Upgrade to Pro — share decks privately, control downloads, hide ads and more …

How being a Connections administrator gave me gray hairs

September 17, 2019

How being a Connections administrator gave me gray hairs

After ten years of HCL Connections installations at a variety of different customers, environments and operating systems, I have seen and bypassed far too many exceptions and special settings inside and outside of Connections. In this session, you will see the funniest and most bizarre things that are responsible for at least part of my gray hair. I’ll show you some pitfalls that should be avoided during installation and configuration.


September 17, 2019

More Decks by LetsConnect

Other Decks in Technology


  1. @stoeps Social Connections 15 #CnxGrayHair 1 How being a Connections

    administrator gave me gray hairs Christoph Stoettner  @stoeps Munich, 18-09-2019
  2. @stoeps Social Connections 15 #CnxGrayHair 3 +49 173 8588719 christophstoettner

    Christoph Stoettner Senior Consultant at Linux (Slackware) since 1995 IBM Domino since 1999 IBM Connections since 2009 Experience in Migrations, Deployments Performance Analysis, Infrastructure Focusing in Monitoring, Security More and more DevOps stuff   [email protected]  linkedin.com/in/christophstoettner  stoeps.de   @stoeps panagenda
  3. @stoeps Social Connections 15 #CnxGrayHair 4 Disclaimer I don’t think

    Connections is the reason for my gray hair. I’m just getting old. 
  4. @stoeps Social Connections 15 #CnxGrayHair 5 Naming history of Connections

    2007: Lotus Connections 1.0 2009: Lotus Connections 2.5 (my first release) 2011: Lotus IBM Connections 3.0.1 2017: IBM Connections pink announced 2019: IBM HCL Connections 6.0 CR5 So I will talk about my 10 years with Lotus IBM HCL Connections. 
  5. @stoeps Social Connections 15 #CnxGrayHair 16 Worldwide Figure 2. Image

    Statcounter Germany Figure 3. Image Statcounter Browser 2009 → 2019
  6. @stoeps Social Connections 15 #CnxGrayHair 18 10 years of Connections

    My personal point of view Is it hard to deploy? Depends It’s not just Connections During install we touch nearly everything in the network Core Product (WebSphere, DB2, Connections) greenfield deployment Pretty easy ComponentPack Kubernetes Interesting, but something to practise | learn a little bit
  7. @stoeps Social Connections 15 #CnxGrayHair 19 Figure 5. Image IBM

    The IBM View - Greenfield O en got this deployment plans in the first years Lotus Wiki (official documentation)
  8. @stoeps Social Connections 15 #CnxGrayHair 22 Decisions Operating System Linux

    Windows AIX Database DB2 Oracle MS SQL Server LDAP Domino LDAP Active Directory (and any LDAP v3 compatible product)
  9. @stoeps Social Connections 15 #CnxGrayHair 23 Selecting the Operating System

    Experience of administrators is the main criteria easier to troubleshoot Shared Directory Windows Fileserver sometimes unstable for WebSphere not recognized for Windows clients short timeouts WebSphere will not reconnect WebSphere restart needed
  10. @stoeps Social Connections 15 #CnxGrayHair 24 Select the LDAP server

    leading directory in your environment performance ( ) dependencies Spnego Mail integration Add AD $dn to the Domino Fullname Define a failover server WebSphere will not reconnect No DNS round robin (for WebSphere it’s one host → no failover) Server hang with default settings
  11. @stoeps Social Connections 15 #CnxGrayHair 25 Men operating system customer

    with AIX Admin got a list with prerequisits Disk space Tools Installation crashed several times Admin enabled disk in 500 MB to 1GB chunks (10 steps to get up to 5GB) AIX tar does not support paths longer 100 characters, Weird errors during install GNU tar needed, just a sidenote in the documentation KSH No tab completion cite: "That’s for real men."
  12. @stoeps Social Connections 15 #CnxGrayHair 26 Core Connections & …

    IBM Docs IBM Docs Viewer IBM Surveys (formerly Forms Experience Builder) Touchpoint ICEC (lite for Community Highlights) Metrics | Cognos Elasticsearch (Standalone, Kubernetes) | Solr (deprecated) Mail Integration (Exchange & Domino) Sametime Integration (Chat, Persistent Chat, Meeting Rooms) Verse on Premises (Profile Photos)
  13. @stoeps Social Connections 15 #CnxGrayHair 27 Firewalls and (Reverse)Proxies Always

    test deployment without them check the web application firewall logs Chrome: affects not only blogs had this with the activity stream NetIQ, WebSeal httpd.conf https://www.ibm.com/support/pages/ibm-connections-403-error-when- creating-new-blog-entry-using-chrome-55-and-56 Header unset Origin RequestHeader unset Origin
  14. @stoeps Social Connections 15 #CnxGrayHair 28 High Availability Load Balancer

