Sametime Client Update Breaks Single Sign On

I recently built a new Sametime Complete environment for a customer that included an Advanced and Meeting server.  When I had completed the build I tested a new standalone Sametime client in a VM to confirm that I could login to the new Community server and it would log me into the Advanced and Meeting servers.   Having added the necessary lines to plugin_customization.ini to enable  Sametime Advanced* I was able to login to the Community server successfully and be automatically logged into the Meeting and Advanced servers.   However, when I handed over to the customer for testing I was surprised that they couldn’t actually login to the Meeting server at all through the Sametime client. They got a server unreachable error.

So I did further testing

  1. On my client I was configured to use SSL for both the Meeting server and Sametime Advanced. I could login to the Community server and that logged me in securely to Meetings and Advanced.  That same configuration on a test workstation of theirs failed to login to the Meeting server saying server not responding (although it did successfully log in to Advanced)
  2. If I removed the Sametime Advanced servers from the Sametime workstation client it could suddenly log in to the Meeting server
  3. If I changed the Meeting server configuration in the workstation client to use HTTP (80) instead of HTTP (443) I would be logged in to the Meeting and Advanced server
  4. On the test workstation I could always login to the Meeting server securely through a browser and open a tab to the Advanced server and be automatically logged in there even when the Sametime client claimed it couldn’t reach the server.

So why did it fail on every one of their workstations and not for me? It turns out they were using the latest Sametime client I had downloaded from Fix Central (20170402-0344) for them whereas I was using the 2016 build (20160624-0209).  I took a snapshot of my VM and upgraded my Sametime client to the April 2017 one and I immediately was unable to log in to the Meeting server. I rolled the snapshot back to the 2016 client and everything worked again.

One of the major updates in the 2017 client was SAML functionality and it does seem that the single sign on logic has been broken in some way by that 2017 update.  Everything is working with the 2016 client so for the time being (and whilst IBM investigate the PMR) we are rolling that out.  One to watch out for though – newer is not always better and you might want to avoid the latest 20170402-0344 update.

 

*for Sametime Advanced login to work at all in the client you must ensure “remember password” is checked and the following two lines are in the plugin_customization.ini

com.ibm.collaboration.realtime.bcs/useTokens=false
com.ibm.collaboration.realtime/enableAdvanced=true

Engage – Was It Really Over A Week Ago?

It’s 2am so apologies in advance for any rambling in this post but I’ve been wanting to write about the Engage conference in Antwerp ever since I got back last Thursday (and if I leave it much longer I might as well write about next  year’s conference).

This year Engage was held in Antwerp which is only a 3.5hr drive for me so we met everyone else there who came by train.  Top tip – don’t try and drive in Antwerp, the one way systems will get you every time.  Yet another beautiful city and conference location by Theo and the Engage team.  The Elizabeth conference center was spacious and since there were 400 of us and the Engage team had made sure to provide lots of seating / meeting areas, it felt right.  One thing I really enjoy at conferences is the opportunity to meet people (OK I hate approaching people to talk but I like being part of a conversation) and I had the opportunity for some great conversations with sponsors and attendees. I managed to bore people to death about my latest obsession (docker).  IBM also sent a lot of speakers this year with Scott Souder and Barry Rosen updating us on Domino and Verse futures and both Jason Roy Gary and Maureen Leland there to sprinkle some (Connections) pink around.  There was a lot of open discussion about technology now and what we were each learning and working with along with a fair amount of enthusiasm for what we’re each working with, so thanks to everyone for that.

This year the agenda expanded to including emerging technologies and one of my sessions was in that track – on IoT in the Enterprise, GDPR and data.  I try to aim my presentations at the audience I’m talking to and when it comes to IoT the IT audience naturally has a lot more concerns then line of business managers.  Outside of IT IoT is purely about opportunity but since IT need to take care of the rest my presentation was more technical with a security checklist for deploying IoT devices.  All the opportunity for businesses will inevitably involve a lot of work from IT in the areas of data retention, data analysis, security and process redesign.  Some really interesting technologies are evolving and IoT is very fast moving as evolutionary technologies are so now is the time to start planning how your business can take advantage of the incoming swarm of data and tools.

