Compare 2 variants

Posted by: Mats

Function Compare2Variants(C2Var1,C2Var2, C2VarExactMatch As Boolean) As Boolean

Dim C2Var1strList List As String
Dim C2Var2strList List As String
Dim C2VarCount As String
Dim C2Var1intList List As Integer
Dim C2Var2intList List As Integer

Compare2Variants = False

If (UBound(C2Var1)-Lbound(C2Var1)) <> (UBound(C2Var2)-Lbound(C2Var2)) Then
    Compare2Variants = False
    Exit Function               
End If

If C2VarExactMatch Then
    C2VarCount = 0
    ForAll C2Var1Values In C2Var1
        C2Var1strList(C2VarCount) = C2Var1Values    
        C2VarCount = C2VarCount +1 
    End ForAll
    C2VarCount = 0      
    ForAll C2Var2Values In C2Var2
        C2Var2strList(C2VarCount) = C2Var2Values    
        C2VarCount = C2VarCount +1 
    End ForAll
    ForAll x In C2Var1strList
        If Not C2Var1strList(ListTag(x)) = C2Var2strList(ListTag(x)) Then
            Compare2Variants = False
            Exit Function
        End If
    End ForAll
    Erase C2Var1strList 
    Erase C2Var2strList 
Else        
    ForAll C2Var1Values In C2Var1
        If IsElement(C2Var1intList(C2Var1Values)) Then
            C2Var1intList(C2Var1Values) = C2Var1intList(C2Var1Values) + 1                                   
        Else
            C2Var1intList(C2Var1Values) = 1                                 
        End If
    End ForAll
    ForAll C2Var2Values In C2Var2
        If IsElement(C2Var2intList(C2Var2Values)) Then
            C2Var2intList(C2Var2Values) = C2Var2intList(C2Var2Values) + 1                                   
        Else
            C2Var2intList(C2Var2Values) = 1                                 
        End If
    End ForAll
    ForAll y In C2Var1intList
        If IsElement(C2Var2intList(ListTag(y))) = True Then     
            If Not (C2Var1intList(ListTag(y)) = C2Var2intList(ListTag(y))) Then
                Compare2Variants = False
                Exit Function               
            End If              
        Else
            Compare2Variants = False
            Exit Function
        End If
    End ForAll
    Erase C2Var1intList 
    Erase C2Var2intList         
End If

Compare2Variants = True

End Function

26
NOV
2020

Blog

Domino server rating from F to A+ in seconds

Posted by: Mats

Requirements:
Server running 9.0.1 FP4 and up

Background:
Running SSL Labs test on https://www.ssllabs.com/ssltest/index.html
Gives You low rating

Mission:
Increase rating

Step1:
Gather OCSP information
Goto Site and View certificate

Go to Intermediate certificate next to Your own and View Certificate

Go to Details and Authority Information and under Alternative name write down the URL.
In our case it is https://ocsp.starfield.com/

Step2:
Update notes.ini from console with the following, remember to replace the value of OCSP_RESPONDER with Your value from Step1.!!

set config DISABLE_SSLV3=1
set config HTTP_HSTS_MAX_AGE=17280000
set config HTTP_HSTS_INCLUDE_SUBDOMAINS=1
set config SSL_ENABLE_OCSP_STAPLING=1
set config OCSP_RESPONDER=https://ocsp.starfield.com/
set config OCSP_CLOCKSKEW=10
set config OCSP_LOGLEVEL=31
set config SSLCipherSpec=C030009FC02F009EC028006BC0140039C0270067C013

In Release 10 the last notes.ini SSLCipherSpec is not respected it must be set in Internet Sites\Security

a. Is most secure

b. If You have with a. You can use this and get a good rating anyway

Step3:
Restart HTTP task with following command:
restart task http

Now You can test Your server again and everything should be running fine

19
JUN
2019

Blog

A+, certificate, cipher, configuration, Domin, domino, domino security, Domino SSL, Domino10, HCL Domino, hsts, IBM Domino, OCSP, rating, security, SSL, SSL Labs, SSLCipherSpec, SSLv3, stapling, subdomains, www.ssllabs.com

Changing and Signing jar files with JDK 1.8, no questions asked. Dictionaries in IBM Notes.

