Häufig gestellte ragen

Please note: The approach described in this document was added in v. 4.2.

User debugging consists of two elements:

1. API logging to see what traffic is being sent between the OnTime Group Calendar clients (or API) and the OnTime Group Calendar server.
2. Extended synchronization logging that  enabled to the user in question to help diagnose specific sychronization issues for a particular user. This is similar to enabling extended log in an OnTime Server Document for only for specific users and is hence much more lightweight.

Prior to v. 4.2 user synchronization logging and API logging was enabled separately and in different ways. This is now much easier to enable.

Enabling user debug for one or more users are done as follows:

1. Open the OnTime Group Calendar Configuration database.
2. Go to the "Users" view in the left hand navigator.
3. Select the user(s) to enable/disable user logging for.
4. From the action bar select "Selected/Debug/Enabled" to enable debugging and "Selected/Debug/Disable" to disable debugging.
5. A magnifying glass is shown to the right of the names where user debugging is enabled.
6. Now reproduce the issue and send the OnTime Group Calendar log database to OnTime support as arranged with us.

Remember to disable user debugging once the issue has been reproduced.

Enabling API logging enables OnTime support to see what traffic is being sent between the OnTime Group Calendar clients (or API) and the OnTime Group Calendar server. Enabling API logging is done by following the steps below:

Please note: The approach described in this document was changed in v. 4.0

1. Locate the OnTime Group Calendar Configuration database on your workspace and make sure you have the [Developer] role assigned to you in the ACL of the database. Please note that you may have to create the role if it hasn't yet been created.
2. Open the OnTime Group Calendar Configuration database.
3. Go to the "Server Settings" by clicking "Server Settings" at the top of the left hand navigator.
4. Open the server settings document for the server you will be accessing to reproduce the issue (or just open the one server settings document if you only have one OnTime Group Calendar server).
5. Bring the document into edit mode and check the "Log API Comm." check box on the lower right side of the form.
6. Save and close the document.
7. Now reproduce the issue and send the OnTime Group Calendar log database to OnTime support as arranged with us.

Remember to turn off API logging once the issue has been reproduced as having API logging enabled may affect the performance of your server.

Please note: The approach described in this document was added in v. 4.0

Enabling API logging enables OnTime support to see what traffic is being sent between the OnTime Group Calendar clients (or API) and the OnTime Group Calendar server. API logging may be enabled from the OnTime Group Calendar client to from the server. This document describes how API logging is enabled from the client. 

Web client

Opening the Web client is done through the Client database e.g. using a URL like the following:
http://demo.ontimesuite.com/ontime/ontimegcweb.nsf/web?open

To Enable API logging from the client append debug=1 to the url as follows:
http://demo.ontimesuite.com/ontime/ontimegcweb.nsf/web?open&debug=1

Notes

To enable API logging from the OnTime Group Calendar Notes client open the client and open the "OnTime" from the top menu, select the "Help" submenu and then "Enable API Log". API logging is enabled until explicitly disabled or the Notes client is restarted.

Mobile

It's currently not possible to enable API logging from the client. From v. 4.2 an option to enable API logging from the server was added.

Team-At-A-Glance

It's currently not possible to enable API logging from the client. From v. 4.2 an option to enable API logging from the server was added.

Social

It's currently not possible to enable API logging from the client. From v. 4.2 an option to enable API logging from the server was added.

No, the OnTime Group Calendar 9 series and the OnTime Group Calendar version 3 are two totally different products and therefore also have seperate license keys.

Please contact your prefered OnTime partner or IntraVision in order to retreive a new license key.

OnTime Group Calendar is fault tolerant and support clustering on Domino but please note that not all databases in the OnTime Group Calendar installation should be clustered. The API database and the Web database are only used to serve up the Web and Mobile interfaces and to temporarily store documents related to the OnTime Group Calendar API. These two databases are not designed for clustering and hence should not be clustered as it may cause the clients to fail. Whether you choose to cluster the log database is up to the customer.

You may run OnTime Group Calendar even though you are running multiple domains in your Domino environment but it does pose some additional challenges when names and groups need to be resolved. In general the only requirement that OnTime Group Calendar imposes when running in multi-domain configuration is that all the Domino Directories from the other Domino domains must be replicated to the Domino server running the admin-task. OnTime Group Calendar does not however require Directory Assistance or similar to be configured.

Configuring the multi-domain option is very simple and generally only consists of adding references to the various Domino Directory databases and mapping each to a Domino domain. This is very clearly described in the OnTime Group Calendar Installation manual.

Resolving groups

When using the multi-domain option special care needs to be taken when group names are specified. All group names may have the domain name appended to explicitly tell OnTime Group Calendar which Domino Directory to use when resolving the group. If nested groups are used they are resolved against the same Domino Directory as the parent group. If no domain is specified for a group OnTime Group Calendar will look to the group in allconfigured Domino Directory databases and resolve the group as being the combination of users from across directories.

