There is nothing to fear but Websphere itself

Saw this link on and I think it’s well worth making sure that more Yellowheads know about it. It’s becoming clear that more and more Lotus products are being based on Websphere (which I understand and somewhat support!!), so getting to know Websphere is probably not the worst way to spend a weekend. This PDF from IBM (“1 hour course to demystify Websphere Application Server for Lotus is now available”) is a crash-course introduction to Websphere Application Server: what it’s all about and what the terminology means. I highly recommend you take a peek.

SSL certificates and the WAS plugin

Had some issues yesterday morning with the SSL certificate used between the WAS IHS plugin and WAS for a Lotus Connections installation (Dannotes, in case you were wondering why you couldn’t log in this morning). Again it turned out to be the all too well known “ERROR: lib_stream: openStream: Failed in r_gsk_secure_soc_init: GSK_ERROR_BAD_CERT(gsk rc = 414)” issue, where the SSL certificate from WAS isn’t trusted by the IHS WAS plugin.

The issue was “easily” solved with the help of Technote 1264477 (GSK_ERROR_BAD_CERT error configuring SSL between Plug-in and Application Server V6.1). The solution is of course to extract the certificate from WAS and import it into the IHS WAS plugin keystore.

Using a non self-signed certificate with Lotus Connections

When you deploy Lotus Connections you find out that the login has to be done over SSL, and hence you need an SSL certificate. When Lotus Connections is installed a self-signed certificate is generated, but you’ll probably want to use a “real” certificate, whether one signed by a public CA or one signed by a corporate CA. Doing this is quite simple if you only swap out the IBM HTTP Server certificate, as this only requires a change to httpd.conf and the use of the ikeyman application.

Although the ikeyman application looks like something from another century, it works and does its job. To launch it go to c:\websphere\appserver\profiles\appserver1\bin and invoke ikeyman.bat (substitute the path as appropriate). Once this is done, follow the documentation to create a new keystore database (KDB format) and create a stash file. Then generate a new key pair and submit the resulting certificate request to your CA (again, follow the documentation). The stash file is used by the web server to open the otherwise encrypted keystore without a password.

When you receive the reply, please bear in mind that the certifying certificate must be in the keystore before accepting the reply. For most CAs this will require you to import an intermediate certificate before proceeding. This goes for Equifax as well as Verisign. The easiest way to find these is to go to your CA’s web site and search for “intermediate”.

Once this is done you can import the certificate reply, update httpd.conf, restart IHS and you’re laughing…
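The two keystore problems above (the plugin not trusting the WAS certificate, and a CA reply that cannot be received until its intermediate is in the keystore) come down to the same chain check. As an added example that is not part of the original posts, here it is with openssl standing in for ikeyman; the root, intermediate, server and WAS certificates are constructed locally and the host names are placeholders.

```shell
# Added example, not from the original posts: the checks behind the two
# keystore problems above, using openssl as a stand-in for ikeyman. The PKI
# is constructed locally; host names are placeholders.
set -e

# chain_ok CERT TRUST [UNTRUSTED]: succeeds when CERT chains to a certificate
# in the TRUST file, optionally via the UNTRUSTED intermediate.
chain_ok() {
    if [ -n "${3:-}" ]; then
        openssl verify -CAfile "$2" -untrusted "$3" "$1" >/dev/null 2>&1
    else
        openssl verify -CAfile "$2" "$1" >/dev/null 2>&1
    fi
}

WORK=$(mktemp -d)
trap 'rm -rf "$WORK"' EXIT
cd "$WORK"
printf 'basicConstraints=critical,CA:TRUE\nkeyUsage=critical,keyCertSign\n' > ca.ext

# Root CA, an intermediate issued by it, and a server cert issued by the
# intermediate: the shape a public CA's reply usually has.
openssl req -x509 -newkey rsa:2048 -nodes -keyout root.key -out root.pem \
    -subj "/CN=Constructed Root CA" -days 2 >/dev/null 2>&1
openssl req -new -newkey rsa:2048 -nodes -keyout inter.key -out inter.csr \
    -subj "/CN=Constructed Intermediate CA" >/dev/null 2>&1
openssl x509 -req -in inter.csr -CA root.pem -CAkey root.key -CAcreateserial \
    -extfile ca.ext -out inter.pem -days 2 >/dev/null 2>&1
openssl req -new -newkey rsa:2048 -nodes -keyout server.key -out server.csr \
    -subj "/CN=connections.example.invalid" >/dev/null 2>&1
openssl x509 -req -in server.csr -CA inter.pem -CAkey inter.key -CAcreateserial \
    -out server.pem -days 2 >/dev/null 2>&1
# A self-signed certificate standing in for the one WAS generates at install.
openssl req -x509 -newkey rsa:2048 -nodes -keyout was.key -out was.pem \
    -subj "/CN=was.example.invalid" -days 2 >/dev/null 2>&1

# 1. Receiving the CA reply: without the intermediate in the store the reply
#    does not validate against the root, which is why ikeyman rejects it.
if chain_ok server.pem root.pem; then echo "reply validated without intermediate"; exit 1; fi
chain_ok server.pem root.pem inter.pem   # intermediate imported first: accepted

# 2. The plugin side (GSK rc 414): the WAS certificate is trusted only once it
#    has been extracted and added to the plugin's trust store.
cp root.pem plugin-trust.pem             # plugin store that lacks the WAS cert
if chain_ok was.pem plugin-trust.pem; then echo "WAS cert trusted before import"; exit 1; fi
cat was.pem >> plugin-trust.pem          # the Technote 1264477 import step
chain_ok was.pem plugin-trust.pem        # now trusted
```

Run the same `openssl verify` against the intermediate you downloaded from the CA before importing it into the KDB: if the reply does not chain through it, you have the wrong intermediate.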

Configuring SSO between Lotus Domino and Lotus Connections

This morning I configured single sign-on (SSO) between Lotus Connections and Lotus Domino and was again surprised by how easy it is. The steps are simple:

  1. Open the WAS server administration interface and go to Security > Secure administration, applications, and infrastructure > Authentication mechanisms and expiration.
  2. Select “Authentication mechanisms and expiration” in the “Authentication” section on the right hand side.
  3. Now in the “Cross-cell single sign-on” section specify a set of passwords and export the keys to a file on the file system.
  4. Move the file to your local file system.
  5. Now follow the guidelines in the Domino Administrator help for importing the keys into Domino LTPA configuration.


“Have you ever find out that you spent 3 days in something that could be done in 3 hours? Or maybe you just missunderstood some part of the documentation? Well, this space is created to avoid that. The main goal is to have a repository or Configurations, Workarounds and Technotes of the Lotus and WebSphere brands but from the user side. Documentation is the base, experience is the key.”