Social Business strategist, podcaster, blogger, founder of Social Connections and conference speaker
They told us at Connect that IBM Connections 6.0 would be made available in Q1, and here’s the announcement that they’ll be sneaking it across the line on the 31st March…
IBM yesterday published a press release previewing the headline features of the upcoming new on-premises release of Connections, Connections 6. I take a look at some of the headline features, and then pick out one specific enhancement that will make a huge difference for community managers!
IBM Connect 2017 takes place later this month in San Francisco, and the last-minute push to increase attendance is already underway. I’m a big fan of the new venue, and the shift from Florida to California, and so really hope that the event is a huge success.
One of the interesting aspects of the registration push has been the unveiling of some information that previously being kept relatively quiet – if not under NDA, certainly out of the limelight
Unfortunately I’ve just missed the actual anniversary, but I thought it worth celebrating that this week marks a decade since the announcement (on 22nd January 2007) of two products that have had an immense impact on my working life, Lotus IBM Connections and Lotus Quickr.
Like many long-time IBM Connections Cloud users, my muscle memory was to access the site via the lotuslive.com URL (the longest-lasting of the few brands that service has had over the years).
Sadly IBM has now retired this, and so collabserv.com seems to be the way to go (you may remember that my thoughts on that domain have never been particularly positive). This is what you get when you arrive there – see the screenshot for full context:
Maintenance Window
In order to continue providing you quality service, we will be performing planned maintenance to the IBM Connections Cloud services on the following schedule
Now I’m not arguing that IBM doesn’t need to tell users (or at least organisation administrators) that there will be potential downtime in the near future, but it seems very curious to make this the ‘front and centre’ experience that all users see when going to the most obvious service URL. It appears to accentuate the fact that this isn’t an ‘always on’ service, and is something that I cannot imagine Google or Microsoft doing on their primary customer-facing home page for a paid service.
What makes this even more odd is that when the user then clicks on ‘Sign In’ to actually access their Connections Cloud account, they get a pop up that reads as follows (again, see the screenshot for context):
Leaving the IBM Web site
You are now leaving the IBM Web site. IBM makes no representations or warranties about any other Web site which you may access through this one. When you access non-IBM Web sites, even though they might contain the IBM logo and content regarding IBM’s products and services, such Web sites are independent of IBM and IBM has no control over the operation of non-IBM Web sites. In addition, a link to a non-IBM Web site does not mean that IBM endorses that Web site or has any responsibility for the use of such Web site.
Yep, you can’t make this up. This message actually suggests that the login to a customer’s paid Connections Cloud account is in some way untrustworthy. Again, hardly inspiring confidence in the service…
Now, I know there might be a better, more specific URL to use to login (Most likely https://apps.na.collabserv.com/), and some larger customers may have vanity URLs for their own Connections Cloud service. However, for the majority of accounts, including those new to the service, this is not a great customer experience.
Am I missing something? Is there a better route into Connections Cloud for the uninitiated?
Either way, I see no reason why this experience shouldn’t be improved for those that hit that collabserv.com URL themselves.
Lately we have heard a lot of POODLE I have already blogged about it twice here and here at ibmconnections.com. But there is much more to tell about it so that the reason I am creating this article.
Nowadays when we talk about POODLE we have to specify which one (to make things easier 🙂 ). Nowadays we have POODLE SSLv3 and POODLE TLS. The one we call POODLE SSLv3 bites IBM Connections the most but POODLE TLS is easier to exploit. So for environments which are connected to the internet I advise you to be sure that both variants of POODLE are not exploitable at your implementation.
I will try to describe both variants in detail and how it/they can be solved. Lets first start with POODLE SSL v3
POODLE SSLv3
The news about this first POODLE exploit was brought to the world as a major problem while in fact the problem wasn’t that big if you ask me. The problem itself was there where still site’s out there who did support SSLv3. SSLv3 has shown in the past that it isn’t sufficient anymore as a secure protocol. I will try to describe why I think it wasn’t really such big news as it was brought by all news agencies. Normally when a clients connect to a server the clients tells the server the highest secure protocol it supports (this is what is generally is called the ClientHello package). Within this ClientHello package the clients also send also all cipher suites (these cipher suites are the real data encryption packages) it supports for that version of SSL/TLS. The server then responds with 3 things ServerHello and Certificate and ServerHelloDone messages. Within the ServerHello message the server will send the protocol it is gonna use. This is decided on the protocol version send in the ClientHello message and the highest version the server supports. So for the real world (which is kind of dependent on browser behavior and version) this means in general that TLS1.2 is used. But with the POODLE SSLv3 bug if both parties supported SSLv3 it was possible by the attacking code to force the connection down from TLS1.2 to SSLv3 (with all the intermediate protocols because you can always fall back only one version at a time). So when this happens a user would still see it has a secure connection but it is over SSLv3 (and not the most sucre possible way between server and client as they bot did support TLSv1.2). The cipher suites used in SSLv3 are all general seen as insecure (only RC4 seems to be the most secure one) and fairly easy to decrypt unintentionally. So as you can see POODLE SSLv3 wasn’t the real problem if you ask me ! but that the server (and or client) still supported SSLv3 was the real problem :-). I added a screenshot to show how that traffic flows between the client and the server so you have and idea what happens on the network to build a SSL/TLS connection.
