Social Connections Chicago – Here I come!


Had an email in my inbox a short while ago …

Congratulations! Your abstract for Social Connections 11 was accepted!

 

Looks like I will be in Chicago June 1-2 this year! Social Connections is a great conference, you should check it out and attend if you can – there is a lot of great content and I am not just talking about my session … and you get to meet and interact with a lot of people at the conference and make really, really, really great connections for yourself.

 

Oh yeah .. what will I be speaking on?

IBM Connections – Take Performance Tuning Beyond the Documentation

 

Domino – Redirect Rules and Strict Redirect URLs


This one was a bit of a challenge until I finally found a solution – after HOURS of work.

 

My Scenario:

I have a Domino URL that gets generated with a query at the end and I can’t change that. I need to redirect that URL to another strict/defined URL on another system that will not work with a query added to the end of the incoming URL – here is an (obfuscated) example:

Original Domino URL: https://www.mydomain.com/something/anyDB.nsf?addAnotherQuery
URL To redirect to: https://www.anewdmain.com/something/anyUrlHere

If you just use a standard redirect rule (either standalone or for Internet sites) the query [?addAnotherQuery] will be appended to the redirect URL resulting in this example:

https://www.anewdmain.com/something/anyUrlHere?addAnotherQuery

Solution

In my case this was a problem as the FW was blocking unknown URLs and would not let anything non-defined through. I tried everything – all sorts of combinations of redirects to redirect to another redirect, to substitution rules… the query was always appended to the end of the resulting URL and the FW was rejecting me. I even redirected to an IBM HTTP server to use the rewrite capability – which is when I had an epiphany after 8 hours of straight work: In Apache, when doing a re-write, you can add a [?] to the end of the rewrite and it will cause any queries to be stripped from the resulting URL. I just thought … let’s give it a try and …. it worked!

Here is a screenshot of the example:

The redirector rule is otherwise standard. You can match any incoming URL patterns using asterisks etc. or point it to other redirector results. You can also point to local URLs by changing the [Redirect to this URL] to a string that the Domino server will resolve locally such as [/anyfolder/adifferentDB.nsf?] or a URL created by another redirector such as [/NewSiteHere/Results?] – and by adding the [?] at the end any query-like function (i.e. the very common query [?Open] appended to the end of a DB in a URL) will be stripped from the resulting URL.

Connections 5.5, TLSv1.2, java.security and the tale of a log day


Let’s set up the background for our story first: Connections 5.5 CR2 on Windows. 3rd party products galore (Docs, Kudos, ProjExec, Text.IO/Ephox), heavy usage and then – above all – the off-and-on problem with the Rich Text widget. As my penchant for acronyms is well known by my friends, I shall refer to this overall topic as TPP (this pesky problem) – and it kept rearing its ugly, misshapen and thoroughly ugly head off and on. We would squash it and then some other config change would make it come back again.

I wanted to avoid having to switch WAS all the way to TLSv1.2 because of the well documented (potential) fall out for IBM Docs, Text.io and other products. If you want more background on that one, you can read up at the blogs of some of my colleagues – such as Nico, Ben and Robert. There are more, but you can start your education here and branch out.

So, our last defense this time is to enable TLS v. 1.2 ONLY on WebSphere which is a well documented process that actually does not take long – until it turned into the beginning of 8 hours of hell. All went well until I tried to do a manual sync (syncnode) from any of the Nodes back to the Deployment Manager. I saw errors I had never seen before, all pointing back to SSL and formatting errors. A syncnode with the [-trace] switch would give me 3000+ lines of juicy gibberish to wade through and no amount of searches on Google helped me with anything. It all came back to this error in the logs:

[Error parsing HTTP status line “\00”: java.util.NoSuchElementException].

After hours of pulling my hair I did what every IT guy does after a while – I looked for somebody to whine to and then beg for help. Multiple people responded, all felt bad for me but nobody was able to assist. In the end, it took my friend Nico going through a list of possible causes for TPP until he hit something that jiggled my memory: [Java Security].

The Culprit

This is where we go from prose back to techno talk – I dimly remembered that the install of ProjExec (btw, great project management tool – complicated but really, really good) has a requirement in its install documentation to edit the contents of the java.security file of each node involved – the change is basically to change which SSLServerSocketFactory to use and here is the change:

# Default JSSE socket factories

ssl.SocketFactory.provider=com.ibm.jsse2.SSLSocketFactoryImpl

ssl.ServerSocketFactory.provider=com.ibm.jsse2.SSLServerSocketFactoryImpl

# WebSphere socket factories (in cryptosf.jar)

#ssl.SocketFactory.provider=com.ibm.websphere.ssl.protocol.SSLSocketFactory

#ssl.ServerSocketFactory.provider=com.ibm.websphere.ssl.protocol.SSLServerSocketFactory

 

The above shows what the change looks like, basically you un-comment the first two lines and comment the second two.

I reversed the change and – presto – TLSv1.2 works and the nodes can all talk to each other. We are working with the vendor to figure out if we really still need this change going forward. I am also thinking that this might have something to do with an SSL error on Activities file uploads I saw here and there – not sure.
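An added example (not part of the original post, nor of the ProjExec or IBM documentation): a small audit that reports which socket factory each node's java.security actually activates, reading the file the way java.util.Properties does. The node names and file contents are constructed samples, and the "websphere" / "overridden" labels simply follow the two sets of provider lines quoted in this post.

```python
import re

KEYS = ("ssl.SocketFactory.provider", "ssl.ServerSocketFactory.provider")
WAS_PREFIX = "com.ibm.websphere.ssl.protocol."  # prefix of the WebSphere factories

def active_properties(text):
    """Simplified java.util.Properties reading (no continuations or escapes):
    '#' or '!' is a comment only at line start, and the last definition wins."""
    props = {}
    for raw in text.splitlines():
        line = raw.strip()
        if not line or line[0] in "#!":
            continue
        m = re.match(r"([^=:\s]+)\s*[=:]?\s*(.*)$", line)
        if m:
            props[m.group(1)] = m.group(2)
    return props

def audit(text):
    """Classify the two socket-factory keys for one node's java.security."""
    props, result = active_properties(text), {}
    for key in KEYS:
        value = props.get(key)
        if value is None:
            result[key] = ("unset", None)
        elif re.search(r"[\s#]", value):
            # A trailing "# note" is part of the value, not a comment.
            result[key] = ("malformed", value)
        elif value.startswith(WAS_PREFIX):
            result[key] = ("websphere", value)
        else:
            result[key] = ("overridden", value)
    return result

# Constructed samples: node1 carries the edit, node2 has it reversed,
# node3 has a comment left on the same line as a value.
NODES = {
    "node1": "ssl.SocketFactory.provider=com.ibm.jsse2.SSLSocketFactoryImpl\n"
             "ssl.ServerSocketFactory.provider=com.ibm.jsse2.SSLServerSocketFactoryImpl\n"
             "#ssl.SocketFactory.provider=com.ibm.websphere.ssl.protocol.SSLSocketFactory\n",
    "node2": "#ssl.SocketFactory.provider=com.ibm.jsse2.SSLSocketFactoryImpl\n"
             "ssl.SocketFactory.provider=com.ibm.websphere.ssl.protocol.SSLSocketFactory\n"
             "ssl.ServerSocketFactory.provider=com.ibm.websphere.ssl.protocol.SSLServerSocketFactory\n",
    "node3": "ssl.SocketFactory.provider=com.ibm.websphere.ssl.protocol.SSLSocketFactory # WebSphere\n",
}

if __name__ == "__main__":
    for node, text in NODES.items():
        for key, (state, value) in audit(text).items():
            print(f"{node:6} {key:34} {state:10} {value}")
```

Run against the real file from every node, any row that is not "websphere" on both keys marks a node whose JVM-level SSL settings differ from what WebSphere itself was configured with.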

So, the lessons of this day were:

  • If you are following documentation and other people can get it to work – it’s you, not the documentation
  • Peel back the onion: If you set it all correctly in WebSphere, step one pace back/up the chain of technology – it runs java, is java based -> you need to check up the chain to see what base java settings are in place, other than what you set yourself.
  • Don’t cry, it’s unbecoming
  • When friends are kind enough to answer your Skype calls, LISTEN TO EACH QUESTION and think the answer through, you might not be seeing the forest because all those damn trees are in the way.
  • Say thank you – publicly. You might still be sitting there all night trying to figure out what went wrong

Technote: “Freemarker Template files are overwritten during IBM Connections CR2 install”


This happened to me, I was only saved by having a local back-up on my machine … don’t let it hit you!

Technote Link – swg21996243

Having a good back-up before ANY upgrade, change etc. is important. If nothing else, do a backup config with WebSphere – that will capture all of the important files for you as well!

IBM WebSphere / Connections – Performance, Security and the SESN0008E Error


Just found a new issue today that has been vexing me for quite some time. I only found it because of the error [SESN0008E] and the fact that I had to add a whole new WebSphere Node to an existing environment so that these errors finally happened with a frequency that I finally noticed:

logServletError SRVE0293E: [Servlet Error]-[atom-basic]: com.ibm.websphere.servlet.session.UnauthorizedSessionRequestException: SESN0008E: A user authenticated as anonymous has attempted to access a session owned by user:defaultWIMFileBasedRealm/CN=Joe Shmoe,OU=MYOU,dc=corp,dc=company,dc=com

We ran function testing on the new Node and performance was horrendous … I mean really horrendous. Performance has been bad overall before that, but at least things worked. I investigated a few tech notes, there was some mention about the LTPA timeout being too short in combination with several other settings. This is an upgrade, same settings as other systems, should not be an issue … so I looked at other sites/pages here, here and here.

All of the tech notes mentioned [Security Integration] being at the heart of it. I checked all servers and noticed – none of the servers that the Connections installer created had this setting set, all servers that I created manually had it. I looked into this a bit more and found out that the [Session Management] – [Security integration] is now a default setting for WebSphere and if you create a server manually it is automatically set. I ran a few third party products in separate servers that were all manually created … they probably brought the overall performance down.

So, I went through all servers that I had created, unset the settings (pic below) and then synced and restarted everything and …. voila, speed restored.

sessionManagement
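An added example (not from the original post or from IBM): the per-server check described above done in bulk, pairing each server's Security integration state with the number of SESN0008E hits in its log, so the servers where the session-ownership check is both enabled and firing stand out. It assumes the setting is stored as the enableSecurityIntegration attribute of the SessionManager element in each server's server.xml; the server names, XML and log lines are constructed samples.

```python
import re
import xml.etree.ElementTree as ET
from collections import Counter

SESN = re.compile(r"SESN0008E: A user authenticated as (\S+) has attempted "
                  r"to access a session owned by user:(.+)$")

def integration_state(server_xml):
    """Return 'on'/'off' as written on the SessionManager element, 'absent'
    if the attribute is not written, None if there is no SessionManager."""
    for elem in ET.fromstring(server_xml).iter():
        # xmi:type is a namespaced attribute; compare on its local name.
        kinds = [v for k, v in elem.attrib.items() if k.rsplit("}", 1)[-1] == "type"]
        if any(v.endswith(":SessionManager") for v in kinds):
            flag = elem.get("enableSecurityIntegration")
            if flag is None:
                return "absent"
            return "on" if flag.lower() == "true" else "off"
    return None

def sesn0008e_owners(log_text):
    """Count SESN0008E hits per session owner in one server's log text."""
    hits = (SESN.search(line) for line in log_text.splitlines())
    return Counter(m.group(2).strip() for m in hits if m)

def correlate(servers):
    """servers: {name: (server_xml, log_text)} -> {name: (state, hits)}."""
    return {name: (integration_state(xml), sum(sesn0008e_owners(log).values()))
            for name, (xml, log) in servers.items()}

def sample_xml(flag):
    # Constructed, heavily trimmed stand-in for a server.xml.
    return ('<process:Server xmlns:xmi="http://www.omg.org/XMI" xmlns:process="urn:sample">'
            '<components xmi:type="applicationserver.webcontainer:WebContainer">'
            '<services xmi:type="applicationserver.webcontainer:SessionManager" '
            f'enableSecurityIntegration="{flag}"/></components></process:Server>')

# Constructed log line carrying the message text quoted in the post.
HIT = ("SRVE0293E: [Servlet Error]-[atom-basic]: SESN0008E: A user authenticated as "
       "anonymous has attempted to access a session owned by "
       "user:defaultWIMFileBasedRealm/CN=Joe Shmoe,OU=MYOU,dc=corp,dc=company,dc=com\n")

SERVERS = {  # hypothetical server names
    "ManualServer1": (sample_xml("true"), HIT * 3 + "WSVR0001I: open for e-business\n"),
    "InstallerCluster_server1": (sample_xml("false"), "WSVR0001I: open for e-business\n"),
}

if __name__ == "__main__":
    for name, (state, hits) in correlate(SERVERS).items():
        print(f"{name:26} securityIntegration={str(state):6} SESN0008E={hits}")
```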