Posted by: Mats

Case:
Dictionaries where missing from client installation on Windows machines.
Client is multi user and users are not allowed to write in Program Directories (non admin on their PCs).
Client is IBM Notes 9.0.1FP6, because this is the one rolled out to end users.
This means that nothing can be installed via Widgets in framework\rpc or framework\shared because both are under Program Directory.
Objective is to provide all of the dictionaries to the end users to choose from from the Widgets catalog. Installation should progress without any questions asked.

Description:
I downloaded the Dictionaries provided by IBM (Notes_XTAF_Dictionaries_V9.0_Win_ML.zip).
For a full description of this package, please read Tomas Hampels blog at
(https://blog.thomashampel.com/blog/tomcat2000.nsf/dx/deploying-xtaf-dictionaries-as-widgets.htm

The problem I got was that the Feature jar files configured to install in framework\rpc which is fine if you include them during installation of the original package running with administrative rights on the computer.

Only way in my scenario was to make sure that the installation was made in a user context meaning Data\workspace\applications

Solution:
Change configuration of the Feature jar to make sure that the installation is done in a user context.

Unpacking the jar file in the features directory of any given dictionary reveals that the feature.xml file contains <feature colocation-affinity="com.ibm.rcp.platform.feature"
this needs to be changed to this <feature colocation-affinity="com.ibm.rcp.site.anchor.user.feature" to make sure that installation will go to Data\workspace\applications where the end user is allowed to write.

To unpack and repack i use PeaZip (https://www.peazip.org/peazip-64bit.html and as an Editor I use Notepad++ (https://notepad-plus-plus.org/download/v7.3.3.html

Explanation of the different options could be found here:
https://www.ibm.com/support/knowledgecenter/en//SSVHEW_6.2.0/com.ibm.rcp.tools.doc.admin/controllingfeatureinstallocation.html
https://www-01.ibm.com/support/docview.wss?uid=swg21497657
https://www-01.ibm.com/support/docview.wss?uid=swg21440976

Also when doing this it will break the signatures and this means that a resigning (after repackage) is necessary for security reasons (you should not allow anything that you have not trusted)
If you want to include your own signed jars files during installation of the client, this can be done following this instruction (https://www-01.ibm.com/support/docview.wss?uid=swg21305165)
You could also use iKeyman to do this if you prefer.

If you look at Tomas Hampels blog above you will find that there are a lot of files that needs to be changed and signed before importing to an update site.

Changing:
In every features directory in every updateSite_xx directory the file feature.xml needs to be changed according to the above solution.
IMPORTANT!!!
Also, preparing for signing, 3 files need to be deleted from a subdirectory called META-INF also in the features catalog:
IBM_WPLC.RSA
IBM_WPLC.SF
MANIFEST.MF
IMPORTANT!!!

Preparing:
Repack all files in each Directory e.g. com.ibm.langware.v5.dic.af_ZA.feature_7.2.0.201111100545 to com.ibm.langware.v5.dic.af_ZA.feature_7.2.0.201111100545.zip
Move (cut) the zip file to where the original jar file is located rename the original jar file with an extension .org instead of .jar end the rename the newly moved .zip file to .jar
A features catalog could then look like this:

Signing:
To sign I downloaded JDK 1.8 from
(https://www.oracle.com/technetwork/java/javase/downloads/jdk8-downloads-2133151.html Windows x64 because I am using W10 64-bit.

IMPORTANT!!!
Only sign jar files that you have made changes to. The others are already signed with valid signatures.
Only sign 1 time with 1 signature for each jar file. Signing a second time could cause unexpected results.
IMPORTANT!!!

