If you use Apple push notifications with HCL Connections, please be aware that the certificates included in 8.0CR12 and earlier will expire on March 13th, 2026 at 15:32:47 CET.
Over the last few days, I received several messages from Connections users reporting that their embedded YouTube videos could no longer load in Connections Blogs and instead displayed Error 153. This prompted me to investigate the issue.
Warning The is just a proof of concept and shouldn’t be used in production! I still have some issues with redirects to the new hostname.
In the series of encrypting network traffic within HCL Connections and Component Pack:
Encrypt IHS Proxypass Traffic To Component Pack Securing Redis Traffic in HCL Connections with SSH Tunnels the customizer part is missing. In a default configuration (or when you install as documented), the traffic from IHS and NGINX that is forwarded to the customizer (mw-proxy) and Ingress is unencrypted.
HCL published the Security Bulletin: HCL Connections is affected by an XML External Entity (XXE) vulnerability in Apache Tika (CVE-2025-54988) that Connections is also vulnerable for CVE-2025-54988!
Some years ago Connections Files changed the catalog view from paginated view to continuous scrolling.
This had two caveats:
On large monitors (4k for example) only 10-20 files appear and the trigger to start loading more files to complete the list is not working Feed icon (Feed for these Files) to copy the RSS feed URL is hard to get on large file catalogs (scrolling starts, and you can’t right-click to copy)
I’m still working on encrypting all network traffic between Connections and Component Pack servers. This time I checked the Ingress-Nginx Controller - TLS/HTTPS documentation.
The default configuration for connecting IHS with Component Pack uses the plain HTTP port 32080. All traffic like /social or the Tailored Experience wizard is routed from IHS to Kubernetes on port 32080.
Our target is to encrypt the traffic on port 32443.
At the moment I’m working with a customer to secure all traffic in HCL Connections. The target is to have only encrypted network traffic between servers.
Today I started enabling encryption to Redis. This is a documented process, but the documentation is outdated and incomplete.
Today I read the article KB0118248 and remembered my blog post from 2018. I also checked the attached aha idea where a comment states that you can use iframe for Youtube. Despite what KB0118248 incorrectly states, it is absolutely possible to embed videos in HCL Connections blogs and wikis using the HTML video tag as demonstrated in this post.
The HCL Connections documentation describes the process for configuring Windows desktop single-sign-on in a somewhat complicated way. Here are the necessary steps for setting up with the highest possible encryption.
I received several complaints from users who struggle to identify uploaded images in the File Uploads section of blogs. This happens because pasted images get cryptic filenames like editor_image_ + UUID, making it challenging to identify and delete unused images.
I haven’t touched the Connections scripts for a long time, but I recently made some minor updates to fix compatibility issues with newer versions and added small scripts to speed up configuration. I also got the documentation script running from the menu.
For HCL Connections 8 CR9, it is mandatory to update MongoDB to version 7. During my first migrations, I encountered some issues and would like to provide workarounds and additional troubleshooting tips to help others with this process.
The last weeks I had twice the issue of a huge homepage database with HCL Connections. Both systems weren’t installed by me, but I reviewed them.
So I know this issues quite well since I faced it the first time years ago. This always happens when you migrate Connections environments side-by-side, and you forget to remove the old search nodes.
I had some issues with PDF export functionality in HCL Connections the last weeks.
The server became unresponsive multiple times due to high load from PDF exports. To quickly address the issue, the simplest solution is to disable the PDF export feature by configuring the icxt.pdfexport.access.requiredrole property in the Resource Environment Entries.
This week, I investigated an issue with the advanced profiles search in HCL Connections. I had a system which did not show any results in the advanced search for the department number of Connections profiles.
HCL support tried for three months to reproduce the issue, and the users missed the option to search for their teammates with the advanced profiles search.
The HCL Software knowledge base is built with ServiceNow. You can register and subscribe for channels and documents. You receive mails for new documents and changed documents you have subscribed for.
I showed, in several slides and sessions, how you can use the search-admin role in the search application of HCL Connections for troubleshooting and reviewing some key configurations.
In several environments, my user or other administrative users have this role, just to access the link to /search/serverStatus for example.
Last week, I had three systems with issues displaying the Top Updates in the Orient Me. So I tried to find out which applications and containers are involved in generating the content for this view.