Configuration example

Consider an Domino environment with three domains called US, EU and JP and an organizational certifier called /ACME. The OnTime Group Calendar admin-task is designated to run on the OnTimeServer/ACME server in the EU domain. To enable the multi-domain option the administrator would perform the following steps:

1. Replicate the Domino Directory for the US and JP domains to the OnTimeServer/ACME server in the EU domain.
2. In the OnTime Group Calendar configuration database enable the multi-domain option mapping each Domino Directory to the corresponding domain.
3. Make sure all groups used in the OnTime Group Calendar configuration is qualified with a domain name. E.g. the group SalesEurope from the EU Domino Directory should be SalesEurope@EU to explicitly tell OnTime how to resolve the group.

Group resolving example

Imagine the following groups from the Domino Directories mentioned above.

EU domain

• SalesEurope (members: Jane Ellen/ACME@EU, Marc Rogers/ACME@EU)
• Administrators (members: Pete Sams/ACME@EU)

US domain

• SalesUS (members: Sales@US)
• Sales (members: John Ops/ACME@US, Eileen Hums/ACME@US)
• Administrators (members: Marc Willis/ACME@US)

JP domain

• SalesJP (members: Sales@JP)
• Sales (members: Jiro Tokyo/ACME@JP, Masuru Heiku/ACME@JP)
• Administrators (members: Jiro Tokyo/ACME@JP)

Below are examples from resolving the specified group names using the Domino Directories above.

• SalesEurope (result: Jane Ellen/ACME@EU, Marc Rogers/ACME@EU)
• SalesEurope@EU (result: Jane Ellen/ACME@EU, Marc Rogers/ACME@EU)
• Administrators@JP (result: Jiro Tokyo/ACME@JP)
• Administrators@US (result: Marc Willis/ACME@US)
• Administrators (result: Pete Sams/ACME@EU, Marc Willis/ACME@US, Jiro Tokyo/ACME@JP)
  Please note: Resolved against all directories as no domain name is specified for the group and the group exists in all directories)
• Sales@US (result: John Ops/ACME@US, Eileen Hums/ACME@US)
• Sales (result: John Ops/ACME@US, Eileen Hums/ACME@US, Jiro Tokyo/ACME@JP, Masuru Heiku/ACME@JP)
  Please note: Resolved against US and JP directories as no domain name is specified for the group name was found in both the US and JP directories.

The logs are cleaned up as part of the clean-up process that runs automatically at 2am. If you want to run the log clean up on request issue the below command from the Domino Server console.

tell ontimegc cleanup

If you experience only having the default legend color on all appointments in OnTime Group Calendar user interfaces but have legends in the OnTime Group Calendar Configuration database a database setting may be the cause. To resolve it please beform the following steps:

1. Open the database properties on the OnTime Group Calendar Configuration database.
2. Go to the last tab ("the beanie").
3. Verify that the 'Don't support specialized response hierachy' property is NOT set. If it is this is the cause.
4. Untick the property.
5. Close the database
6. Terminate the OnTimeGC task on the Domino Server console (tell ontimegc quit).
7. Delete all Legends from the OnTime Group Calendar Configuration database.
8. Fetch the Default Legends by pushing the 'Deefault Legends' button (top right corner of the Legends view).
9. Verify that nobody has the OnTime Configuration database open and run a copy-style compaction on the database (load compact -c <path  to database>'). Please note: Since the database may be in use you may have to flush dbcache or similar to make the compact work (dbcache flush).
10. Load the OnTime task (load ontimegc)
11. Run FullSync on all users

If the above steps doesn't resolve the issue please contact OnTime support.

Please note: If you are using the servlet to improve performance for HTTP based calls the below information is not applicable.

There are a few Domino Server settings that needs to be set to make sure OnTime Group Calendar runs as smoothly as possible. These are listed below.

Concurrently web agents

On the server document in the Domino Directory on the "Internet Protocols/Domino Web Engine" there is a setting called "Run web agents and web services concurrently?" that needs to be enabled. This setting is disabled by default and restricts Domino from running the same agent concurrently.

Authentication

The OnTime Group Calendar web interface only supports form based authentication also known as "Multiple Servers (SSO)". Whether you use LtpaToken or LtpaToken2 is up to you.

