IBM Connections with Exchange Back-end – Chrome and Kerberos Delegation


First of all, thanks to my new-found friend Michele Buccarello who shared this document earlier last month with some very good pointers on how to integrate Exchange with IBM Connections. With that document and some guesswork as to the encryption settings between WAS and Exchange I was able to solve the problem – 90% of the way. We got it to work with IE and Firefox but Chrome was balking and getting into a log-out cycle. I used Fireshark to take a look and noticed it was an auth.redirect action by the HOMEPAGE app, followed by a REST API call to the OpenSocial calendar settings for my account – and then right back to the auth.redirect .... a classic redirect loop.
As things were working in FF and IE I knew it was not a system issue but rather a problem localized to Chrome so I looked up some technotes and knowledge base articles and here is how I solved it:
Chrome can be taught to work with Kerberos delegation just as IE and FF can. For "normal" SPNEGO it takes its settings from IE and will accept them, but with Exchange there is delegation going on (if you look at the Connections documentation it has you change two settings for both IE and FF, one of which refers to delegation) and Chrome needs a whitelist of the websites it is allowed to delegate the user's Kerberos credentials to:
Option 1: Command line
Change the command line that starts Chrome to include a command switch:
chrome.exe --auth-negotiate-delegate-whitelist=*
Set the value to either [*] (make sure there are NO QUOTES surrounding the [*], as some documentation in various articles will have you enter it) or any combination of the actual URLs you are connecting to, i.e. [*.domain.com] to limit it to anything inside the intranet domain or [connections.domain.com] for only the Connections website itself. It can also be a comma-separated list of entries. Prefer the narrow form where you can: this list tells Chrome which servers may receive the user's forwardable Kerberos ticket, so [*] hands a delegable ticket to any site Chrome authenticates to with Negotiate, not just Connections.
Option 2: Create Windows Registry entry
Create this key: [HKEY_LOCAL_MACHINE\SOFTWARE\Policies\Google\Chrome]
In it create a string value (REG_SZ) named: [AuthNegotiateDelegateWhitelist]
Any of the values used in the command line example above will work in this registry entry, so I suggest trying the command line first.
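The registry route above as an added example (my script, not part of the original post): it writes the policy value, refuses the over-broad [*] form in favour of a scoped list, and reads the setting back so you can confirm what Chrome will see. The registry path and value name are the ones given above; connections.example.com and *.intranet.example.com are assumed host names. Newer Chrome builds (86 and later) read the renamed policy AuthNegotiateDelegateAllowlist, so the script writes both names.

```powershell
# Added example, not from the original post: set Chrome's Kerberos delegation
# list by policy and read it back. Registry path and value name are the ones the
# post gives; 'connections.example.com' / '*.intranet.example.com' are assumed hosts.
# Run elevated on the workstation, or deliver the same value through Group Policy.
# Chrome 86+ reads the renamed policy AuthNegotiateDelegateAllowlist, so both
# names are written for mixed fleets.

$policyKey  = 'HKLM:\SOFTWARE\Policies\Google\Chrome'
$valueNames = @('AuthNegotiateDelegateWhitelist', 'AuthNegotiateDelegateAllowlist')

function Set-ChromeDelegationList {
    # $Hosts: comma-separated list, wildcards allowed, NO surrounding quotes in the data.
    param([Parameter(Mandatory)][string]$Hosts)
    if ($Hosts -eq '*') {
        # Weak setting: Chrome would forward the user's Kerberos ticket to any
        # server it authenticates to with Negotiate, not just Connections.
        Write-Warning "Refusing '*'; list the Connections host(s) or the intranet domain instead."
        return $false
    }
    if (-not (Test-Path $policyKey)) { New-Item -Path $policyKey -Force | Out-Null }
    foreach ($name in $valueNames) {
        New-ItemProperty -Path $policyKey -Name $name -PropertyType String -Value $Hosts -Force | Out-Null
    }
    return $true
}

function Get-ChromeDelegationList {
    if (-not (Test-Path $policyKey)) { return $null }
    $props = Get-ItemProperty -Path $policyKey
    foreach ($name in $valueNames) {
        if ($props.PSObject.Properties[$name]) { return $props.$name }
    }
    return $null
}

# Scoped to the Connections URL plus the intranet domain that hosts it.
if (Set-ChromeDelegationList -Hosts 'connections.example.com,*.intranet.example.com') {
    "Chrome will delegate Kerberos credentials only to: $(Get-ChromeDelegationList)"
}
# Then check chrome://policy on the client: the value should show without an error,
# and the HOMEPAGE auth.redirect loop should stop after a browser restart.
```

Chrome only reads the Policies key, so a value typed into the wrong hive is silently ignored; chrome://policy is the authoritative check that the setting actually applied.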
Enjoy – you’re welcome!

IBM File Viewer 1.0.7 Installation – Getting Past The Conversion Server Install Woes


I will keep this short and sweet – to use the free IBM File Viewer with IBM Connections 5.0 with CCM you need to have Connections at CR2 and install IBM File Viewer 1.0.7. So far so good ... until you run into all the issues everybody has been having with the installation of the product: the Conversion Server install fails ... a lot, often, and with annoying frequency.

There are two main problems with the Doc Conversion installer:

Problem 1: Doc Conversion Install Fails – Unexplained

The error most people see is this one in the installation log:

2015-06-22 19:53:58,236 INFO Setting Websphere variables...
2015-06-22 19:53:58,236 INFO Exception: cannot concatenate 'str' and 'NoneType' objects
2015-06-22 19:53:58,236 INFO -->IM:ERROR:Traceback (most recent call last):
File "C:\Install\IBM_File_Viewer-1.0.7.20150213-2234\DocsConversion\installer\common\commands\command.py", line 197, in exec_commands
_do(cmd, cmd_instance)
File "C:\Install\IBM_File_Viewer-1.0.7.20150213-2234\DocsConversion\installer\common\commands\command.py", line 108, in _do
res = cmd_instance.do()
File "C:\Install\IBM_File_Viewer-1.0.7.20150213-2234\DocsConversion\installer\conversion\set_websphere_variable.py", line 30, in do
succ = self.__set_variable("CONVERSION_INSTALL_ROOT", CFG.install_root_on_node)
File "C:\Install\IBM_File_Viewer-1.0.7.20150213-2234\DocsConversion\installer\conversion\set_websphere_variable.py", line 43, in __set_variable
log.info("Setting " + name + " as:" + value)
TypeError: cannot concatenate 'str' and 'NoneType' objects

The funny thing is ... I got it to install a few times and then with other clients it would fail, and I was not able to determine why ... until I took a closer look at the python script it references and the actual error it gives you:

File "C:\Install\IBM_File_Viewer-1.0.7.20150213-2234\DocsConversion\installer\common\commands\command.py", line 108, in _do
res = cmd_instance.do()
File "C:\Install\IBM_File_Viewer-1.0.7.20150213-2234\DocsConversion\installer\conversion\set_websphere_variable.py", line 30, in do
succ = self.__set_variable("CONVERSION_INSTALL_ROOT", CFG.install_root_on_node)

If you look at the python script, it is basically called to set a few WebSphere variables:

def do(self):
    log.info("Setting Websphere variables...")
    # install_root_on_node comes from cfg.node.properties, not cfg.properties;
    # if that file is missing the value is None and the concatenation in
    # __set_variable raises the TypeError quoted above
    succ = self.__set_variable("CONVERSION_INSTALL_ROOT", CFG.install_root_on_node)
    if not succ:
        return False
    succ = self.__set_variable("DOCS_SHARE", CFG.getSharedDataRoot())
    if not succ:
        return False
    succ = self.__set_variable('VIEWER_SHARE', CFG.getViewerSharedDataRoot())
    if not succ:
        return False
    log.info("Websphere variables set completed")
    return True

This is when I noticed – the CONVERSION_INSTALL_ROOT variable calls for the string [CFG.install_root_on_node] -> the point is – ON NODE. I did some more digging and ... the variable for the install root is not taken from the main [cfg.properties] file but rather looked up in the [cfg.node.properties] file.

This explained a lot – I would not always create that file before the install on the first WebSphere node, even if the install documentation called for it, since I did not think I needed it. By default that file does not exist; the installation package only contains a file called [cfg.node.properties.sample]. The documentation / wiki tells you to create the file and copy the whole content of [cfg.properties] into it, but does not tell you why you might need it. If you don't plan to install a secondary node, or will only install it on another physical machine, you might never create this file and the installer will fail forever, because there is no good error handling AND no explanation as to why the [cfg.node.properties] file is important. Frankly, why the installer even needs [cfg.node.properties] is beyond me, but I assume some IBM Docs install variables are required and IBM wants to keep the number of code changes to a minimum.

Problem 2: Passwords saved to Install.log in the clear

This was something that my buddy Christoph Stoettner had already noticed and talked to me about a while back – not sure if he blogged on it but in any case, here is a shout out to him as he noticed it first.

The installer will stop and restart the IBM HTTP Server for you, but for that it needs an OS admin account and asks you for it on the command line. It then promptly logs the entry in clear text in the installation log ... a really great example of excellent security that makes me shudder and want to have a very long talk with the developers of the product ..... This is almost criminally negligent.

There is a great way around this, though the IBM File Viewer documentation fails to tell you about it: create a JOBS TARGET in WebSphere for all servers involved in the installation. Technically you only need the HTTP servers registered, but I usually create the targets for all servers. Here is the documentation on how to do it from the IBM Docs documentation. Alternatively you can just not have the installer restart IHS: set the variable [restart_webservers=] to [False] and the installer should not ask you for the username and password.

If you have already installed the IBM File Viewer – go back to the installation logs and check for the line:

WASX7303I: The following options are passed to the scripting environment and are available as arguments that are stored in the argv variable: "[[[\'ihs.servername.com\', \'adminaccountname\', \'adminaccountpassword\', \'windows\', 0]]]"

Note: I replaced the server name, account name and password in the above example so just look for the logging code [WASX7303I]
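A script to do that check across a whole install tree, as an added example (mine, not from the post or from IBM): it finds every WASX7303I line that carries the argv dump in the format quoted above, reports which account and host were logged, and overwrites the password field. C:\Install\logs is an assumed location; the line layout is the one shown above.

```powershell
# Added example, not from the original post: locate installer logs that recorded the
# OS admin credentials on a WASX7303I line and blank out the password field.
# Assumed: logs live under C:\Install\logs (adjust $LogRoot); the line format is the
# one quoted in the post: "[[[\'host\', \'user\', \'password\', \'windows\', 0]]]".

$LogRoot = 'C:\Install\logs'

# Match the argv dump and capture host, user and password (third quoted element).
$pattern = "WASX7303I:.*\[\[\[\\'(?<host>[^']*)\\',\s*\\'(?<user>[^']*)\\',\s*\\'(?<pass>[^']*)\\'"

function Find-LeakedCredentialLines {
    param([string]$Root)
    Get-ChildItem -Path $Root -Recurse -Include *.log,*.txt -File |
        Select-String -Pattern $pattern |
        ForEach-Object {
            [pscustomobject]@{
                File = $_.Path
                Line = $_.LineNumber
                Host = $_.Matches[0].Groups['host'].Value
                User = $_.Matches[0].Groups['user'].Value
            }
        }
}

function Clear-LeakedCredentialLines {
    param([string]$Root)
    $evaluator = [System.Text.RegularExpressions.MatchEvaluator]{
        param($m)
        # Replace only the password element, keep host/user so the log stays useful.
        $m.Value.Replace("\'" + $m.Groups['pass'].Value + "\'", "\'<REDACTED>\'")
    }
    foreach ($hit in Find-LeakedCredentialLines -Root $Root) {
        $content = Get-Content -Path $hit.File -Raw
        $fixed   = [regex]::Replace($content, $pattern, $evaluator)
        Set-Content -Path $hit.File -Value $fixed -NoNewline
        Write-Host "Redacted $($hit.File):$($hit.Line) ($($hit.User) on $($hit.Host))"
    }
}

$hits = @(Find-LeakedCredentialLines -Root $LogRoot)
if ($hits.Count -eq 0) {
    Write-Host "No WASX7303I credential dumps under $LogRoot"
} else {
    Clear-LeakedCredentialLines -Root $LogRoot
}
# Redacting the log is damage control only: rotate the admin password that was
# written to disk, and treat every copy of the log (PMR uploads, backups, shares)
# as having contained it.
```

Run it before the logs leave the server: the credential line is exactly the kind of thing that ends up attached to a PMR or copied to a shared drive.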

Hope this helps. I know I was pulling my hair out and even had a PMR open with IBM that did not help me solve the issue originally, as we never found out what really caused the problem – the poor IBM tech was pulling his hair out along with me, and the IBM Docs support guy also was not able to help, as they do not really work with the IBM File Viewer and do not know the product or what the installation procedure looks like.

Social Connections 8 – April 16 – 17 Boston, MA … and the best thing is I AM SPEAKING


Just got this in my in-box:

Thank you so much for submitting an abstract for Social Connections 8.

We are delighted to inform you that your session ‘DB2 – Did you know your “Social” runs on top of a database?’ has been selected for the event, and has been published to our agenda. It is provisionally scheduled for 11:25 on Friday.
So, it looks like I will be there! The nice thing is that I live (almost) just around the corner and there are two Red Sox home games that weekend .... I guess it is time for some serious Boston vacation time with the family!
Go look and see if any of the content interests you: http://socialconnections.info/ Some of my favorites are going to be there, and I am quite happy I am only speaking once; that gives me more time to sit in the other sessions and learn some more. We get some real treats: some of the really good speakers you usually don't see other than at LotusPhere, Connect, ConnectED (what the hell is next????) are coming and bringing some really interesting-sounding content.
Hope to see you there, you can even heckle in my session if you like!

 

IBM Connections – Michael Sampson’s State of Market Whitepaper


I have met Michael Sampson several times in person over the last few years, I have most of his books and actually suggest them as required reading to clients of mine, sometimes even buying them as gifts to make sure they actually get read. I don’t go as far as testing them on content and make them write essays, but I do discuss the books with them.

Michael just posted a VERY interesting new document that I suggest as absolutely required reading for anybody involved in "social in the enterprise", and whereas the whitepaper (my title for it, not his) deals with IBM Connections, I do believe you can extrapolate a lot of the trends to other products in the same general realm.

I have been pondering the content for the last day (he only posted it yesterday) but the one thing that stands out to me is the realization that after the initial sales surge of IBM Connections, it has started to attract a different type of client as of late. Michael mentions this in some of his findings as a possibility, and frankly it meshes with what I see. The types of clients I encounter now are quite different from the clients I first met when I started to work on IBM Connections 6 years back.

Size does matter and makes an impact: most of my clients now are generally smaller in user count and more diverse in terms of the industry / business they conduct. I also see a different attitude in terms of why they decide to purchase the product, what their goals are for adoption and what they want to "get out of it". I also see some of the older (=previous) clients come back wanting to find out whether they can further improve their somewhat stagnant adoption and find ways to use IBM Connections in more parts of their company.

I really urge everybody to read the document and pick up all the really great insights you can gain from it. And, as always, I also urge you to buy Michael's books; they are very educational (I don't make a dime in commissions – or whatever currency they have in New Zealand). And, if you are not already, follow his blog – good content!

 

SPNEGO: Map SPNs and Create Combined Keytab Files In One Step


I have been wanting to blog about my SPNEGO install guide for a while but have been just a bit busy lately (my usual excuse). However, I just had to help a client setup SPNEGO for their IBM Connections environment so I decided the time for procrastination is over.

 

If you look at the IBM documentation, the process to create the SPNEGO keytab files and map the correct URLs and fully qualified hostnames of servers to the AD account is rather onerous. IBM documentation will have you create separate keytab files for each URL/FQHN that you want to include in the SPNEGO config and then merge them. For the normal user that is setting up SPNEGO for the first time that is painful indeed and confusing. My process below does it all in one step (one step per URL/FQHN) and adds all the settings to ONE keytab file. I am usually done in 5 minutes, then create the config file using wsadmin commands and am up and running with SPNEGO in under an hour.

Note: all commands below have to happen ON AN AD DOMAIN CONTROLLER, running them on your workstation will not work.

 

Environment / Variables:

  • SPNEGOAD account: SPNEGOAccount@DOMAIN.COM – domain\SPNEGOAccount
  • Server FQHN: serverfqhn1.example.com, serverfqhn2.example.com, serverfqhn3.example.com, etc.
  • Connections URL (c-record): connections.example.com



Step 1: Check current SPN mappings for the SPNEGO AD account:

  • setspn -l SPNEGOAccount
    (review output)


Step 2: Add SPN mappings to SPNEGOAccount and create the keytab file

[setspn -s] or [setspn -a] could be used just to add/map the SPNs to the account ([-s] checks the forest for a duplicate SPN first, [-a] does not), but neither creates the keytab file.

  • setspn -s HTTP/servernew.example.com SPNEGOAccount
  • setspn -s HTTP/newsite.example.com SPNEGOAccount

 

Run commands to create a SINGLE keytab file AND map accounts at the same time:

  • ktpass -princ HTTP/servernew.example.com@EXAMPLE.COM -ptype KRB5_NT_PRINCIPAL -mapUser SPNEGOAccount -mapOp set -pass password1A -out C:\Temp\KRB\krb5.keytab
  • ktpass -princ HTTP/newsite.example.com@EXAMPLE.COM -ptype KRB5_NT_PRINCIPAL -mapUser SPNEGOAccount -mapOp add -pass password1A -in C:\Temp\KRB\krb5.keytab -out C:\Temp\KRB\krb5.keytab

 

Note: the first command uses [-mapOp set] and only [-out] (the keytab does not exist yet); all following commands (one for each URL/FQHN you want to add) use [-mapOp add] with [-in] pointing at the file written by the previous run. If you do not use [add], each subsequent command overrides the previous one, leaving your AD account with only one FQHN/URL mapped to it. THIS IS IMPORTANT! Two more things to get right: the realm after the @ is the AD domain name in UPPER CASE (Kerberos realm names are case-sensitive), and the same [-pass] value goes into every run, because ktpass sets the account password each time and a different value would leave earlier keytab entries keyed to a password the account no longer has.
Check whether the SPNS are all correct:

  • setspn -l SPNEGOAccount
    (get output and show it has mappings)
  • ldifde -f c:\temp\new-output1.txt -r "(servicePrincipalName=HTTP/serverfqhn1.example.com)"
  • ldifde -f c:\temp\new-output2.txt -r "(servicePrincipalName=HTTP/connections.example.com)"
    (Get output files and review)

 

 

Some Gotchas

Which URLs/c-records (CNAMEs) and server FQHNs to map:

I map EVERYTHING. The main reason is that often your c-record for the site (in our example connections.example.com) will point to the FQHN of a server or a load balancing device. In that case you need BOTH of them mapped. I map all web servers (IHS), WAS servers and (if existing) the LB address (this is usually overkill and not necessary ... but paranoia pays off sometimes).

Command errors:

Depending on your AD forest, the above ktpass command might need the AD account you are mapping to in either the [ACCOUNTNAME@DOMAIN.COM] format or the [DOMAIN\ACCOUNTNAME] format. You will see the error right away when you run it for the first time.

SPNEGO setting in WebSphere:

If you go by the IBM documentation (there is a lot flying around) you will see they generally tell you to add the FQHN of the Deployment Manager as the HOSTNAME in SPNEGO. Keep in mind that works for them because their testers tend to work with single-server test installs where ALL the systems run on one server, the Dmgr is also the IHS server and often they don't bother to change the URL for the Connections setup. What you need in there is the c-record your users will be putting into their browsers to get to Connections, in our example connections.example.com. Should the c-record point to the FQHN of a web server then you could input that address as well. That is why I generally map EVERYTHING; that way you have maximum flexibility should you need to finagle with your architecture and move functionality around.

Oops, you forgot something …

If you suddenly notice you have to add servers to the SPNEGO setup (maybe you are migrating) – DO NOT simply run ktpass again against the SPNEGO AD account to produce a fresh keytab for the new server. ktpass resets the account password and bumps the key version number, so every keytab already deployed stops working and you will have an SSO outage. To add entries you have to stop all WebSphere servers involved, run ktpass with [-mapOp add] and [-in] pointing at the existing keytab file taken from one of your WebSphere servers, recreate the config file using wsadmin and replace the old keytab files on every server with the new one.
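Step 2 and the "Oops" case above as one script, added here as an example (my code, not the original post's): it walks the list of URLs/FQHNs, runs the ktpass sequence with [set] for the first principal and [add] for every later one so everything lands in ONE keytab, checks that no other account already owns an SPN before touching it, and, when you hand it the keytab that is already deployed, merges the new principals into that file instead of starting over. Realm EXAMPLE.COM, account SPNEGOAccount, the host list, C:\Temp\KRB and the AES256-SHA1 encryption type are assumptions; the crypto value in particular must match what the account and WebSphere are configured for.

```powershell
# Added example, not from the original post: the post's setspn/ktpass sequence as one
# script that maps every URL/FQHN to the SPNEGO account and accumulates ONE keytab,
# and that re-uses an already deployed keytab when servers are added later.
# Run on a domain controller as a domain admin. Assumed: realm EXAMPLE.COM, account
# SPNEGOAccount, the host list below, C:\Temp\KRB as working folder, and AES256-SHA1
# as the encryption type (must match the account's and WebSphere's settings).

$Realm     = 'EXAMPLE.COM'
$Account   = 'SPNEGOAccount'
$KeytabDir = 'C:\Temp\KRB'
$Keytab    = Join-Path $KeytabDir 'krb5.keytab'
$Hosts     = @('connections.example.com', 'serverfqhn1.example.com', 'serverfqhn2.example.com')
# Adding servers later: point this at the keytab already in use on a WAS node so the
# new principals are merged into it; then redeploy that single file to every server.
$ExistingKeytab = $null   # e.g. '\\wasnode1\c$\IBM\WebSphere\krb5.keytab'

function Test-SpnAvailable {
    # setspn -Q prints "Existing SPN found!" plus the owner's DN when the SPN is taken.
    # Free, or already owned by our own account, is fine; owned by another account is not.
    param([string]$Spn)
    $out = (& setspn -Q $Spn 2>&1) -join "`n"
    if ($out -notmatch 'Existing SPN found') { return $true }
    return ($out -match "CN=$Account,")
}

function New-SpnegoKeytab {
    param([string[]]$HostNames, [string]$InKeytab)
    New-Item -ItemType Directory -Path $KeytabDir -Force | Out-Null
    $secure = Read-Host -Prompt "Password to set on $Account" -AsSecureString
    $bstr   = [Runtime.InteropServices.Marshal]::SecureStringToBSTR($secure)
    $plain  = [Runtime.InteropServices.Marshal]::PtrToStringBSTR($bstr)
    $first  = [string]::IsNullOrEmpty($InKeytab)
    $inFile = $InKeytab
    foreach ($h in $HostNames) {
        $spn = "HTTP/$h"
        if (-not (Test-SpnAvailable $spn)) {
            throw "$spn is registered on another account; a duplicate SPN breaks Kerberos for both owners."
        }
        # -mapOp set on the very first principal starts a fresh file; every later one
        # uses -mapOp add plus -in so entries accumulate instead of replacing each other.
        # ktpass -pass resets the account password on every run, so the same password
        # goes into each call and the finished keytab replaces all deployed copies.
        $ktArgs = @('-princ', "$spn@$Realm", '-ptype', 'KRB5_NT_PRINCIPAL',
                    '-mapUser', "$Account@$Realm", '-pass', $plain,
                    '-crypto', 'AES256-SHA1', '-out', $Keytab)
        if ($first) { $ktArgs += @('-mapOp', 'set') }
        else        { $ktArgs += @('-mapOp', 'add', '-in', $inFile) }
        & ktpass @ktArgs
        if ($LASTEXITCODE -ne 0) { throw "ktpass failed for $spn (try DOMAIN\$Account as -mapUser)" }
        $first  = $false
        $inFile = $Keytab
    }
    [Runtime.InteropServices.Marshal]::ZeroFreeBSTR($bstr)
    Remove-Variable plain
}

New-SpnegoKeytab -HostNames $Hosts -InKeytab $ExistingKeytab

# Verify: the account must list every SPN, and the forest must contain no duplicates.
& setspn -L $Account
& setspn -X
```

The password still reaches ktpass as a command-line argument, so run this in an administrative session on the DC and not through anything that records process command lines. The [setspn -X] at the end is the check I would not skip: a duplicate SPN on another account is the most common reason a keytab that looks perfect never produces a working ticket.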

Webinar Tomorrow: Learn how the Ephox editor works in IBM Connections


If you are working with IBM Connections and you want to know more about the new (and FREE) entitlement of the EPHOX editor EditLive! for IBM Connections V4.5 then you should tune in to this webinar tomorrow ….

In January, IBM announced terrific news for IBM Connections customers — it's making the Ephox editor, EditLive!, available to all IBM Connections v4.5 clients. Now IBM Connections' users have access to the industry's most advanced WYSIWYG editor. In this short, but impactful webinar, we will share ways in which your IBM Connections users can derive the most value out of EditLive!'s advanced editing capabilities.

Join Ephox tomorrow to learn how to get access to EditLive! if you’re using IBM Connections v4.5.

Tim Thatcher and Michael Fromin of Ephox will present the following:

  • The capabilities of Ephox’s editor, EditLive!
  • How Ephox’s editor can deliver value to users of IBM Connections
  • Ways other IBM customers are reaping benefits using EditLive! for IBM Connections while increasing user adoption and engagement

Date: Thursday, March 27
Time: 10 a.m. PDT, noon CDT, 1 p.m. EDT, 5 p.m. GMT

Who should attend:

  • IBM Sales Team Members and Leaders
  • IBM Client Technical Professionals
  • IBM Business Partners
  • IBM Connections Customers (IT, end users, content contributor, social media contributors)

Presenters:

Tim Thatcher, chief operating officer, Ephox
Michael Fromin, director of client services, Ephox

Register for the Ephox webinar today.

Look forward to seeing you there.

Dave Dabbah
Vice President, Marketing
dave.dabbah

Connect with Ephox at:
1.650.292.9659
contact@ephox.com | support@ephox.com
© Ephox Corporation; All rights reserved.

2014 – What is waiting at the starting line for this year?


Since I finally got back to my blog and wrote a short / brief "2013-in-a-nutshell" post, I thought it might be time to also look ahead. There is a lot that I am working on; here is the short list:

 

Connect2014

Yes, I mentioned I am going and what my (not very short) list of must-see presentations is. The other reason I like to go is that it is a great time to talk to vendors and colleagues to see where the market and technology are going and what clients are (likely/maybe/hopefully) looking for in the future. It is not just fun and golf – even if my wife thinks otherwise.

Connections Training

I speak frequently at LUGs and seminars on IBM Connections administration; that goes hand-in-hand with the Connections training I offer as part of my business. This last year has seen a lot of one-on-one / one-on-many training where I make the whole Connections install a training seminar for the client, where they learn not only how to install but how to document, what decisions they need to think of ahead of time, and then how to think ahead to production / operations. I also do classroom hands-on training where I bring in a VM environment and the participants get hands-on and get to break it and repair it. When necessary I actually create "broken" snapshots that I have them fix. Hands-on is the only way to go, really.

For 2014 I am thinking slightly larger .... I am partnering with a good friend of mine to munch off his good reputation and experience ... ;) There will be some more detailed announcements on this later in the 1st quarter. For right now it is still "Pssssst .. it's a secret".

Technology Trends

Over the last few years I have seen a big uptick in my IBM Connections business and a decline in Domino work. Not because I think Domino itself is declining, but because the base knowledge out there in the marketplace is good and clients see less need to bring in outside talent – upgrades and migrations yes, or integration work with other systems, but not really for basic Domino operations.

Recently I also see a large uptick in Sametime inquiries – ST9 is making a lot of clients think about upgrades and they want help. Also, they want ST to integrate with more – video, telephony, awareness in every other system they can get it to work in ... ST9 looks good to me and I like the changes and (some of) the simplifications in the product – and I think the licensing changes IBM put into place will drive a lot more adoption.

International Work

I also see an uptick in my "international" work. Whereas my focus used to be 99% North America, I do get more inquiries for Europe and Asia ... I speak several languages, which helps, but that is not the real reason; I just guess this internet thing really makes the world smaller and brings us closer in many different ways. Now, if I could just somehow get an app that does something about time zones and jet lag .....

 

 

I am curious to talk to my colleagues out there and see what the technology barometer is showing them – that is one of the reasons I always try to attend Connect (LotusPhere) – but for now all I can say is that 2014 looks good!