Portal Express, Version 6.0
Operating systems: i5/OS, Linux, Windows
Troubleshoot Lotus Domino and the Extended Products
- Set debug parameters for the Extended Products
- IBM Lotus Domino
- WebSphere Global Security with SSO-enabled Lotus Domino LDAP requires modification to the Lotus Domino Web Configuration document
- SSO does not work after the portal is configured to use SSL
- Single Sign-On may fail when the portal is configured to use multiple realms
- Database lists in some portlets fail to populate with database names
- The Domino Directory used for people awareness may cause delays or lack of awareness if it contains identical common user names
- For portlets that display users' names with online awareness, similar names do not display the correct online status
- For portlets that display users' names with online awareness, names containing commas do not display the correct online status when the Lotus Domino server is 6.5.4
- IBM Lotus QuickPlace
- Domino-WebSphere Portal Integration Wizard
Set debug parameters for the Domino Extended Products
You can set the following parameters in the NOTES.INI file of the two Domino servers running Lotus Sametime and Lotus QuickPlace:
debug_sso_trace_level=2
debug_outfile=debug.out
Name the Lotus Sametime debug file imdebug.out and Lotus QuickPlace file twdebug.out to distinguish between the two.
You can add these through the Domino console by typing:
set config <parameter>
...or by editing the NOTES.INI file manually.
Restart the server to create the new debug out file in...
domino_data/IBM_TECHNICAL_SUPPORT
Troubleshoot IBM Lotus Domino
This section provides information about troubleshooting problems that might arise with Lotus Domino.
WebSphere Global Security with SSO-enabled Lotus Domino LDAP requires modification to the Lotus Domino Web Configuration document
If you enable SSO between WebSphere Application Server (WAS) and Lotus Domino servers in a portal environment that has applied WebSphere Global Security, you will need to edit the Lotus Domino Web Configuration document to correct an error that occurs in the LDAP Realm when Lotus Domino imports LTPA keys from WAS.
Solution: To correct the LDAP Server setting that is imported into Lotus Domino with the LTPA keys, open the Lotus Domino Web Configuration document and edit the LDAP Server value to include the backslash, for example...
yourLDAPServer.yourdomain.com\:389
Restart the Lotus Domino LDAP server to initialize this change. Replicate the Domino Directory to all Lotus Domino LDAP servers, Lotus Sametime, and Lotus QuickPlace servers. Remember to start and stop the HTTP task on all Lotus Domino and Lotus QuickPlace servers.
SSO does not work after the portal is configured to use SSL
If you configure SSO for WAS and Lotus Domino servers in a portal environment, and then enable SSL for the portal, regenerate and then import a new LTPA key to reflect the new port number for the SSL configuration.
Solution: If you enable SSO between WAS and Lotus Domino servers, the default port number used is 389. This port number changes to 636 (by default) for an SSL configuration. In the WebSphere Administrative Console, regenerate the LTPA key, restart WAS, and then export the key from the WebSphere Administrative Console. Next, import the LTPA key into the Web SSO Configuration document on the Lotus Domino servers.
Single Sign-On may fail when the portal is configured to use multiple realms
Single Sign-On (SSO) may work incorrectly on Lotus Domino, Lotus Sametime, or Lotus QuickPlace servers integrated in the site if WebSphere Portal Express is configured with multiple realms. Features that may fail include user authentication in collaborative portlets, Lotus Sametime awareness, and automatic detection of mail files for Lotus Domino messaging portlets.
When the portal is configured for multiple realms (by running the enable-security-wmmur-ldap or the enable-security-wmmur-db configuration task), the security realm is set to the value WMMRealm. This value cannot be recognized by the Domino and Extended Products servers.
Solution: Before retrieving the LTPA token and copying it to Domino and Extended Products servers to include them in SSO, make sure that the security realm has been corrected in configuration properties to an alias for the LDAP user registry. Perform the following steps to set the userRegistryRealm property on the WAS:
- In the WAS Administrative Console, select Security>Global Security>User Registry>Custom>Custom Properties.
See Starting and logging off the administrative console for information on how to log on to the WAS Administrative Console.
- Add the userRegistryRealm key with the value yourname, where this is the name of the security realm used within the WAS cell to uniquely identify the user based on their origin source. For example, the LDAP implementation of WAS uses the LDAP server name and the used port as the origin source, such as ldap.nameofyourcompany.com:389.
- Save your changes.
If SSO has already been configured for Lotus Domino servers, you can still correct the problem by setting the property above, and by correcting the value in the security.xml file for any additional exports of the LTPA token. For instructions, see the following technote:
Technote 1198736: Single-Sign-On issues between WebSphere Portal and other applications (e.g. Lotus Domino or Sametime) within the same Single-Sign-On domain
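The three LTPA checks from the SSO topics above (backslash in the Domino LDAP Server value, LDAP port after enabling SSL, WMMRealm as the realm) can be run against an exported key file before it is imported into Domino. This is an added example, not IBM code; it assumes the export is a Java-properties file that stores the realm under com.ibm.websphere.ltpa.Realm and that the Domino LDAP Server value should correspond to that realm, and the sample file and host names are constructed.

```python
import re

REALM_KEY = "com.ibm.websphere.ltpa.Realm"  # assumed property name in the export

def read_realm(key_file_text):
    """Return the unescaped realm from a properties-style LTPA key export, or None."""
    for line in key_file_text.splitlines():
        line = line.strip()
        if not line or line[0] in "#!":          # blank line or comment
            continue
        key, sep, value = line.partition("=")
        if sep and key.strip() == REALM_KEY:
            # Properties files store ':' as '\:'; drop the escaping backslash.
            return re.sub(r"\\(.)", r"\1", value.strip())
    return None

def preflight(key_file_text, domino_ldap_server, expected_ldap_port):
    """Return a list of findings; an empty list means every check passed."""
    realm = read_realm(key_file_text)
    if realm is None:
        return ["no realm entry found in the key file"]
    if realm == "WMMRealm":
        return ["realm is WMMRealm: set userRegistryRealm on WAS, then export again"]
    findings = []
    port = realm.rpartition(":")[2] if ":" in realm else None
    if port is not None and port != str(expected_ldap_port):
        findings.append(f"key realm uses port {port}, expected {expected_ldap_port}: "
                        "regenerate and re-import the LTPA key")
    if ":" in domino_ldap_server and "\\:" not in domino_ldap_server:
        findings.append("Domino LDAP Server value lacks the backslash before the port")
    if domino_ldap_server.replace("\\:", ":") != realm:
        findings.append("Domino LDAP Server value does not match the key realm")
    return findings

# Constructed sample export (key material omitted) and constructed host names.
SAMPLE_KEY_FILE = r"""# constructed sample
com.ibm.websphere.ltpa.version=1.0
com.ibm.websphere.ltpa.Realm=ldap.example.com\:389
"""

if __name__ == "__main__":
    # Portal now uses SSL (636) but the key still carries 389 and Domino lacks '\:'.
    for finding in preflight(SAMPLE_KEY_FILE, "ldap.example.com:389", 636):
        print("FINDING:", finding)
```

Pass the port the portal's LDAP connection actually uses (389 by default, 636 by default with SSL) as expected_ldap_port.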
Database lists in some portlets fail to populate with database names
In the Lotus Notes View, Domino Web Access, and My Lotus QuickPlaces portlets, drop-down lists of database names may appear empty. There are several possible causes:
- The Lotus Domino server configured for use with the portal does not have SSL set up correctly.
- The Lotus Domino server uses the setting Redirect to SSL instead of Enable SSL.
- The Lotus Domino messaging/application server for the portlets does not actually contain databases of the correct type.
- Not all Lotus Domino servers used with the portal have SSL certificates signed by the same certificate authority.
Solution: Perform the following steps to eliminate the possible problems:
- Ensure that the Lotus Domino server configured for use with the portal has SSL set up properly.
- Do one of the following:
- If the Lotus Domino server uses HTTP, set HTTP to run on the default port of 80.
- If the Lotus Domino server uses HTTPS, set HTTPS to run on the default port of 443, and enable DIIOP over SSL.
- In the Server document, select Internet Protocols > HTTP, and make sure that Allow HTTP clients to browse databases is set to Yes.
- While examining the Lotus Domino server, determine whether the server uses the Enable SSL or Redirect to SSL setting.
- Restart the Domino server.
- If the problem remains, check the Lotus Domino messaging/application servers and make sure that the databases users are attempting to view through the portlets exist, and are of the appropriate design for the portletType parameter configured in the portlets. For example, in a portlet configured with a portletType of NOTESDISCUSSION, the drop-down list shows only Notes databases with a discussion design. If no databases of the appropriate type exist, either inform users of this error, or make appropriate databases available.
- If the problem remains, examine the SSL certificates for each of the Lotus Domino servers that contain source databases for portlets in the portal, and make sure they are all signed by a single certificate authority (CA).
- From any of the Lotus Domino servers that has a properly signed SSL certificate, copy the TrustedCerts.class file from within the domino_data_root/domino/java directory.
- Navigate to the portal server's class directory portal_server_root/shared/app/ and paste the copied TrustedCerts.class file.
- If the problem remains, and you determined earlier that the Lotus Domino server uses the Redirect to SSL setting, locate and edit the CSEnvironment.properties file on the portal server.
- If the following property does not already exist and is not already set to this value, add it and set its value using the following line:
CS_SERVER_DOMINO_DIRECTORY_1.iiopport=63148
- Save the CSEnvironment.properties file.
- Restart the portal server.
The Domino Directory used for people awareness may cause delays or lack of awareness if it contains identical common user names
Solution: Modify names of any users who share a common name so that names become unique (for example, by including an initial).
For portlets that display users' names with online awareness, similar names do not display the correct online status
If two users' names are similar – for example, they begin with identical strings, such as Jane Smith and Jane Smithson – and the LDAP directory configured for the portal is not Lotus Domino, the correct online status for the users will not be displayed. This problem occurs in any of the Domino and Extended Products Portlets that display names with online awareness.
Solution: Add the following content to the CSEnvironment.properties file:
# The format of the name that will be added to the watch lists for awareness.
CS_SERVER_SAMETIME_1.watchnameformat=dn
For portlets that display users' names with online awareness, names containing commas do not display the correct online status when the Lotus Domino server is 6.5.4
If a user's common name contains a comma, for example, "Smith, Chris," and the Lotus Domino LDAP server is running release 6.5.4, the correct online status for the user will not be displayed in the portlet. This problem occurs in any of the Domino and Extended Products Portlets that display users' names with online awareness.
Workaround: There is a workaround that will fix the problem. However, if the portal also uses Lotus Domino for its LDAP directory, this workaround will disable awareness for the People Finder portlet entirely, even on names that do not contain commas.
Add the following content to the CSEnvironment.properties file:
# The format of the name that will be added to the watch lists for awareness.
CS_SERVER_SAMETIME_1.watchnameformat=dn
Solution: Upgrade the LDAP server to a later release of Lotus Domino. If you cannot upgrade at this time, check with IBM Support for an interim fix for the Lotus Domino LDAP server release 6.5.4.
Troubleshoot IBM Lotus QuickPlace
This section provides information about troubleshooting problems that might arise with Lotus QuickPlace.
Team Workplace 6.5.1 (Lotus QuickPlace) requires an interim fix to work with Lotus Domino 6.5.x
Without this fix, Lotus Domino HTTP does not start, preventing the Team Workplace (Lotus QuickPlace) server software from operating.
For release 6.5.1 only, Lotus QuickPlace is called Team Workplace.
Solution: A required interim fix for Team Workplace release 6.5.1 is available on the IBM Support Web site. Refer to the following troubleshooting technote:
Technote 1198555: Required Team Workplace 6.5.1 Enabling Fixes for Domino 6.5.4 and 6.5.5
Enabling diagnostic tracing on the Lotus QuickPlace (QuickPlace) server
Perform the following steps to enable diagnostic tracing on the Lotus QuickPlace (QuickPlace) Server Console (when using any QuickPlace portlet, or any other portlet using the QPService APIs):
- Add the following lines in the notes.ini file of the Lotus QuickPlace server.
- For Information: QuickPlaceJavaLogging=3
- Details for other logging levels:
- For Debug: QuickPlaceJavaLogging=5 or 4
- For Error only: QuickPlaceJavaLogging=0 or 1
- For Warnings: QuickPlaceJavaLogging=2
- Restart the Lotus QuickPlace server.
Troubleshoot the Domino-WebSphere Portal Express Integration Wizard
Problem: Consistency check errors appear in the Lotus Domino server console referencing the DPICFG.NSF file
Solution: Run fixup on the DPICFG.NSF file.
Windows and Linux only: On every Lotus Domino server where you have copied the file, in the server console, run the fixup task by issuing this command:
load fixup dpicfg.nsf