Thursday, November 2, 2017

Brainfart from me! ssl_enabled=true is really, really important even though the service is disabled!!

OMG, I just had a huge brainfart!!

I had an issue on a Connections 5.5 CR3 site where the option to get notified about "Libraries" was in the GUI.


But the problem was that ECM has never been installed on this system, nor on a previously migrated system!!

I also had the Indexing tasks set to "all_configured" which gave me indexing errors in SystemOut.log:
[11/1/17 23:16:02:974 CET] 0000170f InitialWorkFa E com.ibm.connections.search.index.process.initial.InitialWorkFactory createCrawlingWork CLFRW0295E: Problem starting indexing for the ecm_files service, as part of the indexing task with the following details: ecm_files
                                 com.ibm.connections.search.common.registries.CrawlerUnavailableException: CLFRW0313E: Attempt by crawler registry to retrieve an unconfigured search service ecm_files. Check your Lotus-Connections-config.xml file.
....

Head scratcher!

I looked everywhere. The LotusConnections-config.xml file had the "ecm_files" set to be disabled.
The notification-config.xml also gave me nothing.

I reached out to the fabulous Skype team and it turned out that this was a weird issue.

Until Christoph Stoettner reached out and asked to get a copy of the LotusConnections-config.xml file.
He then discovered that the "ecm_files" service had the "ssl_enabled" set to true.

<sloc:serviceReference bootstrapHost="admin_replace" bootstrapPort="admin_replace" clusterName="" enabled="false" serviceName="ecm_files" ssl_enabled="true">

I also noticed this earlier, and never gave it a second thought!!

In all my years of working with IBM Connections, I always thought that when the service had "enabled=false" then that was it! I thought that it did not matter if "ssl_enabled=true" was set, because I was under the impression that this only had to do with the fact that you are enabling the service to work over HTTPS.

Christoph proved me wrong! Lesson learned!!

After setting "ssl_enabled=false" for "ecm_files" in the LotusConnections-config.xml file, syncing the nodes and restarting the News application, "Libraries" was gone from the list of notification options in the GUI.


And I also restarted the Search application, and now I don't have any indexing errors in the SystemOut.log file either.

The only documentation about this is in a version 3.0.1 infocenter HERE.

So, to sum up: enabled=true means that you enable the service for HTTP. ssl_enabled means that you enable it for HTTPS. Enabled=false does not mean that you disable the entire service!
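The check described in this summary can be automated. The following is an added example, not code from IBM or from the original post: it reads a LotusConnections-config.xml and lists every service that has enabled="false" while ssl_enabled is still "true". The sample document, its namespace URI and the treatment of a missing attribute as "false" are assumptions.

```python
import sys
import xml.etree.ElementTree as ET

# Constructed sample. Only the ecm_files attributes mirror the line quoted in
# the post; the namespace URI and the other two entries are placeholders.
SAMPLE = """<config xmlns:sloc="urn:example:service-location">
  <sloc:serviceReference bootstrapHost="admin_replace" bootstrapPort="admin_replace"
      clusterName="" enabled="false" serviceName="ecm_files" ssl_enabled="true"/>
  <sloc:serviceReference clusterName="Cluster1" enabled="true"
      serviceName="files" ssl_enabled="true"/>
  <sloc:serviceReference clusterName="" enabled="false"
      serviceName="wikis" ssl_enabled="false"/>
</config>"""


def _flag(element, name):
    # Assumption: a missing attribute is treated as "false".
    return element.get(name, "false").strip().lower() == "true"


def service_states(xml_text):
    """Map serviceName -> 'http+https', 'http-only', 'https-only' or 'off'."""
    states = {}
    for element in ET.fromstring(xml_text).iter():
        # Match on the local tag name so the check works whatever URI the
        # file binds to the sloc: prefix.
        if element.tag.rsplit("}", 1)[-1] != "serviceReference":
            continue
        http, https = _flag(element, "enabled"), _flag(element, "ssl_enabled")
        label = {(True, True): "http+https", (True, False): "http-only",
                 (False, True): "https-only", (False, False): "off"}[(http, https)]
        states[element.get("serviceName", "<unnamed>")] = label
    return states


def half_disabled(xml_text):
    """Services with enabled="false" that are still switched on for HTTPS."""
    return sorted(n for n, s in service_states(xml_text).items() if s == "https-only")


if __name__ == "__main__":
    # Pass the path to a copy of LotusConnections-config.xml, or run with no
    # argument to check the embedded sample.
    text = open(sys.argv[1], "rb").read() if len(sys.argv) > 1 else SAMPLE
    for name in half_disabled(text):
        print(f'{name}: enabled="false" but ssl_enabled="true"')
```
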

Thanks Christoph, I owe you not one, but two beers!

Wednesday, October 18, 2017

Here's my presentation I gave at Social Connections 12 in Vienna 17. October 2017.

Vienna was such a beautiful venue for the Social Connections 12 conference. Thanks to the #soccnx team for putting it all together!!

I've put my presentation up on SlideShare, and here it is:



Social Connections 12. We hired hackers to hack us from Robert Farstad

A small warning:
In the section about tightening header security, I talk about setting "Header set X-Frame-Options SAMEORIGIN". This might break your Sametime Awareness inside of IBM Connections. There is an X-Frame-Options value, "ALLOW-FROM", where you can set the Sametime Proxy's hostname to be allowed, but this one is not supported by Chrome. So, setting "Header set X-Frame-Options SAMEORIGIN" will work for IBM Connections and IBM Docs, but not if you have Sametime Proxy integration into Connections.
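An added example, not from the presentation or the post, that models how a browser applies the framing headers discussed in this warning: SAMEORIGIN blocks a frame on the Sametime Proxy origin, and a browser without ALLOW-FROM support ignores that header completely, so nothing is blocked. It also evaluates the CSP frame-ancestors directive, which the post does not mention. The hostnames are constructed, and the model covers one level of framing with exact-origin matching only.

```python
from urllib.parse import urlsplit


def origin(url):
    """scheme://host[:port], lower-cased (default ports are not normalised)."""
    parts = urlsplit(url)
    return f"{parts.scheme}://{parts.netloc}".lower()


def framing_allowed(headers, page_url, embedder_url, supports_allow_from):
    """True if a page at embedder_url may show page_url in a frame.

    Simplified model: one level of framing, exact-origin matching only.
    """
    hdrs = {k.lower(): v.strip() for k, v in headers.items()}
    page, embedder = origin(page_url), origin(embedder_url)

    # A CSP frame-ancestors directive takes precedence over X-Frame-Options.
    for directive in hdrs.get("content-security-policy", "").split(";"):
        tokens = directive.split()
        if tokens and tokens[0].lower() == "frame-ancestors":
            sources = [t.lower() for t in tokens[1:]]
            if "'none'" in sources:
                return False
            return ("'self'" in sources and embedder == page) or embedder in sources

    xfo = hdrs.get("x-frame-options", "").split()
    if not xfo:
        return True                      # no framing policy at all
    keyword = xfo[0].upper()
    if keyword == "DENY":
        return False
    if keyword == "SAMEORIGIN":
        return embedder == page
    if keyword == "ALLOW-FROM" and len(xfo) == 2 and supports_allow_from:
        return embedder == origin(xfo[1])
    # Unsupported or malformed value: the header is ignored, so nothing is blocked.
    return True


# Constructed hostnames, not taken from the post.
CONNECTIONS = "https://connections.example.com/homepage"
SAMETIME = "https://sametime-proxy.example.com/stwebclient"
OTHER = "https://unrelated.example.net/"
```
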

Friday, September 15, 2017

I'm speaking at Social Connections 12 in Vienna

I got a nice email yesterday evening from the Social Connections team, letting me know that my abstract was accepted.

My session has the title
"We hired hackers to hack us; A case study about cloud-based authentication and security in IBM Connections"

In this session I'll be talking about a case study where I will show how we (Item Consulting) integrated the cloud-based third-party authentication mechanism, Auth0, into IBM Connections, and you will learn about the hack attempt and what the hackers were able to find out.
Did they manage to hack IBM Connections?


Here's the link to the agenda: https://socialconnections.info/12-agenda/
And here's the link to my session: https://socialconnections.info/sessions/hired-hackers-hack-us-case-study-cloud-based-authentication-security-ibm-connections/

Thursday, September 14, 2017

IBM Connections Desktop Plugin folder sync issue - now solved

I had an issue with the IBM Connections Desktop Plugin.

IBM introduced the "My Drive" and the ability to sync folders and sub-folders some months ago, and this seemed to be working fine when I connected the plugin to on-prem installations of Connections.
I was able to sync folders, files and sub-folders.

But then, I attempted to connect to the IBM Connections Cloud.

Here I was able to sync files, but when I attempted to sync folders, those just wouldn't appear in the "My Drive" section of the Windows Explorer.

I reached out to the eminent Skype-team, but no one else had seen this error before.

I also attempted an install of the plugin on Windows 7 and Windows 10, but the same issue occurred.

So, I started a PMR on the issue (#37584,756,000).

During the PMR, I learned that there is a debugging tool for the plugin, which is a standalone Windows application located in the plugin install directory (C:\Program Files\IBM\Connections Desktop Plugins\DITrace.exe).
By starting this, you see the entire log for authentication and syncing when you reproduce the issue.

This is a great tool, which showed us that there were authentication issues to the cloud, which made only single files able to sync to the My Drive, not folders.

And the reason for this happening? I was logged into my customer's cloud space as a Guest User!!
If I tried as a proper user, syncing of folders worked as it should.

So, this was a bug in the plugin, and it was only affecting Guest User accounts in the Cloud.

If you see the same issue, the newest plugin available now has a fix for this. (Dated 08. September 2017).
So download the newest plugin from the Cloud here: http://public.dhe.ibm.com/software/dw/ibm/connections/IBMConnectionsMSDesktop.zip


Btw, this is the trace that the ditrace.exe file gave me, which led IBM to find the solution and provide a fix:

(1436,3972) 07/04/2017 07:35:17:989 2 CAuthenticator::Authorize CloudAuthExt - calling authorize with url: https://apps.ce.collabserv.com, uid: 'user.name@customer.no, and pw.isEmpty(): 0
(1436,3972) 07/04/2017 07:35:17:990 2 CAuthenticator::Authorize Beginning cloud auth using url: https://apps.ce.collabserv.com
(1436,3972) 07/04/2017 07:35:19:260 3 CAuthenticator::Authorize calling transport:getRequest for url: https://apps.ce.collabserv.com/eai/auth/basicMobile
(1436,3972) 07/04/2017 07:35:19:346 3 CAuthenticator::Authorize transport:getRequest returned rc 401 for url: https://apps.ce.collabserv.com/eai/auth/basicMobile
(1436,3972) 07/04/2017 07:35:19:349 1 CAuthenticator::Authorize 401 received. Bad pw or userid for this non-federated user against URL: https://apps.ce.collabserv.com/eai/auth/basicMobile
(1436,3972) 07/04/2017 07:35:19:350 2 LFServer::handleAuthorizationExtensionAuthorize-{864B3A20-AC5D-4109-A55F-A1BD2FA6BDE9} 0x80040191, httpCode 401, struserid (err): Incorrect user login or password.