Connections

Changing subdomain in Connections,CCM and Docs

I’ve just completed a process where a customer needed to change their subdomain due to an organisational name change. This site has a pretty large install.  CCM, Docs and also leveraged Windows Desktop SSO via SPNEGO.

The change was connections.OLD.sub.dom.au to connections.NEW.sub.dom.au

There is some documentation out there on how to change host names, but I wanted to compile a list for this specific task. So here you go.

Pre-tasks

SSL CSR created, new key created and imported into new KDB. Make available on IBM HTTP Server.

DNS change implemented, and points to existing IBM HTTP Server. Keep old record in place as well. Also ensure that the new record is resolvable on all Connections hosts.

Change the SSL Certificate over in IHS. (Change the following)

Keyfile D:\IBM\HTTPServer\NEWkey.kdb
SSLStashFile D:\IBM\HTTPServer\NEWkey.sth

CellDefaultTrustStore as it shared a common root with the previous Certificate.

Connections changes

Change the LotusConnectection-config.xml file. Check out with wsadmin, change the references to OLD and replace with NEW. Check-in. Process here

While in wsadmin, change the Notifications file to reflect new mail domain. Change the Administration user that notifications come from. Check-in. Process here

Change and update Blogs

To update the URL’s inside blogs, there is an AdminTask. while still in wsadmin, execute the following.

execfile(blogsAdmin.py)
BlogsAdminService.fixBrokenUrls(https://connections.old.sub.dom.au, https://connections.new.sub.dom.au)

 

Change LTPA to reflect new Domain.

In the ISC, select Global Security > Single sign-on

Update the Domain name field to reflect the new sub domain. i.e from .old.sub.com.au to .new.sub.dom.au

editor_image_cb34e16e-94cb-42a1-8921-1333db1dd095

Re-sync all nodes, stop and restart the entire environment (DMGR and NODES).

Docs Changes

Docs is pretty straight forward.

The property files for Docs all need to be changed. They are found in: <WAS_HOME>/profiles/<DMGR>/config/cells/{cellname}/IBMDocs-config/

Change all instances of OLD url to NEW in the concord-config.json file, and the viewer-config.json file. Just to be safe, verify no instances of OLD url exist in the other .json files in the directory. If there are, change them.

Re-sync all nodes, stop and restart the entire environment (DMGR and NODES).

CCM Changes

For CCM, we only had to update the Activity stream widget. Follow this process

 

Update Scheduled tasks

Jump back into wsadmin, and run the following. Following is from the knowledge centre.

Scheduler.listAllTasks() 
Scheduler.clearAllTasks()

Note: If Scheduler.clearAllTasks() does not clear tasks successfully, run clearScheduler.sql manually for each of the applications. 
For example:

db2 -v -td@ -f activities\db2\clearScheduler.sql
db2 -v -td@ -f homepage\db2\clearScheduler.sql 
The SQL scripts are in the following locations:

AIX or Linux: connections_root/connections.sql directory.

 

Update Search

I planned on updating search, but I didn’t get any errors after the change while using the search. Just to be safe,  I kicked off a new once off index task after the changes were completed.

Process.

SPNEGO SSO

 

…..and finally, a bit of a catch all

IBM HTTP Server rewrite – redirect OLD url to NEW

Add the following to handle any URLS that still come in using the old name. Replace your new server names below.

#Added to support redirect from OLD to NEW
<VirtualHost *:80>
    ServerName connections.OLD.sub.dom.au
    RewriteEngine On
    RewriteRule ^/$    /homepage     [PT] 
    RewriteRule ^/(.*) http://connections.NEW.sub.dom.au/$1 [R,L]
  
</VirtualHost>
RewriteEngine off

<VirtualHost *:443>
    ServerName connections.OLD.sub.dom.au
    SSLEnable
    RewriteEngine on
    RewriteRule ^/$    https://connections.NEW.sub.dom.au/homepage [PT]      RewriteRule ^/(.*) https://connections.NEW.sub.dom.au/$1 [R,L]    
</VirtualHost>
RewriteEngine off
SSLDisable

<VirtualHost *:80>
    ServerName connections.NEW.sub.dom.au
    RewriteEngine On
    RewriteRule ^/$     /homepage     [PT]
</VirtualHost>
RewriteEngine Off

<VirtualHost *:443>
    ServerName connections.NEW.sub.dom.au
    SSLEnable
    RewriteEngine On
    RewriteRule ^/$     /homepage     [PT]
</VirtualHost>
RewriteEngine Off

 

 

 

 

IBM Viewer / Docs error in C5.5 CR2

I’ve been a little quiet on the Blog front, but this year I’ll make an effort to update a bit more frequently. 2016 wasn’t a quiet year for me Technology wise, I got to work on some great Connections/Portal implementations and other environments. Apologies for the lack of updates.