Available from v. 4.6

If you require outgoing requests from the Domino server to an on-premises Microsoft Exchange server or to Microsoft Office 365 to be proxied this is configured using servlets.properties. The following parameters are available to support HTTP proxying: 

• ProxyHost
• ProxyPort

Below is an example of adding a proxy host (proxy.example.com) on port 8080 to the configuration:

servlet.ontimegcex.code=com.ontimesuite.gcex.OnTimeGCEx
servlet.ontimegcex.initArgs=ProxyHost=proxy.example.com,ProxyPort=8080

By default the OnTime Group Calendar Administration task ("admin") runs every night at 2am on the OnTime Group Calendar Administration Server. The admin-task can also be initiated on demand from the OnTime Group Calendar Config database or from the Domino Server console using "tell ontimegc admin". 

One of the purposes of the admin-task is to process information read by the synchronization process from mail files into the Configuration database such as mail file Access Control List (ACL), calendar settings profile document (work hours etc.) In OnTime Group Calendar each user has 3 documents:

• User document (maintained by the admin-task)
• Calendar document (maintained by the synchronization task, created on first synchronization of a user)
• Settings document

It's important to know that all user based calls to OnTime Group Calendar is processed from the "user document" and hence the admin-task is required to run to "bring in" information read from the mail file. For instance if a user changes his/her work hours in the mail file OnTime Group Calendar will first need to synchronize the user (reads information from the mail file into into the "calendar document") and then run the admin-task to transfer the information from the "calendar document" to the "user document". OnTime Group Calendar maintains a very strict separation between which tasks may write to which documents to avoid data corruption and save/replica conflicts.

Sometimes the admin-task will take a while to run - sometimes even a long time if you have many thousands of users in OnTime Group Calendar. This is of course because the admin-task does a lot of things from maintaning users from associated directories to maintaining groups and groups membership. That doesn't mean that moving the admin-task to a separate server cannot be a good idea as it certainly will optimize I/O but it describes why the task may take a while to run.

Please note:  For most organisations there should be no need to run admin during the day or even multiple times a day. It runs daily at 2am.

If you need to run the admin-task during the day consider using one of the sub-commands to tell the admin-task exactly what you would like it to do. If you only want to process static groups i.e. update group membership you could run "tell ontimegc admin gs" from the Domino Server console. 

All of the "sub commands" from the admin-task is available to be run separately as shown in the below table. The sub-commands are listed in the actual sequence they are run.

* When task loads on OnTime GC admin server
** Daily job that runs at 2am
*** Job that runs every hour

Please note: Starting from version 4.2.2 you can now control which admin sub-commands run on which days and on load in Global Settings. You also have the option of terminating a running admin-task by issuing the follow command on the Domino Server console.

Set Config OnTimeGCAdmin=Quit

Internally in OnTime Group Calendar users are identified by a socalled OnTime ID which is a short, unique, ID. The OnTime ID first created for a user when he/she is brought into OnTime Group Calendar and is thereafter maintained by the administration task.

For each user OnTime records the fully distinguished name (DN, e.g. CN=John Doe/OU=Sales/O=Acme) as well as the UnID of the person document. Whenever a user is processed as part of the administration task the user in OnTime can be found using either the DN or the UnID. This means that a user in OnTime will keep their OnTime ID even though that are recertified (get new name, new organisational hierarchy) or a new person document is created for the same user (same DN). Since the OnTime ID stays the same the user also keeps their private groups.

It follows from the above, that a user cannot change both DN and Domino Directory UnID at the same time while keeping their OnTime ID.

Please note: This applies to using the agent based API for OnTime Group Calendar.

Agents in Domino has a maximum execution time at which point the thread execuring the agent is terminated. By default the maximum agent execution time in Domino Directory is set to 0 meaning there is no maximum execution time. If for some reason the maximum execution time has been changed the following stacktrace may be seen on the Domino server console.

HTTP JVM: java.lang.ThreadDeath
HTTP JVM: at java.lang.Thread.stop(Thread.java:941)
HTTP JVM: at java.lang.ThreadGroup.stopHelper(ThreadGroup.java:722)
HTTP JVM: at java.lang.ThreadGroup.stopHelper(ThreadGroup.java:727)
HTTP JVM: at java.lang.ThreadGroup.stop(ThreadGroup.java:704)
HTTP JVM: at lotus.domino.AgentLoader.runAgent(Unknown Source)

This message indicates that an agent thread ran for too long time and was terminated. If you are repeatedly seeing this message we suggest you review your maximum agent execution time and make sure it is appropriate.

A solution could be to start using the servlet which also provides better performance.

Starting with OnTime Group Calendar v. 4.2, for each user connecting to OnTime Group Calendar, we log the client name (Application ID, ApplID) and the client version (Application Version, ApplVer). The information is logged automatically and saved to the user setting document for each user. To see the actual user settings documents do the following:

1. Assign the [Developer] role to your self in OnTime Group Calendar Configuration database.
2. Open the OnTime Group Calendar Configuration database.
3. In the "Developer" section on the left open the "Users Settings" view.

