Sametime Meeting 11.5 installation on Docker

My good friend and HCL Lifetime Ambassador Daniel Nashed already wrote a post about this topic, here.

Since in my test environment I do not have a proper domain name I had to tweak a bit some configuration settings in order to make the installation work; this can be useful if you want to setup a Meeting server inside your network using a domain like .local instead of your company real domain and hosts file instead of DNS.

The instructions in Daniel’s post are very clear, if you follow them the installation will go fine. The next step is to enable Sametime Community for Meetings
One critical thing to be aware of is this part:

Enable Windows Sametime Community server to support Meetings
Contact HCL Support for instructions to receive a required patch to allow JWT Configuration. Do not continue on Windows until this patch is in place.

Obviously I tried to configure ST Meetings without the patch, (what is a geek doing test installations expected to do ?) and it did not work. So open a case with Support and obtain that patch before setting up the Meeting server integration with Community server.

UPDATE: As per the comment from Tony Payne, the needed patch is now available on Flexnet when you download the product

What you need to do to make it work with hosts file instead of DNS is this:
Edit the file docker-compose.yml and in the sections ‘auth’ and ‘nginx’ add an “extra hosts” entry and put there the name of your community and meeting servers, like this

This is a yaml file, so be careful to use spaces and not tabs and align text correctly as in the images.
Then run the commands
docker-compose down
docker-compose up -d

to restart the server

Many thanks to the Sametime Wizard, Tony Payne from HCL ,for helping me with this.

Andrea Fontana 1964 – 2020

This is a post I would have never wanted to write.

As many of you know by now, our friend Andrea Fontana tragically passed away in an accident with his motorcycle last saturday, Aug 15.

I have been knowing him since the mid 90’s, when I was working in Lotus and he was working for a Business Partner. What started as a professional relationship soon turned out in a friendship and later in the 10’s when I left IBM we worked together quite a lot. He moved near Milano and we met often with the families.

In 25 years we made a lot of things together, so I could tell you lots of stories about him, but I simply can’t right now; I am still devastated by the loss of Andrea and can’t put my thoughts together. In any case I don’t think is necessary, anyone in our community that got to know him knows well the kind of person he was. He was appreciated and loved by anyone that had the opportunity of knowing him, not for his technical skills, which were excellent, but for his humanity.

This picture was taken at the Ice Bar in Stockholm, when we went to Social Connections 7; it was the first community event he spoke at and the beginning of his friendship with many members of our community.

I will be speaking at DNUG47ONLINE

My session is “Setting up Jitsi authentication and customization”. July 2 at 16.30.
You can find the agenda of all the sessions here

Use a SSL certificate for the Sametime Proxy – a very easy way

By default when you install Sametime Proxy 11 it will use self signed certificates. My peer HCL Ambassador Ales Lichtenberg has written a blog post, here, about how to use a CA issued certificate. In his article he uses the .pem format for the certificates; I found there is another way to do this using the pfx format for certificates.

Once you have the pfx file, and the relative password, is very easy to configure Tomcat to use it. Open the server.xml file in the sametimeproxy\conf directory, edit it and change the connector stanza from this:

port=”8443″ maxThreads=”200″
scheme=”https” secure=”true” SSLEnabled=”true”
keystoreFile=”conf/stproxy.keystore” keystorePass=”samet1me”
clientAuth=”false” sslProtocol=”TLS”/>

to this

port=”8443″ maxThreads=”200″
scheme=”https” secure=”true” SSLEnabled=”true”
keystoreFile=”YOURCERT.pfx” keystorePass=”YOURPASS” keystoretype=”PKCS12/”
clientAuth=”false” sslProtocol=”TLS”/>

Using certificate in pfx format makes the configuration much easier, as you see; there is no need to import anything, just modify the server.xml

Sametime 11 commonly faced issues

HCL had a webinar on Sametime 11 and they talked about some of the most commonly faced issues. If you have not attended the webinar, here is the presentation, the last slides are referring to the issues.

Sametime 11 integration with Jitsi – allow guest access

In my previous post here I described how to set up a Jitsi server using the Domino directory as LDAP. That setup required all the users to authenticate before joining a room.

A customer of mine wanted a different thing, he wants to do video meetings with people external to his organization, that obviously are not listed in the Domino directory. I did some research and in the Jitsi forums I saw some other people have done something on that topic, so in the end I came up with a solution.

The idea is this, an user need to log in to create a new room while a guest has only to click on the room link to access it without any authentication.

NOTE: to make this work you should do a apt update and apt upgrade to receive the latest version of the packages used. At first for me this was not working but after the upgrade it did.

