IBM Connections with Exchange Back-end – Chrome and Kerberos Delegation


First of all, thanks to my new found friend Michele Buccarello who had shared this document earlier last month on some very good pointers about how to integrate Exchange with IBM Connections.  With that document and some guesswork as to encryption settings between WAS and Exchange I was able to solve the problem – 90% of the way. We got it to work with IE and FireFox but Chrome was balking and getting into a log-out cycle. I used Fireshark to take a look and noticed it was an auth.redirect action by the HOMEPAGE app that was followed by a rest API call to Opensocial calendar settings .for my acocunt – and then righ back to the auth.redirect …. a classic redirect loop.
As things were working in FF and IE I knew it was not a system issue but rather a problem localized to Chrome so I looked up some technotes and knowledge base articles and here is how I solved it:
Chrome can be taught to work with Kerberos delegation just as IE and FF. For “normal” SPNEGO it takes it’s settings from IE and will accept them but with Exchange there is delegation going on (if you look at the Connections documentation it has you change two settings for both IE and FF, one of them refers to delegation) and Chrome needs to get a whitelist of which website it accepts delegation tickets from:
Option 1: Command line
Change the command line that starts Chrome to include a command switch:
chrome.exe –auth-negotiate-delegate-whitelist=*
Set the value to either [*] (make sure there are NO QUOTES surrounding the [*] as some documentation in various articles will have you enter it as) or any combination of the actual url you are connecting to i.e.: [*.domain.com] to limit it to anything inside the intranet domain or [connections.domain.com] for only the Connections website itself. Apparently this can also be a comma separated list of entries if that works for you.
Option 2: Create Windows Registry entry
Create this entry: [HKEY_LOCAL_MACHINE\SOFTWARE\Policies\Google\Chrome]
In it create a string entry: [AuthNegotiateDelegateWhitelist]
Any of the values used in the above command line example will work in this registry entry so I suggest to try it above first.
Enjoy – you’re welcome!

IBM File Viewer 1.0.7 Installation – Getting Past The Conversion Server Install Woes


I will keep this short and sweet – to use the free IBM File Viewer with IBM Connections 5.0 with CCM you need to have Connections at CR2 and install IBM File Viewer 1.0.7. So far so good … until you run into all the issues that everybody has been having with the Installation of the product, the Conversion Server install fails … allot, often, and with annoying frequency.

There are two main problems with the Doc Conversion installer:

Problem 1: Doc Conversion Install Fails – Unexplained

The error most people see is this one in the installation log:

2015-06-22 19:53:58,236 INFO Setting Websphere variables…
2015-06-22 19:53:58,236 INFO Exception: cannot concatenate ‘str’ and ‘NoneType’ objects
2015-06-22 19:53:58,236 INFO –>IM:ERROR:Traceback (most recent call last):
File “C:\Install\IBM_File_Viewer-1.0.7.20150213-2234\DocsConversion\installer\common\commands\command.py”, line 197, in exec_commands
_do(cmd, cmd_instance)
File “C:\Install\IBM_File_Viewer-1.0.7.20150213-2234\DocsConversion\installer\common\commands\command.py”, line 108, in _do
res = cmd_instance.do()
File “C:\Install\IBM_File_Viewer-1.0.7.20150213-2234\DocsConversion\installer\conversion\set_websphere_variable.py”, line 30, in do
succ = self.__set_variable(“CONVERSION_INSTALL_ROOT”, CFG.install_root_on_node)
File “C:\Install\IBM_File_Viewer-1.0.7.20150213-2234\DocsConversion\installer\conversion\set_websphere_variable.py”, line 43, in __set_variable
log.info(“Setting ” + name + ” as:” + value)
TypeError: cannot concatenate ‘str’ and ‘NoneType’ objects

The funny thing is .. I got it to install a few times and then with other clients it woudl fail and I was not able to determine why … until I took a closer look at the python script that it references and the actual error it gives you:

File “C:\Install\IBM_File_Viewer-1.0.7.20150213-2234\DocsConversion\installer\common\commands\command.py”, line 108, in _do
res = cmd_instance.do()
File “C:\Install\IBM_File_Viewer-1.0.7.20150213-2234\DocsConversion\installer\conversion\set_websphere_variable.py”, line 30, in do
succ = self.__set_variable(“CONVERSION_INSTALL_ROOT”, CFG.install_root_on_node)

