Connections 5 SPNEGO Confusion – Dogs & Cats Living Together!

I have been working on a PMR for Connections 5 trying to configure SPNEGO , foolishly as it turns out using the IBM Connections 5 Knowledge Center.  I have just finished a 3hr screenshare with WebSphere security support who started the call asking why on earth I was configuring it the way I was.  When I showed them the documentation on the Knowledge Center for configuring SPNEGO I was asked “why are the Connections team saying to do that, that will never work”. Imagine my joy having spent nearly 2 days working on it before opening a PMR.

They are going to fix the knowledge center documentation hopefully but in the meantime this handy dandy little screenshot should help you


The incorrect documentation (and hopefully it will be fixed before you even click on it) is here

In addition the WebSphere security team disagree with the Connections team on creating a keytab for the IHS server only in any circumstances which this document says to do

Finally they also disagree on requiring the connectionsAdmin account to be the one that is used to start Windows services which may be a bad use of wording on this document here (See item 6).   They have advised that as far as SPNEGO is concerned any AD account would do.

They have also advised that you should make sure there are no other SPNs for that hostname floating about (I don’t have visibility of AD but it’s one for the customer to check)

I have asked for definitive documentation from the Connections and Websphere teams on how they want this configured before moving forward

Anyone Fancy An Indispensbile Tool For Connections Migrations?

When working with Connections so much of the configuration is done in XML or properties files on the file system of the servers.  That means, no matter how organised I try and be, I often find multiple copies of files each with different date/time stamps or even with different names (LotusConnections-Config.PreNewNode for example) for me to identify.  This is especially true with the TDI syncing where I often end up creating multiple TDISol directories over the course of a deployment as customers want to change what data syncs, how and where.

The problem with this is that everything is very reliant on how well the files are commented and more often than not I’m coming in behind someone else so I have to look at files with no commenting at all or commenting that only makes sense to the person who wrote it.

As an admin I have never really needed to compare the contents of one file with another to spot the differences (that’s more a coding problem) but with Connections I need to use that technique all the time.  Take my work this week for instance, upgrading a Connections 4.5 server to Connections 5 .

The first question is, looking at the TDISol directory, have any of the properties files I need to update changed since 4.5. If not then great, I can just add new servers and passwords and away we go.  If they have I have to merge the old settings into the new and I’d rather not rely on me reading each line and visually comparing them across several dense pages.  To do this my favourite tool is Kaleidescope  for the Mac.  It’s not free (it’s about 70 dollars) but it has a great UI , features and does the job.  I’ve been using it for a couple of years and they keep adding new features.  It also does a great job on comparing and spotting changes in images – or what I call the “hey that’s been photoshopped” feature.




In the picture above i’m comparing the file from the 4.5 install to a new one for the 5.0 install to make sure I don’t miss any custom settings.  I did the same with and  As you can see from the screenshot (the one on the left being the 4.5 one), any additions are in green, deletions in red and changes in purple (with the actual changed words being darker purple).  This makes it very easy for me to spot what needs to be changed from one file to the other.  It’s not perfect , if the format of the file means that some lines appear a page further down in one document vs the other then you will see markup for both but it’s a lot better than any hope I have to spot all the differences myself.




Champion Gift Finding A Good Home

Thanks to IBM my gifts for being an  IBM Champion have arrived.  This year we were given an amount to spend in the online store on various items like jackets and shirts and I chose to buy many of these hot and cold drinks containers which I can donate to charity.  As well as keeping a set myself 🙂  They are very nicely made.





Connections CCM Problems – Libraries not “quite” working

My 2nd PMR this week was for Connections and Content Manager.  I had already installed FileNet in the test environment for this customer and the only difference between test and production was really the number of servers with CCM having its own dedicated VM.  The install completed and I tested uploading files, editing files, clicking “like” etc and it all seemed OK so I handed it over to the customer.

