IBM Connections mail with exchange backend

IBM Connections Mail
Plugin Configuration with
Exchange Backend
Michele Buccarello
4/16/2015
This document describe how to configure the IBM Connection Mail Plugin with Exchange Backend

IBM Connections Mail Plugin Configuration with Exchange Backend
IBM Connections Mail Plugin with Exchange Backend
Author:Michele Buccarello Page 1
Table of Contents
PREREQUISITES............................................................................................................................................ 2
WHAT THE WIKI SAYS .................................................................................................................................. 2
KERBEROS CONFIGURATION........................................................................................................................ 2
CONFIGURE THE AUTODISCOVERY SERVLET................................................................................................. 7
CERTIFICATE EXPORT ............................................................................................................................... 8
IMPORT THE SSL CERTIFICATE IN WEBSPHERE.........................................................................................11
CONFIGURE socialmail-discovery-config.xml ...........................................................................................12
TROUBELSHOOTING....................................................................................................................................13
WIDGET ARCHITECTURE..........................................................................................................................13
SERVER SIDE........................................................................................................................................14
BROWSER SIDE....................................................................................................................................14
AUTHENTICATION FLOW.........................................................................................................................14
ADDITIONAL TRACE.................................................................................................................................15
GATHERING TRACE AND DEBUG INFORMATION......................................................................................16
HTTP 400 ISSUE (negotiation header too long) ........................................................................................19
DELEGETION DOESN’T WORK ONLY IN CHROME .....................................................................................20

PREREQUISITES
This guide cover all configuration of IBM Connections Mail plugin with Exchange as a backend, before to
read check these requirements
1) IBM Connections 5 CR2 or later
2) IBM Connections Mail 1.6
3) Exchange server compliant with System Requirements and with Kerberos enabled. For system
requirements check http://www-01.ibm.com/support/docview.wss?uid=swg27036069
4) A good knowledge about Kerberos protocol and delegation process
5) A basic knowledge about Exchange Web Services (EWS) and autodiscovery mechanism
6) Kerberos Enabled on all Exchange server (NTLM auth works only with autodiscoery process not for
EWS )
7) A basic knowledge about Whireshark
WHAT THE WIKI SAYS
In the URL below you could find all official information about Mail Plugin configurations
http://www-01.ibm.com/support/knowledgecenter/SSVMJU_1.6.0/icm_pre-install.dita
This guide is a compendium about the configuration and authentication flow for the Exchange integration.
KERBEROS CONFIGURATION
In the official wiki the first step is configuring correctly the SPNEGO and KERBEROS authentication
mechanism as described in this link
http://www-01.ibm.com/support/knowledgecenter/SSVMJU_1.6.0/icm_spnego.dita
Before to start the SPNEGO configuration two steps are important requirement:
1) Mapping an Active Directory Account to Administrativer roles
http://www-
01.ibm.com/support/knowledgecenter/SSYGQH_5.0.0/admin/secure/t_kerb_configure_AD_accou
nmhhhbnt.dita?lang=en
2) Create a Service Principal Name and Keytab file
http://www-
01.ibm.com/support/knowledgecenter/SSYGQH_5.0.0/admin/secure/t_install_kerb_create_service
_account.dita?lang=en
You could skip the point one only if your installation is built with an active directory user, check the image
below if during your installation process in the administrator user id field you have used an user from LDAP.

In the wiki the point two is really detailed but if you are going to do this configuration on Windows 2012
Active Directory some extra steps are a requirement to avoid problems with Kerberos authentication:
- Windows 2012 have a strong encryption this creates problems with the Kerberos protocol because
normally the communication between the Key Distribution Center and the Domain Computer
works via UDP protocol but the UDP payload isn’t unable to contain all encrypted information
because it is really small than the TCP packet, to force the communication via TCP protocol you
must add this line inside the krb5.conf  udp_preference_limit = 1
- If you are going to setup Kerberos in an Active Directory Domain forest with child site and Different
Realm you must explicit all realm in the sections realms and domain_realm
- If you see error related to the KDC options you must manually set this options in the krb5.ini, in
particular with Windows 2012 I force the proxiable = false and renewable = false, this step is not a
requirement and it solve problems in the infrastructure where I setup the Kerberos authentication.

In the image below a full example of the krb5.ini
Below the screen about Kerberos / SPNEGO WebSphere settings.

In the step five you should add the generic property inside the properties tag. In my environment I
experienced some problems but more investigation are required about this generic property:
- <genericProperty name="shindig.config.container.overrides">
By default in connections 5 we have a generic property “shinding overrides” in the sections properties and
if you follow the wiki the result would be something like this
We experienced some problems with the this configuration because it seems the first property is
overwritten by the second. To avoid any strange issue we merge the two property into a big one.
Now we have successful complete all Kerberos / SPNEGO configuration.
CONFIGURE THE AUTODISCOVERY SERVLET
The autodiscovery servlet is used to discovery the mail server where the mail file is located, in particular
Exchange have the own system to give this type of information. In the wiki link we could find all information
about the autodiscovery configuration:
- http://www-01.ibm.com/support/knowledgecenter/SSVMJU_1.6.0/icm_discovery.dita
The first step described in the section 2.A says to ask the certificate to the administrator, we could export
the certificate manually from the browser. Below the screens show an export of the ibm ssl certificate, the
steps are the same for Exchange.

CERTIFICATE EXPORT
Click on the padlock icon, and the click on view certificates.
Click on Certification Path

Export the Certificate authority and the intermediate certificate ( first and second certificate)
CA Export: select the first certificate and click “view certificate”.
Check in the new window if in the certificate path there is only the CA certificate

Now we export the CA
In the last screen press finish to complete the export of CA certificate and close the CA window.

