Answers to the Most Common Questions for OnTime® Group Calendar
Do you have any questions about the OnTime® Group Calendar? See if you find the answer below. If you have a hard time finding what you are looking for, please contact us with your questions, we are ready to help.
If you didn't find what you were looking for, you might be able to find the answer in the documentation section. Otherwise, you can submit a question to our support team.
Please note: The approach described in this document was added in v. 4.2.
User debugging consists of two elements:
Prior to v. 4.2 user synchronization logging and API logging was enabled separately and in different ways. This is now much easier to enable.
Enabling user debug for one or more users are done as follows:
Remember to disable user debugging once the issue has been reproduced.
No, the OnTime Group Calendar 9 series and the OnTime Group Calendar version 7 / 8 are two totally different products and therefore also have seperate license keys.
Please contact your prefered OnTime partner or IntraVision in order to retreive a new license key.
OnTime Group Calendar is fault tolerant and support clustering on Domino but please note that not all databases in the OnTime Group Calendar installation should be clustered. The API database and the Web database are only used to serve up the Web and Mobile interfaces and to temporarily store documents related to the OnTime Group Calendar API. These two databases are not designed for clustering and hence should not be clustered as it may cause the clients to fail. Whether you choose to cluster the log database is up to the customer.
You may run OnTime Group Calendar even though you are running multiple domains in your Domino environment but it does pose some additional challenges when names and groups need to be resolved. In general the only requirement that OnTime Group Calendar imposes when running in multi-domain configuration is that all the Domino Directories from the other Domino domains must be replicated to the Domino server running the admin-task. OnTime Group Calendar does not however require Directory Assistance or similar to be configured.
Configuring the multi-domain option is very simple and generally only consists of adding references to the various Domino Directory databases and mapping each to a Domino domain. This is very clearly described in the OnTime Group Calendar Installation manual.
When using the multi-domain option special care needs to be taken when group names are specified. All group names may have the domain name appended to explicitly tell OnTime Group Calendar which Domino Directory to use when resolving the group. If nested groups are used they are resolved against the same Domino Directory as the parent group. If no domain is specified for a group OnTime Group Calendar will look to the group in allconfigured Domino Directory databases and resolve the group as being the combination of users from across directories.
Consider an Domino environment with three domains called US, EU and JP and an organizational certifier called /ACME. The OnTime Group Calendar admin-task is designated to run on the OnTimeServer/ACME server in the EU domain. To enable the multi-domain option the administrator would perform the following steps:
Imagine the following groups from the Domino Directories mentioned above.
Below are examples from resolving the specified group names using the Domino Directories above.
Runs at midnight.
To run manually: Server Settings view, "Servlet Commands" / "Main Servlet" / "Cleanup log"
By default the OnTime Group Calendar Administration task ("admin") runs every night at 2am on the OnTime Group Calendar Administration Server. The admin-task can also be initiated on demand from the OnTime Group Calendar Config database or from the Domino Server console using "tell ontimegc admin".
One of the purposes of the admin-task is to process information read by the synchronization process from mail files into the Configuration database such as mail file Access Control List (ACL), calendar settings profile document (work hours etc.) In OnTime Group Calendar each user has 3 documents:
It's important to know that all user based calls to OnTime Group Calendar is processed from the "user document" and hence the admin-task is required to run to "bring in" information read from the mail file. For instance if a user changes his/her work hours in the mail file OnTime Group Calendar will first need to synchronize the user (reads information from the mail file into into the "calendar document") and then run the admin-task to transfer the information from the "calendar document" to the "user document". OnTime Group Calendar maintains a very strict separation between which tasks may write to which documents to avoid data corruption and save/replica conflicts.
Sometimes the admin-task will take a while to run - sometimes even a long time if you have many thousands of users in OnTime Group Calendar. This is of course because the admin-task does a lot of things from maintaning users from associated directories to maintaining groups and groups membership. That doesn't mean that moving the admin-task to a separate server cannot be a good idea as it certainly will optimize I/O but it describes why the task may take a while to run.
Please note: For most organisations there should be no need to run admin during the day or even multiple times a day. It runs daily at 2am.
If you need to run the admin-task during the day consider using one of the sub-commands to tell the admin-task exactly what you would like it to do. If you only want to process static groups i.e. update group membership you could run "tell ontimegc admin gs" from the Domino Server console.
