page 462.
Figure 8-26 Verifying that you have received the LtpaToken
6. Click Allow Cookie.
Tip: When logging on to Domino Web Access, you might get several
additional Privacy Alert notifications. These are for the Shimmer cookies
that are specific to Domino Web Access.
Click Allow Cookie at each subsequent prompt, and eventually, you will
be logged on to your mail (see Figure 8-27 on page 463).
Figure 8-27 Domino Web Access
7. Now enter a URL to another Web resource to which you have access (in this
example, a URL to the 6.5.1 Lotus Team Workplace server and a test place
that was manually entered).
8. You should see the Privacy Alert box again. Click Allow Cookie once more,
and the place should open without prompting you to log on again (see
Figure 8-28).
Figure 8-28 Accessing a Team Workplace without having to log on again
9. If you have a Lotus Instant Messaging and Web Conferencing server
participating in single sign-on, browse to the Lotus Instant Messaging and
Web Conferencing Meeting Center URL (if you have previously configured
Team Workplace for online meetings, you can also click New in Team
Workplace and create a new Web conference there). In this example, we
browsed to the Web Conferencing Meeting Center URL manually. See
Figure 8-29.
Figure 8-29 Scheduling an Instant Messaging and Web Conferencing meeting
Notice that you are not prompted to log on again, and your user name
credentials appear in the meeting center automatically.
10. Now browse to the URL of your WebSphere Portal. You should not be
prompted to log on again and should see your logon name at the top left side
of the portal's Welcome page, as shown in Figure 8-30 on page 465.
Figure 8-30 Accessing WebSphere Portal without logging on again
11. After you have successfully tested, revert your browser cookie handling
options back to their previous settings to avoid multiple prompts.
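The cookie inspection in steps 4 through 8 can also be done on the Set-Cookie headers captured from the logon response. The following Python code is an added example, not part of this book or of any IBM tool: the header values are constructed placeholders, the portal host name is hypothetical, and the function names and finding codes are assumptions. It applies standard browser cookie scoping: a cookie with no Domain attribute is returned only to the host that set it, so the other single sign-on participants never receive it.

```python
"""Check captured Set-Cookie headers for an LtpaToken that every SSO participant receives."""
from http.cookies import SimpleCookie

# Constructed header values; the token strings are placeholders, not real tokens.
DOMAIN_WIDE = "LtpaToken=CONSTRUCTEDTOKEN0123456789; Domain=.cam.itso.ibm.com; Path=/; Secure"
HOST_ONLY = "LtpaToken=CONSTRUCTEDTOKEN0123456789; Path=/"
# Cookie issued by Domino single-server session authentication instead of SSO.
SESSION_ONLY = "DomAuthSessId=CONSTRUCTED0123456789; Path=/"

# The first two host names appear in Example 8-4; the portal host name is hypothetical.
ISSUER = "bscdom.cam.itso.ibm.com"
PARTICIPANTS = [ISSUER, "bscst.cam.itso.ibm.com", "portal.cam.itso.ibm.com"]


def domain_matches(host, cookie_domain):
    """Browser domain-match rule: host equals the cookie domain or is a subdomain of it."""
    domain = cookie_domain.lstrip(".").lower()
    host = host.lower()
    return host == domain or host.endswith("." + domain)


def check_sso_cookie(set_cookie_headers, issuing_host, participants):
    """Return a list of (code, subject) findings; an empty list means the token is usable.

    NO_LTPATOKEN  no LtpaToken cookie was issued (subject: cookie names seen)
    NOT_SENT      the browser will not return the token to this host
    NO_SECURE     the token is also sent over unencrypted HTTP connections
    """
    jar = SimpleCookie()
    for header in set_cookie_headers:
        jar.load(header)
    if "LtpaToken" not in jar:
        return [("NO_LTPATOKEN", ",".join(sorted(jar.keys())))]

    token = jar["LtpaToken"]
    findings = []
    for host in participants:
        if token["domain"]:
            reachable = domain_matches(host, token["domain"])
        else:
            # No Domain attribute: host-only cookie, returned to the issuer alone.
            reachable = host.lower() == issuing_host.lower()
        if not reachable:
            findings.append(("NOT_SENT", host))
    if not token["secure"]:
        findings.append(("NO_SECURE", "LtpaToken"))
    return findings


if __name__ == "__main__":
    for label, header in (("domain-wide", DOMAIN_WIDE),
                          ("host-only", HOST_ONLY),
                          ("session-only", SESSION_ONLY)):
        print(label, check_sso_cookie([header], ISSUER, PARTICIPANTS))
```

A NOT_SENT finding for a participating server corresponds to the symptom described above, where a portlet prompts the user to re-authenticate.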
8.7 Additional configuration prerequisites
Depending on which Domino 6.5.1 products you want to integrate with
WebSphere Portal, it might be necessary to carry out some additional
configuration on the Domino 6.5.1 product. This is particularly true in the case of
Lotus Team Workplace and Lotus Instant Messaging and Web Conferencing.
8.7.1 Team Workplace and Instant Messaging requirements
Within Lotus Instant Messaging and Web Conferencing and Team Workplace,
there are a number of configuration changes that have to be made before
installing the 6.5.1 Extended Product portlets so that features such as awareness
and online meetings will function in WebSphere Portal.
For example, there are a number of configuration changes that have to be made
to products such as Lotus Instant Messaging and Web Conferencing and Team
Workplace so that features such as awareness and online meetings will function
in WebSphere Portal.
We provide a brief summary checklist of these configuration changes for the
products.
For Lotus Team Workplace:
- Specify an LDAP server (this should be the same LDAP server used by
  WebSphere Portal).
- Specify the Instant Messaging and Web Conferencing server to use if you
  want awareness in Team Workplace.
- Configure the Notes.ini to include the DIIOP Server task.
- Create the servlets.properties file and copy the Team Workplace servlet from
  WebSphere Portal to the Team Workplace server.
- Modify the Notes.ini to point to the new Team Workplace servlet.
- Modify the Team Workplace server's Server document so that Domino is
  acting as the servlet manager.
Important: Full details of these configuration changes can be found in the
Lotus documentation Domino 6.5.1 Extended Products Integration Guide,
which can also be downloaded as an additional material for this book.
See Appendix A, Additional material on page 543 for instructions about how
to download and access this document.
It is important to refer to this guide for the configuration changes you will need
to make for the particular Domino 6.5.1 product or products you want to
integrate with WebSphere Portal. Otherwise, you might find that certain
features, such as awareness might not work, or the portlet might not function
at all.
We, therefore, recommend that you download this guide prior to configuring
the Domino 6.5.1 Extended Products portlet so that you can easily refer to it.
For Lotus Instant Messaging and Web Conferencing:
- Configure Lotus Instant Messaging and Web Conferencing to use the same
  LDAP server as WebSphere Portal (additional details and troubleshooting
  tips can also be found in Chapter 7, Integrating Domino 6.5.1 with a
  third-party LDAP directory on page 351).
- Modify the Sametime.ini file to trust the WebSphere Portal IP address.
- Enable the Purge Meeting agent in Lotus Instant Messaging and Web
  Conferencing.
For Domino Document Manager, enable Lotus Instant Messaging and Web
Conferencing integration if you want the Who is Online feature to work in
WebSphere Portal.
For Domino Web Access, if you want Lotus Instant Messaging and Web
Conferencing awareness to work for Domino Web Access in WebSphere Portal,
the following configuration changes need to be made:
- Configure Directory Assistance on the Domino Web Access server for the
  LDAP directory used by WebSphere Portal.
- Add iNotes_WA_SametimeServer=<Sametime_Server_Hostname> to the
  Notes.ini of the Domino Web Access server.
- Copy the \stlinks folder from the Instant Messaging and Web Conferencing
  server to the Domino Web Access server if you want awareness to work in
  WebSphere Portal.
8.8 Configuring the 6.5.1 Extended Products portlets
This section discusses how to configure the various Domino 6.5.1 Extended
Products portlets, specifically:
- Lotus Team Workplaces (formerly QuickPlace)
- Lotus Web Conferencing (formerly Sametime)
- Lotus Instant Messaging Contact List (formerly Sametime Contact List)
- Domino Web Access, which consists of the Inbox, Calendar, and Contacts
- Lotus Domino Document Manager (formerly Domino.Doc)
- Domino Application
- Lotus Notes View, which consists of any Domino database view, such as
  Discussion, Teamroom, To Do, or Notes Mail.
8.8.1 Configuring the Team Spaces portlet
To configure the Team Spaces portlet, complete the following steps:
1. Log on to WebSphere Portal as an administrator, as shown in Figure 8-31.
Figure 8-31 Logging in on WebSphere Portal as an administrator
2. In the administration section of the portal, click Portlets and then click
Manage Portlets, as shown in Figure 8-32.
Figure 8-32 Manage Portlets
Note: Configuring the People Finder portlet is not discussed in this section. If
you already have the WebSphere Portal Collaboration Center installed and
configured on your WebSphere Portal, no further configuration for this portlet
is required.
Otherwise, for configuration details about the People Finder portlet, refer to
the Collaboration Center Release Notes, available at:
http://www.ibm.com/developerworks/websphere/zones/portal/proddoc.html
Important: Ensure that you completed any prerequisite configuration (as
described in the Domino 6.5.1 Extended Products Integration Guide) before
following the portlet configuration instructions in this section. This Lotus
documentation can be downloaded as an additional material for this book. See
Appendix A, Additional material on page 543 for more information about
downloading this information.
The window shown in Figure 8-33 opens.
Figure 8-33 Selecting a portlet to configure
3. From the list of portlets, select the Team Spaces portlet, as shown in
Figure 8-34.
Figure 8-34 Modifying the Team Spaces portlet
4. For the Team Spaces portlet, click Modify parameters. The window shown
in Figure 8-35 on page 470 opens.
Figure 8-35 Changing values for the Team Spaces portlet
5. Change the QuickPlaceHostname to the server name of your Team
Workplace server, for example, quickplace651.lotus.com.
6. Verify that QuickPlacePort is set to the correct port. The default port is 80.
7. Click Save at the bottom of the window.
8. After the settings are saved, click Cancel to return to the Manage Portlets
window.
Figure 8-36 shows how the Team Spaces portlet looks to a user after it has
been successfully configured.
Figure 8-36 Team Spaces portlet
8.8.2 Configuring the Web Conferences portlet
To configure the Web Conferences portlet, complete the following steps:
1. Follow steps 1 to 4 as described in Configuring the Team Spaces portlet on
page 468, except at step 3 on page 469, select the Web Conferences
portlet.
2. For the Web Conferences portlet, click Modify parameters.
3. Change the SametimeServer1 parameter to the Instant Messaging and Web
Conferencing server name.
4. Change SametimeUserName1 to be an administrative user that exists in the
LDAP directory and that also has manager access to the STConfig.nsf
database on the Instant Messaging and Web Conferencing server.
In our test environment, we used the wpsadmin user.
Note: The user name specified in the ACL of the STConfig.nsf database
must be in the fully hierarchical LDAP format and have administrator rights
with all the necessary roles, as shown in Figure 8-37 on page 472.
Figure 8-37 Specifying an administrative user in the STConfig.nsf ACL
5. Change SametimePassword1 to the password for the user specified in step 4
on page 471.
6. Verify that SametimePort1 is set to the correct port. The default port is 80.
7. Click Save at the bottom of the window.
8. After saving the settings, click Cancel to return to the Manage Portlets
window.
9. Click My Portal and then My Workplace.
10. If single sign-on has been correctly configured, you should see something
similar to the window shown in Figure 8-38.
Figure 8-38 The Web Conferences portlet
Figure 8-39 Using Who Is Here portlet to confirm Lotus Instant Messaging connectivity
8.8.3 Configuring the Instant Messaging Contact List
There are no additional configuration steps for the Instant Messaging Contact
List portlet.
If Lotus Instant Messaging and Web Conferencing connectivity has been
successfully confirmed, and single sign-on is working correctly, your Instant
Messaging buddy list will appear in the portlet, as shown in Figure 8-40.
Figure 8-40 Instant Messaging Contact List
Tip: A useful way to ensure that you have Instant Messaging connectivity in
WebSphere Portal is to add the Who Is Here portlet to a page.
In our test environment, we logged on as the WebSphere Portal administrator,
clicked the Administration link and added this portlet to the Welcome Page.
We were then able to confirm that we had connectivity to the Instant
Messaging and Web Conferencing server because we had awareness for the
administrator logon name (see Figure 8-39).
If there is a problem with Instant Messaging and Web Conferencing
connectivity, this portlet will generate an appropriate error message. Check
that the Instant Messaging and Web Conferencing server is up and running
and that there are no network connectivity problems.
You might also need to check that the values specified for Lotus Instant
Messaging and Web Conferencing in the csenvironment.properties file on the
WebSphere Portal are correct (see 8.4, Configuring WebSphere Portal for
Lotus Instant Messaging on page 440 for more details about the
csenvironment.properties file).
8.8.4 Configuring the Domino Web Access portlet
To configure the Domino Web Access portlet, complete the following steps:
1. Click the My Workplace link.
2. Click the Mail link.
3. Click the Edit portlet properties icon on the top right side of the portlet
window.
4. Specify the host name of the mail server and the location of your mail file, as
shown in Figure 8-41.
Figure 8-41 Configuring the Domino Web Access portlet
5. If single sign-on has been correctly configured (and your mail file has been
created with the Domino Web Access template), you should see something
similar to the window shown in Figure 8-42 on page 475.
Figure 8-42 The Lotus Notes mail (Domino Web Access) portlet
6. Repeat steps 1 through 4 for the Calendar and Address Book links. See
Figure 8-43 and Figure 8-44.
Figure 8-43 Calendar portlet
Figure 8-44 Contacts portlet
8.8.5 Configuring the Document Manager portlet
To configure the Domino Document Manager portlet, complete the following
steps:
1. Click the My Workplace link.
2. Click the Document link.
3. Click the Edit portlet properties icon in the top-right area of the portlet
window.
4. Specify the host name of the Domino Document Manager server and the
database path and name for the library (see Figure 8-45).
Figure 8-45 Specifying the Domino Document Manager server and library
5. If single sign-on has been correctly configured you should see something
similar to the window shown in Figure 8-46.
Figure 8-46 The Document Manager portlet
8.8.6 Configuring the Domino Application portlet
The Domino Application portlet enables you to integrate any Web-enabled
Domino application into WebSphere Portal.
The Domino Application portlet acts like a tunnel, channelling all requests from
the browser through WebSphere Portal and on to the Domino HTTP server at the
backend. It manages cookies, caching, user authentication, and framing.
To configure the Domino Application portlet, complete the following steps:
1. Click the My Workplace link.
2. Click the Domino Application link.
3. Click the Configure portlet properties icon in the top-right area of the portlet
window. This icon looks like a wrench.
4. Specify the host name of the Domino Web server, the database path, and
port to use (the default port is 80), as shown in Figure 8-47.
Figure 8-47 Configuring the Domino Application portlet
5. On the Authentication tab, select Single Sign-On (SSO), as shown in
Figure 8-48.
Figure 8-48 Configuring authentication in the Domino Application portlet
6. Click Done and then click Close to save your changes and exit.
7. If SSO has been configured correctly, and you have the necessary access
rights to the Domino Application, you should see something similar to the
window shown in Figure 8-49, which shows our sample Discussion database.
Figure 8-49 A Discussion database in the Domino Application portlet
8.8.7 Configuring the Domino Databases (Notes View) portlet
The Domino Databases portlet enables you to work with the documents from any
view of any Domino database.
In our test environment, we used the People view of the Domino Directory. To
configure the Domino Databases portlet, complete the following steps:
1. Select the Edit portlet properties icon in the upper-right corner of the portlet.
2. In the Available Views section, select Add.
3. In the View Title section, enter the name of the view you want to access. In
our case, this was $People. See Figure 8-50 on page 479.
4. In the Server section, specify the server name where the database is located.
Select the check box next to the Server section.
5. In the Database filename section, select the file path and database name. In
our case, this was names.nsf.
6. In the View section, select a name of the view that corresponds to the View
Title entered earlier.
Figure 8-50 Configuring the Notes View in the Domino Databases portlet
7. Add more views to the portlet (repeating steps 2-6) if wanted. See
Figure 8-51.
Figure 8-51 Adding additional views to the Domino Databases portlet
8. Click Save. You should then see the view or views you specified in the portlet
window. For example, Figure 8-52 shows the People view of the Domino
Directory that we specified in our test environment.
Figure 8-52 The People view of the Domino Directory in the Domino Databases portlet
8.9 Integrating Domino 6.5.1 into an existing portal
As mentioned in the introduction to this chapter, this final section focuses on
the increasingly common scenario of an organization that already has an existing
WebSphere Portal infrastructure (using a third-party LDAP directory), as well as
a separate Domino mail, application, and collaboration environment (that uses
the native Domino Directory), but now wants to integrate the two.
Figure 8-53 on page 481 illustrates this scenario. The organization has user and
group information stored in their LDAP directory and is serving up applications to
end users through WebSphere Portal.
Figure 8-53 An existing WebSphere Portal implementation with other applications
The challenge here is how to integrate the organization's existing Domino
collaboration environment (consisting of mail, applications, instant messaging,
and team spaces) into this existing WebSphere Portal environment without
having to re-create all the Domino Directory user entries in the LDAP directory
and without having to modify the access control lists for all Domino applications
with LDAP name entries.
One of the simplest solutions to this challenge is to use the technique of Domino
name mapping, which we now discuss in further detail. See Figure 8-54 on
page 482.
Figure 8-54 Integrating Domino 6.5.1 in to an existing WebSphere Portal environment
8.9.1 Domino name mapping
When an existing Domino environment is integrated with other Web
technologies, such as WebSphere Portal through a single sign-on solution, or a
Domino environment leverages an external LDAP directory for authentication,
Domino name mapping capabilities will often be required to allow the continued
use of the fully qualified Notes/Domino names within Domino database ACLs.
Some examples of when name mapping might be needed include:
Domino and WebSphere Portal. When a Domino server is used as part of a
WebSphere Portal implementation, WebSphere Portal will authenticate the
user against the LDAP directory, and the LTPA token will be created with an
LDAP hierarchical name, such as uid=tworek,ou=users,o=redbooks,c=us.
Now when the user accesses a mail portlet, which must access Domino data
on behalf of the user, Domino is passed and reads the same LTPA token
(assuming WebSphere Portal and Domino are enabled with a common LTPA
SSO domain). However, the ACL on the user's mail database will contain the
Notes fully qualified name, for example, William Tworek/ITSO. Because the
LTPA token contains the LDAP name, Domino will not see this as the same
user and will not allow access to the mail file.
Domino and an external LDAP. When Domino Directory Assistance is
enabled to trust a third-party LDAP directory for authentication, users will be
authenticated against the LDAP directory, and an LDAP hierarchical name
will be returned to Domino. If Domino databases then contain original Lotus
Notes hierarchical names, users will not be allowed access to their databases,
because Domino will not understand that the LDAP name is the same.
Fortunately, Domino supports several options for working around this issue:
Using the LDAP name in database ACLs.
Including the LDAP DN as an alternate name in Domino Person
documents. This is supported in Domino 5.x and Domino 6.02 and later.
Including the Domino fully distinguished name in the LDAP directory. This is
supported in Domino 6.x through new Directory Assistance capabilities.
8.9.2 Using the LDAP name in database ACLs
This approach is not really a name mapping solution, but rather is a modification
of the ACLs in Domino so that it trusts the LDAP names. In this approach, all
database ACLs would need to be modified to include the LDAP hierarchical
names in addition to the original Notes fully qualified names.
For example, say user William Tworek/ITSO has manager access to his
Domino mail file, but in the LDAP directory, his name is stored as
uid=tworek/ou=users/o=redbooks/c=us. The ACL of his mail file could be
modified as shown in Figure 8-55.
Figure 8-55 An LDAP name in the ACL of a Domino database
Note: The traditional LDAP syntax of commas must be replaced with forward
slashes (/) when entering the LDAP name into the Domino ACL.
8.9.3 Including the LDAP DN as an additional user name in Domino
In this approach to name mapping, all users in the Domino Directory must be
updated so that their LDAP distinguished name is included as an additional user
name in the Domino Person document.
An example of this is shown in Figure 8-56.
Figure 8-56 LDAP distinguished name included in Person document
This approach will most commonly be implemented by leveraging some form of a
third-party directory synchronization tool.
By using such a tool, you can ensure that the two directories stay in
synchronization, such that any name changes in the LDAP directory will be
represented in the Domino Directory Person documents in a timely manner, thus
ensuring the continued name mapping capabilities.
Again, this option is supported in Domino 5.x and Domino 6.02 and later.
However, it does not work in Domino 6.0 and 6.01.
8.9.4 Including the Domino name in the LDAP directory
This final option for Domino name mapping requires some additional setup time
and requires modification of the LDAP directory.
It is basically a reverse of the previous option, in that the Domino name is now
populated into the LDAP directory.
To implement this option, you must perform the following steps:
1. Identify an attribute from the LDAP directory that can be used, or the LDAP
schema might need to be extended to add a new attribute.
2. Populate the LDAP directory so that this identified attribute for each LDAP
user is populated with that user's Notes fully qualified name (for example,
Gary Wallis/Cambridge/IBM).
3. Finally, update the Domino Directory Assistance document and define the
name of the attribute in LDAP to Directory Assistance. This tells Directory
Assistance what attribute in LDAP to reference to perform the name mapping.
This Directory Assistance change is shown in Figure 8-57.
Figure 8-57 Updating Domino Directory Assistance with an LDAP mapping attribute
As can be seen in Figure 8-57, the attribute NotesFQDN in the LDAP directory will be
used to store each user's fully distinguished Notes name.
As previously mentioned, it is perfectly feasible to reuse an existing attribute in
the LDAP directory to store a user's fully distinguished Notes name.
For example, in our Domino name mapping test environment, our LDAP
directory was IBM Directory Server, which has an attribute called mobile, which
we did not use for any other purpose.
We then populated this field with the user's fully distinguished Notes name and
modified the Directory Assistance document on our server to use this mobile
attribute, as shown in Figure 8-58.
Figure 8-58 Reusing an existing LDAP attribute for Domino name mapping
Similar to the other mapping option, this option can often be supported through
the implementation of a directory synchronization tool to handle the population of
the new LDAP attribute in LDAP.
8.9.5 Troubleshooting Domino name mapping
One of the issues with having the same user name in different directories and
employing name mapping is having the ability to confirm that the correct name is
being used when a user authenticates.
Note: This option is new to Domino 6, and thus is supported in Domino 6.x,
but is not supported in Domino 5.x or earlier.
The following useful troubleshooting technique can be used:
1. On a Domino server (running the HTTP task) create a Discussion database
with the default template.
2. Change the ACL of this Discussion database so that the entry Anonymous
has no access. This will force users to authenticate with the database.
3. Set up your preferred Domino name mapping solution.
4. Browse to this Discussion database and click New Topic.
5. This will reveal the user name that Domino is using. If name mapping is
working successfully, the user name should appear in the fully distinguished
Notes format, as shown in Figure 8-59.
Figure 8-59 Verifying that name mapping is working with a Discussion database
If name mapping is not working, the user name will appear in the fully
distinguished LDAP format, as shown in Figure 8-60.
Figure 8-60 Verifying that name mapping is not working with a Discussion database
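The following Python model is an added example, not code from this redbook and not Domino's own lookup logic. It walks the three options from 8.9.2 to 8.9.4 and returns the name that would be compared against a database ACL, which is the same name the Discussion database test in 8.9.5 reveals. The function names, the data layouts, the case-insensitive comparison, and the convention that the first user name in a Person document is the Notes name are assumptions of the model.

```python
"""Model of the name-mapping options in 8.9.2 to 8.9.4 (illustration only)."""


def split_ldap_dn(dn):
    """Split an LDAP DN into RDNs on commas that are not backslash-escaped."""
    rdns, current, i = [], [], 0
    while i < len(dn):
        ch = dn[i]
        if ch == "\\" and i + 1 < len(dn):
            current.append(dn[i:i + 2])   # keep the escaped pair together
            i += 2
            continue
        if ch == ",":
            rdns.append("".join(current).strip())
            current = []
        else:
            current.append(ch)
        i += 1
    rdns.append("".join(current).strip())
    return [r for r in rdns if r]


def to_acl_form(name):
    """Rewrite an LDAP DN with '/' separators, as the ACL note in 8.9.2 requires.

    Names without commas (Notes names, or DNs already in ACL form) pass through.
    """
    return "/".join(split_ldap_dn(name))


def norm(name):
    # Assumption of this model: names are compared case-insensitively.
    return to_acl_form(name).casefold()


def effective_name(token_dn, person_docs=(), ldap_entries=None, da_attribute=None):
    """Return (name checked against the ACL, option that produced it)."""
    key = norm(token_dn)
    # 8.9.3: the LDAP DN is an additional user name in a Person document.
    # Assumption: the first user name is the Notes fully qualified name.
    for user_names in person_docs:
        if key in {norm(n) for n in user_names[1:]}:
            return user_names[0], "person-document"
    # 8.9.4: Directory Assistance reads the Notes name from an LDAP attribute.
    if da_attribute and ldap_entries:
        for dn, attrs in ldap_entries.items():
            if norm(dn) == key and attrs.get(da_attribute):
                return attrs[da_attribute], "ldap-attribute"
    # No mapping: the LDAP name itself is what gets compared (8.9.2, 8.9.5).
    return to_acl_form(token_dn), "unmapped"


def can_open(token_dn, acl, **mapping):
    """Return (allowed, effective name, mapping option) for one database ACL."""
    name, how = effective_name(token_dn, **mapping)
    allowed = norm(name) in {norm(entry) for entry in acl}
    return allowed, name, how


def denied_users(token_dns, acl_by_dn, **mapping):
    """Pre-flight audit: token DNs that their own mail file ACL would refuse."""
    return [dn for dn in token_dns
            if not can_open(dn, acl_by_dn[dn], **mapping)[0]]


# Constructed sample data using the names that appear in this chapter.
TOKEN_DN = "uid=tworek,ou=users,o=redbooks,c=us"
MAIL_ACL = ["William Tworek/ITSO"]
PERSON_DOCS = [["William Tworek/ITSO", "uid=tworek/ou=users/o=redbooks/c=us"]]
LDAP_ENTRIES = {TOKEN_DN: {"mobile": "William Tworek/ITSO"}}

if __name__ == "__main__":
    # No mapping configured: access is refused and the LDAP-format name shows.
    print(can_open(TOKEN_DN, MAIL_ACL))
    # 8.9.2: LDAP name added to the ACL in slash form.
    print(can_open(TOKEN_DN, MAIL_ACL + ["uid=tworek/ou=users/o=redbooks/c=us"]))
    # 8.9.3: LDAP DN as an additional user name in the Person document.
    print(can_open(TOKEN_DN, MAIL_ACL, person_docs=PERSON_DOCS))
    # 8.9.4: Notes name stored in the reused 'mobile' LDAP attribute.
    print(can_open(TOKEN_DN, MAIL_ACL, ldap_entries=LDAP_ENTRIES,
                   da_attribute="mobile"))
```

Running denied_users over an export of LDAP DNs before enabling single sign-on lists the users whose mail files would refuse them because no mapping covers their name.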
Chapter 9. IBM Lotus Domino Access for Microsoft Outlook
IBM Lotus Domino Access for Microsoft Outlook is an important new addition to
the Domino 6.5.1 Extended Products. Domino Access for Microsoft Outlook
enables Microsoft Outlook client users to easily access mail and calendar data
stored on Lotus Domino servers.
This chapter looks at the many advantages of using the Microsoft Outlook client
with Lotus Domino servers and provides some typical deployment scenarios.
We also provide a detailed look at the Domino Access for Microsoft Outlook
architecture, together with the ability to use IBM Lotus Instant Messaging and
Web Conferencing (formerly Sametime) with the Microsoft Outlook client.
Finally, this chapter provides Domino Access for Microsoft Outlook installation
instructions for both Microsoft Outlook 2000 and Outlook XP.
9.1 Introduction
With the release of the Domino 6.5.1 platform, IBM Lotus is delivering all
Domino-based collaboration products on a common set of operating systems,
languages, and supported browsers.
This is a significant step in the release, testing, and support of these products
and most importantly ensures that when installing or upgrading, customers can
be confident that all of the 6.5.1 products will work seamlessly with one another,
as well as being backward compatible with previous releases.
IBM Lotus Domino Access for Microsoft Outlook is an important part of the 6.5.1
platform and represents IBM Lotus's continuing commitment to integrate its
technology with software from other vendors.
Domino Access for Microsoft Outlook delivers the leading messaging,
calendaring, scheduling, and personal information management of Domino to the
Microsoft Outlook 2000 or 2002 client.
After it is installed, users continue to read their mail, perform calendar and
scheduling tasks, and manage their contacts in Microsoft Outlook just as they
always have; no retraining is required.
Organizations can greatly improve the reliability and scalability of their
messaging infrastructure by upgrading from Microsoft Exchange to Domino.
Domino Access for Microsoft Outlook enables organizations to accomplish this
without needing to change clients. This is significant in helping to minimize
end-user disruption and to drastically reduce the costs of messaging migration,
client deployment, and most importantly end-user training.
Also, by moving from Exchange to Domino, organizations will be migrating to a
secure, reliable, and scalable Domino messaging infrastructure that can use the
hardware, operating system, and directory of their choice. This gives
organizations more deployment flexibility than Microsoft Exchange and enables
them to much more effectively leverage the performance, scalability, and
reliability of different types of hardware and, more significantly, a multitude of
non-Windows-based operating systems.
There are several similar solutions to Domino Access for Microsoft Outlook
currently available from other vendors (including Microsoft). However, these
generally require the Lotus Notes client to also be installed on the same
workstation as Outlook. In this case, each desktop in the organization has to
have new software installed, resulting in a significant deployment cost that largely
negates the benefit of allowing end users to continue using the Outlook client.
Domino Access for Microsoft Outlook is unique because it simply installs as a
plug-in to the existing Outlook client on the user's workstation.
Domino Access for Microsoft Outlook takes the form of a standard MSI installer
package that can be easily installed through an organization's existing software
distribution tool. An MSI package also has the advantage of being easily tailored
for an organization's specific needs.
Domino Access for Microsoft Outlook also has a very small desktop footprint
(approximately 30 MB), which also helps ease its deployment.
After Domino Access for Microsoft Outlook is installed, instead of accessing
Microsoft Exchange servers, Outlook users will be accessing Lotus Domino
servers. This is transparent to Outlook users and provides an increased quality of
service owing to the benefits of Domino's integrated spam prevention, streaming
replication, network compression, increased network security, and most
significantly, its advanced automated server failover and load balancing features.
As a result, the Microsoft Outlook user experience is unchanged with Domino
Access for Microsoft Outlook, because Outlook users simply continue to work
with their mail, calendar, and task data on Domino instead of Microsoft
Exchange. What they are transparently receiving now, however, are all the
additional benefits of Lotus Domino servers.
We discuss these benefits in more detail in 9.2, Key advantages of Domino
Access for Microsoft Outlook with Domino on page 491 and throughout the rest
of this chapter.
9.2 Key advantages of Domino Access for Microsoft Outlook with Domino
As mentioned previously, Domino Access for Microsoft Outlook gives Microsoft
Outlook users the additional benefits of numerous out-of-the-box Domino
features that are not available with Microsoft Exchange.
Important: All of these features (and many others not covered here) are built
into Domino and, therefore, require no additional product purchases or
installations.
Note: As previously discussed, Domino Access for Microsoft Outlook is part of
the 6.5.1 platform and can be downloaded from the Lotus Passport
Advantage Web site. It is also important to note that Domino Access for
Microsoft Outlook will be shipping as a standard feature of Domino Release
6.5.2.
Some of these key benefits include:
Multiple operating system support: Lotus Domino servers are supported on
multiple hardware platforms, software operating systems (such as Linux, Sun
Solaris, IBM AIX, OS/400, S/390, and Microsoft Windows), and LDAP
directories. This gives organizations far more deployment choices and
enables them to leverage the increased scalability, reliability, and performance
available on non-Windows-based operating systems.
Clustering: A cluster is a group of Domino servers that provides clients with
automatic load balancing and failover if a server or servers in the group are
not available. Servers might be inaccessible due to planned outages, such as
upgrades, or due to unplanned outages, such as hardware failures.
Clustering is a built-in Domino server feature and has been available since
Release 4. Because it works at the Domino server level, it is completely
independent of the underlying hardware and operating system, thus allowing
a cluster to contain servers with completely different hardware and operating
systems. This gives organizations more deployment choices for load
balancing and failover and also enables them to leverage the scalability,
reliability, and performance available with different operating systems. For
example, a cluster can contain servers running Microsoft Windows 2000,
Linux, Sun Solaris, and AIX, but the load balancing and failover is automatic
and transparent to the client regardless of whether the client is Outlook, the
Notes client, or even a browser.
Domino Access for Microsoft Outlook, therefore, takes full advantage of
Domino's built-in advanced clustering features, providing Outlook users with a
fully reliable messaging system at all times without any client-side
configuration or having to purchase any additional failover or load balancing
products.
Replication and network compression: Domino Access for Microsoft Outlook
enables the Outlook client to use Domino's advanced streaming replication
technology to synchronize the native Outlook PST storage file located on the
user's machine to a Domino-based mail file residing on the Domino server.
Users work with their mail and calendar offline, and their data is synchronized
with the server the next time they connect, thus improving end-user
performance while reducing network bandwidth usage.
Domino Access for Microsoft Outlook, therefore, takes full advantage of the
Notes Remote Procedure Call (NRPC) protocol to send mail from client
workstations to the Domino server and for mail routing between servers.
Domino's built-in compression significantly decreases the number of bytes
sent during these transactions, thus reducing network bandwidth usage,
leading to reduced costs.
Preventing unwanted and unsolicited e-mail: Domino Access for Microsoft
Outlook enables Outlook users to leverage Domino server anti-spam
technology. This enables administrators to manage spam at the server level,
drastically reducing the amount of unwanted mail that reaches the user's
inbox. Some of the many Domino anti-spam features include:
Domain Name System (DNS) Blacklists that allow incoming e-mails to be
checked against lists of known spam offenders
Server-based mail rules, where administrators can set filtering conditions
based on specific criteria and then define actions to take
Reducing the amount of unwanted mail makes users more productive,
eliminates wasted storage, and reduces network bandwidth usage.
Ease of installation: One of the biggest costs associated with messaging
infrastructures and messaging migrations is the cost in deploying new client
software and retraining end users.
Because Domino Access for Microsoft Outlook installs easily using standard
MSI technology, user workstations can be automatically updated using a
company's standard software delivery system (such as SMS or Active
Directory Services).
As a result of using standard MSI technology, Domino Access for Microsoft
Outlook installations can be fully scripted and tailored to an organization's
specific needs. There are also many solutions and consulting services
available from IBM and IBM Business Partners that can assist with migration
and installation.
Choice of client access: Domino Access for Microsoft Outlook supports
interoperability between Lotus Notes and Outlook users, including the ability
to send and receive e-mail and perform free and busy time lookup and
calendar functions for users, rooms, and resources. For example, if you have
some users using the Lotus Notes client and others using Outlook, they can
each view the other's busy time calendar information and send meeting
invitations, without knowing which client the other is using. Also, you can
provide your Outlook users access to their mail, calendar, and PIM data
through a Web browser (including users running Mozilla on Linux).
Domino Preferences in Outlook: Domino Access for Microsoft Outlook adds a
new Domino Preferences tab to the Outlook Options display menu. This
integrated display add-in provides users access to many Domino features and
settings. Some of the many features users can access from Outlook include:
Change the password for their Notes ID
Enable/disable the Out of Office agent
Manage replication settings
Set some general preferences for their mail and calendar
Greatly reduced migration costs: When migrating existing Exchange users
and servers to Domino, organizations can choose to switch all users over at a
single time, or more typically, to have periods of coexistence where both
systems are in production.
Domino includes a built-in set of automated migration tools for Exchange (as
well as numerous other messaging and directory products) called Domino
Upgrade Services.
With Domino Upgrade Services, organizations have complete flexibility when it
comes to the migration and configuration of users from Exchange to Domino,
but with no additional costs for migration tools.
Domino Upgrade Services, in concert with Domino Access for Microsoft
Outlook, therefore, gives organizations complete flexibility and control over
their migration because it enables them to automate the migration and
configurations of users, their mail, and calendar entries, either on an
individual user basis, or for logical groups of users, for example, by Exchange
server, department, or geographic location, without the cost of purchasing
additional migration tools.
9.2.1 Domino Access for Microsoft Outlook deployment scenarios
Figure 9-1 on page 495 shows a typical scenario of a Microsoft Outlook client
with Domino Access for Microsoft Outlook installed accessing their mail on a
Domino server.
The Outlook client user simply logs on to their Windows file server as normal (for
example, a Microsoft Windows NT 4 or Windows 2000 server), and through the
Single Logon feature, Domino Access for Microsoft Outlook is able to access
their mail, which is now on a Domino server.
Notice how the Domino servers in this scenario are clustered for failover despite
being on completely different operating systems. Domino clustering allows for
active users on both servers, and these users can be any mixture of Notes
clients, Web browsers, or Outlook with Domino Access for Microsoft Outlook
users.
Figure 9-1 Using Domino Access for Microsoft Outlook with Domino mail servers
In some instances, an organization might want to use an existing LDAP directory
for user and group names.
Because Domino fully supports the LDAP protocol, Domino Access for Microsoft
Outlook can be used in a scenario where an Outlook user's mail is stored on a
Domino mail server, but the Domino mail server is using a corporate LDAP
directory for name and group lookups.
This scenario is described in Figure 9-2 on page 496.
Note: If the user in the scenario described in Figure 9-2 on page 496 was
logging on to Active Directory (as opposed to Windows NT, for example),
Active Directory can also act as the corporate LDAP directory for both the
Outlook client and the Domino servers.
It should also be noted that the Domino Directory itself can also be used as a
corporate LDAP directory and is frequently deployed by organizations as one.
Figure 9-2 Using Domino Access for Microsoft Outlook: Domino mail servers and corporate LDAP directory
9.3 Why is Microsoft Outlook support important?
Lotus Domino offers a consistent, enterprise grade architecture, excellent
reliability, and built-in automated failover and load balancing. Domino also
provides robust virus handling and anti-spam protection features. Accordingly,
Lotus Domino is widely regarded as the enterprise messaging and calendar
server of choice, offering superior reliability and scalability.
However, despite these features, changing the Outlook client is often strongly
resisted by end users hesitant to change. This, in turn, can lead to a loss in user
productivity and, therefore, an overall rise in costs.
Having a common platform for all client messaging options, however, helps
reduce the total cost of ownership (TCO) of a messaging and collaboration
environment.
It is also quite common for organizations to operate multiple messaging systems
that can consist of both Lotus Domino and Microsoft Exchange. This is often the
case when organizations merge or when one company purchases another.
In such cases, standardizing on a common Lotus Domino back end for
messaging and collaboration would help reduce TCO, but the cost of deploying a
new messaging client and retraining users might prove to be prohibitive.
Figure 9-3 The Microsoft Outlook client
Bearing these points in mind, Domino Access for Microsoft Outlook is, therefore,
best used by:
Existing Outlook and Exchange customers who are looking for alternatives to
Microsoft fault tolerance.
Mixed environments moving toward standardization that want value add
rather than simply replacing one e-mail system with another.
9.4 Domino Access for Microsoft Outlook overview
Before delving into the detailed architecture of Domino Access for Microsoft
Outlook, it is important to understand what the Outlook user experience is like
when using Domino as the back end.
This is important because it addresses the key purpose of Domino Access for
Microsoft Outlook: Giving Outlook users the increased functionality, reliability,
and security of Domino without having to retrain them.
9.4.1 Domino mail in Microsoft Outlook
Figure 9-4 shows an Outlook client connected to a Domino mail file. In this
instance, the Domino server is clustered for load balancing and failover and is
running on Linux.
Figure 9-4 Using Domino mail with Microsoft Outlook
This is transparent to the Microsoft Outlook user: the look and feel of the mail
environment is exactly the same as when the Outlook user was connected to an
Exchange server back end.
9.4.2 Domino calendar in Microsoft Outlook
Figure 9-5 shows Microsoft Outlook displaying exactly the same data as the
Notes client. Notice how the calendar entries appear in the regular Outlook
format look and feel.
Figure 9-5 Using Domino calendar entries in Microsoft Outlook
Calendar entries
Figure 9-6 shows in more detail how an individual calendar entry in the Notes
client appears in Microsoft Outlook. Notice how the information from the Notes
calendar data is displayed in the regular Outlook format.
Figure 9-6 Domino calendar entries in Microsoft Outlook
Free time lookups
Figure 9-7 shows how the Lotus Notes and Microsoft Outlook clients both display
free time in their respective calendars. Users can easily search for free time on
other Domino users' calendars regardless of what clients are being used.
Figure 9-7 Free time lookups in Outlook
Contacts in Microsoft Outlook
Figure 9-8 shows how contacts appear in Microsoft Outlook. Again, note how
they are presented in the regular Outlook format with which users are familiar.
Figure 9-8 Contacts in Microsoft Outlook
Accessing directories in Microsoft Outlook
Figure 9-9 shows how the Domino Directory (and any additional corporate
directories such as an LDAP directory or the Exchange Global Address list)
appear in Outlook.
Figure 9-9 Accessing the Domino Directory in Microsoft Outlook
Notice how the Domino Directory simply appears as an additional directory in the
regular Outlook directory pull-down menu.
This greatly assists users with mail addressing and retrieving user information
and is particularly helpful in any periods of coexistence between Domino and
Exchange (because user entries will typically be split between both mail systems
during a migration).
The fact that Domino is able to make other corporate LDAP directories available
to Outlook users means that users can very easily gain access to a greater
amount of corporate data.
9.5 Domino preferences in Microsoft Outlook
Existing Lotus Notes client users will already be familiar with a number of specific
Notes client preferences that relate to areas such as security, Out of Office, and
replication settings.
Domino Access for Microsoft Outlook installs these preferences into the Outlook
client and makes them available from the usual Outlook options menu.
This section takes a closer look at these preferences. See Figure 9-10.
Figure 9-10 Domino Preferences tab in the Microsoft Outlook options menu
9.5.1 Passwords and security
Figure 9-11 on page 505 shows the Notes user password and security
preferences installed into the Outlook client by Domino Access for Microsoft
Outlook.
Figure 9-11 Domino password and security options in Outlook
Unlike Microsoft Exchange, Notes/Domino does not rely on the underlying
operating system security, but contains a highly secure and robust private/public
key mechanism.
Outlook users, therefore, have the ability to change their Notes password from
within the Outlook client and can also import and export certificates (for example,
an X.509 certificate) into their Notes ID. See Figure 9-12.
Figure 9-12 Single Logon options installed in Outlook client by Domino
9.5.2 Out of Office preferences
Figure 9-13 shows the Out of Office preferences installed into the Outlook client
by Domino Access for Microsoft Outlook.
Figure 9-13 Domino Out of Office settings in Microsoft Outlook
Important: The Domino Access for Microsoft Outlook installation includes a
Single Logon option that, if selected, keeps the Notes ID password
synchronized with the operating system password. Outlook users are also
provided with the options highlighted in red in Figure 9-12.
Not only is the Single Logon feature extremely convenient for end users, it also
helps to greatly reduce the administrative tasks associated with password
maintenance.
More importantly though, it gives Outlook client users all the added benefits of
the Notes/Domino robust private/public key security architecture.
More information about the Single Logon option can be found in 9.8, Installing
Domino Access for Microsoft Outlook on page 530.
As can be seen in Figure 9-13 on page 506, the functions available in the Notes
client are now reproduced in the Outlook client.
Outlook users have the ability to set specific Out of Office preference handling
options.
9.5.3 Replication settings
Replication is the pivotal mechanism used by Domino Access for Microsoft
Outlook for mail and calendar data synchronization between the Outlook client
and Domino servers. See Figure 9-14.
Figure 9-14 Domino replication settings in Microsoft Outlook
These preferences enable users to control which server they replicate their data
with, the replication schedule, and what to do if their server mail file exceeds its
quota. Most importantly, these options give Outlook users the ability to
encrypt and compress their replication sessions with the Domino server.
This ensures that network communications between the Outlook client and the
Domino server are both optimal and secure.
Again, these options help demonstrate how Outlook clients are able to easily
take advantage of Domino replication, compression, and security features.
9.5.4 Calendar Scheduling options
Figure 9-15 shows the Calendar Scheduling options installed into the Microsoft
Outlook client by Domino Access for Microsoft Outlook.
Figure 9-15 Domino Calendar Scheduling in Outlook
These preferences give Outlook client users the ability to set their time zone, to
define the hours and days their calendar is made available, and to automatically
process specific types of calendar invitations.
For example, users can automatically accept or decline meeting invitations and
users also have the ability to send automatic responses to invitations from
specific users.
9.5.5 Domino help in Microsoft Outlook
Figure 9-16 shows the help information installed into the Microsoft Outlook client
by Domino Access for Microsoft Outlook.
Figure 9-16 Domino help in Outlook
The ability to readily access help information from within the Outlook client
significantly improves the end-user experience and helps reduce the number of
queries for administrators.
9.6 Detailed Domino Access for Microsoft Outlook architecture
This section describes in detail the architecture of Domino Access for Microsoft
Outlook and its key design criteria.
Understanding the Domino Access for Microsoft Outlook architecture and its
design is important because it directly relates to the end user's experience of
using Microsoft Outlook with a Domino server back end.
9.6.1 Key design criteria for Domino Access for Microsoft Outlook
The key design criteria for Domino Access for Microsoft Outlook are:
- The need to keep the Outlook storage (.pst) file in sync with the user's mail
  file on a Lotus Domino server.
- The use of Domino replication as the mechanism between the Outlook client
  and Domino.
  This is the key architectural component of Domino Access for Microsoft
  Outlook, enabling Domino and Outlook data to be interchanged.
  Also, because Domino data is replicated to a local .pst file, the Outlook user
  gets much faster performance, and network bandwidth usage is reduced.
- Standardization of the installation package and client upgrade. The Domino
  Access for Microsoft Outlook installation program is written using the standard
  Windows MSI Installer and, as such, can be distributed in a multitude of ways
  and with multiple software distribution tools. Because it is an MSI package,
  the installation can also be easily scripted and tailored to an organization's
  specific needs.
- The ability to change Domino preferences from within the Outlook client.
  Domino Access for Microsoft Outlook adds a new Domino Preferences page
  to Outlook's Options display page. This integrated display add-in provides
  users access to many Domino features and settings. Some of the many
  features users can access from Outlook include:
  - Change the password for their Notes ID
  - Enable/disable the Out of Office agent
  - Manage replication settings
9.6.2 Overview of Domino Access for Microsoft Outlook architecture
Domino Access for Microsoft Outlook acts as an intermediary layer of what can
be thought of as a three-layer architecture.
The first layer is the Outlook client itself, which, as can be seen in Figure 9-17
on page 511, has not had any of its native code altered. Outlook continues its
normal operations by interacting with its various service providers such as those
for accessing its message store (the .pst file) and its address book.
Note: Domino Access for Microsoft Outlook has a very small footprint on
the user's workstation. The MSI package itself is approximately 30 MB and,
once installed, takes up approximately only 70 MB of additional disk space
(not including the user's .pst file).
Figure 9-17 Overview of Domino Access for Microsoft Outlook architecture
Skipping ahead slightly, the third layer is the Domino server, which is now hosting
the user's mail file. The mail file contains the user's mail and calendar data that
has been previously migrated from a Microsoft Exchange server (using the
Domino built-in Domino Upgrade Services tools).
The second or middle layer is Domino Access for Microsoft Outlook itself, which
acts as the binding layer between the Outlook client and the Domino server.
The Domino Access for Microsoft Outlook layer provides the programming
extensions necessary for Outlook and Domino to interact, a replication layer to
handle the synchronization of data between the Outlook client and the user's
Domino mail file, and a mapping module that determines how Domino-specific
elements map to their corresponding elements in Outlook.
Note: For more detailed information about Domino Upgrade Services, refer to
the IBM Redbook Migrating from Microsoft Exchange 5.5 to Lotus Notes and
Domino 6, SG24-6955, available at:
http://www.redbooks.ibm.com/abstracts/sg246955.html
[Figure 9-17 diagram labels: Outlook, MAPI, Service Provider Interface,
Message Store (PST), Address Book, Transport Provider, Free/Busy Addin,
Preference Addin; Domino Access for Microsoft Outlook, Extension Manager,
Replication Layer, Mapping Module, Cache; Domino (6.51 or later), Mail.box,
NSF; NRPC]
Because the Domino Access for Microsoft Outlook layer is built up of
components that interact with each other, future Domino Access for Microsoft
Outlook enhancements and features will be easier to develop and deploy.
The Domino Access for Microsoft Outlook layer also provides additional add-ins
to allow the Outlook client to integrate with Domino calendar and scheduling
features and an add-in that allows Domino-specific preferences to be modified in
the Outlook client.
In the following sections, we discuss these modules and layers in greater detail.
9.6.3 Domino Access for Microsoft Outlook Extension Manager
The Extension Manager allows an executable program library (a DLL) to register
a callback routine that is called when Domino performs selected internal
operations. See Figure 9-18 on page 513.
Figure 9-18 The Domino Access for Microsoft Outlook Extension Manager
The Extension Manager is used to tie into the standard, proven, and reliable
Domino replication engine.
The Extension Manager interface provides details about notification events and
data types and is exposed in the Domino software development kit.
Exposing the interface in this way allows the Extension Manager to be easily
modified, and as future Domino server versions are released and newer features
are added, enhancements can easily be made to Domino Access for Microsoft
Outlook.
9.6.4 Domino Access for Microsoft Outlook replication layer
The replication layer is the center of Domino Access for Microsoft Outlook and
acts to bind all the other components together (whether they are Outlook or
Domino components).
Figure 9-19 The Domino Access for Microsoft Outlook replication layer
The replication layer provides the replication management options provided in
the Outlook client, such as the interval for polling for new mail.
The polling interval in the replication layer is optimized to use the mail database
sequence number; therefore, there are fewer transactions and no open database
sessions.
This optimization provides a significant performance improvement for Outlook
users.
The replication layer also controls things such as folder management (create,
delete, and rename) and Outlook events (such as send mail and send
invitation).
Finally, the replication layer handles the management of local cache information
for things such as read/unread marks. Caching this information locally also
provides significant performance gains for Outlook client users.
9.6.5 Domino Access for Microsoft Outlook mapping module
The function of the mapping module is to handle the document mapping and
translation between the Outlook client's mail storage (.pst) file and the Domino
mail file. See Figure 9-20.
Figure 9-20 The Domino Access for Microsoft Outlook mapping module
For example, a Notes document (such as a mail message or calendar invitation)
is mapped to and from the corresponding Outlook entry (mail, invite).
The mapping module efficiently itemizes entry properties and document items for
translation and interacts with the replication layer to map them appropriately
when replication occurs.
The mapping module also ensures that outgoing Outlook client mail is mapped to
the Domino mail.box, facilitating mail routing. It is also responsible for attachment
support.
Figure 9-21 on page 516 shows how the mapping module translates and maps
items between Domino and Outlook when replication occurs.
Figure 9-21 Replication with the Domino Access for Microsoft Outlook mapping module
9.6.6 Microsoft Outlook service providers
The Outlook client's operations are dictated by service providers. See
Figure 9-22 on page 517.
Service providers are specified in a user profile and include the message store
provider that stores and retrieves messages from the .pst file, the address book
provider for contact information, and a transport provider to handle the sending
and receiving of messages.
[Figure 9-21 diagram labels: Outlook Entry (Message, Appointment, Contact,
Meeting Notice; Properties) <-> Mapping Module <-> Notes Document (Message,
Appointment, Contact, Meeting Notice; Items)]
Figure 9-22 Microsoft Outlook service providers
The Domino Access for Microsoft Outlook layer hooks into these standard
Outlook providers, thus allowing the Outlook client to continue with its normal
operations, while the components in the Domino Access for Microsoft Outlook
layer handle the interaction with the Domino server.
For example, Domino Access for Microsoft Outlook uses its hook to the transport
provider to send and receive messages from the Outlook client through the
replication layer (which, in turn, handles the synchronization with the Domino
server).
Figure 9-23 on page 518 shows examples of how some of the other Outlook
service providers function.

Figure 9-23 Service providers in use
9.6.7 Add-in integration with Microsoft Outlook
As previously mentioned, the Domino Access for Microsoft Outlook architecture
has been designed to leverage existing Outlook capabilities.
This can be clearly demonstrated by the Free/Busy time and Domino
Preferences add-ins that are installed as part of the Domino Access for
Microsoft Outlook layer. See Figure 9-24 on page 519.
Figure 9-24 Add-in integration with Microsoft Outlook
These add-ins are seamlessly integrated with the Outlook user interface as
additional items in the Outlook client's options menu, as shown in Figure 9-25.
Figure 9-25 The Domino Preferences add-in
As can be seen in Figure 9-25 and Figure 9-26 on page 520, the integration of
these add-ins is seamless.
To Outlook client users, the options and their look and feel are familiar and
therefore easy to use.
Figure 9-26 Free/Busy time add-in
These add-ins are designed using the Component Object Model (COM) add-in
architecture and housed in ActiveX DLLs (in-process servers).
The integration of these add-ins with the Outlook client is achieved through the
Outlook object model and the Windows registry.
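Because these add-ins are in-process COM DLLs that Outlook loads based on
registry entries, the registrations can be audited from the workstation. The
following PowerShell script is an added example, not part of the original
Redbook or of the Domino Access for Microsoft Outlook product. It assumes the
standard Office COM add-in registry locations (the Redbook does not list the
keys the product writes); the function names are illustrative.

```powershell
# Added example: inventory the COM add-ins registered for Outlook on this
# workstation. The registry paths below are the standard Office add-in
# locations (an assumption; the Redbook does not name the product's keys).

$AddinRoots = @(
    'HKCU:\Software\Microsoft\Office\Outlook\Addins',
    'HKLM:\Software\Microsoft\Office\Outlook\Addins',
    'HKLM:\Software\WOW6432Node\Microsoft\Office\Outlook\Addins'
)

# Hives searched when resolving a ProgID to its in-process server DLL.
$ClassRoots = @(
    'HKCU:\Software\Classes',
    'HKLM:\Software\Classes'
)

function Get-RegistryDefaultValue {
    param([Parameter(Mandatory)][string]$Path)
    $key = Get-Item -LiteralPath $Path -ErrorAction SilentlyContinue
    if ($null -eq $key) { return $null }
    return $key.GetValue('')            # '' selects the key's (Default) value
}

function Resolve-AddinDll {
    param([Parameter(Mandatory)][string]$ProgId)

    # Step 1: ProgID -> CLSID
    $clsid = $null
    foreach ($root in $ClassRoots) {
        $clsid = Get-RegistryDefaultValue -Path "$root\$ProgId\CLSID"
        if ($clsid) { break }
    }
    if (-not $clsid) { return $null }

    # Step 2: CLSID -> InprocServer32 (native view, then the 32-bit view
    # that a 32-bit Outlook uses on 64-bit Windows)
    foreach ($root in $ClassRoots) {
        foreach ($view in 'CLSID', 'WOW6432Node\CLSID') {
            $dll = Get-RegistryDefaultValue -Path "$root\$view\$clsid\InprocServer32"
            if ($dll) { return ([string]$dll).Trim('"') }
        }
    }
    return $null
}

function Get-OutlookAddinInventory {
    foreach ($root in $AddinRoots) {
        if (-not (Test-Path -LiteralPath $root)) { continue }
        foreach ($key in Get-ChildItem -LiteralPath $root) {
            $progId = $key.PSChildName
            $load   = $key.GetValue('LoadBehavior')
            $dll    = Resolve-AddinDll -ProgId $progId
            $sig    = $null
            if ($dll -and (Test-Path -LiteralPath $dll)) {
                $sig = Get-AuthenticodeSignature -FilePath $dll
            }
            [pscustomobject]@{
                ProgId         = $progId
                RegisteredIn   = $root
                FriendlyName   = $key.GetValue('FriendlyName')
                LoadBehavior   = $load
                # Bit 0x2 of LoadBehavior means "load when Outlook starts".
                LoadsAtStartup = ($null -ne $load) -and (($load -band 2) -ne 0)
                Dll            = $dll
                Signature      = if ($sig) { $sig.Status } else { 'DllNotFound' }
                Signer         = if ($sig -and $sig.SignerCertificate) {
                                     $sig.SignerCertificate.Subject
                                 } else { $null }
            }
        }
    }
}

Get-OutlookAddinInventory |
    Sort-Object ProgId |
    Format-Table ProgId, LoadBehavior, LoadsAtStartup, Signature, Dll -AutoSize
```

Run it as the user whose Outlook profile is being examined so that the HKCU
entries are theirs. An add-in whose DLL is missing, unsigned, or stored in a
user-writable directory is worth a closer look.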
9.7 Instant messaging with Microsoft Outlook
For a number of years now, IBM Lotus has been a leading provider of secure and
scalable enterprise-wide instant messaging and presence awareness with its
IBM Lotus Instant Messaging and Web Conferencing product (formerly
Sametime).
Microsoft also offers an instant messaging and presence awareness solution.
However, this involves organizations having to rip and replace their entire file
and print infrastructure and upgrade to Windows 2003 Server, as well as
designing and implementing an Active Directory solution. In addition, Microsoft
Live Communications Server needs to be deployed and then presence
awareness is only available for Microsoft Office and Outlook 2003.
For many organizations, the disruption, time, and large costs involved in
replacing an entire network infrastructure together with every Outlook client just
to get instant messaging and presence awareness functionality is not feasible.
IBM has, therefore, partnered with Instant Technologies to provide the instant
messaging and presence awareness capabilities of Lotus Instant Messaging and
Web Conferencing for use with the Outlook client.
Instant Technologies' Instant TeamMessenger for Microsoft Outlook supports
IBM Lotus Instant Messaging and Web Conferencing and the Outlook 2000 client
and later.
Like IBM Lotus Domino server, Lotus Instant Messaging and Web Conferencing
runs on a multitude of operating systems such as Microsoft Windows, IBM AIX,
and Sun Solaris.
This gives organizations more hardware and software options and a greater level
of deployment flexibility, while at the same time, helping them leverage the
inherent scalability, reliability, and performance of many of the
non-Windows-based operating systems.
In addition to providing a highly secure and scalable solution, Lotus Instant
Messaging and Web Conferencing also fully supports the LDAP protocol. This
enables organizations to leverage existing corporate directories with no need to
maintain and administer additional user and group repositories and passwords.
More significantly, by using Lotus Instant Messaging and Web Conferencing with
the Outlook client, there is no requirement to rip and replace the underlying
operating system. Finally, because Instant TeamMessenger supports Outlook 2000
and later, there is no need to upgrade the end user's Outlook client.
As a result, by using IBM Lotus Instant Messaging and Web Conferencing with
the Outlook client and Instant TeamMessenger, organizations gain total cost of
ownership savings (with the added benefit of not disrupting end users).
Similar to Domino Access for Microsoft Outlook, Instant TeamMessenger
simply installs as a plug-in to the user's existing Outlook client.
Note: For more information about Instant TeamMessenger, refer to the Instant
Technologies Web site, available at:
http://www.instant-tech.com/
Figure 9-27 shows the Who is Online feature that Instant TeamMessenger
installs into the Outlook client.
Figure 9-27 Who is Online feature in Outlook
Presence awareness and user status are available as a simple pop-up box.
Figure 9-28 shows the user buddy list that Instant TeamMessenger installs into
the Outlook client.
The buddy list can be added manually from a corporate directory (which for Lotus
Instant Messaging and Web Conferencing can be any LDAP V3 compliant
directory), or dynamically by selecting names from the user's mail messages.
Figure 9-28 Buddy List feature in Outlook with Instant TeamMessenger
Figure 9-29 shows a number of e-mail messages that have been selected by the
user and automatically added to the buddy list.
Figure 9-29 Adding users to the Buddy List automatically
Increasingly for legal and compliance reasons, organizations are required to
keep copies of e-mail and instant messages.
Lotus Instant Messaging and Web Conferencing has the facility to log all chats at
the server. However, it might also be convenient for day-to-day working purposes
for users to be able to save chats locally and retrieve them for future reference.
With Instant TeamMessenger, chat sessions can be stored to the user's journal.
In addition to being readily available for reference, the chat sessions are also
stored by date and time order.
This can be particularly useful for following the progress of a chat over a period of
time (for example, the status of a current project).
Figure 9-30 shows an example of journaled chats stored by date, together with a
meaningful description.
Figure 9-30 Journaling chats
Instant TeamMessenger also has the ability to show presence awareness for a
user's contacts, as shown in Figure 9-31.
Figure 9-31 Presence awareness for a user's contacts
Instant TeamMessenger does not only function from within a user's e-mail. It is
also possible for users to add and check presence awareness from within the
Outlook calendar, as shown in Figure 9-32.
Figure 9-32 Presence awareness in the Outlook calendar
9.7.1 Deployment scenarios for Instant TeamMessenger
By using Lotus Instant Messaging and Web Conferencing in concert with Instant
TeamMessenger, an organization can easily leverage the strengths of both the
Domino and Instant Messaging and Web Conferencing server platforms, while
continuing to use their present file and print infrastructure and desktop mail client
software.
Note: The various scenarios in this section refer to both Domino Access for
Microsoft Outlook and Instant TeamMessenger being installed with the
Outlook client.
It should be noted that these products are independent of one another and
can be installed together or individually depending on an organization's
requirements.
There is no need to rip and replace or change the network operating system or
users' Outlook client software with the IBM Lotus solution.
Figure 9-33 on page 529 demonstrates this scenario.
Microsoft Outlook client users log on to their Windows file server as usual (for
example, a Windows NT 4 or Windows 2000 server), and through the Single
Logon feature in Domino Access for Microsoft Outlook, are able to access their
mail, which is now on a Domino server.
With the Instant TeamMessenger software also installed in the Outlook client, the
user has instant messaging and presence awareness available now using the
IBM Lotus Instant Messaging and Web Conferencing server.
Notice how the Domino servers in this scenario are clustered for failover despite
being on completely different operating systems.
Domino clustering allows for active users on both servers, and these users can
be any mixture of Notes clients, Web browsers, or Outlook with Domino Access
for Microsoft Outlook users.
Notice also how the Lotus Instant Messaging and Web Conferencing server is
using a different operating system.
This ability to use a variety of operating systems gives organizations greater
deployment flexibility than with the Microsoft instant messaging solution, which is
based on migrating to the Windows 2003 and Active Directory platform.
Figure 9-33 Outlook with Domino Access and Instant TeamMessenger: Domino mail and Instant Messaging
As with the scenario discussed previously for Domino Access for Microsoft
Outlook (see Figure 9-2 on page 496), in some instances, an organization might
want to use an existing corporate LDAP directory for user and group names.
Because Domino and Lotus Instant Messaging and Web Conferencing both fully
support the LDAP protocol, Domino Access for Microsoft Outlook and Instant
TeamMessenger could be used in a scenario where an Outlook user's mail is
stored on a Domino mail server, but the Domino mail server and Lotus Instant
Messaging and Web Conferencing server are both using a corporate LDAP
directory for name and group lookups.
Figure 9-34 on page 530 illustrates this scenario.
Figure 9-34 Outlook with Domino Access and TeamMessenger: Domino mail, Instant Messaging with LDAP
9.8 Installing Domino Access for Microsoft Outlook
This section describes the steps involved in installing Domino Access for
Microsoft Outlook for Outlook 2000 and Outlook XP (also referred to as Outlook
2002).
Note: If the user in this scenario was logging on to Active Directory (as
opposed to Windows NT, for example), Active Directory could also act as the
corporate LDAP directory for both the Outlook client and the Domino and
Lotus Instant Messaging and Web Conferencing servers.
It should also be noted that the Domino Directory itself can also be used as a
corporate LDAP directory and is frequently deployed by organizations as one.
9.8.1 End-user hardware requirements
The following list specifies the minimum hardware requirements for end users of
Domino Access for Microsoft Outlook:
- Intel Pentium P133 processor or higher
- 136 MB RAM
- Microsoft Outlook 2000/2002 with SP 2
- Microsoft Windows 2000 or Windows XP
9.8.2 Administrator software requirements
The following list specifies the administrator software requirements:
- Lotus Domino server 6.5.1 or later
- Domino Administrator Client 6.5 or later (6.5.1 recommended)
9.8.3 Microsoft Outlook 2000
This section describes the prerequisites and installation procedures for Microsoft
Outlook 2000.
Prerequisites
You need the following prerequisites:
- Your computer must be running the Microsoft Windows 2000 or Windows XP
  operating system.
- The release of Microsoft Outlook 2000 with SP2 shown in Figure 9-35 on
  page 532 must be installed on the system before you can install Domino
  Access for Microsoft Outlook 6.5.1.
- Microsoft Outlook must be set as the default e-mail client. To verify this
  setting, open your Microsoft Internet Explorer browser and select Tools >
  Internet Options > Programs.
- Microsoft Outlook must be installed in Corporate or Workgroup mode, not
  Personal mode or No Email mode. To verify the release and mode of
  Microsoft Outlook, select Help > About Microsoft Outlook. A dialog box
  opens, displaying your Outlook release and mode at the top, as shown in
  Figure 9-35 on page 532.
Figure 9-35 Verifying the Outlook installation release and mode
- Your Domino server or servers must be Domino server 6.5.1 or later.
- You must know the hierarchical name of your home Domino server (for
  example, ServerA/East/Acme). You will need to enter this information during
  the installation and setup process.
Installation
To install Domino Access for Microsoft Outlook on a system running Microsoft
Outlook 2000, complete the following steps:
1. Run the C563HIE.EXE file.
2. The InstallShield Wizard loads. Click Next on the Welcome to IBM Lotus
Domino Access for MS Outlook window.
3. After reading the License Agreement, select I accept the terms in the
license agreement and click Next.
4. On the next installation window, enter your user name and organization.
Then, for the Install this application for option, select either Anyone who
uses this computer (All users) or Only for me. Click Next. This set of
instructions follows the path where Only for me has been selected.
5. The next window prompts you for the Install Directory. The default directory is
c:\Program Files\DominoForOutlook\. Either change the path to the desired
path or click Next to accept the default.
6. In the Custom Setup window, you can enable the Single Logon feature if
desired, as shown in Figure 9-36 on page 533. Click Next.
Figure 9-36 Enabling the Single Logon feature in Domino Access for Microsoft Outlook
The next window displays a bar that shows the progress of the installation.
7. After the files have been installed, a Setup window opens. Enter your name
and your Domino server name, as shown in Figure 9-37. For the Domino
server name, be sure to enter the hierarchical name, for example,
ServerA/East/Acme. Click Next.
Figure 9-37 Enter user name and Domino server name
The next installation window shows you the status of the setup (for example,
Creating Domino environment and configuring MAPI profile), as shown in
Figure 9-38.
Figure 9-38 Installation progress and creating the MAPI profile
8. Next, a Domino Mail dialog box opens. The purpose of this dialog box is to
inform you that, for a MAPI profile to be successfully configured, Outlook must
be set as the default mail client. Click OK.
Figure 9-39 MAPI profile successfully created
Post installation
When you first start Microsoft Outlook, you will likely be prompted for a profile to
use (a Domino profile or some other profile), as shown in Figure 9-40 on
page 535. However, this depends on the current settings in the Outlook
preferences.
Figure 9-40 Outlook prompt for profile
After this profile prompt, you might also be prompted for a Domino password, as
shown in Figure 9-41. Again, this depends on your current Outlook settings.
Figure 9-41 Domino user ID password prompt
When you load Microsoft Outlook (see Figure 9-42 on page 536), an e-mail is
sent to your Inbox from the System Administrator with the subject, Welcome to
IBM Lotus Domino Access for Microsoft Outlook!
Note: This box will not appear if you installed the Single Logon feature, or if
you selected the Save your Password option in the Password dialog box.
Figure 9-42 Welcome e-mail
9.8.4 Microsoft Outlook XP
This section describes the prerequisites and installation procedures for Microsoft
Outlook XP.
Prerequisites
Before you install Domino Access for Microsoft Outlook 6.5.1 on Microsoft
Outlook XP, you must meet the following prerequisites:
- Your computer must be running the Microsoft Windows XP or Windows 2000
  operating system.
- Microsoft Outlook 2002 with SP2 (also known as Microsoft Outlook XP) must
  be installed on the system before you can install Domino Access for Microsoft
  Outlook 6.5.1.
- Microsoft Outlook must be set as the default e-mail client. To verify this
  setting, open your Microsoft Internet Explorer browser and select Tools >
  Internet Options > Programs.
- Your Domino server or servers must be Domino server 6.5.1 or later.
- You must know the hierarchical name of your home Domino server (for
  example, ServerA/East/Acme). You will need to enter this information during
  the installation and setup process.
- If you have a pre-6.5.1 release of Domino Access for Microsoft Outlook
  installed on your system, you must uninstall it first before installing Domino
  Access for Microsoft Outlook 6.5.1.
Installation
To install Microsoft Outlook XP, complete the following steps:
1. Install Microsoft Outlook 2002 (XP) on the workstation. When setting up,
select No in the Account Configuration dialog box to not configure an e-mail
account, as shown in Figure 9-43.
Figure 9-43 Configuring e-mail accounts in Outlook 2002 (XP)
2. Run the C563HIE.EXE file.
3. The InstallShield Wizard loads. Click Next on the Welcome to IBM Lotus
Domino Access for MS Outlook page.
4. After reading the License Agreement, select I accept the terms in the
license agreement and click Next.
5. On the next installation window, enter your user name and organization.
Then, for the Install this application for option, select either Anyone who
uses this computer (All users) or Only for me. Click Next. This set of
instructions follows the path where Only for me has been selected.
6. The next window prompts you for the Install Directory. The default directory is
c:\Program Files\DominoForOutlook\. Either change the path to the desired
path or click Next to accept the default.
7. On the Custom Setup page, you can enable the Single Logon feature if
desired, as shown in Figure 9-44 on page 538. Click Next.
Figure 9-44 Enabling the Single Logon feature in Domino Access for Microsoft Outlook
The next page displays a progress bar that shows the progress of the
installation.
8. Note that if your user ID is not attached to your Person document in the
Domino Directory, you will see the message shown in Figure 9-45.
Figure 9-45 Browse for user ID if not in the Person document
9. Browse to your user ID and click Next. You will be prompted to enter your
Domino password, as shown in Figure 9-46 on page 539.
Figure 9-46 Domino user ID password prompt
The next installation window shows you the status of the setup (such as
Creating Domino environment and configuring MAPI profile).
10. Next, a Domino Mail dialog box opens, as shown in Figure 9-47. The purpose
of this dialog box is to inform you that, for a MAPI profile to be successfully
configured, Outlook must be set as the default mail client. Click OK.
Figure 9-47 MAPI profile successfully created
Post installation
When you first start Microsoft Outlook, you will likely be prompted for a profile to
use (a Domino profile or some other profile), as shown in Figure 9-48. However,
this depends on the current settings in the Outlook preferences.
Figure 9-48 Outlook prompt for profile
After this profile prompt, you might also be prompted for your Domino password, as
shown in Figure 9-49 on page 540. Again, this depends on your current Outlook
settings.
Figure 9-49 Domino user ID password prompt
Note: This box will not appear if you installed the Single Logon feature, or if
you selected the Save your Password option in the Password dialog box.
When you load Microsoft Outlook (see Figure 9-50), an e-mail is sent to your
Inbox from the System Administrator with the subject, Welcome to IBM Lotus
Domino Access for Microsoft Outlook!
Figure 9-50 Welcome e-mail
Part 4. Appendix
This part contains information about downloading and using the additional
material that is associated with this book.
Appendix A. Additional material
This IBM Redbook refers to additional material that can be downloaded from the
Internet as described in this appendix.
Locating the Web material
The Web material associated with this redbook is available in softcopy on the
Internet from the IBM Redbooks Web server. Point your Web browser to:
ftp://www.redbooks.ibm.com/redbooks/SG246357
Alternatively, you can go to the IBM Redbooks Web site at:
ibm.com/redbooks
Select the Additional materials and open the directory that corresponds with
the redbook form number, SG246357.
Using the Web material
The additional Web material that accompanies this redbook includes the
following file:
File name       Description
ep651int.pdf    Lotus Documentation Domino 6.5.1 Extended Products Integration Guide
Related publications
The publications listed in this section are considered particularly suitable for a
more detailed discussion of the topics covered in this redbook.
IBM Redbooks
For information about ordering these publications, see How to get IBM
Redbooks on page 546. Note that some of the documents referenced here may
be available in softcopy only.
Lotus Security Handbook, SG24-7017
Migrating from Microsoft Exchange 5.5 to Lotus Notes and Domino 6,
SG24-6955
Upgrading to Lotus Notes and Domino 6, SG24-6889
Using LDAP for Directory Integration, SG24-6163
Online resources
These Web sites and URLs are also relevant as further information sources:
Lotus software
http://www.lotus.com
Lotus Developer Domain
http://www.lotus.com/ldd
Lotus Support Services
http://www.ibm.com/software/lotus/support
Lotus Documentation
http://www.lotus.com/ldd/doc
Lotus downloads
http://www.ibm.com/developerworks/lotus/downloads/
WebSphere Application Server Version 5 Information Center
http://www.ibm.com/software/webservers/appserv/infocenter.html
WebSphere Portal Version 5 Information Center
http://www.ibm.com/developerworks/websphere/zones/portal/proddoc.html#ic5
WebSphere Portal and Lotus Workplace Catalog
http://catalog.lotus.com/wps/portal/portalworkplace
WebSphere Portal zone
http://www.ibm.com/developerworks/websphere/zones/portal
WebSphere Application Server zone
http://www.ibm.com/developerworks/websphere/zones/was/
Predicting Domino cluster performance article
http://www.lotus.com/ldd/today.nsf/lookup/Predict_Cluster_Performance
Integrating voice, email, and fax in a single unified messaging store article
http://www.ibm.com/developerworks/lotus/library/article/DUC/
Instant Technologies Web site
http://www.instant-tech.com/
Softerra Web site
http://www.softerra.com
How to get IBM Redbooks
You can search for, view, or download Redbooks, Redpapers, Hints and Tips,
draft publications and Additional materials, as well as order hardcopy Redbooks
or CD-ROMs, at this Web site:
ibm.com/redbooks
Help from IBM
IBM Support and downloads
ibm.com/support
IBM Global Services
ibm.com/services
SG24-6357-00 ISBN 0738491438


INTERNATIONAL TECHNICAL SUPPORT ORGANIZATION
BUILDING TECHNICAL INFORMATION BASED ON PRACTICAL EXPERIENCE
IBM Redbooks are developed by the IBM International Technical Support
Organization. Experts from IBM, Customers and Partners from around the world
create timely technical information based on realistic scenarios. Specific
recommendations are provided to help you implement IT solutions more
effectively in your environment.
For more information:
ibm.com/redbooks
Release 6.5.1 of Lotus Domino and the Extended Products
represents a significant change in the way Lotus delivers software
for customers. Each product in the 6.5.1 family is developed, tested,
and supported to run with the other Release 6.5.1 products. For
example, IBM Lotus Instant Messaging and Web Conferencing
(formerly called Sametime) 6.5.1 and Lotus Team Workplace
(formerly called QuickPlace) 6.5.1 will run on Domino 6.5.1.
Customers will no longer need to spend time wondering (and testing)
which version of which product works with which version of Domino.
Although Lotus Domino 6.5.1 and the Extended Products are now
developed and delivered to run together on the same release, it is
necessary to perform separate configuration steps within each of the
components to achieve a highly integrated collaborative environment
with presence awareness throughout.
This book explains how to integrate and configure the IBM Lotus
Domino 6.5.1 Extended Products in order to more effectively
leverage each product's collaborative capabilities. We address the
concept of integration from several different perspectives:
How to build a Domino-based collaborative environment using
exclusively Release 6.5.1 of Domino and the Extended Products
How to upgrade an existing Domino-based collaborative
environment, which is based on some or all of the Extended
Products
Finally, how to configure IBM WebSphere Portal to leverage
Domino 6.5.1 and Extended Product portlets to provide an
integrated and collaborative platform for end users