I’ve been investigating an issue with Connections 5.5 CR2. and IBM Docs 2.0. What happens is that user will get an error while trying to view or edit the document. The users will get an error like the following.

"You are not entitled to use Docs or do not have permission to
edit this file. The file must be shared with you and your
access level set to editor. The file might also be locked by
another editor"

or

"The IBM Docs server cannot be reached. Please contact your administrator"

Errors in the Logs for Docs servers are similar to the following:

DocumentDraft E   Failed to generate snapshot for document. docID: 7125b890-4f8e-4a94-8fee-eb6bfc776802 com.ibm.docs.repository.RepositoryAccessException: Exception occurred with error code: CLFAD1000, message: Have no permission on this file in repository, and additional data: {"docUri":"7125b890-4f8e-4a94-8fee-eb6bfc776802","repo_err_code":"AccessDenied","repo_err_msg":"EJPVJ9070E: Unable to logon the user with the J2EE principal connectionsadmin.","repo_http_status":1000}

I’ve seen this sort of thing before after applying patches whereby you need to reapply the security to the J2EE principal and reserve the configuration. I tired that, and had the same issue.

Restarting the Files App seems to resolve the issue temporarily.

Appears that there is a known issue in CR2 and it’s being tracked in this APAR. (You’ll need an IBM Login)

RSA Premaster Secret Error in Connections 5

I’m doing an install for a customer at the moment, and it’s a large install. All on RHEL, integrated with Portal, and hosted in SoftLayer. Very Cool. I love playing with this stuff!

So the Connections install was running along great, until it was time to bring up the Connections Apps and test login. The way we usually configure Connections these days is to setup WAS primary administration user to exist in the LDAP directory, and use the default file based admin as a backup. We also then use this same user as the Connections administrator. We ensure that this user also has a profile. This just seems to make the installation (especially of companion products/extensions) easier..

I go to log into Connections the first time with the Admin user.. I get the “Unable to process your request page”. Damn.

Start troubleshooting. Eventually find the stanza that I think is logging for the error. This was in the Homepage Server System.Out. (Large Connections Install)..

 [14/01/16 19:30:20:532 EST] 00000120 HttpMethodDir I org.apache.commons.httpclient.HttpMethodDirector executeWithRetry Retrying request
 [14/01/16 19:30:20:535 EST] 00000120 HttpMethodDir I org.apache.commons.httpclient.HttpMethodDirector executeWithRetry I/O exception (javax.net.ssl.SSLKeyException) caught when processing request: RSA premaster secret error
 [14/01/16 19:30:20:536 EST] 00000120 HttpMethodDir I org.apache.commons.httpclient.HttpMethodDirector executeWithRetry Retrying request
 [14/01/16 19:30:20:539 EST] 00000120 UserInfoInter E com.ibm.lconn.homepage.web.interceptor.UserInfoInterceptor cacheUserInfo CLFRQ0341E: Could not retrieve details for the user with login ID: ConnectionsAdmin@domain.blah.au due to an exception. The exception occurred when retrieving the details via Profiles Directory Service Extension: [Ljava.lang.Object;@5c0f8907

More digging revealed that this error was due to…….the SSL Key.

What was occurring is this. I’d setup the IBM HTTP Server to use the key provided by the customer. I’d imported this into the CellDefaultTrustStore, as required. It was 4096 bits wide, which Java security in the WAS stack had an issue with. Some secret squirrel stuff about the governments wanting to control Encryption or something. So when the Homepage app was hitting the URL for profiles and verifying I am who I say I am, it caused the SSL error.

How did I fix it?

Copy and replace the Java policy files with the unrestricted policy files, then restart the Connections servers.

cd /opt/IBM/WebSphere/AppServer/java/demo/jce/policy-files/unrestricted/
[root@connwas2 unrestricted]# cp *.jar /opt/IBM/WebSphere/AppServer/java/jre/lib/security/
cp: overwrite `/opt/IBM/WebSphere/AppServer/java/jre/lib/security/local_policy.jar'? yes
cp: overwrite `/opt/IBM/WebSphere/AppServer/java/jre/lib/security/US_export_policy.jar'? yes

That’s it. Restart servers and enjoy.

Thanks to Mikkel Heisterberg,  you pointed me in the right direction with this Blog. Cheers!

 


					

Quick Tip – Name your console..

The guys I work with are full of good tips.

I’d always wondered how to do this, as I thought it was some sort of Developer jiggery-pokery.

