IBM Connections, Exchange, Kerberos and the Tale of External Non-Collaboration

It is a longer tale, so to keep it short I decided to bury the lead and give you the synopsis right here:

If you are running IBM Connections integrated with Exchange as your ICMail setup you are using Kerberos. If you want to enable external collaboration by adding another LDAP source for your external users – it will not work.

You can create the repository, add it to WebSphere, you can do all the TDI settings to import the users in it as external users ... but they will not be able to authenticate. The reason is that WebSphere has the authentication mechanism at its top level of security (global) and not at the repository level. That means, once you use Kerberos you have to use Kerberos for ALL authentication that happens. Trust me, I have tested. I had PMRs open (with both Connections and WebSphere support). I talked to the IBM Connections Product team and verified that this specific scenario was never actually tested so nobody appears to have known of this, which is also why it never made its way into any documentation.

I don’t think there are many clients for whom this might be an issue currently, but I do see many environments wanting more security and wanting to tie in other back-end systems, and if that client environment is running AD as their LDAP source, then KERBEROS will be right there as a feature request – or a necessity.

Is External Collaboration Dead when Using Kerberos?

That is an easy answer – No.

But you are now forced to add those external users to your AD forest and either add them to some branch/OU that you can treat as external users or add some AD/LDAP attribute to identify them as external users.

Feature Enhancement Request for WebSphere – PLEASE VOTE!

I entered a feature enhancement request to move the authentication method from a global setting to the repository level – either in general or as part of a security domain setup in WebSphere, thereby allowing non-Kerberos repositories to be used for authentication alongside a KERBEROS enabled repository.

Here is the link to the feature request – the more people look at it, follow it and vote for it the more likely it is to make its way into a future release. You will need to have an IBM website ID to even just look at it but I’d appreciate the effort!

IBM Sametime 9.x – Linux Install Errors – Installation Manager Failed Validation

I am blogging this one because when it happened to me I did not find a solution for it anywhere.


Problem Scenario

Installing ST9 Video Manager on Red Hat 6.4 – using either built-in IBM Installation Manager that comes with the installation package or a preexisting Installation Manager (used to install WebSphere first). When starting the install you get as far as choosing the package to install and then you get an error – “Validation Failed” in the Installation Manager interface. In the console used to execute the Installation Manager you see the error:

IBM installation manager error “Failed to determine a hostname for WAS to use”

I looked far and wide for this one in Google and Bing to no avail – until I had a hunch: the host configuration for the server was incorrect.



In the ssh session execute the command [system-config-network] to verify the fully qualified host name entered there. In my case there was a typo in the name so the Installation Manager was never able to look up the Red Hat server it was running on successfully. Edit/fix the entry and then save it. A restart is not necessary, though this change did kill the X11 forwarding I had going so I simply ended the ssh session and reconnected again and then the install went flawlessly.

IBM Sametime 9 – Advanced Server Log-in Not Working

Solved an interesting problem this morning. In a new environment (rebuild/replacement of a V 7 awareness only system) that I built for clients our users were not able to log in to the ST Advanced Servers broadcast communities and chat rooms from their integrated Sametime client in Notes even though they were able to log-in through a browser and had full functionality. At the same time off-line messaging was not working either – but everything else was working just fine.

No manner of trace was giving me the reasons … until I had an epiphany during a thunderstorm this morning – the fact that one of our dogs is deathly afraid of thunder and will try to get INSIDE of you if in any way possible, actually prompted some thoughts that helped me find the issues in one go.

I was pretty sure that something was keeping policies from being applied correctly; there had to be something with the way users were being identified. During the upgrade I had not paid enough attention to some of the changes I was testing – I forgot to add the [objectGUID] (using AD as the LDAP directory) to the search filters. Awareness will still work and Meetings as well … however the rest is going to be strange. I had also had some problems looking up users when adding them to the buddy list – that is when I had the epiphany that it was all related.

Here are the changes to the Search Filters:

Search filter for resolving person names:

Original: (&(objectclass=user)(|(mail=%s*)(samAccountName=%s*)(cn=%s*)))
New:       (&(objectclass=user)(|(mail=%s*)(objectguid=%s)(samAccountName=%s*)(cn=%s*)))

Search filter to use when resolving a user name to a distinguished name:

Original: (&(objectclass=user)(|(mail=%s)(cn=%s)(samAccountName=%s)))
New:       (&(objectclass=user)(|(mail=%s)(objectguid=%s)(cn=%s)(samAccountName=%s)))

Search filter for resolving group names:

Original: (objectclass=group)
New:       (&(objectclass=group)(|(objectguid=%s)(cn=%s*)))



Well, proves once again that it is all about BASICS, BASICS, BASICS ….


IBM File Viewer 1.0.7 Installation – Getting Past The Conversion Server Install Woes

I will keep this short and sweet – to use the free IBM File Viewer with IBM Connections 5.0 with CCM you need to have Connections at CR2 and install IBM File Viewer 1.0.7. So far so good … until you run into all the issues that everybody has been having with the installation of the product: the Conversion Server install fails … a lot, often, and with annoying frequency.

There are two main problems with the Doc Conversion installer:

Problem 1: Doc Conversion Install Fails – Unexplained

The error most people see is this one in the installation log:

2015-06-22 19:53:58,236 INFO Setting Websphere variables…
2015-06-22 19:53:58,236 INFO Exception: cannot concatenate 'str' and 'NoneType' objects
2015-06-22 19:53:58,236 INFO -->IM:ERROR:Traceback (most recent call last):
File "C:\Install\IBM_File_Viewer-\DocsConversion\installer\common\commands\", line 197, in exec_commands
_do(cmd, cmd_instance)
File "C:\Install\IBM_File_Viewer-\DocsConversion\installer\common\commands\", line 108, in _do
res =
File "C:\Install\IBM_File_Viewer-\DocsConversion\installer\conversion\", line 30, in do
succ = self.__set_variable("CONVERSION_INSTALL_ROOT", CFG.install_root_on_node)
File "C:\Install\IBM_File_Viewer-\DocsConversion\installer\conversion\", line 43, in __set_variable
"Setting " + name + " as:" + value)
TypeError: cannot concatenate 'str' and 'NoneType' objects

The funny thing is ... I got it to install a few times and then with other clients it would fail and I was not able to determine why … until I took a closer look at the Python script that it references and the actual error it gives you:

File "C:\Install\IBM_File_Viewer-\DocsConversion\installer\common\commands\", line 108, in _do
res =
File "C:\Install\IBM_File_Viewer-\DocsConversion\installer\conversion\", line 30, in do
succ = self.__set_variable("CONVERSION_INSTALL_ROOT", CFG.install_root_on_node)

If you look at the Python script, it is basically called to set a few WebSphere variables:

def do(self):
    "Setting Websphere variables…")
    succ = self.__set_variable("CONVERSION_INSTALL_ROOT", CFG.install_root_on_node)
    if not succ:
        return False
    succ = self.__set_variable("DOCS_SHARE", CFG.getSharedDataRoot())
    if not succ:
        return False
    succ = self.__set_variable('VIEWER_SHARE', CFG.getViewerSharedDataRoot())
    if not succ:
        return False
    "Websphere variables set completed")
    return True

This is when I noticed – the CONVERSION_INSTALL_ROOT variable calls for the string [CFG.install_root_on_node] -> the point is – ON NODE. I did some more digging and … the variable for the install root is not taken from the main [] file but rather looked up in the [] file.

This explained a lot – I would not always create that file before the install on the first WebSphere node, even if the install documentation called for it, since I did not think I needed it. By default that file does not exist; the installation package only contains a file called []. The documentation / WIKI tells you to create the file and copy the whole content from the [] into it but does not tell you why you might need it. If you don’t plan to install a secondary node or will only install it on another physical machine you might never create this file and the installer will fail forever because there is no good error handling AND no explanation as to why the [] file is important. Frankly, given the way the installer works, why you even need the [] is beyond me, but I assume there are some IBM Docs install variables that are necessary and IBM wants to keep the number of code changes necessary to a minimum.

Problem 2: Passwords saved to Install.log in the clear

This was something that my buddy Christoph Stoettner had already noticed and talked to me about a while back – not sure if he blogged on it but in any case, here is a shout out to him as he noticed it first.

The installer will stop and restart the IBM HTTP server for you, but for that it needs an OS admin account and asks you for it in the command line. It then promptly logs the entry in clear text in the installation log … a really great example of excellent security that makes me shudder and want to have a very long talk with the developers of the product ….. This is almost criminally negligent.

There is a great way around this, though the IBM File Viewer documentation fails to tell you about it: create a JOBS TARGET for all servers involved in the installation in WebSphere. Though technically you only need the HTTP servers registered, I usually create the targets for all servers. Here is the documentation on how to do it from the IBM Docs documentation. Alternatively you can also just not have the installer restart the IHS: set the variable [restart_webservers=] to [False] and the system should not ask you for the username and password.

If you have already installed the IBM File Viewer – go back to the installation logs and check for the line:

WASX7303I: The following options are passed to the scripting environment and are available as arguments that are stored in the argv variable: "[[[\'\', \'adminaccountname\', \'adminaccountpassword\', \'windows\', 0]]]"

Note: I replaced the server name, account name and password in the above example so just look for the logging code [WASX7303I]
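
One way to run that check over an install log, as an added example (not part of the File Viewer installer or the original post): it flags every WASX7303I line and writes a copy of the log with the logged arguments removed. The sample log lines, the host name and the `.redacted` output suffix are constructed for illustration, and the message text is assumed to be the English one quoted above.

```python
import re
import sys

# wsadmin message WASX7303I echoes the script arguments (argv); for this
# installer that includes the OS admin account name and password.
ARGV_ECHO = re.compile(r"(WASX7303I:.*?argv variable:\s*).*")

# Constructed sample log (not real installer output); all values are placeholders.
SAMPLE_LOG = [
    "2015-06-22 19:53:58,236 INFO Setting Websphere variables...",
    "WASX7303I: The following options are passed to the scripting environment "
    "and are available as arguments that are stored in the argv variable: "
    "\"[[['host.example.invalid', 'adminaccountname', 'adminaccountpassword', 'windows', 0]]]\"",
    "2015-06-22 19:54:10,101 INFO Websphere variables set completed",
]


def find_exposures(lines):
    """Return the 1-based line numbers of every WASX7303I argv echo."""
    return [n for n, line in enumerate(lines, 1) if ARGV_ECHO.search(line)]


def redact(lines):
    """Return the log with the argv payload of each WASX7303I line removed."""
    return [ARGV_ECHO.sub(r"\1[REDACTED]", line) for line in lines]


def main(path):
    """Report exposures in the log at `path`; write `path.redacted` if any."""
    with open(path, encoding="utf-8", errors="replace") as handle:
        lines = handle.read().splitlines()
    hits = find_exposures(lines)
    for n in hits:
        print(f"{path}:{n}: WASX7303I argv echo, credentials may be logged")
    if hits:
        with open(path + ".redacted", "w", encoding="utf-8") as out:
            out.write("\n".join(redact(lines)) + "\n")
    return len(hits)


if __name__ == "__main__":
    # Exit status 1 when at least one exposure was found, 0 otherwise.
    sys.exit(1 if main(sys.argv[1]) else 0)
```

Any account whose password shows up in a hit has already been written to disk in clear text, so change that password and remove or restrict the original log after keeping the redacted copy.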

Hope this helps, I know I was pulling my hair out and even had a PMR opened with IBM that did not help me solve the issue originally as we never found out what really caused the problem – the poor IBM tech was pulling his hair out along with me and the IBM Docs support guy also was not able to help as they do not really work with the IBM File Viewer and do not know the product and what the installation procedure looks like.

Got my latest Certification: IBM Certified Associate – Social Software and Unified Communications

Just got my latest certification … I will probably do a few more soon. Nice to get this email in your in-box:


From: “IBM Certification Program” <ibmcert>

Date: Aug 5, 2014 7:06 PM
Subject: IBM Certified Associate – Social Software and Unified Communications
To: <victor>

Dear Victor Toal,

Certification: IBM Certified Associate – Social Software and Unified Communications
Candidate Testing ID: xxxxxxx

Congratulations on achieving your certification and welcome to the world of IBM Collaboration Solutions certifications! Your commitment to increasing your expertise and knowledge with IBM Collaboration Solutions technology is an asset to you and your customers. The Professional Certification Program from IBM distinguishes professionals in the IT community as experts in leading-edge technology.

Your certificate is attached below, in .PDF file format. You can view your certificate, using Adobe Acrobat Reader V6.0 or higher, and print it on any high quality color printer.

Please remember to access services at the IBM Certification Member Site Information:
– select “Request e-Certificate ” to request all your certificates
– select “Account Services” to update demographics, email address, and request transcripts
– select “Member eStore” to order premium certificates and wallet cards
– select “Entitled Resources” to obtain your certification marks



Rebranding of Notes Mail / Connections Mail and Consequences – #RebrandingFail

I received this marketing/sales email earlier today and reading it made me a bit confused and also concerned. Not because I think that IBM and email is going away, but because of the way that IBM has initialized its latest round of rebranding Notes (aka Connections Mail) there is confusion in the marketplace and this is a great example for what clients are going to be bombarded with:

Dear Victor,

IBM is ending the “Lotus” brand, and has been building more functionality into “IBM Connections”, suggesting that they may be trying to get rid of email as a single platform. Notes users have had no choice but to look for alternatives and make plans to switch over to another system.

Unfortunately, migration away from Notes is tricky and companies need 3rd party assistance to make the switch. For companies who plan to consolidate control over legacy data, the most important consideration in selecting a 3rd party is the subsequent accessibility of historical Notes data.

ZL Technologies has years of experience successfully migrating our customers off of Domino systems and specializes in providing them with a Unified system of information governance. To find out how ZL is able to accurately migrate all your legacy data while drastically reducing storage footprint and minimizing resulting operational costs, read our complimentary datasheet.

To learn more about us, please visit our website at, or reach out to ZL experts directly at


I have worked with ZL’s previously and they have a very kick-ass product. However, I can’t see the necessity for my clients to now suddenly “run for the hills” and look for another mail system. Again, I don’t really blame ZL that much as they are simply taking advantage of IBM’s efforts to sell their products. Rather, I lay the blame for this squarely at IBM. I don’t feel that the whole rebranding thing was well explained (at all!) at Connect2014 nor did I as a business partner get any follow-up and additional info. I am not sure if and how much effort IBM has extended to the follow-up of their (for me very confusing) announcement at Connect, but clearly it ain’t enough. In the absence of a clear and resounding message, messages by third parties like this are all that clients will be hearing.

I assume more companies will be using this as an opening to try and sell their services and products to make sure that those poor IBM customers that will be abandoned by IBM can safely migrate to another – hopefully much safer – platform with all their data intact and enjoy another 100 years of email longevity . . ..

Should I tweet it … #rebrandingfail ??

Connections Certified – Finally!

As of yesterday I am now finally IBM Connections certified:


I had just had no time previously but here at Connect the certification tests are all free for participants so I went for it – and passed! It was about time too; having worked with Connections for the last 6 years, not having a certification just seemed strange. I do not test well (my dyslexia makes it hard for me) but I guess doing all these crazy IBM Connections projects finally paid off.