In the latter part of last year I was involved in installing IBM Connections at a customer site, initially for 20.000 users and then, if all went well, for the full 70.000 users. The challenges in evangelizing the solution and getting people to use it are a topic for another blog post, but the project is interesting from other perspectives as well.
Firstly they wanted to change the layout of IBM Connections and add their own colors etc., which wasn't a biggie. Next they wanted to change certain core words within IBM Connections. In Danish the word for "Communities" is "Fællesskaber" but they wanted it to be "Grupper". Changing that throughout IBM Connections was a hassle, and we have to migrate these changes by hand when we upgrade to version 3, but it was possible, which is the good story here. The last requirement was the biggest and the one that took the most work to satisfy. They wanted to turn the entire login process for IBM Connections on its head.
So what do I mean by that?
By default IBM Connections works by importing all valid users into the Profiles database using TDI or a handcrafted tool and then hooking WebSphere Application Server up to LDAP. They didn't want that, and the users didn't actually exist in an LDAP directory but in another (Domino based) member database.
They had a number of requirements:
IBM Connections should work with their existing single-sign-on (SSO) solution which supported a number of different login methods incl. two-factor and digital certificates.
Before being granted access to IBM Connections the user should accept an End User License Agreement (EULA) and if not the user should be denied access to IBM Connections.
Users weren't allowed to be available in IBM Connections before opting in to using it by accepting the EULA, i.e. they didn't want users in the Profiles database before they had accepted the EULA.
The access procedure they wanted may be illustrated as below.
So what does an IBM Business Partner do? Say "Sorry, that isn't possible" and "That's really not the way that IBM Connections works"? Well, of course not, because it was and is possible due to IBM Connections being built on top of WebSphere Application Server, which is an open and highly extensible platform.
The key piece of the puzzle is a technology called a Trust Association Interceptor, or TAI for short. It is a way to change how WebSphere handles authentication, and it is how WebSphere normally integrates with reverse proxies such as WebSEAL.
A TAI is a Java class written to a specification (interface) from IBM and is very easy to write. The functionality may of course be complex, but the way you integrate with WebSphere Application Server isn't. Once the TAI was written and installed into WebSphere Application Server, the customer had an access procedure like this:
User tries to access IBM Connections.
If the user isn't logged in using the 3rd party SSO solution the user is sent to the login screen (1 in the diagram above).
If the user is logged in (and tokens are still valid) an EULA check is performed to verify that the latest EULA has been agreed to.
If not, the user is sent to the EULA system (2 in the diagram above) to accept the EULA, and the EULA system is instructed to return the user to IBM Connections afterwards.
If the user did accept the latest EULA we check to see if the user is available in IBM Connections.
If the user isn't in Profiles yet, the user is sent to the Populator system (3 in the diagram above), which handles collecting user information and populating Profiles. Once completed, the user is returned to WebSphere Application Server.
If the user is in Profiles already, the user is granted access to IBM Connections (bottom of the diagram).
It sounds complex but it's done in less than 500 lines of code incl. comments and documentation. That isn't too bad, is it? What's really cool is that it allows for some very exciting ways to integrate IBM Connections into existing environments.
Over the next few days I'll post more about TAIs, how you write them, and their technical underpinnings. Stay tuned.
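The access procedure above, mapped onto the TrustAssociationInterceptor interface as an added example (not the author's or the customer's code). The nested Backend interface, the custom property names (backendClass, loginUrl, eulaUrl, populatorUrl, connectionsBaseUrl), the "return" query parameter and the status returned after a redirect are assumptions; it compiles against the WebSphere runtime and servlet API jars.

```java
import java.net.URLEncoder;
import java.util.Properties;
import javax.servlet.http.HttpServletRequest;
import javax.servlet.http.HttpServletResponse;
import com.ibm.websphere.security.WebTrustAssociationException;
import com.ibm.websphere.security.WebTrustAssociationFailedException;
import com.ibm.wsspi.security.tai.TAIResult;
import com.ibm.wsspi.security.tai.TrustAssociationInterceptor;

public class EulaGateTAI implements TrustAssociationInterceptor {
    /** Hypothetical lookups against the SSO, EULA and Profiles systems. */
    public interface Backend {
        String ssoUser(HttpServletRequest req);   // null when there is no valid SSO session
        boolean acceptedLatestEula(String user);
        boolean inProfiles(String user);
    }
    private Backend backend;
    private Properties cfg;   // TAI custom properties (names are assumptions)
    public int initialize(Properties props) throws WebTrustAssociationFailedException {
        try {   // backendClass names a Backend implementation on the server classpath
            String name = props.getProperty("backendClass");
            backend = (Backend) Class.forName(name).getDeclaredConstructor().newInstance();
        } catch (Exception e) {   // fail closed: no backend, no interceptor
            throw new WebTrustAssociationFailedException("backend not loadable: " + e);
        }
        cfg = props;
        return 0;   // 0 signals successful initialization
    }
    public boolean isTargetInterceptor(HttpServletRequest req) throws WebTrustAssociationException {
        return true;   // gate every protected request
    }
    public TAIResult negotiateValidateandEstablishTrust(HttpServletRequest req,
            HttpServletResponse res) throws WebTrustAssociationFailedException {
        String user = backend.ssoUser(req);
        String next = user == null ? "loginUrl"                       // (1) no SSO session
                : !backend.acceptedLatestEula(user) ? "eulaUrl"       // (2) latest EULA not accepted
                : !backend.inProfiles(user) ? "populatorUrl" : null;  // (3) not yet in Profiles
        if (next == null) return TAIResult.create(HttpServletResponse.SC_OK, user);
        try {   // return target uses the configured base URL, never the request's Host header
            String back = cfg.getProperty("connectionsBaseUrl") + req.getRequestURI();
            res.sendRedirect(cfg.getProperty(next) + "?return=" + URLEncoder.encode(back, "UTF-8"));
        } catch (java.io.IOException e) {
            throw new WebTrustAssociationFailedException("redirect failed: " + e);
        }
        // Assumption: a non-OK status establishes no identity and the redirect is sent as written.
        return TAIResult.create(HttpServletResponse.SC_FORBIDDEN);
    }
    public String getVersion() { return "1.0"; }
    public String getType() { return getClass().getName(); }
    public void cleanup() { }
}
```

The checks run in the same order as the procedure, and only the final branch hands a principal to WebSphere, so any failed or skipped check ends in a redirect rather than a login.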