I had the pleasure to install an IBM Connections pilot for a customer together with Etienne Döhler a few weeks back.

One of the obstacles we faced during the install was a rather sealed off RedHat GNU/Linux box, that had only port 22 (ssh) open to the PCs we were using for the install (fortunately with X11 installed and X11 forwarding allowed). As the customer wanted the IBM HTTP Server (IHS) to listen on 8080/8443 for the communication with the already existing Reverse Proxy (RP, managed by Lufthansa) they also opened that port, but only for connections with the RP.

One of the "best practices" I try to convey at Social Connections et.al. is that you should always test your install without a Reverse Proxy, Load Balancer, ... and make sure everything works before you introduce the additional complexity of a Reverse Proxy or similar.

So how to connect to the IBM Solutions Console and the IHS when the only open port to that machine is SSH (22)? Well, SSH and its config file to the rescue!

SSH has a nifty feature called port forwarding. This allows you to forward local ports to a remote machine. Together with some creative hosts file editing, you can use your local browser to access the remote machine as if the necessary ports were open on the remote machine.

We needed the following URLs to work:

  • https://machinename.example.com:9043/ibm/console
  • http://machinename.example.com:8080/homepage
  • https://machinename.example.com:8443/homepage

So the first thing to do was to modify the hosts file to point machinename.example.com to    localhost machinename.example.com

And then create an entry in ~/.ssh/config with the local port forwarding and further settings to spare us some typing:

Host customername 

        # Specify destination host by IP, as we have an hosts entry for the name
        Port 22
        User zaphod
        IdentityFile ~/.ssh/customername_rsa
        Compression no
        AddressFamily inet
        ForwardX11 yes
        LocalForward 9043
        LocalForward 8080
        LocalForward 8443
        PreferredAuthentications publickey,keyboard-interactive,password

So with a simple "ssh customername" I can now connect to the GNU/Linux machine with the key I created to that purpose and have X11 forwarding as well as local port forwarding activated. And as long as that ssh session is open, I can now access the ISC and the IHS in my local browser as if 9043, 8080 and 8443 were open network ports on the remote box.

And it was a good thing that we were able to test directly with the IHS and verify that everything was working as expected, as the RP had disabled SSLv3, which broke the IBM Connections Widgets at that time. But that is a story for another blog entry.

For more SSH voodoo, see my "Was, SSH kann auch das?" talk at the Grazer Linuxwochen 2013 (in german).


Back to top

If you need to open a VPN connections to Softlayers private network, you should do this via a browser, as described at http://knowledgelayer.softlayer.com/procedure/ssl-vpn-connections. From what I experienced, with Linux you would need to run a browser as root to follow the instructions.

Fortunately, there is another way: The command-line client. Using that is rather straight forward (except one gotcha).
1.        Download the VPN software from http://speedtest.dal05.softlayer.com/array/ArrayNetworksL3VPN_LINUX.zip
cd ~/Downloads
wget http://speedtest.dal05.softlayer.com/array/ArrayNetworksL3VPN_LINUX.zip

2.        Rename the zip file to bin (I tried to uncompress it, which failed miserably)
mv ArrayNetworksL3VPN_LINUX.zip ArrayNetworksL3VPN_LINUX.bin
3.        Make the file executable
chmod 777 ArrayNetworksL3VPN_LINUX.bin
4.        Execute it as root
sudo ./ArrayNetworksL3VPN_LINUX.bin

And your are done.

Now you can open up a VPN connections to Softlayer from the comfort of your command-line:
sudo /usr/local/array_vpn/array_vpnc -hostname https://vpn.ams01.softlayer.com -username [YOUR SOFTLAYER USERNAME] -passwd '[SUPER_SECRET PASSWORD]' &

Which should give you a

message back.

A quick "ifconfig tun[x]" should also show a valid 10.a.b.c Softlayer IP adresss.
ifconfig tun1 
tun1      Link encap:UNSPEC  HWaddr 00-00-00-00-00-00-00-00-00-00-00-00-00-00-00-00  
        inet addr:  P-t-P:  Mask:
        RX packets:1 errors:0 dropped:0 overruns:0 frame:0
        TX packets:0 errors:0 dropped:0 overruns:0 carrier:0
        collisions:0 txqueuelen:500
        RX bytes:20 (20.0 B)  TX bytes:0 (0.0 B)

If you can also successfully ping or your server's private address,  you are successfully connected.
ping -c 3 
PING ( 56(84) bytes of data.
64 bytes from icmp_seq=1 ttl=253 time=35t4.6 ms
64 bytes from icmp_seq=2 ttl=253 time=34.9 ms
64 bytes from icmp_seq=3 ttl=253 time=35.1 ms

--- ping statistics ---
3 packets transmitted, 3 received, 0% packet loss, time 2003ms
rtt min/avg/max/mdev = 34.605/34.886/35.148/0.222 ms

Pro-tip: Use the VPN server of the Softlayer datacenter where your machines reside.  Apparently, there exists at least one Softlayer VPN Server for every datacenter:
  • https://vpn.dal01.softlayer.com for Dallas, Texas, USA
  • https://vpn.sea01.softlayer.com for Seattle, Washington, USA
  • https://vpn.wdc01.softlayer.com for Washington, D.C., USA
  • https://vpn.ams01.softlayer.com for Amsterdam, The Netherlands, Europe
  • and so on ...

