Warning: This is just a proof of concept and shouldn’t be used in production! I still have some issues with redirects to the new hostname.
In the series of encrypting network traffic within HCL Connections and Component Pack:
- Encrypt IHS Proxypass Traffic To Component Pack
- Securing Redis Traffic in HCL Connections with SSH Tunnels
the customizer part is missing. In a default configuration (or when you install as documented), the traffic from IHS and NGINX that is forwarded to the customizer (mw-proxy) and Ingress is unencrypted.
I’m still working on encrypting all network traffic between Connections and Component Pack servers. This time I checked the Ingress-Nginx Controller - TLS/HTTPS documentation.
The default configuration for connecting IHS with Component Pack uses the plain HTTP port 32080. All traffic like /social or the Tailored Experience wizard is routed from IHS to Kubernetes on port 32080.
Our target is to encrypt the traffic on port 32443.
At the moment I’m working with a customer to secure all traffic in HCL Connections. The target is to have only encrypted network traffic between servers.
Today I started enabling encryption to Redis. This is a documented process, but the documentation is outdated and incomplete.
Today I read the article KB0118248 and remembered my blog post from 2018. I also checked the attached aha idea where a comment states that you can use iframe for YouTube. Despite what KB0118248 incorrectly states, it is absolutely possible to embed videos in HCL Connections blogs and wikis using the HTML video tag as demonstrated in this post.
The HCL Connections documentation describes the process for configuring Windows desktop single-sign-on in a somewhat complicated way. Here are the necessary steps for setting up with the highest possible encryption.
I haven’t touched the Connections scripts for a long time, but I recently made some minor updates to fix compatibility issues with newer versions and added small scripts to speed up configuration. I also got the documentation script running from the menu.
I showed, in several slides and sessions, how you can use the search-admin role in the search application of HCL Connections for troubleshooting and reviewing some key configurations.
In several environments, my user or other administrative users have this role, just to access the link to /search/serverStatus for example.
Last week I played around with the HCL Connections documentation to backup Elasticsearch in the article Backup Elasticsearch Indices in Component Pack.
In the end I found that I couldn’t get the snapshot restored and that I have to run a command outside of my Kubernetes cluster to get a snapshot on a daily basis. That’s not what I want.
During a migration from Cognos Metrics to Elasticsearch Metrics, I had some issues with the index. So I wanted to create a backup of the already migrated data and start over from scratch.
The official documentation has an article on the topic: Backing up and restoring data for Elasticsearch-based components, but I had to slightly adjust the commands to get a successful snapshot.
In the last few years, I have had issues with application servers using a large amount of CPU and even hanging application servers running the Tiny Spellchecking service. It ended with disabled spellchecking in the Tiny Editors’ config.js.
The annual conference of DNUG took place in Constance from 22nd to 23rd of June 2022.
I attended the HCL Connections Roadmap session given by Rene Schimmer and David Strachan. They showed the updates for version 8 and beyond.
Today I got the question of how to disable the highlights app in Connections 7. When you follow the documentation for Connections 6.0CR6 you get an error message (and the document is not available in Connections 7).
I commented out the widget definition in widgets-config.xml as described in the documentation for the former release.
In late 2021 I had an HCL Connections environment start swapping, because the AppCluster used more than 30 GB of memory.
The system has
- two nodes
- is installed with the medium-sized deployment option
- About 7500 users with a high adoption rate, because Connections is also used as intranet
I wrote about font loading from external CDN in the post Hiding The Create Community Button 2nd last year and hoped this is finally fixed for all Connections applications. A good summary on the reasons to not allow external font loading is Blocking Web Fonts for Speed and Privacy.
So I checked with a Connections 7 deployment with the latest CFix (CFix.70.2112) deployed, if this is still an issue with Connections.
In former Connections’ versions we found external fonts loaded in Orient Me (/social), Communities Catalog (/communities) and the Admin panel (/cnxadmin/).
Some time ago I got the tip from HCL Support, that the Create Community button will recognize the role community-creator only when the gatekeeper option CATALOG_CARD_UPDATED is set to false.
This is working, but I had to complain, that this option activates some code, which loads fonts from a CDN instead of the local Connections deployment.
The last days I analyzed an issue, that file uploads to HCL Connections via IBM HTTPServer stopped working on a freshly installed 6.5CR1.
Today I configured a Connections 7 and tried with it. I think that the official documentation is old in some important parts for the upload configuration.
First of all my IBM HTTPServer 8.5.5.18 is not 32-bit like the documentation tells us:
Since IBM Connections 6.0CR4 we can use a new newsletter format which still needs (now with HCL Connections 7) to be activated separately in LotusConnections-config/notification-config.xml.
Today some users asked how they can add other users to their private communities (visible in Community catalog) without manually adding them. As we investigated the question I had a look at the old notification format.
