
Custom widgets for IBM Connections v.5.5 and what the "themes" attribute means

Starting with IBM Connections v. 5.5 a new required attribute was added to the widgets-config.xml file that controls how widgets are rendered for Profiles and Communities. IBM addresses the issue by referring to a technote (Custom widgets not displaying correctly after migrating to IBM Connections 5.5) that mentions just adding an attribute. Simply requiring customers to add static text is lunacy for a product - if you need something where a static text will do for most cases and it's not there then simply assume the value. Don't break installations because some developer or product manager didn't think... End rant...

Anyways - I looked into this for the OnTime widgets and it turns out that the "themes" attribute actually points to WebSphere Portal themes and controls where a user may drop widgets. Starting with IBM Connections v. 5.5 users may not only drag'n'drop widgets up and down in the center column but also move widgets to the left and right columns. Furthermore with the addition of custom layouts ("Change Layout" for the community owners) a new "banner" location has been added. The banner location stretches from left to right above the right column giving the widget as much horizontal space as an iWidget shown in fullpage mode gets. IBM describes the "themes" attribute as containing the following values: wpthemeThin, wpthemeNarrow, wpthemeWide and wpthemeBanner. The image below describes their locations in the UI:

So the attribute is actually quite interesting. By adding the "themes" attribute and setting it to "wpthemeWide wpthemeBanner" I can actually control that the OnTime Group Calendar widget (shown center in the image above) may only be in the "wpthemeWide" and "wpthemeBanner" locations but not in the "wpthemeThin" or "wpthemeNarrow" locations as they are too -- well -- narrow and thin. Sweet!

It's a shame that you can still drop a widget in an unsupported configuration. The user will see an explanation of this not being possible after the fact (and the widget will not render) but being blocked altogether would be better. The image below shows the OnTime widget in an unsupported location. A widget which is mandated in Profiles or Communities may still not be moved around and the "themes" attribute does not apply which again is why mandating the attribute be defined is crazy...

If only IBM had a mail client...

Over the last year we've seen more and more customers move to Microsoft Office 365 for mail and calendaring. The funny thing is that very few users actually end up using the webmail experience but almost all end up in Outlook. This made me think that IBM could probably still be competitive in the mail market including for the people who prefer a rich client if it wasn't for IBM Notes. The client is simply too bloated, too slow and too difficult to centrally manage and update. Oh and then there's the name "Notes" which for many still is a showstopper.

So what if IBM actually had a mail only client? What if they had a mail only client - think IBM Notes with only mail, calendaring, contacts and to-dos. Keep replication, require Windows Shared Login (i.e. SSO with the operating system) and I think it would be a winner. Extensibility would be nice for us ISV's but currently I would prefer customers to stay with IBM and having to use a web browser for applications.

If IBM had that they could actually still be a player in a market where many customers are moving to Office 365 but all complain about the cost and the performance. In many cases the IBM Connections Cloud is cheaper and WAY more performant as Office 365 is dog slow. All in all I still see IBM as a better play. If only they had a mail client...

Introduction to OAuth - the technology you need but never really learned

OAuth is core to integrations these days but I see many developers that try and use OAuth without really understanding the protocol. The protocol is very easy to understand so I created this presentation to try and explain it in easy, visual, chunks. I'll present on the topic tomorrow (Friday 6 November 2015) at the Social Connections IX conference in Stuttgart, Germany. I hope you'll come see it live if you are at the conference.

Possible to crash WAS using System.out.println?

I've been pulling my hair out trying to diagnose an issue we've been having with the OnTime Group Calendar Social components, that is, the widgets we have for IBM Connections. After loads of frustration and lost time I've managed to find the issue and will document it here for the future and for Google.

The issue, which appears on WebSphere Application Server ND v. 8.5.5.3 and 8.5.5.4, is caused by doing a simple System.out.println. This makes the server go bananas, throw a NullPointerException and make the JVM unstable and no longer reliable. Simply removing these System.out.println's seems to solve the problem. Now I know System.out.println should not be used and really they were left in by mistake in an embedded library. But they should hardly crash the JVM. The observed stacktrace is shown below. The System.out.println call appears on line 102 of dk.intravision.connections.FeedReader (in bold).

java.lang.NullPointerException
java.io.Writer.write(Writer.java:151)
java.io.BufferedWriter.newLine(BufferedWriter.java:236)
java.io.PrintStream.newLine(PrintStream.java:518)
java.io.PrintStream.println(PrintStream.java:670)
com.ibm.ejs.ras.StreamEvent6.writeDataToStream(StreamEvent6.java:205)
com.ibm.ejs.ras.StreamEvent6.writeSelfToStream(StreamEvent6.java:157)
com.ibm.ejs.ras.SystemStream.doPrintLine(SystemStream.java:800)
com.ibm.ejs.ras.SystemStream.println(SystemStream.java:703)
com.ibm.ejs.ras.SystemOutStream.println(SystemOutStream.java:80)
org.apache.felix.gogo.runtime.threadio.ThreadPrintStream.println(ThreadPrintStream.java:200)
org.apache.felix.gogo.runtime.threadio.ThreadPrintStream.println(ThreadPrintStream.java:200)
dk.intravision.connections.FeedReader.read(FeedReader.java:102)
dk.intravision.connections.profiles.Profile.getFollowingIDs(Profile.java:241)
dk.intravision.connections.profiles.Profile.getFollowingUsers(Profile.java:213)
...

PaaS, Bluemix and controlling runtime costs with cron

Back at IBM ConnectED 2015 I created a small demo for IBM using the yet-to-be-released extensibility API of IBM Verse to show off third party extension of IBM Verse. Ever since IBM has been using the demo which is great. The app I wrote is running on Bluemix and I turn it on and off whenever they need it. Now with Bluemix being a Platform As A Service (PaaS) offering I pay for the resource I use and since IBM is still to own up and provide partners with a free plan or larger allowance the monthly allowance of free gigabyte hours is cherished. Simply having it run day in and day out is burning up this free allowance. What is a geek to do? Script it of course...

Since Bluemix is controllable using the cf command line tool I wrote a small script to allow me to start and stop the app on Bluemix (see below). Invoking it is as simple as doing "versedemo_ctrl.sh start" or "versedemo_ctrl.sh stop" allowing me to do this remotely.

#!/bin/sh
# The credentials are embedded in this file and passed on the command line,
# so keep the script readable by its owner only.
cf login -a https://api.ng.bluemix.net -u {username} -p {password}
# $1 is the cf subcommand to run against the app: "start" or "stop"
cf "$1" "IBM ConnectED 2015 Verse Demo Contribution"

Even better is that I've added it to an existing on-prem server's crontab so that it starts and stops on business days in the period of time I need it. The cronjob even attaches the log of the start/stop and forwards it to our scheduled job management console so I'm only notified if stuff goes wrong. Love it. Below is a sample crontab entry.

# "> file 2>&1" sends both stdout and stderr to the log; the entry must be on a single line
0 12 * 9-11 1-5 ~/versedemo_ctrl.sh start > ~/versedemo.log 2>&1 && mail -s "Verse Demo App Started" -a ~/versedemo.log ***XXX***@intravision.dk

The above job simply starts the app Mon-Fri at 12pm (Sept-Nov) and then emails the job logs to our Job Controller service as an attachment.


Getting ready for iOS 9 and App Transport Security (ATS)

Much has already been written on the web about the upcoming iOS 9 release and how Apple is tightening security with App Transport Security (ATS) which basically only allows for HTTPS traffic using advanced and secure ciphers. Other voices in the community are staying on top of this and blogging much more about it and how it pertains to IBM Traveler, particularly if you are terminating your IBM Traveler connections on Domino. As it stands now (IBM Domino 9.0.1 FP4) IBM Domino cannot deliver the ciphers required for ATS. While the latest beta of iOS 9 can still connect insecurely I suggest you start to look for the right solution, one that terminates your IBM Traveler traffic using TLS v. 1.2 with Elliptic Curve crypto and Diffie-Hellman key exchange.

For one of our OnTime Group Calendar demo servers we have IBM HTTP Server (IHS) in front which made the process pretty easy as IHS already supports the required ciphers. As always configuring security is a mix of securing your server while keeping compatibility with older operating systems and browsers. For me this meant allowing TLS v. 1.0, 1.1 and 1.2 and keeping some less secure ciphers for older operating systems and browsers while also enabling strong crypto to support ATS.

Below is our configuration from domino.conf which is used to configure IHS for IBM Domino (there are two ciphers supported by ATS that are not supported by IHS (based on SHA-1)).

Listen 0.0.0.0:443
<VirtualHost *:443>
ServerName demo.ontimesuite.com
SSLEnable
SSLProtocolDisable SSLv2 SSLv3
SSLCipherSpec ALL NONE
SSLCipherSpec TLSv12 TLS_ECDHE_RSA_WITH_AES_256_CBC_SHA384
SSLCipherSpec TLSv12 TLS_ECDHE_RSA_WITH_AES_128_CBC_SHA256
SSLCipherSpec TLSv12 TLS_ECDHE_RSA_WITH_AES_256_GCM_SHA384
SSLCipherSpec TLSv12 TLS_ECDHE_RSA_WITH_AES_128_GCM_SHA256
SSLCipherSpec ALL TLS_RSA_WITH_AES_128_GCM_SHA256
SSLCipherSpec ALL TLS_RSA_WITH_AES_256_GCM_SHA384
SSLCipherSpec ALL TLS_RSA_WITH_AES_128_CBC_SHA256
SSLCipherSpec ALL TLS_RSA_WITH_AES_256_CBC_SHA256
SSLCipherSpec ALL TLS_RSA_WITH_AES_128_CBC_SHA
SSLCipherSpec ALL TLS_RSA_WITH_AES_256_CBC_SHA
SSLCipherSpec ALL SSL_RSA_WITH_3DES_EDE_CBC_SHA

# Enable strict CBC padding (TLS Poodle)
SSLAttributeSet 471 1

</VirtualHost>
KeyFile C:/Lotus/Domino/ihs/key.kdb
SSLDisable

Making the above configuration changes will give you an A- score on ssllabs.com which is a pretty nice score while keeping backwards compatibility. If that kind of compatibility isn't needed, turn off TLS v. 1.0 and 1.1 and remove the "SSLCipherSpec ALL" lines that name a cipher (keep "SSLCipherSpec ALL NONE") - that will give you a score of A.

Listen 0.0.0.0:443
<VirtualHost *:443>
ServerName demo.ontimesuite.com
SSLEnable
SSLProtocolDisable SSLv2 SSLv3 TLSv10 TLSv11
SSLCipherSpec ALL NONE
SSLCipherSpec TLSv12 TLS_ECDHE_RSA_WITH_AES_256_CBC_SHA384
SSLCipherSpec TLSv12 TLS_ECDHE_RSA_WITH_AES_128_CBC_SHA256
SSLCipherSpec TLSv12 TLS_ECDHE_RSA_WITH_AES_256_GCM_SHA384
SSLCipherSpec TLSv12 TLS_ECDHE_RSA_WITH_AES_128_GCM_SHA256

# Enable strict CBC padding (TLS Poodle)
SSLAttributeSet 471 1

</VirtualHost>
KeyFile C:/Lotus/Domino/ihs/key.kdb
SSLDisable
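
The difference between the two configurations can be checked mechanically before deploying. The following is an added example, not part of the original post or of IHS: a small Python audit of the SSLProtocolDisable and SSLCipherSpec directives against the criterion named above (TLS v. 1.2 with an ECDHE key exchange). The function name, the result keys and the shortened sample are constructed for illustration, and only the two-argument SSLCipherSpec form used in this post is handled.

```python
# Added example: audit IHS SSL directives like the ones in domino.conf above.
# Assumption: "SSLCipherSpec ALL NONE" clears the server's default cipher list,
# and only the "SSLCipherSpec <protocol> <cipher>" form from this post is used.

PROTOCOLS = ["SSLv2", "SSLv3", "TLSv10", "TLSv11", "TLSv12"]

# Constructed sample: a shortened version of the backwards-compatible config.
SAMPLE = """\
SSLProtocolDisable SSLv2 SSLv3
SSLCipherSpec ALL NONE
SSLCipherSpec TLSv12 TLS_ECDHE_RSA_WITH_AES_256_CBC_SHA384
SSLCipherSpec TLSv12 TLS_ECDHE_RSA_WITH_AES_128_GCM_SHA256
SSLCipherSpec ALL TLS_RSA_WITH_AES_128_CBC_SHA
SSLCipherSpec ALL SSL_RSA_WITH_3DES_EDE_CBC_SHA
# Enable strict CBC padding (TLS Poodle)
SSLAttributeSet 471 1
"""


def audit(conf):
    disabled, ciphers, cleared = set(), [], False
    for raw in conf.splitlines():
        words = raw.split("#", 1)[0].split()      # drop comments and blank lines
        if not words:
            continue
        directive, args = words[0].lower(), words[1:]
        if directive == "sslprotocoldisable":
            disabled.update(args)
        elif directive == "sslcipherspec" and len(args) == 2:
            if [a.upper() for a in args] == ["ALL", "NONE"]:
                ciphers, cleared = [], True       # start from an empty cipher list
            else:
                ciphers.append((args[0], args[1]))
    enabled = [p for p in PROTOCOLS if p not in disabled]
    # Ciphers usable on TLS 1.2: scoped to TLSv12 or to ALL protocols.
    tls12 = [name for scope, name in ciphers if scope in ("TLSv12", "ALL")]
    fs = [n for n in tls12 if "_ECDHE_" in n]
    no_fs = [name for _, name in ciphers if "_ECDHE_" not in name]
    return {
        "enabled_protocols": enabled,
        "defaults_cleared": cleared,
        "forward_secrecy": fs,
        "no_forward_secrecy": no_fs,
        # The post's ATS criterion: TLS 1.2 with an ECDHE key exchange on offer.
        "ats_ready": "TLSv12" in enabled and bool(fs),
        # Strict profile: explicit list, TLS 1.2 only, ECDHE ciphers only.
        "strict": cleared and enabled == ["TLSv12"] and bool(fs) and not no_fs,
    }


if __name__ == "__main__":
    for key, value in audit(SAMPLE).items():
        print(f"{key}: {value}")
```

A config without the "SSLCipherSpec ALL NONE" reset is reported with defaults_cleared set to False, because the server's default ciphers then remain in effect and the listed ciphers alone do not describe what is actually offered.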


IBM Connections Cloud (SmartCloud) FINALLY adds much awaited feature

We have had OnTime Group Calendar working with IBM Connections Cloud (SmartCloud) for years so that customers could move all or part of their mail users to IBM Connections Cloud and host OnTime Group Calendar on-premises or (IBM SmartCloud Notes Hybrid). We have seen adoption and do have customers using it but the main obstacle to full adoption by customers has been the lack of mailfile ACL controls for the customers. Since we require access to the mail files (we do need to read data you know...) a PMR to change ACLs and/or a custom mail template in IBM Connections Cloud was required to add on-premises Domino servers to the cloud mail file ACLs. With the latest update of IBM Connections Cloud this capability has finally been added to the administration panel so that customers may control these capabilities themselves. Yay!!

Administrators can control access to mail files from administrator interface (available on or after August 17 2015)
Company administrators can now control access to mail files through the Users page of the IBM SmartCloud Notes administration interface. Previously, IBM services needed to review, and then apply the template to the users. Administrators can now make the ACL changes directly against the mail file, saving them time and money.

For more information refer to the info center (Administration: control access to mail files).

Eclipse target platform invalidated by IBM Notes 9.0.1FP4 on Mac

After installing IBM Notes 9.0.1FP4 I have been unable to launch Notes from my Eclipse workspace when doing RCP development (i.e. plugin development) for Notes. I finally decided to solve it. The stacktrace is like the one below:

2015/07/20 08:16:42.280 SEVERE CLPDN0016E: Error starting RCPApplication com.ibm.rcp.personality.framework.RCPApplication 
::class.method=com.ibm.rcp.personality.framework.internal.RCPApplication.run() ::thread=Thread-1 
::loggername=com.ibm.rcp.personality.framework.internal

java.lang.NoSuchFieldError: isWindows
   at com.ibm.rcp.platform.personality.DefaultWorkbenchWindowAdvisor.createLaunchChevron(DefaultWorkbenchWindowAdvisor.java:2229)
   at com.ibm.rcp.platform.personality.DefaultWorkbenchWindowAdvisor.createShortcutBarItems(DefaultWorkbenchWindowAdvisor.java:591)
   at com.ibm.rcp.platform.personality.DefaultWorkbenchWindowAdvisor.createWindowContents(DefaultWorkbenchWindowAdvisor.java:733)

The issue turned out to be due to duplicate, similarly named plugins from the target platform with different versions. For instance I had the com.ibm.common.services.icalendar plugin in both version 9.0.1.20131022-0932 and in version 9.0.1.20150610-1521. Manually running through the plugins included in the target platform and excluding the older versions solved the issue. There must have been a problem deleting the older versions when upgrading my Notes client but in any case it's solved now.