Overview
This article discusses the functional changes, data collection, and troubleshooting issues with respect to security in IBM® Lotus® Connections 3.0. This topic is not extensive because there were not many changes related to security in Connections 3.0. Further, the big changes were in the single sign-on (SSO) environments, and those topics are already covered in other documentation topics such as SSO, WebSeal/TAM, SiteMinder integration, and IBM Lotus Connections 3.0: SPNEGO.
Functional changes in Connections 3.0
Error messages on the client
The error messages that display to the user have been changed. Rather than giving specific details about the exception stack trace and other system internal information (which is a security violation), the user is presented with a page providing an explanation of the problem and an error ID string. This ID string also appears in the SystemOut.log along with the exception stack trace. The user can communicate this ID string to an administrator, who can find the details of the issue by searching for that string in the log.
The user initially sees the screen shown in figure 1.
Figure 1. First error message screen
Upon clicking "Report this Problem" (sometimes it is a button reading "View error details"), the user sees a dialog box such as that shown in figure 2. Typically these dialog boxes instruct the user to send the identifier to the system administrator if the problem persists. If you scroll to the bottom of the text box, you see the error identifier.
Figure 2. Second error message screen
The details appear as part of the exception that gets logged. To locate them, search the system log files (by default, SystemOut.log) for the identifier given in the message (see figure 2). The logged exception will contain details, including the:
- given identifier
- browser being used
- specific request
- Session ID
Active content filter (ACF)
Lotus Connections 2.5 introduced the "allowedContent" setting that enabled users to configure whether Blogs and Wikis would permit Flash animations. This setting is no longer supported in 3.0. It still appears in the LotusConnections-config.xml file, but it has no effect, and supporting documentation has been removed from the InfoCenter.
<allowedContent>
    <contentType name="FLASH" enabled="true"/>
</allowedContent>
To enable or disable Flash, refer to the Product Documentation topic, "Configuring the active content filter for Blogs and Wikis: lc3."
The ACF configuration files with "flash" in the filename allow Flash in the page content; those without "flash" strip it from the page. For example, the Blogs service's default configuration uses acf_config_file="acf-config-flash.xml"; to disable Flash, replace this value with "acf-config.xml":
<sloc:serviceReference acf_config_file="acf-config-flash.xml"
    bootstrapHost="lcappscan1.swg.usma.ibm.com"
    bootstrapPort="2811"
    clusterName="cluster1"
    enabled="true"
    person_card_service_name_js_eval="generalrs.label_personcard_blogslink"
    person_card_service_url_pattern="/roller-ui/blog/{userid}"
    serviceName="blogs"
    ssl_enabled="true">
To completely disable flash in a deployment, it must be disabled in both Blogs and Wikis.
These two topics describe the various configuration permutations possible: "Configuring the active content filter for Blogs and Wikis: lc3" and "Configuring the active content filter for Activities, Communities, and Forums."
Note that only Blogs/Wikis support flash animations in the page. All other options are available for the other services.
The ability to customize the ACF configuration files was enabled in the product in 2.5.0.1 but was not documented in the InfoCenter until 3.0.
These configuration files allow customers to decide whether to allow forms, styles, margins and Flash:
- ns: No styles. Disallows HTML styles from being added to text.
- nf: No forms. Disallows elements such as buttons and input boxes from being added to a page.
- nm: No margins. Disallows the user from changing the margins on images.
A/V
(1) Table 1 lists the LotusConnections-config.xml file virus scanning configuration properties and their descriptions.
Table 1. LotusConnections-config.xml file virus scanning configuration properties

Property | Description
--- | ---
<avFilter class="AVScannerICAP"> |
<property>av.scanner.servers=scanner host name or IP address</property> | Required. Can be a comma-separated list if the customer has a fail-over scanner.
<property>exception.on.virus=yes</property> | Has no effect; it is there for historical purposes.
<property>av.scanner.service=AVSCAN</property> | Required. AVSCAN for Symantec, RESPMOD for McAfee.
<property>av.chunk.size=50000</property> | Optional. How much data to send at a time, in bytes.
<property>first.read.timeout=120000</property> | Optional. How long to wait for the scanner to respond, in milliseconds.
</avFilter> |
Refer to the InfoCenter topic, "Enabling virus scanning," for more information on configuring virus scanning.
(2) The error information that appears in the SystemOut.log has been improved in version 3.0. When the scanner reports a problem with the file being scanned, detailed information is now available in the SystemOut.log. Examples are in the InfoCenter topic, "Troubleshooting virus scanning":
[9/15/10 16:28:06:063 EDT] 000000ba GenericPersis I com.ibm.sn.av.icap.net.GenericPersistentClient askServerPersistent CLFAQ0012I: ICAP Headers: ICAP/1.0 200 OK
ISTag: "E7A38AFAE1C53F592855CD024058C2AD"
Date: Wed Sep 15 20:21:19 2010 GMT
Service: Symantec Scan Engine/5.1.7.33
Service-ID: Respmod AV Scan
X-Infection-Found: Type=2; Resolution=2; Threat=Container extract time violation;
X-Violations-Found: 1
no.file
Container extract time violation - scan incomplete.
-9
0
X-Outer-Container-Is-Mime: 0
Encapsulated: res-hdr=0, res-body=83
Note that, when the error message references a "container", it means the scanned file was a .zip or other archive file. Also note that many of the services report a virus when any error is returned from the scanner; therefore it's important to check the log to determine whether it's actually a virus, or if some other type of error occurred.
(3) During testing, Files and Wikis often had issues with A/V timing out when uploading large files, with the following message displaying in the UI:
And this set of errors would appear in the SystemOut.log:
[9/29/10 15:44:09:612 EDT] 00000069 GenericPersis E com.ibm.sn.av.icap.net.GenericPersistentClient askServerPersistent CLFAQ0004E: ICAP error processing content: Read timed out
[9/29/10 15:44:09:675 EDT] 00000069 Transactional E EJPVJ9989E: Unable to create a transactional file at C:\IBM\LotusConnections\data\shared\files\upload\files\79\8\b00df666-97ce-4ab1-bc8d-d40b56bf9df8.
com.ibm.lconn.filemanager.transaction.VirusScanException
The second log error (unable to create a transactional file) is not important; it means only that the upload could not be saved. The real problem is that the socket read timed out. Users encountering this issue should increase the timeout in the <avFilter> settings:
<property>first.read.timeout=120000</property> (This is for a 2-minute timeout)
The first.read.timeout is how long the A/V system will wait for the first response from the scanner. This is important because the scanner won't respond until it has processed the file. For large .zip files, this can take some time because the scanner expands the archive and then scans the files. (Default value is 10000 milliseconds.)
(4) If users have desktop virus scanning enabled (for example, Symantec RTVScan) as well as having Lotus Connections configured to use a virus scanning engine, and then attempt to upload a file that contains a virus, they may get the following error:
This occurs because the desktop virus scanner has deleted the temporary file that Lotus Connections made before Connections got the message from its virus scanner that the file was infected.
This doesn't hurt anything, because the user probably doesn't want to save an infected file into Connections. They can, however, receive the correct error message from Connections indicating that the file contains a virus if they disable their desktop virus scanner and try to upload the file again.
Asynchronous JavaScript™ + XML (AJAX) proxy
- For users who have an Internet-facing deployment (one that is accessible from users on the Internet, as opposed to only those behind a corporate firewall or members of a private domain), it is recommended that they remove the default policy (<proxy:policy url="*" acf="none">). Leaving this policy in place allows unauthenticated access to areas inside the user's network.
- It's also recommended that they not specify any cookies in the <policy:cookie> section, unless they want to restrict which cookies are sent. The default behavior is to pass all cookies.
- There have been several questions about problems with Microsoft® Windows® NT LAN Manager (NTLM) authentication and the AJAX proxy. This is not currently supported. A defect was opened with the Proxy team, who informed us that this support is planned to be added with the next version of the proxy.
Data collection
Must gathers
All the items in this section are collected by the IBM Support Assistant (ISA) program. Customers are urged to use this tool to ensure we collect everything we need. When diagnosing issues with the AJAX proxy, be sure to enable debug in the proxy-config.tpl file and send traffic through the proxy so that we can gather the proxy-config.xml file as well.
AJAX proxy
SystemOut.log and trace.log, LotusConnections-config.xml, proxy-config.tpl (or the customized file, for example proxy-homepage-config.tpl, if the customer has made a service-specific file). Enable debug in the proxy-config.tpl and collect the resultant proxy-config.xml file (found in the LotusConnections-config directory).
A/V
SystemOut.log, LCC.xml, exact steps to reproduce the problem.
ACF
SystemOut.log, LCC.xml and exact steps to reproduce the problem (including the string pasted into the editor, or modifications made to an image's attributes, such as margins)
Running trace
AJAX proxy
com.ibm.ws.ajaxproxy.*=all:org.apache.commons.httpclient.HttpClient=finest:httpclient.wire.header=finest
AV
There is no trace string. Information displays when the scanner returns an error (virus detected, timeout, container violation...)
ACF
There is no trace string.
Troubleshooting
Diagnostic process
AV
If you can successfully upload small files, but large files or zips are failing, you probably have a timeout issue. To resolve the issue, try increasing the first.read.timeout and av.chunk.size values. If you have raised them to excessive levels (such as sending a megabyte at a time with a 5-minute timeout) and you're still having problems, investigate the policies on the scanner engine.
Symantec has a host of settings for container policies (how large the .zip can be on the disk after it is expanded, how long the engine will wait for the .zip to expand, how many levels deep the .zip can be when it is expanded) and any of those might need to be adjusted.
ACF
Be sure you have configured the ACF config file that supports what you are trying to do. For example, if you are trying to set the margins on an image, but the settings won't stick, make sure the system isn't configured with one of the "nm" config files.
AJAX proxy
When you look at the proxy-config.xml (created when you set "debug=true" in the proxy-config.tpl file, restart the server, and then try to hit a URL through the proxy), there should be at least one entry for each active service in LCC.xml, and two if both http and https are enabled.
Log interpretation
AJAX proxy
If trace is enabled for the AJAX proxy, but the trace.log does not include the string "ajaxproxy", then the problem is not with the AJAX proxy because traffic is not going through the AJAX proxy. If the ajaxproxy is included, there is a lot of output associated with it, so you will easily be able to see it.
For customized policies, check that any specialized headers you might need to access the widget or feed are being passed. All cookies are passed by default, but if you have specified any cookies, those are the only ones that will be passed. Check that all needed cookies are included.
These lines indicate NTLM authentication is being used, which is unsupported (these lines are not consecutive in the log):
[1/22/10 23:57:36:633 CST] 00000051 header 1 org.apache.commons.logging.impl.Jdk14Logger debug << "Proxy-Authenticate: NTLM[\r][\n]"
[1/22/10 23:57:36:695 CST] 00000051 HttpMethodDir E org.apache.commons.logging.impl.Jdk14Logger error Credentials cannot be used for NTLM authentication: org.apache.commons.httpclient.UsernamePasswordCredentials
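As an added example (not from the article or from IBM), the following Python script applies this article's log-interpretation rules to a few constructed SystemOut.log and trace.log lines: it tells a genuine virus detection apart from a scanner container-policy violation (which the services also report as a virus), flags the CLFAQ0004E read timeout that calls for a larger first.read.timeout, and spots the unsupported NTLM challenge in an AJAX proxy trace. The category names and NEXT_STEP texts are my own summary of the article's guidance.

```python
import re

# Constructed sample lines modelled on the SystemOut.log and trace.log excerpts this
# article quotes (not real data); the second threat name is a made-up stand-in.
SAMPLE_LOG = r"""
[9/15/10 16:28:06:063 EDT] 000000ba GenericPersis I com.ibm.sn.av.icap.net.GenericPersistentClient askServerPersistent CLFAQ0012I: ICAP Headers: ICAP/1.0 200 OK
X-Infection-Found: Type=2; Resolution=2; Threat=Container extract time violation;
X-Violations-Found: 1
[9/15/10 16:30:11:001 EDT] 000000bb GenericPersis I com.ibm.sn.av.icap.net.GenericPersistentClient askServerPersistent CLFAQ0012I: ICAP Headers: ICAP/1.0 200 OK
X-Infection-Found: Type=0; Resolution=2; Threat=Sample.Test.Signature;
[9/29/10 15:44:09:612 EDT] 00000069 GenericPersis E com.ibm.sn.av.icap.net.GenericPersistentClient askServerPersistent CLFAQ0004E: ICAP error processing content: Read timed out
[1/22/10 23:57:36:633 CST] 00000051 header 1 org.apache.commons.logging.impl.Jdk14Logger debug << "Proxy-Authenticate: NTLM[\r][\n]"
"""

ICAP_ERROR = re.compile(r"CLFAQ0004E: ICAP error processing content: (?P<reason>.+)$")
INFECTION = re.compile(r"X-Infection-Found:.*?Threat=(?P<threat>[^;]+)")
NTLM = re.compile(r"Proxy-Authenticate: NTLM")

# Next step per category, following the article's troubleshooting guidance.
NEXT_STEP = {
    "av-timeout": "Raise first.read.timeout (and av.chunk.size); if still failing, review scanner container policies.",
    "av-icap-error": "ICAP error other than a timeout; check av.scanner.servers and the scanner itself.",
    "av-container-violation": "Archive tripped a scanner container policy; this is not a virus detection.",
    "av-virus": "Scanner reported an infection; rejecting the upload is the correct outcome.",
    "proxy-ntlm-unsupported": "Target demands NTLM, which the AJAX proxy does not support.",
}

def classify_line(line):
    """Map one log line to a (category, detail) pair, or None if it carries no signal."""
    m = ICAP_ERROR.search(line)
    if m:
        reason = m.group("reason").strip()
        return ("av-timeout" if "timed out" in reason.lower() else "av-icap-error", reason)
    m = INFECTION.search(line)
    if m:
        threat = m.group("threat").strip()
        # Per the article, "container" means a .zip or other archive hit a scanner policy limit.
        if "container" in threat.lower():
            return ("av-container-violation", threat)
        return ("av-virus", threat)
    if NTLM.search(line):
        return ("proxy-ntlm-unsupported", "Proxy-Authenticate: NTLM")
    return None

def triage(log_text):
    """Return [(category, detail, next_step), ...] for every signal line in the log."""
    hits = filter(None, map(classify_line, log_text.splitlines()))
    return [(cat, detail, NEXT_STEP[cat]) for cat, detail in hits]
```

Running triage(SAMPLE_LOG) yields one finding per signal line, in log order; the plain CLFAQ0012I header line and X-Violations-Found produce nothing, since the classification hinges on the Threat text.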
A/V
The InfoCenter topic, "Troubleshooting virus scanning," shows several examples of error messages returned from the ICAP scanner, including when a virus is detected and a couple of policy violations.
Known issues
- NTLM support missing in AJAX Proxy.
- ACF does not support non-flash video types.
- VenturaConfigProvider should not read in proxy-config.xml (reported to Quality Engineering via SPR# ASRE8BXPK7).
Resources
Refer to the Product Documentation section, "Security: lc3."
Participate in the IBM Connections Forum.
Refer to the developerWorks® IBM Connections product page.
About the author
Robert Stanger is a Software Engineer based at IBM's Durham, NC, facility. You can reach him at stanger@us.ibm.com.