Sametime Critical Hit – Missing Servlets

This week I will be presenting on upgrading Sametime to 9.0.1 as part of IBM’s New Way To Learn program (see here for details – requires login ).  In preparation for that I wanted to take an existing environment I had and step through the upgrade of all components using the documentation.  I discovered a few things I’ll share in my presentation and on this blog but one spectacular reoccuring critical full stop can’t move any further what was THAT – problem I thought best to share now.

After successfully upgrading the Community server (I know it was successful because the installer and the logs told me so 🙂  I discovered that the server couldn’t start the policy servlet.  It was hard to see since all the other servlets started fine but if I watched the console as it tried to start I saw a servlet error when loading Policy and a message saying com.lotus.sametime.admin.policy.PolicyServlet could not be located.  Luckily I’ve seen similar errors before in some 9.0 upgrades and on those it was the STCore.jar file which sits in the Domino program directory that was at fault.  I took a backup of that STCore.jar and replaced the one in the program directory with one from a 9.0 server (bear with me, it was just to prove something) and sure enough, the server came up and launched Sametime this time finding the Policy servlet but missing the UserInfo servlet.  

OK so I knew where I was.  The STCore.jar that installed as part of the 9.0.1 upgrade was missing some policy files.  I rename both the new 9.0.1 STCore.jar and the copy of my 9.0 STCore.jar to STCore.zip and then extracted them both so I could compare. I drilled down to the folder it claimed was mising com\lotus\sametime\admin\policy and in the screenshots below you can see my 9.0.1 version only has 4 files whereas my 9.0 version had 6 files including the missing one (PolicyServlet).

skitch 2

The STCore.jar as installed by the 9.0.1 upgrade

skitch

The STCore.jar from my 9.0 server

As you can see, the two missing files include the one the server was looking for.  I extracted the two files and added them to my 9.0.1 folder then compressed everything again as STCore.zip and renamed to STCore.jar.  I copied this new “fixed” (I hope) STCore.jar to the Domino directory and the server started with no problems.  At least none I could immediately see.

I had come across this once before (an incorrect STCore.jar) on an earlier customer upgrade so it’s a recurring problem. I’m not sure what happens during the upgrade process – the file itself is dated 25th April 2016 so it’s not built during the install and isn’t broken for new installs.  So two suggestions

1. Always backup STCore.jar before starting any upgrade along with sametime.ini vpuserinfo.nsf stconfig.nsf etc

2. If your server console is reporting a missing servlet during launch then verify that servlet exists in the  STCore.jar

Sametime 9.0.1 Arrives – Sort Of

Like the sun breaking through the clouds on a gorgeous May holiday weekend, the IBM site has just published a document announcing Sametime 9.0.1 with a release date of May 3.

There’s no documentation or even system requirements out there yet but here are some delicious part numbers from the IBM download site to get your teeth into.

I’m not a big fan of installing without documentation but as soon as it appears I’ll be documenting both a clean install and an upgrade process.  If you want any advice on how to upgrade your existing environment feel free to email me.

Screen Shot 2016-05-03 at 14.34.30

Sametime WAS Proxy Stops Working

I’ve had an interesting system down call with an existing Sametime 9.0.1 customer in the past week.  The environment is over 18 months old and consists of every server component in single instances including ST Proxy, Meetings, ST Advanced and all Media components.  The media components were added in Dec 2015 and everything has been fine. The Meeting and Proxy servers both have WAS proxies in front of them to handle traffic over port 80 / 443 separately.  Last week the Meeting node was restarted and the WAS Proxy stopped working.  It would load.  The Meeting server was responding on its own application ports to http(s)://hostname:9080 / 9443 both worked but http(s)://hostname failed with

503 Service Unavailable

The WAS Proxy server showed started.  There were no errors in the logs for that or the ST Meeting server.  Not all WAS proxies were broken because the one in front of the ST Proxy server worked.  In short that error suggests that the Meeting server is offline when we knew it wasn’t and since there isn’t any real configuration for the WAS Proxy other than what node it points to – there was nothing to troubleshoot.  I tried deleting and recreating the WAS Proxy a few times, I tried switching it to use alternate ports 81/444, nothing would fix it.

It took a few days and some combined effort to find.  The WAS team wanted us to upgrade to WAS fixpack 5 but that would mean upgrading 8 working servers in the hopes of fixes one WAS proxy.  There was a suggestion that since the Meeting server was a single, not a cluster, I could just change the Meeting server ports to use 80/443 instead of 9080/9443 and do away with the WAS proxy entirely.  That would get rid of the problem but not fix it, just circumvent it.  I wanted to fix it and find out why it happened.

