SSL Certificate Issue with Ephox Textbox.io Editor in IBM Connections 5.5

After I installed the Ephox Textbox.io editor in IBM Connections 5.5 as described here, everything worked perfectly in Firefox and Internet Explorer. However, opening the editor in Google Chrome displayed the following error message: “The spelling service was not found: (https://server.example.com/ephox-spelling/).”

A Fiddler trace shows that the request to “https://server.example.com/ephox-spelling/1/correction” returns an HTTP 500 error.

The SystemOut.log of the server on which the Ephox spell checking service is deployed shows several error messages complaining about untrusted SSL certificates:

[ironbark-akka.actor.default-dispatcher-34] ERROR s.can.client.HttpClientConnection - Aborting encrypted connection to servername.example.com/xxx.xxx.xxx.xxx:443 due to [SSLHandshakeException:General SSLEngine problem] -> [SSLHandshakeException:General SSLEngine problem] -> [m:PKIX path building failed: java.security.cert.CertPathBuilderException: PKIXCertPathBuilderImpl could not build a valid CertPath.; internal cause is:
java.security.cert.CertPathValidatorException: The certificate issued by CN=*************** is not trusted; internal cause is:
java.security.cert.CertPathValidatorException: Certificate chaining error] -> [CertPathBuilderException:PKIXCertPathBuilderImpl could not build a valid CertPath.] -> [CertPathValidatorException:The certificate issued by CN=*************** is not trusted] -> [CertPathValidatorException:Certificate chaining error]

.....

[ironbark-akka.actor.default-dispatcher-26] ERROR akka.actor.ActorSystemImpl - Error during processing of request HttpRequest(POST,https://servername.example.com/1/correction,List(Host: servername.example.com, Content-Length: 28, Pragma: no-cache, Cache-Control: no-cache, Origin: https://servername.example.com, User-Agent: Mozilla/5.0 (Windows NT 6.1; WOW64) AppleWebKit/537.36 (KHTML, like Gecko) Chrome/48.0.2564.109 Safari/537.36, Content-Type: application/json, DNT: 1, Referer: https://servername.example.com/wikis/home?lang=en, Accept-Encoding: gzip, deflate, Accept-Language: en, de;q=0.8, Cookie: LtpaToken2=****************; LtpaToken=***********; ROLE_global-moderator=true; ROLE_metrics-report-run=true; ROLE_admin=false; ROLE_mail-user=true; X-IC-Preload=true; JSESSIONID=**************; BAYEUX_BROWSER=b0e4uvkqur88n75uikp8s53pyxw; org.cometd.reload=******************, Surrogate-Capability: WS-ESI="ESI/1.0+", _WS_HAPRT_WLMVERSION: -1, Expect: 100-Continue),HttpEntity(application/json,{"words":[],"language":"en"}),HTTP/1.1)
spray.can.Http$ConnectionException: Aborted
at spray.can.client.HttpHostConnectionSlot.reportDisconnection(HttpHostConnectionSlot.scala:228) ~[spray-can_2.11-1.3.2.jar:na]
at spray.can.client.HttpHostConnectionSlot$$anonfun$connected$1.applyOrElse(HttpHostConnectionSlot.scala:161) ~[spray-can_2.11-1.3.2.jar:na]
at akka.actor.Actor$class.aroundReceive(Actor.scala:465) ~[akka-actor_2.11-2.3.9.jar:na]
at spray.can.client.HttpHostConnectionSlot.aroundReceive(HttpHostConnectionSlot.scala:33) ~[spray-can_2.11-1.3.2.jar:na]
at akka.actor.ActorCell.receiveMessage(ActorCell.scala:516) [akka-actor_2.11-2.3.9.jar:na]
at akka.actor.ActorCell.invoke(ActorCell.scala:487) [akka-actor_2.11-2.3.9.jar:na]
at akka.dispatch.Mailbox.processMailbox(Mailbox.scala:254) [akka-actor_2.11-2.3.9.jar:na]
at akka.dispatch.Mailbox.run(Mailbox.scala:221) [akka-actor_2.11-2.3.9.jar:na]
at akka.dispatch.Mailbox.exec(Mailbox.scala:231) [akka-actor_2.11-2.3.9.jar:na]
at scala.concurrent.forkjoin.ForkJoinTask.doExec(ForkJoinTask.java:260) [scala-library-2.11.6.jar:na]
at scala.concurrent.forkjoin.ForkJoinPool$WorkQueue.pollAndExecAll(ForkJoinPool.java:1253) [scala-library-2.11.6.jar:na]
at scala.concurrent.forkjoin.ForkJoinPool$WorkQueue.runTask(ForkJoinPool.java:1346) [scala-library-2.11.6.jar:na]
at scala.concurrent.forkjoin.ForkJoinPool.runWorker(ForkJoinPool.java:1979) [scala-library-2.11.6.jar:na]
at scala.concurrent.forkjoin.ForkJoinWorkerThread.run(ForkJoinWorkerThread.java:107) [scala-library-2.11.6.jar:na

Root cause:

The certificates on the server were issued by a CA whose root and intermediate certificates were not present in the default Java trust store (cacerts) of the WebSphere Java SDK. The Ephox spelling service opens its own outbound HTTPS connection from the JVM (the one that is aborted in the log above), and that connection is validated against the JRE's cacerts, not against the WebSphere cell default trust store. So I had to add both the root and the intermediate certificate to this trust store manually (you have probably already added these certificates to the WebSphere cell default trust store, but that is a different trust store!).

To do that, run the following commands on all WebSphere Application Server nodes (adapt the aliases and the paths of your certificate files):

cd /opt/IBM/WebSphere/AppServer/java/jre/lib/security
../../bin/keytool -import -trustcacerts -alias StartSSL_Root -file /opt/INSTALL/SSL/root.crt -keystore cacerts -storepass changeit -noprompt
../../bin/keytool -import -trustcacerts -alias StartSSL_SubClass2Server -file /opt/INSTALL/SSL/sub.class2.server.sha2.ca.crt -keystore cacerts -storepass changeit -noprompt

After you have done that and restarted the WebSphere clusters, the Ephox Textbox.io editor should also work in Google Chrome. Keep a record of these imports: a Java SDK update may replace the cacerts file, and the spell checking service would then fail again in the same way.
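As an added example (not part of the original post and not Ephox or IBM code), here is a small POSIX shell script that makes the import above repeatable on every node: it lists the JRE cacerts, reports which of the required CA aliases are missing, and imports only those. The directory, keytool path, aliases and certificate file names are the ones used in the commands above; the script name and the CCM node handling are assumptions.

```shell
#!/bin/sh
# Added example (not from the original post): check the WebSphere JRE cacerts for
# the CA aliases the Ephox spelling service needs and import only the missing ones.
# Paths and aliases are taken from the commands above; adapt them to your site.

JRE_SEC="${JRE_SEC:-/opt/IBM/WebSphere/AppServer/java/jre/lib/security}"
KEYTOOL="${KEYTOOL:-/opt/IBM/WebSphere/AppServer/java/bin/keytool}"
STOREPASS="${STOREPASS:-changeit}"   # keytool default; set it if your site changed it

# missing_aliases ALIAS...: reads a `keytool -list` listing on stdin and prints every
# requested alias that is not in it, one per line. Pure text processing, so it can be
# checked without a JRE. keytool prints aliases in lower case, hence the -i.
missing_aliases() {
    listing=$(cat)
    for alias in "$@"; do
        if ! printf '%s\n' "$listing" | grep -iq "^${alias},"; then
            printf '%s\n' "$alias"
        fi
    done
}

# import_if_missing ALIAS CERTFILE: import a CA certificate under ALIAS unless the
# JRE cacerts already contains that alias. Only CA certificates (root and
# intermediate) are imported, never the server's own leaf certificate.
import_if_missing() {
    alias="$1"; certfile="$2"
    [ -r "$certfile" ] || { echo "cannot read $certfile" >&2; return 1; }
    if "$KEYTOOL" -list -keystore "$JRE_SEC/cacerts" -storepass "$STOREPASS" \
        | missing_aliases "$alias" | grep -q .; then
        "$KEYTOOL" -import -trustcacerts -alias "$alias" -file "$certfile" \
            -keystore "$JRE_SEC/cacerts" -storepass "$STOREPASS" -noprompt
    else
        echo "alias $alias already present in $JRE_SEC/cacerts"
    fi
}

# Usage, on every WebSphere node (script name is an assumption):
#   sh cacerts-import.sh /opt/INSTALL/SSL/root.crt /opt/INSTALL/SSL/sub.class2.server.sha2.ca.crt
if [ $# -eq 2 ]; then
    import_if_missing StartSSL_Root "$1"
    import_if_missing StartSSL_SubClass2Server "$2"
    # To compare the issuers with what the server really presents:
    #   openssl s_client -connect servername.example.com:443 -showcerts </dev/null
fi
```

Run it before and after a Java SDK update: the second run reports the aliases as present and changes nothing, which is the quickest way to confirm that the update did not replace cacerts.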

Battery Backup for my Raspberry Pi

I have just installed a battery backup for my Raspberry Pi to prevent file system corruption and data loss in case of a power failure. I chose the UPS Pico from PImodules. This module also has a real-time clock on board, which is something the Pi natively lacks. The PImodules web page has a detailed description of how to install and configure the module.

The first tests were successful. It recognizes a power loss and, if power is not restored within a few minutes, automatically runs a clean shutdown of the Pi. Once power is restored, the Pi boots up again automatically.

As the Pi with the power module no longer fit into the case I had been using, I also bought a new case (UPS Pico Case B+) with enough space for the power module including the battery.

So far I am very satisfied.

Experiences with “musicals.com” and “heidpark.com”

Today we redeemed two vouchers for a musical visit which we had bought from “Heidpark” (http://www.heidpark-heidpark.com) and from “http://www.musicals.com”. Based on this experience we can only advise against buying musical vouchers or tickets from these sites, for the following reasons:

  • For two tickets for the musical “Aladdin” in Hamburg, price category A, we paid a total of 30 EUR more than if we had ordered the tickets directly from the Stage Entertainment website today.
  • To redeem the vouchers you now have to send them by post to the company Heidpark and then (hopefully) receive the tickets afterwards. That costs another 2.85 EUR in postage (registered mail).

Honestly: we feel ripped off and will certainly never order anything there again.

Update 13.02.2016:

Today the tickets and an invoice arrived. An additional 9.80 EUR “order and shipping fee” was charged (and already debited), which at least was not immediately visible on the website and was not mentioned on the phone when ordering either. That is enough for me. If the company does not respond to my e-mail from today, I will revoke the direct debit and transfer the amount without the 9.80 EUR. Then we will simply argue about the amount in court. I will also inform the consumer advice centre about these business practices.

Update 19.02.2016:

Heidpark has now promised to refund the “order and shipping fee” … The consumer advice centre knows about the complaints but cannot do much.

Issue with IBM Connections 5.5 CCM file download via HTTP server

I tried to configure file download via the HTTP server for IBM Connections Content Manager (CCM) as described in the IBM Connections 5.5 info center.

However, changing the “fncs-sitePrefs.properties” file in the “FNCS_HOME/configure/explodedformat/fncs/WEB-INF/classes” directory and restarting the FileNet and FNCS applications did NOT work for me.

I also needed to copy the changed file manually to

/opt/IBM/WebSphere/AppServer/profiles/AppSrv01/installedApps/connectionsCell/navigator.ear/fncs.war/WEB-INF/classes

(overwriting the existing one. Caution: that version of the file contained an additional statement, “enablePropertySheetTemplateMinMax=true”, which I first copied into my properties file before copying it over!).

If you have more than one CCM server, you need to copy the file to the other servers' profile directories as well.
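As an added example (not part of the original post and not IBM code), the copy step above can be scripted so that the extra key in the deployed copy is not lost: the function below merges the edited fncs-sitePrefs.properties into the deployed one (edited values override, keys that exist only in the deployed copy such as enablePropertySheetTemplateMinMax=true are kept) and the merged file is then pushed to every CCM node. The two paths are the ones from the post; the CCM_NODES list, the temporary file and the script name are assumptions, and the key names in the usage note are constructed.

```shell
#!/bin/sh
# Added example (not from the original post or IBM): merge the edited
# fncs-sitePrefs.properties into the copy deployed under the WebSphere profile,
# keeping keys that only exist in the deployed copy, and push it to all CCM nodes.
# Paths are from the post; CCM_NODES (space-separated host names) is an assumption.

SRC="${SRC:-$FNCS_HOME/configure/explodedformat/fncs/WEB-INF/classes/fncs-sitePrefs.properties}"
DEPLOYED_DIR="${DEPLOYED_DIR:-/opt/IBM/WebSphere/AppServer/profiles/AppSrv01/installedApps/connectionsCell/navigator.ear/fncs.war/WEB-INF/classes}"

# merge_properties DEPLOYED EDITED: print DEPLOYED with every key=value line from
# EDITED overriding the deployed value. Keys only in EDITED are appended at the end,
# keys only in DEPLOYED stay as they are, comments and blank lines of DEPLOYED are
# preserved. A key is the text left of the first "=" with trailing blanks removed.
merge_properties() {
    awk '
        function keyof(line,   eq, k) {
            eq = index(line, "="); if (eq == 0) return ""
            k = substr(line, 1, eq - 1); sub(/[[:space:]]+$/, "", k); return k
        }
        /^[[:space:]]*#/ || /^[[:space:]]*!/ || /^[[:space:]]*$/ {
            if (FILENAME != ARGV[1]) print      # keep comments/blank lines of the deployed copy
            next
        }
        FILENAME == ARGV[1] {                   # first argument: the edited file
            k = keyof($0); if (k == "") next
            if (!(k in edited)) order[++n] = k
            edited[k] = $0; next
        }
        {                                       # second argument: the deployed copy
            k = keyof($0)
            if (k != "" && (k in edited)) { print edited[k]; seen[k] = 1 } else print
        }
        END {                                   # keys present only in the edited file
            for (i = 1; i <= n; i++) if (!(order[i] in seen)) print edited[order[i]]
        }' "$2" "$1"
}

# Usage (script name is an assumption), on the node holding the exploded FNCS files:
#   CCM_NODES="ccmnode2 ccmnode3" sh fncs-sync.sh
if [ -r "$SRC" ] && [ -r "$DEPLOYED_DIR/fncs-sitePrefs.properties" ]; then
    merged=$(mktemp)
    merge_properties "$DEPLOYED_DIR/fncs-sitePrefs.properties" "$SRC" > "$merged"
    cp -p "$merged" "$DEPLOYED_DIR/fncs-sitePrefs.properties"
    for node in ${CCM_NODES:-}; do
        scp -p "$merged" "$node:$DEPLOYED_DIR/fncs-sitePrefs.properties"
    done
    rm -f "$merged"
fi
```

Compare the merged file with the deployed one (diff) before restarting the CCMCluster; the only differences should be the keys you edited, and any key that exists only in the deployed copy must still be there.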

After a restart of the CCMCluster I can now see subfolders appearing in CCMCACHE, so I would say file download via the HTTP server is now working.

I am not sure when the changed file from the “FNCS_HOME/configure/explodedformat/fncs/WEB-INF/classes” directory is supposed to be copied to the application server profile. I think this only happens when you redeploy the FNCS application in WebSphere.

Update:

I guess the documentation is missing the step “Reconfiguring FileNet Collaboration Services” after changing anything in the “fncs-sitePrefs.properties” file … After that step the changed file should be redeployed to all nodes.

IBM Connections 5.5: File Upload via HTTP Server (Documentation error)

If you try to configure file upload via the HTTP server in Connections 5.5 as described in the info center, starting the HTTP server afterwards fails with an error similar to this:

httpd: Syntax error on line 958 of /opt/IBM/HTTPServer/conf/httpd.conf: Syntax error on line 5 of /opt/IBM/HTTPServer/conf/ic_fileupload.conf: Can’t locate API module structure `ibm_local_upload_module’ in file /opt/IBM/HTTPServer/modules/mod_ibm_upload.so: /opt/IBM/HTTPServer/modules/mod_ibm_upload.so: undefined symbol: ibm_local_upload_module

Root Cause:

There are two typos in the documentation, one in the module name and one in the file name. The documentation says:

LoadModule ibm_local_upload_module path_to_module/mod_ibm_local_redirect.so

However, the correct line for loading the file upload module is:

LoadModule ibm_upload_module modules/mod_ibm_upload.so


Update: Someone has now created an official technote.

Update 02.02.2016:

There are further documentation errors on that page:

Most of the RewriteRule statements on that page (for both Activities and Files) are missing a blank before “/ihs”. Without it, mod_rewrite reads the pattern and the substitution as one single pattern, which never matches a real request URL, so the rules never fire and you are unable to upload files bigger than the size you have specified for the IHS upload in files-config.xml.

Example:

RewriteRule ^/files/(basic|form|oauth)/api/myuserlibrary/feed(\?[^/]*)?/ihs/files/$1/api/myuserlibrary/feed$2 [PT,L]

should read (note the blank before “/ihs”):

RewriteRule ^/files/(basic|form|oauth)/api/myuserlibrary/feed(\?[^/]*)? /ihs/files/$1/api/myuserlibrary/feed$2 [PT,L]
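As an added example (not part of the original post and not from the IBM documentation), a small shell check that finds exactly this kind of error: RewriteRule lines whose pattern and substitution have been run together, so that only a pattern and a flags field are left. It then verifies the module symbol and runs the IHS syntax check. The file name ic_fileupload.conf and the IHS paths are taken from the error message above; the script name is an assumption.

```shell
#!/bin/sh
# Added example (not from the original post or the IBM documentation): lint an IHS
# configuration for RewriteRule lines where the substitution got glued onto the
# pattern (a missing blank before "/ihs"), then run the usual syntax checks.
# IHS paths are the ones from the error message in the post.

# broken_rewrite_rules: reads httpd configuration on stdin and prints, prefixed with
# the line number, every RewriteRule that has no separate substitution field:
#   NF == 2               -> "RewriteRule <pattern>" and nothing else
#   NF == 3 and $3=[...]  -> "RewriteRule <pattern+substitution> [flags]"
# A correct rule has pattern, substitution and optionally [flags] as separate fields.
broken_rewrite_rules() {
    awk '$1 == "RewriteRule" && (NF == 2 || (NF == 3 && $3 ~ /^\[.*\]$/)) {
             print FNR ": " $0
         }'
}

# Usage (script name is an assumption):
#   sh ihs-rewrite-check.sh /opt/IBM/HTTPServer/conf/ic_fileupload.conf
if [ -r "${1:-}" ]; then
    echo "RewriteRule lines without a separate substitution in $1:"
    broken_rewrite_rules < "$1"
    # The LoadModule line must name a symbol that really exists in the .so; the
    # documentation's ibm_local_upload_module does not (see the httpd error above).
    nm -D /opt/IBM/HTTPServer/modules/mod_ibm_upload.so | grep -w ibm_upload_module
    /opt/IBM/HTTPServer/bin/apachectl -t
fi
```

Note that `apachectl -t` does not catch the missing blank: the glued line is still a syntactically valid RewriteRule, it just never matches, which is why the upload limit from files-config.xml keeps applying.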

Update 24.05.2017 (thanks to Christoph Stoettner):

The path name of the shared directory for “Files” also seems to be wrong.

<Location "/ihs/files">
IBMUploadHandler On
SetHandler ibm_upload_handler
IBMUploadBaseStore "/opt/IBM/Connections/data/files/upload"
IBMUploadMethods POST,PUT
IBMUploadURLPrefix /ihs
</Location>

should read correctly:

<Location "/ihs/files">
IBMUploadHandler On
SetHandler ibm_upload_handler
IBMUploadBaseStore "/opt/IBM/Connections/data/files/upload/files"
IBMUploadMethods POST,PUT
IBMUploadURLPrefix /ihs
</Location>


My Raspberry Pi

It is now 10 months since I got my Raspberry Pi 2 Model B, and I am still fascinated by the power of that small device. I have only made minor changes to the configuration since I got it.

First, I am using a new case for the Raspberry Pi, as with the old one I was unable to use the GPIO pins. And I reconfigured the Raspberry to use a 64 GB USB stick as its storage device instead of the SD card; the SD card is now only used for booting the device. I did that to be on the safe side, as SD cards seem to die suddenly after heavy use.

And I upgraded the Debian version from “Wheezy” to “Jessie”, which was also quite easy. As part of that I also uninstalled unnecessary packages from the Raspberry, especially everything related to the X Window System, as I use the device only via the command line and not through a graphical desktop.

Here is a list of things my Raspberry is currently doing:

  • Providing VPN access to my internal network from outside via OpenVPN. I already described in that article what you need to do on iOS devices to connect via VPN automatically whenever a resource from the home network is accessed.
  • Monitoring all my network devices and services via Icinga (a Nagios fork). Currently it monitors 20 hosts and 58 services in my network. Besides monitoring and sending mails if something is wrong, it can send me SMS messages if sending mails no longer works. I am using a Huawei UMTS stick (similar to that one) for that. A description of how to set up SMS can be found here. If Icinga detects that the Internet connection is down and it appears to be a problem with my Unitymedia Fritzbox 6490, it can automatically switch the box off and on again. Unless the problem lies with Unitymedia itself, the Internet connection is normally available again after the Fritzbox has been restarted. I am using a Wemo Switch for that. Here is a description of how to control a Wemo device from the Raspberry Pi.
  • The Raspberry also serves a list of my eBooks, which are stored on my Netgear NAS device. I am using BicBucStriim and calibre2opds as software for that.
  • I also configured the Apache HTTP server on my Raspberry as an HTTP reverse proxy, so I am able to expose several HTTP services in my network to the Internet.
  • The Raspberry Pi is working as a Tor relay node. A guide on how to set that up can be found here.
  • Last but not least: a few weeks ago I installed the home automation software FHEM on the Raspberry Pi. Although I have already played a lot with FHEM in the meantime, it is still more playing than serious work. Maybe I will write a bit more about that in a separate article sometime later.

And you still do not notice that this small device has anything to do: most of the time it is quite idle …

Unitymedia: Unstable connection with Fritzbox 6490 solved

It has been quite a while, but I do not want to withhold from anyone the solution to my Internet problems with Unitymedia:

After my old Unitymedia Fritzbox 6360 had been replaced by a new 6490, I had the problem that the box simply rebooted several times a day and re-established the Internet connection. Sometimes it ran stably for a few days, then there were several reboots in one day again. There was simply no apparent reason for it.

One evening, however, I was able to reproduce the behaviour: as soon as I switched on my Amazon FireTV to watch a film, the box rebooted within 30 seconds. Every single time. The problem was that my Amazon FireTV was connected to the 5 GHz WLAN of my WLAN router (I do not use the WLAN of the Fritzbox). As soon as traffic was generated on this WLAN segment, the behaviour described above occurred.

After I had reconfigured the FireTV to the 2.4 GHz WLAN, I could watch films without problems again. However, the sporadic reboots of the Fritzbox still persisted.

The problem was only solved when I completely disabled the 5 GHz WLAN on my router. Since then I have not had any reboots of the Fritzbox, and that has now lasted for a few months.

Presumably there was some kind of interference radiating into the Fritzbox that led to the reboots. That really should not happen, since the 6490 itself can also transmit in the 5 GHz band.

Maybe this hint helps someone who has similar problems. By the way, I did not ask Unitymedia to replace the 6490, since nobody knows what problems the next box would have. Everything is running satisfactorily now 😉

RDP: Problem connecting to a Windows 2008 Server

I had problems connecting via RDP (Windows Remote Desktop) from a Windows 7 client to a Windows 2008 Server. Although I used the correct user name and password, and this user had the rights to connect via RDP, I always got the error that my credentials were invalid.

The server had been configured to show a logon warning message before displaying the logon screen. In this case you need to add the following parameter to the RDP file on the client for your RDP session:

enablecredsspsupport:i:0


After that you should be able to log in to the server without problems. Note that this setting switches off CredSSP, and with it Network Level Authentication, for that connection: the client no longer authenticates before the session is established but at the server's logon screen. Use it in the RDP file for this particular server only, not as a general client default.