First I examined the file that was signed by IBM, this is now <filename>.org if the instructions where followed.
C:\Program Files\Java\jdk1.8.0_121\bin>
jarsigner -verify -verbose "C:\updateSite_af\features\com.ibm.langware.v5.dic.af_ZA.feature_7.2.0.201111100545.org"

I got:
– Signed by "CN=International Business Machines Corporation, OU=Lotus Software Group, OU=Digital ID Class 3 – Java Object Signing, O=International Business Machines Corporation, L=Littleton, ST=Massachusetts, C=US"
    Digest algorithm: SHA1
    Signature algorithm: MD5withRSA, 2048-bit key
Timestamped by "CN=GeoTrust Timestamping Signer 1, O=GeoTrust Inc, C=US" on lö feb 02 04:31:44 UTC 2013
    Timestamp digest algorithm: SHA-1
    Timestamp signature algorithm: SHA1withRSA, 1024-bit key

jar verified.

This meant that I need to sign with MD5withRSA and also SHA-1 where needed.
I tried all of the possible combinations of signing and digest and did the provisioning to the IBM Notes Client for all the different cases (puh this was hard and took a lot of time!) just to make sure.
I found only 1 configuration that worked all of the times.

IMPORTANT!!!
To sign you must first create a signer and also you need to import the certificate of the signer and crosscertify it with your Notescertificate and push that crosscertificate to the client thru your security policy.
This done is done in your Domino Directory of the server.
Signing the jar file with this signature is then trusted to be installed on the client.
IMPORTANT!!!

Inspired by Tomas Hampel (again) and the blog entry (https://blog.thomashampel.com/blog/tomcat2000.nsf/dx/untitled.htm?opendocument&comments).
I decided to make my own script to help me out with this task.

Script Solution:
I decided to make 2 types of script, 1 for creating the necessary JKS file used for signing and 1 for the actual signing.
Both solutions consists of a command file an a property file containing values needed for the execution.

Code and samples will be provided here for download.Cool_Signing

Keytool:
Signing_mykeytool.cmd Cool_Signer.keytool
in the sample provided and this will create a JKS file and a CER file in the C:\temp directory.

To customize for your own needs you can creating you own .keytool file using Cool_Signer.keytool as a template. Read the included Readme.txt file for explanation.

IMPORTANT!!!
You must change/customize this if You want to use this in your own environment, because sample provided here is not intended for other purposes than demonstrating the code.
IMPORTANT!!!

Jarsigner:
Signing_myjarsigner.cmd Cool_Signing_with_XTAF_MD5.jarsigner
in the sample provided will sign all jar files that ends with *.feature_7.2.0.201111100545.jar from the catalog C:\Notes_XTAF_Dictionaries_V9.0_Win_ML and down.
IMPORTANT!!!
It also contains the parameters that where tested to work with these features. I will recommend you to use these if you modify and sign the XTAF Dictionaries.
IMPORTANT!!!

To customize for your own needs you can creating you own .jarsigner file using Cool_Signing_with_XTAF_MD5.jarsigner as a template. Read the included Readme.txt file for explanation.

Conclusion:
Changing and Signing is hard work but script at least provides you with the means of organising your stuff and ease the burden of signing.

10
MAR
2017

Blog

1.8, colocation-affinity, Dictionaries, feature colocation-affinity="com.ibm.rcp.site.anchor.user.feature, features.xml, free download, ibm, IBM Notes Client, jar, jarsigner, JDK, keytool, Notes, Notes_XTAF_Dictionaries, signing, signing with JDK 1.8, XTAF

SugarCRM IBM Notes plug-in, no questions asked

Posted by: Mats

Case:
I was involved in a SugarCRM project and one of the requirements was to rollout a widget to IBM Notes sidebar provided by Sugar.

Description:
Problem was that the instructions from Sugar included an option for the user to bail out of the installation,
because of the signatures where not trusted. also the user needs to cross certify with his own Notes id.
(https://support.sugarcrm.com/Documentation/Plug-ins/Lotus_Notes_Plug-in/Notes_Plugin_Installation_Guide_2/index.html)

From the project perspektive this was not OK.