With IBM Connections we always had to enable the HTTP server with SSLv3 because the code within IBM Connections was still making use of SSLv3 calls to itself. The reason for that is that in the code they made use for example with code like this SSLContext.getInstance(“SSL”). Within the IBM JDK JSSE interface this SSL Keyword translated to make use of SSLv3. This was basically a combination of 2 problems , one that they still used a bit of outdated code within IBM Connections binaries , and also of the JSSE implementation in the IBM JDK that the keyword SSL still translated to make use of SSLv3. As said and stated by me, SSLV3 shouldn’t be used already for many years if you ask me 🙂
Well for IBM Connections we have a solution now (luckily) I will talk about that a bit later in the article.
POODLE TLS
The original attacking method of POODLE was made so that they made use of the padding bytes. Within SSLv3 nobody (wel thats a assumption) did a check on those padding bytes. Within the TLS specification it is specified to check on those padding bytes but most of the implementations out there didn’t do that (which makes the officially incompatible with the TLS’s RFC’s but okay 🙂 ) . So that makes TLS connections which make use of CBC cipher’s also vulnerable when they don’t check those padding bytes (and the funny thing about this is that most of the devs creating these encrypting/decrypting libararies still used the old functions/implementations within their code base which didn’t check those padding bytes). The IBM HTTP Server (IHS) which makes use of gskit for the data encrypting/decrypting part functionality of the SSL/TLS implementation where the rest of the world makes use of OpenSSL. So in the case of the IBM World we need to make sure if the CBC encrypting/decrypting routine checks on those padding bytes. Well I can tell you that older version of those gskit didn’t do that and are vulnerable to those POODLE on TLS attacks also.
But also for that there is a solution where I talk about a bit later in this article.
Solution POODLE SSLv3
Well as explained above there are 2 ways how this could have been solved. IBM did choose to fix it on the IBM JDK side instead of the original problem, the code itself. To solve it on the IBM JDK side we have to install a Interim Fix on top of WebSphere which updates the IBM JDK so that the SSL Keyword doesn’t force a SSLv3 connection anymore but a TLS connection. For the different IBM Connections version I will list the Interim Fixes needed.
For IBM Connections 3.0.1 and 3.0.1.1 and 4 you have to apply iFix PI28934
For IBM Connections 4.5 you have to apply PI29575
For IBM Connections 5.0 you have to apply PI28920 or PI28437
The strange thing is that for IBM Connections 5 (which is running on WebSphere 8.5.5.x) we have 2 iFixes available. Personally I have tried to use PI28920 and couldn’t get that iFix to work but I got some reaction from IBM Connections community (for instance from Klaus Bild) that they where able to use to iFix to get SSLv3 switched off. I personally have used PI28437 several times now with success. PI28437 (SDK6 (J9 2.6) SR8 FP1) also installs a newer version of the JAVA SDK then the PI28920 (SDK6 (J9 2.6) SR7 FP1) so my advice is to make use of the PI28437 iFix instead of the PI28920
After you have installed this iFix you can safely disable SSLv3 on your IHS (IBM HTTP Server). This can be done with the SSLProtocolDisable SSLv3 in your vHost configuration part of the config file(default httpd.conf) for your IHS.
Solution POODLE TLS
As described above also the gskit implementation has some problems regarding the checking of the padding bytes. To tell the gskit implementation that we want a strict checking on those padding bytes we have to add the following setting
SSLAttributeSet 471 1 to the config file (default httpd.conf) to all VHOST sections which have SSLEnable in them. This setting can only be applied to the following IHS versions.
For other release version which can not be upgraded, for whatever reason, to the above specified versions you can install any of the following iFixes as what I understood from this technote to make use of this SSLAttributeSet 471 1 setting.
So I hope this makes everthing a bit more clear in the POODLE jungle out there 🙂
If you have any addition to this story please let me know so I will update the article.
This is terrific – a BBC Click article discussing how IBM is help local education institutions to evaluate the use of social platforms and analytics to assist students to learn:
IT company IBM and Brockenhurst College in the UK have created a private social network to help give staff a better understanding of their students and tailor lessons to them.
Students can use the system to find out more information about their course, watch videos and chat with others at a sister college in China.
The network can also monitor social media – with consent – to see if students might be underperforming or struggling.
The solution features IBM Connections.
Check the BBC article to view a short overview video (hopefully available worldwide), those in the UK can watch the full programme.
Michael Sampson has just published the results of this year’s IBM Connections usage survey: 
A couple of months ago I kicked off a global survey on the use and adoption of IBM Connections. The survey garnered 58 valid responses, and the results are finally available.
They are really fascinating results and statistics, and it’s going to take a while to digest them!
You can download the report directly from Michael’s site.
Last 2 days (13 & 14 November) the most important User Group for the IBM Connections world has been held in Stockholm in Sweden called “Social Connections”. I attended this event and it was a perfectly organized event once again ! On this event I meet several people who have asked me the following question,
Can I easily change the place where are my files get stored by IBM Connections.
What the questioner’s mean with this question is the so called shared data drive within IBM Connections.
The Answer to this question is YES. But the documentation isn’t really completely clear about it. For all the basic applications being delivered with IBM Connections it can be quite easily be solved and that’s by just renaming the directory and then update the WebSphere variables which where pointing to the old directory (there are lots so closely look you get them all !). and you should be finished for the basic IBM Connections applications.
