Running The Population Wizard

The first thing we’re going to want to do once the Connections applications successfully install is test them by logging in as a regular user. To do that the user must have a profile in the PEOPLEDB or Connections will throw an error. The easiest way to ensure that profile exists is to run the Population Wizard.

The Population Wizard is a simple tool that asks a series of questions, such as where your LDAP directory is, where your DB2 databases are, and where TDI is. It uses those answers to run a one-off script using TDI that imports all users into Connections, creating a profile for each of them along the way. It’s designed to work in only one direction (you can pull information from LDAP to databases only, not the other way around).

For a test environment or a very small manually-maintained environment you could run the PopulationWizard to update the databases whenever you want but for production it’s not really workable.  However, this is just to ensure we have some data in place that we can use for testing.  We will work with the custom TDI scripts later to fine tune what we want.

To run the population wizard look in the “Wizards” directory from the ConnectionsWizards download.  The file will be called populationWizard.sh (or populationWizard.bat).


The JDBC drive path must contain the drivers for your database platform.  If you aren’t running TDI on the same server as your databases you will need to copy the drivers from the database server to the TDI server to reference them here.

The User ID is the account granted full rights to the PEOPLEDB database.  This can often be a custom account and not (as in this case) the instance owner.


Here we tell the wizard where our LDAP server is and how to connect to it. If you are using a secure port such as 636, make sure you check the box for “Use SSL communication”.


These are the bind credentials to login and query LDAP.  They aren’t stored anywhere in this activity or used for any purpose other than running this one-off wizard so any credentials would do.


This shows the sample mapping of LDAP attributes to database fields. For example “mail” in LDAP will map to the field “Office Email”.  On this screen we can choose what attributes to map where and even if we want to map attributes at all.  Anything we don’t map won’t be populated with data and will appear as empty in Connections.

Once the populationWizard completes it should report that it imported your users.  To do this it wrote instructions to properties files and ran script files stored in the location:

/Wizards/TDIPopulation/linux/TDI –

The files it wrote our instructions to are:

profiles_tdi.properties
solutions.properties
mapdb_repos_from_source.properties

The script files it ran were:

collect_dns.sh
populate_from_dn_file.sh

The activity is recorded in /Wizards/TDIPopulation/linux/TDI/Logs.

We’ll come back to this later when we start customising our syncing activity.

Setting Up An LDAP Repository

Before we do anything else we now need to make sure our users can login.

WebSphere only has an internal file repository that will only contain the “wasadmin” entry we created when installing. The users and groups we want to be able to use Connections aren’t in that File Repository, they are in an LDAP directory (or directories) somewhere. We need to tell WebSphere’s deployment manager where to find and authenticate those users.

First we need to consider where our directory is going to be and if there will be one or multiple directories (if all users aren’t held in one place).  For instance, if all my users login to Active Directory I might use that, or I might use Domino which itself could be running Directory Assistance.

When deciding on LDAP directory configuration:

  1. As few directories as possible should be referenced
  2. Every user should have a unique key in the directory
  3. If you use multiple directories each user should appear only once with their unique key. If my key is my email, gabriella@connections101.info, then there should only be one entry with that name across all the directories we reference.
  4. The directory should be a trusted source with strong password validation

In this case we’re going to choose a single Domino LDAP server but we could have just as easily chosen Active Directory or many other LDAP directory sources.

Adding external directories in WebSphere is known as adding Federated Repositories. Before modifying or adding any federated repository I like to take a backup of the Deployment Manager.  Very often if the LDAP configuration is wrong you can end up locking yourself out of WebSphere entirely and you will need to restore from that backup.

To back up, go to the /bin directory under /profiles/Dmgr01 and run:

./backupConfig.sh <locationofzipfile> -nostop


To add or modify a Federated Repository we go to Global Security in the ISC and choose “Configure” next to the “Available realm definitions – Federated repositories”:


We are going to add an LDAP repository:


Here we enter the details of the LDAP directory source we’re going to use. In this case I have a Domino server running LDAP on hostname ldap.connections101.info and secure port 636. Note how the “Require SSL Communications” checkbox is enabled: you must select this if you are connecting to LDAP securely.

Choosing the right Directory type from the drop down list ensures that the LDAP query syntax is correctly formed for the directory you are accessing. Selecting “IBM Lotus Domino” when pointing to an Active Directory server will prevent the directory from working.

I do not recommend using bind credentials to login to your LDAP directory unless you are also using a secure SSL protocol to connect. If you are connecting using 389 or another non-encrypted port I would suggest an anonymous bind.

The field “Federated repository properties for login” will determine what values can be used to login.  These are all LDAP attributes that map to fields in the source directories. If possible in a Connections environment we want to have “uid” listed first.  UID maps to the value ‘shortname’ in Domino LDAP, ‘mail’ maps to the internet mail address and ‘cn’ maps to my fullname.  With the values set here as uid,mail,cn I will be able to login using variations of my name including:

gdavis
gabriella@turtlepartnership.com
Gabriella Davis
Gabriella Davis/Turtle
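
Directory rules 2 and 3 above, together with the uid,mail,cn login properties, can be checked before the repositories are federated. The script below is an added example, not part of the original post or any IBM tool: it parses LDIF exports (including folded lines and base64 values) and reports any login value that resolves to more than one entry, plus entries with no uid. The sample exports, the second directory named "ad" and the function names are constructed for illustration.

```python
import base64
from collections import defaultdict

LOGIN_ATTRS = ("uid", "mail", "cn")  # the login properties order used on this page

# Constructed sample exports (not real data); "ad" is a hypothetical second directory.
DIRECTORIES = {
    "domino": """\
dn: CN=Gabriella Davis,O=Turtle
cn: Gabriella Davis
uid: gdavis
mail: gabriella@connections101.info

dn: CN=Sam Example,O=Turtle
cn: Sam Example
mail: sam@connections101.info
""",
    "ad": """\
dn: CN=Gabriella Davis,OU=Staff,
 DC=connections101,DC=info
cn: Gabriella Davis
uid:: Z2Rhdmlz
mail: Gabriella@Connections101.info
""",
}

def parse_ldif(text):
    """Parse LDIF text into a list of {lowercase attribute: [values]} dicts."""
    lines = []
    for raw in text.splitlines():
        if raw.startswith(" ") and lines:   # folded line: continues the previous one
            lines[-1] += raw[1:]
        else:
            lines.append(raw)
    entries, current = [], {}
    for line in lines + [""]:               # trailing blank flushes the last entry
        if not line.strip():
            if current:
                entries.append(current)
            current = {}
        elif not line.startswith("#") and ":" in line:
            attr, _, value = line.partition(":")
            if value.startswith(":"):       # "attr:: value" is base64-encoded
                value = base64.b64decode(value[1:].strip()).decode("utf-8")
            current.setdefault(attr.strip().lower(), []).append(value.strip())
    return entries

def login_collisions(directories):
    """Return {login value: [(directory, dn), ...]} for values matching 2+ entries."""
    owners = defaultdict(set)
    for name, text in directories.items():
        for entry in parse_ldif(text):
            if "dn" not in entry:           # e.g. a leading "version: 1" block
                continue
            for attr in LOGIN_ATTRS:
                for value in entry.get(attr, []):
                    owners[value.lower()].add((name, entry["dn"][0]))
    return {v: sorted(o) for v, o in owners.items() if len(o) > 1}

def missing_key(directories, key="uid"):
    """Return [(directory, dn)] for entries that have no value for the chosen key."""
    return [(name, e["dn"][0]) for name, text in directories.items()
            for e in parse_ldif(text) if "dn" in e and key not in e]

if __name__ == "__main__":
    for value, owners in sorted(login_collisions(DIRECTORIES).items()):
        print("ambiguous login %r -> %s" % (value, owners))
    for name, dn in missing_key(DIRECTORIES):
        print("no uid: %s in %s" % (dn, name))
```

Comparison is case-insensitive, and the base64-encoded uid in the second export decodes to the same shortname as the Domino entry, so a plain text search of the exports would miss that collision.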

Finally the value for failover server can be used to point to other identical directories. Although many customers use a separate load balancer to handle LDAP failover, WebSphere actually responds faster to multiple LDAP failover servers entered here rather than waiting for a load balancer to return a new host.

WebSphere will attempt to validate all the information on this screen including hostname, bind credentials and port when we save. The next step is to define the Unique Distinguished Name for entries in this repository. Whatever we choose here, it must be unique across all directories.

For this directory I could use the value O=Turtle and that will restrict valid users to just those with a hierarchical name containing the Turtle organisation, e.g. Gabriella Davis/Turtle. In a Domino directory, uniquely among LDAP sources, not all entries are hierarchical (group names for instance are flat) so with this configuration WebSphere won’t recognise any Domino groups. One option to work around that is to use the value “root” for the Unique distinguished name which will tell WebSphere to recognise all organisations and even flat names or groups.


We also need to make sure the Group definitions are correct for the directory type we are using. For Domino the attribute used for defining a group is called “dominoGroup” not the default “groupOfNames” and the member attribute is called “member”.

Once the repository is configured we log out of the ISC and restart the deployment manager, then we log back in and go to Users and Groups – Manage Users / Manage Groups to confirm that all our LDAP users and groups are found and displayed.

If I can’t log back in after a restart I can roll back to the earlier backed up instance of the deployment manager and start over.


Now that the Federated Repository is set up the next thing we want to do is add additional accounts that can administer the ISC, including an LDAP account which will become the Connections Administrator. Here we are using an account called “connadmin” that I created in the Domino directory. Once the account is added we can test that it works by logging out of the ISC and attempting to login as “connadmin”.

Linux Setup And Tools

I like installing on Linux and know just enough about RHEL and SLES to get the work done that I need to do. I wouldn’t call myself an expert but I know what works for me to build Connections.  For instance there are several things I have on my checklist when deploying a Linux OS for Connections.

  1. I always deploy using supported distros.  That means for me specifically RHEL or SLES. I know people deploy using CentOS and others – I don’t.  Partly because it’s not supported so if it goes wrong I can’t expect IBM to help me and partly because I’m providing a Connections installation consultancy not Linux consultancy – when I quote work it’s to install Connections not to go down a rabbit hole of Linux workarounds.  I would feel bad charging people for Linux consultancy, there are far better Linux experts out there!
  2. I always take a subscription so I can update the OS and download any tools or libraries I need. For this demo build which is only going to run for a few months I’m using a 30 day RHEL trial license so I can set it up properly. Once more it’s about time. It costs a lot more in my time to manually find, download, place and install packages without a subscription than a single license costs. When you install RHEL the first thing you are going to want to do is update and add packages; with a subscription you can do that in minutes rather than hours.
  3. I like to use gedit for editing XML files in place (yum install gedit) rather than vi or another text editor. The display of the structure and attributes is very clear which makes it easy for me to find content and spot typos. Connections is all about XML files.
  4. I use WinSCP to copy files from a Windows machine over to a Linux one. If I’m using my Mac I just use scp from within terminal but often I am on a remote server on a customer site and WinSCP is easier to deploy and use. It’s also really easy to recursively copy entire directories like the log directories off the server to read. Whenever I’m analysing logs, for all but the simplest reviews, I prefer to offload them from the server and review them on my workstation.
  5. I use AQT (Advanced Query Tool) for opening and reviewing databases and install it on my Windows workstation. It’s not expensive and supports all ODBC connections and a lot more. I have a blog piece on it here.
  6. I install a graphical interface on Linux (usually GNOME) because I prefer working with that for things like Installation Manager and because X11 forwarding is too slow through most customer VPNs to make it workable for me.  If you’re not a seasoned Linux expert having a GUI will save you a lot of stress and make you better able to manage the environment.
  7. I use NoMachine as a remote desktop on Linux which ensures my session activity doesn’t time out even if I go away, shut my laptop, get some sleep. It also means other people can connect and take over my session where I left it.
  8. I edit the /etc/hosts file and ensure that I have explicit entries for the local server, whatever hostnames it may use and all the other servers in my Connections environment with their hostnames.  I could rely on DNS to do this.  I choose to have more direct control over name resolution by using the hosts file.

So all of that is in place and now I’m ready to get started.

Time To Download Take 2 – Connections 5.5

Update for Connections 5.5 – the previous post referred to Connections 5 and we will be installing 5.5 which shipped Dec 18th 2015.

There were Day 1 fixes for Connections which must be installed.

I usually set aside a day in my planning to find all the latest software, the latest patches and get them in place and extracted on the servers I’m using. I like to create a “Software” directory on the deployment manager to put everything in one place and so I don’t have to keep copies on every server but that takes space. Expect to need up to 50GB for your installers. To manage space I like to delete the extracted directories once I’ve completed the installs.

None of the downloads I’ve listed below are optional and that certainly includes the fixpacks and fixes. You need all of these if you’re going to install Connections.

IBM Installation Manager

I like to download the latest 64bit version. It will give you a warning when you install Connections that Connections itself is a 32bit product but I find the 64bit version works better regardless. The latest version is 1.8.4 but find all versions here with links to their downloads on Fix Central (where you’ll need to login).

WebSphere 8.5.5

Comes in three parts and you’ll need all three extracted to the same directory.

CIK2HML IBM WebSphere Application Server Network Deployment V8.5.5 (1 of 3)

CIK2IML IBM WebSphere Application Server Network Deployment V8.5.5 (2 of 3)

CIK2JML IBM WebSphere Application Server Network Deployment V8.5.5 (3 of 3)

WebSphere 8.5.5 Fixpack 6

Once WebSphere is installed,  Installation Manager will connect to the IBM download sites to bring down fixes and fixpacks on demand.  To do this you need a login for your Passport account and your server needs to be able to connect outbound on port 80 either directly or via a proxy.  I find this a much simpler way of deploying updates than finding and downloading the files so I usually don’t download them in advance.

If your server isn’t going to be able to do that you will need to download the fixpack from this document

IBM HTTP Server 8.5.5

IHS is found inside the WebSphere Supplementals downloads, along with other tools that we’re not going to use here.  There are once again three separate download files and you’ll need to get all three and extract them all to their own directory.  Which I like to call WASSUPP because it makes me smile.

CIK1VML IBM WebSphere Application Server V8.5.5 Supplements (1 of 3)

CIK1WML IBM WebSphere Application Server V8.5.5 Supplements (2 of 3)

CIK1XML IBM WebSphere Application Server V8.5.5 Supplements (3 of 3)

DB2 10.5 Fixpack 5

There are a lot and I mean A LOT of DB2 products but the one I’m going to download and use is

CIXV0ML IBM DB2 Server V10.5 for Linux on AMD64 and Intel EM64T systems (x64) Multilingual

For a full list of DB2 10.5 products and part numbers take a look here

DB2 10.5 Fixpack 5 (10.5.0.5) is downloadable from Fix Central via this document.  I like to download the Universal Fix Pack installer.

All download links for all DB2 version and platform fixpacks are found on this technote

Tivoli Directory Integrator 7.1.1

CZUF3ML IBM Tivoli Directory Integrator Identity Edition V7.1.1 for Linux – x86-64,

TDI Fixpack 4

The documentation and a link to the Fix Central download is here

The Fix Central homepage is here

IBM Connections Wizards

CN80DML IBM Connections V5.5 Wizard for Windows Multilingual

IBM Connections Installer

CN80AML IBM Connections V5.5 for Linux Multilingual

Day 1

Details of the upgrade strategy for the Day 1 fixes are here

Upgrade Installer (needed to install the updates) here

Day 1 Connections Fixes here

Database Wizard (Windows) here

iFix 5.5.0.0-IC-News-IFLO87487

iFix  5.5.0.0-TypeAhead-20151218

iFix  5.5.0.0-IC-Common-IFLO87469

Updated migration tool (only used for migrating from a previous install) here


Download Files for v5. CR3

I usually set aside a day in my planning to find all the latest software, the latest patches and get them in place and extracted on the servers I’m using. I like to create a “Software” directory on the deployment manager to put everything in one place and so I don’t have to keep copies on every server but that takes space. Expect to need up to 50GB for your installers. To manage space I like to delete the extracted directories once I’ve completed the installs.

None of the downloads I’ve listed below are optional and that certainly includes the fixpacks. You need all of these if you’re going to install Connections.

IBM Installation Manager

I like to download the latest 64bit version. It will give you a warning when you install Connections that Connections itself is a 32bit product but I find the 64bit version works better regardless. The latest version is 1.8.3 but find all versions here with links to their downloads on Fix Central (where you’ll need to login).

WebSphere 8.5.5 

Comes in three parts and you’ll need all three extracted to the same directory.

CIK2HML IBM WebSphere Application Server Network Deployment V8.5.5 (1 of 3)

CIK2IML IBM WebSphere Application Server Network Deployment V8.5.5 (2 of 3)

CIK2JML IBM WebSphere Application Server Network Deployment V8.5.5 (3 of 3)

WebSphere 8.5.5 Fixpack 4 (as of CR3)

Once WebSphere is installed,  Installation Manager will connect to the IBM download sites to bring down fixes and fixpacks on demand.  To do this you need a login for your Passport account and your server needs to be able to connect outbound on port 80 either directly or via a proxy.  I find this a much simpler way of deploying updates than finding and downloading the files so I usually don’t download them in advance.

If your server isn’t going to be able to do that you will need to download the fixpack from this document

IBM HTTP Server 8.5.5

IHS is found inside the WebSphere Supplementals downloads, along with other tools that we’re not going to use here.  There are once again three separate download files and you’ll need to get all three and extract them all to their own directory.  Which I like to call WASSUPP because it makes me smile.

CIK1VML IBM WebSphere Application Server V8.5.5 Supplements (1 of 3)

CIK1WML IBM WebSphere Application Server V8.5.5 Supplements (2 of 3)

CIK1XML IBM WebSphere Application Server V8.5.5 Supplements (3 of 3)

DB2 10.5

DB2 10.1 is supported still and if you search for IBM Connections downloads that will be what you are offered but DB2 10.5 is licensed and supported (as of CR2 of Connections)

There are a lot and I mean A LOT of DB2 products but the one I download and use is

CIXV0ML IBM DB2 Server V10.5 for Linux on AMD64 and Intel EM64T systems (x64) Multilingual

For a full list of DB2 10.5 products and part numbers take a look here

DB2 10.5 Fixpack 4 (10.5.0.4 known as “Cancun” apparently) is downloadable from Fix Central via this document.  I like to download the Universal Fix Pack installer.

All download links for all DB2 version and platform fixpacks are found on this technote

Tivoli Directory Integrator 7.1.1

CZUF3ML IBM Tivoli Directory Integrator Identity Edition V7.1.1 for Linux – x86-64,

TDI Fixpack 4

The documentation and a link to the Fix Central download is here

The Fix Central homepage is here

IBM Connections Wizards

CN1F6ML IBM Connections V5.0 Wizard for Linux, AIX Multilingual

IBM Connections Installer

CIYQ7ML IBM Connections V5.0 for Linux Multilingual

Connections CR3

Downloadable from Fix Central here . The entire update strategy technote for all CRs for v5 along with IBM documentation is here

CR3 Database Update Scripts

Although CR3 only requires an update to the Homepage schema, if you are updating from 5.0 (instead of from CR2) you also need all the updates supplied with CR1 and CR2.  The script package includes all updates including the CR3 homepage and previous schema changes.

Database scripts are in a zip file downloadable here

Forms Experience Builder 8.5

CN0VYML IBM Forms Experience Builder V8.5.1 Linux Multilingual

IBM File Viewer 1.0.7

IBM File Viewer will support WebSphere 8.5.5.4 as a platform although it requires an additional fix according to this link . Since Connections only just started supporting 8.5.5.4 itself (as of CR3) I haven’t installed File Viewer using that version yet, only 8.0.0.x.  I’ll be using it for this blog though.

IBM File Viewer itself is in theory available on http://greenhouse.lotus.com but I always struggle to get it from there.  However if you can get the IBM Docs download from your passport site, we actually install a Conversion Server and a File Viewer Server which are components of IBM Docs.  Installing an IBM Docs server requires separate licensing but you can use the download to install just the two components you need.

CN54LML IBM Connections Docs V1.0.7 for Windows and Linux Multilingual