Getting Around Documentation Errors With Connections Scripts

I’ve been meaning to write this blog for a while.  And by “a while” I mean since v4 of Connections.  IBM supply a series of scripts with the Connections install that are found in the install directory under the folder connections.sql.  These scripts are used for a variety of things, but most people will have to use them when migrating from an earlier version of Connections to a new one.  The scripts are under the database type folder for each application, so the scripts for the Blogs database on DB2 are in

/connections.sql/blogs/db2

Now you can put those scripts where you want obviously, but that’s where you will find them.  In that folder there are lots of files that are basically a series of SQL commands written out for you.  Each command line terminates with a ; or a @ to identify that’s the end of the command.  When running these commands with db2 you use a different syntax depending on whether the SQL file ends each line in a ; or @.  For example

;  means our command line is written as “db2 -tvf {filename} >{writetoalogfile}”

@ means our command line is written as “db2 -td@ -vf {filename} >{writetologfile}”

Writing to a log file isn’t compulsory but I always do so I can check if the script ran OK.

The problem is that on the  IBM Documentation site they often give the wrong syntax for each database (oh and they aren’t consistent) so on this page the instructions for the profiles database are

“db2 -tvf predbxferxx.sql”

If you run that (and the clue is it takes less than a second which is suspicious) you will see no errors but if you check your log you will see a single line saying

“End of file reached while reading the command”

That basically means we used the wrong line terminator.  We told it -tvf so it looked for a ; at the end of each line, but if we open predbxfer45.sql we can see each line ends in @.  If we change the command to

“db2 -td@ -vf predbxfer45.sql”

it runs perfectly.

It would be nice if the IBM documentation was correct but it’s a simple problem to catch and fix.
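A small wrapper for the terminator check described above, as an added example that is not part of the original post or of IBM's scripts: it picks the db2 flags from the terminator the file actually uses and treats the “End of file reached” log line as a failure. The function names and sample files are constructed for illustration, and it assumes any line ending in @ means the whole script is @-terminated.

```shell
#!/bin/sh
# Added example (not IBM's code): choose db2 CLP flags from the file's real terminator.

# Print "@" or ";" for the SQL script in $1; fail if neither is found.
# Assumption: a line ending in "@" means the script is "@"-terminated, because
# such scripts may still contain ";" inside procedure bodies.
detect_terminator() {
    if grep -v '^[[:space:]]*--' "$1" | grep -q '@[[:space:]]*$'; then
        printf '@\n'
    elif grep -v '^[[:space:]]*--' "$1" | grep -q ';[[:space:]]*$'; then
        printf ';\n'
    else
        return 1
    fi
}

# Print the flag string from the post that matches the terminator.
db2_flags() {
    case "$(detect_terminator "$1")" in
        '@') printf '%s\n' '-td@ -vf' ;;
        ';') printf '%s\n' '-tvf' ;;
        *)   return 1 ;;
    esac
}

# Succeed only if the log in $1 lacks the "wrong terminator" message.
log_ok() {
    ! grep -q 'End of file reached while reading the command' "$1"
}

# Run script $1 with the matching flags, log to $2, then check the log.
# The post reports no visible error on screen, so the log is what gets checked.
run_sql() {
    flags=$(db2_flags "$1") || { echo "no terminator found in $1" >&2; return 2; }
    db2 $flags "$1" > "$2"   # $flags is deliberately unquoted: it can hold two words
    log_ok "$2"
}

# --- constructed sample input so the checks can be tried without DB2 ---
SAMPLES=$(mktemp -d)
cat > "$SAMPLES/at.sql" <<'EOF'
-- constructed sample, "@" terminated
CREATE PROCEDURE demo.p ()
BEGIN
  DELETE FROM demo.t;
END@
COMMIT@
EOF
cat > "$SAMPLES/semi.sql" <<'EOF'
-- constructed sample, ";" terminated
DELETE FROM demo.t;
COMMIT;
EOF
printf 'End of file reached while reading the command.\n' > "$SAMPLES/bad.log"
printf 'The SQL command completed successfully.\n' > "$SAMPLES/good.log"

for f in "$SAMPLES/at.sql" "$SAMPLES/semi.sql"; do
    printf '%s: db2 %s\n' "$f" "$(db2_flags "$f")"
done
```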

One Dumb And Two Smart Things – Calling That A Win

Last night / yesterday afternoon I was building a Connections server (for an internal project) when I wiped out hours of work doing something dumb.  I had spent some time downloading all the software and fixes to the server which was Windows 2008 R2 (because I have plenty of licensing for that)  and then I installed DB2 and WAS and created the WAS profile.  Next step was to run dbwizard.bat to create the databases but that’s where weird stuff started happening.  The dumb bit had already occurred I just hadn’t noticed it yet…..

The DBWizard would launch and let me move past the first screen but no amount of clicking on “Next” would let me move off the “Create, Edit, Update” screen.  Clicking “Back” actually took me to the next screen (!) but I couldn’t get any further than that.  I refused to believe it could be a DB2 problem because at that point in the Wizard it had no idea I was running DB2, as I hadn’t chosen my database platform because I couldn’t get to that screen.  I started from the assumption that since DBWizard is a Java program my version of Java (brand shiny new updated yesterday) was incompatible.  So cue much time spent uninstalling and installing different Java versions to try and fix it with no luck.  I could have run DBWizard from another machine but I wanted to fix whatever the underlying problem was.  Then I realised the dumb bit: I had installed 32bit DB2 on a 64bit platform, which DB2 is fine with but the DBWizard really isn’t.  I don’t know if that was my problem (I still can’t believe on the early DBWizard screen it even knows to check) but in my attempts to fix, uninstall and clean up DB2, I corrupted the Windows registry.  At least that’s what I think I did because on restart Windows would only boot to a grey branded screen with no login, even if I chose one of the Safe modes or tried booting from a CD.

Since this work was about installing Connections and not fixing Windows I decided not to waste more time on it and start over.  Here come the two smart things.

1. I have a pre built Windows 2008 R2 VM disk with a 40GB C drive I use to clone and make new VMs.

2. I had downloaded and installed everything to a separate 100GB virtual disk

I detached the virtual disk from the broken VM

deleted that VM from the host entirely

made a copy of my simple VM disk

created a new virtual machine using that copy as its disk

added the 100GB virtual disk to that new VM

opened it up and changed its ip to match that of the VM I just deleted

and I was back in business.  Total time elapsed about 7 minutes

Of course I now had a D drive with software on it the Windows registry knew nothing about, but it was simple to just delete those installer folders and reinstall (the right) DB2, WAS etc and get back on track.  Certainly much simpler than trying to fix a broken Windows server!

IBM ConnectED 2015 Call For Abstracts – What Do Those Tracks Mean?

So the call for abstracts is out for ConnectED 2015 this coming January.  For those of you who don’t know, ConnectED is a very different beast than Lotusphere or even Connect previously. Its intention is to be much more technical as well as smaller (encompassing the Swan only). Think of it more like a technical user group, with more opportunity to learn and network.

Smaller also means fewer session slots available so you need to submit if you want to speak as soon as you can.  Call for abstracts closes on October 8th.  Some tracks are still here (yay Best Practices!), some have moved on (SNT) and some are brand spanky new!  Take a look at the track descriptions below to find out where you fit.  I’m particularly excited about Track 6 – Beyond the Everyday which looks at pushing the boundaries of IBM technology and where it coexists with other environments.

https://www-950.ibm.com/events/tools/ibmced/2015ems/

Track ONE: Strategy and Innovation
Who should attend?: CIOs, IT managers, IT professionals of all levels

Take your collaborative environment to the next level! Laying the foundation for the week, and designed for all levels of IT professionals, this track concentrates on these brand-new, “hot-off-the-press” technology innovations coming from the IBM labs and engineers, including exciting new technologies and glimpses of the future from industry gurus. From social transformation and exceptional web experiences to adoption best practices — and with “sneak peeks” at every turn — this track will be full of sessions that you won’t see anywhere else!

Track TWO: Application Development
Who should attend?: Developers and architects of all levels

The speed of business has accelerated to meet the speed at which people interact, digitally. People are “always on”, consuming data at constant rate. Their interactions and the Internet of things, are sources of that data. Traditional business processes are expected to combine that data with that which is inherent in their systems to provide individualized experiences to end users. This experience needs to be always available and customized to the device from which they choose to access it.

In this track, application developers will learn about building applications in a world of social interaction and information. Topics will include Cloud, Analytics, Mobile, and Social, using technologies for IBM Domino, IBM Connections, and IBM Exceptional Customer and Employee Experience Suite.

Track THREE: Infrastructure and Deployment
Who should attend?: System administrators, IT managers and integrators of all levels

The Infrastructure track is at the technical heart of IBM ConnectED; these sessions will provide the knowledge you need to design, deploy and manage a collaboration infrastructure tailored to your business needs. You’ll learn planning considerations, administration/deployment techniques, and daily “tips and tricks” straight from IBM’s software architects, developers, product managers and “in-the-field” experts. Whether you’re a new systems administrator, an experienced collaboration architect, or something in between – this track will provide what you need to get to the next level.

Track FOUR: Best Practices
Who should attend?: IT managers and practitioners: application developers, system administrators, integrators; technologists of all levels

The popular Best Practices track is delivered by the community – for the community – and is all about technical solutions that can be implemented TODAY. Whether it’s adoption or development — Domino, mobile, cloud or portal, sessions here provide tips, tricks, and quick maneuvers with a focus on learning from the experiences of others. No product or marketing sessions found here, these sessions take away pain, bring back the fun and deliver the technologies. So put on your thinking cap and see if you can create a session that will meet these standards! We want to hear from you!

Track FIVE: Spotlight on IBM Business Partners
Who should attend?: IT managers and practitioners as well as business leaders and professionals

Back by popular demand! Sessions in this track showcase the highly-acclaimed solutions that our Business Partner community is known for – with technical detail and best practices on how the solution was built! Whether your focus is social software, email, unified communications, or creating exceptional digital experiences – on-premise or in the cloud – there’s something here for you!

Track Six: “Beyond the Everyday”
Who should attend?: IT managers and practitioners: application developers, system administrators, integrators, technologists of all levels

In this track, we step outside the standard uses of our IBM technologies and see how people have combined tools and new techniques to innovate and extend what their software can do. Meeting the demands for multiple technologies, platforms, frameworks, mobile, cloud, on premises and beyond, “Beyond the Everyday” is a deep technical track where approaches will be explained and demonstrated. These sessions may feature IBM products as part of a larger story or may be entirely focused around stretching the products we know to the limits of their capabilities. One thing is for certain, they all will be about new ideas and will leave the audience excited to try for themselves!

Track Seven: Chalktalk Sessions
Who should attend?: Any and all ConnectED attendees, both IT and business roles

Come one, come all! Chalktalk sessions are informal, interactive discussion groups for attendees to share ideas and experiences in a small group and open forum setting. Feel free to submit topics that interest you, either those you would like to lead, or topics and discussions that you’d like to participate in! As a reminder, attendees build the agenda by voting on all submissions and ultimately select the sessions that will appear on the agenda. So you’ll be sure to find something that’s well worth your while!

Sessions will likely focus on the areas below, but other ideas more than welcome!

  • Messaging and Collaboration
  • Social Software
  • Exceptional Digital Experience portfolio
  • Cloud
  • Mobile
  • and more!

Adding External Users To Connections 5

Last week I did a presentation at Icon UK on the new Connections 5 feature that allows you to add external users into your Connections environment.  To write the presentation I built my own environment multiple times using different techniques for adding external users and discovered some interesting stuff along the way.  Since the presentation doesn’t have my commentary on it I’ll try and summarise that here.

1. On page 6 is a list of things an external user can do according to IBM documentation.  Some of the items on that page (in italics) actually didn’t, in any of my testing, work.  This is because there are conflicting security limitations on what a user can’t do (see items in bold on page 7).

So for example although the documentation states that an external user can share files with people or communities, it also states that they can’t use type ahead or directory lookups.  Preventing type ahead and directory lookups actually disables the ability to share files with a user since there’s no way to lookup a user.  Sharing files with a Community works fine.

2. The external users can be added via an LDAP attribute from your LDAP server or by a separate LDAP server or branch.  Although an entirely separate LDAP server is more secure and in my opinion preferable, it must use a search base which means flat names in Domino can’t be part of the external LDAP source.

To counteract this in one instance I faked a hierarchy as the users were created (using a simple Xpages app to allow people to self register and manage their own passwords and setting a fake hierarchical name for them in the background).  In the other instance I used the same LDAP source as for internal users but with a specific attribute set to the word “external”

In general the external users feature has been locked down securely enough that I’d highly recommend it for inviting people to work with your Connections communities.

Icon UK Presentation – External Users in Connections 5

Today I am finishing my presentation for ICON UK on external users in Connections 5.  There’s a lot to cover and I’m trying to run neither over nor under time and pull off the goldilocks of presentations covering…

  • How external access works
  • What can external users do (and not do)
  • How your internal users interact with external users
  • Configuring external user access
  • Securing the perimeter
  • Implications and things to think about…

I’ll post the presentation here once I’m done but of course it won’t come with me talking over each page (is that good or bad?)  – so if you can make it to Icon tomorrow at IBM South Bank in London, I hope to see you there.  My session is at 11am.

 

WebSphere Things That Drive Me Insane – Pt..um.. 3

I actually like WebSphere. Honestly I do.  But it really really does not like Domino and Domino is my first love (well 2nd love.. ccMail you’ll always be first in my heart).  I have always run into problems configuring Domino within WebSphere mostly due to the fact that Domino LDAP isn’t always hierarchical the way every other LDAP is.  Back in the original Sametime 8.5 days we couldn’t have users of ST who didn’t have hierarchical names and we used to have to fake a hierarchy (C=US) to trick WebSphere.

My latest hair tearing out insanity is shown below.  To configure external users for Connections you can choose to set up an alternate LDAP source – in this case I’m using a dedicated Domino server I can make publicly available for people to register themselves.  Here are my repositories set up in WebSphere showing the two Domino LDAP sources..

LDAP1 is our internal directory
LDAP SSO the external / public facing

Here’s the fun bit.. this is what the federated repositories actually look like in WebSphere

Federated Repositories

As soon as I added the external Domino LDAP repository it changed the original internal one to the external one so that’s listed twice.  Try and add it again and it adds the same one a third time.  Even more hilarious, only the original (unlisted) one actually works and lists / authenticates users.

And yes, if I try and delete one it actually deletes all three.  Off I go to edit some XML files….I’ll post a fix when I get there

IHS Errors or WHY Won’t Connections SSL Work

It happens.  Usually when I’m building a test server on a single box and I’m building in a hurry.  I get everything configured and installed and take a brief stopover at IHS configuration on my way to completing security setup.   I create my keyfile using ikeyman, I import my trusted root certificates from whichever CA I plan to use and I generate a personal certificate.  I think it’s all working fine then I restart IHS and one of two things happens

1. IHS starts but only for 80 not 443

2. IHS starts on both 80 and 443 but I get an error 500 trying to access any Connections page over SSL

The logging on the 2nd error isn’t terribly useful and it’s tempting to run around checking the module mappings and LotusConnections-Config.xml for the source of the problem.  For some reason, even though I’ve seen each of these lots of times, my brain insists on starting at the beginning with debugging and looking at the logs.  So this blog is for you brain – next time just come here and check this first

1. The solution is often that the keyfile either isn’t where I told httpd.conf it was OR where the plugin-cfg.xml is looking for it.  Take time to go check the plugin configuration under your webserver in the ISC and make sure the name and location are what you think they are.  Then go and actually make sure they are there

2. A handshaking error caused by either the signer certificates used by the application servers not being imported into the keyfile OR (and this one drives me batty) installing everything on one box with the same hostname for the WebSphere servers as the IHS server.  In the 2nd instance you can’t have two totally different certificates both claiming to be the same hostname trying to talk to each other.  I export the certificate from WAS trusted key store and import it into ikeyman (or import into WAS and map each of the servers).

In general when I’m configuring IHS it’s always down to a file not being where I told httpd.conf it was.

Here are my rewrite and plugin lines for 64bit IHS on this particular Linux box

LoadModule was_ap22_module "/opt/IBM/WebSphere/Plugins/bin/64bits/mod_was_ap22_http.so"

WebSpherePluginConfig "/opt/IBM/HTTPServer/Plugins/config/webserver1/plugin-cfg.xml"

RewriteEngine On
RewriteRule ^/$ https://<hostname>/homepage [R,L]

Update: I should have linked to this document which I found in the past and is always useful. Troubleshooting IHS
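The “is the keyfile really where the config says it is” check from the first fix above, as an added example that is not part of the original post: it reads the KeyFile directive from httpd.conf and the keyring and stashfile properties from plugin-cfg.xml, then reports every referenced file that is missing or unreadable. The function names, paths and sample configs are constructed, and it assumes each plugin Property element sits on one line with Name before Value.

```shell
#!/bin/sh
# Added example (not from the post): verify the key files IHS and the plugin point at.

# Print every path given to a KeyFile directive in the httpd.conf passed as $1.
# Directive names are case-insensitive; commented-out lines are skipped.
httpd_keyfiles() {
    awk 'tolower($1) == "keyfile" {
             $1 = ""; gsub(/^[ \t]+|[ \t\r]+$/, ""); gsub(/"/, ""); print
         }' "$1"
}

# Print the keyring and stashfile paths from the plugin-cfg.xml passed as $1.
plugin_keyfiles() {
    sed -n \
        -e 's/.*Name="keyring"[[:space:]]*Value="\([^"]*\)".*/\1/p' \
        -e 's/.*Name="stashfile"[[:space:]]*Value="\([^"]*\)".*/\1/p' "$1"
}

# $1 = httpd.conf, $2 = plugin-cfg.xml.
# Prints "MISSING <path>" per absent or unreadable file; returns 1 if any were found.
check_keyfiles() {
    missing=$( { httpd_keyfiles "$1"; plugin_keyfiles "$2"; } | sort -u |
        while IFS= read -r f; do
            [ -r "$f" ] || printf 'MISSING %s\n' "$f"
        done )
    [ -z "$missing" ] && return 0
    printf '%s\n' "$missing"
    return 1
}

# --- constructed sample configs: the IHS keyfile exists, the plugin one does not ---
DEMO=$(mktemp -d)
mkdir -p "$DEMO/keys"
: > "$DEMO/keys/ihs-key.kdb"
cat > "$DEMO/httpd.conf" <<EOF
# constructed sample
Listen 443
#KeyFile "/old/location/key.kdb"
KeyFile "$DEMO/keys/ihs-key.kdb"
EOF
cat > "$DEMO/plugin-cfg.xml" <<EOF
<Config>
  <Transport Hostname="was.example.invalid" Port="9443" Protocol="https">
    <Property Name="keyring" Value="$DEMO/plugins/plugin-key.kdb"/>
    <Property Name="stashfile" Value="$DEMO/plugins/plugin-key.sth"/>
  </Transport>
</Config>
EOF

check_keyfiles "$DEMO/httpd.conf" "$DEMO/plugin-cfg.xml" ||
    echo "fix the paths above before restarting IHS"
```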

The IBM Champion – Dilemma

It’s IBM Champion nomination time once more.  I’ve been extremely appreciative of being made a Champion in both 2013 and 2014 (since the program for Collaboration Services started) but each year it becomes a very stressful experience (not quite on a par with wondering if I’ll get to present in January but close).

The process works by someone nominating you using this URL  on Greenhouse.  Existing Champions reset each year so having been one before is no guarantee you will be one again.  Why the dilemma? Well each year you can nominate yourself because – hey – who knows better what stuff you do than you ? The problem is where that process meets my own feelings about being a Champion, basically that if I did anything worth being a Champion people will nominate me and if I didn’t they won’t.

Nominating myself isn’t something I would feel comfortable doing so I wait and see if anyone out there considers me worth nominating.

So what’s the point of this post?

Last year a few friends who I thought would certainly be “Championed” were not nominated by anyone – not themselves and shamefully not me.  I had assumed that others would do it and they, like me, assumed if they added any significant community value then someone would nominate them.  But that’s not how this works and many many people (rightfully) nominate themselves.   So this post isn’t to ask you to nominate me, it’s not to give you a list of things I’m proud of doing or that I hope have added to the community in some way.  It’s to ask you to consider nominating anyone you think should be a champion, even if you don’t know much more about them than you’ve seen them present or read their blog or they’ve helped you out personally when they didn’t have to.  If they made a difference to you, go ahead and nominate them. The form itself is a bit overwhelming although you need only fill in a small amount and the nominee then gets asked to complete any “additional information” they think the committee should know.

And.. (my fingernails are curling back with embarrassment whilst typing this) but if you genuinely feel I added value to you or the community this year then I would of course appreciate a nomination.

Access Denied – Me vs OS and WebSphere Security

Today I went to apply a patch to a customer’s Sametime Proxy server.  This is a server that’s been around for a few weeks.  I’ve logged into the SSC countless times in that time.  I launch Installation Manager (using “run as administrator”) and when it gets to the “sign on to SSC” part it fails saying it can’t connect.  I check the logs in /users/myname/appdata/local/temp/SSCLogs and find the error saying it can’t resolve <sschostname>:9443/console/deployment/login.  So I try that URL in a browser myself  and sure enough it does fail.

Well I can guess what that is and it’s an easy fix.  In Sametime we map virtual hosts for each application including the SSC containing the hostnames and ports used by that application.  So I went to check that the default_host virtual host used by the SSC had 9443 in it.

Go to SSC on the Deployment Manager server through a browser, try and login using my file repository account.  Login failed.  Try again. and again.  and again. and again. Type into notepad to make sure there’s no caps lock or language issues.  Failed again. This is worrying, no-one else has access right now so no-one has changed any password. I check the SystemOut.log for dmgr and there are errors in there and in the FFDC files saying Password is wrong.  OK.  No need to panic.  I’ve seen this before when Dmgr gets low on memory so first things first, let’s restart the box.  If in doubt, reboot WebSphere.  Server comes back up and still I can’t login.

OK so now I start to worry.  I go find the security.xml file in the config for the cell and decode the password stored in there (don’t ask how because I shouldn’t be able to but it’s possible).  The password says it’s what I think it is.  I really really don’t want to go down the path of changing that password even though I can disable security and do that because that’s going to have knock on effects all over the place….So – deep breath – let’s try this again from another machine.  I go to the SSC from my desktop this time instead of a browser on the DMGR server and it logs in perfectly first time using the name and password that was failing when I tried from the DMGR server.  Back to the browser on the server, login still fails.   This makes no sense.

So the issue isn’t the “wrong password” at all.  The issue is that the security on the SSC OS is preventing me logging in via a browser – I assume preventing the browser accessing the files on the file system in some way.  In addition the SSC was unable to sync any nodes or restart any servers (this was new) although it could tell status – until I restarted everything manually under my account.  This appears to be a problem with the services on the SSC accessing the file system on any of the OS even its own.  The customer is looking into all of that since the environment is tightly locked down and I can’t see anything.

When I finally got in (and yes I could use the LDAP alternative accounts I had in there) I added 9443 and 9080 to default_host under the hostname of the SSC and the Installation Manager ran fine.

Today’s lesson learned..DON’T PANIC!