Announcement plugin for IBM Connections

Last week i searched a way to send all Connections users an information on important updates, which should be configurable and uses cookies to hide it for a specific time.

First i had a look at the Greenhouse Announcement Widget which is used within Greenhouse.

2014-12-19_16-46-41

Quite nice, but i had problems with IE 9 users and the popup appears on each page you open within Connections. So i tried something other.

After some searching i found a script of Ollie Phillips which is originally used to inform users about Cookie usage on the site. Ollie published the cookiesDirective.js under the MIT License. When you find the announcement slider useful, please buy him a beer.

I took the script and put it to a osgi bundle and added some configuration parameters.

Selection_20141219_16:43:43_001

If you want to test it, announcement-osgi.

Installation

Unarchive the package and copy de.stoeps.announcement_1.0.0.jar to your Connections customization folder/provision/webresources and the folder de (and all content below) to customization/javascript.

The text which is shown within the slider can be edited within customization/javascript/de/stoeps/announcement/popup.txt. You can use html code and links within this text file. So you can add links to additional informations.

Background color backgroundColor: '#CACACA', button text (buttonTextPre & buttonTextPost) and opacity (set backgroundOpacity: '99' to show a solid color) is configured in customization/javascript/de/stoeps/announcement/initialize.js

The announcement can be disabled with announcementEnabled: 'false'.

cookieLiveTime: 2 set the cookie to 2 days, so your users get the announcement again after 2 days and must confirm with the button.

After installation and after changes in initialize.js you must restart Common Application.

IBM ConnectED 2015 – Session “Best and Worst Practices in deploying IBM Connections”

Today IBM announced the session agenda for IBM ConnectED 2015.

I’m really interested in the new concept of more technical content and hope that all attendees will enjoy the format of the smaller designed event.

My session “BP203: Best And Worst Practices in Deploying IBM Connections” is accepted and i’m proud and happy to go to Orlando in january 2015 again.

If you haven’t already registered, follow this link.

Here some points of my planned agenda for this session:

Depending on deployment size, operating system and security considerations you have different options to configure IBM Connections.

This session will show worst practices examples from multiple customer deployments of IBM Connections. I will describe things I found and how you can optimize your systems.

Main topics include:

  • Do’s and Don’ts during IBM Connections deployments
  • simple (documented) tasks that should be applied
  • missing documentation
  • automated user synchronization, TDI solutions and user synchronization
  • performance tuning
  • security optimizing and planning
  • Single Sign On for mail, IBM Sametime and SPNEGO.

B5KHUSYCIAExPzT

IBM Champions 2015 for ICS

IBM announced the new and returning IBM Champions Class for IBM Collaboration Solutions. I’m really proud that I was nominated and elected this year again. Thanks!

So i see forward to IBM ConnectED 2015 to meet the other 95 IBM Champions. Big congratulations to all of them. Special thanks to Oli and Amanda, they are open for questions nearly all day and supports us within IBM.

What’s an IBM Champion?

Good explanation can be found on the nomination post:

These individuals are non-IBMers who evangelize IBM solutions, share their knowledge and help grow the community of professionals who are focused on social business and IBM Collaboration Solutions. IBM Champions spend a considerable amount of their own time, energy and resources on community efforts — organizing and leading user group events, answering questions in forums, contributing wiki articles and applications, publishing podcasts, sharing instructional videos and more!

Securing Domino Protocols against Brute Force Attacks

Since years i think that the Internet Lockout Feature of IBM Domino is not enough. The function is documented here: IBM Domino Administrator Help

Cite of this document:

There are some usage restrictions for Internet password lockout: You can only use Internet password lockout with Web access. Other Internet protocols and services, such as LDAP, POP, IMAP, DIIOP, IBM® Lotus® Quickr®, and IBM Sametime® are not currently supported. However, Internet password lockout can be used for Web access if the password that is used for authentication is stored on an LDAP server

So documentation tells us, that only HTTP can be secured through inetlockout.nsf and over years the documentation was right. So protocols like LDAP, SMTP or POP3 are prone to dictionary attacks.

Last week at a customer site i can’t login into IBM Connections, even with the right spelled password. After checking the Domino server i found that the user has an entry in the inetlockout.nsf database. That was the first time that i had this behavior, Domino server was version 8.5.3.

Today i had some spare time and checked the other protocols of my demo server for my AdminCamp sessions next week.

So i secured SMTP, POP3 and IMAP for authentication and started to use the wrong password for login and i tried to test wrong passwords on LDAP authenticated Sametime and Connections. What should i say? I was lockedout through all protocols! Martin Leyrer points me to following technote, where the feature is mentioned to secure SMTP against brute force. That’s the only document i can find where the extended inetlockout is mentioned or documented. lockout

I don’t know how many of my customers or friends asks for this feature, but we talked often about this. That’s a feature we asked long time and which is really important for all deployments of Domino with internet access. Now all important protocols are save against brute force or dictionary attacks.

So great news, but the documentation must be updated and the feature must be officially announced.

Why?

  1. It is a really important security feature
  2. If you use already inetlockout for http and you update your Domino server, the feature is active without any additional work! Good for security, but your helpdesk team could be a little bit surprised.

Which Domino version first had this code icluded?

When you want to know how to deploy the lockout feature, please read documentation and this technote.

Update:

I got a mail that with 8.5.3 FP6 only SMTP and LDAP are working with inetlockout. I can’t test this in the moment, but with 9.0.1 pop3 and imap are secured too. Need to test this back with lower version and diiop.

nginx

You can use nginx as a reverse proxy for mail protocols. So this is a way to add SHA256 enabled certifiers in front of your domino servers.

My next ICS events

So my vacation is finished, i enjoyed 13 lovely rainy days in bavaria and see forward to my next travels. Hope to get some sun at ICON UK in London next week.

I will speak with Sharon about Tips and Scripts for your daily business our session we made for Connect 2014 and which is updated for IBM Connections 5 now.

Admincamp will be at 29th september to 1st october in Gelsenkirchen. Admincamp is a great event with lots of technical content and no advertises, organized by Rudi Knegt and some more. I enjoy it very much to be again part of it, this year i will prepare three sessions with Klaus Bild.

41st DNUG will be at 11. and 12. November in Leipzig. I made some session proposals and will see if i can speak there and meet the german ICS community.

Last but not least Social Connections VII will be in Stockholm at 13th and 14th november. Agenda is still open, but i made a session proposal and see forward to meet the Connections User group there.