I had checked the virtual hosts to make sure the hostname / port combination was in the stmeet host and wasn’t anywhere else and discovered that in default_host new wildcard port entries had appeared for ports 80 and 443.  I had already deleted those but that didn’t fix the problem.  How did those port entries appear ? I’ve seen this before when you install new ST servers (as we did with Media in Dec) it come sometimes write virtual host entries to the wrong places.  In fact that was my first guess but after I removed those entries from default_host and it still didn’t fix the problem I was out of ideas.  Then Tony Payne from IBM spotted that the admin_host virtual host which is only used by the SSC had the ports 9080 and 9443 in it when it should only have 8700 and 8701.  Again I assume these were added by the previous server installs and of course I never went to look there because the Meeting server was specifically set to use the STMeet host.

I removed those extra ports from the admin_host virtual host definition and restarted the Meeting node and servers (clearing the temp directories first \profilename\temp and \profilename\wstemp as well as \profilename\config\temp) and that fixed the problem.

So why was the presence of those two ports 9080/9443  (used by the ST Meeting server) that were in a virtual host the ST Meeting server doesn’t even use causing the WAS Proxy to break? Why didn’t the Meeting server itself break and why didn’t the ST Proxy Server which also had a WAS proxy in front of it break?

Turns out that no matter what virtual host mapping you have in place for applications, in Sametime the code checks the admin_host and if a port appears there – it silently disables looking up any other host.  The fact that the Meeting server ports appeared at all in the admin_host meant that the STMeet host was being ignored and the WAS Proxy had no way to direct the traffic.

Unfortunately none of that is visible in the logs or in debug logs which all reported the servers and services using the correct STMeet host.  So it wasn’t something that was able to be seen.  It was a combination of Tony seeing the admin entries and me having had a previous call with a server install which added ports to unwanted virtual hosts that allowed us to find it and fix it.

The ST Proxy server itself wasn’t affected because that server was running on 9082/9445 so its ports weren’t in admin_host and its virtual host therefore wasn’t ignored.

Always good to have a problem fixed and learn a ton of stuff about application behaviour at the same time 🙂

Access Denied – Me vs OS and WebSphere Security

Today I went to apply a patch to a customer’s Sametime Proxy server.  This is a server that’s been around for a few weeks.  I’ve logged into the SSC countless times in that time.  I launch Installation Manager (using “run as administrator”) and when it gets to the “sign on to SSC” part it fails saying it can’t connect.  I check the logs in /users/myname/appdata/local/temp/SSCLogs and find the error saying it can’t resolve <sschostname>:9443/console/deployment/login.  So I try that URL in a browser myself  and sure enough it does fail.

Well I can guess what that is and it’s an easy fix.  In Sametime we map virtual hosts for each application including the SSC containing the hostnames and ports used by that application.  So I went to check that the default_host virtual host used by the SSC had 9443 in it.

Go to SSC on the Deployment Manager server through a browser, try and login using my file repository account.  Login failed.  Try again. and again.  and again. and again. Type into notepad to make sure there’s no caps lock or language issues.  Failed again. This is worrying, no-one else has access right now so no-one has changed any password. I check the SystemOut.log for dmgr and there are errors in there and in the FFDC files saying Password is wrong.  OK.  No need to panic.  I’ve seen this before when Dmgr gets low on memory so first things first, let’s restart the box.  If in doubt, reboot WebSphere.  Server comes back up and still I can’t login.

OK so now I start to worry.  I go find the security.xml file in the config for the cell and decode the password stored in there (don’t ask how because I shouldn’t be able to but it’s possible).  The password says it’s what I think it is.  I really really don’t want to go down the path of changing that password even though I can disable security and do that because that’s going to have knock on effects all over the place….So – deep breath – let’s try this again from another machine.  I go to the SSC from my desktop this time instead of a browser on the DMGR server and it logs in perfectly first time using the name and password that was failing when I tried from the DMGR server.  Back to the browser on the server, login still fails.   This makes no sense.

So the issue isn’t the “wrong password” at all.  The issue is that the security on the SSC OS is preventing me logging in via a browser – I assume preventing the browser accessing the files on the file system in some way.  In addition the SSC was unable to sync any nodes or restart any servers (this was new) although it could tell status – until I restarted everything manually under my account.  This appears to be a problem with the services on the SSC accessing the file system on any of the OS even its own.  The customer is looking into all of that since the environment is tightly locked down and I can’t see anything.

