Friday, January 6, 2012

IBM Connections - add TIM Self-Service edit tab alongside the "Contact Information" tab

This is a customer scenario that is currently a work in progress.

A customer who I performed the IBM Connections 3.0.1 installation for also had Tivoli Identity Manager (TIM) where all the extended employee information was stored.
So after manually setting up the TDI assemblyjob to iterate through an LDAP search, I did a side-lookup to get the fields from the TIM TDS server, which is TIM's LDAP server. The fields fetched were things like mobile phone number, office phone, manager, country, department, etc.

And after this, we disabled the same fields from being edited in the profiles-config.xml file for IBM Connections.

And then to the "tricky" part:

TIM offers a "Self-Service" page where the users themselves can go in and edit their information. And the customer wanted to have this integrated into IBM Connections. But they also wanted to edit some of the fields that are "Connections only" such as Secretary, Alternate e-mail and Building.

So the solution, so far, was to leave the Connections fields editable in the profiles-config.xml file, and then I added a TAB for the TIM Self-Service page.

So now it looks like this:
As you can see, the "Contact Information" tab is still there, with some of the "Connections only" fields, and as you can also see, there's a new tab called "Corporate Information".

When users click on this, for now, it only opens up a popup window to the TIM Self-Service page, but eventually I want to create an iFrame inside of Connections so that it looks like it's seamless. But I'm not quite there yet... Any tips will be greatly appreciated.

To be able to create this new tab, I searched a lot of the Connections config files, used a lot of Firebug and finally came up with this file which defines the tabs in the "Edit my profile" section:


This file is located on each of the Nodes which hosts the Profiles Application. So if you have a Cluster of servers, then the file has to be edited on each of the nodes.

When opening up this file in a text-editor, you see this code:

So I copied the first "li" code, and pasted it in before the next "li" section, just so that the position is set as number 2 of the other tabs.

Then I edited the code to open up a popupwindow with the following code:

    <li id="editTabContactInfoTIM">
       <a id="aEditTabContactInfoIM" href='#' onclick="window.open('https://TIM_SERVERNAME.COMPANY.COM/itim/self/','popup','width=800,height=800,location=0,status=1,scrollbars=1'); return false;" role="button">Corporate Information</a>
    </li>

This opens up a popup window with width 800 and height 800 pixels. The code is pretty much self-explanatory.

So now, the file looks like this:

As I said, do this on all Node-servers.

And then you have to "touch" the file on all the Node-servers as well:


By "touch" I mean, open it up in a text-editor, on both nodes, and just save the file. This somehow makes the servers be aware that there are changes made, by "touching" the file that has the "editProfileTabs.tag" file included.

Then restart the Connections servers that have the Profiles application installed.

Heads-up #1: There's some caching involved here. I have tried just to restart the Profiles application, but this does not do the trick for me to see the changes made. If I haven't been accessing the "edit my profile" page before, then it's sufficient just to restart the Profiles application. But a restart of the servers is the best thing to do each time you make a change in the files. And remember the "touching"...

Heads-up #2:
If you install any fixes for Profiles, or a Fixpack for Connections, these changes most probably will be overwritten. So then you have to do the whole thing again :-)

Thursday, January 5, 2012

IBM Connections WAS Security - not so secure after all?

Today I forgot the wasadmin password for the WebSphere Deployment Server in an IBM Connections environment.
I thought about removing the security for WAS, as steps 1-5 describe here:

But then I remembered seeing a Websphere Password Decoder somewhere.
So after a quick google, I found this:

And opening up the file security.xml in a text-editor I found this:

    <authDataEntries xmi:id="JAASAuthData_1303920963452" alias="connectionsAdmin" userId="connadm" password="{xor}LStuOS4rLF==" description="JAAS Alias for Lotus Connections Administrator"/>

I changed the encrypted password above, so the password you get from decrypting this won't mean a thing :-)

So the JAAS alias is listed here, with the password decrypted!! The JAAS alias UserID is the same as the WASAdmin userID in this environment.
So I copied out the password, and removed the {xor} part and pasted it in the Websphere Password Decoder page, and voila, there I had the password right in front of me and I could log in to the Connections Websphere Admin console again.....

Is this security for ya? This means that anyone that can get access to the server and the file system actually has access to all the passwords as well??
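
As an added illustration (not code from the original post or from IBM): a `{xor}` value is Base64 over bytes XORed with the fixed byte 0x5F ('_'), so it is obfuscation with no secret key. The audit below lists such entries in a constructed security.xml sample and flags any alias that shares the admin user ID; `audit_security_xml`, the `admin_user` parameter and all sample values are assumptions made for this example.

```python
import base64
import xml.etree.ElementTree as ET

XOR_KEY = 0x5F  # the single fixed byte ('_') behind WebSphere's {xor} encoding

def xor_encode(plain: str) -> str:
    """Encode the way {xor} values are stored: XOR each byte, then Base64."""
    masked = bytes(b ^ XOR_KEY for b in plain.encode("utf-8"))
    return "{xor}" + base64.b64encode(masked).decode("ascii")

def xor_decode(stored: str) -> str:
    """Reverse a {xor} value; needs no key or secret from the server."""
    if not stored.startswith("{xor}"):
        raise ValueError("not a {xor}-encoded value")
    masked = base64.b64decode(stored[len("{xor}"):])
    return bytes(b ^ XOR_KEY for b in masked).decode("utf-8")

def audit_security_xml(xml_text: str, admin_user: str) -> list:
    """Flag JAAS aliases whose password is only {xor}-obfuscated."""
    findings = []
    for entry in ET.fromstring(xml_text).iter("authDataEntries"):
        stored = entry.get("password", "")
        if not stored.startswith("{xor}"):
            continue
        findings.append({
            "alias": entry.get("alias"),
            "userId": entry.get("userId"),
            # Report only the length, never the recovered secret itself.
            "recovered_length": len(xor_decode(stored)),
            # Same account as the console admin: read access to the file
            # is then equivalent to admin console access.
            "is_admin_account": entry.get("userId") == admin_user,
        })
    return findings

# Constructed sample (not from a real system); passwords are made-up strings.
SAMPLE = f"""<root xmlns:xmi="http://www.omg.org/XMI">
  <authDataEntries xmi:id="JAASAuthData_1" alias="connectionsAdmin"
      userId="connadm" password="{xor_encode('Constructed-Pw-1')}"/>
  <authDataEntries xmi:id="JAASAuthData_2" alias="dbAlias"
      userId="dbuser" password="{xor_encode('another-made-up')}"/>
</root>"""

if __name__ == "__main__":
    for finding in audit_security_xml(SAMPLE, admin_user="connadm"):
        print(finding)
```

Every flagged entry should be treated as readable by anyone with read access to the file, so file-system permissions on security.xml are the actual control here.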


Please feel free to comment to get a discussion started.

Tuesday, January 3, 2012

Sametime 8.5.2 meeting room desktop sharing not working after SPNEGO integration

Update: This is now fixed in 8.5.2 ifr1 :-)

After enabling SPNEGO SSO, by following this: , sharing your desktop in a meeting room won't work.
The Meeting Room then complains about not finding Java installed on your computer.

When enabling the Java Console, error messages like this were shown:

network: Connecting with cookie "__utma=196210227.1528252485.1309809906.1309809906.1309809906.1; __utmz=196210227.1309809906.1.1.utmcsr=(direct)|utmccn=(direct)|utmcmd=(none); JSESSIONID=0000Xl5-guFFt6wzPlob0X4SsCw:-1; inMeetingRoom=4d634344_55ca_4b52_a956_524b9e54211b.1324476918705; inMeetingRoomName=IK%2520System%2520Grupevre"
basic: load: class not found.
load: class not found.
at sun.plugin2.applet.Applet2ClassLoader.findClass(Unknown Source)
at sun.plugin2.applet.Plugin2ClassLoader.loadClass0(Unknown Source)
at sun.plugin2.applet.Plugin2ClassLoader.loadClass(Unknown Source)
at sun.plugin2.applet.Plugin2ClassLoader.loadClass(Unknown Source)
at java.lang.ClassLoader.loadClass(Unknown Source)
at sun.plugin2.applet.Plugin2ClassLoader.loadCode(Unknown Source)
at sun.plugin2.applet.Plugin2Manager.createApplet(Unknown Source)
at sun.plugin2.applet.Plugin2Manager$ Source)
at Source)
Exception: java.lang.ClassNotFoundException:

Or you just get an error message in the java console that says that "VMVerifier.jar not found".

I remembered chatting with the author (Conall) of the SPNEGO document regarding an issue I had with SSO not working on the Proxy server when entering the proxy server directly without touching the snoop applet first, and we came to the conclusion that the Proxy server application needed to remap the roles in order for the SPNEGO to work.
So the "AllUsers" role needed to change from "Everyone" to "All Authenticated in Application's Realm".

So I opened up the WAS Console for the Sametime Meetingserver, selected the "Sametime Meeting Server" application, and clicked the "Security role to user/group mapping" link.
Then, selected the "AllUsers" Role and then clicked the button "Map Special Subjects" and selected the "All Authenticated in Application's Realm". Then saved.

So the old setting was like this:

And the new setting is like this:

Restarted the Application and voila, Desktop sharing worked!

Monday, January 2, 2012

Chat with IBM'ers from an external Sametime Client

When switching jobs from being an IBM'er to becoming a business partner, I knew about the possibility to use an external Sametime client to chat with internal IBM'ers. So I googled a bit and came up with this page:

So the steps are:

1. Register an ID here:

I had a previously registered developerWorks ID, and this did not work, so I created a new one because the one I had was registered with an IBM email address as the user ID.

2. Then, either start the sametime web-client from here:

Or set up your IBM Sametime Connect client towards this server:
Port: 80 (important!!)

Log in with your IBM userID and password.

3. And then add IBM'ers by selecting "new" and then select the correct community, and check the "Add external users by E-mail Address" and then just type in the email address of the IBM'er you want to contact over Sametime.

If you want to find the email addresses of the people you know inside IBM, see here:

And then you're good to go.