Category Archives: IBM

All around IBM Software

IBM Verse on Premises Integration with Connections and Docs issue with iNotes_WA_Security_NonceCheck

During the week we integrated IBM Connections and IBM Docs in our test environment and everything worked fine. Then we moved the configuration to production and most of the stuff was working, like showing Business cards, profile pictures and Connections files to add into mails. Docs Viewer and uploading files from a mail to Connections generated an error: “because of an internal server error”

I digged into it with Burpsuite and Fiddler4, in the meantime a customer called me and described the same symptoms. Within the traces I found that the systems which didn’t upload the files had following header set:

X-IBM-INOTES-NONCE: <none>

and the working one had:

X-IBM-INOTES-NONCE: 2640941AE5454F5853E6732F79E7D2F5

So i searched a little bit on X-IBM-INOTES-NONCE and found that is introduced in Notes/Domino 8.5.2 and shall prevent XSS.

You can disable this with iNotes_WA_Security_NonceCheck=0 and this is mentioned in a technote, that sometimes proxies or F5 needs this setting. First we tried that on our testsystems and we seemed to be right, the upload was broken too.

We removed the notes.ini entry (or set it to 1) and after a http restart the file upload from VOP and the IBM Viewer worked!

Thanks to Thomas who digged into this with me today.

Update 2017-11-20

IBM released a technote on this.

Internet Explorer – Edge Mode without SPNEGO SSO

Last week I had an issue that some Domino Server didn’t provide SSO through SPNEGO any longer (environment worked for over 2 years now). This environment uses the customized domcfg.nsf template of Andreas Artner, maybe it’s related, but I don’t think so, on Windows 7 with latest Internet Explorer 11 and Domino Servers 9.0.1 with latest fix pack.

So what happened? The Domino servers are placed in the “Local Intranet Zone” of IE through Group Policy from beginning. The Windows administrators started to enable “Enterprise Mode” for better handling of compatibility mode and one of the steps is to deactivate the “Display intranet sites in compatibility View” option.

After this, all sites which are not explicitly configured in “Enterprise Mode” are loading in “Edge Mode” and not longer in quirks mode.

Nearly everything worked fine, XPages load every HTML5 Element, the sites seem to deliver content faster and so on.

BUT:

The configured SPNEGO authentication does not load any longer. The domcfg.nsf loads directly the fallback login form. I analyzed with Fiddler 4, but nothing suspicious was in the trace. So we configured one Domino Url to load in Quirks Mode (IE Level 5) and Desktop SSO worked immediately. So we played with the different levels and it showed that only the “Edge Mode” in IE11 made problems, when we went a step back and used the IE 10 compatibility mode everything worked: XPages, HTML5 and Desktop Single Sign-On.

I hope this saves you some time during troubleshooting, I think the Enterprise Mode is a trending thing and removing the Quirks Mode is an important step.

Using Docker and ELK to Analyze WebSphere Application Server SystemOut.log

I often get SystemOut.log files from customers or friends to help them analyzing a problem. Often it is complicated to find the right server and application which generates the real error, because most WebSphere Applications (like IBM Connections or Sametime) are installed on different Application Servers and Nodes. So you need to open multiple large files in your editor, scroll each to the needed timestamps and check the lines before for possible error messages.

Klaus Bild showed on several conferences and in his blog the functionality of ELK, so I thought about using ELK too. I started to build a virtual machine with ELK Stack (Elasticsearch, Logstash & Kibana) and imported my local logs and logs i got mailed. This way is cool to analyze your environment, but adding just some SystemOut.logs from outside is not the best way. It’s hard to remove this stuff after analyzing from a ELK instance.

Then I found a tutorial to install ELK with Docker, there is even a great Part 2 of this post, which helps us installing an ELK Cluster. Just follow this blog posts, install Docker and Docker-compose. It’s really fast deployed. In my case i do not use flocker, it’s enough to use a local data container for the elasticsearch data.

Why do I use Docker instead of a virtual machine? It’s super easy to just drop the data container and begin with an empty database.

My setup

I created a folder on my Mac to put all needed stuff for the Docker images to it:

mkdir elk
cd elk

(more…)

Missing images in Wikis after migration to IBM Connections 5.5

Wikis in IBM Connections 5.5 have a little bug, because the link (/library instead of /wikis/form/api/library) for images are wrong and so they are not displayed.