Most environments I work in have a Development environment, and a Production environment.

Quite often, I get lost. Am I in Prod or Dev? Especially with cryptic server names.

Quick way to fix this is to Name your Consoles.

  • Logon to your ISC.
  • Expand System Administration > Task Management
  • Select Console Identity.
console1
  • Type in the Console name..ie Prod
console2
  • And hey presto…You know where you are..
Console3

You’re welcome.

CCM CR2 Upgrade/Backup Script errors – Access is denied.

Previous post was how to install CCM. This post will be about an error that I experienced just trying to apply the Fix Pack to get it to CR2 level.

When applying the CR2 update, the Content Engine Server is the first cab off the rank.

Following the instructions, I started with the D:\IBM\Connections\ccm\ccm\ccm\scripts\backup.bat

This script failed to run. Error was ADMN0022E: Access is denied……..because of insufficient or empty credentials.

*sigh*

I checked that the password wasn’t locked out. It wasn’t.

I logged into wsadmin manually, jut to verify all was good. I could.

So google put me onto this awesome post. In this case, wasn’t my issue, although I did try the fix.

Time to dig deeper.

I grabbed the backup.bat file, and scanned though till I found the part that was failing.

I enabled output to the screen by adding echo on..

2015-04-21_14-03-59_01

I then ran the backup script again. This revealed what the issue was.

The customers WAS admin password contains an exclamation point “!” for password quality. This script was passing this password as a variable to the the script which was running the wsadmin command. There appears to be a second time that this script calls the %was.admin.passwd% variable, but as it does it strips the “!” in my password. So I’m supplying the incorrect password, even though it’s correct at the time of input.

I’ve not been able to find a resolution to this apart from changing the password.

I had tried escaping the character out, and used different variations but to no avail. If anyone knows how to do this, please let me know.

CCM Installation fails with CLFRP0038E – Connections 5 CR2

I ran into this issue at a customer site I’m working on at the moment.

Here’s the scenario. Installing the following: Connections, Survey’s Polls (FEB), Social Mail, External Access, CCM, File Viewer. I’ve installed Connections, updated to CR2 and verified all is working. I’ve also installed FEB.

Following this documentation, I ensure I have all of the CR2 required files for install, including the fixpacks extracted to a directory. I’m installing CCM across 2 nodes in a cluster, on separate hosts.

I wanted to make sure that the Clusters/Servers were setup correctly in WAS. I have not had much luck with installers creating WAS clusters or servers,  so as this is pretty straight forward I like to set them up for installations to use.

Below is the summary screen of the CCM_Cluster.

2015-04-15_8-48-02

Time to install.

I’ve checked the prereqs. Note- Make sure you have at least 6GB free in %Temp%. In my case this was located on the C:\

I select the Modify option.

Select Add-on features IBM Connections Content Manager

2015-04-15_8-56-51

You’ll be asked for your existing WebSphere credentials. Put them in in then select Validate.

You’ll then hit this screen

2015-04-15_8-58-47

I selected New Deployment

Left remaining blank, then selected the Directory where I extracted all the installers and FP’s

If you’ve extracted everything out, you should get a Validation Successful. If not, check what files you are missing. The installer was pretty good in identifying what packages I was missing.

I then selected where I wanted to deploy CCM. I select my Servers/Cluster that I previously setup.

2015-04-15_8-59-09

Once this was selected, got to the next screen which I selected Modify.

CCM then installs.

I got the below error.

2015-04-12_8-43-02

Damn…

Looking through log files got me this..

2015-04-17_15-21-53

Further searching through the logs at  <WAS INSTALL>\profiles\Dmgr01\ConfigEngine\log\ConfigTrace.log reveals that a properties file for the nodes/cluster I’d setup did not exist in the D:\IBM\Connections directory.

[echo] Communities server: Cluster1_server1
 [echo] Loading properties from file: D:/IBM/Connections/Cluster1_server1.properties
 [echo] Communities server HTTP Port: 9082
 [echo] CE server: CCM_server1
 [echo] Loading properties from file: D:/IBM/Connections/CCM_server1.properties
--- Exception Thrown ---
D:\IBM\Connections\ccm\ccm\ccm\config\includes\ccm_cust_cfg.xml:1200: Source file does not exist.
at org.apache.tools.ant.taskdefs.LoadProperties.execute(LoadProperties.java:159)

This is where it got weird. I’d thought that is was because I’d setup the nodes/cluster outside of the install and that it was the IBM Installation Manager that created these properties files. Nope. I tried by setting up the nodes/clusters using the installer, same result, CCM not installed, same error.

Fix? Workaround?