For CCM (Connections Content Manager) its a bit different. CCM is based on IBM FileNet and the storage path of FileNet is actually being configured within FileNet itself. Within IBM FileNet you have a configuration item called “FileNet P8 domains” within the CCM implementation this domain is called “ICDomain”. So we have to go to the ACCE console (Administration Console for Content Platform Engine) you can access this console on the address https://<FQHN>/acce and you have to login with your connections admin user ID. With this admin application you have to click on the “ICDomain” and the Click on the category “Object Stores” and the click the IBM Connections specific called objectstore called “ICObjectStore”. It will open an extra TAB now with all the configuration items for the ObjectStore which is specific for IBM Connections. Within the configuartion of the ObjectStore click on the category “Administrative” and then “”Storage Areas”. Here you have a configuration item called “Root directory path” which points to the directory which is the root for the IBM Connections ObjectStore. Change that property value to the new directory where you want to store the data and stop and start the FileNet environment. Now you should be able to download your old documents again from your libraries within IBM Connections.
Please let me know if this was of any value for you as reader.
So after exploring the reasons why users still send e-mail (part 1) and trying to analyse the reasons why people have not changed their ways and how products have not helped the people either (part 2). In this third and last part of the essay present six idea’s to fix the fact that people don’t just change easily. The ideas explored are technology driven idea’s that will help users to change habits effortlessly.
Let’s innovate to close the gap now…
Finally, it’s time to present the six ideas that I think we need to fix the problem. Let try to close the gap between the future state and the current situation. The gap currently lacking typically in siloed products and inter-vendor integrations. Because let’s be honest there is no such digital space that is “perfect” but we can try and bridge that gap for end-users by iterating now.
Warning: The ideas are described using an end-user perspective. Not worrying about products limits or feature lack. They just describe what we need to close that gap.
Idea 1: Stop sending me attachments…
So the most common task that people do to collaborate is to send each other files. Of course we want them to use Connections Files. But the practical situation is that people don’t change their ways and still use attachments. So instead of trying to change the people, let’s just change the behavior of the mail client to help the end user. Every time a user clicks the “paperclip” to attach a file to a e-mail, the file attachment gets uploaded to Connections Files (or even just pick a file from his personal files). The user does not worry about “rights” to the file, so instead all receivers get access to the file automagically.
To make the user experience as seamless as possible we mimic the principle of sending an e-mail with a file attachment as closely as possible. So this means, if a file is attached, then the file is upload to Connections Files and a link is inserted into the mail instead. All recipients of the mail should automatically have access in editor mode to the attached file (no matter if that’s to, cc or bcc).
If an e-mail is sent outside the company’s boundaries, then the mail client (or infrastructure) will detect that and it should insert a unique link so that receiving users can fetch the file from the Connections Files implementation. By using unique links for each external recipient you can later on even see how picked up the file and who did not. The unique link to the shared file makes so that it can be fetched WITHOUT the need to login. This way to the sending and receiving users its the same as sending an attachment through e-mail.
Dialogue should be kept to an absolute minimum. All files that are attached this way are put in a separate folder, called “Attached Files” or something like that. So users can later see what files they have sent to others, separate from My Files.
Ps. if you think that the Connections Mail plugin actually already did this, you are wrong. It’s broken, a link is inserted, but the “rights” to the file need to be modified manually. So users get frustrated and stop using it 🙁
Any incoming email is automatically analyzed and attachments will be turned into links on the boundary. Files are automatically uploaded to the Connections Files repository. Users that receive the e-mail within the company’s firewall will get an email with links to the Files in the Connections Files repository. Stop sending me attachments remember. All receivers of the me-ail will be owners of the file, since the mail was sent to them, they own the file.
All files are always put in a user folder, called “Attached Files”.
Currently if you have links to files in emails most people will launch a word processing client that uses the web http links to fetch the file and open it. This causes a very bad user-experience for the end user. There is no seamless integration between Office and documents stored in Connections Files. The idea is to change the behavior of the workplace. So that if the e-mail client opens a Web link that points to a “file” in the Connections Files repository. It always opens through the “Connections Desktop Connector” seamless for the user. When the users is done he can simply save the file back to the “Storage locations”. The result will be a more seamless experience. This would be a way better experience than through the http Web interface which is scaring people away.
So in the real world of mixed environments we live in, we will have files in e-mail and links in e-mail files. But people want to have order. Add stuff to folders. With CCM (Quickr) and Notes Connections Files Sidebar plugins you can drag and drop files in nested folders. This helps people a lot to organize. They still want to move their files around and order them. Users want to put attachments into folders (Files) or even nested folders (CCM). From the Notes client it should be possible to drag and drop files into folders or CCM folders. AND a links should be left behind in the e-mails (when removing attachments from mail).
So users can find the file that was moved out of the e-mail. And in cases where files are still attached (old school) to e-mail it can seamlessly be moved into the folder, a link is inserted in the mail object, and the attachments are removed from the e-mail object itself. In all scenarios links are inserted, so a user can later read his e-mail and find the file that way (never forget: old habits die hard).
When a user forwards a e-mail with attachment(s) then the mail client should simply re-share the file using the Connections API, this way an user can even track the sharing of his file. The true power of sharing is knowing who files are shared with, even when mails are forward outside the IBM platform you could still track the fact that mail is shared. An user can also track the downloads of his file that was sent to external users this way, even have policies disabling the downloads.