This view contains all the user setting documents. These documents has a number of backend fields - two fields per client (more specifically Application ID) as follows:

SettingsRead_<Application ID>_Ver
SettingsRead_<Application ID>_Time

For instance a user accessing OnTime Group Calendar using the OnTime GC Notes client (Application ID: Notes2011), Team-At-A-Glance sidebar component (Application ID: TAAG2011) and OnTime Group Calendar Mobile (Application ID: Mobile2011) will have the following 6 fields:

SettingsRead_Notes2011_Ver = "4.3.0.201507231633"
SettingsRead_Notes2011_Time = "03/08/2015 10:19:43 CEDT"
SettingsRead_TAAG2011_Ver = "4.3.0.201507231633"
SettingsRead_TAAG2011_Time = "31/07/2015 17:19:43 CEDT"
SettingsRead_Mobile2011_Ver = "4.2.2a"
SettingsRead_Mobile2011_Time = "12/07/2015 00:38:54 CEDT"

At the time of this writing this information is not surfaced in the user interface but is accessible using agents or manual access using the Document Property Explorer in Notes.

The below information must be set on the person document in Domino Directory for a person to be considered for import into OnTime Group Calendar. Please note that the user must also be included by the filter in Global Settings.

• User must have a mail server (field "MailServer" in Domino Directory)
• User must have a mail file (field "MailFile" in Domino Directory)
• User must have a fullname (field "FullName" in Domino Directory)
• User must have Mail System set to one of the following values:
  • "Notes mail" (field "MailSystem" set to "1" in Domino Directory)
  • "POP or IMAP mail" (field "MailSystem" set to "6" in Domino Directory)

If you use OnTime Group Calendar for Domino in a hybrid scenario where OnTime Group Calendar for Domino contains both Domino and Microsoft Exchange users the Microsoft Exchange users must be defined in Domino Directory. The person documents must also have the following fields set:

• User must have Mail System set to  something else than one of the following values:
  • "Notes mail" (field "MailSystem" set to "1" in Domino Directory)
  • "POP or IMAP mail" (field "MailSystem" set to "6" in Domino Directory)
• User must have an email address set (field "InternetAddress" in Domino Directory)

Please note: The email address is used to map from the users in OnTime Group Calendars to users in Microsoft Exchange.

The OnTime Group Calendar server task listens to events on the Domino servers being monitored in order for OnTime Group Calendar to synchronize calendar entries from mail files. Part of this process is discovering the replica ID of the databases to support OnTime clustering among other things. To discover the replica ID the OnTime Group Calendar server require access to the databases even though they may not be a mail database or an OnTime Group Calendar system database.

See a message similar to the following means that the OnTime Group Calendar server does not have access to the listed database:
OnTime-server01: WARNING: CN=Server01/O=OnTime!!IBM_ID_VAULT\MyIDVault.nsf: You are not authorized perform that operation

To not see the message the OnTime Group Calendar should have at least "No access w/ read public documents" access to the database. With this low access OnTime Group Calendar can discover the replica ID without having access to contained data.

Do you have problems launching OnTime GC Web after installing and setting up, then you can try to open the test page.

The test page can be found if you add "/test" after the normal path to the web database. http://<path>/<ontimegcweb database (.nsf)>/test

Here you can, amongst others, validate if the path to the config database is correct. 

The reason for Anonymous to have Author access with create rights on the web database:

To solve the problem with people having to log in every time they open the OnTime GC Web database, be it in a browser on the computer or a phone or inside the notes platform, we created an alternative form of handling the authenticating of users.

When the user tries to open the web database for the first time, we check the local computer for a cookie. This cookie contains the Token which we are using to Authenticate the user. Since its the first time, the cookie wont be there, so the user will be presented with a normal login screen. When the user has provided his login credentials, a token will be generated and saved in a cookie for future use. A token document is also created in the Web database. This is why the user needs the Create Document rights. The next time the user opens the web database, the cookie provides the token for authentication, and the user will not be presented with the authentication screen again.

If the user logs out using the logout function in OnTime GC Web, the cookie is deleted and the user has to log in again, the next time the user opens the web database.

If the user hasn't used the web database for a month, the cookie will be too old, and again the user has to log in the next time the user opens the web database.

In the OnTime GC Database, the administrator can alter the token lifespan for each user. If its set to 2 days, then the user has to log in every 2 days. 

There can be 2 reasons to why you have to login every time:

1. Your administrator has not set the correct Acces Control on the web database regarding Anonymous access. Described in the Installation manual
2. You Domino environment use SSL and TCP Authentication for Anonymous is set to "No". Contact your Domino administrator

Cookies can be blocked by the browser, therefore check the security settings to set allow cookies for the website.

