Oct 14, 2011
Klaus Bild

Using SSL in Sametime 8.5.x for LDAP connections Part 2

Took me a little bit longer than expected, but here is part 2: how to enable SSL for LDAP connections on the community server.

In part 1 I described how you can enable SSL for LDAP connections on the WAS servers.

You can find some information on this topic in the Sametime Wiki but I found it rather confusing and misleading.

First of all I had to set up iKeyman and the GSKit on the community server to support Cryptographic Message Syntax (CMS) and create the Keystore DBs. We need 3 different Keystore databases:

- CMS Keystore key.kdb -> used by different Sametime server components to connect securely to LDAP server

- Java Keystore stkeys.jks -> used by the userinfo servlet (Business Card) to connect securely to LDAP server

- Keyring File sametime85.kyr -> used by the Domino server (directory assistance) to connect securely to LDAP server

Install GSKit

- Go to the folder where you extracted the Sametime Standard Server Installation files. In there you find a folder “GSKit” – “Win32”. Run gsk8crypt32.exe as Admin

- Use standard values for installation wizard

- Run gsk8ssl32.exe as Admin and use standard values for installation wizard

- Add your Domino java folder as JAVA_HOME system variable

Update iKeyman to support CMS

- copy gskikm.jar and ibmcmsprovider.jar from your Sametime System Console (SSC) server to the community server and replace the older ones. You can find these files in the C:\WAS_INSTALL_DIR\WebSphere\UpdateInstaller\java\jre\lib\ext\ folder. Copy them to the C:\DOMINO_INSTALL_DIR\ibm-jre\jre\lib\ext\ folder.

- Edit the file java.security in folder C:\DOMINO_INSTALL_DIR\ibm-jre\jre\lib\security\

- after security.provider.5=com.ibm.security.sasl.IBMSASL add following line:
security.provider.6=com.ibm.security.cmskeystore.CMSProvider 
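The provider list in java.security is positional: Java reads security.provider.1, .2, .3, ... until it hits a gap, and java.util.Properties keeps only the last value of a duplicated key. So if the IBM JRE file already has a security.provider.6 (and later entries), pasting a second provider.6 line silently replaces that existing provider instead of adding CMS. As an added example (not code from the original post or from IBM), here is a small Python helper that inserts the CMSProvider right after IBMSASL, renumbers everything behind it, and detects the duplicate-index case. The java.security excerpt is constructed; the provider class names are the ones commonly found in an IBM JRE, but treat the exact list as a sample.

```python
import re

# Matches "security.provider.<n>=<class>", keeping the pieces so the index can be rewritten.
PROVIDER_RE = re.compile(r"^(\s*security\.provider\.)(\d+)(\s*=\s*)(\S+)\s*$")

# Constructed excerpt of ibm-jre/jre/lib/security/java.security (sample only).
SAMPLE_JAVA_SECURITY = """\
# constructed excerpt of java.security
security.provider.1=com.ibm.jsse2.IBMJSSEProvider2
security.provider.2=com.ibm.crypto.provider.IBMJCE
security.provider.3=com.ibm.security.jgss.IBMJGSSProvider
security.provider.4=com.ibm.security.cert.IBMCertPath
security.provider.5=com.ibm.security.sasl.IBMSASL
security.provider.6=com.ibm.xml.crypto.IBMXMLCryptoProvider
security.provider.7=com.ibm.xml.enc.IBMXMLEncProvider
"""

CMS_PROVIDER = "com.ibm.security.cmskeystore.CMSProvider"
ANCHOR_PROVIDER = "com.ibm.security.sasl.IBMSASL"


def list_providers(text):
    """Return [(index, class_name), ...] for every security.provider.N line, in file order."""
    found = []
    for line in text.splitlines():
        m = PROVIDER_RE.match(line)
        if m:
            found.append((int(m.group(2)), m.group(4)))
    return found


def duplicate_indices(text):
    """Indices that occur more than once. Properties.load() keeps the last one,
    so a duplicate index means one provider is silently dropped."""
    counts = {}
    for idx, _ in list_providers(text):
        counts[idx] = counts.get(idx, 0) + 1
    return sorted(i for i, n in counts.items() if n > 1)


def add_provider_after(text, after_class, new_class):
    """Insert new_class directly behind the provider after_class and shift every
    later provider index up by one. Returns (new_text, index_of_new_provider)."""
    by_class = dict((cls, idx) for idx, cls in list_providers(text))
    if after_class not in by_class:
        raise ValueError("anchor provider not found: " + after_class)
    if new_class in by_class:
        raise ValueError("provider already registered: " + new_class)
    new_index = by_class[after_class] + 1
    out = []
    for line in text.splitlines():
        m = PROVIDER_RE.match(line)
        if m and int(m.group(2)) >= new_index:
            # Everything at or behind the insertion point moves one slot down.
            line = "%s%d%s%s" % (m.group(1), int(m.group(2)) + 1, m.group(3), m.group(4))
        out.append(line)
        if m and m.group(4) == after_class:
            out.append("%s%d%s%s" % (m.group(1), new_index, m.group(3), new_class))
    return "\n".join(out) + "\n", new_index


if __name__ == "__main__":
    updated, idx = add_provider_after(SAMPLE_JAVA_SECURITY, ANCHOR_PROVIDER, CMS_PROVIDER)
    print("CMSProvider registered as security.provider.%d" % idx)
    print(updated)
    print("duplicate indices:", duplicate_indices(updated))
```

Run duplicate_indices() against the real java.security after editing it by hand; an empty list means every provider slot is unique and the CMS provider will actually be loaded.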

Create CMS and Java Keystore files

- Start iKeyman (double click ikeyman.exe) which you can find in C:\DOMINO_INSTALL_DIR\ibm-jre\jre\bin\ folder

- Check the “Help” – “About iKeyman”, you should see

If you see an older version number, check whether you copied gskikm.jar and ibmcmsprovider.jar from your Sametime System Console (SSC)

- Now create a new CMS database by clicking on “Key Database file” – “New”. Choose CMS as type, name it key.kdb (has to be exactly this name!) and place it in C:\DOMINO_INSTALL_DIR\ (D:\IBM\Lotus\Domino in my example)

- Define a password and activate “Stash password to a file”

- Go to the “Signer Certificates” and click on “Add”

- Click “Browse” and open the Root.cer file (which you created before on the SSC server in Part 1)

- Enter a Label for the Certificate (i.e. GeoTrust Root Certificate)

- Do the same for the Intermediate Certificate

- You should now see 2 Signer Certificates in your keyDB

- Now create a new JKS database by clicking on “Key Database file” – “New”. Choose JKS as type, name it stkeys.jks and place it in C:\DOMINO_INSTALL_DIR\ (D:\IBM\Lotus\Domino in my example)

- Repeat all steps to import the root certificate and the intermediate certificate


Create the Domino Keyring file

- open the Server Certificate Admin DB (certsrv.nsf) on your Community Server with your Notes Client

- click on “1. Create Key Ring” to create a new keyring file

- fill in a name and a password and define your key size

- fill in your server name as Common Name, add your Organization/State/Country and click “Create Key Ring”

- you will see a confirmation window

- now import your Root Certificate, click on “3. Install Trusted Root Certificate…” and fill in a Label/Source/File Name and choose the appropriate file format

- click on “Merge Trusted Root Certificate…” and fill in the password for the key ring file

- you will see a success window, click on “OK”

- import your intermediate certificate with same steps

- copy your keyring file and stash file to the data directory of your Community Server

- open the server document of your community server and go to “Ports” – “Internet Ports” and fill in your keyring file name

- save the document and close it

Encrypt the UserInfoServlet

- open UserInfoConfig.xml (in D:\IBM\Lotus\Domino)

- change SslEnabled to true and ensure SslPort is 636

- in the SslProperties tag add the path to your stkeys.jks file and insert your password for the keystore

Configuring Directory Assistance for SSL & connecting the Sametime Community Server through SSL

- open the Directory Assistance DB (da.nsf) on your community server with your notes client and change the LDAP settings

- Click “Save and Close” and close the DB

- Now open the Sametime Community Server webpage and login as Sametime Admin and click on “Administer the Server”

- go to “LDAP Directory” > “Connectivity” and enable the use of SSL for LDAP and ensure that the used SSL port is 636

- Click on “Update”

(Optional) If you want to improve performance, you may choose to loosen security and encrypt only user credentials as follows:

- Open the sametime.ini file (in D:\IBM\Lotus\Domino)

- Locate the [Directory] section within the file and add the following setting:

ST_DB_LDAP_SSL_ONLY_FOR_PASSWORDS=1

- Save and close the file

- Restart your Community Server
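The UserInfoServlet settings above (SslEnabled, SslPort and the SslProperties keystore entry in UserInfoConfig.xml) and the optional ST_DB_LDAP_SSL_ONLY_FOR_PASSWORDS switch in sametime.ini are the two places where an LDAPS setup can quietly end up with cleartext directory traffic. As an added example, not code from the original post or from IBM, here is a small Python audit over both files. The file contents below are constructed samples; SslEnabled, SslPort and SslProperties are the names used in the post, while the KeyStorePath and KeyStorePassword attribute names on SslProperties are assumed, so adjust them to what your UserInfoConfig.xml actually contains.

```python
import xml.etree.ElementTree as ET

# Constructed sample: the relevant part of UserInfoConfig.xml before the change.
USERINFO_BEFORE = """<UserInformation>
  <Resources>
    <Storage type="LDAP">
      <StorageDetails>
        <Connection HostName="ldap.example.com" Port="389" SslEnabled="false" SslPort="636"
                    BindDN="cn=stbind,o=example" Password="bindpw"/>
        <SslProperties KeyStorePath="" KeyStorePassword=""/>
      </StorageDetails>
    </Storage>
  </Resources>
</UserInformation>
"""

# Constructed sample: the same fragment after enabling SSL and pointing at stkeys.jks.
USERINFO_AFTER = USERINFO_BEFORE.replace('SslEnabled="false"', 'SslEnabled="true"').replace(
    'KeyStorePath="" KeyStorePassword=""',
    'KeyStorePath="D:/IBM/Lotus/Domino/stkeys.jks" KeyStorePassword="keystorepw"')

# Constructed sample of the [Directory] section of sametime.ini.
SAMETIME_INI = """[Config]
ST_ADMIN_NAME=Sametime Administrator

[Directory]
ST_DB_LDAP_SSL_ONLY_FOR_PASSWORDS=1
"""


def audit_userinfo(xml_text):
    """Return a list of findings for the UserInfoServlet LDAP connection (empty = OK)."""
    findings = []
    root = ET.fromstring(xml_text)
    conn = root.find(".//Connection")
    sslp = root.find(".//SslProperties")
    if conn is None:
        return ["no <Connection> element found"]
    if conn.get("SslEnabled", "").lower() != "true":
        findings.append("SslEnabled is not true: the servlet binds and searches in cleartext")
    if conn.get("SslPort") != "636":
        findings.append("SslPort is %r, expected 636" % conn.get("SslPort"))
    path = sslp.get("KeyStorePath", "") if sslp is not None else ""
    if not path:
        findings.append("SslProperties has no keystore path: the LDAP server certificate cannot be validated")
    else:
        if not path.lower().endswith(".jks"):
            findings.append("KeyStorePath does not point at a JKS file (stkeys.jks)")
        if not sslp.get("KeyStorePassword"):
            findings.append("KeyStorePassword is empty")
    return findings


def ini_value(ini_text, section, key):
    """Return the value of key inside [section] of an INI-style file, or None.
    Hand-rolled because sametime.ini is not strict enough for configparser."""
    current = None
    for raw in ini_text.splitlines():
        line = raw.strip()
        if not line or line[0] in ";#":
            continue
        if line.startswith("[") and line.endswith("]"):
            current = line[1:-1].strip().lower()
            continue
        if current == section.lower() and "=" in line:
            k, v = line.split("=", 1)
            if k.strip().lower() == key.lower():
                return v.strip()
    return None


def audit_sametime_ini(ini_text):
    """Flag the performance trade-off: with the switch set, only user credentials are
    encrypted and the rest of the community server's LDAP traffic is not."""
    value = ini_value(ini_text, "Directory", "ST_DB_LDAP_SSL_ONLY_FOR_PASSWORDS")
    if value == "1":
        return ["ST_DB_LDAP_SSL_ONLY_FOR_PASSWORDS=1: only user credentials are encrypted, "
                "directory searches from the community server are sent in cleartext"]
    return []


if __name__ == "__main__":
    for label, text in (("before", USERINFO_BEFORE), ("after", USERINFO_AFTER)):
        print(label, audit_userinfo(text) or ["OK"])
    print("sametime.ini", audit_sametime_ini(SAMETIME_INI) or ["OK"])
```

Note that UserInfoConfig.xml carries the keystore password (and the bind password) in cleartext, so restrict the NTFS permissions on that file to the Domino service account and administrators, just as for the stash files created by iKeyman.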

That’s it, now your Security Officer is your friend again!

Aug 29, 2011
Klaus Bild

Using SSL in Sametime 8.5.x for LDAP connection Part 1

Securing a connection to an LDAP server sounds pretty easy, but doing this for a Sametime 8.5 deployment, especially the community server, is far from easy.

Documentation (Infocenter, Sametime Wiki) is not very clear on this topic and contains some conflicting information.

These are the steps which worked for me.

Configure WAS Servers for secure access to LDAP server

This is pretty easy and is well documented in the Sametime Wiki, you just have to import the public root CA of the LDAP server certificate. In my case I only had the .pfx file of the LDAP server and first had to export the CA’s root and intermediate certificates.

- Import the .pfx certificate into your Certificates store on your Windows server (double click certificate…)
- Click “Start” and open up mmc.exe
- Click “File” – “Add/Remove Snap-in” and add the Certificates Snap-in
- Double click your certificate under “Personal” – “Certificates” and click on “Certification Path”
- Click on the root certificate (GeoTrust Global CA) and “View Certificate”. Now open the “Details” tab and click on “Copy to file”
- Export the certificate as “DER encoded binary”
- Choose a file name and a location where to save the file on the server
- Now change to the WAS Admin console to import the certificates into the trust store. Navigate to “Security” – “SSL certificate and key management” – “Key stores and certificates” and click on “CellDefaultTrustStore”
- Click on “Signer certificates” and “Add”
- Fill in an alias for the global certificates, point to the file (on the server) and choose “Binary DER data” as data type
- do exactly the same to import the intermediate certificate. Now you see both certificates inside your trust store.
- Now we change the ldap settings. Go to “Security” – “Global security” and click on “Configure”
- Change the port number to 636 and enable “Require SSL communications”. Click “OK” and “Save” afterwards
- Last step is to resynchronize all nodes and restart all servers

I will describe what I had to change on the community server in part 2, stay tuned.


Aug 10, 2011
Klaus Bild

IBM Connections iPhone App

As of today, the official IBM Connections iPhone app can be downloaded from the App Store:

http://itunes.apple.com/ch/app/ibm-connections/id450533489?l=en&mt=8

For the application to work with IBM Connections you need version 3.0.1 and the July update (interim fix: 3.0.1.0-IC-Multi-Mobi-IFLO61851) for Connections, which you can find on Fix Central: http://www-933.ibm.com/support/fixcentral/

The application offers more or less the same functionality as the mobile web interface of Connections, but has a few small additions:
- the login credentials are stored, so you are always logged in immediately
- integration of the camera function; photos can be uploaded directly (profile photo, Files)

Here are some screenshots that should give you an impression of the functionality:


In the profile you can upload a new profile photo directly, or take a new photo with the iPhone

You can also upload photos directly into Files (with tagging etc.)


Pictures can be viewed directly or downloaded to the iPhone.

There is also an application for Android & BlackBerry, and the nice thing is that all of them use the same interface. The functionality is the same on all devices, so training and supporting end users is not a big effort.

Jul 11, 2011
Klaus Bild

Customizing IBM Connections Profile Labels

Customizing IBM Connections 3.x labels is pretty easy, you just have to create a properties file, store your customized labels in it and place this file inside your <customization_dir>/strings directory:
http://www-10.lotus.com/ldd/lcwiki.nsf/dx/Customizing_product_strings_ic301
Customizing the profile labels on my installation unfortunately did not work, although it is mentioned on the wiki page (com.ibm.lconn.profiles.strings.ui_xx, com.ibm.lconn.profiles.strings.uilabels_xx).
So I had to find a workaround: use an external resource bundle and reference it in my profiles. This needs more than one properties file but is still pretty easy. In this example I will reuse an existing profile field (pagerNumber) and add a customized label to it.

1. Create a properties file for each language you are using inside your strings directory -> I’m using com.belsoft.profiles.strings.uilabels_xx.properties

property file

2. Add the key-value pair for the string that you want to customize (for each language) and save the file

key pair

3. Add your external resource bundle to LotusConnections-config.xml by checking out the config and adding some lines:

cd D:\IBM\WebSphere\AppServer\profiles\Dmgr01\bin
wsadmin.bat -lang jython -port 8879
execfile("connectionsConfig.py")
LCConfigService.checkOutConfig("D:/temp","BSAZ-ZHRU-VSV04Cell01")

Open LotusConnections-config.xml and add your widgetBundle inside the resource tag, you have to use your property file name as widgetbundle name:

<widgetBundle name="com.belsoft.profiles.strings.uilabels" prefix="belsoft"/>

Check in your changes:

LCConfigService.checkInConfig("D:/temp","BSAZ-ZHRU-VSV04Cell01")

4. Now we have to use the new labels inside the profiles:

execfile("profilesAdmin.py")
ProfilesConfigService.checkOutConfig("D:/temp","BSAZ-ZHRU-VSV04Cell01")


Open profiles-config.xml and change the line for the attribute pagerNumber (bundleIdRef has to be the prefix of your added widgetBundle!):

<editableAttribute labelKey="label.belsoft.privateMobileNumber" bundleIdRef="belsoft" showLabel="true" hideIfEmpty="true">pagerNumber</editableAttribute>

Check in your changes:

ProfilesConfigService.checkInConfig("D:/temp","BSAZ-ZHRU-VSV04Cell01")

5. Last step is to update your versionStamp and sync all your nodes:

execfile("connectionsConfig.py")
LCConfigService.checkOutConfig("D:/temp","BSAZ-ZHRU-VSV04Cell01")
LCConfigService.updateConfig("versionStamp","")
LCConfigService.checkInConfig("D:/temp","BSAZ-ZHRU-VSV04Cell01")
synchAllNodes()
exit

After a restart of your profiles server you should see the new label on your profiles page.
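Steps 1 to 4 above tie three files together, and the usual reason a label shows up as a raw key is a mismatch between them: the bundleIdRef in profiles-config.xml must equal the widgetBundle prefix (not its name), the widgetBundle name must equal the properties file name, and the labelKey must exist in every language file. As an added example, not code from the original post or from the Connections tooling, here is a Python cross-check over the three. The XML fragments are constructed and trimmed to the elements involved (the namespace URI in the sample is made up), and the check assumes the labelKey is looked up verbatim in the bundle's properties file, which is how the post uses it.

```python
import xml.etree.ElementTree as ET

# Constructed fragment of LotusConnections-config.xml (namespace URI is a sample value).
LC_CONFIG = """<config xmlns="urn:example:lotusconnections-config">
  <resources>
    <widgetBundle name="com.belsoft.profiles.strings.uilabels" prefix="belsoft"/>
  </resources>
</config>
"""

# Constructed fragment of profiles-config.xml. The second attribute deliberately uses the
# bundle *name* as bundleIdRef, which is the mistake the post warns about.
PROFILES_CONFIG = """<config>
  <editableAttribute labelKey="label.belsoft.privateMobileNumber" bundleIdRef="belsoft"
                     showLabel="true" hideIfEmpty="true">pagerNumber</editableAttribute>
  <editableAttribute labelKey="label.belsoft.faxNumber" bundleIdRef="com.belsoft.profiles.strings.uilabels"
                     showLabel="true" hideIfEmpty="true">faxNumber</editableAttribute>
</config>
"""

# Constructed contents of com.belsoft.profiles.strings.uilabels_<locale>.properties.
BUNDLES = {
    "com.belsoft.profiles.strings.uilabels": {
        "en": "# English labels\nlabel.belsoft.privateMobileNumber=Private mobile number\n",
        "de": "# German labels\nlabel.belsoft.privateMobileNumber=Private Mobilnummer\n",
    }
}


def _local(tag):
    """Strip a namespace prefix from an ElementTree tag ('{uri}name' -> 'name')."""
    return tag.split("}", 1)[-1]


def widget_bundles(lc_config_xml):
    """Map widgetBundle prefix -> bundle name."""
    root = ET.fromstring(lc_config_xml)
    return dict((el.get("prefix"), el.get("name"))
                for el in root.iter() if _local(el.tag) == "widgetBundle")


def editable_attributes(profiles_config_xml):
    """List of (attribute name, labelKey, bundleIdRef) from editableAttribute elements."""
    root = ET.fromstring(profiles_config_xml)
    return [((el.text or "").strip(), el.get("labelKey"), el.get("bundleIdRef"))
            for el in root.iter() if _local(el.tag) == "editableAttribute"]


def parse_properties(text):
    """Minimal Java .properties reader: key=value lines, '#'/'!' comments."""
    props = {}
    for raw in text.splitlines():
        line = raw.strip()
        if not line or line[0] in "#!":
            continue
        key, _, value = line.partition("=")
        props[key.strip()] = value.strip()
    return props


def check_labels(lc_config_xml, profiles_config_xml, bundle_files):
    """Cross-check the three files; bundle_files maps bundle name -> {locale: text}.
    Returns a list of problems, empty when everything is consistent."""
    problems = []
    bundles = widget_bundles(lc_config_xml)
    for attr, label_key, ref in editable_attributes(profiles_config_xml):
        if ref is None:
            continue  # built-in label, nothing external to verify
        if ref not in bundles:
            problems.append("%s: bundleIdRef '%s' matches no widgetBundle prefix" % (attr, ref))
            continue
        name = bundles[ref]
        locales = bundle_files.get(name, {})
        if not locales:
            problems.append("%s: no properties file found for bundle %s" % (attr, name))
            continue
        for locale, text in sorted(locales.items()):
            if label_key not in parse_properties(text):
                problems.append("%s: key '%s' missing in %s_%s.properties"
                                % (attr, label_key, name, locale))
    return problems


if __name__ == "__main__":
    for problem in check_labels(LC_CONFIG, PROFILES_CONFIG, BUNDLES) or ["all labels consistent"]:
        print(problem)
```

Run it against the checked-out copies in D:/temp before checking them back in; a clean result means the only remaining step is the versionStamp update and node sync.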

Jul 5, 2011
Klaus Bild

Enabling the Media Gallery image preview in IBM Connections 3.0.1

We have been using IBM Connections 3.0.1 internally since that version was released. The most important new features in this version were the Ideation Blogs and the Media Gallery, in which you can store pictures and videos and browse them with a useful preview function.
Unfortunately this preview function did not work from the start, so we initially refrained from using the galleries.
In the Connections forum I then found out that I was not the only one with this problem, and that it was a problem with the access rights to the Files component. We just had to wait quite a while for a solution.
Sjaak Ursinus has now found a solution and kindly shared it in the forum. So if you ever have a problem with the preview, here is your solution:

http://www-10.lotus.com/ldd/lcforum.nsf/d6091795dfaa5b1185256a7a0048a2d0/50de0a00b4b1c4f3852578bf0042270b?OpenDocument
