Connections

IBM Connections Component Pack 6.0.0.5 – Install fails with can’t connect to Connections FQHN.

I’ve been working with Connections Pink since the first release of the “Orient Me” package. The scripts used to deploy this feature set are getting better with each release – good job IBM.

I’ve got an issue currently with the Deployment of ICCP 6.0.0.5 – The deploycfc.sh errors with the message below.

It can’t connect to the Connections FQHN that is provided.

2018-03-21_10-47-42

It sounded to me like something to do with the security settings we had enabled on the Connections 6 environment..turns out it was. I pulled apart the scripts, and found where I think it was occurring..The particular script that is is failing is the B-23-master-configure-cfc.sh,  in particular one of the functions called validate_ic_host  that appears to use curl to grab a URL.

Anyhoo, IBM have this tech note that expands on the problem and provides a work around. >> http://www-01.ibm.com/support/docview.wss?uid=swg22014269

 

Changing subdomain in Connections,CCM and Docs

I’ve just completed a process where a customer needed to change their subdomain due to an organisational name change. This site has a pretty large install.  CCM, Docs and also leveraged Windows Desktop SSO via SPNEGO.

The change was connections.OLD.sub.dom.au to connections.NEW.sub.dom.au

There is some documentation out there on how to change host names, but I wanted to compile a list for this specific task. So here you go.

Pre-tasks

SSL CSR created, new key created and imported into new KDB. Make available on IBM HTTP Server.

DNS change implemented, and points to existing IBM HTTP Server. Keep old record in place as well. Also ensure that the new record is resolvable on all Connections hosts.

Change the SSL Certificate over in IHS. (Change the following)

Keyfile D:\IBM\HTTPServer\NEWkey.kdb
SSLStashFile D:\IBM\HTTPServer\NEWkey.sth

CellDefaultTrustStore as it shared a common root with the previous Certificate.

Connections changes

Change the LotusConnectection-config.xml file. Check out with wsadmin, change the references to OLD and replace with NEW. Check-in. Process here

While in wsadmin, change the Notifications file to reflect new mail domain. Change the Administration user that notifications come from. Check-in. Process here

Change and update Blogs

To update the URL’s inside blogs, there is an AdminTask. while still in wsadmin, execute the following.

execfile(blogsAdmin.py)
BlogsAdminService.fixBrokenUrls(https://connections.old.sub.dom.au, https://connections.new.sub.dom.au)

 

Change LTPA to reflect new Domain.

In the ISC, select Global Security > Single sign-on

Update the Domain name field to reflect the new sub domain. i.e from .old.sub.com.au to .new.sub.dom.au

editor_image_cb34e16e-94cb-42a1-8921-1333db1dd095

Re-sync all nodes, stop and restart the entire environment (DMGR and NODES).

Docs Changes

Docs is pretty straight forward.

The property files for Docs all need to be changed. They are found in: <WAS_HOME>/profiles/<DMGR>/config/cells/{cellname}/IBMDocs-config/

Change all instances of OLD url to NEW in the concord-config.json file, and the viewer-config.json file. Just to be safe, verify no instances of OLD url exist in the other .json files in the directory. If there are, change them.

Re-sync all nodes, stop and restart the entire environment (DMGR and NODES).

CCM Changes

For CCM, we only had to update the Activity stream widget. Follow this process

 

Update Scheduled tasks

Jump back into wsadmin, and run the following. Following is from the knowledge centre.

Scheduler.listAllTasks() 
Scheduler.clearAllTasks()

Note: If Scheduler.clearAllTasks() does not clear tasks successfully, run clearScheduler.sql manually for each of the applications. 
For example:

db2 -v -td@ -f activities\db2\clearScheduler.sql
db2 -v -td@ -f homepage\db2\clearScheduler.sql 
The SQL scripts are in the following locations:

AIX or Linux: connections_root/connections.sql directory.

 

Update Search

I planned on updating search, but I didn’t get any errors after the change while using the search. Just to be safe,  I kicked off a new once off index task after the changes were completed.

Process.

SPNEGO SSO

 

…..and finally, a bit of a catch all

IBM HTTP Server rewrite – redirect OLD url to NEW

Add the following to handle any URLS that still come in using the old name. Replace your new server names below.

