Sametime WAS Proxy Stops Working

I’ve had an interesting system down call with an existing Sametime 9.0.1 customer in the past week.  The environment is over 18 months old and consists of every server component in single instances including ST Proxy, Meetings, ST Advanced and all Media components.  The media components were added in Dec 2015 and everything has been fine. The Meeting and Proxy servers both have WAS proxies in front of them to handle traffic over port 80 / 443 separately.  Last week the Meeting node was restarted and the WAS Proxy stopped working.  It would load.  The Meeting server was responding on its own application ports to http(s)://hostname:9080 / 9443 both worked but http(s)://hostname failed with

503 Service Unavailable

The WAS Proxy server showed started.  There were no errors in the logs for that or the ST Meeting server.  Not all WAS proxies were broken because the one in front of the ST Proxy server worked.  In short that error suggests that the Meeting server is offline when we knew it wasn’t and since there isn’t any real configuration for the WAS Proxy other than what node it points to – there was nothing to troubleshoot.  I tried deleting and recreating the WAS Proxy a few times, I tried switching it to use alternate ports 81/444, nothing would fix it.

It took a few days and some combined effort to find.  The WAS team wanted us to upgrade to WAS fixpack 5 but that would mean upgrading 8 working servers in the hopes of fixes one WAS proxy.  There was a suggestion that since the Meeting server was a single, not a cluster, I could just change the Meeting server ports to use 80/443 instead of 9080/9443 and do away with the WAS proxy entirely.  That would get rid of the problem but not fix it, just circumvent it.  I wanted to fix it and find out why it happened.

I had checked the virtual hosts to make sure the hostname / port combination was in the stmeet host and wasn’t anywhere else and discovered that in default_host new wildcard port entries had appeared for ports 80 and 443.  I had already deleted those but that didn’t fix the problem.  How did those port entries appear ? I’ve seen this before when you install new ST servers (as we did with Media in Dec) it come sometimes write virtual host entries to the wrong places.  In fact that was my first guess but after I removed those entries from default_host and it still didn’t fix the problem I was out of ideas.  Then Tony Payne from IBM spotted that the admin_host virtual host which is only used by the SSC had the ports 9080 and 9443 in it when it should only have 8700 and 8701.  Again I assume these were added by the previous server installs and of course I never went to look there because the Meeting server was specifically set to use the STMeet host.

I removed those extra ports from the admin_host virtual host definition and restarted the Meeting node and servers (clearing the temp directories first \profilename\temp and \profilename\wstemp as well as \profilename\config\temp) and that fixed the problem.

So why was the presence of those two ports 9080/9443  (used by the ST Meeting server) that were in a virtual host the ST Meeting server doesn’t even use causing the WAS Proxy to break? Why didn’t the Meeting server itself break and why didn’t the ST Proxy Server which also had a WAS proxy in front of it break?

Turns out that no matter what virtual host mapping you have in place for applications, in Sametime the code checks the admin_host and if a port appears there – it silently disables looking up any other host.  The fact that the Meeting server ports appeared at all in the admin_host meant that the STMeet host was being ignored and the WAS Proxy had no way to direct the traffic.

Unfortunately none of that is visible in the logs or in debug logs which all reported the servers and services using the correct STMeet host.  So it wasn’t something that was able to be seen.  It was a combination of Tony seeing the admin entries and me having had a previous call with a server install which added ports to unwanted virtual hosts that allowed us to find it and fix it.

The ST Proxy server itself wasn’t affected because that server was running on 9082/9445 so its ports weren’t in admin_host and its virtual host therefore wasn’t ignored.

Always good to have a problem fixed and learn a ton of stuff about application behaviour at the same time 🙂

Access Denied – Me vs OS and WebSphere Security

Today I went to apply a patch to a customer’s Sametime Proxy server.  This is a server that’s been around for a few weeks.  I’ve logged into the SSC countless times in that time.  I launch Installation Manager (using “run as administrator”) and when it gets to the “sign on to SSC” part it fails saying it can’t connect.  I check the logs in /users/myname/appdata/local/temp/SSCLogs and find the error saying it can’t resolve <sschostname>:9443/console/deployment/login.  So I try that URL in a browser myself  and sure enough it does fail.