To fix this one I created the files manually. This required grabbing the following values from my ISC in WAS.

2015-04-17_15-28-40

I created 2 files, one for each of my servers.

2015-04-17_15-28-56

These files were created before I hit Modify on the final installation screen, i.e after you’ve done all the above. I’m pretty sure that you could do this before you ran the installer.

Ran the installer again and was able to install.

2015-04-17_15-40-41

Hope this helps someone.

wsadmin ProfileAdmin error “NameError: bAskForNodeComm”

I stumbled across this issue when trying to update a users information in Connections after a UID change.

I’d successfully updated the PROF_UID and PROF_UID_LOWER with the new information, and TDI had synched across the new user data.

To then get the other Connections Applications to update their user information for this user, I ran the ProfilesService.publishUserData(“new.email@domain.com”)

I received a very descriptive error.ErrorProfiles

So I noticed that the unlike the other Connections admin commands, the ProfilesAdmin.py script had not asked me for “What node did you want to connect to?”

I tried various things, but was not able to get the ProfilesAdmin script to select a node.

I found this error  which seemed to match what I was getting, so I tried the suggested fix.

See below, it worked. This technique also will work with other ProfileAdmin commands.

NoErrorProfiles

Error when reparenting a sub-community.

Reparenting a sub-community is a feature added in Connections 4.5 CR3.

This feature allows you to move a sub-community to a Parent level, but also allows you to move the sub community to a different parent. (Think of the sub community as the child).

To move a sub-community, you use wsadmin, and the CommunitiesService.moveSubcommunityToCommunity(“CommunityUNID”) command.

Here is the IBM Link to the this utility.

I ran into an issue when trying to move the Community.

Firing up wsadmin as our usual Admin user,  I got the below error.

wsadminerror

 The System.Out

000009a TangoServiceI W com.ibm.tango.internal.service.TangoServiceImpl getMemberProfileWithUpdates CLFRM0110W: Undetermined memberProfile, in which its name: waslocaladmin, email: null, member uuid: 2f333cc26-b4d5-437d-b970-c9c1b3c076aa, and logins: [waslocaladmin], closely matches to directory service object of an user, whose name: waslocaladmin, email: null, and logins: [waslocaladmin].

Then

000009a TangoServiceI E com.ibm.tango.internal.service.TangoServiceImpl updateCommunity CLFRM0039E: internal error
com.ibm.tango.exception.MemberDuplicateLoginIdException: [waslocaladmin]
at com.ibm.tango.internal.service.TangoServiceImpl.getMemberProfileWithUpdates(TangoServiceImpl.java:3187)

 This was interesting, as the user waslocaladmin user was the Admin user for Connections, but wasn’t listed as an Admin userroles in the Application.

Additionally, waslocaladmin user was in the file based repository.

Workaround..

Switching to our support login, which has Administration access to the Communities application, I was able to run the reparenting command successfully.

This was done by running the wsadmin command as the support user.

Fix..

Further Troubleshooting revealed that this issue is more than likely the waslocaladmin id not being synced with the Community member database table.

This environment was upgraded, so in theory this could be correct. The migration method was a side-by-side install, so the waslocaladmin user would be different.

Synchronise a single member’s directory ID in the Communities member database table

  1. Open a command prompt and navigate to C:\IBM\WebSphere\AppServer\profiles\Dmgr01\bin
  2. Run wsadmin -lang jython -user waslocaladmin -password password -port 8879

From the wsadmin prompt run:
wsadmin>execfile(“communitiesAdmin.py”) (enter)
wsadmin>CommunitiesMemberService.syncMemberExtIdByLogin(“waslocaladmin”) 

Errors have stopped, so fingers crossed!

Connections theme reverts to 4.5 after applying C5 CR1

Just a quick post. I ran into this issue, and it’s not the first time I’ve seen it.

After applying the CR1 update to Connections 5, the theme reverted to version 4.5.

I made sure that all nodes were synced, restarted environment and the same issue was experienced.

The Fix

I removed the temporary caching directory for the WebSphere Server running Connections.

This forces WAS to update it’s cache on next restart.

  1. Shut down the Application server running Connections.
  2. Go to the <install_root>/profiles/<servername> directory
  3. Rename the /temp directory to /old_temp (as below.)
  4. Rename the /wstemp directory to /old_wstemp (as below)
  5. Restart Application Server.
temptheme

Once testing is completed, you can remove the old temp directories.

Moving Databases from DB2 9.7 to 10.1 on Windows 2012 R2 for C3-C5 upgrade.