1) Go in /etc/prosody/conf.avail, you will see a file with your hostname and the extension.lua. In my case the server is named
Edit it and at the end of the file add this

VirtualHost ""
        authentication = "anonymous"
        allow_empty_token = true
        c2s_require_encryption = false

2) Then edit the file /etc/jitsi/meet/ and add a domin for anonymous.

hosts: {
        // XMPP domain.
        domain: '',
        anonymousdomain: '',

3) Add this line in the /etc/jitsi/jicofo/ file

Now when a user access the server and create a room he is asked for credentials

All the other users can then join without being asked for credentials once the room is created.

If you set up two Jitsi servers, you can easily use both the solutions I described if you want to have internal users to authenticate and at the same time allow guest access. Use a server for internal meetings and the other for external ones. The Sametime web client can be configured with more than one external service provider. Unfortunately the Sametime connect client can not, you can define only one provider.

Sametime 11 integration with Jitsi. An easy solution to use video-conferencing now

I have worked with my friend and fellow HCL Master Detlev Poettgen in setting up a solution to allow customers to use video-conferencing now, while we wait for Sametime Meetings to ship.

We have used Jitsi, the same technology used by Sametime meeting, and set up a raw integration. Is obviously not  a fully integrated solution, but it works pretty well.

This is something useful for those customers who don’t want to use cloud services like Zoom or Webex or others, but prefer to have a completely on-premise solution, and I have more than one of this kind of customers.

To use this integration, change the preferences in the Sametime client and define an external meeting provider, using a room on the Jitsi server

The same for the web client

Installation and configuration of Jitsi

The first thing to do is to install Jitsi on Ubuntu server 18.04. You can find the instructions here

By default Jitsi does not use authentication, when you set up a Jitsi server, everyone who can access it can create a room or join an existing room.

There is the option to use LDAP for authentication, and I successfully set it up using Domino 11 as LDAP server.

I used the LDAP authentication for jitsi-meet via cyrus/saslauthd

At first, you need to install the following packages:

apt install sasl2-bin libsasl2-modules-ldap lua-cyrussasl

Then go in /etc/prosody/conf.avail, you will see a file with your hostname and the extension.lua, in my example the server is named

Edit it and change the authentication to cyrus and add the auth_cyrus to modules_enabled.

You also have to add the config options

    cyrus_application_name = “xmpp”

    allow_unencrypted_plain_auth = true`

as well.

The file should now be looking like this:

VirtualHost ""

        -- enabled = false -- Remove this line to enable this host

        authentication = "cyrus" 

        -- Properties below are modified by jitsi-meet-tokens package config

        -- and authentication above is switched to "token"



        -- Assign this host a certificate for TLS, otherwise it would use the one

        -- set in the global section (if any).

        -- Note that old-style SSL on port 5223 only supports one certificate, and will always

        -- use the global one.

        ssl = {

                key = "/etc/prosody/certs/";

                certificate = "/etc/prosody/certs/";


        cyrus_application_name = "xmpp"

        allow_unencrypted_plain_auth = true 

        speakerstats_component = ""

        conference_duration_component = ""

        -- we need bosh

        modules_enabled = {



     "ping"; -- Enable mod_ping






        c2s_require_encryption = false

Configure saslauthd

Create the file /etc/sasl/xmpp.conf. If the folder sasl do not yet exist, create it.

Paste the follwoing inside the xmpp.conf:

pwcheck_method: saslauthd

mech_list: PLAIN

Now create /etc/saslauthd.conf and add the following. Replace the IP with yours, as well as the search base and the Bind user/password!

ldap_servers: ldap:// ldaps:// 

ldap_search_base: o=eld

ldap_bind_dn: cn=Roberto Boccadoro,o=eld

ldap_bind_pw: password

ldap_filter: (mail=%u*)

ldap_version: 3

ldap_auth_method: bind

Important note on ldap filter:

At the first try I used ldap_filter: (mail=%u) but it didn’t work

Use ldap_filter: (mail=%u*)  note the * direct after the %u, and tell your users to enter the portion before the @ sign of their mail address.

Now edit the /etc/default/saslauthd file:

  • Change START to yes
  • Change MECHANISMS to ldap
  • Change MECH_OPTIONS to /etc/saslauthd.conf

and restart the service with service saslauthd restart. You also have to restart prosody now with service prosody restart.

Add prosody to the sasl group by executing the command usermod -aG sasl prosody.

Once you do this configuration, the users accessing your jitsi server will be asked for authentication before joining or creating a room.

