Old version of Notes Java breaks IBM Connections Files plugin when TLSv1.2 is enforced

I had to raise a PMR on a problem I and others in my company had with the Notes client. After enforcing TLSv1.2 in Connections 5.5 using the following configuration in httpd.conf, the Files plugin would not work but the Activities and Status Updates plugins would.

SSLProtocolDisable SSLv2 SSLv3 TLSv11 TLSv10

I kept seeing the following screen and clicking “try again using existing options” did nothing.

Whilst clicking on “try again using existing options” I would see the following in IHS.

[Wed Mar 29 14:30:41 2017] [warn] [client xxx.xxx.xxx.xx] [7f9a480ec800] [30453] SSL0222W: SSL Handshake Failed, No ciphers specified (no shared ciphers or no shared protocols).  [xxx.xxx.xxx.xx:49296 -> xxx.xxx.xxx.xx:443] [14:30:41.000571168] 0ms

The SSL certificate is at 4096 bits and I had previously replaced US_export_policy.jar and local_policy.jar with the unrestricted policy jars so that was not the problem.

I found, oddly, that if I swapped to the IBM Sametime Meetings plugin first and then changed to Files, my files would load…. Also, if I ran Fiddler and restarted my Notes client but went directly to Files it would load too. Weird.

I had a screen share with Elizabeth Hecht and Jacqueline Chewens to show them the odd behaviour and they too were baffled. Liz wondered whether the version of Java being used might not be allowing connectivity to Files and asked whether I had applied the Java update for FP6. Not having so much focus on Notes and Domino of late, I told her I wasn’t even aware that previously you were supposed to update the version of Java being used by the Notes client.

To test this I updated Notes to FP8, which bundles in the Java update, and lo and behold the Files plugin started working. Also, there was no need to replace the jars with the unrestricted ones!

The version of Java now in play is as follows.

c:\Program Files (x86)\IBM\Notes\jvm>java -version
java version "1.8.0_121"
Java(TM) SE Runtime Environment (build 1.8.0_121-b13)
Java HotSpot(TM) Client VM (build 25.121-b13, mixed mode, sharing)

BTW – if Connections enforces SSL then you need to make sure that com.ibm.documents.connector.service/ENABLE_SSL=true is set in the plugin_customization.ini.
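Before or after enforcing TLSv1.2 it helps to know which clients are failing the handshake, since each one is a candidate for the Java update described above. The following is an added example, not part of the original post: it groups SSL0222W entries from the IHS error log by client address. The sample lines are constructed in the format of the entry quoted earlier, with documentation-range addresses as placeholders.

```python
import re
from datetime import datetime

# Constructed sample lines in the format of the IHS entry quoted in the post;
# the addresses are documentation-range placeholders, not values from the post.
SAMPLE_LOG = """\
[Wed Mar 29 14:30:41 2017] [warn] [client 192.0.2.10] [7f9a480ec800] [30453] SSL0222W: SSL Handshake Failed, No ciphers specified (no shared ciphers or no shared protocols).  [192.0.2.10:49296 -> 198.51.100.5:443] [14:30:41.000571168] 0ms
[Wed Mar 29 14:30:44 2017] [warn] [client 192.0.2.10] [7f9a480ec800] [30453] SSL0222W: SSL Handshake Failed, No ciphers specified (no shared ciphers or no shared protocols).  [192.0.2.10:49297 -> 198.51.100.5:443] [14:30:44.000112233] 0ms
[Wed Mar 29 14:31:02 2017] [error] [client 192.0.2.30] File does not exist: /opt/IBM/HTTPServer/htdocs/favicon.ico
[Wed Mar 29 14:35:10 2017] [warn] [client 192.0.2.22] [7f9a480ec800] [30460] SSL0222W: SSL Handshake Failed, No ciphers specified (no shared ciphers or no shared protocols).  [192.0.2.22:51200 -> 198.51.100.5:443] [14:35:10.000998877] 0ms
[Wed Mar 29 14:42:07 2017] [warn] [client 192.0.2.10] [7f9a480ec800] [30453] SSL0222W: SSL Handshake Failed, No ciphers specified (no shared ciphers or no shared protocols).  [192.0.2.10:49311 -> 198.51.100.5:443] [14:42:07.000445566] 0ms
"""

# Captures the timestamp, the client address and the SSLnnnnX message code.
LINE_RE = re.compile(
    r"^\[(?P<ts>[^\]]+)\] \[\w+\] \[client (?P<client>[^\]]+)\] .*?"
    r"(?P<code>SSL\d{4}[A-Z]): "
)


def failed_handshakes(log_text, code="SSL0222W"):
    """Summarise handshake failures per client: count, first seen, last seen."""
    summary = {}
    for line in log_text.splitlines():
        m = LINE_RE.match(line)
        if not m or m.group("code") != code:
            continue  # unrelated entry or a different SSL message
        ts = datetime.strptime(m.group("ts"), "%a %b %d %H:%M:%S %Y")
        entry = summary.setdefault(
            m.group("client"), {"count": 0, "first": ts, "last": ts}
        )
        entry["count"] += 1
        entry["first"] = min(entry["first"], ts)
        entry["last"] = max(entry["last"], ts)
    return summary


if __name__ == "__main__":
    for client, info in sorted(failed_handshakes(SAMPLE_LOG).items()):
        print(client, info["count"], info["first"], info["last"])
```

A client that keeps appearing in this summary after the change is still offering only protocols or ciphers the server has disabled.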


Connections Pink and container orchestration using CfC

A while ago I started dabbling with Docker after reading some great blogs about ELK by Klaus Bild and Christoph Stoettner thinking I could do with a tool like ELK to analyse log files and to give me something tangible to work with whilst learning about Docker.

After a lot of hard learning and some frustrating hours I got my head around containers and how they could be used to my advantage and got ELK running natively on Ubuntu and then on my work Windows 7 laptop.

A few months before Connect 2017 news was leaking about Connections Pink and its architecture and how the applications will run within containers. Recently Jason Gary Roy held a webinar (Open Mic Webcast: Think Pink – The Future of IBM Connections – 07 March 2017) replaying some of his slides from Connect 2017 and in the video he mentions (briefly) CfC in combination with Docker and containers.

I asked the question in the IBM Connections Community Skype chat and a few people told me that CfC was an IBM product called IBM Spectrum Conductor for Containers. I looked through the community for CfC and realised how important having an orchestration tool is for running multiple containers and scaling for high availability. This was a long way away from running three containers on my laptop.

Installing CfC was pretty easy and well documented in the CfC community. Installation wise you need to install on Ubuntu 16.04 or RHEL although I am sure CentOS will work. I’ll get to that next week.

What you end up with is a rather nice UI which does many of the hard things for you such as networking, setting up persistent storage for your containers, moving applications to other nodes, automatic scaling when demand requires and many more.

What I also liked is that it acts as a private repository for your containers avoiding you needing to push to Docker Hub for storage.

In the latest version you can install on a single node which is great for testing purposes but it also allows you to add and remove worker nodes when you want to branch out.

I asked in the CfC Slack channel what the future looks like for CfC because if it requires a license then it is another hurdle to overcome when selling in Connections. The response I got was:

“We are intending to keep providing a free version that customer can use and deploy as it is a packaging of open-source. Business discussion on what to do beyond that are still ongoing so I can’t comment. Options include providing commercial support or additional add-ons around the open-source for a commercial product. Right now this is a community effort, and we are currently looking technical feedback and understanding of what use cases people would like to use CfC for. Looking forward to your participation.”

Since the product is built on the following open technologies I would hope that a free option remains available going forward.

Another benefit of using CfC is that IBM are using it for Pink. I assume that most of the documentation referring to orchestration of the containers will reference CfC in some form. Getting to know it now, I hope, will make deploying Pink containers easier.

Thanks to Michele Buccarello for answering my questions.

CwC has been built with below individual components

Core component:

  • Kubernetes and Mesosphere API/CLI
  • GUI
  • Installer for HA
  • Authentication through LDAP
  • An App store
  • A Private image registry

Sample applications:

  • Frontend
  • Liberty
  • Nginx
  • Redis
  • Tomcat

Built in Network

  • Flannel
  • Calico

Built in persistent Storage

  • NFS
  • Hostpath
  • GlusterFs

Supported CPU Architecture

  • PowerPC LE
  • x86

Whiteboard now removed from Sametime meetings

I created Whiteboard in Sametime 9.0.1 after finding that a whiteboard feature was added to meetings some time ago.

This morning Andreas Bader got back to the Skype group, IBM Sametime Community Chat, after finding that the whiteboard feature had been removed after applying the latest Meeting server patch. Andreas had logged a PMR asking IBM where it had gone. IBM’s response was:

“I can confirm The Meetings Whiteboard feature release is being put on hold indefinitely.
The module “Core Whiteboard Services” has been removed permanently from the ST Meetings build, the whiteboard was an unsupported proof of concept feature.”

Cheers IBM. You finally gave us something people wanted for ages and then took it away.

Exception when Connections email digests are sent – LO90678

I saw the following error in the Infrastructure SystemOut.log each day when the daily or weekly digest is sent on this Connections 5.5 CR2 server.

Weekly Email Digest Report
Tranche ID: tranche_2_5oPldKwZTaR7aAiPFw4L08CyRW
Start Time: 7 Mar 2017 23:00:02 GMT -> End Time: 7 Mar 2017 23:00:02 GMT
Users Processed: 4, Digest Mails Sent: 2
[3/7/17 23:00:04:110 GMT] 00000413 CrudDao       E com.ibm.lconn.hpnews.data.dao.impl.ibatis.CrudDao DELETE Batch – doInSqlMapClient Exception caught –
com.ibm.db2.jcc.am.BatchUpdateException: [jcc][t4][102][10040][3.69.66] Batch failure.  The batch was submitted, but at least one exception occurred on an individual member of the batch.
Use getNextException() to retrieve the exceptions for specific batched elements. ERRORCODE=-4229, SQLSTATE=null

I thought that there was a problem with data in the database and being a recent migration I thought there was something “bad” in there.


The above query gave me the users that were in this tranche. I then applied the following trace to see what was being sent


This really didn’t help me too much as the data looked fine. Then I turned to Google and found that Ted Hardenburgh had already come across this problem, detailed in IBM Connections 5.5 – Errors in SystemOut.log cleaning up HOMEPAGE database.

I raised a PMR and IBM sent me LO90678 which I applied. Checking the SystemOut.log the next day I still saw the same errors. IBM passed this back to development and they responded with, “exceptions should go away after expiration period (default 30 days) for stories. News cleanup service should work normally after this period of time.”

I have checked this morning and the exceptions at 23:00 seem to have stopped.

iOS push notifications not received due to expired APNs certificates

I was finding in a Connections 5.0 CR4 environment push notifications were not being received on iOS devices but they were for Android.


I saw the following errors and similar on apps server startup

[3/7/17 10:49:16:874 GMT] 00002240 ApnsConnectio I com.notnoop.apns.internal.ApnsConnectionImpl sendMessage Failed to send message Message(Id=1; Token=A907EA2FBD34C6E222B9176FE65AA51576D5100713F3E6061A288F42013287B8; Payload={"1":"joe.bloggs@dev-acme.com","2":null,"3":null,"aps":{"badge":2,"alert":{"loc-key":"N1","loc-args":["JOE BLOGGS"]},"sound":"chimes"},"4":2,"5":"1"})… trying again after delay
javax.net.ssl.SSLException: Received fatal alert: internal_error
at com.ibm.jsse2.p.a(p.java:20)
at com.ibm.jsse2.p.a(p.java:23)
at com.ibm.jsse2.SSLSocketImpl.b(SSLSocketImpl.java:789)
at com.ibm.jsse2.SSLSocketImpl.a(SSLSocketImpl.java:397)
at com.ibm.jsse2.SSLSocketImpl.h(SSLSocketImpl.java:320)
at com.ibm.jsse2.SSLSocketImpl.a(SSLSocketImpl.java:609)
at com.ibm.jsse2.l.write(l.java:24)
at java.io.OutputStream.write(OutputStream.java:69)
at com.notnoop.apns.internal.ApnsConnectionImpl.sendMessage(ApnsConnectionImpl.java:268)
at com.notnoop.apns.internal.ApnsConnectionImpl.sendMessage(ApnsConnectionImpl.java:258)
at com.notnoop.apns.internal.ApnsPooledConnection$2.run(ApnsPooledConnection.java:77)
at java.util.concurrent.ThreadPoolExecutor$Worker.runTask(ThreadPoolExecutor.java:895)
at java.util.concurrent.ThreadPoolExecutor$Worker.run(ThreadPoolExecutor.java:918)
at java.lang.Thread.run(Thread.java:790)

These errors look network or security related.

Network tests

My tests showed that the network is open.

# telnet gateway.push.apple.com 2195
Connected to gateway.push.apple.com.
Escape character is '^]'.
telnet> quit
Connection closed.
#  telnet feedback.push.apple.com 2196
Connected to feedback.push.apple.com.
Escape character is '^]'.

The following is a Java application provided by IBM to test the connection to APNs for Sametime servers.

# /opt/IBM/WebSphere/AppServer/java/bin/java -jar ./07700.019.866.cert.jar apns -t -f ./apns-prod.pkcs12
IssuerDN: CN=Apple Worldwide Developer Relations Certification Authority, OU=Apple Worldwide Developer Relations, O=Apple Inc., C=US
SubjectDN: C=US, O=IBM, OU=RBVH72H5WP, CN=Apple Push Services: com.ibm.lotus.sametime, UID=com.ibm.lotus.sametime
From (yyyy-mm-dd): 2016-04-04
To (yyyy-mm-dd): 2017-05-04
MD5: B8:D3:2E:B3:42:04:D5:26:A9:63:68:30:00:15:CA:18:78:A9:AE:20

testing connection to gateway.push.apple.com:2195

testing connection to feedback.push.apple.com:2196

Security tests

I copied /opt/IBM/WebSphere/AppServer/profiles/AppSrv01/installedApps/Cell01/Mobile.ear/mobile.web.war/WEB-INF/lib/mobile.web.jar locally

I unzipped mobile.web.jar and found \mobile.web\com\ibm\lotus\connections\mobile\push\ios\PushNotificationService.class

I pasted PushNotificationService.class into http://www.javadecompilers.com having failed to get a local application working

The decompiled file lists the certificates as well as the passwords for each .p12

I downloaded the certificates from /opt/IBM/WebSphere/AppServer/profiles/AppSrv01/installedApps/Cell01/Mobile.ear/mobile.web.war/WEB-INF/classes/certificates/ locally although you could do the following from your server.

Locally, I then ran the following to retrieve the public certificate

$ openssl.exe pkcs12 -in ConnectionsEnterpriseAPNS.p12 -clcerts -nokeys -out ConnectionsEnterpriseAPNSpubliccert.crt
$ openssl.exe pkcs12 -in ConnectionsProductionAPNS.p12 -clcerts -nokeys -out ConnectionsProductionAPNSpubliccert.crt

You can open the certificates or use $ openssl.exe x509 -in ConnectionsProductionAPNSpubliccert.crt -text to get the information on them. I found that the expiration had passed.

Issuer: C=US, O=Apple Inc., OU=Apple Worldwide Developer Relations, CN=Apple Worldwide Developer Relations Certification Authority
Not Before: Jan  6 18:08:26 2016 GMT
Not After : Feb  4 18:08:26 2017 GMT
Subject: UID=com.ibm.lotus.connections, CN=Apple Push Services: com.ibm.lotus.connections, OU=RBVH72H5WP, O=IBM, C=US
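The manual check above can be turned into a routine one that flags certificates before they expire. The following is an added example, not part of the original post or of any IBM tooling: it reads concatenated `openssl x509 -text` output and classifies each certificate as expired, expiring or ok at a given date. The first sample record is the excerpt quoted above; the second is constructed, with a placeholder subject, and the 30-day warning window is an assumption.

```python
import re
from datetime import datetime, timedelta, timezone

# First record: the `openssl x509 -text` excerpt quoted in the post.
# Second record: constructed, with a placeholder issuer and subject.
SAMPLE_DUMP = """\
Issuer: C=US, O=Apple Inc., OU=Apple Worldwide Developer Relations, CN=Apple Worldwide Developer Relations Certification Authority
Not Before: Jan  6 18:08:26 2016 GMT
Not After : Feb  4 18:08:26 2017 GMT
Subject: UID=com.ibm.lotus.connections, CN=Apple Push Services: com.ibm.lotus.connections, OU=RBVH72H5WP, O=IBM, C=US
Issuer: CN=Example Test CA
Not Before: Mar 20 12:00:00 2016 GMT
Not After : Mar 20 12:00:00 2017 GMT
Subject: CN=example-push-cert, O=Example
"""

NOT_AFTER_RE = re.compile(r"^\s*Not After\s*:\s*(.+?)\s*$")
SUBJECT_RE = re.compile(r"^\s*Subject:\s*(.+?)\s*$")
CN_RE = re.compile(r"CN\s*=\s*([^,]+)")


def parse_not_after(value):
    """Parse openssl's 'Feb  4 18:08:26 2017 GMT' into an aware UTC datetime."""
    parsed = datetime.strptime(" ".join(value.split()), "%b %d %H:%M:%S %Y GMT")
    return parsed.replace(tzinfo=timezone.utc)


def expiry_report(dump, now, warn_days=30):
    """Return (common name, not_after, status) for each certificate in the dump."""
    report, not_after = [], None
    for line in dump.splitlines():
        m = NOT_AFTER_RE.match(line)
        if m:
            not_after = parse_not_after(m.group(1))
            continue
        m = SUBJECT_RE.match(line)
        if m and not_after is not None:
            cn = CN_RE.search(m.group(1))
            name = cn.group(1).strip() if cn else m.group(1)
            if not_after <= now:
                status = "expired"
            elif not_after - now <= timedelta(days=warn_days):
                status = "expiring"  # inside the warning window
            else:
                status = "ok"
            report.append((name, not_after, status))
            not_after = None  # wait for the next certificate's validity block
    return report
```

Evaluated at 7 Mar 2017, the date of the failed sends in the log above, the Connections certificate is reported as expired.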


This is a Connections 5.0 CR4 server and the fix list states that LO87599 (Updated Connections Mobile APNS Certificates) was included, so I’m not sure why the certificates were not replaced as the CR4 logs showed BUILD SUCCESSFUL….

I created a PMR and IBM quickly sent me LO90462: UPDATE TO APNS CERTIFICATES FOR 5.5 CR1.

After applying the ifix (for 5.0 CR4) I see that PushNotificationService.class has changed matching the file used in Connections 5.5 and the expiration dates are now 20th October 2017. On restart push notifications are now working to iOS devices.