Personal Blog of Thomas Hampel - Creative Mythbusting in Development and Collaboration

Query results for : September 2014

Mail Rules Analyzer has been published - 29 September 2014

Thomas Hampel
 29 September 2014

Today OpenNTF published one of my contributions, Mail Rules Analyzer.
It is a small tool for Domino administrators to scan mail files on one or many servers to find out whether any mail rule has been set up to forward mail externally.

The main use case is to analyze an environment and notify users who have such mail rules configured before preventing users from forwarding mail to external recipients.
Results can be grouped, sorted, and analyzed later on. At present the tool only scans for rules that forward mail to external recipients, but certainly there is room for further improvement...
Here are a few screenshots of the user interface:

Image:Mail Rules Analyzer has been published

Image:Mail Rules Analyzer has been published
Please post your comments and ideas in the feature requests section of the project.
This is just the first publication out of a number of tools which our team has developed over time; we expect to publish them one by one in the near future.

Special thanks to Julian Robichaux for allowing the design reuse of the OpenLog template.

Import Contacts from GDI Business Line / FirebirdSQL to Domino - 23 September 2014

Thomas Hampel
 23 September 2014

GDI Business Line is ERP & CRM software for the small and medium business market. It is developed by the German vendor GDI, based in Landau in der Pfalz.
A customer wanted to use the address data from the GDI platform in the Notes/Domino environment. The main purpose was to simplify communication with known customers by synchronizing contact names, addresses, and phone numbers to Domino.

We all know integrating directory data with Domino is made easy with TDI, so let's see if we can use it here.
The backend database of GDI is based on FirebirdSQL, and they provide a JDBC driver, which is all we need to make it work.

Here are step-by-step instructions for connecting TDI with the GDI address table:

Part 1 - TDI Installation

Tivoli Directory Integrator V7.1.1 is provided free of charge as an additional entitlement for Notes/Domino customers.
All you need to download from Passport Advantage is IBM Tivoli Directory Integrator Identity Edition V7.1.1 with the part number that fits your needs:

Platform         Part Number   Size
Windows 32-bit   CZUF0ML       555 MB
Windows 64-bit   CZUF7ML       567 MB
Linux 32-bit     CZUF2ML       547 MB
Linux 64-bit     CZUF3ML       554 MB


We intend to use a local Notes Client connector, so we will be using the 32-bit version of TDI. In case you're planning to install TDI on a 64-bit Domino server, you could also go for that version.
The installation process of version 7.1.1 is no different from V7.1, so you can just follow the instructions for installing Tivoli Directory Integrator on IBM Infocenter or on Connections101 (thanks gabturtle & Paul Mooney for this site).

Part 2 - Apply TDI Fix Pack

Download the latest fix pack for TDI v7.1.1 from Fix Central, which at the time of writing this blog post is Fix Pack 3, and this JRE upgrade.
Follow the installation instructions provided with the fix pack(s).
Hint: {TDI_install_dir}\bin\Applyupdates.bat -update [path to FP zip file]

Part 3 - Notes Connector

TDI can establish different types of connections to Notes/Domino; not all of them can be used everywhere (see Supported session types by Connector).
For example, if you don't want IIOP to be enabled on your Domino server, you'll have to use either the Local Client connector, which requires a Notes Client to be installed on the same machine, or the Local Server connector, which requires a Domino Server installed on the same machine. My personal preference is the Notes client connector because it just requires a Notes ID and I can connect from my own client workstation to any server regardless of whether IIOP is enabled or not.
  • Copy the file {NotesProgramDir}\jvm\lib\ext\Notes.jar  to  {TDI_install_dir}/jars/3rdparty/IBM  
    (or to the folder defined by the "com.ibm.di.loader.userjars" parameter in the solution.properties file)
  • Append the Notes Directory to the PATH parameter in the following TWO files
    {TDI_install_dir}ibmditk.bat
    {TDI_install_dir}ibmdisrv.bat
    Example:
    set PATH=%TDI_HOME_DIR%;%TDI_JAVA_BIN_DIR%;%TDI_LIB_DIR%;C:\Program Files (x86)\IBM\Notes;%PATH%


Part 4 - Firebird JDBC Connector

As long as there is a JDBC connector, TDI should be able to connect to the database. FirebirdSQL is nothing special here, so this is what you have to do:
  • Pick the JDBC driver here (make sure to choose the one for Java 7)
  • Extract the ZIP file to a temporary folder of your choice
  • Copy the following three files to the folder {TDI_install_dir}\jars\3rdparty\other
    jaybird22.dll, jaybird-2.2.5.jar, jaybird-full-2.2.5.jar

    Image:Import Contacts from GDI Business Line / FirebirdSQL to Domino

Part 5 - Connect and Feed Data

Now launch TDI Configuration Editor ( {TDI_install_dir}ibmditk.bat ) and add a new JDBC connector

Image:Import Contacts from GDI Business Line / FirebirdSQL to Domino
We would like this connector to be used in Iterator mode because we want to loop through the data later on.
When you click on "Next >" you will be prompted to specify additional connection parameters.
The syntax for the JDBC URL is:

jdbc:firebirdsql://host[:port]/database


JDBC URL = jdbc:firebirdsql://sqlserver:23053/C:\Database\GDI.GDB?sql_dialect=1&charset=WIN1252
JDBC Driver = org.firebirdsql.jdbc.FBDriver

Image:Import Contacts from GDI Business Line / FirebirdSQL to Domino
And of course you must define your database credentials and the table you want to connect to. In our case the table is "CM_ADRESSEN".

Image:Import Contacts from GDI Business Line / FirebirdSQL to Domino
Click Finish to add the connector as your input feed.

Image:Import Contacts from GDI Business Line / FirebirdSQL to Domino

Part 6 - Data Map

Now let's use the connection and define the input map:
  • Within the connector, use the Connect button to establish a first connection for reading the database schema.
  • Select the fields you want to use, either by dragging and dropping them from the schema or by using the "Add" button.
    Image:Import Contacts from GDI Business Line / FirebirdSQL to Domino

Part 7 - Output to Notes/Domino

Let's write this data to Domino...
(Remark: this assumes the target database already exists and uses a standard pubnames template.)
  • Add a Notes Connector in Update mode
    Image:Import Contacts from GDI Business Line / FirebirdSQL to Domino
    When you click on "Next >" you will be prompted to specify additional connection parameters.
    This example will connect to a remote database hosted on "DominoServer/Org/O", you can of course leave the server name empty to connect to a local database.

    Image:Import Contacts from GDI Business Line / FirebirdSQL to Domino
    Click Finish to add the connector as your Data Flow.
  • Click the output connector again to define which data to write to which field in Notes/Domino
    Here is an example, feel free to modify or extend:

    Image:Import Contacts from GDI Business Line / FirebirdSQL to Domino
  • In the connector define the Link Criteria
    It seems the field SATZUUID is used as a unique key, so we are going to use it as well. Of course you need to make sure to write this field to the target database; otherwise the lookup will always fail and duplicate entries are the result.

    Image:Import Contacts from GDI Business Line / FirebirdSQL to Domino

Part 8 - Fine Tuning

This part is to be done by yourself. You should probably add some special handling for different address types, such as whether the record is using...

"Adresstyp=1" = Contact
"Adresstyp=4" = Company
"Adresstyp=16" = Person

or updating the full text index when the AssemblyLine has finished...


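// Run after the AssemblyLine has finished: refresh the full-text index
// of the target Notes database.
// "NotesConnector" is the name of the Notes output connector in this AssemblyLine.
var message;
try {
    // Reuse the parameters and the Domino session of the output connector
    var notes = NotesConnector.getConnector();
    var dbname = notes.getParam("notesDatabase");
    var srvname = notes.getParam("notesServer");
    var sess = notes.getDominoSession();
    var db = sess.getDatabase(srvname, dbname);

    if (db.isOpen()) {
        message = "Requesting to update FTIndex on " + srvname + "!!" + dbname;
        task.logmsg("INFO", message);
        db.updateFTIndex(true);   // true = create the index if it does not exist yet
    } else {
        message = "Unable to open target Notes database " + srvname + "!!" + dbname;
        task.logmsg("ERROR", message);
        java.lang.System.out.println(message);
    }
} catch (ex) {
    // Log the failure instead of aborting the AssemblyLine
    message = "Unable to update FTIndex in target Notes database: " + ex;
    task.logmsg("ERROR", message);
    java.lang.System.out.println(message);
}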



Part 9 - Run it

Run the AssemblyLine and (optionally) have a beer while you watch new person documents showing up in Domino.


Summary

For those of you who are very lazy, here is the TDI AssemblyLine for further use.
GDIDataImportExample.xml


Please note that you must adjust it to fit your needs! Concluding with Notes Sensei's words: YMMV

IBM HTTP Server - iKeyman with support for CMS is already part of your Notes Client - 22 September 2014

Thomas Hampel
 22 September 2014

Following up on David's post, here is a WIMP's guide to getting a GUI version of iKeyman that supports the CMS format used by the IBM HTTP Server.
iKeyman is actually part of your Notes Client; it is available in "/jvm/bin/ikeyman.exe", but unfortunately this version does not provide support for CMS keystores.
Image:IBM HTTP Server - iKeyman with support for CMS is already part of your Notes Client
So what does it take to add support for the CMS format?
There is a (much) longer method to get the same done by downloading a specific version of iKeyman which includes CMS support... but this I'll explain at the end of this post.

Here is the short version:

What you need:
  • Notes Client (which you should already have installed)
  • Text editor of your choice

Actions:
  • Edit the file /jvm/lib/security/java.security
  • Find the list of security providers, e.g. by searching for "security.provider", which should look like this:
    security.provider.1=com.ibm.jsse2.IBMJSSEProvider2
    security.provider.2=com.ibm.crypto.provider.IBMJCE
    security.provider.3=com.ibm.security.jgss.IBMJGSSProvider
    security.provider.4=com.ibm.security.cert.IBMCertPath
    security.provider.5=com.ibm.security.sasl.IBMSASL
    security.provider.6=com.ibm.xml.crypto.IBMXMLCryptoProvider
    security.provider.7=com.ibm.xml.enc.IBMXMLEncProvider
    security.provider.8=org.apache.harmony.security.provider.PolicyProvider
    security.provider.9=com.ibm.security.jgss.mech.spnego.IBMSPNEGO
  • Append one new line at the end of this list, where [X] is the next integer value available
    security.provider.[X]=com.ibm.security.cmskeystore.CMSProvider
  • Save

So it should look like this:
{...}
#
# List of providers and their preference orders (see above):
#
security.provider.1=com.ibm.jsse2.IBMJSSEProvider2
security.provider.2=com.ibm.crypto.provider.IBMJCE
security.provider.3=com.ibm.security.jgss.IBMJGSSProvider
security.provider.4=com.ibm.security.cert.IBMCertPath
security.provider.5=com.ibm.security.sasl.IBMSASL
security.provider.6=com.ibm.xml.crypto.IBMXMLCryptoProvider
security.provider.7=com.ibm.xml.enc.IBMXMLEncProvider
security.provider.8=org.apache.harmony.security.provider.PolicyProvider
security.provider.9=com.ibm.security.jgss.mech.spnego.IBMSPNEGO
security.provider.10=com.ibm.security.cmskeystore.CMSProvider
{...}
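
The manual edit above as a small script that can be run against a copy of java.security. This is an added example, not code from the original post or from IBM; the function names and the sample text are assumptions made for illustration. It skips commented-out entries, does nothing if the CMS provider is already registered, and refuses to append when the numbering has a gap.

```python
import re

CMS_PROVIDER = "com.ibm.security.cmskeystore.CMSProvider"
PROVIDER_RE = re.compile(r"^\s*security\.provider\.(\d+)\s*=\s*(\S+)")

# Constructed sample: a shortened provider list in the layout shown above.
SAMPLE = """\
# List of providers and their preference orders (see above):
security.provider.1=com.ibm.jsse2.IBMJSSEProvider2
security.provider.2=com.ibm.crypto.provider.IBMJCE
security.provider.3=com.ibm.security.jgss.IBMJGSSProvider
#security.provider.4=constructed.commented.out.Provider
"""


def active_providers(text):
    """Map index -> class name for every uncommented security.provider.N line."""
    found = {}
    for line in text.splitlines():
        m = PROVIDER_RE.match(line)
        if m:
            found[int(m.group(1))] = m.group(2)
    return found


def add_cms_provider(text):
    """Return (new_text, index) with the CMS provider registered exactly once."""
    found = active_providers(text)
    for index, cls in found.items():
        if cls == CMS_PROVIDER:
            return text, index  # already registered: leave the file untouched
    # The JDK reads security.provider.1, .2, ... in order and stops at the
    # first missing number (assumed to hold for the JVM bundled with Notes),
    # so an entry appended after a gap would never be loaded.
    if not found or sorted(found) != list(range(1, len(found) + 1)):
        raise ValueError("provider numbering is not contiguous from 1")
    last = len(found)
    out = []
    for line in text.splitlines():
        out.append(line)
        m = PROVIDER_RE.match(line)
        if m and int(m.group(1)) == last:
            out.append("security.provider.%d=%s" % (last + 1, CMS_PROVIDER))
    return "\n".join(out) + "\n", last + 1


if __name__ == "__main__":
    print(add_cms_provider(SAMPLE)[0])
```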

Result:
Voila: CMS support is ready
Image:IBM HTTP Server - iKeyman with support for CMS is already part of your Notes Client
Image:IBM HTTP Server - iKeyman with support for CMS is already part of your Notes Client

This blog post could end here but I'd like to share what someone would have to do without using the method above:

The (very) long route:
  1. Try downloading IBM HTTP Server from www.ibm.com/software/webservers/httpservers/download or here
  2. Recognize this website only offers version 7.0.0.0, dated 15 May 2009
  3. Try anyway and download and install v7.0.0
  4. Notice iKeyman in this version does not support Subject Alternative Names (SAN)
    Image:IBM HTTP Server - iKeyman with support for CMS is already part of your Notes Client
  5. Read Technote 1444027
    Notice it clearly states: "later versions of IBM HTTP Server (IHS), after v7.0, do not require these special steps to enable SAN functionality."
  6. Conclude that Technote 1444027 is wrong or needs an update
  7. Try downloading the IBM HTTP Server trial 8.0 or 8.5
  8. Notice the web site does not offer a download link and only shows a blank page (why?)
  9. Get IBM HTTP Server in the latest version (which is part of the WebSphere Application Server 8.5.5 Supplements disks, so it's just 3 GB to download)
  10. Install the IBM Installation Manager v1.8 and add the WAS Supplements folder location as a new repository
  11. Install IBM HTTP Server
  12. Launch iKeyman with CMS support and Subject Alternative Name support
    Image:IBM HTTP Server - iKeyman with support for CMS is already part of your Notes Client
  13. Notice that iKeyman is actually part of the Notes Client anyway and the same could have been done without all those actions before: priceless

For reference:
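A certificate request including Subject Alternative Names can be created with the GSKTool command-line version. Note that -pw puts the key database password on the command line, where it ends up in the shell history and the process list: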
/opt/IBM/HTTPServer/bin/gskcapicmd -certreq -create -db /opt/IBM/HTTPServer/ssl/keystore.kdb -pw passw0rd -label foobar -dn "cn=www.foobar.ibm.com" -size 2048 -file /tmp/foobar.csr -san_dnsname "www.foobar.ibm.com" -san_emailaddr "admin@us.ibm.com" -san_ipaddr "192.168.1.221"

IBM HTTP Server - SSL Handshake Failed and why it matters to keep a backup of the key ring file - 20 September 2014

Thomas Hampel
 20 September 2014

All of a sudden (as usual) clients started to receive SSL expiration warnings when accessing the customer's Connections environment.

A quick look into the log file /opt/IBM/HTTPServer/logs/error.log confirmed that the SSL certificate had expired:
[Sat Sep 20 22:21:05 2014] [error] [client 10.175.198.62] [8222a80] [30015] SSL0221E: SSL Handshake Failed, Either the certificate has expired or the system clock is incorrect. [10.175.198.62:40028 -> 10.175.220.11:443] [22:31:05.000019743]
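
The message names two possible causes, an expired certificate or a wrong clock. The following added example (not from the original post; the function names, the threshold of three clients and the sample lines are assumptions) parses error.log lines in the layout quoted above and reports listeners where several distinct clients fail with SSL0221E, which points at the server's own certificate or clock rather than at one client.

```python
import re
from collections import defaultdict

# Layout taken from the error.log line quoted above:
# [date] [level] [client ip] [..] [..] CODE: text [src:port -> dst:port] [time]
LINE_RE = re.compile(
    r"^\[(?P<ts>[^\]]+)\] \[(?P<level>\w+)\] \[client (?P<client>[^\]]+)\] "
    r".*?(?P<code>SSL\d+[A-Z]): (?P<text>.*?) \[(?P<src>\S+) -> (?P<dst>\S+)\]"
)

# Constructed sample input (documentation IP ranges, not real log data).
_FMT = ("[Sat Sep 20 22:2{n}:05 2014] [error] [client {c}] [8222a80] [30015] "
        "SSL0221E: SSL Handshake Failed, Either the certificate has expired or "
        "the system clock is incorrect. [{c}:40028 -> {d}] [22:2{n}:05.000019743]")
SAMPLE_LOG = [
    _FMT.format(n=1, c="192.0.2.10", d="198.51.100.11:443"),
    _FMT.format(n=2, c="192.0.2.20", d="198.51.100.11:443"),
    _FMT.format(n=3, c="192.0.2.30", d="198.51.100.11:443"),
    _FMT.format(n=4, c="192.0.2.10", d="198.51.100.12:443"),
    "[Sat Sep 20 22:25:00 2014] [notice] constructed unrelated line",
]


def failures_by_listener(lines, code="SSL0221E"):
    """Map each listener (dst ip:port) to the set of clients that hit `code`."""
    hits = defaultdict(set)
    for line in lines:
        m = LINE_RE.match(line)
        if m and m.group("code") == code:
            hits[m.group("dst")].add(m.group("client"))
    return dict(hits)


def suspect_listeners(lines, min_clients=3):
    """Listeners where at least min_clients distinct clients failed.

    Many different clients failing against one listener suggests a
    server-side cause; a single client suggests that client's clock.
    """
    return sorted(dst for dst, clients in failures_by_listener(lines).items()
                  if len(clients) >= min_clients)


if __name__ == "__main__":
    for dst in suspect_listeners(SAMPLE_LOG):
        print("check certificate expiry and system clock on", dst)
```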


Opening the *.kdb file with the gsktool showed the default certificate had expired.
Image:IBM HTTP Server -  SSL Handshake Failed and why it matters to keep a backup of the key ring file
OK, nothing easier than that... so let's create a new signing request and get it signed by the certificate authority.
Once that is completed we can import the new certificate, including any trusted roots, quickly.


However, when you try to import/receive your signed certificate, keep the following in mind:
  • You can only import a signed certificate into >exactly< the same *.kdb file which was used to create the certificate request. The private key is generated together with the request and is kept with that key database; the signed certificate contains only the public key.

Within the iKeyman utility, switch from "Personal certificates" to "Personal Certificate Requests" (sorry, only got screenshots in German available and hope the translation is correct)
Image:IBM HTTP Server -  SSL Handshake Failed and why it matters to keep a backup of the key ring file

Normally it would look like this...
Image:IBM HTTP Server -  SSL Handshake Failed and why it matters to keep a backup of the key ring file

But if it looks like the following screenshot, then bad luck... you cannot import your signed certificate anymore.
Image:IBM HTTP Server -  SSL Handshake Failed and why it matters to keep a backup of the key ring file

Instead you'll see "The certificate request created for the certificate is not in the key database"  / "Die für das Zertifikat erstellte Zertifikatsanforderung ist nicht in der Schlüsseldatenbank vorhanden."
Image:IBM HTTP Server -  SSL Handshake Failed and why it matters to keep a backup of the key ring file

Now your options to solve this are:
a) find the original key ring file (*.kdb) which was used to create the certificate request
b) create a new certificate request, but this time make sure to keep the *.kdb file
c) set up a self-signed certificate - although this is an option, it should not be considered
d) update the SSL directives on your IBM HTTP Server and set SSLClientAuth to "noverify". This will not fix the problem but will at least allow the server to be up and running with an expired certificate until you have obtained a new one.
(...if there are other options, please let me know)

Lessons learned:
  • Keep the key ring file backed up
  • Track certificate expiration time
  • When expired, take action well in advance
  • Even when delegating simple work, supply detailed instructions of at least 250 pages

Off topic:
Why do I need to troubleshoot such a very very basic problem myself on a Saturday night?


Thomas Hampel, All rights reserved.