Sametime 11 FP1 upgrade. A couple of things I found

Sametime 11 FP1 has shipped, so me and my fellow Master and friend Matteo Bisi started upgrading our test servers immediately.
We found a couple of thing you may want to be aware of in order to upgrade successfully.

Upgrading the Community server on Linux
Matteo did a upgrade of ST to FP1, but for whatever reson it failed. He had 23 file starting with st* in the data direcory instead of 40. So he did a uninstall of Domino and installed it again.
When trying the upgrade of Sametime he got this error

The problem is due to the fact that in the directory /var, there is a hidden file named .com.zerog.registry.xml. I looked into that file and found that it contained the information about Sametime 11 FP1

registry install_date="2020-03-10 11:26:39" version="1.1" last_modified="2020-04-09 09:41:28">

<product name="HCL Domino" id="0e1cb10d-1f39-11b2-8202-e8e16a17fbf8" upgrade_id="0e1cb10e-1f39-11b2-8202-e8e16a17fbf8" version="" copyright="2018" info_url="" support_url="" location="/opt/hcl/domino/notes/11000000/linux" last_modified="2020-04-09 09:41:28"

<product name="HCL Sametime Server 11.0 FP1" id="17cc219c-1f40-11b2-8e97-ef3209dd0f10" upgrade_id="a63c37b2-1f3f-11b2-af58-ef3209dd0f10" version="" copyright="2019" info_url="" support_url="" location="" last_modified="2020-04-08 23:05:50">

I told Matteo to remove all the lines relative to Sametime in the file so that it looked like this
After that, the installation of FP1 was successful

Upgrading Sametime Proxy on Windows
When you unzip the file you will see that it contains a directory “sametimeproxy”.
Do not extract it where you already have your SametimeProxy overwriting the content. Extract it in another temporary directory.
From that directory launch install.bat; accept the license and in the following screen you will see this

The installer will recognize there is already a ST Proxy installed and ask you if you want to upgrade. If you select to do it, you will be asked where is it installed

Specify the directory where is your existing ST Proxy
This will upgrade your proxy server keeping the existing configuration.

Sametime 11 – What to do if person pictures don’t show in the web client

I wrote a post explaining what to do to have user pictures show in the Sametime classic client and in the Sametime web client, here .

In a case, I found that the pictures did not show in the web client, so I opened a case with HCL Support. After debugging the problem, the great Trevor Tallackson found that my browser was trying to open a file that had a _tmp in the name

while on his server it was requesting the correct file with a .jpg extension

The solution is to delete the content of the temporary directory that the Sametime Proxy uses to store people pictures.
After doing that, I logged in again from the web client and the pictures were shown correctly.

Sametime 11 – Enabling person photo in the client

If you want to enable photos in the Sametime client, there is documentation available, unfortunately it all refers to versions 9 or 10, where it was told to use the Sametime Console. Now in version 11 the Sametime Console does not exist, so how do you do that ? The Sametime Console wrote the settings selected in a series of XML configuration files, so the only way now to work is manually edit those files, see for example my previous post on enabling file transfer.
With the help (again) of the excellent Trevor Tallackson from HCL I was able to set up the pictures in Sametime, here is how to do it

First add the picture URL in the person document in the Domino directory

Now edit the file UserInfoConfig.xml located in the Domino program directory and add those lines
<Detail FieldName="PhotoURL" Id="PhotoURL" Type="text/plain"/>
<Detail FieldName="PhotoURL" Id="ImagePath" Type="text/plain" />

in the section <Details>
Add these two Detail Ids to the <ParamsSets> section
<Set SetId="0" params="MailAddress,Name,Title,Location,Telephone,PhotoURL,ImagePath,Company"/>
<Set SetId="1" params="MailAddress,Name,Title,Location,Telephone,PhotoURL,ImagePath,Company"/>
These are needed because in the UserInfoConfig.xml file on the Sametime Community server, the Standalone Connect client and Embedded require ImagePath string detail, Mobile and Web clients require the PhotoURL detail

Note: do not copy/paste from above. I had reports it does not work well. Just add PhotoURL and ImagePath to the params= line.

Now check the UserInfo servlet according to the instructions here
You should see something like this

For me it was not working initially, then Trevor wrote me this:
Looks like the stconfig.nsf “UserInfo” document is getting in the way here. Add the following to your UserInfoConfig.xml file between <UserInformation> and <Resources>
<ReadStConfigUpdates value= “false”/>
This tells the UserInfoServlet to only use the UserInfoConfig.xml configuration.

Restart the server and now you have pictures in Sametime client