If you are experiencing that the OnTime Mobile client is missing the top icons or they are shown as small squares with numbers, there is a possible solution to the problem.

On the Domino server, there is a file in the data directory called httpd.cnf. This holds the mapping to which file types the domino can understand. This file is not touched, when
the Domino server is upgraded, so if you have been continually upgrading from older versions, this file might not contain all the recent values.

An excerpt from this file may look like the following:

#
# Text formats
#
AddType .html text/html 8bit # HTML
AddType .htm text/html 8bit # HTML variant
AddType .htmls text/html 8bit # HTML w/ Server-side includes
AddType .shtml text/html 8bit # HTML w/ Server-side includes
AddType .css text/css 8bit # Cascading Style Sheet
AddType .xml text/xml 8bit # XML
...continuing.
.
.

If the type .css is missing here, the domino server returns a mime header as a binary file instead of a text/css type file and the browsers wont understand the format.
To solve the missing Icons problem, simply add the .css line to your httpd.cnf file and restart the http task on the domino server (restart task http).

Please note that this snippet file is applicable for OnTime Group Calendar - Social version 3.7.0 to 4.2.x.

Please note: These snippets are no longer used for version 4.3.0 and newer.

Profiles - widgets-config.xml

<!-- OnTime Group Calendar - Social - Profiles for Connections -->
<widgetDef defId="ontimeProfilesCalendar" bundleRefId="ontimeProfilesCalendar_res" url="/ontime/profiles/Profiles.xml" modes="view">
<itemSet>
<item name="resourceId" value="{resourceId}"/>
</itemSet>
</widgetDef>

<widgetInstance uiLocation="col3" defIdRef="ontimeProfilesCalendar" />

Profiles - lotusconnections-config.xml

<resources>
<widgetBundle name="com.ontimesuite.gc.social.profiles" prefix="ontimeProfilesCalendar_res"/>
</resources>

Communities - widgets-config.xml

<!-- OnTime Group Calendar – Socal – Communities for Connections -->
<widgetDef defId="ontimeCommunitiesAvailability" bundleRefId="ontimeCommunitiesAvailability_res" modes="view" showInPalette="false" uniqueInstance="true" url="/ontime/communities/Availability.xml">
<itemSet>
<item name="resourceId" value="{resourceId}"/>
</itemSet>
</widgetDef>

<widgetDef defId="ontimeCommunitiesCalendar" bundleRefId="ontimeCommunitiesCalendar_res" modes="view fullpage" showInPalette="true" uniqueInstance="true" url="/ontime/communities/Calendar.xml">
<itemSet>
<item name="resourceId" value="{resourceId}"/>
</itemSet>
</widgetDef>

<widgetInstance uiLocation="col3" defIdRef="ontimeCommunitiesAvailability" />

Communities - lotusconnections-config.xml

<resources>
<widgetBundle name="com.ontimesuite.gc.social.communities.availability" prefix="ontimeCommunitiesAvailability_res" />
<widgetBundle name="com.ontimesuite.gc.social.communities.calendar" prefix="ontimeCommunitiesCalendar_res" />
</resources>

Please note: The below applies only to version 4.2.x and older.

If instructed to enable trace logging for the OnTime Group Calendar - Social server side components follow the below steps:

1. Log into the WebSphere ISC on the Deployment Manager
2. From the lefthand menu select "Troubleshooting/Logs and trace"
3. Click on the server running the "OnTime Group Calendar - Common" application (if multiple servers are in running the application the following steps need to be performed for each server running the application)
4. Select "Change Log Detail Levels"
5. Click the "Runtime" tab
6. In the text box append ": com.ontimesuite.gc.social=all: dk.intravision.http=all: com.ontimesuite.gc2011.api.http=all" (please note the leading colon). 
   Please note: For most installations this means that the field value will now be "*=info: com.ontimesuite.gc.social=all: dk.intravision.http=all: com.ontimesuite.gc2011.api.http=all"
7. Click Apply (a status message will appear at the top saying "Note: your specified trace string was optimized")

Reproduce the issue and send us the trace.log file which will be saved to the log directory of the server(s) in question.

Please note: You do not need to restart the WebSphere Application Server(s) to apply trace logging using the above approach.

Please note: Enabling trace logging will output LtpaTokens, usernames and passwords as clear text to the trace.log so please handle it appropriately.

Please note: The below applies only to version 4.3.0 and newer.