All of the "sub commands" from the admin-task is available to be run separately as shown in the below table. The sub-commands are listed in the actual sequence they are run.
Description |
Console Command |
Load* |
Day** |
Hour*** |
Update users |
tell ontimegc admin u |
X |
X |
|
Fixup / cleanup |
tell ontimegc admin f |
X |
X |
|
Static groups |
tell ontimegc admin gs |
X |
X |
|
Dynamic groups |
tell ontimegc admin gd |
X |
X |
|
External groups |
tell ontimegc admin ge |
X |
X |
|
Directory (NAB) groups |
tell ontimegc admin gn |
X |
X |
|
Process ACLs |
tell ontimegc admin a |
X |
X |
|
Process roles |
tell ontimegc admin r |
X |
X |
|
Rooms and resources |
tell ontimegc admin o |
X |
X |
|
Process settings |
tell ontimegc admin s |
X |
X |
|
Cutom fields |
tell ontimegc admin c |
X |
||
Process replica documents |
tell ontimegc admin e | X | X |
* When task loads on OnTime GC admin server
** Daily job that runs at 2am
*** Job that runs every hour
Please note: Starting from version 4.2.2 you can now control which admin sub-commands run on which days and on load in Global Settings. You also have the option of terminating a running admin-task by issuing the follow command on the IBM Domino Server console.
Set Config OnTimeGCAdmin=Quit
Internally in OnTime Group Calendar users are identified by a socalled OnTime ID which is a short, unique, ID. The OnTime ID first created for a user when he/she is brought into OnTime Group Calendar and is thereafter maintained by the administration task.
For each user OnTime records the fully distinguished name (DN, e.g. CN=John Doe/OU=Sales/O=Acme) as well as the UnID of the person document. Whenever a user is processed as part of the administration task the user in OnTime can be found using either the DN or the UnID. This means that a user in OnTime will keep their OnTime ID even though that are recertified (get new name, new organisational hierarchy) or a new person document is created for the same user (same DN). Since the OnTime ID stays the same the user also keeps their private groups.
It follows from the above, that a user cannot change both DN and Domino Directory UnID at the same time while keeping their OnTime ID.
Starting with OnTime Group Calendar v. 4.2, for each user connecting to OnTime Group Calendar, we log the client name (Application ID, ApplID) and the client version (Application Version, ApplVer). The information is logged automatically and saved to the user setting document for each user. To see the actual user settings documents do the following:
This view contains all the user setting documents. These documents has a number of backend fields - two fields per client (more specifically Application ID) as follows:
SettingsRead_<Application ID>_Ver
SettingsRead_<Application ID>_Time
For instance a user accessing OnTime Group Calendar using the OnTime GC Notes client (Application ID: Notes2011), Team-At-A-Glance sidebar component (Application ID: TAAG2011) and OnTime Group Calendar Mobile (Application ID: Mobile2011) will have the following 6 fields:
SettingsRead_Notes2011_Ver = "4.3.0.201507231633"
SettingsRead_Notes2011_Time = "03/08/2015 10:19:43 CEDT"
SettingsRead_TAAG2011_Ver = "4.3.0.201507231633"
SettingsRead_TAAG2011_Time = "31/07/2015 17:19:43 CEDT"
SettingsRead_Mobile2011_Ver = "4.2.2a"
SettingsRead_Mobile2011_Time = "12/07/2015 00:38:54 CEDT"
At the time of this writing this information is not surfaced in the user interface but is accessible using agents or manual access using the Document Property Explorer in Notes.
The below information must be set on the person document in Domino Directory for a person to be considered for import into OnTime Group Calendar. Please note that the user must also be included by the filter in Global Settings.
If you use OnTime Group Calendar for Domino in a hybrid scenario where OnTime Group Calendar for Domino contains both Domino and Microsoft Exchange users the Microsoft Exchange users must be defined in Domino Directory. The person documents must also have the following fields set:
Please note: The email address is used to map from the users in OnTime Group Calendars to users in Microsoft Exchange.
The OnTime Group Calendar server task listens to events on the Domino servers being monitored in order for OnTime Group Calendar to synchronize calendar entries from mail files. Part of this process is discovering the replica ID of the databases to support OnTime clustering among other things. To discover the replica ID the OnTime Group Calendar server require access to the databases even though they may not be a mail database or an OnTime Group Calendar system database.