My second session was on configuring a Domino  / Cloud Hybrid solution with step by step instructions for setting up your first environment.  That presentation is on my slideshare and also shared below.  The key thing to understand about hybrid cloud is that as a Domino administrator you still manage all your users, groups, policies and your on premises and hybrid servers, in fact the only things you don’t manage are the cloud servers themselves.  Getting started with a hybrid cloud deployment is a good way to understand what the potential might be for migrating or consolidating some of your mail services.

As always the Engage team put on an amazing event, lots to sessions to learn from, lots of people to meet and a lot of fun.  I was very pleased to see Richard Moy who runs the US based MWLUG event there for the first time and I’m looking forward to attending his event in the US in August.   Finally my crowning achievement of the week was when no-one on my table could identify either a Miley Cyrus or Justin Bieber song at the closing dinner and none of us considered cheating by using Shazam (I’m looking at YOU Steph Heit and Amanda Bauman :-)).  Theo promises us Engage will be back in May 2018 at a new location.   See you there.

More Adventures In *** RHEL Configuration

I know I shouldn’t have blogged on Saturday – as soon as I think I have a problem fixed the universe rises up and slaps me roundly about the head.  So fast forward to the end, it’s Sunday night and I’m installing Connections on RHEL 7 so that’s good.  However to get there I had more hurdles which I’ll note here both for myself and for anyone else

I configured and enabled VNC and SSH for access which worked fine on the same network but not from any other network (“Connection Refused”).  The obvious first guess is that the firewall on the server hasn’t been disabled.  It’s always the first thing I do since I have perimeter firewalls between networks and I don’t like to use OS ones. So Saturday and Saturday night was an adventure in checking, double checking and checking again that I had the firewall disabled.  RHEL 7 has replaced iptables with firewalld but iptables still exists so my worry was that I had something enabled somewhere.  I didn’t think it could be my perimeter firewall since I had built the server with the same ip as an earlier server that already worked. My other guess was VNC being accidentally configured with –nolisten but that wasn’t true either.

By the time I went to bed Sunday morning I had ruled out it being the OS and was going to start fresh a few hours later.  I’d also noticed that although I could connect via VNC it was slow as hell despite having a ton of resources.

Sunday morning I decided to delete all the entries referring to that server’s ip on our Sonicwall perimeter device and recreate them.  That fixed the network access. The one thing I didn’t build from scratch was the one thing that was broken. *sigh*.

At this point I did consider switching to Windows 2016 on a new box but I already planned to use that for another server component and wanted to build with mixed OS. Also #stubborn.

So now I have VNC and SSH access but the GUI is awful. I can’t click on most of the menus and it keeps dropping out.  I’m running GNOME 3 and I can find endless posts about problems with GNOME 3 and Cent OS or Redhat so I bite the bullet and install KDE because all I want is a GUI.  KDE is as bad, slow, menus not clickable.  I make sure SELINUX is set to “Disabled” but still no luck.   I try installing NoMachine as an alternative method but that has the same problem with the GUI – slow, unresponding, menus unclickable and eventually a crash with “Oh no!, Something has gone wrong”.  Which isn’t nearly as entertaining the 100th time you see it.  Along the way I disable IPV6 entirely and found and fixed this bug

https://bugzilla.redhat.com/show_bug.cgi?id=912892

and this one

https://bugzilla.redhat.com/show_bug.cgi?id=730378

oh and this irritating setting

https://access.redhat.com/solutions/195833 “Authentication is required” prompt

Throughout Sunday I’m continually working with /etc/systemd/system/vncserver@:1.0 to modify the settings, create new instances, create new VNC users but no matter what I try it proves unworkable.

I’m using the Red Hat instructions from here which has a configurator you can use to automatically create the file vncserver@ file according to your settings.  I’m suspicious of that file because it has settings I don’t normally use like  -RANDR so eventually I edit the file and change

ExecStart=/sbin/runuser -l turtlevnc -c \”/usr/bin/vncserver %i -extension RANDR -geometry 1024×768\”
PIDFile=~turtlevnc/.vnc/%H%i.pid

To

ExecStart=/sbin/runuser -l turtlevnc -c “/usr/bin/vncserver %i -geometry 1024×768”
PIDFile=~turtlevnc/.vnc/%H%i.pid
Cleared the /tmp/X11.unix/X? directories and restart once more.  Everything including GNOME 3 works and it’s zippy zippy fast.

