IBM Connections Mail with Exchange backend

This article is a step-by-step guide to integrating Microsoft Exchange 2013 with IBM Connections 5 CR02.


IBM Connections Mail Plugin Configuration with Exchange Backend
Michele Buccarello, 4/16/2015

This document describes how to configure the IBM Connections Mail plugin with an Exchange backend.
Author: Michele Buccarello, Page 1

TABLE OF CONTENTS
- PREREQUISITES (page 2)
- WHAT THE WIKI SAYS (page 2)
- KERBEROS CONFIGURATION (page 2)
- CONFIGURE THE AUTODISCOVERY SERVLET (page 7)
  - CERTIFICATE EXPORT (page 8)
  - IMPORT THE SSL CERTIFICATE IN WEBSPHERE (page 11)
  - CONFIGURE socialmail-discovery-config.xml (page 12)
- TROUBLESHOOTING (page 13)
  - WIDGET ARCHITECTURE (page 13)
    - SERVER SIDE (page 14)
    - BROWSER SIDE (page 14)
    - AUTHENTICATION FLOW (page 14)
  - ADDITIONAL TRACE (page 15)
  - GATHERING TRACE AND DEBUG INFORMATION (page 16)
  - HTTP 400 ISSUE (negotiation header too long) (page 19)
  - DELEGATION DOESN'T WORK ONLY IN CHROME (page 20)
PREREQUISITES

This guide covers the whole configuration of the IBM Connections Mail plugin with Exchange as a backend. Before reading it, check these requirements:
1) IBM Connections 5 CR2 or later
2) IBM Connections Mail 1.6
3) An Exchange server that complies with the system requirements and has Kerberos enabled. For the system requirements, see http://www-01.ibm.com/support/docview.wss?uid=swg27036069
4) A good knowledge of the Kerberos protocol and of the delegation process
5) A basic knowledge of Exchange Web Services (EWS) and of the autodiscovery mechanism
6) Kerberos enabled on all Exchange servers (NTLM authentication works only for the autodiscovery process, not for EWS)
7) A basic knowledge of Wireshark

WHAT THE WIKI SAYS

The URL below contains all the official information about the Mail plugin configuration: http://www-01.ibm.com/support/knowledgecenter/SSVMJU_1.6.0/icm_pre-install.dita
This guide is a compendium of the configuration and of the authentication flow for the Exchange integration.

KERBEROS CONFIGURATION

In the official wiki the first step is to configure the SPNEGO and Kerberos authentication mechanism correctly, as described at http://www-01.ibm.com/support/knowledgecenter/SSVMJU_1.6.0/icm_spnego.dita
Before starting the SPNEGO configuration, two steps are required:
1) Map an Active Directory account to the administrative roles: http://www-01.ibm.com/support/knowledgecenter/SSYGQH_5.0.0/admin/secure/t_kerb_configure_AD_account.dita?lang=en
2) Create a Service Principal Name and a keytab file: http://www-01.ibm.com/support/knowledgecenter/SSYGQH_5.0.0/admin/secure/t_install_kerb_create_service_account.dita?lang=en
You can skip point one only if your installation was done with an Active Directory user: check in the image below whether, during the installation, the administrator user ID field was filled with a user from LDAP.
In the wiki, point two is really detailed, but if you are doing this configuration on a Windows 2012 Active Directory, some extra steps are required to avoid problems with Kerberos authentication:
- Windows 2012 uses strong encryption, and this creates problems with the Kerberos protocol: normally the communication between the Key Distribution Center and the domain computer goes over UDP, but a UDP datagram cannot contain all the encrypted information, because it is much smaller than what a TCP stream can carry. To force the communication over TCP you must add this line to krb5.conf:
  udp_preference_limit = 1
- If you are setting up Kerberos in an Active Directory forest with child sites and different realms, you must list every realm explicitly in the realms and domain_realm sections.
- If you see errors related to the KDC options, you must set these options manually in krb5.ini; in particular, with Windows 2012 I force proxiable = false and renewable = false. This step is not a requirement, but it solved problems in the infrastructure where I set up Kerberos authentication.
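As an added check (not part of the original slides), the Python below parses a krb5.ini and reports the three points above: udp_preference_limit, realms referenced in domain_realm but missing from the realms section, and the optional proxiable/renewable settings. The sample file, realm names and KDC host are constructed.

```python
# Constructed sample krb5.ini (not from the slides): a parent realm plus a child realm missing from [realms].
SAMPLE_KRB5_INI = """
[libdefaults]
    default_realm = EXAMPLE.COM
    udp_preference_limit = 1
    proxiable = false
    renewable = true
[realms]
    EXAMPLE.COM = {
        kdc = dc01.example.com:88
    }
[domain_realm]
    .example.com = EXAMPLE.COM
    .child.example.com = CHILD.EXAMPLE.COM
"""

def parse_krb5(text):
    """Parse krb5.ini into {section: {key: value}}; realm names are kept, realm bodies skipped."""
    sections, current, depth = {}, None, 0
    for raw in text.splitlines():
        line = raw.split("#", 1)[0].strip()
        if line == "}":
            depth -= 1
        elif depth > 0 or not line:
            continue  # blank line or the body of a "REALM = { ... }" block
        elif line.startswith("["):
            current = sections.setdefault(line.strip("[]"), {})
        elif current is not None and "=" in line:
            key, value = (part.strip() for part in line.split("=", 1))
            if value == "{":
                depth += 1
            current[key] = value
    return sections

def check_krb5(text):
    """Return findings for the three Windows 2012 points the guide raises."""
    cfg = parse_krb5(text)
    libdefaults = cfg.get("libdefaults", {})
    findings = []
    if libdefaults.get("udp_preference_limit") != "1":
        findings.append("udp_preference_limit is not 1: large tickets would be sent over UDP")
    for option in ("proxiable", "renewable"):
        if libdefaults.get(option, "").lower() != "false":
            findings.append(f"{option} is not false (optional setting the guide used on Windows 2012)")
    defined = set(cfg.get("realms", {}))
    referenced = set(cfg.get("domain_realm", {}).values()) | {libdefaults.get("default_realm", "")}
    for realm in sorted(r for r in referenced if r and r not in defined):
        findings.append(f"realm {realm} is referenced but has no [realms] entry")
    return findings
```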
The image below shows a full example of the krb5.ini, followed by the screens of the Kerberos / SPNEGO WebSphere settings.
In step five you should add the generic property inside the properties tag. In my environment I experienced some problems, and more investigation is required about this generic property:
- <genericProperty name="shindig.config.container.overrides">
By default, Connections 5 already has a generic property "shindig overrides" in the properties section, and if you follow the wiki the result looks like the screenshot below. We experienced some problems with this configuration, because it seems the first property is overwritten by the second. To avoid any strange issue, we merged the two properties into a single one. Now the Kerberos / SPNEGO configuration is complete.

CONFIGURE THE AUTODISCOVERY SERVLET

The autodiscovery servlet is used to discover the mail server where the mail file is located; Exchange has its own system to provide this kind of information. The wiki link below contains all the information about the autodiscovery configuration:
- http://www-01.ibm.com/support/knowledgecenter/SSVMJU_1.6.0/icm_discovery.dita
The first step, described in section 2.A, says to ask the administrator for the certificate; alternatively, we can export the certificate manually from the browser. The screens below show an export of the IBM SSL certificate; the steps are the same for Exchange.
CERTIFICATE EXPORT

Click on the padlock icon, then click on View certificates. Click on Certification Path.
Export the certificate authority and the intermediate certificate (the first and the second certificate).
CA export: select the first certificate and click "View certificate". Check in the new window that the certification path contains only the CA certificate.
Now we export the CA. In the last screen press Finish to complete the export of the CA certificate and close the CA window.
The same steps are used for the intermediate certificate; the important thing is to select, in the first window under Certification Path, the second certificate. After clicking on View certificate, apply the same steps to export the intermediate certificate.
At this point we need to import these certificates into the WebSphere cacerts keystore with the keytool utility.

IMPORT THE SSL CERTIFICATE IN WEBSPHERE

The commands are described in section 2.b; below are the commands used:
  keytool -import -file cacert.cer -alias exchange_cacert -keystore E:\IBM\WebSphere\AppServer\java\jre\lib\security\cacerts
  keytool -import -file intermediate.cer -alias exchange_intermediatecert -keystore E:\IBM\WebSphere\AppServer\java\jre\lib\security\cacerts
The default password for the cacerts file is changeit.
CONFIGURE socialmail-discovery-config.xml

In wiki steps three and four you need to copy socialmail-discovery-config-template.xml from the ConnectionsMail folder and paste it into the DMGR folder:
- WAS-root/AppServer/profiles/Dmgr01/config/cells/cell-name/LotusConnections-config
Steps five and six describe the options; the image below shows an example configuration.
TROUBLESHOOTING

The IBM Connections Mail plugin is a widget based on an OpenSocial gadget running in the Apache Shindig widget container. In IBM Connections, the Apache Shindig implementation is contained in WidgetContainer.ear, installed on the InfraCluster server. The mustgather link is:
- http://www-01.ibm.com/support/docview.wss?uid=swg21677101
All WebSphere traces must be set on the server where WidgetContainer.ear is located.

WIDGET ARCHITECTURE

SERVER SIDE

The IBM Connections Mail OpenSocial gadget uses a different Ajax proxy, named CREAjaxProxy. This Ajax proxy is used to send all back-end calls to the Exchange EWS web service; for example, the HTTPS POST with the delegated credential is sent through the CREAjaxProxy to the Exchange mail server. The discovery servlet is registered as an OSGi extension point in the Widget Container application.

BROWSER SIDE

On the browser side all Ajax calls are sent via the makeRequest servlet (the Apache Shindig implementation of the gadget makeRequest method); the response of this call is a JSON document containing the backend HTTP response code (rc=401, for example).

AUTHENTICATION FLOW

The image below shows all the network calls made to fetch the user's email from Exchange.
ADDITIONAL TRACE

To track all requests related to:
- the widget container (CREAjaxProxy)
- Kerberos delegation / SPNEGO
you must add the trace strings and JVM properties shown below on the server where the WidgetContainer.ear application is located.
GATHERING TRACE AND DEBUG INFORMATION

Before starting you need the following:
- A domain computer with Wireshark and Fiddler installed.
- If the domain computer is a Windows 7 machine, check that the klist command is available at the command prompt; otherwise install the Windows Resource Kit.
- Install Wireshark on the Connections server if it runs Windows, or use tcpdump with the -s0 parameter to capture the full payload under Linux.
- Enable trace on the InfraCluster server and test the mail with the Homepage application, because it is in the same cluster as the WidgetContainer application.
1. Verify the browser settings for SPNEGO authentication: http://www-01.ibm.com/support/knowledgecenter/SSAW57_8.5.5/com.ibm.websphere.nd.doc/ae/tsec_SPNEGO_configweb_new.html?cp=SSAW57_8.5.5%2F1-3-0-21-3-0
2. Clear the Kerberos tickets with klist.
3. Start Fiddler and Wireshark on the domain computer, and Wireshark on the server.
4. On the domain computer apply the filter shown in the image.
5. On the Connections server apply the filter shown in the image.
6. Check the four Kerberos requests in Wireshark on the domain computer.
7. Check in Fiddler whether the requests to the discoveryServlet and to the makeRequest servlet have the right response: the rc field is the HTTP response code, and if you get HTTP 401 it means you are not authorized and the delegation process does not work properly.
8. Check in the logs whether there are problems with Kerberos ticket decryption.
9. Check that the GSSCredential is read correctly.
10. Check that the delegation process works correctly.
11. Check that the CREAjaxProxy contacts the Exchange EWS web service correctly.

HTTP 400 ISSUE (negotiation header too long)

When we try to log in automatically to Connections, some users get a white page with HTTP error 400. In this case you need to increase the maximum header size on all HTTP servers, if in the Fiddler trace you see the error "header is too long" in the HTML response of the HTTP packet. This error does not affect all users: in my case, all users with ten or more groups in Active Directory got the HTTP 400 error, and when the groups went down to nine the SPNEGO authentication worked. This happens because the Negotiate header contains the Kerberos TGT and the Microsoft privilege attribute certificate (PAC); the PAC contains several logical components, including group membership data for authorization, alternate credentials for non-Kerberos authentication protocols, and policy control information for supporting interactive logon. To increase the header size, put this Apache directive inside the virtual host:
- LimitRequestFieldSize 12392
The number is suggested in the Apache documentation: http://httpd.apache.org/docs/2.2/mod/core.html. The image below shows an example configuration.
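To size the limit from a capture rather than guess, here is an added Python example (not from the slides) that measures Authorization: Negotiate header lines as Fiddler shows them and compares them with Apache's default LimitRequestFieldSize of 8190 and the 12392 value used above. The header lines and the token sizes are constructed filler, standing in for users with few and with many Active Directory groups.

```python
import base64

APACHE_DEFAULT_LIMIT = 8190   # LimitRequestFieldSize default in httpd 2.2
GUIDE_LIMIT = 12392           # value the guide sets on the HTTP servers

# Constructed Fiddler-style request headers (not from the original slides). The Negotiate
# tokens are filler blobs sized like the tickets of a user with few and one with many groups.
SAMPLE_HEADERS = {
    "few.groups": "Authorization: Negotiate " + base64.b64encode(b"\x60" * 1500).decode(),
    "many.groups": "Authorization: Negotiate " + base64.b64encode(b"\x60" * 9000).decode(),
}

def header_bytes(header_line):
    """Size of the whole header line (name, colon, value), which is what the limit applies to."""
    return len(header_line.encode("ascii"))

def token_bytes(header_line):
    """Decoded size of the SPNEGO token (Kerberos ticket plus PAC, which grows with group count)."""
    scheme, token = header_line.split(":", 1)[1].split()
    if scheme != "Negotiate":
        raise ValueError(f"not a Negotiate header: {scheme}")
    return len(base64.b64decode(token))

def triage(headers, limit=APACHE_DEFAULT_LIMIT):
    """Map each user to (header bytes, accepted) so the HTTP 400 population can be read off a capture."""
    return {user: (header_bytes(line), header_bytes(line) <= limit) for user, line in headers.items()}

def required_limit(headers, headroom=1024):
    """Smallest LimitRequestFieldSize that accepts every captured header, plus headroom for growth."""
    return max(header_bytes(line) for line in headers.values()) + headroom
```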
DELEGATION DOESN'T WORK ONLY IN CHROME

As in Firefox, in Chrome you must enable delegation to have the mail plugin fully functional. Follow the link below to enable Kerberos delegation:
- https://dev.chromium.org/administrators/policy-list-3#AuthNegotiateDelegateWhitelist
