IBM Sametime 9 – Advanced Server Log-in Not Working


Solved an interesting problem this morning. In a new environment (rebuild/replacement of a V 7 awareness only system) that I built for clients our users were not able to log in to the ST Advanced Servers broadcast communities and chat rooms from their integrated Sametime client in Notes even though they were able to log-in through a browser and had full functionality. At the same time off-line messaging was not working either – but everything else was working just fine.

No manner of trace was giving me the reasons … until I had an epiphany during a thunderstorm this morning – the fact that one of our dogs is deathly afraid of thunder and will try to get INSIDE of you if in any way possible, actually prompted some thoughts that helped me find the issues in one go.

http://www-01.ibm.com/support/docview.wss?uid=swg21499716

I was pretty sure that something was keeping policies from being applied correctly, there had to be something with the way users were being identified. During the upgrade I had not paid enough attention to some of the changes I was testing – I forgot to add the [objectGUID] (using AD as the LDAP directory) to the search filters. Awareness will still work and Meetings as well … however the rest is going to be strange. I had also had some problems looking up users when adding them to the buddy list – that is when I had the epiphany that it was all related.

Here are the changes to the Search Filters:

Search filter for resolving person names:

Original: (&(objectclass=user)(|(mail=%s*)(samAccountName=%s*)(cn=%s*)))
New:       (&(objectclass=user)(|(mail=%s*)(objectguid=%s)(samAccountName=%s*)(cn=%s*)))

Search filter to use when resolving a user name to a distinguished name:

Original: (&(objectclass=user)(|(mail=%s)(cn=%s)(samAccountName=%s)))
New:       (&(objectclass=user)(|(mail=%s)(objectguid=%s)(cn=%s)(samAccountName=%s)))

Search filter for resolving group names:

Original: (objectclass=group)
New:       (&(objectclass=group)(|(objectguid=%s)(cn=%s*)))

 

 

Well, proves once again that it is all about BASICS, BASICS, BASICS ….

 

IBM Connections with Exchange Back-end – Chrome and Kerberos Delegation


First of all, thanks to my new found friend Michele Buccarello who had shared this document earlier last month on some very good pointers about how to integrate Exchange with IBM Connections. With that document and some guesswork as to encryption settings between WAS and Exchange I was able to solve the problem – 90% of the way. We got it to work with IE and Firefox but Chrome was balking and getting into a log-out cycle. I used Fireshark to take a look and noticed it was an auth.redirect action by the HOMEPAGE app that was followed by a REST API call to Opensocial calendar settings for my account – and then right back to the auth.redirect …. a classic redirect loop.
As things were working in FF and IE I knew it was not a system issue but rather a problem localized to Chrome so I looked up some technotes and knowledge base articles and here is how I solved it:
Chrome can be taught to work with Kerberos delegation just as IE and FF. For “normal” SPNEGO it takes its settings from IE and will accept them but with Exchange there is delegation going on (if you look at the Connections documentation it has you change two settings for both IE and FF, one of them refers to delegation) and Chrome needs to get a whitelist of which websites it accepts delegation tickets from:
Option 1: Command line
Change the command line that starts Chrome to include a command switch:
chrome.exe --auth-negotiate-delegate-whitelist=*
Set the value to either [*] (make sure there are NO QUOTES surrounding the [*], even though some articles will have you enter it that way) or any combination of the actual URL you are connecting to, i.e.: [*.domain.com] to limit it to anything inside the intranet domain or [connections.domain.com] for only the Connections website itself. Apparently this can also be a comma-separated list of entries if that works for you.
Option 2: Create Windows Registry entry
Create this entry: [HKEY_LOCAL_MACHINE\SOFTWARE\Policies\Google\Chrome]
In it create a string entry: [AuthNegotiateDelegateWhitelist]
Any of the values used in the above command line example will work in this registry entry, so I suggest trying it on the command line first.
Enjoy – you’re welcome!

IBM File Viewer 1.0.7 Installation – Getting Past The Conversion Server Install Woes


I will keep this short and sweet – to use the free IBM File Viewer with IBM Connections 5.0 with CCM you need to have Connections at CR2 and install IBM File Viewer 1.0.7. So far so good … until you run into all the issues that everybody has been having with the installation of the product, the Conversion Server install fails … a lot, often, and with annoying frequency.

There are two main problems with the Doc Conversion installer:

Problem 1: Doc Conversion Install Fails – Unexplained

The error most people see is this one in the installation log:

2015-06-22 19:53:58,236 INFO Setting Websphere variables...
2015-06-22 19:53:58,236 INFO Exception: cannot concatenate 'str' and 'NoneType' objects
2015-06-22 19:53:58,236 INFO -->IM:ERROR:Traceback (most recent call last):
  File "C:\Install\IBM_File_Viewer-1.0.7.20150213-2234\DocsConversion\installer\common\commands\command.py", line 197, in exec_commands
    _do(cmd, cmd_instance)
  File "C:\Install\IBM_File_Viewer-1.0.7.20150213-2234\DocsConversion\installer\common\commands\command.py", line 108, in _do
    res = cmd_instance.do()
  File "C:\Install\IBM_File_Viewer-1.0.7.20150213-2234\DocsConversion\installer\conversion\set_websphere_variable.py", line 30, in do
    succ = self.__set_variable("CONVERSION_INSTALL_ROOT", CFG.install_root_on_node)
  File "C:\Install\IBM_File_Viewer-1.0.7.20150213-2234\DocsConversion\installer\conversion\set_websphere_variable.py", line 43, in __set_variable
    log.info("Setting " + name + " as:" + value)
TypeError: cannot concatenate 'str' and 'NoneType' objects

The funny thing is .. I got it to install a few times and then with other clients it would fail and I was not able to determine why … until I took a closer look at the python script that it references and the actual error it gives you:

  File "C:\Install\IBM_File_Viewer-1.0.7.20150213-2234\DocsConversion\installer\common\commands\command.py", line 108, in _do
    res = cmd_instance.do()
  File "C:\Install\IBM_File_Viewer-1.0.7.20150213-2234\DocsConversion\installer\conversion\set_websphere_variable.py", line 30, in do
    succ = self.__set_variable("CONVERSION_INSTALL_ROOT", CFG.install_root_on_node)

If you look at the python script, it is basically called to set a few WebSphere variables:

def do(self):
    log.info("Setting Websphere variables...")
    succ = self.__set_variable("CONVERSION_INSTALL_ROOT", CFG.install_root_on_node)
    if not succ:
        return False
    succ = self.__set_variable("DOCS_SHARE", CFG.getSharedDataRoot())
    if not succ:
        return False
    succ = self.__set_variable('VIEWER_SHARE', CFG.getViewerSharedDataRoot())
    if not succ:
        return False
    log.info("Websphere variables set completed")
    return True

This is when I noticed – the CONVERSION_INSTALL_ROOT variable calls for the string [CFG.install_root_on_node] -> the point is – ON NODE. I did some more digging and … the variable for the install root is not taken from the main [cfg.properties] file but rather looked up in the [cfg.node.properties] file.

This explained a lot – I would not always create that file before the install on the first WebSphere node even if the install documentation called for it since I did not think I needed it. By default that file does not exist, the installation package only contains a file called [cfg.node.properties.sample]. The documentation / WIKI tells you to create the file and copy the whole content from the [cfg.properties] into it but does not tell you why you might need it. If you don’t plan to install a secondary node or will only install it on another physical machine you might never create this file and the installer will fail forever because there is no good error handling AND no explanation as to why the [cfg.node.properties] file is important. Frankly, the way the installer works, why you even need the [cfg.node.properties] is beyond me, but I assume there are some IBM Docs install variables that are necessary and IBM wants to keep the number of code changes necessary to a minimum.

Problem 2: Passwords saved to Install.log in the clear

This was something that my buddy Christoph Stoettner had already noticed and talked to me about a while back – not sure if he blogged on it but in any case, here is a shout out to him as he noticed it first.

The installer will stop and restart the IBM HTTP server for you, but for that it needs an OS admin account and asks you for it in the command line. It then promptly logs the entry in clear text in the installation log … a really great example of excellent security that makes me shudder and want to have a very long talk with the developers of the product ….. This is almost criminally negligent.

There is a great way around this, though the IBM File Viewer documentation fails to tell you about it: create a JOBS TARGET for all servers involved in the installation in WebSphere. Though technically you only need the HTTP servers registered, I usually create the targets for all servers. Here is the documentation on how to do it from the IBM Docs documentation. Alternatively you can also just not have the installer restart the IHS, set the variable [restart_webservers=] to [False] and the system should not ask you for the username and password.

If you have already installed the IBM File Viewer – go back to the installation logs and check for the line:

WASX7303I: The following options are passed to the scripting environment and are available as arguments that are stored in the argv variable: "[[[\'ihs.servername.com\', \'adminaccountname\', \'adminaccountpassword\', \'windows\', 0]]]"

Note: I replaced the server name, account name and password in the above example so just look for the logging code [WASX7303I]
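
The check described above can be run across installation logs with a short script. This is an added example, not part of the original post or of IBM's installer; it assumes the argument order shown in the line above (host, account, password), and the sample log, host name and function names are constructed for illustration.

```python
import re

# Constructed sample modelled on the WASX7303I line quoted in the post;
# host, account and password are placeholders, not real values.
SAMPLE_LOG = r"""2015-06-22 19:53:58,236 INFO Setting Websphere variables...
WASX7303I: The following options are passed to the scripting environment and are available as arguments that are stored in the argv variable: "[[[\'ihs.example.com\', \'adminaccountname\', \'adminaccountpassword\', \'windows\', 0]]]"
2015-06-22 19:54:10,101 INFO Websphere variables set completed
"""

# The argv payload: from the first '[' to the last ']' after "argv variable:".
ARGV_LINE = re.compile(r'WASX7303I:.*argv variable:\s*"?(\[.*\])')
# One quoted argument; the log writes each quote as \' so the backslash is optional.
QUOTED = re.compile(r"\\?'([^'\\]*)\\?'")
MASK = "[REDACTED]"


def find_exposed_credentials(log_text):
    """Return (line_no, host, account) for each WASX7303I line that carries
    at least three quoted arguments. Assumes the order shown in the post:
    host, account, password. The password itself is never returned."""
    hits = []
    for line_no, line in enumerate(log_text.splitlines(), 1):
        m = ARGV_LINE.search(line)
        if not m:
            continue
        fields = QUOTED.findall(m.group(1))
        if len(fields) >= 3:
            hits.append((line_no, fields[0], fields[1]))
    return hits


def redact(log_text):
    """Mask the whole argv payload on every WASX7303I line. Masking the full
    payload rather than one field still works when a password contains quotes
    or backslashes that would defeat the per-field parsing above."""
    out = []
    for line in log_text.splitlines(keepends=True):
        m = ARGV_LINE.search(line)
        if m:
            line = line[:m.start(1)] + MASK + line[m.end(1):]
        out.append(line)
    return "".join(out)


if __name__ == "__main__":
    for line_no, host, account in find_exposed_credentials(SAMPLE_LOG):
        print(f"line {line_no}: credentials for {account}@{host} logged in clear text")
    print(redact(SAMPLE_LOG), end="")
```

Redacting the file does not undo the exposure, so the password of any account the script reports should also be changed.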

Hope this helps, I know I was pulling my hair out and even had a PMR opened with IBM that did not help me solve the issue originally as we never found out what really caused the problem – the poor IBM tech was pulling his hair out along with me and the IBM Docs support guy also was not able to help as they do not really work with the IBM File Viewer and do not know the product and what the installation procedure looks like.

MWLUG 2015 – August 19-21 in Atlanta, GA: I’m Speaking – Are You Coming?



I submitted for MWLUG again this year and one of my submissions was accepted:

IBM Connections – Installing the Free “Extras” and Integrating with other Products

The (absolutely riveting) topic will show you all the extras that you get as free entitlements from IBM and a small assortment of for pay third party tools and applications. I will be talking about some of the tricks, tips and potential pitfalls of the install process and how to maneuver between the icebergs.

Will I see you guys there? It’s a great LUG and Atlanta is a fun city with great food and good Baseball … and it is home of the best Irish Pub of 2015 – who’d a thunk it?

Sametime 9 – Cumulative Hotfix for Sametime Proxy 9.0.0 install woes


Installing a new environment for a client and ran into an issue trying to install the Cumulative Hotfix for Sametime Proxy 9.0.0 on top. The documentation is wrong, the location of the registry.xml is incorrect in the document, but let’s not dwell on that one.

I set up the package and ran the Installation Manager and the install was always failing, the package tried to update things in incorrect profile locations and failed with the error it could not find the wimconfig.xml … strange.

I ran the issue past a few friends and compatriots and Declan Lynch had some suggestions: he had run into problems installing HF for Sametime if the WebSphere server running the actual ST process (in this case STProxy) was set to auto-start using the Java Monitoring settings.

So – I disabled the auto-start settings, synced the nodes and restarted the STProxy server …. and the update went through without a hitch. I will be disabling this for all servers during updates/upgrades from here on – I noticed the process stops and starts the nodes and the auto-start of the servers probably made the install scripts go haywire.

Good luck, everybody!

My New Look – Thanks to Social Connections8


Just wanted to give a quick shout out to the whole Social Connections 8 team – it was a SOLID event and I had a lot of fun. Events like this are always an opportunity to learn something new and meet friends (old and NEW) at the same time. Plus, it never hurts that they lock the doors when I start speaking so I get my captive audience – in every sense of the word! And we all know – my DB2 themed presentation (it will be up on slideshare.com pretty soon) was riveting and mesmerizing at the same time. I had me people enthralled …

What I got out of Social Connections this time was more than just more knowledge, I also got a new look … thanks to Wannes for thinking this idea up – I especially like the fact that the picture/piece of art took 15 lbs off the real Victor and eliminated a lot of my “facial flaws” …


Social Connections 8 – April 16 – 17 Boston, MA … and the best thing is I AM SPEAKING


Just got this in my in-box:

Thank you so much for submitting an abstract for Social Connections 8.

We are delighted to inform you that your session ‘DB2 – Did you know your “Social” runs on top of a database?’ has been selected for the event, and has been published to our agenda. It is provisionally scheduled for 11:25 on Friday.
So, it looks like I will be there! Nice thing is that I live (almost) just around the corner and there are two Red Sox home games that weekend …. I guess it is time for some serious Boston Vacation Time with the family!
Go look and see if any of the content interests you http://socialconnections.info/ some of my favorites are going to be there and I am quite happy I am only speaking once, that gives me more time to sit in the other sessions and learn some more. We get some real treats, some of the really good speakers that you usually don’t see other than at Lotusphere, Connect, ConnectED (what the hell is next????) are coming and bringing some really interesting sounding content.
Hope to see you there, you can even heckle in my session if you like!