Fixing IBM Connections help for IE users

At a customer site they were actually using the IBM Connections help documents (a first I know) but it didn’t work for the users in Internet Explorer. After some research it turned out to be due to a missing compatability statement in the generated HTML documents (this statement is present in HTML generated for other features). I’ve previously reported this issue to IBM but it still hasn’t been fixed in version 4.0 CR3 so I took it upon me to find a solution. The solution turned out to be simpel using a “sledgehammer approach”. I simply used one of the cool modules in IHS (Apache) to add a compatability header to force all document into IE7 mode.

Below are the steps – YMMV.

  1. Open your httpd.conf file for edit
  2. Uncomment the mod_headers module near the top by removing the hash-character at the beginning so the line simply reads “LoadModule headers_module modules/”
  3. At the end of the file simply paste in the following command
    Header set X-UA-Compatible IE=7
  4. Save and close the file
  5. Restart the IHS

Hiding the Social Mail username and password from socialmail-discovery-config.xml

It’s been bothering me a while that the username and password for our LDAP user was visible in clear text in our socialmail-discovery-config.xml. After going looking for a solution by using very specific searching I found a solution where you can hide the username and password and – stupid as I am – it’s actually right there in the install docs. Stupid is as stupid does. The solution is to remove the authentication data from the socialmail-discovery-config.xml and replace the <DirectoryUser> and <DirectoryPW> tags with a single <DirectoryAuthAlias> tag. This tag should reference a J2C alias configured in the Websphere ISC. Simple and effective.

The above solution is for Domino only – if you’re using Exchange mail you need two additional tags. For complete instructions on the tags refer to the wiki at Enabling the discovery service for IBM Connections Mail.

Remember to secure your IBM HTTP Server when implementing IBM Connections

In Security Now! episode 396 starting at 12:22 (to 25:25) Steve and Leo were talking about various SSL attacks and how one could verify sites. I decided to check out one of my own stock IBM Connections installs i.e. I verified the stock IBM HTTP Server (IHS) install. That was not a pleasant experience as the default IBM HTTP Server is very insecure in that it accepts SSL v.2 and hence some very weak ciphers. Using and their SSL Server Test it is very easy to test a SSL site.

Below is the results from a standard IHS install using a commercial SSL certificate. A grade of F isn’t nice.

After reading a bit on mod_ssl (the SSL module in Apache / IHS) I added the below lines to the mod_ssl section in the httpd.conf file.

## SSLv3 128 bit Ciphers
SSLCipherSpec SSL_RSA_WITH_RC4_128_MD5

## FIPS approved SSLV3 and TLSv1 128 bit AES Cipher

## FIPS approved SSLV3 and TLSv1 256 bit AES Cipher

Now I’m not a SSL wizard by any means so I suggest you do your own research as well but when I restarted the IHS I got a rating of A. BAM!! How’s them apples!?

How secure is the SSL stack for your IBM Connections environment?