#Added to support redirect from OLD to NEW
<VirtualHost *:80>
    ServerName connections.OLD.sub.dom.au
    RewriteEngine On
    RewriteRule ^/$    /homepage     [PT] 
    RewriteRule ^/(.*) http://connections.NEW.sub.dom.au/$1 [R,L]
  
</VirtualHost>
RewriteEngine off

<VirtualHost *:443>
    ServerName connections.OLD.sub.dom.au
    SSLEnable
    RewriteEngine on
    RewriteRule ^/$    https://connections.NEW.sub.dom.au/homepage [PT]      RewriteRule ^/(.*) https://connections.NEW.sub.dom.au/$1 [R,L]    
</VirtualHost>
RewriteEngine off
SSLDisable

<VirtualHost *:80>
    ServerName connections.NEW.sub.dom.au
    RewriteEngine On
    RewriteRule ^/$     /homepage     [PT]
</VirtualHost>
RewriteEngine Off

<VirtualHost *:443>
    ServerName connections.NEW.sub.dom.au
    SSLEnable
    RewriteEngine On
    RewriteRule ^/$     /homepage     [PT]
</VirtualHost>
RewriteEngine Off

 

 

 

 

IBM Viewer / Docs error in C5.5 CR2

I’ve been a little quiet on the Blog front, but this year I’ll make an effort to update a bit more frequently. 2016 wasn’t a quiet year for me Technology wise, I got to work on some great Connections/Portal implementations and other environments. Apologies for the lack of updates.

I’ve been investigating an issue with Connections 5.5 CR2. and IBM Docs 2.0. What happens is that user will get an error while trying to view or edit the document. The users will get an error like the following.

"You are not entitled to use Docs or do not have permission to
edit this file. The file must be shared with you and your
access level set to editor. The file might also be locked by
another editor"

or

"The IBM Docs server cannot be reached. Please contact your administrator"

Errors in the Logs for Docs servers are similar to the following:

DocumentDraft E   Failed to generate snapshot for document. docID: 7125b890-4f8e-4a94-8fee-eb6bfc776802 com.ibm.docs.repository.RepositoryAccessException: Exception occurred with error code: CLFAD1000, message: Have no permission on this file in repository, and additional data: {"docUri":"7125b890-4f8e-4a94-8fee-eb6bfc776802","repo_err_code":"AccessDenied","repo_err_msg":"EJPVJ9070E: Unable to logon the user with the J2EE principal connectionsadmin.","repo_http_status":1000}

I’ve seen this sort of thing before after applying patches whereby you need to reapply the security to the J2EE principal and reserve the configuration. I tired that, and had the same issue.

Restarting the Files App seems to resolve the issue temporarily.

Appears that there is a known issue in CR2 and it’s being tracked in this APAR. (You’ll need an IBM Login)

RSA Premaster Secret Error in Connections 5

I’m doing an install for a customer at the moment, and it’s a large install. All on RHEL, integrated with Portal, and hosted in SoftLayer. Very Cool. I love playing with this stuff!

So the Connections install was running along great, until it was time to bring up the Connections Apps and test login. The way we usually configure Connections these days is to setup WAS primary administration user to exist in the LDAP directory, and use the default file based admin as a backup. We also then use this same user as the Connections administrator. We ensure that this user also has a profile. This just seems to make the installation (especially of companion products/extensions) easier..

I go to log into Connections the first time with the Admin user.. I get the “Unable to process your request page”. Damn.

Start troubleshooting. Eventually find the stanza that I think is logging for the error. This was in the Homepage Server System.Out. (Large Connections Install)..

 [14/01/16 19:30:20:532 EST] 00000120 HttpMethodDir I org.apache.commons.httpclient.HttpMethodDirector executeWithRetry Retrying request
 [14/01/16 19:30:20:535 EST] 00000120 HttpMethodDir I org.apache.commons.httpclient.HttpMethodDirector executeWithRetry I/O exception (javax.net.ssl.SSLKeyException) caught when processing request: RSA premaster secret error
 [14/01/16 19:30:20:536 EST] 00000120 HttpMethodDir I org.apache.commons.httpclient.HttpMethodDirector executeWithRetry Retrying request
 [14/01/16 19:30:20:539 EST] 00000120 UserInfoInter E com.ibm.lconn.homepage.web.interceptor.UserInfoInterceptor cacheUserInfo CLFRQ0341E: Could not retrieve details for the user with login ID: ConnectionsAdmin@domain.blah.au due to an exception. The exception occurred when retrieving the details via Profiles Directory Service Extension: [Ljava.lang.Object;@5c0f8907

More digging revealed that this error was due to…….the SSL Key.

What was occurring is this. I’d setup the IBM HTTP Server to use the key provided by the customer. I’d imported this into the CellDefaultTrustStore, as required. It was 4096 bits wide, which Java security in the WAS stack had an issue with. Some secret squirrel stuff about the governments wanting to control Encryption or something. So when the Homepage app was hitting the URL for profiles and verifying I am who I say I am, it caused the SSL error.

How did I fix it?

