iPhone 3GS
How being a Connections administrator gave me gray hairs
Munich, 18-09-2019
Christoph Stoettner
 +49 173 8588719   |
|
Disclaimer
I don’t think Connections is the reason for my gray hair. I’m just getting old. |
Naming history of Connections
2007: Lotus Connections 1.0
2009: Lotus Connections 2.5 (my first release)
2011: Lotus IBM Connections 3.0.1
2017: IBM Connections pink announced
2019: IBM HCL Connections 6.0 CR5
| So I will talk about my 10 years with Lotus IBM HCL Connections. |
2009
Mobile Phones
Nokia N96
Lotus Connections 2.5
Lotus Connections 2.5 - Profile
as I promised
2019
Mobile Phones
Blackberry Key2
iPhone 11
HCL Connections 2019
Figure 1. Image IBM
HCL Connections 2019 (Designstudy with Customizer)
What has changed?
Browser 2009 → 2019
Worldwide
Figure 2. Image Statcounter
Germany
Figure 3. Image Statcounter
Device (Mobile or Desktop)
Figure 4. Image statcounter
10 years of Connections
My personal point of view
Is it hard to deploy?
Depends
It’s not just Connections
During install we touch nearly everything in the network
Core Product (WebSphere, DB2, Connections) greenfield deployment
Pretty easy
ComponentPack
Kubernetes
Interesting, but something to practise | learn a little bit
The IBM View - Greenfield
Often got this deployment plans in the first years
Lotus Wiki (official documentation)
Figure 5. Image IBM
More real
And now mostly meeting reality
Decisions
Operating System
Linux
Windows
AIX
Database
DB2
Oracle
MS SQL Server
LDAP
Domino LDAP
Active Directory (and any LDAP v3 compatible product)
Selecting the Operating System
Experience of administrators is the main criteria
easier to troubleshoot
Shared Directory
Windows Fileserver sometimes unstable for WebSphere
not recognized for Windows clients
short timeouts
WebSphere will not reconnect
WebSphere restart needed
Select the LDAP server
leading directory in your environment
performance (Server hang with default settings)
dependencies
Spnego
Mail integration
Add AD $dn to the Domino Fullname
Define a failover server
WebSphere will not reconnect
No DNS round robin (for WebSphere it’s one host → no failover)
Men operating system
customer with AIX
Admin got a list with prerequisits
Disk space
Tools
Installation crashed several times
Admin enabled disk in 500 MB to 1GB chunks (10 steps to get up to 5GB)
AIX tar does not support paths longer 100 characters, Weird errors during install
GNU tar needed, just a sidenote in the documentation
KSH
No tab completion
cite: "That’s for real men."
Core Connections & …
IBM Docs
IBM Docs Viewer
IBM Surveys (formerly Forms Experience Builder)
Touchpoint
ICEC (lite for Community Highlights)
Metrics | Cognos
Elasticsearch (Standalone, Kubernetes) | Solr (deprecated)
Mail Integration (Exchange & Domino)
Sametime Integration (Chat, Persistent Chat, Meeting Rooms)
Verse on Premises (Profile Photos)
Firewalls and (Reverse)Proxies
Always test deployment without them
check the web application firewall logs
Chrome:
affects not only blogs
had this with the activity stream
NetIQ, WebSeal
httpd.conf
Header unset Origin
RequestHeader unset OriginHigh Availability
Load Balancer
No access after WebSphere 8.5.5 FP14 Update
Java 1.8 mandatory
LB wasn’t able to access TLS with high encryption
Database
WebSphere
Web-Server
Single point of failure
Connections supports only one URL. So using multiple webserver means multiple different DNS entries. |
Important for integrations
Example: Intranet
Getting content from Connections
Posting to Connections
Authentication Gateway only supports SPNEGO
No exceptions
|
Single Sign On
IBM World: LTPAToken
Sametime
Portal
Domino
Kerberos | SPNEGO
SAML
ADFS
Tivoli
Combinations of Authentication Gateways
Security
Authentication Gateway
Tivoli Access Manager
Siteminder
Firewalls
Proxy
Reverse Proxy
Hosts file is not a workaround
Decent name resolution is important
With componentpack
/etc/hostsis more complicatedyou can use
hostAliasesin yaml filesedit of yaml | helm is needed (don’t forget to do before each update)
→ unusable
Unsupported Authentication Gateway or SAML
Possible with custom Trust Association Interceptor (TAI)
All applications needs to be tested
Weird issues with Docs Viewer
Uses a seperate login page
Documentation for SAML tells you to add a TAI
Only for TFIM and ADFS
Single Sign On with TAM
Tivoli Access Manager
Supports Spnego | Kerberos
handles LtpaToken (not promoted to browsers / clients)
So all integrated products need to be configured in TAM
Example
Connections with TAM
Sametime and Domino use same LTPAToken
No Single Sign On, because only CNX is on TAM
Technical Accounts
connectionsAdmin
Url Preview
docsAdmin
|
Local WebSphere Users
Documentation often mentions the
wasadminaccountNo dependencies for password or security rules
Problems in several Connections versions
UrlPreview
File Preview
SPNEGO not possible
No SAML
I use a LDAP account for connectionsAdmin since 3.0 |
Kerberos and the technical user
Customer with 4 Connections environments
All use the same technical account for connectionsAdmin
Each time when we generated a new keytab file
SSO in other environments broke until we deployed the new keytab everywhere
| Remember to add all SPN and deploy one keytab with all SPN to all servers |
SAML and the technical user
Documentation:
connectionsAdminj2c-alias needs to be able to login to IDPOften technical users are not allowed to login
security reasons
Policies I saw:
Password change mandatory all 30 days (even
connectionsAdmin)60 character password instead → no support statement
tested and it’s working → check after each fixpack
Browsers
Chrome
Import SSL Certs to Websphere cacerts
IE
compatibility mode
intranet zone
breaks SPNEGO if you aren’t careful with GPO and Enterprise mode
Ad blocker
define exceptions for Connections
Plugins
SSL Only
LotusConnections-config.xml:<forceConfidentialCommunications enabled="true"/>Broke Notes Plugins several times
Adjustments in account documents needed
Plugin_customization.ini:com.ibm.lconn.client.base/requireSSL
SPNEGO
Server and Client in same domain
SAML
Only for cloud at the moment
Kubernetes (Cluster Name)
Hardcoded name
cluster.localin older ComponentPacksShould be fixed with 6.0.0.5
Still issues with a mongo-k8s-sidecar
Workaround: https://github.com/stoeps13/ibm-connections-component-pack-install-script
Kubernetes (Namespace)
Idea at a customer was deploying a huge Kubernetes Cluster
Test, QA and production should use it (better HA)
6.0.0.5 uses Nodeport (reverse proxy from IBM HTTP Server)
So you need to manually adjust the ports in the helm charts
redo with each fixpack install
I think it’s planned for the next version
+49 173 8588719 |  |