Remember to secure your IBM HTTP Server when implementing IBM Connections

In Security Now! episode 396, starting at 12:22 (to 25:25), Steve and Leo were talking about various SSL attacks and how one could verify sites. I decided to check out one of my own stock IBM Connections installs, i.e. I verified the stock IBM HTTP Server (IHS) install. That was not a pleasant experience, as the default IBM HTTP Server is very insecure in that it accepts SSL v.2 and hence some very weak ciphers. Using SSLLabs.com and their SSL Server Test it is very easy to test an SSL site.

Below are the results from a standard IHS install using a commercial SSL certificate. A grade of F isn’t nice.

After reading a bit on mod_ssl (the SSL module in Apache / IHS) I added the below lines to the mod_ssl section in the httpd.conf file.

## SSLv3 128 bit Ciphers
SSLCipherSpec SSL_RSA_WITH_RC4_128_MD5
SSLCipherSpec SSL_RSA_WITH_RC4_128_SHA

## FIPS approved SSLV3 and TLSv1 128 bit AES Cipher
SSLCipherSpec TLS_RSA_WITH_AES_128_CBC_SHA

## FIPS approved SSLV3 and TLSv1 256 bit AES Cipher
SSLCipherSpec TLS_RSA_WITH_AES_256_CBC_SHA

Now I’m not an SSL wizard by any means, so I suggest you do your own research as well, but when I restarted the IHS I got a rating of A. BAM!! How’s them apples!?

How secure is the SSL stack for your IBM Connections environment?
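A small offline audit of the SSLCipherSpec lines above, added here as an example (it is not from the original post or from IBM): it lists the cipher specs a config fragment enables and flags names containing RC4, MD5 and similar fragments, plus protocols not switched off with SSLProtocolDisable. The function name audit_ihs_ssl, the weak-marker list and the AES_ONLY variant are assumptions of this example.

```python
import re

# Weak-name fragments (this example's own list); RC4 is banned in TLS by RFC 7465.
WEAK_MARKERS = ("RC4", "MD5", "_DES_", "RC2", "EXPORT", "NULL")
DIRECTIVE = re.compile(r"^\s*(SSLCipherSpec|SSLProtocolDisable)\s+(\S.*)$", re.I)

# The four directives from the post, with its comment headers.
PAGE_CONFIG = """\
## SSLv3 128 bit Ciphers
SSLCipherSpec SSL_RSA_WITH_RC4_128_MD5
SSLCipherSpec SSL_RSA_WITH_RC4_128_SHA
## FIPS approved SSLV3 and TLSv1 128 bit AES Cipher
SSLCipherSpec TLS_RSA_WITH_AES_128_CBC_SHA
## FIPS approved SSLV3 and TLSv1 256 bit AES Cipher
SSLCipherSpec TLS_RSA_WITH_AES_256_CBC_SHA
"""
# Constructed variant: RC4 entries dropped, old protocols disabled explicitly.
AES_ONLY = """\
SSLProtocolDisable SSLv2 SSLv3
SSLCipherSpec TLS_RSA_WITH_AES_128_CBC_SHA
SSLCipherSpec TLS_RSA_WITH_AES_256_CBC_SHA
"""

def audit_ihs_ssl(conf_text):
    """Return (ciphers, findings) for the SSL directives in a config fragment."""
    ciphers, disabled, findings = [], set(), []
    for raw in conf_text.splitlines():
        match = DIRECTIVE.match(raw.split("#", 1)[0])  # ignore comments
        if not match:
            continue
        args = match.group(2).split()
        if match.group(1).lower() == "sslcipherspec":
            ciphers.append(args[0])  # single-argument form, as used in the post
        else:
            disabled.update(a.lower() for a in args)
    if not ciphers:
        findings.append("no SSLCipherSpec: server default cipher list applies")
    for cipher in ciphers:
        hits = [m.strip("_") for m in WEAK_MARKERS if m in cipher.upper()]
        if hits:
            findings.append(f"{cipher}: weak ({', '.join(hits)})")
    for proto in ("sslv2", "sslv3"):
        if proto not in disabled:
            findings.append(f"{proto} not disabled via SSLProtocolDisable")
    return ciphers, findings

if __name__ == "__main__":
    for label, conf in (("post", PAGE_CONFIG), ("AES only", AES_ONLY)):
        print(label, *audit_ihs_ssl(conf)[1], sep="\n  ")
```

An empty findings list only means nothing in this example's marker list matched; a scan of the running server, such as the SSL Server Test mentioned above, is still the check that counts.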

Using DiscoveryServlet for debugging Connections Mail

When you install Connections Mail, having a way to diagnose how Connections sees a particular user’s mail setup can be very helpful, e.g. which mail system, which hostname, mail file etc. Digging through the network traffic in a working Connections Mail install I discovered calls to “DiscoveryServlet”, which is a utility that Connections Mail itself uses for that purpose. It’s so nice. When called it returns full info about the mail setup for the queried user (by email address). To call it you use the following URL:

http://<hostname>/connections/resources/discovery/DiscoveryServlet?email=<email address>

Use at your own risk and as Stephan would say – YMMV…

Missing passthru_nonProxyHosts for IBM Connections widget proxy

When writing widgets for IBM Connections (version 1, 2, 3 and 4) and you have an iWidget (judgement still out on the OpenSocial gadget support) that needs to talk to network resources other than the IBM Connections server, you need to change the proxy-config.tpl to work around the same-origin policy restrictions imposed on JavaScript running in a browser. The change is easy enough and well documented, but what do you do if you need to use an HTTP proxy for requests leaving your network? Well, you use the passthrough proxy setting for the proxy (see ) to make sure that traffic passes through your HTTP proxy. The problem, however, is if you need to use an HTTP proxy to access resources external to your network but not to access internal resources, since the setting is global and applies to all rules. So be warned and plan your network accordingly.

For the record there is a setting in Mashup Center to work around this (passthru_nonProxyHosts) but that setting hasn’t been implemented for IBM Connections unfortunately.

Social Connections IV in Amsterdam

The agenda for the upcoming Social Connections IV event in Amsterdam is now public and I’m happy to say that it includes yours truly. I will do a 30 minute introduction to the joys of widget development for IBM Connections. I’m pretty sure that there are still slots available for the event so if you’re in Europe on 30 November and you’re working with IBM Connections you really should join us. Oh – and bring your customers…

LCUSER.DUAL is an undefined name during IBM Connections 3.0.1 side-by-side migration

In the process of moving our internal IBM Connections 3.0.1 server to IBM Connections 4.0 we need to upgrade our DB2 to be 64 bit, which is giving us some problems. After talking to IBM they convinced us to first do a side-by-side migration of our 3.0.1 DB2 databases to another 3.0.1 instance before upgrading the databases to 4.0. However, in the process we discovered that the documentation for this process is inaccurate, so I wanted to post the solution here in case others needed it. Referring to the documentation (Migrating 3.0.1 data side-by-side), one of the steps is to record the sequence numbers for 4 DB2 sequences used for the draft tables. The progress of these sequences should be discoverable by using the following SQL, but it fails.

(Profiles only.) Run the following commands to update the
database sequence for DB2 or Oracle target databases:

DB2
Run the following commands on the 3.0.1 source database:
SELECT EMPINST.EMPINST.EXT_DRAFT_SEQ.NEXTVAL AS
   EXT_DRAFT_SEQ FROM DUAL;
SELECT EMPINST.EMPINST.EMP_DRAFT_SEQ.NEXTVAL AS
   EMP_DRAFT_SEQ FROM DUAL;
SELECT EMPINST.CHG_EMP_DRAFT_SEQ1.NEXTVAL AS
   CHG_EMP_DRAFT_SEQ1 FROM DUAL;
SELECT EMPINST.CHG_EMP_DRAFT_SEQ2.NEXTVAL AS
   CHG_EMP_DRAFT_SEQ2 FROM DUAL;

"SQL0204N "LCUSER.DUAL" is an undefined name. SQLSTATE=42704".

The problem is that the documented SQL references a non-existent table called “DUAL” and some table columns which then don’t make any sense either. What you actually want to look at are the actual sequences (see “SELECT SEQNAME FROM SYSCAT.SEQUENCES”). Once you know that it’s pretty easy to get the starting values.

Please note that if you’ve never used the draft functionality and DSML to sync changes back to LDAP you can happily omit these steps altogether.

IBM Connections 4.0 is 64 bit only

This weekend we’ve been upgrading to IBM Connections 4.0 on a number of systems and for one we are having problems. The problem is that it’s a small demo environment which is running on 32 bit Windows. The new release is only supported on 64 bits and the DBWizard will actually not run on 32 bit as the JVM supplied with the wizard is 64 bits only. Whether you can run the wizard on a 64 bit machine and connect to a 32 bit DB2 instance remains to be seen. So now you know…

IBM Connections 4.0 Detailed System Requirements for Windows

Reusing IBM Connections Atom date formatting for custom widgets


In a recent IBM Connections project I needed to display dates in the same way as IBM Connections does it, that is, full dates sometimes but also using “yesterday”, “today” etc. Plus it needed to cater for the fact that the customer might at some future point in time allow the user to change the UI language. Coding this is tedious and would take quite some time, so I wanted to figure out if IBM Connections had some libraries that could help me.

And it did.

By messing around in Firebug I found out that the way IBM Connections does it is by using a nifty JavaScript object called lconn.core.DateUtil.AtomDateToString. This object is actually a helper object that does two things – first it is able to convert an Atom date/time string (such as 2012-08-01T12:44:42.713Z) into a JavaScript Date object and then format it according to i18n settings and the language set in the UI.

Once I knew what to look for in the IBM Connections code it was simple enough. They do it by adding a hidden span-tag (CSS class “lotusHidden”) with a special tagging CSS class called “formatDate” as shown below.

<span class="formatDate lotusHidden">
  2012-08-01T12:44:42.713Z
</span>

Then using dojo.query they locate the nodes with the formatDate CSS class, use the utility class to convert the Atom date string and then remove the “lotusHidden” CSS class to make it visible.

// expand dates
if (lconn && lconn.core && lconn.core.DateUtil &&
lconn.core.DateUtil.AtomDateToString) {
   dojo.query(".formatDate", root).forEach(function(item){
      item.innerHTML=lconn.core.
         DateUtil.AtomDateToString(item.innerHTML);
      dojo.removeClass(item,"lotusHidden");
   });
}

Customizing the feature titles for IBM Connections mobile plus new URL handlers which are (almost) useful

Luis Benitez already blogged this (How To Customize the IBM Connections Mobile App for iOS, Android & BlackBerry) but I think it is so important that it bears mentioning again. With the latest update to IBM Connections (version 3.0.1.1 CR2) you now have the option to customize the mobile apps using a new mobile-config.xml file. It allows you to configure settings to do with login and the general configuration of the app. An important point is also that it allows you to change the title of the features in the app, which is great if you have changed feature names in the web UI. We have customers that change some of the Danish translations (especially for Community because they feel that the Danish word really isn’t representative of the feature), so making that feature name change apply to the mobile UIs is great.

To install the fixes simply download the IBM Connections 3.0.1.1 CR2 jar-files and follow the steps from the technote (technote 1595154) to update IBM Connections. Please note that you need the newest update installer to perform the update.

As if this wasn’t enough, Chris Reckling recently blogged (Custom URLs in IBM Connections Mobile Apps) on the new URL handlers that were added to the Connections mobile apps for iOS and Android. This means you can add a link in an email to take you directly to Profiles or a profile as well as Communities or a community. The URLs are easy to use and pretty straightforward – to open John Doe’s profile one could use ibmscp://com.ibm.connections/profiles?email=jdon%40example.com from anywhere on the app. Pretty neat.

There’s also a URL handler to configure the app for a user to allow for easier set up of the app.

The URL handlers are great but I think it is too bad they didn’t add support for all features now they were at it. For instance, having a direct link capability into Activities would be killer as it would allow you to add links to the email notifications that would take you to the mobile app instead of the web UI. Would have been soo cool and would have been something I could use now – having the Communities part is nice but I receive way more Activities notifications by email so a link capability there is worth much more to me. I’m hoping it will make it into the next update.

IBM Connections API tip – override Content-Type header

When working with the IBM Connections REST API all responses are returned with the application/atomsvc+xml Content-Type, which makes them not show up natively in the browser (or at least in Firefox). A quick solution is to install the Force Content-Type extension and change the Content-Type to text/xml on the fly to make the result show up in the browser. Rules are quick and easy to define.