Wednesday, September 24, 2008

How to disable SSL in Lotus Connections

I've gotten this question several times, so I figured it was time to blog about it. While I don't recommend this for a production environment, some customers have asked for instructions on how to disable SSL for Lotus Connections. This can be more convenient than using a self-signed certificate, which may cause some annoying pop-ups.

Here's the simple procedure:

  1. Disable SSL in the config file
    1. Go to <WAS_ROOT>/profiles/AppSrv01/config/cells/<cellName>/LotusConnections-Config
    2. Save a copy of LotusConnections-Config.xml
    3. Open LotusConnections-Config.xml with your favorite text editor
    4. Set all the SSL_ENABLED flags to false
    5. Save and close the file
  2. Modify the login page to go over port 80 (HTTP) instead of 443 (HTTPS)
    1. Go to <WAS_ROOT>/profiles/AppSrv01/config/cells/<cellName>/applications/<featureEAR>/deployments/<featureName>/<featureWAR>/WEB-INF
    2. Save a copy of web.xml
    3. Open web.xml with your favorite text editor
    4. Look for the following section:

      <user-data-constraint>
        <transport-guarantee>CONFIDENTIAL</transport-guarantee>
      </user-data-constraint>


    5. Change the transport-guarantee from CONFIDENTIAL to NONE
    6. Save and close the file
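
An added example (not part of the original post or of any IBM tooling): a small Python audit that reads a deployment descriptor and lists the transport guarantee each security constraint declares, so you can confirm which state a given web.xml is in after step 2 or after an update. The sample descriptor and its URL patterns are constructed for illustration.

```python
import xml.etree.ElementTree as ET

# Constructed sample descriptor (not taken from a real Connections WAR).
SAMPLE_WEB_XML = """<web-app xmlns="http://java.sun.com/xml/ns/j2ee" version="2.4">
  <security-constraint>
    <web-resource-collection>
      <web-resource-name>login</web-resource-name>
      <url-pattern>/login</url-pattern>
    </web-resource-collection>
    <user-data-constraint>
      <transport-guarantee>CONFIDENTIAL</transport-guarantee>
    </user-data-constraint>
  </security-constraint>
  <security-constraint>
    <web-resource-collection>
      <web-resource-name>feeds</web-resource-name>
      <url-pattern>/atom/*</url-pattern>
    </web-resource-collection>
    <user-data-constraint>
      <transport-guarantee>NONE</transport-guarantee>
    </user-data-constraint>
  </security-constraint>
</web-app>"""

def local(tag):
    """Strip the XML namespace so namespaced and DTD-style descriptors both match."""
    return tag.rsplit("}", 1)[-1]

def transport_guarantees(web_xml_text):
    """Return a (url_patterns, guarantee) tuple for every security-constraint."""
    results = []
    for sc in ET.fromstring(web_xml_text).iter():
        if local(sc.tag) != "security-constraint":
            continue
        patterns = [e.text.strip() for e in sc.iter()
                    if local(e.tag) == "url-pattern" and e.text]
        found = [e.text.strip().upper() for e in sc.iter()
                 if local(e.tag) == "transport-guarantee" and e.text]
        # A constraint with no user-data-constraint accepts any transport, like NONE.
        results.append((patterns, found[0] if found else "NONE"))
    return results

def cleartext_patterns(web_xml_text):
    """URL patterns the container will accept over plain HTTP."""
    return [p for pats, g in transport_guarantees(web_xml_text) if g == "NONE" for p in pats]

if __name__ == "__main__":
    for pats, guarantee in transport_guarantees(SAMPLE_WEB_XML):
        print(f"{guarantee:13} {', '.join(pats)}")
```
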

That's it! Now, if you are wondering what <featureEAR>, <featureName>, and <featureWAR> mean, take a look at the table below.

Note: You make these changes at your own risk.

| FeatureEAR | Feature Name | FeatureWAR |
|---|---|---|
| Activities.ear | Activities | oawebui.war |
| Blogs.ear | Blogs | Blogs.war |
| Communities.ear | Communities | tango.web.ui.war |
| Dogear.ear | Dogear | dogear.webui.war |
| Homepage.ear | Homepage | dboard.war |
| Profiles.ear | Profiles | peoplepages.war |

Enjoy!

14 comments:

  1. Does this definitely work for HomePage as well? I understood that SSL was almost impossible to remove from the HomePage feature...

    Would be very glad to hear that this is not the case!

  2. It should work fine for Home Page. HP only uses SSL for login by default, same as the rest of the Connections features.

  3. Hmm, that last comment was from me. I don't know why my OpenID provider doesn't identify me...

  4. Keep in mind that any update to the service components will overwrite this change. Especially to the <featureEAR>, <featureName>, and <featureWAR> files.

  5. I had to restart the Enterprise Application for this change to take effect.

  6. Hi Stuart,

    Yes, I tested this on my v2 deployment and it works like a charm!

    @Mac, thanks for reminding me, yes this configuration may be overwritten when you upgrade to a later release.

    @Luis, yes, I forgot to mention you had to restart the server for the changes to go into effect, thanks!!

  7. I tested this last week and it works very well.
    Thanks for the information, Luis.

  8. FYI... home page search requires SSL to work, so if you have the Home page deployed, do NOT make the changes to the LotusConnections-config.xml file, only to the web.xml (maybe that's what Stuart was referring to).

  9. I followed the described steps and restarted the server, but the login pages such as those for Profiles and Dogear still go to the SSL version. I am using 2.0.1 with the latest fixes. Is this a new bug in 2.0.1 with the latest fixes?

  10. Hi Michael,

    Make sure you clear your browser's cache too, just in case. Also, make sure that there are no redirects specified in the httpd.conf file (especially if you are migrating from v1).

    Hope this helps.

  11. Thanks for the config tips.

    Anyone use this config to configure SSL offloading to a hardware SSL accelerator? Having problems with backend servers making calls to HTTP and the JS libraries not being able to redirect to HTTPS.

    Most stuff works, but the JS that calls the forum topics in Communities is 404'ing because it's failing to redirect to HTTPS. Any ideas for a Connections n00b?

  12. Hi Andrew,

    I think you'll still want to enable SSL at the Connections level (i.e. leave the settings as-is in web.xml and LotusConnections-config.xml). This is important because this controls the URL redirection and how the URLs are generated.

    I've never used an SSL hardware accelerator, but I think you'll enable SSL at that level (as opposed to the HTTP server...).

    Hope this helps.

  13. Thanks Luis, will give that a try.

    We've used SSL accelerators (Netscalers) a lot and tend to use them where we can configure SSL on the accelerator and leave everything else as plain text (less SSL handshakes, less resources on the app server, more performant, etc.)

    Having SSL enabled on Connections was causing problems for the Netscalers when Connections redirected from HTTP to HTTPS at the backend. Will see if our infrastructure bods can do some Netscaler "voodoo" to make things work with the redirects.

    Cheers,

    Andrew.

  14. FYI, this description made it to the InfoCenter: "Lotus Connections InfoCenter: Disabling SSL"

    But seems they forgot to put an entry in the toc (should be under LC25 -> Security -> Disable SSL)

