Changing and Signing jar files with JDK 1.8, no questions asked. Dictionaries in IBM Notes.

Case:
Dictionaries were missing from the client installation on Windows machines.
Client is multi user and users are not allowed to write in Program Directories (non admin on their PCs).
Client is IBM Notes 9.0.1FP6, because this is the one rolled out to end users.
This means that nothing can be installed via Widgets in framework\rpc or framework\shared because both are under Program Directory.
The objective is to provide all of the dictionaries for the end users to choose from in the Widgets catalog. Installation should progress without any questions asked.

Description:
I downloaded the dictionaries provided by IBM (Notes_XTAF_Dictionaries_V9.0_Win_ML.zip).
For a full description of this package, please read Thomas Hampel's blog at
https://blog.thomashampel.com/blog/tomcat2000.nsf/dx/deploying-xtaf-dictionaries-as-widgets.htm

The problem I had was that the feature jar files are configured to install in framework\rpc, which is fine if you include them during installation of the original package, running with administrative rights on the computer.

The only way in my scenario was to make sure that the installation was made in a user context, meaning Data\workspace\applications.

Solution:
Change the configuration of the feature jar to make sure that the installation is done in a user context.

Unpacking the jar file in the features directory of any given dictionary reveals that the feature.xml file contains <feature colocation-affinity="com.ibm.rcp.platform.feature"
This needs to be changed to <feature colocation-affinity="com.ibm.rcp.site.anchor.user.feature" to make sure that the installation goes to Data\workspace\applications, where the end user is allowed to write.

To unpack and repack I use PeaZip (https://www.peazip.org/peazip-64bit.html) and as an editor I use Notepad++ (https://notepad-plus-plus.org/download/v7.3.3.html).

An explanation of the different options can be found here:
https://www.ibm.com/support/knowledgecenter/en//SSVHEW_6.2.0/com.ibm.rcp.tools.doc.admin/controllingfeatureinstallocation.html
https://www-01.ibm.com/support/docview.wss?uid=swg21497657
https://www-01.ibm.com/support/docview.wss?uid=swg21440976

Doing this also breaks the signatures, which means that re-signing (after repackaging) is necessary for security reasons (you should not allow anything that you have not trusted).
If you want to include your own signed jar files during installation of the client, this can be done by following this instruction (https://www-01.ibm.com/support/docview.wss?uid=swg21305165).
You could also use iKeyman to do this if you prefer.
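
Why editing feature.xml breaks the signature, as an added example (not from the original post or from IBM): a signed jar's META-INF/MANIFEST.MF records a digest for every file, and this sketch recomputes them. It checks only the manifest-to-file digests, not the .SF/.RSA signature itself, and the sample jar and function names are constructed for the illustration.

```python
import base64
import hashlib
import io
import zipfile


def parse_manifest(raw):
    """Map entry name -> attributes for the per-entry sections of MANIFEST.MF."""
    text = raw.decode("utf-8").replace("\r\n", "\n").replace("\n ", "")  # unfold wrapped lines
    sections = {}
    for block in text.split("\n\n"):
        attrs = dict(line.split(": ", 1) for line in block.split("\n") if ": " in line)
        if "Name" in attrs:
            sections[attrs.pop("Name")] = attrs
    return sections


def check_digests(jar_bytes):
    """Return {entry: "ok" | "mismatch" | "unlisted"} for every payload file in the jar."""
    status = {}
    with zipfile.ZipFile(io.BytesIO(jar_bytes)) as jar:
        manifest = parse_manifest(jar.read("META-INF/MANIFEST.MF"))
        for name in jar.namelist():
            if name.startswith("META-INF/") or name.endswith("/"):
                continue
            digests = {k: v for k, v in manifest.get(name, {}).items() if k.endswith("-Digest")}
            if not digests:
                status[name] = "unlisted"      # added after signing, or never signed
                continue
            ok = True
            for key, expected in digests.items():
                algo = key[:-len("-Digest")].replace("-", "").lower()  # SHA1-Digest -> sha1
                actual = base64.b64encode(hashlib.new(algo, jar.read(name)).digest()).decode()
                ok = ok and actual == expected
            status[name] = "ok" if ok else "mismatch"
    return status


def build_jar(feature_xml, signed_xml):
    """Constructed sample: a jar whose manifest lists the SHA1 digest of signed_xml."""
    digest = base64.b64encode(hashlib.sha1(signed_xml).digest()).decode()
    manifest = "Manifest-Version: 1.0\r\n\r\nName: feature.xml\r\nSHA1-Digest: %s\r\n\r\n" % digest
    buf = io.BytesIO()
    with zipfile.ZipFile(buf, "w") as jar:
        jar.writestr("META-INF/MANIFEST.MF", manifest)
        jar.writestr("feature.xml", feature_xml)
    return buf.getvalue()


# Constructed feature.xml contents: as signed, and after the colocation-affinity edit.
ORIGINAL = b'<feature colocation-affinity="com.ibm.rcp.platform.feature"/>'
EDITED = b'<feature colocation-affinity="com.ibm.rcp.site.anchor.user.feature"/>'

if __name__ == "__main__":
    print(check_digests(build_jar(ORIGINAL, ORIGINAL)))
    print(check_digests(build_jar(EDITED, ORIGINAL)))
```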

If you look at Thomas Hampel's blog above you will find that there are a lot of files that need to be changed and signed before importing to an update site.

Changing:
In every features directory in every updateSite_xx directory the file feature.xml needs to be changed according to the above solution.
IMPORTANT!!!
Also, to prepare for signing, 3 files need to be deleted from a subdirectory called META-INF, also in the features directory:
IBM_WPLC.RSA
IBM_WPLC.SF
MANIFEST.MF
IMPORTANT!!!

Preparing:
Repack all files in each directory, e.g. com.ibm.langware.v5.dic.af_ZA.feature_7.2.0.201111100545 to com.ibm.langware.v5.dic.af_ZA.feature_7.2.0.201111100545.zip
Move (cut) the zip file to where the original jar file is located, rename the original jar file with the extension .org instead of .jar, and then rename the newly moved .zip file to .jar
A features directory could then look like this:
[Screenshot: features directory listing]
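
The Changing and Preparing steps above as one script, added here as an example and not part of the original post or its download: it rewrites colocation-affinity in feature.xml, drops the old signature files from META-INF, and keeps the IBM-signed original as .org. The function names and the extension-based match for signature files are assumptions of this sketch; the resulting jar is unsigned and still has to be signed with jarsigner.

```python
import io
import re
import sys
import zipfile
from pathlib import Path

PLATFORM = b"com.ibm.rcp.platform.feature"       # installs under the program directory
USER = b"com.ibm.rcp.site.anchor.user.feature"   # installs under Data\workspace\applications
AFFINITY = re.compile(rb'(colocation-affinity\s*=\s*")' + re.escape(PLATFORM) + rb'"')
# Old signature material: the post deletes IBM_WPLC.RSA, IBM_WPLC.SF and MANIFEST.MF.
# Matching by extension (an assumption of this sketch) also catches other signer names.
STALE = re.compile(r"^META-INF/(MANIFEST\.MF|[^/]+\.(SF|RSA|DSA|EC))$", re.IGNORECASE)


def patch_feature_jar(jar_bytes):
    """Return (patched_jar_bytes, removed_entry_names) for one feature jar."""
    removed, patched, out = [], False, io.BytesIO()
    with zipfile.ZipFile(io.BytesIO(jar_bytes)) as src, \
            zipfile.ZipFile(out, "w", zipfile.ZIP_DEFLATED) as dst:
        for info in src.infolist():
            if STALE.match(info.filename):
                removed.append(info.filename)    # never carry a stale signature over
                continue
            data = src.read(info)
            if info.filename == "feature.xml":
                data, hits = AFFINITY.subn(rb"\g<1>" + USER + b'"', data)
                if hits != 1:
                    raise ValueError("expected exactly one platform colocation-affinity")
                patched = True
            dst.writestr(info, data)
    if not patched:
        raise ValueError("no feature.xml at the root of the jar")
    return out.getvalue(), removed


def patch_file(jar_path):
    """Keep the IBM-signed original as <name>.org and write the unsigned patched .jar."""
    jar_path = Path(jar_path)
    new_bytes, removed = patch_feature_jar(jar_path.read_bytes())
    jar_path.rename(jar_path.with_suffix(".org"))
    jar_path.write_bytes(new_bytes)
    return removed


if __name__ == "__main__":
    for arg in sys.argv[1:]:                     # paths of the feature jars to patch
        print(arg, "removed:", patch_file(arg))
```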

Signing:
To sign I downloaded JDK 1.8 from
https://www.oracle.com/technetwork/java/javase/downloads/jdk8-downloads-2133151.html (Windows x64, because I am using W10 64-bit).

IMPORTANT!!!
Only sign jar files that you have made changes to. The others are already signed with valid signatures.
Only sign 1 time with 1 signature for each jar file. Signing a second time could cause unexpected results.
IMPORTANT!!!

First I examined the file that was signed by IBM; this is now <filename>.org if the instructions were followed.
C:\Program Files\Java\jdk1.8.0_121\bin>jarsigner -verify -verbose "C:\updateSite_af\features\com.ibm.langware.v5.dic.af_ZA.feature_7.2.0.201111100545.org"

I got:
– Signed by "CN=International Business Machines Corporation, OU=Lotus Software Group, OU=Digital ID Class 3 – Java Object Signing, O=International Business Machines Corporation, L=Littleton, ST=Massachusetts, C=US"
    Digest algorithm: SHA1
    Signature algorithm: MD5withRSA, 2048-bit key
  Timestamped by "CN=GeoTrust Timestamping Signer 1, O=GeoTrust Inc, C=US" on lö feb 02 04:31:44 UTC 2013
    Timestamp digest algorithm: SHA-1
    Timestamp signature algorithm: SHA1withRSA, 1024-bit key

jar verified.

This meant that I needed to sign with MD5withRSA and also SHA-1 where needed.
I tried all of the possible combinations of signing and digest and did the provisioning to the IBM Notes Client for all the different cases (phew, this was hard and took a lot of time!) just to make sure.
I found only 1 configuration that worked every time.

IMPORTANT!!!
To sign you must first create a signer. You also need to import the certificate of the signer, cross-certify it with your Notes certificate, and push that cross certificate to the client through your security policy.
This is done in the Domino Directory of your server.
A jar file signed with this signature is then trusted to be installed on the client.
IMPORTANT!!!

Inspired by Thomas Hampel (again) and the blog entry (https://blog.thomashampel.com/blog/tomcat2000.nsf/dx/untitled.htm?opendocument&comments).
I decided to make my own script to help me out with this task.

Script Solution:
I decided to make 2 types of script: 1 for creating the necessary JKS file used for signing and 1 for the actual signing.
Both solutions consist of a command file and a property file containing the values needed for the execution.

Code and samples will be provided here for download: Cool_Signing

Keytool:
Signing_mykeytool.cmd Cool_Signer.keytool
in the sample provided will create a JKS file and a CER file in the C:\temp directory.

To customize for your own needs you can create your own .keytool file using Cool_Signer.keytool as a template. Read the included Readme.txt file for an explanation.

IMPORTANT!!!
You must change/customize this if you want to use it in your own environment, because the sample provided here is not intended for any purpose other than demonstrating the code.
IMPORTANT!!!

Jarsigner:
Signing_myjarsigner.cmd Cool_Signing_with_XTAF_MD5.jarsigner
in the sample provided will sign all jar files that end with *.feature_7.2.0.201111100545.jar in the directory C:\Notes_XTAF_Dictionaries_V9.0_Win_ML and below.
IMPORTANT!!!
It also contains the parameters that were tested to work with these features. I recommend that you use these if you modify and sign the XTAF Dictionaries.
IMPORTANT!!!

To customize for your own needs you can create your own .jarsigner file using Cool_Signing_with_XTAF_MD5.jarsigner as a template. Read the included Readme.txt file for an explanation.

Conclusion:
Changing and signing is hard work, but a script at least provides you with the means of organising your stuff and eases the burden of signing.


SugarCRM IBM Notes plug-in, no questions asked

Case:
I was involved in a SugarCRM project and one of the requirements was to roll out a widget provided by Sugar to the IBM Notes sidebar.

Description:
The problem was that the instructions from Sugar included an option for the user to bail out of the installation,
because the signatures were not trusted. Also, the user needs to cross certify with his own Notes id.
(https://support.sugarcrm.com/Documentation/Plug-ins/Lotus_Notes_Plug-in/Notes_Plugin_Installation_Guide_2/index.html)

From the project perspective this was not OK.

Solution:
I needed to find a way to cross certify in advance, making the installation run in the background without giving the user the option to bail out.
I wanted to cross certify with my organizational certifier instead and avoid questions.

The first problem was to find the certifiers.
What I did was to install the plug-in manually in my test environment.
I then took the RSA file located in the workspace\applications\eclipse\features directory;
in the META-INF directory there is a file called LPI.RSA.

Using OpenSSL with the command
"openssl pkcs7 -in LPI.RSA -print_certs -inform DER -out lpi.cer"
and then opening the output in an editor, you could see all of the certifiers.
Using the instructions from Sugar as a guideline I tried to cross certify the certificate
that was used by Sugar, which was:
CN=SugarCRM/OU=Software/OU=Digital ID Class 3 – Java Object Signing/O=SugarCRM/L=Cupertino/ST=California/C=US
but when trying to do that I got the message:
"A cross certificate will not be made due to key usage restrictions in the input certificate"

I found a discussion thread indicating that cross-certifying at a higher level would do it
(https://www-10.lotus.com/ldd/nd85forum.nsf/0/565f1122814572b3852579f900521ce0?OpenDocument)
so I imported the certificates into Domino Directory:

CN=VeriSign Class 3 Code Signing 2010 CA/OU=Terms of use at https://www.verisign.com/rpa (c)10/OU=VeriSign Trust Network/O=VeriSign, Inc./C=US
VeriSign Class 3 Public Primary Certification Authority – G5/(c) 2006 VeriSign, Inc. – For authorized use only/VeriSign Trust Network/VeriSign, Inc./US
https://knowledge.symantec.com/support/ssl-certificates-support/index?page=content&id=SO14649
https://www.symantec.com/content/dam/symantec/docs/other-resources/roots.zip

and cross-certified them with my Domino Organizational certifier instead, into Domino Directory.

I then pushed these 2 internet cross certificates out to the clients through my security policy.

After that I included the widget in my widget catalog according to the instructions provided by Sugar and in this case we made a special desktop policy (explicit because it was in the cloud) that installed it for everyone belonging to a Domino group.

Worked perfectly.


Official announcement from IBM – Extending support for Notes/Domino 9.0.1 to 2021

IBM announced today that they will extend their support for IBM Notes/Domino 9.0.1 to September 2021. There has been some discussion in the community about Notes/Domino and IBM's future plan for the platform. What we know for a fact now is that Notes/Domino will be around to at least 2021. We also know that the IBM Domino Server is a core part of IBM Verse (and Verse on-prem is soon to be released) and that IBM is adding new functionality to the platform, like the possibility to use MS Outlook as your email client with IBM Domino Server as the backend. We also know that IBM will release Fix Pack 7 (FP7) for IBM Notes/Domino 9.0.1 in September 2017, which is a scheduled maintenance release containing several bug fixes and some new features.

Will there be an IBM Notes/Domino 9.0.2 or maybe a 9.1.0? Or will IBM Verse take over as the platform name? Only time will tell…

So what about today's announcement, what is IBM telling us? Well, support for version 9 of IBM Notes, IBM Domino, IBM Notes Traveler, and IBM Enterprise Integrator is extended to September 2021. Support for the following associated entitlements is also extended to September 2021:

  • IBM Sametime® V9.0 Limited Use
  • IBM Domino Designer V9.0.1
  • IBM Mobile Connect V6.1.5
  • IBM Domino Global Workbench V9.0.1

IBM is also adding entitlement to your Notes/Domino license to use some IBM Connections 5.5 features. The features we are talking about are the Files and Profiles features.

  • The Files feature helps users easily share content with other people and removes the need to send large files through email
  • The Profiles feature helps users find the people they need by searching across the organization

Link: IBM Notes and Domino V9.0.1 extends support and enhances its collaboration toolset with social capabilities from IBM Connections V5.5

As you know you can always contact us if you have any questions about this 🙂 


Report from the booth at IBM ConnectED 2015

I know you're all dying to hear what went on at IBM ConnectED so here is my take!

We flew down on Thursday before Connected to have some time to prepare and to meet-up with customers and friends. Our hotel was not Disney this time and it felt somewhat strange, but also positive. As always, American hotel rooms are so large that Mats Ekman said that we could easily fit all 10 of us in the same room if needed.

Friday and Saturday flew by with shopping, sightseeing, meetings and preparations for the upcoming conference week. We enjoyed large American breakfasts with everything included, a good steak dinner, a delicious lobster dinner, numerous pizza slices, pool time, lots of good discussions, and most of all the ever shining Florida sun. We all concluded that this was going to be a great week!

On Saturday night we hosted our annual Infoware Collaboration Reception at Texas de Brazil. The event is a perfect way to start off the conference and to welcome customers and resellers from all over the world. This time for the 10th year in a row! We had a fabulous evening with friends, good food, lovely desserts, laughter and fun. We are also happy that we can connect our customers with each other in a steadily growing network. It always feels very good to welcome everybody to us.

And Sunday! A day of sessions and booth preparations. 7 of us are here to focus on covering all the session tracks and to gather knowledge about all the latest from IBM and other business partners. So they were off to different kinds of sessions. Daniel Svanström, Fredrik Söderquist and I, on the other hand, were busy in our booth in TechnOasis getting everything ready for the evening’s Welcome Reception. We checked our demo environments, the leads scanner and of course our t-shirts!

Every year our t-shirts make a bit of a buzz among the visitors, and also this year! The word is spreading. "Aaww, you guys have the coolest t-shirt!". "I want one of those!" and so on. Some visitors dress up wearing our shirts and our message is visible here and there. Our kick ass ninja warrior that guards all our customers’ environments and also lets everybody know that we offer the best solutions for every IBM customer!

Infoware is an exhibitor and sponsor of IBM ConnectED for the 10th time in a row! That’s something! Infoware is a true blue IBM Premier Business Partner, and has social business as one of our main areas. This year we focus wholeheartedly on promoting DomainPatrol Social, our administration tool for IBM Connections.

Luckily we got ready in time, since the TechnOasis filled up to the brim at precisely 18:30! We realized quite soon that the rumors we heard were right. The organizers had expected around 1,500 attendees, but at least 1,000 more had registered. Excellent news! This resulted in a packed TechnOasis, and also a more intimate feel of the whole conference. The atmosphere was full of expectations and everybody had happy faces.

So the reception! Refreshments were served and it was busy in the booth right away! Our well-oiled machinery chugged off and we did demo after demo. We talked about our new release, social business and a new way to work according to Infoware etc. We noticed immediately that almost every visitor was using IBM Connections one way or another. A positive trend! And of course good for us, since our tool covers the needs of an organization using IBM Connections.

We worked hard! And after opening in the TechnOasis, the Welcome Reception continued outside on the Swan Lake terrace with food, drinks and DJs who played far too modern music according to Mats Feretti. 🙂

The next day after breakfast: OGS! Exciting! What would happen? How will this conference turn out? There were big expectations in the air and good music was playing when all the people were gathered. Jeff Schick opened with a bang. Talked about taking on Google and Dropbox. About the collaboration with Apple. Go IBM! Scott Probes did a live demo of IBM Verse! Very cool. Scott smiled like a kid on Christmas Eve on stage. And we smiled with him! The whole concept of IBM Verse is "A New Way to Work". IBM Verse will work for you, and not vice versa. The mail has jumped to the next step and is now a tool to sort, categorize and prioritize all the information flowing over you on a normal working day. He also showed cool Watson features. The look of Verse is totally fabulous and I for one cannot wait until I can try and use it! Then Luiz Benitez showed us the new Connections interface which seamlessly weaves into Verse in a very nice way.

The week went on in similar fashion. Three whole more days in the booth with non-stop networking and connecting with new and new friends. We decided that every member of our booth crew needs to have the same amount of tattoos as Fredrik. Well, we’ll see about that.

We caught up with our resellers that attended the conference too. Very good to show them our new release of our product and talk business, but also just to spend time together over a beer or two.

I also took the opportunity to meet my friends from Social Connections! Both Lars Samuelsson, Brian O’Neill, Jan Waldman and new friend Doug Morrison. All happy faces!

Notes/Domino turns 25 this year, which raised some attention during the week. Small happenings popped up here and there at the conference to celebrate the youngster. For example bubbly champagne, cakes, and not to forget temporary tattoos handed out by Matt Newman. We all got branded!

The evenings were of course a great deal of fun too! Every night we had something to look forward to. One small disappointing thing though was that there was no theme park booked for the ConnectED Party this year. I, who love roller coasters more than many, many other things, had to settle for some drinks and food at the Dolphin Hotel instead. Although, there WAS indeed a very short ConnectED Party, with food and drinks in the Atlantic Hall at Dolphin. After we had eaten, we thought it was time to start the party! We went up on the huge empty dance floor and started dancing, and soon the dance floor filled up with others. 🙂 It’s always like this!

The week went on and soon it was Wednesday, and time for the Closing Session. Somewhat tired we went into the darkness of the session room to hear IBM say thank you and goodbye for a fantastic conference week! And we agree.

Last night with the gang. The week has been long and full of hard work, rest = zero, so we decide to do something simple and just for us at Infoware. A short trip down to Downtown Disney and a burger at the House of Blues. Great place with the music scene and American good food. We had a long table where we could take a break and rest and have a good time together. When the clock was 0:00, I was at home in the room, received a glass of whiskey from a colleague and started packing my bags. #yawn

Then it was over .. the end? 🙁 The feeling when we close the booth and say goodbye to all our friends and acquaintances cannot be described. I strolled by the Dolphin fountain and listened to its noise one last time and then went out to wait for the taxi to take us to the hotel. For several months I have breathed #ibmconnected with all the planning and hard work. And now it's over? Impossible. But there is also joy. An incredible joy that has spread among us throughout the week. The buzz of having scooped a number of leads, talked to "everyone", said hello to "everyone". The IBM ConnectED Community is not like others. It’s magical and captivating. And once you have walked over the bridge between Swan and Dolphin, you know you want to do it again and again and again. Because the reward for all the hours you invested is amazing!
