Hi Folks,

After months of troubleshooting in our client side, we finallymanaged to solve the Multi /GET/Command.Login issue in our WebSphere Portal environment.

Basically it is caused by the unproper JSESSIONID cookie handling by the WPS 6.0. These are the steps to solve it:

1. Change the WebSphere Portal cookie name to something else, as long as not JSESSIONID (let’s say FERNANDO-JSESSIONID)
2. Navigate to Resources->Resource Environment providers->WP PortletServiceRegistryService->Custom Properties
3. Add the following custom properties: com.ibm.wps.pb.service.PropertyBrokerServiceImpl.sessionid.cookie.names =<new_cookie_name> and com.ibm.wps.propertybroker.standard.service.PropertyBrokerServiceWrapper.com.ibm.portal.propertybroker.standard.sessionid.cookie.names.property = <new_cookie_name>
4. Save and synchronize to Nodes
5. Generate and Propagate the Web Plugin
6. Then restart both Nodes

Hope this will be helpful!

Hi Folks,

What a long weekend, just to troubleshoot why the Group Authorization does not work in my Lotus Domino Quickr server. Actually it is just a silly mistake that I did when adding the group into that Place ACL. Basically these are the correct steps…

If you like to use qptool command, use this command:

“load qptool addmember -g parameter ..“; the ‘-g’ here means that the DN that we are adding is the DN for external group.

If you like to do it manually using the Quickr Manage Members GUI, just make sure that you select the “Group” radio button when searching and adding the search entries.

But, if it is already too late, just simply use “load qptool updatemember -targetg parameter” command to promote the DN to be Group External.

Hope this will help.

Cheers!!

Hi Folks,

Last weekend I hit the “Failed to Fetch” error during the WCM Syndication. After consulting to several IBM engineers, I finally managed to solve it.

This article shows you how to solve this issue.

This is the error that you will see in the

“SystemOut.logDepRef(id:e1e33e004d38843daddcbfa9d90c6c64 type: com.aptrix.pluto.cmpnt.FileResourceCmpnt nonDraft:true draft:false purged:false parentId:e1e33e004d38843daddcbfa9d90c6c64 timeStamp:1242648680000 stateUpdate: false versions:null) could not be found”

These are the steps to solve it:

1. Delete the existing syndicator-subscriber pair
2. Stop the portal server on the syndicator machine
3. Navigate to /WPSHOME/config
4. Run the /wpsconfig.bat wcm-reset-event-log task. This will essentially clear the data that the syndicator is using to send the content. Note that this is to be run inside the syndicator machine
5. You might also want to exclude the versions from the syndication by adding “deployment.noVersions=true” inside the WCMConfigService.properties in both syndicator and subscriber machines
6. Start the portal server at the syndicator machine
7. Re-create the syndicator – subscriber pair
8. Make sure that you rebuild the syndication once this has been done.

Hope this will help everyone!

Cheers!

Hi Folks,

Last weekend our Portal Production server got some issue, related to the Certificate problem.

Caused by: javax.net.ssl.SSLHandshakeException: java.security.cert.CertificateException: Subject nane of signer cert does not match issuer name of supplied cert chain
at com.ibm.jsse2.bx.a(bx.java:14)
at com.ibm.jsse2.by.a(by.java:147)
at com.ibm.jsse2.by.a(by.java:202)
at com.ibm.jsse2.w.a(w.java:206)
at com.ibm.jsse2.w.a(w.java:280)
at com.ibm.jsse2.v.a(v.java:184)
at com.ibm.jsse2.by.a(by.java:193)
at com.ibm.jsse2.by.l(by.java:257)
…
…

Just to share a abit…

If you find this error, you might need to check whether the Certificate that is installed at the server side valid (or even broken) or not. Be noticed that you will not know the validity of the certificate by using the browser to view certificate. This is seen only by the Java code.

Then, after replacing this certificate, our problem was solved.

Cheers!

Hi Folks,

Last time I posted article on how to implement AJAX in the IBM WCM Portlet. The missing from that writing is the content caching portion. In this article, I will finish up that portion for the completeness of the entire solution.