Turns out there was a problem.  No library , once created, could be edited.  Not the title, not the security, nothing.  Any editing threw up an error

All the installs were correct.  The updates had applied OK.  The correct versions of FileNet were running.  We even checked the security on the ICObjectStore in FileNet’s ACCE administration interface.  Nothing looked wrong but the error message was strange

“The requested approval  action could not be performed because the library, CCM Libraries, is not enabled for document approval. The library’s repository, ICObjectStore, might not have the document approval addon installed, or the library might not be a teamspace. Contact your administrator and report this error message”

As part of the investigation trying to find out what was wrong (and whilst waiting for L3 to review) I saw this option when I right clicked on the ICObjectStore in ACCE – add on features.  AddOnFeatures


So , whilst we waited, the IBM support guy (can I name him here?) sent me a list of all his add ons and I compared them to all of mine and sure enough about 8 were missing.  I added those and everything started working.  Why those 8 failed to install is another matter since all the logs said everything installed fine.  Interestingly at this customer we’ve had trouble deploying applications in the past due to network timeouts between the Dmgr and other servers so I do wonder if that was it (for instance CR3 seemed to install but several of the applications were corrupted when we tried to use them and I had to install them again manually).

An interesting one and a nice easy fix.  I’ve added screenshots below of all the add ons we should have had so you can compare if you find a similar problem.

Addons Pt1 Addons Pt1



Sametime Audio and Video Problems

This week’s Sametime PMR was a problem with Audio / Video on a newly deployed infrastructure.  This is a long blog but hopefully you’ll find it all useful. The installs all went fine and the peer to peer calling worked, which meant the clients were able to register with the proxy registrar.  However multi user or meeting video was failing.

The first thing you need to know about ST Audio / Video is that there are several moving parts – in this instance all servers are installed on SLES11

  1. Proxy Registrar / Conference Manager – in this environment both these applications are installed into one instance of STMediaServer
  2. Video Manager which is a WebSphere server installed as a standalone node (outside the SSC cell) and requires SolidDB (which the Video Manager installer places and configures)
  3. VMCU – the Video MCU which will handle the multi way video traffic via the Video Manager

The second thing you need to know – and it’s not well documented at all – is that the start order of those elements is vitally important. Start them in the wrong order and you won’t get any audio / video at all (if you check your Sametime client preferences you will not see any A/V components or options).  So what’s the start and stop order?

Start with Video Manager components

  1. Soliddb must be started first using /opt/soliddb/soliddb-7.0/bin/solid -c /opt/soliddb/soliddb-7.0/eval/standalone*
  2. Once started the Video manager can be started using the server name STMediaServer
  3. Start the Video MCU by typing  :  service soft_mcu start (also “status” and “stop”) work
  4. Start the PR/CM WebSphere server STMediaServer

To stop all elements do 4-3-2-1 in reverse

To stop soliddb type solsql then when prompted for login details use the name and password admin
issue the commands (with a semi colon at the end of each line)

admin command ‘force shutdown’;


*soliddb listens on port 2315 – you can verify it’s running or stopped by doing a netstat. On linux that’s
netstat -an | grep -i “2315”

(the solid.ini file in /opt/soliddb/solidb-7.0/eval/standalone will tell you which port is being used by the server)

The next thing you need to know is that even if it all installed perfectly you must go through the process of exchanging certificates between the PR/CM in the SSC cell and the Video Manager standalone server.  This is documented here and this is where my PMR occurred   The problem was once the certificates were exchanged we lost all video completely.  Even peer to peer.  I assumed it was a small problem, maybe my start order or I wasn’t letting everything have enough time to start but no.. the problem was that we were using a wildcard certificate.

IBM do support wildcards, they have to since the ST Advanced server and ST Proxy server must share a certificate.  Unfortunately we discovered that the underlying video software (which actually comes from Polycom licensed to IBM) doesn’t support a wildcard certificate so when I did the exchange, everything broke.  Once I knew that I reverted the Video servers (PR/CM and Video Manager) to the IBM installed certificate (since the clients don’t directly connect there) and everything started working.

