Uncategorized

IBM Connections Component Pack 6.0.0.5 – Install fails with can’t connect to Connections FQHN.

I’ve been working with Connections Pink since the first release of the “Orient Me” package. The scripts used to deploy this feature set are getting better with each release – good job IBM.

I’ve got an issue currently with the Deployment of ICCP 6.0.0.5 – The deploycfc.sh errors with the message below.

It can’t connect to the Connections FQHN that is provided.


It sounded to me like something to do with the security settings we had enabled on the Connections 6 environment, and it turned out it was. I pulled apart the scripts and found where I think it is occurring. The particular script that is failing is B-23-master-configure-cfc.sh, in particular one of its functions, validate_ic_host, which uses curl to fetch a URL from the Connections host.

Anyhoo, IBM have a technote that expands on the problem and provides a workaround: http://www-01.ibm.com/support/docview.wss?uid=swg22014269


Changing subdomain in Connections, CCM and Docs

I’ve just completed a process where a customer needed to change their subdomain due to an organisational name change. This site has a pretty large install: CCM, Docs, and Windows desktop SSO via SPNEGO.

The change was connections.OLD.sub.dom.au to connections.NEW.sub.dom.au

There is some documentation out there on how to change host names, but I wanted to compile a list for this specific task. So here you go.

Pre-tasks

SSL CSR created, new key created and imported into a new KDB. Make it available on the IBM HTTP Server. If the old name has to keep answering over HTTPS while clients move across (the old-name port 443 redirect at the end of this post relies on it), put connections.OLD.sub.dom.au in the CSR as a Subject Alternative Name, because IHS presents the one certificate for both names.

DNS change implemented, with the new name pointing at the existing IBM HTTP Server. Keep the old record in place as well, and ensure the new record resolves on all Connections hosts.

Change the SSL certificate over in IHS (change the following in httpd.conf):

Keyfile D:\IBM\HTTPServer\NEWkey.kdb
SSLStashFile D:\IBM\HTTPServer\NEWkey.sth

CellDefaultTrustStore: no change was needed in this case, as the new certificate shared a common root with the previous one. If the new certificate comes from a different CA, import its signer into CellDefaultTrustStore before the switch, or the server-to-server calls between the Connections applications will fail their SSL handshakes.

Connections changes

Change the LotusConnections-config.xml file. Check it out with wsadmin, change the references to OLD to NEW, and check it back in.

While in wsadmin, change the notification-config.xml file to reflect the new mail domain, and change the administration user that notifications come from. Check it in.

Change and update Blogs

To update the URLs stored inside blog content there is an admin command for it. While still in wsadmin, execute the following (both URLs are strings, so they need quoting):

execfile("blogsAdmin.py")
BlogsAdminService.fixBrokenUrls("https://connections.old.sub.dom.au", "https://connections.new.sub.dom.au")


Change LTPA to reflect the new domain.

In the ISC, go to Security > Global security, then under Authentication choose Web and SIP security > Single sign-on (SSO).

Update the Domain name field to reflect the new subdomain, i.e. from .old.sub.dom.au to .new.sub.dom.au. This value decides which hosts the browser sends the LTPA token to, so keep it as narrow as the deployment allows rather than widening it to the parent domain. If both names must keep working during the changeover, WebSphere accepts several domains separated by semicolons (.old.sub.dom.au;.new.sub.dom.au).

Re-sync all nodes, stop and restart the entire environment (DMGR and NODES).

Docs Changes

Docs is pretty straightforward.

The property files for Docs all need to be changed. They are found in <WAS_HOME>/profiles/<DMGR>/config/cells/{cellname}/IBMDocs-config/

Change all instances of the OLD URL to NEW in concord-config.json and viewer-config.json. Just to be safe, verify that no instances of the OLD URL exist in the other .json files in the directory (search case-insensitively, as host names can appear in either case). If there are, change them.

Re-sync all nodes, stop and restart the entire environment (DMGR and NODES).
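The Docs step above comes down to "replace the old host in every .json file and prove none is left", which is worth scripting rather than doing by hand. The block below is an added example, not from the original post or from IBM: it rewrites the host case-insensitively, keeps a backup of each changed file, refuses to write back anything that no longer parses as JSON, and reports what still references the old name. The directory and file names are the ones quoted above; the file contents are constructed for the demo and stand in for the real concord-config.json and viewer-config.json.

```python
# Added example (not from the original post or from IBM): replace the old host name in the
# IBMDocs-config *.json files, back each file up first, and prove nothing still refers to it.
import json
import os
import re
import shutil
import tempfile

BACKUP_SUFFIX = ".bak-before-rename"


def host_pattern(host):
    """Case-insensitive match of a host name that is not part of a longer name
    (connections.old.sub.dom.au must not match connections.old.sub.dom.au.example)."""
    return re.compile(r"(?<![\w.-])" + re.escape(host) + r"(?![\w-]|\.\w)", re.IGNORECASE)


def json_files(config_dir):
    for root, _dirs, names in os.walk(config_dir):
        for name in names:
            if name.endswith(".json"):
                yield os.path.join(root, name)


def remaining_references(config_dir, old_host):
    """Relative paths of *.json files that still mention old_host, in any letter case."""
    pattern = host_pattern(old_host)
    hits = []
    for path in json_files(config_dir):
        with open(path, encoding="utf-8") as fh:
            if pattern.search(fh.read()):
                hits.append(os.path.relpath(path, config_dir))
    return sorted(hits)


def replace_host_in_configs(config_dir, old_host, new_host):
    """Rewrite old_host -> new_host in every *.json under config_dir and return the
    relative paths that changed. A file is only written back if the edited text still
    parses as JSON; the original is kept beside it as <file>.bak-before-rename."""
    pattern = host_pattern(old_host)
    changed = []
    for path in json_files(config_dir):
        with open(path, encoding="utf-8") as fh:
            text = fh.read()
        new_text, count = pattern.subn(new_host, text)
        if count == 0:
            continue
        json.loads(new_text)  # raises if the substitution broke the file
        shutil.copy2(path, path + BACKUP_SUFFIX)
        with open(path, "w", encoding="utf-8") as fh:
            fh.write(new_text)
        changed.append(os.path.relpath(path, config_dir))
    return sorted(changed)


def demo(old_host="connections.OLD.sub.dom.au", new_host="connections.NEW.sub.dom.au"):
    """Build a constructed IBMDocs-config directory, run the rename, report before/after."""
    config_dir = tempfile.mkdtemp(prefix="IBMDocs-config-")
    try:
        samples = {
            # mixed case on purpose: a case-sensitive grep for the OLD name would miss the first URL
            "concord-config.json": {"docs_url": "https://Connections.Old.Sub.Dom.Au/docs",
                                    "files_url": "https://connections.OLD.sub.dom.au/files"},
            "viewer-config.json": {"viewer_url": "https://connections.old.sub.dom.au/viewer"},
            "unrelated.json": {"other": "https://mail.old.sub.dom.au/"},  # different host, untouched
        }
        for name, content in samples.items():
            with open(os.path.join(config_dir, name), "w", encoding="utf-8") as fh:
                json.dump(content, fh, indent=2)
        before = remaining_references(config_dir, old_host)
        changed = replace_host_in_configs(config_dir, old_host, new_host)
        after = remaining_references(config_dir, old_host)
        with open(os.path.join(config_dir, "concord-config.json"), encoding="utf-8") as fh:
            concord = json.load(fh)
        return {"before": before, "changed": changed, "after": after, "concord": concord}
    finally:
        shutil.rmtree(config_dir)
```

Run it against the real directory with `replace_host_in_configs(docs_config_dir, old, new)` and then `remaining_references(docs_config_dir, old)`, which should come back empty before you sync the nodes. The backups contain the old name, so clean them up once the change has been verified.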

CCM Changes

For CCM, we only had to update the Activity Stream widget.


Update Scheduled tasks

Jump back into wsadmin and run the following. It is from the Knowledge Center.

Scheduler.listAllTasks()
Scheduler.clearAllTasks()

Note: if Scheduler.clearAllTasks() does not clear the tasks successfully, run clearScheduler.sql manually for each of the applications. For example:

db2 -v -td@ -f activities\db2\clearScheduler.sql
db2 -v -td@ -f homepage\db2\clearScheduler.sql

The SQL scripts are in the following location:

AIX or Linux: connections_root/connections.sql directory.


Update Search

I planned on updating Search, but I didn’t get any errors using it after the change. Just to be safe, I kicked off a one-off indexing task after the changes were completed.

SPNEGO SSO

 

...and finally, a bit of a catch-all

IBM HTTP Server rewrite – redirect OLD url to NEW

Add the following to handle any URLs that still come in using the old name. Replace the server names below with your own.

#Added to support redirect from OLD to NEW
<VirtualHost *:80>
    ServerName connections.OLD.sub.dom.au
    RewriteEngine On
    RewriteRule ^/$    /homepage     [PT]
    RewriteRule ^/(.*) http://connections.NEW.sub.dom.au/$1 [R,L]
</VirtualHost>
RewriteEngine off

<VirtualHost *:443>
    ServerName connections.OLD.sub.dom.au
    SSLEnable
    RewriteEngine on
    RewriteRule ^/$    https://connections.NEW.sub.dom.au/homepage [PT]
    RewriteRule ^/(.*) https://connections.NEW.sub.dom.au/$1 [R,L]
</VirtualHost>
RewriteEngine off
SSLDisable

<VirtualHost *:80>
    ServerName connections.NEW.sub.dom.au
    RewriteEngine On
    RewriteRule ^/$     /homepage     [PT]
</VirtualHost>
RewriteEngine Off

<VirtualHost *:443>
    ServerName connections.NEW.sub.dom.au
    SSLEnable
    RewriteEngine On
    RewriteRule ^/$     /homepage     [PT]
</VirtualHost>
RewriteEngine Off

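A tightened version of that block, added here and not from the original post: the old name is sent with a permanent 301 straight to HTTPS on the new name (the original redirects port 80 to plain HTTP, so a first request made in the clear stays in the clear), plain HTTP on the new name is also pushed to HTTPS, and the root-to-/homepage rewrite is kept. The host names are the same placeholders as above. Two things to check before using it: the old-name port 443 virtual host presents whatever key IHS is now configured with, so unless that certificate lists connections.OLD.sub.dom.au as a Subject Alternative Name browsers will warn before the redirect ever fires; and browsers cache a 301, so test with R=302 first and switch to 301 once the target URLs are right. If something still legitimately needs plain HTTP on the new name, keep the original port 80 block for it instead.

```apache
# Old name, HTTP: everything goes to HTTPS on the new name, permanently
<VirtualHost *:80>
    ServerName connections.OLD.sub.dom.au
    RewriteEngine On
    RewriteRule ^/$    https://connections.NEW.sub.dom.au/homepage [R=301,L]
    RewriteRule ^/(.*) https://connections.NEW.sub.dom.au/$1       [R=301,L]
</VirtualHost>

# Old name, HTTPS: same redirect; the certificate presented here must cover the OLD name
<VirtualHost *:443>
    ServerName connections.OLD.sub.dom.au
    SSLEnable
    RewriteEngine On
    RewriteRule ^/$    https://connections.NEW.sub.dom.au/homepage [R=301,L]
    RewriteRule ^/(.*) https://connections.NEW.sub.dom.au/$1       [R=301,L]
</VirtualHost>
SSLDisable

# New name, HTTP: do not serve content in the clear, send it to HTTPS
<VirtualHost *:80>
    ServerName connections.NEW.sub.dom.au
    RewriteEngine On
    RewriteRule ^/(.*) https://connections.NEW.sub.dom.au/$1 [R=301,L]
</VirtualHost>

# New name, HTTPS: the only virtual host that actually serves Connections
<VirtualHost *:443>
    ServerName connections.NEW.sub.dom.au
    SSLEnable
    RewriteEngine On
    RewriteRule ^/$ /homepage [PT]
</VirtualHost>
SSLDisable
```

The query string is carried across automatically on an external redirect, so `?` parameters on old links survive; only the host and scheme change.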

RSA Premaster Secret Error in Connections 5

I’m doing an install for a customer at the moment, and it’s a large install. All on RHEL, integrated with Portal, and hosted in SoftLayer. Very Cool. I love playing with this stuff!

So the Connections install was running along great, until it was time to bring up the Connections apps and test login. The way we usually configure Connections these days is to set up the WAS primary administrative user in the LDAP directory and keep the default file-based admin as a backup. We then use this same user as the Connections administrator, and make sure it also has a profile. This just seems to make the installation (especially of companion products/extensions) easier.

I go to log into Connections the first time with the Admin user.. I get the “Unable to process your request page”. Damn.

Start troubleshooting. Eventually I found the stanza that I think is logging the error. This was in the Homepage server SystemOut.log (large Connections install).

[14/01/16 19:30:20:532 EST] 00000120 HttpMethodDir I org.apache.commons.httpclient.HttpMethodDirector executeWithRetry Retrying request
[14/01/16 19:30:20:535 EST] 00000120 HttpMethodDir I org.apache.commons.httpclient.HttpMethodDirector executeWithRetry I/O exception (javax.net.ssl.SSLKeyException) caught when processing request: RSA premaster secret error
[14/01/16 19:30:20:536 EST] 00000120 HttpMethodDir I org.apache.commons.httpclient.HttpMethodDirector executeWithRetry Retrying request
[14/01/16 19:30:20:539 EST] 00000120 UserInfoInter E com.ibm.lconn.homepage.web.interceptor.UserInfoInterceptor cacheUserInfo CLFRQ0341E: Could not retrieve details for the user with login ID: ConnectionsAdmin@domain.blah.au due to an exception. The exception occurred when retrieving the details via Profiles Directory Service Extension: [Ljava.lang.Object;@5c0f8907

More digging revealed that this error was due to…….the SSL Key.

What was occurring is this. I’d set up IBM HTTP Server to use the key provided by the customer and imported the signer into the CellDefaultTrustStore, as required. The key was 4096 bits, which the Java security in the WAS stack had an issue with: the IBM JDK ships with the restricted JCE jurisdiction policy files (a leftover of US export controls on cryptography), and they limit the key strengths the SSL provider will negotiate. So when the Homepage app called the Profiles URL over HTTPS to verify I am who I say I am, the handshake failed with the error above.

How did I fix it?

Copy and replace the Java policy files with the unrestricted policy files, then restart the Connections servers. Back up the two original jars first, repeat this on every node that runs Connections applications (each WebSphere install has its own JDK copy), and re-check after any Java or WebSphere fix pack, because an update can put the restricted files back.

cd /opt/IBM/WebSphere/AppServer/java/demo/jce/policy-files/unrestricted/
[root@connwas2 unrestricted]# cp *.jar /opt/IBM/WebSphere/AppServer/java/jre/lib/security/
cp: overwrite `/opt/IBM/WebSphere/AppServer/java/jre/lib/security/local_policy.jar'? yes
cp: overwrite `/opt/IBM/WebSphere/AppServer/java/jre/lib/security/US_export_policy.jar'? yes

That’s it. Restart the servers and enjoy.

Thanks to Mikkel Heisterberg, who pointed me in the right direction with this blog. Cheers!

iKeyman: How to receive an online CSR.

I have a love/hate relationship with iKeyman. It never seems to want to work the way I think it should.

Take the instance where a customer manages their SSL keys online and has the certificate issued without creating a CSR on the host machine. It just gets tricky: iKeyman won’t let you import a bare private key, and if you try to receive the new certificate you’ll get an error along the lines of “No CSR found for Certificate”.

What you can do is use third-party tools (OpenSSL) to bundle the key and certificate into a .p12, then import that into a new .kdb.

So here is my cheat sheet for how I got this working.

  1. Extract the certificates from email.
  2. Use OpenSSL to create a p12
  3. Create a new KDB
  4. Import the root certificates, intermediate certificates
  5. Import the Personal certificate

Copy the certificates from the email you have been provided. In my case I had the new server certificate and the intermediate, and I had to get the private key as well.

Paste each PEM block from the email into its own file, named so the extension matches the content. In my case I had three: NewPrvKey.key (the private key, beginning -----BEGIN PRIVATE KEY----- or -----BEGIN RSA PRIVATE KEY-----), NewCert.crt (the server certificate) and Intermediate.cer (both beginning -----BEGIN CERTIFICATE-----).

Once you’ve done this, you’ll need access to OpenSSL. I’m on a Mac, so it is installed already and is run from Terminal.

OpenSSL will be used to create a .p12 file that we can import into iKeyman. Use the following command:

openssl pkcs12 -export -name "NewKey" -inkey ~/Desktop/NewPrvKey.key -in ~/Desktop/NewCert.crt -out ~/Desktop/NewCert.p12 -keypbe PBE-SHA1-RC2-40

You’ll be prompted for a password for the .p12 you are creating. Remember this, you’ll need it.

A word on -keypbe PBE-SHA1-RC2-40: it encrypts the private key inside the .p12 with 40-bit RC2, and is there only for compatibility with older iKeyman/GSKit versions that cannot read the stronger default. Try the command without it first, and either way treat the .p12 and the plain-text key file as secrets: move them with scp rather than email, and delete both once the import is done.
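Two things go wrong with this step in practice: the key pasted from the email is not the one the certificate was issued for (OpenSSL then fails with "No certificate matches private key"), and the chain sent by the vendor does not actually validate the certificate, which only shows up later as iKeyman's "Validate" failing. The block below is an added example, not from the original post: it does the same pkcs12 export from Python but checks both things first, bundles the intermediate into the .p12 with -certfile, and passes the password through the environment instead of the command line. Every file it uses is generated on the fly (a throw-away CA standing in for the vendor's Intermediate.cer, a server key and certificate, and an unrelated key); on a real job the inputs are the files saved from the email.

```python
# Added example (not from the original post): build the .p12 with OpenSSL from Python, after
# proving the private key belongs to the certificate and that the chain validates.
import os
import shutil
import subprocess
import tempfile


def openssl(*args, env=None):
    """Run one openssl command and return stdout; a non-zero exit raises CalledProcessError."""
    return subprocess.run(["openssl", *args], check=True, capture_output=True,
                          text=True, env=env).stdout


def modulus(kind, path):
    # kind is "x509" for a certificate or "rsa" for an RSA private key; both halves of a
    # key pair share the modulus, so equal output means the key belongs to the certificate
    return openssl(kind, "-noout", "-modulus", "-in", path).strip()


def key_matches_cert(key_path, cert_path):
    return modulus("rsa", key_path) == modulus("x509", cert_path)


def chain_validates(cert_path, ca_bundle_path):
    """What iKeyman's Validate does later: can cert_path be chained to the bundle?"""
    try:
        openssl("verify", "-CAfile", ca_bundle_path, cert_path)
        return True
    except subprocess.CalledProcessError:
        return False


def build_pkcs12(key_path, cert_path, chain_path, out_path, password, label="NewKey"):
    """openssl pkcs12 -export with the intermediate bundled in (-certfile), refusing a key
    that does not belong to the certificate. The password goes through the environment
    (-passout env:), not argv, so it is not readable in the process list."""
    if not key_matches_cert(key_path, cert_path):
        raise ValueError("private key %s does not match certificate %s" % (key_path, cert_path))
    env = dict(os.environ, P12PW=password)
    openssl("pkcs12", "-export", "-name", label, "-inkey", key_path, "-in", cert_path,
            "-certfile", chain_path, "-out", out_path, "-passout", "env:P12PW", env=env)
    return out_path


def certificates_in_pkcs12(p12_path, password):
    """Number of certificates packed in the .p12 (server certificate plus chain)."""
    env = dict(os.environ, P12PW=password)
    pem = openssl("pkcs12", "-in", p12_path, "-nokeys", "-passin", "env:P12PW", env=env)
    return pem.count("-----BEGIN CERTIFICATE-----")


def demo():
    """Constructed material: a throw-away CA signs a server certificate; an unrelated key
    plays the part of the wrong key pasted from an email."""
    work = tempfile.mkdtemp(prefix="p12demo-")

    def p(name):
        return os.path.join(work, name)

    try:
        openssl("req", "-x509", "-newkey", "rsa:2048", "-nodes", "-days", "2",
                "-subj", "/CN=Demo Issuing CA", "-keyout", p("ca.key"), "-out", p("Intermediate.cer"))
        openssl("req", "-newkey", "rsa:2048", "-nodes", "-subj", "/CN=connections.example.test",
                "-keyout", p("NewPrvKey.key"), "-out", p("server.csr"))
        openssl("x509", "-req", "-days", "2", "-in", p("server.csr"), "-CA", p("Intermediate.cer"),
                "-CAkey", p("ca.key"), "-CAcreateserial", "-out", p("NewCert.crt"))
        openssl("genrsa", "-out", p("wrong.key"), "2048")
        result = {
            "key_matches": key_matches_cert(p("NewPrvKey.key"), p("NewCert.crt")),
            "wrong_key_matches": key_matches_cert(p("wrong.key"), p("NewCert.crt")),
            "chain_ok": chain_validates(p("NewCert.crt"), p("Intermediate.cer")),
        }
        try:
            build_pkcs12(p("wrong.key"), p("NewCert.crt"), p("Intermediate.cer"), p("bad.p12"), "demo-pw")
            result["wrong_key_rejected"] = False
        except ValueError:
            result["wrong_key_rejected"] = True
        build_pkcs12(p("NewPrvKey.key"), p("NewCert.crt"), p("Intermediate.cer"), p("NewCert.p12"), "demo-pw")
        result["certs_in_p12"] = certificates_in_pkcs12(p("NewCert.p12"), "demo-pw")
        return result
    finally:
        shutil.rmtree(work)
```

Because the intermediate is already inside the .p12, the iKeyman receive step below pulls the chain in with the personal certificate; the separate import of Intermediate.cer then only matters if you need it as a signer for other keys in the same KDB.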

OK. You’ve now got a .p12. Transfer this to your IHS server, along with the Intermediate.cer you created previously.

Fire up iKeyman; I’m running this on my IBM HTTP Server.

Now we are going to:

  1. Extract the existing trusted root and intermediates from the old KDB (optional)
  2. Create a new KDB
  3. Import the trusted root and intermediates if you need to (optional)
  4. Import your private key


Import the intermediate certificate, and also the other root certificates if you are required to. I’m using TrustiCo, so it is the following. I had these already in another keystore, so I just extracted them from the .kdb I was replacing and then imported them.


Create a new .kdb. I’m calling mine 2015Key.kdb.


Make sure to stash the password to a file, then hit OK. The stash file is what lets IHS open the KDB without prompting, so give it the same restrictive file permissions as the KDB itself: anyone who can read both has your private key.


Now select “Personal Certificates”

Select “Receive”.


Change the key file type to PKCS12 and browse to the .p12.


Enter the password for the .p12, then change the label to something that makes sense. Hit Apply and OK.

This will import the new certificate for your server into the KDB file. If it is the only one, it should automatically be set as the default.

Once done you can validate trust (Personal Certificates > Validate). If everything is working it should give you a nice “Validation successful”. If not, you more than likely don’t have the correct trust chain; go to the vendor of your third-party cert and get the correct signer certs.

Then all that is left is to change the IHS server config to point to the new key and stash (.kdb, .sth). Restart IHS and you should be good to go.


Sametime 9 Managed Settings – HTTP port problem

Just a quick update. I’ve recently been doing some work trying to Auto magically configure Sametime using Managed Settings. This has been a bit of a struggle, but we are getting there.

If you’ve not heard of Managed Settings before, they are a way that you can push out and update Sametime Connect (both embedded and standalone) settings. Here is a good overview.

One caveat we ran into is that the update site pushed out via policies must be an HTTP server running on port 80. Once we enabled tracing on the Sametime Connect clients we were able to get more information on what was going on.

<globalInstanceId="ELc0a8c93700014fac6b9c030000000b" msg="CWPMS0202E: The Managed Settings File Provider was unable to open the URL http://sametime.domain.com:88/sametime/updates/managed-settings.xml due to the following error: Forbidden." severity="50" version="1.0.1">
 <extendedDataElements name="CommonBaseEventLogRecord:level" type="noValue">

We tried everything to make sure that the file was being served correctly. The URL could be opened and the managed-settings file loaded in a browser.

The Workaround

Relocating the managed-settings file to another HTTP server, on port 80, appeared to resolve this issue. We were then able to use the managed settings and push out our changes.

Profiles population, helpful search filter (MS AD).

I’m currently installing Connections 5 for a customer. It’s a great site, as the onsite guys really know their stuff. Anyway, their LDAP is in a bit of a state: a typical example of an organisation that has grown, gone through many Active Directory upgrades, and has no hard and fast rules for user management.

For Connections to be useful, you need relevant and current users in the Profiles database.

With populating the Profiles DB, you’ve got two types of people: the Wizards and the Command Lines. I’m a Wizard guy, just because it has come a long way since I first used it (2.5) and, hey, it automates half of my job. I still like to know and understand what the wizards are doing, but if they automate it, awesome.

So I’m doing this install, and I run the wizard with the default search scope.

The default search filter I used was below. I wanted to see how many records came back.

(&(sAMAccountName=*)(objectClass=user))

As you do, I go through the log file.

LFRN0027I: After operation, success records is 634, duplicate records 0, failure records is 366.

That’s interesting…these guys only have 400 users?

Opened the PEOPLEDB, and there were heaps, I mean heaps, of deactivated users. It doesn’t look like a user account had ever been deleted.

So, reset everything, dropped the DB and recreated it.

I had to work out how to populate without syncing accounts that were disabled. I also wanted mail to be populated.

Here is the search string that did it..

(&(sAMAccountName=*)(objectClass=user)(mail=*)(!(userAccountControl:1.2.840.113556.1.4.803:=2)))

The clause (!(userAccountControl:1.2.840.113556.1.4.803:=2)) uses a feature of MS AD called a bitwise filter. The OID 1.2.840.113556.1.4.803 is the LDAP_MATCHING_RULE_BIT_AND rule: userAccountControl:1.2.840.113556.1.4.803:=2 matches every account whose ACCOUNTDISABLE bit (value 2) is set, and the surrounding ! negates it, so only enabled accounts come back. One more thing worth knowing: objectClass=user also matches computer accounts in AD, because computer is a subclass of user; here the (mail=*) clause keeps them out, but (objectCategory=person) is the usual way to exclude them explicitly. This link explains it better than I ever could.
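To see exactly how the bitwise rule decides, and what the final filter keeps or drops, here is an added example that is not part of the original post: a small evaluator for the AD extensible-match clause (both the bit-AND rule 803 and its bit-OR sibling 804), the two filters from this post expressed as predicates, and a handful of constructed directory entries covering a normal account, a disabled one, one with extra flags set, one without a mail attribute, and a computer object. The entries and their userAccountControl values are made up for the demo; the flag bit values are Microsoft's documented ones.

```python
# Added example (not from the original post): how Active Directory's bitwise matching rules
# decide, and what the Profiles population filter above keeps, on constructed entries.
import re

# userAccountControl flag bits, as documented by Microsoft
UAC_ACCOUNTDISABLE = 0x0002
UAC_NORMAL_ACCOUNT = 0x0200
UAC_WORKSTATION_TRUST_ACCOUNT = 0x1000   # set on computer objects
UAC_DONT_EXPIRE_PASSWORD = 0x10000

LDAP_MATCHING_RULE_BIT_AND = "1.2.840.113556.1.4.803"   # every bit of the mask must be set
LDAP_MATCHING_RULE_BIT_OR = "1.2.840.113556.1.4.804"    # any bit of the mask may be set

_EXTENSIBLE = re.compile(r"^(?P<attr>[A-Za-z][A-Za-z0-9-]*):(?P<oid>[0-9.]+):=(?P<value>\d+)$")


def bitwise_match(clause, entry):
    """Evaluate one extensible-match clause such as
    'userAccountControl:1.2.840.113556.1.4.803:=2' against an entry (a dict of attributes)."""
    m = _EXTENSIBLE.match(clause)
    if m is None:
        raise ValueError("not an attr:OID:=value clause: %r" % clause)
    value = int(entry.get(m.group("attr"), 0))
    mask = int(m.group("value"))
    if m.group("oid") == LDAP_MATCHING_RULE_BIT_AND:
        return (value & mask) == mask
    if m.group("oid") == LDAP_MATCHING_RULE_BIT_OR:
        return (value & mask) != 0
    raise ValueError("unsupported matching rule %s" % m.group("oid"))


def default_filter(entry):
    """(&(sAMAccountName=*)(objectClass=user)), the filter the wizard started with."""
    return "sAMAccountName" in entry and "user" in entry.get("objectClass", ())


def profiles_filter(entry):
    """(&(sAMAccountName=*)(objectClass=user)(mail=*)(!(userAccountControl:1.2.840.113556.1.4.803:=2)))"""
    return (default_filter(entry)
            and "mail" in entry
            and not bitwise_match("userAccountControl:" + LDAP_MATCHING_RULE_BIT_AND + ":=2", entry))


USER_CLASSES = ["top", "person", "organizationalPerson", "user"]

# Constructed entries. 512 = NORMAL_ACCOUNT, 514 = NORMAL_ACCOUNT + ACCOUNTDISABLE,
# 66048 = NORMAL_ACCOUNT + DONT_EXPIRE_PASSWORD, 4096 = WORKSTATION_TRUST_ACCOUNT (a computer).
SAMPLE_ENTRIES = [
    {"sAMAccountName": "alice", "objectClass": USER_CLASSES, "mail": "alice@example.test",
     "userAccountControl": UAC_NORMAL_ACCOUNT},
    {"sAMAccountName": "bob", "objectClass": USER_CLASSES, "mail": "bob@example.test",
     "userAccountControl": UAC_NORMAL_ACCOUNT | UAC_ACCOUNTDISABLE},
    {"sAMAccountName": "carol", "objectClass": USER_CLASSES, "mail": "carol@example.test",
     "userAccountControl": UAC_NORMAL_ACCOUNT | UAC_DONT_EXPIRE_PASSWORD},
    {"sAMAccountName": "dave", "objectClass": USER_CLASSES,          # no mail attribute
     "userAccountControl": UAC_NORMAL_ACCOUNT},
    {"sAMAccountName": "WS01$", "objectClass": USER_CLASSES + ["computer"],
     "userAccountControl": UAC_WORKSTATION_TRUST_ACCOUNT},
]


def select(entries, predicate):
    """sAMAccountName of every entry the predicate accepts, in directory order."""
    return [e["sAMAccountName"] for e in entries if predicate(e)]
```

`select(SAMPLE_ENTRIES, default_filter)` returns all five names, computer included, while `select(SAMPLE_ENTRIES, profiles_filter)` returns only alice and carol: bob fails the disabled-bit test, dave has no mail, and the workstation has neither. The bit-AND rule is "all bits": a mask of 514 only matches an account that is both normal and disabled, which is why the filter uses the single bit 2.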

After operation, success records is 406, duplicate records 0, failure records is 24, and last successful entry is

This worked; the number of users synced dropped to the correct figure. Happy days.


Connections 5 CR1 CR2 IBM upgrade guides

Found these guides hidden in the depths of the release notes for IBM Connections 5 CR2.

Noted that the CR2 guide also has call-outs if you are doing a 5.0 > CR2 update.

Looks like the 5.0 -> 5 CR2 requires some extra SQL scripts against your connections database and some additional Content Manager requirements.

CR1 guide here

CR2 guide here

Thanks to IBM for some good material.

Installation Manager fails own install – Exit code 1 on CentOS

CentOS is pretty awesome. I do most of my work these days on a Linux distro, thankfully. We usually just run from the command line and use tools like Xming and PuTTY for the GUI-only bits of the install.

In this particular install we were using the server’s GNOME desktop. When running Installation Manager 1.8 we were getting a JVM crash on hitting “Next” in the installer, and it exited with exit code 1.

After much searching and ensuring everything was up to date, I stumbled across this technote.

Once this fix was in place, I was able to continue the install.

Updating a user’s personal library quota in Connections Files

I get asked quite a bit how to do some routine things in customers’ environments. You’d think the simple task of increasing a user’s Files quota would be pretty straightforward. Unfortunately, it’s more complex and convolu­ted than it should be. I can only hope upcoming versions of Connections start integrating the great administration tools available from Business Partners into the core product.

Overview of the process 

  1. Create a policy – refer to this blog on how to create a policy.
  2. Find the user
  3. Find the library belonging to the user
  4. Apply the policy to the Library

Start up wsadmin on the Deployment Manager. (Passing -password on the command line leaves it in the shell history and visible to anyone listing processes while wsadmin runs; leave -user and -password out and wsadmin prompts for them instead.)

D:\>cd IBM\WebSphere\AppServer\profiles\Dmgr01\bin
D:\IBM\WebSphere\AppServer\profiles\Dmgr01\bin>wsadmin.bat -lang jython -user <connectionsadminuser> -password <connectionsadminuserpassword> -port 8879
WASX7209I: Connected to process "dmgr" on node CellManager01 using SOAP connector; The type of process is: DeploymentManager
WASX7031I: For help, enter: "print Help.help()"

Start Files administration, and connect to a node
wsadmin>execfile("filesAdmin.py")
1: WebSphere:name=FilesSchedulerMBean,process=Cluster2_server1,platform=dynamicproxy,node=Node01,version=8.0.0.5,type=LotusConnections,mbeanIdentifier=FilesSchedulerMBean,cell=Cell01,spec=1.0
2: WebSphere:name=FilesSchedulerMBean,process=Cluster2_server2,platform=dynamicproxy,node=Node01,version=8.0.0.5,type=LotusConnections,mbeanIdentifier=FilesSchedulerMBean,cell=Cell01,spec=1.0
Which service do you want to connect to?
1

Connecting to WebSphere:name=FilesAdminService,type=LotusConnections,cell=Cell01,node=Node01,*
Files Administration initialized.

Find the user’s ID by using their email address; it is the id= value in the output.
wsadmin>FilesMemberService.getByEmail("userwhoneedsmorespace@blah.com")
{directoryGroupLastUpdate=Tue Sep 09 12:48:02 EST 2014, lastVisit=Tue Sep 09 12:46:01 EST 2014, communityLastUpdate=Tue Sep 09 12:48:02 EST 2014, createDate=Thu Jul 04 16:50:43 EST 2013, id=97ea886e-fa34-415f-9883-2658af528bb6, name=User Who, email=userwhoneedsmorespace@blah.com, directoryLastUpdate=Tue Sep 09 12:46:01 EST 2014, isOprhan=false}

Take note of the value in "id=". This is the internal representation of the user in the Files application.

In this case it is id=97ea886e-fa34-415f-9883-2658af528bb6

Use the ID to find the user’s library ID.

wsadmin>FilesLibraryService.getPersonalByOwnerId("97ea886e-fa34-415f-9883-2658af528bb6")
{maximumSize=524288000, size=524174032, percentUsed=0.9997826232910156, summary=, createDate=Thu Jul 04 16:50:43 EST 2013, policyId=00000000-0000-0000-0000-000000000000, externalContainerId=null, themeName=, label=036841EC-8E19-4118-986A-B55B53BA663A, title=User Who, ownerUserId=97ea886e-fa34-415f-9883-2658af528bb6, type=personal, id=021b4d54-c47a-41ca-97d3-46b301b3bc34, externalInstanceId=null, lastUpdate=Thu Jul 04 16:50:43 EST 2013}

Note that some pretty interesting information is displayed, e.g. the policy currently applied (policyId, all zeros here because no specific policy has been assigned) and the current percentage used (percentUsed). The bit we are interested in is the id of the library, which in this case is id=021b4d54-c47a-41ca-97d3-46b301b3bc34.

Assign the policy to the library

I had already created a policy for 1GB and taken note of its ID. For completeness, it was d60abd07-5d86-45b3-8500-20ce95596bd5.

The syntax of the command is FilesLibraryService.assignPolicy("LibraryID", "PolicyID")

wsadmin>FilesLibraryService.assignPolicy("021b4d54-c47a-41ca-97d3-46b301b3bc34", "d60abd07-5d86-45b3-8500-20ce95596bd5")

If it completes, you’ll get a confirmation like the one below.
The policy with the id d60abd07-5d86-45b3-8500-20ce95596bd5 is now assigned to the library with the id 021b4d54-c47a-41ca-97d3-46b301b3bc34
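Copying GUIDs between three wsadmin commands is where this goes wrong on a busy day (wrong user, wrong library, a policy assigned twice). The block below is an added example, not from the original post or from IBM: the three steps as one function that checks each lookup before moving on, plus the percentage calculation behind the percentUsed field shown above. It is written for the Jython 2.1 interpreter that wsadmin ships with (no True/False literals, no with-statement, only .get() on the returned maps) and also runs under CPython 3 here against the constructed stand-in services at the bottom, which mirror the field names in the output quoted above (id, ownerUserId, policyId, size, maximumSize). It assumes the real FilesMemberService and FilesLibraryService return None when nothing is found and that their return values support .get(); the IDs are the ones from the walkthrough.

```python
# Added example (not from the original post or from IBM): the three wsadmin steps above as one
# checked function. Jython 2.1 compatible, so it can be pasted into a wsadmin session after
# execfile("filesAdmin.py"); the Fake* classes are constructed stand-ins for the real services.

NO_POLICY = "00000000-0000-0000-0000-000000000000"   # policyId shown when nothing is assigned


def assign_quota_policy(member_service, library_service, email, policy_id):
    """Look the user up by email, find their personal library and assign policy_id to it.
    Returns the library id; raises ValueError naming the step that found nothing."""
    member = member_service.getByEmail(email)
    if member is None:
        raise ValueError("no Files member with email %s" % email)
    owner_id = member.get("id")
    library = library_service.getPersonalByOwnerId(owner_id)
    if library is None:
        raise ValueError("%s (%s) has no personal library yet" % (email, owner_id))
    if library.get("policyId") == policy_id:
        return library.get("id")          # already assigned: nothing to change
    library_service.assignPolicy(library.get("id"), policy_id)
    return library.get("id")


def percent_used(library):
    """Quota usage as a percentage, from the size/maximumSize fields the service returns."""
    maximum = library.get("maximumSize")
    if not maximum:
        return 0.0
    return 100.0 * library.get("size") / maximum


# --- constructed stand-ins for the wsadmin services, shaped like the output quoted above ---

class FakeMemberService:
    def __init__(self, members):
        self.members = members

    def getByEmail(self, email):
        for m in self.members:
            if m.get("email") == email:
                return m
        return None


class FakeLibraryService:
    def __init__(self, libraries):
        self.libraries = libraries
        self.assigned = []           # (libraryId, policyId) pairs, in call order

    def getPersonalByOwnerId(self, owner_id):
        for lib in self.libraries:
            if lib.get("ownerUserId") == owner_id and lib.get("type") == "personal":
                return lib
        return None

    def assignPolicy(self, library_id, policy_id):
        for lib in self.libraries:
            if lib.get("id") == library_id:
                lib["policyId"] = policy_id
                self.assigned.append((library_id, policy_id))
                return
        raise ValueError("no library with id %s" % library_id)


USER_EMAIL = "userwhoneedsmorespace@blah.com"
USER_ID = "97ea886e-fa34-415f-9883-2658af528bb6"
LIBRARY_ID = "021b4d54-c47a-41ca-97d3-46b301b3bc34"
POLICY_1GB = "d60abd07-5d86-45b3-8500-20ce95596bd5"


def demo():
    """Run the walkthrough against the constructed services; returns them and the library id."""
    members = [{"id": USER_ID, "name": "User Who", "email": USER_EMAIL}]
    libraries = [{"id": LIBRARY_ID, "ownerUserId": USER_ID, "type": "personal",
                  "policyId": NO_POLICY, "size": 524174032, "maximumSize": 524288000}]
    member_service = FakeMemberService(members)
    library_service = FakeLibraryService(libraries)
    library_id = assign_quota_policy(member_service, library_service, USER_EMAIL, POLICY_1GB)
    return member_service, library_service, library_id


if __name__ == "__main__":
    ms, ls, lib_id = demo()
    print("assigned %s to library %s (was %.2f%% full)" % (POLICY_1GB, lib_id, percent_used(ls.libraries[0])))
```

Inside wsadmin the call is `assign_quota_policy(FilesMemberService, FilesLibraryService, "user@example.com", "policy-guid")`; a second run for the same user returns the library id without calling assignPolicy again.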