 

So. Note to self. Next time remove that RANDR setting and win yourself an entire day back.

 

Me vs Technology (spoiler: I win)

Yesterday Connections 6 shipped and although I was in meetings all day my goal for last night was to get everything downloaded and in place on a VM and have that VM built with a configured and hardened OS.  That was the plan.  I thought it might be fun to share my 4pm – 4am battle against technology and maybe it will help someone else.  It might also explain all the “other” work that tends to take up my time before I  ever get to the actual stuff I’m meant to be installing.

All my servers are hosted in a data centre and mostly I run ESXi boxes with multiple servers on them. I have 5 current ESXi boxes. So first things first, create a new virtual machine on a box with capacity so I can download the software.  All of this is done from a Windows VM on my Mac which connects to Turtle’s data centre

Vsphere lets me create the machine then gives me VMRC disconnected when I try and open a console.  After some checking I realise it’s the older ESXi boxes that are throwing that error for every VM and only since I upgraded to Windows 10.  If I can’t open a console on the VM I can’t do anything so I search the internet for various random advice which included

  • Disable anti virus
  • Remove Vsphere
  • Install latest Vsphere (which keeps being overwritten with an older one each time I connect to an older machine)
  • Uninstall VMware Converter (which I had forgotten was even there) – that required me booting into safe mode in my VM which only worked if I used msconfig to get it to restart in safe mode
  • Downgrade Windows
  • Create a new clean desktop VM to install Vsphere into

This is a bigger problem than just this install because I also can’t manage any of my servers on those boxes.  I rarely connect to them via the console so I don’t know how long it’s been like that but it can’t stay like that.

Several hours later.. still no luck. Vsphere lets me do everything to a virual machine except open a console.  I could use another ESXi box but I’m being stubborn at this point. I want to use this box

Then I find reference to VGC – Virtual Guest Console  https://labs.vmware.com/flings/vgc.  Created in VMWare labs in 2010 and still in “beta” it does one thing I need which is open a console.  So now I have VSphere where I can create and manage the instances and the VGC to open a console I’m ready to install and OS.

But which OS?  The host boxes have ISOs on them I already use but those are Windows 2012 R2 and RHEL 6.4.  I want either Windows 2016 or RHEL 7.1  Again I could use Windows 2012 but #stubborn.

I download Windows 2016 to my Mac and it’s over 5GB.  That’s going to take a few hours to upload to the datastore and I’m optimistically thinking I don’t have a few hours to waste.  So Plan B is that I take an existing RHEL 6.4 ISO and use that to install then upgrade it to 7.1 in place since you can now do that with Redhat if you’re moving from the latest 6.x to 7.x.  Top tip – it would have been quicker to upload Windows 2016.

I start building the new VM using RHEL 6.4 and eventually I get to the point where I can tell it to get all updates and off it goes.  It’s now 1am and it’s showing 19/1934 updates.  So.. I go to bed taking my iPad with me and leaving my laptop downstairs.  Once I’m in bed I can use Jump on the iPad to connect to my laptop which is on the same network and Terminus and the VPN on the iPad to open a putty session to the data centre.  The 6.4 updates finish and now I need to get it to 7.1  First thing I need to do is download 7.1 directly to that new VM which I can do easily because I installed a browser so I download the 3GB ISO directly to the VM which only takes 3 minutes and I’m ready to install.

Except not quite.  Redhat requires to you run their pre upgrade utility before doing an inplace upgrade.  In fact the upgrade won’t even run until you run pre-upgrade.  So I do that and as expected it fails a bunch of stuff that I don’t care about because this is a new machine and I’m not using anything yet so I’m not bothered if something stops working.  Except the upgrade still won’t run because it spots I failed the pre upgrade test.  That’s where “redhat-upgrade-tool -f” comes in.  Around 4am I left that running and got some sleep.

Incidentally this is a great document on upgrading but I think you may need a login to read it https://access.redhat.com/solutions/637583

At 7am I found it completed at RHEL 7.1 and then ran one more update to make sure everything was on the latest patches,  added the GUI and configured the firewall.