I must say, that I was pleasantly surprised (again) by Softlayers support. I had a correct answer to my question in under 5 minutes after opening the ticket.


Back to top

Join subject matter experts from the IBM Domino team for an Ask the Experts Q&A session titled "Managing Domino - Admin Client, AdminP, and Policies." We'll begin the session with a short demo or presentation but the main focus of the session is Q&A. So bring your questions!

Topic: Managing Domino - Admin Client, AdminP, and Policies
Date: Tuesday, November 4, 2014
Time: 11:00 AM EST (15:00 UTC/GMT, UTC-4 hours) for 60 minutes
Webcast URL: https://apps.na.collabserv.com/meetings/join?id=2897-4178
Webcast Password:  webcast

For a list of world-wide phone numbers, the phone passcode, and an iCalendar (.ics) file for this session, click here: http://www.ibm.com/support/docview.wss?uid=swg27043194


Back to top

Join John Ballam from the Domino team as he discusses installation, setup, and going into production with your Lotus Protector for Mail Security (LPMS) server.

After a presentation, attendees will be given an opportunity to ask questions to the technical experts we will have on hand. Throughout the event, attendees will also be encouraged to comment or ask questions in the IBM SmartCloud Meeting Web chat.

For a list of world-wide phone numbers, the phone passcode, and an iCalendar (.ics) file for this session, visit http://www.ibm.com/support/docview.wss?uid=swg27043642.


Back to top

Running a Domino based web application behind a reverse proxy (as I am doing for quite some time now) is the latest craze (due to the SSL issues in the current Domino SSL stack). Sean Cull has instructions for configuring Apache, Jesse Gallagher for ngix.

There is one issue unsolved though in Seans configuration w(that Jesse solved for ngix). The field "Remote_Addr" in the web application will, due to Apache acting as a reverse proxy, not contain the IP of the client calling the app any more. Which can be an issue, if you need that information in your app. The Domino Blog for example can't block clients based on their IP any more.

The solution for that is to set the parameter "HTTPEnableConnectorHeaders=1" either in the notes.ini or a configuration document. With that, Domino maps the following additional headers to the corresponding, regular fields:

The Auth Type that is being used to make this request.

The Client Certificate used for this request. If the value is not base64 encoded for us by the Web server, then the plug-in will base64 encode it before sending it across to the application server.
Restriction: If you enable this, it is assumed you know what you’re doing, and how to protect direct access to the port at which the embedded http is listening.
Note: If you set the LogLevel to TRACE in the plugin XML config file, it is possible to see what headers are actually added for a given request. Appendix C. Domino 6 HTTP plug-in hints and tips 659

The cipher suite that the Web server negotiated with the client. This is not necessarily the cipher suite that the plug-in will use to send the request across to the application server.

This header will be set to either True or False depending on whether or not the request is secure (came in over SSL/TLS).

The scheme being used for the request. This header will normally be set to either http or https.

The HTTP protocol level being used for this request. The plug-in currently has support for up to HTTP/1.1 requests.

The remote IP address of the machine the client is running on.

The remote host name of the machine the client is running on. If the hostname can't be resolved, this header should be set to the IP address.

The remote user specified for the given request.

The server name used for this request. This should be the value that was specified in the HOST header of the incoming request.

The server port that the request was received on. This will be the port value that is used in route determination.

The SSL Session ID being used for this request. If the value is not base64 encoded for us by the Web server, the plug-in will base64 encode it before sending it across to the application server.

So in our case, "$WSRA" would get mapped to the Domino field "Remote_Addr", thereby "fixing" our problem of the missing client IP:

But what have we got to do in order to set  that additional Header in the proxy request from Apache to Domino? The following magic incantation in the correct httpd.conf does the trick:
SetEnvIf REMOTE_ADDR (.*) temp_remote_addr=$1
RequestHeader set "$WSRA" "%{temp_remote_addr}e"

(you need, of course, to enable mod_headers and  mod_setenvif )

This maps the REMOTE_ADDR, containing the clients IP address, to the environment variable "temp_remote_addr", which we then can use to set the $WSRA header in the proxy request. Rinse and repeat for other variables you need.

Simple, isn't it?


Back to top

The latest point release of IBM Mobile Connect, IMC, is available on the Recommended Maintenance page.  You can also find the latest builds of 6.1.5 and 6.1.4 in this location.

In there are new features including the ability for IBM Mobile Connect to act as a True Load Balancer in front of Traveler.  It will have the concept of a Traveler HA Pool Object!  
This means IMC can now sit in front of the pool and all of the servers in a pool are defined in this HA Pool Object. IMC's existing load balancing algorithms can be used to balance the traffic and help Traveler to manage users and follow their sessions when changing Traveler servers.


