Adding External Users To Connections – A Nice Simple Tool

Ever since Connections 5 gave us the ability to add external users to Communities it has been the number one requested feature from customers. The problem is that external users must exist in an LDAP source and also must have a profile in Connections that is created via TDI.

There are lots of ways to do this but few that are end user friendly and simple.  For that reason, some time ago we started to use our own XPages application that we make available to customers that automates the onboarding of external users into Connections.  The application is very simple and has two possible modes you can run in:

  1. User self registration.  An external user can go to your website and create their own name / pw and email address. The system then sends an email to confirm the address is valid and asks them to click to activate.  On activation they create their own password that is checked against password requirements in the app (such as length, upper case, special character etc).  Once created the user can also self service a password reset via an email request sent to their account.
  2. User invite.  In this mode external users cannot create their own accounts but are instead invited by someone inside the company who again – goes to a webpage, creates a request and emails an activation link to their contact.  The rest of the process, activation, password checking, password reset remains the same.

It’s a single Domino database and can be set up in only a couple of hours.  Of course you still have to create the TDI sync but that’s a requirement no matter what you do.  For some time we’ve been considering how to make this tool available to the community at large since every customer we work with struggles with the same issue and we now have several good iterations of it we could share. We aren’t a product company and don’t want to sell it but we also can’t afford to commit to free support for a free download.

I’m not entirely sure of the answer. So far it’s been a non-issue since I’ve given it to customers we already do consultancy for or who ask us for consultancy. We’ve only charged for custom changes if required.  If you’d be interested in a copy of the database, seeing or testing it let me know and we’ll work something out.  It’s not open source, the code is our copyright, but if you have any suggestions as to how we can make it more available without committing a lot of resource to productise it (which I would have to do for OpenNTF) I’d be very happy to hear them.

Turning The Optimism Up To 11

After last week’s great MWLUG conference (thank you Richard Moy, Lisa Duke & all the sponsors) I realised how much I miss my community now there are fewer chances to meet in real life. I’m reminded it’s far too easy to think that the focus in my little personal bubble matches what everyone else is doing. My friends are not just my friends, they are the people who nudge me off track and kick my brain into thinking about new things it wants to learn and do.

The biggest gathering of all is always January in Orlando and although I had resigned myself earlier this year to saying goodbye for the last time (and literally did that) I realised I’m not ready to walk away whilst there’s still a strong community of people just as vocal and excited by technology (albeit very different technology) as when I first went in 1995. I saw it in Belgium in March, in Norway in May, in Atlanta last week and will see it again in London in a few weeks. So. Orlando.

I have no idea what the conference will be

I have no idea if my friends will be there

I have no idea if I’ll be speaking

But today I booked my flight, put a deposit on accommodation and sent in 4 abstracts which I’m excited about. I briefly went through the panic of “but how do I word this so IBM will pick it” before giving myself a slap to remember it’s not about what I’m meant to talk about, it’s about what I know, want to share and what I think people want to hear.

I may not be on stage – I don’t know if my subjects or even me are what are wanted this year – but I’ll be there, ready to hug my friends, share ideas, talk and laugh. I hope you will be too.

IBM Connections Mobile – Issues On Android

This is one of those posts that scare me – I’m fairly sure someone else must have seen and blogged this but since I can’t find anything I am writing this up.

I recently did a Connections 5 install for a customer, it was a clean install on clean hardware.  We did migrate the data but not the artifacts (the lc-export function) because we wanted to have clean XML and configuration files. Once installed the mobile application worked perfectly on iOS but on Android there were no applications listed when you logged into the mobile application.  Since the configuration for mobile isn’t OS specific (or isn’t documented as being so) I assumed the mobile-config.xml was correct as it worked for iOS.  So the customer went ahead and opened a PMR, the response from IBM was

“Your Connections engineer missed a step in migrating the mobile application”

Well that’s strange because this wasn’t a migration and if I look at the migration documentation in the IBM Knowledge Centre there’s no mention of any tasks related to mobile-config.xml.  A follow up IBM email said we had a missing “NavigationGroups” section so I checked the mobile-config.xml.  The section is there but with no real entries in the default version:

<NavigationGroups>
<NavigationGroup name="Favorites">
<Expanded>false</Expanded>
<HideNavGroup>false</HideNavGroup>
</NavigationGroup>
<NavigationGroup name="Updates">
<Expanded>true</Expanded>
</NavigationGroup>
<NavigationGroup name="Applications">
<Expanded>true</Expanded>
</NavigationGroup>
</NavigationGroups>

The only document on the knowledge base that has the words “NavigationGroups” in it is the one that talks about extensibility of the Mobile app – here.  So OK, I take the example from there and attempt to modify my mobile-config.xml but on checking it back in using MobileConfigService.checkInConfig it returns an invalid XML error.  Looking at the IBM example it seems their XML structure is wrong.  If you are going to have an ApplicationList node entry then it MUST come after the Expanded and HideNavGroup entries.

The IBM suggested content is below – this fails

The ApplicationList node entry before the Expanded node entry is invalid XML structure

The final correct format I used is:

<NavigationGroups>
<NavigationGroup name="Favorites">
<Expanded>false</Expanded>
<HideNavGroup>false</HideNavGroup>
<ApplicationsList>communities,wikis,activities</ApplicationsList>
</NavigationGroup>
<NavigationGroup name="Updates">
<Expanded>true</Expanded>
<HideNavGroup>true</HideNavGroup>
</NavigationGroup>
<NavigationGroup name="Applications">
<Expanded>true</Expanded>
<HideNavGroup>false</HideNavGroup>
<ApplicationsList>profiles,communities,files,wikis,activities,forums,blogs,bookmarks</ApplicationsList>
</NavigationGroup>
</NavigationGroups>

I am still awaiting more testing but it does seem from IBM’s response that the Android OS requires this section to be completed in a way that the iOS OS doesn’t.  It’s not part of the migration documentation though.
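Because checkInConfig only tells you the XML is invalid, it helps to check the element order before checking in. This is an added example, not code from the post or from IBM; it assumes the rule stated above (ApplicationsList must follow Expanded and HideNavGroup) and also catches the curly quotes that creep in when XML is copied from a web page.

```python
import xml.etree.ElementTree as ET

# Child order the post reports checkInConfig enforces inside <NavigationGroup>.
# Assumption: these three elements are the only ones whose order matters.
EXPECTED_ORDER = ("Expanded", "HideNavGroup", "ApplicationsList")

# Curly quotes produced by blog/doc rendering; they make the XML unparseable.
CURLY_QUOTES = "\u201c\u201d\u2018\u2019"

# Constructed sample: the IBM-style fragment with ApplicationsList first.
BAD_CONFIG = """<NavigationGroups>
<NavigationGroup name="Favorites">
<ApplicationsList>communities,wikis,activities</ApplicationsList>
<Expanded>false</Expanded>
<HideNavGroup>false</HideNavGroup>
</NavigationGroup>
</NavigationGroups>"""

# Constructed sample in the corrected order from the post.
GOOD_CONFIG = """<NavigationGroups>
<NavigationGroup name="Favorites">
<Expanded>false</Expanded>
<HideNavGroup>false</HideNavGroup>
<ApplicationsList>communities,wikis,activities</ApplicationsList>
</NavigationGroup>
<NavigationGroup name="Updates">
<Expanded>true</Expanded>
<HideNavGroup>true</HideNavGroup>
</NavigationGroup>
</NavigationGroups>"""


def check_navigation_groups(xml_text):
    """Return a list of problem strings for a <NavigationGroups> fragment.

    An empty list means the fragment is well-formed and every
    NavigationGroup lists its children in EXPECTED_ORDER.
    """
    problems = []
    bad_chars = sorted({ch for ch in xml_text if ch in CURLY_QUOTES})
    if bad_chars:
        problems.append("typographic quote(s) %r found; replace with straight quotes" % bad_chars)
        return problems  # the parser would only report a less helpful error
    try:
        root = ET.fromstring(xml_text)
    except ET.ParseError as err:
        return ["not well-formed XML: %s" % err]
    for group in root.iter("NavigationGroup"):
        name = group.get("name", "<unnamed>")
        children = [child.tag for child in group]
        # Rank the known children; a rank list that is not already sorted
        # means something (e.g. ApplicationsList) appears too early.
        ranks = [EXPECTED_ORDER.index(tag) for tag in children if tag in EXPECTED_ORDER]
        if ranks != sorted(ranks):
            problems.append("%s: children are %s, expected order %s"
                            % (name, children, list(EXPECTED_ORDER)))
    return problems


if __name__ == "__main__":
    for label, text in (("bad", BAD_CONFIG), ("good", GOOD_CONFIG)):
        print(label, check_navigation_groups(text) or "OK")
```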

All Change On IBM Connected Abstract Submission

A couple of weeks ago I blogged about the Connected Abstract submission process and the topics available to choose from

.. that was then.  This is now  All change.  Gone are the topics of

Digital Experience, Email, Meetings and Chat, Social Collaboration, Social Content

To be replaced by more familiar “topics” that look more like the tracks we are used to.  As I discovered when I went to submit the ones I had written in draft .. time for a bit of a rework.  You still have until September 4th to submit yours.

Abstract Topics

Submitting Abstracts For Connect 2016 And Some Interesting Discoveries

Yesterday the IBM Connect 2016 site updated with the call for abstracts, so today I’m submitting sessions because I don’t know 100% what form the conference will take but I want to contribute as best I can to deliver the kind of event we all want to be at.  They may not pick my session (alright sessions – I’m submitting a few choices) but I have topics I’m excited about and that I think people want to learn about so I went to submit.

First things first, as with last year you have to create a speaker profile before you start, with your background and a small bio, but what I really found interesting was the submission form. There are no mentions of any specific tracks so when you submit a session you only get to choose from “Technical Breakout” or “Business Strategy Breakout”.  What’s really exciting is the list of topics to choose from, which I assume are in alphabetical rather than importance order:

Digital Experience
Email
Meetings and Chat
Social Collaboration
Social Content

Look at that! Those topics may be broad but they are exactly the things I want to hear about (Email, Chat, Social Collaboration) and talk about.  In previous years we’ve had a lot of other topics listed that I would say fell outside the core interest of people that attended Lotusphere of old.  I’m not saying that’s bad but it’s certainly good news that this conference is embracing the topics and technologies we’re all working with today and not just those IBM hope we will be working with tomorrow.

The categories that your session can fall into are short and sweet as well – personally I’m excited to see sessions that fall under these headings:

Analytics
Cloud
Cognitive
Commerce
Mobile
Security

There are only a few weeks to submit as it closes on September 4th and I’ve heard noises about the short notice but I’m honestly not sure why.  It’s not a surprise to anyone that Connect is running in January, that was announced months ago. It’s not surprise content, we are all working with these technologies.  Submitting an abstract is simply a case of finding a topic that interests you, that you have a unique slant on and sending it in.  My plan as always – be enthusiastic, write a good abstract and hope for the best.

I’m not involved in any way with the content this year but I’ve seen enough abstracts over the years to offer some advice I think – YMMV but here is last year’s posting on how to write an abstract 🙂

Good luck and click here to get started..

Domino LDAP And A Failure To Authenticate

Bear with me and try not to shout at the screen “we all know that” – this blog is about the 10 hrs I lost yesterday troubleshooting a problem I distinctly remember seeing before and realising, once I solved it, that last time it had also taken me hours and ended up being the same issue.  In my defence the last time I had this problem it was with Quickr so that’s a throwback and even if this blog isn’t news to you, it will hopefully be there for me in another 5 years…

I was using Domino as a LDAP source for Connections.  I don’t manage the Domino side of things for this customer so I had just asked them to add a secondary directory (in this case for External users) to Directory Assistance on their LDAP servers. I wanted the DA document set to be LDAP only rather than LDAP & Notes / Internet Authentication**. They did that and I tried to login from Connections to discover that I could login as a user in names.nsf but not as a user in the secondary directory. Time to look at the configuration.  Here’s what I did

1. Confirmed the DA document looked OK.  It actually wasn’t set to trust for credentials so I enabled that.
No luck.

2. Tried “sh xdir” to verify the directory was listed. It was, as Directory #4 out of 6.  Tried sh xdir reload to refresh Directory Assistance and then tried restarting the server
No luck but at least I knew DA was configured correctly

3. Turned on LDAPDebug=3 so I could see the debug information. At this point I could see the failing accounts (any in the secondary directory) were coming up with “authentication failure using internet password” in Domino and in the SystemOut.log of the WAS server that hosts the homepage application I saw references to PasswordFailedCheckException behind CWWIM4529E and SECJ0369E errors. Password failed? That made no sense at all.   One thing that was an issue was that the server I was working on was being probed every few seconds by a remote machine for availability on LDAP so with debug turned on the screen was filling up with thousands of lines of content making it difficult to see and track my own issues.  In retrospect if I’d asked for that to be disabled it would have saved me hours.

4. I then took a step back and installed Softerra’s LDAP Browser so I could test things outside of Connections.  I could bind using any credential in names.nsf but when trying to bind using a credential in the secondary directory I got “invalid credentials” and LDAP wouldn’t bind.

5. I then cut and pasted a person document from the secondary directory to names.nsf to verify if the issue was the directory itself or the format of the person documents. I knew those documents worked fine on another server where they were in the names.nsf.  Turns out that if I moved them to names.nsf they worked fine.  I could bind with Softerra and I could login with Connections.

hmmm

6. I go back and check the ACLs of both names.nsf and the secondary directory.  I may even have bumped up default to something stupidly high *cough*Editor*cough* for 30 seconds to rule that out.
No luck

7. I paste the person document back into names.nsf again and bind with Softerra. This time I try and search for a name I know is in both the names.nsf and secondary directory (not the same name, just the same lastname).  Interestingly I get access denied / unauthorised – it finds the two entries but doesn’t let me see the content of them.  The fact that it found the entries meant that it could search LDAP but it can’t display them?  Surely that’s ACL issues.  So back I go to check the -default- rights on both directories and even test effective access for the specific account I’m using.  Nothing.

Then I see it.  As I try searching and searching and trying to catch errors on the server logs amongst the mass of LDAP debug information.. I see
searching directory names.nsf for sn=davis
searching directory directories\custnames.nsf for sn=davis
search directory directories\morenames.nsf for sn=davis unauthorised, skipping
search directory directories\externalnames.nsf for sn=davis
search directory directories\suppliers.nsf for sn=davis

Right there – in the middle. A directory I don’t care about, that has two dummy documents in it but happens to be part of Directory Assistance.  I go look and yes, -Default- is set to No Access. I change that to “Reader” and ta-da! suddenly I can both bind and login.  Then I remember I had this exact problem before at another customer with many directories that I didn’t set up or configure and it took me forever to find because I simply don’t touch what I’m not meant to be managing. In this case a directory that’s nothing to do with me and isn’t being used by my application on a server I don’t manage.

So what happened? It appears that Domino LDAP will search multiple directories but once it comes across one it can’t access with those bind credentials it doesn’t skip over it.. it stops.  The “skipping” isn’t strictly true.  So when the credentials were in directories one or two they worked. in directories four or five they failed because it stopped at directory three.
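The debug trace is the only place this shows up, and the “skipping” wording hides it. Here is an added example (mine, not from the post) that reads lines in the shape quoted above and reports, per search filter, the first directory that answered unauthorised and the directories after it that were therefore never really consulted. It assumes the real LDAPDebug output follows the format of the quoted lines and that directories appear in Directory Assistance order.

```python
import re

# Constructed sample in the shape of the LDAPDebug lines quoted in the post.
# Directory order matches the Directory Assistance order shown by "sh xdir".
SAMPLE_LOG = """\
searching directory names.nsf for sn=davis
searching directory directories\\custnames.nsf for sn=davis
search directory directories\\morenames.nsf for sn=davis unauthorised, skipping
search directory directories\\externalnames.nsf for sn=davis
search directory directories\\suppliers.nsf for sn=davis
"""

# "searching directory <db> for <filter>" with an optional trailing status.
LINE_RE = re.compile(r"^search(?:ing)? directory (\S+) for (\S+)(.*)$")


def parse_search_trace(log_text):
    """Group the directories Domino tried for each filter, in trace order.

    Returns {filter: [(directory, unauthorised), ...]}.
    """
    trace = {}
    for line in log_text.splitlines():
        match = LINE_RE.match(line.strip())
        if not match:
            continue  # ignore the unrelated debug noise around the lines we want
        directory, ldap_filter, tail = match.groups()
        denied = "unauthorised" in tail.lower() or "unauthorized" in tail.lower()
        trace.setdefault(ldap_filter, []).append((directory, denied))
    return trace


def find_blocking_directory(entries):
    """Return (first unauthorised directory, directories listed after it).

    (None, []) means every directory was searchable for this bind identity.
    The post's finding is that the search stops at the first unauthorised
    directory, so the directories after it are effectively never searched.
    """
    for index, (directory, denied) in enumerate(entries):
        if denied:
            return directory, [d for d, _ in entries[index + 1:]]
    return None, []


def report(log_text):
    """One human-readable line per search filter found in the trace."""
    lines = []
    for ldap_filter, entries in parse_search_trace(log_text).items():
        blocker, shadowed = find_blocking_directory(entries)
        if blocker is None:
            lines.append("%s: all %d directories searchable" % (ldap_filter, len(entries)))
        else:
            lines.append("%s: %s returned unauthorised; give -Default- Reader access "
                         "there or users in %s cannot authenticate"
                         % (ldap_filter, blocker, ", ".join(shadowed) or "later directories"))
    return lines


if __name__ == "__main__":
    for line in report(SAMPLE_LOG):
        print(line)
```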

My lessons are
1. Remove as much extraneous activity as you can or you won’t be able to debug quickly enough
2. Always check everything (or in my case ask permission to check everything) even if it looks unrelated and especially if you didn’t set it up yourself 🙂

You’re welcome Gab of the future….

**Added on this morning.  Using LDAP only for authentication doesn’t work because a Directory Assistance document set to LDAP only doesn’t actually work for anything but LDAP searching. Not for authentication at all.  Foolish me for trying to be logical.  Here’s what the pop up help says – and they’re right. I tested it :-)

DirectoryAssistance

Return Of The Watch

Watches are gone or going the way of the dodo right? I mean actual watches that just tell time not watches that try and be supercomputers.  Everyone tells the time on their devices now so you don’t get a watch to do just that.  Right?

I don’t wear a watch.  I haven’t worn a watch since I was a child, I think my last watch memory was seeing 1979 click over to 1980 on my Casio digital watch on New Year’s Eve (yes even as a child I knew how to party).  I stopped wearing watches as a child because I kept losing them.  As I got older I didn’t want a watch because I felt that paying too much attention to time was unhealthy and stressful.  I think I have a good internal clock and I can always tell when a kitchen alarm I’ve set is about to go off about 5 seconds before it does :-).  On top of that, working with computers taught me to stop wearing anything on my wrists – it slows me down, irritates me and I end up taking bracelets off and – yes – losing them.

So this is a long way of saying, today I bought a watch.  Not an expensive one.  Just a swatch but I finally decided a watch is what’s missing from my life. You see I get very little “down” time.  When I do get downtime I know I have a set window to relax before I have to get some more work done.  That means I have to keep picking up my phone to check the time.  When I pick up my phone to check the time, I see mail notifications or text messages or am reminded of 1000 other things I should be doing in that moment instead of just sitting and reading.

The devices that tell me the time are also now inextricably linked with “work” and therefore “stress”.  A watch is now the easiest and least stressful way to actually tell the time.  It’s an interesting full circle and I wonder if it’s just me.

More IBM Docs Fun And Games

…a few more notes from my latest IBM Docs install.  Previous installs including in test at this customer proceeded with no problems but this one presented several challenges so I’m sharing them here in case anyone else has the same.  Firstly since there’s a Windows machine involved let’s rule out the biggest possible issues

1. Make sure Windows is activated. Microsoft does restrict behaviour and performance in non-activated Windows. No, I don’t have proof, I just have solid evidence of that behaviour.  Activating Windows often makes the pain go away.

2. Make sure you disable the Windows local firewall.  Even if you can only do so during the install.  The server is going to have to talk to – and be talked to by – the deployment manager at least, and with Windows firewall enabled your install will fail.

3. Make sure every server can ping every other server, even itself. And using an IPv4 not IPv6 routable address.

4. Disable UAC.  PLEASE.  In Windows 2012 that’s a registry hack where you set EnableLUA to 0 under “HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\policies\system”

So now we’re ready to install.  There are two options – Installation Manager and using the manual scripts.  Obviously Installation Manager is easier, if you’re installing all components at the same time and if it works.  Here are the standard components I’d usually install for full IBM Docs in a Connections environment with no CCM.

Installing IBM Docs

My problem was that in this instance the installer failed during the Docs Proxy server install.  I could see in the logs (found under the IBM Docs Conversion install directory – in my case D:\IBM\ConnectionsDocs\Conversion\logs) that Conversion, Docs and Viewer all installed and deployed with no problems.  However since I chose six components, when it failed on one it rolled back the entire thing.

The error was “Target with name docsserver.domain.com was not found“.  Why would it say that when the script is running on docsserver.domain.com and it can certainly find itself?  The answer is in how the installer works.  It has local python scripts that are actually called by the Job Manager in your Deployment Manager so the error (which exists only on the docs server) is basically saying “the Deployment Manager cannot run the python script on this server”. That’s curious.  Then I realise that to run a remote script the Deployment Manager must contain a job target.  A configuration setting that tells it how to reach a remote server and gives it credentials to run the code.  I checked and although the installer had created a job target, when I tested there were no stored credentials.  My guess is this was from an earlier attempt when UAC wasn’t fully disabled and the job target was created incompletely.  I re-created it to make sure it worked ok (it tests on save).

JobTargets

So back to square 1 (or snapshot 1).  I removed the half created clusters for Docs, Conversion and Viewer, I removed the Docs Proxy cluster, but I left the job target in place and relaunched the install.  This time my plan was to install in stages taking snapshots between each one.  This was a VERY bad idea.  Docs and Conversion installed and tested perfectly.  However when I went to Installation Manager and chose “Modify” to add the Viewer component it failed.  It took 8hrs to fail, during which time I monitored the logs carefully and this is what it did.

  • To modify an existing IBM Docs install and add a new component the install first UNINSTALLS all existing components even the working ones you may have installed months before
  • It then reinstalls the components it just uninstalled and attempts to install the new component as well
  • When that failed, it uninstalled all the components again and then reinstalled the original two. Leaving me back where I started 8 hrs later

It wasn’t so much the time lost as my fear that during the whole uninstalling / reinstalling of perfectly good servers it would somehow fail and break something that worked.  So.  New plan.

I now had a working IBM Docs and Conversion server to which I needed to add Viewer and Docs Proxy.  I’m staying away from Installation Manager at this point.  I want more control and I don’t want to waste another 8hrs before I can troubleshoot.  Luckily we do have the option to manually install components instead of using installation manager. To do that I extracted the installers and modified the cfg.properties files as per the documentation.  That worked fine after an initial failure.  The instructions don’t say to pre-create the Clusters and server members before running the scripts but you must do that and use the Cluster server names as in the documentation.  If you don’t, the scripts will fail when they try and connect to the deployment manager to find the servers to install onto.  If you’re using Installation Manager you don’t need to do this as the installer does it for you.

Finally there are test URLs as you install each component of <hostname>/componentname/version.txt eg http://connect.turtlepartnership.com/docs/version.txt.  To ensure this works you must regenerate and propagate the plugin-cfg.xml and restart your IHS server.  Also bear in mind the syntax must be lower case: /docs/version.txt, /viewer/version.txt and /conversion/version.txt.

So there you go.  This was probably the 5th 1.0.7 install I’ve done and the first one to hit a problem. Try it first with Installation Manager. Make sure you back up (or better yet snapshot) both Deployment Manager and your IBM Docs server before starting and if it starts failing switch to running the manual scripts.

Have fun!

THIS is how our community learns, thrives and has fun like no other

In just over two weeks’ time I’m heading to Atlanta for the MWLUG conference.  It’s my first MWLUG visit and this year’s conference is ridiculously packed with technical experts, champions, sponsors and more great content than you’re going to see in person anywhere else in the US this year.  Take a look at this schedule (you’ll see me on it).

4.45 on Thursday I have a Domino session called “What is your server trying to tell you”.  I’ve done similar sessions with this title before but I always update it to talk about the best tools and new tricks I use to manage or healthcheck Domino environments.  It’s great having a pure Domino Admin session so I hope you’ll stick around to catch mine.

11.30 on Friday morning I have a session on “Planning and Completing A Connections Upgrade”. Whether it’s a version upgrade in place, a side by side upgrade, a fixpack or a cumulative release, I’ll talk about how to plan, what to look out for, how not to finish until you’re completely done and deciding when to upgrade and when not.  If you’re thinking of upgrading to CR3 which shipped last week this should be a valuable session.

If you haven’t registered go do that now and I’ll see you there (the weather should be balmy in August yes?) REGISTER

The IBM Docs Dilemma

IBM Docs is a really nice add on to IBM Connections, what’s more it’s not particularly hard to install.  It does have one requirement, a big one, a show stopping one, a requirement that prevented my customer build from working for about four weeks until IBM and I came up with an agreement for how it could work.  Hopefully this will help you fast forward through that four weeks yourself ..

IBM Docs Infrastructure – The Simple Version

IBM Docs has four component WebSphere servers with applications stored on each.

IBM Docs Servers

The servers also need access to three data shares; the standard Connections share, a new share for IBM Docs data and a new share for IBM Docs Viewer.  I created the two new shares on the Linux server that currently hosted the CIFS Connections share and installed Samba to enable a Windows server to access them.

I had one problem where it consistently failed during install if I didn’t use capital letters for the mapped drives.  It didn’t refuse to accept lower case letters, it just failed the install.  If your install fails make sure you aren’t using lower case letters.

Challenges

The key requirement for IBM Docs to actually work is that

1. The shares must use mapped drive letters and those drive letters must exist prior to the IBM Docs elements being started

2. The IBM recommendation for achieving this is to create a batch file on the IBM Docs OS (which must be partially if not wholly Windows) to do the drive mapping and have that load in Windows task scheduler on startup.

3. The WAS servers must then be run as services not using a system account but using a named Windows account that matches the one assigned to run the batch file in task scheduler

This solution had two problems: I hated it, and it didn’t work.

I hated this idea because my customer doesn’t run AD at all and their share was a Samba share on a Linux box using CIFS.  That means there is no account that can be used to start the services that can also be used to map the drives. There is no easy way to have Windows pass credentials to mount the shares without storing both the name and password that Samba recognises in the batch file – like this

net use m: \\hubshared\ibmdocsdata sambapassword /user:sambaaccount
net use n: \\hubshared\ibmdocsview sambapassword /user:sambaaccount
net use l: \\hubshared\conntestshare sambapassword /user:sambaaccount

Unfortunately after several weeks of different ideas from L3 support we admitted defeat to allow me to move on with the install.  I have minimised risk by ensuring the account isn’t a Linux account and only has access to the Samba shares.

The second part of the solution is the assumption that if you map the drives through task scheduler owned by a Windows user and that same Windows user starts the WAS services – the WAS services will be able to see the mapped drives.  To everyone’s disappointment that absolutely didn’t work because Microsoft kindly mapped the drives from the batch file in a different session to the one where it started the WAS services.  The servers couldn’t see the mapped drives.

So the install was simple but getting everything running securely and without the customer having to manually do anything held us up for weeks.  In the end I opted for a solution where I created a batch file to both map the drives and then start the WAS servers in a scheduled startup script.  That worked beautifully and this is what it looks like

net use m: \\hubshared\ibmdocsdata sambapassword /user:sambaaccount
net use n: \\hubshared\ibmdocsview sambapassword /user:sambaaccount
net use l: \\hubshared\conntestshare sambapassword /user:sambaaccount

Call "c:\IBM\WebSphere\AppServer\profiles\IBMDocs\bin\startnode"
Call "c:\IBM\WebSphere\AppServer\profiles\IBMConversion\bin\startnode"
Call "c:\IBM\WebSphere\AppServer\profiles\IBMViewer\bin\startnode"
Call "c:\IBM\WebSphere\AppServer\profiles\IBMDocsProxy\bin\startnode"

As you can see I only start the nodeagents. The servers themselves and the applications on them are bootstrapped to the start of those. To do that modify the server’s monitoring policy which is found under Java and Process Management for each server

Monitoring

Then set the “Node Restart State” to “RUNNING”

bootstrap nodeagents