Wednesday Oct 17, 2012

Configure Calendar Server 7 to Use the davUniqueId Attribute

Starting with Calendar Server 7 Update 3 (Patch 08) we introduce a new attribute davUniqueId in the davEntity objectclass, to use as the unique identifier. 

The reason behind this is quite simple: the LDAP operational attribute nsUniqueId had been chosen as the default value for the unique identifier, and it was discovered that this choice has a potentially serious downside. If the LDAP entry for a user, group, or resource is deleted and recreated in LDAP, the new entry receives a different nsUniqueId value from the Directory Server, which disconnects it from the existing account in the calendar database. As a result, recreated users cannot access their existing calendars.

How To Configure Calendar Server to Use the davUniqueId Attribute?

Populate the davUniqueId for the LDAP users. The populate-davuniqueid shell script can either create an LDIF output file only or (with the -x option) run ldapmodify directly.

# ./populate-davuniqueid -h localhost -p 389 -D "cn=Directory Manager" -w <passwd> -b "o=red" -O -o /tmp/out.ldif

The ldapmodify might fail as shown below. In that case the LDAP entry already has the 'daventity' objectclass; for such entries, run the populate-davuniqueid script without the -O option.

# ldapmodify -x -h localhost -p 389 -D "cn=Directory Manager" -w <passwd> -c -f /tmp/out.ldif
modifying entry "uid=mparis,ou=People,o=vmdomain.tld,o=red"
ldapmodify: Type or value exists (20)

In this case the user 'mparis' already has the objectclass 'daventity'. ldapmodify does not apply the change to this DN and just moves on to the next DN (if you started ldapmodify with the -c option; otherwise it stops completely).

dn: uid=mparis,ou=People,o=vmdomain.tld,o=red
changetype: modify
add: objectclass
objectclass: daventity
-
add: davuniqueid
davuniqueid: 01a2c501-af0411e1-809de373-18ff5c8d

Either run populate-davuniqueid without the -O option or change the output file to:

dn: uid=mparis,ou=People,o=vmdomain.tld,o=red
changetype: modify
add: davuniqueid
davuniqueid: 01a2c501-af0411e1-809de373-18ff5c8d

The ldapmodify works fine now. The only issue I see here is that you need to verify which users might need the 'daventity' objectclass as well. Alternatively, start without the objectclass and only add the objectclass for the users where you get an 'Objectclass violation' report. That indicates the objectclass is missing.

# ldapmodify -x -h localhost -p 389 -D "cn=Directory Manager" -w <passwd> -c -f /tmp/out.ldif
modifying entry "uid=mparis,ou=People,o=vmdomain.tld,o=red"

Now it is time to change the configuration to use the davuniqueid attribute

# ./davadmin config modify -o davcore.uriinfo.permanentuniqueid -v davuniqueid

You also need to modify the search filter to use davuniqueid instead of nsuniqueid

# ./davadmin config modify -o davcore.uriinfo.subjectattributes -v "cn davstore icsstatus mail mailalternateaddress davUniqueId owner preferredlanguage uid objectclass ismemberof uniquemember memberurl mgrprfc822mailmember"

Afterward IWC Calendar works fine and my test user is able to access all his old events.

The observed issue is now also known as an official bug:

14781101 populate-davuniqueid should handle entries with or without daventity OC better

Currently, the populate-davuniqueid script can generate LDAPMOD input that adds the davEntity object class and the davUniqueId attribute at the same time. This does not work well when existing LDAP entries already have the davEntity object class.

In the populate-davuniqueid script, change lines 282-289 from:

  print $1 > OUT
  print "changetype: modify" > OUT
  print "add: objectclass" > OUT
  print "objectclass: daventity" > OUT
  print "-" > OUT
  print "add: davuniqueid" > OUT
  print "davuniqueid: " substr($2, 13) > OUT
  print "" > OUT

to:

  print $1 > OUT
  print "changetype: modify" > OUT
  print "add: objectclass" > OUT
  print "objectclass: daventity" > OUT
  print "" > OUT
  print $1 > OUT
  print "changetype: modify" > OUT
  print "add: davuniqueid" > OUT
  print "davuniqueid: " substr($2, 13) > OUT
  print "" > OUT
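
An alternative to splitting the record, as an added Python example that is not part of the original post or of the product's script: it reads ldapsearch output (requested attributes: objectclass nsuniqueid davuniqueid) and adds the daventity objectclass only where it is missing. It assumes the davuniqueid value is copied from nsuniqueid, as the substr($2, 13) in the script suggests; all sample entries except mparis are constructed.

```python
import base64

# Constructed ldapsearch output. Only the mparis DN and the ID shown for it
# come from the post; the other entries and IDs are made up for the example.
SAMPLE_SEARCH_LDIF = """\
dn: uid=mparis,ou=People,o=vmdomain.tld,o=red
objectClass: inetOrgPerson
objectClass: davEntity
nsuniqueid: 01a2c501-af0411e1-809de373-18ff5c8d

dn: uid=example1,ou=People,o=vmdomain.tld,o=red
objectClass: inetOrgPerson
nsuniqueid: 11111111-22222222-33333333-444444
 44

dn: uid=example2,ou=People,o=vmdomain.tld,o=red
objectClass: inetOrgPerson
objectClass: daventity
nsuniqueid: aaaaaaaa-bbbbbbbb-cccccccc-dddddddd
davuniqueid: aaaaaaaa-bbbbbbbb-cccccccc-dddddddd
"""


def parse_ldif(text):
    """Return a list of records, each a dict: lower-cased attribute -> values."""
    lines = []
    for raw in text.splitlines():
        # LDIF folding: a line starting with one space continues the previous one.
        if raw.startswith(" ") and lines and lines[-1]:
            lines[-1] += raw[1:]
        else:
            lines.append(raw)
    records, current = [], {}
    for line in lines + [""]:
        if not line:                      # blank line ends a record
            if current:
                records.append(current)
                current = {}
            continue
        if line.startswith("#"):
            continue
        attr, _, value = line.partition(":")
        if value.startswith(":"):         # "attr:: <base64>"
            value = base64.b64decode(value[1:].strip()).decode("utf-8")
        else:
            value = value.strip()
        current.setdefault(attr.strip().lower(), []).append(value)
    return records


def ldif_line(attr, value):
    """Emit 'attr: value', switching to base64 where LDIF requires it."""
    safe = (value.isascii() and value == value.strip()
            and not value.startswith((":", "<")) and "\n" not in value)
    if safe:
        return f"{attr}: {value}"
    return f"{attr}:: {base64.b64encode(value.encode('utf-8')).decode('ascii')}"


def build_davuniqueid_ldif(search_ldif):
    """Return (ldif_text, skipped_dns) ready for 'ldapmodify -c -f'."""
    chunks, skipped = [], []
    for rec in parse_ldif(search_ldif):
        if "dn" not in rec:
            continue                      # e.g. a leading "version: 1" block
        dn = rec["dn"][0]
        source_id = rec.get("nsuniqueid", [None])[0]
        if "davuniqueid" in rec or source_id is None:
            skipped.append(dn)            # already populated, or nothing to copy
            continue
        mods = []
        has_oc = any(oc.lower() == "daventity" for oc in rec.get("objectclass", []))
        if not has_oc:
            # Safe to combine with "-": we know the objectclass is absent,
            # so this add cannot fail with "Type or value exists (20)".
            mods.append("add: objectclass\nobjectclass: daventity")
        mods.append("add: davuniqueid\n" + ldif_line("davuniqueid", source_id))
        chunks.append(ldif_line("dn", dn) + "\nchangetype: modify\n"
                      + "\n-\n".join(mods) + "\n")
    return "\n".join(chunks), skipped


if __name__ == "__main__":
    ldif, skipped = build_davuniqueid_ldif(SAMPLE_SEARCH_LDIF)
    print(ldif)
    print("# skipped:", skipped)
```
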

Wednesday Sep 12, 2012

Setup an Autoreply Only Account

For some very good reason you might like to set up an 'autoreply' only account, without storing the incoming mail in a mailbox. If not already done, create an account via the Delegated Admin GUI or the commadmin command line tool.


/opt/sun/comms/da/bin/commadmin user create -D admin -d vmdomain.tld -w enigma -F Mike -l mparis -L Paris -W tester -E Mike.Paris@vmdomain.tld -S mail -H mars.vmdomain.tld

Set mailDeliveryOption to autoreply mode only, so that no email is stored in the user mailbox. Skip this step if you want incoming emails stored in the mailbox.

ldapmodify -D "cn=Directory Manager" -w enigma -f /tmp/modfile

dn: uid=mparis,ou=People,o=vmdomain.tld,o=red
changetype: modify
replace: mailDeliveryOption
mailDeliveryOption: autoreply

Set mailSieveRuleSource with the autoreply text and the 'do-not-reply' From address. The "Thank you ..." part becomes the subject. The next string in quotes is the body part of the message. The ":hours 0" denotes that we want a reply sent for every message. Finally, the \n sequences produce the wanted newlines in the body.

ldapmodify -D "cn=Directory Manager" -w enigma -f /tmp/addfile

dn: uid=mparis,ou=People,o=vmdomain.tld,o=red
changetype: modify
add: mailSieveRuleSource
mailSieveRuleSource: require "vacation"; vacation :hours 0 :reply :from "do-not-reply" :subject "Thank you for contacting webpost" "Your Mail is being review
 ed.\nTo access contact information please visit : \nPlease do
  not reply to this e-mail as it is an automated response on your mail being accessed
 .\n\nPublic Respose Unit.\n";

Monday Feb 13, 2012

COMMS Suite 7u2 on Solaris 11 in Solaris 10 branded Zone

Unfortunately it is not possible to install Communications Suite 7u2 natively on Solaris 11, because the packaging system has changed in Solaris 11 and patchadd is no longer available. To get the benefits of Solaris 11 for COMMS Suite, it is possible to install the COMMS Suite into a Solaris 10 branded Zone.

What's new in Solaris 11

Installation Notes COMMS Suite on Solaris 11 in Solaris 10 branded Zone

NOTE: Use two network adapters for the virtual machine setup, and configure the second network adapter to be used by the Solaris 10 branded Zone. It turns out that I cannot connect to the Zone if only one network adapter is configured for the virtual machine setup. My wild guess on this is that it is a regression (or security rule) of the virtual machine to 'allow' only one MAC address for the virtual machine.

Install Solaris 11

Configure Zone

root@host:~# /usr/sbin/zonecfg -z s10
s10: No such zone configured
Use 'create' to begin configuring a new zone.
zonecfg:s10>  create -t SYSsolaris10
zonecfg:s10>  set zonepath=/export/s10
zonecfg:s10>  verify
zonecfg:s10>  commit
zonecfg:s10>  exit

Install Solaris 10 Zone from flash archive.
More about flash archive can be found here.

zoneadm -z s10 install -a s10u9b14ax.flar -u

Install rpc.rstatd from pkg
rpc.rstatd is not on Solaris 11 and needs to be installed from the repository.

pkg install service/network/legacy-remote-utilities

Solaris 11 Network Configuration
Use net0 for Solaris 11 and net1 for the Solaris 10 branded Zone. Furthermore I chose net0 as 'bridged' and net1 as 'nat' with a static IP in the virtual machine setup.

# dladm show-vnic
LINK                OVER         SPEED  MACADDRESS        MACADDRTYPE       VID
s10/net0            net1         1000   2:8:20:16:87:a5   random            0

# dladm show-phys
LINK              MEDIA                STATE      SPEED  DUPLEX    DEVICE
net0              Ethernet             up         1000   full      e1000g0
net1              Ethernet             up         1000   full      e1000g1

# dladm show-link
LINK                CLASS     MTU    STATE    OVER
net0                phys      1500   up       --
net1                phys      1500   up       --
s10/net0            vnic      1500   up       net1

# ipadm show-if
lo0        loopback ok       yes    --
net0       ip       ok       yes    --

# ipadm show-addr
ADDROBJ           TYPE     STATE        ADDR
lo0/v4            static   ok 
net0/_b           dhcp     ok 
lo0/v6            static   ok           ::1/128
net0/_a           addrconf ok           fe80::20c:29ff:fe21:1364/10

Configure the second network adapter to be used by the Solaris 10 branded Zone

dabrain@eleven:~$ dladm show-phys
LINK              MEDIA                STATE      SPEED  DUPLEX    DEVICE
net0              Ethernet             up         1000   full      e1000g0
net1              Ethernet             unknown    0      unknown   e1000g1

root@eleven:~# zonecfg -z s10
zonecfg:s10> info
zonename: s10
zonepath: /export/s10
brand: solaris10
autoboot: false
ip-type: exclusive
    linkname: net0
    lower-link: auto
    allowed-address not specified
    configure-allowed-address: true
    defrouter not specified
    allowed-dhcp-cids not specified
    link-protection: mac-nospoof
mac-address: random
    auto-mac-address: 2:8:20:16:87:a5
    mac-prefix not specified
    mac-slot not specified
    vlan-id not specified
    priority not specified
    rxrings not specified
    txrings not specified
    mtu not specified
    maxbw not specified
    rxfanout not specified
zonecfg:s10> select anet linkname=net0
zonecfg:s10:anet> set lower-link=net1
zonecfg:s10:anet> info
    linkname: net0
    lower-link: net1
    allowed-address not specified
    configure-allowed-address: true
    defrouter not specified
    allowed-dhcp-cids not specified
    link-protection: mac-nospoof
mac-address: random
    auto-mac-address: 2:8:20:16:87:a5
    mac-prefix not specified
    mac-slot not specified
    vlan-id not specified
    priority not specified
    rxrings not specified
    txrings not specified
    mtu not specified
    maxbw not specified
    rxfanout not specified
zonecfg:s10:anet> end
zonecfg:s10> verify
zonecfg:s10> commit
zonecfg:s10> exit

Boot up Solaris 10 Zone

zoneadm -z s10 boot
zlogin -C -d s10

Install COMMS Suite in Solaris 10 branded Zone

Communications Suite on a Single Host is the Deployment Guide I used for my Lab System.

For some reason Convergence did not fully work when the GlassFish server.http-service.request-processing.thread-count is set to 2, as mentioned in the Deployment Guide. This might be an issue of the non-global zone and/or of the machine being under VMware control.

 _ThreadID=19;_ThreadName=RMI TCP Connection(26)-;|PWC2785: Cannot serialize session attribute
 WizardPageModel_1651029014 for session d4ae7931196f8463f24bb0bda2b7 com.iplanet.jato.view.html.OptionList

Set thread-count to 1

./asadmin set server.http-service.request-processing.thread-count=1

JISS needs a running LDAP server. When LDAP is not under SMF control, we need to either disable JISS or enable SMF for the LDAP server.

svc:/application/jiss-indexSvc:default (JISS Index Service)
 State: maintenance since Thu Feb 09 13:28:55 2012
Reason: Start method failed repeatedly, last exited with status 1.
   See: /var/svc/log/application-jiss-indexSvc:default.log
Impact: 1 dependent service is not running:

svc:/application/jiss-searchSvc:default (JISS search service)
 State: maintenance since Thu Feb 09 13:28:55 2012
Reason: Start method failed repeatedly, last exited with status 1.
   See: /var/svc/log/application-jiss-searchSvc:default.log
Impact: This service is not running.

bash-3.00# svcadm disable /application/jiss-indexSvc:default
bash-3.00# svcadm disable /application/jiss-searchSvc:default

To enable SMF for the LDAP server, check the Directory Server Configuration and Administration Guide:

# dsadm stop /export/home/ds/instances/your-instance
# dsadm enable-service -T SMF /export/home/ds/instances/your-instance
# dsadm start /export/home/ds/instances/your-instance

Overall the COMMS Suite is running fine in the Solaris 10 branded Zone, which did not really surprise me. On the other hand, the COMMS Suite performance is better than on an 'old' native Solaris 10 installation, most likely because of the use of ZFS.

If you want to try the latest Solaris technology but still need the Solaris 10 packaging system, then installing your software in a Solaris 10 branded zone might be the answer.

Wednesday Aug 03, 2011

MySQL database size does not change after deleting event on CalDAV Server

Did you notice that the MySQL database size does not change if you delete events on the CalDAV Server?

The InnoDB shared tablespace file will automatically increase but it will never decrease. If you really need to decrease the size of the DB, then manual administration is needed.

See the following resources for further detailed information:,121880,121886#msg-121886

Monday Jun 27, 2011

Setup Convergence Address Book DisplayName Lookup

In the Convergence Address Book the default lookup for 'Display Name' is the LDAP attribute 'cn', which leads to confusion if you start to set up 'displayName' LDAP attributes for your users.

LDAP User Entry with displayName attribute:

LDAP User Entry

This behavior can be controlled by the configuration file xlate-inetorgperson.xml. Change the default value of XPATH abperson\entry\displayname from 'cn' to 'displayName'.



In case the user has no 'displayName' attribute in LDAP you might notice '...' at the user entry, if it was found via the 'mail' attribute.

Friday Jun 24, 2011

LDAP ACI Debugging

If you've ever wondered which ACI in LDAP is used for a particular ADD/DELETE/MODIFY/SEARCH request, you need to enable ACI debugging to get the details.

Edit/Modify dse.ldif

nsslapd-infolog-area: 128
nsslapd-infolog-level: 1

ACI logging is written to the 'errors' file and looks like this:

[22/Jun/2011:15:25:08 +0200] - INFORMATION - NSACLPlugin - conn=-1 op=-1 msgId=-1 -  Num of ALLOW Handles:15, DENY handles:0
[22/Jun/2011:15:25:08 +0200] - INFORMATION - NSACLPlugin - conn=-1 op=-1 msgId=-1 -  Processed attr:nswmExtendedUserPrefs for entry:uid=mparis,ou=people,o=vmdomain.tld,o=isp
[22/Jun/2011:15:25:08 +0200] - INFORMATION - NSACLPlugin - conn=-1 op=-1 msgId=-1 -  Evaluating ALLOW aci index:33
[22/Jun/2011:15:25:08 +0200] - INFORMATION - NSACLPlugin - conn=-1 op=-1 msgId=-1 -  ALLOW:Found READ ALLOW in cache
[22/Jun/2011:15:25:08 +0200] - INFORMATION - NSACLPlugin - conn=-1 op=-1 msgId=-1 -  acl_summary(main): access_allowed(read) on entry/attr(uid=mparis,ou=people,o=vmdomain.tld,o=isp, nswmExtendedUserPrefs) to (uid=msg-admin-redzone.vmdomain.tld-20100927093314,ou=people,o=vmdomain.tld,o=isp) (not proxied) (reason: result cached allow , deciding_aci  "DA anonymous access rights", index 33)
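
An added example (not from the original post or from Directory Server itself) that pulls the acl_summary records out of the 'errors' file and counts which ACI decided each request. The last sample line is constructed (subject, ACI name, reason text and index are made up), and it is an assumption that denials are logged in the same layout with access_denied.

```python
import re
from collections import Counter

# Lines 1-2 are taken from the log excerpt in the post; line 3 is constructed.
SAMPLE_ERRORS_LOG = """\
[22/Jun/2011:15:25:08 +0200] - INFORMATION - NSACLPlugin - conn=-1 op=-1 msgId=-1 -  Evaluating ALLOW aci index:33
[22/Jun/2011:15:25:08 +0200] - INFORMATION - NSACLPlugin - conn=-1 op=-1 msgId=-1 -  acl_summary(main): access_allowed(read) on entry/attr(uid=mparis,ou=people,o=vmdomain.tld,o=isp, nswmExtendedUserPrefs) to (uid=msg-admin-redzone.vmdomain.tld-20100927093314,ou=people,o=vmdomain.tld,o=isp) (not proxied) (reason: result cached allow , deciding_aci  "DA anonymous access rights", index 33)
[22/Jun/2011:15:25:09 +0200] - INFORMATION - NSACLPlugin - conn=-1 op=-1 msgId=-1 -  acl_summary(main): access_denied(write) on entry/attr(uid=mparis,ou=people,o=vmdomain.tld,o=isp, userPassword) to (uid=example-user,ou=people,o=vmdomain.tld,o=isp) (not proxied) (reason: evaluated deny , deciding_aci  "example deny ACI", index 40)
"""

# One acl_summary record: decision, right, target entry/attribute, requesting
# subject, proxy state, reason and the ACI (name + index) that decided it.
SUMMARY_RE = re.compile(
    r'^\[(?P<ts>[^\]]+)\].*?acl_summary\((?P<phase>[^)]*)\): '
    r'access_(?P<decision>allowed|denied)\((?P<right>\w+)\) '
    r'on entry/attr\((?P<entry>.*?), (?P<attr>[^,()\s]+)\) '
    r'to \((?P<subject>.*?)\) \((?P<proxy>[^)]*)\) '
    r'\(reason: (?P<reason>.*?)\s*, deciding_aci\s+"(?P<aci>[^"]*)", '
    r'index (?P<index>-?\d+)\)'
)


def parse_acl_summaries(log_text):
    """Return one dict per acl_summary line; other NSACLPlugin lines are skipped."""
    records = []
    for line in log_text.splitlines():
        m = SUMMARY_RE.search(line)
        if m:
            rec = m.groupdict()
            rec["index"] = int(rec["index"])
            records.append(rec)
    return records


def decisions_by_aci(records):
    """Count decisions per (aci index, aci name, allowed/denied)."""
    return Counter((r["index"], r["aci"], r["decision"]) for r in records)


def subjects_decided_by(records, aci_name):
    """Bind DNs whose requests were decided by the named ACI."""
    return sorted({r["subject"] for r in records if r["aci"] == aci_name})


if __name__ == "__main__":
    recs = parse_acl_summaries(SAMPLE_ERRORS_LOG)
    for (index, aci, decision), count in sorted(decisions_by_aci(recs).items()):
        print(f"{count:4d}  {decision:8s} index {index:3d}  {aci}")
```
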

Monday Jun 20, 2011

iCal CalDAV multiple alarm notification

If you work with the Apple iCal CalDAV client you might notice an issue where several alarm notifications are sent / received. Say Alice adds Mike's calendar in iCal, and Mike creates an event with an email alarm notification for Tom. Guess what: Tom will receive an email alarm notification from both Mike and Alice.

So whenever you add calendars in iCal which are not your own, you should use the option Ignore Alarms

iCal Ignore Alarms

Monday Oct 18, 2010

Calendar 6.3 Subscribe Internals

In this blog I'll explain how calendar subscribe works and where you need to look when something goes wrong.

Calendar subscribe is done by the following actions:

Bob              -> Calendar properties request for Alice Calendar   -> Calendar Server
Calendar Server  -> Result (read access)                             -> Bob
Bob              -> Calendar subscribe request for Alice Calendar    -> Calendar Server

Calendar Server  -> MODify request Bob LDAP entry                    -> Directory Server
Directory Server -> MODify result                                    -> Calendar Server

Calendar Server  -> Calendar subscribe result                         -> Bob 

First we need to check the calendar user ACL. Alice's user ACL setting can prevent user Bob from read/invite/freebusy lookup. If no permission is set up for user Bob, subscribe will not work.

ACL User setting can be checked on Calendar Server side via command line cscal -v list <user@domain.tld>

bash-3.00# ./cscal -v list alice@domain.tld
alice@domain.tld: owner=alice@domain.tld status=enabled
 name=Bob User
 other owners=
 double book=yes
 time zone=
 character set=
 language code=en
 created=Oct 08, 2010 12:14:01 GMT
 last modified=Oct 08, 2010 12:14:36 GMT
 events last modified=Oct 08, 2010 12:14:01 GMT
 todos last modified=Oct 08, 2010 12:14:01 GMT
 deletelog last modified=Oct 08, 2010 12:14:01 GMT
 number of events=0
 number of tasks=0
 number of deleted events=0
 number of deleted tasks=0
 number of deleted recurring events=0
 number of deleted recurring tasks=0

Check if read/invite or freebusy is allowed. If nothing is allowed, you will not be able to subscribe to Alice's calendar. Information about the ACL in Calendar can be found at -

If the ACL is correct, so that sharing of Alice's calendar is allowed, the http.log of Calendar Server will look like this (debug mode - ics.conf - logfile.loglevel = "Debug")


[18/Oct/2010:12:38:10 +0200] funky cshttpd[1312]: General Debug: WCAP: search_calprops command called.
[18/Oct/2010:12:38:10 +0200] funky cshttpd[1312]: General Debug:        argv[0] = id=vb+hlYD/wrw
[18/Oct/2010:12:38:10 +0200] funky cshttpd[1312]: General Debug:        argv[1] = search-string=alice
[18/Oct/2010:12:38:10 +0200] funky cshttpd[1312]: General Debug:        argv[2] = primaryOwner=1
[18/Oct/2010:12:38:10 +0200] funky cshttpd[1312]: General Debug:        argv[3] = calid=1
[18/Oct/2010:12:38:10 +0200] funky cshttpd[1312]: General Debug:        argv[4] = name=1
[18/Oct/2010:12:38:10 +0200] funky cshttpd[1312]: General Debug:        argv[5] = moreinfo=1
[18/Oct/2010:12:38:10 +0200] funky cshttpd[1312]: General Debug:        argv[6] = fmt-out=text/json
[18/Oct/2010:12:38:10 +0200] funky cshttpd[1312]: General Debug:        argv[7] = dojo.preventCache=1287398290481

[18/Oct/2010:12:39:56 +0200] funky cshttpd[1312]: General Debug: WCAP: subscribe_calendars command called.
[18/Oct/2010:12:39:56 +0200] funky cshttpd[1312]: General Debug:        argv[0] = id=vb+hlYD/wrw
[18/Oct/2010:12:39:56 +0200] funky cshttpd[1312]: General Debug:        argv[1] = calid=alice@domain.tld
[18/Oct/2010:12:39:56 +0200] funky cshttpd[1312]: General Debug:        argv[2] = fmt-out=text/json
[18/Oct/2010:12:39:56 +0200] funky cshttpd[1312]: General Debug:        argv[3] = dojo.preventCache=1287398396328

Now look at the Directory Server part to understand how the MODify request is done.

Working example:

[18/Oct/2010:12:39:56 +0200] conn=6 op=170 msgId=171 - MOD dn="uid=bob,ou=People,o=domain.tld,o=isp"
[18/Oct/2010:12:39:56 +0200] conn=6 op=170 msgId=171 - RESULT err=0 tag=103 nentries=0 etime=0

Not working example:

[13/Oct/2010:11:24:07 +0200] conn=9 op=75 msgId=76 - MOD dn="uid=bob,ou=People,o=domain.tld,o=isp"
[13/Oct/2010:11:24:07 +0200] conn=9 op=75 msgId=76 - RESULT err=50 tag=103 nentries=0 etime=0, Insufficient 'write' privilege to the 'preferredLanguage' attribute of entry 'uid=bob,ou=people,o=domain.tld,o=isp'.

The access log lines above do not show WHO wanted to MODify the user entry. If you scroll back in the access log you might find the BIND request for 'conn=9' (the connection number), and you need to check whether this user has write access to the mentioned LDAP entry.

For Calendar Server 6.3 the BIND is done by the user specified in ics.conf on the Calendar Server side as local.authldapbinddn. If you take a look at the Directory Server ACIs you will not find this specific user; what you will find is a Calendar End User Administrators Group.

NOTE: To search/list the LDAP ACI do:

ldapsearch -D "cn=Directory Manager" -w <password> -b o=isp "aci=*" aci

aci: (target="ldap:///o=isp")(targetattr="objectclass || cn || givenname || sn
  || mail || mailalternateaddress || preferredlanguage || sunUCDateFormat ||
 sunUCDateDeLimiter || sunUCTimeFormat || icsAllowedServiceAccess || icsCalen
 dar || icsCalendarOwned || icsDefaultSet || icsDWPHost || icsExtended || ics
 ExtendedUserPrefs || icsFirstDay || icsFreeBusy || icsGeo || icsPartition ||
  icsPreferredHost || icsQuota || icsSet || icsStatus || icsSubscribed || ics
 Timezone ")(version 3.0; acl "Calendar Server End User Administrator Write A
 ccess Rights - product=ics,class=installer,num=101,version=1"; allow (all) g
 roupdn="ldap:///cn=Calendar End User Administrators Group, ou=Groups, o=isp"

And now the 'local.authldapbinddn' User needs to be a 'uniqueMember' of exactly this Group.

dn: cn=Calendar End User Administrators Group,ou=Groups,o=isp
objectClass: top
objectClass: groupOfUniqueNames
objectClass: iplanet-am-managed-static-group
objectClass: iplanet-am-managed-group
cn: Calendar End User Administrators Group
uniqueMember: uid=calmaster, ou=People, o=domain.tld,o=isp
uniqueMember: uid=cal-admin-host.domain.tld-200909301402,ou=People,o=domain.tld,o=isp

In the non-working example above the 'local.authldapbinddn' user was not part of the Admin Group and therefore the MODify request failed.
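
The correlation described above (find the BIND on the connection of a failed operation, then check that bind DN against the group's uniqueMember values), as an added Python example that is not part of the original post. The BIND lines, their RESULT lines and the DN uid=cal-bind-example are constructed; normalize_dn is a simplified comparison, not full DN matching.

```python
import re

# Constructed sample: only the MOD/RESULT pairs are the "working" and
# "not working" lines from the post; the BIND lines are invented.
SAMPLE_ACCESS_LOG = """\
[13/Oct/2010:11:20:01 +0200] conn=9 op=0 msgId=1 - BIND dn="uid=cal-bind-example,ou=People,o=domain.tld,o=isp" method=128 version=3
[13/Oct/2010:11:20:01 +0200] conn=9 op=0 msgId=1 - RESULT err=0 tag=97 nentries=0 etime=0
[13/Oct/2010:11:24:07 +0200] conn=9 op=75 msgId=76 - MOD dn="uid=bob,ou=People,o=domain.tld,o=isp"
[13/Oct/2010:11:24:07 +0200] conn=9 op=75 msgId=76 - RESULT err=50 tag=103 nentries=0 etime=0, Insufficient 'write' privilege to the 'preferredLanguage' attribute of entry 'uid=bob,ou=people,o=domain.tld,o=isp'.
[18/Oct/2010:12:30:00 +0200] conn=6 op=0 msgId=1 - BIND dn="uid=calmaster,ou=People,o=domain.tld,o=isp" method=128 version=3
[18/Oct/2010:12:30:00 +0200] conn=6 op=0 msgId=1 - RESULT err=0 tag=97 nentries=0 etime=0
[18/Oct/2010:12:39:56 +0200] conn=6 op=170 msgId=171 - MOD dn="uid=bob,ou=People,o=domain.tld,o=isp"
[18/Oct/2010:12:39:56 +0200] conn=6 op=170 msgId=171 - RESULT err=0 tag=103 nentries=0 etime=0
"""

# uniqueMember values of the Calendar End User Administrators Group shown above.
GROUP_MEMBERS = [
    "uid=calmaster, ou=People, o=domain.tld,o=isp",
    "uid=cal-admin-host.domain.tld-200909301402,ou=People,o=domain.tld,o=isp",
]

UNKNOWN = "unknown (no successful BIND seen)"

LINE_RE = re.compile(
    r'^\[(?P<ts>[^\]]+)\] conn=(?P<conn>-?\d+) op=(?P<op>-?\d+) '
    r'msgId=-?\d+ - (?P<rest>.*)$')
OP_RE = re.compile(
    r'^(?P<verb>BIND|MODRDN|MOD|ADD|DEL|SRCH|CMP)\b'
    r'(?:.*?\b(?:dn|base)="(?P<dn>[^"]*)")?')
RESULT_RE = re.compile(
    r'^RESULT err=(?P<err>\d+) .*?\betime=[\d.]+(?:, (?P<msg>.*))?')


def failed_operations(log_text):
    """Return failed non-BIND operations, each annotated with the bind DN."""
    bound = {}     # conn -> DN of the last successful BIND on that connection
    pending = {}   # (conn, op) -> (verb, target DN) still waiting for RESULT
    failures = []
    for line in log_text.splitlines():
        m = LINE_RE.match(line)
        if not m:
            continue
        conn, op, rest = m["conn"], m["op"], m["rest"]
        res = RESULT_RE.match(rest)
        if res is None:
            req = OP_RE.match(rest)
            if req:
                pending[(conn, op)] = (req["verb"], req["dn"] or "")
            continue
        verb, target = pending.pop((conn, op), ("?", ""))
        err = int(res["err"])
        if verb == "BIND":
            # Only a successful BIND changes the identity of the connection.
            bound[conn] = target if err == 0 else ""
        elif err != 0:
            failures.append({
                "time": m["ts"], "conn": conn, "op": verb, "target": target,
                "err": err, "message": res["msg"] or "",
                "bound_as": bound.get(conn) or UNKNOWN,
            })
    return failures


def normalize_dn(dn):
    """Simplified comparison key: trim spaces around RDNs, lower-case."""
    return ",".join(p.strip().lower() for p in re.split(r'(?<!\\),', dn))


def is_unique_member(bind_dn, unique_members):
    """True if bind_dn matches one of the group's uniqueMember values."""
    wanted = normalize_dn(bind_dn)
    return any(normalize_dn(member) == wanted for member in unique_members)


if __name__ == "__main__":
    for f in failed_operations(SAMPLE_ACCESS_LOG):
        member = is_unique_member(f["bound_as"], GROUP_MEMBERS)
        print(f'{f["time"]} conn={f["conn"]} {f["op"]} {f["target"]} '
              f'err={f["err"]} bound_as={f["bound_as"]} in_admin_group={member}')
```
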

Monday May 31, 2010

Random Glassfish Tuning Debugging Notes

From my point of view it is hard to find information about Glassfish tuning and debugging, as there is so much around. Therefore I'll try to put notes and resources together on this topic.

How can I configure Glassfish to use a 64-bit JVM?

If you need to break the 2GB or 4GB heap (depending on your OS/JVM) maximum barrier for your GlassFish-powered application, you can move to a 64-bit JVM.  The following applies to the Glassfish "developer" and "cluster" profiles.

To do so :

  • make sure you have a 64-bit JVM properly installed
  • adjust the AS_JAVA variable in GLASSFISH_HOME/config/asenv.conf (applies to an entire install, not to a specific domain or instance)
  • replace the -client or -server option with -d64 in the domain jvm-options (use the Admin tool or asadmin create-jvm-options rather than editing domain.xml).       


It worked after doing the steps below:

  • Reinstalled 1.6.0_07 64 bit jdk.
  • added -d64 to asadmin script
  • added <jvm-options>-d64</jvm-options> to domain.xml
  • Changed <jvm-options>-client</jvm-options> to <jvm-options>-server</jvm-options>

Glassfish "hangs"?

[Thanks to oleksiys but I've to correct some minor issues on this Topic.]

When you find that Glassfish is not responsive, please take a snapshot of the thread dump:

Find the pid of the Glassfish process:

/usr/ucb/ps -auxwww | grep java | grep <install instance of glassfish>

Force the thread dump to be written to the jvm.log file:

kill -3 <pid>

Please collect 3-5 sets of the above data during the hang.

Locate jvm.log file (usually it could be found in the instance log directory):  GF/domains/domain1/logs/jvm.log

You can check the jvm.log file and make sure listed threads are not blocked inside your (web) application classes.

If not - report the problem on glassfish users mailing list or forum, providing as detailed info/observations on the usecase as possible.

Glassfish - Grizzly Notes

Grizzly Option    


_ThreadName=httpSSLWorkerThread-80-3;|SocketChannel headersjava.nio.channels.SocketChannel
[connected local=/ remote=/] are: === MimeHeaders ===
host = funky.vmdomain.tld
user-agent = Mozilla/5.0 (Macintosh; U; Intel Mac OS X 10.6; en-US; rv: Gecko/20100401 Firefox/3.6.3
accept = text/html,application/xhtml+xml,application/xml;q=0.9,*/*;q=0.8
accept-language = en-us,en;q=0.5
accept-encoding = gzip,deflate
accept-charset = ISO-8859-1,utf-8;q=0.7,*;q=0.7
keep-alive = 115
connection = keep-alive
content-type = text/xml; charset=UTF-8
referer = http://funky.vmdomain.tld/iwc_static/layout/main.html?lang=de&13.01_012515&
content-length = 120
cookie = JSESSIONID=b72180d3f69020df575f8262eed2; form:tree-hi=form:tree:configurations:configuration1:jvmSettings;
pragma = no-cache
cache-control = no-cache


Grizzly 1.0.33-b running on SunOS-5.10 under JDK version: 1.6.0_16-Sun Microsystems Inc.
         port: 1080
         maxThreads: 5
         ByteBuffer size: 8192
         useDirectByteBuffer: 8192
         maxKeepAliveRequests: 256
         keepAliveTimeoutInSeconds: 30
         Static File Cache enabled: false
         Pipeline : com.sun.jbi.httpsoapbc.embedded.LinkedListThrottlePipeline
         Round Robin Selector Algorithm enabled: false
         Round Robin Selector pool size: 0
         Asynchronous Request Processing enabled: true|#]

Further Resources

Tuning the Java Heap

Glassfish Tuning - HTTP Thread Pool

Measuring HTTP Listener Service Time With BTrace

IWC Performance Tuning

Tuesday Apr 06, 2010

Use particular .msg file on different Mailstore

If you need to use a .msg file for testing purposes in a different user mailbox, even one from a totally different mailstore / domain / user, this blog describes how to do it.

First of all you need to know the location of the destination user mailbox. To find it, use the hashdir command line tool.

bash-3.00# /opt/sun/comms/messaging64/bin/hashdir mparis

The location of the mailbox then should look like this (on default installation)

bash-3.00# pwd

Now copy the .msg file to the destination user mailbox

cp /tmp/1234.msg .

Take care that the file gets the right permissions

chown mailsrv:mail 1234.msg

Finally you need to run reconstruct on the destination user mailbox

/opt/sun/comms/messaging64/bin/reconstruct -f -r user/mparis

Now you are able to access the user mailbox and the message for further testing / debugging.

Tuesday Mar 23, 2010

IWC debugging lite

If you need to debug IWC you can use the Firebug plugin, but you can also enable the debug option in IWC itself. I decided to do this only when needed, but I didn't want to stop IWC, enable it, and start IWC up again, and vice versa to disable it.

My 'hack' is to do it like this:

Create a copy of iwc_static/layout/main.html to iwc_static/layout/main-fb.html

Edit the new main-fb.html and enable debugging (change isDebug to true);

isDebug: true,

If you now need to do debugging on IWC you just need to login into IWC. 

Now manually change the URL from main.html to main-fb.html and here we go.

Click on Popup to open debug in an extra window.

The second trick is to add the "isDebug=true" parameter to the URL. This can be done prior to login and will be carried forward to when main.html is loaded for the first time, e.g.


NOTE: This only works in Convergence 2 currently.

Happy debugging....

Thursday Jan 28, 2010

VMWare Network Interface configuration on MacOS

If you would like to use static IP addresses for your virtual machines and you might already have one of them, you might run into trouble connecting to them on a different host system. Assume your VMs are on an external HD and you connect them to a different host system.

I don't know how VMware chooses the IP addresses to be used for the network interface, but I noticed it is always a different IP address after installation or on a different host system.

Network Interface configuration after installation of VMWare;

    inet netmask 0xffffff00 broadcast
    ether 00:50:56:c0:00:01
    inet netmask 0xffffff00 broadcast
    ether 00:50:56:c0:00:08

Because I chose network for all of my VMs I'm unable to connect to them out of the box after installing VMware. In this blog I'll describe how to change the host network interface configuration for VMware.

Stop the VMWare network interfaces:

/Library/Application Support/VMware Fusion

./ --stop
VMware Fusion 215242: Shutting down VMware Fusion:
Stopped DHCP service on vmnet1
Disabled hostonly virtual adapter on vmnet1
Stopped DHCP service on vmnet8
Stopped NAT service on vmnet8
Disabled hostonly virtual adapter on vmnet8
Stopped all configured services on all networks

Now you need to edit the locations and networking files, and the dhcp.conf and nat.conf files below the interface subdirectory. I use the vmnet8 interface for my setup

grep -i vnet_8 locations
remove_answer VNET_8_NAT
answer VNET_8_NAT yes
remove_answer VNET_8_DHCP
answer VNET_8_DHCP yes

grep -i vnet_8 networking
answer VNET_8_DHCP yes
answer VNET_8_DHCP_CFG_HASH 2A9C9A6C4638668427E2D91C857EDE91F35FFFC1
answer VNET_8_NAT yes

/Library/Application Support/VMware Fusion/vmnet8


allow unknown-clients;
default-lease-time 1800;                # default is 30 minutes
max-lease-time 7200;                    # default is 2 hours

subnet netmask {
    option broadcast-address;
    option domain-name-servers;
    option domain-name localdomain;
    default-lease-time 1800;                # default is 30 minutes
    max-lease-time 7200;                    # default is 2 hours
    option routers;
host vmnet8 {
    hardware ethernet 00:50:56:C0:00:08;
    option domain-name-servers;
    option domain-name "";
    option routers;


# NAT gateway address
ip =
netmask =
# VMnet device if not specified on command line
device = /dev/vmnet8

Start the VMware service, and the interface should now have the configuration.

./ --start
VMware Fusion 215242: Starting VMware Fusion:
Verifying files from package 'com.vmware.fusion.application' on '/'.
Finished verifying files from package 'com.vmware.fusion.application' on '/'.
Started network services
Verifying and re-installing files from /Library/Application Support/VMware Fusion/thnuclnt

Network Interface configuration for vmnet8 now looks to be perfect:

    inet netmask 0xffffff00 broadcast
    ether 00:50:56:c0:00:08

And is it now working? Yes it is....

PING ( 56 data bytes
64 bytes from icmp_seq=0 ttl=255 time=1.021 ms
64 bytes from icmp_seq=1 ttl=255 time=0.357 ms
64 bytes from icmp_seq=2 ttl=255 time=0.409 ms
64 bytes from icmp_seq=3 ttl=255 time=0.411 ms
64 bytes from icmp_seq=4 ttl=255 time=0.364 ms
64 bytes from icmp_seq=5 ttl=255 time=0.402 ms
64 bytes from icmp_seq=6 ttl=255 time=0.390 ms
64 bytes from icmp_seq=7 ttl=255 time=0.395 ms
64 bytes from icmp_seq=8 ttl=255 time=0.300 ms
64 bytes from icmp_seq=9 ttl=255 time=0.521 ms
64 bytes from icmp_seq=10 ttl=255 time=0.367 ms
64 bytes from icmp_seq=11 ttl=255 time=0.474 ms
64 bytes from icmp_seq=12 ttl=255 time=0.464 ms
64 bytes from icmp_seq=13 ttl=255 time=0.473 ms
--- ping statistics ---
14 packets transmitted, 14 packets received, 0.0% packet loss
round-trip min/avg/max/stddev = 0.300/0.453/1.021/0.167 ms

Wednesday Dec 02, 2009

COMMS Delegated Admin Password Reset

If you need to reset the Delegated Admin password for COMMS, you need to take care of Messaging Server and Convergence as well.

Set a new password for the Delegated Admin user ( dn: uid=admin,ou=People,o=domain.tld,o=isp ). I prefer to do such LDAP tasks with the Apache Directory Studio.

Now you are able to log in to Delegated Administrator and perform tasks like add/modify/delete users or domains. But if you log in as a user to Convergence you will get the following error message.

At this point you need to configure Messaging Server and Convergence with the new password. As long as they still use the old password for the admin user, you will run into this issue.

Set the Messaging Server admin password with the configutil command at /opt/sun/comms/messaging64/sbin

./configutil -o local.service.proxy.adminpass -v newpassword

You also need to configure Convergence with the new admin password, using the iwcadmin command at /opt/sun/comms/iwc/sbin

./iwcadmin -u admin -w iwcadminpass -o mail.proxyadminpwd -v newpassword 

Restart Messaging Server and the web container where Convergence is deployed, usually the Glassfish Application Server.

Last but not least you need to update the last saveState file with the new password; otherwise you will run into trouble the next time you install a Convergence patch, as the post-patch script will use the password value from the saveState file.

java -cp /var/opt/sun/comms/iwc/WEB-INF/lib/iwc-shared-util.jar com.sun.comms.shared.util.EncryptInstallPasswd newpassword

Use the output from the above command and modify the last saveState file, for example it is located at /opt/sun/comms/iwc/install/Iwc-config_20091001150607


iwc.webMailAdminUserID = admin
iwc.webMailAdminPass = 

Friday Nov 27, 2009

Glassfish Key Management

number9 has a very detailed blog about adding existing SSL keypairs to Java keystores

Friday Nov 13, 2009

COMMS7 Installation Experience on RHEL5

For some reason you might want to install Comms7 on RedHat Enterprise Linux. I gave it a try on RHEL5. Please find my experience below. As always, your mileage may vary.

RedHat preparations

Network DHCP

After installation my RHEL5 used DHCP for the network config, but I wanted to disable DHCP and assign a static IP address, which can be done by editing:



Afterward restart the network service with:

# service network restart

Disable SELinux

I didn't know SELinux in detail, and I don't yet want to learn about this security stuff. Nevertheless, I already ran into trouble when starting the LDAP Directory Server.

SELinux is preventing ns-slapd from loading /opt/sun/directory/ds6/lib/ which requires text relocation.

The following commands will allow this access:

chcon -t textrel_shlib_t '/opt/sun/directory/ds6/lib/'
chcon -t textrel_shlib_t '/opt/sun/directory/ds6/lib/'
chcon -t textrel_shlib_t '/opt/sun/directory/ds6/lib/'
chcon -t textrel_shlib_t '/opt/sun/directory/ds6/lib/'

But even after running the commands mentioned above, the LDAP Directory Server wasn't able to run correctly.

Long story short: disable SELinux!


# This file controls the state of SELinux on the system.
# SELINUX= can take one of these three values:
# enforcing - SELinux security policy is enforced.
# permissive - SELinux prints warnings instead of enforcing.
# disabled - SELinux is fully disabled.


Note: You should read more about SELinux by Kerry Thompson.


Get the software here

I installed COMMS7 without Access Manager. Because of this I don't even need the Web Server to deploy Access Manager into.

The instructions for single host installation are on our wiki.

Glassfish and JAVA 1.6 (32Bit / 64Bit)

Even on Linux you should use Java 1.6, but the annoying fact is that you need the 32-bit version for the installation even on a 64-bit Linux OS. This is known as Bug 6820045; the bug mentions Glassfish only, but it is the same for Convergence as well.

Synopsis: Glassfish cannot be installed on Linux 64 version

If you are installing Sun GlassFish Enterprise Server on a 64–bit machine (running a 64–bit operating system), use a 32–bit JDK to install Sun GlassFish Enterprise Server on your 64–bit machine. You will need to use the following command:

./distribution_filename —javahome path to 32–bit JDK location

After installation, download the 64–bit JDK from Edit the value of the AS_JAVA variable in the asenv.conf file to point to the 64–bit JDK installation, so that Sun GlassFish Enterprise Server uses the 64–bit JDK.

The rest of the installation and configuration went through very well. Finally I created a start script for the COMMS7 Suite.


echo "*** Start Directory Server ***"
/opt/sun/directory/ds6/bin/dsadm start /var/opt/sun/directory/dsins1/
echo "*** Start Messaging Server ***"
echo "*** Start Calendar Server ***"
echo "*** Start Glassfish Application Server ***"
/opt/sun/appserver/bin/asadmin start-domain domain1
echo "*** Start Instant Messaging ***"
/opt/sun/comms/im/sbin/imadmin start

Thursday Oct 29, 2009

Deploy URI of COMMS7 Application

During the installation of Comms7 you need to enter the URI path for deploying applications like DA (Delegated Admin), IWC (Convergence), DAV (CalDAV), etc.

If you plan to have several applications deployed in the same instance, never ever choose / for any of them; doing so leaves the other applications not working. The application deployed at / is the only one left working.

If you have already chosen / for one of the applications, this isn't a big issue. Just stop the Application Server and edit its domain.xml config file, which is in the /appserver-root-dir/domains/domain1/config directory, and set the context-root values similar to the ones below.

web-module  ...  context-root="/commcli"   ... name="commcli"     
web-module  ...  context-root="/da"        ... name="Delegated_Administrator"     
web-module  ...  context-root="/davserver" ... name="davserver" 
web-module  ...  context-root="/im"        ... name="im"     
web-module  ...  context-root="/iwc"       ... name="Convergence" 

Afterwards start the Application Server. You should now see the default index.html when you access the root URI of the Glassfish Application Server
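
A check for the misconfiguration described above, as an added example that is not part of the original post or of Glassfish itself. It lists the context root of every web-module in a domain.xml and flags a module deployed at / and, going one step beyond the post, two modules that share one context root. The function names and the sample domain.xml content are constructed for illustration.

```shell
#!/bin/sh
# Added example, not from the original post: audit the context-root of every
# <web-module> in a GlassFish domain.xml read on stdin. Prints
# "name<TAB>context-root<TAB>verdict"; exit status is 1 if anything is flagged.
check_context_roots() {
    tr '\n' ' ' |                    # join elements that span several lines
    grep -o '<web-module[^>]*>' |    # one web-module element per line
    awk '
    {
        name = "(unnamed)"
        if (match($0, /[ \t]name="[^"]*"/))
            name = substr($0, RSTART + 7, RLENGTH - 8)
        if (!match($0, /context-root="[^"]*"/)) next
        root = substr($0, RSTART + 14, RLENGTH - 15)
        if (root == "" || root == "/") {        # both mean the server root
            root = "/"; verdict = "ROOT"
        } else if (root in owner) {
            verdict = "DUPLICATE of " owner[root]
        } else {
            verdict = "ok"
        }
        if (verdict != "ok") bad = 1
        if (!(root in owner)) owner[root] = name
        printf "%s\t%s\t%s\n", name, root, verdict
    }
    END { exit bad + 0 }'
}

# Constructed sample: Convergence was given / during installation.
sample_domain_xml() { cat <<'EOF'
<applications>
  <web-module context-root="/" enabled="true" name="Convergence"/>
  <web-module context-root="/da" enabled="true"
              name="Delegated_Administrator"/>
  <web-module context-root="/davserver" enabled="true" name="davserver"/>
  <web-module context-root="/da" enabled="true" name="commcli"/>
</applications>
EOF
}

sample_domain_xml | check_context_roots ||
    echo "fix the flagged context-root values before starting the domain"
```

To audit a real installation, feed the function the domain.xml from the config directory named above instead of the sample.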


If you would like to avoid your users seeing the Glassfish index.html when accessing /, you might want to replace the Glassfish index.html with something that forwards your users to one of the deployed applications, most likely IWC. For this kind of forwarding you 'just' need a single line in /appserver-root-dir/domains/domain1/docroot/index.html

<meta http-equiv="refresh" content="1;url=http://yourserver.domain.tld/iwc">

Tuesday Oct 27, 2009

Update Mac iCal with Sun Java System Calendar Server events

Export and import is an easy way to get your Mac iCal up to date. But doing it manually is boring, therefore I thought it would be nice to have this scripted, but unfortunately I was not able to create a working AppleScript for iCal; even the AppleScript recorder resulted in an empty AppleScript, don't ask me why.

My result so far is a small shell script which exports your calendar from the Calendar Server, saves it as export.ics and opens iCal with the export.ics file; you only have to click OK for the import.

Note: The script doesn't take care of hosted domains, but you might get an idea of what that needs to look like. In the script itself you need to place the settings for server, username and password. It works for http and https.


# Your calendar server

# username and password

# --insecure skips TLS certificate verification; drop it once the
# server presents a certificate your system trusts.
curlopts='--silent --insecure'

# Open up a session with the calendar server
id=$(curl $curlopts "${request}" | \
  grep SESSION-ID | head -1 | \
  sed -e "s/.*SESSION-ID:\([a-zA-Z0-9]*\).*/\1/")
if [ -z "${id}" ]; then
  echo "Error: Could not get session id!"
  exit 1
fi
printf "\nSession ID: %s - OK\n" "${id}"
printf " - - - - - - - - - \n"

# export
curl --data "id=${id}&calid=${user}&content-out=text/calendar" "${request}" > ./export.ics

printf "\n"
printf " - - - - - - - - - \n"

# logout
curl $curlopts "${request}"

open export.ics
The console output will look like this:
$ ./ 

Session ID: fMLeoJtcMMw - OK
 - - - - - - - - - 
  % Total    % Received % Xferd  Average Speed   Time    Time     Time  Current
                                 Dload  Upload   Total   Spent    Left  Speed
100  222k  100  222k    0    53   304k     72 --:--:-- --:--:-- --:--:--  381k

 - - - - - - - - - 
PRODID:-//Sun/Calendar Server//EN

Note: If you would like to update the Sun Java Calendar Server vice versa from iCal, then jCalendarCopy might be a solution for you.

Monday Oct 26, 2009

Empty Convergence Address Book

I got a request these days about an empty Convergence Address Book for a certain user. The user in question had several entries in his Address Book from the LDAP point of view. Even newly created entries in the Address Book disappeared after relogin.

First of all I requested the LDAP ldif output of this Address Book entry to reproduce this in my lab setup.

In the ldif file itself I needed to change each piPStoreOwner to fit my lab user.

The original:

piEntryID=e102780a18b2208e, piPStoreOwner=source-user, o=source-domain.tld,o=piserverdb

changed to:

piEntryID=e102780a18b2208e, piPStoreOwner=tberlin, o=vmdomain.tld,o=piserverdb

Afterwards I added this to the LDAP Server with:

ldapadd -f abook-test.ldif -D "cn=Directory Manager" -w password

I got the same result for my lab user: an empty Convergence Address Book view. A look into the LDAP access log file shows that 282 entries were returned for the search from Convergence.

[23/Oct/2009:16:20:35 +0200] conn=30 op=55 msgId=75 - SRCH base="pipstoreowner=tberlin,o=vmdomain.tld,o=piserverdb" scope=2 filter="...snipped..."
[23/Oct/2009:16:20:35 +0200] conn=30 op=55 msgId=75 -  SORT displayName (282)
[23/Oct/2009:16:20:35 +0200] conn=30 op=55 msgId=75 - RESULT err=0 tag=101 nentries=282 etime=0 notes=U

Interestingly the iwc.log (Debug mode) reported nb total entries found=0

ADDRESS_BOOK: DEBUG from com.sun.comms.client.ab.coresrv.CorePersonalStore  
  Thread httpSSLWorkerThread-80-2 at 2009-10-23 16:22:05,430 - searchBook: bookEntryID=e102780a18b2208e, 
ADDRESS_BOOK: DEBUG from com.sun.comms.client.ab.abutil.ABUtils  
  Thread httpSSLWorkerThread-80-2 at 2009-10-23 16:22:05,431 - Host & Port to match funky.vmdomain.tld:389
ADDRESS_BOOK: DEBUG from com.sun.comms.client.ab.abutil.ABUtils  
  Thread httpSSLWorkerThread-80-2 at 2009-10-23 16:22:05,431 - Returning dbKey ==null
ADDRESS_BOOK: DEBUG from com.sun.comms.client.ab.coresrv.CorePersonalStore  
  Thread httpSSLWorkerThread-80-2 at 2009-10-23 16:22:05,440 - searchBook: nb total entries found=0

It turns out that 'corrupt' entries in LDAP cause this issue. The LDAP entries which caused this issue had 'corrupt' sn and displayName information.

After I removed the corrupt entries the Address Book worked as expected.
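
The comparison made above between the Directory Server access log and iwc.log can be scripted. This is an added example, not part of the original post: the function names are made up here, the sample input is constructed from the log lines quoted above, and pairing the latest entry of each log is an assumption.

```shell
# Added example, not from the original post; function names are made up here.
# Pair each SRCH with its RESULT by conn/op (fields 3 and 4) and print
# "conn op<TAB>base<TAB>nentries<TAB>notes". notes=U marks an unindexed search.
ldap_search_results() {
    awk '
    / SRCH / {
        if (match($0, /base="[^"]*"/))
            base[$3 " " $4] = substr($0, RSTART + 6, RLENGTH - 7)
    }
    / RESULT / {
        key = $3 " " $4; n = "?"; notes = "-"
        for (i = 5; i <= NF; i++) {
            if ($i ~ /^nentries=/) n = substr($i, 10)
            if ($i ~ /^notes=/)    notes = substr($i, 7)
        }
        if (key in base) printf "%s\t%s\t%s\t%s\n", key, base[key], n, notes
    }'
}

# Compare the latest address-book search in the access log ($1) with the
# latest searchBook count in iwc.log ($2). Assumption: both belong to the
# same address-book load, since iwc.log carries no conn/op to join on.
abook_count_check() {
    ldap=$(ldap_search_results < "$1" |
        awk -F '\t' 'tolower($2) ~ /^pipstoreowner=/ { n = $3 } END { print n }')
    iwc=$(sed -n 's/.*searchBook: nb total entries found=\([0-9]*\).*/\1/p' "$2" |
        tail -n 1)
    if [ -n "$ldap" ] && [ "$ldap" = "$iwc" ]; then
        echo "match: $ldap entries"
    else
        echo "MISMATCH: LDAP returned ${ldap:-?}, Convergence listed ${iwc:-?}"
        return 1
    fi
}

# Sample input constructed from the log lines quoted in the post.
sample_access_log() { cat <<'EOF'
[23/Oct/2009:16:20:35 +0200] conn=30 op=55 msgId=75 - SRCH base="pipstoreowner=tberlin,o=vmdomain.tld,o=piserverdb" scope=2 filter="...snipped..."
[23/Oct/2009:16:20:35 +0200] conn=30 op=55 msgId=75 - RESULT err=0 tag=101 nentries=282 etime=0 notes=U
EOF
}
sample_iwc_log() { cat <<'EOF'
  Thread httpSSLWorkerThread-80-2 at 2009-10-23 16:22:05,440 - searchBook: nb total entries found=0
EOF
}

tmp=$(mktemp -d); sample_access_log > "$tmp/access"; sample_iwc_log > "$tmp/iwc.log"
abook_count_check "$tmp/access" "$tmp/iwc.log" || true; rm -rf "$tmp"
```

A mismatch like the one reported here means the directory returned the entries and they were dropped on the Convergence side, which points at the entry data rather than at the search.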

Wednesday Oct 14, 2009

Calendar Server 6 and Calendar Server 7 Coexistence

I've set up Calendar Server 6 and CalDAV Server coexisting on the same system, which is quite easy to do, just follow the description on our wiki. You need to be sure that autoprovision on CS6.3 is disabled, the LDAP attributes are set correctly and the CalDAV users do not exist on the CS6.3 backend.

You can set up users on the CalDAV Server; they are able to access the calendar with CalDAV clients like iCal, iPhone, Thunderbird Lightning, etc.

Convergence (Patch 10) Limitations:

- Convergence is not able to access the CalDAV backend (Feature planned for next Convergence Update Release - End 2009)

- Freebusy Lookup for CalDAV User didn't work (Issue is already addressed and will be integrated in upcoming Release)

- Event Invitation is based on Mail with *.ics Attachment (The Event will not automatically be stored in the CalDAV User Calendar)

MacOS iCal Limitations:

- iCal always wants to save the *.ics attachment in the default calendar. I've not yet found any option to choose the CalDAV calendar for the save.

- iCal's mail sending is based on an AppleScript at: /Applications/ and it will use per default the MacOS If you, like me, work with Thunderbird and would like to set up Thunderbird as the mail client for iCal, this looks to be a challenge. Thunderbird currently (Version is not able to use AppleScript. Therefore it will not work to just replace "Mail" with "Thunderbird" in the Mail.scpt script. You need to rewrite the script more or less completely. I just set up my account on MacOS specially for this purpose. More on AppleScript and Thunderbird can be found in this thread.

Tuesday Oct 06, 2009

COMMS7 Installation Experience

My personal experience of COMMS7 installation and configuration. 

Get the Software here

I followed the instruction at our wiki for single host installation.

Java 1.6 Version

First of all, make sure that you have Java 1.6: either it is already installed, or get the Java 6 JDK. By default Glassfish (Application Server) and the Web Server still use Java 1.5 out of the box, but at least the IM and CalDAV Server need Java 1.6 to deploy the server applications.

IM (Instant Messaging Server)

According to the current Release Notes the supported web container is Glassfish (Application Server). But you are also able to deploy the IM application in the Web Server (as mentioned on our wiki). I've not yet observed any issues, as I also deployed IM in the Web Server.

Glassfish (Application Server)

The bundled Glassfish Application Server is a bit outdated, so you had better get the latest version; you can also install the latest version after installing and configuring Comms Suite 7. The patch installation, which is a binary, will ask you if you would like to upgrade the older version (current Solaris-x86 version is 128648-13).

Set Java 1.6 in /opt/sun/appserver/config/asenv.conf: AS_JAVA="/path/to/java1.6"

Calendar Server 7 (CalDAV Server)

Don't ask me why, but the deployment of the CalDAV application did not work from the init-config in my case. Therefore I manually deployed the CalDAV application afterwards, which works fine.

/opt/sun/comms/davserver/sbin/config-appsvr deploy <AS-admin-password>

For some unknown reason the needed JDBC resources were also missing, maybe because the init-config wasn't able to deploy the CalDAV application. The davserver log files mentioned the missing resource.

SEVERE  [2009-10-02T16:09:18.617+0200] <...JdbcBackend.getDataSource> Cannot lookup DataSource: javax.naming.NameNotFoundException: defaultbackend not found
SEVERE  [2009-10-02T16:09:18.619+0200] <...DavServer.loadBackend> failed to instantiate or create backend com.sun.comms.davserver.backends.BackendException: Cannot get DataSource: javax.naming.NameNotFoundException: defaultbackend not found(OPERATION_NOT_SUPPORTED) 

So I had to create the missing resources with asadmin.

% asadmin create-jdbc-connection-pool -p 4848 --user admin --datasourceclassname com.mysql.jdbc.jdbc2.optional.MysqlDataSource --restype javax.sql.DataSource --property "DatabaseName=caldav:serverName=localhost:user=caldav:password=passwd:portNumber=3306:networkProtocol=jdbc:characterEncoding=UTF-8" caldavPool
% asadmin create-jdbc-resource -p 4848 --user admin --connectionpoolid caldavPool jdbc/defaultbackend

NOTE: Take care that you choose the right user and hostname, in my case 'caldav' and 'localhost'. This is the user and host which is allowed to connect to the MySQL backend. You might want to cross-check your settings on the MySQL backend.

mysql> SELECT user, host FROM mysql.user WHERE user='caldav';
+--------+-----------+
| user   | host      |
+--------+-----------+
| caldav | localhost |
+--------+-----------+

iCal Config

If you try to add an iCal account for a CalDAV user, then you need to take care to use the email address and NOT the uid of the CalDAV user for the server path in iCal; it has to look like this


You can also access CalDAV via your browser, but here the URL needs the uid and NOT the email, which is a bit confusing; the URL has to look like this:


Calendar Server 6 and Calendar Server 7 Coexistence

Unfortunately I'm not completely finished with this part yet; anyway, the setup is mentioned on our wiki as well. More to comment on this soon.

Other useful Tools for Comms Suite

Apache Directory Studio -  LDAP browser/editor.

Sequel Pro - MySQL browser/editor (MacOS)


Andreas Breuer - TSC Engineer - writes about his life in support.

