
IBM Verse on Premises Integration with Connections and Docs issue with iNotes_WA_Security_NonceCheck


During the week we integrated IBM Connections and IBM Docs in our test environment and everything worked fine. Then we moved the configuration to production and most of the stuff was working, like showing business cards, profile pictures and Connections files to add into mails. Docs Viewer and uploading files from a mail to Connections generated an error: “because of an internal server error”.


I dug into it with Burp Suite and Fiddler4; in the meantime a customer called me and described the same symptoms. Within the traces I found that the systems which didn’t upload the files had the following header set:

X-IBM-INOTES-NONCE: <none>

and the working one had:

X-IBM-INOTES-NONCE: 2640941AE5454F5853E6732F79E7D2F5

So I searched a little bit on X-IBM-INOTES-NONCE and found that it was introduced in Notes/Domino 8.5.2 and shall prevent XSS.

You can disable this with iNotes_WA_Security_NonceCheck=0, and a technote mentions that proxies or an F5 sometimes need this setting. First we tried that on our test systems and we seemed to be right: the upload was broken too.

We removed the notes.ini entry (or set it to 1) and after an HTTP restart the file upload from VOP and the IBM Viewer worked!


Thanks to Thomas who dug into this with me today.

Update 2017-11-20

IBM released a technote on this.
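The header comparison described above can be automated over a proxy trace exported as HAR. The following is an added example, not part of the original post or of any IBM tooling; it assumes a healthy nonce is 32 hex characters (as in the one value shown above), and the host names, paths and status codes in the sample are constructed.

```python
import json
import re

HEADER = "x-ibm-inotes-nonce"
# Assumption: a valid nonce looks like the single example in the post (32 hex chars).
NONCE_RE = re.compile(r"^[0-9A-Fa-f]{32}$")


def classify_nonce(value):
    """Classify one header value as 'absent', 'none', 'ok' or 'unexpected'."""
    if value is None:
        return "absent"          # many requests never carry the header
    value = value.strip()
    if value.lower() == "<none>":
        return "none"            # the symptom seen on the failing systems
    return "ok" if NONCE_RE.match(value) else "unexpected"


def audit_har(har_text):
    """Return (method, url, status, verdict) for every request in a HAR export."""
    results = []
    for entry in json.loads(har_text)["log"]["entries"]:
        req = entry["request"]
        headers = {h["name"].lower(): h["value"] for h in req.get("headers", [])}
        verdict = classify_nonce(headers.get(HEADER))
        results.append((req["method"], req["url"], entry["response"]["status"], verdict))
    return results


def suspicious(results):
    """Requests whose nonce is '<none>' or malformed; these point at notes.ini."""
    return [r for r in results if r[3] in ("none", "unexpected")]


def _entry(method, url, status, nonce=None):
    headers = [] if nonce is None else [{"name": "X-IBM-INOTES-NONCE", "value": nonce}]
    return {"request": {"method": method, "url": url, "headers": headers},
            "response": {"status": status}}


# Constructed sample trace: hosts, paths and status codes are made up.
SAMPLE_HAR = json.dumps({"log": {"entries": [
    _entry("GET", "https://mail.example.test/verse", 200),
    _entry("POST", "https://mail.example.test/upload", 200, "2640941AE5454F5853E6732F79E7D2F5"),
    _entry("POST", "https://mail-prod.example.test/upload", 500, "<none>"),
]}})

if __name__ == "__main__":
    for method, url, status, verdict in suspicious(audit_har(SAMPLE_HAR)):
        print(f"{status} {method} {url}: nonce {verdict}; "
              "check iNotes_WA_Security_NonceCheck in notes.ini")
```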

Author: Christoph Stoettner
I work at Vegard IT GmbH as a senior consultant, focusing on collaboration software, Kubernetes, security, and automation. I primarily work with HCL Connections, WebSphere Application Server, Kubernetes, Ansible, Terraform, and Linux. My daily work occasionally leads to technical talks and blog articles, which I share here more or less regularly.