Solution:
I needed to find a way to cross certify in advance, making the installation in the background without giving the user the option to bail out.
I wanted to cross certify with my organizational certifier instead and avoiding questions.

First problem was to find the certifiers.
What I did was to install the plug-in manually in my testenvironment:
I then took the RSA file located in the workspace\applications\eclipse\features catalog
and in the META-INF catalog there is a file called LPI.RSA.

Using OpenSSL using the command
"openssl pkcs7 -in LPI.RSA -print_certs -inform DER -out lpi.cer"
and then opening it in an editor you could se all of the certifiers.
Using the instructions from Sugar as a guideline I tried to cross certify the certificate
that was used by Sugar, which was:
CN=SugarCRM/OU=Software/OU=Digital ID Class 3 – Java Object Signing/O=SugarCRM/L=Cupertino/ST=California/C=US
but when trying to do that I got the message:
"A cross certificate will not be made due to key usage restrictions in the input certificate"

Found a discussion thread indicating that using crosscertification at a higher would do it
(https://www-10.lotus.com/ldd/nd85forum.nsf/0/565f1122814572b3852579f900521ce0?OpenDocument)
so I imported the certificates into Domino Directory:

CN=VeriSign Class 3 Code Signing 2010 CA/OU=Terms of use at https://www.verisign.com/rpa (c)10/OU=VeriSign Trust Network/O=VeriSign, Inc./C=US
VeriSign Class 3 Public Primary Certification Authority – G5/(c) 2006 VeriSign, Inc. – For authorized use only/VeriSign Trust Network/VeriSign, Inc./US
https://knowledge.symantec.com/support/ssl-certificates-support/index?page=content&id=SO14649
https://www.symantec.com/content/dam/symantec/docs/other-resources/roots.zip

and crosscertified them with my Domino Organizational certifier instead, into Domino Directory.

I then pushed these 2 internet cross certificates out to the clients thru my security policy.

After that I included the widget in my widget catalog according to the instructions provided by Sugar and in this case we made a special desktop policy (explicit because it was in the cloud) that installed it for everyone belonging to a Domino group.

Worked perfectly.

14
FEB
2017

Blog

A cross certificate will not be made due to key usage restrictions in the input certificate, certify, CRM, cross certify, features, ibm, IBM Notes plug-in, Java, lpi.rsa, META-INF, Notes, openssl, pkcs7, plug-in, provisioning, signature, Sugar, SugarCRM, updatesite, verisign, widget, workspace

Revisit: Wildcard SSL certificate from P12/PFX file into Domino

Posted by: Mats

The objective of this article is to provide an example on how to do this with hopefully no discussions and no questions unanswered. Of course this example is based on a particular situation with a special certificate provider but can hopefully be translated to any other situation with other certificate authorities.
Wrote an earlier article, this is an update

Contents
1. Assumptions
2. What do I need
3. OpenSSL
4. Kyrtool
5. Syntax
6. Example
7. Implement the files on the server
8. Check out if it works
9. Important note
10. Conclusion

Assumptions:
Running Windows 64 bits (directory separator = \)
PFX file contains both certificate, intermediate and root certificates
Domino server running 9.0.1 FP3

What do I need:
1. An exported P12/PFX file from in my case IIS, containing the wildcard certificate private key as well as the certification path to it.

2. OpenSSL:
Homepage: https://www.openssl.org/source/
Easy precompiled: https://slproweb.com/products/Win32OpenSSL.html
The one I used: https://slproweb.com/download/Win64OpenSSL-1_0_2g.exe

3. Kyrtool:
Fixcentral short: https://ibm.co/1SAYX5E
Fixcentral long: https://www-933.ibm.com/support/fixcentral/swg/selectFixes?parent=ibm%7ELotus&product=ibm/Lotus/Lotus+Domino&release=9.0.1.2&platform=All&function=fixId&fixids=KYRTool_9x_ClientServer&includeSupersedes=0