See a message similar to the following means that the OnTime Group Calendar server does not have access to the listed database:
OnTime-server01: WARNING: CN=Server01/O=OnTime!!IBM_ID_VAULT\MyIDVault.nsf: You are not authorized perform that operation
To not see the message the OnTime Group Calendar should have at least "No access w/ read public documents" access to the database. With this low access OnTime Group Calendar can discover the replica ID without having access to contained data.
Do you have problems launching OnTime GC Web after installing and setting up, then you can try to open the test page.
The test page can be found if you add "/test" after the normal path to the web database. http://<path>/<ontimeclient database (.nsf)>/test
Here you can, amongst others, validate if the path to the config database is correct.
There can be 2 reasons to why you have to login every time:
Cookies can be blocked by the browser, therefore check the security settings to set allow cookies for the website.
To use the web database, the user you use for authentication must be in the ontimegc.nsf database, since its otherwise impossible to find the user credentials for accessing peoples calendars.
Basic Authentication enabled and OTGC web 2011 is not supported for that.
Create Site document for website and Enable SSO (LTPAToken).
This FAQ outlines the different application settings available to change the default behaviour of the OnTime Group Calendar Web Desktop.
Application settings are configured from the OnTime Config DB using the "Default Settings" as shown below.
Below you will find a section per setting and a description of the setting.
CalItemBodyHeightExtra
This application setting allows control over the additional height of the body field on calendar entries in pixels.
Note: No longer used from version 5.4 as the body field now expands dynamically.
CalItemReread
To avoid conflicts when saving edited entries, the client will re-fetch data from the back end, before the user is presented with the calendar entry dialogue box. This setting takes the value true or false. This resembles doing a refresh (F9) before opening the entry for editing.
FreeTimeSearchDays
Changes the number of days into the future the clients will perform a free time search. The default value is 93 days (3 months). Use this setting to override the value. If <= 0 we use the default value.
FreeTimeSearchMaxUsers
Controls the number of users that be included in a free time search. The default value is 200 but can be increased. This setting is new in 5.4.
SearchCalendarsMaxUsers
Controls the number of users that be included in a search for content in calendar entries. The default value is 1.000 but can be increased. This setting is new in 5.4.2.
MaxUsersInGroups
This setting controls how many users can be added to a private or a shared group. The default value is 200 but can be increased. It is however important that the total size of the combined names never exceed 32Kb.
NoWeeksInWeeksView
Allows you to show more than the default 2 weeks in the week view.
Note: No longer used from version 5.4. Can be defined by the user directly.
NoWeeksInVacationView
Allows you to show more than the default 8 weeks in the week view.
Note: No longer used from version 5.4. Can be defined by the user directly.
PageSize
This setting controls how many users are loaded at a time in the main view. This setting can be increased in newer browsers but older browsers can run out of memory if you increase this setting.
Note: No longer used from version 5.4.
QuestUrl
This new setting controls the "?" help. If it is not set for the user the ? works as in previous versions. If it is added to settings for the user but left as "" blank then the ? is not available for the user. If it set like this "QuestUrl" : "http://www.acmeinc.com" then clicking ? will open a new window with www.acmeinc.com. This setting is new in 5.4.4.
UserListMaxUsers
Controls the number of users which will be shown in name select dialogues if "Enterprise Scaling" is deselected. This setting is new in 5.4.3.
UserListRowHeight
This setting controls whether 1,2 or 3 lines of information from the name format should be displayed in the name selection dialogue boxes.
Please note: The below applies only to version 4.2.x and older.
If instructed to enable trace logging for the OnTime Group Calendar - Social server side components follow the below steps:
Reproduce the issue and send us the trace.log file which will be saved to the log directory of the server(s) in question.
Please note: You do not need to restart the WebSphere Application Server(s) to apply trace logging using the above approach.
Please note: Enabling trace logging will output LtpaTokens, usernames and passwords as clear text to the trace.log so please handle it appropriately.
Please note: The below applies only to version 4.3.0 and newer.
If instructed to enable trace logging for the OnTime Group Calendar - Social server side components follow the below steps:
Reproduce the issue and send us the trace.log file which will be saved to the log directory of the server(s) in question.
Please note: You do not need to restart the WebSphere Application Server(s) to apply trace logging using the above approach.
Please note: Enabling trace logging will output LtpaTokens, usernames and passwords as clear text to the trace.log so please handle it appropriately.
