Security

Card image cap

Some time back, I stumbled upon a flaw in HCL Connections 7 and 8 that allowed for user enumeration. This flaw could be exploited by anonymous users.

Created: Read in about 2 min
Card image cap

Elasticsearch in HCL Connections Componentpack is secured with Searchguard and needs certificates to work properly. These certificates are generated by bootstrap during the initial container deployment with helm.

These certificates are valid for 10 years (chain_ca.pem) or 2 years (elasticsearch*.pem) and stored in the Kubernetes secrets elasticsearch-secret, elasticsearch-7-secret. So when your HCL Connections deployment is running for 2 years, the certficates stop working.

Created: Read in about 3 min
Card image cap

In late 2021 I had an HCL Connections environment starting swapping, because the AppCluster used more than 30 GB of memory.

The system has

  • two nodes
  • is installed with the medium-sized deployment option
  • About 7500 users with a high adoption rate, because Connections is also used as intranet
Created:
Last Update:
Read in about 5 min
Card image cap

A long time ago, I wrote about the new implementation of allowlists in HCL Connections and that the documentation on customization and adding new rules was an absolute miracle for me.

Created:
Last Update:
Read in about 5 min
Aaron Burden: Fountain pen and a notebook

And the second linkdump with contents I read that week.

  • I don’t like the idea, sounds very 1984:
Created:
Last Update:
Read in about 2 min
Card image cap

So up to IBM Connections 6.0 everything was allowed until it was not excluded in one of the blocklist files. This files are stored within the Deployment Manager profile/config/cells/<cellname>/LotusConnections-config/extern. Now with Connections 6.0CR1 everything is forbidden, until it is enabled in the allowlist. This concept is rolled out for widgets (homepage and communities) and active content. Active content means HTML content too. So everything you or your users add to Connections (blog-posts, wiki pages) gets filtered during the save procedure. This removes all HTML tags and attributes which are not explicitly allowed!

Created:
Last Update:
Read in about 5 min