Domino v10 Premiere – A short recap from Frankfurt

The optimism, high hopes and anticipation for the Domino v10 was clearly not missing at the Bleed Yellow Party, the night before the official Domino v10 Launch event. The party was fully booked, and I really liked the event. Having everybody, people from IBM, HCL and Domino Enthusiasts, under the one roof before a big event like this felt great. A big thumbs up to DNUG for organizing this.

The Domino v10 Premiere was held at the Kap Europa Congress Centre, look at the entrance:

Pretty neat if you ask me.

The main event started at ten O’clock and was going well past twelve O´clock, so there was a lot of ground covered, new Information and some seriously cool demos! JavaScript and Node.JS was clearly a big point for many. There were a lot of new Domino and Notes features shown and explained as well as some statistics. Below are some slides I was able to catch during the presentation, sorry for the bad quality…

After the overview of the v10, Luis Guirigay showed us what is possible with Domino 10. Integration of Domino Applications with Office365, which looks great by the way, new features in IBM Verse on-Premises, Notes Client on Apple iOS (remarkable how good and clean this looks), “Webinized” Domino Applications with Teamworkr (which will be part of the Domino offering) and Domino Integration with Watson Workspace, Slack and Microsoft Teams.

And then some slides with features for the Administration and Maintenance.

This is how you can get Domino:

What is planed next:

Advertisements

The World Premiere of Domino V10

Next week will surely be interesting, so many events, so many new announcements.

On Monday the 8th of October I will be at the Domino V10 Bleed Yellow Party organized by DNUG, after that on Tuesday I will be attending the Champions Breakfast and Domino V10 World Premiere in Frankfurt. On Wednesday we will be having a Domino V10 World Premiere Event in Vienna, which I will also be attending.

It is going to be a very busy week. 🙂

IBM Connections 6 CR3 is Available!

IBM Connections 6 Cumulative Refresh 3 was released yesterday. And besides the usual and long Fix List it also includes some new features:

  • Possibility to return to the Communities and Files you viewed recently
  • Filter recent content in Communities and Files.
  • “Pick up where you left of”
  • Simplified Navigation and a full-screen option for Files.
  • The all new “Highlights” community widget.
  • And MORE! For the full list take a look at the blog post from René Schimmer.

It also includes all Features and Bug Fixes from previous releases (CR1 & CR2).

As usual, the update can be downloaded from the FixCentral. Database update scripts are available from the separate site and they include a script for the creation of the new Highlights database.

Before starting the update make sure you take a look to the update guide and the update strategy for IBM Connections 6.

I am happy that the IBM Connections is getting new features on the WebSphere platform, this will certainly make many customers happy who are not ready to implement the Component Pack. By the way the new Component Pack should be announced in the next weeks, so stay tuned.

Tips about Configuring IBM Connections to work with SPNEGO as Authentication Mechanism

Recently a customer asked me to review his Connections environment and implement SSO via SPNEGO. He started implementing it, but he couldn´t make to work, so he wanted me to pick up where he left it and make it work. I had a fair share of troubles to make it work and along the way I found some “typical” problems, so I thought I share these issues (and some other I had in the past) with you and hopefully save you some time.

Invest time in reading the Documentation about the Technology you plan to use

On the second thought invest a lot of time. The configuration will make sense only if you know the basics about Kerberos, SPNEGO and WebSphere Security in general. It will also help you a great deal troubleshooting and things like a WireShark trace (yes it may come all the way to that) will make much more sense. I strongly urge you to read the following article:

https://www.ibm.com/developerworks/websphere/library/techarticles/0809_lansche/0809_lansche.html

I never found a better article explaining how SPNEGO works in combination with WebSphere, it´s old, but it´s good.

I also recommend using the WebSphere documentation instead of Connections documentation (where it makes sense of course), I think that it is generally more in depth and more up to date. Which is OK I guess because Implementing SPNEGO has a lot more to do with WebSphere than with Connections Applications.