When I finally got in (and yes I could use the LDAP alternative accounts I had in there) I added 9443 and 9080 to default_host under the hostname of the SSC and the Installation Manager ran fine.

Today’s lesson learned..DON’T PANIC!

 

 

 

Sametime Audio and Video Problems

This week’s Sametime PMR was a problem with Audio / Video on a newly deployed infrastructure.  This is a long blog but hopefully you’ll find it all useful. The installs all went fine and the peer to peer calling worked, which meant the clients were able to register with the proxy registrar.  However multi user or meeting video was failing.

The first thing you need to know about ST Audio / Video is that there are several moving parts – in this instance all servers are installed on SLES11

  1. Proxy Registrar / Conference Manager – in this environment both these applications are installed into one instance of STMediaServer
  2. Video Manager which is a WebSphere server installed as a standalone node (outside the SSC cell) and requires SolidDB (which the Video Manager installer places and configures)
  3. VMCU – the Video MCU which will handle the multi way video traffic via the Video Manager

The second thing you need to know – and it’s not well documented at all – is that the start order of those elements is vitally important. Start them in the wrong order and you won’t get any audio / video at all (if you check your Sametime client preferences you will not see any A/V components or options).  So what’s the start and stop order?

Start with Video Manager components

  1. Soliddb must be started first using /opt/soliddb/soliddb-7.0/bin/solid -c /opt/soliddb/soliddb-7.0/eval/standalone*
  2. Once started the Video manager can be started using the server name STMediaServer
  3. Start the Video MCU by typing  :  service soft_mcu start (also “status” and “stop”) work
  4. Start the PR/CM WebSphere server STMediaServer

To stop all elements do 4-3-2-1 in reverse

To stop soliddb type solsql then when prompted for login details use the name and password admin
issue the commands (with a semi colon at the end of each line)

admin command ‘force shutdown’;

exit;

*soliddb listens on port 2315 – you can verify it’s running or stopped by doing a netstat. On linux that’s
netstat -an | grep -i “2315”

(the solid.ini file in /opt/soliddb/solidb-7.0/eval/standalone will tell you which port is being used by the server)

The next thing you need to know is that even if it all installed perfectly you must go through the process of exchanging certificates between the PR/CM in the SSC cell and the Video Manager standalone server.  This is documented here and this is where my PMR occurred   The problem was once the certificates were exchanged we lost all video completely.  Even peer to peer.  I assumed it was a small problem, maybe my start order or I wasn’t letting everything have enough time to start but no.. the problem was that we were using a wildcard certificate.

IBM do support wildcards, they have to since the ST Advanced server and ST Proxy server must share a certificate.  Unfortunately we discovered that the underlying video software (which actually comes from Polycom licensed to IBM) doesn’t support a wildcard certificate so when I did the exchange, everything broke.  Once I knew that I reverted the Video servers (PR/CM and Video Manager) to the IBM installed certificate (since the clients don’t directly connect there) and everything started working.

I am waiting to hear back from L3 if using the mixed certificates (wildcard for ST Proxy, Meeting and Advanced and IBM installed for the Video and SSC) will present any problems but right now we are back in business with all ST features.

The IBM Support Overnight Mystery

Several days this week I have worked on a different PMR (two ST bugs one CCM more on later) with people from IBM support who have been helpful, informed and as curious about the problem as I was (or faking it really really well) . We’ve had screen shares, investigated the problem and left it at the end of day the as “escalate to L3 development”.

Then each morning I wake up to an overnight email from someone new saying they are in charge of the PMR but who has seemingly never seen the problem and is asking me to do basic stuff like send in logs or apply a patch that was already checked (and updated in the PMR) at least a day earlier.

I understand the difficulties in providing 24×7 support and I’m sure there’s an alert somewhere that gives someone a kick overnight and tells them I HAVE to be followed up even if there’s no action task back from L3. Clearly there is a process for “following up” out of hours which does exactly that and only that based on the original call. I now reluctantly set those emails to ignore , or respond asking them to read the PMR history, but I worry what customers do .

Do they run around in circles doing this repeat “make work” until someone who has read the actual updates comes in ?

Oh and two out of the three PMRs are now closed. I will blog both which are interesting and apparently a googlewhack of problems (we were the first to report) later today. :-). So thank you to everyone who worked with me on them this week.