There is a technote, which should solve this issue, but the used way with ProxyPass is not what i want to use. When you use ProxyPass and ProxyPassReverse you should add a ProxyRequest off to be more secure. ProxyPass to localhost can be a problem too, i would suggest to change localhost to the Connections IHS Hostname.

Why do I use a different approach?

Most of my deployments already use a RewriteRule to redirect the hostname to there Connections Homepage, so i don’t need an additional module (which needs ressources and can have security considerations), when i can solve the image issue through mod_rewrite.

RewriteRule "^/library/(.*)" "/wikis/form/api/library/$1" [R,L]

If you haven’t set <forceConfidentialCommunications enabled="true"/> in LotusConnections-config.xml you need to set the RewriteRule and the ProxyPass config within your http and your https configuration parts!

Example httpd.conf:

... 
# HTTP configuration
<VirtualHost *:80>
    ServerName connections.example.com

    RewriteEngine On

     # Redirect hostname to Homepage
    RewriteRule ^\/$ https://connections.example.com/homepage [noescape,L,R]

    # Fix wrong wiki image URL
    RewriteRule "^/library/(.*)" "/wikis/form/api/library/$1" [R,L]
</VirtualHost>
# HTTPS configuration
<VirtualHost *:443>
    ServerName connections.example.com

    RewriteEngine On

    # Redirect hostname to Homepage
    RewriteRule ^\/$ https://connections.example.com/homepage [noescape,L,R]

    # Fix wrong wiki image URL
    RewriteRule "^/library/(.*)" "/wikis/form/api/library/$1" [R,L]

    SSLEnable
    SSLProtocolDisable SSLv2 SSLv3
</VirtualHost>
...

Social Connections 9 In Germany – Only Three Weeks Away

The next big IBM Connections Community event – Social Connections 9 – takes place November 05/06 in Ehningen / Germany. The theme of the event is “Working out loud” and it offers tons of sessions all around IBM Connections and Adoption in the social software world.

This will be my fifth Social Connections Event after Zurich, Prague, Stockholm and Boston, for me all of them were great experiences and personally very successful.

I have been working with ESS / ICS / Lotus products since 2000 and I followed many other community members through blogs, forums, web events and tweets, but I rarely had the chance to meet any of them in person. This changed with Social Connections V – I sent my first English session on the topic of scripting in IBM Connections and was accepted. I still can remember the warm welcome of Sharon, Klaus, Stuart, Simon, Femke, Sandra and Tim – it was phantastic!

Some Impressions of Social Connections 8 (Photo ©2015 by Oliver Heinz)

There a some really good ESS events all around the globe, but my focus topic is best covered by Social Connections. I like the agenda with all the different topics it covers: announcements (René Schimmer will show IBM Connections next); Technic (master brains like Victor, Martin and Sjaak will speak); Deployment; Development (e.g. Paul and René); Use Cases (Alan Hamilton); or Adoption. And the best of all there is room to get the speaker personally for deeper discussion during the day and on the evening reception. Best chances for growing the own knowledge.

After “only” attending and speaking up until now, This time Ii got the chance to help organizing this event. So, for the last three months I had the honour of assisting Wannes, Stuart, Simon, Doug, Lars, Martin, Jan, Maria and Femke in creating “Social Connections 9”. It is my sincere wish that you will like this event as much as I enjoyed all the events I “only” participated in before.

This time I am presenting two sessions, one with Victor Toal on IBM Connections Administration and a renewed “Best and worst practises deploying IBM Connections”. I am looking forward to co-presenting with Victor – I think we are a funny, yet dynamic duo with strange German dialects (him Austrian and I Bavarian), but we will (try to) speak in English, so all the people can follow, not only Germans with a fair understanding of the more beautiful German dialects ….

So, this is enough of me, my opinions and an introduction into German dialects – you Can still register for this event and I urge you to if you have not done so yet – think of all the lovely folk you can finally meet and interact with!

Registration is still open and thanks to our great sponsors it will cost you only 179€ (excl VAT), which also covers the admission to the AWESOME gala reception.

What are you waiting for?