IBM Connections Mail Plugin Configuration with Exchange Backend

Michele Buccarello

4/16/2015

This document describes how to configure the IBM Connections Mail Plugin with an Exchange backend.

Table of Contents

PREREQUISITES
WHAT THE WIKI SAYS
KERBEROS CONFIGURATION
CONFIGURE THE AUTODISCOVERY SERVLET
    CERTIFICATE EXPORT
    IMPORT THE SSL CERTIFICATE IN WEBSPHERE
    CONFIGURE socialmail-discovery-config.xml
TROUBLESHOOTING
    WIDGET ARCHITECTURE
        SERVER SIDE
        BROWSER SIDE
        AUTHENTICATION FLOW
    ADDITIONAL TRACE
    GATHERING TRACE AND DEBUG INFORMATION
    HTTP 400 ISSUE (negotiation header too long)
    DELEGATION DOESN'T WORK ONLY IN CHROME


PREREQUISITES

This guide covers the complete configuration of the IBM Connections Mail plugin with Exchange as the backend. Before reading on, check these requirements:

1) IBM Connections 5 CR2 or later

2) IBM Connections Mail 1.6

3) An Exchange server that meets the system requirements and has Kerberos enabled. For the system requirements see http://www-01.ibm.com/support/docview.wss?uid=swg27036069

4) A good knowledge of the Kerberos protocol and of the delegation process

5) A basic knowledge of Exchange Web Services (EWS) and of the autodiscovery mechanism

6) Kerberos enabled on all Exchange servers (NTLM authentication works only for the autodiscovery step, not for EWS)

7) A basic knowledge of Wireshark

WHAT THE WIKI SAYS

The URL below gives all the official information about the Mail plugin configuration:

http://www-01.ibm.com/support/knowledgecenter/SSVMJU_1.6.0/icm_pre-install.dita

This guide is a compendium of the configuration and of the authentication flow for the Exchange integration.

KERBEROS CONFIGURATION

In the official wiki the first step is to configure the SPNEGO and Kerberos authentication mechanism correctly, as described at

http://www-01.ibm.com/support/knowledgecenter/SSVMJU_1.6.0/icm_spnego.dita

Before starting the SPNEGO configuration, two steps are required:

1) Map an Active Directory account to the administrative roles

http://www-01.ibm.com/support/knowledgecenter/SSYGQH_5.0.0/admin/secure/t_kerb_configure_AD_account.dita?lang=en

2) Create a Service Principal Name and a keytab file

http://www-01.ibm.com/support/knowledgecenter/SSYGQH_5.0.0/admin/secure/t_install_kerb_create_service_account.dita?lang=en

You can skip step 1 only if the Connections installation was performed with an Active Directory user, that is, if the administrator user ID entered during the installation process (see the image below) was a user from LDAP.


In the wiki step 2 is very detailed, but if you do this configuration against a Windows 2012 Active Directory some extra steps are required to avoid problems with Kerberos authentication:

- Kerberos traffic between the client and the Key Distribution Center normally starts over UDP. Tickets issued by a Windows 2012 KDC (AES encrypted and carrying the PAC with the user's group membership) are often larger than fits in a single UDP datagram; the KDC then answers KRB_ERR_RESPONSE_TOO_BIG and the client has to retry over TCP. To use TCP from the start and skip the failing UDP attempt, add this line to the [libdefaults] section of krb5.conf (krb5.ini on Windows):

udp_preference_limit = 1

- If you set up Kerberos in an Active Directory forest with child domains, and therefore different realms, you must list every realm explicitly in the [realms] and [domain_realm] sections.

- If you see errors related to the KDC options you must set these options manually in krb5.ini; in particular, with Windows 2012 I force proxiable = false and renewable = false. This step is not a requirement, but it solved problems in the infrastructure where I set up the Kerberos authentication.


The image below shows a full example of the krb5.ini.
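As an added example that is not part of the original document, the shell script below writes a krb5.ini with the settings discussed above (udp_preference_limit = 1, explicit realms for a parent and a child domain, proxiable and renewable set to false) and then reads such a file back to check that the required settings are present. The realm names EXAMPLE.COM and CHILD.EXAMPLE.COM and the KDC host names are placeholders.

```shell
#!/bin/sh
# Added example, not part of the original document: a krb5.ini with the
# settings the text recommends for a Windows 2012 forest with a child domain,
# plus checks that read such a file back. Realm names and KDC host names are
# placeholders; adapt them to your forest.

# Write a sample krb5.ini to $1.
write_sample_krb5() {
  cat > "$1" <<'EOF'
[libdefaults]
    default_realm = EXAMPLE.COM
    default_tkt_enctypes = aes256-cts-hmac-sha1-96 aes128-cts-hmac-sha1-96 rc4-hmac
    default_tgs_enctypes = aes256-cts-hmac-sha1-96 aes128-cts-hmac-sha1-96 rc4-hmac
    udp_preference_limit = 1
    forwardable = true
    proxiable = false
    renewable = false
    noaddresses = true
    clockskew = 300

[realms]
    EXAMPLE.COM = {
        kdc = dc1.example.com:88
        default_domain = example.com
    }
    CHILD.EXAMPLE.COM = {
        kdc = dc1.child.example.com:88
        default_domain = child.example.com
    }

[domain_realm]
    .example.com = EXAMPLE.COM
    example.com = EXAMPLE.COM
    .child.example.com = CHILD.EXAMPLE.COM
    child.example.com = CHILD.EXAMPLE.COM
EOF
}

# Print the value of key $2 from the [libdefaults] section of $1 (empty if unset).
libdefault() {
  awk -v key="$2" '
    $1 ~ /^\[/                                        { sect = $1; next }
    sect == "[libdefaults]" && $1 == key && $2 == "=" { print $3; exit }
  ' "$1"
}

# Exit 0 if realm $2 has a block in the [realms] section of $1.
realm_defined() {
  awk -v realm="$2" '
    $1 ~ /^\[/                                     { sect = $1; next }
    sect == "[realms]" && $1 == realm && $2 == "=" { found = 1 }
    END { exit !found }
  ' "$1"
}

# Print every realm referenced in [domain_realm] that has no [realms] block.
undefined_realms() {
  awk '
    $1 ~ /^\[/                                   { sect = $1; next }
    sect == "[realms]" && $2 == "=" && $3 == "{" { defined[$1] = 1 }
    sect == "[domain_realm]" && $2 == "="        { used[$3] = 1 }
    END { for (r in used) if (!(r in defined)) print r }
  ' "$1"
}

# Check the settings this document calls out; exit 0 when all are present.
check_krb5() {
  f="$1"; rc=0
  [ "$(libdefault "$f" udp_preference_limit)" = "1" ] ||
    { echo "udp_preference_limit is not 1: large tickets will be tried over UDP first"; rc=1; }
  realm_defined "$f" "$(libdefault "$f" default_realm)" ||
    { echo "default_realm has no [realms] block"; rc=1; }
  missing=$(undefined_realms "$f")
  [ -z "$missing" ] ||
    { echo "realms used in [domain_realm] but not defined in [realms]:" $missing; rc=1; }
  return $rc
}

# Usage: write_sample_krb5 /tmp/krb5.ini && check_krb5 /tmp/krb5.ini
```

Run check_krb5 against the krb5.ini that WebSphere actually loads (the path set in the Kerberos configuration panel), not against a copy: a realm that is referenced in [domain_realm] but missing from [realms] is the typical cause of "cannot locate KDC" errors in a forest with child domains.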

Below are the screens of the Kerberos / SPNEGO WebSphere settings.


In step 5 you should add the generic property inside the properties tag. In my environment I experienced some problems, but more investigation is required about this generic property:

- <genericProperty name="shindig.config.container.overrides">

By default in Connections 5 there is already a generic property "shindig overrides" in the properties section, and if you follow the wiki the result is something like this:

We experienced some problems with this configuration because the first property seems to be overwritten by the second. To avoid any strange issue we merged the two properties into a single one.

Now the Kerberos / SPNEGO configuration is complete.

CONFIGURE THE AUTODISCOVERY SERVLET

The autodiscovery servlet is used to discover the mail server that hosts the user's mail file; Exchange has its own Autodiscover service that provides this information. The wiki link below has all the information about the autodiscovery configuration:

- http://www-01.ibm.com/support/knowledgecenter/SSVMJU_1.6.0/icm_discovery.dita

The first step, described in section 2.A, says to ask the administrator for the certificate; alternatively the certificate can be exported manually from the browser. The screens below show an export of the IBM SSL certificate; the steps are the same for Exchange. Whatever the source, compare the fingerprint of the CA certificate you are about to trust with the one published by your PKI team before importing it: the browser shows whatever chain it was presented with.


CERTIFICATE EXPORT

Click on the padlock icon, then click on "View certificates".

Click on "Certification Path".


Export the certificate authority and the intermediate certificate (the first and the second certificate in the path).

CA export: select the first certificate and click "View certificate".

Check in the new window that the certification path contains only the CA certificate.


Now we export the CA.

In the last screen press Finish to complete the export of the CA certificate and close the CA window.


The same steps are used for the intermediate certificate; the important thing is to select the second certificate under the certification path in the first window.

After clicking "View certificate", apply the same steps to export the intermediate certificate.

At this point we need to import these certificates into the WebSphere cacerts keystore with the keytool utility.

IMPORT THE SSL CERTIFICATE IN WEBSPHERE

The commands are described in section 2.b; below are the commands used:

    keytool -import -trustcacerts -file cacert.cer -alias exchange_cacert -keystore E:\IBM\WebSphere\AppServer\java\jre\lib\security\cacerts

    keytool -import -trustcacerts -file intermediate.cer -alias exchange_intermediatecert -keystore E:\IBM\WebSphere\AppServer\java\jre\lib\security\cacerts

The default password for the cacerts file is changeit; change it if it is still the default. Note that this cacerts file belongs to the WebSphere JRE, so it is replaced when the SDK is updated and the import has to be repeated afterwards.
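As an added example (these are not the document's own commands), the same chain can be obtained directly from the Exchange server with openssl instead of clicking through the browser, split into one file per certificate, reviewed, and imported with keytool. The host name mail.example.com, the keystore path and the aliases are placeholders.

```shell
#!/bin/sh
# Added example, not part of the original document: obtain the chain the
# Exchange server presents with openssl, split it into one file per
# certificate, review each one, and import the CA and intermediate into the
# WebSphere JRE cacerts. Host name, keystore path and aliases are placeholders.

EXCHANGE_HOST="${EXCHANGE_HOST:-mail.example.com}"
CACERTS="${CACERTS:-E:/IBM/WebSphere/AppServer/java/jre/lib/security/cacerts}"
STOREPASS="${STOREPASS:-changeit}"   # the shipped default; change it after the import

# Save every certificate the server sends during the TLS handshake to $2 (PEM).
# Needs network access to $1:443.
fetch_chain() {
  openssl s_client -connect "$1:443" -servername "$1" -showcerts </dev/null 2>/dev/null |
    sed -n '/-----BEGIN CERTIFICATE-----/,/-----END CERTIFICATE-----/p' > "$2"
}

# Split PEM file $1 into $2/cert-0.pem, $2/cert-1.pem, ... and print the count.
# cert-0 is the server (leaf) certificate; the others are its issuers, in order.
split_chain() {
  mkdir -p "$2"
  awk -v dir="$2" '
    /-----BEGIN CERTIFICATE-----/ { out = dir "/cert-" (n + 0) ".pem"; n++ }
    out != ""                     { print > out }
    /-----END CERTIFICATE-----/   { close(out); out = "" }
    END                           { print n + 0 }
  ' "$1"
}

# Subject, issuer and SHA-256 fingerprint of a PEM certificate, to be compared
# with what the PKI team publishes before anything is trusted.
describe_cert() {
  openssl x509 -in "$1" -noout -subject -issuer -fingerprint -sha256
}

# Import $1 as a trusted certificate under alias $2 (keytool refuses duplicates).
import_trusted() {
  keytool -importcert -noprompt -trustcacerts -file "$1" -alias "$2" \
          -keystore "$CACERTS" -storepass "$STOREPASS"
}

# Exit 0 if alias $1 is present in the keystore.
alias_present() {
  keytool -list -keystore "$CACERTS" -storepass "$STOREPASS" -alias "$1" >/dev/null 2>&1
}

# Typical run (needs network access and keytool, so it is not executed here):
#   fetch_chain "$EXCHANGE_HOST" chain.pem
#   split_chain chain.pem certs                     # prints the number of certificates
#   for c in certs/cert-*.pem; do describe_cert "$c"; done
#   import_trusted certs/cert-1.pem exchange_intermediatecert
#   import_trusted certs/cert-2.pem exchange_cacert  # only if the root was sent
#   alias_present exchange_cacert && echo "root CA trusted"
```

With -showcerts the server usually sends the leaf and the intermediate but not the root, so cert-2.pem may not exist and the root CA certificate then has to come from the PKI team. Compare the fingerprints printed by describe_cert with theirs before importing, and import only the issuers, never the leaf: trusting the leaf directly breaks silently when the Exchange certificate is renewed.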


CONFIGURE socialmail-discovery-config.xml

In wiki steps 3 and 4 you copy socialmail-discovery-config-template.xml from the ConnectionsMail folder into the Dmgr folder as socialmail-discovery-config.xml:

- WAS-root/AppServer/profiles/Dmgr01/config/cells/cell-name/LotusConnections-config

Steps 5 and 6 describe the options; the image below shows an example configuration.


TROUBLESHOOTING

The IBM Connections Mail plugin is an OpenSocial gadget running in the Apache Shindig widget container. In IBM Connections the Apache Shindig implementation is contained in WidgetContainer.ear, installed on the InfraCluster server.

The mustgather link is:

- http://www-01.ibm.com/support/docview.wss?uid=swg21677101

All WebSphere traces must be set on the server where WidgetContainer.ear is located.

WIDGET ARCHITECTURE


SERVER SIDE

The IBM Connections Mail OpenSocial gadget uses a dedicated Ajax proxy named CREAjaxProxy. This proxy sends all backend calls to the Exchange EWS web service; for example, the HTTPS POST carrying the delegated credential is sent through CREAjaxProxy to the Exchange mail server.

The discovery servlet is registered as an extension point via OSGi in the Widget Container application.

BROWSER SIDE

On the browser side all Ajax calls go through the makeRequest servlet (the Apache Shindig implementation of gadgets.io.makeRequest). The response of this call is JSON that includes the backend HTTP response code (rc=401, for example).

AUTHENTICATION FLOW

This image shows all the network calls made to fetch the user's email from Exchange.


ADDITIONAL TRACE

To track all requests related to:

- the widget container (CREAjaxProxy)

- Kerberos delegation / SPNEGO

you must add the trace strings and JVM properties shown below on the server where the WidgetContainer.ear application is located.


GATHERING TRACE AND DEBUG INFORMATION

Before starting you need the following:

- A domain computer with Wireshark and Fiddler installed

- If the domain computer is a Windows 7 machine, check that the klist command is available at the command prompt; otherwise install the Windows resource kit

- Wireshark installed on the Connections server if it runs Windows, or tcpdump with the -s0 parameter to capture the full payload on Linux

- Trace enabled on the InfraCluster server; test the mail widget from the Homepage application, because it is in the same cluster as the WidgetContainer application

1. Verify the browser settings for SPNEGO authentication

http://www-01.ibm.com/support/knowledgecenter/SSAW57_8.5.5/com.ibm.websphere.nd.doc/ae/tsec_SPNEGO_configweb_new.html?cp=SSAW57_8.5.5%2F1-3-0-21-3-0

2. Clear the cached Kerberos tickets with klist (klist purge)

3. Start Fiddler and Wireshark on the domain computer and Wireshark on the server


4. On the domain computer apply this filter

5. On the Connections server apply this filter

6. Check the four Kerberos requests in the Wireshark capture on the domain computer

7. Check in Fiddler that the requests to the discovery servlet and to the makeRequest servlet get the right response


The field rc is the HTTP response code; if you get HTTP 401 you are not authorized and the delegation process does not work properly.

8. Check in the logs whether there are problems decrypting the Kerberos ticket

9. Check that the GSSCredential is read correctly

10. Check that the delegation process works correctly


11. Check that CREAjaxProxy contacts the Exchange EWS web service correctly

HTTP 400 ISSUE (negotiation header too long)

When trying to log in to Connections automatically, some users receive a white page with HTTP error 400. If the Fiddler trace shows a "header is too long" error inside the HTML response, you need to increase the maximum header size on all HTTP servers. This error does not affect all users: in my case all users with ten or more groups in Active Directory got the HTTP 400 error, and when the groups became nine the SPNEGO authentication worked. This happens because the Authorization: Negotiate header carries the Kerberos service ticket and, since delegation is enabled, the forwarded TGT; each of them embeds the Microsoft privilege attribute certificate (PAC), which contains several logical components, including group membership data for authorization, alternate credentials for non-Kerberos authentication protocols, and policy control information supporting interactive logon. The header therefore grows with the number of groups the user belongs to. To increase the header size put this Apache directive inside the virtual host:

- LimitRequestFieldSize 12392

The directive is documented at http://httpd.apache.org/docs/2.2/mod/core.html; its default is 8190 bytes, which is what the users above exceeded. The image below shows an example configuration.
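As an added example (not from the original document), the shell functions below compute the size of the Authorization header for a given SPNEGO token, as copied from a Fiddler or Wireshark trace, and compare it with the LimitRequestFieldSize found in an httpd.conf fragment. The token produced by fake_token is constructed, so the sizes only illustrate the arithmetic.

```shell
#!/bin/sh
# Added example, not part of the original document: measure the request header
# that carries the SPNEGO token and compare it with the LimitRequestFieldSize
# that Apache / IBM HTTP Server applies. fake_token builds a placeholder token
# of a chosen length; it is not a real ticket.

APACHE_DEFAULT_LIMIT=8190   # LimitRequestFieldSize when the directive is absent

# Byte length of the full header line "Authorization: Negotiate <token>".
negotiate_header_length() {   # $1 = base64 token
  printf 'Authorization: Negotiate %s' "$1" | wc -c | tr -d ' '
}

# Approximate decoded size of the base64 token, i.e. the GSS-API token itself
# (the size that the Windows MaxTokenSize setting refers to).
token_bytes() {   # $1 = base64 token
  echo $(( ${#1} * 3 / 4 ))
}

# LimitRequestFieldSize configured in httpd.conf fragment $1 (last one wins),
# or the compiled-in default when the directive is not present.
configured_limit() {
  v=$(awk 'tolower($1) == "limitrequestfieldsize" { v = $2 } END { print v }' "$1")
  echo "${v:-$APACHE_DEFAULT_LIMIT}"
}

# Exit 0 if the header fits the limit, 1 if Apache would answer 400 Bad Request.
header_fits() {   # $1 = token, $2 = httpd.conf fragment
  [ "$(negotiate_header_length "$1")" -le "$(configured_limit "$2")" ]
}

# A base64-looking token of exactly $1 characters (constructed, for sizing only).
fake_token() {
  awk -v n="$1" 'BEGIN {
    s = "QUJDREVGR0hJSktMTU5PUFFSU1RVVldYWVo0MTIzNDU2Nzg5";
    while (length(out) < n) out = out s;
    print substr(out, 1, n)
  }'
}

# Example: a 9000 character token gives a 9025 byte header, which exceeds the
# 8190 default but fits after "LimitRequestFieldSize 12392" is added.
#   conf=httpd.conf; echo 'LimitRequestFieldSize 12392' >> "$conf"
#   header_fits "$(fake_token 9000)" "$conf" && echo fits
```

Paste the real base64 value from the Fiddler trace in place of fake_token to see how far a failing user's header is over the limit. The decoded size reported by token_bytes grows with each group SID in the PAC, and roughly doubles when delegation adds the forwarded TGT, which is why the failures appeared at a specific number of groups.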


DELEGATION DOESN'T WORK ONLY IN CHROME

As in Firefox, in Chrome you must enable Kerberos delegation explicitly for the mail plugin to be fully functional. Follow the link below to enable it through the AuthNegotiateDelegateWhitelist policy, and list only the Connections host names: every server on that list can obtain the user's forwarded TGT and act as that user.

- https://dev.chromium.org/administrators/policy-list-3#AuthNegotiateDelegateWhitelist