SSL certificate expiration mails on WebSphere

WebSphere has an SSL certificate expiration monitor. This
mechanism checks the expiration dates of all the SSL certificates
that are configured in WebSphere.

You can control how many days before a certificate expires WebSphere will
send a notification mail, and how often the check is performed.

Notification by mail needs to be configured with an SMTP server and a recipient
address.

You also have the options "Automatically replace expiring self-signed certificates"
and "Delete expiring certificates and signers after replacement".

In a Connections setup, though, these two options will not take away any manual
work. If you have a Connections configuration with an IHS web server in front, you will
always have to export the signer certificate of the new WebSphere certificate and import
it into the plugin-key.kdb file of the WAS plug-in on the IHS web server (the signer is
the public part only; the private key stays in key.p12). If you don't do this, the
connection between WebSphere and the IHS web server will not work any longer, and
clients will be faced with 500 error pages when they want to visit Connections.

Everything written above works perfectly; the only thing that doesn't function the
way you want is the sending of the notification mails.
The mails are sent whether a certificate is about to expire or not. With a notification
threshold of 30 days and a Connections setup with multiple JVM servers
you will receive 11 mails every 30 days about certificates that aren't about to
expire :-) .

The behaviour described has been acknowledged and is fixed in WAS version 6.1.0.27.

Check the technote.

If you don't want to install a complete new fixpack, we also got hold of
the iFix, which has much less impact on your WAS installation than a
complete new fixpack.

We now simply renew the WebSphere certificates to somewhere at the end
of 2020 and disable the SSL certificate expiration check. This saves us
installing a fixpack or iFix for every LC installation and keeping it up to
date. If you do the same, keep track of the expiration dates yourself,
because nothing in WebSphere will warn you any more.

The default validity of WebSphere's own SSL certificate
is one year, but my experience is that this can vary with every fixpack
level.

Lotus Connections 2.5 Fixpack 2 a.k.a. LC2502

A couple of weeks ago Fixpack 2 for Connections 2.5 was released.

Mitch Cohen is always one of the first to bring the good news to the
world; check his blog entry for the important links.

http://www.curiousmitch.com/CuriousMitch/mitch2.nsf/d6plinks/MCON-85ZFQU

But as an addition to this information I would like to share
my experience installing this update.

When you read through the update guide you will bump into iFix
LO52087,
which is an update for the TDISOL config directory as
used by Tivoli Directory Integrator.

This is a mandatory fix, and although English is not my primary
language I understand this means "required"; Google Translate is my friend :-) .

Before getting to the upgrade process of Fixpack 2 I first wanted
to install this iFix. The first problem was that it was mentioned
in the documentation but wasn't available yet on Fix Central.
After it was released the technote was not available. So again
waiting for this to complete; a few days later the technote was
updated and installation instructions were available.

Unfortunately the instructions were far from complete. The iFix
itself is just a new version of the TDISOL directory, and the instructions
are roughly the same as those in the InfoCenter for setting up an initial
TDISOL config directory.

There are no instructions for how to copy or migrate
your old property files to the new TDISOL config directory.
You can't just copy your old property files over, because the syntax
used is different and there are some new options.

In my current TDISOL config directory I had made edits to the following
three files.

- profiles_functions.js
- profiles_tdi.properties
- map_dbrepos_from_source.properties

To get the correct information from my profiles_tdi.properties
and combine it with the new options from the profiles_tdi.properties
in LO52087 I used sdiff.
With sdiff you can merge two files interactively and save
the outcome in a new file, so you get the best of both worlds :-p.

# sdiff -o profiles_tdi.properties profiles_tdiOLD.properties profiles_tdiLO52087.properties

For profiles_functions.js I just copied my self-written functions over.
And to migrate the file map_dbrepos_from_source.properties I just
placed both files next to each other and created my own new version.
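The following is an added example, not code from the original post and not part of the iFix or IBM's instructions. It does the non-interactive part of that sdiff session: it takes the keys and their order from the new template (so new options appear and comments in the template survive), carries your old value over wherever the key still exists, and reports which keys are new and which old keys no longer exist, since those are the ones you have to check against the iFix notes by hand (a renamed option looks exactly like a removal plus an addition). The two properties fragments in it are made up for the example; the key names are not the real TDISOL keys.

```python
import re

# One "key=value" or "key: value" line; comments (# or !) and blank lines
# do not match. Backslash continuation lines are refused rather than
# guessed at; the TDISOL property files do not use them.
PROPERTY = re.compile(r'^\s*([^#!=:\s][^=:]*?)\s*[=:]\s*(.*)$')


def parse(text):
    """Ordered (key, value) pairs from a .properties text."""
    pairs = []
    for line in text.splitlines():
        if line.rstrip().endswith('\\'):
            raise ValueError('continuation line not supported: %r' % line)
        match = PROPERTY.match(line)
        if match:
            pairs.append((match.group(1), match.group(2)))
    return pairs


def merge(old_text, new_text):
    """Rebuild the new template with the old values carried over.

    Returns (merged_text, report). The report has three lists:
      carried: keys whose old value replaced the template default
      added:   keys that only the new template has (new options)
      dropped: keys that only the old file has; review these by hand
    """
    old = dict(parse(old_text))
    new_keys = set([key for key, _ in parse(new_text)])

    lines = []
    carried = []
    for line in new_text.splitlines():
        match = PROPERTY.match(line)
        if match and match.group(1) in old and old[match.group(1)] != match.group(2):
            lines.append('%s=%s' % (match.group(1), old[match.group(1)]))
            carried.append(match.group(1))
        else:
            lines.append(line)          # comments, blanks, unchanged defaults

    report = {
        'carried': carried,
        'added': [key for key, _ in parse(new_text) if key not in old],
        'dropped': [key for key, _ in parse(old_text) if key not in new_keys],
    }
    return '\n'.join(lines) + '\n', report


# Constructed stand-ins for the existing profiles_tdi.properties and the
# template shipped with the iFix; key names are made up for the example.
OLD = """# tuned for our LDAP
source_ldap_url=ldap://ldap.example.org:389
source_ldap_user_login=cn=tdi,o=example
source_ldap_search_filter=(objectclass=person)
sync_updates_hash_field=x_profile_hash
"""

NEW = """# template from the iFix
source_ldap_url=ldap://localhost:389
source_ldap_user_login=
source_ldap_search_base=
source_ldap_search_filter=(objectClass=inetOrgPerson)
source_ldap_page_size=1000
"""

if __name__ == '__main__':
    merged, report = merge(OLD, NEW)
    print(merged)
    for kind in ('carried', 'added', 'dropped'):
        print('%-8s %s' % (kind + ':', ', '.join(report[kind])))
```

Run it against your real files by reading them into OLD and NEW; the 'dropped' list is where the manual work from the post remains, because the script cannot know whether an option was renamed, removed or replaced by new syntax.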

That concludes the fun I had with LO52087. I filled in the "Rate this
page" section of the technote to do a bit more than just
throwing mud at the walls of Big Blue.

The next thing to do was to really apply Fixpack 2.
Starting from the third point :-) the installation instructions are
documented very well. Except for the time frame you
have to keep in mind when installing this Fixpack, because what
the UpdateInstaller does when installing Fixpack 2 is uninstall
all iFixes applied after Fixpack 1.

( Probably all iFixes applied after Fixpack 1, but I don't know this for sure. )

As an overactive Connections administrator I had applied all
iFixes up to 13 May 2010, which gave me a very long
upgrade process that took twelve hours, just waiting for the installer
to finish. Installing only the Fixpack takes about twenty minutes, and the
post-installation tasks can be done in an hour.
( Note: the time needed of course depends on the hardware used. )

This all disappointed me a bit, because I thought: yeah, a Fixpack, no
need to wait such a long time to apply all these iFixes one
by one. Unfortunately the truth is somewhat different under
certain circumstances.

This is certainly something to keep in mind
when you want to upgrade a production cluster deployment
with a lot of iFixes applied.

"The update installer does not currently support 24x7
updates. You must apply the updates at a time when
no one is logged into the product.
See Preparing Lotus Connections for maintenance
for more information."

Multiple server SSO config breaks River-of-News

This blog item is about a long-standing issue that we had with the
River-of-News function on the Homepage of Connections.

The problem was that the River-of-News function
broke when SSO functionality was active before
navigating to the Homepage of Connections.

We noticed this issue only on a Connections configuration where
multiple server instances were involved, like the Advanced stand-alone
installation of Connections. We didn't have the issue on our
Stand-alone Connections installation with only one JVM.

In our environment we have configured SSO between our Connections,
Quickr, webmail and Sametime servers. The River-of-News function
broke when your initial login was on Quickr, webmail or Sametime and
you navigated to the homepage of Connections in the same session.

The error printed on the Homepage was something like the one below.

[3/31/10 18:55:01:666 CEST] 0000004c HomepageSaveN E com.ibm.lotus.connections.dashboard.web.webui.internal.servlet.actions.HomepageSaveNewsAction getAllTopStoriesForPerson CLFRQ0382E: An error occurred while invoking a remote interface (EJB) for fetching news stories for person ID 37A3BC5F-CB07-D6CA-C125-72730054A71A. Check nested exception for more details.
        com.ibm.lotus.connections.dashboard.common.exceptions.servlet.NewsRepositoryRelatedException: CLFRQ0382E: An error occurred while invoking a remote interface (EJB) for fetching news stories for person ID 37A3BC5F-CB07-D6CA-C125-72730054A71A. Check nested exception for more details.
        at com.ibm.lotus.connections.dashboard.web.webui.internal.servlet.actions.HomepageRiverOfNewsAction.handleRemoteExceptionForFetchAction(HomepageRiverOfNewsAction.java:79)
        at com.ibm.lotus.connections.dashboard.web.webui.internal.servlet.actions.HomepageFetchNewsAction.getAllTopStoriesForPerson(HomepageFetchNewsAction.java:307)
        at com.ibm.lotus.connections.dashboard.web.webui.internal.servlet.actions.HomepageFetchNewsAction.fetchAndSetStories(HomepageFetchNewsAction.java:137)
        at com.ibm.lotus.connections.dashboard.web.webui.internal.servlet.actions.HomepageFetchNewsAction.handle(HomepageFetchNewsAction.java:80)
        at com.ibm.lotus.connections.dashboard.web.webui.internal.servlet.news.NewsStoryServlet.handle(NewsStoryServlet.java:126)
        at com.ibm.lotus.connections.dashboard.web.webui.internal.servlet.news.NewsStoryServlet.doGet(NewsStoryServlet.java:73)
        at javax.servlet.http.HttpServlet.service(HttpServlet.java:743)
        at javax.servlet.http.HttpServlet.service(HttpServlet.java:856)

Scrolling further down, the next error came by.

Caused by: java.rmi.AccessException: CORBA NO_PERMISSION 0x49424306 No; nested exception is:
        org.omg.CORBA.NO_PERMISSION: JSAS0202E: [{0}] Credential token expired.  {1}  vmcid: 0x49424000  minor code: 306  completed: No
        at com.ibm.CORBA.iiop.UtilDelegateImpl.mapSystemException(UtilDelegateImpl.java:263)
        at javax.rmi.CORBA.Util.mapSystemException(Util.java:84)
        at com.ibm.lconn.news.ejb.client._NewsStoryEJBBean_Stub.getNewsStories(_NewsStoryEJBBean_Stub.java:1296)
        at com.ibm.lotus.connections.dashboard.web.webui.internal.servlet.actions.HomepageFetchNewsAction.getAllTopStoriesForPerson(HomepageFetchNewsAction.java:304)
        ... 51 more
Caused by: org.omg.CORBA.NO_PERMISSION: JSAS0202E: [{0}] Credential token expired.  {1}  vmcid: 0x49424000  minor code: 306  completed: No

A simple work-around was to log out of Connections and log in
again directly to the Homepage.

We raised a PMR with IBM to figure out what we could do to fix this issue.

After a couple of mails with Danny Chong from the Lotus Connections
Technical Support team we were advised to install the following iFix.

http://www-01.ibm.com/support/docview.wss?rs=180&uid=swg1PK77853

The odd thing about this iFix is that its error description is not at all
relevant to our situation. We mentioned that to the guys at IBM too, but
they insisted that this iFix could solve our issue.

And magically :-) our issue was solved after applying
this iFix. You can't download this iFix separately; it is only packed in
WAS fixpack 6.1.0.25 and above. Happily they sent me the separate
iFix so I didn't have to apply fixpack 25, which is not supported
by Connections 2.5.

Check this link to download this iFix.

Because I think this issue is very specific to the setup you use, here
is a short list which describes ours.

- Advanced stand-alone Lotus Connections 2.5 GA fixpack 1
   ( the issue was also present before fixpack 1 )
- Linux SLES 10 SP1 – WAS 6.1.0.23
- Linux SLES 9 SP4  – DB2 9.1 FP6
- Linux SLES 9 SP4  – TDI 6.1.1 FP6
- Windows 2003 SP2 – Lotus Domino 8.5.1 LDAP

Thanks again to Danny from the Lotus Connections Technical Support
team for helping us with this one.

It’s a done deal

This morning I took my Lotus Connections 2.5 exam and
passed it successfully :-) .

I found the real exam a little bit harder than the test
exam from Prometric I took last week. A few questions
about Files and Wikis were a pain for me because
I hadn't dived into the depths of these two parts of LC 2.5 yet.

Lotus Connections 2.5 exam

Next Monday I'm going to take the LOT-987 exam, a.k.a.
Administering IBM Lotus Connections 2.5.

To prepare myself for this one I took the test exam from
the Prometric site.

http://www-03.ibm.com/certify/tests/samL987.shtml

I went smoothly through this test exam without much
preparation ( 78%, 74% is required ).

So hopefully the real exam goes as smoothly as this test exam :-) .

Some thoughts about the exam from other Connections
guys.

From the blog of Stuart McIntyre, who worked in the team that created the exam.

http://lotusconnectionsblog.com/blog/connblog.nsf/dx/lotus-connections-2.5-certification-now-available

Mikkel on the exam at his blog lekkimworld.com

http://lekkimworld.com/2010/02/25/im_a_certified_lotus_connections_2_5_administrator.html

Mapping groups to a role in Lotus Connections

I tried to figure out how I could map a group to
a role as used by the Lotus Connections applications.

It would be handy if I could create a group like blogadmins
containing all the people who need admin
privileges on Blogs.

Unfortunately you can't map groups to the roles used by
Connections: the console lets you do it, but it won't work.

http://www-10.lotus.com/ldd/lcforum.nsf/d6091795dfaa5b1185256a7a0048a2d0/c20e137e3b31e826852576fd00265771?OpenDocument

Because I can't map a group to a role I need
to add every user individually.

I want this action to be scripted, so I looked at how this could be
done. The trick is the separator between the user names, which has to be a "|".

So check the script below.

appName = 'Blogs'
lcsearchadmin = 'LCdev admin'
blogadmins = 'LCdev admin|Donald Duck|Dagobert Duck|Mickey Mouse'
lcadmin = 'LCdev admin'

AdminApp.edit(appName, '[ -MapRolesToUsers [ ["person" no yes "" ""] ["everyone" yes no "" ""] ["reader" no yes "" ""] ["search-admin" no no "'+lcsearchadmin+'" ""] ["admin" no no "'+blogadmins+'" ""] ["widget-admin" no no "'+lcadmin+'" ""] ] ]')
print "done.... Configuring rights Blogs EAR"
AdminConfig.save()

PROF_TYPE in map_dbrepos_from_source.properties

In the Profiles part of Lotus Connections you can configure
multiple profile types, which give you a different lay-out per type.

You can follow this InfoCenter link on how to set it up.
Mitch Cohen also wrote a very detailed guide on how to do it.

One thing I came across is how to populate the PROF_TYPE database
column in the EMPINST.EMPLOYEE table. This column determines
which profile type is used for a user.

I discovered that you can use the following line in the
map_dbrepos_from_source.properties file to populate the PROF_TYPE
column from an LDAP attribute. This option is not mentioned
in the Lotus Connections InfoCenter.

PROF_TYPE=employeeType

( or whatever LDAP attribute you want to use, but the attribute employeeType
looks pretty obvious to me :-p

employeeType is an attribute of the objectClass inetOrgPerson )

With this configuration the sync_all_dns.sh command uses the LDAP
attribute employeeType to fill the PROF_TYPE column in the
EMPLOYEE table of Profiles. This also keeps the profile type
up to date when the employeeType LDAP attribute of a user changes.

Configure rights Connections parts with wsadmin

Below is a script you can use to set the rights for every part of Connections correctly.

Handy for fixing the rights after you have done an upgrade.

FILE ConfigureRightsActivities.py
 appName = 'Activities'
 lcsearchadmin = 'LCdev admin'
 lcadmin = 'LCdev admin'

 AdminApp.edit(appName, '[ -MapRolesToUsers [ ["person" no yes "" ""] ["everyone" yes no "" ""] ["reader" no yes "" ""] ["search-admin" no no "'+lcsearchadmin+'" ""] ["widget-admin" no no "'+lcadmin+'" ""] ] ]')
 print "done.... Configuring rights Activities EAR"
 AdminConfig.save()
!FILE

Run it as follows.

./wsadmin.sh -lang jython -port 8880 -username wasadmin -password udontneedtoknowthispunk -f ./wsadmin_scripts/ConfigureRightsActivities.py

Note that a password given on the command line like this ends up in your shell
history and is visible to every local user in the process list while wsadmin runs.
Leave -password off and let wsadmin prompt for it, or put the credentials in
soap.client.props, when that matters on your servers.

To do it for the other parts just change the appName variable, but be aware
that the roles differ between the Connections parts. The Homepage
part, for example, doesn't have the search-admin role.
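The Blogs script earlier on this page and the Activities script above both build the -MapRolesToUsers argument by hand, with the "|" separator typed into the string. The script below is an added example, not from the original post and not from IBM, that generates that argument from a plain list of users per role, so the separator and the yes/no flags for "everyone" and "all authenticated" come out the same way for every application. The role tables and user names are placeholders taken from the two scripts; check the role names against each application's own deployment descriptor before using them. Under wsadmin the AdminApp and AdminConfig objects exist and the mapping is applied and saved; run with plain Python it only prints the arguments it would pass. It is written to stay within what the WAS 6.1 wsadmin Jython (2.1) accepts.

```python
# Added example: build the -MapRolesToUsers argument for AdminApp.edit
# from a plain structure instead of typing the "|" separator by hand.
# Runs under wsadmin -lang jython as well as under plain Python.

def role_entry(role, everyone='no', all_auth='no', users=(), groups=()):
    """One [role everyone all_authenticated users groups] entry.

    wsadmin wants the user (and group) list as a single string with "|"
    between the names; a name containing spaces needs no extra quoting."""
    return '["%s" %s %s "%s" "%s"]' % (
        role, everyone, all_auth, '|'.join(users), '|'.join(groups))


def map_roles_to_users(roles):
    """roles: list of (role, everyone, all_auth, users) tuples."""
    entries = [role_entry(r, e, a, u) for r, e, a, u in roles]
    return '[ -MapRolesToUsers [ %s ] ]' % ' '.join(entries)


# Placeholder names; replace with the admin accounts of your deployment.
ADMIN = 'LCdev admin'
BLOG_ADMINS = [ADMIN, 'Donald Duck', 'Dagobert Duck', 'Mickey Mouse']

# One role table per Connections application. Roles differ per application
# (Homepage, for instance, has no search-admin role), so look up the exact
# role names in each application's web.xml before adding a table here.
ROLES = {
    'Blogs': [
        ('person',       'no',  'yes', []),
        ('everyone',     'yes', 'no',  []),
        ('reader',       'no',  'yes', []),
        ('search-admin', 'no',  'no',  [ADMIN]),
        ('admin',        'no',  'no',  BLOG_ADMINS),
        ('widget-admin', 'no',  'no',  [ADMIN]),
    ],
    'Activities': [
        ('person',       'no',  'yes', []),
        ('everyone',     'yes', 'no',  []),
        ('reader',       'no',  'yes', []),
        ('search-admin', 'no',  'no',  [ADMIN]),
        ('widget-admin', 'no',  'no',  [ADMIN]),
    ],
}


def configure_rights(app_name, admin_app, admin_config):
    """Apply the mapping for one application and save the configuration.

    admin_app / admin_config are the AdminApp and AdminConfig objects that
    wsadmin injects into the script's namespace. Returns the argument used."""
    argument = map_roles_to_users(ROLES[app_name])
    admin_app.edit(app_name, argument)
    admin_config.save()
    return argument


try:
    AdminApp, AdminConfig            # only defined when run via wsadmin -f
except NameError:
    for app in ROLES.keys():         # plain Python: show what would be sent
        print('%s: %s' % (app, map_roles_to_users(ROLES[app])))
else:
    for app in ROLES.keys():
        configure_rights(app, AdminApp, AdminConfig)
        print('done.... configuring rights %s EAR' % app)
```

Run it the same way as the script above (./wsadmin.sh -lang jython -f thisfile.py); to cover another application, add its role table to ROLES rather than copying the AdminApp.edit line.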

Lotus Connections 2.0.1 Fix Pack 1 ( 2.0.1.1)

Lotus Connections 2.0.1 Fix Pack 1 ( 2.0.1.1 ) has been released.

Check this URL for how to apply it, and which iFixes are included in this big one ( 230 MB ).

Be aware that there are some additional steps besides installing the Fix Pack itself.

http://www-01.ibm.com/support/docview.wss?rs=3265&context=SSYGQH&dc=DB560&dc=DB520&uid=swg21386185&loc=en_US&cs=UTF-8&lang=en&rss=ct3265lotus

Also note that there is a new LotusConnectionsUpdateInstaller -> link. I don't
know whether you already have to use this update installer for this Fix Pack, or whether
it has been released for the iFixes after Fix Pack 1 for 2.0.1.

Currently there are already four new iFixes for the 2.0.1.1 version. I can't give
any practical tips yet, because I haven't had a chance to apply it.

SSL certificates WebSphere and their expiration dates

When installing Lotus Connections one of the tasks is to set up a trust
relationship between the WebSphere server and the IHS server. To do this you have to
configure SSL in such a way that the signer of the SSL certificate of the
WebSphere server is known to the IHS server.

You have to export the signer of the SSL certificate of the WebSphere server and
then import it into the plugin-key.kdb file of the IHS server (WAS plug-in).

By default the SSL certificate of the WebSphere server is valid for one year; after
the certificate expires the SSL connection breaks. With Connections this shows up
as a 500 error instead of your Connections pages.

To prevent this you can monitor the expiration date of the SSL certificate of the
WebSphere server. To do this, log in to the WAS admin console of the
Connections server.

  Go to: SSL certificate and key management -> Manage certificate expiration

Disable the two options below; my experience is that they don't work
that well, and maybe I just want to control everything myself :-)

  Automatically replace expiring self-signed certificates
  Delete expiring certificates and signers after replacement

Then go to

  SSL certificate and key management > Manage certificate expiration > Notifications > MessageLog

Check

  Message log
  E-mail sent to notification list

Configure a mail address to send the notification to and an SMTP server to use.

Once this is configured you will receive a mail according to the number of days you
configured in the Expiration notification threshold attribute on the previous page.

You don't have to restart the WebSphere server for this to take effect.
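Since the mails from the expiration monitor can't be trusted on every fixpack level (see the note at the top of this page about the pre-6.1.0.27 behaviour, where a mail went out for every certificate, expiring or not), it helps to have a check of your own. The Python script below is an added example, not from the original post and not from IBM. Its expiring() function applies the threshold the way the monitor should, reporting only certificates inside the window or already expired, and server_not_after() fetches the notAfter date from a running endpoint (the WebSphere secure port, for example) using the signer you extracted with ikeyman in ASCII format as the trust anchor, since that .arm file is a PEM certificate. The certificate list in the script is made up for the example; host, port and file name are placeholders.

```python
import socket
import ssl
import time

DAY = 86400


def cert_time(not_after):
    """Seconds since the epoch for a notAfter string in the
    'Mon DD HH:MM:SS YYYY GMT' form that getpeercert() returns."""
    return ssl.cert_time_to_seconds(not_after)


def days_left(not_after, now):
    """Whole days until expiry; negative once the certificate has expired."""
    return (cert_time(not_after) - now) // DAY


def expiring(certs, threshold_days, now):
    """Return [(label, days)] for the certificates that expire within
    threshold_days, or already have, soonest first.

    This is the filter a notifier must apply before mailing: a
    certificate outside the window yields no entry and hence no mail."""
    hits = []
    for label, not_after in certs:
        left = days_left(not_after, now)
        if left <= threshold_days:
            hits.append((label, left))
    hits.sort(key=lambda hit: hit[1])
    return hits


def server_not_after(host, port, signer_arm):
    """notAfter of the certificate a live endpoint presents.

    signer_arm: the signer extracted from key.p12 with ikeyman in ASCII
    (Base64) format. It is a PEM certificate, so it can be the CA file
    that lets a self-signed WebSphere certificate verify. Hostname
    checking is off because the default WebSphere certificate's CN is
    the node name, not necessarily the name you connect to."""
    ctx = ssl.create_default_context(cafile=signer_arm)
    ctx.check_hostname = False
    sock = socket.create_connection((host, port), timeout=10)
    tls = ctx.wrap_socket(sock, server_hostname=host)
    try:
        return tls.getpeercert()['notAfter']
    finally:
        tls.close()


# Constructed sample: labels and dates are invented to exercise both
# sides of the threshold and the already-expired case.
SAMPLE_CERTS = [
    ('node01 default',      'Jun 20 09:00:00 2010 GMT'),
    ('dmgr default',        'Dec 31 23:59:59 2020 GMT'),
    ('ihs plug-in signer',  'Jul 01 00:00:00 2010 GMT'),
    ('old sametime signer', 'May 01 00:00:00 2010 GMT'),
]

if __name__ == '__main__':
    now = int(time.time())
    for label, days in expiring(SAMPLE_CERTS, 30, now):
        state = ('expired %d days ago' % -days) if days < 0 else ('expires in %d days' % days)
        print('%-22s %s' % (label, state))
    # Live check, placeholders: the WebSphere secure port and the extracted signer.
    # print(server_not_after('was.example.org', 9443, 'default.arm'))
```

Feed expiring() the (label, notAfter) pairs you collect, from server_not_after() per endpoint or from ikeyman's certificate details, and only mail when the returned list is non-empty; that is exactly the check the broken monitor omitted.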

If it is time to renew your WebSphere certificate you can do it this way.

Shut down the WebSphere server.

Start the ikeyman utility on the WebSphere server:
/opt/IBM/WebSphere/AppServer/bin # ./ikeyman.sh

Open the key.p12 file, remove the certificate with the label default under Personal
Certificates, and create a new self-signed certificate with the same label, default.

Then choose the Extract Certificate button and save it as an ARM file. This is the
public signer certificate only; the private key never leaves key.p12. You can then
choose to import it into trust.p12 yourself or let WebSphere take care of it.
When WebSphere starts it notices that the certificate in key.p12 is not in the Signer
Certificates list of trust.p12 and adds it itself.

As a last step you have to import the extracted ARM file into the Signer Certificates
list of the plugin-key.kdb file. Just grab your ikeyman and get it done, then
restart the IHS server for the change to take effect immediately, and you are safe again.
Anything else that was given the old signer needs the new ARM file as well.

P.S. I'm currently doing some work with Sametime Gateway 8.0.2 and Hotfix 1 for OCS
integration. Sametime Gateway requires WAS fixpack 6.1.0.23, and it looks like they
changed the default expiration from one year to fifteen years.

More info

IBM WebSphere Developer Technical Journal: SSL, certificate, and key management enhancements for even stronger security in WebSphere Application Server V6.1