dachnug51 - HCL Sametime 12 as a Software Appliance.pdf

DNUGOffice 151 views 34 slides Jul 04, 2024

About This Presentation

dachnug51 | HCL Sametime 12 as a Software Appliance | Erik Schwalb


Slide Content

Copyright © 2024 HCL Software Limited
HCL Sametime 12 as a
“Software Appliance”
Erik Schwalb
Technical Advisor – HCL Software Germany

Disclaimer
HCL's statements regarding its plans, directions, and intent are subject to change or withdrawal without notice and at HCL's sole discretion.
Information regarding potential future products is intended to outline our general product direction and it should not be relied on in making a purchasing decision.
The information mentioned regarding potential future products is not a commitment, promise, or legal obligation to deliver any material, code or functionality. Information about potential future products may not be incorporated into any contract.
The development, release, and timing of any future features or functionality described for our products remains at our sole discretion.
Performance is based on measurements and projections using standard HCL benchmarks in a controlled environment. The actual throughput or performance that any user will experience will vary depending upon many factors, including considerations such as the amount of multiprogramming in the user's job stream, the I/O configuration, the storage configuration, and the workload processed. Therefore, no assurance can be given that an individual user will achieve results similar to those stated here.
https://www.hcltechsw.com/wps/portal/legal/hcl-software-disclaimer

Why should you consider running Sametime as a "Software Appliance"?
Sametime 12 requires additional services:
•LDAP
•MongoDB
Installing and running these required components on separate servers results in additional work:
Must maintain operating systems on multiple servers
Must secure the network connection between the Sametime server and LDAP / MongoDB
Must make sure that LDAP and MongoDB are not overloaded by other, non-Sametime clients
Running Sametime as a "Software Appliance" means simplification:
✓Reduce the number of Linux (or Windows) servers required for Sametime
✓Avoid potential bottlenecks by running LDAP and MongoDB servers that are dedicated to Sametime
✓Simplify network connectivity and firewall requirements
✓Reduce the potential attack surface: LDAP and MongoDB only need to be reachable on the internal Docker bridge network, so no LDAP or MongoDB port has to be published on the host or opened in the firewall
✓Easy to spin up a secondary instance / backup instance

What does the architecture look like?
Sametime, LDAP and MongoDB run in Docker containers on the same Docker bridge network.
On the Linux server (behind the firewall):
Sametime: Chat, Meetings
Domino: LDAP, NRPC
Connections through the firewall:
Domino Administrator Client and other Domino servers (NRPC)
Sametime desktop, web and mobile clients (TCP / UDP ports configurable)
STUN / TURN
Push notifications
Create the shared bridge network once:
docker network create local_bridge

Set Up Domino LDAP server

Set Up Domino LDAP server on Docker using one-touch setup
Prepare /local/lab/DominoAutoConfig.json and use it to deploy a new Domino server.
•First server in a new Domino domain, or a new server in an existing Domino domain
One-touch setup allows you to create and update a new server configuration incl. server tasks, define replication settings and register new users and technical accounts (e.g. ldapbind-st).
Prepare the data directory (the Domino container runs as uid 1000, so the directory must be owned by that user) and load the container image:
mkdir -p /local/notesdata
chown 1000:1000 /local/notesdata/
docker load -i Domino_1202FP4_ContainerImage.tgz
docker image ls
Connect to the new Domino server using the Domino Administrator client and verify the configuration.
If everything is fine, stop the Domino server and remove the domino container.

Example: DominoAutoConfig.json

Set Up Domino LDAP server on Docker using one-touch setup: explore the Domino container
docker exec -it domino bash
whoami
pwd
domino console

Run Domino LDAP server with Docker Compose
Create a docker compose file (e.g. /opt/hcl/domino.yml) and use it to start the Domino server.

When you deploy Sametime, provide the Domino container name as the name of your LDAP server.
If you want to encrypt LDAP traffic between the Sametime Community container and Domino, you need to provide a TLS certificate for Domino. Without it, the bind credentials of the technical account (e.g. ldapbind-st) cross the bridge network in clear text; on a single host that traffic never leaves the machine, but LDAPS keeps it from being sniffed by any other container on the same network.
You can use the Domino Certificate Manager for that purpose:
https://help.hcltechsw.com/domino/12.0.2/admin/secu_le_using_certificate_manager.html
To learn more about Domino One-touch setup, check out the product documentation and GitHub repository:
https://help.hcltechsw.com/domino/12.0.2/admin/inst_onetouch.html
https://github.com/HCL-TECH-SOFTWARE/domino-one-touch-setup
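Putting the one-touch procedure above together, as an added example that is not part of the deck: a shell script that creates the local_bridge network, starts the Domino container for its first-run setup with the JSON mounted read-only, and afterwards audits with docker port that LDAP on the Domino container (and 27017 on MongoDB) is not published on the host, while NRPC is. The image tag, the SetupAutoConfigure / SetupAutoConfigureParams variable names and the host paths are assumptions; check them against the one-touch documentation linked above and the tag printed by docker image ls.

```shell
#!/bin/sh
# Added example, not from the deck: first-time Domino deployment on the shared
# bridge network with one-touch setup, plus an audit that the backend ports
# stay unpublished. Assumptions: the image tag (check 'docker image ls' after
# the docker load), the SetupAutoConfigure* variable names (verify against the
# one-touch documentation) and the host paths from the slides.
set -eu

NETWORK="${NETWORK:-local_bridge}"
DOMINO_IMAGE="${DOMINO_IMAGE:-domino:12.0.2FP4}"          # assumption
CONFIG_JSON="${CONFIG_JSON:-/local/lab/DominoAutoConfig.json}"
DATA_DIR="${DATA_DIR:-/local/notesdata}"

# Create the bridge network once; re-running the script must not fail.
ensure_network() {
  docker network inspect "$NETWORK" >/dev/null 2>&1 \
    || docker network create "$NETWORK"
}

# The one-touch JSON carries the certifier and admin passwords: make it
# root-only on the host and mount it read-only. The data directory is
# owned by uid 1000 because the Domino container runs as that user.
# Only NRPC (1352) is published; LDAP stays on local_bridge.
run_domino() {
  chmod 600 "$CONFIG_JSON"
  mkdir -p "$DATA_DIR" && chown 1000:1000 "$DATA_DIR"
  docker run -d --name domino --hostname domino \
    --network "$NETWORK" --stop-timeout 120 \
    -p 1352:1352 \
    -v "$DATA_DIR":/local/notesdata \
    -v "$CONFIG_JSON":/local/notesdata/DominoAutoConfig.json:ro \
    -e SetupAutoConfigure=1 \
    -e SetupAutoConfigureParams=/local/notesdata/DominoAutoConfig.json \
    "$DOMINO_IMAGE"
}

# Given the text printed by 'docker port <container>' and a container port,
# succeed if that port is bound to a host interface.
port_is_published() {  # bindings port
  printf '%s\n' "$1" | grep -Eq "^$2/(tcp|udp) -> "
}

# Backend ports must only be reachable on local_bridge: 389/636 on the
# Domino container, 27017 on MongoDB. Returns 1 if any of them leaks.
audit_exposure() {  # container port...
  c=$1; shift
  b=$(docker port "$c" 2>/dev/null || true)
  rc=0
  for p in "$@"; do
    if port_is_published "$b" "$p"; then
      echo "WARNING: $c publishes port $p on the host" >&2
      rc=1
    fi
  done
  return $rc
}

case "${1:-}" in
  up)    ensure_network; run_domino ;;
  audit) rc=0
         audit_exposure domino 389 636 || rc=1
         audit_exposure mongo 27017 || rc=1
         exit $rc ;;
  *)     echo "usage: $0 up|audit" >&2 ;;
esac
```

Run it as `./domino-appliance.sh up` for the initial one-touch deployment and `./domino-appliance.sh audit` after the Compose files are in place; a non-zero exit from audit means a backend port is reachable from outside the bridge network.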

Set Up MongoDB

Set Up MongoDB on Docker (1)
mkdir -p /local/mongodata
Create a docker compose file (e.g. /opt/mongodb/mongo.yml) and use it to start the MongoDB server.

Set Up MongoDB on Docker (2)
Start the Mongo shell mongosh inside the MongoDB container, initiate the replica set rs0 and add the MongoDB container as its member:
docker exec -it mongo mongosh --eval "rs.initiate({
_id: \"rs0\",
members: [
{_id: 0, host: \"mongo\"}
]
})"
# Check status and members list of the replica set
docker exec -it mongo mongosh --eval "rs.status()"
# Check the configuration of the replica set
docker exec -it mongo mongosh --eval "rs.conf()"

Configure MongoDB for Sametime
Start the Mongo shell mongosh inside the MongoDB container:
docker exec -it mongo mongosh
Create a MongoDB user for Sametime and assign it the required roles, also create a user with the clusterAdmin role, then initialize two collections in the chatlogging database. Replace the example password "sametime" with a strong one: it ends up in clear text in MONGO_URL in custom.env.
use admin
db.createUser({user: "sametimeUser", pwd: "sametime", roles:[{role:
"userAdminAnyDatabase",db:"admin"}, {role:"readWrite",db:"chatlogging"},
{role:"dbAdmin",db:"chatlogging"}, {role:"readWrite",db:"mobileOffline"},
{role:"dbAdmin",db:"mobileOffline"}, {role:"readWrite",db:"meeting"}, {role:"dbAdmin", db:"meeting"},
{role:"readWrite",db:"privacy"}, {role:"dbAdmin",db:"privacy"}, { role:"readWrite",db:"userinfo"},
{role:"dbAdmin",db:"userinfo"}]})
db.createUser({"user": "sametimeClusterAdmin", "pwd": "sametime", roles:
[{"role":"clusterAdmin","db":"admin"}]})
use chatlogging
db.EVENTS.insertOne({"_id" : "dummy"})
db.SESSIONS.insertOne ({"_id" : "dummy"})
exit

List users in the admin db:
use admin
db.getUsers()

If you want to run a MongoDB cluster, you can achieve that by deploying 3 MongoDB containers with separate data directories, even on the same Linux host.
For details see the MongoDB documentation and Sametime documentation incl. the topic about implementing keyfile authentication for MongoDB clusters:
https://opensource.hcltechsw.com/sametime-doc/v1202/admin/t_create_mongo_replset.html
When you deploy Sametime, provide the MongoDB container name as the name of your Mongo server. The connection string, including the password, will be stored in custom.env; restrict that file to the installing user, and percent-encode the password if it contains characters that are reserved in URLs (such as @, : or /).
Example:
MONGO_URL=mongodb://sametimeUser:sametime@mongo:27017/?authSource=admin&replicaSet=rs0
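The user-creation script above and the MONGO_URL example both use the literal password "sametime". As an added example, not from the deck, the following shell script generates the two passwords, creates the users with the slide's role list by piping the script into mongosh (so the passwords never appear as command-line arguments), percent-encodes the password into the connection string and writes MONGO_URL to custom.env with mode 0600. It assumes the container name mongo, the replica set rs0 and custom.env under /opt/hcl/sametime.

```shell
#!/bin/sh
# Added example, not from the deck: replace the literal password "sametime"
# with generated secrets, create the two MongoDB users with the role list from
# the slide, and write MONGO_URL to custom.env without leaving the password in
# the process list or in a world-readable file. Assumptions: container name
# "mongo", replica set "rs0", custom.env location.
set -eu

MONGO_CONTAINER="${MONGO_CONTAINER:-mongo}"
CUSTOM_ENV="${CUSTOM_ENV:-/opt/hcl/sametime/custom.env}"

# 32 random alphanumerics (no URL-reserved characters, no quoting issues).
gen_password() {
  LC_ALL=C tr -dc 'A-Za-z0-9' </dev/urandom | head -c 32
}

# Percent-encode everything outside the RFC 3986 unreserved set; needed
# whenever a password that is not alphanumeric goes into the URL userinfo.
urlencode() {
  printf '%s' "$1" | LC_ALL=C awk '
    BEGIN { for (i = 1; i < 256; i++) ord[sprintf("%c", i)] = i }
    {
      out = ""
      for (i = 1; i <= length($0); i++) {
        c = substr($0, i, 1)
        if (c ~ /[A-Za-z0-9._~-]/) out = out c
        else out = out sprintf("%%%02X", ord[c])
      }
      printf "%s", out
    }'
}

# Connection string in the form Sametime expects in custom.env.
build_mongo_url() {  # user password host replicaset
  printf 'mongodb://%s:%s@%s:27017/?authSource=admin&replicaSet=%s' \
    "$(urlencode "$1")" "$(urlencode "$2")" "$3" "$4"
}

# Set KEY=VALUE in an env file (replace or append); result has mode 0600.
set_env_var() {  # file key value
  umask 077
  [ -f "$1" ] || : > "$1"
  { grep -v "^$2=" "$1" || true; printf '%s=%s\n' "$2" "$3"; } > "$1.tmp"
  mv "$1.tmp" "$1"
  chmod 600 "$1"
}

# Create the users by piping the script into mongosh on stdin. Only
# alphanumeric passwords are accepted because they are interpolated into JS.
create_sametime_users() {  # user-password clusteradmin-password
  for p in "$1" "$2"; do
    case "$p" in ""|*[!A-Za-z0-9]*)
      echo "create_sametime_users: passwords must be non-empty alphanumerics" >&2
      return 1 ;;
    esac
  done
  docker exec -i "$MONGO_CONTAINER" mongosh --quiet <<EOF
const admin = db.getSiblingDB("admin");
admin.createUser({user: "sametimeUser", pwd: "$1", roles: [
  {role: "userAdminAnyDatabase", db: "admin"},
  {role: "readWrite", db: "chatlogging"},   {role: "dbAdmin", db: "chatlogging"},
  {role: "readWrite", db: "mobileOffline"}, {role: "dbAdmin", db: "mobileOffline"},
  {role: "readWrite", db: "meeting"},       {role: "dbAdmin", db: "meeting"},
  {role: "readWrite", db: "privacy"},       {role: "dbAdmin", db: "privacy"},
  {role: "readWrite", db: "userinfo"},      {role: "dbAdmin", db: "userinfo"}]});
admin.createUser({user: "sametimeClusterAdmin", pwd: "$2",
  roles: [{role: "clusterAdmin", db: "admin"}]});
const cl = db.getSiblingDB("chatlogging");
cl.EVENTS.insertOne({_id: "dummy"});
cl.SESSIONS.insertOne({_id: "dummy"});
EOF
}

main() {
  pw=$(gen_password)
  cpw=$(gen_password)
  create_sametime_users "$pw" "$cpw"
  set_env_var "$CUSTOM_ENV" MONGO_URL \
    "$(build_mongo_url sametimeUser "$pw" "$MONGO_CONTAINER" rs0)"
  echo "MONGO_URL written to $CUSTOM_ENV (mode 0600)."
  echo "sametimeClusterAdmin password (store it in your secret store; it is not written anywhere): $cpw"
}

if [ "${1:-}" = run ]; then main; fi
```

Run it once, after rs.initiate and before install.sh, as `./mongo-users.sh run`; the two helper functions urlencode and set_env_var are also useful on their own when you rotate the password later.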

Prepare Sametime installation
Unzip the Sametime Premium or Sametime Limited Use installation files to e.g. /opt/hcl/sametime:
mkdir -p /opt/hcl/sametime
unzip <install zip file> -d /opt/hcl/sametime/
Before running install.sh, modify docker-compose.yml as follows:
Add a reference to the Docker local_bridge network at the end of the file.
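The docker-compose.yml change described above (the reference to local_bridge) survives in the deck only as a screenshot. As an added example, not the deck's own snippet, this shell script appends a networks block that makes the existing local_bridge network the Compose project's default network, so the Sametime containers reach domino and mongo by container name, and validates the result with docker compose config. The stanza is one valid way to express the change and an assumption about what the slide shows; the file path is the one used on the slides.

```shell
#!/bin/sh
# Added example (not from the deck): join the Sametime compose project to the
# existing local_bridge network. Assumption: the "networks: default: external"
# stanza is what the slide's screenshot adds; verify with docker compose config.
set -eu

COMPOSE_FILE="${COMPOSE_FILE:-/opt/hcl/sametime/docker-compose.yml}"
NETWORK="${NETWORK:-local_bridge}"

# True if the compose file already declares an external network of that name.
compose_declares_network() {  # file network
  grep -Eq "^[[:space:]]*name:[[:space:]]*$2[[:space:]]*$" "$1" \
    && grep -Eq "^[[:space:]]*external:[[:space:]]*true" "$1"
}

# Append a top-level networks block that makes the external network the
# project's default network. Idempotent; refuses to create a duplicate
# top-level "networks:" key, which would make the YAML invalid.
add_external_network() {  # file network
  if compose_declares_network "$1" "$2"; then
    return 0
  fi
  if grep -Eq '^networks:' "$1"; then
    echo "$1 already has a top-level networks: block; add 'default' there by hand" >&2
    return 1
  fi
  cat >> "$1" <<EOF

networks:
  default:
    external: true
    name: $2
EOF
}

# Let Compose parse the result; a duplicate key or bad indentation fails here.
validate_compose() {  # file
  docker compose -f "$1" config >/dev/null
}

if [ "${1:-}" = apply ]; then
  add_external_network "$COMPOSE_FILE" "$NETWORK"
  validate_compose "$COMPOSE_FILE"
  docker network inspect "$NETWORK" >/dev/null   # the external network must exist
fi
```

Run `./compose-network.sh apply` before install.sh; because the network is declared external, Compose will not create or remove it, which is what you want when Domino and MongoDB are started from their own compose files on the same network.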

Sametime Monitoring Dashboard

HCL Sametime 12.0.2 Monitoring Dashboard on Docker
The Sametime 12.0.2 Monitoring Dashboard is embedded in the /admin Web UI.
All containers required for monitoring (Prometheus, Grafana, cAdvisor, Node Exporter) are started via docker-compose.yml and run on the same Docker network as the Sametime services. There is no separate docker-compose-monitoring.yml file.
➢No need to expose any ports of the monitoring services to localhost
➢No need to open the firewall for any monitoring service ports
Monitoring in Sametime 12.0.2 on Docker relies on the following settings:
Settings in .env
COMPOSE_PROFILES=monitoring
Settings in custom.env
MONITORING_ENABLED=true
ENABLE_GRAFANA_PROXY=true
If you would like to be asked about enabling monitoring during installation, you need to
export ENABLE_DARK_LAUNCH_MONITORING=true
before you run install.sh.

Add* / Update the Monitoring stack in docker-compose.yml
Use persistent volumes for Prometheus and Grafana data
Adjust the URL for the cadvisor image
Do not expose the Grafana port
* For Sametime Limited Use you need to add the Monitoring services and persistent volumes to docker-compose.yml

Fix Prometheus configuration in Sametime 12 Limited Use
Sametime Limited Use does not provide meetings.
Remove the 'meetings' scrape job from prometheus.yml.

Sametime Admin Web UI

Sametime 12.0.2 Admin Web UI
When you install Sametime 12.0.2 on Docker, install.sh will ask you to provide the email address of your Sametime administrator. An account with that email address must already exist in your LDAP directory.
You can add additional users to the Sametime administrator role by using one of these methods:
•Use a Mongo shell to add a user as an administrator to the meeting database (the address must again belong to an account in LDAP, since that is where the administrator authenticates):
use meeting
db.administrators.insertOne({"_id": (new ObjectId()).toString(), "email": "<email address of the additional administrator>"})
•Use the Sametime Admin API: retrieve a CSRF token from /sametime-auth, then use /sametime-admin to set an additional admin user.

Sametime 12.0.2 Admin Web UI
The Sametime Admin Web UI (/admin) provides tools to manage Sametime policies.
The admin UI also embeds the Grafana dashboard for Sametime Monitoring.
Grafana admin credentials are separate from your Sametime administrator credentials, i.e. they don't exist in LDAP. You can also add additional Grafana users or Grafana administrators in the Grafana Web UI.
# Reset Grafana admin password
# The last argument is the new password; "admin" is only a placeholder, pick a strong one
cd /opt/hcl/sametime
docker compose exec -it grafana bash
grafana-cli admin reset-admin-password admin

Integration with Let's Encrypt

Integrate Sametime on Docker with Let's Encrypt
Sametime 12 on Docker can request, retrieve and apply a TLS certificate from Let's Encrypt. It will also automatically renew the TLS certificate before it expires.
The built-in integration is based on the ACME protocol (Automatic Certificate Management Environment) and uses an HTTP-01 challenge to verify that you control the domain name you are requesting a certificate for:
1. The ACME server (= Let's Encrypt) issues a challenge token to the ACME client (= the NGINX service in Sametime), which publishes it under a well-known URL.
2. The ACME server fetches that "secret" via an inbound HTTP request on port 80 from the well-known URL (/.well-known/acme-challenge/<token>).
➢The FQDN of your Sametime server must be registered in public DNS
➢Your Sametime server must be reachable from the public Internet on HTTP port 80
The built-in integration is broken in 12.0.1 FP1 and fixed in Sametime 12.0.2.

Integrate Sametime 12.0.1 or 12.0.2 on Docker with Let's Encrypt
Settings in .env
# Exposed HTTP port
HTTP_PORT=80
# Exposed HTTPS port
HTTPS_PORT=443
# Redirect HTTP traffic to HTTPS
# Necessary for Let's Encrypt, relies on standard HTTPS port (443)
# Enable this only for Sametime 12.0.1; do NOT enable it for Sametime 12.0.2
ENABLE_HTTP_REDIRECT=1
# Let's Encrypt configuration
# Enable Let's Encrypt certificate generation
ENABLE_LETSENCRYPT=1
# Domain for which to generate the certificate
LETSENCRYPT_DOMAIN=<your.sametimeserver.com>
# E-Mail for receiving important account notifications (mandatory)
LETSENCRYPT_EMAIL=<YourAdminEmailAddress>
# Use the staging server (for avoiding rate limits while testing)
# LETSENCRYPT_USE_STAGING=1
Set HTTP_PORT to 80.
Enable ENABLE_HTTP_REDIRECT only for Sametime 12.0.1. Do NOT enable this for Sametime 12.0.2.
If you set up the integration for the first time, make sure to test it first with the Let's Encrypt staging service enabled (LETSENCRYPT_USE_STAGING=1): production issuance is rate-limited, and repeated failed attempts against production can block further issuance for that hostname for a while.

Integrate Sametime 12 on Docker with Let's Encrypt
Settings in docker-compose.yml
nginx:
  image: hclcr.io/st/meetings-web:${BUILD_LEVEL}
  restart: ${RESTART_POLICY}
  ...
  environment:
    ...
    - LETSENCRYPT_DOMAIN
    - LETSENCRYPT_EMAIL
    - LETSENCRYPT_USE_STAGING
    ...
If you want to use the Let's Encrypt staging service, make sure LETSENCRYPT_USE_STAGING is included in the list of environment variables of the nginx service.
Settings in custom.env
# Example: PUBLIC_URL=https://sametime.company.com
PUBLIC_URL=https://<your.sametimeserver.com>
A setting for PUBLIC_URL can be found both in .env and in custom.env. Make sure you define a value for this setting only in custom.env.

Workaround for Sametime 12.0.1 FP1 on Docker with Let's Encrypt
Settings in .env
# Exposed HTTP port
HTTP_PORT=8000
# Exposed HTTPS port
HTTPS_PORT=443
# Redirect HTTP traffic to HTTPS
# Necessary for Let's Encrypt, relies on standard HTTPS port (443)
ENABLE_HTTP_REDIRECT=1
# Let's Encrypt configuration
# Enable Let's Encrypt certificate generation
ENABLE_LETSENCRYPT=1
# Domain for which to generate the certificate
LETSENCRYPT_DOMAIN=<your.sametimeserver.com>
# E-Mail for receiving important account notifications (mandatory)
LETSENCRYPT_EMAIL=<YourAdminEmailAddress>
# Use the staging server (for avoiding rate limits while testing)
# LETSENCRYPT_USE_STAGING=1
Settings in docker-compose.yml
nginx:
  image: hclcr.io/st/meetings-web:${BUILD_LEVEL}
  user: "0:0"   # temporary fix
  restart: ${RESTART_POLICY}
  ports:
    - '${HTTP_PORT}:8080'
    - '${HTTPS_PORT}:4443'
    - '80:80'   # temporary fix
  ...
  environment:
    ...
    - LETSENCRYPT_DOMAIN
    - LETSENCRYPT_EMAIL
    - LETSENCRYPT_USE_STAGING
    ...
Note that user: "0:0" runs the nginx container as root. Treat the two "temporary fix" lines and HTTP_PORT=8000 as exactly that, and remove them after upgrading to 12.0.2, where the integration is fixed and the nginx service runs with its regular user again.

Integrate Sametime 12 on Docker with Let's Encrypt
The nginx container will use the ACME protocol to register an account with Let's Encrypt. If successful, it will then request and retrieve a TLS certificate.

Integrate Sametime 12 on Docker with Let's Encrypt
The TLS certificate will be placed in a subdirectory below the ./sametime-config directory that is named after the FQDN of your server. The matching private key lives there as well, so keep the permissions on ./sametime-config restrictive and exclude it from any backup or copy that others can read.
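Because the settings differ between 12.0.1 and 12.0.2 and a wrong first attempt burns Let's Encrypt rate limits, here is an added example, not from the deck, that lints the .env against the rules on the slides above and then checks the HTTP-01 prerequisites (public DNS resolution and reachability on port 80) from the host. It assumes curl and getent are installed and does not cover the 12.0.1 FP1 workaround, which uses HTTP_PORT=8000 with an extra 80:80 port mapping.

```shell
#!/bin/sh
# Added example (not part of the deck): lint the Let's Encrypt settings in .env
# for a given Sametime release and verify the HTTP-01 prerequisites before the
# first production issuance. Assumptions: curl and getent are available; the
# 12.0.1 FP1 workaround (HTTP_PORT=8000 + 80:80 mapping) is not handled.
set -eu

# Read KEY=VALUE from an env file, ignoring commented-out lines; empty if unset.
env_get() {  # file key
  sed -n "s/^[[:space:]]*$2=[[:space:]]*//p" "$1" | tail -n 1
}

# Check .env for release "12.0.1" or "12.0.2". Prints one finding per line
# and returns 1 if anything must be fixed (the staging hint is only a note).
lint_letsencrypt_env() {  # envfile version
  rc=0
  [ "$(env_get "$1" ENABLE_LETSENCRYPT)" = 1 ] || { echo "ENABLE_LETSENCRYPT must be 1"; rc=1; }
  [ "$(env_get "$1" HTTP_PORT)" = 80 ] || { echo "HTTP_PORT must be 80 (HTTP-01 is fetched on port 80)"; rc=1; }
  [ "$(env_get "$1" HTTPS_PORT)" = 443 ] || { echo "HTTPS_PORT must be 443"; rc=1; }
  d=$(env_get "$1" LETSENCRYPT_DOMAIN)
  case "$d" in ""|*"<"*) echo "LETSENCRYPT_DOMAIN is unset or still a placeholder"; rc=1 ;; esac
  e=$(env_get "$1" LETSENCRYPT_EMAIL)
  case "$e" in *@*.*) ;; *) echo "LETSENCRYPT_EMAIL must be a real mailbox (mandatory)"; rc=1 ;; esac
  redirect=$(env_get "$1" ENABLE_HTTP_REDIRECT)
  case "$2" in
    12.0.1) [ "$redirect" = 1 ]  || { echo "12.0.1: set ENABLE_HTTP_REDIRECT=1"; rc=1; } ;;
    12.0.2) [ "$redirect" != 1 ] || { echo "12.0.2: do NOT set ENABLE_HTTP_REDIRECT=1"; rc=1; } ;;
    *) echo "unknown version $2 (expected 12.0.1 or 12.0.2)"; rc=1 ;;
  esac
  [ "$(env_get "$1" LETSENCRYPT_USE_STAGING)" = 1 ] \
    || echo "note: LETSENCRYPT_USE_STAGING is off; use staging for the first run to avoid rate limits"
  return $rc
}

# HTTP-01 prerequisites: the FQDN must resolve in public DNS and port 80 must
# accept connections. Any HTTP status proves port 80 reaches the nginx
# container (even 404 or a redirect); "000" means no connection at all.
# Repeat the curl from a host outside your network to rule out NAT/firewall.
preflight_http01() {  # fqdn
  ip=$(getent ahostsv4 "$1" | awk 'NR == 1 { print $1 }')
  [ -n "$ip" ] || { echo "$1 does not resolve"; return 1; }
  echo "$1 resolves to $ip"
  code=$(curl -s -o /dev/null -w '%{http_code}' --max-time 10 \
    "http://$1/.well-known/acme-challenge/preflight-test" || echo 000)
  [ "$code" != 000 ] || { echo "port 80 on $1 is not reachable"; return 1; }
  echo "port 80 reachable (HTTP $code)"
}

if [ "${1:-}" = check ]; then
  envfile="${2:-.env}"
  lint_letsencrypt_env "$envfile" "${3:-12.0.2}"
  preflight_http01 "$(env_get "$envfile" LETSENCRYPT_DOMAIN)"
fi
```

Run `./le-preflight.sh check /opt/hcl/sametime/.env 12.0.2` (or 12.0.1) before install.sh; fix every finding, do the first run with LETSENCRYPT_USE_STAGING=1, and only then switch to production.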

Q&A
Erik Schwalb
Phone +49 6007 930017
Mobile +49 172 8377012
facebook.com/Erik.Schwalb.business

hcltechsw.com