IBM WebSphere / Connections – Performance, Security and the SESN0008E Error


Just found a new issue today that has been vexing me for quite some time. I only found it because of the error [SESN0008E] and the fact that I had to add a whole new WebSphere Node to an existing environment, so that these errors finally happened with a frequency that I noticed:

logServletError SRVE0293E: [Servlet Error]-[atom-basic]: com.ibm.websphere.servlet.session.UnauthorizedSessionRequestException: SESN0008E: A user authenticated as anonymous has attempted to access a session owned by user:defaultWIMFileBasedRealm/CN=Joe Shmoe,OU=MYOU,dc=corp,dc=company,dc=com

We ran function testing on the new Node and performance was horrendous … I mean really horrendous. Performance has been bad overall before that, but at least things worked. I investigated a few tech notes, there was some mentioning about the LTPA timeout being too short in combination with several other settings. This is an upgrade, same settings as other systems, should not be an issue … so I looked at other sites/pages here, here and here.

All of the tech notes mentioned [Security Integration] being at the heart of it. I checked all servers and noticed – none of the servers that the Connections installer created had this setting set, all servers that I created manually had it. I looked into this a bit more and found out that the [Session Management] – [Security integration] is now a default setting for WebSphere and if you create a server manually it is automatically set. I ran a few third party products in separate servers that were all manually created … they probably brought the overall performance down.

So, I went through all servers that I had created, unset the settings (pic below) and then synced and restarted everything and …. voila, speed restored.

sessionManagement
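A read-only way to spot the mismatch described above between installer-created and manually created servers, as an added example (not the author's or IBM's code): it reads every server.xml in a copy of the Dmgr configuration tree and lists the servers whose Session Management security integration flag differs from the majority. The `enableSecurityIntegration` attribute name and the `cells/*/nodes/*/servers/*/server.xml` layout are assumptions about the WebSphere configuration repository, and the sample XML is constructed and heavily trimmed.

```python
import xml.etree.ElementTree as ET
from pathlib import Path

# Assumed name of the Session Management "Security integration" attribute.
ATTR = "enableSecurityIntegration"

# Constructed, heavily trimmed stand-ins for two server.xml files.
SAMPLE_INSTALLER = """<Server xmlns:xmi="http://www.omg.org/XMI" name="AppsCluster_server1">
  <components xmi:type="WebContainer">
    <services xmi:type="SessionManager" enableSecurityIntegration="false"/>
  </components>
</Server>"""
SAMPLE_MANUAL = SAMPLE_INSTALLER.replace(
    "AppsCluster_server1", "ThirdParty_server1"
).replace('Integration="false"', 'Integration="true"')


def security_integration(root):
    """Return (server name, True if any element switches the flag on)."""
    flags = [el.get(ATTR) for el in root.iter() if ATTR in el.attrib]
    return root.get("name"), "true" in flags


def audit_tree(config_root):
    """Map 'node/server' -> flag for every server.xml under config_root."""
    report = {}
    pattern = "cells/*/nodes/*/servers/*/server.xml"  # assumed layout
    for path in sorted(Path(config_root).glob(pattern)):
        _, enabled = security_integration(ET.parse(str(path)).getroot())
        report[f"{path.parts[-4]}/{path.parts[-2]}"] = enabled
    return report


def mismatched(report):
    """Servers whose flag differs from the majority value in the cell."""
    values = list(report.values())
    majority = values.count(True) > values.count(False)
    return sorted(name for name, flag in report.items() if flag != majority)


if __name__ == "__main__":
    for sample in (SAMPLE_INSTALLER, SAMPLE_MANUAL):
        print(security_integration(ET.fromstring(sample)))
```

Run `audit_tree` against a copy of the `config` directory rather than the live repository; it only reads files and changes nothing.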

IBM Connections – CCM Folders and File Loss … or not


Thought I’d share this one, it was a bit unique. Anyone out there who has had to do a restore of CCM and CCM files will know it is a pain. I will blog about how to do that separately .. It is not fun.

Here the scenario:

  • Client with IBM Connections 5.0, CR3, CCM – very active site.
  • Many communities, a lot of File Libraries. Many users use the Windows Plug-ins and access files and CCM libraries via the Windows desktop.
  • A user – somehow by mistake – deleted a folder inside a community library (CCM library!) containing a whole bunch of files – and this user did it via the desktop. Apparently what the user did was that in Windows Explorer a folder was either moved or deleted (I was never able to exactly find out) and the folder with all files contained in it disappeared. Not to be found.

Long Story Short:

I was in the middle of restoring the Filenet databases from the day before to a separate environment to figure out if I could identify the files and ask the back-up team to restore them for me from tape. I took another look in the system and could not find the files in the acce interface.

But then I had an idea … Connections search indexes it all, no matter where it is.

So, using the Filenet restore I identified the files to look for, did a search for the filenames in Connections … and found them. We then did a “Move to Folder” for all the files (into a new folder in Libraries that we created) and all files were back where they belonged.

So – what this taught us is that deleting folders using the Windows plug-in does nothing to the actual files, it just appears to be removing the pointers to the database that the system needs to display the files … But Connections search still finds them all. Like Pokemons … gotta catch’em all!

If I had known this earlier I could have saved myself a day of work …

 

 

 

IBM Connections, Exchange, Kerberos and the Tale of External Non-Collaboration


It is a longer tale, so to keep it short I decided to bury the lead and give you the synopsis right here:

If you are running IBM Connections integrated with Exchange as your ICMail setup you are using Kerberos. If you want to enable external collaboration by adding another LDAP source for your external users – it will not work.

You can create the repository, add it to WebSphere, you can do all the TDI settings to import the users in it as external users … but they will not be able to authenticate. The reason is that WebSphere has the authentication mechanism at its top level of security (global) and not at the repository level. That means, once you use Kerberos you have to use Kerberos for ALL authentication that happens. Trust me, I have tested. I had PMRs open (with both Connections and WebSphere support). I talked to the IBM Connections Product team and verified that this specific scenario was never actually tested so nobody appears to have known of this, which is also why it never made its way into any documentation.

I don’t think there are many clients for whom this might be an issue currently, but I do see many environments wanting more security and wanting to tie in other back-end systems and if that client environment is running AD as their LDAP source, then KERBEROS will be right there as a feature request – or a necessity.

Is External Collaboration Dead when Using Kerberos?

That is an easy answer – No.

But you are now forced to add those external users to your AD forest and either add them to some branch/OU that you can treat as external users or add some AD/LDAP attribute to identify them as external users.

Feature Enhancement Request for WebSphere – PLEASE VOTE!

I entered a feature enhancement request to move the authentication method from a global setting to the repository level – either in general or as part of a security domain setup in WebSphere, thereby allowing non-Kerberos repositories to be used for authentication alongside a KERBEROS enabled repository.

Here is the link to the feature request – the more people look at it, follow it and vote for it the more likely it is to make its way into a future release. You will need to have an IBM website ID to even just look at it but I’d appreciate the effort!

Social Connections – Toronto Jun 6-7, 2016 – I am attending!


The next Social Connections Conference has been announced: June 6-7, 2016 in wonderful and clean TORONTO CANADA

http://socialconnections.info/

 

I already signed up and a submission for an abstract is already in ….

Anybody in the social media/social networking sphere should really attend this conference. Technical and Strategy without the marketing hype, that is why I really like to attend.

 

Go forth and attendeth!

Connections 5.5 – Install Problem for WebSphere Cluster Settings with UNC Shares


I just installed a new Connections V5.5 environment for a new client and came across this issue that I had encountered once before in previous versions when installing the IBM File viewer (look at my presentation from last year at MWLug 2015).

Scenario:

  • Connections 5.5,
  • Clustered Windows WebSphere servers (2 nodes on separate Windows servers)
  • Windows File Share for shared file services (accessed using a UNC link i.e.: \\[fqhn of server]\[share name])

The Installer will go through and work without a problem, all apps are installed and the clusters in WebSphere created. When you run the WebSphere servers/JVMs for the first time you might notice a new folder created on the same drive as your WebSphere install, the name follows the above UNC naming for the shared file services location. In my case the folder created was [D:\FILESERVER\CnxData\messagestores\xxx].

Messagestores are the way that messaging engines running on WebSphere clustered servers communicate with each other by reading/writing log files (there is much more to it, but let’s keep this light here …). Both Windows servers will create the same folders and you will probably not see a whole lot of errors in the SystemOut.log files of the WebSphere servers because those servers can access the files they expect; that they are not getting any input from other cluster members is not going to raise any errors inside of WebSphere.

In V5.0 what happens is that the installer creates a WebSphere variable and uses that variable in the cluster settings and then the system works and the UNC drive is read correctly. The V5.5 installer does not do this, it writes the location directly into the sib-engines.xml file of the cluster created and then things fall apart ….

 

What to do:

Basically you have to manually do what the installer should have done:

Create a WebSphere variable

  • I created the same one as V5.0 would have [MESSAGE_STORE_PATH] and gave it the value of the UNC folder location in WINDOWS format (using “\” slashes): i.e. [\\servername\share\messagestores]

Update the sib-engines.xml

  • Search for the sib-engines.xml files on the Dmgr profile under: ..\WebSphere\AppServer\profiles\Dmgr01\config\cells\[cell name]\clusters\[Cluster Name]
  • Edit the last line in the file for each cluster to look something like this:
<fileStore xmi:id="SIBFilestore_1456105865384" uuid="5976E93BC88E6CB1" logSize="100" minPermanentStoreSize="200" maxPermanentStoreSize="500" minTemporaryStoreSize="200" maxTemporaryStoreSize="500" logDirectory="${MESSAGE_STORE_PATH}/UtilCluster/log" permanentStoreDirectory="${MESSAGE_STORE_PATH}/UtilCluster/store" temporaryStoreDirectory="${MESSAGE_STORE_PATH}/UtilCluster/store"/>

Note the use of “/” in this entry, do it that way!

Do the WAS Thing:

  • You need to then sync the nodes and restart all servers/clusters and then WebSphere will create the folders and subfolders it needs and all will be well ….

 

After a restart you can delete the incorrectly created folders, they do not contain any data you need, the data written into there is transactions and will be re-created when the servers restart.
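A small checker for the edit described above, as an added example (not the installer's or the author's code): it flags every fileStore directory attribute that is not written as `${MESSAGE_STORE_PATH}/...` with forward slashes and proposes the variable-based value. The sample entry, its wrapper element and the UNC root `\\fileserver\CnxData\messagestores` are constructed for illustration; the attribute names are the ones in the fileStore line shown in this post.

```python
import xml.etree.ElementTree as ET

VAR = "${MESSAGE_STORE_PATH}"
DIR_ATTRS = ("logDirectory", "permanentStoreDirectory", "temporaryStoreDirectory")

# Constructed sample: a fileStore entry with the share written in directly.
# The UNC root and the wrapper element are made up for this example.
HARD_CODED = r"""<engine xmlns:xmi="http://www.omg.org/XMI">
  <fileStore xmi:id="SIBFilestore_1" logSize="100"
    logDirectory="\\fileserver\CnxData\messagestores\UtilCluster\log"
    permanentStoreDirectory="\\fileserver\CnxData\messagestores\UtilCluster\store"
    temporaryStoreDirectory="\\fileserver\CnxData\messagestores\UtilCluster\store"/>
</engine>"""


def check_filestores(xml_text):
    """Return (attribute, value, problem) for each directory that needs fixing."""
    findings = []
    for store in ET.fromstring(xml_text).iter("fileStore"):
        for attr in DIR_ATTRS:
            value = store.get(attr, "")
            if not value.startswith(VAR + "/"):
                findings.append((attr, value, "not based on " + VAR))
            elif "\\" in value:
                findings.append((attr, value, "backslash in path"))
    return findings


def to_variable_form(value, unc_root):
    """Rewrite a directory under unc_root as ${MESSAGE_STORE_PATH}/... ."""
    norm = value.replace("\\", "/")
    root = unc_root.replace("\\", "/").rstrip("/")
    if not norm.lower().startswith(root.lower() + "/"):
        raise ValueError(f"{value!r} is not under {unc_root!r}")
    return VAR + norm[len(root):]


if __name__ == "__main__":
    unc = r"\\fileserver\CnxData\messagestores"  # constructed UNC root
    for attr, value, problem in check_filestores(HARD_CODED):
        print(f"{attr}: {problem}; use {to_variable_form(value, unc)}")
```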

Engage 2016 in Eindhoven, NL – Here I Come!


Just got this happy little email in my in-box:

 

Dear Victor,

More than 140 session proposals came in, and we had to make VERY tough decisions to get them reduced to 58.
We even added an extra track, to allow for 10 additional slots!
We are extremely happy to inform you that we accepted the following session:

Adm09. IBM Connections – Managing Growth and Expansion.

We look forward to seeing you soon at our 2-day event on Wednesday/Thursday, March 23-24, 2016, in Eindhoven, the Netherlands.
We picked out an awesome venue.

Now I have to book flights and get myself over there …..

If you are in Europe … if you are anywhere in the world, you will want to attend this user group!

 

For more info, go to this link HERE