HCL Safelinx – Untrusted Certificate Issue

A few days ago I came across a rather weird issue with HCL Safelinx and HCL Domino. After setting up HCL Safelinx, it was not possible to access the Websites hosted by an HCL Domino Server. The user would just get an HTTP Error, “503 – Service Unavailable”.

I checked the network, no issues there, Safelinx could access the Domino Server via port 443 without any issues. SSL Certificates from both Domino and Safelinx were trusted, no issues could be seen there via Internet Browsers (Firefox, Chrome, …) and a quick check with “openssl” didn’t show any problems. The SSL Cipher configuration was also Ok, on both Safelinx and Domino.

After turning on all possible trace and debug settings on Safelinx, the following errors could be observed:

75613:936171264 (Sep 18 2020/10:06:12.4153)[WARN] SSLPort::raw_connect: open returns rc=414 (Unknown error — 414)
75613:936171264 (Sep 18 2020/10:06:12.4154)[ERROR] SSLPort: failed to open secure connection (rc = 414)–> <Domino_Server_IP>:443
75613:936171264 (Sep 18 2020/10:06:12.4154)[LOG] SSLPort::connect: (return), rc=-1
75613:936171264 (Sep 18 2020/10:06:12.4154)[WARN] HTTP-AS: failed to connect to server ‘<Safelinx_Server_IP>:56796 –> <Domino_Server_Hostname>:443’ (Unknown error — 0)
75613:936171264 (Sep 18 2020/10:06:12.4155)[DEBUG] setup connection, elapsed time: 23ms
75613:936171264 (Sep 18 2020/10:06:12.4155)[WARN] http-service1: failed to setup back end connection, elapsed time: 23ms [<Username>]
75613:936171264 (Sep 18 2020/10:06:12.4156)[HTTPAS]httpServerResponse: HTML pkt size: 2787
HTTP/1.1 503 Service Unavailable
Server: HCL Verse via SafeLinx
Connection: close
Content-Type: text/html; charset=utf-8

I have set some Domino HTTP Debug parameters, but I had to wait for the window where I could restart the Domino/HTTP Task. So I have decided to try setting “Accept untrusted certificates from internal servers” on HCL Safelinx.

Screenshot of the Safelinx setting.

And guess what, after restarting Safelinx, the users could access Domino Web applications without any issues.

I hope this saves you some time. 🙂

HCL Connections Invite – Trace/Debug Parameters

If you are having issues with HCL Connections Invite, than the following Websphere debug or trace code might help:


HCL Connections Invite is assigned, per Default, to the WebSphere Homepage Cluster/Server. So this is where you have to set the parameter mentioned above.

This is how you can set the debug parameter during runtime. No restart needed.

HCL Connections – Configure access for the Tiny Editors Services through a HTTP proxy – Configuration/Documentation error

Take care when configuring access for the Tiny Editor through an HTTP proxy. The Documentation says to modify the “application.conf” in following manner:

ephox {
    proxy {
        http.proxyHost = someproxy.internal.corp
        http.proxyPort = 8080
        https.proxyHost = someproxy.internal.corp
        https.proxyPort = 8443
        http.nonProxyHosts = localhost|*.internal.corp

If you follow the official documentation and do not set the values of “http.nonProxyHosts” in the double quotation marks the Tiny Editor WAS Application will start, but some features of Tiny Editor will not work (like Spellchecking). The correct will configuration looks like the following:

An example of proxy settings:

ephox {
    proxy {
        http.proxyHost = someproxy.internal.corp
        http.proxyPort = 8080
        https.proxyHost = someproxy.internal.corp
        https.proxyPort = 8443
        http.nonProxyHosts = "localhost|*.internal.corp"

Hope this helps.

Peculiar File Transfer related error in HCL Sametime 11 FP1

After going through the HCL Sametime 11 FP1 Community Server logs, I found the following error:

CLMONGO, ChatResource::readSrvMsgFlags ERROR: empty UCM_LOCAL_IP

Like in the Screenshot bellow:

I am not sure if this error affects the any functionality of the System, but to solve it I simply added the “UCM_LOCAL_IP” parameter to the sametime.ini file, inside the “[Connectivity]” section. The Value of the “UCM_LOCAL_IP” parameter should be set to the local IP Address of the Sametime Community Server.

