IBM Connections 6 CR3 is Available!

IBM Connections 6 Cumulative Refresh 3 was released yesterday. And besides the usual and long Fix List it also includes some new features:

  • Possibility to return to the Communities and Files you viewed recently
  • Filter recent content in Communities and Files.
  • “Pick up where you left of”
  • Simplified Navigation and a full-screen option for Files.
  • The all new “Highlights” community widget.
  • And MORE! For the full list take a look at the blog post from René Schimmer.

It also includes all Features and Bug Fixes from previous releases (CR1 & CR2).

As usual, the update can be downloaded from the FixCentral. Database update scripts are available from the separate site and they include a script for the creation of the new Highlights database.

Before starting the update make sure you take a look to the update guide and the update strategy for IBM Connections 6.

I am happy that the IBM Connections is getting new features on the WebSphere platform, this will certainly make many customers happy who are not ready to implement the Component Pack. By the way the new Component Pack should be announced in the next weeks, so stay tuned.

Advertisements

Tips about Configuring IBM Connections to work with SPNEGO as Authentication Mechanism

Recently a customer asked me to review his Connections environment and implement SSO via SPNEGO. He started implementing it, but he couldn´t make to work, so he wanted me to pick up where he left it and make it work. I had a fair share of troubles to make it work and along the way I found some “typical” problems, so I thought I share these issues (and some other I had in the past) with you and hopefully save you some time.

Invest time in reading the Documentation about the Technology you plan to use

On the second thought invest a lot of time. The configuration will make sense only if you know the basics about Kerberos, SPNEGO and WebSphere Security in general. It will also help you a great deal troubleshooting and things like a WireShark trace (yes it may come all the way to that) will make much more sense. I strongly urge you to read the following article:

https://www.ibm.com/developerworks/websphere/library/techarticles/0809_lansche/0809_lansche.html

I never found a better article explaining how SPNEGO works in combination with WebSphere, it´s old, but it´s good.

I also recommend using the WebSphere documentation instead of Connections documentation (where it makes sense of course), I think that it is generally more in depth and more up to date. Which is OK I guess because Implementing SPNEGO has a lot more to do with WebSphere than with Connections Applications.

Plan Accordingly

Make sure your environment is up to date and there are no discrepancies between the Test and Production environment (a Test environment is essential). And keep it that way, I mean if you hit a “brick wall” in the Test Environment, do not go ahead and update the Production because a new Update came out. This will save you a lot of headache. Different versions mean different problems, so the chances are you will be trying to solve different problems in the Production than in the Test environment, when implementing SPNEGO, while the Production is down and someone is waiting for the whole thing to go online again.

Make sure Test and Production environments are the same

Here is where the details matter, I know that it is not always possible to have the exact same copy of a Production environment as a Test environment, but make sure that at least the things like DNS, Shares, User Access Rights… are the same as in Production. Difference between “CNAME” Alias and a “Host (A)” Record can have a lot of impact.

We had an issue, this will surely be a plague of the Test Environments, where the WebSphere Server Hostname, Primary Administration User and the URL for Connections Access, had a “Name-Clash” (as described in the URL pasted above) so make sure you check that and/or consider when building a Test environment.

Do it Step by Step

    I have made a mistake doing to many configuration changes at once, which essentially made it impossible to discover which part of the configuration led to an error. SPNEGO Implementation can be a combination of many different Configuration changes like: Primary Administrative User change, DNS changes and so on. So as my friend Martin Leyrer advised me, split the configuration in small steps/tasks, do one step, resync, restart and test and only after you are 100% happy with the change proceed with the next step.

Do you really need Kerberos?