So the most radical idea is to not “fix” something that is fundamentally broken, the whole idea of attachments is about sending documents around through a communication channel is flawed. At the time of inception there was nothing better around. So way back it made sense to send e-mails with attachment(s). So even though idea #1 fixes the way of sharing a document by putting it in a centralized place we should make users even think more. Remember the title: Stop sending me attachments!
Why not simply remove the option to “send” files or links? Just remove the option. That way people have to think again about how to communicate with others. Finally they might start to consider the sharing of documents by themselves. Put knowledge in a wiki or write up a report as a blog and share it more openly, instead of sending tasks via e-mail. People just might start using Activities to get their jobs done and communicate tasks with others, instead of dropping an e-mail that needs decoding by the receiver (bad habits die hard).
If the future state is a more holistic view on collaboration platforms, then ESN and e-mail should just melt and become a purposeful platform. You should be able to reply from within an e-mail (on any e-mail client) and the ecosystem should just make sure your “response” is put in the right place (a comment field, a reply to a status update, etc.).
So why this now? The future is bright, but is it not always that bright? Would we want to go forward if the future was bad? So I am a realistic optimist, we need to start to iterate. To take baby steps. It’s not just tools, it is also about people who need to change, too. But that takes time. In the mean time, it should become easier to collaborate. It should be a goal to break the unnatural boundaries of the current products out in the marketplace (and yes, I dream of looking beyond the “one” supplier). The current boundaries make it hard to see how this will end up.
So let’s make an effort to fix what can be fixed first, and in that try to walk toward the future state where people work effortlessly in a purposeful way and get the things done they need to get done in the most efficient way possible.
So there are many reasons why people have their habits (part 1), not least in the product they use in their daily work life. So in part 2 I will explore the technology angle and look for causes why tools are the way they are and why a seamless integrated platform is harder then it looks.
So while this is happening the quasi religious war is being fought. People are searching for purposeful ways to work. Can we make tools that help them to just be more collaborative? Can we make it so that people don’t need to change habits? That culture can adapt to the new ways? Can the tools facilitate the old habits and ways? And at the same time, create a simple cross over to the new and more efficient ways of working?
So let’s start with some simple facts:
In case of IBM Connections and IBM Notes this is clearly the case. But that’s not unique in the marketplace, by the way! Products have been dealt with by different groups. Notes is a 25 year old product and on the other hand Connections is just 7 years old (ok, the roots of the products can be traced to internal projects, but still). So it’s not weird that the products have their own ways and create their own habits. And believe me e-mail is not dead, not by a long shot. So over time other mail clients appeared in the marketplace, like Gmail, Yahoo Mail, Hotmail and Apple Mail. All in all THE most common way to collaborate is through e-mail and documents. For both within organizations and beyond, it’s simply the least common denominator in most cases. Collaboration based on e-mail has run into many issues over the years and fixed them. The standards lack precision so there are issues between technology implementations. e-Mail is still not secure from end user to end user after 25 years+. Attachments get bounced because of size. Calendar items are handled differently by everyone. This causes lots of problems in everyday worklife. Who has not dealt with calendar problems, file size issues (it’s just too big) and security worries (viruses and unencrypted mail traffic)?
That said, e-mail is still one of the best use cases of product evolution. Some e-mail clients have added features on top of features for many years now. They have become truly amazing information processing products. Integrated with calendaring, task management and contacts databases.
But lets go back a step. In the last 10 or so years we have seen the arrival of new collaboration solutions that augment e-mail and are “more” social. They create places where people can work on documents online, co-create and share knowledge with others. And yet, these new products do not integrate well (not being by the same father or even the same family). At best “notifications” are sent into the old-and-trusted mailbox of the user. The notifications try to get them to come over to the more collaborative space where they can collaborate on a document. But the products are still siloed, each having their own space. It’s the innovator dilemma happening in real life, since the old products still make money and people are used to them. While the new products have not disrupted the marketplace enough to truly replace e-mail at this point. This causes the situation where their is a multitude of solutions to for users to choose from on how to collaborate.
The e-mail client is changing, hopefully for the better. At least that is what the signs in the marketplace is, Microsoft, Google and IBM are all looking for better ways of doing e-mail. IBM has a project called Mail.Next… Google is working on the next generation Inbox. So everyone in the marketplace is trying to reinvent e-mail. No believe me, the future is upon us. So why worry? All the issues will be fixed in the Cloud Service or Startup Innovation or New App or the Next version of the same product…
Somehow we (=enterprise users) feel left behind. The on-premise customers. Even when there is a product release. We work and slave for another 9-12 months before we can help our end users to make a next step. In reality of our workplace it will take another 2 years before we can reap the benefits of the IBM Mail.Next initiative. And even Google is cautious to just replace their old and trusted Gmail product with the new Inbox, so this innovator of cloud is not moving as fast as you might expect.
So what do we as users want? We want to see evolution in small steps and at a faster pace. While the products are being reinvented, we want to see the the gaps closed now in anticipation of the future convergence of products into “collaboration platforms” that can support purposeful collaboration and do actually integrate seamlessly over product and vendor boundaries.
In the last part I will present ideas that try to innovate and iterate the products and platforms use to get our job done. Ideas that make technology help users to change habits in an effortless way.
