Thursday, July 18, 2013

Embedded experience to the clients (policies)

This is the continuation of the embedded experience quest.
The first part of this quest is here.

Sources


  1. Domino Policies FAQ
  2. IBM Domino 9.0 Social Edition OpenSocial Component Deployment Cookbook
  3. Troubleshooting policies
  4. Make your business Open and Social using IBM Notes Social Edition 9.0 

CLPEE5021E

CLPEE5021E: The Gadget Server URL is not configured.
CLPEE6026E: The Gadget Server URL is not configured or not valid and the gadget cannot be used.

I put the URL of my Shindig server into the desktop policy and that worked. Apparently there is no other way than to use a policy. In a test phase I would imagine putting the setting directly into the Notes client, but this seems not to be possible.


CLPEE2012E


The errors disappeared, but now I have:

CLPEE2012E: An error occurred obtaining a security token to access the server.
java.io.IOException: Server returned HTTP response code: 401 for URL: XXXXXXX/fiesta/container/stgen?u=XXXXXXX/fiesta&m=0&c=default&d=remote&i=XXXXXXXX at sun.reflect.NativeConstructorAccessorImpl.newInstance0(Native Method) at sun.reflect.NativeConstructorAccessorImpl.newInstance(Unknown Source) at sun.reflect.DelegatingConstructorAccessorImpl.newInstance(Unknown Source) at java.lang.reflect.Constructor.newInstance(Unknown Source) at sun.net.www.protocol.http.HttpURLConnection$6.run(Unknown Source) at java.security.AccessController.doPrivileged(Unknown Source) at sun.net.www.protocol.http.HttpURLConnection.getChainedException(Unknown Source) at sun.net.www.protocol.http.HttpURLConnection.getInputStream(Unknown Source) at com.ibm.rcp.net.http.internal.protocol.HttpURLConnection.getInputStream(Unknown Source) at java.net.URL.openStream(Unknown Source) at com.ibm.fiesta.notes.security.ContainerSecurityTokenProvider$2.run(Unknown Source) at org.eclipse.core.internal.jobs.Worker.run(Unknown Source) Caused by: java.io.IOException: Server returned HTTP response code: 401 for URL: XXXXX/fiesta/container/stgen?u=XXXXXX at sun.net.www.protocol.http.HttpURLConnection.getInputStream(Unknown Source) at java.net.HttpURLConnection.getResponseCode(Unknown Source) at com.ibm.rcp.net.http.internal.protocol.HttpURLConnection.reAuthenticate(Unknown Source) ... 4 more
CLPEE5015W: The error JSON does not contain the property code.
CLPEE6017W: Error preloading the gadget at

This error can be found in the troubleshooting guide. SSO is not configured.
Here again I tried to configure it locally for testing purposes by configuring the "account" directly in my Notes client. By entering it into the policy (see Source 4, page 47) and rebooting my client a few times, the error disappeared.


No error but still not working


This time I have no error left in the client's trace. However, the embedded experience widget is still not working right. In order to have more information, I use Wireshark.

In Wireshark I have:

It cannot find the way to my locked domain, it seems. I opened a request to open DNS for

  • unlocked.server.domain.com
  • *-locked.server.domain.com

To server.domain.com's IP

More next time!

Tuesday, July 16, 2013

Node Synchronization problem


2 Websphere 8.0.0.5 servers:
  • 1 Dmgr + appserver
  • 1 appserver that I federated to the Dmgr
This last one won't synchronize.

I have 2 errors in the nodeagent log : ADMS0005E and ADMS0036E

[15/07/13 15:51:49:235 CEST] 0000001e NodeSyncTask  A   ADMS0036E: La synchronisation de la configuration n'a pas abouti.
[15/07/13 15:51:51:595 CEST] 0000001f NodeSync      E   ADMS0005E: Le système ne peut pas générer de demande de synchronisation : javax.management.JMRuntimeException: ADMN0022E: L'accès est refusé pour l'opération getRepositoryEpoch sur le MBean ConfigRepository en raison de justificatifs insuffisants ou vides.
at com.ibm.ws.management.connector.soap.SOAPConnectorClient.handleAdminFault(SOAPConnectorClient.java:948)
at com.ibm.ws.management.connector.soap.SOAPConnectorClient.invokeTemplateOnce(SOAPConnectorClient.java:916)
at com.ibm.ws.management.connector.soap.SOAPConnectorClient.invokeTemplate(SOAPConnectorClient.java:682)
at com.ibm.ws.management.connector.soap.SOAPConnectorClient.invokeTemplate(SOAPConnectorClient.java:672)
at com.ibm.ws.management.connector.soap.SOAPConnectorClient.invoke(SOAPConnectorClient.java:658)
at com.ibm.ws.management.connector.soap.SOAPConnectorClient.invoke(SOAPConnectorClient.java:480)
at $Proxy2.invoke(Unknown Source)
at com.ibm.ws.management.AdminClientImpl.invoke(AdminClientImpl.java:224)
at com.ibm.ws.management.sync.NodeSync.getCellRepositoryEpoch(NodeSync.java:410)
at com.ibm.ws.management.sync.NodeSyncTask.doSync(NodeSyncTask.java:248)
at com.ibm.ws.management.sync.NodeSyncTask.run(NodeSyncTask.java:157)
at java.lang.Thread.run(Thread.java:772)

And in the Dmgr log I have : SECJ0305I

[15/07/13 16:13:16:384 CEST] 000002bc RoleBasedAuth A   SECJ0305I: Echec du contrôle d'autorisation basée sur le rôle pour admin-authz opérations StatusCache : placeReport:com.ibm.ws.management.status.StatusReport.  L'utilisateur UNAUTHENTICATED (ID unique : unauthenticated) n'a pas reçu un des rôles requis suivants : operator, administrator.

But I am not unauthenticated, I am wasadmin.

FFDC in Dmgr's SystemOut.log :
[15/07/13 17:53:50:217 CEST] 0000002f FfdcProvider W com.ibm.ws.ffdc.impl.FfdcProvider logIncident FFDC1003I: Incident FFDC émis sur C:\IBM\WebSphere\AppServer\profiles\Dmgr01\logs\ffdc\dmgr_67421e5f_13.07.15_17.53.50.2011205009599192654889.txt com.ibm.ws.security.token.WSCredentialTokenMapper.createPropagationTokenBeforeAuthenticatedCallerSet 1691
FFDC is "first failure data capture" and you can find more information about it here.

I found a lot of information on a similar problem in Websphere 6, but this is 8. And it was related to automatic key generation, which is unchecked in my configuration.

I found this :
http://www-01.ibm.com/support/docview.wss?uid=swg21458372


I have HMGR0149E
Validation of LTPA token failed due to invalid keys or token

It seems that my LTPA (Lightweight Third Party Authentication, an authentication technology) is not valid, but how do I check its validity?

I disabled administrative security, stopped everything on both servers and rebooted the machines.
Enabled "Synchronize Changes with Nodes":

Enabled administrative security again and rebooted everything.

Now my nodes are synchronized and no errors in the logs.

Wednesday, July 10, 2013

Installing Filenet fixes for IBM Connections 4.5

Here is how I did it. YMMV.

Filenet installation directory is :
C:\IBM\Connections\addons\ccm\ContentEngine

Backup these files :
C:\IBM\Connections\addons\ccm\ContentEngine\tools\configure\profiles\CCM\ear\Engine-ws.ear
C:\IBM\Connections\addons\ccm\ContentEngine\lib\BootstrapConfig.jar


Uninstall FileNetEngine application in websphere



Turn every websphere process off and delete this directory :

C:\IBM\WebSphere\AppServer\profiles\AppSrv01\temp\DEMOCONNECTIONSNode01\IBMConnections_server1\FilenetEngine

From the fixpack, copy the 2 files Engine-ws.ear and BootstrapConfig.jar into :

C:\IBM\Connections\addons\ccm\ContentEngine\lib\

It is said in the readme not to overwrite the Engine-ws.ear. I don't really know what this means, as there already is an Engine-ws.ear, so I backed it up as well.
I start everything again.
Launch the configuration manager. Open profile :


C:\IBM\Connections\addons\ccm\ContentEngine\tools\configure\profiles\CCM\CCM.cfgp

Then, edit Configure Bootstrap :


Save and run "Upgrade" task :

Same with Deploy Application, edit and run :



I got "The following task has one or more blank passwords: Deploy Application" :

I do not have any "blank password", of course. Maybe it is considered "not valid", but my password is pretty secure.

But the Deploy Application task got stuck. Processes are not working at all. I stopped after 15 min and restarted websphere.


Restart servers -> The Filenet Engine application is not deployed in websphere, so not OK.

In :
C:\IBM\Connections\addons\ccm\ContentEngine\tools\configure\configuration
There is a log file which has 4 "access refused" FileNotFoundException errors.

I went back to the Deploy Application task, and this time saved before running (which wasn't explicit in the readme, but OK I guess) and I got an error back. The default_host was not accepted.



Application server virtual host: com.ibm.ecm.configmgr.engine.ConfigurationManagerException: The connection to the web application server cannot be established. Ensure that the specified administrator user name and password are correct.


And indeed, in the application server properties :

I don't have a password for wasadmin :
Connection to the server seems ok after entering the password :
I run the "Deploy Application" task again and restart all websphere layers.

How to verify that the update is ok : 

  • Verify the Content Platform Engine build number in the Startup Message key is the same as the Content Platform Engine build number from the version.txt file, which is located in the temporary directory where you extracted the contents of this interim fix.


I checked on :

and version.txt :

Everything is good!


Monday, July 8, 2013

Accessing Problems in Connections 4.5

Today I'm on a quest for login. I have a test environment on which login on Connections 4.5 is really random. I think the install is really good because Patrice Villemagne from Bestware basically did it, with me at his side. And he masters this installation.

Source

A. Choosing login values in Connections Wiki

Symptoms

  • One user is able to log in but others are not.
  • Coincidentally, it is the first on the list in alphabetical order, and the first created.
  • Users are visible in the websphere console.
  • Users are visible in the database (using IBM Data Studio):



In Websphere log, an authentication error :

[05/07/13 09:27:57:664 CEST] 000000ba LTPAServerObj E   SECJ0369E: L'authentification a échoué lors de l'utilisation de LTPA. L'exception est com.ibm.websphere.wim.exception.PasswordCheckFailedException: CWWIM4529E  Echec de vérification du mot de passe pour le nom de principal 'ctest'. Cause principale : 'javax.naming.AuthenticationException: [LDAP: error code 49 - Failed, invalid credentials for CN=Charles Test,O=Org]; Resolved object: 'com.sun.jndi.ldap.LdapCtx@141d1f60''..
[05/07/13 09:27:57:680 CEST] 000000ba FormLoginExte E   SECJ0118E: Une erreur s'est produite lors de l'authentification de l'utilisateur ctest


In Domino for LDAP log, authentication error :
05/07/2013 09:27:57   LDAP Server: Bind request for CN=Charles Test,O=Org failed: Invalid credentials specified: failed to authenticate
05/07/2013 09:29:29   LDAP Server: You should full text index Domino directory names.nsf on SHOWROOM1/org to improve search performance for filters like '(&(objectclass=x)(uid=*))'

And finally, I just didn't have any internet password for a few users in Domino for LDAP! :)
I was sure that I checked the box while registering them in Notes, but I guess you should never assume.
Also, I full-text indexed the directory so that search is more effective.

Symptoms 2

Not able to log in using email.

In websphere I changed LDAP Connections Properties to make sure that "mail" was included as an option to login.

This is what I did instinctively, and it turns out to be wrong. This is related to Websphere login and not Connections login.

In order to set this up, use source A.

But it is already set up:
Actually I see now that some of them are able to log in using mail and others are not. And those that don't work are the ones with a redirection to another email. The "other email" was set but not the "internet address". The email address DID appear in the websphere administration console! But they were not able to log in using mail. I changed all this in Domino LDAP and launched the sync task (maybe this wasn't even necessary).

And OK, now they are able to log in. The Connections environment was set up correctly, but not Domino.

Friday, July 5, 2013

Tasks for sync LDAP with profiles database



Summary: In order to receive changes from your LDAP directory in your profiles database, you have to launch the sync every now and then using a Windows task.

Source

A. Running Sync_All_DNS as scheduled task on Windows 2008
B. System Store access rights at google groups

Configuring

I have Windows 2008 R2

Task planner :



Add a task to launch sync_all_dns.bat when suited to your environment:


Task not launching

I found that it wasn't synchronizing my people anymore. By running sync_all_dns from the command line I was able to get more information:
After a clearLock.bat, I was able to launch sync_all_dns.


CTGDKE039E in ibmdi.log

2013-07-05 15:14:02,555 ERROR [com.ibm.di.TDIProperties] - [System-Properties] CTGDKE039E Une erreur s'est produite lors de la création du magasin de propriétés IBM Tivoli Directory Integrator. Magasin de propriétés : System-Properties Exception : DERBY SQL error: SQLCODE: -1, SQLSTATE: XJ040, SQLERRMC: Echec du démarrage de la base de données 'TDISysStore' ; pour plus de détails, voir l'exception suivante.::SQLSTATE: XSLAEAucune écriture dans le fichier de contrôle situé dans C:\IBM\Wizards\TDIPopulation\win\TDI\TDISysStore\log\log.ctrl, ni aucune mise à jour de ce fichier ne peuvent être effectuées. 
java.sql.SQLException: DERBY SQL error: SQLCODE: -1, SQLSTATE: XJ040, SQLERRMC: Echec du démarrage de la base de données 'TDISysStore' ; pour plus de détails, voir l'exception suivante.::SQLSTATE: XSLAEAucune écriture dans le fichier de contrôle situé dans C:\IBM\Wizards\TDIPopulation\win\TDI\TDISysStore\log\log.ctrl, ni aucune mise à jour de ce fichier ne peuvent être effectuées.
at org.apache.derby.client.am.SQLExceptionFactory40.getSQLException(Unknown Source)
at org.apache.derby.client.am.SqlException.getSQLException(Unknown Source)

I would have guessed, and got confirmation from source B, that it is a rights issue. Even launching sync_all_dns as administrator is not working; a subprocess (Derby?) is not admin, but the wizard might have been copied using admin rights. It's OK for me to just change the rights here, as this was not an install but a copy of files.

Now the ibmdi.log is error free.

A test with the planned task again, and everything seems fine.


Thursday, July 4, 2013

Sametime awareness in Connections

At this moment, in order to have proper web Sametime awareness, and coming from a classic standalone Sametime Community Server, you have to:
  • Update your Community Server to 8.5.2 (FP4)
  • Change directory access from Notes to LDAP (so choose one of your other Domino servers to serve as LDAP)
  • Install Sametime System Console (SSC) 8.5.2 IFR1
  • Install Sametime Proxy Server (SPS) 8.5.2 IFR1
  • Install 8521-ST-PROXY-IF-WHOS-96PHBX on top of SPS
  • Register your Community Server to the SSC
That's a lot!

I did not document all that; I probably will in my next install. But here I am, trying to make all this work together.

Source

C. FiddlerCap

Open Ports

In our test environment, our Traveler is in the DMZ, but our SPS is not. In order for the communication to flow properly, you might want to open some ports depending on your environment.

In Connections

In Connections, I access the profile of a user and I get "No Sametime status available". It is searching, which is a good point: it means the feature is enabled.


So why is the connection refused? Well, SSL is not configured.

I can see in Wireshark that it accesses port 9444, which is SSL in my configuration, so I changed settings (using source A) to disable SSL for Sametime proxy server access.

Unfortunately, now it won't let me synchronize my nodes:
[03/07/13 17:13:04:448 CEST] 00000292 NodeSyncTask  A   ADMS0003I: La synchronisation de la configuration a abouti.
[03/07/13 17:13:37:057 CEST] 00000046 RoleBasedAuth A   SECJ0305I: Echec du contrôle d'autorisation basée sur le rôle pour admin-authz opérations ConfigRepository : refreshRepositoryEpoch.  L'utilisateur wasadmin (ID unique : user:defaultwimfilebasedrealm/uid=wasadmin,o=defaultwimfilebasedrealm) n'a pas reçu l'un des rôles requis suivants : deployer, operator, configurator, administrator, auditor, adminsecuritymanager.

I had another user (my LDAP user) configured with the administrative role and I was able to synchronize nodes using this account. Why wasn't I able to do so with my wasadmin account?

And after node synchronization, that works! :) Not even a server restart is needed.




I'm glad because I've had some trouble with this. Like always with ICS trouble, the solution was actually pretty simple: in this case, using the correct URL and port. But I learned a lot about how to monitor the flow of data.

Wednesday, July 3, 2013

Using groups in sametime

Working on

When the LDAP user is not in the admin group, users cannot use Domino groups in Sametime.

Architecture :
Sametime community server, Sametime system console (SSC) 8.5.2 IFR1

Websphere in SSC sees groups correctly. The problem might be related to LDAP filters for Community Server.

I accessed the Sametime Administration Tool (sametime.ics.com/stcenter.nsf) and changed LDAP filters.

The thing with Domino LDAP is that, by default, groups are not at the same hierarchical level as users. So you are tempted to use an overall global filter in the O=ICS fashion. But it is almost certain (depending on your Domino configuration, but at least 90% are that way) that you will miss groups, because they are at the upper level of the LDAP tree.
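To make the hierarchy point concrete, here is an added example (not code from the original post) that models a Domino-style tree with persons below O=ICS and groups at the root, and shows what a subtree lookup returns with one global base versus a base on the person lookup only. The directory entries and names are constructed; the objectclass labels follow Domino's dominoPerson/dominoGroup naming.

```python
"""Why a single Domino LDAP base of O=ICS hides groups: Domino stores persons below
the organization (CN=...,O=ICS) but groups at the root of the tree (CN=GroupName).
Added example, not from the blog; the directory entries are constructed."""

def parse_dn(dn):
    """Split a DN into (attr, value) RDNs, lower-cased, honouring backslash escapes."""
    rdns, cur, i = [], "", 0
    while i < len(dn):
        if dn[i] == "\\" and i + 1 < len(dn):   # keep an escaped char (e.g. "\,") in the value
            cur += dn[i:i + 2]
            i += 2
            continue
        if dn[i] == ",":
            rdns.append(cur)
            cur = ""
        else:
            cur += dn[i]
        i += 1
    if cur.strip():
        rdns.append(cur)
    out = []
    for r in rdns:
        attr, _, value = r.partition("=")
        out.append((attr.strip().lower(), value.strip().lower()))
    return out

def is_under(dn, base):
    """True if dn is at or below base (subtree scope); an empty base means the root."""
    d, b = parse_dn(dn), parse_dn(base)
    return not b or (len(d) >= len(b) and d[-len(b):] == b)

def lookup(entries, base, objectclass):
    """DNs of entries of that objectclass a subtree search from this base would return."""
    return [dn for dn, oc in entries if oc == objectclass and is_under(dn, base)]

# Constructed Domino-style directory: persons under O=ICS, groups at the root
DIRECTORY = [
    ("CN=Charles Test,O=ICS", "dominoPerson"),
    ("CN=Alice Admin,OU=Sales,O=ICS", "dominoPerson"),
    ("CN=Sametime Admins", "dominoGroup"),
    ("CN=Everyone", "dominoGroup"),
]

def with_global_base(base="O=ICS"):
    """One base for everything, the tempting setup: the groups vanish."""
    return lookup(DIRECTORY, base, "dominoPerson"), lookup(DIRECTORY, base, "dominoGroup")

def with_split_bases(person_base="O=ICS", group_base=""):
    """Base only on the person lookup, root for groups: both are found."""
    return (lookup(DIRECTORY, person_base, "dominoPerson"),
            lookup(DIRECTORY, group_base, "dominoGroup"))
```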

In the LDAP lookup section of the administration tool, I removed the base lookup (in French here):
(For confidentiality reasons I also removed the server name from the screenshot)





And in the "General properties" of the LDAP section I added the LDAP base filter for person lookup again (first field here):

Restart server

However, after a test, still the same. The LDAP user has to be in the admin group. This might be OK for a test environment, but I want my test environment to be bullet proof, for the day it becomes a production one.

More information next time ...




Monday, July 1, 2013

Troubleshooting, logs and trace

Building an ICS environment, you are trying to find the information you need at the time you need it.

Here are some logs I use:

Notes Client

  • log.nsf of course. You can modify settings in the notes.ini.
  • Menu: Help/Support/View Trace and View Log. This can be customized by modifying the workspace\.config\rcpinstall.properties file. You can add logs for specific modules, like OpenSocial or Sametime.
  • IBM_TECHNICAL_SUPPORT folder, in the data directory contains a lot of stuff. But this is mainly to communicate to the IBM support, as the name entails.

Websphere Application Server

Websphere seems complicated at first, but when you use it, you notice that it's actually pretty straightforward. The log is a bit too full but it's efficient: you detect errors quickly, and each error has a unique googlable number.
  • SystemOut.log and other log files in AppServer\profiles\<profileName>\logs\<ServerName>
  • In the console, troubleshooting section, "Logs and trace", you can set the log level.

Domino Server/ Sametime Community Server

  • log.nsf, customizable by notes.ini or sametime.ini
  • data\domino\workspace\logs\. Log level is customizable in data\domino\workspace\.config\rcpinstall.properties
  • IBM_TECHNICAL_SUPPORT folder, in the data directory to send to support.

Communication

  • ping / telnet
  • FiddlerCap is a good tool to monitor HTTP/S requests between your computer and webservers.
  • DITrace is a tool to see the communication between client and server for both Quickr Spaces and Connections Desktop Plugin. It is installed by default with the plugin, and you can find it in C:\IBM\Connections Desktop Plugin\ and C:\IBM\Places Connector\ depending on which plugin you want to check.