Copy and replace the Java policy files with the unrestricted policy files, then restart the Connections servers.

cd /opt/IBM/WebSphere/AppServer/java/demo/jce/policy-files/unrestricted/
[root@connwas2 unrestricted]# cp *.jar /opt/IBM/WebSphere/AppServer/java/jre/lib/security/
cp: overwrite `/opt/IBM/WebSphere/AppServer/java/jre/lib/security/local_policy.jar'? yes
cp: overwrite `/opt/IBM/WebSphere/AppServer/java/jre/lib/security/US_export_policy.jar'? yes

That’s it. Restart servers and enjoy.

Thanks to Mikkel Heisterberg,  you pointed me in the right direction with this Blog. Cheers!

 


					

Quick Tip – Name your console..

The guys I work with are full of good tips.

I’d always wondered how to do this, as I thought it was some sort of Developer jiggery-pokery.

Most environments I work in have a Development environment, and a Production environment.

Quite often, I get lost. Am I in Prod or Dev? Especially with cryptic server names.

Quick way to fix this is to Name your Consoles.

  • Logon to your ISC.
  • Expand System Administration > Task Management
  • Select Console Identity.
console1
  • Type in the Console name..ie Prod
console2
  • And hey presto…You know where you are..
Console3

You’re welcome.

CCM CR2 Upgrade/Backup Script errors – Access is denied.

Previous post was how to install CCM. This post will be about an error that I experienced just trying to apply the Fix Pack to get it to CR2 level.

When applying the CR2 update, the Content Engine Server is the first cab off the rank.

Following the instructions, I started with the D:\IBM\Connections\ccm\ccm\ccm\scripts\backup.bat

This script failed to run. Error was ADMN0022E: Access is denied……..because of insufficient or empty credentials.

*sigh*

I checked that the password wasn’t locked out. It wasn’t.

I logged into wsadmin manually, jut to verify all was good. I could.

So google put me onto this awesome post. In this case, wasn’t my issue, although I did try the fix.

Time to dig deeper.

I grabbed the backup.bat file, and scanned though till I found the part that was failing.

I enabled output to the screen by adding echo on..

2015-04-21_14-03-59_01

I then ran the backup script again. This revealed what the issue was.

The customers WAS admin password contains an exclamation point “!” for password quality. This script was passing this password as a variable to the the script which was running the wsadmin command. There appears to be a second time that this script calls the %was.admin.passwd% variable, but as it does it strips the “!” in my password. So I’m supplying the incorrect password, even though it’s correct at the time of input.

I’ve not been able to find a resolution to this apart from changing the password.

I had tried escaping the character out, and used different variations but to no avail. If anyone knows how to do this, please let me know.

CCM Installation fails with CLFRP0038E – Connections 5 CR2

I ran into this issue at a customer site I’m working on at the moment.

Here’s the scenario. Installing the following: Connections, Survey’s Polls (FEB), Social Mail, External Access, CCM, File Viewer. I’ve installed Connections, updated to CR2 and verified all is working. I’ve also installed FEB.

Following this documentation, I ensure I have all of the CR2 required files for install, including the fixpacks extracted to a directory. I’m installing CCM across 2 nodes in a cluster, on separate hosts.

I wanted to make sure that the Clusters/Servers were setup correctly in WAS. I have not had much luck with installers creating WAS clusters or servers,  so as this is pretty straight forward I like to set them up for installations to use.

Below is the summary screen of the CCM_Cluster.

2015-04-15_8-48-02

Time to install.

I’ve checked the prereqs. Note- Make sure you have at least 6GB free in %Temp%. In my case this was located on the C:\

I select the Modify option.

Select Add-on features IBM Connections Content Manager

2015-04-15_8-56-51

You’ll be asked for your existing WebSphere credentials. Put them in in then select Validate.

You’ll then hit this screen

2015-04-15_8-58-47

I selected New Deployment

Left remaining blank, then selected the Directory where I extracted all the installers and FP’s

If you’ve extracted everything out, you should get a Validation Successful. If not, check what files you are missing. The installer was pretty good in identifying what packages I was missing.

I then selected where I wanted to deploy CCM. I select my Servers/Cluster that I previously setup.

2015-04-15_8-59-09

Once this was selected, got to the next screen which I selected Modify.

CCM then installs.

I got the below error.

2015-04-12_8-43-02

Damn…

Looking through log files got me this..

2015-04-17_15-21-53

Further searching through the logs at  <WAS INSTALL>\profiles\Dmgr01\ConfigEngine\log\ConfigTrace.log reveals that a properties file for the nodes/cluster I’d setup did not exist in the D:\IBM\Connections directory.

[echo] Communities server: Cluster1_server1
 [echo] Loading properties from file: D:/IBM/Connections/Cluster1_server1.properties
 [echo] Communities server HTTP Port: 9082
 [echo] CE server: CCM_server1
 [echo] Loading properties from file: D:/IBM/Connections/CCM_server1.properties
--- Exception Thrown ---
D:\IBM\Connections\ccm\ccm\ccm\config\includes\ccm_cust_cfg.xml:1200: Source file does not exist.
at org.apache.tools.ant.taskdefs.LoadProperties.execute(LoadProperties.java:159)

This is where it got weird. I’d thought that is was because I’d setup the nodes/cluster outside of the install and that it was the IBM Installation Manager that created these properties files. Nope. I tried by setting up the nodes/clusters using the installer, same result, CCM not installed, same error.

