Tag Archives: cnx

Dependencies Connections 4 Applications

Last week I wanted to build a “light” Connections installation to test some things like OAuth and customizing. So I installed Domino 9 Beta on Ubuntu 12.04 64-bit, DB2 9.5.7 Express and WebSphere. I deployed the homepage and the profiles databases. After this I wanted to install the required applications of Connections (Homepage, Search and News) and Profiles.

The installation showed no more dependencies and I started up Connections after the install. The modules looked good, but when I wanted to add a status update, the window opened but showed no buttons to save the status. Even on the homepage or people views I couldn’t add status updates.

I had a look at a full installation and found the “Files” add-in in the Status Update overlay. So I deployed filesDB and the application. Files was added to the overlay window, but there were still no buttons to save or cancel.

In Firebug I saw that I got errors on some Communities modules. So I deployed the sncomm database and the Communities application. After firing up Connections I could save status updates. It is enough to install Communities; the application does not need to run! So I removed the autostart of Communities and can use a lighter system, which runs on my notebook to test several things.

Status Update Overlay

Homepage Status Update

The red parts in these screenshots come with Files, the blue ones with the Communities application.

I think IBM should document these dependencies in the Connections wiki or in the Installation Manager. I found no descriptions of dependencies in IM or the wiki.

IBM Connections APAR LO73245

I read an open APAR on IBM Connections today (login required!): LO73245

Description:

TDI’s sync_all_users.sh doesn’t allow us to import departmentNumbers longer than 16 chars, although the database schema supports values up to 24 chars.

And as a local solution:

worked around the issue with creating a custom field

I had a very similar problem with the validation of the LDAP search filter (which is saved in the employee table too) and searched for a long time to solve it (I set sync_store_source_url=false), but the real error was, like here, in validate_dbrepos_fields.properties.

When you open validate_dbrepos_fields.properties (in your tdisol directory) you will find the following:

deptNumber=16

So the validation error is here and not in the database! You can solve the APAR without using a custom field by setting deptNumber to 24.

Install IC4 Lotus Notes Plugins on Mac OS X 10.8.x

Today Luis Benitez announced the new Connections 4 Plugins for Lotus Notes.

The zip file contains the installers for all three operating systems: Windows, Linux and Mac. But I had no success installing through xpd.mac-addon.pgk, because the preinstall script stops the installation.

You can open this file in Finder:

Now you can copy the updatesite folder to another place and use File – Application – Install in Lotus Notes. Point the install to the updatesite folder and install the whole package. I had to restart twice, but after this I could use the new Status Update, Files and Activities plugins.

Hardening Connections – Part 1: IBM HTTP Server

Preamble

Before I begin with my article on securing, I want to say something about security in IBM Connections. Mainly I don’t like that IBM only supports very specific versions of software.

So we must use WebSphere 7.0.0.21, DB2 9.7.0.5, IHS 7.0.0.11 and so on. Each product has had updates in the last months and I think we won’t get support when we use other versions.

So I have two choices. On the one hand I can update my software to limit vulnerabilities and perhaps get no support, or I will have vulnerable software with support.

Just my 2 cents, and I hope I will get an answer on whether I will get support with higher program versions.

SSL and IHS

One of our customers had a pentest in the last months and had some vulnerabilities with IBM HTTP Server (IHS), which is used to access IBM Connections.

I used a 2048-bit key for SSL which was generated with iKeyman, but the pentest document told me that short keys were used for encryption (smaller than 112 bit). So I read up a little bit.

These 2048 bits refer to the public key of my host key. SSL uses this key when setting up the connection between browser and web server: within the SSL handshake, session keys are generated on the basis of this host key. Browser and server check which protocols and ciphers are enabled on both sides and use one that both support. The strength of the session encryption therefore depends on the negotiated cipher, not on the 2048-bit host key.

You can check your SSL enabled server here: https://www.ssllabs.com/ssltest/index.html.

Information on ciphers with IHS: http://www-01.ibm.com/software/webservers/httpservers/doc/v10/ibm/9acdciph.htm

You can limit the available ciphers and protocols on your IBM HTTP Server.

First you should disable SSL v2: SSLProtocolDisable SSLv2

I configure the directives in my virtual hosts section:
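...

<IfModule mod_ibm_ssl.c>
    Listen 0.0.0.0:443
    <VirtualHost *:443>
        ServerName connections.example.com
        SSLEnable
        SSLProtocolDisable SSLv2
        # 3A = SSL_RSA_WITH_3DES_EDE_CBC_SHA
        SSLCipherSpec 3A
        # 34 = SSL_RSA_WITH_RC4_128_MD5
        SSLCipherSpec 34
        # 35 = SSL_RSA_WITH_RC4_128_SHA
        SSLCipherSpec 35
        # 2F = TLS_RSA_WITH_AES_128_CBC_SHA
        SSLCipherSpec 2F
        # 35b = TLS_RSA_WITH_AES_256_CBC_SHA
        SSLCipherSpec 35b
    </VirtualHost>
</IfModule>

...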

Unfortunately, TLS v1.1 and v1.2 support only comes with IHS 8 and we can’t use it with IHS 7.
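
An added example (not from the original post): a small Python audit of an httpd.conf that applies the pentest's 112-bit threshold to every SSL-enabled virtual host and checks that SSLv2 is disabled. The function name, the sample configuration and the code-to-bits table are this example's own; the table follows IBM's IHS cipher documentation and should be checked against your release.

```python
import re

# IHS short codes for SSLv3/TLS cipher specs -> key bits (assumed from IBM's docs; verify).
IHS_BITS = {
    "30": 0, "31": 0, "32": 0,        # NULL ciphers (no encryption)
    "33": 40, "36": 40,               # export RC4-40, RC2-40
    "39": 56, "62": 56, "64": 56,     # DES, export1024 RC4-56 / DES
    "34": 128, "35": 128, "2F": 128,  # RC4-128 (MD5, SHA), AES-128
    "3A": 168, "35B": 256,            # 3DES, AES-256
}
MIN_BITS = 112  # threshold named in the pentest report

def audit_ssl_vhosts(conf_text):
    """Return {vhost: [findings]} per SSLEnable vhost; directive names are case-insensitive."""
    report = {}
    for addr, body in re.findall(r"(?is)<virtualhost\s+([^>]+)>(.*?)</virtualhost>", conf_text):
        rows = [l.split() for l in body.splitlines()
                if l.strip() and not l.strip().startswith("#")]
        args = lambda name: [a for r in rows if r[0].lower() == name for a in r[1:]]
        if not any(r[0].lower() == "sslenable" for r in rows):
            continue
        findings = []
        if "SSLV2" not in [a.upper() for a in args("sslprotocoldisable")]:
            findings.append("SSLv2 not disabled")
        codes = [c.upper() for c in args("sslcipherspec")]
        if not codes:
            findings.append("no SSLCipherSpec: server default cipher list applies")
        for code in codes:
            if code not in IHS_BITS:
                findings.append(f"cipher spec {code} not in table, check manually")
            elif IHS_BITS[code] < MIN_BITS:
                findings.append(f"weak cipher {code} ({IHS_BITS[code]} bit)")
        report[addr.strip()] = findings
    return report

# Constructed sample: part of the cipher list from this post plus a weaker vhost.
SAMPLE_CONF = """<VirtualHost *:443>
SSLEnable
SSLProtocolDisable SSLv2
SSLCipherSpec 3A
SSLCipherSpec 35b
</VirtualHost>
<virtualhost *:8443>
SSLEnable
SSLCipherSpec 39
</virtualhost>"""

if __name__ == "__main__":
    print(audit_ssl_vhosts(SAMPLE_CONF))
```

The check mirrors the pentest's key-length finding only: the RC4 specs 34 and 35 pass it, although RFC 7465 prohibits RC4 in TLS.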

This is my first article on securing IHS and Connections. The next part will continue with IHS; I want to disable some parts which come with the default httpd.conf and are not used with Connections.