IBM WCM stores the content inside the JCR database, which stores the entire content as XML record, which makes developer a bit tough to interface with it. The best approach is to use the IBM WCM API. This API is limited in the sense that we can have a flexibility to search content based on a certain content attribute, for example: search based on content title, or published date, etc.. Apart from that, this API provides some generic functions to do content filtering, based on categories, authoring templates, or site areas. However, once again this does not really help. At the end of the day, we will hit some performance problem just to get it done according to the content filtering requirement that is not supported by the basic IBM API.

But, do not worry, as this problem can be solved by implementing the content caching. The following is the concept to do the content caching:

1. Use the file system caching. It means that the portlet should check if the a particular content is already cached. If the cache exists, then the portlet should take the content from the cache, otherwise, retrieve from WCM repository via the WCM API
2. As the content is always cached, then there is a need to update the cache, in case the actual content gets updated. To achieve this, we need to have a job program that is scheduled to run upon the success of the content syndication. This job program will basically purge the folder where the cache files reside.
3. Upon the completion of this job execution, another job program will run to perform an HTTP call the Portal page, and this will automatically re-generate the cache files (see point 1) for this technique.
4. If the point 3 cannot be achieved, then we should provide another job program which is run within the Portal environment (this can be a Java cron job, using Quartz and Servlet). This program will call the WCM API and regenerate the cache file.

Of course we can use the database to cache the content, if file system cache is not feasible, especially in the clustered environment.

Hope this will explain.

Cheers!!

Hi Folks,

Maybe you have heard about or even been using the Lotus Connections, but do not want to open this LC access to anonymous user. This article gives you some hints to make it happen.

Lotus Connections consists of the following features:

1. Homepage
2. Profiles
3. Blogs
4. Dogear
5. Community
6. Activities

To prevent anonymous access to these features (except Profiles), you need to go to the WAS Integrated Console, then change the Security Roles to Users/Groups mapping for each of those applications. That means that you need to change the “reader” role from “everyone” to “authenticated users”.

Particularly for “Profiles”, you need to change the “web.xml” manually.

You can find the web.xml as shown below

Change the content of this file as shown below

and

Hope this will help you.

Cheers.

Hi Folks,

This week, I found a silly issue in the Lotus Connections. This issue was encountered during the creation of the new blog entry. When I clicked on the “New Entry” link on the Blog feature, it showed the “Unexpected Exception, Blog has encountered and logged an unexpected exception”.

The following is the error as I mentioned

From the Error Log in SystemOut.log, I saw this message:

[5/14/09 17:49:19:456 SGT] 00000024 WebApp        E   [Servlet Error]-[action]: javax.servlet.jsp.JspException: ServletException in ‘/WEB-INF/jsps/tiles/menu-editor.jsp’: Exception; TEMPLATE_CLASSPATH=templates/menu/menu-tabbed.vm; exception=Unable to find resource ‘templates/menu/menu-tabbed.vm’

As a J2EE developer, I know that the Blog application seems to be unable to load the “templates/menu/menu-tabbed.vm” from the TEMPLATE_CLASSPATH (just realized that LC-Blog uses Roller and Velocity as the core engine)..

Then I saw the original folder structure as follows

Allright then, now I found the problem and temporary solution.

Copy the <templates> folder to the “classes” folder, as shown below

Then, I consulted IBM consultant about this, and guess what…, this guy mentioned that this is just caused by the Classloader issue. So the solution is just to restart the Blog application.

After restarting the Blog application, suddenly this issue was solved.

Cheers.

Hi Folks, Just in case you are facing the issue in Domino Directory Assistance Group lookup, when you cannot search other groups, this information might be useful.

The followings are the steps to solve this issue:

1. Go to the Directory Assistance (DA) document in Domino Administration
2. Delete the DA document that is supposed to be able to retrieve the correct number of groups
3. Restart the Domino Server
4. After restarted, go back to the DA tab, and re-create the DA document with the same values as the deleted one
5. Make sure that you restart the Domino Server after adding the new DA document

Then, now you should be able to lookup the Groups and as well to the Group Authorization to the Domino Web Application that you have developed which make use of DA.