Well I can guess what that is and it’s an easy fix.  In Sametime we map virtual hosts for each application including the SSC containing the hostnames and ports used by that application.  So I went to check that the default_host virtual host used by the SSC had 9443 in it.

Go to SSC on the Deployment Manager server through a browser, try and login using my file repository account.  Login failed.  Try again. and again.  and again. and again. Type into notepad to make sure there’s no caps lock or language issues.  Failed again. This is worrying, no-one else has access right now so no-one has changed any password. I check the SystemOut.log for dmgr and there are errors in there and in the FFDC files saying Password is wrong.  OK.  No need to panic.  I’ve seen this before when Dmgr gets low on memory so first things first, let’s restart the box.  If in doubt, reboot WebSphere.  Server comes back up and still I can’t login.

OK so now I start to worry.  I go find the security.xml file in the config for the cell and decode the password stored in there (don’t ask how because I shouldn’t be able to but it’s possible).  The password says it’s what I think it is.  I really really don’t want to go down the path of changing that password even though I can disable security and do that because that’s going to have knock on effects all over the place….So – deep breath – let’s try this again from another machine.  I go to the SSC from my desktop this time instead of a browser on the DMGR server and it logs in perfectly first time using the name and password that was failing when I tried from the DMGR server.  Back to the browser on the server, login still fails.   This makes no sense.

So the issue isn’t the “wrong password” at all.  The issue is that the security on the SSC OS is preventing me logging in via a browser – I assume preventing the browser accessing the files on the file system in some way.  In addition the SSC was unable to sync any nodes or restart any servers (this was new) although it could tell status – until I restarted everything manually under my account.  This appears to be a problem with the services on the SSC accessing the file system on any of the OS even its own.  The customer is looking into all of that since the environment is tightly locked down and I can’t see anything.

When I finally got in (and yes I could use the LDAP alternative accounts I had in there) I added 9443 and 9080 to default_host under the hostname of the SSC and the Installation Manager ran fine.

Today’s lesson learned..DON’T PANIC!




Sametime Audio and Video Problems

This week’s Sametime PMR was a problem with Audio / Video on a newly deployed infrastructure.  This is a long blog but hopefully you’ll find it all useful. The installs all went fine and the peer to peer calling worked, which meant the clients were able to register with the proxy registrar.  However multi user or meeting video was failing.

The first thing you need to know about ST Audio / Video is that there are several moving parts – in this instance all servers are installed on SLES11

  1. Proxy Registrar / Conference Manager – in this environment both these applications are installed into one instance of STMediaServer
  2. Video Manager which is a WebSphere server installed as a standalone node (outside the SSC cell) and requires SolidDB (which the Video Manager installer places and configures)
  3. VMCU – the Video MCU which will handle the multi way video traffic via the Video Manager

The second thing you need to know – and it’s not well documented at all – is that the start order of those elements is vitally important. Start them in the wrong order and you won’t get any audio / video at all (if you check your Sametime client preferences you will not see any A/V components or options).  So what’s the start and stop order?

Start with Video Manager components

  1. Soliddb must be started first using /opt/soliddb/soliddb-7.0/bin/solid -c /opt/soliddb/soliddb-7.0/eval/standalone*
  2. Once started the Video manager can be started using the server name STMediaServer
  3. Start the Video MCU by typing  :  service soft_mcu start (also “status” and “stop”) work
  4. Start the PR/CM WebSphere server STMediaServer

To stop all elements do 4-3-2-1 in reverse

To stop soliddb type solsql then when prompted for login details use the name and password admin
issue the commands (with a semi colon at the end of each line)

admin command ‘force shutdown’;


*soliddb listens on port 2315 – you can verify it’s running or stopped by doing a netstat. On linux that’s
netstat -an | grep -i “2315”

(the solid.ini file in /opt/soliddb/solidb-7.0/eval/standalone will tell you which port is being used by the server)

The next thing you need to know is that even if it all installed perfectly you must go through the process of exchanging certificates between the PR/CM in the SSC cell and the Video Manager standalone server.  This is documented here and this is where my PMR occurred   The problem was once the certificates were exchanged we lost all video completely.  Even peer to peer.  I assumed it was a small problem, maybe my start order or I wasn’t letting everything have enough time to start but no.. the problem was that we were using a wildcard certificate.