Starting with OnTime Group Calendar Social v. 4.4.0 the following debug capabilities are available to debug various aspects of the application.
/ontime/common/api/wim/currentuser
Resolves the currently logged in user in WebSphere Identity Manager (WIM) showing the name, uid and e-mail address is available.
/ontime/common/api/cnx/following
Shows the e-mail addresses of the people the currently logged in user is following.
/ontime/common/api/cnx/network
Shows the e-mail addresses of the people the currently logged in user is in network with.
/ontime/common/api/cnx/community/<community uuid>
When supplied with a community UUID will resolve the members of the community and show the e-mail addresses of the members. The currently logged in user must have access to the community in Connection.
Example:
/ontime/common/api/cnx/community/6840ee81-0e19-4418-8b7b-3b1a02c69041
/ontime/common/admin/test
Opens the Test Page as described in the manual. Require the admin-role.
/ontime/common/admin/wim/currentuser
Same as /ontime/common/api/currentuser but requires the admin-role.
/ontime/common/admin/wim/searchuser/email/<email address>
Searches for the supplied e-mail address in WebSphere Identity Manager and shows the name, uid and e-mail address of the found user. Requires the admin-role.
Example:
/ontime/common/admin/wim/searchuser/email/
/ontime/common/admin/wim/searchuser/uid/<uid>
Searches for the supplied uid in WebSphere Identity Manager and shows the name, uid and e-mail address of the found user. Requires the admin-role.
Example:
/ontime/common/admin/wim/searchuser/uid/ch
/ontime/common/admin/wim/resolvegroup/<DN of group>
Searches for the supplied group in WebSphere Identity Manager and shows the name, uid and e-mail address of the members. Requires the admin-role.
Examples:
/ontime/common/admin/wim/resolvegroup/CN=All+Users,CN=Groups,dc=ontimesuite,dc=com
/ontime/common/admin/wim/resolvegroup/CN=All+Users
/ontime/common/admin/debug/config
Shows the configuration for the modules. Requires the admin-role.
/ontime/common/admin/debug/ontimeinfo
Shows the OnTime Group Calendar specific configuration. Requires the admin-role.
/ontime/common/admin/debug/url/<target>/<auth>/<url>
Attempts to load the specified URL using the specified authentication mechanism. Requires the admin-role.
The short answer is "Yes!". The longer answer is that starting with Connections v. 5.5 there is a new attribute which is required when configuring custom widgets such as OnTime Group Calendar - Social. The attribute needs to be added to the widgets-config.xml file and the declarations for the OnTime Group Calendar - Social widgets listed there. The attribute is called "themes" and describes the various locations that are valid for the widget meaning left column, middle column, right column and banner (new with v. 5.5).
This is mainly an issue when upgrading a previous installation as the OnTime documentation has been updated to address this.
To fix an existing installation do as follows:
The various "themes" actually map to locations the widget may be dropped by the user as shown below (click the image for a large version):
For more information about the "themes" attribute see the Domino technote at http://www-01.ibm.com/support/docview.wss?uid=swg21974593
There are two ways to locate the build / version number. The build version can be seen in the WebSphere ISC as follows:
Another way - which some find easier - is using a browser to inspect the version.json in each application e.g. <hostname>/ontime/<application>/version.json. E.g. the following links show the application versions deployed to our demo environment:
The above links shows the version output in JSON format.
As described in the Domino Redbook titled "Preparing your enterprise for IBM Connections Cloud" OnTime Group Calendar works with Connections Cloud meaning that it is able to synchronize mail databases located in Connections Cloud. Although you can use the normal OnTime Group Calendar distribution there are a number of differences in the setup to deal with the Connections Cloud mail setup.
Since you cannot run applications in Connections Cloud you must have a Domino Server running as part of your environment. This is called SmartCloud Notes Hybrid and means that you have an on-premises Domino installation sharing Domino Directory with the Connections Cloud mail servers. Since this is also required for Rooms and Resources (RnR) most customers will deploy Connections Cloud this way.