If you look at the python script, it is basically called to set a few WebSphere variables:

def do(self):
log.info(“Setting Websphere variables…”)
succ = self.__set_variable(“CONVERSION_INSTALL_ROOT”, CFG.install_root_on_node)
if not succ:
return False
succ = self.__set_variable(“DOCS_SHARE”, CFG.getSharedDataRoot())
if not succ:
return False
succ = self.__set_variable(‘VIEWER_SHARE’,CFG.getViewerSharedDataRoot())
if not succ:
return False
log.info(“Websphere variables set completed”)
return True

This is when I noticed  – the CONVERSION_INSTALL_ROOT variable calls for the  string [CFG.install_root_on_node] -> the point is – ON NODE. I did some more digging and … the variable for the install root is not taken from the main [cfg.properties] file but rather looked up in the [cfg.node.properties] file.

This explained allot – I would not always create that file before the install on the first Websphere noded even if the install documentation called for it since I did not think I needed it. By default that file does not exist, the installation package only contains a file called [cfg.node.properties.sample]. The documentation / WIKI tells you to create the file and copy the whole content from the [cfg.properties] into it but does not tell you why you might need it. If you don’t plan to install a secondary node or will only install it on another physical machine you might never create this file and the installer will fail forever because there is no good error handling AND no explanation as to why the [cfg.node.properties] file is important. Frankly, the way the installer works why you even need the [cfg.node.properties] is beyond me, but I assume there are some IBM Docs install variables that are necessary and IBM wants to keep the number of code changes necessary to a minimum.

Problem 2: Passwords saved to Install.log in the clear

This was something that my buddy Christoph Stoettner had already noticed and talked to me about a while back – not sure if he blogged on it but in any case, here is a shout out to him as he noticed it first.

The installer will stop and restart the IBM HTTP server for you, but for that it needs an OS admin account and asks you for it in the command line. It then promptly logs the entry in clear text in the installation log … a really great example of excellent security that makes me shudder and want to have a very long talk with the developers of the product ….. This is almost criminally negligent.

There is a great way around this,  though the IBM File Vieweer documentation fails to tell you about it: create a JOBS TARGET for all servers involved in the installation in WebSphere. Though technically you only need the HTTP servers registered, I usually crate the targets for all servers. Here is the documentation on how to do it from the IBM Docs documentation. Alternatively you can also just not have the installer restart the IHS, set the variable [restart_webservers=] to [False] and the system should not ask you for the username and password.

If you have already installed the IBM File Viewer – go back to the installation logs and check for the line:

WASX7303I: The following options are passed to the scripting environment and are available as arguments that are stored in the argv variable: “[[[\’ihs.servername.com\’, \’adminaccountname\’, \’adminaccountpassword\’, \’windows\’, 0]]]”

Note: I replaced the server name, account name and password in the above example so just look for the logging code [WASX7303I]

Hope this helps, I know I was pulling may hair out and even had a PMR opened IBM that did not help me solve the issue originally as we never found out what really caused the problem – the poor IBM tech was pulling his hair out along with me and the IBM Docs support guy also was not able to help as they do not really work with the IBM File Viewer and do not know the product and what the installation procedure looks like.

MWLUG 2015 – August 19-21 in Atlanta, GA: I’m Speaking – Are You Coming?


MWLUG 2015 Banner

 

I submitted for MWLUG again this year and one of my submissions was accepted:

IBM Connections – Installing the Free “Extras” and Integrating with other Products

The (absolutely riveting) topic will show you all the extras that you get as free entitlements IBM and a small assortment of for pay third party tools and applications.   I will be talking about asome of the tricks, tips and potential pitfalls of the install process and how to maneuver between the icebergs.

 

Will I see you guys there? It’s a great LUG and Atlanta is a fun city with great food and good Baseball … and it is home of the best Irish Pub of 2015 – who’d a thunk it?