As much as I know, SPNEGO is a “web friendly” version of Kerberos, right? So, it always made sense for me to do the Kerberos Configuration part in WebSphere before continuing with the SPNEGO part. Well I was wrong, the only Use-Case where you will need Kerberos implemented for IBM Connections is when you want to use IBM Connections Mail Plug-In with Exchange, which is not developed for Connections 6, so there´s that…

If you just want to achieve SSO from a Domain joined PC, then SPNEGO part will be sufficient. In that constellation Kerberos could just be another source of issues as Charlie Price made me realize that two months ago. 😀

LTPA Errors going through the roof

    We had an issue with LTPA, basically everything we tried to do in Connections GUI produced a mass of LTPA Errors in the logs. I tried everything, regenerating the LTPA Keys and so on, I contacted the support team, but we could not solve the issue. So, I asked Sharon Bellamy James for advice and she told me to export the LTPA Token from WebSphere and import it again, this solved that issue. The GUI looked much better and there were no LTPA Errors anymore.

Service Principal Name

When creating a Service Principal Name, never use “HTTPS/” in the “KTPASS” command, even though you are accessing Connections via “HTTPS”, only use “HTTP/”. For Examle:

ktpass -out c:\Node1.keytab –princ HTTP/connections.axians.local@AXIANS.LOCAL -mapuser connections_user -mapOp set –pass Password1 -ptype KRB5_NT_PRINCIPAL

If you need more than one keytab files and Service Principal Names, use a separate AD User for every one of them.

Delegation User Setting

    This is quite easy to forget, no matter what you do, Kerberos won´t work if your Service User Account used in the “KTPASS” command does not have the following setting set:

Although, I am not 100% sure you need to do this when you are Configuring SPNEGO without doing the Kerberos part in WebSphere. I will surely test this next time when I have a chance.

Disable TAI Authentication

    For SPNEGO to work with WebSphere as it should, you need to disable TAI Authentication:

Go to Security –> Global Security –> Custom Properties

Than enter the following:

Name

com.ibm.websphere.security.performTAIForUnprotectedURI

Value

false

 

I hope this is going to help someone, if you have any Tipps of your own, please share them in the comments below.

JUMP Session: Understanding and Configuring IBM Connections Engagement Center (ICEC)

A Jump Session about Connections Engagement Center (ICEC) will be held at 12th of September. For details and “.ics” file, take a look at the following page:

http://www-01.ibm.com/support/docview.wss?uid=ibm10713447&myns=swglotus&mynp=OCSSYGQH&mync=E&cm_sp=swglotus-_-OCSSYGQH-_-E

If you would like to know what ICEC is all about, than the following video is a good start:

 

 

 

 

IBM Connections – WAS Plugin issue

If you get an HTTP 404 Error in a browser, after trying to access an IBM Connections Application and errors like

“File does not exist: E:/IBM/HTTPServer/htdocs/profiles”

start popping out in “error.log” file of the IBM HTTP Server, then most probably there is an issue with WAS Plugin.

I had this error just after the Installation of IBM Connections and the reason was the incorrect value of “WebSpherePluginConfig” variable, which contains the path to the “plugin-cfg.xml” file in the HTTP Server configuration. After the value was corrected and a correct path was supplied, IBM Connections could be accessed without any issue.

Travelog, on the Path to Pink!

Today I attended an IBM Webcast, translated to English “Path to Pink”, it was held by Martti Garden and Matthias Schneider. Personally, I found it exciting and very informative. The IBM is keeping their promise and continuously delivers new Connections “Pink” parts.

I will skip the talk about technology and components on top of which Pink is being built, as well as the reasons why this is done, I am sure most are familiar with this part.

After a brief introduction with OrientMe, Connections Customizer and “Pink Metrics”, all these components are already delivered as a part of the pink package. We got a bit of insights what is coming next and a demo of some components which are not published yet.

For example, IBM Docs is coming as a Container, I personally liked the Docs Editor, which can be used in Files, Blogs and Wikis. It has a powerful export feature, which lets you export a blog to a wiki article.

“Pink Profiles” also extends the functionality of the Profiles application, many customers will like this, as it brings some highly practical functionality which was desired by many.

“Pink Middleware” will be delivered to allow new plugins and applications to be integrated in the Pink package easier.

“Pink Note”, “Connectron Client” (was also demonstrated) and “Pink Content” were just some of many terms mentioned.

For sure, these are very fun and excitement times to work with IBM Connections. I like the path were Connections is developing and the effort put by the IBM to develop the workplace of the future.