IBM Connections, Exchange, Kerberos and the Tale of External Non-Collaboration


It is a longer tale, so to keep it short I decided to bury the lead and give you the synopsis right here:

If you are running IBM Connections integrated with Exchange as your ICMail setup, you are using Kerberos. If you want to enable external collaboration by adding another LDAP source for your external users, it will not work.

You can create the repository, add it to WebSphere, and do all the TDI settings to import the users in it as external users .. but they will not be able to authenticate. The reason is that WebSphere sets the authentication mechanism at its top (global) security level and not at the repository level. That means once you use Kerberos, you have to use Kerberos for ALL authentication that happens. Trust me, I have tested it. I had PMRs open (with both Connections and WebSphere support). I talked to the IBM Connections product team and verified that this specific scenario was never actually tested, so nobody appears to have known of this, which is also why it never made its way into any documentation.

I don’t think there are many clients for whom this might be an issue currently, but I do see many environments wanting more security and wanting to tie in other back-end systems, and if that client environment is running AD as their LDAP source, then KERBEROS will be right there as a feature request, or a necessity.

Is External Collaboration Dead when Using Kerberos?

That is an easy answer – No.

But you are now forced to add those external users to your AD forest and either add them to some branch/OU that you can treat as external users or add some AD/LDAP attribute to identify them as external users.

Feature Enhancement Request for WebSphere – PLEASE VOTE!

I entered a feature enhancement request to move the authentication method from a global setting to the repository level, either in general or as part of a security domain setup in WebSphere, thereby allowing non-Kerberos repositories to be used for authentication alongside a KERBEROS enabled repository.

Here is the link to the feature request; the more people look at it, follow it and vote for it, the more likely it is to make its way into a future release. You will need to have an IBM website ID to even just look at it, but I’d appreciate the effort!

Social Connections – Toronto Jun 6-7, 2016 – I am attending!


The next Social Connections conference has been announced: June 6-7, 2016 in wonderful and clean TORONTO, CANADA

http://socialconnections.info/

I already signed up, and a submission for an abstract is already in ….

Anybody in the social media/social networking sphere should really attend this conference. Technical and strategy content without the marketing hype; that is why I really like to attend.

Go forth and attendeth!

Connections 5.5 – Install Problem for WebSphere Cluster Settings with UNC Shares


I just installed a new Connections V5.5 environment for a new client and came across an issue that I had encountered once before in previous versions when installing the IBM File Viewer (see my presentation from last year at MWLug 2015).

Scenario:

  • Connections 5.5
  • Clustered Windows WebSphere servers (2 nodes on separate Windows servers)
  • Windows file share for shared file services (accessed using a UNC path, i.e. \\[fqhn of server]\[share name])

The installer will go through and work without a problem: all apps are installed and the clusters in WebSphere created. When you run the WebSphere servers/JVMs for the first time you might notice a new folder created on the same drive as your WebSphere install, whose name follows the above UNC naming for the shared file services location. In my case the folder created was [D:\FILESERVER\CnxData\messagestores\xxx].

Message stores are the way that messaging engines running on WebSphere clustered servers communicate with each other, by reading/writing log files (there is much more to it, but let’s keep this light here …). Both Windows servers will create the same folders, and you will probably not see a whole lot of errors in the SystemOut.log files of the WebSphere servers because those servers can access the files they expect; that they are not getting any input from other cluster members is not going to raise any errors inside of WebSphere.

In V5.0 the installer creates a WebSphere variable and uses that variable in the cluster settings; then the system works and the UNC path is read correctly. The V5.5 installer does not do this: it writes the location directly into the sib-engines.xml file of the cluster created, and then things fall apart ….

What to do:

Basically you have to manually do what the installer should have done:

Create a WebSphere variable

  • I created the same one as V5.0 would have, [MESSAGE_STORE_PATH], and gave it the value of the UNC folder location in Windows format (using “\” backslashes), i.e. [\\servername\share\messagestores]

Update the sib-engines.xml

  • Search for the sib-engines.xml files on the Dmgr profile under: ..\WebSphere\AppServer\profiles\Dmgr01\config\cells\[cell name]\clusters\[Cluster Name]
  • Edit the last line in the file for each cluster to look something like this:
<fileStore xmi:id="SIBFilestore_1456105865384" uuid="5976E93BC88E6CB1" logSize="100" minPermanentStoreSize="200" maxPermanentStoreSize="500" minTemporaryStoreSize="200" maxTemporaryStoreSize="500" logDirectory="${MESSAGE_STORE_PATH}/UtilCluster/log" permanentStoreDirectory="${MESSAGE_STORE_PATH}/UtilCluster/store" temporaryStoreDirectory="${MESSAGE_STORE_PATH}/UtilCluster/store"/>

Note the use of “/” in this entry; do it that way!

Do the WAS Thing:

  • You then need to sync the nodes and restart all servers/clusters; WebSphere will then create the folders and subfolders it needs and all will be well ….

After a restart you can delete the incorrectly created folders; they do not contain any data you need, the data written there is transactional and will be re-created when the servers restart.
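As an added example (my own code, not the Connections installer’s or IBM’s), the following Python script does the sib-engines.xml part of the fix mechanically and checks the result. It assumes the broken file carries the UNC location literally in the three directory attributes of the fileStore element (the post only says the location is written “directly”, so the sample element below is constructed), and it deliberately edits the text rather than re-serialising the XML so that the rest of the file stays exactly as WebSphere wrote it.

```python
import re

# Constructed sample of the fileStore element as the 5.5 installer is assumed to
# write it, with the UNC location hard-coded (ids and sizes are made up; the
# attribute names match the post's example).
SAMPLE_BROKEN = (
    '<fileStore xmi:id="SIBFilestore_0" uuid="0000000000000000" logSize="100" '
    'minPermanentStoreSize="200" maxPermanentStoreSize="500" '
    'minTemporaryStoreSize="200" maxTemporaryStoreSize="500" '
    r'logDirectory="\\fileserver\CnxData\messagestores\UtilCluster\log" '
    r'permanentStoreDirectory="\\fileserver\CnxData\messagestores\UtilCluster\store" '
    r'temporaryStoreDirectory="\\fileserver\CnxData\messagestores\UtilCluster\store"/>'
)

# The three directory attributes of a fileStore element and their values.
_DIR_ATTR = re.compile(
    r'(?P<name>logDirectory|permanentStoreDirectory|temporaryStoreDirectory)'
    r'="(?P<value>[^"]*)"'
)

# Subdirectory each attribute should point at under ${VAR}/<cluster>/, per the post.
_SUBDIR = {
    "logDirectory": "log",
    "permanentStoreDirectory": "store",
    "temporaryStoreDirectory": "store",
}


def find_hardcoded_stores(xml_text):
    """Return (attribute, value) pairs whose directory does not go through a
    ${VARIABLE} reference, i.e. the literal paths the installer wrote."""
    return [(m.group("name"), m.group("value"))
            for m in _DIR_ATTR.finditer(xml_text)
            if "${" not in m.group("value")]


def rewrite_file_store(xml_text, cluster_name, var_name="MESSAGE_STORE_PATH"):
    """Point the three directory attributes at ${var_name}/<cluster>/... using
    forward slashes (as the 5.0 installer did). Every other attribute and the
    surrounding text are left untouched; the operation is idempotent."""
    def repl(m):
        return '%s="${%s}/%s/%s"' % (
            m.group("name"), var_name, cluster_name, _SUBDIR[m.group("name")])
    return _DIR_ATTR.sub(repl, xml_text)


def variable_value_ok(value):
    """Check the value given to the WebSphere variable itself: a UNC path in
    Windows form (leading \\, backslashes only) with no trailing separator,
    since the XML appends '/<cluster>/...' to it."""
    return (value.startswith("\\\\")
            and "/" not in value
            and not value.endswith("\\"))


if __name__ == "__main__":
    print("before:", find_hardcoded_stores(SAMPLE_BROKEN))
    fixed = rewrite_file_store(SAMPLE_BROKEN, "UtilCluster")
    print("after: ", find_hardcoded_stores(fixed))
    print(fixed)
```

Run find_hardcoded_stores() over each cluster’s file before and after: before, it should list the three attributes; after rewrite_file_store() it should return nothing. variable_value_ok() is the matching check for the value you type into the admin console for MESSAGE_STORE_PATH (backslashes, no trailing slash).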

Who Said You Can’t Have Fun At Work?


I have been quiet for a while. A lot of client work, the Connect2016 conference, family, Christmas, cookies .. a lot of cookies. A new year, a new work-out plan and new projects!

This was one of those days, in a good way. A major client of mine has been successfully running IBM Connections for several years and is fairly invested in the platform. They have dedicated company resources that look into adoption and training and how they can use the platform for the business and make it work. Not everything is rosy-sunshine-and-cloudless-days, but overall this client as a whole just gets it.

This client uses Outlook as their email platform, but they have a very large Domino application presence which runs a major part of their company business and is thriving. Again, not everything is all sunshine, but overall things go in the right direction: the client listens, tries hard and improves constantly. The discussions generally revolve around how to get “it” done and not why not to do “it”.

I come onsite regularly to have face-to-face meetings and do some staff training and mentoring, and I found this one inconspicuous meeting invite in my calendar for today to talk about a new business venture they want to automate and have custom development done for. This is where things get exciting for me. It is not every day that you participate in these kinds of talks and do not have to wade through preconceived notions about wanting to re-invent the wheel and “using the latest in technology” and the “newest development platform” because it sounds good in marketing material. Instead, the meeting first revolves around educating me on their business (much to learn, young Padawan …), the client(s) and their future plans so I can help them to achieve their goals by using (no, it’s time for a buzz-word) “leveraging” existing technologies along with some outside assistance/expertise that might not yet be available in-house. There are slides prepared with business processes and decision trees that need to be translated into program code and automated processes, wishlists about capabilities and the question “Victor, how do we best make this work” … one of those priceless Mastercard moments for any IT guy, really. “Tell me how to make it work”: the words we all want to hear; empowering, challenging, exciting, all wrapped up into one short sentence.

So now I find myself up in the middle of the night, thinking through the two new potentials (yes, they have TWO new processes they want to do) and how to best realize them: what partners in code/crime to assemble and how to best architect this solution using the best of the capabilities that Domino and Connections have to offer. I am so excited I can’t sleep; blogging helps categorize the process and organize my thoughts.

Now I will have to scratch together time between all the other work I have (NOT COMPLAINING, work is good and pays the bills; thank you customers!) to translate all my notes and the documentation they gave me into something I can put out to bid to a few partners I already have in mind and see what comes back. Knowing the people I plan to talk to, there are bound to be some ideas and improvements that I might never have considered.

The power of marrying IBM Domino and IBM Connections and using the best capabilities of both platforms. Sometimes it is just plain fun to be an IBM Champion …..

Connections 5.5 – The first fixes are already out …


The download for the latest version of IBM Connections just became available on Dec. 18 (this last Friday), and with it a bunch of fixes as well. So, if you are one of those willing to jump into the fray and download and install Connections 5.5, head over to Fix Central and get these fixes as well:

IBM Connections: Fixes

  • Updated IBM Cognos installation wizard for IBM Connections 5.5 for Windows: required update for the IBM Cognos installation wizard for IBM Connections 5.5 for Windows.
  • Updated Database and Population Wizard for IBM Connections 5.5 Day1 iFix for AIX: required update for the Database and Population Wizard for IBM Connections 5.5 for AIX and Linux.
  • Updated Database and Population Wizard for IBM Connections 5.5 for Windows: required update for the Database and Population Wizard for IBM Connections 5.5 for Windows.
  • IBM Connections 5.5 Migration Tool: contains the Migration Tool for IBM Connections 5.5.
  • 5.5.0.0-IC-Multi-IFLO87330: required interim fix for IBM Connections 5.5; this iFix must be applied using the new Update Installer for IBM Connections 5.5 on Fix Central.
  • IBM Connections 5.5 Smart Type-ahead: contains IBM Connections v5.5 Type-ahead Search.
  • Updated IBM Cognos installation wizard for IBM Connections 5.5 for Linux: required update for the IBM Cognos installation wizard for IBM Connections 5.5 for Linux.
  • Updated IBM Cognos installation wizard for IBM Connections 5.5 for AIX: required update for the IBM Cognos installation wizard for IBM Connections 5.5 for AIX.
  • IBM Connections 5.5 Update Installer (20151218): contains the Update Installer for IBM Connections 5.5.

Most of these packages refer you to the document Update Strategy for IBM Connections 5.5 for additional information on downloading the required software and installation information.

IBM Connections with Exchange Back-end – Chrome and Kerberos Delegation


First of all, thanks to my newfound friend Michele Buccarello, who shared a document earlier last month with some very good pointers on how to integrate Exchange with IBM Connections. With that document and some guesswork as to encryption settings between WAS and Exchange I was able to solve the problem, 90% of the way. We got it to work with IE and Firefox, but Chrome was balking and getting into a log-out cycle. I used Fireshark to take a look and noticed it was an auth.redirect action by the HOMEPAGE app that was followed by a REST API call to the OpenSocial calendar settings for my account, and then right back to the auth.redirect …. a classic redirect loop.
As things were working in FF and IE I knew it was not a system issue but rather a problem localized to Chrome, so I looked up some technotes and knowledge base articles, and here is how I solved it:
Chrome can be taught to work with Kerberos delegation just as IE and FF can. For “normal” SPNEGO it takes its settings from IE and will accept them, but with Exchange there is delegation going on (if you look at the Connections documentation, it has you change two settings for both IE and FF, one of which refers to delegation), and Chrome needs to get a whitelist of which websites it accepts delegation tickets from:
Option 1: Command line
Change the command line that starts Chrome to include a command switch:
chrome.exe --auth-negotiate-delegate-whitelist=*
Set the value to either [*] (make sure there are NO QUOTES surrounding the [*], as some documentation in various articles will have you enter it) or to the actual URL you are connecting to, i.e. [*.domain.com] to limit it to anything inside the intranet domain or [connections.domain.com] for only the Connections website itself; since [*] opens delegation to every site, the narrower forms are the ones to prefer where they work for you. Apparently this can also be a comma-separated list of entries if that works for you.
Option 2: Create a Windows Registry entry
Create this key: [HKEY_LOCAL_MACHINE\SOFTWARE\Policies\Google\Chrome]
In it create a string value: [AuthNegotiateDelegateWhitelist]
Any of the values used in the above command line example will work in this registry entry, so I suggest trying the command line first.
Enjoy – you’re welcome!

IBM File Viewer 1.0.7 Installation – Getting Past The Conversion Server Install Woes


I will keep this short and sweet: to use the free IBM File Viewer with IBM Connections 5.0 with CCM you need to have Connections at CR2 and install IBM File Viewer 1.0.7. So far so good … until you run into all the issues that everybody has been having with the installation of the product: the Conversion Server install fails … a lot, often, and with annoying frequency.

There are two main problems with the Doc Conversion installer:

Problem 1: Doc Conversion Install Fails – Unexplained

The error most people see is this one in the installation log:

2015-06-22 19:53:58,236 INFO Setting Websphere variables...
2015-06-22 19:53:58,236 INFO Exception: cannot concatenate 'str' and 'NoneType' objects
2015-06-22 19:53:58,236 INFO -->IM:ERROR:Traceback (most recent call last):
  File "C:\Install\IBM_File_Viewer-1.0.7.20150213-2234\DocsConversion\installer\common\commands\command.py", line 197, in exec_commands
    _do(cmd, cmd_instance)
  File "C:\Install\IBM_File_Viewer-1.0.7.20150213-2234\DocsConversion\installer\common\commands\command.py", line 108, in _do
    res = cmd_instance.do()
  File "C:\Install\IBM_File_Viewer-1.0.7.20150213-2234\DocsConversion\installer\conversion\set_websphere_variable.py", line 30, in do
    succ = self.__set_variable("CONVERSION_INSTALL_ROOT", CFG.install_root_on_node)
  File "C:\Install\IBM_File_Viewer-1.0.7.20150213-2234\DocsConversion\installer\conversion\set_websphere_variable.py", line 43, in __set_variable
    log.info("Setting " + name + " as:" + value)
TypeError: cannot concatenate 'str' and 'NoneType' objects

The funny thing is .. I got it to install a few times and then with other clients it would fail, and I was not able to determine why … until I took a closer look at the Python script that it references and the actual error it gives you:

  File "C:\Install\IBM_File_Viewer-1.0.7.20150213-2234\DocsConversion\installer\common\commands\command.py", line 108, in _do
    res = cmd_instance.do()
  File "C:\Install\IBM_File_Viewer-1.0.7.20150213-2234\DocsConversion\installer\conversion\set_websphere_variable.py", line 30, in do
    succ = self.__set_variable("CONVERSION_INSTALL_ROOT", CFG.install_root_on_node)

If you look at the Python script, it is basically called to set a few WebSphere variables:

def do(self):
    log.info("Setting Websphere variables...")
    # install_root_on_node is read from cfg.node.properties, not cfg.properties;
    # when that file is missing the value is None and the concatenation in
    # __set_variable raises the TypeError shown above.
    succ = self.__set_variable("CONVERSION_INSTALL_ROOT", CFG.install_root_on_node)
    if not succ:
        return False
    succ = self.__set_variable("DOCS_SHARE", CFG.getSharedDataRoot())
    if not succ:
        return False
    succ = self.__set_variable('VIEWER_SHARE', CFG.getViewerSharedDataRoot())
    if not succ:
        return False
    log.info("Websphere variables set completed")
    return True

This is when I noticed: the CONVERSION_INSTALL_ROOT variable is set from [CFG.install_root_on_node], and the point is ON NODE. I did some more digging and … the variable for the install root is not taken from the main [cfg.properties] file but rather looked up in the [cfg.node.properties] file.

This explained a lot: I would not always create that file before the install on the first WebSphere node, even if the install documentation called for it, since I did not think I needed it. By default that file does not exist; the installation package only contains a file called [cfg.node.properties.sample]. The documentation/wiki tells you to create the file and copy the whole content from [cfg.properties] into it, but does not tell you why you might need it. If you don’t plan to install a secondary node, or will only install it on another physical machine, you might never create this file, and the installer will fail forever because there is no good error handling AND no explanation as to why the [cfg.node.properties] file is important. Frankly, given the way the installer works, why you even need [cfg.node.properties] is beyond me, but I assume there are some IBM Docs install variables that are necessary and IBM wants to keep the number of code changes to a minimum.
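To make the failure concrete, here is an added re-implementation (my own code, not the File Viewer installer’s) of that variable-setting step with the check the original lacks: a missing cfg.node.properties produces a message that names the file instead of a TypeError from string concatenation. The property keys install_root and shared_data_root, the InstallConfig class and the sample file contents are hypothetical stand-ins for IBM’s CFG object and real cfg files; the apply callback stands in for the wsadmin call that creates the variable.

```python
# Constructed sample contents of the two properties files (hypothetical keys).
SAMPLE_CFG = "# main installer config\nshared_data_root=\\\\fileserver\\docs_share\n"
SAMPLE_NODE_CFG = "install_root=D:\\IBM\\ConversionServer\n"


def parse_properties(text):
    """Minimal Java .properties reader: key=value lines; '#' and '!' comment
    lines and blank lines are ignored."""
    props = {}
    for raw in text.splitlines():
        line = raw.strip()
        if not line or line[0] in "#!":
            continue
        key, sep, value = line.partition("=")
        if sep:
            props[key.strip()] = value.strip()
    return props


class InstallConfig:
    """Hypothetical stand-in for the installer's CFG object, mirroring the
    post's observation: the install root comes from cfg.node.properties,
    the share locations from cfg.properties."""

    def __init__(self, cfg_text, node_cfg_text=None):
        self.cfg = parse_properties(cfg_text)
        # cfg.node.properties is optional on disk, so it may be absent entirely.
        self.node_cfg = (parse_properties(node_cfg_text)
                         if node_cfg_text is not None else None)

    @property
    def install_root_on_node(self):
        # None when the node file was never created: the value that crashed
        # the original installer.
        return None if self.node_cfg is None else self.node_cfg.get("install_root")

    def shared_data_root(self):
        return self.cfg.get("shared_data_root")


def set_websphere_variables(cfg, apply=lambda name, value: True):
    """Set the variables in order and stop at the first problem.
    Returns (ok, message, variables_set). `apply(name, value)` is the hook
    that would call wsadmin; the default just reports success."""
    wanted = [
        ("CONVERSION_INSTALL_ROOT", cfg.install_root_on_node, "cfg.node.properties"),
        ("DOCS_SHARE", cfg.shared_data_root(), "cfg.properties"),
    ]
    done = {}
    for name, value, source in wanted:
        if value is None:
            # The check the original lacks: say which file to look at.
            return (False,
                    "%s has no value; check that %s exists on this node" % (name, source),
                    done)
        if not apply(name, value):
            return False, "wsadmin failed to set %s" % name, done
        done[name] = value
    return True, "WebSphere variables set", done


if __name__ == "__main__":
    print(set_websphere_variables(InstallConfig(SAMPLE_CFG)))
    print(set_websphere_variables(InstallConfig(SAMPLE_CFG, SAMPLE_NODE_CFG)))
```

The first call in the main block reproduces the post’s situation (no node file) and returns the named-file message; the second, with both files present, returns the two variables that would be handed to wsadmin.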

Problem 2: Passwords saved to Install.log in the clear

This was something that my buddy Christoph Stoettner had already noticed and talked to me about a while back; not sure if he blogged on it, but in any case, here is a shout-out to him as he noticed it first.

The installer will stop and restart the IBM HTTP Server for you, but for that it needs an OS admin account and asks you for it on the command line. It then promptly logs the entry in clear text in the installation log … a really great example of excellent security that makes me shudder and want to have a very long talk with the developers of the product ….. This is almost criminally negligent.

There is a great way around this, though the IBM File Viewer documentation fails to tell you about it: create a JOBS TARGET for all servers involved in the installation in WebSphere. Though technically you only need the HTTP servers registered, I usually create the targets for all servers. Here is the documentation on how to do it from the IBM Docs documentation. Alternatively you can also just not have the installer restart IHS: set the variable [restart_webservers=] to [False] and the system should not ask you for the username and password.

If you have already installed the IBM File Viewer, go back to the installation logs and check for the line:

WASX7303I: The following options are passed to the scripting environment and are available as arguments that are stored in the argv variable: "[[[\'ihs.servername.com\', \'adminaccountname\', \'adminaccountpassword\', \'windows\', 0]]]"

Note: I replaced the server name, account name and password in the above example, so just look for the logging code [WASX7303I].
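Because the secret is already on disk, the practical follow-up is to find every such line, rotate the account it exposes and scrub the logs. The scanner below is an added example and not part of the File Viewer installer: it assumes the argv list has the order shown in the sample line above (server, account, password, OS, flag), and the log lines it runs on are constructed placeholders.

```python
import re

# Constructed sample install-log lines (placeholder host, account and secret).
# The WASX7303I line follows the shape shown in the post.
SAMPLE_LOG = """\
2015-06-22 19:53:58,236 INFO Restarting IBM HTTP Server...
WASX7303I: The following options are passed to the scripting environment and are available as arguments that are stored in the argv variable: "[[[\\'ihs.example.test\\', \\'ihsadmin\\', \\'Placeholder-Secret-1\\', \\'windows\\', 0]]]"
2015-06-22 19:53:58,236 INFO Websphere variables set completed
"""

# Matches the WASX7303I line up to the argv list, capturing the list itself.
ARGV_RE = re.compile(r'(WASX7303I:.*?argv variable: )"(\[\[\[.*?\]\]\])"')

# Position of the password in the argv list: server, account, password, OS, flag
# (assumed from the order in the post's sample line).
PASSWORD_INDEX = 2


def parse_argv_items(blob):
    """Split '[[[\\'a\\', \\'b\\', 0]]]' into ['a', 'b', '0'], dropping the
    quoting that wsadmin's logger adds around each item."""
    inner = blob[3:-3]
    return [part.strip().strip("\\'") for part in inner.split(", ")]


def find_credential_lines(log_text):
    """Return (line_no, server, account) for every WASX7303I line that carries
    the IHS restart credentials, so an operator knows which account to rotate.
    The password itself is deliberately not returned."""
    hits = []
    for no, line in enumerate(log_text.splitlines(), 1):
        m = ARGV_RE.search(line)
        if not m:
            continue
        items = parse_argv_items(m.group(2))
        if len(items) > PASSWORD_INDEX:
            hits.append((no, items[0], items[1]))
    return hits


def redact_log(log_text):
    """Return the log with the password position of each argv list replaced by
    <REDACTED>; all other lines and items are kept (items are re-quoted)."""
    def repl(m):
        items = parse_argv_items(m.group(2))
        if len(items) > PASSWORD_INDEX:
            items[PASSWORD_INDEX] = "<REDACTED>"
        return '%s"[[[%s]]]"' % (m.group(1), ", ".join("'%s'" % i for i in items))
    return "\n".join(ARGV_RE.sub(repl, line) for line in log_text.splitlines())


if __name__ == "__main__":
    for no, server, account in find_credential_lines(SAMPLE_LOG):
        print("line %d: credentials for %s on %s logged in clear" % (no, account, server))
    print(redact_log(SAMPLE_LOG))
```

Point find_credential_lines() at each installation log on every node that ran the installer (the Dmgr and secondary nodes each write their own), treat every hit as a password to rotate, and only then overwrite the file with redact_log()’s output.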

Hope this helps. I know I was pulling my hair out and even had a PMR opened with IBM that did not help me solve the issue originally, as we never found out what really caused the problem; the poor IBM tech was pulling his hair out along with me, and the IBM Docs support guy also was not able to help, as they do not really work with the IBM File Viewer and do not know the product or what the installation procedure looks like.