To optimize the synchronization process the OnTime Group Calendar server task creates a specialized view in the mail databases it synchronizes. Since no user or server may have Designer level access to a mail database in Connections Cloud the server task cannot create and maintain this view. To work around this you have two options:
The OnTime Group Calendar databases must be signed by the server hosting the databases. Only servers may access mail databases in Connections Cloud. Additionally the server(s) must be part of the same organization as the certifier uploaded to Connections Cloud i.e. if the certifier uploaded to Connections Cloud is called /SCN/Acme the server running OnTime Group Calendar must be certified by /Acme or a descendent certifier (i.e. /Servers/Acme or similar).
Please note: As of 17 August 2015 it is now possible for customers to control and maintain the access control lists (ACL's) for mail files SmartCloud Notes them selves using the administration panel. Please refer to Domino's InfoCenter for more information (http://www.ibm.com/support/knowledgecenter/SSPS94/service/topics/adm_acl_change.dita)
The Domino Server running the OnTime Group Calendar synchronization must have access to the mail databases in Connections Cloud. By default this access isn’t granted. This access may be granted as follows:
Manually adding the server to the mail database ACL's using the Calendar Delegation Profile as you would any other user. This is a suitable solution for test purposed but isn’t recommended for production use.
When the OnTime Group Calendar server(s) cannot access the Domino servers in the Connections Cloud (SmartCloud) and hence users cannot be synchronized it is usually due to one of the following:
At some point you may need to revoke an OnTime Access Token ("token") if a mobile device has been stolen or you fear that a token which is still valid has been compromised. Revoking the token takes effect immediately and renders the token unusable. To obtain a new token the user will need to reauthenticate to OnTime Group Calendar.
To revoke a token follow the below steps:
Please note: The below information pertains to HTTP based access to the OnTime Group Calendar API that is for OnTime Group Calendar Web, Mobile and Social. It also pertains to Notes and Team-At-A-Glance if these are configured for HTTP access. If native IBM Notes API (NRPC) access is used for the latter two clients an OnTime Access Token is not used.
Users are solely authenticated to the OnTime Group Calendar API (the "service" that provides the data for the OnTime Group Calendar user interfaces such as Web, Mobile, Notes etc.) using an OnTime Access Token. An OnTime Access Token is an encrypted text token that identifies the user and has a point in time it expires encoded in it (among other things). In order to obtain an OnTime Access Token the user must be authenticated to IBM Domino in whatever way the organisation requires such as basic authentication, form based authentication (using LtpaToken), certificates based authentication etc. Once an OnTime Access Token has been obtained it is used on subsequent requests to the OnTime Group Calendar API and identifies the user to the OnTime Group Calendar API. Once an OnTime Access Token is issued it is valid until it expires. The expiration duration can be controlled in the OnTime Group Calendar server document(s) and may be set to a duration in hours. The OnTime Group Calendar API issues a new OnTime Access Token on each request so the expiration time set in the OnTime Group Calendar server document(s) should be considered an "Idle time between requests".
Please note: In the OnTime Group Calendar Configuration database the OnTime Access Token idle timeout is referred to as the "HTTP Token Timeout".
Once an OnTime Group Calendar client obtains an OnTime Access Token it is cached by the client (for Mobile and Web it is cached in a browser cookie) and attempted used on subsequent requests to the API. This means that a user may access OnTime Group Calendar Web or OnTime Group Calendar Mobile without reauthenticating to IBM Domino if a valid OnTime Access Token is available. It also means that a suitable idle time should be set that suits the organisations security policy. For example if permitted by the security policy an idle time of 24 hours allows a user to use OnTime Group Calendar Mobile or Web during the day and reopen the client next day without reauthentication to IBM Domino as the OnTime Access Token is still valid.
It follows from the above that all API requests following obtaining an OnTime Access Token may be unauthenticated ("anonymous") from an IBM Domino perspective. This is not a security hole but is simply because non-token requests are solely authenticated from the OnTime Access Token. It also means that the IBM Domino HTTP server must allow anonymous requests whether that be over HTTP or HTTPs.
Please note that an OnTime Access Token may be revoked from the OnTime Group Calendar Configuration database. This means that even though a user have obtained an OnTime Access Token valid a year into the future the administrator may revoke it requiring the user to reauthenticate to use OnTime Group Calendar. This is a security measure.
Below we assume that your OnTime Group Calendar Client database (”Client database”) is called ”ontimegcclient.nsf” and is in the ”ontime” directory. To open OnTime Group Calendar Web you would redirect users to ”/ontime/ontimegcclient.nsf/web”.
