Friday, September 15, 2017

I´m speaking at Social Connections 12 in Vienna

I got a nice email yesterday evening from the Social Connections team, letting me know that my abstract was accepted.

My session has the title
"We hired hackers to hack us; A case study about cloud-based authentication and security in IBM Connections"

In this session I´ll be talking about a case study where I will show how we (Item Consulting) integrated the cloud-based third-party authentication mechanism, Auth0, into IBM Connections, and you will learn about the hack attempt and what the hackers were able to find out.
Did they manage to hack IBM Connections?


Here´s the link to the agenda: https://socialconnections.info/12-agenda/
And here´s the link to my session: https://socialconnections.info/sessions/hired-hackers-hack-us-case-study-cloud-based-authentication-security-ibm-connections/

Thursday, September 14, 2017

IBM Connections Desktop Plugin folder sync issue - now solved

I had an issue with the IBM Connections Desktop Plugin.

IBM introduced the "My Drive" and the ability to sync folders and sub-folders some months ago, and this seemed to be working fine when I connected the plugin to on-prem installations of Connections.
I was able to sync folders, files and sub-folders.

But then, I attempted to connect to the IBM Connections Cloud.

Here I was able to sync files, but when I attempted to sync folders, those just wouldn't appear in the "My Drive" section of Windows Explorer.

I reached out to the eminent Skype-team, but no one else had seen this error before.

I also attempted an install of the plugin on Windows 7 and Windows 10, but the same issue occurred.

So, I started a PMR on the issue (#37584,756,000).

During the PMR, I learned that there is a debugging tool for the plugin, which is a standalone Windows application located in the plugin install directory (C:\Program Files\IBM\Connections Desktop Plugins\DITrace.exe).
By starting this, you see the entire log for authentication and syncing when you reproduce the issue.

This is a great tool, which showed us that there were authentication issues to the cloud, which made only single files able to sync to the My Drive, not folders.

And the reason for this happening? I was logged into my customer's cloud space as a Guest User!!
If I tried as a proper user, syncing of folders worked as it should.

So, this was a bug in the plugin, and it only affected Guest User accounts in the Cloud.

If you see the same issue, the newest plugin available now has a fix for this. (Dated 08. September 2017).
So download the newest plugin from the Cloud here: http://public.dhe.ibm.com/software/dw/ibm/connections/IBMConnectionsMSDesktop.zip


By the way, this is the trace that DITrace.exe gave me, which led IBM to find the solution and provide a fix:

(1436,3972) 07/04/2017 07:35:17:989 2 CAuthenticator::Authorize CloudAuthExt - calling authorize with url: https://apps.ce.collabserv.com, uid: 'user.name@customer.no, and pw.isEmpty(): 0
(1436,3972) 07/04/2017 07:35:17:990 2 CAuthenticator::Authorize Beginning cloud auth using url: https://apps.ce.collabserv.com
(1436,3972) 07/04/2017 07:35:19:260 3 CAuthenticator::Authorize calling transport:getRequest for url: https://apps.ce.collabserv.com/eai/auth/basicMobile
(1436,3972) 07/04/2017 07:35:19:346 3 CAuthenticator::Authorize transport:getRequest returned rc 401 for url: https://apps.ce.collabserv.com/eai/auth/basicMobile
(1436,3972) 07/04/2017 07:35:19:349 1 CAuthenticator::Authorize 401 received. Bad pw or userid for this non-federated user against URL: https://apps.ce.collabserv.com/eai/auth/basicMobile
(1436,3972) 07/04/2017 07:35:19:350 2 LFServer::handleAuthorizationExtensionAuthorize-{864B3A20-AC5D-4109-A55F-A1BD2FA6BDE9} 0x80040191, httpCode 401, struserid (err): Incorrect user login or password.
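
An added example, not part of the original post or of IBM's tooling: a small parser for the trace layout above that lists the HTTP 401/403 responses seen by the authenticator and masks the user ID before a trace is shared. It also folds a URL that has wrapped onto its own line back into its record. The field names (pid, tid, level) are assumed readings of the layout, and the uid in the sample is a constructed placeholder.

```python
import re

# Trace lines in the DITrace layout from this post; two URLs are left wrapped
# onto their own line, and the uid is a constructed placeholder.
SAMPLE_TRACE = """\
(1436,3972) 07/04/2017 07:35:17:989 2 CAuthenticator::Authorize CloudAuthExt - calling authorize with url: https://apps.ce.collabserv.com, uid: 'guest.user@example.com', and pw.isEmpty(): 0
(1436,3972) 07/04/2017 07:35:19:260 3 CAuthenticator::Authorize calling transport:getRequest for url:
https://apps.ce.collabserv.com/eai/auth/basicMobile
(1436,3972) 07/04/2017 07:35:19:346 3 CAuthenticator::Authorize transport:getRequest returned rc 401 for url:
https://apps.ce.collabserv.com/eai/auth/basicMobile
(1436,3972) 07/04/2017 07:35:19:350 2 LFServer::handleAuthorizationExtensionAuthorize-{864B3A20-AC5D-4109-A55F-A1BD2FA6BDE9} 0x80040191, httpCode 401, struserid (err): Incorrect user login or password.
"""

# Layout: "(pid,tid) date time level component message". Reading the two leading
# numbers as pid/tid and the single digit as a level is an assumption.
RECORD = re.compile(r"^\((\d+),(\d+)\) (\S+) (\d\d:\d\d:\d\d:\d{3}) (\d) (\S+) (.*)$")
HTTP_RC = re.compile(r"returned rc (\d{3}) for url:\s*(\S+)")
EMAIL = re.compile(r"[\w.+-]+@[\w-]+(?:\.[\w-]+)+")

def parse_trace(text):
    """Return one dict per record, folding wrapped lines into the message."""
    keys = ("pid", "tid", "date", "time", "level", "component", "message")
    records = []
    for line in text.splitlines():
        line = line.strip()
        m = RECORD.match(line)
        if m:
            records.append(dict(zip(keys, m.groups())))
        elif line and records:
            records[-1]["message"] += " " + line  # continuation of the previous record
    return records

def auth_failures(records):
    """List (time, status, url) for each HTTP 401/403 the authenticator received."""
    hits = []
    for rec in records:
        m = HTTP_RC.search(rec["message"])
        if m and m.group(1) in ("401", "403"):
            hits.append((rec["time"], int(m.group(1)), m.group(2)))
    return hits

def redact(text):
    """Mask user IDs (e-mail addresses) before a trace goes into a ticket or a post."""
    return EMAIL.sub("<redacted-uid>", text)

if __name__ == "__main__":
    for hit in auth_failures(parse_trace(SAMPLE_TRACE)):
        print(hit)
    print(redact(SAMPLE_TRACE).splitlines()[0])
```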
 

Friday, April 7, 2017

IBM Docs 2.0 CR2 upgrade issue with the Conversion app. Deja vu with a twist.

We´ve seen it before on CR1 for Docs 2.0, first discovered by Roberto Boccarodo (See this blog post about that issue),  and now we see it again, with a twist...


UPDATE: See this link for a quicker workaround:

Here´s the output of the attempted upgrade:


And the iFixInstall.log file says:

WASX7017E: Exception received while running file “../execwas.py”; exception information: com.ibm.websphere.management.exception.AdminException: CWWSY0102E: Target with name docsserver.yourdomain.com was not found.

The fix last time was to edit the "applypatch.py" script where you had to comment out 2 lines + do some additional steps. (These additional steps are now described in the "Patch Guide.pdf" which is in the CR2 package btw. I´ll talk about those steps later on.)

The twist this time is that "applypatch.py" has changed and has more code in it. It´s not just a matter of commenting out 2 lines. It has multiple if-statements for this specific part now....

This was CR1 code, where 2 lines needed to be commented out:


 This is the code in applyPatch.py in CR2:



As you can see, it´s hard to figure out what to comment out.

So, I tried to just uncomment the line "update_conversion_binary()" like this:

I also added a logging.info line, just to be sure that the indent order in the py file is kept. Python is mean if you don´t....

I then deleted the file "concord-config.json", which is in the CR2 installation directory under the
DocsApp subdirectory. (This file gets created when you attempt the first upgrade).

Then, I ran the update again:

So, it has already been updated. Good.

Now, you have to fix the "soffice" part and the scheduled tasks part manually:

See in the "Patch guide.pdf" and go to the bottom, where the part about "Installing CR2 without job manager" is described, and start at step 3, which goes like this:

3. Copy the file [CR2_install_dir]\DocsConversion\docs_remote_installer.zip, extract it to directory "C:\temp\docs_remote_installer" for instance.
4. From Start, run cmd.exe, and then run command:
a. cd c:\temp\docs_remote_installer\installer\
b. Run command:
"upgrade_node.bat --installroot [CONVERSION_INSTALL_ROOT] --symcount [SYM_COUNT]"
(Remember the double hyphens!!)
• [CONVERSION_INSTALL_ROOT] is the install directory of Conversion, you can get it through WebSphere Console > Environment > WebSphere variables > CONVERSION_INSTALL_ROOT
• [SYM_COUNT] is the number of symphony instances, you can get this by counting how many inst* in [CONVERSION_INSTALL_ROOT]\symphony. Usually it is 4 or 8, but you should confirm it by yourself.

The command I used was:
"upgrade_node.bat --installroot D:\IBM\ConnectionsDocs\Conversion --symcount 8"

5. Check fixpack.log in directory [CONVERSION_INSTALL_ROOT]\logs\.
6. Repeat 3-5 for other Conversion servers.
7. Start IBMConversionCluster by clicking Websphere Console > Servers > Clusters > WebSphere application server clusters > IBMConversionCluster > Start.

Then check the url https://docs.yourdomain.com/conversion/version to see if it says 2.0.0.2.

Then, update the jar files as described in the "Apply patch.pdf" regarding the viewerDaemonLib, the DocsExtention and the ViewExtention.

Then, do some testing of course.

And yeah. Running this upgrade_node.bat command deletes your scheduled tasks "sym_monitor" and "kill_timeout".
You have to reconfigure them if needed. I´ve blogged about this before here:
http://blog.robertfarstad.com/2016/11/automate-startup-of-ibm-docs-20-server.html

I don´t know how to check if my jobmanager works or not. The "Apply Patch.pdf" describes this:


3. If updating DocsConversion fails because jobmanager does not work, or updating conversion node fails, you can update DocsConversion according to Install IBMDocs CR2 Without Jobmanager at the end of the guide.

If I knew how to check if my JobManager was working, then I could have followed the "without Jobmanager" install guide, and perhaps this would not be an issue for me.
I installed this CR2 on 2 different environments now, and the first time I got no issues. The second time, this happened.....
We will ask IBM about this.


Update 29. May 2017:
You can do this a little quicker by just following the "Install IBMDocs CR2 Without Jobmanager" every time you do a CR2 upgrade.
It only has a small change in the "applyPatch.py" command and is documented in the "Patch Guide.pdf".
You then have to do the manual steps either way, but you won´t get the error message after applying the "applypatch.py".
It´s all there in the "Patch Guide.pdf".


Friday, February 10, 2017

TDI / SDI - Connect to Active Directory over SSL - How to

I mostly write this post as a reminder to myself the next time I have a similar need.

I had a case where I had to connect to Active Directory to be able to create users and set passwords on that user, of course, using TDI.


The AD administrator gave me a .pfx format of the certificate which is stored in AD.
Installing this file in Windows is easy. Just double click it and install.
Then, starting "certmgr.msc" from Start - Run in Windows, I was able to right click the cert and select "Export".


Then, go like this:
And select the DER format:

Saved this exported cert on d:\temp as "cert.der"


Then, open up a command prompt and go to the tdi\jvm\jre\bin directory:

cd D:\IBM\TDI\V7.1.1\jvm\jre\bin

Then, create a .jks keystore and import the cert.der into it:

keytool -import -file d:\temp\cert.der -keystore ADKEYSTORE.jks -storepass PaSsW0Rd -alias ADKEYSTORE

If all goes well, output will be:

Owner:
Issuer: CN=FS03-CA, DC=CUSTOMER, DC=local
Serial number: 7a638e0a000000000001
Valid from: 10.02.17 14:20 until: 10.02.19 14:30
Certificate fingerprints:
MD5:  F8:2E:4B:C7:1B:04:58:5F:E1:FF:2E:B1:88:EE:02:4A
SHA1: 06:97:8F:E":93:21:FB:BB:71:E2:C2:FF:02:06:17:8E:8E:02:8C:A5
Trust this certificate? [no]:  yes
Certificate was added to keystore

And to check the content of the .jks keystore:
keytool -list -keystore ADKEYSTORE.jks -storepass PaSsW0Rd

Output will be:

Keystore type: jks
Keystore provider: IBMJCE

Your keystore contains 1 entry

ADKEYSTORE, 10.feb.2017, trustedCertEntry,
Certificate fingerprint (MD5): F8:2E:4B:B7:1B:14:58:5F:A1:FF:2E:91:88:3E:02:4A

I then moved the ADKEYSTORE.jks file to my TDI Solutions directory, which is in this case:

From:
D:\IBM\TDI\V7.1.1\jvm\jre\bin
over to:
E:\TDISOL\TDI_custom

I then modified the file "E:\TDISOL\TDI_custom\solution.properties"

Where I inserted:

#server authentication
#example
javax.net.ssl.trustStore=E:\TDISOL\TDI_custom\ADKEYSTORE.jks
javax.net.ssl.trustStorePassword=PaSsW0Rd
javax.net.ssl.trustStoreType=jks
#client authentication
#example
javax.net.ssl.keyStore=E:\TDISOL\TDI_custom\ADKEYSTORE.jks
javax.net.ssl.keyStorePassword=PaSsW0Rd
javax.net.ssl.keyStoreType=jks

After restarting TDI, I was able to connect to the AD server on port 636 in TDI.
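
The import step above ends with keytool asking "Trust this certificate?", and the answer is only meaningful if the printed fingerprint is compared with one obtained from the AD administrator over a separate channel. The following is an added example (not from the original post) that computes the fingerprint of the exported file in keytool's notation, for either a DER or a Base-64 export. The sample bytes are constructed and are not a real certificate.

```python
import base64
import hashlib
import hmac
import re

PEM_BODY = re.compile(
    rb"-----BEGIN CERTIFICATE-----(.+?)-----END CERTIFICATE-----", re.S)


def cert_der_bytes(data):
    """Return the DER bytes of an exported certificate (DER or Base-64/PEM file)."""
    m = PEM_BODY.search(data)
    if m:
        return base64.b64decode(b"".join(m.group(1).split()))
    return data


def fingerprint(data, algorithm="sha1"):
    """Hash of the DER bytes as upper-case hex pairs joined by ':', as keytool prints it."""
    digest = hashlib.new(algorithm, cert_der_bytes(data)).hexdigest().upper()
    return ":".join(digest[i:i + 2] for i in range(0, len(digest), 2))


def matches_expected(data, expected, algorithm="sha1"):
    """Compare with a fingerprint received out of band, ignoring case, ':' and spaces."""
    def norm(fp):
        return re.sub(r"[^0-9A-F]", "", fp.upper())
    return hmac.compare_digest(norm(fingerprint(data, algorithm)), norm(expected))


# Constructed stand-in for the exported file: arbitrary bytes, not a real certificate.
SAMPLE_DER = bytes.fromhex("3082010a0282010100") + b"constructed-sample"
SAMPLE_PEM = (b"-----BEGIN CERTIFICATE-----\n"
              + base64.encodebytes(SAMPLE_DER)
              + b"-----END CERTIFICATE-----\n")

if __name__ == "__main__":
    fp = fingerprint(SAMPLE_DER)
    print("SHA1:", fp)
    print("matches admin-supplied value:", matches_expected(SAMPLE_PEM, fp.lower()))
```

For a real check, read the exported file with open(path, "rb").read() and pass the fingerprint the administrator supplied as expected.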


Thursday, January 19, 2017

IBM Connections 5.5 - Make top header/menu sticky

Update: Now also supports Safari on Mac. I got a comment on this blog-entry from Stanislav Shvachko, who pointed out that it does not work on Safari on Mac.
I went through the code and fixed it. So now it also works for Safari, Internet Explorer 11, Firefox and Chrome.

Original Blog:

I had this challenge given to me from a customer;
"Can you make the top menu/header always visible when scrolling the pages downwards in Connections?"

Originally, my answer was NO, because this is not an out-of-the-box option.

But, being the html/css enthusiast as I am, I started looking into it.

I played around a bit with it in Firefox using Firebug. And I noticed that when I put in a "position: fixed" css property on the correct Divs, I was actually getting somewhere.

Along the way, I tested all the different apps in Connections, and in some of the apps, like Homepage, Files and the Profiles Directory Search, there were already some elements that were "sticky" when you were scrolling down.

Plus, when I tried accessing the top-menus in Connections, after I put the header in sticky-mode, the drop-down menus needed some tweaking regarding their position.

So, in the end, here´s the custom.css that I came up with.

Disclaimer:
I can not promise that I´ve covered all the areas and that this will work in all browsers, in all scenarios. But this one worked in my Connections 5.5 CR2 server in Firefox, Internet Explorer 11 and in Chrome.

NOTE that if you have a logo already present in the custom.css, as described here, you need to edit my css regarding the "top" and the "margin-top" pixel sizes. Because if you have a logo which is larger in height and is pushing the header-height downwards a bit, you need to add more pixels in those 2 css properties.

Ok, if you don´t have a "custom.css" already in place in your Connections installation, create this file in the "shared\customization\themes\hikariTheme" directory. (You might have to create this directory structure if it´s not already there)


Then, using your favorite text-editor, paste this into it:

/* Header code */
.lotusui30 .lotusBanner {
    background: #325c80 none repeat scroll 0 0;
    padding: 0;
    position: relative;
    width: 100%;
    z-index: 11;
    overflow: visible;
    text-align: left;
}

/* The top header/banner/menu - added position and width. The rest is default values. */
.lotusui30 div.lotusBanner .lotusRightCorner {
    background: #325c80 none repeat scroll 0 0;
    height: 44px;
    overflow: hidden;
    padding-bottom: 1px;
    position: fixed; /*NEW*/
    width: 100%; /*NEW*/
}

/* The body below the header/banner/menu, needs top padding of 42px */
.lotusui30 .lotusTitleBar, .lotusui30 .lotusTitleBar2 {
    background: rgba(0, 0, 0, 0) none repeat scroll 0 0;
    border: 0 none;
    border-radius: 0;
    margin: 0;
    padding: 42px 0 0; /*NEW*/
}

/* Fix for Files app - left menu which is already sticky. Adding some top margin */
.files-independent-scrollbars-compatible .lotusui30_body .lotusMain {
    padding-left: 50px;
    padding-right: 0;
    top: 42px;
}


/* Fix for the Homepage "what do you want to share" box, which was already sticky. Added some top margin */
.lotusStream #activityStreamMain.lotusWidgetBody .streamHeaderWrapper.isSticky {
    margin-top: 42px; /*NEW*/
    position: fixed; /*NEW*/
    top: 0;
    z-index: 2;
}

/* Fix for the homepage left-hand side menu, which was already sticky. Added some top margin */
#homepageLeftNavigationMenuContainer.isSticky {
    margin-top: 42px !important; /*NEW*/
    position: fixed; /*NEW*/
    top: 10px;
    width: 215px;
}

/* Fix for the dropdown menus in the banner. Needed 42px top margin */
.dijitPopup {
    background-color: transparent;
    border: 0 none;
    /* margin: 42px 0 0; NEW, commented out (CSS comments cannot be nested) */
    padding: 0;
    position: absolute;
}

/* Fix for the sticky grey search bar in Directory Search. Needed 45px top */
.lotusui30 .lconn_directoryPage .lconn_searchNode.fixed {
    background-color: #f0f0f0;
    padding-top: 15px;
    position: fixed; /*NEW*/
    top: 45px !important; /*NEW*/
    z-index: 900;
}

/* Thanks to @robertfarstad I now have a sticky top banner in Connections */

And then, a simple restart of the "Common" application should suffice, in order for you to see the changes. (Perhaps a browser cache wipe as well).

If you have issues with the fact that custom.css is not being picked up at all by Connections, you might find some tips here:

http://www.ibm.com/support/knowledgecenter/SSYGQH_5.5.0/admin/customize/t_admin_navbar_change_style.html


I ask of you. If you try this, could you please notify me if there´s anything that I´ve missed regarding sticky stuff? Positioning of other widgets, menus and such is something that can be tuned in this css, but I need to know which page/app you see that it´s not working on.
If you have a test server, it´s real simple to test this out. So please do and let me know the result, good or bad :-)

I have some fellow IBM Connections friends on Skype who are going to test this. I will update this blog post with their findings and results as well.

Oh, yeah... Here´s the result on "my profile" page: