How being a Connections administrator gave me gray hairs

Transcript

1. @stoeps Social Connections 15 #CnxGrayHair 1 How being a Connections

   administrator gave me gray hairs Christoph Stoettner  @stoeps Munich, 18-09-2019

2. @stoeps Social Connections 15 #CnxGrayHair 2

3. @stoeps Social Connections 15 #CnxGrayHair 3 +49 173 8588719 christophstoettner

   Christoph Stoettner Senior Consultant at Linux (Slackware) since 1995 IBM Domino since 1999 IBM Connections since 2009 Experience in Migrations, Deployments Performance Analysis, Infrastructure Focusing in Monitoring, Security More and more DevOps stuff   [email protected]  linkedin.com/in/christophstoettner  stoeps.de   @stoeps panagenda

4. @stoeps Social Connections 15 #CnxGrayHair 4 Disclaimer I don’t think

   Connections is the reason for my gray hair. I’m just getting old. 

5. @stoeps Social Connections 15 #CnxGrayHair 5 Naming history of Connections

   2007: Lotus Connections 1.0 2009: Lotus Connections 2.5 (my first release) 2011: Lotus IBM Connections 3.0.1 2017: IBM Connections pink announced 2019: IBM HCL Connections 6.0 CR5 So I will talk about my 10 years with Lotus IBM HCL Connections. 

6. @stoeps Social Connections 15 #CnxGrayHair 6 2009

7. @stoeps Social Connections 15 #CnxGrayHair 7 iPhone 3GS Nokia N96

   Mobile Phones

8. @stoeps Social Connections 15 #CnxGrayHair 8 Lotus Connections 2.5

9. @stoeps Social Connections 15 #CnxGrayHair 9 Lotus Connections 2.5 -

   Profile

10. @stoeps Social Connections 15 #CnxGrayHair 10 as I promised

11. @stoeps Social Connections 15 #CnxGrayHair 11 2019

12. @stoeps Social Connections 15 #CnxGrayHair 12 Blackberry Key2 iPhone 11

    Mobile Phones

13. @stoeps Social Connections 15 #CnxGrayHair 13 HCL Connections 2019

14. @stoeps Social Connections 15 #CnxGrayHair 14 HCL Connections 2019 (Designstudy

    with Customizer)

15. @stoeps Social Connections 15 #CnxGrayHair 15 What has changed?

16. @stoeps Social Connections 15 #CnxGrayHair 16 Worldwide Figure 2. Image

    Statcounter Germany Figure 3. Image Statcounter Browser 2009 → 2019

17. @stoeps Social Connections 15 #CnxGrayHair 17 Device (Mobile or Desktop)

    Figure 4. Image statcounter

18. @stoeps Social Connections 15 #CnxGrayHair 18 10 years of Connections

    My personal point of view Is it hard to deploy? Depends It’s not just Connections During install we touch nearly everything in the network Core Product (WebSphere, DB2, Connections) greenfield deployment Pretty easy ComponentPack Kubernetes Interesting, but something to practise | learn a little bit

19. @stoeps Social Connections 15 #CnxGrayHair 19 Figure 5. Image IBM

    The IBM View - Greenfield O en got this deployment plans in the first years Lotus Wiki (official documentation)

20. @stoeps Social Connections 15 #CnxGrayHair 20 More real

21. @stoeps Social Connections 15 #CnxGrayHair 21 And now mostly meeting

    reality

22. @stoeps Social Connections 15 #CnxGrayHair 22 Decisions Operating System Linux

    Windows AIX Database DB2 Oracle MS SQL Server LDAP Domino LDAP Active Directory (and any LDAP v3 compatible product)

23. @stoeps Social Connections 15 #CnxGrayHair 23 Selecting the Operating System

    Experience of administrators is the main criteria easier to troubleshoot Shared Directory Windows Fileserver sometimes unstable for WebSphere not recognized for Windows clients short timeouts WebSphere will not reconnect WebSphere restart needed

24. @stoeps Social Connections 15 #CnxGrayHair 24 Select the LDAP server

    leading directory in your environment performance ( ) dependencies Spnego Mail integration Add AD $dn to the Domino Fullname Define a failover server WebSphere will not reconnect No DNS round robin (for WebSphere it’s one host → no failover) Server hang with default settings

25. @stoeps Social Connections 15 #CnxGrayHair 25 Men operating system customer

    with AIX Admin got a list with prerequisits Disk space Tools Installation crashed several times Admin enabled disk in 500 MB to 1GB chunks (10 steps to get up to 5GB) AIX tar does not support paths longer 100 characters, Weird errors during install GNU tar needed, just a sidenote in the documentation KSH No tab completion cite: "That’s for real men."