The login process is as follows:
Below we assume that your OnTime Group Calendar Client database (”Client database”) is called ”ontimegcclient.nsf” and is in the ”ontime” directory. To open OnTime Group Calendar Mobile you would redirect users to ”/ontime/ontimegcclient.nsf/mobile”.
Besides the URL required the login process is the same as for OnTime Group Calendar Web.
When the OnTime Group Calendar Notes and/or Team-At-A-Glance clients are launched they need information about how to access the OnTime Group Calendar API. This information is stored in the users mail file in a profile document maintained by the OnTime Group Calendar synchronisation process. This profile document is updated every time OnTime Group Calendar reads in (”synchronises”) appointment data from the mail file.
Please note: It follows from the above that while having multiple OnTime Group Calendar environments read appointment data from the same mail file it is important that only one environment is configured to write this profile document.
The launch process is as follows:
When using the native IBM Notes API and digital signatures to verify and identify the user both the OnTime Group Calendar client and the OnTime Group Calendar API participate in the cryptographic process.
Often customers are looking to provide a Single Sign On solution to OnTime Group Calendar and its user interfaces. Choosing the correct solution depends on the security infrastructure in place but most times the user is authenticated by some other system and/or the user identity may not map to IBM Domino. It may also be the case that the user is authenticated to some other system but the credentials cannot be reused for IBM Domino. There are various ways to solve this as described below.
THE SIMPLE APPROACH
Use the OnTime Group Calendar security as-is but set a long idle time for the OnTime Access Token. While this strictly speaking does not provide Single Sign On it will only require the user to authenticate once as long as the idle time for the OnTime Access Token is long enough and the user access OnTime Group Calendar within the idle time period set. This option is available out-of-the-box.
THE API APPROACH
If you have purchased the OnTime Group Calendar Open API option (sold separately) you may also use the OnTime Group Calendar API to issue tokens to users. Using the OnTime Group Calendar API a system user may obtain an OnTime Access Token on behalf of other users and thus provide access to OnTime Group Calendar using an identity verified by some other system such as Microsoft Sharepoint, a CRM system or an MDM provider. We have previously created Single Sign On (SSO) solutions for customers wanting to provide SSO from non-IBM Domino platforms to OnTime Group Calendar running on IBM Domino.
For example we have a customer with an intranet based on Microsoft technologies where the user is automatically authenticated to the intranet using Windows Integrated Authentication (IWA). The customer wanted users to be able to open OnTime Group Calendar Web without having to re-authenticate which was tricky as the user was only authenticated to the Microsoft intranet and not IBM Domino. To solve this we employed the OnTime Group Calendar API.
We solved it by having the intranet, once the user had logged in to it, use the verified username to obtain an OnTime Access Token on behalf of the user (using the OnTime Group Calendar API). Once the intranet server obtained an OnTime Access Token for the user it set the correct browser cookie to complete the puzzle. Now when the user tries to access OnTime Group Calendar the browser automatically provides the obtained OnTime Access Token and the user may access OnTime Group Calendar without reauthentication thus achiving Single Sign On.
SPNEGO / KERBEROS (OR IF FORM BASED AUTHENTICATION CANNOT BE USED)
For customers using SPNEGO with IBM Domino the default access control list (ACL) setup of the OnTime Group Calendar Client database can cause problems. This is due to the fact that the Client database allows Anonymous access by default and hence the required HTTP 401 response code that cause the operating system to initialiate the authorization handshake is never sent. To solve this the Client database has a special page that does require the user to be authenticated. Instead of using the page called ”Web” you simply use the page called ”WebSSO”.
For example if your Client database is called ”ontimegcclient.nsf” and is in the ”ontime” directory you would normally redirect users to ”/ontime/ontimegcclient.nsf/web” to open the OnTime Group Calendar Web user interface. If using SPNEGO simply replace ”/web” with ”/websso” and redirect users to /ontime/ontimegcclient.nsf/websso”. Nothing more is required.
Please note: It’s very important that the ACL is configured correctly as described in the documentation for this to work.
Yes.
The API Explorer is probably the easiest way to work with and learn the API. The API Explorer can be found online at http://demo.ontimesuite.com/apiexplorer (username: demo, password: demo) but this of course works on a set of demo data. To use the API Explorer in your own environment open the API Explorer from your web database by opening the following URL http://<hostname>/ontime/ontimegcweb.nsf/APIExplorer (given that the OnTime Group Calendar client database can be found in /ontime/ontimegcweb.nsf. Also please substitute <hostname> with the actual hostname of the server hosting your OnTime Group Calendar client database.
