Source: http://collaborationben.com/feed/

<?xml version="1.0" encoding="UTF-8"?><rss version="2.0"
xmlns:content="http://purl.org/rss/1.0/modules/content/"
xmlns:wfw="http://wellformedweb.org/CommentAPI/"
xmlns:dc="http://purl.org/dc/elements/1.1/"
xmlns:atom="http://www.w3.org/2005/Atom"
xmlns:sy="http://purl.org/rss/1.0/modules/syndication/"
xmlns:slash="http://purl.org/rss/1.0/modules/slash/"
xmlns:georss="http://www.georss.org/georss" xmlns:geo="http://www.w3.org/2003/01/geo/wgs84_pos#" xmlns:media="http://search.yahoo.com/mrss/"
>

<channel>
<title>collaborationben</title>
<atom:link href="https://collaborationben.com/feed/" rel="self" type="application/rss+xml" />
<link>https://collaborationben.com</link>
<description>A blog on Sametime, Connections, Portal and more</description>
<lastBuildDate>Fri, 06 Jan 2017 21:45:31 +0000</lastBuildDate>
<language>en</language>
<sy:updatePeriod>hourly</sy:updatePeriod>
<sy:updateFrequency>1</sy:updateFrequency>
<generator>http://wordpress.com/</generator>
<cloud domain='collaborationben.com' port='80' path='/?rsscloud=notify' registerProcedure='' protocol='http-post' />
<image>
<url>https://s2.wp.com/i/buttonw-com.png</url>
<title>collaborationben</title>
<link>https://collaborationben.com</link>
</image>
<atom:link rel="search" type="application/opensearchdescription+xml" href="https://collaborationben.com/osd.xml" title="collaborationben" />
<atom:link rel='hub' href='https://collaborationben.com/?pushpress=hub'/>
<item>
<title>IBM Connections Mail not working due to Domino view oddness</title>
<link>https://collaborationben.com/2017/01/06/ibm-connections-mail-not-working-due-to-domino-view-oddness/</link>
<comments>https://collaborationben.com/2017/01/06/ibm-connections-mail-not-working-due-to-domino-view-oddness/#respond</comments>
<pubDate>Fri, 06 Jan 2017 21:31:52 +0000</pubDate>
<dc:creator><![CDATA[collaborationben]]></dc:creator>
<category><![CDATA[Connections]]></category>
<category><![CDATA[Uncategorized]]></category>
<category><![CDATA[AD]]></category>
<category><![CDATA[Domino]]></category>
<category><![CDATA[IBM]]></category>
<category><![CDATA[IBM Connections Mail]]></category>
<category><![CDATA[ibmconnections]]></category>

<guid isPermaLink="false">http://collaborationben.com/?p=805</guid>
<description><![CDATA[I&#8217;m sure I could have come up with a better title but I&#8217;m not sure how else to put it. Prior to going live with an internal Connections 5.5 deployment my colleagues in India were testing Connections and they kept getting the following error appear on each page in Connections. "You are no longer logged [&#8230;]]]></description>
<content:encoded><![CDATA[<p>I&#8217;m sure I could have come up with a better title but I&#8217;m not sure how else to put it.</p>
<p>Prior to going live with an internal Connections 5.5 deployment my colleagues in India were testing Connections and they kept getting the following error appear on each page in Connections.</p>
<pre>"You are no longer logged in. Click OK to discard your current work and go to the log in screen...."</pre>
<p><a href="https://collaborationben.files.wordpress.com/2017/01/1.jpg" target="_blank"><img data-attachment-id="806" data-permalink="https://collaborationben.com/2017/01/06/ibm-connections-mail-not-working-due-to-domino-view-oddness/1-24/#main" data-orig-file="https://collaborationben.files.wordpress.com/2017/01/1.jpg?w=776&#038;h=134" data-orig-size="831,143" data-comments-opened="1" data-image-meta="{&quot;aperture&quot;:&quot;0&quot;,&quot;credit&quot;:&quot;&quot;,&quot;camera&quot;:&quot;&quot;,&quot;caption&quot;:&quot;&quot;,&quot;created_timestamp&quot;:&quot;0&quot;,&quot;copyright&quot;:&quot;&quot;,&quot;focal_length&quot;:&quot;0&quot;,&quot;iso&quot;:&quot;0&quot;,&quot;shutter_speed&quot;:&quot;0&quot;,&quot;title&quot;:&quot;&quot;,&quot;orientation&quot;:&quot;0&quot;}" data-image-title="1" data-image-description="" data-medium-file="https://collaborationben.files.wordpress.com/2017/01/1.jpg?w=776&#038;h=134?w=300" data-large-file="https://collaborationben.files.wordpress.com/2017/01/1.jpg?w=776&#038;h=134?w=776" class="alignnone wp-image-806 size-full" src="https://collaborationben.files.wordpress.com/2017/01/1.jpg?w=776&#038;h=134" alt="1" width="776" height="134" srcset="https://collaborationben.files.wordpress.com/2017/01/1.jpg?w=776&amp;h=134 776w, https://collaborationben.files.wordpress.com/2017/01/1.jpg?w=150&amp;h=26 150w, https://collaborationben.files.wordpress.com/2017/01/1.jpg?w=300&amp;h=52 300w, https://collaborationben.files.wordpress.com/2017/01/1.jpg?w=768&amp;h=132 768w, https://collaborationben.files.wordpress.com/2017/01/1.jpg 831w" sizes="(max-width: 776px) 100vw, 776px" /></a></p>
<p>Having seen this in customer environments in the past I knew it was due to IBM Connections Mail, but I didn&#8217;t know why.</p>
<p>I had the user open the iNotes URL in a new tab in the same browser, and he got the following error.</p>
<pre>"CN=****** you have insufficient rights for /mail/***.nsf. Please login with a username and password which has sufficient rights."</pre>
<p><a href="https://collaborationben.files.wordpress.com/2017/01/2.jpg" target="_blank"><img data-attachment-id="807" data-permalink="https://collaborationben.com/2017/01/06/ibm-connections-mail-not-working-due-to-domino-view-oddness/2-13/#main" data-orig-file="https://collaborationben.files.wordpress.com/2017/01/2.jpg?w=776" data-orig-size="542,266" data-comments-opened="1" data-image-meta="{&quot;aperture&quot;:&quot;0&quot;,&quot;credit&quot;:&quot;&quot;,&quot;camera&quot;:&quot;&quot;,&quot;caption&quot;:&quot;&quot;,&quot;created_timestamp&quot;:&quot;0&quot;,&quot;copyright&quot;:&quot;&quot;,&quot;focal_length&quot;:&quot;0&quot;,&quot;iso&quot;:&quot;0&quot;,&quot;shutter_speed&quot;:&quot;0&quot;,&quot;title&quot;:&quot;&quot;,&quot;orientation&quot;:&quot;0&quot;}" data-image-title="2" data-image-description="" data-medium-file="https://collaborationben.files.wordpress.com/2017/01/2.jpg?w=776?w=300" data-large-file="https://collaborationben.files.wordpress.com/2017/01/2.jpg?w=776?w=542" class="alignnone wp-image-807 size-full" src="https://collaborationben.files.wordpress.com/2017/01/2.jpg?w=776" alt="2" srcset="https://collaborationben.files.wordpress.com/2017/01/2.jpg 542w, https://collaborationben.files.wordpress.com/2017/01/2.jpg?w=150 150w, https://collaborationben.files.wordpress.com/2017/01/2.jpg?w=300 300w" sizes="(max-width: 542px) 100vw, 542px"   /></a></p>
<p>SSO had been set up correctly and the configuration is the same for everyone. Those in the UK worked fine.</p>
<p>I compared the DistinguishedName in AD (as Connections uses AD for its LDAP), and the OU my colleagues in India sit in differs from the one used in the UK. I noticed that there was a double space between the words in one of the India OUs. That was the only difference between the two sets of users.</p>
<p>I checked the value in the user&#8217;s Person document, Administration tab, LTPA user name field, and it showed correctly, i.e. it had the double space in it.</p>
<p>My colleague looked at all the users connected to the iNotes server. For me it showed my Domino format name, i.e. Ben Williams/Something/Org, but for the problematic user and his colleagues it still showed the AD name. So name resolution wasn&#8217;t working.</p>
<p>We scratched our heads, and then I remembered an old (unrelated) problem for a customer and had my colleague open the address book so we could look in the $USERS view. In there we saw the user, but the DN <strong>did not</strong> have the double space, only a single space. That would explain why the AD DN didn&#8217;t resolve to the Domino hierarchical name.</p>
<p>When my colleague attempted to paste the AD DN into the User name field of his Person document and save the change, we saw that the text &#8220;moved&#8221;, removing the additional space! I Googled, looked at the old Domino Technote database and the APAR support website, but I couldn&#8217;t find anything to describe why this would happen.</p>
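<p>The lookup above fails because the DN coming from AD and the DN recorded in Domino's $USERS view differ by a single space inside one OU, and the LTPA name mapping is an exact string comparison. The following Python is an added example, not code from this post or from IBM, that finds users with exactly that kind of mismatch before they start reporting SSO errors: it normalises two lists of DNs the way the directories themselves compare them (case-insensitively, RFC 4514 escapes preserved) and then reports only the pairs that match once internal whitespace runs are collapsed. The DNs and OU names are constructed sample data.</p>

```python
"""Flag LDAP DNs that differ only by runs of whitespace.

Added example for the Domino/AD mismatch described above; it is not code
from the post. The DNs below are constructed sample data and the OU names
are invented.
"""
import re


def split_dn(dn: str) -> list:
    """Split a DN into its RDN strings on unescaped commas, keeping
    RFC 4514 backslash escapes (e.g. 'CN=Smith\\, John') intact."""
    rdns, buf, i = [], [], 0
    while i < len(dn):
        ch = dn[i]
        if ch == "\\" and i + 1 < len(dn):
            buf.append(dn[i:i + 2])       # keep the escape pair as-is
            i += 2
            continue
        if ch == ",":
            rdns.append("".join(buf))
            buf = []
        else:
            buf.append(ch)
        i += 1
    rdns.append("".join(buf))
    return rdns


def canonical(dn: str, collapse_spaces: bool = False) -> str:
    """Canonical form for comparison: attribute types lower-cased, values
    case-folded, whitespace trimmed around each RDN and its '='. AD and
    Domino both match names case-insensitively, so this is the strictest
    comparison that is fair. With collapse_spaces=True every internal run
    of whitespace becomes one space, which is what the $USERS view in the
    post appeared to do to the AD DN."""
    out = []
    for rdn in split_dn(dn):
        if "=" not in rdn:
            raise ValueError(f"malformed RDN {rdn!r} in {dn!r}")
        attr_type, value = rdn.split("=", 1)
        value = value.strip().casefold()
        if collapse_spaces:
            value = re.sub(r"\s+", " ", value)
        out.append(f"{attr_type.strip().lower()}={value}")
    return ",".join(out)


def whitespace_only_mismatches(ad_dns, directory_dns):
    """Pairs (ad_dn, directory_dn) that are equal once whitespace runs are
    collapsed but not otherwise. These are the users whose AD DN will not
    resolve against the name stored on the Domino side."""
    strict = {canonical(d) for d in directory_dns}
    loose = {}
    for d in directory_dns:
        loose.setdefault(canonical(d, collapse_spaces=True), []).append(d)
    pairs = []
    for a in ad_dns:
        if canonical(a) in strict:
            continue                      # already resolves, nothing to report
        for d in loose.get(canonical(a, collapse_spaces=True), []):
            pairs.append((a, d))
    return pairs


# Constructed sample: the second AD DN carries a double space in an OU name;
# the Domino-side copy has been collapsed to a single space.
AD_DNS = [
    "CN=Ben Williams,OU=UK Staff,OU=Users,DC=acme,DC=local",
    "CN=Some User,OU=India  Staff,OU=Users,DC=acme,DC=local",
]
DOMINO_LTPA_NAMES = [
    "cn=ben williams,ou=uk staff,ou=users,dc=acme,dc=local",
    "CN=Some User,OU=India Staff,OU=Users,DC=acme,DC=local",
]

if __name__ == "__main__":
    for ad_dn, dir_dn in whitespace_only_mismatches(AD_DNS, DOMINO_LTPA_NAMES):
        print(f"whitespace-only mismatch:\n  AD:     {ad_dn!r}\n  Domino: {dir_dn!r}")
```

<p>Feed it the DistinguishedName values exported from AD and the LTPA user name values from the Domino directory; every pair it prints is a user who will see the &#8220;no longer logged in&#8221; dialog until either the OU in AD or the stored name is corrected, as the post goes on to do.</p>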
<p>In the end I spoke with our AD guys and they updated the OU, removing the extra space. Then we updated the LTPA user name field (just to keep things clean) and our brethren in our India office could use IBM Connections Mail.</p>]]></content:encoded>
<wfw:commentRss>https://collaborationben.com/2017/01/06/ibm-connections-mail-not-working-due-to-domino-view-oddness/feed/</wfw:commentRss>
<slash:comments>0</slash:comments>
<media:content url="http://1.gravatar.com/avatar/73d65d70497b3486650a324a0d88ecf1?s=96&#38;d=identicon&#38;r=G" medium="image">
<media:title type="html">collaborationben</media:title>
</media:content>

<media:content url="http://collaborationben.files.wordpress.com/2017/01/1.jpg" medium="image">
<media:title type="html">1</media:title>
</media:content>

<media:content url="http://collaborationben.files.wordpress.com/2017/01/2.jpg" medium="image">
<media:title type="html">2</media:title>
</media:content>
</item>
<item>
<title>HOMEPAGE.SR_RESUME_TOKENS duplicate data in IBM Connections &#8211; proper fix</title>
<link>https://collaborationben.com/2016/12/06/homepage-sr_resume_tokens-duplicate-data-in-ibm-connections-proper-fix/</link>
<comments>https://collaborationben.com/2016/12/06/homepage-sr_resume_tokens-duplicate-data-in-ibm-connections-proper-fix/#respond</comments>
<pubDate>Tue, 06 Dec 2016 15:12:19 +0000</pubDate>
<dc:creator><![CDATA[collaborationben]]></dc:creator>
<category><![CDATA[Connections]]></category>
<category><![CDATA[DB2]]></category>
<category><![CDATA[ibm connections]]></category>
<category><![CDATA[SR_RESUME_TOKENS]]></category>

<guid isPermaLink="false">http://collaborationben.com/?p=800</guid>
<description><![CDATA[I wrote a post, HOMEPAGE.SR_RESUME_TOKENS duplicate data in IBM Connections, where I work around the problem by clearing the contents of SR_RESUME_TOKENS. I found that every restart of the JVM hosting Search caused more rows to be added to the table. I raised a PMR and IBM came back and told me that others have [&#8230;]]]></description>
<content:encoded><![CDATA[<p>I wrote a post, <a href="https://collaborationben.com/2016/11/19/homepage-sr_resume_tokens-duplicate-data-in-ibm-connections/">HOMEPAGE.SR_RESUME_TOKENS duplicate data in IBM Connections</a>, in which I worked around the problem by clearing the contents of SR_RESUME_TOKENS. I found that every restart of the JVM hosting Search caused more rows to be added to the table. I raised a PMR and IBM came back and told me that others have raised the same problem and that it is due to missing constraints. The missing constraints should have been added during the &#8220;post&#8221; migration process that reapplies the constraints after using dbt.jar.</p>
<p>My constraints looked like this:</p>
<p><a href="https://collaborationben.files.wordpress.com/2016/12/constraints2.jpg" target="_blank"><img data-attachment-id="801" data-permalink="https://collaborationben.com/2016/12/06/homepage-sr_resume_tokens-duplicate-data-in-ibm-connections-proper-fix/constraints2/#main" data-orig-file="https://collaborationben.files.wordpress.com/2016/12/constraints2.jpg?w=776&#038;h=86" data-orig-size="853,94" data-comments-opened="1" data-image-meta="{&quot;aperture&quot;:&quot;0&quot;,&quot;credit&quot;:&quot;&quot;,&quot;camera&quot;:&quot;&quot;,&quot;caption&quot;:&quot;&quot;,&quot;created_timestamp&quot;:&quot;0&quot;,&quot;copyright&quot;:&quot;&quot;,&quot;focal_length&quot;:&quot;0&quot;,&quot;iso&quot;:&quot;0&quot;,&quot;shutter_speed&quot;:&quot;0&quot;,&quot;title&quot;:&quot;&quot;,&quot;orientation&quot;:&quot;0&quot;}" data-image-title="constraints2" data-image-description="" data-medium-file="https://collaborationben.files.wordpress.com/2016/12/constraints2.jpg?w=776&#038;h=86?w=300" data-large-file="https://collaborationben.files.wordpress.com/2016/12/constraints2.jpg?w=776&#038;h=86?w=776" class="alignnone wp-image-801 size-full" src="https://collaborationben.files.wordpress.com/2016/12/constraints2.jpg?w=776&#038;h=86" alt="constraints2" width="776" height="86" srcset="https://collaborationben.files.wordpress.com/2016/12/constraints2.jpg?w=776&amp;h=86 776w, https://collaborationben.files.wordpress.com/2016/12/constraints2.jpg?w=150&amp;h=17 150w, https://collaborationben.files.wordpress.com/2016/12/constraints2.jpg?w=300&amp;h=33 300w, https://collaborationben.files.wordpress.com/2016/12/constraints2.jpg?w=768&amp;h=85 768w, https://collaborationben.files.wordpress.com/2016/12/constraints2.jpg 853w" sizes="(max-width: 776px) 100vw, 776px" /></a></p>
<p>Whilst they should have looked like this:</p>
<p><a href="https://collaborationben.files.wordpress.com/2016/12/constraints1.jpg" target="_blank"><img data-attachment-id="802" data-permalink="https://collaborationben.com/2016/12/06/homepage-sr_resume_tokens-duplicate-data-in-ibm-connections-proper-fix/constraints1/#main" data-orig-file="https://collaborationben.files.wordpress.com/2016/12/constraints1.jpg?w=776&#038;h=29" data-orig-size="1372,52" data-comments-opened="1" data-image-meta="{&quot;aperture&quot;:&quot;0&quot;,&quot;credit&quot;:&quot;&quot;,&quot;camera&quot;:&quot;&quot;,&quot;caption&quot;:&quot;&quot;,&quot;created_timestamp&quot;:&quot;0&quot;,&quot;copyright&quot;:&quot;&quot;,&quot;focal_length&quot;:&quot;0&quot;,&quot;iso&quot;:&quot;0&quot;,&quot;shutter_speed&quot;:&quot;0&quot;,&quot;title&quot;:&quot;&quot;,&quot;orientation&quot;:&quot;0&quot;}" data-image-title="constraints1" data-image-description="" data-medium-file="https://collaborationben.files.wordpress.com/2016/12/constraints1.jpg?w=776&#038;h=29?w=300" data-large-file="https://collaborationben.files.wordpress.com/2016/12/constraints1.jpg?w=776&#038;h=29?w=776" class="alignnone wp-image-802 size-full" src="https://collaborationben.files.wordpress.com/2016/12/constraints1.jpg?w=776&#038;h=29" alt="constraints1" width="776" height="29" srcset="https://collaborationben.files.wordpress.com/2016/12/constraints1.jpg?w=776&amp;h=29 776w, https://collaborationben.files.wordpress.com/2016/12/constraints1.jpg?w=150&amp;h=6 150w, https://collaborationben.files.wordpress.com/2016/12/constraints1.jpg?w=300&amp;h=11 300w, https://collaborationben.files.wordpress.com/2016/12/constraints1.jpg?w=768&amp;h=29 768w, https://collaborationben.files.wordpress.com/2016/12/constraints1.jpg?w=1024&amp;h=39 1024w, https://collaborationben.files.wordpress.com/2016/12/constraints1.jpg 1372w" sizes="(max-width: 776px) 100vw, 776px" /></a></p>
<p>I stopped the JVM hosting Search and ran the following DB2 commands:</p>
  93. <p><em>db2 &#8220;DELETE FROM HOMEPAGE.SR_RESUME_TOKENS WHERE NODE_ID = &#8216;xxxxxNode01:InfraCluster_server1&#8242;&#8221;</em><br />
  94. <em>db2 &#8220;ALTER TABLE HOMEPAGE.SR_RESUME_TOKENS ADD CONSTRAINT &#8220;PK_TOKEN_ID&#8221; PRIMARY KEY (&#8220;TOKEN_ID&#8221;)&#8221;</em><br />
  95. <em>DB21034E  The command was processed as an SQL statement because it was not a</em><br />
  96. <em>valid Command Line Processor command.  During SQL processing it returned:</em><br />
  97. <em>db2 &#8220;ALTER TABLE HOMEPAGE.SR_RESUME_TOKENS ADD CONSTRAINT &#8220;FK_RT_IDX_MGMT_ID&#8221; FOREIGN KEY (&#8220;NODE_ID&#8221;) REFERENCES HOMEPAGE.SR_INDEX_MANAGEMENT(&#8220;NODE_ID&#8221;) ON DELETE CASCADE&#8221;</em><br />
  98. <em>DB20000I  The SQL command completed successfully.</em><br />
  99. <em>db2 &#8220;RUNSTATS ON TABLE HOMEPAGE.SR_RESUME_TOKENS&#8221;</em><br />
  100. <em>DB20000I  The RUNSTATS command completed successfully.</em><br />
  101. <em>db2 &#8220;RUNSTATS ON TABLE HOMEPAGE.SR_RESUME_TOKENS FOR INDEXES ALL&#8221;</em><br />
  102. <em>DB20000I  The RUNSTATS command completed successfully.</em></p>
<p>On restarting the Search JVM a number of times I found that only one row was created for each application, not multiple rows as I had found previously.</p>
<p>Thanks IBM 🙂</p>]]></content:encoded>
<wfw:commentRss>https://collaborationben.com/2016/12/06/homepage-sr_resume_tokens-duplicate-data-in-ibm-connections-proper-fix/feed/</wfw:commentRss>
<slash:comments>0</slash:comments>
<media:content url="http://1.gravatar.com/avatar/73d65d70497b3486650a324a0d88ecf1?s=96&#38;d=identicon&#38;r=G" medium="image">
<media:title type="html">collaborationben</media:title>
</media:content>

<media:content url="http://collaborationben.files.wordpress.com/2016/12/constraints2.jpg" medium="image">
<media:title type="html">constraints2</media:title>
</media:content>

<media:content url="http://collaborationben.files.wordpress.com/2016/12/constraints1.jpg" medium="image">
<media:title type="html">constraints1</media:title>
</media:content>
</item>
<item>
<title>HOMEPAGE.SR_RESUME_TOKENS duplicate data in IBM Connections</title>
<link>https://collaborationben.com/2016/11/19/homepage-sr_resume_tokens-duplicate-data-in-ibm-connections/</link>
<comments>https://collaborationben.com/2016/11/19/homepage-sr_resume_tokens-duplicate-data-in-ibm-connections/#respond</comments>
<pubDate>Sat, 19 Nov 2016 07:19:51 +0000</pubDate>
<dc:creator><![CDATA[collaborationben]]></dc:creator>
<category><![CDATA[Uncategorized]]></category>
<category><![CDATA[Connections]]></category>
<category><![CDATA[DB2]]></category>
<category><![CDATA[homepage]]></category>
<category><![CDATA[ibm connections]]></category>
<category><![CDATA[ibmconnections]]></category>
<category><![CDATA[Search]]></category>
<category><![CDATA[SR_RESUME_TOKENS]]></category>

<guid isPermaLink="false">http://collaborationben.com/?p=791</guid>
<description><![CDATA[I was checking things after migrating IBM Connections from version 4.0 to 5.5 and found the following error in the application server hosting Search. It didn&#8217;t stop the search index and returning results. [11/18/16 18:46:00:604 GMT] 000001ba XmlBeanDefini I org.springframework.beans.factory.xml.XmlBeanDefinitionReader loadBeanDefinitions Loading XML bean definitions from class path resource [org/springframework/jdbc/support/sql-error-codes.xml] [11/18/16 18:46:00:627 GMT] 000001ba SQLErrorCodes [&#8230;]]]></description>
<content:encoded><![CDATA[<p>I was checking things after migrating IBM Connections from version 4.0 to 5.5 and found the following error in the application server hosting Search. It didn&#8217;t stop the search index from being built or from returning results.</p>
<pre>[11/18/16 18:46:00:604 GMT] 000001ba XmlBeanDefini I org.springframework.beans.factory.xml.XmlBeanDefinitionReader loadBeanDefinitions Loading XML bean definitions from class path resource [org/springframework/jdbc/support/sql-error-codes.xml]
[11/18/16 18:46:00:627 GMT] 000001ba SQLErrorCodes I org.springframework.jdbc.support.SQLErrorCodesFactory &lt;init&gt; SQLErrorCodes loaded: [DB2, Derby, H2, HSQL, Informix, MS-SQL, MySQL, Oracle, PostgreSQL, Sybase]
[11/18/16 18:46:00:645 GMT] 000001ba IndexingTaskB W com.ibm.connections.search.ejbs.indexing.IndexingTaskBean processTask CLFRW0395E: An error occurred while running the scheduled indexing task named 15min-search-indexing-task.
                                  com.ibm.connections.search.admin.index.exception.IndexingTaskException: org.springframework.jdbc.UncategorizedSQLException: SqlMapClient operation; uncategorized SQLException for SQL []; SQL state [null]; error code [0]; Error: executeQueryForObject returned too many results.; nested exception is java.sql.SQLException: Error: executeQueryForObject returned too many results.</pre>
<p>I Googled &#8220;returned too many results&#8221; and it hinted at duplicate data in databases for different IBM products. Hmmm.</p>
<p>I enabled the following trace and ran a one-off indexing task, <code>SearchService.indexNow("all_configured")</code>:</p>
<pre>com.ibm.connections.search.index.indexing.*=all: com.ibm.connections.search.seedlist.*=all: com.ibm.connections.httpClient.*=all</pre>
<p>In trace.log I saw more information, and just prior to the database exception I saw resume token messages:</p>
<pre>[11/18/16 18:46:00:580 GMT] 000001ba ResumeTokenIn &gt; com.ibm.connections.search.seedlist.crawler.util.ResumeTokenInterpreter getInitialResumeToken ENTRY wikis
[11/18/16 18:46:00:580 GMT] 000001ba ResumeTokenIn &gt; com.ibm.connections.search.seedlist.crawler.util.ResumeTokenInterpreter resumeTokenFromDate ENTRY Thu Jan 01 01:00:00 GMT 1970 wikis
[11/18/16 18:46:00:580 GMT] 000001ba ResumeTokenIn &lt; com.ibm.connections.search.seedlist.crawler.util.ResumeTokenInterpreter resumeTokenFromDate RETURN AAAAAAAAAAA=
[11/18/16 18:46:00:580 GMT] 000001ba ResumeTokenIn &lt; com.ibm.connections.search.seedlist.crawler.util.ResumeTokenInterpreter getInitialResumeToken RETURN AAAAAAAAAAA=</pre>
<p>Resume tokens and references to duplicate data in the database, hmmm. Well, HOMEPAGE has the SR_RESUME_TOKENS table. I opened it in DbVisualizer and saw this.</p>
<p><a href="https://collaborationben.files.wordpress.com/2016/11/resumetoken2.jpg" target="_blank"><img data-attachment-id="793" data-permalink="https://collaborationben.com/2016/11/19/homepage-sr_resume_tokens-duplicate-data-in-ibm-connections/resumetoken2/#main" data-orig-file="https://collaborationben.files.wordpress.com/2016/11/resumetoken2.jpg?w=776" data-orig-size="622,607" data-comments-opened="1" data-image-meta="{&quot;aperture&quot;:&quot;0&quot;,&quot;credit&quot;:&quot;&quot;,&quot;camera&quot;:&quot;&quot;,&quot;caption&quot;:&quot;&quot;,&quot;created_timestamp&quot;:&quot;0&quot;,&quot;copyright&quot;:&quot;&quot;,&quot;focal_length&quot;:&quot;0&quot;,&quot;iso&quot;:&quot;0&quot;,&quot;shutter_speed&quot;:&quot;0&quot;,&quot;title&quot;:&quot;&quot;,&quot;orientation&quot;:&quot;0&quot;}" data-image-title="resumetoken2" data-image-description="" data-medium-file="https://collaborationben.files.wordpress.com/2016/11/resumetoken2.jpg?w=776?w=300" data-large-file="https://collaborationben.files.wordpress.com/2016/11/resumetoken2.jpg?w=776?w=622" class="alignnone wp-image-793 size-full" src="https://collaborationben.files.wordpress.com/2016/11/resumetoken2.jpg?w=776" alt="resumetoken2" srcset="https://collaborationben.files.wordpress.com/2016/11/resumetoken2.jpg 622w, https://collaborationben.files.wordpress.com/2016/11/resumetoken2.jpg?w=150 150w, https://collaborationben.files.wordpress.com/2016/11/resumetoken2.jpg?w=300 300w" sizes="(max-width: 622px) 100vw, 622px"   /></a></p>
<p>It didn&#8217;t look right, so I compared it with other deployments and found that they only have one row per application. The Knowledge Center details how to manipulate the tokens but not how to clear them.</p>
<p>I shut down all application servers and backed up the HOMEPAGE database. I then cleared the table:</p>
<pre># su - db2inst1
$ cd /opt2/db2backups/55_homepage_resumetokens/homepage/
$ db2 backup db homepage to '/opt2/db2backups/55_homepage_resumetokens/homepage/'
$ db2 connect to homepage
$ db2 "DELETE FROM HOMEPAGE.SR_RESUME_TOKENS WHERE NODE_ID = '*****Node01:InfraCluster_server1'"
$ db2 connect reset</pre>
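<p>Before re-adding a primary key or foreign key, as the &#8220;proper fix&#8221; post above does, it is worth knowing whether the rows already in the table would violate it, because DB2 refuses the ALTER if they do (the output after the PRIMARY KEY statement in that post is truncated, so whether that was the cause there is not recoverable from the page). The following Python is an added example that serves both that post and this one; it is not code from the posts or from IBM. It runs the checks a DBA would want before the ALTER: TOKEN_IDs that occur more than once, rows whose NODE_ID has no parent row in SR_INDEX_MANAGEMENT, and the per-node row count, plus the node-scoped DELETE used in this post so its effect on those checks can be seen. sqlite3 is used as an offline stand-in for DB2, attached under the schema name HOMEPAGE so that the SELECT statements are the ones you would run against DB2 unchanged; the table shape (only the TOKEN_ID and NODE_ID columns the constraints name), the node names and all rows are constructed.</p>

```python
"""Pre-flight checks before re-adding the HOMEPAGE.SR_RESUME_TOKENS constraints.

Added example for the two SR_RESUME_TOKENS posts; not code from the posts or
from IBM. sqlite3 stands in for DB2 so this runs offline: the in-memory
database is attached as HOMEPAGE so the SELECT statements below are the
ones you would run unchanged against DB2. Only the TOKEN_ID and NODE_ID
columns named in the posts' constraints are modelled; rows are constructed.
"""
import sqlite3

# TOKEN_IDs that would make ADD CONSTRAINT ... PRIMARY KEY (TOKEN_ID) fail.
DUPLICATE_TOKENS_SQL = """
SELECT TOKEN_ID, COUNT(*) AS N
FROM HOMEPAGE.SR_RESUME_TOKENS
GROUP BY TOKEN_ID
HAVING COUNT(*) > 1
"""

# Rows whose NODE_ID has no parent in SR_INDEX_MANAGEMENT; these would make
# the FOREIGN KEY (NODE_ID) REFERENCES HOMEPAGE.SR_INDEX_MANAGEMENT fail.
ORPHAN_ROWS_SQL = """
SELECT T.TOKEN_ID, T.NODE_ID
FROM HOMEPAGE.SR_RESUME_TOKENS T
LEFT JOIN HOMEPAGE.SR_INDEX_MANAGEMENT M ON M.NODE_ID = T.NODE_ID
WHERE M.NODE_ID IS NULL
"""

ROWS_PER_NODE_SQL = """
SELECT NODE_ID, COUNT(*) AS N
FROM HOMEPAGE.SR_RESUME_TOKENS
GROUP BY NODE_ID
ORDER BY NODE_ID
"""


def build_db(token_rows, node_ids):
    """In-memory stand-in for the HOMEPAGE schema with no PK/FK, i.e. the
    state the posts describe after dbt.jar without the post-migration step."""
    conn = sqlite3.connect(":memory:")
    conn.execute("ATTACH DATABASE ':memory:' AS HOMEPAGE")
    conn.execute("CREATE TABLE HOMEPAGE.SR_INDEX_MANAGEMENT (NODE_ID TEXT)")
    conn.execute("CREATE TABLE HOMEPAGE.SR_RESUME_TOKENS (TOKEN_ID TEXT, NODE_ID TEXT)")
    conn.executemany("INSERT INTO HOMEPAGE.SR_INDEX_MANAGEMENT VALUES (?)",
                     [(n,) for n in node_ids])
    conn.executemany("INSERT INTO HOMEPAGE.SR_RESUME_TOKENS VALUES (?, ?)", token_rows)
    conn.commit()
    return conn


def duplicate_token_ids(conn):
    return conn.execute(DUPLICATE_TOKENS_SQL).fetchall()


def orphan_rows(conn):
    return conn.execute(ORPHAN_ROWS_SQL).fetchall()


def rows_per_node(conn):
    return conn.execute(ROWS_PER_NODE_SQL).fetchall()


def safe_to_add_constraints(conn):
    """True only when both ALTER TABLE ... ADD CONSTRAINT statements can succeed."""
    return not duplicate_token_ids(conn) and not orphan_rows(conn)


def delete_node_rows(conn, node_id):
    """The clean-up from the posts: drop one node's rows so the crawler
    recreates them on the next Search JVM start. Returns rows deleted."""
    cur = conn.execute("DELETE FROM HOMEPAGE.SR_RESUME_TOKENS WHERE NODE_ID = ?", (node_id,))
    conn.commit()
    return cur.rowcount


# Constructed sample: one node whose Search JVM was restarted three times with
# no primary key, so the same token row was written three times, plus a row
# left behind for a node that no longer exists in SR_INDEX_MANAGEMENT.
NODE = "xxxxxNode01:InfraCluster_server1"
SAMPLE_ROWS = [
    ("wikis-token", NODE), ("wikis-token", NODE), ("wikis-token", NODE),
    ("blogs-token", NODE),
    ("files-token", "retiredNode02:InfraCluster_server2"),
]
SAMPLE_NODES = [NODE]

if __name__ == "__main__":
    db = build_db(SAMPLE_ROWS, SAMPLE_NODES)
    print("duplicate TOKEN_IDs:", duplicate_token_ids(db))
    print("orphan rows:        ", orphan_rows(db))
    print("safe to add PK/FK:  ", safe_to_add_constraints(db))
```

<p>Against a real HOMEPAGE database, run the three SELECT statements with the db2 CLP exactly as written. If the duplicate query returns rows, deleting by NODE_ID as above is what clears them; if the orphan query returns rows, the FOREIGN KEY add will fail until those rows are removed or the parent node row restored, and the ON DELETE CASCADE on the new constraint means that in future deleting a node from SR_INDEX_MANAGEMENT removes its tokens automatically.</p>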
<p>On startup the errors have gone and there is only one row per application.</p>]]></content:encoded>
<wfw:commentRss>https://collaborationben.com/2016/11/19/homepage-sr_resume_tokens-duplicate-data-in-ibm-connections/feed/</wfw:commentRss>
<slash:comments>0</slash:comments>
<media:content url="http://1.gravatar.com/avatar/73d65d70497b3486650a324a0d88ecf1?s=96&#38;d=identicon&#38;r=G" medium="image">
<media:title type="html">collaborationben</media:title>
</media:content>

<media:content url="http://collaborationben.files.wordpress.com/2016/11/resumetoken2.jpg" medium="image">
<media:title type="html">resumetoken2</media:title>
</media:content>
</item>
<item>
<title>Sametime photos served up by IHS</title>
<link>https://collaborationben.com/2016/10/21/sametime-photos-served-up-by-ihs/</link>
<comments>https://collaborationben.com/2016/10/21/sametime-photos-served-up-by-ihs/#comments</comments>
<pubDate>Fri, 21 Oct 2016 22:31:04 +0000</pubDate>
<dc:creator><![CDATA[collaborationben]]></dc:creator>
<category><![CDATA[Sametime]]></category>
<category><![CDATA[Apache]]></category>
<category><![CDATA[httpd.conf]]></category>
<category><![CDATA[ibmsametime]]></category>
<category><![CDATA[ihs]]></category>
<category><![CDATA[Meetings]]></category>
<category><![CDATA[stproxy]]></category>
<category><![CDATA[TDI]]></category>

<guid isPermaLink="false">http://collaborationben.com/?p=783</guid>
<description><![CDATA[Between customer work I have been working on replacing our internal Sametime servers with shiny new 9.0.1 servers using AD instead of Domino LDAP. The final piece of the puzzle is photos. Anyone who knows Sametime knows that something as simple as a photo is not made simple by the applications. The Sametime Proxy requires [&#8230;]]]></description>
<content:encoded><![CDATA[<p>Between customer work I have been working on replacing our internal Sametime servers with shiny new 9.0.1 servers using AD instead of Domino LDAP.</p>
<p>The final piece of the puzzle is photos. Anyone who knows Sametime knows that something as simple as a photo is not made simple by the applications. The Sametime Proxy requires an LDAP attribute (PhotoURL) which points STProxy at the image, and STProxy retrieves it for the client. Meetings doesn&#8217;t use the same approach, grr. It can use a binary object saved in LDAP or offload the retrieval to a web server, like PhotoURL for STProxy, but uses a &#8220;string&#8221; where all photos must be named emailaddress.jpg. Confusing? Yep.</p>
<p>I was about to roll over and say it&#8217;s not possible, but it seems that it is possible to cover all use cases.</p>
<ol>
<li>Notes/Sametime clients using ImagePath URL</li>
<li>STProxy web client using PhotoURL</li>
<li>Meetings off loading to a web server</li>
<li>Stop external access to photos</li>
</ol>
<p>The nice thing STProxy does is that it will &#8220;proxy&#8221; the photos, so the web browser doesn&#8217;t need direct connectivity to the JPGs. That is great because I can put the photos on an internal-facing web server. STProxy then calls the URL specified in the user&#8217;s LDAP entry (PhotoURL), caches it locally and then serves it up. Brilliant, I can lock the photos away so that no one can browse them from the internet if they know our email addresses.</p>
<p>You&#8217;ll need to update stproxyconfig.xml adding <code>proxyServerURL</code>, otherwise it will not work. Don&#8217;t forget to sync and restart STProxy.</p>
<pre>&lt;photoCache&gt;
    &lt;enabled&gt;true&lt;/enabled&gt;
    &lt;cacheExpiry&gt;60&lt;/cacheExpiry&gt;
    &lt;storageLocation&gt;/opt/IBM/phototemp&lt;/storageLocation&gt;
    &lt;proxyServerURL&gt;https://chat.acme.com&lt;/proxyServerURL&gt;
&lt;/photoCache&gt;</pre>
  204. <p>Ah, the Meeting server doesn&#8217;t follow the same logic. Clients (thick or web browser or mobile) need direct access to the photo to render it in the client. This means I&#8217;m back to square one&#8230;.</p>
  205. <p>Let&#8217;s jump back a step. How do we get the photos up to a web server?</p>
  206. <h2>Photos from Connections</h2>
  207. <p>At present our Sametime and Connections servers are using different LDAPs so SSO is not possible and even if it was retrieving photos from Connections via photo.do is not possible for guests because the photos require authentication so using the Connections business card for STProxy and Meetings is a show stopper.</p>
  208. <p>Luckily in the Connections TDISOL there is an AL we can use called dump_photos_to_files. I won&#8217;t go into too much details about this but you can copy and paste the AL and then alter it. I altered it to return all user&#8217;s email addresses as well as UID and then dump the photos in the format of emailaddress.jpg which is the format needed by the Meeting server.</p>
  209. <p>You may find the email addresses are capitalised. If so you will need to add some JavaScript to the lookup_user process to get it all in lower case</p>
  210. <p>ret.value=conn.getstring(&#8220;email&#8221;).toLowerCase();</p>
  211. <p>Once you have the photos in the correct format you need to get them from the server running TDI to a web server.</p>
  212. <h2>Web server</h2>
  213. <p>The logical way to serve the photos is using IHS in front of Connections. To get the files there I needed to scp them from the TDI server to IHS. I had to create SSH keys with ssh-keygen, as detailed in <a href="http://www.linuxproblem.org/art_9.html" target="_blank">http://www.linuxproblem.org/art_9.html</a>, so I could scp the files from a shell script. Incidentally, the shell script called the AL and then scp&#8217;d the photos to the IHS server. Then add the shell script to cron so it is called on a schedule.</p>
  214. <p>I wanted to lock down access to the photos so that people couldn&#8217;t browse to them. This is a little difficult to do but you can use IP ranges for all your internal offices and/or VPNs so that they are allowed to access the photos. The problem is guests who are truly external.</p>
  215. <p>I created a new virtual host in httpd.conf with the following details.</p>
  216. <pre># Sametime photos
  217. &lt;VirtualHost *:80&gt;
  218. ServerName icphotos.acme.com:80
  219. DocumentRoot "/opt/IBM/HTTPServer/photos"
  220. RewriteEngine On
  221. RewriteCond %{HTTP_COOKIE} !LtpaToken2=.*$ [NC]
  222. RewriteCond %{HTTP_COOKIE} !LtpaToken=.*$ [NC]
  223. RewriteCond %{HTTP_COOKIE} !STPluginActivePage=stMeetingroom [NC]
  224. # Old subnets and staff VPN
  225. RewriteCond %{REMOTE_ADDR} !^xxx\.xx\.(x[x-x]|x[x-x])\.([x-x]|[x-x][x-x]|x([x-x][x-x])|x([x-x][x-x]|x[x-x]))$
  226. # UK
  227. RewriteCond %{REMOTE_ADDR} !^xxx\.xx\.(x[x-x]|x[x-x])\.([x-x]|[x-x][x-x]|x([x-x][x-x])|x([x-x][x-x]|x[x-x]))$
  228. # India
  229. RewriteCond %{REMOTE_ADDR} !^xxx\.xx\.(x[x-x]|x[x-x])\.([x-x]|[x-x][x-x]|x([x-x][x-x])|x([x-x][x-x]|x[x-x]))$
  230. # Sametime Proxy
  231. RewriteCond %{REMOTE_ADDR} !^xxx\.xx\.xx\.xxx$ [NC]
  232. RewriteRule ^(.*)$ http://www.acme.com [R,L]
  233. &lt;/VirtualHost&gt;</pre>
  234. <p>In a nutshell, this allows all clients on certain IP ranges to access photos. It also allows any web browser, whether it is internal or on the internet, to access photos IF it has one of three cookies: LtpaToken/LtpaToken2, which is provided to the browser when someone authenticates, or the cookie STPluginActivePage, which the browser stores when you enter a meeting room. STPluginActivePage is in the browser whether you are a guest or an authenticated user; you just need to enter a meeting room.</p>
  235. <p>I included both LtpaToken and LtpaToken2. I found the Sametime client was sending only LtpaToken with the HTTP GET for the photos. This may be due to the fact that I allow both LtpaToken and LtpaToken2 in the Domino web SSO configuration document. If you only allow LtpaToken2 then you may find that the client sends LtpaToken2 with the GET.</p>
  236. <p>If you are a web browser outside of the IP ranges and you do not have any of the three cookies then you will be redirected to <a href="http://www.acme.com" rel="nofollow">http://www.acme.com</a>. You could change this to a static html page of your choice.</p>
  237. <p>I&#8217;m no whiz when it comes to Apache, but I have tested this quite a bit and it seems pretty secure and should cover most bases. Of course it doesn&#8217;t stop a meeting guest from guessing email addresses and browsing other people&#8217;s photos, but since you have invited them to a meeting and provided them with the meeting room password, there is an element of familiarity that should stop them from being malicious in this way. If you back this up by changing the meeting room passwords often you should be in a strong position to keep these photos relatively secure.</p>
  238. <p>If anyone has any thoughts on the httpd.conf I am all ears as I would like to tie it down further if it needs it.</p>
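<p>The IP conditions above need one regex per range because IHS 2.2 lacks the CIDR expr test (see the UPDATE at the end of this post), and the cookie conditions only test that a cookie of that name is present. The Python below, an added example rather than the author's script, generates the range regex from a CIDR and replays the virtual host's decision for a request so an allow list can be checked offline; the ranges and cookie headers in it are constructed samples.</p>

```python
"""Added example (not the author's code): generate the per-range
RewriteCond regex that IHS 2.2 needs and replay the photo virtual host's
redirect decision offline.  Sample CIDRs and cookie headers are constructed."""
import ipaddress
import re


def _fill_nines(n, count):
    # e.g. 1234, 2 -> 1299
    return int(str(n)[:-count] + "9" * count)


def _fill_zeros(n, count):
    # e.g. 1234, 2 -> 1200
    return n - n % 10 ** count


def _split_ranges(lo, hi):
    """Upper bounds that cut lo..hi into sub-ranges expressible as one term."""
    stops = {hi}
    k, stop = 1, _fill_nines(lo, 1)
    while lo <= stop < hi:
        stops.add(stop)
        k += 1
        stop = _fill_nines(lo, k)
    k, stop = 1, _fill_zeros(hi + 1, 1) - 1
    while lo < stop <= hi:
        stops.add(stop)
        k += 1
        stop = _fill_zeros(hi + 1, k) - 1
    return sorted(stops)


def _range_pattern(lo, hi):
    """One term for a sub-range whose digits, after the first position that
    differs, run the full 0..9 (which _split_ranges guarantees)."""
    out, wild = "", 0
    for a, b in zip(str(lo), str(hi)):
        if a == b:
            out += a
        elif a != "0" or b != "9":
            out += f"[{a}-{b}]"
        else:
            wild += 1
    if wild:
        out += "[0-9]" + (f"{{{wild}}}" if wild > 1 else "")
    return out


def octet_regex(lo, hi):
    """Alternation matching exactly the decimal integers lo..hi (0..255)."""
    if lo == hi:
        return str(lo)
    start, terms = lo, []
    for stop in _split_ranges(lo, hi):
        terms.append(_range_pattern(start, stop))
        start = stop + 1
    return "(" + "|".join(terms) + ")"


def cidr_to_regex(cidr):
    """Anchored regex matching exactly the IPv4 addresses in a CIDR block."""
    net = ipaddress.ip_network(cidr, strict=False)
    if net.version != 4:
        raise ValueError("IPv4 only")
    first, last = net.network_address.packed, net.broadcast_address.packed
    return "^" + r"\.".join(octet_regex(a, b) for a, b in zip(first, last)) + "$"


def rewrite_cond(cidr):
    """The negated RewriteCond line in the form used by the virtual host."""
    return "RewriteCond %{REMOTE_ADDR} !" + cidr_to_regex(cidr)


# Cookie conditions copied from the virtual host (all are [NC]); they match
# on the cookie *name* being present, nothing more.
COOKIE_CONDS = (r"LtpaToken2=.*$", r"LtpaToken=.*$",
                r"STPluginActivePage=stMeetingroom")


def should_redirect(remote_addr, cookie_header, allowed_cidrs):
    """Replay the rule: every RewriteCond is negated, so the redirect only
    fires when no cookie condition matches AND the address is in no range."""
    if any(re.search(p, cookie_header, re.IGNORECASE) for p in COOKIE_CONDS):
        return False
    if any(re.search(cidr_to_regex(c), remote_addr) for c in allowed_cidrs):
        return False
    return True


if __name__ == "__main__":
    for cidr in ("10.20.30.64/26", "172.16.0.0/12"):  # constructed ranges
        print(rewrite_cond(cidr))
    print(should_redirect("203.0.113.5", "", ["10.20.30.64/26"]))  # True
```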
  239. <p>UPDATE</p>
  240. <p>I found that my original RewriteCond lines for the IP addresses were not working. I was originally using the following method because it seemed nice and easy to just enter the CIDR, but on reading further the following approach only works with Apache 2.4, and IHS is using 2.2.8. You can find out by running apachectl -V.</p>
  241. <pre>RewriteCond expr "-R 'xxx.xx.xx.0/xx'"</pre>
  242. <p>So regex was the only way to go, and trying to work it out by hand was going to be a headache. To my rescue came <a href="http://jodies.de/ipcalc" rel="nofollow">http://jodies.de/ipcalc</a> to convert the CIDR to its first and last IP addresses, and then I put these values into <a href="http://www.analyticsmarket.com/freetools/ipregex" rel="nofollow">http://www.analyticsmarket.com/freetools/ipregex</a> to give me the regex.</p>]]></content:encoded>
  243. <wfw:commentRss>https://collaborationben.com/2016/10/21/sametime-photos-served-up-by-ihs/feed/</wfw:commentRss>
  244. <slash:comments>3</slash:comments>
  245. <media:content url="http://1.gravatar.com/avatar/73d65d70497b3486650a324a0d88ecf1?s=96&#38;d=identicon&#38;r=G" medium="image">
  246. <media:title type="html">collaborationben</media:title>
  247. </media:content>
  248. </item>
  249. <item>
  250. <title>SSL certificates and TLSv1.2 for Sametime (but also valid for WebSphere)</title>
  251. <link>https://collaborationben.com/2016/10/13/ssl-certificates-and-tlsv1-2-for-sametime-but-also-valid-for-websphere/</link>
  252. <comments>https://collaborationben.com/2016/10/13/ssl-certificates-and-tlsv1-2-for-sametime-but-also-valid-for-websphere/#comments</comments>
  253. <pubDate>Thu, 13 Oct 2016 14:24:23 +0000</pubDate>
  254. <dc:creator><![CDATA[collaborationben]]></dc:creator>
  255. <category><![CDATA[Sametime 9.0.1]]></category>
  256. <category><![CDATA[SSL]]></category>
  257. <category><![CDATA[Uncategorized]]></category>
  258. <category><![CDATA[ibmsametime]]></category>
  259. <category><![CDATA[TLSv1.2]]></category>
  260. <category><![CDATA[WebSphere]]></category>
  261.  
  262. <guid isPermaLink="false">http://collaborationben.com/?p=680</guid>
  263. <description><![CDATA[I thought I&#8217;d write this entry after assisting a peer and struggling myself to work out why TLSv1.2 was not working for a given node. I will detail how to add a wildcard certificate to a Sametime 9.0.1 cell and then how to enforce TLSv1.2 for Sametime Proxy and Meeting server nodes. Import the SSL [&#8230;]]]></description>
  264. <content:encoded><![CDATA[<p>I thought I&#8217;d write this entry after assisting a peer and struggling myself to work out why TLSv1.2 was not working for a given node.</p>
  265. <p>I will detail how to add a wildcard certificate to a Sametime 9.0.1 cell and then how to enforce TLSv1.2 for Sametime Proxy and Meeting server nodes.</p>
  266. <h1>Import the SSL certificate</h1>
  267. <p>There are various ways to go about this but I will detail using a .p12 file (PKCS#12 format). The nice thing about getting a .p12 file is that all the certificates should be in there, the intermediary ones and the root, protected by a password.</p>
  268. <p>There are ways to create .p12 files using OpenSSL and Google is awash with posts, so I won&#8217;t go into any more detail.</p>
  269. <p>You will want to export the intermediary and root certificates. You can view the contents of the .p12 using OpenSSL. I am running Cygwin on a Windows laptop, hence the .exe.</p>
  270. <pre>openssl.exe pkcs12 -in ./wild_acme_com.p12 -info</pre>
  271. <p>This will allow you to copy and paste the intermediary and root certificates, which are needed. Again, the commands to export the certificates are available via Google, or you could download them from the Certificate Authority (CA).</p>
  272. <p>Once you have your .p12 and intermediary and root certificates log into the ISC and go to <strong>SSL certificate and key management &gt; Key stores and certificates &gt; CellDefaultKeyStore &gt; Personal certificates.</strong></p>
  273. <p>Click <strong>Add</strong> and add the intermediary and root certificates.</p>
  274. <p>Now go to <strong>SSL certificate and key management &gt; Key stores and certificates &gt; CellDefaultKeyStore &gt; Personal certificates &gt; Import</strong> and click on key store file.</p>
  275. <p>Point it to your .p12 and enter the password. It will then read the contents and give you a ridiculous name for an alias. I suggest you enter something meaningful. Then press apply.</p>
  276. <p><a href="https://collaborationben.files.wordpress.com/2016/10/1.jpg"><img data-attachment-id="681" data-permalink="https://collaborationben.com/2016/10/13/ssl-certificates-and-tlsv1-2-for-sametime-but-also-valid-for-websphere/1-23/#main" data-orig-file="https://collaborationben.files.wordpress.com/2016/10/1.jpg?w=776" data-orig-size="869,473" data-comments-opened="1" data-image-meta="{&quot;aperture&quot;:&quot;0&quot;,&quot;credit&quot;:&quot;&quot;,&quot;camera&quot;:&quot;&quot;,&quot;caption&quot;:&quot;&quot;,&quot;created_timestamp&quot;:&quot;0&quot;,&quot;copyright&quot;:&quot;&quot;,&quot;focal_length&quot;:&quot;0&quot;,&quot;iso&quot;:&quot;0&quot;,&quot;shutter_speed&quot;:&quot;0&quot;,&quot;title&quot;:&quot;&quot;,&quot;orientation&quot;:&quot;0&quot;}" data-image-title="1" data-image-description="" data-medium-file="https://collaborationben.files.wordpress.com/2016/10/1.jpg?w=776?w=300" data-large-file="https://collaborationben.files.wordpress.com/2016/10/1.jpg?w=776?w=776" class="alignnone size-full wp-image-681" src="https://collaborationben.files.wordpress.com/2016/10/1.jpg?w=776" alt="1" srcset="https://collaborationben.files.wordpress.com/2016/10/1.jpg?w=776 776w, https://collaborationben.files.wordpress.com/2016/10/1.jpg?w=150 150w, https://collaborationben.files.wordpress.com/2016/10/1.jpg?w=300 300w, https://collaborationben.files.wordpress.com/2016/10/1.jpg?w=768 768w, https://collaborationben.files.wordpress.com/2016/10/1.jpg 869w" sizes="(max-width: 776px) 100vw, 776px"   /></a></p>
  277. <p>At which point you will see the chain in <strong>SSL certificate and key management &gt; Key stores and certificates &gt; CellDefaultKeyStore &gt; Personal certificates</strong> which should look something like this</p>
  278. <p><a href="https://collaborationben.files.wordpress.com/2016/10/3.jpg"><img data-attachment-id="683" data-permalink="https://collaborationben.com/2016/10/13/ssl-certificates-and-tlsv1-2-for-sametime-but-also-valid-for-websphere/3-7/#main" data-orig-file="https://collaborationben.files.wordpress.com/2016/10/3.jpg?w=776" data-orig-size="864,457" data-comments-opened="1" data-image-meta="{&quot;aperture&quot;:&quot;0&quot;,&quot;credit&quot;:&quot;&quot;,&quot;camera&quot;:&quot;&quot;,&quot;caption&quot;:&quot;&quot;,&quot;created_timestamp&quot;:&quot;0&quot;,&quot;copyright&quot;:&quot;&quot;,&quot;focal_length&quot;:&quot;0&quot;,&quot;iso&quot;:&quot;0&quot;,&quot;shutter_speed&quot;:&quot;0&quot;,&quot;title&quot;:&quot;&quot;,&quot;orientation&quot;:&quot;0&quot;}" data-image-title="3" data-image-description="" data-medium-file="https://collaborationben.files.wordpress.com/2016/10/3.jpg?w=776?w=300" data-large-file="https://collaborationben.files.wordpress.com/2016/10/3.jpg?w=776?w=776" class="alignnone size-full wp-image-683" src="https://collaborationben.files.wordpress.com/2016/10/3.jpg?w=776" alt="3" srcset="https://collaborationben.files.wordpress.com/2016/10/3.jpg?w=776 776w, https://collaborationben.files.wordpress.com/2016/10/3.jpg?w=150 150w, https://collaborationben.files.wordpress.com/2016/10/3.jpg?w=300 300w, https://collaborationben.files.wordpress.com/2016/10/3.jpg?w=768 768w, https://collaborationben.files.wordpress.com/2016/10/3.jpg 864w" sizes="(max-width: 776px) 100vw, 776px"   /></a></p>
  279. <p>You can see the chain is complete. This is important otherwise web browsers will show various types of untrusted errors.</p>
  280. <p>If you haven&#8217;t done this already you will need to apply the certificate to the nodes that need it.</p>
  281. <p>Go to <strong>SSL certificate and key management &gt; Manage endpoint security configurations.</strong></p>
  282. <p>From here you will need to expand the <strong>Inbound</strong> and <strong>Outbound</strong> sections for the STProxy and Meeting nodes. If you have a WebSphere proxy in front you will need to apply the certificate to that server. You can also add the certificate to the STProxy or Meeting application server too in case you have users connecting directly.</p>
  283. <p>You need to tick <strong>Override inherited values</strong> and then press <strong>Update certificate alias list</strong> at which point in the <strong>Certificate alias in key store</strong> you should see the alias for the imported .p12. Remember to repeat for both Inbound and Outbound.</p>
  284. <p><a href="https://collaborationben.files.wordpress.com/2016/10/4.jpg"><img data-attachment-id="684" data-permalink="https://collaborationben.com/2016/10/13/ssl-certificates-and-tlsv1-2-for-sametime-but-also-valid-for-websphere/4-6/#main" data-orig-file="https://collaborationben.files.wordpress.com/2016/10/4.jpg?w=776" data-orig-size="627,166" data-comments-opened="1" data-image-meta="{&quot;aperture&quot;:&quot;0&quot;,&quot;credit&quot;:&quot;&quot;,&quot;camera&quot;:&quot;&quot;,&quot;caption&quot;:&quot;&quot;,&quot;created_timestamp&quot;:&quot;0&quot;,&quot;copyright&quot;:&quot;&quot;,&quot;focal_length&quot;:&quot;0&quot;,&quot;iso&quot;:&quot;0&quot;,&quot;shutter_speed&quot;:&quot;0&quot;,&quot;title&quot;:&quot;&quot;,&quot;orientation&quot;:&quot;0&quot;}" data-image-title="4" data-image-description="" data-medium-file="https://collaborationben.files.wordpress.com/2016/10/4.jpg?w=776?w=300" data-large-file="https://collaborationben.files.wordpress.com/2016/10/4.jpg?w=776?w=627" class="alignnone size-full wp-image-684" src="https://collaborationben.files.wordpress.com/2016/10/4.jpg?w=776" alt="4" srcset="https://collaborationben.files.wordpress.com/2016/10/4.jpg 627w, https://collaborationben.files.wordpress.com/2016/10/4.jpg?w=150 150w, https://collaborationben.files.wordpress.com/2016/10/4.jpg?w=300 300w" sizes="(max-width: 627px) 100vw, 627px"   /></a></p>
  285. <p>Now normally you would stop all application servers, WAS proxies, node agents and then the deployment manager and start them back up but because we are enabling TLSv1.2 we need to do a little more&#8230;..</p>
  286. <h1>TLSv1.2</h1>
  287. <p>If you try to enforce TLSv1.2 on a SIP Proxy Registrar then it will not work properly and you&#8217;ll get messages like the following when clients try to connect.</p>
  288. <pre>[10/12/16 10:37:24:483 BST] 0000008e TelephonyServ I   UserName in Message
  289. is null
  290. [10/12/16 10:37:31:278 BST] 000000ba SSLHandshakeE E   SSLC0008E: Unable
  291. to initialize SSL connection.  Unauthorized access was denied or security
  292. settings have expired.  Exception is javax.net.ssl.SSLHandshakeException:
  293. Client requested protocol TLSv1 not enabled or not supported</pre>
  294. <p>This means that using <strong>SSL certificate and key management &gt; Key stores and certificates &gt; CellDefaultKeyStore</strong> to control the protocol will not work, because it will apply to all application servers in the cell, including the SIP Proxy Registrar.</p>
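<p>When you enforce TLSv1.2 somewhere in the cell, the SSLC0008E entries above are the quickest way to see which clients are still negotiating an older protocol. The script below is an added example, not the author's, that rejoins the wrapped SystemOut.log entries and counts the failures by requested protocol; its sample log is constructed from the lines quoted above plus an invented SSLv3 entry.</p>

```python
"""Added example (not the author's code): summarise TLS handshake failures
from a WebSphere SystemOut.log so you can see which protocol version clients
are still requesting after enforcing TLSv1.2.  SAMPLE_LOG is constructed."""
import re
from collections import Counter

# A WebSphere log entry starts with "[timestamp] threadId component level";
# the message may wrap onto following lines, which get rejoined below.
ENTRY_START = re.compile(r"^\[[^\]]+\] [0-9a-f]{8} \S+ [A-Z] ")
REQUESTED = re.compile(r"Client requested protocol (\S+) not enabled or not supported")

SAMPLE_LOG = """\
[10/12/16 10:37:24:483 BST] 0000008e TelephonyServ I   UserName in Message
is null
[10/12/16 10:37:31:278 BST] 000000ba SSLHandshakeE E   SSLC0008E: Unable
to initialize SSL connection.  Unauthorized access was denied or security
settings have expired.  Exception is javax.net.ssl.SSLHandshakeException:
Client requested protocol TLSv1 not enabled or not supported
[10/12/16 10:38:02:101 BST] 000000bb SSLHandshakeE E   SSLC0008E: Unable
to initialize SSL connection.  Unauthorized access was denied or security
settings have expired.  Exception is javax.net.ssl.SSLHandshakeException:
Client requested protocol TLSv1 not enabled or not supported
[10/12/16 10:39:15:770 BST] 000000bc SSLHandshakeE E   SSLC0008E: Unable
to initialize SSL connection.  Unauthorized access was denied or security
settings have expired.  Exception is javax.net.ssl.SSLHandshakeException:
Client requested protocol SSLv3 not enabled or not supported
"""


def entries(text):
    """Yield each log entry as one string with its wrapped lines rejoined."""
    current = []
    for line in text.splitlines():
        if ENTRY_START.match(line) and current:
            yield " ".join(current)
            current = []
        current.append(line.strip())
    if current:
        yield " ".join(current)


def handshake_failures(text):
    """Count SSLC0008E entries by the protocol the client asked for."""
    counts = Counter()
    for entry in entries(text):
        if "SSLC0008E" not in entry:
            continue
        m = REQUESTED.search(entry)
        counts[m.group(1) if m else "unknown"] += 1
    return counts


if __name__ == "__main__":
    for proto, n in handshake_failures(SAMPLE_LOG).most_common():
        print(f"{proto}: {n} failed handshakes")
```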
  295. <p>If you have awareness and meetings only then you can get away with it, although you need to take special care with recording of meetings because that will not work if you enforce TLSv1.2. In this case you may need to run the following to add the TLS configuration for recording.</p>
  296. <pre>"INSERT INTO mtg.configuration (server_id, CONFIGURATION_KEY,
  297. CONFIGURATION_VALUE) values ('&lt;substitute your server id here&gt;',
  298. 'meeting.recording.tlsVersion','TLSv1.2')"</pre>
  299. <h2>Limitations</h2>
  300. <p>Before I go on I will explain what limitation I found. If I enforce TLSv1.2 on the Meeting server I cannot connect to it using a Sametime (thick) client. Web browser and mobile apps work fine. The thick client will not connect and I get errors in the client logs.</p>
  301. <p>The default in QoP is SSL_TLS which enables all SSL V3.0 and TLS 1.0 protocols. This is not terribly useful considering I want to use TLSv1.2 but cannot enforce it across all the cell. You can use SSL_TLSv2 which enables all SSL V3.0 and TLS 1.0, 1.1 and 1.2 protocols so at least I have the option of using TLSv1.2 if the client uses that protocol.</p>
  302. <p>So my steps involve some application servers using SSL_TLS, most using SSL_TLSv2 and the Sametime Proxy using TLSv1.2.</p>
  303. <p>Remember I have WebSphere proxies fronting STProxy and Meeting servers to host HTTP -&gt; HTTPS redirection and I will use them as the TLSv1.2 point.</p>
  304. <h2>Import .p12 to NodeDefaultKeyStore</h2>
  305. <p>So the steps are threefold, 1) add the .p12 certificate to the STProxy server node, 2) set the node to use the <strong>NodeDefaultKeyStore</strong> and 3) enforce <strong>TLSv1.2</strong>.</p>
  306. <p>As I have run through the steps to import the certificate to the cell I do not need to run through that again. You need to go to <strong>SSL certificate and key management &gt; Key stores and certificates &gt; NodeDefaultKeyStore &gt; Personal certificates/Signer certificates</strong> (choosing the node for STProxy) and repeat the steps above.</p>
  307. <p>Now go back to <strong>SSL certificate and key management &gt; Manage endpoint security configurations </strong>and go to the <strong>Inbound</strong> and <strong>Outbound</strong> sections. I made the change on the WebSphere proxy that fronts STProxy.</p>
  308. <p>Change <strong>SSL configuration</strong> to <strong>NodeDefaultSSLSettings</strong> and click <strong>Update certificate alias list</strong>, at which point in <strong>Certificate alias in key store</strong> you can select the alias you set. Repeat as required.</p>
  309. <p><a href="https://collaborationben.files.wordpress.com/2016/10/5.jpg"><img data-attachment-id="685" data-permalink="https://collaborationben.com/2016/10/13/ssl-certificates-and-tlsv1-2-for-sametime-but-also-valid-for-websphere/5-5/#main" data-orig-file="https://collaborationben.files.wordpress.com/2016/10/5.jpg?w=776" data-orig-size="651,167" data-comments-opened="1" data-image-meta="{&quot;aperture&quot;:&quot;0&quot;,&quot;credit&quot;:&quot;&quot;,&quot;camera&quot;:&quot;&quot;,&quot;caption&quot;:&quot;&quot;,&quot;created_timestamp&quot;:&quot;0&quot;,&quot;copyright&quot;:&quot;&quot;,&quot;focal_length&quot;:&quot;0&quot;,&quot;iso&quot;:&quot;0&quot;,&quot;shutter_speed&quot;:&quot;0&quot;,&quot;title&quot;:&quot;&quot;,&quot;orientation&quot;:&quot;0&quot;}" data-image-title="5" data-image-description="" data-medium-file="https://collaborationben.files.wordpress.com/2016/10/5.jpg?w=776?w=300" data-large-file="https://collaborationben.files.wordpress.com/2016/10/5.jpg?w=776?w=651" class="alignnone size-full wp-image-685" src="https://collaborationben.files.wordpress.com/2016/10/5.jpg?w=776" alt="5" srcset="https://collaborationben.files.wordpress.com/2016/10/5.jpg 651w, https://collaborationben.files.wordpress.com/2016/10/5.jpg?w=150 150w, https://collaborationben.files.wordpress.com/2016/10/5.jpg?w=300 300w" sizes="(max-width: 651px) 100vw, 651px"   /></a></p>
  310. <p>It will then look something like this. Only <strong>was_stpProxy</strong> is using the <strong>NodeDefaultSSLSettings</strong>, all others are using the default, <strong>CellDefaultSSLSettings</strong>.</p>
  311. <p><img data-attachment-id="743" data-permalink="https://collaborationben.com/2016/10/13/ssl-certificates-and-tlsv1-2-for-sametime-but-also-valid-for-websphere/attachment/10/#main" data-orig-file="https://collaborationben.files.wordpress.com/2016/10/10.jpg?w=776" data-orig-size="514,838" data-comments-opened="1" data-image-meta="{&quot;aperture&quot;:&quot;0&quot;,&quot;credit&quot;:&quot;&quot;,&quot;camera&quot;:&quot;&quot;,&quot;caption&quot;:&quot;&quot;,&quot;created_timestamp&quot;:&quot;0&quot;,&quot;copyright&quot;:&quot;&quot;,&quot;focal_length&quot;:&quot;0&quot;,&quot;iso&quot;:&quot;0&quot;,&quot;shutter_speed&quot;:&quot;0&quot;,&quot;title&quot;:&quot;&quot;,&quot;orientation&quot;:&quot;0&quot;}" data-image-title="10" data-image-description="" data-medium-file="https://collaborationben.files.wordpress.com/2016/10/10.jpg?w=776?w=184" data-large-file="https://collaborationben.files.wordpress.com/2016/10/10.jpg?w=776?w=514" class="alignnone size-full wp-image-743" src="https://collaborationben.files.wordpress.com/2016/10/10.jpg?w=776" alt="10" srcset="https://collaborationben.files.wordpress.com/2016/10/10.jpg 514w, https://collaborationben.files.wordpress.com/2016/10/10.jpg?w=92 92w, https://collaborationben.files.wordpress.com/2016/10/10.jpg?w=184 184w" sizes="(max-width: 514px) 100vw, 514px"   /></p>
  312. <p>The reason why you have done this is important in the next section.</p>
  313. <h2>Enforce TLSv1.2</h2>
  314. <p>I suggest you stop all the application servers, WebSphere proxies, node agents at this point.</p>
  315. <p>Now you need to enforce TLSv1.2 at the node level. Go to <strong>SSL certificate and key management &gt; SSL configurations &gt; NodeDefaultSSLSettings </strong>(for <strong>STProxy</strong>)<strong> &gt; Quality of protection (QoP) settings</strong> and change <strong>Protocol</strong> from <strong>SSL_TLS </strong>to<strong> TLSv1.2.</strong></p>
  316. <p><a href="https://collaborationben.files.wordpress.com/2016/10/6.jpg"><img data-attachment-id="686" data-permalink="https://collaborationben.com/2016/10/13/ssl-certificates-and-tlsv1-2-for-sametime-but-also-valid-for-websphere/attachment/6/#main" data-orig-file="https://collaborationben.files.wordpress.com/2016/10/6.jpg?w=776" data-orig-size="748,206" data-comments-opened="1" data-image-meta="{&quot;aperture&quot;:&quot;0&quot;,&quot;credit&quot;:&quot;&quot;,&quot;camera&quot;:&quot;&quot;,&quot;caption&quot;:&quot;&quot;,&quot;created_timestamp&quot;:&quot;0&quot;,&quot;copyright&quot;:&quot;&quot;,&quot;focal_length&quot;:&quot;0&quot;,&quot;iso&quot;:&quot;0&quot;,&quot;shutter_speed&quot;:&quot;0&quot;,&quot;title&quot;:&quot;&quot;,&quot;orientation&quot;:&quot;0&quot;}" data-image-title="6" data-image-description="" data-medium-file="https://collaborationben.files.wordpress.com/2016/10/6.jpg?w=776?w=300" data-large-file="https://collaborationben.files.wordpress.com/2016/10/6.jpg?w=776?w=748" class="alignnone size-full wp-image-686" src="https://collaborationben.files.wordpress.com/2016/10/6.jpg?w=776" alt="6" srcset="https://collaborationben.files.wordpress.com/2016/10/6.jpg 748w, https://collaborationben.files.wordpress.com/2016/10/6.jpg?w=150 150w, https://collaborationben.files.wordpress.com/2016/10/6.jpg?w=300 300w" sizes="(max-width: 748px) 100vw, 748px"   /></a></p>
  317. <p>Go to <strong>SSL certificate and key management &gt; SSL configurations</strong> and for all the other nodes including <strong>CellDefaultSSLSettings</strong> and <strong>XDADefaultSSLSettings </strong>set the Protocol to be <strong>SSL_TLSv2</strong> including the SIP Proxy Registrar.</p>
  318. <p>On <strong>all</strong> the nodes find the <strong>ssl.client.props</strong> file which is somewhere like <strong>/opt/IBM/WebSphere/AppServer/profiles/<em>host</em>STPPNProfile1/properties/ssl.client.props</strong> on Linux.</p>
  319. <p>Ensure this is set to the following (default) value:</p>
  320. <p><strong>com.ibm.ssl.protocol=SSL_TLSv2</strong></p>
  321. <p>This file tells the client (the node agent) which protocol to use when communicating with the deployment manager. As you have set this protocol in QoP for the cell, for all nodes (apart from STProxy) and for <strong>XDADefaultSSLSettings</strong>, all node agents can talk freely to the deployment manager.</p>
  322. <p>If you miss a step here you&#8217;ll see from the deployment manager&#8217;s SystemOut.log that the node agent seems to stop and then start repeatedly. This is because the node agent cannot communicate properly, mainly because you have not changed <strong>XDADefaultSSLSettings </strong>appropriately.</p>
  323. <p>Stop and start the deployment manager, run syncNode on all nodes and start the node agents, application servers and proxies and test. Check the SystemOut.log for any exceptions and if you see them check your configuration.</p>
  324. <h2>Ciphers</h2>
  325. <p>If you run a test against your STProxy or Meeting servers you&#8217;ll get marked down for the weak ciphers.</p>
  326. <p><img data-attachment-id="769" data-permalink="https://collaborationben.com/2016/10/13/ssl-certificates-and-tlsv1-2-for-sametime-but-also-valid-for-websphere/11-2/#main" data-orig-file="https://collaborationben.files.wordpress.com/2016/10/11.jpg?w=776" data-orig-size="957,434" data-comments-opened="1" data-image-meta="{&quot;aperture&quot;:&quot;0&quot;,&quot;credit&quot;:&quot;&quot;,&quot;camera&quot;:&quot;&quot;,&quot;caption&quot;:&quot;&quot;,&quot;created_timestamp&quot;:&quot;0&quot;,&quot;copyright&quot;:&quot;&quot;,&quot;focal_length&quot;:&quot;0&quot;,&quot;iso&quot;:&quot;0&quot;,&quot;shutter_speed&quot;:&quot;0&quot;,&quot;title&quot;:&quot;&quot;,&quot;orientation&quot;:&quot;0&quot;}" data-image-title="11" data-image-description="" data-medium-file="https://collaborationben.files.wordpress.com/2016/10/11.jpg?w=776?w=300" data-large-file="https://collaborationben.files.wordpress.com/2016/10/11.jpg?w=776?w=776" class="alignnone size-full wp-image-769" src="https://collaborationben.files.wordpress.com/2016/10/11.jpg?w=776" alt="11" srcset="https://collaborationben.files.wordpress.com/2016/10/11.jpg?w=776 776w, https://collaborationben.files.wordpress.com/2016/10/11.jpg?w=150 150w, https://collaborationben.files.wordpress.com/2016/10/11.jpg?w=300 300w, https://collaborationben.files.wordpress.com/2016/10/11.jpg?w=768 768w, https://collaborationben.files.wordpress.com/2016/10/11.jpg 957w" sizes="(max-width: 776px) 100vw, 776px"   /></p>
  327. <p>You can remove these from<strong> SSL certificate and key management &gt; SSL configurations &gt; NodeDefaultSSLSettings &gt; Quality of protection (QoP) settings &gt; Cipher suite settings. </strong>You will need to change from Strong to custom and then remove the ciphers listed above, if you so wish.</p>
  328. <p>If you plan to do this for the Meeting server as well as STProxy then you will need to change the <strong>Inbound</strong> and <strong>Outbound</strong> options for the WebSphere proxy in front of Meetings so that it uses the <strong>NodeDefaultSSLSettings</strong>, which allows you to then use a default set of ciphers.</p>
  329. <h1>Finally</h1>
  330. <p>I have created a PMR to ask IBM about their support for TLSv1.2 in Sametime. I&#8217;ll update things once I get a response.</p>]]></content:encoded>
  331. <wfw:commentRss>https://collaborationben.com/2016/10/13/ssl-certificates-and-tlsv1-2-for-sametime-but-also-valid-for-websphere/feed/</wfw:commentRss>
  332. <slash:comments>8</slash:comments>
  333. <media:content url="http://1.gravatar.com/avatar/73d65d70497b3486650a324a0d88ecf1?s=96&#38;d=identicon&#38;r=G" medium="image">
  334. <media:title type="html">collaborationben</media:title>
  335. </media:content>
  336.  
  337. <media:content url="http://collaborationben.files.wordpress.com/2016/10/1.jpg" medium="image">
  338. <media:title type="html">1</media:title>
  339. </media:content>
  340.  
  341. <media:content url="http://collaborationben.files.wordpress.com/2016/10/3.jpg" medium="image">
  342. <media:title type="html">3</media:title>
  343. </media:content>
  344.  
  345. <media:content url="http://collaborationben.files.wordpress.com/2016/10/4.jpg" medium="image">
  346. <media:title type="html">4</media:title>
  347. </media:content>
  348.  
  349. <media:content url="http://collaborationben.files.wordpress.com/2016/10/5.jpg" medium="image">
  350. <media:title type="html">5</media:title>
  351. </media:content>
  352.  
  353. <media:content url="http://collaborationben.files.wordpress.com/2016/10/10.jpg" medium="image">
  354. <media:title type="html">10</media:title>
  355. </media:content>
  356.  
  357. <media:content url="http://collaborationben.files.wordpress.com/2016/10/6.jpg" medium="image">
  358. <media:title type="html">6</media:title>
  359. </media:content>
  360.  
  361. <media:content url="http://collaborationben.files.wordpress.com/2016/10/11.jpg" medium="image">
  362. <media:title type="html">11</media:title>
  363. </media:content>
  364. </item>
  365. <item>
  366. <title>Sametime and NETWORK_SPRAYER_ADDRESS</title>
  367. <link>https://collaborationben.com/2016/10/04/sametime-and-network_sprayer_address/</link>
  368. <comments>https://collaborationben.com/2016/10/04/sametime-and-network_sprayer_address/#respond</comments>
  369. <pubDate>Tue, 04 Oct 2016 20:09:44 +0000</pubDate>
  370. <dc:creator><![CDATA[collaborationben]]></dc:creator>
  371. <category><![CDATA[Sametime 9.0.1]]></category>
  372. <category><![CDATA[Domino]]></category>
  373. <category><![CDATA[ibmsametime]]></category>
  374. <category><![CDATA[NETWORK_SPRAYER_ADDRESS]]></category>
  375. <category><![CDATA[Notes]]></category>
  376. <category><![CDATA[SSO]]></category>
  377.  
  378. <guid isPermaLink="false">http://collaborationben.com/?p=672</guid>
  379. <description><![CDATA[I am planning to move our internal servers to the latest Sametime servers which are using a different LDAP. I have constructed managed-community-configs.xml to redirect the clients to the new Community server sitting behind a DNS alias of sametime.acme.com whilst resetting the client and automatically signing them in to the new servers using Notes client [&#8230;]]]></description>
  380. <content:encoded><![CDATA[<p>I am planning to move our internal servers to the latest Sametime servers, which are using a different LDAP. I have constructed managed-community-configs.xml to redirect the clients to the new Community server sitting behind a DNS alias of sametime.acme.com, whilst resetting the client and automatically signing them in to the new servers using Notes client single sign on, but I kept having a problem when the client tried to log in to the new Community server.</p>
  381. <p>I found that the client wouldn&#8217;t log in to the new server using the Notes single sign on method. This process sends the Notes ID to the Community server (or another Domino server). Domino then checks the Notes ID and then sends back an LtpaToken to the Notes client. The Notes client sends the same LtpaToken to the Community server which Sametime uses to authenticate the user.</p>
  382. <p>This really frustrated me. I couldn&#8217;t work out why this was happening. I enabled Wireshark trace and compared a successful connection to another server with the failing one. I found that the packets were similar up until a point and then there was a FIN, ACK. This normally means one of the host terminates the connection which seemed odd.</p>
  383. <p>I spoke with a colleague who is a goldmine of Domino knowledge and after a bit of experimentation we found that when I try opening sametime.acme.com in the Notes client (Ctrl + O) it failed whilst it worked when opening a database for the actual Domino server ie sametime004.acme.com worked.</p>
  384. <p>When putting  a trace on the client I got the following:</p>
  385. <pre><em>Using address 'x.x.x.x' for sametime.acme.com on TCPIP</em>
  386. <em>Connected to the wrong server Sametime/Servers/ACME using address x.x.x.x</em>
  387. <em>Using address 'sametime.acme.com' for sametime.acme.com on TCPIP</em>
  388. <em>Unable to connect to sametime.acme.com on TCPIP (The server is not
  389. responding. The server may be down or you may be experiencing network
  390. problems. Contact your system administrator if this problem persists.)</em></pre>
<p>The server document lists sametime004.acme.com, not sametime.acme.com, as the fully qualified Internet host name, since that is the Domino server&#8217;s real name. I changed the FQHN on the Basics tab to sametime.acme.com and restarted the server. Now I could open a database using sametime.acme.com.</p>
<p>Going back to the Wireshark trace, the FIN, ACK was Domino closing the connection because the name the Notes client supplied did not match the server&#8217;s own name.</p>
<p>My colleague then came up with NETWORK_SPRAYER_ADDRESS. This notes.ini setting is described <a href="https://www-10.lotus.com/ldd/dominowiki.nsf/dx/network_sprayer_address" target="_blank">here</a>.</p>
  394. <pre><em>When a notes client connects to a Domino server part of the protocol
  395. exchange includes the notes client telling the server what it thinks
the server's name is.</em>
<em>If the names do not match, the connection is
  397. terminated. This mechanism is part of the code which supports partitioned
  398. servers running on the same IP address. However, because of this
  399. algorithm, we cannot use network sprayers in front of Domino servers.
  400. When a Notes client uses a Network Sprayer address as a Domino server
  401. address, the network sprayer may make the final connection to any of
  402. the Domino servers behind it. If the name supplied by the client is not
  403. the Domino server name of the selected server, the connection will be
  404. broken. This fix provides a mechanism to skip the server name checking
  405. to allow this configuration to work.</em></pre>
<p>I stopped Domino, added NETWORK_SPRAYER_ADDRESS=* to notes.ini and started Domino again. On testing I could open a database using either sametime.acme.com or sametime004.acme.com.</p>
<p>When I tested managed-community-configs.xml again, my Notes client signed in to the new Community server without any problem!</p>
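<p>As an added example (not part of the original post), here is a small Python 3 script that does two things: it pulls the &#8220;Connected to the wrong server&#8221; lines out of a Notes client trace like the one above and pairs each with the name the client actually asked for, and it models the server-name check from the wiki text in a few lines so you can see which aliases will fail before you touch a server document or notes.ini. The trace, the DNS map and the server-document entries are constructed. The model (the alias resolves to an address, Domino compares the name the client used with the FQHN in its own server document, and a NETWORK_SPRAYER_ADDRESS of * skips the comparison for everyone) is a simplification of the quoted description, not Domino&#8217;s code.</p>

```python
import re

# Constructed sample modelled on the Notes client trace quoted above, with one
# unrelated successful line added; it is not a real capture.
SAMPLE_TRACE = """\
Using address 'x.x.x.x' for sametime.acme.com on TCPIP
Connected to the wrong server Sametime/Servers/ACME using address x.x.x.x
Using address 'sametime.acme.com' for sametime.acme.com on TCPIP
Unable to connect to sametime.acme.com on TCPIP (The server is not
responding. The server may be down or you may be experiencing network
problems. Contact your system administrator if this problem persists.)
Using address '10.0.0.5' for mail01.acme.com on TCPIP
"""

USING_RE = re.compile(r"^Using address '(?P<addr>[^']+)' for (?P<name>\S+) on (?P<port>\S+)$")
WRONG_RE = re.compile(r"^Connected to the wrong server (?P<server>\S+) using address (?P<addr>\S+)$")


def find_name_mismatches(trace):
    """Pair each 'Connected to the wrong server' line with the most recent
    'Using address' line for the same address, so the report shows the name the
    client asked for, where it resolved and which Domino server answered."""
    requested_by_addr = {}
    findings = []
    for line in trace.splitlines():
        m = USING_RE.match(line)
        if m:
            requested_by_addr[m["addr"]] = m["name"]
            continue
        m = WRONG_RE.match(line)
        if m:
            findings.append({
                "requested": requested_by_addr.get(m["addr"], "?"),
                "address": m["addr"],
                "answered_by": m["server"],
            })
    return findings


def resolve(name, dns):
    """Follow CNAME-style aliases in the constructed dns map until an address is reached."""
    seen = set()
    while name in dns and name not in seen:
        seen.add(name)
        name = dns[name]
    return name


def notes_client_connects(requested, dns, servers, notes_ini):
    """Simplified model of the server-name check in the wiki text quoted above
    (an assumption about Domino's behaviour, not its code): the client names
    `requested`; Domino compares it with the FQHN in its server document and
    drops the session on mismatch unless NETWORK_SPRAYER_ADDRESS=* is set."""
    fqhn = servers.get(resolve(requested, dns))
    if fqhn is None:
        return False                        # nothing answering at that address
    if notes_ini.get("NETWORK_SPRAYER_ADDRESS", "") == "*":
        return True                         # name check skipped for every client
    return requested.lower() == fqhn.lower()


# Constructed topology: the alias points at sametime004, whose server document
# still lists its real host name as the FQHN.
DNS = {"sametime.acme.com": "sametime004.acme.com", "sametime004.acme.com": "10.1.2.3"}
SERVERS = {"10.1.2.3": "sametime004.acme.com"}   # address -> FQHN in the server document

if __name__ == "__main__":
    for f in find_name_mismatches(SAMPLE_TRACE):
        print("client asked for %(requested)s at %(address)s, got %(answered_by)s" % f)
    for ini in ({}, {"NETWORK_SPRAYER_ADDRESS": "*"}):
        print(ini, notes_client_connects("sametime.acme.com", DNS, SERVERS, ini))
```

<p>Feed the first function a real client trace and it lists every alias that Domino rejected together with the server that answered; the second lets you try the alias, the real host name and the notes.ini change against your own DNS and server-document entries before changing anything in production.</p>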
<p>The crux is that I was using a DNS alias to connect to Domino, and the alias did not match the actual Domino server name. Sametime itself does not care, but the Notes protocol does: the client tells Domino which server it expects to reach, and Domino drops the connection on a mismatch. NETWORK_SPRAYER_ADDRESS tells Domino to skip that check and allow the client to connect. Bear in mind that a value of * turns the check off for every inbound Notes connection, not just those arriving via the alias; the check exists to stop a client being silently connected to a different server than the one it named, so read the wiki page for a narrower value before settling on *.</p><br />  <a rel="nofollow" href="http://feeds.wordpress.com/1.0/gocomments/collaborationben.wordpress.com/672/"><img alt="" border="0" src="http://feeds.wordpress.com/1.0/comments/collaborationben.wordpress.com/672/" /></a> <img alt="" border="0" src="https://pixel.wp.com/b.gif?host=collaborationben.com&#038;blog=17920770&#038;post=672&#038;subd=collaborationben&#038;ref=&#038;feed=1" width="1" height="1" />]]></content:encoded>
  409. <wfw:commentRss>https://collaborationben.com/2016/10/04/sametime-and-network_sprayer_address/feed/</wfw:commentRss>
  410. <slash:comments>0</slash:comments>
  411. <media:content url="http://1.gravatar.com/avatar/73d65d70497b3486650a324a0d88ecf1?s=96&#38;d=identicon&#38;r=G" medium="image">
  412. <media:title type="html">collaborationben</media:title>
  413. </media:content>
  414. </item>
  415. <item>
  416. <title>End to Surveys problems in IBM Connections 5.0?</title>
  417. <link>https://collaborationben.com/2016/08/15/end-to-surveys-problems-in-ibm-connections-5-0/</link>
  418. <comments>https://collaborationben.com/2016/08/15/end-to-surveys-problems-in-ibm-connections-5-0/#respond</comments>
  419. <pubDate>Mon, 15 Aug 2016 08:42:11 +0000</pubDate>
  420. <dc:creator><![CDATA[collaborationben]]></dc:creator>
  421. <category><![CDATA[Connections]]></category>
  422. <category><![CDATA[Uncategorized]]></category>
  423. <category><![CDATA[FEB]]></category>
  424. <category><![CDATA[ibmconnections]]></category>
  425. <category><![CDATA[rhel]]></category>
  426. <category><![CDATA[Surveys]]></category>
  427. <category><![CDATA[tmpwatch]]></category>
  428.  
  429. <guid isPermaLink="false">http://collaborationben.com/?p=665</guid>
  430. <description><![CDATA[I wrote a blog post Ongoing issues with Surveys (FEB) and IBM Connections which detailed some problems a customer was having with Surveys. This dragged on and resulted in a couple of PMR&#8217;s being raised with IBM but I am hopefully at the end of it now. Recently IBM provided me with a modified .jar [&#8230;]<img alt="" border="0" src="https://pixel.wp.com/b.gif?host=collaborationben.com&#038;blog=17920770&#038;post=665&#038;subd=collaborationben&#038;ref=&#038;feed=1" width="1" height="1" />]]></description>
<content:encoded><![CDATA[<p>I wrote a blog post, <a href="https://collaborationben.com/2016/04/05/ongoing-issues-with-surveys-feb-and-ibm-connections/" target="_blank">Ongoing issues with Surveys (FEB) and IBM Connections</a>, which detailed some problems a customer was having with Surveys. This dragged on and resulted in a couple of PMRs being raised with IBM, but I am hopefully at the end of it now.</p>
<p>Recently IBM provided me with a modified .jar that produces additional output when the problem occurs. I needed to add it to the EAR file, which I did as follows.</p>
<pre># cd /opt/IBM/WebSphere/AppServer/profiles/Dmgr01/bin/
# ./wsadmin.sh -lang jython
wsadmin&gt;AdminApp.export('Forms Experience Builder', '/tmp/Forms Experience Builder.ear')
# cp /tmp/Forms\ Experience\ Builder.ear /tmp/Forms\ Experience\ Builder.ear.orig
# mkdir /tmp/feb_expanded
# mkdir /tmp/feb_collapsed
# /opt/IBM/WebSphere/AppServer/bin/EARExpander.sh -ear /tmp/Forms\ Experience\ Builder.ear -operationDir /tmp/feb_expanded/ -operation expand
ADMA4006I: Expanding enterprise archive (EAR) file /tmp/Forms Experience Builder.ear to directory /tmp/feb_expanded/.
# mkdir /tmp/feb_backup
# mv /tmp/feb_expanded/builder.war/WEB-INF/lib/ibm.fsp.core.service.startup-8.0.1.35.jar/ /tmp/feb_backup/
# cp -R /home/ldap/BenW/17891.033.866.ibm.fsp.core.service.startup-8.0.1.81/ /tmp/feb_expanded/builder.war/WEB-INF/lib/ibm.fsp.core.service.startup-8.0.1.35.jar
# /opt/IBM/WebSphere/AppServer/bin/EARExpander.sh -ear '/tmp/feb_collapsed/Forms Experience Builder.ear' -operationDir /tmp/feb_expanded/ -operation collapse
ADMA4007I: Collapsing the contents of directory /tmp/feb_expanded/ to enterprise archive (EAR) file /tmp/feb_collapsed/Forms Experience Builder.ear.</pre>
<p>Then update the running application from the ISC, pointing it at /tmp/feb_collapsed/Forms Experience Builder.ear and accepting the default values.</p>
<p>After a period of time I found a different error in SystemOut.log. In the UI it stopped me creating new surveys, though I could still complete existing ones, which was slightly different from what I was seeing when I raised the PMR. The exception was:</p>
<pre>[7/11/16 10:34:12:359 BST] 00001b1e StandardExcep E com.ibm.form.nitro.platform.StandardExceptionMapper toResponse ac7d3dec-57f7-482f-83e5-9eaf77c82cbb
java.lang.RuntimeException: Error reading from /tmp/ibm.fsp.temp.1466513524000/fspjars, isDirectory = false, exists = false, canRead = false
at com.ibm.form.platform.service.startup.IsolatingClassLoader.getFileList(IsolatingClassLoader.java:1577)
at com.ibm.form.platform.service.startup.IsolatingClassLoader.access$100(IsolatingClassLoader.java:47)&#8230;</pre>
<p>I created /tmp/ibm.fsp.temp.1466513524000/fspjars by hand and some functionality returned, but it wasn&#8217;t until I restarted the JVM that it started to work properly.</p>
<p>IBM told me that the problem is the /tmp directory being cleaned out: when that removes the directory above, FEB breaks.</p>
<p>After a bit of Googling I found that tmpwatch was removing files and directories under /tmp that had gone untouched for 10 days. To stop it touching the FEB directory I added the text in bold.</p>
  455. <pre># vi /etc/cron.daily/tmpwatch
  456. #! /bin/sh
  457. flags=-umc
  458. /usr/sbin/tmpwatch "$flags" -x /tmp/.X11-unix -x /tmp/.XIM-unix \
  459.         -x /tmp/.font-unix -x /tmp/.ICE-unix -x /tmp/.Test-unix \
  460.         -X '/tmp/hsperfdata_*' -X '/tmp/.hdb*lock' -X '/tmp/.sapstartsrv*.log' \
  461.         <strong>-X '/tmp/ibm.fsp.*'</strong> -X '/tmp/pymp-*' 10d /tmp
  462. /usr/sbin/tmpwatch "$flags" 30d /var/tmp
  463. for d in /var/{cache/man,catman}/{cat?,X11R6/cat?,local/cat?}; do
  464.     if [ -d "$d" ]; then
  465.         /usr/sbin/tmpwatch "$flags" -f 30d "$d"
  466.     fi
  467. done</pre>
<p>After a few weeks the problem had not manifested again, and IBM told me that the cause of the initial PMR was the /tmp directory being emptied. I was dubious at first, but then found <a href="https://developer.ibm.com/answers/questions/219765/periodically-my-feb-server-stops-working-properly.html" rel="nofollow">https://developer.ibm.com/answers/questions/219765/periodically-my-feb-server-stops-working-properly.html</a>, which describes problems due to the /tmp directory being cleaned out.</p>
<p>As WAS writes other things to /tmp too (it is the JVM&#8217;s default temporary directory), I decided to set the <strong>java.io.tmpdir</strong> JVM custom property so that WAS uses a directory under /opt/ where tmpwatch will not clean it. Create that directory owned by the user WAS runs as, with permissions that keep other local users out: the sticky-bit protection that /tmp gets does not apply to a directory you create under /opt.</p>
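<p>To make the tmpwatch part concrete, here is an added example (not from the post or from IBM) in Python 3 that parses the tmpwatch lines of a cron script, with their -x and -X exclusions, and works out whether a given path will be reaped, excluded or left alone. The cron text below is a constructed copy of the /tmp and /var/tmp rules quoted above, before and after the exclusion was added; the exclusion logic follows the tmpwatch man page, where an excluded directory&#8217;s contents are skipped as well.</p>

```python
import fnmatch
import os
import shlex

# Constructed copy of the /tmp and /var/tmp rules from the RHEL cron.daily/tmpwatch
# script quoted above, before the -X '/tmp/ibm.fsp.*' exclusion was added.
CRON_BEFORE = r"""
flags=-umc
/usr/sbin/tmpwatch "$flags" -x /tmp/.X11-unix -x /tmp/.XIM-unix \
        -x /tmp/.font-unix -x /tmp/.ICE-unix -x /tmp/.Test-unix \
        -X '/tmp/hsperfdata_*' -X '/tmp/.hdb*lock' -X '/tmp/.sapstartsrv*.log' \
        -X '/tmp/pymp-*' 10d /tmp
/usr/sbin/tmpwatch "$flags" 30d /var/tmp
"""
# The same script with the exclusion from the post added.
CRON_AFTER = CRON_BEFORE.replace("-X '/tmp/pymp-*' 10d", "-X '/tmp/ibm.fsp.*' -X '/tmp/pymp-*' 10d")


def parse_tmpwatch_rules(script):
    """Return (managed_dir, age, skip_paths, skip_patterns) for every tmpwatch
    invocation in the script; shell line continuations are joined first."""
    rules = []
    for line in script.replace("\\\n", " ").splitlines():
        line = line.strip()
        if not line.startswith("/usr/sbin/tmpwatch"):
            continue
        tokens = shlex.split(line)[1:]
        paths, patterns, positional = [], [], []
        i = 0
        while i != len(tokens):
            tok = tokens[i]
            if tok == "-x":                     # -x PATH: skip the path and its contents
                paths.append(tokens[i + 1])
                i += 2
            elif tok == "-X":                   # -X GLOB: skip anything matching the glob
                patterns.append(tokens[i + 1])
                i += 2
            elif tok.startswith(("-", "$")):    # "$flags", -f and the like: not modelled
                i += 1
            else:
                positional.append(tok)
                i += 1
        if len(positional) >= 2 and not positional[-1].startswith("$"):
            rules.append((positional[-1], positional[-2], paths, patterns))
    return rules


def _ancestors(path):
    """Yield the normalised path, then each parent directory up to the root."""
    p = os.path.normpath(path)
    while True:
        yield p
        parent = os.path.dirname(p)
        if parent == p:
            return
        p = parent


def fate(path, rules):
    """Decide what tmpwatch will do with path: 'unmanaged' if no rule covers it,
    'excluded' if it or a parent directory matches an -x path or -X glob (tmpwatch
    skips the contents of an excluded directory), otherwise 'reaped after <age>'."""
    for managed, age, paths, patterns in rules:
        if not path.startswith(managed.rstrip("/") + "/"):
            continue
        for p in _ancestors(path):
            if p in paths or any(fnmatch.fnmatchcase(p, g) for g in patterns):
                return "excluded"
        return "reaped after " + age
    return "unmanaged"


FEB_DIR = "/tmp/ibm.fsp.temp.1466513524000/fspjars"   # the directory from the exception above

if __name__ == "__main__":
    for label, script in (("before", CRON_BEFORE), ("after", CRON_AFTER)):
        print(label, FEB_DIR, fate(FEB_DIR, parse_tmpwatch_rules(script)))
    print("java.io.tmpdir under /opt:", fate("/opt/IBM/WebSphere/tmp/x.jar", parse_tmpwatch_rules(CRON_AFTER)))
```

<p>Point it at your own /etc/cron.daily/tmpwatch and the paths a JVM writes to (the FEB scratch directory, hsperfdata, anything under java.io.tmpdir) and it tells you which of them the nightly run will delete; the constructed example shows the FEB directory going from reaped to excluded with the one -X entry, and a directory under /opt never being in scope at all.</p>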
  470. <p>Fingers crossed this is the end of it.</p><br />  <a rel="nofollow" href="http://feeds.wordpress.com/1.0/gocomments/collaborationben.wordpress.com/665/"><img alt="" border="0" src="http://feeds.wordpress.com/1.0/comments/collaborationben.wordpress.com/665/" /></a> <img alt="" border="0" src="https://pixel.wp.com/b.gif?host=collaborationben.com&#038;blog=17920770&#038;post=665&#038;subd=collaborationben&#038;ref=&#038;feed=1" width="1" height="1" />]]></content:encoded>
  471. <wfw:commentRss>https://collaborationben.com/2016/08/15/end-to-surveys-problems-in-ibm-connections-5-0/feed/</wfw:commentRss>
  472. <slash:comments>0</slash:comments>
  473. <media:content url="http://1.gravatar.com/avatar/73d65d70497b3486650a324a0d88ecf1?s=96&#38;d=identicon&#38;r=G" medium="image">
  474. <media:title type="html">collaborationben</media:title>
  475. </media:content>
  476. </item>
  477. <item>
  478. <title>IBM Connections Mail and Ephemeral Diffie-Hellman key size error  &#8211; part 2</title>
  479. <link>https://collaborationben.com/2016/07/18/ibm-connections-mail-and-ephemeral-diffie-hellman-key-size-error-part-2/</link>
  480. <comments>https://collaborationben.com/2016/07/18/ibm-connections-mail-and-ephemeral-diffie-hellman-key-size-error-part-2/#respond</comments>
  481. <pubDate>Mon, 18 Jul 2016 07:30:56 +0000</pubDate>
  482. <dc:creator><![CDATA[collaborationben]]></dc:creator>
  483. <category><![CDATA[Connections]]></category>
  484. <category><![CDATA[Security]]></category>
  485. <category><![CDATA[SSL]]></category>
  486. <category><![CDATA[DHE]]></category>
  487. <category><![CDATA[Diffie-Hellman]]></category>
  488. <category><![CDATA[ibmconnections]]></category>
  489. <category><![CDATA[wasserv]]></category>
  490. <category><![CDATA[WebSphere]]></category>
  491.  
  492. <guid isPermaLink="false">http://collaborationben.com/?p=662</guid>
  493. <description><![CDATA[I wrote about the effects using DHE ciphers can have depending on the size of the SSL certificate used by iNotes when IBM Connections Mail is in play in IBM Connections Mail and Ephemeral Diffie-Hellman key size error In this blog I suggested the work around was to use the following notes.ini setting. SSL_DH_KEYSIZE=2048 Our [&#8230;]<img alt="" border="0" src="https://pixel.wp.com/b.gif?host=collaborationben.com&#038;blog=17920770&#038;post=662&#038;subd=collaborationben&#038;ref=&#038;feed=1" width="1" height="1" />]]></description>
<content:encoded><![CDATA[<p>I wrote about the effect that DHE ciphers can have, depending on the key size of the SSL certificate used by iNotes, when IBM Connections Mail is in play, in <a href="https://collaborationben.com/2016/07/12/ibm-connections-mail-and-ephemeral-diffie-hellman-key-size-error/">IBM Connections Mail and Ephemeral Diffie-Hellman key size error</a>.</p>
<p>In that post I suggested the workaround was the following notes.ini setting.</p>
  496. <pre>SSL_DH_KEYSIZE=2048</pre>
<p>Our Domino admins weren&#8217;t too keen on lowering the DH key size (the setting only changes the size of the ephemeral DH group Domino generates for DHE suites, not the RSA key in the certificate, but it was their call), so I had to find a way of stopping the server from selecting one of the DHE ciphers.</p>
<p>This is the Domino TLS debug output when the DHE cipher is selected. Note the two SSLEncodeDHKeyParams lines: Domino sizes the ephemeral DH group to match the server&#8217;s 4096-bit RSA key, and the client then aborts the handshake with a fatal internal_error alert.</p>
  499. <p dir="ltr" style="padding-left:30px;">[00403:00011-2285692672] 07/15/2016 11:07:54.94 AM SSLProcessClientHello&gt; Client requested RSA_WITH_AES_128_CBC_SHA (0x002F)<br />
  500. [00403:00011-2285692672] 07/15/2016 11:07:54.94 AM SSLProcessClientHello&gt; Best common cipherspec 0x002F (so far)<br />
  501. [00403:00011-2285692672] 07/15/2016 11:07:54.94 AM SSLProcessClientHello&gt; Best common non-EC cipherspec 0x002F (so far)<br />
  502. [00403:00011-2285692672] 07/15/2016 11:07:54.94 AM SSLProcessClientHello&gt; Client requested RSA_WITH_AES_256_CBC_SHA (0x0035)<br />
  503. [00403:00011-2285692672] 07/15/2016 11:07:54.94 AM SSLProcessClientHello&gt; Best common cipherspec 0x0035 (so far)<br />
  504. [00403:00011-2285692672] 07/15/2016 11:07:54.94 AM SSLProcessClientHello&gt; Best common non-EC cipherspec 0x0035 (so far)<br />
  505. [00403:00011-2285692672] 07/15/2016 11:07:54.94 AM SSLProcessClientHello&gt; Client requested DHE_RSA_WITH_AES_128_CBC_SHA (0x0033)<br />
  506. [00403:00011-2285692672] 07/15/2016 11:07:54.94 AM SSLProcessClientHello&gt; Client requested DHE_RSA_WITH_AES_256_CBC_SHA (0x0039)<br />
  507. [00403:00011-2285692672] 07/15/2016 11:07:54.94 AM SSLProcessClientHello&gt;<strong> Best common cipherspec 0x0039 (so far)</strong><br />
  508. [00403:00011-2285692672] 07/15/2016 11:07:54.94 AM SSLProcessClientHello&gt; <strong>Best common non-EC cipherspec 0x0039 (so far)</strong><br />
  509. [00403:00011-2285692672] 07/15/2016 11:07:54.94 AM SSLProcessClientHello&gt; Client requested DHE_DSS_WITH_AES_128_CBC_SHA (0x0032)<br />
  510. [00403:00011-2285692672] 07/15/2016 11:07:54.94 AM SSLProcessClientHello&gt; Client requested DHE_DSS_WITH_AES_256_CBC_SHA (0x0038)<br />
  511. [00403:00011-2285692672] 07/15/2016 11:07:54.94 AM SSLProcessClientHello&gt; Client requested RSA_WITH_3DES_EDE_CBC_SHA (0x000A)<br />
  512. [00403:00011-2285692672] 07/15/2016 11:07:54.94 AM SSLProcessClientHello&gt; Client requested DHE_RSA_WITH_3DES_EDE_CBC_SHA (0x0016)<br />
  513. [00403:00011-2285692672] 07/15/2016 11:07:54.94 AM SSLProcessClientHello&gt; Client requested Unknown Cipher (0x0013)<br />
  514. [00403:00011-2285692672] 07/15/2016 11:07:54.94 AM SSLProcessClientHello&gt; Client requested TLS_EMPTY_RENEGOTIATION_INFO_SCSV (0x00FF)<br />
  515. [00403:00011-2285692672] 07/15/2016 11:07:54.94 AM SSLProcessClientHello&gt; TLS_EMPTY_RENEGOTIATION_INFO_SCSV found<br />
  516. [00403:00011-2285692672] 07/15/2016 11:07:54.94 AM SSLProcessClientHello&gt; Extensions found in this message<br />
  517. [00403:00011-2285692672] 07/15/2016 11:07:54.94 AM SSLProcessClientHello&gt; Processing TLS signature algorithms extension<br />
  518. [00403:00011-2285692672] 07/15/2016 11:07:54.94 AM SSLProcessClientHello&gt; Client supports hash mask 0x007E; server cert chain has mask 0x0030<br />
  519. [00403:00011-2285692672] 07/15/2016 11:07:54.94 AM SSLProcessClientHello&gt; hash/alg in certchain  fSupHasAlg:0000<br />
  520. [00403:00011-2285692672] 07/15/2016 11:07:54.94 AM SSLProcessClientHello&gt; <strong>We selected cipher DHE_RSA_WITH_AES_256_CBC_SHA (0x0039)</strong><br />
  521. [00403:00011-2285692672] 07/15/2016 11:07:54.94 AM SSLProcessHandshakeMessage Exit&gt; Message: ClientHello (1) State: HandshakeServerIdle (3) Key Exchange: 9 Cipher: <strong>DHE_RSA_WITH_AES_256_CBC_SHA (0x0039)</strong><br />
  522. [00403:00011-2285692672] 07/15/2016 11:07:54.94 AM SSLAdvanceHandshake Enter&gt; Processed: ClientHello (1) State: HandshakeServerIdle (3)<br />
  523. [00403:00011-2285692672] 07/15/2016 11:07:54.94 AM SSLAdvanceHandshake client_hello&gt; SGC FLAG: 0   Count = 2<br />
  524. [00403:00011-2285692672] 07/15/2016 11:07:54.94 AM SSLAdvanceHandshake calling SSLPrepareAndQueueMessage&gt; SSLEncodeServerHello<br />
  525. [00403:00011-2285692672] 07/15/2016 11:07:54.94 AM SSLEncodeServerHello&gt; Sending empty renegotiation_info (0xff01) extension<br />
  526. [00403:00011-2285692672] 07/15/2016 11:07:54.94 AM SSLAdvanceHandshake calling SSLPrepareAndQueueMessage&gt; SSLEncodeCertificate<br />
  527. [00403:00011-2285692672] 07/15/2016 11:07:54.94 AM SSLEncodeCertificate&gt; Generating a certificate message with 3 certs<br />
  528. [00403:00011-2285692672] 07/15/2016 11:07:54.94 AM SSLAdvanceHandshake calling SSLPrepareAndQueueMessage&gt; SSLEncodeServerKeyExchange<br />
  529. [00403:00011-2285692672] 07/15/2016 11:07:54.94 AM SSLEncodeDHKeyParams&gt; Server RSA key size 4096 bits<br />
  530. [00403:00011-2285692672] 07/15/2016 11:07:54.94 AM SSLEncodeDHKeyParams&gt; Using a DH key size of 4096 bits<br />
  531. [00403:00011-2285692672] 07/15/2016 11:07:55.01 AM SSLEncodeRSAServerKeyExchange&gt; Signing ServerKeyExchange using RSAWithSHA256<br />
  532. [00403:00011-2285692672] 07/15/2016 11:07:55.04 AM SSLAdvanceHandshake calling SSLPrepareAndQueueMessage&gt; SSLEncodeServerHelloDone<br />
  533. [00403:00011-2285692672] 07/15/2016 11:07:55.04 AM SSLAdvanceHandshake Exit&gt; State HandshakeClientKeyExchange (11)<br />
  534. [00403:00011-2285692672] 07/15/2016 11:07:55.04 AM SSL_Handshake&gt; After handshake state = HandshakeClientKeyExchange (11); Status = -5000<br />
  535. [00403:00011-2285692672] 07/15/2016 11:07:55.04 AM int_MapSSLError&gt; Mapping SSL error -5000 to 4176 [SSLHandshakeNoDone]<br />
  536. [00403:00011-2285692672] 07/15/2016 11:07:55.06 AM SSLProcessProtocolMessage&gt; Record Content: Alert (21)<br />
  537. [00403:00011-2285692672] 07/15/2016 11:07:55.06 AM SSLProcessAlert&gt; Got an alert of 0x50 (internal_error) level 0x2 (fatal)<br />
  538. [00403:00011-2285692672] 07/15/2016 11:07:55.06 AM SSL_Handshake&gt; After handshake2 state HandshakeClientKeyExchange (11)<br />
  539. [00403:00011-2285692672] 07/15/2016 11:07:55.06 AM SSL_Handshake&gt; SSL Error: -6994<br />
  540. [00403:00011-2285692672] 07/15/2016 11:07:55.06 AM int_MapSSLError&gt; Mapping SSL error -6994 to 4171 [SSLFatalAlert]</p>
<p dir="ltr">The idea was to remove DHE_RSA_WITH_AES_256_CBC_SHA (0x0039) from the list of ciphers the server offers.</p>
<p dir="ltr">You can do this by listing explicitly every cipher Domino may use with the SSLCipherSpec notes.ini setting.</p>
<p dir="ltr">I stopped Domino, added the following to notes.ini and then started Domino.</p>
  544. <pre>SSLCipherSpec=C030009FC02F009EC028006BC014C0270067C013009D009C003D0035003C02F000A</pre>
<p dir="ltr">You can see that <strong>0039</strong> is not in the string, so Domino will not offer DHE_RSA_WITH_AES_256_CBC_SHA and another cipher will be negotiated. Note, though, that the string still contains four other DHE_RSA suites (009F, 009E, 006B and 0067); a client that offers any of those will still be handed a 4096-bit DH group. The client in the trace below offers none of them, which is why this list works here.</p>
<p dir="ltr">On restart you can see that <strong>RSA_WITH_AES_256_CBC_SHA</strong> is now selected and the handshake completes. The first line of the log is also worth a look: Domino reports <em>Ignoring invalid SSLCipherSpec value F0</em> and loads 15 ciphers, which points at the tail of the string above. After 003C it reads 02F000A, so the 002F entry has lost a digit; the intended entries are 003C, 002F (RSA_WITH_AES_128_CBC_SHA) and 000A (RSA_WITH_3DES_EDE_CBC_SHA), and 002F should be written in full before the string is reused.</p>
  547. <p dir="ltr" style="padding-left:30px;">[06035:00011-2986616576] 07/15/2016 12:30:35.85 PM SSLInitContext&gt; Ignoring invalid SSLCipherSpec value F0<br />
  548. [06035:00011-2986616576] 07/15/2016 12:30:35.85 PM SSLInitContext&gt; User is forcing 0xFFF3800 cipher spec bitmask for 15 ciphers<br />
  549. [06035:00011-2986616576] 07/15/2016 12:30:35.85 PM SSL_TRUSTPOLICY&gt;  bits for signature hashes: 0030<br />
  550. [06035:00011-2986616576] 07/15/2016 12:30:35.85 PM int_MapSSLError&gt; Mapping SSL error 0 to 0 [SSLNoErr]<br />
  551. [06035:00011-2986616576] 07/15/2016 12:30:35.85 PM SSL_Handshake&gt; outgoing -&gt;protocolVersion: 0303<br />
  552. [06035:00011-2986616576] 07/15/2016 12:30:35.85 PM SSLProcessProtocolMessage&gt; Record Content: Handshake (22)<br />
  553. [06035:00011-2986616576] 07/15/2016 12:30:35.85 PM SSLProcessHandshakeMessage Enter&gt; Message: ClientHello (1) State: HandshakeServerIdle (3) Key Exchange: 0 Cipher: Unknown Cipher (0x0000)<br />
  554. [06035:00011-2986616576] 07/15/2016 12:30:35.85 PM SSLProcessHandshakeMessage client_hello&gt; SGC FLAG: 0 CTX state = 3 SGCCount = 0<br />
  555. [06035:00011-2986616576] 07/15/2016 12:30:35.85 PM SSLProcessClientHello&gt; clientVersion: 0303<br />
  556. [06035:00011-2986616576] 07/15/2016 12:30:35.85 PM SSLProcessClientHello&gt; SSL/TLS protocol clientVersion 0x0303, serverVersion 0x0303<br />
  557. [06035:00011-2986616576] 07/15/2016 12:30:35.85 PM SSLProcessClientHello&gt; 10 ciphers requested by client<br />
  558. [06035:00011-2986616576] 07/15/2016 12:30:35.85 PM SSLProcessClientHello&gt; Client requested RSA_WITH_AES_128_CBC_SHA (0x002F)<br />
  559. [06035:00011-2986616576] 07/15/2016 12:30:35.85 PM SSLProcessClientHello&gt; <strong>Client requested RSA_WITH_AES_256_CBC_SHA (0x0035)</strong><br />
  560. [06035:00011-2986616576] 07/15/2016 12:30:35.85 PM SSLProcessClientHello&gt; <strong>Best common cipherspec 0x0035 (so far)</strong><br />
  561. [06035:00011-2986616576] 07/15/2016 12:30:35.85 PM SSLProcessClientHello&gt; <strong>Best common non-EC cipherspec 0x0035 (so far)</strong><br />
  562. [06035:00011-2986616576] 07/15/2016 12:30:35.85 PM SSLProcessClientHello&gt; Client requested DHE_RSA_WITH_AES_128_CBC_SHA (0x0033)<br />
  563. [06035:00011-2986616576] 07/15/2016 12:30:35.85 PM SSLProcessClientHello&gt; Client requested DHE_RSA_WITH_AES_256_CBC_SHA (0x0039)<br />
  564. [06035:00011-2986616576] 07/15/2016 12:30:35.85 PM SSLProcessClientHello&gt; Client requested DHE_DSS_WITH_AES_128_CBC_SHA (0x0032)<br />
  565. [06035:00011-2986616576] 07/15/2016 12:30:35.85 PM SSLProcessClientHello&gt; Client requested DHE_DSS_WITH_AES_256_CBC_SHA (0x0038)<br />
  566. [06035:00011-2986616576] 07/15/2016 12:30:35.85 PM SSLProcessClientHello&gt; Client requested RSA_WITH_3DES_EDE_CBC_SHA (0x000A)<br />
  567. [06035:00011-2986616576] 07/15/2016 12:30:35.85 PM SSLProcessClientHello&gt; Client requested DHE_RSA_WITH_3DES_EDE_CBC_SHA (0x0016)<br />
  568. [06035:00011-2986616576] 07/15/2016 12:30:35.85 PM SSLProcessClientHello&gt; Client requested Unknown Cipher (0x0013)<br />
  569. [06035:00011-2986616576] 07/15/2016 12:30:35.85 PM SSLProcessClientHello&gt; Client requested TLS_EMPTY_RENEGOTIATION_INFO_SCSV (0x00FF)<br />
  570. [06035:00011-2986616576] 07/15/2016 12:30:35.85 PM SSLProcessClientHello&gt; TLS_EMPTY_RENEGOTIATION_INFO_SCSV found<br />
  571. [06035:00011-2986616576] 07/15/2016 12:30:35.85 PM SSLProcessClientHello&gt; Extensions found in this message<br />
  572. [06035:00011-2986616576] 07/15/2016 12:30:35.85 PM SSLProcessClientHello&gt; Processing TLS signature algorithms extension<br />
  573. [06035:00011-2986616576] 07/15/2016 12:30:35.85 PM SSLProcessClientHello&gt; Client supports hash mask 0x007E; server cert chain has mask 0x0030<br />
  574. [06035:00011-2986616576] 07/15/2016 12:30:35.85 PM SSLProcessClientHello&gt; hash/alg in certchain  fSupHasAlg:0000<br />
  575. [06035:00011-2986616576] 07/15/2016 12:30:35.85 PM SSLProcessClientHello&gt; We selected cipher <strong>RSA_WITH_AES_256_CBC_SHA (0x0035)</strong><br />
  576. [06035:00011-2986616576] 07/15/2016 12:30:35.85 PM SSLProcessHandshakeMessage Exit&gt; Message: ClientHello (1) State: HandshakeServerIdle (3) Key Exchange: 1 Cipher: RSA_WITH_AES_256_CBC_SHA (0x0035)<br />
  577. [06035:00011-2986616576] 07/15/2016 12:30:35.85 PM SSLAdvanceHandshake Enter&gt; Processed: ClientHello (1) State: HandshakeServerIdle (3)<br />
  578. [06035:00011-2986616576] 07/15/2016 12:30:35.85 PM SSLAdvanceHandshake client_hello&gt; SGC FLAG: 0   Count = 2<br />
  579. [06035:00011-2986616576] 07/15/2016 12:30:35.85 PM SSLAdvanceHandshake client_hello&gt; Using resumed SSL/TLS Session<br />
  580. [06035:00011-2986616576] 07/15/2016 12:30:35.85 PM SSLAdvanceHandshake calling SSLPrepareAndQueueMessage&gt; SSLEncodeServerHello<br />
  581. [06035:00011-2986616576] 07/15/2016 12:30:35.85 PM SSLEncodeServerHello&gt; Sending empty renegotiation_info (0xff01) extension<br />
  582. [06035:00011-2986616576] 07/15/2016 12:30:35.85 PM SSLAdvanceHandshake calling SSLPrepareAndQueueMessage&gt; SSLEncodeChangeCipherSpec<br />
  583. [06035:00011-2986616576] 07/15/2016 12:30:35.85 PM SSLAdvanceHandshake calling SSLPrepareAndQueueMessage&gt; SSLEncodeFinishedMessage<br />
  584. [06035:00011-2986616576] 07/15/2016 12:30:35.85 PM SSLCalculateTLS12FinishedMessage Enter&gt; senderID: server finished, PRF using SHA256<br />
  585. [06035:00011-2986616576] 07/15/2016 12:30:35.85 PM SSLAdvanceHandshake Exit&gt; State HandshakeChangeCipherSpec (13)<br />
  586. [06035:00011-2986616576] 07/15/2016 12:30:35.85 PM SSL_Handshake&gt; After handshake state = HandshakeChangeCipherSpec (13); Status = -5000<br />
  587. [06035:00011-2986616576] 07/15/2016 12:30:35.85 PM int_MapSSLError&gt; Mapping SSL error -5000 to 4176 [SSLHandshakeNoDone]<br />
  588. [06035:00011-2986616576] 07/15/2016 12:30:35.85 PM SSLProcessProtocolMessage&gt; Record Content: Change cipher spec (20)<br />
  589. [06035:00011-2986616576] 07/15/2016 12:30:35.85 PM SSL_Handshake&gt; After handshake2 state HandshakeFinished (14)<br />
  590. [06035:00011-2986616576] 07/15/2016 12:30:35.85 PM int_MapSSLError&gt; Mapping SSL error -5000 to 4176 [SSLHandshakeNoDone]<br />
  591. [06035:00011-2986616576] 07/15/2016 12:30:35.85 PM SSLProcessProtocolMessage&gt; Record Content: Handshake (22)<br />
  592. [06035:00011-2986616576] 07/15/2016 12:30:35.85 PM SSLProcessHandshakeMessage Enter&gt; Message: Finished (20) State: HandshakeFinished (14) Key Exchange: 1 Cipher: RSA_WITH_AES_256_CBC_SHA (0x0035)<br />
  593. [06035:00011-2986616576] 07/15/2016 12:30:35.85 PM SSLCalculateTLS12FinishedMessage Enter&gt; senderID: client finished, PRF using SHA256<br />
  594. [06035:00011-2986616576] 07/15/2016 12:30:35.85 PM SSLProcessHandshakeMessage Exit&gt; Message: Finished (20) State: HandshakeFinished (14) Key Exchange: 1 Cipher: RSA_WITH_AES_256_CBC_SHA (0x0035)<br />
  595. [06035:00011-2986616576] 07/15/2016 12:30:35.85 PM SSLAdvanceHandshake Enter&gt; Processed: Finished (20) State: HandshakeFinished (14)<br />
  596. [06035:00011-2986616576] 07/15/2016 12:30:35.85 PM SSLAdvanceHandshake Exit&gt; State HandshakeServerIdle (3)<br />
  597. [06035:00011-2986616576] 07/15/2016 12:30:35.85 PM SSL_Handshake&gt; After handshake2 state HandshakeServerIdle (3)<br />
  598. [06035:00011-2986616576] 07/15/2016 12:30:35.85 PM SSL_Handshake&gt; Using resumed SSL/TLS session<br />
  599. [06035:00011-2986616576] 07/15/2016 12:30:35.85 PM SSL_Handshake&gt; Protocol Version = TLS1.2 (0x303)<br />
  600. [06035:00011-2986616576] 07/15/2016 12:30:35.85 PM SSL_Handshake&gt; Cipher = <strong>RSA_WITH_AES_256_CBC_SHA (0x0035)</strong><br />
  601. [06035:00011-2986616576] 07/15/2016 12:30:35.85 PM SSL_Handshake&gt; KeySize = 256 bits<br />
  602. [06035:00011-2986616576] 07/15/2016 12:30:35.85 PM SSL_Handshake&gt; Server RSA key size = 4096 bits<br />
  603. [06035:00011-2986616576] 07/15/2016 12:30:35.85 PM SSL_Handshake&gt; TLS/SSL Handshake completed successfully<br />
  604. [06035:00011-2986616576] 07/15/2016 12:30:35.85 PM int_MapSSLError&gt; Mapping SSL error 0 to 0 [SSLNoErr]</p>
<p dir="ltr">The string below includes all the ECDHE ciphers detailed in <a href="https://www-10.lotus.com/ldd/dominowiki.nsf/dx/TLS_Cipher_Configuration">https://www-10.lotus.com/ldd/dominowiki.nsf/dx/TLS_Cipher_Configuration</a>, but not the DHE cipher that was tripping me up.</p>
  606. <pre>SSLCipherSpec=C030009FC02F009EC028006BC014C0270067C013009D009C003D0035003C02F000A</pre>
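<p>As an added example (not from the post), the following Python 3 script audits an SSLCipherSpec string: it splits it into cipher code points, names them, flags the DHE suites (the ones that make Domino generate the large ephemeral DH group) and reports anything it cannot parse. Run against the string above it shows that 0039 is indeed gone, that 009F, 009E, 006B and 0067 are still DHE suites, and that the tail is malformed (an unknown 02F0 entry plus a leftover 00A). The cipher-name table is from the IANA registry; the corrected string, with 002F written in full, is my reconstruction, and the 4-digit split is my parser&#8217;s, not Domino&#8217;s (Domino&#8217;s own log reported the same tail as an invalid value F0).</p>

```python
import re

# IANA names for the TLS cipher-suite code points that appear in this post.
CIPHER_NAMES = {
    "C030": "TLS_ECDHE_RSA_WITH_AES_256_GCM_SHA384",
    "C02F": "TLS_ECDHE_RSA_WITH_AES_128_GCM_SHA256",
    "C028": "TLS_ECDHE_RSA_WITH_AES_256_CBC_SHA384",
    "C027": "TLS_ECDHE_RSA_WITH_AES_128_CBC_SHA256",
    "C014": "TLS_ECDHE_RSA_WITH_AES_256_CBC_SHA",
    "C013": "TLS_ECDHE_RSA_WITH_AES_128_CBC_SHA",
    "009F": "TLS_DHE_RSA_WITH_AES_256_GCM_SHA384",
    "009E": "TLS_DHE_RSA_WITH_AES_128_GCM_SHA256",
    "006B": "TLS_DHE_RSA_WITH_AES_256_CBC_SHA256",
    "0067": "TLS_DHE_RSA_WITH_AES_128_CBC_SHA256",
    "0039": "TLS_DHE_RSA_WITH_AES_256_CBC_SHA",
    "0033": "TLS_DHE_RSA_WITH_AES_128_CBC_SHA",
    "0016": "TLS_DHE_RSA_WITH_3DES_EDE_CBC_SHA",
    "0038": "TLS_DHE_DSS_WITH_AES_256_CBC_SHA",
    "0032": "TLS_DHE_DSS_WITH_AES_128_CBC_SHA",
    "0013": "TLS_DHE_DSS_WITH_3DES_EDE_CBC_SHA",
    "009D": "TLS_RSA_WITH_AES_256_GCM_SHA384",
    "009C": "TLS_RSA_WITH_AES_128_GCM_SHA256",
    "003D": "TLS_RSA_WITH_AES_256_CBC_SHA256",
    "003C": "TLS_RSA_WITH_AES_128_CBC_SHA256",
    "0035": "TLS_RSA_WITH_AES_256_CBC_SHA",
    "002F": "TLS_RSA_WITH_AES_128_CBC_SHA",
    "000A": "TLS_RSA_WITH_3DES_EDE_CBC_SHA",
}

POSTED = "C030009FC02F009EC028006BC014C0270067C013009D009C003D0035003C02F000A"    # exactly as in the post
CORRECTED = "C030009FC02F009EC028006BC014C0270067C013009D009C003D0035003C002F000A"  # 002F written in full (my reconstruction)


def parse_cipherspec(value):
    """Split an SSLCipherSpec string into 4-hex-digit code points. The leftover
    is any trailing fragment shorter than four digits, a sure sign of a typo."""
    value = value.strip().upper()
    if not re.fullmatch(r"[0-9A-F]*", value):
        raise ValueError("SSLCipherSpec must contain hex digits only")
    whole = len(value) - len(value) % 4
    return [value[i:i + 4] for i in range(0, whole, 4)], value[whole:]


def audit_cipherspec(value):
    """Report what Domino would be told to offer: names, DHE suites (the ones
    that trigger the large ephemeral DH group), unknown entries and any leftover."""
    suites, leftover = parse_cipherspec(value)
    return {
        "suites": suites,
        "names": [CIPHER_NAMES.get(s, "UNKNOWN") for s in suites],
        "dhe": [s for s in suites if CIPHER_NAMES.get(s, "").startswith("TLS_DHE_")],
        "unknown": [s for s in suites if s not in CIPHER_NAMES],
        "leftover": leftover,
    }


def without_dhe(value):
    """Return the spec with every DHE suite removed, keeping the ECDHE suites at
    the front so clients that support them still get forward secrecy. Refuses
    to rewrite a spec that has a typo, so the error is fixed rather than hidden."""
    report = audit_cipherspec(value)
    if report["leftover"] or report["unknown"]:
        raise ValueError("fix the malformed entries first: %r %r" % (report["unknown"], report["leftover"]))
    return "".join(s for s in report["suites"] if s not in report["dhe"])


if __name__ == "__main__":
    for label, spec in (("posted", POSTED), ("corrected", CORRECTED)):
        r = audit_cipherspec(spec)
        print(label, len(r["suites"]), "suites; DHE:", r["dhe"], "unknown:", r["unknown"], "leftover:", repr(r["leftover"]))
    print("no DHE at all:", without_dhe(CORRECTED))
```

<p>The audit is the check to run before every restart, since Domino only tells you about a bad entry in its debug output. The without_dhe helper is the stricter version of what this post does: it drops every DHE suite rather than just 0039, so a client that happens to offer 009F or 006B cannot land on the 4096-bit DH group either, while the ECDHE suites at the front of the list still give forward secrecy to clients that support them.</p>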
<p dir="ltr">It works now, and I have tested it with all major browsers. I&#8217;m happy and so are the Domino guys<img src="https://s0.wp.com/wp-content/mu-plugins/wpcom-smileys/twemoji/2/72x72/1f642.png" alt="🙂" class="wp-smiley" style="height: 1em; max-height: 1em;" /></p><br />  <a rel="nofollow" href="http://feeds.wordpress.com/1.0/gocomments/collaborationben.wordpress.com/662/"><img alt="" border="0" src="http://feeds.wordpress.com/1.0/comments/collaborationben.wordpress.com/662/" /></a> <img alt="" border="0" src="https://pixel.wp.com/b.gif?host=collaborationben.com&#038;blog=17920770&#038;post=662&#038;subd=collaborationben&#038;ref=&#038;feed=1" width="1" height="1" />]]></content:encoded>
  608. <wfw:commentRss>https://collaborationben.com/2016/07/18/ibm-connections-mail-and-ephemeral-diffie-hellman-key-size-error-part-2/feed/</wfw:commentRss>
  609. <slash:comments>0</slash:comments>
  610. <media:content url="http://1.gravatar.com/avatar/73d65d70497b3486650a324a0d88ecf1?s=96&#38;d=identicon&#38;r=G" medium="image">
  611. <media:title type="html">collaborationben</media:title>
  612. </media:content>
  613. </item>
  614. <item>
  615. <title>Forcing TLSv1.2 breaks IBM Connections Surveys and Textbox.io</title>
  616. <link>https://collaborationben.com/2016/07/12/forcing-tlsv1-2-breaks-ibm-connections-surveys-and-textbox-io/</link>
  617. <comments>https://collaborationben.com/2016/07/12/forcing-tlsv1-2-breaks-ibm-connections-surveys-and-textbox-io/#comments</comments>
  618. <pubDate>Tue, 12 Jul 2016 20:38:35 +0000</pubDate>
  619. <dc:creator><![CDATA[collaborationben]]></dc:creator>
  620. <category><![CDATA[Connections]]></category>
  621. <category><![CDATA[ibm connections]]></category>
  622. <category><![CDATA[ibmconnections]]></category>
  623. <category><![CDATA[RTE]]></category>
  624. <category><![CDATA[SSL]]></category>
  625. <category><![CDATA[Surveys]]></category>
  626. <category><![CDATA[Textbox.io]]></category>
  627. <category><![CDATA[TLSv1.2]]></category>
  628.  
  629. <guid isPermaLink="false">http://collaborationben.com/?p=656</guid>
  630. <description><![CDATA[I had to force TLSv1.2 across all of Connections to fix a problem with RTE as I detailed in Rich Content widget widget stops working due to mix matched SSL protocols but after testing I&#8217;ve found that this breaks Textbox.io in Chrome and Surveys. The process is well documented in How to Force IBM Connections [&#8230;]<img alt="" border="0" src="https://pixel.wp.com/b.gif?host=collaborationben.com&#038;blog=17920770&#038;post=656&#038;subd=collaborationben&#038;ref=&#038;feed=1" width="1" height="1" />]]></description>
<content:encoded><![CDATA[<p>I had to force TLSv1.2 across all of Connections to fix a problem with RTE, as I detailed in <a href="https://collaborationben.com/2016/06/21/rich-content-widget-widget-stops-working-due-to-mix-matched-ssl-protocols/">Rich Content widget widget stops working due to mix matched SSL protocols</a>, but after testing I&#8217;ve found that this breaks Textbox.io in Chrome, and breaks Surveys.</p>
  632. <p>The process is well documented in <a href="http://www-01.ibm.com/support/docview.wss?uid=swg21984847&amp;myns=swglotus&amp;mynp=OCSSYGQH&amp;mync=E&amp;cm_sp=swglotus-_-OCSSYGQH-_-E">How to Force IBM Connections 5.5 CR1 to Use TLSv1.2</a> but after making the changes the following happens.</p>
  633. <h2>Textbox.io</h2>
  634. <p>In IE and FF Textbox.io works fine but in Chrome the spell check service fails.</p>
  635. <p><a href="https://collaborationben.files.wordpress.com/2016/07/11.jpg" target="_blank"><img data-attachment-id="657" data-permalink="https://collaborationben.com/2016/07/12/forcing-tlsv1-2-breaks-ibm-connections-surveys-and-textbox-io/1-22/#main" data-orig-file="https://collaborationben.files.wordpress.com/2016/07/11.jpg?w=776" data-orig-size="705,202" data-comments-opened="1" data-image-meta="{&quot;aperture&quot;:&quot;0&quot;,&quot;credit&quot;:&quot;&quot;,&quot;camera&quot;:&quot;&quot;,&quot;caption&quot;:&quot;&quot;,&quot;created_timestamp&quot;:&quot;0&quot;,&quot;copyright&quot;:&quot;&quot;,&quot;focal_length&quot;:&quot;0&quot;,&quot;iso&quot;:&quot;0&quot;,&quot;shutter_speed&quot;:&quot;0&quot;,&quot;title&quot;:&quot;&quot;,&quot;orientation&quot;:&quot;0&quot;}" data-image-title="1" data-image-description="" data-medium-file="https://collaborationben.files.wordpress.com/2016/07/11.jpg?w=776?w=300" data-large-file="https://collaborationben.files.wordpress.com/2016/07/11.jpg?w=776?w=705" class="alignnone wp-image-657 size-full" src="https://collaborationben.files.wordpress.com/2016/07/11.jpg?w=776" alt="1" srcset="https://collaborationben.files.wordpress.com/2016/07/11.jpg 705w, https://collaborationben.files.wordpress.com/2016/07/11.jpg?w=150 150w, https://collaborationben.files.wordpress.com/2016/07/11.jpg?w=300 300w" sizes="(max-width: 705px) 100vw, 705px"   /></a></p>
  636. <p>In the Fiddler trace I saw <em>Spelling server error:  Could not load url &#8220;<a href="https://connections.acme.com/ephox-spelling/1/correction" rel="nofollow">https://connections.acme.com/ephox-spelling/1/correction</a>&#8221;: 500 Internal Server Error</em></p>
  637. <p>In the SystemOut.log I saw</p>
  638. <p style="padding-left:30px;"><em>[6/29/16 10:00:38:507 BST] 00000200 SystemOut     O ironbark-akka.actor.default-dispatcher-17, RECV TLSv1 ALERT:  fatal, handshake_failure</em><br />
  639. <em>[6/29/16 10:00:38:507 BST] 00000200 SystemOut     O ironbark-akka.actor.default-dispatcher-17, fatal: engine already closed.  Rethrowing javax.net.ssl.SSLException: Received fatal alert: handshake_failure</em></p>
  640. <p style="padding-left:30px;"><em>spray.can.Http$ConnectionException: Aborted</em><br />
  641. <em>    at spray.can.client.HttpHostConnectionSlot.reportDisconnection(HttpHostConnectionSlot.scala:228) ~[spray-can_2.11-1.3.3.jar:na]</em><br />
  642. <em>    at spray.can.client.HttpHostConnectionSlot$$anonfun$connected$1.applyOrElse(HttpHostConnectionSlot.scala:161) ~[spray-can_2.11-1.3.3.jar:na]</em><br />
  643. <em>    at akka.actor.Actor$class.aroundReceive(Actor.scala:465) ~[akka-actor_2.11-2.3.9.jar:na]</em></p>
  644. <p>IBM asked me to put on SSL trace, *=info:SSL=all. It seems that the client is sending TLSv1.0 which of course is not allowed now that TLSv1.2 has been forced.</p>
  645. <p style="padding-left:30px;"><em>[7/11/16 9:31:17:286 BST] 00000115 SystemOut     O   ironbark-akka.actor.default-dispatcher-7, READ: TLSv1.2 Alert, length = 2</em><br />
  646. <em>[7/11/16 9:31:17:286 BST] 00000115 SystemOut     O   ironbark-akka.actor.default-dispatcher-7, RECV TLSv1 ALERT:  fatal, handshake_failure</em><br />
  647. <em>[7/11/16 9:31:17:286 BST] 00000115 SystemOut     O   ironbark-akka.actor.default-dispatcher-7, fatal: engine already closed.  Rethrowing javax.net.ssl.SSLException: Received fatal alert: handshake_failure</em></p>
  648. <p>IBM have logged a ticket with Ephox as well as investigating it from their end.</p>
  649. <h2>Surveys</h2>
  650. <p>When in a community with previous surveys I cannot see any of the historical surveys nor could I create new ones.</p>
  651. <p>In the SystemOut.log I saw the following</p>
  652. <p style="padding-left:30px;"><em>[6/29/16 10:01:56:542 BST] 0000033b StandardExcep E com.ibm.form.nitro.platform.StandardExceptionMapper toResponse eaa8e54e-7c38-4edb-a5ca-bcbd6d7f6c64</em><br />
  653. <em>                                 com.ibm.form.platform.service.framework.exception.ServicesPlatformException: com.ibm.connections.directory.services.exception.DSException: com.ibm.connections.directory.services.exception.DSOutOfServiceException: javax.net.ssl.SSLHandshakeException: Received fatal alert: handshake_failure</em></p>
  654. <p style="padding-left:30px;"><em>Caused by: com.ibm.connections.directory.services.exception.DSException: com.ibm.connections.directory.services.exception.DSOutOfServiceException: javax.net.ssl.SSLHandshakeException: Received fatal alert: handshake_failure</em></p>
  655. <p style="padding-left:30px;"><em>Caused by: javax.net.ssl.SSLHandshakeException: Received fatal alert: handshake_failure</em></p>
  656. <p>Again, it seems like it&#8217;s sending TLSv1.0.</p>
  657. <p>There&#8217;s at least one other person I know of who&#8217;s logged a PMR for these problems. It&#8217;s fairly urgent due to a problem with the RTE application which is only fixed when TLS1.2 is enforced. I&#8217;m hoping that these problems can be resolved sharpish so I can resolve the RTE problem for a customer.</p><br />  <a rel="nofollow" href="http://feeds.wordpress.com/1.0/gocomments/collaborationben.wordpress.com/656/"><img alt="" border="0" src="http://feeds.wordpress.com/1.0/comments/collaborationben.wordpress.com/656/" /></a> <img alt="" border="0" src="https://pixel.wp.com/b.gif?host=collaborationben.com&#038;blog=17920770&#038;post=656&#038;subd=collaborationben&#038;ref=&#038;feed=1" width="1" height="1" />]]></content:encoded>
  658. <wfw:commentRss>https://collaborationben.com/2016/07/12/forcing-tlsv1-2-breaks-ibm-connections-surveys-and-textbox-io/feed/</wfw:commentRss>
  659. <slash:comments>5</slash:comments>
  660. <media:content url="http://1.gravatar.com/avatar/73d65d70497b3486650a324a0d88ecf1?s=96&#38;d=identicon&#38;r=G" medium="image">
  661. <media:title type="html">collaborationben</media:title>
  662. </media:content>
  663.  
  664. <media:content url="http://collaborationben.files.wordpress.com/2016/07/11.jpg" medium="image">
  665. <media:title type="html">1</media:title>
  666. </media:content>
  667. </item>
  668. <item>
  669. <title>IBM Connections Mail and Ephemeral Diffie-Hellman key size error</title>
  670. <link>https://collaborationben.com/2016/07/12/ibm-connections-mail-and-ephemeral-diffie-hellman-key-size-error/</link>
  671. <comments>https://collaborationben.com/2016/07/12/ibm-connections-mail-and-ephemeral-diffie-hellman-key-size-error/#respond</comments>
  672. <pubDate>Tue, 12 Jul 2016 14:19:24 +0000</pubDate>
  673. <dc:creator><![CDATA[collaborationben]]></dc:creator>
  674. <category><![CDATA[Connections]]></category>
  675. <category><![CDATA[WAS]]></category>
  676. <category><![CDATA[WebSphere]]></category>
  677. <category><![CDATA[ciphers]]></category>
  678. <category><![CDATA[Diffie-Hellman]]></category>
  679. <category><![CDATA[ibm connections]]></category>
  680. <category><![CDATA[ibmconnections]]></category>
  681. <category><![CDATA[mail]]></category>
  682. <category><![CDATA[SSL]]></category>
  683. <category><![CDATA[TLS1.2]]></category>
  684.  
  685. <guid isPermaLink="false">http://collaborationben.com/?p=650</guid>
  686. <description><![CDATA[I&#8217;m building an IBM Connections 5.5 server to replace our internal Connections server and when configuring the Mail plug-in I came up against problems with the error &#8220;Mail server cannot be reached.&#8221; The Domino iNotes server is configured to accept SSL and have SSLv3 disabled via DISABLE_SSLV3=1. SSO works in both directions between the two [&#8230;]<img alt="" border="0" src="https://pixel.wp.com/b.gif?host=collaborationben.com&#038;blog=17920770&#038;post=650&#038;subd=collaborationben&#038;ref=&#038;feed=1" width="1" height="1" />]]></description>
  687. <content:encoded><![CDATA[<p>I&#8217;m building an IBM Connections 5.5 server to replace our internal Connections server and when configuring the Mail plug-in I came up against problems with the error &#8220;Mail server cannot be reached.&#8221;</p>
  688. <p><a href="https://collaborationben.files.wordpress.com/2016/07/1.jpg" target="_blank"><img data-attachment-id="651" data-permalink="https://collaborationben.com/2016/07/12/ibm-connections-mail-and-ephemeral-diffie-hellman-key-size-error/1-21/#main" data-orig-file="https://collaborationben.files.wordpress.com/2016/07/1.jpg?w=776" data-orig-size="411,101" data-comments-opened="1" data-image-meta="{&quot;aperture&quot;:&quot;0&quot;,&quot;credit&quot;:&quot;&quot;,&quot;camera&quot;:&quot;&quot;,&quot;caption&quot;:&quot;&quot;,&quot;created_timestamp&quot;:&quot;0&quot;,&quot;copyright&quot;:&quot;&quot;,&quot;focal_length&quot;:&quot;0&quot;,&quot;iso&quot;:&quot;0&quot;,&quot;shutter_speed&quot;:&quot;0&quot;,&quot;title&quot;:&quot;&quot;,&quot;orientation&quot;:&quot;0&quot;}" data-image-title="1" data-image-description="" data-medium-file="https://collaborationben.files.wordpress.com/2016/07/1.jpg?w=776?w=300" data-large-file="https://collaborationben.files.wordpress.com/2016/07/1.jpg?w=776?w=411" class="alignnone wp-image-651 size-full" src="https://collaborationben.files.wordpress.com/2016/07/1.jpg?w=776" alt="1" srcset="https://collaborationben.files.wordpress.com/2016/07/1.jpg 411w, https://collaborationben.files.wordpress.com/2016/07/1.jpg?w=150 150w, https://collaborationben.files.wordpress.com/2016/07/1.jpg?w=300 300w" sizes="(max-width: 411px) 100vw, 411px"   /></a></p>
  689. <p>The Domino iNotes server is configured to accept SSL and has SSLv3 disabled via DISABLE_SSLV3=1. SSO works in both directions between the two application servers.</p>
  690. <p>I checked the discoveryservlet URL (<a href="https://connections.acme.com/connections/resources/discovery/DiscoveryS[email protected]" rel="nofollow">https://connections.acme.com/connections/resources/discovery/DiscoveryS[email protected]</a>) which returned valid data so I know the configuration in socialmail-discovery-config.xml was good but there was very little to go on. Even after I enabled *=info:com.ibm.social.pim.discovery.*=all there was nothing much to go on.</p>
  691. <p>I reached out and Michele Buccarello responded and pointed me towards one of his documents <a href="http://www.slideshare.net/michelebuccarello/connections-mail-with-exchange-backend" rel="nofollow">http://www.slideshare.net/michelebuccarello/connections-mail-with-exchange-backend</a>. The document is written primarily for an Exchange server but it describes brilliantly what is happening and a bit of trace that came to my rescue.</p>
  692. <p>I enabled *=info:com.ibm.social.pim.discovery.*=all:com.ibm.cre.*=all and all of a sudden I saw what was happening.</p>
  693. <p style="padding-left:30px;"><em>[7/12/16 13:49:33:787 BST] 00000220 CREURLConnect 2   An unhandled exception occured connecting to the target host</em><br />
  694. <em>                                 javax.net.ssl.SSLException: java.lang.RuntimeException: Could not generate DH keypair</em></p>
  695. <p style="padding-left:30px;"><em>Caused by: java.lang.RuntimeException: Could not generate DH keypair</em></p>
  696. <p style="padding-left:30px;"><em>Caused by: java.security.InvalidAlgorithmParameterException: Prime size must be multiple of 64, and can only range from 256 to 2048 (inclusive)</em></p>
  697. <p>I read around the various ciphers and I must admit I was a little lost and it&#8217;s been a while since I&#8217;ve delved deeply into Domino but some googling got me to some Daniel Nashed blogs.</p>
  698. <p><a href="http://blog.nashcom.de/nashcomblog.nsf/dx/first-perfect-forward-secrecy-ciphers-shipped-with-9.0.1-fp3-if2.htm?opendocument&#038;comments#anc1" rel="nofollow">http://blog.nashcom.de/nashcomblog.nsf/dx/first-perfect-forward-secrecy-ciphers-shipped-with-9.0.1-fp3-if2.htm?opendocument&#038;comments#anc1</a></p>
  699. <p><a href="http://blog.nashcom.de/nashcomblog.nsf/dx/dha-with-more-than-1024-key-size-and-java-still-works.htm?opendocument&#038;comments#anc1" rel="nofollow">http://blog.nashcom.de/nashcomblog.nsf/dx/dha-with-more-than-1024-key-size-and-java-still-works.htm?opendocument&#038;comments#anc1</a></p>
  700. <p>The second had a comment about the Mail plug-in not working so I knew I was getting closer. This put various stackoverflow posts into perspective such as</p>
  701. <p><a href="http://stackoverflow.com/questions/6851461/java-why-does-ssl-handshake-give-could-not-generate-dh-keypair-exception" rel="nofollow">http://stackoverflow.com/questions/6851461/java-why-does-ssl-handshake-give-could-not-generate-dh-keypair-exception</a></p>
  702. <p>I stopped Domino and added the following before starting it again and the plug-in started working and I could access my mail and calendar.</p>
  703. <pre>SSL_DH_KEYSIZE=1024</pre>
  704. <p>I upped the value to 2048 since a previous error said <em>&#8220;Prime size must be multiple of 64, and can only range from 256 to 2048 (inclusive).&#8221;</em></p>
  705. <p>On restart of Domino it continued to work. I tried increasing the value to 3072 but this broke the plug-in.</p>
  706. <p>The certificate I was provided was a 4096 bit certificate and not 2048 like I handle more often.</p>
  707. <p>In <a href="https://www-10.lotus.com/ldd/dominowiki.nsf/dx/TLS_Cipher_Configuration" rel="nofollow">https://www-10.lotus.com/ldd/dominowiki.nsf/dx/TLS_Cipher_Configuration</a> it states, <em>&#8220;By default, these ciphers will use a DH key with a size equivalent to the RSA keysize, so a server running with a 2048 bit SSL certificate would use a 2048 bit DH group.&#8221; </em>This means that the DH key being used is 4096 which IBM&#8217;s implementation of Java doesn&#8217;t support, hence the need to add SSL_DH_KEYSIZE=2048.</p>
  708. <p>I then found the following Domino trace.</p>
  709. <pre>DEBUG_SSL_CIPHERS=2
  710. DEBUG_SSL_DHE=2
  711. DEBUG_SSL_HANDSHAKE=2
  712. DEBUG_SSL_IO=0</pre>
  713. <p>When I recreate the problem I see in the console.log the following which shows the DH key size.</p>
  714. <p style="padding-left:30px;"><em>[11856:00011-1753671424] 07/12/2016 01:50:03.16 PM SSLEncodeDHKeyParams&gt; <strong>Server RSA key size 4096 bits</strong></em><br />
  715. <em>[11856:00011-1753671424] 07/12/2016 01:50:03.16 PM SSLEncodeDHKeyParams&gt; <strong>Using a DH key size of 4096 bits</strong></em><br />
  716. <em>[11856:00011-1753671424] 07/12/2016 01:50:03.26 PM SSLAdvanceHandshake calling SSLPrepareAndQueueMessage&gt; SSLEncodeServerHelloDone</em><br />
  717. <em>[11856:00011-1753671424] 07/12/2016 01:50:03.26 PM SSLAdvanceHandshake Exit&gt; State HandshakeClientKeyExchange (11)</em><br />
  718. <em>[11856:00011-1753671424] 07/12/2016 01:50:03.26 PM SSL_Handshake&gt; After handshake state = HandshakeClientKeyExchange (11); Status = -5000</em><br />
  719. <em>[11856:00011-1753671424] 07/12/2016 01:50:03.26 PM int_MapSSLError&gt; Mapping SSL error -5000 to 4176 [SSLHandshakeNoDone]</em><br />
  720. <em>[11856:00011-1753671424] 07/12/2016 01:50:03.27 PM SSLProcessProtocolMessage&gt; Record Content: Alert (21)</em><br />
  721. <em>[11856:00011-1753671424] 07/12/2016 01:50:03.27 PM SSLProcessAlert&gt; Got an alert of 0x50 (internal_error) level 0x2 (fatal)</em><br />
  722. <em>[11856:00011-1753671424] 07/12/2016 01:50:03.27 PM SSL_Handshake&gt; After handshake2 state HandshakeClientKeyExchange (11)</em><br />
  723. <em>[11856:00011-1753671424] 07/12/2016 01:50:03.27 PM SSL_Handshake&gt; SSL Error: -6994</em><br />
  724. <em>[11856:00011-1753671424] 07/12/2016 01:50:03.27 PM int_MapSSLError&gt; Mapping SSL error -6994 to 4171 [SSLFatalAlert]</em></p>
  725. <p>In <a href="https://www-10.lotus.com/ldd/dominowiki.nsf/dx/TLS_Cipher_Configuration" rel="nofollow">https://www-10.lotus.com/ldd/dominowiki.nsf/dx/TLS_Cipher_Configuration</a> it also states, <em>&#8220;When using Domino 9.0.1 FP3 IF2 one can and should disable DHE_RSA_WITH_AES_128_CBC_SHA (33) which should make those old clients fall back to using RSA_WITH_AES_128_CBC_SHA (2F) instead.&#8221;</em></p>
  726. <p>I tried the below setting which removes &#8220;33&#8221; to see whether it worked but it did not. I would like to fiddle more with this to try and find a cipher that WAS and Domino can use in common that avoids setting the DH key too low but I suspect I will run out of time.</p>
  727. <pre>SSLCIPHERSPEC=9D9C3D3C352F0A39676B9E9F</pre>
  728. <p>BTW &#8211; I did all this after I had forced TLS1.2 via <a href="http://www-01.ibm.com/support/docview.wss?uid=swg21984847&amp;myns=swglotus&amp;mynp=OCSSYGQH&amp;mync=E&amp;cm_sp=swglotus-_-OCSSYGQH-_-E" target="_blank">How to Force IBM Connections 5.5 CR1 to Use TLSv1.2</a>, so it is nice to know that Mail is not broken after enforcing TLS1.2, unlike Textbox.io and Surveys&#8230;</p>
  729. <p>Oh, in Domino when it is successful it will look something like this.</p>
  730. <p style="padding-left:30px;"><em>[17825:00011-575325952] 07/12/2016 03:12:00.31 PM SSLEncodeDHKeyParams&gt; Server RSA key size 4096 bits</em><br />
  731. <em>[17825:00011-575325952] 07/12/2016 03:12:00.31 PM SSLEncodeDHKeyParams&gt; Using a DH key size of 2048 bits</em><br />
  732. <em>[17825:00011-575325952] 07/12/2016 03:12:00.32 PM SSLEncodeRSAServerKeyExchange&gt; Signing ServerKeyExchange using RSAWithSHA256</em><br />
  733. <em>[17825:00011-575325952] 07/12/2016 03:12:00.36 PM SSLAdvanceHandshake calling SSLPrepareAndQueueMessage&gt; SSLEncodeServerHelloDone</em></p>
  734. <p style="padding-left:30px;"><em>[17825:00011-575325952] 07/12/2016 03:12:00.41 PM SSL_Handshake&gt; After handshake2 state HandshakeServerIdle (3)</em><br />
  735. <em>[17825:00011-575325952] 07/12/2016 03:12:00.41 PM SSL_Handshake&gt; Protocol Version = TLS1.2 (0x303)</em><br />
  736. <em>[17825:00011-575325952] 07/12/2016 03:12:00.41 PM SSL_Handshake&gt; Cipher = DHE_RSA_WITH_AES_256_CBC_SHA (0x0039)</em><br />
  737. <em>[17825:00011-575325952] 07/12/2016 03:12:00.41 PM SSL_Handshake&gt; KeySize = 256 bits</em><br />
  738. <em>[17825:00011-575325952] 07/12/2016 03:12:00.41 PM SSL_Handshake&gt; Ephemeral Diffie-Hellman key size = 2048 bits</em><br />
  739. <em>[17825:00011-575325952] 07/12/2016 03:12:00.41 PM SSL_Handshake&gt; Server RSA key size = 4096 bits</em><br />
  740. <em>[17825:00011-575325952] 07/12/2016 03:12:00.41 PM SSL_Handshake&gt; TLS/SSL Handshake completed successfully</em></p>
  741. <p>You won&#8217;t see much difference in trace.log.</p>
  742. <p>If anyone has a better way to get around this without changing the value of the DH key size then please shout.</p>
  743. <h2>Additional information</h2>
  744. <p>I should mention a useful tip: Michele Buccarello pointed me towards taking a Fiddler trace.</p>
  745. <p>You&#8217;ll see a call to /connections/opensocial/gadgets/makeRequest. Within that entry in Fiddler I saw <strong>502 Bad Gateway</strong></p>
  746. <p><em>throw 1; &lt; &#8216;invalid javascript&#8217; &gt;{&#8220;<a href="https://webmail.acme.com/mail/bwilliam.nsf/iNotes/Proxy/?OpenDocument&#038;Form=f_SessionInfo_Data&#038;_icmb=20160425-0501" rel="nofollow">https://webmail.acme.com/mail/bwilliam.nsf/iNotes/Proxy/?OpenDocument&#038;Form=f_SessionInfo_Data&#038;_icmb=20160425-0501</a>&#8221;:{&#8220;rc&#8221;:502,&#8221;body&#8221;:&#8221;&amp;amp;amp;lt;HTML&amp;amp;amp;gt;&amp;amp;amp;lt;TITLE&amp;amp;amp;gt;<strong>502</strong>&amp;amp;amp;nbsp;-&amp;amp;amp;nbsp;<strong>Bad</strong>&amp;amp;amp;nbsp;<strong>Gateway</strong>&amp;amp;amp;lt;/TITLE&amp;amp;amp;gt;&amp;amp;amp;lt;BODY&amp;amp;amp;gt;&amp;amp;amp;lt;h1&amp;amp;amp;gt;502&amp;amp;amp;nbsp;An&amp;amp;amp;nbsp;unhandled&amp;amp;amp;nbsp;exception&amp;amp;amp;nbsp;occured&amp;amp;amp;nbsp;connecting&amp;amp;amp;nbsp;to&amp;amp;amp;nbsp;the&amp;amp;amp;nbsp;target&amp;amp;amp;nbsp;host&amp;amp;amp;lt;/h1&amp;amp;amp;gt;&amp;amp;amp;lt;/BODY&amp;amp;amp;gt;&amp;amp;amp;lt;/HTML&amp;amp;amp;gt;&#8221;,&#8221;headers&#8221;:{&#8220;date&#8221;:[&#8220;Mon, 11 Jul 2016 21:30:46 GMT&#8221;],&#8221;content-type&#8221;:[&#8220;text/html; charset=UTF-8&#8243;]},&#8221;DataHash&#8221;:&#8221;jslu7s57e7d899jbtr7p1d033g&#8221;}}</em></p>
  747. <p>You can also look at the JSON section to see it in a different format.</p>
  748. <p>The above is also seen in the trace.log with *=info:com.ibm.social.pim.discovery.*=all:com.ibm.cre.*=all</p>
  749. <p>[7/12/16 8:49:30:670 BST] 000001bb CREURLConnect 2   IOException caught, response code is <strong>502</strong>, Exception was java.io.IOException: Server returned HTTP response code: <strong>502</strong> for URL: <a href="https://webmail.acme.com/mail/bwilliam.nsf/iNotes/Proxy/?OpenDocument&#038;Form=s_ReadViewEntries_JSON&#038;PresetFields=FolderName;($Inbox)" rel="nofollow">https://webmail.acme.com/mail/bwilliam.nsf/iNotes/Proxy/?OpenDocument&#038;Form=s_ReadViewEntries_JSON&#038;PresetFields=FolderName;($Inbox)</a>,UnreadOnly;1,UnreadCountInfo;1,hc;$98&amp;Count=1&amp;resortdescendingpn=$70&amp;TZType=UTC&amp;KeyType=time&amp;_icmb=20160425-0501<br />
  750. [7/12/16 8:49:30:671 BST] 000001bb CREURLConnect 2   Retry error while in streaming mode: <strong>502</strong>, java.io.IOException: Server returned HTTP response code: <strong>502</strong> for URL: <a href="https://webmail.acme.com/mail/bwilliam.nsf/iNotes/Proxy/?OpenDocument&#038;Form=s_ReadViewEntries_JSON&#038;PresetFields=FolderName;($Inbox)" rel="nofollow">https://webmail.acme.com/mail/bwilliam.nsf/iNotes/Proxy/?OpenDocument&#038;Form=s_ReadViewEntries_JSON&#038;PresetFields=FolderName;($Inbox)</a>,UnreadOnly;1,UnreadCountInfo;1,hc;$98&amp;Count=1&amp;resortdescendingpn=$70&amp;TZType=UTC&amp;KeyType=time&amp;_icmb=20160425-0501</p><br />  <a rel="nofollow" href="http://feeds.wordpress.com/1.0/gocomments/collaborationben.wordpress.com/650/"><img alt="" border="0" src="http://feeds.wordpress.com/1.0/comments/collaborationben.wordpress.com/650/" /></a> <img alt="" border="0" src="https://pixel.wp.com/b.gif?host=collaborationben.com&#038;blog=17920770&#038;post=650&#038;subd=collaborationben&#038;ref=&#038;feed=1" width="1" height="1" />]]></content:encoded>
  751. <wfw:commentRss>https://collaborationben.com/2016/07/12/ibm-connections-mail-and-ephemeral-diffie-hellman-key-size-error/feed/</wfw:commentRss>
  752. <slash:comments>0</slash:comments>
  753. <media:content url="http://1.gravatar.com/avatar/73d65d70497b3486650a324a0d88ecf1?s=96&#38;d=identicon&#38;r=G" medium="image">
  754. <media:title type="html">collaborationben</media:title>
  755. </media:content>
  756.  
  757. <media:content url="http://collaborationben.files.wordpress.com/2016/07/1.jpg" medium="image">
  758. <media:title type="html">1</media:title>
  759. </media:content>
  760. </item>
  761. </channel>
  762. </rss>
  763.  

Copyright © 2002-9 Sam Ruby, Mark Pilgrim, Joseph Walton, and Phil Ringnalda