If instructed to enable trace logging for the OnTime Group Calendar - Social server side components follow the below steps:

1. Log into the WebSphere ISC on the Deployment Manager
2. From the lefthand menu select "Troubleshooting/Logs and trace"
3. Click on the server running the "OnTime Group Calendar - Common" application (if multiple servers are in running the application the following steps need to be performed for each server running the application)
4. Select "Change Log Detail Levels"
5. Click the "Runtime" tab
6. In the text box append ": com.ontimesuite.gc.social.*=all: dk.intravision.http=all: com.ontimesuite.gc.api=all: com.ontimesuite.gc.api.http=all" (please note the leading colon). 
   Please note: For most installations this means that the field value will now be "*=info: com.ontimesuite.gc.social.*=all: dk.intravision.http=all: com.ontimesuite.gc.api=all: com.ontimesuite.gc.api.http=all"
7. Click Apply (a status message will appear at the top saying "Note: your specified trace string was optimized")

Reproduce the issue and send us the trace.log file which will be saved to the log directory of the server(s) in question.

Please note: You do not need to restart the WebSphere Application Server(s) to apply trace logging using the above approach.

Please note: Enabling trace logging will output LtpaTokens, usernames and passwords as clear text to the trace.log so please handle it appropriately.

• http://youtu.be/SoCcXNAhHF8

Starting with OnTime Group Calendar Social v. 4.4.0 the following debug capabilities are available to debug various aspects of the application.

/ontime/common/api/wim/currentuser
Resolves the currently logged in user in WebSphere Identity Manager (WIM) showing the name, uid and e-mail address is available. 

/ontime/common/api/cnx/following
Shows the e-mail addresses of the people the currently logged in user is following.

/ontime/common/api/cnx/network
Shows the e-mail addresses of the people the currently logged in user is in network with.

/ontime/common/api/cnx/community/<community uuid>
When supplied with a community UUID will resolve the members of the community and show the e-mail addresses of the members. The currently logged in user must have access to the community in Connection.

Example:
/ontime/common/api/cnx/community/6840ee81-0e19-4418-8b7b-3b1a02c69041

/ontime/common/admin/test
Opens the Test Page as described in the manual. Require the admin-role.

/ontime/common/admin/wim/currentuser
Same as /ontime/common/api/currentuser but requires the admin-role.

/ontime/common/admin/wim/searchuser/email/<email address>
Searches for the supplied e-mail address in WebSphere Identity Manager and shows the name, uid and e-mail address of the found user. Requires the admin-role.

Example:
/ontime/common/admin/wim/searchuser/email/Diese E-Mail-Adresse ist vor Spambots geschützt! Zur Anzeige muss JavaScript eingeschaltet sein!

/ontime/common/admin/wim/searchuser/uid/<uid>
Searches for the supplied uid in WebSphere Identity Manager and shows the name, uid and e-mail address of the found user. Requires the admin-role.

Example:
/ontime/common/admin/wim/searchuser/uid/ch

/ontime/common/admin/wim/resolvegroup/<DN of group>
Searches for the supplied group in WebSphere Identity Manager and shows the name, uid and e-mail address of the members. Requires the admin-role.

Examples:
/ontime/common/admin/wim/resolvegroup/CN=All+Users,CN=Groups,dc=ontimesuite,dc=com
/ontime/common/admin/wim/resolvegroup/CN=All+Users

/ontime/common/admin/debug/config
Shows the configuration for the modules. Requires the admin-role.

/ontime/common/admin/debug/ontimeinfo
Shows the OnTime Group Calendar specific configuration. Requires the admin-role.

/ontime/common/admin/debug/url/<target>/<auth>/<url>
Attempts to load the specified URL using the specified authentication mechanism. Requires the admin-role.

The short answer is "Yes!". The longer answer is that starting with Connections v. 5.5 there is a new attribute which is required when configuring custom widgets such as OnTime Group Calendar - Social. The attribute needs to be added to the widgets-config.xml file and the declarations for the OnTime Group Calendar - Social widgets listed there. The attribute is called "themes" and describes the various locations that are valid for the widget meaning left column, middle column, right column and banner (new with v. 5.5). 

This is mainly an issue when upgrading a previous installation as the OnTime documentation has been updated to address this.

To fix an existing installation do as follows:

1. Using wsadmin checkout the widget-config.xml file
2. Locate each of the OnTime Group Calendar - Social widget declarations and add the "themes" attribute as applicable for each widget:
   1. Profiles: themes="wpthemeThin wpthemeNarrow wpthemeBanner wpthemeWide"
   2. Who Is Available: themes="wpthemeThin wpthemeNarrow wpthemeBanner wpThemeWide"
   3. Group Calendar: themes="wpthemeBanner wpthemeWide"
3. Save and close the file and check the configuration back in
4. Restart your WebSphere Application Server(s)

The various "themes" actually map to locations the widget may be dropped by the user as shown below (click the image for a large version):

For more information about the "themes" attribute see the Domino technote at http://www-01.ibm.com/support/docview.wss?uid=swg21974593