Please note: In versions prior to version 3.1.3 contains a slightly outdated API Explorer. If you running version 3.1.2 or newer please contact Support to obtain the latest version. The API Explorer will be current from version 3.1.3 and onwards.
Using the OnTime Group Calendar API (here after API) using Notes native API's is done using the following 5 basic steps:
The document you create should have the following backend items.
Item name | Type | Value |
_Author | Authors, Readers | [ReadAll ] [Developer] <Distinguished name of effective user> <Distinguished name of API server> |
$Request_X | Text | The JSON request split into 32kb items named $Request_0, $Request_1, $Request_2 and so on |
The request and response is in the same JSON format as the HTTP based API.
In the two questions below ("Using native Notes API's - LotusScript example" & "Using native Notes API's - Java example") are examples in Java and LotusScript.
Please refer to the document describing using the OnTime Group Calendar API (here after API) using Notes native API's before reading this document (see the questions above "Using the OnTime Group Calendar API using Notes native API's (over NRPC).
import lotus.domino.Agent;
import lotus.domino.AgentBase;
import lotus.domino.Database;
import lotus.domino.Document;
import lotus.domino.Item;
import lotus.domino.Session;
import java.util.Vector;
public class JavaAgent extends AgentBase {
public void NotesMain() {
try {
// get agent session
Session session = getSession();
// compose request
String request = "{\"Main\": {\"ApplVer\": \"0.0.1\", \"ApplID\": \"Web2011\", \"APIVer\": 2}}";
// get api database, agent and document
final Database dbApi = session.getDatabase("Solace/Krynn", "ontime/ontimegcapi.nsf");
final Agent agentApi = dbApi.getAgent("ApiNotes");
Document docApi = dbApi.createDocument();
final Vector v = new Vector();
v.add("[ReadAll]");
v.add("[Developer]");
v.add(dbApi.getServer());
v.add(session.getEffectiveUserName());
Item item = docApi.replaceItemValue("_Authors", v);
item.setReaders(true);
item.setAuthors(true);
docApi.replaceItemValue("$Request_0", request);
docApi.sign();
docApi.save();
// get note id
final String noteid = docApi.getNoteID();
docApi.recycle();
docApi = null;
// execute agent
agentApi.runOnServer(noteid);
// fetch api document
docApi = dbApi.getDocumentByID(noteid);
// get response
StringBuilder b = new StringBuilder();
for (int i=0; docApi.hasItem("$Response_" + i); i++) {
b.append(docApi.getItemValueString("$Response_" + i));
}
// write response
System.out.println(b.toString());
} catch (Exception e) {
e.printStackTrace();
}
}
}
Please refer to the document describing using the OnTime Group Calendar API (here after API) using Notes native API's before reading this document (see the questions above "Using the OnTime Group Calendar API using Notes native API's (over NRPC).
Option Public
Option Declare
Sub Initialize
'declarations
Dim session As New NotesSession
Dim noteid As String
Dim request As String
Dim response As String
Dim dbApi As NotesDatabase
Dim agentApi As NotesAgent
Dim docApi As NotesDocument
Dim item As NotesItem
'create request
request = |{"Main": {"ApplVer": "0.0.1", "ApplID": "Web2011", "APIVer": 2}}|
'get API database, agent and document
Set dbApi = New NotesDatabase("Solace/Krynn", "ontime/ontimegcapi.nsf")
Set docApi = New NotesDocument(dbApi)
Set agentApi = dbApi.GetAgent("ApiNotes")
'set items
Dim v(4) As String
v(0) = "[ReadAll]"
v(1) = "[Developer]"
v(2) = dbApi.Server
v(3) = session.Effectiveusername
Set item = docApi.Replaceitemvalue("_Authors", v)
item.Isauthors = True
item.Isreaders = True
Call docApi.ReplaceItemValue("$Request_0", request)
Call docApi.Sign()
Call docApi.Save(True, false)
'get note id
noteid = docApi.Noteid
Delete docApi
'call agent
Call agentApi.Runonserver(noteid)
'fetch API document
Set docApi = dbApi.Getdocumentbyid(noteid)
'get response
Dim i As Integer
While docApi.Hasitem("$Response_" & i)
'append
response = response & docApi.GetItemValue("$Response_" & i)(0)
'increment
i = i + 1
Wend
'show (JSON) response
Print response
End Sub
The OnTime Group Calendar API is a separate offering and is purchased separately so the API Explorer is deliberately limited in what it can return. By default the API Explorer uses the ApiExplorer Application ID which is limited in the following way:
Please note that none or these limitations are present when the Open API option has been purchased and using a custom Application ID issued by OnTime support.