Before I begin, let’s first introduce myself. My name is Robert van den Breemen. I am working as an Enterprise IT Architect for over 15 years in a large Dutch government department. I am passionate about technology and the effect it has on the way people work. As the lead in the Digital Workspace Initiative that tries to enable users to do their work in a modern way I have seen and experienced first hand what technology-enablement means and how resistant people and organizations are to change. That leads me to exploration of the causes and present some ideas for improvements that will hopefully inspire change in technology. Simply because there is bright future ahead of us.
In this essay (in three parts) I am going to explore the topic by creating a context and give my analysis of the situation. I will paint a picture of the reasons why people are not as efficient as they could be. I will explore what is probably going on in large enterprises. Which finally leads me to some new ideas why seamless cross integration of products is way more important than tons of new features in product and platforms.
So one of the use cases that seems to be ignored in the collaboration space is the fact that sharing files and documents is done through e-mail as often as before. Even though Connections Files is a great way to share Files and Documents around it’s not done as much as you would expect. So let’s look at the root causes of this problem and why do people not change their behavior.
Some causes that we have seen within our deployment of Notes and Connections:
When you ask adoption consultants what the problem is most of them will tell you that it’s a training and habit problem. So you just need to educate people more, teach them where to do their tasks more efficiently and how to collaborate more efficiently. Thus the movement of “Zero eMail”. But lots of tasks still happen in e-mail and people just have plain bad habits. But to be honest, the tools to communicate and collaborate don’t help you… In the last 5 years we have seen more and more options to collaborate to work differently. And yes, we just gave people yet another option to worry about, we added a channel, we called it a “social platform” (Connections). So basically we just added one more channel to their daily work habits. What do you think, did that help? It depends, it all depends on who you ask.
There are the true believers. We call them evangelists. People who truly believe that the way to go is to leave email behind and start working as a connected company. They will tell you that email is inefficient and that you have to change your ways. They show you convincing examples of how to change your ways. They create the 7 habits of highly effective people without e-mail. And they are right, of course. In a way we can be more efficient by working in a more open and connected platform, where people collaborate more openly, where you work together online in real time on a document, instead 
of exchanging e-mails with individuals, fragmenting the discussions. You can involve your whole team, they can all see and comment on work items (aka documents). Thus you build on each other’s knowledge (like standing on the shoulders of giants). Clearly this is better. Its potential is clear. So people try. Some convert and will become believers as well. The believers will always try to work in the new way. Use the tools of their new beliefs. Even though it’s not always easy to follow along this path…
However in the meantime there are the haters too. They believe there is nothing wrong with their ways. They have worked this way for many many many years. Even though they can see some benefits in the way of the believers. They also see the flaws. They notice that the products are different. The ways of working are more open. You could easily see flaws. People make mistakes. So it boils down that these people resist. And start hating what the believers are telling them. They will resist the change that is happening. At every chance they will point out the flaws in the new way of working and the new tools. Some even believe that it might work, but point out that there is a whole other religion. It’s similar but another church and their ways and tools are just more appealing. They work better, smoother and have been around just as long. And that church copies some of the features, but improves upon them.
The truth is that the majority of people within an enterprise is caught somewhere in between the lines. They yet don’t see the benefits of the new ways of working and don’t understand the new tools. In fact, they just need to get their work done and want to get out of the office in time. They are just overwhelmed with the all the new functions and old options they are used to. They don’t want to change, it’s working just fine. They just want to be productive and get their work done. Of course they want to collaborate. Most work in teams anyway, so they have worked that way, right? Over the years the tools keep changing over and over again. And the collaboration is done by groups of people. So even if the individual believes there are better ways, there is still the bigger group that needs to change their ways. In the mean time the world is changing in an increasingly faster pace, with mobile and cloud introducing new options daily, it seems.
So this is the context of most enterprise organizations that have started down the route to become a more social or a more connected enterprise. Some start with a clear vision of a more collaborative future of the work environment, where people can collaborate seamlessly with others, where leadership recognizes that they need to differentiate themselves from their competitors. There are different strategies to reach those goals of course. But as we all know culture eats strategy for lunch. In large organizations it is very hard to change culture . Strong leadership is needed. But even if you have strong leadership and a great vision of the future, even if that’s there that’s not a recipient for success. Why? Well leadership changes. The change of culture is difficult. The payoff takes a while. Value is not immediately apparent. People resist change. And tools are flawed. But, but, but, in time this will all be fixed. If we just switch to a tool that works? Or it will work the tools will become better and work seamlessly. Tools are simple to change, it is just the technology. And then people will see the benefit in the end and start working differently. And while this is all happening around us, people suffer. They are faced with an ever growing multitude of tools and choices. Choices they have to make. People have become the “integrators” between all the tools for their new way of working. And most enterprises fail to implement this better future effortlessly. Simply because you need long term leadership in place and that’s not the way most companies are built. It’s about short term and immediate return.
But what if we can incrementally change and grow slowly toward a better future? In the next part of this essay I will explore why products don’t help as much as they could…
*** UPDATE: 10:53GMT, 3 November 2014 ***
As reader Oliver Regelmann has commented below, these fixes are sadly not for the POODLE issue at all, but to fix an altogether different vulnerability in Connections, caused by a issue in Apache Commons FileUpload.
