Using the IBM Connections API from other languages using custom certificates

I was reading up on some stuff in the IBM Connections REST API during the weekend and came across a post titled Using IBM Connections API in different programming languages on how to use the REST API from other languages than JavaScript from within IBM Connections. The approach there is very nice and quite valid but it fails to mention what to do if the SSL certificate of the API endpoint either isn’t trusted or isn’t certified using a “known” root certificate. In this case “known” means to the Java runtime you’re using or the runtime of any other language for that matter. Here I’m only dealing with Java though.

By default the java.net classes will not allow an SSL connection to a server using an unknown/untrusted certificate, but there are ways around that. Of course the best is always to make sure that the certificate of the server can be validated against the Java keystore (including intermediate certificates), but for testing – or if you know what you’re doing – simply ignoring the certificate test can be beneficial. Below is some code showing how to configure the SSL runtime to ignore the certificate and hostname checks. The code is a static configuration method and I deem it pretty readable. It sets the defaults for HttpsURLConnection, so it applies to every such connection the JVM makes afterwards. The code allows *all* certificates but could pretty easily be locked down to be more restrictive if need be.

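import java.security.GeneralSecurityException;
import java.security.SecureRandom;
import java.security.cert.X509Certificate;
import javax.net.ssl.HostnameVerifier;
import javax.net.ssl.HttpsURLConnection;
import javax.net.ssl.SSLContext;
import javax.net.ssl.SSLSession;
import javax.net.ssl.TrustManager;
import javax.net.ssl.X509TrustManager;

// Turns off certificate and hostname validation for every
// HttpsURLConnection created in this JVM after the call.
private static void enableSelfSignedCerts() throws GeneralSecurityException {
  // Trust manager that accepts any certificate chain
  TrustManager[] trustAllCerts = new TrustManager[] {
    new X509TrustManager() {
      public X509Certificate[] getAcceptedIssuers() {
        // Empty array rather than null: the interface requires non-null
        return new X509Certificate[0];
      }
      public void checkClientTrusted(X509Certificate[] certs,
          String authType) {
      }
      public void checkServerTrusted(X509Certificate[] certs,
          String authType) {
      }
    }
  };

  // Install the all-trusting trust manager as the JVM default
  SSLContext sc = SSLContext.getInstance("TLS");
  sc.init(null, trustAllCerts, new SecureRandom());
  HttpsURLConnection.setDefaultSSLSocketFactory(sc.getSocketFactory());

  // Create all-trusting host name verifier
  HostnameVerifier allHostsValid = new HostnameVerifier() {
    public boolean verify(String hostname, SSLSession session) {
      return true;
    }
  };

  // Install the all-trusting host verifier
  HttpsURLConnection.setDefaultHostnameVerifier(allHostsValid);
}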

Bookmark to IBM Connections bookmarks from iOS

Bookmarks (aka Dogear) in IBM Connections is great and IBM provides a nifty bookmarklet to allow easy bookmarking from your browser. I couldn’t however make this bookmarklet work in Safari on iOS so I decided to look into it. And I’m happy to say I got it working with some inspiration from the Instapaper bookmarklet. The way it works for me now is that I have the bookmark bar visible on my iPhone and iPad and when I need to bookmark I use the bookmarklet which redirects to the IBM Connections bookmark page and back to the original page once done. Super easy and it works great.

Here is how to make it work.

  1. Open Safari and make a bookmark to a random page but be sure to place it in the bookmark bar (the bookmark bar can be made visible all the time in Safari options).
  2. Edit that bookmark and change the title to something that makes sense (I use “IV Dogear”).
  3. Clear the location field and paste in the JavaScript code from below replacing the hostname (lc.intravision.dk) with a hostname applicable to you.
  4. Save the bookmark and start bookmarking.

javascript:function%20abcdefg()%7Bvar%20h='http://lc.intravision.dk/dogear';var%20d=document;var%20b=d.body;var%20e=encodeURIComponent;var%20u=h+'/bookmarklet/post?url='+e(location.href)+'&title='+e(d.title);location.href=u+'&inframe=true&ver=';%7D;abcdefg();void(0);

File not found when using IBM Connections Media Gallery

At a customer, users were reporting that the media gallery in IBM Connections did not work. The error they were seeing was an error message in the UI telling them that the file they just selected from their file system did not exist. Very strange. After diagnosing the issue it was caused by the media gallery not having been set up correctly as the default file types weren’t imported into the configuration. Why these defaults are not set automatically is the topic for another day.

There are two templates which determine the file types you can upload
by default. You should also have these in your AppSrv01 profiles, or your
nodes, etc. The step is done by following the instructions in the info center.

Disabling HTTPS communication between IHS WAS Plugin and WAS servers

Many people believe that you have to have multiple servers to run IBM Connections – this simply isn’t true! There’s no reason why you cannot run everything off the same server which is what we do here at the office. When you do that, if all servers are inside the firewall – or if you simply don’t care about the security that it provides – you can disable the IHS WAS Plugin from communicating with the WAS server using SSL. A benefit from this is among other things that you do not have to care about certificates between the IHS WAS Plugin and the WAS server which simplifies installation and management.

Anyway… For a while I’ve been doing this configuration change manually directly in plugin-cfg.xml (by commenting the HTTPS transport out) until it bit us the other day. So I finally decided to find a proper, correct, solution. And of course there is a way to do this and it’s very well documented in IBM Technote 1452735. So if you want to make that change go ahead and do it – I did and it’s working flawlessly.

WAS profile creation on Windows Server 2008 64 bit

When installing Connections on Windows 2008 Server 64 bit the profile management tool doesn’t work so profile creation is done using manageprofiles.bat/sh. The syntax is hard to remember so here it is for future reference.

Deployment manager:
c:ibmwebsphereappserverbinmanageprofiles.bat -create -templatePath ..profileTemplatesmanagement -profileName dmgr -profilePath d:wasprofilesdmgr -cellName LCCell01 -nodeName dmgrNode -serverType DEPLOYMENT_MANAGER

Application server:
c:ibmwebsphereappserverbinmanageprofiles.bat -create -templatePath ..profileTemplatesdefault -profileName AppSrv01 -profilePath d:wasprofilesappsrv01 -nodeName appNode01

OnTime Group Calendar for Social Business

As part of the OnTime Group Calendar we’re building a series of widgets for IBM Connections to allow easier collaboration – the more we collaborate the more we need access to accurate, updated, calendar data. This puts OnTime Group Calendar smack in the middle of the move to social business. We are getting ready to release the widgets as part of the product and we have the first demo ready.


The integration into the Profiles feature is easily understandable and shows the calendar of the user right there on the profile page as shown on the right.

However the real power lies in the integration into communities. Here we bring the calendar of community members into the community in a text list UI and a full graphical viewer based UI as in the rest of our clients. For communities we are also offering a Social Scheduling widget to allow you to find available meeting times and book meetings with community members plus people you may only know based on tags (keywords) or location. Very powerful and possible due to the API offered for OnTime Group Calendar.




Please note that everywhere the access to calendar data is only available if the querying user has sufficient access.

The demo below outlines how OnTime Group Calendar for Social Business brings calendar data into IBM Connections in the Profiles feature and in the Communities feature.

All videos are available on the ontimesuite YouTube channel.

Backup for IBM Connections communities

An excellent and a bit overdue addition to IBM Connections is better control over backup of communities. We’re not talking fine grained control and integration with e.g. Tivoli Storage Manager but rather backup to and restore from ZIP-files. The asset has been added to the Greenhouse catalog and is described in the New backup & restore tool for IBM Connections Communities post on the Synch.rono.us blog.

IBM Connections Extension license – how to handle varying user entitlement and which drawbacks I see

As I blogged the other day (IBM Connections Extension license) IBM has released an extension license for IBM Connections to allow customers to buy the remaining features (besides Profiles and Files). It did however beg the question: “So how do I control access to the remaining features for users not entitled to use all features in Connections?”. After asking Ed Brill the solution from the IBM Connections team is surprisingly simple and easy to implement. It does however put the burden on you as the administrator as it’s not a “checkbox solution”. Let me try and explain how to do it.

In IBM Connections (and all other J2EE applications) access to functionality is controlled by roles. That is, the container will verify that a user has been mapped to a particular role (either as the user or by virtue of being a member of a group) before granting access. In WebSphere Application Server this is done in the Integrated Solutions Console (ISC) on a per application basis. The way you restrict access to particular features is the same way you force users to log into Connections and is nicely described in the wiki/InfoCenter. The way you would do it for this scenario is to create an LDAP group of fully entitled users and make sure only these users are granted access to features other than Profiles and Files.

The solution works and is easy to implement but it has a major drawback in that it doesn’t change the main menus. At least to the best of my knowledge, as the service that returns menu items reads off the general Connections configuration and does not take the access of a particular user into account. A better solution would of course be that the service was aware of the access restriction and only features to which a user has access are presented in the menus. It would also lend itself better to a simpler UI for these casual users of Connections.

Another issue is that the approach doesn’t restrict a fully entitled user (“user 1”) from sharing information with a limited entitled user (“user 2”) in say communities. “User 1” is free to add “user 2” but “user 2” would be unable to see the information. The user would receive e-mail notifications etc. but wouldn’t be able to open the community. The user would try and go to the community, could log in successfully but still be unable to access the community. Probably unable to realize why. The main culprit here is that the name resolution service isn’t aware of the – potentially – limited entitlement of some users. I see helpdesk calls on the horizon.

So while I really, really, really praise IBM for the Profiles/Files entitlement being added to Notes 8.5.3 I also see room for improvement. The role based approach allows you to manage access and thus avoid problems in the event of an IBM compliance check but there are user experience issues. Hopefully IBM will address these in upcoming releases.