Syntax:
<ossldir> = Where you installed OpenSSL eg. C:\OpenSSL-Win64
<pfxdir> = Where you have placed your pfxfile
<pfxfile> = Name of your pfxfile eg. wildcard_acme_com.pfx
<pfxpassword> = Password to your pfxfile
<pemdir> = Where you have placed your pfxfile
<pemfile> = Name of your pfxfile eg. wildcard_acme_com.pem
<notespgmdir> = Notes or Domino program directory, minimum 9.0.1 FP3
(assumes that notes program directory is in your path, if not execute from program directory)
<kyrdir> = Directory where you want to put your kyrfile
<kyrfile> = Name of your kyrfile eg. wildcard_acme_com.kyr
<kyrpassword> = Password to your kyrfile

Check your pfx file:
<ossldir>\bin\openssl pkcs12 -info -in <pfxdir>\<pfxfile>
use <pfxpassword> when asked (nothing on PEM)

In general:
1. <ossldir>\bin\openssl pkcs12 -in <pfxdir>\<pfxfile> -out <pemdir>\<pemfile> -nodes -chain
use <pfxpassword> when asked (nothing on PEM)
2. <notespgmdir>\kyrtool create -k <kyrdir>\<kyrfile> -p <kyrpassword>
3. <notespgmdir>\kyrtool import all -k <kyrdir>\<kyrfile> -i <pemdir>\<pemfile>
Check in general:
1. <notespgmdir>\kyrtool show certs -k <kyrdir>\<kyrfile> >kyrcerts.txt
2. <notespgmdir>\kyrtool show keys -k <kyrdir>\<kyrfile> >kyrkeys.txt
3. <notespgmdir>\kyrtool show roots -k <kyrdir>\<kyrfile> >kyrroots.txt

Example:
1. C:\OpenSSL-Win64\bin\openssl pkcs12 -in C:\mypfxfiles\wildcard_acme_com.pfx -out C:\mypemfiles\wildcard_acme_com.pem -nodes -chain
use <pfxpassword> when asked
2. C:\IBM\Lotus\Domino\kyrtool create -k C:\mykyrfiles\wildcard_acme_com.kyr -p password
3. C:\IBM\Lotus\Domino\kyrtool import all -k C:\mykyrfiles\wildcard_acme_com.kyr -i C:\mypemfiles\wildcard_acme_com.pem
Check sample:
1. C:\IBM\Lotus\Domino\kyrtool show certs -k C:\mykyrfiles\wildcard_acme_com.kyr >wildcard_acme_com_kyrcerts.txt
2. C:\IBM\Lotus\Domino\kyrtool show keys -k C:\mykyrfiles\wildcard_acme_com.kyr >wildcard_acme_com_kyrkeys.txt
3. C:\IBM\Lotus\Domino\kyrtool show roots -k C:\mykyrfiles\wildcard_acme_com.kyr >wildcard_acme_com_kyrroots.txt

Implement the files on the server
1. Copy kyr file and the associated sth file to the server
2. Add the kyrfile name to your internet sites document or server document depending how your server is configured
3. Modify the cipher part
4. Make sure the SSL port is enabled in the Internet Ports.. section
5. Restart your http task on the server, use sh ta onl and check that http listens to both 80 and 443

Check out if it works
1. Use your browser and connect to your server via https
2. Look at your certificate information
3. Congratulations

Important note:
Following this means that especially the pem file is unprotected, therefore make sure that keep it in a safe place during this and maybe deleting it afterwards. Same goes for kyrfile (you can not delete them but keep them as safe as you can) as they contain private key.

Conclusion
Doing this task is not more complicated than any other task that involves certificates using any other platform.