My fellow contributor, Sjaak Ursinus, created a detailed post a couple of weeks back detailing the impact that the POODLE vulnerability could have on your IBM Connections platform, and the steps required to code a route around the issue (though Sjaak himself noted that it wasn’t much of a workaround). If you haven’t heard of POODLE, then I suggest you go read Sjaak’s post now.
Just a few days ago, IBM Connections product manager Luis Benitez added a comment to the post linking to IBMs technote on the topic.
Since then, IBM has released a further update, and this post attempts to bring you the latest news on the issue.
Firstly, the vulnerability itself:
A security vulnerability was reported against Apache Commons FileUpload. IBM Connections uses Apache Commons FileUpload. A version of the package that is vulnerable to these issues is used in several past versions of IBM Connections. To fix this vulnerability apply the fixes as detailed in the Remediation section.
CVE-ID: CVE-2014-0050
Description: MultipartStream.java in Apache Commons FileUpload before 1.3.1, as used in Apache Tomcat, JBoss Web, and other products, allows remote attackers to cause a denial of service (infinite loop and CPU consumption) via a crafted Content-Type header that bypasses a loop’s intended exit conditions.
CVSS Base Score: 5.0
CVSS Temporal Score: See http://xforce.iss.net/xforce/xfdb/90987 for the current score
CVSS Environmental Score*: Undefined
CVSS Vector: (AV:N/AC:L/Au:N/C:N/I:N/A:P)
This vulnerability affects all versions of IBM Connections, including all releases under IBM support and maintenance, i.e. 5.0, 4.5, 4.0 and 3.0.1.1.
The good news is that IBM has released fixes for all these versions, including the somewhat ancient 3.0.1.1, which I think is pretty impressive:
Apply the appropriate fix pack or APAR to remediate these issues as per this table. Note, if possible, it is always recommended to upgrade to the most recent release of IBM Connections.
Product Version Remediation IBM Connections 5.0 Upgrade to IBM Connections 5.0 CR1 IBM Connections 4.5 Upgrade to IBM Connections 4.5 CR5 and apply Interim Fix APAR LO82478 IBM Connections 4.0 Upgrade to IBM Connections 4.0 CR4 and apply Interim Fix APAR LO82478 IBM Connections 3.0.1.1 Upgrade to IBM Connections 3.0.1.1 CR3 and apply Interim Fix APAR LO82478 IBM Connections 3.0.1 and earlier releases Either upgrade to IBM Connections 5.0 CR1 or upgrade to IBM Connections 3.0.1.1 CR3 , apply prerequisites and apply APAR LO82478
Whichever version of IBM Connections you run, my advice is that it really is imperative to get these fixes onto your systems as quickly as is reasonably possible – particularly if your Connections system is available to external access.
My good friend and esteemed analyst and author, Michael Sampson, is asking for feedback on your usage of IBM Connections:
I am running a research survey on how organizations are using IBM Connections. The survey has 17 questions, spread across four pages:
- Demographics and Current State of Connections
- Current and Forecasted Use of IBM Connections
- Upgrading to Connections 5.0
- Satisfaction, Value, and Next Steps
If you are decision-maker with reference to IBM Connections at your organization, please take the survey.
If you know people who are using IBM Connections at their organization, could you please forward them the link and ask them to take the survey?
Michael has run similar surveys previously, and the results have been very useful in terms of understanding the take-up of Connections across the world, and also the value derived at both the individual and the organisational level.
Please do take a few minutes to complete the survey – your input will be much appreciated!
Ovum Research ‘create tangible business advantage for our customers by providing actionable intelligence that can be relied upon in evaluating opportunities, benchmarking performance, and making better business-critical decisions.‘
In short, they research and analyse the IT industry, thus providing insight to their customers – usually commercial organisations looking to take strategic decisions on IT investments.
They’ve just published a new paper, entitled ‘SWOT Assessment: IBM Connections Version 5.0 and IBM SmartCloud Connections‘. In it they analyse IBM’s solutions in the Social Business area – Connections and SmartCloudConnections, covering the following:
[titled_box title = “Report contents”]Features and Benefits
Key Questions Answered
Sadly (though understandably) the report is only available to Ovum’s paying customers. However, if your organisation is currently evaluating whether to deploy either of these products, I have no doubt that this research piece could be very useful purchase…
When IBM Connections was first released, all patches to the on-premises code were released as iFixes – individual fix packages that could be installed and deinstalled individually. This was really flexible and allowed issues to be patched very quickly but also lead to very time-consuming patching processes and almost every system I visited had a different set of code updates installed. Not ideal!
For the past few versions, IBM has managed updates to Connections using Cumulative Refreshes (CRs). These packages consist of a set of cumulative fixes for each of IBM Connections applications. This is a much more manageable approach, with approximately one CR released each quarter to be installed, and single fixes available from IBM support should an issue be particularly serious.
The latest CR for IBM Connections 4.5 has just been released:
[titled_box title = “Cumulative Refresh 5 summary”]CR5 is a set of 20 fix packages, which update each application entirely. Please apply all 20 fix packages together. The CCM (Connections Content Management) package should only be installed on Connections environments which have Content Management configured. In addition to these 20 fix packages, there is a new TDISOL version released along with CR5, which can be installed on any 4.5 Connections environment. Please download TDISOL 4.5 2014-07-10 from Fix Central.CR5 uses the same version of the Update Installer as CR4, which is published in Fix Central under this link: 4.5.0.0-IC-Multi-UPDI-20131020
CR5 includes all fixes in CR1, CR2, CR3, and CR4, plus fixes LO74499 and LO74629, listed in this document. It also includes LO74571 for Connections Mail support. It is not necessary to apply these previous fixes if you are installing CR5. CR5 can also be applied on environments that have those fixes already applied.[/titled_box]
You can download IBM Connections 4.5 CR5 from Fix Central.
