Christoph Stoettner
Munich, 18-09-2019
+49 173 8588719
I don’t think Connections is the reason for my gray hair. I’m just getting old.
2007: Lotus Connections 1.0
2009: Lotus Connections 2.5 (my first release)
2011: Lotus IBM Connections 3.0.1
2017: IBM Connections pink announced
2019: IBM HCL Connections 6.0 CR5
So I will talk about my 10 years with Lotus IBM HCL Connections.
iPhone 3GS
Nokia N96
Blackberry Key2
iPhone 11
Worldwide
Germany
My personal point of view
Is it hard to deploy?
Depends
It’s not just Connections
During install we touch nearly everything in the network
Core Product (WebSphere, DB2, Connections) greenfield deployment
Pretty easy
ComponentPack
Kubernetes
Interesting, but something to practise | learn a little bit
Often got these deployment plans in the first years
Lotus Wiki (official documentation)
Operating System
Linux
Windows
AIX
Database
DB2
Oracle
MS SQL Server
LDAP
Domino LDAP
Active Directory (and any LDAP v3 compatible product)
Experience of administrators is the main criterion
easier to troubleshoot
Shared Directory
Windows Fileserver sometimes unstable for WebSphere
not recognized for Windows clients
short timeouts
WebSphere will not reconnect
WebSphere restart needed
leading directory in your environment
performance (Server hang with default settings)
dependencies
Spnego
Mail integration
Add AD $dn to the Domino Fullname
Define a failover server
WebSphere will not reconnect
No DNS round robin (for WebSphere it’s one host → no failover)
customer with AIX
Admin got a list with prerequisites
Disk space
Tools
Installation crashed several times
Admin enabled disk in 500 MB to 1GB chunks (10 steps to get up to 5GB)
AIX tar does not support paths longer than 100 characters; weird errors during install
GNU tar needed, just a sidenote in the documentation
KSH
No tab completion
Quote: "That’s for real men."
IBM Docs
IBM Docs Viewer
IBM Surveys (formerly Forms Experience Builder)
Touchpoint
ICEC (lite for Community Highlights)
Metrics | Cognos
Elasticsearch (Standalone, Kubernetes) | Solr (deprecated)
Mail Integration (Exchange & Domino)
Sametime Integration (Chat, Persistent Chat, Meeting Rooms)
Verse on Premises (Profile Photos)
Always test deployment without them
check the web application firewall logs
Chrome:
affects not only blogs
had this with the activity stream
NetIQ, WebSeal
Header unset Origin
RequestHeader unset Origin
Load Balancer
No access after WebSphere 8.5.5 FP14 Update
Java 1.8 mandatory
LB wasn’t able to access TLS with high encryption
Database
WebSphere
Web-Server
Single point of failure
Connections supports only one URL. So using multiple web servers means multiple different DNS entries.
Example: Intranet
Getting content from Connections
Posting to Connections
Authentication Gateway only supports SPNEGO
No exceptions
IBM World: LTPAToken
Sametime
Portal
Domino
Kerberos | SPNEGO
SAML
ADFS
Tivoli
Combinations of Authentication Gateways
Authentication Gateway
Tivoli Access Manager
Siteminder
Firewalls
Proxy
Reverse Proxy
Decent name resolution is important
With ComponentPack, /etc/hosts is more complicated
you can use hostAliases in yaml files
edit of yaml | helm is needed (don’t forget to do before each update)
→ unusable
Possible with custom Trust Association Interceptor (TAI)
All applications need to be tested
Weird issues with Docs Viewer
Uses a separate login page
Documentation for SAML tells you to add a TAI
Only for TFIM and ADFS
Tivoli Access Manager
Supports SPNEGO | Kerberos
handles LtpaToken (not promoted to browsers / clients)
So all integrated products need to be configured in TAM
Example
Connections with TAM
Sametime and Domino use same LTPAToken
No Single Sign On, because only CNX is on TAM
connectionsAdmin
Url Preview
docsAdmin
Documentation often mentions the wasadmin account
No dependencies for password or security rules
Problems in several Connections versions
UrlPreview
File Preview
SPNEGO not possible
No SAML
I use an LDAP account for connectionsAdmin since 3.0
Customer with 4 Connections environments
All use the same technical account for connectionsAdmin
Each time when we generated a new keytab file
SSO in other environments broke until we deployed the new keytab everywhere
Remember to add all SPNs and deploy one keytab with all SPNs to all servers
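Added example (not from the original slides): a shell check, run against the text printed by `klist -k`, that reports SPNs missing from a keytab and flags a copy whose key version number is lower than the newest one. The MIT `klist -k` column layout, the hostnames, realm, path and KVNO values are constructed for illustration, and it is an assumption that regenerating the keytab raised the KVNO.

```shell
#!/bin/sh
# Input files hold the text printed by `klist -k <keytab>` (MIT layout assumed).

# Print each expected SPN that the listing does not contain.
missing_spns() {
    listing=$1; shift
    present=$(awk '$1 ~ /^[0-9]+$/ { print $2 }' "$listing" | sort -u)
    for spn in "$@"; do
        printf '%s\n' "$present" | grep -Fxq -- "$spn" || printf '%s\n' "$spn"
    done
}

# Print the highest key version number (KVNO) the listing holds for one SPN.
max_kvno() {
    awk -v spn="$2" '$2 == spn && $1 + 0 > max { max = $1 + 0 }
                     END { print max + 0 }' "$1"
}

# Constructed sample listings: hostnames, realm, path and KVNOs are placeholders.
tmp=$(mktemp -d)
cat > "$tmp/prod.txt" <<'EOF'
Keytab name: FILE:/opt/keytabs/connections.keytab
KVNO Principal
---- ----------------------------------------------------
   5 HTTP/cnx-prod.example.com@EXAMPLE.COM
   5 HTTP/cnx-qa.example.com@EXAMPLE.COM
   5 HTTP/cnx-test.example.com@EXAMPLE.COM
EOF
cat > "$tmp/qa.txt" <<'EOF'
Keytab name: FILE:/opt/keytabs/connections.keytab
KVNO Principal
---- ----------------------------------------------------
   4 HTTP/cnx-qa.example.com@EXAMPLE.COM
EOF
QA_SPN=HTTP/cnx-qa.example.com@EXAMPLE.COM
EXPECTED="HTTP/cnx-prod.example.com@EXAMPLE.COM $QA_SPN HTTP/cnx-test.example.com@EXAMPLE.COM"

for env in prod qa; do
    # $EXPECTED is left unquoted on purpose so it splits into one SPN per word.
    for spn in $(missing_spns "$tmp/$env.txt" $EXPECTED); do
        echo "$env: keytab lacks $spn"
    done
done
# Assumption: regenerating the keytab raised the KVNO, so a stale copy is lower.
if [ "$(max_kvno "$tmp/qa.txt" "$QA_SPN")" -lt "$(max_kvno "$tmp/prod.txt" "$QA_SPN")" ]; then
    echo "qa: keytab is older than the one on prod, redeploy it"
fi
```

Running the same check on every server after each keytab regeneration shows which environments still hold the old file before users notice broken SSO.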
Documentation: connectionsAdmin
j2c-alias needs to be able to login to IDP
Often technical users are not allowed to login
security reasons
Policies I saw:
Password change mandatory every 30 days (even connectionsAdmin)
60 character password instead → no support statement
tested and it’s working → check after each fixpack
Chrome
Import SSL Certs to WebSphere cacerts
IE
compatibility mode
intranet zone
breaks SPNEGO if you aren’t careful with GPO and Enterprise mode
Ad blocker
define exceptions for Connections
SSL Only
LotusConnections-config.xml: <forceConfidentialCommunications enabled="true"/>
Broke Notes Plugins several times
Adjustments in account documents needed
Plugin_customization.ini: com.ibm.lconn.client.base/requireSSL
SPNEGO
Server and Client in same domain
SAML
Only for cloud at the moment
Hardcoded name cluster.local in older ComponentPacks
Should be fixed with 6.0.0.5
Still issues with a mongo-k8s-sidecar
Workaround: https://github.com/stoeps13/ibm-connections-component-pack-install-script
Idea at a customer was deploying a huge Kubernetes Cluster
Test, QA and production should use it (better HA)
6.0.0.5 uses Nodeport (reverse proxy from IBM HTTP Server)
So you need to manually adjust the ports in the helm charts
redo with each fixpack install
I think it’s planned for the next version