Plan Accordingly

Make sure your environment is up to date and there are no discrepancies between the Test and Production environment (a Test environment is essential). And keep it that way, I mean if you hit a “brick wall” in the Test Environment, do not go ahead and update the Production because a new Update came out. This will save you a lot of headache. Different versions mean different problems, so the chances are you will be trying to solve different problems in the Production than in the Test environment, when implementing SPNEGO, while the Production is down and someone is waiting for the whole thing to go online again.

Make sure Test and Production environments are the same

Here is where the details matter, I know that it is not always possible to have the exact same copy of a Production environment as a Test environment, but make sure that at least the things like DNS, Shares, User Access Rights… are the same as in Production. Difference between “CNAME” Alias and a “Host (A)” Record can have a lot of impact.

We had an issue, this will surely be a plague of the Test Environments, where the WebSphere Server Hostname, Primary Administration User and the URL for Connections Access, had a “Name-Clash” (as described in the URL pasted above) so make sure you check that and/or consider when building a Test environment.

Do it Step by Step

    I have made a mistake doing to many configuration changes at once, which essentially made it impossible to discover which part of the configuration led to an error. SPNEGO Implementation can be a combination of many different Configuration changes like: Primary Administrative User change, DNS changes and so on. So as my friend Martin Leyrer advised me, split the configuration in small steps/tasks, do one step, resync, restart and test and only after you are 100% happy with the change proceed with the next step.

Do you really need Kerberos?

As much as I know, SPNEGO is a “web friendly” version of Kerberos, right? So, it always made sense for me to do the Kerberos Configuration part in WebSphere before continuing with the SPNEGO part. Well I was wrong, the only Use-Case where you will need Kerberos implemented for IBM Connections is when you want to use IBM Connections Mail Plug-In with Exchange, which is not developed for Connections 6, so there´s that…

If you just want to achieve SSO from a Domain joined PC, then SPNEGO part will be sufficient. In that constellation Kerberos could just be another source of issues as Charlie Price made me realize that two months ago. 😀

LTPA Errors going through the roof

    We had an issue with LTPA, basically everything we tried to do in Connections GUI produced a mass of LTPA Errors in the logs. I tried everything, regenerating the LTPA Keys and so on, I contacted the support team, but we could not solve the issue. So, I asked Sharon Bellamy James for advice and she told me to export the LTPA Token from WebSphere and import it again, this solved that issue. The GUI looked much better and there were no LTPA Errors anymore.

Service Principal Name

When creating a Service Principal Name, never use “HTTPS/” in the “KTPASS” command, even though you are accessing Connections via “HTTPS”, only use “HTTP/”. For Examle:

ktpass -out c:\Node1.keytab –princ HTTP/connections.axians.local@AXIANS.LOCAL -mapuser connections_user -mapOp set –pass Password1 -ptype KRB5_NT_PRINCIPAL

If you need more than one keytab files and Service Principal Names, use a separate AD User for every one of them.

Delegation User Setting

    This is quite easy to forget, no matter what you do, Kerberos won´t work if your Service User Account used in the “KTPASS” command does not have the following setting set:

Although, I am not 100% sure you need to do this when you are Configuring SPNEGO without doing the Kerberos part in WebSphere. I will surely test this next time when I have a chance.

Disable TAI Authentication

    For SPNEGO to work with WebSphere as it should, you need to disable TAI Authentication:

Go to Security –> Global Security –> Custom Properties

Than enter the following:

Name

com.ibm.websphere.security.performTAIForUnprotectedURI

Value

false

 

I hope this is going to help someone, if you have any Tipps of your own, please share them in the comments below.

DeskCenter Issue with Anti-Malware

If you are getting the following error (as a Pop-Up or a Event in “Event Viewer”) on a DeskCenter Client, at time when inventory via SDIAgent is started:

Fehlgeschlagene Anwendung SDIService.exe, Version 10.6.7.3, fehlgeschlagenes Modul SDIService.exe, Version 10.6.7.3, Fehleradresse 0x004236d8.

Then most likely you are having a problem with your Anti-Malware Software, so make sure to whitelist all the directories needed, as stated in the official System Requirements.

I am sorry for not having an English version of this error, I will add it as soon as I come across it.