Link to this document: https://infoware.com/?p=7226

11
APR
2016

Blog

certificate, configure, domino, domino security, Domino SSL, domino wildcard certificate, kyrtool, Open SSL, openssl, p12, PFX, Poodle, security, sha2, SSL, TLS, wildcard, wildcard certificate, Wildcard SSL

IBM Connections using Active Directory and Nested Groups

Posted by: Mats

Case:
Customer wants to use nested groups in Access control for Communities, also it should be reflected in I'm a Member when user is looking for their communitys and so on. Connections was 4.5CRx

Google search Links that where tried, but did not work for me (for some reason unknown).
https://www.lbenitez.com/2015/11/how-to-enable-nested-ldap-groups-in-ibm.html
https://www-01.ibm.com/support/docview.wss?uid=swg21321308
https://www-10.lotus.com/ldd/lcforum.nsf/869c7412fe5d56b7852569fa007826e3/4aa9a40d4818785f85257b3b004e3240?OpenDocument
https://www.communardo.de/home/techblog/2014/06/04/nested-groups-ibm-connections/

Found something that worked for me (seems logical looking at the description).
https://social.technet.microsoft.com/wiki/contents/articles/5392.active-directory-ldap-syntax-filters.aspx
coming from thread
https://social.technet.microsoft.com/Forums/scriptcenter/en-US/f238d2b0-a1d7-48e8-8a60-542e7ccfa2e8/recursive-retrieval-of-all-ad-group-memberships-of-a-user?forum=ITCG

Description:
All groups specified user belongs to, including due to group nesting (Notes 10, 19)
eg. (member:1.2.840.113556.1.4.1941:=cn=Jim Smith,ou=West,dc=Domain,dc=com)
All members of specified group, including due to group nesting (Note 10)
eg. (memberOf:1.2.840.113556.1.4.1941:= cn=Test,ou=East,dc=Domain,dc=com)
Note 10.
The string 1.2.840.113556.1.4.1941 specifies LDAP_MATCHING_RULE_IN_CHAIN. This applies only to DN attributes. This is an extended match operator that walks the chain of ancestry in objects all the way to the root until it finds a match. This reveals group nesting. It is available only on domain controllers with Windows Server 2003 SP2 or Windows Server 2008 (or above).

NOTE:
All of this is of course done in the context of Deployment Manager.
After doing the changes a full resynch needs to be done with all nodes in the cluster (sometimes also take down node and use synchNode from the node) and restart the node.

Solution is to change my setting in Websphere to reflect this:

Also changed for performance reasons the following (optional):
Reason:
https://www.ibm.com/support/knowledgecenter/SSAW57_8.0.0/com.ibm.websphere.wim.doc/disablingnestedgroupsearches.html
Solution is to change according to instructions

How does it look in the files before and after the change, here are snippets of this:

wimconfig.xml before the change:
<config:groupConfiguration>
<config:memberAttributes name="member" objectClass="group" scope="nested"/>
<config:membershipAttribute name="memberof" scope="nested"/>
</config:groupConfiguration>

wimconfig.xml after the change:
<config:groupConfiguration>
<config:memberAttributes name="member:1.2.840.113556.1.4.1941:" objectClass="group" scope="nested"/>
<config:membershipAttribute name="memberOf:1.2.840.113556.1.4.1941:" scope="nested"/>
</config:groupConfiguration>

security.xml before the change (you can not cut and paste any of these because some parameters are unique to your environment):
<userRegistries xmi:type="security:WIMUserRegistry" xmi:id="WIMUserRegistry_1" serverId="" serverPassword="{xor}" realm="defaultWIMFileBasedRealm" ignoreCase="true" useRegistryServerId="false" primaryAdminId="wasadmin" registryClassName="com.ibm.ws.wim.registry.WIMUserRegistry"/>

security.xml after the change (you can not cut and paste any of these because some parameters are unique to your environment):
<userRegistries xmi:type="security:WIMUserRegistry" xmi:id="WIMUserRegistry_1" serverId="" serverPassword="{xor}" realm="defaultWIMFileBasedRealm" ignoreCase="true" useRegistryServerId="false" primaryAdminId="wasadmin" registryClassName="com.ibm.ws.wim.registry.WIMUserRegistry">
<properties xmi:id="VMMURProperty_1" name="com.ibm.ws.wim.registry.grouplevel" value="1"/>
</userRegistries>