I’m NOW ready to download Connections 6

Session from InterConnect – IoT In The Enterprise

Firstly I’d like to thank Chris Miller from Connectria who wrote and submitted the original abstract then kindly let me have the session when he had a scheduling conflict.  Any issues or problems with the content are down to me not Chris so please don’t hold him responsible 🙂

The original abstract was

Enabling Internet of Things (IoT) so your employees and your customers can have a simplified experience with new services and products sounds exciting. In this session, we will dig into the top ten risks that come with the IoT experience. Due to the rapidly evolving nature of IoT and associated threats, there are risks in allowing access to your enterprise resources. Custom firmware, embedded operating systems and wi-fi connectivity of IoT devices offer many possible areas for exploits and misuse. Come explore current security offerings and get a first look at best practices. Walk away with an immediate checklist to benefit your enterprise as it deploys and offers IoT access.

There are several aspects to IoT in the Enterprise which are important to the world of collaborative working

  1. IoT devices generate a huge amount of data. That data has to be analysed and actioned.  In a presentation at InterConnect IBM made the point that 80% of data analysts’ time is spent on cleanup and scrubbing not analysis.  Although we have had access to big data for many years, most companies simply haven’t gotten their heads around how to work with it.  That’s going to become more and more critical as IoT devices start to appear in companies.
  2. Security is a huge issue with IoT devices that are still primarily designed for consumer use.  Most devices still transfer data over HTTP (even authentication data) and security has not been a priority.  The introduction of blockchain technologies such as the one IBM has developed is the best chance for having secure IoT devices but we’re not there yet.
  3. IoT is really the beginning of Industry 4.0 with 3.0 being “the internet” 2.0 being “the conveyor belt” and 1.0 being “steampower”.  Consider that your company is on the precipice of the beginning of the internet. You’ve heard of it, you wonder where it’s going to take you, you might be considering something called email.  Well IoT is going to change your business and give you the same kind of opportunities to leap ahead of your competitors as the Internet did.  This isn’t something you can choose to ignore.
  4. The technology might not yet be there but now is the time to consider how you would change your business processes if you could access any data and use it in any way.  Again, consider the changes in processes pre Internet and now.
  5. Being able to analyse data , redesign business processes on the fly and take action is all in the DNA of those of us who have worked for years in the ICS community.
    Data Analysis = WATSON
    Business Process Action = WATSON APIs

I will be presenting (hopefully with Chris) on this at Engage in Antwerp on May 9th. You can register for that here

Watson Work Services – Connect Review #4

I know it’s a bit late in the day but I have a couple more things I want to talk about post Connect and with preparations for Interconnect and trying to tie up work before I go away – well these got pushed back.

Watson Work Services, what is it?  WWS (not sure if anyone else is using that acronym but let’s go with it) is not a product, it’s a platform. It is designed to connect to Watson’s APIs and leverage those for language, search, and data. The results can then be fed back to your application and used to trigger actions.  If you’ve seen Watson Workspace (formerly known as “Toscana”) then you might know that it is underpinned by Watson Work Services.   I stole this screenshot from Marc Pagnier’s presentation which I think explains the role WWS is intended to play.

Screen Shot 2017-03-14 at 23.37.37

So why is this good news? Well most of us have heard of IBM’s Watson efforts and understand some of the things Watson can do but for the majority the idea of accessing Watson’s APIs or applying its intelligence to our data appeared out of reach. I mean it’s not like you’re going to install Watson on site.  WWS gives any size company or even single developer access to those Watson APIs without installing anything on site and without investing a lot of money.  In fact WWS works within Bluemix and so your application, whether on premises or in the cloud, can call a query to WWS to feed it data and get results back you can then store and act on.  The cost is calculated in pennies each time you run a WWS query so , as an application designer, that is entirely within your control.   With that model you can easily and quickly experiment with integrating cognitive logic and intelligent behaviour into your applications.

To get started with WWS go to https://developer.watsonwork.ibm.com and to access example applications visit http://github.com/watsonwork . To stimulate  your creative brain here’s another screenshot I stole that shows some of Watson’s APIs and you can find out more about what they can do here Screen Shot 2017-03-14 at 23.53.36

For a start we already have several ideas for our customers who generate a lot of data and would benefit from integrating  intelligent analysis and action triggers into their applications.