Changing and Signing jar files with JDK 1.8, no questions asked. Dictionaries in IBM Notes.

Case:
Dictionaries were missing from the client installation on Windows machines.
The client is multi-user and users are not allowed to write in Program Directories (non-admin on their PCs).
Client is IBM Notes 9.0.1FP6, because this is the one rolled out to end users.
This means that nothing can be installed via Widgets in framework\rcp or framework\shared because both are under Program Directory.
Objective is to provide all of the dictionaries for the end users to choose from in the Widgets catalog. Installation should progress without any questions asked.

Description:
I downloaded the Dictionaries provided by IBM (Notes_XTAF_Dictionaries_V9.0_Win_ML.zip).
For a full description of this package, please read Thomas Hampel's blog at
https://blog.thomashampel.com/blog/tomcat2000.nsf/dx/deploying-xtaf-dictionaries-as-widgets.htm

The problem I got was that the Feature jar files are configured to install in framework\rcp, which is fine if you include them during installation of the original package running with administrative rights on the computer.

The only way in my scenario was to make sure that the installation was made in a user context, meaning Data\workspace\applications.

Solution:
Change configuration of the Feature jar to make sure that the installation is done in a user context.

Unpacking the jar file in the features directory of any given dictionary reveals that the feature.xml file contains
<feature colocation-affinity="com.ibm.rcp.platform.feature"
This needs to be changed to
<feature colocation-affinity="com.ibm.rcp.site.anchor.user.feature"
to make sure that the installation goes to Data\workspace\applications, where the end user is allowed to write.

To unpack and repack I use PeaZip (http://www.peazip.org/peazip-64bit.html) and as an editor I use Notepad++ (https://notepad-plus-plus.org/download/v7.3.3.html).

An explanation of the different options can be found here:
https://www.ibm.com/support/knowledgecenter/en//SSVHEW_6.2.0/com.ibm.rcp.tools.doc.admin/controllingfeatureinstallocation.html
http://www-01.ibm.com/support/docview.wss?uid=swg21497657
http://www-01.ibm.com/support/docview.wss?uid=swg21440976

Doing this also breaks the signatures, which means that re-signing (after repackaging) is necessary for security reasons (you should not allow anything that you have not trusted).
If you want to include your own signed jar files during installation of the client, this can be done by following this instruction (http://www-01.ibm.com/support/docview.wss?uid=swg21305165).
You could also use iKeyman to do this if you prefer.

If you look at Thomas Hampel's blog above you will find that there are a lot of files that need to be changed and signed before importing to an update site.

Changing:
In every features directory in every updateSite_xx directory the file feature.xml needs to be changed according to the above solution.
IMPORTANT!!!
Also, preparing for signing, 3 files need to be deleted from a subdirectory called META-INF also in the features catalog:
IBM_WPLC.RSA
IBM_WPLC.SF
MANIFEST.MF
IMPORTANT!!!

Preparing:
Repack all files in each directory, e.g. com.ibm.langware.v5.dic.af_ZA.feature_7.2.0.201111100545 to com.ibm.langware.v5.dic.af_ZA.feature_7.2.0.201111100545.zip
Move (cut) the zip file to where the original jar file is located, rename the original jar file with the extension .org instead of .jar, and then rename the newly moved .zip file to .jar.
A features catalog could then look like this:
[Screenshot: Capture]
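The Changing and Preparing steps above as one script. This is an added example, not part of the original post or its Cool_Signing download; the function names are assumptions and the sample jar is constructed. The result is unsigned and still has to be signed once with jarsigner.

```python
import io
import re
import zipfile

# Values taken from the article.
OLD_AFFINITY = "com.ibm.rcp.platform.feature"
NEW_AFFINITY = "com.ibm.rcp.site.anchor.user.feature"
STALE_META = {"META-INF/IBM_WPLC.RSA", "META-INF/IBM_WPLC.SF", "META-INF/MANIFEST.MF"}

# Suffixes of signature files under META-INF; any left behind means a second,
# now broken, signature would travel with the repacked jar.
SIGNATURE_SUFFIXES = (".SF", ".RSA", ".DSA", ".EC")

_AFFINITY = re.compile(r'(colocation-affinity\s*=\s*")' + re.escape(OLD_AFFINITY) + r'(")')


def retarget_feature_jar(jar_bytes):
    """Return an unsigned copy of a feature jar that installs in user context."""
    patched = False
    out = io.BytesIO()
    with zipfile.ZipFile(io.BytesIO(jar_bytes)) as src, \
            zipfile.ZipFile(out, "w", zipfile.ZIP_DEFLATED) as dst:
        for info in src.infolist():
            if info.filename in STALE_META:
                continue  # old signature and manifest no longer match the content
            data = src.read(info.filename)
            if info.filename == "feature.xml":
                text, count = _AFFINITY.subn(
                    r"\g<1>" + NEW_AFFINITY + r"\g<2>", data.decode("utf-8"))
                if count != 1:
                    # Already changed, or not the jar we think it is: refuse to guess.
                    raise ValueError("expected one %s affinity, found %d"
                                     % (OLD_AFFINITY, count))
                data, patched = text.encode("utf-8"), True
            dst.writestr(info.filename, data)
    if not patched:
        raise ValueError("jar has no feature.xml at its root")
    return out.getvalue()


def leftover_signature_files(jar_bytes):
    """List META-INF signature files in a jar; must be empty before signing."""
    with zipfile.ZipFile(io.BytesIO(jar_bytes)) as jar:
        return sorted(
            name for name in jar.namelist()
            if name.upper().startswith("META-INF/")
            and name.upper().endswith(SIGNATURE_SUFFIXES)
        )


def entries(jar_bytes):
    """Map each entry name in the jar to its raw bytes."""
    with zipfile.ZipFile(io.BytesIO(jar_bytes)) as jar:
        return {name: jar.read(name) for name in jar.namelist()}


def build_sample_jar():
    """Constructed stand-in for a dictionary feature jar (not IBM's real content)."""
    out = io.BytesIO()
    with zipfile.ZipFile(out, "w") as jar:
        jar.writestr("META-INF/MANIFEST.MF", "Manifest-Version: 1.0\r\n\r\n")
        jar.writestr("META-INF/IBM_WPLC.SF", "Signature-Version: 1.0\r\n\r\n")
        jar.writestr("META-INF/IBM_WPLC.RSA", b"\x30\x00")  # placeholder bytes only
        jar.writestr(
            "feature.xml",
            '<?xml version="1.0" encoding="UTF-8"?>\n'
            '<feature id="example.dic.feature" version="7.2.0" '
            'colocation-affinity="com.ibm.rcp.platform.feature">\n</feature>\n')
        jar.writestr("feature.properties", "featureName=Example dictionary\n")
    return out.getvalue()


if __name__ == "__main__":
    unsigned = retarget_feature_jar(build_sample_jar())
    print(sorted(entries(unsigned)))
    print("leftover signature files:", leftover_signature_files(unsigned))
```

To use it on a real feature jar, read the .org copy as bytes, pass it to retarget_feature_jar and write the result to the .jar name before running jarsigner.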

Signing:
To sign I downloaded JDK 1.8 from
http://www.oracle.com/technetwork/java/javase/downloads/jdk8-downloads-2133151.html (Windows x64, because I am using W10 64-bit).

IMPORTANT!!!
Only sign jar files that you have made changes to. The others are already signed with valid signatures.
Only sign 1 time with 1 signature for each jar file. Signing a second time could cause unexpected results.
IMPORTANT!!!

First I examined the file that was signed by IBM; this is now <filename>.org if the instructions were followed.
C:\Program Files\Java\jdk1.8.0_121\bin>
jarsigner -verify -verbose "C:\updateSite_af\features\com.ibm.langware.v5.dic.af_ZA.feature_7.2.0.201111100545.org"

I got:
– Signed by "CN=International Business Machines Corporation, OU=Lotus Software Group, OU=Digital ID Class 3 – Java Object Signing, O=International Business Machines Corporation, L=Littleton, ST=Massachusetts, C=US"
    Digest algorithm: SHA1
    Signature algorithm: MD5withRSA, 2048-bit key
  Timestamped by "CN=GeoTrust Timestamping Signer 1, O=GeoTrust Inc, C=US" on lö feb 02 04:31:44 UTC 2013
    Timestamp digest algorithm: SHA-1
    Timestamp signature algorithm: SHA1withRSA, 1024-bit key

jar verified.

This meant that I needed to sign with MD5withRSA and also SHA-1 where needed.
I tried all of the possible combinations of signing and digest and did the provisioning to the IBM Notes Client for all the different cases (puh this was hard and took a lot of time!) just to make sure.
I found only 1 configuration that worked every time.

IMPORTANT!!!
To sign you must first create a signer, and you also need to import the certificate of the signer, cross-certify it with your Notes certificate and push that cross certificate to the client through your security policy.
This is done in the Domino Directory of your server.
A jar file signed with this signature is then trusted to be installed on the client.
IMPORTANT!!!

Inspired by Thomas Hampel (again) and the blog entry (https://blog.thomashampel.com/blog/tomcat2000.nsf/dx/untitled.htm?opendocument&comments),
I decided to make my own script to help me out with this task.

Script Solution:
I decided to make 2 types of script, 1 for creating the necessary JKS file used for signing and 1 for the actual signing.
Both solutions consist of a command file and a property file containing the values needed for the execution.

Code and samples will be provided here for download: Cool_Signing

Keytool:
Signing_mykeytool.cmd Cool_Signer.keytool
in the sample provided will create a JKS file and a CER file in the C:\temp directory.

To customize for your own needs you can create your own .keytool file using Cool_Signer.keytool as a template. Read the included Readme.txt file for an explanation.

IMPORTANT!!!
You must change/customize this if you want to use this in your own environment, because the sample provided here is not intended for any purpose other than demonstrating the code.
IMPORTANT!!!

Jarsigner:
Signing_myjarsigner.cmd Cool_Signing_with_XTAF_MD5.jarsigner
in the sample provided will sign all jar files that end with *.feature_7.2.0.201111100545.jar from the catalog C:\Notes_XTAF_Dictionaries_V9.0_Win_ML and down.
IMPORTANT!!!
It also contains the parameters that were tested to work with these features. I recommend that you use these if you modify and sign the XTAF Dictionaries.
IMPORTANT!!!

To customize for your own needs you can create your own .jarsigner file using Cool_Signing_with_XTAF_MD5.jarsigner as a template. Read the included Readme.txt file for an explanation.

Conclusion:
Changing and signing is hard work, but the scripts at least provide you with the means of organising your stuff and ease the burden of signing.

 


SugarCRM IBM Notes plug-in, no questions asked

Case:
I was involved in a SugarCRM project and one of the requirements was to rollout a widget to IBM Notes sidebar provided by Sugar.

Description:
The problem was that the instructions from Sugar included an option for the user to bail out of the installation,
because the signatures were not trusted. Also, the user needs to cross certify with his own Notes ID.
(http://support.sugarcrm.com/Documentation/Plug-ins/Lotus_Notes_Plug-in/Notes_Plugin_Installation_Guide_2/index.html)

From the project perspective this was not OK.

Solution:
I needed to find a way to cross certify in advance, making the installation in the background without giving the user the option to bail out.
I wanted to cross certify with my organizational certifier instead and avoid questions.

The first problem was to find the certifiers.
What I did was to install the plug-in manually in my test environment.
I then looked in the workspace\applications\eclipse\features directory,
where the META-INF directory contains a file called LPI.RSA.

Using OpenSSL with the command
"openssl pkcs7 -in LPI.RSA -print_certs -inform DER -out lpi.cer"
and then opening the output in an editor, you can see all of the certifiers.
Using the instructions from Sugar as a guideline I tried to cross certify the certificate
that was used by Sugar, which was:
CN=SugarCRM/OU=Software/OU=Digital ID Class 3 – Java Object Signing/O=SugarCRM/L=Cupertino/ST=California/C=US
but when trying to do that I got the message:
"A cross certificate will not be made due to key usage restrictions in the input certificate"

Found a discussion thread indicating that cross-certifying at a higher level would do it
(http://www-10.lotus.com/ldd/nd85forum.nsf/0/565f1122814572b3852579f900521ce0?OpenDocument)
so I imported the certificates into Domino Directory:

CN=VeriSign Class 3 Code Signing 2010 CA/OU=Terms of use at https://www.verisign.com/rpa (c)10/OU=VeriSign Trust Network/O=VeriSign, Inc./C=US
VeriSign Class 3 Public Primary Certification Authority – G5/(c) 2006 VeriSign, Inc. – For authorized use only/VeriSign Trust Network/VeriSign, Inc./US
https://knowledge.symantec.com/support/ssl-certificates-support/index?page=content&id=SO14649
https://www.symantec.com/content/dam/symantec/docs/other-resources/roots.zip

and crosscertified them with my Domino Organizational certifier instead, into Domino Directory.

I then pushed these 2 internet cross certificates out to the clients thru my security policy.

After that I included the widget in my widget catalog according to the instructions provided by Sugar and in this case we made a special desktop policy (explicit because it was in the cloud) that installed it for everyone belonging to a Domino group.

Worked perfectly.


Revisit: Wildcard SSL certificate from P12/PFX file into Domino

The objective of this article is to provide an example of how to do this with hopefully no discussions and no questions unanswered. Of course this example is based on a particular situation with a special certificate provider but can hopefully be translated to any other situation with other certificate authorities.
I wrote an earlier article; this is an update.

Contents
1. Assumptions
2. What do I need
3. OpenSSL
4. Kyrtool
5. Syntax
6. Example
7. Implement the files on the server
8. Check out if it works
9. Important note
10. Conclusion

Assumptions:
Running Windows 64 bits (directory separator = \)
PFX file contains both certificate, intermediate and root certificates 
Domino server running 9.0.1 FP3

What do I need:
1. An exported P12/PFX file from in my case IIS, containing the wildcard certificate private key as well as the certification path to it.

2. OpenSSL:
Homepage: https://www.openssl.org/source/
Easy precompiled: https://slproweb.com/products/Win32OpenSSL.html
The one I used: http://slproweb.com/download/Win64OpenSSL-1_0_2g.exe

3. Kyrtool:
Fixcentral short: http://ibm.co/1SAYX5E
Fixcentral long: http://www-933.ibm.com/support/fixcentral/swg/selectFixes?parent=ibm%7ELotus&product=ibm/Lotus/Lotus+Domino&release=9.0.1.2&platform=All&function=fixId&fixids=KYRTool_9x_ClientServer&includeSupersedes=0

Syntax:
<ossldir> = Where you installed OpenSSL eg. C:\OpenSSL-Win64
<pfxdir> = Where you have placed your pfxfile
<pfxfile> = Name of your pfxfile eg. wildcard_acme_com.pfx
<pfxpassword> = Password to your pfxfile
<pemdir> = Where you want to place your pemfile
<pemfile> = Name of your pemfile eg. wildcard_acme_com.pem
<notespgmdir> = Notes or Domino program directory, minimum 9.0.1 FP3
(assumes that notes program directory is in your path, if not execute from program directory)
<kyrdir> = Directory where you want to put your kyrfile
<kyrfile> = Name of your kyrfile eg. wildcard_acme_com.kyr
<kyrpassword> = Password to your kyrfile

Check your pfx file:
<ossldir>\bin\openssl pkcs12 -info -in <pfxdir>\<pfxfile>
use <pfxpassword> when asked (nothing on PEM)

In general:
1. <ossldir>\bin\openssl pkcs12 -in <pfxdir>\<pfxfile> -out <pemdir>\<pemfile> -nodes -chain
use <pfxpassword> when asked (nothing on PEM)
2. <notespgmdir>\kyrtool create -k <kyrdir>\<kyrfile> -p <kyrpassword>
3. <notespgmdir>\kyrtool import all -k <kyrdir>\<kyrfile> -i <pemdir>\<pemfile>
Check in general:
1. <notespgmdir>\kyrtool show certs -k <kyrdir>\<kyrfile> >kyrcerts.txt
2. <notespgmdir>\kyrtool show keys -k <kyrdir>\<kyrfile> >kyrkeys.txt
3. <notespgmdir>\kyrtool show roots -k <kyrdir>\<kyrfile> >kyrroots.txt

Example:
1. C:\OpenSSL-Win64\bin\openssl pkcs12 -in C:\mypfxfiles\wildcard_acme_com.pfx -out C:\mypemfiles\wildcard_acme_com.pem -nodes -chain
use <pfxpassword> when asked
2. C:\IBM\Lotus\Domino\kyrtool create -k C:\mykyrfiles\wildcard_acme_com.kyr -p password
3. C:\IBM\Lotus\Domino\kyrtool import all -k C:\mykyrfiles\wildcard_acme_com.kyr -i C:\mypemfiles\wildcard_acme_com.pem
Check sample:

1. C:\IBM\Lotus\Domino\kyrtool show certs -k C:\mykyrfiles\wildcard_acme_com.kyr >wildcard_acme_com_kyrcerts.txt
2. C:\IBM\Lotus\Domino\kyrtool show keys -k C:\mykyrfiles\wildcard_acme_com.kyr >wildcard_acme_com_kyrkeys.txt
3. C:\IBM\Lotus\Domino\kyrtool show roots -k C:\mykyrfiles\wildcard_acme_com.kyr >wildcard_acme_com_kyrroots.txt

Implement the files on the server
1. Copy kyr file and the associated sth file to the server
2. Add the kyrfile name to your internet sites document or server document depending how your server is configured
3. Modify the cipher part
4. Make sure the SSL port is enabled in the Internet Ports.. section
5. Restart your http task on the server, use sh ta onl and check that http listens to both 80 and 443

Check out if it works
1. Use your browser and connect to your server via https
2. Look at your certificate information
3. Congratulations

Important note:
Following this means that the pem file in particular is unprotected, so make sure that you keep it in a safe place during this and consider deleting it afterwards. The same goes for the kyr file and its sth file (you cannot delete them, but keep them as safe as you can), as they contain the private key.

Conclusion
Doing this task is not more complicated than any other task that involves certificates using any other platform.

Link to this document: http://www.infoware.eu/?p=7226

 


IBM Connections using Active Directory and Nested Groups

Case:
Customer wants to use nested groups in access control for Communities; this should also be reflected in I'm a Member when users are looking for their communities and so on. Connections was 4.5CRx

Google search links that were tried, but did not work for me (for some reason unknown).
http://www.lbenitez.com/2015/11/how-to-enable-nested-ldap-groups-in-ibm.html
http://www-01.ibm.com/support/docview.wss?uid=swg21321308
http://www-10.lotus.com/ldd/lcforum.nsf/869c7412fe5d56b7852569fa007826e3/4aa9a40d4818785f85257b3b004e3240?OpenDocument
http://www.communardo.de/home/techblog/2014/06/04/nested-groups-ibm-connections/

Found something that worked for me (seems logical looking at the description).
http://social.technet.microsoft.com/wiki/contents/articles/5392.active-directory-ldap-syntax-filters.aspx
coming from thread
https://social.technet.microsoft.com/Forums/scriptcenter/en-US/f238d2b0-a1d7-48e8-8a60-542e7ccfa2e8/recursive-retrieval-of-all-ad-group-memberships-of-a-user?forum=ITCG

Description:
All groups the specified user belongs to, including due to group nesting (Notes 10, 19)
e.g. (member:1.2.840.113556.1.4.1941:=cn=Jim Smith,ou=West,dc=Domain,dc=com)
All members of the specified group, including due to group nesting (Note 10)
e.g. (memberOf:1.2.840.113556.1.4.1941:=cn=Test,ou=East,dc=Domain,dc=com)
Note 10.
The string 1.2.840.113556.1.4.1941 specifies LDAP_MATCHING_RULE_IN_CHAIN. This applies only to DN attributes. This is an extended match operator that walks the chain of ancestry in objects all the way to the root until it finds a match. This reveals group nesting. It is available only on domain controllers with Windows Server 2003 SP2 or Windows Server 2008 (or above).
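What the two filters above look like when built from a DN, and what the in-chain rule returns for a nested (and even cyclic) group layout. This is an added example, not part of the original post: the function names are assumptions, the directory is constructed sample data, and the closure is computed locally only to show what the domain controller evaluates for the first filter.

```python
from collections import defaultdict, deque

IN_CHAIN = "1.2.840.113556.1.4.1941"  # LDAP_MATCHING_RULE_IN_CHAIN (from the article)


def escape_filter_value(value):
    """Escape a value for an LDAP search filter (RFC 4515) so that a DN
    containing ( ) * or \\ cannot change the structure of the filter."""
    return "".join("\\%02x" % ord(c) if c in "\\*()\x00" else c for c in value)


def groups_of_user_filter(user_dn):
    """All groups the user belongs to, directly or through nesting."""
    return "(member:%s:=%s)" % (IN_CHAIN, escape_filter_value(user_dn))


def members_of_group_filter(group_dn):
    """All members of the group, directly or through nesting."""
    return "(memberOf:%s:=%s)" % (IN_CHAIN, escape_filter_value(group_dn))


def groups_in_chain(direct_members, user_dn):
    """Emulate groups_of_user_filter over an in-memory directory.

    direct_members maps a group DN to the set of DNs listed in its member
    attribute. DNs are compared case-insensitively, a simplification of
    real DN matching. The seen set keeps circular nesting from looping.
    """
    parents = defaultdict(set)
    for group, members in direct_members.items():
        for member in members:
            parents[member.lower()].add(group)
    start = user_dn.lower()
    found, seen, queue = set(), {start}, deque([start])
    while queue:
        for group in parents[queue.popleft()]:
            if group.lower() not in seen:
                seen.add(group.lower())
                found.add(group)
                queue.append(group.lower())
    return found


# Constructed sample directory: Jim is only a direct member of Team, Team is
# nested in Dept, Dept in Test, and Test is nested back into Team (a cycle).
JIM = "cn=Jim Smith,ou=West,dc=Domain,dc=com"
TEAM = "cn=Team,ou=East,dc=Domain,dc=com"
DEPT = "cn=Dept,ou=East,dc=Domain,dc=com"
TEST = "cn=Test,ou=East,dc=Domain,dc=com"
OTHER = "cn=Other,ou=East,dc=Domain,dc=com"
DIRECTORY = {
    TEAM: {JIM, TEST},
    DEPT: {TEAM},
    TEST: {DEPT},
    OTHER: {"cn=Someone Else,ou=West,dc=Domain,dc=com"},
}

if __name__ == "__main__":
    print(groups_of_user_filter(JIM))
    print(sorted(groups_in_chain(DIRECTORY, JIM)))
```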

NOTE: 
All of this is of course done in the context of Deployment Manager.
After doing the changes a full resynch needs to be done with all nodes in the cluster (sometimes also take down node and use synchNode from the node) and restart the node.

Solution is to change my setting in Websphere to reflect this:
[Screenshots: nestgroup1, nestgroup2, nestgroup3]

Also changed for performance reasons the following (optional):
Reason:
http://www.ibm.com/support/knowledgecenter/SSAW57_8.0.0/com.ibm.websphere.wim.doc/disablingnestedgroupsearches.html
Solution is to change according to instructions

How does it look in the files before and after the change, here are snippets of this:

wimconfig.xml before the change:
      <config:groupConfiguration>
        <config:memberAttributes name="member" objectClass="group" scope="nested"/>
        <config:membershipAttribute name="memberof" scope="nested"/>
      </config:groupConfiguration>

wimconfig.xml after the change:
      <config:groupConfiguration>
        <config:memberAttributes name="member:1.2.840.113556.1.4.1941:" objectClass="group" scope="nested"/>
        <config:membershipAttribute name="memberOf:1.2.840.113556.1.4.1941:" scope="nested"/>
      </config:groupConfiguration>

security.xml before the change (you can not cut and paste any of these because some parameters are unique to your environment):
  <userRegistries xmi:type="security:WIMUserRegistry" xmi:id="WIMUserRegistry_1" serverId="" serverPassword="{xor}" realm="defaultWIMFileBasedRealm" ignoreCase="true" useRegistryServerId="false" primaryAdminId="wasadmin" registryClassName="com.ibm.ws.wim.registry.WIMUserRegistry"/>

security.xml after the change (you can not cut and paste any of these because some parameters are unique to your environment):
  <userRegistries xmi:type="security:WIMUserRegistry" xmi:id="WIMUserRegistry_1" serverId="" serverPassword="{xor}" realm="defaultWIMFileBasedRealm" ignoreCase="true" useRegistryServerId="false" primaryAdminId="wasadmin" registryClassName="com.ibm.ws.wim.registry.WIMUserRegistry">
    <properties xmi:id="VMMURProperty_1" name="com.ibm.ws.wim.registry.grouplevel" value="1"/>
  </userRegistries>

 

Shortcut to this document: http://www.infoware.eu/?p=7180
That's all folks


Wildcard SSL certificate from P12/PFX file into Domino (SHA2 as well)

New article on this here
Just made a key file from scratch using a file exported from another webserver.
I am using iKeyman for Sametime/Connections and the tools provided by Domino all the time, but this is explicitly to describe the process of using already bought wildcard certificates used by other parts of your organisation and extending the use of them to also include Domino servers, instead of having to request a new wildcard certificate just for Domino and paying the certificate authority one more time. Of course you must follow the agreement made on how many servers you can use the certificate for, but still it gives you the option of not paying more than one time and include your Domino servers in the same package.

This article http://www.turtleweb.com/turtleblog.nsf/dx/11022009232215GDAVGR.htm?opendocument&comments and the comments as well as discussion on notesnet
http://www-10.lotus.com/ldd/nd8forum.nsf/Customer/59aad6f8ac81d8648525744900202ad1?OpenDocument provided me with information to start with.

The objective of this article is to provide an example of how to do this with hopefully no discussions and no questions unanswered. Of course this example is based on a particular situation with a special certificate provider but can hopefully be translated to any other situation with other certificate authorities.

Because of the nature of this instruction a PDF file will be provided to use as a checklist. I highly recommend using this (screenshotsforblogP12)

Contents
1. What do I need
2. Import your P12/PFX file into your browser
3. Export root and any intermediate certificates to file
4. Run iKeyman to create new kyrfile and then Add and Import certificate information
5. Check your file and add sth file to enable it for Domino use
6. Implement the files on the server
7. Check out if it works
8. Conclusion

What do I need:
1. One instance of a 32 bit Windows operating system, I used 32 bit Windows XP running on my laptop with VMware 10. You can not use 64 bit Windows for this task.
2. GSK5 that you can download from http://www-01.ibm.com/support/docview.wss?uid=swg21615277&aid=1. This should be unzipped inside your XP virtual machine.
Source: http://www-01.ibm.com/support/docview.wss?uid=swg21615277
3. An exported P12/PFX file from in my case IIS, containing the wildcard certificate private key as well as the certification path to it, more on this later on.

Import your P12/PFX file into your browser
This should contain private key as well as all certificates in the certification path if possible.
Open the file with Crypto Shell Extensions and Import into your browser, to import you need a password provided by the administrator that exported the file.
Examine the newly imported certificate in Internet Explorer under Content > Certificates.. > Personal
View the certificate and each certificate in the path and write down the labels, so that you can easily find them under Intermediate… and Trusted Root… later and use them inside iKeyman when labelling them.

Export root and any intermediate certificates to file
Find the different certificates under Intermediate Certification Authorities or Trusted Root Certification Authorities using the labels noted in the step above.
Export them to file.

Run iKeyman to create new kyrfile and then Add and Import certificate information
You must be Administrator on your machine to run this, make sure you are.
Go to the directory where you unzipped your files in a Command Prompt.
1. notepad readme.txt and read it
2. gskregmod.bat Add
3. runikeyman.bat
4. Create new keyring file
5. Add Signer Certificates from the earlier exported Trusted Root and any Intermediate in this order starting with the top meaning trusted Root first and then Intermediate.
6. Import Personal Certificates using the first provided P12/PFX file
7. View this key information to make sure that it is looking good.

Check your file and add sth file to enable it for Domino use
1. Copy the kyr file to your data directory on the notes client
2. Open or create the Server Certificate Admin application
3. View & Edit Key Rings
4. Select key Ring to Display and check that you can read it using the password set by you earlier.
5. Change Key Ring Password and follow the procedure
6. Check that you have received an sth file with the same name as the kyr file in your data directory
7. Check your certificate in Server Certificate Admin

Implement the files on the server
1. Copy both files to your servers data directory
2. Add the kyrfile name to your internet sites document or server document depending how your server is configured
3. Modify the cipher part
4. Make sure the SSL port is enabled in the Internet Ports.. section
5. Restart your http task on the server, use sh ta onl and check that http listens to both 80 and 443

Check out if it works
1. Use your browser and connect to your server via https
2. Look at your certificate information
3. Congratulations

Conclusion
Doing this task is not more complicated than any other task that involves certificates using any other platform.
Domino can use the same wildcard certificates already used by others, you do not have to pay twice.
Use the checklist with screenshots included above to make sure that you understand the instructions (screenshotsforblogP12).
I think IBM needs to either change Domino server SSL implementation to use the same files for this as the rest of IBM products, meaning same structure as eg. WebSphere Application Server or it must include support for Keyring files into the latest versions of GSK. Keeping instances of old operating systems for this task only could not be a good solution.
Also got this working with SHA2 and my internal Domino 9 server, but then I had to work with multiple GSK kits, but ended up with a valid kyr file. This is not documented here, but I could do it if it is still interesting after this Poodle issue. I guess not, because TLS is more important now.
OK here we go. Instead of creating a kyr file directly under Windows XP I first created a CMS – kdb file with the GSK kit provided by IBM HTTP servers, that I had on another server. Then I copied the kdb file into Windows XP and GSK kit version 5, opened it there, saved it as a kyr file and then proceeded to:
1. Copy the kyr file to your data directory on the notes client

Link directly to this document: http://www.infoware.com/?p=1592


IBM Notes 9.0 and Ubuntu 64

Background
Customer running 64 bit Ubuntu 12.04 LTS as their primary client platform.
Customer wants Notes 9.0 to be their primary collaboration client.

I googled on this and got no satisfactory solution for implementing this in a corporate production environment as all of the solutions were using force to install and some ended up with broken dependencies and so on.
The goal for me was to install this without broken dependencies and a fully functional operating system without warnings inside update manager.

Requirements
To install Notes 9 in Ubuntu 64 I'm assuming the following:

1. You are using an administrative account and you are using Ubuntu 12.04 LTS 64 bit

2. No other Notes installations are present to begin with.
To check whether there are any other ibm/lotus installations present, use the following command in a terminal window (open it and expand it to see all information):
sudo dpkg -l 'ibm*':i386 | grep ii (in 32 bit it is sudo dpkg -l 'ibm*' | grep ii)

If you have earlier installations you should be able to uninstall them one by one with the following:
sudo dpkg -r <packagename>
sudo dpkg --purge <packagename>

Unpack
Unpack your downloaded tar files and extract the file ibm-notes-9.0.i586.deb to the ibm-notes-9.0.i586 folder, and then rename ibm-notes-9.0.i586.deb to original-ibm-notes-9.0.i586.deb

Change the package
Go into the ibm-notes-9.0.i586 folder and into the DEBIAN folder
(here it is a good idea to show hidden files, done by pressing Ctrl+H while in file browser)
Open the file control in edit mode and remove the following:

gdb, coreutils, unzip, bash, procps, grep, sed,

from the Depends line. The control file should now look like this:

[Screenshot from 2013-07-26 11:38:18]
Save the file and leave the editor.

If you have a hidden file called control~ after editing the actual control file delete the file control~

NOTE: To keep things clean inside your packages always show hidden files and all files created with the ~ ending should be deleted before recompiling the package.

Before creating the new package you should also consider changing the file plugin_customization.ini, which is located in the same ibm-notes-9.0.i586 folder but under opt/ibm/notes/framework/rcp, to make it more customized for your needs. See the example further down in this document.

Repacking/compressing the new package
Now in a terminal window go to the folder where you first unpacked your tar file.
In that folder the ibm-notes-9.0.i586 folder should now be available and the file ibm-notes-9.0.i586.deb must not be there. Issue the command:

sudo dpkg-deb -b ibm-notes-9.0.i586

If everything goes well a new ibm-notes-9.0.i586.deb file is created.

Installing files that installation depends on
The control file inside the package still lists dependencies that must be installed before proceeding with the installation of the Notes 9.0 client. This is also true for the 32 bit version of Ubuntu, even if the deb file doesn't need to be changed there.

Install for 64 bit dependencies
In a terminal window issue the command:

sudo apt-get update; sudo apt-get install ia32-libs libgnomeprint2.2-0:i386 libgnomeprintui2.2-0:i386 libbonobo2-0:i386 libbonoboui2-0:i386 libgconf2-4:i386 libgnome-desktop-2-17:i386 libgnomevfs2-bin:i386 libgnomeui-0:i386 libjpeg62:i386 libpam0g:i386 libxkbfile1:i386 ttf-xfree86-nonfree t1-xfree86-nonfree -y

or if you want to put it inside a script:
(if the script is already in sudo, remove sudo before apt-get)

sudo apt-get update
sudo apt-get install ia32-libs -y #NOT to be used in 32 bit Ubuntu
sudo apt-get install libgnomeprint2.2-0:i386 -y
sudo apt-get install libgnomeprintui2.2-0:i386 -y
sudo apt-get install libbonobo2-0:i386 -y
sudo apt-get install libbonoboui2-0:i386 -y
sudo apt-get install libgconf2-4:i386 -y
sudo apt-get install libgnome-desktop-2-17:i386 -y
#sudo apt-get install libgnome-desktop-3-2:i386 -y #for 32 bit it works instead of 2-17
sudo apt-get install libgnomevfs2-bin:i386 -y
sudo apt-get install libgnomeui-0:i386 -y
sudo apt-get install libjpeg62:i386 -y
sudo apt-get install libpam0g:i386 -y
sudo apt-get install libxkbfile1:i386 -y
sudo apt-get install ttf-xfree86-nonfree -y
sudo apt-get install t1-xfree86-nonfree -y

When using this in the 32 bit version, the :i386 must be removed because it is already i386. Also, ia32-libs should NOT be installed in the 32 bit version.

Checking that there are no dependencies left
Install the program GDebi Package Installer from Ubuntu Software Center.
In a window Right click on the ibm-notes-9.0.i586.deb and choose Open With GDebi Package Installer.
Don't use this to install, only to see that there are no more dependencies left.
(you can use this to install but not to uninstall in 64 bit)

Installing the client
These are the commands to install. You can always choose not to install all of these features, but you must start with ibm-notes-9.0.i586.deb.

sudo dpkg -i ibm-notes-9.0.i586.deb
sudo dpkg -i ibm-cae-9.0.i586.deb
sudo dpkg -i ibm-feedreader-9.0.i586.deb
#sudo dpkg -i ibm-connections-4.5.0.i586.deb #See instructions further down
sudo dpkg -i ibm-activities-9.0.i586.deb
sudo dpkg -i ibm-sametime-9.0.i586.deb
sudo dpkg -i ibm-opensocial-9.0.i586.deb

As we all know the full Activities and Status Update package (IBM Connections Plug-ins for IBM Notes) is delivered as an update instead of being included in the activities package for Linux. The only thing included in the activities package is the Business card component. Further down in this document I will give an unsupported solution to install the "IC45PluginsforIBMNotes-20130517-1715.zip" as an install package directly instead of using provisioning to install it as a plug-in.

Uninstalling the client
Try to uninstall packages in reverse order from installing them; this means ibm-notes-9.0.i586.deb goes last. Here are the commands to do this:

Check what is installed with sudo dpkg -l 'ibm*':i386
It could look like this:
[Screenshot from 2013-07-26 13:46:48]

Based on this, the uninstall looks like this:
sudo dpkg -r ibm-notes:i386
sudo dpkg --purge ibm-notes:i386

Example of plugin_customization.ini
This example assumes that you are using Domino Directory and have Sametime Community in a separate Domain from the Domino Directory and using LDAP. Sametime is 8.5.2 IFR1 and with meeting proxy and so on. The Connections parameters in this are only for hiding sidebars, so that you can install them but hide them by default. Connections configuration for the client could be done from Domino policies after this. The example gets you going with Notes client and Sametime in a SSO (if you have configured it correctly) scenario and you can build on this to do the same with Activities and Status Updates. This example also opens up the Application install so that it is available for clients when needed. Sametime Community servers should also be able to respond to any client request coming on port 1352 regardless of the Domino server names, as we are using them (clustered configuration) to authenticate the clients for SSO.

com.ibm.collaboration.realtime.bcs/skilltapServicePath=/bcsa/servlet/rpcrouter
com.ibm.rcp.esupport.client/defaultTaxCode=SSKTWP!8!5
com.ibm.collaboration.realtime.brokerbridge/startBroker=false
com.ibm.rcp.topologyhandler/hashCacheFilenames=true
com.ibm.rcp.provisioning/startupProgressRect=18,18,400,20
com.ibm.collaboration.realtime.webapi/startWebContainer=true
com.ibm.rcp.security.update/VERIFICATION_LISTENER=com.ibm.rcp.security.update.PromptVerificationListener
com.ibm.rcp.personality.framework/DISABLE_EXCEPTION_DIALOG=true
com.ibm.rcp.managedsettings/com.ibm.notes.desktopsets=com.ibm.notes.managedsettings.provider.PolicyProvider
com.ibm.rcp.esupport.client/defaultCollector=general.problem.noninteractive
com.ibm.esupport.autopd.ui/useSingleArchive=true
com.ibm.esupport.autopd.ui/showPortableCollector=false
com.ibm.collaboration.realtime.community/defaultAuthType=ST-DOMINO-SSO
com.ibm.rcp.provisioning/startupForegroundColor=000000
com.ibm.rcp.ui/HIDE_PANEL_com.ibm.rtc.meetings.shelf.ui.MeetingsShelf.shelfview=true
com.ibm.rcp.security.update/UNSIGNED_PLUGIN_POLICY=ALLOW
com.ibm.rcp.ui/HIDE_PANEL_com.ibm.collaboration.realtime.filteredbuddies.shelfview=true
com.ibm.rcp.ui/HIDE_PANEL_com.ibm.collaboration.realtime.primarybuddies.shelfview=true
com.ibm.rcp.provisioning/startupMessageRect=20,43,400,20
com.ibm.rcp.security.update/EXPIRED_SIGNATURE_POLICY=ALLOW
com.ibm.rcp.security.update/UNTRUSTED_SIGNATURE_POLICY=ALLOW
com.ibm.rcp.toolbox.admin/toolboxvisibleChild=false
# IBM Sametime Config
# Community Server
com.ibm.collaboration.realtime.community/name=<your COMMUNITY_ID>
com.ibm.collaboration.realtime.community/host=<your community server FQDN>
com.ibm.collaboration.realtime.community/defaultAuthType=ST-DOMINO-SSO
com.ibm.collaboration.realtime.community/loginByToken=true
com.ibm.collaboration.realtime.community/loginAtStartup=true
com.ibm.collaboration.realtime.login/autologin=true
com.ibm.collaboration.realtime.community/port=80
com.ibm.collaboration.realtime.community/connectionType=direct
# Sets timeformat
com.ibm.collaboration.realtime.chatwindow/showtimestamp=true
com.ibm.collaboration.realtime.chatwindow/timeformat=24
# Meeting Server
com.ibm.rtc.meetings.shelf/meetingServerHostName=<your meeting server FQDN>
com.ibm.rtc.meetings.shelf/serverPort=443
com.ibm.rtc.meetings.shelf/useHTTP=false
com.ibm.rtc.meetings.shelf/useHTTPS=true
com.ibm.rtc.meetings.shelf/communityServerName=<your community server FQDN>
com.ibm.rtc.meetings.shelf/useCommunityCredentials=true
com.ibm.rtc.meetings.shelf/meetings.launchURLRichClient=true
com.ibm.rtc.meetings.shelf/instantMeetingShowDialog=true
com.ibm.collaboration.realtime.meetings/hasCamera=true
com.ibm.collaboration.realtime.meetings/hasSpeakers=true
com.ibm.collaboration.realtime.meetings/hasMic=true
com.ibm.collaboration.realtime.meetings/hideLegacyMeetingUI=true
# Handles the contact list conflict popup
com.ibm.collaboration.realtime.imhub/showBuddyListConflictDialog=false
com.ibm.collaboration.realtime.imhub/buddyListConflictPref=replaceLocal
# Activates chat logging
com.ibm.collaboration.realtime.chat.logging/logging.default=2
com.ibm.collaboration.realtime.chat.logging/logging.enabled=true
com.ibm.collaboration.realtime.chat.logging/logging.service=service.notes
com.ibm.collaboration.realtime.chat.logging/firsttime.askprefs=true
# Handles a media manager popup error message
com.ibm.collaboration.realtime.telephony.softphone/suppress.failed.sip.registration=true
# Path for file transfer
com.ibm.collaboration.realtime.filetransfer/saveFileLocation=\SametimeFileTransfer
# IBM Connections Config
com.ibm.rcp.ui/HIDE_PANEL_com.ibm.workplace.ae.client.views.AESideShelfView=true
com.ibm.rcp.ui/HIDE_PANEL_com.ibm.lconn.statusupdates.ui.shelfview=true
# Status Updater Fix to show profile pictures
com.ibm.lconn.statusupdates/download.image.enabled=true
# Fix Getting Started page
com.ibm.rcp.jfaceex/overrideAutoStart=com.ibm.rcp.gettingstarted.GettingstartPerspective
# Install Application Menu
com.ibm.notes.branding/enable.update.ui=true
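
The listing above sets all three com.ibm.rcp.security.update signature policies to ALLOW, which is what lets unsigned, expired-signature and untrusted-signature plug-ins install without a prompt. The following script is an added example, not part of the original post: it reports how a plugin_customization.ini sets those three keys so that the setting stays a visible, reviewed choice; the function names, status labels and inline sample are constructed for illustration.

```shell
#!/bin/sh
# Added example: report the three signature policies from plugin_customization.ini.

# Constructed sample, using the policy lines from the listing above.
sample_ini() {
cat <<'EOF'
com.ibm.rcp.provisioning/startupMessageRect=20,43,400,20
com.ibm.rcp.security.update/UNSIGNED_PLUGIN_POLICY=ALLOW
# com.ibm.rcp.security.update/EXPIRED_SIGNATURE_POLICY=DENY
com.ibm.rcp.security.update/EXPIRED_SIGNATURE_POLICY=ALLOW
com.ibm.rcp.security.update/UNTRUSTED_SIGNATURE_POLICY=ALLOW
EOF
}

# audit_sig_policy: reads ini text on stdin and prints "KEY VALUE STATUS".
# Comment and blank lines are skipped; if a key repeats, the last value is
# reported (assumption about how the client resolves duplicates).
audit_sig_policy() {
  awk '
    BEGIN {
      prefix = "com.ibm.rcp.security.update/"
      n = split("UNSIGNED_PLUGIN_POLICY EXPIRED_SIGNATURE_POLICY UNTRUSTED_SIGNATURE_POLICY", keys, " ")
    }
    /^[ \t]*#/ || /^[ \t]*$/ || !/=/ { next }
    {
      eq = index($0, "=")
      key = substr($0, 1, eq - 1); val = substr($0, eq + 1)
      gsub(/^[ \t]+|[ \t\r]+$/, "", key); gsub(/^[ \t]+|[ \t\r]+$/, "", val)
      for (i = 1; i <= n; i++)
        if (key == prefix keys[i]) seen[keys[i]] = toupper(val)
    }
    END {
      for (i = 1; i <= n; i++) {
        k = keys[i]
        if (!(k in seen))            print k, "-", "UNSET"
        else if (seen[k] == "ALLOW") print k, seen[k], "SILENT-ACCEPT"
        else                         print k, seen[k], "OK"
      }
    }'
}

# count_silent: how many of the three policies accept content without asking.
count_silent() {
  audit_sig_policy | awk '$3 == "SILENT-ACCEPT" { c++ } END { print c + 0 }'
}

# Real use: audit_sig_policy < /path/to/plugin_customization.ini
sample_ini | audit_sig_policy
```

A non-zero result from count_silent means the client installs that class of plug-in without asking the user, so the update sites and widget catalogs it is allowed to reach become the only control.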

IBM Connections Plug-ins for IBM Notes as an installer instead of a plug-in (unsupported solution but still nice to have)

Extract IC45PluginsForIBMNotes-20130517-1715.zip, go into the updateSiteforLinux folder and copy the file updateSite.zip to a folder of your choice where you want to work with it.
Copy the file ibm-activities-9.0.i586.deb (from the installation kit) to the same folder that updateSite.zip was copied to.

Extract the ibm-activities-9.0.i586.deb to the ibm-activities-9.0.i586 folder
Rename the ibm-activities-9.0.i586 folder to ibm-connections-4.5.0.i586

Go into the folder ibm-connections-4.5.0.i586 and delete all files in the features and plugins folders in the opt/ibm/notes/framework/shared/eclipse subtree, but leave the folders.

Extract the updateSite.zip to the updateSite folder.
Extract all of the jar files in the features folder. Move all of the newly created folders into the features folder of ibm-connections-4.5.0.i586 above.
Copy the jar files from the updateSite plugins folder to the plugins folder of ibm-connections-4.5.0.i586 above.

Go into the DEBIAN folder of ibm-connections-4.5.0.i586
Open the file control in gedit and change:
Package: ibm-connections-plugin
and
Version: 4.5.0.20130224-1730
save the file and leave the editor.

Change the contents of 2 files in the following folder of ibm-connections-4.5.0.i586:
The /opt/ibm/notes/framework/rcp/deploy folder contains 2 xml files that need to be changed:
install.ibm_activities.xml
and
uninstall.ibm_activities.xml

Replacing the content of install.ibm_activities.xml

<?xml version="1.0"?>
<ibm-portal-composite>
  <domain-object name="com.ibm.rcp.installmanifest">
    <object-data>
      <install version="4.5.0.20130224-1730">
        <installfeature mergeaction="add" require="true" default="false" description="%Activities.description" id="Activities" name="%Activities.name" required="false" show="true" version="4.5.0.20130224-1730">
          <requirements>
            <feature id="com.ibm.lconn.client.bizcard.feature" version="4.5.0.20130224-1730" shared="true" action="install" download-size="2452" match="greaterOrEqual" mergeaction="add" size="2101"/>
            <feature id="com.ibm.lconn.statusupdates.feature" version="4.5.0.20130224-1730" shared="true" action="install" download-size="2452" match="greaterOrEqual" mergeaction="add" size="2101"/>
            <feature id="com.ibm.lconn.client.activities.nl.feature" version="4.5.0" shared="true" action="install" download-size="2452" match="greaterOrEqual" mergeaction="add" size="2101"/>
            <feature id="com.ibm.lconn.client.activities.feature" version="4.5.0.20130224-1730" shared="true" action="install" download-size="2452" match="greaterOrEqual" mergeaction="add" size="2101"/>
          </requirements>
        </installfeature>
      </install>
    </object-data>
  </domain-object>
</ibm-portal-composite>

Replacing the content of uninstall.ibm_activities.xml

<?xml version="1.0"?>
<ibm-portal-composite>
  <domain-object name="com.ibm.rcp.installmanifest">
    <object-data>
      <install version="4.5.0.20130224-1730">
        <installfeature default="false" description="%Activities.description" id="Activities" name="%Activities.name" required="false" show="true" version="4.5.0.20130224-1730">
          <requirements>
            <feature action="uninstall" id="com.ibm.openactivities.client.feature" match="greaterOrEqual" shared="true" version="1.0.0"/>
            <feature action="uninstall" download-size="2452" id="com.ibm.lconn.client.bizcard.feature" match="greaterOrEqual" shared="true" size="2101" version="4.5.0.20130224-1730"/>
            <feature action="uninstall" download-size="2452" id="com.ibm.lconn.statusupdates.feature" match="greaterOrEqual" shared="true" size="2101" version="4.5.0.20130224-1730"/>
            <feature action="uninstall" download-size="2452" id="com.ibm.lconn.client.activities.nl.feature" match="greaterOrEqual" shared="true" size="2101" version="4.5.0"/>
            <feature action="uninstall" download-size="2452" id="com.ibm.lconn.client.activities.feature" match="greaterOrEqual" shared="true" size="2101" version="4.5.0.20130224-1730"/>
          </requirements>
        </installfeature>
      </install>
    </object-data>
  </domain-object>
</ibm-portal-composite>

Repacking/compressing the new package

Open a terminal window and go to the working directory of your choice.
Issue the command:

sudo dpkg-deb -b ibm-connections-4.5.0.i586

If everything is OK, an ibm-connections-4.5.0.i586.deb file is created.
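
A package tree that was extracted and edited as a normal user keeps that user's file ownership, and dpkg-deb -b records it in the archive even when run with sudo, so files under /opt/ibm/notes can end up owned by a non-root account after installation. The following check is an added example, not part of the original post: it reads a dpkg-deb -c listing and flags non-root owners and world-writable entries; the function names and the inline sample listing (including the user name anna) are constructed.

```shell
#!/bin/sh
# Added example: flag entries in a `dpkg-deb -c` listing that would install
# with a non-root owner or with world-writable permission bits.

# Constructed sample listing; the owner "anna" and the symlink are made up.
sample_listing() {
cat <<'EOF'
drwxr-xr-x root/root         0 2013-07-26 15:40 ./
drwxr-xr-x root/root         0 2013-07-26 15:40 ./opt/ibm/notes/framework/rcp/deploy/
-rw-r--r-- anna/anna      1190 2013-07-26 15:41 ./opt/ibm/notes/framework/rcp/deploy/install.ibm_activities.xml
-rw-rw-rw- root/root      1502 2013-07-26 15:41 ./opt/ibm/notes/framework/rcp/deploy/uninstall.ibm_activities.xml
lrwxrwxrwx root/root         0 2013-07-26 15:40 ./opt/ibm/notes/example-link -> deploy
EOF
}

# risky_entries: reads a listing on stdin, prints "REASON PATH" for each hit.
risky_entries() {
  awk '
    NF < 6 { next }
    {
      mode = $1; owner = $2
      # Strip the five leading columns so paths containing spaces survive.
      path = $0
      for (i = 1; i <= 5; i++) sub(/^[ ]*[^ ]+[ ]+/, "", path)
      if (owner != "root/root") print "OWNER=" owner, path
      # Symlink modes are always rwxrwxrwx, so skip them for the mode check.
      if (substr(mode, 1, 1) != "l" && substr(mode, 9, 1) == "w")
        print "WORLD-WRITABLE", path
    }'
}

# count_risky: number of findings for the listing on stdin.
count_risky() { risky_entries | awk 'END { print NR }'; }

# Real use, after building:
#   dpkg-deb -c ibm-connections-4.5.0.i586.deb | risky_entries
sample_listing | risky_entries
```

If entries are reported, correct ownership and modes in the unpacked tree (for example sudo chown -R root:root ibm-connections-4.5.0.i586) and rebuild before installing.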

Installing the new package

sudo dpkg -i ibm-connections-4.5.0.i586.deb

Uninstalling the new package

Check what is installed with sudo dpkg -l 'ibm*':i386
The output could look like this:
[Screenshot from 2013-07-26 15:57:29]

Based on this, the uninstall looks like this:
sudo dpkg -r ibm-connections-plugin:i386
sudo dpkg --purge ibm-connections-plugin:i386

Conclusion

It seems to me that the installation of the Notes 9.0 client in a 64-bit Ubuntu environment is not going to be done without changing and repacking/compressing the package(s), as well as installing some dependencies from the 32-bit environment. On the other hand, from experience, other client environments like Windows usually involve these types of changes to include your own versions of e.g. plugin_customization.ini, so this is not much different from customizing and testing any other package in any other environment, as you do inside larger corporate environments.

Shortlink to this document: http://www.infoware.com/?p=1106

IBM Docs

Is now available in an on premise version for Connections. It is shipped as an addon to version 4.x of Connections.
Later version for Sametime and especially meetings and awareness.
Also showing integration on an iPad inside the Connection native app, really cool with offline editing and synch back to Files.