Shortcut to this document: https:// https://https://infoware.com/?p=7180
Thats all folks

1
APR
2016

Blog

Access, Access Control, Active Directory, AD, Connections, Control, Groups, ibm connections, IBM Connections using Active Directory and Nested Groups, Nested, Nested Groups

Open Sametime Meetings in IBM Notes Client using HTTPS

Posted by: Mats

Problem:
Users preference is to open all Sametime Meeting Rooms in the client. Customer does not allow mixed content in the browser (good thinking).
When user clicks on links to Meeting Servers that was setup with SSL, meaning the link is an https link instead of a http link Meeting Room is not opening in the client.

Cause(s):
1. Webapi is not enabled at all in the IBM Notes Client
2. Webapi on the Client is not SSL enabled
3. The login.jsp on the Meeting server can not handle request to the IBM Notes Client when accessed thru https
4. All of the above

I did all this in Windows so commands and packaging is different if you use eg. Linux, so don't hold that against me.
Probably this code can also be used on Linux but with different commands to check if it works, also I did an extended
version of the jar file that is only valid for Windows running in Administrative context.

I did this and tested it for IBM Notes client 9 only.

You can download code and textfiles here, please use the textfiles if you cut and paste because formatting on this site could otherwise give unpredictable results

Problem:
Users preference is to open all Sametime Meeting Rooms in the client.
When user clicks on links to Meeting Servers that was setup with SSL, meaning the link is an https link instead of a http link Meeting Room is not opening in the client.

Solution(s):
1. Make sure that the following parameter is present in plugin_customization.ini (or distributed in some other way)
com.ibm.collaboration.realtime.webapi/startWebContainer=true
2. Use the Sametime SDK sample as a starting to develop your own jar file to include in the install package or distribute as an update
3. Change the content of login.jsp to meet your needs
4. Distribute the certificate file into the Trusted Root Certification Authorities store.
5. Do all of the above

Description(s):
1.
In my case 1. above was present and webapi was started in the client but was not listening on https only http.
The way this implemented is as follows:
http listens on port 59449
https listens on port 59669 (if enabled)

To see what is running use the following command:
netstat -an | findstr "59"

When the solution is working you should be able to see:
TCP 127.0.0.1:59449 0.0.0.0:0 LISTENING
TCP 127.0.0.1:59669 0.0.0.0:0 LISTENING

2.
The problem with doing 2. above is the following:
a. Install a Development environment
b. Develop something that can be installed inside a package and also thru provisioning to both single and multiuser clients
c. Solve the problem with installing unsigned code
d. Solve the problem with SSL certifikates on a local machine
e. Decide which part of IBM that has the correct answer to how a local machine is defined in the context of Sametime SDK, IBM Connections integration, Sametime Meeting server team.
The adress to a local url could basically be 127.0.0.1 or localhost
f. Poodle meaning TLS must be on otherwise browser will not work
g. Include the jar file inside the windows install package for Sametime Embedded (I guess this can be done in a DEB package as well), description not included here.

When all this is done login.jsp (3. above) must be changed to reflect decisions made earlier

For a. I downloaded and installed eclipse-jee-luna-R-win32, I got help from my developer friend @Tobias Gruvfält to include the sample code provided by the Sametime SDK in a new project

For c. I also tried to sign my jar file, but when I tried to install it was always failing (documentation on this is really poor I think), instead I decided to make changes to
plugin_customization.ini by changing the following 3 lines before installing:
com.ibm.rcp.security.update/EXPIRED_SIGNATURE_POLICY=ALLOW
com.ibm.rcp.security.update/UNSIGNED_PLUGIN_POLICY=ALLOW
com.ibm.rcp.security.update/UNTRUSTED_SIGNATURE_POLICY=ALLOW

For d. I created a keystore and a truststore valid for localhost (that I decided on e.), because SDK people and Connections people used localhost

Later on I needed f. and found documentation on how to disable SSLv3 and enable TLS

After that I made changes to certificate files and ssl config files as well as handlers to make sure that b. above was met.