The same steps are used for the intermediate certificate the important thing is to select in the first window
under certificate path the second certificate
After click on view certificate apply the same steps to export the intermediate certificate.
At this point we need to import this certificates on the WebSphere cacertes via keytool utility.
IMPORT THE SSL CERTIFICATE IN WEBSPHERE
The commands are described in the section 2.b, below the command used
keytool -import -file cacert.cer -alias exchange_cacert -
keystore E:IBMWebSphereAppServerjavajrelibsecuritycacerts
keytool -import -file intermdiate.cer -alias exchange_intermediatecert -
keystore E:IBMWebSphereAppServerjavajrelibsecuritycacerts
the default password for cacerts file is changeit.

CONFIGURE socialmail-discovery-config.xml
In the wiki step three and four you need to copy the socialmail-discovery-config-template.xml
from the ConnectionsMail folder and paste it in theDMGR folder:
- WAS-root/AppServer/profiles/Dmgr01/config/cells/cell-name/LotusConnections-config
In the steps five and six are described the options, in the image below an example configuration.

TROUBELSHOOTING
IBM Connections Mail Plugin is a widget based on open-social gadget running on Apache Shinding widget
container. In IBM Connections, the Apache shinding implementation is contained in the
WidgetContainer.ear installed in the InfraCluster server.
The mustgather link is:
- http://www-01.ibm.com/support/docview.wss?uid=swg21677101
all websphere trace must set in the server where the widgetcontainer.ear is located.
WIDGET ARCHITECTURE

SERVER SIDE
IBM Connections Mail opensocial gadget use a different Ajax Proxy the name is CREAjaxProxy. This Ajax
proxy is used to send all back-end call to the Exchange EWS WebService, for example the HTTPS post with
the delegated credential are sent through the CREAjaxProxy to the Exchange Mail server.
The discovery Servlet is registered as an extension point via OSGI in the Widget Container application.
BROWSER SIDE
On the browser side all ajax call are sent via makerRequest servlet ( the apache shinding implementation of
the method gadget.makerRequest) the response of this call is a json with the backend http response code (
rc=401 for example).
AUTHENTICATION FLOW
This image shows all network calls to take the user's email from Exchange.

ADDITIONAL TRACE
To track all request related to:
- Widget container (CREAjaxProxy)
- Kerberos Delegation / SPNEGO
You must add this trace and JVM properties on the server where is located the WidgetContainer.ear
application.

GATHERING TRACE AND DEBUG INFORMATION
Before to start you need to have this requirements:
- A domain computer with WireShark and Fiddler installed
- If the domain computer is a windows 7 machine check if the klist command is available on the
command prompt, otherwise install the windows resource kit.
- Install on the Connections Server WireShark if you are in Windows or use tcpdump with the –s0
parameter to take the full payload under linux
- Enable trace on the infracluster Server and test the mail with the homepage application because is
in the same cluster of the WidgetContainer application.
1. Verify the browser settings for SPNEGO authentication
http://www-
01.ibm.com/support/knowledgecenter/SSAW57_8.5.5/com.ibm.websphere.nd.doc/ae/tsec_SPNEG
O_configweb_new.html?cp=SSAW57_8.5.5%2F1-3-0-21-3-0
2. Clear Kerberos token via klist
3. Start fiddler and WireShark on computer domain and wireshark on the server

4. On domain Computer put this filter
5. On Connections Server put this filter
6. Check four Kerberos request on WireShark Domain Computer
7. Check on fiddler if the request to discoveryServlet and makerRequest servlet have the right
response

the field rc is the HTTP response code if you get http 401 that means you are not authorized and
the delegation process doesn’t work propertly.
8. Check in the logs if there are problems on Kerberos ticket decryption
9. Check if the GSSCredential are correctly read
10. Check If the delegation process works correctly

11. Check if the CREAjaxProxy contact correctly the Exchange EWS WebService
HTTP 400 ISSUE (negotiation header too long)
When we try to automatically login in Connections some users receive a white page with HTTP error 400, in
this case you need to increase on all HTTP server the maximum header size if in the fiddler trace inside the
HTTP packe you saw the error header is too long inside the HTML response. This error doesn’t affect all
users for example in my case all users that had ten or more group in active directory get the HTTP 400
error, when groups became nine the SPNEGO authentication works. This happen because the header
NEGOTIATION contains the Kerberos TGT and the Microsoft privilege attribute certificate (PAC), the second
contains several logical components, including group membership data for authorization, alternate
credentials for non-Kerberos authentication protocols, and policy control information for supporting
interactive logon. To increase the header size put inside the virtualhost this apache directive:
- LimitRequestFieldSize 12392
The number is suggested inside the apache wiki http://httpd.apache.org/docs/2.2/mod/core.html. In the
image below an example configuration

DELEGETION DOESN’T WORK ONLY IN CHROME
Like Firefox in CHROME you must enable the delegation to have the mail plugin fully functional.
Follow the links below to enable the Kerberos delegation
- https://dev.chromium.org/administrators/policy-list-3#AuthNegotiateDelegateWhitelist

IBM Connections mail with exchange backend

Recommended

Recommended

More Related Content

What's hot

What's hot (20)

Similar to IBM Connections mail with exchange backend

Similar to IBM Connections mail with exchange backend (20)

Recently uploaded

Recently uploaded (20)

IBM Connections mail with exchange backend