With HCL Connections 6.5 and later, we got the add-on HCL Connections Engagement Center (aka CEC, HCEC, ICEC or XCC) included in a normal HCL Connections deployment.
I had one Connections’ environment that I wanted to switch from OpenLDAP to Active Directory LDAP. The old OpenLDAP environment used LDAPS to connect, and so I assumed that the change was done quickly.
The first step was to make a copy of the tdisol folder I used for OpenLDAP and start changing the configuration files for the new LDAP server.
The official documentation, “Migrating data from MongoDB 3 to 5”, wants to dump the MongoDB databases in 3.6 and then restore this data into the newly deployed MongoDB 5.
One issue with this process is that we can’t run the two MongoDB versions in parallel on Kubernetes because the provided helm charts and container for MongoDB 3.6 stop running after Kubernetes 1.21. On the other side, the helm chart providing MongoDB 5 can’t be installed on those old Kubernetes versions. So the process to update is:
After updating HCL Connections to 8CR3 and Tiny Editors to 4.9.2.24 the lines of tables are no longer visible during editing.
Here is the edit form with Tiny Editors 4.8.2.0:
To install the Component Pack for HCL Connections 8, you need to create a Mongodb5 image. The image sources can be found in the HCL MongoDB repository, and the process for creating the image is documented in Installing MongoDB5 for Component Pack 8. The process involves using Docker, so if you have it installed, you can follow the instructions provided.
Elasticsearch in HCL Connections Componentpack is secured with Searchguard and needs certificates to work properly. These certificates are generated by bootstrap during the initial container deployment with helm.
These certificates are valid for 10 years (chain_ca.pem) or 2 years (elasticsearch*.pem) and stored in the Kubernetes secrets elasticsearch-secret, elasticsearch-7-secret. So when your HCL Connections deployment is running for 2 years, the certficates stop working.
Last week I played around with the HCL Connections documentation to backup Elasticsearch in the article Backup Elasticsearch Indices in Component Pack.
In the end I found that I couldn’t get the snapshot restored and that I have to run a command outside of my Kubernetes cluster to get a snapshot on a daily basis. That’s not what I want.
During a migration from Cognos Metrics to Elasticsearch Metrics, I had some issues with the index. So I wanted to create a backup of the already migrated data and start over from scratch.
The official documentation has an article on the topic: Backing up and restoring data for Elasticsearch-based components, but I had to slightly adjust the commands to get a successful snapshot.
In the last few years, I have had issues with application servers using a large amount of CPU and even hanging application servers running the Tiny Spellchecking service. It ended with disabled spellchecking in the Tiny Editors’ config.js.
I created a git repository with some smaller CSS files to fix some annoyances within HCL Connections.
I started with this to prevent Orient Me to load fonts from external URLs or Elasticsearch Metrics to break the UI on larger screens. These issues are solved after the last updates I got from support, but Blogs and Tailored Experience Wizard can be improved with some simple rules.
After rebooting the Kubernetes server for HCL Connections Componentpack, I sometimes see that Orient Me is not working and just shows:
{"error":{"statusCode":500,"message":"Internal Server Error"}}
CVE-2021-44228 was a very serious problem end of 2021, and we are still finding new occurrences, or security teams scan servers and find vulnerable log4j files. Don’t get me wrong most of these occurrences are not vulnerable any more, because the JVM is hardened like in the Elasticsearch 7 containers, or they use of the JVM parameter -Dlog4j2.formatMsgNoLookups=true.
Today I got the question of how to disable the highlights app in Connections 7. When you follow the documentation for Connections 6.0CR6 you get an error message (and the document is not available in Connections 7).
I commented out the widget definition in widgets-config.xml like described in the documentation for the former release.
Our users are often building Highlights and Overview pages within HCL Connections Communities, where they link from one description widget to RTE or from one RTE widget to another.
We found that these anchor links often disappear behind the top navigation bar and the users wonder what happened.
In late 2021 I had an HCL Connections environment starting swapping, because the AppCluster used more than 30 GB of memory.