IBM do support wildcards, they have to since the ST Advanced server and ST Proxy server must share a certificate.  Unfortunately we discovered that the underlying video software (which actually comes from Polycom licensed to IBM) doesn’t support a wildcard certificate so when I did the exchange, everything broke.  Once I knew that I reverted the Video servers (PR/CM and Video Manager) to the IBM installed certificate (since the clients don’t directly connect there) and everything started working.

I am waiting to hear back from L3 if using the mixed certificates (wildcard for ST Proxy, Meeting and Advanced and IBM installed for the Video and SSC) will present any problems but right now we are back in business with all ST features.

The IBM Support Overnight Mystery

Several days this week I have worked on a different PMR (two ST bugs one CCM more on later) with people from IBM support who have been helpful, informed and as curious about the problem as I was (or faking it really really well) . We’ve had screen shares, investigated the problem and left it at the end of day the as “escalate to L3 development”.

Then each morning I wake up to an overnight email from someone new saying they are in charge of the PMR but who has seemingly never seen the problem and is asking me to do basic stuff like send in logs or apply a patch that was already checked (and updated in the PMR) at least a day earlier.

I understand the difficulties in providing 24×7 support and I’m sure there’s an alert somewhere that gives someone a kick overnight and tells them I HAVE to be followed up even if there’s no action task back from L3. Clearly there is a process for “following up” out of hours which does exactly that and only that based on the original call. I now reluctantly set those emails to ignore , or respond asking them to read the PMR history, but I worry what customers do .

Do they run around in circles doing this repeat “make work” until someone who has read the actual updates comes in ?

Oh and two out of the three PMRs are now closed. I will blog both which are interesting and apparently a googlewhack of problems (we were the first to report) later today. :-). So thank you to everyone who worked with me on them this week.

Sametime Trusted IPs – A Problem That Won’t Go Away

Every since Sametime 8.5.2 was released I have seen a continual problem with Sametime trusted ips that  is still there in Sametime 9.0.1.  The issue is that the trusted ips list (which tells the Community Server which server ips to accept connections from) is now entered into the Sametime System Console in WebSphere and not directly into the CommunityConnectivity document in stconfig.nsf.  This means that since 8.5.2  the trusted ips in the Community Server configuration in WebSphere are then written to the Domino document at intervals.

So what’s the problem?  Well when WebSphere writes the list of trusted ips into the Domino document, it does so as a string, not as a list.  A small thing but that means when the Community server restarts the trusted ips don’t work as what Sametime sees is a long string instead of multiple values.  To fix this I wait until WebSphere has updated and then open and save the CommunityConnectivity document which refreshes and parses the string with commas in it into a list (since the field is a multi value list field anyway Domino is smart enough to do that).

Of course I then have to restart the server. Below are the examples of what I mean, first how WebSphere writes the values and secondly how Sametime needs to see them written.

How WebSphere Writes The Values

How WebSphere Writes The Values

How Sametime Wants To See The Values

How Sametime Wants To See The Values

I first opened a PMR on this back in 8.5.2 days and have tried occasionally since then  to open others but never got very far (around the time I am explaining Domino multi value fields to someone in China I lose the will to live). It always occurs if I have several ips to enter, not so much if there is just one or two.  The annoying thing is remembering to check every time I make any change to the Community Server configuration (which isn’t often once it’s setup).  Anyway, this has been my built in workaround for 3 years, it’s not hard and I know one of two other people out there have seen this too so here’s my “fix”…..

Choose Your Installation Manager Carefully….

In both Sametime and Connections builds I have come across customers installing different versions of Installation Manager than that recommended or supplied with the product. The ST and Connections apps are both 32bit so although they will install under a 64bit version of Installation Manager, you will get a warning about it being 64bit.  Don’t ignore that.

There’s no advantage to you choosing 64bit Installation Manager over 32bit on a 64bit platform and worse, since it manages all your installs, if you discover it’s a problem later you can’t fix it because you can’t uninstall it without uninstalling everything it installed itself.  I did a workaround at a customer  I was brought into once where we renamed the IM folder and installed a new 32bit version to make sure ST Media Manager would install but that’s a fudge.

Do yourself a favour, you can’t go wrong with 32bit 🙂