    No access a er WebSphere 8.5.5 FP14 Update Java 1.8 mandatory LB wasn’t able to access TLS with high encryption Database WebSphere Web-Server Single point of failure Connections supports only one URL. So using multiple webserver means multiple different DNS entries. 
  15. @stoeps Social Connections 15 #CnxGrayHair 29 Important for integrations Example:

    Intranet Getting content from Connections Posting to Connections Authentication Gateway only supports SPNEGO No exceptions Add additional webserver without TAM in front Needs same hostname 
  16. @stoeps Social Connections 15 #CnxGrayHair 30 Single Sign On IBM

    World: LTPAToken Sametime Portal Domino Kerberos | SPNEGO SAML ADFS Tivoli Combinations of Authentication Gateways
  17. @stoeps Social Connections 15 #CnxGrayHair 31 Security Authentication Gateway Tivoli

    Access Manager Siteminder Firewalls Proxy Reverse Proxy
  18. @stoeps Social Connections 15 #CnxGrayHair 32 Hosts file is not

    a workaround Decent name resolution is important With componentpack /etc/hosts is more complicated you can use hostAliases in yaml files edit of yaml | helm is needed (don’t forget to do before each update) → unusable
  19. @stoeps Social Connections 15 #CnxGrayHair 33 Unsupported Authentication Gateway or

    SAML Possible with custom Trust Association Interceptor (TAI) All applications needs to be tested Weird issues with Docs Viewer Uses a seperate login page Documentation for SAML tells you to add a TAI Only for TFIM and ADFS
  20. @stoeps Social Connections 15 #CnxGrayHair 34 Single Sign On with

    TAM Tivoli Access Manager Supports Spnego | Kerberos handles LtpaToken (not promoted to browsers / clients) So all integrated products need to be configured in TAM Example Connections with TAM Sametime and Domino use same LTPAToken No Single Sign On, because only CNX is on TAM
  21. @stoeps Social Connections 15 #CnxGrayHair 35 Technical Accounts connectionsAdmin Url

    Preview docsAdmin Password Policies change within WebSphere needs some preperation Password length Different LDAP trees TDI WebSphere 
  22. @stoeps Social Connections 15 #CnxGrayHair 36 Local WebSphere Users Documentation

    o en mentions the wasadmin account No dependencies for password or security rules Problems in several Connections versions UrlPreview File Preview SPNEGO not possible No SAML I use a LDAP account for connectionsAdmin since 3.0 
  23. @stoeps Social Connections 15 #CnxGrayHair 37 Kerberos and the technical

    user Customer with 4 Connections environments All use the same technical account for connectionsAdmin Each time when we generated a new keytab file SSO in other environments broke until we deployed the new keytab everywhere Remember to add all SPN and deploy one keytab with all SPN to all servers 
  24. @stoeps Social Connections 15 #CnxGrayHair 38 SAML and the technical

    user Documentation: connectionsAdmin j2c-alias needs to be able to login to IDP O en technical users are not allowed to login security reasons Policies I saw: Password change mandatory all 30 days (even connectionsAdmin) 60 character password instead → no support statement tested and it’s working → check a er each fixpack
  25. @stoeps Social Connections 15 #CnxGrayHair 39 Browsers Chrome Import SSL

    Certs to Websphere cacerts IE compatibility mode intranet zone breaks SPNEGO if you aren’t careful with GPO and Enterprise mode Ad blocker define exceptions for Connections
  26. @stoeps Social Connections 15 #CnxGrayHair 40 Plugins SSL Only LotusConnections-config.xml:

    <forceConfidentialCommunications enabled="true"/> Broke Notes Plugins several times Adjustments in account documents needed Plugin_customization.ini: com.ibm.lconn.client.base/requireSSL SPNEGO Server and Client in same domain SAML Only for cloud at the moment
  27. @stoeps Social Connections 15 #CnxGrayHair 41 Kubernetes (Cluster Name) Hardcoded

    name cluster.local in older ComponentPacks Should be fixed with Still issues with a mongo-k8s-sidecar Workaround: https://github.com/stoeps13/ibm-connections- component-pack-install-script
  28. @stoeps Social Connections 15 #CnxGrayHair 42 Kubernetes (Namespace) Idea at

    a customer was deploying a huge Kubernetes Cluster Test, QA and production should use it (better HA) uses Nodeport (reverse proxy from IBM HTTP Server) So you need to manually adjust the ports in the helm charts redo with each fixpack install I think it’s planned for the next version
  29. @stoeps Social Connections 15 #CnxGrayHair 44 +49 173 8588719 christophstoettner

      [email protected]  linkedin.com/in/christophstoettner  stoeps.de   @stoeps