I sit here at my desk with a somewhat vexing issue. You see, we are a Blackberry standard shop. By being so, it does offer some simplification in how we support our infrastructure from a support and security point of view. However, we are also in the midst of an ERP refresh, that does have some challenges with that mobile platform choice. One of those choices is the iPhone. Now the iPhone is a great device, with some distinct comparative limitations. I am choosing to speak about one of those limitations, Sametime usage from the device.

Traveler does a very nice job of messaging, calendaring and contact management, with also offering a nice vertical in terms of support and deployment with our existing Domino environment. Missing though is the same ease of deployment of Sametime collaboration. Yes, I do know about the new v8.x Sametime server, but the investment support in such a back-end infrastructure to support mobile devices is not there for a company our size.

So I ask the regular readers of this site, do you know of any clients for IOS that will function with Sametime v7/v8? Without requiring a large back-end investment?

Sametime Business Cards … Who Wants To Upload Their Picture?
  

Following a post I wrote a few weeks ago about Sametime Pictures and another here about a security issue with the Sametime Business Card feature, someone asked via the comments if I could post my code that I used to resize and upload the pictures in our Domino Directory. The short answer was “sorry, no”. For various reasons I cannot post the code of the agent that I wrote for my company because it does various other things and even pulls data from other sources that wouldn’t matter much to anyone else but us.
   

However, I gave this some thought and I decided to write a small agent that can be called by employees from the Actions menu of the Domino Directory to upload their own picture. And, since I said that I’d try to write a blog post about this, here’s the result.
   

Before You Start – You Need To Setup The Business Card Feature!
  

Before you start thinking about using this agent to allow people to upload their own picture into your Domino Directory, you need to make sure that your Sametime server is configured correctly to pull the pictures from the right place using the right field name and data type. I won’t go into details here because Lotus has written Technote #1244204 on the matter which I used to setup our own Sametime 7.5 server to “see” the jpegPhoto field correctly. Basically speaking, you need to add “:binary” to the photo field of the Business Card configuration screen … which is weird if you ask me.
  

Keep in mind that we have not upgraded our servers to Sametime 8.5 yet (way too scary for now … but we might go with the “classic” edition later down the road) so you’ll need to look somewhere else for the “how to make sure it’s configured properly” if you are using Sametime 8.5 servers.
  

The Good Stuff: A Bit More About The Agent
   

Well, right away, I need to mention that the agent is in Java. Yep, Java. Scary isn’t it? It’s in Java because that programming language has classes that can resize an image built right into it. And because of that, it means that employees don’t need to install anything on their computers to resize the 10 mega-pixel picture they are trying to upload.
  

Also keep in mind that I’m very rusty when it comes to Java so, although the agent does the trick for me, feel free to revamp it to make it better. In fact, you might find the code a bit “procedural” and not very fancy in terms of “object oriented-ness” but hey, it does the trick. Also, keep in mind that image resizing techniques in Java are a dime a dozen on the Intertubes and I used the most basic method I could find (you can read more about the method here on Java.net but I tweaked it to suit my needs).
   

How to Use The Agent
   

Well, first and foremost, you need to download the code below and create the Java agent in your own Domino Directory that can be called from the “Actions” menu. I called my agent “Import Picture”. 
  

Once you have created the agent, any employee that opens the Domino Directory can select his/her name can then click on “Actions -> Import Picture” (or whatever name you gave the agent). When the agent starts, it does a check to make sure that the employee has only 1 “Person” selected but it does not check to make sure that it’s the employee’s very own document that’s selected. So, “buyer beware”: they’ll get a nice error if they try to upload a funny picture into someone else person document (unless you’ve set your Domino Directory ACL wrong and anybody can modify everyone else person doc in there … if that’s the case, you have bigger things to worry about than someone uploading a picture of someone else passed out drunk on his lawn).
  

Anyhow, if the employee has a person document selected, they’ll then be prompted to select a file with a “JPG” extension from their hard drive. Yes, a file with a “JPG” extension. Not “JPEG”. Not “GIF”. Not “BMP”. I need a ”JPG” file. Sure, I could have updated the code to work around this but I wanted to keep it simple.
  

