Content Feed

27 April 2017

IBM Docs 2.0 CR2 IF1 Available

No sooner after I publish my post about the Security Updates in CR2, do I see that there's CR2 IF1 available now as well.

IBM Connections Docs 2.0 CR2 iFix 001 Release Notes

This includes support for TLS v1.2, so if that' important to you - I'm looking at you externally facing servers - then you'll want to check this out.


 IBM Connections Docs  IBM Docs 27 April 2017

IBM Docs 2.0 - CR2 Includes Fixes For Security Vulnerabilities

If you're looking for another reason to install CR2 for IBM Docs 2.0 beyond "just getting the latest", here's one: this CR includes fixes for three different security vulnerabilities.  If you've got an externally facing Connections environment, I would recommend getting the update scheduled sooner rather than later.

Security Bulletin: IBM Connections Docs is Vulnerable to a Denial of Service (CVE-2015-8806)

Security Bulletin: IBM Connections Docs is Vulnerable to a Heap-based Buffer Overflow (CVE-2016-2073)

Security Bulletin: IBM Connections Docs is Vulnerable to a Stack-based Buffer Overflow (CVE-2016-3705)

Happy upgrading!

 IBM Verse  Traveler  Verse 17 February 2017

IBM Traveler - A Note On Upgrading

So IBM Traveler is now available.  We've been waiting on it to upgrade our internal server that was on an older version, mostly due to the issue that Detlev posted about in December.  That is "fixed" in this release, however my experience upgrading revealed that it wasn't so much fixed as the command that you need to issue to resolve the error was enabled for use.

So, after upgrading Traveler from the .12 release, the server started up and watched as the Traveler db had its design updated and also saw updates to the Derby database used by Traveler getting logged:

02/16/2017 05:19:42 PM Traveler: Server starting...
02/16/2017 05:19:56 PM Traveler: GUIDMAP has no records violating the constraint.
02/16/2017 05:19:56 PM Traveler: Primary key PK_GUIDMAP successfully created.
02/16/2017 05:19:56 PM Traveler: GUIDMAP table is repaired.
02/16/2017 05:19:56 PM Traveler: TS_FILTERS has no violating records.
02/16/2017 05:19:56 PM Traveler: Primary key PK_TSFILTERS successfully created.
02/16/2017 05:19:56 PM Traveler: TS_FILTERS table is repaired.
02/16/2017 05:19:56 PM Traveler: PUSH has no violating records.
02/16/2017 05:19:56 PM Traveler: Primary key PK_PUSH successfully created.
02/16/2017 05:19:56 PM Traveler: PUSH table is repaired.
02/16/2017 05:19:56 PM Traveler: REPLICAS has no violating records.
02/16/2017 05:19:56 PM Traveler: Primary key PK_REPLICAS successfully created.
02/16/2017 05:19:56 PM Traveler: REPLICAS table is repaired.

However, after that was done, I saw the message Detlev wrote about:

02/16/2017 05:20:00 PM Traveler: WARNING *system Exception caught trying to create constraint PK_INVMAP on Table INV_MAP. Exception Thrown: com.lotus.sync.db.PersistenceException: java.sql.SQLSyntaxErrorException: 'DEVUID' cannot be a column of a primary key because it can contain null values.

I wasn't expecting this, but figured I could try the command IBM gave out with the Hotfix:

tell traveler sql ALTER TABLE inv_map ALTER COLUMN devuid NOT NULL

After restarting HTTP, the error did not appear again, so it looks like running this command may be necessary if you are upgrading your standalone Traveler install from an older release.

Of course, as always, YMMV.

I'll be at the IBM Connect conference next week - hope to see some of you there!

 Verse  IBM Verse 17 January 2017

IBM Verse On-Premises - some thoughts after using for two weeks

We installed IBM Verse On-Premises (VOP) the day it was released.  See my previous post about the installation (simple).  This post will cover my impressions after having used it for two weeks as my main access point to my company email.

Basic Usage:

Overall, I'm pretty pleased with the VOP 1.0 release.  Reading and composing emails are easy and straightforward. When new mail arrives, the browser tab adds a red dot to the Verse icon to let me know there's something new. Messages render as expected and give me the option to show images if desired - just like Notes or iNotes do. The options to work with a message are available in the icon bar and are a mix of text button (Reply, Reply All, Forward) or images (Mark Needs Action, Mark read/unread, delete, move to folder, print or schedule a meeting).  There's also an indicator of which folder(s) the message is found in. This is very nice.   The Mark Read/Unread button was a topic of conversation in that it wasn't immediately apparent from the icon what it's for - and was missed entirely by someone else.  The hover text does point it out, but I'm chalking up missing it due to me not paying attention.