26. @stoeps Social Connections 15 #CnxGrayHair 26 Core Connections & …

    IBM Docs IBM Docs Viewer IBM Surveys (formerly Forms Experience Builder) Touchpoint ICEC (lite for Community Highlights) Metrics | Cognos Elasticsearch (Standalone, Kubernetes) | Solr (deprecated) Mail Integration (Exchange & Domino) Sametime Integration (Chat, Persistent Chat, Meeting Rooms) Verse on Premises (Profile Photos)

27. @stoeps Social Connections 15 #CnxGrayHair 27 Firewalls and (Reverse)Proxies Always

    test deployment without them check the web application firewall logs Chrome: affects not only blogs had this with the activity stream NetIQ, WebSeal httpd.conf https://www.ibm.com/support/pages/ibm-connections-403-error-when- creating-new-blog-entry-using-chrome-55-and-56 Header unset Origin RequestHeader unset Origin

28. @stoeps Social Connections 15 #CnxGrayHair 28 High Availability Load Balancer

    No access a er WebSphere 8.5.5 FP14 Update Java 1.8 mandatory LB wasn’t able to access TLS with high encryption Database WebSphere Web-Server Single point of failure Connections supports only one URL. So using multiple webserver means multiple different DNS entries. 

29. @stoeps Social Connections 15 #CnxGrayHair 29 Important for integrations Example:

    Intranet Getting content from Connections Posting to Connections Authentication Gateway only supports SPNEGO No exceptions Add additional webserver without TAM in front Needs same hostname 

30. @stoeps Social Connections 15 #CnxGrayHair 30 Single Sign On IBM

    World: LTPAToken Sametime Portal Domino Kerberos | SPNEGO SAML ADFS Tivoli Combinations of Authentication Gateways

31. @stoeps Social Connections 15 #CnxGrayHair 31 Security Authentication Gateway Tivoli

    Access Manager Siteminder Firewalls Proxy Reverse Proxy

32. @stoeps Social Connections 15 #CnxGrayHair 32 Hosts file is not

    a workaround Decent name resolution is important With componentpack /etc/hosts is more complicated you can use hostAliases in yaml files edit of yaml | helm is needed (don’t forget to do before each update) → unusable

33. @stoeps Social Connections 15 #CnxGrayHair 33 Unsupported Authentication Gateway or

    SAML Possible with custom Trust Association Interceptor (TAI) All applications needs to be tested Weird issues with Docs Viewer Uses a seperate login page Documentation for SAML tells you to add a TAI Only for TFIM and ADFS

34. @stoeps Social Connections 15 #CnxGrayHair 34 Single Sign On with

    TAM Tivoli Access Manager Supports Spnego | Kerberos handles LtpaToken (not promoted to browsers / clients) So all integrated products need to be configured in TAM Example Connections with TAM Sametime and Domino use same LTPAToken No Single Sign On, because only CNX is on TAM

35. @stoeps Social Connections 15 #CnxGrayHair 35 Technical Accounts connectionsAdmin Url

    Preview docsAdmin Password Policies change within WebSphere needs some preperation Password length Different LDAP trees TDI WebSphere 

36. @stoeps Social Connections 15 #CnxGrayHair 36 Local WebSphere Users Documentation

    o en mentions the wasadmin account No dependencies for password or security rules Problems in several Connections versions UrlPreview File Preview SPNEGO not possible No SAML I use a LDAP account for connectionsAdmin since 3.0 

37. @stoeps Social Connections 15 #CnxGrayHair 37 Kerberos and the technical

    user Customer with 4 Connections environments All use the same technical account for connectionsAdmin Each time when we generated a new keytab file SSO in other environments broke until we deployed the new keytab everywhere Remember to add all SPN and deploy one keytab with all SPN to all servers 

38. @stoeps Social Connections 15 #CnxGrayHair 38 SAML and the technical

    user Documentation: connectionsAdmin j2c-alias needs to be able to login to IDP O en technical users are not allowed to login security reasons Policies I saw: Password change mandatory all 30 days (even connectionsAdmin) 60 character password instead → no support statement tested and it’s working → check a er each fixpack

39. @stoeps Social Connections 15 #CnxGrayHair 39 Browsers Chrome Import SSL

    Certs to Websphere cacerts IE compatibility mode intranet zone breaks SPNEGO if you aren’t careful with GPO and Enterprise mode Ad blocker define exceptions for Connections

40. @stoeps Social Connections 15 #CnxGrayHair 40 Plugins SSL Only LotusConnections-config.xml:

    <forceConfidentialCommunications enabled="true"/> Broke Notes Plugins several times Adjustments in account documents needed Plugin_customization.ini: com.ibm.lconn.client.base/requireSSL SPNEGO Server and Client in same domain SAML Only for cloud at the moment

41. @stoeps Social Connections 15 #CnxGrayHair 41 Kubernetes (Cluster Name) Hardcoded

    name cluster.local in older ComponentPacks Should be fixed with 6.0.0.5 Still issues with a mongo-k8s-sidecar Workaround: https://github.com/stoeps13/ibm-connections- component-pack-install-script

42. @stoeps Social Connections 15 #CnxGrayHair 42 Kubernetes (Namespace) Idea at

    a customer was deploying a huge Kubernetes Cluster Test, QA and production should use it (better HA) 6.0.0.5 uses Nodeport (reverse proxy from IBM HTTP Server) So you need to manually adjust the ports in the helm charts redo with each fixpack install I think it’s planned for the next version

43. @stoeps Social Connections 15 #CnxGrayHair 43

44. @stoeps Social Connections 15 #CnxGrayHair 44 +49 173 8588719 christophstoettner

      [email protected]  linkedin.com/in/christophstoettner  stoeps.de   @stoeps