Since the update to the new HCL Connections Community Card-Based Overview (Connections 6.0 CR4) I have been searching for a way to hide the button “Create Community” from users without the role “Community-Creator”. This was always possible in the earlier versions of Connections, but the button has always been shown since the update.
During the year I mostly forgot about it, but yesterday I opened a case with HCL Connections Support and immediately got the following answer:
Some weeks ago I wrote about a workaround to prevent TDI from deleting the touchpoint status in HCL Connections.
During some research on TDI I found Mapping fields manually in the HCL Connections documentation. This document describes how to add additional fields to the TDI synchronisation. On point 11 I found something new for me. You can add additional fields and then add the content with a JavaScript function, for example.
Today I activated Elasticsearch Metrics and Typeahead Search on my demo HCL Connections cluster.
To my surprise the indices weren’t created and I got errors on the wsadmin.sh commands.
SearchService.createESQuickResultsIndex()
I checked the Elasticsearch pods which showed a running state, but the logs showed the following messages:
HCL included some additional apps with HCL Connections 6.5CR1. One of them is Touchpoint, which can be used to present users the “Terms and Conditions” (or Privacy and Guidelines) of the environment and some help creating their profile, network and become member of their first communities.
Touchpoint writes some profile extension entries in the PEOPLEDB database in the table PROFILE_EXTENSIONS, most important:
This week I attended the DNUG Connections Day 2020 in Munich. First of all I need to thank the organization team which did a really good job (Thanks Andreas, Martti and Lara). During the short breaks we had great conversations with parts of the HCL Developer team and other attendees.
Update
I completely forgot to mention Jörg Rafflenbeul! He was responsible for beer steins, a great glass of quits jar, photos, videos and a ton more. Sorry Joerg and thank you!
A lot of people don’t like to store credentials in mobile apps or browsers. A good workaround is the usage of OAuth 2.0 tokens, but the application needs to support it and the server you’re talking to too. The IBM Connections Mobile App can use it for authentication.
OAuth2 can be used directly with WebSphere Application Server and Connections 6.0. There are no special OAuth servers or applications needed!
The Documentation at IBM was a little bit confusing for me, there are lots of sidenotes, but you just need to do the following steps to use OAuth 2.0 token-based authentication with the IBM Connections Mobile App.
This week starts with Admincamp in Gelsenkirchen. Thanks Rudi Knegt and team for this awesome event! The conference, or let's name it camp, was real fun. In the end I did three sessions and a workshop. You can find download links to all slides and used files in this article or on https://stoeps.de/speaking/2018/. I learned and heard a lot of interesting stuff around IBM Notes, IBM Connections and Sametime. You can get most of the session slides through the Admincamp agenda.
Today I learned a new lesson during troubleshooting an IBM Connections system. I updated to 6.0 CR2, updated WebSphere to FP13, last fixpack for Docs and so on. You will ask if I added IFP88438 to the list, be sure that I installed this fix which re-enables the root element in Federated Repositories. Have a look at WAS 8.5.5 FP12 breaks Domino “root” base entry setting for more details.
Then one of the two deployments showed strange behavior with Activities. On the Activitystream I only got an orange error symbol instead of the Todo list and when I opened Activities directly I got an empty page.
IBM Docs Viewer can open source files with syntax highlighting. This feature is disabled by default, but sometimes very useful.
You need to enable it with IBM Connections Gatekeeper.
After some deployments of IBM Connections pink and IBM Cloud private, I want to share some tools, links and hopefully helpful information around these products.
So up to IBM Connections 6.0 everything was allowed unless it was excluded in one of the blocklist files. These files are stored within the Deployment Manager profile/config/cells/<cellname>/LotusConnections-config/extern. Now with Connections 6.0CR1 everything is forbidden unless it is enabled in the allowlist. This concept is rolled out for widgets (homepage and communities) and active content. Active content means HTML content too. So everything you or your users add to Connections (blog posts, wiki pages) gets filtered during the save procedure. This removes all HTML tags and attributes which are not explicitly allowed!
During the week we integrated IBM Connections and IBM Docs in our test environment and everything worked fine. Then we moved the configuration to production and most of the stuff was working, like showing Business cards, profile pictures and Connections files to add into mails. Docs Viewer and uploading files from a mail to Connections generated an error: “because of an internal server error”
This year I attended IBM Connect in San Francisco. In my eyes it was a great event and I enjoyed it very much.
Some announcements are very important for the future and evolution of the IBM portfolio:
This week I installed IBM Connections 5.5CR1 on a Windows Server. I used WebSphere Application Server 8.5.5.9 and everything ran pretty smooth, but the Connections install itself ended in an error after all applications were successfully installed.
Wikis in IBM Connections 5.5 have a little bug, because the links (/library instead of /wikis/form/api/library) for images are wrong and so they are not displayed.