Continue Reading "IBM Verse On-Premises - some thoughts after using for two weeks" »

 ibm connections  IBM Connections Docs  IBM Docs 13 January 2017

IBM Docs - Technote on Understanding the Save, Publish and Copy options

This came across my feed this morning and I think it's a useful piece of information to share with users of IBM Docs.  They often ask the difference between the save, auto-save, publish, auto-publish and the copy options when working on documents.  This technote from IBM gives a fairly succinct explanation of what the differences are.

Understanding Save, Auto-save, Publish, Auto-publish, and Copy

 Domino  ibm connections  Lotus Notes Domino  SSL  iNotes 6 January 2017

IBM Connections Files Integration with iNotes

Now that Verse On-Premises 1.0 is out, I was taking a look at the integration with Connections Files.  I've run into an issue with that that I'm still looking at, but as part of the diagnosis, I went back to look at the Connections Files integration with iNotes to try and get some better logging.  During that inspection, I came across a different issue after we've upgraded our Connections instance to 5.5 and narrowed the TLS settings.

The issue in iNotes was that the client was failing wth a SSL handshake error in the iNotes console (nice to have that in iNotes).  Further review in the IHS log on the Connections side indicated a cipher mismatch.

First off, on the Domino side I enabled SSL_DEBUG_ALL=1 to get more information and the interesting thing is that Domino as the client was attempting to connect using the ECDHE_RSA_WITH_AES_256_GCM_SHA384 cipher. On Domino this is the top cipher used when TLS 1.2 is enabled.  However, this cipher isn't enabled by default in IHS according to the docs, so I updated the httpd.conf to add the additional ciphers for TLS 1.2 and all TLS versions.

# SSL Cipher settings

After making that change and restarting HTTP, I still saw the handshake errors.  Going back into the httpd.conf, I changed the settings from only supporting TLSv12 to all TLS versions:

SSLProtocolEnable TLS
SSLProtocolDisable SSLv3 SSLv2

Saving and restarting HTTP, this got Connections Files with iNotes working.  

Unfortunately, that didn't get the Connections Files with VOP working, so I'm back to looking at that.  More to come...

 Domino  Verse 30 December 2016

Initial impressions on IBM Verse On-Premises 1.0

NOTE:  This is a "first impression" post after working with VOP for a few hours.  I didn't participate in the betas, so this is a fresh experience.

So, as has been announced on the interwebs today, IBM Verse On-Premises 1.0 (VOP) was made available for download today.  Part number: CNDG8ML  

We had some time today, so Chris Whisonant and I installed it and setup the integration with Connections.  So Chris did the Domino side and I handled the Connections side.  Here are my brief comments on my couple of hours in.

INSTALL:  Went very smoothly on Windows, no issues.  Install the Hotfix that enables Verse, copy some JARs to the OSGI folder, set some notes.ini parameters, update the redirect db design, mail design and that's it. One note is that while the documentation only advises to make sure mail files are indexed, it looks like if you already have an indexed file, you'll want to rebuild the indexes.  We ran into that on my mail file on the server.  The server will initiate a rebuild, but it looks like it may cause some errors in the Inbox until the index is re-done.  At least that was my experience.

Also, there is one URL for all users.  So if you want to make verse the default, you'll want to update your server configuration.

INTERFACE:  If you've seen any slidedeck from this year, you'll know what to expect for the most part.  It's an interface that you'll recognize. When you login, you'll be prompted to allow browse notifications in Chrome, Safari and Firefox.

You get links to Mail, Calendar, People and Apps (links to iNotes, Notebook and ToDo).  Interesting note - Calendar takes you to the iNotes calendar, so it has not been "versefied" yet.  

The next "row" is icons for Inbox/Unread, Needs Action, Waiting For and then your Important People.  The Needs Action and Waiting for look to have lots of potential, I'll be playing around with that more.  Our initial test of trying to send an action to another didn't result in the message getting flagged in the recipient's mail. We'll look at this further.

SEARCH:  The "big" thing is the faceted search.  So far - working great.  You can drill down based on important people or perform a search and then you can refine the search based on time or folders. It is really nice - a big reason to check it out.

CALENDAR BAR: At the bottom is the calendar bar that shows your day in "blocks" where you have something scheduled and click on the block and get the details.  I like it, you can scroll through the day or from day to day. We'll see how much "use" I'll get out of it, but I like it so far.

CONNECTIONS INTEGRATION:  Integration was easy and simple to setup. Nothing installed on the Connections side, just some changes to the httpd.conf on the HTTP Server and a notes.ini change on the servers. Integration gives you photos and business card data.  Nicely done. If you have iNotes files integration, it will be available when composing a message as well.