Cheers.

Hi Folks,

Last time I found a problem when trying to access my applet from a web site. The problem is that “The publisher cannot be verified by a trusted source. Code will be treated as unsigned”, with the Exception “sun.security.validator.ValidatorException: Extended key usage does not permit use for code signing”

After troubleshooting and doing to analysis, finally I found the root cause of it.

Cause:

http://www.docjar.com/html/api/sun/security/validator/EndEntityChecker.java.html

This site shows the actual Java code that throws this Exception

This means that the Certificate Extended Key that is used to sign this Applet JAR cannot be used for code signing.

References:

http://tools.ietf.org/html/rfc2459#section-4.2.1.13

This site (section 4.2.1.13 Extended key usage field) explains the extended key usage.

This extension may, at the option of the certificate issuer, be either critical or non-critical. If the extension is flagged critical, then the certificate MUST be used only for one of the purposes indicated. If the extension is flagged non-critical, then it indicates the intended purpose or purposes of the key, and may be used in finding the correct key/certificate of an entity that has multiple keys/certificates. It is an advisory field and does not imply that usage of the key is restricted by the certification authority to the purpose indicated. Certificate using applications may nevertheless require that a particular purpose be indicated in order for the certificate to be acceptable to that application.

If a certificate contains both a critical key usage field and a critical extended key usage field, then both fields MUST be processed independently and the certificate MUST only be used for a purpose consistent with both fields.  If there is no purpose consistent with both fields, then the certificate MUST NOT be used for any purpose.

The following key usage purposes are defined by this profile:

id-kp OBJECT IDENTIFIER ::= { id-pkix 3 }

id-kp-serverAuth              OBJECT IDENTIFIER ::=   {id-kp 1}
– TLS Web server authentication
– Key usage bits that may be consistent: digitalSignature,
–                         keyEncipherment or keyAgreement
–
id-kp-clientAuth              OBJECT IDENTIFIER ::=   {id-kp 2}
– TLS Web client authentication
– Key usage bits that may be consistent: digitalSignature and/or
–                            keyAgreement
–
id-kp-codeSigning             OBJECT IDENTIFIER ::=   {id-kp 3}
– Signing of downloadable executable code
– Key usage bits that may be consistent: digitalSignature
–
id-kp-emailProtection         OBJECT IDENTIFIER ::=   {id-kp 4}
– E-mail protection
– Key usage bits that may be consistent: digitalSignature,
–                         nonRepudiation, and/or (keyEncipherment
–                         or keyAgreement)
–
id-kp-timeStamping    OBJECT IDENTIFIER ::= { id-kp 8 }
– Binding the hash of an object to a time from an agreed-upon time
– source. Key usage bits that may be consistent: digitalSignature,
–       nonRepudiation

Solutions:

Re-create certificate with Extended Key Usage for Code Signing.

Hi folks,

Last time I got a bit of pain in my head when trying to configure the IBM Tivoli Directory Server (TDS) Password Policy. Finally I managed to do it and ran some test scenarios. This article describes the steps to configure the Password Policy in TDS and also shows some test scenario.

How to configure the password policy?

The first thing is that you go into the TDS Web Console

Click the “pwdpolicy” and then select All

Click “Next”

Make sure that you check the “Enabled”

Do the changes as necessary

Make sure that you choose the “Check Syntax” in he above screen

And then click “Finish”

Then assign the ACL appropriately

Go to the “Directory Management – Manage Entries”

Choose the “Edit ACL” and click “GO” button

On the “Effective ACL”, click “Load” or “Refresh”

View the “cn=anybody”

Make sure that you remember this ACL setting, because after you assign another ACL, this current ACL setting will be automatically removed by the TDS

Click the “Non-filtered ACLs”

Click the “Add” button

Use the “cn=this” which means that this ACL applies to the user to change attributes belong to himself

Make sure that you add “userPassword” into it and grant all access

Then put back the “cn=anybody” to the ACLs list

Then you should be able to see “cn=this” and “cn=anybody”

Testing the password policy (to be continued…)