
Introduction to OAuth - the technology you need but never really learned

OAuth is core to integrations these days but I see many developers that try and use OAuth without really understanding the protocol. The protocol is very easy to understand so I created this presentation to try and explain it in easy, visual, chunks. I'll present on the topic tomorrow (Friday 6 November 2015) at the Social Connections IX conference in Stuttgart, Germany. I hope you'll come see it live if you are at the conference.

Possible to crash WAS using System.out.println?

I've been pulling my hair out trying to diagnose an issue we've been having with the OnTime Group Calendar Social components, that is, the widgets we have for IBM Connections. After loads of frustration and lost time I've managed to find the issue and will document it here for the future and for Google.

The issue appears on WebSphere Application Server ND v. and is caused by doing a simple System.out.println. This makes the server go bananas, throw a NullPointerException and make the JVM unstable and no longer reliable. Simply removing these System.out.println's seems to solve the problem. Now I know System.out.println should not be used and really they were left in by mistake in an embedded library. But they should hardly crash the JVM. The observed stacktrace is shown below. The System.out.println call appears on line 102 of dk.intravision.connections.FeedReader (in bold).


PaaS, Bluemix and controlling runtime costs with cron

Back at IBM ConnectED 2015 I created a small demo for IBM using the yet-to-be-released extensibility API of IBM Verse to show off third party extension of IBM Verse. Ever since IBM has been using the demo which is great. The app I wrote is running on Bluemix and I turn it on and off whenever they need it. Now with Bluemix being a Platform As A Service (PaaS) offering I pay for the resources I use and since IBM is still to own up and provide partners with a free plan or larger allowance the monthly allowance of free gigabyte hours is cherished. Simply having it run day in and day out is burning up this free allowance. What is a geek to do? Script it of course...

Since Bluemix is controllable using the cf command line tool I wrote a small script to allow me to start and stop the app on Bluemix using a script (see below). Invoking it is as simple as doing "versedemo_ctrl.sh start" or "versedemo_ctrl.sh stop" allowing me to do this remotely.

#!/bin/sh
# {username} and {password} are placeholders; keep this file readable by its owner only.
cf login -a https://api.ng.bluemix.net -u {username} -p {password}
cf "$1" "IBM ConnectED 2015 Verse Demo Contribution"

Even better is that I've added it to an existing on-prem server's crontab so that it starts and stops on business days in the period of time I need it. The cronjob even attaches the log of the start/stop and forwards it to our scheduled job management console so I'm only notified if stuff goes wrong. Love it. Below is a sample crontab entry.

# stdout is redirected first so that 2>&1 sends stderr to the log file as well
0 12 * 9-11 1-5 ~/versedemo_ctrl.sh start > ~/versedemo.log 2>&1 && mail -s "Verse Demo App Started" -a ~/versedemo.log ***XXX***@intravision.dk

The above job simply starts the app Mon-Fri at 12pm (Sept-Nov) and then emails the job logs to our Job Controller service as an attachment.


Getting ready for iOS 9 and App Transport Security (ATS)

Much has already been written on the web about the upcoming iOS 9 release and how Apple is tightening security with App Transport Security (ATS) which basically only allows for HTTPS traffic using advanced and secure ciphers. Other voices in the community are staying on top and blogging much more about it and how it pertains to IBM Traveler and particularly if you are terminating your IBM Traveler connections on Domino. As it stands now (IBM Domino 9.0.1 FP4) IBM Domino cannot deliver the ciphers required for ATS. While the latest beta of iOS 9 can still connect insecurely I suggest you start to look for the right solution, that is, terminating your IBM Traveler traffic using TLS v. 1.2 using Elliptic Curve crypto and Diffie-Hellman key exchange.

For one of our OnTime Group Calendar demo servers we have IBM HTTP Server (IHS) in front which made the process pretty easy as IHS already supports the required ciphers. As always configuring security is a mix of securing your server while keeping compatibility with older operating systems and browsers. For me this meant allowing TLS v. 1.0, 1.1 and 1.2 and keeping some less secure ciphers for older operating systems and browsers while also enabling strong crypto to support ATS.

Below is our configuration from domino.conf which is used to configure IHS for IBM Domino. Note that there are two ciphers supported by ATS that are not supported by IHS (they are based on SHA-1).

<VirtualHost *:443>
ServerName demo.ontimesuite.com
SSLProtocolDisable SSLv2 SSLv3

# Enable strict CBC padding (TLS Poodle)
SSLAttributeSet 471 1

KeyFile C:/Lotus/Domino/ihs/key.kdb

Making the above configuration change will give you an A- score on ssllabs.com which is a pretty nice score while keeping backwards compatibility. If that kind of config isn't needed turn off TLS v. 1.0 and 1.1 and remove the lines starting with "SSLCipherSuite ALL" - that will give you a score of A.

<VirtualHost *:443>
ServerName demo.ontimesuite.com
SSLProtocolDisable SSLv2 SSLv3 TLSv10 TLSv11

# Enable strict CBC padding (TLS Poodle)
SSLAttributeSet 471 1

KeyFile C:/Lotus/Domino/ihs/key.kdb
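
To confirm what a front end such as IHS actually negotiates after either configuration, the following added example (not part of the original post) handshakes as a client and checks the session against the bar described above: TLS 1.2 with an elliptic-curve Diffie-Hellman (ECDHE) key exchange. The names `ats_findings`, `probe` and `audit` are hypothetical, the sample sessions are constructed, and accepting TLS 1.3 goes beyond what the post covers.

```python
import socket
import ssl

def ats_findings(protocol, cipher_name):
    """List why a negotiated session misses the bar described above
    (TLS 1.2 plus an ECDHE key exchange). An empty list means it passes."""
    findings = []
    if protocol not in ("TLSv1.2", "TLSv1.3"):
        findings.append("protocol %s is below TLS 1.2" % protocol)
    # TLS 1.3 suites always use an ephemeral exchange and carry no ECDHE- prefix.
    if protocol != "TLSv1.3" and not cipher_name.startswith("ECDHE-"):
        findings.append("cipher %s has no ECDHE key exchange" % cipher_name)
    return findings

def probe(host, port=443, strict=True, timeout=5.0):
    """Handshake with host and return (protocol, cipher name).
    strict=True offers only TLS 1.2+ with ECDHE suites, so a server that
    cannot meet the bar raises ssl.SSLError instead of falling back."""
    ctx = ssl.create_default_context()
    if strict:
        ctx.minimum_version = ssl.TLSVersion.TLSv1_2
        ctx.set_ciphers("ECDHE+AESGCM:ECDHE+AES")
    with socket.create_connection((host, port), timeout=timeout) as raw:
        with ctx.wrap_socket(raw, server_hostname=host) as tls:
            # version() is the negotiated protocol; cipher()[1] is only the
            # protocol that first defined the suite, so it is not used here.
            return tls.version(), tls.cipher()[0]

# Constructed sample sessions (OpenSSL cipher names), not captured traffic.
SAMPLES = [
    ("TLSv1.2", "ECDHE-RSA-AES128-GCM-SHA256"),
    ("TLSv1.2", "AES128-SHA"),
    ("TLSv1", "ECDHE-RSA-AES128-SHA"),
]

def audit(sessions):
    """Map each (protocol, cipher) pair to its findings."""
    return {s: ats_findings(*s) for s in sessions}

if __name__ == "__main__":
    for session, findings in audit(SAMPLES).items():
        print(session, "OK" if not findings else "; ".join(findings))
```

Run `probe(host, strict=False)` to see what the server picks for a permissive client and pass the result to `ats_findings`; a strict probe that raises `ssl.SSLError` means the server offers nothing that meets the bar.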


IBM Connections Cloud (SmartCloud) FINALLY adds much awaited feature

We have had OnTime Group Calendar working with IBM Connections Cloud (SmartCloud) for years so that customers could move all or part of their mail users to IBM Connections Cloud and host OnTime Group Calendar on-premises or (IBM SmartCloud Notes Hybrid). We have seen adoption and do have customers using it but the main obstacle to full adoption by customers has been the lack of mailfile ACL controls for the customers. Since we require access to the mail files (we do need to read data you know...) a PMR to change ACL's and/or a custom mail template in IBM Connections Cloud was required to add on-premises Domino servers to the cloud mail file ACL's. With the latest update of IBM Connections Cloud this capability has finally been added to the administration panel so that customers may control these capabilities themselves. Yay!!

Administrators can control access to mail files from administrator interface (available on or after August 17 2015)
Company administrators can now control access to mail files through the Users page of the IBM SmartCloud Notes administration interface. Previously, IBM services needed to review, and then apply the template to the users. Administrators can now make the ACL changes directly against the mail file, saving them time and money.

For more information refer to the info center (Administration: control access to mail files).

Eclipse target platform invalidated by IBM Notes 9.0.1FP4 on Mac

After installing IBM Notes 9.0.1FP4 I have been unable to launch Notes from my Eclipse workspace when doing RCP development (i.e. plugin development) for Notes. I finally decided to solve it. The stacktrace is like the one below:

2015/07/20 08:16:42.280 SEVERE CLPDN0016E: Error starting RCPApplication com.ibm.rcp.personality.framework.RCPApplication 
::class.method=com.ibm.rcp.personality.framework.internal.RCPApplication.run() ::thread=Thread-1 

java.lang.NoSuchFieldError: isWindows
   at com.ibm.rcp.platform.personality.DefaultWorkbenchWindowAdvisor.createLaunchChevron(DefaultWorkbenchWindowAdvisor.java:2229)
   at com.ibm.rcp.platform.personality.DefaultWorkbenchWindowAdvisor.createShortcutBarItems(DefaultWorkbenchWindowAdvisor.java:591)
   at com.ibm.rcp.platform.personality.DefaultWorkbenchWindowAdvisor.createWindowContents(DefaultWorkbenchWindowAdvisor.java:733)

The issue turned out to be due to duplicate, similarly named plugins from the target platform with different versions. For instance I had the com.ibm.common.services.icalendar plugin in both version and in version. Manually running through the plugins included in the target platform and excluding the older versions solved the issue. There must have been a problem deleting the older versions when upgrading my Notes client but in any case it's solved now.

IBM Notes IBM Connections plugins cannot connect after upgrade to v. 9.0.1FP4 on Mac

After upgrading to IBM Notes 9.0.1 on my Mac the IBM Connections activities sidebar plugin failed to connect to our IBM Connections server. After tinkering around with connection settings I checked the trace log and saw the below stacktrace:

CWPST0306W: An exception occurred while invoking the target method login.
   at com.ibm.rcp.accounts.internal.auth.module.AbstractJ2eeFormLoginModule.login(AbstractJ2eeFormLoginModule.java:393)
   at sun.reflect.NativeMethodAccessorImpl.invoke0(Native Method)
   at sun.reflect.NativeMethodAccessorImpl.invoke(NativeMethodAccessorImpl.java:39)
   at sun.reflect.DelegatingMethodAccessorImpl.invoke(DelegatingMethodAccessorImpl.java:25)
   at java.lang.reflect.Method.invoke(Method.java:597)
   at com.ibm.rcp.security.auth.ExtLoginModuleProxy.invokeImpl(ExtLoginModuleProxy.java:109)
   at com.ibm.rcp.internal.security.AbstractProxy.invoke(AbstractProxy.java:77)
   at com.sun.proxy.$Proxy2.login(Unknown Source)
   at com.ibm.rcp.security.auth.ExtLoginModuleProxy.login(ExtLoginModuleProxy.java:141)
   at sun.reflect.NativeMethodAccessorImpl.invoke0(Native Method)
   at sun.reflect.NativeMethodAccessorImpl.invoke(NativeMethodAccessorImpl.java:39)
   at sun.reflect.DelegatingMethodAccessorImpl.invoke(DelegatingMethodAccessorImpl.java:25)
   at java.lang.reflect.Method.invoke(Method.java:597)
   at javax.security.auth.login.LoginContext.invoke(LoginContext.java:769)
   at javax.security.auth.login.LoginContext.access$000(LoginContext.java:186)
   at javax.security.auth.login.LoginContext$4.run(LoginContext.java:683)
   at java.security.AccessController.doPrivileged(Native Method)
   at javax.security.auth.login.LoginContext.invokePriv(LoginContext.java:680)
   at javax.security.auth.login.LoginContext.login(LoginContext.java:579)
   at com.ibm.rcp.security.auth.service.AbstractLoginService.login(AbstractLoginService.java:125)
   at com.ibm.rcp.accounts.internal.AccountsLoginContextServiceImpl.login(AccountsLoginContextServiceImpl.java:189)
   at com.ibm.rcp.net.http.internal.URLConnectionFactory.getURLConnection(URLConnectionFactory.java:175)
   at com.ibm.rcp.net.http.internal.URLConnectionFactory.getURLConnection(URLConnectionFactory.java:69)
   at com.ibm.rcp.net.http.internal.protocol.HttpsURLConnection.<init>(HttpsURLConnection.java:73)
   at com.ibm.rcp.net.http.internal.protocol.HttpsHandler.createURLConnection(HttpsHandler.java:42)
   at com.ibm.rcp.net.http.internal.protocol.BaseHandler.openConnection(BaseHandler.java:73)
   at com.ibm.rcp.net.http.internal.protocol.BaseHandler.openConnection(BaseHandler.java:96)
   at org.eclipse.osgi.framework.internal.protocol.URLStreamHandlerProxy.openConnection(URLStreamHandlerProxy.java:112)
   at java.net.URL.openConnection(URL.java:945)
   at com.ibm.lconn.client.base.service.Connector.getConnection(Connector.java:69)
   at com.ibm.lconn.client.base.service.Connector.get(Connector.java:39)
   at com.ibm.lconn.client.base.service.ServiceFeedUtil.getHiddenEmail(ServiceFeedUtil.java:278)
   at com.ibm.lconn.client.base.service.ServiceFeedUtil$1.run(ServiceFeedUtil.java:212)
   at org.eclipse.core.internal.jobs.Worker.run(Worker.java:55)
Caused by: java.lang.IllegalArgumentException: TLSv1.1
   at com.sun.net.ssl.internal.ssl.ProtocolVersion.valueOf(ProtocolVersion.java:133)
   at com.sun.net.ssl.internal.ssl.ProtocolList.<init>(ProtocolList.java:38)
   at com.sun.net.ssl.internal.ssl.SSLSocketImpl.setEnabledProtocols(SSLSocketImpl.java:2218)
   at com.ibm.rcp.security.ssl.PlatformSSLProtocolSocketFactory.createSocket(PlatformSSLProtocolSocketFactory.java:158)
   at sun.net.www.protocol.https.HttpsClient.createSocket(HttpsClient.java:404)
   at sun.net.NetworkClient.doConnect(NetworkClient.java:145)
   at sun.net.www.http.HttpClient.openServer(HttpClient.java:424)
   at sun.net.www.http.HttpClient.openServer(HttpClient.java:538)
   at sun.net.www.protocol.https.HttpsClient.<init>(HttpsClient.java:276)
   at sun.net.www.protocol.https.HttpsClient.New(HttpsClient.java:367)
   at sun.net.www.protocol.https.AbstractDelegateHttpsURLConnection.getNewHttpClient(AbstractDelegateHttpsURLConnection.java:172)
   at sun.net.www.protocol.http.HttpURLConnection.plainConnect(HttpURLConnection.java:966)
   at sun.net.www.protocol.https.AbstractDelegateHttpsURLConnection.connect(AbstractDelegateHttpsURLConnection.java:158)
   at sun.net.www.protocol.http.HttpURLConnection.getOutputStream(HttpURLConnection.java:1031)
   at sun.net.www.protocol.https.HttpsURLConnectionImpl.getOutputStream(HttpsURLConnectionImpl.java:230)
   at com.ibm.rcp.accounts.internal.auth.module.AbstractJ2eeFormLoginModule.executeLogin(AbstractJ2eeFormLoginModule.java:180)
   at com.ibm.rcp.accounts.internal.auth.module.AbstractJ2eeFormLoginModule.login(AbstractJ2eeFormLoginModule.java:364)
   ... 33 more

The issue is caused by IBM Notes on Mac using the standard Apple Java v. 1.6 that doesn't support TLS v. 1.1 and it seems like the newer versions of the sidebar plugin force the TLS version to 1.1. I couldn't find a way using JVM arguments to change that.

After corresponding with IBM the issue has been confirmed and is tracked as IBM Notes SPR #NPEI9Y85BZ and the Lotus Expeditor team is working on a fix. If you open a PMR and reference this defect you will receive the fix once ready.

Guest post - Moving on: Brian O'Neill Edition

First, thanks to Mikkel for letting me publish this on his blog. I've always gone back and forth about starting my own blog in the past, but never did, hence why I needed some help to get this message out.

So, why am I writing? I'm excited to announce that I have accepted a new role within my current company, Gore. I will be transitioning into our customer facing capabilities center in Newark, Delaware. I will be championing the digital experience in that facility as well as helping the existing team grow into two new facilities located in the Asia Pacific and European regions. This role will find me moving out of IT (and out of the IBM space), and into the public relations leg of corporate sales. One of the cool things about this role is that it will still allow me to keep my feet wet in the IT space. I am very excited.

As I've been a part of the Lotus community since 2001, I've been inspired by the stories of those who have followed their passions by doing things like building their lego empire or becoming a college professor. Even with their love for our yellow community, they showed the rest of us that it's okay to change and grow in other areas. I will surely miss working in the social software space and directly with IBM Connections, but I am really looking forward to learning new skills and seeing what this new world holds for me.

I've been honored to have had the opportunity to work within the ICS community. All of you have made these years a highlight of my career. I started thinking through who I might want to thank for where I am now. Certainly there is my family. And there are many within my group of colleagues at Gore, the IBM Champion program, and also Social Connections. But, really, it comes down to YOU. If you are reading this, I'm sure you have helped me with something along the way. No matter how big or how small, thank you.

As a song from my favorite band, 311, says "Reconsider everything".