Sametime STProxy V11 FP1 Connections Business card integration ports

I have completed a migration to Sametime 11 FP1 and the STProxy is on a separate server sat in the DMZ. Everything is working apart from they wanted to use the Connections Business Cards as they did with previous versions. I have completed the setup for this as per the documentation but it is still not showing the information. I have double checked the config I used against another install I have completed where it works but the server is sat inside the Network not in the DMZ and the config is identical. This also worked before the STProxy server was moved to the DMZ as we tested it all just internally first.

I can get to the Connections server from the STProxy server so that's not being blocked. The only thing I could think of is that maybe, as this is sat in the DMZ, I am overlooking a port required to be open to the Connections server from the STProxy? This is clutching at straws I know, but I am a little stumped as to why the Biz Cards are not showing.

After looking at the STProxy logs I can now see the following error, but I am not sure why and who is reporting the error. Is this Connections or the STProxy?

22-Apr-2020 20:38:43.196 WARNING [Chuck the postman's dispatching thread.1] com.ibm.collaboration.realtime.stproxy.services.userinfo.PhotoUrlProcessor.saveImageFromUrl SID: e0034206-fae1-46ab-99d4-35cee3d1e6cc, userId: CN=xxxxxxx,O=xxx,C=xx
javax.net.ssl.SSLHandshakeException: sun.security.validator.ValidatorException: PKIX path building failed: sun.security.provider.certpath.SunCertPathBuilderException: unable to find valid certification path to requested target
at sun.security.ssl.Alerts.getSSLException(Alerts.java:192)
at sun.security.ssl.SSLSocketImpl.fatal(SSLSocketImpl.java:1946)
at sun.security.ssl.Handshaker.fatalSE(Handshaker.java:316)
at sun.security.ssl.Handshaker.fatalSE(Handshaker.java:310)
at sun.security.ssl.ClientHandshaker.serverCertificate(ClientHandshaker.java:1639)
at sun.security.ssl.ClientHandshaker.processMessage(ClientHandshaker.java:223)
at sun.security.ssl.Handshaker.processLoop(Handshaker.java:1037)
at sun.security.ssl.Handshaker.process_record(Handshaker.java:965)
at sun.security.ssl.SSLSocketImpl.readRecord(SSLSocketImpl.java:1064)
at sun.security.ssl.SSLSocketImpl.performInitialHandshake(SSLSocketImpl.java:1367)
at sun.security.ssl.SSLSocketImpl.startHandshake(SSLSocketImpl.java:1395)
at sun.security.ssl.SSLSocketImpl.startHandshake(SSLSocketImpl.java:1379)
at org.apache.http.conn.ssl.SSLSocketFactory.createLayeredSocket(SSLSocketFactory.java:570)
at org.apache.http.conn.ssl.SSLSocketFactory.connectSocket(SSLSocketFactory.java:554)
at org.apache.http.conn.ssl.SSLSocketFactory.connectSocket(SSLSocketFactory.java:415)
at org.apache.http.impl.conn.DefaultClientConnectionOperator.openConnection(DefaultClientConnectionOperator.java:180)
at org.apache.http.impl.conn.ManagedClientConnectionImpl.open(ManagedClientConnectionImpl.java:326)
at org.apache.http.impl.client.DefaultRequestDirector.tryConnect(DefaultRequestDirector.java:605)
at org.apache.http.impl.client.DefaultRequestDirector.execute(DefaultRequestDirector.java:440)
at org.apache.http.impl.client.AbstractHttpClient.doExecute(AbstractHttpClient.java:835)
at org.apache.http.impl.client.CloseableHttpClient.execute(CloseableHttpClient.java:83)
at org.apache.http.impl.client.CloseableHttpClient.execute(CloseableHttpClient.java:108)
at org.apache.http.impl.client.CloseableHttpClient.execute(CloseableHttpClient.java:56)
at com.ibm.collaboration.realtime.stproxy.services.userinfo.PhotoUrlProcessor.saveImageFromUrl(PhotoUrlProcessor.java:355)
at com.ibm.collaboration.realtime.stproxy.services.userinfo.PhotoUrlProcessor.process(PhotoUrlProcessor.java:264)
at com.ibm.collaboration.realtime.stproxy.services.userinfo.UserinfoService$UserInfoServiceListener.userInfoQueried(UserinfoService.java:378)
at com.lotus.sametime.userinfo.UserInfoComp.processUserInfoEvent(UserInfoComp.java:280)
at com.lotus.sametime.userinfo.UserInfoComp.processSTEvent(UserInfoComp.java:254)
at com.lotus.sametime.core.comparch.STCompPart$STCompPartSTEventListener.processSTEvent(STCompPart.java:238)
at com.lotus.sametime.core.comparch.MessageDispatcher.dispatch(MessageDispatcher.java:358)
at com.lotus.sametime.core.comparch.MessageDispatcher.flush(MessageDispatcher.java:177)
at com.lotus.sametime.core.comparch.MessageDispatchingThread.run(MessageDispatchingThread.java:102)
at java.lang.Thread.run(Thread.java:821)
Caused by: sun.security.validator.ValidatorException: PKIX path building failed: sun.security.provider.certpath.SunCertPathBuilderException: unable to find valid certification path to requested target

Hey Richard,

Did you set up Connection profiles thru the Proxy configuration (stproxyconfig.xml) or are you specifying individual Connection Profile URLs in a field of the person documents or LDAP? The above suggests you are using a PhotoURL with a link to the user's Connection Profile. Is this working on Rich clients with ImagePath set? The Proxy server doesn't necessarily need to use the Sametime Community server's userinfo servlet for Connection profiles to be used, as the proxy configuration can be updated to directly connect to the Connection server (avoiding the Community server's business card retrieval).

If this was all working before moving to the DMZ, this would suggest the configuration is correct. If PhotoURL is being used, confirm the Connection profile urls are accessible from the Sametime Proxy. In this case the Community server would be sending the Proxy server the url, not the actual image.

A lot of options to consider. Open a support case and we can help better vet this out.

Thanks,
Trevor Tallackson
Sametime Support

Hi Trevor, I have actually done both, mainly because the URL in the person document (it is using an LDAP config though to a Domino server as this is what it was using during the environment's WebSphere days) was already there from the previous environment. I then added the stproxyconfig for Connections business cards as well.

I have raised a support call as you suggested but this certainly is an interesting one as I can get to the URL for Connections profiles from the STProxy server.

It sounds like an SSL configuration problem. If you configured the proxy to directly connect to the Connections server, you will probably need to add the Connections SSL certificate to the trusted roots in the Java cacerts keystore.

Bang on. The cert, even though a full trusted 3rd party cert, was not trusted in the Java keystore so I had to do the following :-

  1. Go to URL in your browser:
    • Firefox - click on the HTTPS certificate chain (the lock icon right next to the URL address). Click "more info" > "security" > "show certificate" > "details" > "export..". Pick a name and choose the file type, e.g. example.cer
  2. Now you have a file with keystore and you have to add it to your JVM. Determine the location of the cacerts file, e.g. C:\HCL\sametimeproxy\openjdk\lib\security\cacerts

  3. Next import the example.cer file into cacerts in command line:

C:\HCL\sametimeproxy\openjdk\bin\keytool -import -alias example -keystore C:\HCL\sametimeproxy\openjdk\lib\security\cacerts -file example.cer

You will be asked for the password, which by default is changeit

Restart the STProxy.

What I will say though is it seems like my config is bypassing the stproxyconfig.xml settings. The reason I say that is because the STProxy is not showing the business cards from Connections, only the photo, so it is using the stuserinfo settings (I do have PhotoURL set) not bcard from stproxyconfig. This is what I have in stproxyconfig. Is this incorrect, or does the stuserinfo setup take precedence over the stproxyconfig?

<?xml version="1.0" encoding="UTF-8" standalone="no"?>
<configuration>
<server>
<host>xxx.xxx.com</host>
<port>1516</port>
<clusterlist />
<maxconnections>-1</maxconnections>

</server>
<bcard>
<url>https://xxx.xxx.com/profiles</url>
<type>1</type>
</bcard>

<httponlyexception>sid</httponlyexception>
<secureexception></secureexception>
</configuration>
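
The keystore import described in this post, with the checks that make the trust decision explicit, as an added example (not part of the original posts and not HCL's own procedure). The host name `connections.example.com` is a placeholder; the paths, alias, file name and default password are the ones given in the post.

```powershell
# Added example. Run on the STProxy host from an elevated PowerShell prompt.
$JavaHome  = 'C:\HCL\sametimeproxy\openjdk'          # JVM used by the STProxy (from the post)
$Keytool   = Join-Path $JavaHome 'bin\keytool.exe'
$CaCerts   = Join-Path $JavaHome 'lib\security\cacerts'
$Target    = 'connections.example.com:443'            # placeholder: your Connections host
$CertFile  = 'example.cer'                            # file exported from the browser
$Alias     = 'example'
$StorePass = 'changeit'                               # default password named in the post

# 1. Print the chain the Connections server actually presents to this JVM.
#    keytool does not validate trust here, so this works even while the
#    STProxy logs "PKIX path building failed". Note the Issuer of the last
#    certificate: that CA (or the certificate itself) must be in cacerts.
& $Keytool -printcert -sslserver $Target

# 2. Print owner, issuer, validity and SHA-256 fingerprint of the exported file
#    and compare them with the output of step 1 before trusting it.
& $Keytool -printcert -file $CertFile

# 3. Keep a timestamped copy of the trust store so the change can be rolled back.
Copy-Item -Path $CaCerts -Destination "$CaCerts.bak-$(Get-Date -Format yyyyMMddHHmmss)"

# 4. Import. keytool shows the certificate and asks "Trust this certificate?";
#    answer yes only if the fingerprint matches what step 2 printed.
& $Keytool -importcert -alias $Alias -keystore $CaCerts -storepass $StorePass -file $CertFile
if ($LASTEXITCODE -ne 0) { throw "keytool import failed with exit code $LASTEXITCODE" }

# 5. Confirm the entry is present, then restart the STProxy so the JVM reloads cacerts.
& $Keytool -list -v -alias $Alias -keystore $CaCerts -storepass $StorePass
```

If `example.cer` is the server's own (leaf) certificate, the entry has to be replaced whenever that certificate is renewed; importing the issuing CA certificate shown in step 1 avoids that.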

Those are the correct stproxyconfig.xml settings. You can confirm this is being read by the server by reviewing the Proxy startup, where it dumps its configuration reads.

This should override the need to use the Community server's userinfo servlet. Let us know if you have a support case open for this and we can look into why it's not being used.

Thanks,
Trevor Tallackson
Sametime Support

Hi Richard,

Did you get the business card from Connections working?

I also got the photo working (thanks to your post above), but the Connections options in the business card are not there.

Hi, I have business cards from Connections working everywhere apart from the Webclient. The reason for this is because it actually doesn't work. I raised a call and to configure connections business cards in the proxy you just add the following to the stproxyconfig :-

<bcard>
<url>https://connections.acme.com/profiles</url>
<type>1</type>
</bcard>

After a load of testing between myself and HCL this doesn't work, it doesn't read this config. I was told this is supposed to be fixed in the next version of Sametime.

However I do have the photos working from Connections as you said and I also have any details I have that are listed in the Person Document (Domino Directory) so it does have details for each user as we keep certain things populated in the directory.

Fingers crossed when 11.5 is released I will upgrade and the Connections Business Card info will fully show in the Webclient.

Hello,

Any news about this problem?

I try to implement Connections bcards with Sametime 11.6 - still the same behavior with this version. The bcard section seems to be ignored by the Sametime proxy.

Only the BC configuration from the Sametime community server is used.

Do you have an SPR number for the problem?