OnBehalfOf is a way to allow certain users to impersonate other users in the API. Impersonation is required for most server application as they need to work on behalf of a user even though the code is signed by another user. For example OnBeHalfOf allows application XYZ to work on behalf the user name supplied to it.
Please note that OnBehalfOf is required to use the OnTime Group Calendar API Java wrapper from XPages.
To configure OnBehalfOf perform the steps below:
See the question below "OnBehalfOf - How does it work? Do you have an example?" for documentation on how to use it in the API.
Developers new to using the OnBehalfOf functionality of the OnTime Group Calendar API (hereafter “API”) sometimes finds it awkward to understand when first introduced to it. This post aims to solve that by explaining exactly how it works.
All requests made to the API needs to run in the context of a user in OnTime Group Calendar as it needs to figure out the access to calendar data. This is why only users in OnTime Group Calendar can make requests against the API. By default when a request is made to the API the request run as the owner of the OnTime Group Calendar access token if using HTTP or the signer of the request if using NRPC. This is what you want when you write a client application where requests should be done as the logged in user. When for some reason you want to perform API operations using the access context of someone else than the OnTime Group Calendar access token (if using HTTP) or the signer of the request (if using NRPC) you use OnBehalfOf.
Examples could be a Domino agent running as under a server identity, applications on a Java Enterprise Edition server such as WebSphere Application Server or simply if a user needs to make requests for other users.
Below is an example of using the OnBehalfOf functionality over HTTP where the Chris Holmes (Chris Holmes/OnTime, chris.holmes[at]ontimesuite.com) user makes requests for Linda Rohdes (linda.rohdes[at]ontimesuite.com) and Jane Fonda (Jane Fonda/OnTime).
Start by registering the caller identity (e.g. “Chris Holmes/OnTime”) in the “Users allowed to run OnBehalfOf” field on Server Settings in the OnTime Group Calendar Configuration database.
With Chris Holmes logged into IBM Domino a request to the apihttptoken endpoint is performed to obtain a HTTP access token.
Request |
POST /ontime/ontimegcweb.nsf/apihttptoken HTTP/1.0 {"Main": {"APIVer": 5, "ApplVer": 1, "ApplID": "MyCustomApp"}} |
Response |
{APIVersion: "3.10.0", |
Now using the access token (for Chris Holmes) I can perform a Login call as though I’m either Linda Rohdes.
Request |
POST /ontime/ontimegcweb.nsf/apihttp HTTP/1.0 {"Main": {"APIVer": 5, "ApplVer": 1, "ApplID": "MyCustomApp", "Token": "chris.holmes.token123", "OnBehalfOf": "linda.rohdes[at]ontimesuite.com"}, "Login": {}} |
Response |
{APIVersion: "3.10.0", |
...or Jane Fonda (here using her DN).
Request |
POST /ontime/ontimegcweb.nsf/apihttp HTTP/1.0 {"Main": {"APIVer": 5, "ApplVer": 1, "ApplID": "MyCustomApp", "Token": "chris.holmes.token234", "OnBehalfOf": "Jane Fonda/OnTime"}, "Login": {}} |
Response |
{APIVersion: "3.10.0", |
If I do not add the OnBehalfOf information the request will be processed for Chris Holmes himself as show below:
Request |
POST /ontime/ontimegcweb.nsf/apihttp HTTP/1.0 {"Main": {"APIVer": 5, "ApplVer": 1, "ApplID": "MyCustomApp", "Token": "chris.holmes.token345"}, "Login": {}} |
Response |
{APIVersion: "3.10.0",
|
Contact: Venlighedsvej 6 | 2970 Hørsholm, Denmark | CVR: DK 1935 2838 | Phone: +45 70 23 23 40
Opening hours (EST): Mon - Thu 09:00 to 16:30 | Fri 09:00 to 16:00 | Sat - Sun < closed >