It’s important to note that the picture that the employee selects has to be on their own computer (or on a network share that they have “write” access to) because the code will create a resized copy in the same location as the original file. In other words: they’ll get another nice error if they selected a picture on a network share that they only have “read” access to.
 

Once the jpg file is selected, the code will kick-in and create a copy of the selected image resized to a width of 100 pixels (it will keep the aspect ratio). You can modify the code to resize them smaller or bigger but 100 pixels seems a good compromise between the “look & feel” of the Sametime Business Cards vs. how much more data the Domino Directory has to store. In fact, I think that the Business Cards feature re-downsizes the pictures to 90 pixels but I could be wrong.
   

Once the image is resized, the code checks to make sure that the resized picture is not bigger than 20 000 bytes because that kills the Sametime Business Card feature (read more on that topic on the excellent blog of Mr. Vladimir Kocjancic in his post here).
   

At that point, if everything is ok, the resized picture gets inserted into the hidden “jpegPhoto” field on the person document. That field is not visible on the UI so employees cannot “see” the results when they open their own person document in the Domino Directory. However, they can right-click on their entry in their Sametime Contact list and select “Refresh Business Card” to see their new picture.
   

So, Where’s the Beef … err, Where’s The Code?
   

Well, here you go… the code of the agent is attached below. Simply click on it to download the code to your hard drive. Once you have it, import it into a new Java agent that can be called from the Actions menu in your Domino Directory and test it out in your test environment first before moving this production.
  

The Usual Disclaimers …
  

Well, as usual, I have to do a bit of CYA: if you decide to use this code, test it in your test environment 1st. It works for me but you need to make sure it works fine in your own environment before moving it production.
  

Also, if you are a Java guru, please review the code to see if you can improve it. And if you can: please post the updated code on your own blog (you are blogging right?).
   

Parting Words …
  

Oddly enough, this is only blog post in April (so far) … it’s been an insanely busy month (which included a business trip to New Jersey). I have no idea where time went but I haven’t been able to keep up with everything so blogging took a back seat up to this weekend. Hopefully, things will quiet down and I’ll be able to post things more often.
   

Thanks for reading!
   

Marc

Ever since I got the Sametime Business Cards pictures to work …
   

… I’ve started to receive a steady stream of calls from people asking me (a) ”why” their picture is there now and (b) how to update it. Today is not an exception and I got 1 call from someone asking me the usual questions … but this time the picture was not being pulled from the usual place.
   

Here’s the phone call I got …
   

[Phone Rings]

1. Marc [answers] – “Marc speaking, how can I help?”

2. Sales Rep – “Hi Marc, can you remove my picture from Sametime?”.

3. Marc [replies] – “Why”?

4. Sales Rep – “Check this out”.

5. [sound of email typing ...].

6. [new mail sound].

7. Marc [looks at email] – “Well, Mr. X, this is interesting (see modified version below)… that’s not the kind of picture HR would upload … let me check a few things… ”
   

Seriously, Where’s that Picture Coming From?
  

So, I checked the main database where our pictures are stored (an HR database). There was no picture for that employee in there. The pictures from the HR database are exported, resized and re-imported into the Domino Directory by an agent that I wrote so this is why I looked in there first.
   

I then checked the Person doc of the employee in the Domino Directory. There was no jpgPhoto field on his document. That confirmed that he never had a picture in the HR Database.
  

At this point, I was puzzled. But as I looked back at the picture, I thought it was funny looking. It looks like he’s mid sentence trying to grab his phone back … and that’s when I remembered that he’s a BlackBerry user.
   

So, I asked him to check in his Personal Address Book (names.nsf on local) for an entry with his name in it. He said that “Yes”, he had an entry for himself which he keeps some personal notes into. His entry also has his email address in it. He opened it up and … presto, there was the picture.
  