Fix? Workaround?

To fix this one I created the files manually. This required grabbing the following values from my ISC in WAS.

2015-04-17_15-28-40

I created 2 files, one for each of my servers.

2015-04-17_15-28-56

These files were created before I hit Modify on the final installation screen, i.e after you’ve done all the above. I’m pretty sure that you could do this before you ran the installer.

Ran the installer again and was able to install.

2015-04-17_15-40-41

Hope this helps someone.

wsadmin ProfileAdmin error “NameError: bAskForNodeComm”

I stumbled across this issue when trying to update a users information in Connections after a UID change.

I’d successfully updated the PROF_UID and PROF_UID_LOWER with the new information, and TDI had synched across the new user data.

To then get the other Connections Applications to update their user information for this user, I ran the ProfilesService.publishUserData(“new.email@domain.com”)

I received a very descriptive error.ErrorProfiles

So I noticed that the unlike the other Connections admin commands, the ProfilesAdmin.py script had not asked me for “What node did you want to connect to?”

I tried various things, but was not able to get the ProfilesAdmin script to select a node.

I found this error  which seemed to match what I was getting, so I tried the suggested fix.

See below, it worked. This technique also will work with other ProfileAdmin commands.

NoErrorProfiles

Error when reparenting a sub-community.

Reparenting a sub-community is a feature added in Connections 4.5 CR3.

This feature allows you to move a sub-community to a Parent level, but also allows you to move the sub community to a different parent. (Think of the sub community as the child).

To move a sub-community, you use wsadmin, and the CommunitiesService.moveSubcommunityToCommunity(“CommunityUNID”) command.

Here is the IBM Link to the this utility.

I ran into an issue when trying to move the Community.

Firing up wsadmin as our usual Admin user,  I got the below error.

wsadminerror

 The System.Out

000009a TangoServiceI W com.ibm.tango.internal.service.TangoServiceImpl getMemberProfileWithUpdates CLFRM0110W: Undetermined memberProfile, in which its name: waslocaladmin, email: null, member uuid: 2f333cc26-b4d5-437d-b970-c9c1b3c076aa, and logins: [waslocaladmin], closely matches to directory service object of an user, whose name: waslocaladmin, email: null, and logins: [waslocaladmin].

Then

000009a TangoServiceI E com.ibm.tango.internal.service.TangoServiceImpl updateCommunity CLFRM0039E: internal error
com.ibm.tango.exception.MemberDuplicateLoginIdException: [waslocaladmin]
at com.ibm.tango.internal.service.TangoServiceImpl.getMemberProfileWithUpdates(TangoServiceImpl.java:3187)

 This was interesting, as the user waslocaladmin user was the Admin user for Connections, but wasn’t listed as an Admin userroles in the Application.

Additionally, waslocaladmin user was in the file based repository.

Workaround..

Switching to our support login, which has Administration access to the Communities application, I was able to run the reparenting command successfully.

This was done by running the wsadmin command as the support user.

Fix..

Further Troubleshooting revealed that this issue is more than likely the waslocaladmin id not being synced with the Community member database table.

This environment was upgraded, so in theory this could be correct. The migration method was a side-by-side install, so the waslocaladmin user would be different.

Synchronise a single member’s directory ID in the Communities member database table

  1. Open a command prompt and navigate to C:\IBM\WebSphere\AppServer\profiles\Dmgr01\bin
  2. Run wsadmin -lang jython -user waslocaladmin -password password -port 8879

From the wsadmin prompt run:
wsadmin>execfile(“communitiesAdmin.py”) (enter)
wsadmin>CommunitiesMemberService.syncMemberExtIdByLogin(“waslocaladmin”) 

Errors have stopped, so fingers crossed!

Connections theme reverts to 4.5 after applying C5 CR1

Just a quick post. I ran into this issue, and it’s not the first time I’ve seen it.

After applying the CR1 update to Connections 5, the theme reverted to version 4.5.

I made sure that all nodes were synced, restarted environment and the same issue was experienced.

The Fix

I removed the temporary caching directory for the WebSphere Server running Connections.

This forces WAS to update it’s cache on next restart.

  1. Shut down the Application server running Connections.
  2. Go to the <install_root>/profiles/<servername> directory
  3. Rename the /temp directory to /old_temp (as below.)
  4. Rename the /wstemp directory to /old_wstemp (as below)
  5. Restart Application Server.
temptheme

Once testing is completed, you can remove the old temp directories.