There are two ways to locate the build / version number. The build version can be seen in the WebSphere ISC as follows:

1. Open WebSphere Application Server Integrated Solutions Console (ISC)
2. From the lefthand menu expand "Applications/Application Types" and select ”WebSphere Enterprise Applications"
3. In the list click on the OnTime Group Calendar application to look into (e.g. "OnTime Group Calendar - Social - Profiles")
4. Click "Display module build Ids" in the uppe right corner on the available options and note the "Build id" in the right hand column

Another way - which some find easier - is using a browser to inspect the version.json in each application e.g. <hostname>/ontime/<application>/version.json. E.g. the following links show the application versions deployed to our demo environment:

• https://showtime.ontimesuite.com/ontime/common/version.json
• https://showtime.ontimesuite.com/ontime/profiles/version.json
• https://showtime.ontimesuite.com/ontime/communities/version.json

The above links shows the version output in JSON format.

Please note: The below information pertains to HTTP based access to the OnTime Group Calendar API that is for OnTime Group Calendar Web, Mobile and Social. It also pertains to Notes and Team-At-A-Glance if these are configured for HTTP access. If native Notes API (NRPC) access is used for the latter two clients an OnTime Access Token is not used.

Users are solely authenticated to the OnTime Group Calendar API (the "service" that provides the data for the OnTime Group Calendar user interfaces such as Web, Mobile, Notes etc.) using an OnTime Access Token. An OnTime Access Token is an encrypted text token that identifies the user and has a point in time it expires encoded in it (among other things). In order to obtain an OnTime Access Token the user must be authenticated to Domino in whatever way the organisation requires such as basic authentication, form based authentication (using LtpaToken), certificates based authentication etc. Once an OnTime Access Token has been obtained it is used on subsequent requests to the OnTime Group Calendar API and identifies the user to the OnTime Group Calendar API. Once an OnTime Access Token is issued it is valid until it expires. The expiration duration can be controlled in the OnTime Group Calendar server document(s) and may be set to a duration in hours. The OnTime Group Calendar API issues a new OnTime Access Token on each request so the expiration time set in the OnTime Group Calendar server document(s) should be considered an "Idle time between requests".

Please note: In the OnTime Group Calendar Configuration database the OnTime Access Token idle timeout is referred to as the "HTTP Token Timeout".

Once an OnTime Group Calendar client obtains an OnTime Access Token it is cached by the client (for Mobile and Web it is cached in a browser cookie) and attempted used on subsequent requests to the API. This means that a user may access OnTime Group Calendar Web or OnTime Group Calendar Mobile without reauthenticating to Domino if a valid OnTime Access Token is available. It also means that a suitable idle time should be set that suits the organisations security policy. For example if permitted by the security policy an idle time of 24 hours allows a user to use OnTime Group Calendar Mobile or Web during the day and reopen the client next day without reauthentication to Domino as the OnTime Access Token is still valid.

It follows from the above that all API requests following obtaining an OnTime Access Token may be unauthenticated ("anonymous") from an Domino perspective. This is not a security hole but is simply because non-token requests are solely authenticated from the OnTime Access Token. It also means that the Domino HTTP server must allow anonymous requests whether that be over HTTP or HTTPs.

Please note that an OnTime Access Token may be revoked from the OnTime Group Calendar Configuration database. This means that even though a user have obtained an OnTime Access Token valid a year into the future the administrator may revoke it requiring the user to reauthenticate to use OnTime Group Calendar. This is a security measure.

HOW LOGIN TO ONTIME GROUP CALENDAR WEB WORKS

Below we assume that your OnTime Group Calendar Client database (”Client database”) is called ”ontimegcclient.nsf” and is in the ”ontime” directory. To open OnTime Group Calendar Web you would redirect users to ”/ontime/ontimegcclient.nsf/web”.

The login process is as follows:

1. User navigate to ”/ontime/ontimegcclient.nsf/web”.
2. The code checks whether an OnTime Access Token is present as a browser cookie or in the URL if launched from the Notes workspace icon. If it is, access is attempted using it.
3. If that OnTime Access Token doesn’t work (i.e. is expired) any browser cookie is cleared and the login process restarts.
   1. If no OnTime Access Token is found an API call is performed to obtain an OnTime Access Token. If the user is not authenticated to Domino the API tells the client that and the user is redirected to the Domino login page (hard coded which is why we only support form based authentication for this process).
   2. If an OnTime Access Token is obtained is it stored in a browser cookie and the login process restarts.

HOW LOGIN TO ONTIME GROUP CALENDAR MOBILE WORKS

Below we assume that your OnTime Group Calendar Client database (”Client database”) is called ”ontimegcclient.nsf” and is in the ”ontime” directory. To open OnTime Group Calendar Mobile you would redirect users to ”/ontime/ontimegcclient.nsf/mobile”.