I just wanted to quickly recommend a couple of posts from Julius Schwarzweller at German IBM business partner, GIS AG.
He was quick to get hold of the new IBM Connections 5.0 release and has been working with it for the past few weeks. He’s been kind enough to document his findings on a couple of blog posts, My experiences with IBM Connections 5 and My Experiences with IBM Connections 5 – Part 2.
In part 1, Julius discusses some of the details of installation and of configuring the new External Communities functionality.
In part 2, he goes onto outline more of the features that have been added to the new release.
Well worth digesting if you’ll be looking to deploy Connections 5 in the near future!
I’ve just come across an IBM technote from May 2014 that has been updated over the last few days, listing details of a number of vulnerabilities in Apache Struts:
[titled_box title=”Vulnerability Details”]Several security vulnerabilities have been reported against Apache Struts through April 2014. IBM Connections uses Struts. A version of the package that is vulnerable to these issues is used in several past versions of IBM Connections. To fix these vulnerabilities apply the fixes as detailed in the Remediation section.The following versions of IBM Connections are impacted:
IBM Connections 5.0
IBM Connections 4.5
IBM Connections 4.0
IBM Connections 3.0.1.1 and earlier releases[/titled_box]
There are fixes for all the above mentioned versions of Connections. Here are the two most recent:
| IBM Connections 5.0 | Apply APAR LO80688 |
| IBM Connections 4.5 | Upgrade to IBM Connections 4.5 CR4 and apply Interim Fix APAR LO81215 |
I would definitely recommend getting these security fixes on ASAP, particularly if your IBM Connections platform is public-facing…
The powerful enhanced rich text editor for IBM Connections, Ephox EditLive, has just been updated to version 2.5.2.45 and is available from IBM FixCentral:
| 1. |
interim fix:Ephox EditLive 2.5.2.45 for IBM Connections 4.5.
|
Jul 19, 2014 |
|---|
Now bundled with IBM Connections for all organisations under active maintenance, Ephox adds significant value for users of the platform.
This video shows the solution in action:
[youtube url=”http://www.youtube.com/watch?v=iwXfYX79e_M” width=”600″]Whilst this power doesn’t come free of some administrative complexity, deployment of EditLive should definitely be a consideration in most Connections environments.
I first blogged about the IBM Connections QuickSearch plugin for Google Chrome three weeks ago. Back then it was at version 1.8.
Remarkably since then the author, Romain Lienard, has released four updated versions:
[titled_box title=”Changelog for IBM Connections QuickSearch”]V.2.2:
– New group feature !!!
– Can now post a message to the user’s board with @mention (using the new group feature)
– Can now share a File to a group of users. To unlock the “share this file” feature you have to be first on a webpage which is an IBM Connections File URL
V2.1:
– “share this URL” now works with communities (with typeahead)
V2.0:
– new “share this URL” feature
– UI bug fixes
V1.9:
– a context menu is now available. Just select some piece of text within any webpage, then right-click and select a service to fire the search !
V1.8.1:
– can now set a default scope (in the options page)[/titled_box]
I’m so impressed by this development effort, and by the rate that new features are being added.
For example, the context-sensitive search:
and ‘Share this URL’:
If you access IBM Connections on a regular basis and use Google Chrome as your main browser, you really would benefit from this plugin.
Grab it from the Chrome Store (it’s free), and say a big thank you to Romain (@lienardr)!
A new and very neat IBM tool has been added to the IBM Collaboration Solutions Catalog in the last week or so:
[titled_box title = “The Sanity Validation Tool for IBM Connections 4.5”]The Sanity Validation Tool for IBM Connections 4.5 release was developed to help developers, system administrators, support engineers and eventually customers during their deployment of Connections. The tool was designed with the ability to run Pre-install, During and Post installation to verify a handful of common configuration requirements and settings. Refer to the Read Me file for list of System, Websphere, Database, IHS configuration settings the tool validates. The tool supports installation on Linux/DB2 LDAP.[/titled_box]
You can download by clicking through from the Catalog, or by going direct to the ‘Lotus Business Solutions IBM Download site‘, logging in with your IBM ID and then searching for ‘Sanity’ to find the download in the very long list of tools on that site (there’s all sorts of interesting stuff on that list, something to investigate on a rainy day!). You then need to fill in the obligatory IBM survey (‘Select which best describes your plans to use this software’ etc.), agree to the license and then you get to download the 176KB zip file.
Unpacking the zip file gives a folder named ‘sanity as of 9 16 2013’ (so this code has obviously been kicking around inside IBM for a while now!). This folder contains the code to be installed on your Linux server, plus a rudimentary README.txt file:
This is the first I’ve seen of this tool, so these are my comments as I go.