Those people familiar with Connections will be aware of the different methods to upgrade.   The one that we use most often, due to the fact that we have the best chance of success, is the Side-by-Side migration. With this migration you essentially setup a new environment at the version you are upgrading to , then transition your data. This also allows for the old version to be available to the customer, so that historical data is still available.

We mainly use DB2 for the backend, and most of time it’s hosted on a Linux machine. But some times we come across Windows.

This is one of those cases….

I ran into an issue with migration of DB2 servers between versions of DB2, hosts and Operating Systems.
Moving from DB2 9.7 on Windows 2003 – DB2 10.1 on Windows 2012 Server R2.

Firstly, here is an overview of the process used.

On source host – this requires an outage of your Connections host.
Login as DB2ADMIN to the local machine.
Databases are backed up offline using the DB2 Control Center.
Backups are to Files.
On Target DB2 server
Logged as Domain user
Copy from the Source host to the Target host the DB Backups.
Switch to DB2Admin
Restore Databases. Nice thing with this is that the databases were automagically upgraded to 10.1.

The issue

When the databases were restored to the DB2 10.1 server, DB2Admin on the Target machine did not get the correct permissions and authorities to the databases. Even though DB2Admin was explicitly listed in the Database, this did not help.
The problem propagated itself further in the DB2 Upgrade wizards in Connections. When the DBUpgrade wizard ran, it could not verify which Connections version the databases were. This leads me onto the next thing..how do the Connections wizards identify what Connections version the database is?
Each database has a specific table that holds what version of Connections the database is. Being IBM, having these be the same table would be way too easy. The Table for HOMEPAGE is HOMEPAGE.SCHEMA.

When viewing the data in HOMEPAGE.SCHEMA, as DB2Admin, nothing was returned, We could see no data.
DB2Admin had no rights to the database, which makes no sense.. DB2Admin should be god.

The fix

Was to perform the following on the Target DB2 Server before the restore.

Set the DB2_RESTORE_GRANT_ADMIN_AUTHORITIES registry variable BEFORE preforming the restore into a new database.
Example:

db2stop
db2set DB2_RESTORE_GRANT_ADMIN_AUTHORITIES=ON
db2start

Just to automate the restore process, I created a batch script.

 D:
 db2 RESTORE DATABASE BLOGS USER db2admin USING password FROM "D:\DB2TFR2" TAKEN AT 20141022174241 TO "D:" INTO BLOGS WITH 2 BUFFERS BUFFER 1024 PARALLELISM 1
 db2 RESTORE DATABASE DOGEAR USER db2admin USING password FROM "D:\DB2TFR2" TAKEN AT 20141022174313 TO "D:" INTO DOGEAR WITH 2 BUFFERS BUFFER 1024 PARALLELISM 1
 db2 RESTORE DATABASE FILES USER db2admin USING 1password FROM "D:\DB2TFR2" TAKEN AT 20141022174401 TO "D:" INTO FILES WITH 2 BUFFERS BUFFER 1024 PARALLELISM 1
 db2 RESTORE DATABASE FORUM USER db2admin USING password FROM "D:\DB2TFR2" TAKEN AT 20141022180225 TO "D:" INTO FORUM WITH 2 BUFFERS BUFFER 1024 PARALLELISM 1
 REM db2 RESTORE DATABASE HOMEPAGE USER db2admin USING password FROM "D:\DB2TFR2" TAKEN AT 20141022180322 TO "D:" INTO HOMEPAGE WITH 2 BUFFERS BUFFER 1024 PARALLELISM 1
 db2 RESTORE DATABASE OPNACT USER db2admin USING password FROM "D:\DB2TFR2" TAKEN AT 20141022180348 TO "D:" INTO OPNACT WITH 2 BUFFERS BUFFER 1024 PARALLELISM 1
 db2 RESTORE DATABASE PEOPLEDB USER db2admin USING password FROM "D:\DB2TFR2" TAKEN AT 20141022180432 TO "D:" INTO PEOPLEDB WITH 2 BUFFERS BUFFER 1024 PARALLELISM 1
 db2 RESTORE DATABASE SNCOMM USER db2admin USING password FROM "D:\DB2TFR2" TAKEN AT 20141022180459 TO "D:" INTO SNCOMM WITH 2 BUFFERS BUFFER 1024 PARALLELISM 1
 db2 RESTORE DATABASE WIKIS USER db2admin USING password FROM "D:\DB2TFR2" TAKEN AT 20141022180525 TO "D:" INTO WIKIS WITH 2 BUFFERS BUFFER 1024 PARALLELISM 1

I performed the above, restored the Databases. This time the DB’s took considerable time to restore….more stuff happening! I was now able to successfully access the Databases, and run the wizards.
Happy days,