Besides the URL required the login process is the same as for OnTime Group Calendar Web.

HOW LOGIN TO ONTIME GROUP CALENDAR NOTES AND TEAM-AT-A-GLANCE WORKS

When the OnTime Group Calendar Notes and/or Team-At-A-Glance clients are launched they need information about how to access the OnTime Group Calendar API. This information is stored in the users mail file in a profile document maintained by the OnTime Group Calendar synchronisation process. This profile document is updated every time OnTime Group  Calendar reads in (”synchronises”) appointment data from the mail file.

Please note: It follows from the above that while having multiple OnTime Group Calendar environments read appointment data from the same mail file it is important that only one environment is configured to write this profile document.

The launch process is as follows:

1. User clicks the icon to launch the client.
2. If access information is cached this information is attempted used to access the OnTime Group Calendar API. If this does not work (or any cached token has been explicitly revoked) this cached information is cleared the the launch process is restarted.
3. The users mail file is located using the information specified in the users location document. If the user cannot press Ctrl-M (Cmd-M on Mac) to compose a new email this process will fail.
4. The profile document is retrieved and access information is read.
   1. If OnTime Group Calendar is configured for HTTP access an OnTime Access Token is obtained using native Notes API access using digital signatures to verify and identify the user. Once an OnTime Access Token has been obtained the API is accessed over HTTP identifying the user by the OnTime Access Token.
   2. If OnTime Group Calendar is configured for native Notes API access information is tranferred using the native Notes API using digital signatures to verify and identify the user.

When using the native Notes API and digital signatures to verify and identify the user both the OnTime Group Calendar client and the OnTime Group Calendar API participate in the cryptographic process.

SINGLE SIGN ON (SSO)

Often customers are looking to provide a Single Sign On solution to OnTime Group Calendar and its user interfaces. Choosing the correct solution depends on the security infrastructure in place but most times the user is authenticated by some other system and/or the user identity may not map to Domino. It may also be the case that the user is authenticated to some other system but the credentials cannot be reused for Domino. There are various ways to solve this as described below.

THE SIMPLE APPROACH

Use the OnTime Group Calendar security as-is but set a long idle time for the OnTime Access Token. While this strictly speaking does not provide Single Sign On it will only require the user to authenticate once as long as the idle time for the OnTime Access Token is long enough and the user access OnTime Group Calendar within the idle time period set. This option is available out-of-the-box.

THE API APPROACH

If you have purchased the OnTime Group Calendar Open API option (sold separately) you may also use the OnTime Group Calendar API to issue tokens to users. Using the OnTime Group Calendar API a system user may obtain an OnTime Access Token on behalf of other users and thus provide access to OnTime Group Calendar using an identity verified by some other system such as Microsoft Sharepoint, a CRM system or an MDM provider. We have previously created Single Sign On (SSO) solutions for customers wanting to provide SSO from non-Domino platforms to OnTime Group Calendar running on Domino.

For example we have a customer with an intranet based on Microsoft technologies where the user is automatically authenticated to the intranet using Windows Integrated Authentication (IWA). The customer wanted users to be able to open OnTime Group Calendar Web without having to re-authenticate which was tricky as the user was only authenticated to the Microsoft intranet and not Domino. To solve this we employed the OnTime Group Calendar API.

We solved it by having the intranet, once the user had logged in to it, use the verified username to obtain an OnTime Access Token on behalf of the user (using the OnTime Group Calendar API). Once the intranet server obtained an OnTime Access Token for the user it set the correct browser cookie to complete the puzzle. Now when the user tries to access OnTime Group Calendar the browser automatically provides the obtained OnTime Access Token and the user may access OnTime Group Calendar without reauthentication thus achiving Single Sign On.

SPNEGO / KERBEROS (OR IF FORM BASED AUTHENTICATION CANNOT BE USED)

For customers using SPNEGO with Domino the default access control list (ACL) setup of the OnTime Group Calendar Client database can cause problems. This is due to the fact that the Client database allows Anonymous access by default and hence the required HTTP 401 response code that cause the operating system to initialiate the authorization handshake is never sent. To solve this the Client database has a special page that does require the user to be authenticated. Instead of using the page called ”Web” you simply use the page called ”WebSSO”.

For example if your Client database is called ”ontimegcclient.nsf” and is in the ”ontime” directory you would normally redirect users to ”/ontime/ontimegcclient.nsf/web” to open the OnTime Group Calendar Web user interface. If using SPNEGO simply replace ”/web” with ”/websso” and redirect users to /ontime/ontimegcclient.nsf/websso”. Nothing more is required.

Please note: It’s very important that the ACL is configured correctly as described in the documentation for this to work.