Back to top

Of the stuff that interests me:

Connections is the new Lotus
IBM strengthened and unified its naming strategy using the IBM Connections brand. Throughout 2014 customers will see IBM increasingly expand the use of the IBM Connections brand and naming throughout our collaborative SaaS and on premises software portfolio.

  • IBM Connections “Next” – this will be a new release of the on premises version of IBM Connections.
  • IBM Mail next is based on Domino both for backend and frontend
  • IBM Sametime is now IBM Connections Chat, IBM Sametime Meetings is IBM Connections Meetings

New in IBM Connections Next
  • Ability to collaborate with external users directly without needing to set up a separate collaboration space.
  • Add new Users by their e-mail and give them access to parts of Connections.
  • Ephox editor now in Connections
  • The capability to change the landing page of an ibm connections community to a blog, wiki
  • File sync !!! Its like dropbox for ibm connections file
  • New feature in #connections you can surf files in a community in Windows Explorer
  • @ mentions coming across the whole product,
  • Forums have a make over too, enhanced view, answered questions
  • IBM Connections Next blog comments are now threaded, and there are permalinks for individual sub-threads
  • Shared connections community folders, file improvements for moving files, improvements to the media gallery & files previews
  • Update desktop plugins and mobile apps with file sync to allow users to travel stress free knowing they have the latest version of a file always available to them.

New in IBM Notes/Domino
  • Out of office support coming to Traveler
  • Notes/Domino language packs to be released at the same time as English. Yes, the EXACT same time
  • Apache Solr will be used for search in future versions of Notes, but GTR is not dead yet
  • Domino Applications in the cloud are now available through a ready-made Platform as a Service offering build on IBM SoftLayer.

Other News


Back to top

Topic: Architecting an IBM Sametime 9.0 Audio/Visual deployment
Day: Wednesday, December 11, 2013
Time: 11:00 AM EST (16:00 UTC/GMT, UTC-5 hours) for 60 minutes

This Open Mic Webcast will provide information for planning, implementing, using, and troubleshooting IBM Sametime 9.0 audio and video (A/V) features. Join IBM's Tony Payne, along with several other members of the IBM Sametime team as they discuss the process for architecting an IBM Sametime 9.0 Audio/Visual deployment.

After a presentation attendees will be given an opportunity to ask questions. Throughout the event, attendees will also be encouraged to comment or ask questions through our SmartCloud meeting web chat. Join us for this interactive, educational, lively session.


Back to top

Live Q&A: Expert advice for upgrading to IBM Sametime 9
Date: Friday, December 13
Time: 11:00 AM Eastern Time

IBM Sametime 9 is the most flexible, robust and affordable social communications platform on the market today. This new release boasts an array of powerful new features, including software-based video Multipoint Control Units (MCUs) that enable continuous video without the use of third-party technologies. What does all of this new functionality mean for your enterprise as it evaluates an upgrade?

Register today to join John Del Pizzo, Head of Product Management for IBM Sametime, for a live Q&A on December 13 from 11 am – 12 pm ET to get a handle on everything IBM Sametime 9 has to offer and how to best deploy it in your environment.

Post your questions for John on IBM Sametime 9 strategy and topics such as:
· How will IBM Sametime 9 integrate with IBM Notes?
· What is the recommended upgrade path from IBM Sametime 8.5.x?
· On which devices are the IBM Sametime 9 mobile feature supported?

John Del Pizzo, Head of Product Management for IBM Sametime
John Del Pizzo currently serves as the head of Product Management for IBM Sametime, IBM's communications software. As Program Director for Social Communications, John is also helping IBM customers explore the intersection of social networking, analytics and unified communications. John has over 15 years of experience in the technology industry, holding sales and business development roles in several startups prior to joining IBM. He earned his MBA from Carnegie Mellon and has a BA in International Relations from the University of Pennsylvania. John currently resides in Broomall, Pennsylvania with his wife and three children.


Back to top

Upgrading / Migrating to Sametime 9

Day: Wednesday, December 4, 2013
Time: 11:00 AM EST (16:00 UTC/GMT, UTC-5 hours) for 60 minutes

 Whether you've already decided to migrate to the new IBM Sametime 9.0 release or you want a bit more information to educate yourself on the process, this will be an educational Open Mic webcast. Join IBM's Tony Payne, along with several other members of the IBM Sametime team as they review the upgrade / migration process to the new IBM Sametime 9.0 release.

After a presentation attendees will be given an opportunity to ask questions. Throughout the event, attendees will also be encouraged to comment or ask questions through our SmartCloud meeting web chat. Join us for this interactive, educational, lively session.


Back to top

This is the Blog of Martin Leyrer, currently employed as IT-Specialist at IBM Austria - IBM Software Group, IBM Collaboration Solutions.

The postings on this site are my own and do not represent the positions, strategies or opinions of any former, current or future employer of mine.