IBM Connections – Restricting the Community Types Users can create

A while ago we had a requirement to restrict the Community types users can create. In the following I will describe how you can do that. First of all, these settings are primarily managed in “communities-policy.xml”; you must do the following steps to check the file out and be able to edit it.

  • Start the “wsadmin” command tool and give yourself the administration rights.

./wsadmin.sh -lang jython -username wasadmin -password <password>

execfile("communitiesAdmin.py")

  • Check out the “communities-policy.xml” configuration file.

wsadmin>CommunitiesConfigService.checkOutPolicyConfig("/data/tmp","ic-cell01")

  • Navigate to the folder where you have extracted the community configuration files and open “communities-policy.xml” file in your preferred editor.

Going through the configuration file, you will get an idea of what you can do. But simply editing the file won't get the job done; we also need to make use of the “Security role to user/group mapping” in the WebSphere console. We will get to that towards the end. Since we cannot create additional user roles in WAS, we must make use of what is offered, so in the example below we will make use of the “Reader” Role in the Community application.

The plan was to allow all users to create only Restricted Communities and grant the “Power Users” the ability to create Restricted and Moderated Communities, “Global” Community Administrators will still have the right to create all types of Communities, including Public Communities. In order to do that you have to take the following steps.

  • Add the following lines under <comm:policy>, Reader section:

<comm:permission class="com.ibm.tango.auth.permission.CommunityManagementPermission" communityType="private" action="create"/>

  • And comment out the following lines in the Community Creator Role section (using “<!--” and “-->”):

<!-- <comm:permission class="com.ibm.tango.auth.permission.CommunityManagementPermission" communityType="public" action="create" /> -->


  • Save the changes and check the configuration files back in.

CommunitiesConfigService.checkInPolicyConfig()

  • After that, make sure that the WebSphere Nodes are Synchronized.
  • Change the Security role to user/group mapping.

By using the following settings all Users will be allowed to create Restricted and Moderated Type of Communities.

By mapping the “Special Subjects” to “None” and setting a desired User Group for “community-creator” role, we can achieve the desired settings.

After clicking the “OK” button, the application should be restarted automatically, so you do not have to restart it manually, but keep that in mind, because your users will not be able to access Communities during restart. After doing so, we should have the following result, all users can create Restricted Communities:

Power Users have additionally the ability to create Moderated Communities:

This is just one of the possibilities you have, you could for example also manipulate the configuration file to take away the ability for all users to create Restricted Communities.

Engage 2019 – Part Two – Notes 11, Future of Connections and more!

After the exciting first two days, we continued at the same pace; the first sessions started at 8 o'clock. So after grabbing a few cups of coffee and making some hard decisions on which Sessions to visit, I started going toward the presentation rooms. Just like in the previous post, I will list the Sessions I have visited and add some information which, from my perspective, is most important.

IBM Engagement Center Quickstart: Get your first Intranet pages up and running in minutes – by Martti Garden

In this Session, Martti unleashed the full power of ICEC and showed some tips and tricks, like resizing YouTube videos automatically, in order to “rock” any Connections Environment.

Notes 11 – by Ram Krishnamurthy

This got pretty interesting, by the way, as you can imagine, the room was completely full. Ram presented the new Notes 11 Client to us. The Session consisted of three parts; first we got to see what HCL is striving to achieve with the new release. We basically got a glimpse of how it should look at the end.

After that, we got to see the current state of the pre Beta release.

After the Design was presented, Ram explained to us some technical differences and improvements which are going to be available in the new Notes 11 client.


IBM Connections: The Future is Bright – by Danielle Baptiste and Martti Garden

In this Session Danielle confirmed that HCL is going to continue to invest in the Connections Platform, because of its strategic importance for HCL. Martti also showed us some new features which are going to come with the new CR Releases, like Integration with Slack! We also got to see what is coming with Connections 6.0 CR5, which is going to be released in the next two weeks. After the CR5, we should get at least two more CR Updates this year.

Domino on Docker Bootcamp – by Daniel Nashed and Thomas Hampel

Interested in running Domino (including Traveler) on Docker!? If that's the case, then this was the session to be in. Daniel and Thomas explained everything you need to know to “kick-start” your Domino deployment on Docker.

Domino and SSO – New Ways for secure collaboration – Round Table by Daniele Vistalli

In this Round Table Daniele presented his own Application/Solution for generating SSO Tokens, meant for environments or Use Cases where you can’t use SAML. The application is great, it is based on Domino and it shows just how versatile the platform is.

IBM Connections Customizer – Have it Your Way! – by Miki Banatwala

Miki showed us the true power and flexibility of IBM Connections Customizer. What I liked the most was the possibility to show different content based on different user groups.

Sadly, I could not visit all Sessions; every track had at least two or three sessions which were interesting to me, so it was always a tough call which session to choose.
Like always, the organization of the Conference was brilliant, many thanks to Theo!

IBM Connections – How to change Personal Notification Preferences for all Users

You may find yourself in a situation where you need to change the personal IBM Connections E-Mail Notification Settings for all Users. IBM Connections Users have the following options to choose from:


There is a set of Default Settings which is applied to every user as soon as the TDI-Sync runs and the user is created in a database. So, the first thing to do is to change these default settings. The official documentation does a pretty good job explaining the possibilities you have here, like Locking the User Notification Preferences, and the steps needed to apply the changes, so I won't go into greater detail on those here. It is important to keep in mind that, unless you are “locking” the preferences, the preferences on Email notifications will only be set automatically for users who are created in Connections by the TDI Assembly Line after you make those changes. In order to test the modifications made, you could use the “Restore Defaults” option on the Notification Preferences page.

But changing the default settings will not have any impact on the existing users, to change the notification options for them, you need to take a different approach.

I wanted to change the notification settings for all Users to “No Email”, but still make sure that the users can change those settings if they wish to, so simply locking those settings was not an option. I tried locking the Notification settings for all users to “No Email”, but after removing the lock, the setting would just be reverted to the setting done earlier. It turns out that there is no other possibility than to change the records in the database directly. A word of warning, you should contact the IBM Support before proceeding, because changing the records in the Connections Databases directly is not supported, I also recommend a database backup. 🙂

I am using IBM Data Studio for this, but any other Database Software which allows you to connect to your type of database will suffice.

The Database Tables in which we need to change the records are “HOMEPAGE.EMD_RESOURCE_PREF” and “HOMEPAGE.EMD_EMAIL_PREFS” (in the HOMEPAGE database), a big thumbs up to Martin Schmidt for saving me countless hours searching for the correct table. Both of these tables have “PERSON_ID” column, so I searched in the “HOMEPAGE.PERSON” table for my test accounts in order to find out the “PERSON_ID” values of these accounts, so I could reproduce the desired state of one account and make sure that the changes made are valid and as I wanted them set. I’ve done that with the following SQL statement:

select *
from empinst.employee
where prof_display_name = 'Milan Matejic';

After getting the right “PERSON_ID”, I could check the Records in “HOMEPAGE.EMD_RESOURCE_PREF” and “HOMEPAGE.EMD_EMAIL_PREFS” tables.

-- Email Notifications
select *
from homepage.emd_resource_pref
where person_id = '13a96f01-37d8-4674-ae51-f6d2d19ee8e9';

-- Direct Emails
select *
from homepage.emd_email_prefs
where person_id = '13a96f01-37d8-4674-ae51-f6d2d19ee8e9';

The columns we need to change are “SEND_DIRECTED” in “HOMEPAGE.EMD_RESOURCE_PREF” table and “RESOURCE_TYPE” in “HOMEPAGE.EMD_EMAIL_PREFS” table. Setting “SEND_DIRECTED” to ‘0’ will result in deactivating “Receive notifications from other people by email”. For “RESOURCE_TYPE” we have the following options:

‘4’ –> Weekly

‘3’ –> Daily

‘2’ –> Individual

‘1’ –> Deactivated

In my case I wanted to set the notifications to “No Email” for all users, so I went with setting ‘1’ in all rows in the table.

Note: Before making changes for all users, you should make the change just for one test user, to make sure that there are no problems and that your statement is working properly.

I accomplished the task with the following update statements:

-- Update statement for HOMEPAGE.EMD_RESOURCE_PREF
update homepage.emd_resource_pref
set frequency_type = '1'
where frequency_type != '1';

-- Update statement for HOMEPAGE.EMD_EMAIL_PREFS
update homepage.emd_email_prefs
set send_directed = '0'
where send_directed != '0';

Before and after running the update statements, you can verify the changes by looking on the number of rows with certain settings:

-- Search for Frequency Type
select *
from homepage.emd_resource_pref
where frequency_type = '1';

-- Search for Send Directed
select *
from homepage.emd_email_prefs
where send_directed = '0';

After running the update statements, just refresh your browser, there is no need to restart any applications or components.
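The note about testing on one user first, written out as an added example (not part of the original post): it records the current distribution of values, applies the change to a single test account, and checks the result before the unscoped update statements are run. Table and column names are the ones used in the update statements above, the PERSON_ID is the test account value from the earlier queries, and the statements assume a SQL client with auto-commit switched off so the test can be rolled back.

```sql
-- Added example: dry run for one test account before changing all users.
-- Assumption: auto-commit is disabled in the SQL client, so ROLLBACK undoes the test.

-- 1. Record the current distribution of values. Keep the output: it shows how
--    many rows the unscoped updates will touch and what they held before.
select frequency_type, count(*) as row_count
from homepage.emd_resource_pref
group by frequency_type
order by frequency_type;

select send_directed, count(*) as row_count
from homepage.emd_email_prefs
group by send_directed
order by send_directed;

-- 2. Record the test account's current rows for comparison afterwards.
select *
from homepage.emd_resource_pref
where person_id = '13a96f01-37d8-4674-ae51-f6d2d19ee8e9';

select *
from homepage.emd_email_prefs
where person_id = '13a96f01-37d8-4674-ae51-f6d2d19ee8e9';

-- 3. Apply the change to the test account only.
update homepage.emd_resource_pref
set frequency_type = '1'
where person_id = '13a96f01-37d8-4674-ae51-f6d2d19ee8e9'
  and frequency_type <> '1';

update homepage.emd_email_prefs
set send_directed = '0'
where person_id = '13a96f01-37d8-4674-ae51-f6d2d19ee8e9'
  and send_directed <> '0';

-- 4. Verify: both counts should be 0 for the test account.
select count(*) as rows_not_changed
from homepage.emd_resource_pref
where person_id = '13a96f01-37d8-4674-ae51-f6d2d19ee8e9'
  and frequency_type <> '1';

select count(*) as rows_not_changed
from homepage.emd_email_prefs
where person_id = '13a96f01-37d8-4674-ae51-f6d2d19ee8e9'
  and send_directed <> '0';

-- 5. Check the Notification Preferences page of the test account in the browser,
--    then keep the change with COMMIT or undo it with ROLLBACK.
commit;
```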

As a bonus, I created an Enhancement Request, so hopefully in future we don’t need to change the database records for this, so please vote for it by accessing the IBM Connections Product Ideas Lab.

IBM Connections Docs – Issue with File Preview in Google Chrome

I recently deployed a new Connections Environment, together with IBM Connections Docs Applications. After the installation I encountered an issue with the File Preview: some files cannot be viewed in the Google Chrome Browser.

We could reproduce this issue only with “.doc” and “.docx” files and only in Google Chrome, version 72, where the Preview still works well with other office files like “.ppt” and “.xlsx”. In other Browsers like the newest version of Firefox (65.0.2) and IE, there are no such issues.

It turns out that the issue lies with code in the current Version of Google Chrome, Version 72.0.x, so if you have the possibility, try to delay or stop the update in your environment until there is a solution for this issue. IBM is currently working on a Fix for this Bug, and it may be available as a Fix for IBM Connections Files rather than an IBM Docs Fix, so read the Release notices carefully.

As a workaround you can open the problematic files in “Edit” mode, if you have sufficient access rights, here the contents will be displayed without any issue.

I have deployed IBM Connections 6.0 CR4 and IBM Docs 2.0 CR3 iFix006, but some folks have the same issue also with older Version of IBM Connections and IBM Docs.

IBM Connections Plug-in for Microsoft Outlook – End of Support

There was a lot of speculation recently what happened with “IBM Connections Plug-in for Microsoft Outlook”, it was removed from the Solution Catalog without any Information prior to the removal.

Now it is official, yesterday an official article was published stating that the Plug-in will not be available for download in the Solution Catalog. You will still be able to get it by opening a Case in the IBM Support Portal, until December 31, 2019, bug fixes and security Updates will also be available until this time. For more Information take a look at the official article:

https://www-01.ibm.com/support/docview.wss?uid=ibm10869556&myns=swglotus&mynp=OCSSYGQH&mync=E&cm_sp=swglotus--OCSSYGQH--E

I liked this plug-in and it is a mystery to me why it got removed…

Problems adding Blogs Widget after updating to Connections CR3

I am not 100% sure if this is related to the IBM Connections CR3 Update or the WAS 8.5.5 FP14 update. But after I applied both updates, I got the following error in the GUI when I tried to add the “Blogs” or “Ideation Blogs” widget to a community:

CLFWZ0004E: Event ‘widget.added’ sent to remote lifecycle handler at /blogs/roller-ui/BlogsWidgetEventHandler.do returned bad response: 302 – Found

I was able to solve this issue by mapping the “wasadmin” user to the “reader” role in Blogs “Security role to user/group mapping”. In one instance I needed to map the “reader” role to “All Authenticated in Application's Realm”.


IBM Docs 2.0 CR3 iFix 006 Available

As of today Docs 2.0 CR3 iFix 006 is available for download from the Fix Central, it includes the following Fixes:

  • Common:
    • Fixed the issue of failing to open files when the browser language setting is en-* other than en, en-us, or en-gb by providing a solution of language fallback to en.
    • Fixed the sanity check failure of soffice process on Linux Conversion server.
    • Fixed the hang issue caused by some files with specific wmf images.
    • Fixed a rare issue that content might be corrupted when multiple editors start editing the same document at the same time.
  • Documents editor:
    • Fixed the issue of one specific document that contains empty shape cannot be opened after publishing.
    • Fixed the issue of title shown as “undefined” in the dialog of Insert Special Character.
    • Fixed the issue that some comment items are duplicated in the view of comments list when co-editing.
  • Presentations editor:
    • Added Copy Formatting that you can use to quickly copy and apply text styles and list styles by clicking the icon.
    • Increased the supported file size to 300 slides and 100MB, and removed the restriction of 3000 objects (such as text boxes, shapes, images and OLE objects).
    • Fixed the issue that font size shown in IBM Docs presentation editor is smaller than in MS office.
  • Spreadsheets editor:
    • Fixed the date time formatting issue in some specific time zones (for example, Dublin Summer Time) after upgrading your browser.
  • Viewer:
    • Fixed the issue that documents cannot be opened in Viewer when watermark is turned on.

Prior to installing this iFix you need to install CR3 for IBM Docs 2.0, iFix 006 includes the updates from all previous iFix updates.

Official Release Notes to IBM Docs 2.0 CR3 iFix006.


IBM Connections 6 CR3 is Available!

IBM Connections 6 Cumulative Refresh 3 was released yesterday. And besides the usual and long Fix List it also includes some new features:

  • Possibility to return to the Communities and Files you viewed recently
  • Filter recent content in Communities and Files.
  • “Pick up where you left off”
  • Simplified Navigation and a full-screen option for Files.
  • The all new “Highlights” community widget.
  • And MORE! For the full list take a look at the blog post from René Schimmer.

It also includes all Features and Bug Fixes from previous releases (CR1 & CR2).

As usual, the update can be downloaded from the FixCentral. Database update scripts are available from the separate site and they include a script for the creation of the new Highlights database.

Before starting the update, make sure you take a look at the update guide and the update strategy for IBM Connections 6.

I am happy that the IBM Connections is getting new features on the WebSphere platform, this will certainly make many customers happy who are not ready to implement the Component Pack. By the way the new Component Pack should be announced in the next weeks, so stay tuned.

Tips about Configuring IBM Connections to work with SPNEGO as Authentication Mechanism

Recently a customer asked me to review his Connections environment and implement SSO via SPNEGO. He started implementing it, but he couldn't make it work, so he wanted me to pick up where he left off and make it work. I had a fair share of trouble making it work, and along the way I found some “typical” problems, so I thought I would share these issues (and some others I had in the past) with you and hopefully save you some time.

Invest time in reading the Documentation about the Technology you plan to use

On second thought, invest a lot of time. The configuration will make sense only if you know the basics about Kerberos, SPNEGO and WebSphere Security in general. It will also help you a great deal with troubleshooting, and things like a Wireshark trace (yes, it may come all the way to that) will make much more sense. I strongly urge you to read the following article:

https://www.ibm.com/developerworks/websphere/library/techarticles/0809_lansche/0809_lansche.html

I never found a better article explaining how SPNEGO works in combination with WebSphere; it's old, but it's good.

I also recommend using the WebSphere documentation instead of Connections documentation (where it makes sense of course), I think that it is generally more in depth and more up to date. Which is OK I guess because Implementing SPNEGO has a lot more to do with WebSphere than with Connections Applications.

Plan Accordingly

Make sure your environment is up to date and there are no discrepancies between the Test and Production environment (a Test environment is essential). And keep it that way, I mean if you hit a “brick wall” in the Test Environment, do not go ahead and update the Production because a new Update came out. This will save you a lot of headache. Different versions mean different problems, so the chances are you will be trying to solve different problems in the Production than in the Test environment, when implementing SPNEGO, while the Production is down and someone is waiting for the whole thing to go online again.

Make sure Test and Production environments are the same

Here is where the details matter, I know that it is not always possible to have the exact same copy of a Production environment as a Test environment, but make sure that at least the things like DNS, Shares, User Access Rights… are the same as in Production. Difference between “CNAME” Alias and a “Host (A)” Record can have a lot of impact.

We had an issue, this will surely be a plague of the Test Environments, where the WebSphere Server Hostname, Primary Administration User and the URL for Connections Access, had a “Name-Clash” (as described in the URL pasted above) so make sure you check that and/or consider when building a Test environment.

Do it Step by Step

I made the mistake of doing too many configuration changes at once, which essentially made it impossible to discover which part of the configuration led to an error. A SPNEGO implementation can be a combination of many different configuration changes, like a Primary Administrative User change, DNS changes and so on. So, as my friend Martin Leyrer advised me, split the configuration into small steps/tasks: do one step, resync, restart and test, and only after you are 100% happy with the change proceed with the next step.

Do you really need Kerberos?

As far as I know, SPNEGO is a “web friendly” version of Kerberos, right? So, it always made sense for me to do the Kerberos Configuration part in WebSphere before continuing with the SPNEGO part. Well, I was wrong: the only Use-Case where you will need Kerberos implemented for IBM Connections is when you want to use IBM Connections Mail Plug-In with Exchange, which is not developed for Connections 6, so there's that…

If you just want to achieve SSO from a Domain joined PC, then SPNEGO part will be sufficient. In that constellation Kerberos could just be another source of issues as Charlie Price made me realize that two months ago. 😀

LTPA Errors going through the roof

We had an issue with LTPA, basically everything we tried to do in Connections GUI produced a mass of LTPA Errors in the logs. I tried everything, regenerating the LTPA Keys and so on, I contacted the support team, but we could not solve the issue. So, I asked Sharon Bellamy James for advice and she told me to export the LTPA Token from WebSphere and import it again, this solved that issue. The GUI looked much better and there were no LTPA Errors anymore.

Service Principal Name

When creating a Service Principal Name, never use “HTTPS/” in the “KTPASS” command, even though you are accessing Connections via “HTTPS”; only use “HTTP/”. For example:

ktpass -out c:\Node1.keytab -princ HTTP/connections.axians.local@AXIANS.LOCAL -mapuser connections_user -mapOp set -pass Password1 -ptype KRB5_NT_PRINCIPAL

If you need more than one keytab file and Service Principal Name, use a separate AD User for every one of them.

Delegation User Setting

This is quite easy to forget: no matter what you do, Kerberos won't work if the Service User Account used in the “KTPASS” command does not have the following setting set:

Although, I am not 100% sure you need to do this when you are Configuring SPNEGO without doing the Kerberos part in WebSphere. I will surely test this next time when I have a chance.

Disable TAI Authentication

For SPNEGO to work with WebSphere as it should, you need to disable TAI Authentication:

Go to Security –> Global Security –> Custom Properties

Then enter the following:

Name: com.ibm.websphere.security.performTAIForUnprotectedURI
Value: false

I hope this is going to help someone. If you have any tips of your own, please share them in the comments below.