He promptly removed the picture from his own entry in his Personal Address Book, saved it and then right clicked on his name in his Sametime Contact list and selected “Refresh Business Info” … a few seconds later, the picture was gone.
  

That’s it … that’s all.
  

So it looks like the Sametime Business Cards feature in Sametime does a lookup on local first and if it finds a match on your email address, it will pull up that picture 1st. Interesting…
   

Addendum …
  

After we got his picture removed, I asked him if he remembered where that picture had been taken. Mr. X told me that it was taken during “one of those nights at the bar” during a Sales Meeting by another sales rep who had grabbed his phone on the table and started to take pictures … so that explains it.
   

Thanks for reading!
  

Marc

Summary …
  

While working on getting the Business Card feature to work correctly, I discovered that I was able to access the UserInfoServlet on my Sametime server without having to provide any credentials and “see” what Business Card information would be returned for me, Patrick and anybody in our company.
  

The important keywords here are “without having to provide any credentials”. After digging a bit more, I discovered that I could reproduce the same results when I accessed the internet facing Sametime servers of other companies. With this, I was able to get one of the phone number another famous blogger of the Yellowverse (one who happens to be a pilot to give you a hint) and the location of a famous speaker at Lotusphere (one who likes Turtles to give you another hint).
   

This. Is. Not. Good. 
  

The Problem …
 

The Sametime Business Card feature, introduced a while back, works by having the Sametime server call a servlet called “UserInfoServlet” in the servlet directory. Mr. Mikkel Flindt Heisterberg has written a very nice, and detailed, blog post (here) titled “Reverse engineering the Sametime 7.5 business card servlet” to help us all understand how that servlet works.
  

The information from Mr. Heisterberg’s blog is especially useful, for example, when you are setting up your Sametime Server and fiddling with the Business Card feature. Why? Simply because you can troubleshoot and test what the Business Card will display by accessing a URL like this:
  

http://st.uu.com/servlet/UserInfoServlet?operation=3&userid=rincewind
   

And here’s the catch 22: if your Sametime Server is configured to allow anonymous access so that your employees can have Sametime meetings with other people from the outside, the server will give you the info about that user without asking for any credentials whatsoever.
  

So, now that you know this, what’s stopping you from doing a Google search on “Welcome to IBM Sametime”, finding a server which allows anonymous access, doing a cross-check in the company’s “Contact Us” page or forums to find the CEO’s name and hitting that URL to get his phone number after a few trials and errors to get his user id right?
  

Answer: nothing is stopping you.
   

The Fix That Lotus Recommends …
   

Well, I thought I had a security issue on my server so I did what I always do: I opened a PMR with Lotus Support. After going back and forth in emails with a support rep, he said that the only solution he could think of was to put in a firewall restriction on any url with “servlet/UserInfoServlet?” in the URL. When I asked if that would break the Sametime Business Card lookups, the answer I got was “Most of the our clients do not send the information directly via HTTP directly to the HTTP server. We use the VP channel via 1533. In this case we send this information to the Sametime server which then uses this request to format the URL to call to the userinfoservlet and send this request to lookup names. In this case if you denied external HTTP access to the server, other calls (browser based) would be denied, but the client based calls should still go through.“.
  

Apart from that, he wrote that there no other solutions yet. Since there was no other solutions, he created an SPR for a future release (the SPR # is MALN82QM5M).
       

Now, just to make sure that I wasn’t crazy, I emailed Mr. Mikkel Flindt Heisterberg and he quickly replied back to me that, “yes”, this could be a potential issue depending on your viewpoint and that “yes”, the firewall workaround would be a good workaround for now. Mr. Heisterberg also mentioned in his reply that ”the servlet specification doesn’t provide any access control in the same way we’re used to with Notes and Domino so unfortunately protecting the servlet is not as easy as “just adding access control”. It will also make getting business card data from Sametime more complex.”.
  

The Temporary Fix … Until your Firewall Guys Put the Rule in Place … 
  

Since most of my firewall experts are snowed-in and currently digging their way out of their own house, I could have decided to fiddle with the firewall myself … but I decided to go another way: I created a temporary URL redirection rule for my Sametime server to prevent access to the servlet. 
  