So - in summary, for a 1.0 release it's looking pretty good.  Deeper testing will be done as I use the browser to access my mail primarily.

UPDATE:  Here's the link to the VOP Knowledge Center - it has the details on confguring VOP and integrating with Connections and Box.

Happy New Year everyone!

 connections  ibm connections 22 December 2016

IBM Connections 5.5 - Errors in SystemOut.log cleaning up HOMEPAGE database

Working with a client on IBM Connections 5.5 CR1, they were noticing errors in the SystemOut.log of the InfraCluster around 11pm regularly.  Lately, the errors were filling up 1GB of logs for a minute when it occurred.

The "critical" piece of information was the line below:
Error for batch element #1: A parent row cannot be deleted Page 10 of 67 because the relationship "HOMEPAGE.NR_READ_STATUS.FK_READ_STATUS_STR" restricts the deletion.. SQLCODE=-532, SQLSTATE=23504, DRIVER=4.19.49

We looked through the logs to find which entry it was, but couldn't find anything specific in the logs or the DB2DIAG log. It looked like it was trying to delete newsletter stories, but that's as close as we could get.

A PMR was opened with IBM and after reviewing the logs, we were told it was a known issue and there was a fix planned for CR3, but one is available for CR1 now. I'm guessing that a version for CR2 is available as well.

If that error is popping up in your logs, open a PMR and request the fix LO90678.

As I was searching on the fix, I happened across a link to a IBM technote (login required for this one) regarding this entry. Not much info beyond that this appears to be an issue in 5.5 and later CRs, but has the full stack of the error if you're interested.

 connections  ibm connections 21 November 2016

IBM Connections Mail - destined for end of support

Over the weekend, I noticed a blog entry in my feed reader from the IBM Collaboration Solutions Support blog -  End of Support Plans for the Connections Mail Plug-in - which starts of detailing that the IC Mail plugin for Connections 4.0 and 4.5 entered end of support this month. It also indicated EOS dates for the plugins for 5.0

The interesting/disturbing piece is related to future plans for IC Mail and Connections.  The statement is that there are no plans for a version of the Mail plugin to work with Connections 6.0.  And there is no mention of what a replacement might be.

Most of our clients that use Connections use the Mail plugin as well, so this would be a significant loss of functionality if there is actually nothing to replace the plugin.  Is it going to be part of the main suite now? Will Verse (cloud and on-prem) replace it?  Who knows, but apparently IBM is happy to let speculation play out until it makes a complete announcement.

Once again - we need IBM to fully explain what's going on.  

 ibm connections  connections  spnego  sso 3 November 2016

File Downloads from Connections using SPNEGO

With IBM Connections, there are options to utilize different SSO options. One of the eaiser is using Windows Integrated Authentication, better known as SPNEGO. This uses the AD domain and the user's Windows credentials to issue a ticket that can be used to authenticate users against other resources, such as an IBM Connections site.

In some cases, this doesn't work like it should.  One example is if the user gets an email with a link to download a file stored in Connections, but hasn't yet authenticated with the site.  By default, the Files download isn't configured to support this, it relies on getting the LTPA token after authentication to serve requests.  The user gets a login page (or just the basic auth pop-up) before getting to the download page. For users that are used to never "logging in" to Connections, this can cause some anxiety and unnecessary Service Desk calls.

Here's what you can change in IBM Connections 5.5 to get File downloads to "work" as expected.  You'll need to remove the spaces between the < symbol and the following character for the XML to work. That's just so its readable here.

1 - Backup the web.xml from the \profiles\dmgr01\config\cells\\applications\Files.ear\deployments\Files\files.web.war\WEB-INF folder
2 - Locate the nodes in the web.xml file and add the following:


< security-constraint>
< display-name>Forms< /display-name>
< web-resource-collection>
< web-resource-name>Form< /web-resource-name>
< url-pattern>/form/*< /url-pattern>
< http-method>GET< /http-method>
< http-method>PUT< /http-method>
< http-method>POST< /http-method>
< http-method>DELETE< /http-method>
< /web-resource-collection>
< auth-constraint>
< description>Form< /description>
< role-name>reader< /role-name>
< /auth-constraint>
< /security-constraint>

3 - Perform a full resynch of all nodes
4 - Restart all clusters

Also check the SPNEGO config to make sure the  url /form/anonymous/* isn’t included in the filter criteria. If it’s there, remove it, save the change and resent the nodes. SPNEGO config should be dynamic, so a restart won’t be needed.

We opened a PMR for this and we're waiting to hear if IBM is going to make this change permanent in a future release .