I hope this helps.

HCL Sametime 11 FP1 – Send Push Notifications via Web Proxy

As of today, with the current version of HCL Sametime Proxy Server, there is no supported Sametime configuration which will enable you to send APNs or GCM push notifications via Web Proxy server. This feature will be implemented in future releases.

Keep that in mind when planing your Sametime Deployment.

HCL Traveler and HCL Connections support this functionality, as documented in official documentation:

HCL Traveler – Push messaging through a proxy

HCL Connections – Mobile configuration properties for HCL Connections 5.5

HCL Connections – Configure access for the Tiny Editors Services through HTTP proxy

HCL Sametime 11 & SSO via Sametime Embedded Client in Notes Basic Client

On a customer site I had to make sure that users are able to authenticate via HCL Sametime Embedded Clients, inside of HCL Notes 9.0.1 Basic Client, using Domino SSO (LTPA).

After installing the HCL Sametime 11 Community Server, and applying the standard configuration, the login via Domino SSO for Sametime embedded clients inside of HCL Notes standard or eclipse clients worked without any issues. But we had to make some configuration changes in the “sametime.ini” file to make the same work for ST Embedded clients inside the HCL Notes basic clients.

We had to change the “VP_SECURITY_LEVEL” parameter value from the default “7000” to “0”. Furthermore, we added the value “1216” to the “VPS_PREFERRED_LOGIN_TYPES” parameter. If the “VPS_ALLOWED_LOGIN_TYPES” parameter is used in your environment, then you will have to add “1216” value to this parameter as well.

After saving the “sametime.ini” file and restarting the Sametime Community server, the Sametime embedded clients, inside the Notes basic clients, should be able to login via Domino SSO Mechanism.

We Have Lost The “wasadmin” Account Password!

If you have lost the “wasadmin” account password or any other local WebSphere account, there is a rather simple way to recover it.

Just connect to the server where WebSphere Deployment Manager is running, via RDP or SSH, depending on the OS of the server, and open the “security.xml” file located under “<WebSphere_Installation_Directory>/AppServer/profiles/<Deployment_Manager_Profile>/config/cells/<Cell_Name>” for example “/opt/IBM/WebSphere/AppServer/profiles/ic-dmgr01/config/cells/ic-cell01”.

After that just search for the account name, for which you would like get the password, in the same line you should find the attribute “password”:

Then just copy the value of the “password” attribute, now we need to decode the xor encoded password. For that I am usually using the following Website: https://strelitzia.net/wasXORdecoder/wasXORdecoder.html

Just paste the encoded text and click the “decode” button, after that you should have the password.

EngageUG – Implementing Certificate Based Authentication for HCL Traveler Access

I am proud and honored that I was allowed to present this year at Engage in Arnhem. To be frank, I still can’t believe it. 🙂 I held a 25-Minute Session about implementing certificate based authentication for HCL Notes Traveler authentication. If anyone is interested, the Slides is embedded below:

I also took a video of my presentation, I wanted to make sure I didn’t miss any errors I have made, so that I can improve my overall presentation skills. Apart from the viewing angle, the video has not turned out to bad. 🙂

HCL Sametime 11 – SSO between ST WebClient and iNotes/Verse on-Premises

You can integrate HCL iNotes and/or HCL Verse on-Premises, with Sametime 11 via ST Proxy server, the same way the integration was done with Sametime Version 9.0.1.

But before you can integrate the products mentioned above, you have to configure Single-Sign-On between Sametime WeClient and iNotes/VoP.

With Sametime version 9.0.1, you would export the LTPA Token from Websphere Application Server and import it in the Domino “Web SSO Configuration” document of the iNotes/VoP server and Sametime Community Server. Thus making sure that all components involved are using the same LTPA Token.

But in the Sametime Version 11, we do not have any WebSphere components. So, you just have to make sure that the Sametime Community and iNotes/VoP servers are using the same LTPA Token. Either export the LTPA Token from the old Sametime environment or any other existing WebSphere server and import it in the relevant Domino “Web SSO Configuration” documents. After restarting all components involved, the SSO should be working and you can proceed with integrating Sametime with iNotes and/or Verse on-Premises.