The system has
two nodes is installed with the medium-sized deployment option About 7500 users with a high adoption rate, because Connections is also used as intranet
Yesterday I updated a Connections environment to the latest CFix. In other environments I found that PushNotification Cluster was not started after the update, like described in the knowledge base document PushNotification broken after upgrading to CFix.65CR1.2201. In this update the application and cluster were running, but not working at all. Browser console.log showed the error:
Error connecting to push auth sync service /servic/info: RequestError: Unable to load https://cnx-fqdn/push/service/info status: 500
When I test topics with the different Connections editors (CKEditor, Textbox.io and TinyMCE), I always used multiple users in my test environment, installed the editor selector ear and then gave each of the test users a different editor. That’s easy with the different j2ee roles, but I always had to use multiple browsers or sandboxes to see them next to each other.
I wrote about font loading from external CDN in the post Hiding The Create Community Button 2nd last year and hoped this is finally fixed for all Connections applications. A good summary on the reasons to not allow external font loading is Blocking Web Fonts for Speed and Privacy.
So I checked with a Connections 7 deployment with the latest CFix (CFix.70.2112) deployed, if this is still an issue with Connections.
In former Connections’ versions we found external fonts loaded in Orient Me (/social), Communities Catalog (/communities) and the Admin panel (/cnxadmin/).
I installed HCL Connections Docs 2.0.1 on top of an already installed HCL Connections 6.5CR1 with Docs Viewer. Usually a simple task, the installation was smooth, after the mandatory restart the Edit button in the files’ application appeared and all looked good, but when the users clicked on edit a white page was loaded.
During the latest automated deployment of the HCL Connections Desktop Plug-ins for Microsoft™ Windows™, I had issues activating the Password Save Policy. We wanted to disable the option that users can save passwords.
The documentation tells us, that the registry key HKLM\SOFTWARE\Wow6432Node\IBM\Social Connectors\Settings\Password Save Policy needs to be set to 1 to achieve this.
Some time ago I got the tip from HCL Support, that the Create Community button will recognize the role community-creator only when the gatekeeper option CATALOG_CARD_UPDATED is set to false.
This is working, but I had to complain, that this option activates some code, which loads fonts from a CDN instead of the local Connections deployment.
Connections 7 creates the Community Highlights page automatically and sets it as the start page for new communities.
That’s configured in the highway service, which is available for administrative users on https://your_connections_url/connections/config/highway.main.gatekeeper.tiles
A long time ago, I wrote about the new implementation of allowlists in HCL Connections and that the documentation on customization and adding new rules was an absolute miracle for me.
The last days I analyzed an issue, that file uploads to HCL Connections via IBM HTTPServer stopped working on a fresh installed 6.5CR1.
Today I configured a Connections 7 and tried with it. I think that the official documentation is old in some important parts for the upload configuration.
First of all my IBM HTTPServer 8.5.5.18 is not 32-bit like the documentation tells us:
Since IBM Connections 6.0CR4 we can use a new newsletter format which needs still (now with HCL Connections 7) be activated separately in LotusConnections-config/notification-config.xml.
Today some users asked how they can add other users to their private communities (visible in Community catalog) without manually adding them. As we investigated the question I had a look at the old notification format.
Since the update to the new HCL Connections Community Card-Based Overview (Connections 6.0 CR4) I search for a way to hide the button “Create Community” from users without the role “Community-Creator”. This was always possible in the earlier versions of Connections, but the button was shown always since the update.
During the year I mostly forgot about it, but yesterday I opened a case with HCL Connections Support and got immediatly following answer:
Some weeks ago I wrote about an workaround to prevent TDI from deleting the touchpoint status in HCL Connections.
During some research on TDI I found Mapping fields manually in the HCL Connections documentations. This document describes how to add additional fields to the TDI synchronisation. On point 11 I found something new for me. You can add additional fields and then add the content with an Javascript function for example.
Today I activated Elasticsearch Metrics and Typeahead Search on my demo HCL Connections cluster.
To my surprise the indices weren’t created and I got errors on the wsadmin.sh commands.
SearchService.createESQuickResultsIndex() I checked the Elasticsearch pods which showed a running state, but the logs showed following messages:
HCL included some additional apps with HCL Connections 6.5CR1. One of them is Touchpoint, which can be used to present users the “Terms and Conditions” (or Privacy and Guidelines) of the environment and some help creating their profile, network and become member of their first communities.
