IBM Connections 4: Connect TDI to Secure LDAP server via SSL

If you want Tivoli Directory Integrator (TDI) to connect to a secure LDAP server (LDAPS) via SSL, you need to import the SSL root certificate of the LDAP server into your TDI configuration. This article describes the basics of how to do that.

For the TDI configuration included in IBM Connections the steps are as described below:

  • First, get the root certificate of your LDAP server. This can most easily be done with OpenSSL:

openssl s_client -connect <hostname of ldap server>:636 | sed -ne '/-BEGIN CERTIFICATE-/,/-END CERTIFICATE-/p' > <filename for certificate>.cer

If you do not have “sed” available, you can manually extract all lines from “-----BEGIN CERTIFICATE-----” to “-----END CERTIFICATE-----” with a text editor and save this section.

  • Now you need to import this certificate into the TDI JKS keystore.

You can either do that via the IBM IKEYMAN utility or, faster, via the command line (start the command from the “…\TDISOL\serverapi” directory):

<TDI program directory>/jvm/jre/bin/keytool -import -trustcacerts -alias <alias name for certificate> -file <filename of the certificate>.cer -keystore testadmin.jks -storepass administrator

E.g.:

/opt/IBM/TDI/V7.1/jvm/jre/bin/keytool -import -trustcacerts -alias LDAP-Certificate -file ldaproot.cer -keystore testadmin.jks -storepass administrator

You need to confirm with “yes” that you trust this certificate.

  • If you still get SSL errors in the IBMDI.LOG (like “Keystore was tampered with, or password was incorrect”), open the file “<TDI program directory>/etc/global.properties” with a text editor.

Find the sections “## server authentication” and “## client authentication” and replace the line “#{protect}-javax.net.ssl.trustStorePassword={encr}……..” with the line “{protect}-javax.net.ssl.trustStorePassword=administrator” in both sections.

Now your TDI should be able to successfully connect to your secure LDAP server.

Update:

Please make sure that you use the “testadmin.jks” in the “serverapi” directory of your TDI solutions directory (e.g. “TDISOL/serverapi”)!
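
The command in the first step saves only the certificate the server itself presents; `openssl s_client` prints the rest of the chain only with `-showcerts`. The following sketch is an added example, not part of the original post: it splits `-showcerts` output into one file per certificate and imports a chosen file only if its SHA-256 fingerprint matches a value you obtained out-of-band. The function names, the `ldap-chain` file prefix, the host `ldap.example.com` and the sample input are assumptions made for illustration.

```sh
#!/bin/sh
# split_pem_chain PREFIX: read `openssl s_client -showcerts` output on stdin,
# write each PEM block to PREFIX-0.cer, PREFIX-1.cer, ... and print the count.
split_pem_chain() {
    awk -v prefix="$1" '
        BEGIN { n = 0; inside = 0 }
        /-----BEGIN CERTIFICATE-----/ { out = prefix "-" n ".cer"; inside = 1 }
        inside { print > out }
        /-----END CERTIFICATE-----/ && inside { close(out); n++; inside = 0 }
        END { print n }
    '
}

# cert_fingerprint FILE: SHA-256 fingerprint as upper-case hex without colons.
cert_fingerprint() {
    openssl x509 -in "$1" -noout -fingerprint -sha256 |
        cut -d= -f2 | tr -d ':' | tr 'a-f' 'A-F'
}

# import_if_trusted FILE EXPECTED_FP ALIAS KEYSTORE: import only when the
# fingerprint equals one obtained out-of-band (e.g. from the LDAP admin).
# keytool asks for the keystore password and for the final "yes".
import_if_trusted() {
    want=$(printf '%s' "$2" | tr -d ':' | tr 'a-f' 'A-F')
    if [ -z "$want" ] || [ "$(cert_fingerprint "$1")" != "$want" ]; then
        echo "fingerprint mismatch for $1, not importing" >&2
        return 1
    fi
    keytool -import -trustcacerts -alias "$3" -file "$1" -keystore "$4"
}

# demo: run the splitter over a constructed s_client excerpt (the bodies are
# placeholder text, not real certificates); prints the number of blocks found.
demo() {
    dir=$(mktemp -d) || return 1
    split_pem_chain "$dir/ldap-chain" <<'EOF'
Certificate chain
 0 s:CN = ldap.example.com
-----BEGIN CERTIFICATE-----
Q09OU1RSVUNURUQtTEVBRg==
-----END CERTIFICATE-----
 1 s:CN = Example Issuing CA
-----BEGIN CERTIFICATE-----
Q09OU1RSVUNURUQtQ0E=
-----END CERTIFICATE-----
EOF
    rm -rf "$dir"
}
# Real use (placeholder host): openssl s_client -connect ldap.example.com:636 -showcerts </dev/null | split_pem_chain ldap-chain
```

After splitting, `openssl x509 -in ldap-chain-1.cer -noout -subject -issuer` shows which file is the CA certificate; many servers do not send the root itself, in which case it has to come from the CA or the LDAP administrator.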

IBM Connections 4: SSL Termination on Load Balancer

If you configure IBM Connections 4 behind a load balancer that does SSL termination, you are unable to log in. This is because Connections forces SSL for the login page. So even if you access Connections via HTTP during login, the WAS server redirects you to HTTPS. The load balancer changes that to HTTP again, and so you end up in an endless loop.

The solution is described in this technote (which was originally written for WebSphere Portal Server). However, it also solves the issue for IBM Connections.

  • First, you need to tell your load balancer to insert an additional HTTP header variable (the name does not matter).
  • Then open the Websphere Administrative Console.
  • For each Connections application server, go to “Servers -> Application Servers -> <AppServer Name> -> Web Container -> Custom Properties” and add a new property called “HttpsIndicatorHeader”. In the value field, enter the name of the HTTP header field which the load balancer inserts.
  • After restarting your application servers, the login should be possible again.

Windows Update Problem (“#elementModuleHeaderText#”)

Suddenly, on my Windows 7 machine, Windows Update could no longer be used. As soon as you clicked either on Windows Update or the Windows Update settings, there was an almost empty screen with just an empty button. If you clicked on it you got error messages like “#elementModuleHeaderText#” etc.

After trying many things I found on Google, I finally ran the following Microsoft Auto Fix: “Automatically diagnose and fix common problems with Windows Update”.

This fixed the issue immediately. Afterwards I was at least able to view all the settings again. I was just unable to change some of the settings and I got the message “Einige Einstellungen werden vom Systemadministrator verwaltet” (in English something like “Some settings are controlled by the system administrator”).

To fix this issue I just deleted the following registry key:

HKLM\Software\Policies\Microsoft\Windows\Windows Update

and restarted the Windows Update service.

IBM Connections 4: Java out-of-memory error during plugin generation

Another issue we have now seen several times during the installation of IBM Connections 4 (both times the medium deployment option had been chosen):

If you want to generate the plugin for the IBM HTTP server, you might see the WebSphere Deployment Manager crashing with a Java “out of memory” error. To avoid that, you should increase the maximum Java heap size for the Deployment Manager process to 1024 before generating the plugin. You can do that in the Integrated System Console -> System Administration -> Deployment Manager -> Java and Process Management -> Process definition -> Java Virtual Machine -> Maximum heap size.

In the installation wiki only the Java heap size for the application servers is mentioned, but no information is given that you should increase the size for the DMgr as well.

IBM Connections 4: Install into a Websphere node with no application server installed

At a customer site we had a problem installing IBM Connections 4. The customer had installed the WebSphere node without a default application server. This should normally not be a problem, as the application servers for Connections will be installed by the Installation Manager later.

In the IBM Connections Installation Manager there is a panel for the Cognos installation. If you do not want to install Cognos at that time, you should be able to just enter a dummy user/password and press the “Validate” button. Even if the validation is not successful you should get the “Next” button to go forward to the next panel.

However: if the node into which you want to install Connections does not yet contain an application server, the Installation Manager is unable to read the value for the port number from the application server profile. And without a port number you are unable to proceed to the next panel.

As a workaround you need to close the Installation Manager, create a dummy application server via the Integrated System Console into the node where you want to install Connections, and then start the installation again. Now the Installation Manager does find the server profile and can read the port number from there and you are able to proceed.

After your installation has been completed you can then delete the dummy application server again.

This is for sure a bug and IBM Support will write a technote for it (and hopefully this will be fixed in the next release as well ;-))

Windows 7: System Error 67 trying to connect to network share

On my Windows 7 PC I suddenly had problems connecting to Windows shares (neither shares from other Windows computers nor my ReadyNAS). I always got the message “System error 67 has occurred. The network name cannot be found”. This happened even if I tried to connect to the IP address instead of the NetBIOS name.

The root cause for that issue was a missing entry “LanmanWorkstation” in the network provider registry key:

HKLM->System->CurrentControlSet->Control->NetworkProvider-> HwOrder

This key contained only the values “cbfs4,npnotes” but no longer “LanmanWorkstation”. After changing this key to “LanmanWorkstation,cbfs4,npnotes” everything worked fine again.

However, I still have no idea why this entry disappeared…

 

Tivoli Directory Integrator: Connect to MySQL Database

As I did not find it documented anywhere, here are the instructions to connect Tivoli Directory Integrator (TDI) to a MySQL database:

  • Get the MySQL JDBC driver
  • Copy the file “mysql-connector-java-5.1.22-bin.jar” (the version number may differ!) from the archive to “<TDI install directory>\jars\3rdparty\others”
  • Restart TDI if it is already running
  • In a TDI assembly line add a new component of type “Database Connectors (JDBC)”
  • As “Database Type” select “JDBC”
  • As “JDBC URL” use: “jdbc:mysql://<dbhostname>:<port>/<databasename>” (e.g. “jdbc:mysql://localhost:3306/test”)
  • As “JDBC Driver” use “com.mysql.jdbc.Driver”

Now you should be able to successfully connect to your MySQL database.

Fix Pack 34 for Quickr 8.5.1 adds support for Domino 8.5.3

Now you can use the latest version of Domino (8.5.3) together with your IBM Quickr 8.5.1 server. The newest fix pack 34 adds support for this and for the Internet Explorer 9 Compatibility mode as well. From now on there are two different versions of the Quickr fix pack: one for Domino 8.5.3 FP1 and one for customers still running Domino 8.5.1 FP5.

Although two codestreams are maintained, I strongly recommend upgrading your servers to Domino 8.5.3FP1. Not only will you benefit from many improvements in stability, it may also be that the Domino 8.5.1FP5 version of the hotfix will no longer be available in the future.

Customers using DAOS together with Quickr should, in any case, upgrade to Domino 8.5.3FP1.

You can download the newest fix pack from here.

You will also need to install a hotfix on top of Domino 8.5.3 FP1, which can be downloaded from here.

Error (0xc0000225) installing Windows 7 on VirtualBox

If you get this error while trying to install Windows 7 or Windows 2008 Server within a VirtualBox guest

[codesyntax lang="text"]
Windows Boot Manager
Windows failed to start. A recent hardware or software change might be the cause.
To fix the problem......

Status: 0xc0000225
Info: An unexpected error has occurred.
[/codesyntax]

you need to do the following to resolve the issue:

  • Power Down the Virtual Machine
  • Go to the Settings of the Virtual Machine
  • Under “System” tick on “Enable IO APIC”

[Reference]