I am waiting to hear back from L3 if using the mixed certificates (wildcard for ST Proxy, Meeting and Advanced and IBM installed for the Video and SSC) will present any problems but right now we are back in business with all ST features.

The IBM Support Overnight Mystery

Several days this week I have worked on a different PMR (two ST bugs one CCM more on later) with people from IBM support who have been helpful, informed and as curious about the problem as I was (or faking it really really well) . We’ve had screen shares, investigated the problem and left it at the end of day the as “escalate to L3 development”.

Then each morning I wake up to an overnight email from someone new saying they are in charge of the PMR but who has seemingly never seen the problem and is asking me to do basic stuff like send in logs or apply a patch that was already checked (and updated in the PMR) at least a day earlier.

I understand the difficulties in providing 24×7 support and I’m sure there’s an alert somewhere that gives someone a kick overnight and tells them I HAVE to be followed up even if there’s no action task back from L3. Clearly there is a process for “following up” out of hours which does exactly that and only that based on the original call. I now reluctantly set those emails to ignore , or respond asking them to read the PMR history, but I worry what customers do .

Do they run around in circles doing this repeat “make work” until someone who has read the actual updates comes in ?

Oh and two out of the three PMRs are now closed. I will blog both which are interesting and apparently a googlewhack of problems (we were the first to report) later today. :-). So thank you to everyone who worked with me on them this week.

Connections 5 Worksheet – In Case It’s Useful

The IBM wiki and now Knowledge Centre publish a worksheet you can use when installing Connections to help document your work.  I have used  this,  or a version of this,  when I’m doing installs but unfortunately although the wiki (4.5) version can be copied / pasted straight into Excel and retain its table format, the Knowledge Centre Connections 5 one here  doesn’t format properly when I take it into a spreadsheet.  Rather than spend time trying to work out how to fix it I created my own spreadsheet and since I’m using it this week for another install I thought it would be useful to share here.

It’s in Excel format, one tab per product.  Fill this in as you install and you have ready made documentation.


Hello IBM Support – How Can I Confuse You?

It’s been a busy week of opening PMRs across various products and customers.  The IBM PMR system has nuggets of hilarity in it if you just decide to go with the flow….This morning I needed to open a PMR for a customer in the US.  My problem is that under my IBM registration I am listed as the admin or authority for several different customer numbers* but can only open a PMR for two of them.  No idea why just those two.  I also have , several times, opened a call and only had “Save As Draft” instead of submit as an option – hilariously if you “Save As Draft” you never see it again.  You only have to learn that lesson two or three times….

Finding the right number to call (because I have to call the right IBM centre for the region each customer is in) I placed the call ,  since it was out of hours , let’s just say I didn’t get their “A” team.

Problem No.1 the guy I spoke to had not heard of IBM Connections Content Manager and could not find it on their system to log a call against

Problem No.2  he did not understand my summary sentence of the problem although he told me he had written it down, when I went to look online the PMR had no assigned product, title or description.

My favourite bit though was this conversation

Support: So shall I open this as Severity 1
Me: Well no, it’s not a system down , it’s loss of feature so that Sev 2
Support: If I don’t open it as Severity 1 no-one will contact you for at least 24 hrs. Do you not want to be contacted today?
Me: Well yes I do want to be contacted today but it’s not a Severity 1
Support: I will go ahead and open it as Severity 1 so you are contacted today
Me: But my system isn’t down – that means system down
Support: I will uncheck the “System Down” box
Me: {confused} OK.

I then went in online updated it and changed it to Sev 2.  Oh and I was contacted by support already.

*yes I know I can ask a customer to approve me as a BP but most customers know the process for adding me to their accounts like they do other internal users and so that’s what the majority have done.  I choose not to ask them to jump through IBM hoops just to make my life easier.