For g. I used sametime.embedded.addon.win32_20141030-0523 (but other distributions can be used) and unzipped the zip file and added my jar file to the features catalog
(all jar files and certificate files as well as text to include in deploy is here ->webapissl-2)
Added 3 lines to site.xml:

I added it just below the definiton of com.ibm.collaboration.realtime.webapi.feature

And also added lines to the following 3 files located in the deploy catalog:

x. plugin_customization.ini

# Trying to fix the problem with signing for this addon
com.ibm.collaboration.realtime.webapi/startWebContainer=true
com.ibm.rcp.security.update/EXPIRED_SIGNATURE_POLICY=ALLOW
com.ibm.rcp.security.update/UNSIGNED_PLUGIN_POLICY=ALLOW
com.ibm.rcp.security.update/UNTRUSTED_SIGNATURE_POLICY=ALLOW

at the bottom of the file

y. install.addon.xml

just below com.ibm.collaboration.realtime.webapi.feature

z. uninstall.addon.xml

just below com.ibm.collaboration.realtime.webapi.feature

Remember to zip the features and deploy catalogs together with site.xml to a zip file with the same name as the old zip you earlier unzipped and replace the old zip file with the new one.

3.
If I remember correctly the original line inside login.jsp on the Meeting Server (please refer to your own environment on where to find it) is as follows:

window.installedClientWebApiUrl = "https://127.0.0.1:59449/stwebapi";

I changed that to the following:

window.installedClientWebApiUrl = (("http:" == document.location.protocol) ? "https://localhost:59449/stwebapi" : "https://localhost:59669/stwebapi");

4.
Talk to your Administrators and make them distribute the included localhosttrustedroot.der to all clients and put it in Trusted Root Certification Authorities
this will work for both IE and Chrome in Windows but for FF you need to make an exception by actually accessing the local site accepting the exception localhost:59669
you can use this url in FF to do it:
https://localhost:59669/stwebapi/listservices

I also made a second jarfile that included the installation of the certfile as root in Windows and that must be run in the context of an Administrator on the other hand
the installation of the total package should run in Administrative context
This version has only been tested on a development machine and also it should not be used if you use provisioning (updatesite) as this always runs in user context.

Catalogs included in the zipfile available for download is as follows ->webapissl-2:

1. "nocertificateinstall" this is the catalog where the jarfile to use for both icluding in package and update site that is also tested on customer site, certificate file for distribution also.
2. "withcertificateinstallwindows" this is the not so tested version where installation of the certfile is included in the package, please read above before using.
3. "webapissl.txt" same content as this article use this when do cut and paste
4. "nocertificateinstallworkspace1-2" source code (eclipse EE) for 1.
5. "withcertificateinstallwindowsworkspace2-2" source code (eclipse EE) for 2.
6. "com.ibm.collaboration.realtime.webapi.ssl.updateSite.zip" sample of zip file to use for provisioning based on 1. of course

The End

5
MAR
2015

Administrator, Blog

127.0.0.1, 59449, 59669, Chrome, code for download, com.ibm.collaboration.realtime.webapi, com.ibm.collaboration.realtime.webapi.feature, com.ibm.collaboration.realtime.webapi.ssl.feature, com.ibm.rcp.security.update, Connections, Eclipse, FireFox, HTTPS, IBM Notes Client, IE, install.addon.xml, listservices, localhost, login.jsp, meeting, Meeting Room, Meeting Server, Notes Client, plugin_customization.ini, Poodle, provisioning, Sametime, Sametime Embedded, Sametime integration, Sametime Meeting Room, Sametime SDK, Sametime Web API, sametime.embedded.addon, security, SSL, SSLv3, startWebContainer, stwebapi, TLS, Trusted Root Certification Authorities, window.installedClientWebApiUrl