IBM Connections and SPNEGO – AES256 and logout button

I’m in the middle of an IBM Connections migration project for a large Swiss customer, and there I had to enable SPNEGO SSO with strong AES256 encryption.

First I tried the standard way (described here in the Connections Knowledge center and even better here by Dave Hay) and of course SSO failed 😉

After debugging I found out that it fails because the standard Java policy files do not support strong encryption.

So whenever you want to have SPNEGO with strong encryption, go to this site, download the unrestricted SDK JCE policy files for Java 6 and copy them to all your WAS servers.

This customer had a requirement that a user logout should work even with SPNEGO SSO enabled. This can be done with some URL rewriting on the HTTP server as described by my good friend Sjaak in the Connections forum.

In this special case I had to change the rewriting of the logout button to the app login pages because restricted access to IBM Connections was enabled. Just use the following rules to enable the logout button for SPNEGO SSO:

# Logout Button for SPNEGO
RewriteRule ^/activities/ibm_security_logout$ /activities/auth/login.jsp [noescape,R,L,NC]
RewriteRule ^/blogs/ibm_security_logout$ /blogs/login [noescape,R,L,NC]
RewriteRule ^/communities/ibm_security_logout$ /communities/login [noescape,R,L,NC]
RewriteRule ^/dogear/ibm_security_logout$ /dogear/login [noescape,R,L,NC]
RewriteRule ^/files/ibm_security_logout$ /files/login [noescape,R,L,NC]
RewriteRule ^/forums/ibm_security_logout$ /forums/auth/login [noescape,R,L,NC]
RewriteRule ^/homepage/ibm_security_logout$ /homepage/login [noescape,R,L,NC]
RewriteRule ^/metrics/ibm_security_logout$ /metrics/login [noescape,R,L,NC]
RewriteRule ^/moderation/ibm_security_logout$ /moderation/login [noescape,R,L,NC]
RewriteRule ^/news/ibm_security_logout$ /news/login [noescape,R,L,NC]
RewriteRule ^/profiles/ibm_security_logout$ /profiles/login [noescape,R,L,NC]
RewriteRule ^/search/ibm_security_logout$ /search/login [noescape,R,L,NC]
RewriteRule ^/wikis/ibm_security_logout$ /wikis/login [noescape,R,L,NC]

PS: Or use this shorter version (kindly provided by Christoph Stoettner) which sends all logouts to the homepage login site:

RewriteCond %{REQUEST_URI} /(.*)/ibm_security_logout(.*)
RewriteCond %{QUERY_STRING} !logoutExitPage=http:\/\/hostname
RewriteRule /(.*)/ibm_security_logout(.*) /$1/ibm_security_logout?logoutExitPage=http://connections-fqdn/homepage/login/ [noescape,L,R]
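
The short version only terminates if the host name in the second RewriteCond is the same one used in logoutExitPage; otherwise the redirected request matches again and the browser loops. The following added example (not part of the original post, and not a full mod_rewrite implementation) replays the rules offline to check this before deploying; HOST is a placeholder introduced here, and every rule is treated as an external redirect because all rules on this page carry the R flag.

```python
import re

# Constructed test config: the page's short rule set, with HOST standing in for
# the host name used in the RewriteCond (the page writes "hostname" there).
SHORT = r"""
RewriteCond %{REQUEST_URI} /(.*)/ibm_security_logout(.*)
RewriteCond %{QUERY_STRING} !logoutExitPage=http:\/\/HOST
RewriteRule /(.*)/ibm_security_logout(.*) /$1/ibm_security_logout?logoutExitPage=http://connections-fqdn/homepage/login/ [noescape,L,R]
"""

def parse(conf):
    """Turn RewriteCond/RewriteRule lines into (conds, regex, substitution) tuples."""
    rules, conds = [], []
    for parts in (line.split() for line in conf.splitlines()):
        if parts and parts[0] == "RewriteCond":
            conds.append((parts[1], parts[2]))
        elif parts and parts[0] == "RewriteRule":
            flags = parts[3].strip("[]").upper().split(",") if len(parts) > 3 else []
            rules.append((conds, re.compile(parts[1], re.I if "NC" in flags else 0), parts[2]))
            conds = []
    return rules

def rewrite(rules, path, query=""):
    """First matching rule wins; returns the redirect (path, query) or None."""
    env = {"%{REQUEST_URI}": path, "%{QUERY_STRING}": query}
    for conds, rx, subst in rules:
        m = rx.search(path)
        if not m:
            continue
        # A leading "!" negates the condition pattern, as in mod_rewrite.
        if all((re.search(p.lstrip("!"), env[t]) is None) == p.startswith("!")
               for t, p in conds):
            target = re.sub(r"\$(\d)", lambda g: m.group(int(g.group(1))), subst)
            new_path, sep, new_query = target.partition("?")
            # A "?" in the substitution replaces the query string; otherwise it is kept.
            return new_path, (new_query if sep else query)
    return None

def hops(rules, path, query="", limit=10):
    """Follow redirects until no rule fires; None means a redirect loop."""
    for n in range(limit + 1):
        nxt = rewrite(rules, path, query)
        if nxt is None:
            return n
        path, query = nxt
    return None

if __name__ == "__main__":
    for host in ("connections-fqdn", "hostname"):
        print(host, hops(parse(SHORT.replace("HOST", host)), "/wikis/ibm_security_logout"))
```

The same functions accept the long per-application rule list, so each logout path can be checked against its expected login page.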

The Silence of the Installers – ICSUG Event in Bremen

Last week I had the pleasure to present a session at the ICSUG event in Bremen. The topic was how you can automate the installation of IBM Connections prerequisites, the installation of Connections itself and finally how you can automate post-install tasks.

The event was a huge success, more than 100 people were attending, the Keynote was delivered by Kramer Reeves, almost 50 top-notch sessions and 15 IBM Champions were present.

Big thank you to Stefan Sucker and the WE4IT Team for this great event!

The Silence of the Installers on Slideshare

A movie showing how you can use all these scripts will follow soon.

It’s pretty certain that I will publish some of the code in the future. Please contact me if you want to know in detail how this was done or if you want to help improve the scripts even further.

Add a new Webserver to all IBM WebSphere Apps/Modules through python script

If you define your Webserver in WebSphere before you install your applications, the apps/modules will not be automatically mapped to this server.

The same occasionally happens even if you installed your apps before your Webserver.

I.e. if you want to map your Webserver manually to your IBM Connections installation you have to click hundreds of times inside the WebSphere Integrated Solutions Console or you use the following script which I created today:

If you already use Christoph Stöttner's Connections Scripts from GitHub you are used to running the scripts through the Right now this new script is not available in this menu but I will try to add it in the future.

Have fun (and provide feedback if script works for you)!


AdminCamp 2014 – My first time

At last I am making it to a conference in Germany, specifically AdminCamp in Gelsenkirchen.

I am very much looking forward to giving 3 talks with Christoph Stöttner on IBM Connections administration; more details are in the event agenda:

If readers of this blog are also attending the event, do stop by our talks and say hello.

Fun with TDI (aka SDI) and AD/Domino/Cnx – Part 2 – Upload a file to Connections

Files can be directly uploaded to IBM Connections through the API via an HTTP request. This is documented in the IBM Connections 4.5 API Documentation, i.e. when we want to update a file inside Connections we find some information on how to do this here.

Unfortunately the documentation has no examples (as Carl Tyler nicely described in “The Domino Designer documentation team screwed us all“) and is far away from being perfect. Starting point for me was to use the SBT API Explorer on Greenhouse and/or a local Rest client (I’m using the Cocoa Rest client on my OS X machine).