Touchpoint writes some profile extension entries in the PEOPLEDB database in the table PROFILE_EXTENSIONS, most important:
The last IBM Connections 6.0 CR4 introduced the new feature “Sharing Files via Link”. A quite handy way to share files with users by link. Just open the file, go to sharing and select “Share by Link”.
“Share by Link” makes it easy to share and grant read access to personal and Community files.
A lot of people don’t like to store credentials in mobile apps or browsers. A good workaround is the usage of OAuth 2.0 tokens, but the application needs to support it and the server you’re talking to too. The IBM Connections Mobile App can use it for authentication.
OAauth2 can be used directly with WebSphere Application Server and Connections 6.0. There are no special OAuth servers or applications needed!
The Documentation at IBM was a little bit confusing for me, there are lots of sidenotes, but you just need to do following steps, to use OAuth 2.0 token-based authentication with the IBM Connections Mobile App.
Today I learned a new lesson during troubleshooting a IBM Connections System. I updated to 6.0 CR2, updated WebSphere to FP13, last fixpack for Docs and so on. You will ask if I added IFP88438 to the list, be sure that I installed this fix which reanables the root element in Federated Repositories. Have a look at WAS 8.5.5 FP12 breaks Domino “root” base entry setting for more details.
Then one of the two deployments showed strange behavior with Activities. On the Activitystream I only got an orange error symbol instead of the Todo list and when I opened Activities directly I got an empty page.
IBM Docs Viewer can open source files with syntax highlighting. This feature is default disabled, but sometimes very useful.
You need to enable it with IBM Connections Gatekeeper.
:icons: font
After some deployments of IBM Connections pink and IBM Cloud private, I want to share some tools, links and hopefully helpful information around these products.
So up to IBM Connections 6.0 everything was allowed until it was not excluded in one of the blocklist files. This files are stored within the Deployment Manager profile/config/cells/<cellname>/LotusConnections-config/extern. Now with Connections 6.0CR1 everything is forbidden, until it is enabled in the allowlist. This concept is rolled out for widgets (homepage and communities) and active content. Active content means HTML content too. So everything you or your users add to Connections (blog-posts, wiki pages) gets filtered during the save procedure. This removes all HTML tags and attributes which are not explicitly allowed!
During the week we integrated IBM Connections and IBM Docs in our test environment and everything worked fine. Then we moved the configuration to production and most of the stuff was working, like showing Business cards, profile pictures and Connections files to add into mails. Docs Viewer and uploading files from a mail to Connections generated an error: “because of an internal server error”
With IBM Connections 6 you can deploy the additional component Orient Me, which provides the first microservices which will build the new IBM Connections pink. Orient Me is installed on top of IBM Spectrum Conductor for Containers (CFC) a new product to help with clustering and orchestrating of the Docker containers.
Since some versions of IBM Connections, it is mandatory to delete temp and wstemp of your Connections node after deployment or updates, or you end up with an old layout/design of Connections GUI.
On a Windows Server System this can be a pain, because within temp/wstemp WebSphere Application Server creates a folder structure with nodename / application server name and so on. In must cases the delete ends with the message “path too long”.
Last week I had an issue that some Domino Server didn’t provide SSO through SPNEGO any longer (environment worked for over 2 years now). This environment uses the customized domcfg.nsf template of Andreas Artner, maybe it’s related, but I don’t think so, on Windows 7 with latest Internet Explorer 11 and Domino Servers 9.0.1 with latest fix pack.
This week I installed IBM Connections 5.5CR1 on a Windows Server. I used WebSphere Application Server 8.5.5.9 and everything ran pretty smooth, but the Connections install itself ended in an error after all applications were successfully installed.
Several people told me that installing the Editors is not described very well in the IBM Connections documentation. So i decided to write down the steps I used to deploy the editors. Hope it helps.
Check Installation on ephox: http://docs.ephox.com/display/EphoxForIBMConnections/Installing+Textbox.io+Services
Wikis in IBM Connections 5.5 have a little bug, because the link (/library instead of /wikis/form/api/library) for images are wrong and so they are not displayed.
Today I got a call that a IBM HTTP Server stopped working after a reboot. The service starts and ends again after some seconds. In the error_log of IBM HTTP we found following messages:
