IBM Support

Unable to login to any applications except Profiles after installing IBM Connections. Directory Service Extension (DSX) errors appear in the logs.

Technote (troubleshooting)


Problem

After installing IBM Connections, you are able to login sucessfully to Profiles, but not to Homepage or any other application.
Content for public applications like Communities, Blogs, etc. can still be viewed, but the user will receive an error if trying to login to them.
Directory Service Extension (DSX) errors appear in the logs.

Symptom

Checking the SystemOut.log of the server InfraCluster_Server1, the following exceptions can be observed:
[4/16/13 11:04:39:708 CEST] 00000089 WaltzSyncServ E com.ibm.lconn.homepage.services.impl.WaltzSyncServiceImpl
getUserByLoginName CLFRQ0221E: Reference to directory services could not be retrieved.
com.ibm.lconn.homepage.services.ServiceException: CLFRQ0221E: Reference to directory services could not be retrieved.

which is caused by:
Caused by: com.ibm.connections.directory.services.exception.DSOutOfServiceException:
com.ibm.connections.directory.services.exception.DSOutOfServiceException: CLFRK0003E: Directory Service Extension(DSX)
received a HTTP response from URL 'https://<connections_server>:WAS_port/profiles/dsx/instance.do?login=<loginname>'
with unexpected status '403'!
at com.ibm.connections.directory.services.engine.DSXSearchEngine.search(DSXSearchEngine.java:128)
at com.ibm.connections.directory.services.engine.WPISearchEngine.searchProfiles(WPISearchEngine.java:65)
... 68 more
Caused by: com.ibm.connections.directory.services.exception.DSOutOfServiceException:
CLFRK0003E: Directory Service Extension(DSX) received a HTTP response from URL
'https://<connections_server>:WAS_port/profiles/dsx/instance.do?login=<loginname>' with unexpected status '403'!
at com.ibm.connections.directory.services.engine.DSXSearchEngine.search(DSXSearchEngine.java:111)
... 69 more


Cause

If "Interoperability Mode" is enabled in the SSO settings for WAS, then the interservice communications between the applications in Connections will not work if anything other than the default cookie names "LtpaToken" and "LtpaToken2" are used.
In IBM Connections, it is no longer mandatory to enable "interoperability mode". This option can now either be enabled or disabled.
However, whenever it is turned on, it enforces you to type cookie names. The default cookie names hinted by the 'help' pop-up are incorrect*.
As yet, Connections will not work with custom cookie names.
So if this option is enabled, you must specify the default cookie names.


Resolving the problem

Take the following steps to resolve this issue:

1. Login to the ISC.
2. Navigate to Security -> Global Security -> Single sign-on (SSO).
3. If "Interoperability Mode" is enabled, then you must specify the case-sensitive default names of "LtpaToken" and "LtpaToken2" for the
"LTPA V1 cookie name" and "LTPA V2 cookie name" fields respectively.
4. Synchronize the nodes & restart Connections.

[*Please note that the Help tips for these fields contain the incorrect case of "LTPAToken" and "LTPAToken2".
See screenshots:





This defect is documented in the following APAR, which is due to be fixed in WAS FixPack 8.0.0.7:

APAR ID: PM86864
Brief Description: MOUSE OVER HELP HAS INCORRECT DEFAULT NAME FOR SSO
TOKEN 1 AND TOKEN 2 ]

Document information

More support for: IBM Connections
Install

Software version: 4.5, 5.0, 5.5

Operating system(s): AIX, IBM i, Linux, Windows

Reference #: 1635025

Modified date: 18 March 2014