Sunday, October 4, 2020

Skills Sunday: Traveler problems since 11.06 iOS Came Out? Help is here

Note: Edited October 6th with more details, see the end of the post.

Hello everyone, I know I don't blog so much about technical items, I have moved away from much of it towards product marketing and specifically CI, Competitive Intelligence.

But I have a few clients still that I help and this came up this week and as people posted in FB and other places about it, figured I should help the greater community.

If you have iPhone users already on Traveler, this is not needed for you....yet. These people are all fine, for now, and even using 11.06 because until it is a fresh uninstall and install, it relies on the "older" authentication method.

If you have a person who got a new phone in the last week, or maybe was a new onboard, then you were probably hit by the Traveler is not working problem.

I do not believe it matters which version of Domino or Traveler you run on the server-side. Of course, you should be on the latest version of Traveler, 11.01 Fix Pack 1 which happens to also run on Domino 10.x, not just R11.

The real problem is on Sept  29/30 release 11.05 was removed from the Apple App Store and was replaced by 11.06. 

No big deal, right, apps get updated all the time.

BUT

Not so fast.

HCL slipped in something which only was posted 2 days before the update. Take a look at this technote which in its own words, was posted 6(!?) days ago.

https://support.hcltechsw.com/csm?id=kb_article&sysparm_article=KB0082562&sys_kb_id=792782151be7d8d0beab64e6ec4bcbff

Starting with HCL Verse iOS 11.0.6, support was added for Certificate Based Authentication. There is currently only one mode supported: the server (or access gateway) requires the client device to provide a certificate only. Requiring a certificate and userid/password is not supported. Additionally, this version of the client does not alternatively support basic authentication in the event the certificate-based authentication fails.

Ok, like any other admin I figured I would follow the paper trail of tech notes which would tell me what to do to fix this. 

NOTE: NOTHING in the above technote is helpful, aside from the paragraph quoted.

Now I go searching on this Certificate Based Authentication and 11.06 I find this great session from my friend Milan Matejic (go follow him on Twitter, @Milan_Matejic90) which he gave at the last Engage conference before the whole pandemic started. His slides are here, and a video too and he provides a great example and way to create and merge this certificate.

https://milanmatejic.wordpress.com/2020/03/30/engageug-implementing-certificate-based-authentication-for-hcl-traveler-access/

BUT this is overkill, at least it was for my client. 

So try the override option below first, then if not working, go back to Milan's.

The other thing you may find is this Admin Documentation: 

https://help.hcltechsw.com/traveler/11.0.0/Android_CBA.html

This includes a freshly added Note, with the article at the end of it, the first technote up above! So circular guidance, please HCL Documentation team fix this:

Note: Starting with HCL Verse 11.0.6 for iOS, limited support was added for Certificate Based Authentcation. For more information, see this article.

What you really want, is the technote below, that HCL support sent me after I was trying to figure out what was going on, this worked for my client very easily.

How to OVERRIDE form-based login for the /traveler URL: 

 https://help.hcltechsw.com/traveler/11.0.0/httpauthentication.html

Along the way, we figured out the client also changed their notes redirector and renamed the SSL kyr file so the steps we followed caused more oddities, but I fixed those and now can log in fine. So check everything along the way.

The question is which is the right way to go? Should we follow Milan's session or do this override? I am still digging into it but feel free to comment and let me know what you think, and if this helped you, let me know too.

Oct 6 Update: After discussions with HCL, they will be updating the documentation to be clearer about the changes and what is required. 

You can continue to log in with just name/password, if you follow the overriding guide(the one that worked for me). 

What they were trying to say is IF you needed or wanted the client certification (which is different from an SSL certificate and also NOT your notes id file) then you would have to follow the other links and possibly use Milan's session as your guide and that down the road it may be preferable.

Remember this is ONLY a client-side change, nothing changed in how the server works as the server is flexible, which is why we love Domino.

No comments:

Post a Comment