That’s what I did for now and here’s the exact steps on how I did it if you want to go this route …
  

01. Open the Domino Directory on your Sametime server.
  

02. Go to the server documents view and open the Sametime server  document (if I remember, internet sites docs aren’t allowed for a ST 7.5 server … but if I’m wrong and you are using Internet sites documents then open the site for your Sametime server).
  

03. Once the server doc is opened (or internet site document), click on the action button “Create Web…” and select “URL Mapping/Redirection”.
  

04. Once the new document has appeared, go to the “Basics” tab.
  

05. On the “Basics” tab, select “URL –> Redirection URL” in the “What do you want to setup” field.
  

06. Now go to the “Site Information” tab.
  

07. Enter the IP address of our server in the “IP Address” field (actually, I noticed that it’s not required …).
  

08. Now go to the “Mappings” tab.
  

09. On the “Mappings” tab, go in the “Incoming URL Path” field and type this: /servlet/UserInfoServlet*
  

10. Now, click in the “Redirection URL string” field and type this: /stcenter.nsf
  

11. Click on the “Administration” tab.
  

12. Set the Owner and Administrators field to whatever is the standard in your environment.
  

13. When ready, click on “Save & Close”.
  

14. Now go on the server console and type “TELL HTTP REFRESH”.
  

15. Once the HTTP tasks has refreshed, try to access the same url as above (change the hostname to your server name and the userid to yours) to test if it redirects you to the Meeting Center instead of handing you information about your user id.
  

 
Parting Words …
 

Keep in mind that “mileage may vary” … i.e., I want to protect this Servlet and the information it returns from the outside but maybe this is a non-issue for you. If you haven’t configured the business cards feature or if your Sametime server uses a completely different directory, maybe this is not something you need to be worried about … just keep this in mind.
       

Thanks for reading!
  

Marc

Hi everyone,

Last Saturday, Patrick had to fly back home to his family for personal reasons. I tried to call him on that day but I got transferred to voicemail almost right away. So, I was a little surprised when he emailed me at around 3:30 pm and his email was simply 1 line: ”I’m on a plane!”. Since it wasn’t written “Sent by from BlackBerry” at the bottom, I figured he was joking and using his Notes client … so I logged into Sametime.

After a small chat via Sametime he told me that he was on a flight above Nevada and was using “GoGo Wireless Internet” on the plane to get into Notes and Sametime. He said he was flying at 485 mph at 38 000 feet. How did he know? Simple: he had his automotive GPS along for the ride and he sent me this screenshot while he was over Wyoming:

So, because we were both bored (him from sitting in a plane and me from studying for my re-certifications exams all afternoon) we decided to test out a few things to see if GoGo Wireless Internet was blocking any kind of traffic.

The first thing we tried was fiddling with a Sametime Online Meeting. It didn’t work the first time: partly because I got out of the meeting room when I discovered that my Logitech QuickCam 9000 was broken. On the second try, I plugged back into my computer my old QuickCam Live for Notebook and that worked!

The only bad thing was the he didn’t have a headset that had a microphone (only headphones) with him on the plane so his laptop microphone was picking up the engine noise and I couldn’t hear him. However, if I talked, he could hear me and reply back via the group chat feature in the meeting room. The video was a bit sluggish: Patrick said there was a 15 second delay in his video but hey, it worked!

Utter nerdgasm. Or boredom. Or a mix of both?

Anyhow, after we had our fun with the Sametime Meeting room we tried a Skype Video Call and it also worked! The same “engine noise” problem drowned out Patrick’s voice but he could hear me. The video was a bit quicker in Skype … but then again the lag in the video while we were in the Sametime 7.5 meeting room might have to do with how Sametime 7.5 encodes video. Maybe we’ll get to re-try if I ever get the courage to upgrade our Sametime server to 8.5? Time will tell.

I hope you enjoyed this post …

Marc