Connections 5.5, TLSv1.2, java.security and the tale of a log day


Let’s set up the background for our story first: Connections 5.5 CR2 on Windows. 3rd party products galore (Docs, Kudos, ProjExec, Text.IO/Ephox), heavy usage and then – above all – the off-and-on problem with the Rich Text widget. As my penchant for acronyms is well known among my friends, I shall refer to this overall topic as TPP (this pesky problem) – and it kept rearing its ugly, misshapen and thoroughly ugly head off and on. We would squash it and then some other config change would make it come back again.

I wanted to avoid having to switch WAS all the way to TLSv1.2 because of the well documented (potential) fallout for IBM Docs, Text.io and other products. If you want more background on that one, you can read up at the blogs of some of my colleagues – such as Nico, Ben and Robert. There are more, but you can start your education here and branch out.

So, our last defense this time is to enable TLS v1.2 ONLY on WebSphere, which is a well documented process that actually does not take long – until it turned into the beginning of 8 hours of hell. All went well until I tried to do a manual sync (syncnode) from any of the Nodes back to the Deployment Manager. I saw errors I had never seen before, all pointing back to SSL and formatting errors. A syncnode with the [-trace] switch would give me 3000+ lines of juicy gibberish to wade through and no amount of searching on Google helped me with anything. It all came back to these errors in the logs:

[Error parsing HTTP status line “\00”: java.util.NoSuchElementException].

After hours of pulling my hair I did what every IT guy does after a while – I looked for somebody to whine to and then beg for help. Multiple people responded, all felt bad for me but nobody was able to assist. In the end, it took my friend Nico going through a list of possible causes for TPP until he hit something that jiggled my memory: [Java Security].

The Culprit

This is where we go from prose back to techno talk – I dimly remembered that the install of ProjExec (btw, great project management tool – complicated but really, really good) has a requirement in its install documentation to edit the contents of the java.security file of each node involved – the change is basically to switch which SSL socket factories (SSLSocketFactory and SSLServerSocketFactory) the JVM uses, and here is the change:

    # Default JSSE socket factories
    ssl.SocketFactory.provider=com.ibm.jsse2.SSLSocketFactoryImpl
    ssl.ServerSocketFactory.provider=com.ibm.jsse2.SSLServerSocketFactoryImpl

    # WebSphere socket factories (in cryptosf.jar)
    #ssl.SocketFactory.provider=com.ibm.websphere.ssl.protocol.SSLSocketFactory
    #ssl.ServerSocketFactory.provider=com.ibm.websphere.ssl.protocol.SSLServerSocketFactory

The above shows what the change looks like: basically you un-comment the first two property lines (the IBM JSSE2 factories) and comment out the second two (the WebSphere factories).
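Because this setting hides one level below WebSphere, it is worth having something that tells you which factory lines are actually active on each node instead of eyeballing the file. The Python below is an added example of mine, not code from the post, from IBM or from ProjExec. It reads java.security the way java.util.Properties does (a line is a comment only when its first non-blank character is # or !, and a # later on the line is part of the value), reports the active provider for each of the two keys against WebSphere’s own factories, and can rewrite the text back to the WebSphere factories, which is the reversal described in this post. The sample file content is constructed to match the ProjExec state shown above; the function names are my own and the file path is left to you.

```python
"""Check which SSL socket factory providers are active in a WebSphere java.security file.
Added example (not from the original post, IBM or ProjExec)."""
import re

# The two keys that decide which socket factory implementation the JVM uses.
FACTORY_KEYS = ("ssl.SocketFactory.provider", "ssl.ServerSocketFactory.provider")

# WebSphere's own factories (the lines ProjExec's change comments out).
WEBSPHERE_FACTORIES = {
    "ssl.SocketFactory.provider": "com.ibm.websphere.ssl.protocol.SSLSocketFactory",
    "ssl.ServerSocketFactory.provider": "com.ibm.websphere.ssl.protocol.SSLServerSocketFactory",
}

# Constructed sample: the state after the ProjExec change (JSSE2 active, WebSphere commented).
SAMPLE_AFTER_PROJEXEC = """\
# Default JSSE socket factories
ssl.SocketFactory.provider=com.ibm.jsse2.SSLSocketFactoryImpl
ssl.ServerSocketFactory.provider=com.ibm.jsse2.SSLServerSocketFactoryImpl
# WebSphere socket factories (in cryptosf.jar)
#ssl.SocketFactory.provider=com.ibm.websphere.ssl.protocol.SSLSocketFactory
#ssl.ServerSocketFactory.provider=com.ibm.websphere.ssl.protocol.SSLServerSocketFactory
"""

# key, optional '=' or ':' (or just whitespace) as separator, then the rest of the line as value
_KV = re.compile(r"([^=:\s]+)\s*[=:]?\s*(.*)")


def parse_properties(text):
    """Return (active, commented) dicts of key -> value.

    Only a leading '#' or '!' starts a comment; later keys override earlier ones,
    as the JVM does. Assumption: the factory lines use no escapes or continuations.
    """
    active, commented = {}, {}
    for raw in text.splitlines():
        line = raw.strip()
        if not line:
            continue
        is_comment = line[0] in "#!"
        body = line[1:].strip() if is_comment else line
        m = _KV.match(body)
        if m:
            (commented if is_comment else active)[m.group(1)] = m.group(2).strip()
    return active, commented


def check_socket_factories(text):
    """Per factory key: active value, whether it is WebSphere's, and any warnings."""
    active, commented = parse_properties(text)
    report = {}
    for key in FACTORY_KEYS:
        value = active.get(key)
        is_websphere = value == WEBSPHERE_FACTORIES[key]
        warnings = []
        if value is None:
            warnings.append("no active setting; the JVM falls back to its built-in factory")
        elif any(ch.isspace() or ch == "#" for ch in value):
            # A trailing comment on the same line is NOT a comment in a properties file.
            warnings.append("value contains whitespace or '#': a trailing comment became part of the class name")
        if not is_websphere and commented.get(key) == WEBSPHERE_FACTORIES[key]:
            warnings.append("WebSphere factory line is present but commented out")
        report[key] = {"active": value, "is_websphere": is_websphere, "warnings": warnings}
    return report


def restore_websphere_factories(text):
    """Return the file text with WebSphere's factory lines active and any other
    ssl.*Factory.provider lines commented out (the reversal the post describes)."""
    out = []
    for raw in text.splitlines():
        line = raw.strip()
        is_comment = bool(line) and line[0] in "#!"
        m = _KV.match(line[1:].strip() if is_comment else line)
        if m and m.group(1) in FACTORY_KEYS:
            key, value = m.group(1), m.group(2).strip()
            out.append(f"{key}={value}" if value == WEBSPHERE_FACTORIES[key] else f"#{key}={value}")
        else:
            out.append(raw)  # everything else is left exactly as it was
    return "\n".join(out) + "\n"


if __name__ == "__main__":
    for key, info in check_socket_factories(SAMPLE_AFTER_PROJEXEC).items():
        print(key, "->", info["active"], "(WebSphere)" if info["is_websphere"] else "(NOT WebSphere)")
        for w in info["warnings"]:
            print("   warning:", w)
    print("--- restored ---")
    print(restore_websphere_factories(SAMPLE_AFTER_PROJEXEC), end="")
```

Run it against the java.security of every node before and after a TLS change and the report tells you in one line whether the WebSphere factories are the ones in play; the whitespace warning catches the case where a comment has been glued onto the end of a property line, which a properties parser silently turns into an unloadable class name.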

I reversed the change and – presto – TLSv1.2 works and the nodes can all talk to each other. We are working with the vendor to figure out if we really still need this change going forward. I am also thinking that this might have something to do with an SSL error on Activities file uploads I saw here and there – not sure.

So, the lessons of this day were:

  • If you are following documentation and other people can get it to work – it’s you, not the documentation
  • Peel back the onion: If you set it all correctly in WebSphere, step one pace back/up the chain of technology – it runs java, is java based -> you need to check up the chain to see what base java settings are in place, other than what you set yourself.
  • Don’t cry, it’s unbecoming
  • When friends are kind enough to answer your Skype calls, LISTEN TO EACH QUESTION and think the answer through – you might not be seeing the forest because all those damn trees are in the way.
  • Say thank you – publicly. You might still be sitting there all night trying to figure out what went wrong

Technote: “Freemarker Template files are overwritten during IBM Connections CR2 install”


This happened to me, I was only saved by having a local back-up on my machine … don’t let it hit you!

Technote Link – swg21996243

Having a good back-up before ANY upgrade, change etc. is important. If nothing else, do a backup config with WebSphere – that will capture all of the important files for you as well!

IBM Connections, Exchange, Kerberos and the Tale of External Non-Collaboration


It is a longer tale, so to keep it short I decided to bury the lede and give you the synopsis right here:

If you are running IBM Connections integrated with Exchange as your ICMail setup you are using Kerberos. If you want to enable external collaboration by adding another LDAP source for your external users – it will not work.

You can create the repository, add it to WebSphere, you can do all the TDI settings to import the users in it as external users … but they will not be able to authenticate. The reason is that WebSphere has the authentication mechanism at its top level of security (global) and not at the repository level. That means, once you use Kerberos you have to use Kerberos for ALL authentication that happens. Trust me, I have tested. I had PMRs open (with both Connections and WebSphere support). I talked to the IBM Connections Product team and verified that this specific scenario was never actually tested, so nobody appears to have known of this, which is also why it never made its way into any documentation.

I don’t think there are many clients for whom this might be an issue currently, but I do see many environments wanting more security and wanting to tie in other back-end systems, and if that client environment is running AD as their LDAP source, then KERBEROS will be right there as a feature request – or a necessity.

Is External Collaboration Dead when Using Kerberos?

That is an easy answer – No.

But you are now forced to add those external users to your AD forest and either add them to some branch/OU that you can treat as external users or add some AD/LDAP attribute to identify them as external users.

Feature Enhancement Request for WebSphere – PLEASE VOTE!

I entered a feature enhancement request to move the authentication method from a global setting to the repository level – either in general or as part of a security domain setup in WebSphere, thereby allowing non-Kerberos repositories to be used for authentication alongside a KERBEROS enabled repository.

Here is the link to the feature request – the more people look at it, follow it and vote for it, the more likely it is to make its way into a future release. You will need to have an IBM website ID to even just look at it, but I’d appreciate the effort!

Who Said You Can’t Have Fun At Work?


I have been quiet for a while. A LOT of client work, the Connect2016 conference, family, Christmas, cookies … a lot of cookies. A new year, a new work-out plan and new projects!

This was one of those days – in a good way. Major client of mine who has been successfully running IBM Connections for several years and is fairly vested in the platform. They have dedicated company resources that look into adoption and training and how they can use the platform for the business and make it work. Not everything is rosy-sunshine-and-cloudless-days but overall this client as a whole just gets it.

This client uses Outlook as their email platform, but they have a very large Domino application presence which runs a major part of their company business and is thriving. Again, not everything is all sunshine but overall things go in the right direction – the client listens, tries hard and improves constantly. The discussions generally evolve around how to get “it” done and not why not to do “it”.

I come onsite regularly to have face-to-face meetings and do some staff training and mentoring, and I found this one inconspicuous meeting invite in my calendar for today to talk about a new business venture they want to automate and have custom development done for. This is where things get exciting for me. It is not every day that you participate in these kinds of talks and do not have to wade through preconceived notions about wanting to re-invent the wheel and “using the latest in technology” and the “newest development platform” because it sounds good in marketing material. Instead, the meeting first evolves around educating me on their business (much to learn, young Padawan …), the client(s) and their future plans so I can help them to achieve their goals by using (no, it’s time for a buzz-word) “leveraging” existing technologies along with some outside assistance/expertise that might not yet be available in-house. There are slides prepared with business processes and decision trees that need to be translated into program code and automated processes, wishlists about capabilities and the question “Victor, how do we best make this work” … one of those priceless Mastercard moments for any IT guy, really. “Tell me how to make it work” – the words we all want to hear – empowering, challenging, exciting – all wrapped up into one short sentence.

So now I find myself up in the middle of the night, thinking through the two new potentials (yes, they have TWO new processes they want to do) and how to best realize them. What partners in code/crime to assemble and how to best architect this solution using the best of the capabilities that Domino and Connections have to offer – I am so excited I can’t sleep – blogging helps categorize the process and organize my thoughts.

Now I will have to scratch together time between all the other work I have (NOT COMPLAINING, work is good and pays the bills – thank you customers!) to translate all my notes and the documentation they gave me into something I can put out to bid to a few partners I already have in mind and see what comes back. Knowing the people I plan to talk to, there are bound to be some ideas and improvements that I might never have considered.

The power of marrying IBM Domino and IBM Connections and using the best capabilities of both platforms. Sometimes it is just plain fun to be an IBM Champion …..

My New Secondary Workstation – Take a look


I just added this one to my collection of machines running in my home:

InFocus Kangaroo

I always try to keep my home footprint small: energy usage, space, noise (fans can add up) and just usability. I have a few mini servers that I use for utilities machines that I run, I have my main laptop that at home turns into my communication machine and I have my main workstation/desktop that hosts several virtual machines.

Now I can have a small machine that I can run all the time to make it available as a remote machine and that is also small enough to just unplug and throw into a bag and take to a client when a laptop is not what I need or want … and now I have it – it can use a tablet as a touchscreen display. I can also use it to just make it a media server and put it behind my TV if I want and hook it up to the network directly. Or, if we need something to hook up to the main TV (55 inches, we ain’t talking dinky screens here) and I want to be able to do something that requires a PC, now I can … Bluetooth mouse and keyboard make it easy …. The opportunities are limitless. Go and see if this is something for you!

Whoa – I’m a Champion


Holy crap – I’ve been chosen as an IBM Champion. . . .

On behalf of IBM, it is with great pleasure that I invite you to join the IBM Champion program for 2016. After reviewing your nomination(s), the selection committee agreed that your efforts over the last 12 months distinguish you as a true IBM Champion.

Well, this is certainly an unexpected honor, and something I will need to wrap my head around until I can really grasp it in totality. It’s also a really great way to start into 2016; I am looking forward to the upcoming year and my added role as an IBM Champion.

Thank you to those who nominated me and to IBM for choosing me.

Whew, now I need a bourbon to celebrate . . . .

SocialConnections 9 in Stuttgart Nov 5-6, I am speaking again!


I just noticed that I forgot to announce to the world that I will be at SocialConnections 9 in Stuttgart next. The dates to save are November 5 – 6 and the location for the Shindig is STUTTGART in good old Germany.

The agenda is already finalized, take a look right here: http://socialconnections.info/agenda/

You will actually find me in there twice because this time I am not just presenting my own, riveting content but also co-presenting with a good friend of mine, Christoph Stoettner. Him being Bavarian and I being half Austrian, we are able to totally confuse the crowd with insider talk and strange dialects that most Germans north of the Weißwürschtl Grenze (see below) have a lot of trouble understanding – but don’t worry, the actual presentation will be in English.

For all of those among you who want to know more about the everlasting love-hate-indifference relationship between the north and south of German speaking people, look this up: Weißwurstäquator. And additionally, just for the insiders – we count our Swiss friends and brethren as human and normal, even though nobody else really understands Schwyzerdütsch. But the Swiss are just cool and know it, so we accept them as is.

As you can see, next to the unbelievably captivating content and massive amount of slides that Christoph and I will be presenting, we are fully prepared for any linguistic duel that might be waiting.

I do hope to see a lot of you at the conference; judging from the agenda it promises to be quite exciting – sign up and let me know if you are planning to come!