Starting test group: WebSphere Pre-install tests…
Starting test: Determine if security is enabled
Checking WebSphere for wsadmin.sh…
Found wsadmin.sh
Getting WebSphere security status…
Test finished with result: SECURITY ERROR: Security is not enabled[/titled_box]This was run on a server that has been successfully running Connections 4.5 for a year or so. As you can see from the snippet of output above, it has already picked out some things that can be improved. The script took about 30 seconds to run in all.
This allows the administrator to add parameters to be applied to the test, and also to select the tests to be executed:
Once the tests have been run, the output is displayed in the browser, and is then stored for review later.
As I mentioned above, getting the config file correct took a little while initially, but once this is done, the tool produces some excellent output and has already proved to be very useful. I can imagine running it on all my servers (most Connections platforms I’ve worked on are Linux/DB2 so this fits the bill for me), and using it on a regular basis – particularly during upgrades and migrations.
Whilst this is a ‘USE AS IS’ tool and is not supported, I can imagine it becoming part of most Connections admin toolkits… It only supports Connections 4.5 today, but should in theory work on Connections 5.0 as well, perhaps with a few minor tweaks to deal with the newer version of WAS involved. I haven’t had a chance to test this yet though. It obviously isn’t supported on Windows, AIX or System i either.
I’m not sure who in IBM is responsible for the tool, but kudos to them! I’d love to see it included in the default Connections install for Linux, then many of the parameters could be set automatically during the install. Till then, download it and install ASAP. Recommended!
I’ve long felt that ideation is a prime use case for IBM Connections and other social collaboration platforms.
Others clearly feel the same way, and whilst standalone tools such as Yambla, BrightIdea and even Elguji’s IdeaJam have been very successful, in my experience it is when ideation is at the centre of a well-designed ESN (Enterprise Social Network) that it becomes not just a one-off task for a particular ideas generation campaign but instead core to the way that an organisation operates day-in and day-out. Of course, the orgnisational culture has to be aligned in that direction too – as you might expect, ideation is not simply a technology play!
That’s why IBM adding Ideation Blogs to Connections a few versions ago was such a good step forward – users could now publish their ideas and gather feedback in the form of comments and votes in favour of the idea.
However, whilst Ideation Blogs cover some of the principal requirements, there are a number of areas in which other platforms have gone further… For example, voting down as well as up (a very important aspect for me personally), analysis and trending of key ideas, grading of comments as well as the ideas themselves and so on.
Therefore I am delighted to see TemboSocial fully integrate their cross-platform ideation technology, Ideas, with IBM Connections.
Supporting Connections 3, 4 and 4.5 (support for the just released version 5 is coming soon), plus WebSphere Portal, TemboSocial Ideas is the ideation platform that Connections has been calling for!
[TemboSocial Ideas is now listed in our Solutions catalog]Just a reminder to be watchful of non-standard characters in IBM Connections user names, and also to thoroughly review your IBM Connections TDI logs on a regular basis. This is a current APAR (IBM ID required):
[titled_box title = “IBM APAR LO81076”]LO81076: USERS WHO ARE REGISTED WITH QUOTATION MARKS IN THEIR NAMES CANNOT USE CONNECTIONS PROPERLYInternet Explorer displays many errors after the user logs in and the Profiles home page is displayed. Firefox simply doesn’t show certain features such as the search entry box[/titled_box]
I’m sure that this particular APAR will get resolved in an upcoming fix for Connections 4.5 (I’m not sure if 5.0 is similarly afflicted?), however these types of issue do crop up every so often, so be ready for them!
This was a pleasant surprise this morning:
Yes, the IBM Greenhouse has been upgraded to IBM Connections 5.0.0.0.
New features including External Collaboration (which isn’t strictly relevant to the Greenhouse), improvements to Files and file-sync (using the new mobile apps and desktop plugins), plus significant significant enhancements to the activity stream and @mentions should all now be visible on the community test/demo platform.
PS. As the Greenhouse was already running the NextGen theme there aren’t too many changes visually…
PPS. The Greenhouse has over 100,000 members… Pretty amazing:
More good news from IBM’s Paul Godby – this time discussing a new self-paced workshop, explicitly for IBM Connections 5.0:
[titled_box title = “IBM Connections 5.0 workshop”]In the IBM Connections 5.0 Workshop, you will learn about the new and existing capabilities of IBM Connections and IBM Connections Mobile. You will learn how to implement external collaboration in your environments and gain an understanding of both the internal and external user experiences in these deployments. If you are an administrator or a developer, you will also learn about the following topics: UI Customization, Mobile UI Customization, iWidget Development for Profiles, and Activity Streams Integration using the Social Business Toolkit SDK.[/titled_box]
The course is written for the Connections 5.0 Softlayer device that will be available soon, but could be run against a Linux-based self-hosted server if required.
Here’s the full course detail:
[titled_box title = “IBM Connections 5.0 workshop detail”]Description
New capabilities in IBM Connections V5.0 make it easier for a company’s employees to work with customers and business partners on projects. Enhancements throughout IBM Connections V5.0 make relevant content more accessible, encourage brainstorming on new ideas, and organize the content that is shared in communities.
IBM Connections V5.0 adds new capabilities that make it easier for a company’s employees to collaborate with customers and business partners on projects and share relevant information. With IBM Connections V5.0, external users, such as customers and business partners, can be invited to a shared file and an IBM Connections community. Communities that have been opened to external users are identified as such to the members of the community.
Event highlights
Prerequisites