Sametime 9 – Cumulative Hotfix for Sametime Proxy 9.0.0 install woes


Installing a new environment for a client and ran into an issue trying to install the Cumulative Hotfix for Sametime Proxy 9.0.0 ontop.  The documentation is wrong, the location of the registry.xml is incorrect in the document, but let’s not dwell on that one.

I set up the package and ran the Installation Manager and the install was always failing, the package tried to update things in incorrect profile locations and failed with the error it could not find the wimconfig.xml … strange.

I ran the issue past a few friends and compatriots and Declan Lynch had some suggestions: he had run into problems installing HF for Sametime if the WebSphere server running the actual ST process (in this case STProxy) was set to auto-start using the Java Monitoring settings.

So – I disabled the auto-start settings, synced the nodes and restarted the STPRoxy server …. and the update went through without a hitch. I will be disabling this for all servers during updates/upgrades from here on – I noticed the process stops and starts the nodes and the auto-start of the servers probably made the install scripts go haywire.

Good luck, everybody!

My New Look – Thanks to Social Connections8


Just wanted to give a quick shout out to the whole Social Connections 8 team – it was a SOLID event and I had allot of fun. Events like this are always a n opportunity to learn something new and meet friends (old and NEW) at the same time. Plus, it never hurts that they lock the doors when I start speaking so I get my captive audience – in every sense of the word! And we all know – my DB2 themed presentation (it will be up on slideshare.com pretty soon) was riveting and mesmerizing at the same time. I had me people enthralled …

What I got out of Social Connections this time was more than just more knowledge, I also got a new look … thanks to Wannes for thinking this idea up – I especially like the fact that the picture/piece of art took 15 lbs off the real Victor and eliminated allot of my “facial flaws” …

Victor_Toal_Carricature

Social Connections 8 – April 16 – 17 Boston, MA … and the best thing is I AM SPEAKING


Just got this in my in-box:

Thank you so much for submitting an abstract for Social Connections 8.

We are delighted to inform you that your session ‘DB2 – Did you know your “Social” runs on top of a database?’ has been selected for the event, and has been published to our agenda. It is provisionally scheduled for 11:25 on Friday.
So, it looks like I will be there! Nice thing is that I lice (almost) just around the corner and there are two Red Sox home games that weekend …. I guess it is time for some serious Boston Vacation Time with the family!
Go look and see if any of the content interests you http://socialconnections.info/ some of my favorites are going to be there and I am quite happy I am only speaking once, that give me more time to sit in the other sessions and learn some more. We get some real treats, some of the really good speakers that you usually don’t see other than at LotusPhere, Connect, ConnectED (what the hell is next????) are coming and bringing some really interesting sounding content.
Hope top see you there, you can even heckle in my session if you like!

 

IBM Connections – Michael Sampson’s State of Market Whitepaper


I have met Michael Sampson several times in person over the last few years, I have most of his books and actually suggest them as required reading to clients of mine, sometimes even buying them as gifts to make sure they actually get read. I don’t go as far as testing them on content and make them write essays, but I do discuss the books with them.

Michael just posted a VERY interesting new document that I suggest as an absolute required reading to anybody involved in “social in the enterprise”, and whereas the whitepaper (my title for it, not his) deals with IBM Connections, I do believe that you can extrapolate allot of trends to other products in the same general realm.

I have been pondering the content for the last day (he only posted it yesterday) but the one thing that stands out to me is the realization that after the initial sales surge of IBM Connections, it has started to attract a different type of client as of late. Michael mentions this is some of his findings as a possibility and frankly it meshes with what I see. The types of client I encounter now are quite different from the clients I first met when I started to work on IBM Connections 6 years back.

Size does matter and makes an impact, most of my clients now are in general smaller in user size and are more diverse in terms of the industry / business they conduct. I also do see a different attitude in terms of why they decide to purchase the product and what their goals are for adoption and what they want to “get out of it”. I also see some of the older (=previous) clients come back wanting to find if they can’t further improve their somewhat stagnant adoption and find ways to use IBM Connections in more parts of their company.

I really urge everybody to read the document and pick up all the really great insights you can gain from it. And, as always, I also urge you to buy Michael’s books , they are very educating (I don’t make a dime on commissions – ore whatever currency they have in New Zealand). And, if you are not already, follow his blog – good content!